def __call__(self, location: Location, system_context: SystemContext, *args: typing.Any, **kwargs: typing.Any) -> None:
    """Execute command.

    Enables nested virtualization for the kvm_amd module and installs the
    AMD microcode package, then moves its image out of the target tree into
    an ``initrd-parts`` directory below ``system_context.boot_directory``.
    ``args``/``kwargs`` are accepted for interface compatibility and unused.
    """
    # Nested virtualization: one modprobe.d option line.
    create_file(
        system_context,
        "/etc/modprobe.d/kvm_amd.conf",
        b"options kvm_amd nested=1",
    )

    # AMD ucode:
    location.set_description("Install amd-ucode")
    self._execute(location, system_context, "pacman", "amd-ucode")

    # The microcode image is collected outside the image tree (hence
    # to_outside=True) so the initrd can be assembled from its parts later.
    parts_dir = os.path.join(system_context.boot_directory, "initrd-parts")
    os.makedirs(parts_dir, exist_ok=True)
    destination = os.path.join(parts_dir, "00-amd-ucode")
    self._execute(
        location,
        system_context,
        "move",
        "/boot/amd-ucode.img",
        destination,
        to_outside=True,
    )
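def _setup_kubelet(location: Location, system_context: SystemContext, *, master_ip: str, node_ip: str) -> None:
    """Install the tmpfiles entry and systemd drop-in for the kubelet.

    Args:
        location: Build location (unused here, kept for the common signature).
        system_context: Target system being built.
        master_ip: Address of the API server the kubelet talks to.
        node_ip: Address the kubelet binds to.

    The drop-in directory is created inside the target system tree via
    ``system_context.file_name``, as the docker setup in this listing does;
    a bare ``os.makedirs("/usr/lib/systemd/...")`` would create the
    directory on the machine running the build instead.
    """
    create_file(
        system_context,
        "/usr/lib/tmpfiles.d/kubelet.conf",
        "d /var/lib/kubelet 0700 - - -".encode("utf-8"),
        mode=0o644,
    )
    drop_in_dir = "/usr/lib/systemd/system/kubelet.service.d"
    os.makedirs(system_context.file_name(drop_in_dir))
    # NOTE(review): --api-servers points at the API server's plaintext port
    # 8080, so kubelet/API traffic carries no TLS and no client identity on
    # the wire; confirm this network is isolated or move to the TLS endpoint.
    create_file(
        system_context,
        drop_in_dir + "/override.conf",
        textwrap.dedent("""\
            [Service]
            EnvironmentFile=
            ExecStart=
            ExecStart=/usr/bin/kubelet --logtostderr=true --v=0 \\
                --master={master_ip} \\
                --address={node_ip} --port 10250 \\
                --api-servers=http://{master_ip}:8080/
            """).format(master_ip=master_ip, node_ip=node_ip).encode("utf-8"),
        mode=0o644,
    )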
def __call__(self, location: Location, system_context: SystemContext, *args: typing.Any, **kwargs: typing.Any) -> None:
    """Execute command.

    ``args[0]`` is the path of the file to create and ``args[1]`` its
    template text; the text is run through ``system_context.substitute``
    and written as UTF-8.  Every keyword argument is forwarded unchanged to
    ``create_file`` (mode, ownership, ...).
    """
    target_path, template = args[0], args[1]
    payload = system_context.substitute(template).encode("utf-8")
    create_file(system_context, target_path, payload, **kwargs)
def __call__(self, location: Location, system_context: SystemContext, *args: typing.Any, **kwargs: typing.Any) -> None:
    """Execute command.

    Installs the X server packages, copies the xorg.conf.d snippets from the
    system's config directory (root-owned, 0644), drops an xinitrc.d hook
    and finally installs the extra font packages.
    """
    self._execute(location, system_context, 'pacman', 'xorg-server', 'xorg-server-xwayland')

    # Copy snippets from systems config folder:
    snippet_glob = self._config_directory(system_context) + '/*'
    conf_dir = '/etc/X11/xorg.conf.d'
    copy(system_context, snippet_glob, conf_dir, from_outside=True, recursive=True)
    chown(system_context, 0, 0, conf_dir + '/*')
    chmod(system_context, 0o644, conf_dir + '/*')

    # NOTE(review): per xhost(1) the "local:" family takes no user name, so
    # "+local:$USER" probably admits every local (non-network) client rather
    # than only this user; "si:localuser:$USER" is the per-user form — confirm.
    access_hook = textwrap.dedent('''\
        #!/usr/bin/bash
        # Allow local access for the user:
        xhost "+local:$$USER"
        ''')
    create_file(
        system_context,
        '/etc/X11/xinit/xinitrc.d/99-access-to-user.sh',
        access_hook.encode('utf-8'),
        mode=0o755,
    )

    # Install some extra fonts:
    self._execute(location.next_line(), system_context, 'pkg_fonts')
def __call__(self, location: Location, system_context: SystemContext, *args: typing.Any, **kwargs: typing.Any) -> None:
    """Execute command.

    Installs xorg-server and xwayland, imports the xorg.conf.d snippets from
    the system's config directory, writes an xinitrc.d hook that opens the
    display to local clients, and installs extra fonts.
    """
    self._execute(location, system_context, "pacman", "xorg-server", "xorg-server-xwayland")

    # Copy snippets from systems config folder:
    source_glob = "{}/*".format(self._config_directory(system_context))
    copy(
        system_context,
        source_glob,
        "/etc/X11/xorg.conf.d",
        from_outside=True,
        recursive=True,
    )
    chown(system_context, 0, 0, "/etc/X11/xorg.conf.d/*")
    chmod(system_context, 0o644, "/etc/X11/xorg.conf.d/*")

    # NOTE(review): xhost(1)'s "local:" family carries no user name, so this
    # likely grants every local non-network client access, not just $USER;
    # "si:localuser:$USER" would scope it to the user — confirm intent.
    hook_lines = [
        "#!/usr/bin/bash",
        "# Allow local access for the user:",
        'xhost "+local:$$USER"',
    ]
    create_file(
        system_context,
        "/etc/X11/xinit/xinitrc.d/99-access-to-user.sh",
        ("\n".join(hook_lines) + "\n").encode("utf-8"),
        mode=0o755,
    )

    # Install some extra fonts:
    self._execute(location.next_line(), system_context, "pkg_fonts")
def _install_mkinitcpio(self, location: Location, system_context: SystemContext) -> typing.Sequence[str]:
    """Install mkinitcpio, rewrite its HOOKS line and add a cleanroom preset.

    Returns:
        The paths (and one glob) that the caller is expected to clean up
        from the image once the initrd has been built.
    """
    location.set_description("Install mkinitcpio")
    self._execute(location, system_context, "pacman", "mkinitcpio")

    location.set_description("Fix up mkinitcpio.conf")
    # sed "c" replaces the whole HOOKS= line with the systemd-based hook set.
    replacement = (
        "cHOOKS=(base systemd keyboard sd-vconsole "
        "sd-encrypt block sd-lvm2 filesystems btrfs "
        "sd-shutdown)"
    )
    self._execute(
        location.next_line(),
        system_context,
        "sed",
        "/^HOOKS=/ " + replacement,
        "/etc/mkinitcpio.conf",
    )
    # "cat" compression: the image is stored uncompressed.
    self._execute(
        location.next_line(),
        system_context,
        "append",
        "/etc/mkinitcpio.conf",
        'COMPRESSION="cat"',
    )

    location.set_description("Create mkinitcpio presets")
    preset_text = textwrap.dedent("""\
        # mkinitcpio preset file for cleanroom
        ALL_config="/etc/mkinitcpio.conf"
        ALL_kver="/boot/vmlinuz"
        PRESETS=('default')
        #default_config="/etc/mkinitcpio.conf"
        default_image="/boot/initramfs.img"
        #default_options=""
        """)
    create_file(
        system_context,
        "/etc/mkinitcpio.d/cleanroom.preset",
        preset_text.encode("utf-8"),
    )
    self._execute(
        location.next_line(),
        system_context,
        "sed",
        "s%/initramfs-linux.*.img%/initrd%",
        "/etc/mkinitcpio.d/cleanroom.preset",
    )

    return ["/etc/mkinitcpio.d", "/etc/mkinitcpio.conf", "/boot/vmlinu*"]
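def _persistent_known_hosts(self, location: Location, system_context: SystemContext) -> None:
    """Make /etc/ssh/ssh_known_hosts a symlink into persistent /var/etc/ssh.

    Writes a tmpfiles.d snippet only when the image does not already ship
    ``/usr/lib/tmpfiles.d/ssh.conf``, so an existing configuration is never
    overwritten.
    """
    if exists(system_context, "/usr/lib/tmpfiles.d/ssh.conf"):
        return
    # The directory gets 0755 rather than 0644: without the execute bit a
    # non-root ssh client cannot traverse /var/etc/ssh and the
    # /etc/ssh/ssh_known_hosts symlink dangles for everyone but root.
    create_file(
        system_context,
        "/usr/lib/tmpfiles.d/ssh.conf",
        textwrap.dedent("""\
            d /var/etc/ssh 755 root root - -
            f /var/etc/ssh/ssh_known_hosts 644 root root -
            L /etc/ssh/ssh_known_hosts - - - - /var/etc/ssh/ssh_known_hosts
            """).encode("utf-8"),
        mode=0o644,
    )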
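def _setup_kube_proxy(location: Location, system_context: SystemContext, *, master_ip: str) -> None:
    """Install a systemd drop-in that points kube-proxy at *master_ip*.

    Args:
        location: Build location (unused here, kept for the common signature).
        system_context: Target system being built.
        master_ip: Address passed to kube-proxy's --master flag.

    The drop-in directory is resolved through ``system_context.file_name``
    (as the docker setup in this listing does) so it is created inside the
    target tree, not at the bare path on the build host.
    """
    drop_in_dir = '/usr/lib/systemd/system/kube-proxy.service.d'
    os.makedirs(system_context.file_name(drop_in_dir))
    create_file(
        system_context,
        drop_in_dir + '/override.conf',
        textwrap.dedent('''\
            [Service]
            EnvironmentFile=
            ExecStart=
            ExecStart=/usr/bin/kube-proxy --logtostderr=true --v=0 \\
                --master={master_ip}
            ''').format(master_ip=master_ip).encode('utf-8'),
        mode=0o644,
    )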
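def _setup_kube_proxy(location: Location, system_context: SystemContext, *, master_ip: str) -> None:
    """Install a systemd drop-in that points kube-proxy at *master_ip*.

    Args:
        location: Build location (unused here, kept for the common signature).
        system_context: Target system being built.
        master_ip: Address passed to kube-proxy's --master flag.

    ``os.makedirs`` is given the path mapped through
    ``system_context.file_name`` so the drop-in directory lands in the target
    tree; the bare path would be created on the build host instead.
    """
    drop_in_dir = "/usr/lib/systemd/system/kube-proxy.service.d"
    os.makedirs(system_context.file_name(drop_in_dir))
    # The f-string is interpolated before dedent(); fine for an IP address,
    # but a multi-line master_ip would defeat the dedent margin.
    override = textwrap.dedent(f"""\
        [Service]
        EnvironmentFile=
        ExecStart=
        ExecStart=/usr/bin/kube-proxy --logtostderr=true --v=0 \\
            --master={master_ip}
        """)
    create_file(
        system_context,
        f"{drop_in_dir}/override.conf",
        override.encode("utf-8"),
        mode=0o644,
    )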
def _setup_docker(location: Location, system_context: SystemContext) -> None:
    """Install a systemd drop-in that starts dockerd on the cluster bridge.

    Args:
        location: Build location (unused here, kept for the common signature).
        system_context: Target system being built; the drop-in directory is
            created inside its tree via ``file_name``.
    """
    unit_dir = '/usr/lib/systemd/system/docker.service.d'
    os.makedirs(system_context.file_name(unit_dir))
    # NOTE(review): --iptables=false/--ip-masq=false leave all firewalling to
    # the node's own rules, and --insecure-registry 10.0.0.0/8 accepts
    # plaintext or untrusted-certificate registries anywhere in 10/8; both
    # look deliberate but deserve a check against the cluster threat model.
    # NOTE(review): the bridge is named cb0 here while the networkd files in
    # this listing create cbr0 — confirm which name is intended.
    override_text = textwrap.dedent('''\
        [Service]
        ExecStart=
        ExecStart=/usr/bin/dockerd -H fd:// \\
            --bridge=cb0 \\
            --iptables=false \\
            --ip-masq=false \\
            --insecure-registry 10.0.0.0/8
        ''')
    create_file(
        system_context,
        unit_dir + '/override.conf',
        override_text.encode('utf-8'),
        mode=0o644,
    )
def __call__(self, location: Location, system_context: SystemContext, *args: typing.Any, **kwargs: typing.Any) -> None:
    """Execute command.

    Writes the kvm_amd nested-virtualization modprobe option, installs
    amd-ucode and moves the microcode image to ``initrd-parts`` under the
    boot directory outside the image.  ``args``/``kwargs`` are unused.
    """
    # Nested virtualization:
    modprobe_conf = '/etc/modprobe.d/kvm_amd.conf'
    create_file(system_context, modprobe_conf, 'options kvm_amd nested=1'.encode('utf-8'))

    # AMD ucode:
    location.set_description('Install amd-ucode')
    self._execute(location, system_context, 'pacman', 'amd-ucode')

    ucode_dir = os.path.join(system_context.boot_directory, 'initrd-parts')
    os.makedirs(ucode_dir, exist_ok=True)
    # The image moves to an outside path, so the move is flagged to_outside.
    self._execute(
        location,
        system_context,
        'move',
        '/boot/amd-ucode.img',
        os.path.join(ucode_dir, '00-amd-ucode'),
        to_outside=True,
    )
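def __call__(self, location: Location, system_context: SystemContext, *args: typing.Any, **kwargs: typing.Any) -> None:
    """Execute command.

    Installs usbguard, enables its D-Bus service, relocates the rule file
    and the IPC access-control directory to /var/lib/usbguard (declared via
    tmpfiles.d) and adds the drop-in working around usbguard issue #287.
    """
    self._execute(location, system_context, 'pacman', 'usbguard')

    # Do setup:
    # enable the daemon (actually set up socket activation)
    self._execute(location.next_line(), system_context, 'systemd_enable', 'usbguard-dbus.service')

    # rules.conf is 0600 root: it is the device allow-list and must not be
    # readable or writable by unprivileged users.
    create_file(
        system_context,
        '/usr/lib/tmpfiles.d/usbguard.conf',
        textwrap.dedent('''\
            d /var/log/usbguard 0750 root root - -
            d /var/lib/usbguard 0750 root root - -
            d /var/lib/usbguard/IPCAccessControl.d 0755 root root - -
            f /var/lib/usbguard/rules.conf 0600 root root - -
            ''').encode('utf-8'))

    # The sed address needs a literal "\/"; in a non-raw Python string that
    # is spelled "\\/" — the former "\/" was an invalid escape sequence
    # (SyntaxWarning since Python 3.12) that only happened to yield the same
    # characters.
    daemon_conf = '/etc/usbguard/usbguard-daemon.conf'
    self._execute(
        location.next_line(), system_context, 'sed',
        '/RuleFile=\\/etc/ cRuleFile=/var/lib/usbguard/rules.conf',
        daemon_conf)
    self._execute(
        location.next_line(), system_context, 'sed',
        '/IPCAccessControlFiles=\\/etc/ cIPCAccessControlFiles=/var/lib/usbguard/IPCAccessControl.d',
        daemon_conf)

    remove(system_context, '/etc/usbguard/rules.conf', '/etc/usbguard/IPCAccessControl.d', recursive=True)

    # Fix for https://github.com/USBGuard/usbguard/issues/287
    makedirs(system_context, '/usr/lib/systemd/system/usbguard.service.d')
    create_file(
        system_context,
        '/usr/lib/systemd/system/usbguard.service.d/bugfix.conf',
        textwrap.dedent('''\
            [Service]
            CapabilityBoundingSet=CAP_DAC_OVERRIDE
            ReadWritePaths=-/var/lib/usbguard/rules.conf
            ''').encode('utf-8'))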
def _install_mkinitcpio(self, location: Location, system_context: SystemContext) -> typing.Sequence[str]:
    """Install mkinitcpio with the cleanroom hook set and preset.

    Returns:
        Paths (one of them a glob) the caller removes from the image after
        the initrd has been generated.
    """
    cleanup_paths = ['/etc/mkinitcpio.d', '/etc/mkinitcpio.conf', '/boot/vmlinu*']

    location.set_description('Install mkinitcpio')
    self._execute(location, system_context, 'pacman', 'mkinitcpio')

    location.set_description('Fix up mkinitcpio.conf')
    # Replace the whole HOOKS= line (sed "c") with the systemd-based hooks,
    # including the verity/stateless/volatile hooks shipped by cleanroom.
    hooks = (
        'base', 'systemd', 'keyboard', 'sd-vconsole',
        'sd-encrypt', 'block', 'sd-lvm2', 'filesystems', 'btrfs',
        'sd-check-bios', 'sd-stateless', 'sd-verity',
        'sd-volatile', 'sd-boot-image',
        'sd-shutdown',
    )
    self._execute(
        location.next_line(), system_context, 'sed',
        '/^HOOKS=/ cHOOKS="{}"'.format(' '.join(hooks)),
        '/etc/mkinitcpio.conf')

    location.set_description('Create mkinitcpio presets')
    preset_path = '/etc/mkinitcpio.d/cleanroom.preset'
    create_file(
        system_context, preset_path,
        textwrap.dedent('''\
            # mkinitcpio preset file for cleanroom
            ALL_config="/etc/mkinitcpio.conf"
            ALL_kver="/boot/vmlinuz"
            PRESETS=('default')
            #default_config="/etc/mkinitcpio.conf"
            default_image="/boot/initramfs.img"
            #default_options=""
            ''').encode('utf-8'))
    self._execute(
        location.next_line(), system_context, 'sed',
        's%/initramfs-linux.*.img%/initrd%', preset_path)

    return cleanup_paths
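def __call__(self, location: Location, system_context: SystemContext, *args: typing.Any, **kwargs: typing.Any) -> None:
    """Execute command.

    ``args[0]`` is the PEM private key and ``args[1]`` the PEM public key
    for systemd-homed.  Both are sanity-checked for their PEM markers only
    (no parsing), the homed service is enabled, the keys are installed
    root-only under /usr/share/factory and a tmpfiles.d ``C`` line copies
    them into /var/lib/systemd/home at boot.

    Raises:
        GenerateError: if either blob lacks its expected PEM header.
    """
    private_key = args[0]
    public_key = args[1]

    location.set_description("Validate keys")
    # Marker checks only; an encrypted or malformed key still passes here.
    if "BEGIN PRIVATE KEY" not in private_key:
        raise GenerateError("Private key blob is not a private key.", location=location)
    if "BEGIN PUBLIC KEY" not in public_key:
        raise GenerateError("Public key blob is not a public key.", location=location)

    # enable the daemon (actually set up socket activation)
    location.set_description("Enableing homed service")
    self._execute(
        location.next_line(),
        system_context,
        "systemd_enable",
        "systemd-homed.service",
    )

    # Install keys into /usr: the private key is baked into the image, so
    # the directory and both files are kept root-only (0700 / 0600).
    location.set_description("Setup keys")
    key_dir = "/usr/share/factory/var/lib/systemd/home"
    makedirs(system_context, key_dir, mode=0o700)
    create_file(
        system_context,
        key_dir + "/local.private",
        private_key.encode("utf-8"),
        mode=0o600,
    )
    create_file(
        system_context,
        key_dir + "/local.public",
        public_key.encode("utf-8"),
        mode=0o600,
    )
    chmod(system_context, 0o600, key_dir + "/*")
    chown(system_context, 0, 0, key_dir + "/*")

    # Set up copying of keys to var:
    create_file(
        system_context,
        "/usr/lib/tmpfiles.d/systemd-homed.conf",
        textwrap.dedent("""\
            C /var/lib/systemd/home - - - -
            """).encode("utf-8"),
        mode=0o644,
    )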
def _create_systemd_units(self, location: Location, system_context: SystemContext) -> typing.Sequence[str]:
    """Write the extra initrd systemd units and return the paths written.

    Always writes initrd-check-bios.service and initrd-sysroot-setup.service;
    writes initrd-find-root-lv-partitions.service only when ``self._vg`` is
    set, and images.mount plus initrd-find-image-partitions.service only when
    ``self._image_device`` is set.  The returned list names all five paths
    regardless of which were written.
    """
    location.set_description("Install extra systemd units")
    to_clean_up = [
        "/usr/lib/systemd/system/initrd-check-bios.service",
        "/usr/lib/systemd/system/initrd-sysroot-setup.service",
        "/usr/lib/systemd/system/initrd-find-root-lv-partitions.service",
        "/usr/lib/systemd/system/images.mount",
        "/usr/lib/systemd/system/initrd-find-image-partitions.service",
    ]
    # NOTE(review): the unit is named "check" but its Description says it
    # prints the TPM configuration; confirm the script gates anything if this
    # is meant to be part of an attestation path.
    create_file(
        system_context,
        "/usr/lib/systemd/system/initrd-check-bios.service",
        textwrap.dedent("""\
            [Unit]
            Description=Print TPM configuration
            DefaultDependencies=no
            Requires=sysroot.mount
            After=sysroot.mount systemd-volatile-root.service
            Before=initrd-root-fs.target shutdown.target
            Conflicts=shutdown.target

            [Service]
            Type=oneshot
            RemainAfterExit=yes
            ExecStart=/usr/bin/initrd-check-bios.sh
            StandardOutput=journal+console

            [Install]
            WantedBy=initrd-root-device.target
            """).encode("utf-8"),
        mode=0o644,
    )
    # Unpacks a root-fs tarball shipped in /usr into /sysroot; only runs
    # when the tarball exists (ConditionPathExists).
    create_file(
        system_context,
        "/usr/lib/systemd/system/initrd-sysroot-setup.service",
        textwrap.dedent("""\
            [Unit]
            Description=Set up root fs in /sysroot
            DefaultDependencies=no
            ConditionPathExists=/sysroot/usr/lib/boot/root-fs.tar
            Requires=sysroot.mount
            After=sysroot.mount systemd-volatile-root.service
            Before=initrd-root-fs.target shutdown.target
            Conflicts=shutdown.target
            AssertPathExists=/etc/initrd-release

            [Service]
            Type=oneshot
            RemainAfterExit=yes
            ExecStart=/usr/bin/tar -C /sysroot -xf /sysroot/usr/lib/boot/root-fs.tar
            """).encode("utf-8"),
        mode=0o644,
    )
    if self._vg is not None:
        # {0} = the systemd device unit for the LV, {1}/{2} = VG / LV name.
        device_name = "dev-{}-{}".format(self._vg, self._full_name)
        create_file(
            system_context,
            "/usr/lib/systemd/system/initrd-find-root-lv-partitions.service",
            textwrap.dedent("""\
                [Unit]
                Description=Find partitions in root LV
                DefaultDependencies=no
                ConditionPathExists=/dev/{1}/{2}
                After={0}.device
                BindsTo={0}.device
                Requisite={0}.device

                [Service]
                WorkingDirectory=/
                Type=oneshot
                RemainAfterExit=yes
                ExecStart=/usr/bin/partprobe /dev/{1}/{2}

                [Install]
                WantedBy={0}.device
                """).format(device_name, self._vg, self._full_name).encode("utf-8"),
            mode=0o644,
        )
    if self._image_device is not None:
        # NOTE(review): the "[email protected]" line below is a redaction
        # artifact of this listing (an "@"-containing unit reference was
        # replaced); restore it from the original source before use.
        create_file(
            system_context,
            "/usr/lib/systemd/system/images.mount",
            textwrap.dedent("""\
                [Unit]
                Description=Mount /images in initrd
                DefaultDependencies=no
                [email protected]

                [Mount]
                What={}
                Where=/images
                Type={}
                Options={}
                """).format(self._image_device, self._image_fs, self._image_options).encode("utf-8"),
            mode=0o644,
        )
        # ExecStop uses --detach-all, which releases every loop device on
        # the system, not only the one set up by ExecStart.
        create_file(
            system_context,
            "/usr/lib/systemd/system/initrd-find-image-partitions.service",
            textwrap.dedent("""\
                [Unit]
                Description=Find partitions in image files
                DefaultDependencies=no
                ConditionFileNotEmpty=/images/{0}
                After=images.mount
                BindsTo=images.mount
                Requisite=images.mount

                [Service]
                WorkingDirectory=/
                Type=oneshot
                RemainAfterExit=yes
                ExecStart=/usr/bin/losetup --find --partscan /images/{0}
                ExecStop=/usr/bin/losetup --detach-all

                [Install]
                WantedBy=images.mount
                """).format(self._full_name).encode("utf-8"),
            mode=0o644,
        )
    return to_clean_up
def _create_install_hook(location: Location, system_context: SystemContext, name: str, contents: str) -> str:
    """Write an mkinitcpio install hook named *name* and return its path.

    Args:
        location: Build location; its description is updated to name the hook.
        system_context: Target system the hook is written into.
        name: File name of the hook below /usr/lib/initcpio/install.
        contents: Hook script text, written as UTF-8.

    Returns:
        The in-image path of the hook that was written.
    """
    location.set_description(f"install mkinitcpio install hook {name}")
    hook_path = os.path.join("/usr/lib/initcpio/install", name)
    create_file(system_context, hook_path, contents.encode("utf-8"))
    return hook_path
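def __call__(self, location: Location, system_context: SystemContext, *args: typing.Any, **kwargs: typing.Any) -> None:
    """Execute command.

    ``args[0]`` is the PEM private key and ``args[1]`` the PEM public key
    for systemd-homed.  Checks only the PEM markers, enables the homed
    service, installs both keys root-only below /usr/share/factory, sets up
    their copy into /var via tmpfiles.d and replaces /etc/pam.d/system-auth
    with a homed-aware stack.

    Raises:
        GenerateError: if either blob lacks its expected PEM header.
    """
    private_key = args[0]
    public_key = args[1]

    location.set_description('Validate keys')
    # Marker checks only — this does not parse or validate the key material.
    if "BEGIN PRIVATE KEY" not in private_key:
        raise GenerateError("Private key blob is not a private key.", location=location)
    if "BEGIN PUBLIC KEY" not in public_key:
        raise GenerateError("Public key blob is not a public key.", location=location)

    # enable the daemon (actually set up socket activation)
    location.set_description('Enableing homed service')
    self._execute(location.next_line(), system_context, 'systemd_enable', 'systemd-homed.service')

    # Install keys into /usr: the private key becomes part of the image, so
    # directory and files stay root-only (0700 / 0600).
    location.set_description('Setup keys')
    key_dir = '/usr/share/factory/var/lib/systemd/home'
    makedirs(system_context, key_dir, mode=0o700)
    create_file(system_context, key_dir + '/local.private', private_key.encode('utf-8'), mode=0o600)
    create_file(system_context, key_dir + '/local.public', public_key.encode('utf-8'), mode=0o600)
    chmod(system_context, 0o600, key_dir + '/*')
    chown(system_context, 0, 0, key_dir + '/*')

    # Set up copying of keys to var:
    create_file(
        system_context,
        '/usr/lib/tmpfiles.d/systemd-homed.conf',
        textwrap.dedent('''\
            C /var/lib/systemd/home - - - -
            ''').encode('utf-8'),
        mode=0o644)

    # Fix up pam: pam_systemd_home.so is tried first with a jump over
    # pam_unix on success.  NOTE(review): "nullok" on pam_unix lets accounts
    # with an empty password authenticate — confirm that is wanted.
    location.set_description('Setting up PAM for homed')
    create_file(
        system_context,
        '/etc/pam.d/system-auth',
        textwrap.dedent('''\
            #%PAM-1.0

            auth [success=1 new_authtok_reqd=1 ignore=ignore user_unknown=ignore default=bad] pam_systemd_home.so
            auth required pam_unix.so try_first_pass nullok
            auth optional pam_permit.so
            auth required pam_env.so

            account [success=1 new_authtok_reqd=1 ignore=ignore user_unknown=ignore default=bad] pam_systemd_home.so
            account required pam_unix.so
            account optional pam_permit.so
            account required pam_time.so

            password [success=1 new_authtok_reqd=1 ignore=ignore user_unknown=ignore default=bad] pam_systemd_home.so
            password required pam_unix.so try_first_pass nullok sha512 shadow
            password optional pam_permit.so

            session required pam_limits.so
            session [success=1 new_authtok_reqd=1 ignore=ignore user_unknown=ignore default=bad] pam_systemd_home.so
            session required pam_unix.so
            session optional pam_permit.so
            ''').encode('utf-8'),
        mode=0o644, force=True)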
def _setup_network(location: Location, system_context: SystemContext, *, cluster_name: str, cluster_id: int, node_id: int, outside_match: str, cluster_match: str, gateway: str, dns: str, ntp: str) -> None:
    """Write the systemd-networkd files for one cluster node.

    Creates the cbr0 pod bridge, the external node network (10.128.x.y/8
    with forwarding and masquerading), the bridge's own address
    (10.(cluster_id+128).node_id.1/16) and the bridge-member match.

    NOTE(review): ``outside_match`` and ``cluster_match`` are spliced
    verbatim into a [Match] section after dedent; they are trusted config
    here and a value containing newlines would add arbitrary keys.
    """
    network_dir = '/usr/lib/systemd/network'

    bridge_netdev = textwrap.dedent('''\
        [NetDev]
        Description=Internal POD bridge
        Name=cbr0
        Kind=bridge
        ''')
    create_file(system_context, network_dir + '/20-cbr0-bridge.netdev',
                bridge_netdev.encode('utf-8'), mode=0o644)

    # Formatting happens after dedent so the substituted values do not
    # affect the indentation margin.
    extern_params = dict(outside_match=outside_match, cluster_id=cluster_id,
                         node_id=node_id, gateway=gateway, dns=dns, ntp=ntp)
    extern_network = textwrap.dedent('''\
        [Match]
        {outside_match}

        [Network]
        Description=Node network
        Address=10.128.{cluster_id}.{node_id}/8
        Gateway={gateway}
        DNS={dns}
        NTP={ntp}
        IPForward=yes
        IPMasquerade=yes
        ''').format(**extern_params)
    create_file(system_context, network_dir + '/10-extern.network',
                extern_network.encode('utf-8'), mode=0o644)

    bridge_network = textwrap.dedent('''\
        [Match]
        Name=cbr0

        [Network]
        Description={cluster_name} pod bridge setup
        Address=10.{cluster_offset}.{node_id}.1/16
        ''').format(cluster_name=cluster_name,
                    cluster_offset=cluster_id + 128,
                    node_id=node_id)
    create_file(system_context, network_dir + '/30-cbr.network',
                bridge_network.encode('utf-8'), mode=0o644)

    bridge_member = textwrap.dedent('''\
        [Match]
        {cluster_match}

        [Network]
        Description={cluster_name} pod bridge outside connectivity
        Bridge=cbr0
        ''').format(cluster_name=cluster_name, cluster_match=cluster_match)
    create_file(system_context, network_dir + '/40-cbr-outside-if.network',
                bridge_member.encode('utf-8'), mode=0o644)
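def __call__(
    self,
    location: Location,
    system_context: SystemContext,
    *args: typing.Any,
    **kwargs: typing.Any
) -> None:
    """Execute command.

    ``args[0]`` is the PEM private key and ``args[1]`` the PEM public key
    for systemd-homed.  Checks only the PEM markers, enables the homed
    service, installs both keys root-only below /usr/share/factory, sets up
    their copy into /var via tmpfiles.d and writes a homed-aware PAM stack
    (/etc/pam.d/nss-auth plus /etc/pam.d/system-auth).

    Raises:
        GenerateError: if either blob lacks its expected PEM header.
    """
    private_key = args[0]
    public_key = args[1]

    location.set_description("Validate keys")
    # Marker checks only — this does not parse or validate the key material.
    if "BEGIN PRIVATE KEY" not in private_key:
        raise GenerateError(
            "Private key blob is not a private key.", location=location
        )
    if "BEGIN PUBLIC KEY" not in public_key:
        raise GenerateError(
            "Public key blob is not a public key.", location=location
        )

    # enable the daemon (actually set up socket activation)
    location.set_description("Enableing homed service")
    self._execute(
        location.next_line(),
        system_context,
        "systemd_enable",
        "systemd-homed.service",
    )

    # Install keys into /usr: the private key becomes part of the image, so
    # directory and files stay root-only (0700 / 0600).
    location.set_description("Setup keys")
    key_dir = "/usr/share/factory/var/lib/systemd/home"
    makedirs(system_context, key_dir, mode=0o700)
    create_file(
        system_context,
        key_dir + "/local.private",
        private_key.encode("utf-8"),
        mode=0o600,
    )
    create_file(
        system_context,
        key_dir + "/local.public",
        public_key.encode("utf-8"),
        mode=0o600,
    )
    chmod(system_context, 0o600, key_dir + "/*")
    chown(system_context, 0, 0, key_dir + "/*")

    # Set up copying of keys to var:
    create_file(
        system_context,
        "/usr/lib/tmpfiles.d/systemd-homed.conf",
        textwrap.dedent(
            """\
            C /var/lib/systemd/home - - - -
            """
        ).encode("utf-8"),
        mode=0o644,
    )

    # Fix up pam: nss-auth tries pam_unix, then pam_systemd_home, and
    # denies otherwise; system-auth includes it as a substack.
    # NOTE(review): "nullok" on pam_unix lets accounts with an empty password
    # authenticate — confirm that is wanted on these systems.
    location.set_description("Setting up PAM for homed")
    create_file(
        system_context,
        "/etc/pam.d/nss-auth",
        textwrap.dedent(
            """\
            #%PAM-1.0

            auth     sufficient pam_unix.so try_first_pass nullok
            auth     sufficient pam_systemd_home.so
            auth     required   pam_deny.so

            account  sufficient pam_unix.so
            account  sufficient pam_systemd_home.so
            account  required   pam_deny.so

            password sufficient pam_unix.so try_first_pass nullok sha512 shadow
            password sufficient pam_systemd_home.so
            password required   pam_deny.so
            """
        ).encode("utf-8"),
        mode=0o644,
    )
    create_file(
        system_context,
        "/etc/pam.d/system-auth",
        textwrap.dedent(
            """\
            #%PAM-1.0

            auth      substack   nss-auth
            auth      optional   pam_permit.so
            auth      required   pam_env.so

            account   substack   nss-auth
            account   optional   pam_permit.so
            account   required   pam_time.so

            password  substack   nss-auth
            password  optional   pam_permit.so

            session   required   pam_limits.so
            session   optional   pam_systemd_home.so
            session   required   pam_unix.so
            session   optional   pam_permit.so
            """
        ).encode("utf-8"),
        mode=0o644,
        force=True,
    )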
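def __call__(self, location: Location, system_context: SystemContext, *args: typing.Any, **kwargs: typing.Any) -> None:
    """Execute command.

    Installs usbguard, enables its D-Bus service, moves the daemon
    configuration, rule file and IPC access-control directory to a factory
    copy under /usr/share/factory/var/etc/usbguard (restored into
    /var/etc/usbguard by tmpfiles.d), removes /etc/usbguard and adds a
    drop-in for usbguard issue #287 that starts the daemon on the relocated
    config.
    """
    self._execute(location, system_context, "pacman", "usbguard")

    # Do setup:
    # enable the daemon (actually set up socket activation)
    self._execute(
        location.next_line(),
        system_context,
        "systemd_enable",
        "usbguard-dbus.service",
    )

    factory_dir = "/usr/share/factory/var/etc/usbguard"
    daemon_conf = "/etc/usbguard/usbguard-daemon.conf"

    create_file(
        system_context,
        "/usr/lib/tmpfiles.d/usbguard.conf",
        textwrap.dedent("""\
            d /var/log/usbguard 0750 root root - -
            d /var/etc/usbguard 0750 root root - -
            C /var/etc/usbguard - - - - -
            """).encode("utf-8"),
    )

    self._execute(
        location.next_line(),
        system_context,
        "sed",
        "/RuleFile=\\/etc/ cRuleFile=/var/etc/usbguard/rules.conf",
        daemon_conf,
    )
    self._execute(
        location.next_line(),
        system_context,
        "sed",
        "/IPCAccessControlFiles=\\/etc/ cIPCAccessControlFiles=/var/etc/usbguard/IPCAccessControl.d",
        daemon_conf,
    )
    # NOTE(review): ImplicitPolicyTarget=allow admits any device that no rule
    # matches, and rules.conf below is created empty — until rules are
    # provisioned every USB device is accepted. Confirm this is intended.
    self._execute(
        location.next_line(),
        system_context,
        "sed",
        "/ImplicitPolicyTarget=/ cImplicitPolicyTarget=allow",
        daemon_conf,
    )

    # The directory name must match the IPCAccessControlFiles path set
    # above ("IPCAccessControl.d"); the previous "IPCaccessControl.d"
    # differed in case, so the daemon would look for a directory that the
    # factory copy never provides.
    makedirs(system_context, factory_dir + "/IPCAccessControl.d")
    move(
        system_context,
        daemon_conf,
        factory_dir,
    )
    # rules.conf is the device allow-list: root-only, 0600.
    create_file(
        system_context,
        factory_dir + "/rules.conf",
        b"",
        mode=0o600,
    )
    remove(
        system_context,
        "/etc/usbguard",
        recursive=True,
    )

    # Fix for https://github.com/USBGuard/usbguard/issues/287
    makedirs(system_context, "/usr/lib/systemd/system/usbguard.service.d")
    create_file(
        system_context,
        "/usr/lib/systemd/system/usbguard.service.d/bugfix.conf",
        textwrap.dedent("""\
            [Service]
            CapabilityBoundingSet=CAP_DAC_OVERRIDE
            ReadWritePaths=-/var/etc/usbguard/rules.conf
            ExecStart=
            ExecStart=/usr/bin/usbguard-daemon -k -c /var/etc/usbguard/usbguard-daemon.conf
            """).encode("utf-8"),
    )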
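def _setup_network(
    location: Location,
    system_context: SystemContext,
    *,
    cluster_name: str,
    cluster_id: int,
    node_id: int,
    outside_match: str,
    cluster_match: str,
    gateway: str,
    dns: str,
    ntp: str,
) -> None:
    """Write the systemd-networkd files for one cluster node.

    Creates the cbr0 pod bridge, the external node network (10.128.x.y/8
    with forwarding and masquerading), the bridge's own address
    (10.(cluster_id+128).node_id.1/16) and the bridge-member match.

    NOTE(review): the f-strings are interpolated before ``dedent`` runs, and
    ``outside_match``/``cluster_match`` land verbatim in a [Match] section;
    they are trusted config here, but a value with newlines or leading
    whitespace would break the dedent margin and could add arbitrary keys.
    """
    # Computed up front: the f-string below referenced an undefined
    # ``cluster_offset`` and raised NameError at runtime.
    cluster_offset = cluster_id + 128

    create_file(
        system_context,
        "/usr/lib/systemd/network/20-cbr0-bridge.netdev",
        textwrap.dedent("""\
            [NetDev]
            Description=Internal POD bridge
            Name=cbr0
            Kind=bridge
            """).encode("utf-8"),
        mode=0o644,
    )
    create_file(
        system_context,
        "/usr/lib/systemd/network/10-extern.network",
        textwrap.dedent(f"""\
            [Match]
            {outside_match}

            [Network]
            Description=Node network
            Address=10.128.{cluster_id}.{node_id}/8
            Gateway={gateway}
            DNS={dns}
            NTP={ntp}
            IPForward=yes
            IPMasquerade=yes
            """).encode("utf-8"),
        mode=0o644,
    )
    create_file(
        system_context,
        "/usr/lib/systemd/network/30-cbr.network",
        textwrap.dedent(f"""\
            [Match]
            Name=cbr0

            [Network]
            Description={cluster_name} pod bridge setup
            Address=10.{cluster_offset}.{node_id}.1/16
            """).encode("utf-8"),
        mode=0o644,
    )
    create_file(
        system_context,
        "/usr/lib/systemd/network/40-cbr-outside-if.network",
        textwrap.dedent(f"""\
            [Match]
            {cluster_match}

            [Network]
            Description={cluster_name} pod bridge outside connectivity
            Bridge=cbr0
            """).encode("utf-8"),
        mode=0o644,
    )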
def __call__(
    self,
    location: Location,
    system_context: SystemContext,
    *args: typing.Any,
    **kwargs: typing.Any,
) -> None:
    """Execute command.

    Installs postgresql, hardens its unit, writes a first-boot
    ``setup-postgresql.sh`` that initialises the data directory and sets the
    postgres role password from ``/home/postgres/.pgpass``, and — when the
    ``password`` keyword argument is non-empty — writes that .pgpass file.

    NOTE(review): the ``user="******"`` values below are a redaction artifact
    of this listing; restore the real account name from the original source.
    """
    password = kwargs.get("password", "")

    self._execute(location, system_context, "pacman", "postgresql", "postgresql-old-upgrade")
    self._execute(
        location.next_line(),
        system_context,
        "mkdir",
        "/usr/lib/systemd/system/postgresql.service.d/",
        mode=0o755,
    )
    self._execute(
        location.next_line(),
        system_context,
        "systemd_harden_unit",
        "postgresql.service",
    )

    # "$$" is kept as-is here: it is presumably the escape for a literal "$"
    # in the project's template substitution — confirm against create_file.
    # NOTE(review): in PostgreSQL a double-quoted "..." is an identifier, not
    # a string literal, so PASSWORD "$PASSWD" may be rejected; since the
    # single-user session's output goes to /dev/null that failure would be
    # silent. PASSWORD '...' is the literal form — verify on a fresh init.
    # NOTE(review): listen_addresses='*' plus md5 for 172.17.0.0/16 exposes
    # the server on every interface with md5 auth; scram-sha-256 is the
    # current recommended method.
    create_file(
        system_context,
        "/usr/local/bin/setup-postgresql.sh",
        textwrap.dedent("""\
            #!/usr/bin/bash
            DATADIR="$$1"
            test "x$$DATADIR" = "x" && exit 2
            USER=postgres
            PASSWD=$$(cat /home/postgres/.pgpass | cut -d':' -f5)
            if test ! -d "$${DATADIR}" ; then
                su $${USER} -c "/usr/bin/initdb -D $${DATADIR} --encoding UTF8 --locale C" || exit 1
                su $${USER} -c "/usr/bin/postgres --single -D $${DATADIR}" <<EOF > /dev/null 2>&1
            ALTER USER $${USER} PASSWORD "$${PASSWD}";
            EOF
                echo >> "$${DATADIR}/postgresql.conf"
                echo "listen_addresses = '*' # Listen everywhere!" >> "$${DATADIR}/postgresql.conf"
                cat << END_OF_CONFIG > "$${DATADIR}/pg_hba.conf"
            # TYPE DATABASE USER ADDRESS METHOD
            # "local" is for Unix domain socket connections only
            local all all md5
            # IPv4 local connections:
            host all all 127.0.0.1/32 md5
            host all all 172.17.0.0/16 md5
            # IPv6 local connections:
            host all all ::1/128 md5
            END_OF_CONFIG
            fi
            """).encode("utf-8"),
        mode=0o755,
    )

    self._execute(
        location.next_line(),
        system_context,
        "usermod",
        "postgres",
        shell="/usr/bin/bash",
        home="/home/postgres",
    )
    self._execute(
        location.next_line(),
        system_context,
        "mkdir",
        "/home/postgres",
        mode=0o755,
        user="******",
        group="postgres",
    )

    # The .pgpass file holds the role password in clear text; it is 0600
    # and owned by the database account, and only written when a password
    # was actually supplied.
    if password:
        create_file(
            system_context,
            "/home/postgres/.pgpass",
            f"*:*:*:*:{password}".encode("utf-8"),
            mode=0o600,
            user="******",
            group="postgres",
        )
def __call__(
    self,
    location: Location,
    system_context: SystemContext,
    *args: typing.Any,
    **kwargs: typing.Any
) -> None:
    """Execute command.

    Installs nginx with a fixed DH-parameter file and a base nginx.conf,
    partially hardens its unit, creates the sites-available/-enabled (and,
    for HTTPS, ssl) directories, enables the service, opens the firewall
    ports selected by the ``http`` (default False) and ``https`` (default
    True) keyword arguments and registers teardown hooks that fix ownership
    and modes below /etc/nginx/ssl.

    NOTE(review): the ``user="******"`` value in the chown hook is a redaction
    artifact of this listing; restore the real account from the source.
    """
    self._execute(location, system_context, "pacman", "nginx")

    # Do setup:
    # Fix missing symlink:
    # NOTE(review): these DH parameters are static and shared by every image
    # built from this file. DH groups are not secret, but a fixed
    # self-generated group across all deployments is worth replacing with
    # one of the RFC 7919 ffdhe groups or a per-deployment generation step.
    create_file(
        system_context,
        "/etc/nginx/dhparams.pem",
        textwrap.dedent(
            """\
            -----BEGIN DH PARAMETERS-----
            MIIBCAKCAQEAtiVyRgTKjub6YmPwk7YTp+CL6OG2zHFdUBMEUcGEsfHjPB/OXxQV
            iv4tHQeOxVSoiwZi9u/zWbbttpHsAXMTJsq9EzDi7uQie8iBlOOHjK7hx7LNIABJ
            BkWSliZgemdY/XwdH9ckZlDpVsqdQNftfPxPZL+HpKeSFDTNGWrp8DgcoINi0Vzt
            thVUhHF8961VGsjb66z3GJyuLtpRTfpV6eji87Njy06jOwbS0gdq1mOPptxBNfmA
            w4oadWDreQXxTjaq0kowz9hTk/eRgnnpb0NwZb4fTJ8oYo8m0yTHoeIWFrEDhBGR
            30DFtTj6OKkkfz4tKJbcIr5+uJQZuqoXSwIBAg==
            -----END DH PARAMETERS-----
            """
        ).encode("utf-8"),
        mode=0o640,
    )
    # "$$" is kept as-is: presumably the escape for a literal "$" in the
    # project's template substitution — confirm against create_file.
    create_file(
        system_context,
        "/etc/nginx/nginx.conf",
        textwrap.dedent(
            """\
            user html;
            worker_processes 1;

            #error_log logs/error.log;
            #error_log logs/error.log notice;
            #error_log logs/error.log info;

            #pid logs/nginx.pid;

            events {
                worker_connections 1024;
            }

            http {
                include mime.types;
                default_type application/octet-stream;
                types_hash_max_size 4096;

                #log_format main '$$remote_addr - $$remote_user [$$time_local] "$$request" '
                # '$$status $$body_bytes_sent "$$http_referer" '
                # '"$$http_user_agent" "$$http_x_forwarded_for"';

                #access_log logs/access.log main;

                sendfile on;
                #tcp_nopush on;

                #keepalive_timeout 0;
                keepalive_timeout 65;

                #gzip on;

                include sites-enabled/*;
            }
            """
        ).encode("utf-8"),
        mode=0o644,
        force=True,
    )

    os.makedirs(system_context.file_name("/usr/lib/systemd/system/nginx.service.d"))
    # NOTE(review): the hardening is relaxed for this unit — the capability
    # bounding set is left alone ("IGNORE") and NoNewPrivileges/PrivateUsers
    # are switched off; presumably so nginx can bind its ports and drop to
    # "user html" itself. Worth re-checking whether a narrower set
    # (e.g. just the bind capability) would do — confirm with the unit.
    self._execute(
        location.next_line(),
        system_context,
        "systemd_harden_unit",
        "nginx.service",
        CapabilityBoundingSet="IGNORE",
        NoNewPrivileges=False,
        PrivateUsers=False,
    )

    os.makedirs(system_context.file_name("/etc/nginx/sites-available"))
    os.makedirs(system_context.file_name("/etc/nginx/sites-enabled"))
    if kwargs.get("https", True):
        os.makedirs(system_context.file_name("/etc/nginx/ssl"))

    # enable the daemon (actually set up socket activation)
    self._execute(
        location.next_line(), system_context, "systemd_enable", "nginx.service"
    )

    # Open the firewall for it:
    # Plain HTTP is opt-in (default False); HTTPS is opened by default.
    if kwargs.get("http", False):
        self._execute(
            location.next_line(),
            system_context,
            "net_firewall_open_port",
            "80",
            protocol="tcp",
            comment="Nginx",
        )
    if kwargs.get("https", True):
        self._execute(
            location.next_line(),
            system_context,
            "net_firewall_open_port",
            "443",
            protocol="tcp",
            comment="Nginx",
        )

    # Teardown hooks: certificates stay world-readable (0644), private keys
    # are restricted to owner and group (0640).
    self._add_hook(
        location.next_line(),
        system_context,
        "_teardown",
        "chown",
        "/etc/nginx/ssl",
        recursive=True,
        user="******",
        group="root",
    )
    self._add_hook(
        location.next_line(),
        system_context,
        "_teardown",
        "chmod",
        0o644,
        "/etc/nginx/ssl/*-cert.pem",
    )
    self._add_hook(
        location.next_line(),
        system_context,
        "_teardown",
        "chmod",
        0o640,
        "/etc/nginx/ssl/*-key.pem",
    )