+scp -q ~/.ssh/id_rsa.pub \
+ root@$faiserver_host:/srv/fai/config/files/root/.ssh/authorized_keys/GRUB_PC
+# todo: automatically disable faiserver after a period so
+# these files are not exposed.
+s scp -qr /q/root/luks /q/root/shadow \
+ root@$faiserver_host:/srv/fai/config/distro-install-common
+
+# should tar ssh all the files, but these ones really justified it
+tar -cz /p/c/machine_specific/*/filesystem/etc/ssh | \
+ ssh root@$faiserver_host tar -xz -C /srv/fai/config/distro-install-common
+
+
+# built BELENOS basefile with mk-basefile -J BELENOS64. it's stored in
+# it's own repo which is published alongside this one called
+# fai-basefiles due to being a large binary file.
+
+declare -A sums
+while read -r sum file; do
+ sums[$file]=$sum
+done < <(cat /a/bin/fai-basefiles/md5sums.txt)
+
+{ timeout 2 curl -s http://fai-project.org/download/basefiles/md5sums.txt ||:; } |
+ while read -r sum file; do
+ if [[ ${sums[$file]} && ${sums[$file]} != $sum ]]; then
+ echo "${0##*/}: WARNING!!!!!!!!! NEW UPSTREAM BASEFILE: $file"
+ fi
+ done
+rsync -r --delete /a/bin/fai-basefiles/basefiles root@$faiserver_host:/srv/fai/config
+ssh root@$faiserver_host bash <<'EOF'
+set -eE -o pipefail
+set -x
+# make it the root because pxe-kexec only looks there.
+# It wouldn't be too hard to change if we needed.
+# We could also just dump things in /srv/tftp, but fai
+# has some defaults, which I don't even use, which expect
+# the other directory, so it's kind of a tossup, whatever.
+sed -ri 's,^ *(TFTP_DIRECTORY=).*,\1"/srv/tftp/fai",' /etc/default/tftpd-hpa
+systemctl restart tftpd-hpa
+chmod 644 /srv/fai/config/files/root/.ssh/authorized_keys/GRUB_PC
+chmod -R a+rX /srv/fai/config/distro-install-common
+# this basefile has tar acls bug, so I'm using my own
+# local one for now.
+#cd /srv/fai/config/basefiles
+#u=http://fai-project.org/download/basefiles/XENIAL64.tar.xz
+#wget -nv -N $u
+
+changed=false
+f=/srv/fai/nfsroot/root/.ssh/known_hosts
+# the known hosts entries that fai already sets up are like
+# IP,HOSTNAME key_info...
+# we are skipping the ip, because it doesn't block ssh
+# with a prompt as long as you have the user supplied hostname,
+# and i don't want to deal with getting it, it's not adding
+# any important security in this case.
+if ! grep -xFq "$line" $f; then
+ changed=true
+ printf "%s\n" "$line" >>$f
+fi
+
+if ! modprobe nfsd &>/dev/null; then
+ # no apt-cache on maru debian, because we are low on space already
+ sed -i '/^ *APTPROXY=/d' /srv/fai/config/class/DEBIAN.var
+ # maru debian doesn't have loopback devs created
+ if ! losetup -f; then
+ shopt -s nullglob
+ x=(/dev/loop*)
+ minor=0
+ if (( ${#x[@]} )); then
+ minor=$(( ${x[-1]#/dev/loop} + 1 ))
+ fi
+ mknod -m660 /dev/loop$minor b 7 $minor
+ losetup -f
+ fi
+ # -B boo only iso, no nfsroot, no paritial miorr, no config space.
+ # -f = force, for overwriting
+ # -S = make squash image for http booting
+ # -d config space url, instead of putting it in the squash.img,
+ # this just makes it so that we don't have to regenerate the img
+ # when the config changes.
+ cd /srv/fai/config
+ tar czf /var/www/faiserver/html/config.tar.gz .
+ if $changed || [[ ! -e /var/www/faiserver/html/squash.img ]]; then
+ # note, on maru, selinux needs to be disabled in android before
+ # this will work.
+ mount
+ export debug=true
+ fai-cd -d http://faiserver:8080/config.tar.gz -f -M -S /var/www/faiserver/html/squash.img
+ mount
+ fi
+fi
+EOF