commit e43130516ea10334497ab8798b051cb0f2dac958
parent c11afebbecce4de06bc75502bf5a665be20ecab8
Author: Morel BĂ©renger <berengermorel76@gmail.com>
Date: Tue, 11 Aug 2020 08:33:59 +0200
encryption template + fix that part of the script
Diffstat:
17 files changed, 68 insertions(+), 5 deletions(-)
diff --git a/install.sh b/install.sh
@@ -1,5 +1,10 @@
#!/bin/sh -ex
+#TODO: really, should generate a temp file from fstab,
+# partitions, crypttab and boot config, that would
+# be far easier to manipulate that those damned
+# readlink calls...
+
MUST_DIE=0
die()
{
@@ -154,13 +159,16 @@ then
do
if test "$keyfile" = "none"
then
- keyfile="$mapped_dev.key"
+ keyfile="$SOURCE/$mapped_dev.key"
test -f "$keyfile" ||
die "keyfile ($keyfile) is not a file"
+ else
+ keyfile="$SOURCE/root/$keyfile"
fi
OPTS="$(echo -n $params | sed -e 's/[a-z]*=/--&/g' -e 's/,/ /g')"
- cryptsetup -v $OPTS luksFormat "$dev" - < "$SOURCE/$keyfile"
- cryptsetup open "$dev" "$mapped_dev" --type luks --key-file - < "$SOURCE/$keyfile"
+ part="$(eval $(echo "$dev" | sed '/PARTLABEL=/ s!PARTLABEL=\(.*\)!readlink -f /dev/disk/by-partlabel/\1!g'))"
+ cryptsetup -v $OPTS luksFormat "$part" - < "$keyfile"
+ cryptsetup open "$part" "$mapped_dev" --type luks --key-file - < "$keyfile"
done < "$crypttab"
success "encryption done"
fi
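Review bot: The `eval` on the new `part=` line only works when `$dev` starts with `PARTLABEL=`; for any other form (a plain `/dev/...` path, `UUID=`) sed leaves the string untouched and `eval` tries to execute it as a command, which under the script's `-e` aborts the install. A `case` on the prefix gives the same `readlink -f` result for the PARTLABEL form without `eval` and without the sed round trip. The new `else` branch also skips the `test -f` check that the `none` branch performs, so a missing `/etc/lukskey` only surfaces when `cryptsetup luksFormat` fails reading stdin; moving `test -f "$keyfile" || die "keyfile ($keyfile) is not a file"` below the `fi` covers both paths. The enclosing `while ... read` loop that supplies `$dev`, `$keyfile` and `$params` starts before the hunk.
```shell
  fi
  test -f "$keyfile" || die "keyfile ($keyfile) is not a file"
  OPTS="$(echo -n $params | sed -e 's/[a-z]*=/--&/g' -e 's/,/ /g')"
  case "$dev" in
    PARTLABEL=*) part="$(readlink -f "/dev/disk/by-partlabel/${dev#PARTLABEL=}")" ;;
    *) part="$dev" ;;
  esac
  # … unchanged: cryptsetup luksFormat / open on "$part" with "$keyfile" …
```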
@@ -185,11 +193,26 @@ cp -ar "$SOURCE"/root/* "$cp_target"
success "template installation done"
## bootstrap
-PKG_LIST="$(find "$SOURCE" -path 'packages' -prune -o \( -type f -name '*.list' \) -exec cat {} \+)$PKG_LIST"
+PKG_LIST="$(find "$SOURCE" -path 'packages' -prune -o \( \( -type f -o -type l \) -name '*.list' \) -exec cat {} \+)$PKG_LIST"
info "preparing to install $PKG_LIST"
debootstrap --no-merged-usr --variant=minbase "--include=$PKG_LIST" $(cat $SOURCE/name) "$cp_target" "$MIRROR"
success "install done"
+## if using cryptsetup, then it's needed to update initramfs
+## since it's *not* done (correctly?) by debootstrap
+if test -f "$crypttab"
+then
+ for metafs in dev sys proc
+ do
+ mount --bind /${metafs} /"$cp_target"/${metafs}
+ done
+ chroot /"$cp_target" update-initramfs -u
+ for metafs in dev sys proc
+ do
+ umount /"$cp_target"/${metafs}
+ done
+fi
+
info "users creation"
for user in $(cut -d: -f1 "$SOURCE/users")
do
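Review bot: The bind mounts added before `chroot /"$cp_target" update-initramfs -u` are never undone when that command fails: the script runs with `-e`, so a failing update-initramfs exits with `dev`, `sys` and `proc` still mounted under the target, and the later unmount phase (and any re-run) then operates on a tree with the host `/dev` bound into it. Capture the status instead of letting `-e` act, run the umount loop unconditionally, and fail afterwards: `rv=0`, `chroot /"$cp_target" update-initramfs -u || rv=$?`, then after the umount loop `test "$rv" = 0 || die "update-initramfs failed ($rv)"`. The `-type l` addition on the `PKG_LIST` line is needed for the symlinked `base.list`, but `-path 'packages'` compares against the full path returned by find and so never matches; if pruning a `packages` directory is intended it presumably wants `-name packages` — worth a comment either way. The `for user` loop at the end of the hunk continues outside it.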
@@ -278,7 +301,7 @@ success "unmounting done"
if test -f "$crypttab"
then
info "closing luks"
- for name in $(cut -f1 "$SOURCE/root/etc/crypttab")
+ for name in $(awk < "$SOURCE/root/etc/crypttab" '{ print $1 }' )
do
cryptsetup close $name
done
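Review bot: The awk replacement still feeds every line of the installed crypttab into `cryptsetup close`, including any comment or blank line that is later added to the template, where `$1` would be `#` or empty; `awk '!/^#/ && NF { print $1 }' "$SOURCE/root/etc/crypttab"` skips those and drops the `<` redirection. `$name` on the `cryptsetup close` line is unquoted; mapper names from crypttab contain no whitespace so it works, but `"$name"` is the conventional form. The `if test -f "$crypttab"` block closes outside the hunk.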
diff --git a/templates/encryption/boot b/templates/encryption/boot
@@ -0,0 +1,3 @@
+BOOTLOADER=syslinux
+FS_BOOT=vfat
+DIR=syslinux
diff --git a/templates/encryption/ecproot.key b/templates/encryption/ecproot.key
@@ -0,0 +1 @@
+trythis+
\ No newline at end of file
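Review bot: `templates/encryption/ecproot.key` and `templates/encryption/root/etc/lukskey` check LUKS key material into the repository, so every system built from this template is formatted with the same two fixed keys, and `lukskey` is copied into the target by the `cp -ar "$SOURCE"/root/*` step with whatever mode the checkout gives it (typically 0644), readable by every local user of the installed system. Generate both at install time instead — the root key into a `mktemp`-created path and the secondary key directly into `$cp_target/etc/lukskey` with mode 0600 — and keep only a placeholder or a README in the template. If the fixed values are meant as a development-only fixture, say so in the file name or a README next to it so the template is not deployed as is.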
diff --git a/templates/encryption/name b/templates/encryption/name
@@ -0,0 +1 @@
+buster
diff --git a/templates/encryption/packages/base.list b/templates/encryption/packages/base.list
@@ -0,0 +1 @@
+../../generic/packages/base.list+
\ No newline at end of file
diff --git a/templates/encryption/packages/encryption.list b/templates/encryption/packages/encryption.list
@@ -0,0 +1 @@
+cryptsetup-initramfs,dropbear-initramfs,
diff --git a/templates/encryption/partitions b/templates/encryption/partitions
@@ -0,0 +1,7 @@
+label: gpt
+ name="BOOTLOADER",size=256M,bootable,attrs=LegacyBIOSBootable,type="C12A7328-F81F-11D2-BA4B-00A0C93EC93B"
+ name="tproot",size=2048M
+ name="tpusr",size=4096M
+ name="tpvar",size=1024M
+ name="tphome"
+write
diff --git a/templates/encryption/root/etc/crypttab b/templates/encryption/root/etc/crypttab
@@ -0,0 +1,4 @@
+ecproot PARTLABEL=tproot none cipher=aes-xts-plain64,size=512,hash=sha512
+ecpusr PARTLABEL=tpusr /etc/lukskey cipher=aes-xts-plain64,size=512,hash=sha512
+ecpvar PARTLABEL=tpvar /etc/lukskey cipher=aes-xts-plain64,size=512,hash=sha512
+ecphome PARTLABEL=tphome /etc/lukskey cipher=aes-xts-plain64,size=512,hash=sha512
diff --git a/templates/encryption/root/etc/dropbear-initramfs/authorized_keys b/templates/encryption/root/etc/dropbear-initramfs/authorized_keys
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIJ4173kvP1+QLFMwF5pmM0kFHQY1hc5CNdwoIcsMdwy3pKsjQpdcBxA8bWc1YEr+FoaHbFEoNSNXvxmKEhiA57LfQuAv+5rRGpLIF3rGuisZ6f8dZfnDrR3CR/SdPINyYB+q6zEUI0MDTLWg+LO2tv2/NWZAbHj7sigpWNBaqV6VEo2BGlYbmjACfEatPAxw0f0gEdg12jf62FRimLJfC0ME543r2OuUFQrZuzMhSgO7UHdXdZiTjoOP7HnsuFdB/dMayAx8T9gN1q16oMOH7JqEWgqUopzwi8s+IsBnqgiuKsgiZD4z1tPxkq7+RBHKup9roG999ygZCEEEGUgAd "used for lan behing vmproxy"
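Review bot: The template bakes one specific `ssh-rsa` public key into `dropbear-initramfs/authorized_keys`, so the holder of the matching private key can reach the pre-boot unlock prompt of every machine built from this template; that key belongs in a per-deployment override (or a file/environment variable read at install time), not in the shared template. The comment `used for lan behing vmproxy` also suggests it is tied to one particular network. A placeholder line such as `# public key(s) allowed to unlock the root volume at boot; replace per deployment` documents the intent without hard-wiring a real key.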
diff --git a/templates/encryption/root/etc/fstab b/templates/encryption/root/etc/fstab
@@ -0,0 +1,5 @@
+/dev/mapper/ecproot / ext4 errors=remount-ro 0 1
+/dev/mapper/ecpusr /usr ext4 nodev 0 2
+/dev/mapper/ecpvar /var ext4 nodev 0 2
+/dev/mapper/ecphome /home ext4 nodev,nosuid 0 2
+tmpfs /tmp tmpfs nosuid,nodev 0 0
diff --git a/templates/encryption/root/etc/lukskey b/templates/encryption/root/etc/lukskey
@@ -0,0 +1 @@
+helloworld
diff --git a/templates/encryption/syslinux/ldlinux.c32 b/templates/encryption/syslinux/ldlinux.c32
Binary files differ.
diff --git a/templates/encryption/syslinux/libcom32.c32 b/templates/encryption/syslinux/libcom32.c32
Binary files differ.
diff --git a/templates/encryption/syslinux/libutil.c32 b/templates/encryption/syslinux/libutil.c32
Binary files differ.
diff --git a/templates/encryption/syslinux/syslinux.cfg b/templates/encryption/syslinux/syslinux.cfg
@@ -0,0 +1,11 @@
+prompt 0
+timeout 50
+default live
+
+ui vesamenu.c32
+menu title custom live boot
+
+label live
+ linux vmlinuz
+ initrd initrd.img
+ append ro crypto=sha512:aes-xts-plain64:512:0: rootfstype=ext4 cryptroot=PARTLABEL=tproot cryptdm=root dropbear root=/dev/mapper/ecproot ip=dhcp
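Review bot: The `append` line names the mapping `cryptdm=root` while `root=/dev/mapper/ecproot` and the crypttab entry both use `ecproot`; if the initramfs honours the `crypto=`/`cryptroot=`/`cryptdm=` parameters it would create `/dev/mapper/root` and then fail to find the root device, and if it uses the crypttab baked in by cryptsetup-initramfs the three parameters are redundant. Either make them agree (`cryptdm=ecproot`) or drop them in favour of crypttab, and record which one is intended in a comment above the `label live` line. `timeout 50` with `prompt 0` boots the single entry after five seconds; a comment noting that the unit is tenths of a second would help the next editor.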
diff --git a/templates/encryption/syslinux/vesamenu.c32 b/templates/encryption/syslinux/vesamenu.c32
Binary files differ.
diff --git a/templates/encryption/users b/templates/encryption/users
@@ -0,0 +1,2 @@
+root:toor
+user:resu
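Review bot: `templates/encryption/users` ships two clear-text accounts (`root:toor`, `user:resu`) that the `for user in $(cut -d: -f1 "$SOURCE/users")` loop applies to every build, so all installed machines share the same well-known passwords. Treat the file as a placeholder: generate or prompt for the passwords at install time, or expire them with `chage -d 0` on the target so the first login forces a change, and note in the file that the values are examples. The credential format (`name:password`, colon-separated) is also undocumented; a header comment such as `# one account per line: name:password` would make it clear, if the install loop tolerates comment lines.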