Finished efibootmgr execution; Added installation of sshd, dhcpcd, ansible. Added mirrorselect.

README.md

@@ -1,5 +1,14 @@
 # Gentoo installation script
 
+TODO clarify:
+
+* /boot will not be mounted to efi partition, instead /boot/efi ist the mountpoint.
+  this prevents /boot from getting full by automated installs, and allows the kernel
+  script to keep exactly two versions (last working kernel), and new one.
+* kernel without module loading capability for security. localyesconfig
+
+
+
 **TL;DR:** Installs gentoo on a new system, suited for both servers and desktops.
 Optionally prepares ansible for automatic system configuration.
 See [Install](#Install) for usage instructions.

configs/fstab

@@ -0,0 +1,14 @@
+# /etc/fstab: static file system information.
+#
+# noatime turns off atimes for increased performance (atimes normally aren't
+# needed); notail increases performance of ReiserFS (at the expense of storage
+# efficiency).  It's safe to drop the noatime options if you want and to
+# switch between notail / tail freely.
+#
+# The root filesystem should have a pass number of either 0 or 1.
+# All other filesystems should have a pass number of 0 or greater than 1.
+#
+# See the manpage fstab(5) for more information.
+#
+
+# <fs> <mountpoint> <type> <opts> <dump/pass>

configs/sshd_config

@@ -0,0 +1,150 @@
+# /etc/ssh/sshd_config
+#
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Limit Host Key Algorithms
+HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
+
+# Limit Key Exchange Algorithms
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+# Logging
+#SyslogFacility AUTH
+LogLevel VERBOSE
+
+#LoginGraceTime 2m
+PermitRootLogin no
+#StrictModes yes
+MaxAuthTries 2
+MaxSessions 4
+
+#PubkeyAuthentication yes
+
+# only allow users to login, explicitly forbid root login
+DenyUsers root
+DenyGroups root
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive no
+#UseLogin no
+#PermitUserEnvironment no
+Compression delayed
+ClientAliveInterval 300
+ClientAliveCountMax 2
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# here are the new patched ldap related tokens
+# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
+#UseLPK yes
+#LpkLdapConf /etc/ldap.conf
+#LpkServers  ldap://10.1.7.1/ ldap://10.1.7.2/
+#LpkUserDN   ou=users,dc=phear,dc=org
+#LpkGroupDN  ou=groups,dc=phear,dc=org
+#LpkBindDN cn=Manager,dc=phear,dc=org
+#LpkBindPw secret
+#LpkServerGroup mail
+#LpkFilter (hostAccess=master.phear.org)
+#LpkForceTLS no
+#LpkSearchTimelimit 3
+#LpkBindTimelimit 3
+#LpkPubKeyAttr sshPublicKey
+
+# override default of no subsystems
+Subsystem sftp /usr/lib64/misc/sftp-server
+
+# the following are HPN related configuration options
+# tcp receive buffer polling. disable in non autotuning kernels
+#TcpRcvBufPoll yes
+
+# disable hpn performance boosts
+#HPNDisabled no
+
+# buffer size for hpn to non-hpn connections
+#HPNBufferSize 2048
+
+# allow the use of the none cipher
+#NoneEnabled no
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+
+# Allow client to pass locale environment variables #367017
+AcceptEnv LANG LC_*

scripts/config.sh

@@ -13,6 +13,11 @@ ENABLE_SWAP=false
 # Enable partitioning (will still ask before doing anything critical)
 ENABLE_PARTITIONING=true
 
+# Format the partitions with the correct filesystems,
+# if you didn't chose automatic partitioning, you will be asked
+# before any formatting is done.
+ENABLE_FORMATTING=true
+
 # The device to partition
 PARTITION_DEVICE="/dev/sda"
 # Size of swap partition (if enabled)
@@ -26,11 +31,6 @@ PARTITION_UUID_EFI="$(load_or_generate_uuid 'efi')"
 PARTITION_UUID_SWAP="$(load_or_generate_uuid 'swap')"
 PARTITION_UUID_LINUX="$(load_or_generate_uuid 'linux')"
 
-# Format the partitions with the correct filesystems,
-# if you didn't chose automatic partitioning, you will be asked
-# before any formatting is done.
-ENABLE_FORMATTING=true
-
 
 ################################################
 # System configuration
@@ -69,9 +69,28 @@ GENTOO_MIRROR="https://mirror.eu.oneandone.net/linux/distributions/gentoo/gentoo
 STAGE3_BASENAME="stage3-amd64-hardened+nomultilib"
 #STAGE3_BASENAME="stage3-amd64-hardened-selinux+nomultilib"
 
-# Default accept keywords (enable testing by default)
-#ACCEPT_KEYWORDS=""
-ACCEPT_KEYWORDS="~amd64"
+
+################################################
+# Additional (optional) configuration
 
 # List of additional packages to install (will be directly passed to emerge)
 ADDITIONAL_PACKAGES="app-editors/neovim"
+
+# Install and configure sshd (a reasonably secure config
+# is provided, only ed25519 host key, pubkey authentication only)
+INSTALL_SSHD=true
+
+# Install ansible, and add a user for it
+INSTALL_ANSIBLE=true
+# The home directory for the ansible user
+ANSIBLE_HOME="/var/lib/ansible"
+# An ssh key to add to the .authorized_keys file for the ansible user
+ANSIBLE_SSH_PUBKEY=""
+
+
+################################################
+# Prove that you have read the config
+
+# To prove that you have read and edited the config
+# properly, set the following value to true.
+I_HAVE_READ_AND_EDITED_THE_CONFIG_PROPERLY=false

scripts/main.sh

@@ -25,7 +25,10 @@ source "$GENTOO_BOOTSTRAP_DIR/scripts/utils.sh"
 source "$GENTOO_BOOTSTRAP_DIR/scripts/config.sh"
 source "$GENTOO_BOOTSTRAP_DIR/scripts/functions.sh"
 
-mkdir -p "$TMP_DIR"
+[[ $I_HAVE_READ_AND_EDITED_THE_CONFIG_PROPERLY == true ]] \
+	|| die "You have not properly read the config. Set I_HAVE_READ_AND_EDITED_THE_CONFIG_PROPERLY=true to continue."
+
+mkdir_or_die 0755 "$TMP_DIR"
 [[ $EUID == 0 ]] \
 	|| die "Must be root"
 
@@ -52,12 +55,6 @@ main_install_gentoo_in_chroot() {
 	passwd -l root \
 		|| die "Could not change root password"
 
-	einfo "Selecting portage mirrors"
-	# TODO mirrorselect
-	# TODO gpg portage sync
-	# TODO additional binary repos
-	# TODO safe dns settings (claranet)
-
 	# Mount efi partition
 	einfo "Mounting efi"
 	mount_by_partuuid "$PARTITION_UUID_EFI" "/boot/efi"
@@ -94,23 +91,98 @@ main_install_gentoo_in_chroot() {
 	mkdir_or_die 0755 "/etc/portage/package.keywords"
 	touch_or_die 0644 "/etc/portage/package.keywords/zz-autounmask"
 
+	einfo "Temporarily installing mirrorselect"
+	try emerge --verbose --oneshot app-portage/mirrorselect
+
+	einfo "Selecting fastest portage mirrors"
+	try mirrorselect -s 4 -b 10 -D
+
 	# Install git (for git portage overlays)
 	einfo "Installing git"
 	try emerge --verbose dev-vcs/git
 
-	# Install vanilla kernel, to be able to boot the system.
+	# Install vanilla kernel and efibootmgr, to be able to boot the system.
 	einfo "Installing vanilla kernel"
-	try emerge --verbose sys-kernel/vanilla-kernel
+	try emerge --verbose sys-kernel/vanilla-kernel sys-boot/efibootmgr
+
+	# Copy kernel to EFI
+	local kernel_version
+	kernel_version="$(ls "/boot/vmlinuz-"* | sort -V | tail -1)" \
+		|| die "Could not list newest kernel file"
+	kernel_version="${kernel_version#vmlinuz-}" \
+		|| die "Could not find kernel version"
+
+	mkdir_or_die 0755 "/boot/efi/EFI"
+	cp "/boot/initramfs-$kernel_version"* "/boot/efi/EFI/initramfs.img" \
+		|| die "Could not copy initramfs to EFI partition"
+	cp "/boot/vmlinuz-$kernel_version"* "/boot/efi/EFI/vmlinuz.efi" \
+		|| die "Could not copy kernel to EFI partition"
+
+	# Create boot entry
+	einfo "Creating efi boot entry"
+	local linuxdev
+	linuxdev="$(get_device_by_partuuid "$PARTITION_UUID_LINUX")" \
+		|| die "Could not resolve partition UUID '$PARTITION_UUID_LINUX'"
+	local efidev
+	efidev="$(get_device_by_partuuid "$PARTITION_UUID_EFI")" \
+		|| die "Could not resolve partition UUID '$PARTITION_UUID_EFI'"
+	local efipartnum="${efidev: -1}"
+	efibootmgr --verbose --create --disk "$PARTITION_DEVICE" --part "$efipartnum" --label "gentoo" --loader '\EFI\vmlinuz.efi' --unicode "root=$linuxdev initrd=initramfs.img" \
+		|| die "Could not add efi boot entry"
 
 	# Install additional packages, if any.
 	if [[ -n "$ADDITIONAL_PACKAGES" ]]; then
 		einfo "Installing additional packages"
-		emerge --autounmask-continue=y -- $ADDITIONAL_PACKAGES
+		try emerge --verbose --autounmask-continue=y -- $ADDITIONAL_PACKAGES
 	fi
 
-	#create_ansible_user
-	#generate_fresh keys to become mgmnt ansible user
-	#install_ansible
+	# Generate a valid fstab file
+	einfo "Generating fstab"
+	install -m0644 -o root -g root "$GENTOO_BOOTSTRAP_DIR/configs/fstab" /etc/fstab \
+		|| die "Could not overwrite /etc/fstab"
+	echo "PARTUUID=$PARTITION_UUID_LINUX    /            ext4    defaults,noatime,errors=remount-ro,discard                            0 1" >> /etc/fstab \
+		|| die "Could not append entry to fstab"
+	echo "PARTUUID=$PARTITION_UUID_EFI    /boot/efi    vfat    defaults,noatime,fmask=0022,dmask=0022,noexec,nodev,nosuid,discard    0 2" >> /etc/fstab \
+		|| die "Could not append entry to fstab"
+	if [[ "$ENABLE_SWAP" == true ]]; then
+		echo "PARTUUID=$PARTITION_UUID_SWAP    none         swap    defaults,discard                                                      0 0" >> /etc/fstab \
+			|| die "Could not append entry to fstab"
+	fi
+
+	# Install and enable sshd
+	einfo "Installing sshd"
+	install -m0600 -o root -g root "$GENTOO_BOOTSTRAP_DIR/configs/sshd_config" /etc/ssh/sshd_config \
+		|| die "Could not install /etc/ssh/sshd_config"
+	rc-update add sshd default \
+		|| die "Could not add sshd to default services"
+
+	# Install and enable dhcpcd
+	einfo "Installing dhcpcd"
+	try emerge --verbose net-misc/dhcpcd sys-apps/iproute2
+	rc-update add dhcpcd default \
+		|| die "Could not add dhcpcd to default services"
+
+	# Install ansible
+	if [[ "$INSTALL_ANSIBLE" == true ]]; then
+		einfo "Installing ansible"
+		try emerge --verbose app-admin/ansible
+
+		einfo "Creating ansible user"
+		useradd -r -d "$ANSIBLE_HOME" -s /bin/bash ansible
+		mkdir_or_die 0700 "$ANSIBLE_HOME"
+		mkdir_or_die 0700 "$ANSIBLE_HOME/.ssh"
+
+		if [[ -n "$ANSIBLE_SSH_PUBKEY" ]]; then
+			einfo "Adding ssh key for ansible"
+			touch_or_die 0600 "$ANSIBLE_HOME/.ssh/authorized_keys"
+			echo "$ANSIBLE_SSH_PUBKEY" >> "$ANSIBLE_HOME/.ssh/authorized_keys" \
+				|| die "Could not add ssh key to authorized_keys"
+		fi
+
+		einfo "Allowing ansible for ssh"
+		echo "AllowUsers ansible" >> "/etc/ssh/sshd_config" \
+			|| die "Could not append to /etc/ssh/sshd_config"
+	fi
 
 	if ask "Do you want to assign a root password now?"; then
 		passwd root