getch 0.1.3 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c141cfefd0484364edafbbf424bc6e3d1fe98d26d5a2fa96411ae88efaae501a
-  data.tar.gz: 117fb8c04c3525ac5c5be3da0683eac0b68de537f674955fe6d363091233ab0b
+  metadata.gz: c43bba03495a77a22b582c84f7e044383bc432fb8c8ca676d093673e836362af
+  data.tar.gz: 762dd43c65c336df63176b7945d75600153503c3ccdf7d899228cd18443bbda7
 SHA512:
-  metadata.gz: fbf00fb976d8e4a1ea8a4e3abf64de42f9804b4b33b125548021f733d27e2458d6c6ec2e9712f3f92806b66253550c600c217f3ece4bf3310f5b39c5cb58aebf
-  data.tar.gz: ed7af46af82c816f17296ba01301aece81d6655d4fc31c166fce5a013be8c20e5b89b8965c3d855913628c3566a47bd8b2ed123263c7dedaef5b3e3fdd0a6b4e
+  metadata.gz: 1f5a90d17518469533bfdcafd14b3e3ad155717c722182fca194bfd81fced2dc37ff0093af2da778cf53cadb5c4e23ae3fa7fe16d7809155f21f1e127c5bbc89
+  data.tar.gz: c533dbe161df1f6b72c3d690218547e926b219ff6bb19240f46bb040ccb2e86318cc5259b69b7692416c412e109fb5eb22fd424f9bca5d6dc1ae0ff70adc4cd0

data/README.md

@@ -1,34 +1,60 @@
 # Getch
-A CLI tool to install Gentoo.
+
+<div align="center">
+<br/>
+
+[![Gem Version](https://badge.fury.io/rb/getch.svg)](https://badge.fury.io/rb/getch)
+![GitHub Workflow Status (branch)](https://img.shields.io/github/workflow/status/szorfein/getch/Rubocop/develop)
+[![Ruby Style Guide](https://img.shields.io/badge/code_style-rubocop-brightgreen.svg)](https://github.com/rubocop/rubocop)
+![GitHub](https://img.shields.io/github/license/szorfein/getch)
+
+</div>
+
+A CLI tool to install Gentoo or Void Linux with default:
++ DNS over HTTPS (with [Quad9](https://www.quad9.net/)).
++ Vim | Nano installed.
++ Iptables installed (not configured).
++ Sudo installed (not configured).
++ [iwd](https://iwd.wiki.kernel.org/) installed if wifi is detected.
++ No GUI installed.
+
+Hardened System:
++ sysctl.conf with TCP/IP stack hardening and more [Arch](https://wiki.archlinux.org/title/Sysctl)
++ Kernel parameters enforced (dmesg restricted, kexec disabled, etc)
++ Kernel source (Gentoo) patched with [bask](https://github.com/szorfein/bask).
++ Musl optionnal
 
 ## Description
-Actually, Getch support only the [AMD64 handbook](https://wiki.gentoo.org/wiki/Handbook:AMD64) and only with the last `stage3-amd64-systemd`.  
+Actually, Getch support only the `x86_64` architecture with the following archives:
++ **Gentoo**: `stage3-amd64-systemd` or `stage3-amd64-musl` [Gentoo](https://www.gentoo.org/downloads/).
++ **Void**: `rootfs tarball glibc` or `rootfs tarball musl` [Void](https://voidlinux.org/download/).
 
-BIOS system will use `Grub2` and `systemd-boot` for UEFI. Filesystem supported by Getch are for now:
+Filesystem supported (with or without encryption)
 + Ext4
-+ LVM
++ Lvm
 + ZFS
 
-Encryption is also supported.
+Boot Manager:
++ **Gentoo**: `BIOS` and `musl` will use `Grub2` and `systemd-boot` for `UEFI`.
++ **Void**: use only Grub2.
 
 The ISO images i was able to test and that works:
 + [Archlinux](https://www.archlinux.org/download/)
 + [Archaeidae](https://github.com/szorfein/archaeidae): Custom Archiso that includes ZFS support.
 
+You can also use your current `linux` host, just pay attention to the disk that will be used.  
+
+## Dependencies
+Getch is build without external libs, so it only require `ruby >= 2.5`.
+
 ## Install
 Getch is cryptographically signed, so add my public key (if you haven’t already) as a trusted certificate.  
 With `gem` installed:
 
     $ gem cert --add <(curl -Ls https://raw.githubusercontent.com/szorfein/getch/master/certs/szorfein.pem)
-
     $ gem install getch -P HighSecurity
 
-When you boot from an `iso`, you can install `ruby`, `getch` and correct your `PATH=` directly with the `bin/setup.sh`:
-
-    # sh <(curl -L https://raw.githubusercontent.com/szorfein/getch/master/bin/setup.sh)
-    # source ~/.zshrc # or ~/.bashrc
-
-If you want to try the master branch:
+If you want to try from the source:
 
     # git clone https://github.com/szorfein/getch
     # cd getch
@@ -46,51 +72,65 @@ For a french user:
 
     # getch --zoneinfo "Europe/Paris" --language fr_FR --keymap fr
 
-Install Gentoo on LVM:
+Install Gentoo on LVM and use a different root disk `/dev/sdc`
 
-    # getch --format lvm --disk sda
+    # getch --format ext4 --lvm --disk sdc
 
 Encrypt your disk with LVM with a french keymap
 
-    # getch --format lvm --encrypt --keymap fr
+    # getch --format ext4 --lvm --encrypt --keymap fr
 
-Encrypt with ext4 and create a home directory /home/ninja
+Encrypt with ext4 and create a new user `ninja`:
 
     # getch --format ext4 --encrypt --username ninja
 
-With ZFS:
+With ZFS, if used with `--encrypt`, it use the native ZFS encryption:
 
     # getch --format zfs
 
+With `Void Linux` and `Musl` enable:
+
+    # getch --os void --encrypt -k fr --musl
+
 ## Troubleshooting
 
-#### LVM
-Unless your old LVM volume group is also named `vg0`, `getch` may fail to partition your disk. You have to clean up your device before proceed with `vgremove` and `pvremove`. An short example how doing this with a volume group named `vg0`:
+#### Old VG for LVM
+If a old volume group exist, `getch` may fail to partition your disk. You have to clean up your device before proceed with `vgremove` and `pvremove`. An short example how doing this with a volume group named `vg0`:
 
     # vgdisplay | grep vg0
     # vgremove -f vg0
     # pvremove -f /dev/sdb
 
-#### Encryption enable on BIOS with ext4
-To decrypt your disk on BIOS system, you have to enter your password two times. One time for Grub and another time for the initramfs (Genkernel). [post](https://wiki.archlinux.org/index.php/GRUB#Encrypted_/boot).  
-Also with GRUB, only a `us` keymap is working.
+#### Encryption with GRUB
+To decrypt your disk on GRUB, only the `us` keymap is working for now.
+
+#### ZFS with Grub
+By default, if you use ZFS with `musl` or `voidlinux` the `/boot` partition is not mounted automatically, so before an update, mout the partition.
+
+    # zpool status
+    # zfs mount bpool/BOOT/void
+    # ls /boot
+
+#### ZFS with and without encryption
+First time on ZFS after 5min
 
-#### With ZFS
-When Gentoo boot, the pool may fail to start, it's happen when the pool has not been `export` to the ISO. So just reboot on your ISO:
+```txt
+dracut Warning: /dev/disk/by-uuid/<DISK> does not exist
+```
 
-You need the partuuid, pool are create with the first 5 characters, just replace `sdX` by your real device:
+Dracut try to mount inexistent device. Just wait for enter in the shell and remove the disk uuid from `/lib/dracut/hooks/initqueue/finished/`
 
-    # ls -l /dev/disk/by-partuuid/ | grep sdX4
-    -> 150ed969...
-    # zpool import -N -R /mnt rpool-150ed
+    # ls /lib/dracut/hooks/initqueue/finished/*
+    # rm /lib/dracut/hooks/initqueue/finished/dev*
+    # exit
 
-And export them correctly:
+Dracut should finally start `mount-zfs.sh` and ask for a password if encrypted. After you first login, mount the `/boot` partition and recompile the initramfs and your good.
 
-    # zpool export -a
++ For Gentoo: `emerge --config sys-kernel/gentoo-kernel-bin`
++ For Voidlinux: `xbps-reconfigure -fa`
 
-It's all.
+If it doesn't work, try to start script manually (always in the shell):
 
-## Issues
-If need more support for your hardware (network, sound card, ...), you can submit a [new issue](https://github.com/szorfein/getch/issues/new) and post the output of the following command:
-+ lspci
-+ lsmod
+    # . /lib/dracut/hooks/mount/98-mount-zsh.sh
+    # . /lib/dracut/hooks/mount/99-mount-root.sh
+    # exit

data/assets/network-stack.conf

@@ -0,0 +1,63 @@
+# https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening
+# https://github.com/trimstray/the-practical-linux-hardening-guide/wiki/Network-stack
+
+# TCP SYN cookie protection
+net.ipv4.tcp_syncookies = 1
+
+# TCP rfc1337
+net.ipv4.tcp_rfc1337 = 1
+
+# Reverse path filtering
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.rp_filter = 1
+
+# Log martian packets
+net.ipv4.conf.default.log_martians = 1
+net.ipv4.conf.all.log_martians = 1
+
+# Disable ICMP redirects
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# Disable IP source routing
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.all.accept_source_route = 0
+
+# Ignore ICMP echo requests
+net.ipv4.icmp_echo_ignore_all = 1
+net.ipv6.icmp.echo_ignore_all = 1
+
+# Ignoring broadcasts request
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# An illicit router advertisement message could result in a man-in-the-middle attack.
+net.ipv6.conf.default.accept_ra = 0
+net.ipv6.conf.all.accept_ra = 0
+
+# Ignore bogus ICMP error responses
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# ICMP redirects
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.accept_redirects = 0
+
+# Accepting secure redirects
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+
+# IP forwarding
+net.ipv4.ip_forward = 0
+
+# Sending ICMP redirects
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+
+# Keep sockets in FIN-WAIT-2 state
+net.ipv4.tcp_fin_timeout = 30
+
+# Keepalive packets to keep an connection alive
+net.ipv4.tcp_keepalive_time = 180
+net.ipv4.tcp_keepalive_intvl = 10
+net.ipv4.tcp_keepalive_probes = 3
+
+

data/assets/system.conf

@@ -0,0 +1,38 @@
+# Disable SysReq
+kernel.sysrq = 0
+
+# No core dump of executable setuid
+fs.suid_dumpable = 0
+
+# Prohibit unreferencing links to files
+fs.protected_symlinks = 1
+fs.protected_hardlinks = 1
+
+# Activate ASLR
+kernel.randomize_va_space = 2
+
+# Prohibit mapping of memory in low addresses (0)
+vm.mmap_min_addr = 65536
+
+# Larger choice space for PID values
+kernel.pid_max = 65536
+
+# Obfuscation of addresses memory kernel
+kernel.kptr_restrict = 1
+
+# Access restriction to the dmesg buffer
+kernel.dmesg_restrict = 1
+
+# Restricts the use of the perf system
+kernel.perf_event_paranoid = 2
+kernel.perf_event_max_sample_rate = 1
+kernel.perf_cpu_time_max_percent = 1
+
+# Avoid non-ancestor ptrace access to running processes and their credentials.
+kernel.yama.ptrace_scope = 1
+
+# Disable User Namespaces
+user.max_user_namespaces = 0
+
+# Turn off unprivileged eBPF access.
+kernel.unprivileged_bpf_disabled = 1

data/bin/getch

@@ -2,8 +2,18 @@
 
 require 'getch'
 
-def main(argv)
-  Getch::main(argv)
-end
+getch = Getch::Main.new(
+  cli: Getch::Options.new(ARGV)
+)
 
-main(ARGV)
+getch.resume
+
+getch.prepare_disk
+
+getch.install_system
+
+getch.terraform
+
+getch.bootloader
+
+getch.finalize

data/lib/clean.rb

@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+
+require 'nito'
+require_relative 'getch/command'
+require_relative 'getch/log'
+
+class Clean
+  include NiTo
+
+  def initialize(args)
+    @root = args[:disk] ||= nil
+    @boot = args[:boot_disk] ||= nil
+    @home = args[:home_disk] ||= nil
+    @cache = args[:cache_disk] ||= nil
+    @vg = args[:vg_name] ||= nil
+    @luks = args[:luks_name] ||= nil
+    @zfs = args[:zfs_name] ||= 'pool'
+    @log = Getch::Log.new
+    @mountpoint = args[:mountpoint] ||= '/mnt/getch'
+  end
+
+  def x
+    umount_all
+    swap_off
+    disable_lvs
+    cryptsetup_close
+    old_zfs
+    old_lvm
+    zap_all @root, @boot, @home, @cache
+    wipe_all @root, @boot, @home, @cache
+    dd
+  end
+
+  protected
+
+  def umount_all
+    paths = []
+    File.open('/proc/mounts').each do |l|
+      tmp = l.split(' ') if l =~ /#{@mountpoint}/
+      tmp && paths << tmp[1]
+    end
+    paths.each { |p| umount_r p }
+    umount '/tmp/boot'
+  end
+
+  def swap_off
+    swapoff @root
+    File.exist?("/dev/#{@vg}/swap") && swapoff_dm("#{@vg}-swap")
+  end
+
+  def disable_lvs
+    lvchange_n 'home'
+    lvchange_n 'swap'
+    lvchange_n 'root'
+  end
+
+  def cryptsetup_close
+    close "boot-#{@luks}"
+    close "root-#{@luks}"
+    close "home-#{@luks}"
+  end
+
+  def old_zfs
+    return unless File.exist? '/usr/bin/zpool'
+
+    destroy_zpool "b#{@zfs}"
+    destroy_zpool "r#{@zfs}"
+    cmd "rm -rf #{@mountpoint}/*" if Dir.exist? @mountpoint
+  end
+
+  def destroy_zpool(name)
+    if system("zpool list | grep #{name}")
+      cmd "zpool destroy -f #{name}"
+    end
+  end
+
+  def old_lvm
+    lvm = `lvs | grep #{@vg}`
+    lvm.match?(/#{@vg}/) || return
+
+    vgremove
+    pvremove @root, @home, @cache
+  end
+
+  def zap_all(*devs)
+    devs.each { |d| zap(d) }
+  end
+
+  def wipe_all(*devs)
+    devs.each { |d| wipe(d) }
+  end
+
+  def dd
+    cmd "dd if=/dev/zero of=/dev/#{@root} bs=1M count=100"
+  end
+
+  private
+
+  def wipe(dev)
+    dev || return
+
+    cmd "wipefs --all /dev/#{dev}"
+  end
+
+  def umount_r(dir)
+    dir || return
+
+    cmd 'umount', '-R', dir if mount? dir
+  end
+
+  def zap(dev)
+    dev || return
+
+    cmd 'sgdisk', '-Z', "/dev/#{dev}"
+  end
+
+  def lvchange_n(name)
+    return unless File.exist? "/dev/#{@vg}/#{name}"
+
+    cmd 'lvchange', '-an', "/dev/#{@vg}/#{name}"
+  end
+
+  def close(name)
+    return unless File.exist? "/dev/mapper/#{name}"
+
+    cmd 'cryptsetup', 'close', name
+  end
+
+  def vgremove
+    cmd 'vgremove', '-y', @vg
+  end
+
+  def pvremove(*devs)
+    devs.each { |d| pvdel(d) }
+  end
+
+  def pvdel(dev)
+    dev || return
+
+    disk = dev[/[a-z]*/]
+    disk.match?(/[a-z]{3}/) || @log.fatal("pvdel - No disk #{dev} - #{disk}")
+
+    cmd 'pvremove', '-f', "/dev/#{disk}*"
+  end
+
+  def cmd(*args)
+    Getch::Command.new(args)
+  end
+end

data/lib/cmdline.rb

@@ -0,0 +1,128 @@
+module CmdLine
+  def echo(path, content, mode = 0700)
+    f = File.new path, 'w'
+    f.write "#{content}\n"
+    f.chmod mode
+    f.close
+  end
+
+  class Kernel
+    include CmdLine
+
+    # man kernel-install
+    # use /etc/kernel/cmdline by default
+    def initialize(arg)
+      @dir = arg[:workdir]
+      @file = "#{@dir}/cmdline"
+      @line = ''
+    end
+
+    def main
+      puts ' > Generate cmdline for Kernel...'
+      cpu_mitigations
+      distrust_cpu
+      kernel_hardening
+      quiet
+
+      puts " >> Writing cmdline to #{@file}..."
+      echo @file, "#{@line}\n", 0644
+    end
+
+    private
+
+    def cpu_mitigations
+      @line << 'mds=full,nosmt'
+      @line << ' l1tf=full,force'
+      @line << ' kvm.nx_huge_pages=force'
+    end
+
+    def distrust_cpu
+      @line << ' random.trust_cpu=off'
+    end
+
+    def kernel_hardening
+      @line << ' slab_nomerge'
+      @line << ' slub_debug=FZ'
+      @line << ' init_on_alloc=1 init_on_free=1'
+      @line << ' mce=0'
+      @line << ' pti=on'
+      @line << ' vsyscall=none'
+      @line << ' page_alloc.shuffle=1'
+      @line << ' debugfs=off'
+    end
+
+    def quiet
+      @line << ' quiet loglevel=0'
+    end
+  end
+
+  class Grub
+    include CmdLine
+
+    def initialize(arg)
+      @conf = arg[:workdir]
+      @default_alias = 'GRUB_CMDLINE_LINUX_DEFAULT'
+      @cmd_alias = 'GRUB_CMDLINE_LINUX'
+    end
+
+    def main
+      puts ' > Generate cmdline for Grub...'
+      cpu_mitigations
+      distrust_cpu
+      kernel_hardening
+      quiet
+    end
+
+    private
+
+    def cpu_mitigations
+      lines = []
+      lines << add_linux('mds=full,nosmt')
+      lines << add_linux('l1tf=full,force')
+      lines << add_linux('kvm.nx_huge_pages=force')
+
+      puts " >> Writing to #{@conf}/40_cpu_mitigations.cfg"
+      echo "#{@conf}/40_cpu_mitigations.cfg", lines.join("\n"), 0755
+    end
+
+    def distrust_cpu
+      lines = []
+      lines << add_linux('random.trust_cpu=off')
+
+      puts " >> Writing to #{@conf}/40_distrust_cpu.cfg"
+      echo "#{@conf}/40_distrust_cpu.cfg", lines.join("\n"), 0755
+    end
+
+    def kernel_hardening
+      lines = []
+      lines << add_linux('slab_nomerge')
+      lines << add_linux('slub_debug=FZ')
+      lines << add_linux('init_on_alloc=1 init_on_free=1')
+      lines << add_linux('mce=0')
+      lines << add_linux('pti=on')
+      lines << add_linux('vsyscall=none')
+      lines << add_linux('page_alloc.shuffle=1')
+      lines << add_linux('debugfs=off')
+
+      puts " >> Writing to #{@conf}/40_kernel_hardening.cfg"
+      echo "#{@conf}/40_kernel_hardening.cfg", lines.join("\n"), 0755
+    end
+
+    def quiet
+      lines = []
+      lines << "#{@default_alias}=\"$(echo \"$#{@default_alias}\" | LANG=C str_replace \"quiet\" \"\")\""
+      lines << add_linux_default('quiet loglevel=0')
+
+      puts " >> Writing to #{@conf}/41_quiet.cfg"
+      echo "#{@conf}/41_quiet.cfg", lines.join("\n"), 0755
+    end
+
+    def add_linux(arg)
+      "#{@cmd_alias}=\"$#{@cmd_alias} #{arg}\""
+    end
+
+    def add_linux_default(arg)
+      "#{@default_alias}=\"$#{@default_alias} #{arg}\""
+    end
+  end
+end