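#!/bin/sh
#
# depenguinator: replace a running Ubuntu (arm64) host with FreeBSD on ZFS,
# in place, using only the tools reachable from the Linux side.
#
# usage:
#   ssh -p 22 root@target curl -sLo /tmp/depenguinator.sh https://git.io/JeQM5
#   ssh -p 22 root@target chmod +x /tmp/depenguinator.sh
#   ssh -p 22 root@target /tmp/depenguinator.sh
#
# Assumptions baked into this script (verify before running on a new box):
#   - the system disk is /dev/sda and partition 2 is the swap we repurpose
#   - the ESP is mounted at /boot/efi (BOOTAA64.EFI is written there)
#   - the primary Linux interface is bond0; its addresses are carried over
#   - the CPU vendor (lscpu) is APM (Ampere) or CAVIUM (ThunderX)
#
# Options live in `set`, not the shebang, so they survive `sh script.sh`.
set -eux

### depenguinator pick your poison
#SITE=https://download.freebsd.org/ftp
SITE=https://koan-ci.com

VENDOR=$(lscpu --json | jq -r '.lscpu[] | select(.field == "Vendor ID:") | .data')
case "$VENDOR" in
  APM)
    ### ampere
    echo Ampere
    BASE=${SITE}/snapshots/arm64/aarch64/13.0-CURRENT
    ;;
  CAVIUM)
    ### cavium thunderX
    echo ThunderX
    BASE=${SITE}/releases/arm64/aarch64/12.1-RELEASE
    ;;
  *)
    # Fail here, before any partition is touched, rather than later
    # with an "unset BASE" error after the swap has already been destroyed.
    printf 'unsupported CPU vendor: %s\n' "$VENDOR" >&2
    exit 1
    ;;
esac

### update the ubuntu bits
export DEBIAN_FRONTEND=noninteractive
apt update -yq
## apt upgrade -yq
apt install -yq zfsutils-linux

### give us back the swap partition and convert type to zfs
swapoff --all
sed -i '/swap/d' /etc/fstab

### man https://rodsbooks.com/gdisk/sgdisk.html
zpool destroy zroot || true
# a504 is sgdisk's short code for the FreeBSD ZFS type GUID set on the next line
sgdisk -t 2:a504 /dev/sda
sgdisk -t 2:516e7cba-6ecf-11d6-8ff8-00022d09712b /dev/sda
sgdisk -c 2:zfs /dev/sda
# zero the old swap so no stale ZFS/swap labels survive; dd exits non-zero
# when it hits the end of the partition, which is the expected outcome here
time dd if=/dev/zero of=/dev/sda2 bs=1024 conv=sync || true
sgdisk -z /dev/sda2
kpartx /dev/sda
sgdisk -i 2 /dev/sda
# Partition GUID code: 516E7CBA-6ECF-11D6-8FF8-00022D09712B (FreeBSD ZFS)
# Partition unique GUID: 9216D1FD-8855-46F5-B336-C565C9BA4267
# First sector: 1026048 (at 501.0 MiB)
# Last sector: 10403077 (at 5.0 GiB)
# Partition size: 9377030 sectors (4.5 GiB)
# Attribute flags: 0000000000000000
# Partition name: 'zfs'

### download bits from a geo-DNS appropriate server
cd /var/tmp
echo nameserver 9.9.9.9 | tee /etc/resolv.conf
# NOTE(review): the archives are fetched over TLS but not checked against a
# MANIFEST/sha256; whether the configured SITE publishes one is not known
# from here — confirm and verify before unpacking onto the new root.
for f in base base-dbg kernel kernel-dbg; do
  test -f "${f}.txz" || curl -#LO "${BASE}/${f}.txz"
  echo fetched "${BASE}/${f}.txz"
done

### make a compatible zpool with all the good things
# -o autoexpand=on \
# -o delegation=on \
# -o failmode=continue \
# -o feature@multi_vdev_crash_dump=enabled \
# -o feature@sha512=enabled \
# -o feature@skein=enabled \
# -o feature@spacemap_histogram=enabled \
# -o feature@async_destroy=enabled \
# -o feature@bookmarks=enabled \
# -o feature@embedded_data=enabled \
# -o feature@empty_bpobj=enabled \
# -o feature@enabled_txg=enabled \
# -o feature@extensible_dataset=enabled \
# -o feature@filesystem_limits=enabled \
# -o feature@hole_birth=enabled \
# -o feature@large_blocks=enabled \
# -o feature@large_dnode=enabled \
# -d disables every feature flag by default; only lz4_compress is re-enabled
# so the pool stays importable by the FreeBSD release being installed
zpool create -d \
  -o ashift=12 \
  -o feature@lz4_compress=enabled \
  -O checksum=sha256 \
  -O compression=lz4 \
  -O atime=off \
  -R /mnt \
  zroot /dev/disk/by-partlabel/zfs
zpool get all zroot

### create a FreeBSD-friendly zfs layout
zfs create -o canmount=off zroot/ROOT
zfs create -o canmount=noauto -o mountpoint=/ zroot/ROOT/default
zfs set canmount=off mountpoint=none zroot
zpool set bootfs=zroot/ROOT/default zroot
zpool export zroot
zpool import -R /mnt zroot
# it wont mount itself and then stuff ends up in the wrong places
zfs mount zroot/ROOT/default
zfs create -o canmount=off -o mountpoint=/usr zroot/usr
zfs create -o setuid=off zroot/usr/home
zfs create -o setuid=off zroot/usr/ports
zfs create -o setuid=off zroot/usr/src
zfs create -o canmount=off -o mountpoint=/var zroot/var
zfs create -o setuid=off -o exec=off zroot/var/audit
zfs create -o setuid=off -o exec=off zroot/var/crash
zfs create -o setuid=off -o exec=off zroot/var/log
zfs create -o setuid=off -o exec=off -o atime=on zroot/var/mail
zfs create -o setuid=off -o exec=off zroot/var/tmp
# readonly=off toggle later otherwise untar of base.txz fails
zfs create -o setuid=off -o exec=off zroot/var/empty
ln -s /usr/home /mnt/home
zfs list -o canmount,mounted,mountpoint,name,referenced

### daemonise
### linux tar isn't perfect *but* it is good enough
### tar: Ignoring unknown extended header keyword 'SCHILY.fflags'
for f in base base-dbg kernel kernel-dbg; do
  tar xJ -C /mnt -f "/var/tmp/${f}.txz"
done
zfs set readonly=on zroot/var/empty
zfs snapshot -r zroot@unpacked

### these bits live outside zfs
cp /mnt/boot/loader.efi /boot/efi/EFI/BOOT/BOOTAA64.EFI

### ensure we can get in remotely afterwards
tee /mnt/etc/resolv.conf <<'DNS'
nameserver 9.9.9.9
DNS

# UsePAM is off, so only the key below grants access; no password path exists
tee -a /mnt/etc/ssh/sshd_config <<'SSHD'
PermitRootLogin without-password
UseDNS no
UsePAM no
Port 22
Port 2200
ChallengeResponseAuthentication no
SSHD

# the operator's public key is baked in so the host is reachable after reboot
mkdir -m 0700 /mnt/root/.ssh
tee /mnt/root/.ssh/authorized_keys <<'KEYS'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxKqF4cbpw79SXH6Tvzn+oZuz4W2CiYZli4n9g+B8nm dch@skunkwerks.at 20170905
KEYS

### misc fstab
# mkdir /mnt/dev/fd /mnt/efi
echo tmpfs /tmp tmpfs rw,mode=01777,size=120g 0 0 > /mnt/etc/fstab
# Device      Mountpoint  FStype    Options             Dump  Pass#
#/dev/gpt/swap none       swap      sw                  0     0
#/dev/gpt/BIOS /efi       msdosfs   rw,late             0     0
#tmpfs         /tmp       tmpfs     rw,mode=01777,size=12g 0  0
#proc          /proc      procfs    rw                  0     0
#fdescfs       /dev/fd    fdescfs   rw                  0     0
# ## linux64
#linprocfs /compat/linux/proc    linprocfs rw          0     0
#linsysfs  /compat/linux/sys     linsysfs  rw          0     0
#tmpfs     /compat/linux/dev/shm tmpfs     rw,mode=1777 0    0

tee -a /mnt/boot/loader.conf <<'LOADER'
autoboot_delay="30"
beastie_disable="YES"
boot_multicons="YES"
boot_serial="YES"
console="efi"
zfs_load="YES"
opensolaris_load="YES"
mlx5_load="YES"
mlx5en_load="YES"
mlxfw_load="YES"
linuxkpi_load="YES"
xz_load="YES"
tmpfs_load="YES"
kern.geom.label.disk_ident.enable="0"
kern.geom.label.gptid.enable="0"
LOADER

# extract IP info for later
# each of these is required below; under set -e an empty route/address
# aborts the script instead of writing a broken rc.conf
ip -j addr | jq -r '.[] | select(.ifname == "bond0") | .addr_info[]' \
  > /tmp/addr.json
IP=$(jq -r 'select(.label == "bond0") | .local' /tmp/addr.json)
IP6=$(jq -r 'select(.prefixlen == 127) | .local' /tmp/addr.json)
ROUTE=$(ip -f inet route | grep -Po '(?<=default via )([0-9.]+)')
ROUTE6=$(ip -f inet6 route | grep -Po '(?<=default via )([0-9.:a-f]+)')

# unquoted delimiter: ${IP}, ${IP6}, ${ROUTE}, ${ROUTE6} are expanded here
tee -a /mnt/etc/rc.conf <<RCCONF
hostname="a01"
cloned_interfaces="lagg0"
ifconfig_lagg0_alias0="inet ${IP}/30"
# ifconfig_lagg0_alias1="inet PRIVATE/31"
ifconfig_lagg0_ipv6="inet6 ${IP6}/127"
defaultrouter="${ROUTE}"
ipv6_defaultrouter="${ROUTE6}"
# static_routes="private"
# route_private="-net 10.0.0.0/8 ROUTEPRIVATE"
sshd_enable="YES"
sendmail_enable="NONE"
inetd_enable="NO"
growfs_enable="YES"
cloudinit_enable="YES"
zfs_enable="YES"
RCCONF

case "$VENDOR" in
  APM)
    ### ampere
    tee -a /mnt/etc/rc.conf <<'AMPERE'
ifconfig_mce0="up"
ifconfig_mce1="up"
ifconfig_lagg0="laggproto lacp laggport mce0 laggport mce1"
AMPERE
    ;;
  CAVIUM)
    ### cavium thunderX
    tee -a /mnt/etc/rc.conf <<'CAVIUM'
ifconfig_vnic0="up"
ifconfig_vnic1="up"
ifconfig_lagg0="laggproto lacp laggport vnic0 laggport vnic1"
iovctl_files="/etc/iov/vnicpf0.conf"
CAVIUM
    ;;
esac

## enable latest pkg repo
# The delimiter is quoted on purpose: ${ABI} is a pkg(8) variable expanded by
# pkg at runtime, not a shell variable. Unquoted, the shell would try to
# expand it and abort under set -u (or write an empty URL).
mkdir -p /mnt/usr/local/etc/pkg/repos/
tee /mnt/usr/local/etc/pkg/repos/FreeBSD.conf <<'REPO'
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}
REPO

## install firstboot_pkgs script
# NOTE(review): git.io is a mutable redirector and nothing here pins or
# verifies what it resolves to; consider pointing at a fixed commit URL
# and checking a known hash before marking it executable on the new root.
mkdir -p /mnt/usr/local/etc/rc.d
curl -#L https://git.io/Je7Z4 -o /mnt/usr/local/etc/rc.d/firstboot_pkgs
chmod +x /mnt/usr/local/etc/rc.d/firstboot_pkgs

## enable firstboot setup
# rc.conf.d may or may not be present in the unpacked base; -p makes this a no-op if it is
mkdir -p /mnt/etc/rc.conf.d
# delimiter left unquoted so the backslash-newline continuations are joined
# exactly as before (the sourced rc.conf.d file would join them anyway)
tee /mnt/etc/rc.conf.d/firstboot_pkgs <<PKGS
firstboot_pkgs_enable=YES
firstboot_pkgs_list="net/mosh ftp/curl sysutils/tmux net/rsync \
lang/erlang-runtime22 devel/git sysutils/fd textproc/ripgrep htop \
spidermonkey60 devel/elixir-hex net/rabbiteer net/haproxy21 \
devel/git devel/rebar3 sysutils/htop sysutils/ec2-scripts \
textproc/libucl security/sudo devel/ccache devel/llvm10 \
devel/cmake editors/neovim"
PKGS

## enable sudo
# sudo refuses sudoers.d fragments that are more permissive than 0440, and
# tee creates the file with the umask default, so fix the mode explicitly
mkdir -p /mnt/usr/local/etc/sudoers.d
tee /mnt/usr/local/etc/sudoers.d/wheel <<'SUDOERS'
%wheel ALL=(ALL) NOPASSWD: ALL
SUDOERS
chmod 0440 /mnt/usr/local/etc/sudoers.d/wheel

zfs snapshot -r zroot@tweaked
zpool set autoexpand=on zroot
tee /mnt/etc/rc.conf.d/growfs <<'GROWZFS'
growfs_enable=YES
GROWZFS

############# clean up ##################
sync
zpool get all
zfs list -o canmount,mounted,mountpoint,name,referenced
sleep 10
zpool export zroot
# drop the legacy-BIOS attribute and remove partition 3 so firmware boots
# the EFI loader copied above; after this the Linux install is gone
sgdisk -A 3:clear:2 -d 3 /dev/sda
reboot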