diff options
Diffstat (limited to 'tdf-postinst-udeb')
-rw-r--r-- | tdf-postinst-udeb/debian/changelog | 5 | ||||
-rw-r--r-- | tdf-postinst-udeb/debian/compat | 1 | ||||
-rw-r--r-- | tdf-postinst-udeb/debian/control | 11 | ||||
-rw-r--r-- | tdf-postinst-udeb/debian/copyright | 15 | ||||
-rw-r--r-- | tdf-postinst-udeb/debian/install | 1 | ||||
-rwxr-xr-x | tdf-postinst-udeb/debian/rules | 4 | ||||
-rw-r--r-- | tdf-postinst-udeb/debian/templates | 9 | ||||
-rwxr-xr-x | tdf-postinst-udeb/finish-install.d/07tdf-postinst | 115 |
8 files changed, 161 insertions, 0 deletions
diff --git a/tdf-postinst-udeb/debian/changelog b/tdf-postinst-udeb/debian/changelog new file mode 100644 index 0000000..41eb167 --- /dev/null +++ b/tdf-postinst-udeb/debian/changelog @@ -0,0 +1,5 @@ +tdf-postinst-udeb (0.1) unstable; urgency=low + + * Initial release. + + -- Guilhem Moulin <guilhem@libreoffice.org> Tue, 18 Oct 2016 19:23:23 +0200 diff --git a/tdf-postinst-udeb/debian/compat b/tdf-postinst-udeb/debian/compat new file mode 100644 index 0000000..ec63514 --- /dev/null +++ b/tdf-postinst-udeb/debian/compat @@ -0,0 +1 @@ +9 diff --git a/tdf-postinst-udeb/debian/control b/tdf-postinst-udeb/debian/control new file mode 100644 index 0000000..2b1ff24 --- /dev/null +++ b/tdf-postinst-udeb/debian/control @@ -0,0 +1,11 @@ +Source: tdf-postinst-udeb +Section: debian-installer +Priority: optional +Maintainer: Guilhem Moulin <guilhem@libreoffice.org> +Build-Depends: debhelper (>= 9) + +Package: tdf-postinst-udeb +XC-Package-Type: udeb +Architecture: all +Depends: ${misc:Depends} +Description: Postinstall hook for TDF VMs setup diff --git a/tdf-postinst-udeb/debian/copyright b/tdf-postinst-udeb/debian/copyright new file mode 100644 index 0000000..409a651 --- /dev/null +++ b/tdf-postinst-udeb/debian/copyright @@ -0,0 +1,15 @@ +Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Source: native package + +Files: * +Copyright: © 2016 The Document Foundation <hostmaster@documentfoundation.org> +License: GPL-3+ + +License: GPL-3+ + This package is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by the + Free Software Foundation; either version 3 of the License, or (at your + option) any later version. + . + On Debian systems, the complete text of the GNU General Public License + version 3 can be found in file "/usr/share/common-licenses/GPL-3". diff --git a/tdf-postinst-udeb/debian/install b/tdf-postinst-udeb/debian/install new file mode 100644 index 0000000..d477454 --- /dev/null +++ b/tdf-postinst-udeb/debian/install @@ -0,0 +1 @@ +finish-install.d/* /usr/lib/finish-install.d diff --git a/tdf-postinst-udeb/debian/rules b/tdf-postinst-udeb/debian/rules new file mode 100755 index 0000000..2d33f6a --- /dev/null +++ b/tdf-postinst-udeb/debian/rules @@ -0,0 +1,4 @@ +#!/usr/bin/make -f + +%: + dh $@ diff --git a/tdf-postinst-udeb/debian/templates b/tdf-postinst-udeb/debian/templates new file mode 100644 index 0000000..e56a68a --- /dev/null +++ b/tdf-postinst-udeb/debian/templates @@ -0,0 +1,9 @@ +Template: tdf-postinst/salt_master +Type: text +Description: Hostname or ipv4 of the Salt master + +Template: tdf-postinst/salt_master_fingerprint +Type: text +Description: Salt master fingerprint + Fingerprint of the master public key to validate the identity of + the Salt master before the initial key exchange diff --git a/tdf-postinst-udeb/finish-install.d/07tdf-postinst b/tdf-postinst-udeb/finish-install.d/07tdf-postinst new file mode 100755 index 0000000..3b92d76 --- /dev/null +++ b/tdf-postinst-udeb/finish-install.d/07tdf-postinst @@ -0,0 +1,115 @@ +#!/bin/sh +set -e + +. /usr/share/debconf/confmodule || true + +in-target modprobe 9pnet_virtio || true +in-target modprobe 9p || true + +virtfs="$(mktemp -d)" +mount -t 9p -o trans=virtio,version=9p2000.L virtfs "$virtfs" || true +trap 'umount "$virtfs"; rmdir "$virtfs"' EXIT TERM INT + + +####################################################################### +# Configuration SSHd + +if [ -d /target/etc/ssh ]; then + in-target find /etc/ssh -maxdepth 1 -type f -a \ + \( -name "ssh_host_*_key" -o -name "ssh_host_*_key.pub" \) \ + -delete + in-target ssh-keygen -b 4096 -t rsa -N '' -C /etc/ssh/ssh_host_rsa_key -f /etc/ssh/ssh_host_rsa_key + in-target ssh-keygen -t ed25519 -N '' -C /etc/ssh/ssh_host_ed25519_key -f /etc/ssh/ssh_host_ed25519_key + for pk in $(find /target/etc/ssh -maxdepth 1 -type f -name "ssh_host_*_key.pub"); do + cp -f "$pk" "$virtfs" + done + + cat >/target/etc/ssh/sshd_config <<- EOF + # What ports, IPs and protocols we listen for + Port 22 + # Use these options to restrict which interfaces/protocols sshd will + # bind to + #ListenAddress :: + #ListenAddress 0.0.0.0 + Protocol 2 + # HostKeys for protocol version 2 + HostKey /etc/ssh/ssh_host_rsa_key + HostKey /etc/ssh/ssh_host_ed25519_key + #Privilege Separation is turned on for security + UsePrivilegeSeparation yes + + # Logging + SyslogFacility AUTH + LogLevel INFO + + # Authentication: + LoginGraceTime 120 + PermitRootLogin without-password + StrictModes yes + + PubkeyAuthentication yes + #AuthorizedKeysFile %h/.ssh/authorized_keys + + # Change to yes to enable challenge-response passwords (beware issues + # with + # some PAM modules and threads) + ChallengeResponseAuthentication no + + # Change to no to disable tunnelled clear text passwords + PasswordAuthentication no + + X11Forwarding no + PrintMotd no + PrintLastLog yes + TCPKeepAlive yes + + # Allow client to pass locale environment variables + AcceptEnv LANG LC_* + + Subsystem sftp /usr/lib/openssh/sftp-server + EOF + + if [ -f "/cdrom/authorized_keys" ]; then + authorized_keys="$(mktemp -p "/target/tmp")" + cat /cdrom/authorized_keys >"$authorized_keys" + authorized_keys="${authorized_keys#/target}" + if db_get passwd/username && [ "$RET" ]; then + username="$RET" + else + username="root" + fi + in-target sh -c " + install -m0700 -o $username -g $username --directory ~$username/.ssh + install -m0600 -o $username -g $username $authorized_keys ~$username/.ssh/authorized_keys + " + fi +fi + + +####################################################################### +# Configure salt-minion + +if [ -d /target/etc/salt ]; then + in-target sh -c ' + pkidir="/etc/salt/pki/minion" + mkdir -p -m0700 "$pkidir" + + install -m0400 /dev/null "$pkidir/minion.pem" + openssl genrsa -rand /dev/urandom -f4 4096 >"$pkidir/minion.pem" + + install -m0644 /dev/null "$pkidir/minion.pub" + openssl pkey -pubout <"$pkidir/minion.pem" >"$pkidir/minion.pub" + + mkdir -p /etc/salt/minion.d + install -m0644 /dev/null /etc/salt/minion.d/999user.conf + ' + if db_get tdf-postinst/salt_master && [ "$RET" ]; then + echo "master: $RET" >>/target/etc/salt/minion.d/999user.conf + fi + if db_get tdf-postinst/salt_master_fingerprint && [ "$RET" ]; then + echo "master_finger: '$RET'" >>/target/etc/salt/minion.d/999user.conf + fi + echo "id: $(hostname).documentfoundation.org" >>/target/etc/salt/minion.d/999user.conf + + cp /target/etc/salt/pki/minion/minion.pub "$virtfs" +fi |