WiP

Makefile.common

@@ -120,7 +120,7 @@ PROJECT_GID ?= 0
 reverse = $(let first rest,$1,$(if $(rest),$(call reverse,$(rest)) )$(first))
 
 # Ensure that the Makefile is not run from the top-level directory and that it is run as root.
-pre-requisites:
+pre-requisites::
 	@if [ -z "$(TOP_LEVEL_DIR)" ]; then \
 	    echo "Do not run this Makefile from the top-level directory!" >&2; \
 		exit 1; \
@@ -222,6 +222,11 @@ install-files-pre::
 # This target can be extended by Makefiles sourcing this one.
 install-files-post::
 
+# Generated systemd units (quadlets) cannot be enabled.
+# That's why we filter them out from the list of units to be enabled.
+install-actions uninstall: ENABLE_UNITS = $(filter-out $(QUADLET_UNIT_NAMES),$(SYSTEMD_MAIN_UNIT_NAMES) $(SYSTEMD_TIMER_NAMES))
+install-actions uninstall: START_UNITS = $(SYSTEMD_MAIN_UNIT_NAMES)
+
 # Perform post-installation actions such as enabling and starting units.
 install-actions: install-actions-pre
 	systemctl daemon-reload
@@ -233,9 +238,13 @@ install-actions: install-actions-pre
 	fi; \
 	if [ -f /etc/sysctl.d/$(PROJECT_NAME).conf ]; then \
 		run sysctl -q -p /etc/sysctl.d/$(PROJECT_NAME).conf; \
+	fi ; \
+	if [ -n "$(ENABLE_UNITS)" ]; then \
+		run systemctl enable $(ENABLE_UNITS); \
+	fi ; \
+	if [ -n "$(START_UNITS)" ]; then \
+		run systemctl start $(START_UNITS); \
 	fi
-	systemctl enable $(SYSTEMD_MAIN_UNIT_NAMES) $(SYSTEMD_TIMER_NAMES)
-	systemctl start $(SYSTEMD_MAIN_UNIT_NAMES)
 	$(MAKE) install-actions-post
 
 # Custom commands to be run before performing post-installation actions.
@@ -269,8 +278,14 @@ install-post::
 
 uninstall: FILES_TO_REMOVE := $(call reverse,$(TARGET_EXAMPLE_FILES) $(TARGET_FILES))
 uninstall: pre-requisites uninstall-pre
-	systemctl disable $(SYSTEMD_MAIN_UNIT_NAMES) $(SYSTEMD_TIMER_NAMES) || true
-	systemctl stop $(SYSTEMD_UNIT_NAMES) $(QUADLET_UNIT_NAMES) || true
+	@run() { echo $$*; "$$@"; }; \
+	set -Eeuo pipefail; \
+	if [ -n "$(ENABLE_UNITS)" ]; then \
+		run systemctl disable $(ENABLE_UNITS) || true; \
+	fi ; \
+	if [ -n "$(START_UNITS)" ]; then \
+		run systemctl stop $(START_UNITS) || true; \
+	fi
 	@run() { echo $$*; "$$@"; }; \
 	set -Eeuo pipefail; \
 	if [ -f /etc/tmpfiles.d/$(PROJECT_NAME).conf ]; then \

base/Makefile

@@ -1,3 +1,14 @@
 TOP_LEVEL_DIR := ..
 include $(TOP_LEVEL_DIR)/Makefile.common
-SYSTEMD_MAIN_UNIT_NAMES := var-lib-virtiofs-data.mount rpm-ostree-install-qemu-guest-agent.service install-fastfetch.service
+SYSTEMD_MAIN_UNIT_NAMES += var-lib-virtiofs-data.mount
+SYSTEMD_MAIN_UNIT_NAMES += rpm-ostree-install-qemu-guest-agent.service
+SYSTEMD_MAIN_UNIT_NAMES += install-fastfetch.service
+
+pre-requisites::
+	@set -Eeuo pipefail; \
+	for tool in rpm-ostree; do \
+		if ! which $$tool &>/dev/null ; then \
+			echo "$$tool is not installed. Please install it first." >&2; \
+			exit 1; \
+		fi ; \
+	done

base/config/examples/fastfetch.env

@@ -0,0 +1 @@
+FASTFETCH_VERSION="2.45.0"

base/config/install-fastfetch.sh

@@ -1,11 +1,12 @@
 #!/bin/bash
 set -Eeuo pipefail
-FASTFETCH_VERSION="$(curl -sSfL https://api.github.com/repos/fastfetch-cli/fastfetch/releases | jq -r '.[] | select(.prerelease == false and .draft == false) | .tag_name' | sort -V | tail -1)"
+FASTFETCH_LATEST_VERSION="$(curl -sSfL https://api.github.com/repos/fastfetch-cli/fastfetch/releases | jq -r '.[] | select(.prerelease == false and .draft == false) | .tag_name' | sort -V | tail -1)"
+FASTFETCH_VERSION="${FASTFETCH_VERSION:-$FASTFETCH_LATEST_VERSION}"
 FASTFETCH_BIN="/usr/local/bin/fastfetch"
 declare -A ARCH_MAP=( ["aarch64"]="aarch64" ["x86_64"]="amd64" )
 if [ ! -f "$FASTFETCH_BIN" ]; then
     arch="$(arch)"
     arch=${ARCH_MAP[$arch]}
     echo "Installing fastfetch $FASTFETCH_VERSION for $arch..."
-    curl -sSfL https://github.com/fastfetch-cli/fastfetch/releases/download/$FASTFETCH_VERSION/fastfetch-linux-$arch.tar.gz | tar -zx --strip-components=2 -C /usr/local
+    curl -sSfL https://github.com/fastfetch-cli/fastfetch/releases/download/$FASTFETCH_VERSION/fastfetch-linux-$arch.tar.gz | tar -zx --strip-components=2 -C /usr/local --no-same-owner
 fi

base/install-fastfetch.service

@@ -8,6 +8,7 @@ ConditionPathExists=!/usr/local/bin/fastfetch
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/etc/quadlets/base/install-fastfetch.sh
+EnvironmentFile=-/etc/quadlets/base/fastfetch.env
 
 [Install]
 WantedBy=multi-user.target

samba/samba.container

@@ -23,7 +23,7 @@ User=0
 # Storage
 Volume=/var/lib/quadlets/samba/data:/var/lib/samba:Z
 Volume=/var/lib/quadlets/samba/log:/var/log/samba:Z
-Volume=/var/lib/virtiofs/data:/data
+Volume=/var/lib/virtiofs/data/storage:/data
 Volume=/etc/quadlets/samba/smb.conf.d:/etc/samba/smb.conf.d:Z
 Volume=/run/quadlets/samba/passwd:/etc/passwd:Z
 Volume=/run/quadlets/samba/group:/etc/group:Z

samba/tmpfiles.d/samba.conf

@@ -1,8 +1,7 @@
 d$ /var/lib/quadlets/samba/data 0755 0 0 -
 d$ /var/lib/quadlets/samba/log 0755 0 0 -
 d$ /var/lib/quadlets/samba/cache 0755 0 0 -
-d$ /var/lib/virtiofs/data/foo 0755 0 0 -
-d$ /var/lib/virtiofs/data/bar 0755 0 0 -
+d$ /var/lib/virtiofs/data/storage 0755 0 0 -
 d$ /run/quadlets/samba 0700 0 0 -
 C$ /run/quadlets/samba/passwd - - - - /etc/passwd
 C$ /run/quadlets/samba/group - - - - /etc/group

vmagent/Makefile

@@ -0,0 +1,16 @@
+##
+## Makefile for Victoria Metrics Agent quadlet
+##
+
+# Victoria Metrics Agent quadlet is mapped to the 10025 user (vmagent) and 10000 group (itix-svc)
+PROJECT_UID = 10025
+PROJECT_GID = 10000
+
+# Include common Makefile
+TOP_LEVEL_DIR := ..
+include $(TOP_LEVEL_DIR)/Makefile.common
+
+SYSTEMD_MAIN_UNIT_NAMES += vmagent.service
+
+$(TARGET_CHROOT)/etc/quadlets/vmagent/conf.d:
+	install -d -m 0700 -o $(PROJECT_UID) -g $(PROJECT_GID) -D $< $@

vmagent/config/examples/conf.d/remotewrite.token

@@ -0,0 +1 @@
+REDACTED

vmagent/config/examples/vmagent.local.env

@@ -0,0 +1,3 @@
+remoteWrite_url=https://victoriametrics.example.tld/api/v1/write
+remoteWrite_basicAuth_passwordFile=/etc/vmagent/remotewrite.token
+remoteWrite_basicAuth_username=remotewrite

vmagent/config/vmagent.global.env

@@ -0,0 +1,2 @@
+httpListenAddr=127.0.0.1:8428
+remoteWrite_tmpDataPath=/var/lib/vmagent/tmp

vmagent/overlay.bu

@@ -0,0 +1,9 @@
+variant: fcos
+version: 1.4.0
+passwd:
+  users:
+  - name: vmagent
+    uid: 10025
+    gecos: Victoria Metrics Agent
+    home_dir: /var/lib/quadlets/vmagent
+    primary_group: itix-svc

vmagent/vmagent.container

@@ -0,0 +1,33 @@
+[Unit]
+Description=Victoria Metrics agent
+After=local-fs.target network.target
+Wants=network.target
+
+# Only start if the local configuration file exists
+ConditionPathExists=/etc/quadlets/vmagent/vmagent.local.env
+
+[Container]
+ContainerName=vmagent
+
+# Image
+Image=quay.io/victoriametrics/vmagent:latest
+AutoUpdate=registry
+
+# Security
+User=10025
+Group=10000
+
+# Storage
+Volume=/var/lib/quadlets/vmagent:/var/lib/vmagent:Z
+Volume=/etc/quadlets/vmagent/conf.d:/etc/vmagent:ro
+
+# Network
+Network=host
+
+# Configuration
+EnvironmentFile=/etc/quadlets/vmagent/vmagent.global.env
+EnvironmentFile=/etc/quadlets/vmagent/vmagent.local.env
+Exec=-envflag.enable
+
+[Install]
+WantedBy=multi-user.target

vsftpd/Makefile

@@ -0,0 +1,15 @@
+##
+## Makefile for Vsftpd quadlet
+##
+
+DEPENDENCIES = lego
+
+# Vsftpd quadlet is mapped to the 10015 user (vsftpd) and 10000 group (itix-svc)
+PROJECT_UID = 10015
+PROJECT_GID = 10000
+
+# Include common Makefile
+TOP_LEVEL_DIR := ..
+include $(TOP_LEVEL_DIR)/Makefile.common
+
+

vsftpd/config/container/Containerfile

@@ -0,0 +1,20 @@
+FROM quay.io/centos/centos:stream10
+
+# Install Vsftpd
+RUN dnf config-manager --set-enabled crb \
+ && dnf install -y epel-release \
+ && dnf install -y vsftpd procps-ng shadow-utils authselect authselect-libs pam gdbm \
+ && authselect select local --force \
+ && dnf clean all
+
+# /data holds the data to share through vsftpd
+VOLUME /data
+
+# Expose FTP port + ports for passive mode
+EXPOSE 21 20000-20100
+
+ADD container-entrypoint /
+ADD vsftpd-virtual /etc/pam.d/vsftpd-virtual
+
+ENTRYPOINT [ "/container-entrypoint" ]
+CMD [ ]

vsftpd/config/container/container-entrypoint

@@ -0,0 +1,25 @@
+#!/bin/sh
+set -Eeuo pipefail
+
+# Handle the virtual user database when supplied
+if [ -f /var/lib/vsftpd/users.txt ]; then
+    ## Format of the "users.txt" file :
+    #
+    #   nicolas:$y$....
+    #   john:$y$....
+    #
+    # Empty lines and comments are allowed
+    #
+    ## Hashes can be generated with :
+    #
+    #   mkpasswd --method=yescrypt -s
+    #
+
+    umask 0077
+    touch /var/lib/vsftpd/users.txt
+    rm -f /var/lib/vsftpd/users.db
+    sed -r -e 's/^([^:]+):([^:]+)$/store "\1" "\2"/; t r; d; :r s/[\\]/\\\\$/g; s/[$]/\\$/g' < /var/lib/vsftpd/users.txt | gdbmtool --newdb /var/lib/vsftpd/users.db
+    umask 0022
+fi
+
+exec /usr/sbin/vsftpd -obackground=NO /etc/vsftpd/global.conf /etc/vsftpd/local.conf "$@"

vsftpd/config/container/vsftpd-virtual

@@ -0,0 +1,27 @@
+#%PAM-1.0
+
+##
+## Debug instructions
+##
+# 
+# - Add the "debug" option to pam_userdb.so
+#
+#   [...] pam_userdb.so db=/var/lib/vsftpd/users crypt=crypt debug
+#
+# - Execute this command in the container:
+# 
+#   socat UNIX-LISTEN:/dev/log,fork STDOUT
+#
+
+##
+## HEADS UP !!!
+##
+#
+# pam_userdb.so is now linked to gdbm rather than berkeley db.
+# so, you have to use gdbmtool to create the database, rather than db_load.
+# Also, the path to the database has to include the final ".db".
+#
+
+auth       required     pam_userdb.so db=/var/lib/vsftpd/users.db crypt=crypt
+account    required     pam_userdb.so db=/var/lib/vsftpd/users.db crypt=crypt
+session    required     pam_loginuid.so

vsftpd/config/examples/vsftpd.conf.d/local-users.conf

@@ -0,0 +1,24 @@
+# Network parameters
+pasv_address=storage.example.tld
+pasv_addr_resolve=YES
+
+# Authenticate local users
+local_enable=YES
+local_root=/data
+chroot_local_user=YES
+pam_service_name=vsftpd
+
+# Enable write on the FTP server
+write_enable=YES
+
+# Since /var/lib/virtiofs/data (/data) is writable only by root we can allow this
+allow_writeable_chroot=YES
+
+# No anonymous access
+anonymous_enable=NO
+
+# Misc parameters
+delete_failed_uploads=NO
+ftpd_banner=Storage
+file_open_mode=0660
+ls_recurse_enable=YES

vsftpd/config/examples/vsftpd.conf.d/tls.conf

@@ -0,0 +1,5 @@
+ssl_enable=YES
+ssl_request_cert=NO
+ssl_tlsv1_2=NO
+rsa_cert_file=/etc/vsftpd/tls/f.q.d.n.crt
+rsa_private_key_file=/etc/vsftpd/tls/f.q.d.n.key

vsftpd/config/examples/vsftpd.conf.d/virtual-users.conf

@@ -0,0 +1,18 @@
+# Network parameters
+pasv_address=storage.example.tld
+pasv_addr_resolve=YES
+
+# Authenticate virtual users
+guest_enable=YES
+guest_username=vsftpd
+local_enable=YES
+virtual_use_local_privs=YES
+chroot_local_user=YES
+pam_service_name=vsftpd-virtual
+
+# Site specific config (example)
+local_root=/data
+# OR
+#user_sub_token=$USER
+#local_root=/data/$USER
+

vsftpd/config/vsftpd.conf.d/global.conf

@@ -0,0 +1,21 @@
+# Network parameters
+listen=YES
+listen_port=21
+pasv_min_port=20000
+pasv_max_port=20100
+pasv_enable=YES
+pasv_promiscuous=YES
+
+# Be strict by default
+anonymous_enable=NO
+guest_enable=NO
+local_enable=NO
+
+# Log file
+vsftpd_log_file=/var/log/vsftpd/vsftpd.log
+xferlog_enable=YES
+syslog_enable=NO
+
+# Misc parameters
+setproctitle_enable=YES
+reverse_lookup_enable=NO

vsftpd/overlay.bu

@@ -0,0 +1,9 @@
+variant: fcos
+version: 1.4.0
+passwd:
+  users:
+  - name: vsftpd
+    uid: 10015
+    gecos: Vsftpd
+    home_dir: /var/lib/quadlets/vsftpd
+    primary_group: itix-svc

vsftpd/tmpfiles.d/vsftpd.conf

@@ -0,0 +1,6 @@
+d$ /run/quadlets/vsftpd 0700 0 0 -
+d$ /run/quadlets/vsftpd/cache 0700 0 0 -
+d$ /run/quadlets/vsftpd/tls 0700 0 0 -
+d$ /var/lib/virtiofs/data/storage 0755 0 0 -
+d$ /var/lib/quadlets/vsftpd/log 0755 0 0 -
+d$ /var/lib/quadlets/vsftpd/data 0755 0 0 -

vsftpd/vsftpd-load-renewed-certificate.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=Restart Vsftpd if a new TLS certificate is available
+# Lego touch .renewed files when renewed certificates are available
+ConditionPathExistsGlob=/var/lib/quadlets/lego/certificates/*.renewed
+After=lego-renew.service
+
+[Service]
+Type=oneshot
+# Copy the renewed certificates to the vsftpd /run directory
+ExecStartPre=/bin/sh -Eeuo pipefail -c 'install -o 10015 -g 10000 -m 0600 -t /run/quadlets/vsftpd/tls /var/lib/quadlets/lego/certificates/*.crt /var/lib/quadlets/lego/certificates/*.key'
+# Restart vsftpd to load the new certificates
+ExecStart=systemctl --no-block restart vsftpd.service
+# Remove the flag files after restarting vsftpd
+ExecStartPost=/bin/sh -Eeuo pipefail -c 'rm -f /var/lib/quadlets/lego/certificates/*.renewed'
+
+[Install]
+WantedBy=lego-renew.service

vsftpd/vsftpd.build

@@ -0,0 +1,9 @@
+[Unit]
+Description=Build of the Vsftpd daemon
+Wants=network-online.target
+After=network-online.target
+
+[Build]
+File=/etc/quadlets/vsftpd/container/Containerfile
+ImageTag=localhost/vsftpd:latest
+SetWorkingDirectory=/etc/quadlets/vsftpd/container

vsftpd/vsftpd.container

@@ -0,0 +1,52 @@
+[Unit]
+Description=Vsftpd
+After=local-fs.target network.target vsftpd-build.service lego.target
+Wants=vsftpd-build.service lego.target
+
+# Only start if the local configuration file exists
+ConditionPathExists=/etc/quadlets/vsftpd/vsftpd.conf.d/local.conf
+
+# Stop when the target is stopped
+PartOf=vsftpd.target
+
+[Service]
+# Copy a complete version of /etc/{passwd,group,shadow} in /run/quadlets/vsftpd so that SELinux
+# does not prevent Vsftpd from reading those files.
+#
+# Oh, and by the way, mangle /etc/passwd so that local users' homes are located in /data.
+# This is required by Vsftpd to let the users login.
+ExecStartPre=/bin/sh -Eeuo pipefail -c '\
+    umask 0077 ; \
+    for file in passwd group shadow; do \
+    getent $file | (if [[ "$file" == "passwd" ]]; then \
+                        sed -r "s|^([^:]+:[^:]*:[^:]+:1[0-9][0-9][0-9]:[^:]*:)[^:]*(:.*)$|\\1/data\\2|" ; \
+                    else \
+                        cat ; \
+                    fi) > /run/quadlets/vsftpd/cache/$file ; \
+    done'
+
+[Container]
+ContainerName=vsftpd
+
+# Image
+Image=localhost/vsftpd:latest
+AutoUpdate=local
+
+# Security
+User=0
+
+# Storage
+Volume=/var/lib/quadlets/vsftpd/log:/var/log/vsftpd:Z
+Volume=/var/lib/quadlets/vsftpd/data:/var/lib/vsftpd:Z
+Volume=/var/lib/virtiofs/data/storage:/data
+Volume=/etc/quadlets/vsftpd/vsftpd.conf.d:/etc/vsftpd:ro
+Volume=/run/quadlets/vsftpd/cache/passwd:/etc/passwd:Z
+Volume=/run/quadlets/vsftpd/cache/group:/etc/group:Z
+Volume=/run/quadlets/vsftpd/cache/shadow:/etc/shadow:Z
+Volume=/run/quadlets/vsftpd/tls:/etc/vsftpd/tls:Z
+
+# Network
+Network=host
+
+[Install]
+WantedBy=vsftpd.target

vsftpd/vsftpd.target

@@ -0,0 +1,11 @@
+[Unit]
+Description=Vsftpd Service Target
+Documentation=man:systemd.target(5)
+Requires=vsftpd.service vsftpd-build.timer
+After=vsftpd.service vsftpd-build.timer
+
+# Allow isolation - can stop/start this target independently
+AllowIsolate=yes
+
+[Install]
+WantedBy=multi-user.target