From f07929d0d658ed5ea2d75b4b5b9d259978166bb7 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Mon, 6 Jan 2020 16:13:42 +0100
Subject: [PATCH] Added option for HOSTNAME; chown ansible home.
---
 README.md | 7 +++++++
 configs/sshd_config | 2 +-
 scripts/config.sh | 21 +++++++++++++--------
 scripts/functions.sh | 12 +++++++++++-
 scripts/main.sh | 26 +++++++++++++++++---------
 5 files changed, 49 insertions(+), 19 deletions(-)
diff --git a/README.md b/README.md
index bd653e2..47a35f0 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,13 @@ TODO clarify:
 * kernel without module loading capability for security. localyesconfig
+Recommendations:
+
+* Use umask 0077
+* Edit sshd_config, change port and create a sshusers group for users which may use ssh.
+* Use LUKS encryption on the disk
+* Use a properly configured kernel, at best restrict even USB!
+
 **TL;DR:** Installs gentoo on a new system, suited for both servers and desktops. Optionally prepares ansible for automatic system configuration.
diff --git a/configs/sshd_config b/configs/sshd_config
index 5faf528..0423499 100644
--- a/configs/sshd_config
+++ b/configs/sshd_config
@@ -14,7 +14,7 @@ Port 22
 HostKey /etc/ssh/ssh_host_ed25519_key
 # Limit Host Key Algorithms
-HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
+HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
 # Limit Key Exchange Algorithms
 KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
diff --git a/scripts/config.sh b/scripts/config.sh
index 05938a0..f90eeb1 100644
--- a/scripts/config.sh
+++ b/scripts/config.sh
@@ -33,9 +33,16 @@ PARTITION_UUID_LINUX="$(load_or_generate_uuid 'linux')"
 ################################################
 # System configuration
+# Enter the desired system hostname here
+HOSTNAME="gentoo"
+
+# The timezone for the new system
 TIMEZONE="Europe/Berlin"
+# The default keymap for the system
+KEYMAP="de-latin1-nodeadkeys"
+#KEYMAP="us"
+
+# A list of additional locales to generate. You should only
 # add locales here if you really need them and want to localize
 # your system. Otherwise, leave this list empty, and use C.utf8.
@@ -51,10 +58,6 @@ LOCALE="C.utf8"
 # " # End of LOCALES # LOCALE="de_DE.utf8"
-# The default keymap for the system
-KEYMAP="de-latin1-nodeadkeys"
-#KEYMAP="us"
-
 ################################################
 # Gentoo configuration
@@ -74,16 +77,18 @@ STAGE3_BASENAME="stage3-amd64-hardened+nomultilib"
 # List of additional packages to install (will be directly passed to emerge)
 ADDITIONAL_PACKAGES="app-editors/neovim"
-# Install and configure sshd (a reasonably secure config
-# is provided, only ed25519 host key, pubkey authentication only)
+# Install and configure sshd (a reasonably secure config is provided, which
+# only allows the use of ed25519 keys, and requires pubkey authentication)
 INSTALL_SSHD=true
 # Install ansible, and add a user for it
 INSTALL_ANSIBLE=true
 # The home directory for the ansible user
 ANSIBLE_HOME="/var/lib/ansible"
-# An ssh key to add to the .authorized_keys file for the ansible user
-ANSIBLE_SSH_PUBKEY=""
+# An ssh key to add to the .authorized_keys file for the ansible user.
+# This variable will become the content of the .authorized_keys file,
+# so you may specify one key per line.
+ANSIBLE_SSH_AUTHORIZED_KEYS=""
 ################################################
diff --git a/scripts/functions.sh b/scripts/functions.sh
index 2de186a..3116562 100644
--- a/scripts/functions.sh
+++ b/scripts/functions.sh
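Review bot: The new `HOSTNAME="gentoo"` setting reuses the name of a variable that bash itself initialises at startup with the running machine's hostname, so if this line is ever commented out or removed the installer silently proceeds with the live host's name rather than stopping on an unset variable; the `$HOSTNAME` reads in the check_config hunk of scripts/functions.sh and in the hostname hunk of scripts/main.sh inherit the same fallback. A name bash does not pre-populate, such as `SYSTEM_HOSTNAME`, would make a missing setting fail loudly. If the name is kept, the comment above it should say so: `# Enter the desired system hostname here (note: bash also sets HOSTNAME itself, so leaving this unset silently keeps the installer's hostname)`.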
@@ -25,6 +25,15 @@ sync_time() {
 check_config() {
 [[ "$KEYMAP" =~ ^[0-9A-Za-z-]*$ ]] \
 || die "KEYMAP contains invalid characters"
+
+ # Check hostname per RFC1123
+ [[ "$HOSTNAME" ~= '^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' ]] \
+ || die "'$HOSTNAME' is not a valid hostname"
+
+ if [[ "$INSTALL_ANSIBLE" == true ]]; then
+ [[ -n "$ANSIBLE_SSH_AUTHORIZED_KEYS" ]] \
+ || die "Missing pubkey for ansible user"
+ fi
 }
 prepare_installation_environment() {
@@ -160,7 +169,8 @@ mount_efivars() {
 # Mount efivars
 einfo "Mounting efivars"
- mount -t efivarfs efivarfs "/sys/firmware/efi/efivars"
+ mount -t efivarfs efivarfs "/sys/firmware/efi/efivars" \
+ || die "Could not mount efivarfs"
 }
 mount_by_partuuid() {
diff --git a/scripts/main.sh b/scripts/main.sh
index 4f64717..4c1b434 100755
--- a/scripts/main.sh
+++ b/scripts/main.sh
@@ -64,12 +64,22 @@ main_install_gentoo_in_chroot() {
 einfo "Syncing portage tree"
 try emerge-webrsync
+ # Set hostname
+ einfo "Selecting hostname"
+ sed -i "/hostname=/c\\hostname=\"$HOSTNAME\"" /etc/conf.d/hostname \
+ || die "Could not sed replace in /etc/conf.d/hostname"
+
 # Set timezone
 einfo "Selecting timezone"
 echo "$TIMEZONE" > /etc/timezone \
 || die "Could not write /etc/timezone"
 try emerge -v --config sys-libs/timezone-data
+ # Set keymap
+ einfo "Selecting keymap"
+ sed -i "/keymap=/c\\keymap=\"$KEYMAP\"" /etc/conf.d/keymaps \
+ || die "Could not sed replace in /etc/conf.d/keymaps"
+
 # Set locale
 einfo "Selecting locale"
 echo "$LOCALES" > /etc/locale.gen \
@@ -78,11 +88,6 @@ main_install_gentoo_in_chroot() {
 || die "Could not generate locales"
 try eselect locale set "$LOCALE"
- # Set keymap
- einfo "Selecting keymap"
- sed -i "/keymap=/c\\$KEYMAP" /etc/conf.d/keymaps \
- || die "Could not sed replace in /etc/conf.d/keymaps"
-
 # Update environment
 env_update
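Review bot: The hostname check added to check_config uses `~=`, which bash does not accept as a conditional operator (the regex-match operator is `=~`), so bash reports a syntax error when the function definition is parsed; and because the pattern is single-quoted, a quoted right-hand side of `=~` is matched as a literal string, so even after the operator fix every hostname would be rejected. Put the pattern in a variable and match it unquoted: `local hostname_re='^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9-]*[A-Za-z0-9])$'` followed by `[[ "$HOSTNAME" =~ $hostname_re ]] \` and the existing `|| die` line (the `\-` inside the bracket expressions is not an escape in POSIX ERE and also admitted a literal backslash, hence the plain `-`). RFC 1123 further limits each label to 63 and the whole name to 253 octets, which the regex does not enforce; `(( ${#HOSTNAME} <= 253 )) || die "'$HOSTNAME' is too long"` would cover the total length. This check is also what keeps `$HOSTNAME` free of sed metacharacters before scripts/main.sh splices it into a `sed -i` expression, so it needs to work before that hunk can be relied on.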
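Review bot: Both new `sed -i` calls in main_install_gentoo_in_chroot use unanchored addresses, `/hostname=/` and `/keymap=/`, so the `c\` command replaces every line that merely contains that text — a commented-out example or another setting whose name ends in `keymap` would be rewritten as well — rather than only the assignment; anchoring them, `sed -i "/^hostname=/c\\hostname=\"$HOSTNAME\"" /etc/conf.d/hostname \` and `sed -i "/^keymap=/c\\keymap=\"$KEYMAP\"" /etc/conf.d/keymaps \`, limits the edit to the intended line. When no line matches, sed still exits 0 without touching the file, so the `|| die` on the following line cannot detect a file that lacks the setting; a `grep -q '^hostname=' /etc/conf.d/hostname || die "hostname not set in /etc/conf.d/hostname"` after the edit (and likewise for keymap) would. Both values are spliced straight into the sed script, which is safe only because check_config in scripts/functions.sh restricts them to alphanumerics and hyphens (plus dots for the hostname); whether check_config runs before this function is not visible here and is worth confirming. main_install_gentoo_in_chroot begins before this hunk and continues after it.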
@@ -128,7 +133,7 @@ main_install_gentoo_in_chroot() {
 efidev="$(get_device_by_partuuid "$PARTITION_UUID_EFI")" \
 || die "Could not resolve partition UUID '$PARTITION_UUID_EFI'"
 local efipartnum="${efidev: -1}"
- try efibootmgr --verbose --create --disk "$PARTITION_DEVICE" --part "$efipartnum" --label "gentoo" --loader '\EFI\vmlinuz.efi' --unicode "root=$linuxdev initrd=initramfs.img"
+ try efibootmgr --verbose --create --disk "$PARTITION_DEVICE" --part "$efipartnum" --label "gentoo" --loader '\EFI\vmlinuz.efi' --unicode "root=$linuxdev initrd=\\EFI\\initramfs.img"
 # Install additional packages, if any.
 if [[ -n "$ADDITIONAL_PACKAGES" ]]; then
@@ -172,13 +177,16 @@ main_install_gentoo_in_chroot() {
 mkdir_or_die 0700 "$ANSIBLE_HOME"
 mkdir_or_die 0700 "$ANSIBLE_HOME/.ssh"
- if [[ -n "$ANSIBLE_SSH_PUBKEY" ]]; then
- einfo "Adding ssh key for ansible"
+ if [[ -n "$ANSIBLE_SSH_AUTHORIZED_KEYS" ]]; then
+ einfo "Adding authorized keys for ansible"
 touch_or_die 0600 "$ANSIBLE_HOME/.ssh/authorized_keys"
- echo "$ANSIBLE_SSH_PUBKEY" >> "$ANSIBLE_HOME/.ssh/authorized_keys" \
+ echo "$ANSIBLE_SSH_AUTHORIZED_KEYS" >> "$ANSIBLE_HOME/.ssh/authorized_keys" \
 || die "Could not add ssh key to authorized_keys"
 fi
+ chown -R ansible: "$ANSIBLE_HOME" \
+ || die "Could not change ownership of ansible home"
+
 einfo "Allowing ansible for ssh"
 echo "AllowUsers ansible" >> "/etc/ssh/sshd_config" \
 || die "Could not append to /etc/ssh/sshd_config"
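Review bot: The authorized_keys write at the `echo ... >>` line appends to the file rather than setting its content, which no longer matches the new config.sh comment that `ANSIBLE_SSH_AUTHORIZED_KEYS` "will become the content of the .authorized_keys file"; if `touch_or_die` leaves an existing file in place, earlier keys survive, and `printf` is the robust way to emit arbitrary configured text. `printf '%s\n' "$ANSIBLE_SSH_AUTHORIZED_KEYS" > "$ANSIBLE_HOME/.ssh/authorized_keys" \` writes exactly the configured keys and nothing else, and the error message on the next line could then read `|| die "Could not write authorized_keys"`. The new `chown -R ansible:` correctly covers `.ssh` and the key file created as root above, but since it recurses over a config-supplied path a comment such as `# Hand the whole home (incl. .ssh, created as root above) to the ansible user` would make the intent explicit. main_install_gentoo_in_chroot continues outside this hunk.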