Diffstat (limited to 'tdf-postinst-udeb/finish-install.d/07tdf-postinst')
-rwxr-xr-x | tdf-postinst-udeb/finish-install.d/07tdf-postinst | 115 |
1 files changed, 115 insertions, 0 deletions
diff --git a/tdf-postinst-udeb/finish-install.d/07tdf-postinst b/tdf-postinst-udeb/finish-install.d/07tdf-postinst
new file mode 100755
index 0000000..3b92d76
--- /dev/null
+++ b/tdf-postinst-udeb/finish-install.d/07tdf-postinst
@@ -0,0 +1,115 @@
+#!/bin/sh
+set -e
+
+. /usr/share/debconf/confmodule || true
+
+in-target modprobe 9pnet_virtio || true
+in-target modprobe 9p || true
+
+virtfs="$(mktemp -d)"
+mount -t 9p -o trans=virtio,version=9p2000.L virtfs "$virtfs" || true
+trap 'umount "$virtfs"; rmdir "$virtfs"' EXIT TERM INT
+
+
+#######################################################################
+# Configuration SSHd
+
+if [ -d /target/etc/ssh ]; then
+ in-target find /etc/ssh -maxdepth 1 -type f -a \
+ \( -name "ssh_host_*_key" -o -name "ssh_host_*_key.pub" \) \
+ -delete
+ in-target ssh-keygen -b 4096 -t rsa -N '' -C /etc/ssh/ssh_host_rsa_key -f /etc/ssh/ssh_host_rsa_key
+ in-target ssh-keygen -t ed25519 -N '' -C /etc/ssh/ssh_host_ed25519_key -f /etc/ssh/ssh_host_ed25519_key
+ for pk in $(find /target/etc/ssh -maxdepth 1 -type f -name "ssh_host_*_key.pub"); do
+ cp -f "$pk" "$virtfs"
+ done
+
+ cat >/target/etc/ssh/sshd_config <<- EOF
+ # What ports, IPs and protocols we listen for
+ Port 22
+ # Use these options to restrict which interfaces/protocols sshd will
+ # bind to
+ #ListenAddress ::
+ #ListenAddress 0.0.0.0
+ Protocol 2
+ # HostKeys for protocol version 2
+ HostKey /etc/ssh/ssh_host_rsa_key
+ HostKey /etc/ssh/ssh_host_ed25519_key
+ #Privilege Separation is turned on for security
+ UsePrivilegeSeparation yes
+
+ # Logging
+ SyslogFacility AUTH
+ LogLevel INFO
+
+ # Authentication:
+ LoginGraceTime 120
+ PermitRootLogin without-password
+ StrictModes yes
+
+ PubkeyAuthentication yes
+ #AuthorizedKeysFile %h/.ssh/authorized_keys
+
+ # Change to yes to enable challenge-response passwords (beware issues
+ # with
+ # some PAM modules and threads)
+ ChallengeResponseAuthentication no
+
+ # Change to no to disable tunnelled clear text passwords
+ PasswordAuthentication no
+
+ X11Forwarding no
+ PrintMotd no
+ PrintLastLog yes
+ TCPKeepAlive yes
+
+ # Allow client to pass locale environment variables
+ AcceptEnv LANG LC_*
+
+ Subsystem sftp /usr/lib/openssh/sftp-server
+ EOF
+ 
+ if [ -f "/cdrom/authorized_keys" ]; then
+ authorized_keys="$(mktemp -p "/target/tmp")"
+ cat /cdrom/authorized_keys >"$authorized_keys"
+ authorized_keys="${authorized_keys#/target}"
+ if db_get passwd/username && [ "$RET" ]; then
+ username="$RET"
+ else
+ username="root"
+ fi
+ in-target sh -c "
+ install -m0700 -o $username -g $username --directory ~$username/.ssh
+ install -m0600 -o $username -g $username $authorized_keys ~$username/.ssh/authorized_keys
+ "
+ fi
+fi
+
+
+#######################################################################
+# Configure salt-minion
+
+if [ -d /target/etc/salt ]; then
+ in-target sh -c '
+ pkidir="/etc/salt/pki/minion"
+ mkdir -p -m0700 "$pkidir"
+
+ install -m0400 /dev/null "$pkidir/minion.pem"
+ openssl genrsa -rand /dev/urandom -f4 4096 >"$pkidir/minion.pem"
+
+ install -m0644 /dev/null "$pkidir/minion.pub"
+ openssl pkey -pubout <"$pkidir/minion.pem" >"$pkidir/minion.pub"
+
+ mkdir -p /etc/salt/minion.d
+ install -m0644 /dev/null /etc/salt/minion.d/999user.conf
+ '
+ if db_get tdf-postinst/salt_master && [ "$RET" ]; then
+ echo "master: $RET" >>/target/etc/salt/minion.d/999user.conf
+ fi
+ if db_get tdf-postinst/salt_master_fingerprint && [ "$RET" ]; then
+ echo "master_finger: '$RET'" >>/target/etc/salt/minion.d/999user.conf
+ fi
+ echo "id: $(hostname).documentfoundation.org" >>/target/etc/salt/minion.d/999user.conf
+
+ cp /target/etc/salt/pki/minion/minion.pub "$virtfs"
+fi |
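Review bot: In the /cdrom/authorized_keys block, `$username` (taken from debconf `passwd/username`) and `$authorized_keys` are spliced as text into the double-quoted script given to `in-target sh -c "..."`, so the target shell re-parses them; a username containing whitespace or shell metacharacters is interpreted as command text rather than as one argument, and `-g $username` additionally assumes the primary group carries the same name as the user. Passing both values as positional parameters to a single-quoted script, and resolving the home directory with `getent` instead of relying on `~$username` tilde expansion, removes that re-parsing step; this assumes `in-target` forwards its arguments unchanged and that `getent`/`id` are present in the target, which is not visible here. The file created by `mktemp -p "/target/tmp"` is also never removed after `install` copies it, so the installed system keeps a stray copy in /tmp; an `rm -f -- "/target$authorized_keys"` after the `in-target` call closes that. The salt-minion section writes the unvalidated debconf value `$RET` straight into YAML via `echo "master: $RET"`, which is the same unchecked-input shape, though there it is only data, not executed.
```shell
    in-target sh -c '
      user="$1"; keys="$2"
      home="$(getent passwd "$user" | cut -d: -f6)"
      [ -n "$home" ] || exit 1
      group="$(id -gn "$user")"
      install -m0700 -o "$user" -g "$group" --directory "$home/.ssh"
      install -m0600 -o "$user" -g "$group" "$keys" "$home/.ssh/authorized_keys"
    ' sh "$username" "$authorized_keys"
    rm -f -- "/target$authorized_keys"
```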