From 08a9ff658f14b6ccd0d396711304b74e51307c0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?=
Date: Sun, 31 Oct 2021 01:11:18 +0200
Subject: Work on netbooting raspberry pis.
---
 modules/exports/manifests/init.pp | 19 +++++
 modules/overlay/manifests/init.pp | 17 +++++
 modules/raspi/manifests/init.pp | 143 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 179 insertions(+)
 create mode 100644 modules/exports/manifests/init.pp
 create mode 100644 modules/overlay/manifests/init.pp
 create mode 100644 modules/raspi/manifests/init.pp
 (limited to 'modules')
diff --git a/modules/exports/manifests/init.pp b/modules/exports/manifests/init.pp
new file mode 100644
index 0000000..ce75b29
--- /dev/null
+++ b/modules/exports/manifests/init.pp
@@ -0,0 +1,19 @@
+define exports (
+ Hash[String,Array[String]] $options,
+ String $dir = $name,
+ String $exports_file = '/etc/exports',
+) {
+
+ $fixed_opts = $options.map |$key, $val| {
+ $joined_vals = $val.join(',')
+ "${key}(${joined_vals})"
+ }.join(' ')
+
+ file_line { "Export ${exports_file} ${dir}":
+ ensure => present,
+ path => $exports_file,
+ match => "^${dir}",
+ line => "${dir} ${fixed_opts}"
+ }
+
+}
diff --git a/modules/overlay/manifests/init.pp b/modules/overlay/manifests/init.pp
new file mode 100644
index 0000000..a85683d
--- /dev/null
+++ b/modules/overlay/manifests/init.pp
@@ -0,0 +1,17 @@
+define overlay (
+) {
+
+ {
+ lowerdir => "${dir}/root/base",
+ upperdir => "${dir}/root/overlays/${name}",
+ workdir => "${dir}/root/workdirs/${name}",
+ nfs_export => 'on',
+ }
+
+ file_line {
+ ensure => present,
+ path => "${dir}/fstab"
+ line => "overlay root/export/${name}
+ }
+
+}
diff --git a/modules/raspi/manifests/init.pp b/modules/raspi/manifests/init.pp
new file mode 100644
index 0000000..c622f26
--- /dev/null
+++ b/modules/raspi/manifests/init.pp
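Review bot: In `modules/exports/manifests/init.pp`, `match => "^${dir}"` is a bare prefix match built from an unescaped path, so an export for (constructed example) `/srv/nfs` would also match and overwrite an existing `/srv/nfs-backup` line, and any regex metacharacter in `$dir` is interpreted as a pattern. Because `/etc/exports` is the NFS server's access-control list, replacing the wrong line silently changes who may mount what. Escape the path and require the separator after it, for example `match => "^${regexpescape($dir)}[ \t]",` (`regexpescape` ships in stdlib, the same module that provides `file_line`).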
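Review bot: `modules/overlay/manifests/init.pp` does not parse as committed: the `file_line` resource has no title, `path => "${dir}/fstab"` is missing its trailing comma, the `line` string is never closed, and the hash literal at the top is not assigned to anything. `$dir` is also used without being a parameter of the define. If this is a placeholder, it would be safer to leave it out of the commit or reduce it to an empty define with a `# TODO` comment, since any catalog that references `overlay` will fail to compile.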
@@ -0,0 +1,143 @@ +define raspi ( + String $dir, + String $version, +) { + # https://www.kernel.org/doc/html/latest/admin-guide/nfs/nfsroot.html + + + file { $dir: + ensure => directory, + } + + $img_file = "${version}-raspios-buster-armhf-lite" + + file { "${dir}/${img_file}.zip": + ensure => file, + source => "https://downloads.raspberrypi.org/raspios_lite_armhf/images/raspios_lite_armhf-2021-05-28/${img_file}.zip", + checksum => 'sha256', + checksum_value => 'c5dad159a2775c687e9281b1a0e586f7471690ae28f2f2282c90e7d59f64273c', + } ~> exec { "/usr/bin/unzip ${img_file}.zip": + creates => "${dir}/${img_file}.img", + cwd => $dir, + } + + # see modprobe.d(5) + # /sys/module/loop/parameters/max_part + file { '/etc/modprobe.d/loop.conf': + content => "options loop max_part=8\n", + } + + ['root'].each |$d| { + file { "${dir}/${d}": + ensure => directory, + } + ['base', 'export', 'overlays', 'workdirs'].each |$subdir| { + file { "${dir}/${d}/${subdir}": + ensure => directory, + } + } + } + + $mounts = { + 'root' => ['music',], + # 'boot' => ['music',], + } + + # overlay fs not supported for FAT32 filesystems + + $fstab = "${dir}/fstab" + file { $fstab: + ensure => file, + } + + File[$fstab] -> File_Line <| path == $fstab |> + + $mounts.each |$type, $lst| { + $lst.each |$name| { + + $dict = { + lowerdir => "${dir}/${type}/base", + upperdir => "${dir}/${type}/overlays/${name}", + workdir => "${dir}/${type}/workdirs/${name}", + nfs_export => 'on', + } + + $target = "${dir}/${type}/export/${name}" + + file { [ + $dict['upperdir'], + $dict['workdir'], + $target, + ] : + ensure => directory, + } + + $opts = $dict.map |$k, $v| { "$k=$v" }.join(',') + + file_line { "Raspi fstab ${type} ${target}": + ensure => present, + path => $fstab, + line => "overlay ${target} overlay ${opts}", + } + } + } + + ensure_packages ( ['nfs-utils'], { ensure => latest, }) + service { 'nfs-server': + ensure => running, + enable => true, + } + + exports { "${dir}/root/export": + options => { + '*' => 
[ + 'rw', + 'no_subtree_check', + 'no_root_squash', + # Our mounts under the exported tree are also exported, which is + # needed since our export point is simply a mount point + 'crossmnt', + 'fsid=1', + ], + }, + } + + # TODO ensure that we are mounted before we start changing stuff + + $root = "${dir}/root/export/music" + + file { "${root}/etc/systemd/system/multi-user.target.wants/ssh.service": + ensure => link, + target => '/lib/systemd/system/ssh.service', + } + + file { "${root}/etc/fstab": + ensure => absent, + } + + file { "${root}/root/.ssh": + ensure => directory, + } + + file { "${root}/root/.ssh/authorized_keys": + ensure => file, + } + + file_line { 'raspbian root key': + path => "${root}/root/.ssh/authorized_keys", + line => 'ssh-rsa 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 hugo@gandalf', + } + + # $ l=$(losetup --show -f ${file}.img) + # $ mount "${l}p1" boot/base + # $ mount "${l}p2" root/base + # $ dd if=/dev/loop0p1 of=boot-sector.img + + + # console=serial0,115200 console=tty1 root=/dev/nfs rootfstype=10.0.0.40:/usr/local/raspi/root,vers=4.1,proto=tcp id=dhcp elevator=deadline rootwait rw + + # cmdline.txt + # root=/dev/nfs + # rootfstype=10.0.0.40:/usr/local/raspi/root,vers=4.1,proto=tcp + +} -- cgit v1.2.3 From 85793838bc917566d739b330255d11e941320b45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Mon, 13 Dec 2021 23:35:56 +0100 Subject: Add losetup. --- modules/losetup/files/dismantle-loop-device | 15 +++++++++++++++ modules/losetup/files/loop@.service | 12 ++++++++++++ modules/losetup/files/setup-loop-device | 16 ++++++++++++++++ modules/losetup/manifests/init.pp | 24 ++++++++++++++++++++++++ 4 files changed, 67 insertions(+) create mode 100644 modules/losetup/files/dismantle-loop-device create mode 100644 modules/losetup/files/loop@.service create mode 100755 modules/losetup/files/setup-loop-device create mode 100644 modules/losetup/manifests/init.pp (limited to 'modules') 
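Review bot: In `modules/raspi/manifests/init.pp`, the `exports { "${dir}/root/export": ... }` resource uses `'*'` as the client together with `rw` and `no_root_squash`, which lets any host that can reach the NFS server mount the Pi's root filesystem read-write as root, including the `root/.ssh/authorized_keys` file managed further down. Restrict the key to the Pi's address or subnet, taken from a new define parameter, e.g. `'<pi-subnet-cidr>' => [ 'rw', 'no_subtree_check', 'no_root_squash', 'crossmnt', 'fsid=1' ],`. Separately, `$version` is a parameter while the dated directory in the URL and `checksum_value` are fixed, so any other version will fail the checksum. The resources under `$root` are also applied with no ordering on the overlay mount (the TODO), so they may land in the bare directory rather than the exported tree.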
diff --git a/modules/losetup/files/dismantle-loop-device b/modules/losetup/files/dismantle-loop-device
new file mode 100644
index 0000000..be3f3a0
--- /dev/null
+++ b/modules/losetup/files/dismantle-loop-device
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+target_file="$1"
+safe_name="$(systemd-escape "$target_file")"
+
+set +x
+
+loop_device=$(readlink "/dev/loop-by-name/${safe_name}")
+rm "/dev/loop-by-name/${safe_name}"
+
+for part in "/dev/loop-by-name/${safe_name}"-p*; do
+ rm "$part"
+done
+
+losetup -d $loop_device
diff --git a/modules/losetup/files/loop@.service b/modules/losetup/files/loop@.service
new file mode 100644
index 0000000..e9dc008
--- /dev/null
+++ b/modules/losetup/files/loop@.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Loopback device for %I
+
+[Service]
+ExecStart=/usr/libexec/setup-loop-device "%I"
+ExecStop=/usr/libexec/dismantle-loop-device "%I"
+#ExecStopPost=rm /dev/loop-by-name/"%i"*
+#ExecStart=echo %I
+ExecStartPre=mkdir -p /dev/loop-by-name
+# Cant't have any dashes in filename, due to escaping rules
+# ExecStartPre=/bin/sh -c "grep -vq '-' <<< "%i""
+RemainAfterExit=yes
diff --git a/modules/losetup/files/setup-loop-device b/modules/losetup/files/setup-loop-device
new file mode 100755
index 0000000..4215273
--- /dev/null
+++ b/modules/losetup/files/setup-loop-device
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+target_file="$1"
+safe_name="$(systemd-escape "$target_file")"
+
+set +x
+
+loop_device=$(losetup --find --show "$target_file")
+
+ln -s $loop_device "/dev/loop-by-name/${safe_name}"
+
+for part in "${loop_device}"p*; do
+ last_two=${part:$[${#part}-2]}
+ ln -s $part \
+ "/dev/loop-by-name/${safe_name}-${last_two}"
+done
diff --git a/modules/losetup/manifests/init.pp b/modules/losetup/manifests/init.pp
new file mode 100644
index 0000000..8d7f8d8
--- /dev/null
+++ b/modules/losetup/manifests/init.pp
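Review bot: In `dismantle-loop-device`, `set +x` only turns tracing off, so nothing stops the script after a failed `readlink`; `$loop_device` is then empty and `losetup -d $loop_device` runs unquoted with no argument. The `for` loop also runs `rm` on the literal pattern when no `-p*` links exist. The unit added in this commit sets no `User=`, so this presumably runs as root from `ExecStop`; use `set -eu`, add `shopt -s nullglob` before the loop, and quote the final call as `losetup -d "$loop_device"`.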
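Review bot: `loop@.service` sets `RemainAfterExit=yes` but no `Type=`, so it runs as the default `Type=simple`: systemd treats the unit as started as soon as the script is forked, and units ordered after it can run before the `/dev/loop-by-name/` links exist. Add `Type=oneshot` under `[Service]` so start-up completes only once `setup-loop-device` has exited and its exit status decides whether the unit is active. The comment `# Cant't have any dashes in filename` should read `Can't`, and it should say whether the restriction still applies now that both scripts call `systemd-escape`.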
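Review bot: In `setup-loop-device`, `$loop_device` and `$part` are expanded unquoted and there is no error handling (`set +x` only disables tracing), so a failed `losetup` leaves `ln -s` running with an empty target. `last_two=${part:$[${#part}-2]}` keeps only the last two characters, so partition 10 and up would be linked as `-10` rather than `-p10` and the `-p*` glob in `dismantle-loop-device` would never remove them. When the device has no partitions, the loop links the literal `p*` pattern. Stripping the device prefix from `$part` keeps the full `pN` suffix, as below.

```shell
# … unchanged: shebang, target_file, safe_name …
set -eu

loop_device=$(losetup --find --show "$target_file")

ln -s "$loop_device" "/dev/loop-by-name/${safe_name}"

shopt -s nullglob
for part in "${loop_device}"p*; do
    # Keep the whole pN suffix so two-digit partitions get distinct names.
    ln -s "$part" "/dev/loop-by-name/${safe_name}-${part#"$loop_device"}"
done
```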
@@ -0,0 +1,24 @@
+class losetup {
+ file { '/etc/systemd/system/loop@.service':
+ ensure => file,
+ source => "puppet:///modules/${module_name}/loop@.service",
+ }
+
+ # ensure_resource ('file', { path => '/usr/libexec', ensure => directory })
+ file { '/usr/libexec':
+ ensure => directory,
+ }
+
+ file {
+ default:
+ ensure => file,
+ mode => '0555',
+ ;
+'/usr/libexec/setup-loop-device':
+ source => "puppet:///modules/${module_name}/setup-loop-device",
+ ;
+'/usr/libexec/dismantle-loop-device':
+ source => "puppet:///modules/${module_name}/dismantle-loop-device",
+ ;
+ }
+}
-- cgit v1.2.3
From d449ef502030454ba88eeb0a81fdb46b09d0d6b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?=
Date: Mon, 13 Dec 2021 23:37:40 +0100
Subject: Minor fixes
---
 modules/cgit/files/filters/hugo-pre.sh | 4 ++--
 modules/exports/manifests/init.pp | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
 (limited to 'modules')
diff --git a/modules/cgit/files/filters/hugo-pre.sh b/modules/cgit/files/filters/hugo-pre.sh
index de94b26..b716525 100755
--- a/modules/cgit/files/filters/hugo-pre.sh
+++ b/modules/cgit/files/filters/hugo-pre.sh
@@ -2,10 +2,10 @@ name=$1 -extension=${1: -3} +extension=${name: -3} case $extension in - .md) markdown ;; + .md) pandoc -f gfm -t html ;; *) cat <<- EOF
$(cat -)
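Review bot: `.md) pandoc -f gfm -t html ;;` passes raw HTML in the Markdown straight through to the rendered page, so a `<script>` block in any README this filter renders ends up in cgit's output. If repositories can contain content you did not write, disable that in the reader, e.g. `.md) pandoc -f gfm-raw_html -t html ;;` (check that the installed pandoc accepts the extension for `gfm`). The default branch shown as context also emits `$(cat -)` through an unquoted here-document with no HTML escaping visible here. The `case` statement continues outside the hunk.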
diff --git a/modules/exports/manifests/init.pp b/modules/exports/manifests/init.pp
index ce75b29..8280c71 100644
--- a/modules/exports/manifests/init.pp
+++ b/modules/exports/manifests/init.pp
@@ -1,3 +1,5 @@ +# Setup export item. +# Should be be callable multiple times define exports ( Hash[String,Array[String]] $options, String $dir = $name,
-- cgit v1.2.3
From 0301818fa87bf588dfcd13c1644936aa5537fa15 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?=
Date: Mon, 13 Dec 2021 23:38:02 +0100
Subject: Gandalf web certbot.
---
 modules/profiles/manifests/gandalf_web.pp | 54 +++++++++++++++++++++++++++++--
 1 file changed, 52 insertions(+), 2 deletions(-)
 (limited to 'modules')
diff --git a/modules/profiles/manifests/gandalf_web.pp b/modules/profiles/manifests/gandalf_web.pp
index 810064b..1295d83 100644
--- a/modules/profiles/manifests/gandalf_web.pp
+++ b/modules/profiles/manifests/gandalf_web.pp
@@ -1,4 +1,6 @@ -class profiles::gandalf_web { +class profiles::gandalf_web ( + String $certname, +) { class { '::nginx': manage_repo => false,
@@ -13,6 +15,7 @@ class profiles::gandalf_web { 'text/plain' => 'wiki txt', }, include_modules_enabled => true, + server_purge => true, } file { '/etc/nginx/modules-enabled':
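Review bot: In `modules/profiles/manifests/gandalf_web.pp`, the new `String $certname` parameter has no default and no format constraint, yet later hunks of this commit interpolate it into `/etc/letsencrypt/live/${certname}/fullchain.pem` and `privkey.pem` and use it as the `letsencrypt::certonly` title. Tighten the type so a value containing slashes or spaces is rejected at compile time, e.g. `Stdlib::Fqdn $certname,`. A header comment should also name the Hiera key (`profiles::gandalf_web::certname`) that every node including this profile must now set. The class body continues outside this hunk.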
@@ -21,7 +24,41 @@ class profiles::gandalf_web { recurse => true, } - $certname = 'bookmark.gandalf.adrift.space' + # TODO this fails at bootstrapping, since letsencrypt requires nginx + # to be enabled, but nginx can't be enabled if any cert file is + # missing + # Letsencrypt::Certonly <| |> -> Nginx::Resource::Server <| |> + + $domains = [ + 'bookmark.gandalf.adrift.space', + 'calendar.gandalf.adrift.space', + 'repo.gandalf.adrift.space', + 'gandalf.adrift.space', + 'hack.adrift.space', + 'adrift.space', + ] + + ensure_packages (['cronie',], { ensure => installed }) + + ensure_packages (['certbot', 'certbot-nginx'], { ensure => installed }) + class { '::letsencrypt': + config => { + email => 'hugo@hornquist.se', + # server => 'https://acme-staging-v02.api.letsencrypt.org/directory', + server => 'https://acme-v02.api.letsencrypt.org/directory', + }, + manage_install => false, + } + + letsencrypt::certonly { $certname: + ensure => present, + domains => $domains, + manage_cron => true, + plugin => 'nginx', + additional_args => [ '--quiet', ], + # pre_hook_commands => [ 'systemctl stop nginx.service', ], + post_hook_commands => [ 'systemctl restart nginx.service', ], + } nginx::resource::server { 'gandalf': @@ -49,4 +86,17 @@ class profiles::gandalf_web { server => 'gandalf', } + nginx::resource::server { 'repo.gandalf.adrift.space': + ipv6_enable => true, + ipv6_listen_options => '', + server_name => [ 'repo.gandalf.adrift.space', ], + ssl => true, + ssl_cert => "/etc/letsencrypt/live/${certname}/fullchain.pem", + ssl_key => "/etc/letsencrypt/live/${certname}/privkey.pem", + ssl_redirect => true, + index_files => [ 'index.html', ], + www_root => '/usr/net/repo/', + use_default_location => true, + } + } -- cgit v1.2.3 From fa66475b6dd9835ac6f060202acc744632dd4c89 Mon Sep 17 00:00:00 2001 
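Review bot: `post_hook_commands => [ 'systemctl restart nginx.service', ]` in the `letsencrypt::certonly` resource does a full restart, dropping open connections, where picking up a renewed certificate only needs `'systemctl reload nginx.service'`. If the module version in use provides `deploy_hook_commands`, that would limit the hook to runs that actually issued a certificate. With `'--quiet'` in `additional_args`, it is worth confirming that renewal failures from the managed cron job still reach someone. `$domains` puts all six names on one certificate and key, so a comment stating that this is intentional would help the next reader.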
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Mon, 13 Dec 2021 23:39:36 +0100 Subject: Raspi setup was a bad idea. --- modules/raspi/manifests/init.pp | 143 ---------------------------------------- 1 file changed, 143 deletions(-) delete mode 100644 modules/raspi/manifests/init.pp (limited to 'modules') diff --git a/modules/raspi/manifests/init.pp b/modules/raspi/manifests/init.pp deleted file mode 100644 index c622f26..0000000 --- a/modules/raspi/manifests/init.pp +++ /dev/null 
@@ -1,143 +0,0 @@ -define raspi ( - String $dir, - String $version, -) { - # https://www.kernel.org/doc/html/latest/admin-guide/nfs/nfsroot.html - - - file { $dir: - ensure => directory, - } - - $img_file = "${version}-raspios-buster-armhf-lite" - - file { "${dir}/${img_file}.zip": - ensure => file, - source => "https://downloads.raspberrypi.org/raspios_lite_armhf/images/raspios_lite_armhf-2021-05-28/${img_file}.zip", - checksum => 'sha256', - checksum_value => 'c5dad159a2775c687e9281b1a0e586f7471690ae28f2f2282c90e7d59f64273c', - } ~> exec { "/usr/bin/unzip ${img_file}.zip": - creates => "${dir}/${img_file}.img", - cwd => $dir, - } - - # see modprobe.d(5) - # /sys/module/loop/parameters/max_part - file { '/etc/modprobe.d/loop.conf': - content => "options loop max_part=8\n", - } - - ['root'].each |$d| { - file { "${dir}/${d}": - ensure => directory, - } - ['base', 'export', 'overlays', 'workdirs'].each |$subdir| { - file { "${dir}/${d}/${subdir}": - ensure => directory, - } - } - } - - $mounts = { - 'root' => ['music',], - # 'boot' => ['music',], - } - - # overlay fs not supported for FAT32 filesystems - - $fstab = "${dir}/fstab" - file { $fstab: - ensure => file, - } - - File[$fstab] -> File_Line <| path == $fstab |> - - $mounts.each |$type, $lst| { - $lst.each |$name| { - - $dict = { - lowerdir => "${dir}/${type}/base", - upperdir => "${dir}/${type}/overlays/${name}", - workdir => "${dir}/${type}/workdirs/${name}", - nfs_export => 'on', - } - - $target = "${dir}/${type}/export/${name}" - - file { [ - $dict['upperdir'], - $dict['workdir'], - $target, - ] : - ensure => directory, - } - - $opts = $dict.map |$k, $v| { "$k=$v" }.join(',') - - file_line { "Raspi fstab ${type} ${target}": - ensure => present, - path => $fstab, - line => "overlay ${target} overlay ${opts}", - } - } - } - - ensure_packages ( ['nfs-utils'], { ensure => latest, }) - service { 'nfs-server': - ensure => running, - enable => true, - } - - exports { "${dir}/root/export": - options => { - '*' => 
[ - 'rw', - 'no_subtree_check', - 'no_root_squash', - # Our mounts under the exported tree are also exported, which is - # needed since our export point is simply a mount point - 'crossmnt', - 'fsid=1', - ], - }, - } - - # TODO ensure that we are mounted before we start changing stuff - - $root = "${dir}/root/export/music" - - file { "${root}/etc/systemd/system/multi-user.target.wants/ssh.service": - ensure => link, - target => '/lib/systemd/system/ssh.service', - } - - file { "${root}/etc/fstab": - ensure => absent, - } - - file { "${root}/root/.ssh": - ensure => directory, - } - - file { "${root}/root/.ssh/authorized_keys": - ensure => file, - } - - file_line { 'raspbian root key': - path => "${root}/root/.ssh/authorized_keys", - line => 'ssh-rsa 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 hugo@gandalf', - } - - # $ l=$(losetup --show -f ${file}.img) - # $ mount "${l}p1" boot/base - # $ mount "${l}p2" root/base - # $ dd if=/dev/loop0p1 of=boot-sector.img - - - # console=serial0,115200 console=tty1 root=/dev/nfs rootfstype=10.0.0.40:/usr/local/raspi/root,vers=4.1,proto=tcp id=dhcp elevator=deadline rootwait rw - - # cmdline.txt - # root=/dev/nfs - # rootfstype=10.0.0.40:/usr/local/raspi/root,vers=4.1,proto=tcp - -} -- cgit v1.2.3