source: hybrid/branches/releng-11/nanobsd/cfg/nanobsd.wleiden@ 14146

## Dit is een NanoBSD configuratie-template voor WirelessLeiden.   
## Instellingen weergegeven binnen dit bestand gelden als 
## standaard binnen de organisatie.

# Little hack to allow proper secify of KERNL/PKG location
if [ -n "$NANO_CFG_FILE" ]; then
  NANO_CONF_DIR=$(cd $(dirname $NANO_CFG_FILE); pwd -P)
else
  NANO_CONF_DIR=$(cd $(dirname $2); pwd -P)
fi

# object naam in /usr/obj/nanobsd.{obj}
NANO_NAME=wleiden-hybrid
NANO_SRC=/usr/src               # nanobsd source tree
NANO_TOOLS=$(pwd)
NANO_KERNEL=$NANO_CONF_DIR/kernel.wleiden # naam van het kernel configuratiebestand
NANO_IMAGES=2                   # aantal nanobsd code slices/installs (1/2)   

NANO_CONFSIZE=20480             # Volume van de config slice (10MB) in 512bs
NANO_DATASIZE=0                 # volume van de data slice, 0 = not configured
NANO_CODESIZE=819200            # Let buildscript the operating system slice as large as posible 

# Size of the /etc ramdisk in 512 bytes sectors
NANO_RAM_ETCSIZE=20480  

NANO_RAM_TMPVARSIZE=102400      # Volume of combined var & tmp slice (50MB) in 512bs

NANO_LABEL=WLIMG
NANO_NEWFS="-b 4096 -f 512 -i 8192"   # Overwrite the default stettings to disable Soft-updates


# Package building done using pourdriere
NANO_PACKAGE_REPOS="/usr/local/poudriere/data/packages/wlpkgbuild-default-node/"


# Dirty quirk to allow comments in part below
PACKAGE_LIST=`cat <<EOF | sed -e 's/#.*$//g' | xargs
benchmarks/iperf
devel/gdb
editors/vim-console
dns/dnsmasq
dns/nsd
dns/unbound
ftp/curl
net/ladvd
net-mgmt/iftop
net-mgmt/net-snmp
net/mtr
net/isc-dhcp43-server
net/pen 
ports-mgmt/pkg
security/sudo
security/ca_root_nss
shells/bash-static
sysutils/daemontools
sysutils/monit
sysutils/screen
sysutils/ucspi-tcp
sysutils/wait_on
www/apache24
www/tinyproxy
www/thttpd

# Extra WL ports
net/lvrouted
`
PKG_MAKE_CONF="
# www/py-cherrypy         - include apache templating
# net-mgmt/net-snmp       - no perl please (size)
# net-mgmt/nagios-plugins - no threading (single CPU)
# shells/bash-static      - logging via syslog
# net/mtr                 - no X11 (no screen)
# lang/ocaml              - no TK support (requires X11)
# devel/ocaml-findlib     - no TOOLBOX support (requires ocaml with TK support)
# ftp/curl                - GSSAPI support set to NONE (_BASE requires kerberos)
OPTIONS_SET=    APACHE FPING SYSLOG GSSAPI_NONE
OPTIONS_UNSET=  PERL PERL_EMBEDDED PYTHON X11 TK TOOLBOX GSSAPI_BASE
"

##NANO_PACKAGE_LIST=

# Warning: set to 1 to debug make build errors
# Number of recurrent parrallel make builds
if `grep -q 'acpi0: <PRLS PRLS_OEM> on motherboard' /var/run/dmesg.boot`; then
  # Mac OS X Parallels virtual machine
  NANO_PMAKE="make -B"  
else
  # Default 2 times number of CPU's inside machine
  NANO_PARALLEL_MAKE=`expr $(sysctl -n hw.ncpu) \* 2`
  NANO_PMAKE="make -j ${NANO_PARALLEL_MAKE}"    
fi

# Starting from soekris bios version 1.31 upwards boot0sio does not seems work
# anymore, but boot0 does (weird)
NANO_BOOTLOADER="boot/boot0"

# Strip down to a more acceptable size
# hints from http://people.freebsd.org/~phk/nanobsd/soekris_4x26/make.soekris_4x26.conf (46MB)
NANO_PRUNE="$NANO_PRUNE usr/share/examples"
NANO_PRUNE="$NANO_PRUNE usr/share/syscons"
NANO_PRUNE="$NANO_PRUNE usr/share/calendar"
# NB!  usr/share/misc contains termcap, vi(1) etc fails to work without it.
# NANOBSD_PRUNE +=      usr/share/misc
NANO_PRUNE="$NANO_PRUNE usr/share/pcvt"
NANO_PRUNE="$NANO_PRUNE usr/share/me"
NANO_PRUNE="$NANO_PRUNE usr/share/doc"
# Debugging removal
NANO_PRUNE="$NANO_PRUNE usr/lib/debug"
NANO_PRUNE="$NANO_PRUNE usr/tests"
# Installed ports strip down
NANO_PRUNE="$NANO_PRUNE usr/local/share/doc"
NANO_PRUNE="$NANO_PRUNE usr/local/share/examples"
# Directories not removable by installer
NANO_PRUNE="$NANO_PRUNE usr/local/lib/python2.7/test"





# Opties parsed gedurende build & install world
# Also check man 5 src.conf for details
# Some flags are misleading, e.g. could only be installworld (e.g.), for details:
#     http://phk.freebsd.dk/misc/build_options/
# For details on make options also check:
#     /usr/src/share/mk/bsd.own.mk
CONF_COMMON='
# Specific enabled options
#WITHOUT_ACPI=YES                       # geen advanced configuration power interface
#WITHOUT_BIND=YES                       # geen bind tools, dns/named geinstalleerd
#WITHOUT_CXX=YES                        # Set to not build g++(1) and related libraries.
#WITHOUT_GROFF=YES                      # Set to not build groff(1).
#WITHOUT_INET6=YES                      # geen ondersteuning inet versie 6 architectuur
#WITHOUT_INFO=YES                       # geen info bestanden, readable online docs
#WITHOUT_IPFILTER=YES                   # geen ip filtering geinstalleerd
#WITHOUT_KLDLOAD=YES                    # do not allow loading of kernel modules
#WITHOUT_MAILWRAPPER=YES                # geen mailwrapper bij gebruik sendmail
#WITHOUT_MAN=YES                        # geen handleidingen gecompileerd
#WITHOUT_MISC=YES                       # geen misc sub directory
#WITHOUT_MODULES=YES                    # geen ondersteuning toevoegen modules
#WITHOUT_PAM=YES                        # geen ondersteuning pa modules
#WITHOUT_PF=YES                         # geen packet filtering geinstalleerd 
#WITHOUT_SHARE=YES                      # geen share sub directory 
#WITHOUT_USB=YES                        # geen ondersteuning usb modules
# Specific disabled options
WITHOUT_ATM=YES                         # geen ondersteuning Asynchronous Transfer Mode
WITHOUT_AUDIT=YES                       # geen event auditing / audit trails    
WITHOUT_AUTHPF=YES                      # geen authenticating gateway user shell
WITHOUT_BLUETOOTH=YES                   # geen ondersteuning Bluetooth modules
WITHOUT_CALENDAR=YES                    # geen calendar reminder service gecompileerd
WITHOUT_CDDL=YES                        # Set to not build code licensed under Sun CDDL. (also ZFS)
WITHOUT_CPP=YES                         # Set to not build cpp(1).
WITHOUT_CXX=YES                         # Set to not build c++(1) and related libraries.
WITHOUT_CLANG=YES                       # Set to not build the Clang C/C++ compiler.
WITHOUT_CVS=YES                         # geen cvs tools geinstalleerd
WITHOUT_DICT=YES                        # geen dictionary ondersteuning
WITHOUT_EXAMPLES=YES                    # geen voorbeeld configuratiebestanden
WITHOUT_FORTRAN=YES                     # geen ondersteuning fortran compilers
WITHOUT_GAMES=YES                       # geen games gecompileerd
WITHOUT_GCOV=YES                        # geen gcov test coverage program
WITHOUT_GPIB=YES                        # geen ondersteuning gpib kaarten
WITHOUT_HTML=YES                        # geen html help bestanden gecompileerd
WITHOUT_I4B=YES                         # geen ondersteuning voor isdn
WITHOUT_IPX=YES                         # geen ondersteuning ipx protocols
WITHOUT_KERBEROS=YES                    # geen ondersteuning Kerberos authenticatie
WITHOUT_LOCALES=YES                     # geen ondersteuning lokalisatie 
WITHOUT_LPR=YES                         # geen ondersteuning print services
WITHOUT_NIS=YES                         # geen ondersteuning network information system
WITHOUT_PROFILE=YES                     # Set to avoid compiling profiled libraries.
WITHOUT_RCMDS=YES                       # geen ondersteuning rcmds,
WITHOUT_RESCUE=YES                      # geen rescue bestanden gecompileerd
WITHOUT_SENDMAIL=YES                    # geen sendmail geinstalleerd   
WITHOUT_SHAREDOCS=YES                   # geen share/docs directories
WITHOUT_SSP=YES                         # Set to not build world with propolice stack smashing protection.
WITHOUT_SYSCONS=YES                     # geen syscon devices gecompileerd
WITHOUT_UNBOUND=YES                     # Port version will be used if any is used
WITHOUT_LOCALES=YES                     # No localization support
'

CONF_BUILD="
${CONF_COMMON}
"

CONF_INSTALL="
${CONF_COMMON}
WITHOUT_TOOLCHAIN=YES                   # geen freebsd toolchain
"


# Flash disks arrived, sandisk 1g seems to match the geometry of the (blanc) cards
#FlashDevice sandisk  1g        # nanobsd flashdevice entry
#FlashDevice sandisk 512mb      # nanobsd flashdevice entry
#FlashDevice transcend 2g       # nanobsd flashdevice entry
# Calculated value of PEAK hardware 1GB CF card
# C/H/S phys 1954/16/63, logical 977/32/63    
# Mediasize is calculated as C*H*S*512        

# Using logical values reported by ALIX board
# values for PCEngines blanc 1 GB cards
# C/H/S phys 1966/16/63, logical 983/32/63
NANO_MEDIASIZE=`expr 1008451584 / 512`
NANO_HEADS=32                            
NANO_SECTS=63                            


# Version tagging
cust_version_tag() (
        VERSION_FILE="${NANO_WORLDDIR}/tools/wl-release.txt" 
        (
        echo "Generated by `id -un`@`hostname -f` at `date`"
        echo "" 
        echo "=== CONFIG specifics ==="
        svn info ${NANO_CONF_DIR}/../ || exit 0
        svn diff ${NANO_CONF_DIR}/../ || exit 0
        echo "=== BEGIN CONFIG specifics ==="
        ) > $VERSION_FILE
)

# Takes a very long time (10+) minutes to generate this file on an ALIX board,
# not practical for quick debugging and configuration.
cust_openvpn_dhparam() (
        if [ -r ${NANO_CONF_DIR}/usr/local/bin/openvpn ]; then
                DHFILE=${NANO_WORLDDIR}/etc/easy-rsa-keys/dh1024.pem
                mkdir -p `dirname $DHFILE`
                openssl dhparam -out $DHFILE 1024
        fi
)

# Unbound is running in alternative chroot location (port default) how-ever
# this directory needs to be writeable by unbound for key generation etc.
cust_unbound_rights() (
        if [ -r ${NANO_WORLDDIR}/usr/local/etc/unbound ]; then
                chroot ${NANO_WORLDDIR} sh -c "chown unbound:unbound /usr/local/etc/unbound"
        fi
)


# Assuming we are running a safe envirionment where snooping could occur during or after the build
cust_set_root_password() (
        if [ -n "${CFG_ROOT_PASSWORD}" ]; then
                pprint 2 "Set root password using CFG_ROOT_PASSWORD variable"
                chroot ${NANO_WORLDDIR} sh -c "echo '${CFG_ROOT_PASSWORD}' | pw usermod -h 0 -n root"
        else
                pprint 2 "Root password is <blank>, no password provided at variable CFG_ROOT_PASSWORD"
        fi
)



# EXPERIMENTAL patch like envirionment
# Using '*-nanobsd.patch' files to only specify the bare differences between the base/default file to 
# keep us as close as possible to the base OS
# Patches are applied to the directory they live in
#cust_apply_nanobsd_patches() (
#       for PATCHFILE in `find ${NANO_WORLDDIR} -regex '.*-nanobsd\.patch$'`; do
#               cd `dirname ${PATCHFILE}`
#       patch -t -N -p0 -i `basename ${PATCHFILE}`
#               #XX: What to with installed patch files? Delete them for the  time beeing
#               rm -v ${PATCHFILE}
#done



#)



# Customize ntpd
cust_ntpd() (
        chroot ${NANO_WORLDDIR} sh -c "ln -fs /usr/local/etc/ntp.drift /var/db/ntp.drift"       
)


# Enable Serial TTYs
cust_serial_ttys() (
        chroot ${NANO_WORLDDIR} sed -i '' -e '/ttyv[0-9]/s/on /off/' -e '/ttyu0/s/off/on/' -e '/ttyu0/s/dialup/ansi/' /etc/ttys

        # Serial login is consided to be phycically secured, so no credentials are required
        chroot ${NANO_WORLDDIR} sed -i '' -e '/ttyu0/s/std.9600/al.9600/' /etc/ttys
)

# Customize sudoers files
cust_sudo_rules() {
        chroot ${NANO_WORLDDIR} find /usr/local/etc/sudoers.d/ -type f -exec chmod 0640 {} \+
}


# Update databases of tooling like locate and apropos
cust_update_databases() {
        chroot ${NANO_WORLDDIR} sh -c '/usr/libexec/makewhatis.local `/usr/bin/manpath -q`'
        chroot ${NANO_WORLDDIR} "/usr/libexec/locate.updatedb"
}

# Install files from specific relative location
cust_install_files () (
        cd ${NANO_CONF_DIR}/../files
        find . -print | grep -v -e /CVS -e .svn  | cpio -dumpv ${NANO_WORLDDIR}
)


# Make tools available for root by default
cust_root_bin_to_tools() {
        ln -s /tools ${NANO_WORLDDIR}/root/bin
}


# Prune no needed directories of image
cust_nano_prune () (
        cd ${NANO_WORLDDIR}
        for ENTRY in ${NANO_PRUNE}; do
                rm -vfR ${ENTRY}
        done
)

# We actually do need an seperate /tmp, so undo the symlinking done in
# setup_nanobsd()
late_cust_unset_common_var_and_tmp() (
        cd ${NANO_WORLDDIR}
        rm tmp
        mkdir -m 1777 tmp
)


# Fill /cfg wmth custom files, based on 'create_i386_diskimage ( )'
last_nano_fill_cfg () (
        # Variables to be used
        IMG=${NANO_DISKIMGDIR}/${NANO_IMGNAME}
        MNT=${MAKEOBJDIRPREFIX}/_.mnt

        # Mount '/cfg' slize in image
        MD=`mdconfig -a -t vnode -f ${IMG}`
        mount /dev/${MD}s3 ${MNT}

        # Location of '/cfg' directory
        cd ${NANO_CONF_DIR}/../cfg-files
        find . -print | grep -v -e /CVS -e .svn  | cpio -dumpv ${MNT}
        
        
        # Leave in nice end state
        umount ${MNT}
        mdconfig -d -u ${MD}
) > ${MAKEOBJDIRPREFIX}/_.fc 2>&1

last_nano_disk_usage () (
        # Variables to be used
        IMG=${NANO_DISKIMGDIR}/${NANO_IMGNAME}
        MNT=${MAKEOBJDIRPREFIX}/_.mnt

        # Mount root slize 
        MD=`mdconfig -a -t vnode -f ${IMG}`
        mount /dev/${MD}s1a ${MNT}

        # Show disk usage (percent free) inc header
        pprint 2  $(df -h | head -1)
        pprint 2 "$(df -h | grep /dev/${MD})"

        # Leave in nice end state
        umount ${MNT}
        mdconfig -d -u ${MD}
)


cust_pkgng () (

        # If the package directory doesn't exist, we're done.
        if [ ! -d ${NANO_PACKAGE_REPOS} ]; then
                echo "DONE 0 packages"
                return 0
        fi

        # Find a pkg-* package
        if [ -z "${NANO_PACKAGE_REPOS}/Latest/pkg.txz" ]; then
                echo "FAILED: need a pkg/ package for bootstrapping"
                exit 2
        fi

        # Replicate the packages into the NanoBSD world (as hard links) so we can
        # access them from the chroot in which pkg is being run.
        cp -lpR ${NANO_PACKAGE_REPOS} ${NANO_WORLDDIR}/Repos

        #Bootstrap pkg
        CR env ASSUME_ALWAYS_YES=YES SIGNATURE_TYPE=none /usr/sbin/pkg add /Repos/Latest/pkg.txz
        CR pkg -N >/dev/null 2>&1
        if [ "$?" -ne "0" ]; then
                echo "FAILED: pkg bootstrapping faied"
                exit 2
        fi

        mkdir -p ${NANO_WORLDDIR}/usr/local/etc/pkg/repos
        echo "FreeBSD: { enabled: no }" > ${NANO_WORLDDIR}/usr/local/etc/pkg/repos/FreeBSD.conf

        # Generate a reference to our local repository
        cat > ${NANO_WORLDDIR}/usr/local/etc/pkg/repos/LOCAL.conf <<-EOF
        LOCAL: {
                url             : file:///Repos
                enabled         : yes
                mirror_type     : none
                signature_type  : none
        }
        EOF
        

        # Count & report how many we have to install
        todo=`echo ${PACKAGE_LIST} | /usr/bin/wc -l`
        todo=$(expr $todo + 1) # add one for pkg since it is installed already
        echo "=== TODO: $todo"
        echo "${PACKAGE_LIST}"
        echo "==="
        for PKG in ${PACKAGE_LIST}
        do
                CR env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $PKG
        done
        rm -rf ${NANO_WORLDDIR}/Repos
)

last_orders () (
        last_nano_fill_cfg
        last_nano_disk_usage
)

# Ugly hack to 'escaping' pprint from inside a customize_cmd to output
# instead of a file
exec 3>/dev/stdout
# Progress Print
#       Print $2 at level $1 
pprint() {
    if [ "$1" -le $PPLEVEL ]; then
        printf "%.${1}s %s\n" "#####" "$2" 1>&3
    fi
}

# Cust macro`s gestart in onderstaande volgorde
# XXX: Determine size before installing all find of additions to see how much
# base we are actually using ## du -h -d 0
customize_cmd cust_pkgng
customize_cmd cust_install_files
customize_cmd cust_ntpd
customize_cmd cust_serial_ttys
customize_cmd cust_version_tag
customize_cmd cust_root_bin_to_tools
customize_cmd cust_allow_ssh_root
customize_cmd cust_openvpn_dhparam
customize_cmd cust_nano_prune
customize_cmd cust_set_root_password
customize_cmd cust_sudo_rules
customize_cmd cust_unbound_rights
customize_cmd cust_update_databases
#customize_cmd cust_apply_nanobsd_patches
late_customize_cmd late_cust_unset_common_var_and_tmp

# Standard overwrite
if [ -r "$NANO_CONF_DIR/nanobsd.local" ]; then
 . $NANO_CONF_DIR/nanobsd.local
fi

# Extra config if existing is not suffient
if [ -n "$EXTRA_NANOBSD_CONFIG" ]; then
  for FILE in $EXTRA_NANOBSD_CONFIG; do
    # File relative to config directory
    if [ "`echo $FILE | cut -c1`" != "/" ]; then
      FILE=$NANO_CONF_DIR/$FILE
    fi
    pprint 1 "Loading $FILE"
    . $FILE || exit 1
  done
fi