Use encryption key from environment variable; Adjust default ssh config; Remove ansible integration in favor of neutral installation

TODO

@@ -1,6 +1,7 @@
 - root authorized_keys support
-- generalize ansible -> any infrastructure management by allowing only root ssh login.
 - zfs support
-- save meta information to /var/db/gentoo-install
+  - start systemd services
+  - create pool
+  - enable zstd
 - systemd settings pls
-- (dracut -> genkernel, or better?)
+- zfs selector dracut

configure

@@ -143,7 +143,6 @@ function define_swap() {
 }
 
 function define_disk_layout() {
-
 	case "$PARTITIONING_SCHEME" in
 		"classic_single_disk") define_disk_configuration_function "create_classic_single_disk_layout swap=$(define_swap) type=${PARTITIONING_BOOT_TYPE@Q} luks=${PARTITIONING_USE_LUKS@Q} root_fs=${PARTITIONING_ROOT_FS@Q}" "${PARTITIONING_DEVICE@Q}" ;;
 		"zfs_centric")         define_disk_configuration_function "create_zfs_centric_layout swap=$(define_swap) type=${PARTITIONING_BOOT_TYPE@Q} encrypt=${PARTITIONING_ZFS_ENCRYPTION@Q} pool_type=${PARTITIONING_ZFS_POOL_TYPE@Q}" "${PARTITIONING_DEVICES[@]@Q}" ;;
@@ -1062,11 +1061,11 @@ function INIT_SYSTEM_menu()  {
 function GENTOO_MIRROR_tag()   { echo "Gentoo mirror"; }
 function GENTOO_MIRROR_label() { echo "($(ellipsis 20 "$GENTOO_MIRROR"))"; }
 function GENTOO_MIRROR_show()  { return 0; }
-function GENTOO_MIRROR_help()  { echo "Enter the primary gentoo mirror that should be used for the installation process (until mirrorselect is run)."; }
+function GENTOO_MIRROR_help()  { echo "Enter the initial gentoo mirror that should be used for the installation process (until mirrorselect is run)."; }
 function GENTOO_MIRROR_menu()  {
 	dialog \
 		--title "Select gentoo mirror" \
-		--inputbox "Enter the desired gentoo mirror location." \
+		--inputbox "Enter the initial gentoo mirror that should be used for the installation process (until mirrorselect is run)." \
 		"${INPUTBOX_SIZE[@]}" "$GENTOO_MIRROR"
 	UNSAVED_CHANGES=true
 }

contrib/sshd_config

@@ -5,8 +5,8 @@
 
 Port 22
 #AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
+ListenAddress 0.0.0.0
+ListenAddress ::
 
 #HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
@@ -26,52 +26,24 @@ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@op
 LogLevel VERBOSE
 
 #LoginGraceTime 2m
-PermitRootLogin no
+PermitRootLogin yes
 #StrictModes yes
-MaxAuthTries 2
+MaxAuthTries 3
 MaxSessions 4
 
-#PubkeyAuthentication yes
-
-# Only allow sshusers group to login, and explicitly forbid root login
-DenyUsers root
-DenyGroups root
-AllowGroups sshusers
+# Only allow root to login
+AllowGroups root
 
 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
 # but this is overridden so installations will only check .ssh/authorized_keys
 AuthorizedKeysFile .ssh/authorized_keys
 
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
 # To disable tunneled clear text passwords, change to no here!
 PasswordAuthentication no
-#PermitEmptyPasswords no
 
 # Change to no to disable s/key passwords
 ChallengeResponseAuthentication no
 
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
@@ -84,7 +56,7 @@ ChallengeResponseAuthentication no
 UsePAM yes
 
 AllowAgentForwarding no
-AllowTcpForwarding no
+AllowTcpForwarding yes
 #GatewayPorts no
 #X11Forwarding no
 #X11DisplayOffset 10
@@ -105,47 +77,5 @@ ClientAliveCountMax 2
 #ChrootDirectory none
 #VersionAddendum none
 
-# no default banner path
-#Banner none
-
-# here are the new patched ldap related tokens
-# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
-#UseLPK yes
-#LpkLdapConf /etc/ldap.conf
-#LpkServers  ldap://10.1.7.1/ ldap://10.1.7.2/
-#LpkUserDN   ou=users,dc=phear,dc=org
-#LpkGroupDN  ou=groups,dc=phear,dc=org
-#LpkBindDN cn=Manager,dc=phear,dc=org
-#LpkBindPw secret
-#LpkServerGroup mail
-#LpkFilter (hostAccess=master.phear.org)
-#LpkForceTLS no
-#LpkSearchTimelimit 3
-#LpkBindTimelimit 3
-#LpkPubKeyAttr sshPublicKey
-
 # override default of no subsystems
 Subsystem sftp /usr/lib64/misc/sftp-server
-
-# the following are HPN related configuration options
-# tcp receive buffer polling. disable in non autotuning kernels
-#TcpRcvBufPoll yes
-
-# disable hpn performance boosts
-#HPNDisabled no
-
-# buffer size for hpn to non-hpn connections
-#HPNBufferSize 2048
-
-# allow the use of the none cipher
-#NoneEnabled no
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-#	X11Forwarding no
-#	AllowTcpForwarding no
-#	PermitTTY no
-#	ForceCommand cvs server
-
-# Allow client to pass locale environment variables #367017
-AcceptEnv LANG LC_*

gentoo.conf.example

@@ -87,33 +87,42 @@ function disk_configuration() {
 
 
 ################################################
-# LUKS configuration
+# LUKS/ZFS encryption configuration
 
-# If you have selected a disk layout that uses encryption with luks,
-# you need to define the encryption key. If you have not used an encrypted
-# layout, you can skip this section and leave the defaults.
+# If you have selected a disk layout that uses encryption with LUKS or ZFS,
+# you need to define an encryption key. If you have not used an encrypted
+# layout, you can skip this section.
 #
 # ######## Example: Password
 #
-# If you want a standard password, you should do the following:
-#   1. echo -n "mypassword" > /tmp/a_strong_encryption_key
-#   2. Adjust the function below to return the path: echo -n "/tmp/a_strong_encryption_key"
+# If you want a standard password, simply export it to the variable $GENTOO_INSTALL_ENCRYPTION_KEY,
+# or echo it in the function below.
+#   1. export GENTOO_INSTALL_ENCRYPTION_KEY="my strong passphrase"
+#   2. OR: Adjust the function below to return the key: echo "my strong passphrase"
+#
+# ATTENTION: DO NOT INCLUDE A NEWLINE IN YOUR PASSWORD! Use a longer passphrase instead.
+# It will save you a lot of trouble, because most software doesn't support reading passwords
+# with newlines from stdin.
 #
 # By default, the selected KEYMAP will also be applied in the initramfs.
-# If you want to be sure, use a long passphrase with standard alphanumeric characters,
-# so that you could also type it without your selected keymap on the default english layout.
+# If you want to be safe, use a long passphrase with standard alphanumeric characters,
+# so that you can type it without your selected keymap on the default english layout.
 #
 # ######## Example: Keyfile
 #
 # If you want to generate a strong password and use it as a keyfile,
-# you can do so by generating a keyfile from /dev/urandom. I would suggest piping
+# you will have to do the necessary adjustments to the initramfs yourself.
+# Begin setup with a temporary passphrase and replace it later with a keyfile.
+#
+# Generate a strong keyfile from /dev/urandom. I would suggest piping
 # it into base64 afterwards, to avoid problems with special characters in different
 # initramfs implementations and to allow manual typing for rescue purposes.
 #
-# Be aware that the initramfs generated by this script will always ask for a passphrase.
-# If you want to use the keyfile on a USB stick or want an even more advanced setup, you
-# will have to make these modifications yourself. This basically means adjusting
-# the initramfs cmdline, which you can do here with the following statement:
+# Be aware that the initramfs generated by this script will always ask for a user
+# supplied passphrase. If you want to use the keyfile on a USB stick or want an
+# even more advanced setup, you will have to make these modifications yourself.
+# This basically means adjusting the initramfs cmdline, which you can do here with
+# the following statement:
 #   DISK_DRACUT_CMDLINE+=("rd.luks.keyfile=whatever")
 #
 # You can also adjust the boot entry manually after the installation is complete,
@@ -136,19 +145,12 @@ function disk_configuration() {
 # isn't as easy, so it's currently not part of this script, but might be later.
 # Feel free to experiment though.
 
-
-# This function will be called when the key for a luks device is needed.
-# Theoretically you can give every encrypted partition it's own key,
-# but most likely you will only have one partition.
-# By default this function returns the same keyfile for all partitions.
-# If you want to make this more granular, run the install script and
-# select here based on the id reported in the partitioning overview.
-function luks_getkeyfile() {
-	case "$1" in
-		#'my_luks_partition') echo -n '/path/to/my_luks_partition_keyfile' ;;
-		*) echo -n "/path/to/luks-keyfile" ;;
-	esac
-}
+# If you don't want to write your password to your disk, simply export it
+# in your terminal before running ./install, like so:
+#     `export GENTOO_INSTALL_ENCRYPTION_KEY="my strong passphrase"`
+# You can also just set the variable here, but this is not recommended because
+# depending on your current environment, this file might be stored on an actual disk,
+# and so your password would be written to that disk at least once.
 
 ################################################
 # System configuration
@@ -228,14 +230,10 @@ ADDITIONAL_PACKAGES=()
 # only allows the use of ed25519 keys, and requires pubkey authentication)
 INSTALL_SSHD=true
 
-# Install ansible, and add a user for it. This requires INSTALL_SSHD=true
-INSTALL_ANSIBLE=false
-# The home directory for the ansible user
-ANSIBLE_HOME="/var/lib/ansible"
-# An ssh key to add to the .authorized_keys file for the ansible user.
-# This variable will become the content of the .authorized_keys file,
-# so you may specify one key per line.
-ANSIBLE_SSH_AUTHORIZED_KEYS=""
+# An ssh key to add to the authorized_keys file for the root user.
+# This variable will become the content of the authorized_keys file,
+# so you may specify one key per line (include the newlines in the variable).
+ROOT_SSH_AUTHORIZED_KEYS=""
 
 
 ################################################

scripts/config.sh

@@ -25,6 +25,8 @@ USED_LUKS=false
 USED_ZFS=false
 # Flag to track usage of btrfs
 USED_BTRFS=false
+# Flag to track usage of encryption
+USED_ENCRYPTION=false
 
 # An array of disk related actions to perform
 DISK_ACTIONS=()
@@ -175,6 +177,7 @@ function create_raid() {
 # id:      The operand device id
 function create_luks() {
 	USED_LUKS=true
+	USED_ENCRYPTION=true
 
 	local known_arguments=('+new_id' '+name' '+device|id')
 	local extra_arguments=()
@@ -243,6 +246,7 @@ function format_zfs() {
 
 	verify_existing_unique_ids ids
 
+	USED_ENCRYPTION=${arguments[encrypt]:-false}
 	DISK_ACTIONS+=("action=format_zfs" "$@" ";")
 }
 

scripts/dispatch_chroot.sh

@@ -19,5 +19,9 @@ export NPROC_ONE="$((NPROC + 1))"
 export MAKEFLAGS="-j$NPROC"
 export EMERGE_DEFAULT_OPTS="--jobs=$NPROC_ONE --load-average=$NPROC"
 
+# Unset critical variables
+unset GENTOO_INSTALL_ENCRYPTION_KEY
+unset key
+
 # Execute the requested command
 exec "$@"

scripts/functions.sh

@@ -49,13 +49,6 @@ function check_config() {
 	else
 		IS_EFI=false
 	fi
-
-	if [[ $INSTALL_ANSIBLE == "true" ]]; then
-		[[ $INSTALL_SSHD == "true" ]] \
-			|| die "You must enable INSTALL_SSHD for ansible"
-		[[ -n $ANSIBLE_SSH_AUTHORIZED_KEYS ]] \
-			|| die "Missing pubkey for ansible user"
-	fi
 }
 
 function preprocess_config() {
@@ -85,9 +78,22 @@ function prepare_installation_environment() {
 	[[ $USED_LUKS == "true" ]] \
 		&& check_has_program cryptsetup
 
+	# Check encryption key if used
+	[[ $USED_ENCRYPTION == "true" ]] \
+		&& check_encryption_key
+
+	# Sync time now to prevent issues later
 	sync_time
 }
 
+function check_encryption_key() {
+	[[ -n "${GENTOO_INSTALL_ENCRYPTION_KEY+set}" ]] \
+		|| die "You are using encryption but GENTOO_INSTALL_ENCRYPTION_KEY is unset or empty. Export it before running this script."
+
+	[[ ${#GENTOO_INSTALL_ENCRYPTION_KEY} -ge 8 ]] \
+		|| die "Your encryption key must be at least 8 characters long."
+}
+
 function add_summary_entry() {
 	local parent="$1"
 	local id="$2"
@@ -259,13 +265,10 @@ function disk_create_luks() {
 	local uuid="${DISK_ID_TO_UUID[$new_id]}"
 
 	einfo "Creating luks ($new_id) on $device_desc"
-	local keyfile
-	keyfile="$(luks_getkeyfile "$new_id")" \
-		|| die "Error in luks_getkeyfile for $device_desc"
 	cryptsetup luksFormat \
 			--type luks2 \
 			--uuid "$uuid" \
-			--key-file "$keyfile" \
+			--key-file <(echo -n "$GENTOO_INSTALL_ENCRYPTION_KEY") \
 			--cipher aes-xts-plain64 \
 			--hash sha512 \
 			--pbkdf argon2id \

scripts/main.sh

@@ -116,8 +116,16 @@ function install_sshd() {
 	install -m0600 -o root -g root "$GENTOO_INSTALL_REPO_DIR/contrib/sshd_config" /etc/ssh/sshd_config \
 		|| die "Could not install /etc/ssh/sshd_config"
 	enable_service sshd
-	groupadd -r sshusers \
-		|| die "Could not create group 'sshusers'"
+
+	mkdir_or_die 0700 "/root/"
+	mkdir_or_die 0700 "/root/.ssh"
+
+	if [[ -n "$ROOT_SSH_AUTHORIZED_KEYS" ]]; then
+		einfo "Adding authorized keys for root"
+		touch_or_die 0600 "/root/.ssh/authorized_keys"
+		echo "$ROOT_SSH_AUTHORIZED_KEYS" > "$ROOT_HOME/.ssh/authorized_keys" \
+			|| die "Could not add ssh key to /root/.ssh/authorized_keys"
+	fi
 }
 
 function generate_initramfs() {
@@ -262,31 +270,6 @@ function generate_fstab() {
 	fi
 }
 
-function install_ansible() {
-	einfo "Installing ansible"
-	try emerge --verbose app-admin/ansible
-
-	einfo "Creating ansible user"
-	useradd -r -d "$ANSIBLE_HOME" -s /bin/bash ansible \
-		|| die "Could not create user 'ansible'"
-	mkdir_or_die 0700 "$ANSIBLE_HOME"
-	mkdir_or_die 0700 "$ANSIBLE_HOME/.ssh"
-
-	if [[ -n $ANSIBLE_SSH_AUTHORIZED_KEYS ]]; then
-		einfo "Adding authorized keys for ansible"
-		touch_or_die 0600 "$ANSIBLE_HOME/.ssh/authorized_keys"
-		echo "$ANSIBLE_SSH_AUTHORIZED_KEYS" >> "$ANSIBLE_HOME/.ssh/authorized_keys" \
-			|| die "Could not add ssh key to authorized_keys"
-	fi
-
-	chown -R ansible: "$ANSIBLE_HOME" \
-		|| die "Could not change ownership of ansible home"
-
-	einfo "Adding ansible to some auxiliary groups"
-	usermod -a -G wheel,sshusers ansible \
-		|| die "Could not add ansible to auxiliary groups"
-}
-
 function main_install_gentoo_in_chroot() {
 	[[ $# == 0 ]] || die "Too many arguments"
 
@@ -374,11 +357,6 @@ function main_install_gentoo_in_chroot() {
 			|| die "Could not change owner of '/etc/systemd/network/20-wired-dhcp.network'"
 	fi
 
-	# Install ansible
-	if [[ $INSTALL_ANSIBLE == "true" ]]; then
-		install_ansible
-	fi
-
 	# Install additional packages, if any.
 	if [[ ${#ADDITIONAL_PACKAGES[@]} -gt 0 ]]; then
 		einfo "Installing additional packages"
@@ -395,6 +373,8 @@ function main_install_gentoo_in_chroot() {
 	fi
 
 	einfo "Gentoo installation complete."
+	[[ $USED_LUKS == "true" ]] \
+		&& einfo "A backup of your luks headers can be found at '$LUKS_HEADER_BACKUP_DIR', in case you want to have a backup."
 	einfo "To chroot into the new system, simply execute the provided 'chroot' wrapper."
 	einfo "Otherwise, you may now reboot your system."
 }