Mp
Alt m-p
Клонируем репозиторий сборочницы
# NOTE(review): git:// is unauthenticated and unencrypted, and this repository
# is the build logic that produces the whole image; prefer the https:// URL
# where the server offers it and pin the commit you reviewed before building.
git clone git://git.altlinux.org/people/antohami/packages/mkimage-profiles.git mp
Докидываем пакеты
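# Extra package list "nntc", pulled into the image later via THE_LISTS.
# NOTE(review): this list includes remote-access and privilege-relevant tooling —
# x11vnc, tmate (shares a terminal through an external relay by default),
# docker-engine (members of the docker group are root-equivalent), sendmail,
# snapd — check that each of them belongs on every machine built from this profile.
cat << 'EOF' > mp/pkg.in/lists/nntc
1c-preinstall-full
alterator-auth
alterator-gpupdate
alt-tour
cifs-utils
dialog
docker-engine
docker-compose-v2
dpkg
exfatprogs
fuse-gvfs
fuse-smb
gimp
git
gpupdate
gvfs-backend-mtp
gvfs-backend-smb
hplip
hplip-hpijs
kio-extras
umbrello
kf5-kio
lazarus
LibreOffice-full
LibreOffice-gtk3
mtpfs
ntfs-3g
openssh
openvpn
pam_mount
pam_script
pve-manager
pwgen
realmd
remmina
remmina-plugins-rdp
remmina-plugins-vnc
samba-client
samba-common-tools
sendmail
sssd-ad
systemd-settings-enable-kill-user-processes
terminator
usrmerge-hier-convert
virtualbox
vlc
virt-viewer
x11vnc
xdg-utils
xsane
arduino
chromium
chromium-gost
dia
freecad
tmate
java-21-openjdk-devel
java-21-openjdk
emacs-gtk3
gcc-c++
gdb
ddd
openssl-gost-engine
afce
alien
rpm-build
snapd
MySQL-client
mysql-workbench-community
systemd-timesyncd
obs-studio
EOF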
Докидываем скрипты через фичу
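# Feature definition: "use/nntc-gnome" in a distro target pulls this feature
# (and the files under features.in/nntc-gnome/live/files) into the image.
# The recipe line MUST begin with a single TAB — Make rejects spaces with
# "missing separator". The heredoc delimiter is quoted so $(call ...) is
# written literally instead of being expanded by the shell.
mkdir -p mp/features.in/nntc-gnome
cat << 'EOF' > mp/features.in/nntc-gnome/config.mk
use/nntc-gnome:
	@$(call add_feature)
EOF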
# Smoke-test post-install hook. Hooks under install2/postinstall.d run against
# the target system, which is mounted at ROOT_MOUNTPOINT (see below).
HOOK_DIR=mp/features.in/nntc-gnome/live/files/usr/share/install2/postinstall.d
mkdir -p "${HOOK_DIR}"
cat << 'EOF' > "${HOOK_DIR}/00-nntc-gnome-live.sh"
#!/bin/sh
ROOT_MOUNTPOINT='/mnt/destination'
# Drop a trivial marker script into the target's /usr/sbin.
# NOTE(review): it appends to a fixed name under /tmp; keep this as a test only
# (a predictable /tmp path written by root is symlink bait on a shared machine).
cat << 'EEOF' > "${ROOT_MOUNTPOINT}/usr/sbin/nntc-live-test.sh"
#!/bin/sh
echo "Hello from live!" >> /tmp/nntc-live-test.log
EEOF
chmod +x "${ROOT_MOUNTPOINT}/usr/sbin/nntc-live-test.sh"
EOF
Добавляем фичу, список пакетов и включение необходимых сервисов в конфиг
В файле
mp/conf.d/regular.mk
ищем секцию, похожую на:
distro/regular-gnome: distro/.regular-desktop mixin/regular-gnome \
+plymouth use/browser/epiphany \
use/live-install/vnc/listen; @:
и заменяем на секцию, похожую на:
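# regular-gnome distro target with the nntc feature and package list added.
# SECURITY: sshd.service is enabled at first boot, and the nntc-gnome
# postinstall hook on this page sets "PermitRootLogin yes" — root becomes
# reachable over SSH with a password from the first boot; make sure that is
# intended. docker.service: members of the docker group are root-equivalent.
# use/live-install/vnc/listen exposes the live installer over VNC; the final
# regular.mk further down this page omits it — check whether it is needed.
# Recipe lines (the @$(call ...) ones) must start with ONE TAB, not spaces.
distro/regular-gnome: distro/.regular-desktop mixin/regular-gnome \
	+plymouth use/browser/firefox use/nntc-gnome \
	use/live-install/vnc/listen
	@$(call add,THE_LISTS,nntc)
	@$(call add,SYSTEMD_SERVICES_ENABLE,sshd.service)
	@$(call add,SYSTEMD_SERVICES_ENABLE,docker.service)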
Важные моменты
1. Вторая и последующие строки начинаются с табуляции (одной!), а не с пробелов — иначе make завершится с ошибкой «missing separator»:
distro/regular-gnome: distro/.regular-desktop mixin/regular-gnome \ [здесь обязательно TAB, НЕ пробелы!]+plymouth use/browser/firefox use/nntc-gnome \ ...
2. Так включаются сервисы через systemd:
... [здесь обязательно TAB, НЕ пробелы!]@$(call add,SYSTEMD_SERVICES_ENABLE,sshd.service) [здесь обязательно TAB, НЕ пробелы!]@$(call add,SYSTEMD_SERVICES_ENABLE,docker.service) ...
3. Так включаются сервисы через control:
... [здесь обязательно TAB, НЕ пробелы!]@$(call add,CONTROL,openssl-gost:enabled) ...
4. Так можно дополнить дистрибутив пакетами из репозитория (см. выше файл в разделе "Докидываем пакеты"):
... [здесь обязательно TAB, НЕ пробелы!]@$(call add,THE_LISTS,nntc) ...
5. Так можно исключить пакеты из дистрибутива (решётка в начале означает, что по факту это не применится — строка закомментирована):
... #[здесь обязательно TAB, НЕ пробелы!]@$(call add,CLEANUP_BASE_PACKAGES,gnome-session-wayland) ...
Собираем
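# Full rebuild of the ISO from a clean tree.
cd mp
make clean
make distclean
make regular-gnome.iso
# or, when the build needs to be verbose:
# make REPORT=1 DEBUG=1 regular-gnome.iso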
После сборки
# The build leaves the result under build/out; take a copy before the next
# "make clean/distclean" removes it.
cp build/out/regular-gnome-latest-x86_64.iso my-super-alt-regular-gnome.iso
Опционально, можно убрать за собой
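# Two separate invocations: on one line, "make clean make distclean" would
# pass "make" itself as a goal.
make clean
make distclean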
Backlog
pkgs: inkscape, shotcut, kicad
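# Helper as found on the reference machine (backlog item; the same script is
# generated by the nntc-gnome postinstall hook further down this page).
# NOTE(review): "epm play" installs vendor packages from outside the ALT
# repository; nothing here pins versions.
cat /usr/sbin/nntc-epm-install
#!/bin/bash
epm update
epm play code
epm play sublime
epm play idea-community
epm play webstorm
epm play phpstorm
epm play pycharm
epm play clion
epm play datagrip
epm play dbeaver
epm play onlyoffice
epm play chrome
epm play naps2
epm play figma
epm play draw.io
epm play docker-desktop
epm play eagle
epm play blender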
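# ifupdown config on the reference machine: the uplink eno1 is enslaved to the
# vmbr0 bridge, which gets its address via DHCP (VLAN-aware for PVE guests).
cat /etc/network/interfaces
auto lo
iface lo inet loopback
auto eno1
iface eno1 inet manual
auto vmbr0
iface vmbr0 inet dhcp
	bridge-ports eno1
	bridge-stp off
	bridge-fd 0
	bridge-vlan-aware yes
	bridge-vids 2-2048
	post-up dhcpcd vmbr0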
Важно потушить сервис NetworkManager, иначе он будет управлять теми же интерфейсами, что и /etc/network/interfaces:
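# Two separate commands (on one line the extra words become bogus unit names).
systemctl stop NetworkManager
systemctl disable NetworkManager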
и включить networking (в итоговом conf.d/regular.mk ниже это сделано через SYSTEMD_SERVICES_ENABLE/SYSTEMD_SERVICES_DISABLE):
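# Two separate commands (on one line the extra words become bogus unit names).
systemctl start networking
systemctl enable networking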
cat /usr/sbin/nntc-rename-pve
#!/bin/bash
# Find the interface holding a 10.207.x.x address: grep the "inet" line, look
# 4 lines back for the "N: ifname:" header and strip the trailing colon.
# NOTE(review): with -B 4 the first of those lines can belong to the previous
# interface's block (e.g. lo), in which case eth gets garbage — verify on a
# real host; it also breaks if several interfaces match.
eth=$(ip a | grep '10.207.' -B 4 | head -1 | awk {'print $2'} | sed 's/://g')
# Address and mask are taken from the second line of ifconfig output split on
# ':' — this only works with the old "inet addr:A.B.C.D ... Mask:M" layout;
# newer net-tools prints "inet A.B.C.D netmask M" and both fields come back empty.
ip=$(ifconfig ${eth} | head -2 | tail -1 | awk {'print $2'} | awk -F ':' {'print $2'})
mask=$(ifconfig ${eth} | head -2 | tail -1 | awk {'print $4'} | awk -F ':' {'print $2'})
# NOTE(review): only these three assignments are shown on this page; whatever
# uses $eth/$ip/$mask is not visible here.
Файлы
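#!/bin/sh
# Post-install hook for the nntc-gnome feature. It runs from the installer
# against the freshly installed system mounted at ROOT_MOUNTPOINT and drops a
# set of nntc-* helper scripts into its /usr/sbin.
ROOT_MOUNTPOINT='/mnt/destination'

# SSH Fixes
# SECURITY: this enables password-based root login over SSH, and the distro
# config on this page also enables sshd.service in the image. Consider
# "PermitRootLogin prohibit-password" (key-only root) or keeping the default
# and administering through a WHEEL_USERS account with sudo.
# The sed only matches the exact default comment "#PermitRootLogin without-password";
# newer OpenSSH ships "#PermitRootLogin prohibit-password", in which case the
# edit silently does nothing — so warn when the setting did not land.
sed -i 's/#PermitRootLogin without-password/PermitRootLogin yes/g' "${ROOT_MOUNTPOINT}/etc/openssh/sshd_config"
grep -q '^PermitRootLogin yes' "${ROOT_MOUNTPOINT}/etc/openssh/sshd_config" \
	|| echo "nntc-gnome: warning: PermitRootLogin was not changed in sshd_config (pattern not found)" >&2

# Enable sudo su for WHEEL_USERS
sed -i 's/# WHEEL_USERS ALL=(ALL:ALL) ALL/WHEEL_USERS ALL=(ALL:ALL) ALL/g' "${ROOT_MOUNTPOINT}/etc/sudoers"
# A malformed sudoers locks everyone out of sudo; syntax-check it when visudo
# is available in the installer environment (failure is only reported).
if command -v visudo >/dev/null 2>&1; then
	visudo -c -f "${ROOT_MOUNTPOINT}/etc/sudoers" >/dev/null \
		|| echo "nntc-gnome: warning: ${ROOT_MOUNTPOINT}/etc/sudoers failed the visudo check" >&2
fi

# Fix GRUB timeout (both files are edited; whichever exists on the target wins)
sed -i 's/#GRUB_TIMEOUT=5/GRUB_TIMEOUT=1/g' "${ROOT_MOUNTPOINT}/etc/default/grub"
sed -i 's/#GRUB_TIMEOUT=5/GRUB_TIMEOUT=1/g' "${ROOT_MOUNTPOINT}/etc/sysconfig/grub2"

# nntc-update-grub: thin wrapper so grub.cfg can be regenerated by name
cat << 'EEOF' > "${ROOT_MOUNTPOINT}/usr/sbin/nntc-update-grub"
#!/bin/bash
update-grub
EEOF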
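# nntc-go2domain: interactive AD join helper (dialog-driven)
cat << 'EEOF' > "${ROOT_MOUNTPOINT}/usr/sbin/nntc-go2domain"
#!/bin/bash
# Asks for domain-controller details, optionally sets up pam_mount for the
# per-user "share" CIFS volume and enables group-policy application, then
# joins the machine to the domain through alterator's system-auth backend.

# Write the PAM stack and pam_mount config used to mount ~/share on login.
function init_pam_mount_settings() {
cat << 'EOF' > /etc/pam.d/system-auth-sss
#%PAM-1.0
auth [success=5 perm_denied=ignore default=die] pam_localuser.so
auth [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet
auth [default=1] pam_permit.so
auth optional pam_mount.so
auth substack system-auth-sss-only
auth [default=1] pam_permit.so
auth substack system-auth-local-only
auth substack system-auth-common
account [success=4 perm_denied=ignore default=die] pam_localuser.so
account [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet
account [default=1] pam_permit.so
account substack system-auth-sss-only
account [default=1] pam_permit.so
account substack system-auth-local-only
account substack system-auth-common
password [success=4 perm_denied=ignore default=die] pam_localuser.so
password [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet
password [default=1] pam_permit.so
password substack system-auth-sss-only
password [default=1] pam_permit.so
password substack system-auth-local-only
password substack system-auth-common
session [success=5 perm_denied=ignore default=die] pam_localuser.so
session [success=1 default=bad] pam_succeed_if.so uid >= 500 quiet
session [default=1] pam_permit.so
session required pam_mkhomedir.so silent
session optional pam_mount.so disable_interactive
session substack system-auth-sss-only
session [default=1] pam_permit.so
session substack system-auth-local-only
session substack system-auth-common
session optional pam_script.so
EOF
# Kerberos-authenticated CIFS mount of the user's share; nosuid,nodev are required.
cat << 'EOF' > /etc/security/pam_mount.conf.xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<debug enable="0" />
<volume uid="10000-2000200000" fstype="cifs" server="dc.nntc.alt" path="share" mountpoint="~/share" options="sec=krb5,cruid=%(USERUID),nounix,uid=%(USERUID),gid=%(USERGID),file_mode=0664,dir_mode=0775" />
<cifsmount>/sbin/mount.cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o %(OPTIONS)</cifsmount>
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,sec" />
<mntoptions require="nosuid,nodev" />
<logout wait="0" hup="no" term="no" kill="no" />
<mkmountpoint enable="1" remove="true" />
</pam_mount>
EOF
# pam_script hook: unmount the share when the session closes.
# NOTE(review): the realm is hard-coded here (and in the XML above) while the
# join below asks for the domain name; keep them in sync for another realm.
cat << 'EOF' > /etc/pam-script/pam-script.d/umount_share_if_ses_close
#!/bin/bash
systemd-mount -u "/home/NNTC.ALT/${PAM_USER}/share"
exit 0
EOF
}

# Prompt for the domain-controller parameters. Each answer lands in its own
# variable instead of being echoed and re-split on whitespace, so a password
# containing spaces or shell metacharacters survives intact; Cancel/ESC aborts.
function dlg_domain_params() {
	local title="Параметры подключения к домену"
	# DOMAIN_IP is collected but not used by the join below; kept for reference.
	DOMAIN_IP=$(dialog --stdout --title "${title}" --inputbox "IP-адрес контроллера домена:" 10 60 "10.207.207.233") || exit 1
	DOMAIN_NAME=$(dialog --stdout --title "${title}" --inputbox "Имя контроллера домена:" 10 60 "nntc.alt") || exit 1
	DOMAIN_USER=$(dialog --stdout --title "${title}" --inputbox "Логин для входа в домен:" 10 60 "administrator") || exit 1
	# --passwordbox keeps the secret off the screen (--insecure shows asterisks
	# as feedback); the old --inputbox echoed it in clear text.
	DOMAIN_PASSWORD=$(dialog --stdout --title "${title}" --insecure --passwordbox "Пароль для входа в домен:" 10 60) || exit 1
	if [ -z "${DOMAIN_PASSWORD}" ]; then
		echo "nntc-go2domain: empty domain password, aborting" >&2
		exit 1
	fi
}

dlg_domain_params
# Short (NetBIOS-style) name = first label of the domain name.
DOMAIN_NAME_SHORT=${DOMAIN_NAME%%.*}
MACHINE_HOST_NAME=$(hostname)

dialog --stdout --title "Монтирование каталога share" --yesno "Включить автоматическое монтирование пользовательских каталогов share с сервера?" 10 60
ENABLE_SHARE=$?
if [ $ENABLE_SHARE -eq 0 ]; then
	init_pam_mount_settings
fi

dialog --stdout --title "Включение групповых политик" --yesno "Включить применение групповых политик на этом компьютере?" 10 60
ENABLE_GP=$?
if [ $ENABLE_GP -eq 0 ]; then
	gpupdate-setup enable
fi

# Clocks must agree before Kerberos will talk to the DC.
# NOTE(review): ntpdate against a public pool is unauthenticated; on an internal
# network the DC (or the site NTP server) is usually the intended source.
ntpdate pool.ntp.org
# SECURITY: the password is passed as a command-line argument and is visible in
# the process list for the duration of the join.
system-auth write ad "${DOMAIN_NAME}" "${MACHINE_HOST_NAME}" "${DOMAIN_NAME_SHORT}" "${DOMAIN_USER}" "${DOMAIN_PASSWORD}"
EEOF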
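# leave-domain script
cat << 'EEOF' > "${ROOT_MOUNTPOINT}/usr/sbin/nntc-leave-domain"
#!/bin/bash
# Leave the (hard-coded) nntc.alt realm; realmd prompts for the password.
# The admin account goes through -U: with a second positional argument realm
# is expected to refuse ("specify one realm"), so the previous form
# "realm leave nntc.alt Administrator" likely never worked — verify on a host.
realm leave -U Administrator nntc.alt
EEOF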
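# nntc-rename-setup-vmbr0-enable-pve: derive the hostname from the DHCP
# address, move the uplink under an ifupdown-managed vmbr0 bridge and turn
# on the Proxmox VE services.
cat << 'EEOF' > "${ROOT_MOUNTPOINT}/usr/sbin/nntc-rename-setup-vmbr0-enable-pve"
#!/bin/bash
# NOTE(review): the uplink is assumed to be the interface with index 2 in
# "ip a" (the first non-loopback one); with several NICs this may pick wrong.
systemctl start NetworkManager
eth=$(ip a | grep ^'2:' | awk '{print $2}' | sed 's/://g')
dhcpcd "${eth}"
# Read the IPv4 address through iproute2 instead of parsing ifconfig: the old
# "inet addr:" split on ':' only worked with the legacy net-tools layout and
# otherwise left ip empty, yielding a "pc--" hostname and a bad /etc/hosts.
ip=$(ip -4 -o addr show dev "${eth}" | awk '{print $4}' | cut -d/ -f1 | head -1)
systemctl stop NetworkManager
if [ -z "${eth}" ] || [ -z "${ip}" ]; then
	echo "nntc: could not determine uplink interface/address (eth='${eth}' ip='${ip}'), aborting" >&2
	exit 1
fi
hostname_p1=$(dialog --stdout --title "Префикс имени хоста" --inputbox "Введите префикс имени хоста:" 10 60 "pc-") || exit 1
# Hostname = prefix + third octet + "-" + fourth octet of the address.
hostname_p2=$(echo "${ip}" | awk -F '.' '{print $3}')
hostname_p3=$(echo "${ip}" | awk -F '.' '{print $4}')
hostname="${hostname_p1}${hostname_p2}-${hostname_p3}"
echo "${hostname}" > /etc/hostname
cat << EOF > /etc/hosts
${ip} ${hostname}
127.0.0.1 localhost
EOF
# ifupdown config: the uplink becomes a port of the VLAN-aware vmbr0 bridge,
# which takes its address via DHCP.
cat << EOF > /etc/network/interfaces
auto lo
iface lo inet loopback
auto ${eth}
iface ${eth} inet manual
auto vmbr0
iface vmbr0 inet dhcp
bridge-ports ${eth}
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-2048
post-up dhcpcd vmbr0
EOF
systemctl restart networking
# pve-guests is enabled but deliberately not started here (it starts guests at boot).
# NOTE(review): once enabled, pveproxy serves the PVE web UI on all interfaces
# by default; pve-firewall is enabled but no ruleset is configured on this page.
systemctl enable corosync pve-cluster pvescheduler pve-guests lxc lxc-net lxc-monitord pvedaemon pve-firewall pvestatd pve-ha-lrm pve-ha-crm spiceproxy pveproxy
systemctl start corosync pve-cluster pvescheduler lxc lxc-net lxc-monitord pvedaemon pve-firewall pvestatd pve-ha-lrm pve-ha-crm spiceproxy pveproxy
EEOF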
# nntc-epm-install: pull a set of third-party desktop apps via "epm play".
# NOTE(review): epm play installs vendor packages from outside the ALT
# repository at run time; nothing here pins versions.
cat << 'EEOF' > "${ROOT_MOUNTPOINT}/usr/sbin/nntc-epm-install"
#!/bin/bash
# Refresh repository metadata, then install each app in turn; a failing
# install does not stop the rest of the list.
epm update
for app in code sublime idea-community webstorm phpstorm pycharm clion datagrip dbeaver onlyoffice chrome naps2 figma draw.io docker-desktop eagle blender; do
	epm play "${app}"
done
EEOF
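# nntc-disable-gdm-users-list: hide the user list on the GDM greeter (and
# block suspend, which this helper bundles in). Shebang added — the other
# nntc-* helpers have one and the file is made executable below.
cat << 'EEOF' > "${ROOT_MOUNTPOINT}/usr/sbin/nntc-disable-gdm-users-list"
#!/bin/bash
# systemctl appends ".service" to a bare unit name, so the previous
# "systemctl mask ... suspend" masked a non-existent suspend.service;
# suspend.target is the unit that was meant.
systemctl mask sleep.target suspend.target
# GDM reads dconf through its own profile; the setting goes into the gdm db.
cat << 'EOF' > /etc/dconf/profile/gdm
user-db:user
system-db:gdm
file-db:/usr/share/gdm/greeter-dconf-defaults
EOF
mkdir -p /etc/dconf/db/gdm.d
cat << 'EOF' > /etc/dconf/db/gdm.d/00-login-screen
[org/gnome/login-screen]
# Do not show the user list
disable-user-list=true
EOF
dconf update
EEOF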
#enable timesync
# systemd-timesyncd config for the installed system: public pool first, the
# site server as fallback. NOTE(review): plain NTP is unauthenticated; on an
# AD network the DC is usually the intended time source (Kerberos clock skew).
cat << 'EEOF' > ${ROOT_MOUNTPOINT}/etc/systemd/timesyncd.conf
[Time]
NTP=0.pool.ntp.org
FallbackNTP=10.207.151.253
#RootDistanceMaxSec=5
#PollIntervalMinSec=32
#PollIntervalMaxSec=2048
ConnectionRetrySec=10
#SaveIntervalSec=60
EEOF
# Reference (verified) ways to touch the target system from this hook:
#   chroot "${ROOT_MOUNTPOINT}" bash -c 'touch /opt/test-from-chroot-ok.txt'
#   touch "${ROOT_MOUNTPOINT}/opt/test-nntc_gnome-live"
# Make every nntc-* helper written above executable.
for helper in "${ROOT_MOUNTPOINT}"/usr/sbin/nntc-*; do
	chmod +x "${helper}"
done
pkg.in/lists/nntc
1c-preinstall-full alterator-auth alterator-gpupdate alt-tour cifs-utils dialog docker-engine docker-compose-v2 dpkg exfatprogs fuse-gvfs fuse-smb gimp git gpupdate gvfs-backend-mtp gvfs-backend-smb hplip hplip-hpijs kio-extras umbrello kf5-kio lazarus LibreOffice-full LibreOffice-gtk3 mtpfs ntfs-3g openssh openvpn pam_mount pam_script pve-manager pwgen realmd remmina remmina-plugins-rdp remmina-plugins-vnc samba-client samba-common-tools sendmail sssd-ad systemd-settings-enable-kill-user-processes terminator usrmerge-hier-convert virtualbox vlc virt-viewer x11vnc xdg-utils xsane arduino chromium chromium-gost dia freecad tmate java-21-openjdk-devel java-21-openjdk emacs-gtk3 gcc-c++ gdb ddd openssl-gost-engine afce alien rpm-build snapd MySQL-client mysql-workbench-community systemd-timesyncd obs-studio inkscape shotcut kicad
conf.d/regular.mk
...
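# Final form of the regular-gnome distro target (the draft earlier on this
# page also had use/live-install/vnc/listen; it is dropped here).
# SECURITY: sshd.service is enabled, and the nntc-gnome postinstall hook
# sets "PermitRootLogin yes" — root is reachable over SSH with a password
# from the first boot. docker.service: docker-group members are root-equivalent.
# networking (ifupdown) replaces NetworkManager so the vmbr0 bridge from
# /etc/network/interfaces is the only thing managing the uplink.
# Recipe lines (the @$(call ...) ones) must start with ONE TAB, not spaces.
distro/regular-gnome: distro/.regular-desktop mixin/regular-gnome \
	+plymouth use/browser/firefox use/nntc-gnome
	@$(call add,THE_LISTS,nntc)
	@$(call add,SYSTEMD_SERVICES_ENABLE,sshd.service)
	@$(call add,SYSTEMD_SERVICES_ENABLE,docker.service)
	@$(call add,SYSTEMD_SERVICES_ENABLE,networking.service)
	@$(call add,SYSTEMD_SERVICES_DISABLE,NetworkManager.service)
	@$(call add,CONTROL,openssl-gost:enabled)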
...
do-gnome.sh
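#!/bin/bash
# Rebuild the regular-gnome ISO from a clean tree and publish it to the PVE
# ISO storage. Stop at the first failure: otherwise a failed "make" does not
# stop the script and the cp below publishes whatever is (or is not) in
# build/out instead of a fresh image.
set -e
make clean
make distclean
# verbose variant:
# make REPORT=1 DEBUG=1 regular-gnome.iso
make regular-gnome.iso
# copy to pve storage
cp build/out/regular-gnome-latest-x86_64.iso ../template/iso/alt_regular_gnome_nntc.iso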