From ceeb4e46d3bb326d01fcc7ed98d94ab0b580eda3 Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Sun, 25 Dec 2022 16:01:28 -0500 Subject: [PATCH] various fixes --- README | 2 +- fai-redep | 3 +- fai/config/distro-install-common/end | 2 +- .../distro-install-common/libreboot_grub.cfg | 2 +- .../root/fai-check/VOL_BULLSEYE_BOOTSTRAP | 33 ++++++--- fai/config/hooks/partition.DEFAULT | 7 +- lk | 25 ++++--- myfai-chboot-local | 37 ++++++---- wrt-init | 7 ++ wrt-setup | 2 +- wrt-setup-local | 73 +++++++++++++++---- 11 files changed, 132 insertions(+), 61 deletions(-) diff --git a/README b/README index 304227a..b73c104 100644 --- a/README +++ b/README @@ -79,7 +79,7 @@ existing /etc/ssh/*host* to /p/c/machine_specific/HOST/filesystem/etc/ssh host-* luks keyfiles generated like: -head -c 2048 /dev/urandom | od | s dd of=/q/root/luks/host-demohost +h=demohost; head -c 2048 /dev/urandom | od | se dd of=/q/root/luks/host-$h Configuration of which luks key to use is in fai/config/hooks/partition.DEFAULT diff --git a/fai-redep b/fai-redep index 7c8b9dd..4269aa3 100755 --- a/fai-redep +++ b/fai-redep @@ -59,7 +59,8 @@ m() { printf "$pre %s\n" "$*"; "$@"; } # i use faiserver as a dns alias, but ssh key is associated with # a canonical hostname and we will have ssh warning spam unless we # use it, so look it up just to avoid the warning spam. -faiserver_host=$(/a/exe/chost $host) || faiserver_host=$host +faiserver_host=$(/a/exe/chost $host) +# faiserver_host=$host faiserver_addr=$(host $host | sed -rn 's/^\S+ has address //p;T;q' ||:) if ! ip a | grep "^ *inet.\? $faiserver_addr" &>/dev/null; then diff --git a/fai/config/distro-install-common/end b/fai/config/distro-install-common/end index 22fa4f0..0205387 100755 --- a/fai/config/distro-install-common/end +++ b/fai/config/distro-install-common/end 
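Review bot: In the fai-redep hunk, `faiserver_host=$(/a/exe/chost $host)` no longer has a fallback, so a failed lookup leaves `faiserver_host` empty, or aborts the script if errexit is on (not visible in this hunk). The hunk's own comment says the value exists to match the ssh host key, so an explicit failure is clearer than the commented-out fallback: `faiserver_host=$(/a/exe/chost "$host") || { echo "$0: error: chost $host failed" >&2; exit 1; }`. Quoting `$host` there and in `host $host` on the following line also keeps an unexpected value from being word-split.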
@@ -94,7 +94,7 @@ Defaults:root,iank !log_allowed, !pam_session Defaults>root env_file=/etc/rootsudoenv # a few commands we should be able to run with no password -iank ALL = (root) NOPASSWD: /usr/local/bin/spend,/usr/bin/nmtui-connect +iank ALL = (root) NOPASSWD: /usr/local/bin/spend,/usr/bin/nmtui-connect,/usr/local/bin/bitcoinoff EOF diff --git a/fai/config/distro-install-common/libreboot_grub.cfg b/fai/config/distro-install-common/libreboot_grub.cfg index 9ea5390..d9dde28 100644 --- a/fai/config/distro-install-common/libreboot_grub.cfg +++ b/fai/config/distro-install-common/libreboot_grub.cfg @@ -20,7 +20,7 @@ function save_chosen { # fai check, it does it, then reboots. But fai-check also sets # did_fai_check to a 3rd state os_true which means we did the fai check, # and we don't want to do it again. This is useful for systems without -# libreboot, although it's not used yet. +# libreboot. # We don't set this to fai check so we can't get into # an infinite reboot cycle. We depend on the os to diff --git a/fai/config/files/root/fai-check/VOL_BULLSEYE_BOOTSTRAP b/fai/config/files/root/fai-check/VOL_BULLSEYE_BOOTSTRAP index 6f01194..a250238 100755 --- a/fai/config/files/root/fai-check/VOL_BULLSEYE_BOOTSTRAP +++ b/fai/config/files/root/fai-check/VOL_BULLSEYE_BOOTSTRAP @@ -3,7 +3,7 @@ set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR - +#set -x usage() { cat </dev/null; then + echo "not x200, exiting" + exit 0 +fi + first=true for dev in $(btrfs fi show / | sed -rn 's#^\s*devid\s.*\s([^0-9 ]+)\S+$#\1#p' \ |sort); do - + echo dev=$dev found=false # Decide which is my grub_ext partition. see partition.DEFAULT file # for details. currently it is 4 @@ -70,6 +75,7 @@ for dev in $(btrfs fi show / | sed -rn 's#^\s*devid\s.*\s([^0-9 ]+)\S+$#\1#p' \ if [[ $(blockdev --getsize64 ${dev}$i) == 8388608 ]]; then grub_extn=${dev}$i found=true + echo grub_extn=$grub_extn break fi done 
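Review bot: The `/usr/local/bin/bitcoinoff` entry added to the NOPASSWD line permits the command with any arguments, and nothing in the hunk shows who owns the script. If bitcoinoff takes no arguments, pin that in the rule with `/usr/local/bin/bitcoinoff ""`. The install step should also make sure the file is root-owned and not group- or world-writable, because anything iank can edit or steer through arguments there runs as root without a password. The heredoc holding this rule starts outside the hunk; checking the written file with `visudo -cf <written sudoers file>` before it is used would catch a syntax slip in this growing list.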
@@ -77,18 +83,17 @@ for dev in $(btrfs fi show / | sed -rn 's#^\s*devid\s.*\s([^0-9 ]+)\S+$#\1#p' \ echo "$0: error: failed to find grub_ext partition." exit 1 fi - mount $grub_extn /mnt + m mount $grub_extn /mnt if $first; then if [[ -e /mnt/grubenv ]]; then - set -x + m grub-editenv /mnt/grubenv list source <(grub-editenv /mnt/grubenv list) - set +x fi first=false # we could just as well check if last_boot != /debianbullseye_bootstrap # the intent with this one is just a little clearer. if [[ $did_fai_check == true ]]; then - grub-editenv /mnt/grubenv set did_fai_check=os_true + m grub-editenv /mnt/grubenv set did_fai_check=os_true # our service does not wait for network-online.target, # because it will wait for too long when we don't have a network # connection. So, we wait for 10 seconds. @@ -101,13 +106,17 @@ for dev in $(btrfs fi show / | sed -rn 's#^\s*devid\s.*\s([^0-9 ]+)\S+$#\1#p' \ # if looks at them, which may not be the same as us. # If the disk dies, we just lose the default boot option, # we will have to do manual steps to replace it anyways. - rm -f /mnt/gruvenv + m rm -f /mnt/gruvenv fi - umount /mnt + m umount /mnt done # the check for last_boot is not needed afaik, just sanity check. -if [[ $did_fai_check == true && $last_boot != /debianbullseye_bootstrap ]]; then - # no need to reboot if we actually want to boot into this os. - reboot -fi +case $did_fai_check in + true|os_true) + if [[ $last_boot != /debianbullseye_bootstrap ]]; then + # no need to reboot if we actually want to boot into this os. + echo "last_boot not debianbullseye_bootstrap, rebooting" + reboot + fi +esac diff --git a/fai/config/hooks/partition.DEFAULT b/fai/config/hooks/partition.DEFAULT index 1586e48..410b915 100755 --- a/fai/config/hooks/partition.DEFAULT +++ b/fai/config/hooks/partition.DEFAULT 
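Review bot: `source <(grub-editenv /mnt/grubenv list)` executes the contents of grubenv as shell code, and the added `m grub-editenv /mnt/grubenv list` line only prints the same data beforehand. grubenv sits on the grub_ext partition mounted just above, so anything able to write that partition gets its text run with this script's privileges, presumably root at boot. Reading only the keys that are used later avoids that: `did_fai_check=$(grub-editenv /mnt/grubenv list | sed -n 's/^did_fai_check=//p')`, and the same for `last_boot`. The enclosing for loop starts outside this hunk.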
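Review bot: `m rm -f /mnt/gruvenv` looks like a misspelling of `grubenv`, and because of `-f` the command succeeds without removing anything. If `m` echoes its command as it does in fai-redep, the log will now show a removal that never happened. Going by the comment above it, the line should read `m rm -f /mnt/grubenv`. Separately, the new `case` makes `os_true` reboot as well whenever `last_boot` is not `/debianbullseye_bootstrap`. A short comment on why that cannot loop would help, since the grub config text describes `os_true` as the state meaning the check should not be done again.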
@@ -866,8 +866,13 @@ if $partition; then # so use fixed sizes to allow both to grow # 600 = uefi 512 + grubext 8 + bios grub 3 + some extra cuz this is lvm #root_mib=$(( disk_mib - root2_part_mib - swap_mib - boot_part_mib - boot2_part_mib - 600 )) - root_mib=$(( 1000 * 1000 )) # * 1000 to make it in gb. o_mib=$(( 120 * 1000 )) + # max minus o, minus a gig just for some extra space + max_root_mib=$(( disk_mib - root2_part_mib - swap_mib - boot_part_mib - boot2_part_mib - 600 - o_mib - 1000 )) + root_mib=$(( 1000 * 1000 )) # * 1000 to make it in gb. + if (( max_root_mib < root_mib )); then + root_mib=$max_root_mib + fi fi if [[ ! $SPECIAL_DISK ]]; then diff --git a/lk b/lk index 247f4ed..b757fcc 100755 --- a/lk +++ b/lk @@ -16,7 +16,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. usage() { - cat </dev/null 2>&1; then - apt-get update ||: # try even if we fail - apt-get install -y debconf - debconf-set-selections <&2' ERR +f=/usr/local/lib/err;test -r $f || { echo "error: $0 no $f" >&2;exit 1;}; . $f usage() { @@ -94,12 +93,14 @@ shift "$((OPTIND-1))" # Discard the options and sentinel -- if [[ $1 ]]; then h=$1 - hostname=$h else h=cmc +fi +if [[ ! $hostname ]]; then hostname=$h fi + secrets=false if [[ -e /root/router-secrets ]]; then secrets=true @@ -235,7 +236,8 @@ mask=255.255.0.0 cidr=16 l=${lan%.0} -passwd -l root ||: #already locked fails +# why did we lock this? i don't know +#passwd -l root ||: #already locked fails sed -ibak '/^root:/d' /etc/shadow # /root/router created by manually running passwd then copying the resulting @@ -580,6 +582,7 @@ EOF ;; esac + cedit /etc/config/firewall </dev/null; then # # cant mix cedit plus uci @@ -908,7 +946,7 @@ uset dhcp.@dnsmasq[0].local # note: tried this, it didn't do anything: # uset dhcp.@odhcpd[0].dns 10.2.0.1 -# iank, disabled while debugging. +# iank, disablde while debugging. #/etc/init.d/odhcpd stop #/etc/init.d/odhcpd disable 
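Review bot: `max_root_mib` has no lower bound, so on a disk smaller than the fixed reservations the subtraction reaches zero or goes negative and `root_mib=$max_root_mib` carries that value into partitioning. A guard right after the computation fails early with a clear message: `if (( max_root_mib <= 0 )); then echo "$0: error: disk too small for root" >&2; exit 1; fi`. The enclosing `if $partition` block and the code that consumes `root_mib` are outside this hunk, so the exact minimum worth enforcing is for the author to pick.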
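Review bot: In the wrt-setup-local hunk at `@@ -235,7 +236,8 @@`, commenting out `passwd -l root` leaves root's login state defined only by whatever replaces the `root:` line that `sed -ibak '/^root:/d' /etc/shadow` deletes next. That replacement is outside the hunk. If it is written only when `/root/router-secrets` exists, as the `secrets` flag set earlier suggests, confirm that the no-secrets path still ends with a locked entry (password field `!`) rather than a missing or empty one. The new comment asks why the lock was there; a statement of the rule would serve better, e.g. `# root login is defined solely by the shadow line written below`. Note also that `-ibak` keeps the previous hash in `/etc/shadowbak`.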
@@ -1114,11 +1152,9 @@ dhcp-host=94:05:bb:1e:2c:2e,set:sy,$l.3,sy # top port, iPXE (PCI 04:00.0) in seabios boot menu #dhcp-host=c8:60:00:2b:15:07,set:kd,$l.2,kd # 4 is reserved for a staticly configured host wrt2 -# old x2 with bad fan -#dhcp-host=00:1f:16:16:39:24,set:x2,$l.5,x2 dhcp-host=f0:de:f1:81:ec:88,set:x2,$l.5,x2 dhcp-host=c4:8e:8f:44:f5:63,set:x2w,$l.6,x2w -dhcp-host=70:a6:cc:34:09:22,set:syw,$l.7,syw +dhcp-host=10:51:07:f5:f1:b8,set:syw,$l.7,syw dhcp-host=80:fa:5b:1c:6e:cf,set:amy,$l.8,amy # This is so fai can have an explicit name to use for testing, # or else any random machine which did a pxe boot would get @@ -1129,6 +1165,7 @@ dhcp-host=52:54:00:9c:ef:ad,set:demohost,$l.12,demohost #dhcp-host=52:54:00:9c:ef:ad,ignore dhcp-host=62:03:cb:a8:3e:a3,set:trp,$1.13,trp # 14 = wrt3 +dhcp-host=ac:d1:b8:5c:eb:d7,set:x3w,$l.17,x3w dhcp-host=00:1f:16:14:01:d8,set:x3,$l.18,x3 # BRN001BA98CA823 in dhcp logs dhcp-host=00:1b:a9:8c:a8:23,set:brother,$l.19,brother @@ -1141,10 +1178,12 @@ dhcp-host=70:a6:cc:3a:bb:b4,set:bow,$l.29,bow dhcp-host=6c:56:97:88:7b:74,set:amazontab,$l.31,amazontab dhcp-host=0a:8a:9b:cf:b5:ec,set:samsungtab,$l.32,samsungtab dhcp-host=b8:27:eb:78:21:1d,set:pi3b,$l.33,pi3b -dhcp-host=e4:5f:01:07:50:3f,set:pi4,$l.38,pi4 -dhcp-host=e4:5f:01:07:50:40,set:pi4w,$l.39,pi4w +# old x2 with bad fan +dhcp-host=00:1f:16:16:39:24,set:x8,$l.38,x8 # server d16: dhcp-host=38:2c:4a:c9:33:13,set:bigs,$l.48,bigs +dhcp-host=e4:5f:01:07:50:40,set:pi4w,$l.49,pi4 +dhcp-host=e4:5f:01:07:50:3f,set:pi4,$l.50,pi4w # faiserver vm @@ -1193,6 +1232,10 @@ if $firewall_restart; then v /etc/init.d/firewall restart fi +# turn off luci +/etc/init.d/uhttpd stop +/etc/init.d/uhttpd disable + # this may just restart the network and take care of the network_restart below. if $wireless_restart; then v wifi -- 2.30.2
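Review bot: In the hunk at `@@ -1129,6 +1165,7 @@`, the context line `dhcp-host=62:03:cb:a8:3e:a3,set:trp,$1.13,trp` uses `$1` (digit one) where every neighbouring entry, including the `x3w` line added here, uses `$l` (letter l). Assuming these lines sit in an unquoted heredoc, `$1` expands to the script's first positional argument, so trp gets the host-name argument or nothing in front of `.13` instead of the LAN prefix. The fix is `dhcp-host=62:03:cb:a8:3e:a3,set:trp,$l.13,trp`.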
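Review bot: The two moved pi4 entries in the hunk at `@@ -1141,10 +1178,12 @@` have mismatched tag and name: `e4:5f:01:07:50:40,set:pi4w,$l.49,pi4` and `e4:5f:01:07:50:3f,set:pi4,$l.50,pi4w`. Before this change `:3f` was pi4 in both fields and `:40` was pi4w in both, so the crossed names look like a slip made while renumbering. If the MACs are unchanged, the lines would be `dhcp-host=e4:5f:01:07:50:40,set:pi4w,$l.49,pi4w` and `dhcp-host=e4:5f:01:07:50:3f,set:pi4,$l.50,pi4`. With the names crossed, a lookup of either host name resolves to the other interface's address.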
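Review bot: The two `/etc/init.d/uhttpd` calls in the last hunk run unconditionally, so on an image without uhttpd they fail. If errexit is active in this script (not visible here), that aborts setup before the wifi and network restarts below. A guard keeps the step that turns off the web UI from breaking the run: `if [[ -x /etc/init.d/uhttpd ]]; then v /etc/init.d/uhttpd stop; v /etc/init.d/uhttpd disable; fi`. That form also uses the `v` wrapper, as the surrounding restarts do.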