Mp: различия между версиями
Перейти к навигации
Перейти к поиску
Vovan (обсуждение | вклад) (→Backlog) |
Vovan (обсуждение | вклад) (→do-gnome.sh) |
||
| (не показано 11 промежуточных версий этого же участника) | |||
| Строка 1: | Строка 1: | ||
| − | =Alt | + | =Alt mp-gnome= |
==Клонируем репозиторий сборочницы== | ==Клонируем репозиторий сборочницы== | ||
| Строка 9: | Строка 9: | ||
<pre> | <pre> | ||
cat << EOF > mp/pkg.in/lists/nntc | cat << EOF > mp/pkg.in/lists/nntc | ||
| − | |||
| − | |||
| − | |||
alt-tour | alt-tour | ||
cifs-utils | cifs-utils | ||
| Строка 17: | Строка 14: | ||
docker-engine | docker-engine | ||
docker-compose-v2 | docker-compose-v2 | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
obs-studio | obs-studio | ||
EOF | EOF | ||
| Строка 190: | Строка 125: | ||
make distclean | make distclean | ||
| − | == | + | =Файлы= |
| + | |||
| + | ==features.in/nntc-gnome/live/files/usr/share/install2/postinstall.d/00-nntc.sh== | ||
| + | |||
| + | <pre> | ||
| + | #!/bin/sh | ||
| + | ROOT_MOUNTPOINT='/mnt/destination' | ||
| + | |||
| + | # SSH Fixes | ||
| + | sed -i 's/#PermitRootLogin without-password/PermitRootLogin yes/g' ${ROOT_MOUNTPOINT}/etc/openssh/sshd_config | ||
| + | |||
| + | # Enable sudo su for WHEEL_USERS | ||
| + | sed -i 's/# WHEEL_USERS ALL=(ALL:ALL) ALL/WHEEL_USERS ALL=(ALL:ALL) ALL/g' ${ROOT_MOUNTPOINT}/etc/sudoers | ||
| + | |||
| + | # Fix GRUB timeout | ||
| + | sed -i 's/#GRUB_TIMEOUT=5/GRUB_TIMEOUT=1/g' ${ROOT_MOUNTPOINT}/etc/default/grub | ||
| + | sed -i 's/#GRUB_TIMEOUT=5/GRUB_TIMEOUT=1/g' ${ROOT_MOUNTPOINT}/etc/sysconfig/grub2 | ||
| + | |||
| + | cat << 'EEOF' > ${ROOT_MOUNTPOINT}/usr/sbin/nntc-update-grub | ||
| + | #!/bin/bash | ||
| + | update-grub | ||
| + | EEOF | ||
| + | |||
| + | # nntc-go2domain script | ||
| + | cat << 'EEOF' > ${ROOT_MOUNTPOINT}/usr/sbin/nntc-go2domain | ||
| + | #!/bin/bash | ||
| + | |||
| + | function init_pam_mount_settings() { | ||
| + | cat << 'EOF' > /etc/pam.d/system-auth-sss | ||
| + | #%PAM-1.0 | ||
| + | |||
| + | auth [success=5 perm_denied=ignore default=die] pam_localuser.so | ||
| + | auth [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet | ||
| + | auth [default=1] pam_permit.so | ||
| + | auth optional pam_mount.so | ||
| + | auth substack system-auth-sss-only | ||
| + | auth [default=1] pam_permit.so | ||
| + | auth substack system-auth-local-only | ||
| + | auth substack system-auth-common | ||
| + | |||
| + | account [success=4 perm_denied=ignore default=die] pam_localuser.so | ||
| + | account [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet | ||
| + | account [default=1] pam_permit.so | ||
| + | account substack system-auth-sss-only | ||
| + | account [default=1] pam_permit.so | ||
| + | account substack system-auth-local-only | ||
| + | account substack system-auth-common | ||
| + | |||
| + | password [success=4 perm_denied=ignore default=die] pam_localuser.so | ||
| + | password [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet | ||
| + | password [default=1] pam_permit.so | ||
| + | password substack system-auth-sss-only | ||
| + | password [default=1] pam_permit.so | ||
| + | password substack system-auth-local-only | ||
| + | password substack system-auth-common | ||
| + | |||
| + | session [success=5 perm_denied=ignore default=die] pam_localuser.so | ||
| + | session [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet | ||
| + | session [default=1] pam_permit.so | ||
| + | session required pam_mkhomedir.so silent | ||
| + | session optional pam_mount.so disable_interactive | ||
| + | session substack system-auth-sss-only | ||
| + | session [default=1] pam_permit.so | ||
| + | session substack system-auth-local-only | ||
| + | session substack system-auth-common | ||
| + | session optional pam_script.so | ||
| + | EOF | ||
| + | |||
| + | cat << 'EOF' > /etc/security/pam_mount.conf.xml | ||
| + | <?xml version="1.0" encoding="utf-8" ?> | ||
| + | <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd"> | ||
| + | <pam_mount> | ||
| + | <debug enable="0" /> | ||
| + | <volume uid="10000-2000200000" fstype="cifs" server="dc.nntc.alt" path="share" mountpoint="~/share" options="sec=krb5,cruid=%(USERUID),nounix,uid=%(USERUID),gid=%(USERGID),file_mode=0664,dir_mode=0775" /> | ||
| + | <cifsmount>/sbin/mount.cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o %(OPTIONS)</cifsmount> | ||
| + | <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,sec" /> | ||
| + | <mntoptions require="nosuid,nodev" /> | ||
| + | <logout wait="0" hup="no" term="no" kill="no" /> | ||
| + | <mkmountpoint enable="1" remove="true" /> | ||
| + | </pam_mount> | ||
| + | EOF | ||
| + | |||
| + | cat << 'EOF' > /etc/pam-script/pam-script.d/umount_share_if_ses_close | ||
| + | #!/bin/bash | ||
| + | systemd-mount -u /home/NNTC.ALT/${PAM_USER}/share | ||
| + | exit 0 | ||
| + | EOF | ||
| + | |||
| + | } | ||
| + | |||
| + | function dlg_domain_params() { | ||
| + | echo \ | ||
| + | `dialog --stdout --title "Параметры подключения к домену" --inputbox "IP-адрес контроллера домена:" 10 60 "10.207.207.233"` \ | ||
| + | `dialog --stdout --title "Параметры подключения к домену" --inputbox "Имя контроллера домена:" 10 60 "nntc.alt"` \ | ||
| + | `dialog --stdout --title "Параметры подключения к домену" --inputbox "Логин для входа в домен:" 10 60 "administrator"` \ | ||
| + | `dialog --stdout --title "Параметры подключения к домену" --inputbox "Пароль для входа в домен:" 10 60 "Pls Enter Secret Password"` | ||
| + | } | ||
| + | |||
| + | DOMAIN_DATA=$(dlg_domain_params) | ||
| + | DOMAIN_IP=$(echo ${DOMAIN_DATA} | awk {'print $1'}) | ||
| + | DOMAIN_NAME=$(echo ${DOMAIN_DATA} | awk {'print $2'}) | ||
| + | DOMAIN_NAME_SHORT=$(echo ${DOMAIN_NAME} | awk -F '.' {'print $1'}) | ||
| + | DOMAIN_USER=$(echo ${DOMAIN_DATA} | awk {'print $3'}) | ||
| + | DOMAIN_PASSWORD=$(echo ${DOMAIN_DATA} | awk {'print $4'}) | ||
| + | MACHINE_HOST_NAME=$(hostname) | ||
| + | |||
| + | dialog --stdout --title "Монтирование каталога share" --yesno "Включить автоматическое монтирование пользовтаельских каталогов share с сервера?" 10 60 | ||
| + | ENABLE_SHARE=$? | ||
| + | |||
| + | if [ $ENABLE_SHARE -eq 0 ]; then | ||
| + | init_pam_mount_settings | ||
| + | fi | ||
| + | |||
| + | dialog --stdout --title "Включение групповых политик" --yesno "Включить применение групповых политик на этом компьютере?" 10 60 | ||
| + | ENABLE_GP=$? | ||
| + | |||
| + | if [ $ENABLE_GP -eq 0 ]; then | ||
| + | gpupdate-setup enable | ||
| + | fi | ||
| + | |||
| + | ntpdate pool.ntp.org | ||
| + | system-auth write ad ${DOMAIN_NAME} ${MACHINE_HOST_NAME} ${DOMAIN_NAME_SHORT} ${DOMAIN_USER} "${DOMAIN_PASSWORD}" | ||
| + | EEOF | ||
| + | |||
| + | # leave-domain script | ||
| + | cat << 'EEOF' > ${ROOT_MOUNTPOINT}/usr/sbin/nntc-leave-domain | ||
| + | realm leave nntc.alt Administrator | ||
| + | EEOF | ||
| + | |||
| + | cat << 'EEOF' > ${ROOT_MOUNTPOINT}/usr/sbin/nntc-rename-setup-vmbr0-enable-pve | ||
| + | #!/bin/bash | ||
| + | systemctl start NetworkManager | ||
| + | eth=$(ip a | grep ^'2:' | awk {'print $2'} | sed 's/://g') | ||
| + | dhcpcd ${eth} | ||
| + | ip=$(ifconfig ${eth} | head -2 | tail -1 | awk {'print $2'} | awk -F ':' {'print $2'}) | ||
| + | systemctl stop NetworkManager | ||
| + | hostname_p1=$(dialog --stdout --title "Префикс имени хоста" --inputbox "Введите префикс имени хоста:" 10 60 "pc-") | ||
| + | hostname_p2=$(echo ${ip} | awk -F '.' {'print $3'}) | ||
| + | hostname_p3=$(echo ${ip} | awk -F '.' {'print $4'}) | ||
| + | hostname="${hostname_p1}${hostname_p2}-${hostname_p3}" | ||
| + | |||
| + | echo ${hostname} > /etc/hostname | ||
| + | cat << EOF > /etc/hosts | ||
| + | ${ip} ${hostname} | ||
| + | 127.0.0.1 localhost | ||
| + | EOF | ||
| + | |||
| + | cat << EOF > /etc/network/interfaces | ||
| + | auto lo | ||
| + | iface lo inet loopback | ||
| − | + | auto ${eth} | |
| + | iface ${eth} inet manual | ||
| − | < | + | auto vmbr0 |
| − | + | iface vmbr0 inet dhcp | |
| + | bridge-ports ${eth} | ||
| + | bridge-stp off | ||
| + | bridge-fd 0 | ||
| + | bridge-vlan-aware yes | ||
| + | bridge-vids 2-2048 | ||
| + | post-up dhcpcd vmbr0 | ||
| + | EOF | ||
| + | |||
| + | systemctl restart networking | ||
| + | systemctl enable corosync pve-cluster pvescheduler pve-guests lxc lxc-net lxc-monitord pvedaemon pve-firewall pvestatd pve-ha-lrm pve-ha-crm spiceproxy pveproxy | ||
| + | systemctl start corosync pve-cluster pvescheduler lxc lxc-net lxc-monitord pvedaemon pve-firewall pvestatd pve-ha-lrm pve-ha-crm spiceproxy pveproxy | ||
| + | |||
| + | EEOF | ||
| + | |||
| + | #install soft from epm | ||
| + | cat << 'EEOF' > ${ROOT_MOUNTPOINT}/usr/sbin/nntc-epm-install | ||
#!/bin/bash | #!/bin/bash | ||
epm update | epm update | ||
| Строка 215: | Строка 316: | ||
epm play eagle | epm play eagle | ||
epm play blender | epm play blender | ||
| + | EEOF | ||
| + | |||
| + | cat << 'EEOF' > ${ROOT_MOUNTPOINT}/usr/sbin/nntc-disable-gdm-users-list | ||
| + | systemctl mask sleep.target suspend | ||
| + | |||
| + | cat << 'EOF' > /etc/dconf/profile/gdm | ||
| + | user-db:user | ||
| + | system-db:gdm | ||
| + | file-db:/usr/share/gdm/greeter-dconf-defaults | ||
| + | EOF | ||
| + | |||
| + | mkdir -p /etc/dconf/db/gdm.d | ||
| + | |||
| + | cat << 'EOF' > /etc/dconf/db/gdm.d/00-login-screen | ||
| + | [org/gnome/login-screen] | ||
| + | # Do not show the user list | ||
| + | disable-user-list=true | ||
| + | EOF | ||
| + | |||
| + | dconf update | ||
| + | EEOF | ||
| + | |||
| + | #enable timesync | ||
| + | cat << 'EEOF' > ${ROOT_MOUNTPOINT}/etc/systemd/timesyncd.conf | ||
| + | [Time] | ||
| + | NTP=0.pool.ntp.org | ||
| + | FallbackNTP=10.207.151.253 | ||
| + | #RootDistanceMaxSec=5 | ||
| + | #PollIntervalMinSec=32 | ||
| + | #PollIntervalMaxSec=2048 | ||
| + | ConnectionRetrySec=10 | ||
| + | #SaveIntervalSec=60 | ||
| + | EEOF | ||
| + | |||
| + | ## example - ok | ||
| + | ## epm play in chroot | ||
| + | #chroot "${ROOT_MOUNTPOINT}" bash -c ' | ||
| + | #touch /opt/test-from-chroot-ok.txt | ||
| + | #' | ||
| + | |||
| + | ## example - ok | ||
| + | ##touch ${ROOT_MOUNTPOINT}/opt/test-nntc_gnome-live | ||
| + | |||
| + | chmod +x ${ROOT_MOUNTPOINT}/usr/sbin/nntc-* | ||
| + | </pre> | ||
| + | |||
| + | ==pkg.in/lists/nntc== | ||
| + | <pre> | ||
| + | 1c-preinstall-full | ||
| + | alterator-auth | ||
| + | alterator-gpupdate | ||
| + | alt-tour | ||
| + | cifs-utils | ||
| + | dialog | ||
| + | docker-engine | ||
| + | docker-compose-v2 | ||
| + | dpkg | ||
| + | exfatprogs | ||
| + | fuse-gvfs | ||
| + | fuse-smb | ||
| + | gimp | ||
| + | git | ||
| + | gpupdate | ||
| + | gvfs-backend-mtp | ||
| + | gvfs-backend-smb | ||
| + | hplip | ||
| + | hplip-hpijs | ||
| + | kio-extras | ||
| + | umbrello | ||
| + | kf5-kio | ||
| + | lazarus | ||
| + | LibreOffice-full | ||
| + | LibreOffice-gtk3 | ||
| + | mtpfs | ||
| + | ntfs-3g | ||
| + | openssh | ||
| + | openvpn | ||
| + | pam_mount | ||
| + | pam_script | ||
| + | pve-manager | ||
| + | pwgen | ||
| + | realmd | ||
| + | remmina | ||
| + | remmina-plugins-rdp | ||
| + | remmina-plugins-vnc | ||
| + | samba-client | ||
| + | samba-common-tools | ||
| + | sendmail | ||
| + | sssd-ad | ||
| + | systemd-settings-enable-kill-user-processes | ||
| + | terminator | ||
| + | usrmerge-hier-convert | ||
| + | virtualbox | ||
| + | vlc | ||
| + | virt-viewer | ||
| + | x11vnc | ||
| + | xdg-utils | ||
| + | xsane | ||
| + | arduino | ||
| + | chromium | ||
| + | chromium-gost | ||
| + | dia | ||
| + | freecad | ||
| + | tmate | ||
| + | java-21-openjdk-devel | ||
| + | java-21-openjdk | ||
| + | emacs-gtk3 | ||
| + | gcc-c++ | ||
| + | gdb | ||
| + | ddd | ||
| + | openssl-gost-engine | ||
| + | afce | ||
| + | alien | ||
| + | rpm-build | ||
| + | snapd | ||
| + | MySQL-client | ||
| + | mysql-workbench-community | ||
| + | systemd-timesyncd | ||
| + | obs-studio | ||
| + | inkscape | ||
| + | shotcut | ||
| + | kicad | ||
</pre> | </pre> | ||
| + | |||
| + | ==conf.d/regular.mk== | ||
<pre> | <pre> | ||
| − | + | ... | |
| − | + | distro/regular-gnome: distro/.regular-desktop mixin/regular-gnome \ | |
| − | + | +plymouth use/browser/firefox use/nntc-gnome | |
| + | @$(call add,THE_LISTS,nntc) | ||
| + | @$(call add,SYSTEMD_SERVICES_ENABLE,sshd.service) | ||
| + | @$(call add,SYSTEMD_SERVICES_ENABLE,docker.service) | ||
| + | @$(call add,SYSTEMD_SERVICES_ENABLE,networking.service) | ||
| + | @$(call add,SYSTEMD_SERVICES_DISABLE,NetworkManager.service) | ||
| + | @$(call add,CONTROL,openssl-gost:enabled) | ||
| + | ... | ||
| − | + | </pre> | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| + | ==do-gnome.sh== | ||
| + | <pre> | ||
| + | #!/bin/bash | ||
| + | make clean | ||
| + | make distclean | ||
| + | #make REPORT=1 DEBUG=1 regular-gnome.iso | ||
| + | make regular-gnome.iso | ||
| + | # copy to pve storage | ||
| + | cp build/out/regular-gnome-latest-x86_64.iso ../template/iso/alt_regular_gnome_nntc.iso | ||
</pre> | </pre> | ||
| − | |||
| − | + | =Backlog= | |
| − | |||
| − | + | Добавить автовключение сервиса в сборку | |
| − | + | systemctl enable systemd-timesyncd | |
| − | systemctl enable | ||
Текущая версия на 09:47, 30 мая 2025
Содержание
Alt mp-gnome
Клонируем репозиторий сборочницы
git clone git://git.altlinux.org/people/antohami/packages/mkimage-profiles.git mp
Докидываем пакеты
cat << EOF > mp/pkg.in/lists/nntc alt-tour cifs-utils dialog docker-engine docker-compose-v2 obs-studio EOF
Докидываем скрипты через фичу
mkdir -p mp/features.in/nntc-gnome
cat << 'EOF' > mp/features.in/nntc-gnome/config.mk
use/nntc-gnome:
@$(call add_feature)
EOF
mkdir -p mp/features.in/nntc-gnome/live/files/usr/share/install2/postinstall.d
cat << 'EOF' > mp/features.in/nntc-gnome/live/files/usr/share/install2/postinstall.d/00-nntc-gnome-live.sh
#!/bin/sh
ROOT_MOUNTPOINT='/mnt/destination'
cat << 'EEOF' > ${ROOT_MOUNTPOINT}/usr/sbin/nntc-live-test.sh
#!/bin/sh
echo "Hello from live!" >> /tmp/nntc-live-test.log
EEOF
chmod +x ${ROOT_MOUNTPOINT}/usr/sbin/nntc-live-test.sh
EOF
Добавляем фичу, список пакетов и включение необходимых сервисов в конфиг
В файле
mp/conf.d/regular.mk
ищем секцию, похожую на:
distro/regular-gnome: distro/.regular-desktop mixin/regular-gnome \
+plymouth use/browser/epiphany \
use/live-install/vnc/listen; @:
и заменяем на секцию, похожую на:
distro/regular-gnome: distro/.regular-desktop mixin/regular-gnome \
+plymouth use/browser/firefox use/nntc-gnome \
use/live-install/vnc/listen
@$(call add,THE_LISTS,nntc)
@$(call add,SYSTEMD_SERVICES_ENABLE,sshd.service)
@$(call add,SYSTEMD_SERVICES_ENABLE,docker.service)
Важные моменты
1. Вторая и последующие строки отделяются не пробелами а табуляцией (одной!):
distro/regular-gnome: distro/.regular-desktop mixin/regular-gnome \ [здесь обязательно TAB, НЕ пробелы!]+plymouth use/browser/firefox use/nntc-gnome \ ...
2. Так включаются сервисы через systemd:
... [здесь обязательно TAB, НЕ пробелы!]@$(call add,SYSTEMD_SERVICES_ENABLE,sshd.service) [здесь обязательно TAB, НЕ пробелы!]@$(call add,SYSTEMD_SERVICES_ENABLE,docker.service) ...
3. Так включаются сервисы через control:
... [здесь обязательно TAB, НЕ пробелы!]@$(call add,CONTROL,openssl-gost:enabled) ...
4. Так можно дополнить дистрибутив пакетами из репозитория (см. выше файл в разделе "Докидываем пакеты"):
... [здесь обязательно TAB, НЕ пробелы!]@$(call add,THE_LISTS,nntc) ...
5. Так можно исключить пакеты из дистрибутива (решётка в начале означает что по факту это не применится (закоментировано)):
... #[здесь обязательно TAB, НЕ пробелы!]@$(call add,CLEANUP_BASE_PACKAGES,gnome-session-wayland) ...
Собираем
cd mp make clean make distclean make regular-gnome.iso # или (если надо с подробностями) # make REPORT=1 DEBUG=1 regular-gnome.iso
После сборки
cp build/out/regular-gnome-latest-x86_64.iso my-super-alt-regular-gnome.iso
Опционально, можно убрать за собой
make clean make distclean
Файлы
#!/bin/sh
ROOT_MOUNTPOINT='/mnt/destination'
# SSH Fixes
sed -i 's/#PermitRootLogin without-password/PermitRootLogin yes/g' ${ROOT_MOUNTPOINT}/etc/openssh/sshd_config
# Enable sudo su for WHEEL_USERS
sed -i 's/# WHEEL_USERS ALL=(ALL:ALL) ALL/WHEEL_USERS ALL=(ALL:ALL) ALL/g' ${ROOT_MOUNTPOINT}/etc/sudoers
# Fix GRUB timeout
sed -i 's/#GRUB_TIMEOUT=5/GRUB_TIMEOUT=1/g' ${ROOT_MOUNTPOINT}/etc/default/grub
sed -i 's/#GRUB_TIMEOUT=5/GRUB_TIMEOUT=1/g' ${ROOT_MOUNTPOINT}/etc/sysconfig/grub2
cat << 'EEOF' > ${ROOT_MOUNTPOINT}/usr/sbin/nntc-update-grub
#!/bin/bash
update-grub
EEOF
# nntc-go2domain script
cat << 'EEOF' > ${ROOT_MOUNTPOINT}/usr/sbin/nntc-go2domain
#!/bin/bash
function init_pam_mount_settings() {
cat << 'EOF' > /etc/pam.d/system-auth-sss
#%PAM-1.0
auth [success=5 perm_denied=ignore default=die] pam_localuser.so
auth [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet
auth [default=1] pam_permit.so
auth optional pam_mount.so
auth substack system-auth-sss-only
auth [default=1] pam_permit.so
auth substack system-auth-local-only
auth substack system-auth-common
account [success=4 perm_denied=ignore default=die] pam_localuser.so
account [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet
account [default=1] pam_permit.so
account substack system-auth-sss-only
account [default=1] pam_permit.so
account substack system-auth-local-only
account substack system-auth-common
password [success=4 perm_denied=ignore default=die] pam_localuser.so
password [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet
password [default=1] pam_permit.so
password substack system-auth-sss-only
password [default=1] pam_permit.so
password substack system-auth-local-only
password substack system-auth-common
session [success=5 perm_denied=ignore default=die] pam_localuser.so
session [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet
session [default=1] pam_permit.so
session required pam_mkhomedir.so silent
session optional pam_mount.so disable_interactive
session substack system-auth-sss-only
session [default=1] pam_permit.so
session substack system-auth-local-only
session substack system-auth-common
session optional pam_script.so
EOF
cat << 'EOF' > /etc/security/pam_mount.conf.xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<debug enable="0" />
<volume uid="10000-2000200000" fstype="cifs" server="dc.nntc.alt" path="share" mountpoint="~/share" options="sec=krb5,cruid=%(USERUID),nounix,uid=%(USERUID),gid=%(USERGID),file_mode=0664,dir_mode=0775" />
<cifsmount>/sbin/mount.cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o %(OPTIONS)</cifsmount>
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,sec" />
<mntoptions require="nosuid,nodev" />
<logout wait="0" hup="no" term="no" kill="no" />
<mkmountpoint enable="1" remove="true" />
</pam_mount>
EOF
cat << 'EOF' > /etc/pam-script/pam-script.d/umount_share_if_ses_close
#!/bin/bash
systemd-mount -u /home/NNTC.ALT/${PAM_USER}/share
exit 0
EOF
}
function dlg_domain_params() {
echo \
`dialog --stdout --title "Параметры подключения к домену" --inputbox "IP-адрес контроллера домена:" 10 60 "10.207.207.233"` \
`dialog --stdout --title "Параметры подключения к домену" --inputbox "Имя контроллера домена:" 10 60 "nntc.alt"` \
`dialog --stdout --title "Параметры подключения к домену" --inputbox "Логин для входа в домен:" 10 60 "administrator"` \
`dialog --stdout --title "Параметры подключения к домену" --inputbox "Пароль для входа в домен:" 10 60 "Pls Enter Secret Password"`
}
DOMAIN_DATA=$(dlg_domain_params)
DOMAIN_IP=$(echo ${DOMAIN_DATA} | awk {'print $1'})
DOMAIN_NAME=$(echo ${DOMAIN_DATA} | awk {'print $2'})
DOMAIN_NAME_SHORT=$(echo ${DOMAIN_NAME} | awk -F '.' {'print $1'})
DOMAIN_USER=$(echo ${DOMAIN_DATA} | awk {'print $3'})
DOMAIN_PASSWORD=$(echo ${DOMAIN_DATA} | awk {'print $4'})
MACHINE_HOST_NAME=$(hostname)
dialog --stdout --title "Монтирование каталога share" --yesno "Включить автоматическое монтирование пользовтаельских каталогов share с сервера?" 10 60
ENABLE_SHARE=$?
if [ $ENABLE_SHARE -eq 0 ]; then
init_pam_mount_settings
fi
dialog --stdout --title "Включение групповых политик" --yesno "Включить применение групповых политик на этом компьютере?" 10 60
ENABLE_GP=$?
if [ $ENABLE_GP -eq 0 ]; then
gpupdate-setup enable
fi
ntpdate pool.ntp.org
system-auth write ad ${DOMAIN_NAME} ${MACHINE_HOST_NAME} ${DOMAIN_NAME_SHORT} ${DOMAIN_USER} "${DOMAIN_PASSWORD}"
EEOF
# leave-domain script
cat << 'EEOF' > ${ROOT_MOUNTPOINT}/usr/sbin/nntc-leave-domain
realm leave nntc.alt Administrator
EEOF
cat << 'EEOF' > ${ROOT_MOUNTPOINT}/usr/sbin/nntc-rename-setup-vmbr0-enable-pve
#!/bin/bash
systemctl start NetworkManager
eth=$(ip a | grep ^'2:' | awk {'print $2'} | sed 's/://g')
dhcpcd ${eth}
ip=$(ifconfig ${eth} | head -2 | tail -1 | awk {'print $2'} | awk -F ':' {'print $2'})
systemctl stop NetworkManager
hostname_p1=$(dialog --stdout --title "Префикс имени хоста" --inputbox "Введите префикс имени хоста:" 10 60 "pc-")
hostname_p2=$(echo ${ip} | awk -F '.' {'print $3'})
hostname_p3=$(echo ${ip} | awk -F '.' {'print $4'})
hostname="${hostname_p1}${hostname_p2}-${hostname_p3}"
echo ${hostname} > /etc/hostname
cat << EOF > /etc/hosts
${ip} ${hostname}
127.0.0.1 localhost
EOF
cat << EOF > /etc/network/interfaces
auto lo
iface lo inet loopback
auto ${eth}
iface ${eth} inet manual
auto vmbr0
iface vmbr0 inet dhcp
bridge-ports ${eth}
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-2048
post-up dhcpcd vmbr0
EOF
systemctl restart networking
systemctl enable corosync pve-cluster pvescheduler pve-guests lxc lxc-net lxc-monitord pvedaemon pve-firewall pvestatd pve-ha-lrm pve-ha-crm spiceproxy pveproxy
systemctl start corosync pve-cluster pvescheduler lxc lxc-net lxc-monitord pvedaemon pve-firewall pvestatd pve-ha-lrm pve-ha-crm spiceproxy pveproxy
EEOF
#install soft from epm
cat << 'EEOF' > ${ROOT_MOUNTPOINT}/usr/sbin/nntc-epm-install
#!/bin/bash
epm update
epm play code
epm play sublime
epm play idea-community
epm play webstorm
epm play phpstorm
epm play pycharm
epm play clion
epm play datagrip
epm play dbeaver
epm play onlyoffice
epm play chrome
epm play naps2
epm play figma
epm play draw.io
epm play docker-desktop
epm play eagle
epm play blender
EEOF
cat << 'EEOF' > ${ROOT_MOUNTPOINT}/usr/sbin/nntc-disable-gdm-users-list
systemctl mask sleep.target suspend
cat << 'EOF' > /etc/dconf/profile/gdm
user-db:user
system-db:gdm
file-db:/usr/share/gdm/greeter-dconf-defaults
EOF
mkdir -p /etc/dconf/db/gdm.d
cat << 'EOF' > /etc/dconf/db/gdm.d/00-login-screen
[org/gnome/login-screen]
# Do not show the user list
disable-user-list=true
EOF
dconf update
EEOF
#enable timesync
cat << 'EEOF' > ${ROOT_MOUNTPOINT}/etc/systemd/timesyncd.conf
[Time]
NTP=0.pool.ntp.org
FallbackNTP=10.207.151.253
#RootDistanceMaxSec=5
#PollIntervalMinSec=32
#PollIntervalMaxSec=2048
ConnectionRetrySec=10
#SaveIntervalSec=60
EEOF
## example - ok
## epm play in chroot
#chroot "${ROOT_MOUNTPOINT}" bash -c '
#touch /opt/test-from-chroot-ok.txt
#'
## example - ok
##touch ${ROOT_MOUNTPOINT}/opt/test-nntc_gnome-live
chmod +x ${ROOT_MOUNTPOINT}/usr/sbin/nntc-*
pkg.in/lists/nntc
1c-preinstall-full alterator-auth alterator-gpupdate alt-tour cifs-utils dialog docker-engine docker-compose-v2 dpkg exfatprogs fuse-gvfs fuse-smb gimp git gpupdate gvfs-backend-mtp gvfs-backend-smb hplip hplip-hpijs kio-extras umbrello kf5-kio lazarus LibreOffice-full LibreOffice-gtk3 mtpfs ntfs-3g openssh openvpn pam_mount pam_script pve-manager pwgen realmd remmina remmina-plugins-rdp remmina-plugins-vnc samba-client samba-common-tools sendmail sssd-ad systemd-settings-enable-kill-user-processes terminator usrmerge-hier-convert virtualbox vlc virt-viewer x11vnc xdg-utils xsane arduino chromium chromium-gost dia freecad tmate java-21-openjdk-devel java-21-openjdk emacs-gtk3 gcc-c++ gdb ddd openssl-gost-engine afce alien rpm-build snapd MySQL-client mysql-workbench-community systemd-timesyncd obs-studio inkscape shotcut kicad
conf.d/regular.mk
...
distro/regular-gnome: distro/.regular-desktop mixin/regular-gnome \
+plymouth use/browser/firefox use/nntc-gnome
@$(call add,THE_LISTS,nntc)
@$(call add,SYSTEMD_SERVICES_ENABLE,sshd.service)
@$(call add,SYSTEMD_SERVICES_ENABLE,docker.service)
@$(call add,SYSTEMD_SERVICES_ENABLE,networking.service)
@$(call add,SYSTEMD_SERVICES_DISABLE,NetworkManager.service)
@$(call add,CONTROL,openssl-gost:enabled)
...
do-gnome.sh
#!/bin/bash make clean make distclean #make REPORT=1 DEBUG=1 regular-gnome.iso make regular-gnome.iso # copy to pve storage cp build/out/regular-gnome-latest-x86_64.iso ../template/iso/alt_regular_gnome_nntc.iso
Backlog
Добавить автовключение сервиса в сборку
systemctl enable systemd-timesyncd
