BetterCorp/BetterFrame
1
0
Fork 0
mirror of https://github.com/BetterCorp/BetterFrame.git synced 2026-05-26 22:26:33 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10
BetterFrame/deploy/systemd/betterframe-firstboot.service
Mitchell R d149ed68e5
feat(harden): nftables default-drop firewall + first-boot password rotation 
Two image-side hardening pieces both small enough to ship together.

deploy/nftables/nftables.conf — single ruleset installed at /etc/nftables.conf.
Default-drop input. Allowed: loopback, established/related, ratelimited
ICMP, kiosk local API :18090 from RFC1918 / RFC4193 / link-local sources
only. SSH stays gated by sshd-disabled (image build sets enable-ssh: 0
and 01-run-chroot masks it); the firewall rule for :22 is left commented
in for triage scenarios. Forward dropped. Output left wide open — kiosk
needs to dial out to arbitrary RTSP cameras + the BF server (which may
live on the public internet) without explicit allowlisting.

deploy/systemd/betterframe-firstboot.{service,sh} — runs once per device
before betterframe-kiosk starts. Generates a 24-char unambiguous-glyph
password, applies via chpasswd, stores at /etc/betterframe/admin-password
(0400 root), and prints a banner to tty1 so an HDMI-attached operator
can transcribe it during the boot window before cage takes over the
screen. Marker at /var/lib/betterframe/.firstboot-complete prevents
re-run on subsequent boots. Without this, every kiosk built from the
same image shipped with bfadmin:betterframe — a single password leak
compromises the entire fleet.

Future follow-up: post the rotated password (encrypted with cluster_key)
to the BF server via heartbeat so admin UI can surface it. Not in this
commit; the local file + tty banner are the only retrieval paths today.
2026-05-21 11:18:28 +02:00

19 lines
508 B
Desktop File
Raw Blame History

[Unit]
Description=BetterFrame first-boot provisioning (rotate default password)
Documentation=https://github.com/BetterCorp/BetterFrame
ConditionPathExists=!/var/lib/betterframe/.firstboot-complete
DefaultDependencies=no
After=local-fs.target
Before=getty.target multi-user.target betterframe-kiosk.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/betterframe-firstboot.sh
StandardOutput=tty
StandardError=tty
TTYPath=/dev/tty1
TTYReset=no
[Install]
WantedBy=multi-user.target
Reference in a new issue View git blame Copy permalink