[debian-lan-devel] [SCM] Debian-LAN development and packaging branch, master, updated. debian/0.12-3-gbd74568
Andreas B. Mundt
andi at debian.org
Sun Jul 14 11:24:37 UTC 2013
The following commit has been merged in the master branch:
commit bd74568efda439b7deee31d3f3e68d5cb66f1429
Author: Andreas B. Mundt <andi at debian.org>
Date: Sun Jul 14 12:45:45 2013 +0200
New machine: 'gateway'. Simple gateway/firewall machine.
In addition, move 'unattended-upgrades' and 'anacron' from the DESKTOP
to the CLIENT_A class.
diff --git a/fai/config/class/50-host-classes b/fai/config/class/50-host-classes
index 1338c49..596b9c2 100755
--- a/fai/config/class/50-host-classes
+++ b/fai/config/class/50-host-classes
@@ -67,6 +67,8 @@ case $HOSTNAME in
##
## These hosts are part of the Debian-LAN:
##
+ gateway)
+ echo "FAIBASE DEBIAN DHCPC FIREWALL GATEWAY_A" ;;
mainserver)
echo "FAIBASE DEBIAN FAISERVER $MAINSERVER_A" ;;
## For individualizing machines, define the host before the
diff --git a/fai/config/class/CLIENT_A.var b/fai/config/class/GATEWAY_A.var
similarity index 64%
copy from fai/config/class/CLIENT_A.var
copy to fai/config/class/GATEWAY_A.var
index 340da64..ed01d9a 100644
--- a/fai/config/class/CLIENT_A.var
+++ b/fai/config/class/GATEWAY_A.var
@@ -1,4 +1,4 @@
-# Default values for installation CLIENT_A.
+# Default values for installation GATEWAY_A.
# allow installation of packages from unsigned repositories
FAI_ALLOW_UNSIGNED=0
@@ -13,11 +13,12 @@ TIMEZONE=Europe/Berlin
# Use: 'mkpasswd -Hsha-256 <PASSWORD>' to create the password hash
# pw is "fai":
#ROOTPW='$1$kBnWcO.E$djxB128U7dMkrltJHPf6d1'
-ROOTPW='*'
+# If $ROOTPW is empty, you will be prompted during installation:
+ROOTPW=${ROOTPW:-''}
-## URL of the local site's APT repository.
-## Set empty to skip this feature.
-APT_URL="http://www.intern/debian/"
+GATEWAY_IPADDR=${GATEWAY_IPADDR:-'10.0.0.1'}
+BROADCAST_LAN=${BROADCAST_LAN:-'10.0.255.255'}
+NETMASK="255.255.0.0"
# erros in tasks greater than this value will cause the installation to stop
STOP_ON_ERROR=700
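Review bot: `NETMASK="255.255.0.0"` is the only one of the three new network settings that cannot be overridden from the environment, while `GATEWAY_IPADDR` and `BROADCAST_LAN` use the `${VAR:-default}` form; for consistency use `NETMASK=${NETMASK:-'255.255.0.0'}`. The quoted empty default in `ROOTPW=${ROOTPW:-''}` is redundant, `ROOTPW=${ROOTPW:-}` yields the same value. The new comment promises a prompt when `$ROOTPW` is empty, but the code doing the prompting presumably lives in another script, so naming that script in the comment would make the dependency visible. The example hash in the context line above is an MD5-crypt (`$1$`) value although the comment recommends `mkpasswd -Hsha-256`; a `$5$` example would match the advice.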
diff --git a/fai/config/debconf/CLIENT_A b/fai/config/debconf/CLIENT_A
index bfbb279..f4e825b 100644
--- a/fai/config/debconf/CLIENT_A
+++ b/fai/config/debconf/CLIENT_A
@@ -1,2 +1,3 @@
nullmailer nullmailer/adminaddr string postmaster at mail.intern
nullmailer nullmailer/relayhost string mail.intern smtp --starttls --insecure
+unattended-upgrades unattended-upgrades/enable_auto_updates boolean true
diff --git a/fai/config/debconf/DESKTOP b/fai/config/debconf/GATEWAY_A
similarity index 100%
rename from fai/config/debconf/DESKTOP
rename to fai/config/debconf/GATEWAY_A
diff --git a/fai/config/disk_config/GATEWAY_A b/fai/config/disk_config/GATEWAY_A
new file mode 100644
index 0000000..67ae992
--- /dev/null
+++ b/fai/config/disk_config/GATEWAY_A
@@ -0,0 +1,7 @@
+disk_config disk1 disklabel:msdos bootable:1 fstabkey:uuid
+
+primary / 500-1G ext4 errors=remount-ro
+logical swap 200-1000 swap sw
+logical /var 1G- ext4 defaults
+logical /tmp 100-1G ext4 defaults
+logical /usr 1G-4G ext4 defaults
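Review bot: `/tmp` and `/var` get their own filesystems but are mounted with `defaults` (`logical /var 1G- ext4 defaults`, `logical /tmp 100-1G ext4 defaults`), which gives up the main benefit of splitting them off on a gateway host. `logical /tmp 100-1G ext4 defaults,nodev,nosuid` and `logical /var 1G- ext4 defaults,nodev` are the usual hardening options and cost nothing here. A one-line comment above the layout stating why `/usr` is capped at 4G while `/var` is open-ended would also help the next reader.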
diff --git a/fai/config/files/etc/apt/sources.list/CLIENT_A b/fai/config/files/etc/apt/sources.list/GATEWAY_A
similarity index 100%
copy from fai/config/files/etc/apt/sources.list/CLIENT_A
copy to fai/config/files/etc/apt/sources.list/GATEWAY_A
diff --git a/fai/config/files/etc/fai/grub.cfg/SERVER_A b/fai/config/files/etc/fai/grub.cfg/SERVER_A
index 2eaf369..4bf0fd9 100644
--- a/fai/config/files/etc/fai/grub.cfg/SERVER_A
+++ b/fai/config/files/etc/fai/grub.cfg/SERVER_A
@@ -58,6 +58,13 @@ menuentry " Fully Automatic Installation - Debian-LAN: mainserver" {
initrd /boot/initrd.img
}
+menuentry " Fully Automatic Installation - Debian-LAN: gateway" {
+ set gfxpayload=1024x768
+ set root=(cd)
+ linux /boot/vmlinuz boot=live FAI_FLAGS="verbose,createvt" FAI_ACTION=install hostname=gateway
+ initrd /boot/initrd.img
+}
+
menuentry " FAI - System Information" {
set gfxpayload=1024x768
set root=(cd)
diff --git a/fai/config/files/etc/motd/SERVER_A b/fai/config/files/etc/motd/GATEWAY_A
similarity index 75%
copy from fai/config/files/etc/motd/SERVER_A
copy to fai/config/files/etc/motd/GATEWAY_A
index d3e4a0f..cb5b31c 100644
--- a/fai/config/files/etc/motd/SERVER_A
+++ b/fai/config/files/etc/motd/GATEWAY_A
@@ -1,6 +1,6 @@
- Debian-LAN -- Debian Local Area Network SERVER_A
- ===================================================
+ Debian-LAN -- Debian Local Area Network GATEWAY_A
+ ====================================================
Realized by FAI:
diff --git a/fai/config/package_config/CLIENT_A b/fai/config/package_config/CLIENT_A
index 5abd6aa..5cb4804 100644
--- a/fai/config/package_config/CLIENT_A
+++ b/fai/config/package_config/CLIENT_A
@@ -1,6 +1,8 @@
## Here are all default packages for the given setup that do not fit
## another class.
PACKAGES aptitude
+anacron
sudo-ldap
quota
+unattended-upgrades
#unburden-home-dir
diff --git a/fai/config/package_config/DESKTOP b/fai/config/package_config/DESKTOP
index 0cded47..9232b02 100644
--- a/fai/config/package_config/DESKTOP
+++ b/fai/config/package_config/DESKTOP
@@ -37,9 +37,7 @@ gimp
libreoffice
-anacron
krb5-auth-dialog
-unattended-upgrades
## non-free packages, if you need those, make sure you add 'contrib'
## and 'non-free' to the 'main' repository in
diff --git a/fai/config/package_config/GATEWAY_A b/fai/config/package_config/GATEWAY_A
new file mode 100644
index 0000000..bea7a61
--- /dev/null
+++ b/fai/config/package_config/GATEWAY_A
@@ -0,0 +1,4 @@
+PACKAGES aptitude
+etckeeper
+anacron
+unattended-upgrades
diff --git a/fai/config/scripts/FIREWALL/10-config b/fai/config/scripts/FIREWALL/10-config
index 7c2a3a9..20a9940 100755
--- a/fai/config/scripts/FIREWALL/10-config
+++ b/fai/config/scripts/FIREWALL/10-config
@@ -9,7 +9,7 @@ fi
CONFDIR="${target}/etc/shorewall/"
-if [ "$MAINSERVER_IPADDR" = "$GATEWAY" ] ; then
+prepare_shorewall(){
## mainserver = gateway, use shorewall's "two-interfaces" example as base setup:
for FILE in interfaces masq policy routestopped rules zones ; do
cp -v ${target}/usr/share/doc/shorewall/examples/two-interfaces/$FILE $CONFDIR
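Review bot: The new `prepare_shorewall(){` definition has no header comment and its body runs past this hunk (it is closed in the next one), so a reader at the function start cannot see what state it depends on. Suggested comment above the definition: `## Seed $CONFDIR from shorewall's two-interfaces example and apply the Debian-LAN edits; reads $target and $CONFDIR, takes no arguments.` The loop variable `FILE` inside it is now a global leaking out of a function; `local FILE` as the first line of the body keeps it self-contained.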
@@ -23,6 +23,14 @@ if [ "$MAINSERVER_IPADDR" = "$GATEWAY" ] ; then
sed -i -e 's/eth0/\$NET_IF/' -e 's/eth1/\$LOC_IF/' $CONFDIR/interfaces $CONFDIR/masq $CONFDIR/routestopped
sed -i -e '$i LOC_IF=eth0' -e '$i NET_IF=eth1' $CONFDIR/params
+ ## Limited ssh access:
+ sed -i -e 's%^\(SSH(ACCEPT).*\)$%\1 - - - - s:1/min:1%' $CONFDIR/rules
+}
+
+
+if [ "$HOSTNAME" = "mainserver" ] && [ "$MAINSERVER_IPADDR" = "$GATEWAY" ] ; then
+ prepare_shorewall
+
## Allow access from the LAN to the firewall and from the firewall to LAN and internet:
sed -i -e '/^loc/a loc \$FW ACCEPT' \
-e '/^net/a $FW net ACCEPT' \
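Review bot: The new `sed` under `## Limited ssh access:` appends ` - - - - s:1/min:1` to whatever `SSH(ACCEPT)` line the example `rules` file ships, while both host branches below still append their own `SSH(ACCEPT) all \$FW - - - - s:1/min:1`, so the file ends up with two rate-limited SSH rules whose sources overlap (the appended `all` rule covers the example rule's source zone as well); drop one of them, or add a comment explaining why both are wanted. The substitution also assumes the example line carries only the ACTION/SOURCE/DEST columns and no trailing comment, otherwise the appended columns land inside the comment — worth checking against the shipped file. `$CONFDIR` is unquoted on the new line; `sed -i -e 's%^\(SSH(ACCEPT).*\)$%\1 - - - - s:1/min:1%' "$CONFDIR/rules"` matches the quoting used in the `if` test. The `if` body continues past this hunk.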
@@ -36,7 +44,25 @@ if [ "$MAINSERVER_IPADDR" = "$GATEWAY" ] ; then
#
# Limit ssh connections from everywhere
#
-SSH(ACCEPT) all \$FW - - - - s:1/min:1
+SSH(ACCEPT) all \$FW - - - - s:1/min:1
+
+EOF
+
+elif [ "$HOSTNAME" = "gateway" ] ; then
+ prepare_shorewall
+
+ ## Allow access from firewall to LAN:
+ sed -i -e '/.*MUST BE LAST/i $FW loc ACCEPT' $CONFDIR/policy
+
+ ## Debian-LAN rules:
+ cat >> $CONFDIR/rules <<EOF
+##
+## Debian-LAN
+##
+#
+# Limit ssh connections from everywhere
+#
+SSH(ACCEPT) all \$FW - - - - s:1/min:1
EOF
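Review bot: The gateway branch only inserts `$FW loc ACCEPT` into `policy`, so traffic from the firewall itself to `net` (needed by the apt and `unattended-upgrades` that the GATEWAY_A package list installs) is left to the example policy; if the two-interfaces example has no `$FW net` entry, the final `all all REJECT` applies and upgrades from the gateway fail, so either add `sed -i -e '/.*MUST BE LAST/i $FW net ACCEPT' "$CONFDIR/policy"` or state in a comment that the example already covers it. The sed text here uses a literal `$FW` while the mainserver branch above writes `\$FW` inside the same kind of single-quoted expression; both appear to produce `$FW` in the file, but using one form spares the reader from verifying that. `$CONFDIR` is unquoted on the `sed` and `cat >>` lines, and the here-document could use a quoted delimiter (`<<'EOF'`) so `$FW` needs no backslash escaping.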
diff --git a/fai/config/scripts/GATEWAY_A/10-misc b/fai/config/scripts/GATEWAY_A/10-misc
new file mode 100755
index 0000000..2723043
--- /dev/null
+++ b/fai/config/scripts/GATEWAY_A/10-misc
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -e
+
+## Switch on apt-cacher-ng:
+# FIXME: resolv.conf does not use the internal name server, so DNS fails here:
+ainsl -a /etc/apt/apt.conf '#Acquire::http::Proxy "http://aptcache.intern:3142/";'
+
+if [ "$FAI_ACTION" != "install" ] && [ "$CONVERT" != "true" ] ; then
+ exit 0
+fi
+
+## Generate '/etc/network/interfaces':
+cat > $target/etc/network/interfaces <<EOF
+# The loopback network interface
+auto lo
+iface lo inet loopback
+ dns-search intern
+
+# The internal network interface
+auto eth0
+iface eth0 inet static
+ address ${GATEWAY_IPADDR}
+ netmask ${NETMASK}
+ broadcast ${BROADCAST_LAN}
+
+# The external network interface
+auto eth1
+iface eth1 inet dhcp
+EOF
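Review bot: `cat > $target/etc/network/interfaces` builds the path from an unquoted, unchecked `$target`; `set -e` does not catch an unset variable, so if `$target` is empty the here-document overwrites the running system's own `/etc/network/interfaces` — use `cat > "${target:?}/etc/network/interfaces"`, and put `: "${GATEWAY_IPADDR:?}" "${NETMASK:?}" "${BROADCAST_LAN:?}"` before it so a missing class variable fails loudly instead of emitting an empty `address` line. The `ainsl -a /etc/apt/apt.conf` call runs before the `FAI_ACTION` guard and, unlike the interfaces file, does not go through `$target`, so it appears to edit the installer's own apt.conf rather than the new system's; since the inserted line is commented out (`#Acquire::http::Proxy`) it has no effect either way, but the intended path should be stated next to the FIXME. Adding `-u` to `set -e` would catch the unset-variable case for the whole script.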