SSSD >= 2.10.1 no longer raises CAP_DAC_READ_SEARCH to effective in
offline mode, so validate_tgt fails with EACCES reading /etc/krb5.keytab
before the cached-credential fallback is reached. Adding krb5_validate =
False disables the keytab validation step and restores reliable offline
authentication for FreeIPA domain users.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
git clean -fd scopes to the current directory and below, so running it
from the system_setup/ subdirectory missed untracked files in sibling
dirs like config/. Use -C "${SYSCONFIGPATH}" to always clean from the
repo root regardless of invocation directory.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace the broken `git rebase HEAD^` with a proper shallow fetch:
- `git fetch --depth=1` limits local history to one commit, regardless of server history
- `git reset --hard FETCH_HEAD` syncs the working tree to the fetched tip
- `git clean -fd` removes untracked non-ignored files left by old versions
- `git gc --prune=now` immediately purges unreachable history objects
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- sync_client_software.sh: add system-wide flatpak session-bus override for
Nextcloud so KWallet D-Bus access works for all users; fix broken compound
test ([ a || b ] → [ a ] || [ b ])
- user_run.sh: check KWallet entries with hasEntry before writing — skip write
and print info message when both passwords are already present; remove stale
commented-out code
- install.sh: forward REPO_URL and REPO_BRANCH into configure.sh environment
for both the su- and direct-bash invocation paths
- configure.sh: simplify do_configure (user cleanup)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
setup_system.inc.sh: replace $(dirname "$0") with $(dirname "${BASH_SOURCE[0]:-$0}") so
paths resolve correctly whether the file is sourced or executed directly. Add --missingconfok
flag to warn-and-continue instead of prompting+aborting when config is missing. Fix machine_uuid
path (missing ../). Move `source config` into the else branch so it is not reached when
missingconfok skips the exit.
install.sh: source inc.sh instead of executing it as a subprocess so exported variables
(REPO_URL etc.) propagate back to the caller. Fix git-origin conflict handling: when reusing
an existing OEMDRV partition the user has already confirmed they want to keep it, so remove
the "fresh clone / wipe" option entirely. Now always pulls (fetch+checkout) when a git repo
is present; clears and fresh-clones only when no git repo exists on the partition.
basic_pre_script.inc: dot-source inc.sh so INSTALLDOCS and other config vars are available.
config.dist, sync_client_software.sh: rename UPGRADEURL/UPGRADEBRANCH to REPO_URL/REPO_BRANCH
to match the variable names already used in install.sh.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Use config/setup_system.conf as the template for configure.conf when
present, so existing values appear as defaults. Falls back to the dist
file on a fresh install.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- install.sh: pre-create ks.cfg with o+w after permission setup so
non-root users can overwrite it (OEMDRV root itself stays o=rX)
- install.sh: restore su drop to $SUDO_USER when it is set and not
root; fall back to direct root execution otherwise
- configure.sh: remove the hard root check so both cases work
- configure.md: update docs to reflect root/non-root support
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Move setup_system.conf.dist to system_setup/config.dist/ and
skel.tar.zst.dist + pack_skel.sh to system_setup/skel/; config/ now
holds only gitignored local files
- Fix configure.sh CONF_DIST path (was pointing at non-existent
config/setup_system.conf.dist)
- Fix skel/pack_skel.sh: remove vestigial source line whose path was
wrong in both old and new location
- Update error messages in setup_system.inc.sh and
sync_client_software.sh to reference new dist file location
- Move machine_uuid reading/writing into setup_system.inc.sh so all
scripts have MACHINEID available; setup_system.conf.dist now uses
MACHINEID conditionally with a hostname fallback
- sync_client_software.sh: fix && / typo (should be && \) that broke
the flatpak remote-add → install chain; add network error handling
after flatpak install; cleanup upgrade logic and chown placement
- Update CLAUDE.md and install.md to reflect new dist file locations
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Detect existing OEMDRV partition at startup; offer to reuse it
instead of creating a new one (mounts if needed, sources existing
setup_system.inc.sh before cloning)
- When existing repo origin/branch differs from REPO_URL/REPO_BRANCH,
offer to pull from existing origin, migrate to new origin (preserving
gitignored local files), or fall through to fresh clone
- Extract finish_install() and do_clone_and_done() helpers to share
clone, permissions, and configure.sh prompt across all paths
- Replace generic chmod with chown root:root + chmod ug=rwX,o=rX
recursively, plus o+w on config/ and config.d/
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Fetches user_full_name (givenname + sn) and user_email from FreeIPA via
ipalib and writes them into the Thunderbird IMAP account prefs. Adds
ipalib availability check to logon_script.sh. Drops TB_MAIL_FULLNAME
config variable.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
/var/tmp is persistent on-disk storage. The encryption key must never
be written to disk, even temporarily. Replaced all occurrences of
/var/tmp/IPAVAULTKEY.txt with ${XDG_RUNTIME_DIR}/IPAVAULTKEY, which
is a per-user tmpfs directory (/run/user/<UID>) created by
systemd-logind: guaranteed memory-only, mode 0700, wiped on logout.
Also removed the TODO comment that tracked this exact issue.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
KDE Plasma runs each autostart .desktop entry as a systemd user unit.
systemd tracks service liveness by cgroup membership, not just the
main PID. Any process forked inside the service — even via setsid or &
— stays in the service's cgroup and keeps app-logon_script.sh@autostart
in active (running) state indefinitely after logon_script.sh exits.
mount_ecrypt_home.sh: wrap the gocryptfs mount call with
systemd-run --user --scope --unit=gocryptfs-home
The FUSE daemon that gocryptfs forks now lives in its own transient
scope cgroup. Exit-code propagation is unchanged because systemd-run
--scope returns the main process's exit code.
0050_nextcloud_desktopclient/user_run.sh: replace
/usr/bin/setsid ... &
with
systemd-run --user --scope --unit=nextcloud-client ... &
setsid creates a new session but does not move the process out of the
cgroup; systemd-run --scope does.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Free-space start alignment
parted reports free space starting at 0,02 MiB (before the GPT
alignment boundary). The collect_free_space awk now rounds the start
up to the next whole MiB (ceiling) and enforces a minimum of 1 MiB,
then recomputes the usable size from the adjusted start. This prevents
parted from being asked to create a partition at 0 MiB, which it
cannot do.
Locale-independent partition creation
The previous `printf 'Yes\n' | parted mkpart` relied on parted
accepting an English answer to its alignment-confirmation prompt.
On a German-locale system parted asks "Ist dies noch akzeptabel?"
and ignores "Yes", causing mkpart to fail. Replaced with `parted -s`
(script/non-interactive mode), consistent with every other parted
call in the script.
Correct new-partition detection on disks with gaps
The old heuristic took the highest partition number after partprobe.
On a disk where existing partitions are numbered 2/3/4, a new
partition in the gap before them receives number 1 — making the
old heuristic point at partition 4 (the existing btrfs volume) and
subsequently run mkfs.btrfs on it. The new awk matches by start
position (OEMDRV_START ± 1 MiB) instead, which is unambiguous
regardless of how numbers are assigned.
Infinite loop on EOF stdin
When the selection while-loop's `read` hits EOF (e.g. stdin exhausted
after sudo consumed a piped password), it returns exit code 1 with an
empty INPUT, which falls through to "Invalid input." and spins
forever. Added `|| { echo; echo "Aborted."; exit 0; }` to all three
read calls in the loop.
install.md: drop stale install_from_repo.sh reference from title;
clarify that REPO_URL/REPO_BRANCH overrides are optional.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
install.sh writes the last 12 chars of the DMI system UUID to
config.d/machine_uuid.sys (0444) after git clone, so non-root scripts
can derive the hardware-bound hostname without needing dmidecode.
conf.dist reads machine_uuid.sys first; falls back to dmidecode (root)
or hostname -s (user) if the file is absent.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Instead of dying immediately, check_tools now lists missing packages,
asks the user to install them with dnf, and re-verifies after install.
Decline still aborts as before.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Each variable is now prompted in a retry loop so a failed test re-prompts
that specific variable instead of restarting the whole wizard. Adds DNS-based
IPA domain validation (_ldap._tcp SRV + _kerberos TXT + _kerberos._udp SRV),
matching what ipa-client-install --domain performs. Fixes syntax errors
(bare `do` → `while true; do`, `continue` → `break`). Expands VARS to include
IPAVAULTNAME, CLIENT_SOFTWARE_SRC, DISTCONFIGPATH_SRC.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
After server checks pass, present all ks_base_profiles/*.cfg files
with their first-paragraph description and require the user to pick
one. The selected profile is copied to ks.cfg in the repo root.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Instead of obtaining a Nextcloud WebDAV token, verify the configured
servers directly:
- Nextcloud: check /status.php for "installed":true and show version
- FreeIPA: check /ipa/session/json for HTTP 200 or 401
Both checks offer restart or quit on failure.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pass DISPLAY and WAYLAND_DISPLAY explicitly through the su call in
install.sh so Firefox can connect to the user's display session.
Remove the now-unnecessary DISPLAY=:0 fallback from get_nc_token.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Daniel unbrot Pätzold
unbrot