. fai-wrapper
./fai/config/hooks/partition.DEFAULT
-# on local host
+# on remote host
# install ubuntu 20.04 using virt-install
-s virt-install --os-variant=ubuntu16.04 --cdrom ubuntu-20.04-desktop-amd64.iso --disk path=u2004.qcow2 -r 2048 --vcpus 1 -n u2004
-sudo qemu-img create -o preallocation=metadata -f qcow2 u2004.qcow2 15G
+sudo -i
+virt-install --os-variant=ubuntu16.04 --cdrom ubuntu-20.04-desktop-amd64.iso --disk path=u2004.qcow2 -r 2048 --vcpus 1 -n u2004
+qemu-img create -o preallocation=metadata -f qcow2 u2004.qcow2 15G
+# alternatively, also tried a physical install, because I know the virtual install ends up
+# with some differen things, like some spice service. then pulled the data out with
+rsync -ahSAX --numeric-ids --exclude=proc --exclude=sys --exclude=dev --exclude=tmp --exclude=run root@tp:/ .; mkdir proc sys dev tmp
+
modprobe nbd
+qemu-nbd --connect=/dev/nbd0 u1804.qcow2 -f qcow2
qemu-nbd --connect=/dev/nbd0 u2004.qcow2 -f qcow2
-s mount /dev/nbd0p5 /mnt/1
-s rsync -avhSAXP --numeric-ids /mnt/1/ root@tp:/mnt/root/root_ubuntubionic
-
-# on remote host:
-# mount boot and root to /mnt/1
-sudo -i
-cd /mnt/1
+mount /dev/nbd0p1 /mnt/1 # bionic
+mount /dev/nbd0p5 /mnt/1 # focal
+mount -o bind /mnt/root/root_ubuntubionic /mnt/2
+mount -o bind /mnt/root/root_ubuntufocal /mnt/2
+mkdir -p /mnt/2/boot
+mount -o bind /mnt/boot/boot_ubuntubionic /mnt/2/boot
+mount -o bind /mnt/boot/boot_ubuntufocal /mnt/2/boot
+# S = sparse, A = acls, X = xattrs
+rsync -ahSAX --numeric-ids /mnt/1/ /mnt/2
+
+cd /mnt/2
cp /tmp/fai/crypttab etc
-cp /tmp/fstab etc
+sed -i "s#/root/keyscript,#decrypt_keyctl,#" etc/crypttab
+cp /tmp/fai/fstab etc
+echo "tmpfs /tmp tmpfs nodev,nosuid,size=50%,mode=1777 0 0" >> etc/fstab
chrbind
chroot .
+mv /etc/resolv.conf /etc/resolv.conf.old
+echo nameserver 1.1.1.1 >/etc/resolv.conf
# install programs from /a/bin/fai/fai/config/package_config/STANDARD:
-apt install openssh-client openssh-server cryptsetup keyutils btrfs-progs console-setup kbd pciutils usbutils unattended-upgrades initramfs-tools-core dropbear-initramfs
+apt install -y openssh-client openssh-server cryptsetup keyutils btrfs-progs console-setup kbd pciutils usbutils unattended-upgrades initramfs-tools-core dropbear-initramfs
+mv /etc/resolv.conf.old /etc/resolv.conf
exit
-# install authorized keys in dropbear and .ssh folder
+d=etc/initramfs-tools
+mkdir -p $d/root/.ssh etc/dropbear-initramfs root/.ssh
+chmod 700 $d/root $d/root/.ssh root/.ssh
+cp -p /root/.ssh/authorized_keys $d/root/.ssh/authorized_keys
+cp -p /root/.ssh/authorized_keys etc/dropbear-initramfs
+cp -p /root/.ssh/authorized_keys root/.ssh/authorized_keys
chroot .
-grub-install --no-floppy $(grub-probe -tdrive -d /dev/sda3)
+sed -ri 's/^ *GRUB_CMDLINE_LINUX_DEFAULT=.*/GRUB_CMDLINE_LINUX_DEFAULT="rd.luks.crypttab=no"/' /etc/default/grub
+grub-install --no-floppy $(grub-probe -tdrive -d /dev/sda)
update-grub
grub-bios-setup -d /boot/grub/i386-pc -s /dev/sda
exit
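Review bot: The `sed -ri 's/^ *GRUB_CMDLINE_LINUX_DEFAULT=.*/…/'` just before `grub-install` only rewrites an existing `GRUB_CMDLINE_LINUX_DEFAULT=` line, so on an image where that line is absent or commented out nothing changes and `rd.luks.crypttab=no` never reaches the kernel command line — which, per the crypttab comment later on this page, is what stops encrypted swap from timing out at boot. A one-line fallback after the sed closes that gap: `grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub || echo 'GRUB_CMDLINE_LINUX_DEFAULT="rd.luks.crypttab=no"' >>/etc/default/grub`. The unconditional `>> etc/fstab` for the /tmp tmpfs likewise appends a duplicate entry on every re-run; `grep -q '^tmpfs /tmp ' etc/fstab || echo "…" >> etc/fstab` keeps the notes re-runnable. These read as working notes rather than a script, so whether re-runs are expected is an assumption on my part.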
#!/bin/bash
if [[ ! -e /a/bin/fai/fai-wrapper || $FAI_ACTION == dirinstall ]]; then
- case $HOSTNAME in
- # stretch based minimal recovery / bootstraping os:
- _) echo DEBIAN STRETCH64 VOL_STRETCH_BOOTSTRAP STRETCH_FREE ;;
- # flidas
- _) echo UBUNTU FLIDAS64 VOL_FLIDAS FLIDAS ;;
- # etiona
- _) echo UBUNTU ETIONA64 VOL_ETIONA ETIONA ;;
- # stretch
- _) echo DEBIAN STRETCH64 VOL_STRETCH STRETCH_FREE ;;
- # buster
- _) echo DEBIAN BUSTER64 VOL_BUSTER BUSTER_FREE ;;
- # testing
- _) echo DEBIAN STRETCH64 VOL_TESTING TESTING_FREE ;;
- # xenial
- _) echo UBUNTU XENIAL64 VOL_XENIAL XENIAL_FREE ;;
- # bionic
- _) echo UBUNTU BIONIC64 VOL_BIONIC BIONIC ;;
- # focal
- _) echo UBUNTU FOCAL64 VOL_FOCAL FOCAL ;;
- esac
+ case $HOSTNAME in
+ # stretch based minimal recovery / bootstraping os:
+ _) echo DEBIAN STRETCH64 VOL_STRETCH_BOOTSTRAP STRETCH_FREE ;;
+ # flidas
+ _) echo UBUNTU FLIDAS64 VOL_FLIDAS FLIDAS ;;
+ # etiona
+ _) echo UBUNTU ETIONA64 VOL_ETIONA ETIONA ;;
+ # stretch
+ _) echo DEBIAN STRETCH64 VOL_STRETCH STRETCH_FREE ;;
+ # buster
+ _) echo DEBIAN BUSTER64 VOL_BUSTER BUSTER_FREE ;;
+ # testing
+ _) echo DEBIAN STRETCH64 VOL_TESTING TESTING_FREE ;;
+ # xenial
+ _) echo UBUNTU XENIAL64 VOL_XENIAL XENIAL_FREE ;;
+ # bionic
+ _) echo UBUNTU BIONIC64 VOL_BIONIC BIONIC ;;
+ # focal
+ _) echo UBUNTU FOCAL64 VOL_FOCAL FOCAL ;;
+ esac
fi
###### end Template for 51-multi-boot ######
if [[ -e /a/bin/fai/fai-wrapper ]]; then
- source /a/bin/distro-functions/src/identify-distros
- if isdebian; then
- echo "DEBIAN"
- fi
- if isdebian-stable; then
- echo "STRETCH"
- case $HOSTNAME in
- li|lj) echo "STRETCH_LINODE" ;;
- *)
- # nonfree repo is not going away any time soon due to
- # gcc-doc being in nonfree
- echo "STRETCH_NONFREE"
- ;;
- esac
- fi
+ source /a/bin/distro-functions/src/identify-distros
+ if isdebian; then
+ echo "DEBIAN"
+ tmp=$(debian-codename)
+ echo ${tmp^^}
+ # nonfree repo is not going away any time soon due to
+ # gcc-doc being in nonfree
+ echo ${tmp^^}_NONFREE
+ fi
+ case $HOSTNAME in
+ li|lj) echo "LINODE" ;;
+ bk) echo "NOCRYPT" ;;
+ esac
fi
echo FAIBASE STANDARD
if grep ^52:54:00: /sys/class/net/eth0/address &>/dev/null; then
- # if our eth0 mac is in the kvm range, we are a vm.
- echo "VM"
+ # if our eth0 mac is in the kvm range, we are a vm.
+ echo "VM"
fi
fi
}
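Review bot: `tmp=$(debian-codename)` in the `isdebian` branch is never checked, so if that helper fails or prints nothing the script emits an empty class line plus a bare `_NONFREE` class instead of stopping, and FAI carries on with a half-formed class list. Guard it before the echoes: `tmp=$(debian-codename) && [[ $tmp ]] || { echo "$0: debian-codename failed" >&2; exit 1; }`. Whether `identify-distros` always provides `debian-codename` on the fai-wrapper path cannot be told from this page, so the exact failure mode is inferred. The enclosing function starts before this hunk.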
au() { # add user. i don't use adduser for portability
- if ! $ROOTCMD getent passwd ${@: -1}; then
- $ROOTCMD useradd -Um -s /bin/bash $@
+ local user=${@: -1}
+ if ! $ROOTCMD getent passwd $user; then
+ $ROOTCMD useradd -c $user -Um -s /bin/bash $@
fi
}
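Review bot: Both new lines leave every expansion unquoted — `getent passwd $user` and `useradd -c $user -Um -s /bin/bash $@` — so an argument containing whitespace or a glob character is split or expanded before useradd sees it; quoting is the whole fix: `local user="${@: -1}"`, `if ! $ROOTCMD getent passwd "$user" >/dev/null; then`, `$ROOTCMD useradd -c "$user" -Um -s /bin/bash "$@"`. The added `>/dev/null` also stops the matching passwd entry being printed on every call. Note that `getent passwd` treats a numeric key as a uid, so a purely numeric user name is reported as existing whenever that uid is taken; that is pre-existing behaviour, but worth a comment above the check.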
ssh root@some_hostname
lsblk # identify boot dev. if boot dev is a raid, this could be repeated on all boot devs.
mount /dev/sdd3 /mnt
-mount_point=/mnt/boot_debiantesting # the subvol i want to chboot to
+mp=/mnt/boot_debiantesting # the subvol i want to chboot to
boot_disk=/dev/sdd
-grub-bios-setup -d $mount_point/grub/i386-pc -s -m $mount_point/grub/device.map $boot_disk
+grub-bios-setup -d $mp/grub/i386-pc -s -m $mp/grub/device.map $boot_disk
reboot
todo: figure out if it's possible to make a multi-distro grub like I have with libreboot
wipe=true
fi
-## ignore disks that are mounted, eg when running from fai-cd
-declare -A disk_excludes
-while read -r l; do
- eval "$l"
- if [[ ! $PKNAME ]]; then
- PKNAME="$KNAME"
- fi
- if [[ $MOUNTPOINT ]]; then
- disk_excludes[$PKNAME]=true
- fi
-done < <(lsblk -nP -o KNAME,MOUNTPOINT,PKNAME)
+declare -A disk_excludes
+if ! ifclass USE_MOUNTED; then
+ ## ignore disks that are mounted, eg when running from fai-cd
+ while read -r l; do
+ eval "$l"
+ if [[ ! $PKNAME ]]; then
+ PKNAME="$KNAME"
+ fi
+ if [[ $MOUNTPOINT ]]; then
+ disk_excludes[$PKNAME]=true
+ fi
+ done < <(lsblk -nP -o KNAME,MOUNTPOINT,PKNAME)
+fi
hdds=()
ssds=()
fi
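Review bot: With the `USE_MOUNTED` class the entire exclusion loop is skipped, so every mounted disk — including whatever backs `/` on the running system — becomes a candidate for the partitioning that `wipe=true` just above appears to enable, with no floor left under which a mounted disk is protected. A narrower gate keeps the loop and relaxes it only for non-root mounts, e.g. replacing the inner test with `if [[ $MOUNTPOINT ]] && { ! ifclass USE_MOUNTED || [[ $MOUNTPOINT == / ]]; }; then`. Separately, `eval "$l"` executes lsblk's `KEY="value"` output as shell; mount points are root-controlled so this is more style than exposure, but a mount point containing `$(` or backticks would run inside that eval. How `hdds`/`ssds` are filled and consumed is outside this hunk, so the wipe consequence is inferred from the variable names; the enclosing `if` also starts and ends outside the hunk.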
$FAI/distro-install-common/end
+
+
+
if ifclass VOL_STRETCH_BOOTSTRAP; then
fcopy -riM /etc/systemd/system
chroot $FAI_ROOT bash <<'EOFOUTER'
# these get copied in an earlier stage by fai, but leaving it here since
# I run this as a single post-fai script to update things that have changed.
+tmpfile1=$(mktemp)
+chroot $FAI_ROOT /usr/bin/apt-cache policy >$tmpfile1
fcopy -riBM /etc/apt
+tmpfile2=$(mktemp)
+chroot $FAI_ROOT /usr/bin/apt-cache policy >$tmpfile2
+if ! diff -q $tmpfile1 $tmpfile2; then
+ chroot $FAI_ROOT /usr/bin/apt update
+fi
+
# outside of fai, this seems to regularly lead to
# E: Could not get lock /var/lib/apt/lists/lock - open (11: Resource temporarily unavailable)
# so add a sleep. 1 sec is probably way more than needed.
grep -xFq "$line" $f || tee -a $f <<<"$line"
-# default jessie groups + kvm, systemd-journal, adm
-for g in adm cdrom floppy sudo audio dip video plugdev netdev; do
+# default debian groups (jessie through buster) + adm, sudo
+for g in cdrom floppy audio dip video plugdev netdev adm sudo; do
if getent gropu $g >/dev/null; then
usermod -aG $g iank
fi
EOFOUTER
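Review bot: The group loop this hunk re-targets still calls `getent gropu $g` (typo for `group`), which fails with "Unknown database" for every name, so none of the `usermod -aG` calls run and iank never lands in `sudo` or `adm` despite the edited list; the fix is one word plus quoting: `if getent group "$g" >/dev/null; then`. The two `mktemp` files used for the before/after `apt-cache policy` comparison are never removed; `rm -f "$tmpfile1" "$tmpfile2"` after the `diff -q` (or a `trap … EXIT`) keeps /tmp clean. It is not clear from the page whether those apt-cache lines sit inside or outside the `chroot $FAI_ROOT bash <<'EOFOUTER'` heredoc — inside it, `$FAI_ROOT` stays unexpanded because the delimiter is quoted, and a nested chroot would be wrong. The heredoc and the surrounding script begin before this hunk.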
-if [[ $FAI_ACTION != dirinstall ]]; then
+# bitfolk installer handles the rest
+case $HOSTNAME in
+ bk) exit 0 ;;
+esac
+
+
+if [[ $FAI_ACTION != dirinstall ]] && ! ifclass NOCRYPT; then
# luks options, see man systemd-cryptsetup-generator
# all i know is that with luks.crypttab=no, swap still timed out on boot.
# and with rd.luks.crypttab=no, it works.
update-grub2
EOF
-fi ##### end != dirinstall
+fi ##### end != dirinstall && != NOCRYPT
# reading through the groups that iank is in but user2 isn't,
ln -sf /dev/null $target/etc/systemd/network/99-default.link
# use networkmanager if this host has wireless.
-if [[ $(iw dev) ]]; then
+
+if type -p iw &>/dev/null && [[ $(iw dev) ]]; then
chroot $FAI_ROOT bash <<EOF
apt-get -y install network-manager
EOF
rm -f $target/etc/resolv.conf
ln -s ../run/systemd/resolve/stub-resolv.conf $target/etc/resolv.conf
+# needed for bitfolk image
+if [[ -e /a/bin/fai/fai-wrapper ]]; then
+ systemctl enable systemd-resolved
+ systemctl start systemd-resolved
+fi
if ifclass LINODE; then
mkdir -p $target/etc/initramfs-tools/conf.d
usage: ${0##*/} [-h|--help] [HOST/IP] [wrt-setup-local_ARGS]
setup my router in general: dhcp, dns, etc.
-Default HOST is root@10.0.0.1
+Default HOST is 10.0.0.1 or 10.2.0.1 if they are the gateway, otherwise
+it must be specified.
Note, use -m "''" to send an empty mac arg. When we get a new enough
bash, we can use ${@@Q} to properly pass an empty var.
exit $1
}
-h=root@10.0.0.1
case $1 in
-h|--help) usage ;;
?*) h="$1"; shift ;;
esac
+if [[ ! $h ]]; then
+ read -r _ _ gateway _ < <(ip -4 route get 8.8.8.8)
+ case $gateway in
+ 10.0.0.1|10.2.0.1)
+ h=root@$gateway
+ ;;
+ *)
+ echo "$0: error: gateway = $gateway and no HOST/IP specified"
+ exit 1
+ ;;
+ esac
+fi
+
echo "$0: host=$h"
cat ~/.ssh/home.pub | ssh $h dd of=/etc/dropbear/authorized_keys 2>/dev/null
# relay is built for openwrt 18.06.2, r7676-cddd7b4c77
sudo scp /q/root/shadow/router /p/c/machine_specific/wrt/etc/dropbear/dropbear_rsa_host_key \
/a/opt/openwrt/source/bin/packages/mips_24kc/mypackages/relay_1.0-1_mips_24kc.ipk \
- /p/c/machine_specific/wrt/etc/wg.{key,psk} $h:
+ /p/router-secrets /p/c/machine_specific/wrt/etc/wg.{key,psk} $h:
scp ../openwrtkeyring/usign/* $h:/etc/opkg/keys
ssh $h <<EOFOUTER
set -x
# librecmc 1.5.1 is missing nfs-kernel-server and screen
-cat >/etc/opkg/customfeeds.conf <<'EOF'
-src/gz openwrt_packages http://downloads.openwrt.org/releases/19.07.2/packages/mips_24kc/packages
+source /etc/os-release
+if [[ $ID == librecmc && $VERSION == v1.5.1-core]]; then
+ cat >/etc/opkg/customfeeds.conf <<'EOF'
+src/gz openwrt_packages http://downloads.openwrt.org/releases/19.07.3/packages/mips_24kc/packages
+fi
EOF
if ! opkg list-installed|grep bash; then
opkg install bash
fi
export HOME_DOMAIN=$HOME_DOMAIN
-export WIRELESSMAC=$WIRELESSMAC
wrt-setup-local $@
EOFOUTER
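Review bot: The librecmc feed block sent over ssh is not valid shell: `[[ $ID == librecmc && $VERSION == v1.5.1-core]]` lacks the space before `]]`, and `fi` is placed before the inner `EOF` terminator, so `fi` is written into customfeeds.conf while the `if` is never closed and the remote shell aborts at end of input — the bash install and `wrt-setup-local` never run. Change the test line to `if [[ $ID == librecmc && $VERSION == v1.5.1-core ]]; then` and move `fi` to the line after `EOF`. The remote side runs under the router's default shell until bash is installed, so `[[` and `source` only work if that shell (busybox ash on OpenWrt/libreCMC) was built with bash-compat — worth confirming on the target. The feed is fetched over plain http; the usign keys copied just above give opkg integrity, so that is acceptable, though https would avoid exposing the package list in transit.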
+dnsmasq_restart=false
+firewall_restart=false
dev2=false
test=false
libremanage_host=wrt2
-if [[ -e /p/router-secrets ]]; then
- source /p/router-secrets
+secrets=false
+if [[ -e /root/router-secrets ]]; then
+ secrets=true
+ source /root/router-secrets
fi
rmac=$(cat /sys/class/net/eth0/address)
-if [[ $rhost ]]; then
+if $secrets; then
hostname=${rhost[$rmac]}
fi
: ${hostname:=wrt}
done
shift "$((OPTIND-1))" # Discard the options and sentinel --
-if [[ ! $mac ]] && ! $test; then
+if [[ ! $mac ]] && ! $test && $secrets; then
# if we wanted to increment it
- #WIRELESSMAC=${WIRELESSMAC:0: -1}$((${WIRELESSMAC: -1} + 2))
- mac=$WIRELESSMAC
+ #mac=${mac:0: -1}$((${mac: -1} + 2))
+ mac=${rwmac[$rmac]}
fi
if (( $# != 0 )); then
### network config
###
-ssid="check out gnu.org"
lan=10.0.0.0
if $test; then
- ssid="gnuv3"
lan=10.1.0.0
elif [[ $hostname == cmc ]]; then
- ssid=Svenska
lan=10.2.0.0
fi
-if [[ $rkey ]]; then
+if $test; then
+ ssid="gnuv3"
+elif $secrets; then
+ ssid=${rssid[$rmac]}
+fi
+
+: ${ssid:=librecmc}
+
+
+if $secrets; then
key=${rkey[$rmac]}
fi
: ${key:=pictionary49}
EOF
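Review bot: Gating the key lookup on `$secrets` means a router whose /root/router-secrets is missing, or whose MAC is not a key in `rkey`, now falls through silently to the literal default on the next line, `: ${key:=pictionary49}` — a PSK that sits in a published script — and likewise to the `librecmc` SSID. Unless `$test` is set this should fail closed rather than fall back, e.g. right after the secrets check: `if ! $secrets && ! $test; then echo "$0: error: /root/router-secrets missing" >&2; exit 1; fi`, and since `${rkey[$rmac]}` is empty for an unknown MAC the same check should cover `[[ $key ]]` before the default is applied. The wrt-setup script earlier on this page copies `/p/router-secrets` to the router, so the file is expected to be present; the fallback only ever serves the unexpected case.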
-firewall_restart=false
firewall-cedit() {
- v cedit /etc/config/firewall <<EOF
-
+ case $hostname in
+ wrt)
+ v cedit host /etc/config/firewall <<EOF
+config redirect
+ option name ssh
+ option src wan
+ option src_dport 22
+ option dest_ip $l.3
+ option dest lan
+EOF
+ ;;
+ cmc)
+ v cedit host /etc/config/firewall <<EOF
config redirect
option name ssh
option src wan
option src_dport 22
option dest_ip $l.2
option dest lan
+EOF
+ ;;
+ esac
+
+ v cedit /etc/config/firewall <<EOF
config rule
option src wan
option target ACCEPT
option target ACCEPT
option dest_port 2202
-config redirect
- option name sshfrodo
- option src wan
- option src_dport 2203
- option dest_port 22
- option dest_ip $l.3
- option dest lan
-config rule
- option src wan
- option target ACCEPT
- option dest_port 2203
-
config redirect
option name sshx2
option src wan
fi
-dnsmasq_restart=false
+
v cedit /etc/hosts <<EOF || dnsmasq_restart=true
127.0.1.1 $hostname
-$l.1 $hostname b8.nz
-$l.2 kd faiserver
-$l.3 frodo
-$l.4 wrt2
-$l.5 x2
$l.6 demohost
#$l.7 x3
-$l.8 tp
-$l.9 bb8
-$l.14 wrt3
-2600:3c00::f03c:91ff:fe6d:baf8 li
72.14.176.105 li
-2a01:7e01::f03c:91ff:feb5:baec l2
-172.105.84.95 l2
+2600:3c00::f03c:91ff:fe6d:baf8 li
+85.119.83.50 bk
+2001:ba8:1f1:f0c9::2 bk
# netns creation looks for next free subnet starting at 10.173, but I only
# use one, and I would keep this one as the first created.
10.173.0.2 transmission
EOF
+case $hostname in
+ wrt)
+ v cedit host /etc/hosts <<EOF || dnsmasq_restart=true
+$l.1 $hostname t.b8.nz
+$l.3 frodo
+$l.4 wrt2
+EOF
+ v cedit host /etc/dnsmasq.conf <<EOF || dnsmasq_restart=true
+server=/b8.nz/#
+
+server=/kd.b8.nz/#
+server=/x2.b8.nz/#
+server=/tp.b8.nz/#
+server=/bb8.b8.nz/#
+server=/wrt3.b8.nz/#
+EOF
+ ;;
+
+ cmc)
+ v cedit host /etc/hosts <<EOF || dnsmasq_restart=true
+$l.1 $hostname b8.nz
+$l.2 kd
+$l.5 x2 faiserver
+$l.8 tp
+$l.9 bb8
+$l.14 wrt3
+EOF
+ v cedit host /etc/dnsmasq.conf <<EOF || dnsmasq_restart=true
+server=/t.b8.nz/#
+
+server=/frodo.b8.nz/#
+server=/wrt.b8.nz/#
+server=/wrt2.b8.nz/#
+EOF
+ ;;
+esac
+
#mail_host=$(grep -F mail.iankelling.org /etc/hosts | awk '{print $1}')
# if [[ $mail_host ]]; then
#dhcp-host=c8:60:00:2b:15:07,set:kd,$l.2,kd
dhcp-host=00:26:18:97:bb:16,set:frodo,$l.3,frodo
# 4 is reserved for a staticly configured host.
-dhcp-host=00:1f:16:16:39:24,set:x2,$l.5,x2
+# old x2 with bad fan
+#dhcp-host=00:1f:16:16:39:24,set:x2,$l.5,x2
+dhcp-host=f0:de:f1:81:ec:88,set:x2,$l.5,x2
# This is so fai can have an explicit name to use for testing,
# or else any random machine which did a pxe boot would get
# reformatted. The mac is from doing a virt-install, cancelling it,