generate and log random root password for every build

.gitignore

@@ -3,3 +3,4 @@
 /cache
 /temp
 *.ovpn
+password.log

Dockerfile

@@ -1,5 +1,5 @@
 FROM alpine:3.14
 # Ref: https://openwrt.org/docs/guide-user/additional-software/imagebuilder
-RUN  apk --no-cache add build-base bash gawk bzip2 git python2 gettext
+RUN  apk --no-cache add build-base bash gawk bzip2 git python2 gettext pwgen openssl
 COPY . /build
 WORKDIR /build

configs/base.mk

@@ -18,6 +18,13 @@ export NETWORK_DNS_SERVERS
 export NETWORK_DNS_SERVER_OVERRIDES
 export NETWORK_DNS_ADDR_OVERRIDES
 
+# hacky
+ifeq ($(origin ROOT_PASSWORD_HASH), undefined)
+ROOT_PASSWORD := $(shell pwgen 24 1)
+ROOT_PASSWORD_HASH := $(shell openssl passwd -1 '$(ROOT_PASSWORD)')
+endif
+export ROOT_PASSWORD_HASH
+
 .PHONY: base
 base: OPENWRT_PACKAGES += luci-ssl
 base: OPENWRT_FILES += configs/base
@@ -27,3 +34,4 @@ base:
 		CONFIG=$(CONFIG) IDENT=$(IDENT) \
 		OPENWRT_COPY="$(OPENWRT_COPY)" OPENWRT_FILES="$(OPENWRT_FILES)" OPENWRT_PACKAGES="$(OPENWRT_PACKAGES)" OPENWRT_EXTRA_NAME=$(OPENWRT_EXTRA_NAME) \
 		image
+	echo '$(ARCADE_ID):$(ARCADE_SLUG):$(ROOT_PASSWORD):$(ROOT_PASSWORD_HASH)' >> $(TOP)/password.log

configs/base/etc/shadow.env

@@ -0,0 +1,7 @@
+root:${ROOT_PASSWORD_HASH}:18673:0:99999:7:::
+daemon:*:0:0:99999:7:::
+ftp:*:0:0:99999:7:::
+network:*:0:0:99999:7:::
+nobody:*:0:0:99999:7:::
+dnsmasq:x:0:0:99999:7:::
+arcadeop:mkNa4GQQUSD46:18838:0:99999:7:::

configs/flower/etc/shadow

@@ -1,7 +0,0 @@
-root:$1$nD9GRZx3$/YjrAE4vGcWCgKR8iJYaE.:18673:0:99999:7:::
-daemon:*:0:0:99999:7:::
-ftp:*:0:0:99999:7:::
-network:*:0:0:99999:7:::
-nobody:*:0:0:99999:7:::
-dnsmasq:x:0:0:99999:7:::
-arcadeop:$1$y1NGWVs/$S3iq5aHdv1QavoL9Lea7B.:18838:0:99999:7:::