Merge pull request #59 from macmpi/dev

Version 1.7

Author: macmpi

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2022-2025, macmpi
+Copyright (c) 2022-2026, macmpi
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -19,21 +19,22 @@ As with Alpine Linux initial bring-up, `root` account has no password initially.
 From there, actual system install can be performed as usual with `setup-alpine` for instance (check Alpine [wiki](https://wiki.alpinelinux.org/wiki/Alpine_setup_scripts#setup-alpine) for details).
 
 ## Extra configuration:
-Extra files may be added next to `headless.apkovl.tar.gz` to customise boostrapping configuration (check `sample_*` files):
+Extra files may be added next to `headless.apkovl.tar.gz` to customise boostrapping configuration (check [contribs](https://github.com/macmpi/alpine-linux-headless-bootstrap/tree/main/contribs) sample files):
 - `wpa_supplicant.conf`[^3] (*mandatory for wifi*): define wifi SSID, password and regulatory country [code](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2).
-- `unattended.sh`[^3] (*optional*): provide a deployment script to automate setup & customizations during initial bootstrap *(check users' contributed [samples](https://github.com/macmpi/alpine-linux-headless-bootstrap/discussions/categories/unattended-sh-samples) and share yours)*.
+- `unattended.sh`[^3] (*optional*): provide a deployment script to automate setup & customizations during initial bootstrap *(see [contribs](https://github.com/macmpi/alpine-linux-headless-bootstrap/tree/main/contribs) or users' contributed [samples](https://github.com/macmpi/alpine-linux-headless-bootstrap/discussions/categories/unattended-sh-samples) and share yours)*.
 - `interfaces`[^3] (*optional*): define network interfaces at will, if defaults DCHP-based are not suitable.
 - `authorized_keys` (*optional*): provide client's public SSH key to secure `root` ssh login.
 - `ssh_host_*_key*` (*optional*): provide server's custom ssh keys to be injected (may be stored), instead of using temporarily bundled ones[^4] (not stored). Providing an empty key file will trigger new keys generation (ssh server may take longer to start).
 - `opt-out` (*optional*): dummy file to opt-out internet features (connection status, version check, auto-update) and related links usage anonymous [telemetry](https://is.gd/privacy.php).
 - `auto-updt` (*optional*): enable automatic `headless.apkovl.tar.gz` file update with latest from master branch. If it contains `reboot` keyword all in one line, system will reboot after succesful update (unless ssh session is active or `unattended.sh` script is available).
 
-Main execution steps are logged: `cat /var/log/messages | grep headless`.
+Main execution steps are logged: `cat /var/log/messages | grep headless`.\
+For more details: `cat /tmp/alhb`.
 
 ## Seamless USB-gadget mode:
-Devices with UDC controller (*e.g., PiZero*) can expose the following features over USB port: serial console, ethernet interface and mass-storage
+Devices with UDC controller (*e.g., PiZero*) can expose the following features over USB port: serial console, ethernet interface and mass-storage.
 
-To enable them, make sure `dwc2` (or `dwc3`) driver is **previously loaded** on capable device, **and** configuration is set to **OTG peripheral** mode: depending on devices, this may be driven by hardware (including cable) and/or software.\
+To enable them, make sure `dwc2` (or `dwc3`) driver is **previously loaded** on device, **and** configuration is set to **OTG peripheral** mode: depending on devices, this may be driven by hardware (including cable) and/or software.\
 (e.g., on supporting Pi devices[^5], just add `dtoverlay=dwc2,dr_mode=peripheral` in `usercfg.txt` to force both by software)
 
 Plug USB cable into host Computer port before booting device.

sample_auto-updt contribs/auto-updtsample_auto-updt renamed to contribs/auto-updt

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Copyright 2022-2025, macmpi
+# SPDX-FileCopyrightText: Copyright 2022-2026, macmpi
 # SPDX-License-Identifier: MIT
 
 # Automated reboot after update is cancelled if:

sample_interfaces contribs/interfacessample_interfaces renamed to contribs/interfaces

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Copyright 2022-2025, macmpi
+# SPDX-FileCopyrightText: Copyright 2022-2026, macmpi
 # SPDX-License-Identifier: MIT
 
 # Sample network interfaces file

sample_unattended.sh contribs/unattended.shsample_unattended.sh renamed to contribs/unattended.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# SPDX-FileCopyrightText: Copyright 2022-2025, macmpi
+# SPDX-FileCopyrightText: Copyright 2022-2026, macmpi
 # SPDX-License-Identifier: MIT
 
 ## collection of few code snippets as sample unnatteded actions some may find usefull
@@ -11,19 +11,19 @@
 # only keep a single starting # on the line below
 ##NO_SSH
 
-# Uncomment to enable stdout and errors redirection to console (service won't show messages)
-# exec 1>/dev/console 2>&1
+# Uncomment to redirect stdout and errors to logfile as service won't show messages
+# exec 1>>/tmp/alhb 2>&1
 
 # shellcheck disable=SC2142  # known special case
 alias _logger='logger -st "${0##*/}"'
 
+
 ## Obvious one; reminder: is run as background service
 _logger "hello world !!"
 sleep 60
 _logger "Finished script"
-########################################################
-
 
+########################################################
 ## This snippet removes apkovl file on volume after initial boot
 # grab used ovl filename from dmesg
 ovl="$( dmesg | grep -o 'Loading user settings from .*:' | awk '{print $5}' | sed 's/:.*$//' )"
@@ -44,8 +44,6 @@ rm -f "${ovl}"
 _is_ro && mount -o remount,ro "${ovlpath}"
 
 ########################################################
-
-
 ## This snippet configures Minimal diskless environment
 # note: with INTERFACESOPTS=none, no networking will be setup so it won't work after reboot!
 # Change it or run setup-interfaces in interractive mode afterwards (and lbu commit -d thenafter)
@@ -68,7 +66,7 @@ cat <<-EOF > /tmp/ANSWERFILE
 	INTERFACESOPTS=none
 
 	# Set Public nameserver
-	DNSOPTS="-n 9.9.9.9"
+	DNSOPTS="-n 1.1.1.1"
 
 	# Set timezone to UTC
 	TIMEZONEOPTS="UTC"
@@ -77,7 +75,7 @@ cat <<-EOF > /tmp/ANSWERFILE
 	PROXYOPTS=none
 
 	# Add first mirror (CDN)
-	APKREPOSOPTS="-1"
+	APKREPOSOPTS="-1 -c"
 
 	# Do not create any user
 	USEROPTS=none

contribs/unattended_home-assistant.sh

@@ -0,0 +1,203 @@
+#!/bin/sh
+
+# SPDX-FileCopyrightText: Copyright 2025-2026, macmpi
+# SPDX-License-Identifier: MIT
+
+##  Install minimal sys-based Alpine with Home-assistant docker image (with tailscale and mosquitto)
+##  e.g., on 512MB PiZeroW (armhf), uses ~290MB RAM while running; leaves ~170MB RAM available
+##  PiZero2W should stick to 32bit (armv7) releases, as 512MB RAM is too tight for 64bit containers
+##  Home-Assistant 32bit last release is 2025.11.3 
+
+# HOW TO USE (Customize MY_xxxx values to your needs. Defaults are ok for Pi)
+# - prepare install media (Alpine 3.23 and later) as per Alpine wiki for your target hardware
+# - add headless.apkovl.tar.gz, this file (as unattended.sh) and wpa_supplicant.conf (if wifi) onto media
+# - boot machine, and let unattended install proceed & reboot (may be observed via root ssh login)
+# - after reboot, log-in as admin user via ssh (WARNING change default password in MY_PASS)
+# - execute: doas ./update_container.sh
+# - be patient as initial home-assistant image pull may take (very) long time, ~1h15 on PiZero
+# - then setup home-assistant from remote machine via Web interface (avoid logs to preserve SD)
+# - associate tailscale to your account info if needed for remote access (enabled by default)
+# - finetune mosquitto if needed (enabled by default, WARNING unsecured anonymous allowed on port 1883)
+
+## CUSTOMIZE values below to your needs
+MY_USER="alpine" # admin account user name
+MY_PASS="enipla" # password for that user
+MY_IFACE="wlan0" # network interface to be used; may be eth0, etc...(DHCP by default)
+MY_DISK="mmcblk0" # WARNING: this disk dev will be erased for good -- double-check!!
+MY_BOOT="${MY_DISK}p1" # dev partition for bootfs on related disk, usually 1st partition
+MY_ROOT="${MY_DISK}p2" # dev partition for rootfs related disk, may be 3rd if swap is present
+MY_ROOT_SIZE="$((6*2*1024))" # rootfs partition size in MB (allow twice the minimum size for containers updates)
+# set to false if willing to use none, or sibling containers (check availability for arch)
+NATIVE_TAILSCALE=true
+NATIVE_MQTT=true
+
+# Uncomment to redirect stdout and errors to logfile as service won't show messages
+# exec 1>>/tmp/alhb 2>&1
+
+# shellcheck disable=SC2142  # known special case
+alias _logger='logger -st "${0##*/}"'
+
+# Last Home Assistant docker image for 32-bit (armhf,armv7,x86) is tagged '2025.11.3' not 'stable'
+# https://www.home-assistant.io/blog/2025/06/11/release-20256/#deprecating-installation-methods-and-32-bit-architectures
+case "$(cat /etc/apk/arch)" in
+	armhf|armv7|x86) TAG="2025.11.3";;
+	aarch64|x86_64) TAG="stable";;
+	*) _logger "Unavailable container image! Exiting..."; exit 1;;
+esac
+
+# grab used ovl filename from dmesg
+ovl="$( dmesg | grep -o 'Loading user settings from .*:' | awk '{print $5}' | sed 's/:.*$//' )"
+if [ -f "${ovl}" ]; then
+	ovlpath="$( dirname "$ovl" )"
+else
+	# search path again as mountpoint have been changed later in the boot process...
+	ovl="$( basename "${ovl}" )"
+	ovlpath=$( find /media -maxdepth 2 -type d -path '*/.*' -prune -o -type f -name "${ovl}" -exec dirname {} \; | head -1 )
+	ovl="${ovlpath}/${ovl}"
+fi
+
+# Setup wifi if available
+if [ -e "$ovlpath/wpa_supplicant.conf" ]; then
+	apk add wpa_supplicant
+	cp "$ovlpath/wpa_supplicant.conf" /etc/wpa_supplicant/wpa_supplicant.conf
+	rc-update add wpa_supplicant boot
+	_logger "Wifi configured"
+fi
+
+_logger "Starting base sys disk installation"
+cat <<-EOF > /tmp/ANSWERFILE
+	KEYMAPOPTS=none
+	HOSTNAMEOPTS=home-assistant
+	DEVDOPTS=mdev
+	INTERFACESOPTS="auto lo
+	iface lo inet loopback
+
+	auto $MY_IFACE
+	iface $MY_IFACE inet dhcp
+	"
+	DNSOPTS=""
+	TIMEZONEOPTS=UTC
+	PROXYOPTS=none
+	APKREPOSOPTS="-1 -c"
+	USEROPTS="-a -u $MY_USER"
+	SSHDOPTS=openssh
+	NTPOPTS=chrony
+
+	export ERASE_DISKS=/dev/$MY_DISK
+	export ROOT_SIZE=$MY_ROOT_SIZE
+	DISKOPTS="-m sys /dev/$MY_DISK"
+	EOF
+
+SSH_CONNECTION="FAKE" setup-alpine -ef /tmp/ANSWERFILE
+
+# Prep install script for destination sys-based system
+_logger "Prepare sys-setup script"
+cat <<-EOF1 >/tmp/setup_homeassistant.sh
+	#!/bin/sh
+
+	echo "$MY_USER:$MY_PASS" | chpasswd
+	passwd -l root
+
+	apk update
+	apk upgrade --available
+
+	# On Pi, reclaim ~48MB more RAM for CPU (GPU minimal)
+	if grep -q "Raspberry Pi" /proc/device-tree/model 2>/dev/null; then
+		apk add raspberrypi-bootloader-cutdown
+		echo "gpu_mem=16" >> /boot/config.txt
+	fi
+
+	apk add bluez
+	rc-update add bluetooth default
+
+	apk add docker docker-compose
+	# TBD rootless config: https://wiki.alpinelinux.org/wiki/Docker#Docker_rootless
+#	adduser -G docker $MY_USER
+#	apk add docker-rootless-extras shadow-subids
+#	echo "# Sets config for Docker rootless >> /etc/rc.conf
+#	echo "rc_cgroup_mode=\"unified\"" >> /etc/rc.conf
+#	rc-update add cgroups default
+#	echo "$MY_USER:231072:65536" >> /etc/subuid
+#	echo "$MY_USER:231072:65536" >> /etc/subgid
+
+	rc-update add docker default
+
+	# admin account has home-assistant docker-related setup and config files
+	mkdir -p /home/$MY_USER/homeassistant # home-assistant config directory
+	chown $MY_USER /home/$MY_USER/homeassistant
+	cat <<-EOF2 >/home/$MY_USER/compose.yaml
+		services:
+		  homeassistant:
+		    image: ghcr.io/home-assistant/home-assistant:$TAG
+		    container_name: homeassistant
+		    privileged: true
+		    restart: unless-stopped
+		    network_mode: host
+		    environment:
+		      - TZ=Europe/Paris
+		      - PUID=$(id -u $MY_USER)
+		      - PGID=$(id -u $MY_USER)
+		      - UMASK=007
+		    volumes:
+		      - /run/dbus:/run/dbus:ro
+		      - /home/$MY_USER/homeassistant:/config
+		EOF2
+	chown $MY_USER /home/$MY_USER/compose.yaml
+
+	cat <<-EOF2 >/home/$MY_USER/update_container.sh
+		#!/bin/sh
+
+		! [ "$(id -u)" -eq 0 ] && { echo "Please run with administrator privileges." >&2; exit 1; }
+
+		echo "This may be (very) long...grab a coffee (or more)!"
+		docker-compose pull && \
+			docker-compose up -d && \
+			docker image prune -af
+		EOF2
+	chmod +x /home/$MY_USER/update_container.sh
+	chown $MY_USER /home/$MY_USER/update_container.sh
+
+	# Optional native add-on components (set install option accordingly)
+	if [ "$NATIVE_TAILSCALE" = "true" ]; then
+		apk add tailscale
+		# do not run as root
+		sed -i 's/^#command_user=.*/command_user=\"tailscale:tailscale\"/' /etc/conf.d/tailscale
+		rc-update add tailscale default
+	fi
+	if [ "$NATIVE_MQTT" = "true" ]; then
+		apk add mosquitto
+		# WARNING unsecured anonymous: add password file & disable anonymous
+		cat <<-EOF2 >>/etc/mosquitto/mosquitto.conf
+			allow_anonymous true
+			listener 1883
+			EOF2
+		rc-update add mosquitto default
+	fi
+
+	EOF1
+chmod +x /tmp/setup_homeassistant.sh
+
+_logger "Mounting new system for post-installation"
+mkdir -p /mnt/boot /mnt/tmp /mnt/dev /mnt/proc /mnt/sys
+mount /dev/$MY_ROOT /mnt
+mount /dev/$MY_BOOT /mnt/boot
+mount --bind /tmp /mnt/tmp
+mount --bind /dev /mnt/dev
+mount --bind /proc /mnt/proc
+mount --bind /sys /mnt/sys
+
+_logger "Running sys-setup script on disk-based system"
+chroot /mnt /tmp/setup_homeassistant.sh
+sync
+
+_logger "Cleaning up mounts"
+umount /mnt/sys
+umount /mnt/proc
+umount /mnt/dev
+umount /mnt/tmp
+umount /mnt/boot
+umount /mnt
+
+_logger "Finished unattended script - rebooting system"
+reboot
+