@@ -0,0 +1,43 | |||||
|
1 | # For more options and information see | |||
|
2 | # http://www.raspberrypi.org/documentation/configuration/config-txt.md | |||
|
3 | # Some settings may impact device functionality. See link above for details | |||
|
4 | ||||
|
5 | # uncomment if you get no picture on HDMI for a default "safe" mode | |||
|
6 | #hdmi_safe=1 | |||
|
7 | ||||
|
8 | # uncomment this if your display has a black border of unused pixels visible | |||
|
9 | # and your display can output without overscan | |||
|
10 | #disable_overscan=1 | |||
|
11 | ||||
|
12 | # uncomment the following to adjust overscan. Use positive numbers if console | |||
|
13 | # goes off screen, and negative if there is too much border | |||
|
14 | #overscan_left=16 | |||
|
15 | #overscan_right=16 | |||
|
16 | #overscan_top=16 | |||
|
17 | #overscan_bottom=16 | |||
|
18 | ||||
|
19 | # uncomment to force a console size. By default it will be display's size minus | |||
|
20 | # overscan. | |||
|
21 | #framebuffer_width=1280 | |||
|
22 | #framebuffer_height=720 | |||
|
23 | ||||
|
24 | # uncomment if hdmi display is not detected and composite is being output | |||
|
25 | #hdmi_force_hotplug=1 | |||
|
26 | ||||
|
27 | # uncomment to force a specific HDMI mode (this will force VGA) | |||
|
28 | #hdmi_group=1 | |||
|
29 | #hdmi_mode=1 | |||
|
30 | ||||
|
31 | # uncomment to force a HDMI mode rather than DVI. This can make audio work in | |||
|
32 | # DMT (computer monitor) modes | |||
|
33 | #hdmi_drive=2 | |||
|
34 | ||||
|
35 | # uncomment to increase signal to HDMI, if you have interference, blanking, or | |||
|
36 | # no display | |||
|
37 | #config_hdmi_boost=4 | |||
|
38 | ||||
|
39 | # uncomment for composite PAL | |||
|
40 | #sdtv_mode=2 | |||
|
41 | ||||
|
42 | # uncomment to overclock the arm. 700 MHz is the default. | |||
|
43 | #arm_freq=800 |
@@ -0,0 +1,8 | |||||
|
1 | logger -t "rc.firstboot" "Generating SSH host keys" | |||
|
2 | rm -f /etc/ssh/ssh_host_* | |||
|
3 | ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key | |||
|
4 | ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key | |||
|
5 | ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key | |||
|
6 | ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key | |||
|
7 | ||||
|
8 | systemctl restart sshd |
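Review bot: The DSA host key generated on line 4 (`ssh-keygen -q -t dsa ...`) is fixed at 1024 bits and OpenSSH clients have refused ssh-dss host keys by default since 7.0, so the key is created and offered but unusable by current clients; drop that line and keep the rsa, ecdsa and ed25519 keys. Regenerating host keys on first boot rather than at image build time is the right approach, since otherwise every copy of the image would share the same keys. If this fragment runs under `sh -e` as the comment in the expand-root fragment suggests, any ssh-keygen failure aborts the remaining first-boot steps; `ssh-keygen -A` regenerates all default key types in one call and is the simpler form.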
@@ -0,0 +1,52 | |||||
|
1 | logger -t "rc.firstboot" "Expanding root" | |||
|
2 | ROOT_PART=$(mount | sed -n 's|^/dev/\(.*\) on / .*|\1|p') | |||
|
3 | PART_NUM=$(echo ${ROOT_PART} | grep -o '[1-9][0-9]*$') | |||
|
4 | case "${ROOT_PART}" in | |||
|
5 | mmcblk0*) ROOT_DEV=mmcblk0 ;; | |||
|
6 | sda*) ROOT_DEV=sda ;; | |||
|
7 | esac | |||
|
8 | if [ "$PART_NUM" = "$ROOT_PART" ]; then | |||
|
9 | logger -t "rc.firstboot" "$ROOT_PART is not an SD card. Don't know how to expand" | |||
|
10 | return 0 | |||
|
11 | fi | |||
|
12 | ||||
|
13 | # NOTE: the NOOBS partition layout confuses parted. For now, let's only | |||
|
14 | # agree to work with a sufficiently simple partition layout | |||
|
15 | if [ "$PART_NUM" -gt 2 ]; then | |||
|
16 | logger -t "rc.firstboot" "Your partition layout is not currently supported by this tool." | |||
|
17 | return 0 | |||
|
18 | fi | |||
|
19 | LAST_PART_NUM=$(parted /dev/${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:) | |||
|
20 | if [ $LAST_PART_NUM -ne $PART_NUM ]; then | |||
|
21 | logger -t "rc.firstboot" "$ROOT_PART is not the last partition. Don't know how to expand" | |||
|
22 | return 0 | |||
|
23 | fi | |||
|
24 | ||||
|
25 | # Get the starting offset of the root partition | |||
|
26 | PART_START=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g') | |||
|
27 | [ "$PART_START" ] || return 1 | |||
|
28 | ||||
|
29 | # Get the possible last sector for the root partition | |||
|
30 | PART_LAST=$(fdisk -l /dev/${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print $7 - 1 }') | |||
|
31 | [ "$PART_LAST" ] || return 1 | |||
|
32 | ||||
|
33 | # Return value will likely be error for fdisk as it fails to reload the | |||
|
34 | # partition table because the root fs is mounted | |||
|
35 | ### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit | |||
|
36 | fdisk /dev/${ROOT_DEV} <<EOF2 || true | |||
|
37 | p | |||
|
38 | d | |||
|
39 | $PART_NUM | |||
|
40 | n | |||
|
41 | p | |||
|
42 | $PART_NUM | |||
|
43 | $PART_START | |||
|
44 | $PART_LAST | |||
|
45 | p | |||
|
46 | w | |||
|
47 | EOF2 | |||
|
48 | ||||
|
49 | # Reload the partition table, resize root filesystem then remove resizing code from this file | |||
|
50 | partprobe && | |||
|
51 | resize2fs /dev/${ROOT_PART} && | |||
|
52 | logger -t "rc.firstboot" "Root partition successfuly resized." |
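Review bot: The `case` on lines 4–7 has no default arm, so a root device that is neither `mmcblk0*` nor `sda*` but still ends in a digit (a second SD slot or an NVMe-style name passes the line-8 check) leaves `ROOT_DEV` empty and the later parted/fdisk calls operate on `/dev/`; add `*) logger -t "rc.firstboot" "$ROOT_PART: unsupported device. Don't know how to expand"; return 0 ;;`. Line 20 compares `$LAST_PART_NUM` and `$PART_NUM` unquoted, so an empty parted result turns the intended log-and-return into a `[` syntax error; quote both operands and treat an empty value as unsupported. The `return` statements assume this fragment is sourced or wrapped in a function, which deserves a comment at the top, because as a standalone script they are errors. The log text on line 52 spells `successfuly`.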
@@ -0,0 +1,3 | |||||
|
1 | logger -t "rc.firstboot" "First boot actions finished" | |||
|
2 | rm -f /etc/rc.firstboot | |||
|
3 | sed -i '/.*rc.firstboot/d' /etc/rc.local |
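Review bot: Line 2 deletes `/etc/rc.firstboot` before line 3 removes its reference from `/etc/rc.local`, so if the sed fails (read-only root, `sh -e` abort) rc.local keeps invoking a file that no longer exists on every subsequent boot. Swap the two lines so the reference goes first, `sed -i '/.*rc.firstboot/d' /etc/rc.local` followed by `rm -f /etc/rc.firstboot`. The sed pattern also removes any line that merely mentions `rc.firstboot`, including comments; anchoring on the actual invocation would be safer, though the exact line added to rc.local is not visible here.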
@@ -0,0 +1,2 | |||||
|
1 | /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1 | |||
|
2 | /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2 |
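Review bot: The root entry on line 1 mounts with `data=writeback`, which lets ext4 commit metadata before the data it describes; after a power loss, which is common on a Pi without a clean shutdown, a file that was being extended can contain stale blocks from previously freed space, so this is both an integrity and a data-exposure concern. The commit does not explain the trade-off; either document it with a comment in the file or default to `data=ordered` and let users opt in. The same flag is baked into `rootflags=` on the kernel cmdline in the build script, so the two places must stay in sync.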
@@ -0,0 +1,15 | |||||
|
1 | #!/bin/sh | |||
|
2 | ip6tables -F | |||
|
3 | ip6tables -X | |||
|
4 | ip6tables -Z | |||
|
5 | ||||
|
6 | for table in $(</proc/net/ip6_tables_names) | |||
|
7 | do | |||
|
8 | ip6tables -t \$table -F | |||
|
9 | ip6tables -t \$table -X | |||
|
10 | ip6tables -t \$table -Z | |||
|
11 | done | |||
|
12 | ||||
|
13 | ip6tables -P INPUT ACCEPT | |||
|
14 | ip6tables -P OUTPUT ACCEPT | |||
|
15 | ip6tables -P FORWARD ACCEPT |
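Review bot: The loop on lines 6–10 does not do what it intends: `\$table` keeps the backslash-escaped literal `$table` (a leftover from heredoc quoting), so `ip6tables -t` would be handed the literal string, and `$(</proc/net/ip6_tables_names)` is a bash-only construct that expands to nothing under `#!/bin/sh`, so the loop body never runs and only the filter table on lines 2–4 is actually flushed. Use `cat` and a quoted variable as below. Since this script is the unit's ExecStop, stopping or restarting the service leaves every policy at ACCEPT; that is conventional but deserves a one-line comment in the file.
```shell
for table in $(cat /proc/net/ip6_tables_names)
do
    ip6tables -t "$table" -F
    ip6tables -t "$table" -X
    ip6tables -t "$table" -Z
done
# … unchanged: policy reset to ACCEPT …
```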
@@ -0,0 +1,10 | |||||
|
1 | #!/bin/sh | |||
|
2 | iptables -F | |||
|
3 | iptables -X | |||
|
4 | iptables -t nat -F | |||
|
5 | iptables -t nat -X | |||
|
6 | iptables -t mangle -F | |||
|
7 | iptables -t mangle -X | |||
|
8 | iptables -P INPUT ACCEPT | |||
|
9 | iptables -P FORWARD ACCEPT | |||
|
10 | iptables -P OUTPUT ACCEPT |
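Review bot: Unlike the IPv6 script, this one flushes only `filter`, `nat` and `mangle`, so chains in the `raw` and `security` tables survive a stop; either add `iptables -t raw -F` and `iptables -t raw -X` (and the same pair for `security`), or iterate over `/proc/net/ip_tables_names` the way the IPv6 script intends to. Lines 8–10 reset the policies after the flush, so the end state is a fully open host, which is the expected semantics of an ExecStop but worth stating in a comment.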
@@ -0,0 +1,48 | |||||
|
1 | *filter | |||
|
2 | :INPUT DROP [0:0] | |||
|
3 | :FORWARD DROP [0:0] | |||
|
4 | :OUTPUT ACCEPT [0:0] | |||
|
5 | :TCP - [0:0] | |||
|
6 | :UDP - [0:0] | |||
|
7 | :SSH - [0:0] | |||
|
8 | ||||
|
9 | # Drop packets with RH0 headers | |||
|
10 | -A INPUT -m rt --rt-type 0 -j DROP | |||
|
11 | -A OUTPUT -m rt --rt-type 0 -j DROP | |||
|
12 | -A FORWARD -m rt --rt-type 0 -j DROP | |||
|
13 | ||||
|
14 | # Rate limit ping requests | |||
|
15 | -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT | |||
|
16 | -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP | |||
|
17 | ||||
|
18 | # Accept established connections | |||
|
19 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |||
|
20 | ||||
|
21 | # Accept all traffic on loopback interface | |||
|
22 | -A INPUT -i lo -j ACCEPT | |||
|
23 | ||||
|
24 | # Drop packets declared invalid | |||
|
25 | -A INPUT -m conntrack --ctstate INVALID -j DROP | |||
|
26 | ||||
|
27 | # SSH rate limiting | |||
|
28 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH | |||
|
29 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP | |||
|
30 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP | |||
|
31 | -A SSH -m recent --name sshbf --set -j ACCEPT | |||
|
32 | ||||
|
33 | # Send TCP and UDP connections to their respective rules chain | |||
|
34 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP | |||
|
35 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP | |||
|
36 | ||||
|
37 | # Reject dropped packets with a RFC compliant responce | |||
|
38 | -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited | |||
|
39 | -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited | |||
|
40 | -A INPUT -j REJECT --reject-with icmp6-adm-prohibited | |||
|
41 | ||||
|
42 | ## TCP PORT RULES | |||
|
43 | # -A TCP -p tcp -j LOG | |||
|
44 | ||||
|
45 | ## UDP PORT RULES | |||
|
46 | # -A UDP -p udp -j LOG | |||
|
47 | ||||
|
48 | COMMIT |
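Review bot: As far as I can read this ruleset, IPv6 neighbour discovery is blocked: neighbour solicitations (ICMPv6 type 135) are not tracked as ESTABLISHED by conntrack, are not matched by the echo-request rules on lines 15–16, and therefore fall through to the catch-all REJECT on line 40, so peers on the link cannot resolve this host's address once their neighbour cache expires. Add, before the REJECT rules and with a comment, `-A INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT` and `-A INPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT` for neighbour solicitation and advertisement. MLD (types 130–132) and router advertisement (134) would be added the same way if the host is meant to use them; the hardening sysctl file disables RA processing, so that part is optional. The comment on line 37 spells `responce`; the same typo is in the IPv4 rules file.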
@@ -0,0 +1,15 | |||||
|
1 | [Unit] | |||
|
2 | Description=Packet Filtering Framework | |||
|
3 | DefaultDependencies=no | |||
|
4 | After=systemd-sysctl.service | |||
|
5 | Before=sysinit.target | |||
|
6 | ||||
|
7 | [Service] | |||
|
8 | Type=oneshot | |||
|
9 | ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules | |||
|
10 | ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules | |||
|
11 | ExecStop=/etc/iptables/flush-ip6tables.sh | |||
|
12 | RemainAfterExit=yes | |||
|
13 | ||||
|
14 | [Install] | |||
|
15 | WantedBy=multi-user.target |
@@ -0,0 +1,43 | |||||
|
1 | *filter | |||
|
2 | :INPUT DROP [0:0] | |||
|
3 | :FORWARD DROP [0:0] | |||
|
4 | :OUTPUT ACCEPT [0:0] | |||
|
5 | :TCP - [0:0] | |||
|
6 | :UDP - [0:0] | |||
|
7 | :SSH - [0:0] | |||
|
8 | ||||
|
9 | # Rate limit ping requests | |||
|
10 | -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT | |||
|
11 | -A INPUT -p icmp --icmp-type echo-request -j DROP | |||
|
12 | ||||
|
13 | # Accept established connections | |||
|
14 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |||
|
15 | ||||
|
16 | # Accept all traffic on loopback interface | |||
|
17 | -A INPUT -i lo -j ACCEPT | |||
|
18 | ||||
|
19 | # Drop packets declared invalid | |||
|
20 | -A INPUT -m conntrack --ctstate INVALID -j DROP | |||
|
21 | ||||
|
22 | # SSH rate limiting | |||
|
23 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH | |||
|
24 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP | |||
|
25 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP | |||
|
26 | -A SSH -m recent --name sshbf --set -j ACCEPT | |||
|
27 | ||||
|
28 | # Send TCP and UDP connections to their respective rules chain | |||
|
29 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP | |||
|
30 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP | |||
|
31 | ||||
|
32 | # Reject dropped packets with a RFC compliant responce | |||
|
33 | -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable | |||
|
34 | -A INPUT -p tcp -j REJECT --reject-with tcp-rst | |||
|
35 | -A INPUT -j REJECT --reject-with icmp-proto-unreachable | |||
|
36 | ||||
|
37 | ## TCP PORT RULES | |||
|
38 | # -A TCP -p tcp -j LOG | |||
|
39 | ||||
|
40 | ## UDP PORT RULES | |||
|
41 | # -A UDP -p udp -j LOG | |||
|
42 | ||||
|
43 | COMMIT |
@@ -0,0 +1,15 | |||||
|
1 | [Unit] | |||
|
2 | Description=Packet Filtering Framework | |||
|
3 | DefaultDependencies=no | |||
|
4 | After=systemd-sysctl.service | |||
|
5 | Before=sysinit.target | |||
|
6 | ||||
|
7 | [Service] | |||
|
8 | Type=oneshot | |||
|
9 | ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules | |||
|
10 | ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules | |||
|
11 | ExecStop=/etc/iptables/flush-iptables.sh | |||
|
12 | RemainAfterExit=yes | |||
|
13 | ||||
|
14 | [Install] | |||
|
15 | WantedBy=multi-user.target |
@@ -0,0 +1,9 | |||||
|
1 | blacklist snd_soc_core | |||
|
2 | blacklist snd_pcm | |||
|
3 | blacklist snd_pcm_dmaengine | |||
|
4 | blacklist snd_timer | |||
|
5 | blacklist snd_compress | |||
|
6 | blacklist snd_soc_pcm512x_i2c | |||
|
7 | blacklist snd_soc_pcm512x | |||
|
8 | blacklist snd_soc_tas5713 | |||
|
9 | blacklist snd_soc_wm8804 |
@@ -0,0 +1,6 | |||||
|
1 | # Avoid swapping and increase cache sizes | |||
|
2 | vm.swappiness=1 | |||
|
3 | vm.dirty_background_ratio=20 | |||
|
4 | vm.dirty_ratio=40 | |||
|
5 | vm.dirty_writeback_centisecs=500 | |||
|
6 | vm.dirty_expire_centisecs=6000 |
@@ -0,0 +1,59 | |||||
|
1 | # Enable network stack hardening | |||
|
2 | net.ipv4.tcp_timestamps=0 | |||
|
3 | net.ipv4.tcp_syncookies=1 | |||
|
4 | net.ipv4.conf.all.rp_filter=1 | |||
|
5 | net.ipv4.conf.all.accept_redirects=0 | |||
|
6 | net.ipv4.conf.all.send_redirects=0 | |||
|
7 | net.ipv4.conf.all.accept_source_route=0 | |||
|
8 | net.ipv4.conf.default.rp_filter=1 | |||
|
9 | net.ipv4.conf.default.accept_redirects=0 | |||
|
10 | net.ipv4.conf.default.send_redirects=0 | |||
|
11 | net.ipv4.conf.default.accept_source_route=0 | |||
|
12 | net.ipv4.conf.lo.accept_redirects=0 | |||
|
13 | net.ipv4.conf.lo.send_redirects=0 | |||
|
14 | net.ipv4.conf.lo.accept_source_route=0 | |||
|
15 | net.ipv4.conf.eth0.accept_redirects=0 | |||
|
16 | net.ipv4.conf.eth0.send_redirects=0 | |||
|
17 | net.ipv4.conf.eth0.accept_source_route=0 | |||
|
18 | net.ipv4.icmp_echo_ignore_broadcasts=1 | |||
|
19 | net.ipv4.icmp_ignore_bogus_error_responses=1 | |||
|
20 | ||||
|
21 | net.ipv6.conf.all.accept_redirects=0 | |||
|
22 | net.ipv6.conf.all.accept_source_route=0 | |||
|
23 | net.ipv6.conf.all.router_solicitations=0 | |||
|
24 | net.ipv6.conf.all.accept_ra_rtr_pref=0 | |||
|
25 | net.ipv6.conf.all.accept_ra_pinfo=0 | |||
|
26 | net.ipv6.conf.all.accept_ra_defrtr=0 | |||
|
27 | net.ipv6.conf.all.autoconf=0 | |||
|
28 | net.ipv6.conf.all.dad_transmits=0 | |||
|
29 | net.ipv6.conf.all.max_addresses=1 | |||
|
30 | ||||
|
31 | net.ipv6.conf.default.accept_redirects=0 | |||
|
32 | net.ipv6.conf.default.accept_source_route=0 | |||
|
33 | net.ipv6.conf.default.router_solicitations=0 | |||
|
34 | net.ipv6.conf.default.accept_ra_rtr_pref=0 | |||
|
35 | net.ipv6.conf.default.accept_ra_pinfo=0 | |||
|
36 | net.ipv6.conf.default.accept_ra_defrtr=0 | |||
|
37 | net.ipv6.conf.default.autoconf=0 | |||
|
38 | net.ipv6.conf.default.dad_transmits=0 | |||
|
39 | net.ipv6.conf.default.max_addresses=1 | |||
|
40 | ||||
|
41 | net.ipv6.conf.lo.accept_redirects=0 | |||
|
42 | net.ipv6.conf.lo.accept_source_route=0 | |||
|
43 | net.ipv6.conf.lo.router_solicitations=0 | |||
|
44 | net.ipv6.conf.lo.accept_ra_rtr_pref=0 | |||
|
45 | net.ipv6.conf.lo.accept_ra_pinfo=0 | |||
|
46 | net.ipv6.conf.lo.accept_ra_defrtr=0 | |||
|
47 | net.ipv6.conf.lo.autoconf=0 | |||
|
48 | net.ipv6.conf.lo.dad_transmits=0 | |||
|
49 | net.ipv6.conf.lo.max_addresses=1 | |||
|
50 | ||||
|
51 | net.ipv6.conf.eth0.accept_redirects=0 | |||
|
52 | net.ipv6.conf.eth0.accept_source_route=0 | |||
|
53 | net.ipv6.conf.eth0.router_solicitations=0 | |||
|
54 | net.ipv6.conf.eth0.accept_ra_rtr_pref=0 | |||
|
55 | net.ipv6.conf.eth0.accept_ra_pinfo=0 | |||
|
56 | net.ipv6.conf.eth0.accept_ra_defrtr=0 | |||
|
57 | net.ipv6.conf.eth0.autoconf=0 | |||
|
58 | net.ipv6.conf.eth0.dad_transmits=0 | |||
|
59 | net.ipv6.conf.eth0.max_addresses=1 |
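Review bot: The per-interface `net.ipv4.conf.eth0.*` and `net.ipv6.conf.eth0.*` keys (lines 15–17 and 51–59) only take effect if an interface named `eth0` exists when systemd-sysctl runs; the build script's kernel cmdline sets `net.ifnames=1`, under which the Pi's USB NIC is likely to receive a different predictable name, so these keys would be reported as unknown and silently do nothing. The `all.*` and `default.*` entries already cover every interface, so the eth0 lines can simply be dropped. `net.ipv4.tcp_timestamps=0` on line 2 is a trade-off that deserves a comment: it hides uptime from remote observers but also disables PAWS, which protects long-lived connections against wrapped sequence numbers. Adding `net.ipv4.conf.all.log_martians=1` would make the `rp_filter` drops visible in the journal, which helps when debugging the firewall.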
@@ -43,6 +43,9 Set default system locale. This setting can also be changed inside the running O | |||||
43 | ##### `TIMEZONE`="Europe/Berlin" |
|
43 | ##### `TIMEZONE`="Europe/Berlin" | |
44 | Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command. |
|
44 | Set default system timezone. All available timezones can be found in the `/usr/share/zoneinfo/` directory. This setting can also be changed inside the running OS using the `dpkg-reconfigure tzdata` command. | |
45 |
|
45 | |||
|
46 | ##### `EXPANDROOT`=true | |||
|
47 | Expand the root partition and filesystem automatically on first boot. | |||
|
48 | ||||
46 | #### Keyboard settings: |
|
49 | #### Keyboard settings: | |
47 | These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command. |
|
50 | These options are used to configure keyboard layout in `/etc/default/keyboard` for console and Xorg. These settings can also be changed inside the running OS using the `dpkg-reconfigure keyboard-configuration` command. | |
48 | ##### `XKBMODEL`="" |
|
51 | ##### `XKBMODEL`="" | |
@@ -87,6 +90,10 Enable IPv6 support. The network interface configuration is managed via systemd- | |||||
87 | ##### `ENABLE_SSHD`=true |
|
90 | ##### `ENABLE_SSHD`=true | |
88 | Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root. |
|
91 | Install and enable OpenSSH service. The default configuration of the service doesn't allow `root` to login. Please use the user `pi` instead and `su -` or `sudo` to execute commands as root. | |
89 |
|
92 | |||
|
93 | ##### `ENABLE_RSYSLOG`=true | |||
|
94 | If set to false, disable and uninstall rsyslog (so logs will be available only | |||
|
95 | in journal files) | |||
|
96 | ||||
90 | ##### `ENABLE_SOUND`=true |
|
97 | ##### `ENABLE_SOUND`=true | |
91 | Enable sound hardware and install Advanced Linux Sound Architecture. |
|
98 | Enable sound hardware and install Advanced Linux Sound Architecture. | |
92 |
|
99 | |||
@@ -118,6 +125,16 Install and enable the hardware accelerated Xorg video driver `fbturbo`. Please | |||||
118 | ##### `ENABLE_IPTABLES`=false |
|
125 | ##### `ENABLE_IPTABLES`=false | |
119 | Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service. |
|
126 | Enable iptables IPv4/IPv6 firewall. Simplified ruleset: Allow all outgoing connections. Block all incoming connections except to OpenSSH service. | |
120 |
|
127 | |||
|
128 | ##### `ENABLE_USER`=true | |||
|
129 | Create pi user with password raspberry | |||
|
130 | ||||
|
131 | ##### `ENABLE_ROOT`=true | |||
|
132 | Set root user password so root login will be enabled | |||
|
133 | ||||
|
134 | ##### `ENABLE_ROOT_SSH`=true | |||
|
135 | Enable password root login via SSH. May be a security risk with default | |||
|
136 | password, use only in trusted environments. | |||
|
137 | ||||
121 | ##### `ENABLE_HARDNET`=false |
|
138 | ##### `ENABLE_HARDNET`=false | |
122 | Enable IPv4/IPv6 network stack hardening settings. |
|
139 | Enable IPv4/IPv6 network stack hardening settings. | |
123 |
|
140 |
@@ -30,11 +30,17 cleanup (){ | |||||
30 | trap - 0 1 2 3 6 |
|
30 | trap - 0 1 2 3 6 | |
31 | } |
|
31 | } | |
32 |
|
32 | |||
|
33 | # Exec command in chroot | |||
|
34 | chroot_exec() { | |||
|
35 | LANG=C LC_ALL=C chroot $R $* | |||
|
36 | } | |||
|
37 | ||||
33 | set -e |
|
38 | set -e | |
34 | set -x |
|
39 | set -x | |
35 |
|
40 | |||
36 | # Debian release |
|
41 | # Debian release | |
37 | RELEASE=${RELEASE:=jessie} |
|
42 | RELEASE=${RELEASE:=jessie} | |
|
43 | KERNEL=${KERNEL:=3.18.0-trunk-rpi2} | |||
38 |
|
44 | |||
39 | # Build settings |
|
45 | # Build settings | |
40 | BASEDIR=./images/${RELEASE} |
|
46 | BASEDIR=./images/${RELEASE} | |
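Review bot: `chroot_exec` on line 35 expands `$*` unquoted, so every argument is re-split on whitespace and re-globbed inside the function and quoting at the call site is lost; the fix is `LANG=C LC_ALL=C chroot "$R" "$@"`. The effect shows in the later hunks of this commit: the `adduser --gecos \"Raspberry\ PI\ user\"` call escapes quotes by hand and, as far as I can trace, still reaches adduser as several words, and `usermod -p \'!\' root` stores literal quote characters in the password field. Once the function uses `"$@"`, those call sites can use ordinary quoting. A one-line comment stating that the command runs with `$R` as root and that pipelines and redirections written by the caller are not part of the chrooted command would prevent the debconf misuse seen in the locale hunk.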
@@ -49,6 +55,7 XKBMODEL=${XKBMODEL:=""} | |||||
49 | XKBLAYOUT=${XKBLAYOUT:=""} |
|
55 | XKBLAYOUT=${XKBLAYOUT:=""} | |
50 | XKBVARIANT=${XKBVARIANT:=""} |
|
56 | XKBVARIANT=${XKBVARIANT:=""} | |
51 | XKBOPTIONS=${XKBOPTIONS:=""} |
|
57 | XKBOPTIONS=${XKBOPTIONS:=""} | |
|
58 | EXPANDROOT=${EXPANDROOT:=true} | |||
52 |
|
59 | |||
53 | # Network settings |
|
60 | # Network settings | |
54 | ENABLE_DHCP=${ENABLE_DHCP:=true} |
|
61 | ENABLE_DHCP=${ENABLE_DHCP:=true} | |
@@ -76,6 +83,10 ENABLE_HWRANDOM=${ENABLE_HWRANDOM:=true} | |||||
76 | ENABLE_MINGPU=${ENABLE_MINGPU:=false} |
|
83 | ENABLE_MINGPU=${ENABLE_MINGPU:=false} | |
77 | ENABLE_XORG=${ENABLE_XORG:=false} |
|
84 | ENABLE_XORG=${ENABLE_XORG:=false} | |
78 | ENABLE_WM=${ENABLE_WM:=""} |
|
85 | ENABLE_WM=${ENABLE_WM:=""} | |
|
86 | ENABLE_RSYSLOG=${ENABLE_RSYSLOG:=true} | |||
|
87 | ENABLE_USER=${ENABLE_USER:=true} | |||
|
88 | ENABLE_ROOT=${ENABLE_ROOT:=false} | |||
|
89 | ENABLE_ROOT_SSH=${ENABLE_ROOT_SSH:=false} | |||
79 |
|
90 | |||
80 | # Advanced settings |
|
91 | # Advanced settings | |
81 | ENABLE_MINBASE=${ENABLE_MINBASE:=false} |
|
92 | ENABLE_MINBASE=${ENABLE_MINBASE:=false} | |
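Review bot: The defaults on lines 88–89 are `ENABLE_ROOT=false` and `ENABLE_ROOT_SSH=false`, but the README section added in this same commit documents them as `ENABLE_ROOT`=true and `ENABLE_ROOT_SSH`=true; the script has the safer default (root locked, no password root login over SSH), so the README headings should be changed to `false` to match. Since `ENABLE_ROOT_SSH` has no effect unless `ENABLE_ROOT` is set, and the user-setup code nests it that way, say so next to these defaults, e.g. `# ENABLE_ROOT_SSH is ignored unless ENABLE_ROOT=true`.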
@@ -148,6 +159,11 else | |||||
148 | APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup" |
|
159 | APT_INCLUDES="${APT_INCLUDES},locales,keyboard-configuration,console-setup" | |
149 | fi |
|
160 | fi | |
150 |
|
161 | |||
|
162 | # Add parted package, required to get partprobe utility | |||
|
163 | if [ "$EXPANDROOT" = true ] ; then | |||
|
164 | APT_INCLUDES="${APT_INCLUDES},parted" | |||
|
165 | fi | |||
|
166 | ||||
151 | # Add dbus package, recommended if using systemd |
|
167 | # Add dbus package, recommended if using systemd | |
152 | if [ "$ENABLE_DBUS" = true ] ; then |
|
168 | if [ "$ENABLE_DBUS" = true ] ; then | |
153 | APT_INCLUDES="${APT_INCLUDES},dbus" |
|
169 | APT_INCLUDES="${APT_INCLUDES},dbus" | |
@@ -173,6 +189,10 if [ "$ENABLE_HWRANDOM" = true ] ; then | |||||
173 | APT_INCLUDES="${APT_INCLUDES},rng-tools" |
|
189 | APT_INCLUDES="${APT_INCLUDES},rng-tools" | |
174 | fi |
|
190 | fi | |
175 |
|
191 | |||
|
192 | if [ "$ENABLE_USER" = true ]; then | |||
|
193 | APT_INCLUDES="${APT_INCLUDES},sudo" | |||
|
194 | fi | |||
|
195 | ||||
176 | # Add fbturbo video driver |
|
196 | # Add fbturbo video driver | |
177 | if [ "$ENABLE_FBTURBO" = true ] ; then |
|
197 | if [ "$ENABLE_FBTURBO" = true ] ; then | |
178 | # Enable xorg package dependencies |
|
198 | # Enable xorg package dependencies | |
@@ -228,12 +248,12 EOM | |||||
228 |
|
248 | |||
229 | # Set up timezone |
|
249 | # Set up timezone | |
230 | echo ${TIMEZONE} >$R/etc/timezone |
|
250 | echo ${TIMEZONE} >$R/etc/timezone | |
231 |
|
|
251 | chroot_exec dpkg-reconfigure -f noninteractive tzdata | |
232 |
|
252 | |||
233 | # Upgrade collabora package index and install collabora keyring |
|
253 | # Upgrade collabora package index and install collabora keyring | |
234 | echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list |
|
254 | echo "deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2" >$R/etc/apt/sources.list | |
235 |
|
|
255 | chroot_exec apt-get -qq -y update | |
236 |
|
|
256 | chroot_exec apt-get -qq -y --force-yes install collabora-obs-archive-keyring | |
237 |
|
257 | |||
238 | # Set up initial sources.list |
|
258 | # Set up initial sources.list | |
239 | cat <<EOM >$R/etc/apt/sources.list |
|
259 | cat <<EOM >$R/etc/apt/sources.list | |
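Review bot: Line 256 installs the Collabora keyring with `apt-get --force-yes`, a flag that overrides every apt safety check (unauthenticated packages, held packages, downgrades) rather than only the signature check that is unavoidable while bootstrapping a keyring; the flag may be carried over from the previous version of the line, whose old text is not shown, but it is the line under review now. Narrow it to `--allow-unauthenticated`, which leaves the other checks in place, and add a comment saying why the keyring install is the one place it is accepted. Stronger still would be downloading the keyring .deb and verifying a pinned checksum before installing it, so the trust root does not rest only on the HTTPS connection.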
@@ -250,8 +270,8 deb https://repositories.collabora.co.uk/debian ${RELEASE} rpi2 | |||||
250 | EOM |
|
270 | EOM | |
251 |
|
271 | |||
252 | # Upgrade package index and update all installed packages and changed dependencies |
|
272 | # Upgrade package index and update all installed packages and changed dependencies | |
253 |
|
|
273 | chroot_exec apt-get -qq -y update | |
254 |
|
|
274 | chroot_exec apt-get -qq -y -u dist-upgrade | |
255 |
|
275 | |||
256 | # Set up default locale and keyboard configuration |
|
276 | # Set up default locale and keyboard configuration | |
257 | if [ "$ENABLE_MINBASE" = false ] ; then |
|
277 | if [ "$ENABLE_MINBASE" = false ] ; then | |
@@ -259,60 +279,50 if [ "$ENABLE_MINBASE" = false ] ; then | |||||
259 | # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957 |
|
279 | # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685957 | |
260 | # ... so we have to set locales manually |
|
280 | # ... so we have to set locales manually | |
261 | if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then |
|
281 | if [ "$DEFLOCAL" = "en_US.UTF-8" ] ; then | |
262 |
|
|
282 | chroot_exec echo "locales locales/locales_to_be_generated multiselect ${DEFLOCAL} UTF-8" | debconf-set-selections | |
263 | else |
|
283 | else | |
264 | # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale |
|
284 | # en_US.UTF-8 should be available anyway : https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_reconfiguration_of_the_locale | |
265 |
|
|
285 | chroot_exec echo "locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8, ${DEFLOCAL} UTF-8" | debconf-set-selections | |
266 |
|
|
286 | chroot_exec sed -i "/en_US.UTF-8/s/^#//" /etc/locale.gen | |
267 | fi |
|
287 | fi | |
268 |
|
|
288 | chroot_exec sed -i "/${DEFLOCAL}/s/^#//" /etc/locale.gen | |
269 |
|
|
289 | chroot_exec echo "locales locales/default_environment_locale select ${DEFLOCAL}" | debconf-set-selections | |
270 |
|
|
290 | chroot_exec locale-gen | |
271 |
|
|
291 | chroot_exec update-locale LANG=${DEFLOCAL} | |
272 |
|
292 | |||
273 | # Keyboard configuration, if requested |
|
293 | # Keyboard configuration, if requested | |
274 | if [ "$XKBMODEL" != "" ] ; then |
|
294 | if [ "$XKBMODEL" != "" ] ; then | |
275 |
|
|
295 | chroot_exec sed -i "s/^XKBMODEL.*/XKBMODEL=\"${XKBMODEL}\"/" /etc/default/keyboard | |
276 | fi |
|
296 | fi | |
277 | if [ "$XKBLAYOUT" != "" ] ; then |
|
297 | if [ "$XKBLAYOUT" != "" ] ; then | |
278 |
|
|
298 | chroot_exec sed -i "s/^XKBLAYOUT.*/XKBLAYOUT=\"${XKBLAYOUT}\"/" /etc/default/keyboard | |
279 | fi |
|
299 | fi | |
280 | if [ "$XKBVARIANT" != "" ] ; then |
|
300 | if [ "$XKBVARIANT" != "" ] ; then | |
281 |
|
|
301 | chroot_exec sed -i "s/^XKBVARIANT.*/XKBVARIANT=\"${XKBVARIANT}\"/" /etc/default/keyboard | |
282 | fi |
|
302 | fi | |
283 | if [ "$XKBOPTIONS" != "" ] ; then |
|
303 | if [ "$XKBOPTIONS" != "" ] ; then | |
284 |
|
|
304 | chroot_exec sed -i "s/^XKBOPTIONS.*/XKBOPTIONS=\"${XKBOPTIONS}\"/" /etc/default/keyboard | |
285 | fi |
|
305 | fi | |
286 |
|
|
306 | chroot_exec dpkg-reconfigure -f noninteractive keyboard-configuration | |
287 | # Set up font console |
|
307 | # Set up font console | |
288 | case "${DEFLOCAL}" in |
|
308 | case "${DEFLOCAL}" in | |
289 | *UTF-8) |
|
309 | *UTF-8) | |
290 |
|
|
310 | chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="UTF-8"/' /etc/default/console-setup | |
291 | ;; |
|
311 | ;; | |
292 | *) |
|
312 | *) | |
293 |
|
|
313 | chroot_exec sed -i 's/^CHARMAP.*/CHARMAP="guess"/' /etc/default/console-setup | |
294 | ;; |
|
314 | ;; | |
295 | esac |
|
315 | esac | |
296 |
|
|
316 | chroot_exec dpkg-reconfigure -f noninteractive console-setup | |
297 | fi |
|
317 | fi | |
298 |
|
318 | |||
299 | # Kernel installation |
|
319 | # Kernel installation | |
300 | # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot |
|
320 | # Install flash-kernel last so it doesn't try (and fail) to detect the platform in the chroot | |
301 |
|
|
321 | chroot_exec apt-get -qq -y --no-install-recommends install linux-image-${KERNEL} raspberrypi-bootloader-nokernel | |
302 |
|
|
322 | chroot_exec apt-get -qq -y install flash-kernel | |
303 |
|
323 | |||
304 | VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)" |
|
324 | VMLINUZ="$(ls -1 $R/boot/vmlinuz-* | sort | tail -n 1)" | |
305 | [ -z "$VMLINUZ" ] && exit 1 |
|
325 | [ -z "$VMLINUZ" ] && exit 1 | |
306 | mkdir -p $R/boot/firmware |
|
|||
307 |
|
||||
308 | # required boot binaries from raspberry/firmware github (commit: "kernel: Bump to 3.18.10") |
|
|||
309 | wget -q -O $R/boot/firmware/bootcode.bin https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/bootcode.bin |
|
|||
310 | wget -q -O $R/boot/firmware/fixup_cd.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_cd.dat |
|
|||
311 | wget -q -O $R/boot/firmware/fixup.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup.dat |
|
|||
312 | wget -q -O $R/boot/firmware/fixup_x.dat https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/fixup_x.dat |
|
|||
313 | wget -q -O $R/boot/firmware/start_cd.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_cd.elf |
|
|||
314 | wget -q -O $R/boot/firmware/start.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start.elf |
|
|||
315 | wget -q -O $R/boot/firmware/start_x.elf https://github.com/raspberrypi/firmware/raw/cd355a9dd4f1f4de2e79b0c8e102840885cdf1de/boot/start_x.elf |
|
|||
316 | cp $VMLINUZ $R/boot/firmware/kernel7.img |
|
326 | cp $VMLINUZ $R/boot/firmware/kernel7.img | |
317 |
|
327 | |||
318 | # Set up IPv4 hosts |
|
328 | # Set up IPv4 hosts | |
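Review bot: On lines 282, 285 and 289 only the `echo` runs through `chroot_exec`; the `| debconf-set-selections` after it is an ordinary host pipeline, so the locale selections are written into the build host's debconf database and the chroot never sees them (the `sed` on /etc/locale.gen and `locale-gen` still run inside, which is probably why the result looks right). Run the consumer inside the chroot instead, for example `echo "locales locales/default_environment_locale select ${DEFLOCAL}" | chroot_exec debconf-set-selections`, and likewise for the other two lines. The enclosing `if [ "$ENABLE_MINBASE" = false ]` starts before this hunk.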
@@ -374,17 +384,27 EOM | |||||
374 | fi |
|
384 | fi | |
375 |
|
385 | |||
376 | # Enable systemd-networkd service |
|
386 | # Enable systemd-networkd service | |
377 |
|
|
387 | chroot_exec systemctl enable systemd-networkd | |
378 |
|
388 | |||
379 | # Generate crypt(3) password string |
|
389 | # Generate crypt(3) password string | |
380 | ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}` |
|
390 | ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 ${PASSWORD}` | |
381 |
|
391 | |||
382 | # Set up default user |
|
392 | # Set up default user | |
383 | LANG=C chroot $R adduser --gecos "Raspberry PI user" --add_extra_groups --disabled-password pi |
|
393 | if [ "$ENABLE_USER" = true ] ; then | |
384 | LANG=C chroot $R usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi |
|
394 | chroot_exec adduser --gecos \"Raspberry\ PI\ user\" --add_extra_groups --disabled-password pi | |
|
395 | chroot_exec usermod -a -G sudo -p "${ENCRYPTED_PASSWORD}" pi | |||
|
396 | fi | |||
|
397 | ||||
|
398 | # Set up root password or not | |||
|
399 | if [ "$ENABLE_ROOT" = true ]; then | |||
|
400 | chroot_exec usermod -p "${ENCRYPTED_PASSWORD}" root | |||
385 |
|
401 | |||
386 | # Set up root password |
|
402 | if [ "$ENABLE_ROOT_SSH" = true ]; then | |
387 | LANG=C chroot $R usermod -p "${ENCRYPTED_PASSWORD}" root |
|
403 | sed -i 's|[#]*PermitRootLogin.*|PermitRootLogin yes|g' $R/etc/ssh/sshd_config | |
|
404 | fi | |||
|
405 | else | |||
|
406 | chroot_exec usermod -p \'!\' root | |||
|
407 | fi | |||
388 |
|
408 | |||
389 | # Set up firmware boot cmdline |
|
409 | # Set up firmware boot cmdline | |
390 | CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1" |
|
410 | CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline rootwait net.ifnames=1 console=tty1" | |
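Review bot: Line 403 edits `$R/etc/ssh/sshd_config` whenever `ENABLE_ROOT_SSH` is set, but with `ENABLE_SSHD=false` the file presumably does not exist in the chroot and `sed -i` then fails, aborting the build under `set -e`; guard it as `if [ "$ENABLE_ROOT_SSH" = true ] && [ "$ENABLE_SSHD" = true ]; then`. A short comment above line 399 stating that root is locked with `!` unless `ENABLE_ROOT` is set, and that `ENABLE_ROOT_SSH` only enables password login while key-based login follows the distribution's sshd default, would document the intended security posture where the decision is made. Both accounts receive the same `ENCRYPTED_PASSWORD` hash, which is consistent with the README but worth a word here too.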
@@ -402,51 +422,7 fi | |||||
402 | echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt |
|
422 | echo "${CMDLINE}" >$R/boot/firmware/cmdline.txt | |
403 |
|
423 | |||
404 | # Set up firmware config |
|
424 | # Set up firmware config | |
405 | cat <<EOM >$R/boot/firmware/config.txt |
|
425 | install -o root -g root -m 644 files/config.txt $R/boot/firmware/config.txt | |
406 | # For more options and information see |
|
|||
407 | # http://www.raspberrypi.org/documentation/configuration/config-txt.md |
|
|||
408 | # Some settings may impact device functionality. See link above for details |
|
|||
409 |
|
||||
410 | # uncomment if you get no picture on HDMI for a default "safe" mode |
|
|||
411 | #hdmi_safe=1 |
|
|||
412 |
|
||||
413 | # uncomment this if your display has a black border of unused pixels visible |
|
|||
414 | # and your display can output without overscan |
|
|||
415 | #disable_overscan=1 |
|
|||
416 |
|
||||
417 | # uncomment the following to adjust overscan. Use positive numbers if console |
|
|||
418 | # goes off screen, and negative if there is too much border |
|
|||
419 | #overscan_left=16 |
|
|||
420 | #overscan_right=16 |
|
|||
421 | #overscan_top=16 |
|
|||
422 | #overscan_bottom=16 |
|
|||
423 |
|
||||
424 | # uncomment to force a console size. By default it will be display's size minus |
|
|||
425 | # overscan. |
|
|||
426 | #framebuffer_width=1280 |
|
|||
427 | #framebuffer_height=720 |
|
|||
428 |
|
||||
429 | # uncomment if hdmi display is not detected and composite is being output |
|
|||
430 | #hdmi_force_hotplug=1 |
|
|||
431 |
|
||||
432 | # uncomment to force a specific HDMI mode (this will force VGA) |
|
|||
433 | #hdmi_group=1 |
|
|||
434 | #hdmi_mode=1 |
|
|||
435 |
|
||||
436 | # uncomment to force a HDMI mode rather than DVI. This can make audio work in |
|
|||
437 | # DMT (computer monitor) modes |
|
|||
438 | #hdmi_drive=2 |
|
|||
439 |
|
||||
440 | # uncomment to increase signal to HDMI, if you have interference, blanking, or |
|
|||
441 | # no display |
|
|||
442 | #config_hdmi_boost=4 |
|
|||
443 |
|
||||
444 | # uncomment for composite PAL |
|
|||
445 | #sdtv_mode=2 |
|
|||
446 |
|
||||
447 | # uncomment to overclock the arm. 700 MHz is the default. |
|
|||
448 | #arm_freq=800 |
|
|||
449 | EOM |
|
|||
450 |
|
426 | |||
451 | # Load snd_bcm2835 kernel module at boot time |
|
427 | # Load snd_bcm2835 kernel module at boot time | |
452 | if [ "$ENABLE_SOUND" = true ] ; then |
|
428 | if [ "$ENABLE_SOUND" = true ] ; then | |
@@ -476,99 +452,17 fi | |||||
476 | mkdir -p $R/etc/modprobe.d/ |
|
452 | mkdir -p $R/etc/modprobe.d/ | |
477 |
|
453 | |||
478 | # Blacklist sound modules |
|
454 | # Blacklist sound modules | |
479 | cat <<EOM >$R/etc/modprobe.d/raspi-blacklist.conf |
|
455 | install -o root -g root -m 644 files/modprobe.d/raspi-blacklist.conf $R/etc/modprobe.d/raspi-blacklist.conf | |
480 | blacklist snd_soc_core |
|
|||
481 | blacklist snd_pcm |
|
|||
482 | blacklist snd_pcm_dmaengine |
|
|||
483 | blacklist snd_timer |
|
|||
484 | blacklist snd_compress |
|
|||
485 | blacklist snd_soc_pcm512x_i2c |
|
|||
486 | blacklist snd_soc_pcm512x |
|
|||
487 | blacklist snd_soc_tas5713 |
|
|||
488 | blacklist snd_soc_wm8804 |
|
|||
489 | EOM |
|
|||
490 |
|
456 | |||
491 | # Create default fstab |
|
457 | # Create default fstab | |
492 | cat <<EOM >$R/etc/fstab |
|
458 | install -o root -g root -m 644 files/fstab $R/etc/fstab | |
493 | /dev/mmcblk0p2 / ext4 noatime,nodiratime,errors=remount-ro,discard,data=writeback,commit=100 0 1 |
|
|||
494 | /dev/mmcblk0p1 /boot/firmware vfat defaults,noatime,nodiratime 0 2 |
|
|||
495 | EOM |
|
|||
496 |
|
||||
497 | # Avoid swapping and increase cache sizes |
|
|||
498 | cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf |
|
|||
499 |
|
459 | |||
500 | # Avoid swapping and increase cache sizes |
|
460 | # Avoid swapping and increase cache sizes | |
501 | vm.swappiness=1 |
|
461 | install -o root -g root -m 644 files/sysctl.d/81-rpi-vm.conf $R/etc/sysctl.d/81-rpi-vm.conf | |
502 | vm.dirty_background_ratio=20 |
|
|||
503 | vm.dirty_ratio=40 |
|
|||
504 | vm.dirty_writeback_centisecs=500 |
|
|||
505 | vm.dirty_expire_centisecs=6000 |
|
|||
506 | EOM |
|
|||
507 |
|
462 | |||
508 | # Enable network stack hardening |
|
463 | # Enable network stack hardening | |
509 | if [ "$ENABLE_HARDNET" = true ] ; then |
|
464 | if [ "$ENABLE_HARDNET" = true ] ; then | |
510 | cat <<EOM >>$R/etc/sysctl.d/99-sysctl.conf |
|
465 | install -o root -g root -m 644 files/sysctl.d/81-rpi-net-hardening.conf $R/etc/sysctl.d/81-rpi-net-hardening.conf | |
511 |
|
||||
512 | # Enable network stack hardening |
|
|||
513 | net.ipv4.tcp_timestamps=0 |
|
|||
514 | net.ipv4.tcp_syncookies=1 |
|
|||
515 | net.ipv4.conf.all.rp_filter=1 |
|
|||
516 | net.ipv4.conf.all.accept_redirects=0 |
|
|||
517 | net.ipv4.conf.all.send_redirects=0 |
|
|||
518 | net.ipv4.conf.all.accept_source_route=0 |
|
|||
519 | net.ipv4.conf.default.rp_filter=1 |
|
|||
520 | net.ipv4.conf.default.accept_redirects=0 |
|
|||
521 | net.ipv4.conf.default.send_redirects=0 |
|
|||
522 | net.ipv4.conf.default.accept_source_route=0 |
|
|||
523 | net.ipv4.conf.lo.accept_redirects=0 |
|
|||
524 | net.ipv4.conf.lo.send_redirects=0 |
|
|||
525 | net.ipv4.conf.lo.accept_source_route=0 |
|
|||
526 | net.ipv4.conf.eth0.accept_redirects=0 |
|
|||
527 | net.ipv4.conf.eth0.send_redirects=0 |
|
|||
528 | net.ipv4.conf.eth0.accept_source_route=0 |
|
|||
529 | net.ipv4.icmp_echo_ignore_broadcasts=1 |
|
|||
530 | net.ipv4.icmp_ignore_bogus_error_responses=1 |
|
|||
531 |
|
||||
532 | net.ipv6.conf.all.accept_redirects=0 |
|
|||
533 | net.ipv6.conf.all.accept_source_route=0 |
|
|||
534 | net.ipv6.conf.all.router_solicitations=0 |
|
|||
535 | net.ipv6.conf.all.accept_ra_rtr_pref=0 |
|
|||
536 | net.ipv6.conf.all.accept_ra_pinfo=0 |
|
|||
537 | net.ipv6.conf.all.accept_ra_defrtr=0 |
|
|||
538 | net.ipv6.conf.all.autoconf=0 |
|
|||
539 | net.ipv6.conf.all.dad_transmits=0 |
|
|||
540 | net.ipv6.conf.all.max_addresses=1 |
|
|||
541 |
|
||||
542 | net.ipv6.conf.default.accept_redirects=0 |
|
|||
543 | net.ipv6.conf.default.accept_source_route=0 |
|
|||
544 | net.ipv6.conf.default.router_solicitations=0 |
|
|||
545 | net.ipv6.conf.default.accept_ra_rtr_pref=0 |
|
|||
546 | net.ipv6.conf.default.accept_ra_pinfo=0 |
|
|||
547 | net.ipv6.conf.default.accept_ra_defrtr=0 |
|
|||
548 | net.ipv6.conf.default.autoconf=0 |
|
|||
549 | net.ipv6.conf.default.dad_transmits=0 |
|
|||
550 | net.ipv6.conf.default.max_addresses=1 |
|
|||
551 |
|
||||
552 | net.ipv6.conf.lo.accept_redirects=0 |
|
|||
553 | net.ipv6.conf.lo.accept_source_route=0 |
|
|||
554 | net.ipv6.conf.lo.router_solicitations=0 |
|
|||
555 | net.ipv6.conf.lo.accept_ra_rtr_pref=0 |
|
|||
556 | net.ipv6.conf.lo.accept_ra_pinfo=0 |
|
|||
557 | net.ipv6.conf.lo.accept_ra_defrtr=0 |
|
|||
558 | net.ipv6.conf.lo.autoconf=0 |
|
|||
559 | net.ipv6.conf.lo.dad_transmits=0 |
|
|||
560 | net.ipv6.conf.lo.max_addresses=1 |
|
|||
561 |
|
||||
562 | net.ipv6.conf.eth0.accept_redirects=0 |
|
|||
563 | net.ipv6.conf.eth0.accept_source_route=0 |
|
|||
564 | net.ipv6.conf.eth0.router_solicitations=0 |
|
|||
565 | net.ipv6.conf.eth0.accept_ra_rtr_pref=0 |
|
|||
566 | net.ipv6.conf.eth0.accept_ra_pinfo=0 |
|
|||
567 | net.ipv6.conf.eth0.accept_ra_defrtr=0 |
|
|||
568 | net.ipv6.conf.eth0.autoconf=0 |
|
|||
569 | net.ipv6.conf.eth0.dad_transmits=0 |
|
|||
570 | net.ipv6.conf.eth0.max_addresses=1 |
|
|||
571 | EOM |
|
|||
572 |
|
466 | |||
573 | # Enable resolver warnings about spoofed addresses |
|
467 | # Enable resolver warnings about spoofed addresses | |
574 | cat <<EOM >>$R/etc/host.conf |
|
468 | cat <<EOM >>$R/etc/host.conf | |
@@ -576,15 +470,36 spoof warn | |||||
576 | EOM |
|
470 | EOM | |
577 | fi |
|
471 | fi | |
578 |
|
472 | |||
579 | # Regenerate openssh server host keys |
|
473 | # First boot actions | |
|
474 | cat files/firstboot/10-begin.sh > $R/etc/rc.firstboot | |||
|
475 | ||||
|
476 | # Ensure openssh server host keys are regenerated on first boot | |||
580 | if [ "$ENABLE_SSHD" = true ] ; then |
|
477 | if [ "$ENABLE_SSHD" = true ] ; then | |
581 | rm -fr $R/etc/ssh/ssh_host_* |
|
478 | cat files/firstboot/21-generate-ssh-keys.sh >> $R/etc/rc.firstboot | |
582 | LANG=C chroot $R dpkg-reconfigure openssh-server |
|
479 | rm -f $R/etc/ssh/ssh_host_* | |
|
480 | fi | |||
|
481 | ||||
|
482 | if [ "$EXPANDROOT" = true ] ; then | |||
|
483 | cat files/firstboot/22-expandroot.sh >> $R/etc/rc.firstboot | |||
|
484 | fi | |||
|
485 | ||||
|
486 | cat files/firstboot/99-finish.sh >> $R/etc/rc.firstboot | |||
|
487 | chmod +x $R/etc/rc.firstboot | |||
|
488 | ||||
|
489 | sed -i '/exit 0/d' $R/etc/rc.local | |||
|
490 | echo /etc/rc.firstboot >> $R/etc/rc.local | |||
|
491 | echo exit 0 >> $R/etc/rc.local | |||
|
492 | ||||
|
493 | # Disable rsyslog | |||
|
494 | if [ "$ENABLE_RSYSLOG" = false ]; then | |||
|
495 | sed -i 's|[#]*ForwardToSyslog=yes|ForwardToSyslog=no|g' $R/etc/systemd/journald.conf | |||
|
496 | chroot_exec systemctl disable rsyslog | |||
|
497 | chroot_exec apt-get purge -q -y --force-yes rsyslog | |||
583 | fi |
|
498 | fi | |
584 |
|
499 | |||
585 | # Enable serial console systemd style |
|
500 | # Enable serial console systemd style | |
586 | if [ "$ENABLE_CONSOLE" = true ] ; then |
|
501 | if [ "$ENABLE_CONSOLE" = true ] ; then | |
587 |
|
|
502 | chroot_exec systemctl enable serial-getty\@ttyAMA0.service | |
588 | fi |
|
503 | fi | |
589 |
|
504 | |||
590 | # Enable firewall based on iptables started by systemd service |
|
505 | # Enable firewall based on iptables started by systemd service | |
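Review bot: The new `chroot_exec apt-get purge -q -y --force-yes rsyslog` at new line 497 uses `--force-yes`, which tells apt to continue past any check it would otherwise refuse, including package authentication; for a plain purge `-y` is sufficient, so the line should read `chroot_exec apt-get purge -q -y rsyslog`. The same flag sits on the build-tools install at new line 546 in the `@@ -775,7 +543,7` hunk, where it would also let apt pull unauthenticated packages into the image; whether that hunk introduced it or only restyled the line is not visible here, but it should be dropped there as well. Separately, `sed -i '/exit 0/d' $R/etc/rc.local` deletes every line containing that text, so if the image's rc.local carries Debian's stock header comment that mentions `exit 0`, that comment line disappears too; anchoring the pattern, `sed -i '/^exit 0$/d' $R/etc/rc.local`, limits it to the trailing statement. Finally, rc.local now invokes /etc/rc.firstboot on every boot, so this relies on `files/firstboot/99-finish.sh` removing or disabling the script after its first run, which the diff does not show.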
@@ -593,177 +508,30 if [ "$ENABLE_IPTABLES" = true ] ; then | |||||
593 | mkdir -p "$R/etc/iptables" |
|
508 | mkdir -p "$R/etc/iptables" | |
594 |
|
509 | |||
595 | # Create iptables systemd service |
|
510 | # Create iptables systemd service | |
596 | cat <<EOM >$R/etc/systemd/system/iptables.service |
|
511 | install -o root -g root -m 644 files/iptables/iptables.service $R/etc/systemd/system/iptables.service | |
597 | [Unit] |
|
|||
598 | Description=Packet Filtering Framework |
|
|||
599 | DefaultDependencies=no |
|
|||
600 | After=systemd-sysctl.service |
|
|||
601 | Before=sysinit.target |
|
|||
602 | [Service] |
|
|||
603 | Type=oneshot |
|
|||
604 | ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules |
|
|||
605 | ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules |
|
|||
606 | ExecStop=/etc/iptables/flush-iptables.sh |
|
|||
607 | RemainAfterExit=yes |
|
|||
608 | [Install] |
|
|||
609 | WantedBy=multi-user.target |
|
|||
610 | EOM |
|
|||
611 |
|
512 | |||
612 | # Create flush-table script called by iptables service |
|
513 | # Create flush-table script called by iptables service | |
613 | cat <<EOM >$R/etc/iptables/flush-iptables.sh |
|
514 | install -o root -g root -m 755 files/iptables/flush-iptables.sh $R/etc/iptables/flush-iptables.sh | |
614 | #!/bin/sh |
|
|||
615 | iptables -F |
|
|||
616 | iptables -X |
|
|||
617 | iptables -t nat -F |
|
|||
618 | iptables -t nat -X |
|
|||
619 | iptables -t mangle -F |
|
|||
620 | iptables -t mangle -X |
|
|||
621 | iptables -P INPUT ACCEPT |
|
|||
622 | iptables -P FORWARD ACCEPT |
|
|||
623 | iptables -P OUTPUT ACCEPT |
|
|||
624 | EOM |
|
|||
625 |
|
515 | |||
626 | # Create iptables rule file |
|
516 | # Create iptables rule file | |
627 | cat <<EOM >$R/etc/iptables/iptables.rules |
|
517 | install -o root -g root -m 644 files/iptables/iptables.rules $R/etc/iptables/iptables.rules | |
628 | *filter |
|
|||
629 | :INPUT DROP [0:0] |
|
|||
630 | :FORWARD DROP [0:0] |
|
|||
631 | :OUTPUT ACCEPT [0:0] |
|
|||
632 | :TCP - [0:0] |
|
|||
633 | :UDP - [0:0] |
|
|||
634 | :SSH - [0:0] |
|
|||
635 |
|
||||
636 | # Rate limit ping requests |
|
|||
637 | -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT |
|
|||
638 | -A INPUT -p icmp --icmp-type echo-request -j DROP |
|
|||
639 |
|
||||
640 | # Accept established connections |
|
|||
641 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
|
|||
642 |
|
||||
643 | # Accept all traffic on loopback interface |
|
|||
644 | -A INPUT -i lo -j ACCEPT |
|
|||
645 |
|
||||
646 | # Drop packets declared invalid |
|
|||
647 | -A INPUT -m conntrack --ctstate INVALID -j DROP |
|
|||
648 |
|
||||
649 | # SSH rate limiting |
|
|||
650 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH |
|
|||
651 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP |
|
|||
652 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP |
|
|||
653 | -A SSH -m recent --name sshbf --set -j ACCEPT |
|
|||
654 |
|
||||
655 | # Send TCP and UDP connections to their respective rules chain |
|
|||
656 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP |
|
|||
657 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP |
|
|||
658 |
|
||||
659 | # Reject dropped packets with a RFC compliant responce |
|
|||
660 | -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable |
|
|||
661 | -A INPUT -p tcp -j REJECT --reject-with tcp-rst |
|
|||
662 | -A INPUT -j REJECT --reject-with icmp-proto-unreachable |
|
|||
663 |
|
||||
664 | ## TCP PORT RULES |
|
|||
665 | # -A TCP -p tcp -j LOG |
|
|||
666 |
|
||||
667 | ## UDP PORT RULES |
|
|||
668 | # -A UDP -p udp -j LOG |
|
|||
669 |
|
||||
670 | COMMIT |
|
|||
671 | EOM |
|
|||
672 |
|
518 | |||
673 | # Reload systemd configuration and enable iptables service |
|
519 | # Reload systemd configuration and enable iptables service | |
674 |
|
|
520 | chroot_exec systemctl daemon-reload | |
675 |
|
|
521 | chroot_exec systemctl enable iptables.service | |
676 |
|
522 | |||
677 | if [ "$ENABLE_IPV6" = true ] ; then |
|
523 | if [ "$ENABLE_IPV6" = true ] ; then | |
678 | # Create ip6tables systemd service |
|
524 | # Create ip6tables systemd service | |
679 | cat <<EOM >$R/etc/systemd/system/ip6tables.service |
|
525 | install -o root -g root -m 644 files/iptables/ip6tables.service $R/etc/systemd/system/ip6tables.service | |
680 | [Unit] |
|
|||
681 | Description=Packet Filtering Framework |
|
|||
682 | DefaultDependencies=no |
|
|||
683 | After=systemd-sysctl.service |
|
|||
684 | Before=sysinit.target |
|
|||
685 | [Service] |
|
|||
686 | Type=oneshot |
|
|||
687 | ExecStart=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules |
|
|||
688 | ExecReload=/sbin/ip6tables-restore /etc/iptables/ip6tables.rules |
|
|||
689 | ExecStop=/etc/iptables/flush-ip6tables.sh |
|
|||
690 | RemainAfterExit=yes |
|
|||
691 | [Install] |
|
|||
692 | WantedBy=multi-user.target |
|
|||
693 | EOM |
|
|||
694 |
|
526 | |||
695 | # Create ip6tables file |
|
527 | # Create ip6tables file | |
696 | cat <<EOM >$R/etc/iptables/flush-ip6tables.sh |
|
528 | install -o root -g root -m 755 files/iptables/flush-ip6tables.sh $R/etc/iptables/flush-ip6tables.sh | |
697 | #!/bin/sh |
|
|||
698 | ip6tables -F |
|
|||
699 | ip6tables -X |
|
|||
700 | ip6tables -Z |
|
|||
701 | for table in $(</proc/net/ip6_tables_names) |
|
|||
702 | do |
|
|||
703 | ip6tables -t \$table -F |
|
|||
704 | ip6tables -t \$table -X |
|
|||
705 | ip6tables -t \$table -Z |
|
|||
706 | done |
|
|||
707 | ip6tables -P INPUT ACCEPT |
|
|||
708 | ip6tables -P OUTPUT ACCEPT |
|
|||
709 | ip6tables -P FORWARD ACCEPT |
|
|||
710 | EOM |
|
|||
711 |
|
||||
712 | # Create ip6tables rule file |
|
|||
713 | cat <<EOM >$R/etc/iptables/ip6tables.rules |
|
|||
714 | *filter |
|
|||
715 | :INPUT DROP [0:0] |
|
|||
716 | :FORWARD DROP [0:0] |
|
|||
717 | :OUTPUT ACCEPT [0:0] |
|
|||
718 | :TCP - [0:0] |
|
|||
719 | :UDP - [0:0] |
|
|||
720 | :SSH - [0:0] |
|
|||
721 |
|
529 | |||
722 | # Drop packets with RH0 headers |
|
530 | install -o root -g root -m 644 files/iptables/ip6tables.rules $R/etc/iptables/ip6tables.rules | |
723 | -A INPUT -m rt --rt-type 0 -j DROP |
|
|||
724 | -A OUTPUT -m rt --rt-type 0 -j DROP |
|
|||
725 | -A FORWARD -m rt --rt-type 0 -j DROP |
|
|||
726 |
|
531 | |||
727 | # Rate limit ping requests |
|
532 | # Reload systemd configuration and enable iptables service | |
728 | -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT |
|
533 | chroot_exec systemctl daemon-reload | |
729 | -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP |
|
534 | chroot_exec systemctl enable ip6tables.service | |
730 |
|
||||
731 | # Accept established connections |
|
|||
732 | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
|
|||
733 |
|
||||
734 | # Accept all traffic on loopback interface |
|
|||
735 | -A INPUT -i lo -j ACCEPT |
|
|||
736 |
|
||||
737 | # Drop packets declared invalid |
|
|||
738 | -A INPUT -m conntrack --ctstate INVALID -j DROP |
|
|||
739 |
|
||||
740 | # SSH rate limiting |
|
|||
741 | -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j SSH |
|
|||
742 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP |
|
|||
743 | -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP |
|
|||
744 | -A SSH -m recent --name sshbf --set -j ACCEPT |
|
|||
745 |
|
||||
746 | # Send TCP and UDP connections to their respective rules chain |
|
|||
747 | -A INPUT -p udp -m conntrack --ctstate NEW -j UDP |
|
|||
748 | -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP |
|
|||
749 |
|
||||
750 | # Reject dropped packets with a RFC compliant responce |
|
|||
751 | -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited |
|
|||
752 | -A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited |
|
|||
753 | -A INPUT -j REJECT --reject-with icmp6-adm-prohibited |
|
|||
754 |
|
||||
755 | ## TCP PORT RULES |
|
|||
756 | # -A TCP -p tcp -j LOG |
|
|||
757 |
|
||||
758 | ## UDP PORT RULES |
|
|||
759 | # -A UDP -p udp -j LOG |
|
|||
760 |
|
||||
761 | COMMIT |
|
|||
762 | EOM |
|
|||
763 |
|
||||
764 | # Reload systemd configuration and enable iptables service |
|
|||
765 | LANG=C chroot $R systemctl daemon-reload |
|
|||
766 | LANG=C chroot $R systemctl enable ip6tables.service |
|
|||
767 | fi |
|
535 | fi | |
768 | fi |
|
536 | fi | |
769 |
|
537 | |||
@@ -775,7 +543,7 fi | |||||
775 |
|
543 | |||
776 | # Install gcc/c++ build environment inside the chroot |
|
544 | # Install gcc/c++ build environment inside the chroot | |
777 | if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then |
|
545 | if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then | |
778 |
|
|
546 | chroot_exec apt-get install -q -y --force-yes --no-install-recommends linux-compiler-gcc-4.9-arm g++ make bc | |
779 | fi |
|
547 | fi | |
780 |
|
548 | |||
781 | # Fetch and build U-Boot bootloader |
|
549 | # Fetch and build U-Boot bootloader | |
@@ -784,7 +552,7 if [ "$ENABLE_UBOOT" = true ] ; then | |||||
784 | git -C $R/tmp clone git://git.denx.de/u-boot.git |
|
552 | git -C $R/tmp clone git://git.denx.de/u-boot.git | |
785 |
|
553 | |||
786 | # Build and install U-Boot inside chroot |
|
554 | # Build and install U-Boot inside chroot | |
787 |
|
|
555 | chroot_exec make -C /tmp/u-boot/ rpi_2_defconfig all | |
788 |
|
556 | |||
789 | # Copy compiled bootloader binary and set config.txt to load it |
|
557 | # Copy compiled bootloader binary and set config.txt to load it | |
790 | cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/ |
|
558 | cp $R/tmp/u-boot/u-boot.bin $R/boot/firmware/ | |
@@ -809,7 +577,7 bootz \${kernel_addr_r} | |||||
809 | EOM |
|
577 | EOM | |
810 |
|
578 | |||
811 | # Generate U-Boot image from command file |
|
579 | # Generate U-Boot image from command file | |
812 |
|
|
580 | chroot_exec mkimage -A arm -O linux -T script -C none -a 0x00000000 -e 0x00000000 -n "RPi2 Boot Script" -d /boot/firmware/uboot.mkimage /boot/firmware/boot.scr | |
813 | fi |
|
581 | fi | |
814 |
|
582 | |||
815 | # Fetch and build fbturbo Xorg driver |
|
583 | # Fetch and build fbturbo Xorg driver | |
@@ -818,10 +586,10 if [ "$ENABLE_FBTURBO" = true ] ; then | |||||
818 | git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git |
|
586 | git -C $R/tmp clone https://github.com/ssvb/xf86-video-fbturbo.git | |
819 |
|
587 | |||
820 | # Install Xorg build dependencies |
|
588 | # Install Xorg build dependencies | |
821 |
|
|
589 | chroot_exec apt-get install -q -y --no-install-recommends xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev | |
822 |
|
590 | |||
823 | # Build and install fbturbo driver inside chroot |
|
591 | # Build and install fbturbo driver inside chroot | |
824 |
|
|
592 | chroot_exec /bin/bash -c "cd /tmp/xf86-video-fbturbo; autoreconf -vi; ./configure --prefix=/usr; make; make install" | |
825 |
|
593 | |||
826 | # Add fbturbo driver to Xorg configuration |
|
594 | # Add fbturbo driver to Xorg configuration | |
827 | cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf |
|
595 | cat <<EOM >$R/usr/share/X11/xorg.conf.d/99-fbturbo.conf | |
@@ -834,18 +602,18 EndSection | |||||
834 | EOM |
|
602 | EOM | |
835 |
|
603 | |||
836 | # Remove Xorg build dependencies |
|
604 | # Remove Xorg build dependencies | |
837 |
|
|
605 | chroot_exec apt-get -q -y purge --auto-remove xorg-dev xutils-dev x11proto-dri2-dev libltdl-dev libtool automake libdrm-dev | |
838 | fi |
|
606 | fi | |
839 |
|
607 | |||
840 | # Remove gcc/c++ build environment from the chroot |
|
608 | # Remove gcc/c++ build environment from the chroot | |
841 | if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then |
|
609 | if [ "$ENABLE_UBOOT" = true ] || [ "$ENABLE_FBTURBO" = true ]; then | |
842 |
|
|
610 | chroot_exec apt-get -y -q purge --auto-remove bc binutils cpp cpp-4.9 g++ g++-4.9 gcc gcc-4.9 libasan1 libatomic1 libc-dev-bin libc6-dev libcloog-isl4 libgcc-4.9-dev libgomp1 libisl10 libmpc3 libmpfr4 libstdc++-4.9-dev libubsan0 linux-compiler-gcc-4.9-arm linux-libc-dev make | |
843 | fi |
|
611 | fi | |
844 |
|
612 | |||
845 | # Clean cached downloads |
|
613 | # Clean cached downloads | |
846 |
|
|
614 | chroot_exec apt-get -y clean | |
847 |
|
|
615 | chroot_exec apt-get -y autoclean | |
848 |
|
|
616 | chroot_exec apt-get -y autoremove | |
849 |
|
617 | |||
850 | # Unmount mounted filesystems |
|
618 | # Unmount mounted filesystems | |
851 | umount -l $R/proc |
|
619 | umount -l $R/proc |