getch 0.1.6 → 0.1.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9291f8df276b462cd310f6dc759d6c0526a9d8fdc7c47116f4c22e53d1aec6e6
-  data.tar.gz: c7c325c4fbc228110630b98f9d52d110bdc7d5654566efb0a136bbcfedbe5331
+  metadata.gz: 46439ee6483306d467923074b461ad5df9d9f7a9a32981936952b586e85173f9
+  data.tar.gz: e4232a6832086eafb46e9f29da73b461762c65c6232071cf2854c9ddb7680e2f
 SHA512:
-  metadata.gz: f7634afba44f36e31c1ab56bc373afbf1b20cce50d97445410ffc496d4c803b3c5d978c98d1a0949dc41de725db25236185df5492a0c9115425a4dc08d1c73e8
-  data.tar.gz: d807dbcdf3fc769473c5c14200ad91c3e8c878f6f6627a0a242481601be05e57ffe58d623c1e0431b510546f896e7fdb0f0c98bd719298977cef15ad50a76c65
+  metadata.gz: 8689b833a86f39c1b5a310ed193e588399fed86384012015f04251d39175e3bd6121a7f65540086fc1556f831017a6d56467a3325ec29f78651295adcdd3ed23
+  data.tar.gz: ac28be3804fddb3f995a8b86c438d447216547078855ca103ac4151a038934a9e7369a8a96500165b14ca38fdcac6ece31bbb5a1324e036b553ad76a0f456621

data/README.md

@@ -1,4 +1,15 @@
 # Getch
+
+<div align="center">
+<br/>
+
+[![Gem Version](https://badge.fury.io/rb/getch.svg)](https://badge.fury.io/rb/getch)
+![GitHub Workflow Status (branch)](https://img.shields.io/github/workflow/status/szorfein/getch/Rubocop/develop)
+[![Ruby Style Guide](https://img.shields.io/badge/code_style-rubocop-brightgreen.svg)](https://github.com/rubocop/rubocop)
+![GitHub](https://img.shields.io/github/license/szorfein/ardecy)
+
+</div>
+
 A CLI tool to install Gentoo or Void Linux with default:
 + DNS over HTTPS (with [Quad9](https://www.quad9.net/)).
 + Vim | Nano installed.
@@ -40,7 +51,7 @@ With `gem` installed:
     $ gem cert --add <(curl -Ls https://raw.githubusercontent.com/szorfein/getch/master/certs/szorfein.pem)
     $ gem install getch -P HighSecurity
 
-If you want to try the master branch (can be unstable):
+If you want to try from the source:
 
     # git clone https://github.com/szorfein/getch
     # cd getch
@@ -91,43 +102,23 @@ If a old volume group exist, `getch` may fail to partition your disk. You have t
 To decrypt your disk on BIOS system, you have to enter your password twice. One time for Grub and another time for Genkernel. [post](https://wiki.archlinux.org/index.php/GRUB#Encrypted_/boot).  
 Also with GRUB, only a `us` keymap is working.
 
-#### ZFS for Gentoo
-When Gentoo boot the first time, the pool may fail to start, it's happen when the pool has not been `export` to the ISO. So just `export` your pool from the genkernel shell:
-
-The zpool name should be visible (rpool-150ed here), so enter in the Genkernel shell:
-
-    > shell
-    zpool import -f -N -R /tmp rpool-150ed
-    zpool export -a
-
-Then, just reboot now, it's all.
-
-*INFO*: To create the zpool, getch use the 5 fist characters from the `partuuid`, just replace `sdX` by your real device:
-
-    # ls -l /dev/disk/by-partuuid/ | grep sdX4
-    -> 150ed969...
-
-The pool will be called `rpool-150ed`.
-
 #### ZFS for Void Linux - Enable the boot pool
 You have some extras step to do after booting to enable the boot pool, you need this pool when you update your system. It's used mainly by Grub and Dracut.
 By default, your /boot is empty because your boot pool is not imported...
 
-    # zpool import -N bpool150ed
-    # zfs mount bpool150ed/BOOT/void
+    # zpool import -f -d /dev/disk/by-id -N bpool-150ed
+    # zfs mount bpool-150ed/BOOT/void
     # ls /boot
 
 You should see something in the boot (initramfs, vmlinuz).. Recreate the initramfs.
 
     # xbps-reconfigure -fa
 
-Transform the boot pool in legacy mode and add this to the fstab:
+Make the `bpool` available at the boot:
 
-    # zfs set mountpoint=legacy bpool150ed/BOOT/void
-    # echo "bpool150ed/BOOT/void /boot zfs defaults 0 0" >> /etc/fstab
-    # mount /boot
+    # zfs set canmount=on bpool-150ed/BOOT/void
 
-The /boot should not be empty again and then, reboot. `fstab` should do this automatically now.   
+And reboot, the `/boot` partition should be mounted automatically after that.
 
 #### ZFS Encrypted with Void
 Well, another weird issue, the first time you boot on your encrypted pool, nothing append. Dracut try to mount inexistent device. Just wait for enter in the shell:

data/assets/system.conf

@@ -0,0 +1,38 @@
+# Disable SysReq
+kernel.sysrq = 0
+
+# No core dump of executable setuid
+fs.suid_dumpable = 0
+
+# Prohibit unreferencing links to files
+fs.protected_symlinks = 1
+fs.protected_hardlinks = 1
+
+# Activate ASLR
+kernel.randomize_va_space = 2
+
+# Prohibit mapping of memory in low addresses (0)
+vm.mmap_min_addr = 65536
+
+# Larger choice space for PID values
+kernel.pid_max = 65536
+
+# Obfuscation of addresses memory kernel
+kernel.kptr_restrict = 1
+
+# Access restriction to the dmesg buffer
+kernel.dmesg_restrict = 1
+
+# Restricts the use of the perf system
+kernel.perf_event_paranoid = 2
+kernel.perf_event_max_sample_rate = 1
+kernel.perf_cpu_time_max_percent = 1
+
+# Avoid non-ancestor ptrace access to running processes and their credentials.
+kernel.yama.ptrace_scope = 1
+
+# Disable User Namespaces
+user.max_user_namespaces = 0
+
+# Turn off unprivileged eBPF access.
+kernel.unprivileged_bpf_disabled = 1

data/lib/cmdline.rb

@@ -0,0 +1,128 @@
+module CmdLine
+  def echo(path, content, mode = 0700)
+    f = File.new path, 'w'
+    f.write "#{content}\n"
+    f.chmod mode
+    f.close
+  end
+
+  class Kernel
+    include CmdLine
+
+    # man kernel-install
+    # use /etc/kernel/cmdline by default
+    def initialize(arg)
+      @dir = arg[:workdir]
+      @file = "#{@dir}/cmdline"
+      @line = ''
+    end
+
+    def main
+      puts ' > Generate cmdline for Kernel...'
+      cpu_mitigations
+      distrust_cpu
+      kernel_hardening
+      quiet
+
+      puts " >> Writing cmdline to #{@file}..."
+      echo @file, "#{@line}\n", 0644
+    end
+
+    private
+
+    def cpu_mitigations
+      @line << 'mds=full,nosmt'
+      @line << ' l1tf=full,force'
+      @line << ' kvm.nx_huge_pages=force'
+    end
+
+    def distrust_cpu
+      @line << ' random.trust_cpu=off'
+    end
+
+    def kernel_hardening
+      @line << ' slab_nomerge'
+      @line << ' slub_debug=FZ'
+      @line << ' init_on_alloc=1 init_on_free=1'
+      @line << ' mce=0'
+      @line << ' pti=on'
+      @line << ' vsyscall=none'
+      @line << ' page_alloc.shuffle=1'
+      @line << ' debugfs=off'
+    end
+
+    def quiet
+      @line << ' quiet loglevel=0'
+    end
+  end
+
+  class Grub
+    include CmdLine
+
+    def initialize(arg)
+      @conf = arg[:workdir]
+      @default_alias = 'GRUB_CMDLINE_LINUX_DEFAULT'
+      @cmd_alias = 'GRUB_CMDLINE_LINUX'
+    end
+
+    def main
+      puts ' > Generate cmdline for Grub...'
+      cpu_mitigations
+      distrust_cpu
+      kernel_hardening
+      quiet
+    end
+
+    private
+
+    def cpu_mitigations
+      lines = []
+      lines << add_linux('mds=full,nosmt')
+      lines << add_linux('l1tf=full,force')
+      lines << add_linux('kvm.nx_huge_pages=force')
+
+      puts " >> Writing to #{@conf}/40_cpu_mitigations.cfg"
+      echo "#{@conf}/40_cpu_mitigations.cfg", lines.join("\n"), 0755
+    end
+
+    def distrust_cpu
+      lines = []
+      lines << add_linux('random.trust_cpu=off')
+
+      puts " >> Writing to #{@conf}/40_distrust_cpu.cfg"
+      echo "#{@conf}/40_distrust_cpu.cfg", lines.join("\n"), 0755
+    end
+
+    def kernel_hardening
+      lines = []
+      lines << add_linux('slab_nomerge')
+      lines << add_linux('slub_debug=FZ')
+      lines << add_linux('init_on_alloc=1 init_on_free=1')
+      lines << add_linux('mce=0')
+      lines << add_linux('pti=on')
+      lines << add_linux('vsyscall=none')
+      lines << add_linux('page_alloc.shuffle=1')
+      lines << add_linux('debugfs=off')
+
+      puts " >> Writing to #{@conf}/40_kernel_hardening.cfg"
+      echo "#{@conf}/40_kernel_hardening.cfg", lines.join("\n"), 0755
+    end
+
+    def quiet
+      lines = []
+      lines << "#{@default_alias}=\"$(echo \"$#{@default_alias}\" | LANG=C str_replace \"quiet\" \"\")\""
+      lines << add_linux_default('quiet loglevel=0')
+
+      puts " >> Writing to #{@conf}/41_quiet.cfg"
+      echo "#{@conf}/41_quiet.cfg", lines.join("\n"), 0755
+    end
+
+    def add_linux(arg)
+      "#{@cmd_alias}=\"$#{@cmd_alias} #{arg}\""
+    end
+
+    def add_linux_default(arg)
+      "#{@default_alias}=\"$#{@default_alias} #{arg}\""
+    end
+  end
+end

data/lib/getch/command.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'open3'
 
 module Getch
@@ -9,7 +11,7 @@ module Getch
     end
 
     def run!
-      @log.info "Running command: " + @cmd.gsub(/\"/, '')
+      @log.info 'Running command: ' + @cmd.gsub(/\"/, '')
 
       Open3.popen3(@cmd) do |stdin, stdout, stderr, wait_thr|
         stdin.close_write
@@ -18,7 +20,7 @@ module Getch
         # only stderr
         begin
           @log.debug stderr.readline until stderr.eof.nil?
-        rescue EOFError
+        rescue
         end
 
         begin
@@ -61,7 +63,7 @@ module Getch
           data = f.read_nonblock(@block_size)
           puts data if OPTIONS[:verbose]
         rescue EOFError
-          puts ""
+          puts
         rescue => e
           puts "Fatal - #{e}"
         end
@@ -79,13 +81,13 @@ module Getch
 
     def run!
       @log.info "Running emerge: #{@cmd}"
-      system("chroot", @gentoo, "/bin/bash", "-c", "source /etc/profile && #{@cmd}")
+      system('chroot', @gentoo, '/bin/bash', '-c', "source /etc/profile && #{@cmd}")
       read_exit
     end
 
     def pkg!
       @log.info "Running emerge pkg: #{@cmd}"
-      system("chroot", @gentoo, "/bin/bash", "-c", "source /etc/profile && emerge --changed-use #{@cmd}")
+      system('chroot', @gentoo, '/bin/bash', '-c', "source /etc/profile && emerge --changed-use #{@cmd}")
       read_exit
     end
 
@@ -113,10 +115,8 @@ module Getch
         && env-update \
         && cd /usr/src/linux \
         && #{@cmd}\""
-      Open3.popen2e(cmd) do |stdin, stdout_err, wait_thr|
-        while line = stdout_err.gets
-          puts line
-        end
+      Open3.popen2e(cmd) do |_, stdout_err, wait_thr|
+        stdout_err.each { |l| puts l }
 
         exit_status = wait_thr.value
         unless exit_status.success?
@@ -129,23 +129,21 @@ module Getch
 
   class Bask
     def initialize(cmd)
-      @gentoo = MOUNTPOINT
       @cmd = cmd
       @log = Getch::Log.new
-      @version = "0.5"
+      @version = '0.6'
+      @config = "#{MOUNTPOINT}/etc/kernel/config.d"
+      download_bask unless Dir.exist? "#{MOUNTPOINT}/root/bask-#{@version}"
     end
 
     def run!
-      download_bask if ! Dir.exist? "#{MOUNTPOINT}/root/bask-#{@version}"
       @log.info "Running Bask: #{@cmd}"
-      cmd = "chroot #{@gentoo} /bin/bash -c \"source /etc/profile \
+      cmd = "chroot #{MOUNTPOINT} /bin/bash -c \"source /etc/profile \
         && env-update \
         && cd /root/bask-#{@version} \
         && ./bask.sh #{@cmd} -k /usr/src/linux\""
-      Open3.popen2e(cmd) do |stdin, stdout_err, wait_thr|
-        while line = stdout_err.gets
-          puts line
-        end
+      Open3.popen2e(cmd) do |_, stdout_err, wait_thr|
+        stdout_err.each { |l| puts l }
 
         exit_status = wait_thr.value
         unless exit_status.success?
@@ -155,15 +153,27 @@ module Getch
       end
     end
 
-    private 
+    def cp
+      Helpers.mkdir @config
+      Helpers.cp(
+        "#{MOUNTPOINT}/root/bask-#{@version}/config.d/#{@cmd}",
+        "#{@config}/#{@cmd}"
+      )
+    end
+
+    def add(content)
+      Helpers.add_file "#{@config}/#{@cmd}", content
+    end
+
+    private
 
     def download_bask
-      @log.info "Installing Bask..."
-      url = "https://github.com/szorfein/bask/archive/v#{@version}.tar.gz"
+      @log.info 'Installing Bask...'
+      url = "https://github.com/szorfein/bask/archive/refs/tags/#{@version}.tar.gz"
       file = "bask-#{@version}.tar.gz"
 
       Dir.chdir("#{MOUNTPOINT}/root")
-      Helpers::get_file_online(url, file)
+      Helpers.get_file_online(url, file)
       Getch::Command.new("tar xzf #{file}").run!
     end
   end

data/lib/getch/config/gentoo.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Getch
   module Config
     class Gentoo
@@ -8,15 +10,14 @@ module Getch
       def ethernet
         conf = "#{@systemd_net_dir}/network/20-ethernet.network"
         datas = [
-          "[Match]",
-          "Name=en*",
-          "Name=eth*",
-          "[Network]",
-          "DHCP=yes",
-          "IPv6PrivacyExtensions=yes",
-          "[DHCP]",
-          "RouteMetric=512",
-          "",
+          '[Match]',
+          'Name=en*',
+          'Name=eth*',
+          '[Network]',
+          'DHCP=yes',
+          'IPv6PrivacyExtensions=yes',
+          '[DHCP]',
+          'RouteMetric=512',
         ]
         File.write(conf, datas.join("\n"), mode: 'w')
       end
@@ -24,15 +25,14 @@ module Getch
       def wifi
         conf = "#{@systemd_net_dir}/network/20-wireless.network"
         datas = [
-          "[Match]",
-          "Name=wlp*",
-          "Name=wlan*",
-          "[Network]",
-          "DHCP=yes",
-          "IPv6PrivacyExtensions=yes",
-          "[DHCP]",
-          "RouteMetric=1024",
-          "",
+          '[Match]',
+          'Name=wlp*',
+          'Name=wlan*',
+          '[Network]',
+          'DHCP=yes',
+          'IPv6PrivacyExtensions=yes',
+          '[DHCP]',
+          'RouteMetric=1024',
         ]
         File.write(conf, datas.join("\n"), mode: 'w')
       end
@@ -40,12 +40,11 @@ module Getch
       def dns
         conf = "#{@systemd_net_dir}/resolved.conf.d/dns_over_tls.conf"
         datas = [
-          "[Resolve]",
-          "DNS=9.9.9.9#dns.quad9.net",
-          "DNSOverTLS=yes",
-          "",
+          '[Resolve]',
+          'DNS=9.9.9.9#dns.quad9.net',
+          'DNSOverTLS=yes',
         ]
-        Helpers::create_dir("#{@systemd_net_dir}/resolved.conf.d")
+        Helpers.create_dir("#{@systemd_net_dir}/resolved.conf.d")
         File.write(conf, datas.join("\n"), mode: 'w')
 
         Getch::Chroot.new('systemctl enable systemd-networkd').run!

data/lib/getch/config/void.rb

@@ -1,4 +1,4 @@
-require_relative '../helpers'
+# frozen_string_literal: true
 
 module Getch
   module Config
@@ -6,7 +6,7 @@ module Getch
       include Helpers::Void
 
       def initialize
-        @service_dir = "/etc/runit/runsvdir/default/"
+        @service_dir = '/etc/runit/runsvdir/default/'
       end
 
       # Enable dhcpcd service
@@ -19,10 +19,9 @@ module Getch
       def dns
         conf = "#{MOUNTPOINT}/etc/resolv.conf"
         content = [
-          "nameserver 9.9.9.9",
-          "nameserver 2620:fe::fe",
-          "options rotate",
-          "",
+          'nameserver 9.9.9.9',
+          'nameserver 2620:fe::fe',
+          'options rotate',
         ]
         File.write(conf, content.join("\n"), mode: 'w', chmod: 0644)
       end
@@ -31,9 +30,8 @@ module Getch
       def wifi
         conf = "#{MOUNTPOINT}/etc/iwd/main.conf"
         content = [
-          "[General]",
-          "UseDefaultInterface=true",
-          "",
+          '[General]',
+          'UseDefaultInterface=true',
         ]
         File.write(conf, content.join("\n"), mode: 'a', chmod: 0644)
         # Enabling dbus and iwd
@@ -42,7 +40,7 @@ module Getch
       end
 
       def shell
-        command "chsh -s /bin/bash"
+        command 'chsh -s /bin/bash'
       end
     end
   end

data/lib/getch/config.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'config/gentoo'
 require_relative 'config/void'
 
@@ -30,8 +32,9 @@ module Getch
         pwd = File.expand_path(File.dirname(__FILE__))
         dest = "#{Getch::MOUNTPOINT}/etc/sysctl.d/"
 
-        Helpers::mkdir dest
-        Helpers::cp("#{pwd}/../../assets/network-stack.conf", dest)
+        Helpers.mkdir dest
+        Helpers.cp("#{pwd}/../../assets/network-stack.conf", dest)
+        Helpers.cp("#{pwd}/../../assets/system.conf", dest)
       end
       
       def shell

data/lib/getch/filesystem/clean.rb

@@ -2,24 +2,24 @@ module Getch
   module FileSystem
     module Clean
       def self.clean_hdd(disk)
-        return if ! disk
+        return unless disk
         raise ArgumentError, "Disk #{disk} is no found." if ! File.exist? "/dev/#{disk}"
+
         puts
         print "Cleaning data on #{disk}, can be long, avoid this on Flash Memory (SSD,USB,...) ? [y,N] "
         case gets.chomp
         when /^y|^Y/
           bloc=`blockdev --getbsz /dev/#{disk}`.chomp
-          Helpers::sys("dd if=/dev/urandom of=/dev/#{disk} bs=#{bloc} status=progress")
-        else
-          return
+          Helpers.sys("dd if=/dev/urandom of=/dev/#{disk} bs=#{bloc} status=progress")
         end
       end
 
       def self.clean_struct(disk)
-        return if ! disk
-        raise ArgumentError, "Disk #{disk} is no found." if ! File.exist? "/dev/#{disk}"
-        Helpers::sys("sgdisk -Z /dev/#{disk}")
-        Helpers::sys("wipefs -a /dev/#{disk}")
+        return unless disk
+        raise ArgumentError, "Disk #{disk} is no found." unless File.exist? "/dev/#{disk}"
+
+        Helpers.sys("sgdisk -Z /dev/#{disk}")
+        Helpers.sys("wipefs -a /dev/#{disk}")
       end
 
       def self.hdd(*disks)
@@ -34,23 +34,23 @@ module Getch
       end
 
       def self.external_disk(root_disk, *disks)
-        disks.each { |d|
-          unless d && d != "" && d != nil && d == root_disk
+        disks.each do |d|
+          unless d && d != '' && d != nil && d == root_disk
             hdd(d)
           end
-        }
+        end
       end
 
       def self.old_vg(disk, vg)
         oldvg = `vgdisplay | grep #{vg}`.chomp
-        Helpers::sys("vgremove -f #{vg}") if oldvg != ''
-        Helpers::sys("pvremove -f #{disk}") if oldvg != '' and File.exist? disk
+        Helpers.sys("vgremove -f #{vg}") if oldvg != ''
+        Helpers.sys("pvremove -f #{disk}") if oldvg != '' and File.exist? disk
       end
 
       def self.old_zpool
         oldzpool = `zpool status | grep pool:`.gsub(/pool: /, '').delete(' ').split("\n")
-        if oldzpool[0] != "" and $?.success?
-          oldzpool.each { |p| Helpers::sys("zpool destroy #{p}") if p }
+        if oldzpool[0] != '' and $?.success?
+          oldzpool.each { |p| Helpers.sys("zpool destroy #{p}") if p }
         end
       end
     end

data/lib/getch/filesystem/device.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module Getch
   module FileSystem
     class Device
       def initialize
-        @efi = Helpers::efi?
+        @efi = Helpers.efi?
         @root_part = 1
         @user = Getch::OPTIONS[:username]
 

data/lib/getch/filesystem/ext4/config.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Getch
   module FileSystem
     module Ext4
@@ -16,7 +18,8 @@ module Getch
         end
 
         def systemd_boot
-          return if ! Helpers::efi? 
+          return unless Helpers.efi?
+
           esp = '/efi'
           dir = "#{@root_dir}/#{esp}/loader/entries/"
           datas_gentoo = [
@@ -28,7 +31,8 @@ module Getch
         end
 
         def grub
-          return if Helpers::efi?
+          return if Helpers.efi?
+
           file = "#{@root_dir}/etc/default/grub"
           cmdline = "GRUB_CMDLINE_LINUX=\"resume=PARTUUID=#{@partuuid_swap} root=PARTUUID=#{@partuuid_root} init=#{@init} rw slub_debug=P page_poison=1 slab_nomerge pti=on vsyscall=none spectre_v2=on spec_store_bypass_disable=seccomp iommu=force\"\n"
           File.write(file, cmdline, mode: 'a')
@@ -37,8 +41,8 @@ module Getch
         private
 
         def gen_uuid
-          @partuuid_root = Helpers::partuuid(@dev_root)
-          @partuuid_swap = Helpers::partuuid(@dev_swap)
+          @partuuid_root = Helpers.partuuid(@dev_root)
+          @partuuid_swap = Helpers.partuuid(@dev_swap)
           @uuid_root = `lsblk -o "UUID" #{@dev_root} | tail -1`.chomp() if @dev_root
           @uuid_esp = `lsblk -o "UUID" #{@dev_esp} | tail -1`.chomp() if @dev_esp
           @uuid_home = `lsblk -o "UUID" #{@dev_home} | tail -1`.chomp() if @dev_home

data/lib/getch/filesystem/ext4/deps.rb

@@ -1,9 +1,11 @@
+# frozen_string_literal: true
+
 module Getch
   module FileSystem
     module Ext4
       class Deps
         def initialize
-          if Helpers::efi?
+          if Helpers.efi?
             install_efi
           else
             install_bios

data/lib/getch/filesystem/ext4/device.rb

@@ -1,10 +1,9 @@
+# frozen_string_literal: true
+
 module Getch
   module FileSystem
     module Ext4
       class Device < Getch::FileSystem::Device
-        def initialize
-          super
-        end
       end
     end
   end