Merge pull request #17 from kristapsk/finalize-more-options

More options and features for finalize-nakamochi.sh

Author: kristapsk

tools/finalize-nakamochi.sh

@@ -34,15 +34,18 @@ patch_lnd_conf()
 
 run_main()
 {
-    if [[ -z $2 ]]; then
-        echo "Usage: $(basename "$0") [--skip-mkp224o] /dev/sda2 /dev/sdb1 [/mnt/usd [/mnt/ssd]]"
+    if [[ -z $2 ]] || [[ "$1" == "--help" ]]; then
+        echo "Usage: $(basename "$0") [options] /dev/sda2 /dev/sdb1 [/mnt/usd [/mnt/ssd]]"
         echo "Where:"
         echo "  /dev/sda2       - uSD card root partition (use '-' to not mount)"
         echo "  /dev/sdb1       - SSD data partition (use '-' to not mount)"
         echo "  /mnt/usd        - uSD card mount point / directory"
         echo "  /mnt/ssd        - SSD mount point / directory"
         echo "Options:"
         echo "  --skip-mkp224o  - skip generating onion keys (requires them to be already present on SSD)"
+        echo "  --test-image    - configure image for testing (allows ssh root access with password)"
+        # FixMe: --update-update is temporary hack, remove after https://github.com/nakamochi/sysupdates/pull/8 is merged.
+        echo "  --update-update - update /sysupdates/update.sh on SSD from local copy"
         echo "Example: $(basename "$0") /dev/sdc2 /dev/sdd1"
         exit 1
     fi
@@ -52,12 +55,29 @@ run_main()
         exit 1
     fi
 
-    if [[ "$1" == "--skip-mkp224o" ]]; then
-        shift
-        skip_mkp224o=1
-    else
-        skip_mkp224o=0
-    fi
+    skip_mkp224o=0
+    test_image=0
+    update_update=0
+    while [[ "$1" == --* ]]; do
+        case "$1" in
+            --skip-mkp224o)
+                skip_mkp224o=1
+                shift
+                ;;
+            --test-image)
+                test_image=1
+                shift
+                ;;
+            --update-update)
+                update_update=1
+                shift
+                ;;
+            *)
+                echo "Error: unknown option $1"
+                exit 1
+                ;;
+        esac
+    done
 
     if [[ "$skip_mkp224o" -eq 0 ]]; then
         if ! check_exists mkp224o; then
@@ -240,6 +260,33 @@ run_main()
     chown -R "$lnd_user_group" "$SSD_MOUNT_POINT"/lnd
     echo "done."
 
+    # finalize image for testing or production
+    if [[ "$test_image" -eq 1 ]]; then
+        echo -n "Finalizing image for testing ... "
+        sed -i "s/^#?PermitRootLogin.*/PermitRootLogin yes/" "$USD_MOUNT_POINT"/etc/ssh/sshd_config
+        sed -i "s/^#?PasswordAuthentication.*/PasswordAuthentication yes/" "$USD_MOUNT_POINT"/etc/ssh/sshd_config
+        root_pass="nakamochi"
+        crypted_root_pass="$(mkpasswd "$root_pass")"
+        sed -i "s/^root:[^:]*:/root:$crypted_root_pass:/" "$USD_MOUNT_POINT"/etc/shadow
+        echo "done."
+        echo "Test image root password is $root_pass, ssh root login allowed."
+    else
+        echo -n "Finalizing image for production ... "
+        sed -i "s/^#?PermitRootLogin.*/PermitRootLogin no/" "$USD_MOUNT_POINT"/etc/ssh/sshd_config
+        sed -i "s/^#?PasswordAuthentication.*/PasswordAuthentication no/" "$USD_MOUNT_POINT"/etc/ssh/sshd_config
+        crypted_root_pass="$(mkpasswd "$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 13; echo)")"
+        sed -i "s/^root:[^:]*:/root:$crypted_root_pass:/" "$USD_MOUNT_POINT"/etc/shadow
+        echo "done."
+    fi
+
+    if [[ "$update_update" -eq 1 ]]; then
+        # update /sysupdates/update.sh on SSD from local copy
+        echo -n "Updating /sysupdates/update.sh on SSD ... "
+        cp "$(dirname "$0")/update.sh" "$SSD_MOUNT_POINT"/sysupdates/update.sh
+        chmod +x "$SSD_MOUNT_POINT"/sysupdates/update.sh
+        echo "done."
+    fi
+
     sync
     echo "All DONE, Nakamochi uSD and SSD should be ready!"
 }

tools/update.sh

@@ -0,0 +1,60 @@
+#!/bin/sh
+# shellcheck disable=SC2181
+
+# https://github.com/nakamochi/sysupdates
+# pull changes from a remote git repo and run the "apply" script.
+# commits are expected to be signed by gpg keys with a sufficient
+# trust level to satisfy git pull --verify-signatures.
+# the script is expected to be run as root, to allow making changes to the
+# operating system.
+# in the future, the plan is to provide an on-screen git diff and apply updates
+# after user confirmation.
+
+# git branch to pull from. defaults to master.
+# another value is "dev", for a development aka unstable version.
+BRANCH="${1:-master}"
+REMOTE_URL="${2:-https://github.com/nakamochi/sysupdates.git}"
+# output everything to a temp file and print its contents only in case of an error,
+# so that when run via a cronjob, the output is empty on success which prevents
+# needless emails, were any configured.
+LOGFILE="${LOGFILE:-/var/log/sysupdate.log}"
+# a local git repo dir where to pull the updates into.
+REPODIR="${REPODIR:-/ssd/sysupdates}"
+
+# multiple running instances of the script would certainly result in race conditions.
+# so, we serialize runs using a lock file, timing out with an error after 15min.
+if [ -z "$NAKAMOCHI_SYSUPDATE_LOCK" ]; then
+    # use the script itself as the lock file
+    lockfile=$0
+    exec env NAKAMOCHI_SYSUPDATE_LOCK=1 \
+      flock --exclusive --timeout 900 "$lockfile" "$0" "$@"
+fi
+
+# start of the sysupdate; trim prevously logged runs
+date > "$LOGFILE"
+
+# fetch updates from remote
+cd "$REPODIR" || exit 1
+{
+echo "Fetching updates from $REMOTE_URL, branch $BRANCH"
+git remote set-url origin "$REMOTE_URL"
+git fetch origin             # in case the refspec is unknown locally yet
+git reset --hard HEAD        # remove local changes
+git clean -fd                # force-delete untracked files
+git checkout "$BRANCH"
+git pull --verify-signatures
+} >> "$LOGFILE" 2>&1
+if [ $? -ne 0 ]; then
+    echo "ERROR: git pull failed"
+    cat "$LOGFILE"
+    exit 1
+fi
+
+# run repo's update script
+export SYSUPDATES_ROOTDIR="$REPODIR"
+export SYSUPDATES_CHANNEL="$BRANCH"
+if ! ./apply.sh >> "$LOGFILE" 2>&1; then
+    echo "ERROR: apply failed"
+    cat "$LOGFILE"
+    exit 1
+fi