WiP

4 weeks ago · 26c48ea475
27 changed files with 362 additions and 11 deletions
--- a/Makefile.common
+++ b/Makefile.common
@ -120,7 +120,7 @@ PROJECT_GID ?= 0
 reverse = $(let first rest,$1,$(if $(rest),$(call reverse,$(rest)) )$(first))
 # Ensure that the Makefile is not run from the top-level directory and that it is run as root.
-pre-requisites:
+pre-requisites::
 	@if [ -z "$(TOP_LEVEL_DIR)" ]; then \
 	    echo "Do not run this Makefile from the top-level directory!" >&2; \
 		exit 1; \
@ -222,6 +222,11 @@ install-files-pre::
 # This target can be extended by Makefiles sourcing this one.
 install-files-post::
 # Generated systemd units (quadlets) cannot be enabled.
 # That's why we filter them out from the list of units to be enabled.
 install-actions uninstall: ENABLE_UNITS = $(filter-out $(QUADLET_UNIT_NAMES),$(SYSTEMD_MAIN_UNIT_NAMES) $(SYSTEMD_TIMER_NAMES))
 install-actions uninstall: START_UNITS = $(SYSTEMD_MAIN_UNIT_NAMES)
 # Perform post-installation actions such as enabling and starting units.
 install-actions: install-actions-pre
 	systemctl daemon-reload
@ -233,9 +238,13 @@ install-actions: install-actions-pre
 	fi; \
 	if [ -f /etc/sysctl.d/$(PROJECT_NAME).conf ]; then \
 		run sysctl -q -p /etc/sysctl.d/$(PROJECT_NAME).conf; \
 	fi ; \
 	if [ -n "$(ENABLE_UNITS)" ]; then \
 		run systemctl enable $(ENABLE_UNITS); \
 	fi ; \
 	if [ -n "$(START_UNITS)" ]; then \
 		run systemctl start $(START_UNITS); \
 	fi
 	systemctl enable $(SYSTEMD_MAIN_UNIT_NAMES) $(SYSTEMD_TIMER_NAMES)
 	systemctl start $(SYSTEMD_MAIN_UNIT_NAMES)
 	$(MAKE) install-actions-post
 # Custom commands to be run before performing post-installation actions.
@ -269,8 +278,14 @@ install-post::
 uninstall: FILES_TO_REMOVE := $(call reverse,$(TARGET_EXAMPLE_FILES) $(TARGET_FILES))
 uninstall: pre-requisites uninstall-pre
-	systemctl disable $(SYSTEMD_MAIN_UNIT_NAMES) $(SYSTEMD_TIMER_NAMES) || true
+	@run() { echo $$*; "$$@"; }; \
-	systemctl stop $(SYSTEMD_UNIT_NAMES) $(QUADLET_UNIT_NAMES) || true
+	set -Eeuo pipefail; \
 	if [ -n "$(ENABLE_UNITS)" ]; then \
 		run systemctl disable $(ENABLE_UNITS) || true; \
 	fi ; \
 	if [ -n "$(START_UNITS)" ]; then \
 		run systemctl stop $(START_UNITS) || true; \
 	fi
 	@run() { echo $$*; "$$@"; }; \
 	set -Eeuo pipefail; \
 	if [ -f /etc/tmpfiles.d/$(PROJECT_NAME).conf ]; then \
--- a/base/Makefile
+++ b/base/Makefile
@ -1,3 +1,14 @@
 TOP_LEVEL_DIR := ..
 include $(TOP_LEVEL_DIR)/Makefile.common
-SYSTEMD_MAIN_UNIT_NAMES := var-lib-virtiofs-data.mount rpm-ostree-install-qemu-guest-agent.service install-fastfetch.service
+SYSTEMD_MAIN_UNIT_NAMES += var-lib-virtiofs-data.mount
 SYSTEMD_MAIN_UNIT_NAMES += rpm-ostree-install-qemu-guest-agent.service
 SYSTEMD_MAIN_UNIT_NAMES += install-fastfetch.service
 pre-requisites::
 	@set -Eeuo pipefail; \
 	for tool in rpm-ostree; do \
 		if ! which $$tool &>/dev/null ; then \
 			echo "$$tool is not installed. Please install it first." >&2; \
 			exit 1; \
 		fi ; \
 	done
--- a/base/config/examples/fastfetch.env
+++ b/base/config/examples/fastfetch.env
@ -0,0 +1 @@
 FASTFETCH_VERSION="2.45.0"
--- a/base/config/install-fastfetch.sh
+++ b/base/config/install-fastfetch.sh
@ -1,11 +1,12 @@
 #!/bin/bash
 set -Eeuo pipefail
-FASTFETCH_VERSION="$(curl -sSfL https://api.github.com/repos/fastfetch-cli/fastfetch/releases | jq -r '.[] | select(.prerelease == false and .draft == false) | .tag_name' | sort -V | tail -1)"
+FASTFETCH_LATEST_VERSION="$(curl -sSfL https://api.github.com/repos/fastfetch-cli/fastfetch/releases | jq -r '.[] | select(.prerelease == false and .draft == false) | .tag_name' | sort -V | tail -1)"
 FASTFETCH_VERSION="${FASTFETCH_VERSION:-$FASTFETCH_LATEST_VERSION}"
 FASTFETCH_BIN="/usr/local/bin/fastfetch"
 declare -A ARCH_MAP=( ["aarch64"]="aarch64" ["x86_64"]="amd64" )
 if [ ! -f "$FASTFETCH_BIN" ]; then
    arch="$(arch)"
    arch=${ARCH_MAP[$arch]}
    echo "Installing fastfetch $FASTFETCH_VERSION for $arch..."
-    curl -sSfL https://github.com/fastfetch-cli/fastfetch/releases/download/$FASTFETCH_VERSION/fastfetch-linux-$arch.tar.gz | tar -zx --strip-components=2 -C /usr/local
+    curl -sSfL https://github.com/fastfetch-cli/fastfetch/releases/download/$FASTFETCH_VERSION/fastfetch-linux-$arch.tar.gz | tar -zx --strip-components=2 -C /usr/local --no-same-owner
 fi
--- a/base/install-fastfetch.service
+++ b/base/install-fastfetch.service
@ -8,6 +8,7 @@ ConditionPathExists=!/usr/local/bin/fastfetch
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/etc/quadlets/base/install-fastfetch.sh
 EnvironmentFile=-/etc/quadlets/base/fastfetch.env
 [Install]
 WantedBy=multi-user.target
--- a/samba/samba.container
+++ b/samba/samba.container
@ -23,7 +23,7 @@ User=0
 # Storage
 Volume=/var/lib/quadlets/samba/data:/var/lib/samba:Z
 Volume=/var/lib/quadlets/samba/log:/var/log/samba:Z
-Volume=/var/lib/virtiofs/data:/data
+Volume=/var/lib/virtiofs/data/storage:/data
 Volume=/etc/quadlets/samba/smb.conf.d:/etc/samba/smb.conf.d:Z
 Volume=/run/quadlets/samba/passwd:/etc/passwd:Z
 Volume=/run/quadlets/samba/group:/etc/group:Z
--- a/samba/tmpfiles.d/samba.conf
+++ b/samba/tmpfiles.d/samba.conf
@ -1,8 +1,7 @@
 d$ /var/lib/quadlets/samba/data 0755 0 0 -
 d$ /var/lib/quadlets/samba/log 0755 0 0 -
 d$ /var/lib/quadlets/samba/cache 0755 0 0 -
-d$ /var/lib/virtiofs/data/foo 0755 0 0 -
+d$ /var/lib/virtiofs/data/storage 0755 0 0 -
 d$ /var/lib/virtiofs/data/bar 0755 0 0 -
 d$ /run/quadlets/samba 0700 0 0 -
 C$ /run/quadlets/samba/passwd - - - - /etc/passwd
 C$ /run/quadlets/samba/group - - - - /etc/group
--- a/vmagent/Makefile
+++ b/vmagent/Makefile
@ -0,0 +1,16 @@
 ##
 ## Makefile for Victoria Metrics Agent quadlet
 ##
 # Victoria Metrics Agent quadlet is mapped to the 10025 user (vmagent) and 10000 group (itix-svc)
 PROJECT_UID = 10025
 PROJECT_GID = 10000
 # Include common Makefile
 TOP_LEVEL_DIR := ..
 include $(TOP_LEVEL_DIR)/Makefile.common
 SYSTEMD_MAIN_UNIT_NAMES += vmagent.service
 $(TARGET_CHROOT)/etc/quadlets/vmagent/conf.d:
 	install -d -m 0700 -o $(PROJECT_UID) -g $(PROJECT_GID) -D $< $@
--- a/vmagent/config/examples/conf.d/remotewrite.token
+++ b/vmagent/config/examples/conf.d/remotewrite.token
@ -0,0 +1 @@
 REDACTED
--- a/vmagent/config/examples/vmagent.local.env
+++ b/vmagent/config/examples/vmagent.local.env
@ -0,0 +1,3 @@
 remoteWrite_url=https://victoriametrics.example.tld/api/v1/write
 remoteWrite_basicAuth_passwordFile=/etc/vmagent/remotewrite.token
 remoteWrite_basicAuth_username=remotewrite
--- a/vmagent/config/vmagent.global.env
+++ b/vmagent/config/vmagent.global.env
@ -0,0 +1,2 @@
 httpListenAddr=127.0.0.1:8428
 remoteWrite_tmpDataPath=/var/lib/vmagent/tmp
--- a/vmagent/overlay.bu
+++ b/vmagent/overlay.bu
@ -0,0 +1,9 @@
 variant: fcos
 version: 1.4.0
 passwd:
  users:
  - name: vmagent
    uid: 10025
    gecos: Victoria Metrics Agent
    home_dir: /var/lib/quadlets/vmagent
    primary_group: itix-svc
--- a/vmagent/vmagent.container
+++ b/vmagent/vmagent.container
@ -0,0 +1,33 @@
 [Unit]
 Description=Victoria Metrics agent
 After=local-fs.target network.target
 Wants=network.target
 # Only start if the local configuration file exists
 ConditionPathExists=/etc/quadlets/vmagent/vmagent.local.env
 [Container]
 ContainerName=vmagent
 # Image
 Image=quay.io/victoriametrics/vmagent:latest
 AutoUpdate=registry
 # Security
 User=10025
 Group=10000
 # Storage
 Volume=/var/lib/quadlets/vmagent:/var/lib/vmagent:Z
 Volume=/etc/quadlets/vmagent/conf.d:/etc/vmagent:ro
 # Network
 Network=host
 # Configuration
 EnvironmentFile=/etc/quadlets/vmagent/vmagent.global.env
 EnvironmentFile=/etc/quadlets/vmagent/vmagent.local.env
 Exec=-envflag.enable
 [Install]
 WantedBy=multi-user.target
--- a/vsftpd/Makefile
+++ b/vsftpd/Makefile
@ -0,0 +1,15 @@
 ##
 ## Makefile for Vsftpd quadlet
 ##
 DEPENDENCIES = lego
 # Vsftpd quadlet is mapped to the 10015 user (vsftpd) and 10000 group (itix-svc)
 PROJECT_UID = 10015
 PROJECT_GID = 10000
 # Include common Makefile
 TOP_LEVEL_DIR := ..
 include $(TOP_LEVEL_DIR)/Makefile.common
--- a/vsftpd/config/container/Containerfile
+++ b/vsftpd/config/container/Containerfile
@ -0,0 +1,20 @@
 FROM quay.io/centos/centos:stream10
 # Install Vsftpd
 RUN dnf config-manager --set-enabled crb \
 && dnf install -y epel-release \
 && dnf install -y vsftpd procps-ng shadow-utils authselect authselect-libs pam gdbm \
 && authselect select local --force \
 && dnf clean all
 # /data holds the data to share through vsftpd
 VOLUME /data
 # Expose FTP port + ports for passive mode
 EXPOSE 21 20000-20100
 ADD container-entrypoint /
 ADD vsftpd-virtual /etc/pam.d/vsftpd-virtual
 ENTRYPOINT [ "/container-entrypoint" ]
 CMD [ ]
--- a/vsftpd/config/container/container-entrypoint
+++ b/vsftpd/config/container/container-entrypoint
@ -0,0 +1,25 @@
 #!/bin/sh
 set -Eeuo pipefail
 # Handle the virtual user database when supplied
 if [ -f /var/lib/vsftpd/users.txt ]; then
    ## Format of the "users.txt" file :
    #
    #   nicolas:$y$....
    #   john:$y$....
    #
    # Empty lines and comments are allowed
    #
    ## Hashes can be generated with :
    #
    #   mkpasswd --method=yescrypt -s
    #
    umask 0077
    touch /var/lib/vsftpd/users.txt
    rm -f /var/lib/vsftpd/users.db
    sed -r -e 's/^([^:]+):([^:]+)$/store "\1" "\2"/; t r; d; :r s/[\\]/\\\\$/g; s/[$]/\\$/g' < /var/lib/vsftpd/users.txt | gdbmtool --newdb /var/lib/vsftpd/users.db
    umask 0022
 fi
 exec /usr/sbin/vsftpd -obackground=NO /etc/vsftpd/global.conf /etc/vsftpd/local.conf "$@"
--- a/vsftpd/config/container/vsftpd-virtual
+++ b/vsftpd/config/container/vsftpd-virtual
@ -0,0 +1,27 @@
 #%PAM-1.0
 ##
 ## Debug instructions
 ##
 # 
 # - Add the "debug" option to pam_userdb.so
 #
 #   [...] pam_userdb.so db=/var/lib/vsftpd/users crypt=crypt debug
 #
 # - Execute this command in the container:
 # 
 #   socat UNIX-LISTEN:/dev/log,fork STDOUT
 #
 ##
 ## HEADS UP !!!
 ##
 #
 # pam_userdb.so is now linked to gdbm rather than berkeley db.
 # so, you have to use gdbmtool to create the database, rather than db_load.
 # Also, the path to the database has to include the final ".db".
 #
 auth       required     pam_userdb.so db=/var/lib/vsftpd/users.db crypt=crypt
 account    required     pam_userdb.so db=/var/lib/vsftpd/users.db crypt=crypt
 session    required     pam_loginuid.so
--- a/vsftpd/config/examples/vsftpd.conf.d/local-users.conf
+++ b/vsftpd/config/examples/vsftpd.conf.d/local-users.conf
@ -0,0 +1,24 @@
 # Network parameters
 pasv_address=storage.example.tld
 pasv_addr_resolve=YES
 # Authenticate local users
 local_enable=YES
 local_root=/data
 chroot_local_user=YES
 pam_service_name=vsftpd
 # Enable write on the FTP server
 write_enable=YES
 # Since /var/lib/virtiofs/data (/data) is writable only by root we can allow this
 allow_writeable_chroot=YES
 # No anonymous access
 anonymous_enable=NO
 # Misc parameters
 delete_failed_uploads=NO
 ftpd_banner=Storage
 file_open_mode=0660
 ls_recurse_enable=YES
--- a/vsftpd/config/examples/vsftpd.conf.d/tls.conf
+++ b/vsftpd/config/examples/vsftpd.conf.d/tls.conf
@ -0,0 +1,5 @@
 ssl_enable=YES
 ssl_request_cert=NO
 ssl_tlsv1_2=NO
 rsa_cert_file=/etc/vsftpd/tls/f.q.d.n.crt
 rsa_private_key_file=/etc/vsftpd/tls/f.q.d.n.key
--- a/vsftpd/config/examples/vsftpd.conf.d/virtual-users.conf
+++ b/vsftpd/config/examples/vsftpd.conf.d/virtual-users.conf
@ -0,0 +1,18 @@
 # Network parameters
 pasv_address=storage.example.tld
 pasv_addr_resolve=YES
 # Authenticate virtual users
 guest_enable=YES
 guest_username=vsftpd
 local_enable=YES
 virtual_use_local_privs=YES
 chroot_local_user=YES
 pam_service_name=vsftpd-virtual
 # Site specific config (example)
 local_root=/data
 # OR
 #user_sub_token=$USER
 #local_root=/data/$USER
--- a/vsftpd/config/vsftpd.conf.d/global.conf
+++ b/vsftpd/config/vsftpd.conf.d/global.conf
@ -0,0 +1,21 @@
 # Network parameters
 listen=YES
 listen_port=21
 pasv_min_port=20000
 pasv_max_port=20100
 pasv_enable=YES
 pasv_promiscuous=YES
 # Be strict by default
 anonymous_enable=NO
 guest_enable=NO
 local_enable=NO
 # Log file
 vsftpd_log_file=/var/log/vsftpd/vsftpd.log
 xferlog_enable=YES
 syslog_enable=NO
 # Misc parameters
 setproctitle_enable=YES
 reverse_lookup_enable=NO
--- a/vsftpd/overlay.bu
+++ b/vsftpd/overlay.bu
@ -0,0 +1,9 @@
 variant: fcos
 version: 1.4.0
 passwd:
  users:
  - name: vsftpd
    uid: 10015
    gecos: Vsftpd
    home_dir: /var/lib/quadlets/vsftpd
    primary_group: itix-svc
--- a/vsftpd/tmpfiles.d/vsftpd.conf
+++ b/vsftpd/tmpfiles.d/vsftpd.conf
@ -0,0 +1,6 @@
 d$ /run/quadlets/vsftpd 0700 0 0 -
 d$ /run/quadlets/vsftpd/cache 0700 0 0 -
 d$ /run/quadlets/vsftpd/tls 0700 0 0 -
 d$ /var/lib/virtiofs/data/storage 0755 0 0 -
 d$ /var/lib/quadlets/vsftpd/log 0755 0 0 -
 d$ /var/lib/quadlets/vsftpd/data 0755 0 0 -
--- a/vsftpd/vsftpd-load-renewed-certificate.service
+++ b/vsftpd/vsftpd-load-renewed-certificate.service
@ -0,0 +1,17 @@
 [Unit]
 Description=Restart Vsftpd if a new TLS certificate is available
 # Lego touch .renewed files when renewed certificates are available
 ConditionPathExistsGlob=/var/lib/quadlets/lego/certificates/*.renewed
 After=lego-renew.service
 [Service]
 Type=oneshot
 # Copy the renewed certificates to the vsftpd /run directory
 ExecStartPre=/bin/sh -Eeuo pipefail -c 'install -o 10015 -g 10000 -m 0600 -t /run/quadlets/vsftpd/tls /var/lib/quadlets/lego/certificates/*.crt /var/lib/quadlets/lego/certificates/*.key'
 # Restart vsftpd to load the new certificates
 ExecStart=systemctl --no-block restart vsftpd.service
 # Remove the flag files after restarting vsftpd
 ExecStartPost=/bin/sh -Eeuo pipefail -c 'rm -f /var/lib/quadlets/lego/certificates/*.renewed'
 [Install]
 WantedBy=lego-renew.service
--- a/vsftpd/vsftpd.build
+++ b/vsftpd/vsftpd.build
@ -0,0 +1,9 @@
 [Unit]
 Description=Build of the Vsftpd daemon
 Wants=network-online.target
 After=network-online.target
 [Build]
 File=/etc/quadlets/vsftpd/container/Containerfile
 ImageTag=localhost/vsftpd:latest
 SetWorkingDirectory=/etc/quadlets/vsftpd/container
--- a/vsftpd/vsftpd.container
+++ b/vsftpd/vsftpd.container
@ -0,0 +1,52 @@
 [Unit]
 Description=Vsftpd
 After=local-fs.target network.target vsftpd-build.service lego.target
 Wants=vsftpd-build.service lego.target
 # Only start if the local configuration file exists
 ConditionPathExists=/etc/quadlets/vsftpd/vsftpd.conf.d/local.conf
 # Stop when the target is stopped
 PartOf=vsftpd.target
 [Service]
 # Copy a complete version of /etc/{passwd,group,shadow} in /run/quadlets/vsftpd so that SELinux
 # does not prevent Vsftpd from reading those files.
 #
 # Oh, and by the way, mangle /etc/passwd so that local users' homes are located in /data.
 # This is required by Vsftpd to let the users login.
 ExecStartPre=/bin/sh -Eeuo pipefail -c '\
    umask 0077 ; \
    for file in passwd group shadow; do \
    getent $file | (if [[ "$file" == "passwd" ]]; then \
                        sed -r "s|^([^:]+:[^:]*:[^:]+:1[0-9][0-9][0-9]:[^:]*:)[^:]*(:.*)$|\\1/data\\2|" ; \
                    else \
                        cat ; \
                    fi) > /run/quadlets/vsftpd/cache/$file ; \
    done'
 [Container]
 ContainerName=vsftpd
 # Image
 Image=localhost/vsftpd:latest
 AutoUpdate=local
 # Security
 User=0
 # Storage
 Volume=/var/lib/quadlets/vsftpd/log:/var/log/vsftpd:Z
 Volume=/var/lib/quadlets/vsftpd/data:/var/lib/vsftpd:Z
 Volume=/var/lib/virtiofs/data/storage:/data
 Volume=/etc/quadlets/vsftpd/vsftpd.conf.d:/etc/vsftpd:ro
 Volume=/run/quadlets/vsftpd/cache/passwd:/etc/passwd:Z
 Volume=/run/quadlets/vsftpd/cache/group:/etc/group:Z
 Volume=/run/quadlets/vsftpd/cache/shadow:/etc/shadow:Z
 Volume=/run/quadlets/vsftpd/tls:/etc/vsftpd/tls:Z
 # Network
 Network=host
 [Install]
 WantedBy=vsftpd.target
--- a/vsftpd/vsftpd.target
+++ b/vsftpd/vsftpd.target
@ -0,0 +1,11 @@
 [Unit]
 Description=Vsftpd Service Target
 Documentation=man:systemd.target(5)
 Requires=vsftpd.service vsftpd-build.timer
 After=vsftpd.service vsftpd-build.timer
 # Allow isolation - can stop/start this target independently
 AllowIsolate=yes
 [Install]
 WantedBy=multi-user.target
	`@ -0,0 +1,2 @@`
					`httpListenAddr=127.0.0.1:8428`
					`remoteWrite_tmpDataPath=/var/lib/vmagent/tmp`