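# NanoBSD configuration for the Soekris router/VPN appliance.
# Usage: nanobsd.sh -c <this file>
# Disk layout values below are in 512-byte sectors unless noted.
NANO_NAME=soekris
NANO_KERNEL=SOEKRIS
# ada0: 15104MB (30932992 512 byte sectors: 16H 63S/T 16383C)
NANO_DRIVE=ada0
NANO_MEDIASIZE=30932992
# 32MB memory disk for /etc
NANO_RAM_ETCSIZE=65536
# 512MB memory disk for /var and /tmp (1048576 sectors; the previous
# value 1042576 did not match this comment and was ~3MB short)
NANO_RAM_TMPVARSIZE=1048576
# 3 GB per code (OS image) slice
NANO_CODESIZE=6291456
# Leave the second code slice unpopulated (all zeros) for better compression
NANO_INIT_IMG2=0
# 512 MB reserved for the CONF slice
NANO_CONFSIZE=1048576
# Remainder of the disk for the rw-mounted data slice (s4, see add_cfgs)
NANO_DATASIZE=-1
# Build knobs for the world: serial console speed plus the components this
# appliance does not need. (The bluetooth knob used to be misspelled
# WIHTOUT_BLUETOOTH, which make(1) silently ignores, so bluetooth was still
# being built into the image.)
CONF_WORLD='
BOOT_COMCONSOLE_SPEED=19200
WITHOUT_BLUETOOTH=YES
WITHOUT_CALENDAR=YES
WITHOUT_FREEBSD_UPDATE=YES
WITHOUT_HTML=YES
WITHOUT_NTP=YES
WITHOUT_PORTSNAP=YES
WITHOUT_RCMDS=YES
WITHOUT_ROUTED=YES
WITHOUT_SENDMAIL=YES
WITHOUT_TELNET=YES
'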
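add_pkgs()
{
	# Populate the world tree with the third-party software this appliance
	# runs: stage directories/symlinks inside the chroot, write a pkg(8)
	# repo definition pointing at the local mirror, bootstrap pkg and
	# install the package list, then remove build-time leftovers.
	# Globals:  NANO_WORLDDIR (read) - root of the world tree being built
	# Returns:  0 on success; 1 if a critical step (resolv.conf copy,
	#           pkg bootstrap, a package install) fails
	local p

	: "${NANO_WORLDDIR:?NANO_WORLDDIR must be set}"

	# pkg(8) inside the chroot needs the build host's resolver; the file is
	# removed again at the end so it does not ship in the image.
	cp /etc/resolv.conf "${NANO_WORLDDIR}/etc/resolv.conf" || return 1

	# Directory layout the services expect: /usr/local/www -> /var/www,
	# /home on the persistent data slice, fail2ban's run dir, mount points.
	chroot "${NANO_WORLDDIR}" sh -c \
		'mkdir -p /var/www; cd /usr/local && ln -s ../../var/www www'
	chroot "${NANO_WORLDDIR}" sh -c \
		'ln -s /mnt/data/home /home'
	chroot "${NANO_WORLDDIR}" sh -c \
		'mkdir -p /var/run/fail2ban'
	chroot "${NANO_WORLDDIR}" sh -c \
		'mkdir -p /mnt/data; mkdir -p /mnt/usb; mkdir -p /mnt/tmp'

	# Local package repo; the stock FreeBSD repo is disabled so every
	# package comes from pkg.home.lan.
	# NOTE: plain http plus signature_type 'none' means nothing verifies
	# what gets installed into the image. If the mirror is ever signed,
	# switch to signature_type: "fingerprints" with a fingerprints dir here.
	mkdir -p "${NANO_WORLDDIR}/usr/local/etc/pkg/repos"
	cat <<EOF > "${NANO_WORLDDIR}/usr/local/etc/pkg/repos/myrepo.conf"
myrepo: {
url: "http://pkg.home.lan/10_0amd64-default/",
signature_type: 'none',
enabled: yes,
}
FreeBSD: {
enabled: no
}
EOF

	# Bootstrap pkg itself, then install each package separately so a
	# failure names the package that broke the build.
	ASSUME_ALWAYS_YES=YES pkg -c "${NANO_WORLDDIR}" bootstrap || return 1
	for p in \
		ports-mgmt/pkg \
		shells/bash \
		sysutils/tmux \
		net/openntpd \
		net/openbgpd \
		sysutils/puppet \
		security/openvpn \
		sysutils/pstree \
		net-mgmt/iftop \
		sysutils/pftop \
		security/py-fail2ban \
		sysutils/cmdwatch \
		sysutils/tree \
		sysutils/uptimed \
		editors/vim-lite \
		benchmarks/iperf \
		sysutils/monitorix \
		sysutils/smartmontools \
		net/rsync \
		net/unison-nox11 \
		net/isc-dhcp43-server \
		net/foreman-proxy \
		net/relayd \
		security/sudo \
		dns/ddclient \
		dns/bind99 \
		ftp/tftp-hpa \
		ftp/vsftpd \
		www/squid33 \
		www/nginx \
		mail/dma
	do
		ASSUME_ALWAYS_YES=YES pkg -c "${NANO_WORLDDIR}" install "${p}" || {
			echo "add_pkgs: failed to install ${p}" >&2
			return 1
		}
	done

	# Cleanup: drop the host resolver and the downloaded package cache.
	# The :? guard keeps an empty NANO_WORLDDIR from turning this into an
	# rm of the build host's own /var/cache/pkg.
	rm -f "${NANO_WORLDDIR}/etc/resolv.conf"
	rm -r "${NANO_WORLDDIR:?}/var/cache/pkg"
}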
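add_cfgs()
{
	# Persistent system configuration baked into the image: loader/sysctl
	# tunables, the /mnt/data mount, rc.d tweaks for openvpn, remote
	# syslog, the Puppet-managed file overlay and a few fix-ups run inside
	# the chroot.
	# Globals:  NANO_WORLDDIR (read) - root of the world tree being built
	#           NANO_DRIVE (read)    - boot device; its s4 slice holds /mnt/data
	#           SOEKRIS_PUPPET_FILES (read, optional) - directory whose
	#             contents are overlaid onto the world tree; defaults to the
	#             soekris module's files in the local Puppet jail
	# Returns:  0 on success; 1 if the rc.d symlinks or the overlay copy fail
	local overlay rcd

	: "${NANO_WORLDDIR:?NANO_WORLDDIR must be set}"
	overlay=${SOEKRIS_PUPPET_FILES:-/usr/jails/puppet.home.lan/usr/local/etc/puppet/modules/soekris/files/common}
	rcd="${NANO_WORLDDIR}/usr/local/etc/rc.d"

	# loader.conf tuning: short autoboot delay, but give CAM 10s to settle
	# so slow-to-appear drives are still found at boot.
	printf '%s\n' \
		'autoboot_delay="3"' \
		'# Delay boot to aid picking up drives' \
		'kern.cam.boot_delay=10000' \
		>> "${NANO_WORLDDIR}/boot/loader.conf"

	# sysctl.conf: fast forwarding path for the router, randomised IP ids.
	printf '%s\n' \
		'net.inet.ip.fastforwarding="1"' \
		'net.inet.ip.random_id="1"' \
		>> "${NANO_WORLDDIR}/etc/sysctl.conf"

	# Persistent mount of the rw data slice; failok keeps boot going if it
	# is missing.
	printf '%s\n' "/dev/${NANO_DRIVE}s4 /mnt/data ufs rw,failok 2 2" \
		>> "${NANO_WORLDDIR}/etc/fstab"

	# Start openvpn right after networking and before syslogd/puppet/etc.
	perl -pwi -e 's^# REQUIRE: DAEMON^# REQUIRE: NETWORKING\n# BEFORE: SERVERS syslogd^g' \
		"${rcd}/openvpn"

	# Extra rc.d names so several openvpn instances share the master script.
	# Run in a subshell so the cd does not leak into the caller, and fail
	# the function instead of silently skipping the links when cd fails.
	( cd "${rcd}" \
		&& ln -sv openvpn openvpn_server \
		&& ln -sv openvpn openvpn_client ) || return 1

	# Forward all syslog messages to the log host by rewriting the stock
	# "#*.*<tabs>@loghost" template line. NOTE(review): this depends on the
	# exact tab layout of the stock syslog.conf; if that changes, the
	# substitution silently does nothing.
	perl -pwi -e 's^#*.*\t\t\t\t\t\t\@loghost^*.*\t\t\t\t\t\t\@10.100.102.2^g' \
		"${NANO_WORLDDIR}/etc/syslog.conf"

	# Overlay the rest of the config from Puppet's manifest. Fail loudly:
	# shipping an image without the overlay is worse than a failed build.
	( cd "${overlay}" && cp -Rfv * "${NANO_WORLDDIR}" ) || return 1

	# /var/tmp must be world-writable with the sticky bit, as on a stock
	# system.
	chroot "${NANO_WORLDDIR}" sh -c \
		'chmod 1777 /var/tmp'
	# fail2ban needs the vsftpd log to exist to start properly.
	chroot "${NANO_WORLDDIR}" sh -c \
		'touch /var/log/vsftpd.log'
	# named's security log directory. Mode 750, not 640: the owner (the
	# bind user, hence the chown) needs search (x) permission on the
	# directory to create and open log files inside it; a 640 directory
	# is unwritable even for its owner.
	chroot "${NANO_WORLDDIR}" sh -c \
		'mkdir -p /var/log/named && chown bind:wheel /var/log/named && chmod 750 /var/log/named'
}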
# Register the customisation steps nanobsd.sh runs, in this order, once the
# world is built: the two functions above, then the stock serial-console and
# install-files helpers.
for step in add_pkgs add_cfgs cust_comconsole cust_install_files; do
	customize_cmd "${step}"
done