diff --git a/01-basic.sh b/01-basic.sh index ca48f2d..68ff11f 100755 --- a/01-basic.sh +++ b/01-basic.sh 
@@ -1,153 +1,51 @@ -#!/bin/bash +#!/bin/sh SOURCE_DIR=$(realpath $(dirname "${0}"))/basic -export DEBIAN_FRONTEND="noninteractive" -# Uninstall unnecessary packages -apt-get -y purge bsdmainutils dictionaries-common emacsen-common iamerican ibritish ienglish-common installation-report ispell laptop-detect nano os-prober task-english tasksel tasksel-data wamerican - -# Install useful packages -apt-get -y update -apt-get -y --no-install-recommends install apt-transport-https bash-completion ca-certificates curl file git htop ntp openssl sudo tree unzip vim - - -###### -# OpenSSH and user settings -##### - -# Install OpenSSH server -apt-get -y --no-install-recommends install openssh-server -mkdir ~/.ssh -cp ${SOURCE_DIR}/root/.ssh/authorized_keys /root/.ssh/authorized_keys +# Install packages +apk --no-cache add docker gettext git htop kbd-misc libressl openssh-server openssh-sftp-server postfix nginx # Copy profile files and settings +mkdir /root/.ssh mkdir -p /root/.config/htop -cp ${SOURCE_DIR}/root/.bashrc /root/.bashrc +cp ${SOURCE_DIR}/root/.ssh/authorized_keys /root/.ssh/authorized_keys cp ${SOURCE_DIR}/root/.config/htop/htoprc /root/.config/htop/htoprc -cp ${SOURCE_DIR}/root/.vimrc /root/.vimrc -# Remove default user -deluser --remove-all-files user 2>/dev/null - - -##### -# System boot -##### - -# Rename encrypted partition -sed -i 's/sda2_crypt/system/' /etc/crypttab -dmsetup rename sda2_crypt system - -# Suppress warnings during boot -cp ${SOURCE_DIR}/usr/share/initramfs-tools/scripts/local-top/lvm2 /usr/share/initramfs-tools/scripts/local-top/lvm2 -cp ${SOURCE_DIR}/usr/share/initramfs-tools/scripts/local-top/cryptroot /usr/share/initramfs-tools/scripts/local-top/cryptroot - -# Set GRUB options -cp ${SOURCE_DIR}/etc/default/grub /etc/default/grub - -# Set legal banner with URL + latin2 character set -cp ${SOURCE_DIR}/etc/default/console-setup /etc/default/console-setup -cp ${SOURCE_DIR}/etc/issue /etc/issue -dpkg-reconfigure console-setup +# Copy boot 
configuration +cp ${SOURCE_DIR}/boot/extlinux.conf /boot/extlinux.conf # Forbid login on tty1, disable tty2-6 -cp ${SOURCE_DIR}/lib/systemd/system/getty@.service /lib/systemd/system/getty@.service -systemctl mask getty-static +cp ${SOURCE_DIR}/etc/inittab /etc/inittab -# Update initramfs and GRUB -update-initramfs -u -update-grub +# Enable support for Czech characters +cp ${SOURCE_DIR}/etc/rc.conf /etc/rc.conf +cp ${SOURCE_DIR}/etc/conf.d/consolefont /etc/conf.d/consolefont +rc-update add consolefont boot - -##### -# Postfix -##### - -# Preconfigure -echo postfix postfix/main_mailer_type string "Satellite system" | debconf-set-selections -echo postfix postfix/mailname string "$(hostname -f)" | debconf-set-selections -echo postfix postfix/relayhost string "" | debconf-set-selections - -# Install packages -apt-get -y --no-install-recommends install postfix +# Set legal banner with URL +cp ${SOURCE_DIR}/etc/issue.template /etc/issue.template +cp ${SOURCE_DIR}/sbin/issue-gen /sbin/issue-gen # TODO: Make executable # Configure Postfix -cp ${SOURCE_DIR}/etc/postfix/main.cf /etc/postfix/main.cf - -# Restart services -systemctl restart postfix - - -##### -# Docker -##### - -# Add Docker repository -echo 'deb https://download.docker.com/linux/debian stretch stable' > /etc/apt/sources.list.d/docker.list -wget https://download.docker.com/linux/debian/gpg -O - | apt-key add - -apt-get -y update - -# Install packages -apt-get -y --no-install-recommends install docker-ce - -# Install docker-compose -# wget https://github.com/docker/compose/releases/download/1.17.1/docker-compose-Linux-x86_64 -O /usr/local/bin/docker-compose -# chmod +x /usr/local/bin/docker-compose - - -##### -# Nginx + uWSGI -##### - -# Install packages -apt-get -y --no-install-recommends install nginx-light uwsgi uwsgi-plugin-python +# cp ${SOURCE_DIR}/etc/postfix/main.cf /etc/postfix/main.cf # Create a self-signed certificate +mkdir /etc/ssl/private openssl req -x509 -new -out /etc/ssl/certs/services.pem 
-keyout /etc/ssl/private/services.key -nodes -days 3654 -subj "/C=CZ/CN=$(hostname -f)" -chgrp ssl-cert /etc/ssl/private/services.key chmod 640 /etc/ssl/private/services.key # Configure nginx -mkdir /etc/nginx/apps-available /etc/nginx/apps-enabled -cp ${SOURCE_DIR}/etc/nginx/nginx.conf /etc/nginx/nginx.conf -cp ${SOURCE_DIR}/etc/nginx/sites-available/default /etc/nginx/sites-available/default - -# Workaround for web2py shutdown problem, see https://github.com/web2py/web2py/issues/1769 -sed -i 's|QUIT/30|QUIT/5|' /usr/share/uwsgi/init/specific_daemon +# cp ${SOURCE_DIR}/etc/nginx/nginx.conf /etc/nginx/nginx.conf +# cp ${SOURCE_DIR}/etc/nginx/sites-available/default /etc/nginx/sites-available/default # Copy Portal resources -cp -r ${SOURCE_DIR}/usr/local/bin/portal-app-manager /usr/local/bin/portal-app-manager +cp ${SOURCE_DIR}/usr/local/bin/portal-app-manager /usr/local/bin/portal-app-manager cp -r ${SOURCE_DIR}/srv/portal /srv/portal -chown -R www-data:www-data /srv/portal -# Restart -systemctl restart nginx +# Configure services +for SERVICE in docker nginx postfix sshd; do + rc-update add ${SERVICE} boot + service ${SERVICE} start +done -##### -# MariaDB -##### - -# Install packages -apt-get -y --no-install-recommends install mariadb-server - -# Enable query logging. Only if the DEBUG environment variable is set -if [ ${DEBUG:-0} -eq 1 ]; then - sed -i 's/#general_log/general_log/g' /etc/mysql/mariadb.conf.d/50-server.cnf -fi - -# Restart -systemctl restart mysqld - - -##### -# Tomcat -##### - -# Install packages -apt-get -y --no-install-recommends install libservlet3.1-java openjdk-8-jre-headless tomcat8 - -# Configure -cp ${SOURCE_DIR}/etc/tomcat8/server.xml /etc/tomcat8/server.xml - -# Restart -systemctl restart tomcat8 +# TODO: Hide OpenRC output diff --git a/basic/boot/extlinux.conf b/basic/boot/extlinux.conf new file mode 100644 index 0000000..1a12bf4 --- /dev/null +++ b/basic/boot/extlinux.conf 
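Review bot: The private key produced by the `openssl req -x509 ... -keyout /etc/ssl/private/services.key -nodes` call is created under the caller's umask (commonly 022, i.e. 0644) and only tightened by the later `chmod 640`, and the preceding `mkdir /etc/ssl/private` leaves the directory at its default mode as well, so the unencrypted key is readable by every local user for a window and the directory offers no second layer. Create the directory closed and generate the key under a restrictive umask: `mkdir -m 700 /etc/ssl/private` and wrap the generation as `(umask 077; openssl req -x509 -new -out /etc/ssl/certs/services.pem -keyout /etc/ssl/private/services.key -nodes -days 3654 -subj "/C=CZ/CN=$(hostname -f)")` before the `chmod 640`. The hunk also enables `sshd` with a root `authorized_keys` but never touches `/etc/ssh/sshd_config`; the packaged OpenSSH default is presumably `PermitRootLogin prohibit-password`, but a hardening script should pin `PermitRootLogin prohibit-password` and `PasswordAuthentication no` explicitly rather than inherit whatever the package ships. Finally the script now runs under `#!/bin/sh` with no `set -e`, so a failed `apk add` lets every following `cp`, `rc-update add` and `service start` run against a half-installed system; add `set -eu` after the shebang and quote the `$(dirname "${0}")` result in `SOURCE_DIR`.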
@@ -0,0 +1,6 @@
+DEFAULT vm
+SAY Startuji SpotterVM...
+LABEL vm
+ LINUX vmlinuz-virthardened
+ INITRD initramfs-virthardened
+ APPEND root=/dev/vg0/root modules=sd-mod,usb-storage,ext4 pax_nouderef quiet rootfstype=ext4 cryptroot=/dev/sda2 cryptdm=system
diff --git a/basic/etc/conf.d/consolefont b/basic/etc/conf.d/consolefont
new file mode 100644
index 0000000..03753e1
--- /dev/null
+++ b/basic/etc/conf.d/consolefont
@@ -0,0 +1,11 @@
+# The consolefont service is not activated by default. If you need to
+# use it, you should run "rc-update add consolefont boot" as root.
+#
+# consolefont specifies the default font that you'd like Linux to use on the
+# console. You can find a good selection of fonts in /usr/share/consolefonts;
+consolefont="lat2-sun16.psfu.gz"
+
+# consoletranslation is the charset map file to use. Leave commented to use
+# the default one. Have a look in /usr/share/consoletrans for a selection of
+# map files you can use.
+consoletranslation="8859-2_to_uni.trans"
diff --git a/basic/etc/default/console-setup b/basic/etc/default/console-setup
deleted file mode 100644
index 24bda85..0000000
--- a/basic/etc/default/console-setup
+++ /dev/null
@@ -1,16 +0,0 @@
-# CONFIGURATION FILE FOR SETUPCON
-
-# Consult the console-setup(5) manual page.
-
-ACTIVE_CONSOLES="/dev/tty[1-6]"
-
-CHARMAP="UTF-8"
-
-CODESET="Lat2"
-FONTFACE="Fixed"
-FONTSIZE="8x16"
-
-VIDEOMODE=
-
-# The following is an example how to use a braille font
-# FONT='lat9w-08.psf.gz brl-8x8.psf'
diff --git a/basic/etc/default/grub b/basic/etc/default/grub
deleted file mode 100644
index d748b3d..0000000
--- a/basic/etc/default/grub
+++ /dev/null
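Review bot: `pax_nouderef` on the `APPEND` line disables PaX UDEREF for the virthardened kernel, a deliberate weakening of kernel/user address-space separation, and nothing in the file records why; add a comment beside it such as `# pax_nouderef: UDEREF disabled because it is unsupported/slow under this hypervisor - revisit when the kernel changes`, with the real reason filled in. The file also sets neither `PROMPT 0` nor `NOESCAPE 1`, so with syslinux's default behaviour holding Shift or Alt at startup still opens the `boot:` prompt and anyone at the console can append `init=/bin/sh` or alter `cryptroot=`/`cryptdm=`; the encrypted root limits what that yields, but `PROMPT 0` together with `NOESCAPE 1` removes the interactive prompt entirely and is the intended pairing for an appliance.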
@@ -1,34 +0,0 @@
-# If you change this file, run 'update-grub' afterwards to update
-# /boot/grub/grub.cfg.
-# For full documentation of the options in this file, see:
-# info -f grub -n 'Simple configuration'
-
-GRUB_DEFAULT=0
-GRUB_TIMEOUT=0
-GRUB_RECORDFAIL_TIMEOUT=0
-GRUB_FORCE_HIDDEN_MENU="true"
-GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
-GRUB_CMDLINE_LINUX_DEFAULT="quiet loglevel=0"
-GRUB_CMDLINE_LINUX=""
-
-# Uncomment to enable BadRAM filtering, modify to suit your needs
-# This works with Linux (no patch required) and with any kernel that obtains
-# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
-#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
-
-# Uncomment to disable graphical terminal (grub-pc only)
-#GRUB_TERMINAL=console
-
-# The resolution used on graphical terminal
-# note that you can use only modes which your graphic card supports via VBE
-# you can see them in real GRUB with the command `vbeinfo'
-#GRUB_GFXMODE=640x480
-
-# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
-#GRUB_DISABLE_LINUX_UUID=true
-
-# Uncomment to disable generation of recovery mode menu entries
-GRUB_DISABLE_RECOVERY="true"
-
-# Uncomment to get a beep at grub start
-#GRUB_INIT_TUNE="480 440 1"
diff --git a/basic/etc/inittab b/basic/etc/inittab
new file mode 100644
index 0000000..e243d63
--- /dev/null
+++ b/basic/etc/inittab
@@ -0,0 +1,26 @@ +# /etc/inittab + +::sysinit:/sbin/openrc sysinit +::sysinit:/sbin/openrc boot +::wait:/sbin/openrc default + +# Set up a couple of getty's +::wait:/sbin/issue-gen +tty1::respawn:/sbin/getty -l /sbin/nologin 38400 tty1 +#tty2::respawn:/sbin/getty 38400 tty2 +#tty3::respawn:/sbin/getty 38400 tty3 +#tty4::respawn:/sbin/getty 38400 tty4 +#tty5::respawn:/sbin/getty 38400 tty5 +#tty6::respawn:/sbin/getty 38400 tty6 + +# Put a getty on the serial port +#ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100 + +# Stuff to do for the 3-finger salute +::ctrlaltdel:/sbin/reboot + +# Stuff to do before rebooting +::shutdown:/sbin/openrc shutdown + +# enable login on alternative console +#ttyS0::respawn:/sbin/getty -L 115200 ttyS0 vt100 diff --git a/basic/etc/issue b/basic/etc/issue.template similarity index 51% rename from basic/etc/issue rename to basic/etc/issue.template index 16055ec..6298de1 100644 --- a/basic/etc/issue +++ b/basic/etc/issue.template @@ -1,11 +1,11 @@ - _____ _ _ _____ _ _ - / ____| | | | | / ____| | | | - | (___ _ __ ___ | |_| |_ ___ _ __ | | | |_ _ ___| |_ ___ _ __ - \\___ \\| '_ \\ / _ \\| __| __/ _ \\ '__| | | | | | | / __| __/ _ \\ '__| - ____) | |_) | (_) | |_| || __/ | | |____| | |_| \\__ \\ || __/ | - |_____/| .__/ \\___/ \\__|\\__\\___|_| \\_____|_|\\__,_|___/\\__\\___|_| - | | + _____ _ _ __ ____ __ + / ____| | | | | \\ \\ / / \\/ | + | (___ _ __ ___ | |_| |_ ___ _ _\\ \\ / /| \\ / | + \\___ \\| '_ \\ / _ \\| __| __/ _ \\ '__\\ \\/ / | |\\/| | + ____) | |_) | (_) | |_| || __/ | \\ / | | | | + |_____/| .__/ \\___/ \\__|\\__\\___|_| \\/ |_| |_| + | | |_| @@ -25,7 +25,7 @@ - Pro přístup k aplikacím otevřete URL https://\4/ ve Vašem + Pro přístup k aplikacím otevřete URL https://${URL}/ ve Vašem internetovém prohlížeči. diff --git a/basic/etc/rc.conf b/basic/etc/rc.conf new file mode 100644 index 0000000..b0ca59b --- /dev/null +++ b/basic/etc/rc.conf 
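Review bot: With tty1 bound to `/sbin/getty -l /sbin/nologin` and tty2-6 commented out, `::ctrlaltdel:/sbin/reboot` is the one action left to a person at the console, and it reboots the machine; if console access is treated as untrusted (which the nologin getty suggests), change it to `::ctrlaltdel:/bin/true` or drop the line, otherwise add a comment saying that a console-triggered reboot is intentionally allowed. `::wait:/sbin/issue-gen` also regenerates the banner on every boot immediately after `openrc default`, so the address shown is whatever route exists at that instant and a DHCP change later in the uptime is never reflected; a short comment noting that the banner is a boot-time snapshot would save the next maintainer a debugging session.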
@@ -0,0 +1,251 @@ +# Global OpenRC configuration settings + +# Set to "YES" if you want the rc system to try and start services +# in parallel for a slight speed improvement. When running in parallel we +# prefix the service output with its name as the output will get +# jumbled up. +# WARNING: whilst we have improved parallel, it can still potentially lock +# the boot process. Don't file bugs about this unless you can supply +# patches that fix it without breaking other things! +#rc_parallel="NO" + +# Set rc_interactive to "YES" and you'll be able to press the I key during +# boot so you can choose to start specific services. Set to "NO" to disable +# this feature. This feature is automatically disabled if rc_parallel is +# set to YES. +#rc_interactive="YES" + +# If we need to drop to a shell, you can specify it here. +# If not specified we use $SHELL, otherwise the one specified in /etc/passwd, +# otherwise /bin/sh +# Linux users could specify /sbin/sulogin +#rc_shell=/bin/sh + +# Do we allow any started service in the runlevel to satisfy the dependency +# or do we want all of them regardless of state? For example, if net.eth0 +# and net.eth1 are in the default runlevel then with rc_depend_strict="NO" +# both will be started, but services that depend on 'net' will work if either +# one comes up. With rc_depend_strict="YES" we would require them both to +# come up. +#rc_depend_strict="YES" + +# rc_hotplug controls which services we allow to be hotplugged. +# A hotplugged service is one started by a dynamic dev manager when a matching +# hardware device is found. +# Hotplugged services appear in the "hotplugged" runlevel. +# If rc_hotplug is set to any value, we compare the name of this service +# to every pattern in the value, from left to right, and we allow the +# service to be hotplugged if it matches a pattern, or if it matches no +# patterns. Patterns can include shell wildcards. +# To disable services from being hotplugged, prefix patterns with "!". 
+#If rc_hotplug is not set or is empty, all hotplugging is disabled. +# Example - rc_hotplug="net.wlan !net.*" +# This allows net.wlan and any service not matching net.* to be hotplugged. +# Example - rc_hotplug="!net.*" +# This allows services that do not match "net.*" to be hotplugged. + +# rc_logger launches a logging daemon to log the entire rc process to +# /var/log/rc.log +# NOTE: Linux systems require the devfs service to be started before +# logging can take place and as such cannot log the sysinit runlevel. +#rc_logger="NO" + +# Through rc_log_path you can specify a custom log file. +# The default value is: /var/log/rc.log +#rc_log_path="/var/log/rc.log" + +# If you want verbose output for OpenRC, set this to yes. If you want +# verbose output for service foo only, set it to yes in /etc/conf.d/foo. +#rc_verbose=no + +# By default we filter the environment for our running scripts. To allow other +# variables through, add them here. Use a * to allow all variables through. +#rc_env_allow="VAR1 VAR2" + +# By default we assume that all daemons will start correctly. +# However, some do not - a classic example is that they fork and return 0 AND +# then child barfs on a configuration error. Or the daemon has a bug and the +# child crashes. You can set the number of milliseconds start-stop-daemon +# waits to check that the daemon is still running after starting here. +# The default is 0 - no checking. +#rc_start_wait=100 + +# rc_nostop is a list of services which will not stop when changing runlevels. +# This still allows the service itself to be stopped when called directly. +#rc_nostop="" + +# rc will attempt to start crashed services by default. +# However, it will not stop them by default as that could bring down other +# critical services. +#rc_crashed_stop=NO +#rc_crashed_start=YES + +# Set rc_nocolor to yes if you do not want colors displayed in OpenRC +# output. 
+#rc_nocolor=NO + +############################################################################## +# MISC CONFIGURATION VARIABLES +# There variables are shared between many init scripts + +# Set unicode to YES to turn on unicode support for keyboards and screens. +#unicode="NO" +unicode="YES" + +# This is how long fuser should wait for a remote server to respond. The +# default is 60 seconds, but it can be adjusted here. +#rc_fuser_timeout=60 + +# Below is the default list of network fstypes. +# +# afs ceph cifs coda davfs fuse fuse.sshfs gfs glusterfs lustre ncpfs +# nfs nfs4 ocfs2 shfs smbfs +# +# If you would like to add to this list, you can do so by adding your +# own fstypes to the following variable. +#extra_net_fs_list="" + +############################################################################## +# SERVICE CONFIGURATION VARIABLES +# These variables are documented here, but should be configured in +# /etc/conf.d/foo for service foo and NOT enabled here unless you +# really want them to work on a global basis. +# If your service has characters in its name which are not legal in +# shell variable names and you configure the variables for it in this +# file, those characters should be replaced with underscores in the +# variable names as shown below. + +# Some daemons are started and stopped via start-stop-daemon. +# We can set some things on a per service basis, like the nicelevel. +#SSD_NICELEVEL="-19" +# Or the ionice level. The format is class[:data] , just like the +# --ionice start-stop-daemon parameter. 
+#SSD_IONICELEVEL="2:2" + +# Pass ulimit parameters +# If you are using bash in POSIX mode for your shell, note that the +# ulimit command uses a block size of 512 bytes for the -c and -f +# options +#rc_ulimit="-u 30" + +# It's possible to define extra dependencies for services like so +#rc_config="/etc/foo" +#rc_need="openvpn" +#rc_use="net.eth0" +#rc_after="clock" +#rc_before="local" +#rc_provide="!net" + +# You can also enable the above commands here for each service. Below is an +# example for service foo. +#rc_foo_config="/etc/foo" +#rc_foo_need="openvpn" +#rc_foo_after="clock" + +# Below is an example for service foo-bar. Note that the '-' is illegal +# in a shell variable name, so we convert it to an underscore. +# example for service foo-bar. +#rc_foo_bar_config="/etc/foo-bar" +#rc_foo_bar_need="openvpn" +#rc_foo_bar_after="clock" + +# You can also remove dependencies. +# This is mainly used for saying which services do NOT provide net. +#rc_net_tap0_provide="!net" + +# This is the subsystem type. +# It is used to match against keywords set by the keyword call in the +# depend function of service scripts. +# +# It should be set to the value representing the environment this file is +# PRESENTLY in, not the virtualization the environment is capable of. +# If it is commented out, automatic detection will be used. +# +# The list below shows all possible settings as well as the host +# operating systems where they can be used and autodetected. 
+# +# "" - nothing special +# "docker" - Docker container manager (Linux) +# "jail" - Jail (DragonflyBSD or FreeBSD) +# "lxc" - Linux Containers +# "openvz" - Linux OpenVZ +# "prefix" - Prefix +# "rkt" - CoreOS container management system (Linux) +# "subhurd" - Hurd subhurds (to be checked) +# "systemd-nspawn" - Container created by systemd-nspawn (Linux) +# "uml" - Usermode Linux +# "vserver" - Linux vserver +# "xen0" - Xen0 Domain (Linux and NetBSD) +# "xenU" - XenU Domain (Linux and NetBSD) +#rc_sys="" + +# on Linux and Hurd, this is the number of ttys allocated for logins +# It is used in the consolefont, keymaps, numlock and termencoding +# service scripts. +rc_tty_number=12 + +############################################################################## +# LINUX CGROUPS RESOURCE MANAGEMENT + +# If you have cgroups turned on in your kernel, this switch controls +# whether or not a group for each controller is mounted under +# /sys/fs/cgroup. +# None of the other options in this section work if this is set to "NO". +#rc_controller_cgroups="YES" + +# The following settings allow you to set up values for the cgroup +# controllers for your services. +# They can be set in this file;, however, if you do this, the settings +# will apply to all of your services. +# If you want different settings for each service, place the settings in +# /etc/conf.d/foo for service foo. +# The format is to specify the names of the settings followed by their +# values. Each variable can hold multiple settings. +# For example, you would use this to set the cpu.shares setting in the +# cpu controller to 512 for your service. +# rc_cgroup_cpu=" +# cpu.shares 512 +# " +# +#For more information about the adjustments that can be made with +#cgroups, see Documentation/cgroups/* in the linux kernel source tree. + +# Set the blkio controller settings for this service. +#rc_cgroup_blkio="" + +# Set the cpu controller settings for this service. 
+#rc_cgroup_cpu="" + +# Add this service to the cpuacct controller (any value means yes). +#rc_cgroup_cpuacct="" + +# Set the cpuset controller settings for this service. +#rc_cgroup_cpuset="" + +# Set the devices controller settings for this service. +#rc_cgroup_devices="" + +# Set the hugetlb controller settings for this service. +#rc_cgroup_hugetlb="" + +# Set the memory controller settings for this service. +#rc_cgroup_memory="" + +# Set the net_cls controller settings for this service. +#rc_cgroup_net_cls="" + +# Set the net_prio controller settings for this service. +#rc_cgroup_net_prio="" + +# Set the pids controller settings for this service. +#rc_cgroup_pids="" + +# Set this to YES if you want all of the processes in a service's cgroup +# killed when the service is stopped or restarted. +# This should not be set globally because it kills all of the service's +# child processes, and most of the time this is undesirable. Please set +# it in /etc/conf.d/. +# To perform this cleanup manually for a stopped service, you can +# execute cgroup_cleanup with /etc/init.d/ cgroup_cleanup or +# rc-service cgroup_cleanup. +# rc_cgroup_cleanup="NO" diff --git a/basic/etc/tomcat8/server.xml b/basic/etc/tomcat8/server.xml deleted file mode 100644 index d431128..0000000 --- a/basic/etc/tomcat8/server.xml +++ /dev/null @@ -1,169 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/basic/lib/systemd/system/getty@.service b/basic/lib/systemd/system/getty@.service deleted file mode 100644 index 2747d22..0000000 --- a/basic/lib/systemd/system/getty@.service +++ /dev/null 
@@ -1,53 +0,0 @@ -# This file is part of systemd. -# -# systemd is free software; you can redistribute it and/or modify it -# under the terms of the GNU Lesser General Public License as published by -# the Free Software Foundation; either version 2.1 of the License, or -# (at your option) any later version. - -[Unit] -Description=Getty on %I -Documentation=man:agetty(8) man:systemd-getty-generator(8) -Documentation=http://0pointer.de/blog/projects/serial-console.html -After=systemd-user-sessions.service plymouth-quit-wait.service -After=rc-local.service - -# If additional gettys are spawned during boot then we should make -# sure that this is synchronized before getty.target, even though -# getty.target didn't actually pull it in. -Before=getty.target -IgnoreOnIsolate=yes - -# IgnoreOnIsolate causes issues with sulogin, if someone isolates -# rescue.target or starts rescue.service from multi-user.target or -# graphical.target. -Conflicts=rescue.service -Before=rescue.service - -# On systems without virtual consoles, don't start any getty. Note -# that serial gettys are covered by serial-getty@.service, not this -# unit. -ConditionPathExists=/dev/tty0 - -[Service] -# the VT is cleared by TTYVTDisallocate -ExecStart=-/sbin/agetty -l /usr/sbin/nologin %I $TERM -Type=idle -Restart=always -RestartSec=0 -UtmpIdentifier=%I -TTYPath=/dev/%I -TTYReset=yes -TTYVHangup=yes -TTYVTDisallocate=yes -KillMode=process -IgnoreSIGPIPE=no -SendSIGHUP=yes - -# Unset locale for the console getty since the console has problems -# displaying some internationalized messages. -Environment=LANG= LANGUAGE= LC_CTYPE= LC_NUMERIC= LC_TIME= LC_COLLATE= LC_MONETARY= LC_MESSAGES= LC_PAPER= LC_NAME= LC_ADDRESS= LC_TELEPHONE= LC_MEASUREMENT= LC_IDENTIFICATION= - -[Install] -WantedBy=getty.target -DefaultInstance=tty1 diff --git a/basic/root/.bashrc b/basic/root/.bashrc deleted file mode 100644 index f572b7d..0000000 --- a/basic/root/.bashrc +++ /dev/null 
@@ -1,25 +0,0 @@ -shopt -s histappend -HISTSIZE=10000 -HISTFILESIZE=20000 -HISTTIMEFORMAT="(%F %T) " -PROMPT_COMMAND="history -a" - -case "$TERM" in -xterm*|rxvt*) - PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\H:\w\a\]$PS1" - ;; -*) - ;; -esac - -eval "`dircolors`" -COLOR="--color=auto" - -if [ -f /etc/bash_completion ]; then - . /etc/bash_completion -fi - -alias ls='ls --color=auto' -alias ll='ls -la --color=auto' -alias l='ls -a --color=auto' -alias grep='grep --color=auto' diff --git a/basic/root/.vimrc b/basic/root/.vimrc deleted file mode 100644 index 15b0c7d..0000000 --- a/basic/root/.vimrc +++ /dev/null @@ -1,2 +0,0 @@ -runtime! defaults.vim -set mouse-=a diff --git a/basic/sbin/issue-gen b/basic/sbin/issue-gen new file mode 100755 index 0000000..981947f --- /dev/null +++ b/basic/sbin/issue-gen @@ -0,0 +1,4 @@ +#!/bin/sh + +export URL=$(ip route get 1 | awk '{print $NF;exit}') +envsubst /etc/issue diff --git a/basic/usr/share/initramfs-tools/scripts/local-top/cryptroot b/basic/usr/share/initramfs-tools/scripts/local-top/cryptroot deleted file mode 100644 index 6eae4f0..0000000 --- a/basic/usr/share/initramfs-tools/scripts/local-top/cryptroot +++ /dev/null 
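Review bot: `awk '{print $NF;exit}'` assumes the source address is the last field of `ip route get 1`, which holds for busybox's `ip` but not for recent iproute2, whose output ends in `uid N` and would set `URL` to `0`; select the field after `src` instead: `export URL=$(ip route get 1 | awk '{for (i = 1; i <= NF; i++) if ($i == "src") { print $(i + 1); exit }}')`. As rendered, `envsubst /etc/issue` passes the path as envsubst's SHELL-FORMAT argument and reads the template from stdin, so unless the redirections were lost in rendering it should read `envsubst < /etc/issue.template > /etc/issue`. Because `URL` is empty when no default route exists, the template's `https://${URL}/` degrades to `https:///`; guard with `[ -n "$URL" ] || exit 0` so an existing banner is not clobbered, and add a top-of-file comment stating that the script is run from inittab before the tty1 getty.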
@@ -1,425 +0,0 @@ -#!/bin/sh - -PREREQ="cryptroot-prepare" - -# -# Standard initramfs preamble -# -prereqs() -{ - # Make sure that cryptroot is run last in local-top - for req in $(dirname $0)/*; do - script=${req##*/} - if [ $script != cryptroot ]; then - echo $script - fi - done -} - -case $1 in -prereqs) - prereqs - exit 0 - ;; -esac - -# source for log_*_msg() functions, see LP: #272301 -. /scripts/functions - -# -# Helper functions -# -message() -{ - if [ -x /bin/plymouth ] && plymouth --ping; then - plymouth message --text="$@" - else - echo "$@" >&2 - fi - return 0 -} - -udev_settle() -{ - # Wait for udev to be ready, see https://launchpad.net/bugs/85640 - if command -v udevadm >/dev/null 2>&1; then - udevadm settle --timeout=30 - elif command -v udevsettle >/dev/null 2>&1; then - udevsettle --timeout=30 - fi - return 0 -} - -parse_options() -{ - local cryptopts - cryptopts="$1" - - if [ -z "$cryptopts" ]; then - return 1 - fi - - # Defaults - cryptcipher=aes-cbc-essiv:sha256 - cryptsize=256 - crypthash=ripemd160 - crypttarget=cryptroot - cryptsource="" - cryptheader="" - cryptlvm="" - cryptkeyscript="" - cryptkey="" # This is only used as an argument to an eventual keyscript - cryptkeyslot="" - crypttries=3 - crypttcrypt="" - cryptveracrypt="" - cryptrootdev="" - cryptdiscard="" - CRYPTTAB_OPTIONS="" - - local IFS=" ," - for x in $cryptopts; do - case $x in - hash=*) - crypthash=${x#hash=} - ;; - size=*) - cryptsize=${x#size=} - ;; - cipher=*) - cryptcipher=${x#cipher=} - ;; - target=*) - crypttarget=${x#target=} - export CRYPTTAB_NAME="$crypttarget" - ;; - source=*) - cryptsource=${x#source=} - if [ ${cryptsource#UUID=} != $cryptsource ]; then - cryptsource="/dev/disk/by-uuid/${cryptsource#UUID=}" - elif [ ${cryptsource#LABEL=} != $cryptsource ]; then - cryptsource="/dev/disk/by-label/$(printf '%s' "${cryptsource#LABEL=}" | sed 's,/,\\x2f,g')" - fi - export CRYPTTAB_SOURCE="$cryptsource" - ;; - header=*) - cryptheader=${x#header=} - if [ ! 
-e "$cryptheader" ] && [ -e "/conf/conf.d/cryptheader/$cryptheader" ]; then - cryptheader="/conf/conf.d/cryptheader/$cryptheader" - fi - export CRYPTTAB_HEADER="$cryptheader" - ;; - lvm=*) - cryptlvm=${x#lvm=} - ;; - keyscript=*) - cryptkeyscript=${x#keyscript=} - ;; - key=*) - if [ "${x#key=}" != "none" ]; then - cryptkey=${x#key=} - fi - export CRYPTTAB_KEY="$cryptkey" - ;; - keyslot=*) - cryptkeyslot=${x#keyslot=} - ;; - tries=*) - crypttries="${x#tries=}" - case "$crypttries" in - *[![:digit:].]*) - crypttries=3 - ;; - esac - ;; - tcrypt) - crypttcrypt="yes" - ;; - veracrypt) - cryptveracrypt="--veracrypt" - ;; - rootdev) - cryptrootdev="yes" - ;; - discard) - cryptdiscard="yes" - ;; - esac - PARAM="${x%=*}" - if [ "$PARAM" = "$x" ]; then - VALUE="yes" - else - VALUE="${x#*=}" - fi - CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS $PARAM" - eval export CRYPTTAB_OPTION_$PARAM="\"$VALUE\"" - done - export CRYPTTAB_OPTIONS - - if [ -z "$cryptsource" ]; then - message "cryptsetup ($crypttarget): source parameter missing" - return 1 - fi - return 0 -} - -activate_vg() -{ - # Sanity checks - if [ ! -x /sbin/lvm ]; then - message "cryptsetup ($crypttarget): lvm is not available" - return 1 - fi - - # Detect and activate available volume groups - /sbin/lvm vgscan >/dev/null 2>&1 - /sbin/lvm vgchange -a y --sysinit >/dev/null 2>&1 - return $? -} - -setup_mapping() -{ - local opts count cryptopen cryptremove NEWROOT - opts="$1" - - if [ -z "$opts" ]; then - return 0 - fi - - parse_options "$opts" || return 1 - - if [ -z "$cryptkeyscript" ]; then - if [ ${cryptsource#/dev/disk/by-uuid/} != $cryptsource ]; then - # UUIDs are not very helpful - diskname="$crypttarget" - else - diskname="$cryptsource ($crypttarget)" - fi - cryptkeyscript="/lib/cryptsetup/askpass" - cryptkey="Please unlock disk $diskname: " - elif ! 
type "$cryptkeyscript" >/dev/null; then - message "cryptsetup ($crypttarget): error - script \"$cryptkeyscript\" missing" - return 1 - fi - - if [ "$cryptkeyscript" = "cat" ] && [ "${cryptkey#/root/}" != "$cryptkey" ]; then - # skip the mapping if the root FS is not mounted yet - sed -rn 's/^\s*[^#]\S*\s+(\S+)\s.*/\1/p' /proc/mounts | grep -Fxq "$rootmnt" || return 1 - # substitute the "/root" prefix by the real root FS mountpoint otherwise - cryptkey="${rootmnt}/${cryptkey#/root/}" - fi - - if [ -n "$cryptheader" ] && ! type "$cryptheader" >/dev/null; then - message "cryptsetup ($crypttarget): error - LUKS header \"$cryptheader\" missing" - return 1 - fi - - # The same target can be specified multiple times - # e.g. root and resume lvs-on-lvm-on-crypto - if [ -e "/dev/mapper/$crypttarget" ]; then - return 0 - fi - - modprobe -q dm_crypt - - # Make sure the cryptsource device is available - if [ ! -e $cryptsource ]; then - activate_vg - fi - - # If the encrypted source device hasn't shown up yet, give it a - # little while to deal with removable devices - - # the following lines below have been taken from - # /usr/share/initramfs-tools/scripts/local, as suggested per - # https://launchpad.net/bugs/164044 - if [ ! -e "$cryptsource" ]; then - log_begin_msg "Waiting for encrypted source device..." - - # Default delay is 180s - if [ -z "${ROOTDELAY}" ]; then - slumber=180 - else - slumber=${ROOTDELAY} - fi - - slumber=$(( ${slumber} * 10 )) - while [ ! -e "$cryptsource" ]; do - # retry for LVM devices every 10 seconds - if [ ${slumber} -eq $(( ${slumber}/100*100 )) ]; then - activate_vg - fi - - /bin/sleep 0.1 - slumber=$(( ${slumber} - 1 )) - [ ${slumber} -gt 0 ] || break - done - - if [ ${slumber} -gt 0 ]; then - log_end_msg 0 - else - log_end_msg 1 || true - fi - fi - udev_settle - - # We've given up, but we'll let the user fix matters if they can - if [ ! -e "${cryptsource}" ]; then - - echo " ALERT! ${cryptsource} does not exist." 
- echo " Check cryptopts=source= bootarg: cat /proc/cmdline" - echo " or missing modules, devices: cat /proc/modules; ls /dev" - panic -r "Dropping to a shell. Will skip ${cryptsource} if you can't fix." - fi - - if [ ! -e "${cryptsource}" ]; then - return 1 - fi - - - # Prepare commands - cryptopen="/sbin/cryptsetup -T 1" - if [ "$cryptdiscard" = "yes" ]; then - cryptopen="$cryptopen --allow-discards" - fi - if [ -n "$cryptheader" ]; then - cryptopen="$cryptopen --header=$cryptheader" - fi - if [ -n "$cryptkeyslot" ]; then - cryptopen="$cryptopen --key-slot=$cryptkeyslot" - fi - if /sbin/cryptsetup isLuks ${cryptheader:-$cryptsource} >/dev/null 2>&1; then - cryptopen="$cryptopen open --type luks $cryptsource $crypttarget --key-file=-" - elif [ "$crypttcrypt" = "yes" ]; then - cryptopen="$cryptopen open --type tcrypt $cryptveracrypt $cryptsource $crypttarget" - else - cryptopen="$cryptopen -c $cryptcipher -s $cryptsize -h $crypthash open --type plain $cryptsource $crypttarget --key-file=-" - fi - cryptremove="/sbin/cryptsetup remove $crypttarget" - NEWROOT="/dev/mapper/$crypttarget" - - # Try to get a satisfactory password $crypttries times - count=0 - while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do - export CRYPTTAB_TRIED="$count" - count=$(( $count + 1 )) - - if [ ! -e "$NEWROOT" ]; then - if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \ - $cryptkeyscript "$cryptkey" | $cryptopen; then - message "cryptsetup ($crypttarget): cryptsetup failed, bad password or options?" - continue - fi - fi - - if [ ! 
-e "$NEWROOT" ]; then - message "cryptsetup ($crypttarget): unknown error setting up device mapping" - return 1 - fi - - #FSTYPE='' - #eval $(fstype < "$NEWROOT") - FSTYPE="$(/sbin/blkid -s TYPE -o value "$NEWROOT")" - - # See if we need to setup lvm on the crypto device - #if [ "$FSTYPE" = "lvm" ] || [ "$FSTYPE" = "lvm2" ]; then - if [ "$FSTYPE" = "LVM_member" ] || [ "$FSTYPE" = "LVM2_member" ]; then - if [ -z "$cryptlvm" ]; then - message "cryptsetup ($crypttarget): lvm fs found but no lvm configured" - return 1 - elif ! activate_vg; then - # disable error message, LP: #151532 - #message "cryptsetup ($crypttarget): failed to setup lvm device" - return 1 - fi - - # Apparently ROOT is already set in /conf/param.conf for - # flashed kernels at least. See bugreport #759720. - if [ -f /conf/param.conf ] && grep -q "^ROOT=" /conf/param.conf; then - NEWROOT=$(sed -n 's/^ROOT=//p' /conf/param.conf) - else - NEWROOT=${cmdline_root:-/dev/mapper/$cryptlvm} - if [ "$cryptrootdev" = "yes" ]; then - # required for lilo to find the root device - echo "ROOT=$NEWROOT" >>/conf/param.conf - fi - fi - #eval $(fstype < "$NEWROOT") - FSTYPE="$(/sbin/blkid -s TYPE -o value "$NEWROOT")" - fi - - #if [ -z "$FSTYPE" ] || [ "$FSTYPE" = "unknown" ]; then - if [ -z "$FSTYPE" ]; then - message "cryptsetup ($crypttarget): unknown fstype, bad password or options?" - udev_settle - $cryptremove - continue - fi - - # decrease $count by 1, apparently last try was successful. - count=$(( $count - 1 )) - - message "cryptsetup ($crypttarget): set up successfully" - break - done - - failsleep=60 # make configurable later? - - if [ "$cryptrootdev" = "yes" ] && [ $crypttries -gt 0 ] && [ $count -ge $crypttries ]; then - message "cryptsetup ($crypttarget): maximum number of tries exceeded" - message "cryptsetup: going to sleep for $failsleep seconds..." - sleep $failsleep - exit 1 - fi - - udev_settle - return 0 -} - -# -# Begin real processing -# - -# Do we have any kernel boot arguments? 
-cmdline_cryptopts='' -unset cmdline_root -for opt in $(cat /proc/cmdline); do - case $opt in - cryptopts=*) - opt="${opt#cryptopts=}" - if [ -n "$opt" ]; then - if [ -n "$cmdline_cryptopts" ]; then - cmdline_cryptopts="$cmdline_cryptopts $opt" - else - cmdline_cryptopts="$opt" - fi - fi - ;; - root=*) - opt="${opt#root=}" - case $opt in - /*) # Absolute path given. Not lilo major/minor number. - cmdline_root=$opt - ;; - *) # lilo major/minor number (See #398957). Ignore - esac - ;; - esac -done - -if [ -n "$cmdline_cryptopts" ]; then - # Call setup_mapping separately for each possible cryptopts= setting - for cryptopt in $cmdline_cryptopts; do - setup_mapping "$cryptopt" - done - exit 0 -fi - -# Do we have any settings from the /conf/conf.d/cryptroot file? -if [ -r /conf/conf.d/cryptroot ]; then - while read mapping <&3; do - setup_mapping "$mapping" 3<&- - done 3< /conf/conf.d/cryptroot -fi - -exit 0 diff --git a/basic/usr/share/initramfs-tools/scripts/local-top/lvm2 b/basic/usr/share/initramfs-tools/scripts/local-top/lvm2 deleted file mode 100644 index 33fa987..0000000 --- a/basic/usr/share/initramfs-tools/scripts/local-top/lvm2 +++ /dev/null 
@@ -1,65 +0,0 @@
-#!/bin/sh
-
-PREREQ="mdadm mdrun multipath"
-
-prereqs()
-{
- echo "$PREREQ"
-}
-
-case $1 in
-# get pre-requisites
-prereqs)
- prereqs
- exit 0
- ;;
-esac
-
-if [ ! -e /sbin/lvm ]; then
- exit 0
-fi
-
-lvchange_activate() {
- lvm lvchange -aay -y --sysinit --ignoreskippedcluster "$@" >/dev/null 2>&1
-}
-
-activate() {
- local dev="$1"
-
- # Make sure that we have a non-empty argument
- if [ -z "$dev" ]; then
- return 1
- fi
-
- case "$dev" in
- # Take care of lilo boot arg, risky activating of all vg
- fe[0-9]*)
- lvchange_activate
- exit 0
- ;;
- # FIXME: check major
- /dev/root)
- lvchange_activate
- exit 0
- ;;
-
- /dev/mapper/*)
- eval $(dmsetup splitname --nameprefixes --noheadings --rows "${dev#/dev/mapper/}")
- if [ "$DM_VG_NAME" ] && [ "$DM_LV_NAME" ]; then
- lvchange_activate "$DM_VG_NAME/$DM_LV_NAME"
- fi
- ;;
-
- /dev/*/*)
- # Could be /dev/VG/LV; use lvs to check
- if lvm lvs -- "$dev" >/dev/null 2>&1; then
- lvchange_activate "$dev"
- fi
- ;;
- esac
-}
-
-activate "$ROOT"
-activate "$resume"
-
-exit 0