fix various arch issues
authorIan Kelling <ian@iankelling.org>
Sun, 8 May 2016 07:28:07 +0000 (00:28 -0700)
committerIan Kelling <ian@iankelling.org>
Mon, 6 Feb 2017 06:21:41 +0000 (22:21 -0800)
With 9 disks, the kernel cmdline was
~2100 chars, but it's limited to 2048.
So I modified the encrypt hook to need fewer kernel
args. Now it's down to ~800 chars.

arch-init
arch-init-chroot
arch-init-remote
arch-iso-init.sh [new file with mode: 0644]
arch-pxe
encrypt [new file with mode: 0644]
encrypt.upstream [new file with mode: 0644]
fai-redep
fai/config/distro-install-common/end
fai/config/hooks/partition.DEFAULT
pxe-server

index d1c554268c3df48e39dafca3cbd0881443389436..a9e5d68c49c38e6f3e5771bd2bdfbb671101712e 100755 (executable)
--- a/arch-init
+++ b/arch-init
@@ -17,7 +17,7 @@ if [[ $hostname == tp ]]; then
     ROOTPW="$TPPASS"
 fi
 
-(( $# >= 2 )) || { echo "error: need 2 arguments"; exit 1; }
+(( $# >= 1 )) || { echo "$0: error: need 1 or 2 arguments"; exit 1; }
 
 mv /root/devbyid /usr/bin
 
@@ -39,7 +39,6 @@ export -f ifclass
 for x in $(bash 50-host-classes); do
     export CLASS_$x=true
 done
-export CLASS_TWO_DISK=true
 export LUKS_DIR=/root/luks
 export HOSTNAME=$hostname
 export DISTRO=arch
@@ -47,6 +46,7 @@ chmod +x partition.DEFAULT
 
 export PARTITION_PROMPT=true
 
+# to be idempotent if we fail after partitioning
 already_partitioned=true
 mount_out=$(mount)
 for dir in /mnt{,/home,/boot,/q}; do
@@ -69,6 +69,7 @@ export rootn=1
 export bootn=3
 export swapn=2
 export BOOT_DEVICE
+export ROOT_PARTITIONS
 sed -ri "/^crypt_dev_\S+$rootn /d" /tmp/fai/crypttab
 
 if ! $already_partitioned; then
@@ -84,64 +85,18 @@ cp /root/luks/host-$hostname /mnt/crypto_keyfile.bin
 chmod 600 /mnt/crypto_keyfile.bin
 
 
-shopt -s extglob
-case $hostname in
-    # todo: these hosts are broken, not updated to new fai hyrbrid scripts.
-    frodo)
-
-        # for this system, no separate /boot, to keep partitions simple,
-        # since we want simpler backup recovery.
-        mount -U $rootid /mnt
-        ;;&
-    treetowl)
-        mount /dev/mapper/vg_treetowl00-lv02 /mnt
-        mount -U $bootid /mnt/boot
-        ;;&
-    frodo|treetowl)
-        rm -rf /mnt/!(a|i|q|f|boot) /mnt/boot/*
-        ;;
-esac
-
-
-
 if [[ $mirror ]]; then
     echo "$0: 404 errors about core.db etc are normal,
 they will succeed using the secodary mirror"
 fi
 pacstrap /mnt base
 cp /tmp/fai/{fstab,crypttab} /mnt/etc
-cp /usr/bin/devbyid /mnt/root
-case $hostname in
-    frodo)
-        # the root .ssh needs to be like this,
-        # because it\'s used to get the key to mount an encrypted filesystem
-        # on top of itself.
-        d=/mnt/q/root/.ssh
-        rm -rf $d # for idempotency
-        mkdir -p $d
-        scp -oStrictHostKeyChecking=no ian@treetowl:/a/c/machine_specific/frodo/subdir_files/.ssh/* $d
-        cp .ssh/* $d
-        ln -s /q/root/.ssh /mnt/root
-        # background: errors=remount-ro is a debian installer thing. seems like
-        # not a bad idea. man mount says: The default is set in the filesystem
-        # superblock, and can be changed using tune2fs(8)
-
-        cat > /mnt/etc/fstab <<'EOF'
-UUID=e9ce7b46-9a21-4e79-b7f7-0b18acb57587  /  ext4  noatime,errors=remount-ro  0  1
-UUID=dd67766f-93c5-4ce3-9877-a1d9841dd4a4  none  swap  sw  0  0
-/dev/sr0  /media/cdrom0  udf,iso9660 user,noauto  0  0
-/dev/mapper/crypta7  /mnt/btrfs_root  btrfs  subvolid=0,noatime,noauto  0  2
-/dev/mapper/crypta7  /a  btrfs  subvol=a,noatime,noauto  0  2
-EOF
-        ;;
-    *)
-        cp -r .ssh /mnt/root
-        cp -r /root/distro-install-common /mnt/root
-        ;;&
-    treetowl)
-        echo "UUID=a9e83bb7-d23d-4de6-ba9f-d88b887f7206  /a  ext4  noatime  0 2" >> /mnt/etc/fstab
-        ;;
-esac
+cp /root/encrypt /mnt/usr/lib/initcpio/hooks
+# not needed anymore
+#cp /usr/bin/devbyid /mnt/root
+
+cp -r .ssh /mnt/root
+cp -r /root/distro-install-common /mnt/root
 
 cp /root/arch-init-chroot /mnt/root
 # for manual commands, arch-chroot /mnt bash
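Review bot: `cp /root/encrypt /mnt/usr/lib/initcpio/hooks` overwrites the hook file that the mkinitcpio package owns, so the next mkinitcpio upgrade on the installed system will restore the stock `encrypt`, the `cryptdevices=` parameter this commit's kernel command line depends on will no longer be parsed, and the machine stops booting. mkinitcpio searches `/etc/initcpio/hooks/` before `/usr/lib/initcpio/hooks/` and pacman does not touch that directory, so the override survives upgrades if installed there: `mkdir -p /mnt/etc/initcpio/hooks && cp /root/encrypt /mnt/etc/initcpio/hooks/encrypt`. A comment above the copy naming which upstream version the file was forked from (presumably what the added `encrypt.upstream` is for) would make the next rebase against upstream easier.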
@@ -152,7 +107,7 @@ rm -f /mnt/etc/resolv.conf
 ln -s /run/systemd/resolve/resolv.conf /mnt/etc/resolv.conf
 
 # not necsesary, but makes reboot go fast.
-umount -R /mnt; sleep 1
+#umount -R /mnt; sleep 1
 
 # causes 255 exit code, so doing this from the caller script.
 # reboot now
index 6c9d66b673b0fa5f4526e141788364aab712ec1c..d2e0f976716b83e93adb7bfce95773836a1d6150 100755 (executable)
@@ -55,50 +55,28 @@ cat /etc/fstab
 # which will be the crypt device name under /dev/mapper/
 # https://wiki.archlinux.org/index.php/GRUB#Additional_arguments
 
-first_boot_dev=${BOOT_DEVICE%% *}
-crypt_dev=${first_boot_dev}$rootn
-crypt_name=$(/root/devbyid $crypt_dev)
-crypt_name=crypt_dev_${crypt_name##*/}
+
+root_devs=( ${ROOT_PARTITIONS} )
+first_root_dev=${root_devs[0]}
 
 
 k_args=(
-    cryptdevice=$crypt_dev:$crypt_name:allow-discards
-    root=/dev/mapper/$crypt_name
-    resume=${crypt_dev%[0-9]}$swapn
+    cryptdevices=${ROOT_PARTITIONS// /,}
+    root=/dev/mapper/crypt_dev_${first_root_dev##*/}
+    resume=${first_root_dev%[0-9]}$swapn
 )
-crypt_mapper_devs=(/dev/mapper/crypt_dev_*$rootn)
-crypt_count=${#crypt_mapper_devs[@]}
-if [[ crypt_count == 0 ]]; then
-    echo "$0: error: expected crypt_mapper_devs length to be > 0"
-    ls -la /dev/mapper
-    exit 1
-fi
-keyfile_vars=()
-dup_keys=()
 extra_encrypt_hooks=()
 
 
 # If we have more than 1 to decrypt, arch wiki lead me onto
 # a sort of hacky way run the encrypt hook multiple times.
-for ((i=1; i < $crypt_count; i++)); do
-    extra_encrypt_hooks+=(encrypt$i)
-    if (( i = 1 )); then dup_keys=(" "); fi # prefix with an empty space
-    cp /crypto_keyfile.bin /crypto_keyfile$i.bin
-    dup_keys+=(/crypto_keyfile$i.bin)
-    base=/usr/lib/initcpio
-    cp $base/hooks/encrypt{,$i}
-    cp $base/install/encrypt{,$i}
-    sed -i "s/cryptdevice/cryptdevice$i/" $base/hooks/encrypt$i
-    sed -i "s/cryptkey/cryptkey$i/" $base/hooks/encrypt$i
-    crypt_name=${crypt_mapper_devs[i]#/dev/mapper/}
-    crypt_dev=/dev/${crypt_name#crypt_dev_}
-    k_args+=(cryptdevice$i=$crypt_dev:$crypt_name:allow-discards
-             cryptkey$i=rootfs:/crypto_keyfile$i.bin)
-done
+
+base=/usr/lib/initcpio
+
 
 # https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Configuring_mkinitcpio_2
 # used to have lvm2 after encrypt for lvm, but not using lvm anymore
-for x in encrypt ${extra_encrypt_hooks[@]} btrfs; do
+for x in encrypt btrfs; do
     sed -ri -f - /etc/mkinitcpio.conf <<EOF
 /^ *HOOKS.*\b$x\b/!s/^( *HOOKS=.*)filesystems/\1$x filesystems/
 EOF
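Review bot: The new `root_devs=( ${ROOT_PARTITIONS} )` and the `k_args` built from it have no guard for an empty or unset ROOT_PARTITIONS, whereas the removed block at least attempted a count check; an empty value yields `root=/dev/mapper/crypt_dev_` and `resume=`, and the problem is only discovered when the machine fails to boot. Add `(( ${#root_devs[@]} > 0 )) || { echo "$0: error: ROOT_PARTITIONS is empty" >&2; exit 1; }` right after the array is filled. `resume=${first_root_dev%[0-9]}$swapn`, carried over from the old `crypt_dev` form, strips exactly one trailing digit, so it derives the right swap partition only for names ending in a single-digit partition number with no `p` separator; that assumption deserves a comment on the line. `base=/usr/lib/initcpio` is kept although the loop that used it was removed; if nothing below the hunk reads it, drop it.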
@@ -106,7 +84,7 @@ done
 
 # this is the default file, otherwise you use cryptkey=device:fstype:path
 sed -ri -f - /etc/mkinitcpio.conf <<EOF
-s#^\s*FILES=.*#FILES="/crypto_keyfile.bin${dup_keys[*]}"#
+s#^\s*FILES=.*#FILES="/crypto_keyfile.bin"#
 EOF
 echo "$0: FILES:"
 grep FILES /etc/mkinitcpio.conf
@@ -128,7 +106,11 @@ for dev in $BOOT_DEVICE; do
     grub-install --recheck $dev
 done
 grub-mkconfig -o /boot/grub/grub.cfg
-pacman -S --noconfirm openssh unison
+# gtk2 is an optional dependency of unison.
+# debian's unison binary has it linked in,
+# so i install it so I can use the same binary for syncing
+# the two distros.
+pacman -S --noconfirm openssh unison gtk2 rsync
 
 echo "root:$ROOTPW" | chpasswd -e
 
@@ -151,7 +133,7 @@ systemctl enable sshd
 
 rm -rf /home/ian/.ssh
 cp -r /root/.ssh /home/ian
-chown ian:ian /home/ian/.ssh
+chown -R ian:ian /home/ian/.ssh
 # the groups recommended by
 # https://wiki.archlinux.org/index.php/Users_and_groups#Group_list
 usermod -aG games,rfkill,users,uucp,wheel ian
index 3cf222cc77f4d1a2ad0bdeed4e038b5e1d6eb748..4210b5f8ce86f83ba73924372147232302a5e3aa 100755 (executable)
@@ -11,18 +11,22 @@ if [[ ! $1 ]]; then
 fi
 host=$1
 
-[[ $host == frodo ]] && scp /a/c/machine_specific/frodo/subdir_files/.ssh/* frodo:.ssh/
+scp -o StrictHostKeyChecking=false -o UserKnownHostsFile=/dev/null \
+    /p/c/machine_specific/$host/filesystem/etc/ssh/* root@$host:/etc/ssh
+
 if [[ -e  /var/cache/pacman/pkg ]]; then
     darkhttpd /var/cache/pacman/pkg &
-    url=http://$HOSTNAME:8080
+    mirror=http://$HOSTNAME:8080
 fi
 faid=/a/bin/fai
 fai_files=(
     distro-install-common
     hooks/partition.DEFAULT
     class/50-host-classes
+
 )
 sudo scp -r /a/bin/fai/arch-init{,-chroot} \
+     /a/bin/fai/encrypt \
      ${fai_files[@]/#//a/bin/fai/fai/config/} \
      /a/bin/devbyid \
      /q/root/luks /q/root/shadow root@$host:
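Review bot: The new `scp -o StrictHostKeyChecking=false -o UserKnownHostsFile=/dev/null ... root@$host:/etc/ssh` sends the target's private host keys to whatever currently answers as `$host` with no authentication of the peer, so their confidentiality rests entirely on the network between the two machines. Checking is presumably disabled because the installer ISO generates a fresh host key each boot; since arch-pxe builds that ISO, a fixed host key could be placed under `squashfs-root/etc/ssh` at build time and its public half pinned here via `-o UserKnownHostsFile=<path to pinned key file>` with checking left on, or the keys could be copied only after the first verified login to the installed system. The source glob is also unquoted, so a missing `/p/c/machine_specific/$host/filesystem/etc/ssh/` directory hands the literal pattern to scp and produces an unhelpful error rather than a clear report of the missing directory.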
@@ -30,11 +34,15 @@ sudo scp -r /a/bin/fai/arch-init{,-chroot} \
 # on debian, you can use mkpasswd -m sha-512 to generate a pass.
 # arch doesn't have this program. instead, you can do passwd,
 # and extract it from the shadow file.
-ssh root@$host bash -x ./arch-init $host $url
-ssh root@$host reboot now || [[ $? == 255 ]]
+ssh root@$host bash -x ./arch-init $host $mirror
+
+#ssh root@$host reboot now || [[ $? == 255 ]]
+
 # next up is:
 # ssh $host /a/bin/distro-begin
 
-killall darkhttpd
+if [[ -e  /var/cache/pacman/pkg ]]; then
+    killall darkhttpd
+fi
 # todo: this doesn't work. figure out why.
 #kill $!
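Review bot: `ssh root@$host bash -x ./arch-init $host $mirror` traces every command of arch-init onto the caller's terminal, and arch-init's first hunk shows `ROOTPW="$TPPASS"`, so the password hash and anything else the environment carries end up in the trace and in any captured log; run without `-x`, or send the trace to a file on the target with `BASH_XTRACEFD`. `$mirror` is unquoted and is unset whenever `/var/cache/pacman/pkg` does not exist, which the argument-count relaxation in arch-init accommodates, but that implicit contract is worth a comment on the `mirror=` line. For the darkhttpd cleanup, capturing `pid=$!` on the line that starts it and using `kill "$pid"` inside the new `if` would stop only the server this script started instead of every darkhttpd on the box; I cannot tell from the hunk why the `kill $!` todo failed.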
diff --git a/arch-iso-init.sh b/arch-iso-init.sh
new file mode 100644 (file)
index 0000000..e0118f2
--- /dev/null
@@ -0,0 +1,18 @@
+#!/bin/bash
+echo $(date) > /tmp/myarchinit.log
+if ! ip a | grep '^ *inet ' | grep -vF 127.0.0.1; then
+    cat <<'eof'
+We don't have an ipv4 address. Maybe arch doesn't do that for us,
+or we are probably using an ethernet port
+which is not the 1st one, so we haven't automatically done dhcpcd,
+so let's do it on whatever interface has a carrier
+eof
+    for f in /sys/class/net/*; do
+        if [[ `cat $f/carrier` == 1 ]]; then
+            echo $0: running: dhcpcd ${f##*/}
+            dhcpcd ${f##*/}
+            break
+        fi
+    done
+fi
+systemctl start sshd
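Review bot: The carrier loop `for f in /sys/class/net/*` also visits `lo`, whose `carrier` file reads 1 when the loopback is up, and since glob order is alphabetical any interface whose name sorts after `lo` (wlan0, for instance) loses to it and `dhcpcd lo` is run before `break`; skip it with `[[ ${f##*/} == lo ]] && continue` at the top of the loop. Reading `carrier` on an interface that is administratively down fails with EINVAL, so `cat $f/carrier` prints an error and the comparison is silently false for every such port; add `2>/dev/null` to that read and a comment stating that the port must already be up. The backticks and the unquoted `$f`, `$0` and `${f##*/}` are the usual ShellCheck findings, and the log file still carries the old `myarchinit` name although the script was renamed.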
index 7252f2da2ec3aa47d0402fdd06c07274123dccdf..66a79debe7f6bf6643d2b2fec808c27216aebbf6 100755 (executable)
--- a/arch-pxe
+++ b/arch-pxe
@@ -6,6 +6,8 @@
 set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
+x="$(readlink -f "$BASH_SOURCE")"
+script_dir="${x%/*}"
 cd /a/opt
 iso="archlinux-2016.05.01-dual"
 sfs=$iso/arch/x86_64/airootfs.sfs
@@ -14,7 +16,7 @@ ex $iso.iso
 sed -i -f - $iso/arch/boot/syslinux/archiso_pxe64.cfg <<EOF
 1itotaltimeout 1
 /^LABEL arch64_nfs/a menu default
-s/^APPEND .*/\0 script=myarchinit.sh/
+s/^APPEND .*/\0 script=arch-iso-init.sh/
 EOF
 # based on https://blog.chendry.org/2015/02/06/automating-arch-linux-installation.html
 # and https://wiki.archlinux.org/index.php/Remastering_the_Install_ISO
@@ -24,12 +26,8 @@ s unsquashfs $sfs
 s mkdir -p squashfs-root/root/.ssh
 s chmod 755 squashfs-root/root/.ssh
 s cp ~/.ssh/id_rsa.pub squashfs-root/root/.ssh/authorized_keys
-s dd of=squashfs-root/root/myarchinit.sh <<EOF
-#!/bin/bash
-echo $(date) > /tmp/myarchinit.log
-dhcpcd eth0
-systemctl start sshd
-EOF
+
+s cp $script_dir/arch-iso-init.sh squashfs-root/root
 s rm $sfs
 s mksquashfs squashfs-root $sfs -comp xz
 # file transfer to wrt is slow, so remove some useless files
diff --git a/encrypt b/encrypt
new file mode 100644 (file)
index 0000000..89cc95f
--- /dev/null
+++ b/encrypt
@@ -0,0 +1,129 @@
+#!/usr/bin/ash
+run_hook() {
+    set -x
+    echo $0
+    modprobe -a -q dm-crypt >/dev/null 2>&1
+    [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
+
+    # Get keyfile if specified
+    ckeyfile="/crypto_keyfile.bin"
+    if [ -n "$cryptkey" ]; then
+        IFS=: read ckdev ckarg1 ckarg2 <<EOF
+$cryptkey
+EOF
+
+        if [ "$ckdev" = "rootfs" ]; then
+            ckeyfile=$ckarg1
+        elif resolved=$(resolve_device "${ckdev}" ${rootdelay}); then
+            case ${ckarg1} in
+                *[!0-9]*)
+                    # Use a file on the device
+                    # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
+                    mkdir /ckey
+                    mount -r -t "$ckarg1" "$resolved" /ckey
+                    dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1
+                    umount /ckey
+                    ;;
+                *)
+                    # Read raw data from the block device
+                    # ckarg1 is numeric: ckarg1=offset, ckarg2=length
+                    dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1
+                    ;;
+            esac
+        fi
+        [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
+    fi
+
+    for cryptdev in ${cryptdevices//,/ }; do
+        cryptname=crypt_dev_${cryptdev##*/}
+
+        if [ -n "${cryptoptions}" ]; then
+            cryptargs="${cryptargs} --allow-discards"
+        fi
+        for cryptopt in ${cryptoptions//,/ }; do
+            case ${cryptopt} in
+                no-allow-discards)
+                    cryptargs=""
+                    ;;
+                *)
+                    echo "Encryption option '${cryptopt}' not known, ignoring." >&2
+                    ;;
+            esac
+        done
+
+        if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
+            if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
+                dopassphrase=1
+                # If keyfile exists, try to use that
+                if [ -f ${ckeyfile} ]; then
+                    if eval cryptsetup --key-file ${ckeyfile} open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; then
+                        dopassphrase=0
+                    else
+                        echo "Invalid keyfile. Reverting to passphrase."
+                    fi
+                fi
+                # Ask for a passphrase
+                if [ ${dopassphrase} -gt 0 ]; then
+                    echo ""
+                    echo "A password is required to access the ${cryptname} volume:"
+
+                    #loop until we get a real password
+                    while ! eval cryptsetup open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do
+                        sleep 2;
+                    done
+                fi
+                if [ -e "/dev/mapper/${cryptname}" ]; then
+                    if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
+                        export root="/dev/mapper/root"
+                    fi
+                else
+                    err "Password succeeded, but ${cryptname} creation failed, aborting..."
+                    exit 1
+                fi
+            elif [ -n "${crypto}" ]; then
+                msg "Non-LUKS encrypted device found..."
+                if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then
+                    err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
+                    err "Non-LUKS decryption not attempted..."
+                    return 1
+                fi
+                exe="cryptsetup open --type plain $resolved $cryptname $cryptargs"
+                IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF
+$crypto
+EOF
+                [ -n "$c_hash" ]    && exe="$exe --hash '$c_hash'"
+                [ -n "$c_cipher" ]  && exe="$exe --cipher '$c_cipher'"
+                [ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'"
+                [ -n "$c_offset" ]  && exe="$exe --offset '$c_offset'"
+                [ -n "$c_skip" ]    && exe="$exe --skip '$c_skip'"
+                if [ -f "$ckeyfile" ]; then
+                    exe="$exe --key-file $ckeyfile"
+                else
+                    exe="$exe --verify-passphrase"
+                    echo ""
+                    echo "A password is required to access the ${cryptname} volume:"
+                fi
+                eval "$exe $CSQUIET"
+
+                if [ $? -ne 0 ]; then
+                    err "Non-LUKS device decryption failed. verify format: "
+                    err "      crypto=hash:cipher:keysize:offset:skip"
+                    exit 1
+                fi
+                if [ -e "/dev/mapper/${cryptname}" ]; then
+                    if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
+                        export root="/dev/mapper/root"
+                    fi
+                else
+                    err "Password succeeded, but ${cryptname} creation failed, aborting..."
+                    exit 1
+                fi
+            else
+                err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
+            fi
+        fi
+    done
+    rm -f ${ckeyfile}
+}
+
+# vim: set ft=sh ts=4 sw=4 et:
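Review bot: `DEPRECATED_CRYPT` is tested on the `[ ${DEPRECATED_CRYPT} -eq 1 ]` lines but, unlike the upstream copy, is never assigned in this hook, so the test expands to `[ -eq 1 ]` and prints an unexpected-operator error for every device opened; either set `DEPRECATED_CRYPT=0` at the top of `run_hook` or delete those branches together with the `root=/dev/mapper/root` export, which only served the old `root=` syntax this hook no longer supports. `cryptargs` is never reset between iterations of the `for cryptdev in ${cryptdevices//,/ }` loop, so with `cryptoptions` set the `--allow-discards` flag is appended once more per device; start each iteration with `cryptargs=""`. The `[ -n "${cryptoptions}" ]` guard on that append looks inverted relative to the intent — the kernel line built in arch-init-chroot passes no `cryptoptions` at all, so discards are never enabled, whereas the removed `allow-discards` argument enabled them; if default-on is intended the test should be `-z`, and either way the choice deserves a comment. `set -x` and `echo $0` at the top of `run_hook` trace every cryptsetup invocation to the console during boot and should not ship in the installed hook.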
diff --git a/encrypt.upstream b/encrypt.upstream
new file mode 100644 (file)
index 0000000..819c4cf
--- /dev/null
@@ -0,0 +1,139 @@
+#!/usr/bin/ash
+
+run_hook() {
+    modprobe -a -q dm-crypt >/dev/null 2>&1
+    [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
+
+    # Get keyfile if specified
+    ckeyfile="/crypto_keyfile.bin"
+    if [ -n "$cryptkey" ]; then
+        IFS=: read ckdev ckarg1 ckarg2 <<EOF
+$cryptkey
+EOF
+
+        if [ "$ckdev" = "rootfs" ]; then
+            ckeyfile=$ckarg1
+        elif resolved=$(resolve_device "${ckdev}" ${rootdelay}); then
+            case ${ckarg1} in
+                *[!0-9]*)
+                    # Use a file on the device
+                    # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
+                    mkdir /ckey
+                    mount -r -t "$ckarg1" "$resolved" /ckey
+                    dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1
+                    umount /ckey
+                    ;;
+                *)
+                    # Read raw data from the block device
+                    # ckarg1 is numeric: ckarg1=offset, ckarg2=length
+                    dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1
+                    ;;
+            esac
+        fi
+        [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
+    fi
+
+    if [ -n "${cryptdevice}" ]; then
+        DEPRECATED_CRYPT=0
+        IFS=: read cryptdev cryptname cryptoptions <<EOF
+$cryptdevice
+EOF
+    else
+        DEPRECATED_CRYPT=1
+        cryptdev="${root}"
+        cryptname="root"
+    fi
+
+    warn_deprecated() {
+        echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
+        echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
+    }
+
+    for cryptopt in ${cryptoptions//,/ }; do
+        case ${cryptopt} in
+            allow-discards)
+                cryptargs="${cryptargs} --allow-discards"
+                ;;
+            *)
+                echo "Encryption option '${cryptopt}' not known, ignoring." >&2
+                ;;
+        esac
+    done
+
+    if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
+        if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
+            [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
+            dopassphrase=1
+            # If keyfile exists, try to use that
+            if [ -f ${ckeyfile} ]; then
+                if eval cryptsetup --key-file ${ckeyfile} open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; then
+                    dopassphrase=0
+                else
+                    echo "Invalid keyfile. Reverting to passphrase."
+                fi
+            fi
+            # Ask for a passphrase
+            if [ ${dopassphrase} -gt 0 ]; then
+                echo ""
+                echo "A password is required to access the ${cryptname} volume:"
+
+                #loop until we get a real password
+                while ! eval cryptsetup open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do
+                    sleep 2;
+                done
+            fi
+            if [ -e "/dev/mapper/${cryptname}" ]; then
+                if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
+                    export root="/dev/mapper/root"
+                fi
+            else
+                err "Password succeeded, but ${cryptname} creation failed, aborting..."
+                exit 1
+            fi
+        elif [ -n "${crypto}" ]; then
+            [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
+            msg "Non-LUKS encrypted device found..."
+            if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then
+                err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
+                err "Non-LUKS decryption not attempted..."
+                return 1
+            fi
+            exe="cryptsetup open --type plain $resolved $cryptname $cryptargs"
+            IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF
+$crypto
+EOF
+            [ -n "$c_hash" ]    && exe="$exe --hash '$c_hash'"
+            [ -n "$c_cipher" ]  && exe="$exe --cipher '$c_cipher'"
+            [ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'"
+            [ -n "$c_offset" ]  && exe="$exe --offset '$c_offset'"
+            [ -n "$c_skip" ]    && exe="$exe --skip '$c_skip'"
+            if [ -f "$ckeyfile" ]; then
+                exe="$exe --key-file $ckeyfile"
+            else
+                exe="$exe --verify-passphrase"
+                echo ""
+                echo "A password is required to access the ${cryptname} volume:"
+            fi
+            eval "$exe $CSQUIET"
+
+            if [ $? -ne 0 ]; then
+                err "Non-LUKS device decryption failed. verify format: "
+                err "      crypto=hash:cipher:keysize:offset:skip"
+                exit 1
+            fi
+            if [ -e "/dev/mapper/${cryptname}" ]; then
+                if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
+                    export root="/dev/mapper/root"
+                fi
+            else
+                err "Password succeeded, but ${cryptname} creation failed, aborting..."
+                exit 1
+            fi
+        else
+            err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
+        fi
+    fi
+    rm -f ${ckeyfile}
+}
+
+# vim: set ft=sh ts=4 sw=4 et:
index cd0888737541a0d475d7de19df177b193ee3fbf2..29f4d158c5e832597e599db83cf97b408a0bbe12 100755 (executable)
--- a/fai-redep
+++ b/fai-redep
@@ -9,8 +9,26 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
 cd $(dirname $(readlink -f "$BASH_SOURCE"))
 
-ssh root@faiserver rm -rf /srv/fai/config
-scp -r fai/config root@faiserver:/srv/fai
+
+faiserver_host=faiserver
+# i use faiserver as a dns alias, but ssh key is associated with
+# a canonical hostname and we will have ssh warning spam unless we
+# use it, so look it up.
+if addr=$(host faiserver); then
+    addr=${addr##* }
+    if h=$(host $addr); then
+        h=${h##* }
+        faiserver_host=${h%%.*}
+    else
+        echo "$0: warning: host \$addr($addr) failed"
+    fi
+else
+    echo "$0: warning: host faiserver failed"
+fi
+
+
+ssh root@$faiserver_host rm -rf /srv/fai/config
+scp -r fai/config root@$faiserver_host:/srv/fai
 # fai example pass: fai
 #ROOTPW='$1$kBnWcO.E$djxB128U7dMkrltJHPf6d1'
 
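Review bot: The `host faiserver` / `host $addr` lookup chooses the SSH endpoint for the luks and shadow uploads below from a reverse-DNS answer, which is precisely the input that SSH host-key checking exists to distrust; an ssh_config entry for the alias (`Host faiserver` with `HostKeyAlias <canonical name>`, or a `HostName`) binds the key to the alias without any lookup and removes the warning spam the comment describes. The parsing also assumes the last whitespace-separated word of the whole `host` output is the address or the PTR name; that holds for a single answer but silently picks the last of several A or PTR records, so a comment stating the assumption, or `host -t A` / `host -t PTR` piped through `tail -n1`, would make the failure mode visible. Both warning `echo`s go to stdout; `>&2` keeps them out of captured output.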
@@ -22,24 +40,24 @@ scp -r fai/config root@faiserver:/srv/fai
 
 f=/q/root/shadow/standard
 if s test -e $f; then
-    ssh root@faiserver tee -a /srv/fai/config/class/DEFAULT.var <<EOF
+    ssh root@$faiserver_host tee -a /srv/fai/config/class/DEFAULT.var <<EOF
 ROOTPW='$(s cat $f)'
 EOF
 fi
 
 tpvar="$(s cat /q/root/shadow/traci-simple)"
-ssh root@faiserver tee -a /srv/fai/config/class/tp.var <<EOF
+ssh root@$faiserver_host tee -a /srv/fai/config/class/tp.var <<EOF
 ROOTPW='$tpvar'
 EOF
 
 scp ~/.ssh/id_rsa.pub \
-    root@faiserver:/srv/fai/config/files/home/ian/.ssh/authorized_keys/GRUB_PC
+    root@$faiserver_host:/srv/fai/config/files/home/ian/.ssh/authorized_keys/GRUB_PC
 # todo: automatically disable faiserver after a period so
 # these files are not exposed.
 s scp -r /q/root/luks /q/root/shadow/traci{,-simple} \
-  root@faiserver:/srv/fai/config/distro-install-common
-scp /a/bin/devbyid root@faiserver:/srv/fai/nfsroot/usr/local/bin
-ssh root@faiserver bash <<'EOF'
+  root@$faiserver_host:/srv/fai/config/distro-install-common
+scp /a/bin/devbyid root@$faiserver_host:/srv/fai/nfsroot/usr/local/bin
+ssh root@$faiserver_host bash <<'EOF'
 set -eE -o pipefail
 chmod 644 /srv/fai/config/files/home/ian/.ssh/authorized_keys/GRUB_PC
 chmod -R a+rX /srv/fai/config/distro-install-common
index 9c194fa19cc3cf90ee9889bd69809e6fee18e888..79238a551213d54d33195b06719220c96bad1e83 100755 (executable)
@@ -31,10 +31,10 @@ $ROOTCMD rm -rf /root/.unison
 $ROOTCMD ln -sf $dir /root
 $ROOTCMD ln -sf /q/p /
 
+chown -R 1000:1000 $dir
 while true; do
     $ROOTCMD chown 1000:1000 $dir
     $ROOTCMD chmod 700 $dir
     dir=$(dirname $dir)
     [[ $dir != /q ]] || break
 done
-
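Review bot: The added `chown -R 1000:1000 $dir` runs without the `$ROOTCMD` prefix that every other command in this hunk uses, so when ROOTCMD is a chroot wrapper (as it is under FAI) the recursive chown is applied to `$dir` on the installer's own filesystem rather than inside the target, and either fails or, if that path happens to exist on the install host, rewrites ownership of an unrelated directory. If the intent is to chown inside the target, `$ROOTCMD chown -R 1000:1000 $dir` makes it consistent with the loop below; if running it outside the chroot is deliberate (for instance because `$dir` is a bind mount visible on both sides), a comment saying so would stop the next reader from "fixing" it.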
index fac3155a98e03cb3f08e25eb32f1f1d24b4f8bb5..e64f92b7d58d875daf1c3c77f7313fc979ec04a3 100755 (executable)
@@ -168,7 +168,7 @@ bpart() { # btrfs a partition
     esac
 }
 
-first_boot_dev=$(bootdev ${devs[0]})
+first_boot_dev=${boot_devs[0]}
 
 # keyfiles generated like:
 # head -c 2048 /dev/urandom | od | s dd of=/q/root/luks/host-demohost
@@ -197,6 +197,10 @@ swap_mib=$(( $(grep ^MemTotal: /proc/meminfo | \
                    awk '{print $2}') * 3/(${#devs[@]} * 2 ) / 1024 ))
 
 mkdir -p /tmp/fai
+root_devs=()
+for dev in ${devs[@]}; do
+    root_devs+=(`rootdev`)
+done
 shopt -s nullglob
 if $partition; then
     for dev in ${devs[@]}; do
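Review bot: The new loop `root_devs+=(`rootdev`)` calls `rootdev` with no argument, so it must be reading the loop's `$dev` implicitly, while the `bootdev ${devs[0]}` form removed in the previous hunk took the device explicitly; if `rootdev` accepts an argument, `root_devs+=("$(rootdev "$dev")")` makes the dependency visible, otherwise a comment on the loop stating that it relies on the global `dev` is warranted. Backticks and the unquoted `${devs[@]}` are the usual ShellCheck items; `$(...)` nests and quotes cleanly.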
@@ -346,7 +350,10 @@ done
 #BOOT_DEVICE=\${BOOT_DEVICE:-"${devs[0]}"}
 
 # swaplist seems to do nothing.
+
 cat >/tmp/fai/disk_var.sh <<EOF
+# ROOT_PARTITIONS is added by me, used in arch setup.
+ROOT_PARTITIONS="${root_devs[@]}"
 ROOT_PARTITION=\${ROOT_PARTITION:-$first_root_crypt}
 BOOT_PARTITION=\${BOOT_PARTITION:-$first_boot_dev}
 BOOT_DEVICE="${short_devs[@]}"
index f53bdef0f5f35dd054519a06eac5c8b16be24964..ec299e47b734a14cf56752247f439700305a299c 100755 (executable)
@@ -4,7 +4,8 @@
 # and depending on the type, setup the tftp server.
 
 # usage: $0 TYPE
-# default distro is the base debian/fedora type. others are fai &  arch
+# default distro is the base debian/fedora type. others are fai & arch.
+# for no pxe server, use a no-op like : or true.
 
 set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR