# TailRescue Headscale Live ISO

A Debian Live based rescue ISO for recovery and backup work.

Goals:

- Boots from Ventoy/iVentoy/Proxmox ISO
- Joins the wired network automatically via DHCP
- Registers itself with the PharmQ Headscale server through Tailscale
- Reachable over SSH from outside via its Tailnet IP
- Inspects disks on Windows/industrial PCs and mounts NTFS read-only
- Supports safe backups with rsync/rclone/restic/gddrescue

## Current verification status

Verified: 2026-06-01

- Build host: `pve7`
- Test VM: `pve7` VMID `990`
- Headscale login server: `https://head.pharmq.kr`
- Example auto-registered node: `tailrescue-44a29acb-3hhi3pl0`
- Tailnet SSH verified: `ssh rescue@100.64.0.80` succeeded
- Passwordless sudo verified
- Disk detection verified: `/dev/sda`, `/dev/sdb`
- NTFS tools confirmed present: `ntfs-3g`, `ntfs-3g.probe`, `ntfsfix`

## Repository policy

Only the following are kept in Git:

- live-build configuration templates
- build/verification scripts
- runbooks/docs
- Hermes skill

The following are never committed:

- finished ISOs (`*.iso`)
- Headscale preauth keys
- plaintext passwords
- private SSH keys
- build chroot/cache/binary artifacts

ISOs go to Gitea Release attachments, a separate artifact store, or an internal location such as `/root/tailrescue-dist`.

## Quick start

```bash
cp templates/rescue.env.example rescue.env
# set the site-specific preauth key/password/authorized key in rescue.env
./scripts/build-live-iso.sh
./scripts/test-proxmox-vm.sh
```

## Field workflow

1. Copy the latest ISO to a Ventoy USB stick
2. Boot the target PC from the ISO
3. Press Enter at the Debian Live menu
4. Wait 1~2 minutes
5. Look up the `tailrescue-*` node's IP in Headscale
6. `ssh rescue@100.64.x.y`
7. `rescue-status`, `list-disks`
8. `sudo mount-ntfs-ro /dev/sdXN /mnt/windows`
9. Run the backup

## Security principles

- Use a single-use or short-lived Headscale preauth key per site
- The password fallback is for the Tailnet-only MVP only; rotate it for every site
- Prefer public-key auth wherever possible
- The original NTFS volume is mounted read-only by default
- Remove the ephemeral `tailrescue-*` node after the job

## v0.1.1 i386 industrial PC rescue build

Verified: 2026-06-01

- Release: https://git.0bin.in/thug0bin/tailrescue-headscale-iso/releases/tag/v0.1.1
- i386 ISO: https://git.0bin.in/thug0bin/tailrescue-headscale-iso/releases/download/v0.1.1/tailrescue-headscale-i386-240h-20260601-2312.iso
- SHA256: `71e00ab650f177d62295da66b8c7323d95150621ab3a0e7d60c94a39bb8c8173`
- Architecture: `i386`, Debian 12 `linux-image-686-pae`
- Tailscale: i386 `.deb` bundled directly
- Proxmox verification: VMID `991`, `qemu32`, `rtl8139`
- Headscale auto-registration: verified with `tag:rescue` and a 240h reusable/ephemeral preauth key
- Verified Tailnet IP: `100.64.0.78`
- SSH from the CT909 admin host (`100.64.0.72`) to the rescue node verified

Download and verify:

```bash
curl -fL -O https://git.0bin.in/thug0bin/tailrescue-headscale-iso/releases/download/v0.1.1/tailrescue-headscale-i386-240h-20260601-2312.iso
curl -fL -O https://git.0bin.in/thug0bin/tailrescue-headscale-iso/releases/download/v0.1.1/SHA256SUMS.i386
sha256sum -c SHA256SUMS.i386
```

Also compare the result against the SHA256 recorded above: a SHA256SUMS file fetched from the same release as the ISO only catches a corrupted download, not an attachment that was replaced together with its checksum file.

Build equivalent:

```bash
ARCH=i386 ISO_NAME=tailrescue-headscale-i386-240h-20260601-2312.iso ./scripts/build-live-iso.sh
```

## Gitea Release artifact

The verified PoC ISO is published as a Gitea Release attachment:

- Release: https://git.0bin.in/thug0bin/tailrescue-headscale-iso/releases/tag/v0.1.0
- ISO: https://git.0bin.in/thug0bin/tailrescue-headscale-iso/releases/download/v0.1.0/tailrescue-headscale-20260601-1842.iso
- SHA256SUMS: https://git.0bin.in/thug0bin/tailrescue-headscale-iso/releases/download/v0.1.0/SHA256SUMS

Download and verify:

```bash
curl -fL -O https://git.0bin.in/thug0bin/tailrescue-headscale-iso/releases/download/v0.1.0/tailrescue-headscale-20260601-1842.iso
curl -fL -O https://git.0bin.in/thug0bin/tailrescue-headscale-iso/releases/download/v0.1.0/SHA256SUMS
sha256sum -c SHA256SUMS
```

Release upload pattern for future builds (the empty path segment between `releases/` and `/assets` takes the numeric release ID):

```bash
curl -H "Authorization: token $GITEA_TOKEN" \
  -F "attachment=@tailrescue-headscale-YYYYMMDD-HHMM.iso" \
  "https://git.0bin.in/api/v1/repos/thug0bin/tailrescue-headscale-iso/releases//assets?name=tailrescue-headscale-YYYYMMDD-HHMM.iso"
```

Do not commit ISO files into Git.

Note: the repository is public, so Release attachments can be downloaded without authentication. Do not commit secrets or a site-specific `rescue.env`; rotate preauth keys per build.
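The two "Download and verify" steps above check the ISO against a SHA256SUMS file pulled from the same release. The following is an added example, not part of the project's scripts, that verifies a download against a digest pinned out of band (for instance the SHA256 recorded in this README). The function names `sha256_of` and `verify_pinned` are assumptions made for this example; it relies only on coreutils `sha256sum` (or `shasum` as a fallback).

```shell
#!/bin/sh
# Added example (not part of tailrescue-headscale-iso): verify an ISO against a
# SHA256 that was obtained separately from the download, so a swapped ISO plus a
# swapped SHA256SUMS file is still detected.

# sha256_of FILE -> prints the lowercase hex digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 if FILE is missing or the digest is
# malformed. The pinned value is lowercased and must be exactly 64 hex chars,
# so a truncated or mangled copy-paste cannot be accepted by accident.
verify_pinned() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    case $expected in
        *[!0-9a-f]*|'') echo "malformed digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "digest must be 64 hex chars" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage with the v0.1.1 i386 ISO and the digest recorded in this README:
#   verify_pinned tailrescue-headscale-i386-240h-20260601-2312.iso \
#       71e00ab650f177d62295da66b8c7323d95150621ab3a0e7d60c94a39bb8c8173
```

Record the pinned digest somewhere the download path cannot alter (this README in Git, a ticket, a signed message); `sha256sum -c` on the release's own SHA256SUMS remains useful as a transfer-integrity check.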
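Step 8 of the field workflow above mounts the Windows volume with `mount-ntfs-ro`, whose contents are not shown on this page. The following is an added example of what such a wrapper should guard before touching an original disk; it is hypothetical and not the project's own `mount-ntfs-ro` script. The names `is_mounted` and `mount_ntfs_ro` are assumptions, and the `ntfs-3g.probe --readonly` and `mount -t ntfs-3g` calls are the standard ntfs-3g package tools listed as present in the ISO.

```shell
#!/bin/sh
# Added example (hypothetical; not the project's mount-ntfs-ro): mount an NTFS
# volume strictly read-only with the checks an operator wants on a source disk.

# is_mounted DEV -> 0 if DEV already appears as a mount source in /proc/mounts.
is_mounted() {
    [ -r /proc/mounts ] && grep -q "^$1 " /proc/mounts
}

# mount_ntfs_ro DEV MOUNTPOINT
# Exit status: 0 mounted, 2 bad arguments (not a block device, already mounted,
# mountpoint outside /mnt), 3 ntfs-3g.probe refused the volume, 4 mount failed.
mount_ntfs_ro() {
    dev=$1
    mnt=$2
    [ -n "$dev" ] && [ -n "$mnt" ] || {
        echo "usage: mount_ntfs_ro /dev/sdXN /mnt/dir" >&2; return 2; }
    # Only block devices: rejects regular files, char devices such as /dev/null,
    # and mistyped device names before anything is opened.
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 2; }
    if is_mounted "$dev"; then
        echo "$dev is already mounted; refusing to mount it twice" >&2
        return 2
    fi
    # Keep rescue mounts in one place so nothing lands on the live system root.
    case $mnt in
        /mnt/*) ;;
        *) echo "mountpoint must be under /mnt" >&2; return 2 ;;
    esac
    mkdir -p "$mnt" || return 2
    # ntfs-3g.probe --readonly exits 0 only if the volume can be mounted in the
    # requested (read-only) mode; it does not open the volume for writing.
    if command -v ntfs-3g.probe >/dev/null 2>&1; then
        ntfs-3g.probe --readonly "$dev" || {
            echo "ntfs-3g.probe rejected $dev for read-only mount" >&2; return 3; }
    fi
    # ro: no writes to the source disk (including no journal replay);
    # noexec,nosuid,nodev: nothing from the customer's disk can execute or be
    # treated as a device on the rescue system; noatime: no access-time churn.
    mount -t ntfs-3g -o ro,noexec,nosuid,nodev,noatime "$dev" "$mnt" || return 4
    echo "$dev mounted read-only at $mnt"
}

# Usage on a rescue node (requires root):
#   mount_ntfs_ro /dev/sda2 /mnt/windows
```

`ntfsfix`, which the ISO also ships, writes to the volume (it clears the dirty flag and schedules chkdsk); do not run it on the original disk you are preserving. Image first with gddrescue and repair the image, or work only through the read-only mount.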