reconfigure arayat

README.md

@@ -328,6 +328,12 @@ The following table is giving a list of error codes with explanation:
 | 18        | Module file don't exists or is empty                        |
 | 20        | Ambigous realm with autodetection                           |
 | 21        | Unconsistant directory structure with configured realm      |
+| 22        | Required secret management software missing                 |
+| 23        | Secret key not found in secret database                     |
+| 24        | File is not readable                                        |
+| 25        | Needed variable not set or not declared                     |
+| 26        | Secret reference missing or malformed                       |
+| 27        | Unknown secret reference                                    |
 | 50..100   | Error in module execution                                   |
 | 126       | Command exists but is not executable                        |
 | 127       | Command not found                                           |
@@ -394,7 +400,7 @@ You can mail author to fatalerrors \<at\> geoffray-levasseur \<dot\> org.
 
 -----------------------------------------------------------------------------
 
-Documentation (c) 2019-2022 Geoffray Levasseur.
+Documentation (c) 2019-2025 Geoffray Levasseur.
 
 This file is distributed under3-clause BSD license. The complete license
 agreement can be obtained at: https://opensource.org/licenses/BSD-3-Clause

README.txt

@@ -1,4 +0,0 @@
-This is deployment scripts for LEGOS git repository created on 2021-05-31-11:31:04
-An english version for general purpose is available at https://www.geoffray-levasseur.org/init
-
-Check README.md for details.

conf/auto/debian-13.conf.sh

@@ -0,0 +1,6 @@
+# Check debian.conf file for general declaration
+# This is specific for version 13
+
+export NTP_SERV=ntpsec
+export SOURCE_EXT=source
+export NO_MAIN_SOURCE=true

conf/auto/debian.conf.sh

@@ -19,6 +19,9 @@ export COM_AUTOREM="autoremove --purge -y"
 # This is not used by init.sh
 export DEBIAN_FRONTEND=noninteractive
 
+# Configure how apt behave regarding source.list files
+export NO_MAIN_SOURCE=false
+
 # Conf chemin
 export RC_SCRIPTS_PATH="/etc/init.d"
 

conf/auto/devuan-6.conf.sh

@@ -0,0 +1,4 @@
+# Check devuan.conf file for general declaration
+# This is specific for version 6
+
+export NTP_SERV=ntpsec

conf/geoffray-levasseur.org/arayat.conf.sh

@@ -41,10 +41,10 @@ NET4_NS_eth0="192.168.1.205 192.168.1.206"
 NET4_NS_SEARCH_eth0=$REALM
 
 NET4_MODE_eth1="static"
-NET4_IP_eth1="192.168.74.220/24"
+NET4_IP_eth1="192.168.74.100/24"
 
 NET4_MODE_eth2="static"
-NET4_IP_eth2="10.0.254.220/16"
+NET4_IP_eth2="10.42.250.100/16"
 
 IPV6_IFACES="eth0 eth1"
 
@@ -63,7 +63,7 @@ NET6_IP_eth1="2a03:7220:8081:b34a::dc/64"
 INTALL_MODE=full
 
 # Paquets additionnels
-PKGSEL="$PKGSEL iptables fail2ban curl"
+PKGSEL="$PKGSEL iptables curl"
 
 # ------------------------------------------------------------------------------
 # -------------------------- Section modules d'init ----------------------------

conf/geoffray-levasseur.org/labo.conf.sh

@@ -26,8 +26,6 @@ MAINUSER=root
 WITH_LDAP_KERB=no
 
 # Users to create, add or remove
-#LOCAL_USERS="$MAINUSER"
-#REMOTE_USERS="kroot"
 REMOVE_USERS="fatal"
 
 # Network
@@ -40,7 +38,7 @@ NET4_NS_eth0="192.168.1.205 192.168.1.206"
 NET4_NS_SEARCH_eth0=$REALM
 
 NET4_MODE_eth1="static"
-NET4_IP_eth1="10.42.0.207/16"
+NET4_IP_eth1="10.42.250.180/16"
 
 IPV6_IFACES=""
 
@@ -64,5 +62,5 @@ PKGSEL="$PKGSEL nsd ldnsutils haveged"
 
 # Liste des modules à executer (surchargeable en ligne de commande)
 MODULE_LIST="conf_ntp upgrade_dist conf_ceph authnz conf_locale conf_ssh \
-	conf_mail install_pkg install_profile patch_snmp install_mkagent \
+	conf_mail install_pkg install_profile patch_snmp \
         conf_syslog conf_network"

conf/geoffray-levasseur.org/latukan.conf.sh

@@ -31,29 +31,30 @@ WITH_LDAP_KERB=no
 REMOVE_USERS=
 
 # Network
-IPV4_IFACES="ens18 ens19"
+IPV4_IFACES="eth0 eth1"
 
-NET4_MODE_ens18="static"
+NET4_MODE_eth0="static"
-NET4_IP_ens18="192.168.1.235/24"
+NET4_IP_eth0="192.168.1.235/24"
-NET4_GW_ens18="192.168.1.230"
+NET4_GW_eth0="192.168.1.230"
-NET4_NS_ens18="192.168.1.205 192.168.1.206"
+NET4_NS_eth0="192.168.1.205 192.168.1.206"
-NET4_NS_SEARCH_ens18=$REALM
+NET4_NS_SEARCH_eth0=$REALM
 
-NET4_MODE_ens19="static"
+NET4_MODE_eth1="static"
-NET4_IP_ens19="10.42.250.30/24"
+NET4_IP_eth1="10.42.250.30/24"
 
-IPV6_IFACES="ens18"
+IPV6_IFACES="eth0"
-
-NET6_MODE_ens18="static"
-NET6_IP_ens18="2a03:7220:8081:b301::1e/64"
-NET6_GW_ens18="2a03:7220:8081:b301::e7"
-NET6_NS_ens18="2a03:7220:8081:b301::cd 2a03:7220:8081:b301::ce"
-NET6_NS_SEARCH_ens18=$REALM
 
+NET6_MODE_eth0="static"
+NET6_IP_eth0="2a03:7220:8081:b301::1e/64"
+NET6_GW_eth0="2a03:7220:8081:b301::e7"
+NET6_NS_eth0="2a03:7220:8081:b301::cd 2a03:7220:8081:b301::ce"
+NET6_NS_SEARCH_eth0=$REALM
 
+# Gestionnaire de paquet :
 # Mode d'installation :
 # * dev : installe les paquets un par un avec apt (lent)
 # * full : envoie d'un seul coup la liste de tous les paquets à apt (rapide)
+NO_MAIN_SOURCE=false
 INTALL_MODE=full
 
 # Paquets additionnels

conf/includes/gl.conf.sh

@@ -24,16 +24,22 @@ export CEPHIP_mayon="192.168.1.254"
 export CEPHIP_pinatubo="192.168.1.253"
 export CEPHIP_ragang="192.168.1.252"
 export CEPHIP_taal="192.168.1.251"
-export CEPH_SECRET="AQAxSf5c2A/CMxAAnOu1RrSf7Yr2h60CLttq4g=="
+export CEPH_SECRET="file:/tmp/ceph_secret"
+export CEPH_MOUNTS="datastore mediastore"
+export CEPH_MP_datastore="/srv/ceph"
+export CEPH_MP_mediastore="/srv/media"
 export SHARED_HOME="false"
 
 # SSH
 export SSHD_PERMITROOT_RANGE="192.168.1.0/24"
 
 # Check MK
-export MK_VERSION="2.3.0p27-1"
+#export MK_VERSION="2.4.0p12-1" #shoud be autodetected now
-export MK_URL="http://10.250.42.20/check_mk/check_mk/agents/check-mk-agent_${MK_VERSION}_all.deb"
+export MK_SERVER_IP="192.168.1.201"
-export MK_SERVER_IP="10.250.42.20"
+export MK_SITE="check_mk"
+export MK_URL="http://$MK_SERVER_IP/$MK_SITE/check_mk/agents/check-mk-agent_latest_all.deb"
+export MK_SECRET="file:/share/services/gestparc/mk_secret"
+export MK_USER="cmk-agent"
 
 # Samba
 export SMBSRV="silay.$REALM"

conf/includes/pkgsel.base.conf.sh

@@ -7,12 +7,12 @@ export PKGS_RMLIST="apparmor laptop-detect resolvconf snapd wamerican chafa"
 export PKGS_BLACKLIST="apparmor resolvconf chafa snapd"
 
 # Base
-export PKGS_BASE="debconf-utils debhelper deborphan ethtool cpufrequtils \
+export PKGS_BASE="debconf-utils debhelper ethtool \
     curl hwinfo lm-sensors libatasmart-bin lsscsi pciutils vim emacs-nox \
     mailutils htop lsof ltrace strace bash-completion host dnsutils \
     sysstat ifstat iftop iotop mtr-tiny tcpdump mc pbzip2 pigz \
     xz-utils zip unzip plzip lzip ftp lftp bc dc dos2unix psmisc udunits-bin \
-    whois tmux screen debconf-doc dump figlet gawk multitail neofetch nmap \
+    whois tmux screen debconf-doc dump figlet gawk multitail fastfetch nmap \
     oping pv traceroute rsync tree git qemu-guest-agent ca-certificates"
 
 # Agregation of the package lists

init.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 # ------------------------------------------------------------------------------
 # Init.sh: initialise a computer and conform it
-# Copyright (c) 2019-2023 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
+# Copyright (c) 2019-2025 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
 # ------------------------------------------------------------------------------
 # This file is distributed under 3-clause BSD license.
 # The complete license agreement can be obtained at:
@@ -36,7 +36,7 @@ export LC_ALL=C
 export LANG=C
 
 # Version of init
-export VERSION="0.99.22"
+export VERSION="0.99.24"
 
 # Store script's path (realpath -s resolve symlinks if init.sh is a symlink)
 export MYPATH=$(dirname "$(realpath -s "$0")")

lib/filefct.sh

@@ -231,52 +231,6 @@ export -f is_dir_empty
 # ------------------------------------------------------------------------------
 
 
-# ------------------------------------------------------------------------------
-# copy and patch a file replacing all @var@ by the corresponding value in
-# the environment or the variable list given in parameter
-patch_file()
-{
-    local srcfile=$(select_file $1) && shift
-    local dstfile=$1 && shift
-    local workfile=${dstfile}.work
-
-    if [[ ! -s $srcfile ]]; then
-	prnt E "patch_file(): Source file is empty, is not a file or don't exists!"
-	die 10
-    fi
-
-    # Create a sub-process, to avoid bash environment pollution
-    (
-	local varlist='' pattern=''
-	if [[ $# -eq 0 ]] ; then
-	    pattern="-e s/<\(.*\)>/\$\1\$\1/g"
-	else
-	    local var=
-	    for var in $* ; do
-		if ! declare -p $var >/dev/null 2>&1 ; then
-		    local $var=$(eval echo \$$var)
-		fi
-		pattern="$pattern -e s/@$var@/\$$var/g"
-		varlist=$varlist\$$var
-	    done
-	fi
-
-	# sed replace <VAR> with \$$VAR and envsubst do the replace by value
-	sed $pattern $srcfile | envsubst ${varlist:+"$varlist"} > "$workfile"
-    )
-
-    local -a rights=( $(stat --printf="%a %u %g" "$srcfile") )
-    unset srcfile
-    mv "$workfile" "$dstfile"
-    chmod ${rights[0]} "$dstfile"
-    chown ${rights[1]}:${rights[2]} "$dstfile"
-
-    unset rights dstfile
-}
-export -f patch_file
-# ------------------------------------------------------------------------------
-
-
 # ------------------------------------------------------------------------------
 # Put a small header in a file showing it have been automatically modified
 tag_file()
@@ -286,8 +240,7 @@ tag_file()
         if [[ -e $f ]]; then
             sed -i "1s/^/$text\n/" $f
         else
-	    echo $text > $f
+            echo $text | sed "s/modified/generated/" > $f
-	    sed -i -e "s/modified/generated/" $f
         fi
     done
 }

lib/secret.sh

@@ -0,0 +1,194 @@
+#!/bin/bash
+# ------------------------------------------------------------------------------
+# Secret management functions
+# This file is part of the init.sh project
+# Copyright (c) 2025 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
+# ------------------------------------------------------------------------------
+# This file is distributed under 3-clause BSD license.
+# The complete license agreement can be obtained at:
+# https://opensource.org/licenses/BSD-3-Clause
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Get Passbolt
+get_passbolt_secret()
+{
+    local name="$1" secret
+
+    if ! command -v passbolt >/dev/null 2>&1; then
+        prnt E "Passbolt CLI not found (required to fetch passbolt:$name)."
+        die 22
+    fi
+
+    # Exemple basé sur CLI Passbolt + jq
+    secret=$(passbolt secret list --json 2>/dev/null | jq -r --arg NAME "$name" \
+        '.[] | select(.name == $NAME) | .secrets[0].data' 2>/dev/null)
+
+    if [[ -z "$secret" || "$secret" == "null" ]]; then
+        prnt E "Secret '$name' not found in Passbolt."
+        die 23
+    fi
+
+    printf '%s' "$secret"
+}
+export -f get_passbolt_secret
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Get File
+get_file_secret()
+{
+    local path="$1" secret
+
+    if [[ ! -s "$path" ]]; then
+        prnt E "get_file_secret: missing secret file"
+        die 10
+    fi
+    if [[ ! -r "$path" ]]; then
+        prnt E "get_file_secret: '$path' not readable"
+        die 24
+    fi
+
+    secret=$(<"$path")
+    secret="${secret%$'\r'}"
+    secret="${secret%$'\n'}"
+    printf '%s' "$secret"
+}
+export -f get_file_secret
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Get Environment variable
+get_var_secret()
+{
+    local var="$1" secret
+
+    if [[ -z "$var" ]]; then
+        prnt E "get_var_secret: missing variable name"
+        die 25
+    fi
+    if ! printenv "$var" >/dev/null 2>&1; then
+        prnt E "get_var_secret: variable '$var' not set"
+        die 25
+    fi
+
+    secret="$(printenv "$var")"
+    secret="${secret%$'\r'}"
+    secret="${secret%$'\n'}"
+    printf '%s' "$secret"
+}
+export -f get_var_secret
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Main get dispatcher
+# Usage: fetch_secret "scheme:identifier"
+fetch_secret()
+{
+    local ref="$1"
+    local scheme identifier func
+
+    if [[ -z "$ref" ]]; then
+        prnt E "fetch_secret: no reference provided"
+        die 26
+    fi
+
+    # par défaut, si pas de scheme -> "file"
+    if [[ "$ref" != *:* ]]; then
+        scheme="file"
+        identifier="$ref"
+    else
+        scheme="${ref%%:*}"
+        identifier="${ref#*:}"
+    fi
+
+    func="get_${scheme}_secret"
+
+    if ! declare -f "$func" >/dev/null 2>&1; then
+        prnt E "fetch_secret: unsupported scheme '$scheme' (no function $func)"
+        die 27
+    fi
+
+    "$func" "$identifier"
+}
+export -f fetch_secret
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Check Passbolt
+check_passbolt_secret() {
+    local name="$1" found
+
+    if ! command -v passbolt >/dev/null 2>&1; then
+        return 1
+    fi
+
+    found=$(passbolt secret list --json 2>/dev/null | jq -e --arg NAME "$name" \
+        '.[] | select(.name == $NAME) | .secrets[0].data' 2>/dev/null)
+
+    [[ -n "$found" && "$found" != "null" ]]
+}
+export -f check_passbolt_secret
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Check File
+check_file_secret() {
+    local path="$1"
+
+    [[ -r "$path" && -s "$path" ]]
+}
+export -f check_file_secret
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Check Environment variable
+check_var_secret() {
+    local var="$1"
+
+    [[ -n "$var" ]] && printenv "$var" >/dev/null 2>&1
+}
+export -f check_var_secret
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Check Dispatcher
+check_secret() {
+    local ref="$1"
+    local scheme identifier func
+
+    if [[ -z "$ref" ]]; then
+        prnt E "check_secret: no reference provided"
+        return 1
+    fi
+
+    if [[ "$ref" != *:* ]]; then
+        scheme="file"
+        identifier="$ref"
+    else
+        scheme="${ref%%:*}"
+        identifier="${ref#*:}"
+    fi
+
+    func="check_${scheme}_secret"
+
+    if ! declare -f "$func" >/dev/null 2>&1; then
+        prnt E "check_secret: unsupported scheme '$scheme' (no function $func)"
+        return 1
+    fi
+
+    "$func" "$identifier"
+}
+export -f check_secret
+# ------------------------------------------------------------------------------
+
+
+# EOF

lib/vars.sh

@@ -0,0 +1,108 @@
+#!/bin/bash
+# ------------------------------------------------------------------------------
+# Variables substitution function
+# This file is part of the init.sh project
+# Copyright (c) 2019-2024 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
+# ------------------------------------------------------------------------------
+# This file is distributed under 3-clause BSD license.
+# The complete license agreement can be obtained at:
+# https://opensource.org/licenses/BSD-3-Clause
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Replace @VAR@ in a text file by the corresponding $VAR value
+# The --delimiter or -d option allow to use something else than @
+setvar()
+{
+    local delimiter="@"
+    local vars=()
+    local file
+
+    # Parse arguments
+    while [[ $# -gt 0 ]]; do
+        case "$1" in
+            --delimiter|-d)
+                shift
+                delimiter="${1:-@}"
+                ;;
+            -*)
+                prnt E "setvar(): Unknown option: $1"
+                die 7
+                ;;
+            *)
+                if [[ -f $1 && $# -eq 1 ]]; then
+                    file="$1"
+                else
+                    vars+=("$1")
+                fi
+                ;;
+        esac
+        shift
+    done
+
+    if [[ -z $file ]]; then
+        prnt E "Usage: setvar [--delimiter D] VAR1 [VAR2 ...] <file>"
+        die 7
+    fi
+    if [[ ${#vars[@]} -eq 0 ]]; then
+        prnt E "No variable name(s) provided."
+        die 7
+    fi
+
+    local var val escaped pattern
+    for var in "${vars[@]}"; do
+        val="${!var}"
+        if [[ -z $val ]]; then
+            prnt W "Variable '$var' is unset or empty; skipped."
+            continue
+        fi
+
+        # Échapper les caractères spéciaux pour sed
+        escaped=$(printf '%s' "$val" | sed -e 's/[\/&]/\\&/g')
+
+        pattern="${delimiter}${var}${delimiter}"
+
+        prnt I "Replacing $pattern with $val in $file"
+        sed -i -e "s|$pattern|$escaped|g" "$file"
+    done
+}
+export -f setvar
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Replace @VAR@ in a text file by the corresponding values available in the
+# environment. The --delimiter or -d option allow to use something else than @
+setvars_from_env()
+{
+    local file delimiter="@"
+    while [[ $# -gt 0 ]]; do
+        case "$1" in
+            -d|--delimiter)
+                shift
+                delimiter="${1:-@}"
+                ;;
+            *)
+                file="$1"
+                ;;
+        esac
+        shift
+    done
+
+    [[ -f $file ]] || {
+        prnt E "File not found: $file"
+        die 10
+    }
+
+    local vars
+    vars=$(grep -o "${delimiter}[A-Z0-9_]\+${delimiter}" "$file" | sort -u | tr -d "$delimiter")
+    [[ -z $vars ]] && return 0
+
+    setvar --delimiter "$delimiter" $vars "$file"
+}
+export -f setvars_from_env
+# ------------------------------------------------------------------------------
+
+
+# EOF

modules/conf_ceph.sh

@@ -21,7 +21,7 @@
 # higher priority.
 # ------------------------------------------------------------------------------
 
-export VER_conf_ceph="1.0.0"
+export VER_conf_ceph="1.0.2"
 export DEP_conf_ceph=""
 
 conf_ceph()
@@ -31,33 +31,31 @@ conf_ceph()
     # Determine the type of installation
     if [[ $SYS_ARCH == "x86_64" || $SYS_ARCH == "i386" ]]; then
         export CEPH_STATUS=ceph
-    else
+    elif [[ -n $SMBSRV ]]; then
-        if [[ -n $SMBSRV ]]; then
         export CEPH_STATUS=smb
-        else
+    elif [[ -n $NFSSRV ]]; then
-            if [[ -n $NFSSRV ]]; then
         export CEPH_STATUS=nfs
     else
         export CEPH_STATUS=none
     fi
-        fi
-    fi
 
     if [[ $CEPH_STATUS == ceph ]]; then
         # Install ceph package
         pkginst ceph-common
 
         # hosts files required for Ceph bootstrap when DNS not yet started
-        if [[ -z $(grep "# Ceph" /etc/hosts) ]]; then
+        if ! grep -q "^# Ceph" /etc/hosts; then
             prnt I "Adding server list to /etc/hosts"
             backup_dist /etc/hosts
             tag_file /etc/hosts
             echo >> /etc/hosts
             echo "# Ceph servers:" >> /etc/hosts
             for srv in $CEPH_SRV_NAMES; do
-                local line="$(eval echo \$CEPHIP_$srv)    $srv.$REALM   $srv"
+                local line
+                line="$(eval echo \$CEPHIP_$srv)    $srv.$REALM   $srv"
                 prnt m "     - Adding line $line to /etc/hosts"
                 echo "$line" >> /etc/hosts
+                unset line
             done
         else
             prnt W "Ceph servers already in /etc/hosts, nothing to do"
@@ -67,17 +65,23 @@ conf_ceph()
         prnt I "Adding ceph entries to /etc/fstab"
         tag_file /etc/fstab
         echo >> /etc/fstab
-        local srvlist=$(echo $CEPH_SRV_NAMES | sed "s/ /,/g")
+        local srvlist=${CEPH_SRV_NAMES// /,}
-        if [[ -z $(grep $srvlist /etc/fstab) ]]; then
+
+        prnt I "Fetching secret $CEPH_SECRET..."
+        local secret
+        secret=$(fetch_secret "$CEPH_SECRET")
+        if ! grep -q "$srvlist" /etc/fstab; then
             echo "# Ceph :" >> /etc/fstab
             for mnt in $CEPH_MOUNTS; do
-                mkdir -pv $mnt
+                local mp=$(eval echo \$CEPH_MP_$mnt)
-                echo "$srvlist:/    $(eval echo \$CEPH_MP_$mnt)       ceph    defaults,_netdev,name=admin,secret=$CEPH_SECRET,id=$mnt  0 0" >> /etc/fstab
+                mkdir -pv "$mp"
+                echo "$srvlist:/    $mp       ceph    defaults,_netdev,name=admin,secret=$secret,mds_namespace=$mnt  0 0" >> /etc/fstab
+                unset mp
             done
         else
             prnt W "Ceph entry already in /etc/fstab, nothing to do"
         fi
-        unset srvlist
+        unset srvlist secret
         success=yes
     elif [[ $CEPH_STATUS == smb ]]; then
         pkginst smbclient
@@ -86,10 +90,13 @@ conf_ceph()
         prnt I "Adding Samba entries to /etc/fstab"
         echo >> /etc/fstab
         tag_file /etc/fstab
-        if [[ -z $(grep $SMBSRV /etc/fstab) ]]; then
+        if ! grep -q "$SMBSRV" /etc/fstab; then
             echo "# Samba:" >> /etc/fstab
             for mnt in $CEPH_MOUNTS; do
-                echo "//$SMBSRV/$mnt       $(eval echo \$CEPH_MP_$mnt)     cifs    defaults,_netdev,username=root,password=        0 0" >> /etc/fstab
+                local mp=$(eval echo \$CEPH_MP_$mnt)
+                mkdir -pv $mp
+                echo "//$SMBSRV/$mnt       $mp     cifs    defaults,_netdev,username=root,password=        0 0" >> /etc/fstab
+                unset $mp
             done
         else
             prnt W "Samba entry already in /etc/fstab, nothing to do"
@@ -97,7 +104,7 @@ conf_ceph()
         success=yes
     elif [[ $CEPH_STATUS == nfs ]]; then
         tag_file /etc/fstab
-        : # To be implemented
+        # To be implemented
     elif [[ $CEPH_STATUS == none ]]; then
         prnt W "No alternative set for unsuported hardware, nothing will be done."
         return 0
@@ -106,9 +113,9 @@ conf_ceph()
         return 1
     fi
     if [[ $success == yes ]]; then
-        # TODO: Create some mount binds for convenience
+        # Create some mount binds for convenience
         # TODO: That part should be a different module with own configuration
-        if [[ -z $(grep "^/srv/ceph/share" /etc/fstab) ]]; then
+        if grep -q "^/srv/ceph/share" /etc/fstab; then
             echo "/srv/ceph/share       /share  none    defaults,_netdev,bind   0 0" >> /etc/fstab
             if [[ $SHARED_HOME == 1 ]]; then
                 echo "/srv/ceph/share/home      /home   none    defaults,_netdev,bind   0 0" >> /etc/fstab
@@ -122,8 +129,9 @@ conf_ceph()
     # Mount Ceph volumes if required
     prnt I "Mounting ceph volumes"
     for mnt in $CEPH_MOUNTS; do
-        if [[ -z $(mount | grep "on $(eval echo "\$CEPH_MP_mnt)")" ]]; then
+        if ! mountpoint -q "$(eval echo \$CEPH_MP_$mnt)"; then
-            mount -v $(eval echo "\$CEPH_MP_mnt)")
+            mount -v "$(eval echo \$CEPH_MP_$mnt)" ||
+                prnt W "Error while mounting CEPH filesystem (check CEPH logs), ignoring"
         fi
     done
 }
@@ -144,10 +152,13 @@ precheck_conf_ceph()
             done
             if [[ -z $CEPH_SECRET ]]; then
                 prnt E "CEPH secret key is not declared, can't continue!"
-                prnt I "If you don't want to put tour CEPH secret in configuration file,"
+                prnt I "If you don't want to put a CEPH secret var in configuration file,"
                 prnt m "you need to export it temporarily in your environment, using the"
                 prnt m "\"CEPH_SECRET\" variable."
                 die 181
+            elif ! check_secret $CEPH_SECRET; then
+                prnt E "The declared $CEPH_SECRET is not accessible."
+                die 183
             fi
             if [[ -z $CEPH_MOUNTS ]]; then
                 prnt E "No CEPH mounts declared, despite reachable servers."
@@ -158,7 +169,7 @@ precheck_conf_ceph()
             die 182
         fi
     else
-        prnt W "System incompatible with ceph, falling back to samba..."
+        prnt W "System incompatible with ceph, falling back to Samba or NFS..."
     fi
 }
 

modules/conf_network.sh

@@ -100,11 +100,10 @@ conf_network()
 	fi
     done
 
-    prnt I "Trying to raise down iface up. Allready configured iface will require a reboot"
+    prnt I "Restart network to apply changes"
-    ifup -a || true && prnt W "Ignoring errors here."
+    svc_restart networking || true && prnt W "Ignoring errors here."
 
     unset iface if_file
-    export NEED_REBOOT=true
 }
 
 precheck_conf_network()
@@ -119,7 +118,7 @@ precheck_conf_network()
 		die 175
 	    else
 		if [[ $(grep "up" /sys/class/net/$iface/operstate) ]]; then
-		    prnt W "The IPv4 iface $iface, is already configured, a reboot will be required."
+		    prnt W "The IPv4 iface $iface, is already configured, a reboot could be required."
 		fi
 	    fi
 	    if [[ -z $(eval echo \$NET4_MODE_$iface) ]]; then
@@ -157,7 +156,7 @@ precheck_conf_network()
 		die 175
 	    else
 		if [[ $(grep "up" /sys/class/net/$iface/operstate) ]]; then
-		    prnt W "The IPv6 iface $iface, is already configured, a reboot will be required."
+		    prnt W "The IPv6 iface $iface, is already configured, a reboot could be required."
 		fi
 	    fi
 	    if [[ -z $(eval echo \$NET6_MODE_$iface) ]]; then

modules/conf_ntp.sh

@@ -11,7 +11,7 @@
 #  * NTPSERVERS: list of NTP servers
 # ------------------------------------------------------------------------------
 
-export VER_conf_ntp="0.1.6"
+export VER_conf_ntp="0.2.0"
 export DEP_conf_ntp=""
 
 conf_ntp()
@@ -21,16 +21,13 @@ conf_ntp()
 	systemctl disable systemd-timesyncd || true
     fi
 
+    NTP_SERV=${NTP_SERV:-ntp}
     prnt I "Installing ntp daemon..."
-    pkginst ntp
+    pkginst $NTP_SERV
     prnt I "Stopping service ntp..."
-    if [[ -n $NTP_SERV ]]; then
     svc_stop $NTP_SERV
-    else
-	svc_stop ntp
-    fi
 
-    if [[ -n $NTP_SERV ]]; then
+    if [[ $NTP_SERV == ntpsec ]]; then
 	local conf_file="/etc/$NTP_SERV/ntp.conf"
     else
 	local conf_file="/etc/ntp.conf"

modules/install_mkagent.sh

@@ -9,43 +9,144 @@
 # ------------------------------------------------------------------------------
 # Variable:
 #  * MK_SERVER: Server IP address
-#  * MK_PORT: Port check_mk agent will use to communicate with server
+#  * MK_SITE: The check_mk site (or instance) to use
+#  * MK_URL: The URL to use to download the agent
+#  * MK_SECRET: The secret to use to register the agent
+#  * MK_USER: The user to use to register
 # ------------------------------------------------------------------------------
 
-export VER_install_mkagent="0.0.7"
+export VER_install_mkagent="0.1.0"
 export DEP_install_mkagent=""
 
+
+# ------------------------------------------------------------------------------
+# Extract CheckMK version from the server
+get_checkmk_version_from_server()
+{
+    local ip="$1"
+    local site="${2:-$MK_SITE}"
+    local proto out v header
+    local re_version='[0-9]+\.[0-9]+(\.[0-9]+)?p?[0-9]+'
+
+    [[ -n "$MK_VERSION" ]] && { printf '%s' "$MK_VERSION"; return 0; }
+
+    for proto in http https; do
+        # 1) Tentative via version.py (souvent non protégée)
+        if out=$(curl -fsS --max-time 3 "$proto://$ip/$site/check_mk/version.py" 2>/dev/null); then
+            v=$(grep -oE "$re_version" <<<"$out" | head -n1)
+            [[ -n "$v" ]] && { printf '%s' "$v"; return 0; }
+        fi
+
+        # 2) Tentative via login.py (page de connexion)
+        if out=$(curl -fsS --max-time 3 "$proto://$ip/$site/check_mk/login.py" 2>/dev/null); then
+            v=$(grep -oE "$re_version" <<<"$out" | grep -vE '2\.[0-9]{1,3}\.[0-9]{2,3}' | head -n1)
+            [[ -n "$v" ]] && { printf '%s' "$v"; return 0; }
+        fi
+
+        # 3) En-têtes HTTP éventuels
+        header=$(curl -fsSI --max-time 3 "$proto://$ip/$site/" 2>/dev/null || true)
+        if [[ -n "$header" ]]; then
+            v=$(grep -oiE "$re_version" <<<"$header" | head -n1)
+            [[ -n "$v" ]] && { printf '%s' "$v"; return 0; }
+        fi
+
+        # 4) Fallback : page d'accueil, mais filtrer les faux positifs du JS
+        out=$(curl -fsS --max-time 5 "$proto://$ip/$site/" 2>/dev/null || true)
+        if [[ -n "$out" ]]; then
+            # Filtre plus strict : commence par 1.x ou 2.x et max 2 chiffres après le point
+            v=$(grep -oE "$re_version" <<<"$out" \
+                | grep -E '^2\.[0-9]+(\.[0-9]+)?p?[0-9]*$' \
+                | grep -vE '\.[0-9]{3,}' \
+                | head -n1)
+            [[ -n "$v" ]] && { printf '%s' "$v"; return 0; }
+        fi
+    done
+
+    return 1
+}
+
 install_mkagent()
 {
-    wget $MK_URL -O /tmp/check-mk-agent_${MK_VERSION}_all.deb
+    local debfile="/tmp/check-mk-agent_latest_all.deb"
-    pkginst xinetd /tmp/check-mk-agent_${MK_VERSION}_all.deb
+    prnt I "Downloading CheckMK agent from: $MK_URL"
-    rm /tmp/check-mk-agent_${MK_VERSION}_all.deb
 
-    backup_dist /etc/xinetd.d/check_mk
+    # try primary URL
-    install_file cmk/check_mk /etc/xinetd.d/check_mk
+    if ! wget -q "$MK_URL" -O "$debfile"; then
-    tag_file /etc/xinetd.d/check_mk
+        prnt W "Primary download failed. Attempting to detect server version and fallback..."
-    sed -i -e "s/@MK_SERVER_IP@/$MK_SERVER_IP/" /etc/xinetd.d/check_mk
+        local mkver
+        mkver=$(get_checkmk_version_from_server "$MK_SERVER_IP" 2>/dev/null || true)
 
-    mkdir -pv /usr/lib/check_mk_agent/plugins/7200
+        if [[ -n "$mkver" ]]; then
-    install_file cmk/mk_apt /usr/lib/check_mk_agent/plugins/7200/mk_apt
+            prnt I "Detected Check_MK version: $mkver — building fallback URL"
-
+            # replace the literal 'latest' token in MK_URL with the detected version
-    # Cmk > 2.1, configure agent
+            local fallback_url
-    if [[ -e /var/lib/cmk-agent/cmk-agent-ctl.gz ]]; then
+            fallback_url="${MK_URL/latest/$mkver-1}"
-        gunzip /var/lib/cmk-agent/cmk-agent-ctl.gz
+            prnt I "Trying fallback URL: $fallback_url"
-        chmod +x /var/lib/cmk-agent/cmk-agent-ctl
+            if ! wget -q "$fallback_url" -O "$debfile"; then
-        scp -O $MK_SERVER_IP:/etc/check_mk/agentpwd /tmp/mk-pwd
+                prnt E "Fallback download with version $mkver failed."
-	sleep 1 # Some execution of cmk-agent-ctl have failed with file not found without that line
+                die 163
-        /var/lib/cmk-agent/cmk-agent-ctl register --hostname $HOSTNAME \
-            --server $MK_SERVER_IP --site check_mk --user check_mk --password \
-            "$(read /tmp/mk-pwd)"
             fi
+        else
+            prnt E "Unable to detect Check_MK version on $MK_SERVER_IP and primary download failed."
+            die 163
+        fi
+    fi
+
+    # On non-systemd systems, install xinetd before the .deb to avoid postinst failures
+    if ! pidof systemd >/dev/null; then
+        pkginst xinetd
+    fi
+
+    # Install agent package
+    pkginst "$debfile"
+    rm -f "$debfile"
+
+    # Enable service depending on init system
+    if pidof systemd >/dev/null; then
+        systemctl enable --now check-mk-agent.socket
+    else
+        backup_dist /etc/xinetd.d/check-mk-agent
+        install_file cmk/check_mk /etc/xinetd.d/check-mk-agent
+        tag_file /etc/xinetd.d/check-mk-agent
+        sed -i -e "s/@MK_SERVER_IP@/$MK_SERVER_IP/" /etc/xinetd.d/check-mk-agent
         svc_restart xinetd
+    fi
+
+    # Debian plugin
+    if [[ $PKG_MAN == "apt-get" ]]; then
+        mkdir -pv /usr/lib/check_mk_agent/plugins/3600
+        install_file cmk/mk_apt /usr/lib/check_mk_agent/plugins/3600/mk_apt
+    fi
+
+    # Registration (if secret provided)
+    if [[ -n $MK_SECRET ]]; then
+        local secret
+        prnt I "Fetching secret $MK_SECRET..."
+        secret=$(fetch_secret "$MK_SECRET")
+        if [[ -e /var/lib/cmk-agent/cmk-agent-ctl.gz ]]; then
+            gunzip -v -f  /var/lib/cmk-agent/cmk-agent-ctl.gz
+            chmod -v +x /var/lib/cmk-agent/cmk-agent-ctl
+        fi
+        if [[ -x /var/lib/cmk-agent/cmk-agent-ctl ]]; then
+            /var/lib/cmk-agent/cmk-agent-ctl register \
+                --hostname "$HOSTNAME" \
+                --server "$MK_SERVER_IP" \
+                --site "$MK_SITE" \
+                --user "$MK_USER" \
+                --password "$secret"
+        else
+            prnt W "Agent control tool not found; skipping registration."
+        fi
+        unset secret
+    else
+        prnt W "No secret configured, agent cannot be registered."
+    fi
 }
 
 precheck_install_mkagent()
 {
-    if [[ -z $MK_VERSION ]]; then
+    if [[ -z $MK_SITE ]]; then
-	prnt E "Undeclared check_mk version of the agent to install."
+        prnt E "Undeclared check_mk site to use."
         die 162
     fi
     if [[ -z $MK_URL ]]; then
@@ -56,7 +157,16 @@ precheck_install_mkagent()
         prnt E "Undeclared check_mk server."
         die 162
     fi
+    if [[ $PKG_MAN == "apt-get" ]]; then
         file_must_exists cmk/check_mk cmk/mk_apt
+    fi
+    if [[ -z $MK_SECRET ]]; then
+        prnt W "No secret set for CheckMK, registration won't be possible."
+        if [[ -z $MK_USER ]]; then
+            prnt E "A CheckMK user is required to register."
+            die 162
+        fi
+    fi
 }
 
 export -f install_mkagent

modules/upgrade_dist.sh

@@ -13,14 +13,19 @@
 #   * PROXY_APT_PORT: Working port for APT proxy if one declared
 #   * PROXY_SRV: General purpose proxy if PROXY_APT is undefined
 #   * PROXY_SRV_PORT: Working port for general purpose proxy if one declared
+# TODO: Split apt conf and actuel update to avoid repeating configuration if
+#       for a reason apt fail
+# TODO: This is Debian only, make this universal (at least yum/dnf compatible)
 # ------------------------------------------------------------------------------
 
-export VER_upgrade_dist="0.2.4"
+export VER_upgrade_dist="0.3.0"
 
 # As aptitude might fail if clock is too far from real time, we need to depend
 # on ntp
 export DEP_upgrade_dist="conf_ntp"
 
+export SOURCE_EXT="${SOURCE_EXT:-list}"
+
 upgrade_dist()
 {
     local proxyfile=/etc/apt/apt.conf.d/00proxy
@@ -29,6 +34,8 @@ upgrade_dist()
     # We backup entire apt dir
     backup_dist /etc/apt
     prnt I "Basic apt configuration..."
+
+    # TODO: No recommend section should be optionnal
     tag_file $norecommends
     {
         echo 'APT::Install-Recommends "false";'
@@ -39,16 +46,16 @@ upgrade_dist()
     prnt I "Configuring proxy for APT..."
     if [[ -n $PROXY_APT ]]; then
         if [[ ! -d $(dirname $proxyfile) ]]; then
-	    mkdir -pv $(dirname $proxyfile) || (
+            mkdir -pv "$(dirname $proxyfile)" || (
                 prnt E "Impossible to create directory to receive APT configuration."
                 die 60
             )
         else
             # Cleanup
             if [[ -s $proxyfile ]]; then
-                emptyflie $proxyfile
+                true > "$proxyfile"
             fi
-            if [[ $(grep "^Acquire::http::Proxy" /etc/apt/apt.conf) ]]; then
+            if grep -q "^Acquire::http::Proxy" /etc/apt/apt.conf; then
                 sed -i -e "/^Acquire::http::Proxy/d" /etc/apt/apt.conf
             fi
         fi
@@ -62,7 +69,12 @@ upgrade_dist()
     fi
 
     # Remplace source.list from dist with ours (be smarter)
-    install_file "pkgman/${SYS_DIST}_${SYS_VER}.list" /etc/apt/sources.list
+    if [[ NO_MAIN_SOURCE == true ]]; then
+        install_file "pkgman/${SYS_DIST}_${SYS_VER}.list" "/etc/apt/sources.list.d/debian.${SOURCE_EXT}"
+    else
+	# We don't use SOURCE_EXT
+        install_file "pkgman/${SYS_DIST}_${SYS_VER}.list" "/etc/apt/sources.list"
+    fi
 
     prnt I "Updating package list..."
     pkgupdt
@@ -91,6 +103,10 @@ precheck_upgrade_dist()
         die 160
     fi
     file_must_exists pkgman/${SYS_DIST}_${SYS_VER}.list
+    if [[ -z $NO_MAIN_SOURCE ]]; then
+        prnt E "A required variable to configure apt is not defined."
+        die 160
+    fi
 }
 
 cron_upgrade_dist()

repo/common/pkgman/devuan_5.list

@@ -6,4 +6,4 @@ deb http://fr.deb.devuan.org/merged daedalus-updates main contrib non-free non-f
 deb-src http://fr.deb.devuan.org/merged daedalus-updates main contrib non-free non-free-firmware
 
 deb http://fr.deb.devuan.org/merged daedalus-security main contrib non-free non-free-firmware
-deb-src http://fr.deb.devuan.org/merged daedalus-securtity main contrib non-free non-free-firmware
+deb-src http://fr.deb.devuan.org/merged daedalus-security main contrib non-free non-free-firmware

repo/common/pkgman/devuan_6.list

@@ -0,0 +1,10 @@
+deb http://fr.deb.devuan.org/merged excalibur main non-free-firmware contrib
+deb-src http://fr.deb.devuan.org/merged excalibur main non-free-firmware contrib
+
+deb http://fr.deb.devuan.org/merged excalibur-security main non-free-firmware contrib
+deb-src http://fr.deb.devuan.org/merged excalibur-security main non-free-firmware contrib
+
+# excalibur-updates, to get updates before a point release is made;
+# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
+deb http://fr.deb.devuan.org/merged excalibur-updates main non-free-firmware contrib
+deb-src http://fr.deb.devuan.org/merged excalibur-updates main non-free-firmware contrib

repo/hosts/cagua/ntp.conf

@@ -1,22 +1,27 @@
-*# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
 
+# State files
 driftfile /var/lib/ntp/ntp.drift
+leapfile /usr/share/zoneinfo/leap-seconds.list
 
-# Enable this if you want statistics to be logged.
+# Statistics
-#statsdir /var/log/ntpstats/
 
-statistics loopstats peerstats clockstats
+statistics loopstats peerstats clockstats sysstats
 filegen loopstats file loopstats type day enable
 filegen peerstats file peerstats type day enable
 filegen clockstats file clockstats type day enable
+filegen sysstats file sysstats type day enable
 
+# Interfaces to listen on:
+interface listen 192.168.1.0/24
+interface listen 10.250.42.0/24
+interface listen 10.42.250.0/16
+interface ignore wildcard
 
-# You do need to talk to an NTP server or two (or three).
+# NTP sources
-#server ntp.your-provider.example
+# Our other NTP server, to have consistant REFID
+server didicas prefer                   iburst
 
-# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
-# pick a different set every time it starts up.  Please consider joining the
-# pool: <http://www.pool.ntp.org/join.html>
 server ntp.laas.fr                      iburst
 server ntp.sophia.cnrs.fr               iburst
 server ntp2.emn.fr                      iburst
@@ -33,32 +38,11 @@ server time.resolvlab.com		iburst
 # details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
 # might also be helpful.
 #
-# Note that "restrict" applies to both servers and clients, so a configuration
+restrict default limited nomodify notrap nopeer noquery
-# that might be intended to block requests from certain clients could also end
-# up blocking replies from your own upstream servers.
-
-# By default, exchange time with everybody, but don't allow configuration.
-restrict -4 default kod notrap nomodify nopeer noquery limited
-restrict -6 default kod notrap nomodify nopeer noquery limited
-
-# Local users may interrogate the ntp server more closely.
-restrict 192.168.1.0/24
-restrict 127.0.0.1
-restrict ::1
-
-# Needed for adding pool entries
 restrict source notrap nomodify noquery
 
-# Clients from this (example!) subnet have unlimited access, but only if
+restrict 192.168.1.0/24
-# cryptographically authenticated.
+restrict 10.250.42.0/24
-restrict 192.168.0.0 mask 255.255.0.0 trust
+restrict 10.42.250.0/16
-
+restrict 127.0.0.1
-
+restrict ::1
-# If you want to provide time to your local subnet, change the next line.
-# (Again, the address is an example only.)
-broadcast 192.168.1.255
-
-# If you want to listen to time broadcasts on your local subnet, de-comment the
-# next lines.  Please do this only if you trust everybody on the network!
-#disable auth
-#broadcastclient

repo/hosts/didicas/ntp.conf

@@ -1,22 +1,27 @@
-*# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
 
+# State files
 driftfile /var/lib/ntp/ntp.drift
+leapfile /usr/share/zoneinfo/leap-seconds.list
 
-# Enable this if you want statistics to be logged.
+# Statistics
-#statsdir /var/log/ntpstats/
 
-statistics loopstats peerstats clockstats
+statistics loopstats peerstats clockstats sysstats
 filegen loopstats file loopstats type day enable
 filegen peerstats file peerstats type day enable
 filegen clockstats file clockstats type day enable
+filegen sysstats file sysstats type day enable
 
+# Interfaces to listen on:
+interface listen 192.168.1.0/24
+interface listen 10.250.42.0/24
+interface listen 10.42.250.0/16
+interface ignore wildcard
 
-# You do need to talk to an NTP server or two (or three).
+# NTP sources
-#server ntp.your-provider.example
+# Our other NTP server, to have consistant REFID
+server cagua prefer                     iburst
 
-# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
-# pick a different set every time it starts up.  Please consider joining the
-# pool: <http://www.pool.ntp.org/join.html>
 server ntp.laas.fr                      iburst
 server ntp.sophia.cnrs.fr               iburst
 server ntp2.emn.fr                      iburst
@@ -33,32 +38,11 @@ server time.resolvlab.com		iburst
 # details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
 # might also be helpful.
 #
-# Note that "restrict" applies to both servers and clients, so a configuration
+restrict default limited nomodify notrap nopeer noquery
-# that might be intended to block requests from certain clients could also end
-# up blocking replies from your own upstream servers.
-
-# By default, exchange time with everybody, but don't allow configuration.
-restrict -4 default kod notrap nomodify nopeer noquery limited
-restrict -6 default kod notrap nomodify nopeer noquery limited
-
-# Local users may interrogate the ntp server more closely.
-restrict 192.168.1.0/24
-restrict 127.0.0.1
-restrict ::1
-
-# Needed for adding pool entries
 restrict source notrap nomodify noquery
 
-# Clients from this (example!) subnet have unlimited access, but only if
+restrict 192.168.1.0/24
-# cryptographically authenticated.
+restrict 10.250.42.0/24
-restrict 192.168.0.0 mask 255.255.0.0 trust
+restrict 10.42.250.0/16
-
+restrict 127.0.0.1
-
+restrict ::1
-# If you want to provide time to your local subnet, change the next line.
-# (Again, the address is an example only.)
-broadcast 192.168.1.255
-
-# If you want to listen to time broadcasts on your local subnet, de-comment the
-# next lines.  Please do this only if you trust everybody on the network!
-#disable auth
-#broadcastclient