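#!/bin/bash
# Copyright (C) 2019 Ian Kelling
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# Deploy this machine's FAI config space, including per-host secrets,
# to a FAI server -- directly when the server is this machine, over ssh
# otherwise.  Relies on the author's private paths (/a, /p, /q) and
# helpers (bash-trace, /a/exe/chost, /a/bin/distro-setup).

set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR

# Re-exec as root.  -E keeps the caller's environment (HOME is used below
# to find the ssh config), to the extent the sudoers policy allows it.
[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"

# Declaration split from assignment so a failing readlink is not masked
# by readonly's own exit status.
this_file=$(readlink -f -- "${BASH_SOURCE[0]}")
readonly this_file
cd "${this_file%/*}"
source bash-trace   # relative to the script dir; presumably sets $pre used by m() -- confirm

#######################################
# Print usage and exit.
# Arguments: $1 - exit status (default 0)
#######################################
usage() {
  cat <<EOF
[USAGE TEXT LOST IN EXTRACTION -- restore from the original script]
> /srv/fai/config/class/LAST.var
note FAI_ACTION might be able to be set elsewhere, like in grub for this case

-d DISTRO        DISTRO for setting up fai class DESKTOP packages, for
                 preinstalling stuff.
-t TARGET_HOST   Copy only secrets for TARGET_HOST into the config space.
                 Useful for virtual server on hardware we don't control.
-h|--help        Print help and exit

Note: uses paths specific to authors machine.
EOF
  exit "${1:-0}"
}

##### begin command line parsing ########

# ensure we can handle args with spaces or empty.
ret=0; getopt -T || ret=$?
[[ $ret == 4 ]] || { echo "Install util-linux for enhanced getopt" >&2; exit 1; }

temp=$(getopt -l help hd:t: "$@") || usage 1
eval set -- "$temp"
distro= target=
while true; do
  case $1 in
    -d) distro=$2; shift ;;
    -t) target=$2; shift ;;
    -h|--help) usage ;;
    --) shift; break ;;
    *) echo "$0: unexpected args: $*" >&2 ; usage 1 ;;
  esac
  shift
done
host=${1:-faiserver}
readonly host distro target

##### end command line parsing ########

# Print a command (prefixed with $pre) to stdout, then run it.  $pre is
# passed as an argument, not as the printf format, so a stray % in it
# cannot corrupt the output.
m() { printf '%s %s\n' "${pre:-}" "$*"; "$@"; }

# i use faiserver as a dns alias, but ssh key is associated with
# a canonical hostname and we will have ssh warning spam unless we
# use it, so look it up just to avoid the warning spam.
faiserver_host=$(/a/exe/chost "$host")
# faiserver_host=$host
faiserver_addr=$(host "$host" | sed -rn 's/^\S+ has address //p;T;q' ||:)

# Deploy locally only when the server's address is one of ours.  An empty
# address (lookup failed) must not count as a match: the grep pattern
# would then match every inet line and the deploy would silently go to
# localhost.  rpre holds the rsync remote prefix, faiserver_shell the
# command prefix for the package_config write; both stay empty when local.
rpre=()
faiserver_shell=()
if [[ -z $faiserver_addr ]] || ! ip a | grep "^ *inet.\? $faiserver_addr" &>/dev/null; then
  rpre=(-e "ssh -F $HOME/.ssh/confighome" "root@$faiserver_host:")
  faiserver_shell=(ssh -F "$HOME/.ssh/confighome" "root@$faiserver_host")
fi

# these are gitignored.
rsync -atL /home/iank/.ssh/authorized_keys fai/config/files/root/.ssh/authorized_keys/STANDARD
# we hssh and ssh_filter_btrbk for the initial btrbk (alternatively, I could open up the
# permissions in authorized_keys, but that just seems lazy)
install --owner=iank --group=iank -d fai/config/files/usr/local/bin/hssh
install --owner=iank --group=iank -d fai/config/files/usr/local/bin/ssh_filter_btrbk.sh
rsync -atL /a/opt/btrbk/ssh_filter_btrbk.sh fai/config/files/usr/local/bin/ssh_filter_btrbk.sh/STANDARD

m rsync -rlpt --delete --relative --exclude /fai/config/basefiles/ fai/config "${rpre[@]}"/srv

# todo: automatically disable faiserver after a period so
# these files are not available.
# The luks and shadow material below sits in the server's config space
# for as long as the server is up; -t narrows what is copied to one host.
if [[ $target ]]; then
  secret_files=(luks/$target luks/host-$target shadow/$target)
  secrets_to_send=()
  for f in "${secret_files[@]}"; do
    if [[ -e /q/root/$f ]]; then
      secrets_to_send+=("$f")
    fi
  done
  if (( ${#secrets_to_send[@]} )); then
    printf '%s\n' "${secrets_to_send[@]}" \
      | rsync -lpt --files-from=- /q/root "${rpre[@]}"/srv/fai/config/distro-install-common
  fi
else
  rsync -rlpt /q/root/shadow /q/root/luks "${rpre[@]}"/srv/fai/config/distro-install-common
fi

rsync -rlpt --delete /a/opt/btrfs-progs-release "${rpre[@]}"/srv/fai/config/distro-install-common

# ${target:-*} is deliberately unquoted: one host's ssh dir, or every host's.
# Only the first match is existence-checked, as before.
dirs=(/p/c/machine_specific/${target:-*}/filesystem/etc/ssh)
if [[ -e ${dirs[0]} ]]; then
  rsync -rlpt --delete --relative "${dirs[@]}" "${rpre[@]}"/srv/fai/config/distro-install-common
fi

. /a/bin/distro-setup/pkgs
# Word-splitting of the command output is intentional: one package per word.
# $distro stays unquoted so an empty value passes no argument at all.
# shellcheck disable=SC2086
pall+=($(/a/bin/buildscripts/emacs -p; /a/bin/distro-setup/distro-pkgs $distro))
# One package per line after the header; the write goes through ssh when
# remote.  ||: tolerates the pipeline's broken pipe.
printf '%s\n' "PACKAGES install" "${pall[@]}" \
  | "${faiserver_shell[@]}" dd of=/srv/fai/config/package_config/DESKTOP status=none ||: # broken pipe

# BASEFILE_DIR is presumably set by /a/bin/distro-setup/pkgs -- confirm.
# Abort if it is unset/empty: rsync would otherwise sync from / and
# --delete-excluded would remove the server's existing basefiles.
: "${BASEFILE_DIR:?BASEFILE_DIR must be set}"
m rsync -rplt --include '/*.zst' --exclude '/**' --delete-excluded "$BASEFILE_DIR/" "${rpre[@]}"/srv/fai/config/basefiles/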