From: Ian Kelling Date: Sun, 31 Jan 2016 10:03:37 +0000 (-0800) Subject: add wrt and fai server setup scripts X-Git-Url: https://iankelling.org/git/?a=commitdiff_plain;h=a43d3eec943c5f0491b300214a3c744d31a6e542;p=automated-distro-installer add wrt and fai server setup scripts --- diff --git a/README b/README new file mode 100644 index 0000000..f9137a0 --- /dev/null +++ b/README @@ -0,0 +1,4 @@ +Scripts for initial setup of OSes on my home network. + +My network is a wndr3700v2 router with openwrt on it and a few pcs +with various gnu/linux distros on them. diff --git a/arch-init b/arch-init index 30ec9f1..28ffe37 100755 --- a/arch-init +++ b/arch-init @@ -5,7 +5,7 @@ set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR -cd "${BASH_SOURCE%/*}" +cd $(dirname $(readlink -f "$BASH_SOURCE")) export ROOTPW="$1" export hostname="$2" @@ -69,6 +69,7 @@ mount /dev/?da1 /mnt/boot # https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Keyfiles cp /root/luks/host-$hostname /mnt/crypto_keyfile.bin +chmod 600 /mnt/crypto_keyfile.bin shopt -s extglob diff --git a/debian-preseed b/debian-preseed new file mode 100755 index 0000000..86b4ffd --- /dev/null +++ b/debian-preseed @@ -0,0 +1,142 @@ +#!/bin/bash + +set -eE -o pipefail +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR + +usage() { + cat <>$preseed + ;; + debian-jessie) + wget -q https://www.debian.org/releases/jessie/$preseed + wget -qN http://ftp.nl.debian.org/debian/dists/jessie/$neboot_path + cat >>$preseed <<'EOF' +tasksel tasksel/first multiselect ssh-server +EOF + if ! $interactive_partition; then + cat >>$preseed <> $preseed <> $preseed <> /home/$user/.ssh/authorized_keys"; \ +in-target chown -R $user:$user /home/$user; \ +in-target chmod -R go-rwx /home/$user/.ssh/authorized_keys; \ +in-target cp -r /home/$user/.ssh /root; \ +in-target usermod -a -G sudo $user; +EOF 
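Review bot: The new `cd $(dirname $(readlink -f "$BASH_SOURCE"))` leaves both command substitutions unquoted, so a checkout path containing whitespace or glob characters is word-split before `cd` sees it, whereas the old `cd "${BASH_SOURCE%/*}"` was quoted. Write it as `cd "$(dirname "$(readlink -f "$BASH_SOURCE")")"`. The same unquoted form is added in debian-pxe-preseed, fai-redep, fai-revm and faiserver-revm in this commit. The `set -eE` and ERR trap in the context above at least stop the script on a failed `cd` rather than letting it continue in the wrong directory.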
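Review bot: The added `chmod 600` runs only after `cp` has already created `/mnt/crypto_keyfile.bin` with whatever mode the current umask gives, so the LUKS keyfile briefly exists on the target filesystem with looser permissions; creating it with its final mode in one step closes that window: `install -m 600 -- "/root/luks/host-$hostname" /mnt/crypto_keyfile.bin` replacing both lines. The `$hostname` expansion in the `cp` line is also unquoted, which matters if the second argument ever contains a space. arch-init continues outside this hunk.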
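Review bot: The netboot image is fetched with `wget -qN http://ftp.nl.debian.org/debian/dists/jessie/$neboot_path` over plain HTTP and placed into the PXE tree with no integrity check, while the preseed itself is fetched over HTTPS; since every machine that PXE-boots afterwards runs that image, the download should be verified against the SHA256SUMS file Debian publishes alongside the netboot images (or at least fetched over HTTPS) before it lands under tftpboot. Much of this hunk appears mangled in the extraction (the heredoc redirections such as `cat <>$preseed` and the `usage()` body are truncated), so the surrounding logic cannot be reviewed from here. The `in-target` chain that installs `/home/$user/.ssh/authorized_keys` and copies it to root is visible and looks consistent, but the heredoc it belongs to is cut off above.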
diff --git a/debian-pxe-preseed b/debian-pxe-preseed new file mode 100755 index 0000000..52ca18f --- /dev/null +++ b/debian-pxe-preseed @@ -0,0 +1,26 @@ +#!/bin/bash + +set -eE -o pipefail +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR + + +[[ $EUID == 0 ]] || exec sudo "$BASH_SOURCE" "$@" + +cd $(dirname $(readlink -f "$BASH_SOURCE")) + +mount_dir=$(mktemp -d) + +mount -o users wrt:/mnt/usb $mount_dir + +cd $mount_dir +rm -rf debian-wheezy +mkdir debian-wheezy +cd debian-wheezy +debian-preseed "$@" # my script +cd .. +rm -f tftpboot +ln -s debian-wheezy tftpboot + +cd / +umount $mount_dir +pxe-server # my script diff --git a/fai-redep b/fai-redep index 3e13067..0c23459 100755 --- a/fai-redep +++ b/fai-redep @@ -1,4 +1,5 @@ -#!/bin/bash -lx +#!/bin/bash -l +set -x # Deploy fai configuration to faiserver, # then start a virtual machine to test the config. @@ -6,8 +7,10 @@ set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR -ssh root@faiserver rm -rf /srv/fai/config/\* -scp -r /a/bin/fai/fai/config root@faiserver:/srv/fai +cd $(dirname $(readlink -f "$BASH_SOURCE")) + +ssh root@faiserver rm -rf /srv/fai/config +scp -r fai/config root@faiserver:/srv/fai # fai example pass: fai #ROOTPW='$1$kBnWcO.E$djxB128U7dMkrltJHPf6d1' diff --git a/fai-revm b/fai-revm index 97bb1a8..9c8fd9c 100755 --- a/fai-revm +++ b/fai-revm @@ -1,5 +1,7 @@ -#!/bin/bash -lx +#!/bin/bash -l +set -x +# Assumes pxe config for dhcp has been setup. # Deploy fai configuration to faiserver, # then start a virtual machine to test the config. @@ -9,9 +11,15 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR new_disk=false [[ ! $1 ]] || new_disk=true -cd "${BASH_SOURCE%/*}" +cd $(dirname $(readlink -f "$BASH_SOURCE")) -[[ $0 == *arch-revm ]] || ./fai-redep +if [[ $0 == *arch-revm ]]; then + # via osinfo-query os. guessing arch is closest to latest fedora. + variant=fedora22 +else + ./fai-redep + variant=debian8 +fi name=demohost 
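Review bot: Any failure between `mount -o users wrt:/mnt/usb $mount_dir` and the final `umount` (the `rm -rf`, `mkdir`, `debian-preseed` or `ln` steps) exits through `set -e` with the NFS share still mounted on the temporary directory, because the ERR trap only prints. Register the cleanup on EXIT right after the mount, `trap 'cd / && umount "$mount_dir" && rmdir -- "$mount_dir"' EXIT`, and drop the explicit `cd /` / `umount $mount_dir` pair at the end. The mktemp directory is never removed even on the success path today. `$mount_dir` should be quoted in the `mount`, `cd` and `umount` lines while you are there.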
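Review bot: `ssh root@faiserver rm -rf /srv/fai/config` runs before `scp -r fai/config root@faiserver:/srv/fai`, so a failed copy (network error, or `fai/config` missing relative to the script directory) leaves faiserver with no config at all until the next successful run. Doing the removal and copy as one step avoids that window, for example `rsync -a --delete fai/config/ root@faiserver:/srv/fai/config/` if rsync is available on faiserver; otherwise copy to a temporary name on the server and rename into place. fai-redep's remaining lines are outside this hunk.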
@@ -24,7 +32,7 @@ for f in /var/lib/libvirt/images/${name}{,b}; do done disk_arg=("--disk path=/var/lib/libvirt/images/$name"{,b}) -s virt-install --os-variant debian8 --cpu host -n $name --pxe -r 2048 --vcpus 1 \ +s virt-install --os-variant $variant --cpu host -n $name --pxe -r 2048 --vcpus 1 \ ${disk_arg[*]} -w bridge=br0,mac=52:54:00:9c:ef:ad & if [[ $0 == *arch-revm ]]; then diff --git a/fai-setup b/fai-setup index 7c5ce08..dc0dceb 100755 --- a/fai-setup +++ b/fai-setup @@ -22,12 +22,17 @@ apt-get -y install $(apt-cache show fai-quickstart | grep ^Depends: |head -n 1|\ sed -r 's/^Depends:|,|\|[^,]+|isc-dhcp-server//g') sed -i 's/^#deb/deb/' /etc/fai/apt/sources.list sed -i 's/#LOGUSER/LOGUSER/' /etc/fai/fai.conf -fai-setup -v +# from man fai-make-nfsroot, +# figured out after partitioning ignored my crypt partition +if ! grep cryptsetup /etc/fai/NFSROOT &>/dev/null; then + sed -ri '/^PACKAGES install$/a cryptsetup' /etc/fai/NFSROOT +fi +fai-setup -vf { head -n 1 /srv/fai/nfsroot/root/.ssh/known_hosts | awk '{print $1}' \ | tr '\n' ' '; ssh-keyscan localhost | grep -o "ecdsa-sha2-nistp256.*"; \ } >>/srv/fai/nfsroot/root/.ssh/known_hosts -# from config machine. todo: clean this up. +# this does not alter the config on a new install sed -ri 's#^([[:space:]]*TFTP_DIRECTORY[[:space:]]*=).*#\1"/srv/tftp"#' \ /etc/default/tftpd-hpa 
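Review bot: `grep cryptsetup /etc/fai/NFSROOT &>/dev/null` matches the word anywhere on any line, including inside a comment, in which case the `sed -ri '/^PACKAGES install$/a cryptsetup'` that would actually add the package is skipped; `grep -qw cryptsetup /etc/fai/NFSROOT` (quiet, whole-word) is the safer test. The `sed` is itself silent when no `PACKAGES install` line exists, so the result is worth verifying afterwards, e.g. by repeating the grep and exiting non-zero if it still does not match, since `fai-setup -vf` then builds an nfsroot that cannot open the crypt partition this commit is trying to support.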
@@ -46,19 +51,20 @@ service tftpd-hpa restart std_arg="-u nfs://faiserver/srv/fai/config" fai-chboot -Iv $std_arg default kernel=$(fai-chboot -L '^default$' | awk '{print $3}') -my_ip=$(getent hosts faiserver | awk '{ print $1 }') +type -t host &>/dev/null || apt-get -y install dnsutils +my_ip=$(host faiserver $(route -n | sed -rn 's/^(0\.){3}0\s+(\S+).*/\2/p') | \ + sed -rn 's/^faiserver has address //p') k_args=$(fai-chboot -L '^default$' | \ sed -r "s/^(\S+\s+){3}(.*root=)(.*)/\2$my_ip:\3/") fai-chboot -k "$k_args" -v -f verbose,sshd,createvt,reboot $std_arg $kernel default # make the faiserver also the apt proxy server -apt-get install apt-cacher-ng +apt-get -y install apt-cacher-ng # background on choosing apt-cacher-ng: # googling around a bit finds 2 main solutions: # http://askubuntu.com/questions/3503/best-way-to-cache-apt-downloads-on-a-lan # apt-cacher-ng doesn't have zeroconf. -# so I'm not sure how smart it will be if the server goes down. # It touts having minimal dependencies, but I don't care. # The downside to squid-deb-proxy is that it's config is for specific repos, # you have to add all the repos you use. @@ -69,8 +75,5 @@ apt-get install apt-cacher-ng # random fai note: as far as I can tell, profiles are just for putting # in a selectable boot menu, which I don't want. -if [[ ! -e ~/.ssh/id_rsa.pub ]]; then - ssh-keygen -t rsa -N '' -fi -x=$(mktemp); ssh -F /dev/null -oUserKnownHostsFile=$x localhost : -cat x | tee -a /srv/fai/nfsroot/root/.ssh/known_hosts +# somewhere I call it faiserver, but debian's default is faiserver.lan +sed -ri 's/faiserver.lan/faiserver/' /srv/fai/nfsroot/root/.ssh/known_hosts diff --git a/fai/NFSROOT b/fai/NFSROOT deleted file mode 100644 index dc39e21..0000000 --- a/fai/NFSROOT +++ /dev/null @@ -1,5 +0,0 @@ -# from man fai-make-nfsroot, -# after partitioning ignored my crypt partition - -PACKAGES install -cryptsetup 
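Review bot: `my_ip` is assigned from `host faiserver $(route -n | sed ...)` without any check, so if `host` prints nothing in the expected form (dnsutils absent because the `apt-get` failed, no default route from `route -n`, or a different output format) it is empty and the `root=$my_ip:...` kernel argument written by `fai-chboot -k` below becomes `root=:` for every PXE client. Add `[[ $my_ip =~ ^[0-9.]+$ ]] || { echo "could not determine faiserver address" >&2; exit 1; }` before `k_args` is built. `route -n` comes from net-tools, which newer Debian releases no longer install by default; `ip route show default` is the iproute2 equivalent if this needs to keep working there.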
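Review bot: The `.` in `sed -ri 's/faiserver.lan/faiserver/'` is an unescaped regex metacharacter, so the pattern matches any character at that position; use `'s/faiserver\.lan/faiserver/'`. A non-match here is silent, and since this edits the nfsroot's `known_hosts` the installed clients would presumably then treat faiserver as an unknown host at first contact, so a `grep -q '^faiserver ' /srv/fai/nfsroot/root/.ssh/known_hosts` after the sed would catch that at setup time.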
diff --git a/fai/config/hooks/partition.DEFAULT b/fai/config/hooks/partition.DEFAULT index 64e09a2..31f07ec 100755 --- a/fai/config/hooks/partition.DEFAULT +++ b/fai/config/hooks/partition.DEFAULT @@ -46,7 +46,7 @@ for dev in ${devs[@]}; do done done -partition=true # override temporarily +#partition=true # for temporarily override # keyfiles generated like: # head -c 2048 /dev/urandom | od | s dd of=/q/root/luks/host-demohost @@ -86,6 +86,8 @@ shopt -s nullglob if $partition; then for dev in ${devs[@]}; do for x in $dev[0-9]; do wipefs -a $x; done + done + for dev in ${devs[@]}; do parted -s $dev mklabel gpt # gpt ubuntu cloud image uses ~4. fai uses 1 MiB. ehh, i'll do 4. # also, using MB instead of MiB causes complains about alignment. diff --git a/faiserver-revm b/faiserver-revm new file mode 100755 index 0000000..eeae0b9 --- /dev/null +++ b/faiserver-revm @@ -0,0 +1,25 @@ +#!/bin/bash -l +set -x + +set -eE -o pipefail +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR + +cd $(dirname $(readlink -f "$BASH_SOURCE")) + +./debian-pxe-preseed -i 192.168.1.1 -u ian -g vda + +name=faiserver +s virshrm $name ||: + +f=/var/lib/libvirt/images/${name} +s qemu-img create -o preallocation=metadata -f qcow2 $f 30G + +s virt-install --os-variant debian8 --cpu host -n $name --pxe -r 1024 --vcpus 1 \ + --disk $f -w bridge=br0,mac=52:54:00:56:09:f9 & + +sleep $((60*6)) # takes like 10x as long as a fai install! +while ! scp fai-setup root@faiserver:; do + sleep 5 +done + +ssh root@faiserver ./fai-setup diff --git a/pxe-server b/pxe-server new file mode 100755 index 0000000..2e8b2a4 --- /dev/null +++ b/pxe-server 
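Review bot: The `while ! scp fai-setup root@faiserver:; do sleep 5; done` loop has no upper bound, so any persistent scp failure — most likely a stale entry in the caller's known_hosts once the VM has been reinstalled with a fresh host key, since the fixed MAC always yields the same name and address — makes the script spin forever instead of failing. Bound the retries and exit non-zero when they run out; the `sleep $((60*6))` before the loop can stay as the initial wait. `s virshrm $name ||:` and `s virt-install` rely on an `s` helper and a `virshrm` command that are not in this repository, presumably a sudo wrapper and a virsh cleanup script.
```shell
# … unchanged: debian-pxe-preseed, virshrm, qemu-img, virt-install, initial sleep …
tries=0
until scp fai-setup root@faiserver:; do
  (( ++tries < 120 )) || { echo "faiserver not reachable after $tries attempts" >&2; exit 1; }
  sleep 5
done
ssh root@faiserver ./fai-setup
```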
@@ -0,0 +1,36 @@ +#!/bin/bash -x + +# usage: $0 [TYPE] +# default distro is the base debian/fedora type. others are fai & arch + +set -eE -o pipefail +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR + +action=${1:-default} + +arch() { + default + cat <<'EOF' +dhcp-option-force=209,boot/syslinux/archiso.cfg +dhcp-option-force=210,/arch/ +dhcp-boot=/arch/boot/syslinux/lpxelinux.0 +EOF +} + +default() { + cat <<'EOF' +enable-tftp +tftp-root=/mnt/usb/tftpboot +dhcp-boot=pxelinux.0 +EOF +} + +fai() { + cat <<'EOF' +dhcp-boot=fai/pxelinux.0,faiserver.lan,faiserver.lan +EOF +} + + +$action | ssh wrt "cedit pxe-server /etc/dnsmasq.conf || /etc/init.d/dnsmasq restart +if [[ $action == arch ]]; then arch-pxe-mount; fi" diff --git a/wrt-setup b/wrt-setup new file mode 100755 index 0000000..fda94a3 --- /dev/null +++ b/wrt-setup 
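Review bot: `action=${1:-default}` is later executed as a command (`$action | ssh wrt ...`), so any word given as the first argument runs as a command in the caller's shell rather than being limited to the three functions defined here, and an unknown name only fails through `set -e` after the pipe to the router has already been opened. Validate it first: `case $action in default|fai|arch) ;; *) echo "usage: $0 [default|fai|arch]" >&2; exit 1;; esac`. The same `$action` is interpolated into the double-quoted remote command string, which is fine once it is restricted to those names. Note that `arch` emits `default`'s lines and then a second `dhcp-boot=` entry, so both reach dnsmasq's config together.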
@@ -0,0 +1,274 @@ +#!/bin/bash + +set -eE -o pipefail +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR + + +# ssh + +pmirror() { + # background: upgrading all packages is not recommended because it + # doesn't go into the firmware. build new firmware if you want + # lots of upgrades. + f=(/tmp/opkg-lists/*) + f=${f[0]} + if ! (( $(date -r $f +%s) + 60*60*24 > $(date +%s) )); then + opkg update + fi +} + +pi() { + for x in "$@"; do + if [[ ! $(opkg list-installed "$x") ]]; then + pmirror + opkg install "$@" + fi + done +} + +v() { + printf "+ %s\n" "$*" + "$@" +} + +cat >/usr/bin/arch-pxe-mount <<'EOFOUTER' +#!/bin/bash +# symlinks are collapsed for nfs mount points, so use a bind mount. +# tried putting this in /etc/config/fstab, +# then doig block mount, it didn't work. This doesn't persist across reboots, +# todo: figure that out +d=/run/archiso/bootmnt +cat > /etc/fstab </dev/null || mount $d +/etc/init.d/nfsd restart +EOFOUTER +chmod +x /usr/bin/arch-pxe-mount + +cat >.profile <<'EOF' +# changing login shell emits spam on ssh single commands & scp + # sed -i 's#/bin/ash$#/bin/bash#' /etc/passwd +#https://dev.openwrt.org/ticket/13852 +[ "$PS1" = "" ] || { + /bin/bash + exit +} +EOF +v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server + + + +sed -ri "s/option[[:space:]]*encryption[[:space:]]*'?none'?/option encryption psk2\n option key pictionary49/" /etc/config/wireless +sed -i '/^[[:space:]]*option disabled/d' /etc/config/wireless +v wifi + + +v /etc/init.d/fstab enable ||: + +# rebooting makes mounting work, but comparing lsmod, +# i'm guessing this will too. todo, test it. +# 255 == module already loaded +for mod in scsi_mod sd_mod; do v modprobe $mod || [[ $? == 255 ]]; done + +# for arch pxe. 
The default settings in the installer expect to find +# the NFS at /run/archiso/bootmnt +mkdir -p /run/archiso/bootmnt + +# todo: at some later time, i found /mnt/usb not mounted, watch to see if +# that is the case after running this or rebooting. +# wiki says safe to do in case of fstab changes: +cedit /etc/config/fstab <<'EOF' || { v block umount; v block mount; } +config global automount + option from_fstab 1 + option anon_mount 1 + +config global autoswap + option from_fstab 1 + option anon_swap 1 + +config mount + option target /mnt/usb + option device /dev/sda2 + option fstype ext4 + option options rw,async,noatime,nodiratime + option enabled 1 + option enabled_fsck 0 + +config swap + option device /dev/sda1 + option enabled 1 + +EOF + + + + # exportfs -ra won't cut it when its the same path, but now a bind mount +cedit /etc/exports <<'EOF' || v /etc/init.d/nfsd restart ||: +/mnt/usb 192.168.1.0/255.255.255.0(rw,no_root_squash,insecure,sync,no_subtree_check) +# for arch pxe +/run/archiso/bootmnt 192.168.1.0/255.255.255.0(rw,no_root_squash,insecure,sync,no_subtree_check) + +EOF + + +v /etc/init.d/portmap start +v /etc/init.d/nfsd start +v /etc/init.d/portmap enable +v /etc/init.d/nfsd enable + + + +cedit /etc/config/firewall <<'EOF' || /etc/init.d/firewall restart +# port forwarding +config redirect +option name bittorrent +option src wan +option src_dport 63324 +option dest_ip 192.168.1.2 +option dest lan +# making the port open (not sure if this is actually needed) +config rule +option src wan +option target ACCEPT +option dest_port 63324 + + +config redirect +option name bithtpc +option src wan +option src_dport 63325 +option dest_ip 192.168.1.4 +option dest lan + +config rule +option src wan +option target ACCEPT +option dest_port 63325 + + +config redirect +option name ssh +option src wan +#uncomment the 2 lines for security of using a non-standard port +# and comment out the 22 port line +# option src_dport 63321 +option src_dport 22 +option dest_ip 
192.168.1.2 +option dest lan +# option dest_port 22 # already default + +config rule +option src wan +option target ACCEPT +option dest_port 22 + + +# for https +config redirect + option src wan + option src_dport 443 + option dest lan + option dest_ip 192.168.1.2 + option proto tcp + +config rule + option src wan + option target ACCEPT + option dest_port 443 + option proto tcp + + +config redirect + option src wan + option src_dport 80 + option dest lan + option dest_ip 192.168.1.2 + option proto tcp + +config rule + option src wan + option target ACCEPT + option dest_port 80 + option proto tcp +EOF + + +dnsmasq_restart=false +cedit /etc/hosts < + +dhcp-host=f4:6d:04:02:ee:eb,192.168.1.2,treetowl +dhcp-host=00:26:18:97:bb:16,192.168.1.3,frodo +dhcp-host=10:78:d2:da:29:22,192.168.1.4,htpc +dhcp-host=00:1f:16:16:39:24,192.168.1.5,x2 +# this is so fai can have an explicit name to use for testing, +# or else any random machine which did a pxe boot would get +# reformatted. The mac is from doing a virt-install, cancelling it, +# and copying the generated mac, so it should be randomish. +dhcp-host=52:54:00:9c:ef:ad,192.168.1.6,demohost +dhcp-host=52:54:00:56:09:f9,192.168.1.7,faiserver +dhcp-host=80:fa:5b:1c:6e:cf,192.168.1.8,tp + + +# template +# dhcp-host=,192.168.1., +EOF + +if $dnsmasq_restart; then + v /etc/init.d/dnsmasq restart +fi diff --git a/wrt-setup-remote b/wrt-setup-remote new file mode 100755 index 0000000..ccd96c4 --- /dev/null +++ b/wrt-setup-remote @@ -0,0 +1,14 @@ +#!/bin/bash + +set -eE -o pipefail +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR + +h=root@192.168.1.1 +scp /a/bin/fai/wrt-setup /a/bin/bash-programs-by-ian/repos/cedit/cedit $h:/usr/bin +ssh $h <<'EOF' +if ! opkg list-installed|grep bash; then + opkg update + opkg install bash +fi +wrt-setup +EOF
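Review bot: The `sed -ri "s/option[[:space:]]*encryption[[:space:]]*'?none'?/option encryption psk2\n option key .../"` line embeds the WiFi PSK as a literal in a script that is committed to this repository and copied to the router by wrt-setup-remote, so the key is now in git history and briefly in the process list; read it from the environment or a root-only file instead, e.g. `: "${WIFI_KEY:?set WIFI_KEY}"` and use `$WIFI_KEY` in the replacement (escaping `/`, `&` and `\` for sed). The `/etc/exports` entries grant `rw,no_root_squash,insecure` on `/mnt/usb` to the whole 192.168.1.0/24, and that same tree holds the `tftpboot` directory pxe-server configures as `tftp-root`, so any host on the LAN can alter the images other machines PXE-boot and reinstall from; exporting `ro` to the subnet and `rw` only to the host that runs debian-pxe-preseed would keep that path intact. In the firewall block, the comment "uncomment the 2 lines for security of using a non-standard port" overstates what moving the WAN→192.168.1.2 ssh redirect off port 22 buys; key-only authentication on 192.168.1.2 is what actually limits that exposure. In `pi()`, `opkg install "$@"` inside the `for x in "$@"` loop installs the whole list as soon as one package is missing and then keeps iterating; `opkg install "$x"` is what the loop shape suggests.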
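Review bot: `opkg list-installed|grep bash` matches any installed package whose line contains that substring, so a package with a name such as `bash-completion` (constructed example) would satisfy the test without bash itself being present, and `wrt-setup`, a `#!/bin/bash` script, would then fail on the router; `opkg list-installed | grep -q '^bash '` tests the package name itself, assuming opkg's `name - version` output format. Quoting `"$h"` in the `scp` and `ssh` lines costs nothing. The scp also pulls `cedit` from a path outside this repository, which wrt-setup and pxe-server both depend on and which the new README does not mention.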