# ssh host keys
# note, $BASH_SOURCE is not defined here under fai.
+
src=$(dirname "$0")/p/c/machine_specific/$HOSTNAME/filesystem/etc/ssh
dst=$target/etc/ssh
if [[ -e $src && -e $dst ]]; then
- # outside of fai context, we skip this
+ # outside of fai context or setting up a brand new host, we skip this
cp -rT $src $dst
fi
-USER2PW=/q/root/shadow/user2
-if ifclass ziva; then
- ROOTPW=/q/root/shadow/ziva
-else
- ROOTPW=/q/root/shadow/standard
+root_pw_f=/q/root/shadow/standard
+if [[ ! -e $root_pw_f ]]; then
+ root_pw_f=/q/root/shadow/$HOSTNAME
fi
-chpw() {
- # generating a hashed password:
- # under debian, you can do
- # mkpasswd -m sha-512 -s >/q/root/shadow/standard
- # On arch, best seems to be copy your shadow file to a temp location,
- # then passwd, get out the new pass, then copy the shadow file back.
-
- user=$1
- pwfile=$2
- if [[ $pwfile && -e $pwfile ]]; then
- printf "$user:" | cat - "$pwfile" | $ROOTCMD chpasswd -e
- else
- echo "$0: warning: no pw set for $user" >&2
- fi
-}
au() { # add user. i don't use adduser for portability
- if ! $ROOTCMD getent passwd ${@: -1}; then
- $ROOTCMD useradd -Um -s /bin/bash $@
+ local user=${@: -1}
+ if ! $ROOTCMD getent passwd $user; then
+ $ROOTCMD useradd -c $user -Um -s /bin/bash $@
fi
}
-chpw root "$ROOTPW"
# only setup root pass for bootstrap vol
-if ifclass VOL_STRETCH_BOOTSTRAP; then
+if ifclass VOL_BULLSEYE_BOOTSTRAP || VOL_BOOKWORM_BOOTSTRAP; then
exit 0
fi
# return of 9 = user already exists. so we are idempotent.
au iank
-chpw iank "$ROOTPW"
+# generating a hashed password:
+# under debian, you can do
+# mkpasswd -m sha-512 -s >/q/root/shadow/standard
+# On arch, best seems to be copy your shadow file to a temp location,
+# then passwd, get out the new pass, then copy the shadow file back.
+if [[ -e $root_pw_f ]]; then
+ sed 's/^/root:/' $root_pw_f | $ROOTCMD chpasswd -e
+ sed 's/^/iank:/' $root_pw_f | $ROOTCMD chpasswd -e
+fi
au user2
if ifclass frodo; then
- chpw user2 "$USER2PW"
+ sed 's/^/user2:/' /q/root/shadow/user2 | $ROOTCMD chpasswd -e
fi
# comparing iank's groups to user2, I see none she should join on arch
$ROOTCMD usermod -a -G user2 iank
f=$target/etc/sysctl.d/99-sysctl.conf
key=fs.inotify.max_user_watches
if [[ -e $f ]]; then sed -ri --follow-symlinks "/^\s*$key\s*=/d" $f; fi
-echo "fs.inotify.max_user_watches = 1000000" >> $f
+echo "fs.inotify.max_user_watches = 50000" >> $f
# applies it. it would be also be applied after a reboot
$ROOTCMD sysctl --system
-f=$target/etc/sudoers
-line='iank ALL=(ALL) NOPASSWD: ALL'
-if [[ ! -e $f ]] || ! grep -xF "$line" $f; then
- echo "$line" >> $f
+if getent group sudo >/dev/null; then
+ $ROOTCMD usermod -aG sudo iank
fi
-dir=/p/c/machine_specific/$HOSTNAME/.unison
-$ROOTCMD mkdir -p $dir
-if ! $ROOTCMD test -L /root/.unison; then
- $ROOTCMD rm -rf /root/.unison
- $ROOTCMD ln -s -T $dir /root/.unison
+cat >$target/etc/sudoers.d/ianksudoers <<'EOF'
+Defaults timestamp_timeout=1440
+# used in bashrc
+Defaults env_keep += SUDOD
+# always_set_home
+# makes ubuntu be like debian
+# https://unix.stackexchange.com/a/91572
+Defaults always_set_home
+# umask: default setting is to have minimum umask of 0022
+# This lets us have user-specific umasks which are more permissive.
+# I did this for transmission and set it's umask gecos on install,
+# see there for more info.
+Defaults !umask
+# i use sudo in cronjobs, it spams the logs rather uselessly
+# https://stackoverflow.com/questions/14277116/suppress-log-entry-for-single-sudo-commands
+Defaults:root,iank !log_allowed, !pam_session
+# for just the root user, set some env vars
+Defaults>root env_file=/etc/rootsudoenv
+
+# a few commands we should be able to run with no password
+iank ALL = (root) NOPASSWD: /usr/local/bin/spend,/usr/local/bin/us,/usr/local/bin/off,/usr/bin/nmtui-connect,/usr/local/bin/bitcoinoff,/usr/local/bin/bitcoinon
+
+EOF
+
+case $HOSTNAME in
+ li|bk|je)
+ cat >>$target/etc/sudoers.d/ianksudoers <<'EOF'
+iank ALL=(ALL) NOPASSWD: ALL
+EOF
+ ;;
+esac
+
+# remove old config line. can be removed eventually.
+f=$target/etc/sudoers
+line='iank ALL=(ALL) NOPASSWD: ALL'
+if grep -qxF "$line" $f; then
+ sed -i "/^$line/d" $f
fi
-$ROOTCMD chown -R 1000:1000 $dir
-while true; do
- $ROOTCMD chown 1000:1000 $dir
- $ROOTCMD chmod 700 $dir
- dir=$(dirname $dir)
- if [[ $dir == /p ]]; then break; fi
-done
au --system -s /bin/false --home-dir /var/lib/bitcoind bitcoin