From 1248128a287a4b9715ff0e90a04f7fb4d8d57134 Mon Sep 17 00:00:00 2001
From: Jonathan Dahan <git@jonathan.is>
Date: Sun, 29 Sep 2024 13:41:59 -0400
Subject: [PATCH] We can use unix tools for password management

---
 .../00-install-solar-protocol/01-run.sh       | 23 +++----------
 .../usr/lib/userpass-pi/userpass-service      | 32 -------------------
 2 files changed, 5 insertions(+), 50 deletions(-)
 delete mode 100755 utilities/build/stage-solar/00-install-solar-protocol/files/usr/lib/userpass-pi/userpass-service

diff --git a/utilities/build/stage-solar/00-install-solar-protocol/01-run.sh b/utilities/build/stage-solar/00-install-solar-protocol/01-run.sh
index 8791aaf8..e97a8a67 100755
--- a/utilities/build/stage-solar/00-install-solar-protocol/01-run.sh
+++ b/utilities/build/stage-solar/00-install-solar-protocol/01-run.sh
@@ -27,7 +27,7 @@ echo "::warning file=utilities/setAllPermissions.sh,title=skipping permissions f
 endinfo
 
 info "setting up apache web server"
-on_chroot <<EOF
+on_chroot << EOF
 a2enmod headers
 a2enmod rewrite
 a2enmod userdir
@@ -43,7 +43,7 @@ sed -i \
 
 echo 'Listen 8080' >> ${ROOTFS_DIR}/etc/apache2/ports.conf
 
-cat >> ${ROOTFS_DIR}/etc/apache2/apache2.conf <<EOF
+cat >> ${ROOTFS_DIR}/etc/apache2/apache2.conf << EOF
 
 <Directory /home/pi/solar-protocol/frontend/>
     Options Indexes FollowSymLinks
@@ -55,15 +55,7 @@ EOF
 endinfo
 
 info "setting up fail2ban to protect against bots"
-cat > ${ROOTFS_DIR}/etc/fail2ban/jail.local <<EOF
-[sshd]
-enabled = true
-filter = sshd
-backend = systemd
-logpath = /var/log/auth.log
-maxretry = 5
-bantime = 3600
-EOF
+cp files/etc/fail2ban/jail.local ${ROOTFS_DIR}/etc/fail2ban/jail.local
 endinfo
 
 info "fixing php timezone"
@@ -87,14 +79,9 @@ rm ${ROOTFS_DIR}/etc/issue
 envsubst < files/etc/issue.template > ${ROOTFS_DIR}/etc/issue
 endinfo
 
-info "add post-install password change tool"
-install -d "${ROOTFS_DIR}/etc/systemd/system"
-install -m 644 files/etc/systemd/system/userpass.service "${ROOTFS_DIR}/etc/systemd/system/userpass.service"
-install -d "${ROOTFS_DIR}/usr/lib/userpass-pi"
-install -m 755 files/usr/lib/userpass-pi/userpass-service "${ROOTFS_DIR}/usr/lib/userpass-pi/userpass-service"
-
+info "expire default password to force change on first login"
 on_chroot << EOF
-  systemctl enable userpass.service
+  chage --lastday 0 pi
 EOF
 
 install files/home/pi/disable-ssh-password-auth "${ROOTFS_DIR}/home/pi/"
diff --git a/utilities/build/stage-solar/00-install-solar-protocol/files/usr/lib/userpass-pi/userpass-service b/utilities/build/stage-solar/00-install-solar-protocol/files/usr/lib/userpass-pi/userpass-service
deleted file mode 100755
index 14353009..00000000
--- a/utilities/build/stage-solar/00-install-solar-protocol/files/usr/lib/userpass-pi/userpass-service
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh -e
-
-validate_password() {
-    if [ -z "$NEW_PASS" ]; then
-        echo "Password cannot be empty."
-        return 1
-    fi
-}
-
-if [ "$(raspi-config nonint get_boot_cli)" -ne 0 ]; then
-    exit
-fi
-
-VT="$(tty | sed 's|/dev/tty||')"
-ORIG_VT="1"
-if [ -t 0 ]; then
-    chvt "$VT"
-fi
-FIRST_USER="$(getent passwd 1000 | cut -d: -f1)"
-
-while true; do
-    NEW_PASS="$(whiptail --passwordbox "Please set a password for $FIRST_USER:" 20 60 3>&1 1>&2 2>&3)"
-    if [ "$(whiptail --passwordbox "Please confirm the password:" 20 60 3>&1 1>&2 2>&3)" != "$NEW_PASS" ]; then
-        MSG="Passwords did not match"
-    elif MSG=$(validate_password); then
-        break
-    fi
-    whiptail --msgbox "$MSG" 20 60
-done
-
-echo "$FIRST_USER:$NEW_PASS" | chpasswd
-chvt "$ORIG_VT"