diff --git a/README.md b/README.md
index fe167dd..bd653e2 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,14 @@
 # Gentoo installation script
+TODO clarify:
+
+* /boot will not be mounted to efi partition, instead /boot/efi ist the mountpoint.
+ this prevents /boot from getting full by automated installs, and allows the kernel
+ script to keep exactly two versions (last working kernel), and new one.
+* kernel without module loading capability for security. localyesconfig
+
+
+
 **TL;DR:** Installs gentoo on a new system, suited for both servers and desktops.
 Optionally prepares ansible for automatic system configuration.
 See [Install](#Install) for usage instructions.
diff --git a/configs/fstab b/configs/fstab
new file mode 100644
index 0000000..f958e74
--- /dev/null
+++ b/configs/fstab
@@ -0,0 +1,14 @@
+# /etc/fstab: static file system information.
+#
+# noatime turns off atimes for increased performance (atimes normally aren't
+# needed); notail increases performance of ReiserFS (at the expense of storage
+# efficiency). It's safe to drop the noatime options if you want and to
+# switch between notail / tail freely.
+#
+# The root filesystem should have a pass number of either 0 or 1.
+# All other filesystems should have a pass number of 0 or greater than 1.
+#
+# See the manpage fstab(5) for more information.
+#
+
+#
diff --git a/configs/sshd_config b/configs/sshd_config
new file mode 100644
index 0000000..5faf528
--- /dev/null
+++ b/configs/sshd_config
@@ -0,0 +1,150 @@
+# /etc/ssh/sshd_config
+#
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Limit Host Key Algorithms
+HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
+
+# Limit Key Exchange Algorithms
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+# Logging
+#SyslogFacility AUTH
+LogLevel VERBOSE
+
+#LoginGraceTime 2m
+PermitRootLogin no
+#StrictModes yes
+MaxAuthTries 2
+MaxSessions 4
+
+#PubkeyAuthentication yes
+
+# only allow users to login, explicitly forbid root login
+DenyUsers root
+DenyGroups root
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive no
+#UseLogin no
+#PermitUserEnvironment no
+Compression delayed
+ClientAliveInterval 300
+ClientAliveCountMax 2
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# here are the new patched ldap related tokens
+# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
+#UseLPK yes
+#LpkLdapConf /etc/ldap.conf
+#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/
+#LpkUserDN ou=users,dc=phear,dc=org
+#LpkGroupDN ou=groups,dc=phear,dc=org
+#LpkBindDN cn=Manager,dc=phear,dc=org
+#LpkBindPw secret
+#LpkServerGroup mail
+#LpkFilter (hostAccess=master.phear.org)
+#LpkForceTLS no
+#LpkSearchTimelimit 3
+#LpkBindTimelimit 3
+#LpkPubKeyAttr sshPublicKey
+
+# override default of no subsystems
+Subsystem sftp /usr/lib64/misc/sftp-server
+
+# 
the following are HPN related configuration options
+# tcp receive buffer polling. disable in non autotuning kernels
+#TcpRcvBufPoll yes
+
+# disable hpn performance boosts
+#HPNDisabled no
+
+# buffer size for hpn to non-hpn connections
+#HPNBufferSize 2048
+
+# allow the use of the none cipher
+#NoneEnabled no
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+
+# Allow client to pass locale environment variables #367017
+AcceptEnv LANG LC_*
diff --git a/scripts/config.sh b/scripts/config.sh
index 41fba80..6726da4 100644
--- a/scripts/config.sh
+++ b/scripts/config.sh
@@ -13,6 +13,11 @@ ENABLE_SWAP=false
 # Enable partitioning (will still ask before doing anything critical)
 ENABLE_PARTITIONING=true
+# Format the partitions with the correct filesystems,
+# if you didn't chose automatic partitioning, you will be asked
+# before any formatting is done.
+ENABLE_FORMATTING=true
+
 # The device to partition
 PARTITION_DEVICE="/dev/sda"
 # Size of swap partition (if enabled)
@@ -26,11 +31,6 @@ PARTITION_UUID_EFI="$(load_or_generate_uuid 'efi')"
 PARTITION_UUID_SWAP="$(load_or_generate_uuid 'swap')"
 PARTITION_UUID_LINUX="$(load_or_generate_uuid 'linux')"
-# Format the partitions with the correct filesystems,
-# if you didn't chose automatic partitioning, you will be asked
-# before any formatting is done.
-ENABLE_FORMATTING=true
-
 ################################################
 # System configuration
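Review bot: `HostKeyAlgorithms` still offers `ssh-rsa` and `ssh-rsa-cert-v01@openssh.com` although the only `HostKey` enabled is the ed25519 one, so the RSA entries are dead for this config and, since `ssh-rsa` is the SHA-1 signature scheme, would quietly re-enable it should an RSA host key be added later; trim the line to `HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519`. `DenyUsers root` and `DenyGroups root` duplicate `PermitRootLogin no`; harmless, but the comment above them should say that the overlap is deliberate. `MaxAuthTries 2` is tight enough that a client with several keys loaded in an agent may exhaust it before the right key is offered, which is worth a comment next to the value. `UsePAM yes` together with `PasswordAuthentication no` and `ChallengeResponseAuthentication no` matches the file's own comment, so PAM only contributes account and session checks here.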
@@ -69,9 +69,28 @@ GENTOO_MIRROR="https://mirror.eu.oneandone.net/linux/distributions/gentoo/gentoo
 STAGE3_BASENAME="stage3-amd64-hardened+nomultilib"
 #STAGE3_BASENAME="stage3-amd64-hardened-selinux+nomultilib"
-# Default accept keywords (enable testing by default)
-#ACCEPT_KEYWORDS=""
-ACCEPT_KEYWORDS="~amd64"
+
+################################################
+# Additional (optional) configuration
 # List of additional packages to install (will be directly passed to emerge)
 ADDITIONAL_PACKAGES="app-editors/neovim"
+
+# Install and configure sshd (a reasonably secure config
+# is provided, only ed25519 host key, pubkey authentication only)
+INSTALL_SSHD=true
+
+# Install ansible, and add a user for it
+INSTALL_ANSIBLE=true
+# The home directory for the ansible user
+ANSIBLE_HOME="/var/lib/ansible"
+# An ssh key to add to the .authorized_keys file for the ansible user
+ANSIBLE_SSH_PUBKEY=""
+
+
+################################################
+# Prove that you have read the config
+
+# To prove that you have read and edited the config
+# properly, set the following value to true.
+I_HAVE_READ_AND_EDITED_THE_CONFIG_PROPERLY=false
diff --git a/scripts/main.sh b/scripts/main.sh
index c964bc0..18f5e20 100755
--- a/scripts/main.sh
+++ b/scripts/main.sh
@@ -25,7 +25,10 @@ source "$GENTOO_BOOTSTRAP_DIR/scripts/utils.sh"
 source "$GENTOO_BOOTSTRAP_DIR/scripts/config.sh"
 source "$GENTOO_BOOTSTRAP_DIR/scripts/functions.sh"
-mkdir -p "$TMP_DIR"
+[[ $I_HAVE_READ_AND_EDITED_THE_CONFIG_PROPERLY == true ]] \
+ || die "You have not properly read the config. Set I_HAVE_READ_AND_EDITED_THE_CONFIG_PROPERLY=true to continue."
+
+mkdir_or_die 0755 "$TMP_DIR"
 [[ $EUID == 0 ]] \
 || die "Must be root"
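Review bot: `INSTALL_SSHD=true` is introduced here but nothing in this commit reads it; the `# Install and enable sshd` block added to scripts/main.sh runs unconditionally, and the ansible block appends `AllowUsers ansible` to `/etc/ssh/sshd_config` regardless of the flag. Either wrap that block in `if [[ "$INSTALL_SSHD" == true ]]; then … fi` and make the `AllowUsers` append depend on it as well, or drop the knob so the config does not advertise an option that has no effect. The comment on `INSTALL_SSHD` should also state that the shipped sshd_config disables password login entirely, since with `ANSIBLE_SSH_PUBKEY=""` and no other key deployed the host is unreachable over ssh after the install.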
@@ -52,12 +55,6 @@ main_install_gentoo_in_chroot() {
 passwd -l root \
 || die "Could not change root password"
- einfo "Selecting portage mirrors"
- # TODO mirrorselect
- # TODO gpg portage sync
- # TODO additional binary repos
- # TODO safe dns settings (claranet)
-
 # Mount efi partition
 einfo "Mounting efi"
 mount_by_partuuid "$PARTITION_UUID_EFI" "/boot/efi"
@@ -94,23 +91,98 @@ main_install_gentoo_in_chroot() {
 mkdir_or_die 0755 "/etc/portage/package.keywords"
 touch_or_die 0644 "/etc/portage/package.keywords/zz-autounmask"
+ einfo "Temporarily installing mirrorselect"
+ try emerge --verbose --oneshot app-portage/mirrorselect
+
+ einfo "Selecting fastest portage mirrors"
+ try mirrorselect -s 4 -b 10 -D
+
 # Install git (for git portage overlays)
 einfo "Installing git"
 try emerge --verbose dev-vcs/git
- # Install vanilla kernel, to be able to boot the system.
+ # Install vanilla kernel and efibootmgr, to be able to boot the system.
 einfo "Installing vanilla kernel"
- try emerge --verbose sys-kernel/vanilla-kernel
+ try emerge --verbose sys-kernel/vanilla-kernel sys-boot/efibootmgr
+
+ # Copy kernel to EFI
+ local kernel_version
+ kernel_version="$(ls "/boot/vmlinuz-"* | sort -V | tail -1)" \
+ || die "Could not list newest kernel file"
+ kernel_version="${kernel_version#vmlinuz-}" \
+ || die "Could not find kernel version"
+
+ mkdir_or_die 0755 "/boot/efi/EFI"
+ cp "/boot/initramfs-$kernel_version"* "/boot/efi/EFI/initramfs.img" \
+ || die "Could not copy initramfs to EFI partition"
+ cp "/boot/vmlinuz-$kernel_version"* "/boot/efi/EFI/vmlinuz.efi" \
+ || die "Could not copy kernel to EFI partition"
+
+ # Create boot entry
+ einfo "Creating efi boot entry"
+ local linuxdev
+ linuxdev="$(get_device_by_partuuid "$PARTITION_UUID_LINUX")" \
+ || die "Could not resolve partition UUID '$PARTITION_UUID_LINUX'"
+ local efidev
+ efidev="$(get_device_by_partuuid "$PARTITION_UUID_EFI")" \
+ || die "Could not resolve partition UUID '$PARTITION_UUID_EFI'"
+ local efipartnum="${efidev: -1}"
+ efibootmgr --verbose --create --disk "$PARTITION_DEVICE" --part "$efipartnum" --label "gentoo" --loader '\EFI\vmlinuz.efi' --unicode "root=$linuxdev initrd=initramfs.img" \
+ || die "Could not add efi boot entry"
 # Install additional packages, if any.
if [[ -n "$ADDITIONAL_PACKAGES" ]]; then
 einfo "Installing additional packages"
- emerge --autounmask-continue=y -- $ADDITIONAL_PACKAGES
+ try emerge --verbose --autounmask-continue=y -- $ADDITIONAL_PACKAGES
 fi
- #create_ansible_user
- #generate_fresh keys to become mgmnt ansible user
- #install_ansible
+ # Generate a valid fstab file
+ einfo "Generating fstab"
+ install -m0644 -o root -g root "$GENTOO_BOOTSTRAP_DIR/configs/fstab" /etc/fstab \
+ || die "Could not overwrite /etc/fstab"
+ echo "PARTUUID=$PARTITION_UUID_LINUX / ext4 defaults,noatime,errors=remount-ro,discard 0 1" >> /etc/fstab \
+ || die "Could not append entry to fstab"
+ echo "PARTUUID=$PARTITION_UUID_EFI /boot/efi vfat defaults,noatime,fmask=0022,dmask=0022,noexec,nodev,nosuid,discard 0 2" >> /etc/fstab \
+ || die "Could not append entry to fstab"
+ if [[ "$ENABLE_SWAP" == true ]]; then
+ echo "PARTUUID=$PARTITION_UUID_SWAP none swap defaults,discard 0 0" >> /etc/fstab \
+ || die "Could not append entry to fstab"
+ fi
+
+ # Install and enable sshd
+ einfo "Installing sshd"
+ install -m0600 -o root -g root "$GENTOO_BOOTSTRAP_DIR/configs/sshd_config" /etc/ssh/sshd_config \
+ || die "Could not install /etc/ssh/sshd_config"
+ rc-update add sshd default \
+ || die "Could not add sshd to default services"
+
+ # Install and enable dhcpcd
+ einfo "Installing dhcpcd"
+ try emerge --verbose net-misc/dhcpcd sys-apps/iproute2
+ rc-update add dhcpcd default \
+ || die "Could not add dhcpcd to default services"
+
+ # Install ansible
+ if [[ "$INSTALL_ANSIBLE" == true ]]; then
+ einfo "Installing ansible"
+ try emerge --verbose app-admin/ansible
+
+ einfo "Creating ansible user"
+ useradd -r -d "$ANSIBLE_HOME" -s /bin/bash ansible
+ mkdir_or_die 0700 "$ANSIBLE_HOME"
+ mkdir_or_die 0700 "$ANSIBLE_HOME/.ssh"
+
+ if [[ -n "$ANSIBLE_SSH_PUBKEY" ]]; then
+ einfo "Adding ssh key for ansible"
+ touch_or_die 0600 "$ANSIBLE_HOME/.ssh/authorized_keys"
+ echo "$ANSIBLE_SSH_PUBKEY" >> "$ANSIBLE_HOME/.ssh/authorized_keys" \
|| die "Could not add ssh key to authorized_keys"
+ fi
+
+ einfo "Allowing ansible for ssh"
+ echo "AllowUsers ansible" >> "/etc/ssh/sshd_config" \
+ || die "Could not append to /etc/ssh/sshd_config"
+ fi
 if ask "Do you want to assign a root password now?"; then
 passwd root
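Review bot: `kernel_version` keeps its `/boot/` prefix: `ls "/boot/vmlinuz-"*` prints full paths, so `${kernel_version#vmlinuz-}` strips nothing and the following `cp "/boot/initramfs-$kernel_version"*` looks for `/boot/initramfs-/boot/vmlinuz-…`; use `kernel_version="${kernel_version##*/vmlinuz-}"`. The `|| die "Could not find kernel version"` after that expansion is unreachable, because a plain parameter assignment always returns 0. In the ansible block `useradd` has no `|| die`, and `$ANSIBLE_HOME` and its `.ssh` are created by root with mode 0700 and never chowned, so the ansible user cannot enter its own home and, as sshd opens `authorized_keys` with the user's privileges, the key written just above would not be usable; add `chown -R ansible:ansible "$ANSIBLE_HOME"` after the key is appended. Appending `AllowUsers ansible` switches sshd to an allow-list for the whole host, so any admin account created later is locked out of ssh until it is added there, which deserves a comment or a configurable user list. main_install_gentoo_in_chroot both starts and ends outside this hunk.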