fix: firstboot fstab handling — no duplicates, compatible with Asahi sed

- Replace sed with grep -v / awk for fstab manipulation (Asahi Fedora's sed doesn't support \| delimiter or \? quantifier) - Use idempotent write_lab_fstab function: removes all old entries first, comments out conflicting btrfs subvol entries, adds fresh LVM entries - Fix sed for SSH hardening: use #* instead of \? (POSIX compatible) - Tested on Mac Studio: no duplicate fstab entries after multiple runs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 15:40:29 +01:00
parent 87e09af941
commit c49a650888
4 changed files with 37 additions and 25 deletions
--- a/bastion/src/bastion/src/templates/asahi-firstboot.sh.ts
+++ b/bastion/src/bastion/src/templates/asahi-firstboot.sh.ts
@@ -111,6 +111,29 @@ mount_lv() {
    fi
 }

+# ── Write fstab function (idempotent) ────────────────────────────
+write_lab_fstab() {
+    # Remove any previous lab LVM entries (clean slate)
+    sed -i '/# lab-lvm:/d' /etc/fstab
+    sed -i '/# Lab LVM volumes/d' /etc/fstab
+    grep -v "/dev/labvg/" /etc/fstab > /etc/fstab.tmp && mv /etc/fstab.tmp /etc/fstab
+    # Comment out non-LVM entries for mount points we manage
+    for mp in "/var " "/var/log " "/home " "/srv "; do
+        if grep -q "$mp" /etc/fstab; then
+            awk -v m="$mp" '{if($0 !~ /^#/ && index($0,m)) print "# lab-lvm: " $0; else print}' /etc/fstab > /etc/fstab.tmp
+            mv /etc/fstab.tmp /etc/fstab
+        fi
+    done
+    # Add fresh LVM entries
+    echo "# Lab LVM volumes" >> /etc/fstab
+    echo "/dev/labvg/swap    none         swap defaults 0 0" >> /etc/fstab
+    echo "/dev/labvg/var     /var         xfs  defaults 0 0" >> /etc/fstab
+    echo "/dev/labvg/varlog  /var/log     xfs  defaults 0 0" >> /etc/fstab
+    echo "/dev/labvg/home    /home        xfs  defaults 0 0" >> /etc/fstab
+    echo "/dev/labvg/srv     /srv         xfs  defaults 0 0" >> /etc/fstab
+    ${roleFstabLines.join('\n    ')}
+}
+
 # ── Check for existing VG ────────────────────────────────────────
 if vgs labvg &>/dev/null; then
    echo "Volume group 'labvg' already exists — reprovision detected."
@@ -129,16 +152,8 @@ ${roleMountLines.map(l => `    ${l}`).join('\n')}
        echo "  Enabled swap"
    fi

-    # Ensure fstab entries exist
-    grep -q "labvg" /etc/fstab || {
-        echo "# Lab LVM volumes (re-added after reprovision)" >> /etc/fstab
-        echo "/dev/labvg/swap    none         swap defaults 0 0" >> /etc/fstab
-        echo "/dev/labvg/var     /var         xfs  defaults 0 0" >> /etc/fstab
-        echo "/dev/labvg/varlog  /var/log     xfs  defaults 0 0" >> /etc/fstab
-        echo "/dev/labvg/home    /home        xfs  defaults 0 0" >> /etc/fstab
-        echo "/dev/labvg/srv     /srv         xfs  defaults 0 0" >> /etc/fstab
-${roleFstabLines.map(l => `        ${l}`).join('\n')}
-    }
+    # Ensure fstab entries exist — comment out conflicting btrfs subvol entries
+    write_lab_fstab

    echo "Existing LVM volumes re-mounted."
 else
@@ -207,15 +222,7 @@ echo "NOTE: /var and /var/log will switch to LVM on next reboot."
 # Enable swap
 swapon /dev/labvg/swap 2>/dev/null || true

-# Write fstab entries
-echo "" >> /etc/fstab
-echo "# Lab LVM volumes" >> /etc/fstab
-echo "/dev/labvg/swap    none         swap defaults 0 0" >> /etc/fstab
-echo "/dev/labvg/var     /var         xfs  defaults 0 0" >> /etc/fstab
-echo "/dev/labvg/varlog  /var/log     xfs  defaults 0 0" >> /etc/fstab
-echo "/dev/labvg/home    /home        xfs  defaults 0 0" >> /etc/fstab
-echo "/dev/labvg/srv     /srv         xfs  defaults 0 0" >> /etc/fstab
-${roleFstabLines.join('\n')}
+write_lab_fstab

 echo "LVM setup complete."
 lvs labvg
@@ -256,8 +263,8 @@ ${rootSshKeyBlock}
 chmod 600 /root/.ssh/authorized_keys

 # ── Harden SSH (takes effect on next sshd restart/reboot) ────────
-sed -i 's/^#\\?PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
-sed -i 's/^#\\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+sed -i 's/^#*PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
+sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config

 # ── Write provisioning metadata ──────────────────────────────────
 cat > /etc/lab-provisioned << LABMETA
--- a/bastion/src/modules/modules/k3s/src/operations/iscsi.ts
+++ b/bastion/src/modules/modules/k3s/src/operations/iscsi.ts
@@ -17,7 +17,7 @@ export const enableIscsi: Operation = async (ctx): Promise<OperationResult> => {
  const isFedora = osLower.includes("fedora") || osLower.includes("rhel") || osLower.includes("centos");

  const pkg = isFedora ? "iscsi-initiator-utils" : "open-iscsi";
-  const installCmd = isFedora ? `dnf install -y ${pkg}` : `apt-get install -y ${pkg}`;
+  const installCmd = isFedora ? `sudo dnf install -y ${pkg}` : `sudo apt-get install -y ${pkg}`;

  const install = await ctx.ssh.exec(installCmd, { timeoutMs: 120_000 });
  if (install.exitCode !== 0) {
@@ -25,7 +25,7 @@ export const enableIscsi: Operation = async (ctx): Promise<OperationResult> => {
  }

  // Enable and start
-  await ctx.ssh.exec("systemctl enable --now iscsid", sshOpts(ctx));
+  await ctx.ssh.exec("sudo systemctl enable --now iscsid", sshOpts(ctx));

  return { success: true, changed: true, message: `Installed ${pkg} and enabled iscsid` };
 };
--- a/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts
+++ b/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts
@@ -9,8 +9,9 @@ function isServerRole(role: string): boolean {

 function generateServerConfig(config: K3sConfig): string {
  const tlsSans = [config.hostname, config.ip, ...(config.tlsSans ?? [])];
+  const serverLine = config.k3sServerUrl ? `server: "${config.k3sServerUrl}"\ntoken: "${config.k3sToken}"\n` : "";
  return `# k3s server configuration — CIS hardened
-protect-kernel-defaults: true
+${serverLine}protect-kernel-defaults: true
 secrets-encryption: true
 write-kubeconfig-mode: "0640"

--- a/bastion/src/modules/modules/k3s/src/operations/k3s-install.ts
+++ b/bastion/src/modules/modules/k3s/src/operations/k3s-install.ts
@@ -15,8 +15,12 @@ export const installK3sBinary: Operation = async (ctx): Promise<OperationResult>
  const alreadyInstalled = version.exitCode === 0;

  if (isServer) {
+    // If joining an existing cluster, pass K3S_URL and K3S_TOKEN
+    const joinEnv = ctx.config.k3sServerUrl && ctx.config.k3sToken
+      ? `K3S_URL="${ctx.config.k3sServerUrl}" K3S_TOKEN="${ctx.config.k3sToken}"`
+      : "";
    const result = await ctx.ssh.exec(
-      'curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server" INSTALL_K3S_SKIP_SELINUX_RPM=true sh -',
+      `curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server" INSTALL_K3S_SKIP_SELINUX_RPM=true ${joinEnv} sh -`,
      { timeoutMs: 300_000 },
    );
    if (result.exitCode !== 0) {