|
1
|
1 import os
|
|
|
2 from pyinfra import host
|
|
|
3 from pyinfra.operations import server, files, apt, ssh, systemd
|
|
|
4 from pyinfra.facts.server import LinuxDistribution
|
|
|
5
|
|
|
6 is_pi = host.get_fact(LinuxDistribution)['name'] == 'Debian'
|
|
|
7 is_wifi_pi = host.name in ['frontdoor', 'living']
|
|
|
8
|
|
|
9 TZ = 'America/Los_Angeles'
|
|
|
10
|
|
|
11 #
|
|
|
12 # system
|
|
|
13 #
|
|
|
14
|
|
|
15 server.hostname(hostname=host.name)
|
|
|
16 files.link(path='/etc/localtime', target=f'/usr/share/zoneinfo/{TZ}')
|
|
|
17 files.replace(path='/etc/timezone', match='.*', replace=TZ)
|
|
|
18 apt.packages(update=True,
|
|
|
19 cache_time=86400,
|
|
|
20 packages=['tzdata'],
|
|
|
21 force=True,
|
|
|
22 env={
|
|
|
23 'TZ': TZ,
|
|
|
24 'LANG': 'en_US.UTF-8',
|
|
|
25 'DEBIAN_FRONTEND': 'noninteractive'
|
|
|
26 })
|
|
|
27
|
|
|
28 #
|
|
|
29 # fstab
|
|
|
30 #
|
|
|
31
|
|
|
32 fstab_file = f'files/{host.name}_fstab'
|
|
|
33 if os.path.exists(fstab_file):
|
|
|
34 files.put(src=fstab_file, dest='/etc/fstab')
|
|
|
35 if is_pi:
|
|
|
36 for line in [
|
|
|
37 'tmpfs /var/log tmpfs defaults,noatime,mode=0755 0 0',
|
|
|
38 'tmpfs /tmp tmpfs defaults,noatime 0 0',
|
|
|
39 ]:
|
|
|
40 files.line(path="/etc/fstab", line=line, replace=line)
|
|
|
41
|
|
|
42 # stop SD card corruption (along with some mounts in fstab)
|
|
|
43 apt.packages(packages=['dphys-swapfile'], present=False)
|
|
|
44
|
|
|
45 #
|
|
|
46 # pkgs
|
|
|
47 #
|
|
|
48
|
|
|
49 if not is_pi:
|
|
|
50 apt.key(keyserver='keyserver.ubuntu.com', keyid='8B48AD6246925553')
|
|
|
51
|
|
|
52 if is_pi:
|
|
|
53 apt.packages(packages=['dirmngr', 'gnupg2', 'apt-utils'])
|
|
|
54 files.template(src='templates/pi_sources.list.j2', dest='/etc/apt/sources.list', rel='buster')
|
|
|
55
|
|
|
56 apt.key(src='https://ftp-master.debian.org/keys/archive-key-8.asc')
|
|
|
57 apt.key(src='https://ftp-master.debian.org/keys/archive-key-8-security.asc')
|
|
|
58 apt.key(src='https://ftp-master.debian.org/keys/archive-key-9-security.asc')
|
|
|
59
|
|
|
60 files.file(path='/etc/apt/sources.list.d/raspi.list', present=False)
|
|
|
61
|
|
|
62 if is_wifi_pi:
|
|
|
63 files.put(dest="/etc/network/interfaces.d/wlan0", src="files/pi_wlan0_powersave")
|
|
|
64 ssh.command(host.name, "iw wlan0 set power_save off")
|
|
|
65
|
|
|
66 # see https://www.raspberrypi.org/documentation/configuration/config-txt/memory.md#:~:text=txt-,gpu_mem,-Specifies
|
|
|
67 # to port to pyinfra
|
|
|
68 #- name: unused display; give ram to OS
|
|
|
69 # lineinfile: dest=/boot/config.txt line="gpu_mem=16" regexp="^gpu_mem="
|
|
|
70 # when: "'with_x11' not in group_names"
|
|
|
71
|
|
|
72 # for beacon
|
|
|
73 #enable_uart=1
|
|
|
74 #dtoverlay=pi3-miniuart-bt
|
|
|
75 #core_freq=250
|
|
|
76
|
|
|
77 # for tiny_screen
|
|
|
78 #to port to pyinfra
|
|
|
79 #- lineinfile: dest=/boot/config.txt line="dtparam=spi=on" regexp="^dtparam=spi="
|
|
|
80
|
|
|
81 # i hope this is deletable
|
|
|
82 # downgrade strictness so I can install from https://archive.raspberrypi.org/
|
|
|
83 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907788
|
|
|
84 #- lineinfile: dest=/etc/ssl/openssl.cnf line="#CipherString = DEFAULT@SECLEVEL=2" regexp="CipherString ?="
|
|
|
85
|
|
|
86 # may be fixed in k3s, not sure
|
|
|
87 # raspbian defaults to `iptables -V` -> iptables v1.8.4 (nf_tables), which won't work with k3s
|
|
|
88 # - command: update-alternatives --set iptables /usr/sbin/iptables-legacy
|
|
|
89 if not is_pi:
|
|
|
90 apt.key(src='https://dl.google.com/linux/linux_signing_key.pub')
|
|
|
91 apt.repo(src='deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main')
|
|
|
92
|
|
|
93 apt.key(src='https://packages.microsoft.com/keys/microsoft.asc')
|
|
|
94 apt.repo(src="deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main")
|
|
|
95
|
|
|
96 apt.ppa(src="ppa:savoury1/blender")
|
|
|
97
|
|
|
98 apt.key(keyserver='keyserver.ubuntu.com', keyid='F24AEA9FB05498B7')
|
|
|
99 apt.repo(src="deb [arch=amd64,i386] https://repo.steampowered.com/steam/ stable steam")
|
|
|
100
|
|
|
101 if is_pi:
|
|
|
102 apt.key(src="https://download.docker.com/linux/raspbian/gpg")
|
|
|
103 apt.repo(src="deb [arch=armhf] https://download.docker.com/linux/raspbian stretch stable")
|
|
|
104 apt.repo(src='deb http://deb.debian.org/debian/ unstable main') # maybe for WG
|
|
|
105
|
|
|
106 # don't try to get aufs-dkms on rpi-- https://github.com/docker/for-linux/issues/709
|
|
|
107 apt.packages(packages=['docker.io'], no_recommends=True)
|
|
|
108
|
|
|
109 apt.packages(packages=[
|
|
|
110 'build-essential',
|
|
2
|
111 'i2c-tools',
|
|
|
112 'keychain',
|
|
|
113 'python3-docker',
|
|
|
114 'python3-invoke',
|
|
1
|
115 'python3-pip',
|
|
|
116 'python3-virtualenv',
|
|
|
117 'rsync',
|
|
|
118 'sysstat',
|
|
|
119 ])
|
|
|
120
|
|
2
|
121 if not is_pi:
|
|
|
122 apt.packages(packages='mlocate', present=False)
|
|
|
123 apt.packages(packages='plocate')
|
|
|
124
|
|
1
|
125 #
|
|
|
126 # ssh
|
|
|
127 #
|
|
|
128
|
|
|
129 systemd.service(
|
|
|
130 service='ssh',
|
|
|
131 running=True,
|
|
|
132 enabled=True,
|
|
|
133 )
|
|
|
134
|
|
|
135 files.line(path='/etc/ssh/ssh_config', line="HashKnownHosts", replace="HashKnownHosts no")
|
|
|
136
|
|
|
137 if is_pi:
|
|
|
138 auth_keys = '/home/pi/.ssh/authorized_keys'
|
|
|
139 files.file(path=auth_keys, user='pi', group='pi', mode=600)
|
|
|
140 for pubkey in [
|
|
|
141 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNlR7hereUHqw/RHQau0F7+vQZKAxduM+SD4R76FhC+4Zi078Pv04ZLe9qdM/NBlB/grLGhG58vaGmnWPpJ3QJs= drewp@plus',
|
|
|
142 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOR+iV8Qm/rAfmq0epXYfnp5ZTfBl8eidFzw1GmyZ3fPUFAshWn839fQ5DPj9xDPtMy9kTtrB5bK1SnynFzDqzQ= drewp@bang',
|
|
|
143 ]:
|
|
|
144 files.line(path=auth_keys, line=pubkey, replace=pubkey)
|
|
|
145
|
|
|
146 #
|
|
|
147 # docker (delete this?)
|
|
|
148 #
|
|
|
149
|
|
|
150 files.put(src='files/docker_daemon.json', dest='/etc/docker/daemon.json')
|
|
|
151 systemd.service(service='docker', running=True, enabled=True, restarted=True)
|
|
|
152
|
|
|
153 if not is_pi:
|
|
|
154 files.line(path='/etc/update-manager/release-upgrades', line="^Prompt=", replace="Prompt=normal")
|
|
|
155
|
|
|
156 files.line(path='/etc/ssh/sshd_config', line="^UseDNS\b", replace="UseDNS no")
|
|
|
157 systemd.service(service='sshd', reloaded=True)
|
|
|
158
|
|
|
159 #
|
|
|
160 # special hosts
|
|
|
161 #
|
|
|
162
|
|
|
163 if host.name == "bang":
|
|
|
164 apt.packages(packages=[
|
|
|
165 'libzfs2linux',
|
|
|
166 'zfsutils-linux',
|
|
|
167 'zfs-zed',
|
|
|
168 'zfs-auto-snapshot',
|
|
|
169 ])
|
|
|
170
|
|
|
171 # This is usable on pi where we don't care when they reboot:
|
|
|
172 #- name: apt_upgrade
|
|
|
173 # apt: upgrade=full
|
|
|
174 #- name: Check if a reboot is required
|
|
|
175 # register: file
|
|
|
176 # stat: path=/var/run/reboot-required get_md5=no
|
|
|
177 #- name: Reboot the server
|
|
|
178 # command: /sbin/reboot
|
|
|
179 # when: file.stat.exists == true
|
