initial commit

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+  "ansible.python.interpreterPath": "/bin/python"
+}

apps/init.ansible.yml

@@ -0,0 +1 @@
+- import_playbook:

directories.ansible.yml

@@ -0,0 +1,32 @@
+- hosts: localhost
+  vars_files:
+    - map.yml
+  tasks:
+    - name: Create base directory
+      file:
+        path: "{{ dir }}"
+        recurse: yes
+        owner: root
+        group: root
+        state: directory
+    - name: Create bin directory
+      file:
+        path: "{{ bin_dir }}"
+        recurse: yes
+        owner: root
+        group: root
+        state: directory
+    - name: Create etc directory
+      file:
+        path: "{{ etc_dir }}"
+        recurse: yes
+        owner: root
+        group: root
+        state: directory
+    - name: Create apps directory
+      file:
+        path: "{{ app_dir }}"
+        recurse: yes
+        owner: root
+        group: root
+        state: directory

haproxy/init.ansible.yml

@@ -0,0 +1 @@
+- import_playbook:

map.yml

@@ -0,0 +1,4 @@
+dir: /usr/local/noveria
+bin_dir: /usr/local/noveria/bin
+etc_dir: /usr/local/noveria/etc
+app_dir: /usr/local/noveria/apps

mysql/init.ansible.yml

@@ -0,0 +1 @@
+- import_playbook:

network/init.ansible.yml

@@ -0,0 +1 @@
+- import_playbook:

openssh/init.ansible.yml

@@ -0,0 +1 @@
+- import_playbook:

podman/init.ansible.yml

@@ -0,0 +1 @@
+- import_playbook:

system/base.ansible.yml

@@ -0,0 +1,67 @@
+- hosts: localhost
+  vars_files:
+    - ../map.yml
+  tasks:
+    - name: Install base packages
+      package:
+        state: present
+        name:
+          - linux-lts
+          - linux-firmware-none
+          - openjdk17-jre-headless
+          - jq
+          - vim
+          - git
+          - findmnt
+          - util-linux
+          - sudo
+          - curl
+          - rsync
+          - screen
+    - name: Systemupdate script
+      template:
+        src: files/base_systemupdate
+        dest: "{{ app_dir }}/systemupdate"
+        owner: root
+        group: root
+        mode: '0755'
+    - name: Systemupdate bin-link
+      file:
+        src: "{{ app_dir }}/systemupdate"
+        dest: "{{ bin_dir }}/systemupdate"
+        owner: root
+        group: root
+        state: link
+    - name: Enable modules Service
+      service:
+        state: started
+        name: modules
+        enabled: true
+    - name: Tun permission service
+      file:
+        path: "/etc/init.d/tun-perm"
+        src: files/base_tun-perm.initd
+        owner: root
+        group: root
+        mode: '0755'
+        state: file
+    - name: Enable tun-perm service
+      service:
+        state: started
+        name: tun-perm
+        enabled: true
+    - name: Enable sysctl service
+      service:
+        state: started
+        name: sysctl
+        enabled: true
+    - name: Enable syslog service
+      service:
+        state: started
+        name: syslog
+        enabled: true
+    - name: Enable sysfs service
+      service:
+        state: started
+        name: sysfs
+        enabled: true

system/bootloader.ansible.yml

@@ -0,0 +1,74 @@
+- hosts: localhost
+  vars_files:
+    - /map.yml
+  tasks:
+    - name: Install bootloader pkgs
+      package:
+        name:
+          - grub
+          - grub-efi
+          - mkinitfs
+          - mkinitfs-doc
+          - efibootmgr
+        state: present
+    - name: Get current timestamp
+      command: | 
+        CURRENT_SUBVOLUME=$(LC_ALL=C btrfs sub show / | LC_ALL=C grep Name: | tr -d \'[:space:]\'); TIMESTAMP_FORMAT=\'[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}_[[:digit:]]{2}-[[:digit:]]{2}-[[:digit:]]{2}\'; echo "$CURRENT_SUBVOLUME" | grep -Eo "$TIMESTAMP_FORMAT"
+      register: CURRENT_SUBVOLUME_TIMESTAMP
+      run_once: true
+    - name: Get current timestamp human
+      command: |
+        CURRENT_SUBVOLUME_TIMESTAMP=\'{{ CURRENT_SUBVOLUME_TIMESTAMP.stdout }}\'; echo "${CURRENT_SUBVOLUME_TIMESTAMP:0:10} ${CURRENT_SUBVOLUME_TIMESTAMP:11:2}:${CURRENT_SUBVOLUME_TIMESTAMP:14:2}"
+      register: CURRENT_SUBVOLUME_TIMESTAMP_HUMAN
+      run_once: true
+    - name: Get current kernel version
+      command: |
+        uname -r
+      register: KERNEL_VERSION
+      run_once: true
+    - name: mkinitfs config
+      lineinfile:
+        path: "/etc/mkinitfs/mkinitfs.conf"
+        regexp: '^features.?=.?'
+        line: features="ata base btrfs keymap kms mmc nvme scsi usb virtio"
+        owner: root
+        group: root
+        mode: '0644'
+    - name: os-release file
+      template:
+        src: files/bootloader_os-release.j2
+        dest: "/etc/os-release"
+        owner: root
+        group: root
+        mode: '0644'
+      vars:
+        OS_VERSION: "2406"
+        OS_RELEASE_INFO: '"Timestamp: {{ CURRENT_SUBVOLUME_TIMESTAMP_HUMAN.stdout }} | Kernel: {{ KERNEL_VERSION.stdout }}"'
+    - name: Motd Directory
+      file:
+        name: /etc/motd.d
+        owner: root
+        group: root
+        mode: '0755'
+        state: directory
+    - name: Motd
+      template:
+        src: files/bootloader_00_noveria.motd.j2
+        dest: /etc/motd.d/00_noveria.motd
+        owner: root
+        group: root
+        mode: '0644'
+      vars:
+        OS_NAME: 'Novos 2406'
+        OS_RELEASE_INFO: 'Timestamp: {{ CURRENT_SUBVOLUME_TIMESTAMP_HUMAN.stdout }} | Kernel: {{ KERNEL_VERSION.stdout }}'
+        OS_ISSUE_URL: 'https://git.noveria.org/NoveriaOS/ISO/issues'
+    - name: Issue
+      template:
+        src: files/bootloader_issue.j2
+        dest: /etc/issue
+        owner: root
+        group: root
+        mode: '0644'
+      vars:
+        OS_NAME: 'Novos 2406'
+        OS_RELEASE_INFO: "{{ CURRENT_SUBVOLUME_TIMESTAMP_HUMAN.stdout }}"

system/files/base_systemupdate

@@ -0,0 +1,205 @@
+#!/usr/bin/env bash
+
+#######################################################################################################################
+##
+## Script to full update the system
+##
+##   0. Pre checks
+##   1. Generate new boot environment (BE)
+##   2. Update and Salt highstate
+##   3. Clean up
+##
+#######################################################################################################################
+
+
+#######################################################################################################################
+## Definitions
+#######################################################################################################################
+
+readonly TEMPDIR=$(mktemp -d /tmp/systemupdate.XXXXXX)
+readonly LOCK_FILE="${TEMPDIR}/systemupdate.lock"
+
+readonly TIMESTAMP=$(date +"%Y-%m-%d_%H-%M-%S")
+
+readonly BTRFS_ROOT="/btrfs"
+readonly CURRENT_SUBVOLUME=$(LC_ALL=C btrfs sub show / | LC_ALL=C grep 'Name' | cut -d: -f2 | awk '{$1=$1};1')
+readonly NEW_SUBVOLUME="@root_${TIMESTAMP}"
+readonly MOUNTPOINT='/mnt'
+
+readonly EFI_DISK=$(findmnt -T /efi -o SOURCE | tail -n 1)
+readonly ROOT_DISK=$(findmnt / -o SOURCE | cut -d"[" -f1 | tail -n 1)
+
+readonly BE_HISTORY_COUNT=5
+
+
+#######################################################################################################################
+## Errorhandling
+#######################################################################################################################
+
+#----------------------------------------------------------------------------------------------------------------------
+#   systemupdate failed
+#----------------------------------------------------------------------------------------------------------------------
+systemupdateFailed() {
+  echo ""
+  echo "┌──────────────────────────────────────────┐"
+  echo "│  FAILED => clean up                      │"
+  echo "└──────────────────────────────────────────┘"
+
+  subtaskTitle "Unmount BE if mounted"
+  unmountMountpoint
+
+  subtaskTitle "Remove BE"
+  removeBEFromTimestamp ${TIMESTAMP}
+
+  rm -f ${LOCK_FILE}
+
+  subtaskTitle "Finished with exit code 1"
+  exit 1
+}
+
+# catch ^C and other signals and clean up
+trap "echo -e '\n=> Interrupted with CTRL+C' >&2; systemupdateFailed" SIGINT SIGHUP SIGTERM SIGABRT
+
+
+#######################################################################################################################
+## Helper Functions
+#######################################################################################################################
+
+#----------------------------------------------------------------------------------------------------------------------
+#   Subtask title output
+#----------------------------------------------------------------------------------------------------------------------
+subtaskTitle() {
+  echo -e "\n=> $1"
+}
+
+#----------------------------------------------------------------------------------------------------------------------
+#   Unmount ${MOUNTPOINT}
+#----------------------------------------------------------------------------------------------------------------------
+unmountMountpoint() {
+  # if mountpoint exists -> umount
+  [[ $(findmnt -M "${MOUNTPOINT}") ]] && umount -R "${MOUNTPOINT}"
+}
+
+#----------------------------------------------------------------------------------------------------------------------
+#   Recursive subvolume delete
+#----------------------------------------------------------------------------------------------------------------------
+btrfsSubDelRecursive() {
+  btrfs sub list -o "${BTRFS_ROOT}/${1}" | cut -d " " -f 9 | while read i; do
+    btrfsSubDelRecursive "$i"
+  done
+  btrfs sub del "${BTRFS_ROOT}/${1}"
+}
+
+#----------------------------------------------------------------------------------------------------------------------
+#   Remove BE from timestamp
+#----------------------------------------------------------------------------------------------------------------------
+removeBEFromTimestamp() {
+  # remove all subvolume with this timestamp
+  for f in $(btrfs sub list -o /btrfs | cut -d " " -f 9 | grep "@root"); do
+    if [[ "$f" =~ "$1" ]]; then
+      btrfsSubDelRecursive "$f"
+    fi
+  done
+}
+
+
+#######################################################################################################################
+## Main
+#######################################################################################################################
+
+echo "┌──────────────────────────────────────────┐"
+echo "│  0. Pre checks                           │"
+echo "└──────────────────────────────────────────┘"
+subtaskTitle "Check if another systemupgrade is in progress"
+if [ -f ${LOCK_FILE} ]; then
+  echo "[ERROR] Another systemupgrade is in progress (lockfile: ${LOCK_FILE}) => exit" >&2
+  exit 1
+fi
+
+subtaskTitle "Check if ${MOUNTPOINT} exists"
+if [ ! -d ${MOUNTPOINT} ]; then
+  mkdir -p "${MOUNTPOINT}"
+fi
+
+subtaskTitle "Check if ${MOUNTPOINT} is already a mountpoint"
+if [[ $(findmnt -M "${MOUNTPOINT}") ]]; then
+  echo "[ERROR] ${MOUNTPOINT} is already a mountpoint => exit" >&2
+  exit 1
+fi
+
+subtaskTitle "Checks finished and update can start"
+
+# Create lock file
+touch ${LOCK_FILE} || systemupdateFailed
+
+
+echo ""
+echo "┌──────────────────────────────────────────┐"
+echo "│  1. Generate new boot environment (BE)   │"
+echo "└──────────────────────────────────────────┘"
+
+subtaskTitle "Create snapshot of current running system"
+btrfs subvolume snapshot / ${BTRFS_ROOT}/${NEW_SUBVOLUME} || systemupdateFailed
+
+subtaskTitle "Mount new BE to ${MOUNTPOINT}"
+mount -o noatime,nodiratime,discard=async,space_cache=v2,subvol="${NEW_SUBVOLUME}" "${ROOT_DISK}" "${MOUNTPOINT}" || systemupdateFailed
+mount -o noatime,nodiratime,discard=async,space_cache=v2,subvol=@home "${ROOT_DISK}" "${MOUNTPOINT}/home" || systemupdateFailed
+mount -o noatime,nodiratime,discard=async,space_cache=v2,subvol=@podman "${ROOT_DISK}" "${MOUNTPOINT}/opt/podman" || systemupdateFailed
+mount -o noatime,nodiratime,discard=async,space_cache=v2,subvol=@mysql "${ROOT_DISK}" "${MOUNTPOINT}/var/lib/mysql" || systemupdateFailed
+mount -o noatime,nodiratime,discard=async,space_cache=v2,subvol=/ "${ROOT_DISK}" "${MOUNTPOINT}/btrfs" || systemupdateFailed
+
+mount -o nodev,nosuid,noexec "${EFI_DISK}" "${MOUNTPOINT}/efi" || systemupdateFailed
+mount -t proc /proc "${MOUNTPOINT}/proc/" || systemupdateFailed
+mount -t sysfs /sys "${MOUNTPOINT}/sys/" || systemupdateFailed
+mount -o bind /sys/firmware/efi/efivars "${MOUNTPOINT}/sys/firmware/efi/efivars/" || systemupdateFailed
+mount -o bind /dev "${MOUNTPOINT}/dev/" || systemupdateFailed
+mount -o bind /run "${MOUNTPOINT}/run/" || systemupdateFailed
+
+subtaskTitle "New BE mounted"
+
+echo ""
+echo "┌──────────────────────────────────────────┐"
+echo "│  2. Update and Salt highstate            │"
+echo "└──────────────────────────────────────────┘"
+
+subtaskTitle "Update Saltstack"
+
+chroot "${MOUNTPOINT}" /bin/bash -c "git -C /srv/salt pull" || systemupdateFailed
+
+subtaskTitle "Update bootloader configs"
+chroot "${MOUNTPOINT}" /bin/bash -c "salt-call state.sls system.bootloader" >/dev/null || systemupdateFailed
+
+subtaskTitle "Alpine repositories & keyring update"
+chroot "${MOUNTPOINT}" /bin/bash -c "apk update" || systemupdateFailed
+
+subtaskTitle "Alpine packages update"
+chroot "${MOUNTPOINT}" /bin/bash -c "apk upgrade" || systemupdateFailed
+
+subtaskTitle "Salt highstate"
+chroot "${MOUNTPOINT}" /bin/bash -c "salt-call state.highstate" >/dev/null || systemupdateFailed
+
+subtaskTitle "Generate new initial ramdisk"
+latest_kernel="$(chroot "${MOUNTPOINT}" /bin/bash -c 'echo $(apk search linux-lts | head -n1 | cut -d- -f3- | sed "s|r||")-lts')"
+chroot "${MOUNTPOINT}" /bin/bash -c "mkinitfs $latest_kernel" || systemupdateFailed
+
+subtaskTitle "Update motd"
+chroot "${MOUNTPOINT}" /bin/bash -c "/usr/local/noveria/bin/generate_motd" || systemupdateFailed
+
+subtaskTitle "Update GRUB"
+chroot "${MOUNTPOINT}" /bin/bash -c "grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=alpine" || systemupdateFailed
+chroot "${MOUNTPOINT}" /bin/bash -c "/usr/local/noveria/bin/noveriablcgen --noconfirm" || systemupdateFailed
+
+subtaskTitle "Update finished"
+
+subtaskTitle "Unmount BE"
+unmountMountpoint
+
+echo ""
+echo "┌──────────────────────────────────────────┐"
+echo "│  3. Clean Up                             │"
+echo "└──────────────────────────────────────────┘"
+
+subtaskTitle "Clean up finished"
+
+# Remove lock file
+rm -f ${LOCK_FILE}

system/files/base_tun-perm.initd

@@ -0,0 +1,13 @@
+#!/sbin/openrc-run
+supervisor=supervise-daemon
+
+name="tun module permission setter"
+description="setting the permission of /dev/net/tun to 666"
+
+command=$(which chmod)
+command_args="0666 /dev/net/tun"
+command_user="root"
+
+depend() {
+  need modules
+}

system/files/bootloader_00_noveria.motd.j2

@@ -0,0 +1,17 @@
+╔═══════════════════════════════════════════════╗
+║                 Velkommen til                 ║
+║       _   _                     _             ║
+║      | \ | |                   (_)            ║
+║      |  \| | _____   _____ _ __ _  __ _       ║
+║      | . ` |/ _ \ \ / / _ \ '__| |/ _` |      ║
+║      | |\  | (_) \ V /  __/ |  | | (_| |      ║
+║      |_| \_|\___/ \_/ \___|_|  |_|\__,_|      ║
+║                                               ║
+╚═══════════════════════════════════════════════╝
+
+OS: {{ OS_NAME }}
+Version: {{ OS_RELEASE_INFO }}
+
+Report issues on: {{ OS_ISSUE_URL }}
+
+═════════════════════════════════════════════════

system/files/bootloader_issue.j2

@@ -0,0 +1,2 @@
+Velkommen til {{ OS_NAME }}
+Timestamp: {{ OS_RELEASE_INFO }} | Kernel: \r

system/files/bootloader_os-release.j2

@@ -0,0 +1,8 @@
+NAME="Novos"
+ID=noveriaos
+ID_LIKE=alpine
+VERSION_ID="{{ OS_VERSION }}"
+PRETTY_NAME="Novos {{ OS_VERSION }}"
+RELEASE_INFO={{ OS_RELEASE_INFO }}
+HOME_URL="https://noveria.org"
+BUG_REPORT_URL="https://git.noveria.org/Novos/ISO/issues"

system/init.ansible.yml

@@ -0,0 +1,7 @@
+- import_playbook: base.ansible.yml
+- import_playbook: bootloader.ansible.yml
+# - import_playbook: disks.ansible.yml
+# - import_playbook: user.ansible.yml
+# - import_playbook: shell.ansible.yml
+# - import_playbook: ansible.ansible.yml
+  

top.ansible.yml

@@ -0,0 +1,2 @@
+- import_playbook: directories.ansible.yml
+- import_playbook: system/init.ansible.yml