diff --git a/configure.md b/configure.md
new file mode 100644
index 0000000..1afc83a
--- /dev/null
+++ b/configure.md
@@ -0,0 +1,34 @@
+# configure.sh — First-time setup wizard
+
+Run `system_setup/configure.sh` as a **normal user** (not root) on the machine that has the OEMDRV partition mounted. It guides you through all site-specific settings, tests the configuration, and leaves the system ready for a Fedora installation.
+
+```bash
+bash /opt/sys_config/system_setup/configure.sh
+```
+
+## What it does
+
+1. **Edits configuration values** — prompts for each setting below. Press Enter to keep the shown default, or type a new value. Derived values (e.g. `SERVERFQDN_IPA`) are updated immediately when you change `TLDOMAIN`, so subsequent prompts always reflect your latest input.
+
+ | Variable | Description |
+ |---|---|
+ | `TLDOMAIN` | Top-level domain of your infrastructure (e.g. `company.tld`) |
+ | `SERVERFQDN_IPA` | FQDN of the FreeIPA server (default: `ipa.`) |
+ | `SERVERFQDN_NC` | FQDN of the Nextcloud server (default: `nextcloud.`) |
+ | `CLIENTADMINGROUP` | IPA group that receives sudo rights on clients |
+ | `DECRYPTEDDATADIR` | Mount point for the decrypted user data directory |
+ | `ENCRYPTEDDATADIR` | Path of the gocryptfs-encrypted data directory |
+ | `IPAVAULTUSE` | `true` to use IPA KRA vault for the encryption key, `false` to disable encryption |
+ | `IPAVAULTNAME` | Name of the IPA vault entry (default: `CLIENT_FILEENCRYPTION_`) |
+
+2. **Confirms the FQDN** — shows the computed `FQDN` (`.clients.`) and lets you override the hostname part if needed.
+
+3. **Tests the encrypted home mount** — runs `mount_ecrypt_home.sh`. On failure you can restart the wizard or quit.
+
+4. **Obtains a Nextcloud WebDAV token** — calls `get_nc_token`, which opens Firefox for login. Verifies that the returned token belongs to the current user. You can retry or quit on failure.
+
+5. On success, the written config file `config.d/configure.conf` is picked up automatically by all other scripts instead of `config/setup_system.conf`.
+
+## After the wizard completes
+
+Boot the target machine from the Fedora USB installer. Anaconda detects the OEMDRV partition and runs the Kickstart automatically.
diff --git a/system_setup/configure.sh b/system_setup/configure.sh
new file mode 100755
index 0000000..5e4bf6b
--- /dev/null
+++ b/system_setup/configure.sh
@@ -0,0 +1,163 @@
+#!/usr/bin/env bash
+# configure.sh - Interactive first-time configuration wizard
+#
+# SPDX-FileCopyrightText: Daniel Pätzold
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+SCRIPTDIR="$(cd "$(dirname "$0")" && pwd)"
+CONF_DIST="${SCRIPTDIR}/../config/setup_system.conf.dist"
+CONF_FILE="${SCRIPTDIR}/../config.d/configure.conf"
+
+if [[ "$EUID" -eq 0 ]]; then
+ echo "ERROR: This script must not be run as root." >&2
+ exit 1
+fi
+
+# Prompt for a single value; returns the old value unchanged if the user presses Enter.
+prompt_value() {
+ local name="$1" current="$2" new_val
+ printf ' %-28s [%s]: ' "$name" "$current" >&2
+ read -r new_val
+ printf '%s' "${new_val:-$current}"
+}
+
+# Replace the first matching simple export line in configure.conf.
+set_conf_var() {
+ local varname="$1" value="$2"
+ sed -i "s|^[[:space:]]*export ${varname}=.*|export ${varname}=\"${value}\"|" "$CONF_FILE"
+}
+
+# Update an existing bare "export VAR=…" line at the top level, or append one.
+override_conf_var() {
+ local varname="$1" value="$2"
+ if grep -q "^export ${varname}=" "$CONF_FILE"; then
+ sed -i "s|^export ${varname}=.*|export ${varname}=\"${value}\"|" "$CONF_FILE"
+ else
+ printf 'export %s="%s"\n' "$varname" "$value" >> "$CONF_FILE"
+ fi
+}
+
+do_configure() {
+ mkdir -p "$(dirname "$CONF_FILE")"
+ cp "$CONF_DIST" "$CONF_FILE"
+
+ # Source the dist defaults (unset computed vars first so they are re-evaluated).
+ unset TLDOMAIN DOMAIN SERVERFQDN_IPA SERVERFQDN_NC CLIENTADMINGROUP \
+ DECRYPTEDDATADIR ENCRYPTEDDATADIR IPAVAULTUSE IPAVAULTNAME HOSTNM FQDN
+ # shellcheck disable=SC1090
+ source "$CONF_FILE"
+
+ echo ""
+ echo "=== System Configuration ==="
+ echo "Press Enter to keep the current value, or type a new one."
+ echo ""
+
+ new_TLDOMAIN=$(prompt_value "TLDOMAIN" "$TLDOMAIN")
+ TLDOMAIN="$new_TLDOMAIN"
+ DOMAIN="clients.${TLDOMAIN}"
+ SERVERFQDN_IPA="ipa.${TLDOMAIN}"
+ SERVERFQDN_NC="nextcloud.${TLDOMAIN}"
+
+ new_SERVERFQDN_IPA=$(prompt_value "SERVERFQDN_IPA" "$SERVERFQDN_IPA")
+ SERVERFQDN_IPA="$new_SERVERFQDN_IPA"
+
+ new_SERVERFQDN_NC=$(prompt_value "SERVERFQDN_NC" "$SERVERFQDN_NC")
+ SERVERFQDN_NC="$new_SERVERFQDN_NC"
+
+ new_CLIENTADMINGROUP=$(prompt_value "CLIENTADMINGROUP" "$CLIENTADMINGROUP")
+ CLIENTADMINGROUP="$new_CLIENTADMINGROUP"
+
+ new_DECRYPTEDDATADIR=$(prompt_value "DECRYPTEDDATADIR" "$DECRYPTEDDATADIR")
+ DECRYPTEDDATADIR="$new_DECRYPTEDDATADIR"
+
+ new_ENCRYPTEDDATADIR=$(prompt_value "ENCRYPTEDDATADIR" "$ENCRYPTEDDATADIR")
+ ENCRYPTEDDATADIR="$new_ENCRYPTEDDATADIR"
+
+ new_IPAVAULTUSE=$(prompt_value "IPAVAULTUSE" "$IPAVAULTUSE")
+ IPAVAULTUSE="$new_IPAVAULTUSE"
+
+ new_IPAVAULTNAME=$(prompt_value "IPAVAULTNAME" "$IPAVAULTNAME")
+ IPAVAULTNAME="$new_IPAVAULTNAME"
+
+ set_conf_var "TLDOMAIN" "$new_TLDOMAIN"
+ set_conf_var "SERVERFQDN_IPA" "$new_SERVERFQDN_IPA"
+ set_conf_var "SERVERFQDN_NC" "$new_SERVERFQDN_NC"
+ set_conf_var "CLIENTADMINGROUP" "$new_CLIENTADMINGROUP"
+ set_conf_var "DECRYPTEDDATADIR" "$new_DECRYPTEDDATADIR"
+ set_conf_var "ENCRYPTEDDATADIR" "$new_ENCRYPTEDDATADIR"
+ set_conf_var "IPAVAULTUSE" "$new_IPAVAULTUSE"
+ # IPAVAULTNAME uses computed concatenation in the dist file; override at top level.
+ override_conf_var "IPAVAULTNAME" "$new_IPAVAULTNAME"
+
+ # Re-source with the updated TLDOMAIN so DOMAIN and FQDN are recomputed correctly.
+ unset DOMAIN HOSTNM FQDN
+ source "$CONF_FILE"
+
+ echo ""
+ echo "Computed FQDN: ${FQDN}"
+ read -rp "Is this correct? [Y/n]: " ans
+ if [[ "${ans,,}" == "n" ]]; then
+ read -rp " Enter desired hostname (HOSTNM) [${HOSTNM}]: " new_HOSTNM
+ new_HOSTNM="${new_HOSTNM:-$HOSTNM}"
+ override_conf_var "HOSTNM" "$new_HOSTNM"
+ # Also pin FQDN so it stays correct regardless of eval order.
+ override_conf_var "FQDN" "${new_HOSTNM}.clients.${new_TLDOMAIN}"
+ echo " Updated FQDN: ${new_HOSTNM}.clients.${new_TLDOMAIN}"
+ fi
+
+ echo ""
+ echo "Configuration written to: ${CONF_FILE}"
+}
+
+while true; do
+ do_configure
+
+ # Load setup_system.inc.sh (which re-sources configure.conf and defines all functions).
+ # shellcheck disable=SC1090
+ source "${SCRIPTDIR}/setup_system.inc.sh"
+
+ echo ""
+ echo "=== Testing: mounting encrypted home directory ==="
+ bash "${SCRIPTDIR}/mount_ecrypt_home.sh"
+ if [[ $? -ne 0 ]]; then
+ echo ""
+ echo "mount_ecrypt_home.sh reported an error."
+ read -rp "Start configuration again (a) or quit (q)? [a/q]: " ans
+ if [[ "${ans,,}" == "q" ]]; then
+ echo "Quitting."
+ exit 1
+ fi
+ echo ""
+ continue
+ fi
+
+ echo ""
+ echo "=== Testing: obtaining Nextcloud WebDAV token ==="
+ while true; do
+ get_nc_token
+ current_user="$(id -un)"
+ if [[ "${DAVTOKEN_USER}" == "${current_user}" ]]; then
+ echo "Token obtained successfully for user '${DAVTOKEN_USER}'."
+ break
+ fi
+ echo ""
+ if [[ -z "${DAVTOKEN_USER}" ]]; then
+ echo "Token could not be obtained (DAVTOKEN_USER is empty)."
+ else
+ echo "Token user '${DAVTOKEN_USER}' does not match current user '${current_user}'."
+ fi
+ read -rp "Retry get_nc_token (r) or quit (q)? [r/q]: " ans
+ if [[ "${ans,,}" == "q" ]]; then
+ echo "Quitting."
+ exit 1
+ fi
+ done
+
+ echo ""
+ echo "=== Configuration complete ==="
+ echo "All values have been configured and verified successfully."
+ echo "The system is now ready for the new installation."
+ echo "Boot from the Fedora USB installer — Anaconda will detect the OEMDRV partition"
+ echo "and run the Kickstart automatically."
+ exit 0
+done
diff --git a/system_setup/install.sh b/system_setup/install.sh
index 6496b26..c81a501 100755
--- a/system_setup/install.sh
+++ b/system_setup/install.sh
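Review bot: `set_conf_var` and `override_conf_var` splice the user-typed `value` unescaped into a `sed` replacement and into a double-quoted `export` line of a file that `do_configure` then `source`s (twice, plus again via `setup_system.inc.sh`), so a value containing `|`, `&`, `\`, `"`, `$` or a backtick either corrupts the sed expression or is expanded and executed when the config is sourced. Every value passes through `prompt_value`, so the least invasive fix is to validate there and re-prompt, as below; if `$VAR` references are meant to stay dynamic inside `configure.conf`, that needs a deliberate quoting scheme rather than passing the raw string through. The script also sets no `set -e` and does not check `cp "$CONF_DIST" "$CONF_FILE"` or the `source` calls, so a missing dist file leaves the wizard prompting with empty defaults and writing a broken config — `cp -- "$CONF_DIST" "$CONF_FILE" || { echo "ERROR: cannot read ${CONF_DIST}" >&2; exit 1; }`. Minor style: `bash "${SCRIPTDIR}/mount_ecrypt_home.sh"` followed by `if [[ $? -ne 0 ]]` reads more directly as `if ! bash "${SCRIPTDIR}/mount_ecrypt_home.sh"; then`.
```shell
prompt_value() {
  local name="$1" current="$2" new_val
  # Characters that would break the sed replacement in set_conf_var/override_conf_var
  # or be expanded when configure.conf is source'd.
  local unsafe='["$`\\|&]'
  while :; do
    printf ' %-28s [%s]: ' "$name" "$current" >&2
    read -r new_val
    new_val="${new_val:-$current}"
    if [[ "$new_val" =~ $unsafe ]]; then
      printf '  Value may not contain " $ ` \\ | or &; please re-enter.\n' >&2
      continue
    fi
    printf '%s' "$new_val"
    return 0
  done
}
```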
@@ -440,9 +440,26 @@ echo echo " OEMDRV device : $OEMDRV_DEV" echo " Mounted at : $MOUNT_POINT" echo -echo "Next steps:" -echo " 1. cp $MOUNT_POINT/config/setup_system.conf.dist \\" -echo " $MOUNT_POINT/config/setup_system.conf" -echo " 2. Edit setup_system.conf with your domain, IPA/Nextcloud FQDNs, and paths." -echo " 3. Boot the Kickstart installer — it will detect the OEMDRV partition automatically." + +# ── Optionally run configure.sh ─────────────────────────────────────────────── + +CONF_SCRIPT="$MOUNT_POINT/system_setup/configure.sh" + echo +read -r -p "Run configure.sh now to set up your environment? [y/N]: " RUN_CONF +if [[ "${RUN_CONF,,}" == "y" ]]; then + if [[ -n "$SUDO_USER" ]]; then + info "Running configure.sh as user '$SUDO_USER'..." + su - "$SUDO_USER" -c "bash '$CONF_SCRIPT'" + else + echo + echo "configure.sh must be run as a non-root user. Please run:" + echo " bash $CONF_SCRIPT" + fi +else + echo + echo "Next steps:" + echo " 1. Run: bash $CONF_SCRIPT" + echo " 2. Boot the Kickstart installer — it will detect the OEMDRV partition automatically." + echo +fi
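Review bot: The exit status of `su - "$SUDO_USER" -c "bash '$CONF_SCRIPT'"` is never checked, so when configure.sh ends with `exit 1` (the user chose quit, or its mount/token test failed) install.sh carries on and finishes without indicating that configuration is incomplete; at minimum `su - "$SUDO_USER" -c "bash '$CONF_SCRIPT'" || { echo "configure.sh did not complete; run it manually: bash $CONF_SCRIPT" >&2; exit 1; }`. The same line builds a shell command string around `$CONF_SCRIPT`, which is derived from `$MOUNT_POINT` (assigned outside this hunk), so a mount point containing a single quote breaks the command; passing the path as an argument, e.g. `sudo -i -u "$SUDO_USER" bash "$CONF_SCRIPT"` (install.sh already runs under sudo, as the `SUDO_USER` test shows), avoids string building entirely. `[[ -n "$SUDO_USER" ]]` does not exclude `SUDO_USER=root` (sudo invoked from a root shell), in which case configure.sh's own root guard will just exit — `[[ -n "$SUDO_USER" && "$SUDO_USER" != root ]]` routes that case to the manual-run message instead. Since configure.sh's token step opens a browser, a fresh `su -` login environment may lack the invoking session's display variables; worth confirming on a real install before relying on this path.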