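# Kickstart file automatically generated by anaconda.
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user
#
# Layout: the static directives below pull in fragments (/tmp/*-include)
# that the %pre script further down generates from the installer
# environment (kernel command line, DMI vendor, network, disks).
#version=DEVEL
graphical
#text --non-interactive

%anaconda
pwpolicy root --minlen=8 --minquality=1 --notstrict --nochanges --notempty
pwpolicy user --minlen=8 --minquality=1 --notstrict --nochanges --notempty
pwpolicy luks --minlen=8 --minquality=1 --notstrict --nochanges --notempty
%end

# Repositories (written by %pre)
%include /tmp/repo-include

# Language and keymap
keyboard --vckeymap=fr-latin9 --xlayouts='fr (latin9)'
lang fr_FR.UTF-8
timezone Europe/Paris --isUtc

# Skip EULA
eula --agreed

# Run the Setup Agent on first boot
firstboot --disabled
#unsupported_hardware

# Installation logging level
logging --level=debug

# Network (written by %pre from the installer's live configuration)
#network --onboot yes --device eth0 --bootproto static --ip 88.190.41.95 --netmask 255.255.255.0 --gateway 88.190.41.1 --noipv6 --nameserver 88.191.254.70,88.191.254.60 --hostname max.reslinger.net
#network --onboot no --device eth1 --bootproto dhcp --noipv6
%include /tmp/network-include

# Authentication and security
# NOTE(review): the options on the next line are the legacy authconfig
# ("auth") syntax; the RHEL 8 `authselect` kickstart command takes an
# authselect profile (see the commented forms below). Confirm the installer
# accepts this line rather than ignoring the password-quality settings.
authselect --enableshadow --passalgo=sha512 --passminlen=10 --passmaxrepeat=2 --passminclass=4 --enablereqlower --enablerequpper --enablereqdigit --enablereqother
#authselect select sssd with-ecryptfs
#authselect select sssd

# Add --lock to lock the root account outright.
rootpw --iscrypted $6$h2g0.aIuG34zJ7U8$Nq0eFxAd7Vw1aabcJqONiS1yqkjpnk.4rAn8SkaTHRtSFljllmrtQOiiC9NKImNhvDGwltOMlhPsDuiQ1Ydol1
firewall --service=ssh
selinux --enforcing
user --groups=wheel --homedir=/home/adrien --name=adrien --uid=1000 --gid=1000 --password=$6$2/XYIHJ8zfgFPaJD$0eyYczGoQ5CnhT88I9brCiwr2fM23mY0Ai19XbON.NI1V/xQC1dnfw65PdYGoVrSmVerVvSFILYWhoLucwfia/ --iscrypted --gecos="Adrien Reslinger"
# NOTE(review): no --iscrypted on the backup user, so anaconda treats the
# "$1$..." string as the literal plaintext password. If a hash was intended,
# add --iscrypted and prefer a $6$ (sha512-crypt) hash over $1$ (md5-crypt).
user --homedir=/home/backup --name=backup --uid=999 --gid=999 --password=$1$L12EcXxr$vsm7y2F6Z1NzlWF3CPhwk/
#group --name=name [--gid=gid]
sshkey --username=adrien "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKu3KHZzK2Q3Q7SAENONA9796WCjouo3442Du1A/QpXf adrien@Jupiter"
sshkey --username=root "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKu3KHZzK2Q3Q7SAENONA9796WCjouo3442Du1A/QpXf adrien@Jupiter"
#sshkey --username=backup "ssh-rsa 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 root@max.reslinger.net"

# System services
services --enabled=chronyd,sshd,rngd

# Remote access to the running installer (root over ssh, same hash as rootpw;
# the %pre script also installs authorized_keys for it).
sshpw --username=root --iscrypted $6$h2g0.aIuG34zJ7U8$Nq0eFxAd7Vw1aabcJqONiS1yqkjpnk.4rAn8SkaTHRtSFljllmrtQOiiC9NKImNhvDGwltOMlhPsDuiQ1Ydol1

# Bootloader (written by %pre)
%include /tmp/grub-include

# Partitioning (written by %pre)
%include /tmp/part-include

#module --name=NAME [--stream=STREAM]
# Package list (written by %pre)
%include /tmp/packages-include

#xconfig [--startxonboot] #--defaultdesktop=???
# Distribution-specific directives (written by %pre)
%include /tmp/distrib-include

#%addon com_redhat_kdump --enable --reserve-mb='auto' # or 128
%addon com_redhat_kdump --disable
%end

# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/system_design_guide/kickstart-commands-and-options-reference_system-design-guide#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
#%addon org_fedora_oscap
# content-type = scap-security-guide
# profile = pci-dss
#%end

# Reboot once the installation is finished
reboot

#######################################################################
#######################################################################
# PRE
#######################################################################
#######################################################################
%pre
# Pre-installation script. It writes the kickstart fragments included above:
#   /tmp/network-include  static network line, when ip=<addr> was given at boot
#   /tmp/distrib-include  RHEL-only syspurpose/rhsm lines
#   /tmp/repo-include     url/repo lines chosen by distribution and $ARCH
#   /tmp/part-include     clearpart/part/raid/volgroup/logvol lines
#   /tmp/grub-include     bootloader line (see NOTE in that section)
#   /tmp/packages-include %packages section
# Boot options recognised on /proc/cmdline: nouefi, crypt, nocrypt, nopkg,
# desktop, lvmraid, nolvmraid, reinstall, offline, nopart.
# The script relies on bash features ([[ ]], arrays, (( )) ); anaconda runs
# %pre with /bin/sh, which is bash on EL8 — TODO confirm, or add
# --interpreter=/bin/bash to the %pre line.

source /etc/os-release

#######################################
# Test whether a boot option is present as a whole word on the kernel
# command line.
# Arguments: $1 - option name (extended regex, e.g. "nouefi")
# Returns:   0 if present, 1 otherwise
#######################################
has_bootopt() {
  grep -E -q -- '(^|\s)'"$1"'($|\s)' /proc/cmdline
}

# SSH public keys for root inside the installer environment (pairs with the
# sshpw directive above).
mkdir -m 700 /root/.ssh
printf '%s\n' \
  "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyuDkpjZEF21cqoynQXkChSFRspyDm4QKsioHCo3EHkGeSrFYbLoa6IMF9YHesWOI4nCWu/iM64rIdFtu5O/SJXTRpzJcnCrSLrmreiUbe37KFJ5Dp23B3Q6a5KxZTgMiHRDbojU/COC7fDJLsh+u68FViPodifN0jt1S4IGmquZgohvY4OOJgRU1obluW+vV6SPDaB7BcJOuU/fKynIq3DwYbqvkZGnnZpg8qfnbGwwIqnha8LCtMvpP1g7TggE0m2AMJQvHYddZRhC9cpX9uxm5OWDTslXUbNqcAT5BWKS84VLn+aYLZBFI/K7/0Lw8W+djZlVjTXlh9eliFHvRkQ== adrien@Adrien" \
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKu3KHZzK2Q3Q7SAENONA9796WCjouo3442Du1A/QpXf adrien@Jupiter" \
  > /root/.ssh/authorized_keys

if [ -z "${ARCH}" ]; then
  ARCH="$(uname -m | sed 's|i.86|i386|')"
fi

# Detect the platform (bare metal vendor or hypervisor) from DMI.
#MACHINE="$(dmidecode -s system-manufacturer| cut -f 1 -d "," |cut -f 1 -d " ")"
#MACHINE="$(dmidecode -s system-manufacturer)"
MACHINE="$(cat /sys/class/dmi/id/sys_vendor)"
# SERIAL/SERIALNB select the serial console added to the kernel command line;
# HDDCRYPT enables LUKS on the LVM physical volume(s).
case "$MACHINE" in
  "Supermicro")
    SERIAL=true
    SERIALNB=2
    HDDCRYPT=true
    ;;
  "Red Hat"|QEMU|"OpenStack Foundation")
    SERIAL=true
    SERIALNB=0
    HDDCRYPT=true
    ;;
  "Microsoft Corporation")
    SERIAL=true
    SERIALNB=0
    HDDCRYPT=true
    ;;
  "Dell Inc.")
    SERIAL=true
    SERIALNB=0
    HDDCRYPT=true
    ;;
  "Xen")
    SERIAL=false
    HDDCRYPT=true
    ;;
  "Google")
    SERIAL=true
    SERIALNB=0
    HDDCRYPT=true
    ;;
  "DigitalOcean")
    SERIAL=true
    SERIALNB=0
    HDDCRYPT=true
    ;;
  *)
    SERIAL=false
    HDDCRYPT=true
    ;;
esac

# Boot-option overrides.
if has_bootopt nouefi; then
  UEFI=false
elif [ -d /sys/firmware/efi ]; then
  UEFI=true
else
  UEFI=false
fi
if has_bootopt crypt; then
  HDDCRYPT=true
fi
if has_bootopt nocrypt; then
  HDDCRYPT=false
fi
# PKG defaults to true so "$PKG || ..." below is well-defined even without
# the nopkg option.
PKG=true
if has_bootopt nopkg; then
  PKG=false
fi
if has_bootopt desktop; then
  DESKTOP=true
else
  DESKTOP=false
fi
if has_bootopt lvmraid; then
  LVMRAID=true
elif has_bootopt nolvmraid; then
  LVMRAID=false
else
  LVMRAID=true
fi
if has_bootopt reinstall; then
  REINSTALL=true
else
  REINSTALL=false
fi

#######################################################################
# Collect the installer's network configuration
#######################################################################
IF="$(ip route show | grep '^default' | sed 's/.* dev \([^ ]*\) *.*/\1/' | sort -u)"
IP="$(ip addr show "$IF" | grep 'inet ' | awk '{print $2}' | cut -d/ -f1)"
PREFIX="$(ip addr show "$IF" | grep 'inet ' | awk '{print $2}' | cut -d/ -f2)"
#MASK="$(ipcalc -m $IP/$PREFIX | cut -d= -f2)"
MASK="$(ifconfig "$IF" | grep -F -- "$IP" | awk '{print $4}')"
GW="$(ip route show | grep '^default' | sed 's/.* via \([^ ]*\) *.*/\1/' | sort -u)"
MAC="$(ip addr show "$IF" | grep 'ether ' | awk '{print $2}' | cut -d/ -f2 | tr '[:upper:]' '[:lower:]')"
DNS="$(grep nameserver /etc/resolv.conf | grep -v 127.0.0.1 | awk '{printf "%s,", $2}' | sed 's/,$//')"
#if [ $(sed 's/ /\n/g' /proc/cmdline | grep -c ip=) -gt 1 ]; then
#  HOSTNAME="$(sed 's/ /\n/g' /proc/cmdline | grep ip= | cut -d: -f5)"
#else
#  HOSTNAME="$(curl --silent http://169.254.169.254/2009-04-04/meta-data/hostname | cut -f1 -d.)"
#fi
# Only when the installer was booted with a static ip=<current address>...
# option does the installed system get a static network line; the hostname is
# the 5th ':'-separated field of that ip= option. The device is hard-coded to
# eth0 because the bootloader section disables predictable interface names.
if grep -E -q -- '\sip='"$IP" /proc/cmdline; then
  HOSTNAME="$(sed 's/ /\n/g' /proc/cmdline | grep ip= | cut -d: -f5)"
  echo "network --onboot yes --device eth0 --bootproto static --ip $IP --netmask $MASK --gateway $GW --nameserver $DNS --hostname $HOSTNAME" > /tmp/network-include
  #network --onboot no --device eth1 --bootproto dhcp --noipv6
  # curl --silent http://169.254.169.254/2009-04-04/meta-data/hostname | cut -f1 -d.
  # curl --silent http://169.254.169.254/2009-04-04/meta-data/local-ipv4
  # curl --silent http://169.254.169.254/2009-04-04/meta-data/public-ipv4
fi
# %include needs the file to exist even when nothing was written.
[ -f /tmp/network-include ] || touch /tmp/network-include

#######################################################################
# Entropy improvement
#######################################################################
#dd if=/dev/random of=/dev/urandom bs=1M count=2

#######################################################################
# Distribution-specific configuration
#######################################################################
if [[ "$NAME" == "Red Hat Enterprise Linux" ]]; then
  cat > /tmp/distrib-include << 'EOF'
# role: Red Hat Enterprise Linux Server, Red Hat Enterprise Linux Workstation, Red Hat Enterprise Linux Compute Node
# sla: Self-Support, Standard, Premium
# usage: Production, Disaster Recovery, Development/Test
syspurpose --sla="Self-Support" --role="Red Hat Enterprise Linux Server" --usage="Production"
rhsm --activation-key=KickStart --organization=5544988
EOF
else
  touch /tmp/distrib-include
fi

#######################################################################
# Repository configuration (no spaces in repo names)
#######################################################################
# Every REPO_* flag is initialised here, including in the offline case, so the
# package section below never tests an unset (and therefore truthy) variable.
REPO_EPEL=false
REPO_ELREPO=false
REPO_RPMFORGE=false
REPO_RPMFUSION=false
REPO_NUXDEXTOP=false
REPO_TOR=false
REPO_CRYPTSSH=false
REPO_FORENSICS=false
REPO_DIGITALOCEAN=false
if ! has_bootopt offline; then
  # if [ "$(domainname -d)" = "Saacy.Reslinger.net" ]; then
  ## if [ true ]; then
  #   #echo "url --url=http://repos.reslinger.net/CentOS7/$ARCH/os/" >> /tmp/repo-include
  #   echo "url --url=http://repos.reslinger.net/CentOS7/$ARCH/os/" >> /tmp/repo-include
  #   echo "repo --name=\"CentOS-7-Base\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/os/ --cost=200" >> /tmp/repo-include
  #   echo "repo --name=\"CentOS-7-Update\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/updates/ --cost=100" >> /tmp/repo-include
  #   case "$ARCH" in
  #     x86_64)
  #       echo "repo --name=\"CentOS-7-CentOSPlus\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/centosplus/ --cost=200" >> /tmp/repo-include
  #       echo "repo --name=\"CentOS-7-Extras\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/extras/ --cost=200" >> /tmp/repo-include
  #       echo "repo --name=\"EPEL-7\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/epel/" --cost=300 >> /tmp/repo-include
  #       #echo "repo --name=\"ELrepo-7\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/elrepo/" --cost=400 >> /tmp/repo-include
  #       # nvidia drivers are problematic with kernel-ml and dracut
  #       #echo "repo --name=\"ELrepo-7-kernel\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/elrepo-kernel/" --cost=400 >> /tmp/repo-include
  #       #echo "repo --name=\"ELrepo-7-extras\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/elrepo-extras/" --cost=400 >> /tmp/repo-include
  #       echo "repo --name=\"RPM-Forge\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/rpmforge/" --cost=400 >> /tmp/repo-include
  #       echo "repo --name=\"NUX-Dextop\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/nux-dextop/" --cost=500 >> /tmp/repo-include
  #       # "repo --name=\"Tor-EL7\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/tor/" --cost 600 >> /tmp/repo-include
  #       echo "repo --name=\"rbu-dracut-crypt-ssh\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/rbu-dracut-crypt-ssh/" --cost 400 >> /tmp/repo-include
  #       #echo "repo --name=\"CERT-Forensics-Tools\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/CERT-Forensics-Tools/" --cost 800 >> /tmp/repo-include
  #       echo "repo --name=\"CERT-Forensics-Tools\" --baseurl=https://forensics.cert.org/cert/7/$ARCH/" --cost 800 >> /tmp/repo-include
  #       REPO_EPEL=true
  #       #REPO_ELREPO=true
  #       REPO_RPMFORGE=true
  #       REPO_NUXDEXTOP=true
  #       REPO_TOR=true
  #       REPO_CRYPTSSH=true
  #       REPO_FORENSICS=true
  #       ;;
  #     i386)
  #       echo "repo --name=\"CentOS-7-CentOSPlus\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/centosplus/ --cost=200" >> /tmp/repo-include
  #       echo "repo --name=\"CentOS-7-Extras\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/extras/ --cost=200" >> /tmp/repo-include
  #       ;;
  #   esac
  #
  # else
  case "$ARCH" in
    x86_64|ppc64le|aarch64)
      # Base repositories depend on the distribution found in /etc/os-release.
      if [[ "$NAME" == "Oracle Linux Server" ]]; then
        echo "url --url=https://yum.oracle.com/repo/OracleLinux/OL8/baseos/latest/\$basearch" >> /tmp/repo-include
        echo "repo --name=BaseOS --baseurl=https://yum.oracle.com/repo/OracleLinux/OL8/baseos/latest/\$basearch" >> /tmp/repo-include
        echo "repo --name=AppStream --baseurl=https://yum.oracle.com/repo/OracleLinux/OL8/appstream/\$basearch" >> /tmp/repo-include
        echo "repo --name=Add-Ons --baseurl=https://yum.oracle.com/repo/OracleLinux/OL8/addons/\$basearch" >> /tmp/repo-include
        echo "repo --name=epel --baseurl=https://yum.oracle.com/repo/OracleLinux/OL8/developer/EPEL/\$basearch" >> /tmp/repo-include
      elif [[ "$NAME" == "Red Hat Enterprise Linux" ]]; then
        echo "url --url=https://boot.reslinger.net/repo/8/rhel" >> /tmp/repo-include
        echo "repo --name=BaseOS --baseurl=https://boot.reslinger.net/repo/8/rhel/BaseOS" >> /tmp/repo-include
        echo "repo --name=AppStream --baseurl=https://boot.reslinger.net/repo/8/rhel/AppStream" >> /tmp/repo-include
        echo "repo --name=epel --baseurl=https://dl.fedoraproject.org/pub/epel/8/Everything/\$basearch" >> /tmp/repo-include
      elif [[ "$NAME" == "AlmaLinux" ]]; then
        echo "url --url=https://repo.almalinux.org/almalinux/\$releasever/BaseOS/\$basearch/os/" >> /tmp/repo-include
        echo "repo --name=BaseOS --baseurl=https://repo.almalinux.org/almalinux/\$releasever/BaseOS/\$basearch/os/" >> /tmp/repo-include
        echo "repo --name=AppStream --baseurl=https://repo.almalinux.org/almalinux/\$releasever/AppStream/\$basearch/os/" >> /tmp/repo-include
        echo "repo --name=extras --baseurl=https://repo.almalinux.org/almalinux/\$releasever/extras/\$basearch/os/" >> /tmp/repo-include
        echo "repo --name=PowerTools --baseurl=https://repo.almalinux.org/almalinux/\$releasever/PowerTools/\$basearch/os/" >> /tmp/repo-include
        echo "repo --name=HighAvailability --baseurl=https://repo.almalinux.org/almalinux/\$releasever/HighAvailability/\$basearch/os/" >> /tmp/repo-include
        echo "repo --name=epel --baseurl=https://dl.fedoraproject.org/pub/epel/8/Everything/\$basearch/" >> /tmp/repo-include
      elif [[ "$NAME" == "Rocky Linux" ]]; then
        echo "url --url=https://download.rockylinux.org/pub/rocky/\$releasever/BaseOS/\$basearch/os/" >> /tmp/repo-include
        echo "repo --name=BaseOS --baseurl=https://download.rockylinux.org/pub/rocky/\$releasever/BaseOS/\$basearch/os/" >> /tmp/repo-include
        echo "repo --name=AppStream --baseurl=https://download.rockylinux.org/pub/rocky/\$releasever/AppStream/\$basearch/os/" >> /tmp/repo-include
        echo "repo --name=extras --baseurl=https://download.rockylinux.org/pub/rocky/\$releasever/extras/\$basearch/os/" >> /tmp/repo-include
        echo "repo --name=PowerTools --baseurl=https://download.rockylinux.org/pub/rocky/\$releasever/PowerTools/\$basearch/os/" >> /tmp/repo-include
        echo "repo --name=HighAvailability --baseurl=https://download.rockylinux.org/pub/rocky/\$releasever/HighAvailability/\$basearch/os/" >> /tmp/repo-include
        echo "repo --name=epel --baseurl=https://dl.fedoraproject.org/pub/epel/8/Everything/\$basearch/" >> /tmp/repo-include
      elif [[ "$NAME" == "CentOS Linux" ]]; then
        echo "url --url=http://mirror.centos.org/centos/\$releasever/BaseOS/\$basearch/os/" >> /tmp/repo-include
        echo "repo --name=BaseOS --baseurl=http://mirror.centos.org/centos/\$releasever/BaseOS/\$basearch/os/" >> /tmp/repo-include
        echo "repo --name=AppStream --baseurl=http://mirror.centos.org/centos/\$releasever/AppStream/\$basearch/os/" >> /tmp/repo-include
        echo "repo --name=extras --baseurl=http://mirror.centos.org/centos/\$releasever/extras/\$basearch/os/" >> /tmp/repo-include
        echo "repo --name=PowerTools --baseurl=http://mirror.centos.org/centos/\$releasever/PowerTools/\$basearch/os/" >> /tmp/repo-include
        echo "repo --name=HighAvailability --baseurl=http://mirror.centos.org/centos/\$releasever/HighAvailability/\$basearch/os/" >> /tmp/repo-include
        echo "repo --name=epel --baseurl=https://dl.fedoraproject.org/pub/epel/8/Everything/\$basearch/" >> /tmp/repo-include
      # elif [[ "$NAME" == "VZLinux" ]]; then
      #   #https://repo.virtuozzo.com/vzlinux/8/
      fi
      #echo "repo --name=RPMFusion-free --baseurl=https://download1.rpmfusion.org/free/el/" >> /tmp/repo-include
      echo "repo --name=RPMFusion-free --baseurl=https://download1.rpmfusion.org/free/el/updates/8/\$basearch/" >> /tmp/repo-include
      # x86_64 only
      # https://copr-be.cloud.fedoraproject.org/results/gsauthof/dracut-sshd/pubkey.gpg
      echo "repo --name=dracut-sshd --baseurl=https://download.copr.fedorainfracloud.org/results/gsauthof/dracut-sshd/epel-8-\$basearch/" >> /tmp/repo-include
      echo "repo --name=ELrepo-8 --baseurl=http://elrepo.org/linux/elrepo/el8/\$basearch/" >> /tmp/repo-include
      echo "repo --name=CERT-Forensics-Tools --baseurl=https://forensics.cert.org/centos/cert/8/\$basearch/" >> /tmp/repo-include
      if [[ "$MACHINE" == "DigitalOcean" ]]; then
        echo "repo --name=\"DigitalOcean Agent\" --baseurl=https://repos.insights.digitalocean.com/yum/do-agent/\$basearch/" >> /tmp/repo-include
        REPO_DIGITALOCEAN=true
      fi
      # https://cloud.google.com/compute/docs/images/install-guest-environment#in_place
      # https://pkgs.dyn.su/el8/base/x86_64/raven-release-1.0-2.el8.noarch.rpm
      # No EL8 build for now
      #echo "repo --name=\"NUX-Dextop\" --baseurl=http://li.nux.ro/download/nux/dextop/el7/\$basearch/" --cost=500 >> /tmp/repo-include
      REPO_EPEL=true
      REPO_CRYPTSSH=true
      REPO_RPMFUSION=true
      REPO_ELREPO=true
      #REPO_NUXDEXTOP=true
      REPO_FORENSICS=true
      ;;
    i386)
      echo "url --url=http://springdale.princeton.edu/data/springdale/\$releasever/\$basearch/os" >> /tmp/repo-include
      echo "repo --name=BaseOS --baseurl=http://springdale.princeton.edu/data/springdale/\$releasever/\$basearch/os/BaseOS" >> /tmp/repo-include
      echo "repo --name=AppStream --baseurl=http://springdale.princeton.edu/data/springdale/\$releasever/\$basearch/os/AppStream" >> /tmp/repo-include
      # echo "repo --name=Updates-BaseOS --baseurl=http://springdale.princeton.edu/data/springdale/\$releasever/\$basearch/os/Updates-BaseOS" >> /tmp/repo-include
      # echo "repo --name=Updates-AppStream --baseurl=http://springdale.princeton.edu/data/springdale/\$releasever/\$basearch/os/Updates-AppStream" >> /tmp/repo-include
      echo "repo --name=BaseOS-Updates --baseurl=http://springdale.princeton.edu/data/springdale/updates/\$releasever/BaseOS/\$basearch" >> /tmp/repo-include
      echo "repo --name=AppStream-Updates --baseurl=http://springdale.princeton.edu/data/springdale/updates/\$releasever/AppStream/\$basearch" >> /tmp/repo-include
      echo "repo --name=Unsupported --baseurl=http://springdale.princeton.edu/data/springdale/unsupported/\$releasever/\$basearch/" >> /tmp/repo-include
      ;;
    armv7l)
      # armhfp
      echo "url --url=http://mirror.centos.org/altarch/\$releasever/BaseOS/\$basearch/os/" >> /tmp/repo-include
      echo "repo --name=BaseOS --baseurl=http://mirror.centos.org/altarch/\$releasever/BaseOS/\$basearch/os/" >> /tmp/repo-include
      echo "repo --name=AppStream --baseurl=http://mirror.centos.org/altarch/\$releasever/AppStream/\$basearch/os/" >> /tmp/repo-include
      # empty
      # echo "repo --name=extras --baseurl=http://mirror.centos.org/altarch/\$releasever/extras/\$basearch/os/" >> /tmp/repo-include
      echo "repo --name=PowerTools --baseurl=http://mirror.centos.org/altarch/\$releasever/PowerTools/\$basearch/os/" >> /tmp/repo-include
      #echo "repo --name=HighAvailability --baseurl=http://mirror.centos.org/altarch/\$releasever/HighAvailability/\$basearch/os/" >> /tmp/repo-include
      #echo "repo --name=epel --baseurl=https://dl.fedoraproject.org/pub/epel/\$releasever/Everything/\$basearch/" >> /tmp/repo-include
      # https://copr-be.cloud.fedoraproject.org/results/gsauthof/dracut-sshd/pubkey.gpg
      echo "repo --name=dracut-sshd --baseurl=https://download.copr.fedorainfracloud.org/results/gsauthof/dracut-sshd/epel-8-x86_64/" >> /tmp/repo-include
      REPO_CRYPTSSH=true
      ;;
    armv6l|armv5tel)
      echo "repo --name=BaseOS --baseurl=http://ftp.redsleeve.org/pub/el8/8/BaseOS/ --cost=200" >> /tmp/repo-include
      echo "repo --name=AppStream --baseurl=http://ftp.redsleeve.org/pub/el8/8/AppStream/ --cost=200" >> /tmp/repo-include
      #echo "repo --name=extra --baseurl=http://ftp.redsleeve.org/pub/el8/8/extra/ --cost=200" >> /tmp/repo-include
      # NOTE(review): the repo name "PowerTools/" carries a trailing slash — confirm it is intended.
      echo "repo --name=PowerTools/ --baseurl=http://ftp.redsleeve.org/pub/el8/8/PowerTools/ --cost=200" >> /tmp/repo-include
      echo "repo --name=RedSleeve --baseurl=http://ftp.redsleeve.org/pub/el8/8/RedSleeve/ --cost=200" >> /tmp/repo-include
      echo "repo --name=CodeReady --baseurl=http://ftp.redsleeve.org/pub/el8/8/CodeReady/ --cost=200" >> /tmp/repo-include
      #echo "repo --name=\"RedSleeve-7-Kernel\" --baseurl=http://ftp.redsleeve.org/pub/el7/raspberrypi/ --cost=200" >> /tmp/repo-include
      #echo "repo --name=\"RedSleeve-7-EPEL\" --baseurl=http://ftp.redsleeve.org/pub/el7/EPEL/ --cost=400" >> /tmp/repo-include
      #REPO_EPEL=true
      ;;
  esac
  # fi
else
  # Offline install: local mirror only, no add-on repositories.
  echo "url --url=http://Mercure.saacy.reslinger.net/CentOS-7/" >> /tmp/repo-include
  # echo "url --url=http://mirror.ovh.net/ftp.centos.org/7/os/$ARCH/" >> /tmp/repo-include
  # echo "repo --name=\"CentOS-7-Base\" --baseurl=http://mirror.ovh.net/ftp.centos.org/7/os/$ARCH/ --cost=200" >> /tmp/repo-include
  # echo "repo --name=\"CentOS-7-Update\" --baseurl=http://mirror.ovh.net/ftp.centos.org/7/updates/$ARCH/ --cost=100" >> /tmp/repo-include
  # echo "repo --name=\"EPEL-7\" --baseurl=https://dl.fedoraproject.org/pub/epel/7/$ARCH/" --cost=300 >> /tmp/repo-include
  ## # https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
  # echo "repo --name=\"RPM-Forge\" --baseurl=http://apt.sw.be/redhat/el7/en/$ARCH/rpmforge/" --cost=400 >> /tmp/repo-include
  ## # http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm
  # echo "repo --name=\"NUX-Dextop\" --baseurl=http://li.nux.ro/download/nux/dextop/el7/$ARCH/" --cost=500 >> /tmp/repo-include
  ## # http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
  # echo "repo --name=\"Tor-EL7\" --baseurl=https://deb.torproject.org/torproject.org/rpm/el/7/$ARCH/" --cost 600 >> /tmp/repo-include
fi

#######################################################################
# Boot and partitioning configuration
#######################################################################

#######################################
# Delete every partition on a disk and write a fresh label: GPT when the
# installer itself booted under EFI (checked directly on /sys, so the
# "nouefi" boot option does not affect it), msdos otherwise.
# Arguments: $1 - kernel disk name without /dev/ (e.g. sda)
# Outputs:   nothing; parted/partprobe diagnostics go to their own streams
#######################################
clean_disk() {
  local disk="$1"
  local partnum
  # parted's table starts after the "Number" header line; blank lines dropped.
  for partnum in $(parted "/dev/${disk}" print | sed -n -e '/^Num/,$p' | sed -e '1d' -e '/^$/d' | awk '{print $1}'); do
    parted -s "/dev/${disk}" rm "$partnum"
  done
  if [ -d /sys/firmware/efi ]; then
    parted -s "/dev/${disk}" mklabel gpt
  else
    parted -s "/dev/${disk}" mklabel msdos
  fi
  partprobe "/dev/${disk}"
}

if ! has_bootopt nopart; then
  # NOTE(review): in this copy of the file the here-document that seeded
  # /tmp/part-include (and the statement that followed it, up to its
  # ">> /tmp/part-include") has been lost; only "<>" survived. As written the
  # line just truncates the file. Restore the original content before use.
  cat > /tmp/part-include <> /tmp/part-include
  # Release anything the installer may have auto-assembled so the disks can be
  # relabelled.
  for vg in $(vgs | sed 1d | awk '{print $1}'); do
    vgchange -an "$vg"
  done
  for md in $(grep '^md' /proc/mdstat | awk '{print $1}'); do
    mdadm --stop "/dev/$md"
  done
  # list-harddrives prints "<name> <size>" pairs; word-splitting is intended.
  # shellcheck disable=SC2046
  set -- $(list-harddrives)
  # $1 = 1st disk name, $2 = 1st disk size, $3 = 2nd disk name, $4 = 2nd disk size, and so on
  HDD1=$1
  HDD1_SIZE=$2
  HDD2=$3
  HDD2_SIZE=$4
  HDD3=$5
  HDD3_SIZE=$6
  HDD4=$7
  HDD4_SIZE=$8

  # Sizes in MiB.
  UEFI_SIZE=128
  BOOT_SIZE=1024
  # SWAP_SIZE=4096
  SWAP_SIZE=0
  ROOT_SIZE=5120
  TMP_SIZE=1024
  VAR_SIZE=2048
  # VARTMP_SIZE=1024
  VARLOG_SIZE=1024
  VARLOGAUDIT_SIZE=512
  # Shrink the layout on small first disks (size compared on its integer part).
  if [ "${HDD1_SIZE%%.*}" -lt 4100 ]; then
    SWAP_SIZE=128
    #BOOT_SIZE=250
    ROOT_SIZE=3072
  elif [ "${HDD1_SIZE%%.*}" -lt 9720 ]; then
    SWAP_SIZE=1024
  fi

  if $HDDCRYPT; then
    # NOTE(review): the LUKS passphrase is a fixed value embedded in this
    # kickstart and in the generated /tmp/part-include; it must be replaced
    # (cryptsetup luksChangeKey) on the installed system before the host is
    # put into service. aes-xts-plain64 is the usual IV mode for XTS — confirm
    # essiv:sha256 is intended.
    HDDCRYPT_OPT="--encrypted --luks-version=luks2 --cipher=aes-xts-essiv:sha256 --passphrase=Ch4ngeM3"
    # HDDCRYPT_OPT="$HDDCRYPT_OPT --pbkdf=argon2i --pbkdf-iterations=4 --pbkdf-memory=64"
  else
    HDDCRYPT_OPT=""
  fi

  PART_INDEX=1
  MDINDEX=0
  # One array entry per disk name (first column of list-harddrives).
  mapfile -t DRIVES < <(list-harddrives | cut -d' ' -f1)

  if $DESKTOP; then
    # Keep an existing Windows install: clear only Linux partitions when NTFS
    # is present on the first disk.
    if [ "$(parted "/dev/$HDD1" print | grep -ci ntfs)" -gt 0 ]; then
      CLEARPART_TYPE="--linux"
    else
      CLEARPART_TYPE="--all"
    fi
    ROOT_SIZE=15360
    HOME_SIZE=10240
  else
    CLEARPART_TYPE="--all"
    HOME_SIZE=0
  fi
  if [ "${CLEARPART_TYPE}" == "--all" ]; then
    # Wipe here rather than via clearpart so clean_disk picks the label type.
    for DRIVE in "${DRIVES[@]}"; do
      #wipefs --all "${DRIVE}"
      clean_disk "${DRIVE}"
    done
    CLEARPART_TYPE="--none"
  fi
  printf 'clearpart --drives=%s %s\n\n' "$(IFS=,; echo "${DRIVES[*]}")" "${CLEARPART_TYPE}" >> /tmp/part-include

  # UEFI partitions
  if $UEFI; then
    if [ "${CLEARPART_TYPE}" != "--linux" ]; then
      # for DRIVE in "${DRIVES[@]}"; do
      ##   parted -s -a optimal /dev/${DRIVE} unit mib mkpart primary 1 3 name ${PART_INDEX} grub set ${PART_INDEX} bios_grub on
      ##   echo "part biosboot --fstype=biosboot --onpart=${DRIVE}${PART_INDEX}" >> /tmp/part-include
      ##   PART_INDEX=$[${PART_INDEX}+1]
      #   parted -s -a optimal /dev/${DRIVE} unit mib mkpart ESP 2 $[${UEFI_SIZE}-2] name ${PART_INDEX} EFI set ${PART_INDEX} esp on
      # done
      if [ "${#DRIVES[@]}" -gt 1 ]; then
        # Mirrored ESP: one raid member per disk (raid.<md+1><n>).
        for ((i = 1; i <= ${#DRIVES[@]}; i++)); do
          #echo "part raid.$[${MDINDEX}+1]${i} --onpart=$(blkid --match-token PARTLABEL=EFI | grep /dev/${DRIVES[$[${i}-1]]} | sed 's|/dev/\(.*\):.*|\1|')" >> /tmp/part-include
          # The form below only applies with automatic partitioning
          echo "part raid.$((MDINDEX + 1))${i} --size=32 --maxsize=${UEFI_SIZE} --grow --ondisk=${DRIVES[i-1]}" >> /tmp/part-include
        done
        echo -n "raid /boot/efi --fstype=efi --level=RAID1 --device=md${MDINDEX}" >> /tmp/part-include
        for ((i = 1; i <= ${#DRIVES[@]}; i++)); do
          echo -n " raid.$((MDINDEX + 1))${i}" >> /tmp/part-include
        done
        echo >> /tmp/part-include
        MDINDEX=$((MDINDEX + 1))
      else
        #echo "part /boot/efi --fstype=efi --onpart=$(blkid --match-token PARTLABEL=EFI | grep /dev/${DRIVE} | sed 's|/dev/\(.*\):.*|\1|')" >> /tmp/part-include
        echo "part /boot/efi --label=EFI --fstype=efi --ondisk=${HDD1}" >> /tmp/part-include
      fi
    else
      if [ "${#DRIVES[@]}" -gt 1 ]; then
        # Windows found and several disks: refuse to touch the Windows disk.
        echo "On ne touche pas le disque Windows" >&2
        exit 1
      else
        # Reuse the existing ESP. DRIVE is not assigned on this path (no
        # clean_disk loop ran), so the disk name comes from HDD1.
        echo "part /boot/efi --label=EFI --fstype=efi --onpart=${HDD1}$(parted "/dev/${HDD1}" print | grep EFI | awk '{print $1}') --noformat" >> /tmp/part-include
      fi
    fi
  else
    UEFI_SIZE=1
  fi

  # /boot partition
  PART_INDEX="$(parted "/dev/$HDD1" print | sed -n -e '/^Num/,$p' | sed -e '1d' -e '/^$/d' | wc -l)"
  PART_INDEX=$((PART_INDEX + 1))
  if [ "${#DRIVES[@]}" -gt 1 ]; then
    # for DRIVE in "${DRIVES[@]}"; do
    #   parted -s -a optimal /dev/${DRIVE} unit mib mkpart primary ext4 ${UEFI_SIZE} $[${UEFI_SIZE}+${BOOT_SIZE}] name ${PART_INDEX} boot set ${PART_INDEX} raid on
    # done
    for ((i = 1; i <= ${#DRIVES[@]}; i++)); do
      #echo "part raid.$[${MDINDEX}+1]${i} --onpart=$(blkid --match-token PARTLABEL=boot | grep /dev/${DRIVES[$[${i}-1]]} | sed 's|/dev/\(.*\):.*|\1|')" >> /tmp/part-include
      # The form below only applies with automatic partitioning
      echo "part raid.$((MDINDEX + 1))${i} --label=boot --size=${BOOT_SIZE} --ondisk=${DRIVES[i-1]}" >> /tmp/part-include
    done
    echo -n "raid /boot --fstype=ext4 --level=RAID1 --device=md${MDINDEX}" >> /tmp/part-include
    for ((i = 1; i <= ${#DRIVES[@]}; i++)); do
      echo -n " raid.$((MDINDEX + 1))${i}" >> /tmp/part-include
    done
    echo >> /tmp/part-include
    MDINDEX=$((MDINDEX + 1))
  else
    #parted -s -a optimal /dev/$HDD1 unit mib mkpart primary ext4 $[${UEFI_SIZE}] $[${UEFI_SIZE}+${BOOT_SIZE}] name ${PART_INDEX} boot
    #echo "part /boot --fstype=ext4 --onpart=$(blkid --match-token PARTLABEL=boot | grep /dev/${DRIVE} | sed 's|/dev/\(.*\):.*|\1|')" >> /tmp/part-include
    # The form below only applies with automatic partitioning
    echo "part /boot --label=boot --fstype=ext4 --size=${BOOT_SIZE} --ondisk=${HDD1}" >> /tmp/part-include
  fi
  PART_INDEX=$((PART_INDEX + 1))

  # System (LVM physical volumes, optionally LUKS-encrypted)
  # for i in `seq 1 ${#DRIVES[@]}`; do
  #   parted -s -a optimal /dev/${DRIVES[$[${i}-1]]} unit mib mkpart primary ext4 $[${UEFI_SIZE}+${BOOT_SIZE}] 100% name ${PART_INDEX} EL8
  #   if $HDDCRYPT; then
  #     echo -n Ch4ngeM3 | cryptsetup --type luks2 --cipher=aes-xts-essiv:sha256 --hash=sha256 luksFormat $(blkid --match-token PARTLABEL=EL8 | grep /dev/${DRIVES[$[${i}-1]]} | cut -d: -f1) --key-file -
  #     sleep 1
  #     DEVCRYPT="luks-$(blkid --match-token PARTLABEL=EL8 | grep ^/dev/${DRIVES[$[${i}-1]]} | sed 's|.* UUID="\([^ ]*\)".*|\1|')"
  #     echo -n Ch4ngeM3 | cryptsetup luksOpen $(blkid --match-token PARTLABEL=EL8 | grep /dev/${DRIVES[$[${i}-1]]} | cut -d: -f1) "${DEVCRYPT}" --allow-discards --key-file -
  #     echo "part pv.0${i} --onpart=$(blkid --match-token PARTLABEL=EL8 | grep /dev/${DRIVES[$[${i}-1]]} | sed 's|/dev/\(.*\):.*|\1|') --encrypted --passphrase=Ch4ngeM3 --noformat" >> /tmp/part-include
  #   fi
  # done
  # if [ "${#DRIVES[@]}" -gt 1 ]; then
  #   if $HDDCRYPT; then
  #     PVLVM="$(for UUID in `blkid --match-token PARTLABEL=EL8 -s UUID -o value`; do echo /dev/mapper/luks-${UUID}; done)"
  #     #PVLVM="$(for DRIVE in "${DRIVES[@]}"; do echo /dev/mapper/luks-`blkid /dev/${DRIVE}${PART_INDEX} | sed 's|.* UUID="\([^ ]*\)".*|\1|'`; done)"
  #   else
  #     PVLVM="$(for DRIVE in "${DRIVES[@]}"; do echo /dev/${DRIVE}${PART_INDEX}; done)"
  #   fi
  # else
  #   if $HDDCRYPT; then
  #     PVLVM="/dev/mapper/luks-$(blkid --match-token PARTLABEL=EL8 -s UUID -o value)"
  #   else
  #     PVLVM=/dev/${HDD1}${PART_INDEX}
  #   fi
  # fi
  # vgcreate --autobackup y --physicalextentsize 128m --pvmetadatacopies 1 --vgmetadatacopies all --force vg_sys ${PVLVM}
  # echo volgroup vg_sys --noformat >> /tmp/part-include
  # The forms below only apply with automatic partitioning
  if [ "${#DRIVES[@]}" -gt 1 ]; then
    for ((i = 1; i <= ${#DRIVES[@]}; i++)); do
      echo "part pv.0${i} --label=EL8 --grow --size=1 --ondisk=${DRIVES[i-1]} ${HDDCRYPT_OPT}" >> /tmp/part-include
    done
    echo -n "volgroup vg_sys --pesize=131072" >> /tmp/part-include
    for ((i = 1; i <= ${#DRIVES[@]}; i++)); do
      echo -n " pv.0${i}" >> /tmp/part-include
    done
    echo >> /tmp/part-include
  else
    echo "part pv.01 --label=EL8 --grow --size=1 --ondisk=$HDD1 ${HDDCRYPT_OPT}" >> /tmp/part-include
    echo "volgroup vg_sys --pesize=131072 pv.01" >> /tmp/part-include
  fi
  PART_INDEX=$((PART_INDEX + 1))

  # if [ "${#DRIVES[@]}" -gt 1 ]; then
  #   # lvcreate option available: --raidintegrity y
  #   lvcreate -nsystem --type raid1 -m 1 -L$[${ROOT_SIZE}+${SWAP_SIZE}+${HOME_SIZE}+${TMP_SIZE}+${VAR_SIZE}+${VARLOG_SIZE}+${VARLOGAUDIT_SIZE}+10240] vg_sys
  #   lvcreate -nsystemmeta --type raid1 -m 1 -L512m vg_sys
  #   lvs -a -o +devices
  #   lvconvert --yes --type thin-pool --poolmetadata vg_sys/systemmeta vg_sys/system
  # else
  # Thin pool sized to the sum of the volumes it hosts; extra options: --chunksize=size --metadatasize=size
  echo "logvol none --name=system --vgname=vg_sys --size=$((ROOT_SIZE + SWAP_SIZE + HOME_SIZE + TMP_SIZE + VAR_SIZE + VARLOG_SIZE + VARLOGAUDIT_SIZE)) --maxsize=30720 --thinpool" >> /tmp/part-include
  # fi
  echo "logvol / --fstype=ext4 --name=lv_root --vgname=vg_sys --size=${ROOT_SIZE} --fsoptions=discard --thin --poolname=system" >> /tmp/part-include
  if [ "${SWAP_SIZE}" -ne 0 ]; then
    echo "logvol swap --name=lv_swap --vgname=vg_sys --size=${SWAP_SIZE} --fsoptions=discard --thin --poolname=system" >> /tmp/part-include
  fi
  # Desktop: a /home volume; server: separate /tmp, /var and log volumes,
  # all mounted nodev,noexec,nosuid.
  if $DESKTOP; then
    echo "logvol /home --fstype=ext4 --name=lv_home --vgname=vg_sys --size=${HOME_SIZE} --fsoptions=\"nodev,noexec,nosuid,discard\" --thin --poolname=system" >> /tmp/part-include
  else
    echo "logvol /tmp --fstype=ext4 --name=lv_tmp --vgname=vg_sys --size=${TMP_SIZE} --fsoptions=\"nodev,noexec,nosuid,discard\" --thin --poolname=system" >> /tmp/part-include
    echo "logvol /var --fstype=ext4 --name=lv_var --vgname=vg_sys --size=${VAR_SIZE} --fsoptions=\"nodev,noexec,nosuid,discard\" --thin --poolname=system" >> /tmp/part-include
    echo "logvol /var/log --fstype=ext4 --name=lv_log --vgname=vg_sys --size=${VARLOG_SIZE} --fsoptions=\"nodev,noexec,nosuid,discard\" --thin --poolname=system" >> /tmp/part-include
    echo "logvol /var/log/audit --fstype=ext4 --name=lv_logaudit --vgname=vg_sys --size=${VARLOGAUDIT_SIZE} --fsoptions=\"nodev,noexec,nosuid,discard\" --thin --poolname=system" >> /tmp/part-include
  fi

  # Boot options
  # Traditional interface names
  BOOTLOAD_APPEND="net.ifnames=0 biosdevname=0"
  # Enable Zswap
  # https://wiki.archlinux.org/index.php/Zswap
  # BOOTLOAD_APPEND="${BOOTLOAD_APPEND} zswap.enabled=1 zswap.compressor=lz4"
  if $SERIAL; then
    BOOTLOAD_APPEND="console=tty0 console=ttyS${SERIALNB},115200n8 ${BOOTLOAD_APPEND}"
  fi
  # if $NEW_CPU; then
  #   # Disable Meltdown and Spectre mitigation on newer CPU
  #   BOOTLOAD_APPEND="nopti noibrs noibpb ${BOOTLOAD_APPEND}"
  # fi
  # With an encrypted root and dracut-sshd available, bring the network up in
  # the initramfs so the volume can be unlocked remotely.
  if $HDDCRYPT; then
    if ${REPO_CRYPTSSH}; then
      # if [ "$MASK" -eq "255.255.255.255" ]; then
      #   BOOTLOAD_APPEND="rd.route=0.0.0.0/0:${GW} ${BOOTLOAD_APPEND}"
      # fi
      if grep -E -q -- '(^|\s)ip='"$IP"'($|:)' /proc/cmdline; then
        # ip= syntax: https://www.systutorials.com/docs/linux/man/7-dracut.cmdline/
        BOOTLOAD_APPEND="rd.neednet=1 ip=$IP::$GW:$MASK:centos-boot:$IF:off:${DNS/,*} ${BOOTLOAD_APPEND}"
      elif ! $DESKTOP; then
        BOOTLOAD_APPEND="rd.neednet=1 ip=dhcp ${BOOTLOAD_APPEND}"
      fi
    fi
  fi
  #$UEFI && BLL=partition || BLL=mbr
  BLL=mbr
  # grub2-mkpasswd-pbkdf2
  # NOTE(review): the here-document that wrote the bootloader line to
  # /tmp/grub-include (presumably using BOOTLOAD_APPEND and BLL, and a GRUB
  # password hash given the grub2-mkpasswd-pbkdf2 hint — TODO confirm) is
  # missing from this copy, together with the statement that followed it up
  # to its ">> /tmp/part-include"; only "<>" survived. As written the line
  # copies /tmp/part-include into /tmp/grub-include. Restore it before use.
  cat > /tmp/grub-include <> /tmp/part-include
  # BOOTLOAD_APPEND="net.ifnames=0 biosdevname=0"
  # echo -e "bootloader --append=\"${BOOTLOAD_APPEND}\"" >> /tmp/grub-include
fi

#######################################################################
# Package list configuration
#######################################################################
if $DESKTOP; then
  #touch /tmp/packages-include
  #echo "%packages --instLangs=fr_FR" >> /tmp/packages-include
  echo "%packages" >> /tmp/packages-include
  cat >> /tmp/packages-include <<'EOF'
@gnome-desktop
@fonts
@guest-agents
@guest-desktop-agents
@input-methods
@internet-browser
@multimedia
@network-file-system-client
@print-client
NetworkManager-libreswan-gnome
NetworkManager-libreswan
EOF
  if ${REPO_EPEL}; then
    cat >> /tmp/packages-include <<'EOF'
NetworkManager-fortisslvpn-gnome
NetworkManager-l2tp-gnome
NetworkManager-openconnect-gnome
NetworkManager-openvpn-gnome
NetworkManager-pptp-gnome
#NetworkManager-vpnc-gnome
#NetworkManager-strongswan-gnome
strongswan-charon-nm
ntfs-3g
ntfs-3g-system-compression
ntfsprogs
EOF
  fi
  if ${REPO_NUXDEXTOP}; then
    cat >> /tmp/packages-include <<'EOF'
NetworkManager-iodine-gnome
NetworkManager-ssh-gnome
fuse-exfat
exfat-utils
EOF
  fi
else
  echo "%packages --instLangs=fr_FR" >> /tmp/packages-include
  #echo "%packages --nobase" > /tmp/packages-include
  cat >> /tmp/packages-include <<'EOF'
@^minimal-environment
NetworkManager-config-server
NetworkManager-dispatcher-routing-rules
EOF
fi
# Common package set
cat >> /tmp/packages-include <<'EOF'
@core
#@french-support
NetworkManager-team
NetworkManager-bluetooth
NetworkManager-wifi
NetworkManager-wwan
kexec-tools
wget
rsync
screen
pciutils
usbutils
dmidecode
bash-completion
chrony
#dracut-config-generic
-dracut-config-rescue
#dracut-norescue
xz
drpm
firewalld
postfix
smartmontools
#ntpdate # Not found !!!
rng-tools
#console-setup # Not found !!!
device-mapper-event
gpgme
ca-certificates
EOF
if ${REPO_EPEL}; then
  if [[ "$NAME" == "Oracle Linux Server" ]]; then
    echo "oracle-epel-release-el8" >> /tmp/packages-include
  #elif test "$NAME" == "CentOS Linux" || test "$NAME" == "AlmaLinux"; then
  else
    echo "epel-release" >> /tmp/packages-include
  fi
  cat >> /tmp/packages-include <<'EOF'
fail2ban
fail2ban-mail
fail2ban-systemd
fail2ban-hostsdeny
pigz
pxz
tcp_wrappers
EOF
fi
if ${REPO_ELREPO}; then
  cat >> /tmp/packages-include <<'EOF'
elrepo-release
EOF
fi
if ${REPO_RPMFUSION}; then
  cat >> /tmp/packages-include << 'EOF'
rpmfusion-free-release
EOF
fi
if ${REPO_NUXDEXTOP}; then
  cat >> /tmp/packages-include <<'EOF'
nux-dextop-release
EOF
fi
if ${REPO_CRYPTSSH}; then
  cat >> /tmp/packages-include <<'EOF'
dracut-sshd
EOF
fi
if ${REPO_FORENSICS}; then
  cat >> /tmp/packages-include <<'EOF'
cert-forensics-tools-release
EOF
fi
if $UEFI; then
  cat >> /tmp/packages-include <<'EOF'
efivar
efibootmgr
grub2-efi
fwupdate
EOF
  case $ARCH in
    x86_64) echo shim-x64 >> /tmp/packages-include ;;
    i386) echo shim-ia32 >> /tmp/packages-include ;;
    *) echo shim >> /tmp/packages-include ;;
  esac
fi
# Platform agents
case "$MACHINE" in
  "Supermicro"|"Dell Inc.")
    echo ipmitool >> /tmp/packages-include
    ;;
  "Red Hat"|QEMU)
    echo spice-vdagent >> /tmp/packages-include
    echo qemu-guest-agent >> /tmp/packages-include
    ;;
  "OpenStack Foundation")
    echo acpid >> /tmp/packages-include
    echo qemu-guest-agent >> /tmp/packages-include
    ;;
  "Microsoft Corporation")
    # https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-upload-centos
    echo WALinuxAgent >> /tmp/packages-include
    ;;
  "Xen")
    if ${REPO_EPEL}; then
      echo xe-guest-utilities-latest >> /tmp/packages-include
      #echo xe-guest-utilities-xenstore >> /tmp/packages-include
    fi
    ;;
  "Google")
    :
    #echo gce-disk-expand >> /tmp/packages-include
    #echo python-google-compute-engine >> /tmp/packages-include
    #echo google-compute-engine >> /tmp/packages-include
    #echo google-compute-engine-oslogin >> /tmp/packages-include
    #echo google-cloud-sdk >> /tmp/packages-include
    ;;
  "VMware")
    echo open-vm-tools >> /tmp/packages-include
    ;;
  "DigitalOcean")
    echo do-agent >> /tmp/packages-include
    ;;
  *)
    :
    ;;
esac
# centos-release-qemu-ev
# usbutils libvirt-client OVMF qemu-kvm-ev
echo "%end" >> /tmp/packages-include
# With the nopkg boot option, hand anaconda an empty package file.
$PKG || : > /tmp/packages-include

# Useful for debugging
#sleep 300

### The installer creates a zram device formatted as swap
### Do we have enough RAM?
#if [ $(free -m | grep ^Mem: | awk '{print $2}') -lt 1000 ]; then
#  MEM=$(free -k | grep -e "^Mem:" | awk '{printf("%d\n",$2/1.2)}')
#  if [ $(lsmod | grep -c zram) -eq 0 ]; then
#    modprobe zram
#    ZRAMID=0
#  else
#    ZRAMID=$(cat /sys/class/zram-control/hot_add)
#  fi
#  # echo 1 > /sys/block/zram${ZRAMID}/reset
#  if [ -e /sys/block/zram${ZRAMID}/comp_algorithm ]; then
#    if [ $(grep -c lz4 /sys/block/zram${ZRAMID}/comp_algorithm) -eq 1 ]; then
#      echo lz4 > /sys/block/zram${ZRAMID}/comp_algorithm
#    fi
#  fi
#  if [ -e /sys/block/zram${ZRAMID}/mem_limit ]; then
#    echo $[${MEM}*2]k > /sys/block/zram${ZRAMID}/disksize
#    echo ${MEM}k > /sys/block/zram${ZRAMID}/mem_limit
#  else
#    echo ${MEM}k > /sys/block/zram${ZRAMID}/disksize
#  fi
#  #mkdir /mnt/zram
#  #mke2fs -q -m 0 -b 4096 -O sparse_super -L zram /dev/zram${ZRAMID}
#  #mount -o relatime,noexec,nosuid /dev/zram${ZRAMID} /mnt/zram
#  #chmod 1777 /mnt/zram/
#  mkswap /dev/zram${ZRAMID}
#  swappon -p 10 /dev/zram${ZRAMID}
#  # cat /sys/block/zram${ZRAMID}/mem_used_total
#  #
#  # Enable Zswap
#  #echo lz4 > /sys/module/zswap/parameters/compressor
#  #echo 1 > /sys/module/zswap/parameters/enabled
#fi
%end

#######################################################################
#######################################################################
# POST
#######################################################################
#######################################################################
%post --nochroot
set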
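$(list-harddrives)
# After `set $(list-harddrives)` (the `set` is on the preceding line) the positional
# parameters hold the installer's disk list, two words per disk:
#   $1 = 1st disk name, $2 = 1st disk size, $3 = 2nd disk name, $4 = 2nd disk size, and so on.
let numhd=$#/2
HDD1=$1
HDD1_SIZE=$2
HDD2=$3
HDD2_SIZE=$4
HDD3=$5
HDD3_SIZE=$6
HDD4=$7
HDD4_SIZE=$8

# LVM tuning still to do
#/sbin/lvm lvextend --poolmetadatasize +1G vg_sys/system #--config 'global {locking_type=1}'
# WARNING: You have not turned on protection against thin pools running out of space.
# WARNING: Set activation/thin_pool_autoextend_threshold below 100 to trigger automatic extension of thin pools before they get full.

## Mirror the logical volumes (RAID1) when a second disk of identical size is present
if [ $(list-harddrives | wc -l) -gt 1 ]; then
  if [ "${HDD1_SIZE}" = "${HDD2_SIZE}" ]; then
    # lvs -a -o name,copy_percent,devices vg_sys
    # lvconvert --yes --type raid1 -m 1 vg_sys/system # Still does not work on a thin pool
    # The pool itself cannot be converted, so its metadata and data sub-LVs are mirrored one by one.
    for LV in system_tmeta system_tdata; do
      # if [ $(list-harddrives | wc -l) -gt 2 ]; then
      # if [ "${HDD2_SIZE}" = "${HDD3_SIZE}" ]; then
      # lvconvert --yes --type raid5 --stripes 2 --stripesize 128k vg_sys/$LV
      # else
      # lvconvert --yes --type raid1 -m 1 vg_sys/$LV
      # fi
      # else
      lvconvert --yes --type raid1 -m 1 vg_sys/$LV
      # fi
    done
    # Wait for the data sub-LV mirror to finish syncing.  `lvs -a` prints hidden
    # sub-LVs in brackets, so the pattern 'system_tdata]' matches "[system_tdata]"
    # but not its "_rimage_N"/"_rmeta_N" legs.  Field 5 is presumably Cpy%Sync once
    # the empty Pool/Origin/Data%/Meta% columns collapse — TODO confirm on a real box.
    # The original left the substitution unquoted, so an empty result (no matching LV)
    # made `[` fail with "unary operator expected" and ended the wait by accident; the
    # empty case now ends the loop explicitly, and the non-empty case is unchanged.
    SYNC="$(lvs -a | grep 'system_tdata]' | awk '{print $5}')"
    while [ -n "$SYNC" ] && [ "$SYNC" != "100.00" ]; do
      sleep 5
      SYNC="$(lvs -a | grep 'system_tdata]' | awk '{print $5}')"
    done
  fi
fi

# Turn on LVM auto-extend: a full thin-pool metadata volume means corrupted filesystems
# https://support.hpe.com/hpsc/doc/public/display?docId=mmr_kc-0126706
# Recovery: https://www.redhat.com/archives/linux-lvm/2014-December/msg00015.html
sed -e 's/^\(\s*thin_pool_autoextend_threshold = \)[0-9]*/\175/' \
  -e 's/^\(\s*thin_pool_autoextend_percent = \)[0-9]*/\110/' \
  -e 's/^\(\s*snapshot_autoextend_threshold = \)[0-9]*/\175/' \
  -e 's/^\(\s*snapshot_autoextend_percent = \)[0-9]*/\110/' \
  -e 's/^\(\s*vdo_pool_autoextend_threshold = \)[0-9]*/\175/' \
  -i /mnt/sysimage/etc/lvm/lvm.conf

# Compress and autodefrag every BTRFS filesystem; /home additionally gets nodev,noexec,nosuid
sed -e '/btrfs/ s|\(\s*/home\s*btrfs\s*\)|\1nodev,noexec,nosuid,|' -i /mnt/sysimage/etc/fstab
sed -e '/btrfs/ s|\(btrfs\s*\)|\1compress=lzo,autodefrag,|' -i /mnt/sysimage/etc/fstab
# Defragment the btrfs mount points that are currently mounted (installer view, /mnt/sysimage/...)
mount | grep btrfs | awk '{print $3}' | while read SF; do
  if [ "$(mount | grep on\ "$SF"\ | awk '{print $5}')" == "btrfs" ]; then
    btrfs filesystem defragment -r -clzo "$SF"/
  fi
done
%end

%post
# Detect the machine type (VMware, HP or Dell)
#MACHINE="$(dmidecode -s system-manufacturer| cut -f 1 -d "," |cut -f 1 -d " ")"
#MACHINE="$(dmidecode -s system-manufacturer)"
MACHINE="$(cat /sys/class/dmi/id/sys_vendor)"
# SERIAL / SERIALNB / HDDCRYPT / DESKTOP are assigned again in this %post, presumably
# because %pre and %post run in separate shells and %pre's values do not carry over.
# HDDCRYPT is true for every vendor; only the "nocrypt" boot parameter below turns it off.
case "$MACHINE" in
  "Supermicro")
    SERIAL=true
    SERIALNB=2
    HDDCRYPT=true
    ;;
  "Red Hat"|QEMU|"OpenStack Foundation")
    SERIAL=true
    SERIALNB=0
    HDDCRYPT=true
    ;;
  "Microsoft Corporation")
    SERIAL=true
    SERIALNB=0
    HDDCRYPT=true
    ;;
  "Dell Inc.") # Untested
    SERIAL=true
    SERIALNB=0
    HDDCRYPT=true
    ;;
  "HP") # Untested
    SERIAL=true
    SERIALNB=0
    HDDCRYPT=true
    ;;
  "Xen")
    SERIAL=false
    HDDCRYPT=true
    ;;
  "Google")
    SERIAL=true
    SERIALNB=0
    HDDCRYPT=true
    ;;
  "DigitalOcean")
    SERIAL=true
    SERIALNB=0
    HDDCRYPT=true
    ;;
  *)
    SERIAL=false
    HDDCRYPT=true
    ;;
esac

# Kernel command-line overrides: crypt / nocrypt / nopkg / desktop (whole words only).
if [ $(grep -E -c '\scrypt($|\s)' /proc/cmdline) -eq 1 ]; then
  HDDCRYPT=true
fi
if [ $(grep -E -c '\snocrypt($|\s)' /proc/cmdline) -eq 1 ]; then
  HDDCRYPT=false
fi
# NOTE(review): PKG is assigned here but not read anywhere visible in this %post.
if [ $(grep -E -c '\snopkg($|\s)' /proc/cmdline) -eq 1 ]; then
  PKG=false
fi
if [ $(grep -E -c '\sdesktop($|\s)' /proc/cmdline) -eq 1 ]; then
  DESKTOP=true
else
  DESKTOP=false
fi

#######################################################################
# Import the repository signing keys
#######################################################################
# Iterate the directory with a glob instead of parsing `ls`; the -f test still
# skips anything that is not a regular file, including the literal pattern left
# behind when the directory is empty.
for FICHIER in /etc/pki/rpm-gpg/*; do
  if [ -f "$FICHIER" ]; then
    rpm --import "$FICHIER"
  fi
done

#######################################################################
# Restrict root access
#######################################################################
# Create an (empty) /etc/securetty; it is populated with the serial tty further
# down when SERIAL is true, and its mode is set there too.
touch /etc/securetty
#chmod 0644 /etc/securetty
# restorecond ?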
# Re-add pam_securetty as line 2 of /etc/pam.d/login (CentOS 8 ships neither the
# line nor /etc/securetty).  With the file created empty above, pam_securetty
# presumably denies root on every console except the serial tty added below — confirm
# that this is the intent.
sed '2 iauth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so' -i /etc/pam.d/login

#######################################################################
# Restrict visibility of other users' PIDs in /proc
#######################################################################
# hidepid=2 is known to interfere with some desktop/session services, which is
# presumably why it is skipped on DESKTOP installs; a gid= exemption is the usual
# workaround if a service on the server profile needs it — confirm.
if ! $DESKTOP; then
  echo "proc /proc proc rw,nosuid,nodev,noexec,relatime,defaults,hidepid=2 0 0" >> /etc/fstab
fi

#######################################################################
# Restrict ssh access for root
#######################################################################
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
# "without-password" is the older spelling of prohibit-password: key-based root login stays allowed.
sed 's/^\(#\|\)PermitRootLogin.*/PermitRootLogin without-password/' -i /etc/ssh/sshd_config
# The three `a` (append) commands are chained: KexAlgorithms is appended after the
# "# Ciphers and keying" comment, Ciphers after the new KexAlgorithms line, MACs after
# the new Ciphers line.  If the anchor comment is absent from the shipped sshd_config
# none of the three lines is added and nothing reports it — worth a `grep` afterwards.
# NOTE(review): on the RHEL 8 family sshd is normally started with the system crypto
# policy's Ciphers/MACs/KexAlgorithms passed on its command line (CRYPTO_POLICY in
# /etc/sysconfig/sshd), and command-line options take precedence over the config file,
# so these lines may have no effect unless that policy is overridden — verify with `sshd -T`.
sed '/^# Ciphers and keying/ aKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' -i /etc/ssh/sshd_config
sed '/^KexAlgorithms/ aCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com' -i /etc/ssh/sshd_config
sed '/^Ciphers/ aMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com' -i /etc/ssh/sshd_config
# Appended at the very end of the file: if the shipped sshd_config ever ends with an
# active `Match` block this directive would land inside it — confirm on the target release.
echo "AllowUsers root adrien backup" >> /etc/ssh/sshd_config
# Drop DH group-exchange moduli of 2000 bits or less (field 5 of /etc/ssh/moduli is the size),
# keeping the original file if the filter would leave nothing.  The filtered copy in /dev/shm is not removed.
if [ -f /etc/ssh/moduli ]; then
  awk '$5 > 2000' /etc/ssh/moduli > /dev/shm/moduli
  if [ $(wc -l /dev/shm/moduli | cut -f1 -d\ ) -gt 0 ]; then
    cat /dev/shm/moduli > /etc/ssh/moduli
  fi
#else
# ssh-keygen -G /etc/ssh/moduli.all -b 4096
# ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all
# mv /etc/ssh/moduli.safe /etc/ssh/moduli
# rm -f /etc/ssh/moduli.all
fi

#######################################################################
# Restrict access with TCP Wrappers
#######################################################################
# Deny everything except loopback, then allow sshd from anywhere.  NOTE(review):
# tcp_wrappers support was dropped from the RHEL 8 family (sshd is no longer linked
# against libwrap), so on an EL8 target these two files are presumably inert and
# firewalld/fail2ban do the real gating — confirm for the installed release.
echo "ALL:ALL EXCEPT 127.0.0.1:DENY" >> /etc/hosts.deny
cat >> /etc/hosts.allow << 'EOF'
sshd:ALL
# Pour NFS
#portmap:172.16.0.0/255.255.255.0 172.16.2.0/255.255.255.0 172.16.255.0/255.255.255.0
#lockd:172.16.0.0/255.255.255.0 172.16.2.0/255.255.255.0 172.16.255.0/255.255.255.0
#mountd:172.16.0.0/255.255.255.0 172.16.2.0/255.255.255.0 172.16.255.0/255.255.255.0
#rquotad:172.16.0.0/255.255.255.0 172.16.2.0/255.255.255.0 172.16.255.0/255.255.255.0
#statd:172.16.0.0/255.255.255.0 172.16.2.0/255.255.255.0 172.16.255.0/255.255.255.0
# Pour Saned
#sane:172.16.0.0/255.255.255.0
# Pour ProFTPd
#in.ftpd:ALL
# Pour le tftp
#in.tftpd:172.16.0.0/255.255.255.0 192.168.1.1
# Pour VMware
#vmware-authd:172.16.0.0/255.255.255.0 172.16.2.0/255.255.255.0 172.16.255.0/255.255.255.0
# Pour SNMP
#snmpd:172.16.0.0/255.255.255.0 172.16.2.0/255.255.255.0 172.16.255.0/255.255.255.0
EOF

#######################################################################
# Postfix configuration
#######################################################################
# Keep a pristine copy, then set mydomain/myorigin and the relayhost by editing the
# commented template lines; root's mail is aliased to adrien.
cp -a /etc/postfix/main.cf{,.orig}
sed -e '/^#mydomain = domain.tld$/ amydomain = reslinger.net' -e 's/^#\(myorigin = $mydomain\)$/\1/' -e '/#relayhost = \[an.ip.add.ress\]/ arelayhost = mail.reslinger.net' -i /etc/postfix/main.cf
sed 's/^#root:.*/root:\t\tadrien/' -i /etc/aliases
postalias /etc/aliases

#######################################################################
# Initial clock load from the network (ARM boards without an RTC)
#######################################################################
# NOTE(review): ARCH is not assigned anywhere visible in this %post (it is a %pre
# variable, and the two sections run in separate shells); if it is unset here the
# arm* branch never runs — confirm how it is carried across.
case "$ARCH" in
  arm*)
    systemctl enable ntpdate
    echo UTC >> /etc/adjtime
    echo 'LANG="fr_FR.UTF-8"' > /etc/locale.conf
    ln -sf ../usr/share/zoneinfo/Europe/Paris /etc/localtime
    ;;
esac

#######################################################################
# chronyd configuration
#######################################################################
#if [ $(grep -ci reslinger.net /etc/chrony.conf) -eq 0 ]; then
# cp -a /etc/chrony.conf{,.old}
# echo -e "# These servers were defined in the installation:\nserver Mercure.Saacy.Reslinger.net iburst" > /etc/chrony.conf
# sed 's/^\(server .*pool.ntp.org.*\)/#\1/' /etc/chrony.conf.old >> /etc/chrony.conf
# rm -f /etc/chrony.conf.old
#fi

#######################################################################
# logrotate configuration
#######################################################################
# Uncomment "compress" (strips any number of leading '#')
sed 's/^#*\(compress\)/\1/' -i /etc/logrotate.conf

#######################################################################
# Post-install script installation (disabled)
#######################################################################
#echo \#\!/bin/bash > /etc/rc.d/rc3.d/S99postinstall
#mkdir -m 700 /root/.ssh
#echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyuDkpjZEF21cqoynQXkChSFRspyDm4QKsioHCo3EHkGeSrFYbLoa6IMF9YHesWOI4nCWu/iM64rIdFtu5O/SJXTRpzJcnCrSLrmreiUbe37KFJ5Dp23B3Q6a5KxZTgMiHRDbojU/COC7fDJLsh+u68FViPodifN0jt1S4IGmquZgohvY4OOJgRU1obluW+vV6SPDaB7BcJOuU/fKynIq3DwYbqvkZGnnZpg8qfnbGwwIqnha8LCtMvpP1g7TggE0m2AMJQvHYddZRhC9cpX9uxm5OWDTslXUbNqcAT5BWKS84VLn+aYLZBFI/K7/0Lw8W+djZlVjTXlh9eliFHvRkQ== adrien@Adrien" > /root/.ssh/authorized_keys
#echo restorecon -v /root/.ssh/authorized_keys >> /etc/rc.d/rc3.d/S99postinstall
#echo rm -f \$0 >> /etc/rc.d/rc3.d/S99postinstall
#chmod 755 /etc/rc.d/rc3.d/S99postinstall

#######################################################################
# Network configuration (disabled)
#######################################################################
#sed '/GATEWAY=/d' -i /etc/sysconfig/network
#echo "NETWORKING_IPV6=yes" >> /etc/sysconfig/network

#######################################################################
# sudo configuration
#######################################################################
# NOTE(review): an unrestricted `rsync` run as root through sudo is in practice
# equivalent to full root (rsync can execute other programs), so the backup rule
# grants more than a read-only backup needs; a restricted wrapper such as rrsync,
# or a fixed argument list in the rule, limits it to the backup paths.  The files
# are chmod'ed but never syntax-checked (`visudo -cf`), which is cheap insurance.
echo "Defaults:backup !requiretty" > /etc/sudoers.d/backup
echo "backup ALL=(ALL) NOPASSWD: /usr/bin/rsync" >> /etc/sudoers.d/backup
echo "adrien ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/adrien
chmod 440 /etc/sudoers.d/*

#######################################################################
# User configuration
#######################################################################
# The libvirt group only exists once libvirt is installed; otherwise usermod fails
# and, with no error handling in this %post, the failure is only visible in the log.
usermod -a -G libvirt adrien

#######################################################################
# fail2ban configuration
#######################################################################
# Overrides go in jail.local (ban 1 week after hits within 1 day, mail-with-whois
# action via `mail`); only the sshd jail is switched on.
touch /etc/fail2ban/paths-overrides.local
cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime = 604800 ; 1 week
#bantime = 172800 ; 48h

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 86400 ; 1 day
#findtime = 3600 ; 1h

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = adrien@reslinger.net

# Sender email address used solely for some actions
sender = root@localhost

# Select mail mta instead of sendmail
mta = mail

# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_mw)s
EOF
cat > /etc/fail2ban/jail.d/02-services.conf << 'EOF'
[sshd]
enabled = true
EOF
systemctl enable fail2ban

#######################################################################
# SSH key installation (disabled — the keys are deployed by the sshkey commands instead)
#######################################################################
#mkdir -m 700 /root/.ssh
#echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyuDkpjZEF21cqoynQXkChSFRspyDm4QKsioHCo3EHkGeSrFYbLoa6IMF9YHesWOI4nCWu/iM64rIdFtu5O/SJXTRpzJcnCrSLrmreiUbe37KFJ5Dp23B3Q6a5KxZTgMiHRDbojU/COC7fDJLsh+u68FViPodifN0jt1S4IGmquZgohvY4OOJgRU1obluW+vV6SPDaB7BcJOuU/fKynIq3DwYbqvkZGnnZpg8qfnbGwwIqnha8LCtMvpP1g7TggE0m2AMJQvHYddZRhC9cpX9uxm5OWDTslXUbNqcAT5BWKS84VLn+aYLZBFI/K7/0Lw8W+djZlVjTXlh9eliFHvRkQ== adrien@Adrien" > /root/.ssh/authorized_keys
#echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKu3KHZzK2Q3Q7SAENONA9796WCjouo3442Du1A/QpXf adrien@Jupiter" >> /root/.ssh/authorized_keys
#chmod 600 /root/.ssh/authorized_keys
#if [ -d /home/backup ]; then
# install -o backup -g backup -m 700 -d /home/backup/.ssh
# echo "ssh-rsa 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 root@max.reslinger.net" >> /home/backup/.ssh/authorized_keys
# chown backup:backup /home/backup/.ssh/authorized_keys
# chmod 600 /home/backup/.ssh/authorized_keys
#fi

#######################################################################
# Serial port access configuration
#######################################################################
if $SERIAL; then
  # # Allow root login on the serial port
  # # /etc/securetty no longer exists in CentOS 8
  # sed -e "s/ttyS0/ttyS${SERIALNB}/" -i /etc/securetty
  # Add the serial tty once (the file was created empty earlier in this %post)
  if [ $(grep -c ttyS${SERIALNB} /etc/securetty) -eq 0 ]; then
    echo ttyS${SERIALNB} >> /etc/securetty
  fi
  # ##systemctl enable serial-getty@ttyUSB0.service
  # #cp /lib/systemd/system/serial-getty@.service \
  # # /etc/systemd/system/serial-getty@ttyS1.service
  # #sed -i "s|^ExecStart=.*$|ExecStart=-/sbin/agetty 9600 %I $TERM|g" \
  # # /etc/systemd/system/serial-getty@ttyS1.service
  # #chmod 644 /etc/systemd/system/serial-getty@ttyS1.service
  # #systemctl --system daemon-reload
  # #systemctl start serial-getty@ttyS1.service
  # #systemctl enable serial-getty@ttyS1.service
  # #systemctl status serial-getty@ttyS1.service
fi
chmod 0644 /etc/securetty

#######################################################################
# IPMI configuration
#######################################################################
# Written to the vendor directory (/usr/lib) rather than /etc/modules-load.d, and on
# every machine type, including virtual ones where the modules simply fail to load.
cat > /usr/lib/modules-load.d/ipmi.conf <<'EOF'
# auto load ipmi modules during boot
ipmi_msghandler
ipmi_devintf
ipmi_si
EOF

#######################################################################
# Custom grub configuration
#######################################################################
# grub console on the serial port
if $SERIAL; then
  sed -e 's/^\(GRUB_TERMINAL=\).*/\1"serial console"/' -e '/^GRUB_TERMINAL=/ aGRUB_SERIAL_COMMAND="serial --speed=115200 --unit='${SERIALNB}' --word=8 --parity=no --stop=1"' -i /etc/default/grub
  # Append "console=ttyUSB0,115200 console=tty0" to GRUB_CMDLINE_LINUX in /etc/default/grub for CentOS 7 ?
fi
# Remove the recovery entries
sed 's/^\(GRUB_DISABLE_RECOVERY=\).*/\1"true"/' -i /etc/default/grub
## French keyboard layout in grub. Requires console-setup
#grub2-kbdcomp -o /boot/grub2/fr.gkb fr
#cat > /etc/grub.d/50_keyboard <<'EOF'
##!/bin/sh
#exec tail -n +3 $0
## Clavier fr
#insmod keylayouts
#keymap /boot/grub2/fr.gkb
#EOF
#chmod +x /etc/grub.d/50_keyboard
#echo 'GRUB_TERMINAL_INPUT="at_keyboard"' >> /etc/default/grub

#######################################################################
# Default boot target
#######################################################################
if $DESKTOP; then
  # #yum groupinstall -y "Bureau GNOME"
  # #ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target
  systemctl set-default graphical.target
  # #cp -a /boot/initramfs-$(ls /lib/modules/).img{,.sav}
  # #dracut -f /boot/initramfs-$(ls /lib/modules/).img $(ls /lib/modules/)
fi
#echo yes > ~/.config/gnome-initial-setup-done

#######################################################################
# grub / dracut configuration update
#######################################################################
# No rescue initramfs
sed 's/yes/no/' /usr/lib/dracut/dracut.conf.d/02-rescue.conf > /etc/dracut.conf.d/02-rescue.conf
# Modules needed for a root filesystem on LVM thin provisioning and RAID
echo 'add_drivers+=" dm-mod dm-snapshot dm-thin-pool dm-mirror dm-raid raid1 raid0 raid10 raid456 "' > /etc/dracut.conf.d/thin-provisionning.conf
# KVM drivers
echo 'force_drivers+=" virtio_net "' > /etc/dracut.conf.d/virtual.conf
echo 'add_drivers+=" virtio_net virtio_balloon virtio_input virtio_console virtio_scsi virtio_blk virtio-gpu "' >> /etc/dracut.conf.d/virtual.conf
# nvme drivers
echo 'force_drivers+=" nvme "' > /etc/dracut.conf.d/nvme.conf
echo 'add_drivers+=" nvme "' >> /etc/dracut.conf.d/nvme.conf

# Helper that points grub's default entry at the newest installed kernel, then
# regenerates grub.cfg in the right place (ESP vendor directory or /boot/grub2).
# NOTE(review): the kernel version is derived by parsing `ls /boot/vmlinuz-*` and
# the final `grep $LASTKERNEL` is unquoted (its dots match any character); this is
# the author's own script written verbatim into the heredoc, so it is left untouched
# here.  The `. /etc/os-release` at its top is what defines $NAME inside the script.
cat > /usr/local/sbin/update-grub << 'EOF'
#!/usr/bin/env bash
. /etc/os-release
if [ -d /sys/firmware/efi -a -e /boot/efi/EFI/centos/grub.cfg ]; then
CONFDIR=/boot/efi/EFI/centos
elif [ -d /sys/firmware/efi -a -e /boot/efi/EFI/rocky/grub.cfg ]; then
CONFDIR=/boot/efi/EFI/rocky
elif [ -d /sys/firmware/efi -a -e /boot/efi/EFI/almalinux/grub.cfg ]; then
CONFDIR=/boot/efi/EFI/almalinux
elif [ -d /sys/firmware/efi -a -e /boot/efi/EFI/redhat/grub.cfg ]; then
CONFDIR=/boot/efi/EFI/redhat
else
CONFDIR=/boot/grub2
fi
#grep "^menuentry" /boot/grub2/grub.cfg | cut -d "'" -f2 | grep -Ev '(with debugging$|-rescue-)' | grep ^"$NAME" | sort -n | tail -n 1
# grep "^menuentry" /boot/grub2/grub.cfg | cut -d "'" -f2 | grep -Ev '(with debugging$|-rescue-)' | head -n1
# grub2-set-default "CentOS Linux (4.7.2-1.el7.elrepo.x86_64) 7 (Core)"
# Contrôle : grub2-editenv list
KERNLIST="$(ls -1 /boot/vmlinuz-* | grep -v rescue | sed 's|/boot/vmlinuz-\([.0-9]*\)-.*|\1|')"
LASTMAJKERNEL="$(echo $KERNLIST | sed 's/ /\n/g' | cut -d. -f1 | sort -n -u | while read i; do
echo $KERNLIST | sed 's/ /\n/g' | grep ^$i | cut -d. -f1-2 | sort -n -u -k2 -t.
done | while read j; do
echo $KERNLIST | sed 's/ /\n/g' | grep ^$j | sort -n -u -k3 -t.
done | tail -n 1)"
KERNLIST="$(ls -1 /boot/vmlinuz-* | grep -v rescue | sed 's|/boot/vmlinuz-'${LASTMAJKERNEL}'-\([.0-9]*\).*|\1|')"
LASTKERNEL="${LASTMAJKERNEL}-$(echo $KERNLIST | sed -e 's/ /\n/g' -e 's/.$//' | cut -d. -f1 | sort -n -u | while read i; do
echo $KERNLIST | sed 's/ /\n/g' | grep ^$i | cut -d. -f1-2 | sort -n -u -k2 -t.
done | while read j; do
echo $KERNLIST | sed 's/ /\n/g' | grep ^$j | sort -n -u -k3 -t.
done | tail -n 1)"
grub2-set-default "$(grep "^menuentry" "${CONFDIR}"/grub.cfg | cut -d \' -f2 | grep -Ev '(with debugging$|-rescue-)' | grep ^"$NAME" | grep $LASTKERNEL | sort -n | tail -n 1)"
grub2-mkconfig -o "${CONFDIR}"/grub.cfg
EOF
chmod +x /usr/local/sbin/update-grub
# NOTE(review): UEFI is not assigned anywhere visible in this %post (it is a %pre
# variable, and the two sections run in separate shells).  If it is unset here,
# `! $UEFI` evaluates to false and update-grub never runs on BIOS machines — confirm
# how the value is meant to reach this section.
if ! $UEFI; then /usr/local/sbin/update-grub; fi

#######################################################################
# Update of the second EFI partition in software RAID1 setups (disabled)
#######################################################################
# dd if=/dev/sda2 of=/dev/sdb2
# efibootmgr --create --disk /dev/sdb --label "CentOS Backup" --load "\\EFI\\centos\\grubx64.efi"

#######################################################################
# initramfs update
#######################################################################
# HDDCRYPT defaults to true for every vendor above, so this runs unless "nocrypt" was
# given on the kernel command line.  The dracut-sshd host keys are generated without
# a passphrase because they have to be usable from the initramfs; that initramfs (and
# /etc/ssh/dracut_ssh_host_*) must therefore stay readable by root only.  The 46sshd
# module path only exists when dracut-sshd was installed (REPO_CRYPTSSH in %pre);
# otherwise `sed -i` fails on the missing file and the rest still runs.
# `ls -tr /lib/modules/ | tail -n 1` picks the most recently modified module
# directory, not necessarily the highest kernel version — presumably equivalent right
# after installation.
if $HDDCRYPT; then
  #if [ -e "/usr/lib/dracut/modules.d/46sshd/sshd_config" ]; then
  # https://github.com/gsauthof/dracut-sshd
  ssh-keygen -t rsa -f /etc/ssh/dracut_ssh_host_rsa_key -N ""
  ssh-keygen -t ecdsa -f /etc/ssh/dracut_ssh_host_ecdsa_key -N ""
  ssh-keygen -t ed25519 -f /etc/ssh/dracut_ssh_host_ed25519_key -N ""
  # Same Kex/Ciphers/MACs as the main sshd, plus a distinct port (222) for the early-boot sshd.
  sed '1 iPort 222\n\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com\n' -i /usr/lib/dracut/modules.d/46sshd/sshd_config
  cp -a /boot/initramfs-$(ls -tr /lib/modules/ | tail -n 1).img{,.old}
  dracut --force /boot/initramfs-$(ls -tr /lib/modules/ | tail -n 1).img $(ls -tr /lib/modules/ | tail -n 1)
fi
# NOTE(review): NAME is not sourced from /etc/os-release anywhere visible in this
# %post (the %pre did that in its own shell), so this comparison may never match — confirm.
if [[ "$NAME" == "Red Hat Enterprise Linux" ]]; then
  subscription-manager unregister
  subscription-manager clean
fi

#######################################################################
# Dropbox installation (disabled)
#######################################################################
#yum localinstall "https://linux.dropbox.com/packages/fedora/nautilus-dropbox-2020.03.04-1.fedora.x86_64.rpm"
#sed 's/$releasever/21/' -i /etc/yum.repos.d/dropbox.repo

#restorecon -ir /etc/sysconfig/network-scripts /var/lib /etc/lvm \
# /dev /etc/iscsi /var/lib/iscsi /root /var/lock /var/log \
# /etc/modprobe.d /etc/sysconfig /var/cache/yum
#
#restorecon -i /etc/rpm/macros /etc/dasd.conf /etc/zfcp.conf /lib64 /usr/lib64 \
# /etc/blkid.tab* /etc/mtab /etc/fstab /etc/resolv.conf \
# /etc/modprobe.conf* /var/log/*tmp /etc/crypttab \
# /etc/mdadm.conf /etc/sysconfig/network /root/install.log* \
# /etc/*shadow* /etc/dhcp/dhclient-*.conf /etc/localtime \
# /root/install.log*
#
#if [ -e /etc/zipl.conf ]; then
# restorecon -i /etc/zipl.conf
#fi
%end

%post --nochroot
# Keep the installer's /tmp (the generated *-include files and installer logs) on the
# installed system for debugging.  NOTE(review): whatever %pre wrote there — including
# the partitioning include, which may carry a LUKS passphrase if one was generated —
# is copied as-is; the copy is only as protected as /root's permissions, so remove or
# redact it once it has served its purpose.
cp -a /tmp /mnt/sysimage/root/tmp_install
%end

#%onerror --interpreter=/usr/bin/bash
#%end