Finished efibootmgr execution; Added installation of sshd, dhcpcd, ansible. Added mirrorselect.

This commit is contained in:
oddlama 2020-01-06 00:35:15 +01:00
parent 6c47a73d75
commit 8af50eb142
No known key found for this signature in database
GPG Key ID: 88EA325D51D53908
5 changed files with 285 additions and 21 deletions


@ -1,5 +1,14 @@
# Gentoo installation script # Gentoo installation script
TODO clarify:
* /boot will not be mounted to efi partition, instead /boot/efi ist the mountpoint.
this prevents /boot from getting full by automated installs, and allows the kernel
script to keep exactly two versions (last working kernel), and new one.
* kernel without module loading capability for security. localyesconfig
**TL;DR:** Installs gentoo on a new system, suited for both servers and desktops. **TL;DR:** Installs gentoo on a new system, suited for both servers and desktops.
Optionally prepares ansible for automatic system configuration. Optionally prepares ansible for automatic system configuration.
See [Install](#Install) for usage instructions. See [Install](#Install) for usage instructions.

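--- a/configs/fstab
+++ b/configs/fstab
+# /etc/fstab: static file system information.
+#
+# noatime turns off atimes for increased performance (atimes normally aren't
+# needed); notail increases performance of ReiserFS (at the expense of storage
+# efficiency). It's safe to drop the noatime options if you want and to
+# switch between notail / tail freely.
+#
+# The root filesystem should have a pass number of either 0 or 1.
+# All other filesystems should have a pass number of 0 or greater than 1.
+#
+# See the manpage fstab(5) for more information.
+#
+# <fs> <mountpoint> <type> <opts> <dump/pass>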

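--- a/configs/sshd_config
+++ b/configs/sshd_config
+# /etc/ssh/sshd_config
+#
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+# Limit Host Key Algorithms
+HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
+# Limit Key Exchange Algorithms
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+# Logging
+#SyslogFacility AUTH
+LogLevel VERBOSE
+#LoginGraceTime 2m
+PermitRootLogin no
+#StrictModes yes
+MaxAuthTries 2
+MaxSessions 4
+#PubkeyAuthentication yes
+# only allow users to login, explicitly forbid root login
+DenyUsers root
+DenyGroups root
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+#AuthorizedPrincipalsFile none
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+AllowAgentForwarding no
+AllowTcpForwarding no
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive no
+#UseLogin no
+#PermitUserEnvironment no
+Compression delayed
+ClientAliveInterval 300
+ClientAliveCountMax 2
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+# no default banner path
+#Banner none
+# here are the new patched ldap related tokens
+# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
+#UseLPK yes
+#LpkLdapConf /etc/ldap.conf
+#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/
+#LpkUserDN ou=users,dc=phear,dc=org
+#LpkGroupDN ou=groups,dc=phear,dc=org
+#LpkBindDN cn=Manager,dc=phear,dc=org
+#LpkBindPw secret
+#LpkServerGroup mail
+#LpkFilter (hostAccess=master.phear.org)
+#LpkForceTLS no
+#LpkSearchTimelimit 3
+#LpkBindTimelimit 3
+#LpkPubKeyAttr sshPublicKey
+# override default of no subsystems
+Subsystem sftp /usr/lib64/misc/sftp-server
+# the following are HPN related configuration options
+# tcp receive buffer polling. disable in non autotuning kernels
+#TcpRcvBufPoll yes
+# disable hpn performance boosts
+#HPNDisabled no
+# buffer size for hpn to non-hpn connections
+#HPNBufferSize 2048
+# allow the use of the none cipher
+#NoneEnabled no
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+# Allow client to pass locale environment variables #367017
+AcceptEnv LANG LC_*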
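Review bot: `HostKeyAlgorithms` still advertises `ssh-rsa-cert-v01@openssh.com` and `ssh-rsa` (SHA-1-signed RSA host keys) although the only `HostKey` left uncommented is the ed25519 one, so those entries are dead at best and contradict the "only ed25519 host key" description given for `INSTALL_SSHD` in the config; trim the line to `HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519`, or if an RSA host key is really wanted, enable that `HostKey` and list the rsa-sha2-512/rsa-sha2-256 variants instead of plain ssh-rsa. A short header comment saying this file is a template the installer extends would help, since (as far as the install-script hunk shows) `AllowUsers ansible` is appended at install time when INSTALL_ANSIBLE is set, which then excludes every other account from ssh; a reader of this file alone cannot see that. `Compression delayed` is, to my knowledge, only accepted as a deprecated alias for `yes` on current OpenSSH releases, so `Compression yes` (or `no`) states the intent without relying on the alias.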


@ -13,6 +13,11 @@ ENABLE_SWAP=false
# Enable partitioning (will still ask before doing anything critical) # Enable partitioning (will still ask before doing anything critical)
ENABLE_PARTITIONING=true ENABLE_PARTITIONING=true
# Format the partitions with the correct filesystems,
# if you didn't chose automatic partitioning, you will be asked
# before any formatting is done.
ENABLE_FORMATTING=true
# The device to partition # The device to partition
PARTITION_DEVICE="/dev/sda" PARTITION_DEVICE="/dev/sda"
# Size of swap partition (if enabled) # Size of swap partition (if enabled)
@ -26,11 +31,6 @@ PARTITION_UUID_EFI="$(load_or_generate_uuid 'efi')"
PARTITION_UUID_SWAP="$(load_or_generate_uuid 'swap')" PARTITION_UUID_SWAP="$(load_or_generate_uuid 'swap')"
PARTITION_UUID_LINUX="$(load_or_generate_uuid 'linux')" PARTITION_UUID_LINUX="$(load_or_generate_uuid 'linux')"
# Format the partitions with the correct filesystems,
# if you didn't chose automatic partitioning, you will be asked
# before any formatting is done.
ENABLE_FORMATTING=true
################################################ ################################################
# System configuration # System configuration
@ -69,9 +69,28 @@ GENTOO_MIRROR="https://mirror.eu.oneandone.net/linux/distributions/gentoo/gentoo
STAGE3_BASENAME="stage3-amd64-hardened+nomultilib" STAGE3_BASENAME="stage3-amd64-hardened+nomultilib"
#STAGE3_BASENAME="stage3-amd64-hardened-selinux+nomultilib" #STAGE3_BASENAME="stage3-amd64-hardened-selinux+nomultilib"
# Default accept keywords (enable testing by default)
#ACCEPT_KEYWORDS="" ################################################
ACCEPT_KEYWORDS="~amd64" # Additional (optional) configuration
# List of additional packages to install (will be directly passed to emerge) # List of additional packages to install (will be directly passed to emerge)
ADDITIONAL_PACKAGES="app-editors/neovim" ADDITIONAL_PACKAGES="app-editors/neovim"
# Install and configure sshd (a reasonably secure config
# is provided, only ed25519 host key, pubkey authentication only)
INSTALL_SSHD=true
# Install ansible, and add a user for it
INSTALL_ANSIBLE=true
# The home directory for the ansible user
ANSIBLE_HOME="/var/lib/ansible"
# An ssh key to add to the .authorized_keys file for the ansible user
ANSIBLE_SSH_PUBKEY=""
################################################
# Prove that you have read the config
# To prove that you have read and edited the config
# properly, set the following value to true.
I_HAVE_READ_AND_EDITED_THE_CONFIG_PROPERLY=false
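Review bot: `INSTALL_SSHD=true` is introduced here but nothing visible acts on it — in the install-script section further down, the `install ... /etc/ssh/sshd_config` and `rc-update add sshd default` steps run unconditionally — so either gate that block on `[[ "$INSTALL_SSHD" == true ]]` or drop the option rather than ship a switch that does nothing. The comment on `ANSIBLE_SSH_PUBKEY` names the wrong file: the installer writes `$ANSIBLE_HOME/.ssh/authorized_keys`, so `# An ssh public key (a single authorized_keys line, appended verbatim) to add to $ANSIBLE_HOME/.ssh/authorized_keys for the ansible user` would both fix the path and tell the reader what format is expected. The `INSTALL_SSHD` comment also promises "only ed25519 host key", which matches the single `HostKey` in the shipped sshd_config but not its `HostKeyAlgorithms` line, which still lists ssh-rsa variants; keep the two in sync.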


@ -25,7 +25,10 @@ source "$GENTOO_BOOTSTRAP_DIR/scripts/utils.sh"
source "$GENTOO_BOOTSTRAP_DIR/scripts/config.sh" source "$GENTOO_BOOTSTRAP_DIR/scripts/config.sh"
source "$GENTOO_BOOTSTRAP_DIR/scripts/functions.sh" source "$GENTOO_BOOTSTRAP_DIR/scripts/functions.sh"
mkdir -p "$TMP_DIR" [[ $I_HAVE_READ_AND_EDITED_THE_CONFIG_PROPERLY == true ]] \
|| die "You have not properly read the config. Set I_HAVE_READ_AND_EDITED_THE_CONFIG_PROPERLY=true to continue."
mkdir_or_die 0755 "$TMP_DIR"
[[ $EUID == 0 ]] \ [[ $EUID == 0 ]] \
|| die "Must be root" || die "Must be root"
@ -52,12 +55,6 @@ main_install_gentoo_in_chroot() {
passwd -l root \ passwd -l root \
|| die "Could not change root password" || die "Could not change root password"
einfo "Selecting portage mirrors"
# TODO mirrorselect
# TODO gpg portage sync
# TODO additional binary repos
# TODO safe dns settings (claranet)
# Mount efi partition # Mount efi partition
einfo "Mounting efi" einfo "Mounting efi"
mount_by_partuuid "$PARTITION_UUID_EFI" "/boot/efi" mount_by_partuuid "$PARTITION_UUID_EFI" "/boot/efi"
@ -94,23 +91,98 @@ main_install_gentoo_in_chroot() {
mkdir_or_die 0755 "/etc/portage/package.keywords" mkdir_or_die 0755 "/etc/portage/package.keywords"
touch_or_die 0644 "/etc/portage/package.keywords/zz-autounmask" touch_or_die 0644 "/etc/portage/package.keywords/zz-autounmask"
einfo "Temporarily installing mirrorselect"
try emerge --verbose --oneshot app-portage/mirrorselect
einfo "Selecting fastest portage mirrors"
try mirrorselect -s 4 -b 10 -D
# Install git (for git portage overlays) # Install git (for git portage overlays)
einfo "Installing git" einfo "Installing git"
try emerge --verbose dev-vcs/git try emerge --verbose dev-vcs/git
# Install vanilla kernel, to be able to boot the system. # Install vanilla kernel and efibootmgr, to be able to boot the system.
einfo "Installing vanilla kernel" einfo "Installing vanilla kernel"
try emerge --verbose sys-kernel/vanilla-kernel try emerge --verbose sys-kernel/vanilla-kernel sys-boot/efibootmgr
# Copy kernel to EFI
local kernel_version
kernel_version="$(ls "/boot/vmlinuz-"* | sort -V | tail -1)" \
|| die "Could not list newest kernel file"
kernel_version="${kernel_version#vmlinuz-}" \
|| die "Could not find kernel version"
mkdir_or_die 0755 "/boot/efi/EFI"
cp "/boot/initramfs-$kernel_version"* "/boot/efi/EFI/initramfs.img" \
|| die "Could not copy initramfs to EFI partition"
cp "/boot/vmlinuz-$kernel_version"* "/boot/efi/EFI/vmlinuz.efi" \
|| die "Could not copy kernel to EFI partition"
# Create boot entry
einfo "Creating efi boot entry"
local linuxdev
linuxdev="$(get_device_by_partuuid "$PARTITION_UUID_LINUX")" \
|| die "Could not resolve partition UUID '$PARTITION_UUID_LINUX'"
local efidev
efidev="$(get_device_by_partuuid "$PARTITION_UUID_EFI")" \
|| die "Could not resolve partition UUID '$PARTITION_UUID_EFI'"
local efipartnum="${efidev: -1}"
efibootmgr --verbose --create --disk "$PARTITION_DEVICE" --part "$efipartnum" --label "gentoo" --loader '\EFI\vmlinuz.efi' --unicode "root=$linuxdev initrd=initramfs.img" \
|| die "Could not add efi boot entry"
# Install additional packages, if any. # Install additional packages, if any.
if [[ -n "$ADDITIONAL_PACKAGES" ]]; then if [[ -n "$ADDITIONAL_PACKAGES" ]]; then
einfo "Installing additional packages" einfo "Installing additional packages"
emerge --autounmask-continue=y -- $ADDITIONAL_PACKAGES try emerge --verbose --autounmask-continue=y -- $ADDITIONAL_PACKAGES
fi fi
#create_ansible_user # Generate a valid fstab file
#generate_fresh keys to become mgmnt ansible user einfo "Generating fstab"
#install_ansible install -m0644 -o root -g root "$GENTOO_BOOTSTRAP_DIR/configs/fstab" /etc/fstab \
|| die "Could not overwrite /etc/fstab"
echo "PARTUUID=$PARTITION_UUID_LINUX / ext4 defaults,noatime,errors=remount-ro,discard 0 1" >> /etc/fstab \
|| die "Could not append entry to fstab"
echo "PARTUUID=$PARTITION_UUID_EFI /boot/efi vfat defaults,noatime,fmask=0022,dmask=0022,noexec,nodev,nosuid,discard 0 2" >> /etc/fstab \
|| die "Could not append entry to fstab"
if [[ "$ENABLE_SWAP" == true ]]; then
echo "PARTUUID=$PARTITION_UUID_SWAP none swap defaults,discard 0 0" >> /etc/fstab \
|| die "Could not append entry to fstab"
fi
# Install and enable sshd
einfo "Installing sshd"
install -m0600 -o root -g root "$GENTOO_BOOTSTRAP_DIR/configs/sshd_config" /etc/ssh/sshd_config \
|| die "Could not install /etc/ssh/sshd_config"
rc-update add sshd default \
|| die "Could not add sshd to default services"
# Install and enable dhcpcd
einfo "Installing dhcpcd"
try emerge --verbose net-misc/dhcpcd sys-apps/iproute2
rc-update add dhcpcd default \
|| die "Could not add dhcpcd to default services"
# Install ansible
if [[ "$INSTALL_ANSIBLE" == true ]]; then
einfo "Installing ansible"
try emerge --verbose app-admin/ansible
einfo "Creating ansible user"
useradd -r -d "$ANSIBLE_HOME" -s /bin/bash ansible
mkdir_or_die 0700 "$ANSIBLE_HOME"
mkdir_or_die 0700 "$ANSIBLE_HOME/.ssh"
if [[ -n "$ANSIBLE_SSH_PUBKEY" ]]; then
einfo "Adding ssh key for ansible"
touch_or_die 0600 "$ANSIBLE_HOME/.ssh/authorized_keys"
echo "$ANSIBLE_SSH_PUBKEY" >> "$ANSIBLE_HOME/.ssh/authorized_keys" \
|| die "Could not add ssh key to authorized_keys"
fi
einfo "Allowing ansible for ssh"
echo "AllowUsers ansible" >> "/etc/ssh/sshd_config" \
|| die "Could not append to /etc/ssh/sshd_config"
fi
if ask "Do you want to assign a root password now?"; then if ask "Do you want to assign a root password now?"; then
passwd root passwd root