X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=fai%2Fconfig%2Fdistro-install-common%2Fend;h=2455ece011a46266e2ce65e86abfbdf099e8bed2;hb=HEAD;hp=6be266ebacfedd9b4e8a61d0b9bd14ece91a0267;hpb=2e975979fa5bad84f3d2a84a9d62fbfd8793374c;p=automated-distro-installer
diff --git a/fai/config/distro-install-common/end b/fai/config/distro-install-common/end
index 6be266e..2455ece 100755
--- a/fai/config/distro-install-common/end
+++ b/fai/config/distro-install-common/end
@@ -4,84 +4,117 @@ set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 if [[ $EUID != 0 ]]; then
- echo "$0: error: expected to be root."
- exit 1
+ echo "$0: error: expected to be root."
+ exit 1
 fi
-### begin set hostname
-echo $HOSTNAME > /etc/hostname
-sed -i '/^127\.0\.1\.1/d' /etc/hosts
-echo "127.0.1.1 $HOSTNAME" >> /etc/hosts
-hostname -F /etc/hostname
-### end set hostname
-
-TPW=/q/root/shadow/traci-simple
-if ifclass tp; then
- ROOTPW="$TPW"
-else
- ROOTPW=/q/root/shadow/standard
+# ssh host keys
+# note, $BASH_SOURCE is not defined here under fai.
+
+src=$(dirname "$0")/p/c/machine_specific/$HOSTNAME/filesystem/etc/ssh
+dst=$target/etc/ssh
+if [[ -e $src && -e $dst ]]; then
+ # outside of fai context or setting up a brand new host, we skip this
+ cp -rT $src $dst
 fi
-chpw() {
- # generating a hashed password:
- # under debian, you can do
- # mkpasswd -m sha-512 -s >/q/root/shadow/standard
- # On arch, best seems to be copy your shadow file to a temp location,
- # then passwd, get out the new pass, then copy the shadow file back.
-
- user=$1
- pwfile=$2
- if [[ $pwfile && -e $pwfile ]]; then
- printf "$user:" | cat - "$pwfile" | $ROOTCMD chpasswd -e
- else
- echo "$0: warning: no pw set for $user"
- fi
-}
-au() {
- if ! $ROOTCMD getent passwd $1; then
- $ROOTCMD useradd -m -s /bin/bash $1 || [[ $? == 9 ]]
- fi
+root_pw_f=/q/root/shadow/standard
+if [[ ! -e $root_pw_f ]]; then
+ root_pw_f=/q/root/shadow/$HOSTNAME
+fi
+
+au() { # add user. i don't use adduser for portability
+ local user=${@: -1}
+ if ! $ROOTCMD getent passwd $user; then
+ $ROOTCMD useradd -c $user -Um -s /bin/bash $@
+ fi
 }
-chpw root "$ROOTPW"
-# 9 = user already exists. so we are idempotent.
-au ian
-chpw ian "$ROOTPW"
-au traci
+# only setup root pass for bootstrap vol
+# for bootstrap vol, we only use root user
+if ifclass VOL_BULLSEYE_BOOTSTRAP || ifclass VOL_BOOKWORM_BOOTSTRAP; then
+ sed 's/^/root:/' $root_pw_f | $ROOTCMD chpasswd -e
+ exit 0
+fi
+
+
+# return of 9 = user already exists. so we are idempotent.
+au iank
+# generating a hashed password:
+# under debian, you can do
+# mkpasswd -m sha-512 -s >/q/root/shadow/standard
+# On arch, best seems to be copy your shadow file to a temp location,
+# then passwd, get out the new pass, then copy the shadow file back.
+if [[ -e $root_pw_f ]]; then
+ sed 's/^/root:/' $root_pw_f | $ROOTCMD chpasswd -e
+ sed 's/^/iank:/' $root_pw_f | $ROOTCMD chpasswd -e
+fi
+
+au user2
 if ifclass frodo; then
- chpw traci "$TPW"
+ sed 's/^/user2:/' /q/root/shadow/user2 | $ROOTCMD chpasswd -e
 fi
-# comparing ian's groups to traci, I see none she should join on arch
-$ROOTCMD usermod -a -G traci ian
+# comparing iank's groups to user2, I see none she should join on arch
+$ROOTCMD usermod -a -G user2 iank
+$ROOTCMD getent group docker &>/dev/null || $ROOTCMD groupadd -r docker
+$ROOTCMD usermod -a -G docker iank
+
 # based on unison error, with 8192 from
 # sysctl -a | grep fs.inotify.max_user_watches
 #http://stackoverflow.com/questions/535768/what-is-a-reasonable-amount-of-inotify-watches-with-linux
-
 f=$target/etc/sysctl.d/99-sysctl.conf
 key=fs.inotify.max_user_watches
-if [[ -e $f ]]; then sed -ri "/^\s*$key\s*=/d" $f; fi
-echo "fs.inotify.max_user_watches = 1000000" >> $f
+if [[ -e $f ]]; then sed -ri --follow-symlinks "/^\s*$key\s*=/d" $f; fi
+echo "fs.inotify.max_user_watches = 50000" >> $f
 # applies it. it would be also be applied after a reboot
 $ROOTCMD sysctl --system
-f=$target/etc/sudoers
-line='ian ALL=(ALL) NOPASSWD: ALL'
-if [[ ! -e $f ]] || ! grep -xF "$line" $f; then
- echo "$line" >> $f
+if getent group sudo >/dev/null; then
+ $ROOTCMD usermod -aG sudo iank
 fi
+mkdir -p $target/etc/sudoers.d
+cat >$target/etc/sudoers.d/ianksudoers <<'EOF'
+Defaults timestamp_timeout=1440
+# used in bashrc
+Defaults env_keep += SUDOD
+# always_set_home
+# makes ubuntu be like debian
+# https://unix.stackexchange.com/a/91572
+Defaults always_set_home
+# umask: default setting is to have minimum umask of 0022
+# This lets us have user-specific umasks which are more permissive.
+# I did this for transmission and set it's umask gecos on install,
+# see there for more info.
+Defaults !umask
+# i use sudo in cronjobs, it spams the logs rather uselessly
+# https://stackoverflow.com/questions/14277116/suppress-log-entry-for-single-sudo-commands
+Defaults:root,iank !log_allowed, !pam_session
+# for just the root user, set some env vars
+Defaults>root env_file=/etc/rootsudoenv
+
+# a few commands we should be able to run with no password
+iank ALL = (root) NOPASSWD: /usr/local/bin/spend,/usr/local/bin/us,/usr/local/bin/off,/usr/bin/nmtui-connect,/usr/local/bin/bitcoinoff,/usr/local/bin/bitcoinon
+
+EOF
+
+case $HOSTNAME in
+ li|bk|je)
+ cat >>$target/etc/sudoers.d/ianksudoers <<'EOF'
+iank ALL=(ALL) NOPASSWD: ALL
+EOF
+ ;;
+esac
+
+# remove old config line. can be removed eventually.
+f=$target/etc/sudoers
+line='iank ALL=(ALL) NOPASSWD: ALL'
+if grep -qxF "$line" $f; then
+ sed -i "/^$line/d" $f
+fi
-dir=/q/p/c/machine_specific/$HOSTNAME/.unison
-$ROOTCMD mkdir -p $dir
-$ROOTCMD ln -sf /q/p /
-$ROOTCMD chown -R 1000:1000 $dir
-while true; do
- $ROOTCMD chown 1000:1000 $dir
- $ROOTCMD chmod 700 $dir
- dir=$(dirname $dir)
- [[ $dir != /q ]] || break
-done
+au --system -s /bin/false --home-dir /var/lib/bitcoind bitcoin
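Review bot: The sudo-group check `if getent group sudo >/dev/null; then` queries the installer host's group database, while the `usermod -aG sudo iank` on the next line runs inside the target through `$ROOTCMD`, so on a target image that has no sudo group the usermod fails and the ERR trap aborts the run; the docker check a few lines earlier already uses `$ROOTCMD getent group docker`, so this line should be `if $ROOTCMD getent group sudo >/dev/null; then`. The sudoers fragment is written with `cat >` under whatever umask is in effect and nothing checks it, so I would add `chmod 0440 $target/etc/sudoers.d/ianksudoers` and `$ROOTCMD visudo -cf /etc/sudoers.d/ianksudoers` after the `esac`, because sudo refuses a fragment that is writable by anyone but root and a syntax error in it disables sudo for every user on the host. The comment `# return of 9 = user already exists. so we are idempotent.` is stale now that `au` skips useradd when `getent passwd` finds the user and no longer tolerates exit status 9; it should read `# au is idempotent: useradd only runs when getent finds no such user.`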