44r0n7/pi-kit
1
0
Fork 0
Code Issues 8 Pull Requests Actions Packages Projects Releases 12 Wiki Activity

Allow forcing password change after prep

Browse Source
This commit is contained in:
Aaron
2026-01-02 23:23:21 -05:00
parent 36d30da30a
commit 4632704092
2 changed files with 13 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
docs/workflow.md
View File

@@ -9,7 +9,7 @@ This documents the *current* workflow and the *target* workflow once profiles +
- DietPi dashboard - DietPi dashboard
3) Update the system if needed. 3) Update the system if needed.
4) Run the prep scrub + verify: 4) Run the prep scrub + verify:
- `sudo ./pikit-prep.sh` - `sudo PIKIT_FORCE_PASSWORD_CHANGE=1 ./pikit-prep.sh` (recommended)
- (optional) `sudo ./pikit-prep.sh --check-only` - (optional) `sudo ./pikit-prep.sh --check-only`
5) Image the SD card with DietPi Imager. 5) Image the SD card with DietPi Imager.
6) Store it as the golden base (e.g., `images/base/pikit-base-YYYYMMDD.img.xz`). 6) Store it as the golden base (e.g., `images/base/pikit-base-YYYYMMDD.img.xz`).
@@ -25,7 +25,7 @@ This documents the *current* workflow and the *target* workflow once profiles +
5) Open any needed ports in ufw (done as part of testing/config): 5) Open any needed ports in ufw (done as part of testing/config):
- `sudo ufw allow from <LAN subnet> to any port <port>` - `sudo ufw allow from <LAN subnet> to any port <port>`
6) Run the prep scrub + verify: 6) Run the prep scrub + verify:
- `sudo ./pikit-prep.sh` - `sudo PIKIT_FORCE_PASSWORD_CHANGE=1 ./pikit-prep.sh` (recommended)
- (optional) `sudo ./pikit-prep.sh --check-only` - (optional) `sudo ./pikit-prep.sh --check-only`
7) Image the SD card via the QEMU DietPi VM: 7) Image the SD card via the QEMU DietPi VM:
- Insert the SD card into your desktop. - Insert the SD card into your desktop.
@@ -53,7 +53,7 @@ This documents the *current* workflow and the *target* workflow once profiles +
5) Run the drift check (planned script): 5) Run the drift check (planned script):
- Confirms services + ports match the profile + base. - Confirms services + ports match the profile + base.
6) Run the prep scrub + verify: 6) Run the prep scrub + verify:
- `sudo ./pikit-prep.sh` - `sudo PIKIT_FORCE_PASSWORD_CHANGE=1 ./pikit-prep.sh` (recommended)
- (optional) `sudo ./pikit-prep.sh --check-only` - (optional) `sudo ./pikit-prep.sh --check-only`
7) Image the SD card with DietPi Imager. 7) Image the SD card with DietPi Imager.

10
pikit-prep.sh
View File

@@ -13,6 +13,7 @@ PIKIT_SSH_KEY="${PIKIT_SSH_KEY:-$HOME/.ssh/pikit}"
PIKIT_SSH_OPTS="${PIKIT_SSH_OPTS:-}" PIKIT_SSH_OPTS="${PIKIT_SSH_OPTS:-}"
PIKIT_REMOTE_TMP="${PIKIT_REMOTE_TMP:-/tmp/pikit-prep.sh}" PIKIT_REMOTE_TMP="${PIKIT_REMOTE_TMP:-/tmp/pikit-prep.sh}"
PIKIT_SELF_DELETE="${PIKIT_SELF_DELETE:-0}" PIKIT_SELF_DELETE="${PIKIT_SELF_DELETE:-0}"
PIKIT_FORCE_PASSWORD_CHANGE="${PIKIT_FORCE_PASSWORD_CHANGE:-0}"
MODE="both" MODE="both"
LOCAL_ONLY=0 LOCAL_ONLY=0
@@ -32,6 +33,9 @@ Options:
--check-only Run checks only (no prep) --check-only Run checks only (no prep)
--local Force local execution (no SSH copy) --local Force local execution (no SSH copy)
--help Show this help --help Show this help
Env:
PIKIT_FORCE_PASSWORD_CHANGE=1 Force dietpi to change password on next login
USAGE USAGE
} }
@@ -206,6 +210,12 @@ prep_image() {
# --- Default login --- # --- Default login ---
if id -u dietpi >/dev/null 2>&1; then if id -u dietpi >/dev/null 2>&1; then
echo "dietpi:pikit" | chpasswd && status CLEANED "reset dietpi password" || status FAIL "reset dietpi password" echo "dietpi:pikit" | chpasswd && status CLEANED "reset dietpi password" || status FAIL "reset dietpi password"
case "${PIKIT_FORCE_PASSWORD_CHANGE,,}" in
1|true|yes|on)
chage -d 0 dietpi && status CLEANED "force dietpi password change on next login" || status FAIL "force dietpi password change"
;;
*) ;;
esac
else else
status SKIP "dietpi user missing" status SKIP "dietpi user missing"
fi fi