diff --git a/bootstrap.d/14-fstab.sh b/bootstrap.d/14-fstab.sh index 35683a0..c9e018b 100644 --- a/bootstrap.d/14-fstab.sh +++ b/bootstrap.d/14-fstab.sh 
@@ -45,40 +45,54 @@ if [ "$ENABLE_INITRAMFS" = true ] ; then install_exec files/initramfs/expand-premount "${ETC_DIR}/initramfs-tools/scripts/local-premount/expand-premount" install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools" fi + + if [ "$ENABLE_DHCP" = false ] ; then + # Get cdir from NET_ADDRESS e.g. 24 + cdir=$(${NET_ADDRESS} | cut -d '/' -f2) + + # Convert cdir ro netmask e.g. 24 to 255.255.255.0 + NET_MASK=$(cdr2mask "$cdir") + + # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf + sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf + + # Regenerate initramfs + chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}" + fi if [ "$CRYPTFS_DROPBEAR" = true ]; then - if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then - install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub - cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys - else - # Create key - chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear + if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then + install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub + cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys + else + # Create key + chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear - # Convert dropbear key to openssh key - chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa + # Convert dropbear key to openssh key + chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa - # Get Public Key Part - chroot_exec 
/usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub + # Get Public Key Part + chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub - # Delete unwanted lines - sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub - sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub + # Delete unwanted lines + sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub + sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub - # Trust the new key - cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys + # Trust the new key + cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys - # Save Keys - convert with putty from rsa/openssh to puttkey - cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa + # Save Keys - convert with putty from rsa/openssh to puttkey + cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa - # Get unlock script - install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh + # Get unlock script + install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh - # Enable Dropbear inside initramfs - printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" + # Enable Dropbear inside initramfs + printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" - # Enable Dropbear inside initramfs - sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear - fi + # Enable Dropbear inside initramfs + sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear + fi else # Disable SSHD inside initramfs printf "#\n# DROPBEAR: [ y | n 
]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" diff --git a/bootstrap.d/15-rpi-config.sh b/bootstrap.d/15-rpi-config.sh index 25ffa35..e576f28 100644 --- a/bootstrap.d/15-rpi-config.sh +++ b/bootstrap.d/15-rpi-config.sh @@ -156,14 +156,13 @@ if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then # Switch Pi3 Bluetooth function to use the mini-UART (ttyS0) and restore UART0/ttyAMA0 over GPIOs 14 & 15. Slow Bluetooth and slow cpu. Use /dev/ttyS0 instead of /dev/ttyAMA0 if [ "$ENABLE_MINIUART_OVERLAY" = true ] ; then - # set overlay to swap ttyAMA0 and ttyS0 echo "dtoverlay=pi3-miniuart-bt" >> "${BOOT_DIR}/config.txt" - # if force_turbo didn't lock cpu at high speed, lock it at low speed (XOR logic) or miniuart will be broken if [ "$ENABLE_TURBO" = false ] ; then - echo "core_freq=250" >> "${BOOT_DIR}/config.txt" - fi + echo "core_freq=250" >> "${BOOT_DIR}/config.txt" + fi + fi # Activate services @@ -180,14 +179,18 @@ if [ "$ENABLE_CONSOLE" = true ] ; then echo "enable_uart=1" >> "${BOOT_DIR}/config.txt" # add string to cmdline CMDLINE="${CMDLINE} console=serial0,115200" + + if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ]|| [ "$RPI_MODEL" = 0 ]; then + # if force_turbo didn't lock cpu at high speed, lock it at low speed (XOR logic) or miniuart will be broken + if [ "$ENABLE_TURBO" = false ] ; then + echo "core_freq=250" >> "${BOOT_DIR}/config.txt" + fi + fi # Enable serial console systemd style - chroot_exec systemctl enable serial-getty\@serial0.service + chroot_exec systemctl enable serial-getty@serial0.service else echo "enable_uart=0" >> "${BOOT_DIR}/config.txt" - - # disable serial console systemd style - chroot_exec systemctl disable serial-getty\@"$SET_SERIAL".service fi if [ "$ENABLE_SYSTEMDSWAP" = true ] ; then 
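Review bot: `cdir=$(${NET_ADDRESS} | cut -d '/' -f2)` in the new ENABLE_DHCP=false block runs the value of NET_ADDRESS as a command instead of feeding it to cut, so cdir is empty (command not found) and the IP= line appended to initramfs.conf carries an empty netmask; the line was carried over from 20-networking.sh with the bug intact. A parameter expansion does the job without a pipeline: `cdir=${NET_ADDRESS##*/}`. The same block also regenerates the initramfs before the dropbear section below appends `DROPBEAR=y` and installs the crypt_unlock hook, so unless mkinitramfs runs again later in the build those will not be in the image; worth confirming. The comment `# Convert cdir ro netmask` should read `to`. The enclosing if-block starts before the hunk.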
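Review bot: The two comments deleted here, `# set overlay to swap ttyAMA0 and ttyS0` and `# if force_turbo didn't lock cpu at high speed, lock it at low speed (XOR logic) or miniuart will be broken`, were the only explanation of why `core_freq=250` is pinned under ENABLE_MINIUART_OVERLAY; the second one now survives only in the ENABLE_CONSOLE block of the next hunk, so restore both here. With ENABLE_MINIUART_OVERLAY and ENABLE_CONSOLE both set on a Pi 0/3/3+, the next hunk writes a second `core_freq=250` line into config.txt; harmless but untidy, so consider emitting it from one place. The enclosing `if [ "$RPI_MODEL" ... ]` block starts before the hunk.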
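Review bot: The `else` branch now only writes `enable_uart=0` and no longer disables the serial getty; if the base image ships serial-getty@serial0 enabled, a getty is still started on the disabled UART. If the removed line was dropped because `$SET_SERIAL` is never defined, `chroot_exec systemctl disable serial-getty@serial0.service`, mirroring the enable call in the true branch, is the consistent replacement. Style: `[ "$RPI_MODEL" = 3P ]|| [` lacks a space before `||`, and the added model test repeats the list already used at the head of hunk @@ -156, so the two will drift unless the model check is shared. The enclosing `if [ "$ENABLE_CONSOLE" = true ]` block starts before the hunk.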
@@ -200,36 +203,35 @@ if [ "$ENABLE_SYSTEMDSWAP" = true ] ; then # Copy downloaded systemd-swap sources mv "${temp_dir}/systemd-swap" "${R}/tmp/" - # Set permissions of the systemd-swap sources - chown -R root:root "${R}/tmp/systemd-swap" - - # Remove temporary directory for systemd-swap sources - rm -fr "${temp_dir}" - # Change into downloaded src dir cd "${R}/tmp/systemd-swap" || exit - + # Build package - . ./package.sh debian + bash ./package.sh debian - # Install package - chroot_exec dpkg -i /tmp/systemd-swap/systemd-swap-*any.deb + # Change back into script root dir + cd "${WORKDIR}" || exit + # Set permissions of the systemd-swap sources + chown -R root:root "${R}/tmp/systemd-swap" + + # Install package - IMPROVE AND MAKE IT POSSIBLE WITHOUT VERSION NR. + chroot_exec dpkg -i /tmp/systemd-swap/systemd-swap_4.0.1_any.deb + # Enable service chroot_exec systemctl enable systemd-swap - # Change back into script root dir - cd "${WORKDIR}" || exit + # Remove temporary directory for systemd-swap sources + rm -fr "${temp_dir}" else # Enable ZSWAP in cmdline if systemd-swap is not used if [ "$KERNEL_ZSWAP" = true ] ; then - CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4" + CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4" fi fi - -if [ "$KERNEL_SECURITY" = true ] ; then - CMDLINE="${CMDLINE} apparmor=1 security=apparmor" -fi + if [ "$KERNEL_SECURITY" = true ] ; then + CMDLINE="${CMDLINE} apparmor=1 security=apparmor" + fi # Install firmware boot cmdline echo "${CMDLINE}" > "${BOOT_DIR}/cmdline.txt" diff --git a/bootstrap.d/20-networking.sh b/bootstrap.d/20-networking.sh index 4e001fe..3aca05f 100644 --- a/bootstrap.d/20-networking.sh +++ b/bootstrap.d/20-networking.sh 
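Review bot: `chroot_exec dpkg -i /tmp/systemd-swap/systemd-swap_4.0.1_any.deb` hard-codes the package version, so the build breaks as soon as package.sh produces a different one, as the adjacent TODO comment admits. The old glob most likely failed because it is expanded on the host against /tmp rather than `${R}/tmp`; resolving it on the host and passing only the basename into the chroot needs no version number: `for deb in "${R}"/tmp/systemd-swap/systemd-swap_*_any.deb; do` / `  chroot_exec dpkg -i "/tmp/systemd-swap/${deb##*/}"` / `done`. Replacing `. ./package.sh debian` with `bash ./package.sh debian` is an improvement, but the script is still downloaded content executed on the host with the build's privileges; if the fetch is not pinned to a tag or commit and checked against a known checksum, that is worth adding. The `KERNEL_SECURITY` block is now indented as though it sits inside the `else` branch of ENABLE_SYSTEMDSWAP: if it really moved there, `apparmor=1 security=apparmor` is silently dropped whenever systemd-swap is enabled, and if it is still top-level the indentation is misleading and should be reverted.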
@@ -57,20 +57,6 @@ else # ENABLE_DHCP=false -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_1}|"\ -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_2}|"\ "${ETC_DIR}/systemd/network/eth.network" - - if [ "$CRYPTFS_DROPBEAR" = true ] ; then - # Get cdir from NET_ADDRESS e.g. 24 - cdir=$(${NET_ADDRESS} | cut -d '/' -f2) - - # Convert cdir ro netmask e.g. 24 to 255.255.255.0 - NET_MASK=$(cdr2mask "$cdir") - - # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf - sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf - - # Regenerate initramfs - chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}" - fi fi # Remove empty settings from network configuration diff --git a/bootstrap.d/21-firewall.sh b/bootstrap.d/21-firewall.sh index 91b6e26..ee9831d 100644 --- a/bootstrap.d/21-firewall.sh +++ b/bootstrap.d/21-firewall.sh @@ -10,7 +10,7 @@ if [ "$ENABLE_IPTABLES" = true ] ; then mkdir -p "${ETC_DIR}/iptables" if [ "$KERNEL_NF" = false ] ; then - #iptables-save and -restore are slaves of iptables and thus are set accordingly + # iptables-save and -restore are slaves of iptables and thus are set accordingly chroot_exec update-alternatives --verbose --set iptables /usr/sbin/iptables-legacy fi @@ -29,10 +29,10 @@ if [ "$ENABLE_IPTABLES" = true ] ; then if [ "$ENABLE_IPV6" = true ] ; then if [ "$KERNEL_NF" = false ] ; then - #iptables-save and -restore are slaves of iptables and thus are set accordingly + # iptables-save and -restore are slaves of iptables and thus are set accordingly chroot_exec update-alternatives --verbose --set ip6tables /usr/sbin/ip6tables-legacy - fi - + fi + # Install ip6tables systemd service install_readonly files/iptables/ip6tables.service "${ETC_DIR}/systemd/system/ip6tables.service"