+
+if [[ ! -e $basefile ]]; then
+ printf "%s\n" "$0: error basefile=$basefile does not exist" >&2
+ exit 1
+fi
+
+if [[ ! -d $BASEFILE_DIR ]]; then
+ printf "%s\n" "$0: error BASEFILE_DIR=$BASEFILE_DIR does not exist" >&2
+ exit 1
+fi
+
+
+if ! type -p wget &>/dev/null; then
+ apt-get install -y wget
+fi
+
+armhf() {
+ [[ $(dpkg --print-architecture) == armhf ]]
+}
+
+# fai on ubuntu only has official support using the universe repo, but newer
+# tends to have less bugs.
+wget -O - https://fai-project.org/download/2BF8D9FE074BCDE4.asc | apt-key add -
+
+update=false
+case $base in
+ stretch|bullseye|bullseye)
+ if ! grep -qFx "deb https://fai-project.org/download $base koeln" /etc/apt/sources.list.d/fai.list; then
+ update=true
+ fi
+ cat >/etc/apt/sources.list.d/fai.list <<EOF
+deb https://fai-project.org/download $base koeln
+EOF
+ ;;
+ *)
+ echo "$0: error: script needs updating for new base" >&2
+ exit 1
+ ;;
+esac
+
+f=/var/cache/apt/pkgcache.bin;
+if [[ -r $f ]]; then
+ cachetime=$(stat -c %Y $f );
+ now=$(date +%s)
+ limittime=$(( now - 60*60*2 ))
+ if (( cachtime > limittime )); then
+ update=true
+ fi
+fi
+
+if $update; then
+ apt-get update
+fi
+
+# Relevant packages from fai-quickstart depends and fai-server recommends.
+# I especially do not wait isc-dhcp-server or an inetd. Also excludes
+# nfs-kernel-server. On an android chroot, we don\'t have nfs in the
+# kernel, or the ability to install it.
+# xorriso is for running fai-cd -a, not strictly need for fai-server
+# perl-tk is for fai-monitor-gui
+pkgs=(fai-doc tftpd-hpa tar reprepro squashfs-tools binutils xorriso perl-tk)
+if modprobe nfsd &>/dev/null; then
+ pkgs+=(nfs-kernel-server)
+else
+ pkgs+=(apache2)
+fi
+
+
+e apt-get install -y ${pkgs[@]}
+# confnew since we edit /etc/fai/NFSROOT in an automated way
+# fai-client is already a fai-server dependency, but make sure it gets upgraded
+e apt-get install --no-install-recommends -y -o Dpkg::Options::=--no-force-confdef -o Dpkg::Options::=--force-confnew fai-server fai-client
+
+r=http://http.us.debian.org/debian
+# like default, but scrap httpredir, and nonfree.
+# All my systems should be able to get along without nonfree
+# for a base working system afaik.
+
+cat >/etc/fai/apt/sources.list <<EOF
+deb $r $base main contrib
+EOF
+
+### begin setup security repo ###
+case $base in
+ stretch|buster)
+ cat >>/etc/fai/apt/sources.list <<EOF
+deb http://security.debian.org/debian-security $base/updates main contrib
+EOF
+ ;;
+ *)
+ # new naming convention
+ cat >>/etc/fai/apt/sources.list <<EOF
+deb http://security.debian.org/debian-security $base-security main contrib
+EOF
+esac
+### end setup security repo ###
+
+
+cat >>/etc/fai/apt/sources.list <<EOF
+# use fai repo. it's commented in the defaults. it's got bug fixes.
+# and may contain newer packages.
+deb http://fai-project.org/download $base koeln
+EOF
+
+## Get latest kernel and btrfs for dealing with btrfs issues.
+# if [[ $base == buster ]]; then
+# cat >>/etc/fai/apt/sources.list <<'EOF'
+# deb http://ftp.debian.org/debian buster-backports main
+# EOF
+# # note, fai doesn\'t look at /etc/fai/apt/preferences.d
+# cat >/etc/fai/apt/preferences <<'EOF'
+# Package: linux-* firmware-linux-free btrfs-progs
+# Pin: release a=buster-backports
+# Pin-Priority: 500
+# EOF
+# fi
+
+
+$sed -f - /etc/fai/nfsroot.conf <<EOF
+$ a FAI_ROOTPW='$(</q/root/shadow/standard)'
+/^\s*FAI_ROOTPW/d
+$ a SSH_IDENTITY=/root/.ssh/home.pub
+/^\s*SSH_IDENTITY/d
+s,^( *FAI_DEBOOTSTRAP=).*,\1"$base $r",
+# add --arch amd64. this is needed on arm system which is
+# used to install amd64 clients. On amd64 servers, it's redundant.
+# disabled for now, since creating fai nfsroot on my arm machine
+# is not working
+#/--arch amd64/!s/^(\s*FAI_DEBOOTSTRAP_OPTS=")/\1--arch amd64 /
+EOF
+