pilpil-setup/linux_server_deploy.sh

#!/usr/bin/env bash
# pilpil client installer v0.1
#
# https://sharats.me/posts/shell-script-best-practices/
set -o errexit
set -o nounset
set -o pipefail
if [[ "${TRACE-0}" == "1" ]]; then
    set -o xtrace
fi

# Change to script dir
cd "$(dirname "$0")"

# Colored output
#~ set +x
bold=$(tput bold)
function red(){
    echo -e "${bold}\x1B[31m$1 \x1B[0m"
    if [ ! -z "${2-}" ]; then
    echo -e "\x1B[31m $($2) \x1B[0m"
    fi
}
function green(){
    echo -e "${bold}\x1B[32m$1 \x1B[0m"
    if [ ! -z "${2-}" ]; then
    echo -e "\x1B[32m $($2) \x1B[0m"
    fi
}
function yellow(){
    echo -e "${bold}\x1B[33m$1 \x1B[0m"
    if [ ! -z "${2-}" ]; then
    echo -e "\x1B[33m $($2) \x1B[0m"
    fi
}

# Display help if -h(elpf) used
if [[ "${1-}" =~ ^-*h(elp)?$ ]]; then
    echo 'Usage: ./pilpil-server.sh path_to_device
    
This script will setup as much pilpil-clients as needed.
'
    exit
fi
# Set dry run if -d(ry) used
if [[ "${1-}" =~ ^-*d(ry)?$ ]]; then
    DRY_RUN=1
    yellow "!!! Running in dry mode. No modifications will be made.\n"
fi
# Options
# Device block to write on 
if [[ ! "$DRY_RUN" ]]; then
    SDCARD="${1-}"
else
    SDCARD="${2-}"
fi
# TODO : accomodate for devices block with name mmcblk0p1|p2
if [[ "$SDCARD" == "" ]] || [[ ! -e "$SDCARD" ]]
then 
    red "Please specify an existing device block for your sd-card, e.g: '/dev/sda'." >&2
    exit 0
fi
DD_BS="128K"
DISK_IMAGE="$HOME/niels/imgs/2022-10-25-pilpil-WIP.img.xz"
if [[ ! -f "$DISK_IMAGE" ]]; then 
    red "Disk image not found, aborting..." >&2
    exit 0
fi
CONFIG_DIR="$HOME/niels/pilpil-server"
if [[ ! -d "$CONFIG_DIR" ]]; then 
    red "Config directory not found, aborting..." >&2
    exit 0
fi
HTTP_SECRET=$(openssl rand -base64 12)
PI_USER="pil"
BOOT_MOUNT="/run/media/$USER/boot"
ROOTFS_MOUNT="/run/media/$USER/rootfs"
#~ LOCAL_MEDIA_DIR="$HOME/Videos"
LOCAL_MEDIA_DIR="$HOME/niels/medias"
if [[ ! -d "$LOCAL_MEDIA_DIR" ]]; then 
    red "Medias directory not found, aborting..." >&2
    exit 0
fi
REMOTE_MEDIA_DIR="$ROOTFS_MOUNT/home/$PI_USER/Videos"
# WIFI AP config
IP_RANGE="10.42.0.1"
SSID="omen"
PASSWD="EpQmSmXH123"
IFW="wlo1"
#Band (bg = 2.4Ghz, a= 5Ghz)
BAND="bg"
# Hidden SSID
#~ HIDE="802-11-wireless.hidden false"
# Set channel manually
CHAN="802-11-wireless.channel 1"
#
#
#  0. Create AP connection
#
green "  * Creating hotspot connection for NetworkManager \n"
if [[ ! "$DRY_RUN" ]]; then
    # If connection exists, delete it
    nmcli con delete $SSID
    nmcli con add type wifi ifname $IFW con-name $SSID autoconnect yes ssid $SSID
    nmcli con modify $SSID 802-11-wireless.mode ap 802-11-wireless.band "${BAND-}" "${CHAN-}" "${HIDE-}" ipv4.method shared
    nmcli con modify $SSID wifi-sec.key-mgmt wpa-psk
    nmcli con modify $SSID 802-11-wireless-security.proto rsn
    nmcli con modify $SSID 802-11-wireless-security.pairwise ccmp
    nmcli con modify $SSID wifi-sec.psk $PASSWD
fi
# 0.a set IP range on server
green "  * Setting IP range $IP_RANGE/24 in /etc/NetworkManager/system-connections/$SSID.nmconnection ... \n"
if [[ ! "$DRY_RUN" ]]; then
    sudo sed -i "/method=shared/a address1=$IP_RANGE/24, $IP_RANGE" /etc/NetworkManager/system-connections/$SSID.nmconnection
    # Remove existing leases
    sudo rm /var/lib/NetworkManager/dnsmasq-$IFW.leases
    # restart NM
    sudo systemctl restart NetworkManager
    # Turn hotspot on
    nmcli radio wifi on
    nmcli con up $SSID
fi
# 0.b ask for number of clients
# This will be used to determine static IP
yellow "Nombre de clients à configurer : "
read -n 4 CLIENT_NUMBER
# Check input
if [[ ! "${CLIENT_NUMBER}" =~ ^[0-9]+$ ]]; then 
    red "\nInput was not a number, aborting.\n"
    exit 0
fi
if [[ "${CLIENT_NUMBER}" -lt 1 ]]; then
        red "\nInput was 0, nothing to do.\n"
        exit 0
fi
green "Got $CLIENT_NUMBER...\n"
# For some reason networkmanager finds it clever to offer only IPs in range 10-255 even when asked for a /24, /28, etc...
# So IPs start at 10
# Get first IP in specified range
#~ IP=$(echo $IP_RANGE | awk -F. '{print $4}')
FIRST=1
IP=10
#~ echo -e "First IP is $(($RANGE_START)) ...\n"
# Remove IP's last byte
IP_RANGE_3B=$(echo $IP_RANGE | awk -F. '{print $1"."$2"."$3"."}')
echo -e "First IP is $IP_RANGE_3B$IP ...\n"
# Generate SSL cert with IPs in IP_RANGE
IP_CNT=$IP
IP_ARRAY=()

while [[ "$IP_CNT" -lt $(("${CLIENT_NUMBER-}"+"${IP-}")) ]] 
do
    IP_ARRAY+=("IP:$IP_RANGE_3B$IP_CNT")
    ((IP_CNT++))
done
# Convert array to string
HOST_LIST="$(IFS=","; echo "${IP_ARRAY[*]}")"
green "Got host list : ${HOST_LIST-} \n"
#  5. Generate valid ssl cert/key for every IP in range
# https://unix.stackexchange.com/questions/104171/create-ssl-certificate-non-interactively
green "Generating SSL crt/key for $HOST_LIST...\n"
if [[ ! "$DRY_RUN" ]]; then
    openssl req -new -newkey rsa:4096 -days 1825 -nodes -x509 \
    -subj "/C=/ST=Denial/L=/O=/CN=$IP_RANGE$FIRST" \
    -addext "subjectAltName=$HOST_LIST" \
    -keyout "$CONFIG_DIR/selfCA.key" -out "$CONFIG_DIR/selfCA.crt"
    #sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout "$ROOTFS_MOUNT/etc/ssl/private/nginx-selfsigned.key" -out "$ROOTFS_MOUNT/etc/ssl/certs/nginx-selfsigned.crt"
fi
# Proceed with each host
for HOST in "${IP_ARRAY[@]}"
do
    HOST=$(echo $HOST | awk -F: '{print $2}')
    HOST_NAME="pilpil-$(echo $HOST | awk -F. '{print $4}')"
    #  1. Copy img to sd
    green "1/14 : Imaging $SDCARD with the file $DISK_IMAGE ...\n"
    red  "Are you sure you want to ERASE THE CONTENT of $SDCARD ? Type uppercase 'yes' to confirm."
    read -n 4 GO_DD
    if [[ "$GO_DD" != "YES" ]]
    then
        red "Answer was different from 'YES'. Aborting..." >&2
        break
    fi
    red "Received answer $GO_DD. Running dd on $SDCARD in 5 seconds."
    if [[ ! "$DRY_RUN" ]]; then
        sleep 5
    fi
    GO_DD=0
    # unmount / remount new filesystem
    green "2/14 : Unmounting $BOOT_MOUNT and $ROOTFS_MOUNT ...\n"
    if [[ ! "$DRY_RUN" ]]; then
        umount $BOOT_MOUNT
        umount $ROOTFS_MOUNT
        xzcat "$DISK_IMAGE" | sudo dd of=$SDCARD bs="$DD_BS" oflag=dsync status=progress && sync
    fi
    green "3/14 : Remounting $BOOT_MOUNT and $ROOTFS_MOUNT ...\n" 
    echo "Remounting..."
    if [[ ! "$DRY_RUN" ]]; then
        sleep 1
        systemctl --user restart gvfs-udisks2-volume-monitor
        sleep 3
    fi
    green "4/14 : Changing hostname to $HOST_NAME in $ROOTFS_MOUNT/etc/hostname and $ROOTFS_MOUNT/etc/hosts ...\n" 
    if [[ ! "$DRY_RUN" ]]; then
        # Change hostname
        echo "$HOST_NAME" | sudo tee "$ROOTFS_MOUNT/etc/hostname"
        # Reflect that in /etc/hosts
        sudo sed -i "$d" "$ROOTFS_MOUNT/etc/hosts"
        echo -e "127.0.1.1\t$HOST_NAME" | sudo tee -a "$ROOTFS_MOUNT/etc/hosts"
    fi
    ## Enable SSH
    green "5/14 : Enabling SSH server on boot : $BOOT_MOUNT/ssh ...\n" 
    if [[ ! "$DRY_RUN" ]]; then
        touch "$BOOT_MOUNT/ssh"
        sync
    fi
    ## Generate SSH private/public key and install it - Disable passwd login
    green "6/14 : Generating private/public SSH key as $HOME/.ssh/$HOST_NAME ...\n" 
    if [[ ! "$DRY_RUN" ]]; then
        ssh-keygen -t ed25519 -f "$HOME/.ssh/$HOST_NAME" -N ""
    fi
    red "New SSH key pair generated as $HOME/.ssh/$HOST_NAME. Add to ~/.ssh/config ? (y/n)"
    read -n 2 ADD_SSH_CONF
    if [[ "$ADD_SSH_CONF" == "y" ]];then
        green "Adding $HOST_NAME with ip $HOST in $HOME/.ssh/config"
        if [[ ! "$DRY_RUN" ]]; then
            # Add to ~/.ssh/config
            echo -e "\nHost $HOST_NAME\n\tHostname $HOST\n\tIdentityFile ~/.ssh/$HOST_NAME\n\tUser $PI_USER" | tee -a "$HOME/.ssh/config"
        fi
    else
        yellow "\nAnswer was different from 'y', skipping..."
    fi
    # Copy public key to rpi
    green "7/14 : Installing public SSH key $HOME/.ssh/$HOST.pub in $ROOTFS_MOUNT/home/$PI_USER/.ssh/authorized_keys...\n" 
    if [[ ! "$DRY_RUN" ]]; then
        sudo cp "$HOME/.ssh/$HOST_NAME.pub" "$ROOTFS_MOUNT/home/$PI_USER/.ssh/authorized_keys"
        sync
    fi
    # Disable PW login
    green "8/14 : Disabling SSH password based login in $ROOTFS_MOUNT/etc/ssh/sshd_config ...\n" 
    if [[ ! "$DRY_RUN" ]]; then
        echo -e "PasswordAuthentication no\nChallengeResponseAuthentication no\nUsePAM no" | sudo tee -a "$ROOTFS_MOUNT/etc/ssh/sshd_config"
        sync
    fi
    #  3. Configure wifi with static IP
    green "9/14 : Configuring wireless connection to $SSID with pw $PASSWD :  ...\n" 
    if [[ ! "$DRY_RUN" ]]; then
        echo "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=FR

network={
    ssid=\"$SSID\" # Nom du réseau auquel on se connecte
    psk=\"$PASSWD\" # Mot de passe wifi
    # Optional parameters
    # scan_ssid=1 # hidden ssid 
    # Specify 2.4 or 5G freq
    # https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf#n910
    # https://fr.wikipedia.org/wiki/Liste_des_canaux_Wi-Fi#Bande_2,4_GHz
    # scan_freq=2412 2437 2462
}" | sudo tee "$ROOTFS_MOUNT/etc/wpa_supplicant/wpa_supplicant.conf"
        sync
    fi
    # Request specific IP to dhcp server
    green "10/14 : Setting static IP $HOST in $ROOTFS_MOUNT/etc/dhcpcd.conf...\n" 
    if [[ ! "$DRY_RUN" ]]; then
        echo -e "interface wlan0\nrequest $HOST" | sudo tee -a "$ROOTFS_MOUNT/etc/dhcpcd.conf"
        sync
    fi
    #  5. Install previously generated SSL key/crt
    green "11/14 : Installing SSL : $CONFIG_DIR/selfCA.crt and $CONFIG_DIR/selfCA.key in $ROOTFS_MOUNT/etc/ssl/certs/ and $ROOTFS_MOUNT/etc/ssl/private/nginx-selfsigned.key...\n" 
    if [[ ! "$DRY_RUN" ]]; then
        sudo cp "$CONFIG_DIR/selfCA.crt" "$ROOTFS_MOUNT/etc/ssl/certs/nginx-selfsigned.crt" 
        sudo cp "$CONFIG_DIR/selfCA.key" "$ROOTFS_MOUNT/etc/ssl/private/nginx-selfsigned.key"
        sync
    fi
    green "12/14 : Installing http auth secrets in $CONFIG_DIR/pilpil-server.toml, $ROOTFS_MOUNT/home/pil/.config/systemd/user/vlc.service and $ROOTFS_MOUNT/home/pil/pilpil-client/defaults.toml...\n" 
    if [[ ! "$DRY_RUN" ]]; then
        #~ Change VLC/pilpil http auth secret
        sed -i "s:secret:$HTTP_SECRET:g" "$CONFIG_DIR/pilpil-server.toml"
        sed -i "s:secret:$HTTP_SECRET:g" "$ROOTFS_MOUNT/home/pil/.config/systemd/user/vlc.service" 
        sed -i "s:secret:$HTTP_SECRET:g" "$ROOTFS_MOUNT/home/pil/pilpil-client/defaults.toml" 
    fi
    #~ #  6. Copy medias
    green "13/14 : Syncing media folder $LOCAL_MEDIA_DIR/ with $REMOTE_MEDIA_DIR/ \n" 
    if [[ ! "$DRY_RUN" ]]; then
        # Remove filler file
        if [[ -f "$REMOTE_MEDIA_DIR/remove_me"  ]]; then 
            sudo rm "$REMOTE_MEDIA_DIR/remove_me"
        fi
    fi
    if [[ -d "$ROOTFS_MOUNT" ]]; then 
        # Get available space on rootfs
        ROOTFS_AVAILABLE_SPACE=$(df -t ext4 -P "$ROOTFS_MOUNT"  | tail -1 | awk '{print $4}')
        yellow "Space available on rootfs : $ROOTFS_AVAILABLE_SPACE sectors"
        # Get Media folder size
        MEDIA_SIZE=$(du -c "$LOCAL_MEDIA_DIR" | tail -1 | awk '{print $1}')
        yellow "Size of medias : $MEDIA_SIZE sectors"
    fi
    if [[ ! "$DRY_RUN" ]]; then
        # Only copy files if enough space available
        if [[ "$MEDIA_SIZE" -lt "$ROOTFS_AVAILABLE_SPACE" ]]; then
            USER_ID=$( cat "$ROOTFS_MOUNT/etc/passwd" | grep $PI_USER | awk -F: '{print $3}' )
            GROUP_ID=$( cat "$ROOTFS_MOUNT/etc/passwd" | grep $PI_USER | awk -F: '{print $4}' )
            sudo cp "$LOCAL_MEDIA_DIR/"* "$REMOTE_MEDIA_DIR/"
            sudo chown -R $USER_ID:$GROUP_ID "$REMOTE_MEDIA_DIR"
            sync
        else
            red "Not enough space on $ROOTFS_MOUNT, skipping..." 
        fi
    fi
    # Unmount FS
    green "14/14 : Unmounting filesystems"
    if [[ ! "$DRY_RUN" ]]; then
        umount "$BOOT_MOUNT"
        umount "$ROOTFS_MOUNT"
    fi
    yellow "Client $(($IP-9))/$CLIENT_NUMBER done."
    #~ echo "$IP / $(($IP_CNT-1))"
    if [[ "$IP" -lt "$(($IP_CNT-1))" ]]; then
        red "Please swap sd card in reader and enter uppercase 'yes' to proceed with next client or hit Ctrl-C:"
        read -n 4 GO_ON
        if [ "$GO_ON" != "YES" ]
        then
            red "Answer was different from 'YES'. Aborting...\n" >&2
            break
        fi
        GO_ON=0
        ((IP++))
    else
        green "All done !"
        exit 1
    fi
done
yellow "Nothing more to do."
exit 0
#~ rm "$CONFIG_DIR/selfCA.key"
Generate http auth secret and install it 2022-10-28 19:02:46 +02:00			`#!/usr/bin/env bash`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`# pilpil client installer v0.1`
Generate http auth secret and install it 2022-10-28 19:02:46 +02:00			`#`
			`# https://sharats.me/posts/shell-script-best-practices/`
			`set -o errexit`
			`set -o nounset`
			`set -o pipefail`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`if [[ "${TRACE-0}" == "1" ]]; then`
			`set -o xtrace`
			`fi`

Generate http auth secret and install it 2022-10-28 19:02:46 +02:00			`# Change to script dir`
			`cd "$(dirname "$0")"`

Clean up, switch to pilpil 2022-10-19 14:54:58 +02:00			`# Colored output`
			`#~ set +x`
			`bold=$(tput bold)`
			`function red(){`
			`echo -e "${bold}\x1B[31m$1 \x1B[0m"`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`if [ ! -z "${2-}" ]; then`
Clean up, switch to pilpil 2022-10-19 14:54:58 +02:00			`echo -e "\x1B[31m $($2) \x1B[0m"`
			`fi`
			`}`
			`function green(){`
			`echo -e "${bold}\x1B[32m$1 \x1B[0m"`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`if [ ! -z "${2-}" ]; then`
Clean up, switch to pilpil 2022-10-19 14:54:58 +02:00			`echo -e "\x1B[32m $($2) \x1B[0m"`
			`fi`
			`}`
			`function yellow(){`
			`echo -e "${bold}\x1B[33m$1 \x1B[0m"`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`if [ ! -z "${2-}" ]; then`
Clean up, switch to pilpil 2022-10-19 14:54:58 +02:00			`echo -e "\x1B[33m $($2) \x1B[0m"`
			`fi`
			`}`

Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`# Display help if -h(elpf) used`
			`if [[ "${1-}" =~ ^-*h(elp)?$ ]]; then`
			`echo 'Usage: ./pilpil-server.sh path_to_device`

			`This script will setup as much pilpil-clients as needed.`
			`'`
			`exit`
			`fi`
			`# Set dry run if -d(ry) used`
			`if [[ "${1-}" =~ ^-*d(ry)?$ ]]; then`
			`DRY_RUN=1`
			`yellow "!!! Running in dry mode. No modifications will be made.\n"`
			`fi`
			`# Options`
			`# Device block to write on`
			`if [[ ! "$DRY_RUN" ]]; then`
			`SDCARD="${1-}"`
			`else`
			`SDCARD="${2-}"`
			`fi`
Fix media sync, add files checks 2022-10-22 15:04:00 +02:00			`# TODO : accomodate for devices block with name mmcblk0p1\|p2`
Generate http auth secret and install it 2022-10-28 19:02:46 +02:00			`if [[ "$SDCARD" == "" ]] \|\| [[ ! -e "$SDCARD" ]]`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`then`
Generate http auth secret and install it 2022-10-28 19:02:46 +02:00			`red "Please specify an existing device block for your sd-card, e.g: '/dev/sda'." >&2`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`exit 0`
			`fi`
			`DD_BS="128K"`
Disable ssl cert valid. for isup() 2022-10-25 18:43:20 +02:00			`DISK_IMAGE="$HOME/niels/imgs/2022-10-25-pilpil-WIP.img.xz"`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`if [[ ! -f "$DISK_IMAGE" ]]; then`
Generate http auth secret and install it 2022-10-28 19:02:46 +02:00			`red "Disk image not found, aborting..." >&2`
Fix media sync, add files checks 2022-10-22 15:04:00 +02:00			`exit 0`
			`fi`
Switch to bullseye, fix conn.close(), deploy script 2022-10-22 14:22:38 +02:00			`CONFIG_DIR="$HOME/niels/pilpil-server"`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`if [[ ! -d "$CONFIG_DIR" ]]; then`
Generate http auth secret and install it 2022-10-28 19:02:46 +02:00			`red "Config directory not found, aborting..." >&2`
Fix media sync, add files checks 2022-10-22 15:04:00 +02:00			`exit 0`
			`fi`
Generate http auth secret and install it 2022-10-28 19:02:46 +02:00			`HTTP_SECRET=$(openssl rand -base64 12)`
Fix deploy script 2022-10-19 18:39:23 +02:00			`PI_USER="pil"`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`BOOT_MOUNT="/run/media/$USER/boot"`
			`ROOTFS_MOUNT="/run/media/$USER/rootfs"`
			`#~ LOCAL_MEDIA_DIR="$HOME/Videos"`
			`LOCAL_MEDIA_DIR="$HOME/niels/medias"`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`if [[ ! -d "$LOCAL_MEDIA_DIR" ]]; then`
Generate http auth secret and install it 2022-10-28 19:02:46 +02:00			`red "Medias directory not found, aborting..." >&2`
Fix media sync, add files checks 2022-10-22 15:04:00 +02:00			`exit 0`
			`fi`
Fix deploy script 2022-10-19 18:39:23 +02:00			`REMOTE_MEDIA_DIR="$ROOTFS_MOUNT/home/$PI_USER/Videos"`
Generate http auth secret and install it 2022-10-28 19:02:46 +02:00			`# WIFI AP config`
Fix deploy script 2022-10-19 18:39:23 +02:00			`IP_RANGE="10.42.0.1"`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`SSID="omen"`
			`PASSWD="EpQmSmXH123"`
			`IFW="wlo1"`
			`#Band (bg = 2.4Ghz, a= 5Ghz)`
			`BAND="bg"`
			`# Hidden SSID`
			`#~ HIDE="802-11-wireless.hidden false"`
			`# Set channel manually`
Disable ssl cert valid. for isup() 2022-10-25 18:43:20 +02:00			`CHAN="802-11-wireless.channel 1"`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`#`
			`#`
			`# 0. Create AP connection`
			`#`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`green " * Creating hotspot connection for NetworkManager \n"`
			`if [[ ! "$DRY_RUN" ]]; then`
			`# If connection exists, delete it`
			`nmcli con delete $SSID`
			`nmcli con add type wifi ifname $IFW con-name $SSID autoconnect yes ssid $SSID`
			`nmcli con modify $SSID 802-11-wireless.mode ap 802-11-wireless.band "${BAND-}" "${CHAN-}" "${HIDE-}" ipv4.method shared`
			`nmcli con modify $SSID wifi-sec.key-mgmt wpa-psk`
			`nmcli con modify $SSID 802-11-wireless-security.proto rsn`
			`nmcli con modify $SSID 802-11-wireless-security.pairwise ccmp`
			`nmcli con modify $SSID wifi-sec.psk $PASSWD`
			`fi`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`# 0.a set IP range on server`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`green " * Setting IP range $IP_RANGE/24 in /etc/NetworkManager/system-connections/$SSID.nmconnection ... \n"`
			`if [[ ! "$DRY_RUN" ]]; then`
			`sudo sed -i "/method=shared/a address1=$IP_RANGE/24, $IP_RANGE" /etc/NetworkManager/system-connections/$SSID.nmconnection`
			`# Remove existing leases`
			`sudo rm /var/lib/NetworkManager/dnsmasq-$IFW.leases`
			`# restart NM`
			`sudo systemctl restart NetworkManager`
			`# Turn hotspot on`
			`nmcli radio wifi on`
			`nmcli con up $SSID`
			`fi`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`# 0.b ask for number of clients`
			`# This will be used to determine static IP`
			`yellow "Nombre de clients à configurer : "`
			`read -n 4 CLIENT_NUMBER`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`# Check input`
			`if [[ ! "${CLIENT_NUMBER}" =~ ^[0-9]+$ ]]; then`
			`red "\nInput was not a number, aborting.\n"`
			`exit 0`
			`fi`
			`if [[ "${CLIENT_NUMBER}" -lt 1 ]]; then`
			`red "\nInput was 0, nothing to do.\n"`
			`exit 0`
			`fi`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`green "Got $CLIENT_NUMBER...\n"`
Deploy script: fix media perm, fix /etc/hosts 2022-10-20 18:27:26 +02:00			`# For some reason networkmanager finds it clever to offer only IPs in range 10-255 even when asked for a /24, /28, etc...`
			`# So IPs start at 10`
			`# Get first IP in specified range`
			`#~ IP=$(echo $IP_RANGE \| awk -F. '{print $4}')`
			`FIRST=1`
			`IP=10`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`#~ echo -e "First IP is $(($RANGE_START)) ...\n"`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`# Remove IP's last byte`
			`IP_RANGE_3B=$(echo $IP_RANGE \| awk -F. '{print $1"."$2"."$3"."}')`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`echo -e "First IP is $IP_RANGE_3B$IP ...\n"`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`# Generate SSL cert with IPs in IP_RANGE`
Deploy script: fix media perm, fix /etc/hosts 2022-10-20 18:27:26 +02:00			`IP_CNT=$IP`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`IP_ARRAY=()`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00
			`while [[ "$IP_CNT" -lt $(("${CLIENT_NUMBER-}"+"${IP-}")) ]]`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`do`
			`IP_ARRAY+=("IP:$IP_RANGE_3B$IP_CNT")`
			`((IP_CNT++))`
			`done`
			`# Convert array to string`
			`HOST_LIST="$(IFS=","; echo "${IP_ARRAY[*]}")"`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`green "Got host list : ${HOST_LIST-} \n"`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`# 5. Generate valid ssl cert/key for every IP in range`
			`# https://unix.stackexchange.com/questions/104171/create-ssl-certificate-non-interactively`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`green "Generating SSL crt/key for $HOST_LIST...\n"`
			`if [[ ! "$DRY_RUN" ]]; then`
			`openssl req -new -newkey rsa:4096 -days 1825 -nodes -x509 \`
			`-subj "/C=/ST=Denial/L=/O=/CN=$IP_RANGE$FIRST" \`
			`-addext "subjectAltName=$HOST_LIST" \`
			`-keyout "$CONFIG_DIR/selfCA.key" -out "$CONFIG_DIR/selfCA.crt"`
			`#sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout "$ROOTFS_MOUNT/etc/ssl/private/nginx-selfsigned.key" -out "$ROOTFS_MOUNT/etc/ssl/certs/nginx-selfsigned.crt"`
			`fi`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`# Proceed with each host`
			`for HOST in "${IP_ARRAY[@]}"`
			`do`
			`HOST=$(echo $HOST \| awk -F: '{print $2}')`
Deploy script: fix media perm, fix /etc/hosts 2022-10-20 18:27:26 +02:00			`HOST_NAME="pilpil-$(echo $HOST \| awk -F. '{print $4}')"`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`# 1. Copy img to sd`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`green "1/14 : Imaging $SDCARD with the file $DISK_IMAGE ...\n"`
Fix deploy script 2022-10-19 18:39:23 +02:00			`red "Are you sure you want to ERASE THE CONTENT of $SDCARD ? Type uppercase 'yes' to confirm."`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`read -n 4 GO_DD`
Generate http auth secret and install it 2022-10-28 19:02:46 +02:00			`if [[ "$GO_DD" != "YES" ]]`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`then`
Generate http auth secret and install it 2022-10-28 19:02:46 +02:00			`red "Answer was different from 'YES'. Aborting..." >&2`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`break`
			`fi`
			`red "Received answer $GO_DD. Running dd on $SDCARD in 5 seconds."`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`if [[ ! "$DRY_RUN" ]]; then`
			`sleep 5`
			`fi`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`GO_DD=0`
			`# unmount / remount new filesystem`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`green "2/14 : Unmounting $BOOT_MOUNT and $ROOTFS_MOUNT ...\n"`
			`if [[ ! "$DRY_RUN" ]]; then`
			`umount $BOOT_MOUNT`
			`umount $ROOTFS_MOUNT`
			`xzcat "$DISK_IMAGE" \| sudo dd of=$SDCARD bs="$DD_BS" oflag=dsync status=progress && sync`
			`fi`
			`green "3/14 : Remounting $BOOT_MOUNT and $ROOTFS_MOUNT ...\n"`
Fix deploy script 2022-10-19 18:39:23 +02:00			`echo "Remounting..."`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`if [[ ! "$DRY_RUN" ]]; then`
			`sleep 1`
			`systemctl --user restart gvfs-udisks2-volume-monitor`
			`sleep 3`
			`fi`
			`green "4/14 : Changing hostname to $HOST_NAME in $ROOTFS_MOUNT/etc/hostname and $ROOTFS_MOUNT/etc/hosts ...\n"`
			`if [[ ! "$DRY_RUN" ]]; then`
			`# Change hostname`
			`echo "$HOST_NAME" \| sudo tee "$ROOTFS_MOUNT/etc/hostname"`
			`# Reflect that in /etc/hosts`
			`sudo sed -i "$d" "$ROOTFS_MOUNT/etc/hosts"`
			`echo -e "127.0.1.1\t$HOST_NAME" \| sudo tee -a "$ROOTFS_MOUNT/etc/hosts"`
			`fi`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`## Enable SSH`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`green "5/14 : Enabling SSH server on boot : $BOOT_MOUNT/ssh ...\n"`
			`if [[ ! "$DRY_RUN" ]]; then`
			`touch "$BOOT_MOUNT/ssh"`
			`sync`
			`fi`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`## Generate SSH private/public key and install it - Disable passwd login`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`green "6/14 : Generating private/public SSH key as $HOME/.ssh/$HOST_NAME ...\n"`
			`if [[ ! "$DRY_RUN" ]]; then`
			`ssh-keygen -t ed25519 -f "$HOME/.ssh/$HOST_NAME" -N ""`
			`fi`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`red "New SSH key pair generated as $HOME/.ssh/$HOST_NAME. Add to ~/.ssh/config ? (y/n)"`
			`read -n 2 ADD_SSH_CONF`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`if [[ "$ADD_SSH_CONF" == "y" ]];then`
			`green "Adding $HOST_NAME with ip $HOST in $HOME/.ssh/config"`
			`if [[ ! "$DRY_RUN" ]]; then`
			`# Add to ~/.ssh/config`
			`echo -e "\nHost $HOST_NAME\n\tHostname $HOST\n\tIdentityFile ~/.ssh/$HOST_NAME\n\tUser $PI_USER" \| tee -a "$HOME/.ssh/config"`
			`fi`
			`else`
			`yellow "\nAnswer was different from 'y', skipping..."`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`fi`
			`# Copy public key to rpi`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`green "7/14 : Installing public SSH key $HOME/.ssh/$HOST.pub in $ROOTFS_MOUNT/home/$PI_USER/.ssh/authorized_keys...\n"`
			`if [[ ! "$DRY_RUN" ]]; then`
			`sudo cp "$HOME/.ssh/$HOST_NAME.pub" "$ROOTFS_MOUNT/home/$PI_USER/.ssh/authorized_keys"`
			`sync`
			`fi`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`# Disable PW login`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`green "8/14 : Disabling SSH password based login in $ROOTFS_MOUNT/etc/ssh/sshd_config ...\n"`
			`if [[ ! "$DRY_RUN" ]]; then`
			`echo -e "PasswordAuthentication no\nChallengeResponseAuthentication no\nUsePAM no" \| sudo tee -a "$ROOTFS_MOUNT/etc/ssh/sshd_config"`
			`sync`
			`fi`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`# 3. Configure wifi with static IP`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`green "9/14 : Configuring wireless connection to $SSID with pw $PASSWD : ...\n"`
			`if [[ ! "$DRY_RUN" ]]; then`
			`echo "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev`
Deploy script: fix media perm, fix /etc/hosts 2022-10-20 18:27:26 +02:00			`update_config=1`
			`country=FR`

			`network={`
			`ssid=\"$SSID\" # Nom du réseau auquel on se connecte`
			`psk=\"$PASSWD\" # Mot de passe wifi`
			`# Optional parameters`
			`# scan_ssid=1 # hidden ssid`
			`# Specify 2.4 or 5G freq`
			`# https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf#n910`
			`# https://fr.wikipedia.org/wiki/Liste_des_canaux_Wi-Fi#Bande_2,4_GHz`
			`# scan_freq=2412 2437 2462`
			`}" \| sudo tee "$ROOTFS_MOUNT/etc/wpa_supplicant/wpa_supplicant.conf"`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`sync`
			`fi`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`# Request specific IP to dhcp server`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`green "10/14 : Setting static IP $HOST in $ROOTFS_MOUNT/etc/dhcpcd.conf...\n"`
			`if [[ ! "$DRY_RUN" ]]; then`
			`echo -e "interface wlan0\nrequest $HOST" \| sudo tee -a "$ROOTFS_MOUNT/etc/dhcpcd.conf"`
			`sync`
			`fi`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`# 5. Install previously generated SSL key/crt`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`green "11/14 : Installing SSL : $CONFIG_DIR/selfCA.crt and $CONFIG_DIR/selfCA.key in $ROOTFS_MOUNT/etc/ssl/certs/ and $ROOTFS_MOUNT/etc/ssl/private/nginx-selfsigned.key...\n"`
			`if [[ ! "$DRY_RUN" ]]; then`
			`sudo cp "$CONFIG_DIR/selfCA.crt" "$ROOTFS_MOUNT/etc/ssl/certs/nginx-selfsigned.crt"`
			`sudo cp "$CONFIG_DIR/selfCA.key" "$ROOTFS_MOUNT/etc/ssl/private/nginx-selfsigned.key"`
			`sync`
			`fi`
			`green "12/14 : Installing http auth secrets in $CONFIG_DIR/pilpil-server.toml, $ROOTFS_MOUNT/home/pil/.config/systemd/user/vlc.service and $ROOTFS_MOUNT/home/pil/pilpil-client/defaults.toml...\n"`
			`if [[ ! "$DRY_RUN" ]]; then`
			`#~ Change VLC/pilpil http auth secret`
			`sed -i "s:secret:$HTTP_SECRET:g" "$CONFIG_DIR/pilpil-server.toml"`
			`sed -i "s:secret:$HTTP_SECRET:g" "$ROOTFS_MOUNT/home/pil/.config/systemd/user/vlc.service"`
			`sed -i "s:secret:$HTTP_SECRET:g" "$ROOTFS_MOUNT/home/pil/pilpil-client/defaults.toml"`
			`fi`
Switch to bullseye, fix conn.close(), deploy script 2022-10-22 14:22:38 +02:00			`#~ # 6. Copy medias`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`green "13/14 : Syncing media folder $LOCAL_MEDIA_DIR/ with $REMOTE_MEDIA_DIR/ \n"`
			`if [[ ! "$DRY_RUN" ]]; then`
			`# Remove filler file`
			`if [[ -f "$REMOTE_MEDIA_DIR/remove_me" ]]; then`
			`sudo rm "$REMOTE_MEDIA_DIR/remove_me"`
			`fi`
Switch to bullseye, fix conn.close(), deploy script 2022-10-22 14:22:38 +02:00			`fi`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`if [[ -d "$ROOTFS_MOUNT" ]]; then`
			`# Get available space on rootfs`
			`ROOTFS_AVAILABLE_SPACE=$(df -t ext4 -P "$ROOTFS_MOUNT" \| tail -1 \| awk '{print $4}')`
			`yellow "Space available on rootfs : $ROOTFS_AVAILABLE_SPACE sectors"`
			`# Get Media folder size`
			`MEDIA_SIZE=$(du -c "$LOCAL_MEDIA_DIR" \| tail -1 \| awk '{print $1}')`
			`yellow "Size of medias : $MEDIA_SIZE sectors"`
			`fi`
			`if [[ ! "$DRY_RUN" ]]; then`
			`# Only copy files if enough space available`
			`if [[ "$MEDIA_SIZE" -lt "$ROOTFS_AVAILABLE_SPACE" ]]; then`
			`USER_ID=$( cat "$ROOTFS_MOUNT/etc/passwd" \| grep $PI_USER \| awk -F: '{print $3}' )`
			`GROUP_ID=$( cat "$ROOTFS_MOUNT/etc/passwd" \| grep $PI_USER \| awk -F: '{print $4}' )`
			`sudo cp "$LOCAL_MEDIA_DIR/"* "$REMOTE_MEDIA_DIR/"`
			`sudo chown -R $USER_ID:$GROUP_ID "$REMOTE_MEDIA_DIR"`
			`sync`
			`else`
			`red "Not enough space on $ROOTFS_MOUNT, skipping..."`
			`fi`
Switch to bullseye, fix conn.close(), deploy script 2022-10-22 14:22:38 +02:00			`fi`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`# Unmount FS`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`green "14/14 : Unmounting filesystems"`
			`if [[ ! "$DRY_RUN" ]]; then`
			`umount "$BOOT_MOUNT"`
			`umount "$ROOTFS_MOUNT"`
			`fi`
Fix media sync, add files checks 2022-10-22 15:04:00 +02:00			`yellow "Client $(($IP-9))/$CLIENT_NUMBER done."`
Add dry run, sanitize bash syntax 2022-10-30 14:46:08 +01:00			`#~ echo "$IP / $(($IP_CNT-1))"`
			`if [[ "$IP" -lt "$(($IP_CNT-1))" ]]; then`
Disable ssl cert valid. for isup() 2022-10-25 18:43:20 +02:00			`red "Please swap sd card in reader and enter uppercase 'yes' to proceed with next client or hit Ctrl-C:"`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`read -n 4 GO_ON`
			`if [ "$GO_ON" != "YES" ]`
			`then`
Generate http auth secret and install it 2022-10-28 19:02:46 +02:00			`red "Answer was different from 'YES'. Aborting...\n" >&2`
Add nix deployment script, changelog, etc. 2022-10-18 17:18:55 +02:00			`break`
			`fi`
			`GO_ON=0`
			`((IP++))`
			`else`
			`green "All done !"`
			`exit 1`
			`fi`
			`done`
			`yellow "Nothing more to do."`
			`exit 0`
			`#~ rm "$CONFIG_DIR/selfCA.key"`