From 063571e8986a9f38af7541dcc3d13f0019e1d5ec Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Wed, 14 May 2025 08:39:46 +0200
Subject: [PATCH] Fix.

---
 trixie/aptmark/minimal_server | 1 +
 trixie/aptmark/reform_qemu | 6 +++
 trixie/copy/reform_qemu/etc/nftables.conf | 43 +++++++++++++++++
 trixie/copy/reform_qemu/home/plom/run.sh | 20 ++++++++
 trixie/scripts/setup_reform_qemu.sh | 56 +++++++++++++++++++++++
 5 files changed, 126 insertions(+)
 create mode 120000 trixie/aptmark/minimal_server
 create mode 100644 trixie/aptmark/reform_qemu
 create mode 100755 trixie/copy/reform_qemu/etc/nftables.conf
 create mode 100755 trixie/copy/reform_qemu/home/plom/run.sh
 create mode 100644 trixie/scripts/setup_reform_qemu.sh

diff --git a/trixie/aptmark/minimal_server b/trixie/aptmark/minimal_server
new file mode 120000
index 0000000..647c77d
--- /dev/null
+++ b/trixie/aptmark/minimal_server
@@ -0,0 +1 @@
+../../bookworm/aptmark/minimal_server
\ No newline at end of file
diff --git a/trixie/aptmark/reform_qemu b/trixie/aptmark/reform_qemu
new file mode 100644
index 0000000..6a06dee
--- /dev/null
+++ b/trixie/aptmark/reform_qemu
@@ -0,0 +1,6 @@
+# for getting images
+wget
+# qemu stuff
+qemu-system-aarch64
+ipxe-qemu
+#
diff --git a/trixie/copy/reform_qemu/etc/nftables.conf b/trixie/copy/reform_qemu/etc/nftables.conf
new file mode 100755
index 0000000..56b3db1
--- /dev/null
+++ b/trixie/copy/reform_qemu/etc/nftables.conf
@@ -0,0 +1,43 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter \
+ hook input \
+ priority 0;
+ policy drop;
+ iif lo \
+ accept \
+ comment "accept localhost traffic";
+ ct state invalid \
+ drop \
+ comment "drop invalid connections";
+ ct state established, related \
+ accept \
+ comment "accept traffic originated from us";
+ tcp dport 22 \
+ accept \
+ comment "accept SSH on default port";
+ tcp dport 5994 \
+ accept \
+ comment "accept VNC";
+ ip protocol icmp \
+ icmp type echo-request \
+ accept \
+ comment "accept ICMP for pinging";
+ }
+ chain forward {
+ type filter \
+ hook forward \
+ priority 0;
+ policy drop;
+ }
+ chain output {
+ type filter \
+ hook output \
+ priority 0;
+ policy accept;
+ }
+}
diff --git a/trixie/copy/reform_qemu/home/plom/run.sh b/trixie/copy/reform_qemu/home/plom/run.sh
new file mode 100755
index 0000000..1d0d842
--- /dev/null
+++ b/trixie/copy/reform_qemu/home/plom/run.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+set -e
+NAME_REPO='reform-system-image'
+URL_REPO="https://source.mnt.re/reform/${NAME_REPO}"
+NAME_IMG='pocket-reform-system-rk3588.img'
+NAME_IMG_GZ="${NAME_IMG}.gz"
+URL_IMG="${URL_REPO}/-/jobs/9939/artifacts/raw/${NAME_IMG_GZ}?inline=false"
+PATH_EMULATE_SH="${NAME_REPO}/emulate.sh"
+
+cd
+if [ ! -e "${NAME_REPO}" ]; then
+ git clone "${URL_REPO}"
+ sed -i 's/-vnc :94,share=force-shared/-vnc :94,share=ignore/' "${PATH_EMULATE_SH}"
+fi
+if [ ! -e "${NAME_IMG}" ]; then
+ wget "${POCKET_IMG}"
+ gunzip "${NAME_IMG_GZ}"
+fi
+"${PATH_EMULATE_SH}" "${NAME_IMG}"
+
diff --git a/trixie/scripts/setup_reform_qemu.sh b/trixie/scripts/setup_reform_qemu.sh
new file mode 100644
index 0000000..8d35db9
--- /dev/null
+++ b/trixie/scripts/setup_reform_qemu.sh
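Review bot: The `tcp dport 5994 accept comment "accept VNC"` rule in chain input accepts from any source address, so the QEMU VNC display that run.sh in this commit pins to `-vnc :94` is reachable from every host that can reach that port, not only the administrator; either restrict it to a known source, e.g. `ip saddr <ADMIN_CIDR> tcp dport 5994 accept comment "accept VNC"`, or drop the rule and reach the display through the already-accepted SSH port. A second gap, hedged because IPv6 may be deliberately unused on this host (setup_reform_qemu.sh skips IPv6 candidates when picking the external address): the chain lives in an `inet` table with `policy drop` but only IPv4 `icmp type echo-request` is accepted, so ICMPv6 including neighbour discovery is dropped and IPv6 connectivity would not work. If IPv6 is wanted, `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, echo-request } accept` alongside the IPv4 rule covers it; if it is not, a comment saying so would stop the next reader from treating the omission as an oversight.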
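Review bot: `wget "${POCKET_IMG}"` expands a variable that is never defined, so on the first run (image missing) wget is called with an empty URL and `set -e` aborts the script; `URL_IMG` is defined above and never used. Even with `URL_IMG`, wget's default output name keeps the URL's last path segment including the `?inline=false` query, so the following `gunzip "${NAME_IMG_GZ}"` would not find the file; `wget -O "${NAME_IMG_GZ}" "${URL_IMG}"` fixes both. With `#!/bin/sh`, `set -eu` at the top is POSIX and would have caught the unset name. The image is a CI job artifact fetched over HTTPS and booted with no integrity check; if the project publishes a digest, a `sha256sum -c` against a pinned value (`<EXPECTED_SHA256>`) before the gunzip would make a tampered or truncated download fail closed.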
@@ -0,0 +1,56 @@
+#!/bin/sh
+set -e
+cd $(dirname "$0")
+. lib/apt_get_digested
+. lib/constants_etc # PATH_ETC
+. lib/constants_ssh # PATH_REL_SSH, PATH_USER_SSH
+. lib/copy_dirtrees_of_tags
+. lib/core_setup
+. lib/expect_n_args
+. lib/path_tmp_timestamped
+. lib/prefixed_msg
+. lib/put_finished_marker
+
+prefixed_msg_init
+prefixed_msg 'starting'
+
+INSTALL_TAGS='all minimal_server user keep_if_installed:systemd-resolved reform-qemu'
+
+expect_n_args 1 2 'HOSTNAME, [FQDN]' $@
+HOSTNAME="$1"
+FQDN="$2"
+
+prefixed_msg_no_nl 'Determining external IP …'
+for _CANDIDATE in $(hostname -I); do
+ _START=$(echo ${_CANDIDATE} | cut -d'.' -f1)
+ if [ "$(echo -n ${_START} | wc -c)" -gt 3 ]; then # ignore IPv6
+ continue
+ fi
+ if [ "${_START}" = "127" -o "${_START}" = "192" -o "${_START}" = "172" ]; then
+ continue
+ fi
+ EXTERNAL_IP="${_CANDIDATE}"
+ break
+done
+echo " it's: ${EXTERNAL_IP}"
+
+if [ ! -z "${FQDN}" ]; then
+ prefixed_msg "Ensuring provided FQDN ${FQDN} maps to it …"
+ IP_BY_DNS=$(getent ahostsv4 "${FQDN}" | head -1 | cut -d' ' -f1)
+ if [ ! "${IP_BY_DNS}" = "${EXTERNAL_IP}" ]; then
+ abort "DNS mapping provided FQDN '${FQDN}' to ${IP_BY_DNS} rather than this system's external IP ${EXTERNAL_IP}."
+ fi
+fi
+
+core_setup "${HOSTNAME}" "${FQDN}" "${EXTERNAL_IP}" "${INSTALL_TAGS}"
+
+prefixed_msg 'Moving SSH data from root to user …'
+mkdir -p "${PATH_USER_SSH}"
+mv "/root/${PATH_REL_SSH}/authorized_keys" "${PATH_USER_SSH}/"
+chown -R "${USERNAME}:${USERNAME}" "${PATH_USER_SSH}"
+
+prefixed_msg 'Enabling firewall …'
+systemctl --quiet enable --now nftables
+
+put_finished_marker 'setup_reform_qemu'
+prefixed_msg_exit
-- 
2.30.2
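Review bot: `EXTERNAL_IP` is never checked after the `for _CANDIDATE in $(hostname -I)` loop: when no candidate passes the two filters the variable stays unset (`set -e` without `-u` does not catch that), the `echo` prints an empty address and `core_setup` is called with an empty third argument; add `[ -n "${EXTERNAL_IP}" ] || abort 'no external IPv4 address found'` before the `echo`, assuming `abort` comes from one of the sourced lib files since the FQDN branch already relies on it. Two quoting issues in the same hunk: `cd $(dirname "$0")` and `expect_n_args 1 2 'HOSTNAME, [FQDN]' $@` word-split on spaces, so `cd "$(dirname "$0")"` and `"$@"`. The `[ … -o … ]` form is obsolescent in POSIX test, and the `127`/`192`/`172` checks skip whole /8 ranges rather than the loopback and RFC 1918 blocks, which is probably fine for this host but deserves a comment such as `# skip loopback and, coarsely, private first octets`. `USERNAME` used by the `chown` line is not set in this file; presumably a sourced lib provides it, but naming it in the `# PATH_…` style comments next to the `. lib/…` lines would make that visible.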