Release prep tweaks and version bump 0.1.4

Aaron
2026-01-03 12:29:55 -05:00
parent d07fab99a6
commit ed162d3c1d
4 changed files with 71 additions and 14 deletions


@@ -8,8 +8,10 @@ This documents the *current* workflow and the *target* workflow once profiles +
- Nginx + PiKit dashboard - Nginx + PiKit dashboard
- DietPi dashboard - DietPi dashboard
3) Update the system if needed. 3) Update the system if needed.
4) Run the prep scrub + verify: 4) Run the prep scrub + verify (prep now prompts to shut down):
- `sudo ./pikit-prep.sh` - `sudo ./pikit-prep.sh`
- (optional) `sudo ./pikit-prep.sh --no-shutdown`
- (optional) `sudo ./pikit-prep.sh --shutdown-now`
- `./pikit-smoke-test.sh` - `./pikit-smoke-test.sh`
- (optional) `sudo ./pikit-prep.sh --check-only` - (optional) `sudo ./pikit-prep.sh --check-only`
5) Image the SD card with DietPi Imager. 5) Image the SD card with DietPi Imager.
@@ -25,8 +27,10 @@ This documents the *current* workflow and the *target* workflow once profiles +
4) Add dashboard services using the UI (Add Service modal). 4) Add dashboard services using the UI (Add Service modal).
5) Open any needed ports in ufw (done as part of testing/config): 5) Open any needed ports in ufw (done as part of testing/config):
- `sudo ufw allow from <LAN subnet> to any port <port>` - `sudo ufw allow from <LAN subnet> to any port <port>`
6) Run the prep scrub + verify: 6) Run the prep scrub + verify (prep now prompts to shut down):
- `sudo ./pikit-prep.sh` - `sudo ./pikit-prep.sh`
- (optional) `sudo ./pikit-prep.sh --no-shutdown`
- (optional) `sudo ./pikit-prep.sh --shutdown-now`
- `./pikit-smoke-test.sh` - `./pikit-smoke-test.sh`
- (optional) `sudo ./pikit-prep.sh --check-only` - (optional) `sudo ./pikit-prep.sh --check-only`
7) Image the SD card via the QEMU DietPi VM: 7) Image the SD card via the QEMU DietPi VM:
@@ -54,8 +58,10 @@ This documents the *current* workflow and the *target* workflow once profiles +
- Merges services into `/etc/pikit/services.json` (idempotent). - Merges services into `/etc/pikit/services.json` (idempotent).
5) Run the drift check (planned script): 5) Run the drift check (planned script):
- Confirms services + ports match the profile + base. - Confirms services + ports match the profile + base.
6) Run the prep scrub + verify: 6) Run the prep scrub + verify (prep now prompts to shut down):
- `sudo ./pikit-prep.sh` - `sudo ./pikit-prep.sh`
- (optional) `sudo ./pikit-prep.sh --no-shutdown`
- (optional) `sudo ./pikit-prep.sh --shutdown-now`
- `./pikit-smoke-test.sh` - `./pikit-smoke-test.sh`
- (optional) `sudo ./pikit-prep.sh --check-only` - (optional) `sudo ./pikit-prep.sh --check-only`
7) Image the SD card with DietPi Imager. 7) Image the SD card with DietPi Imager.
@@ -84,8 +90,10 @@ Use the helper:
- dashboard loads - dashboard loads
- firstboot completes - firstboot completes
4) Apply any required profile/services. 4) Apply any required profile/services.
5) Run prep + verify: 5) Run prep + verify (prep now prompts to shut down):
- `sudo ./pikit-prep.sh` - `sudo ./pikit-prep.sh`
- (optional) `sudo ./pikit-prep.sh --no-shutdown`
- (optional) `sudo ./pikit-prep.sh --shutdown-now`
- `./pikit-smoke-test.sh` - `./pikit-smoke-test.sh`
6) Power down cleanly. 6) Power down cleanly.
7) Image the SD card (DietPi Imager via QEMU or ondevice). 7) Image the SD card (DietPi Imager via QEMU or ondevice).


@@ -14,9 +14,12 @@ PIKIT_SSH_OPTS="${PIKIT_SSH_OPTS:-}"
PIKIT_REMOTE_TMP="${PIKIT_REMOTE_TMP:-/tmp/pikit-prep.sh}" PIKIT_REMOTE_TMP="${PIKIT_REMOTE_TMP:-/tmp/pikit-prep.sh}"
PIKIT_SELF_DELETE="${PIKIT_SELF_DELETE:-0}" PIKIT_SELF_DELETE="${PIKIT_SELF_DELETE:-0}"
PIKIT_FORCE_PASSWORD_CHANGE="${PIKIT_FORCE_PASSWORD_CHANGE:-1}" PIKIT_FORCE_PASSWORD_CHANGE="${PIKIT_FORCE_PASSWORD_CHANGE:-1}"
PIKIT_SHUTDOWN_AFTER_PREP="${PIKIT_SHUTDOWN_AFTER_PREP:-1}"
PIKIT_SHUTDOWN_PROMPT="${PIKIT_SHUTDOWN_PROMPT:-1}"
MODE="both" MODE="both"
LOCAL_ONLY=0 LOCAL_ONLY=0
DID_PREP=0
ERRORS=0 ERRORS=0
WARNINGS=0 WARNINGS=0
@@ -32,10 +35,14 @@ Options:
--prep-only Run prep only (no check) --prep-only Run prep only (no check)
--check-only Run checks only (no prep) --check-only Run checks only (no prep)
--local Force local execution (no SSH copy) --local Force local execution (no SSH copy)
--shutdown-now Shutdown after prep completes without prompting
--no-shutdown Skip shutdown prompt after prep
--help Show this help --help Show this help
Env: Env:
PIKIT_FORCE_PASSWORD_CHANGE=0 Skip forcing a password change (default is on) PIKIT_FORCE_PASSWORD_CHANGE=0 Skip forcing a password change (default is on)
PIKIT_SHUTDOWN_AFTER_PREP=0 Skip shutdown prompt after prep (default on)
PIKIT_SHUTDOWN_PROMPT=0 Skip shutdown prompt (default on)
USAGE USAGE
} }
@@ -70,6 +77,8 @@ parse_args() {
--prep-only) MODE="prep" ;; --prep-only) MODE="prep" ;;
--check-only) MODE="check" ;; --check-only) MODE="check" ;;
--local) LOCAL_ONLY=1 ;; --local) LOCAL_ONLY=1 ;;
--shutdown-now) PIKIT_SHUTDOWN_AFTER_PREP=1; PIKIT_SHUTDOWN_PROMPT=0 ;;
--no-shutdown) PIKIT_SHUTDOWN_AFTER_PREP=0 ;;
--help|-h) usage; exit 0 ;; --help|-h) usage; exit 0 ;;
*) *)
echo "[FAIL] Unknown argument: $arg" >&2 echo "[FAIL] Unknown argument: $arg" >&2
@@ -86,12 +95,16 @@ run_remote() {
[ "$arg" = "--local" ] && continue [ "$arg" = "--local" ] && continue
forward+=("$arg") forward+=("$arg")
done done
local ssh_tty=()
if [ "$PIKIT_SHUTDOWN_AFTER_PREP" -eq 1 ] && [ "$PIKIT_SHUTDOWN_PROMPT" -eq 1 ] && [ -t 0 ]; then
ssh_tty=(-t)
fi
if ! command -v scp >/dev/null 2>&1 || ! command -v ssh >/dev/null 2>&1; then if ! command -v scp >/dev/null 2>&1 || ! command -v ssh >/dev/null 2>&1; then
echo "[FAIL] ssh/scp not available for remote prep" >&2 echo "[FAIL] ssh/scp not available for remote prep" >&2
exit 1 exit 1
fi fi
scp -i "$PIKIT_SSH_KEY" $PIKIT_SSH_OPTS "$SCRIPT_PATH" "${PIKIT_USER}@${PIKIT_HOST}:${PIKIT_REMOTE_TMP}" scp -i "$PIKIT_SSH_KEY" $PIKIT_SSH_OPTS "$SCRIPT_PATH" "${PIKIT_USER}@${PIKIT_HOST}:${PIKIT_REMOTE_TMP}"
ssh -i "$PIKIT_SSH_KEY" $PIKIT_SSH_OPTS "${PIKIT_USER}@${PIKIT_HOST}" \ ssh "${ssh_tty[@]}" -i "$PIKIT_SSH_KEY" $PIKIT_SSH_OPTS "${PIKIT_USER}@${PIKIT_HOST}" \
"sudo PIKIT_SELF_DELETE=1 bash ${PIKIT_REMOTE_TMP} --local ${forward[*]}; rc=\$?; rm -f ${PIKIT_REMOTE_TMP}; exit \$rc" "sudo PIKIT_SELF_DELETE=1 bash ${PIKIT_REMOTE_TMP} --local ${forward[*]}; rc=\$?; rm -f ${PIKIT_REMOTE_TMP}; exit \$rc"
exit $? exit $?
} }
@@ -607,6 +620,33 @@ finalize() {
echo "[OK] Prep/check completed." echo "[OK] Prep/check completed."
} }
maybe_shutdown() {
if [ "$PIKIT_SHUTDOWN_AFTER_PREP" -ne 1 ] || [ "$DID_PREP" -ne 1 ]; then
return
fi
local do_shutdown=1
if [ "$PIKIT_SHUTDOWN_PROMPT" -eq 1 ]; then
if [ -t 0 ]; then
local reply=""
printf '\nShutdown now? [y/N] '
read -r reply || reply=""
case "${reply,,}" in
y|yes) do_shutdown=1 ;;
*) do_shutdown=0 ;;
esac
else
status WARN "no TTY; skipping shutdown (use --shutdown-now to force)"
do_shutdown=0
fi
fi
if [ "$do_shutdown" -eq 1 ]; then
status OK "Shutting down"
shutdown -f now || status FAIL "shutdown"
else
status OK "Shutdown skipped"
fi
}
maybe_self_delete() { maybe_self_delete() {
if [ "$PIKIT_SELF_DELETE" -eq 1 ] && [[ "$SCRIPT_PATH" == /tmp/* ]]; then if [ "$PIKIT_SELF_DELETE" -eq 1 ] && [[ "$SCRIPT_PATH" == /tmp/* ]]; then
rm -f "$SCRIPT_PATH" || true rm -f "$SCRIPT_PATH" || true
@@ -623,15 +663,17 @@ main() {
require_root require_root
case "$MODE" in case "$MODE" in
prep) prep_image ;; prep) prep_image; DID_PREP=1 ;;
check) check_image ;; check) check_image ;;
both) both)
prep_image prep_image
DID_PREP=1
check_image check_image
;; ;;
esac esac
finalize finalize
maybe_shutdown
maybe_self_delete maybe_self_delete
} }
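Review bot: `maybe_shutdown` runs before `maybe_self_delete` at the end of `main`, so once `shutdown -f now` has been issued the script's own cleanup races against the machine going down. The same applies to the remote wrapper in `run_remote`, whose `rm -f ${PIKIT_REMOTE_TMP}` and `exit $rc` only run after the remote script returns. On a device that is about to be imaged, this can leave the prep script behind in `/tmp` and hand the caller an SSH exit status that reflects the dropped session rather than the prep result. Swapping the two calls so the tail of `main` reads `finalize`, `maybe_self_delete`, `maybe_shutdown` makes the cleanup deterministic. `main` starts outside this hunk, so its earlier steps were not reviewed.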


@@ -1,3 +1,3 @@
{ {
"version": "0.1.3" "version": "0.1.4"
} }


@@ -3,17 +3,24 @@
# Prints a one-time SSH hardening tip after the forced password change. # Prints a one-time SSH hardening tip after the forced password change.
FLAG="/var/lib/pikit/first-login.notice" FLAG="/var/lib/pikit/first-login.notice"
DONE_FILE=".pikit-first-login.done"
case "$-" in case "$-" in
*i*) interactive=1 ;; *i*) interactive=1 ;;
*) interactive=0 ;; *) interactive=0 ;;
esac esac
if [ "$interactive" -eq 1 ] && [ -f "$FLAG" ]; then USER_NAME="$(id -un 2>/dev/null || echo "")"
echo "" DONE_PATH="${HOME:-}/$DONE_FILE"
echo "Pi-Kit: For better security, set up an SSH key and disable password auth once working."
echo " Example: ssh-keygen -t ed25519" if [ "$interactive" -eq 1 ] && [ -f "$FLAG" ] && [ "$USER_NAME" = "dietpi" ]; then
echo " ssh-copy-id dietpi@pikit.local" if [ -n "${HOME:-}" ] && [ -d "${HOME:-}" ] && [ ! -f "$DONE_PATH" ]; then
echo "" echo ""
rm -f "$FLAG" 2>/dev/null || true echo "Pi-Kit: For better security, set up an SSH key and disable password auth once working."
echo " Run these from your computer (not the Pi):"
echo " ssh-keygen -t ed25519"
echo " ssh-copy-id dietpi@pikit.local"
echo ""
:> "$DONE_PATH" 2>/dev/null || true
fi
fi fi
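Review bot: The marker write `:> "$DONE_PATH" 2>/dev/null || true` does not silence a failed open, because redirections are applied left to right and the shell reports the failure on `$DONE_PATH` before `2>/dev/null` takes effect. The guard checks only that `$HOME` is a directory, not that it is writable, so a read-only or full home would print a shell error on every interactive login and repeat the tip each time. Grouping the write fixes the ordering: `{ : > "$DONE_PATH"; } 2>/dev/null || true`. If this file is sourced from the login profile (the `case "$-"` test suggests so), `USER_NAME`, `DONE_PATH` and `DONE_FILE` also stay set in the user's shell, so consider adding `unset USER_NAME DONE_PATH DONE_FILE` at the end.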