#!/bin/bash # # System installer. # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as # published by the Free Software Foundation, either version 3 of the # License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public # License along with this program. If not, see # . # Load. source $APP_BASE/lib/hydra/functions || exit 1 hydra_config_load # Create a logical volume. function hydra_provision_lvcreate { local volume="$1" local size="$2" local space if [ -z "$volume" ] || [ "$size" == "0" ]; then return fi if ! lvdisplay $vg/$volume &> /dev/null; then echo "Creating logical volume $volume..." if [ "$size" == "-1" ]; then space="-l 100%FREE" else space="-L $size" fi # See http://forums.funtoo.org/viewtopic.php?id=1206 # https://bbs.archlinux.org/viewtopic.php?id=124615 if [ "$disable_zeroing" == "y" ]; then hydra_sudo_run lvcreate -Z n $space -n $volume $vg else hydra_sudo_run lvcreate $space -n $volume $vg fi fi } # Cryptsetup wrapper. function hydra_cryptsetup { if [ ! -z "$1" ] && [ -b "$1" ]; then hydra_sudo_run cryptsetup --cipher aes-xts-plain64:sha256 --key-size 512 --hash sha512 --iter-time 5000 --use-random -y -q luksFormat $1 fi } # Create a physical volume. function hydra_provision_create_volume { local volume="$1" if [ -z "$volume" ] || [ ! -b "/dev/mapper/$vg-$volume" ]; then return fi if [ "$encrypt" == "y" ]; then echo "Creating encrypted $volume device..." hydra_cryptsetup /dev/mapper/$vg-$volume hydra_sudo_run cryptsetup luksOpen /dev/mapper/$vg-$volume provision-$volume hydra_sudo_run mkfs.ext4 /dev/mapper/provision-$volume if [ "$volume" == "root" ]; then install_device="/dev/mapper/provision-root" fi else echo "Creating $volume device..." hydra_sudo_run mkfs.ext4 /dev/mapper/$vg-$volume if [ "$volume" == "root" ]; then install_device="/dev/mapper/$vg-root" fi fi } # Determine optimal partition start taking into account disk alignment # This function needs to know where the last partition ends function partition_sector_start { local sector_start="$1" local last_partition_end="$2" local optimal_sector_size="$3" while (( $sector_start <= $last_partition_end + 1)); do sector_start="$(($sector_start + $optimal_sector_size))" done echo $sector_start } # Make sure there is provision config. function hydra_provision_config { local base_arch="`uname -m`" if [ "$base_arch" == "x86_64" ]; then base_arch="amd64" else base_arch="i386" fi hydra_user_config interactive y "Interactive mode? (y/n)" hydra_user_config device /dev/sdb "Physical device(s) (more than one auto sets RAID mode)" hydra_user_config swap_size 2000 "Swap size (in MB, 0 to not create it)" hydra_user_config root_size 20G "Size of root partition (-1 for all free space)" if [ "$root_size" != "-1" ]; then hydra_user_config home_size 20G "Size of home partition (0 to not create it, -1 for all free space)" else home_size="0" fi if [ "$root_size" != "-1" ] && [ "$home_size" != "-1" ]; then hydra_user_config var_size 20G "Size of var partition (0 to not create it, -1 for all free space)" else var_size="0" fi hydra_user_config encrypt y "Encrypt volumes? (if RAID, then encryption is default) (y/n)" if [ "$encrypt" == "y" ]; then hydra_user_config garbage y "Pre-fill volumes with garbage? (y/n)" fi if [ "$swap_size" != "0" ]; then hydra_user_config random_swap y "Random swap? (y/n)" fi hydra_user_config disable_zeroing n "Disable zeroing of LVM volumes? (y/n)" hydra_user_config hostname machine "Hostname" hydra_user_config domain example.org "Domain" hydra_user_config arch $base_arch "System arch" hydra_user_config version buster "Distro version" hydra_user_config vg $hostname "Install vg" hydra_user_config grub y "Setup GRUB? (y/n)" hydra_user_config initramfs initramfs-tools "Initramfs manager? (initramfs-tools/dracut)" hydra_user_config mirror https://deb.debian.org/debian/ "Debian mirror" hydra_user_config ssh y "Install openssh-server? (y/n)" # Check arch if [ "$arch" == "armel" ] || [ "$arch" == "armhf" ]; then echo "You probably want to run provision-raspi instead of provision" exit 1 fi } # Load configuration hydra_provision_config_load $1 # Parameters WORK="/tmp/debootstrap" # Set environment export LC_ALL=C # Get config parameters. hydra_provision_config # Check for requirements. for req in debootstrap cryptsetup grub-pc lvm2 parted mdadm; do hydra_install_package $req done # Warning. if [ "$interactive" == "y" ]; then echo "WARNING: about to create partitions on $device!" echo "WARNING: make sure you have backups of the important data from this device!" echo "Press ENTER to continue, Ctrl-C to abort." read answer fi # Check number of devices num_devices="`echo $device | wc -w`" # RAID: do this instead of regular partitioning. if [ "$num_devices" != "1" ]; then # Force encryption and fix device name. encrypt="y" physical_devices="$device" device="/dev/md/$hostname" for dev in $physical_devices; do hydra_sudo_run parted -s -- $dev mklabel gpt hydra_sudo_run parted -s -- $dev mkpart ext4 1M 100% hydra_sudo_run parted -s -- $dev set 1 raid on done mdadm --create --verbose $device --level=1 --raid-devices=$num_devices $physical_devices # See https://bbs.archlinux.org/viewtopic.php?id=148250 hydra_sudo_run dd if=/dev/zero of=$device bs=1M count=32 boot_device="$device" syst_device="$device" else # Partition alignment # See https://rainbow.chard.org/2013/01/30/how-to-align-partitions-for-best-performance-using-parted/ # https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-block # https://people.redhat.com/msnitzer/docs/io-limits.txt megabyte="$((1024*1024))" block="`echo $device | sed -e 's|^/dev/||'`" optimal_size="`cat /sys/block/$block/queue/optimal_io_size`" alignment_offset="`cat /sys/block/$block/alignment_offset`" block_size="`cat /sys/block/$block/queue/physical_block_size`" start="$((($optimal_size + $alignment_offset) / $block_size))" optimal_sector_size="$(($optimal_size / $block_size))" # Sector size for a 1MB partition bios_grub_size="$(($megabyte/$block_size))" bios_grub_end="$(($start + $bios_grub_size - 1))" # Regular disk partitioning. hydra_sudo_run parted -s -- $device mklabel gpt #hydra_sudo_run parted -s -- $device unit MB mkpart non-fs 2 3 hydra_sudo_run parted -s -- $device mkpart non-fs ${start}s ${bios_grub_end}s hydra_sudo_run parted -s -- $device set 1 bios_grub on if [ "$encrypt" == "y" ]; then # Second partition must also be aligned by a multiple of $optimal_sector_size # So we find the minimum optimal start sector which is after the grub partition #lvm_start="$(($bios_grub_end + 1))" lvm_start="`partition_sector_start $start $bios_grub_end $optimal_sector_size`" #hydra_sudo_run parted -s -- $device unit MB mkpart ext2 3 -1 hydra_sudo_run parted -s -- $device mkpart ext2 ${lvm_start}s -1 hydra_sudo_run parted -s -- $device set 2 lvm on boot_device="$device"2 syst_device="$device"2 else # Make a 200MB boot partition #boot_start="$(($bios_grub_end + 1))" boot_size="200" boot_start="`partition_sector_start $start $bios_grub_end $optimal_sector_size`" boot_size="$(($boot_size * $megabyte / $block_size))" boot_end="$(($boot_start + $boot_size -1))" #lvm_start="$($boot_end + 1))" lvm_start="`partition_sector_start $start $boot_end $optimal_sector_size`" #hydra_sudo_run parted -s -- $device unit MB mkpart ext2 3 200 hydra_sudo_run parted -s -- $device mkpart ext2 ${boot_start}s ${boot_end}s hydra_sudo_run parted -s -- $device mkpart ext2 ${lvm_start}s -1 hydra_sudo_run parted -s -- $device set 3 lvm on boot_device="$device"2 syst_device="$device"3 fi fi hydra_sudo_run parted -s -- $device set 2 boot on # Take a small break to devices table be updated sleep 2 # Create volumes. echo "Creating the needed disk volumes..." if ! pvdisplay $syst_device &> /dev/null; then echo "Creating physical volume..." hydra_sudo_run pvcreate $syst_device fi if ! vgdisplay $vg &> /dev/null; then echo "Creating volume group..." hydra_sudo_run vgcreate $vg $syst_device fi # Activate volume group hydra_sudo_run vgchange -a y $vg # Create swap partition if [ "$swap_size" != "0" ]; then hydra_provision_lvcreate swap $swap_size fi # Create root partition. hydra_provision_lvcreate root $root_size # Create home partition. if [ "$home_size" != "0" ]; then hydra_provision_lvcreate home $home_size fi # Create var partition. if [ "$var_size" != "0" ]; then hydra_provision_lvcreate var $var_size fi # Garbage. if [ "$garbage" == "y" ]; then echo "Filling volumes with garbage..." hydra_sudo_run dd if=/dev/urandom of=/dev/mapper/$vg-root if [ -b "/dev/mapper/$vg-home" ]; then hydra_sudo_run dd if=/dev/urandom of=/dev/mapper/$vg-home fi if [ -b "/dev/mapper/$vg-var" ]; then hydra_sudo_run dd if=/dev/urandom of=/dev/mapper/$vg-var fi if [ "$swap_size" != "0" ]; then hydra_sudo_run dd if=/dev/urandom of=/dev/mapper/$vg-swap fi fi # Make sure that the mountpoint exists hydra_sudo_run mkdir -p $WORK # Setup mountpoint and make sure it's not mounted due to a failed install. if cat /proc/mounts | cut -d ' ' -f 2 | grep -q "^$WORK$"; then hydra_sudo_run umount $WORK for folder in proc dev home var boot sys; do if cat /proc/mounts | cut -d ' ' -f 2 | grep -q "^$WORK/$folder$"; then hydra_sudo_run umount $WORK/$folder fi done fi # Create swap fs. if [ "$swap_size" != "0" ] && [ "$random_swap" != "y" ]; then hydra_cryptsetup /dev/mapper/$vg-swap hydra_sudo_run cryptsetup luksOpen /dev/mapper/$vg-swap provision-swap hydra_sudo_run mkswap /dev/mapper/provision-swap fi # Create root fs hydra_provision_create_volume root # Create home fs. if [ "$home_size" != "0" ]; then hydra_provision_create_volume home fi # Create var fs. if [ "$var_size" != "0" ]; then hydra_provision_create_volume var fi # Mount root volume. hydra_sudo_run mount $install_device $WORK/ # Mount additional volumes. if [ "$home_size" != "0" ]; then mkdir $WORK/home if [ "$encrypt" == "y" ]; then hydra_sudo_run mount /dev/mapper/provision-home $WORK/home else hydra_sudo_run mount /dev/mapper/$vg-home $WORK/home fi fi if [ "$var_size" != "0" ]; then hydra_sudo_run mkdir $WORK/var if [ "$encrypt" == "y" ]; then hydra_sudo_run mount /dev/mapper/provision-var $WORK/var else hydra_sudo_run mount /dev/mapper/$vg-var $WORK/var fi fi # Non-interactive installation APT_INSTALL="hydra_sudo_run LC_ALL=C DEBIAN_FRONTEND=noninteractive chroot $WORK/ apt-get install" # Initial system install. echo "Installing base system..." hydra_sudo_run LC_ALL=C DEBIAN_FRONTEND=noninteractive debootstrap --force-check-gpg --arch=$arch $version $WORK/ $mirror # Initial configuration. echo "Applying initial configuration..." hydra_sudo_run mount none -t proc $WORK/proc hydra_sudo_run mount none -t sysfs $WORK/sys hydra_sudo_run mount -o bind /run/ $WORK/run hydra_sudo_run mount -o bind /dev/ $WORK/dev hydra_sudo_run mount -o bind /dev/pts $WORK/dev/pts echo LANG=C | $SUDO tee $WORK/etc/default/locale > /dev/null # Resolver configuration. echo "domain $domain" | $SUDO tee $WORK/etc/resolv.conf > /dev/null echo "search $hostname.$domain" | $SUDO tee -a $WORK/etc/resolv.conf > /dev/null grep nameserver /etc/resolv.conf | $SUDO tee -a $WORK/etc/resolv.conf > /dev/null # Hostname configuration. echo $hostname.$domain | $SUDO tee $WORK/etc/hostname > /dev/null echo "127.0.0.1 localhost" | $SUDO tee -a $WORK/etc/hosts > /dev/null # This ordering is important for facter correctly guess the domain name echo "127.0.0.1 $hostname.$domain $hostname" | $SUDO tee -a $WORK/etc/hosts > /dev/null # Invert hostname contents to avoid http://projects.puppetlabs.com/issues/2533 tac $WORK/etc/hosts | $SUDO tee $WORK/etc/hosts.new > /dev/null hydra_sudo_run mv $WORK/etc/hosts.new $WORK/etc/hosts # Apt if [ "$version" != "sid" ]; then echo "deb http://security.debian.org/ $version/updates main contrib non-free" | $SUDO tee -a $WORK/etc/apt/sources.list echo "deb-src http://security.debian.org/ $version/updates main contrib non-free" | $SUDO tee -a $WORK/etc/apt/sources.list fi # Initial upgrade. echo "Applying initial upgrades..." hydra_sudo_run chroot $WORK/ apt-get update hydra_sudo_run chroot $WORK/ apt-get upgrade -y $APT_INSTALL locales cryptsetup lvm2 -y # Crypttab. echo "Configuring crypttab..." echo "# " | $SUDO tee $WORK/etc/crypttab > /dev/null if [ "$encrypt" == "y" ]; then cat <<-EOF | $SUDO tee $WORK/etc/crypttab > /dev/null root /dev/mapper/$vg-root none luks EOF fi if [ "$home_size" != "0" ] && [ "$encrypt" == "y" ]; then cat <<-EOF | $SUDO tee -a $WORK/etc/crypttab > /dev/null home /dev/mapper/$vg-home none luks EOF fi if [ "$var_size" != "0" ] && [ "$encrypt" == "y" ]; then cat <<-EOF | $SUDO tee -a $WORK/etc/crypttab > /dev/null var /dev/mapper/$vg-var none luks EOF fi if [ "$swap_size" != "0" ] && [ "$random_swap" == "y" ]; then cat <<-EOF | $SUDO tee -a $WORK/etc/crypttab > /dev/null swap /dev/mapper/$vg-swap /dev/random swap,cipher=aes-xts-plain64:sha256 EOF fi if [ "$swap_size" != "0" ] && [ "$random_swap" != "y" ]; then cat <<-EOF | $SUDO tee -a $WORK/etc/crypttab > /dev/null swap /dev/mapper/$vg-swap none luks,swap EOF fi # Fstab. echo "Configuring fstab..." hydra_sudo_run touch $WORK/etc/fstab #echo "" | $SUDO tee $WORK/etc/fstab > /dev/null if [ "$swap_size" != "0" ]; then cat <<-EOF | $SUDO tee -a $WORK/etc/fstab > /dev/null /dev/mapper/swap none swap sw 0 0 EOF fi if [ "$encrypt" == "y" ]; then cat <<-EOF | $SUDO tee -a $WORK/etc/fstab > /dev/null /dev/mapper/root / ext4 defaults,errors=remount-ro 0 1 EOF else cat <<-EOF | $SUDO tee -a $WORK/etc/fstab > /dev/null /dev/mapper/$vg-root / ext4 defaults,errors=remount-ro 0 1 EOF fi if [ "$home_size" != "0" ]; then if [ "$encrypt" == "y" ]; then cat <<-EOF | $SUDO tee -a $WORK/etc/fstab > /dev/null /dev/mapper/home /home ext4 defaults,errors=remount-ro 0 2 EOF else cat <<-EOF | $SUDO tee -a $WORK/etc/fstab > /dev/null /dev/mapper/$vg-home /home ext4 defaults,errors=remount-ro 0 2 EOF fi fi if [ "$var_size" != "0" ]; then if [ "$encrypt" == "y" ]; then cat <<-EOF | $SUDO tee -a $WORK/etc/fstab > /dev/null /dev/mapper/var /var ext4 defaults,errors=remount-ro 0 2 EOF else cat <<-EOF | $SUDO tee -a $WORK/etc/fstab > /dev/null /dev/mapper/$vg-var /var ext4 defaults,errors=remount-ro 0 2 EOF fi fi # Boot device must be available before installing kernel and initramfs. if [ "$grub" == "y" ] && [ "$encrypt" != "y" ]; then echo "Boot device setup..." hydra_sudo_run mkfs.ext4 $boot_device hydra_sudo_run mount $boot_device $WORK/boot fi # Kernel. echo "Installing kernel..." cat <<-EOF | $SUDO tee $WORK/etc/kernel-img.conf > /dev/null do_initrd = Yes EOF if [ "$arch" == "i386" ]; then kernel_arch="686" else kernel_arch="$arch" fi # Kernel. $APT_INSTALL linux-image-$kernel_arch -y # Initramfs. echo "Creating initramfs..." if [ "$initramfs" == "initramfs-tools" ]; then $APT_INSTALL initramfs-tools -y cat <<-EOF | $SUDO tee $WORK/etc/initramfs-tools/modules > /dev/null dm-mod dm-crypt dm-raid aes sha256 EOF if [ -e "$WORK/etc/cryptsetup-initramfs/conf-hook" ]; then hydra_sudo_run sed -i -e 's/#CRYPTSETUP=/CRYPTSETUP=y/' $WORK/etc/cryptsetup-initramfs/conf-hook fi hydra_sudo_run chroot $WORK update-initramfs -u else $APT_INSTALL dracut -y # Ensure initramfs-tools is absent hydra_sudo_run chroot $WORK apt-get autoremove -y fi # Grub. if [ "$grub" == "y" ]; then echo "Setting up GRUB..." $APT_INSTALL grub-pc -y hydra_sudo_run sed -i -e 's/^GRUB_CMDLINE_LINUX_DEFAULT="quiet"$/GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"/' \ $WORK/etc/default/grub hydra_sudo_run chroot $WORK/ update-grub if [ "$encrypt" == "y" ]; then echo '' | $SUDO tee -a $WORK/etc/default/grub > /dev/null echo '# Full Disk Encryption Support' | $SUDO tee -a $WORK/etc/default/grub > /dev/null echo 'GRUB_ENABLE_CRYPTODISK=y' | $SUDO tee -a $WORK/etc/default/grub > /dev/null echo 'GRUB_PRELOAD_MODULES="lvm cryptodisk mdraid1x"' | $SUDO tee -a $WORK/etc/default/grub > /dev/null hydra_sudo_run chroot $WORK/ update-grub hydra_sudo_run chroot $WORK/ grub-install --recheck --force $device # Fix menu entry hydra_sudo_run sed -i -e "s|root=/dev/mapper/provision-root|root=/dev/mapper/root|g" $WORK/boot/grub/grub.cfg hydra_sudo_run sed -i -e "s|root=/dev/mapper/$hostname-unlocked|root=/dev/mapper/root|g" $WORK/boot/grub/grub.cfg else hydra_sudo_run chroot $WORK/ grub-install --recheck --force $device fi fi # Set boot partition config if [ "$grub" == "y" ] && [ "$encrypt" != "y" ]; then # Use UUID # Reboot device must be calculated after filesystem creation and grub installation # # We use lsblk instead of blkid. From blkid(8): # # When device is specified, tokens from only this device are displayed. It is # possible to specify multiple device arguments on the command line. If none # is given, all devices which appear in /proc/partitions are shown, if they are # recognized. # # Note that blkid reads information directly from devices and for non-root # users it returns cached unverified information. It is better to use lsblk # --fs to get a user-friendly overview of filesystems and devices. lsblk(8) # is also easy to use in scripts. blkid is mostly designed for system services # and to test libblkid functionality. #reboot_device="`blkid | grep ^$boot_device: | cut -d ' ' -f 2 | sed -e 's/"//g'`" #reboot_device="`blkid $boot_device | cut -d ' ' -f 2 | sed -e 's/"//g'`" reboot_device="`lsblk $boot_device -n -o UUID`" # Use device name: might lead to wrong results # During install boot_device might be /dev/sdb2, but on boot be /dev/sda2 #reboot_device="$boot_device" echo "UUID=$reboot_device /boot ext4 defaults,errors=remount-ro 0 2" | $SUDO tee -a $WORK/etc/fstab > /dev/null hydra_sudo_run chroot $WORK update-initramfs -u fi # Utils. echo "Installing basic utilities..." $APT_INSTALL zsh screen cron lsb-release openssl -y # Networking. hydra_provision_networking # SSH. if [ "$ssh" == "y" ]; then echo "Installing OpenSSH daemon..." $APT_INSTALL openssh-server -y hydra_sudo_run chroot $WORK/ service ssh stop fi # Sudo. echo "Installing sudo..." $APT_INSTALL sudo -y echo "%sudo ALL=NOPASSWD: ALL" | $SUDO tee $WORK/etc/sudoers.d/local > /dev/null $SUDO chmod 440 $WORK/etc/sudoers.d/local echo "Choose a root password." hydra_sudo_run chroot $WORK passwd root # Fingerprints if [ "$ssh" == "y" ]; then hydra_provision_fingerprints fi echo "Umounting installation device..." if [ "$grub" == "y" ] && [ "$encrypt" != "y" ]; then hydra_sudo_run umount $WORK/boot fi hydra_sudo_run umount $WORK/sys $WORK/proc $WORK/dev/pts $WORK/dev $WORK/run $WORK if [ "$swap_size" != "0" ]; then hydra_sudo_run cryptsetup luksClose provision-swap fi if [ "$encrypt" == "y" ]; then hydra_sudo_run cryptsetup luksClose provision-root fi hydra_sudo_run vgchange -a n $vg cat <<-EOF Now proceeed with final steps: - Create an user account with sudo privileges. - Network setup. - Review fstab, crypttab and optional GRUB configuration. See https://padrao.fluxo.info/install for more information. If you know what you're doing, you might test and finish the installation using: sudo kvm -m 512 -hda $device EOF