Updated readme; Conditionalized sshd installation

README.md

@@ -1,107 +1,122 @@
 # Gentoo installation script
 
-TODO clarify:
+This script performs a reasonably minimal installation of gentoo for an EFI system.
+It does everything from the ground up, including creating partitions, downloading
+and extracting the stage3 archive, initial system configuration and optionally installing
+some additional software. The script only supports OpenRC and not systemd.
 
-* /boot will not be mounted to efi partition, instead /boot/efi ist the mountpoint.
-  this prevents /boot from getting full by automated installs, and allows the kernel
-  script to keep exactly two versions (last working kernel), and new one.
-* kernel without module loading capability for security. localyesconfig
+The system will temporarily use `sys-kernel/vanilla-kernel-bin`, which should be suitable
+to boot most systems out of the box. I strongly recommend you to replace this kernel
+with a custom built one, when the system is functional. If you are looking for a way
+to properly manage your kernel configuration parameters, have a look at [kernconf](https://github.com/oddlama/kernconf).
+There you will also find information on how to select the correct options for your system,
+and information on kernel hardening.
 
+## Overview
 
-Recommendations:
+Here is a quick overview of what this script does:
 
-* Use umask 0077
-* Edit sshd_config, change port and create a sshusers group for users which may use ssh.
-* Use LUKS encryption on the disk
-* Use a properly configured kernel, at best restrict even USB!
-* Adjust make.conf (default parallel emerge, cpu flags, binhost?)
+* Does everything minus something
+* Partition the device (efi, optional swap, linux root)
+* Download and cryptographically verify the newest stage3 tarball
+* Extract the stage3 tarball
+* Sync portage tree
+* Configure the base system
+  - Set hostname
+  - Set timezone
+  - Set keymap
+  - Generate and select locale
+  - Prepare `zz-autounmask` files for portage autounmasking
+* Select best 4 gentoo portage mirrors
+* Install git (so you can add your portage overlays later)
+* Install `sys-kernel/vanilla-kernel-bin` (temporarily, until you replace it)
+* Copy kernel to efi partition
+* Create boot entry using efibootmgr
+* Generate fstab
+* Lets you set a root password
 
+Also, optionally the following will be done:
 
-**TL;DR:** Installs gentoo on a new system, suited for both servers and desktops.
-Optionally prepares ansible for automatic system configuration.
-See [Install](#Install) for usage instructions.
+* Install sshd with secure config
+* Install dhcpcd
+* Install ansible, create ansible user and add authorized ssh key
+* Install additional packages provided in config
 
----
+Anything else is probably out of scope for this script,
+but you can obviously do anything later on when the system is booted.
+I highly recommend building a custom kernel and maybe encrypting your
+root filesystem. Have a look at the [Recommendations](#Recommendations) section.
 
-This script will install a minimal EFI bootable gentoo system, without additional bloat.
-It will stick closely to the [Gentoo AMD64 Handbook](https://wiki.gentoo.org/wiki/Handbook:AMD64)
-and [Sakaki's EFI Install Guide](https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide).
+## Config
 
-What you will get:
+The config file `scripts/config.sh` allows you to adjust some parameters of the installation.
+The most important ones will probably be the device to partition, and the stage3 tarball name
+to install. By default you will get hardened nomultilib
 
-* Minimal system configuration
-* Temporary vanilla kernel (precompiled by gentoo), in my opinion you
-  should replace this kernel with a custom made kernel for your system.
-  See [Kernel](#Kernel) for details on how to achieve that with low effort.
+### Using existing partitions
+ 
+If you want to use existing partitions, you will have to set `ENABLE_PARTITIONING=false`.
+As the script uses uuids to refer to partitions, you will have to set the corresponding
+partition uuid variables in the config (all variables beginning with `PARTITION_UUID_`).
 
-What you can get optionally:
+## (Optional) sshd
 
-* LUKS
-* EFI secure boot
-* Initramfs (compiled into the kernel for EFIstub)
-* Preconfigured sshd
-* Ansible ready (packages, user, ssh)
-* Additional packages of your choice (only trivial installations without use flag changes)
+The script can provide a fully configured ssh daemon with reasonably good security settings.
+It will by default only allow ed25519 keys, restrict the key exchange algorithms, disable
+any password based authentication, and only allow specifically mentioned users to use ssh
+(none by default).
 
-What you will **NOT** get: (i.e. you will have to do it yourself)
+To add a user to the list of allowed users, append `AllowUsers myuser` to `/etc/ssh/sshd_config`.
+I recommend to create a separate group for all ssh users (like `sshusers`) and
+to use `AllowGroups sshusers`. You should adjust this to your preferences when
+the system is installed.
 
-* X11 desktop environment
-* A user for yourself (except `root` obviously)
-* Any form of RAID
-* A specialized kernel, see [Kernel](#Kernel) for details on how to get one.
+## (Optional) Ansible
 
-Only necessary configuration is applied to provide a common baseline system.
-If you need advanced features such as an initramfs or a different
-partitioning scheme, you can definitely use this script but will
-have to make some adjustments to it.
+This script can install ansible, create a system user for ansible and add an ssh key of
+you choice to the `.authorized_keys` file. This allows you to directly use ansible when
+the new system is up to configure the rest of the system.
 
-The main purpose of this script is to provide a universal setup
-which should be suitable for most use-cases (desktop and server installations).
+## (Optional) Additional packages
 
-#### Overview of executed tasks
+You can enter any amount of additional packages to be installed on the target system.
+These will simply be passed to a final `emerge` call before the script is done.
+Autounmasking will be done automatically.
 
-* Check live system
-* Sync time
-* Partition disks
-* Format partitions
-* Download stage3
-* Extract stage3
-* Chroot into new system
-* Update portage tree
-* ... TODO MISSING!
+# Install
 
-#### GPT
+Installing gentoo with this script is simple.
 
-The script will create GPT partition tables. If your system cannot use GPT,
-this script is not suited for it.
+1. Boot into the live system of your choice. As the script requires some utilities,
+   I recommend using a live system where you can quickly install new software.
+   Any [Arch Linux](https://www.archlinux.org/download/) live iso works fine.
+2. Clone this repository
+3. Edit `gentoo-bootstrap/scripts/config.sh`, and particularily pay attention to
+   the device which will be partitioned. The script will ask before partitioning,
+   but better be safe than sorry.
+4. Execute `bash gentoo-bootstrap/install`. The script will tell you if your live
+   system is missing any required software.
 
-#### EFI
+# Recommendations
 
-It is assumed that your system can (and will) be booted via EFI.
-This is not a strict requirement, but otherwise you will be responsible
-to make the system bootable.
+There are some things that you probably want to do after installing the base system,
+or should consider:
 
-This probably involves the following steps:
-
-* Change partition type of `efi` partition to `ef02` (BIOS boot partition)
-* Change partition name and filesystem name to `boot`
-* Install and configure syslinux
-* Adjust make.conf
-
-Maybe there will be a convenience script for this at some point.
-No promises though.
-
-# Optional: Ansible ready
-
-Optionally, this script can make the new system ready to be
-used with ansible.
-
-It will do the following steps for you:
-
-* Create an ansible user
-* Generate an ssh keypair (type configurable)
-* Setup a secure sshd (safe ciphers, login only with keypair)
-* Install ansible
+* Use a custom kernel (config and hardening, see [kernconf](https://github.com/oddlama/kernconf)), and remove `vanilla-kernel-bin`
+* Adjust `/etc/portage/make.conf`
+  - Set `CFLAGS` to `-O2 -pipe -march=native` for native builds
+  - Set `CPU_FLAGS_X86` using the `cpuid2cpuflags` tool
+  - Set `MAKEOPTS` to `-jN` with N being the amount of threads used for building
+  - Set `EMERGE_DEFAULT_OPTS` to `-jN` if you want parallel emerging
+  - Set `FEATURES="buildpkg"` if you want to build binary packages
+* Use a safe umask like `umask 0077`
+* Edit `/etc/ssh/sshd_config`, change the port and create a `sshusers` group.
+* Encrypt your system using LUKS
+  - Remount the root fs read-only
+  - Use `rsync -axHAWXS --numeric-ids --info=progress2 / /path/to/backup` to safely backup the whole
+    system including all extended attributes.
+  - Encrypt partition with LUKS
+  - Use rsync to restore the saved system root.
 
 # References
 

scripts/config.sh

@@ -79,12 +79,12 @@ STAGE3_BASENAME="stage3-$GENTOO_ARCH-hardened+nomultilib"
 
 # List of additional packages to install (will be directly passed to emerge)
 ADDITIONAL_PACKAGES="app-editors/neovim"
-
+# Install and enable dhcpcd
+INSTALL_DHCPCD=true
 # Install and configure sshd (a reasonably secure config is provided, which
 # only allows the use of ed25519 keys, and requires pubkey authentication)
 INSTALL_SSHD=true
-
-# Install ansible, and add a user for it
+# Install ansible, and add a user for it. This requires INSTALL_SSHD=true
 INSTALL_ANSIBLE=true
 # The home directory for the ansible user
 ANSIBLE_HOME="/var/lib/ansible"

scripts/functions.sh

@@ -32,6 +32,8 @@ check_config() {
 		|| die "'$HOSTNAME' is not a valid hostname"
 
 	if [[ "$INSTALL_ANSIBLE" == true ]]; then
+		[[ "$INSTALL_SSHD" == true ]] \
+			|| die "You must enable INSTALL_SSHD for ansible"
 		[[ -n "$ANSIBLE_SSH_AUTHORIZED_KEYS" ]] \
 			|| die "Missing pubkey for ansible user"
 	fi

scripts/main.sh

@@ -1,3 +1,5 @@
+#!/bin/bash
+
 ################################################
 # Initialize script environment
 
@@ -139,12 +141,6 @@ main_install_gentoo_in_chroot() {
 	local efipartnum="${efidev: -1}"
 	try efibootmgr --verbose --create --disk "$PARTITION_DEVICE" --part "$efipartnum" --label "gentoo" --loader '\EFI\vmlinuz.efi' --unicode "root=$linuxdev initrd=\\EFI\\initramfs.img"
 
-	# Install additional packages, if any.
-	if [[ -n "$ADDITIONAL_PACKAGES" ]]; then
-		einfo "Installing additional packages"
-		try emerge --verbose --autounmask-continue=y -- $ADDITIONAL_PACKAGES
-	fi
-
 	# Generate a valid fstab file
 	einfo "Generating fstab"
 	install -m0644 -o root -g root "$GENTOO_BOOTSTRAP_DIR/configs/fstab" /etc/fstab \
@@ -159,11 +155,13 @@ main_install_gentoo_in_chroot() {
 	fi
 
 	# Install and enable sshd
-	einfo "Installing sshd"
-	install -m0600 -o root -g root "$GENTOO_BOOTSTRAP_DIR/configs/sshd_config" /etc/ssh/sshd_config \
-		|| die "Could not install /etc/ssh/sshd_config"
-	rc-update add sshd default \
-		|| die "Could not add sshd to default services"
+	if [[ "$INSTALL_SSHD" == true ]]; then
+		einfo "Installing sshd"
+		install -m0600 -o root -g root "$GENTOO_BOOTSTRAP_DIR/configs/sshd_config" /etc/ssh/sshd_config \
+			|| die "Could not install /etc/ssh/sshd_config"
+		rc-update add sshd default \
+			|| die "Could not add sshd to default services"
+	fi
 
 	# Install and enable dhcpcd
 	einfo "Installing dhcpcd"
@@ -196,6 +194,12 @@ main_install_gentoo_in_chroot() {
 			|| die "Could not append to /etc/ssh/sshd_config"
 	fi
 
+	# Install additional packages, if any.
+	if [[ -n "$ADDITIONAL_PACKAGES" ]]; then
+		einfo "Installing additional packages"
+		try emerge --verbose --autounmask-continue=y -- $ADDITIONAL_PACKAGES
+	fi
+
 	if ask "Do you want to assign a root password now?"; then
 		try passwd root
 		einfo "Root password assigned"