WiP

Makefile.common

@@ -73,28 +73,32 @@ SYSTEMD_TIMER_NAMES := $(wildcard *.timer)
 SYSTEMD_MAIN_UNIT_NAMES := $(wildcard *.target)
 
 # Configuration files
-CONFIG_FILES := $(shell find config/ -mindepth 1 \! -path "config/examples/*")
+CONFIG_FILES := $(shell find config/ -mindepth 1 \! -path "config/examples/*" \! -path "config/examples" 2>/dev/null)
 TMPFILESD_FILES = $(filter-out %/examples, $(wildcard tmpfiles.d/*))
 SYSCTLD_FILES = $(filter-out %/examples, $(wildcard sysctl.d/*))
+PROFILED_FILES = $(filter-out %/examples, $(wildcard profile.d/*))
 TARGET_CONFIG_FILES = $(patsubst config/%, $(TARGET_CHROOT)/etc/quadlets/$(PROJECT_NAME)/%, $(CONFIG_FILES))
 TARGET_TMPFILESD_FILES = $(patsubst tmpfiles.d/%, $(TARGET_CHROOT)/etc/tmpfiles.d/%, $(TMPFILESD_FILES))
 TARGET_SYSCTLD_FILES = $(patsubst sysctl.d/%, $(TARGET_CHROOT)/etc/sysctl.d/%, $(SYSCTLD_FILES))
+TARGET_PROFILED_FILES = $(patsubst profile.d/%, $(TARGET_CHROOT)/etc/profile.d/%, $(PROFILED_FILES))
 
 # Example configuration files
-EXAMPLES_CONFIG_FILES := $(shell find config/examples -mindepth 1)
+EXAMPLES_CONFIG_FILES := $(shell find config/examples -mindepth 1 2>/dev/null)
 EXAMPLES_TMPFILESD_FILES = $(wildcard tmpfiles.d/examples/*)
 EXAMPLES_SYSCTLD_FILES = $(wildcard sysctl.d/examples/*)
+EXAMPLES_PROFILED_FILES = $(wildcard profile.d/examples/*)
 TARGET_EXAMPLES_CONFIG_FILES = $(patsubst config/examples/%, $(TARGET_CHROOT)/etc/quadlets/$(PROJECT_NAME)/%, $(EXAMPLES_CONFIG_FILES))
 TARGET_EXAMPLES_TMPFILESD_FILES = $(patsubst tmpfiles.d/examples/%, $(TARGET_CHROOT)/etc/tmpfiles.d/%, $(EXAMPLES_TMPFILESD_FILES))
 TARGET_EXAMPLES_SYSCTLD_FILES = $(patsubst sysctl.d/examples/%, $(TARGET_CHROOT)/etc/sysctl.d/%, $(EXAMPLES_SYSCTLD_FILES))
+TARGET_EXAMPLES_PROFILED_FILES = $(patsubst profile.d/examples/%, $(TARGET_CHROOT)/etc/profile.d/%, $(EXAMPLES_PROFILED_FILES))
 
 # All configuration files to be installed
 TARGET_FILES = $(addprefix $(TARGET_CHROOT)/etc/containers/systemd/, $(QUADLETS_FILES)) \
 				$(addprefix $(TARGET_CHROOT)/etc/systemd/system/, $(SYSTEMD_FILES)) \
-				$(TARGET_CONFIG_FILES) $(TARGET_TMPFILESD_FILES) $(TARGET_SYSCTLD_FILES)
+				$(TARGET_CONFIG_FILES) $(TARGET_TMPFILESD_FILES) $(TARGET_SYSCTLD_FILES) $(TARGET_PROFILED_FILES)
 
 # All example configuration files to be installed
-TARGET_EXAMPLE_FILES = $(TARGET_EXAMPLES_CONFIG_FILES) $(TARGET_EXAMPLES_TMPFILESD_FILES) $(TARGET_EXAMPLES_SYSCTLD_FILES)
+TARGET_EXAMPLE_FILES = $(TARGET_EXAMPLES_CONFIG_FILES) $(TARGET_EXAMPLES_TMPFILESD_FILES) $(TARGET_EXAMPLES_SYSCTLD_FILES) $(TARGET_EXAMPLES_PROFILED_FILES)
 
 # Dependencies on other projects
 # List here the names of other projects (directories at the top-level) that this project depends on.
@@ -111,6 +115,10 @@ DEPENDENCIES_IGNITION_FILES := $(shell for dep in base $(DEPENDENCIES); do echo
 PROJECT_UID ?= 0
 PROJECT_GID ?= 0
 
+# Function to reverse a list of words
+# Usage: $(call reverse,word1 word2 word3)
+reverse = $(let first rest,$1,$(if $(rest),$(call reverse,$(rest)) )$(first))
+
 # Ensure that the Makefile is not run from the top-level directory and that it is run as root.
 pre-requisites:
 	@if [ -z "$(TOP_LEVEL_DIR)" ]; then \
@@ -181,6 +189,12 @@ $(TARGET_EXAMPLES_SYSCTLD_FILES): $(TARGET_CHROOT)/etc/sysctl.d/%: sysctl.d/exam
 $(TARGET_SYSCTLD_FILES) $(TARGET_EXAMPLES_SYSCTLD_FILES):
 	install -D -m 0644 -o root -g root $< $@
 
+# Copy profile.d files
+$(TARGET_PROFILED_FILES): $(TARGET_CHROOT)/etc/profile.d/%: profile.d/% $(TARGET_CHROOT)/etc/profile.d
+$(TARGET_EXAMPLES_PROFILED_FILES): $(TARGET_CHROOT)/etc/profile.d/%: profile.d/examples/% $(TARGET_CHROOT)/etc/profile.d
+$(TARGET_PROFILED_FILES) $(TARGET_EXAMPLES_PROFILED_FILES):
+	install -D -m 0644 -o root -g root $< $@
+
 # Create the directory to store quadlet state and data.
 $(TARGET_CHROOT)/var/lib/quadlets/$(PROJECT_NAME):
 	install -d -m 0755 -o $(PROJECT_UID) -g $(PROJECT_GID) $@
@@ -252,6 +266,8 @@ install-pre::
 install-post::
 
 # Uninstall all quadlets and systemd units installed by this project.
+
+uninstall: FILES_TO_REMOVE := $(call reverse,$(TARGET_EXAMPLE_FILES) $(TARGET_FILES))
 uninstall: pre-requisites uninstall-pre
 	systemctl disable $(SYSTEMD_MAIN_UNIT_NAMES) $(SYSTEMD_TIMER_NAMES) || true
 	systemctl stop $(SYSTEMD_UNIT_NAMES) $(QUADLET_UNIT_NAMES) || true
@@ -260,7 +276,7 @@ uninstall: pre-requisites uninstall-pre
 	if [ -f /etc/tmpfiles.d/$(PROJECT_NAME).conf ]; then \
 		run systemd-tmpfiles --purge /etc/tmpfiles.d/$(PROJECT_NAME).conf; \
 	fi
-	rm -df $(TARGET_FILES) $(TARGET_EXAMPLE_FILES)
+	rm -df $(FILES_TO_REMOVE)
 	systemctl daemon-reload
 	$(MAKE) uninstall-post
 

base/Makefile

@@ -1,3 +1,3 @@
 TOP_LEVEL_DIR := ..
 include $(TOP_LEVEL_DIR)/Makefile.common
-SYSTEMD_MAIN_UNIT_NAMES := var-lib-virtiofs-data.mount rpm-ostree-install-qemu-guest-agent.service
+SYSTEMD_MAIN_UNIT_NAMES := var-lib-virtiofs-data.mount rpm-ostree-install-qemu-guest-agent.service install-fastfetch.service

base/config/fastfetch.jsonc

@@ -0,0 +1,110 @@
+{
+    "$schema": "https://github.com/fastfetch-cli/fastfetch/raw/dev/doc/json_schema.json",
+    "logo": {
+        "padding": {
+            "top": 2
+        }
+    },
+    "display": {
+        "showErrors": false,
+        "size": {
+            "ndigits": 0,
+            "maxPrefix": "GB"
+        },
+        "separator": "",
+        "color": {
+            "keys": "blue",
+            "title": "blue"
+        },
+        "key": {
+            "width": 36,
+            "type": "string"
+        },
+        "bar": {
+            "width": 16,
+            "charElapsed": "■",
+            "charTotal": "-"
+        },
+        "percent": {
+            "type": 3,
+            "color": {
+                "green": "green",
+                "yellow": "light_yellow",
+                "red": "light_red"
+            }
+        }
+    },
+    "modules": [
+        {
+            "type": "custom",
+            "key": "     ------- Software -------     ",
+            "format": " "
+        },
+        "os",
+        "kernel",
+        "break",
+        {
+            "type": "custom",
+            "key": "     ------- Hardware -------     ",
+            "format": " "
+        },
+        "host",
+        "cpu",
+        {
+            "type": "physicaldisk",
+            "key": "Disk {dev-path}",
+            "format": "{size>10}  {serial}"
+        },
+        "break",
+        {
+            "type": "custom",
+            "key": "     ---- Resource Usage ----     ",
+            "format": " "
+        },
+        {
+            "type": "memory",
+            "key": "Memory",
+            "format": "{percentage-bar} {percentage>4}"
+        },
+        {
+            "type": "disk",
+            "format": "{size-percentage-bar} {size-percentage>4}",
+            "key": "Vol. /",
+            "folders": "/sysroot",
+            "percent": {
+                "green": 75,
+                "yellow": 90
+            }
+        },
+        {
+            "type": "disk",
+            "format": "{size-percentage-bar} {size-percentage>4}",
+            "key": "Vol. {mountpoint}",
+            "folders": "/var:/var/lib/virtiofs/data",
+            "percent": {
+                "green": 75,
+                "yellow": 90
+            }
+        },
+        "break",
+        {
+            "type": "custom",
+            "key": "     ------ Environment ------     ",
+            "format": " "
+        },
+        {
+            "type": "title",
+            "key": "User",
+            "format": "{user-name-colored}"
+        },
+        "uptime",
+        {
+            "type": "title",
+            "key": "Hostname",
+            "format": "{host-name}",
+            "fqdn": true
+        },
+        "localip",
+        "publicip"
+    ]
+}

base/config/install-fastfetch.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+set -Eeuo pipefail
+FASTFETCH_VERSION="$(curl -sSfL https://api.github.com/repos/fastfetch-cli/fastfetch/releases | jq -r '.[] | select(.prerelease == false and .draft == false) | .tag_name' | sort -V | tail -1)"
+FASTFETCH_BIN="/usr/local/bin/fastfetch"
+declare -A ARCH_MAP=( ["aarch64"]="aarch64" ["x86_64"]="amd64" )
+if [ ! -f "$FASTFETCH_BIN" ]; then
+    arch="$(arch)"
+    arch=${ARCH_MAP[$arch]}
+    echo "Installing fastfetch $FASTFETCH_VERSION for $arch..."
+    curl -sSfL https://github.com/fastfetch-cli/fastfetch/releases/download/$FASTFETCH_VERSION/fastfetch-linux-$arch.tar.gz | tar -zx --strip-components=2 -C /usr/local
+fi

base/install-fastfetch.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Install fastfetch
+Wants=network-online.target
+After=network-online.target
+ConditionPathExists=!/usr/local/bin/fastfetch
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/etc/quadlets/base/install-fastfetch.sh
+
+[Install]
+WantedBy=multi-user.target

base/profile.d/fastfetch.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+declare -a FASTFETCH_OPTIONS=( -c /etc/quadlets/base/fastfetch.jsonc )
+if [ "$USER" == "root" ]; then
+    FASTFETCH_OPTIONS+=( --custom-key-color dim_red --color-keys red --title-color-user red )
+else
+    FASTFETCH_OPTIONS+=( --custom-key-color dim_blue --color-keys blue --title-color-user green )
+fi
+fastfetch "${FASTFETCH_OPTIONS[@]}"
+unset FASTFETCH_OPTIONS

butane.blocklist

@@ -9,3 +9,4 @@
 /etc/containers/systemd
 /etc/tmpfiles.d
 /etc/sysctl.d
+/etc/profile.d

lego/Makefile

@@ -0,0 +1,13 @@
+##
+## Makefile for Lego quadlet
+##
+
+# Lego quadlet is mapped to the 10023 user (lego) and 10000 group (itix-svc)
+PROJECT_UID = 10023
+PROJECT_GID = 10000
+
+# Include common Makefile
+TOP_LEVEL_DIR := ..
+include $(TOP_LEVEL_DIR)/Makefile.common
+
+

lego/config/examples/config.env

@@ -0,0 +1,3 @@
+LEGO_GLOBAL_ARGS=-a -m nicolas.masse@itix.fr -d changeme.example.tld --http
+LEGO_RUN_ARGS=
+LEGO_RENEW_ARGS=--days 30 --renew-hook=/etc/lego/hooks/flag-as-renewed.sh

lego/config/hooks/flag-as-renewed.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+set -Eeuo pipefail
+touch ${LEGO_CERT_PATH%.*}.renewed

lego/lego-renew.container

@@ -0,0 +1,52 @@
+[Unit]
+Description=Lego Let's Encrypt client - Renew a certificate
+Documentation=https://go-acme.github.io/lego/
+
+# Only start if there are certificates to renew
+ConditionPathExistsGlob=/var/lib/quadlets/lego/certificates/*.crt
+# and if Lego has been configured !
+ConditionPathExists=/etc/quadlets/lego/config.env
+
+[Container]
+ContainerName=lego-renew
+
+# No need for root privileges
+User=10023
+Group=10000
+
+# Image
+Image=docker.io/goacme/lego:latest
+AutoUpdate=registry
+
+# Network configuration
+Network=host
+
+# Environment variables from config
+EnvironmentFile=/etc/quadlets/lego/config.env
+
+# Volume mounts
+Volume=/var/lib/quadlets/lego:/.lego:z
+Volume=/etc/quadlets/lego/hooks:/etc/lego/hooks:ro
+
+# Be safe, set the umask to 0077 so that private keys are not world-readable
+PodmanArgs=--umask=0077
+
+# Command to run
+Exec=$LEGO_GLOBAL_ARGS renew $LEGO_RENEW_ARGS
+
+[Service]
+# If the command fails, don't try to restart it.
+# Otherwise, we would hammer the Let's Encrypt servers and possibly get banned.
+Restart=no
+
+# Getting a certificate may take some time
+TimeoutStartSec=600
+
+# This container is a job - run once to completion
+Type=oneshot
+
+# These environment variables are sourced to be used by systemd in the Exec* commands
+EnvironmentFile=/etc/quadlets/lego/config.env
+
+[Install]
+WantedBy=lego.target

lego/lego-renew.timer

@@ -0,0 +1,12 @@
+[Unit]
+Description=Lego Let's Encrypt client - Renew a certificate
+Documentation=https://go-acme.github.io/lego/
+PartOf=lego.target
+
+[Timer]
+OnCalendar=daily
+RandomizedDelaySec=1h
+Persistent=true
+
+[Install]
+WantedBy=lego.target

lego/lego-run.container

@@ -0,0 +1,52 @@
+[Unit]
+Description=Lego Let's Encrypt client - Fetch a certificate
+Documentation=https://go-acme.github.io/lego/
+PartOf=lego.target
+
+# Only start if no certificates exist yet
+ConditionPathExistsGlob=!/var/lib/quadlets/lego/certificates/*.crt
+# and if Lego has been configured !
+ConditionPathExists=/etc/quadlets/lego/config.env
+
+[Container]
+ContainerName=lego-run
+
+# No need for root privileges
+User=10023
+Group=10000
+
+# Image
+Image=docker.io/goacme/lego:latest
+AutoUpdate=registry
+
+# Network configuration
+Network=host
+
+# Environment variables from config
+EnvironmentFile=/etc/quadlets/lego/config.env
+
+# Volume mounts
+Volume=/var/lib/quadlets/lego:/.lego:z
+
+# Be safe, set the umask to 0077 so that private keys are not world-readable
+PodmanArgs=--umask=0077
+
+# Command to run
+Exec=$LEGO_GLOBAL_ARGS run $LEGO_RUN_ARGS
+
+[Service]
+# If the command fails, don't try to restart it.
+# Otherwise, we would hammer the Let's Encrypt servers and possibly get banned.
+Restart=no
+
+# Getting a certificate may take some time
+TimeoutStartSec=600
+
+# This container is a job - run once to completion
+Type=oneshot
+
+# These environment variables are sourced to be used by systemd in the Exec* commands
+EnvironmentFile=/etc/quadlets/lego/config.env
+
+[Install]
+WantedBy=lego.target

lego/lego.target

@@ -0,0 +1,12 @@
+[Unit]
+Description=Lego Let's Encrypt client
+Documentation=https://go-acme.github.io/lego/
+Requires=lego-run.service lego-renew.timer
+After=lego-run.service lego-renew.timer
+
+# Allow isolation - can stop/start this target independently
+AllowIsolate=yes
+
+[Install]
+# Start by default on boot
+WantedBy=multi-user.target default.target

lego/overlay.bu

@@ -0,0 +1,9 @@
+variant: fcos
+version: 1.4.0
+passwd:
+  users:
+  - name: lego
+    uid: 10023
+    gecos: Lego Let's Encrypt client
+    home_dir: /var/lib/quadlets/lego
+    primary_group: itix-svc

qemu-user-static/Makefile

@@ -1,8 +1,2 @@
 TOP_LEVEL_DIR := ..
 include $(TOP_LEVEL_DIR)/Makefile.common
-
-.PHONY: test
-
-test: uninstall clean install
-	@echo "Running $(PROJECT_NAME) tests..."
-	curl -sSfL -I http://localhost/

qemu-user-static/qemu-user-static.build

@@ -5,6 +5,6 @@ Wants=network-online.target
 After=network-online.target
 
 [Build]
-File=/etc/quadlets/qemu-user-static/Containerfile
+File=/etc/quadlets/qemu-user-static/container/Containerfile
 ImageTag=localhost/qemu-user-static:latest
-SetWorkingDirectory=/etc/quadlets/qemu-user-static
+SetWorkingDirectory=/etc/quadlets/qemu-user-static/container

samba/Makefile

@@ -0,0 +1,5 @@
+TOP_LEVEL_DIR := ..
+include $(TOP_LEVEL_DIR)/Makefile.common
+
+$(TARGET_CHROOT)/etc/quadlets/samba/smb.conf.d:
+	install -d -m 0700 -o $(PROJECT_UID) -g $(PROJECT_GID) -D $< $@

samba/config/container/Containerfile

@@ -0,0 +1,15 @@
+FROM quay.io/centos/centos:stream10
+
+# Install Samba
+RUN dnf install -y samba samba-client cifs-utils shadow-utils procps-ng \
+    && dnf clean all
+
+# /data holds the samba shares, /run/samba is for temporary files (non-persistent)
+VOLUME /data /run
+
+# We only run smb (no nmb)
+EXPOSE 445
+
+ADD container-entrypoint /
+ENTRYPOINT [ "/container-entrypoint" ]
+CMD [ ]

samba/config/container/container-entrypoint

@@ -0,0 +1,10 @@
+#!/bin/bash
+set -Eeuo pipefail
+echo -n > /etc/samba/smb.conf
+for file in /etc/samba/smb.conf.d/*.conf; do
+    echo "Using config file from $file..."
+    cat $file >> /etc/samba/smb.conf
+    echo >> /etc/samba/smb.conf
+done
+mkdir -p /var/lib/samba/lock /var/lib/samba/private /run/samba
+exec /usr/sbin/smbd --foreground --no-process-group --debug-stdout "$@"

samba/config/examples/smb.conf.d/10-shares.conf

@@ -0,0 +1,19 @@
+server string = Storage
+
+[foo]
+path = /data/foo
+comment = Foo
+valid users = @itix
+write list = @itix
+group = itix
+directory mask = 0770
+create mask = 0660
+
+[bar]
+path = /data/bar
+comment = Bar
+valid users = @itix
+write list = @itix
+group = itix
+directory mask = 0775
+create mask = 0664

samba/config/smb.conf.d/00-global.conf

@@ -0,0 +1,8 @@
+[global]
+workgroup = ITIX
+passdb backend = tdbsam:/var/lib/samba/private/sam.tdb
+map to guest = Bad User
+load printers = no
+private dir = /var/lib/samba/private
+disable netbios = yes
+debug syslog format = always

samba/samba-build.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Rebuild the samba container image
+PartOf=samba.target
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+
+[Install]
+WantedBy=samba.target

samba/samba.build

@@ -0,0 +1,9 @@
+[Unit]
+Description=Build of the Samba daemon
+Wants=network-online.target
+After=network-online.target
+
+[Build]
+File=/etc/quadlets/samba/container/Containerfile
+ImageTag=localhost/samba:latest
+SetWorkingDirectory=/etc/quadlets/samba/container

samba/samba.container

@@ -0,0 +1,39 @@
+[Unit]
+Description=Samba
+After=samba-build.service
+Wants=samba-build.service
+Requires=var-lib-virtiofs-data.mount
+
+# Start/stop this unit when the target is started/stopped
+PartOf=samba.target
+
+# Start Samba only if at least one share configuration file exists
+ConditionPathExistsGlob=/etc/quadlets/samba/smb.conf.d/*shares.conf
+
+[Container]
+ContainerName=samba
+
+# Image
+Image=localhost/samba:latest
+AutoUpdate=local
+
+# Security
+User=0
+
+# Storage
+Volume=/var/lib/quadlets/samba/data:/var/lib/samba:Z
+Volume=/var/lib/quadlets/samba/log:/var/log/samba:Z
+Volume=/var/lib/virtiofs/data:/data
+Volume=/etc/quadlets/samba/smb.conf.d:/etc/samba/smb.conf.d:Z
+Volume=/run/quadlets/samba/passwd:/etc/passwd:Z
+Volume=/run/quadlets/samba/group:/etc/group:Z
+Volume=/run/quadlets/samba/shadow:/etc/shadow:Z
+
+# Network
+Network=host
+
+# Samba debug level
+Exec=--debuglevel=1
+
+[Install]
+WantedBy=samba.target

samba/samba.target

@@ -0,0 +1,14 @@
+[Unit]
+Description=Samba Service Target
+Documentation=man:systemd.target(5)
+Requires=samba.service
+After=samba.service
+
+# Allow isolation - can stop/start this target independently
+AllowIsolate=yes
+
+# Start Samba only if at least one share configuration file exists
+ConditionPathExistsGlob=/etc/quadlets/samba/smb.conf.d/*shares.conf
+
+[Install]
+WantedBy=multi-user.target

samba/tmpfiles.d/samba.conf

@@ -0,0 +1,9 @@
+d$ /var/lib/quadlets/samba/data 0755 0 0 -
+d$ /var/lib/quadlets/samba/log 0755 0 0 -
+d$ /var/lib/quadlets/samba/cache 0755 0 0 -
+d$ /var/lib/virtiofs/data/foo 0755 0 0 -
+d$ /var/lib/virtiofs/data/bar 0755 0 0 -
+d$ /run/quadlets/samba 0700 0 0 -
+C$ /run/quadlets/samba/passwd - - - - /etc/passwd
+C$ /run/quadlets/samba/group - - - - /etc/group
+C$ /run/quadlets/samba/shadow - - - - /etc/shadow