osi-tools/osi-mk.d/systemd-osi-shell.sh

#!/hint/bash -euE
# Copyright (C) 2018  Luke Shumaker
# SPDX-License-Identifier: AGPL-3.0-or-later

post_install+=(10:systemd-osi-shell:post_install)
systemd-osi-shell:post_install() {
	local arg_mountpoint=$1
	
	cat <<-'EOT' > "${arg_mountpoint}/etc/systemd/system/osi-shell.target"
		[Unit]
		Description=osi-shell target
		Requires=multi-user.target
		After=multi-user.target
		Conflicts=rescue.target
		AllowIsolate=yes
		EOT
	ln -sfT -- osi-shell.target "${arg_mountpoint}/etc/systemd/system/default.target"

	cat <<-'EOT' > "${arg_mountpoint}/etc/systemd/system/osi-shell.service"
		[Unit]
		Description=osi-shell service
		Wants=network-online.target
		After=network-online.target

		[Service]
		KillSignal=SIGHUP
		KillMode=process
		IgnoreSIGPIPE=no

		# We can't use login(1) because it masks the exit status of the shell,
		# but we want this to be a real local login with PAM, so use su(1),
		# but trick in in to using login(1)'s PAM config.  We undo this trick by
		# using nsenter(1) to reset the mount namespace after we've done the PAM stuff.
		# This hardcodes the shell as /bin/bash, which is the default for root.
		ExecStart=/bin/unshare --mount -- sh -c 'mount --bind /etc/pam.d/login /etc/pam.d/su && exec -- su -c "exec nsenter --mount --target=1 -- bash -l"'
		StandardInput=tty
		TTYPath=/dev/ttyS0
		TTYReset=yes
		TTYVHangup=yes

		# Write the exit status to ttyS1 and poweroff
		# Bash sets exit status to 128+SIGNAL if we get killed by a signal,
		# but there's not a good one-liner way to get from signal name to number,
		# so just use 128.
		ExecStopPost=/bin/sh -c 'if [ "$EXIT_CODE" = exited ]; then echo $EXIT_STATUS; else echo 128; fi > /dev/ttyS1; systemctl poweroff --no-block'

		[Install]
		WantedBy=osi-shell.target
		EOT
	systemctl --root="$arg_mountpoint" enable osi-shell.service
}