diff --git a/apt_ostree/constants.py b/apt_ostree/constants.py
index b1b1f3c..585ed11 100644
--- a/apt_ostree/constants.py
+++ b/apt_ostree/constants.py
@@ -10,7 +10,6 @@ VERSION = "0.1"
 # packages to exclude from systemd-tmpfiles check.
 excluded_packages = [
 "ucf",
- "dpkg",
 "base-files",
 "systemd",
 "init-system-helpers",
diff --git a/config/debian/bookworm/bootstrap.yaml b/config/debian/bookworm/bootstrap.yaml
index 7ac41a2..560732d 100644
--- a/config/debian/bookworm/bootstrap.yaml
+++ b/config/debian/bookworm/bootstrap.yaml
@@ -8,21 +8,59 @@ mmdebstrap: suite: bookworm architectures: [amd64] components: [main, contrib, non-free, non-free-firmware] - vairant: minbase + # Customizations that happen before bootstrapping. setup-hooks: - 'sync-in overlay/debian/ /' - 'sync-in overlay/ostree/ /' + - 'sync-in overlay/auto-login/ /' + - 'sync-in overlay/firstboot/ /' + # Customizations that happen after boostrapping. customize-hooks: + - 'sync-in overlay/adduser/ /' - echo 'root:root' | chroot "$1" chpasswd - - echo "localhost" > $1/etc/hostname + - chroot $1 echo "localhost" > $1/etc/hostname + - systemctl disable --root=$1 apt-daily.timer cron + - systemctl enable --root="$1" firstboot systemd-networkd + - chroot $1 cp -alf /lib/systemd/resolv.conf /etc/resolv.conf + - chroot $1 cp -alf /usr/libexec/libostree/grub2-15_ostree /etc/grub.d/15_ostree + - chroot $1 cp -alf /usr/lib/os-release /etc/os-release + # Packages to install after bootstrapping. packages: - linux-image-amd64 - firmware-linux - + - sudo - ostree - ostree-boot + - libostree-1-1 + - libostree-dev - systemd-boot - dracut + - grub-efi-amd64 + - vim + - net-tools + - openssh-client + - openssh-server + - procps + - less + - dbus + - policykit-1 + - libnss-resolve + - curl + - wget + - git-core + - rsync + - bubblewrap + - python3-apt + - python3-all + - python3-pip + - python3-pbr + - python3-gi + - python3-click + - bdebstrap + - gobject-introspection + - gir1.2-ostree-1.0 + - software-properties-common + - libnss-systemd diff --git a/config/debian/bookworm/image/image.yaml b/config/debian/bookworm/image/image.yaml index 916de8f..37b6c8e 100644 --- a/config/debian/bookworm/image/image.yaml +++ b/config/debian/bookworm/image/image.yaml 
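Review bot: The new hook `chroot $1 echo "localhost" > $1/etc/hostname` does not run inside the chroot in any useful sense — the `>` redirection is handled by the host shell before `chroot` starts, so the wrapper only adds a dependency on `echo` existing in the target — and `$1` is unquoted here and in `systemctl disable --root=$1 ...` while the adjacent `systemctl enable --root="$1"` quotes it. Suggest `- echo "localhost" > "$1/etc/hostname"` and `- systemctl disable --root="$1" apt-daily.timer cron`. The package list now adds `openssh-server` and `sudo` while the unchanged context line `echo 'root:root' | chroot "$1" chpasswd` still bakes a fixed root password into every image; that line predates this change, but a comment on the hook list such as `# NOTE: fixed root password is a development convenience; replace before shipping images` would make the intent explicit. The removed `vairant: minbase` key was misspelled and so never took effect; dropping it rather than correcting it to `variant:` presumably keeps mmdebstrap's default variant — worth confirming that is what was wanted.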
@@ -5,7 +5,7 @@ {{- $cmdline := or .cmdline "console=tty0 console=ttyS0,115200n8 rootwait rw fsck.mode=auto fsck.repair=yes systemd.gpt_auto=false" -}} {{- $branch := or .branch "debian/bookworm" -}} {{- $repo := or .repo "ostree_repo" -}} -{{- $size := or .size "3G" -}} +{{- $size := or .size "20G" -}} architecture: {{ $architecture }} diff --git a/config/debian/bookworm/overlay/adduser/etc/adduser.conf b/config/debian/bookworm/overlay/adduser/etc/adduser.conf new file mode 100644 index 0000000..c155f43 --- /dev/null +++ b/config/debian/bookworm/overlay/adduser/etc/adduser.conf 
@@ -0,0 +1,107 @@
+# /etc/adduser.conf: `adduser' configuration.
+# See adduser(8) and adduser.conf(5) for full documentation.
+
+# A commented out setting indicates that this is the default in the
+# code. If you need to change those settings, remove the comment and
+# make your intended change.
+
+# STDERRMSGLEVEL, STDOUTMSGLEVEL, and LOGMSGLEVEL set the minimum
+# priority for messages logged to syslog/journal and the console,
+# respectively.
+# Values are trace, debug, info, warn, err, and fatal.
+# Messages with the set priority or higher get logged to the
+# respective medium.
+#STDERRMSGLEVEL=warn
+#STDOUTMSGLEVEL=info
+#SYSLOGLEVEL=info
+
+# The login shell to be used for all new users.
+# Default: DSHELL=/bin/bash
+#DSHELL=/bin/bash
+
+# The directory in which new home directories should be created.
+# Default: DHOME=/home
+DHOME=/var/home
+
+# The directory from which skeletal user configuration files
+# will be copied.
+# Default: SKEL=/etc/skel
+#SKEL=/etc/skel
+
+# Specify inclusive ranges of UIDs and GIDs from which UIDs and GIDs
+# for system users, system groups, non-system users and non-system groups
+# can be dynamically allocated.
+# Default: FIRST_SYSTEM_UID=100, LAST_SYSTEM_UID=999
+#FIRST_SYSTEM_UID=100
+#LAST_SYSTEM_UID=999
+
+# Default: FIRST_SYSTEM_GID=100, LAST_SYSTEM_GID=999
+#FIRST_SYSTEM_GID=100
+#LAST_SYSTEM_GID=999
+
+# Default: FIRST_UID=1000, LAST_UID=59999
+#FIRST_UID=1000
+#LAST_UID=59999
+
+# Default: FIRST_GID=1000, LAST_GID=59999
+#FIRST_GID=1000
+#LAST_GID=59999
+
+# Specify a file or a directory containing UID and GID pool.
+#UID_POOL=/etc/adduser-pool.conf
+#UID_POOL=/etc/adduser-pool.d/
+#GID_POOL=/etc/adduser-pool.conf
+#GID_POOL=/etc/adduser-pool.d/
+
+# Specify whether each created non-system user will be
+# given their own group to use.
+# Default: USERGROUPS=yes
+#USERGROUPS=yes
+
+# Defines the groupname or GID of the group all newly-created
+# non-system users are placed into.
+# It is a configuration error to define both variables
+# even if the values are consistent.
+# Default: USERS_GID=undefined, USERS_GROUP=users
+#USERS_GID=100
+#USERS_GROUP=users
+
+# The permissions mode for home directories of non-system users.
+# Default: DIR_MODE=0700
+#DIR_MODE=0700
+
+# The permissions mode for home directories of system users.
+# Default: SYS_DIR_MODE=0755
+#SYS_DIR_MODE=0755
+
+# If set to a nonempty value, new users will have quotas copied
+# from that user with `edquota -p QUOTAUSER newuser'
+# Default: QUOTAUSER=""
+#QUOTAUSER=""
+
+# Non-system user- and groupnames are checked against this regular
+# expression.
+# Default: NAME_REGEX="^[a-z][-a-z0-9_]*\$?$"
+#NAME_REGEX="^[a-z][-a-z0-9_]*\$?$"
+
+# System user- and groupnames are checked against this regular
+# expression.
+# Default: SYS_NAME_REGEX="^[a-z_][-a-z0-9_]*\$?$"
+#SYS_NAME_REGEX="^[a-z_][-a-z0-9_]*\$?$"
+
+# When populating the newly created home directory of a non-system user,
+# files in SKEL matching this regex are not copied.
+# Default: SKEL_IGNORE_REGEX="\.(dpkg|ucf)-(old|new|dist|save)$"
+#SKEL_IGNORE_REGEX="\.(dpkg|ucf)-(old|new|dist|save)$"
+
+# list of groups that new non-system users will be added to
+# if ADD_EXTRA_GROUPS is non-zero or set on the command line.
+# Default: EXTRA_GROUPS="users"
+#EXTRA_GROUPS="users"
+
+# Setting this to something other than 0 will cause adduser to add
+# newly created non-system users to the list of groups defined by
+# EXTRA_GROUPS.
+# Default: ADD_EXTRA_GROUPS=0
+#ADD_EXTRA_GROUPS=0
+
diff --git a/config/debian/bookworm/overlay/adduser/etc/default/useradd b/config/debian/bookworm/overlay/adduser/etc/default/useradd
new file mode 100644
index 0000000..36dc611
--- /dev/null
+++ b/config/debian/bookworm/overlay/adduser/etc/default/useradd
@@ -0,0 +1,37 @@
+# Default values for useradd(8)
+#
+# The SHELL variable specifies the default login shell on your
+# system.
+# Similar to DSHELL in adduser. However, we use "sh" here because
+# useradd is a low level utility and should be as general
+# as possible
+SHELL=/bin/sh
+#
+# The default group for users
+# 100=users on Debian systems
+# Same as USERS_GID in adduser
+# This argument is used when the -n flag is specified.
+# The default behavior (when -n and -g are not specified) is to create a
+# primary user group with the same name as the user being added to the
+# system.
+# GROUP=100
+#
+# The default home directory. Same as DHOME for adduser
+HOME=/var/home
+#
+# The number of days after a password expires until the account
+# is permanently disabled
+# INACTIVE=-1
+#
+# The default expire date
+# EXPIRE=
+#
+# The SKEL variable specifies the directory containing "skeletal" user
+# files; in other words, files such as a sample .profile that will be
+# copied to the new user's home directory when it is created.
+# SKEL=/etc/skel
+#
+# Defines whether the mail spool should be created while
+# creating the account
+# CREATE_MAIL_SPOOL=no
+
diff --git a/config/debian/bookworm/overlay/auto-login/etc/hostname b/config/debian/bookworm/overlay/auto-login/etc/hostname
new file mode 100644
index 0000000..2fbb50c
--- /dev/null
+++ b/config/debian/bookworm/overlay/auto-login/etc/hostname
@@ -0,0 +1 @@
+localhost
diff --git a/config/debian/bookworm/overlay/auto-login/etc/systemd/network/dhcp.network b/config/debian/bookworm/overlay/auto-login/etc/systemd/network/dhcp.network
new file mode 100644
index 0000000..aec1849
--- /dev/null
+++ b/config/debian/bookworm/overlay/auto-login/etc/systemd/network/dhcp.network
@@ -0,0 +1,5 @@
+[Match]
+Name=en*
+
+[Network]
+DHCP=yes
diff --git a/config/debian/bookworm/overlay/auto-login/etc/systemd/system/console-getty.service.d/autologin.conf b/config/debian/bookworm/overlay/auto-login/etc/systemd/system/console-getty.service.d/autologin.conf
new file mode 100644
index 0000000..4b3bb71
--- /dev/null
+++ b/config/debian/bookworm/overlay/auto-login/etc/systemd/system/console-getty.service.d/autologin.conf
@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=-/sbin/agetty -o '-p -f -- \\u' --noclear --keep-baud --autologin user - 115200,38400,9600 $TERM
diff --git a/config/debian/bookworm/overlay/auto-login/etc/systemd/system/serial-getty@ttyS0.service.d/autologin.conf b/config/debian/bookworm/overlay/auto-login/etc/systemd/system/serial-getty@ttyS0.service.d/autologin.conf
new file mode 100644
index 0000000..1a5fef1
--- /dev/null
+++ b/config/debian/bookworm/overlay/auto-login/etc/systemd/system/serial-getty@ttyS0.service.d/autologin.conf
@@ -0,0 +1,4 @@
+[Service]
+Type=simple
+ExecStart=
+ExecStart=-/sbin/agetty --autologin user --noclear %I 38400 linux
diff --git a/config/debian/bookworm/overlay/debian/etc/apt/apt.conf.d/15update-stamp b/config/debian/bookworm/overlay/debian/etc/apt/apt.conf.d/15update-stamp
new file mode 100644
index 0000000..14ead83
--- /dev/null
+++ b/config/debian/bookworm/overlay/debian/etc/apt/apt.conf.d/15update-stamp
@@ -0,0 +1 @@
+APT::Update::Post-Invoke-Success {"touch /var/lib/apt/periodic/update-success-stamp 2>/dev/null || true";};
diff --git a/config/debian/bookworm/overlay/debian/etc/apt/apt.conf.d/90disable-http-pipelining b/config/debian/bookworm/overlay/debian/etc/apt/apt.conf.d/90disable-http-pipelining
new file mode 100644
index 0000000..0d5af05
--- /dev/null
+++ b/config/debian/bookworm/overlay/debian/etc/apt/apt.conf.d/90disable-http-pipelining
@@ -0,0 +1,4 @@
+# Work around issues with the APT downloader corrupting files and
+# causing "Hash Sum Mismatch" errors:
+# https://phabricator.collabora.com/T15071
+Acquire::http::Pipeline-Depth 0;
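Review bot: Both drop-ins start `agetty --autologin user` — on the local console (`console-getty`) and on `ttyS0` (`serial-getty@ttyS0`) — so anyone who can reach the serial console (hypervisor console, BMC, a USB-serial lead) gets a shell as `user` with no password, and `user` is added to `sudo` by `firstboot.sh` in this same commit, which makes it a root-equivalent shell. If this overlay is meant only for development images, say so at the top of each drop-in, e.g. `# Development-only: passwordless console login for the sudo-capable 'user' account. Do not include this overlay in production images.`, and keep it out of the base overlay. `Type=simple` in the ttyS0 drop-in also departs from what I believe the stock `serial-getty@.service` uses (`Type=idle`); if that is deliberate, a one-line comment saying why would save the next reader a lookup.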
diff --git a/config/debian/bookworm/overlay/debian/etc/apt/sources.list b/config/debian/bookworm/overlay/debian/etc/apt/sources.list
new file mode 100644
index 0000000..865ce88
--- /dev/null
+++ b/config/debian/bookworm/overlay/debian/etc/apt/sources.list
@@ -0,0 +1,14 @@
+deb https://ftp.debian.org/debian/ bookworm contrib main non-free non-free-firmware
+# deb-src https://ftp.debian.org/debian/ bookworm contrib main non-free non-free-firmware
+
+deb https://ftp.debian.org/debian/ bookworm-updates contrib main non-free non-free-firmware
+# deb-src https://ftp.debian.org/debian/ bookworm-updates contrib main non-free non-free-firmware
+
+deb https://ftp.debian.org/debian/ bookworm-proposed-updates contrib main non-free non-free-firmware
+# deb-src https://ftp.debian.org/debian/ bookworm-proposed-updates contrib main non-free non-free-firmware
+
+deb https://ftp.debian.org/debian/ bookworm-backports contrib main non-free non-free-firmware
+# deb-src https://ftp.debian.org/debian/ bookworm-backports contrib main non-free non-free-firmware
+
+deb https://security.debian.org/debian-security/ bookworm-security contrib main non-free non-free-firmware
+# deb-src https://security.debian.org/debian-security/ bookworm-security contrib main non-free non-free-firmware
diff --git a/config/debian/bookworm/overlay/debian/etc/default/grub b/config/debian/bookworm/overlay/debian/etc/default/grub
new file mode 100644
index 0000000..33d69ce
--- /dev/null
+++ b/config/debian/bookworm/overlay/debian/etc/default/grub
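Review bot: `bookworm-proposed-updates` and `bookworm-backports` are enabled unconditionally next to the release suites, with no apt pinning anywhere in the overlay. Packages in proposed-updates have not yet passed point-release QA, and because `firstboot.sh` in this commit runs `apt-get update` on every fresh deployment, each image will track pre-release updates from its first boot. Unless that is intended, drop the proposed-updates entry or comment it out like the `deb-src` lines; backports is marked NotAutomatic by the archive so it only affects explicit installs, which is worth stating in a comment such as `# backports: NotAutomatic, only used when a package is requested from it explicitly`.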
@@ -0,0 +1,45 @@
+# If you change this file, run 'update-grub' afterwards to update
+# /boot/grub/grub.cfg.
+# For full documentation of the options in this file, see:
+# info -f grub -n 'Simple configuration'
+
+GRUB_DEFAULT=0
+GRUB_TIMEOUT=5
+GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
+GRUB_CMDLINE_LINUX_DEFAULT="quiet"
+GRUB_CMDLINE_LINUX=""
+# Kernel console on both serial and kvm/local console
+GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8 rootdelay=60"
+# Show grub menu on both serial and kvm/local console
+GRUB_TERMINAL="console serial"
+GRUB_SERIAL_COMMAND="serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1"
+
+
+# If your computer has multiple operating systems installed, then you
+# probably want to run os-prober. However, if your computer is a host
+# for guest OSes installed via LVM or raw disk devices, running
+# os-prober can cause damage to those guest OSes as it mounts
+# filesystems to look for things.
+#GRUB_DISABLE_OS_PROBER=false
+
+# Uncomment to enable BadRAM filtering, modify to suit your needs
+# This works with Linux (no patch required) and with any kernel that obtains
+# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
+#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
+
+# Uncomment to disable graphical terminal
+#GRUB_TERMINAL=console
+
+# The resolution used on graphical terminal
+# note that you can use only modes which your graphic card supports via VBE
+# you can see them in real GRUB with the command `vbeinfo'
+#GRUB_GFXMODE=640x480
+
+# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
+#GRUB_DISABLE_LINUX_UUID=true
+
+# Uncomment to disable generation of recovery mode menu entries
+#GRUB_DISABLE_RECOVERY="true"
+
+# Uncomment to get a beep at grub start
+#GRUB_INIT_TUNE="480 440 1"
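Review bot: The first `GRUB_CMDLINE_LINUX=""` assignment is dead — it is overwritten two lines later by `GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8 rootdelay=60"` — so drop the empty one before a reader assumes the kernel command line is being cleared. `GRUB_DISTRIBUTOR` shells out to `lsb_release`, which is not among the packages added to bootstrap.yaml in this commit; the `|| echo Debian` fallback covers it, but a comment saying the fallback is the expected path would help. With a 5-second visible menu and no superuser/`GRUB_PASSWORD` setup, anyone at the console can edit the boot entry (e.g. add `init=/bin/sh`); that may be acceptable for a development image, but it deserves a line such as `# No GRUB password: the boot menu is editable from the console.`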
diff --git a/config/debian/bookworm/overlay/debian/etc/dpkg/dpkg.cfg.d/starlingx-dpkg-sppedup b/config/debian/bookworm/overlay/debian/etc/dpkg/dpkg.cfg.d/starlingx-dpkg-sppedup
new file mode 100644
index 0000000..7db9103
--- /dev/null
+++ b/config/debian/bookworm/overlay/debian/etc/dpkg/dpkg.cfg.d/starlingx-dpkg-sppedup
@@ -0,0 +1 @@
+force-unsafe-io
diff --git a/config/debian/bookworm/overlay/debian/etc/dpkg/dpkg.cfg.d/starlingx-exclusions-docs b/config/debian/bookworm/overlay/debian/etc/dpkg/dpkg.cfg.d/starlingx-exclusions-docs
new file mode 100644
index 0000000..be49342
--- /dev/null
+++ b/config/debian/bookworm/overlay/debian/etc/dpkg/dpkg.cfg.d/starlingx-exclusions-docs
@@ -0,0 +1,9 @@
+# Exclude all kind of docs
+path-exclude=/usr/share/doc/*
+path-include=/usr/share/doc/*/copyright_report*
+path-include=/usr/share/doc/*/*.json*
+path-exclude=/usr/share/man/*
+path-exclude=/usr/share/info/*
+path-exclude=/usr/share/lintian/*
+path-exclude=/usr/share/linda/*
+path-exclude=/var/cache/man/*
diff --git a/config/debian/bookworm/overlay/debian/etc/hostname b/config/debian/bookworm/overlay/debian/etc/hostname
new file mode 100644
index 0000000..2fbb50c
--- /dev/null
+++ b/config/debian/bookworm/overlay/debian/etc/hostname
@@ -0,0 +1 @@
+localhost
diff --git a/config/debian/bookworm/overlay/debian/etc/pip.conf b/config/debian/bookworm/overlay/debian/etc/pip.conf
new file mode 100644
index 0000000..9d54ef9
--- /dev/null
+++ b/config/debian/bookworm/overlay/debian/etc/pip.conf
@@ -0,0 +1,2 @@
+[global]
+break-system-packages = true
diff --git a/config/debian/bookworm/overlay/debian/etc/systemd/network/dhcp.network b/config/debian/bookworm/overlay/debian/etc/systemd/network/dhcp.network
new file mode 100644
index 0000000..aec1849
--- /dev/null
+++ b/config/debian/bookworm/overlay/debian/etc/systemd/network/dhcp.network
@@ -0,0 +1,5 @@
+[Match]
+Name=en*
+
+[Network]
+DHCP=yes
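Review bot: `path-exclude=/usr/share/doc/*` combined with only `path-include=/usr/share/doc/*/copyright_report*` drops `/usr/share/doc/<pkg>/copyright` from every package, and that file carries the licence text Debian Policy requires to ship alongside the binaries — redistributing an image built this way is a licence-compliance problem for GPL- and BSD-licensed packages. Add `path-include=/usr/share/doc/*/copyright` next to the existing include (and consider `path-include=/usr/share/doc/*/changelog.Debian.gz` if the changelogs are used for CVE triage). The header `# Exclude all kind of docs` should also say why, e.g. `# Keep the image small: drop man pages and docs but retain copyright files.`, and the sibling file name `starlingx-dpkg-sppedup` looks like a typo for `speedup`.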
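Review bot: Setting `break-system-packages = true` in the global `/etc/pip.conf` disables the PEP 668 externally-managed-environment guard for every pip invocation on the image, so a stray `pip install` as root can overwrite apt-managed modules in `/usr/lib/python3/dist-packages` — including `python3-apt` and `python3-gi`, which bootstrap.yaml installs for apt_ostree itself. If pip is only needed while building, pass the flag per invocation in the build hook (`pip install --break-system-packages ...` or `PIP_BREAK_SYSTEM_PACKAGES=1`) instead of baking it into the runtime image. If it must stay, document the trade-off in the file: `# Lets pip install into the system site-packages; apt-managed modules may be shadowed or overwritten.`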
diff --git a/config/debian/bookworm/overlay/debian/etc/systemd/network/wired.network b/config/debian/bookworm/overlay/debian/etc/systemd/network/wired.network
new file mode 100644
index 0000000..acbc622
--- /dev/null
+++ b/config/debian/bookworm/overlay/debian/etc/systemd/network/wired.network
@@ -0,0 +1,6 @@
+[Match]
+Name=e*
+KernelCommandLine=!nfsroot
+
+[Network]
+DHCP=yes
diff --git a/config/debian/bookworm/overlay/debian/etc/systemd/system/console-getty.service.d/autologin.conf b/config/debian/bookworm/overlay/debian/etc/systemd/system/console-getty.service.d/autologin.conf
new file mode 100644
index 0000000..4b3bb71
--- /dev/null
+++ b/config/debian/bookworm/overlay/debian/etc/systemd/system/console-getty.service.d/autologin.conf
@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=-/sbin/agetty -o '-p -f -- \\u' --noclear --keep-baud --autologin user - 115200,38400,9600 $TERM
diff --git a/config/debian/bookworm/overlay/debian/etc/systemd/system/serial-getty@ttyS0.service.d/autologin.conf b/config/debian/bookworm/overlay/debian/etc/systemd/system/serial-getty@ttyS0.service.d/autologin.conf
new file mode 100644
index 0000000..1a5fef1
--- /dev/null
+++ b/config/debian/bookworm/overlay/debian/etc/systemd/system/serial-getty@ttyS0.service.d/autologin.conf
@@ -0,0 +1,4 @@
+[Service]
+Type=simple
+ExecStart=
+ExecStart=-/sbin/agetty --autologin user --noclear %I 38400 linux
diff --git a/config/debian/bookworm/overlay/debian/usr/sbin/firstboot.sh b/config/debian/bookworm/overlay/debian/usr/sbin/firstboot.sh
new file mode 100755
index 0000000..7322118
--- /dev/null
+++ b/config/debian/bookworm/overlay/debian/usr/sbin/firstboot.sh
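Review bot: The two `autologin.conf` drop-ins added here under `overlay/debian/` are byte-identical to the ones added under `overlay/auto-login/` in the same commit (same blob ids `4b3bb71` and `1a5fef1`), so the separate `auto-login` overlay that bootstrap.yaml syncs in is redundant: removing `sync-in overlay/auto-login/ /` from the hook list would not turn passwordless console login off, because the base `debian` overlay reinstalls it. Keep the autologin drop-ins in one overlay only — the opt-in `auto-login` one — so the base overlay can build images that must prompt for a password. Likewise `wired.network` (`Name=e*`) overlaps `dhcp.network` (`Name=en*`) in the same directory; both request DHCP so nothing breaks today, but one should go or a comment should say why both exist.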
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+
+if [ -f /var/.firstboot ]; then
+ exit 0
+fi
+logger "Setting up admin user"
+
+adduser --gecos User user
+adduser user sudo
+echo "user:user" | chpasswd
+
+sed -i "s/\#PermitRootLogin prohibit-password/\#PermitRootLogin prohibit-password\nPermitRootLogin Yes\n/" /etc/ssh/sshd_config
+systemctl restart ssh.service
+
+grub-install --uefi-secure-boot --target="x86_64-efi" --no-nvram --removable
+grub-install --uefi-secure-boot --target="x86_64-efi" --no-nvram
+update-grub
+cp -rp /boot/ostree/* /ostree/
+
+touch /var/.firstboot
+
+shutdown -r now
diff --git a/config/debian/bookworm/overlay/firstboot/lib/systemd/system/firstboot.service b/config/debian/bookworm/overlay/firstboot/lib/systemd/system/firstboot.service
new file mode 100644
index 0000000..4f182ee
--- /dev/null
+++ b/config/debian/bookworm/overlay/firstboot/lib/systemd/system/firstboot.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=FirstBoot
+After=network.target apt-daily.service apt-daily-upgrade.service
+Before=rc-local.service
+ConditionFileNotEmpty=/usr/sbin/firstboot.sh
+
+[Service]
+ExecStart=/usr/sbin/firstboot.sh
+Type=oneshot
+RemainAfterExit=no
+
+[Install]
+WantedBy=multi-user.target
diff --git a/config/debian/bookworm/overlay/firstboot/usr/sbin/firstboot.sh b/config/debian/bookworm/overlay/firstboot/usr/sbin/firstboot.sh
new file mode 100755
index 0000000..4cf272d
--- /dev/null
+++ b/config/debian/bookworm/overlay/firstboot/usr/sbin/firstboot.sh
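Review bot: This script bakes a fixed credential pair into every image — `adduser --gecos User user`, `adduser user sudo`, `echo "user:user" | chpasswd` — and then patches `sshd_config` to `PermitRootLogin Yes` on an image that also sets `root:root` in bootstrap.yaml, brings up DHCP via systemd-networkd, installs `openssh-server`, and orders this unit `After=network.target`; the host is therefore reachable over SSH with two well-known passwords from its first boot. At minimum drop the `sed` (sshd's `prohibit-password` default already permits key-based root access) and force a password change at first login with `chage -d 0 user` right after the `chpasswd`. The script has no `set -euo pipefail`, so a failed `grub-install` or `update-grub` still reaches `touch /var/.firstboot` and `shutdown -r now`, leaving a half-installed bootloader that is never retried; add `set -euo pipefail` after the shebang, or only write the stamp once the grub steps have succeeded. The `sed` itself is fragile — it only fires if the exact line `#PermitRootLogin prohibit-password` is present and then appends a second directive rather than replacing the first.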
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+
+if [ -f /var/.firstboot ]; then
+ exit 0
+fi
+logger "Setting up admin user"
+
+adduser --gecos User user
+adduser user sudo
+echo "user:user" | chpasswd
+
+mkdir -p /var/lib/apt/lists
+apt-get update
+
+sed -i "s/\#PermitRootLogin prohibit-password/\#PermitRootLogin prohibit-password\nPermitRootLogin Yes\n/" /etc/ssh/sshd_config
+systemctl restart ssh.service
+
+grub-install --uefi-secure-boot --target="x86_64-efi" --no-nvram --removable
+grub-install --uefi-secure-boot --target="x86_64-efi" --no-nvram
+update-grub
+cp -rp /boot/ostree/* /ostree/
+
+touch /var/.firstboot
+
+shutdown -r now
diff --git a/config/debian/bookworm/overlay/networkd/etc/systemd/network/wired.network b/config/debian/bookworm/overlay/networkd/etc/systemd/network/wired.network
new file mode 100644
index 0000000..0f6cfcf
--- /dev/null
+++ b/config/debian/bookworm/overlay/networkd/etc/systemd/network/wired.network
@@ -0,0 +1,7 @@
+[Match]
+Name=e*
+KernelCommandLine=!nfsroot
+
+[Network]
+DHCP=yes
+
diff --git a/config/debian/bookworm/overlay/ostree/lib/tmpfiles.d/ostree-integration.conf b/config/debian/bookworm/overlay/ostree/lib/tmpfiles.d/ostree-integration.conf
index fda81f3..f186851 100644
--- a/config/debian/bookworm/overlay/ostree/lib/tmpfiles.d/ostree-integration.conf
+++ b/config/debian/bookworm/overlay/ostree/lib/tmpfiles.d/ostree-integration.conf
@@ -14,5 +14,3 @@ d /var/usrlocal/share 0755 root root -
 d /var/usrlocal/src 0755 root root -
 d /var/mnt 0755 root root -
 d /run/media 0755 root root -
-d /var/lib/apt/lists/partial 0755 root root -
-L /var/lib/dpkg - - - - ../../usr/rootdirs/var/lib/dpkg
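Review bot: This is a second copy of `/usr/sbin/firstboot.sh` that differs from the `overlay/debian/` copy only by the `mkdir -p /var/lib/apt/lists` / `apt-get update` pair; bootstrap.yaml syncs `overlay/debian/` first and `overlay/firstboot/` last, so if mmdebstrap applies setup-hooks in listed order this copy silently wins and the other is dead weight that will drift. Keep one copy, in the `firstboot` overlay that also owns the unit. The `mkdir -p /var/lib/apt/lists` here compensates for the `d /var/lib/apt/lists/partial` tmpfiles entry removed at the end of this diff, but apt also needs `lists/partial/`; I believe `apt-get update` creates it itself, but that is worth confirming on an ostree deployment where `/var` is populated by tmpfiles rather than the package. The same default-credential, `PermitRootLogin Yes` and missing `set -e` concerns as the other copy apply here, and `apt-get update` now runs as root over the network at first boot with proposed-updates enabled in sources.list.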
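Review bot: Dropping `L /var/lib/dpkg - - - - ../../usr/rootdirs/var/lib/dpkg` means a booted deployment no longer gets its dpkg database under `/var/lib/dpkg` from tmpfiles; together with removing `dpkg` from `excluded_packages` in constants.py this looks like apt_ostree now owns that path, but nothing in this diff shows what creates it, so `dpkg` and `python3-apt` on the running image would see an empty or missing status file unless something else provides it — please confirm against the apt_ostree side. A comment in this file naming the new owner would help the next reader, e.g. `# /var/lib/dpkg and /var/lib/apt/lists are managed by apt-ostree, not linked here.`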