X-Git-Url: https://iankelling.org/git/?p=automated-distro-installer;a=blobdiff_plain;f=fai%2Fconfig%2Fdistro-install-common%2Fend;h=b248bd31e7759b17a96c77ae1f33bee83db94c81;hp=6bb2880ef82a3f160c9cdcf31bed07826929220f;hb=683400c6a28e49f3db1fc1bd051b7fc3efc63336;hpb=8730d8986b29c6481223b02a85eaf448212a97c1 diff --git a/fai/config/distro-install-common/end b/fai/config/distro-install-common/end index 6bb2880..b248bd3 100755 --- a/fai/config/distro-install-common/end +++ b/fai/config/distro-install-common/end @@ -1,35 +1,123 @@ #!/bin/bash -x set -eE -o pipefail -trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR +if [[ $EUID != 0 ]]; then + echo "$0: error: expected to be root." + exit 1 +fi +# ssh host keys +# note, $BASH_SOURCE is not defined here under fai. +src=$(dirname "$0")/p/c/machine_specific/$HOSTNAME/filesystem/etc/ssh +dst=$target/etc/ssh +if [[ -e $src && -e $dst ]]; then + # outside of fai context or setting up a brand new host, we skip this + cp -rT $src $dst +fi + +USER2PW=/q/root/shadow/user2 +# if doesn't exist, we dont set one +ROOTPW=/q/root/shadow/standard +if [[ ! -e $ROOTPW ]]; then + ROOTPW=/q/root/shadow/$HOSTNAME +fi + +chpw() { + # generating a hashed password: + # under debian, you can do + # mkpasswd -m sha-512 -s >/q/root/shadow/standard + # On arch, best seems to be copy your shadow file to a temp location, + # then passwd, get out the new pass, then copy the shadow file back. + + user=$1 + pwfile=$2 + if [[ $pwfile && -e $pwfile ]]; then + printf "$user:" | cat - "$pwfile" | $ROOTCMD chpasswd -e + else + echo "$0: warning: no pw set for $user" >&2 + fi +} +au() { # add user. i don't use adduser for portability + local user=${@: -1} + if ! $ROOTCMD getent passwd $user; then + $ROOTCMD useradd -c $user -Um -s /bin/bash $@ + fi +} + +chpw root "$ROOTPW" + +# only setup root pass for bootstrap vol +if ifclass VOL_BULLSEYE_BOOTSTRAP; then + exit 0 +fi + + +# return of 9 = user already exists. so we are idempotent. +au iank +chpw iank "$ROOTPW" + +au user2 +if ifclass frodo; then + chpw user2 "$USER2PW" +fi +# comparing iank's groups to user2, I see none she should join on arch +$ROOTCMD usermod -a -G user2 iank + + +$ROOTCMD getent group docker &>/dev/null || $ROOTCMD groupadd -r docker +$ROOTCMD usermod -a -G docker iank # based on unison error, with 8192 from # sysctl -a | grep fs.inotify.max_user_watches #http://stackoverflow.com/questions/535768/what-is-a-reasonable-amount-of-inotify-watches-with-linux -echo "fs.inotify.max_user_watches = 1000000" >> $target/etc/sysctl.d/99-sysctl.conf -# if we weren't rebooting, you could apply it now with: -# sysctl --system +f=$target/etc/sysctl.d/99-sysctl.conf +key=fs.inotify.max_user_watches +if [[ -e $f ]]; then sed -ri --follow-symlinks "/^\s*$key\s*=/d" $f; fi +echo "fs.inotify.max_user_watches = 50000" >> $f +# applies it. it would be also be applied after a reboot +$ROOTCMD sysctl --system -echo 'ian ALL=(ALL) NOPASSWD: ALL' >> $target/etc/sudoers +if getent group sudo >/dev/null; then + usermod -aG sudo iank +fi +cat >$target/etc/sudoers.d/ianksudoers <<'EOF' +Defaults timestamp_timeout=1440 +# used in bashrc +Defaults env_keep += SUDOD +# always_set_home +# makes ubuntu be like debian +# https://unix.stackexchange.com/a/91572 +Defaults always_set_home +# umask: default setting is to have minimum umask of 0022 +# This lets us have user-specific umasks which are more permissive. +# I did this for transmission and set it's umask gecos on install, +# see there for more info. +Defaults !umask +# i use sudo in cronjobs, it spams the logs rather uselessly +# https://stackoverflow.com/questions/14277116/suppress-log-entry-for-single-sudo-commands +Defaults:root,iank !log_allowed, !pam_session +# for just the root user, set some env vars +Defaults>root env_file=/etc/rootsudoenv +EOF -dir=/q/p/c/machine_specific/$HOSTNAME/.unison -$ROOTCMD mkdir -p $dir +case $HOSTNAME in + li|bk|je) + cat >>$target/etc/sudoers.d/ianksudoers <<'EOF' +iank ALL=(ALL) NOPASSWD: ALL +EOF + ;; +esac -$ROOTCMD rm -rf /root/.unison -$ROOTCMD ln -s $dir /root -$ROOTCMD ln -s /q/p / +# remove old config line. can be removed eventually. +f=$target/etc/sudoers +line='iank ALL=(ALL) NOPASSWD: ALL' +if grep -qxF "$line" $f; then + sed -i "/^$line/d" $f +fi -while true; do - $ROOTCMD chown 1000:1000 $dir - $ROOTCMD chmod 700 $dir - dir=$(dirname $dir) - [[ $dir != /q ]] || break -done -# kvm is normally created by some package, -# but unison doesn't like unknown groups, so make it now so initial sync works. -$ROOTCMD groupadd kvm +au --system -s /bin/false --home-dir /var/lib/bitcoind bitcoin