V8.00.000.2025.06.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
@@ -1,170 +0,0 @@

---

## 🚀 **1. Btrfs RAID6 auf dm-integrity**

### **Technische Übersicht:**

```
Physische Disks → dm-integrity → btrfs (RAID6-Modus)
```

### **✅ Vorteile:**

* **Redundanz:** toleriert zwei gleichzeitige Plattenausfälle.
* **Integrität:** Prüfsummen von dm-integrity + btrfs-Prüfsummen (z.B. SHA256) → doppelte Sicherheit gegen Silent Corruption.
* **Integriert:** Weniger Komplexität als LVM+mdadm.
* **Features:** Snapshots, Kompression, CoW integriert in btrfs.

### **❌ Nachteile:**

* RAID6-Modus von btrfs ist **2025 weiterhin experimentell** und **nicht produktiv empfohlen**.
* Recovery-Werkzeuge bei Fehlerfällen sind limitiert.
* Performance: dm-integrity + RAID6 in btrfs erzeugen Write-Overhead.

### **Fazit (Stand 2025):**

➡️ **nicht produktiv empfohlen**, nur experimentell und für Testumgebungen.

---

## 🌊 **2. ZFS RAIDZ2**

### **Technische Übersicht:**

```
Physische Disks → ZFS RAIDZ2
```

### **✅ Vorteile:**

* **Integriert:** RAIDZ2 (ähnlich RAID6) + Prüfsummen + CoW + Kompression + Snapshots in einem System.
* **Hohe Stabilität:** RAIDZ2 extrem robust, vielfach produktiv bewährt.
* **Einfache Verwaltung:** Pools, Datasets, integrierte Wartung und Reparaturfunktionen.

### **❌ Nachteile:**

* **RAM-Bedarf:** mind. 8 GB RAM, besser ≥ 16 GB für großen ARC-Cache.
* **Lizenz (wichtiger Punkt):**

* OpenZFS (ZFS on Linux) steht unter der **CDDL-Lizenz** (frei verfügbar, Open Source).
* Du zahlst **keine Lizenzkosten** an Oracle oder andere Anbieter, wenn Du OpenZFS nutzt (meist genutzte Variante auf Linux).
* Lizenzprobleme treten nur bei Kernel-Integration und Distributionen auf (keine technischen Lizenzkosten für Dich).
* **Kernel-Updates:** Integration nicht immer reibungslos nach Kernel-Updates (DKMS-Module erforderlich).

### **Fazit:**

➡️ **Keine Lizenzkosten** bei typischer Nutzung (OpenZFS). Lizenzkosten entstehen nur bei kommerziellem Oracle-ZFS-Storage-System (Storage-Appliances). OpenZFS auf Linux ist lizenzkostenfrei, nur eventuell integrationsaufwendig.

---

## 🗃️ **3. Btrfs RAID1C3 auf LUKS (reines Software-Setup)**

### **Technische Übersicht:**

```
Physische Disks → LUKS → btrfs RAID1C3
```

*(RAID1C3 = Drei vollständige Datenkopien)*

### **✅ Vorteile:**

* **Maximale Fehlertoleranz** (besser als RAID6 hinsichtlich Datenintegrität).
* Sehr gute Integrität durch btrfs-eigene Checksums.
* Keine dm-integrity notwendig (da drei echte Kopien automatisch bitrot erkennen/heilen können).
* **Stabil und produktiv empfohlen** (2025).

### **❌ Nachteile:**

* **Kapazitätsverlust:** Nur 33 % nutzbarer Speicher (drei Kopien).
* Performanz gut, aber hoher I/O-Overhead (3-fache Schreiblast).

### **Fazit:**

➡️ **Sehr gute und sichere Wahl** für wichtige Daten, aber hoher Speicher-Overhead.

---

## 🚧 **4. XFS oder btrfs (sha256) auf LVM auf mdadm RAID6 auf dm-integrity (Overkill?)**

### **Technische Übersicht:**

```
Physische Disks → dm-integrity → mdadm RAID6 → LVM → (XFS oder btrfs sha256)
```

### **Überlegung:**

* Prüfsummen mehrfach (dm-integrity + btrfs SHA256) → **redundant**.
* RAID6 Redundanz via mdadm robust und etabliert.
* btrfs-Funktionalitäten (CoW, Snapshots) sind oben noch verfügbar, aber nicht integriert mit darunterliegenden Schichten.

### **✅ Sinnvoll wenn:**

* Du extrem hohen Integritätsschutz willst (z. B. Langzeitarchiv, Bankensysteme).
* Dir bewusst bist, dass Performance darunter leiden wird.

### **❌ Sonst Overkill:**

* Performance wird stark reduziert (doppelte Prüfsummenberechnung, RAID6 Write-Penalty).
* Komplexität erschwert Wartung, Debugging und Recovery.

### **Fazit:**

➡️ **Technisch machbar**, aber meistens **Overkill** und praktisch nicht empfohlen.

---

## 💻 **5. Hardware RAID6 (mit Spare-Disk + Ersatzcontroller) + dm-integrity + btrfs sha256**

### **Technische Übersicht:**

```
Physische Disks → Hardware RAID6 Controller → dm-integrity → LUKS → btrfs (sha256)
```

### **✅ Vorteile:**

* RAID-Berechnung im HW-Controller: weniger CPU-Belastung.
* Spare-Disk ermöglicht schnellen Rebuild.
* dm-integrity: zusätzlicher Integritätsschutz vor Silent Corruption.
* btrfs sha256: noch mehr Integritätsprüfungen auf Dateiebene.

### **❌ Nachteile:**

* Komplexität steigt weiterhin (HW-RAID-Controller Firmware als „Single Point of Failure“).
* RAID-Controller oft proprietär (Firmware, Ersatzteile, Updates).
* dm-integrity weiterhin teuer bezüglich I/O.

### **Alternativ (schlanker):**

* Nur Hardware RAID6 + LUKS + btrfs (ohne dm-integrity), da HW-RAID-Controller oft ECC/Integritätsschutz selbst bietet.

### **Fazit:**

➡️ **Performanter als reines Software-Setup**, aber immer noch hohe Komplexität.
➡️ Wenn Dein RAID-Controller ECC, Patrol-Reads, BBU, o. ä. bietet, **ist dm-integrity meist redundant**.

---

## 💡 **Empfohlene Praxis (2025):**

| Anwendungsfall | Empfohlenes Setup |
| ------------------------------- | -------------------------------------------------- |
| Maximale Stabilität (Produktiv) | ZFS RAIDZ2 **oder** btrfs RAID1C3 (LUKS) |
| Einfach & performant (HW-RAID) | HW RAID6 + LUKS + btrfs (sha256) ohne dm-integrity |
| Hohe Integrität & Experimentell | btrfs RAID6 + dm-integrity (nur Testsysteme!) |
| Langzeitarchiv/Cold Storage | LVM on mdadm RAID6 + dm-integrity + XFS/btrfs |

---

## 📌 **Abschließende Zusammenfassung:**

* **ZFS RAIDZ2** ist stabil, Open-Source, keine Lizenzkosten.
* **Btrfs RAID6** ist weiterhin experimentell (nicht empfohlen).
* **btrfs RAID1C3 + LUKS** ist sehr stabil, integritätsstark, hoher Speicherbedarf.
* **XFS/btrfs auf LVM+RAID6+dm-integrity** meist zu komplex und Overkill.
* **Hardware RAID6 mit LUKS + btrfs (ohne dm-integrity)**: sinnvoller Kompromiss aus Performance, Komplexität und Sicherheit.

---
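Review bot: The storage-design notes are deleted outright with no replacement, so the reasoning behind the layout this installer builds (the deleted table recommends "HW RAID6 + LUKS + btrfs (sha256) ohne dm-integrity" for the simple case and ZFS RAIDZ2 or btrfs RAID1C3 for maximum stability, and marks btrfs RAID6 as test-only) no longer lives anywhere in the repository. Keep at least the "Empfohlene Praxis" table and the per-option "Fazit" lines in a docs file, or state the chosen layout and why in the commit message, so the trade-offs can be audited when the partitioning recipe is next changed.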
@@ -84,16 +84,16 @@ exit:
halt: false # This is how to make the installer shutdown when finished, but not reboot.
poweroff: true # This will power off the machine instead of just halting it (RECOMMENDED).
reboot: false # This will reboot the machine.
image: "linux-image-amd64" # Could be a meta-package or a specific image like:
# "linux-image-amd64" || "linux-image-arm64"
# "linux-image-cloud-amd64" || "linux-image-cloud-arm64"
# "linux-image-rt-amd64" || "linux-image-rt-arm64"
# "linux-image-6.12.30+bpo-amd64"
firmware:
install: true # If non-free firmware is needed for the network or other hardware, autoinstall it.
lookup: "missing" # - "never" Completely disables the firmware search.
# - "missing" Searches only when the firmware is needed. (default)
# - "always" Always searches and asks for any firmware that could be useful for the hardware.
image: "linux-image-amd64" # Could be a meta-package or a specific image like:
# "linux-image-amd64" || "linux-image-arm64"
# "linux-image-cloud-amd64" || "linux-image-cloud-arm64"
# "linux-image-rt-amd64" || "linux-image-rt-arn64"
# "linux-image-6.12.30+bpo-amd64"

################################################################################################################################
# GRUB2 settings
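Review bot: The `image:` key and its whole comment block appear twice in this hunk, once before `firmware:` and once after `lookup:`; the rendered diff carries no +/- markers, so confirm this is a move and that only one `image:` survives at that nesting level. A duplicated mapping key is not an error for `yq -o=shell`, the last occurrence silently wins, and a later edit to the first copy would then be a no-op that is easy to miss in a kernel-selection setting.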
@@ -378,8 +378,9 @@ user:
allow_ipv6:
- 2a03:4000:53:f:abcd:9494:0:2
dropbear_boot: true # Dropbear initramfs integration.
dropbear_dhcp: true # Whether the '/etc/initramfs-tools/conf.d/ip' file should be configured statically or via DHCP.
ssh_port: 42137 # SSH Port. In case "dropbear_boot" = "true" the same SSH Port will be used.
ssh_rootca: "./.preseed/ssh_root_ca.pub"
ssh_rootca: "/.preseed/ssh_root_ca.pub"

##############################################################################################################################
# root – Superuser account (normally disabled for direct login)

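Review bot: `ssh_rootca` changes from `./.preseed/ssh_root_ca.pub` to `/.preseed/ssh_root_ca.pub` without a comment saying what the path is relative to; the setup_ssh hunk in this commit concatenates it as `${VAR_SETUP_PATH}${user_ssh_rootca}`, so the leading slash is a required separator, yet the value reads like an absolute filesystem path to anyone editing the YAML. Add a comment such as `# path below the setup directory` next to the key, or store only the file name and let the script build both the source path and the `/etc/ssh/` target from it.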
41
.pubkey/dropbear-key-2015.asc
Normal file
@@ -0,0 +1,41 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFWRP60BEACmOtUkYtbGNcmXdSKJ7caplzIbjuRWgSDR860hEosRDQqwORCL
50xAEnPxgEiryONJUgOF0NRkBGJS9BsvfO3hH0LL4YSRTi0Wv7hJHTtqyzwa9qAH
clyzNoq25dgy3D8OS6Bx1SgKFm8UTxTiCRTD0l1pRJx9efVEcAGkLgiconmyFZpJ
oJ5XX8786bKucx791aA/26atNIzzsSo/295YAMi3QjIL5Mh5qtprSJkFRKcMx/Ay
KaVzFlM8A/Kqea1cFiqwCJ9UNUdfvBa6K9HvTr6mPhznvH/ORt4m0sDigEoJAqLp
KWNmjw7yITAK72nBDi/qQEhudUk22m9cVNV/mdNFoRkl9gDkgFvlcM6JksqOxkGp
SAOJGdOU4V82e8FDSEK9C/pY+leeWeG5h/CLtw1v+Sdhk0PPRr17VKKOLCw2FGx1
fcRYNdsuoMN4K8fgLoCzzKbyMC+y6sENEgEHSSPQDQ75XzM2Bo1UpfcHWpjqEllu
8slhPWagckf07n0eOAARPIARlae+Wo8cYBScoZ30P5iOmYRWsxQ0HGwcLieyhuiS
rb/NBex/tnR5ykvJNLW59P1Q5y7dpp/fLO6DpufAf+uoIfLOChnw3S5fvSL8ftxd
GyWS79cMUkhcnFID2qfnaykxNsunuD9pEgfo9XhDk0iKZoCEKehRTau1rQARAQAB
tC5Ecm9wYmVhciBTU0ggUmVsZWFzZSBTaWduaW5nIDxtYXR0QHVjYy5hc24uYXU+
iQI3BBMBCgAhBQJVkT+tAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEEST
FJTynGdzHgQP/1bVxV0KqXxEJpRSiu3aOEDu2WHIJahizZ94AClgPB0r14pEgT4T
eCOdxinubENH+u1/ShlBVykTGyukmonhd10v8NGWAUldhkPi3jaHcxHSfENWXmu/
+KBpcHQ0j2/PlO+RxpNkGUWTjTu9WKFiFeIX60QLCMDJpOvPe49yb650xMpjTROM
5yOGdTkmAw4SZCkHmd7zgmzSHxXnNzXLvT9bYsJXVZwXB7Jqw4bwOHGpqB3kXsQ2
LR2pMitM8YV3Gmjtvy+mpBqvdQ5fsxISFTC5wAUT9f6jsHfFLUv6OuNLrhZghioT
fjPj58nfD1/4j7ka9mSyZV0PEhW5f5GYvt3WEeJJyZyhkjAkzjtZTi5sTs+QtRm0
APCspF/y1afErS5adjTjuzSkyVx9VMBowqiYo6AGu7byajNf0rFPtTgDBC3j4Mae
+vL5k1KvXuX1Hr1zZiM1OVMt4EOmY7mERmHXwVv1bOK/uUwQkCXKCFpP/v7a5VHL
qpwCF65mBTW/G1ZKglUQT0JeyVJqqQHVKbNzgMSpDM7ra80/KFOg6zb9iNbjxRrH
NfXeAGbmSWwbpFBNT3kbJWUqjqLkoD2R7rNN5SnzdPEGk/aCGuYZlLFE8k5/mJ3V
K3X1t11fgu9lqYFpv7CenwXrbVCgxDkoic84+HezqXyQnoAp9n8xJI6diQIcBBAB
CgAGBQJVkT+/AAoJEPSYMBLCC7qsbiQP/1qKpOo73GPvISknRpPYVWX0z7yMRUAB
7gA9SYF7n0jOHwDAFKjYQdpIxff3xPbLaB9bRQFq6m67o1Ly5bwxXGPclsJQP/r3
GQ8it7Dzs4JSi1Yk4Fg+Po4tHWSpW53uRKtryiaYEoQ9LYQd8fS3JDWFtkXYUVAM
xKmKINr4UKExlYBpQS2AWve4Ou3xM9dxiDX4pH3azD8Qb24rC5vbkG8Sq+2+/QIV
i/JxbSQHaJ+kaukHRufHWqgg4xOBE8gfS82RHqNxES1CeWcejNxhsXQP9cfUxsvZ
2Lchm3leOZ/2ztVQ4O8aJOKN+ng8pqOjKuJDamQmN0L/1N3lfN+gg5Ccluyoj89f
gxDuINJDeY7aulFcGfIIsa0AuDWyAly1Lcwz/Sle2WOA7xcg8FcdhqV9158a+BzB
cSMvHRs0W0Xwsso3GyUfDomqWuOfERvQXRgwKR0SFYDeHAlB3dhKHt/KjDn0nqEo
CFtg4ZjA0hh1KMgu5ceticwuEQOkPX5H3ZpqH99LBekHjgdp5m87FG2bWVVkYGIm
BBoFNnCBVMXonmyZlFstZNDcvb4cYYY+gN6yDFqX1HkqV1RDSHMO7KEmVwPOg/LK
lKpH//tEulZUqN0h8ldoNKEMRa1OOGl8nNygJFldoPzoY/3ZAbIJy8KwZeWUjkzv
WieMGaws051uiEYEEBEKAAYFAlWRRVgACgkQjPn4sExkf7wC9wCgh2nBBbfhkvE4
Xj3d7uSYCr1oLEEAnjJ+RpVfu3Gpye5Q+0X8EFiMLlXZ
=kT6a
-----END PGP PUBLIC KEY BLOCK-----
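Review bot: The release signing key is committed as an opaque armoured block and no fingerprint is recorded anywhere in the diff, so a reviewer cannot tell from the repository alone whether `.pubkey/dropbear-key-2015.asc` is the expected upstream key or a substituted one. Put the full fingerprint in a comment or a README beside `.pubkey/` and have the build compare `gpg --with-fingerprint` output against that pinned value before the key is imported; since the file name dates the key to 2015, also note its expiry or rotation status so a stale key does not go unnoticed.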
@@ -22,28 +22,24 @@ guard_sourcing
# VAR_PRESEED
# Arguments:
# None
# Returns:
# 0: on success
#######################################
yaml_parser() {
cat "${DIR_CNF}/preseed.yaml" "${DIR_CNF}/partitioning.yaml" >| "${DIR_TMP}/combined.yaml"

yq -o=shell "${DIR_TMP}/combined.yaml" >| "${VAR_PRESEED}"

declare -agx ARY_NTPSRVR ARY_PACKAGES
declare var_key var_value

while IFS='=' read -r var_key var_value; do
if [[ ${var_key} =~ ^ntp_server_[0-9]+$ ]]; then
var_value=${var_value#\'}
var_value=${var_value%\'}
declare -agx ARY_NTPSRVR+=("${var_value}")
fi
done < "${VAR_PRESEED}"

while IFS='=' read -r var_key var_value; do
if [[ ${var_key} =~ ^software_[0-9]+$ ]]; then
var_value=${var_value#\'}
var_value=${var_value%\'}
declare -agx ARY_PACKAGES+=("${var_value}")
fi
case "${var_key}" in
ntp_server_[0-9]*) ARY_NTPSRVR+=("${var_value}") ;;
software_[0-9]*) ARY_PACKAGES+=("${var_value}") ;;
esac
done < "${VAR_PRESEED}"

sed -i '/^software_[0-9]\+=/d' "${VAR_PRESEED}"
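Review bot: The new `case` branch appends `${var_value}` as read from the file, while the loops it replaces first stripped the surrounding single quotes (`var_value=${var_value#\'}` / `${var_value%\'}`); the rendered diff has no +/- markers, so if those two lines did not survive, `ARY_NTPSRVR` and `ARY_PACKAGES` will now hold `'pool.example'` with the quotes and `apt-get install` will be handed quoted package names. Strip once before the `case`, and prefer the anchored `=~ ^ntp_server_[0-9]+$` form over the glob `ntp_server_[0-9]*)`, which also matches keys like `ntp_server_1_comment`.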
@@ -53,6 +49,7 @@ yaml_parser() {
sed -i -E 's/^(.*)=\s*$/\1=""/' "${VAR_PRESEED}"
### Wrap each key=value by '' e.g., key='value'
sed -i -E "s/^(.*)=([^'\"]+)$/\1='\2'/" "${VAR_PRESEED}"

return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

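Review bot: In `sed -i -E "s/^(.*)=([^'\"]+)$/\1='\2'/"` the leading `(.*)` is greedy, so an unquoted value that itself contains `=` (a base64 SSH public key ending in `=` or `==`, for instance) is split at its last `=` and only the tail is quoted; anchor the key side as `^([^=]+)=` instead. The same substitution does not escape a single quote inside the value, and since the `user_*` variables from `${VAR_PRESEED}` are used directly by the later hunks, the file is evidently sourced as shell: a value containing `'` terminates the quoting and whatever follows is executed. Either reject such values with an explicit check or emit each line with `printf '%s=%q\n'` rather than fixing quoting up afterwards with sed.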
@@ -24,6 +24,8 @@ guard_sourcing
# VAR_RECIPE_TABLE
# Arguments:
# None
# Returns:
# 0: on success
#######################################
yaml_reader() {
### Declare and substitute input files
@@ -138,5 +140,7 @@ END { print max }
do_log "info" "false" "Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > No special firmware partition necessary."

fi

return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

@@ -367,13 +367,19 @@ EOF
### Export hostname and IPv4 and IPv6 addresses for further processing according to dynamic results and preseed.yaml settings.
if [[ "${network_autoconfig_enable,,}" == "true" ]]; then

declare -grx VAR_FINAL_NIC="${var_auto_nic}"
declare -grx VAR_FINAL_FQDN="${var_auto_fqdn}"
declare -grx VAR_FINAL_IPV4="${var_auto_ipv4}"
declare -grx VAR_FINAL_IPV4_GW="${var_auto_ipv4_gw}"
declare -grx VAR_FINAL_IPV4_SUBNET="${var_auto_ipv4_subnet}"

elif [[ "${network_autoconfig_enable,,}" == "false" ]]; then
else

declare -grx VAR_FINAL_NIC="${network_choose_interface_static}"
declare -grx VAR_FINAL_FQDN="${network_hostname}"
declare -grx VAR_FINAL_IPV4="${network_static_ipv4address}"
declare -grx VAR_FINAL_IPV4_GW="${network_static_ipv4gateway}"
declare -grx VAR_FINAL_IPV4_SUBNET="${network_static_ipv4netmask}"

fi


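Review bot: Replacing `elif [[ "${network_autoconfig_enable,,}" == "false" ]]` with a bare `else` means any value other than `true` (unset, or a typo such as `ture`) now falls through to the static branch and exports the read-only `VAR_FINAL_*` variables from `network_static_*` values that may be empty, which surfaces much later as an initramfs with no address rather than as a configuration error. Keep the explicit `"false"` test and add an `else` that calls `do_log` and returns a non-zero code. (If both the `elif` line and the `else` line are present in the new version, the empty `elif` body is a bash syntax error; the rendered diff does not show which one was removed.)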
@@ -32,7 +32,13 @@ guard_sourcing
setup_ssh() {
do_in_target "${TARGET}" apt-get install -y ssh

rm -rf "${TARGET}/etc/ssh/ssh_host_*key*"
declare -a ary_user=()
ary_user+=("${user_user0_name}")
[[ -v "${user_user1_name}" ]] && ary_user+=("${user_user1_name}")
[[ -v "${user_user2_name}" ]] && ary_user+=("${user_user2_name}")
[[ -v "${user_user3_name}" ]] && ary_user+=("${user_user3_name}")

rm -rf "${TARGET}"/etc/ssh/ssh_host_*key*

do_in_target "${TARGET}" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
do_log "info" "true" "Generated ed25519 SSH Key, executed in: '${TARGET}'."
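Review bot: `[[ -v "${user_user1_name}" ]]` tests whether a variable whose name is the *value* of `user_user1_name` exists (for a user called `alice` it checks for a variable `alice`), so the optional users are never appended to `ary_user` and the `AllowUsers` line later in this function only ever lists `user0`; write `[[ -n "${user_user1_name}" ]]` as the dropbear hunk in this commit does, or `[[ -v user_user1_name ]]` without the expansion. Note also that both the quoted `rm -rf "${TARGET}/etc/ssh/ssh_host_*key*"` and the unquoted `rm -rf "${TARGET}"/etc/ssh/ssh_host_*key*` appear in the hunk; only the unquoted form expands the glob, so make sure the quoted line is the removed one.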
@@ -47,7 +53,7 @@ setup_ssh() {
cp "${TARGET}/etc/ssh/ssh_config" "${DIR_BAK}/etc/ssh/ssh_config.bak"
chmod 0644 "${DIR_BAK}/etc/ssh/ssh_config.bak"

rm "${TARGET}/etc/ssh/sshd_config"
rm -f "${TARGET}/etc/ssh/sshd_config"

cp "${VAR_SETUP_PATH}/includes/etc/ssh/sshd_config" "${TARGET}/etc/ssh/sshd_config"
chmod 0600 "${TARGET}/etc/ssh/sshd_config"
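Review bot: `ssh_config` is copied to `${DIR_BAK}` before anything touches it, but the distribution `sshd_config` is removed (`rm -f`) and replaced with no backup at all; copy it to `${DIR_BAK}/etc/ssh/sshd_config.bak` first for the same rollback and comparison reasons, so a later `sshd -T` diff against the packaged defaults is possible.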
@@ -63,12 +69,17 @@ setup_ssh() {

sed -i "s/Port MUST_BE_CHANGED/Port ${user_ssh_port}/" "${TARGET}/etc/ssh/sshd_config"

if [[ -n "${user_user0_name,,}" ]]; then
sed -i "s/AllowUsers root/AllowUsers root ${user_user0_name}/" "${TARGET}/etc/ssh/sshd_config"
if [[ -n "${user_user0_name}" ]]; then
sed -i "s/AllowUsers root/AllowUsers root ${ary_user[*]}/" "${TARGET}/etc/ssh/sshd_config"
fi

do_in_target "${TARGET}" sshd -T >| "${DIR_LOG}/sshd_config.log"
do_in_target "${TARGET}" ssh-keygen -r "${VAR_FINAL_FQDN}." >| "${DIR_LOG}/ssh.log"
if [[ -n "${user_ssh_rootca}" ]]; then
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}${user_ssh_rootca}" "${TARGET}/etc/ssh/"
sed -i "s/TrustedUserCAKeys none/TrustedUserCAKeys \/etc\/ssh\/${user_ssh_rootca}/" "${TARGET}/etc/ssh/sshd_config"
fi

do_in_target_script "${TARGET}" "sshd -T >| ${DIR_LOG}/sshd_config.log"
do_in_target_script "${TARGET}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| ${DIR_LOG}/ssh.log"

###########################################################################################
# The file /etc/profile.d/idle-users.sh is created to set two read-only #

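Review bot: The `TrustedUserCAKeys` substitution cannot work with the value this commit sets: `${user_ssh_rootca}` is `/.preseed/ssh_root_ca.pub`, so the unescaped slashes act as extra `s///` delimiters and sed aborts with `unknown option to 's'`; and even with a safe delimiter the result would be `/etc/ssh//.preseed/ssh_root_ca.pub`, whereas `install -D ... "${TARGET}/etc/ssh/"` placed the key at `/etc/ssh/ssh_root_ca.pub`. Use the basename and a different delimiter, e.g. `sed -i "s|TrustedUserCAKeys none|TrustedUserCAKeys /etc/ssh/$(basename "${user_ssh_rootca}")|"`, and keep the `sshd -T` run after it as the check that the resulting config parses and the CA file is readable, failing the installation on a non-zero exit rather than only logging.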
@@ -25,17 +25,26 @@ guard_sourcing
# 0: on success
#######################################
build_dropbear() {
declare file
mkdir -p "${DIR_TMP}/build"
declare var_dropbear_version="2025.88"
declare var_tar="${VAR_SETUP_PATH}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
declare var_build_dir="${DIR_TMP}/build/dropbear-${var_dropbear_version}"

cp "${VAR_SETUP_PATH}/upgrades/dropbear/dropbear-2025.88.tar.bz2" "${DIR_TMP}/build"
tar xjf "${DIR_TMP}/build/dropbear-2025.88.tar.bz2"
cp "${VAR_SETUP_PATH}/upgrades/dropbear/localoptions.h" "${DIR_TMP}/build/dropbear-2025.88"
cd "${DIR_TMP}/build/dropbear-2025.88" || return "${ERR_PATH_NOT_VALID}"
mkdir -p "${DIR_TMP}/build"
cp "${var_tar}" "${DIR_TMP}/build"
tar xjf "${DIR_TMP}/build/dropbear-${var_dropbear_version}.tar.bz2" -C "${DIR_TMP}/build" || return "${ERR_PATH_NOT_VALID}"
cp "${VAR_SETUP_PATH}/upgrades/dropbear/localoptions.h" "${var_build_dir}"
cd "${var_build_dir}" || return "${ERR_PATH_NOT_VALID}"

# Flag Purpose
# -fPIE: Generate position-independent executable code
# -pie: Link the executable as PIE (so that ASLR works)
# -static: Fully statically linked against musl
# -s: Strip unnecessary symbols directly during linking
# -Wl,-z,relro,-z,now: Enables full RELRO (symbol resolution at program startup)

CC=musl-gcc \
CFLAGS="-Os -Wno-undef" \
LDFLAGS="-static -s -L/usr/local/lib" \
CFLAGS="-Os -fPIE -Wno-undef -fstack-protector-strong -D_FORTIFY_SOURCE=2" \
LDFLAGS="-static -pie -s -Wl,-z,relro,-z,now" \
./configure \
--enable-static \
--enable-openpty \

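Review bot: The tarball is copied and unpacked (`cp "${var_tar}" ...`, `tar xjf ... -C ...`) with no signature or checksum check, although this same commit ships the signing key and `dropbear-2025.88.tar.bz2.asc`; run `gpg --verify "${var_tar}.asc" "${var_tar}"` against a keyring that contains only the committed key and `return` on failure before the `tar` line, otherwise the added key material changes nothing about what gets built. On the flags: `-static-pie` (GCC 8 and later) is the documented way to produce a static PIE, while with `-static -pie` the GCC link spec drops the PIE request on several toolchains and you get an ordinary static executable, so verify the claim in the comment with `readelf -h` (type `DYN`) before relying on ASLR; and `-D_FORTIFY_SOURCE=2` is a no-op against musl's own headers unless fortify-headers is installed, so either add that or remove the define to keep the comment block honest.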
@@ -12,15 +12,27 @@

guard_sourcing


#######################################
# Install Dropbear Initramfs and replace the binaries with the previous Ultra Hardened build.
# Globals:
# DIR_TMP
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
install_dropbear_initramfs() {
declare var_file
do_in_target "${TARGET}" apt-get install -y dropbear-initramfs
do_in_target "${TARGET}" apt-mark hold -y dropbear dropbear-initramfs

for var_file in dbclient dropbear dropbearconvert dropbearkey; do
install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/${var_file}" "${TARGET}/usr/sbin/"
mv "${TARGET}/usr/sbin/dropbear" "${TARGET}/usr/sbin/dropbear.2022.83"
install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/dropbear" "${TARGET}/usr/sbin/"

for var_file in dbclient dropbearconvert dropbearkey; do
mv "${TARGET}/usr/bin/${var_file}" "${TARGET}/usr/bin/${var_file}.2022.83"
install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/${var_file}" "${TARGET}/usr/bin/"
done

return 0

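Review bot: The source tree is still hard-coded as `${DIR_TMP}/build/dropbear-2025.88/` in both `install` lines although `build_dropbear` now derives it from `var_dropbear_version`; export that variable (or a `VAR_DROPBEAR_BUILD_DIR`) and use it here, otherwise the next version bump silently installs a stale build. The `mv` lines also leave the Debian binaries in place as `/usr/sbin/dropbear.2022.83` and `/usr/bin/*.2022.83` with their execute bit set, i.e. a second, older SSH server and client remain runnable on the hardened target; remove them, or at least `chmod 0000` them, and do not hard-code the `.2022.83` suffix either, since the packaged version will change.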
@@ -12,6 +12,46 @@

guard_sourcing

####
setup_dropbear() {
rm -f "${TARGET}"/etc/dropbear/initramfs/dropbear*key

do_in_target "${TARGET}" "${TARGET}/usr/bin/dropbearkey" -t rsa -s 4096 -f "${TARGET}/etc/dropbear/initramfs/dropbear_rsa_host_key"
do_in_target "${TARGET}" "${TARGET}/usr/bin/dropbearkey" -t ed25519 -f "${TARGET}/etc/dropbear/initramfs/dropbear_ed25519_host_key"

chmod 0600 "${TARGET}"/etc/dropbear/initramfs/dropbear*key
chown root:root "${TARGET}"/etc/dropbear/initramfs/dropbear*key

declare -a ary_user=()
ary_user+=("${user_root_ssh_pubkeys_0}")
[[ -n "${user_root_ssh_pubkeys_1}" ]] && ary_user+=("${user_root_ssh_pubkeys_1}")
[[ -n "${user_root_ssh_pubkeys_2}" ]] && ary_user+=("${user_root_ssh_pubkeys_2}")
[[ -n "${user_root_ssh_pubkeys_3}" ]] && ary_user+=("${user_root_ssh_pubkeys_3}")

touch "${TARGET}/etc/dropbear/initramfs/authorized_keys" && chmod 0600 "${TARGET}/etc/dropbear/initramfs/authorized_keys"
printf "%s\n" "${ary_user[@]}" > "${TARGET}/etc/dropbear/initramfs/authorized_keys"
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/etc/banner" "${TARGET}/etc/dropbear/initramfs/"

if [[ "${user_dropbear_dhcp,,}" != "true" ]]; then
declare network_static_ipv4ntpserver_0="192.53.103.108"
### "IP=<HOST IP>::<GATEWAY IP>:<SUBNET MASK>:<FQDN>:<NIC>:none:<NS 0 IP>:<NS 1 IP>:<NTP IP>"
printf "IP=%s::%s:%s:%s:%s:none:%s:%s:%s\n" \
"${VAR_FINAL_IPV4}" \
"${VAR_FINAL_IPV4_GW}" \
"${VAR_FINAL_IPV4_SUBNET}" \
"${VAR_FINAL_FQDN}" \
"${VAR_FINAL_NIC}" \
"${network_static_ipv4nameserver_0}" \
"${network_static_ipv4nameserver_1}" \
"${network_static_ipv4ntpserver_0}" \
>| "${TARGET}/etc/initramfs-tools/conf.d/ip"
else
### "IP=:::::<NIC>:dhcp"
printf "IP=:::::%s:dhcp\n" "${VAR_FINAL_NIC}" >| "${TARGET}/etc/initramfs-tools/conf.d/ip"
fi

}

# TODO Important insert cryptdevice=UUID=881366ae-61ee-4ee0-893c-0def27c78c9e:cryptroot root=/dev/mapper/vg00-root
# TODO Important insert GRUB_CMDLINE_LINUX_DEFAULT="net.ifnames=0 biosdevname=0 ip=152.53.66.126::152.53.64.1:255.255.252.0:soc:ens3:none"

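Review bot: The `dropbearkey` calls pass `${TARGET}`-prefixed paths (`"${TARGET}/usr/bin/dropbearkey"`, `-f "${TARGET}/etc/dropbear/initramfs/..."`) to `do_in_target`, whereas `setup_ssh` in this commit gives the same helper chroot-relative paths (`ssh-keygen ... -f /etc/ssh/ssh_host_ed25519_key`); one convention is wrong, and if the helper chroots, the host keys end up outside the target or the command fails, which the following `chmod`/`chown` globs would then mask. Three smaller points in the same hunk: the banner is installed from `includes/etc/banner` while the file added by this commit is `includes/banner`, and a text file needs `0644`, not `0755`; the NTP address `192.53.103.108` is hard-coded in the script although the nameservers come from the preseed; and the two TODO lines carry a concrete LUKS UUID and a host IP that belong in `VAR_FINAL_*`-derived output, not in source that every deployment shares.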
12
includes/banner
Normal file
@@ -0,0 +1,12 @@

#######################################################################
# #
## ##
###### ######## ### ## ######## ### ## ####### ### ####### ### ##
### #### ## ### ### ## ## ### ## #### ##
### ####### ####### ### ### ## ###### ### ## ## #######
### ### ### ### ### ### ## ## ## ### ## ## ### ###
###### ####### ### ## ### ##### ## ## ### ##### ### ##
# #
#######################################################################

@@ -37,6 +37,7 @@ RekeyLimit 1G 1h

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
TrustedUserCAKeys none

PubkeyAuthentication yes
PermitRootLogin prohibit-password

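Review bot: `HostKey /etc/ssh/ssh_host_rsa_key` stays in the config, but `setup_ssh` in this commit deletes every `ssh_host_*key*` and regenerates only the ed25519 key, so sshd will log `Could not load host key: /etc/ssh/ssh_host_rsa_key` on every start and the `sshd -T` run during setup will print the same error into `sshd_config.log`; either drop the RSA `HostKey` line (ed25519-only is a reasonable hardened choice) or generate the RSA key alongside. `TrustedUserCAKeys none` as the placeholder is fine: `none` is the documented value for disabling CA trust, so the unsubstituted file is still valid.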
11
includes/issue
Normal file
@@ -0,0 +1,11 @@
********************************************************************
* *
* This system is for the use of authorized users only. Usage of *
* this system may be monitored and recorded by system personnel. *
* *
* Anyone using this system expressly consents to such monitoring *
* and is advised that if such monitoring reveals possible *
* evidence of criminal activity, system personnel may provide the *
* evidence from such monitoring to law enforcement officials. *
* *
********************************************************************
11
includes/issue.net
Normal file
@@ -0,0 +1,11 @@
********************************************************************
* *
* This system is for the use of authorized users only. Usage of *
* this system may be monitored and recorded by system personnel. *
* *
* Anyone using this system expressly consents to such monitoring *
* and is advised that if such monitoring reveals possible *
* evidence of criminal activity, system personnel may provide the *
* evidence from such monitoring to law enforcement officials. *
* *
********************************************************************
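Review bot: `includes/issue` and `includes/issue.net` are byte-identical; keep a single source and copy or symlink it at install time so the console and network banners cannot drift apart. The network copy is only ever displayed if `sshd_config` contains `Banner /etc/issue.net`, which the sshd_config hunk in this commit does not show, so confirm that directive exists in the shipped file.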
@@ -43,6 +43,6 @@
. ./func/4160_grub_bootparameter.sh
. ./func/4170_installation_microcode.sh
. ./func/4180_setup_ssh.sh
. ./func/4195_installation_dropbear.sh
. ./func/4195_setup_dropbear.sh
. ./func/
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

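Review bot: `. ./func/` sources a directory, which bash rejects with `./func/: is a directory` and which aborts the whole run under `set -e`; the line appears as unchanged context here, so it is pre-existing, but it looks like an unfinished entry and should be completed or removed in this commit. The `4195_installation_dropbear.sh` / `4195_setup_dropbear.sh` pair (one replaces the other) also reuses the number 4195 while `install_dropbear_initramfs` depends on `build_dropbear` having run; give the build, install and setup steps distinct ascending numbers so the sourcing order documents that dependency.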
24
upgrades/dropbear/SHA512SUM.asc
Normal file
@@ -0,0 +1,24 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

eb16a13aa44732cab4db009bd55903e45f8756598683377bfe55185fbf0e3265 CHANGES
738b7f358547f0c64c3e1a56bbc5ef98d34d9ec6adf9ccdf01dc0bf2caa2bc8d dropbear-2025.87.tar.bz2
af24198895f604c2e114abe29a2f0c3fe30831e6db26e0f93fd5f78e734b61be dropbear-2025.87.tar.bz2.asc
783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4 dropbear-2025.88.tar.bz2
fe40fd8f40a7c5498025cc2058eaecbcd9e649a833d6cdecdab35f1156f4d411 dropbear-2025.88.tar.bz2.asc
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmgbUOIACgkQRJMUlPKc
Z3OS6w//bPQkIfs5ErkEBNRJDkYCDGekydYur0e2KtA2FX+vgPYI289FM4tXaD5f
hlBBT5oBQ740ekTLWMMnKcJV3Ut0QYnaXwiH2dHKtT4OEgRQIYqFlbAimpNPMZOL
IiBv+v9g71XJ3MrFyJSUo00mryIIIeuVQEWl8zxzsG8sf5usOUDwiJNWPul3fOJL
Ur+vTmCr7XYuq9kFG4YdJNLPLwDZ68e2u1fEpxpsnBmYFx5VS/WvD+qyuUfkR81h
HmcDgQJUJgx6Taq0OQJa4KnE4+HWjMd6V6JsDTsfYp4CjASO6HP2bON4zJWyphqL
cyrHAxiADtfU3RO59+XQ6AhTzhtGpZRgHLqetv40DjGN2lOGOdRk3TbE3/dbDl4W
f9zaPFGXyTA49iiVMMz2GVWlydpjs9HKsIKwwO7vU/EIi4S/USNJRI9wKUji3qKH
HO09YNoO0XuWzIpeGwfqbeaQ+SCPRPAMQMM0a2Mt10VzympY6w2kHAVbMV48kJ2i
AMtkgsxLUFdptDSdGKc/KHkbWRR22YCSSUXr1lxCA3fuCUWkS/2pAGzfbd+sd9BS
QkAiGVCWeFQML61aaoNxMT2+MbS80zrOWm8fjXblg3wCU6F3+TTmmDUNKI3NFi8z
4TVeAM0oGqeI+PX4hP7pyBy06dGiWiYEAGMiyno6vRXWJrwTVzI=
=/DnI
-----END PGP SIGNATURE-----
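Review bot: Despite the file name, every digest in `SHA512SUM.asc` is 64 hex characters, i.e. a SHA-256 sum (a SHA-512 sum is 128); the `Hash: SHA512` header only names the digest used for the clearsign signature itself. Verify with `sha256sum -c` after `gpg --verify` of the clearsigned message, and rename the file so nobody reaches for `sha512sum` and concludes the tarball is corrupt. The list also covers the 2025.87 artefacts, which this commit does not ship, so the check must be restricted to the `dropbear-2025.88.tar.bz2` line rather than run over the whole file.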
16
upgrades/dropbear/dropbear-2025.88.tar.bz2.asc
Normal file
@@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmgbTlUACgkQRJMUlPKc
Z3PY2xAAkSmMipofQkVDE8owIY1VrXGICpFFby7oIzog1oiWrTWlqjGPBwxrLEAa
W5qXPez0mu9CMs0eGgqHnpUCOR2OJKXzlllSwWcO2Q9Ioi+fSYB//A/+FRK5Jyvf
P3H6Iq4N4vCbOGS0zHwmlAhTMh1ezKuqnjCrP9z6gvOj6hiiI0DtX2YtYfXml4o8
Xgvv+w3uReC/Pf7Z7Zia18tWlLIC1DoVC18CmLmnnyqE032Cn8HsE/scboTehgJd
SKfpztf8/9IjAJpkoeuh3VEXeq5gUjdaW13cBvaPBg798+GsnY7ot7g2PLgnpc7w
Y1Npg2QZebKE2KHSEGhvIfHeGC6uSEekQnNbck6/ge8ytRzvfzxtTFCMWlGVdgd4
dFLNajFRt1VOYXMgm7w725cndXYjpvi7zNgGI/kuOQG92hGR8ZaQYYHUTI+B9sr1
Fit8VmaOsLN7ES8UcNlWeRPHAlvkhdfjltcCSVBziJWGW5rYsuT03X/gbjSiflA5
kwB/5A2Bf5DHtORbdtx9kfd5yqsnWaLczEKRjyikJqDUXW6CcclbEiucWIgR75cS
Ee9cf8ILKn/Dr6z+h60y0VQ+1gUcVDnK9yxoqywS5/QoUFXltzu032ZmhyDdgfex
93NbacgaVtges8t0S0s7PgfzpUSLgNte6aHOYwl5mDAh0zLGpoo=
=uS3y
-----END PGP SIGNATURE-----