X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=fai%2Fconfig%2Fdistro-install-common%2Fend;h=22fa4f0c322f34b1310626ed88d97321d9c63ef5;hb=79cd04733bf570db299ef09195c498a63f3f3fd5;hp=0204ce50025bd3312267c7bed58c2382c17413a2;hpb=f67d4b719356595b424aa3cd358abc79426583c5;p=automated-distro-installer diff --git a/fai/config/distro-install-common/end b/fai/config/distro-install-common/end index 0204ce5..22fa4f0 100755 --- a/fai/config/distro-install-common/end +++ b/fai/config/distro-install-common/end @@ -18,28 +18,11 @@ if [[ -e $src && -e $dst ]]; then cp -rT $src $dst fi -USER2PW=/q/root/shadow/user2 -# if doesn't exist, we dont set one -ROOTPW=/q/root/shadow/standard -if [[ ! -e $ROOTPW ]]; then - ROOTPW=/q/root/shadow/$HOSTNAME +root_pw_f=/q/root/shadow/standard +if [[ ! -e $root_pw_f ]]; then + root_pw_f=/q/root/shadow/$HOSTNAME fi -chpw() { - # generating a hashed password: - # under debian, you can do - # mkpasswd -m sha-512 -s >/q/root/shadow/standard - # On arch, best seems to be copy your shadow file to a temp location, - # then passwd, get out the new pass, then copy the shadow file back. - - user=$1 - pwfile=$2 - if [[ $pwfile && -e $pwfile ]]; then - printf "$user:" | cat - "$pwfile" | $ROOTCMD chpasswd -e - else - echo "$0: warning: no pw set for $user" >&2 - fi -} au() { # add user. i don't use adduser for portability local user=${@: -1} if ! $ROOTCMD getent passwd $user; then @@ -47,7 +30,6 @@ au() { # add user. i don't use adduser for portability fi } -chpw root "$ROOTPW" # only setup root pass for bootstrap vol if ifclass VOL_BULLSEYE_BOOTSTRAP; then @@ -57,11 +39,19 @@ fi # return of 9 = user already exists. so we are idempotent. au iank -chpw iank "$ROOTPW" +# generating a hashed password: +# under debian, you can do +# mkpasswd -m sha-512 -s >/q/root/shadow/standard +# On arch, best seems to be copy your shadow file to a temp location, +# then passwd, get out the new pass, then copy the shadow file back. +if [[ -e $root_pw_f ]]; then + sed 's/^/root:/' $root_pw_f | $ROOTCMD chpasswd -e + sed 's/^/iank:/' $root_pw_f | $ROOTCMD chpasswd -e +fi au user2 if ifclass frodo; then - chpw user2 "$USER2PW" + sed 's/^/user2:/' /q/root/shadow/user2 | $ROOTCMD chpasswd -e fi # comparing iank's groups to user2, I see none she should join on arch $ROOTCMD usermod -a -G user2 iank @@ -80,10 +70,47 @@ echo "fs.inotify.max_user_watches = 50000" >> $f # applies it. it would be also be applied after a reboot $ROOTCMD sysctl --system +if getent group sudo >/dev/null; then + $ROOTCMD usermod -aG sudo iank +fi + +cat >$target/etc/sudoers.d/ianksudoers <<'EOF' +Defaults timestamp_timeout=1440 +# used in bashrc +Defaults env_keep += SUDOD +# always_set_home +# makes ubuntu be like debian +# https://unix.stackexchange.com/a/91572 +Defaults always_set_home +# umask: default setting is to have minimum umask of 0022 +# This lets us have user-specific umasks which are more permissive. +# I did this for transmission and set it's umask gecos on install, +# see there for more info. +Defaults !umask +# i use sudo in cronjobs, it spams the logs rather uselessly +# https://stackoverflow.com/questions/14277116/suppress-log-entry-for-single-sudo-commands +Defaults:root,iank !log_allowed, !pam_session +# for just the root user, set some env vars +Defaults>root env_file=/etc/rootsudoenv + +# a few commands we should be able to run with no password +iank ALL = (root) NOPASSWD: /usr/local/bin/spend,/usr/bin/nmtui-connect + +EOF + +case $HOSTNAME in + li|bk|je) + cat >>$target/etc/sudoers.d/ianksudoers <<'EOF' +iank ALL=(ALL) NOPASSWD: ALL +EOF + ;; +esac + +# remove old config line. can be removed eventually. f=$target/etc/sudoers line='iank ALL=(ALL) NOPASSWD: ALL' -if [[ ! -e $f ]] || ! grep -xF "$line" $f; then - echo "$line" >> $f +if grep -qxF "$line" $f; then + sed -i "/^$line/d" $f fi