initramfs hook for tailscale

This is intended to be used with an ephemeral auth key with an ACL tag,
and ACL rules that restrict the ephemeral node to inbound-only traffic.
It does not share instance state with tailscale running in Linux.

Reference:
- https://tailscale.com/kb/1111/ephemeral-nodes/
- https://tailscale.com/kb/1068/acl-tags/#generate-an-auth-key-with-an-acl-tag
- https://tailscale.com/kb/1068/acl-tags/#using-tags-in-acls-for-access-control

debian/changelog

@@ -0,0 +1,5 @@
+tailscale-initramfs (0.1) unstable; urgency=medium
+
+  * Initial Release.
+
+ -- Paul Aurich <paul@darkrain42.org>  Fri, 14 Jan 2022 21:03:16 -0800

debian/control

@@ -0,0 +1,20 @@
+Source: tailscale-initramfs
+Section: net
+Priority: optional
+Maintainer: Paul Aurich <paul@darkrain42.org>
+Build-Depends: debhelper-compat (= 13)
+Standards-Version: 4.5.1
+Homepage: https://github.com/darkrain42/tailscale-initramfs
+Vcs-Browser: https://github.com/darkrain42/tailscale-initramfs
+Vcs-Git: https://github.com/darkrain42/tailscale-initramfs.git
+Rules-Requires-Root: no
+
+Package: tailscale-initramfs
+Architecture: all
+Depends: initramfs-tools, tailscale, ${misc:Depends}
+Recommends: ca-certificates
+Suggests: dropbear-initramfs
+Description: tailscale VPN - third-party initramfs integration
+ tailscale is a WireGuard VPN. This package provides initramfs integration,
+ intended to allow connectivity to/from a tailnet, e.g. to to allow remote
+ unlocking of a cryptroot.

debian/copyright

@@ -0,0 +1,24 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: tailscale-initramfs
+Upstream-Contact: Paul Aurich <paul@darkrain42.org>
+Source: https://github.com/darkrain42/tailscale-initramfs
+
+Files: *
+Copyright: 2022 Paul Aurich <paul@darkrain42.org>
+License: GPL-2+
+
+# Started from dropbear-initramfs scripts.
+Files: scripts/*
+Copyright: 2009  <debian@x.ray.net>
+           2015 Guilhem Moulin <guilhem@debian.org>
+           2022 Paul Aurich <paul@darkrain42.org>
+License: GPL-2+
+
+License: GPL-2+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ The full text of version 2 of the GPL is distributed in
+ /usr/share/common-licenses/GPL-2 on Debian systems.

debian/install

@@ -0,0 +1,5 @@
+conf-hooks.d/tailscale usr/share/initramfs-tools/conf-hooks.d
+config/config etc/tailscale/initramfs
+hooks/tailscale usr/share/initramfs-tools/hooks
+scripts/init-bottom/tailscale usr/share/initramfs-tools/scripts/init-bottom
+scripts/init-premount/tailscale usr/share/initramfs-tools/scripts/init-premount

debian/rules

@@ -0,0 +1,14 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+
+%:
+	dh $@
+
+execute_after_dh_fixperms:
+	chmod 600 debian/tailscale-initramfs/etc/tailscale/initramfs/config
+
+override_dh_builddeb:
+	# Workaround for building on Ubuntu and installing on Debian (Ubuntu uses
+	# zstd). https://bugs.debian.org/892664
+	dh_builddeb -- -Zxz

debian/source/format

@@ -0,0 +1 @@
+3.0 (native)

debian/tailscale-initramfs.lintian-overrides

@@ -0,0 +1 @@
+tailscale-initramfs: non-standard-file-perm etc/tailscale/initramfs/config 0600 != 0644