From 29b125725ea777bebbc4e7b29edd1d17c23f4bfa Mon Sep 17 00:00:00 2001 From: ABelliqueux Date: Thu, 20 Oct 2022 18:27:26 +0200 Subject: [PATCH] Deploy script: fix media perm, fix /etc/hosts --- changelog_todo.md | 16 ++++++++-- linux_server_deploy.sh | 72 +++++++++++++++++++++++------------------- pilpil-server.toml | 2 +- prepa_rpios.md | 26 ++++++++++++++- 4 files changed, 80 insertions(+), 36 deletions(-) diff --git a/changelog_todo.md b/changelog_todo.md index 88eb0b9..67ba640 100644 --- a/changelog_todo.md +++ b/changelog_todo.md @@ -38,13 +38,26 @@ sha256 : * Add media folder sync (scp, rsync, http upload) * General filesystem clean up + +# FS checklist + * /etc/dhcpcd.conf + * /etc/ssh/sshd_config + * ~/.ssh/authorized_keys + * ~/Videos/* + * /etc/hostname, /etc/hosts + * /etc/ssl/private/nginx-selfsigned.key + * /etc/ssl/certs/nginx-selfsigned.crt + * /etc/wpa_supplicant/wpa_supplicant.conf + + # DOING NEXT : - * ~ Test static IP * Test with several rpis + * Define http auth secret at setup # DONE : * media sync (scp, rsync, http) * Install script ; Wifi setup, generate/install SSH keys/ nginx SSL cert/key fore each host, change hostname, static IPs + * Test static IP ok # OTHER: * get_client_rssi.sh on server @@ -55,7 +68,6 @@ sha256 : * ? Scripts hotspot linux/win/mac * ? Config sync - * ? * ? Linux Minimal Virtualbox image * ! Remove git personal details/resolv.conf, remove authorized_keys, ssh config, clean home, re-enable ssh pw login * ~ Doc diff --git a/linux_server_deploy.sh b/linux_server_deploy.sh index ee3c030..dc7aea0 100755 --- a/linux_server_deploy.sh +++ b/linux_server_deploy.sh 
@@ -62,28 +62,33 @@ nmcli con modify $SSID wifi-sec.key-mgmt wpa-psk nmcli con modify $SSID 802-11-wireless-security.proto rsn nmcli con modify $SSID 802-11-wireless-security.pairwise ccmp nmcli con modify $SSID wifi-sec.psk $PASSWD -nmcli radio wifi on -nmcli con up $SSID # 0.a set IP range on server -echo -e "Setting IP range in /etc/NetworkManager/system-connections/$SSID.nmconnection ... \n" -#~ sed "/\[ipv4\]/a address1=$IP_RANGE/24, $IP_RANGE" /etc/NetworkManager/system-connections/$SSID.nmconnection +echo -e "Setting IP range $IP_RANGE/24 in /etc/NetworkManager/system-connections/$SSID.nmconnection ... \n" +sudo sed -i "/method=shared/a address1=$IP_RANGE/24, $IP_RANGE" /etc/NetworkManager/system-connections/$SSID.nmconnection +sudo systemctl restart NetworkManager + +nmcli radio wifi on +nmcli con up $SSID # 0.b ask for number of clients # This will be used to determine static IP yellow "Nombre de clients à configurer : " read -n 4 CLIENT_NUMBER green "Got $CLIENT_NUMBER...\n" -# Get first IP in specified range and add 1 -IP=$(echo $IP_RANGE | awk -F. '{print $4}') - -echo -e "First IP is $(($IP+1)) ...\n" +# For some reason networkmanager finds it clever to offer only IPs in range 10-255 even when asked for a /24, /28, etc... +# So IPs start at 10 +# Get first IP in specified range +#~ IP=$(echo $IP_RANGE | awk -F. '{print $4}') +FIRST=1 +IP=10 +echo -e "First IP is $(($RANGE_START)) ...\n" # Remove IP's last byte IP_RANGE_3B=$(echo $IP_RANGE | awk -F. '{print $1"."$2"."$3"."}') # Generate SSL cert with IPs in IP_RANGE -IP_CNT=$(($IP+1)) +IP_CNT=$IP IP_ARRAY=() -while [ $IP_CNT -le $(($CLIENT_NUMBER+$IP)) ] +while [ $IP_CNT -lt $(($CLIENT_NUMBER+$IP)) ] do IP_ARRAY+=("IP:$IP_RANGE_3B$IP_CNT") ((IP_CNT++)) 
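Review bot: `echo -e "First IP is $(($RANGE_START)) ...\n"` reads `RANGE_START`, which nothing in this hunk assigns (the new variables are `FIRST` and `IP`), so the message prints `0` — or aborts if the script runs under `set -u` (its header is outside the hunk); it should read `echo -e "First IP is $IP ...\n"`. The new `sudo sed -i "/method=shared/a address1=$IP_RANGE/24, $IP_RANGE" …` also appends another `address1=` line every time the script is re-run, and splices `$IP_RANGE` into the sed program unvalidated, so a value containing `/` or a newline rewrites the sed script rather than the address. Setting the range through NetworkManager itself, `nmcli con modify "$SSID" ipv4.addresses "$IP_RANGE/24"`, is idempotent and needs no keyfile edit; failing that, validate `IP_RANGE` against an IPv4 pattern before the sed and skip the append when `grep -q '^address1=' "/etc/NetworkManager/system-connections/$SSID.nmconnection"` already matches.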
@@ -95,7 +100,7 @@ yellow "Got host list : $HOST_LIST \n" # https://unix.stackexchange.com/questions/104171/create-ssl-certificate-non-interactively yellow "Generating SSL crt/key for $HOST_LIST...\n" openssl req -new -newkey rsa:4096 -days 1825 -nodes -x509 \ --subj "/C=/ST=Denial/L=/O=/CN=$IP_RANGE$IP" \ +-subj "/C=/ST=Denial/L=/O=/CN=$IP_RANGE$FIRST" \ -addext "subjectAltName=$HOST_LIST" \ -keyout "$CONFIG_DIR/selfCA.key" -out "$CONFIG_DIR/selfCA.crt" #sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout "$ROOTFS_MOUNT/etc/ssl/private/nginx-selfsigned.key" -out "$ROOTFS_MOUNT/etc/ssl/certs/nginx-selfsigned.crt" @@ -104,7 +109,7 @@ openssl req -new -newkey rsa:4096 -days 1825 -nodes -x509 \ for HOST in "${IP_ARRAY[@]}" do HOST=$(echo $HOST | awk -F: '{print $2}') - HOST_NAME="videopi-$(echo $HOST | awk -F. '{print $4}')" + HOST_NAME="pilpil-$(echo $HOST | awk -F. '{print $4}')" # 1. Copy img to sd green "Operation 1/13 : Imaging $SDCARD with the file $DISK_IMAGE ...\n" red "Are you sure you want to ERASE THE CONTENT of $SDCARD ? Type uppercase 'yes' to confirm." @@ -117,11 +122,11 @@ do red "Received answer $GO_DD. Running dd on $SDCARD in 5 seconds." sleep 5 GO_DD=0 - xzcat "$DISK_IMAGE" | sudo dd of=$SDCARD bs="$DD_BS" oflag=dsync status=progress && sync # unmount / remount new filesystem - green "Operation 2/13 : Unmounting $BOOT_MOUNT and $ROOTFS_MOUNT ...\n" + green "Unmounting $BOOT_MOUNT and $ROOTFS_MOUNT ...\n" umount $BOOT_MOUNT umount $ROOTFS_MOUNT + xzcat "$DISK_IMAGE" | sudo dd of=$SDCARD bs="$DD_BS" oflag=dsync status=progress && sync green "Operation 3/13 : Remounting $BOOT_MOUNT and $ROOTFS_MOUNT ...\n" echo "Remounting..." sleep 1 
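Review bot: `-subj "/C=/ST=Denial/L=/O=/CN=$IP_RANGE$FIRST"` concatenates the server address with a literal `1`: if `IP_RANGE` is a full address, as `address1=$IP_RANGE/24, $IP_RANGE` in the previous hunk suggests (e.g. `10.42.0.1`), the CN comes out as `10.42.0.11`, which is a client address rather than the server's. Either `CN=$IP_RANGE` or `CN=$IP_RANGE_3B$FIRST` expresses the intent; clients that verify the certificate match against the subjectAltName list, so the server address also has to be present in `$HOST_LIST` (built above the hunk, not visible here). The key written by `-keyout "$CONFIG_DIR/selfCA.key"` gets the umask's default mode, so `chmod 600 "$CONFIG_DIR/selfCA.key"` right after the openssl call would keep it owner-only.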
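Review bot: The relocated `xzcat "$DISK_IMAGE" | sudo dd of=$SDCARD …` now runs straight after two unchecked `umount` calls, so if either fails (they run without sudo, which only works for mounts a regular user may unmount) dd still overwrites a device that is mounted; and a truncated image makes `xzcat` fail while dd exits 0 unless `set -o pipefail` is active (the script header is outside the hunk). Guard the unmount before the write, `umount "$BOOT_MOUNT" "$ROOTFS_MOUNT" || { red "Unmount failed, refusing to write $SDCARD"; exit 1; }`, and quote `"$SDCARD"` in the dd line. The `Operation 2/13` label was dropped while `3/13` remains, so the step numbering shown to the operator is now off by one.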
@@ -130,6 +135,7 @@ do green "Operation 4/13 : Changing hostname to $HOST_NAME ...\n" # Change hostname echo "$HOST_NAME" | sudo tee "$ROOTFS_MOUNT/etc/hostname" + echo -e "127.0.1.1\t$HOST_NAME" | sudo tee -a "$ROOTFS_MOUNT/etc/hosts" ## Enable SSH green "Operation 5/13 : Enabling SSH server on boot ...\n" touch "$BOOT_MOUNT/ssh" @@ -154,21 +160,20 @@ do sync # 3. Configure wifi with static IP green "Operation 9/13 : Configuring wireless connection to $SSID with pw $PASSWD : ...\n" - echo " - ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev - update_config=1 - country=FR - - network={ - ssid='$SSID' # Nom du réseau auquel on se connecte - psk='$PASSWD' # Mot de passe wifi - # Optional parameters - # scan_ssid=1 # hidden ssid - # Specify 2.4 or 5G freq - # https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf#n910 - # https://fr.wikipedia.org/wiki/Liste_des_canaux_Wi-Fi#Bande_2,4_GHz - # scan_freq=2412 2437 2462 - }" | sudo tee "$ROOTFS_MOUNT/etc/wpa_supplicant/wpa_supplicant.conf" + echo "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev +update_config=1 +country=FR + +network={ + ssid=\"$SSID\" # Nom du réseau auquel on se connecte + psk=\"$PASSWD\" # Mot de passe wifi + # Optional parameters + # scan_ssid=1 # hidden ssid + # Specify 2.4 or 5G freq + # https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf#n910 + # https://fr.wikipedia.org/wiki/Liste_des_canaux_Wi-Fi#Bande_2,4_GHz + # scan_freq=2412 2437 2462 +}" | sudo tee "$ROOTFS_MOUNT/etc/wpa_supplicant/wpa_supplicant.conf" sync # Request specific IP to dhcp server green "Operation 10/13 : Setting static IP $HOST in $ROOTFS_MOUNT/etc/dhcpcd.conf...\n" 
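Review bot: `echo -e "127.0.1.1\t$HOST_NAME" | sudo tee -a "$ROOTFS_MOUNT/etc/hosts"` appends rather than replaces, so an image that already carries a `127.0.1.1 raspberrypi` line (Raspberry Pi OS does by default) ends up with two `127.0.1.1` entries and the stale name keeps resolving, and every re-run adds another. Replacing the existing line and appending only when none exists keeps the file consistent: `sudo sed -i "s/^127\.0\.1\.1[[:space:]].*/127.0.1.1\t$HOST_NAME/" "$ROOTFS_MOUNT/etc/hosts"` followed by `grep -q '^127\.0\.1\.1' "$ROOTFS_MOUNT/etc/hosts" || echo -e "127.0.1.1\t$HOST_NAME" | sudo tee -a "$ROOTFS_MOUNT/etc/hosts"`. `HOST_NAME` is built from the address's last byte earlier in the loop, so it is safe inside the sed replacement.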
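Review bot: The wpa_supplicant.conf created by `sudo tee` gets tee's default mode (0644 under the usual 022 umask) on the client filesystem, so the cleartext `psk="$PASSWD"` is readable by every local account on the Pi; add `sudo chmod 600 "$ROOTFS_MOUNT/etc/wpa_supplicant/wpa_supplicant.conf"` after the tee. tee also echoes the whole file, password included, to the deploy host's terminal (the green line above already prints it), so append `>/dev/null` to the tee. Storing the derived key instead of the passphrase, via `wpa_passphrase "$SSID" "$PASSWD"`, avoids leaving the human-typed secret on every SD card, and a `$SSID` or `$PASSWD` containing `"` currently breaks the quoted value.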
@@ -182,14 +187,17 @@ do sync # 6. Copy medias green "Operation 12/13 : Syncing media folder $LOCAL_MEDIA_DIR/ with $REMOTE_MEDIA_DIR/ \n" - sudo rsync -auv "$LOCAL_MEDIA_DIR/" "$REMOTE_MEDIA_DIR/" + USER_ID=$( cat "$ROOTFS_MOUNT/etc/passwd" | grep $PI_USER | awk -F: '{print $3}' ) + GROUP_ID=$( cat "$ROOTFS_MOUNT/etc/passwd" | grep $PI_USER | awk -F: '{print $4}' ) + sudo cp "$LOCAL_MEDIA_DIR/*" "$REMOTE_MEDIA_DIR/" + sudo chown $USER_ID:$GROUP_ID "$REMOTE_MEDIA_DIR/*" sync # Unmount FS green "Operation 13/13 : Unmounting filesystems" umount $BOOT_MOUNT umount $ROOTFS_MOUNT - yellow "Client $IP/$CLIENT_NUMBER done." - if [ "$IP" -lt "$CLIENT_NUMBER" ] + yellow "Client $(($IP-10))/$CLIENT_NUMBER done." + if [ $(($IP+1)) -le $(($CLIENT_NUMBER+$IP)) ] then red "Please swap sd card in reader and enter uppercase 'yes' to proceed with next client :" read -n 4 GO_ON diff --git a/pilpil-server.toml b/pilpil-server.toml index 8e83ec7..4230676 100644 --- a/pilpil-server.toml +++ b/pilpil-server.toml @@ -10,7 +10,7 @@ media_exts = ["mp4", "avi", "mkv"] auth = "secret" # OnNlY3JldA== cmd_auth = "secret" -hosts = ["10.42.0.135", "10.42.0.156"] +hosts = ["10.42.0.10", "10.42.0.11"] # VLC http LUA port port = 8887 # Clients cmd port diff --git a/prepa_rpios.md b/prepa_rpios.md index 1d574c5..1367cea 100644 --- a/prepa_rpios.md +++ b/prepa_rpios.md @@ -393,7 +393,7 @@ server { listen 443 ssl; ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; - server_name example.com; + #server_name example.com; location / { proxy_pass http://your.ip.adress:5000; proxy_set_header X-Real-IP $remote_addr; 
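Review bot: `sudo cp "$LOCAL_MEDIA_DIR/*" "$REMOTE_MEDIA_DIR/"` and the following `chown` quote the `*`, so the shell passes a literal `*` and both commands fail with "No such file or directory" — the media sync that the removed rsync used to perform no longer happens. The `USER_ID`/`GROUP_ID` lookups use `grep $PI_USER` over the whole passwd line, which matches any account or gecos field containing that string (`pi` also matches `pipewire`), so the value can be several lines or the wrong uid; match on the login field with awk and fail when it is empty. The `$IP` terms in the new loop-end test cancel out (`IP+1 <= CLIENT_NUMBER+IP` is `1 <= CLIENT_NUMBER`), so the operator is asked for another card after the last client; assuming `IP` is advanced once per client further down the loop, as `Client $(($IP-10))` implies, `[ $((IP-10)) -lt "$CLIENT_NUMBER" ]` is the intended test.
```shell
    USER_ID=$(awk -F: -v u="$PI_USER" '$1 == u {print $3}' "$ROOTFS_MOUNT/etc/passwd")
    GROUP_ID=$(awk -F: -v u="$PI_USER" '$1 == u {print $4}' "$ROOTFS_MOUNT/etc/passwd")
    if [ -z "$USER_ID" ] || [ -z "$GROUP_ID" ]; then
        red "No user $PI_USER in $ROOTFS_MOUNT/etc/passwd"; exit 1
    fi
    sudo cp -r -- "$LOCAL_MEDIA_DIR"/* "$REMOTE_MEDIA_DIR/"
    sudo chown -R "$USER_ID:$GROUP_ID" "$REMOTE_MEDIA_DIR"
    # … unchanged: sync, unmount, "Client … done" message …
    if [ $((IP-10)) -lt "$CLIENT_NUMBER" ]
```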
@@ -407,6 +407,30 @@ server { ``` +#### Fix nginx startup fail if /var/log/nginx doesn't exists + +In '/etc/nginx/mklogdir.sh' : +```bash +#!/bin/bash +if [[ ! -d /var/log/nginx ]] +then + mkdir /var/log/nginx + systemctl restart nginx +fi +``` +then `sudo chmod +x /etc/nginx/mklogdir.sh`. + +After that, edit the nginx service unit to add a `ExecStartPre` directive to run the script : + +``` +sudo systemctl edit --full nginx.service + +[Service] +Type=forking +PIDFile=/run/nginx.pid +ExecStartPre=/etc/nginx/mklogdir.sh # Add this line +``` + ### Bash script ```bash