From 0b1ade5771e93b386b60fbd039a8c5ce78d34066 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 30 Apr 2026 12:36:05 +0200 Subject: [PATCH 01/19] Anaconda ks.cfg: use also nvme drives --- ks_base_profiles/cinnamon_fullsetup.cfg | 5 ++--- ks_base_profiles/kde_fullsetup.cfg | 5 ++--- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/ks_base_profiles/cinnamon_fullsetup.cfg b/ks_base_profiles/cinnamon_fullsetup.cfg index 5833e0d..c8a2743 100644 --- a/ks_base_profiles/cinnamon_fullsetup.cfg +++ b/ks_base_profiles/cinnamon_fullsetup.cfg @@ -82,9 +82,8 @@ authselect enable-feature with-fingerprint # Generated using Blivet version 3.12.1 -ignoredisk --only-use=sda -# Partition clearing information -#clearpart --none --initlabel +ignoredisk --only-use=sda,nvme0n1 +# Partition clearing information - do NOT USE --initlabel ! clearpart --none autopart --type=btrfs diff --git a/ks_base_profiles/kde_fullsetup.cfg b/ks_base_profiles/kde_fullsetup.cfg index 4e0774b..235b498 100644 --- a/ks_base_profiles/kde_fullsetup.cfg +++ b/ks_base_profiles/kde_fullsetup.cfg @@ -93,9 +93,8 @@ nss-pam-ldapd authselect enable-feature with-fingerprint # Generated using Blivet version 3.12.1 -ignoredisk --only-use=sda -# Partition clearing information -#clearpart --none --initlabel +ignoredisk --only-use=sda,nvme0n1 +# Partition clearing information - do NOT USE --initlabel ! clearpart --none autopart --type=btrfs From 2032bde99dd76d67afba409d972db700a0917bd1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 30 Apr 2026 12:51:59 +0200 Subject: [PATCH 02/19] IPA-register use Terminal 8 for better logging --- system_setup/setup_system_full.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/system_setup/setup_system_full.sh b/system_setup/setup_system_full.sh index d1fb19b..257949e 100755 --- a/system_setup/setup_system_full.sh +++ b/system_setup/setup_system_full.sh 
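Review bot: `ignoredisk --only-use=sda,nvme0n1` selects both disks for partitioning rather than picking one, so on a machine where an `sda` and an `nvme0n1` both exist `autopart --type=btrfs` may lay the volume out across both drives; the identical change in kde_fullsetup.cfg has the same effect. If the intent is "whichever of the two is present", state it next to the line, e.g. `# assumes only one of sda / nvme0n1 exists; autopart uses every disk listed here`. Kernel names can also change order between boots, so a `/dev/disk/by-id/` spec would be more stable where the target hardware is known and the installed Anaconda accepts it.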
@@ -67,7 +67,7 @@ ExecStart=/bin/sh ${SCRIPTPATH}/${SCRIPTNAME} firstrun_run #ExecStart=-/sbin/agetty --noclear -n -l "/bin/sh ${SCRIPTPATH}/${SCRIPTNAME} firstrun_run" %I 38400 # user interaction in tty8 StandardInput=tty -TTYPath=/dev/tty2 +TTYPath=/dev/tty8 TTYReset=yes TTYVHangup=yes @@ -142,7 +142,7 @@ install_sw() ipa_register_host() { #Integrate this PC into Domain -chvt 2 +chvt 8 #Check if IPA is already Configured echo "Checking for existing IPA- Setup." if ( grep -q "${FQDN}" /etc/ipa/default.conf ); then From d316a7b605d8161ddfb3944eed5d72be43eb7825 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 30 Apr 2026 12:52:41 +0200 Subject: [PATCH 03/19] Refactor configure.sh: per-variable validation loop with DNS domain check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Each variable is now prompted in a retry loop so a failed test re-prompts that specific variable instead of restarting the whole wizard. Adds DNS-based IPA domain validation (_ldap._tcp SRV + _kerberos TXT + _kerberos._udp SRV), matching what ipa-client-install --domain performs. Fixes syntax errors (bare `do` → `while true; do`, `continue` → `break`). Expands VARS to include IPAVAULTNAME, CLIENT_SOFTWARE_SRC, DISTCONFIGPATH_SRC. Co-Authored-By: Claude Sonnet 4.6 --- system_setup/configure.sh | 116 +++++++++++++++++++++++++------------- 1 file changed, 76 insertions(+), 40 deletions(-) diff --git a/system_setup/configure.sh b/system_setup/configure.sh index b7653f0..3f7080d 100755 --- a/system_setup/configure.sh +++ b/system_setup/configure.sh 
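Review bot: The terminal number is now spelled twice, as `TTYPath=/dev/tty8` in the generated unit and as `chvt 8` in ipa_register_host, and nothing ties the two together beyond the `# user interaction in tty8` comment. A single `FIRSTRUN_TTY=8` near the other unit variables, used as `TTYPath=/dev/tty${FIRSTRUN_TTY}` and `chvt "${FIRSTRUN_TTY}"`, keeps them from drifting again; this assumes the unit text is an expanding here-document, which the `${SCRIPTPATH}` on the ExecStart line suggests but the hunk does not show. The exit status of `chvt` is not checked, so a failed switch leaves the interactive prompts on a console the user is not looking at; `chvt 8 || echo "chvt 8 failed" >&2` would at least make that visible. ipa_register_host continues outside the hunk.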
@@ -52,12 +52,84 @@ do_configure() { echo "" source "$CONF_FILE" - VARS=("TLDOMAIN" "DOMAIN" "SERVERFQDN_IPA" "SERVERFQDN_NC" "CLIENTADMINGROUP" "IPAVAULTUSE" ) + VARS=("TLDOMAIN" "SERVERFQDN_IPA" "DOMAIN" "SERVERFQDN_NC" "IPAVAULTUSE" "IPAVAULTNAME" "CLIENT_SOFTWARE_SRC" "DISTCONFIGPATH_SRC" "CLIENTADMINGROUP" ) for ELE in "${VARS[@]}" do - new_ELE=$(prompt_value "${ELE}" "${!ELE}") - set_conf_var "${ELE}" "${new_ELE}" - source "$CONF_FILE" + while true; do + new_ELE=$(prompt_value "${ELE}" "${!ELE}") + set_conf_var "${ELE}" "${new_ELE}" + source "$CONF_FILE" + REPEAT_TEST=1 + case ${ELE} in + "SERVERFQDN_NC") echo "" + echo "=== Testing: Nextcloud server ===" + NC_STATUS=$(curl -fsSL "https://${SERVERFQDN_NC}/status.php" 2>/dev/null) + if echo "$NC_STATUS" | grep -q '"installed":true'; then + NC_VERSION=$(echo "$NC_STATUS" | grep -oP '(?<="versionstring":")[^"]+') + echo "Nextcloud confirmed at ${SERVERFQDN_NC} (version ${NC_VERSION})." + REPEAT_TEST=0 + else + echo "" + echo "WARNING: '${SERVERFQDN_NC}' does not appear to be a valid Nextcloud server." + echo " Could not reach https://${SERVERFQDN_NC}/status.php or response was unexpected." + read -rp "Start configuration again (a) or quit (q)? [a/q]: " ans + if [[ "${ans,,}" == "q" ]]; then + echo "Quitting." + exit 1 + fi + fi + ;; + "SERVERFQDN_IPA") echo "" + echo "=== Testing: FreeIPA server ===" + IPA_CODE=$(curl -s -o /dev/null -w "%{http_code}" \ + "https://${SERVERFQDN_IPA}/ipa/session/json" 2>/dev/null) + if [[ "$IPA_CODE" == "200" || "$IPA_CODE" == "401" ]]; then + echo "FreeIPA server confirmed at ${SERVERFQDN_IPA}." + REPEAT_TEST=0 + else + echo "" + echo "WARNING: '${SERVERFQDN_IPA}' does not appear to be a valid FreeIPA server." + echo " https://${SERVERFQDN_IPA}/ipa/session/json returned: ${IPA_CODE:-no response}" + read -rp "Start configuration again (a) or quit (q)? [a/q]: " ans + if [[ "${ans,,}" == "q" ]]; then + echo "Quitting." 
+ exit 1 + fi + fi + ;; + "DOMAIN") echo "" + echo "=== Testing: IPA Domain DNS records ===" + if ! command -v dig &>/dev/null; then + echo "WARNING: 'dig' not found; skipping DNS check." + REPEAT_TEST=0 + else + LDAP_SRV=$(dig +short SRV "_ldap._tcp.${DOMAIN}" 2>/dev/null) + KRB_TXT=$(dig +short TXT "_kerberos.${DOMAIN}" 2>/dev/null) + KDC_SRV=$(dig +short SRV "_kerberos._udp.${DOMAIN}" 2>/dev/null) + if [[ -n "$LDAP_SRV" && -n "$KRB_TXT" ]]; then + REALM=$(echo "$KRB_TXT" | tr -d '"') + echo "IPA domain confirmed: ${DOMAIN}" + echo " Kerberos realm : ${REALM}" + [[ -n "$KDC_SRV" ]] && echo " KDC SRV : ${KDC_SRV}" + REPEAT_TEST=0 + else + echo "" + [[ -z "$LDAP_SRV" ]] && echo "WARNING: No _ldap._tcp.${DOMAIN} SRV record found." + [[ -z "$KRB_TXT" ]] && echo "WARNING: No _kerberos.${DOMAIN} TXT record found." + echo " '${DOMAIN}' does not appear to be a valid IPA domain." + read -rp "Start configuration again (a) or quit (q)? [a/q]: " ans + if [[ "${ans,,}" == "q" ]]; then + echo "Quitting." + exit 1 + fi + fi + fi + ;; + *) REPEAT_TEST=0 + ;; + esac + [[ $REPEAT_TEST == 0 ]] && break + done done echo "" 
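Review bot: `set_conf_var "${ELE}" "${new_ELE}"` runs before the `case` validation, so a value that fails the Nextcloud, FreeIPA or DNS test is already persisted in `$CONF_FILE` by the time the user answers `q`, and the next run starts from the rejected value; run the checks against `${new_ELE}` and call `set_conf_var` only once `REPEAT_TEST` is 0, or restore the previous value before `exit 1`. The three `dig` calls also discard their exit status and stderr, so an unreachable resolver is reported as "No _ldap._tcp.${DOMAIN} SRV record found" although nothing was looked up; capture `rc=$?` after the first `dig` and print a separate "DNS lookup failed" message when it is non-zero. The DNS answers are unauthenticated, which matches what ipa-client-install does, but a one-line comment saying the check confirms reachability rather than identity would keep readers from treating it as verification of the server. do_configure starts before and ends after this hunk.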
@@ -67,42 +139,6 @@ do_configure() { while true; do do_configure - echo "" - echo "=== Testing: Nextcloud server ===" - NC_STATUS=$(curl -fsSL "https://${SERVERFQDN_NC}/status.php" 2>/dev/null) - if echo "$NC_STATUS" | grep -q '"installed":true'; then - NC_VERSION=$(echo "$NC_STATUS" | grep -oP '(?<="versionstring":")[^"]+') - echo "Nextcloud confirmed at ${SERVERFQDN_NC} (version ${NC_VERSION})." - else - echo "" - echo "WARNING: '${SERVERFQDN_NC}' does not appear to be a valid Nextcloud server." - echo " Could not reach https://${SERVERFQDN_NC}/status.php or response was unexpected." - read -rp "Start configuration again (a) or quit (q)? [a/q]: " ans - if [[ "${ans,,}" == "q" ]]; then - echo "Quitting." - exit 1 - fi - continue - fi - - echo "" - echo "=== Testing: FreeIPA server ===" - IPA_CODE=$(curl -s -o /dev/null -w "%{http_code}" \ - "https://${SERVERFQDN_IPA}/ipa/session/json" 2>/dev/null) - if [[ "$IPA_CODE" == "200" || "$IPA_CODE" == "401" ]]; then - echo "FreeIPA server confirmed at ${SERVERFQDN_IPA}." - else - echo "" - echo "WARNING: '${SERVERFQDN_IPA}' does not appear to be a valid FreeIPA server." - echo " https://${SERVERFQDN_IPA}/ipa/session/json returned: ${IPA_CODE:-no response}" - read -rp "Start configuration again (a) or quit (q)? [a/q]: " ans - if [[ "${ans,,}" == "q" ]]; then - echo "Quitting." - exit 1 - fi - continue - fi - echo "" echo "=== Select Kickstart Profile ===" KS_DIR="${SCRIPTDIR}/../ks_base_profiles" From bcbcc3392dae85174358e1c48ed75b5e8bc62bf7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 30 Apr 2026 13:06:49 +0200 Subject: [PATCH 04/19] install.sh: offer to install missing tools via dnf Instead of dying immediately, check_tools now lists missing packages, asks the user to install them with dnf, and re-verifies after install. Decline still aborts as before. Co-Authored-By: Claude Sonnet 4.6 --- system_setup/install.sh | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/system_setup/install.sh b/system_setup/install.sh index 30689dc..4f68c3d 100755 --- a/system_setup/install.sh +++ b/system_setup/install.sh @@ -28,11 +28,37 @@ require_root() { } check_tools() { + declare -A tool_pkg=( + [lsblk]="util-linux" [blkid]="util-linux" + [parted]="parted" [partprobe]="parted" + [mkfs.btrfs]="btrfs-progs" [git]="git" + [e2fsck]="e2fsprogs" [resize2fs]="e2fsprogs" + [tune2fs]="e2fsprogs" + ) local missing=() for tool in lsblk blkid parted partprobe mkfs.btrfs git e2fsck resize2fs tune2fs; do command -v "$tool" >/dev/null 2>&1 || missing+=("$tool") done - [[ ${#missing[@]} -eq 0 ]] || die "Missing required tools: ${missing[*]}" + [[ ${#missing[@]} -eq 0 ]] && return 0 + + echo "Missing required tools: ${missing[*]}" + local pkgs=() + for tool in "${missing[@]}"; do + local pkg="${tool_pkg[$tool]}" + [[ " ${pkgs[*]} " != *" $pkg "* ]] && pkgs+=("$pkg") + done + + read -r -p " Install missing packages (${pkgs[*]}) with dnf? [y/N]: " ans + if [[ "${ans,,}" == "y" ]]; then + dnf install -y "${pkgs[@]}" || die "Package installation failed." + local still_missing=() + for tool in "${missing[@]}"; do + command -v "$tool" >/dev/null 2>&1 || still_missing+=("$tool") + done + [[ ${#still_missing[@]} -eq 0 ]] || die "Still missing after install: ${still_missing[*]}" + else + die "Missing required tools: ${missing[*]}" + fi } # Returns 0 if the remote install.sh matches this script's checksum, From f89d0f36f14ab9a8609fb7d214657d12404ec9a3 Mon Sep 17 00:00:00 2001 
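Review bot: The tool list is now kept in two places, the keys of `tool_pkg` and the literal list on the `for tool in lsblk blkid …` line, and any tool added to the loop but not to the map yields an empty `pkg`, which is then appended to `pkgs` and handed to `dnf install -y` as an empty argument. Iterating the map instead, `for tool in "${!tool_pkg[@]}"; do`, removes the duplication and that failure mode; associative-array order is unspecified, so sort the `missing` array before printing if stable output matters. A short header comment stating that the function may run `dnf install` and therefore needs root, which `require_root` above appears to guarantee, would also help the next reader.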
From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 30 Apr 2026 14:55:33 +0200 Subject: [PATCH 05/19] Write DMI UUID to machine_uuid.sys for user-accessible machine ID install.sh writes the last 12 chars of the DMI system UUID to config.d/machine_uuid.sys (0444) after git clone, so non-root scripts can derive the hardware-bound hostname without needing dmidecode. conf.dist reads machine_uuid.sys first; falls back to dmidecode (root) or hostname -s (user) if the file is absent. Co-Authored-By: Claude Sonnet 4.6 --- config/setup_system.conf.dist | 4 +++- system_setup/install.sh | 9 +++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/config/setup_system.conf.dist b/config/setup_system.conf.dist index 8cc8490..613032d 100644 --- a/config/setup_system.conf.dist +++ b/config/setup_system.conf.dist @@ -16,7 +16,9 @@ export UPGRADEBRANCH="main" export CLIENTADMINGROUP="clientadmins" # Method to determine Unique Hostname / FQDN of the Client. May be replaced by your needs -if [ "$EUID" -eq 0 ]; then +if [ -r /opt/sys_config/config.d/machine_uuid.sys ]; then + export HOSTNM="pc-$( cat /opt/sys_config/config.d/machine_uuid.sys )" +elif [ "$EUID" -eq 0 ]; then export HOSTNM="pc-$( dmidecode -t system | grep -i 'UUID' | sed 's/UUID: //' | tr '[:upper:]' '[:lower:]' | sed 's/[^0-9a-z]*//g' | xargs|tail -c 13)" else export HOSTNM=$( hostname -s ) diff --git a/system_setup/install.sh b/system_setup/install.sh index 4f68c3d..e31581e 100755 --- a/system_setup/install.sh +++ b/system_setup/install.sh 
@@ -497,6 +497,15 @@ mount -o "$MOUNT_OPTS" "$OEMDRV_DEV" "$MOUNT_POINT" || die "mount failed." info "Cloning $REPO_URL into $MOUNT_POINT..." cd "$MOUNT_POINT" || die "Cannot cd to $MOUNT_POINT." git clone --progress --depth 1 "$REPO_URL" . || die "git clone failed." + +# Write hardware UUID to a user-readable per-machine file +mkdir -p "${MOUNT_POINT}/config.d" +dmidecode -t system | grep -i 'UUID' \ + | sed 's/UUID: //' | tr '[:upper:]' '[:lower:]' \ + | sed 's/[^0-9a-z]*//g' | xargs | tail -c 13 \ + > "${MOUNT_POINT}/config.d/machine_uuid.sys" +chmod 0444 "${MOUNT_POINT}/config.d/machine_uuid.sys" + chmod o=rwX . -R # to make changes to the configuration possible after install # ── Done ────────────────────────────────────────────────────────────────────── From 29c87be593636b90c4aab854b99578863362cd8d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 30 Apr 2026 15:06:47 +0200 Subject: [PATCH 06/19] Replace instable HOSTNM determination by file for installation. --- .gitignore | 1 + config/setup_system.conf.dist | 27 ++++++++++++++------------- system_setup/configure.sh | 3 ++- system_setup/install.sh | 6 ++---- 4 files changed, 19 insertions(+), 18 deletions(-) diff --git a/.gitignore b/.gitignore index 656b86f..e1390fd 100644 --- a/.gitignore +++ b/.gitignore @@ -9,5 +9,6 @@ config/skel.tar.zst config/.sync_*.db config/.sync_*.db config.d/*.conf +config.d/*.sys ks_pc_prof/* ks.cfg diff --git a/config/setup_system.conf.dist b/config/setup_system.conf.dist index 613032d..8c04d4a 100644 --- a/config/setup_system.conf.dist +++ b/config/setup_system.conf.dist 
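Review bot: The `chmod 0444` on machine_uuid.sys is undone two lines later by the pre-existing `chmod o=rwX . -R` context line, which sets the file to other=rw, so the file that setup_system.conf.dist now `cat`s into `HOSTNM` and `FQDN` is writable by every local user while root-run scripts consume those values; the install.sh hunk of patch 06 drops the `chmod 0444` altogether and has the same exposure. Write the file after the recursive chmod, or follow it with `chmod 0444 "${MOUNT_POINT}/config.d/machine_uuid.sys"` as the final step. The pipeline output is also not validated: if dmidecode prints no UUID line the file ends up empty and HOSTNM becomes `pc-`, so capture it first, `uuid=$(dmidecode -t system | … | tail -c 13 | tr -d '\n')`, then `[[ "$uuid" =~ ^[0-9a-f]{12}$ ]] || die "Could not derive a 12-character machine id from DMI."` before writing.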
@@ -12,24 +12,25 @@ export INSTALLDOCS="https://gitea.dtext.online/obel1x/fedora-OEMDRV/src/branch/m export UPGRADEURL="https://gitea.dtext.online/obel1x/fedora-OEMDRV.git" export UPGRADEBRANCH="main" -#Group, that will have sudo rights on the client -export CLIENTADMINGROUP="clientadmins" - -# Method to determine Unique Hostname / FQDN of the Client. May be replaced by your needs -if [ -r /opt/sys_config/config.d/machine_uuid.sys ]; then - export HOSTNM="pc-$( cat /opt/sys_config/config.d/machine_uuid.sys )" -elif [ "$EUID" -eq 0 ]; then - export HOSTNM="pc-$( dmidecode -t system | grep -i 'UUID' | sed 's/UUID: //' | tr '[:upper:]' '[:lower:]' | sed 's/[^0-9a-z]*//g' | xargs|tail -c 13)" -else - export HOSTNM=$( hostname -s ) -fi -export FQDN=${HOSTNM}.${DOMAIN} - #Configuration Files - maybe syned with your companies settings export SYSCONFIGPATH="/opt/sys_config" export DISTCONFIGPATH="/opt/sys_config/config" export DISTCONFIGPATH_SRC="/Shared/sw_geteilt/client_settings" +#Group, that will have sudo rights on the client +export CLIENTADMINGROUP="clientadmins" + +# Method to determine Unique Hostname / FQDN of the Client. May be replaced by your needs +#Should always had been set by install.sh and should be there anyway. +#if [ ! -r ${SYSCONFIGPATH}/config.d/machine_uuid.sys ]; then +#elif [ "$EUID" -eq 0 ]; then +# export HOSTNM="pc-$( dmidecode -t system | grep -i 'UUID' | sed 's/UUID: //' | tr '[:upper:]' '[:lower:]' | sed 's/[^0-9a-z]*//g' | xargs|tail -c 13)" +#else +# export HOSTNM=$( hostname -s ) +#fi +export HOSTNM="pc-$( cat /opt/sys_config/config.d/machine_uuid.sys )" +export FQDN=${HOSTNM}.${DOMAIN} + #Additional Client-Software- Repository-Folder in Nextcloud (Shared Folder / Systemwide) export CLIENT_SOFTWARE_DST="/opt/sys_config/client_software" # Optional. 
If you don't have a Folder that should always be synced, leave this empty export CLIENT_SOFTWARE_SRC="/Shared/sw_geteilt/client_software" Set to the Nextcloud directory where the software should come from diff --git a/system_setup/configure.sh b/system_setup/configure.sh index 3f7080d..986021b 100755 --- a/system_setup/configure.sh +++ b/system_setup/configure.sh @@ -52,7 +52,8 @@ do_configure() { echo "" source "$CONF_FILE" - VARS=("TLDOMAIN" "SERVERFQDN_IPA" "DOMAIN" "SERVERFQDN_NC" "IPAVAULTUSE" "IPAVAULTNAME" "CLIENT_SOFTWARE_SRC" "DISTCONFIGPATH_SRC" "CLIENTADMINGROUP" ) + # Currently not possible to change "IPAVAULTNAME" becaue + VARS=("TLDOMAIN" "SERVERFQDN_IPA" "DOMAIN" "SERVERFQDN_NC" "IPAVAULTUSE" "CLIENT_SOFTWARE_SRC" "DISTCONFIGPATH_SRC" "CLIENTADMINGROUP" ) for ELE in "${VARS[@]}" do while true; do diff --git a/system_setup/install.sh b/system_setup/install.sh index e31581e..feb4072 100755 --- a/system_setup/install.sh +++ b/system_setup/install.sh @@ -499,14 +499,12 @@ cd "$MOUNT_POINT" || die "Cannot cd to $MOUNT_POINT." git clone --progress --depth 1 "$REPO_URL" . || die "git clone failed." # Write hardware UUID to a user-readable per-machine file -mkdir -p "${MOUNT_POINT}/config.d" dmidecode -t system | grep -i 'UUID' \ | sed 's/UUID: //' | tr '[:upper:]' '[:lower:]' \ | sed 's/[^0-9a-z]*//g' | xargs | tail -c 13 \ - > "${MOUNT_POINT}/config.d/machine_uuid.sys" -chmod 0444 "${MOUNT_POINT}/config.d/machine_uuid.sys" + > "./config.d/machine_uuid.sys" -chmod o=rwX . -R # to make changes to the configuration possible after install + chmod o=rwX . -R # to make changes to the configuration possible after install # ── Done ────────────────────────────────────────────────────────────────────── From d0932a2fdaa96840d428994019b75b6ae4ae4ee3 Mon Sep 17 00:00:00 2001 
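Review bot: `export HOSTNM="pc-$( cat /opt/sys_config/config.d/machine_uuid.sys )"` hard-codes the path although `SYSCONFIGPATH` is now defined just above it, and with the `EUID`/`hostname -s` fallbacks removed a missing or unreadable file silently yields `HOSTNM=pc-` and `FQDN=pc-.${DOMAIN}` while cat's error goes to stderr. Use `${SYSCONFIGPATH}/config.d/machine_uuid.sys` and guard it, e.g. `[ -r "${SYSCONFIGPATH}/config.d/machine_uuid.sys" ] || echo "machine_uuid.sys missing; HOSTNM will be empty" >&2`, so the failure surfaces where it happens. The commented-out block above it keeps an `if` with an empty branch and an `elif`, which cannot be uncommented as is; replace it with a one-line comment such as `# HOSTNM is derived from the machine id that install.sh writes; dmidecode/hostname fallbacks were removed`.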
From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 30 Apr 2026 15:15:20 +0200 Subject: [PATCH 07/19] Configure: Make IPAVAULTNAME again possible --- system_setup/configure.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/system_setup/configure.sh b/system_setup/configure.sh index 986021b..3f7080d 100755 --- a/system_setup/configure.sh +++ b/system_setup/configure.sh @@ -52,8 +52,7 @@ do_configure() { echo "" source "$CONF_FILE" - # Currently not possible to change "IPAVAULTNAME" becaue - VARS=("TLDOMAIN" "SERVERFQDN_IPA" "DOMAIN" "SERVERFQDN_NC" "IPAVAULTUSE" "CLIENT_SOFTWARE_SRC" "DISTCONFIGPATH_SRC" "CLIENTADMINGROUP" ) + VARS=("TLDOMAIN" "SERVERFQDN_IPA" "DOMAIN" "SERVERFQDN_NC" "IPAVAULTUSE" "IPAVAULTNAME" "CLIENT_SOFTWARE_SRC" "DISTCONFIGPATH_SRC" "CLIENTADMINGROUP" ) for ELE in "${VARS[@]}" do while true; do From 4a7ee59559f67715f76f6927af3f76bc4a157405 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 30 Apr 2026 15:19:58 +0200 Subject: [PATCH 08/19] configure: CLIENT_SOFTWARE_SRC not needed --- system_setup/configure.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system_setup/configure.sh b/system_setup/configure.sh index 3f7080d..2372542 100755 --- a/system_setup/configure.sh +++ b/system_setup/configure.sh @@ -52,7 +52,7 @@ do_configure() { echo "" source "$CONF_FILE" - VARS=("TLDOMAIN" "SERVERFQDN_IPA" "DOMAIN" "SERVERFQDN_NC" "IPAVAULTUSE" "IPAVAULTNAME" "CLIENT_SOFTWARE_SRC" "DISTCONFIGPATH_SRC" "CLIENTADMINGROUP" ) + VARS=("TLDOMAIN" "SERVERFQDN_IPA" "DOMAIN" "SERVERFQDN_NC" "IPAVAULTUSE" "IPAVAULTNAME" "DISTCONFIGPATH_SRC" "CLIENTADMINGROUP" ) for ELE in "${VARS[@]}" do while true; do From 0d86bc3d1a69c7a1da267279c71f4565a88640f9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 30 Apr 2026 15:37:19 +0200 Subject: [PATCH 09/19] Div visual updates --- system_setup/configure.sh | 11 ++++------- system_setup/sync_client_software.sh | 2 +- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/system_setup/configure.sh b/system_setup/configure.sh index 2372542..557c449 100755 --- a/system_setup/configure.sh +++ b/system_setup/configure.sh @@ -49,20 +49,19 @@ do_configure() { echo "" echo "=== System Configuration ===" echo "Press Enter to keep the current value, or type a new one." - echo "" source "$CONF_FILE" VARS=("TLDOMAIN" "SERVERFQDN_IPA" "DOMAIN" "SERVERFQDN_NC" "IPAVAULTUSE" "IPAVAULTNAME" "DISTCONFIGPATH_SRC" "CLIENTADMINGROUP" ) for ELE in "${VARS[@]}" do while true; do + echo "" new_ELE=$(prompt_value "${ELE}" "${!ELE}") set_conf_var "${ELE}" "${new_ELE}" source "$CONF_FILE" REPEAT_TEST=1 case ${ELE} in - "SERVERFQDN_NC") echo "" - echo "=== Testing: Nextcloud server ===" + "SERVERFQDN_NC") echo "=== Testing: Nextcloud server ===" NC_STATUS=$(curl -fsSL "https://${SERVERFQDN_NC}/status.php" 2>/dev/null) if echo "$NC_STATUS" | grep -q '"installed":true'; then NC_VERSION=$(echo "$NC_STATUS" | grep -oP '(?<="versionstring":")[^"]+') @@ -79,8 +78,7 @@ do_configure() { fi fi ;; - "SERVERFQDN_IPA") echo "" - echo "=== Testing: FreeIPA server ===" + "SERVERFQDN_IPA") echo "=== Testing: FreeIPA server ===" IPA_CODE=$(curl -s -o /dev/null -w "%{http_code}" \ "https://${SERVERFQDN_IPA}/ipa/session/json" 2>/dev/null) if [[ "$IPA_CODE" == "200" || "$IPA_CODE" == "401" ]]; then @@ -97,8 +95,7 @@ do_configure() { fi fi ;; - "DOMAIN") echo "" - echo "=== Testing: IPA Domain DNS records ===" + "DOMAIN") echo "=== Testing: IPA Domain DNS records ===" if ! command -v dig &>/dev/null; then echo "WARNING: 'dig' not found; skipping DNS check." REPEAT_TEST=0 diff --git a/system_setup/sync_client_software.sh b/system_setup/sync_client_software.sh index d5921f4..488d9e3 100755 
--- a/system_setup/sync_client_software.sh +++ b/system_setup/sync_client_software.sh @@ -12,7 +12,7 @@ fi #Check Token if [ "${DAVTOKEN_USER}." == "." ]; then - echo "Error: Script cannot be executed standalone, must be run with a matching sudo rule and needs a prereserved environement from logon-script." + echo "Error: Script cannot be executed standalone, must be run with a matching sudo rule and needs a prereserved environment from logon-script." echo "A matching sudo rule could look like this: "'^'${SYSCONFIGPATH////'\/'}'\/system_setup\/sync_client_software\.sh.*$' echo "Hint: the rule must contain the !authenticate and setenv option to work." echo "Press any key to continue" && read -n 1 -s -r && exit 1 From fe9f6841f33bfe2e49d822dc8d85ed9fcfc8d2f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 30 Apr 2026 16:19:01 +0200 Subject: [PATCH 10/19] Cryptfilesystem: Allow root to access encrypted directory --- system_setup/mount_ecrypt_home.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/system_setup/mount_ecrypt_home.sh b/system_setup/mount_ecrypt_home.sh index aca9171..98cc1c8 100755 --- a/system_setup/mount_ecrypt_home.sh +++ b/system_setup/mount_ecrypt_home.sh 
@@ -90,9 +90,9 @@ if [ ! -d "${DECRYPTEDDATADIR}" ]; then #Key has been obtained, but no Directory was created till know echo "First Setup of encryption: Creating new Directories now" mkdir -p ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} ${HOME}/.config/gocryptfs - gocryptfs -init -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} >/dev/null + gocryptfs -init -allow_other -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} >/dev/null fi -gocryptfs -noprealloc -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null +gocryptfs -noprealloc -allow_other -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null RETVAL=$? rm /var/tmp/IPAVAULTKEY.txt cd ${EXECDIR} From ee2ae055e93eabfa59bdb9efc58398be9a67cb1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 30 Apr 2026 16:23:56 +0200 Subject: [PATCH 11/19] Crypt: Add Passfile --- system_setup/mount_ecrypt_home.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system_setup/mount_ecrypt_home.sh b/system_setup/mount_ecrypt_home.sh index 98cc1c8..af2ff60 100755 --- a/system_setup/mount_ecrypt_home.sh +++ b/system_setup/mount_ecrypt_home.sh 
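Review bot: `-allow_other` does not grant access to root specifically; it makes the mounted plaintext view reachable by every local user, and what then limits them is the Unix mode of `${DECRYPTEDDATADIR}` and the files inside it, so the `mkdir -p` on the line above should be followed by `chmod 0700 "${DECRYPTEDDATADIR}"` (or the existing mode verified) before the mount. Whether gocryptfs adds `default_permissions` automatically with `-allow_other` depends on the version in use, so confirm that on the target rather than assuming it. The `-init` line loses `-passfile` here, which turns first-time setup into an interactive prompt; patch 11 restores it. All four path expansions on the changed lines are unquoted, unlike the `"${DECRYPTEDDATADIR}"` test above them; quoting them costs nothing.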
@@ -90,7 +90,7 @@ if [ ! -d "${DECRYPTEDDATADIR}" ]; then #Key has been obtained, but no Directory was created till know echo "First Setup of encryption: Creating new Directories now" mkdir -p ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} ${HOME}/.config/gocryptfs - gocryptfs -init -allow_other -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} >/dev/null + gocryptfs -init -allow_other -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} >/dev/null fi gocryptfs -noprealloc -allow_other -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null RETVAL=$? From 7a3f610740d5d425aabbe1230308abc0e53e53da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 30 Apr 2026 16:34:01 +0200 Subject: [PATCH 12/19] Crypt: Better check for configured --- system_setup/mount_ecrypt_home.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/system_setup/mount_ecrypt_home.sh b/system_setup/mount_ecrypt_home.sh index af2ff60..d73a8eb 100755 --- a/system_setup/mount_ecrypt_home.sh +++ b/system_setup/mount_ecrypt_home.sh @@ -80,13 +80,14 @@ else fi fi if [ "${ENCKEY}." == "." ]; then - echo "Some Error while fetching your Credentials. This should not happen. Quit." + echo "Some Error while fetching your IPA Vault Key. This should not happen. Quit." rm /var/tmp/IPAVAULTKEY.txt exit 2 fi +echo "Sucessfuly obtained IPA vault fileencryption key." #Setup and use encrypted filesystem -if [ ! -d "${DECRYPTEDDATADIR}" ]; then +if [ ! -d "${DECRYPTEDDATADIR}" ] || [ -f "${HOME}/.config/gocryptfs/gocryptfs.conf" ]; then #Key has been obtained, but no Directory was created till know echo "First Setup of encryption: Creating new Directories now" mkdir -p ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} ${HOME}/.config/gocryptfs 
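Review bot: The new user-facing message `echo "Sucessfuly obtained IPA vault fileencryption key."` misspells "Successfully"; the error branch above it ("Some Error while fetching your IPA Vault Key") is fine. The widened condition now also runs `gocryptfs -init` when `${DECRYPTEDDATADIR}` exists but `gocryptfs.conf` is missing, which presumably points `-init` at an `${ENCRYPTEDDATADIR}` that may already hold ciphertext; gocryptfs refuses to initialise a non-empty directory as far as I recall, so that case would fail at the init line rather than being explained, and a check such as `[ -z "$(ls -A "${ENCRYPTEDDATADIR}" 2>/dev/null)" ] || { echo "Encrypted data exists but the gocryptfs config is missing; refusing to re-initialise." >&2; exit 3; }` before the mkdir would give a clear message. The `-f` test without `!` is corrected by patch 13.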
@@ -100,6 +101,6 @@ if [ ${RETVAL} -eq 0 ]; then echo "Sucessfully mounted encrypted private Directory ${DECRYPTEDDATADIR}" exit 0 else - echo "Errorcode ${RETAVAL}" + echo "Errorcode ${RETVAL}" exit 1 fi From b586de545eed6ba831e543d861b5a07a66bd90d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 30 Apr 2026 16:36:34 +0200 Subject: [PATCH 13/19] check crypt setup file --- system_setup/mount_ecrypt_home.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system_setup/mount_ecrypt_home.sh b/system_setup/mount_ecrypt_home.sh index d73a8eb..59f43fb 100755 --- a/system_setup/mount_ecrypt_home.sh +++ b/system_setup/mount_ecrypt_home.sh @@ -87,7 +87,7 @@ fi echo "Sucessfuly obtained IPA vault fileencryption key." #Setup and use encrypted filesystem -if [ ! -d "${DECRYPTEDDATADIR}" ] || [ -f "${HOME}/.config/gocryptfs/gocryptfs.conf" ]; then +if [ ! -d "${DECRYPTEDDATADIR}" ] || [ ! -f "${HOME}/.config/gocryptfs/gocryptfs.conf" ]; then #Key has been obtained, but no Directory was created till know echo "First Setup of encryption: Creating new Directories now" mkdir -p ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} ${HOME}/.config/gocryptfs From 554ef23c7e40b362130b083fd6cf35785be59cc9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 30 Apr 2026 16:43:46 +0200 Subject: [PATCH 14/19] Encryption: Add user_allow_other to /etc/fuse.conf --- system_setup/setup_system_full.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/system_setup/setup_system_full.sh b/system_setup/setup_system_full.sh index 257949e..f29f404 100755 --- a/system_setup/setup_system_full.sh +++ b/system_setup/setup_system_full.sh @@ -132,6 +132,9 @@ install_sw() #Make KDE single click echo -e "[KDE]\nSingleClick=true" | tee -a /etc/xdg/kdeglobals + #Make encryption accessible for root + echo "user_allow_other" >>/etc/fuse.conf + #Set openh264 enabled dnf config-manager setopt fedora-cisco-openh264.enabled=1 
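Review bot: `echo "user_allow_other" >>/etc/fuse.conf` appends a new line on every run of install_sw, so re-running the setup accumulates duplicate entries; guard it with `grep -qxF user_allow_other /etc/fuse.conf || echo user_allow_other >>/etc/fuse.conf`. The comment `#Make encryption accessible for root` undersells what the option does: it allows any unprivileged user on the machine to mount FUSE filesystems with allow_other, not just the gocryptfs home mount, so a comment along the lines of `# system-wide: lets unprivileged users mount FUSE filesystems with allow_other (needed by mount_ecrypt_home.sh)` records the trade-off for whoever hardens this later. install_sw starts before and ends after this hunk.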
From 58b23b00e73f690ef30136e4a522576da02bb284 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 30 Apr 2026 16:45:45 +0200 Subject: [PATCH 15/19] mozilla_pre: fixed server adress --- client_software/0020_nextcloud_mozilla_pre/user_run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client_software/0020_nextcloud_mozilla_pre/user_run.sh b/client_software/0020_nextcloud_mozilla_pre/user_run.sh index 096a674..b266be2 100755 --- a/client_software/0020_nextcloud_mozilla_pre/user_run.sh +++ b/client_software/0020_nextcloud_mozilla_pre/user_run.sh @@ -28,7 +28,7 @@ if not 'DAVTOKEN_USER' in environ: sys.exit(1) options = { - 'webdav_hostname': "https://nextcloud.obel1x.de/remote.php/dav/files/" + environ['DAVTOKEN_USER'], + 'webdav_hostname': "https://" + environ['SERVERFQDN_NC'] + "/remote.php/dav/files/" + environ['DAVTOKEN_USER'], 'webdav_login': environ['DAVTOKEN_USER'], 'webdav_password': environ['DAVTOKEN_PASS'] } From 8263d92b5bd0a529f77d3a609edd6488cd317e1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 30 Apr 2026 17:16:26 +0200 Subject: [PATCH 16/19] Add install_from_repo.sh --- install.md | 2 +- system_setup/install_from_repo.sh | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) create mode 100755 system_setup/install_from_repo.sh diff --git a/install.md b/install.md index caec2b1..e346678 100644 --- a/install.md +++ b/install.md @@ -1,4 +1,4 @@ -# OEMDRV Bootstrap — install.sh +# OEMDRV Bootstrap — install.sh + install_from_repo.sh the script `./system_setup/install.sh` prepares a target machine for automated Fedora deployment. It shrinks an existing partition to carve out a dedicated **OEMDRV** partition, which Anaconda/Kickstart will detect automatically during installation. diff --git a/system_setup/install_from_repo.sh b/system_setup/install_from_repo.sh new file mode 100755 index 0000000..5273ed6 --- /dev/null 
+++ b/system_setup/install_from_repo.sh @@ -0,0 +1,12 @@ +#!/usr/bin/env sh +# SPDX-FileCopyrightText: Daniel Pätzold +# SPDX-License-Identifier: AGPL-3.0-or-later +# +# Fetches the installfile from a repository and runs it +# +REPO_URL="${1:-https://gitea.dtext.online/obel1x/fedora-OEMDRV.git}" +REPO_BRANCH="${2:-main}" + +SCRIPTURL="${REPO_URL%.git}/raw/branch/${REPO_BRANCH}/system_setup/install.sh" +echo "Fetching from ${SCRIPTURL} and running script with sudo" +curl -fsSL ${SCRIPTURL} -o /tmp/install.sh && sudo bash /tmp/install.sh ${REPO_URL} From b088a03f880316772986d7b5ce76af50f5702f37 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 30 Apr 2026 18:01:48 +0200 Subject: [PATCH 17/19] Describe how to install with testenvironment --- install.md | 13 +++++++++++++ system_setup/install.sh | 11 ++++++----- system_setup/install_from_repo.sh | 12 ------------ 3 files changed, 19 insertions(+), 17 deletions(-) delete mode 100755 system_setup/install_from_repo.sh diff --git a/install.md b/install.md index e346678..da1bb03 100644 --- a/install.md +++ b/install.md @@ -26,6 +26,19 @@ curl -fsSL https://gitea.dtext.online/obel1x/fedora-OEMDRV/raw/branch/main/syste sudo bash /tmp/install.sh ``` +## Run directly from another repository + +If you are on another fork or branch and you want to test your changes, do: + +```bash +export REPO_URL="https://yourgitserver.tld/.../fedora-OEMDRV.git" +export REPO_BRANCH="anotherbranch" +curl -fsSL ${REPO_URL%.git}/raw/branch/${REPO_BRANCH}/system_setup/install.sh -o /tmp/install.sh +sudo -E bash /tmp/install.sh +``` + +That way, install.sh should know what to pull. + ## After the script completes Configure your environment before running any installation: diff --git a/system_setup/install.sh b/system_setup/install.sh index feb4072..5191cac 100755 --- a/system_setup/install.sh +++ b/system_setup/install.sh 
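Review bot: `curl -fsSL ${SCRIPTURL} -o /tmp/install.sh && sudo bash /tmp/install.sh ${REPO_URL}` downloads to a fixed name in the shared `/tmp` and then executes that path as root, so any other local user who creates or replaces `/tmp/install.sh` (or a symlink of that name) between the two commands gets their content run with sudo. Use a private temporary file and quote the expansions: `tmp=$(mktemp) || exit 1`, `curl -fsSL "$SCRIPTURL" -o "$tmp" && sudo bash "$tmp" "$REPO_URL"`, `rm -f -- "$tmp"`. The recipe in install.md from patch 17 onwards repeats the fixed `/tmp/install.sh` path and would benefit from the same change.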
@@ -14,7 +14,8 @@ SHRINK_MIB=4096 OEMDRV_LABEL="OEMDRV" MOUNT_POINT="/opt/sys_config" MOUNT_OPTS="compress=zstd:6" -REPO_URL="${1:-https://gitea.dtext.online/obel1x/fedora-OEMDRV.git}" +REPO_URL="${REPO_URL:-https://gitea.dtext.online/obel1x/fedora-OEMDRV.git}" +REPO_BRANCH="${REPO_BRANCH:-main}" MIN_FREE_MIB=$(( SHRINK_MIB + 512 )) # require 512 MiB headroom above the shrink size # ── Helpers ─────────────────────────────────────────────────────────────────── @@ -69,7 +70,7 @@ check_repo_url() { tmpdir=$(mktemp -d /tmp/oemdrv_repocheck.XXXXXX) - if ! curl -fsSL "${REPO_URL%.git}/raw/branch/main/system_setup/install.sh" \ + if ! curl -fsSL "${REPO_URL%.git}/raw/branch/${REPO_BRANCH}/system_setup/install.sh" \ -o "$tmpdir/install.sh" 2>/dev/null; then rm -rf "$tmpdir" return 1 @@ -293,13 +294,13 @@ info "Verifying repository URL..." check_repo_url case $? in 1) echo - echo "WARNING: '$REPO_URL' is not a reachable git repository." + echo "WARNING: '$REPO_URL' branch '${REPO_BRANCH}' is not a reachable git repository." read -r -p " Continue anyway? [y/N]: " ans [[ "${ans,,}" == "y" ]] || { echo "Aborted."; exit 0; } ;; 2) echo echo "WARNING: The checksum of this script does not match 'system_setup/install.sh'" - echo " at '$REPO_URL'." + echo " at '$REPO_URL' branch '${REPO_BRANCH}'." echo " You may be running an outdated or modified version of install.sh." read -r -p " Continue anyway? [y/N]: " ans [[ "${ans,,}" == "y" ]] || { echo "Aborted."; exit 0; } @@ -496,7 +497,7 @@ mount -o "$MOUNT_OPTS" "$OEMDRV_DEV" "$MOUNT_POINT" || die "mount failed." info "Cloning $REPO_URL into $MOUNT_POINT..." cd "$MOUNT_POINT" || die "Cannot cd to $MOUNT_POINT." -git clone --progress --depth 1 "$REPO_URL" . || die "git clone failed." +git clone --progress --depth 1 -b $REPO_BRANCH "$REPO_URL" . || die "git clone failed." # Write hardware UUID to a user-readable per-machine file dmidecode -t system | grep -i 'UUID' \ 
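Review bot: The rewritten clone line `git clone --progress --depth 1 -b $REPO_BRANCH "$REPO_URL" .` leaves `$REPO_BRANCH` unquoted, and the first hunk now takes that value from the caller's environment, so an empty or space-containing value is word-split away (leaving `-b` to eat the URL) and a value starting with `-` is parsed as an option. Quote it and validate the name before use: `git check-ref-format --branch "$REPO_BRANCH" >/dev/null 2>&1 || die "Invalid branch name: $REPO_BRANCH"` and `git clone --progress --depth 1 --branch "$REPO_BRANCH" -- "$REPO_URL" .`. In the `check_repo_url` case 1 message, the text "is not a reachable git repository" is now also shown when the repository is fine but the branch does not exist; wording it as "repository '$REPO_URL' or branch '$REPO_BRANCH' is not reachable" avoids misleading the user about the cause. The `die` and `info` helpers and the rest of `check_repo_url` are outside these hunks.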
diff --git a/system_setup/install_from_repo.sh b/system_setup/install_from_repo.sh deleted file mode 100755 index 5273ed6..0000000 --- a/system_setup/install_from_repo.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/usr/bin/env sh -# SPDX-FileCopyrightText: Daniel Pätzold -# SPDX-License-Identifier: AGPL-3.0-or-later -# -# Fetches the installfile from a repository and runs it -# -REPO_URL="${1:-https://gitea.dtext.online/obel1x/fedora-OEMDRV.git}" -REPO_BRANCH="${2:-main}" - -SCRIPTURL="${REPO_URL%.git}/raw/branch/${REPO_BRANCH}/system_setup/install.sh" -echo "Fetching from ${SCRIPTURL} and running script with sudo" -curl -fsSL ${SCRIPTURL} -o /tmp/install.sh && sudo bash /tmp/install.sh ${REPO_URL} From 1ffa1adafae22ac973eb5a5ecbd494ed6d11369d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 30 Apr 2026 18:06:24 +0200 Subject: [PATCH 18/19] Test install.sh --- install.md | 2 +- system_setup/install.sh | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/install.md b/install.md index da1bb03..d9c91ed 100644 --- a/install.md +++ b/install.md @@ -33,7 +33,7 @@ If you are on another fork or branch and you want to test your changes, do: ```bash export REPO_URL="https://yourgitserver.tld/.../fedora-OEMDRV.git" export REPO_BRANCH="anotherbranch" -curl -fsSL ${REPO_URL%.git}/raw/branch/${REPO_BRANCH}/system_setup/install.sh -o /tmp/install.sh +curl -fsSL ${REPO_URL%.git}/raw/branch/${REPO_BRANCH:-main}/system_setup/install.sh -o /tmp/install.sh sudo -E bash /tmp/install.sh ``` diff --git a/system_setup/install.sh b/system_setup/install.sh index 5191cac..053d1fe 100755 --- a/system_setup/install.sh +++ b/system_setup/install.sh 
@@ -14,8 +14,12 @@ SHRINK_MIB=4096 OEMDRV_LABEL="OEMDRV" MOUNT_POINT="/opt/sys_config" MOUNT_OPTS="compress=zstd:6" +echo ${REPO_URL} REPO_URL="${REPO_URL:-https://gitea.dtext.online/obel1x/fedora-OEMDRV.git}" REPO_BRANCH="${REPO_BRANCH:-main}" +echo ${REPO_URL} +exit 0 + MIN_FREE_MIB=$(( SHRINK_MIB + 512 )) # require 512 MiB headroom above the shrink size # ── Helpers ─────────────────────────────────────────────────────────────────── From a960c084b74226354233dfe5095af3393d724e2d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 30 Apr 2026 18:09:09 +0200 Subject: [PATCH 19/19] Undo test install.sh --- system_setup/install.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/system_setup/install.sh b/system_setup/install.sh index 053d1fe..5191cac 100755 --- a/system_setup/install.sh +++ b/system_setup/install.sh @@ -14,12 +14,8 @@ SHRINK_MIB=4096 OEMDRV_LABEL="OEMDRV" MOUNT_POINT="/opt/sys_config" MOUNT_OPTS="compress=zstd:6" -echo ${REPO_URL} REPO_URL="${REPO_URL:-https://gitea.dtext.online/obel1x/fedora-OEMDRV.git}" REPO_BRANCH="${REPO_BRANCH:-main}" -echo ${REPO_URL} -exit 0 - MIN_FREE_MIB=$(( SHRINK_MIB + 512 )) # require 512 MiB headroom above the shrink size # ── Helpers ───────────────────────────────────────────────────────────────────