set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
+
readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"; cd "${this_file%/*}"
usage() {
# i use faiserver as a dns alias, but ssh key is associated with
# a canonical hostname and we will have ssh warning spam unless we
# use it, so look it up just to avoid the warning spam.
-faiserver_host=$(chost $host) || faiserver_host=$host
+faiserver_host=$(/a/exe/chost $host) || faiserver_host=$host
+
+faiserver_addr=$(host $host | sed -rn 's/^\S+ has address //p;T;q' ||:)
+if ! ip a | grep "^ *inet.\? $faiserver_addr" &>/dev/null; then
+ rpre="-e 'ssh -F $HOME/.ssh/confighome' root@$faiserver_host:"
+ faiserver_shell="ssh -F $HOME/.ssh/confighome root@$faiserver_host"
+fi
-rsync -rlpt --delete --relative --exclude /fai/config/basefiles/ fai/config root@$faiserver_host:/srv
+# these are gitignored.
+rsync -atL /home/iank/.ssh/authorized_keys fai/config/files/root/.ssh/authorized_keys/STANDARD
+# we hssh and ssh_filter_btrbk for the initial btrbk (alternatively, I could open up the
+# permissions in authorized_keys, but that just seems lazy)
+install --owner=iank --group=iank -d fai/config/files/usr/local/bin/hssh
+rsync -atL /a/bin/ds/hssh fai/config/files/usr/local/bin/hssh/STANDARD
+install --owner=iank --group=iank -d fai/config/files/usr/local/bin/ssh_filter_btrbk.sh
+rsync -atL /a/opt/btrbk/ssh_filter_btrbk.sh fai/config/files/usr/local/bin/ssh_filter_btrbk.sh/STANDARD
+
+rsync -rlpt --delete --relative --exclude /fai/config/basefiles/ fai/config $rpre/srv
-sudo rsync -a /root/.ssh/home.pub \
- root@$faiserver_host:/srv/fai/config/files/root/.ssh/authorized_keys/STANDARD
# todo: automatically disable faiserver after a period so
# these files are not available.
if [[ $target ]]; then
- if sudo test -e /q/root/shadow/$target; then
+ if test -e /q/root/shadow/$target; then
shadowfile=shadow/$target # empty otherwise
fi
- sudo rsync -lpt --files-from=- /q/root root@$faiserver_host:/srv/fai/config/distro-install-common <<EOF
+ rsync -lpt --files-from=- /q/root $rpre/srv/fai/config/distro-install-common <<EOF
luks/$target
luks/host-$target
$shadowfile
EOF
else
- sudo rsync -rlpt /q/root/shadow /q/root/luks root@$faiserver_host:/srv/fai/config/distro-install-common
+ rsync -rlpt /q/root/shadow /q/root/luks $rpre/srv/fai/config/distro-install-common
fi
dirs=(/p/c/machine_specific/${target:-*}/filesystem/etc/ssh)
if [[ -e ${dirs[0]} ]]; then
- rsync -rlpt --delete --relative ${dirs[@]} root@$faiserver_host:/srv/fai/config/distro-install-common
+ rsync -rlpt --delete --relative ${dirs[@]} $rpre/srv/fai/config/distro-install-common
fi
. /a/bin/distro-setup/pkgs
pall+=($(/a/bin/buildscripts/emacs -p; /a/bin/distro-setup/distro-pkgs $distro))
printf "%s\n%s\n" "PACKAGES install" ${pall[*]} | \
- ssh root@$faiserver_host dd of=/srv/fai/config/package_config/DESKTOP 2>/dev/null ||: # broken pipe
+ $faiserver_shell dd of=/srv/fai/config/package_config/DESKTOP 2>/dev/null ||: # broken pipe
-rsync -rplt --include '/*.gz' --exclude '/**' --delete-excluded $BASEFILE_DIR/ root@$faiserver_host:/srv/fai/config/basefiles/
-ssh root@$faiserver_host bash <<'EOF'
-set -eE -o pipefail
-# make it the root because pxe-kexec only looks there.
-# It wouldn't be too hard to change if we needed.
-# We could also just dump things in /srv/tftp, but fai
-# has some defaults, which I don't even use, which expect
-# the other directory, so it's kind of a tossup, whatever.
-sed -ri 's,^ *(TFTP_DIRECTORY=).*,\1"/srv/tftp/fai",' /etc/default/tftpd-hpa
-systemctl restart tftpd-hpa
-
-changed=false
-f=/srv/fai/nfsroot/root/.ssh/known_hosts
-install -d -m 700 /srv/fai/nfsroot/root/.ssh
-# the known hosts entries that fai already sets up are like
-# IP,HOSTNAME key_info...
-# we are skipping the ip, because it doesn't block ssh
-# with a prompt as long as you have the user supplied hostname,
-# and i don't want to deal with getting it, it's not adding
-# any important security in this case.
-if ! grep -xFq "$line" $f &>/dev/null; then
- changed=true
- printf "%s\n" "$line" >>$f
-fi
-
-if ! modprobe nfsd &>/dev/null; then
- # no apt-cache on maru debian, because we are low on space already
- sed -i '/^ *APTPROXY=/d' /srv/fai/config/class/DEBIAN.var
- # maru debian doesn't have loopback devs created
- if ! losetup -f; then
- shopt -s nullglob
- x=(/dev/loop*)
- minor=0
- if (( ${#x[@]} )); then
- minor=$(( ${x[-1]#/dev/loop} + 1 ))
- fi
- mknod -m660 /dev/loop$minor b 7 $minor
- losetup -f
- fi
- # -B boo only iso, no nfsroot, no paritial miorr, no config space.
- # -f = force, for overwriting
- # -S = make squash image for http booting
- # -d config space url, instead of putting it in the squash.img,
- # this just makes it so that we don't have to regenerate the img
- # when the config changes.
- cd /srv/fai/config
- tar czf /var/www/faiserver/html/config.tar.gz .
- if $changed || [[ ! -e /var/www/faiserver/html/squash.img ]]; then
- # note, on maru, selinux needs to be disabled in android before
- # this will work.
- mount
- export debug=true
- fai-cd -d http://faiserver:8080/config.tar.gz -f -M -S /var/www/faiserver/html/squash.img
- mount
- fi
-fi
-EOF
+rsync -rplt --include '/*.gz' --exclude '/**' --delete-excluded $BASEFILE_DIR/ $rpre/srv/fai/config/basefiles/
iankelling.org / git / automated-distro-installer / blobdiff