44r0n7/pi-kit
1
0
Fork 0
Code Issues 8 Pull Requests Actions Packages Projects Releases 12 Wiki Activity

Compare commits

base: 44r0n7:v0.1.4
Branches Tags
44r0n7:main
44r0n7:v0.1.4 44r0n7:v0.1.3 44r0n7:v0.1.3-dev6 44r0n7:v0.1.3-dev5 44r0n7:v0.1.3-dev4 44r0n7:v0.1.3-dev3 44r0n7:v0.1.3-dev2 44r0n7:v0.1.3-dev1 44r0n7:v0.1.2 44r0n7:v0.1.0-dev15 44r0n7:v0.1.0 44r0n7:v0.1.0-dev14 44r0n7:v0.1.0-dev13 44r0n7:v0.1.0-dev12 44r0n7:v0.1.0-dev11 44r0n7:v0.1.1 44r0n7:v0.1.0-dev10 44r0n7:v0.1.0-dev9 44r0n7:v0.1.0-dev8 44r0n7:v0.1.0-dev7 44r0n7:v0.1.0-dev6 44r0n7:v0.1.0-dev5 44r0n7:v0.1.0-dev4 44r0n7:v0.1.0-dev3 44r0n7:v0.1.0-dev2 44r0n7:v0.1.0-dev1
..
compare: 44r0n7:main
Branches Tags
44r0n7:main
44r0n7:v0.1.4 44r0n7:v0.1.3 44r0n7:v0.1.3-dev6 44r0n7:v0.1.3-dev5 44r0n7:v0.1.3-dev4 44r0n7:v0.1.3-dev3 44r0n7:v0.1.3-dev2 44r0n7:v0.1.3-dev1 44r0n7:v0.1.2 44r0n7:v0.1.0-dev15 44r0n7:v0.1.0 44r0n7:v0.1.0-dev14 44r0n7:v0.1.0-dev13 44r0n7:v0.1.0-dev12 44r0n7:v0.1.0-dev11 44r0n7:v0.1.1 44r0n7:v0.1.0-dev10 44r0n7:v0.1.0-dev9 44r0n7:v0.1.0-dev8 44r0n7:v0.1.0-dev7 44r0n7:v0.1.0-dev6 44r0n7:v0.1.0-dev5 44r0n7:v0.1.0-dev4 44r0n7:v0.1.0-dev3 44r0n7:v0.1.0-dev2 44r0n7:v0.1.0-dev1

5 Commits
v0.1.4 ... main

Author SHA1 Message Date
Aaron
5b0cc80d0a Fix firstboot tls bundle script and prep checks 2026-01-03 17:51:11 -05:00
Aaron
452b787c30 Clean additional Pi-hole artifacts in prep 2026-01-03 17:26:29 -05:00
Aaron
808934cbec Improve prep and smoke test tooling 2026-01-03 17:20:18 -05:00
Aaron
1ddffee077 Add dns-stack profile and stable IP prompt 2026-01-03 17:17:27 -05:00
Aaron
a67b1a55d4 Update stable manifest for v0.1.4 2026-01-03 12:34:30 -05:00
9 changed files with 715 additions and 41 deletions
Expand all files Collapse all files

10
manifests/manifest-stable.json
View File

@@ -1,9 +1,9 @@
{
"version": "0.1.3",
"_release_date": "2026-01-03T05:16:09Z",
"bundle": "https://git.44r0n.cc/44r0n7/pi-kit/releases/download/v0.1.3/pikit-0.1.3.tar.gz",
"changelog": "https://git.44r0n.cc/44r0n7/pi-kit/releases/download/v0.1.3/CHANGELOG-0.1.3.txt",
"version": "0.1.4",
"_release_date": "2026-01-03T17:34:02Z",
"bundle": "https://git.44r0n.cc/44r0n7/pi-kit/releases/download/v0.1.4/pikit-0.1.4.tar.gz",
"changelog": "https://git.44r0n.cc/44r0n7/pi-kit/releases/download/v0.1.4/CHANGELOG-0.1.4.txt",
"files": [
{ "path": "bundle.tar.gz", "sha256": "a31db945f08a8cdb0906a913b3b5507cc50225e9ce6b23bef525951d23335865" }
{ "path": "bundle.tar.gz", "sha256": "9d4bc4f6eb5eaa83da28065ad664b4893095756e4584c25e7844b8098c5816ea" }
]
}

107
pikit-prep.sh
View File

@@ -23,6 +23,7 @@ DID_PREP=0
ERRORS=0
WARNINGS=0
STOPPED_PIHOLE_FTL=0
usage() {
cat <<'USAGE'
@@ -197,6 +198,40 @@ clean_home_dir() {
fi
}
reset_iface_to_dhcp() {
local iface="$1"
local file="/etc/network/interfaces"
if [ ! -f "$file" ]; then
status SKIP "network config missing: $file"
return
fi
if ! grep -Eq "^[[:space:]]*iface[[:space:]]+$iface[[:space:]]+inet" "$file"; then
status SKIP "no iface config for $iface"
return
fi
local tmp
tmp="$(mktemp)"
awk -v target="$iface" '
BEGIN{in_iface=0}
/^[[:space:]]*iface[[:space:]]+/ {
split($0, parts, /[[:space:]]+/);
if (parts[2]==target) { in_iface=1; print "iface " target " inet dhcp"; next; }
else { in_iface=0; }
}
{
if (in_iface==1) {
if ($1=="address"||$1=="netmask"||$1=="gateway"||$1=="dns-nameservers") next;
}
print;
}' "$file" > "$tmp"
if mv "$tmp" "$file"; then
status CLEANED "forced DHCP for $iface in $file"
else
rm -f "$tmp" || true
status FAIL "update $file for $iface"
fi
}
prep_image() {
section "Prep"
@@ -287,9 +322,22 @@ prep_image() {
fi
if command -v pihole >/dev/null 2>&1; then
pihole -f >/dev/null 2>&1 && status CLEANED "pihole logs via pihole -f" || status FAIL "pihole -f"
if command -v systemctl >/dev/null 2>&1; then
if systemctl stop pihole-FTL >/dev/null 2>&1; then
status CLEANED "stopped pihole-FTL"
STOPPED_PIHOLE_FTL=1
else
status WARN "unable to stop pihole-FTL"
fi
fi
clean_logs_dir /var/log/pihole '*'
clean_file /etc/pihole/pihole-FTL.db
clean_file /etc/pihole/pihole-FTL.db-wal
clean_file /etc/pihole/pihole-FTL.db-shm
clean_file /etc/pihole/dhcp.leases
clean_file /etc/pihole/install.log
clean_file /etc/pihole/gravity_old.db
truncate_file /var/log/pihole-FTL.log
fi
if [ -x /opt/AdGuardHome/AdGuardHome ]; then
@@ -418,6 +466,10 @@ prep_image() {
# --- DHCP leases ---
clean_file /var/lib/dhcp/dhclient.eth0.leases
# --- Network config ---
reset_iface_to_dhcp eth0
reset_iface_to_dhcp wlan0
# --- Nginx caches ---
if [ -d /var/lib/nginx ]; then
find /var/lib/nginx -mindepth 1 -maxdepth 1 -type d -exec rm -rf {} + 2>/dev/null
@@ -486,6 +538,20 @@ check_file_empty_or_missing() {
fi
}
check_iface_dhcp() {
local iface="$1"
local file="/etc/network/interfaces"
if [ ! -f "$file" ]; then
status WARN "network config missing: $file"
return
fi
if grep -Eq "^[[:space:]]*iface[[:space:]]+$iface[[:space:]]+inet[[:space:]]+static" "$file"; then
status WARN "$iface set to static in $file"
else
status OK "$iface not static in $file"
fi
}
check_image() {
section "Check"
@@ -551,12 +617,22 @@ check_image() {
section "Logs"
if [ -d /var/log ]; then
local nonempty
nonempty="$(find /var/log -type f -size +0c 2>/dev/null | wc -l | tr -d ' ')"
if [ "$nonempty" -gt 0 ]; then
status WARN "/var/log has non-empty files: $nonempty"
local nonempty filtered
nonempty="$(find /var/log -type f -size +0c 2>/dev/null)"
filtered="$(printf "%s\n" "$nonempty" | grep -Ev '/(lastlog|faillog|btmp|wtmp)$' || true)"
if [ -n "$filtered" ]; then
local count
count="$(printf "%s\n" "$filtered" | wc -l | tr -d ' ')"
status WARN "/var/log has non-empty files: $count"
printf "%s\n" "$filtered" | head -n 5 | sed 's/^/[WARN] /'
else
status OK "/var/log empty"
if [ -n "$nonempty" ]; then
local count
count="$(printf "%s\n" "$nonempty" | wc -l | tr -d ' ')"
status WARN "/var/log has only login tracking files: $count"
else
status OK "/var/log empty"
fi
fi
else
status WARN "/var/log missing"
@@ -580,6 +656,14 @@ check_image() {
status FAIL "DietPi RAMlog store missing"
fi
section "Pi-hole state"
check_file_missing /etc/pihole/pihole-FTL.db
check_file_missing /etc/pihole/pihole-FTL.db-wal
check_file_missing /etc/pihole/pihole-FTL.db-shm
check_file_missing /etc/pihole/dhcp.leases
check_file_missing /etc/pihole/install.log
check_file_missing /etc/pihole/gravity_old.db
section "Caches"
du -sh /var/cache/apt /var/lib/apt/lists /var/cache/debconf 2>/dev/null || true
@@ -595,6 +679,10 @@ check_image() {
section "DHCP lease"
check_file_missing /var/lib/dhcp/dhclient.eth0.leases
section "Network config"
check_iface_dhcp eth0
check_iface_dhcp wlan0
section "Nginx cache dirs"
if [ -d /var/lib/nginx ]; then
local nginx_cache
@@ -643,6 +731,13 @@ maybe_shutdown() {
status OK "Shutting down"
shutdown -f now || status FAIL "shutdown"
else
if [ "$STOPPED_PIHOLE_FTL" -eq 1 ] && command -v systemctl >/dev/null 2>&1; then
if systemctl start pihole-FTL >/dev/null 2>&1; then
status OK "restarted pihole-FTL (shutdown skipped)"
else
status WARN "failed to restart pihole-FTL after prep"
fi
fi
status OK "Shutdown skipped"
fi
}

241
pikit-smoke-test.sh
View File

@@ -25,6 +25,7 @@ Runs a quick post-prep smoke test:
- API reachable and returns JSON
- firstboot state done
- core services active (nginx, pikit-api, dietpi-dashboard-frontend)
- profile-specific checks (if /etc/pikit/profile.json exists)
Options:
--local Run locally on the Pi (skip SSH)
@@ -77,6 +78,10 @@ remote_cmd() {
fi
}
remote_sudo_cmd() {
remote_cmd "sudo bash -c \"$1\""
}
extract_json_line() {
awk 'BEGIN{found=0} /^[[:space:]]*[{[]/ {print; found=1; exit} END{if(!found) exit 0}'
}
@@ -164,6 +169,7 @@ sys.exit(1)
check_firstboot() {
local url="$1"
local body state error_present
local done_present error_file_present log_present state_present
if ! body="$(remote_cmd "curl -fsS --max-time 5 $url")"; then
status FAIL "firstboot API not reachable"
return
@@ -181,10 +187,26 @@ check_firstboot() {
status FAIL "firstboot status invalid or missing"
return
fi
done_present="$(remote_sudo_cmd "test -f /var/lib/pikit/firstboot/firstboot.done && echo yes || echo no" 2>/dev/null || true)"
error_file_present="$(remote_sudo_cmd "test -f /var/lib/pikit/firstboot/firstboot.error && echo yes || echo no" 2>/dev/null || true)"
log_present="$(remote_sudo_cmd "test -f /var/lib/pikit/firstboot/firstboot.log && echo yes || echo no" 2>/dev/null || true)"
state_present="$(remote_sudo_cmd "test -f /var/lib/pikit/firstboot/state.json && echo yes || echo no" 2>/dev/null || true)"
if [ "$state" = "done" ] && [ "$error_present" != "true" ]; then
status OK "firstboot completed"
return
fi
if [ "$state" = "error" ] || [ "$error_present" = "true" ] || [ "$error_file_present" = "yes" ]; then
status FAIL "firstboot failed (state=$state error=$error_present)"
return
fi
if [ "$done_present" = "yes" ]; then
status FAIL "firstboot state mismatch (done file present but state=$state)"
return
fi
if [ "$log_present" != "yes" ] && [ "$state_present" != "yes" ]; then
status WARN "firstboot not started yet (image prepped?)"
else
status FAIL "firstboot not complete (state=$state error=$error_present)"
status WARN "firstboot in progress (state=$state)"
fi
}
@@ -213,6 +235,188 @@ check_ports() {
fi
}
load_profile() {
local body
body="$(remote_cmd "python3 -c 'import json, pathlib, sys; p=pathlib.Path(\"/etc/pikit/profile.json\"); print(json.dumps(json.loads(p.read_text()))) if p.exists() else sys.exit(0)'" 2>/dev/null || true)"
body="$(printf "%s" "$body" | extract_json_line)"
if [ -n "$body" ]; then
printf "%s" "$body"
return 0
fi
return 1
}
json_get_list() {
local key="$1"
if command -v python3 >/dev/null 2>&1; then
python3 -c 'import json,sys
key=sys.argv[1]
try:
data=json.load(sys.stdin)
except Exception:
sys.exit(1)
val=data.get(key, [])
if not isinstance(val, list):
sys.exit(0)
for item in val:
print(json.dumps(item))
' "$key"
elif command -v jq >/dev/null 2>&1; then
jq -c --arg key "$key" '.[$key] // [] | .[]'
fi
}
check_profile_firewall() {
local firewall_enable="$1"
local ports_csv="$2"
local ufw_out
if [ "$firewall_enable" != "true" ]; then
status OK "profile firewall not required"
return
fi
if ! remote_cmd "test -x /usr/sbin/ufw || test -x /usr/bin/ufw"; then
status FAIL "ufw missing (profile expects firewall enabled)"
return
fi
ufw_out="$(remote_sudo_cmd "timeout 6 /usr/sbin/ufw status 2>/dev/null || /usr/bin/ufw status 2>/dev/null || ufw status 2>/dev/null" 2>/dev/null || true)"
if ! printf "%s" "$ufw_out" | grep -qi "Status: active"; then
status FAIL "ufw not active"
return
fi
status OK "ufw active"
if [ -n "$ports_csv" ]; then
IFS=',' read -r -a ports <<<"$ports_csv"
for port in "${ports[@]}"; do
if printf "%s" "$ufw_out" | grep -Eq "(^|[[:space:]])${port}(/|[[:space:]])"; then
status OK "ufw allows port $port"
else
status WARN "ufw rule missing for port $port"
fi
done
fi
}
check_profile_services() {
local services_json="$1"
local profile_services="$2"
if [ -z "$profile_services" ]; then
status OK "profile services: none"
return
fi
if [ -z "$services_json" ]; then
status FAIL "services.json missing (profile services expected)"
return
fi
if command -v python3 >/dev/null 2>&1; then
local result
result="$(SERVICES_JSON="$services_json" PROFILE_SERVICES="$profile_services" python3 - <<'PY'
import json, os, re
services_text = os.environ.get("SERVICES_JSON", "")
profile_text = os.environ.get("PROFILE_SERVICES", "")
try:
services_data = json.loads(services_text or "[]")
except Exception:
services_data = []
profile_lines = [line for line in profile_text.splitlines() if line.strip()]
services = [s for s in services_data if isinstance(s, dict)]
def norm(x):
return re.sub(r"\s+", " ", str(x or "")).strip().lower()
missing = []
for line in profile_lines:
try:
psvc = json.loads(line)
except Exception:
continue
name = norm(psvc.get("name"))
port = str(psvc.get("port") or "")
path = str(psvc.get("path") or "")
found = False
for svc in services:
sname = norm(svc.get("name"))
sport = str(svc.get("port") or "")
spath = str(svc.get("path") or "")
if name and sname == name:
found = True
if port and sport != port:
print(f"WARN: service {name} port mismatch ({sport} != {port})")
if path and spath != path:
print(f"WARN: service {name} path mismatch ({spath} != {path})")
break
if port and sport == port and path and spath == path:
found = True
break
if not found:
missing.append(name or f"port {port}")
if missing:
print("MISSING:" + ",".join(missing))
PY
)"
if [ -z "$result" ]; then
status OK "profile services registered"
return
fi
if echo "$result" | grep -q "^MISSING:"; then
status FAIL "profile services missing: ${result#MISSING:}"
fi
echo "$result" | grep "^WARN:" | while read -r line; do
status WARN "${line#WARN: }"
done
else
status WARN "python3 missing; profile service checks skipped"
fi
}
check_dns_stack_profile() {
section "Profile: dns-stack"
if remote_cmd "systemctl is-active --quiet pihole-FTL"; then
status OK "pihole-FTL active"
else
status FAIL "pihole-FTL not active"
fi
if remote_cmd "systemctl is-active --quiet unbound"; then
status OK "unbound active"
else
status FAIL "unbound not active"
fi
if remote_cmd "ss -lnt | grep -Eq ':53[[:space:]]'"; then
status OK "DNS port 53 listening"
else
status FAIL "DNS port 53 not listening"
fi
if remote_cmd "ss -lnt | grep -q '127.0.0.1:5335'"; then
status OK "Unbound 5335 listening on loopback"
else
status WARN "Unbound 5335 not bound to loopback"
fi
if remote_cmd "sudo grep -q '127.0.0.1#5335' /etc/pihole/pihole.toml"; then
status OK "Pi-hole upstream points to Unbound"
else
status FAIL "Pi-hole upstream not set to 127.0.0.1#5335"
fi
if remote_cmd "sudo grep -q 'interface: 127.0.0.1' /etc/unbound/unbound.conf.d/dietpi.conf"; then
status OK "Unbound listens on 127.0.0.1"
else
status WARN "Unbound interface not 127.0.0.1"
fi
if remote_cmd "sudo grep -q 'port: 5335' /etc/unbound/unbound.conf.d/dietpi.conf"; then
status OK "Unbound port 5335 configured"
else
status WARN "Unbound port 5335 not configured"
fi
if remote_sudo_cmd "test -f /etc/pihole/tls.pem && test -f /etc/pikit/certs/pikit.local.crt"; then
local fp_pikit fp_pihole
fp_pikit="$(remote_sudo_cmd "openssl x509 -in /etc/pikit/certs/pikit.local.crt -noout -fingerprint -sha256 | cut -d= -f2" 2>/dev/null || true)"
fp_pihole="$(remote_sudo_cmd "openssl x509 -in /etc/pihole/tls.pem -noout -fingerprint -sha256 | cut -d= -f2" 2>/dev/null || true)"
if [ -n "$fp_pikit" ] && [ "$fp_pikit" = "$fp_pihole" ]; then
status OK "Pi-hole TLS matches Pi-Kit cert"
else
status WARN "Pi-hole TLS does not match Pi-Kit cert"
fi
else
status WARN "Pi-hole TLS bundle missing"
fi
}
finalize() {
section "Summary"
status OK "warnings: $WARNINGS"
@@ -246,6 +450,41 @@ main() {
section "Ports"
check_ports
section "Profile"
local profile_json
profile_json="$(load_profile || true)"
if [ -z "$profile_json" ]; then
status OK "profile not present; skipping profile checks"
finalize
exit 0
fi
local profile_id firewall_enable ports_csv
profile_id="$(printf "%s" "$profile_json" | json_get "id" || true)"
firewall_enable="$(printf "%s" "$profile_json" | json_get "firewall_enable" || true)"
ports_csv="$(printf "%s" "$profile_json" | python3 - <<'PY' 2>/dev/null || true
import json, sys
try:
data=json.load(sys.stdin)
except Exception:
sys.exit(0)
ports=data.get("firewall_ports") or []
print(",".join(str(p) for p in ports))
PY
)"
status OK "profile detected: ${profile_id:-unknown}"
check_profile_firewall "$firewall_enable" "$ports_csv"
local services_json profile_services_output
services_json="$(remote_sudo_cmd "cat /etc/pikit/services.json" 2>/dev/null || true)"
profile_services_output="$(printf "%s" "$profile_json" | json_get_list "services" || true)"
check_profile_services "$services_json" "$profile_services_output"
if [ "$profile_id" = "dns-stack" ]; then
check_dns_stack_profile
else
status OK "profile-specific checks skipped"
fi
finalize
}

85
pikit-web/assets/main.js
View File

@@ -110,6 +110,13 @@ const firstbootErrorClose = document.getElementById("firstbootErrorClose");
const firstbootCopyError = document.getElementById("firstbootCopyError");
const firstbootShowRecovery = document.getElementById("firstbootShowRecovery");
const firstbootRecovery = document.getElementById("firstbootRecovery");
const networkModal = document.getElementById("networkModal");
const networkClose = document.getElementById("networkClose");
const networkReserveBtn = document.getElementById("networkReserveBtn");
const networkStaticBtn = document.getElementById("networkStaticBtn");
const networkLaterBtn = document.getElementById("networkLaterBtn");
const networkHelpBtn = document.getElementById("networkHelpBtn");
const networkProfileHint = document.getElementById("networkProfileHint");
const confirmModal = document.getElementById("confirmModal");
const confirmTitle = document.getElementById("confirmTitle");
const confirmBody = document.getElementById("confirmBody");
@@ -172,6 +179,58 @@ const firstbootUI = createFirstbootUI({
showToast,
});
const networkState = {
shown: false,
profile: null,
};
function networkKey(profile) {
const id = profile?.id || profile?.name || "profile";
return `pikit:network-setup:${id}`;
}
function markNetworkHandled(profile, message) {
if (!profile) return;
try {
localStorage.setItem(networkKey(profile), "done");
} catch (err) {
// ignore storage failures
}
if (networkModal) networkModal.classList.add("hidden");
networkState.shown = false;
if (message) showToast?.(message, "success");
}
function openNetworkModal(profile, force = false) {
if (!networkModal) return;
if (!profile?.requires_stable_ip && !force) return;
if (networkProfileHint) {
const name = profile?.name ? `${profile.name} profile` : "This profile";
networkProfileHint.textContent = `${name} needs a stable IP address so your devices can always reach DNS.`;
}
networkModal.classList.remove("hidden");
networkState.shown = true;
networkState.profile = profile;
}
function shouldShowNetworkPrompt(firstbootData) {
if (!firstbootData || firstbootData.state !== "done") return false;
const profile = firstbootData.profile || null;
if (!profile?.requires_stable_ip) return false;
if (networkState.shown) return false;
try {
return localStorage.getItem(networkKey(profile)) !== "done";
} catch (err) {
return true;
}
}
function handleFirstbootStatus(firstbootData) {
if (shouldShowNetworkPrompt(firstbootData)) {
openNetworkModal(firstbootData.profile);
}
}
const statusController = createStatusController({
heroStats,
servicesGrid,
@@ -191,6 +250,7 @@ const statusController = createStatusController({
getError: getFirstbootError,
ui: firstbootUI,
},
onFirstbootStatus: handleFirstbootStatus,
});
const { loadStatus } = statusController;
@@ -220,6 +280,30 @@ function wireDialogs() {
addServiceModal?.addEventListener("click", (e) => {
if (e.target === addServiceModal) addServiceModal.classList.add("hidden");
});
networkModal?.addEventListener("click", (e) => {
if (e.target === networkModal) {
markNetworkHandled(networkState.profile, "Network setup saved");
}
});
}
function wireNetworkSetup() {
networkClose?.addEventListener("click", () => {
markNetworkHandled(networkState.profile, "Network setup saved");
});
networkReserveBtn?.addEventListener("click", () => {
markNetworkHandled(networkState.profile, "Router reservation saved");
});
networkStaticBtn?.addEventListener("click", () => {
markNetworkHandled(networkState.profile, "Static IP reminder saved");
});
networkLaterBtn?.addEventListener("click", () => {
markNetworkHandled(networkState.profile, "Network setup saved");
});
networkHelpBtn?.addEventListener("click", () => {
if (helpModal) helpModal.classList.add("hidden");
openNetworkModal(networkState.profile || { requires_stable_ip: true }, true);
});
}
// Testing hook
@@ -348,6 +432,7 @@ function main() {
window.__pikitTest.exposeServiceForm?.();
}
wireDialogs();
wireNetworkSetup();
wireResetAndUpdates();
wireAccordions({
forceOpen: typeof window !== "undefined" && window.__pikitTest?.forceAccordionsOpen,

2
pikit-web/assets/status-controller.js
View File

@@ -18,6 +18,7 @@ export function createStatusController({
setUpdatesUI = null,
updatesFlagEl = null,
firstboot = null,
onFirstbootStatus = null,
}) {
let lastStatusData = null;
let lastFirstbootState = null;
@@ -88,6 +89,7 @@ export function createStatusController({
firstbootData = await firstboot.getStatus();
lastFirstbootState = firstbootData?.state || lastFirstbootState;
firstboot.ui.update(firstbootData);
onFirstbootStatus?.(firstbootData);
if (firstbootData?.state === "error" && firstboot.getError) {
const err = await firstboot.getError();
if (err?.present) {

44
pikit-web/index.html
View File

@@ -132,6 +132,42 @@
</div>
</div>
<div id="networkModal" class="modal hidden">
<div class="modal-card wide">
<div class="panel-header">
<div>
<p class="eyebrow">Network setup</p>
<h3>Keep DNS reliable</h3>
<p class="hint" id="networkProfileHint">
This profile needs a stable IP address so your devices can always reach DNS.
</p>
</div>
<button id="networkClose" class="ghost icon-btn close-btn" title="Close network setup">
&times;
</button>
</div>
<div class="help-body">
<p>
The easiest option is a router reservation. It keeps the Pi on the same IP without
changing anything on the Pi itself.
</p>
<ol>
<li>Open your routers admin page (often <code>http://192.168.0.1</code> or <code>http://10.0.0.1</code>).</li>
<li>Find <strong>DHCP reservations</strong> or <strong>Static leases</strong>.</li>
<li>Reserve the Pis current IP and MAC address.</li>
</ol>
<div class="control-actions wrap gap">
<button id="networkReserveBtn">I set a router reservation</button>
<button id="networkStaticBtn" class="ghost">Ill set a static IP on the Pi</button>
<button id="networkLaterBtn" class="ghost">Ill do this later</button>
</div>
<p class="hint">
You can reopen this from <strong>Help → Network setup</strong> at any time.
</p>
</div>
</div>
</div>
<div id="changelogModal" class="modal hidden">
<div class="modal-card wide">
<div class="panel-header sticky">
@@ -726,6 +762,14 @@
<li>Factory reset reverts passwords and firewall rules and reboots. Use only when you need a clean slate.</li>
</ul>
<h4>Network setup (DNS profiles)</h4>
<ul>
<li>DNS profiles work best with a stable IP (router reservation or static IP).</li>
<li>
<button id="networkHelpBtn" class="ghost">Open network setup</button>
</li>
</ul>
<h4>Troubleshooting</h4>
<ul>
<li>Service link fails? Make sure the service runs, port/path are right, and edit via the “…” menu.</li>

15
pikit_api/firstboot.py
View File

@@ -3,6 +3,8 @@ import pathlib
from typing import Any, Dict, List, Optional
from .constants import FIRSTBOOT_DIR, FIRSTBOOT_DONE, FIRSTBOOT_ERROR, FIRSTBOOT_LOG, FIRSTBOOT_STATE, WEB_ROOT
PROFILE_FILE = pathlib.Path("/etc/pikit/profile.json")
from .helpers import ensure_dir, sha256_file
DEFAULT_STEPS = [
@@ -82,6 +84,18 @@ def read_firstboot_status() -> Dict[str, Any]:
ca_path = WEB_ROOT / "assets" / "pikit-ca.crt"
ca_hash = sha256_file(ca_path) if ca_path.exists() else None
profile_summary: Dict[str, Any] = {}
if PROFILE_FILE.exists():
try:
data = json.loads(PROFILE_FILE.read_text())
profile_summary = {
"id": data.get("id"),
"name": data.get("name"),
"requires_stable_ip": bool(data.get("requires_stable_ip", False)),
}
except Exception:
profile_summary = {}
return {
"state": state,
"steps": steps,
@@ -91,6 +105,7 @@ def read_firstboot_status() -> Dict[str, Any]:
"error_path": "/api/firstboot/error",
"ca_hash": ca_hash,
"ca_url": "/assets/pikit-ca.crt",
"profile": profile_summary,
}

28
profiles/dns-stack/profile.json Normal file
View File

@@ -0,0 +1,28 @@
{
"id": "dns-stack",
"name": "DNS Stack",
"requires_stable_ip": true,
"firewall_ports": [53, 8089, 8489],
"firewall_enable": true,
"services": [
{ "name": "Pi-hole", "port": 8489, "scheme": "https", "path": "/admin/" }
],
"actions": [
{
"type": "tls_bundle",
"source_cert": "/etc/pikit/certs/pikit.local.crt",
"source_key": "/etc/pikit/certs/pikit.local.key",
"dest": "/etc/pihole/tls.pem",
"owner": "root:pihole",
"mode": "640",
"restart": "pihole-FTL"
},
{
"type": "replace_text",
"file": "/etc/pihole/pihole.toml",
"match": "domain = \"pi.hole\"",
"replace": "domain = \"pikit.local\"",
"restart": "pihole-FTL"
}
]
}

224
systemd/pikit-firstboot.sh
View File

@@ -16,6 +16,7 @@ PROFILE_FILE="/etc/pikit/profile.json"
MOTD_FILE="/etc/motd"
FIRSTBOOT_CONF="/etc/pikit/firstboot.conf"
APT_UA_OVERRIDE="/etc/apt/apt.conf.d/51pikit-unattended.conf"
SERVICE_JSON="/etc/pikit/services.json"
STEPS=(
"Preparing system"
@@ -58,7 +59,7 @@ configure_unattended_defaults() {
log "python3 missing; skipping unattended-upgrades defaults."
return
fi
PYTHONPATH=/usr/local/bin python3 - <<'PY'
PROFILE_FILE="$PROFILE_FILE" SERVICE_JSON="$SERVICE_JSON" PYTHONPATH=/usr/local/bin python3 - <<'PY'
import sys
try:
from pikit_api.auto_updates import set_updates_config
@@ -71,6 +72,198 @@ PY
log "Unattended-upgrades defaults applied (security-only)."
}
apply_profile() {
if [ ! -f "$PROFILE_FILE" ]; then
log "Profile step skipped (no profile.json)."
return
fi
PYTHONPATH=/usr/local/bin python3 - <<'PY'
import json
import os
import pathlib
import pwd
import grp
import shutil
import subprocess
profile_path = pathlib.Path(os.environ.get("PROFILE_FILE", "/etc/pikit/profile.json"))
services_path = pathlib.Path(os.environ.get("SERVICE_JSON", "/etc/pikit/services.json"))
def log(msg: str) -> None:
print(msg)
def ipv6_enabled() -> bool:
cfg = pathlib.Path("/etc/default/ufw")
if not cfg.exists():
return True
for line in cfg.read_text().splitlines():
if line.strip().startswith("IPV6="):
return line.split("=", 1)[1].strip().lower() == "yes"
return True
def get_ipv6_prefixes() -> list:
if not ipv6_enabled():
return []
try:
out = subprocess.check_output(["ip", "-6", "addr", "show", "scope", "global"], text=True)
except Exception:
return []
prefixes = set()
for line in out.splitlines():
line = line.strip()
if not line.startswith("inet6 "):
continue
if " temporary " in f" {line} ":
continue
parts = line.split()
if len(parts) < 2:
continue
prefixes.add(parts[1])
return sorted(prefixes)
try:
profile = json.loads(profile_path.read_text())
except Exception as e:
log(f"Profile load failed: {e}")
profile = {}
ports = profile.get("firewall_ports") or []
firewall_enable = bool(profile.get("firewall_enable", False))
base_ports = profile.get("firewall_base_ports") or [22, 80, 443, 5252, 5253]
if ports:
if shutil.which("ufw"):
ipv6_prefixes = get_ipv6_prefixes()
if ipv6_prefixes:
log(f"IPv6 LAN prefixes: {', '.join(ipv6_prefixes)}")
for raw in ports:
try:
port = int(raw)
except Exception:
continue
for subnet in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16"):
subprocess.run(["ufw", "allow", "from", subnet, "to", "any", "port", str(port)], check=False)
for prefix in ipv6_prefixes:
subprocess.run(["ufw", "allow", "from", prefix, "to", "any", "port", str(port)], check=False)
if firewall_enable:
for raw in base_ports:
try:
port = int(raw)
except Exception:
continue
for subnet in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16"):
subprocess.run(["ufw", "allow", "from", subnet, "to", "any", "port", str(port)], check=False)
for prefix in ipv6_prefixes:
subprocess.run(["ufw", "allow", "from", prefix, "to", "any", "port", str(port)], check=False)
subprocess.run(["ufw", "--force", "enable"], check=False)
log("UFW enabled.")
log("Profile firewall rules applied.")
else:
log("Profile firewall step skipped (ufw missing).")
else:
log("Profile firewall step skipped (no ports).")
def normalize_name(name: str) -> str:
return name.strip().lower()
services = []
if services_path.exists():
try:
services = json.loads(services_path.read_text())
except Exception:
services = []
if not isinstance(services, list):
services = []
profile_services = profile.get("services") or []
if isinstance(profile_services, list) and profile_services:
for psvc in profile_services:
if not isinstance(psvc, dict):
continue
p_name = normalize_name(str(psvc.get("name", "")))
p_port = str(psvc.get("port", ""))
p_path = str(psvc.get("path", "")) if psvc.get("path") is not None else ""
replaced = False
for svc in services:
if not isinstance(svc, dict):
continue
s_name = normalize_name(str(svc.get("name", "")))
s_port = str(svc.get("port", ""))
s_path = str(svc.get("path", "")) if svc.get("path") is not None else ""
if (p_name and s_name == p_name) or (p_port and s_port == p_port and s_path == p_path):
svc.update(psvc)
replaced = True
break
if not replaced:
services.append(psvc)
services_path.parent.mkdir(parents=True, exist_ok=True)
services_path.write_text(json.dumps(services, indent=2))
log("Profile services merged.")
else:
log("Profile services step skipped (none).")
actions = profile.get("actions") or []
if isinstance(actions, list) and actions:
for action in actions:
if not isinstance(action, dict):
continue
action_type = action.get("type")
if action_type == "tls_bundle":
src_cert = pathlib.Path(action.get("source_cert", ""))
src_key = pathlib.Path(action.get("source_key", ""))
dest = pathlib.Path(action.get("dest", ""))
if not src_cert.exists() or not src_key.exists():
log(f"TLS bundle skipped (missing cert/key): {dest}")
continue
dest.parent.mkdir(parents=True, exist_ok=True)
content = src_cert.read_bytes() + b"\n" + src_key.read_bytes() + b"\n"
dest.write_bytes(content)
owner = action.get("owner")
if owner:
user, _, group = str(owner).partition(":")
try:
uid = pwd.getpwnam(user).pw_uid if user else -1
except Exception:
uid = -1
try:
gid = grp.getgrnam(group).gr_gid if group else -1
except Exception:
gid = -1
if uid != -1 or gid != -1:
os.chown(dest, uid if uid != -1 else -1, gid if gid != -1 else -1)
mode = action.get("mode")
if mode:
try:
os.chmod(dest, int(str(mode), 8))
except Exception:
pass
restart = action.get("restart")
if restart:
subprocess.run(["systemctl", "restart", str(restart)], check=False)
log(f"TLS bundle written: {dest}")
continue
if action_type == "replace_text":
file_path = pathlib.Path(action.get("file", ""))
match = str(action.get("match", ""))
replacement = str(action.get("replace", ""))
if not file_path.exists():
log(f"Replace skipped (missing file): {file_path}")
continue
content = file_path.read_text()
if match not in content:
log(f"Replace skipped (pattern not found): {file_path}")
continue
file_path.write_text(content.replace(match, replacement, 1))
restart = action.get("restart")
if restart:
subprocess.run(["systemctl", "restart", str(restart)], check=False)
log(f"Replaced text in: {file_path}")
continue
else:
log("Profile actions step skipped (none).")
PY
}
write_state() {
local state="$1"
local current="$2"
@@ -260,34 +453,7 @@ finish_step 3
begin_step 4
configure_unattended_defaults
if [ -f "$PROFILE_FILE" ] && command -v ufw >/dev/null 2>&1; then
python3 - <<'PY' > /tmp/pikit-profile-ports.txt
import json
import sys
from pathlib import Path
profile = Path("/etc/pikit/profile.json")
try:
data = json.loads(profile.read_text())
except Exception:
data = {}
ports = data.get("firewall_ports") or []
for port in ports:
try:
port_int = int(port)
except Exception:
continue
print(port_int)
PY
while read -r port; do
[ -z "$port" ] && continue
for subnet in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 100.64.0.0/10 169.254.0.0/16; do
ufw allow from "$subnet" to any port "$port" || true
done
done < /tmp/pikit-profile-ports.txt
rm -f /tmp/pikit-profile-ports.txt
else
log "Profile firewall step skipped (no profile.json or ufw missing)"
fi
apply_profile
if [ ! -f "$WEB_ASSETS/pikit-ca.crt" ]; then
echo "CA bundle missing in web assets" >&2