#!/bin/bash
# ASCII-art banner: printed at start-up and, when ENABLE_MOTD is true,
# written verbatim to /etc/motd. The quoted "EOF" delimiter keeps the
# art literal (no $-expansion, no backslash processing).
BANNER=$(cat << "EOF"
:^7J5GB##&&##GPY?~:
^75B&@@@@@@&&&@@@@@@@#GJ~:
5&@@@&B5?7~^^^^^~!7YP#@@@@#!
Y##P7^ :~JB#B!
:: :
7PP?: :^~!!~^: :?PP7
:B@@B: !5B&@@@@&B5! :#@@B:
:!!: ^G@@@&BPPB@@@@G^ :!!:
:B@@@5^ ^5@@@B:
:7J7: !@@@# :&@@@~ :?J7:
J@@@5 :#@@@Y: :Y@@@B: 5@@@J
!@@@&^ ~B@@@&G55G&@@@B~ ~&@@@~
5@@@G: :7P#@@@@@@#P7: :B@@@Y
:P@@@B~ :~!77!~: ~B@@@P
Y@@@&Y^ ^5@@@@J
!G@@@&P7^ ^7P&@@@G~
!P&@@@&B? :: ?B&@@@&P!
^75#&&Y :P&&5: 5&&B57^
:^^ :P&&5: ^^:
^^
[nullpoint]
EOF
)
########################################################
# Configuration
########################################################

# Tang servers for network-bound unlock, one entry per line in the form
# "<url> <thumbprint>". Leave the array empty to skip the Tang pin.
declare -a TANG_SERVERS=(
  # "https://tang1.example.com your-thumbprint-1"
  # "https://tang2.example.com your-thumbprint-2"
)

# TPM2 pin settings. TPM_ENABLED is overwritten by the runtime TPM probe
# further down; the PCR bank/ids are passed to the clevis tpm2 pin.
TPM_ENABLED=true
TPM_PCR_BANK="sha256"
TPM_PCR_IDS="0,1,2,3,4,5,6,7,8"

# Account created by this script (added to wheel, zsh as login shell).
ALMA_USER="null"

# Install the banner as /etc/motd.
ENABLE_MOTD=true

# REQUIRED: the SSH public key that is authorized both for ALMA_USER and
# for the root unlock shell served by dropbear in the initramfs.
# The pre-filled value is one specific person's key (see its comment
# field): replace it with your own before running, otherwise that key
# holder can log in to the resulting system. The script refuses to run
# only when the variable is empty, not when it still holds this default.
SSH_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkoTn2NreAXMriOUqzyj3YoFW6jMo9B5B+3R5k8yrMi dodox@dodox-ProArt"

########################################################
# Config End
########################################################
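set -euo pipefail

# printf instead of echo -e: portable, and the banner text is never
# subject to backslash interpretation.
printf '\n%s\n' "$BANNER"
printf '\n[+] Starting post-installation configuration...\n'

# Everything below (useradd, dnf, dracut, writing /etc) needs root;
# fail early instead of half-way through.
if [ "$(id -u)" -ne 0 ]; then
  printf 'ERROR: this script must be run as root.\n' >&2
  exit 1
fi

# Refuse to continue without a public key: the account is created without
# a password and the dropbear unlock shell only accepts keys, so an empty
# key would leave no way to log in after reboot. Diagnostics go to stderr.
if [ -z "${SSH_KEY:-}" ]; then
  printf 'ERROR: No SSH key configured!\n' >&2
  printf 'You must set SSH_KEY variable at the top of this script.\n' >&2
  exit 1
fi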
# Probe for a TPM device node; the result overrides the configured
# TPM_ENABLED value so the tpm2 pin is only used on hardware that has one.
echo "[+] Checking for TPM..."
if [ -d "/sys/class/tpm/tpm0" ]; then
  echo "TPM detected."
  TPM_ENABLED=true
else
  echo "WARNING: No TPM detected!"
  TPM_ENABLED=false
fi
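# Create user and add SSH key
echo "[+] Creating user ${ALMA_USER}..."
USER_HOME="/home/${ALMA_USER}"

# useradd exits non-zero when the account already exists (e.g. on a
# re-run), which would abort the script under set -e; reuse it instead.
if id -u -- "${ALMA_USER}" >/dev/null 2>&1; then
  echo "User ${ALMA_USER} already exists, reusing it."
else
  useradd -m -G wheel -s /bin/zsh -- "${ALMA_USER}"
fi

# Create .ssh with its final mode/owner, and write authorized_keys under
# umask 077 so the file is never readable by others, even briefly; the
# explicit chmod/chown still apply when the file already existed.
install -d -m 700 -o "${ALMA_USER}" -g "${ALMA_USER}" "${USER_HOME}/.ssh"
(umask 077 && printf '%s\n' "${SSH_KEY}" > "${USER_HOME}/.ssh/authorized_keys")
chmod 600 "${USER_HOME}/.ssh/authorized_keys"
chown -R "${ALMA_USER}:${ALMA_USER}" "${USER_HOME}/.ssh"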
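# Install oh-my-zsh and powerlevel10k
echo "[+] Installing oh-my-zsh and powerlevel10k..."

# The oh-my-zsh installer needs zsh and the theme is fetched with git, but
# both are only installed by the package step further down; make sure they
# are present here (dnf is a no-op when they already are).
if ! command -v zsh >/dev/null 2>&1 || ! command -v git >/dev/null 2>&1; then
  dnf install -y zsh git
fi

# Run oh-my-zsh installer as the user. -H makes $HOME the user's home so
# the installer does not see root's. This executes an unpinned script
# fetched from the repository's master branch at run time, so it trusts
# that GitHub account and the TLS connection; pin a known revision if the
# build has to be reproducible.
sudo -H -u "${ALMA_USER}" bash -c 'sh -c "$(wget https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh -O -)" "" --unattended'

# Clone powerlevel10k theme into the user's custom themes directory
sudo -H -u "${ALMA_USER}" git clone --depth=1 https://github.com/romkatv/powerlevel10k.git "/home/${ALMA_USER}/.oh-my-zsh/custom/themes/powerlevel10k"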
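# Install dotfiles
echo "[+] Setting up dotfiles..."
DOTFILES_SRC=/tmp/nullpoint/dotfiles
USER_HOME="/home/${ALMA_USER}"
if [ -d "${DOTFILES_SRC}" ]; then
  # /tmp is world-writable, so only take dotfiles from a staging directory
  # owned by the user running this script (root). Shell rc files copied
  # from elsewhere would run as ALMA_USER at every login.
  if [ -O "${DOTFILES_SRC}" ]; then
    echo "[+] Installing dotfiles from repository..."
    # "dir/." copies the whole contents, dotfiles and subdirectories such
    # as .config included; a bare ".*" glob also matches ".." and cannot
    # copy directories without -r. Still best-effort, but the failure is
    # reported rather than hidden.
    cp -a "${DOTFILES_SRC}/." "${USER_HOME}/" || echo "[!] Some dotfiles could not be copied" >&2
    chown -R "${ALMA_USER}:${ALMA_USER}" "${USER_HOME}/"
  else
    echo "[!] ${DOTFILES_SRC} is not owned by $(id -un); skipping dotfiles" >&2
  fi
else
  echo "[!] No dotfiles directory found, user will need to configure manually"
fi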
# Install the banner as the login message when enabled; the file gets the
# banner followed by a single newline, exactly as the heredoc form produced.
if [ "$ENABLE_MOTD" = true ]; then
  echo "[+] Setting up MOTD..."
  printf '%s\n' "$BANNER" > /etc/motd
fi
# Install additional packages
echo "[+] Installing additional packages..."
dnf install -y epel-release
dnf config-manager --set-enabled crb

PACKAGES=(
  # LUKS auto-unlock pins (Tang, TPM2) and the dracut modules for early boot
  clevis clevis-luks clevis-tang clevis-tpm2 tpm2-tools tpm2-tss
  dracut-clevis dracut-network
  # SSH server for the initramfs remote-unlock shell
  dropbear
  # user tooling
  git zsh tmux neovim python3-pip
  tree curl wget nano
)
dnf install -y "${PACKAGES[@]}"
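# Install lsd and bat from GitHub releases (not in repos)
echo "[+] Installing lsd and bat..."

#######################################
# Fetch the latest x86_64 musl release of a tool from GitHub and install
# its binary into /usr/local/bin.
# Arguments: $1 - tool name (archive prefix and binary name)
#            $2 - GitHub "owner/repo"
# Returns:   non-zero (fatal under set -e) when the version cannot be
#            determined or the archive lacks the binary.
# Note:      the release asset is not checksum- or signature-verified;
#            trust rests on TLS and on the upstream GitHub account.
#######################################
install_github_release() {
  local tool=$1 repo=$2
  local version tmpdir
  # With pipefail a rate-limited/unreachable API makes this pipeline fail;
  # turn that into an explicit error instead of a curl against "v".
  version=$(curl -fsS "https://api.github.com/repos/${repo}/releases/latest" | grep -Po '"tag_name": "v\K[0-9.]+') || true
  if [ -z "$version" ]; then
    echo "ERROR: could not determine latest ${tool} version from GitHub" >&2
    return 1
  fi
  # Unpack into a private temporary directory rather than /tmp, so the
  # "${tool}-*/" glob below cannot match a directory created there by
  # another local user before root moves its contents into /usr/local/bin.
  tmpdir=$(mktemp -d)
  curl -fsSL "https://github.com/${repo}/releases/download/v${version}/${tool}-v${version}-x86_64-unknown-linux-musl.tar.gz" | tar xz -C "$tmpdir"
  install -m 755 "$tmpdir"/"${tool}"-*/"${tool}" "/usr/local/bin/${tool}"
  rm -rf -- "$tmpdir"
}

install_github_release lsd lsd-rs/lsd
install_github_release bat sharkdp/bat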
# Create the batman wrapper: man(1) with bat as the pager. The quoted
# delimiter keeps every line literal, so the wrapper's own quoting and "$@"
# reach the file unchanged.
BATMAN_SCRIPT=/usr/local/bin/batman
cat > "$BATMAN_SCRIPT" << 'EOS'
#!/bin/bash
export MANPAGER="sh -c 'col -bx | bat -l man -p'"
export MANROFFOPT="-c"
man "$@"
EOS
chmod +x "$BATMAN_SCRIPT"
# Scratch directory inside the user's home, owned by the user
USER_TMP="/home/${ALMA_USER}/.tmp"
mkdir -p "${USER_TMP}"
chown "${ALMA_USER}:${ALMA_USER}" "${USER_TMP}"
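#######################################
# Emit the Tang pin list for an sss policy as comma-separated JSON objects
# built from TANG_SERVERS ("<url> <thumbprint>" entries), without trailing
# comma. Values are inserted verbatim: they come from this script's own
# config, but a quote or backslash in them would break the policy JSON.
# Outputs: the JSON fragment on stdout
#######################################
tang_pins() {
  local server url thumbprint pins=""
  for server in "${TANG_SERVERS[@]}"; do
    read -r url thumbprint <<< "$server"
    pins+="{\"url\":\"$url\",\"thp\":\"$thumbprint\"},"
  done
  printf '%s' "${pins%,}"
}

# Configure Clevis for automatic unlock
if [ "${#TANG_SERVERS[@]}" -gt 0 ] || [ "$TPM_ENABLED" = true ]; then
  echo "[+] Configuring Clevis for automatic unlock..."

  # Find LUKS devices. -p prints full device paths (so LVM/mapper devices
  # resolve too, where /dev/NAME would not exist). awk, unlike grep, exits
  # 0 on no match, so an install without LUKS does not abort under
  # set -e/pipefail; it is reported below instead.
  mapfile -t LUKS_DEVICES < <(lsblk -pnr -o NAME,FSTYPE | awk '$2 == "crypto_LUKS" { print $1 }')
  if [ "${#LUKS_DEVICES[@]}" -eq 0 ]; then
    echo "[!] No LUKS devices found; nothing to bind" >&2
  fi

  # Sealing to PCRs 0-8 ties the key to firmware, bootloader and kernel
  # measurements: an update of any of those typically changes the PCRs and
  # the tpm2 pin stops unlocking until the device is re-bound.
  TPM_PIN="{\"pcr_bank\":\"$TPM_PCR_BANK\",\"pcr_ids\":\"$TPM_PCR_IDS\"}"

  # clevis luks bind asks for the existing LUKS passphrase on the terminal
  # unless -k is given, so this loop is interactive when run from a console.
  for device_path in "${LUKS_DEVICES[@]}"; do
    echo "Configuring Clevis for ${device_path}..."
    if [ "$TPM_ENABLED" = true ] && [ "${#TANG_SERVERS[@]}" -eq 0 ]; then
      # TPM only
      clevis luks bind -d "$device_path" tpm2 "$TPM_PIN"
    elif [ "$TPM_ENABLED" = false ] && [ "${#TANG_SERVERS[@]}" -gt 0 ]; then
      # Tang only: one binding per server, so any one of them can unlock
      for server in "${TANG_SERVERS[@]}"; do
        read -r url thumbprint <<< "$server"
        clevis luks bind -d "$device_path" tang "{\"url\":\"$url\",\"thp\":\"$thumbprint\"}"
      done
    elif [ "$TPM_ENABLED" = true ] && [ "${#TANG_SERVERS[@]}" -gt 0 ]; then
      # Both TPM and Tang (require both): sss with t=2 over the tpm2 pin and
      # a t=1 group of the tang pins
      clevis luks bind -d "$device_path" sss "{\"t\":2,\"pins\":{\"tpm2\":${TPM_PIN},\"tang\":{\"t\":1,\"tang\":[$(tang_pins)]}}}"
    fi
  done
fi

# Enable Clevis for early boot
echo "[+] Enabling Clevis for early boot..."
systemctl enable clevis-luks-askpass.service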
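# Configure dropbear for remote unlock
echo "[+] Configuring dropbear for remote unlock..."

# Install dropbear-dracut module. None of the packages installed above
# create this directory, so create it first; "cat >" into a missing
# directory fails and aborts the script under set -e.
DRACUT_DROPBEAR_DIR=/usr/lib/dracut/modules.d/60dropbear
mkdir -p "$DRACUT_DROPBEAR_DIR"

cat > "$DRACUT_DROPBEAR_DIR/module-setup.sh" << 'EOF'
#!/bin/bash
# dracut module: dropbear SSH server in the initramfs for remote LUKS unlock.

check() {
    require_binaries dropbear || return 1
    return 0
}

depends() {
    echo network
    return 0
}

install() {
    inst_multiple dropbear dropbearkey
    mkdir -p "$initdir/etc/dropbear"
    # Copy authorized keys. Dropbear reads the login user's
    # ~/.ssh/authorized_keys, which for root in the initramfs is expected to
    # be /root/.ssh/authorized_keys; the /etc/dropbear copy is kept as well.
    # NOTE(review): confirm root's home directory in the generated initramfs.
    if [ -f /etc/dropbear/authorized_keys ]; then
        inst /etc/dropbear/authorized_keys /etc/dropbear/authorized_keys
        inst /etc/dropbear/authorized_keys /root/.ssh/authorized_keys
    fi
    # Generate host keys if not present. They are embedded in the initramfs,
    # which lives unencrypted on /boot, as any initramfs SSH host key must.
    [ -f /etc/dropbear/dropbear_rsa_host_key ] || dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
    [ -f /etc/dropbear/dropbear_ecdsa_host_key ] || dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key
    [ -f /etc/dropbear/dropbear_ed25519_host_key ] || dropbearkey -t ed25519 -f /etc/dropbear/dropbear_ed25519_host_key
    inst /etc/dropbear/dropbear_*_host_key
    inst_hook cmdline 60 "$moddir/dropbear-start.sh"
    inst_simple "$moddir/unlock-luks.sh" /bin/unlock-luks
}
EOF

# Hook that starts dropbear early in boot: -s disables password logins,
# -j/-k disable local and remote port forwarding, -E logs to stderr.
cat > "$DRACUT_DROPBEAR_DIR/dropbear-start.sh" << 'EOF'
#!/bin/bash
info "Starting dropbear SSH server..."
[ -d /etc/dropbear ] || mkdir -p /etc/dropbear
dropbear -E -s -j -k -p 2222 -P /var/run/dropbear.pid
EOF

# Helper the remote operator runs from the dropbear shell. In a
# systemd-based initramfs the passphrase is handed to the waiting cryptsetup
# unit through systemd-tty-ask-password-agent; the /dev/mapper/luks-* loop
# is kept as a fallback, but those names only exist for volumes that are
# already open.
# NOTE(review): exercise this on a real reboot before relying on it.
cat > "$DRACUT_DROPBEAR_DIR/unlock-luks.sh" << 'EOF'
#!/bin/bash
echo "Unlocking LUKS devices..."
if command -v systemd-tty-ask-password-agent >/dev/null 2>&1; then
    systemd-tty-ask-password-agent --query
else
    for device in /dev/mapper/luks-*; do
        if [ -b "$device" ]; then
            cryptsetup luksOpen "$device" "${device##*/}"
        fi
    done
fi
echo "Devices unlocked. System will continue booting..."
EOF

chmod +x "$DRACUT_DROPBEAR_DIR"/*.sh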
# Authorized key for the dropbear unlock shell (same key as the user account)
mkdir -p /etc/dropbear
printf '%s\n' "${SSH_KEY}" > /etc/dropbear/authorized_keys
chmod 600 /etc/dropbear/authorized_keys

# dracut configuration: pull in the network and dropbear modules and ship
# the authorized key plus host keys in every generated initramfs
cat > /etc/dracut.conf.d/99-dropbear.conf << 'DRACUT_CONF'
add_dracutmodules+=" network dropbear "
install_items+=" /etc/dropbear/authorized_keys /etc/dropbear/dropbear_*_host_key "
DRACUT_CONF
# Regenerate every initramfs so the clevis and dropbear modules are included
echo "[+] Regenerating initramfs..."
dracut -f --regenerate-all

# Enable required services
echo "[+] Enabling services..."
# systemctl enable stratisd # Not needed without Stratis
for service in sshd; do
  systemctl enable "$service"
done
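# Disable root login
echo "[+] Securing SSH..."
# Match both the commented-out default and an explicit "PermitRootLogin yes"
# in the main file; the original pattern only rewrote the commented form.
sed -i -E 's/^#?PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
# On EL9 sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf",
# and the installer may leave a 01-permitrootlogin.conf there that allows
# root. sshd keeps the first value it reads, so a drop-in that sorts before
# it wins regardless of what the main file says.
if [ -d /etc/ssh/sshd_config.d ]; then
  printf 'PermitRootLogin no\n' > /etc/ssh/sshd_config.d/00-no-root-login.conf
  chmod 600 /etc/ssh/sshd_config.d/00-no-root-login.conf
fi
# A broken sshd config would lock out the only login path; report it but do
# not abort, since host keys may not exist yet on a fresh install.
sshd -t || echo "[!] sshd -t reported a problem; check sshd_config before reboot" >&2

# Set SELinux to enforcing
echo "[+] Setting SELinux to enforcing..."
sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config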
# Final summary for the operator (unquoted delimiter: ${ALMA_USER} expands,
# the other text is literal)
cat << SUMMARY
✅ Post-installation complete!

IMPORTANT: The LUKS passphrase is set in install.conf
Save it securely for recovery purposes.

After reboot:
- SSH to port 2222 to unlock LUKS: ssh -p 2222 root@<server-ip>
- Run 'unlock-luks' and enter the LUKS passphrase
- Once unlocked, SSH to port 22 as user '${ALMA_USER}'

If TPM/Tang is configured, automatic unlock will be attempted first
SUMMARY