commit 61b633cf33670beb26ad8248337f25514be4da11
parent 1a64b6dc2683bb6a2b2525032cac40dc3f85d9da
Author: Andreas Gruhler <agruhl@gmx.ch>
Date: Wed, 10 Aug 2022 01:24:23 +0200
feat: arm64 with Raspberry OS
Diffstat:
6 files changed, 39 insertions(+), 71 deletions(-)
diff --git a/bootstrap.sh b/bootstrap.sh
@@ -2,40 +2,22 @@
#
# Packer shell provisioner for Arch Linux on Raspberry Pi
#
-# Based on:
-# * https://github.com/mkaczanowski/packer-builder-arm/blob/master/boards/raspberry-pi/archlinuxarm.json
-# * https://github.com/bcomnes/raspi-packer
-
# set -o errexit
# set -o nounset
set -o xtrace
-# Initialize pacman keyring
-# https://archlinuxarm.org/platforms/armv6/raspberry-pi
-# https://archlinuxarm.org/platforms/armv8/broadcom/raspberry-pi-3
-pacman-key --init
-pacman-key --populate archlinuxarm
-
-# Enable network connection
-mv /etc/resolv.conf /etc/resolv.conf.bck
-echo "nameserver 8.8.8.8" > /etc/resolv.conf
-
-# Sync packages
-pacman -Syu --noconfirm
-pacman -S parted man sudo unzip inetutils jq docker nfs-utils --noconfirm
-
-# Disable software rng and enable docker
-systemctl disable haveged
-systemctl enable docker
+# Set hostname
+echo "${HOSTNAME}" > /etc/hostname
-# Set up no-password sudo
-echo '%wheel ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/wheel
+# Resolve hostname
+cat << EOF >> /etc/hosts
+127.0.0.1 localhost
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
-# Set up localization:
-# https://wiki.archlinux.org/index.php/Installation_guide#Localization
-sed -i 's/#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/g' /etc/locale.gen
-locale-gen
-echo 'LANG=en_US.UTF-8' > /etc/locale.conf
+127.0.1.1 $HOSTNAME
+EOF
# Install script to resize fs
mv /tmp/resizerootfs.service /etc/systemd/system/
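Review bot: The heredoc still appends with `>>`, but the build now resizes a stock Raspberry Pi OS image (`"image_build_method": "resize"`), so /etc/hosts presumably already exists with its own localhost lines and a `127.0.1.1` entry for the image's default hostname. The result is duplicate entries and possibly two names on 127.0.1.1; writing the file outright with `cat << EOF > /etc/hosts` makes the outcome independent of what the base image shipped. The header comment at the top of the hunk also still says "Arch Linux on Raspberry Pi" and should read `# Packer shell provisioner for Raspberry Pi OS (arm64)`. The script continues outside this hunk.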
@@ -43,29 +25,24 @@ chmod +x /tmp/resizerootfs
mv /tmp/resizerootfs /usr/sbin/
systemctl enable resizerootfs.service
-# Set hostname
-echo "${HOSTNAME}" > /etc/hostname
+# Install packages
+curl -sSL https://get.docker.com | sh
+DEBIAN_FRONTEND=noninteractive apt-get install -y jq
-# Resolve hostname
-cat << EOF >> /etc/hosts
-127.0.0.1 localhost
-::1 localhost
-127.0.1.1 $HOSTNAME.localdomain $HOSTNAME
-EOF
+# Set up no-password sudo
+rm /etc/sudoers.d/010_pi-nopasswd
+echo '%sudo ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/010_all-nopasswd
-# Disable password auth
+# Enable ssh and disable password auth
+touch /boot/ssh
sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
+# Delete default user pi
+userdel -r pi
+
# Create user
useradd -m "${USERNAME}"
-usermod -aG wheel "${USERNAME}"
-
-# Delete default user alarm:alarm
-userdel -r alarm
-
-# Disable root login root:root
-# https://wiki.archlinux.org/index.php/Sudo#Disable_root_login
-passwd -l root
+usermod -aG sudo "${USERNAME}"
# Setup ssh keys
mkdir "/home/${USERNAME}/.ssh"
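Review bot: `curl -sSL https://get.docker.com | sh` runs whatever that URL returns as root inside the image, with no version pin or integrity check, and because `set -o errexit` is commented out and `-f` is not passed, an HTTP error or truncated download does not stop the build. Prefer installing Docker from its apt repository with the signing key pinned, or at minimum fetch to a file first so the step can fail and the script can be inspected: `curl -fsSL https://get.docker.com -o /tmp/get-docker.sh && sh /tmp/get-docker.sh`. The `sed` on `#PasswordAuthentication yes` is a silent no-op if the base image's sshd_config lacks that exact line, so a following `grep -q '^PasswordAuthentication no' /etc/ssh/sshd_config` would catch an image that still accepts passwords. The removed `passwd -l root` has no replacement, so root's state is whatever the base image ships and should be confirmed as locked.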
diff --git a/hashi-pi.json b/hashi-pi.json
@@ -3,23 +3,23 @@
"hostname": "HashiPi0",
"username": "pi",
"authorized_keys": "",
- "img_url": "http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-latest.tar.gz",
+ "img_url": "https://downloads.raspberrypi.org/raspios_lite_arm64/images/raspios_lite_arm64-2022-04-07/2022-04-04-raspios-bullseye-arm64-lite.img.xz",
"img_name": "raspi.img",
"flash_device_path": null,
"img_size": "3G",
"consul_version": "1.12.3",
- "consul_arch": "armelv5",
+ "consul_arch": "arm64",
"consul_encrypt": null,
"consul_tls_ca": null,
"consul_tls_certs": null,
"consul_retry_join": "\"HashiPi0\", \"HashiPi1\", \"HashiPi2\"",
"nomad_version": "1.3.2",
- "nomad_arch": "arm",
+ "nomad_arch": "arm64",
"nomad_nfs_server": "",
"nomad_nfs_mount": "",
"nomad_nfs_target": "",
"vault_version": "1.11.2",
- "vault_arch": "arm",
+ "vault_arch": "arm64",
"vault_tls_ca_cert": "./tls/vault/ca/vault_ca.pem",
"vault_tls_ca_key": "./tls/vault/ca/vault_ca.key",
"vault_tls_subj_alt_name": "IP:127.0.0.1"
@@ -33,11 +33,11 @@
"builders": [{
"type": "arm",
"file_urls" : ["{{ user `img_url` }}"],
- "file_checksum_url": "{{ user `img_url` }}.md5",
- "file_checksum_type": "md5",
- "file_unarchive_cmd": ["tar", "-xzf", "$ARCHIVE_PATH", "-C", "$MOUNTPOINT"],
- "file_target_extension": "tar.gz",
- "image_build_method": "new",
+ "file_checksum_url": "{{ user `img_url` }}.sha256",
+ "file_checksum_type": "sha256",
+ "file_unarchive_cmd": ["xz", "-d", "$ARCHIVE_PATH"],
+ "file_target_extension": "xz",
+ "image_build_method": "resize",
"image_path": "{{ user `img_name` }}",
"image_size": "{{ user `img_size` }}",
"image_type": "dos",
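Review bot: `file_checksum_url` is built from `img_url`, so the SHA-256 file comes from the same server as the image and only detects transfer corruption, not a replaced download. Since `img_url` now pins one dated release, the expected digest can be pinned next to it: add an `img_checksum` user variable and use ``"file_checksum": "{{ user `img_checksum` }}"`` in place of `file_checksum_url`. The builder object continues outside this hunk.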
@@ -59,8 +59,9 @@
"mountpoint": "/"
}
],
- "qemu_binary_source_path": "/usr/bin/qemu-arm-static",
- "qemu_binary_destination_path": "/usr/bin/qemu-arm-static"
+ "image_chroot_env": ["PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin"],
+ "qemu_binary_source_path": "/usr/bin/qemu-aarch64-static",
+ "qemu_binary_destination_path": "/usr/bin/qemu-aarch64-static"
}],
"provisioners": [
{
@@ -149,10 +150,6 @@
"VAULT_TLS_CA_KEY=/tmp/vault_ca.key",
"VAULT_TLS_SUBJ_ALT_NAME={{ user `vault_tls_subj_alt_name` }}"
]
- },
- {
- "type": "shell",
- "inline": ["mv /etc/resolv.conf.bck /etc/resolv.conf"]
}
]
}
diff --git a/hosts/pi0.json b/hosts/pi0.json
@@ -2,12 +2,10 @@
"hostname": "pi0",
"username": "pi",
"authorized_keys": "",
- "img_url": "http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-armv7-latest.tar.gz",
"img_name": "HashiPi-pi0.img",
"flash_device_path": "/dev/sda",
- "consul_arch": "arm",
"consul_encrypt": "",
"consul_tls_ca": "./tls/consul/consul-agent-ca.pem",
"consul_tls_certs": "./tls/consul/certs/",
- "consul_retry_join": "\"pi0\", \"pi1\", \"pi2\""
+ "consul_retry_join": "\"pi0.lan\", \"pi1.lan\", \"pi2.lan\""
}
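Review bot: `consul_retry_join` now depends on the `.lan` names answered by the local resolver, while the context line above still has `"consul_encrypt": ""`. If that empty value is what reaches the agent configuration (the template is not visible here), the join target is decided by LAN DNS with no gossip key behind it; set a gossip key and make sure the certificates under `consul_tls_certs` carry names matching the `.lan` hosts. The same applies to hosts/pi1.json and hosts/pi2.json.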
diff --git a/hosts/pi1.json b/hosts/pi1.json
@@ -2,12 +2,10 @@
"hostname": "pi1",
"username": "pi",
"authorized_keys": "",
- "img_url": "http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-armv7-latest.tar.gz",
"img_name": "HashiPi-pi1.img",
"flash_device_path": "/dev/sda",
- "consul_arch": "arm",
"consul_encrypt": "",
"consul_tls_ca": "./tls/consul/consul-agent-ca.pem",
"consul_tls_certs": "./tls/consul/certs/",
- "consul_retry_join": "\"pi0\", \"pi1\", \"pi2\""
+ "consul_retry_join": "\"pi0.lan\", \"pi1.lan\", \"pi2.lan\""
}
diff --git a/hosts/pi2.json b/hosts/pi2.json
@@ -2,12 +2,10 @@
"hostname": "pi2",
"username": "pi",
"authorized_keys": "",
- "img_url": "http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-armv7-latest.tar.gz",
"img_name": "HashiPi-pi2.img",
"flash_device_path": "/dev/sda",
- "consul_arch": "arm",
"consul_encrypt": "",
"consul_tls_ca": "./tls/consul/consul-agent-ca.pem",
"consul_tls_certs": "./tls/consul/certs/",
- "consul_retry_join": "\"pi0\", \"pi1\", \"pi2\""
+ "consul_retry_join": "\"pi0.lan\", \"pi1.lan\", \"pi2.lan\""
}
diff --git a/vault.sh b/vault.sh
@@ -65,8 +65,8 @@ chmod 644 *.pem
cat "$VAULT_TLS_CA_CERT" >> "${HOSTNAME}.pem"
# Trust the CA
-mv "$VAULT_TLS_CA_CERT" /etc/ca-certificates/trust-source/anchors/
-update-ca-trust
+mv "$VAULT_TLS_CA_CERT" /usr/local/share/ca-certificates/
+update-ca-certificates
# Allow usage of mlock syscall without root
setcap cap_ipc_lock=+ep /usr/local/bin/vault
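Review bot: `update-ca-certificates` only picks up files under /usr/local/share/ca-certificates whose names end in `.crt`, and the default `vault_tls_ca_cert` in hashi-pi.json is `vault_ca.pem`, so the moved CA is probably skipped and never added to the trust store. Rename on the move: `mv "$VAULT_TLS_CA_CERT" /usr/local/share/ca-certificates/vault_ca.crt`. The value of `$VAULT_TLS_CA_CERT` is set outside this hunk, so confirm the file name there.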