From dd15132a6c4e286a30ef9c0a2fc8cee41b0ebe09 Mon Sep 17 00:00:00 2001 From: LinuxSquare Date: Thu, 27 Jun 2024 19:43:34 +0200 Subject: [PATCH] initial commit --- .vscode/settings.json | 3 + apps/init.ansible.yml | 1 + directories.ansible.yml | 32 ++++ haproxy/init.ansible.yml | 1 + map.yml | 4 + mysql/init.ansible.yml | 1 + network/init.ansible.yml | 1 + openssh/init.ansible.yml | 1 + podman/init.ansible.yml | 1 + system/ansible.ansible.yml | 0 system/base.ansible.yml | 67 +++++++ system/bootloader.ansible.yml | 74 ++++++++ system/disks.ansible.yml | 0 system/files/base_systemupdate | 205 +++++++++++++++++++++ system/files/base_tun-perm.initd | 13 ++ system/files/bootloader_00_noveria.motd.j2 | 17 ++ system/files/bootloader_issue.j2 | 2 + system/files/bootloader_os-release.j2 | 8 + system/init.ansible.yml | 7 + system/shell.ansible.yml | 0 system/user.ansible.yml | 0 top.ansible.yml | 2 + 22 files changed, 440 insertions(+) create mode 100644 .vscode/settings.json create mode 100644 apps/init.ansible.yml create mode 100644 directories.ansible.yml create mode 100644 haproxy/init.ansible.yml create mode 100644 map.yml create mode 100644 mysql/init.ansible.yml create mode 100644 network/init.ansible.yml create mode 100644 openssh/init.ansible.yml create mode 100644 podman/init.ansible.yml create mode 100644 system/ansible.ansible.yml create mode 100644 system/base.ansible.yml create mode 100644 system/bootloader.ansible.yml create mode 100644 system/disks.ansible.yml create mode 100644 system/files/base_systemupdate create mode 100644 system/files/base_tun-perm.initd create mode 100644 system/files/bootloader_00_noveria.motd.j2 create mode 100644 system/files/bootloader_issue.j2 create mode 100644 system/files/bootloader_os-release.j2 create mode 100644 system/init.ansible.yml create mode 100644 system/shell.ansible.yml create mode 100644 system/user.ansible.yml create mode 100644 top.ansible.yml 
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..64bda28
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,3 @@
+{
+ "ansible.python.interpreterPath": "/bin/python"
+}
diff --git a/apps/init.ansible.yml b/apps/init.ansible.yml
new file mode 100644
index 0000000..24ca4e1
--- /dev/null
+++ b/apps/init.ansible.yml
@@ -0,0 +1 @@
+- import_playbook:
diff --git a/directories.ansible.yml b/directories.ansible.yml
new file mode 100644
index 0000000..24ae42a
--- /dev/null
+++ b/directories.ansible.yml
@@ -0,0 +1,32 @@
+- hosts: localhost
+ vars_files:
+ - map.yml
+ tasks:
+ - name: Create base directory
+ file:
+ path: "{{ dir }}"
+ recurse: yes
+ owner: root
+ group: root
+ state: directory
+ - name: Create bin directory
+ file:
+ path: "{{ bin_dir }}"
+ recurse: yes
+ owner: root
+ group: root
+ state: directory
+ - name: Create etc directory
+ file:
+ path: "{{ etc_dir }}"
+ recurse: yes
+ owner: root
+ group: root
+ state: directory
+ - name: Create apps directory
+ file:
+ path: "{{ app_dir }}"
+ recurse: yes
+ owner: root
+ group: root
+ state: directory
diff --git a/haproxy/init.ansible.yml b/haproxy/init.ansible.yml
new file mode 100644
index 0000000..24ca4e1
--- /dev/null
+++ b/haproxy/init.ansible.yml
@@ -0,0 +1 @@
+- import_playbook:
diff --git a/map.yml b/map.yml
new file mode 100644
index 0000000..ee332bf
--- /dev/null
+++ b/map.yml
@@ -0,0 +1,4 @@
+dir: /usr/local/noveria
+bin_dir: /usr/local/noveria/bin
+etc_dir: /usr/local/noveria/etc
+app_dir: /usr/local/noveria/apps
diff --git a/mysql/init.ansible.yml b/mysql/init.ansible.yml
new file mode 100644
index 0000000..24ca4e1
--- /dev/null
+++ b/mysql/init.ansible.yml
@@ -0,0 +1 @@
+- import_playbook:
diff --git a/network/init.ansible.yml b/network/init.ansible.yml
new file mode 100644
index 0000000..24ca4e1
--- /dev/null
+++ b/network/init.ansible.yml
@@ -0,0 +1 @@
+- import_playbook:
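Review bot: None of the four `file` tasks in directories.ansible.yml sets a `mode`, so the permissions of `/usr/local/noveria` and its `bin`/`etc`/`apps` children depend on the umask of whatever runs the playbook, even though `bin_dir` is where root-executed scripts such as `systemupdate` are later linked (system/base.ansible.yml). Add `mode: '0755'` to each task so the tree cannot end up group- or world-writable. `recurse: yes` is not needed to create a directory — `state: directory` already creates missing parents — and on later runs it rewrites owner/group on everything below the tree; drop it, or if it is kept write it as `recurse: true` rather than the YAML 1.1 truthy `yes`.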
diff --git a/openssh/init.ansible.yml b/openssh/init.ansible.yml
new file mode 100644
index 0000000..24ca4e1
--- /dev/null
+++ b/openssh/init.ansible.yml
@@ -0,0 +1 @@
+- import_playbook:
diff --git a/podman/init.ansible.yml b/podman/init.ansible.yml
new file mode 100644
index 0000000..24ca4e1
--- /dev/null
+++ b/podman/init.ansible.yml
@@ -0,0 +1 @@
+- import_playbook:
diff --git a/system/ansible.ansible.yml b/system/ansible.ansible.yml
new file mode 100644
index 0000000..e69de29
diff --git a/system/base.ansible.yml b/system/base.ansible.yml
new file mode 100644
index 0000000..02e76c0
--- /dev/null
+++ b/system/base.ansible.yml
@@ -0,0 +1,67 @@
+- hosts: localhost
+ vars_files:
+ - ../map.yml
+ tasks:
+ - name: Install base packages
+ package:
+ state: present
+ name:
+ - linux-lts
+ - linux-firmware-none
+ - openjdk17-jre-headless
+ - jq
+ - vim
+ - git
+ - findmnt
+ - util-linux
+ - sudo
+ - curl
+ - rsync
+ - screen
+ - name: Systemupdate script
+ template:
+ src: files/base_systemupdate
+ dest: "{{ app_dir }}/systemupdate"
+ owner: root
+ group: root
+ mode: '0755'
+ - name: Systemupdate bin-link
+ file:
+ src: "{{ app_dir }}/systemupdate"
+ dest: "{{ bin_dir }}/systemupdate"
+ owner: root
+ group: root
+ state: link
+ - name: Enable modules Service
+ service:
+ state: started
+ name: modules
+ enabled: true
+ - name: Tun permission service
+ file:
+ path: "/etc/init.d/tun-perm"
+ src: files/base_tun-perm.initd
+ owner: root
+ group: root
+ mode: '0755'
+ state: file
+ - name: Enable tun-perm service
+ service:
+ state: started
+ name: tun-perm
+ enabled: true
+ - name: Enable sysctl service
+ service:
+ state: started
+ name: sysctl
+ enabled: true
+ - name: Enable syslog service
+ service:
+ state: started
+ name: syslog
+ enabled: true
+ - name: Enable sysfs service
+ service:
+ state: started
+ name: sysfs
+ enabled: true
diff --git a/system/bootloader.ansible.yml b/system/bootloader.ansible.yml
new file mode 100644
index 0000000..8bc78f1
--- /dev/null
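Review bot: The `Tun permission service` task in system/base.ansible.yml uses the `file` module with `state: file`, which never writes content (`src` is only honoured for `state: link`/`hard`), so `/etc/init.d/tun-perm` is not created from `files/base_tun-perm.initd`; on a fresh host the task itself errors because the path is absent, and the following `Enable tun-perm service` task can never succeed. Use the copy module instead: `copy:` / `src: files/base_tun-perm.initd` / `dest: /etc/init.d/tun-perm`, keeping the same owner/group/mode and dropping `state`. The `Systemupdate script` task renders a bash script through `template`; it contains no Jinja markup today, but any later `{{` or `{%` in the script would be silently expanded, so `copy` is the safer module there as well.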
+++ b/system/bootloader.ansible.yml 
@@ -0,0 +1,74 @@
+- hosts: localhost
+ vars_files:
+ - /map.yml
+ tasks:
+ - name: Install bootloader pkgs
+ package:
+ name:
+ - grub
+ - grub-efi
+ - mkinitfs
+ - mkinitfs-doc
+ - efibootmgr
+ state: present
+ - name: Get current timestamp
+ command: |
+ CURRENT_SUBVOLUME=$(LC_ALL=C btrfs sub show / | LC_ALL=C grep Name: | tr -d \'[:space:]\'); TIMESTAMP_FORMAT=\'[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}_[[:digit:]]{2}-[[:digit:]]{2}-[[:digit:]]{2}\'; echo "$CURRENT_SUBVOLUME" | grep -Eo "$TIMESTAMP_FORMAT"
+ register: CURRENT_SUBVOLUME_TIMESTAMP
+ run_once: true
+ - name: Get current timestamp human
+ command: |
+ CURRENT_SUBVOLUME_TIMESTAMP=\'{{ CURRENT_SUBVOLUME_TIMESTAMP.stdout }}\'; echo "${CURRENT_SUBVOLUME_TIMESTAMP:0:10} ${CURRENT_SUBVOLUME_TIMESTAMP:11:2}:${CURRENT_SUBVOLUME_TIMESTAMP:14:2}"
+ register: CURRENT_SUBVOLUME_TIMESTAMP_HUMAN
+ run_once: true
+ - name: Get current kernel version
+ command: |
+ uname -r
+ register: KERNEL_VERSION
+ run_once: true
+ - name: mkinitfs config
+ lineinfile:
+ path: "/etc/mkinitfs/mkinitfs.conf"
+ regexp: '^features.?=.?'
+ line: features="ata base btrfs keymap kms mmc nvme scsi usb virtio"
+ owner: root
+ group: root
+ mode: '0644'
+ - name: os-release file
+ template:
+ src: files/bootloader_os-release.j2
+ dest: "/etc/os-release"
+ owner: root
+ group: root
+ mode: '0644'
+ vars:
+ OS_VERSION: "2406"
+ OS_RELEASE_INFO: '"Timestamp: {{ CURRENT_SUBVOLUME_TIMESTAMP_HUMAN.stdout }} | Kernel: {{ KERNEL_VERSION.stdout }}"'
+ - name: Motd Directory
+ file:
+ name: /etc/motd.d
+ owner: root
+ group: root
+ mode: '0755'
+ state: directory
+ - name: Motd
+ template:
+ src: files/bootloader_00_noveria.motd.j2
+ dest: /etc/motd.d/00_noveria.motd
+ owner: root
+ group: root
+ mode: '0644'
+ vars:
+ OS_NAME: 'Novos 2406'
+ OS_RELEASE_INFO: 'Timestamp: {{ CURRENT_SUBVOLUME_TIMESTAMP_HUMAN.stdout }} | Kernel: {{ KERNEL_VERSION.stdout }}'
+ OS_ISSUE_URL: 'https://git.noveria.org/NoveriaOS/ISO/issues'
+ - name: Issue
+ template:
+ src: files/bootloader_issue.j2
+ dest: /etc/issue
+ owner: root
+ group: root
+ mode: '0644'
+ vars:
+ OS_NAME: 'Novos 2406'
+ OS_RELEASE_INFO: "{{ CURRENT_SUBVOLUME_TIMESTAMP_HUMAN.stdout }}"
diff --git a/system/disks.ansible.yml b/system/disks.ansible.yml
new file mode 100644
index 0000000..e69de29
diff --git a/system/files/base_systemupdate b/system/files/base_systemupdate
new file mode 100644
index 0000000..15ceb25
--- /dev/null
+++ b/system/files/base_systemupdate
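Review bot: The two timestamp tasks in system/bootloader.ansible.yml put a shell pipeline (`$(...)`, `|`, `;`) under `command:`, but the `command` module does not invoke a shell, so the first word `CURRENT_SUBVOLUME=$(...)` is executed as a program name and the task fails; change both to `shell: |` (the `uname -r` task can stay as `command`). Inside a `|` block scalar the `\'` sequences are literal backslash-quote characters, so `TIMESTAMP_FORMAT` becomes `'[[:digit:]]{4}…'` with quotes that `grep -Eo` then expects in the subvolume name and matches nothing; write plain `'…'` in the block. The `${VAR:0:10}` substring expansions are a bash extension, so if `/bin/sh` on the target is not bash-compatible add `args: executable: /bin/bash` to that task. `vars_files` points at `/map.yml`, an absolute path at the filesystem root, whereas system/base.ansible.yml uses `../map.yml`; this should be `- ../map.yml`.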
@@ -0,0 +1,205 @@
+#!/usr/bin/env bash
+
+#######################################################################################################################
+##
+## Script to full update the system
+##
+## 0. Pre checks
+## 1. Generate new boot environment (BE)
+## 2. Update and Salt highstate
+## 3. Clean up
+##
+#######################################################################################################################
+
+
+#######################################################################################################################
+## Definitions
+#######################################################################################################################
+
+readonly TEMPDIR=$(mktemp -d /tmp/systemupdate.XXXXXX)
+readonly LOCK_FILE="${TEMPDIR}/systemupdate.lock"
+
+readonly TIMESTAMP=$(date +"%Y-%m-%d_%H-%M-%S")
+
+readonly BTRFS_ROOT="/btrfs"
+readonly CURRENT_SUBVOLUME=$(LC_ALL=C btrfs sub show / | LC_ALL=C grep 'Name' | cut -d: -f2 | awk '{$1=$1};1')
+readonly NEW_SUBVOLUME="@root_${TIMESTAMP}"
+readonly MOUNTPOINT='/mnt'
+
+readonly EFI_DISK=$(findmnt -T /efi -o SOURCE | tail -n 1)
+readonly ROOT_DISK=$(findmnt / -o SOURCE | cut -d"[" -f1 | tail -n 1)
+
+readonly BE_HISTORY_COUNT=5
+
+
+#######################################################################################################################
+## Errorhandling
+#######################################################################################################################
+
+#----------------------------------------------------------------------------------------------------------------------
+# systemupdate failed
+#----------------------------------------------------------------------------------------------------------------------
+systemupdateFailed() {
+ echo ""
+ echo "┌──────────────────────────────────────────┐"
+ echo "│ FAILED => clean up │"
+ echo "└──────────────────────────────────────────┘"
+
+ subtaskTitle "Unmount BE if mounted"
+ 
unmountMountpoint
+
+ subtaskTitle "Remove BE"
+ removeBEFromTimestamp ${TIMESTAMP}
+
+ rm -f ${LOCK_FILE}
+
+ subtaskTitle "Finished with exit code 1"
+ exit 1
+}
+
+# catch ^C and other signals and clean up
+trap "echo -e '\n=> Interrupted with CTRL+C' >&2; systemupdateFailed" SIGINT SIGHUP SIGTERM SIGABRT
+
+
+#######################################################################################################################
+## Helper Functions
+#######################################################################################################################
+
+#----------------------------------------------------------------------------------------------------------------------
+# Subtask title output
+#----------------------------------------------------------------------------------------------------------------------
+subtaskTitle() {
+ echo -e "\n=> $1"
+}
+
+#----------------------------------------------------------------------------------------------------------------------
+# Unmount ${MOUNTPOINT}
+#----------------------------------------------------------------------------------------------------------------------
+unmountMountpoint() {
+ # if mountpoint exists -> umount
+ [[ $(findmnt -M "${MOUNTPOINT}") ]] && umount -R "${MOUNTPOINT}"
+}
+
+#----------------------------------------------------------------------------------------------------------------------
+# Recursive subvolume delete
+#----------------------------------------------------------------------------------------------------------------------
+btrfsSubDelRecursive() {
+ btrfs sub list -o "${BTRFS_ROOT}/${1}" | cut -d " " -f 9 | while read i; do
+ btrfsSubDelRecursive "$i"
+ done
+ btrfs sub del "${BTRFS_ROOT}/${1}"
+}
+
+#----------------------------------------------------------------------------------------------------------------------
+# Remove BE from timestamp
+#----------------------------------------------------------------------------------------------------------------------
+removeBEFromTimestamp() {
+ # remove all subvolume with this timestamp
+ for f in $(btrfs sub list -o /btrfs | cut -d " " -f 9 | grep "@root"); do
+ if [[ "$f" =~ "$1" ]]; then
+ btrfsSubDelRecursive "$f"
+ fi
+ done
+}
+
+
+#######################################################################################################################
+## Main
+#######################################################################################################################
+
+echo "┌──────────────────────────────────────────┐"
+echo "│ 0. Pre checks │"
+echo "└──────────────────────────────────────────┘"
+subtaskTitle "Check if another systemupgrade is in progress"
+if [ -f ${LOCK_FILE} ]; then
+ echo "[ERROR] Another systemupgrade is in progress (lockfile: ${LOCK_FILE}) => exit" >&2
+ exit 1
+fi
+
+subtaskTitle "Check if ${MOUNTPOINT} exists"
+if [ ! -d ${MOUNTPOINT} ]; then
+ mkdir -p "${MOUNTPOINT}"
+fi
+
+subtaskTitle "Check if ${MOUNTPOINT} is already a mountpoint"
+if [[ $(findmnt -M "${MOUNTPOINT}") ]]; then
+ echo "[ERROR] ${MOUNTPOINT} is already a mountpoint => exit" >&2
+ exit 1
+fi
+
+subtaskTitle "Checks finished and update can start"
+
+# Create lock file
+touch ${LOCK_FILE} || systemupdateFailed
+
+
+echo ""
+echo "┌──────────────────────────────────────────┐"
+echo "│ 1. 
Generate new boot environment (BE) │"
+echo "└──────────────────────────────────────────┘"
+
+subtaskTitle "Create snapshot of current running system"
+btrfs subvolume snapshot / ${BTRFS_ROOT}/${NEW_SUBVOLUME} || systemupdateFailed
+
+subtaskTitle "Mount new BE to ${MOUNTPOINT}"
+mount -o noatime,nodiratime,discard=async,space_cache=v2,subvol="${NEW_SUBVOLUME}" "${ROOT_DISK}" "${MOUNTPOINT}" || systemupdateFailed
+mount -o noatime,nodiratime,discard=async,space_cache=v2,subvol=@home "${ROOT_DISK}" "${MOUNTPOINT}/home" || systemupdateFailed
+mount -o noatime,nodiratime,discard=async,space_cache=v2,subvol=@podman "${ROOT_DISK}" "${MOUNTPOINT}/opt/podman" || systemupdateFailed
+mount -o noatime,nodiratime,discard=async,space_cache=v2,subvol=@mysql "${ROOT_DISK}" "${MOUNTPOINT}/var/lib/mysql" || systemupdateFailed
+mount -o noatime,nodiratime,discard=async,space_cache=v2,subvol=/ "${ROOT_DISK}" "${MOUNTPOINT}/btrfs" || systemupdateFailed
+
+mount -o nodev,nosuid,noexec "${EFI_DISK}" "${MOUNTPOINT}/efi" || systemupdateFailed
+mount -t proc /proc "${MOUNTPOINT}/proc/" || systemupdateFailed
+mount -t sysfs /sys "${MOUNTPOINT}/sys/" || systemupdateFailed
+mount -o bind /sys/firmware/efi/efivars "${MOUNTPOINT}/sys/firmware/efi/efivars/" || systemupdateFailed
+mount -o bind /dev "${MOUNTPOINT}/dev/" || systemupdateFailed
+mount -o bind /run "${MOUNTPOINT}/run/" || systemupdateFailed
+
+subtaskTitle "New BE mounted"
+
+echo ""
+echo "┌──────────────────────────────────────────┐"
+echo "│ 2. 
Update and Salt highstate │"
+echo "└──────────────────────────────────────────┘"
+
+subtaskTitle "Update Saltstack"
+
+chroot "${MOUNTPOINT}" /bin/bash -c "git -C /srv/salt pull" || systemupdateFailed
+
+subtaskTitle "Update bootloader configs"
+chroot "${MOUNTPOINT}" /bin/bash -c "salt-call state.sls system.bootloader" >/dev/null || systemupdateFailed
+
+subtaskTitle "Alpine repositories & keyring update"
+chroot "${MOUNTPOINT}" /bin/bash -c "apk update" || systemupdateFailed
+
+subtaskTitle "Alpine packages update"
+chroot "${MOUNTPOINT}" /bin/bash -c "apk upgrade" || systemupdateFailed
+
+subtaskTitle "Salt highstate"
+chroot "${MOUNTPOINT}" /bin/bash -c "salt-call state.highstate" >/dev/null || systemupdateFailed
+
+subtaskTitle "Generate new initial ramdisk"
+latest_kernel="$(chroot "${MOUNTPOINT}" /bin/bash -c 'echo $(apk search linux-lts | head -n1 | cut -d- -f3- | sed "s|r||")-lts')"
+chroot "${MOUNTPOINT}" /bin/bash -c "mkinitfs $latest_kernel" || systemupdateFailed
+
+subtaskTitle "Update motd"
+chroot "${MOUNTPOINT}" /bin/bash -c "/usr/local/noveria/bin/generate_motd" || systemupdateFailed
+
+subtaskTitle "Update GRUB"
+chroot "${MOUNTPOINT}" /bin/bash -c "grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=alpine" || systemupdateFailed
+chroot "${MOUNTPOINT}" /bin/bash -c "/usr/local/noveria/bin/noveriablcgen --noconfirm" || systemupdateFailed
+
+subtaskTitle "Update finished"
+
+subtaskTitle "Unmount BE"
+unmountMountpoint
+
+echo ""
+echo "┌──────────────────────────────────────────┐"
+echo "│ 3. Clean Up │"
+echo "└──────────────────────────────────────────┘"
+
+subtaskTitle "Clean up finished"
+
+# Remove lock file
+rm -f ${LOCK_FILE}
diff --git a/system/files/base_tun-perm.initd b/system/files/base_tun-perm.initd
new file mode 100644
index 0000000..faaf950
--- /dev/null
+++ b/system/files/base_tun-perm.initd
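Review bot: The lock in system/files/base_systemupdate can never detect a concurrent run: `LOCK_FILE` lives inside `TEMPDIR`, which `mktemp -d` creates fresh for every invocation, so the `[ -f ${LOCK_FILE} ]` pre-check always looks at a path that does not exist yet. Use a fixed path and an atomic lock instead, e.g. `readonly LOCK_FILE="/run/systemupdate.lock"` followed by `exec 9>"${LOCK_FILE}" && flock -n 9 || { echo "[ERROR] Another systemupgrade is in progress => exit" >&2; exit 1; }` (flock ships with util-linux, which base.ansible.yml installs); the lock is released when the process exits, so the two `rm -f ${LOCK_FILE}` lines become unnecessary, and `TEMPDIR` should then be removed with `rm -rf "${TEMPDIR}"` or dropped since nothing else uses it. `BE_HISTORY_COUNT=5` is defined but never read, so step 3 "Clean Up" only prints a title and removes the lock; every run adds a `@root_${TIMESTAMP}` snapshot that nothing prunes. `git -C /srv/salt pull` inside the new BE applies whatever the remote currently serves before `salt-call state.highstate` runs as root; checking out a pinned tag or verifying the fetched commit (`git verify-commit`/`git verify-tag`) would keep a compromised remote or transport from changing the system state.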
@@ -0,0 +1,13 @@
+#!/sbin/openrc-run
+supervisor=supervise-daemon
+
+name="tun module permission setter"
+description="setting the permission of /dev/net/tun to 666"
+
+command=$(which chmod)
+command_args="0666 /dev/net/tun"
+command_user="root"
+
+depend() {
+ need modules
+}
diff --git a/system/files/bootloader_00_noveria.motd.j2 b/system/files/bootloader_00_noveria.motd.j2
new file mode 100644
index 0000000..ae20476
--- /dev/null
+++ b/system/files/bootloader_00_noveria.motd.j2
@@ -0,0 +1,17 @@
+╔═══════════════════════════════════════════════╗
+║ Velkommen til ║
+║ _ _ _ ║
+║ | \ | | (_) ║
+║ | \| | _____ _____ _ __ _ __ _ ║
+║ | . ` |/ _ \ \ / / _ \ '__| |/ _` | ║
+║ | |\ | (_) \ V / __/ | | | (_| | ║
+║ |_| \_|\___/ \_/ \___|_| |_|\__,_| ║
+║ ║
+╚═══════════════════════════════════════════════╝
+
+OS: {{ OS_NAME }}
+Version: {{ OS_RELEASE_INFO }}
+
+Report issues on: {{ OS_ISSUE_URL }}
+
+═════════════════════════════════════════════════
diff --git a/system/files/bootloader_issue.j2 b/system/files/bootloader_issue.j2
new file mode 100644
index 0000000..9196589
--- /dev/null
+++ b/system/files/bootloader_issue.j2
@@ -0,0 +1,2 @@
+Velkommen til {{ OS_NAME }}
+Timestamp: {{ OS_RELEASE_INFO }} | Kernel: \r
diff --git a/system/files/bootloader_os-release.j2 b/system/files/bootloader_os-release.j2
new file mode 100644
index 0000000..3cff746
--- /dev/null
+++ b/system/files/bootloader_os-release.j2
@@ -0,0 +1,8 @@
+NAME="Novos"
+ID=noveriaos
+ID_LIKE=alpine
+VERSION_ID="{{ OS_VERSION }}"
+PRETTY_NAME="Novos {{ OS_VERSION }}"
+RELEASE_INFO={{ OS_RELEASE_INFO }}
+HOME_URL="https://noveria.org"
+BUG_REPORT_URL="https://git.noveria.org/Novos/ISO/issues"
diff --git a/system/init.ansible.yml b/system/init.ansible.yml
new file mode 100644
index 0000000..50dac05
--- /dev/null
+++ b/system/init.ansible.yml
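Review bot: `supervisor=supervise-daemon` in system/files/base_tun-perm.initd is the wrong start method for a one-shot `chmod`: supervise-daemon restarts the supervised command whenever it exits, so the service respawns `chmod` until the respawn limit is reached and is then reported as crashed rather than started, and `command=$(which chmod)` is additionally resolved at script parse time. Drop the `supervisor`, `command`, `command_args` and `command_user` lines and run the chmod from a `start()` function as below (`command_user="root"` is redundant anyway, OpenRC services already run as root). Mode `0666` hands the device node to every local account; if only a specific service needs `/dev/net/tun`, `0660` with a dedicated group is the narrower grant.
```shell
# … unchanged: shebang, name, description, depend() …
start() {
    ebegin "Setting permissions on /dev/net/tun"
    chmod 0666 /dev/net/tun
    eend $?
}
```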
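Review bot: `RELEASE_INFO={{ OS_RELEASE_INFO }}` in bootloader_os-release.j2 is emitted unquoted, so the line is only a valid os-release entry because the caller in system/bootloader.ansible.yml wraps the value in literal double quotes (`'"Timestamp: … "'`), while the motd template receives the same variable without them. Put the quotes in the template, `RELEASE_INFO="{{ OS_RELEASE_INFO }}"`, and pass the plain string from the playbook, so a value containing spaces or `|` cannot break parsers of `/etc/os-release`. `BUG_REPORT_URL` points at `git.noveria.org/Novos/ISO` whereas the motd template's `OS_ISSUE_URL` uses `NoveriaOS/ISO`; one of the two is presumably stale.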
@@ -0,0 +1,7 @@
+- import_playbook: base.ansible.yml
+- import_playbook: bootloader.ansible.yml
+# - import_playbook: disks.ansible.yml
+# - import_playbook: user.ansible.yml
+# - import_playbook: shell.ansible.yml
+# - import_playbook: ansible.ansible.yml
+
diff --git a/system/shell.ansible.yml b/system/shell.ansible.yml
new file mode 100644
index 0000000..e69de29
diff --git a/system/user.ansible.yml b/system/user.ansible.yml
new file mode 100644
index 0000000..e69de29
diff --git a/top.ansible.yml b/top.ansible.yml
new file mode 100644
index 0000000..782c52c
--- /dev/null
+++ b/top.ansible.yml
@@ -0,0 +1,2 @@
+- import_playbook: directories.ansible.yml
+- import_playbook: system/init.ansible.yml