wip

2025-10-12 04:17:55 +00:00 · 2025-04-19 02:24:10 -07:00 · 2025-04-19 02:24:10 -07:00 · 32366a797e
commit 32366a797e
parent 12039fb862
4 changed files with 150 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,14 @@
 .DS_Store
 __pycache__
+
+# config
+config/server.json
+config/*.bu
+config/*.ign
+
+
+
+
 compose.override.yml

 # website
--- a/README.md
+++ b/README.md
@ -7,13 +7,24 @@ Services deployed on [matthewtran.com](https://matthewtran.com).
 - monerod
 - p2pool (`xmrig -o matthewtran.com`)
 - minecraft
- ~~minecraft bedrock~~
+- minecraft bedrock
 - terraria
 - nas (`<server>/<name>` on LAN)
 - wireguard

 ## setup

+1. Designate one computer as the configuration server. Create `config/server.json` which contains the configuration for the server to be provisioned. Reference `config/server.default` for fields. Run the following.
+    - `scripts/provision.py`
+2. Create a [Fedora CoreOS](https://fedoraproject.org/coreos/download?stream=stable) installation media and boot it on the server to be provisioned. Run the following on it and reboot.
+    - `sudo coreos-installer install /dev/<boot drive> --ignition-url http://<config server ip>/server.ign --insecure-ignition`
+
+## update
+
+
+
+
+
 1. Install [Ubuntu Desktop 24.04.1 LTS](https://ubuntu.com/download/desktop) with TPM-backed FDE. Server currently has a [bug](https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1980018) that makes TPM-backed FDE hard.
    - You may need to manually enable IPv6 on the network connection. Use `Automatic` not `Automatic, DHCP only`.
    - Add an SSH key if you need remote access, setup will disable password authentication.
--- a/config/server.default
+++ b/config/server.default
@ -0,0 +1,10 @@
+{
+    "core": {
+        "hostname": "<server name>",
+        "ssh_keys": [
+            "ssh-ed25519 AAAA..."
+        ],
+        "var_key": "<LUKS key>",
+        "var_wipe": false
+    }
+}
--- a/scripts/provision.py
+++ b/scripts/provision.py
@ -0,0 +1,119 @@
+#!/usr/bin/env python3
+
+import json
+import subprocess
+import yaml
+
+if __name__ == "__main__":
+    cfg = json.load(open("config/server.json"))
+    but = {
+        "variant": "fcos",
+        "version": "1.6.0",
+    }
+
+    # configure root drive
+    but["storage"] = {
+        "disks": [
+            {
+                "device": "/dev/disk/by-id/coreos-boot-disk",
+                "wipe_table": False,
+                "partitions": [
+                    {
+                        "number": 4,
+                        "label": "root",
+                        "size_mib": 16384,
+                        "resize": True,
+                    },
+                    {
+                        "label": "var",
+                        "size_mib": 0,
+                    },
+                ],
+            },
+        ],
+        "filesystems": [
+            {
+                "device": "/dev/disk/by-partlabel/root",
+                "format": "btrfs",
+                "wipe_filesystem": True,
+                "label": "root",
+            },
+            {
+                "path": "/var",
+                "device": "/dev/disk/by-partlabel/var",
+                "format": "btrfs",
+                "wipe_filesystem": cfg["core"]["var_wipe"],
+                "with_mount_unit": True,
+            },
+        ],
+    }
+
+    # set hostname
+    but["storage"]["files"] = [
+        {
+            "path": "/etc/hostname",
+            "mode": 0o644,
+            "contents": {
+                "inline": cfg["core"]["hostname"],
+            },
+        },
+    ]
+
+    # add SSH keys
+    assert(len(cfg["core"]["ssh_keys"]) > 0)
+    but["passwd"] = {
+        "users": [
+            {
+                "name": "core",
+                "ssh_authorized_keys": cfg["core"]["ssh_keys"],
+            },
+        ],
+    }
+
+    # add packages
+    # TODO update once done https://github.com/coreos/fedora-coreos-tracker/issues/681
+    but["systemd"] = {
+        "units": [
+            {
+                "name": "rpm-ostree-install.service",
+                "enabled": True,
+                "contents": "\n".join([
+                    "[Unit]",
+                    "Description=Install packages",
+                    "Wants=network-online.target",
+                    "After=network-online.target",
+                    "Before=zincati.service",
+                    "ConditionPathExists=!/etc/rpm/%N.stamp",
+                    "[Service]",
+                    "Type=oneshot",
+                    "RemainAfterExit=yes",
+                    "ExecStart=/usr/bin/rpm-ostree install -y --allow-inactive " + " ".join([
+                        "avahi",
+                        "htop",
+                    ]),
+                    "ExecStart=/bin/touch /etc/rpm/%N.stamp",
+                    "ExecStart=/bin/systemctl --no-block reboot",
+                    "[Install]",
+                    "WantedBy=multi-user.target",
+                ]),
+            },
+        ],
+    }
+
+
+
+    # TODO encrypt /var w/ key (root w/ tpm)
+    # TODO add additional drives (raid?)
+
+    # TODO make server build images on first boot?
+    # TODO serve backup.zip to restore on first boot? only if wipe specified
+
+    # TODO convert all to quadlets? whatever compose likes
+    # TODO enable bedrock => check idle cpu
+    # TODO reduce disk logging?
+
+
+    with open("config/server.bu", "w") as f:
+        f.write(yaml.dump(but, sort_keys=False))
+    subprocess.check_output(["butane", "-p", "-s", "-o", "config/server.ign", "config/server.bu"])
+    print("WARNING - Using unencrypted connections without authentication, ensure LAN is secure!")