getch 0.1.2 → 0.1.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 476822c82abc15e37ab19b3e111b4b4109beb127fb775a9075757948c9e202a4
-  data.tar.gz: 1a2290c23d28c9fb0fa45ac47882698ad4f61dfe10f699804ab53162ea337e00
+  metadata.gz: 46439ee6483306d467923074b461ad5df9d9f7a9a32981936952b586e85173f9
+  data.tar.gz: e4232a6832086eafb46e9f29da73b461762c65c6232071cf2854c9ddb7680e2f
 SHA512:
-  metadata.gz: 6b299fd1b7b9daa4be76a482ed768e85c2372c847a7f18e4ffaebf173d8d80fddbfe9b4fccc42f3037e51d53751acaf7d12f26e87b7e68fad385d280223c8471
-  data.tar.gz: 2e97a961aaa0e8a5380fa61f1dafaa958d8941287d2c16e6d493038e6bb52f94153aeb35d5762f1b8347eef8f85f0be496ca372fac6ff070caaf03b94c237b0e
+  metadata.gz: 8689b833a86f39c1b5a310ed193e588399fed86384012015f04251d39175e3bd6121a7f65540086fc1556f831017a6d56467a3325ec29f78651295adcdd3ed23
+  data.tar.gz: ac28be3804fddb3f995a8b86c438d447216547078855ca103ac4151a038934a9e7369a8a96500165b14ca38fdcac6ece31bbb5a1324e036b553ad76a0f456621

data/README.md

@@ -1,34 +1,57 @@
 # Getch
-A CLI tool to install Gentoo.
+
+<div align="center">
+<br/>
+
+[![Gem Version](https://badge.fury.io/rb/getch.svg)](https://badge.fury.io/rb/getch)
+![GitHub Workflow Status (branch)](https://img.shields.io/github/workflow/status/szorfein/getch/Rubocop/develop)
+[![Ruby Style Guide](https://img.shields.io/badge/code_style-rubocop-brightgreen.svg)](https://github.com/rubocop/rubocop)
+![GitHub](https://img.shields.io/github/license/szorfein/ardecy)
+
+</div>
+
+A CLI tool to install Gentoo or Void Linux with default:
++ DNS over HTTPS (with [Quad9](https://www.quad9.net/)).
++ Vim | Nano installed.
++ Iptables installed (not configured).
++ Sudo installed (not configured).
++ [iwd](https://iwd.wiki.kernel.org/) installed if wifi is detected.
++ No GUI installed.
+
+Hardened System:
++ sysctl.conf with TCP/IP stack hardening and more [Arch](https://wiki.archlinux.org/title/Sysctl)
++ Kernel parameters enforced (dmesg restricted, kexec disabled, etc)
++ Kernel source (Gentoo) patched with [bask](https://github.com/szorfein/bask).
 
 ## Description
-Actually, Getch support only the [AMD64 handbook](https://wiki.gentoo.org/wiki/Handbook:AMD64) and only with the last `stage3-amd64-systemd`.  
+Actually, Getch support only the `x86_64` architecture and only with the following archives:
++ **Gentoo**: `stage3-amd64-systemd` [Gentoo](https://www.gentoo.org/downloads/).
++ **Void**: `rootfs glibc` [Void](https://voidlinux.org/download/).
 
-BIOS system will use `Grub2` and `systemd-boot` for UEFI. Filesystem supported by Getch are for now:
+Filesystem supported (with or without encryption)
 + Ext4
-+ LVM
++ Lvm
 + ZFS
 
-Encryption is also supported.
+Boot Manager:
++ **Gentoo**: `BIOS` will use `Grub2` and `systemd-boot` for `UEFI`.
++ **Void**: use only Grub2, encryption for the root fs use luks1.
 
 The ISO images i was able to test and that works:
 + [Archlinux](https://www.archlinux.org/download/)
 + [Archaeidae](https://github.com/szorfein/archaeidae): Custom Archiso that includes ZFS support.
 
+## Dependencies
+Getch is build without external libs, so it only require `ruby >= 2.5`.
+
 ## Install
 Getch is cryptographically signed, so add my public key (if you haven’t already) as a trusted certificate.  
 With `gem` installed:
 
     $ gem cert --add <(curl -Ls https://raw.githubusercontent.com/szorfein/getch/master/certs/szorfein.pem)
-
     $ gem install getch -P HighSecurity
 
-When you boot from an `iso`, you can install `ruby`, `getch` and correct your `PATH=` directly with the `bin/setup.sh`:
-
-    # sh <(curl -L https://raw.githubusercontent.com/szorfein/getch/master/bin/setup.sh)
-    # source ~/.zshrc # or ~/.bashrc
-
-If you want to try the master branch:
+If you want to try from the source:
 
     # git clone https://github.com/szorfein/getch
     # cd getch
@@ -46,51 +69,62 @@ For a french user:
 
     # getch --zoneinfo "Europe/Paris" --language fr_FR --keymap fr
 
-Install Gentoo on LVM:
+Install Gentoo on LVM and use a different root disk `/dev/sdc`
 
-    # getch --format lvm --disk sda
+    # getch --format lvm --disk sdc
 
 Encrypt your disk with LVM with a french keymap
 
     # getch --format lvm --encrypt --keymap fr
 
-Encrypt with ext4 and create a home directory /home/ninja
+Encrypt with ext4 and create a new user `ninja`:
 
     # getch --format ext4 --encrypt --username ninja
 
-With ZFS:
+With ZFS, if used with `--encrypt`, it use the native ZFS encryption:
 
     # getch --format zfs
 
+With `Void Linux`:
+
+    # getch --os void --encrypt -k fr
+
 ## Troubleshooting
 
-#### LVM
-Unless your old LVM volume group is also named `vg0`, `getch` may fail to partition your disk. You have to clean up your device before proceed with `vgremove` and `pvremove`. An short example how doing this with a volume group named `vg0`:
+#### Old VG for LVM
+If a old volume group exist, `getch` may fail to partition your disk. You have to clean up your device before proceed with `vgremove` and `pvremove`. An short example how doing this with a volume group named `vg0`:
 
     # vgdisplay | grep vg0
     # vgremove -f vg0
     # pvremove -f /dev/sdb
 
 #### Encryption enable on BIOS with ext4
-To decrypt your disk on BIOS system, you have to enter your password two times. One time for Grub and another time for the initramfs (Genkernel). [post](https://wiki.archlinux.org/index.php/GRUB#Encrypted_/boot).  
+To decrypt your disk on BIOS system, you have to enter your password twice. One time for Grub and another time for Genkernel. [post](https://wiki.archlinux.org/index.php/GRUB#Encrypted_/boot).  
 Also with GRUB, only a `us` keymap is working.
 
-#### With ZFS
-When Gentoo boot, the pool may fail to start, it's happen when the pool has not been `export` to the ISO. So just reboot on your ISO:
+#### ZFS for Void Linux - Enable the boot pool
+You have some extras step to do after booting to enable the boot pool, you need this pool when you update your system. It's used mainly by Grub and Dracut.
+By default, your /boot is empty because your boot pool is not imported...
+
+    # zpool import -f -d /dev/disk/by-id -N bpool-150ed
+    # zfs mount bpool-150ed/BOOT/void
+    # ls /boot
+
+You should see something in the boot (initramfs, vmlinuz).. Recreate the initramfs.
+
+    # xbps-reconfigure -fa
 
-You need the partuuid, pool are create with the first 5 characters, just replace `sdX` by your real device:
+Make the `bpool` available at the boot:
 
-    # ls -l /dev/disk/by-partuuid/ | grep sdX4
-    -> 150ed969...
-    # zpool import -N -R /mnt rpool-150ed
+    # zfs set canmount=on bpool-150ed/BOOT/void
 
-And export them correctly:
+And reboot, the `/boot` partition should be mounted automatically after that.
 
-    # zpool export -a
+#### ZFS Encrypted with Void
+Well, another weird issue, the first time you boot on your encrypted pool, nothing append. Dracut try to mount inexistent device. Just wait for enter in the shell:
 
-It's all.
+    # ls /lib/dracut/hooks/initqueue/finished/*
+    # rm /lib/dracut/hooks/initqueue/finished/dev*
+    # exit
 
-## Issues
-If need more support for your hardware (network, sound card, ...), you can submit a [new issue](https://github.com/szorfein/getch/issues/new) and post the output of the following command:
-+ lspci
-+ lsmod
+Dracut should finally start `mount-zfs.sh` and ask for your password. After you first login, follow instructions above for recompile the initramfs and mount the boot pool and your good.

data/assets/network-stack.conf

@@ -0,0 +1,63 @@
+# https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening
+# https://github.com/trimstray/the-practical-linux-hardening-guide/wiki/Network-stack
+
+# TCP SYN cookie protection
+net.ipv4.tcp_syncookies = 1
+
+# TCP rfc1337
+net.ipv4.tcp_rfc1337 = 1
+
+# Reverse path filtering
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.rp_filter = 1
+
+# Log martian packets
+net.ipv4.conf.default.log_martians = 1
+net.ipv4.conf.all.log_martians = 1
+
+# Disable ICMP redirects
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# Disable IP source routing
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.all.accept_source_route = 0
+
+# Ignore ICMP echo requests
+net.ipv4.icmp_echo_ignore_all = 1
+net.ipv6.icmp.echo_ignore_all = 1
+
+# Ignoring broadcasts request
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# An illicit router advertisement message could result in a man-in-the-middle attack.
+net.ipv6.conf.default.accept_ra = 0
+net.ipv6.conf.all.accept_ra = 0
+
+# Ignore bogus ICMP error responses
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# ICMP redirects
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.accept_redirects = 0
+
+# Accepting secure redirects
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+
+# IP forwarding
+net.ipv4.ip_forward = 0
+
+# Sending ICMP redirects
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+
+# Keep sockets in FIN-WAIT-2 state
+net.ipv4.tcp_fin_timeout = 30
+
+# Keepalive packets to keep an connection alive
+net.ipv4.tcp_keepalive_time = 180
+net.ipv4.tcp_keepalive_intvl = 10
+net.ipv4.tcp_keepalive_probes = 3
+
+

data/assets/system.conf

@@ -0,0 +1,38 @@
+# Disable SysReq
+kernel.sysrq = 0
+
+# No core dump of executable setuid
+fs.suid_dumpable = 0
+
+# Prohibit unreferencing links to files
+fs.protected_symlinks = 1
+fs.protected_hardlinks = 1
+
+# Activate ASLR
+kernel.randomize_va_space = 2
+
+# Prohibit mapping of memory in low addresses (0)
+vm.mmap_min_addr = 65536
+
+# Larger choice space for PID values
+kernel.pid_max = 65536
+
+# Obfuscation of addresses memory kernel
+kernel.kptr_restrict = 1
+
+# Access restriction to the dmesg buffer
+kernel.dmesg_restrict = 1
+
+# Restricts the use of the perf system
+kernel.perf_event_paranoid = 2
+kernel.perf_event_max_sample_rate = 1
+kernel.perf_cpu_time_max_percent = 1
+
+# Avoid non-ancestor ptrace access to running processes and their credentials.
+kernel.yama.ptrace_scope = 1
+
+# Disable User Namespaces
+user.max_user_namespaces = 0
+
+# Turn off unprivileged eBPF access.
+kernel.unprivileged_bpf_disabled = 1

data/bin/getch

@@ -2,8 +2,16 @@
 
 require 'getch'
 
-def main(argv)
-  Getch::main(argv)
-end
+getch = Getch::Main.new(
+  :cli => Getch::Options.new(ARGV)
+)
 
-main(ARGV)
+getch.resume
+
+getch.partition
+getch.format
+getch.mount
+
+getch.install
+
+getch.configure

data/lib/cmdline.rb

@@ -0,0 +1,128 @@
+module CmdLine
+  def echo(path, content, mode = 0700)
+    f = File.new path, 'w'
+    f.write "#{content}\n"
+    f.chmod mode
+    f.close
+  end
+
+  class Kernel
+    include CmdLine
+
+    # man kernel-install
+    # use /etc/kernel/cmdline by default
+    def initialize(arg)
+      @dir = arg[:workdir]
+      @file = "#{@dir}/cmdline"
+      @line = ''
+    end
+
+    def main
+      puts ' > Generate cmdline for Kernel...'
+      cpu_mitigations
+      distrust_cpu
+      kernel_hardening
+      quiet
+
+      puts " >> Writing cmdline to #{@file}..."
+      echo @file, "#{@line}\n", 0644
+    end
+
+    private
+
+    def cpu_mitigations
+      @line << 'mds=full,nosmt'
+      @line << ' l1tf=full,force'
+      @line << ' kvm.nx_huge_pages=force'
+    end
+
+    def distrust_cpu
+      @line << ' random.trust_cpu=off'
+    end
+
+    def kernel_hardening
+      @line << ' slab_nomerge'
+      @line << ' slub_debug=FZ'
+      @line << ' init_on_alloc=1 init_on_free=1'
+      @line << ' mce=0'
+      @line << ' pti=on'
+      @line << ' vsyscall=none'
+      @line << ' page_alloc.shuffle=1'
+      @line << ' debugfs=off'
+    end
+
+    def quiet
+      @line << ' quiet loglevel=0'
+    end
+  end
+
+  class Grub
+    include CmdLine
+
+    def initialize(arg)
+      @conf = arg[:workdir]
+      @default_alias = 'GRUB_CMDLINE_LINUX_DEFAULT'
+      @cmd_alias = 'GRUB_CMDLINE_LINUX'
+    end
+
+    def main
+      puts ' > Generate cmdline for Grub...'
+      cpu_mitigations
+      distrust_cpu
+      kernel_hardening
+      quiet
+    end
+
+    private
+
+    def cpu_mitigations
+      lines = []
+      lines << add_linux('mds=full,nosmt')
+      lines << add_linux('l1tf=full,force')
+      lines << add_linux('kvm.nx_huge_pages=force')
+
+      puts " >> Writing to #{@conf}/40_cpu_mitigations.cfg"
+      echo "#{@conf}/40_cpu_mitigations.cfg", lines.join("\n"), 0755
+    end
+
+    def distrust_cpu
+      lines = []
+      lines << add_linux('random.trust_cpu=off')
+
+      puts " >> Writing to #{@conf}/40_distrust_cpu.cfg"
+      echo "#{@conf}/40_distrust_cpu.cfg", lines.join("\n"), 0755
+    end
+
+    def kernel_hardening
+      lines = []
+      lines << add_linux('slab_nomerge')
+      lines << add_linux('slub_debug=FZ')
+      lines << add_linux('init_on_alloc=1 init_on_free=1')
+      lines << add_linux('mce=0')
+      lines << add_linux('pti=on')
+      lines << add_linux('vsyscall=none')
+      lines << add_linux('page_alloc.shuffle=1')
+      lines << add_linux('debugfs=off')
+
+      puts " >> Writing to #{@conf}/40_kernel_hardening.cfg"
+      echo "#{@conf}/40_kernel_hardening.cfg", lines.join("\n"), 0755
+    end
+
+    def quiet
+      lines = []
+      lines << "#{@default_alias}=\"$(echo \"$#{@default_alias}\" | LANG=C str_replace \"quiet\" \"\")\""
+      lines << add_linux_default('quiet loglevel=0')
+
+      puts " >> Writing to #{@conf}/41_quiet.cfg"
+      echo "#{@conf}/41_quiet.cfg", lines.join("\n"), 0755
+    end
+
+    def add_linux(arg)
+      "#{@cmd_alias}=\"$#{@cmd_alias} #{arg}\""
+    end
+
+    def add_linux_default(arg)
+      "#{@default_alias}=\"$#{@default_alias} #{arg}\""
+    end
+  end
+end

data/lib/getch/command.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'open3'
 
 module Getch
@@ -9,7 +11,7 @@ module Getch
     end
 
     def run!
-      @log.info "Running command: " + @cmd.gsub(/\"/, '')
+      @log.info 'Running command: ' + @cmd.gsub(/\"/, '')
 
       Open3.popen3(@cmd) do |stdin, stdout, stderr, wait_thr|
         stdin.close_write
@@ -18,7 +20,7 @@ module Getch
         # only stderr
         begin
           @log.debug stderr.readline until stderr.eof.nil?
-        rescue EOFError
+        rescue
         end
 
         begin
@@ -59,9 +61,9 @@ module Getch
       block.each do |f|
         begin
           data = f.read_nonblock(@block_size)
-          puts data if DEFAULT_OPTIONS[:verbose]
+          puts data if OPTIONS[:verbose]
         rescue EOFError
-          puts ""
+          puts
         rescue => e
           puts "Fatal - #{e}"
         end
@@ -79,13 +81,13 @@ module Getch
 
     def run!
       @log.info "Running emerge: #{@cmd}"
-      system("chroot", @gentoo, "/bin/bash", "-c", "source /etc/profile && #{@cmd}")
+      system('chroot', @gentoo, '/bin/bash', '-c', "source /etc/profile && #{@cmd}")
       read_exit
     end
 
     def pkg!
       @log.info "Running emerge pkg: #{@cmd}"
-      system("chroot", @gentoo, "/bin/bash", "-c", "source /etc/profile && emerge --changed-use #{@cmd}")
+      system('chroot', @gentoo, '/bin/bash', '-c', "source /etc/profile && emerge --changed-use #{@cmd}")
       read_exit
     end
 
@@ -113,10 +115,8 @@ module Getch
         && env-update \
         && cd /usr/src/linux \
         && #{@cmd}\""
-      Open3.popen2e(cmd) do |stdin, stdout_err, wait_thr|
-        while line = stdout_err.gets
-          puts line
-        end
+      Open3.popen2e(cmd) do |_, stdout_err, wait_thr|
+        stdout_err.each { |l| puts l }
 
         exit_status = wait_thr.value
         unless exit_status.success?
@@ -129,23 +129,21 @@ module Getch
 
   class Bask
     def initialize(cmd)
-      @gentoo = MOUNTPOINT
       @cmd = cmd
       @log = Getch::Log.new
-      @version = "0.4"
+      @version = '0.6'
+      @config = "#{MOUNTPOINT}/etc/kernel/config.d"
+      download_bask unless Dir.exist? "#{MOUNTPOINT}/root/bask-#{@version}"
     end
 
     def run!
-      download_bask if ! Dir.exist? "#{MOUNTPOINT}/root/bask-#{@version}"
       @log.info "Running Bask: #{@cmd}"
-      cmd = "chroot #{@gentoo} /bin/bash -c \"source /etc/profile \
+      cmd = "chroot #{MOUNTPOINT} /bin/bash -c \"source /etc/profile \
         && env-update \
         && cd /root/bask-#{@version} \
         && ./bask.sh #{@cmd} -k /usr/src/linux\""
-      Open3.popen2e(cmd) do |stdin, stdout_err, wait_thr|
-        while line = stdout_err.gets
-          puts line
-        end
+      Open3.popen2e(cmd) do |_, stdout_err, wait_thr|
+        stdout_err.each { |l| puts l }
 
         exit_status = wait_thr.value
         unless exit_status.success?
@@ -155,15 +153,27 @@ module Getch
       end
     end
 
-    private 
+    def cp
+      Helpers.mkdir @config
+      Helpers.cp(
+        "#{MOUNTPOINT}/root/bask-#{@version}/config.d/#{@cmd}",
+        "#{@config}/#{@cmd}"
+      )
+    end
+
+    def add(content)
+      Helpers.add_file "#{@config}/#{@cmd}", content
+    end
+
+    private
 
     def download_bask
-      @log.info "Installing Bask..."
-      url = "https://github.com/szorfein/bask/archive/v#{@version}.tar.gz"
+      @log.info 'Installing Bask...'
+      url = "https://github.com/szorfein/bask/archive/refs/tags/#{@version}.tar.gz"
       file = "bask-#{@version}.tar.gz"
 
       Dir.chdir("#{MOUNTPOINT}/root")
-      Helpers::get_file_online(url, file)
+      Helpers.get_file_online(url, file)
       Getch::Command.new("tar xzf #{file}").run!
     end
   end

data/lib/getch/config/gentoo.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module Getch
+  module Config
+    class Gentoo
+      def initialize
+        @systemd_net_dir = "#{MOUNTPOINT}/etc/systemd"
+      end
+
+      def ethernet
+        conf = "#{@systemd_net_dir}/network/20-ethernet.network"
+        datas = [
+          '[Match]',
+          'Name=en*',
+          'Name=eth*',
+          '[Network]',
+          'DHCP=yes',
+          'IPv6PrivacyExtensions=yes',
+          '[DHCP]',
+          'RouteMetric=512',
+        ]
+        File.write(conf, datas.join("\n"), mode: 'w')
+      end
+
+      def wifi
+        conf = "#{@systemd_net_dir}/network/20-wireless.network"
+        datas = [
+          '[Match]',
+          'Name=wlp*',
+          'Name=wlan*',
+          '[Network]',
+          'DHCP=yes',
+          'IPv6PrivacyExtensions=yes',
+          '[DHCP]',
+          'RouteMetric=1024',
+        ]
+        File.write(conf, datas.join("\n"), mode: 'w')
+      end
+
+      def dns
+        conf = "#{@systemd_net_dir}/resolved.conf.d/dns_over_tls.conf"
+        datas = [
+          '[Resolve]',
+          'DNS=9.9.9.9#dns.quad9.net',
+          'DNSOverTLS=yes',
+        ]
+        Helpers.create_dir("#{@systemd_net_dir}/resolved.conf.d")
+        File.write(conf, datas.join("\n"), mode: 'w')
+
+        Getch::Chroot.new('systemctl enable systemd-networkd').run!
+        Getch::Chroot.new('systemctl enable systemd-resolved').run!
+      end
+
+      def shell
+      end
+    end
+  end
+end

data/lib/getch/config/void.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Getch
+  module Config
+    class Void
+      include Helpers::Void
+
+      def initialize
+        @service_dir = '/etc/runit/runsvdir/default/'
+      end
+
+      # Enable dhcpcd service
+      def ethernet
+        command "ln -fs /etc/sv/dhcpcd #{@service_dir}"
+      end
+
+      # with Quad9
+      # https://www.dnsknowledge.com/tutorials/how-to-setup-quad9-dns-on-a-linux/
+      def dns
+        conf = "#{MOUNTPOINT}/etc/resolv.conf"
+        content = [
+          'nameserver 9.9.9.9',
+          'nameserver 2620:fe::fe',
+          'options rotate',
+        ]
+        File.write(conf, content.join("\n"), mode: 'w', chmod: 0644)
+      end
+
+      # https://docs.voidlinux.org/config/network/iwd.html
+      def wifi
+        conf = "#{MOUNTPOINT}/etc/iwd/main.conf"
+        content = [
+          '[General]',
+          'UseDefaultInterface=true',
+        ]
+        File.write(conf, content.join("\n"), mode: 'a', chmod: 0644)
+        # Enabling dbus and iwd
+        command "ln -fs /etc/sv/dbus #{@service_dir}"
+        command "ln -fs /etc/sv/iwd #{@service_dir}"
+      end
+
+      def shell
+        command 'chsh -s /bin/bash'
+      end
+    end
+  end
+end