feat(firstboot): opt-in require-secured knob + 'will not' skip message

clawdie-iso half of the .secured interlock:
- build.sh writes colibri_daemon_require_secured="YES" to the operator image's
  rc.conf. Opt-in so DEPLOYED colibri hosts (shared colibri_daemon.in via the
  FreeBSD port, no firstboot gate) are unaffected — they never set this knob.
- gate skip message upgraded to 'agent will NOT start or register until secured'.

Depends on the colibri-side consumer (colibri_daemon.in prestart): when
colibri_daemon_require_secured is YES and /var/db/colibri/.secured is absent,
export COLIBRI_AUTOSPAWN=NO (after the provider.env source block). Tracked as the
colibri follow-up; both must ship in the same 0.12 image for the message to hold.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sam & Claude 2026-06-25 06:16:34 +02:00
parent e135c305a4
commit 73b603d995
2 changed files with 8 additions and 3 deletions

@ -993,6 +993,11 @@ install_colibri_service() {
fi
set_config_line "${MOUNT_POINT}/etc/rc.conf" "colibri_daemon_enable=\"${COLIBRI_DAEMON_ENABLE:-YES}\""
# Operator-image only: require the first-boot password gate to have run
# (it writes /var/db/colibri/.secured) before the daemon autospawns an
# agent. Opt-in so deployed colibri hosts (no firstboot gate) are unaffected.
# Consumed by colibri_daemon.in prestart (colibri repo).
set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_require_secured="YES"'
set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_user="colibri"'
set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_group="colibri"'
set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_data_dir="/var/db/colibri"'
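Review bot: the interlock fails open at the `colibri_daemon_require_secured="YES"` line. rc.conf accepts variables that no script reads, so if the image ships a colibri_daemon rc script without the prestart consumer, the knob is silently ignored and the daemon autospawns an agent on an unsecured node. The commit message says both halves must ship in the same 0.12 image, so consider having build.sh check that the colibri_daemon rc script installed under `${MOUNT_POINT}` references `colibri_daemon_require_secured`, and abort the build if it does not. The comment also hard-codes `/var/db/colibri/.secured` while the data directory is set separately through `colibri_daemon_data_dir` a few lines below; it is worth stating whether the marker path follows that setting or is fixed.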

@ -141,9 +141,9 @@ clawdie_firstboot_rootpw_start() {
_rootpw_continue_countdown 3
else
printf '\n\n [skipped] root/operator passwords NOT set — node is UNSECURED.\n'
printf ' Treat this node as untrusted until a password is set. The colibri\n'
printf ' agent should not register with mother or run tasks while unsecured.\n'
printf ' You will be prompted again on the next boot.\n'
printf ' The colibri agent will NOT start or register with mother until a\n'
printf ' password is set (colibri_daemon_require_secured). Set one to activate\n'
printf ' this node. You will be prompted again on the next boot.\n'
_rootpw_continue_countdown 3
fi
return 0
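Review bot: the new printf text ("will NOT start or register with mother") asserts enforcement that this function does not verify. The statement holds only when `colibri_daemon_require_secured` is YES in rc.conf and the colibri prestart consumer is installed. Consider printing the strong wording only when the knob is set (for example with `checkyesno colibri_daemon_require_secured`) and keeping the earlier "should not register" wording otherwise, so an operator is not told that an unsecured node is inert when the gate is not actually in force.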