Advance forge rollout, Ethereum rails, and NBC sources
This commit is contained in:
parent
be26313225
commit
7d84510eac
88 changed files with 11230 additions and 302 deletions
@ -14,6 +14,10 @@ proxy_subnet="${EVERY_CHANNEL_NETBOOT_PROXY_SUBNET:-}"
|
|||
netboot_hostname="${EVERY_CHANNEL_NETBOOT_HOSTNAME:-}"
|
||||
http_port="${EVERY_CHANNEL_NETBOOT_HTTP_PORT:-8080}"
|
||||
dnsmasq_port="${EVERY_CHANNEL_NETBOOT_DNS_PORT:-0}"
|
||||
proxy_dhcp="${EVERY_CHANNEL_NETBOOT_PROXY_DHCP:-true}"
|
||||
tftp_boot_filename="${EVERY_CHANNEL_NETBOOT_TFTP_BOOT_FILENAME:-ipxe.efi}"
|
||||
http_allowed_cidrs="${EVERY_CHANNEL_NETBOOT_HTTP_ALLOWED_CIDRS:-}"
|
||||
chain_token="${EVERY_CHANNEL_NETBOOT_CHAIN_TOKEN:-}"
|
||||
|
||||
need_cmd() {
|
||||
local name="$1"
|
||||
|
|
@ -26,10 +30,43 @@ need_cmd() {
|
|||
need_cmd dnsmasq
|
||||
need_cmd python3
|
||||
|
||||
bool_norm() {
|
||||
local raw
|
||||
raw="$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')"
|
||||
case "${raw}" in
|
||||
''|true|1|yes|y|on) echo "true" ;;
|
||||
false|0|no|n|off) echo "false" ;;
|
||||
*)
|
||||
echo "error: invalid boolean value '${1}'" >&2
|
||||
exit 2
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
trim_ws() {
|
||||
local value="$1"
|
||||
value="${value#"${value%%[![:space:]]*}"}"
|
||||
value="${value%"${value##*[![:space:]]}"}"
|
||||
printf '%s' "${value}"
|
||||
}
|
||||
|
||||
validate_chain_token() {
|
||||
local value="$1"
|
||||
if [[ -z "${value}" ]]; then
|
||||
return 0
|
||||
fi
|
||||
if [[ ! "${value}" =~ ^[A-Za-z0-9._~-]{16,128}$ ]]; then
|
||||
echo "error: EVERY_CHANNEL_NETBOOT_CHAIN_TOKEN must match [A-Za-z0-9._~-]{16,128}" >&2
|
||||
exit 2
|
||||
fi
|
||||
}
|
||||
|
||||
if [[ "$(id -u)" -ne 0 ]]; then
|
||||
echo "error: netboot-serve requires root (TFTP + ProxyDHCP ports)." >&2
|
||||
echo "hint: run with sudo and pass env vars, for example:" >&2
|
||||
echo " sudo EVERY_CHANNEL_NETBOOT_LISTEN_IP=10.20.30.2 EVERY_CHANNEL_NETBOOT_INTERFACE=eth0 EVERY_CHANNEL_NETBOOT_PROXY_SUBNET=10.20.30.0/24 EVERY_CHANNEL_NETBOOT_HOSTNAME=boot.every.channel ./scripts/netboot-serve.sh" >&2
|
||||
echo "hint: run with sudo and pass env vars. Example (UniFi-only):" >&2
|
||||
echo " sudo EVERY_CHANNEL_NETBOOT_LISTEN_IP=10.20.30.2 EVERY_CHANNEL_NETBOOT_INTERFACE=eth0 EVERY_CHANNEL_NETBOOT_HOSTNAME=boot.every.channel EVERY_CHANNEL_NETBOOT_PROXY_DHCP=false EVERY_CHANNEL_NETBOOT_TFTP_BOOT_FILENAME=ec-ipxe.efi ./scripts/netboot-serve.sh" >&2
|
||||
echo "hint: Example (ProxyDHCP):" >&2
|
||||
echo " sudo EVERY_CHANNEL_NETBOOT_LISTEN_IP=10.20.30.2 EVERY_CHANNEL_NETBOOT_INTERFACE=eth0 EVERY_CHANNEL_NETBOOT_PROXY_SUBNET=10.20.30.0/24 EVERY_CHANNEL_NETBOOT_HOSTNAME=boot.every.channel EVERY_CHANNEL_NETBOOT_PROXY_DHCP=true ./scripts/netboot-serve.sh" >&2
|
||||
exit 2
|
||||
fi
|
||||
|
||||
|
|
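Review bot: validate_chain_token has no comment saying why the token is limited to `[A-Za-z0-9._~-]`, and the reason matters: later in this file the token is spliced unencoded into a query string (`?token=${chain_token}`) and from there into a dnsmasq `dhcp-boot=` line, so the character class is exactly the URL-unreserved set that is safe in both places. A maintainer who loosens the regex to allow `&`, `#` or spaces would silently break the chain URL. Suggest `# Restrict to URL-unreserved characters: the token is interpolated unencoded into the chain URL and dnsmasq.conf.` above the `=~` test, and a one-line header on bool_norm noting that it is meant to be called via `$( )` so its `exit 2` only leaves the subshell and the caller has to check the status.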
@ -41,15 +78,25 @@ if [[ -z "${interface_name}" ]]; then
|
|||
echo "error: set EVERY_CHANNEL_NETBOOT_INTERFACE (interface on NUC VLAN)" >&2
|
||||
exit 2
|
||||
fi
|
||||
if [[ -z "${proxy_subnet}" ]]; then
|
||||
echo "error: set EVERY_CHANNEL_NETBOOT_PROXY_SUBNET (for example 10.20.30.0/24)" >&2
|
||||
exit 2
|
||||
fi
|
||||
if [[ -z "${netboot_hostname}" ]]; then
|
||||
netboot_hostname="${listen_ip}"
|
||||
fi
|
||||
proxy_dhcp="$(bool_norm "${proxy_dhcp}")"
|
||||
validate_chain_token "${chain_token}"
|
||||
if [[ "${proxy_dhcp}" == "true" && -z "${proxy_subnet}" ]]; then
|
||||
echo "error: set EVERY_CHANNEL_NETBOOT_PROXY_SUBNET (for example 10.20.30.0/24) when proxy mode is enabled" >&2
|
||||
exit 2
|
||||
fi
|
||||
if [[ -z "${http_allowed_cidrs}" && "${proxy_dhcp}" == "true" ]]; then
|
||||
http_allowed_cidrs="${proxy_subnet}"
|
||||
fi
|
||||
|
||||
for required in "${http_dir}/kernel" "${http_dir}/initrd" "${http_dir}/netboot.ipxe" "${tftp_dir}/ipxe.efi"; do
|
||||
netboot_chain_url="http://${netboot_hostname}:${http_port}/netboot.ipxe"
|
||||
if [[ -n "${chain_token}" ]]; then
|
||||
netboot_chain_url="${netboot_chain_url}?token=${chain_token}"
|
||||
fi
|
||||
|
||||
for required in "${http_dir}/kernel" "${http_dir}/initrd" "${http_dir}/netboot.ipxe" "${tftp_dir}/${tftp_boot_filename}"; do
|
||||
if [[ ! -f "${required}" ]]; then
|
||||
echo "error: missing required staged file: ${required}" >&2
|
||||
echo "hint: run ./scripts/netboot-stage.sh first" >&2
|
||||
|
|
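Review bot: The call `proxy_dhcp="$(bool_norm "${proxy_dhcp}")"` does not check the status of the substitution, and bool_norm's `exit 2` on an invalid value only terminates the `$( )` subshell. Unless the script runs under `set -e` (not visible in this hunk), a typo such as `EVERY_CHANNEL_NETBOOT_PROXY_DHCP=ture` leaves `proxy_dhcp` empty, every `== "true"` test below is then false, and the script continues with proxy mode and the subnet check silently skipped. Make the failure explicit: `proxy_dhcp="$(bool_norm "${proxy_dhcp}")" || exit 2`. The same `$( )` pattern is used for trim_ws in the CIDR loop, but that function has no failure path, so it does not need the check.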
@ -75,25 +122,73 @@ listen-address=${listen_ip}
|
|||
log-dhcp
|
||||
enable-tftp
|
||||
tftp-root=${tftp_dir}
|
||||
EOF
|
||||
|
||||
if [[ "${proxy_dhcp}" == "true" ]]; then
|
||||
cat >> "${run_dir}/dnsmasq.conf" <<EOF
|
||||
dhcp-range=${proxy_subnet},proxy
|
||||
dhcp-userclass=set:ipxe,iPXE
|
||||
dhcp-match=set:efi64,option:client-arch,7
|
||||
dhcp-match=set:efi64,option:client-arch,9
|
||||
dhcp-option=66,${netboot_hostname}
|
||||
dhcp-boot=tag:!ipxe,tag:efi64,ipxe.efi
|
||||
dhcp-boot=tag:ipxe,tag:efi64,http://${netboot_hostname}:${http_port}/netboot.ipxe
|
||||
dhcp-boot=tag:!ipxe,ipxe.efi
|
||||
dhcp-boot=tag:ipxe,http://${netboot_hostname}:${http_port}/netboot.ipxe
|
||||
dhcp-boot=tag:!ipxe,tag:efi64,${tftp_boot_filename}
|
||||
dhcp-boot=tag:ipxe,tag:efi64,${netboot_chain_url}
|
||||
dhcp-boot=tag:!ipxe,${tftp_boot_filename}
|
||||
dhcp-boot=tag:ipxe,${netboot_chain_url}
|
||||
EOF
|
||||
fi
|
||||
|
||||
python3 -m http.server "${http_port}" --bind "${listen_ip}" --directory "${http_dir}" >/tmp/every-channel-netboot-http.log 2>&1 &
|
||||
http_server_script="${root}/scripts/netboot-http-server.py"
|
||||
if [[ ! -f "${http_server_script}" ]]; then
|
||||
echo "error: missing HTTP server helper: ${http_server_script}" >&2
|
||||
exit 2
|
||||
fi
|
||||
|
||||
http_args=(python3 "${http_server_script}" --bind-ip "${listen_ip}" --port "${http_port}" --root "${http_dir}")
|
||||
if [[ -n "${chain_token}" ]]; then
|
||||
http_args+=(--netboot-token "${chain_token}")
|
||||
fi
|
||||
|
||||
if [[ -n "${http_allowed_cidrs}" ]]; then
|
||||
IFS=',' read -r -a cidr_raw <<< "${http_allowed_cidrs}"
|
||||
for raw in "${cidr_raw[@]}"; do
|
||||
cidr="$(trim_ws "${raw}")"
|
||||
if [[ -n "${cidr}" ]]; then
|
||||
http_args+=(--allow-cidr "${cidr}")
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
http_log="${run_dir}/http.log"
|
||||
"${http_args[@]}" >"${http_log}" 2>&1 &
|
||||
http_pid="$!"
|
||||
sleep 0.2
|
||||
if ! kill -0 "${http_pid}" >/dev/null 2>&1; then
|
||||
echo "error: HTTP server failed to start; see ${http_log}" >&2
|
||||
cat "${http_log}" >&2 || true
|
||||
exit 2
|
||||
fi
|
||||
|
||||
echo "ok: HTTP serving ${http_dir} on http://${listen_ip}:${http_port}/"
|
||||
echo "ok: advertised netboot host: ${netboot_hostname}"
|
||||
echo "ok: TFTP serving ${tftp_dir} on ${listen_ip}:69"
|
||||
echo "ok: ProxyDHCP active for ${proxy_subnet} on interface ${interface_name}"
|
||||
echo "ok: Use normal Unifi DHCP for IP assignment; do not configure Unifi DHCP bootfile while proxy mode is active."
|
||||
echo "ok: TFTP boot filename: ${tftp_boot_filename}"
|
||||
if [[ -n "${chain_token}" ]]; then
|
||||
echo "ok: chain token enabled"
|
||||
fi
|
||||
if [[ -n "${http_allowed_cidrs}" ]]; then
|
||||
echo "ok: HTTP allowed CIDRs: ${http_allowed_cidrs}"
|
||||
else
|
||||
echo "warning: HTTP CIDR allowlist is disabled; set EVERY_CHANNEL_NETBOOT_HTTP_ALLOWED_CIDRS to lock this down"
|
||||
fi
|
||||
if [[ "${proxy_dhcp}" == "true" ]]; then
|
||||
echo "ok: ProxyDHCP active for ${proxy_subnet} on interface ${interface_name}"
|
||||
echo "ok: Use normal Unifi DHCP for IP assignment; do not configure Unifi DHCP bootfile while proxy mode is active."
|
||||
else
|
||||
echo "ok: ProxyDHCP disabled."
|
||||
echo "ok: Configure UniFi DHCP option 66=${netboot_hostname}, option 67=${tftp_boot_filename}"
|
||||
fi
|
||||
echo "ok: chain URL: ${netboot_chain_url}"
|
||||
echo
|
||||
echo "Press Ctrl+C to stop."
|
||||
dnsmasq --no-daemon --conf-file="${run_dir}/dnsmasq.conf"
|
||||
|
|
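Review bot: The HTTP server is started with `&` and its PID is saved in `http_pid`, but nothing ever stops it: no `trap` is visible in this hunk, and the script ends by running dnsmasq in the foreground and telling the operator to press Ctrl+C. In a non-interactive bash, background jobs have SIGINT ignored, so Ctrl+C stops dnsmasq and the script while the python helper keeps listening on `${listen_ip}:${http_port}` serving the staged kernel/initrd until someone kills it by hand. Add, right after `http_pid="$!"`, `trap 'kill "${http_pid}" 2>/dev/null || true' EXIT`. Separately, passing the token as `--netboot-token "${chain_token}"` makes it readable to every local user via `ps`; if netboot-http-server.py can take it from the environment or a file, that path is preferable, and `${run_dir}/dnsmasq.conf` now also contains the token in the chain URL, so the directory's permissions deserve a check (they are not visible here).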