underpost 2.8.799 → 2.8.812

package/bin/deploy.js

@@ -27,6 +27,7 @@ import {
   setUpProxyMaintenanceServer,
   writeEnv,
   getUnderpostRootPath,
+  buildCliDoc,
 } from '../src/server/conf.js';
 import { buildClient } from '../src/server/client-build.js';
 import { range, s4, setPad, timer, uniqueArray } from '../src/client/components/core/CommonJs.js';
@@ -37,10 +38,10 @@ import { JSONweb } from '../src/server/client-formatted.js';
 
 import { Xampp } from '../src/runtime/xampp/Xampp.js';
 import { ejs } from '../src/server/json-schema.js';
-import { buildCliDoc } from '../src/cli/index.js';
 import { getLocalIPv4Address, ip } from '../src/server/dns.js';
 import { Downloader } from '../src/server/downloader.js';
 import colors from 'colors';
+import { program } from '../src/cli/index.js';
 
 colors.enable();
 
@@ -50,53 +51,139 @@ logger.info('argv', process.argv);
 
 const [exe, dir, operator] = process.argv;
 
-const updateVirtualRoot = async ({ nfsHostPath, IP_ADDRESS, ipaddr }) => {
-  const steps = [
+const updateVirtualRoot = async ({ IP_ADDRESS, architecture, host, nfsHostPath, ipaddr, update, gatewayip }) => {
+  // <consumer_key>:<consumer_token>:<secret>
+  const MAAS_API_TOKEN = shellExec(`maas apikey --username ${process.env.MAAS_ADMIN_USERNAME}`, {
+    stdout: true,
+  }).trim();
+  const [consumer_key, consumer_token, secret] = MAAS_API_TOKEN.split(`\n`)[0].split(':');
+  const chronyConfPath = `/etc/chrony/chrony.conf`;
+  const timezone = 'America/New_York';
+  const timeZoneSteps = [
+    `apt-get update`,
+
+    `export DEBIAN_FRONTEND=noninteractive`,
+
+    `ln -fs /usr/share/zoneinfo/${timezone} /etc/localtime`,
+
+    `DEBIAN_FRONTEND=noninteractive apt-get install -y tzdata`,
+    `dpkg-reconfigure --frontend noninteractive tzdata`,
+  ];
+  const keyboardSteps = [
+    `sudo locale-gen en_US.UTF-8`,
+    `sudo update-locale LANG=en_US.UTF-8`,
+    `sudo sed -i 's/XKBLAYOUT="us"/XKBLAYOUT="es"/' /etc/default/keyboard`,
+    `sudo dpkg-reconfigure --frontend noninteractive keyboard-configuration`,
+    `sudo systemctl restart keyboard-setup.service`,
+  ];
+  // #  - ${JSON.stringify([...timeZoneSteps, ...chronySetUp(chronyConfPath)])}
+  const installSteps = [
     `apt update`,
+    `apt install -y cloud-init systemd-sysv openssh-server sudo locales udev util-linux systemd-sysv iproute2 netplan.io ca-certificates curl wget chrony ntpdate keyboard-configuration`,
     `ln -sf /lib/systemd/systemd /sbin/init`,
-    // `sudo apt install linux-modules-extra-6.8.0-31-generic`,
-    `apt install -y sudo`,
-    `apt install -y ntp`,
-    `apt install -y openssh-server`,
-    `apt install -y iptables`,
-    `update-alternatives --set iptables /usr/sbin/iptables-legacy`,
-    `update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy`,
-    `apt install -y locales`,
-    `apt install -y cloud-init`,
-    `mkdir -p /var/lib/cloud`,
-    `chown -R root:root /var/lib/cloud`,
-    `chmod -R 0755 /var/lib/cloud`,
+
+    `echo 'deb http://ports.ubuntu.com/ubuntu-ports noble main restricted universe multiverse
+deb http://ports.ubuntu.com/ubuntu-ports noble-updates main restricted universe multiverse
+deb http://ports.ubuntu.com/ubuntu-ports noble-security main restricted universe multiverse
+
+# Uncomment the following lines if you also need source packages (for building from source)
+# deb-src http://ports.ubuntu.com/ubuntu-ports noble main restricted universe multiverse
+# deb-src http://ports.ubuntu.com/ubuntu-ports noble-updates main restricted universe multiverse
+# deb-src http://ports.ubuntu.com/ubuntu-ports noble-security main restricted universe multiverse
+' > /etc/apt/sources.list`,
+    `apt update`,
+    `apt -y full-upgrade`,
+    // `apt install -y cloud-init=25.1.2-0ubuntu0~24.04.1`,
+
+    `systemctl enable ssh`,
+
+    `apt update -qq`,
+    `apt install -y xinput x11-xkb-utils usbutils`,
+
+    // `date -s "${shellExec(`date '+%Y-%m-%d %H:%M:%S'`, { stdout: true }).trim()}"`,
+    // `date`,
+
+    ...timeZoneSteps,
+    ...chronySetUp(chronyConfPath),
+    ...keyboardSteps,
+
+    // Create root user
+    `useradd -m -s /bin/bash -G sudo root`,
+    `echo 'root:root' | chpasswd`,
     `mkdir -p /home/root/.ssh`,
     `echo '${fs.readFileSync(
       `/home/dd/engine/engine-private/deploy/id_rsa.pub`,
       'utf8',
-    )}' >> /home/root/.ssh/authorized_keys`,
+    )}' > /home/root/.ssh/authorized_keys`,
+    `chown -R root /home/root/.ssh`,
     `chmod 700 /home/root/.ssh`,
     `chmod 600 /home/root/.ssh/authorized_keys`,
-    `systemctl enable ssh`,
-    `systemctl enable ntp`,
-    `apt install -y linux-generic-hwe-24.04`,
-    `modprobe ip_tables`,
+  ];
+
+  let steps = [
+    // Configure cloud-init for MAAS
     `cat <<EOF_MAAS_CFG > /etc/cloud/cloud.cfg.d/90_maas.cfg
+#cloud-config
+
+hostname: ${host}
+# fqdn: server01.midominio.cl
+# prefer_fqdn_over_hostname: true
+# metadata_url: http://${IP_ADDRESS}:5240/MAAS/metadata
+# metadata_url: http://${IP_ADDRESS}:5248/MAAS/metadata
+
+# Check:
+# /MAAS/metadata/latest/enlist-preseed/?op=get_enlist_preseed
+
+# Debug:
+# https://maas.io/docs/how-to-use-logging
+
 datasource_list: [ MAAS ]
 datasource:
   MAAS:
-    metadata_url: http://${IP_ADDRESS}:5248/MAAS/metadata
+    metadata_url: http://${IP_ADDRESS}:5240/MAAS/metadata
+    consumer_key: ${consumer_key}
+    token_key: ${consumer_token}
+    token_secret: ${secret}
 users:
-  - name: ${process.env.MAAS_ADMIN_USERNAME}
+  - name: rpiadmin
+    sudo: ['ALL=(ALL) NOPASSWD:ALL']
+    shell: /bin/bash
+    lock_passwd: true
     ssh_authorized_keys:
       - ${fs.readFileSync(`/home/dd/engine/engine-private/deploy/id_rsa.pub`, 'utf8')}
-    sudo: "ALL=(ALL) NOPASSWD:ALL"
-    groups: sudo
-    shell: /bin/bash
+
+
+# keyboard:
+#   layout: es
+
+  
+# check timedatectl on host
+# timezone: America/Santiago
+timezone: ${timezone}
+
+ntp:
+  enabled: true
+  servers:
+    - ${IP_ADDRESS}
+  ntp_client: chrony
+  config:
+    confpath: ${chronyConfPath}
+    packages:
+      - chrony
+    service_name: chrony
+
+# ssh:
+#   allow-pw: false
+#   install-server: true
+
+# ssh_pwauth: false
+
+package_update: true
+package_upgrade: true
 packages:
   - git
   - htop
-  - ufw
-# package_update: true
-runcmd:
-  - ufw enable
-  - ufw allow ssh
+  - snapd
 resize_rootfs: false
 growpart:
   mode: off
@@ -104,26 +191,141 @@ network:
   version: 2
   ethernets:
     ${process.env.RPI4_INTERFACE_NAME}:
-        dhcp4: true
+        dhcp4: false
         addresses:
           - ${ipaddr}/24
+        routes:
+          - to: default
+            via: ${gatewayip}
+
+# chpasswd:
+#   expire: false
+#   users:
+#   - {name: rpiadmin, password: changeme, type: text}
+
+final_message: "The system is up, after $UPTIME seconds"
+
+# power_state:
+#   mode: reboot
+#   message: Rebooting after initial setup
+#   timeout: 30
+#   condition: True
+bootcmd:
+  - echo "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -"
+  - echo "Init bootcmd"
+  - echo "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -"
+  - ntpdate -u ${IP_ADDRESS} || ntpdate -u ${process.env.MAAS_NTP_SERVER}
+runcmd:
+  - echo "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -"
+  - echo "Init runcmd"
+  - echo "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -"
 EOF_MAAS_CFG`,
   ];
 
-  shellExec(`sudo chroot ${nfsHostPath} /usr/bin/qemu-aarch64-static /bin/bash <<'EOF'
-${steps
-  .map(
-    (s, i) => `echo "step ${i + 1}/${steps.length}: ${s.split('\n')[0]}"
-${s}
-`,
-  )
-  .join(``)}
+  const runSteps = (steps = []) => {
+    const script = steps
+      .map(
+        (s, i) => `echo "step ${i + 1}/${steps.length}: ${s.split('\n')[0]}"
+${s}`,
+      )
+      .join('\n');
+
+    const cmd = `sudo chroot ${nfsHostPath} /usr/bin/qemu-aarch64-static /bin/bash <<'EOF_OUTER'
+${script}
+EOF_OUTER`;
+
+    shellExec(cmd);
+  };
+
+  if (update) {
+    // --reboot
+    shellExec(`sudo chroot ${nfsHostPath} /usr/bin/qemu-aarch64-static /bin/bash <<'EOF'
+sudo cloud-init clean --logs --seed --configs all --machine-id
+sudo rm -rf /var/lib/cloud/*
 EOF`);
 
-  shellExec(`sudo chroot ${nfsHostPath} /usr/bin/qemu-aarch64-static /bin/bash <<'EOF'
+    if (fs.existsSync(`${nfsHostPath}/var/log/`)) {
+      fs.writeFileSync(`${nfsHostPath}/var/log/cloud-init.log`, '', 'utf8');
+      fs.writeFileSync(`${nfsHostPath}/var/log/cloud-init-output.log`, '', 'utf8');
+    }
+
+    runSteps(steps);
+  } else {
+    runSteps(installSteps.concat(steps));
+
+    shellExec(`sudo chroot ${nfsHostPath} /usr/bin/qemu-aarch64-static /bin/bash <<'EOF'
 echo "nameserver ${process.env.MAAS_DNS}" | tee /etc/resolv.conf > /dev/null
 apt update
 EOF`);
+    fs.writeFileSync(
+      `${nfsHostPath}/dns.sh`,
+      `rm /etc/resolv.conf
+echo 'nameserver 8.8.8.8' > /run/systemd/resolve/stub-resolv.conf
+ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf`,
+      'utf8',
+    );
+  }
+};
+
+const chronySetUp = (path) => {
+  return [
+    `echo '
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (http://www.pool.ntp.org/join.html).
+# pool 2.pool.ntp.org iburst
+server ${process.env.MAAS_NTP_SERVER} iburst
+
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
+
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+makestep 1.0 3
+
+# Enable kernel synchronization of the real-time clock (RTC).
+rtcsync
+
+# Enable hardware timestamping on all interfaces that support it.
+#hwtimestamp *
+
+# Increase the minimum number of selectable sources required to adjust
+# the system clock.
+#minsources 2
+
+# Allow NTP client access from local network.
+#allow 192.168.0.0/16
+
+# Serve time even if not synchronized to a time source.
+#local stratum 10
+
+# Specify file containing keys for NTP authentication.
+keyfile /etc/chrony.keys
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+leapsectz right/UTC
+
+# Specify directory for log files.
+logdir /var/log/chrony
+
+# Select which information is logged.
+#log measurements statistics tracking
+' > ${path} `,
+    `sudo systemctl stop chronyd`,
+
+    // `chronyd -q 'server 0.europe.pool.ntp.org iburst'`,
+    `chronyd -q 'server ntp.ubuntu.com iburst'`,
+
+    `sudo systemctl enable --now chronyd`,
+    `sudo systemctl restart chronyd`,
+    `sudo systemctl status chronyd`,
+
+    `chronyc sources`,
+    `chronyc tracking`,
+    // sudo firewall-cmd --add-service=ntp --permanent
+    // sudo firewall-cmd --reload
+
+    `chronyc sourcestats -v`,
+  ];
 };
 
 try {
@@ -1158,7 +1360,7 @@ EOF`);
     }
 
     case 'cli-docs': {
-      buildCliDoc();
+      buildCliDoc(program);
       break;
     }
 
@@ -1210,12 +1412,63 @@ EOF`);
       break;
     }
 
+    case 'postgresql-17': {
+      if (process.argv.includes('install')) {
+        shellExec(`sudo dnf module reset postgresql -y`);
+        shellExec(`sudo dnf -qy module disable postgresql`);
+        shellExec(
+          `sudo dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm`,
+        );
+        shellExec(`sudo dnf -qy module disable postgresql`);
+        shellExec(`sudo dnf install -y postgresql17 postgresql17-server postgresql17-contrib`);
+
+        shellExec(`sudo /usr/pgsql-17/bin/postgresql-17-setup initdb`);
+      }
+      if (process.argv.includes('uninstall')) {
+        shellExec(`sudo systemctl stop postgresql-17`);
+        shellExec(`sudo systemctl disable postgresql-17`);
+
+        // Remove PostgreSQL 17 packages and repo
+        shellExec(`sudo dnf remove -y postgresql17 postgresql17-server postgresql17-contrib`);
+        shellExec(`sudo rpm -e pgdg-redhat-repo-$(rpm -q pgdg-redhat-repo --qf '%{VERSION}-%{RELEASE}') || true`);
+        shellExec(`sudo rm -f /etc/yum.repos.d/pgdg-redhat-*.repo`);
+
+        // Clean up data, logs, config, and the postgres user
+        shellExec(`sudo rm -rf /var/lib/pgsql/17 /var/log/pgsql`);
+        shellExec(`sudo rm -rf /etc/postgresql`);
+      } else {
+        shellExec(`sudo systemctl enable postgresql-17`);
+        shellExec(`sudo systemctl start postgresql-17`);
+      }
+      break;
+    }
+
     case 'postgresql-14': {
-      shellExec(`sudo /usr/pgsql-14/bin/postgresql-14-setup initdb`);
-      shellExec(`sudo systemctl start postgresql-14`);
-      shellExec(`sudo systemctl enable postgresql-14`);
-      shellExec(`sudo systemctl status postgresql-14`);
-      // sudo dnf install postgresql14-contrib
+      if (process.argv.includes('install')) {
+        shellExec(`sudo dnf module reset postgresql -y`);
+        shellExec(`sudo dnf -qy module disable postgresql`);
+
+        shellExec(`sudo systemctl stop postgresql-14`);
+        shellExec(`sudo systemctl disable postgresql-14`);
+
+        shellExec(`sudo dnf remove -y postgresql14 postgresql14-server postgresql14-contrib`);
+        shellExec(`sudo rm -rf /var/lib/pgsql`);
+
+        shellExec(`sudo dnf install postgresql14 postgresql14-server postgresql14-contrib -y`);
+      }
+      if (process.argv.includes('uninstall')) {
+        shellExec(`sudo systemctl stop postgresql-14`);
+        shellExec(`sudo systemctl disable postgresql-14`);
+        shellExec(`sudo dnf remove -y postgresql14 postgresql14-server postgresql14-contrib`);
+        shellExec(`sudo rm -rf /var/lib/pgsql /var/log/pgsql /etc/postgresql`);
+      } else {
+        shellExec(`sudo /usr/pgsql-14/bin/postgresql-14-setup initdb`);
+        shellExec(`sudo systemctl start postgresql-14`);
+        shellExec(`sudo systemctl enable postgresql-14`);
+        shellExec(`sudo systemctl status postgresql-14`);
+        // sudo dnf install postgresql14-contrib
+      }
+
       break;
     }
 
@@ -1252,6 +1505,9 @@ EOF`);
     }
 
     case 'maas': {
+      shellExec(
+        `underpost secret underpost --create-from-file /home/dd/engine/engine-private/conf/dd-cron/.env.production`,
+      );
       dotenv.config({ path: `${getUnderpostRootPath()}/.env`, override: true });
       const IP_ADDRESS = getLocalIPv4Address();
       const serverip = IP_ADDRESS;
@@ -1260,6 +1516,13 @@ EOF`);
       const netmask = process.env.NETMASK;
       const gatewayip = process.env.GATEWAY_IP;
 
+      const machineFactory = (m) => ({
+        system_id: m.interface_set[0].system_id,
+        mac_address: m.interface_set[0].mac_address,
+        hostname: m.hostname,
+        status_name: m.status_name,
+      });
+
       let resources;
       try {
         resources = JSON.parse(
@@ -1276,13 +1539,6 @@ EOF`);
         logger.error(error);
       }
 
-      const machineFactory = (m) => ({
-        system_id: m.interface_set[0].system_id,
-        mac_address: m.interface_set[0].mac_address,
-        hostname: m.hostname,
-        status_name: m.status_name,
-      });
-
       let machines;
       try {
         machines = JSON.parse(
@@ -1295,6 +1551,25 @@ EOF`);
         logger.error(error);
       }
 
+      if (process.argv.includes('ls')) {
+        shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} boot-sources read`);
+        shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} commissioning-scripts read`);
+        // shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} boot-source-selections read 60`);
+        logger.info('Resources');
+        console.table(resources);
+        logger.info('Machines');
+        console.table(machines);
+        process.exit(0);
+      }
+
+      if (process.argv.includes('config')) {
+        shellExec(`sudo sed -i 's/^#Storage=auto/Storage=volatile/' /etc/systemd/journald.conf`);
+        shellExec(`sudo systemctl daemon-reload`);
+        shellExec(`sudo systemctl restart systemd-journald`);
+        shellExec(`journalctl --disk-usage`);
+        process.exit(0);
+      }
+
       if (process.argv.includes('db')) {
         // DROP, ALTER, CREATE, WITH ENCRYPTED
         // sudo -u <user> -h <host> psql <db-name>
@@ -1315,20 +1590,13 @@ EOF`);
         shellExec(`sudo -i -u postgres createdb -O "$DB_PG_MAAS_USER" "$DB_PG_MAAS_NAME"`);
 
         shellExec(`sudo -i -u postgres psql -c "\\l"`);
-      }
-
-      if (process.argv.includes('ls')) {
-        shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} boot-sources read`);
-        shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} commissioning-scripts read`);
-        // shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} boot-source-selections read 60`);
-        console.table(resources);
-        console.table(machines);
         process.exit(0);
       }
 
       // TODO: - Disable maas proxy (egress forwarding to public dns)
+      //       - Configure maas dhcp control server
       //       - Configure maas dns forwarding ${process.env.MAAS_DNS}
-      //       - Enable DNSSEC validation of upstream zones: Automatic (use default root key)
+      //       - Disable DNSSEC validation to No (Disable DNSSEC; useful when upstream DNS is misconfigured)
 
       if (process.argv.includes('clear')) {
         for (const machine of machines) {
@@ -1370,35 +1638,23 @@ EOF`);
         pbcopy(cmd);
         process.exit(0);
       }
-      if (process.argv.includes('dhcp')) {
-        const snippets = JSON.parse(
-          shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} dhcpsnippets read`, {
-            stdout: true,
-            silent: true,
-            disableLog: true,
-          }),
-        );
-        for (const snippet of snippets) {
-          switch (snippet.name) {
-            case 'arm64':
-              snippet.value = snippet.value.split(`\n`);
-              snippet.value[1] = `          filename "http://${IP_ADDRESS}:5248/images/bootloaders/uefi/arm64/grubaa64.efi";`;
-              snippet.value[5] = `          filename "http://${IP_ADDRESS}:5248/images/bootloaders/uefi/arm64/grubaa64.efi";`;
-              snippet.value = snippet.value.join(`\n`);
-              shellExec(
-                `maas ${process.env.MAAS_ADMIN_USERNAME} dhcpsnippet update ${snippet.name} value='${snippet.value}'`,
-              );
-              break;
 
-            default:
-              break;
-          }
+      if (process.argv.includes('restart')) {
+        shellExec(`sudo snap restart maas.pebble`);
+        let secs = 0;
+        while (
+          !(
+            shellExec(`maas status`, { silent: true, disableLog: true, stdout: true })
+              .split(' ')
+              .filter((l) => l.match('inactive')).length === 1
+          )
+        ) {
+          await timer(1000);
+          console.log(`Waiting... (${++secs}s)`);
         }
-
-        console.log(snippets);
-
         process.exit(0);
       }
+
       // shellExec(`MAAS_ADMIN_USERNAME=${process.env.MAAS_ADMIN_USERNAME}`);
       // shellExec(`MAAS_ADMIN_EMAIL=${process.env.MAAS_ADMIN_EMAIL}`);
       // shellExec(`maas createadmin --username $MAAS_ADMIN_USERNAME --email $MAAS_ADMIN_EMAIL`);
@@ -1509,7 +1765,6 @@ EOF`);
 
       switch (process.argv[3]) {
         case 'rpi4mb':
-          const resourceId = process.argv[4] ?? '39';
           tftpSubDir = '/rpi4mb';
           zipFirmwareFileName = `RPi4_UEFI_Firmware_v1.41.zip`;
           zipFirmwareName = zipFirmwareFileName.split('.zip')[0];
@@ -1521,7 +1776,7 @@ EOF`);
             await Downloader(zipFirmwareUrl, `../${zipFirmwareFileName}`);
             shellExec(`cd .. && mkdir ${zipFirmwareName} && cd ${zipFirmwareName} && unzip ../${zipFirmwareFileName}`);
           }
-          resource = resources.find((o) => o.id == resourceId);
+          resource = resources.find((o) => o.architecture === 'arm64/ga-24.04' && o.name === 'ubuntu/noble');
           name = resource.name;
           architecture = resource.architecture;
           resource = resources.find((o) => o.name === name && o.architecture === architecture);
@@ -1594,13 +1849,48 @@ EOF`);
             // 'boot=casper',
             // 'ro',
             'netboot=nfs',
-            `cloud-config-url=/dev/null`,
+            `init=/sbin/init`,
+            // `cloud-config-url=/dev/null`,
             // 'ip=dhcp',
             // 'ip=dfcp',
             // 'autoinstall',
             // 'rd.break',
           ];
 
+          // TODO: use autoinstall cloud-config-url=http://<MAAS_IP>:5240/MAAS/metadata/latest
+          // #cloud-config
+          // autoinstall:
+          //   version: 1
+
+          //   keyboard:
+          //     layout: es
+          //     variant: latinamerican
+
+          //   identity:
+          //     hostname: rpi4
+          //     username: rpiadmin
+          //     password: "{{PASSWORD}}"
+
+          //   ssh:
+          //     install-server: true
+          //     allow-pw: true
+          //     authorized-keys:
+          //       - "{{SSH_KEY}}"
+
+          //   locale: es_ES.UTF-8
+          //   timezone: America/Santiago
+
+          //   packages:
+          //     - cloud-init
+          //     - systemd-sysv
+          //     - openssh-server
+          //     - sudo
+          //     - udev
+          //     - netplan.io
+
+          //   late-commands:
+          //     - curtin in-target --target=/target ln -sf /lib/systemd/systemd /sbin/init
+
           nfsConnectStr = cmd.join(' ');
           bootConf = `[all]
 MAC_ADDRESS=00:00:00:00:00:00
@@ -1618,7 +1908,8 @@ DHCP_TIMEOUT=45000
 DHCP_REQ_TIMEOUT=4000
 TFTP_FILE_TIMEOUT=30000
 BOOT_ORDER=0x21`;
-
+          // CLIENT_IP=${ipaddr}
+          // SUBNET=255.255.255.0
           break;
 
         default:
@@ -1635,21 +1926,6 @@ BOOT_ORDER=0x21`;
 
       shellExec(`node bin/deploy nfs`);
 
-      if (process.argv.includes('restart')) {
-        shellExec(`sudo snap restart maas.pebble`);
-        let secs = 0;
-        while (
-          !(
-            shellExec(`maas status`, { silent: true, disableLog: true, stdout: true })
-              .split(' ')
-              .filter((l) => l.match('inactive')).length === 1
-          )
-        ) {
-          await timer(1000);
-          console.log(`Waiting... (${++secs}s)`);
-        }
-      }
-
       switch (process.argv[3]) {
         case 'rpi4mb':
           {
@@ -1815,9 +2091,13 @@ BOOT_ORDER=0x21`;
             newMachine = machineFactory(JSON.parse(newMachine));
             machines.push(newMachine);
             console.log(newMachine);
-            shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} machine commission ${newMachine.system_id}`, {
-              silent: true,
-            });
+            // commissioning_scripts=90-verify-user.sh
+            shellExec(
+              `maas ${process.env.MAAS_ADMIN_USERNAME} machine commission ${newMachine.system_id} enable_ssh=1 skip_bmc_config=1 skip_networking=1 skip_storage=1`,
+              {
+                silent: true,
+              },
+            );
           } catch (error) {
             logger.error(error, error.stack);
           }
@@ -1919,12 +2199,15 @@ udp-port = 32766
       const host = process.argv[4];
       const nfsHostPath = `${process.env.NFS_EXPORT_PATH}/${host}`;
       const ipaddr = process.env.RPI4_IP;
+      const gatewayip = process.env.GATEWAY_IP;
       await updateVirtualRoot({
         IP_ADDRESS,
         architecture,
         host,
         nfsHostPath,
         ipaddr,
+        update: true,
+        gatewayip,
       });
       break;
     }
@@ -1934,6 +2217,7 @@ udp-port = 32766
       const architecture = process.argv[3];
       const host = process.argv[4];
       const nfsHostPath = `${process.env.NFS_EXPORT_PATH}/${host}`;
+      const gatewayip = process.env.GATEWAY_IP;
       shellExec(`sudo dnf install -y iptables-legacy`);
       shellExec(`sudo dnf install -y debootstrap`);
       shellExec(`sudo dnf install kernel-modules-extra-$(uname -r)`);
@@ -1963,7 +2247,7 @@ udp-port = 32766
               `--arch=arm64`,
               `--variant=minbase`,
               `--foreign`, // arm64 on amd64
-              `noble`,
+              [`noble`, `jammy`][0],
               nfsHostPath,
               `http://ports.ubuntu.com/ubuntu-ports/`,
             ];
@@ -1995,8 +2279,10 @@ EOF`);
       }
       if (process.argv.includes('mount')) {
         shellExec(`sudo mount --bind /proc ${nfsHostPath}/proc`);
-        shellExec(`sudo mount --bind /sys  ${nfsHostPath}/sys`);
-        shellExec(`sudo mount --rbind /dev  ${nfsHostPath}/dev`);
+        shellExec(`sudo mount --bind /sys ${nfsHostPath}/sys`);
+        shellExec(`sudo mount --rbind /dev ${nfsHostPath}/dev`);
+        shellExec(`sudo mount --rbind /dev/pts ${nfsHostPath}/dev/pts`);
+        shellExec(`sudo mount --bind /run ${nfsHostPath}/run`);
       }
 
       if (process.argv.includes('build')) {
@@ -2010,6 +2296,7 @@ EOF`);
               host,
               nfsHostPath,
               ipaddr,
+              gatewayip,
             });
 
             break;
@@ -2031,7 +2318,9 @@ EOF`);
       const nfsHostPath = `${process.env.NFS_EXPORT_PATH}/${host}`;
       shellExec(`sudo umount ${nfsHostPath}/proc`);
       shellExec(`sudo umount ${nfsHostPath}/sys`);
+      shellExec(`sudo umount ${nfsHostPath}/dev/pts`);
       shellExec(`sudo umount ${nfsHostPath}/dev`);
+      shellExec(`sudo umount ${nfsHostPath}/run`);
       // shellExec(`sudo umount ${nfsHostPath}/lib/modules`);
       break;
     }
@@ -2425,6 +2714,14 @@ nvidia/gpu-operator \
       // sudo yum install sbt
       break;
     }
+
+    case 'chrony': {
+      shellExec(`sudo dnf install chrony -y`);
+      // debian chroot: sudo apt install chrony
+      for (const cmd of chronySetUp(`/etc/chrony.conf`)) shellExec(cmd);
+
+      break;
+    }
   }
 } catch (error) {
   logger.error(error, error.stack);