TailRescue Headscale Live ISO

Debian Live 기반 구조/백업용 rescue ISO 프로젝트입니다.

목표:

• Ventoy/iVentoy/Proxmox ISO 부팅
• DHCP로 유선 네트워크 자동 연결
• PharmQ Headscale에 Tailscale 자동 등록
• 외부에서 Tailnet IP로 SSH 접속
• Windows/산업용 PC 디스크 확인 및 NTFS read-only 마운트
• rsync/rclone/restic/gddrescue로 안전한 백업 지원

현재 검증 상태

검증일: 2026-06-01

• 빌드 호스트: pve7
• 테스트 VM: pve7 VMID 990
• Headscale login server: https://head.pharmq.kr
• 자동등록 노드 예: tailrescue-44a29acb-3hhi3pl0
• Tailnet SSH 검증: ssh rescue@100.64.0.80 성공
• passwordless sudo 검증 성공
• 디스크 인식 검증: /dev/sda, /dev/sdb
• NTFS 도구 포함 확인: ntfs-3g, ntfs-3g.probe, ntfsfix

저장소 정책

Git에는 다음만 보관합니다.

• live-build 설정 템플릿
• 빌드/검증 스크립트
• runbook/docs
• Hermes skill

Git에는 다음을 넣지 않습니다.

• 완성 ISO (*.iso)
• Headscale preauth key
• password 원문
• private SSH key
• 빌드 chroot/cache/binary 산출물

ISO는 Gitea Release attachment, 별도 artifact storage, 또는 /root/tailrescue-dist 같은 내부 보관소에 둡니다.

빠른 사용

cp templates/rescue.env.example rescue.env
# rescue.env에 현장용 preauth key/password/authorized key 설정
./scripts/build-live-iso.sh
./scripts/test-proxmox-vm.sh

현장 흐름

1. 최신 ISO를 Ventoy USB에 복사
2. 대상 PC에서 ISO 부팅
3. Debian Live 메뉴에서 Enter
4. 1~2분 대기
5. Headscale에서 tailrescue-* 노드 IP 확인
6. ssh rescue@100.64.x.y
7. rescue-status, list-disks
8. sudo mount-ntfs-ro /dev/sdXN /mnt/windows
9. 백업 실행

보안 원칙

• 현장별 1회용/단기 Headscale preauth key 사용
• password fallback은 Tailnet-only MVP용이며 현장마다 교체
• 가능하면 public-key auth 우선
• 원본 NTFS는 read-only 마운트 기본
• 작업 후 ephemeral tailrescue-* 노드 정리

v0.1.1 i386 industrial PC rescue build

검증일: 2026-06-01

• Release: https://git.0bin.in/thug0bin/tailrescue-headscale-iso/releases/tag/v0.1.1
• i386 ISO: https://git.0bin.in/thug0bin/tailrescue-headscale-iso/releases/download/v0.1.1/tailrescue-headscale-i386-240h-20260601-2312.iso
• SHA256: 71e00ab650f177d62295da66b8c7323d95150621ab3a0e7d60c94a39bb8c8173
• Architecture: i386, Debian 12 linux-image-686-pae
• Tailscale: i386 .deb 직접 포함
• Proxmox 검증: VMID 991, qemu32, rtl8139
• Headscale 자동등록: tag:rescue, 240h reusable/ephemeral preauth key로 검증
• 검증 Tailnet IP: 100.64.0.78
• CT909 admin(100.64.0.72) → rescue SSH 검증 완료

Download and verify:

curl -fL -O https://git.0bin.in/thug0bin/tailrescue-headscale-iso/releases/download/v0.1.1/tailrescue-headscale-i386-240h-20260601-2312.iso
curl -fL -O https://git.0bin.in/thug0bin/tailrescue-headscale-iso/releases/download/v0.1.1/SHA256SUMS.i386
sha256sum -c SHA256SUMS.i386

Build equivalent:

ARCH=i386 ISO_NAME=tailrescue-headscale-i386-240h-20260601-2312.iso ./scripts/build-live-iso.sh

Gitea Release artifact

Verified PoC ISO is published as a Gitea Release attachment:

• Release: https://git.0bin.in/thug0bin/tailrescue-headscale-iso/releases/tag/v0.1.0
• ISO: https://git.0bin.in/thug0bin/tailrescue-headscale-iso/releases/download/v0.1.0/tailrescue-headscale-20260601-1842.iso
• SHA256SUMS: https://git.0bin.in/thug0bin/tailrescue-headscale-iso/releases/download/v0.1.0/SHA256SUMS

Download and verify:

curl -fL -O https://git.0bin.in/thug0bin/tailrescue-headscale-iso/releases/download/v0.1.0/tailrescue-headscale-20260601-1842.iso
curl -fL -O https://git.0bin.in/thug0bin/tailrescue-headscale-iso/releases/download/v0.1.0/SHA256SUMS
sha256sum -c SHA256SUMS

Release upload pattern for future builds:

curl -H "Authorization: token $GITEA_TOKEN"   -F "attachment=@tailrescue-headscale-YYYYMMDD-HHMM.iso"   "https://git.0bin.in/api/v1/repos/thug0bin/tailrescue-headscale-iso/releases/<release_id>/assets?name=tailrescue-headscale-YYYYMMDD-HHMM.iso"

Do not commit ISO files into Git.

Note: the repository is public so Release attachments can be downloaded without authentication. Do not commit secrets or field-specific rescue.env; rotate preauth keys per build.