configure.md

@@ -0,0 +1,34 @@
+# configure.sh — First-time setup wizard
+
+Run `system_setup/configure.sh` as a **normal user** (not root) on the machine that has the OEMDRV partition mounted. It guides you through all site-specific settings, tests the configuration, and leaves the system ready for a Fedora installation.
+
+```bash
+bash /opt/sys_config/system_setup/configure.sh
+```
+
+## What it does
+
+1. **Edits configuration values** — prompts for each setting below. Press Enter to keep the shown default, or type a new value. Derived values (e.g. `SERVERFQDN_IPA`) are updated immediately when you change `TLDOMAIN`, so subsequent prompts always reflect your latest input.
+
+   | Variable | Description |
+   |---|---|
+   | `TLDOMAIN` | Top-level domain of your infrastructure (e.g. `company.tld`) |
+   | `SERVERFQDN_IPA` | FQDN of the FreeIPA server (default: `ipa.<TLDOMAIN>`) |
+   | `SERVERFQDN_NC` | FQDN of the Nextcloud server (default: `nextcloud.<TLDOMAIN>`) |
+   | `CLIENTADMINGROUP` | IPA group that receives sudo rights on clients |
+   | `DECRYPTEDDATADIR` | Mount point for the decrypted user data directory |
+   | `ENCRYPTEDDATADIR` | Path of the gocryptfs-encrypted data directory |
+   | `IPAVAULTUSE` | `true` to use IPA KRA vault for the encryption key, `false` to disable encryption |
+   | `IPAVAULTNAME` | Name of the IPA vault entry (default: `CLIENT_FILEENCRYPTION_<hostname>`) |
+
+2. **Confirms the FQDN** — shows the computed `FQDN` (`<hostname>.clients.<TLDOMAIN>`) and lets you override the hostname part if needed.
+
+3. **Tests the encrypted home mount** — runs `mount_ecrypt_home.sh`. On failure you can restart the wizard or quit.
+
+4. **Obtains a Nextcloud WebDAV token** — calls `get_nc_token`, which opens Firefox for login. Verifies that the returned token belongs to the current user. You can retry or quit on failure.
+
+5. On success, the written config file `config.d/configure.conf` is picked up automatically by all other scripts instead of `config/setup_system.conf`.
+
+## After the wizard completes
+
+Boot the target machine from the Fedora USB installer. Anaconda detects the OEMDRV partition and runs the Kickstart automatically.

system_setup/configure.sh

@@ -0,0 +1,163 @@
+#!/usr/bin/env bash
+# configure.sh - Interactive first-time configuration wizard
+#
+# SPDX-FileCopyrightText: Daniel Pätzold
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+SCRIPTDIR="$(cd "$(dirname "$0")" && pwd)"
+CONF_DIST="${SCRIPTDIR}/../config/setup_system.conf.dist"
+CONF_FILE="${SCRIPTDIR}/../config.d/configure.conf"
+
+if [[ "$EUID" -eq 0 ]]; then
+    echo "ERROR: This script must not be run as root." >&2
+    exit 1
+fi
+
+# Prompt for a single value; returns the old value unchanged if the user presses Enter.
+prompt_value() {
+    local name="$1" current="$2" new_val
+    printf '  %-28s [%s]: ' "$name" "$current" >&2
+    read -r new_val
+    printf '%s' "${new_val:-$current}"
+}
+
+# Replace the first matching simple export line in configure.conf.
+set_conf_var() {
+    local varname="$1" value="$2"
+    sed -i "s|^[[:space:]]*export ${varname}=.*|export ${varname}=\"${value}\"|" "$CONF_FILE"
+}
+
+# Update an existing bare "export VAR=…" line at the top level, or append one.
+override_conf_var() {
+    local varname="$1" value="$2"
+    if grep -q "^export ${varname}=" "$CONF_FILE"; then
+        sed -i "s|^export ${varname}=.*|export ${varname}=\"${value}\"|" "$CONF_FILE"
+    else
+        printf 'export %s="%s"\n' "$varname" "$value" >> "$CONF_FILE"
+    fi
+}
+
+do_configure() {
+    mkdir -p "$(dirname "$CONF_FILE")"
+    cp "$CONF_DIST" "$CONF_FILE"
+
+    # Source the dist defaults (unset computed vars first so they are re-evaluated).
+    unset TLDOMAIN DOMAIN SERVERFQDN_IPA SERVERFQDN_NC CLIENTADMINGROUP \
+          DECRYPTEDDATADIR ENCRYPTEDDATADIR IPAVAULTUSE IPAVAULTNAME HOSTNM FQDN
+    # shellcheck disable=SC1090
+    source "$CONF_FILE"
+
+    echo ""
+    echo "=== System Configuration ==="
+    echo "Press Enter to keep the current value, or type a new one."
+    echo ""
+
+    new_TLDOMAIN=$(prompt_value "TLDOMAIN" "$TLDOMAIN")
+    TLDOMAIN="$new_TLDOMAIN"
+    DOMAIN="clients.${TLDOMAIN}"
+    SERVERFQDN_IPA="ipa.${TLDOMAIN}"
+    SERVERFQDN_NC="nextcloud.${TLDOMAIN}"
+
+    new_SERVERFQDN_IPA=$(prompt_value "SERVERFQDN_IPA" "$SERVERFQDN_IPA")
+    SERVERFQDN_IPA="$new_SERVERFQDN_IPA"
+
+    new_SERVERFQDN_NC=$(prompt_value "SERVERFQDN_NC" "$SERVERFQDN_NC")
+    SERVERFQDN_NC="$new_SERVERFQDN_NC"
+
+    new_CLIENTADMINGROUP=$(prompt_value "CLIENTADMINGROUP" "$CLIENTADMINGROUP")
+    CLIENTADMINGROUP="$new_CLIENTADMINGROUP"
+
+    new_DECRYPTEDDATADIR=$(prompt_value "DECRYPTEDDATADIR" "$DECRYPTEDDATADIR")
+    DECRYPTEDDATADIR="$new_DECRYPTEDDATADIR"
+
+    new_ENCRYPTEDDATADIR=$(prompt_value "ENCRYPTEDDATADIR" "$ENCRYPTEDDATADIR")
+    ENCRYPTEDDATADIR="$new_ENCRYPTEDDATADIR"
+
+    new_IPAVAULTUSE=$(prompt_value "IPAVAULTUSE" "$IPAVAULTUSE")
+    IPAVAULTUSE="$new_IPAVAULTUSE"
+
+    new_IPAVAULTNAME=$(prompt_value "IPAVAULTNAME" "$IPAVAULTNAME")
+    IPAVAULTNAME="$new_IPAVAULTNAME"
+
+    set_conf_var "TLDOMAIN"         "$new_TLDOMAIN"
+    set_conf_var "SERVERFQDN_IPA"   "$new_SERVERFQDN_IPA"
+    set_conf_var "SERVERFQDN_NC"    "$new_SERVERFQDN_NC"
+    set_conf_var "CLIENTADMINGROUP" "$new_CLIENTADMINGROUP"
+    set_conf_var "DECRYPTEDDATADIR" "$new_DECRYPTEDDATADIR"
+    set_conf_var "ENCRYPTEDDATADIR" "$new_ENCRYPTEDDATADIR"
+    set_conf_var "IPAVAULTUSE"      "$new_IPAVAULTUSE"
+    # IPAVAULTNAME uses computed concatenation in the dist file; override at top level.
+    override_conf_var "IPAVAULTNAME" "$new_IPAVAULTNAME"
+
+    # Re-source with the updated TLDOMAIN so DOMAIN and FQDN are recomputed correctly.
+    unset DOMAIN HOSTNM FQDN
+    source "$CONF_FILE"
+
+    echo ""
+    echo "Computed FQDN: ${FQDN}"
+    read -rp "Is this correct? [Y/n]: " ans
+    if [[ "${ans,,}" == "n" ]]; then
+        read -rp "  Enter desired hostname (HOSTNM) [${HOSTNM}]: " new_HOSTNM
+        new_HOSTNM="${new_HOSTNM:-$HOSTNM}"
+        override_conf_var "HOSTNM" "$new_HOSTNM"
+        # Also pin FQDN so it stays correct regardless of eval order.
+        override_conf_var "FQDN" "${new_HOSTNM}.clients.${new_TLDOMAIN}"
+        echo "  Updated FQDN: ${new_HOSTNM}.clients.${new_TLDOMAIN}"
+    fi
+
+    echo ""
+    echo "Configuration written to: ${CONF_FILE}"
+}
+
+while true; do
+    do_configure
+
+    # Load setup_system.inc.sh (which re-sources configure.conf and defines all functions).
+    # shellcheck disable=SC1090
+    source "${SCRIPTDIR}/setup_system.inc.sh"
+
+    echo ""
+    echo "=== Testing: mounting encrypted home directory ==="
+    bash "${SCRIPTDIR}/mount_ecrypt_home.sh"
+    if [[ $? -ne 0 ]]; then
+        echo ""
+        echo "mount_ecrypt_home.sh reported an error."
+        read -rp "Start configuration again (a) or quit (q)? [a/q]: " ans
+        if [[ "${ans,,}" == "q" ]]; then
+            echo "Quitting."
+            exit 1
+        fi
+        echo ""
+        continue
+    fi
+
+    echo ""
+    echo "=== Testing: obtaining Nextcloud WebDAV token ==="
+    while true; do
+        get_nc_token
+        current_user="$(id -un)"
+        if [[ "${DAVTOKEN_USER}" == "${current_user}" ]]; then
+            echo "Token obtained successfully for user '${DAVTOKEN_USER}'."
+            break
+        fi
+        echo ""
+        if [[ -z "${DAVTOKEN_USER}" ]]; then
+            echo "Token could not be obtained (DAVTOKEN_USER is empty)."
+        else
+            echo "Token user '${DAVTOKEN_USER}' does not match current user '${current_user}'."
+        fi
+        read -rp "Retry get_nc_token (r) or quit (q)? [r/q]: " ans
+        if [[ "${ans,,}" == "q" ]]; then
+            echo "Quitting."
+            exit 1
+        fi
+    done
+
+    echo ""
+    echo "=== Configuration complete ==="
+    echo "All values have been configured and verified successfully."
+    echo "The system is now ready for the new installation."
+    echo "Boot from the Fedora USB installer — Anaconda will detect the OEMDRV partition"
+    echo "and run the Kickstart automatically."
+    exit 0
+done

system_setup/install.sh

@@ -440,9 +440,26 @@ echo
 echo "  OEMDRV device : $OEMDRV_DEV"
 echo "  Mounted at    : $MOUNT_POINT"
 echo
-echo "Next steps:"
+
-echo "  1. cp $MOUNT_POINT/config/setup_system.conf.dist \\"
+# ── Optionally run configure.sh ───────────────────────────────────────────────
-echo "        $MOUNT_POINT/config/setup_system.conf"
+
-echo "  2. Edit setup_system.conf with your domain, IPA/Nextcloud FQDNs, and paths."
+CONF_SCRIPT="$MOUNT_POINT/system_setup/configure.sh"
-echo "  3. Boot the Kickstart installer — it will detect the OEMDRV partition automatically."
+
 echo
+read -r -p "Run configure.sh now to set up your environment? [y/N]: " RUN_CONF
+if [[ "${RUN_CONF,,}" == "y" ]]; then
+    if [[ -n "$SUDO_USER" ]]; then
+        info "Running configure.sh as user '$SUDO_USER'..."
+        su - "$SUDO_USER" -c "bash '$CONF_SCRIPT'"
+    else
+        echo
+        echo "configure.sh must be run as a non-root user. Please run:"
+        echo "  bash $CONF_SCRIPT"
+    fi
+else
+    echo
+    echo "Next steps:"
+    echo "  1. Run: bash $CONF_SCRIPT"
+    echo "  2. Boot the Kickstart installer — it will detect the OEMDRV partition automatically."
+    echo
+fi