# Kickstart file automatically generated by anaconda.
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user
#version=DEVEL
#
# NOTE(review): this file embeds credential material (crypted root and
# user hashes, the sshpw hash, the LUKS passphrase used in %pre, SSH
# public keys).  Treat it as a secret: serve it only over an
# authenticated/encrypted channel and keep it out of world-readable
# repositories.  The /tmp/*-include files pulled in below are written by
# the %pre script further down in this file.
#install
graphical
#text
%include /tmp/repo-include
# Language and keymap
keyboard --vckeymap=fr-latin9 --xlayouts='fr (latin9)'
lang fr_FR.UTF-8
timezone Europe/Paris --isUtc
# Skip EULA
eula --agreed
# Run the Setup Agent on first boot
firstboot --disabled
#unsupported_hardware
# Installation logging level
logging --level=debug
# Network
#network --onboot yes --device eth0 --bootproto static --ip 88.190.41.95 --netmask 255.255.255.0 --gateway 88.190.41.1 --noipv6 --nameserver 88.191.254.70,88.191.254.60 --hostname max.reslinger.net
#network --onboot no --device eth1 --bootproto dhcp --noipv6
%include /tmp/network-include
# Authentication and security
# NOTE(review): the options on this line (--enableshadow, --passalgo,
# --passmin*, --enablereq*) are the legacy auth/authconfig syntax; on
# RHEL 8 the `authselect` kickstart command passes its arguments to the
# authselect tool, which may reject them — confirm in the installer log.
# --passminlen=10 here is also stricter than the pwpolicy --minlen=8 in
# the %anaconda section below; pick one policy.
authselect --enableshadow --passalgo=sha512 --passminlen=10 --passmaxrepeat=2 --passminclass=4 --enablereqlower --enablerequpper --enablereqdigit --enablereqother
#authselect select sssd with-ecryptfs
#authselect select sssd
# Root password hash (sha512-crypt).  NOTE(review): the same hash is
# reused by `sshpw` below, so the installer environment is reachable
# with the final root credential for the whole duration of the install.
rootpw --iscrypted $6$h2g0.aIuG34zJ7U8$Nq0eFxAd7Vw1aabcJqONiS1yqkjpnk.4rAn8SkaTHRtSFljllmrtQOiiC9NKImNhvDGwltOMlhPsDuiQ1Ydol1
firewall --service=ssh
selinux --enforcing
user --groups=wheel --homedir=/home/adrien --name=adrien --uid=1000 --gid=1000 --password=$6$2/XYIHJ8zfgFPaJD$0eyYczGoQ5CnhT88I9brCiwr2fM23mY0Ai19XbON.NI1V/xQC1dnfw65PdYGoVrSmVerVvSFILYWhoLucwfia/ --iscrypted --gecos="Adrien Reslinger"
# NOTE(review): this `user` line carries no --iscrypted, so kickstart
# takes the value as a *plaintext* password (the literal "$1$..."
# string) rather than as a hash.  Even read as a hash it is MD5-crypt
# ($1$), which is weak: add --iscrypted with a sha512 ($6$) hash, or
# lock the account and rely on the SSH key only.  uid/gid 999 also sit
# at the top of the RHEL 8 system-account range (SYS_UID_MAX), so they
# may collide with a dynamically allocated service account — verify.
user --homedir=/home/backup --name=backup --uid=999 --gid=999 --password=$1$L12EcXxr$vsm7y2F6Z1NzlWF3CPhwk/
# NOTE(review): the same key is authorised for root and for adrien;
# authorising it for adrien only (root via sudo) keeps a per-admin
# audit trail.
sshkey --username=adrien "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKu3KHZzK2Q3Q7SAENONA9796WCjouo3442Du1A/QpXf adrien@Jupiter"
sshkey --username=root "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKu3KHZzK2Q3Q7SAENONA9796WCjouo3442Du1A/QpXf adrien@Jupiter"
#sshkey --username=backup "ssh-rsa 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 root@max.reslinger.net"
# System services
services --enabled="chronyd"
services --enabled=sshd
services --enabled=rngd
# Remote access to the installer environment
# NOTE(review): sshpw reuses the rootpw hash above; anaconda's sshd then
# accepts that password over the network while the install runs.  The
# %pre section already installs an authorized_keys file for the
# installer, so a throw-away hash (or `--lock`) would be enough here.
sshpw --username=root --iscrypted $6$h2g0.aIuG34zJ7U8$Nq0eFxAd7Vw1aabcJqONiS1yqkjpnk.4rAn8SkaTHRtSFljllmrtQOiiC9NKImNhvDGwltOMlhPsDuiQ1Ydol1
# Bootloader
%include /tmp/grub-include
# Partitioning
%include /tmp/part-include
%anaconda
# Installer-UI password policy.  --notstrict lets the operator keep a
# password that fails the quality check.  The luks policy does not cover
# the passphrase that %pre sets directly with cryptsetup.
pwpolicy root --minlen=8 --minquality=1 --notstrict --nochanges --notempty
pwpolicy user --minlen=8 --minquality=1 --notstrict --nochanges --notempty
pwpolicy luks --minlen=8 --minquality=1 --notstrict --nochanges --notempty
%end
# Reboot once the install finishes
reboot
%include /tmp/packages-include
# role: Red Hat Enterprise Linux Server, Red Hat Enterprise Linux Workstation, Red Hat Enterprise Linux Compute Node
#syspurpose ---sla="Self-Support" -role="Red Hat Enterprise Linux Server" --usage=Production
#%addon com_redhat_kdump --enable --reserve-mb='auto' # ou 128
%addon com_redhat_kdump --disable
%end
#%addon org_fedora_oscap
# content-type = scap-security-guide
# profile = pci-dss
#%end
#######################################################################
#######################################################################
# PRE
#######################################################################
#######################################################################
%pre
# Install the SSH key for the installer environment.
# (%pre runs as root inside the installer ramdisk: /root here is the
# installer's home, not the target system's.)
mkdir -m 700 /root/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyuDkpjZEF21cqoynQXkChSFRspyDm4QKsioHCo3EHkGeSrFYbLoa6IMF9YHesWOI4nCWu/iM64rIdFtu5O/SJXTRpzJcnCrSLrmreiUbe37KFJ5Dp23B3Q6a5KxZTgMiHRDbojU/COC7fDJLsh+u68FViPodifN0jt1S4IGmquZgohvY4OOJgRU1obluW+vV6SPDaB7BcJOuU/fKynIq3DwYbqvkZGnnZpg8qfnbGwwIqnha8LCtMvpP1g7TggE0m2AMJQvHYddZRhC9cpX9uxm5OWDTslXUbNqcAT5BWKS84VLn+aYLZBFI/K7/0Lw8W+djZlVjTXlh9eliFHvRkQ== adrien@Adrien" > /root/.ssh/authorized_keys
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKu3KHZzK2Q3Q7SAENONA9796WCjouo3442Du1A/QpXf adrien@Jupiter" >>
/root/.ssh/authorized_keys if [ -z "${ARCH}" ]; then ARCH="`uname -m | sed 's|i.86|i386|'`" fi #On teste la machine (VMware, HP ou Dell) #MACHINE="$(dmidecode -s system-manufacturer| cut -f 1 -d "," |cut -f 1 -d " ")" #MACHINE="$(dmidecode -s system-manufacturer)" MACHINE="$(cat /sys/class/dmi/id/sys_vendor)" case "$MACHINE" in "Supermicro") SERIAL=true SERIALNB=2 HDDCRYPT=true ;; "Red Hat"|QEMU|"OpenStack Foundation") SERIAL=true SERIALNB=0 HDDCRYPT=true ;; "Microsoft Corporation") SERIAL=true SERIALNB=0 HDDCRYPT=true ;; "Dell Inc.") SERIAL=true SERIALNB=0 HDDCRYPT=true ;; "Xen") SERIAL=false HDDCRYPT=true ;; "Google") SERIAL=true SERIALNB=0 HDDCRYPT=true ;; *) SERIAL=false HDDCRYPT=true ;; esac if [ $(grep -E -c '\snouefi($|\s)' /proc/cmdline) -eq 1 ]; then UEFI=false else if [ -d /sys/firmware/efi ]; then UEFI=true else UEFI=false fi fi if [ $(grep -E -c '\scrypt($|\s)' /proc/cmdline) -eq 1 ]; then HDDCRYPT=true fi if [ $(grep -E -c '\snocrypt($|\s)' /proc/cmdline) -eq 1 ]; then HDDCRYPT=false fi if [ $(grep -E -c '\snopkg($|\s)' /proc/cmdline) -eq 1 ]; then PKG=false fi if [ $(grep -E -c '\sdesktop($|\s)' /proc/cmdline) -eq 1 ]; then DESKTOP=true else DESKTOP=false fi if [ $(grep -E -c '\slvmraid($|\s)' /proc/cmdline) -eq 1 ]; then LVMRAID=true elif [ $(grep -E -c '\snolvmraid($|\s)' /proc/cmdline) -eq 1 ]; then LVMRAID=false else LVMRAID=true fi if [ $(grep -E -c '\sreinstall($|\s)' /proc/cmdline) -eq 1 ]; then REINSTALL=true else REINSTALL=false fi ####################################################################### # Récupération de la configuration réseaux ####################################################################### IF="$(ip route show | grep ^default | sed 's/.* dev \([^ ]*\) *.*/\1/' | sort -u)" IP="$(ip addr show $IF | grep inet\ | awk '{print $2}' | cut -d/ -f1)" PREFIX="$(ip addr show $IF | grep inet\ | awk '{print $2}' | cut -d/ -f2)" MASK="$(ipcalc -m $IP/$PREFIX | cut -d= -f2)" GW="$(ip route show | grep ^default | sed 's/.* via \([^ 
]*\) *.*/\1/' | sort -u)" MAC="$(ip addr show $IF | grep ether\ | awk '{print $2}' | cut -d/ -f2 | tr [A-Z] [a-z])" DNS="$(grep nameserver /etc/resolv.conf | grep -v 127.0.0.1 | awk '{printf $2","}' | sed 's/,$//')" if [ $(grep -E -c '\sip='$IP'($|\s)' /proc/cmdline) -eq 1 ]; then echo network --onboot yes --device eth0 --bootproto static --ip $IP --netmask $MASK --gateway $GW --noipv6 --nameserver $DNS --hostname $(hostname -s) > /tmp/network-include #network --onboot no --device eth1 --bootproto dhcp --noipv6 fi if [ ! -f /tmp/network-include ]; then touch /tmp/network-include fi ####################################################################### # Amélioration de l'entropie ####################################################################### #dd if=/dev/random of=/dev/urandom bs=1M count=2 ####################################################################### # Configuration des dépôts ( pas d'espace dans le nom ) ####################################################################### if [ $(grep -E -c '\soffline($|\s)' /proc/cmdline) -eq 0 ]; then REPO_EPEL=false REPO_ELREPO=false REPO_RPMFORGE=false REPO_NUXDEXTOP=false REPO_TOR=false REPO_CRYPTSSH=false REPO_FORENSICS=false if [ "$(domainname -d)" = "Saacy.Reslinger.net" ]; then # if [ true ]; then #echo "url --url=http://repos.reslinger.net/CentOS7/$ARCH/os/" >> /tmp/repo-include echo "url --url=http://repos.reslinger.net/CentOS7/$ARCH/os/" >> /tmp/repo-include echo "repo --name=\"CentOS-7-Base\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/os/ --cost=200" >> /tmp/repo-include echo "repo --name=\"CentOS-7-Update\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/updates/ --cost=100" >> /tmp/repo-include case "$ARCH" in x86_64) echo "repo --name=\"CentOS-7-CentOSPlus\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/centosplus/ --cost=200" >> /tmp/repo-include echo "repo --name=\"CentOS-7-Extras\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/extras/ --cost=200" >> /tmp/repo-include 
echo "repo --name=\"EPEL-7\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/epel/" --cost=300 >> /tmp/repo-include #echo "repo --name=\"ELrepo-7\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/elrepo/" --cost=400 >> /tmp/repo-include # drivers nvidia problématique avec kernel-ml et dracut #echo "repo --name=\"ELrepo-7-kernel\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/elrepo-kernel/" --cost=400 >> /tmp/repo-include #echo "repo --name=\"ELrepo-7-extras\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/elrepo-extras/" --cost=400 >> /tmp/repo-include echo "repo --name=\"RPM-Forge\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/rpmforge/" --cost=400 >> /tmp/repo-include echo "repo --name=\"NUX-Dextop\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/nux-dextop/" --cost=500 >> /tmp/repo-include # "repo --name=\"Tor-EL7\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/tor/" --cost 600 >> /tmp/repo-include echo "repo --name=\"rbu-dracut-crypt-ssh\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/rbu-dracut-crypt-ssh/" --cost 400 >> /tmp/repo-include #echo "repo --name=\"CERT-Forensics-Tools\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/CERT-Forensics-Tools/" --cost 800 >> /tmp/repo-include echo "repo --name=\"CERT-Forensics-Tools\" --baseurl=https://forensics.cert.org/cert/7/$ARCH/" --cost 800 >> /tmp/repo-include REPO_EPEL=true #REPO_ELREPO=true REPO_RPMFORGE=true REPO_NUXDEXTOP=true REPO_TOR=true REPO_CRYPTSSH=true REPO_FORENSICS=true ;; i386) echo "repo --name=\"CentOS-7-CentOSPlus\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/centosplus/ --cost=200" >> /tmp/repo-include echo "repo --name=\"CentOS-7-Extras\" --baseurl=http://repos.reslinger.net/CentOS7/$ARCH/extras/ --cost=200" >> /tmp/repo-include ;; esac else case "$ARCH" in x86_64|ppc64le|aarch64) echo "url --url=http://mirror.centos.org/centos/\$releasever/BaseOS/\$basearch/os/" >> /tmp/repo-include echo "repo --name=BaseOS 
--baseurl=http://mirror.centos.org/centos/\$releasever/BaseOS/\$basearch/os/" >> /tmp/repo-include echo "repo --name=AppStream --baseurl=http://mirror.centos.org/centos/\$releasever/AppStream/\$basearch/os/" >> /tmp/repo-include echo "repo --name=extras --baseurl=http://mirror.centos.org/centos/\$releasever/extras/\$basearch/os/" >> /tmp/repo-include echo "repo --name=PowerTools --baseurl=http://mirror.centos.org/centos/\$releasever/PowerTools/\$basearch/os/" >> /tmp/repo-include echo "repo --name=HighAvailability --baseurl=http://mirror.centos.org/centos/\$releasever/HighAvailability/\$basearch/os/" >> /tmp/repo-include echo "repo --name=epel --baseurl=https://dl.fedoraproject.org/pub/epel/\$releasever/Everything/\$basearch/" >> /tmp/repo-include # Uniquement x86_64 # https://copr-be.cloud.fedoraproject.org/results/gsauthof/dracut-sshd/pubkey.gpg echo "repo --name=dracut-sshd --baseurl=https://download.copr.fedorainfracloud.org/results/gsauthof/dracut-sshd/epel-8-x86_64/" >> /tmp/repo-include #echo "repo --name=\"ELrepo-8\" --baseurl=http://elrepo.org/linux/elrepo/el\$releasever/\$basearch/" --cost=400 >> /tmp/repo-include #echo "repo --name=\"CERT-Forensics-Tools\" --baseurl=https://forensics.cert.org/centos/cert/8/\$basearch/" --cost 800 >> /tmp/repo-include # Pas de EL8 pour le moment #echo "repo --name=\"NUX-Dextop\" --baseurl=http://li.nux.ro/download/nux/dextop/el7/\$basearch/" --cost=500 >> /tmp/repo-include REPO_EPEL=true REPO_CRYPTSSH=true #REPO_ELREPO=true #REPO_NUXDEXTOP=true #REPO_FORENSICS=true ;; i386) echo "url --url=http://springdale.princeton.edu/data/springdale/\$releasever/\$basearch/os/BaseOS/" >> /tmp/repo-include echo "repo --name=BaseOS --baseurl=http://springdale.princeton.edu/data/springdale/\$releasever/\$basearch/os/BaseOS/" >> /tmp/repo-include echo "repo --name=AppStream --baseurl=http://springdale.princeton.edu/data/springdale/\$releasever/\$basearch/os/AppStream/" >> /tmp/repo-include echo "repo --name=BaseOS-Updates 
--baseurl=http://springdale.princeton.edu/data/springdale/updates/\$releasever/BaseOS/\$basearch/" >> /tmp/repo-include echo "repo --name=AppStream-Updates --baseurl=http://springdale.princeton.edu/data/springdale/updates/\$releasever/AppStream/\$basearch/" >> /tmp/repo-include echo "repo --name=Unsupported --baseurl=http://springdale.princeton.edu/data/springdale/unsupported/\$releasever/\$basearch/" >> /tmp/repo-include ;; armv7l) echo "url --url=http://mirror.centos.org/altarch/\$releasever/BaseOS/\$basearch/os/" >> /tmp/repo-include echo "repo --name=BaseOS --baseurl=http://mirror.centos.org/altarch/\$releasever/BaseOS/\$basearch/os/" >> /tmp/repo-include echo "repo --name=AppStream --baseurl=http://mirror.centos.org/altarch/\$releasever/AppStream/\$basearch/os/" >> /tmp/repo-include echo "repo --name=extras --baseurl=http://mirror.centos.org/altarch/\$releasever/extras/\$basearch/os/" >> /tmp/repo-include echo "repo --name=PowerTools --baseurl=http://mirror.centos.org/altarch/\$releasever/PowerTools/\$basearch/os/" >> /tmp/repo-include echo "repo --name=HighAvailability --baseurl=http://mirror.centos.org/altarch/\$releasever/HighAvailability/\$basearch/os/" >> /tmp/repo-include #echo "repo --name=epel --baseurl=https://dl.fedoraproject.org/pub/epel/\$releasever/Everything/\$basearch/" >> /tmp/repo-include # https://copr-be.cloud.fedoraproject.org/results/gsauthof/dracut-sshd/pubkey.gpg echo "repo --name=dracut-sshd --baseurl=https://download.copr.fedorainfracloud.org/results/gsauthof/dracut-sshd/epel-8-x86_64/" >> /tmp/repo-include ;; armv6l|armv5tel) echo "repo --name=BaseOS --baseurl=http://ftp.redsleeve.org/pub/el8/8/BaseOS/ --cost=200" >> /tmp/repo-include echo "repo --name=AppStream --baseurl=http://ftp.redsleeve.org/pub/el8/8/AppStream/ --cost=200" >> /tmp/repo-include echo "repo --name=extra --baseurl=http://ftp.redsleeve.org/pub/el8/8/extra/ --cost=200" >> /tmp/repo-include echo "repo --name=PowerTools/ 
--baseurl=http://ftp.redsleeve.org/pub/el8/8/PowerTools/ --cost=200" >> /tmp/repo-include echo "repo --name=RedSleeve --baseurl=http://ftp.redsleeve.org/pub/el8/8/RedSleeve/ --cost=200" >> /tmp/repo-include echo "repo --name=CodeReady --baseurl=http://ftp.redsleeve.org/pub/el8/8/CodeReady/ --cost=200" >> /tmp/repo-include #echo "repo --name=\"RedSleeve-7-Kernel\" --baseurl=http://ftp.redsleeve.org/pub/el7/raspberrypi/ --cost=200" >> /tmp/repo-include #echo "repo --name=\"RedSleeve-7-EPEL\" --baseurl=http://ftp.redsleeve.org/pub/el7/EPEL/ --cost=400" >> /tmp/repo-include #REPO_EPEL=true ;; esac fi else echo "url --url=http://Mercure.saacy.reslinger.net/CentOS-7/" >> /tmp/repo-include # echo "url --url=http://mirror.ovh.net/ftp.centos.org/7/os/$ARCH/" >> /tmp/repo-include # echo "repo --name=\"CentOS-7-Base\" --baseurl=http://mirror.ovh.net/ftp.centos.org/7/os/$ARCH/ --cost=200" >> /tmp/repo-include # echo "repo --name=\"CentOS-7-Update\" --baseurl=http://mirror.ovh.net/ftp.centos.org/7/updates/$ARCH/ --cost=100" >> /tmp/repo-include # echo "repo --name=\"EPEL-7\" --baseurl=https://dl.fedoraproject.org/pub/epel/7/$ARCH/" --cost=300 >> /tmp/repo-include ## # https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm # echo "repo --name=\"RPM-Forge\" --baseurl=http://apt.sw.be/redhat/el7/en/$ARCH/rpmforge/" --cost=400 >> /tmp/repo-include ## # http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm # echo "repo --name=\"NUX-Dextop\" --baseurl=http://li.nux.ro/download/nux/dextop/el7/$ARCH/" --cost=500 >> /tmp/repo-include ## # http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm # echo "repo --name=\"Tor-EL7\" --baseurl=https://deb.torproject.org/torproject.org/rpm/el/7/$ARCH/" --cost 600 >> /tmp/repo-include fi ####################################################################### # Configuration du boot et du partitionnement 
####################################################################### clean_disk() { HDD="$1" for i in $(parted /dev/$HDD print | sed -n -e '/^Num/,$p' | sed -e '1d' -e '/^$/d' | awk '{print $1}'); do parted -s /dev/$HDD rm $i done if [ -d /sys/firmware/efi ]; then parted -s /dev/$HDD mklabel gpt else parted -s /dev/$HDD mklabel msdos fi } if [ $(grep -E -c '\snopart($|\s)' /proc/cmdline) -eq 0 ]; then cat > /tmp/part-include <> /tmp/part-include for i in $(cat /proc/mdstat | grep ^md | awk '{print $1}'); do mdadm --stop /dev/$i; done if [ $(vgs | sed 1d | wc -l) -ne 0 ]; then for i in $(vgs | sed 1d | awk '{print $1}'); do vgchange -an $i; done fi set $(list-harddrives) # $1 = 1st disk name # $2 = 1st disk size # $3 = 2nd disk name # $4 = 2nd disk size # so on let numhd=$#/2 HDD1=$1 HDD1_SIZE=$2 HDD2=$3 HDD2_SIZE=$4 HDD3=$5 HDD3_SIZE=$6 HDD4=$7 HDD4_SIZE=$8 BOOT_SIZE=1024 SWAP_SIZE=4096 ROOT_SIZE=5120 TMP_SIZE=1024 VAR_SIZE=2048 VARLOG_SIZE=1024 VARLOGAUDIT_SIZE=512 if [ "$(echo $HDD1_SIZE | cut -d. -f1)" -lt 4100 ]; then SWAP_SIZE=128 #BOOT_SIZE=250 ROOT_SIZE=3072 elif [ "$(echo $HDD1_SIZE | cut -d. 
-f1)" -lt 9720 ]; then SWAP_SIZE=1024 fi if [ $(list-harddrives | wc -l) -eq 1 ]; then CONFRAID=false elif [ $(list-harddrives | wc -l) -gt 1 ]; then if [ "${HDD1_SIZE}" = "${HDD2_SIZE}" ]; then CONFRAID=true else CONFRAID=false fi fi MDINDEX=0 DRIVES="$(for i in $(list-harddrives | cut -d\ -f1); do echo -n "$i "; done | sed 's/ $//')" DRIVES=($DRIVES) if $DESKTOP; then if [ $(parted /dev/$HDD1 print | grep -ci ntfs) -gt 0 ]; then CLEARPART_TYPE="--linux" else CLEARPART_TYPE="--all" fi ROOT_SIZE=10240 HOME_SIZE=1024 else CLEARPART_TYPE="--all" fi if [ "${CLEARPART_TYPE}" == "--all" ]; then for DRIVE in "${DRIVES[@]}"; do clean_disk "${DRIVE}" done CLEARPART_TYPE="--none" fi echo -e "clearpart --drives="$(echo ${DRIVES[@]} | tr \ \,)" ${CLEARPART_TYPE}\n" >> /tmp/part-include # Partitions UEFI if $UEFI; then if [ "${CLEARPART_TYPE}" != "--linux" ]; then for DRIVE in "${DRIVES[@]}"; do parted -a optimal /dev/${DRIVE} unit mib mkpart primary 1 3 name 1 grub set 1 bios_grub on echo "part biosboot --fstype=biosboot --onpart=${DRIVE}1" >> /tmp/part-include parted -a optimal /dev/${DRIVE} unit mib mkpart primary 3 256 name 2 EFI set 2 esp on if [ "${#DRIVES[@]}" -gt 1 ]; then echo "part raid.${i}$[${MDINDEX}+1] --onpart=${DRIVE}2" >> /tmp/part-include fi done if [ "${#DRIVES[@]}" -gt 1 ]; then echo -n "raid /boot/efi --fstype=efi --level=RAID1 --device=md${MDINDEX}" >> /tmp/part-include for i in `seq 1 ${#DRIVES[@]}`; do echo -n " raid.${i}$[${MDINDEX}+1]" >> /tmp/part-include done echo >> /tmp/part-include MDINDEX=$[${MDINDEX}+1] else echo "part /boot/efi --fstype=efi --onpart=${DRIVE}2" >> /tmp/part-include fi else echo "part /boot/efi --fstype=efi --onpart=${DRIVE}$(parted /dev/${DRIVE} print | grep EFI | awk '{print $1}') --noformat" >> /tmp/part-include fi fi # Partition /boot if ! 
$CONFRAID; then
# Single-disk layout: /boot as a plain partition, the remainder of the
# disk becomes one (optionally LUKS-encrypted) LVM PV.  Partitions are
# created here with parted and handed to kickstart via --onpart.
PART_INDEX=$(parted /dev/$HDD1 print | sed -n -e '/^Num/,$p' | sed -e '1d' -e '/^$/d' | wc -l)
parted -a optimal /dev/$HDD1 unit mib mkpart primary ext4 256 1280 name $[${PART_INDEX}+1] boot
echo "part /boot --fstype=ext4 --onpart=${HDD1}$[${PART_INDEX}+1]" >> /tmp/part-include
parted -a optimal /dev/$HDD1 unit mib mkpart primary ext4 1280 100% name $[${PART_INDEX}+2] CentOS
# NOTE(review): `[ $HDDCRYPT ]` is a non-empty-string test.  HDDCRYPT
# holds the word "true" or "false" (set from sys_vendor and the kernel
# command line earlier in %pre), so this branch is taken in both cases
# and `nocrypt` has no effect here.  The rest of the script tests it as
# `if $HDDCRYPT; then`; the same `[ $HDDCRYPT ]` appears in the RAID
# branch below.
if [ $HDDCRYPT ]; then
# NOTE(review): the LUKS passphrase is a hard-coded literal that travels
# with this kickstart and is not covered by the `pwpolicy luks` rule.
# Rotate it at first boot (or inject it from a per-host source) and
# treat the kickstart as secret.  aes-xts combined with an ESSIV IV
# generator is an unusual pairing — aes-xts-plain64 is the usual LUKS2
# default; confirm it is intended.
echo -n Ch4ngeM3 | cryptsetup --type luks2 --cipher=aes-xts-essiv:sha256 --hash=sha256 luksFormat /dev/${HDD1}$[${PART_INDEX}+2] -
DEVCRYPT="luks-$(blkid /dev/${HDD1}$[${PART_INDEX}+2] | sed 's|.*UUID="\([^ ]*\)".*|\1|')"
echo -n Ch4ngeM3 | cryptsetup luksOpen /dev/${HDD1}$[${PART_INDEX}+2] "${DEVCRYPT}"
PVLVM="/dev/mapper/${DEVCRYPT}"
else
# NOTE(review): the unencrypted branch points the PV at the whole disk
# (/dev/$HDD1) whereas the encrypted branch uses the partition just
# created (index+2); presumably the partition was intended here too.
PVLVM=/dev/$HDD1
fi
# The VG is created in %pre; the `logvol --vgname=vg_sys` lines appended
# later rely on it already existing.
vgcreate --autobackup y --physicalextentsize 128m vg_sys "${PVLVM}"
#
# echo "part pv.01 --grow --size=1 --ondisk=$HDD1 ${HDDCRYPT_OPT}" >> /tmp/part-include
# echo "volgroup vg_sys --pesize=131072 pv.01" >> /tmp/part-include
elif $CONFRAID; then
# Multi-disk layout: kickstart-managed RAID1 /boot plus one PV per drive.
# (`seq` and `$[...]` are legacy forms of `{1..N}` / `$((...))`.)
if [ $HDDCRYPT ]; then
for i in `seq 1 ${#DRIVES[@]}`; do
echo "part raid.${i}$[${MDINDEX}+1] --size=${BOOT_SIZE} --ondisk=${DRIVES[$i-1]}" >> /tmp/part-include
done
echo -n "raid /boot --fstype=ext4 --level=RAID1 --device=md${MDINDEX}" >> /tmp/part-include
for i in `seq 1 ${#DRIVES[@]}`; do
echo -n " raid.${i}$[${MDINDEX}+1]" >> /tmp/part-include
done
echo >> /tmp/part-include
MDINDEX=$[${MDINDEX}+1]
fi
# NOTE(review): HDDCRYPT_OPT is never assigned anywhere in this file, so
# it expands to nothing and the RAID layout is written *unencrypted*
# even when HDDCRYPT is true.  The kickstart `part --encrypted
# --passphrase=...` options are where the encryption would be requested.
for i in `seq 1 ${#DRIVES[@]}`; do
echo "part pv.0${i} --grow --size=1 --ondisk=${DRIVES[$i-1]} ${HDDCRYPT_OPT}" >> /tmp/part-include
done
echo -n "volgroup vg_sys --pesize=131072" >> /tmp/part-include
for i in `seq 1 ${#DRIVES[@]}`; do
echo -n " pv.0${i}" >> /tmp/part-include
done
echo >> /tmp/part-include
else
echo "Pas de disques trouvés" >&2
fi
# NOTE(review): the here-document body that followed this `cat >>`
# (presumably the root/swap logvol lines) appears to have been stripped
# during extraction; what remains, `<> /tmp/part-include`, is a
# read-write redirection, not a heredoc, and the `if $DESKTOP; then`
# that pairs with the `else` below was presumably lost with it.
cat >> /tmp/part-include <> /tmp/part-include else echo "logvol /tmp --fstype=ext4 --name=lv_tmp --vgname=vg_sys --size=${TMP_SIZE} --fsoptions=\"nodev,noexec,nosuid,discard\" --thin --poolname=system" >>
/tmp/part-include echo "logvol /var --fstype=ext4 --name=lv_var --vgname=vg_sys --size=${VAR_SIZE} --fsoptions=\"nodev,noexec,nosuid,discard\" --thin --poolname=system" >> /tmp/part-include echo "logvol /var/log --fstype=ext4 --name=lv_log --vgname=vg_sys --size=${VARLOG_SIZE} --fsoptions=\"nodev,noexec,nosuid,discard\" --thin --poolname=system" >> /tmp/part-include echo "logvol /var/log/audit --fstype=ext4 --name=lv_logaudit --vgname=vg_sys --size=${VARLOGAUDIT_SIZE} --fsoptions=\"nodev,noexec,nosuid,discard\" --thin --poolname=system" >> /tmp/part-include fi # Configuration des options de boot # Pour des noms d'interfaces traditionnels BOOTLOAD_APPEND="net.ifnames=0 biosdevname=0" # Activation de Zswap # https://wiki.archlinux.org/index.php/Zswap # BOOTLOAD_APPEND="${BOOTLOAD_APPEND} zswap.enabled=1 zswap.compressor=lz4" if $SERIAL; then BOOTLOAD_APPEND="console=tty0 console=ttyS${SERIALNB},115200n8 ${BOOTLOAD_APPEND}" fi # if $NEW_CPU; then # # Disable Meltown and Spectre mitigation on newer CPU # BOOTLOAD_APPEND="nopti noibrs noibpb ${BOOTLOAD_APPEND}" # fi if $HDDCRYPT; then if ${REPO_CRYPTSSH}; then if [ $(grep -E -c '\sip='$IP'($|\s)' /proc/cmdline) -eq 1 ]; then # Syntaxe pour ip= https://www.systutorials.com/docs/linux/man/7-dracut.cmdline/ BOOTLOAD_APPEND="rd.neednet=1 ip=$IP::$GW:$MASK:centos-boot:$IF:off:${DNS/,*} ${BOOTLOAD_APPEND}" else if ! 
$DESKTOP; then BOOTLOAD_APPEND="rd.neednet=1 ip=dhcp ${BOOTLOAD_APPEND}" fi fi fi fi #$UEFI && BLL=partition || BLL=mbr BLL=mbr cat > /tmp/grub-include <> /tmp/part-include # BOOTLOAD_APPEND="net.ifnames=0 biosdevname=0" # echo -e "bootloader --append=\"${BOOTLOAD_APPEND}\"" >> /tmp/grub-include fi ####################################################################### # Configuration de la liste des paquets ####################################################################### if $DESKTOP; then #touch /tmp/packages-include #echo "%packages --instLangs=fr_FR" >> /tmp/packages-include echo "%packages" >> /tmp/packages-include cat >> /tmp/packages-include <<'EOF' @gnome-desktop @fonts @guest-agents @guest-desktop-agents @input-methods @internet-browser @multimedia @network-file-system-client @print-client NetworkManager-libreswan-gnome NetworkManager-libreswan EOF if ${REPO_EPEL}; then cat >> /tmp/packages-include <<'EOF' NetworkManager-fortisslvpn-gnome NetworkManager-l2tp-gnome NetworkManager-openconnect-gnome NetworkManager-openvpn-gnome NetworkManager-pptp-gnome #NetworkManager-vpnc-gnome #NetworkManager-strongswan-gnome strongswan-charon-nm ntfs-3g ntfs-3g-system-compression ntfsprogs EOF fi if ${REPO_NUXDEXTOP}; then cat >> /tmp/packages-include <<'EOF' NetworkManager-iodine-gnome NetworkManager-ssh-gnome fuse-exfat exfat-utils EOF fi else echo "%packages --instLangs=fr_FR" >> /tmp/packages-include #echo "%packages --nobase" > /tmp/packages-include cat >> /tmp/packages-include <<'EOF' @^minimal-environment NetworkManager-config-server NetworkManager-dispatcher-routing-rules usbutils EOF fi cat >> /tmp/packages-include <<'EOF' @core #@french-support NetworkManager-team NetworkManager-bluetooth NetworkManager-wifi NetworkManager-wwan kexec-tools wget rsync screen pciutils dmidecode bash-completion chrony xz #deltarpm # Pas trouvé !!! firewalld postfix smartmontools #ntpdate # Pas trouvé !!! rng-tools #console-setup # Pas trouvé !!! 
device-mapper-event EOF if ${REPO_EPEL}; then cat >> /tmp/packages-include <<'EOF' epel-release pigz #pxz # Pas trouvé !!! fail2ban fail2ban-mail fail2ban-systemd #fail2ban-hostsdeny # requière tcp-wrapper qui n'est plus dans CentOS 8 EOF fi if ${REPO_ELREPO}; then cat >> /tmp/packages-include <<'EOF' elrepo-release EOF fi if ${REPO_NUXDEXTOP}; then cat >> /tmp/packages-include <<'EOF' nux-dextop-release EOF fi if ${REPO_CRYPTSSH}; then cat >> /tmp/packages-include <<'EOF' dracut-sshd EOF fi if ${REPO_FORENSICS}; then cat >> /tmp/packages-include <<'EOF' cert-forensics-tools-release EOF fi if $UEFI; then cat >> /tmp/packages-include <<'EOF' efivar efibootmgr grub2-efi fwupdate EOF case $ARCH in x86_64) echo shim-x64 >> /tmp/packages-include;; i386) echo shim-ia32 >> /tmp/packages-include;; *) echo shim >> /tmp/packages-include;; esac fi case "$MACHINE" in "Supermicro"|"Dell Inc.") echo ipmitool >> /tmp/packages-include ;; "Red Hat"|QEMU) echo spice-vdagent >> /tmp/packages-include ;; "OpenStack Foundation") echo acpid >> /tmp/packages-include ;; "Microsoft Corporation") # https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-upload-centos echo WALinuxAgent >> /tmp/packages-include ;; "Xen") if ${REPO_EPEL}; then echo xe-guest-utilities-latest >> /tmp/packages-include #echo xe-guest-utilities-xenstore >> /tmp/packages-include fi ;; "Google") echo -n >> /dev/null #echo gce-disk-expand >> /tmp/packages-include #echo python-google-compute-engine >> /tmp/packages-include #echo google-compute-engine >> /tmp/packages-include #echo google-compute-engine-oslogin >> /tmp/packages-include #echo google-cloud-sdk >> /tmp/packages-include ;; "VMware") echo open-vm-tools >> /dev/null ;; *) echo -n >> /dev/null ;; esac # centos-release-qemu-ev # usbutils libvirt-client OVMF qemu-kvm-ev echo "%end" >> /tmp/packages-include $PKG || echo -n > /tmp/packages-include # Utile pour le débogage #sleep 300 ## A t'on assez de RAM if [ $(free -m | grep ^Mem: | awk '{print $2}') 
-lt 1000 ]; then
# Less than ~1 GiB of RAM in the installer: add a zram swap device so
# anaconda has room to work.  MEM is total RAM in KiB divided by 1.2.
MEM=$(free -k | grep -e "^Mem:" | awk '{printf("%d\n",$2/1.2)}')
if [ $(lsmod | grep -c zram) -eq 0 ]; then
modprobe zram
ZRAMID=0
else
# zram already loaded: allocate a fresh device id rather than reuse zram0
ZRAMID=$(cat /sys/class/zram-control/hot_add)
fi
# echo 1 > /sys/block/zram0/reset
if [ -e /sys/block/zram${ZRAMID}/comp_algorithm ]; then
if [ $(grep -c lz4 /sys/block/zram${ZRAMID}/comp_algorithm) -eq 1 ]; then
echo lz4 > /sys/block/zram${ZRAMID}/comp_algorithm
fi
fi
# Newer zram exposes mem_limit: cap compressed memory at MEM and let the
# logical size be twice that; older zram only has disksize.
if [ -e /sys/block/zram${ZRAMID}/mem_limit ]; then
echo $[${MEM}*2]k > /sys/block/zram${ZRAMID}/disksize
echo ${MEM}k > /sys/block/zram${ZRAMID}/mem_limit
else
echo ${MEM}k > /sys/block/zram${ZRAMID}/disksize
fi
#mkdir /mnt/zram
#mke2fs -q -m 0 -b 4096 -O sparse_super -L zram /dev/zram0
#mount -o relatime,noexec,nosuid /dev/zram0 /mnt/zram
#chmod 1777 /mnt/zram/
mkswap /dev/zram${ZRAMID}
# NOTE(review): `swappon` is not a command (typo for `swapon`), so the
# device is never enabled and this whole block is effectively a no-op;
# nothing here checks exit status, so the failure is only in the log.
swappon -p 10 /dev/zram${ZRAMID}
# cat /sys/block/zram0/mem_used_total
# Zswap activation
#echo lz4 > /sys/module/zswap/parameters/compressor
#echo 1 > /sys/module/zswap/parameters/enabled
fi
%end
#######################################################################
#######################################################################
# POST
#######################################################################
#######################################################################
# First %post stage, run *outside* the chroot: the target system is
# mounted under /mnt/sysimage and the installer's tools (list-harddrives,
# lvm) are still available.
%post --nochroot
set $(list-harddrives)
# $1 = 1st disk name
# $2 = 1st disk size
# $3 = 2nd disk name
# $4 = 2nd disk size
# so on
let numhd=$#/2
HDD1=$1
HDD1_SIZE=$2
HDD2=$3
HDD2_SIZE=$4
HDD3=$5
HDD3_SIZE=$6
HDD4=$7
HDD4_SIZE=$8
# LVM configuration still to do
#/sbin/lvm lvextend --poolmetadatasize +1G vg_sys/system #--config 'global {locking_type=1}'
# WARNING: You have not turned on protection against thin pools running out of space.
# WARNING: Set activation/thin_pool_autoextend_threshold below 100 to trigger automatic extension of thin pools before they get full.
# Mirror the thin pool's own sub-LVs (tmeta/tdata) across disks: RAID5
# with three equal-sized disks, RAID1 otherwise.  Only these two LVs are
# converted; thin volumes are carved from tdata so they inherit the
# pool's redundancy.  Requires the sizes set from list-harddrives above.
if [ $(list-harddrives | wc -l) -gt 1 ]; then
if [ "${HDD1_SIZE}" = "${HDD2_SIZE}" ]; then
# lvs -a -o name,copy_percent,devices vg_sys
if [ -e /dev/vg_sys/lv_root ]; then
for LV in system_tmeta system_tdata; do
if [ $(list-harddrives | wc -l) -gt 2 ]; then
if [ "${HDD2_SIZE}" = "${HDD3_SIZE}" ]; then
lvconvert --yes --type raid5 --stripes 2 --stripesize 128k vg_sys/$LV
else
lvconvert --yes --type raid1 -m 1 vg_sys/$LV
fi
else
lvconvert --yes --type raid1 -m 1 vg_sys/$LV
fi
done
fi
fi
fi
# Enable thin-pool auto-extend, because a full metadata LV means a
# corrupted filesystem.  (`\180` is back-reference \1 followed by "80".)
# https://support.hpe.com/hpsc/doc/public/display?docId=mmr_kc-0126706
# Recovery : https://www.redhat.com/archives/linux-lvm/2014-December/msg00015.html
sed -e 's/^\(\s*thin_pool_autoextend_threshold = \)[0-9]*/\180/' \
-e 's/^\(\s*thin_pool_autoextend_percent = \)[0-9]*/\110/' \
-i /mnt/sysimage/etc/lvm/lvm.conf
# Compression and autodefrag on every BTRFS filesystem (and nodev,noexec,
# nosuid on a BTRFS /home).  No-op when no btrfs line exists in fstab.
sed -e '/btrfs/ s|\(\s*/home\s*btrfs\s*\)|\1nodev,noexec,nosuid,|' -i /mnt/sysimage/etc/fstab
sed -e '/btrfs/ s|\(btrfs\s*\)|\1compress=lzo,autodefrag,|' -i /mnt/sysimage/etc/fstab
mount | grep btrfs | awk '{print $3}' | while read SF; do
if [ "$(mount | grep on\ "$SF"\ | awk '{print $5}')" == "btrfs" ]; then
btrfs filesystem defragment -r -clzo "$SF"/
fi
done
%end
# Second %post stage, chrooted into the installed system.  This is a
# fresh shell: none of the %pre / --nochroot variables (ARCH, IP, PKG...)
# carry over.  `%post --log=/root/ks-post.log` would keep the errors.
%post
# Detect the platform (VMware, HP or Dell...).
# NOTE(review): this table duplicates the one in %pre but is not
# identical (the "HP" arm exists only here); keep the two in sync.
#MACHINE="$(dmidecode -s system-manufacturer| cut -f 1 -d "," |cut -f 1 -d " ")"
#MACHINE="$(dmidecode -s system-manufacturer)"
MACHINE="$(cat /sys/class/dmi/id/sys_vendor)"
case "$MACHINE" in
"Supermicro")
SERIAL=true
SERIALNB=2
HDDCRYPT=true
;;
"Red Hat"|QEMU|"OpenStack Foundation")
SERIAL=true
SERIALNB=0
HDDCRYPT=true
;;
"Microsoft Corporation")
SERIAL=true
SERIALNB=0
HDDCRYPT=true
;;
"Dell Inc.")
# Not tested
SERIAL=true
SERIALNB=0
HDDCRYPT=true
;;
"HP")
# Not tested
SERIAL=true
SERIALNB=0
HDDCRYPT=true
;;
"Xen")
SERIAL=false
HDDCRYPT=true
;;
"Google")
SERIAL=true
SERIALNB=0
HDDCRYPT=true
;;
*)
SERIAL=false
HDDCRYPT=true
;;
esac
# Kernel command-line overrides, same grammar as in %pre.
if [ $(grep -E -c '\scrypt($|\s)' /proc/cmdline) -eq 1 ]; then
HDDCRYPT=true
fi
if [ $(grep -E -c '\snocrypt($|\s)' /proc/cmdline) -eq 1 ]; then
HDDCRYPT=false
fi
if [ $(grep -E -c '\snopkg($|\s)' /proc/cmdline) -eq 1 ]; then
PKG=false
fi
if [ $(grep -E -c '\sdesktop($|\s)' /proc/cmdline) -eq 1 ]; then
DESKTOP=true
else
DESKTOP=false
fi
#######################################################################
# Import the repository GPG keys
#######################################################################
# NOTE(review): every key file shipped under /etc/pki/rpm-gpg/ is
# trusted blindly, including keys from third-party -release packages.
# Style: iterate a glob (`for FICHIER in /etc/pki/rpm-gpg/*`) rather
# than parsing `ls`.
for FICHIER in $(ls /etc/pki/rpm-gpg/); do
if [ -f /etc/pki/rpm-gpg/"$FICHIER" ]; then
rpm --import /etc/pki/rpm-gpg/"$FICHIER"
fi
done
#######################################################################
# Restrict root access
#######################################################################
# An *empty* /etc/securetty makes pam_securetty refuse root on every
# local tty, including the serial console enabled via SERIAL below.
# NOTE(review): confirm that a recovery path for root still exists.
touch /etc/securetty
#chmod 0644 /etc/securetty
# restorecond ?
# NOTE(review): inserts at line 2 unconditionally; if the stock
# /etc/pam.d/login already carries this pam_securetty line it ends up
# duplicated — guard with a `grep -q pam_securetty` first.
sed '2 iauth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so' -i /etc/pam.d/login
#######################################################################
# Restrict visibility of other users' PIDs in /proc
#######################################################################
# NOTE(review): hidepid=2 on /proc is known to interfere with systemd
# user sessions (logind/polkit) on some releases — confirm on RHEL 8,
# and consider a `gid=` exception for the relevant group.
if ! $DESKTOP; then
echo "proc /proc proc rw,nosuid,nodev,noexec,relatime,defaults,hidepid=2 0 0" >> /etc/fstab
fi
#######################################################################
# Restrict SSH access for root
#######################################################################
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
# `without-password` is the older spelling of `prohibit-password`
# (key-only root login).  NOTE(review): root remains reachable over SSH
# with the key authorised above; `AllowUsers` without root would force
# the sudo path and a per-admin audit trail.
sed 's/^\(#\|\)PermitRootLogin.*/PermitRootLogin without-password/' -i /etc/ssh/sshd_config
# NOTE(review): the three `a` commands chain on anchor lines
# (`# Ciphers and keying`, then the lines just inserted).  If the
# anchor comment is absent from the shipped sshd_config, none of the
# three is written and the failure is silent.  On RHEL 8 the sshd unit
# also applies the system crypto policy via command-line options, which
# take precedence over these directives — verify the effective
# algorithms with `sshd -T` after install.
sed '/^# Ciphers and keying/ aKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' -i /etc/ssh/sshd_config
sed '/^KexAlgorithms/ aCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com' -i /etc/ssh/sshd_config
sed '/^Ciphers/ aMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com' -i /etc/ssh/sshd_config
echo "AllowUsers root adrien backup" >> /etc/ssh/sshd_config
# Drop DH group-exchange moduli smaller than ~2048 bits (column 5 is
# the modulus size).  Keeps the original file when nothing survives.
# NOTE(review): /dev/shm/moduli is a predictable name in a shared tmp
# directory; `mktemp` would be the safer scratch file.
if [ -f /etc/ssh/moduli ]; then
awk '$5 > 2000' /etc/ssh/moduli > /dev/shm/moduli
if [ $(wc -l /dev/shm/moduli | cut -f1 -d\ ) -gt 0 ]; then
cat /dev/shm/moduli > /etc/ssh/moduli
fi
#else
# ssh-keygen -G /etc/ssh/moduli.all -b 4096
# ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all
# mv /etc/ssh/moduli.safe /etc/ssh/moduli
# rm -f /etc/ssh/moduli.all
fi
#######################################################################
# Access restriction with TCP Wrappers
#######################################################################
# NOTE(review): as the packages section itself remarks, tcp_wrappers is
# no longer part of CentOS/RHEL 8, so hosts.allow / hosts.deny are not
# consulted by sshd there; firewalld (already limited to the ssh
# service) is the effective control.  The heredoc below is literal
# ('EOF'), so its contents are left exactly as shipped.
echo "ALL:ALL EXCEPT 127.0.0.1:DENY" >> /etc/hosts.deny
cat >> /etc/hosts.allow << 'EOF'
sshd:ALL
# Pour NFS
#portmap:172.16.0.0/255.255.255.0 172.16.2.0/255.255.255.0 172.16.255.0/255.255.255.0
#lockd:172.16.0.0/255.255.255.0 172.16.2.0/255.255.255.0 172.16.255.0/255.255.255.0
#mountd:172.16.0.0/255.255.255.0 172.16.2.0/255.255.255.0 172.16.255.0/255.255.255.0
#rquotad:172.16.0.0/255.255.255.0 172.16.2.0/255.255.255.0 172.16.255.0/255.255.255.0
#statd:172.16.0.0/255.255.255.0 172.16.2.0/255.255.255.0 172.16.255.0/255.255.255.0
# Pour Saned
#sane:172.16.0.0/255.255.255.0
# Pour ProFTPd
#in.ftpd:ALL
# Pour le tftp
#in.tftpd:172.16.0.0/255.255.255.0 192.168.1.1
# Pour VMware
#vmware-authd:172.16.0.0/255.255.255.0 172.16.2.0/255.255.255.0 172.16.255.0/255.255.255.0
# Pour SNMP
#snmpd:172.16.0.0/255.255.255.0 172.16.2.0/255.255.255.0 172.16.255.0/255.255.255.0
EOF
#######################################################################
# Postfix configuration
#######################################################################
# Keep a pristine copy, then set mydomain/myorigin/relayhost by editing
# the commented template lines of the stock main.cf; root mail goes to
# adrien.
cp -a /etc/postfix/main.cf{,.orig}
sed -e '/^#mydomain = domain.tld$/ amydomain = reslinger.net' -e 's/^#\(myorigin = $mydomain\)$/\1/' -e '/#relayhost = \[an.ip.add.ress\]/ arelayhost = mail.reslinger.net' -i /etc/postfix/main.cf
sed 's/^#root:.*/root:\t\tadrien/' -i /etc/aliases
postalias /etc/aliases
#######################################################################
# Initial clock load from the network
#######################################################################
# NOTE(review): ARCH is set in %pre only; this chrooted %post is a
# separate shell, so unless the installer exports it the variable is
# empty here and the arm* arm never matches.
case "$ARCH" in
arm*)
systemctl enable ntpdate
echo UTC >> /etc/adjtime
echo 'LANG="fr_FR.UTF-8"' > /etc/locale.conf
ln -sf ../usr/share/zoneinfo/Europe/Paris /etc/localtime
;;
esac
#######################################################################
# chronyd configuration
#######################################################################
# Replace the pool.ntp.org servers with the local one, keeping the old
# entries commented for reference.  Idempotent: skipped when the file
# already mentions reslinger.net.
if [ $(grep -ci reslinger.net /etc/chrony.conf) -eq 0 ]; then
cp -a /etc/chrony.conf{,.old}
echo -e "# These servers were defined in the installation:\nserver Mercure.Saacy.Reslinger.net iburst" > /etc/chrony.conf
sed 's/^\(server .*pool.ntp.org.*\)/#\1/' /etc/chrony.conf.old >> /etc/chrony.conf
rm -f /etc/chrony.conf.old
fi
#######################################################################
# logrotate configuration
#######################################################################
# Uncomment `compress` (handles `#compress` and `##compress`).
sed 's/^#*\(compress\)/\1/' -i /etc/logrotate.conf
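#######################################################################
# Post-install script (disabled)
#######################################################################
#echo \#\!/bin/bash > /etc/rc.d/rc3.d/S99postinstall
#mkdir -m 700 /root/.ssh
#echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyuDkpjZEF21cqoynQXkChSFRspyDm4QKsioHCo3EHkGeSrFYbLoa6IMF9YHesWOI4nCWu/iM64rIdFtu5O/SJXTRpzJcnCrSLrmreiUbe37KFJ5Dp23B3Q6a5KxZTgMiHRDbojU/COC7fDJLsh+u68FViPodifN0jt1S4IGmquZgohvY4OOJgRU1obluW+vV6SPDaB7BcJOuU/fKynIq3DwYbqvkZGnnZpg8qfnbGwwIqnha8LCtMvpP1g7TggE0m2AMJQvHYddZRhC9cpX9uxm5OWDTslXUbNqcAT5BWKS84VLn+aYLZBFI/K7/0Lw8W+djZlVjTXlh9eliFHvRkQ== adrien@Adrien" > /root/.ssh/authorized_keys
#echo restorecon -v /root/.ssh/authorized_keys >> /etc/rc.d/rc3.d/S99postinstall
#echo rm -f \$0 >> /etc/rc.d/rc3.d/S99postinstall
#chmod 755 /etc/rc.d/rc3.d/S99postinstall

#######################################################################
# Network configuration (disabled)
#######################################################################
#sed '/GATEWAY=/d' -i /etc/sysconfig/network
#echo "NETWORKING_IPV6=yes" >> /etc/sysconfig/network

#######################################################################
# sudo configuration
#######################################################################
# backup: passwordless rsync as root (presumably for pull-style backups over
# ssh); requiretty is lifted so it works from a non-interactive session.
# NOTE(review): an unrestricted rsync run as root is effectively full root,
# since rsync can read or overwrite any path.  If the backup job's command
# line is fixed, pin that exact command here (or use a dedicated wrapper)
# rather than the bare binary.
printf '%s\n' 'Defaults:backup !requiretty' 'backup ALL=(ALL) NOPASSWD: /usr/bin/rsync' > /etc/sudoers.d/backup
# adrien: full passwordless sudo
printf '%s\n' 'adrien ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/adrien
chmod 440 /etc/sudoers.d/*
# sudo rejects a sudoers.d fragment that does not parse, so check the two
# files now.  Warning only: the install is not aborted for it.
if command -v visudo >/dev/null 2>&1; then
  for SUDOERS_FRAGMENT in /etc/sudoers.d/backup /etc/sudoers.d/adrien; do
    visudo -cf "$SUDOERS_FRAGMENT" >/dev/null 2>&1 \
      || printf 'WARNING: %s does not parse\n' "$SUDOERS_FRAGMENT" >&2
  done
fi

#######################################################################
# User configuration
#######################################################################
# NOTE(review): if libvirt is not installed the group does not exist and this
# presumably just logs an error (nothing in this section aborts on failure).
usermod -a -G libvirt adrien

#######################################################################
# fail2ban configuration
#######################################################################
# empty overrides file (presumably referenced by the stock paths-*.conf
# includes; verify it is still needed with the installed fail2ban)
touch /etc/fail2ban/paths-overrides.local
cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime = 604800 ; 1 week
#bantime = 172800 ; 48h

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 86400 ; 1 day
#findtime = 3600 ; 1h

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = adrien@reslinger.net

# Sender email address used solely for some actions
sender = root@localhost

# Select mail mta instead of sendmail
mta = mail

# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_mw)s
EOF
# Only the sshd jail is enabled.  action_mw also sends mail through
# "mta = mail", so a working mail command and relay are needed for it.
cat > /etc/fail2ban/jail.d/02-services.conf << 'EOF'
[sshd]
enabled = true
EOF
systemctl enable fail2ban

#######################################################################
# SSH key installation (disabled; superseded by the sshkey directives at
# the top of this kickstart)
#######################################################################
#mkdir -m 700 /root/.ssh
#echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyuDkpjZEF21cqoynQXkChSFRspyDm4QKsioHCo3EHkGeSrFYbLoa6IMF9YHesWOI4nCWu/iM64rIdFtu5O/SJXTRpzJcnCrSLrmreiUbe37KFJ5Dp23B3Q6a5KxZTgMiHRDbojU/COC7fDJLsh+u68FViPodifN0jt1S4IGmquZgohvY4OOJgRU1obluW+vV6SPDaB7BcJOuU/fKynIq3DwYbqvkZGnnZpg8qfnbGwwIqnha8LCtMvpP1g7TggE0m2AMJQvHYddZRhC9cpX9uxm5OWDTslXUbNqcAT5BWKS84VLn+aYLZBFI/K7/0Lw8W+djZlVjTXlh9eliFHvRkQ== adrien@Adrien" > /root/.ssh/authorized_keys
#echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKu3KHZzK2Q3Q7SAENONA9796WCjouo3442Du1A/QpXf adrien@Jupiter" >> /root/.ssh/authorized_keys
#chmod 600 /root/.ssh/authorized_keys
#if [ -d /home/backup ]; then
#  install -o backup -g backup -m 700 -d /home/backup/.ssh
#  echo "ssh-rsa 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 root@max.reslinger.net" >> /home/backup/.ssh/authorized_keys
#  chown backup:backup /home/backup/.ssh/authorized_keys
#  chmod 600 /home/backup/.ssh/authorized_keys
#fi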
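#######################################################################
# Serial console access
#######################################################################
if $SERIAL; then
  # Allow root to log in on the serial port by listing its tty in
  # /etc/securetty.  Exact-line match, so ttyS1 does not satisfy a check
  # for ttyS10.  The file no longer ships with CentOS 8 (it is created
  # earlier in this script if it does not exist).
  # sed -e "s/ttyS0/ttyS${SERIALNB}/" -i /etc/securetty
  if ! grep -qx "ttyS${SERIALNB}" /etc/securetty; then
    echo "ttyS${SERIALNB}" >> /etc/securetty
  fi
  # ##systemctl enable serial-getty@ttyUSB0.service
  # #cp /lib/systemd/system/serial-getty@.service \
  # #   /etc/systemd/system/serial-getty@ttyS1.service
  # #sed -i "s|^ExecStart=.*$|ExecStart=-/sbin/agetty 9600 %I $TERM|g" \
  # #   /etc/systemd/system/serial-getty@ttyS1.service
  # #chmod 644 /etc/systemd/system/serial-getty@ttyS1.service
  # #systemctl --system daemon-reload
  # #systemctl start serial-getty@ttyS1.service
  # #systemctl enable serial-getty@ttyS1.service
  # #systemctl status serial-getty@ttyS1.service
fi
# world-readable is fine: the file lists tty names, not secrets
chmod 0644 /etc/securetty

#######################################################################
# IPMI configuration
#######################################################################
# /usr/lib/modules-load.d is the vendor directory and /etc/modules-load.d
# the administrator one; kept under /usr/lib as the author placed it.
cat > /usr/lib/modules-load.d/ipmi.conf <<'EOF'
# auto load ipmi modules during boot
ipmi_msghandler
ipmi_devintf
ipmi_si
EOF

#######################################################################
# Custom grub configuration
#######################################################################
# grub console on the serial port (unit number comes from SERIALNB)
if $SERIAL; then
  sed -e 's/^\(GRUB_TERMINAL_OUTPUT=\).*/\1"serial console"/' -e '/^GRUB_TERMINAL_OUTPUT=/ aGRUB_SERIAL_COMMAND="serial --speed=115200 --unit='${SERIALNB}' --word=8 --parity=no --stop=1"' -i /etc/default/grub
  # Add "console=ttyUSB0,115200 console=tty0" at the end of GRUB_CMDLINE_LINUX in /etc/default/grub for CentOS 7?
fi
# Drop the recovery entries
sed 's/^\(GRUB_DISABLE_RECOVERY=\).*/\1"true"/' -i /etc/default/grub
## French keyboard layout; needs console-setup
#grub2-kbdcomp -o /boot/grub2/fr.gkb fr
#cat > /etc/grub.d/50_keyboard <<'EOF'
##!/bin/sh
#exec tail -n +3 $0
## Clavier fr
#insmod keylayouts
#keymap /boot/grub2/fr.gkb
#EOF
#chmod +x /etc/grub.d/50_keyboard
#echo 'GRUB_TERMINAL_INPUT="at_keyboard"' >> /etc/default/grub

#######################################################################
# Default boot target (disabled)
#######################################################################
#if $DESKTOP; then
#  #yum groupinstall -y "Bureau GNOME"
#  #ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target
#  systemctl set-default graphical.target
#  #cp -a /boot/initramfs-$(ls /lib/modules/).img{,.sav}
#  #dracut -f /boot/initramfs-$(ls /lib/modules/).img $(ls /lib/modules/)
#fi
#echo yes > ~/.config/gnome-initial-setup-done

#######################################################################
# Update the grub configuration
#######################################################################
# No rescue initramfs
sed 's/yes/no/' /usr/lib/dracut/dracut.conf.d/02-rescue.conf > /etc/dracut.conf.d/02-rescue.conf
# Modules needed for a root filesystem on LVM thin provisioning and on RAID.
# NOTE(review): the pattern only matches an add_drivers line whose leading
# "#"s are directly followed by the keyword; if the stock file spells it
# differently the append is silently skipped -- check /etc/dracut.conf afterwards.
sed 's/^#*\(add_drivers+=".*\)"/\1dm-mod dm-snapshot dm-thin-pool dm-mirror dm-raid raid1 raid0 raid10 raid456"/' -i /etc/dracut.conf
# Helper that picks the newest non-rescue kernel as the default grub entry
# and regenerates grub.cfg.  Quoted heredoc: nothing below is expanded here.
# NOTE(review): it greps "menuentry" lines out of grub.cfg; with BLS enabled
# (GRUB_ENABLE_BLSCFG=true, the RHEL 8 default) kernel entries live in
# /boot/loader/entries and that grep comes up empty -- confirm on the target.
cat > /usr/local/sbin/update-grub << 'EOF'
#!/bin/sh
. /etc/os-release
if [ -d /sys/firmware/efi -a -e /boot/efi/EFI/centos/grub.cfg ]; then
  CONFDIR=/boot/efi/EFI/centos
else
  CONFDIR=/boot/grub2
fi
#grep "^menuentry" /boot/grub2/grub.cfg | cut -d "'" -f2 | grep -Ev '(with debugging$|-rescue-)' | grep ^"$NAME" | sort -n | tail -n 1
# grep "^menuentry" /boot/grub2/grub.cfg | cut -d "'" -f2 | grep -Ev '(with debugging$|-rescue-)' | head -n1
# grub2-set-default "CentOS Linux (4.7.2-1.el7.elrepo.x86_64) 7 (Core)"
# Contrôle : grub2-editenv list
KERNLIST="$(ls -1 /boot/vmlinuz-* | grep -v rescue | sed 's|/boot/vmlinuz-\([.0-9]*\)-.*|\1|')"
LASTMAJKERNEL="$(echo $KERNLIST | sed 's/ /\n/g' | cut -d. -f1 | sort -n -u | while read i; do
  echo $KERNLIST | sed 's/ /\n/g' | grep ^$i | cut -d. -f1-2 | sort -n -u -k2 -t.
done | while read j; do
  echo $KERNLIST | sed 's/ /\n/g' | grep ^$j | sort -n -u -k3 -t.
done | tail -n 1)"
KERNLIST="$(ls -1 /boot/vmlinuz-* | grep -v rescue | sed 's|/boot/vmlinuz-'${LASTMAJKERNEL}'-\([.0-9]*\).*|\1|')"
LASTKERNEL="${LASTMAJKERNEL}-$(echo $KERNLIST | sed -e 's/ /\n/g' -e 's/.$//' | cut -d. -f1 | sort -n -u | while read i; do
  echo $KERNLIST | sed 's/ /\n/g' | grep ^$i | cut -d. -f1-2 | sort -n -u -k2 -t.
done | while read j; do
  echo $KERNLIST | sed 's/ /\n/g' | grep ^$j | sort -n -u -k3 -t.
done | tail -n 1)"
grub2-set-default "$(grep "^menuentry" "${CONFDIR}"/grub.cfg | cut -d "'" -f2 | grep -Ev '(with debugging$|-rescue-)' | grep ^"$NAME" | grep $LASTKERNEL | sort -n | tail -n 1)"
grub2-mkconfig -o "${CONFDIR}"/grub.cfg
EOF
chmod +x /usr/local/sbin/update-grub
# Run it right away on non-UEFI installs.
if ! $UEFI; then /usr/local/sbin/update-grub; fi

#######################################################################
# Second EFI partition in software RAID1 setups (manual, disabled)
#######################################################################
# dd if=/dev/sda2 of=/dev/sdb2
# efibootmgr --create --disk /dev/sdb --label "CentOS Backup" --load "\\EFI\\centos\\grubx64.efi"

#######################################################################
# Rebuild the initramfs (encrypted root: remote unlock via an sshd in the initramfs)
#######################################################################
if $HDDCRYPT; then
  # https://github.com/gsauthof/dracut-sshd
  # The initramfs sshd needs the host keys now (normally sshd-keygen only
  # creates them at first boot).  -q -N "" keeps this non-interactive and the
  # existence test avoids ssh-keygen's overwrite prompt on a re-run.
  # NOTE(review): the private keys are copied into the initramfs; confirm
  # /boot/initramfs-*.img is root-only readable on the target.
  for KEYTYPE in rsa ecdsa ed25519; do
    HOSTKEY="/etc/ssh/ssh_host_${KEYTYPE}_key"
    if [ ! -e "$HOSTKEY" ]; then
      ssh-keygen -q -t "$KEYTYPE" -f "$HOSTKEY" -N ""
    fi
  done
  # Pull libutil/libfipscheck into the image next to sshd.  The sed script is
  # one single-quoted string so the * patterns reach sed (and the module)
  # untouched instead of being globbed by this shell first.
  # NOTE(review): files under /usr/lib/dracut/modules.d belong to the
  # dracut-sshd package and are overwritten on upgrade; check whether the
  # installed version honours a configuration override under /etc.
  sed '/inst_simple \/usr\/sbin\/sshd/ i\ inst_libdir_file libutil*.so* libfipscheck*.so*\n' -i /usr/lib/dracut/modules.d/46sshd/module-setup.sh
  # Initramfs sshd on port 222 with the same algorithm lists as the main sshd.
  sed '1 iPort 222\n\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com\n' -i /usr/lib/dracut/modules.d/46sshd/sshd_config
  # Newest installed kernel by mtime; uname -r would report the running
  # (installer) kernel inside this chroot, not necessarily the installed one.
  KVER="$(ls -tr /lib/modules/ | tail -n 1)"
  cp -a "/boot/initramfs-${KVER}.img"{,.old}
  dracut --force "/boot/initramfs-${KVER}.img" "$KVER"
fi

#######################################################################
# Dropbox installation (disabled)
#######################################################################
#yum localinstall "https://www.dropbox.com/download?dl=packages/fedora/nautilus-dropbox-2015.10.28-1.fedora.x86_64.rpm"
#sed 's/$releasever/19/' -i /etc/yum.repos.d/dropbox.repo
#restorecon -ir /etc/sysconfig/network-scripts /var/lib /etc/lvm \
#  /dev /etc/iscsi /var/lib/iscsi /root /var/lock /var/log \
#  /etc/modprobe.d /etc/sysconfig /var/cache/yum
#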
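#restorecon -i /etc/rpm/macros /etc/dasd.conf /etc/zfcp.conf /lib64 /usr/lib64 \
#  /etc/blkid.tab* /etc/mtab /etc/fstab /etc/resolv.conf \
#  /etc/modprobe.conf* /var/log/*tmp /etc/crypttab \
#  /etc/mdadm.conf /etc/sysconfig/network /root/install.log* \
#  /etc/*shadow* /etc/dhcp/dhclient-*.conf /etc/localtime \
#  /root/install.log*
#
#if [ -e /etc/zipl.conf ]; then
#  restorecon -i /etc/zipl.conf
#fi
%end

%post --nochroot
# Runs in the installer environment (no chroot): keep a copy of the
# installer's /tmp -- the generated %include snippets and whatever else the
# installer left there -- under the new system's /root for troubleshooting.
cp -a /tmp /mnt/sysimage/root/tmp_install
# cp -a carries /tmp's world-writable 1777 mode over; the copy may hold
# installation details, so make it root-only.
chmod 0700 /mnt/sysimage/root/tmp_install
%end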