Use encryption key from environment variable; Adjust default ssh config; Remove ansible integration in favor of neutral installation

oddlama 2021-05-02 15:29:21 +02:00
parent 99667b2cd2
commit 6daa319c17
No known key found for this signature in database
GPG Key ID: 14EFE510775FE39A
8 changed files with 80 additions and 161 deletions

7
TODO

@ -1,6 +1,7 @@
- root authorized_keys support - root authorized_keys support
- generalize ansible -> any infrastructure management by allowing only root ssh login.
- zfs support - zfs support
- save meta information to /var/db/gentoo-install - start systemd services
- create pool
- enable zstd
- systemd settings pls - systemd settings pls
- (dracut -> genkernel, or better?) - zfs selector dracut

5
configure vendored

@ -143,7 +143,6 @@ function define_swap() {
} }
function define_disk_layout() { function define_disk_layout() {
case "$PARTITIONING_SCHEME" in case "$PARTITIONING_SCHEME" in
"classic_single_disk") define_disk_configuration_function "create_classic_single_disk_layout swap=$(define_swap) type=${PARTITIONING_BOOT_TYPE@Q} luks=${PARTITIONING_USE_LUKS@Q} root_fs=${PARTITIONING_ROOT_FS@Q}" "${PARTITIONING_DEVICE@Q}" ;; "classic_single_disk") define_disk_configuration_function "create_classic_single_disk_layout swap=$(define_swap) type=${PARTITIONING_BOOT_TYPE@Q} luks=${PARTITIONING_USE_LUKS@Q} root_fs=${PARTITIONING_ROOT_FS@Q}" "${PARTITIONING_DEVICE@Q}" ;;
"zfs_centric") define_disk_configuration_function "create_zfs_centric_layout swap=$(define_swap) type=${PARTITIONING_BOOT_TYPE@Q} encrypt=${PARTITIONING_ZFS_ENCRYPTION@Q} pool_type=${PARTITIONING_ZFS_POOL_TYPE@Q}" "${PARTITIONING_DEVICES[@]@Q}" ;; "zfs_centric") define_disk_configuration_function "create_zfs_centric_layout swap=$(define_swap) type=${PARTITIONING_BOOT_TYPE@Q} encrypt=${PARTITIONING_ZFS_ENCRYPTION@Q} pool_type=${PARTITIONING_ZFS_POOL_TYPE@Q}" "${PARTITIONING_DEVICES[@]@Q}" ;;
@ -1062,11 +1061,11 @@ function INIT_SYSTEM_menu() {
function GENTOO_MIRROR_tag() { echo "Gentoo mirror"; } function GENTOO_MIRROR_tag() { echo "Gentoo mirror"; }
function GENTOO_MIRROR_label() { echo "($(ellipsis 20 "$GENTOO_MIRROR"))"; } function GENTOO_MIRROR_label() { echo "($(ellipsis 20 "$GENTOO_MIRROR"))"; }
function GENTOO_MIRROR_show() { return 0; } function GENTOO_MIRROR_show() { return 0; }
function GENTOO_MIRROR_help() { echo "Enter the primary gentoo mirror that should be used for the installation process (until mirrorselect is run)."; } function GENTOO_MIRROR_help() { echo "Enter the initial gentoo mirror that should be used for the installation process (until mirrorselect is run)."; }
function GENTOO_MIRROR_menu() { function GENTOO_MIRROR_menu() {
dialog \ dialog \
--title "Select gentoo mirror" \ --title "Select gentoo mirror" \
--inputbox "Enter the desired gentoo mirror location." \ --inputbox "Enter the initial gentoo mirror that should be used for the installation process (until mirrorselect is run)." \
"${INPUTBOX_SIZE[@]}" "$GENTOO_MIRROR" "${INPUTBOX_SIZE[@]}" "$GENTOO_MIRROR"
UNSAVED_CHANGES=true UNSAVED_CHANGES=true
} }


@ -5,8 +5,8 @@
Port 22 Port 22
#AddressFamily any #AddressFamily any
#ListenAddress 0.0.0.0 ListenAddress 0.0.0.0
#ListenAddress :: ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_dsa_key
@ -26,52 +26,24 @@ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@op
LogLevel VERBOSE LogLevel VERBOSE
#LoginGraceTime 2m #LoginGraceTime 2m
PermitRootLogin no PermitRootLogin yes
#StrictModes yes #StrictModes yes
MaxAuthTries 2 MaxAuthTries 3
MaxSessions 4 MaxSessions 4
#PubkeyAuthentication yes # Only allow root to login
AllowGroups root
# Only allow sshusers group to login, and explicitly forbid root login
DenyUsers root
DenyGroups root
AllowGroups sshusers
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys # but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords # Change to no to disable s/key passwords
ChallengeResponseAuthentication no ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing, # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and # be allowed through the ChallengeResponseAuthentication and
@ -84,7 +56,7 @@ ChallengeResponseAuthentication no
UsePAM yes UsePAM yes
AllowAgentForwarding no AllowAgentForwarding no
AllowTcpForwarding no AllowTcpForwarding yes
#GatewayPorts no #GatewayPorts no
#X11Forwarding no #X11Forwarding no
#X11DisplayOffset 10 #X11DisplayOffset 10
@ -105,47 +77,5 @@ ClientAliveCountMax 2
#ChrootDirectory none #ChrootDirectory none
#VersionAddendum none #VersionAddendum none
# no default banner path
#Banner none
# here are the new patched ldap related tokens
# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
#UseLPK yes
#LpkLdapConf /etc/ldap.conf
#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/
#LpkUserDN ou=users,dc=phear,dc=org
#LpkGroupDN ou=groups,dc=phear,dc=org
#LpkBindDN cn=Manager,dc=phear,dc=org
#LpkBindPw secret
#LpkServerGroup mail
#LpkFilter (hostAccess=master.phear.org)
#LpkForceTLS no
#LpkSearchTimelimit 3
#LpkBindTimelimit 3
#LpkPubKeyAttr sshPublicKey
# override default of no subsystems # override default of no subsystems
Subsystem sftp /usr/lib64/misc/sftp-server Subsystem sftp /usr/lib64/misc/sftp-server
# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes
# disable hpn performance boosts
#HPNDisabled no
# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048
# allow the use of the none cipher
#NoneEnabled no
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
# Allow client to pass locale environment variables #367017
AcceptEnv LANG LC_*
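Review bot: `PermitRootLogin yes` on the changed line of the second hunk is broader than the commit needs: key-only root access can be stated directly with `PermitRootLogin prohibit-password`, which keeps the root restriction independent of `PasswordAuthentication no` and `ChallengeResponseAuthentication no` elsewhere in the file and stays correct if either of those is later relaxed. The same hunk's `AllowGroups root` already limits who may log in, so only the root line needs changing. `AllowTcpForwarding yes` in the third hunk reverses the previous `no` without explanation; a one-line comment stating why forwarding is now wanted would help the next reader.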


@ -87,33 +87,42 @@ function disk_configuration() {
################################################ ################################################
# LUKS configuration # LUKS/ZFS encryption configuration
# If you have selected a disk layout that uses encryption with luks, # If you have selected a disk layout that uses encryption with LUKS or ZFS,
# you need to define the encryption key. If you have not used an encrypted # you need to define an encryption key. If you have not used an encrypted
# layout, you can skip this section and leave the defaults. # layout, you can skip this section.
# #
# ######## Example: Password # ######## Example: Password
# #
# If you want a standard password, you should do the following: # If you want a standard password, simply export it to the variable $GENTOO_INSTALL_ENCRYPTION_KEY,
# 1. echo -n "mypassword" > /tmp/a_strong_encryption_key # or echo it in the function below.
# 2. Adjust the function below to return the path: echo -n "/tmp/a_strong_encryption_key" # 1. export GENTOO_INSTALL_ENCRYPTION_KEY="my strong passphrase"
# 2. OR: Adjust the function below to return the key: echo "my strong passphrase"
#
# ATTENTION: DO NOT INCLUDE A NEWLINE IN YOUR PASSWORD! Use a longer passphrase instead.
# It will save you a lot of trouble, because most software doesn't support reading passwords
# with newlines from stdin.
# #
# By default, the selected KEYMAP will also be applied in the initramfs. # By default, the selected KEYMAP will also be applied in the initramfs.
# If you want to be sure, use a long passphrase with standard alphanumeric characters, # If you want to be safe, use a long passphrase with standard alphanumeric characters,
# so that you could also type it without your selected keymap on the default english layout. # so that you can type it without your selected keymap on the default english layout.
# #
# ######## Example: Keyfile # ######## Example: Keyfile
# #
# If you want to generate a strong password and use it as a keyfile, # If you want to generate a strong password and use it as a keyfile,
# you can do so by generating a keyfile from /dev/urandom. I would suggest piping # you will have to do the necessary adjustments to the initramfs yourself.
# Begin setup with a temporary passphrase and replace it later with a keyfile.
#
# Generate a strong keyfile from /dev/urandom. I would suggest piping
# it into base64 afterwards, to avoid problems with special characters in different # it into base64 afterwards, to avoid problems with special characters in different
# initramfs implementations and to allow manual typing for rescue purposes. # initramfs implementations and to allow manual typing for rescue purposes.
# #
# Be aware that the initramfs generated by this script will always ask for a passphrase. # Be aware that the initramfs generated by this script will always ask for a user
# If you want to use the keyfile on a USB stick or want an even more advanced setup, you # supplied passphrase. If you want to use the keyfile on a USB stick or want an
# will have to make these modifications yourself. This basically means adjusting # even more advanced setup, you will have to make these modifications yourself.
# the initramfs cmdline, which you can do here with the following statement: # This basically means adjusting the initramfs cmdline, which you can do here with
# the following statement:
# DISK_DRACUT_CMDLINE+=("rd.luks.keyfile=whatever") # DISK_DRACUT_CMDLINE+=("rd.luks.keyfile=whatever")
# #
# You can also adjust the boot entry manually after the installation is complete, # You can also adjust the boot entry manually after the installation is complete,
@ -136,19 +145,12 @@ function disk_configuration() {
# isn't as easy, so it's currently not part of this script, but might be later. # isn't as easy, so it's currently not part of this script, but might be later.
# Feel free to experiment though. # Feel free to experiment though.
# If you don't want to write your password to your disk, simply export it
# This function will be called when the key for a luks device is needed. # in your terminal before running ./install, like so:
# Theoretically you can give every encrypted partition it's own key, # `export GENTOO_INSTALL_ENCRYPTION_KEY="my strong passphrase"`
# but most likely you will only have one partition. # You can also just set the variable here, but this is not recommended because
# By default this function returns the same keyfile for all partitions. # depending on your current environment, this file might be stored on an actual disk,
# If you want to make this more granular, run the install script and # and so your password would be written to that disk at least once.
# select here based on the id reported in the partitioning overview.
function luks_getkeyfile() {
case "$1" in
#'my_luks_partition') echo -n '/path/to/my_luks_partition_keyfile' ;;
*) echo -n "/path/to/luks-keyfile" ;;
esac
}
################################################ ################################################
# System configuration # System configuration
@ -228,14 +230,10 @@ ADDITIONAL_PACKAGES=()
# only allows the use of ed25519 keys, and requires pubkey authentication) # only allows the use of ed25519 keys, and requires pubkey authentication)
INSTALL_SSHD=true INSTALL_SSHD=true
# Install ansible, and add a user for it. This requires INSTALL_SSHD=true # An ssh key to add to the authorized_keys file for the root user.
INSTALL_ANSIBLE=false # This variable will become the content of the authorized_keys file,
# The home directory for the ansible user # so you may specify one key per line (include the newlines in the variable).
ANSIBLE_HOME="/var/lib/ansible" ROOT_SSH_AUTHORIZED_KEYS=""
# An ssh key to add to the .authorized_keys file for the ansible user.
# This variable will become the content of the .authorized_keys file,
# so you may specify one key per line.
ANSIBLE_SSH_AUTHORIZED_KEYS=""
################################################ ################################################
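Review bot: The rewritten comment in the first hunk still says `or echo it in the function below` and `2. OR: Adjust the function below to return the key: echo "my strong passphrase"`, but the second hunk removes `luks_getkeyfile`, so there is no longer a function below to adjust. Both references should point at the variable instead, e.g. `# 2. OR: set GENTOO_INSTALL_ENCRYPTION_KEY="my strong passphrase" in this file (see the note below on why this is not recommended)`. The text kept in the second hunk already explains the in-file variant and its disk-exposure risk, so only the two lines mentioning the function need to change.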


@ -25,6 +25,8 @@ USED_LUKS=false
USED_ZFS=false USED_ZFS=false
# Flag to track usage of btrfs # Flag to track usage of btrfs
USED_BTRFS=false USED_BTRFS=false
# Flag to track usage of encryption
USED_ENCRYPTION=false
# An array of disk related actions to perform # An array of disk related actions to perform
DISK_ACTIONS=() DISK_ACTIONS=()
@ -175,6 +177,7 @@ function create_raid() {
# id: The operand device id # id: The operand device id
function create_luks() { function create_luks() {
USED_LUKS=true USED_LUKS=true
USED_ENCRYPTION=true
local known_arguments=('+new_id' '+name' '+device|id') local known_arguments=('+new_id' '+name' '+device|id')
local extra_arguments=() local extra_arguments=()
@ -243,6 +246,7 @@ function format_zfs() {
verify_existing_unique_ids ids verify_existing_unique_ids ids
USED_ENCRYPTION=${arguments[encrypt]:-false}
DISK_ACTIONS+=("action=format_zfs" "$@" ";") DISK_ACTIONS+=("action=format_zfs" "$@" ";")
} }
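Review bot: `USED_ENCRYPTION=${arguments[encrypt]:-false}` in the third hunk overwrites the flag rather than raising it, so a `format_zfs` call without `encrypt=true` resets `USED_ENCRYPTION` to false even if an earlier `create_luks` (second hunk) set it, and any check gated on the flag would then be skipped. Setting it only in the positive case keeps the flag monotonic: `[[ ${arguments[encrypt]:-false} == "true" ]] && USED_ENCRYPTION=true`. `format_zfs` starts outside the hunk, so how `arguments[encrypt]` is populated is not visible here.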


@ -19,5 +19,9 @@ export NPROC_ONE="$((NPROC + 1))"
export MAKEFLAGS="-j$NPROC" export MAKEFLAGS="-j$NPROC"
export EMERGE_DEFAULT_OPTS="--jobs=$NPROC_ONE --load-average=$NPROC" export EMERGE_DEFAULT_OPTS="--jobs=$NPROC_ONE --load-average=$NPROC"
# Unset critical variables
unset GENTOO_INSTALL_ENCRYPTION_KEY
unset key
# Execute the requested command # Execute the requested command
exec "$@" exec "$@"


@ -49,13 +49,6 @@ function check_config() {
else else
IS_EFI=false IS_EFI=false
fi fi
if [[ $INSTALL_ANSIBLE == "true" ]]; then
[[ $INSTALL_SSHD == "true" ]] \
|| die "You must enable INSTALL_SSHD for ansible"
[[ -n $ANSIBLE_SSH_AUTHORIZED_KEYS ]] \
|| die "Missing pubkey for ansible user"
fi
} }
function preprocess_config() { function preprocess_config() {
@ -85,9 +78,22 @@ function prepare_installation_environment() {
[[ $USED_LUKS == "true" ]] \ [[ $USED_LUKS == "true" ]] \
&& check_has_program cryptsetup && check_has_program cryptsetup
# Check encryption key if used
[[ $USED_ENCRYPTION == "true" ]] \
&& check_encryption_key
# Sync time now to prevent issues later
sync_time sync_time
} }
function check_encryption_key() {
[[ -n "${GENTOO_INSTALL_ENCRYPTION_KEY+set}" ]] \
|| die "You are using encryption but GENTOO_INSTALL_ENCRYPTION_KEY is unset or empty. Export it before running this script."
[[ ${#GENTOO_INSTALL_ENCRYPTION_KEY} -ge 8 ]] \
|| die "Your encryption key must be at least 8 characters long."
}
function add_summary_entry() { function add_summary_entry() {
local parent="$1" local parent="$1"
local id="$2" local id="$2"
@ -259,13 +265,10 @@ function disk_create_luks() {
local uuid="${DISK_ID_TO_UUID[$new_id]}" local uuid="${DISK_ID_TO_UUID[$new_id]}"
einfo "Creating luks ($new_id) on $device_desc" einfo "Creating luks ($new_id) on $device_desc"
local keyfile
keyfile="$(luks_getkeyfile "$new_id")" \
|| die "Error in luks_getkeyfile for $device_desc"
cryptsetup luksFormat \ cryptsetup luksFormat \
--type luks2 \ --type luks2 \
--uuid "$uuid" \ --uuid "$uuid" \
--key-file "$keyfile" \ --key-file <(echo -n "$GENTOO_INSTALL_ENCRYPTION_KEY") \
--cipher aes-xts-plain64 \ --cipher aes-xts-plain64 \
--hash sha512 \ --hash sha512 \
--pbkdf argon2id \ --pbkdf argon2id \
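Review bot: `--key-file <(echo -n "$GENTOO_INSTALL_ENCRYPTION_KEY")` in the last hunk feeds the passphrase through `echo`, which treats a value beginning with `-e`, `-E` or `-n` as an option (and, with `xpg_echo`, expands backslash sequences), so such a key would be written to the LUKS header differently from what the user typed; `printf '%s' "$GENTOO_INSTALL_ENCRYPTION_KEY"` emits the bytes verbatim. In `check_encryption_key` (second hunk), `${GENTOO_INSTALL_ENCRYPTION_KEY+set}` is non-empty for a set-but-empty variable, so the "unset or empty" message is reached only when the variable is unset and an empty key falls through to the length message; `${GENTOO_INSTALL_ENCRYPTION_KEY:+set}` makes the test match its message. `disk_create_luks` begins and ends outside the hunk.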


@ -116,8 +116,16 @@ function install_sshd() {
install -m0600 -o root -g root "$GENTOO_INSTALL_REPO_DIR/contrib/sshd_config" /etc/ssh/sshd_config \ install -m0600 -o root -g root "$GENTOO_INSTALL_REPO_DIR/contrib/sshd_config" /etc/ssh/sshd_config \
|| die "Could not install /etc/ssh/sshd_config" || die "Could not install /etc/ssh/sshd_config"
enable_service sshd enable_service sshd
groupadd -r sshusers \
|| die "Could not create group 'sshusers'" mkdir_or_die 0700 "/root/"
mkdir_or_die 0700 "/root/.ssh"
if [[ -n "$ROOT_SSH_AUTHORIZED_KEYS" ]]; then
einfo "Adding authorized keys for root"
touch_or_die 0600 "/root/.ssh/authorized_keys"
echo "$ROOT_SSH_AUTHORIZED_KEYS" > "$ROOT_HOME/.ssh/authorized_keys" \
|| die "Could not add ssh key to /root/.ssh/authorized_keys"
fi
} }
function generate_initramfs() { function generate_initramfs() {
@ -262,31 +270,6 @@ function generate_fstab() {
fi fi
} }
function install_ansible() {
einfo "Installing ansible"
try emerge --verbose app-admin/ansible
einfo "Creating ansible user"
useradd -r -d "$ANSIBLE_HOME" -s /bin/bash ansible \
|| die "Could not create user 'ansible'"
mkdir_or_die 0700 "$ANSIBLE_HOME"
mkdir_or_die 0700 "$ANSIBLE_HOME/.ssh"
if [[ -n $ANSIBLE_SSH_AUTHORIZED_KEYS ]]; then
einfo "Adding authorized keys for ansible"
touch_or_die 0600 "$ANSIBLE_HOME/.ssh/authorized_keys"
echo "$ANSIBLE_SSH_AUTHORIZED_KEYS" >> "$ANSIBLE_HOME/.ssh/authorized_keys" \
|| die "Could not add ssh key to authorized_keys"
fi
chown -R ansible: "$ANSIBLE_HOME" \
|| die "Could not change ownership of ansible home"
einfo "Adding ansible to some auxiliary groups"
usermod -a -G wheel,sshusers ansible \
|| die "Could not add ansible to auxiliary groups"
}
function main_install_gentoo_in_chroot() { function main_install_gentoo_in_chroot() {
[[ $# == 0 ]] || die "Too many arguments" [[ $# == 0 ]] || die "Too many arguments"
@ -374,11 +357,6 @@ function main_install_gentoo_in_chroot() {
|| die "Could not change owner of '/etc/systemd/network/20-wired-dhcp.network'" || die "Could not change owner of '/etc/systemd/network/20-wired-dhcp.network'"
fi fi
# Install ansible
if [[ $INSTALL_ANSIBLE == "true" ]]; then
install_ansible
fi
# Install additional packages, if any. # Install additional packages, if any.
if [[ ${#ADDITIONAL_PACKAGES[@]} -gt 0 ]]; then if [[ ${#ADDITIONAL_PACKAGES[@]} -gt 0 ]]; then
einfo "Installing additional packages" einfo "Installing additional packages"
@ -395,6 +373,8 @@ function main_install_gentoo_in_chroot() {
fi fi
einfo "Gentoo installation complete." einfo "Gentoo installation complete."
[[ $USED_LUKS == "true" ]] \
&& einfo "A backup of your luks headers can be found at '$LUKS_HEADER_BACKUP_DIR', in case you want to have a backup."
einfo "To chroot into the new system, simply execute the provided 'chroot' wrapper." einfo "To chroot into the new system, simply execute the provided 'chroot' wrapper."
einfo "Otherwise, you may now reboot your system." einfo "Otherwise, you may now reboot your system."
} }
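Review bot: In `install_sshd` (first hunk) the keys file is created as `/root/.ssh/authorized_keys` by `touch_or_die` but then written through `"$ROOT_HOME/.ssh/authorized_keys"`; `ROOT_HOME` is not defined anywhere in this diff, and if it is unset the redirect targets `/.ssh/authorized_keys`, so the function dies after having already created the empty 0600 file. Use the same literal on both lines: `echo "$ROOT_SSH_AUTHORIZED_KEYS" > "/root/.ssh/authorized_keys" \`. The opening lines of `install_sshd` are outside the hunk.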