Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
@@ -84,7 +84,7 @@ debootstrap: # Provide a mirror for downloading the Debian pac
|
|||||||
# list of official Debian packages.
|
# list of official Debian packages.
|
||||||
mirror: "https://deb.debian.org/debian"
|
mirror: "https://deb.debian.org/debian"
|
||||||
# The following packages MUST be included in the debootstrap.
|
# The following packages MUST be included in the debootstrap.
|
||||||
includes: "busybox,ca-certificates,locales,openssl,python3,python3-apt,zstd"
|
includes: "busybox,ca-certificates,git,locales,openssl,python3,python3-apt,zstd"
|
||||||
distribution: "trixie" # MUST be "trixie".
|
distribution: "trixie" # MUST be "trixie".
|
||||||
debian_suite: "stable" # MUST be "stable". Not supported yet: "testing", "experimental".
|
debian_suite: "stable" # MUST be "stable". Not supported yet: "testing", "experimental".
|
||||||
exit:
|
exit:
|
||||||
|
|||||||
@@ -21,7 +21,6 @@
|
|||||||
# TODO: Check Packages for installation. Refactor preseed.yaml, 4130_installation_toolset.sh, 4700_setup_packages.sh
|
# TODO: Check Packages for installation. Refactor preseed.yaml, 4130_installation_toolset.sh, 4700_setup_packages.sh
|
||||||
# TODO: What do we need for CISS environment?
|
# TODO: What do we need for CISS environment?
|
||||||
# TODO: Hardening Scripts Integration
|
# TODO: Hardening Scripts Integration
|
||||||
# TODO: SSH 2fa integration
|
|
||||||
# TODO: Recovery Partition Integration
|
# TODO: Recovery Partition Integration
|
||||||
# TODO: Grub Boot Menu Update for Recovery Integration
|
# TODO: Grub Boot Menu Update for Recovery Integration
|
||||||
# TODO: update-grub Post Hook Clang, Recovery, Signing PK
|
# TODO: update-grub Post Hook Clang, Recovery, Signing PK
|
||||||
|
|||||||
@@ -59,8 +59,13 @@ accounts_setup() {
|
|||||||
|
|
||||||
if [[ -x "${TARGET}${user_root_shell}" ]]; then
|
if [[ -x "${TARGET}${user_root_shell}" ]]; then
|
||||||
|
|
||||||
|
zsh_omz_installer "root"
|
||||||
|
|
||||||
chroot_exec "${TARGET}" chsh -s "${user_root_shell}" root
|
chroot_exec "${TARGET}" chsh -s "${user_root_shell}" root
|
||||||
|
|
||||||
|
mv "${TARGET}/root/.zshrc" "${TARGET}/root/.zshrc.bak"
|
||||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/root/"
|
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/root/"
|
||||||
|
|
||||||
do_log "info" "file_only" "4520() Shell: '${user_root_shell}' used for: 'root'."
|
do_log "info" "file_only" "4520() Shell: '${user_root_shell}' used for: 'root'."
|
||||||
|
|
||||||
else
|
else
|
||||||
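Review bot: The new `mv "${TARGET}/root/.zshrc" "${TARGET}/root/.zshrc.bak"` is unconditional, but nothing guarantees a `.zshrc` exists at that point: zsh_omz_installer is invoked with KEEP_ZSHRC=yes and always returns 0 even when its payload fails, so a missing file turns into an `mv` error here rather than a logged installer failure. Guard it, e.g. `if [[ -f "${TARGET}/root/.zshrc" ]]; then mv "${TARGET}/root/.zshrc" "${TARGET}/root/.zshrc.bak"; fi`, and log when zsh_omz_installer reports failure once it does. The same unguarded `mv` appears in the user-account hunk at @@ -262. accounts_setup starts and ends outside this hunk.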
@@ -262,6 +267,11 @@ EOF
|
|||||||
|
|
||||||
if [[ -x "${TARGET}${var_shell}" ]]; then
|
if [[ -x "${TARGET}${var_shell}" ]]; then
|
||||||
|
|
||||||
|
zsh_omz_installer "${var_username}"
|
||||||
|
|
||||||
|
mv "${TARGET}/home/${var_username}/.zshrc" "${TARGET}/home/${var_username}/.zshrc.bak"
|
||||||
|
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/home/${var_username}"
|
||||||
|
|
||||||
chroot_exec "${TARGET}" chsh -s "${var_shell}" "${var_username}"
|
chroot_exec "${TARGET}" chsh -s "${var_shell}" "${var_username}"
|
||||||
do_log "info" "file_only" "4520() Shell: '${var_shell}' used for: '${var_username}'."
|
do_log "info" "file_only" "4520() Shell: '${var_shell}' used for: '${var_username}'."
|
||||||
|
|
||||||
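Review bot: The added `install -m 0600 -o root -g root … "${TARGET}/home/${var_username}"` places a root-owned, mode 0600 `.zshrc` in the user's home, so the user whose login shell was just switched to zsh cannot read their own rc file and the freshly installed oh-my-zsh is never loaded. Ownership also has to be resolved against the target's passwd, not the host's, since `install` runs outside the chroot; install without `-o/-g` and then `chroot_exec "${TARGET}" chown "${var_username}:" "/home/${var_username}/.zshrc"`. The backup created by the preceding `mv` keeps the user's original ownership, so only the new file is affected. The enclosing function continues outside the hunk.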
@@ -555,7 +565,7 @@ EOF
|
|||||||
### Tighten perms on sudoers.d (idempotent).
|
### Tighten perms on sudoers.d (idempotent).
|
||||||
find "${var_sudoers_dir}" -type f -exec chmod 0440 {} \;
|
find "${var_sudoers_dir}" -type f -exec chmod 0440 {} \;
|
||||||
|
|
||||||
### Verify sudoers syntax in chroot
|
### Verify sudoers syntax in chroot.
|
||||||
if ! chroot_script "${TARGET}" "EDITOR=/usr/bin/nano /usr/sbin/visudo -q -c >> ${var_logfile}"; then
|
if ! chroot_script "${TARGET}" "EDITOR=/usr/bin/nano /usr/sbin/visudo -q -c >> ${var_logfile}"; then
|
||||||
|
|
||||||
do_log "warn" "file_only" "4520() Command: [chroot_script ${TARGET} EDITOR=/usr/bin/nano /usr/sbin/visudo -q -c] failed."
|
do_log "warn" "file_only" "4520() Command: [chroot_script ${TARGET} EDITOR=/usr/bin/nano /usr/sbin/visudo -q -c] failed."
|
||||||
@@ -567,7 +577,7 @@ EOF
|
|||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#### Ensure logrotate for /var/log/sudo.log exists once.
|
### Ensure logrotate for '/var/log/sudo.log' exists once.
|
||||||
if ! grep -qF "/var/log/sudo.log {" "${var_lr_conf}" 2>/dev/null; then
|
if ! grep -qF "/var/log/sudo.log {" "${var_lr_conf}" 2>/dev/null; then
|
||||||
|
|
||||||
insert_header "${var_lr_conf}"
|
insert_header "${var_lr_conf}"
|
||||||
@@ -826,11 +836,10 @@ write_google_authenticator_file() {
|
|||||||
{
|
{
|
||||||
declare accept hex val
|
declare accept hex val
|
||||||
printf '%s\n' "${var_secret}"
|
printf '%s\n' "${var_secret}"
|
||||||
printf 'RATE_LIMIT 3 30\n'
|
printf '" RATE_LIMIT 3 30\n'
|
||||||
printf 'WINDOW_SIZE 10\n'
|
printf '" WINDOW_SIZE 10\n'
|
||||||
printf 'TOTP_DIGITS 8\n'
|
printf '" DISALLOW_REUSE\n'
|
||||||
printf 'DISALLOW_REUSE\n'
|
printf '" TOTP_AUTH\n'
|
||||||
printf 'TOTP_AUTH\n'
|
|
||||||
### Emergency Codes (8× unbiased 8-digit, CSPRNG via OpenSSL).
|
### Emergency Codes (8× unbiased 8-digit, CSPRNG via OpenSSL).
|
||||||
for i in {1..8}; do
|
for i in {1..8}; do
|
||||||
### Draw 32 bits; rejection sampling to avoid modulo bias.
|
### Draw 32 bits; rejection sampling to avoid modulo bias.
|
||||||
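Review bot: The loop index in `for i in {1..8}` is the one temporary not covered by `declare accept hex val`, so unlike the others it is not function-local and leaks into the caller's scope; extend the declaration to `declare accept hex val i`. The reordering into secret, `" `-prefixed option lines, then scratch codes matches the layout pam_google_authenticator reads as far as I recall, so the content change itself looks right. write_google_authenticator_file continues outside the hunk.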
@@ -860,4 +869,48 @@ write_google_authenticator_file() {
|
|||||||
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
# Use the official ohmyzsh-installer but force non-interactive behavior; do not run zsh; do not chsh.
|
||||||
|
# Globals:
|
||||||
|
# TARGET
|
||||||
|
# Arguments:
|
||||||
|
# 1: Username
|
||||||
|
# Returns:
|
||||||
|
# 0: on success
|
||||||
|
#######################################
|
||||||
|
zsh_omz_installer() {
|
||||||
|
### Declare Arrays, HashMaps, and Variables.
|
||||||
|
declare var_user="${1}"
|
||||||
|
|
||||||
|
chroot_stdin "${TARGET}" "__payload__" -- "${var_user}" <<'EOF'
|
||||||
|
export LC_ALL=C
|
||||||
|
user="$1"
|
||||||
|
### Login shell for proper HOME, PATH, etc.
|
||||||
|
### We also set installer env to prevent zsh spawn or chsh.
|
||||||
|
su - "${user}" -s /bin/bash -c '
|
||||||
|
set -euo pipefail
|
||||||
|
export RUNZSH=no CHSH=no KEEP_ZSHRC=yes
|
||||||
|
export ZSH="${HOME}/.oh-my-zsh"
|
||||||
|
### Pre-create ~/.oh-my-zsh to control perms.
|
||||||
|
mkdir -p "${ZSH}" && chmod 0700 "${ZSH}"
|
||||||
|
umask 0077
|
||||||
|
### Use wget or curl as available.
|
||||||
|
if command -v wget >/dev/null; then
|
||||||
|
sh -c "$(wget -qO- https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
|
||||||
|
else
|
||||||
|
sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
|
||||||
|
fi
|
||||||
|
### Plugins (clone shallow).
|
||||||
|
ZSH_CUSTOM="${ZSH}/custom"
|
||||||
|
mkdir -p "${ZSH_CUSTOM}/plugins"
|
||||||
|
git clone --depth 1 https://github.com/zsh-users/zsh-autosuggestions "${ZSH_CUSTOM}/plugins/zsh-autosuggestions" || true
|
||||||
|
git clone --depth 1 https://github.com/zsh-users/zsh-syntax-highlighting.git "${ZSH_CUSTOM}/plugins/zsh-syntax-highlighting" || true
|
||||||
|
'
|
||||||
|
umask 0022
|
||||||
|
:
|
||||||
|
EOF
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||||
|
|||||||
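Review bot: Failures inside zsh_omz_installer are masked at every layer: when `wget -qO-`/`curl -fsSL` fails, `$(…)` yields an empty string and `sh -c ""` exits 0 despite `set -euo pipefail`, the trailing `:` in the payload resets the exit status of the `su` call, and the function ends with an unconditional `return 0`, so the callers in accounts_setup never learn that nothing was installed. The installer is also fetched from the unpinned `master` branch and executed without any integrity check, and the plugin clones track unpinned default branches with `|| true`; for an image build that is a supply-chain exposure worth closing by pinning a revision and verifying a checksum before execution. I would download to a temp file, verify it, run it, pin the clones with `--branch <tag>`, drop the `:` line, and end with `chroot_stdin "${TARGET}" "__payload__" -- "${var_user}" <<'EOF' || return 1` so callers can react. The `umask 0022` after the `su` block only affects the payload shell, whose umask the inner `umask 0077` never changed, so it can go as well.
```shell
su - "${user}" -s /bin/bash -c '
  set -euo pipefail
  # … unchanged: RUNZSH/CHSH/KEEP_ZSHRC exports, ZSH dir creation, umask 0077 …
  ### Pin the installer to a known revision and verify it before executing.
  installer="$(mktemp)"
  trap "rm -f \"${installer}\"" EXIT
  url="https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/<PINNED_COMMIT>/tools/install.sh"
  if command -v wget >/dev/null; then
    wget -qO "${installer}" "${url}"
  else
    curl -fsSL -o "${installer}" "${url}"
  fi
  printf "%s  %s\n" "<EXPECTED_SHA256>" "${installer}" | sha256sum -c - >/dev/null
  sh "${installer}"
  # … unchanged: ZSH_CUSTOM setup; plugin clones pinned with --branch <tag>, without "|| true" …
'
```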