forked from obel1x/fedora-OEMDRV
Compare commits
4 Commits
main
..
8e2cd35eb4
| Author | SHA1 | Date | |
|---|---|---|---|
 Daniel unbrot Pätzold
|
8e2cd35eb4 | ||
|
Daniel unbrot Pätzold
|
6806a218a9 | ||
|
Daniel unbrot Pätzold
|
26677c6c2c | ||
|
Daniel unbrot Pätzold
|
7d418353ed |
+8
-6
@@ -1,12 +1,14 @@
|
||||
.Trash*
|
||||
*.kdev4
|
||||
.kdev4/*
|
||||
ks_pc_prof/*
|
||||
ks.cfg
|
||||
config/*
|
||||
!config/README.md
|
||||
client_software/.sync_*.db
|
||||
client_software/setup_system.conf
|
||||
config/setup_system.conf
|
||||
config/*.bak
|
||||
config/skel.tar.zst
|
||||
config/.sync_*.db
|
||||
config.d/*.conf
|
||||
config.d/*.sys
|
||||
config.d/*.bak
|
||||
client_software_cust/*
|
||||
!client_software_cust/README.md
|
||||
ks_pc_prof/*
|
||||
ks.cfg
|
||||
|
||||
@@ -18,13 +18,13 @@ echo "Setup KWallet Password- Service."
|
||||
|
||||
#Check for root
|
||||
if [ "$EUID" -ne 0 ]; then
|
||||
echo "Error: Script requires root."
|
||||
echo "Error: Script requires root. Please check if ${SCRIPTPATH}/${SCRIPTNAME} is in sudoers rules and if you are a member. And if executed via sudo."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
#Check Token
|
||||
if [ "${DAVTOKEN_USER}." == "." ]; then
|
||||
echo "Error: Script cannot be executed standalone and needs a prereserved environment from sync_client_software.sh. Quit."
|
||||
echo "Error: Script cannot be executed standalone and needs a prereserved Environment. Quit."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
@@ -1,13 +1,6 @@
|
||||
#!/bin/bash
|
||||
# Restart and test Kwallet- Service
|
||||
|
||||
#Check Token
|
||||
if [ "${DAVTOKEN_USER}." == "." ]; then
|
||||
echo "Error: Script cannot be executed standalone and needs a prereserved environment from sync_client_software.sh. Quit."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
# Vars
|
||||
WALLETAPPID="sys_config_wallet_script"
|
||||
WALLETNAME="kdewallet"
|
||||
@@ -18,12 +11,7 @@ if [[ -z $(wmctrl -m | grep "KWin") ]]; then
|
||||
fi
|
||||
|
||||
#Restart the service
|
||||
# Stop any leftover unit from a previous session before creating a new one
|
||||
systemctl --user stop kwalletd6-logon.service 2>/dev/null || true
|
||||
systemd-run --user --unit=kwalletd6-logon \
|
||||
--property=RemainAfterExit=yes \
|
||||
--property=SuccessExitStatus=1 \
|
||||
kwalletd6 >${TEMPDIR}/kwalletd6.log 2>&1 &
|
||||
systemd-run --user --scope --unit=kwalletd6-logon kwalletd6 >${TEMPDIR}/kwalletd6.log 2>&1 &
|
||||
sleep 1
|
||||
|
||||
#Check if kwalletd is enabled now
|
||||
|
||||
@@ -21,9 +21,6 @@ from webdav3.client import Client
|
||||
#Variables
|
||||
thunderbird_tar = os.path.dirname(__file__) + '/thunderbird.tar.zst'
|
||||
firefox_tar = os.path.dirname(__file__) + '/firefox.tar.zst'
|
||||
#If defined, use another Profile for that Company
|
||||
if 'PROFILE_FIREFOX_TAR_FILE' in environ:
|
||||
firefox_tar=environ['PROFILE_FIREFOX_TAR_FILE']
|
||||
firefoxhome_path = environ['HOME'] + "/.config/mozilla/firefox"
|
||||
firefoxhome_profile_src = os.path.dirname(__file__) + '/profiles_ff.ini'
|
||||
firefoxhome_profile_dst = firefoxhome_path + '/profiles.ini'
|
||||
|
||||
+15
@@ -0,0 +1,15 @@
|
||||
#!/usr/bin/env sh
|
||||
# SPDX-FileCopyrightText: Daniel Pätzold
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
#
|
||||
# Sofwareinstallation script for Nextcloud Talk.
|
||||
#
|
||||
|
||||
#Check for root
|
||||
if [ "$EUID" -ne 0 ]; then
|
||||
echo "Error: Script requires root. Please check if ${SCRIPTPATH}/${SCRIPTNAME} is in sudoers rules and if you are a member. And if executed via sudo."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
cp -n *.desktop $SUDO_HOME/Schreibtisch
|
||||
chown $SUDO_USER:$SUDO_USER $SUDO_HOME/Schreibtisch/*.desktop
|
||||
@@ -1,8 +0,0 @@
|
||||
#!/usr/bin/env sh
|
||||
# SPDX-FileCopyrightText: Daniel Pätzold
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
#
|
||||
# Copies the included Desktop files to the Desktop
|
||||
#
|
||||
|
||||
cp -n *.desktop $HOME/Schreibtisch
|
||||
Regular → Executable
@@ -1,24 +0,0 @@
|
||||
# 0060_ssh_key
|
||||
|
||||
Provisions a per-user `~/.ssh/id_ed25519` key and escrows it in the FreeIPA
|
||||
KRA vault (`SSH_PRIV_KEY`), so the same key is reused across machines instead
|
||||
of generating a new one on every install.
|
||||
|
||||
Run as the logged-in user via `client_software/user_run.sh` (needs the
|
||||
`DAVTOKEN_USER` environment prepared by `sync_client_software.sh`).
|
||||
|
||||
Behavior:
|
||||
- `~/.ssh` is relocated to `${DECRYPTEDDATADIR}/ssh_keys` (the user's
|
||||
gocryptfs-encrypted data dir) on first run: any existing content is moved
|
||||
there once, then `~/.ssh` becomes a symlink to it. Subsequent runs detect
|
||||
the symlink and skip this step.
|
||||
- If `~/.ssh/id_ed25519` already exists, it's left untouched.
|
||||
- Otherwise, tries `ipa vault-retrieve` for `SSH_PRIV_KEY`:
|
||||
- found → key is fetched, permissions fixed to `0600`, public key derived.
|
||||
- not found → a new vault is created, a new key pair is generated, and the
|
||||
private key is archived to the vault.
|
||||
- Requires `IPAVAULTUSE=true` (KRA available); otherwise the script is a
|
||||
no-op.
|
||||
|
||||
Note: this only handles private-key escrow. Publishing the public key to the
|
||||
user's FreeIPA entry (`ipa user-mod --sshpubkey`) is not done by this script.
|
||||
@@ -1,81 +0,0 @@
|
||||
#!/usr/bin/env sh
|
||||
# SPDX-FileCopyrightText: Daniel Pätzold
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
#
|
||||
# If IPA-KRA is available, use it to store or retrieve personal private ssh key, so that the key won't change every time on new installs
|
||||
#
|
||||
|
||||
#Check Token
|
||||
if [ "${DAVTOKEN_USER}." == "." ]; then
|
||||
echo "Error: Script cannot be executed standalone and needs a prereserved environment from sync_client_software.sh. Quit."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
SSHDIR="${HOME}/.ssh"
|
||||
SSHDIR_REAL="${DECRYPTEDDATADIR}/ssh_keys"
|
||||
KEYFILE="${SSHDIR}/id_ed25519"
|
||||
SSHVAULTNAME="SSH_PRIV_KEY"
|
||||
|
||||
#Relocate ~/.ssh into the encrypted data directory, migrating any existing content once
|
||||
if [ ! -L "${SSHDIR}" ]; then
|
||||
mkdir -p "${SSHDIR_REAL}"
|
||||
chmod 0700 "${SSHDIR_REAL}"
|
||||
if [ -d "${SSHDIR}" ]; then
|
||||
echo "Migrating existing ${SSHDIR} contents to ${SSHDIR_REAL}."
|
||||
cp -a "${SSHDIR}/." "${SSHDIR_REAL}/"
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Error migrating ${SSHDIR} contents to ${SSHDIR_REAL}. Aborting, please check."
|
||||
exit 1
|
||||
fi
|
||||
rm -rf "${SSHDIR}"
|
||||
fi
|
||||
ln -s "${SSHDIR_REAL}" "${SSHDIR}"
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Error creating symlink ${SSHDIR} -> ${SSHDIR_REAL}. Aborting, please check."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ ${IPAVAULTUSE} = "false" ]; then
|
||||
echo "No IPA- KRA service configured, SSH Key provisioning to and from IPA is not available."
|
||||
else
|
||||
if [ -f ${KEYFILE} ]; then
|
||||
echo "SSH Key already present at ${KEYFILE}. Leaving it untouched."
|
||||
else
|
||||
echo "SSH Key ${KEYFILE} not found. Getting Key from IPA- Vault"
|
||||
ipa vault-retrieve "${SSHVAULTNAME}" --out ${KEYFILE}
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Seems there is no key yet on IPA, creating it new."
|
||||
ipa vault-add "${SSHVAULTNAME}" --desc "SSH private key (Stored by OEMDRV autoinstall Modules)" --type=standard
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Error creating the new Vault named ${SSHVAULTNAME} on IPA. This should not happen, aborting. Please check."
|
||||
exit 1
|
||||
else
|
||||
ssh-keygen -t ed25519 -C "$(whoami)" -N "" -f ${KEYFILE}
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Error generating the new SSH key at ${KEYFILE}. Aborting without touching the Vault. Please check."
|
||||
exit 1
|
||||
fi
|
||||
ipa vault-archive "${SSHVAULTNAME}" --in ${KEYFILE}
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Error storing the Key to the created Vault ${SSHVAULTNAME}. This should not happen, aborting. Please check."
|
||||
exit 1
|
||||
else
|
||||
echo "Sucessfully created SSH Key and stored it in IPAs KRA Vault named ${SSHVAULTNAME}."
|
||||
fi
|
||||
fi
|
||||
else
|
||||
# derive public key from private key when enrolling to new system
|
||||
ssh-keygen -y -f "${KEYFILE}" > "${KEYFILE}.pub"
|
||||
if [ $? -eq 0 ]; then
|
||||
chmod 0600 "${KEYFILE}" "${KEYFILE}.pub"
|
||||
echo "Sucessfully fetched SSH Key from IPA."
|
||||
else
|
||||
echo "Something went wrong with Key provisioning, please check."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
exit 0
|
||||
@@ -7,13 +7,7 @@
|
||||
|
||||
#Check for root
|
||||
if [ "$EUID" -ne 0 ]; then
|
||||
echo "Error: Script requires root."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
#Check Token
|
||||
if [ "${DAVTOKEN_USER}." == "." ]; then
|
||||
echo "Error: Script cannot be executed standalone and needs a prereserved environment from sync_client_software.sh. Quit."
|
||||
echo "Error: Script requires root. Please check if ${SCRIPTPATH}/${SCRIPTNAME} is in sudoers rules and if you are a member. And if executed via sudo."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
@@ -1,9 +1,7 @@
|
||||
# Pre installed software installation script repository
|
||||
Central Software installation script Repository
|
||||
Must be executed from script ../sync_client_software.sh
|
||||
|
||||
Contains Packages to install and setup at user logon first.
|
||||
Each package is in one directory and may include two scripts which will be called from user logon script:
|
||||
The install script here will check for the right environment, and execute the install.sh script in each directory.
|
||||
|
||||
- install.sh - will be called with root- privileges to install software or other administrative tasks
|
||||
- user_run.sh - will get executed after all admins scripts had been executed in user context to setup user configs ad data
|
||||
|
||||
The execution will be sorted by directory name.
|
||||
Be sure to name the directories to get sorted the right way.
|
||||
E.g. you may use all base installations with directories beginning with numbers < 0100 and all additional apps with numbers > 0100
|
||||
|
||||
@@ -2,12 +2,51 @@
|
||||
# SPDX-FileCopyrightText: Daniel Pätzold
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
#
|
||||
# Obsolete Script
|
||||
# Will get removed completely, its only here to advise the user to update and rerun the logon_script
|
||||
# Central sofwareinstallation script. Should be called from ""/sys_config/system_setup/sync_client_software.sh install"
|
||||
# If P1 is given, only installs will be executed, that are containing the P1 string in their dirname
|
||||
#
|
||||
if [ "$EUID" -ne 0 ] || [ "$SUDO_USER." == "." ]; then
|
||||
echo "Error: Script requires root privileges and a sudo environment."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo " ==================== "
|
||||
echo "Obsolete Script $0 called. Please update via git (should have been done already, check above!) and rerun the logon_script by relogon again."
|
||||
echo "This Message should disappear then. Press any key to continue."
|
||||
read -n 1 -s -r
|
||||
exit 1
|
||||
#Check Token
|
||||
if [ "${DAVTOKEN_USER}." == "." ]; then
|
||||
echo "Error: Script cannot be executed standalone and needs a prereserved environement from logon-script."
|
||||
echo "To get executed without password prompt, use the NOPASSWD rule in sudo. In FreeIPA you can use the sudo-option !authenticate in the sudo rule."
|
||||
echo "Additionally add the sudo command to the rule: ^\/sys_config\/system_setup\/sync_client_software\.sh.*$"
|
||||
echo "Press any key to continue" && read -n 1 -s -r && exit 1
|
||||
fi
|
||||
|
||||
echo "Installing additional Software."
|
||||
for DIR in $(ls -d ${CLIENT_SOFTWARE_DST}/*/ | sort); # list directories in the form "/tmp/dirname/"
|
||||
do
|
||||
DIR=${DIR%*/} # remove the trailing "/"
|
||||
if [[ "$1." != "." ]] && [[ "${DIR}" != *"$1"* ]]; then
|
||||
#search for string in dir
|
||||
echo "Skipping ${DIR} while not in search parameter ( $1 )."
|
||||
continue
|
||||
fi
|
||||
if [ -f "${DIR}/install.sh" ]; then
|
||||
echo "*** ==================== ***"
|
||||
echo "*** Installing ${DIR##*/} ***" # print everything after the final "/"
|
||||
cd ${DIR}
|
||||
${DIR}/install.sh
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "*** ==================== ***"
|
||||
echo "Some Error in script, will not continue. Please check."
|
||||
echo "Press any key to continue."
|
||||
read -n 1 -s -r
|
||||
cd ${SCRIPTPATH}
|
||||
exit 1
|
||||
fi
|
||||
echo "*** ==================== ***"
|
||||
fi
|
||||
done
|
||||
cd ${SCRIPTPATH}
|
||||
|
||||
#Last, remove unused Flatpak- Runtimes and unused Data
|
||||
echo "Removing unused Flatpak- Data."
|
||||
flatpak uninstall --unused -y
|
||||
su -c "flatpak uninstall --delete-data -y" $SUDO_USER
|
||||
echo "Sucessfully Installed Software."
|
||||
|
||||
@@ -2,12 +2,43 @@
|
||||
# SPDX-FileCopyrightText: Daniel Pätzold
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
#
|
||||
# Obsolete Script
|
||||
# Will get removed completely, its only here to advise the user to update and rerun the logon_script
|
||||
# Running user scripts after install (as user, not root)
|
||||
# If P1 is given, only scripts will be executed, that are containing the P1 string in their dirname
|
||||
#
|
||||
|
||||
echo " ==================== "
|
||||
echo "Obsolete Script $0 called. Please update via git (should have been done already, check above!) and rerun the logon_script by relogon again."
|
||||
echo "This Message should disappear then. Press any key to continue."
|
||||
read -n 1 -s -r
|
||||
exit 1
|
||||
#Check Token
|
||||
if [ "${DAVTOKEN_USER}." == "." ]; then
|
||||
echo "Error: Script cannot be executed standalone and needs a prereserved environement from logon-script."
|
||||
echo "Press any key to continue" && read -n 1 -s -r && exit 1
|
||||
fi
|
||||
|
||||
echo "Running user scripts in software."
|
||||
for DIR in $(ls -d ${CLIENT_SOFTWARE_DST}/*/ | sort); # list directories in the form "/tmp/dirname/"
|
||||
do
|
||||
DIR=${DIR%*/} # remove the trailing "/"
|
||||
if [[ "$1." != "." ]] && [[ "${DIR}" != *"$1"* ]]; then
|
||||
#search for string in dir
|
||||
echo "Skipping ${DIR} while not in search parameter ( $1 )."
|
||||
continue
|
||||
fi
|
||||
if [ -f "${DIR}/user_run.sh" ]; then
|
||||
echo "*** ==================== ***"
|
||||
echo "*** Running ${DIR##*/} ***" # print everything after the final "/"
|
||||
cd ${DIR}
|
||||
${DIR}/user_run.sh
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "*** ==================== ***"
|
||||
echo "Some Error in script, will not continue. Please check."
|
||||
echo "Press any key to continue."
|
||||
read -n 1 -s -r
|
||||
cd ${SCRIPTPATH}
|
||||
exit 1
|
||||
fi
|
||||
echo "*** ==================== ***"
|
||||
fi
|
||||
done
|
||||
echo "Completed user scripts in software."
|
||||
|
||||
cd ${SCRIPTPATH}
|
||||
exit 0
|
||||
|
||||
|
||||
@@ -1,14 +0,0 @@
|
||||
# Companys Software Repository
|
||||
|
||||
This Repository contains the software of you company, which is delivered by your company admins.
|
||||
All files here despite this README ar not traked by git and are not part of installation packages.
|
||||
Your Company is completely free to add files to it.
|
||||
Your Company is encouraged to setup its own git repository
|
||||
|
||||
The scripts will be run at logon time after the scripts of the predefined software has been installed.
|
||||
Each package is in one directory and may include two scripts which will be called from user logon script:
|
||||
|
||||
- install.sh - will be called with root- privileges to install software or other administrative tasks
|
||||
- user_run.sh - will get executed after all admins scripts had been executed in user context to setup user configs ad data
|
||||
|
||||
The execution will be sorted by directory name.
|
||||
+2
-2
@@ -1,4 +1,4 @@
|
||||
# Local config Files
|
||||
|
||||
You may have SYSTEM specific .conf files in here, which will be not be touched by anything and will be sourced by the scripts to overwrite any of the settings in setup_system.conf.dist.
|
||||
Don't use this folder for special settings of your company. It is only for the PC itself if it is configured in another way as all others. The syntax should be same as setup_system.conf.dist
|
||||
You may have .conf files in here, which will be not be touched by anything and will be sourced by the scripts to overwrite any of the settings in setup_system.conf.dist
|
||||
The syntax should be same as setup_system.conf.dist
|
||||
|
||||
@@ -31,13 +31,8 @@ fi
|
||||
export FQDN=${HOSTNM}.${DOMAIN}
|
||||
|
||||
#Additional Client-Software- Repository-Folder in Nextcloud (Shared Folder / Systemwide)
|
||||
export CLIENT_SOFTWARE_CUST_DST="${SYSCONFIGPATH}/client_software_cust" # Required. Must not be changed!
|
||||
export CLIENT_SOFTWARE_CUST_SRC="/Shared/sw_geteilt/client_software_cust" # Set to the Nextcloud directory where the software should come from
|
||||
|
||||
# OBSOLETE / OLD Variables for packaged files under client_software. Those files will not be synced to NC any more!
|
||||
# if still set, they will cause sync to complain about it
|
||||
unset CLIENT_SOFTWARE_DST
|
||||
unset CLIENT_SOFTWARE_SRC
|
||||
export CLIENT_SOFTWARE_DST="/opt/sys_config/client_software" # Optional. If you don't have a Folder that should always be synced, leave this empty
|
||||
export CLIENT_SOFTWARE_SRC="/Shared/sw_geteilt/client_software" Set to the Nextcloud directory where the software should come from
|
||||
|
||||
#Secure File Encryption
|
||||
#Needs a running KRA- Service on FreeIPA
|
||||
@@ -73,18 +68,12 @@ if [ "$EUID" -ne 0 ]; then
|
||||
export CLIENT_DATA_SYNC_DECLARE="$(declare -p CLIENT_DATA_SYNC)" # Do not remove
|
||||
#End of Sync Folder for nextcloud client
|
||||
|
||||
#Firefox Profiles
|
||||
#Firefox Profiles of the User
|
||||
export PROFILE_FIREFOX_RESET_LOCAL="true" # Set this to wipe ~/.mozilla each time if you don't want users to setup their own firefox profile
|
||||
# Optional: own Firefox profile used for this company if given as default
|
||||
# You may use any tar file, that contains a valid firefox profile set up to your companies need.
|
||||
# As example look at 0020_nextcloud_mozilla_pre/firefox.tar.zst
|
||||
# You should put it under e.g SYSCONFIGPATH and than use the filepath relative. e.g. "${SYSCONFIGPATH}/firefox.tar.zst"
|
||||
export PROFILE_FIREFOX_TAR_FILE=""
|
||||
#Mozilla profile paths on Nextcloud Server. Syncs your profiles to Nextcloud.
|
||||
export PROFILE_FIREFOX_SRC="mozilla_profiles/firefox"
|
||||
export PROFILE_FIREFOX_DST="${DECRYPTEDDATADIR}/firefox"
|
||||
|
||||
#Thunderbird Profiles to also be synced
|
||||
#Thunderbird Profiles
|
||||
export PROFILE_TB_SRC="mozilla_profiles/thunderbird"
|
||||
export PROFILE_TB_DST="${DECRYPTEDDATADIR}/thunderbird"
|
||||
|
||||
|
||||
@@ -44,11 +44,13 @@ do_configure() {
|
||||
if [ -f "$CONF_FILE" ] || [ -f "$CONF_PRE" ]; then
|
||||
echo "Some alternatives found for configure source:"
|
||||
if [[ -f "$CONF_PRE" ]]; then
|
||||
echo " Choice (p): Another config run result was found in $CONF_PRE."
|
||||
echo " Choice (p): Another config run result was found in $CONF_PRE ."
|
||||
echo " Hint: May contain Values that already were setup different for your details"
|
||||
else
|
||||
unset CONF_PRE
|
||||
fi
|
||||
if [[ -f "$CONF_FILE" ]]; then
|
||||
echo " Choice (c): Found companys full config in $CONF_FILE."
|
||||
echo " Choice (c): Found companys full config in $CONF_FILE ."
|
||||
echo " This may be a full config, that is valid for your company."
|
||||
else
|
||||
unset CONF_FILE
|
||||
@@ -62,13 +64,12 @@ do_configure() {
|
||||
case "${CHOICE}" in
|
||||
"p")
|
||||
if [[ -f "$CONF_PRE" ]]; then
|
||||
echo "Using the existing config run file $CONF_PRE"
|
||||
echo "Using the existing config run file."
|
||||
break
|
||||
fi
|
||||
;;
|
||||
"c")
|
||||
if [[ -f "$CONF_FILE" ]]; then
|
||||
echo "Replacing $CONF_PRE with $CONF_FILE"
|
||||
rm "$CONF_PRE" >/dev/null 2>&1
|
||||
cp "$CONF_FILE" "$CONF_PRE" && break
|
||||
fi
|
||||
|
||||
@@ -361,12 +361,8 @@ if [[ -n "$EXISTING_OEMDRV_DEV" ]]; then
|
||||
fi
|
||||
|
||||
if [[ -f "$MOUNT_POINT/system_setup/setup_system.inc.sh" && -f "$MOUNT_POINT/config/setup_system.conf" ]]; then
|
||||
if [ ! -z $REPO_URL ]; then BACK_REPO_URL="$REPO_URL"; fi
|
||||
if [ ! -z $REPO_BRANCH ]; then BACK_REPO_BRANCH="$REPO_BRANCH"; fi
|
||||
info "Reading existing configuration from ${MOUNT_POINT} ..."
|
||||
source "$MOUNT_POINT/system_setup/setup_system.inc.sh"
|
||||
if [ ! -z $BACK_REPO_URL ]; then REPO_URL="$BACK_REPO_URL"; fi
|
||||
if [ ! -z $BACK_REPO_BRANCH ]; then REPO_BRANCH="$BACK_REPO_BRANCH"; fi
|
||||
fi
|
||||
|
||||
# ── Check existing git repository origin ──────────────────────────────
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
#!/usr/bin/env bash
|
||||
#!/usr/bin/env sh
|
||||
# SPDX-FileCopyrightText: Daniel Pätzold
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
#
|
||||
@@ -47,19 +47,15 @@ if [[ $? -ne 0 ]]; then
|
||||
echo "Error: python3-ipaclient is not installed. Please install it via: sudo dnf install python3-ipaclient"
|
||||
fi
|
||||
|
||||
if [ "${XDG_CURRENT_DESKTOP}" = "KDE" ]; then
|
||||
# Start each session empty (not restoring previous apps) - avoids stale mounts and autostart conflicts
|
||||
kwriteconfig5 --file ksmserverrc --group General --key loginMode 2 >/dev/null 2>&1
|
||||
# Make kdesu use sudo
|
||||
kwriteconfig5 --file kdesurc --group super-user-command --key super-user-command sudo >/dev/null 2>&1
|
||||
fi
|
||||
#TODO C: Check if Desktop is KDE/Plasma and support other Displays
|
||||
# Make kdesu use sudo
|
||||
kwriteconfig5 --file kdesurc --group super-user-command --key super-user-command sudo >/dev/null 2>&1
|
||||
|
||||
# Mount the private Directory
|
||||
elog_add_command "${SYSCONFIGPATH}/system_setup/mount_ecrypt_home.sh"
|
||||
if [ $? -ne 0 ]; then
|
||||
elog_add "Some Error when running/mounting private Directory, cannot continue. Your Data will not be available."
|
||||
elog_add "If the File was not found: The mount script was searched in directory ${SYSCONFIGPATH} which is defined by SYSCONFIGPATH in your config."
|
||||
elog_add "Please check if your setup is correct."
|
||||
elog_add "Some Error when mounting private Directory, cannot continue. Your Data will not be available."
|
||||
elog_add "The script was searched by SYSCONFIGPATH in directory ${SYSCONFIGPATH}, please check if your setup is correct."
|
||||
elog_add "If you want to redo this script here, execute ${SCRIPTPATH}/${SCRIPTNAME}"
|
||||
echo "Press any key to continue" && read -n 1 -s -r && exit 1
|
||||
fi
|
||||
@@ -67,7 +63,7 @@ fi
|
||||
#Get WEBDAV TOKEN from Nextcloud
|
||||
get_nc_token
|
||||
if [ $? -ne 0 ]; then
|
||||
elog_add "Some Error when getting WEBDAV token. Cannot continue. Your Data will not be available."
|
||||
elog_add "Some Error when mounting private Directory, cannot continue. Your Data will not be available."
|
||||
echo "Press any key to continue" && read -n 1 -s -r && exit 1
|
||||
fi
|
||||
elog_add "Successfully obtained Token for User ${DAVTOKEN_USER}"
|
||||
@@ -79,20 +75,6 @@ elog_add "Update and install client software"
|
||||
#Set global to enable git
|
||||
git config --global --add safe.directory /opt/sys_config
|
||||
|
||||
# Pre check for old configuration parameters, will be removed in the future
|
||||
if [ ! -z "${CLIENT_SOFTWARE_DST}" ] || [ ! -z "${CLIENT_SOFTWARE_SRC}" ]; then
|
||||
elog_add " ===================="
|
||||
elog_add ""
|
||||
elog_add "WARNING: Your company/setup has still CLIENT_SOFTWARE_DST or CLIENT_SOFTWARE_SRC set."
|
||||
elog_add "These parameters are obsolete and must be removed! The new parameters are CLIENT_SOFTWARE_CUST_DST and CLIENT_SOFTWARE_CUST_SRC"
|
||||
elog_add "as the software repository has been split into customer software and distributed software."
|
||||
elog_add "Please try to relog first. If this problem reoccures, contact your system admins to correct it."
|
||||
elog_add "Will continue with the new path. Press any key to continue."
|
||||
elog_add ""
|
||||
elog_add " ===================="
|
||||
read -n 1 -s -r
|
||||
fi
|
||||
|
||||
# First, check the sudo rule
|
||||
elog_add "Check the matching client rule:"
|
||||
#Somewhat strange "sudo -l" will *sometimes* ask for password instead of just checking if the rule can be found, so it needs -n to be silent
|
||||
@@ -129,8 +111,10 @@ else
|
||||
# Rule seems to be ok, executing script
|
||||
elog_add "Matching Sudo rule found."
|
||||
elog_add ""
|
||||
elog_add "Running ${SYSCONFIGPATH}/system_setup/sync_client_software.sh"
|
||||
elog_add "Running client software sync..."
|
||||
elog_add_command "/usr/bin/sudo -n --preserve-env ${SYSCONFIGPATH}/system_setup/sync_client_software.sh install $1"
|
||||
#ERRTXT=$( { /usr/bin/sudo -n --preserve-env ${SYSCONFIGPATH}/system_setup/sync_client_software.sh install > >(tee -a ${LOGFILE}); } 2>&1 )
|
||||
#ERR=$?
|
||||
if [[ $RETNO -ne 0 ]]; then
|
||||
elog_add "Errorcode was $RETNO"
|
||||
elog_add "Error executing software sync and install, please check your output!"
|
||||
@@ -138,84 +122,18 @@ else
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
echo ""
|
||||
|
||||
#Anyway run user scripts if existent
|
||||
elog_add "Running user setup scripts in user- context."
|
||||
#1. Run the scripts, that are delivered by the package maintainers
|
||||
elog_add "Pre installed user setup scripts"
|
||||
for DIR in $(ls -d ${SYSCONFIGPATH}/client_software/*/ | sort); # list directories in the form "/tmp/dirname/"
|
||||
do
|
||||
DIR=${DIR%*/} # remove the trailing "/"
|
||||
if [[ "$1." != "." ]] && [[ "${DIR}" != *"$1"* ]]; then
|
||||
#search for string in dir
|
||||
elog_add "Skipping ${DIR} while not in search parameter ( $1 )."
|
||||
continue
|
||||
fi
|
||||
if [ -f "${DIR}/user_run.sh" ]; then
|
||||
elog_add " >>> Running ${DIR}/user_run.sh"
|
||||
cd ${DIR}
|
||||
elog_add_command "${DIR}/user_run.sh"
|
||||
if [ $? -ne 0 ]; then
|
||||
elog_add " ===================="
|
||||
elog_add "Some Error in script, will not continue. Please check."
|
||||
elog_add "Press any key to continue."
|
||||
read -n 1 -s -r
|
||||
exit 1
|
||||
fi
|
||||
elog_add " ===================="
|
||||
fi
|
||||
done
|
||||
elog_add "Done running pre installed user setup scripts"
|
||||
|
||||
#2. Run the scripts, that are delivered by the package maintainers
|
||||
# To run scripts, the tepository path must always be set right (but maybe empty, which is fine)
|
||||
if [ "${CLIENT_SOFTWARE_CUST_DST}" != "${SYSCONFIGPATH}/client_software_cust" ]; then
|
||||
echo "Error in config: Required parameter CLIENT_SOFTWARE_CUST_DST is missing or set wrong."
|
||||
echo "Please relog and if the problem reoccures, contact your system admins to correct the Values."
|
||||
read -n 1 -s -r -p "Press any key to continue"
|
||||
else
|
||||
elog_add "Running company delivered user setup scripts in ${CLIENT_SOFTWARE_CUST_DST}"
|
||||
for DIR in $(ls -d ${CLIENT_SOFTWARE_CUST_DST}/*/ | sort); # list directories in the form "/tmp/dirname/"
|
||||
do
|
||||
DIR=${DIR%*/} # remove the trailing "/"
|
||||
if [[ "$1." != "." ]] && [[ "${DIR}" != *"$1"* ]]; then
|
||||
#search for string in dir
|
||||
elog_add "Skipping ${DIR} while not in search parameter ( $1 )."
|
||||
continue
|
||||
fi
|
||||
if [ -f "${DIR}/user_run.sh" ]; then
|
||||
elog_add " >>> Running ${DIR}/user_run.sh"
|
||||
cd ${DIR}
|
||||
elog_add_command "${DIR}/user_run.sh"
|
||||
if [ $? -ne 0 ]; then
|
||||
elog_add " ===================="
|
||||
elog_add "Some Error in script, will not continue. Please check."
|
||||
elog_add "Press any key to continue."
|
||||
read -n 1 -s -r
|
||||
exit 1
|
||||
fi
|
||||
elog_add " ===================="
|
||||
fi
|
||||
done
|
||||
elog_add "Done running company user setup scripts"
|
||||
elog_add_command "${CLIENT_SOFTWARE_DST}/user_run.sh $1"
|
||||
if [ $? -ne 0 ]; then
|
||||
exit 1
|
||||
fi
|
||||
elog_add "Completed user setup scripts."
|
||||
elog_add ""
|
||||
|
||||
# Remove unused flatpak user installed software and data
|
||||
flatpak uninstall --unused -y --user
|
||||
flatpak uninstall --delete-data -y
|
||||
|
||||
#SYNC Firefox + Thunderbird Profile
|
||||
if [ ! -z "${PROFILE_FIREFOX_SRC}" ]; then
|
||||
${SYSCONFIGPATH}/system_setup/mozilla_starter.sh firefox sync
|
||||
fi
|
||||
if [ $? -eq 0 ] && [ ! -z "${PROFILE_TB_SRC}" ]; then
|
||||
${SYSCONFIGPATH}/system_setup/mozilla_starter.sh thunderbird sync
|
||||
if [ $? -eq 0 ]; then
|
||||
elog_add "Successfully synced Mozilla profiles (log in another file)."
|
||||
fi
|
||||
fi
|
||||
${SYSCONFIGPATH}/system_setup/mozilla_starter.sh firefox sync && ${SYSCONFIGPATH}/system_setup/mozilla_starter.sh thunderbird sync
|
||||
elog_add "Successfully synced Mozilla profiles (log in another file)."
|
||||
|
||||
elog_add "Sucessfully run logon script (Wait 3 seconds)"
|
||||
sleep 3
|
||||
|
||||
@@ -93,20 +93,10 @@ if [ ! -d "${DECRYPTEDDATADIR}" ] || [ ! -f "${HOME}/.config/gocryptfs/gocryptfs
|
||||
mkdir -p ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} ${HOME}/.config/gocryptfs
|
||||
gocryptfs -init -allow_other -passfile ${XDG_RUNTIME_DIR}/IPAVAULTKEY -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} >/dev/null
|
||||
fi
|
||||
systemd-run --user --unit=gocryptfs-home \
|
||||
--property="ExecStop=/usr/bin/fusermount -u ${DECRYPTEDDATADIR}" \
|
||||
--property=KillMode=none \
|
||||
--property=TimeoutStopSec=30 \
|
||||
gocryptfs -fg -noprealloc -allow_other -passfile ${XDG_RUNTIME_DIR}/IPAVAULTKEY -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null
|
||||
systemd-run --user --scope --unit=gocryptfs-home \
|
||||
gocryptfs -noprealloc -allow_other -passfile ${XDG_RUNTIME_DIR}/IPAVAULTKEY -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null
|
||||
RETVAL=$?
|
||||
# Service starts asynchronously - wait for the FUSE mount to appear before removing
|
||||
# the passfile, otherwise gocryptfs may not have read it yet
|
||||
_t=0
|
||||
while [ "${_t}" -lt 10 ] && ! grep -q "${DECRYPTEDDATADIR}" /proc/mounts 2>/dev/null; do
|
||||
sleep 1
|
||||
_t=$((_t + 1))
|
||||
done
|
||||
rm -f ${XDG_RUNTIME_DIR}/IPAVAULTKEY
|
||||
rm ${XDG_RUNTIME_DIR}/IPAVAULTKEY
|
||||
cd ${EXECDIR}
|
||||
if [ ${RETVAL} -eq 0 ]; then
|
||||
echo "Sucessfully mounted encrypted private Directory ${DECRYPTEDDATADIR}"
|
||||
|
||||
@@ -10,16 +10,6 @@ if [ "$EUID" -ne 0 ]; then
|
||||
echo "Press any key to continue" && read -n 1 -s -r && exit 1
|
||||
fi
|
||||
|
||||
# Remove 'server _gateway iburst' from chrony.conf — Anaconda adds it as a fallback but
|
||||
# _gateway is not resolvable by chronyd at startup; DHCP-sourced servers via sourcedir
|
||||
# /run/chrony-dhcp already cover NTP discovery so this line is redundant and noisy.
|
||||
_CHRONY_CONF="/etc/chrony.conf"
|
||||
if [ -f "${_CHRONY_CONF}" ] && grep -q "^server _gateway" "${_CHRONY_CONF}"; then
|
||||
echo "Patching chrony.conf: removing unresolvable 'server _gateway' entry"
|
||||
sed -i "/^server _gateway/d" "${_CHRONY_CONF}"
|
||||
systemctl restart chronyd
|
||||
fi
|
||||
|
||||
# Ensure krb5_validate = False in sssd.conf to restore offline auth
|
||||
# (SSSD >= 2.10.1 skips the CAP_DAC_READ_SEARCH raise in offline mode, so validate_tgt
|
||||
# fails with EACCES before the cached-credential fallback is reached)
|
||||
@@ -83,16 +73,6 @@ else
|
||||
fi
|
||||
echo ""
|
||||
|
||||
# Before running sync or software installs, restore the rights to all filles.
|
||||
# They must be owned by root, changeable by admingroup and readable by otherusers (we are root, so we can change!)
|
||||
# user_run.sh must also be executable by users
|
||||
chown root:${CLIENTADMINGROUP} -R ${SYSCONFIGPATH}
|
||||
chmod ug+rwX,o=rX -R ${SYSCONFIGPATH}
|
||||
|
||||
#Make all install.sh executable
|
||||
find ${SYSCONFIGPATH}/client_software -type f -name install.sh -exec chmod ug+x,o-x {} \;
|
||||
find ${SYSCONFIGPATH}/client_software -type f -name user_run.sh -exec chmod ugo+x {} \;
|
||||
|
||||
# At first, sync central configs if they are configured to be synced
|
||||
if [[ ! -z "${DISTCONFIGPATH_SRC}" ]]; then
|
||||
echo "Synced config path was found, doing remote sync."
|
||||
@@ -150,52 +130,16 @@ if [[ ! -z "${DISTCONFIGPATH_SRC}" ]]; then
|
||||
fi
|
||||
fi
|
||||
|
||||
echo "Running install scripts in admin- context."
|
||||
# Run pre installed scripts in client_software
|
||||
echo "Running pre installed install scripts in admin- context."
|
||||
for DIR in $(ls -d ${SYSCONFIGPATH}/client_software/*/ | sort); do
|
||||
DIR=${DIR%*/} # remove the trailing "/"
|
||||
if [[ "$2." != "." ]] && [[ "${DIR}" != *"$2"* ]]; then
|
||||
#search for string in dir
|
||||
echo "Skipping ${DIR} while not in search parameter ( $2 )."
|
||||
continue
|
||||
fi
|
||||
if [ -f "${DIR}/install.sh" ]; then
|
||||
echo " ===================="
|
||||
echo " >>> Running ${DIR}/install.sh"
|
||||
cd ${DIR}
|
||||
${DIR}/install.sh
|
||||
if [ $? -ne 0 ]; then
|
||||
echo " ===================="
|
||||
echo "Some Error in script, will not continue. Please check."
|
||||
echo "Press any key to continue."
|
||||
read -n 1 -s -r
|
||||
exit 1
|
||||
fi
|
||||
echo " ===================="
|
||||
fi
|
||||
done
|
||||
echo "Done running pre installed install scripts in admin- context."
|
||||
echo
|
||||
|
||||
# To run scripts, the repository path must always be set right (but maybe empty, which is fine)
|
||||
if [ "${CLIENT_SOFTWARE_CUST_DST}" != "${SYSCONFIGPATH}/client_software_cust" ]; then
|
||||
echo "Error in config: Required parameter CLIENT_SOFTWARE_CUST_DST is missing or set wrong."
|
||||
echo "Please relog and if the problem reoccures, contact your system admins to correct the Values."
|
||||
read -n 1 -s -r -p "Press any key to continue"
|
||||
echo
|
||||
exit 1
|
||||
#Check if Repository is defined
|
||||
if [ "${CLIENT_SOFTWARE_DST}." == "." ]; then
|
||||
echo "No central softwarerepository defined (CLIENT_SOFTWARE_DST). Skipping sync."
|
||||
else
|
||||
# Then, sync all client_software-files
|
||||
if [[ -z "${CLIENT_SOFTWARE_CUST_SRC}" ]]; then
|
||||
echo "No customer software sync is defined, skipping sync"
|
||||
echo "${CLIENT_SOFTWARE_CUST_DST} with ${CLIENT_SOFTWARE_CUST_SRC}"
|
||||
echo
|
||||
else
|
||||
echo "Syncing customer software repository ${CLIENT_SOFTWARE_CUST_DST}"
|
||||
if [[ ! -z "${CLIENT_SOFTWARE_SRC}" ]]; then
|
||||
echo "Syncing central softwarerepository ${CLIENT_SOFTWARE_DST}"
|
||||
# Create Directory if not existent
|
||||
mkdir -p ${CLIENT_SOFTWARE_CUST_DST}
|
||||
SYNCCMD="sudo -i /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=nextcloudcmd com.nextcloud.desktopclient.nextcloud -h -u ${DAVTOKEN_USER} -p ${DAVTOKEN_PASS} --path ${CLIENT_SOFTWARE_CUST_SRC} ${CLIENT_SOFTWARE_CUST_DST} https://${SERVERFQDN_NC}"
|
||||
mkdir -p ${CLIENT_SOFTWARE_DST}
|
||||
SYNCCMD="sudo -i /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=nextcloudcmd com.nextcloud.desktopclient.nextcloud -h -u ${DAVTOKEN_USER} -p ${DAVTOKEN_PASS} --path ${CLIENT_SOFTWARE_SRC} ${CLIENT_SOFTWARE_DST} https://${SERVERFQDN_NC}"
|
||||
SYNCCMD_HIDDENPW=$( echo "${SYNCCMD/${DAVTOKEN_PASS}/***HIDDEN***}" )
|
||||
echo "Exec: ${SYNCCMD_HIDDENPW}"
|
||||
echo "Sync Client Software"
|
||||
@@ -212,53 +156,22 @@ else
|
||||
fi
|
||||
echo "Sucessfully synced."
|
||||
fi
|
||||
echo
|
||||
echo ""
|
||||
|
||||
# After Snc NC is not able to set permission the right way (like execution flag)
|
||||
# So this need to be done again for new files coming in via sync
|
||||
# we do it either with or without sync for better safety
|
||||
# After sync again, restore the rights to all filles. They must be owned by root, changeable by admingroup and readable by otherusers (we are root, so we can change!)
|
||||
chown root:${CLIENTADMINGROUP} -R ${SYSCONFIGPATH}
|
||||
chmod ug+rwX,o=rX -R ${SYSCONFIGPATH}
|
||||
|
||||
#Make all install.sh executable
|
||||
find ${SYSCONFIGPATH}/client_software -type f -name install.sh -exec chmod ug+x,o-x {} \;
|
||||
find ${SYSCONFIGPATH}/client_software -type f -name user_run.sh -exec chmod ugo+x {} \;
|
||||
find ${SYSCONFIGPATH}/client_software_cust -type f -name install.sh -exec chmod ug+x,o-x {} \;
|
||||
find ${SYSCONFIGPATH}/client_software_cust -type f -name user_run.sh -exec chmod ugo+x {} \;
|
||||
find ${CLIENT_SOFTWARE_DST} -type f -name install.sh -exec chmod ugo+x {} \;
|
||||
|
||||
#Run customer setup
|
||||
if [ ! -z "${CLIENT_SOFTWARE_CUST_DST}" ]; then
|
||||
echo "Running company install scripts in admin- context."
|
||||
for DIR in $(ls -d ${CLIENT_SOFTWARE_CUST_DST}/*/ | sort); do
|
||||
DIR=${DIR%*/} # remove the trailing "/"
|
||||
if [[ "$2." != "." ]] && [[ "${DIR}" != *"$2"* ]]; then
|
||||
#search for string in dir
|
||||
echo "Skipping ${DIR} while not in search parameter ( $2 )."
|
||||
continue
|
||||
fi
|
||||
if [ -f "${DIR}/install.sh" ]; then
|
||||
echo " ===================="
|
||||
echo " >>> Running ${DIR}/install.sh"
|
||||
cd ${DIR}
|
||||
${DIR}/install.sh
|
||||
if [ $? -ne 0 ]; then
|
||||
echo " ===================="
|
||||
echo "Some Error in script, will not continue. Please check."
|
||||
echo "Press any key to continue."
|
||||
read -n 1 -s -r
|
||||
exit 1
|
||||
fi
|
||||
echo " ===================="
|
||||
fi
|
||||
done
|
||||
echo "Done running company install scripts in admin- context."
|
||||
#Run Software setup
|
||||
echo "Running Setup of Software"
|
||||
if [ $1 == "install" ]; then
|
||||
${CLIENT_SOFTWARE_DST}/install.sh $2
|
||||
if [ $? -ne 0 ]; then
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
#Last, remove unused Flatpak- Runtimes and unused Data
|
||||
echo "Removing unused Flatpak- Data."
|
||||
flatpak uninstall --unused -y
|
||||
|
||||
echo "Done running install scripts in admin- context."
|
||||
echo ""
|
||||
exit 0
|
||||
|
||||
Reference in New Issue
Block a user