#!/bin/bash -x
set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+if [[ $EUID != 0 ]]; then
+ echo "$0: error: expected to be root."
+ exit 1
+fi
+# ssh host keys
+# note, $BASH_SOURCE is not defined here under fai.
+src=$(dirname "$0")/p/c/machine_specific/$HOSTNAME/filesystem/etc/ssh
+dst=$target/etc/ssh
+if [[ -e $src && -e $dst ]]; then
+ # outside of fai context or setting up a brand new host, we skip this
+ cp -rT $src $dst
+fi
+
+USER2PW=/q/root/shadow/user2
+# if doesn't exist, we dont set one
+ROOTPW=/q/root/shadow/standard
+if [[ ! -e $ROOTPW ]]; then
+ ROOTPW=/q/root/shadow/$HOSTNAME
+fi
+
+chpw() {
+ # generating a hashed password:
+ # under debian, you can do
+ # mkpasswd -m sha-512 -s >/q/root/shadow/standard
+ # On arch, best seems to be copy your shadow file to a temp location,
+ # then passwd, get out the new pass, then copy the shadow file back.
+
+ user=$1
+ pwfile=$2
+ if [[ $pwfile && -e $pwfile ]]; then
+ printf "$user:" | cat - "$pwfile" | $ROOTCMD chpasswd -e
+ else
+ echo "$0: warning: no pw set for $user" >&2
+ fi
+}
+au() { # add user. i don't use adduser for portability
+ local user=${@: -1}
+ if ! $ROOTCMD getent passwd $user; then
+ $ROOTCMD useradd -c $user -Um -s /bin/bash $@
+ fi
+}
+
+chpw root "$ROOTPW"
+
+# only setup root pass for bootstrap vol
+if ifclass VOL_BULLSEYE_BOOTSTRAP; then
+ exit 0
+fi
+
+
+# return of 9 = user already exists. so we are idempotent.
+au iank
+chpw iank "$ROOTPW"
+
+au user2
+if ifclass frodo; then
+ chpw user2 "$USER2PW"
+fi
+# comparing iank's groups to user2, I see none she should join on arch
+$ROOTCMD usermod -a -G user2 iank
+
+
+$ROOTCMD getent group docker &>/dev/null || $ROOTCMD groupadd -r docker
+$ROOTCMD usermod -a -G docker iank
# based on unison error, with 8192 from
# sysctl -a | grep fs.inotify.max_user_watches
#http://stackoverflow.com/questions/535768/what-is-a-reasonable-amount-of-inotify-watches-with-linux
-echo "fs.inotify.max_user_watches = 1000000" >> $target/etc/sysctl.d/99-sysctl.conf
-# if we weren't rebooting, you could apply it now with:
-# sysctl --system
+f=$target/etc/sysctl.d/99-sysctl.conf
+key=fs.inotify.max_user_watches
+if [[ -e $f ]]; then sed -ri --follow-symlinks "/^\s*$key\s*=/d" $f; fi
+echo "fs.inotify.max_user_watches = 50000" >> $f
+# applies it. it would be also be applied after a reboot
+$ROOTCMD sysctl --system
+
+if getent group sudo >/dev/null; then
+ usermod -aG sudo iank
+fi
+
+cat >$target/etc/sudoers.d/ianksudoers <<'EOF'
+Defaults timestamp_timeout=1440
+# used in bashrc
+Defaults env_keep += SUDOD
+# always_set_home
+# makes ubuntu be like debian
+# https://unix.stackexchange.com/a/91572
+Defaults always_set_home
+# umask: default setting is to have minimum umask of 0022
+# This lets us have user-specific umasks which are more permissive.
+# I did this for transmission and set it's umask gecos on install,
+# see there for more info.
+Defaults !umask
+# i use sudo in cronjobs, it spams the logs rather uselessly
+# https://stackoverflow.com/questions/14277116/suppress-log-entry-for-single-sudo-commands
+Defaults:root,iank !log_allowed, !pam_session
+# for just the root user, set some env vars
+Defaults>root env_file=/etc/rootsudoenv
+EOF
-echo 'ian ALL=(ALL) NOPASSWD: ALL' >> $target/etc/sudoers
+case $HOSTNAME in
+ li|bk|je)
+ cat >>$target/etc/sudoers.d/ianksudoers <<'EOF'
+iank ALL=(ALL) NOPASSWD: ALL
+EOF
+ ;;
+esac
+# remove old config line. can be removed eventually.
+f=$target/etc/sudoers
+line='iank ALL=(ALL) NOPASSWD: ALL'
+if grep -qxF "$line" $f; then
+ sed -i "/^$line/d" $f
+fi
-dir=/q/p/c/machine_specific/$HOSTNAME/.unison
-$ROOTCMD mkdir -p $dir
-$ROOTCMD rm -rf /root/.unison
-$ROOTCMD ln -s $dir /root
-$ROOTCMD ln -s /q/p /
-$ROOTCMD ln -s /q/a /
-# kvm is normally created by some package,
-# but unison doesn't like unknown groups, so make it now so initial sync works.
-$ROOTCMD groupadd kvm
+au --system -s /bin/false --home-dir /var/lib/bitcoind bitcoin