getch 0.1.3 → 0.3.0
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data/README.md +75 -35
- data/assets/network-stack.conf +63 -0
- data/assets/system.conf +38 -0
- data/bin/getch +14 -4
- data/lib/clean.rb +149 -0
- data/lib/cmdline.rb +128 -0
- data/lib/cryptsetup.rb +132 -0
- data/lib/devs.rb +199 -0
- data/lib/dracut/encrypt.rb +36 -0
- data/lib/dracut/hybrid.rb +15 -0
- data/lib/dracut/lvm.rb +14 -0
- data/lib/dracut/minimal.rb +11 -0
- data/lib/dracut/root.rb +45 -0
- data/lib/dracut/zfs.rb +35 -0
- data/lib/dracut.rb +11 -0
- data/lib/fstab/encrypt.rb +44 -0
- data/lib/fstab/hybrid.rb +34 -0
- data/lib/fstab/lvm.rb +25 -0
- data/lib/fstab/minimal.rb +6 -0
- data/lib/fstab/root.rb +93 -0
- data/lib/fstab/zfs.rb +23 -0
- data/lib/fstab.rb +11 -0
- data/lib/getch/assembly.rb +150 -0
- data/lib/getch/command.rb +94 -124
- data/lib/getch/config/account.rb +39 -0
- data/lib/getch/config/dhcp.rb +104 -0
- data/lib/getch/config/grub.rb +42 -0
- data/lib/getch/config/iwd.rb +60 -0
- data/lib/getch/config/keymap.rb +78 -0
- data/lib/getch/config/locale.rb +96 -0
- data/lib/getch/config/portage.rb +90 -0
- data/lib/getch/config/pre_network.rb +37 -0
- data/lib/getch/config/timezone.rb +52 -0
- data/lib/getch/config/void.rb +11 -0
- data/lib/getch/config.rb +19 -53
- data/lib/getch/device.rb +67 -0
- data/lib/getch/filesystem/ext4/encrypt/config.rb +11 -68
- data/lib/getch/filesystem/ext4/encrypt/deps.rb +17 -25
- data/lib/getch/filesystem/ext4/encrypt/device.rb +13 -5
- data/lib/getch/filesystem/ext4/encrypt/format.rb +8 -15
- data/lib/getch/filesystem/ext4/encrypt/mount.rb +9 -13
- data/lib/getch/filesystem/ext4/encrypt/partition.rb +10 -82
- data/lib/getch/filesystem/ext4/encrypt/void.rb +63 -0
- data/lib/getch/filesystem/ext4/encrypt.rb +4 -0
- data/lib/getch/filesystem/ext4/hybrid/config.rb +27 -0
- data/lib/getch/filesystem/ext4/hybrid/deps.rb +55 -0
- data/lib/getch/filesystem/ext4/hybrid/device.rb +24 -0
- data/lib/getch/filesystem/ext4/hybrid/format.rb +23 -0
- data/lib/getch/filesystem/ext4/hybrid/mount.rb +21 -0
- data/lib/getch/filesystem/ext4/hybrid/partition.rb +27 -0
- data/lib/getch/filesystem/ext4/hybrid/void.rb +62 -0
- data/lib/getch/filesystem/ext4/hybrid.rb +19 -0
- data/lib/getch/filesystem/ext4/lvm/config.rb +25 -0
- data/lib/getch/filesystem/ext4/lvm/deps.rb +56 -0
- data/lib/getch/filesystem/ext4/lvm/device.rb +28 -0
- data/lib/getch/filesystem/ext4/lvm/format.rb +21 -0
- data/lib/getch/filesystem/ext4/lvm/mount.rb +21 -0
- data/lib/getch/filesystem/ext4/lvm/partition.rb +28 -0
- data/lib/getch/filesystem/{lvm.rb → ext4/lvm.rb} +8 -3
- data/lib/getch/filesystem/ext4/minimal/config.rb +25 -0
- data/lib/getch/filesystem/ext4/{device.rb → minimal/deps.rb} +4 -3
- data/lib/getch/filesystem/ext4/minimal/device.rb +22 -0
- data/lib/getch/filesystem/ext4/minimal/format.rb +23 -0
- data/lib/getch/filesystem/ext4/minimal/mount.rb +21 -0
- data/lib/getch/filesystem/ext4/minimal/partition.rb +28 -0
- data/lib/getch/filesystem/ext4/minimal.rb +19 -0
- data/lib/getch/filesystem/ext4.rb +9 -6
- data/lib/getch/filesystem/zfs/encrypt/config.rb +12 -57
- data/lib/getch/filesystem/zfs/encrypt/deps.rb +7 -86
- data/lib/getch/filesystem/zfs/encrypt/device.rb +9 -45
- data/lib/getch/filesystem/zfs/encrypt/format.rb +8 -90
- data/lib/getch/filesystem/zfs/encrypt/mount.rb +16 -34
- data/lib/getch/filesystem/zfs/encrypt/partition.rb +8 -50
- data/lib/getch/filesystem/zfs/encrypt.rb +4 -0
- data/lib/getch/filesystem/zfs/minimal/config.rb +37 -0
- data/lib/getch/filesystem/zfs/minimal/deps.rb +126 -0
- data/lib/getch/filesystem/zfs/minimal/device.rb +24 -0
- data/lib/getch/filesystem/zfs/minimal/format.rb +23 -0
- data/lib/getch/filesystem/zfs/minimal/mount.rb +23 -0
- data/lib/getch/filesystem/zfs/minimal/partition.rb +23 -0
- data/lib/getch/filesystem/zfs/minimal.rb +19 -0
- data/lib/getch/filesystem/zfs.rb +3 -6
- data/lib/getch/filesystem.rb +2 -6
- data/lib/getch/gentoo/bootloader.rb +47 -0
- data/lib/getch/gentoo/finalize.rb +25 -0
- data/lib/getch/gentoo/post_config.rb +75 -0
- data/lib/getch/gentoo/pre_config.rb +37 -0
- data/lib/getch/gentoo/services.rb +18 -0
- data/lib/getch/gentoo/sources.rb +82 -52
- data/lib/getch/gentoo/tarball.rb +91 -0
- data/lib/getch/gentoo/terraform.rb +34 -0
- data/lib/getch/gentoo/update.rb +54 -0
- data/lib/getch/gentoo/use.rb +11 -12
- data/lib/getch/gentoo/use_flag.rb +74 -52
- data/lib/getch/gentoo.rb +11 -63
- data/lib/getch/guard.rb +71 -0
- data/lib/getch/helpers.rb +128 -48
- data/lib/getch/log.rb +91 -26
- data/lib/getch/options.rb +79 -40
- data/lib/getch/states.rb +37 -10
- data/lib/getch/tree.rb +56 -0
- data/lib/getch/version.rb +1 -1
- data/lib/getch/void/bootloader.rb +18 -0
- data/lib/getch/void/finalize.rb +31 -0
- data/lib/getch/void/post_config.rb +19 -0
- data/lib/getch/void/pre_config.rb +18 -0
- data/lib/getch/void/services.rb +18 -0
- data/lib/getch/void/tarball.rb +89 -0
- data/lib/getch/void/terraform.rb +28 -0
- data/lib/getch/void/update.rb +33 -0
- data/lib/getch/void.rb +15 -0
- data/lib/getch.rb +104 -92
- data/lib/luks.rb +239 -0
- data/lib/lvm2.rb +112 -0
- data/lib/mkfs/zfs.rb +167 -0
- data/lib/mkfs.rb +140 -0
- data/lib/mountfs.rb +154 -0
- data/lib/nito.rb +131 -0
- data/lib/sgdisk.rb +160 -0
- data.tar.gz.sig +0 -0
- metadata +96 -45
- metadata.gz.sig +0 -0
- data/.gitignore +0 -2
- data/CHANGELOG.md +0 -90
- data/Rakefile +0 -21
- data/bin/setup.sh +0 -90
- data/getch.gemspec +0 -25
- data/lib/getch/filesystem/clean.rb +0 -51
- data/lib/getch/filesystem/device.rb +0 -61
- data/lib/getch/filesystem/ext4/config.rb +0 -58
- data/lib/getch/filesystem/ext4/deps.rb +0 -22
- data/lib/getch/filesystem/ext4/format.rb +0 -28
- data/lib/getch/filesystem/ext4/mount.rb +0 -23
- data/lib/getch/filesystem/ext4/partition.rb +0 -52
- data/lib/getch/filesystem/lvm/config.rb +0 -59
- data/lib/getch/filesystem/lvm/deps.rb +0 -42
- data/lib/getch/filesystem/lvm/device.rb +0 -43
- data/lib/getch/filesystem/lvm/encrypt/config.rb +0 -71
- data/lib/getch/filesystem/lvm/encrypt/deps.rb +0 -46
- data/lib/getch/filesystem/lvm/encrypt/device.rb +0 -46
- data/lib/getch/filesystem/lvm/encrypt/format.rb +0 -32
- data/lib/getch/filesystem/lvm/encrypt/mount.rb +0 -25
- data/lib/getch/filesystem/lvm/encrypt/partition.rb +0 -80
- data/lib/getch/filesystem/lvm/encrypt.rb +0 -15
- data/lib/getch/filesystem/lvm/format.rb +0 -29
- data/lib/getch/filesystem/lvm/mount.rb +0 -23
- data/lib/getch/filesystem/lvm/partition.rb +0 -69
- data/lib/getch/filesystem/mount.rb +0 -56
- data/lib/getch/filesystem/partition.rb +0 -77
- data/lib/getch/filesystem/zfs/config.rb +0 -57
- data/lib/getch/filesystem/zfs/deps.rb +0 -95
- data/lib/getch/filesystem/zfs/device.rb +0 -58
- data/lib/getch/filesystem/zfs/format.rb +0 -114
- data/lib/getch/filesystem/zfs/mount.rb +0 -48
- data/lib/getch/filesystem/zfs/partition.rb +0 -64
- data/lib/getch/gentoo/boot.rb +0 -109
- data/lib/getch/gentoo/chroot.rb +0 -77
- data/lib/getch/gentoo/config.rb +0 -129
- data/lib/getch/gentoo/stage.rb +0 -74
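--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c43bba03495a77a22b582c84f7e044383bc432fb8c8ca676d093673e836362af
+data.tar.gz: 762dd43c65c336df63176b7945d75600153503c3ccdf7d899228cd18443bbda7
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 1f5a90d17518469533bfdcafd14b3e3ad155717c722182fca194bfd81fced2dc37ff0093af2da778cf53cadb5c4e23ae3fa7fe16d7809155f21f1e127c5bbc89
+data.tar.gz: c533dbe161df1f6b72c3d690218547e926b219ff6bb19240f46bb040ccb2e86318cc5259b69b7692416c412e109fb5eb22fd424f9bca5d6dc1ae0ff70adc4cd0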
checksums.yaml.gz.sig
CHANGED
Binary file
|
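--- a/data/README.md
+++ b/data/README.md
@@ -1,34 +1,60 @@
 # Getch
-
+
+<div align="center">
+<br/>
+
+[![Gem Version](https://badge.fury.io/rb/getch.svg)](https://badge.fury.io/rb/getch)
+![GitHub Workflow Status (branch)](https://img.shields.io/github/workflow/status/szorfein/getch/Rubocop/develop)
+[![Ruby Style Guide](https://img.shields.io/badge/code_style-rubocop-brightgreen.svg)](https://github.com/rubocop/rubocop)
+![GitHub](https://img.shields.io/github/license/szorfein/getch)
+
+</div>
+
+A CLI tool to install Gentoo or Void Linux with default:
++ DNS over HTTPS (with [Quad9](https://www.quad9.net/)).
++ Vim | Nano installed.
++ Iptables installed (not configured).
++ Sudo installed (not configured).
++ [iwd](https://iwd.wiki.kernel.org/) installed if wifi is detected.
++ No GUI installed.
+
+Hardened System:
++ sysctl.conf with TCP/IP stack hardening and more [Arch](https://wiki.archlinux.org/title/Sysctl)
++ Kernel parameters enforced (dmesg restricted, kexec disabled, etc)
++ Kernel source (Gentoo) patched with [bask](https://github.com/szorfein/bask).
++ Musl optionnal
 
 ## Description
-Actually, Getch support only the
+Actually, Getch support only the `x86_64` architecture with the following archives:
++ **Gentoo**: `stage3-amd64-systemd` or `stage3-amd64-musl` [Gentoo](https://www.gentoo.org/downloads/).
++ **Void**: `rootfs tarball glibc` or `rootfs tarball musl` [Void](https://voidlinux.org/download/).
 
-
+Filesystem supported (with or without encryption)
 + Ext4
-+
++ Lvm
 + ZFS
 
-
+Boot Manager:
++ **Gentoo**: `BIOS` and `musl` will use `Grub2` and `systemd-boot` for `UEFI`.
++ **Void**: use only Grub2.
 
 The ISO images i was able to test and that works:
 + [Archlinux](https://www.archlinux.org/download/)
 + [Archaeidae](https://github.com/szorfein/archaeidae): Custom Archiso that includes ZFS support.
 
+You can also use your current `linux` host, just pay attention to the disk that will be used.
+
+## Dependencies
+Getch is build without external libs, so it only require `ruby >= 2.5`.
+
 ## Install
 Getch is cryptographically signed, so add my public key (if you haven’t already) as a trusted certificate.
 With `gem` installed:
 
 $ gem cert --add <(curl -Ls https://raw.githubusercontent.com/szorfein/getch/master/certs/szorfein.pem)
-
 $ gem install getch -P HighSecurity
 
-
-
-# sh <(curl -L https://raw.githubusercontent.com/szorfein/getch/master/bin/setup.sh)
-# source ~/.zshrc # or ~/.bashrc
-
-If you want to try the master branch:
+If you want to try from the source:
 
 # git clone https://github.com/szorfein/getch
 # cd getch
@@ -46,51 +72,65 @@ For a french user:
 
 # getch --zoneinfo "Europe/Paris" --language fr_FR --keymap fr
 
-Install Gentoo on LVM
+Install Gentoo on LVM and use a different root disk `/dev/sdc`
 
-# getch --format lvm --disk
+# getch --format ext4 --lvm --disk sdc
 
 Encrypt your disk with LVM with a french keymap
 
-# getch --format lvm --encrypt --keymap fr
+# getch --format ext4 --lvm --encrypt --keymap fr
 
-Encrypt with ext4 and create a
+Encrypt with ext4 and create a new user `ninja`:
 
 # getch --format ext4 --encrypt --username ninja
 
-With ZFS:
+With ZFS, if used with `--encrypt`, it use the native ZFS encryption:
 
 # getch --format zfs
 
+With `Void Linux` and `Musl` enable:
+
+# getch --os void --encrypt -k fr --musl
+
 ## Troubleshooting
 
-#### LVM
-
+#### Old VG for LVM
+If a old volume group exist, `getch` may fail to partition your disk. You have to clean up your device before proceed with `vgremove` and `pvremove`. An short example how doing this with a volume group named `vg0`:
 
 # vgdisplay | grep vg0
 # vgremove -f vg0
 # pvremove -f /dev/sdb
 
-#### Encryption
-To decrypt your disk on
-
+#### Encryption with GRUB
+To decrypt your disk on GRUB, only the `us` keymap is working for now.
+
+#### ZFS with Grub
+By default, if you use ZFS with `musl` or `voidlinux` the `/boot` partition is not mounted automatically, so before an update, mout the partition.
+
+# zpool status
+# zfs mount bpool/BOOT/void
+# ls /boot
+
+#### ZFS with and without encryption
+First time on ZFS after 5min
 
-
-
+```txt
+dracut Warning: /dev/disk/by-uuid/<DISK> does not exist
+```
 
-
+Dracut try to mount inexistent device. Just wait for enter in the shell and remove the disk uuid from `/lib/dracut/hooks/initqueue/finished/`
 
-# ls
-
-#
+# ls /lib/dracut/hooks/initqueue/finished/*
+# rm /lib/dracut/hooks/initqueue/finished/dev*
+# exit
 
-
+Dracut should finally start `mount-zfs.sh` and ask for a password if encrypted. After you first login, mount the `/boot` partition and recompile the initramfs and your good.
 
-
++ For Gentoo: `emerge --config sys-kernel/gentoo-kernel-bin`
++ For Voidlinux: `xbps-reconfigure -fa`
 
-
+If it doesn't work, try to start script manually (always in the shell):
 
-
-
-
-+ lsmod
+# . /lib/dracut/hooks/mount/98-mount-zsh.sh
+# . /lib/dracut/hooks/mount/99-mount-root.sh
+# exit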
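--- a/data/assets/network-stack.conf
+++ b/data/assets/network-stack.conf
@@ -0,0 +1,63 @@
+# https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening
+# https://github.com/trimstray/the-practical-linux-hardening-guide/wiki/Network-stack
+
+# TCP SYN cookie protection
+net.ipv4.tcp_syncookies = 1
+
+# TCP rfc1337
+net.ipv4.tcp_rfc1337 = 1
+
+# Reverse path filtering
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.rp_filter = 1
+
+# Log martian packets
+net.ipv4.conf.default.log_martians = 1
+net.ipv4.conf.all.log_martians = 1
+
+# Disable ICMP redirects
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# Disable IP source routing
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.all.accept_source_route = 0
+
+# Ignore ICMP echo requests
+net.ipv4.icmp_echo_ignore_all = 1
+net.ipv6.icmp.echo_ignore_all = 1
+
+# Ignoring broadcasts request
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# An illicit router advertisement message could result in a man-in-the-middle attack.
+net.ipv6.conf.default.accept_ra = 0
+net.ipv6.conf.all.accept_ra = 0
+
+# Ignore bogus ICMP error responses
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# ICMP redirects
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.accept_redirects = 0
+
+# Accepting secure redirects
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+
+# IP forwarding
+net.ipv4.ip_forward = 0
+
+# Sending ICMP redirects
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+
+# Keep sockets in FIN-WAIT-2 state
+net.ipv4.tcp_fin_timeout = 30
+
+# Keepalive packets to keep an connection alive
+net.ipv4.tcp_keepalive_time = 180
+net.ipv4.tcp_keepalive_intvl = 10
+net.ipv4.tcp_keepalive_probes = 3
+
+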
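Review bot: `net.ipv6.conf.default.accept_ra = 0` and `net.ipv6.conf.all.accept_ra = 0` (lines 34-35) switch off router-advertisement processing on every interface, which also disables SLAAC and default-route learning, so on the common RA-only network the freshly installed host has no IPv6 connectivity until it is configured statically or via DHCPv6; the comment above them should say so, e.g. `# Also disables SLAAC: configure IPv6 statically/DHCPv6, or set accept_ra=2 on the uplink`. `net.ipv4.icmp_echo_ignore_all = 1` and `net.ipv6.icmp.echo_ignore_all = 1` (lines 27-28) make the host silent to ping, which defeats reachability monitoring and is a trade-off the file should state rather than present as a plain hardening win. The IPv4 source-routing keys (lines 23-24) have no IPv6 counterpart; adding `net.ipv6.conf.default.accept_source_route = 0` and `net.ipv6.conf.all.accept_source_route = 0` keeps both stacks pinned explicitly, as the file already does for the IPv4 keys whose kernel default is also 0. The rp_filter value of 1 is strict mode and will drop replies on hosts with asymmetric routing (multi-homed VMs, policy routing); `2` (loose) is the usual compromise and worth mentioning in the comment.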
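--- a/data/assets/system.conf
+++ b/data/assets/system.conf
@@ -0,0 +1,38 @@
+# Disable SysReq
+kernel.sysrq = 0
+
+# No core dump of executable setuid
+fs.suid_dumpable = 0
+
+# Prohibit unreferencing links to files
+fs.protected_symlinks = 1
+fs.protected_hardlinks = 1
+
+# Activate ASLR
+kernel.randomize_va_space = 2
+
+# Prohibit mapping of memory in low addresses (0)
+vm.mmap_min_addr = 65536
+
+# Larger choice space for PID values
+kernel.pid_max = 65536
+
+# Obfuscation of addresses memory kernel
+kernel.kptr_restrict = 1
+
+# Access restriction to the dmesg buffer
+kernel.dmesg_restrict = 1
+
+# Restricts the use of the perf system
+kernel.perf_event_paranoid = 2
+kernel.perf_event_max_sample_rate = 1
+kernel.perf_cpu_time_max_percent = 1
+
+# Avoid non-ancestor ptrace access to running processes and their credentials.
+kernel.yama.ptrace_scope = 1
+
+# Disable User Namespaces
+user.max_user_namespaces = 0
+
+# Turn off unprivileged eBPF access.
+kernel.unprivileged_bpf_disabled = 1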
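Review bot: `user.max_user_namespaces = 0` (line 35) also removes unprivileged user namespaces from the sandboxes that depend on them — Chromium/Firefox, Flatpak/bubblewrap, rootless Podman — so a host that later gets a desktop or containers loses those sandboxes with no hint in this file; suggest `# Disable user namespaces (breaks browser/Flatpak/rootless-container sandboxes; raise if needed)`. `kernel.yama.ptrace_scope = 1` (line 32) only exists when the kernel was built with the Yama LSM; on a kernel without it `sysctl --system` reports the key as unknown and still applies the rest, which is acceptable but deserves a note given the Gentoo path ships a custom-patched kernel source. `kernel.pid_max = 65536` with the comment "Larger choice space for PID values" is actually a reduction on 64-bit systemd hosts, where systemd (v243+) ships a drop-in raising pid_max to 4194304; either drop the key or reword the comment to say what is intended. `fs.protected_symlinks`/`fs.protected_hardlinks` are set but the newer `fs.protected_regular = 2` and `fs.protected_fifos = 2` (4.19+) are not, and they close the same family of world-writable-directory races. `kernel.kptr_restrict = 1` still shows kernel pointers to CAP_SYSLOG holders; `2` hides them from everyone and is the value the hardening guides this file follows usually recommend — if 1 is deliberate (e.g. to keep `perf`/crash dumps useful for root), say so in the comment.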
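--- a/data/bin/getch
+++ b/data/bin/getch
@@ -2,8 +2,18 @@
 
 require 'getch'
 
-
-Getch::
-
+getch = Getch::Main.new(
+cli: Getch::Options.new(ARGV)
+)
 
-
+getch.resume
+
+getch.prepare_disk
+
+getch.install_system
+
+getch.terraform
+
+getch.bootloader
+
+getch.finalize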
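Review bot: The six stages from `getch.resume` to `getch.finalize` run unconditionally and nothing in the entry point says what each does or which one is the point of no return, even though the diffstat adds a `clean.rb` that zaps, wipes and `dd`s the selected devices; a reader of `bin/getch` should be able to see that without opening `Getch::Main`. Add a short comment above the calls naming each stage in order and mark the destructive one, e.g. `getch.prepare_disk # destructive: wipes and repartitions the disks given on the command line`. Whether `Getch::Main` confirms the target disk and checks for root before `prepare_disk` is outside this hunk; if it does not, that guard belongs in this script before that call rather than after the disk is already gone.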
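--- a/data/lib/clean.rb
+++ b/data/lib/clean.rb
@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+
+require 'nito'
+require_relative 'getch/command'
+require_relative 'getch/log'
+
+class Clean
+include NiTo
+
+def initialize(args)
+@root = args[:disk] ||= nil
+@boot = args[:boot_disk] ||= nil
+@home = args[:home_disk] ||= nil
+@cache = args[:cache_disk] ||= nil
+@vg = args[:vg_name] ||= nil
+@luks = args[:luks_name] ||= nil
+@zfs = args[:zfs_name] ||= 'pool'
+@log = Getch::Log.new
+@mountpoint = args[:mountpoint] ||= '/mnt/getch'
+end
+
+def x
+umount_all
+swap_off
+disable_lvs
+cryptsetup_close
+old_zfs
+old_lvm
+zap_all @root, @boot, @home, @cache
+wipe_all @root, @boot, @home, @cache
+dd
+end
+
+protected
+
+def umount_all
+paths = []
+File.open('/proc/mounts').each do |l|
+tmp = l.split(' ') if l =~ /#{@mountpoint}/
+tmp && paths << tmp[1]
+end
+paths.each { |p| umount_r p }
+umount '/tmp/boot'
+end
+
+def swap_off
+swapoff @root
+File.exist?("/dev/#{@vg}/swap") && swapoff_dm("#{@vg}-swap")
+end
+
+def disable_lvs
+lvchange_n 'home'
+lvchange_n 'swap'
+lvchange_n 'root'
+end
+
+def cryptsetup_close
+close "boot-#{@luks}"
+close "root-#{@luks}"
+close "home-#{@luks}"
+end
+
+def old_zfs
+return unless File.exist? '/usr/bin/zpool'
+
+destroy_zpool "b#{@zfs}"
+destroy_zpool "r#{@zfs}"
+cmd "rm -rf #{@mountpoint}/*" if Dir.exist? @mountpoint
+end
+
+def destroy_zpool(name)
+if system("zpool list | grep #{name}")
+cmd "zpool destroy -f #{name}"
+end
+end
+
+def old_lvm
+lvm = `lvs | grep #{@vg}`
+lvm.match?(/#{@vg}/) || return
+
+vgremove
+pvremove @root, @home, @cache
+end
+
+def zap_all(*devs)
+devs.each { |d| zap(d) }
+end
+
+def wipe_all(*devs)
+devs.each { |d| wipe(d) }
+end
+
+def dd
+cmd "dd if=/dev/zero of=/dev/#{@root} bs=1M count=100"
+end
+
+private
+
+def wipe(dev)
+dev || return
+
+cmd "wipefs --all /dev/#{dev}"
+end
+
+def umount_r(dir)
+dir || return
+
+cmd 'umount', '-R', dir if mount? dir
+end
+
+def zap(dev)
+dev || return
+
+cmd 'sgdisk', '-Z', "/dev/#{dev}"
+end
+
+def lvchange_n(name)
+return unless File.exist? "/dev/#{@vg}/#{name}"
+
+cmd 'lvchange', '-an', "/dev/#{@vg}/#{name}"
+end
+
+def close(name)
+return unless File.exist? "/dev/mapper/#{name}"
+
+cmd 'cryptsetup', 'close', name
+end
+
+def vgremove
+cmd 'vgremove', '-y', @vg
+end
+
+def pvremove(*devs)
+devs.each { |d| pvdel(d) }
+end
+
+def pvdel(dev)
+dev || return
+
+disk = dev[/[a-z]*/]
+disk.match?(/[a-z]{3}/) || @log.fatal("pvdel - No disk #{dev} - #{disk}")
+
+cmd 'pvremove', '-f', "/dev/#{disk}*"
+end
+
+def cmd(*args)
+Getch::Command.new(args)
+end
+end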
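Review bot: `pvdel` (lines 137-144) derives the parent disk with `dev[/[a-z]*/]`, which stops at the first digit, so for an NVMe or MMC name such as `nvme0n1` it yields `nvme` (which passes the `[a-z]{3}` check) and the following `pvremove -f /dev/nvme*` strips the PV label from every NVMe device on the host rather than from the one selected with `--disk`. Because `@root`/`@home`/`@cache` are the device names taken from the options, globbing on the name itself is enough, as below; whether the `*` is expanded by a shell or handed to pvremove literally depends on `Getch::Command`, which is outside this hunk, so the rewrite expands it in Ruby. `old_lvm` (lines 77-83) needs `@vg || return`: with `@vg` nil the pipeline is `lvs | grep ` with an empty pattern that matches any LV and `/#{@vg}/` becomes `//`, so `vgremove -y` is attempted with a nil name and `pvremove` runs on the disks regardless. `dd` (line 93) is the one device helper without the `dev || return` guard the others carry, and `destroy_zpool` (line 72) uses a substring `grep`, so a pool named `rpool` also matches `rpool2`; `zpool list -H -o name #{name}` exits non-zero for an absent pool and is exact.
```ruby
def pvdel(dev)
  dev || return

  # Match this device and its own partitions only (sdb, sdb1 ... /
  # nvme0n1, nvme0n1p1 ...), never sibling disks sharing a name prefix.
  parts = Dir.glob("/dev/#{dev}*")
  parts.empty? && @log.fatal("pvdel - No disk #{dev}")

  cmd 'pvremove', '-f', *parts
end
```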
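--- a/data/lib/cmdline.rb
+++ b/data/lib/cmdline.rb
@@ -0,0 +1,128 @@
+module CmdLine
+def echo(path, content, mode = 0700)
+f = File.new path, 'w'
+f.write "#{content}\n"
+f.chmod mode
+f.close
+end
+
+class Kernel
+include CmdLine
+
+# man kernel-install
+# use /etc/kernel/cmdline by default
+def initialize(arg)
+@dir = arg[:workdir]
+@file = "#{@dir}/cmdline"
+@line = ''
+end
+
+def main
+puts ' > Generate cmdline for Kernel...'
+cpu_mitigations
+distrust_cpu
+kernel_hardening
+quiet
+
+puts " >> Writing cmdline to #{@file}..."
+echo @file, "#{@line}\n", 0644
+end
+
+private
+
+def cpu_mitigations
+@line << 'mds=full,nosmt'
+@line << ' l1tf=full,force'
+@line << ' kvm.nx_huge_pages=force'
+end
+
+def distrust_cpu
+@line << ' random.trust_cpu=off'
+end
+
+def kernel_hardening
+@line << ' slab_nomerge'
+@line << ' slub_debug=FZ'
+@line << ' init_on_alloc=1 init_on_free=1'
+@line << ' mce=0'
+@line << ' pti=on'
+@line << ' vsyscall=none'
+@line << ' page_alloc.shuffle=1'
+@line << ' debugfs=off'
+end
+
+def quiet
+@line << ' quiet loglevel=0'
+end
+end
+
+class Grub
+include CmdLine
+
+def initialize(arg)
+@conf = arg[:workdir]
+@default_alias = 'GRUB_CMDLINE_LINUX_DEFAULT'
+@cmd_alias = 'GRUB_CMDLINE_LINUX'
+end
+
+def main
+puts ' > Generate cmdline for Grub...'
+cpu_mitigations
+distrust_cpu
+kernel_hardening
+quiet
+end
+
+private
+
+def cpu_mitigations
+lines = []
+lines << add_linux('mds=full,nosmt')
+lines << add_linux('l1tf=full,force')
+lines << add_linux('kvm.nx_huge_pages=force')
+
+puts " >> Writing to #{@conf}/40_cpu_mitigations.cfg"
+echo "#{@conf}/40_cpu_mitigations.cfg", lines.join("\n"), 0755
+end
+
+def distrust_cpu
+lines = []
+lines << add_linux('random.trust_cpu=off')
+
+puts " >> Writing to #{@conf}/40_distrust_cpu.cfg"
+echo "#{@conf}/40_distrust_cpu.cfg", lines.join("\n"), 0755
+end
+
+def kernel_hardening
+lines = []
+lines << add_linux('slab_nomerge')
+lines << add_linux('slub_debug=FZ')
+lines << add_linux('init_on_alloc=1 init_on_free=1')
+lines << add_linux('mce=0')
+lines << add_linux('pti=on')
+lines << add_linux('vsyscall=none')
+lines << add_linux('page_alloc.shuffle=1')
+lines << add_linux('debugfs=off')
+
+puts " >> Writing to #{@conf}/40_kernel_hardening.cfg"
+echo "#{@conf}/40_kernel_hardening.cfg", lines.join("\n"), 0755
+end
+
+def quiet
+lines = []
+lines << "#{@default_alias}=\"$(echo \"$#{@default_alias}\" | LANG=C str_replace \"quiet\" \"\")\""
+lines << add_linux_default('quiet loglevel=0')
+
+puts " >> Writing to #{@conf}/41_quiet.cfg"
+echo "#{@conf}/41_quiet.cfg", lines.join("\n"), 0755
+end
+
+def add_linux(arg)
+"#{@cmd_alias}=\"$#{@cmd_alias} #{arg}\""
+end
+
+def add_linux_default(arg)
+"#{@default_alias}=\"$#{@default_alias} #{arg}\""
+end
+end
+end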
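Review bot: `echo` (lines 2-7) opens the file with `File.new`, closes it only on the happy path, and creates it under the process umask before `chmod`-ing it, so a failed `write` leaks the handle and the content is briefly readable with wider permissions than `mode` intends; `File.open(path, 'w', mode) { |f| f.write "#{content}\n" }` creates it with the right mode and always closes it. `Kernel#main` (line 28) passes `"#{@line}\n"` to that helper, which appends its own newline, so `/etc/kernel/cmdline` ends with an empty line — pass `@line` alone. Naming the inner class `Kernel` inside `module CmdLine` shadows `::Kernel` for constant lookup within the module, harmless now but a trap for anyone who later writes `Kernel.exit` or `Kernel.system` there; `KernelCmdline` would avoid it. `str_replace` in `quiet` (line 113) is not a coreutils command; unless the scripts that source these `.cfg` files provide it, that pipeline fails and `quiet` ends up duplicated rather than replaced, whereas `sed 's/quiet//'` is portable. The `mds=full,nosmt`/`l1tf=full,force` pair disables SMT on affected CPUs and `slub_debug=FZ` plus `init_on_free=1` carry a measurable performance cost, which deserves a one-line comment above `cpu_mitigations` and `kernel_hardening` so the trade-off is visible to whoever tunes an install.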