From ba58953a8c24ca389a53fecac756fe9ea4ed4409 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zsolt=20Alf=C3=B6ldi?= Date: Thu, 26 Feb 2026 23:07:20 +0100 Subject: [PATCH] final config ... sooo --- build-iso.sh | 2 + scripts/post-install.sh | 90 ++++++++++++++++++++----- templates/user-data.tmpl | 139 +++++++++++++++++++++++++++++++-------- 3 files changed, 188 insertions(+), 43 deletions(-) diff --git a/build-iso.sh b/build-iso.sh index bbc6eba..c6d4c61 100755 --- a/build-iso.sh +++ b/build-iso.sh @@ -107,6 +107,8 @@ cp "$POST_INSTALL_SCRIPT" "$NOCLOUD_DIR/post-install.sh" cp "scripts/wifi.sh" "$NOCLOUD_DIR/wifi.sh" touch "$NOCLOUD_DIR/meta-data" +cp $NOCLOUD_DIR/user-data* /tmp/ + # ── Patch GRUB ──────────────────────────────────────────────────────────────── GRUB_CFG="$WORK_DIR/iso/boot/grub/grub.cfg" if [[ -f "$GRUB_CFG" ]]; then diff --git a/scripts/post-install.sh b/scripts/post-install.sh index 352de06..3bc6218 100755 --- a/scripts/post-install.sh +++ b/scripts/post-install.sh @@ -23,6 +23,7 @@ function desktop() { nautilus systemctl set-default graphical.target info "Desktop installed." + echo desktop >>/tmp/installer } function docker() { 
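Review bot: `cp $NOCLOUD_DIR/user-data* /tmp/` copies the rendered user-data, which per templates/user-data.tmpl carries the LUKS passphrase, the root password hash and the VPN client key, into world-readable /tmp and leaves it there after the build. The expansion is also unquoted while the neighbouring lines quote `$NOCLOUD_DIR`. If the copy is only for debugging, drop it or write to a private directory, `debug_dir=$(mktemp -d)` then `cp -- "$NOCLOUD_DIR"/user-data* "$debug_dir/"`, and remove it when done.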
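Review bot: `echo desktop >>/tmp/installer` appends a progress marker as root to a fixed name inside a world-writable directory, so any local user can pre-create /tmp/installer and receive the appends, and the markers disappear when /tmp is cleaned; the same pattern is added for docker, intune and nix_home_manager in the next two hunks of this file. If the markers record which steps ran, keep them under a root-owned directory, e.g. `install -d -m 0700 /var/lib/post-install` once and `echo desktop >>/var/lib/post-install/done`. desktop() begins outside this hunk.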
@@ -45,15 +46,56 @@ function docker() { usermod -aG docker alfoldi systemctl enable docker info "Docker installed." + echo docker >>/tmp/installer } -function himmelblau() { - # ─── HIMMELBLAU (Azure Entra ID) ───────────────────────────────────────────── - info "Installing Himmelblau..." - apt install curl && curl -fsSL https://packages.himmelblau-idm.org/himmelblau.asc | gpg --dearmor -o /etc/apt/trusted.gpg.d/himmelblau.gpg - add-apt-repository "deb [arch=amd64] https://packages.himmelblau-idm.org/stable/latest/deb/ubuntu24.04/ ./" - apt install -y himmelblau pam-himmelblau nss-himmelblau - info "Himmelblau installed." +function intune() { + # # ─── HIMMELBLAU (Azure Entra ID) ───────────────────────────────────────────── + # info "Installing Himmelblau..." + # curl -fsSL https://packages.himmelblau-idm.org/himmelblau.asc | gpg --dearmor -o /etc/apt/trusted.gpg.d/himmelblau.gpg + # add-apt-repository -y "deb [arch=amd64] https://packages.himmelblau-idm.org/stable/latest/deb/ubuntu24.04/ ./" + # + # # Pre-seed kerberos to avoid interactive prompts + # echo "krb5-config krb5-config/default_realm string EXAMPLE.COM" | debconf-set-selections + # echo "krb5-config krb5-config/add_servers boolean false" | debconf-set-selections + # echo "krb5-config krb5-config/add_servers_realm string EXAMPLE.COM" | debconf-set-selections + # + # # Himmelblau + # DEBIAN_FRONTEND=noninteractive apt-get install -y -o Dpkg::Options::="--force-confold" \ + # himmelblau \ + # pam-himmelblau \ + # nss-himmelblau \ + # himmelblau-sshd-config \ + # himmelblau-qr-greeter \ + # himmelblau-sso + # # o365 + # info "Himmelblau installed." + # + # # 2. 
Fix PAM immediately after + # sudo tee /etc/pam.d/common-auth <<'EOF' + # auth required pam_env.so + # auth [default=1 ignore=ignore success=ok] pam_localuser.so + # auth sufficient pam_unix.so nullok try_first_pass + # auth sufficient pam_himmelblau.so ignore_unknown_user + # auth required pam_deny.so + # EOF + # + # sudo tee /etc/pam.d/common-account <<'EOF' + # account [default=1 ignore=ignore success=ok] pam_localuser.so + # account sufficient pam_unix.so + # account sufficient pam_himmelblau.so ignore_unknown_user + # account required pam_deny.so + # EOF + + curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor >microsoft.gpg + sudo install -o root -g root -m 644 microsoft.gpg /etc/apt/trusted.gpg.d/ + rm microsoft.gpg + + sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/repos/edge stable main" > /etc/apt/sources.list.d/microsoft-edge.list' + + sudo apt update + sudo apt install microsoft-edge-stable intune-portal + echo intune >>/tmp/installer } function nix_home_manager() { 
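Review bot: `curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor >microsoft.gpg` runs without `-f`, so an HTTP error body would be dearmored and installed as a trusted key, and putting it in /etc/apt/trusted.gpg.d/ makes that key valid for every configured repository rather than only the Microsoft one. `sudo apt install microsoft-edge-stable intune-portal` has no `-y`, so a non-interactive post-install run aborts at the confirmation prompt; the rest of the script calls apt and systemctl directly as root without sudo, and microsoft.gpg is written to whatever the current directory happens to be. Suggested: `curl -fsSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor -o /etc/apt/keyrings/microsoft.gpg` (after `install -d -m 0755 /etc/apt/keyrings` if the directory is absent), `echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/edge stable main" > /etc/apt/sources.list.d/microsoft-edge.list`, and `apt-get install -y microsoft-edge-stable intune-portal`. The forty commented-out Himmelblau and PAM lines above would be easier to recover from git history than to keep inside intune().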
@@ -70,24 +112,35 @@ function nix_home_manager() { info "Installing home-manager..." nix-shell '' -A install + echo nix_home_manager >>/tmp/installer +} + +function displaylink_driver() { + # DisplayLink + curl -fsSL -o /tmp/synaptics-keyring.deb \ + "https://www.synaptics.com/sites/default/files/Ubuntu/pool/stable/main/all/synaptics-repository-keyring.deb" + apt-get install -y /tmp/synaptics-keyring.deb + apt-get update + apt-get install -y displaylink-driver } function main() { desktop || true docker || true - himmelblau || true + intune || true nix_home_manager || true - - # ─── DARK THEME ────────────────────────────────────────────────────────────── - info "Setting dark theme..." - gsettings set org.gnome.desktop.interface color-scheme prefer-dark - gsettings set org.gnome.desktop.interface gtk-theme Adwaita-dark + displaylink_driver || true # ─── DASH TO PANEL ─────────────────────────────────────────────────────────── info "Installing Dash to Panel..." - # gext install dash-to-panel@jderose9.github.com - apt install gnome-shell-extension-dashtopanel - gnome-extensions enable dash-to-panel@jderose9.github.com + sudo -u alfoldi bash -c ' + cd /tmp + git clone https://github.com/home-sweet-gnome/dash-to-panel.git || true + cd dash-to-panel + make install + ' + + dconf update # ─── SSH ───────────────────────────────────────────────────────────────────── info "Enabling SSH..." @@ -99,6 +152,9 @@ function main() { chmod 440 /etc/sudoers.d/alfoldi info "Post-install complete ✓" + systemctl start gdm } -# start main +if [[ "$1" = "main" ]]; then + main +fi diff --git a/templates/user-data.tmpl b/templates/user-data.tmpl index 70be2b0..db6fe53 100644 --- a/templates/user-data.tmpl +++ b/templates/user-data.tmpl 
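Review bot: displaylink_driver installs /tmp/synaptics-keyring.deb with `apt-get install -y` and no integrity check, so whatever the download returns becomes a trusted apt keyring on the system; pin the expected digest before installing, e.g. `echo "<EXPECTED_SHA256>  /tmp/synaptics-keyring.deb" | sha256sum -c -` with the placeholder replaced by the published hash. In the Dash to Panel block, `git clone ... || true` followed by an unguarded `cd dash-to-panel` means a failed clone leaves `make install` running in /tmp, and the clone tracks an unpinned default branch; `git clone --depth 1 --branch <PINNED_TAG> https://github.com/home-sweet-gnome/dash-to-panel.git && cd dash-to-panel && make install` addresses both. main() continues past the end of this hunk.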
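Review bot: `if [[ "$1" = "main" ]]; then` dereferences `$1` unconditionally, so invoking the script with no arguments fails with an unbound-variable error if the file header (outside this hunk) sets `-u`, and otherwise silently does nothing; `if [[ "${1:-}" == "main" ]]; then` keeps the guard and tolerates the no-argument case. A one-line comment above the guard saying that the file is meant to be sourced for its functions and run with `main` to execute them would explain the pattern to the next reader. main() starts outside this hunk.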
@@ -40,31 +40,116 @@ autoinstall: encrypted: true password: "${LUKS_PASSPHRASE}" - # ─── CERT FILES ──────────────────────────────────────────────────────────── - write_files: - - path: /nokia/vpn/NOKIA_Root_CA.crt - permissions: "0600" - owner: root:root - encoding: b64 - content: "${NOKIA_CA_CERT_B64}" + user-data: + chpasswd: + expire: false + list: + - root:${USER_PASSWORD_HASH} - - path: /nokia/vpn/alfoldi.ipa.nsn-net.net.crt - permissions: "0600" - owner: root:root - encoding: b64 - content: "${NOKIA_CLIENT_CERT_B64}" + # ─── CERT FILES ──────────────────────────────────────────────────────────── + write_files: + - path: /nokia/vpn/NOKIA_Root_CA.crt + permissions: "0600" + owner: alfoldi:alfoldi + encoding: b64 + content: "${NOKIA_CA_CERT_B64}" - - path: /nokia/vpn/alfoldi.ipa.nsn-net.net.key - permissions: "0600" - owner: root:root - encoding: b64 - content: "${NOKIA_CLIENT_KEY_B64}" + - path: /nokia/vpn/alfoldi.ipa.nsn-net.net.crt + permissions: "0600" + owner: alfoldi:alfoldi + encoding: b64 + content: "${NOKIA_CLIENT_CERT_B64}" - - path: /etc/systemd/logind.conf.d/lid.conf - content: | - [Login] - HandleLidSwitch=ignore - LidSwitchIgnoreInhibited=no + - path: /nokia/vpn/alfoldi.ipa.nsn-net.net.key + permissions: "0600" + owner: alfoldi:alfoldi + encoding: b64 + content: "${NOKIA_CLIENT_KEY_B64}" + + # - path: /etc/himmelblau/himmelblau.conf + # owner: alfoldi:alfoldi + # content: | + # [global] + # domain = nokia.com + # home_attr = CN + # home_alias = CN + # use_etc_skel = true + # pam_allow_groups = zsolt.alfoldi@nokia.com + # # user_map_file = /etc/himmelblau/user-map + # + # - path: /etc/himmelblau/user-map + # owner: alfoldi:alfoldi + # content: | + # alfoldi:zsolt.alfoldi@nokia.com + + - path: /etc/ssh/sshd_config.d/99-custom.conf + permissions: "0644" + owner: root:root + content: | + X11Forwarding yes + X11DisplayOffset 10 + X11UseLocalhost no + GatewayPorts yes + + - path: /etc/systemd/sleep.conf + permissions: "0644" + owner: root:root + 
content: | + [Sleep] + AllowSuspend=no + AllowHibernation=no + AllowSuspendThenHibernate=no + AllowHybridSleep=no + + - path: /etc/systemd/logind.conf.d/no-powersave.conf + permissions: "0644" + owner: root:root + content: | + [Login] + HandleLidSwitch=ignore + HandleLidSwitchExternalPower=ignore + HandleLidSwitchDocked=ignore + HandleSuspendKey=ignore + HandleHibernateKey=ignore + IdleAction=ignore + + - path: /etc/dconf/db/local.d/99-custom-gnome + permissions: "0644" + owner: root:root + content: | + [org/gnome/desktop/interface] + color-scheme='prefer-dark' + gtk-theme='Adwaita-dark' + + [org/gnome/shell] + enabled-extensions=['dash-to-panel@jderose9.github.com'] + disable-user-extensions=false + + [org/gnome/settings-daemon/plugins/power] + sleep-inactive-ac-type='nothing' + sleep-inactive-battery-type='nothing' + # power-button-action='nothing' + + [org/gnome/desktop/session] + idle-delay=uint32 0 + + [system/proxy] + autoconfig-url='proxyconf.glb.nokia.com/proxy.pac' + ignore-hosts=['localhost', '127.0.0.0/8', '::1', '192.168.1.1', '192.168.0.0', '192.168.0.0/8'] + mode='none' + + [system/proxy/http] + host='10.158.100.1' + + [system/proxy/https] + host='10.158.100.1' + port=8080 + + - path: /etc/dconf/profile/user + owner: root:root + content: | + user-db:user + system-db:local # ─── PACKAGES ────────────────────────────────────────────────────────────── packages: @@ -72,6 +157,7 @@ autoinstall: - curl - wget - vim + - gettext - build-essential - python3 - python3-pip @@ -81,17 +167,18 @@ autoinstall: - gnupg - lsb-release - openssh-server + - net-tools - early-commands: - - mkdir -p /nokia/vpn - - mkdir -p /target/nokia/vpn + # early-commands: + # - mkdir -p /target/nokia/vpn + # - mkdir -p /target/etc/himmelblau late-commands: # - cp /etc/resolv.conf /target/etc/resolv.conf - bash -x /cdrom/nocloud/wifi.sh - cp /cdrom/nocloud/post-install.sh /target/home/ - updates: security + updates: all shutdown: poweroff # vim: set filetype=yaml :
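Review bot: The new sshd drop-in sets `X11UseLocalhost no` and `GatewayPorts yes`, which bind forwarded X11 displays and remote port forwards to all interfaces instead of loopback, so anything that can reach the host over the network can connect to them; unless that exposure is intended, use `X11UseLocalhost yes` and `GatewayPorts clientspecified` (or leave both at their defaults). The `chpasswd` entry `root:${USER_PASSWORD_HASH}` gives root a password on the installed system; with openssh-server in the package list, confirm PermitRootLogin stays at its prohibit-password default so that password is not usable over SSH. The VPN client key now has `owner: alfoldi:alfoldi` with mode 0600, which lets the unprivileged desktop user read it — reasonable if the VPN client runs as that user, but worth a comment either way. In the proxy settings, `'192.168.0.0/8'` in `ignore-hosts` covers all of 192.0.0.0/8 and `'192.168.0.0'` without a mask matches a single address, so `'192.168.0.0/16'` is probably what was meant, and `autoconfig-url='proxyconf.glb.nokia.com/proxy.pac'` lacks a scheme, which GNOME is likely to reject as a PAC URL.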