final config ... sooo

2026-02-26 23:07:20 +01:00
parent 7c53335966
commit ba58953a8c
3 changed files with 188 additions and 43 deletions
--- a/build-iso.sh
+++ b/build-iso.sh
@@ -107,6 +107,8 @@ cp "$POST_INSTALL_SCRIPT" "$NOCLOUD_DIR/post-install.sh"
 cp "scripts/wifi.sh" "$NOCLOUD_DIR/wifi.sh"
 touch "$NOCLOUD_DIR/meta-data"
 cp $NOCLOUD_DIR/user-data* /tmp/
 # ── Patch GRUB ────────────────────────────────────────────────────────────────
 GRUB_CFG="$WORK_DIR/iso/boot/grub/grub.cfg"
 if [[ -f "$GRUB_CFG" ]]; then
--- a/scripts/post-install.sh
+++ b/scripts/post-install.sh
@@ -23,6 +23,7 @@ function desktop() {
    nautilus
  systemctl set-default graphical.target
  info "Desktop installed."
  echo desktop >>/tmp/installer
 }
 function docker() {
@@ -45,15 +46,56 @@ function docker() {
  usermod -aG docker alfoldi
  systemctl enable docker
  info "Docker installed."
  echo docker >>/tmp/installer
 }
-function himmelblau() {
+function intune() {
-  # ─── HIMMELBLAU (Azure Entra ID) ─────────────────────────────────────────────
+  #   # ─── HIMMELBLAU (Azure Entra ID) ─────────────────────────────────────────────
-  info "Installing Himmelblau..."
+  #   info "Installing Himmelblau..."
-  apt install curl && curl -fsSL https://packages.himmelblau-idm.org/himmelblau.asc | gpg --dearmor -o /etc/apt/trusted.gpg.d/himmelblau.gpg
+  #   curl -fsSL https://packages.himmelblau-idm.org/himmelblau.asc | gpg --dearmor -o /etc/apt/trusted.gpg.d/himmelblau.gpg
-  add-apt-repository "deb [arch=amd64] https://packages.himmelblau-idm.org/stable/latest/deb/ubuntu24.04/ ./"
+  #   add-apt-repository -y "deb [arch=amd64] https://packages.himmelblau-idm.org/stable/latest/deb/ubuntu24.04/ ./"
-  apt install -y himmelblau pam-himmelblau nss-himmelblau
+  #
-  info "Himmelblau installed."
+  #   # Pre-seed kerberos to avoid interactive prompts
  #   echo "krb5-config krb5-config/default_realm string EXAMPLE.COM" | debconf-set-selections
  #   echo "krb5-config krb5-config/add_servers boolean false" | debconf-set-selections
  #   echo "krb5-config krb5-config/add_servers_realm string EXAMPLE.COM" | debconf-set-selections
  #
  #   # Himmelblau
  #   DEBIAN_FRONTEND=noninteractive apt-get install -y -o Dpkg::Options::="--force-confold" \
  #     himmelblau \
  #     pam-himmelblau \
  #     nss-himmelblau \
  #     himmelblau-sshd-config \
  #     himmelblau-qr-greeter \
  #     himmelblau-sso
  #   # o365
  #   info "Himmelblau installed."
  #
  #   # 2. Fix PAM immediately after
  #   sudo tee /etc/pam.d/common-auth <<'EOF'
  # auth    required                              pam_env.so
  # auth    [default=1 ignore=ignore success=ok]  pam_localuser.so
  # auth    sufficient                            pam_unix.so nullok try_first_pass
  # auth    sufficient                            pam_himmelblau.so ignore_unknown_user
  # auth    required                              pam_deny.so
  # EOF
  #
  #   sudo tee /etc/pam.d/common-account <<'EOF'
  # account [default=1 ignore=ignore success=ok]  pam_localuser.so
  # account sufficient                            pam_unix.so
  # account sufficient                            pam_himmelblau.so ignore_unknown_user
  # account required                              pam_deny.so
  # EOF
  curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor >microsoft.gpg
  sudo install -o root -g root -m 644 microsoft.gpg /etc/apt/trusted.gpg.d/
  rm microsoft.gpg
  sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/repos/edge stable main" > /etc/apt/sources.list.d/microsoft-edge.list'
  sudo apt update
  sudo apt install microsoft-edge-stable intune-portal
  echo intune >>/tmp/installer
 }
 function nix_home_manager() {
@@ -70,24 +112,35 @@ function nix_home_manager() {
  info "Installing home-manager..."
  nix-shell '<home-manager>' -A install
  echo nix_home_manager >>/tmp/installer
 }
 function displaylink_driver() {
  # DisplayLink
  curl -fsSL -o /tmp/synaptics-keyring.deb \
    "https://www.synaptics.com/sites/default/files/Ubuntu/pool/stable/main/all/synaptics-repository-keyring.deb"
  apt-get install -y /tmp/synaptics-keyring.deb
  apt-get update
  apt-get install -y displaylink-driver
 }
 function main() {
  desktop || true
  docker || true
-  himmelblau || true
+  intune || true
  nix_home_manager || true
-
+  displaylink_driver || true
  # ─── DARK THEME ──────────────────────────────────────────────────────────────
  info "Setting dark theme..."
  gsettings set org.gnome.desktop.interface color-scheme prefer-dark
  gsettings set org.gnome.desktop.interface gtk-theme Adwaita-dark
  # ─── DASH TO PANEL ───────────────────────────────────────────────────────────
  info "Installing Dash to Panel..."
-  # gext install dash-to-panel@jderose9.github.com
+  sudo -u alfoldi bash -c '
-  apt install gnome-shell-extension-dashtopanel
+  cd /tmp
-  gnome-extensions enable dash-to-panel@jderose9.github.com
+  git clone https://github.com/home-sweet-gnome/dash-to-panel.git || true
  cd dash-to-panel
  make install
  '
  dconf update
  # ─── SSH ─────────────────────────────────────────────────────────────────────
  info "Enabling SSH..."
@@ -99,6 +152,9 @@ function main() {
  chmod 440 /etc/sudoers.d/alfoldi
  info "Post-install complete ✓"
  systemctl start gdm
 }
-# start main
+if [[ "$1" = "main" ]]; then
  main
 fi
--- a/templates/user-data.tmpl
+++ b/templates/user-data.tmpl
@@ -40,31 +40,116 @@ autoinstall:
      encrypted: true
      password: "${LUKS_PASSPHRASE}"
-  # ─── CERT FILES ────────────────────────────────────────────────────────────
+  user-data:
-  write_files:
+    chpasswd:
-    - path: /nokia/vpn/NOKIA_Root_CA.crt
+      expire: false
-      permissions: "0600"
+      list:
-      owner: root:root
+        - root:${USER_PASSWORD_HASH}
      encoding: b64
      content: "${NOKIA_CA_CERT_B64}"
-    - path: /nokia/vpn/alfoldi.ipa.nsn-net.net.crt
+    # ─── CERT FILES ────────────────────────────────────────────────────────────
-      permissions: "0600"
+    write_files:
-      owner: root:root
+      - path: /nokia/vpn/NOKIA_Root_CA.crt
-      encoding: b64
+        permissions: "0600"
-      content: "${NOKIA_CLIENT_CERT_B64}"
+        owner: alfoldi:alfoldi
        encoding: b64
        content: "${NOKIA_CA_CERT_B64}"
-    - path: /nokia/vpn/alfoldi.ipa.nsn-net.net.key
+      - path: /nokia/vpn/alfoldi.ipa.nsn-net.net.crt
-      permissions: "0600"
+        permissions: "0600"
-      owner: root:root
+        owner: alfoldi:alfoldi
-      encoding: b64
+        encoding: b64
-      content: "${NOKIA_CLIENT_KEY_B64}"
+        content: "${NOKIA_CLIENT_CERT_B64}"
-    - path: /etc/systemd/logind.conf.d/lid.conf
+      - path: /nokia/vpn/alfoldi.ipa.nsn-net.net.key
-      content: |
+        permissions: "0600"
-        [Login]
+        owner: alfoldi:alfoldi
-        HandleLidSwitch=ignore
+        encoding: b64
-        LidSwitchIgnoreInhibited=no
+        content: "${NOKIA_CLIENT_KEY_B64}"
      # - path: /etc/himmelblau/himmelblau.conf
      #   owner: alfoldi:alfoldi
      #   content: |
      #     [global]
      #     domain = nokia.com
      #     home_attr = CN
      #     home_alias = CN
      #     use_etc_skel = true
      #     pam_allow_groups = zsolt.alfoldi@nokia.com
      #     # user_map_file = /etc/himmelblau/user-map
      #
      # - path: /etc/himmelblau/user-map
      #   owner: alfoldi:alfoldi
      #   content: |
      #     alfoldi:zsolt.alfoldi@nokia.com
      - path: /etc/ssh/sshd_config.d/99-custom.conf
        permissions: "0644"
        owner: root:root
        content: |
          X11Forwarding yes
          X11DisplayOffset 10
          X11UseLocalhost no
          GatewayPorts yes
      - path: /etc/systemd/sleep.conf
        permissions: "0644"
        owner: root:root
        content: |
          [Sleep]
          AllowSuspend=no
          AllowHibernation=no
          AllowSuspendThenHibernate=no
          AllowHybridSleep=no
      - path: /etc/systemd/logind.conf.d/no-powersave.conf
        permissions: "0644"
        owner: root:root
        content: |
          [Login]
          HandleLidSwitch=ignore
          HandleLidSwitchExternalPower=ignore
          HandleLidSwitchDocked=ignore
          HandleSuspendKey=ignore
          HandleHibernateKey=ignore
          IdleAction=ignore
      - path: /etc/dconf/db/local.d/99-custom-gnome
        permissions: "0644"
        owner: root:root
        content: |
          [org/gnome/desktop/interface]
          color-scheme='prefer-dark'
          gtk-theme='Adwaita-dark'
          [org/gnome/shell]
          enabled-extensions=['dash-to-panel@jderose9.github.com']
          disable-user-extensions=false
          [org/gnome/settings-daemon/plugins/power]
          sleep-inactive-ac-type='nothing'
          sleep-inactive-battery-type='nothing'
          # power-button-action='nothing'
          [org/gnome/desktop/session]
          idle-delay=uint32 0
          [system/proxy]
          autoconfig-url='proxyconf.glb.nokia.com/proxy.pac'
          ignore-hosts=['localhost', '127.0.0.0/8', '::1', '192.168.1.1', '192.168.0.0', '192.168.0.0/8']
          mode='none'
          [system/proxy/http]
          host='10.158.100.1'
          [system/proxy/https]
          host='10.158.100.1'
          port=8080
      - path: /etc/dconf/profile/user
        owner: root:root
        content: |
          user-db:user
          system-db:local
  # ─── PACKAGES ──────────────────────────────────────────────────────────────
  packages:
@@ -72,6 +157,7 @@ autoinstall:
    - curl
    - wget
    - vim
    - gettext
    - build-essential
    - python3
    - python3-pip
@@ -81,17 +167,18 @@ autoinstall:
    - gnupg
    - lsb-release
    - openssh-server
    - net-tools
-  early-commands:
+  # early-commands:
-    - mkdir -p /nokia/vpn
+  #   - mkdir -p /target/nokia/vpn
-    - mkdir -p /target/nokia/vpn
+  #   - mkdir -p /target/etc/himmelblau
  late-commands:
    # - cp /etc/resolv.conf /target/etc/resolv.conf
    - bash -x /cdrom/nocloud/wifi.sh
    - cp /cdrom/nocloud/post-install.sh /target/home/
-  updates: security
+  updates: all
  shutdown: poweroff
 # vim: set filetype=yaml :