Merge pull request 'configure.sh wizard, install improvements, encryption fixes, branch support' (#18) from unbrot/fedora-OEMDRV:main into devel

Reviewed-on: #18
2026-04-30 18:34:01 +02:00
parent da3ac68586 fdbd4e44f5
commit 9ce4686a2b
11 changed files with 161 additions and 75 deletions
@@ -9,5 +9,6 @@ config/skel.tar.zst
 config/.sync_*.db
 config/.sync_*.db
 config.d/*.conf
 config.d/*.sys
 ks_pc_prof/*
 ks.cfg
@@ -28,7 +28,7 @@ if not 'DAVTOKEN_USER' in environ:
  sys.exit(1)
 options = {
- 'webdav_hostname': "https://nextcloud.obel1x.de/remote.php/dav/files/" + environ['DAVTOKEN_USER'],
+ 'webdav_hostname': "https://" + environ['SERVERFQDN_NC'] + "/remote.php/dav/files/" + environ['DAVTOKEN_USER'],
 'webdav_login':    environ['DAVTOKEN_USER'],
 'webdav_password': environ['DAVTOKEN_PASS']
 }
@@ -12,22 +12,25 @@ export INSTALLDOCS="https://gitea.dtext.online/obel1x/fedora-OEMDRV/src/branch/m
 export UPGRADEURL="https://gitea.dtext.online/obel1x/fedora-OEMDRV.git"
 export UPGRADEBRANCH="main"
 #Group, that will have sudo rights on the client
 export CLIENTADMINGROUP="clientadmins"
 # Method to determine Unique Hostname / FQDN of the Client. May be replaced by your needs
 if [ "$EUID" -eq 0 ]; then
    export HOSTNM="pc-$( dmidecode -t system | grep -i 'UUID' | sed 's/UUID: //' | tr '[:upper:]' '[:lower:]' | sed 's/[^0-9a-z]*//g' | xargs|tail -c 13)"
 else
    export HOSTNM=$( hostname -s )
 fi
 export FQDN=${HOSTNM}.${DOMAIN}
 #Configuration Files - maybe syned with your companies settings
 export SYSCONFIGPATH="/opt/sys_config"
 export DISTCONFIGPATH="/opt/sys_config/config"
 export DISTCONFIGPATH_SRC="/Shared/sw_geteilt/client_settings"
 #Group, that will have sudo rights on the client
 export CLIENTADMINGROUP="clientadmins"
 # Method to determine Unique Hostname / FQDN of the Client. May be replaced by your needs
 #Should always had been set by install.sh and should be there anyway.
 #if [ ! -r ${SYSCONFIGPATH}/config.d/machine_uuid.sys ]; then
 #elif [ "$EUID" -eq 0 ]; then
 #    export HOSTNM="pc-$( dmidecode -t system | grep -i 'UUID' | sed 's/UUID: //' | tr '[:upper:]' '[:lower:]' | sed 's/[^0-9a-z]*//g' | xargs|tail -c 13)"
 #else
 #    export HOSTNM=$( hostname -s )
 #fi
 export HOSTNM="pc-$( cat /opt/sys_config/config.d/machine_uuid.sys )"
 export FQDN=${HOSTNM}.${DOMAIN}
 #Additional Client-Software- Repository-Folder in Nextcloud (Shared Folder / Systemwide)
 export CLIENT_SOFTWARE_DST="/opt/sys_config/client_software" # Optional. If you don't have a Folder that should always be synced, leave this empty
 export CLIENT_SOFTWARE_SRC="/Shared/sw_geteilt/client_software" Set to the Nextcloud directory where the software should come from
@@ -1,4 +1,4 @@
-# OEMDRV Bootstrap — install.sh
+# OEMDRV Bootstrap — install.sh + install_from_repo.sh
 the script `./system_setup/install.sh` prepares a target machine for automated Fedora deployment. It shrinks an existing partition to carve out a dedicated **OEMDRV** partition, which Anaconda/Kickstart will detect automatically during installation.
@@ -26,6 +26,19 @@ curl -fsSL https://gitea.dtext.online/obel1x/fedora-OEMDRV/raw/branch/main/syste
 sudo bash /tmp/install.sh
 ```
 ## Run directly from another repository
 If you are on another fork or branch and you want to test your changes, do:
 ```bash
 export REPO_URL="https://yourgitserver.tld/.../fedora-OEMDRV.git"
 export REPO_BRANCH="anotherbranch"
 curl -fsSL ${REPO_URL%.git}/raw/branch/${REPO_BRANCH:-main}/system_setup/install.sh -o /tmp/install.sh
 sudo -E bash /tmp/install.sh
 ```
 That way, install.sh should know what to pull.
 ## After the script completes
 Configure your environment before running any installation:
@@ -82,9 +82,8 @@ authselect enable-feature with-fingerprint
 # Generated using Blivet version 3.12.1
-ignoredisk --only-use=sda
+ignoredisk --only-use=sda,nvme0n1
-# Partition clearing information
+# Partition clearing information - do NOT USE --initlabel !
 #clearpart --none --initlabel
 clearpart --none
 autopart --type=btrfs
@@ -93,9 +93,8 @@ nss-pam-ldapd
 authselect enable-feature with-fingerprint
 # Generated using Blivet version 3.12.1
-ignoredisk --only-use=sda
+ignoredisk --only-use=sda,nvme0n1
-# Partition clearing information
+# Partition clearing information - do NOT USE --initlabel !
 #clearpart --none --initlabel
 clearpart --none
 autopart --type=btrfs
@@ -49,30 +49,24 @@ do_configure() {
    echo ""
    echo "=== System Configuration ==="
    echo "Press Enter to keep the current value, or type a new one."
    echo ""
    source "$CONF_FILE"
-    VARS=("TLDOMAIN" "DOMAIN" "SERVERFQDN_IPA" "SERVERFQDN_NC" "CLIENTADMINGROUP" "IPAVAULTUSE" )
+    VARS=("TLDOMAIN" "SERVERFQDN_IPA" "DOMAIN" "SERVERFQDN_NC" "IPAVAULTUSE" "IPAVAULTNAME" "DISTCONFIGPATH_SRC" "CLIENTADMINGROUP" )
    for ELE in "${VARS[@]}"
    do
        while true; do
            echo ""
            new_ELE=$(prompt_value "${ELE}" "${!ELE}")
            set_conf_var "${ELE}" "${new_ELE}"
            source "$CONF_FILE"
-    done
+            REPEAT_TEST=1
-
+            case ${ELE} in
-    echo ""
+                "SERVERFQDN_NC") echo "=== Testing: Nextcloud server ==="
    echo "Configuration written to: ${CONF_FILE}"
 }
 while true; do
    do_configure
    echo ""
    echo "=== Testing: Nextcloud server ==="
                    NC_STATUS=$(curl -fsSL "https://${SERVERFQDN_NC}/status.php" 2>/dev/null)
                    if echo "$NC_STATUS" | grep -q '"installed":true'; then
                        NC_VERSION=$(echo "$NC_STATUS" | grep -oP '(?<="versionstring":")[^"]+')
                        echo "Nextcloud confirmed at ${SERVERFQDN_NC} (version ${NC_VERSION})."
                        REPEAT_TEST=0
                    else
                        echo ""
                        echo "WARNING: '${SERVERFQDN_NC}' does not appear to be a valid Nextcloud server."
@@ -82,15 +76,14 @@ while true; do
                            echo "Quitting."
                            exit 1
                        fi
        continue
                    fi
-
+                    ;;
-    echo ""
+                "SERVERFQDN_IPA") echo "=== Testing: FreeIPA server ==="
    echo "=== Testing: FreeIPA server ==="
                    IPA_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
                    "https://${SERVERFQDN_IPA}/ipa/session/json" 2>/dev/null)
                    if [[ "$IPA_CODE" == "200" || "$IPA_CODE" == "401" ]]; then
                        echo "FreeIPA server confirmed at ${SERVERFQDN_IPA}."
                        REPEAT_TEST=0
                    else
                        echo ""
                        echo "WARNING: '${SERVERFQDN_IPA}' does not appear to be a valid FreeIPA server."
@@ -100,8 +93,48 @@ while true; do
                            echo "Quitting."
                            exit 1
                        fi
        continue
                    fi
                    ;;
                "DOMAIN") echo "=== Testing: IPA Domain DNS records ==="
                    if ! command -v dig &>/dev/null; then
                        echo "WARNING: 'dig' not found; skipping DNS check."
                        REPEAT_TEST=0
                    else
                        LDAP_SRV=$(dig +short SRV "_ldap._tcp.${DOMAIN}" 2>/dev/null)
                        KRB_TXT=$(dig +short TXT "_kerberos.${DOMAIN}" 2>/dev/null)
                        KDC_SRV=$(dig +short SRV "_kerberos._udp.${DOMAIN}" 2>/dev/null)
                        if [[ -n "$LDAP_SRV" && -n "$KRB_TXT" ]]; then
                            REALM=$(echo "$KRB_TXT" | tr -d '"')
                            echo "IPA domain confirmed: ${DOMAIN}"
                            echo "  Kerberos realm : ${REALM}"
                            [[ -n "$KDC_SRV" ]] && echo "  KDC SRV        : ${KDC_SRV}"
                            REPEAT_TEST=0
                        else
                            echo ""
                            [[ -z "$LDAP_SRV" ]] && echo "WARNING: No _ldap._tcp.${DOMAIN} SRV record found."
                            [[ -z "$KRB_TXT" ]] && echo "WARNING: No _kerberos.${DOMAIN} TXT record found."
                            echo "         '${DOMAIN}' does not appear to be a valid IPA domain."
                            read -rp "Start configuration again (a) or quit (q)? [a/q]: " ans
                            if [[ "${ans,,}" == "q" ]]; then
                                echo "Quitting."
                                exit 1
                            fi
                        fi
                    fi
                    ;;
                *) REPEAT_TEST=0
                    ;;
            esac
            [[ $REPEAT_TEST == 0 ]] && break
        done
    done
    echo ""
    echo "Configuration written to: ${CONF_FILE}"
 }
 while true; do
    do_configure
    echo ""
    echo "=== Select Kickstart Profile ==="
@@ -14,7 +14,8 @@ SHRINK_MIB=4096
 OEMDRV_LABEL="OEMDRV"
 MOUNT_POINT="/opt/sys_config"
 MOUNT_OPTS="compress=zstd:6"
-REPO_URL="${1:-https://gitea.dtext.online/obel1x/fedora-OEMDRV.git}"
+REPO_URL="${REPO_URL:-https://gitea.dtext.online/obel1x/fedora-OEMDRV.git}"
 REPO_BRANCH="${REPO_BRANCH:-main}"
 MIN_FREE_MIB=$(( SHRINK_MIB + 512 ))   # require 512 MiB headroom above the shrink size
 # ── Helpers ───────────────────────────────────────────────────────────────────
@@ -28,11 +29,37 @@ require_root() {
 }
 check_tools() {
    declare -A tool_pkg=(
        [lsblk]="util-linux"       [blkid]="util-linux"
        [parted]="parted"          [partprobe]="parted"
        [mkfs.btrfs]="btrfs-progs" [git]="git"
        [e2fsck]="e2fsprogs"       [resize2fs]="e2fsprogs"
        [tune2fs]="e2fsprogs"
    )
    local missing=()
    for tool in lsblk blkid parted partprobe mkfs.btrfs git e2fsck resize2fs tune2fs; do
        command -v "$tool" >/dev/null 2>&1 || missing+=("$tool")
    done
-    [[ ${#missing[@]} -eq 0 ]] || die "Missing required tools: ${missing[*]}"
+    [[ ${#missing[@]} -eq 0 ]] && return 0
    echo "Missing required tools: ${missing[*]}"
    local pkgs=()
    for tool in "${missing[@]}"; do
        local pkg="${tool_pkg[$tool]}"
        [[ " ${pkgs[*]} " != *" $pkg "* ]] && pkgs+=("$pkg")
    done
    read -r -p "  Install missing packages (${pkgs[*]}) with dnf? [y/N]: " ans
    if [[ "${ans,,}" == "y" ]]; then
        dnf install -y "${pkgs[@]}" || die "Package installation failed."
        local still_missing=()
        for tool in "${missing[@]}"; do
            command -v "$tool" >/dev/null 2>&1 || still_missing+=("$tool")
        done
        [[ ${#still_missing[@]} -eq 0 ]] || die "Still missing after install: ${still_missing[*]}"
    else
        die "Missing required tools: ${missing[*]}"
    fi
 }
 # Returns 0 if the remote install.sh matches this script's checksum,
@@ -43,7 +70,7 @@ check_repo_url() {
    tmpdir=$(mktemp -d /tmp/oemdrv_repocheck.XXXXXX)
-    if ! curl -fsSL "${REPO_URL%.git}/raw/branch/main/system_setup/install.sh" \
+    if ! curl -fsSL "${REPO_URL%.git}/raw/branch/${REPO_BRANCH}/system_setup/install.sh" \
              -o "$tmpdir/install.sh" 2>/dev/null; then
        rm -rf "$tmpdir"
        return 1
@@ -267,13 +294,13 @@ info "Verifying repository URL..."
 check_repo_url
 case $? in
    1) echo
-       echo "WARNING: '$REPO_URL' is not a reachable git repository."
+       echo "WARNING: '$REPO_URL' branch '${REPO_BRANCH}' is not a reachable git repository."
       read -r -p "  Continue anyway? [y/N]: " ans
       [[ "${ans,,}" == "y" ]] || { echo "Aborted."; exit 0; }
       ;;
    2) echo
       echo "WARNING: The checksum of this script does not match 'system_setup/install.sh'"
-       echo "         at '$REPO_URL'."
+       echo "         at '$REPO_URL' branch '${REPO_BRANCH}'."
       echo "         You may be running an outdated or modified version of install.sh."
       read -r -p "  Continue anyway? [y/N]: " ans
       [[ "${ans,,}" == "y" ]] || { echo "Aborted."; exit 0; }
@@ -470,8 +497,15 @@ mount -o "$MOUNT_OPTS" "$OEMDRV_DEV" "$MOUNT_POINT" || die "mount failed."
 info "Cloning $REPO_URL into $MOUNT_POINT..."
 cd "$MOUNT_POINT" || die "Cannot cd to $MOUNT_POINT."
-git clone --progress --depth 1 "$REPO_URL" . || die "git clone failed."
+git clone --progress --depth 1 -b $REPO_BRANCH "$REPO_URL" . || die "git clone failed."
-chmod o=rwX . -R # to make changes to the configuration possible after install
+
 # Write hardware UUID to a user-readable per-machine file
 dmidecode -t system | grep -i 'UUID' \
    | sed 's/UUID: //' | tr '[:upper:]' '[:lower:]' \
    | sed 's/[^0-9a-z]*//g' | xargs | tail -c 13 \
    > "./config.d/machine_uuid.sys"
    chmod o=rwX . -R # to make changes to the configuration possible after install
 # ── Done ──────────────────────────────────────────────────────────────────────
@@ -80,19 +80,20 @@ else
    fi
 fi
 if [ "${ENCKEY}." == "." ]; then
-    echo "Some Error while fetching your Credentials. This should not happen. Quit."
+    echo "Some Error while fetching your IPA Vault Key. This should not happen. Quit."
    rm /var/tmp/IPAVAULTKEY.txt
    exit 2
 fi
 echo "Sucessfuly obtained IPA vault fileencryption key."
 #Setup and use encrypted filesystem
-if [ ! -d "${DECRYPTEDDATADIR}" ]; then
+if [ ! -d "${DECRYPTEDDATADIR}" ] || [ ! -f "${HOME}/.config/gocryptfs/gocryptfs.conf" ]; then
    #Key has been obtained, but no Directory was created till know
    echo "First Setup of encryption: Creating new Directories now"
    mkdir -p ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} ${HOME}/.config/gocryptfs
-    gocryptfs -init -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} >/dev/null
+    gocryptfs -init -allow_other -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} >/dev/null
 fi
-gocryptfs -noprealloc -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null
+gocryptfs -noprealloc -allow_other -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null
 RETVAL=$?
 rm /var/tmp/IPAVAULTKEY.txt
 cd ${EXECDIR}
@@ -100,6 +101,6 @@ if [ ${RETVAL} -eq 0 ]; then
    echo "Sucessfully mounted encrypted private Directory ${DECRYPTEDDATADIR}"
    exit 0
 else
-    echo "Errorcode ${RETAVAL}"
+    echo "Errorcode ${RETVAL}"
    exit 1
 fi
@@ -67,7 +67,7 @@ ExecStart=/bin/sh ${SCRIPTPATH}/${SCRIPTNAME} firstrun_run
 #ExecStart=-/sbin/agetty --noclear -n -l "/bin/sh ${SCRIPTPATH}/${SCRIPTNAME} firstrun_run" %I 38400
 # user interaction in tty8
 StandardInput=tty
-TTYPath=/dev/tty2
+TTYPath=/dev/tty8
 TTYReset=yes
 TTYVHangup=yes
@@ -132,6 +132,9 @@ install_sw()
  #Make KDE single click
  echo -e "[KDE]\nSingleClick=true" | tee -a /etc/xdg/kdeglobals
  #Make encryption accessible for root
  echo "user_allow_other" >>/etc/fuse.conf
  #Set openh264 enabled
  dnf config-manager setopt fedora-cisco-openh264.enabled=1
@@ -142,7 +145,7 @@ install_sw()
 ipa_register_host()
 {
 #Integrate this PC into Domain
-chvt 2
+chvt 8
 #Check if IPA is already Configured
 echo "Checking for existing IPA- Setup."
 if ( grep -q "${FQDN}" /etc/ipa/default.conf ); then
@@ -12,7 +12,7 @@ fi
 #Check Token
 if [ "${DAVTOKEN_USER}." == "." ]; then
-    echo "Error: Script cannot be executed standalone, must be run with a matching sudo rule and needs a prereserved environement from logon-script."
+    echo "Error: Script cannot be executed standalone, must be run with a matching sudo rule and needs a prereserved environment from logon-script."
    echo "A matching sudo rule could look like this: "'^'${SYSCONFIGPATH////'\/'}'\/system_setup\/sync_client_software\.sh.*$'
    echo "Hint: the rule must contain the !authenticate and setenv option to work."
    echo "Press any key to continue" && read -n 1 -s -r && exit 1