dodox/nullpoint
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

FiXeS

Browse Source
This commit is contained in:
Dominik Moritz Roth 2025-08-18 00:30:35 +02:00
parent 1323fdabe4
commit bf051cba2a
1 changed files with 53 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
post-install.sh
View File

@ -82,13 +82,16 @@ chown -R ${ALMA_USER}:${ALMA_USER} /home/${ALMA_USER}/.ssh
# Install oh-my-zsh and powerlevel10k # Install oh-my-zsh and powerlevel10k
echo "[+] Installing oh-my-zsh and powerlevel10k..." echo "[+] Installing oh-my-zsh and powerlevel10k..."
# Download and run oh-my-zsh installer as the user # Download and run oh-my-zsh installer as the user with proper environment
su - ${ALMA_USER} -c 'sh -c "$(wget -O- https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended' || echo "WARNING: oh-my-zsh installation failed" export RUNZSH=no
export CHSH=no
su - ${ALMA_USER} -c 'export RUNZSH=no; export CHSH=no; sh -c "$(wget -O- https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"' || echo "WARNING: oh-my-zsh installation failed"
# Clone powerlevel10k theme # Clone powerlevel10k theme
su - ${ALMA_USER} -c 'git clone --depth=1 https://github.com/romkatv/powerlevel10k.git ~/.oh-my-zsh/custom/themes/powerlevel10k' || echo "WARNING: powerlevel10k installation failed" su - ${ALMA_USER} -c 'git clone --depth=1 https://github.com/romkatv/powerlevel10k.git ~/.oh-my-zsh/custom/themes/powerlevel10k' || echo "WARNING: powerlevel10k installation failed"
# Note: Dotfiles need to be copied manually after installation # Install dotfiles from git repo
echo "[!] Dotfiles will need to be configured manually after first boot" echo "[+] Installing dotfiles..."
su - ${ALMA_USER} -c 'cd ~ && git clone https://git.dominik-roth.eu/dodox/nullpoint.git /tmp/nullpoint-dotfiles && cp /tmp/nullpoint-dotfiles/dotfiles/.* . 2>/dev/null || true && rm -rf /tmp/nullpoint-dotfiles' || echo "WARNING: dotfiles installation failed"
# Set up MOTD # Set up MOTD
if [ "$ENABLE_MOTD" = true ]; then if [ "$ENABLE_MOTD" = true ]; then
@ -101,10 +104,21 @@ fi
# Install additional packages # Install additional packages
echo "[+] Installing additional packages..." echo "[+] Installing additional packages..."
dnf install -y \ dnf install -y \
clevis clevis-luks clevis-tang clevis-tpm2 tpm2-tools tpm2-tss \ clevis clevis-luks tpm2-tools tpm2-tss \
tmux neovim python3-pip \ tmux neovim python3-pip \
dracut-clevis dracut-network \ tree gcc make zlib-devel autoconf automake || exit 1
dropbear tree nano || exit 1
# Build and install dropbear from source since AlmaLinux doesn't package it
echo "[+] Installing dropbear from source..."
cd /tmp
wget -q https://matt.ucc.asn.au/dropbear/releases/dropbear-2022.83.tar.bz2
tar xf dropbear-2022.83.tar.bz2
cd dropbear-2022.83
./configure --prefix=/usr/local --enable-static
make PROGRAMS="dropbear dropbearkey" MULTI=1
make install
ln -sf /usr/local/bin/dropbear /usr/bin/dropbear
ln -sf /usr/local/bin/dropbearkey /usr/bin/dropbearkey
# Install lsd and bat # Install lsd and bat
echo "[+] Installing lsd and bat..." echo "[+] Installing lsd and bat..."
@ -178,11 +192,14 @@ systemctl enable clevis-luks-askpass.service
# Configure dropbear for remote unlock # Configure dropbear for remote unlock
echo "[+] Configuring dropbear for remote unlock..." echo "[+] Configuring dropbear for remote unlock..."
# Install dropbear-dracut module
# Create dropbear dracut module
mkdir -p /usr/lib/dracut/modules.d/60dropbear
cat > /usr/lib/dracut/modules.d/60dropbear/module-setup.sh << 'EOF' cat > /usr/lib/dracut/modules.d/60dropbear/module-setup.sh << 'EOF'
#!/bin/bash #!/bin/bash
check() { check() {
require_binaries dropbear || return 1 require_binaries dropbear dropbearkey || return 1
return 0 return 0
} }
@ -194,44 +211,53 @@ depends() {
install() { install() {
inst_multiple dropbear dropbearkey inst_multiple dropbear dropbearkey
mkdir -p "$initdir/etc/dropbear" mkdir -p "$initdir/etc/dropbear"
# Copy authorized keys # Copy authorized keys
[ -f /etc/dropbear/authorized_keys ] && inst /etc/dropbear/authorized_keys /etc/dropbear/authorized_keys [ -f /etc/dropbear/authorized_keys ] && inst /etc/dropbear/authorized_keys /etc/dropbear/authorized_keys
# Generate host keys if not present
[ -f /etc/dropbear/dropbear_rsa_host_key ] || dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key # Copy host keys
[ -f /etc/dropbear/dropbear_ecdsa_host_key ] || dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key inst /etc/dropbear/dropbear_*_host_key /etc/dropbear/ 2>/dev/null || true
[ -f /etc/dropbear/dropbear_ed25519_host_key ] || dropbearkey -t ed25519 -f /etc/dropbear/dropbear_ed25519_host_key
inst /etc/dropbear/dropbear_*_host_key # Install startup script
inst_hook cmdline 60 "$moddir/dropbear-start.sh" inst_hook cmdline 60 "$moddir/dropbear-start.sh"
# Install unlock script
inst_simple "$moddir/unlock-luks.sh" /bin/unlock-luks inst_simple "$moddir/unlock-luks.sh" /bin/unlock-luks
chmod +x "$initdir/bin/unlock-luks"
} }
EOF EOF
cat > /usr/lib/dracut/modules.d/60dropbear/dropbear-start.sh << 'EOF' cat > /usr/lib/dracut/modules.d/60dropbear/dropbear-start.sh << 'EOF'
#!/bin/bash #!/bin/bash
info "Starting dropbear SSH server..." info "Starting dropbear SSH server on port 2222..."
[ -d /etc/dropbear ] || mkdir -p /etc/dropbear [ -d /etc/dropbear ] || mkdir -p /etc/dropbear
[ -f /etc/dropbear/dropbear_rsa_host_key ] || dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
dropbear -E -s -j -k -p 2222 -P /var/run/dropbear.pid dropbear -E -s -j -k -p 2222 -P /var/run/dropbear.pid
EOF EOF
cat > /usr/lib/dracut/modules.d/60dropbear/unlock-luks.sh << 'EOF' cat > /usr/lib/dracut/modules.d/60dropbear/unlock-luks.sh << 'EOF'
#!/bin/bash #!/bin/bash
echo "Unlocking LUKS devices..." echo "Available LUKS devices:"
for device in /dev/mapper/luks-*; do ls /dev/mapper/luks-* 2>/dev/null
if [ -b "$device" ]; then echo "Run: systemctl start systemd-cryptsetup@<device>.service"
cryptsetup luksOpen "$device" "${device##*/}" echo "Or use: cryptsetup luksOpen /dev/md/<X> <name>"
fi echo "Then: exit"
done /bin/bash
echo "Devices unlocked. System will continue booting..."
EOF EOF
chmod +x /usr/lib/dracut/modules.d/60dropbear/*.sh chmod +x /usr/lib/dracut/modules.d/60dropbear/*.sh
# Copy SSH key for dropbear # Setup dropbear
mkdir -p /etc/dropbear mkdir -p /etc/dropbear
echo "${SSH_KEY}" > /etc/dropbear/authorized_keys echo "${SSH_KEY}" > /etc/dropbear/authorized_keys
chmod 600 /etc/dropbear/authorized_keys chmod 600 /etc/dropbear/authorized_keys
# Add dracut configuration for network and dropbear # Generate host keys
dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key
dropbearkey -t ed25519 -f /etc/dropbear/dropbear_ed25519_host_key
# Configure dracut
cat > /etc/dracut.conf.d/99-dropbear.conf << 'EOF' cat > /etc/dracut.conf.d/99-dropbear.conf << 'EOF'
add_dracutmodules+=" network dropbear " add_dracutmodules+=" network dropbear "
install_items+=" /etc/dropbear/authorized_keys /etc/dropbear/dropbear_*_host_key " install_items+=" /etc/dropbear/authorized_keys /etc/dropbear/dropbear_*_host_key "
@ -260,8 +286,7 @@ echo "IMPORTANT: The LUKS passphrase is set in install.conf"
echo "Save it securely for recovery purposes." echo "Save it securely for recovery purposes."
echo "" echo ""
echo "After reboot:" echo "After reboot:"
echo "- SSH to port 2222 to unlock LUKS: ssh -p 2222 root@<server-ip>" echo "- SSH to port 2222 for remote unlock: ssh -p 2222 root@<server-ip>"
echo "- Run 'unlock-luks' and enter the LUKS passphrase" echo "- Run 'unlock-luks' and follow the instructions to unlock LUKS"
echo "- Once unlocked, SSH to port 22 as user '${ALMA_USER}'" echo "- Once unlocked, SSH to port 22 as user '${ALMA_USER}'"
echo "" echo "- LUKS passphrase: [see installer output]"
echo "If TPM/Tang is configured, automatic unlock will be attempted first"