Added option for HOSTNAME; chown ansible home.

README.md

@@ -8,6 +8,13 @@ TODO clarify:
 * kernel without module loading capability for security. localyesconfig
 
 
+Recommendations:
+
+* Use umask 0077
+* Edit sshd_config, change port and create a sshusers group for users which may use ssh.
+* Use LUKS encryption on the disk
+* Use a properly configured kernel, at best restrict even USB!
+
 
 **TL;DR:** Installs gentoo on a new system, suited for both servers and desktops.
 Optionally prepares ansible for automatic system configuration.

configs/sshd_config

@@ -14,7 +14,7 @@ Port 22
 HostKey /etc/ssh/ssh_host_ed25519_key
 
 # Limit Host Key Algorithms
-HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
+HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
 
 # Limit Key Exchange Algorithms
 KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

scripts/config.sh

@@ -33,9 +33,16 @@ PARTITION_UUID_LINUX="$(load_or_generate_uuid 'linux')"
 ################################################
 # System configuration
 
+# Enter the desired system hostname here
+HOSTNAME="gentoo"
+
 # The timezone for the new system
 TIMEZONE="Europe/Berlin"
 
+# The default keymap for the system
+KEYMAP="de-latin1-nodeadkeys"
+#KEYMAP="us"
+
 # A list of additional locales to generate. You should only
 # add locales here if you really need them and want to localize
 # your system. Otherwise, leave this list empty, and use C.utf8.
@@ -51,10 +58,6 @@ LOCALE="C.utf8"
 # " # End of LOCALES
 # LOCALE="de_DE.utf8"
 
-# The default keymap for the system
-KEYMAP="de-latin1-nodeadkeys"
-#KEYMAP="us"
-
 
 ################################################
 # Gentoo configuration
@@ -74,16 +77,18 @@ STAGE3_BASENAME="stage3-amd64-hardened+nomultilib"
 # List of additional packages to install (will be directly passed to emerge)
 ADDITIONAL_PACKAGES="app-editors/neovim"
 
-# Install and configure sshd (a reasonably secure config
+# Install and configure sshd (a reasonably secure config is provided, which
-# is provided, only ed25519 host key, pubkey authentication only)
+# only allows the use of ed25519 keys, and requires pubkey authentication)
 INSTALL_SSHD=true
 
 # Install ansible, and add a user for it
 INSTALL_ANSIBLE=true
 # The home directory for the ansible user
 ANSIBLE_HOME="/var/lib/ansible"
-# An ssh key to add to the .authorized_keys file for the ansible user
+# An ssh key to add to the .authorized_keys file for the ansible user.
-ANSIBLE_SSH_PUBKEY=""
+# This variable will become the content of the .authorized_keys file,
+# so you may specify one key per line.
+ANSIBLE_SSH_AUTHORIZED_KEYS=""
 
 
 ################################################

scripts/functions.sh

@@ -25,6 +25,15 @@ sync_time() {
 check_config() {
 	[[ "$KEYMAP" =~ ^[0-9A-Za-z-]*$ ]] \
 		|| die "KEYMAP contains invalid characters"
+
+	# Check hostname per RFC1123
+	[[ "$HOSTNAME" ~= '^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' ]] \
+		|| die "'$HOSTNAME' is not a valid hostname"
+
+	if [[ "$INSTALL_ANSIBLE" == true ]]; then
+		[[ -n "$ANSIBLE_SSH_AUTHORIZED_KEYS" ]] \
+			|| die "Missing pubkey for ansible user"
+	fi
 }
 
 prepare_installation_environment() {
@@ -160,7 +169,8 @@ mount_efivars() {
 
 	# Mount efivars
 	einfo "Mounting efivars"
-	mount -t efivarfs efivarfs "/sys/firmware/efi/efivars"
+	mount -t efivarfs efivarfs "/sys/firmware/efi/efivars" \
+		|| die "Could not mount efivarfs"
 }
 
 mount_by_partuuid() {

scripts/main.sh

@@ -64,12 +64,22 @@ main_install_gentoo_in_chroot() {
 	einfo "Syncing portage tree"
 	try emerge-webrsync
 
+	# Set hostname
+	einfo "Selecting hostname"
+	sed -i "/hostname=/c\\hostname=\"$HOSTNAME\"" /etc/conf.d/hostname \
+		|| die "Could not sed replace in /etc/conf.d/hostname"
+
 	# Set timezone
 	einfo "Selecting timezone"
 	echo "$TIMEZONE" > /etc/timezone \
 		|| die "Could not write /etc/timezone"
 	try emerge -v --config sys-libs/timezone-data
 
+	# Set keymap
+	einfo "Selecting keymap"
+	sed -i "/keymap=/c\\keymap=\"$KEYMAP\"" /etc/conf.d/keymaps \
+		|| die "Could not sed replace in /etc/conf.d/keymaps"
+
 	# Set locale
 	einfo "Selecting locale"
 	echo "$LOCALES" > /etc/locale.gen \
@@ -78,11 +88,6 @@ main_install_gentoo_in_chroot() {
 		|| die "Could not generate locales"
 	try eselect locale set "$LOCALE"
 
-	# Set keymap
-	einfo "Selecting keymap"
-	sed -i "/keymap=/c\\$KEYMAP" /etc/conf.d/keymaps \
-		|| die "Could not sed replace in /etc/conf.d/keymaps"
-
 	# Update environment
 	env_update
 
@@ -128,7 +133,7 @@ main_install_gentoo_in_chroot() {
 	efidev="$(get_device_by_partuuid "$PARTITION_UUID_EFI")" \
 		|| die "Could not resolve partition UUID '$PARTITION_UUID_EFI'"
 	local efipartnum="${efidev: -1}"
-	try efibootmgr --verbose --create --disk "$PARTITION_DEVICE" --part "$efipartnum" --label "gentoo" --loader '\EFI\vmlinuz.efi' --unicode "root=$linuxdev initrd=initramfs.img"
+	try efibootmgr --verbose --create --disk "$PARTITION_DEVICE" --part "$efipartnum" --label "gentoo" --loader '\EFI\vmlinuz.efi' --unicode "root=$linuxdev initrd=\\EFI\\initramfs.img"
 
 	# Install additional packages, if any.
 	if [[ -n "$ADDITIONAL_PACKAGES" ]]; then
@@ -172,13 +177,16 @@ main_install_gentoo_in_chroot() {
 		mkdir_or_die 0700 "$ANSIBLE_HOME"
 		mkdir_or_die 0700 "$ANSIBLE_HOME/.ssh"
 
-		if [[ -n "$ANSIBLE_SSH_PUBKEY" ]]; then
+		if [[ -n "$ANSIBLE_SSH_AUTHORIZED_KEYS" ]]; then
-			einfo "Adding ssh key for ansible"
+			einfo "Adding authorized keys for ansible"
 			touch_or_die 0600 "$ANSIBLE_HOME/.ssh/authorized_keys"
-			echo "$ANSIBLE_SSH_PUBKEY" >> "$ANSIBLE_HOME/.ssh/authorized_keys" \
+			echo "$ANSIBLE_SSH_AUTHORIZED_KEYS" >> "$ANSIBLE_HOME/.ssh/authorized_keys" \
 				|| die "Could not add ssh key to authorized_keys"
 		fi
 
+		chown -R ansible: "$ANSIBLE_HOME" \
+			|| die "Could not change ownership of ansible home"
+
 		einfo "Allowing ansible for ssh"
 		echo "AllowUsers ansible" >> "/etc/ssh/sshd_config" \
 			|| die "Could not append to /etc/ssh/sshd_config"