From 70b26facc8d3aa4e4c46c87201d99fa727e749e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Wed, 29 Apr 2026 11:58:36 +0200 Subject: [PATCH 01/14] Updated ks base-profiles --- CLAUDE.md | 1 - ks_base_profiles/kde_fullsetup.cfg | 105 ++++++++++++++++++++++++----- ks_base_profiles/minimal_setup.cfg | 50 -------------- ks_pc_prof/pc-9cdb93ef7c20.cfg | 1 - 4 files changed, 87 insertions(+), 70 deletions(-) delete mode 100644 ks_base_profiles/minimal_setup.cfg delete mode 100644 ks_pc_prof/pc-9cdb93ef7c20.cfg diff --git a/CLAUDE.md b/CLAUDE.md index c8e2d80..3bdc345 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -70,7 +70,6 @@ ${CLIENT_SOFTWARE_DST}/install.sh 0010_kwallet - `ks.cfg` — the primary kickstart used for production installs (Fedora 43, KDE, x86_64, German locale/keyboard) - `ks_base_profiles/kde_fullsetup.cfg` — an alternate/reference profile generated by Anaconda -- `ks_base_profiles/minimal_setup.cfg`, `part_sda.cfg` — additional profile fragments - `ks_pc_prof/` — per-machine kickstart overrides, named by system UUID suffix (e.g. `pc-9cdb93ef7c20.cfg`) ## Sudo rule required for logon_script diff --git a/ks_base_profiles/kde_fullsetup.cfg b/ks_base_profiles/kde_fullsetup.cfg index 21445f6..1006d75 100644 --- a/ks_base_profiles/kde_fullsetup.cfg +++ b/ks_base_profiles/kde_fullsetup.cfg 
@@ -1,47 +1,116 @@ -# Generated by Anaconda 43.44 +#Basic settings: +graphical +text -%pre -/bin/sh /mnt/tmp/ks_base_profiles/basic_pre_script.inc -%end +# Configure installation method +url --mirrorlist="https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64" +repo --name=fedora-updates --mirrorlist="https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64" --cost=0 +repo --name=fedora-cisco-openh264 --mirrorlist="https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-cisco-openh264-43&arch=x86_64" --install +repo --name=rpmfusion-free --mirrorlist="https://mirrors.rpmfusion.org/mirrorlist?repo=free-fedora-43&arch=x86_64" +repo --name=rpmfusion-free-updates --mirrorlist="https://mirrors.rpmfusion.org/mirrorlist?repo=free-fedora-updates-released-43&arch=x86_64" --cost=0 +repo --name=rpmfusion-nonfree --mirrorlist="https://mirrors.rpmfusion.org/mirrorlist?repo=nonfree-fedora-43&arch=x86_64" +repo --name=rpmfusion-nonfree-updates --mirrorlist="https://mirrors.rpmfusion.org/mirrorlist?repo=nonfree-fedora-updates-released-43&arch=x86_64" --cost=0 # Keyboard layouts keyboard --vckeymap=de-nodeadkeys --xlayouts='de (nodeadkeys)' # System language lang de_DE.UTF-8 +# System timezone +timezone Europe/Berlin --utc + +%pre --log=/root/ks-pre.log +mkdir /mnt/anaconda_pre +mount -L OEMDRV /mnt/anaconda_pre +/bin/sh /mnt/anaconda_pre/ks_base_profiles/basic_pre_script.inc +%end %packages @^kde-desktop-environment +@core @admin-tools -@development-tools @domain-client -@editors -@firefox -@kde-apps -@kde-desktop +@system-tools @kde-media @kde-spin-initial-setup @libreoffice @office @sound-and-video -@system-tools +libva-utils +libavcodec-freeworld +mesa-va-drivers-freeworld +ffmpeg @vlc - +python-vlc +#@development-tools +#@editors +@firefox +thunderbird +openssh-server +bash +sudo +gocryptfs +htop +mc +mediawriter +python-pip +pykickstart +xrdp +xorgxrdp +libxcb-doc +plasma-workspace-x11 +xterm +wmctrl +flatpak +btrfs-assistant +btrbk 
+ktorrent +cadaver +kdevelop +git +diffuse +remmina +android-tools +-kpat +-kmines +#Annoying plasmoids +-kdeplasma-addons +#Search - Powerful, but slow +-akonadi-server +-akonadi-server-mysql +-dragon +-kdeconnectd +-kde-connect +-samba +-samba-client +-samba-usershares +-BackupPC +#Needed by SSSD +oddjob-mkhomedir +nss-pam-ldapd %end # System authorization information authselect enable-feature with-fingerprint -# Run the Setup Agent on first boot -firstboot --enable -timesource --ntp-server=_gateway -# System timezone -timezone Europe/Berlin --utc +# Generated using Blivet version 3.12.1 +ignoredisk --only-use=sda +# Partition clearing information +#clearpart --none --initlabel +clearpart --none +autopart --type=btrfs # Root password # This Password is completely unknown to anyone. After installation, the PC should be Member of Domain and the users may use sudo to become superuser. rootpw --iscrypted $y$j9T$jpKVkxaFqL6GH6GAgB0Yb/$oc.rfZgnHNlTAIj/boJeI.ZFf1QHvMF7fymZww9bzE3 +#user --name=none -%post -/bin/sh /mnt/tmp/system_setup/setup_system_full.sh install +# Do not run the Setup Agent on first boot because it will complain about missing user account which we dont want +firstboot --disable + +%post --log=/root/ks-post.log +mkdir /opt/sys_config +mount -L OEMDRV /opt/sys_config +/bin/sh /opt/sys_config/system_setup/setup_system_full.sh install +umount /opt/sys_config %end diff --git a/ks_base_profiles/minimal_setup.cfg b/ks_base_profiles/minimal_setup.cfg deleted file mode 100644 index ab8e1e3..0000000 --- a/ks_base_profiles/minimal_setup.cfg +++ /dev/null 
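Review bot: The new `rootpw --iscrypted $y$...` line commits a usable root password hash to a repository that install.sh later clones over the network, so the comment's claim that the password is "completely unknown to anyone" holds only as long as nobody runs an offline guess against the published hash; if root is never meant to log in, `rootpw --lock` (optionally together with a hash generated outside the repository) states that without publishing anything, and the identical line is repeated in ks_base_profiles/cinnamon_fullsetup.cfg in PATCH 04. The new `%pre` and `%post` sections run `mkdir` and `mount -L OEMDRV` without checking either result, so when the label is not found `/bin/sh` is pointed at a path that does not exist and the installation continues as if the setup had run. Adding `--erroronfail` to both section headers and `mount -L OEMDRV /mnt/anaconda_pre || exit 1` (same for `/opt/sys_config` in `%post`) makes a missing OEMDRV partition stop the install instead of producing a half-configured system; this applies to the cinnamon profile as well.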
@@ -1,50 +0,0 @@ -# Generated by Anaconda 43.44 -# Keyboard layouts -keyboard --vckeymap=de-nodeadkeys --xlayouts='de (nodeadkeys)' -# System language -lang de_DE.UTF-8 - -%packages -@^kde-desktop-environment -@admin-tools -@development-tools -@domain-client -@editors -@firefox -@kde-apps -@kde-desktop -@kde-media -@kde-spin-initial-setup -@libreoffice -@office -@sound-and-video -@system-tools -@vlc - -%end - -# System authorization information -authselect enable-feature with-fingerprint - -# Run the Setup Agent on first boot -firstboot --enable - -# Generated using Blivet version 3.12.1 -ignoredisk --only-use=nvme0n1 -# Partition clearing information -clearpart --none --initlabel -# Disk partitioning information -part /boot/efi --fstype="efi" --ondisk=nvme0n1 --size=600 --fsoptions="umask=0077,shortname=winnt" -part /sys_config --fstype="ext4" --noformat --onpart=UUID=3f9837da-5a46-4da1-a98b-62a8899e63cb --label=OEMDRV -part /boot --fstype="ext4" --ondisk=nvme0n1 --size=2048 -part btrfs.115 --fstype="btrfs" --ondisk=nvme0n1 --size=485249 -btrfs none --label=fedora_fedora btrfs.115 -btrfs / --subvol --name=root LABEL=fedora_fedora -btrfs /home --subvol --name=home LABEL=fedora_fedora - -timesource --ntp-server=_gateway -# System timezone -timezone Europe/Berlin --utc - -# Root password -rootpw --iscrypted $y$j9T$SYQgSGCnU.FUaT7BKMEI9TKz$nLPf1uHlzpoBCmEndvVRK2FnY67wUY2TyxiMUIufH7A \ No newline at end of file diff --git a/ks_pc_prof/pc-9cdb93ef7c20.cfg b/ks_pc_prof/pc-9cdb93ef7c20.cfg deleted file mode 100644 index 9f0cc95..0000000 --- a/ks_pc_prof/pc-9cdb93ef7c20.cfg +++ /dev/null @@ -1 +0,0 @@ -%include ../ks_base_profiles/kde_fullsetup.cfg From 99d5799581262c05f75ad1704617d4066d77da3e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Wed, 29 Apr 2026 12:05:15 +0200 Subject: [PATCH 02/14] Gitignore +ks_pc_prof --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 1fcc764..3fcf0fc 100644 
--- a/.gitignore +++ b/.gitignore @@ -9,3 +9,4 @@ config/skel.tar.zst config/.sync_*.db config/.sync_*.db config.d/*.conf +ks_pc_prof/* From 3df883dc63d5ce4299cd8d56ae62c670ccff2ef8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Wed, 29 Apr 2026 13:14:33 +0200 Subject: [PATCH 03/14] Make use of config.d/configure.conf file for first setup --- system_setup/setup_system.inc.sh | 24 ++++++++++++++++-------- system_setup/sync_client_software.sh | 18 ++++++++++++++++++ 2 files changed, 34 insertions(+), 8 deletions(-) diff --git a/system_setup/setup_system.inc.sh b/system_setup/setup_system.inc.sh index 777a9b5..98c0137 100755 --- a/system_setup/setup_system.inc.sh +++ b/system_setup/setup_system.inc.sh 
@@ -15,15 +15,23 @@ # fi # return 0 #} -if [ ! -f $(dirname "$0")/../config/setup_system.conf ]; then - echo "System configuration not found. Please make a copy of setup_system.conf.dist, name it setup_system.conf and check the settings in it before running." - echo "Press any key to continue" && read -n 1 -s -r && exit 1 -fi -source $(dirname "$0")/../config/setup_system.conf -#Parse additional client-configs -if [[ `ls -1 $(dirname "$0")/../config.d/*.conf 2>/dev/null | wc -l ` -gt 0 ]]; then - source $(dirname "$0")/../config.d/*.conf +#Check for configure.conf - used for frist setup of system +if [[ -f $(dirname "$0")/../config.d/configure.conf ]]; then + echo "System in configure-mode. Will use $(dirname "$0")/../config.d/configure.conf for setup." + source $(dirname "$0")/../config.d/configure.conf +else + #Load default system setup file + if [[ ! -f $(dirname "$0")/../config/setup_system.conf ]]; then + echo "System configuration not found. Please make a copy of setup_system.conf.dist, name it setup_system.conf and check the settings in it before running." + echo "Press any key to continue" && read -n 1 -s -r && exit 1 + fi + source $(dirname "$0")/../config/setup_system.conf + + #Parse additional client-configs + if [[ `ls -1 $(dirname "$0")/../config.d/*.conf 2>/dev/null | wc -l ` -gt 0 ]]; then + source $(dirname "$0")/../config.d/*.conf + fi fi #Check if the Data- Directory is encrypted diff --git a/system_setup/sync_client_software.sh b/system_setup/sync_client_software.sh index 968bc2f..d5921f4 100755 --- a/system_setup/sync_client_software.sh +++ b/system_setup/sync_client_software.sh 
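Review bot: The re-indented `source $(dirname "$0")/../config.d/*.conf` in the else-branch sources only the first file the glob expands to, because bash passes any further words after the filename to `source` as positional parameters rather than as additional files, so a second override in config.d is silently ignored and the `ls | wc -l` guard spends two processes to reach that result. A loop handles any number of files and the no-match case: `for f in "$(dirname "$0")"/../config.d/*.conf; do [[ -e "$f" ]] && source "$f"; done`. Every path in the new configure-mode branch uses an unquoted `$(dirname "$0")`, so a checkout under a directory with a space breaks the `-f` tests; `"$(dirname "$0")/../config.d/configure.conf"` is the quoted form. "frist" in the new comment should read "first". The script's remaining body continues outside the hunk.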
@@ -72,6 +72,24 @@ if [[ ! -z "${DISTCONFIGPATH_SRC}" ]]; then fi echo "Sucessfully synced." echo "" + + # Check, if we are in configure-mode and if so, remove the file and reread the now new synced configuration + if [ -f $(dirname "$0")/../config.d/configure.conf ]; then + #Check if configuration was obtained by sync + if [ -f $(dirname "$0")/../config/setup_system.conf ]; then + echo "Existing configuration found in Repository, removing configure-mode and reread the configuration." + rm -f $(dirname "$0")/../config.d/configure.conf.bak >/dev/null + mv $(dirname "$0")/../config.d/configure.conf $(dirname "$0")/../config.d/configure.conf.bak + source $(dirname "$0")/../config/setup_system.conf + else + echo "System is in configure-mode and configuration repository was found and synced, but still not configuration was found" + echo "checking file $(dirname "$0")/../config/setup_system.conf" + echo "" + echo "Please make a inital copy of config/setup_system.conf.dist to config/setup_system.conf and check all settings there." + echo "Then rerun the logon script to sync the file to your repository." + echo "Press any key to continue" && read -n 1 -s -r && exit 1 + fi + fi fi #Check if Repository is defined if [ "${CLIENT_SOFTWARE_DST}." == "." ]; then From 3eee476fc41b2f2953648ccd91ab3571b5ba0b0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Wed, 29 Apr 2026 13:29:52 +0200 Subject: [PATCH 04/14] Add Cinnamon kickstart profile based on KDE fullsetup Replaces KDE desktop environment group and KDE-specific packages with Cinnamon equivalents (transmission-gtk replaces ktorrent). Co-Authored-By: Claude Sonnet 4.6 --- ks_base_profiles/cinnamon_fullsetup.cfg | 102 ++++++++++++++++++++++++ 1 file changed, 102 insertions(+) create mode 100644 ks_base_profiles/cinnamon_fullsetup.cfg diff --git a/ks_base_profiles/cinnamon_fullsetup.cfg b/ks_base_profiles/cinnamon_fullsetup.cfg new file mode 100644 index 0000000..5b2eeca --- /dev/null 
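Review bot: When the new block leaves configure-mode it sources only `config/setup_system.conf`, whereas the normal load path in setup_system.inc.sh (PATCH 03) additionally sources `config.d/*.conf`, so if an override file arrived with the sync this run continues with a different variable set than the next one will use; either repeat the same loading sequence here or say in a comment that a re-run is expected. The renamed `configure.conf.bak` keeps the site values next to the live overrides; it is not matched by the `*.conf` glob, which is presumably why the rename works, and nothing visible removes it later. The message `still not configuration was found` reads better as `still no configuration was found`. The enclosing `if [[ ! -z "${DISTCONFIGPATH_SRC}" ]]` starts outside the hunk.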
+++ b/ks_base_profiles/cinnamon_fullsetup.cfg 
@@ -0,0 +1,102 @@ +#Basic settings: +graphical +text + +# Configure installation method +url --mirrorlist="https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64" +repo --name=fedora-updates --mirrorlist="https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64" --cost=0 +repo --name=fedora-cisco-openh264 --mirrorlist="https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-cisco-openh264-43&arch=x86_64" --install +repo --name=rpmfusion-free --mirrorlist="https://mirrors.rpmfusion.org/mirrorlist?repo=free-fedora-43&arch=x86_64" +repo --name=rpmfusion-free-updates --mirrorlist="https://mirrors.rpmfusion.org/mirrorlist?repo=free-fedora-updates-released-43&arch=x86_64" --cost=0 +repo --name=rpmfusion-nonfree --mirrorlist="https://mirrors.rpmfusion.org/mirrorlist?repo=nonfree-fedora-43&arch=x86_64" +repo --name=rpmfusion-nonfree-updates --mirrorlist="https://mirrors.rpmfusion.org/mirrorlist?repo=nonfree-fedora-updates-released-43&arch=x86_64" --cost=0 + +# Keyboard layouts +keyboard --vckeymap=de-nodeadkeys --xlayouts='de (nodeadkeys)' +# System language +lang de_DE.UTF-8 +# System timezone +timezone Europe/Berlin --utc + +%pre --log=/root/ks-pre.log +mkdir /mnt/anaconda_pre +mount -L OEMDRV /mnt/anaconda_pre +/bin/sh /mnt/anaconda_pre/ks_base_profiles/basic_pre_script.inc +%end + +%packages +@^cinnamon-desktop-environment +@core +@admin-tools +@domain-client +@system-tools +@libreoffice +@office +@sound-and-video +libva-utils +libavcodec-freeworld +mesa-va-drivers-freeworld +ffmpeg +@vlc +python-vlc +#@development-tools +#@editors +@firefox +thunderbird +openssh-server +bash +sudo +gocryptfs +htop +mc +mediawriter +python-pip +pykickstart +xrdp +xorgxrdp +libxcb-doc +xterm +wmctrl +flatpak +btrfs-assistant +btrbk +transmission-gtk +cadaver +git +diffuse +remmina +android-tools +-samba +-samba-client +-samba-usershares +-BackupPC +#Needed by SSSD +oddjob-mkhomedir +nss-pam-ldapd +%end + +# System authorization information 
+authselect enable-feature with-fingerprint + + +# Generated using Blivet version 3.12.1 +ignoredisk --only-use=sda +# Partition clearing information +#clearpart --none --initlabel +clearpart --none +autopart --type=btrfs + +# Root password +# This Password is completely unknown to anyone. After installation, the PC should be Member of Domain and the users may use sudo to become superuser. +rootpw --iscrypted $y$j9T$jpKVkxaFqL6GH6GAgB0Yb/$oc.rfZgnHNlTAIj/boJeI.ZFf1QHvMF7fymZww9bzE3 +#user --name=none + +# Do not run the Setup Agent on first boot because it will complain about missing user account which we dont want +firstboot --disable + +%post --log=/root/ks-post.log +mkdir /opt/sys_config +mount -L OEMDRV /opt/sys_config +/bin/sh /opt/sys_config/system_setup/setup_system_full.sh install +umount /opt/sys_config +%end From 05a47a140dd8e5798713e24badd817fbda1c1ebc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Wed, 29 Apr 2026 14:12:11 +0200 Subject: [PATCH 05/14] Add configure.sh wizard and offer to run it after install - system_setup/configure.sh: interactive first-time setup wizard that edits config.d/configure.conf, tests the encrypted home mount, and obtains a Nextcloud WebDAV token - configure.md: short usage documentation for configure.sh - system_setup/install.sh: after cloning the repo, ask whether to run configure.sh immediately (as the sudo-invoking user via su) Co-Authored-By: Claude Sonnet 4.6 --- configure.md | 34 ++++++++ system_setup/configure.sh | 163 ++++++++++++++++++++++++++++++++++++++ system_setup/install.sh | 27 +++++-- 3 files changed, 219 insertions(+), 5 deletions(-) create mode 100644 configure.md create mode 100755 system_setup/configure.sh diff --git a/configure.md b/configure.md new file mode 100644 index 0000000..1afc83a --- /dev/null +++ b/configure.md 
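Review bot: Apart from the desktop-environment group and a handful of package lines, this 102-line file repeats ks_base_profiles/kde_fullsetup.cfg verbatim, including the repository list, `%pre`, partitioning, `rootpw` and `%post`, so every later change to the shared part has to be made twice. Kickstart supports `%include`, which the repository already uses (the deleted `ks_pc_prof/pc-9cdb93ef7c20.cfg` consisted of exactly one such line), so the shared settings could live in one fragment pulled in by both profiles, leaving each profile with its desktop-specific lines. Failing that, a header comment stating that the file is derived from kde_fullsetup.cfg and which lines differ would at least make the duplication visible to the next editor.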
@@ -0,0 +1,34 @@ +# configure.sh — First-time setup wizard + +Run `system_setup/configure.sh` as a **normal user** (not root) on the machine that has the OEMDRV partition mounted. It guides you through all site-specific settings, tests the configuration, and leaves the system ready for a Fedora installation. + +```bash +bash /opt/sys_config/system_setup/configure.sh +``` + +## What it does + +1. **Edits configuration values** — prompts for each setting below. Press Enter to keep the shown default, or type a new value. Derived values (e.g. `SERVERFQDN_IPA`) are updated immediately when you change `TLDOMAIN`, so subsequent prompts always reflect your latest input. + + | Variable | Description | + |---|---| + | `TLDOMAIN` | Top-level domain of your infrastructure (e.g. `company.tld`) | + | `SERVERFQDN_IPA` | FQDN of the FreeIPA server (default: `ipa.`) | + | `SERVERFQDN_NC` | FQDN of the Nextcloud server (default: `nextcloud.`) | + | `CLIENTADMINGROUP` | IPA group that receives sudo rights on clients | + | `DECRYPTEDDATADIR` | Mount point for the decrypted user data directory | + | `ENCRYPTEDDATADIR` | Path of the gocryptfs-encrypted data directory | + | `IPAVAULTUSE` | `true` to use IPA KRA vault for the encryption key, `false` to disable encryption | + | `IPAVAULTNAME` | Name of the IPA vault entry (default: `CLIENT_FILEENCRYPTION_`) | + +2. **Confirms the FQDN** — shows the computed `FQDN` (`.clients.`) and lets you override the hostname part if needed. + +3. **Tests the encrypted home mount** — runs `mount_ecrypt_home.sh`. On failure you can restart the wizard or quit. + +4. **Obtains a Nextcloud WebDAV token** — calls `get_nc_token`, which opens Firefox for login. Verifies that the returned token belongs to the current user. You can retry or quit on failure. + +5. On success, the written config file `config.d/configure.conf` is picked up automatically by all other scripts instead of `config/setup_system.conf`. 
+ +## After the wizard completes + +Boot the target machine from the Fedora USB installer. Anaconda detects the OEMDRV partition and runs the Kickstart automatically. diff --git a/system_setup/configure.sh b/system_setup/configure.sh new file mode 100755 index 0000000..5e4bf6b --- /dev/null +++ b/system_setup/configure.sh 
@@ -0,0 +1,163 @@ +#!/usr/bin/env bash +# configure.sh - Interactive first-time configuration wizard +# +# SPDX-FileCopyrightText: Daniel Pätzold +# SPDX-License-Identifier: AGPL-3.0-or-later + +SCRIPTDIR="$(cd "$(dirname "$0")" && pwd)" +CONF_DIST="${SCRIPTDIR}/../config/setup_system.conf.dist" +CONF_FILE="${SCRIPTDIR}/../config.d/configure.conf" + +if [[ "$EUID" -eq 0 ]]; then + echo "ERROR: This script must not be run as root." >&2 + exit 1 +fi + +# Prompt for a single value; returns the old value unchanged if the user presses Enter. +prompt_value() { + local name="$1" current="$2" new_val + printf ' %-28s [%s]: ' "$name" "$current" >&2 + read -r new_val + printf '%s' "${new_val:-$current}" +} + +# Replace the first matching simple export line in configure.conf. +set_conf_var() { + local varname="$1" value="$2" + sed -i "s|^[[:space:]]*export ${varname}=.*|export ${varname}=\"${value}\"|" "$CONF_FILE" +} + +# Update an existing bare "export VAR=…" line at the top level, or append one. +override_conf_var() { + local varname="$1" value="$2" + if grep -q "^export ${varname}=" "$CONF_FILE"; then + sed -i "s|^export ${varname}=.*|export ${varname}=\"${value}\"|" "$CONF_FILE" + else + printf 'export %s="%s"\n' "$varname" "$value" >> "$CONF_FILE" + fi +} + +do_configure() { + mkdir -p "$(dirname "$CONF_FILE")" + cp "$CONF_DIST" "$CONF_FILE" + + # Source the dist defaults (unset computed vars first so they are re-evaluated). + unset TLDOMAIN DOMAIN SERVERFQDN_IPA SERVERFQDN_NC CLIENTADMINGROUP \ + DECRYPTEDDATADIR ENCRYPTEDDATADIR IPAVAULTUSE IPAVAULTNAME HOSTNM FQDN + # shellcheck disable=SC1090 + source "$CONF_FILE" + + echo "" + echo "=== System Configuration ===" + echo "Press Enter to keep the current value, or type a new one." 
+ echo "" + + new_TLDOMAIN=$(prompt_value "TLDOMAIN" "$TLDOMAIN") + TLDOMAIN="$new_TLDOMAIN" + DOMAIN="clients.${TLDOMAIN}" + SERVERFQDN_IPA="ipa.${TLDOMAIN}" + SERVERFQDN_NC="nextcloud.${TLDOMAIN}" + + new_SERVERFQDN_IPA=$(prompt_value "SERVERFQDN_IPA" "$SERVERFQDN_IPA") + SERVERFQDN_IPA="$new_SERVERFQDN_IPA" + + new_SERVERFQDN_NC=$(prompt_value "SERVERFQDN_NC" "$SERVERFQDN_NC") + SERVERFQDN_NC="$new_SERVERFQDN_NC" + + new_CLIENTADMINGROUP=$(prompt_value "CLIENTADMINGROUP" "$CLIENTADMINGROUP") + CLIENTADMINGROUP="$new_CLIENTADMINGROUP" + + new_DECRYPTEDDATADIR=$(prompt_value "DECRYPTEDDATADIR" "$DECRYPTEDDATADIR") + DECRYPTEDDATADIR="$new_DECRYPTEDDATADIR" + + new_ENCRYPTEDDATADIR=$(prompt_value "ENCRYPTEDDATADIR" "$ENCRYPTEDDATADIR") + ENCRYPTEDDATADIR="$new_ENCRYPTEDDATADIR" + + new_IPAVAULTUSE=$(prompt_value "IPAVAULTUSE" "$IPAVAULTUSE") + IPAVAULTUSE="$new_IPAVAULTUSE" + + new_IPAVAULTNAME=$(prompt_value "IPAVAULTNAME" "$IPAVAULTNAME") + IPAVAULTNAME="$new_IPAVAULTNAME" + + set_conf_var "TLDOMAIN" "$new_TLDOMAIN" + set_conf_var "SERVERFQDN_IPA" "$new_SERVERFQDN_IPA" + set_conf_var "SERVERFQDN_NC" "$new_SERVERFQDN_NC" + set_conf_var "CLIENTADMINGROUP" "$new_CLIENTADMINGROUP" + set_conf_var "DECRYPTEDDATADIR" "$new_DECRYPTEDDATADIR" + set_conf_var "ENCRYPTEDDATADIR" "$new_ENCRYPTEDDATADIR" + set_conf_var "IPAVAULTUSE" "$new_IPAVAULTUSE" + # IPAVAULTNAME uses computed concatenation in the dist file; override at top level. + override_conf_var "IPAVAULTNAME" "$new_IPAVAULTNAME" + + # Re-source with the updated TLDOMAIN so DOMAIN and FQDN are recomputed correctly. + unset DOMAIN HOSTNM FQDN + source "$CONF_FILE" + + echo "" + echo "Computed FQDN: ${FQDN}" + read -rp "Is this correct? [Y/n]: " ans + if [[ "${ans,,}" == "n" ]]; then + read -rp " Enter desired hostname (HOSTNM) [${HOSTNM}]: " new_HOSTNM + new_HOSTNM="${new_HOSTNM:-$HOSTNM}" + override_conf_var "HOSTNM" "$new_HOSTNM" + # Also pin FQDN so it stays correct regardless of eval order. 
+ override_conf_var "FQDN" "${new_HOSTNM}.clients.${new_TLDOMAIN}" + echo " Updated FQDN: ${new_HOSTNM}.clients.${new_TLDOMAIN}" + fi + + echo "" + echo "Configuration written to: ${CONF_FILE}" +} + +while true; do + do_configure + + # Load setup_system.inc.sh (which re-sources configure.conf and defines all functions). + # shellcheck disable=SC1090 + source "${SCRIPTDIR}/setup_system.inc.sh" + + echo "" + echo "=== Testing: mounting encrypted home directory ===" + bash "${SCRIPTDIR}/mount_ecrypt_home.sh" + if [[ $? -ne 0 ]]; then + echo "" + echo "mount_ecrypt_home.sh reported an error." + read -rp "Start configuration again (a) or quit (q)? [a/q]: " ans + if [[ "${ans,,}" == "q" ]]; then + echo "Quitting." + exit 1 + fi + echo "" + continue + fi + + echo "" + echo "=== Testing: obtaining Nextcloud WebDAV token ===" + while true; do + get_nc_token + current_user="$(id -un)" + if [[ "${DAVTOKEN_USER}" == "${current_user}" ]]; then + echo "Token obtained successfully for user '${DAVTOKEN_USER}'." + break + fi + echo "" + if [[ -z "${DAVTOKEN_USER}" ]]; then + echo "Token could not be obtained (DAVTOKEN_USER is empty)." + else + echo "Token user '${DAVTOKEN_USER}' does not match current user '${current_user}'." + fi + read -rp "Retry get_nc_token (r) or quit (q)? [r/q]: " ans + if [[ "${ans,,}" == "q" ]]; then + echo "Quitting." + exit 1 + fi + done + + echo "" + echo "=== Configuration complete ===" + echo "All values have been configured and verified successfully." + echo "The system is now ready for the new installation." + echo "Boot from the Fedora USB installer — Anaconda will detect the OEMDRV partition" + echo "and run the Kickstart automatically." + exit 0 +done diff --git a/system_setup/install.sh b/system_setup/install.sh index 6496b26..c81a501 100755 --- a/system_setup/install.sh +++ b/system_setup/install.sh 
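Review bot: `set_conf_var` and `override_conf_var` splice the prompted value straight into a `sed` replacement, so a value containing `|`, `&`, `\` or a newline either breaks the expression or is rewritten (`&` expands to the matched text), and the resulting line is then `source`d by every other script. Escaping before the `sed` call fixes the first half: `value=${value//\\/\\\\}; value=${value//&/\\&}; value=${value//|/\\|}`; for the second half the wizard should refuse values containing `"`, `$` or a backquote rather than write them into a file that is executed on load. `cp "$CONF_DIST" "$CONF_FILE"` and both `source` calls are unchecked and the script does not enable `set -e`, so a missing dist file yields a wizard full of empty defaults; `cp "$CONF_DIST" "$CONF_FILE" || exit 1` stops it early. Each loop iteration re-copies the dist file, so answering (a) after a failed mount discards the values just entered — if that is intended, a comment above the `cp` should say so.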
@@ -440,9 +440,26 @@ echo echo " OEMDRV device : $OEMDRV_DEV" echo " Mounted at : $MOUNT_POINT" echo -echo "Next steps:" -echo " 1. cp $MOUNT_POINT/config/setup_system.conf.dist \\" -echo " $MOUNT_POINT/config/setup_system.conf" -echo " 2. Edit setup_system.conf with your domain, IPA/Nextcloud FQDNs, and paths." -echo " 3. Boot the Kickstart installer — it will detect the OEMDRV partition automatically." + +# ── Optionally run configure.sh ─────────────────────────────────────────────── + +CONF_SCRIPT="$MOUNT_POINT/system_setup/configure.sh" + echo +read -r -p "Run configure.sh now to set up your environment? [y/N]: " RUN_CONF +if [[ "${RUN_CONF,,}" == "y" ]]; then + if [[ -n "$SUDO_USER" ]]; then + info "Running configure.sh as user '$SUDO_USER'..." + su - "$SUDO_USER" -c "bash '$CONF_SCRIPT'" + else + echo + echo "configure.sh must be run as a non-root user. Please run:" + echo " bash $CONF_SCRIPT" + fi +else + echo + echo "Next steps:" + echo " 1. Run: bash $CONF_SCRIPT" + echo " 2. Boot the Kickstart installer — it will detect the OEMDRV partition automatically." + echo +fi From f69b423b308a98ee7534d17c9794f62876d40df8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Wed, 29 Apr 2026 16:17:33 +0200 Subject: [PATCH 06/14] Add repo URL verification via curl checksum in install.sh Before partitioning, check_repo_url() downloads system_setup/install.sh from REPO_URL and compares its sha256sum against the running script. Warns and asks to continue if the URL is unreachable or the checksums differ. Also accept an optional first argument to override REPO_URL. Co-Authored-By: Claude Sonnet 4.6 --- system_setup/install.sh | 41 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/system_setup/install.sh b/system_setup/install.sh index c81a501..cabb65a 100755 --- a/system_setup/install.sh +++ b/system_setup/install.sh 
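Review bot: `su - "$SUDO_USER" -c "bash '$CONF_SCRIPT'"` runs the wizard as the invoking user, but configure.sh writes `config.d/configure.conf` under `$MOUNT_POINT`, which this root-only script populates by `git clone` (visible in PATCH 07's context), so the write fails unless ownership is adjusted first; PATCH 07 later works around this with a recursive world-writable `chmod`, which is far broader than needed. Creating the single directory the wizard writes to with the right owner keeps the rest of the tree root-owned: `install -d -o "$SUDO_USER" -g "$(id -gn "$SUDO_USER")" "$MOUNT_POINT/config.d"`. The indented `  echo` before the `read` is the only indented line at top level and looks unintended. `su -` also drops the caller's environment, including `DISPLAY`, which the Firefox-based token step in setup_system.inc.sh needs — PATCH 08 later adds a `:0` fallback for that reason, presumably.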
@@ -14,7 +14,7 @@ SHRINK_MIB=4096 OEMDRV_LABEL="OEMDRV" MOUNT_POINT="/opt/sys_config" MOUNT_OPTS="compress=zstd:6" -REPO_URL="https://gitea.dtext.online/obel1x/fedora-OEMDRV.git" +REPO_URL="${1:-https://gitea.dtext.online/obel1x/fedora-OEMDRV.git}" MIN_FREE_MIB=$(( SHRINK_MIB + 512 )) # require 512 MiB headroom above the shrink size # ── Helpers ─────────────────────────────────────────────────────────────────── @@ -35,6 +35,28 @@ check_tools() { [[ ${#missing[@]} -eq 0 ]] || die "Missing required tools: ${missing[*]}" } +# Returns 0 if the remote install.sh matches this script's checksum, +# 1 if the URL is unreachable or the file cannot be downloaded, +# 2 if the checksum does not match. +check_repo_url() { + local tmpdir sum_remote sum_local + + tmpdir=$(mktemp -d /tmp/oemdrv_repocheck.XXXXXX) + + if ! curl -fsSL "${REPO_URL%.git}/raw/branch/main/system_setup/install.sh" \ + -o "$tmpdir/install.sh" 2>/dev/null; then + rm -rf "$tmpdir" + return 1 + fi + + sum_remote=$(sha256sum "$tmpdir/install.sh" | awk '{print $1}') + sum_local=$(sha256sum "$0" | awk '{print $1}') + rm -rf "$tmpdir" + + [[ "$sum_remote" == "$sum_local" ]] || return 2 + return 0 +} + # ── Free-space helpers ──────────────────────────────────────────────────────── # Free MiB for a mounted device via df 
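Review bot: `check_repo_url` fetches `${REPO_URL%.git}/raw/branch/main/system_setup/install.sh`, a Gitea raw-file layout on a fixed `main` branch, so any other forge, branch or a local path passed as the new first argument returns 1 and triggers the "not reachable" warning even though the later `git clone` may succeed; the comment above the function should state that assumption. The check compares this script with whatever the remote currently serves, so it detects a stale or locally edited copy but says nothing about the remote itself beyond what TLS provides — worth one sentence in the header so nobody reads it as an integrity check. When the script is started via `bash <(...)` or a pipe, `$0` is not a readable file, `sha256sum "$0"` fails, `sum_local` is empty and the function reports a mismatch; `[[ -r "$0" ]] || return 1` avoids the misleading warning. If `curl` is not among the tools `check_tools` requires (its list is outside the hunk), its absence also surfaces as a reachability failure.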
@@ -241,6 +263,23 @@ new_part_device() { require_root check_tools +info "Verifying repository URL..." +check_repo_url +case $? in + 1) echo + echo "WARNING: '$REPO_URL' is not a reachable git repository." + read -r -p " Continue anyway? [y/N]: " ans + [[ "${ans,,}" == "y" ]] || { echo "Aborted."; exit 0; } + ;; + 2) echo + echo "WARNING: The checksum of this script does not match 'system_setup/install.sh'" + echo " at '$REPO_URL'." + echo " You may be running an outdated or modified version of install.sh." + read -r -p " Continue anyway? [y/N]: " ans + [[ "${ans,,}" == "y" ]] || { echo "Aborted."; exit 0; } + ;; +esac + info "Scanning for shrinkable partitions and unpartitioned free space..." collect_partitions collect_free_space From d3f4345f971392eaffb4abadd4cd771515c72a1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Wed, 29 Apr 2026 16:28:41 +0200 Subject: [PATCH 07/14] Install.sh: Make changes possible for first setup --- system_setup/install.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/system_setup/install.sh b/system_setup/install.sh index cabb65a..7187ccf 100755 --- a/system_setup/install.sh +++ b/system_setup/install.sh @@ -471,6 +471,7 @@ mount -o "$MOUNT_OPTS" "$OEMDRV_DEV" "$MOUNT_POINT" || die "mount failed." info "Cloning $REPO_URL into $MOUNT_POINT..." cd "$MOUNT_POINT" || die "Cannot cd to $MOUNT_POINT." git clone --progress --depth 1 "$REPO_URL" . || die "git clone failed." +chmod o=rwX . -R # to make changes to the configuration possible after install # ── Done ────────────────────────────────────────────────────────────────────── From a9be4d0ac9a864c30af126eedd19359b1b02c0e4 Mon Sep 17 00:00:00 2001 
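Review bot: Both abort branches of the new `case $? in` end with `exit 0`, so declining to continue after a failed repository check reports success to any caller or wrapper; `exit 1`, or the `die` helper this file already uses, is the usual signal for a user abort. Testing `$?` on the line after the call is correct today but breaks as soon as anything is inserted between `check_repo_url` and the `case`; `rc=$?` immediately after the call and `case $rc in` survives later edits. The `read -r -p` prompts assume an interactive stdin; when none is available the empty answer is treated as "no", which is the safe default here and deserves a short comment.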
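Review bot: `chmod o=rwX . -R` makes the entire clone world-writable, and that tree is exactly what later runs as root: the kickstart `%post` in PATCH 01 and PATCH 04 executes `/opt/sys_config/system_setup/setup_system_full.sh` from this mount point, and CLAUDE.md refers to a sudo rule for logon_script. Any local account can therefore edit a script that root will execute, which is a privilege boundary this single line removes. If the goal is only to let the configure.sh wizard write `config.d/configure.conf`, hand that directory (and `config/`, if the wizard is expected to write there) to the invoking user instead, e.g. `mkdir -p config.d && chown -R "$SUDO_USER": config config.d`, and leave `system_setup/` root-owned. GNU chmod accepts the option after the operand, but `chmod -R o=rwX .` is the portable order if a relaxed mode is kept at all.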
From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Wed, 29 Apr 2026 17:05:46 +0200 Subject: [PATCH 08/14] Bugfixing configure and make temporary token possible --- system_setup/configure.sh | 56 +++++--------------------------- system_setup/setup_system.inc.sh | 13 ++++++-- 2 files changed, 19 insertions(+), 50 deletions(-) diff --git a/system_setup/configure.sh b/system_setup/configure.sh index 5e4bf6b..125db14 100755 --- a/system_setup/configure.sh +++ b/system_setup/configure.sh 
@@ -54,57 +54,32 @@ do_configure() { new_TLDOMAIN=$(prompt_value "TLDOMAIN" "$TLDOMAIN") TLDOMAIN="$new_TLDOMAIN" - DOMAIN="clients.${TLDOMAIN}" - SERVERFQDN_IPA="ipa.${TLDOMAIN}" - SERVERFQDN_NC="nextcloud.${TLDOMAIN}" + DOMAIN="ipa.$TLDOMAIN}" + new_DOMAIN=$(prompt_value "DOMAIN" "$DOMAIN") + DOMAIN="${new_DOMAIN}" + + SERVERFQDN_IPA="ipa.${TLDOMAIN}" new_SERVERFQDN_IPA=$(prompt_value "SERVERFQDN_IPA" "$SERVERFQDN_IPA") SERVERFQDN_IPA="$new_SERVERFQDN_IPA" + SERVERFQDN_NC="nextcloud.${TLDOMAIN}" new_SERVERFQDN_NC=$(prompt_value "SERVERFQDN_NC" "$SERVERFQDN_NC") SERVERFQDN_NC="$new_SERVERFQDN_NC" new_CLIENTADMINGROUP=$(prompt_value "CLIENTADMINGROUP" "$CLIENTADMINGROUP") CLIENTADMINGROUP="$new_CLIENTADMINGROUP" - new_DECRYPTEDDATADIR=$(prompt_value "DECRYPTEDDATADIR" "$DECRYPTEDDATADIR") - DECRYPTEDDATADIR="$new_DECRYPTEDDATADIR" - - new_ENCRYPTEDDATADIR=$(prompt_value "ENCRYPTEDDATADIR" "$ENCRYPTEDDATADIR") - ENCRYPTEDDATADIR="$new_ENCRYPTEDDATADIR" - - new_IPAVAULTUSE=$(prompt_value "IPAVAULTUSE" "$IPAVAULTUSE") - IPAVAULTUSE="$new_IPAVAULTUSE" - - new_IPAVAULTNAME=$(prompt_value "IPAVAULTNAME" "$IPAVAULTNAME") - IPAVAULTNAME="$new_IPAVAULTNAME" - set_conf_var "TLDOMAIN" "$new_TLDOMAIN" + set_conf_var "DOMAIN" "$DOMAIN" set_conf_var "SERVERFQDN_IPA" "$new_SERVERFQDN_IPA" set_conf_var "SERVERFQDN_NC" "$new_SERVERFQDN_NC" set_conf_var "CLIENTADMINGROUP" "$new_CLIENTADMINGROUP" - set_conf_var "DECRYPTEDDATADIR" "$new_DECRYPTEDDATADIR" - set_conf_var "ENCRYPTEDDATADIR" "$new_ENCRYPTEDDATADIR" - set_conf_var "IPAVAULTUSE" "$new_IPAVAULTUSE" - # IPAVAULTNAME uses computed concatenation in the dist file; override at top level. - override_conf_var "IPAVAULTNAME" "$new_IPAVAULTNAME" # Re-source with the updated TLDOMAIN so DOMAIN and FQDN are recomputed correctly. unset DOMAIN HOSTNM FQDN source "$CONF_FILE" - echo "" - echo "Computed FQDN: ${FQDN}" - read -rp "Is this correct? 
[Y/n]: " ans - if [[ "${ans,,}" == "n" ]]; then - read -rp " Enter desired hostname (HOSTNM) [${HOSTNM}]: " new_HOSTNM - new_HOSTNM="${new_HOSTNM:-$HOSTNM}" - override_conf_var "HOSTNM" "$new_HOSTNM" - # Also pin FQDN so it stays correct regardless of eval order. - override_conf_var "FQDN" "${new_HOSTNM}.clients.${new_TLDOMAIN}" - echo " Updated FQDN: ${new_HOSTNM}.clients.${new_TLDOMAIN}" - fi - echo "" echo "Configuration written to: ${CONF_FILE}" } @@ -116,24 +91,11 @@ while true; do # shellcheck disable=SC1090 source "${SCRIPTDIR}/setup_system.inc.sh" - echo "" - echo "=== Testing: mounting encrypted home directory ===" - bash "${SCRIPTDIR}/mount_ecrypt_home.sh" - if [[ $? -ne 0 ]]; then - echo "" - echo "mount_ecrypt_home.sh reported an error." - read -rp "Start configuration again (a) or quit (q)? [a/q]: " ans - if [[ "${ans,,}" == "q" ]]; then - echo "Quitting." - exit 1 - fi - echo "" - continue - fi - echo "" echo "=== Testing: obtaining Nextcloud WebDAV token ===" while true; do + # This makes the Token only available for this session + unset DAVTOKENFILENAME get_nc_token current_user="$(id -un)" if [[ "${DAVTOKEN_USER}" == "${current_user}" ]]; then diff --git a/system_setup/setup_system.inc.sh b/system_setup/setup_system.inc.sh index 98c0137..3d2277f 100755 --- a/system_setup/setup_system.inc.sh +++ b/system_setup/setup_system.inc.sh @@ -90,7 +90,7 @@ get_nc_token() { fi fi - if [ ! -f ${DAVTOKENFILENAME} ]; then + if [ ! -f ${DAVTOKENFILENAME} ] || [ -z ${DAVTOKENFILENAME} ]; then echo "No token found here. Getting a new WEBDAV Token for this Device." echo "Please logon to your Nextcloud instance via SSO/kerberos" @@ -101,6 +101,9 @@ get_nc_token() { REQTOKEN=$( echo "${REQJSON}" | grep -oP '(?<="token":")[^"]+(?=")' ) REQURL=$( echo "${REQJSON}" | grep -oP '(?<="login":")[^"]+(?=")' ) + if [[ -z ${DISPLAY} ]]; then + export DISPLAY=:0 + fi /usr/bin/firefox "${REQURL}" & for i in {1..200} 
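Review bot: The new line `DOMAIN="ipa.$TLDOMAIN}"` has a stray `}` with no opening brace and swaps the previous `clients.` prefix for `ipa.`, so the DOMAIN default shown at the prompt ends in a literal `}` and collides with `SERVERFQDN_IPA`; `DOMAIN="clients.${TLDOMAIN}"` is presumably what was meant. PATCH 09 replaces this block with a loop, which sidesteps the typo, but the DOMAIN default then becomes whatever the dist file defines and is no longer visible here. Removing the FQDN confirmation also drops the only place HOSTNM could be overridden; if that is intentional, configure.md (whose step 2 still describes the confirmation) should follow.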
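Review bot: `[ ! -f ${DAVTOKENFILENAME} ] || [ -z ${DAVTOKENFILENAME} ]` relies on unquoted expansion, so in the empty-variable case that configure.sh now produces with `unset DAVTOKENFILENAME` the tests degrade to `[ ! -f ]` and `[ -z ]`, which evaluate as intended only because `test` treats the lone `-f`/`-z` as non-empty strings. Quote both and test emptiness first so the expression says what it means: `if [ -z "${DAVTOKENFILENAME}" ] || [ ! -f "${DAVTOKENFILENAME}" ]; then`. The `export DISPLAY=:0` fallback in the following hunk assumes the user's session is on display `:0`; a comment noting that it exists for the `su -` path in install.sh, which drops the environment, would help the next reader understand why a display is guessed rather than required. `get_nc_token` starts and ends outside these hunks.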
@@ -110,8 +113,12 @@ get_nc_token() { echo -n "Poll Number ${i}..." POLLJSON=$( curl -s -X POST "https://${SERVERFQDN_NC}/login/v2/poll" -d "token=${REQTOKEN}" ) if [[ "${POLLJSON}" == *"appPassword"* ]]; then - echo "${POLLJSON}" > ${DAVTOKENFILENAME} - echo "found token. Token has been written to ${DAVTOKENFILENAME}" + if [ ! -z ${DAVTOKENFILENAME} ]; then + echo "${POLLJSON}" > ${DAVTOKENFILENAME} + echo "Token has been written to ${DAVTOKENFILENAME}" + else + echo "Temporary token was obtained." + fi pkill firefox break else From a5c8d596fadd162dfff125b51b2a37b64db9759f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Wed, 29 Apr 2026 17:52:26 +0200 Subject: [PATCH 09/14] Configure.sh: make dynamic variable prompts and run without tokenfile --- system_setup/configure.sh | 38 +++++++++----------------------- system_setup/setup_system.inc.sh | 3 ++- 2 files changed, 12 insertions(+), 29 deletions(-) diff --git a/system_setup/configure.sh b/system_setup/configure.sh index 125db14..abaf676 100755 --- a/system_setup/configure.sh +++ b/system_setup/configure.sh 
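Review bot: The poll response written by `echo "${POLLJSON}" > ${DAVTOKENFILENAME}` contains the Nextcloud app password, but the file is created with the process umask, so under a common 022 umask it is readable by every local account until something else tightens it. Create it owner-only, e.g. `( umask 077; echo "${POLLJSON}" > "${DAVTOKENFILENAME}" )`, and follow with `chmod 600 "${DAVTOKENFILENAME}"` to cover a pre-existing file. The kept `pkill firefox` also terminates every Firefox instance of the user, not just the window opened for the login flow; capturing `$!` from the `/usr/bin/firefox "${REQURL}" &` line and killing that pid would be narrower, although Firefox may hand the URL to an already running instance and exit immediately, so this needs checking on a live session. The surrounding for loop and get_nc_token continue outside the hunk.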
@@ -45,40 +45,20 @@ do_configure() { unset TLDOMAIN DOMAIN SERVERFQDN_IPA SERVERFQDN_NC CLIENTADMINGROUP \ DECRYPTEDDATADIR ENCRYPTEDDATADIR IPAVAULTUSE IPAVAULTNAME HOSTNM FQDN # shellcheck disable=SC1090 - source "$CONF_FILE" echo "" echo "=== System Configuration ===" echo "Press Enter to keep the current value, or type a new one." echo "" - new_TLDOMAIN=$(prompt_value "TLDOMAIN" "$TLDOMAIN") - TLDOMAIN="$new_TLDOMAIN" - - DOMAIN="ipa.$TLDOMAIN}" - new_DOMAIN=$(prompt_value "DOMAIN" "$DOMAIN") - DOMAIN="${new_DOMAIN}" - - SERVERFQDN_IPA="ipa.${TLDOMAIN}" - new_SERVERFQDN_IPA=$(prompt_value "SERVERFQDN_IPA" "$SERVERFQDN_IPA") - SERVERFQDN_IPA="$new_SERVERFQDN_IPA" - - SERVERFQDN_NC="nextcloud.${TLDOMAIN}" - new_SERVERFQDN_NC=$(prompt_value "SERVERFQDN_NC" "$SERVERFQDN_NC") - SERVERFQDN_NC="$new_SERVERFQDN_NC" - - new_CLIENTADMINGROUP=$(prompt_value "CLIENTADMINGROUP" "$CLIENTADMINGROUP") - CLIENTADMINGROUP="$new_CLIENTADMINGROUP" - - set_conf_var "TLDOMAIN" "$new_TLDOMAIN" - set_conf_var "DOMAIN" "$DOMAIN" - set_conf_var "SERVERFQDN_IPA" "$new_SERVERFQDN_IPA" - set_conf_var "SERVERFQDN_NC" "$new_SERVERFQDN_NC" - set_conf_var "CLIENTADMINGROUP" "$new_CLIENTADMINGROUP" - - # Re-source with the updated TLDOMAIN so DOMAIN and FQDN are recomputed correctly. - unset DOMAIN HOSTNM FQDN source "$CONF_FILE" + VARS=("TLDOMAIN" "DOMAIN" "SERVERFQDN_IPA" "SERVERFQDN_NC" "CLIENTADMINGROUP" ) + for ELE in "${VARS[@]}" + do + new_ELE=$(prompt_value "${ELE}" "${!ELE}") + set_conf_var "${ELE}" "${new_ELE}" + source "$CONF_FILE" + done echo "" echo "Configuration written to: ${CONF_FILE}" 
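Review bot: The `# shellcheck disable=SC1090` directive now sits above `echo ""` instead of a `source` line, so it suppresses nothing and both `source "$CONF_FILE"` calls in this hunk will warn; move it directly above the first `source` and add one for the call inside the loop. Re-sourcing the conf file after every `set_conf_var` is presumably what lets defaults derived from earlier answers show up in the next prompt (set_conf_var and the conf layout are outside this hunk), but it also means each typed value is evaluated by `source`; if set_conf_var stores the value verbatim it should instead write it quoted (`printf '%s=%q\n'` style) so a value with shell metacharacters is stored literally rather than executed. A one-line comment on the loop, `# Re-source after each write so values derived from earlier answers become the next default.`, would explain the repeated source. do_configure begins and ends outside the hunk.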
@@ -94,8 +74,10 @@ while true; do echo "" echo "=== Testing: obtaining Nextcloud WebDAV token ===" while true; do - # This makes the Token only available for this session + # This makes the Token only available for this session, not written to disk unset DAVTOKENFILENAME + #Sets a temporay Hostname for the Token + export HOSTNM="OEMDRV_TEST_TOKEN" get_nc_token current_user="$(id -un)" if [[ "${DAVTOKEN_USER}" == "${current_user}" ]]; then diff --git a/system_setup/setup_system.inc.sh b/system_setup/setup_system.inc.sh index 3d2277f..523f7b3 100755 --- a/system_setup/setup_system.inc.sh +++ b/system_setup/setup_system.inc.sh @@ -82,7 +82,8 @@ get_nc_token() { return 1 # Token for Superuser makes no sense and cannot work fi - if [ ${IPAVAULTUSE} == "true" ]; then + # If Filename is given andf encryption is turned on, than first check for encrypted Directory + if [ ${IPAVAULTUSE} == "true" ] && [ ! -z ${DAVTOKENFILENAME} ]; then check_data_isecrypted if [ $? -ne 0 ]; then echo "Data Directory is not encrypted. Please mount it first." From 9cb2977527caa695936057f89126c9f85e726192 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Wed, 29 Apr 2026 18:02:20 +0200 Subject: [PATCH 10/14] Fix Firefox display access when configure.sh runs via su Pass DISPLAY and WAYLAND_DISPLAY explicitly through the su call in install.sh so Firefox can connect to the user's display session. Remove the now-unnecessary DISPLAY=:0 fallback from get_nc_token. Co-Authored-By: Claude Sonnet 4.6 --- system_setup/install.sh | 2 +- system_setup/setup_system.inc.sh | 3 --- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/system_setup/install.sh b/system_setup/install.sh index 7187ccf..30689dc 100755 --- a/system_setup/install.sh +++ b/system_setup/install.sh 
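Review bot: The comment `#Sets a temporay Hostname for the Token` has a typo and is missing the space after `#`; `# Set a temporary hostname for the test token` reads correctly. `export HOSTNM="OEMDRV_TEST_TOKEN"` also remains exported for everything that runs after this loop, so it is worth confirming that no later step in configure.sh or a sourced file reads HOSTNM (the loop body and its callers are outside this hunk). Patch 11 in this series removes the whole block, so this only matters if the commit is applied alone.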
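Review bot: The new comment has typos ("andf", "than") and would read better as `# Only check for the encrypted data dir when a token file is to be written and vault use is enabled.`. The condition `[ ${IPAVAULTUSE} == "true" ] && [ ! -z ${DAVTOKENFILENAME} ]` expands both variables unquoted (same family as the hunk raised earlier in this series): with IPAVAULTUSE empty `[ == "true" ]` is a `test` syntax error, which returns non-zero and silently skips the encryption check right before a token is written to disk. `if [[ "${IPAVAULTUSE}" == "true" && -n "${DAVTOKENFILENAME}" ]]; then` avoids both problems. get_nc_token continues outside the hunk.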
@@ -490,7 +490,7 @@ read -r -p "Run configure.sh now to set up your environment? [y/N]: " RUN_CONF if [[ "${RUN_CONF,,}" == "y" ]]; then if [[ -n "$SUDO_USER" ]]; then info "Running configure.sh as user '$SUDO_USER'..." - su - "$SUDO_USER" -c "bash '$CONF_SCRIPT'" + su - "$SUDO_USER" -c "DISPLAY='${DISPLAY}' WAYLAND_DISPLAY='${WAYLAND_DISPLAY}' bash '$CONF_SCRIPT'" else echo echo "configure.sh must be run as a non-root user. Please run:" diff --git a/system_setup/setup_system.inc.sh b/system_setup/setup_system.inc.sh index 523f7b3..6256c27 100755 --- a/system_setup/setup_system.inc.sh +++ b/system_setup/setup_system.inc.sh @@ -102,9 +102,6 @@ get_nc_token() { REQTOKEN=$( echo "${REQJSON}" | grep -oP '(?<="token":")[^"]+(?=")' ) REQURL=$( echo "${REQJSON}" | grep -oP '(?<="login":")[^"]+(?=")' ) - if [[ -z ${DISPLAY} ]]; then - export DISPLAY=:0 - fi /usr/bin/firefox "${REQURL}" & for i in {1..200} From d363a806c03a8ca2b64ba5dc9edbc58289726a25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Wed, 29 Apr 2026 19:03:33 +0200 Subject: [PATCH 11/14] Replace token test in configure.sh with server reachability checks Instead of obtaining a Nextcloud WebDAV token, verify the configured servers directly: - Nextcloud: check /status.php for "installed":true and show version - FreeIPA: check /ipa/session/json for HTTP 200 or 401 Both checks offer restart or quit on failure. Co-Authored-By: Claude Sonnet 4.6 --- system_setup/configure.sh | 54 ++++++++++++++++++++++----------------- 1 file changed, 30 insertions(+), 24 deletions(-) diff --git a/system_setup/configure.sh b/system_setup/configure.sh index abaf676..e51f426 100755 --- a/system_setup/configure.sh +++ b/system_setup/configure.sh 
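Review bot: `DISPLAY='${DISPLAY}' WAYLAND_DISPLAY='${WAYLAND_DISPLAY}'` splices the caller's environment into the command string that `su -c` hands to the user's login shell, so a value containing a single quote breaks the quoting and the remainder is parsed as shell code; the exposure is small (root is already running the script and the target is the unprivileged SUDO_USER), but it is the same class of bug as the pre-existing `'$CONF_SCRIPT'` splice and is easy to avoid. su forwards trailing arguments to the shell as positional parameters, so the values can be passed out-of-band, for example `su - "$SUDO_USER" -c 'DISPLAY="$1" WAYLAND_DISPLAY="$2" exec bash "$3"' sh "$DISPLAY" "$WAYLAND_DISPLAY" "$CONF_SCRIPT"` (confirm on the target su whether the first trailing argument lands in `$0`, as assumed here). Note also that an X11 session usually needs XAUTHORITY as well as DISPLAY and `su -` resets it, so Firefox may still fail to connect on an Xorg session even though the commit message says the display problem is fixed — worth testing both session types.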
@@ -52,7 +52,7 @@ do_configure() { echo "" source "$CONF_FILE" - VARS=("TLDOMAIN" "DOMAIN" "SERVERFQDN_IPA" "SERVERFQDN_NC" "CLIENTADMINGROUP" ) + VARS=("TLDOMAIN" "DOMAIN" "SERVERFQDN_IPA" "SERVERFQDN_NC" "CLIENTADMINGROUP" "IPAVAULTUSE" ) for ELE in "${VARS[@]}" do new_ELE=$(prompt_value "${ELE}" "${!ELE}") 
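Review bot: Adding IPAVAULTUSE to the prompt loop accepts any free-form answer, while its consumer in setup_system.inc.sh (`[ ${IPAVAULTUSE} == "true" ] && ...` in patch 09) treats everything other than the exact string `true` as off, so a typo such as `True` or an empty answer silently disables the encrypted-directory check that guards writing a token to disk. The loop should re-prompt for this variable until the answer is exactly `true` or `false` (an inner loop around prompt_value for that one name, or a boolean-aware variant of prompt_value, which is outside this hunk), and `set_conf_var` should only be called once the value is valid. do_configure begins and ends outside this hunk.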
@@ -67,35 +67,41 @@ do_configure() { while true; do do_configure - # Load setup_system.inc.sh (which re-sources configure.conf and defines all functions). - # shellcheck disable=SC1090 - source "${SCRIPTDIR}/setup_system.inc.sh" - echo "" - echo "=== Testing: obtaining Nextcloud WebDAV token ===" - while true; do - # This makes the Token only available for this session, not written to disk - unset DAVTOKENFILENAME - #Sets a temporay Hostname for the Token - export HOSTNM="OEMDRV_TEST_TOKEN" - get_nc_token - current_user="$(id -un)" - if [[ "${DAVTOKEN_USER}" == "${current_user}" ]]; then - echo "Token obtained successfully for user '${DAVTOKEN_USER}'." - break - fi + echo "=== Testing: Nextcloud server ===" + NC_STATUS=$(curl -fsSL "https://${SERVERFQDN_NC}/status.php" 2>/dev/null) + if echo "$NC_STATUS" | grep -q '"installed":true'; then + NC_VERSION=$(echo "$NC_STATUS" | grep -oP '(?<="versionstring":")[^"]+') + echo "Nextcloud confirmed at ${SERVERFQDN_NC} (version ${NC_VERSION})." + else echo "" - if [[ -z "${DAVTOKEN_USER}" ]]; then - echo "Token could not be obtained (DAVTOKEN_USER is empty)." - else - echo "Token user '${DAVTOKEN_USER}' does not match current user '${current_user}'." - fi - read -rp "Retry get_nc_token (r) or quit (q)? [r/q]: " ans + echo "WARNING: '${SERVERFQDN_NC}' does not appear to be a valid Nextcloud server." + echo " Could not reach https://${SERVERFQDN_NC}/status.php or response was unexpected." + read -rp "Start configuration again (a) or quit (q)? [a/q]: " ans if [[ "${ans,,}" == "q" ]]; then echo "Quitting." exit 1 fi - done + continue + fi + + echo "" + echo "=== Testing: FreeIPA server ===" + IPA_CODE=$(curl -s -o /dev/null -w "%{http_code}" \ + "https://${SERVERFQDN_IPA}/ipa/session/json" 2>/dev/null) + if [[ "$IPA_CODE" == "200" || "$IPA_CODE" == "401" ]]; then + echo "FreeIPA server confirmed at ${SERVERFQDN_IPA}." + else + echo "" + echo "WARNING: '${SERVERFQDN_IPA}' does not appear to be a valid FreeIPA server." 
+ echo " https://${SERVERFQDN_IPA}/ipa/session/json returned: ${IPA_CODE:-no response}" + read -rp "Start configuration again (a) or quit (q)? [a/q]: " ans + if [[ "${ans,,}" == "q" ]]; then + echo "Quitting." + exit 1 + fi + continue + fi echo "" echo "=== Configuration complete ===" From 2a359b36a606c5e31d6509b18be4e55ef5ac08a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Wed, 29 Apr 2026 19:31:07 +0200 Subject: [PATCH 12/14] Prepare base profiles for selection --- README.md | 19 +++++++------------ ks_base_profiles/cinnamon_fullsetup.cfg | 4 +++- ks_base_profiles/kde_fullsetup.cfg | 7 +++---- ks_base_profiles/part_sda.cfg | 10 ---------- 4 files changed, 13 insertions(+), 27 deletions(-) delete mode 100644 ks_base_profiles/part_sda.cfg diff --git a/README.md b/README.md index 42fd8cd..243a737 100644 --- a/README.md +++ b/README.md 
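Review bot: Neither curl call has a timeout, so on a host that drops packets the Nextcloud and FreeIPA checks block for the full TCP connect timeout before any prompt appears; add `--max-time 15` (or `--connect-timeout`) to both. `-fsSL ... 2>/dev/null` also discards exactly the error `-S` was meant to show, so an untrusted or expired certificate, a DNS failure and a mistyped hostname all end in the same "response was unexpected" message; dropping the `2>/dev/null` (or capturing stderr into the warning) lets the user tell a certificate problem from a typo without weakening verification. For the FreeIPA check, curl prints `000` for `%{http_code}` when no HTTP response was received, so the `${IPA_CODE:-no response}` fallback never fires; map it explicitly with `[[ "$IPA_CODE" == "000" ]] && IPA_CODE="no response"` before the message. The outer `while true` loop begins and ends outside this hunk.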
@@ -1,23 +1,18 @@ -# Fedora OEMDRV + +# Fedora automated install script collection an automated massinstallation scripting collection for Fedora and Anaconda IN DEVELOPMENT ! This Software is very Specific, it needs at least: -- A Free IPA Server with IP Clients enrolled to the Domain -- A Nextcloud instance, connected to the Domain +- A Free IPA Server in which IP Clients can be enrolled to +- An Admin that has the rights to do so +- A Nextcloud instance, connected to the Domain which should have Software Configuration and Reository Paths setup - A client pc that will use this software to automate install and setup the PC ## Install -1. Create Partition named "OEMDRV", at least 1 GByte in size on a local disk that will be readable when starting installation from stick -2. Format it BTRFS and mount it to "/opt/sys_config" -3. Copy git files in it with "git clone --progress --depth 1 https://gitea.dtext.online/obel1x/fedora-OEMDRV.git /opt/sys_config" - 1. or for developement "git clone --progress https://gitea.dtext.online/obel1x/fedora-OEMDRV.git /opt/sys_config" +- Look at the file [install.md](install.md) -Setup -- Make a copy of /opt/sys_config/system_setup/setup_system.conf.dist, name it /opt/sys_config/system_setup/setup_system.conf -- Check the settings in it and change to your needs before running - -More to come... +more to come diff --git a/ks_base_profiles/cinnamon_fullsetup.cfg b/ks_base_profiles/cinnamon_fullsetup.cfg index 5b2eeca..5833e0d 100644 --- a/ks_base_profiles/cinnamon_fullsetup.cfg +++ b/ks_base_profiles/cinnamon_fullsetup.cfg @@ -1,4 +1,6 @@ -#Basic settings: +# Full Cinnamon Setup + +#Basic settings graphical text diff --git a/ks_base_profiles/kde_fullsetup.cfg b/ks_base_profiles/kde_fullsetup.cfg index 1006d75..4e0774b 100644 --- a/ks_base_profiles/kde_fullsetup.cfg +++ b/ks_base_profiles/kde_fullsetup.cfg @@ -1,4 +1,6 @@ -#Basic settings: +# Full KDE Wayland Setup + +#Basic settings graphical text 
@@ -41,8 +43,6 @@ mesa-va-drivers-freeworld ffmpeg @vlc python-vlc -#@development-tools -#@editors @firefox thunderbird openssh-server @@ -92,7 +92,6 @@ nss-pam-ldapd # System authorization information authselect enable-feature with-fingerprint - # Generated using Blivet version 3.12.1 ignoredisk --only-use=sda # Partition clearing information diff --git a/ks_base_profiles/part_sda.cfg b/ks_base_profiles/part_sda.cfg deleted file mode 100644 index 5ef26b5..0000000 --- a/ks_base_profiles/part_sda.cfg +++ /dev/null @@ -1,10 +0,0 @@ -# Generated using Blivet version 3.12.1 -ignoredisk --only-use=sda -# Partition clearing information -clearpart --none --initlabel -# Disk partitioning information -part biosboot --fstype="biosboot" --ondisk=sda --size=1 -part btrfs.69 --fstype="btrfs" --ondisk=sda --size=80000 -part /boot --fstype="xfs" --ondisk=sda --size=2048 -btrfs none --label=fedora btrfs.69 -btrfs / --subvol --name=root LABEL=fedora From 340cef962f4ae41df36526cd6e5c12ce10a53c74 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Wed, 29 Apr 2026 19:32:41 +0200 Subject: [PATCH 13/14] Remove single ks.cfg --- .gitignore | 1 + ks.cfg | 116 ----------------------------------------------------- 2 files changed, 1 insertion(+), 116 deletions(-) delete mode 100644 ks.cfg diff --git a/.gitignore b/.gitignore index 3fcf0fc..656b86f 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,4 @@ config/.sync_*.db config/.sync_*.db config.d/*.conf ks_pc_prof/* +ks.cfg diff --git a/ks.cfg b/ks.cfg deleted file mode 100644 index 1006d75..0000000 --- a/ks.cfg +++ /dev/null 
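Review bot: Ignoring `ks.cfg` keeps the generated kickstart out of future commits, but the file deleted in this same commit carried a `rootpw --iscrypted` hash that stays in the repository history, and its blob id (`1006d75`) is the same content that `ks_base_profiles/kde_fullsetup.cfg` had before patch 12, whose three hunks do not touch the rootpw line — so the hash is presumably still tracked there. A password hash in a shared repository is exposed to offline guessing, and the profile's own comment says the root account is not meant to be used after domain enrolment; `rootpw --lock` expresses that intent without publishing a hash, and if the hash must stay, rotating it is the only way to undo the history exposure. Worth a note in install.md that ks.cfg is generated by configure.sh and not meant to be committed.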
@@ -1,116 +0,0 @@ -#Basic settings: -graphical -text - -# Configure installation method -url --mirrorlist="https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64" -repo --name=fedora-updates --mirrorlist="https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64" --cost=0 -repo --name=fedora-cisco-openh264 --mirrorlist="https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-cisco-openh264-43&arch=x86_64" --install -repo --name=rpmfusion-free --mirrorlist="https://mirrors.rpmfusion.org/mirrorlist?repo=free-fedora-43&arch=x86_64" -repo --name=rpmfusion-free-updates --mirrorlist="https://mirrors.rpmfusion.org/mirrorlist?repo=free-fedora-updates-released-43&arch=x86_64" --cost=0 -repo --name=rpmfusion-nonfree --mirrorlist="https://mirrors.rpmfusion.org/mirrorlist?repo=nonfree-fedora-43&arch=x86_64" -repo --name=rpmfusion-nonfree-updates --mirrorlist="https://mirrors.rpmfusion.org/mirrorlist?repo=nonfree-fedora-updates-released-43&arch=x86_64" --cost=0 - -# Keyboard layouts -keyboard --vckeymap=de-nodeadkeys --xlayouts='de (nodeadkeys)' -# System language -lang de_DE.UTF-8 -# System timezone -timezone Europe/Berlin --utc - -%pre --log=/root/ks-pre.log -mkdir /mnt/anaconda_pre -mount -L OEMDRV /mnt/anaconda_pre -/bin/sh /mnt/anaconda_pre/ks_base_profiles/basic_pre_script.inc -%end - -%packages -@^kde-desktop-environment -@core -@admin-tools -@domain-client -@system-tools -@kde-media -@kde-spin-initial-setup -@libreoffice -@office -@sound-and-video -libva-utils -libavcodec-freeworld -mesa-va-drivers-freeworld -ffmpeg -@vlc -python-vlc -#@development-tools -#@editors -@firefox -thunderbird -openssh-server -bash -sudo -gocryptfs -htop -mc -mediawriter -python-pip -pykickstart -xrdp -xorgxrdp -libxcb-doc -plasma-workspace-x11 -xterm -wmctrl -flatpak -btrfs-assistant -btrbk -ktorrent -cadaver -kdevelop -git -diffuse -remmina -android-tools --kpat --kmines -#Annoying plasmoids --kdeplasma-addons -#Search - Powerful, but slow 
--akonadi-server --akonadi-server-mysql --dragon --kdeconnectd --kde-connect --samba --samba-client --samba-usershares --BackupPC -#Needed by SSSD -oddjob-mkhomedir -nss-pam-ldapd -%end - -# System authorization information -authselect enable-feature with-fingerprint - - -# Generated using Blivet version 3.12.1 -ignoredisk --only-use=sda -# Partition clearing information -#clearpart --none --initlabel -clearpart --none -autopart --type=btrfs - -# Root password -# This Password is completely unknown to anyone. After installation, the PC should be Member of Domain and the users may use sudo to become superuser. -rootpw --iscrypted $y$j9T$jpKVkxaFqL6GH6GAgB0Yb/$oc.rfZgnHNlTAIj/boJeI.ZFf1QHvMF7fymZww9bzE3 -#user --name=none - -# Do not run the Setup Agent on first boot because it will complain about missing user account which we dont want -firstboot --disable - -%post --log=/root/ks-post.log -mkdir /opt/sys_config -mount -L OEMDRV /opt/sys_config -/bin/sh /opt/sys_config/system_setup/setup_system_full.sh install -umount /opt/sys_config -%end From 0721550e9caa7601a77d43f0d3ee03424118a197 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Wed, 29 Apr 2026 19:38:52 +0200 Subject: [PATCH 14/14] Add kickstart profile selection to configure.sh After server checks pass, present all ks_base_profiles/*.cfg files with their first-paragraph description and require the user to pick one. The selected profile is copied to ks.cfg in the repo root. Co-Authored-By: Claude Sonnet 4.6 --- system_setup/configure.sh | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/system_setup/configure.sh b/system_setup/configure.sh index e51f426..b7653f0 100755 --- a/system_setup/configure.sh +++ b/system_setup/configure.sh 
@@ -103,6 +103,34 @@ while true; do continue fi + echo "" + echo "=== Select Kickstart Profile ===" + KS_DIR="${SCRIPTDIR}/../ks_base_profiles" + KS_DEST="${SCRIPTDIR}/../ks.cfg" + + mapfile -t KS_FILES < <(find "$KS_DIR" -maxdepth 1 -name "*.cfg" | sort) + if [[ ${#KS_FILES[@]} -eq 0 ]]; then + echo "No kickstart profiles found in ${KS_DIR}." + exit 1 + fi + + echo "" + for i in "${!KS_FILES[@]}"; do + desc=$(awk '/^$/{exit} {print}' "${KS_FILES[$i]}" \ + | sed 's/^#[[:space:]]*//' | tr '\n' ' ' | xargs) + printf " %d) %-36s %s\n" "$((i+1))" "$(basename "${KS_FILES[$i]}")" "$desc" + done + echo "" + + while true; do + read -rp "Select profile [1-${#KS_FILES[@]}]: " sel + [[ "$sel" =~ ^[0-9]+$ ]] && (( sel >= 1 && sel <= ${#KS_FILES[@]} )) && break + echo " Invalid selection, please enter a number between 1 and ${#KS_FILES[@]}." + done + + cp "${KS_FILES[$((sel-1))]}" "$KS_DEST" + echo "Copied '$(basename "${KS_FILES[$((sel-1))]}")' to ${KS_DEST}." + echo "" echo "=== Configuration complete ===" echo "All values have been configured and verified successfully."
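Review bot: `| xargs` is used only to trim whitespace, but xargs parses its input with shell-style quoting, so a profile whose first paragraph contains an apostrophe or a double quote (a description such as "don't ..." is enough) makes the pipeline fail with `xargs: unterminated quote` and the menu shows an empty description; `sed 's/^[[:space:]]*//;s/[[:space:]]*$//'` trims without that side effect. The selection check `(( sel >= 1 && sel <= ${#KS_FILES[@]} ))` treats a leading-zero input such as `08` as octal and aborts with a bash arithmetic error instead of re-prompting; normalising with `sel=$((10#$sel))` after the regex test avoids it. The `cp` silently overwrites an existing `ks.cfg`, and since the selected profile becomes the production kickstart, printing the previous choice or asking for confirmation when the destination already exists would make an accidental switch visible. The `while true` loop around this block starts outside the hunk.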