initial import

2 years ago · 5783d0ad37
commit 5783d0ad37
5 changed files with 143 additions and 0 deletions
--- a/9
+++ b/9
@ -0,0 +1,9 @@
+The MIT License (MIT)
+
+Copyright (c) 2022 alex@cloudware.io
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--- a/README.md
+++ b/README.md
@ -0,0 +1,25 @@
+# system updates
+
+the plan is for this repo to contain all system updates, incremental in a form
+of text/source code. a node periodically runs the `update.sh` script which pulls
+the repo to receive updates executes `apply.sh`. the latter then makes changes
+and updates the operating system.
+
+typical examples are: upgrade bitcoind, lnd and other services, update system
+packages, improve configuration of components such as firewall.
+the run sequence on the node is approximately as follows:
+
+1. fetch updates with a `git fetch`.
+2. provide a git diff on the screen and confirm with the user.
+3. pull in the changes with a `git pull --verify-signatures`.
+4. run `apply.sh`.
+
+at the moment, an on-screen diff and confirmation aren't implemented yet.
+`nd` and `ngui` is where it'll happen,
+in the [ndg](https://git.qcode.ch/nakamochi/ndg) repo.
+
+when configuring a new node, clone this repo and set up a cron job to execute
+the `update.sh` script once a day. The script requires `REPODIR` and `LOGFILE`
+env variables set.
+
+TODO: add a list of supported platforms; the "native" is void linux.
--- a/apply.sh
+++ b/apply.sh
@ -0,0 +1,6 @@
+#!/bin/sh
+# the script executes updates to a nakamochi system.
+# it must be run as root or a user with equivalent privileges.
+
+# nothing yet
+exit 0
--- a/keys/x1ddos-540189B756BF5B12.asc
+++ b/keys/x1ddos-540189B756BF5B12.asc
@ -0,0 +1,50 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFaShgcBEADkx5VXVGnX92AVnc13GGbVY7yNktVyOSJOOXw6QLhd7ZgwZWB3
+r5/J0CBlrOHMRLyLaF+R7qjq7F6VKuP9g+MALh1/tRnY8A8OxVSiouZ7L8258mEe
+ishYvPB5AN8rdIx0GR83G760jVIxsHkPiVupzoR+UT8dREzUhdNTsLdQ7FjUIlSe
+uF00Kp9ddCx6S8km0zqW8q2kQB/SIkxwUx54K0jIe7a39ET4nScWLGi26ASdmiFS
+cTE6HlrMxWN/36xJnwuS4nAYsazxxZwDua55kgl/Tso6OfblqYuAexOifttr0kd
+vheu7gjzIsP1wM89sw2iOEIcBzDKCf5yYsEClOIQc/nm7zdTK2uZy6/Ei+2iH7il
+SvKtDAiyKD6T+LdekerPB2i0RkZC+/hbaVvX/4zIDvzntb8KO/yJIPgRRSK5IwA8
+kK1WhbueUxllQvL2HOOzMlIT9qxemScpwtd5Z/5bnWXDy5q4pkNHCFvhEb5PE7TN
+ZFDoENuFSYhNNKGmhpDnAjSEf5g/UNVxp8C/MsbcKJCxg/DUGxEc2Wrb1w7L92fT
+z1E1ifiCEr5X4J4s6SVgYi8034431nhojSgAa9EgX4Q7QECP7nOJiew5v6WZKYYU
+B70zXlPOhK8gwmTOG2fOnmBK8R1LzAGIEC3Rh3K4pm9N2V0Bxbuwi0HAgQARAQAB
+tB9BbGV4IFZhZ2hpbiA8YWxleEBjbG91ZHdhcmUuaW8+iQI3BBMBCgAhBQJWkoYH
+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEFQBibdWv1sSJUAP/3jEL9gU
+cmh9Ocs29wMzrU3FRhfpzo5ebE22n0K/xPdVD7Xf4uK/wBqj3R4u0gBIrJjEz7tW
+tBPOY8s6x/4uKQd46uaMyBorAK/I5sfeb58V9LBp8Ioa26Iy7eMdVjlk74oUrtIq
+5aOcstCtUv0BeIPICOlMuYhpmXeTSBK1AcsFIkuXXI/oOq12vDAIgL77rQmmfqlR
+mIpx3Y/ZtCBuiUeyF17iTRJWU4pFGfskddvn94FbXTKfkn76VjVqPS+3BWkQRlJV
+xhErwkR5UrTYGduICdiA3L2gX1ivF9beh35EMJm3fcrxxvSLeHttfRLu89LaZL/V
+9JfE9iC2V64aBziW9xv62foGAqerG4RhLRPflDMysfAhsEFCDkOTDjGtXLoQ9jSV
+oRHUItJbky3dmm88lrvNPzOkrBmbkeEJA03p+vqbl2EAN3fqMP/YOJGp2zt9tnD4
+u+RwGH3efqCsn8SGKnOzwTyLE8HC/wVla+EiJ9M367nfsRg6s31QwZQzWYYcv269
+uorjR+OSrrj76xRIJjYr6bOzEVMZoNBfRt35YDtYkT7wISII8E/QB60UohVsMqm9
+MY40L6uxrRq4ryXuKP+2+GVt8iz35RZpS4Jvp+pBC9OkfBtlVsDRNbaapYMIr4Ya
+9J+7CZcvOpgqxp4MRqxCnehX6EdGGPFd8FKSuQINBFaShgcBEACloJ2zXwKKGucE
+JdmC91/OT0E2PS9yEbEnRFgOafCXX3PbniraaBdDpLBrbAmsW1BBe01j4uFFzBMl
+YT6aNcFp9o4yzSd9MkXzoWYm8w52cQ/vMPaPMiTjanD4iLnoTATI5wqOxmICiku4
+eaATAn5tzm5oRv9RoliMc/n+2Bo856jkcl4yAb0FY21xxVzxw4ENaXgkldm/0uG9
+X6tcRjkdFuVwkrjv/EXzRvG1pvAyzQl55K2zTlEbElG4cDFTFFbaN5dG5YRl66T+
+c1Z2ZXm5NkFcm4F6r9hVFGoInsdqAbbYVsgnz34cXDUktztrrNv+QmeGUh9D6B+R
+BuZnWQa4F7glXqb5lkfKOKpdsglWsz/cmQk6k0cFIhA5iPb9P4d2gk6ifNDEPDWu
+eMOW+QPho7osxBCI2q+I8Zd/jxyIWDmWfek+sYku6ONGP68RkXzW/M7DKygoKlJf
+ppb4zA5Iax2LgQ+wkcSQza0BpT/1U8AsXp90ulH7fy6Db9OfOdU/PJxA04HeOxPF
+Y00vhXgrEA0Gkb0vhmv+s+3fm4YjpfmPpipdfAeod8ekPFf8X2Ey8nbaXlWrERTC
+RNEDd5yF5d7/FUpxzrc56JT2t3KnY2C3fHkrtzr0+0oxI3ySDpwJR0L3GqWxueZt
+D7TwWkhIliGpKp4NqknlpfHkoW6/swARAQABiQIfBBgBCgAJBQJWkoYHAhsMAAoJ
+EFQBibdWv1sS3kcP/0lQIYFc8cpj1LrZb3thbxLD4V5j3NO2+mN9df0sAZcs4ZfI
+2cBsOfPWSHw30sWyStgFytzKmbkMCplc1K3VjaFb9w3EfjPgh8NK+opXNKa8m4iQ
+xNQNJ3kNYLbguFgzBRKcr6p+2/CLfhHAEM1cRZKY4KNlZWNpePpdqSJpAxg5VToF
+P87GWyS/I8rn1HDEFx4morH+6TxbyyCVsPXkNiRt6Gnoo6wghrsOZCEqxku4gLq8
+XFCgEYVbb4N1R8jzTlggghTJW0JJY8M9IY+lT8J/wqXlzQQ4sfr1kOs/nYPEk4UF
+7unwN0ahMdwdoNVOb3yy/Smx1QtN4xRSrxh41m6YY6j4YKs1xsqOmBl5hbhkG7eU
+VqKfWH0jcLZgKz4Xf41s/u3hmp9erDUhsLzOJsVzvefrzwreWLV2NHfSHyOfKSNY
+lMDCp731c4mjGJbKwOKn3rZqFWDacIYOg74m9q3TJY3F8QUHleggSs3fGljxTgEU
+qrdemoTrP1ejSCfuO9UmMaxNIOrxBuJ3SOjao1OHxQCZoWhQydPhSsHv97m0AHOO
+vOmV41H5UVSA3vPWZb5U6j50bkYwiIgdg861WLbb8ZZg3H2SEzk25S4cbgM2LvLN
+HJDvz+aRs1+BWHbyptsWKRELhj3/vJwrabzPUbUQigaB/pjmC4Yz8WG3+poD
+=M/Xo
+-----END PGP PUBLIC KEY BLOCK-----
--- a/update.sh
+++ b/update.sh
@ -0,0 +1,53 @@
+#!/bin/sh
+# https://git.qcode.ch/nakamochi/sysupdates
+# pull changes from a remote git repo and run the "apply" script.
+# commits are expected to be signed by gpg keys with a sufficient
+# trust level to satisfy git pull --verify-signatures.
+# the script is expected to be run as root, to allow making changes to the
+# operating system.
+# in the future, the plan is to provide an on-screen git diff and apply updates
+# after user confirmation.
+
+# git branch to pull from. defaults to master.
+BRANCH="${1:-master}"
+# output everything to a temp file and print its contents only in case of an error,
+# so that when run via a cronjob, the output is empty on success which prevents
+# needless emails, were any configured.
+LOGFILE="${LOGFILE:-/var/log/sysupdate.log}"
+# a local git repo dir where to pull the updates into.
+REPODIR="${REPODIR:-/ssd/sysupdates}"
+
+# multiple running instances of the script would certainly result in race conditions.
+# so, we serialize runs using a lock file, timing out with an error after 15min.
+if [ -z "$NAKAMOCHI_SYSUPDATE_LOCK" ]; then
+    # use the script itself as the lock file
+    lockfile=$0
+    exec env NAKAMOCHI_SYSUPDATE_LOCK=1 \
+      flock --exclusive --timeout 900 "$lockfile" "$0" "$@"
+fi
+
+# start of the sysupdate; trim prevously logged runs
+date > $LOGFILE
+
+# fetch updates from remove
+cd "$REPO_DIR"
+{
+git fetch origin             # in case the refspec is unknown locally yet
+git reset --hard HEAD        # remove local changes
+git clean -fd                # force-delete untracked files
+git checkout "$BRANCH"
+git pull --verify-signatures
+} >> $LOGFILE 2>&1
+if [ $? -ne 0 ]; then
+    echo "ERROR: git pull failed"
+    cat $LOGFILE
+    exit 1
+fi
+
+# run repo's update script
+./apply.sh >> $LOGFILE 2>&1
+if [ $? -ne 0 ]; then
+    echo "ERROR: apply failed"
+    cat $LOGFILE
+    exit 1
+fi