diff --git a/.gitignore b/.gitignore index 656b86f..e1390fd 100644 --- a/.gitignore +++ b/.gitignore @@ -9,5 +9,6 @@ config/skel.tar.zst config/.sync_*.db config/.sync_*.db config.d/*.conf +config.d/*.sys ks_pc_prof/* ks.cfg diff --git a/client_software/0020_nextcloud_mozilla_pre/user_run.sh b/client_software/0020_nextcloud_mozilla_pre/user_run.sh index 096a674..b266be2 100755 --- a/client_software/0020_nextcloud_mozilla_pre/user_run.sh +++ b/client_software/0020_nextcloud_mozilla_pre/user_run.sh @@ -28,7 +28,7 @@ if not 'DAVTOKEN_USER' in environ: sys.exit(1) options = { - 'webdav_hostname': "https://nextcloud.obel1x.de/remote.php/dav/files/" + environ['DAVTOKEN_USER'], + 'webdav_hostname': "https://" + environ['SERVERFQDN_NC'] + "/remote.php/dav/files/" + environ['DAVTOKEN_USER'], 'webdav_login': environ['DAVTOKEN_USER'], 'webdav_password': environ['DAVTOKEN_PASS'] } diff --git a/config/setup_system.conf.dist b/config/setup_system.conf.dist index 8cc8490..8c04d4a 100644 --- a/config/setup_system.conf.dist +++ b/config/setup_system.conf.dist @@ -12,22 +12,25 @@ export INSTALLDOCS="https://gitea.dtext.online/obel1x/fedora-OEMDRV/src/branch/m export UPGRADEURL="https://gitea.dtext.online/obel1x/fedora-OEMDRV.git" export UPGRADEBRANCH="main" -#Group, that will have sudo rights on the client -export CLIENTADMINGROUP="clientadmins" - -# Method to determine Unique Hostname / FQDN of the Client. May be replaced by your needs -if [ "$EUID" -eq 0 ]; then - export HOSTNM="pc-$( dmidecode -t system | grep -i 'UUID' | sed 's/UUID: //' | tr '[:upper:]' '[:lower:]' | sed 's/[^0-9a-z]*//g' | xargs|tail -c 13)" -else - export HOSTNM=$( hostname -s ) -fi -export FQDN=${HOSTNM}.${DOMAIN} - #Configuration Files - maybe syned with your companies settings export SYSCONFIGPATH="/opt/sys_config" export DISTCONFIGPATH="/opt/sys_config/config" export DISTCONFIGPATH_SRC="/Shared/sw_geteilt/client_settings" +#Group, that will have sudo rights on the client +export CLIENTADMINGROUP="clientadmins" + +# Method to determine Unique Hostname / FQDN of the Client. May be replaced by your needs +#Should always had been set by install.sh and should be there anyway. +#if [ ! -r ${SYSCONFIGPATH}/config.d/machine_uuid.sys ]; then +#elif [ "$EUID" -eq 0 ]; then +# export HOSTNM="pc-$( dmidecode -t system | grep -i 'UUID' | sed 's/UUID: //' | tr '[:upper:]' '[:lower:]' | sed 's/[^0-9a-z]*//g' | xargs|tail -c 13)" +#else +# export HOSTNM=$( hostname -s ) +#fi +export HOSTNM="pc-$( cat /opt/sys_config/config.d/machine_uuid.sys )" +export FQDN=${HOSTNM}.${DOMAIN} + #Additional Client-Software- Repository-Folder in Nextcloud (Shared Folder / Systemwide) export CLIENT_SOFTWARE_DST="/opt/sys_config/client_software" # Optional. If you don't have a Folder that should always be synced, leave this empty export CLIENT_SOFTWARE_SRC="/Shared/sw_geteilt/client_software" Set to the Nextcloud directory where the software should come from diff --git a/install.md b/install.md index caec2b1..d9c91ed 100644 --- a/install.md +++ b/install.md @@ -1,4 +1,4 @@ -# OEMDRV Bootstrap — install.sh +# OEMDRV Bootstrap — install.sh + install_from_repo.sh the script `./system_setup/install.sh` prepares a target machine for automated Fedora deployment. It shrinks an existing partition to carve out a dedicated **OEMDRV** partition, which Anaconda/Kickstart will detect automatically during installation. @@ -26,6 +26,19 @@ curl -fsSL https://gitea.dtext.online/obel1x/fedora-OEMDRV/raw/branch/main/syste sudo bash /tmp/install.sh ``` +## Run directly from another repository + +If you are on another fork or branch and you want to test your changes, do: + +```bash +export REPO_URL="https://yourgitserver.tld/.../fedora-OEMDRV.git" +export REPO_BRANCH="anotherbranch" +curl -fsSL ${REPO_URL%.git}/raw/branch/${REPO_BRANCH:-main}/system_setup/install.sh -o /tmp/install.sh +sudo -E bash /tmp/install.sh +``` + +That way, install.sh should know what to pull. + ## After the script completes Configure your environment before running any installation: diff --git a/ks_base_profiles/cinnamon_fullsetup.cfg b/ks_base_profiles/cinnamon_fullsetup.cfg index 5833e0d..c8a2743 100644 --- a/ks_base_profiles/cinnamon_fullsetup.cfg +++ b/ks_base_profiles/cinnamon_fullsetup.cfg @@ -82,9 +82,8 @@ authselect enable-feature with-fingerprint # Generated using Blivet version 3.12.1 -ignoredisk --only-use=sda -# Partition clearing information -#clearpart --none --initlabel +ignoredisk --only-use=sda,nvme0n1 +# Partition clearing information - do NOT USE --initlabel ! clearpart --none autopart --type=btrfs diff --git a/ks_base_profiles/kde_fullsetup.cfg b/ks_base_profiles/kde_fullsetup.cfg index 4e0774b..235b498 100644 --- a/ks_base_profiles/kde_fullsetup.cfg +++ b/ks_base_profiles/kde_fullsetup.cfg @@ -93,9 +93,8 @@ nss-pam-ldapd authselect enable-feature with-fingerprint # Generated using Blivet version 3.12.1 -ignoredisk --only-use=sda -# Partition clearing information -#clearpart --none --initlabel +ignoredisk --only-use=sda,nvme0n1 +# Partition clearing information - do NOT USE --initlabel ! clearpart --none autopart --type=btrfs diff --git a/system_setup/configure.sh b/system_setup/configure.sh index b7653f0..557c449 100755 --- a/system_setup/configure.sh +++ b/system_setup/configure.sh @@ -49,15 +49,84 @@ do_configure() { echo "" echo "=== System Configuration ===" echo "Press Enter to keep the current value, or type a new one." - echo "" source "$CONF_FILE" - VARS=("TLDOMAIN" "DOMAIN" "SERVERFQDN_IPA" "SERVERFQDN_NC" "CLIENTADMINGROUP" "IPAVAULTUSE" ) + VARS=("TLDOMAIN" "SERVERFQDN_IPA" "DOMAIN" "SERVERFQDN_NC" "IPAVAULTUSE" "IPAVAULTNAME" "DISTCONFIGPATH_SRC" "CLIENTADMINGROUP" ) for ELE in "${VARS[@]}" do - new_ELE=$(prompt_value "${ELE}" "${!ELE}") - set_conf_var "${ELE}" "${new_ELE}" - source "$CONF_FILE" + while true; do + echo "" + new_ELE=$(prompt_value "${ELE}" "${!ELE}") + set_conf_var "${ELE}" "${new_ELE}" + source "$CONF_FILE" + REPEAT_TEST=1 + case ${ELE} in + "SERVERFQDN_NC") echo "=== Testing: Nextcloud server ===" + NC_STATUS=$(curl -fsSL "https://${SERVERFQDN_NC}/status.php" 2>/dev/null) + if echo "$NC_STATUS" | grep -q '"installed":true'; then + NC_VERSION=$(echo "$NC_STATUS" | grep -oP '(?<="versionstring":")[^"]+') + echo "Nextcloud confirmed at ${SERVERFQDN_NC} (version ${NC_VERSION})." + REPEAT_TEST=0 + else + echo "" + echo "WARNING: '${SERVERFQDN_NC}' does not appear to be a valid Nextcloud server." + echo " Could not reach https://${SERVERFQDN_NC}/status.php or response was unexpected." + read -rp "Start configuration again (a) or quit (q)? [a/q]: " ans + if [[ "${ans,,}" == "q" ]]; then + echo "Quitting." + exit 1 + fi + fi + ;; + "SERVERFQDN_IPA") echo "=== Testing: FreeIPA server ===" + IPA_CODE=$(curl -s -o /dev/null -w "%{http_code}" \ + "https://${SERVERFQDN_IPA}/ipa/session/json" 2>/dev/null) + if [[ "$IPA_CODE" == "200" || "$IPA_CODE" == "401" ]]; then + echo "FreeIPA server confirmed at ${SERVERFQDN_IPA}." + REPEAT_TEST=0 + else + echo "" + echo "WARNING: '${SERVERFQDN_IPA}' does not appear to be a valid FreeIPA server." + echo " https://${SERVERFQDN_IPA}/ipa/session/json returned: ${IPA_CODE:-no response}" + read -rp "Start configuration again (a) or quit (q)? [a/q]: " ans + if [[ "${ans,,}" == "q" ]]; then + echo "Quitting." + exit 1 + fi + fi + ;; + "DOMAIN") echo "=== Testing: IPA Domain DNS records ===" + if ! command -v dig &>/dev/null; then + echo "WARNING: 'dig' not found; skipping DNS check." + REPEAT_TEST=0 + else + LDAP_SRV=$(dig +short SRV "_ldap._tcp.${DOMAIN}" 2>/dev/null) + KRB_TXT=$(dig +short TXT "_kerberos.${DOMAIN}" 2>/dev/null) + KDC_SRV=$(dig +short SRV "_kerberos._udp.${DOMAIN}" 2>/dev/null) + if [[ -n "$LDAP_SRV" && -n "$KRB_TXT" ]]; then + REALM=$(echo "$KRB_TXT" | tr -d '"') + echo "IPA domain confirmed: ${DOMAIN}" + echo " Kerberos realm : ${REALM}" + [[ -n "$KDC_SRV" ]] && echo " KDC SRV : ${KDC_SRV}" + REPEAT_TEST=0 + else + echo "" + [[ -z "$LDAP_SRV" ]] && echo "WARNING: No _ldap._tcp.${DOMAIN} SRV record found." + [[ -z "$KRB_TXT" ]] && echo "WARNING: No _kerberos.${DOMAIN} TXT record found." + echo " '${DOMAIN}' does not appear to be a valid IPA domain." + read -rp "Start configuration again (a) or quit (q)? [a/q]: " ans + if [[ "${ans,,}" == "q" ]]; then + echo "Quitting." + exit 1 + fi + fi + fi + ;; + *) REPEAT_TEST=0 + ;; + esac + [[ $REPEAT_TEST == 0 ]] && break + done done echo "" @@ -67,42 +136,6 @@ do_configure() { while true; do do_configure - echo "" - echo "=== Testing: Nextcloud server ===" - NC_STATUS=$(curl -fsSL "https://${SERVERFQDN_NC}/status.php" 2>/dev/null) - if echo "$NC_STATUS" | grep -q '"installed":true'; then - NC_VERSION=$(echo "$NC_STATUS" | grep -oP '(?<="versionstring":")[^"]+') - echo "Nextcloud confirmed at ${SERVERFQDN_NC} (version ${NC_VERSION})." - else - echo "" - echo "WARNING: '${SERVERFQDN_NC}' does not appear to be a valid Nextcloud server." - echo " Could not reach https://${SERVERFQDN_NC}/status.php or response was unexpected." - read -rp "Start configuration again (a) or quit (q)? [a/q]: " ans - if [[ "${ans,,}" == "q" ]]; then - echo "Quitting." - exit 1 - fi - continue - fi - - echo "" - echo "=== Testing: FreeIPA server ===" - IPA_CODE=$(curl -s -o /dev/null -w "%{http_code}" \ - "https://${SERVERFQDN_IPA}/ipa/session/json" 2>/dev/null) - if [[ "$IPA_CODE" == "200" || "$IPA_CODE" == "401" ]]; then - echo "FreeIPA server confirmed at ${SERVERFQDN_IPA}." - else - echo "" - echo "WARNING: '${SERVERFQDN_IPA}' does not appear to be a valid FreeIPA server." - echo " https://${SERVERFQDN_IPA}/ipa/session/json returned: ${IPA_CODE:-no response}" - read -rp "Start configuration again (a) or quit (q)? [a/q]: " ans - if [[ "${ans,,}" == "q" ]]; then - echo "Quitting." - exit 1 - fi - continue - fi - echo "" echo "=== Select Kickstart Profile ===" KS_DIR="${SCRIPTDIR}/../ks_base_profiles" diff --git a/system_setup/install.sh b/system_setup/install.sh index 30689dc..5191cac 100755 --- a/system_setup/install.sh +++ b/system_setup/install.sh @@ -14,7 +14,8 @@ SHRINK_MIB=4096 OEMDRV_LABEL="OEMDRV" MOUNT_POINT="/opt/sys_config" MOUNT_OPTS="compress=zstd:6" -REPO_URL="${1:-https://gitea.dtext.online/obel1x/fedora-OEMDRV.git}" +REPO_URL="${REPO_URL:-https://gitea.dtext.online/obel1x/fedora-OEMDRV.git}" +REPO_BRANCH="${REPO_BRANCH:-main}" MIN_FREE_MIB=$(( SHRINK_MIB + 512 )) # require 512 MiB headroom above the shrink size # ── Helpers ─────────────────────────────────────────────────────────────────── @@ -28,11 +29,37 @@ require_root() { } check_tools() { + declare -A tool_pkg=( + [lsblk]="util-linux" [blkid]="util-linux" + [parted]="parted" [partprobe]="parted" + [mkfs.btrfs]="btrfs-progs" [git]="git" + [e2fsck]="e2fsprogs" [resize2fs]="e2fsprogs" + [tune2fs]="e2fsprogs" + ) local missing=() for tool in lsblk blkid parted partprobe mkfs.btrfs git e2fsck resize2fs tune2fs; do command -v "$tool" >/dev/null 2>&1 || missing+=("$tool") done - [[ ${#missing[@]} -eq 0 ]] || die "Missing required tools: ${missing[*]}" + [[ ${#missing[@]} -eq 0 ]] && return 0 + + echo "Missing required tools: ${missing[*]}" + local pkgs=() + for tool in "${missing[@]}"; do + local pkg="${tool_pkg[$tool]}" + [[ " ${pkgs[*]} " != *" $pkg "* ]] && pkgs+=("$pkg") + done + + read -r -p " Install missing packages (${pkgs[*]}) with dnf? [y/N]: " ans + if [[ "${ans,,}" == "y" ]]; then + dnf install -y "${pkgs[@]}" || die "Package installation failed." + local still_missing=() + for tool in "${missing[@]}"; do + command -v "$tool" >/dev/null 2>&1 || still_missing+=("$tool") + done + [[ ${#still_missing[@]} -eq 0 ]] || die "Still missing after install: ${still_missing[*]}" + else + die "Missing required tools: ${missing[*]}" + fi } # Returns 0 if the remote install.sh matches this script's checksum, @@ -43,7 +70,7 @@ check_repo_url() { tmpdir=$(mktemp -d /tmp/oemdrv_repocheck.XXXXXX) - if ! curl -fsSL "${REPO_URL%.git}/raw/branch/main/system_setup/install.sh" \ + if ! curl -fsSL "${REPO_URL%.git}/raw/branch/${REPO_BRANCH}/system_setup/install.sh" \ -o "$tmpdir/install.sh" 2>/dev/null; then rm -rf "$tmpdir" return 1 @@ -267,13 +294,13 @@ info "Verifying repository URL..." check_repo_url case $? in 1) echo - echo "WARNING: '$REPO_URL' is not a reachable git repository." + echo "WARNING: '$REPO_URL' branch '${REPO_BRANCH}' is not a reachable git repository." read -r -p " Continue anyway? [y/N]: " ans [[ "${ans,,}" == "y" ]] || { echo "Aborted."; exit 0; } ;; 2) echo echo "WARNING: The checksum of this script does not match 'system_setup/install.sh'" - echo " at '$REPO_URL'." + echo " at '$REPO_URL' branch '${REPO_BRANCH}'." echo " You may be running an outdated or modified version of install.sh." read -r -p " Continue anyway? [y/N]: " ans [[ "${ans,,}" == "y" ]] || { echo "Aborted."; exit 0; } @@ -470,8 +497,15 @@ mount -o "$MOUNT_OPTS" "$OEMDRV_DEV" "$MOUNT_POINT" || die "mount failed." info "Cloning $REPO_URL into $MOUNT_POINT..." cd "$MOUNT_POINT" || die "Cannot cd to $MOUNT_POINT." -git clone --progress --depth 1 "$REPO_URL" . || die "git clone failed." -chmod o=rwX . -R # to make changes to the configuration possible after install +git clone --progress --depth 1 -b $REPO_BRANCH "$REPO_URL" . || die "git clone failed." + +# Write hardware UUID to a user-readable per-machine file +dmidecode -t system | grep -i 'UUID' \ + | sed 's/UUID: //' | tr '[:upper:]' '[:lower:]' \ + | sed 's/[^0-9a-z]*//g' | xargs | tail -c 13 \ + > "./config.d/machine_uuid.sys" + + chmod o=rwX . -R # to make changes to the configuration possible after install # ── Done ────────────────────────────────────────────────────────────────────── diff --git a/system_setup/mount_ecrypt_home.sh b/system_setup/mount_ecrypt_home.sh index aca9171..59f43fb 100755 --- a/system_setup/mount_ecrypt_home.sh +++ b/system_setup/mount_ecrypt_home.sh @@ -80,19 +80,20 @@ else fi fi if [ "${ENCKEY}." == "." ]; then - echo "Some Error while fetching your Credentials. This should not happen. Quit." + echo "Some Error while fetching your IPA Vault Key. This should not happen. Quit." rm /var/tmp/IPAVAULTKEY.txt exit 2 fi +echo "Sucessfuly obtained IPA vault fileencryption key." #Setup and use encrypted filesystem -if [ ! -d "${DECRYPTEDDATADIR}" ]; then +if [ ! -d "${DECRYPTEDDATADIR}" ] || [ ! -f "${HOME}/.config/gocryptfs/gocryptfs.conf" ]; then #Key has been obtained, but no Directory was created till know echo "First Setup of encryption: Creating new Directories now" mkdir -p ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} ${HOME}/.config/gocryptfs - gocryptfs -init -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} >/dev/null + gocryptfs -init -allow_other -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} >/dev/null fi -gocryptfs -noprealloc -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null +gocryptfs -noprealloc -allow_other -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null RETVAL=$? rm /var/tmp/IPAVAULTKEY.txt cd ${EXECDIR} @@ -100,6 +101,6 @@ if [ ${RETVAL} -eq 0 ]; then echo "Sucessfully mounted encrypted private Directory ${DECRYPTEDDATADIR}" exit 0 else - echo "Errorcode ${RETAVAL}" + echo "Errorcode ${RETVAL}" exit 1 fi diff --git a/system_setup/setup_system_full.sh b/system_setup/setup_system_full.sh index d1fb19b..f29f404 100755 --- a/system_setup/setup_system_full.sh +++ b/system_setup/setup_system_full.sh @@ -67,7 +67,7 @@ ExecStart=/bin/sh ${SCRIPTPATH}/${SCRIPTNAME} firstrun_run #ExecStart=-/sbin/agetty --noclear -n -l "/bin/sh ${SCRIPTPATH}/${SCRIPTNAME} firstrun_run" %I 38400 # user interaction in tty8 StandardInput=tty -TTYPath=/dev/tty2 +TTYPath=/dev/tty8 TTYReset=yes TTYVHangup=yes @@ -132,6 +132,9 @@ install_sw() #Make KDE single click echo -e "[KDE]\nSingleClick=true" | tee -a /etc/xdg/kdeglobals + #Make encryption accessible for root + echo "user_allow_other" >>/etc/fuse.conf + #Set openh264 enabled dnf config-manager setopt fedora-cisco-openh264.enabled=1 @@ -142,7 +145,7 @@ install_sw() ipa_register_host() { #Integrate this PC into Domain -chvt 2 +chvt 8 #Check if IPA is already Configured echo "Checking for existing IPA- Setup." if ( grep -q "${FQDN}" /etc/ipa/default.conf ); then diff --git a/system_setup/sync_client_software.sh b/system_setup/sync_client_software.sh index d5921f4..488d9e3 100755 --- a/system_setup/sync_client_software.sh +++ b/system_setup/sync_client_software.sh @@ -12,7 +12,7 @@ fi #Check Token if [ "${DAVTOKEN_USER}." == "." ]; then - echo "Error: Script cannot be executed standalone, must be run with a matching sudo rule and needs a prereserved environement from logon-script." + echo "Error: Script cannot be executed standalone, must be run with a matching sudo rule and needs a prereserved environment from logon-script." echo "A matching sudo rule could look like this: "'^'${SYSCONFIGPATH////'\/'}'\/system_setup\/sync_client_software\.sh.*$' echo "Hint: the rule must contain the !authenticate and setenv option to work." echo "Press any key to continue" && read -n 1 -s -r && exit 1