#!/bin/bash set -o errexit -o nounset -o pipefail . hosts.sh [[ $# -eq 1 ]] || exit 1 readonly host=$1 readonly ip=${hosts_ipv4_address[$host]} readonly hostname=${hosts_hostname[$host]} readonly agcount=${hosts_agcount[$host]:-4} readonly swap=${hosts_swap[$host]:-2048} readonly remote=root@$ip readonly drive=$(ssh $remote '[[ -e /dev/sda ]] && echo sda || echo vda') # check for Arch ISO ssh $remote '[[ $(grep IMAGE_ID /etc/os-release) = "IMAGE_ID=archlinux" ]]' || exit 5 ssh $remote '[[ $(grep IMAGE_VERSION /etc/os-release) = "IMAGE_VERSION=2024.11.01" ]]' || exit 5 ssh $remote "sfdisk /dev/$drive -w always <<< ';'" ssh $remote "mkfs.xfs -d agcount=$agcount -f /dev/${drive}1" rsync -cv pacman.d/mirrorlist $remote:/etc/pacman.d/mirrorlist ssh $remote "mount /dev/${drive}1 /mnt" ssh $remote "pacstrap -K /mnt $(tr '\n' ' ' < packages/$host)" rsync -cv grub $remote:/mnt/etc/default/grub ssh $remote "arch-chroot /mnt grub-install /dev/$drive" ssh $remote "arch-chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg" ssh $remote "echo $hostname >/mnt/etc/hostname" rsync -cpv --chmod=644 systemd/network/$host.link $remote:/mnt/etc/systemd/network/10-public.link rsync -cpv --chmod=644 systemd/network/$host.network $remote:/mnt/etc/systemd/network/10-public.network rsync -cpv --chmod=644 crypttab fstab locale.conf mkinitcpio.conf pacman.conf pacreport.conf resolv.conf $remote:/mnt/etc/ rsync -cv unbound.conf $remote:/mnt/etc/unbound/unbound.conf if [[ $host = @(0.grapheneos.network|1.grapheneos.network|2.grapheneos.network|3.grapheneos.network) ]]; then cp chrony.conf chrony.conf.tmp echo -e '\nallow' >> chrony.conf.tmp rsync -cv chrony.conf.tmp $remote:/mnt/etc/chrony.conf rm chrony.conf.tmp else rsync -cv chrony.conf $remote:/mnt/etc/chrony.conf fi ssh $remote mkdir -vp /mnt/etc/sysconfig rsync -cpv --chmod 644 sysconfig/chronyd $remote:/mnt/etc/sysconfig/chronyd rsync -cv authorized_keys $remote:/mnt/root/.ssh/authorized_keys cp ssh/sshd_config ssh/sshd_config.tmp sed -i "s/{{ssh_users}}/${hosts_ssh_users[$host]:-root}/g" ssh/sshd_config.tmp rsync -cv ssh/sshd_config.tmp $remote:/mnt/etc/ssh/sshd_config rm ssh/sshd_config.tmp rsync -cv nftables/nftables-${hosts_firewall[$host]:-web}.conf $remote:/mnt/etc/nftables.conf ssh $remote "arch-chroot /mnt systemctl enable chronyd.service fstrim.timer logrotate.timer nftables.service plocate-updatedb.timer systemd-networkd.service systemd-oomd.service sshd.service sysstat.service unbound.service" ssh $remote "arch-chroot /mnt systemctl disable remote-fs.target systemd-network-generator.service" ssh $remote "arch-chroot /mnt groupadd -g 2000 io_uring" ssh $remote "umask 077 && dd if=/dev/random of=/mnt/swapfile bs=1M count=$swap status=progress" ssh $remote "arch-chroot chsh -s /usr/bin/fish" password=$(head -c32 <(tr -dc A-Za-z0-9