diff --git a/contestops/configure-machines.sh b/contestops/configure-machines.sh
index c3d8fd6..6e2f61e 100755
--- a/contestops/configure-machines.sh
+++ b/contestops/configure-machines.sh
@@ -10,9 +10,7 @@ parallel-scp -x "-F local.ssh_config" -h hostlist ./config-hosts /etc/hosts
 # Configure firewall.
 parallel-scp -x "-F local.ssh_config" -h hostlist ./config-nftables.conf /etc/nftables.conf
-parallel-ssh -x "-F local.ssh_config" -h hostlist systemctl enable nftables.service
-# For some unknown reason nft gets stuck the first time it is run.
-parallel-ssh -x "-F local.ssh_config" -h hostlist --par 30 systemctl start nftables.service
+parallel-ssh -x "-F local.ssh_config" -h hostlist systemctl reload nftables.service
 # Uncomment these lines if machines have 4K displays. This scales display to 2x.
 # parallel-scp -x "-F local.ssh_config" -h hostlist ./set-display-scale.py /usr/local/bin/set-display-scale.py
diff --git a/contestops/readme.md b/contestops/readme.md
index 14a3f5d..d0a392b 100644
--- a/contestops/readme.md
+++ b/contestops/readme.md
@@ -122,7 +122,6 @@ You can look these up with `host contest.soi.ch`.
 Edit `contest-lock.json` to fill in the title and start time of the contest.
 Apply the configuration to machines.
-If the script gets stuck, press Ctrl+C and run it again.
 ```bash
 ./configure-machines.sh
diff --git a/os/build.py b/os/build.py
index c84070d..6ba41fd 100755
--- a/os/build.py
+++ b/os/build.py
@@ -129,6 +129,7 @@ def main():
 # We need ca-certificates for fetching https packages repos.
 "--debootstrap-options",
 "--exclude=isc-dhcp-client,isc-dhcp-common,ifupdown --include=ca-certificates" + VARIANT_EXTRA_BOOTSTRAP.get(args.variant, ""),
+"--chroot-squashfs-compression-type", "zstd",
 "--loadlin", "false",
 "--iso-volume", f"SOI {VARIANT_LABEL[args.variant]} @ISOVOLUME_TS@",
 "--bootappend-live", "boot=live toram=filesystem.squashfs",
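Review bot: The new `systemctl reload nftables.service` line only succeeds when the unit is already active, so on a host booted from an image built before the hook enabled the service, or where the unit failed at boot, the reload errors out and the config-nftables.conf copied on the line above is never loaded. `parallel-ssh -x "-F local.ssh_config" -h hostlist systemctl reload-or-restart nftables.service` covers both cases, and since the ruleset begins with `flush ruleset` the replacement is still applied within one `nft -f` transaction, keeping the no-firewall window that a plain restart would open only for hosts that had no active ruleset anyway. Whether a failing parallel-ssh aborts the script depends on the `set` options at the top of the file, which is outside the hunk; checking the exit status of this call explicitly would surface per-host failures instead of leaving a stale ruleset in place unnoticed.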
diff --git a/os/layers/contestant/hooks/live/2010-contestant.hook.chroot b/os/layers/contestant/hooks/live/2010-contestant.hook.chroot
index e65b6fd..c8c0dea 100755
--- a/os/layers/contestant/hooks/live/2010-contestant.hook.chroot
+++ b/os/layers/contestant/hooks/live/2010-contestant.hook.chroot
@@ -28,3 +28,6 @@ systemctl disable kexec.service
 # Restrict access to the config which contains the WiFi password.
 chmod og= /etc/NetworkManager/system-connections/contest.nmconnection
+
+# Enable firewall.
+systemctl enable nftables.service
diff --git a/os/layers/contestant/includes.chroot/etc/nftables.conf b/os/layers/contestant/includes.chroot/etc/nftables.conf
new file mode 100644
index 0000000..190685b
--- /dev/null
+++ b/os/layers/contestant/includes.chroot/etc/nftables.conf
@@ -0,0 +1,19 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority filter;
+ # Add a rule which references conntrack, to make sure that conntrack is
+ # already enabled when we activate a restrictive ruleset.
+ ct state { established, related } accept
+ }
+ chain forward {
+ type filter hook forward priority filter;
+ }
+ chain output {
+ type filter hook output priority filter;
+ ct state { established, related } accept
+ }
+}
diff --git a/os/layers/live/includes.chroot/etc/default/zramswap b/os/layers/live/includes.chroot/etc/default/zramswap
new file mode 100644
index 0000000..1f43fca
--- /dev/null
+++ b/os/layers/live/includes.chroot/etc/default/zramswap
@@ -0,0 +1,2 @@
+ALGO=zstd
+PERCENT=80
diff --git a/os/layers/live/includes.chroot/etc/systemd/system/detect-swap.service b/os/layers/live/includes.chroot/etc/systemd/system/detect-swap.service
new file mode 100644
index 0000000..912c92e
--- /dev/null
+++ b/os/layers/live/includes.chroot/etc/systemd/system/detect-swap.service
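Review bot: The added `systemctl enable nftables.service` turns the firewall on at boot, but the nftables.conf introduced in the next hunk declares no `policy` on its input, forward or output chains, so they take nft's default of accept and the unit as shipped in the image is effectively accept-all until contestops/configure-machines.sh pushes config-nftables.conf. That is a reasonable conntrack warm-up, as the comment in nftables.conf explains, but the permissive state should be stated where the service is enabled and where the ruleset is read rather than left implicit: in the hook, `# Enable firewall. The shipped /etc/nftables.conf is a permissive bootstrap ruleset; the restrictive one is applied later by contestops/configure-machines.sh.`, and in nftables.conf an explicit `policy accept;` after each `type filter hook ... priority filter;` line. The rest of the hook script lies outside the hunk.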
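Review bot: `PERCENT=80` in the new zramswap file is an unexplained number, and with `boot=live toram=filesystem.squashfs` the squashfs already lives in RAM on these machines, so a one-line comment recording the reasoning would help the next maintainer, e.g. `# zram may hold up to 80% of RAM (uncompressed); sized for the toram squashfs plus contestant workloads.` As I read zram-tools, the file also accepts a PRIORITY setting, and since detect-swap's `swapon` call passes no priority, stating the intended ordering between zram and any disk swap here would avoid guessing which one the kernel fills first.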
@@ -0,0 +1,14 @@
+[Unit]
+Description=detect and enable swap partitions.
+Before=basic.target
+After=local-fs.target systemd-tmpfiles-setup.service
+DefaultDependencies=no
+ConditionKernelCommandLine=boot=live
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/bin/detect-swap
+
+[Install]
+WantedBy=basic.target
diff --git a/os/layers/live/includes.chroot/usr/local/bin/detect-swap b/os/layers/live/includes.chroot/usr/local/bin/detect-swap
new file mode 100644
index 0000000..19a5042
--- /dev/null
+++ b/os/layers/live/includes.chroot/usr/local/bin/detect-swap
@@ -0,0 +1,13 @@
+#!/usr/bin/python3
+
+import subprocess
+import json
+
+SD_GPT_SWAP = '0657fd6d-a4ab-43c4-84e5-0933c84b4f4f'
+
+lsblk_result = subprocess.run(['lsblk', '--json', '--output=PATH,PARTTYPE'], check=True, stdout=subprocess.PIPE)
+lablk_out = json.loads(lsblk_result.stdout)
+for block in lablk_out['blockdevices']:
+ if block['parttype'] == SD_GPT_SWAP:
+ print('Enabling swap on', block['path'])
+ subprocess.run(['swapon', block['path']])
diff --git a/os/layers/live/package-lists/live-extra.list.chroot b/os/layers/live/package-lists/live-extra.list.chroot
new file mode 100644
index 0000000..4f7a935
--- /dev/null
+++ b/os/layers/live/package-lists/live-extra.list.chroot
@@ -0,0 +1,5 @@
+# Show progress while copying squashfs to RAM.
+rsync
+
+# Enable zram to make better use of available RAM.
+zram-tools
diff --git a/os/layers/participant/includes.chroot/etc/dconf/db/local.d/00-window-buttons b/os/layers/participant/includes.chroot/etc/dconf/db/local.d/00-window-buttons
new file mode 100644
index 0000000..7ed7b76
--- /dev/null
+++ b/os/layers/participant/includes.chroot/etc/dconf/db/local.d/00-window-buttons
@@ -0,0 +1,4 @@
+# Enable minimize and maximize buttons, which should make gnome a bit easier to
+# use for people more familiar with Windows or macOS.
+[org/gnome/desktop/wm/preferences]
+button-layout = 'appmenu:minimize,maximize,close'
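Review bot: The final `subprocess.run(['swapon', block['path']])` in detect-swap discards swapon's exit status, so a partition the kernel refuses (one already in use, or one whose header still carries a hibernation image) is announced as "Enabling swap on" and then silently skipped, while the lsblk call a few lines earlier uses `check=True`; either pass `check=True` here too so the unit fails visibly, or keep it best-effort with `if subprocess.run(['swapon', block['path']]).returncode != 0: print('swapon failed for', block['path'])`. The script should also say at the top that it deliberately reuses whatever GPT swap partition the machine's installed OS has, since that means memory of the live session is written to persistent local storage, and a maintainer should know that is intended. `lablk_out` on the json.loads line reads like a typo for `lsblk_out`.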
diff --git a/os/layers/training-live/package-lists/training-live.list.chroot b/os/layers/training-live/package-lists/training-live.list.chroot
index 56e00e8..7864d0d 100644
--- a/os/layers/training-live/package-lists/training-live.list.chroot
+++ b/os/layers/training-live/package-lists/training-live.list.chroot
@@ -1,4 +1 @@
 sudo
-
-# Show progress while copying squashfs to RAM.
-rsync