add file for bootstrap distro

[automated-distro-installer] / fai / config / scripts / IANK / 11-iank

#!/bin/bash -x

set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR

if [[ $EUID != 0 ]]; then
  echo "$0: error: expected to be root."
  exit 1
fi

if ! type -t fcopy &>/dev/null; then
  sudo apt-get -y install fai-client
fi

if [[ -e /a/bin/fai/fai-wrapper ]]; then
  chroot() {
    shift
    "$@"
  }
fi



# -r = recursive
# -i = ignore non-matching class warnings, always exit 0
# -B = no backup files
fcopy -riBM /boot
# this is also done by FAIBASE/10-misc by default (without B)
fcopy -riBM /root
fcopy -riBM /usr/local/bin

# this gets done by fai, but just happens too often that
# I add sources due to new distros, whatever.
fcopy -riBM /etc/apt/preferences.d
fcopy -riBM /etc/apt/sources.list.d


src=$FAI/distro-install-common/shadow
dst=/q/root/shadow
if [[ ! -e $dst && -e $src ]]; then
  # outside of fai context, we skip this
  mkdir -p $dst
  mount -o bind $src $dst
fi

$FAI/distro-install-common/end



### begin sources install + updates
# these get copied in an earlier stage by fai, but leaving it here since
# I run this as a single post-fai script to update things that have changed.
tmpfile1=$(mktemp)
# this can fail if we need an apt update
chroot $FAI_ROOT /usr/bin/apt-cache policy >$tmpfile1 ||:
fcopy -riBM /etc/apt

# get ubuntu key, for running from fai wrapper.
apt-key add $FAI/package_config/UBUNTU.asc

tmpfile2=$(mktemp)
chroot $FAI_ROOT /usr/bin/apt-cache policy >$tmpfile2
if ! diff -q $tmpfile1 $tmpfile2; then
  chroot $FAI_ROOT /usr/bin/apt update
fi
# outside of fai, this seems to regularly lead to
# E: Could not get lock /var/lib/apt/lists/lock - open (11: Resource temporarily unavailable)
# so add a sleep. 1 sec is probably way more than needed.
sleep 1
f=$FAI_ROOT/var/cache/apt/pkgcache.bin
if [[ ! -r $f ]] || (( $(( $(date +%s) - $(stat -c %Y $f ) )) > 60*60*2 )); then
  i=0
  while fuser $FAI_ROOT/var/lib/dpkg/lock &>/dev/null; do
    sleep 1
    i=$(( i+1 ))
    if (( i > 300 )); then
      echo "error: timed out waiting for /var/lib/dpkg/lock" >&2
      exit 1
    fi
    $ROOTCMD apt-get update
  done
fi
### end sources install + updates


#### misc configurations
chroot $FAI_ROOT bash <<'EOFOUTER'
if getent group systemd-journal >/dev/null; then
  # makes the journal be saved to disk.
  mkdir -p /var/log/journal
  chmod 755 /var/log/journal
fi
debconf-set-selections <<EOF
kexec-tools kexec-tools/load_kexec boolean false
EOF
apt-get install -y pxe-kexec

# this is usefull. Only thing reason I see this being disabled by default is
# that a normal user can disrupt the system, eg cause a reboot.
sed -i '$a kernel.sysrq=1
/^kernel.sysrq=/d' /etc/sysctl.conf

EOFOUTER


if [[ $FAI_ACTION != dirinstall ]] && ! ifclass NOCRYPT; then
  # luks options, see man systemd-cryptsetup-generator
  # all i know is that with luks.crypttab=no, swap still timed out on boot.
  # and with rd.luks.crypttab=no, it works.
  if ifclass LINODE; then
    speed=19200
    cmdline="rd.luks.crypttab=no net.ifnames=0 console=ttyS0,${speed}n8"
  else
    speed=115200
    cmdline="rd.luks.crypttab=no net.ifnames=0 console=ttyS0,${speed}n8 console=tty0"
    case $HOSTNAME in
      kd)
        fcopy -v /usr/bin/myncq

        cat >$target/etc/systemd/system/myncq.service <<'EOF'
[Unit]
Description=fix ncq errors

[Service]
Type=oneshot
ExecStart=/usr/bin/myncq
TimeoutStartSec=20

[Install]
# https://www.enricozini.org/blog/2017/debian/systemd-07-devices/
WantedBy=dev-disk-by\x2did-ata\x2dSamsung_SSD_870_QVO_8TB_S5VUNG0N900656V.device
EOF

        chroot $FAI_ROOT bash <<'EOFOUTER'
systemctl enable myncq.service
/usr/bin/myncq no-upgrub
EOFOUTER

        ;;
      # per rubens suggestion to make a d16 more stable
      kd|kw) cmdline+=" pci=realloc=off" ;;
    esac
  fi

  cat >$FAI_ROOT/etc/grub.d/40_custom <<EOF
#!/bin/sh
exec tail -n +3 \$0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.

# https://www.coreboot.org/Serial_console # tty
# but removed unneeded stuff

serial --speed=$speed
terminal_input --append  serial
terminal_output --append serial
EOF


  chroot $FAI_ROOT bash <<EOF
set -eE -o pipefail
# https://askubuntu.com/questions/33416/how-do-i-disable-the-boot-splash-screen-and-only-show-kernel-and-boot-text-inst

sed -ri 's/(^GRUB_CMDLINE_LINUX_DEFAULT=")quiet/\1/;s/^(GRUB_CMDLINE_LINUX_DEFAULT=".*) quiet([ "])/\1\2/' /etc/default/grub
sed -ri 's/(^GRUB_CMDLINE_LINUX_DEFAULT=")splash/\1/;s/^(GRUB_CMDLINE_LINUX_DEFAULT=".*) splash([ "])/\1\2/' /etc/default/grub

for arg in $cmdline; do
  if ! grep "^GRUB_CMDLINE_LINUX_DEFAULT=.*[\" ]${arg//./\\.}[\" ]" /etc/default/grub; then
    sed -ri "s/^GRUB_CMDLINE_LINUX_DEFAULT=\"(.*)/GRUB_CMDLINE_LINUX_DEFAULT=\"$arg \1/" /etc/default/grub
  fi
done

if grep -qF "$cmdline" /etc/default/grub; then
  # already set things, exit
  exit 0
fi
sed -ri 's/^ *GRUB_CMDLINE_LINUX_DEFAULT=.*/GRUB_CMDLINE_LINUX_DEFAULT="$cmdline"/' /etc/default/grub
# on xenial, no grub is displayed at all. fix that.
# found just by noticing this in the config file, and a
# warning about it in error.log
sed -i '/^ *GRUB_HIDDEN_TIMEOUT/d' /etc/default/grub

if type -P update-grub2 &>/dev/null; then
  update-grub2
else
  update-grub
fi

EOF
fi ##### end != dirinstall && != NOCRYPT


###### begin network setup ####

# use old names. the idea of them changing between boots has never
# happened to me and I usually only have 1 wired or other type.
# If I ever do need to care about it, I will.
# Strangely this didn't work on kw, so I added kernel cmdline parameter.
# https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/
ln -sf /dev/null $target/etc/systemd/network/99-default.link


# bitfolk installer handles the rest
case $HOSTNAME in
  bk|je) exit 0 ;;
esac


# bug fix, somewhere between t9's xorg 1.19.6
# and 1.20.1-3ubuntu2
#  xserver-xorg-video-nouveau                 1:1.0.15-3
# xorg stopped load nouveau
#  https://www.linuxquestions.org/questions/slackware-14/kernel-modules-conflicting-with-nouveau-driver-4175623867/
# https://nouveau.freedesktop.org/InstallNouveau.html
if lspci|grep -q 'GeForce GTX 6[0-9][0-9]\]'; then
  mkdir -p $target/etc/X11/xorg.conf.d/
  cat >$target/etc/X11/xorg.conf.d/10-nouveau.conf <<'EOF'
Section "Device"
Identifier "Device0"
Driver "nouveau"
EndSection
EOF
fi

# use networkmanager if this host has wireless.
if [[ $HOSTNAME == bo ]] || type -p iw &>/dev/null && [[ $(iw dev) ]]; then
  chroot $FAI_ROOT bash <<EOF
apt-get -y install network-manager
EOF

  # allow networkmanager to manage interfaces
  #https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1638842
  touch $target/etc/NetworkManager/conf.d/10-globally-managed-devices.conf
  # in a default desktop install, it looks like netplan creates this file under
  # run/NetworkManager/conf.d in early boot.

  # By default, dns=default is set in etiona, and dns is just broken.
  # Maybe with resolvconf it would work, but theres no need for that.
  # https://wiki.gnome.org/Projects/NetworkManager/DNS
  cat >$target/etc/NetworkManager/conf.d/99-iank.conf <<'EOF'
[main]
dns=systemd-resolved
EOF
  if [[ $HOSTNAME == frodo ]]; then
    cat > $target/etc/network/interfaces <<-EOF
# generated by FAI
auto lo eth0
iface lo inet loopback
iface eth0 inet static
address 10.3.0.2/16

source-directory /etc/network/interfaces.d
EOF
  fi

else
  cat > $target/etc/network/interfaces <<-EOF
# generated by FAI
auto lo eth0
iface lo inet loopback
iface eth0 inet dhcp
iface eth0 inet6 auto

source-directory /etc/network/interfaces.d
EOF

  # previously had an else condition after
  #elif ifclass VM || ifclass LINODE; then
  # iface $NIC1 inet manual
  # iface br0 inet dhcp
  #   bridge_ports $NIC1
  #   bridge_stp off
  #   bridge_maxwait 0
  # however, on t9, on startup, br0, became
  # rename1 and didn't come up. i dunno why,
  # but the bridge is for vms that I rarely use,
  # so not bothering to figure it out.


fi

if ifclass LINODE; then
  mkdir -p $target/etc/initramfs-tools/conf.d
  cat >$target/etc/initramfs-tools/conf.d/mine <<EOF
# dhcp in initramfs doesn't work on linode. i dunno why, whatever.
# man 5 initramfs.conf
# /usr/share/doc/klibc-utils/README.ipconfig.gz
# /usr/share/initramfs-tools/scripts/functions
IP=$linode_ip::$linode_gw:255.255.255.0::eth0:off
EOF


  if [[ $HOSTNAME == li ]]; then

    cat > $target/etc/network/interfaces <<-EOF
# generated by FAI
auto lo eth0
iface lo inet loopback
iface eth0 inet dhcp
# for the standard network config, uncomment this and comment the lines after it.
#iface eth0 inet6 auto

iface eth0 inet6 static
# this is really a /128. it seems like we need to assign it for ipv6 to work.
address 2600:3c00::f03c:91ff:fe6d:baf8/64
gateway fe80::1

iface eth0 inet6 static
# from a requested /64 pool
address 2600:3c00:e000:280::2/64

source-directory /etc/network/interfaces.d
EOF
  fi
fi

# I prefer to stick with ifup/down for now. a. networkd is not in its
# own package, so cant use in other init systems. b. it works fine.
chroot $FAI_ROOT bash <<EOF
systemctl disable systemd-networkd.socket systemd-networkd networkd-dispatcher systemd-networkd-wait-online
systemctl mask systemd-networkd.socket systemd-networkd networkd-dispatcher systemd-networkd-wait-online
EOF

##### end network setup  #####


if ifclass VOL_BULLSEYE_BOOTSTRAP; then
  fcopy /etc/systemd/system/faicheck.service
  chroot $FAI_ROOT bash <<'EOFOUTER'
systemctl enable faicheck.service
EOFOUTER
  exit 0 # avoid unnecessary stuff in bootstrap vol
fi


## misc settings
chroot $FAI_ROOT bash <<'EOFOUTER'
#### begin .ssh setup ###
set -x
set -eE -o pipefail
if ! [[ -s /home/iank/.ssh/authorized_keys ]]; then
  mkdir -p /home/iank/.ssh
  f=/root/.ssh/authorized_keys
  if [[ -e $f ]]; then
     cp $f /home/iank/.ssh
  fi
  chown -R 1000:1000 /home/iank/.ssh
  chmod -R u=Xrw,og= /home/iank/.ssh
  rm -rf /root/.ssh
  # remove broken symlinks or the following cp will fail
  find /home/iank/.ssh -xtype l -exec rm '{}' \;
  cp -rL /home/iank/.ssh /root
  chown -R root:root /root/.ssh
  chmod 700 /root/.ssh
fi

# old link from
# # https://ticktockhouse.svbtle.com/my-obligatory-ubuntu-ssh-agent-post
# but that made a service that started too soon and didn't pick up our
# x env vars. instead, copy from the root ssh-agent just the
# appropriate things into a new service.
rm -f /home/iank/.config/systemd/user/default.target.wants/ssh-agent.service

rm -f /home/iank/.local/share/systemd/user/sshaiank.service \
  /home/iank/.config/systemd/user/default.target.wants/sshaiank.service

#### end .ssh setup ###

## duplicated in ssh-emacs-setup
# done here so its setup earlier for convenience
line='AcceptEnv INSIDE_EMACS BRC COLUMNS'
f=/etc/ssh/sshd_config
grep -xFq "$line" $f || tee -a $f <<<"$line"


# default debian groups (jessie through buster) + adm, root, admin
for g in cdrom floppy audio dip video plugdev netdev adm sudo admin; do
  if getent group $g >/dev/null; then
    usermod -aG $g iank
  fi
done

if getent group systemd-journal >/dev/null; then
  usermod -aG systemd-journal iank
fi
EOFOUTER

rm -f $target/etc/resolv.conf
ln -s ../run/systemd/resolve/stub-resolv.conf $target/etc/resolv.conf
# needed for bitfolk image
if [[ -e /a/bin/fai/fai-wrapper ]]; then
  systemctl enable systemd-resolved
  systemctl start systemd-resolved
fi



# reading through the groups that iank is in but user2 isn't,
for g in plugdev audio video cdrom; do
  $ROOTCMD usermod -a -G $g user2
done