Merge pull request 'configure.sh wizard, install improvements, encryption fixes, branch support' (#19) from devel into main

Reviewed-on: #19

.gitignore

@@ -9,5 +9,6 @@ config/skel.tar.zst
 config/.sync_*.db
 config/.sync_*.db
 config.d/*.conf
+config.d/*.sys
 ks_pc_prof/*
 ks.cfg

client_software/0020_nextcloud_mozilla_pre/user_run.sh

@@ -28,7 +28,7 @@ if not 'DAVTOKEN_USER' in environ:
   sys.exit(1)
 
 options = {
- 'webdav_hostname': "https://nextcloud.obel1x.de/remote.php/dav/files/" + environ['DAVTOKEN_USER'],
+ 'webdav_hostname': "https://" + environ['SERVERFQDN_NC'] + "/remote.php/dav/files/" + environ['DAVTOKEN_USER'],
  'webdav_login':    environ['DAVTOKEN_USER'],
  'webdav_password': environ['DAVTOKEN_PASS']
 }

config/setup_system.conf.dist

@@ -12,22 +12,25 @@ export INSTALLDOCS="https://gitea.dtext.online/obel1x/fedora-OEMDRV/src/branch/m
 export UPGRADEURL="https://gitea.dtext.online/obel1x/fedora-OEMDRV.git"
 export UPGRADEBRANCH="main"
 
-#Group, that will have sudo rights on the client
-export CLIENTADMINGROUP="clientadmins"
-
-# Method to determine Unique Hostname / FQDN of the Client. May be replaced by your needs
-if [ "$EUID" -eq 0 ]; then
-    export HOSTNM="pc-$( dmidecode -t system | grep -i 'UUID' | sed 's/UUID: //' | tr '[:upper:]' '[:lower:]' | sed 's/[^0-9a-z]*//g' | xargs|tail -c 13)"
-else
-    export HOSTNM=$( hostname -s )
-fi
-export FQDN=${HOSTNM}.${DOMAIN}
-
 #Configuration Files - maybe syned with your companies settings
 export SYSCONFIGPATH="/opt/sys_config"
 export DISTCONFIGPATH="/opt/sys_config/config"
 export DISTCONFIGPATH_SRC="/Shared/sw_geteilt/client_settings"
 
+#Group, that will have sudo rights on the client
+export CLIENTADMINGROUP="clientadmins"
+
+# Method to determine Unique Hostname / FQDN of the Client. May be replaced by your needs
+#Should always had been set by install.sh and should be there anyway.
+#if [ ! -r ${SYSCONFIGPATH}/config.d/machine_uuid.sys ]; then
+#elif [ "$EUID" -eq 0 ]; then
+#    export HOSTNM="pc-$( dmidecode -t system | grep -i 'UUID' | sed 's/UUID: //' | tr '[:upper:]' '[:lower:]' | sed 's/[^0-9a-z]*//g' | xargs|tail -c 13)"
+#else
+#    export HOSTNM=$( hostname -s )
+#fi
+export HOSTNM="pc-$( cat /opt/sys_config/config.d/machine_uuid.sys )"
+export FQDN=${HOSTNM}.${DOMAIN}
+
 #Additional Client-Software- Repository-Folder in Nextcloud (Shared Folder / Systemwide)
 export CLIENT_SOFTWARE_DST="/opt/sys_config/client_software" # Optional. If you don't have a Folder that should always be synced, leave this empty
 export CLIENT_SOFTWARE_SRC="/Shared/sw_geteilt/client_software" Set to the Nextcloud directory where the software should come from

install.md

@@ -1,4 +1,4 @@
-# OEMDRV Bootstrap — install.sh
+# OEMDRV Bootstrap — install.sh + install_from_repo.sh
 
 the script `./system_setup/install.sh` prepares a target machine for automated Fedora deployment. It shrinks an existing partition to carve out a dedicated **OEMDRV** partition, which Anaconda/Kickstart will detect automatically during installation.
 
@@ -26,6 +26,19 @@ curl -fsSL https://gitea.dtext.online/obel1x/fedora-OEMDRV/raw/branch/main/syste
 sudo bash /tmp/install.sh
 ```
 
+## Run directly from another repository
+
+If you are on another fork or branch and you want to test your changes, do:
+
+```bash
+export REPO_URL="https://yourgitserver.tld/.../fedora-OEMDRV.git"
+export REPO_BRANCH="anotherbranch"
+curl -fsSL ${REPO_URL%.git}/raw/branch/${REPO_BRANCH:-main}/system_setup/install.sh -o /tmp/install.sh
+sudo -E bash /tmp/install.sh
+```
+
+That way, install.sh should know what to pull.
+
 ## After the script completes
 
 Configure your environment before running any installation:

ks_base_profiles/cinnamon_fullsetup.cfg

@@ -82,9 +82,8 @@ authselect enable-feature with-fingerprint
 
 
 # Generated using Blivet version 3.12.1
-ignoredisk --only-use=sda
-# Partition clearing information
-#clearpart --none --initlabel
+ignoredisk --only-use=sda,nvme0n1
+# Partition clearing information - do NOT USE --initlabel !
 clearpart --none
 autopart --type=btrfs
 

ks_base_profiles/kde_fullsetup.cfg

@@ -93,9 +93,8 @@ nss-pam-ldapd
 authselect enable-feature with-fingerprint
 
 # Generated using Blivet version 3.12.1
-ignoredisk --only-use=sda
-# Partition clearing information
-#clearpart --none --initlabel
+ignoredisk --only-use=sda,nvme0n1
+# Partition clearing information - do NOT USE --initlabel !
 clearpart --none
 autopart --type=btrfs
 

system_setup/configure.sh

@@ -49,15 +49,84 @@ do_configure() {
     echo ""
     echo "=== System Configuration ==="
     echo "Press Enter to keep the current value, or type a new one."
-    echo ""
 
     source "$CONF_FILE"
-    VARS=("TLDOMAIN" "DOMAIN" "SERVERFQDN_IPA" "SERVERFQDN_NC" "CLIENTADMINGROUP" "IPAVAULTUSE" )
+    VARS=("TLDOMAIN" "SERVERFQDN_IPA" "DOMAIN" "SERVERFQDN_NC" "IPAVAULTUSE" "IPAVAULTNAME" "DISTCONFIGPATH_SRC" "CLIENTADMINGROUP" )
     for ELE in "${VARS[@]}"
     do
-        new_ELE=$(prompt_value "${ELE}" "${!ELE}")
-        set_conf_var "${ELE}" "${new_ELE}"
-        source "$CONF_FILE"
+        while true; do
+            echo ""
+            new_ELE=$(prompt_value "${ELE}" "${!ELE}")
+            set_conf_var "${ELE}" "${new_ELE}"
+            source "$CONF_FILE"
+            REPEAT_TEST=1
+            case ${ELE} in
+                "SERVERFQDN_NC") echo "=== Testing: Nextcloud server ==="
+                    NC_STATUS=$(curl -fsSL "https://${SERVERFQDN_NC}/status.php" 2>/dev/null)
+                    if echo "$NC_STATUS" | grep -q '"installed":true'; then
+                        NC_VERSION=$(echo "$NC_STATUS" | grep -oP '(?<="versionstring":")[^"]+')
+                        echo "Nextcloud confirmed at ${SERVERFQDN_NC} (version ${NC_VERSION})."
+                        REPEAT_TEST=0
+                    else
+                        echo ""
+                        echo "WARNING: '${SERVERFQDN_NC}' does not appear to be a valid Nextcloud server."
+                        echo "         Could not reach https://${SERVERFQDN_NC}/status.php or response was unexpected."
+                        read -rp "Start configuration again (a) or quit (q)? [a/q]: " ans
+                        if [[ "${ans,,}" == "q" ]]; then
+                            echo "Quitting."
+                            exit 1
+                        fi
+                    fi
+                    ;;
+                "SERVERFQDN_IPA") echo "=== Testing: FreeIPA server ==="
+                    IPA_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
+                    "https://${SERVERFQDN_IPA}/ipa/session/json" 2>/dev/null)
+                    if [[ "$IPA_CODE" == "200" || "$IPA_CODE" == "401" ]]; then
+                        echo "FreeIPA server confirmed at ${SERVERFQDN_IPA}."
+                        REPEAT_TEST=0
+                    else
+                        echo ""
+                        echo "WARNING: '${SERVERFQDN_IPA}' does not appear to be a valid FreeIPA server."
+                        echo "         https://${SERVERFQDN_IPA}/ipa/session/json returned: ${IPA_CODE:-no response}"
+                        read -rp "Start configuration again (a) or quit (q)? [a/q]: " ans
+                        if [[ "${ans,,}" == "q" ]]; then
+                            echo "Quitting."
+                            exit 1
+                        fi
+                    fi
+                    ;;
+                "DOMAIN") echo "=== Testing: IPA Domain DNS records ==="
+                    if ! command -v dig &>/dev/null; then
+                        echo "WARNING: 'dig' not found; skipping DNS check."
+                        REPEAT_TEST=0
+                    else
+                        LDAP_SRV=$(dig +short SRV "_ldap._tcp.${DOMAIN}" 2>/dev/null)
+                        KRB_TXT=$(dig +short TXT "_kerberos.${DOMAIN}" 2>/dev/null)
+                        KDC_SRV=$(dig +short SRV "_kerberos._udp.${DOMAIN}" 2>/dev/null)
+                        if [[ -n "$LDAP_SRV" && -n "$KRB_TXT" ]]; then
+                            REALM=$(echo "$KRB_TXT" | tr -d '"')
+                            echo "IPA domain confirmed: ${DOMAIN}"
+                            echo "  Kerberos realm : ${REALM}"
+                            [[ -n "$KDC_SRV" ]] && echo "  KDC SRV        : ${KDC_SRV}"
+                            REPEAT_TEST=0
+                        else
+                            echo ""
+                            [[ -z "$LDAP_SRV" ]] && echo "WARNING: No _ldap._tcp.${DOMAIN} SRV record found."
+                            [[ -z "$KRB_TXT" ]] && echo "WARNING: No _kerberos.${DOMAIN} TXT record found."
+                            echo "         '${DOMAIN}' does not appear to be a valid IPA domain."
+                            read -rp "Start configuration again (a) or quit (q)? [a/q]: " ans
+                            if [[ "${ans,,}" == "q" ]]; then
+                                echo "Quitting."
+                                exit 1
+                            fi
+                        fi
+                    fi
+                    ;;
+                *) REPEAT_TEST=0
+                    ;;
+            esac
+            [[ $REPEAT_TEST == 0 ]] && break
+        done
     done
 
     echo ""
@@ -67,42 +136,6 @@ do_configure() {
 while true; do
     do_configure
 
-    echo ""
-    echo "=== Testing: Nextcloud server ==="
-    NC_STATUS=$(curl -fsSL "https://${SERVERFQDN_NC}/status.php" 2>/dev/null)
-    if echo "$NC_STATUS" | grep -q '"installed":true'; then
-        NC_VERSION=$(echo "$NC_STATUS" | grep -oP '(?<="versionstring":")[^"]+')
-        echo "Nextcloud confirmed at ${SERVERFQDN_NC} (version ${NC_VERSION})."
-    else
-        echo ""
-        echo "WARNING: '${SERVERFQDN_NC}' does not appear to be a valid Nextcloud server."
-        echo "         Could not reach https://${SERVERFQDN_NC}/status.php or response was unexpected."
-        read -rp "Start configuration again (a) or quit (q)? [a/q]: " ans
-        if [[ "${ans,,}" == "q" ]]; then
-            echo "Quitting."
-            exit 1
-        fi
-        continue
-    fi
-
-    echo ""
-    echo "=== Testing: FreeIPA server ==="
-    IPA_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
-        "https://${SERVERFQDN_IPA}/ipa/session/json" 2>/dev/null)
-    if [[ "$IPA_CODE" == "200" || "$IPA_CODE" == "401" ]]; then
-        echo "FreeIPA server confirmed at ${SERVERFQDN_IPA}."
-    else
-        echo ""
-        echo "WARNING: '${SERVERFQDN_IPA}' does not appear to be a valid FreeIPA server."
-        echo "         https://${SERVERFQDN_IPA}/ipa/session/json returned: ${IPA_CODE:-no response}"
-        read -rp "Start configuration again (a) or quit (q)? [a/q]: " ans
-        if [[ "${ans,,}" == "q" ]]; then
-            echo "Quitting."
-            exit 1
-        fi
-        continue
-    fi
-
     echo ""
     echo "=== Select Kickstart Profile ==="
     KS_DIR="${SCRIPTDIR}/../ks_base_profiles"

system_setup/install.sh

@@ -14,7 +14,8 @@ SHRINK_MIB=4096
 OEMDRV_LABEL="OEMDRV"
 MOUNT_POINT="/opt/sys_config"
 MOUNT_OPTS="compress=zstd:6"
-REPO_URL="${1:-https://gitea.dtext.online/obel1x/fedora-OEMDRV.git}"
+REPO_URL="${REPO_URL:-https://gitea.dtext.online/obel1x/fedora-OEMDRV.git}"
+REPO_BRANCH="${REPO_BRANCH:-main}"
 MIN_FREE_MIB=$(( SHRINK_MIB + 512 ))   # require 512 MiB headroom above the shrink size
 
 # ── Helpers ───────────────────────────────────────────────────────────────────
@@ -28,11 +29,37 @@ require_root() {
 }
 
 check_tools() {
+    declare -A tool_pkg=(
+        [lsblk]="util-linux"       [blkid]="util-linux"
+        [parted]="parted"          [partprobe]="parted"
+        [mkfs.btrfs]="btrfs-progs" [git]="git"
+        [e2fsck]="e2fsprogs"       [resize2fs]="e2fsprogs"
+        [tune2fs]="e2fsprogs"
+    )
     local missing=()
     for tool in lsblk blkid parted partprobe mkfs.btrfs git e2fsck resize2fs tune2fs; do
         command -v "$tool" >/dev/null 2>&1 || missing+=("$tool")
     done
-    [[ ${#missing[@]} -eq 0 ]] || die "Missing required tools: ${missing[*]}"
+    [[ ${#missing[@]} -eq 0 ]] && return 0
+
+    echo "Missing required tools: ${missing[*]}"
+    local pkgs=()
+    for tool in "${missing[@]}"; do
+        local pkg="${tool_pkg[$tool]}"
+        [[ " ${pkgs[*]} " != *" $pkg "* ]] && pkgs+=("$pkg")
+    done
+
+    read -r -p "  Install missing packages (${pkgs[*]}) with dnf? [y/N]: " ans
+    if [[ "${ans,,}" == "y" ]]; then
+        dnf install -y "${pkgs[@]}" || die "Package installation failed."
+        local still_missing=()
+        for tool in "${missing[@]}"; do
+            command -v "$tool" >/dev/null 2>&1 || still_missing+=("$tool")
+        done
+        [[ ${#still_missing[@]} -eq 0 ]] || die "Still missing after install: ${still_missing[*]}"
+    else
+        die "Missing required tools: ${missing[*]}"
+    fi
 }
 
 # Returns 0 if the remote install.sh matches this script's checksum,
@@ -43,7 +70,7 @@ check_repo_url() {
 
     tmpdir=$(mktemp -d /tmp/oemdrv_repocheck.XXXXXX)
 
-    if ! curl -fsSL "${REPO_URL%.git}/raw/branch/main/system_setup/install.sh" \
+    if ! curl -fsSL "${REPO_URL%.git}/raw/branch/${REPO_BRANCH}/system_setup/install.sh" \
               -o "$tmpdir/install.sh" 2>/dev/null; then
         rm -rf "$tmpdir"
         return 1
@@ -267,13 +294,13 @@ info "Verifying repository URL..."
 check_repo_url
 case $? in
     1) echo
-       echo "WARNING: '$REPO_URL' is not a reachable git repository."
+       echo "WARNING: '$REPO_URL' branch '${REPO_BRANCH}' is not a reachable git repository."
        read -r -p "  Continue anyway? [y/N]: " ans
        [[ "${ans,,}" == "y" ]] || { echo "Aborted."; exit 0; }
        ;;
     2) echo
        echo "WARNING: The checksum of this script does not match 'system_setup/install.sh'"
-       echo "         at '$REPO_URL'."
+       echo "         at '$REPO_URL' branch '${REPO_BRANCH}'."
        echo "         You may be running an outdated or modified version of install.sh."
        read -r -p "  Continue anyway? [y/N]: " ans
        [[ "${ans,,}" == "y" ]] || { echo "Aborted."; exit 0; }
@@ -470,8 +497,15 @@ mount -o "$MOUNT_OPTS" "$OEMDRV_DEV" "$MOUNT_POINT" || die "mount failed."
 
 info "Cloning $REPO_URL into $MOUNT_POINT..."
 cd "$MOUNT_POINT" || die "Cannot cd to $MOUNT_POINT."
-git clone --progress --depth 1 "$REPO_URL" . || die "git clone failed."
-chmod o=rwX . -R # to make changes to the configuration possible after install
+git clone --progress --depth 1 -b $REPO_BRANCH "$REPO_URL" . || die "git clone failed."
+
+# Write hardware UUID to a user-readable per-machine file
+dmidecode -t system | grep -i 'UUID' \
+    | sed 's/UUID: //' | tr '[:upper:]' '[:lower:]' \
+    | sed 's/[^0-9a-z]*//g' | xargs | tail -c 13 \
+    > "./config.d/machine_uuid.sys"
+
+    chmod o=rwX . -R # to make changes to the configuration possible after install
 
 # ── Done ──────────────────────────────────────────────────────────────────────
 

system_setup/mount_ecrypt_home.sh

@@ -80,19 +80,20 @@ else
     fi
 fi
 if [ "${ENCKEY}." == "." ]; then
-    echo "Some Error while fetching your Credentials. This should not happen. Quit."
+    echo "Some Error while fetching your IPA Vault Key. This should not happen. Quit."
     rm /var/tmp/IPAVAULTKEY.txt
     exit 2
 fi
+echo "Sucessfuly obtained IPA vault fileencryption key."
 
 #Setup and use encrypted filesystem
-if [ ! -d "${DECRYPTEDDATADIR}" ]; then
+if [ ! -d "${DECRYPTEDDATADIR}" ] || [ ! -f "${HOME}/.config/gocryptfs/gocryptfs.conf" ]; then
     #Key has been obtained, but no Directory was created till know
     echo "First Setup of encryption: Creating new Directories now"
     mkdir -p ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} ${HOME}/.config/gocryptfs
-    gocryptfs -init -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} >/dev/null
+    gocryptfs -init -allow_other -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} >/dev/null
 fi
-gocryptfs -noprealloc -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null
+gocryptfs -noprealloc -allow_other -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null
 RETVAL=$?
 rm /var/tmp/IPAVAULTKEY.txt
 cd ${EXECDIR}
@@ -100,6 +101,6 @@ if [ ${RETVAL} -eq 0 ]; then
     echo "Sucessfully mounted encrypted private Directory ${DECRYPTEDDATADIR}"
     exit 0
 else
-    echo "Errorcode ${RETAVAL}"
+    echo "Errorcode ${RETVAL}"
     exit 1
 fi

system_setup/setup_system_full.sh

@@ -67,7 +67,7 @@ ExecStart=/bin/sh ${SCRIPTPATH}/${SCRIPTNAME} firstrun_run
 #ExecStart=-/sbin/agetty --noclear -n -l "/bin/sh ${SCRIPTPATH}/${SCRIPTNAME} firstrun_run" %I 38400
 # user interaction in tty8
 StandardInput=tty
-TTYPath=/dev/tty2
+TTYPath=/dev/tty8
 TTYReset=yes
 TTYVHangup=yes
 
@@ -132,6 +132,9 @@ install_sw()
   #Make KDE single click
   echo -e "[KDE]\nSingleClick=true" | tee -a /etc/xdg/kdeglobals
 
+  #Make encryption accessible for root
+  echo "user_allow_other" >>/etc/fuse.conf
+
   #Set openh264 enabled
   dnf config-manager setopt fedora-cisco-openh264.enabled=1
 
@@ -142,7 +145,7 @@ install_sw()
 ipa_register_host()
 {
 #Integrate this PC into Domain
-chvt 2
+chvt 8
 #Check if IPA is already Configured
 echo "Checking for existing IPA- Setup."
 if ( grep -q "${FQDN}" /etc/ipa/default.conf ); then

system_setup/sync_client_software.sh

@@ -12,7 +12,7 @@ fi
 
 #Check Token
 if [ "${DAVTOKEN_USER}." == "." ]; then
-    echo "Error: Script cannot be executed standalone, must be run with a matching sudo rule and needs a prereserved environement from logon-script."
+    echo "Error: Script cannot be executed standalone, must be run with a matching sudo rule and needs a prereserved environment from logon-script."
     echo "A matching sudo rule could look like this: "'^'${SYSCONFIGPATH////'\/'}'\/system_setup\/sync_client_software\.sh.*$'
     echo "Hint: the rule must contain the !authenticate and setenv option to work."
     echo "Press any key to continue" && read -n 1 -s -r && exit 1