Commit 5cb907a2 authored by o@immerda.ch's avatar o@immerda.ch

fixing some recent issues

parent 8f078d5b
...@@ -3,12 +3,10 @@ ...@@ -3,12 +3,10 @@
The main idea is to have: The main idea is to have:
1. An `ibox` template VM mirroring more or less a VM created by our [kickstart file](https://code.immerda.ch/immerda/ibox/stemcell/-/blob/master/http/centos8.ks). 1. An `ibox` template VM mirroring more or less a VM created by our [kickstart file](https://code.immerda.ch/immerda/ibox/stemcell/-/blob/master/http/centos8.ks).
1. An `ibox-base` AppVM which serves as "template" (not in the qubes sense) to create iboxes. 1. An `ibox-instance` AppVM.
The second step is merely to avoid repeatedly downloading the ibox repository. First start by checking out this repository in your development VM. We'll assume
it to be called `devqube`:
First start by checking out this repository in your development VM, that we'll assume
to be called `idev`:
``` ```
git clone git@code-ssh.immerda.ch:immerda/ibox/qubes.git ibox-qubes git clone git@code-ssh.immerda.ch:immerda/ibox/qubes.git ibox-qubes
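Review bot: the new list item `1. An `ibox-instance` AppVM.` drops the only sentence that explained what this second VM is for (the removed text said the AppVM exists so the ibox repository is cloned once instead of being re-downloaded for every ibox), so after the rename its purpose is no longer documented anywhere in the README. Suggest keeping a short clause, e.g. `1. An `ibox-instance` AppVM, in which the ibox repository is cloned and applied.`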
...@@ -18,34 +16,27 @@ To create both VMs and install centos-8, there is a [setup/dom0.sh](setup/dom0.s ...@@ -18,34 +16,27 @@ To create both VMs and install centos-8, there is a [setup/dom0.sh](setup/dom0.s
You can run it in dom0 with: You can run it in dom0 with:
``` ```
qvm-run -p idev "cat /home/user/Documents/ibox-qubes/setup/dom0.sh" > setup-ibox.sh qvm-run -p devqube "cat /home/user/Documents/ibox-qubes/setup/dom0.sh" > setup-ibox.sh
sh setup-ibox.sh sh setup-ibox.sh
``` ```
Now all the vms are created and we can start setting up the `ibox` template. Start Troubleshoot: If updating centos-8-minimal fails you might have a broken template. Removing and re-installing the `qubes-template-centos-8-minimal` might help.
Now all the vms are created and we can start setting up the `ibox-template` template. Start
the VM and execute [setup/ibox.sh](setup/ibox.sh) in it, as root. It installs all the VM and execute [setup/ibox.sh](setup/ibox.sh) in it, as root. It installs all
required packages and repositories. required packages and repositories.
Stop the `ibox` VM again. Stop the `ibox-template` VM again.
Now, start the `ibox-base` and download the ibox repo: Now, start the `ibox-instance` and download the ibox repo:
``` ```
git clone https://code.immerda.ch/immerda/ibox/boilerplate.git ibox git clone https://code.immerda.ch/immerda/ibox/boilerplate.git ibox
cd ibox cd ibox
git submodule update --init --recursive git submodule update --init --recursive
``` cp hieradata/vagrant.yaml.sample hieradata/vagrant.yaml
Stop `ibox-base` again.
Finally, you can start using your custom ibox. The easiest is, you clone it first, so you keep a clean state.
In dom0 `qvm-clone ibox-base ibox1`, then start `ibox1`.
In `ibox1` get going with:
```
sudo su - sudo su -
hostnamectl set-hostname ibox1.local hostnamectl set-hostname ibox1.local
cd /home/user/ibox cd /home/user/ibox
cp hieradata/vagrant.yaml.sample hieradata/vagrant.yaml
bin/local_apply.sh bin/local_apply.sh
``` ```
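Review bot: the new text removes the `qvm-clone ibox-base ibox1` and "start `ibox1`" steps but keeps `hostnamectl set-hostname ibox1.local`, now run directly in `ibox-instance` right after the clone, so the reader sets a hostname for a VM that is never created and loses the "clone it first, so you keep a clean state" advice. Either restore a clone step (in dom0 `qvm-clone ibox-instance ibox1`, then run the shell block in `ibox1`) or change the hostname to match `ibox-instance` and say explicitly that the block runs in that VM. Since the `cp hieradata/vagrant.yaml.sample hieradata/vagrant.yaml` line moved into the same fence as the `sudo su -` commands, it is also worth a sentence that the clone and copy are done as `user` and only the lines from `sudo su -` on as root, otherwise the copied file ends up root-owned when someone runs the whole block as root.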
sudo qubes-dom0-update --enablerepo=qubes-templates-community-testing qubes-template-centos-8-minimal sudo qubes-dom0-update --enablerepo=qubes-templates-community-testing qubes-template-centos-8-minimal
qvm-clone centos-8-minimal ibox qvm-run -p -u root centos-8-minimal 'dnf update -y && dnf swap centos-linux-repos centos-stream-repos && rpm -e --nodeps python3-docutils && dnf distro-sync -y'
qvm-run -p -u root ibox 'dnf install qubes-core-agent-networking qubes-core-agent-passwordless-root' qvm-shutdown centos-8-minimal
qvm-shutdown ibox qvm-clone centos-8-minimal ibox-template
qvm-create --label gray --template ibox ibox-base qvm-run -p -u root ibox-template 'dnf install qubes-core-agent-passwordless-root qubes-core-agent-passwordless-networking'
qvm-shutdown ibox-template
qvm-create --label gray --template ibox-template ibox-instance
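Review bot: in the new `qvm-run ... centos-8-minimal` line, `rpm -e --nodeps python3-docutils` forcibly removes a package with no comment on why it has to go before `dnf distro-sync`, and the `dnf install` on the clone now asks for `qubes-core-agent-passwordless-networking`, which looks like the suffix of the preceding `qubes-core-agent-passwordless-root` copied onto the old `qubes-core-agent-networking`; verify that package name exists in the Qubes repo, because if it does not the clone gets no networking agent and the `dnf install` (still run without `-y` here, unlike every other dnf call in this commit) fails. Add a one-line comment for the `python3-docutils` removal, and note in the script or README that `dnf swap centos-linux-repos centos-stream-repos` now runs in the shared `centos-8-minimal` template itself rather than in `ibox-template`, so every VM based on that template is moved to CentOS Stream, not just the ibox ones.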
set -e
sed -i 's/^enabled=.*/enabled=1/' /etc/yum.repos.d/CentOS-Linux-PowerTools.repo /etc/yum.repos.d/CentOS-Linux-ContinousRelease.repo sed -i 's/^enabled=.*/enabled=1/' /etc/yum.repos.d/CentOS-Linux-PowerTools.repo /etc/yum.repos.d/CentOS-Linux-ContinousRelease.repo
cat <<-EOF > /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet cat <<-EOF > /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet
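Review bot: adding `set -e` at the top of ibox.sh changes the behaviour of the unchanged `sed -i 's/^enabled=.*/enabled=1/' /etc/yum.repos.d/CentOS-Linux-PowerTools.repo /etc/yum.repos.d/CentOS-Linux-ContinousRelease.repo` line directly below it: once dom0.sh has swapped the template to `centos-stream-repos`, the `CentOS-Linux-*.repo` files are replaced by `CentOS-Stream-*.repo` files, so sed reports the missing files, exits non-zero, and the script now aborts before installing anything. Check which repo files actually exist on the Stream template (and the `ContinousRelease` spelling, which differs from the upstream `ContinuousRelease` filename) and point sed at those, or guard the edit with a file-existence test so `set -e` does not stop the run there.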
...@@ -128,14 +130,22 @@ EOF ...@@ -128,14 +130,22 @@ EOF
dnf update dnf update
dnf remove unbound-libs python3-unbound dnf remove -y unbound-libs python3-unbound
dnf install ebtables firewalld-filesystem ipset python3-firewall dnf install -y ebtables firewalld-filesystem ipset python3-firewall
dnf download firewalld dnf install -y --allowerasing man-pages mlocate vim-enhanced termite-terminfo wget which virt-what sudo puppet-agent puppet-release puppet-agent-extensions epel-release drpm tmux bash-completion rkhunter cryptsetup gpm chrony tuned dnf-automatic git yum rxvt-unicode
rpm --nodeps -i firewalld*.rpm
rm firewalld*.rpm # for trocla
dnf install --allowerasing man-pages mlocate vim-enhanced termite-terminfo wget which virt-what sudo puppet-agent puppet-release puppet-agent-extensions epel-release drpm tmux bash-completion rkhunter munin-node cryptsetup gpm chrony tuned dnf-automatic fail2ban fail2ban-shorewall git yum rxvt-unicode cat <<-EOF >/etc/puppetlabs/puppet/troclarc.yaml
systemctl disable firewalld profiles:
systemctl mask firewalld sysdomain_nc:
name_constraints:
- local
store: :moneta
store_options:
adapter: :YAML
adapter_options:
:file: /home/user/trocla_data.yaml
EOF
mkdir /etc/puppet mkdir /etc/puppet
ln -s /home/user/ibox /etc/puppet/ibox ln -s /home/user/ibox /etc/puppet/ibox
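Review bot: the new troclarc.yaml points trocla's moneta/YAML store at `/home/user/trocla_data.yaml`, a file that will hold every generated password and key in plain text, yet nothing in the hunk creates it with restrictive permissions or documents it as secret material; since ibox.sh runs in the template and the AppVM gets its own private `/home`, the file is first written at apply time in the AppVM, so either create it there with mode 0600 before the first `bin/local_apply.sh` or point the store at a root-only path such as `/root/trocla_data.yaml`, and mention the file in the README. Two smaller points: `dnf update` at the top of the hunk is the one dnf call still without `-y`, so under the new `set -e` it prompts and an answer of `N` aborts the script; and the quiet removal of `munin-node`, `fail2ban` and `fail2ban-shorewall` from the install list, together with dropping the `systemctl disable/mask firewalld` lines, is not mentioned in the commit message, so say whether those services are now expected to come from puppet or are no longer wanted.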