From 32366a797e65f38a8734c3ab96ceaeb7008a3d84 Mon Sep 17 00:00:00 2001
From: Matthew Tran
Date: Sat, 19 Apr 2025 02:24:10 -0700
Subject: [PATCH] wip

---
 .gitignore | 9 ++++
 README.md | 13 ++++-
 config/server.default | 10 ++++
 scripts/provision.py | 119 ++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 150 insertions(+), 1 deletion(-)
 create mode 100644 config/server.default
 create mode 100755 scripts/provision.py

diff --git a/.gitignore b/.gitignore
index c28a8b8..1066b5c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,14 @@
 .DS_Store __pycache__ + +# config +config/server.json +config/*.bu +config/*.ign + + + + compose.override.yml + # website
diff --git a/README.md b/README.md
index ce2c95a..23171db 100644
--- a/README.md
+++ b/README.md
@@ -7,13 +7,24 @@ Services deployed on [matthewtran.com](https://matthewtran.com).
 - monerod - p2pool (`xmrig -o matthewtran.com`) - minecraft -- ~~minecraft bedrock~~ +- minecraft bedrock - terraria - nas (`/` on LAN) - wireguard ## setup +1. Designate one computer as the configuration server. Create `config/server.json` which contains the configuration for the server to be provisioned. Reference `config/server.default` for fields. Run the following. + - `scripts/provision.py` +2. Create a [Fedora CoreOS](https://fedoraproject.org/coreos/download?stream=stable) installation media and boot it on the server to be provisioned. Run the following on it and reboot. + - `sudo coreos-installer install /dev/ --ignition-url http:///server.ign --insecure-ignition` + +## update + + + + 1. Install [Ubuntu Desktop 24.04.1 LTS](https://ubuntu.com/download/desktop) with TPM-backed FDE. Server currently has a [bug](https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1980018) that makes TPM-backed FDE hard. - You may need to manually enable IPv6 on the network connection. Use `Automatic` not `Automatic, DHCP only`. - Add an SSH key if you need remote access, setup will disable password authentication.
diff --git a/config/server.default b/config/server.default
new file mode 100644
index 0000000..5e57bea
--- /dev/null
+++ b/config/server.default
@@ -0,0 +1,10 @@
+{
+ "core": {
+ "hostname": "",
+ "ssh_keys": [
+ "ssh-ed25519 AAAA..."
+ ],
+ "var_key": "",
+ "var_wipe": false
+ }
+}
\ No newline at end of file
diff --git a/scripts/provision.py b/scripts/provision.py
new file mode 100755
index 0000000..a99d1e8
--- /dev/null
+++ b/scripts/provision.py
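Review bot: `var_key` is declared in this template but nothing in the patch reads it — `scripts/provision.py` consumes only `hostname`, `ssh_keys` and `var_wipe`, and its `# TODO encrypt /var w/ key (root w/ tpm)` comment shows /var encryption is not wired up yet — so a user who fills it in gets an unencrypted `/var` with no indication that the value was ignored. JSON carries no comments, so either drop the field until the script honors it, or add a sentence next to the README's "Reference `config/server.default` for fields" such as "`var_key` is reserved and currently ignored; `/var` is not encrypted yet." The `ssh-ed25519 AAAA...` placeholder is also a syntactically plausible value that the script's length check will accept verbatim, so the same README line should say it must be replaced with a real public key.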
@@ -0,0 +1,119 @@
+#!/usr/bin/env python3
+
+import json
+import subprocess
+import yaml
+
+if __name__ == "__main__":
+ cfg = json.load(open("config/server.json"))
+ but = {
+ "variant": "fcos",
+ "version": "1.6.0",
+ }
+
+ # configure root drive
+ but["storage"] = {
+ "disks": [
+ {
+ "device": "/dev/disk/by-id/coreos-boot-disk",
+ "wipe_table": False,
+ "partitions": [
+ {
+ "number": 4,
+ "label": "root",
+ "size_mib": 16384,
+ "resize": True,
+ },
+ {
+ "label": "var",
+ "size_mib": 0,
+ },
+ ],
+ },
+ ],
+ "filesystems": [
+ {
+ "device": "/dev/disk/by-partlabel/root",
+ "format": "btrfs",
+ "wipe_filesystem": True,
+ "label": "root",
+ },
+ {
+ "path": "/var",
+ "device": "/dev/disk/by-partlabel/var",
+ "format": "btrfs",
+ "wipe_filesystem": cfg["core"]["var_wipe"],
+ "with_mount_unit": True,
+ },
+ ],
+ }
+
+ # set hostname
+ but["storage"]["files"] = [
+ {
+ "path": "/etc/hostname",
+ "mode": 0o644,
+ "contents": {
+ "inline": cfg["core"]["hostname"],
+ },
+ },
+ ]
+
+ # add SSH keys
+ assert(len(cfg["core"]["ssh_keys"]) > 0)
+ but["passwd"] = {
+ "users": [
+ {
+ "name": "core",
+ "ssh_authorized_keys": cfg["core"]["ssh_keys"],
+ },
+ ],
+ }
+
+ # add packages
+ # TODO update once done https://github.com/coreos/fedora-coreos-tracker/issues/681
+ but["systemd"] = {
+ "units": [
+ {
+ "name": "rpm-ostree-install.service",
+ "enabled": True,
+ "contents": "\n".join([
+ "[Unit]",
+ "Description=Install packages",
+ "Wants=network-online.target",
+ "After=network-online.target",
+ "Before=zincati.service",
+ "ConditionPathExists=!/etc/rpm/%N.stamp",
+ "[Service]",
+ "Type=oneshot",
+ "RemainAfterExit=yes",
+ "ExecStart=/usr/bin/rpm-ostree install -y --allow-inactive " + " ".join([
+ "avahi",
+ "htop",
+ ]),
+ "ExecStart=/bin/touch /etc/rpm/%N.stamp",
+ "ExecStart=/bin/systemctl --no-block reboot",
+ "[Install]",
+ "WantedBy=multi-user.target",
+ ]),
+ },
+ ],
+ }
+
+
+
+ # TODO encrypt /var w/ key (root w/ tpm)
+ # TODO add additional drives (raid?)
+
+ # TODO make server build images on first boot?
+ # TODO serve backup.zip to restore on first boot? only if wipe specified
+
+ # TODO convert all to quadlets? whatever compose likes
+ # TODO enable bedrock => check idle cpu
+ # TODO reduce disk logging?
+
+ with open("config/server.bu", "w") as f:
+ f.write(yaml.dump(but, sort_keys=False))
+ subprocess.check_output(["butane", "-p", "-s", "-o", "config/server.ign", "config/server.bu"])
+ print("WARNING - Using unencrypted connections without authentication, ensure LAN is secure!")
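Review bot: The generated `config/server.ign` is handed to the installer with no integrity check beyond the closing `print` warning, even though it carries the `ssh_authorized_keys` for `core` and, per the README, is fetched over plain HTTP with `--insecure-ignition`, so anyone on the LAN who can answer that request can substitute a config with their own key. coreos-installer accepts `--ignition-hash sha512-<hex>` to verify the fetched config, which also removes the need for `--insecure-ignition`; after the `subprocess.check_output([...butane...])` call, emit it with `digest = hashlib.sha512(open("config/server.ign", "rb").read()).hexdigest()` and `print(f"--ignition-hash sha512-{digest}")` (needs `import hashlib`), and the README step can then drop the insecure flag. The `assert(len(cfg["core"]["ssh_keys"]) > 0)` guard is stripped under `python -O` and accepts the `ssh-ed25519 AAAA...` placeholder from `config/server.default` verbatim, which would lock you out of the provisioned host; replace it with `if not keys or any(k.endswith("AAAA...") for k in keys): raise SystemExit("config/server.json: ssh_keys must list at least one real public key")`. `var_key` from the template is never read here — the `# TODO encrypt /var w/ key` line makes that deliberate for now, but the script should warn when it is non-empty rather than silently leave `/var` unencrypted.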