From ee37d990c89bb3bab1b54e3b3fb43e9f79ed039b Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Sun, 11 Aug 2019 19:42:59 -0400
Subject: [PATCH] changes for buster linode
---
README | 8 ++-
fai-redep | 88 +++++++++++++++-----------
fai-revm | 26 ++++----
fai/config/basefiles/mk-basefile | 1 +
fai/config/class/50-host-classes | 2 +-
fai/config/class/BUSTER_LINODE.var | 2 +
fai/config/class/DEBIAN.var | 3 +-
fai/config/class/DEFAULT.var | 4 +-
fai/config/distro-install-common/end | 19 +-----
fai/config/hooks/instsoft.DEFAULT | 42 ++++++------
fai/config/hooks/partition.DEFAULT | 81 +++++++++++++++---------
fai/config/package_config/DEBIAN | 29 ++-------
fai/config/package_config/STANDARD | 35 ++++++++++
fai/config/package_config/UBUNTU | 18 ------
fai/config/scripts/DEBIAN/30-interface | 49 +++++++-------
fai/config/scripts/GRUB_PC/11-iank | 41 ++++++++----
grub.cfg.autodiscover | 9 +--
grub.cfg.netinst | 78 +++++++++++++++++++++++
grub.cfg.netinst-linode | 78 +++++++++++++++++++++++
grub.cfg.sysinfo-linode | 78 +++++++++++++++++++++++
myfai-chboot-local | 2 +-
wrt-setup-local | 4 +-
22 files changed, 493 insertions(+), 204 deletions(-)
create mode 100644 fai/config/class/BUSTER_LINODE.var
create mode 100644 grub.cfg.netinst
create mode 100644 grub.cfg.netinst-linode
create mode 100644 grub.cfg.sysinfo-linode
diff --git a/README b/README
index 9d5e00f..f20bd12 100644
--- a/README
+++ b/README
@@ -80,7 +80,13 @@ All scripts meant to be used directly are listed here: # Scripts to setup the environment for the install -sudo fai-cd -g $PWD/grub.cfg.autodiscover -f -A $BASEFILE_DIR/autodiscover.iso # create autodiscover cd + +# create tiny autodiscover cd +fai-redep && sudo fai-cd -g $PWD/grub.cfg.autodiscover -f -A $BASEFILE_DIR/autodiscover.iso +# create normal fai cd (replace TARGET_HOST) +fai-redep -t TARGET_HOST && sudo fai-cd -M -g $PWD/grub.cfg.netinst -f $BASEFILE_DIR/netinst.iso +note, may need to set hostname in something like LAST.var +also, may need to unset proxy. mymk-basefile # Create basefiles for various distros archlike-pxe # Setup pxe boot server from an archlike base image fai-redep # Deploy fai configuration to host "faiserver" diff --git a/fai-redep b/fai-redep index 3e1263d..c90aea8 100755 --- a/fai-redep +++ b/fai-redep 
@@ -1,40 +1,50 @@ #!/bin/bash -# Copyright (C) 2016 Ian Kelling - -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. - -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# Copyright (C) 2019 Ian Kelling +# SPDX-License-Identifier: AGPL-3.0-or-later set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR -x="$(readlink -f "$BASH_SOURCE")"; cd ${x%/*} +readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"; cd "${this_file%/*}" usage() { - cat <&2; exit 1; } + +temp=$(getopt -l help hd:t: "$@") || usage 1 +eval set -- "$temp" +while true; do + case $1 in + -d) distro=$2; shift ;; + -t) target=$2; shift ;; + -h|--help) usage ;; + --) shift; break ;; + *) echo "$0: unexpected args: $*" >&2 ; usage 1 ;; + esac + shift +done host=${1:-faiserver} -distro=$2 + +readonly host distro target + +##### end command line parsing ######## # i use faiserver as a dns alias, but ssh key is associated with # a canonical hostname and we will have ssh warning spam unless we 
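Review bot: `readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"` hides a readlink failure from `set -eE`, because the exit status of the line is that of `readonly`, so the following `cd "${this_file%/*}"` can run with an empty path. Splitting it keeps the check: `this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"` followed by `readonly this_file`. The same construct is added in the first fai-revm hunk, where the new `cd $script_dir` is also unquoted. `distro` and `target` are marked readonly without ever being initialised when `-d`/`-t` are absent, which is fine only as long as `set -u` stays off.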
@@ -43,22 +53,30 @@ faiserver_host=$(chost $host) || faiserver_host=$host rsync -rlpt --delete --relative --exclude /fai/config/basefiles/ fai/config root@$faiserver_host:/srv - -scp -q ~/.ssh/home.pub \ - root@$faiserver_host:/srv/fai/config/files/root/.ssh/authorized_keys/GRUB_PC +sudo rsync -a /root/.ssh/home.pub \ + root@$faiserver_host:/srv/fai/config/files/root/.ssh/authorized_keys/STANDARD # todo: automatically disable faiserver after a period so -# these files are not exposed. -sudo scp -qr /q/root/luks /q/root/shadow \ - root@$faiserver_host:/srv/fai/config/distro-install-common +# these files are not available. -# should tar ssh all the files, but these ones really justified it -tar -cz /p/c/machine_specific/*/filesystem/etc/ssh | \ - ssh root@$faiserver_host tar -xz -C /srv/fai/config/distro-install-common +if [[ $target ]]; then + sudo rsync -lpt --files-from=- /q/root root@$faiserver_host:/srv/fai/config/distro-install-common </dev/null ||: # broken pipe @@ -72,8 +90,6 @@ set -eE -o pipefail # the other directory, so it's kind of a tossup, whatever. sed -ri 's,^ *(TFTP_DIRECTORY=).*,\1"/srv/tftp/fai",' /etc/default/tftpd-hpa systemctl restart tftpd-hpa -chmod 644 /srv/fai/config/files/root/.ssh/authorized_keys/GRUB_PC -chmod -R a+rX /srv/fai/config/distro-install-common changed=false f=/srv/fai/nfsroot/root/.ssh/known_hosts diff --git a/fai-revm b/fai-revm index d09bbcc..7645888 100755 --- a/fai-revm +++ b/fai-revm @@ -17,9 +17,11 @@ -x="$(readlink -f "$BASH_SOURCE")" -script_dir="${x%/*}" +readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")" +script_dir="${this_file%/*}" +# shellcheck source=./bash-trace source "${script_dir}/bash-trace" +cd $script_dir e() { echo "$*"; "$@"; } 
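Review bot: The rsync of `/q/root` into `distro-install-common` carries LUKS keys and shadow data onto the FAI server with whatever modes the source files happen to have (`-p`), and the later hunk drops the `chmod -R a+rX` that used to loosen them, so nothing in the new code states the intended permissions. Pinning them on transfer, for example `--chmod=D700,F600`, would make the result independent of the source tree; confirm first that install clients read the config space as root, since the removed chmod suggests they once did not. Part of this hunk's here-document is missing from the page, so the file list itself could not be reviewed. `root@$faiserver_host` should also be quoted in both rsync destinations.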
@@ -37,6 +39,7 @@ fails. Just run again if that happens. -n Create new qcow2(s) for vm. Good for testing partitioning script, to ensure a blank disk. -p Use pxe instead of autodiscover iso with fai. +-c Use normal fai-cd iso is instead of autodiscover iso. -r Do not boot after install is complete -h|--help Print help and exit. @@ -48,13 +51,15 @@ EOF orig_args=("$@") new_disk=false pxe=false -temp=$(getopt -l help dnprh "$@") || usage 1 +iso=autodiscover.iso +temp=$(getopt -l help dnpcrh "$@") || usage 1 eval set -- "$temp" while true; do case $1 in -d) dhcp_arg=-d; shift ;; -n) new_disk=true; shift ;; -p) pxe=true; shift ;; + -c) iso=netinst.iso; shift ;; -r) reboot_arg=--noreboot; shift ;; -h|--help) usage ;; --) shift; break ;; @@ -65,7 +70,7 @@ done # change this to test different disk counts. 1 and > 1 should be the only # important things to test. -disk_count=1 +disk_count=2 if [[ $script_dir == /a/bin/* ]]; then @@ -76,7 +81,6 @@ if [[ $script_dir == /a/bin/* ]]; then exec /tmp/faifreeze/${BASH_SOURCE##*/} "${orig_args[@]}" fi -cd $script_dir is_arch_revm() { [[ ${0##*/} == arch-revm ]] @@ -105,12 +109,12 @@ else if [[ ! $BASEFILE_DIR ]]; then BASEFILE_DIR=/tmp fi - a=$BASEFILE_DIR/autodiscover.iso - b=$BASEFILE_DIR/STRETCH64.tar.gz - if [[ ! -e $a || $(stat -c %Y $a) -lt $(stat -c %Y $b) ]]; then - e s fai-cd -g $(readlink -f grub.cfg.autodiscover) -f -A $BASEFILE_DIR/autodiscover.iso + isopath=$BASEFILE_DIR/$iso + isosrc=$BASEFILE_DIR/STRETCH64.tar.gz + if [[ ! -e $isopath || $(stat -c %Y $isopath) -lt $(stat -c %Y $isosrc) ]]; then + e s fai-cd -g $(readlink -f grub.cfg.${iso%%.*}) -f -A $isopath fi - boot_arg="--cdrom $BASEFILE_DIR/autodiscover.iso" + boot_arg="--cdrom $isopath" e fai-redep e myfai-chboot default fi 
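Review bot: In the last hunk the ISO is always built with `fai-cd ... -f -A $isopath`, so `-c` (netinst.iso) still produces an autodiscover image, while the README in this same commit builds the normal CD with `-M` and without `-A`, and grub.cfg.netinst expects the config space on the CD. Selecting the flag per image would fix it: `if [[ $iso == autodiscover.iso ]]; then cd_args=(-A); else cd_args=(-M); fi` and `e s fai-cd -g "$(readlink -f "grub.cfg.${iso%%.*}")" -f "${cd_args[@]}" "$isopath"`. The freshness test still compares against `STRETCH64.tar.gz` although the commit targets buster, which looks like an oversight. The enclosing `if`/`else` starts outside the hunk.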
@@ -153,7 +157,7 @@ s iptables -P FORWARD ACCEPT # --graphics spice,listen=0.0.0.0 $console_arg |& grep -v '^ *$' | uniq & -e s virt-install --os-variant $variant -n $name $boot_arg -r 2048 --vcpus 1 \ +e s virt-install --rng /dev/urandom --os-variant $variant -n $name $boot_arg -r 2048 --vcpus 1 \ ${disk_arg[*]} -w bridge=br0,mac=52:54:00:9c:ef:ad $reboot_arg \ --graphics spice,listen=0.0.0.0 $console_arg |& grep -v '^ *$' | uniq & diff --git a/fai/config/basefiles/mk-basefile b/fai/config/basefiles/mk-basefile index f739142..152392d 100755 --- a/fai/config/basefiles/mk-basefile +++ b/fai/config/basefiles/mk-basefile @@ -1,4 +1,5 @@ #! /bin/bash +set -x # mk-basefile, create basefiles for some distributions # # Thomas Lange, Uni Koeln, 2011-2018 diff --git a/fai/config/class/50-host-classes b/fai/config/class/50-host-classes index 61af5ee..74eb50a 100755 --- a/fai/config/class/50-host-classes +++ b/fai/config/class/50-host-classes @@ -32,7 +32,7 @@ # # The apt sources files we want, STRETCH_FREE, STRETCH_NONFREE, # BUSTER_FREE, BUSTER_NONFREE, TESTING_FREE, TESTING_NONFREE, -# XENIAL_FREE, FLIDAS, ETIONA, STRETCH_LINODE. +# XENIAL_FREE, FLIDAS, ETIONA, STRETCH_LINODE, BUSTER_LINODE. # # It's all a little redundant in some cases, but it keeps things # simpler. diff --git a/fai/config/class/BUSTER_LINODE.var b/fai/config/class/BUSTER_LINODE.var new file mode 100644 index 0000000..9030f9e --- /dev/null +++ b/fai/config/class/BUSTER_LINODE.var @@ -0,0 +1,2 @@ +HOSTNAME=li +APTPROXY= \ No newline at end of file diff --git a/fai/config/class/DEBIAN.var b/fai/config/class/DEBIAN.var index f343669..07632b2 100644 --- a/fai/config/class/DEBIAN.var +++ b/fai/config/class/DEBIAN.var @@ -17,5 +17,4 @@ MODULESLIST="usbhid psmouse" FAI_RAMDISKS="$target/var/lib/dpkg $target/var/cache" # if you want to use the faiserver as APT proxy -# ian: uncommented -APTPROXY=http://faiserver:3142 +# APTPROXY=http://faiserver:3142 
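Review bot: The `virt-install` line edited here keeps `--graphics spice,listen=0.0.0.0`, so the console of a VM that is being installed with LUKS key material is reachable on every interface of the host, and no spice password is visible in this hunk. Binding it to loopback, `--graphics spice,listen=127.0.0.1`, and reaching it through an ssh tunnel would narrow that; the hunk header also shows `iptables -P FORWARD ACCEPT` just above, so the host firewall should not be assumed to cover it. `${disk_arg[*]}` would be safer as `"${disk_arg[@]}"`.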
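Review bot: The `set -x` added as line 2 of mk-basefile sits above the file's header comment and reads like leftover debugging. If the trace is wanted permanently, a comment such as `# trace every command; output goes to the build log` would say so, otherwise the line should be dropped before the change lands, since xtrace prints every expanded argument to stderr.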
diff --git a/fai/config/class/DEFAULT.var b/fai/config/class/DEFAULT.var index 9934bb4..1c8de54 100644 --- a/fai/config/class/DEFAULT.var +++ b/fai/config/class/DEFAULT.var @@ -6,4 +6,6 @@ LOGUSER=fai # when downloading from https intead of nfs, this is not set, # it is used as the default for LOGSERVER, and for calling chboot. # My faiserver's hostname is always faiserver, so just hardcoding it. -SERVER=faiserver \ No newline at end of file +SERVER=faiserver + +APTPROXY=http://faiserver:3142 diff --git a/fai/config/distro-install-common/end b/fai/config/distro-install-common/end index 8ae323c..2871106 100755 --- a/fai/config/distro-install-common/end +++ b/fai/config/distro-install-common/end @@ -10,10 +10,11 @@ fi # ssh host keys # note, $BASH_SOURCE is not defined here under fai. + src=$(dirname "$0")/p/c/machine_specific/$HOSTNAME/filesystem/etc/ssh dst=$target/etc/ssh if [[ -e $src && -e $dst ]]; then - # outside of fai context, we skip this + # outside of fai context or setting up a brand new host, we skip this cp -rT $src $dst fi @@ -74,7 +75,7 @@ $ROOTCMD usermod -a -G docker iank f=$target/etc/sysctl.d/99-sysctl.conf key=fs.inotify.max_user_watches if [[ -e $f ]]; then sed -ri --follow-symlinks "/^\s*$key\s*=/d" $f; fi -echo "fs.inotify.max_user_watches = 1000000" >> $f +echo "fs.inotify.max_user_watches = 50000" >> $f # applies it. it would be also be applied after a reboot $ROOTCMD sysctl --system @@ -84,19 +85,5 @@ if [[ ! -e $f ]] || ! grep -xF "$line" $f; then echo "$line" >> $f fi -dir=/p/c/machine_specific/$HOSTNAME/.unison -$ROOTCMD mkdir -p $dir -if ! $ROOTCMD test -L /root/.unison; then - $ROOTCMD rm -rf /root/.unison - $ROOTCMD ln -s -T $dir /root/.unison -fi - -$ROOTCMD chown -R 1000:1000 $dir -while true; do - $ROOTCMD chown 1000:1000 $dir - $ROOTCMD chmod 700 $dir - dir=$(dirname $dir) - if [[ $dir == /p ]]; then break; fi -done au --system -s /bin/false --home-dir /var/lib/bitcoind bitcoin 
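Review bot: Moving `APTPROXY=http://faiserver:3142` into DEFAULT.var makes every class inherit a proxy that only resolves on the faiserver network, and the only opt-out is an empty assignment in a later class file, as BUSTER_LINODE.var does. A comment on the new line would keep that from being forgotten, for example `# hosts installed away from faiserver must set APTPROXY= in a later class .var file`. This relies on DEFAULT.var being sourced before the overriding class, which is not visible in this hunk.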
diff --git a/fai/config/hooks/instsoft.DEFAULT b/fai/config/hooks/instsoft.DEFAULT index f02f1cf..bdcaab1 100755 --- a/fai/config/hooks/instsoft.DEFAULT +++ b/fai/config/hooks/instsoft.DEFAULT @@ -1,8 +1,10 @@ #!/bin/bash +# These are things we can do before package_config packages get installed. + # exit for any vm except demohost, or if we are doing a dirinstall if ifclass VM && ! ifclass demohost || ifclass VOL_STRETCH_BOOTSTRAP || [[ ! $FAI_ACTION || $FAI_ACTION = dirinstall ]]; then - exit 0 + exit 0 fi keyfile=/var/lib/fai/config/distro-install-common/luks/host-$HOSTNAME @@ -13,32 +15,30 @@ cat <<'EOF' $(cat $keyfile) EOF EOFOUTER -chmod +x $f - - -f=$target/root/keyscript-manual -cat >$f <<'EOF' -#!/bin/sh -if ! [ -e /tmp/key ]; then - stty -echo - read pass - printf '%s' "$pass" > /tmp/key -fi -cat /tmp/key -EOF -chmod +x $f +chmod 700 $f # for hosts which don't have these data volumes, copy the specific # files we need. if ifclass demohost; then - files=(/var/lib/fai/config/distro-install-common/luks/host-demohost) + files=(/var/lib/fai/config/distro-install-common/luks/host-demohost) elif ifclass tp; then - files=(/var/lib/fai/config/distro-install-common/luks/host-{tp,demohost}) + files=(/var/lib/fai/config/distro-install-common/luks/host-{tp,demohost}) fi if [[ ${files[0]} ]]; then - d=$target/q/root/luks - mkdir -p $d - cp ${files[@]} $d - chmod -R o-rwx $d + d=$target/q/root/luks + mkdir -p $d + chmod 700 $d + cp -p ${files[@]} $d fi + + +#### this bit is duplicated in rootsshsync +f=/var/lib/fai/config/files/root/.ssh/authorized_keys/STANDARD +d=$target/etc/initramfs-tools +d2=$target/etc/dropbear-initramfs +mkdir -p $d/root/.ssh $d2 +chmod 700 $d/root $d/root/.ssh +# i think buster uses the second, flidas uses the first. +cp -p $f $d/root/.ssh/authorized_keys +cp -p $f $d2/authorized_keys diff --git a/fai/config/hooks/partition.DEFAULT b/fai/config/hooks/partition.DEFAULT index b10ef25..2905435 100755 --- a/fai/config/hooks/partition.DEFAULT 
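Review bot: `chmod 700 $f` restricts the keyscript only after it has been written, and the file appears to embed the LUKS key via `$(cat $keyfile)`; its creation is outside this hunk, so with a default umask it exists briefly with wider permissions. Setting `umask 077` before the `cat` that creates `$f` closes that window, and it also covers `mkdir -p $d` for `$target/q/root/luks`, whose parent directories are otherwise created with default modes. The copy should quote its operands: `cp -p -- "${files[@]}" "$d"`. `files` is tested with `[[ ${files[0]} ]]` without being reset first, so a value inherited from the environment would be honoured.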
+++ b/fai/config/hooks/partition.DEFAULT @@ -140,12 +140,26 @@ else partition=false # change to true to force a full wipe fi +## ignore disks that are mounted, eg when running from fai-cd +declare -A disk_excludes +while read -r l; do + eval "$l" + if [[ ! $PKNAME ]]; then + PKNAME="$KNAME" + fi + if [[ $MOUNTPOINT ]]; then + disk_excludes[$PKNAME]=true + fi +done < <(lsblk -nP -o KNAME,MOUNTPOINT,PKNAME) hdds=() ssds=() cd /sys/block for disk in [sv]d[a-z]; do + if [[ ${disk_excludes[$disk]} ]]; then + continue + fi case $(cat $disk/queue/rotational) in 0) ssds+=(/dev/$disk) ;; 1) hdds+=(/dev/$disk) ;; @@ -170,7 +184,7 @@ for dev in ${short_devs[@]}; do if $partition; then break; fi y=$(readlink -f $dev) arr=($y[0-9]) - [[ ${#arr[@]} == "${lastn}" ]] || partition=true + [[ ${#arr[@]} == "$lastn" ]] || partition=true for (( i=1; i <= lastn; i++ )); do [[ -e ${dev}$i ]] || partition=true done @@ -193,7 +207,7 @@ shopt -s extglob for short_dev in ${short_devs[@]}; do devs+=($(devbyid $short_dev)) done -if [[ ! ${devs[@]} ]]; then +if [[ ! ${devs[0]} ]]; then echo "$0: error: failed to detect devs" >&2 exit 1 fi @@ -226,12 +240,12 @@ for dev in ${devs[@]}; do break fi done - $bad_disk || boot_devs+=(`bootdev`) + $bad_disk || boot_devs+=($(bootdev)) else - boot_devs+=(`bootdev`) + boot_devs+=($(bootdev)) fi if [[ $boot_devs && $first ]]; then - first_grub_extdev=`grub_extdev` + first_grub_extdev=$(grub_extdev) first=false fi done 
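Review bot: The new exclusion loop runs `eval "$l"` on each line of `lsblk -nP` output, which executes tool output as shell code and leaves `KNAME`, `MOUNTPOINT` and `PKNAME` behind as globals in a hook that later formats disks. Matching the three pairs with a regex gives the same result without eval and keeps the names local to the loop. A mounted filesystem on a stacked device reports the device below it as `PKNAME`, not the whole disk, so that case would presumably not be excluded either way.

```shell
declare -A disk_excludes
re='^KNAME="([^"]*)" MOUNTPOINT="([^"]*)" PKNAME="([^"]*)"$'
while read -r l; do
  # parse the KEY="value" pairs instead of eval'ing the line
  [[ $l =~ $re ]] || continue
  kname=${BASH_REMATCH[1]}
  mountpoint=${BASH_REMATCH[2]}
  pkname=${BASH_REMATCH[3]}
  if [[ $mountpoint ]]; then
    disk_excludes[${pkname:-$kname}]=true
  fi
done < <(lsblk -nP -o KNAME,MOUNTPOINT,PKNAME)
# … unchanged: hdds/ssds detection loop over /sys/block …
```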
@@ -287,22 +301,31 @@ bpart() { # btrfs a partition # head -c 2048 /dev/urandom | od | s dd of=/q/root/luks/host-demohost luks_dir=${LUKS_DIR:-/var/lib/fai/config/distro-install-common/luks} -if [[ ! -e $luks_dir/host-$HOSTNAME ]]; then - echo "$0: error: no key for hostname at $luks_dir/host-$HOSTNAME" >&2 - exit 1 + +luks_file=$luks_dir/host-$HOSTNAME +if [[ ! -e $luks_file ]]; then + hostkeys=($luks_dir/host-*) + # if there is only one key, we might be deploying somewhere + # where dhcp doesnt give us a proper hostname, so use that. + if [[ ${#hostkeys[@]} == 1 && -e ${hostkeys[0]} ]]; then + luks_file=${hostkeys[0]} + else + echo "$0: error: no key for hostname at $luks_file" >&2 + exit 1 + fi fi -lukspw=$(cat $luks_dir/iank) -# # ian: disabled by chaning to tpnew while I use the tp host. # # note, corresponding changes in /b/ds/keyscript-{on,off} if ifclass tpnew; then lukspw=$(cat $luks_dir/traci) -fi -if ifclass ziva; then +elif ifclass BUSTER_LINODE; then + lukspw=$(cat $luks_dir/li) +elif ifclass ziva; then lukspw=$(cat $luks_dir/ziva) -fi -if ifclass demohost; then +elif ifclass demohost; then lukspw=x +else + lukspw=$(cat $luks_dir/iank) fi @@ -315,7 +338,7 @@ swap_mib=$(( $(grep ^MemTotal: /proc/meminfo | \ mkdir -p /tmp/fai root_devs=() for dev in ${devs[@]}; do - root_devs+=(`rootdev`) + root_devs+=($(rootdev)) done shopt -s nullglob if $partition; then @@ -394,7 +417,7 @@ if $partition; then # wait at all. So I've added a 3 second minimum wait. sleep 3 secs=0 - while [[ ! -e `rootdev` ]] && (( secs < 10 )); do + while [[ ! -e $(rootdev) ]] && (( secs < 10 )); do sleep 1 secs=$((secs +1)) done 
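Review bot: The passphrase chain, including the new `elif ifclass BUSTER_LINODE` branch, assigns `lukspw=$(cat $luks_dir/li)` without checking the result, so a missing file can leave an empty value that is later piped into `cryptsetup luksAddKey` unless errexit is active here, which the hunk does not show. A guard after the chain would fail early: `[[ $lukspw ]] || { echo "$0: error: empty luks passphrase" >&2; exit 1; }`. The new single-key fallback also selects a key for a host whose name did not match anything, so printing the chosen path, `echo "$0: using $luks_file" >&2`, would leave a trace in the install log. The `demohost` branch keeps the one-character passphrase `x`, which is only acceptable if that class can never be applied to a real machine.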
@@ -406,7 +429,7 @@ if $partition; then # to grubenv after booting, but that relies on the boot always succeeding. # This is just a bit more robust, and it could work for booting # into ipxe which can't persist data, if we ever got that working. - mkfs.ext2 `grub_extdev` + mkfs.ext2 $(grub_extdev) # when we move to newer than trisquel 8, we can remove # --type luks1. We can also check on cryptsetup --help | less /compil # to see about the other settings. Default in debian 9 is luks2. @@ -414,11 +437,11 @@ if $partition; then # cryptsetup luksAddKey --pbkdf pbkdf2 # then remove the new format keys with cryptsetup luksRemoveKey # then cryptsetup convert DEV --type luks1, then readd old keys and remove temp. - yes YES | cryptsetup luksFormat `rootdev` $luks_dir/host-$HOSTNAME \ + yes YES | cryptsetup luksFormat $(rootdev) $luks_file \ --type luks1 -c aes-cbc-essiv:sha256 -s 256 || [[ $? == 141 ]] yes "$lukspw" | \ - cryptsetup luksAddKey --key-file $luks_dir/host-$HOSTNAME \ - `rootdev` || [[ $? == 141 ]] + cryptsetup luksAddKey --key-file $luks_file \ + $(rootdev) || [[ $? == 141 ]] # background: Keyfile and password are treated just # like 2 ways to input a passphrase, so we don't actually need to have # different contents of keyfile and passphrase, but it makes some @@ -429,8 +452,8 @@ if $partition; then # yes 'test' | cryptsetup luksRemoveKey /dev/... \ # /key/file || [[ $? == 141 ]] - cryptsetup luksOpen `rootdev` `root-cryptname` \ - --key-file $luks_dir/host-$HOSTNAME + cryptsetup luksOpen $(rootdev) $(root-cryptname) \ + --key-file $luks_file if [[ $SPECIAL_DISK ]]; then exit 0 @@ -442,9 +465,9 @@ if $partition; then bpart ${boot_devs[@]} else for dev in ${devs[@]}; do - mkfs.ext2 `grub_extdev` - cryptsetup luksOpen `rootdev` `root-cryptname` \ - --key-file $luks_dir/host-$HOSTNAME + mkfs.ext2 $(grub_extdev) + cryptsetup luksOpen $(rootdev) $(root-cryptname) \ + --key-file $luks_file done sleep 1 fi 
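Review bot: The `cryptsetup luksFormat` line rewritten in the second hunk still pins `-c aes-cbc-essiv:sha256`, a legacy mode that is weaker than cryptsetup's default aes-xts-plain64, and the comment above ties the LUKS1 settings to Trisquel 8 while this commit targets buster. If nothing at boot depends on the CBC mode, dropping the `-c` override for newly formatted hosts would be the safer default; the reason for pinning it is not visible here. In the same hunk `yes "$lukspw"` puts the passphrase on the command line of an external process; `printf '%s\n' "$lukspw" | cryptsetup luksAddKey --key-file "$luks_file" "$(rootdev)"` uses a builtin and removes the need for the `|| [[ $? == 141 ]]` workaround.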
@@ -524,13 +547,13 @@ $first_boot_dev /boot btrfs noatime,subvol=$boot_vol 0 0 EOF swaps=() for dev in ${devs[@]}; do - swaps+=(`swap-cryptname`) + swaps+=($(swap-cryptname)) cat >>/tmp/fai/crypttab <> /tmp/fai/fstab <= 0.7.41 (Debian >= 8, Ubuntu >= 14.04) - if ifclass VM; then + if ifclass VM || ifclass BUSTER_LINODE; then # note, this condition would apply to the elif below too, # but I don't specify a static ip in fai, so not bothering cat > $target/etc/network/interfaces <<-EOF - # generated by FAI - auto lo $NIC1 - iface lo inet loopback - iface $NIC1 inet dhcp +# generated by FAI +auto lo $NIC1 +iface lo inet loopback +iface $NIC1 inet dhcp +iface $NIC1 inet6 auto EOF else - cat > $target/etc/network/interfaces <<-EOF - # generated by FAI - auto lo br0 - iface lo inet loopback - iface $NIC1 inet manual - # make a bridge by default so we can have bridged vms. - # Some example I read had stp on, but i don't need stp, - # and it causes a vm to fail pxe boot, presumably unless - # you add some delay. - # http://wiki.libvirt.org/page/PXE_boot_%28or_dhcp%29_on_guest_failed - iface br0 inet dhcp - bridge_ports $NIC1 - bridge_stp off - bridge_maxwait 0 + cat > $target/etc/network/interfaces </dev/null; then fi chroot $FAI_ROOT bash <<'EOFOUTER' +set -eE -o pipefail if getent group systemd-journal >/dev/null; then # makes the journal be saved to disk. mkdir -p /var/log/journal 
@@ -99,9 +100,19 @@ EOF if [[ $FAI_ACTION != dirinstall ]]; then - cat >$FAI_ROOT/etc/grub.d/40_custom <<'EOF' + + if ifclass BUSTER_LINODE; then + speed=19200 + # luks.crypttab=no see man systemd-cryptsetup-generator + cmdline="luks.crypttab=no console=ttyS0,${speed}n8" + else + speed=115200 + cmdline="luks.crypttab=no console=ttyS0,${speed} console=tty0" + fi + + cat >$FAI_ROOT/etc/grub.d/40_custom </etc/initramfs-tools/modules +update-initramfs -u -k all EOF fi # reading through the groups that iank is in but user2 isn't, for g in plugdev audio video cdrom; do - $ROOTCMD usermod -a -G $g user2 + $ROOTCMD usermod -a -G $g user2 done diff --git a/grub.cfg.autodiscover b/grub.cfg.autodiscover index 6ed3a28..9103e45 100644 --- a/grub.cfg.autodiscover +++ b/grub.cfg.autodiscover 
@@ -57,17 +57,18 @@ menuentry "" --unrestricted { # ian: Added this from fai # note, we could replace faiserver with an ip if we didn't want to mess with dns. -# args are copied from myfai-chboot-local +# args are copied from myfai-chboot-local. +# Note, for a real cd or usb flash, we probably do not want reboot, so we can remove the disk +# after install is done menuentry "FAI server via dns" { set gfxpayload=$resolution - linux /boot/vmlinuz FAI_FLAGS=verbose,sshd,createvt FAI_CONFIG_SRC=nfs://faiserver/srv/fai/config root=/dev/nfs rw nfsroot=faiserver:/srv/fai/nfsroot,vers=3,nolock aufs rootovl ip=dhcp FAI_FLAGS=verbose,sshd,createvt + linux /boot/vmlinuz FAI_FLAGS=verbose,sshd,createvt,reboot FAI_CONFIG_SRC=nfs://faiserver/srv/fai/config root=/dev/nfs rw nfsroot=faiserver:/srv/fai/nfsroot,vers=3,nolock aufs rootovl ip=dhcp FAI_FLAGS=verbose,sshd,createvt initrd /boot/initrd.img } - menuentry "Autodiscover the FAI server" { set gfxpayload=$resolution - linux /boot/vmlinuz FAI_FLAGS="menu,verbose,createvt" fai.discover aufs rootovl root=/dev/nfs ip=dhcp quiet + linux /boot/vmlinuz FAI_FLAGS="menu,verbose,createvt,reboot" fai.discover aufs rootovl root=/dev/nfs ip=dhcp quiet initrd /boot/initrd.img } diff --git a/grub.cfg.netinst b/grub.cfg.netinst new file mode 100644 index 0000000..17d8e1f --- /dev/null +++ b/grub.cfg.netinst 
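Review bot: In the "FAI server via dns" entry the `linux` line now starts with `FAI_FLAGS=verbose,sshd,createvt,reboot` but still ends with a second `FAI_FLAGS=verbose,sshd,createvt`, and if the last assignment on the kernel command line wins, as is likely, the added `reboot` has no effect. Removing the trailing duplicate leaves one definition. The comment added above says a real CD or USB stick probably should not reboot, which contradicts adding `reboot` to both entries; a sentence stating which media this file is meant for would resolve that.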
@@ -0,0 +1,78 @@ +## grub2 configuration +set default="Netinstall" +set timeout=2 +set resolution=1024x768 + +if loadfont /boot/grub/unicode.pf2 ; then + insmod png + set gfxmode=640x480 + insmod gfxterm + insmod vbe + terminal_output gfxterm +fi + +if background_image /boot/grub/fai.png ; then + set color_normal=black/black + set color_highlight=red/black + set menu_color_normal=black/black + set menu_color_highlight=black/yellow +else + set menu_color_normal=white/black + set menu_color_highlight=black/yellow +fi + +# make sure we can access partitions +insmod part_msdos +insmod part_gpt + +if [ ${iso_path} ] ; then + set loopback="findiso=${iso_path}" +fi + +menuentry "" --unrestricted { + set gfxpayload=$resolution +} +menuentry " +------------------------------------------------------+" --unrestricted { + set gfxpayload=$resolution +} + +menuentry " | Fully Automatic Installation |" --unrestricted { + set gfxpayload=$resolution + +} +menuentry " | _VERSIONSTRING_ |" --unrestricted { + set gfxpayload=$resolution + +} +menuentry " | (c) Thomas Lange lange@debian.org |" --unrestricted { + set gfxpayload=$resolution +} +menuentry " +------------------------------------------------------+" --unrestricted { + set gfxpayload=$resolution +} +} +menuentry "" --unrestricted { + set gfxpayload=$resolution +} + +menuentry "Netinstall" { + set gfxpayload=$resolution + linux /boot/vmlinuz console=ttyS0,19200n8 FAI_FLAGS="verbose,sshd,createvt,reboot" FAI_ACTION=install FAI_CONFIG_SRC=file:///var/lib/fai/config rd.live.image root=live:CDLABEL=FAI_CD rd.neednet ip=dhcp quiet + initrd /boot/initrd.img +} + + +menuentry "Boot OS of first partition on first disk" --unrestricted { + if [ -d (cd) ]; then + chainloader (hd0)+1 + fi + + if [ "$root" = "hd1" ]; then + chainloader (hd0)+1 + fi + + if [ "$root" = "hd0" ]; then + set root=(hd1) + chainloader (hd1)+1 + fi +} diff --git a/grub.cfg.netinst-linode b/grub.cfg.netinst-linode new file mode 100644 index 0000000..92f1667 
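Review bot: After the closing banner `menuentry` there are two consecutive `}` lines, so the braces in this new file are unbalanced; the same extra brace is present in grub.cfg.netinst-linode and grub.cfg.sysinfo-linode. If it was inherited from a template it is worth confirming that GRUB still parses the entries that follow, otherwise remove the second `}`. The three new files differ only in the `linux` line of the Netinstall entry, so a comment at the top of each naming that difference would make them easier to keep in sync. `console=ttyS0,19200n8` in this non-Linode variant looks copied from the Linode serial setup.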
--- /dev/null +++ b/grub.cfg.netinst-linode @@ -0,0 +1,78 @@ +## grub2 configuration +set default="Netinstall" +set timeout=2 +set resolution=1024x768 + +if loadfont /boot/grub/unicode.pf2 ; then + insmod png + set gfxmode=640x480 + insmod gfxterm + insmod vbe + terminal_output gfxterm +fi + +if background_image /boot/grub/fai.png ; then + set color_normal=black/black + set color_highlight=red/black + set menu_color_normal=black/black + set menu_color_highlight=black/yellow +else + set menu_color_normal=white/black + set menu_color_highlight=black/yellow +fi + +# make sure we can access partitions +insmod part_msdos +insmod part_gpt + +if [ ${iso_path} ] ; then + set loopback="findiso=${iso_path}" +fi + +menuentry "" --unrestricted { + set gfxpayload=$resolution +} +menuentry " +------------------------------------------------------+" --unrestricted { + set gfxpayload=$resolution +} + +menuentry " | Fully Automatic Installation |" --unrestricted { + set gfxpayload=$resolution + +} +menuentry " | _VERSIONSTRING_ |" --unrestricted { + set gfxpayload=$resolution + +} +menuentry " | (c) Thomas Lange lange@debian.org |" --unrestricted { + set gfxpayload=$resolution +} +menuentry " +------------------------------------------------------+" --unrestricted { + set gfxpayload=$resolution +} +} +menuentry "" --unrestricted { + set gfxpayload=$resolution +} + +menuentry "Netinstall" { + set gfxpayload=$resolution + linux /boot/vmlinuz console=ttyS0,19200n8 FAI_FLAGS="verbose,sshd,createvt" FAI_ACTION=install FAI_CONFIG_SRC=file:///var/lib/fai/config rd.live.image root=live:CDLABEL=FAI_CD rd.neednet ip=dhcp quiet + initrd /boot/initrd.img +} + + +menuentry "Boot OS of first partition on first disk" --unrestricted { + if [ -d (cd) ]; then + chainloader (hd0)+1 + fi + + if [ "$root" = "hd1" ]; then + chainloader (hd0)+1 + fi + + if [ "$root" = "hd0" ]; then + set root=(hd1) + chainloader (hd1)+1 + fi +} 
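Review bot: `FAI_FLAGS="verbose,sshd,createvt"` on the Netinstall `linux` line starts an ssh daemon inside the install environment, and on a Linode that environment takes a public address via `ip=dhcp` while the config space on the CD holds the LUKS key directory. Unless the nfsroot was built with a changed `FAI_ROOTPW` or key-only root login, which this page does not show, that login is protected only by FAI's stock installer password. Dropping `sshd` from the Linode variants, or adding a comment beside the line stating how installer logins are restricted, would address it; the same flag is set in grub.cfg.netinst and grub.cfg.sysinfo-linode.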
diff --git a/grub.cfg.sysinfo-linode b/grub.cfg.sysinfo-linode
new file mode 100644
index 0000000..b5d1126
--- /dev/null
+++ b/grub.cfg.sysinfo-linode
@@ -0,0 +1,78 @@ +## grub2 configuration +set default="Netinstall" +set timeout=2 +set resolution=1024x768 + +if loadfont /boot/grub/unicode.pf2 ; then + insmod png + set gfxmode=640x480 + insmod gfxterm + insmod vbe + terminal_output gfxterm +fi + +if background_image /boot/grub/fai.png ; then + set color_normal=black/black + set color_highlight=red/black + set menu_color_normal=black/black + set menu_color_highlight=black/yellow +else + set menu_color_normal=white/black + set menu_color_highlight=black/yellow +fi + +# make sure we can access partitions +insmod part_msdos +insmod part_gpt + +if [ ${iso_path} ] ; then + set loopback="findiso=${iso_path}" +fi + +menuentry "" --unrestricted { + set gfxpayload=$resolution +} +menuentry " +------------------------------------------------------+" --unrestricted { + set gfxpayload=$resolution +} + +menuentry " | Fully Automatic Installation |" --unrestricted { + set gfxpayload=$resolution + +} +menuentry " | _VERSIONSTRING_ |" --unrestricted { + set gfxpayload=$resolution + +} +menuentry " | (c) Thomas Lange lange@debian.org |" --unrestricted { + set gfxpayload=$resolution +} +menuentry " +------------------------------------------------------+" --unrestricted { + set gfxpayload=$resolution +} +} +menuentry "" --unrestricted { + set gfxpayload=$resolution +} + +menuentry "Netinstall" { + set gfxpayload=$resolution + linux /boot/vmlinuz console=ttyS0,19200n8 FAI_FLAGS="verbose,sshd,createvt" FAI_ACTION=sysinfo FAI_CONFIG_SRC=file:///var/lib/fai/config rd.live.image root=live:CDLABEL=FAI_CD rd.neednet ip=dhcp quiet + initrd /boot/initrd.img +} + + +menuentry "Boot OS of first partition on first disk" --unrestricted { + if [ -d (cd) ]; then + chainloader (hd0)+1 + fi + + if [ "$root" = "hd1" ]; then + chainloader (hd0)+1 + fi + + if [ "$root" = "hd0" ]; then + set root=(hd1) + chainloader (hd1)+1 + fi +} diff --git a/myfai-chboot-local b/myfai-chboot-local index d8d4846..3ecc7d1 100755 --- a/myfai-chboot-local 
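Review bot: The default entry is still titled "Netinstall" although its `linux` line sets `FAI_ACTION=sysinfo`, so the menu and the serial log will claim an install is starting when only system information is collected. Renaming it keeps the two images distinguishable: `set default="Sysinfo"` and `menuentry "Sysinfo" {`. Anyone comparing this file with grub.cfg.netinst-linode would otherwise have to read the kernel arguments to tell a destructive boot from a harmless one.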
+++ b/myfai-chboot-local @@ -84,7 +84,7 @@ if modprobe nfsd &>/dev/null; then if [[ -w /etc/exports ]]; then sed -ri --follow-symlinks '\%^/srv/fai/%d' /etc/exports cat >>/etc/exports <