From 917fa30617ccafa3a7ed5218a418cf058948b729 Mon Sep 17 00:00:00 2001
From: Ian Kelling <iank@fsf.org>
Date: Wed, 24 Apr 2019 23:27:01 -0400
Subject: [PATCH] minor improvements and misc changes

---
 README                               |  2 +-
 fai/config/distro-install-common/end | 64 +++++++++++++-------------
 faiserver-setup                      | 58 +++++++++--------------
 lk                                   |  7 ++-
 pxe-server                           | 69 ++++++++++++++++++++--------
 wrt-disabled-firewall-rules          | 10 ----
 wrt-setup                            |  5 +-
 wrt-setup-local                      | 69 +++++++++++++++++-----------
 8 files changed, 155 insertions(+), 129 deletions(-)

diff --git a/README b/README
index 97cf483..3146081 100644
--- a/README
+++ b/README
@@ -130,7 +130,7 @@ export SPECIAL_DISK=/dev/REPLACEMENT_DEV
 
 
 ssh root@HOST
-for x in /target/*; do umount $x; done
+for x in /target/* /target; do umount $x; done
 cat >p
 PASSWORD HERE(ctrl-d ctrl-d)
 cd /dev/disk/by-id/
diff --git a/fai/config/distro-install-common/end b/fai/config/distro-install-common/end
index 3948073..a6bc113 100755
--- a/fai/config/distro-install-common/end
+++ b/fai/config/distro-install-common/end
@@ -4,8 +4,8 @@ set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
 if [[ $EUID != 0 ]]; then
-    echo "$0: error: expected to be root."
-    exit 1
+  echo "$0: error: expected to be root."
+  exit 1
 fi
 
 # ssh host keys
@@ -13,37 +13,37 @@ fi
 src=$(dirname "$0")/p/c/machine_specific/$HOSTNAME/filesystem/etc/ssh
 dst=$target/etc/ssh
 if [[ -e $src && -e $dst ]]; then
-    # outside of fai context, we skip this
-    cp -rT $src $dst
+  # outside of fai context, we skip this
+  cp -rT $src $dst
 fi
 
 TPW=/q/root/shadow/traci-simple
 if ifclass tp; then
-    ROOTPW=/q/root/shadow/standard
-#    ROOTPW="$TPW"
+  ROOTPW=/q/root/shadow/standard
+  #    ROOTPW="$TPW"
 else
-    ROOTPW=/q/root/shadow/standard
+  ROOTPW=/q/root/shadow/standard
 fi
 
 chpw() {
-    # generating a hashed password:
-    # under debian, you can do
-    # mkpasswd -m sha-512 -s >/q/root/shadow/standard
-    # On arch, best seems to be copy your shadow file to a temp location,
-    # then passwd, get out the new pass, then copy the shadow file back.
-
-    user=$1
-    pwfile=$2
-    if [[ $pwfile && -e $pwfile ]]; then
-        printf "$user:" | cat - "$pwfile" | $ROOTCMD chpasswd -e
-    else
-        echo "$0: warning: no pw set for $user" >&2
-    fi
+  # generating a hashed password:
+  # under debian, you can do
+  # mkpasswd -m sha-512 -s >/q/root/shadow/standard
+  # On arch, best seems to be copy your shadow file to a temp location,
+  # then passwd, get out the new pass, then copy the shadow file back.
+
+  user=$1
+  pwfile=$2
+  if [[ $pwfile && -e $pwfile ]]; then
+    printf "$user:" | cat - "$pwfile" | $ROOTCMD chpasswd -e
+  else
+    echo "$0: warning: no pw set for $user" >&2
+  fi
 }
 au() { # add user. i don't use adduser for portability
-    if ! $ROOTCMD getent passwd ${@: -1}; then
-        $ROOTCMD useradd -Um -s /bin/bash $@
-    fi
+  if ! $ROOTCMD getent passwd ${@: -1}; then
+    $ROOTCMD useradd -Um -s /bin/bash $@
+  fi
 }
 
 chpw root "$ROOTPW"
@@ -60,18 +60,18 @@ chpw iank "$ROOTPW"
 
 au traci
 if ifclass frodo; then
-    chpw traci "$TPW"
+  chpw traci "$TPW"
 fi
 # comparing iank's groups to traci, I see none she should join on arch
 $ROOTCMD usermod -a -G traci iank
 
+
 $ROOTCMD getent group docker &>/dev/null || $ROOTCMD groupadd -r docker
 $ROOTCMD usermod -a -G docker iank
 
 # based on unison error, with 8192 from
 # sysctl -a | grep fs.inotify.max_user_watches
 #http://stackoverflow.com/questions/535768/what-is-a-reasonable-amount-of-inotify-watches-with-linux
-
 f=$target/etc/sysctl.d/99-sysctl.conf
 key=fs.inotify.max_user_watches
 if [[ -e $f ]]; then sed -ri --follow-symlinks "/^\s*$key\s*=/d" $f; fi
@@ -82,22 +82,22 @@ $ROOTCMD sysctl --system
 f=$target/etc/sudoers
 line='iank  ALL=(ALL)  NOPASSWD: ALL'
 if [[ ! -e $f ]] || ! grep -xF "$line" $f; then
-    echo "$line" >> $f
+  echo "$line" >> $f
 fi
 
 dir=/p/c/machine_specific/$HOSTNAME/.unison
 $ROOTCMD mkdir -p $dir
 if ! $ROOTCMD test -L /root/.unison; then
-    $ROOTCMD rm -rf /root/.unison
-    $ROOTCMD ln -s -T $dir /root/.unison
+  $ROOTCMD rm -rf /root/.unison
+  $ROOTCMD ln -s -T $dir /root/.unison
 fi
 
 $ROOTCMD chown -R 1000:1000 $dir
 while true; do
-    $ROOTCMD chown 1000:1000 $dir
-    $ROOTCMD chmod 700 $dir
-    dir=$(dirname $dir)
-    if [[ $dir == /p ]]; then break; fi
+  $ROOTCMD chown 1000:1000 $dir
+  $ROOTCMD chmod 700 $dir
+  dir=$(dirname $dir)
+  if [[ $dir == /p ]]; then break; fi
 done
 
 au --system -s /bin/false --home-dir /var/lib/bitcoind bitcoin
diff --git a/faiserver-setup b/faiserver-setup
index 4742ae1..d8489ed 100755
--- a/faiserver-setup
+++ b/faiserver-setup
@@ -21,7 +21,7 @@ x="$(readlink -f "$BASH_SOURCE")"; source "${x%/*}/bash-trace"
 
 usage() {
   cat <<EOF
-usage: ${0##*/} [-h|--help] [BASE_CODENAME]
+usage: ${0##*/} [-h|--help] [BASE_CODENAME] [ARCH]
 install fai-server on the current machine
 
 Initial setup of a fai server. works on localhost.  Set's the current ip
@@ -29,8 +29,8 @@ as the tftp server. I vaguely remember that using a hostname does not
 work.  Separate from running this, faiserver needs to be setup in dns to
 point to whatever host this is run on.
 
-Default BASE_CODENAME is stretch, and it expects corresponding
-$BASEFILE_DIR/${UPCASED_BASE_CODENAME}64.tar.gz to exist, and it must have been
+Default BASE_CODENAME is stretch. Default ARCH is 64. The script expects corresponding
+$BASEFILE_DIR/${UPCASED_BASE_CODENAME}${ARCH}.tar.(gz|xz) to exist, and it must have been
 generated around the same time as the nfsroot, at least so it has the
 same kernel version.
 
@@ -42,15 +42,21 @@ case $1 in
 esac
 
 
-e() { echo "$@"; "$@"; }
+e() { echo "+ $@"; "$@"; }
 
 
 base=${1:-stretch}
-basefile=$BASEFILE_DIR/${base^^}64.tar.gz
+arch=${2:-64}
+basefile=($BASEFILE_DIR/${base^^}${arch^^}.tar.[gx]z)
 sed="sed -ri --follow-symlinks"
 
 if [[ ! -e $basefile ]]; then
-  printf "%s\n" "$0: error BASEFILE_DIR=$BASEFILE_DIR  does not exist"
+  printf "%s\n" "$0: error basefile=$basefile  does not exist" >&2
+  exit 1
+fi
+
+if [[ ! -d $BASEFILE_DIR ]]; then
+  printf "%s\n" "$0: error BASEFILE_DIR=$BASEFILE_DIR  does not exist" >&2
   exit 1
 fi
 
@@ -63,35 +69,12 @@ armhf() {
   [[ $(dpkg --print-architecture) == armhf ]]
 }
 
-if armhf; then
-  if apt-cache policy | grep o=Debian,a=testing,n=stretch &>/dev/null; then
-    cat >/etc/apt/sources.list.d/testing.list <<'EOF'
-deb http://http.us.debian.org/debian testing main contrib non-free
-deb-src http://http.us.debian.org/debian testing main contrib non-free
-
-deb http://security.debian.org/ testing/updates main contrib non-free
-deb-src http://security.debian.org/ testing/updates main contrib non-free
-
-deb http://http.us.debian.org/debian testing-updates main contrib non-free
-deb-src http://http.us.debian.org/debian testing-updates main contrib non-free
-EOF
-
-    cat >/etc/apt/preferences.d/fai <<'EOF'
-Package: fai-server fai-client fai-doc
-Pin: release a=testing
-Pin-Priority: 500
-
-Package: *
-Pin: release a=testing
-Pin-Priority: -10
-EOF
-  fi
-elif grep -xFq 'VERSION="8 (jessie)"' /etc/os-release; then
+if grep -xFq 'VERSION="8 (jessie)"' /etc/os-release; then
   gpg -a --recv-keys 2BF8D9FE074BCDE4; gpg -a --export 2BF8D9FE074BCDE4 | apt-key add -
   cat >/etc/apt/sources.list.d/fai.list <<'EOF'
 deb https://fai-project.org/download jessie koeln
 EOF
-elif grep -xFq 'VERSION="9 (stretch)"' /etc/os-release || grep -iE 'flidas|xenail' /etc/os-release ; then
+elif grep -iE 'VERSION=.*(stretch|flidas|xenail)' /etc/os-release; then
   # fai on ubuntu only has official support using the universe repo, but newer
   # tends to have less bugs.
   gpg --keyserver hkp://pool.sks-keyservers.net -a --recv-keys 2BF8D9FE074BCDE4; gpg -a --export 2BF8D9FE074BCDE4 | apt-key add -
@@ -128,10 +111,10 @@ else
 fi
 
 
-apt-get install -y ${pkgs[@]}
+e apt-get install -y ${pkgs[@]}
 # confnew since we edit /etc/fai/NFSROOT in an automated way
 # fai-client is already a fai-server dependency, but make sure it gets upgraded
-apt-get install --no-install-recommends -y -o Dpkg::Options::="--force-confnew" fai-server fai-client
+e apt-get install --no-install-recommends -y -o Dpkg::Options::="--force-confnew" fai-server fai-client
 
 r=http://http.us.debian.org/debian
 # like default, but scrap httpredir, and nonfree.
@@ -184,6 +167,7 @@ $sed 's/#LOGUSER/LOGUSER/' /etc/fai/fai.conf
 $sed -i '/^LOGUSER=/d' /etc/fai/fai.conf
 $sed -i '/^FAI_FLAGS=/d' /etc/fai/fai.conf
 echo "FAI_FLAGS=verbose" >>/etc/fai/fai.conf
+# note if this isnt set, the user isnt created
 echo "LOGUSER=fai" >>/etc/fai/fai.conf
 
 # from man fai-make-nfsroot,
@@ -200,8 +184,8 @@ fi
 
 if armhf; then
   cd /srv/fai
-  rm -rf nfsroot
-  tar Jxf $basefile
+  e rm -rf nfsroot
+  e tar Jxf $basefile
   # background: Can't build the nfsroot on my arm system now.  First,
   # fai-make-nfsroot won't work out of the box. One idea to make it work
   # is by installing qemu-user-static, then copying qemu-x86_64-static
@@ -247,12 +231,12 @@ if armhf; then
 type setup_tftp
 EOF
                               )
-  setup_tftp
+  e setup_tftp
 
   # -g causes skipping set_root_pw() in fai-make-nfsroot, -ag
   # is the only way to make it run without chrooting. the options
   # seem contradictory, but it works.
-  fai-setup -evag
+  e fai-setup -evag
 
 else # not armhf
   # note, this copies the -B arg to
diff --git a/lk b/lk
index dbe9d2e..7715fda 100644
--- a/lk
+++ b/lk
@@ -23,7 +23,12 @@ fai kexec from upstream live cds, i.e. curl|bash
 You can copy this to a http server, then wget -O- url|sudo bash
 curl is sometimes not preinstalled on a live cd.
 
-This has been tested on trisquel belenos and ubuntu xenial & 18.10.
+Alternative to http server:
+1. on install machine nc -l 1234 | sudo bash
+2. On another machine nc INSTALL_MACHINE 1234 <live-kexec
+Obviously beware that anyone on your network could send commands to the install machine.
+
+This has been tested on trisquel 7 & 8 & ubuntu 16.04 & 18.10.
 With 18.10 on an x200, kexec was unreliable, resulting in freezes and
 kernel panics.
 
diff --git a/pxe-server b/pxe-server
index 3abb1ba..c46c72e 100755
--- a/pxe-server
+++ b/pxe-server
@@ -22,26 +22,28 @@ x="$(readlink -f "$BASH_SOURCE")"; source "${x%/*}/bash-trace"
 
 usage() {
   cat <<EOF
-Usage: ${0##*/} [OPTIONS] [HOST TYPE]
-Configure dnsmasq boot options and fai-chboot if appropriate.
+Usage: ${0##*/} [OPTIONS] [HOST] [TYPE]
+Configure dnsmasq boot options and fai-chboot if appropriate. This is
+not general purpose, it has code specific to dhcp servers I run.
 
-Without HOST TYPE, disable  server and fai server.
+Without TYPE, disable  server and fai server. In that case, HOST is only
+needed for fsf office network.
 
 HOST       A hostname known to the dhcp server, or default for all.
 TYPE       One of arch, parabola, plain, fai.
 
--d         Don't alter dhcp config. Only make sense for fai type, and on network
-           other than home network.
--r         Don't redeploy fai config. For example, if there is a different host
-           that is mid-install.
-
 -a         Don't setup pxe, just Wait for 2 dhcp acks, then disable the pxe
            server after a delay.  First ack is for pxe boot, 2nd ack is
            for os boot. Sometimes on debian, there is a 3rd one shortly
            after the 2nd. I can't remember exactly why this caused a
            problem, but I'm hoping the sleep will take care of it.
--S         sets FAI_ACTION=sysinfo, see myfai-chboot for more info.
+-d         Don't alter dhcp config. Only make sense for fai type, and on network
+           other than home or fsf.
 -k         Pass -k to myfai-chboot.
+-r         Don't redeploy fai config. For example, if there is a different host
+           that is mid-install.
+
+-S         sets FAI_ACTION=sysinfo, see myfai-chboot for more info.
 -w         Setup pxe, then wait like -a.
 -h|--help  Print help and exit
 
@@ -65,16 +67,22 @@ dhcp=true
 redep=true
 acks=2
 wait=false
+fsf=false
+
+case $HOSTNAME in
+  x3|kw) fsf=true ;;
+esac
+
 chboot_args=()
-temp=$(getopt -l help adrSkwh "$@") || usage 1
+temp=$(getopt -l help adkrSwh "$@") || usage 1
 eval set -- "$temp"
 while true; do
   case $1 in
     -a) wait=true; set=false; shift ;;
     -d) dhcp=false; shift ;;
+    -k) chboot_args+=(-k); shift ;;
     -r) redep=false; shift ;;
     -S) chboot_args+=(-S); shift ;;
-    -k) chboot_args+=(-k); shift ;;
     -w) wait=true; set=true; shift ;;
     -h|--help) usage ;;
     --) shift; break ;;
@@ -85,7 +93,7 @@ done
 read -r host type <<<"$@"
 
 case $# in
-  0);;
+  [01]);;
   2)
     case $type in
       arch|parabola) cmd=archlike ;;
@@ -98,7 +106,7 @@ case $# in
     esac
     ;;
   *)
-    echo "$0: error: expected 0 or 2 arguments"
+    echo "$0: error: expected 0-2 arguments"
     echo
     usage 1
     ;;
@@ -145,27 +153,52 @@ EOF
 }
 
 ack-wait() {
+  if $fsf; then
+    wait_cmd="ssh tarantula tail -n0 -f /var/log/syslog"
+  else
+    wait_cmd="ssh wrt logread -f"
+  fi
   wait_count=$1
   if [[ $host ]]; then
+    if $fsf; then
+      host_regex=" $(getent hosts kw | awk '{print $1}' | sed 's/\./\\./g')"
+      else
     host_regex=" $host"
+    fi
   fi
-  regex=".*DHCPACK.*$host_regex$"
+  regex=".*DHCPACK.*$host_regex\b"
   i=0
   while (( i != wait_count )) && read -r line; do
     if [[ $line =~ $regex ]]; then
       i=$((i+1))
       echo $line
     fi
-  done < <(ssh wrt logread -f)
+  done < <($wait_cmd ||:) # tail returns 2 it seems
   e sleep 20
 }
 
 set-pxe() {
   $dhcp || return 0
-  echo "$0: updating dnsmasq.conf:"
-  $cmd
-  ${cmd:-:}|ssh wrt "cedit pxe /etc/dnsmasq.conf || /etc/init.d/dnsmasq restart
+  if $fsf; then
+    if [[ ! $cmd ]]; then
+      echo "$0: removing pxe for $host on tarantula"
+      ssh tarantula bash -e <<EOF
+sed -ri 's/^( *host +$host *\{).*/\1/' /etc/dhcp3/dhcpd.conf
+/etc/init.d/dhcp3-server restart
+EOF
+    elif [[ $cmd == fai ]]; then
+      echo "$0: adding pxe for $host on tarantula"
+      ssh tarantula bash -e <<EOF
+sed -ri 's/^( *host +$host *\{).*/\1 next-server faiserver.office.fsf.org; filename "pxelinux.0";/' /etc/dhcp3/dhcpd.conf
+/etc/init.d/dhcp3-server restart
+EOF
+    fi
+  else
+    echo "$0: updating dnsmasq.conf:"
+    $cmd
+    ${cmd:-:}|ssh wrt "cedit pxe /etc/dnsmasq.conf || /etc/init.d/dnsmasq restart
 $([[ $type == arch || $type == parabola ]] && echo archlike-pxe-mount)"
+  fi
 }
 
 
diff --git a/wrt-disabled-firewall-rules b/wrt-disabled-firewall-rules
index 29c80da..b2cfdf0 100644
--- a/wrt-disabled-firewall-rules
+++ b/wrt-disabled-firewall-rules
@@ -20,16 +20,6 @@ config rule
     option target           ACCEPT
     option dest_port        63324
 
-config redirect
-    option name frodobittorrent
-    option src              vpn
-    option src_dport        63326
-    option dest_ip          192.168.1.3
-    option dest             lan
-config rule
-    option src              vpn
-    option target           ACCEPT
-    option dest_port        63326
 
 
 config redirect
diff --git a/wrt-setup b/wrt-setup
index 3e71ef5..e9d620e 100755
--- a/wrt-setup
+++ b/wrt-setup
@@ -23,7 +23,7 @@ x="$(readlink -f "$BASH_SOURCE")"; cd ${x%/*}
 
 usage() {
   cat <<EOF
-usage: ${0##*/} [-h|--help] [-d|--dev2] [HOST/IP]
+usage: ${0##*/} [-h|--help] [-2|--dev2] [HOST/IP]
 setup my router in general: dhcp, dns, etc.
 
 dev2 is for setting up a second device for testing etc.
@@ -55,7 +55,8 @@ fi
 cat ~/.ssh/home.pub | ssh $h dd of=/etc/dropbear/authorized_keys 2>/dev/null
 scp /a/bin/fai/wrt-setup-local /a/bin/cedit/cedit $h:/usr/bin
 # build for openwrt 18.06.2, r7676-cddd7b4c77
-scp /a/opt/openwrt/source/bin/packages/mips_24kc/mypackages/relay_1.0-1_mips_24kc.ipk $h:
+sudo scp /q/root/shadow/router \
+     /a/opt/openwrt/source/bin/packages/mips_24kc/mypackages/relay_1.0-1_mips_24kc.ipk $h:
 ssh $h <<EOF
 if ! opkg list-installed|grep bash; then
     opkg update
diff --git a/wrt-setup-local b/wrt-setup-local
index ddf78d6..f465da5 100755
--- a/wrt-setup-local
+++ b/wrt-setup-local
@@ -47,12 +47,40 @@ v() {
   "$@"
 }
 
+######### uci example:#######
+# # https://wiki.openwrt.org/doc/uci
+# wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p')
+# wan="firewall.@zone[$wan_index]"
+# if [[ $(uci get firewall.@forwarding[0].dest) != $forward_dest ]]; then
+#     # default is wan
+#     v uci set firewall.@forwarding[0].dest=$forward_dest
+#     uci commit firewall
+#     firewall_restart=true
+# fi
+####### end uci example #####
+
+uset() {
+  local key="$1"
+  local val="$2"
+  local service="${key%%.*}"
+  restart_var=${service}_restart
+  if [[ ! ${!restart_var} ]]; then
+    eval $restart_var=false
+  fi
+  if [[ $(uci get "$key") != "$val" ]]; then
+    v uci set "$key"="$val"
+    uci commit $service
+    eval $restart_var=true
+  fi
+}
+
+
 ### network config
 ###
 ssid="check out gnu.org"
 lan=10.0.0.0
 if $dev2; then
-  ssid="test1"
+  ssid="gnuv3"
   lan=10.1.0.0
 fi
 mask=255.255.0.0
@@ -60,6 +88,14 @@ l=${lan%.0}
 
 passwd -l root ||: #already locked fails
 
+sed -ibak '/^root:/d' /etc/shadow
+# /root/router created by manually running passwd then copying the resulting
+# line. We have no mkpasswd on wrt/librecmc, then we scp it in.
+cat /root/router >>/etc/shadow
+# otherwise, serial console gets root login with no password
+uset system.@system[0].ttylogin 1
+
+
 cat >/usr/bin/archlike-pxe-mount <<'EOFOUTER'
 #!/bin/bash
 # symlinks are collapsed for nfs mount points, so use a bind mount.
@@ -154,32 +190,6 @@ EOF
 
 
 
-######### uci example:#######
-# # https://wiki.openwrt.org/doc/uci
-# wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p')
-# wan="firewall.@zone[$wan_index]"
-# if [[ $(uci get firewall.@forwarding[0].dest) != $forward_dest ]]; then
-#     # default is wan
-#     v uci set firewall.@forwarding[0].dest=$forward_dest
-#     uci commit firewall
-#     firewall_restart=true
-# fi
-
-
-uset() {
-  local key="$1"
-  local val="$2"
-  local service="${key%%.*}"
-  restart_var=${service}_restart
-  if [[ ! ${!restart_var} ]]; then
-    eval $restart_var=false
-  fi
-  if [[ $(uci get "$key") != "$val" ]]; then
-    v uci set "$key"="$val"
-    uci commit $service
-    eval $restart_var=true
-  fi
-}
 
 uset dropbear.@dropbear[0].PasswordAuth 0
 uset dropbear.@dropbear[0].RootPasswordAuth 0
@@ -236,6 +246,8 @@ EOF
 
 firewall_restart=false
 v cedit /etc/config/firewall <<EOF || firewall_restart=true
+
+
 config redirect
     option name ssh
     option src              wan
@@ -330,7 +342,8 @@ $l.4 htpc
 $l.5 x2
 $l.6 demohost
 $l.7 x3
-$l.8 tp faiserver b8.nz
+$l.8 tp b8.nz faiserver
+$l.9 bb8
 72.14.176.105 li
 
 # netns creation looks for next free subnet starting at 10.173, but I only
-- 
2.30.2