##// END OF EJS Templates
formating and dropbear fix for static ip
Unknown -
r569:c84998d2e8c2
parent child
Show More
@@ -1,102 +1,116
1 #
1 #
2 # Setup fstab and initramfs
2 # Setup fstab and initramfs
3 #
3 #
4
4
5 # Load utility functions
5 # Load utility functions
6 . ./functions.sh
6 . ./functions.sh
7
7
8 # Install and setup fstab
8 # Install and setup fstab
9 install_readonly files/mount/fstab "${ETC_DIR}/fstab"
9 install_readonly files/mount/fstab "${ETC_DIR}/fstab"
10
10
11 # Add usb/sda disk root partition to fstab
11 # Add usb/sda disk root partition to fstab
12 if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_CRYPTFS" = false ] ; then
12 if [ "$ENABLE_SPLITFS" = true ] && [ "$ENABLE_CRYPTFS" = false ] ; then
13 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab"
13 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/fstab"
14 fi
14 fi
15
15
16 # Add encrypted root partition to fstab and crypttab
16 # Add encrypted root partition to fstab and crypttab
17 if [ "$ENABLE_CRYPTFS" = true ] ; then
17 if [ "$ENABLE_CRYPTFS" = true ] ; then
18 # Replace fstab root partition with encrypted partition mapping
18 # Replace fstab root partition with encrypted partition mapping
19 sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "${ETC_DIR}/fstab"
19 sed -i "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING}/" "${ETC_DIR}/fstab"
20
20
21 # Add encrypted partition to crypttab and fstab
21 # Add encrypted partition to crypttab and fstab
22 install_readonly files/mount/crypttab "${ETC_DIR}/crypttab"
22 install_readonly files/mount/crypttab "${ETC_DIR}/crypttab"
23 echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks,initramfs" >> "${ETC_DIR}/crypttab"
23 echo "${CRYPTFS_MAPPING} /dev/mmcblk0p2 none luks,initramfs" >> "${ETC_DIR}/crypttab"
24
24
25 if [ "$ENABLE_SPLITFS" = true ] ; then
25 if [ "$ENABLE_SPLITFS" = true ] ; then
26 # Add usb/sda1 disk to crypttab
26 # Add usb/sda1 disk to crypttab
27 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab"
27 sed -i "s/mmcblk0p2/sda1/" "${ETC_DIR}/crypttab"
28 fi
28 fi
29 fi
29 fi
30
30
31 if [ "$ENABLE_USBBOOT" = true ] ; then
31 if [ "$ENABLE_USBBOOT" = true ] ; then
32 sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab"
32 sed -i "s/mmcblk0p1/sda1/" "${ETC_DIR}/fstab"
33 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab"
33 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/fstab"
34
34
35 # Add usb/sda2 disk to crypttab
35 # Add usb/sda2 disk to crypttab
36 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/crypttab"
36 sed -i "s/mmcblk0p2/sda2/" "${ETC_DIR}/crypttab"
37 fi
37 fi
38
38
39 # Generate initramfs file
39 # Generate initramfs file
40 if [ "$ENABLE_INITRAMFS" = true ] ; then
40 if [ "$ENABLE_INITRAMFS" = true ] ; then
41 if [ "$ENABLE_CRYPTFS" = true ] ; then
41 if [ "$ENABLE_CRYPTFS" = true ] ; then
42 # Include initramfs scripts to auto expand encrypted root partition
42 # Include initramfs scripts to auto expand encrypted root partition
43 if [ "$EXPANDROOT" = true ] ; then
43 if [ "$EXPANDROOT" = true ] ; then
44 install_exec files/initramfs/expand_encrypted_rootfs "${ETC_DIR}/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs"
44 install_exec files/initramfs/expand_encrypted_rootfs "${ETC_DIR}/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs"
45 install_exec files/initramfs/expand-premount "${ETC_DIR}/initramfs-tools/scripts/local-premount/expand-premount"
45 install_exec files/initramfs/expand-premount "${ETC_DIR}/initramfs-tools/scripts/local-premount/expand-premount"
46 install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools"
46 install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools"
47 fi
47 fi
48
49 if [ "$ENABLE_DHCP" = false ] ; then
50 # Get cdir from NET_ADDRESS e.g. 24
51 cdir=$(${NET_ADDRESS} | cut -d '/' -f2)
52
53 # Convert cdir ro netmask e.g. 24 to 255.255.255.0
54 NET_MASK=$(cdr2mask "$cdir")
55
56 # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf
57 sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf
58
59 # Regenerate initramfs
60 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
61 fi
48
62
49 if [ "$CRYPTFS_DROPBEAR" = true ]; then
63 if [ "$CRYPTFS_DROPBEAR" = true ]; then
50 if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then
64 if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then
51 install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
65 install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
52 cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys
66 cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys
53 else
67 else
54 # Create key
68 # Create key
55 chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear
69 chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear
56
70
57 # Convert dropbear key to openssh key
71 # Convert dropbear key to openssh key
58 chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa
72 chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa
59
73
60 # Get Public Key Part
74 # Get Public Key Part
61 chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub
75 chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub
62
76
63 # Delete unwanted lines
77 # Delete unwanted lines
64 sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
78 sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
65 sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
79 sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
66
80
67 # Trust the new key
81 # Trust the new key
68 cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys
82 cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys
69
83
70 # Save Keys - convert with putty from rsa/openssh to puttkey
84 # Save Keys - convert with putty from rsa/openssh to puttkey
71 cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa
85 cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa
72
86
73 # Get unlock script
87 # Get unlock script
74 install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh
88 install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh
75
89
76 # Enable Dropbear inside initramfs
90 # Enable Dropbear inside initramfs
77 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
91 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
78
92
79 # Enable Dropbear inside initramfs
93 # Enable Dropbear inside initramfs
80 sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear
94 sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear
81 fi
95 fi
82 else
96 else
83 # Disable SSHD inside initramfs
97 # Disable SSHD inside initramfs
84 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
98 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
85 fi
99 fi
86
100
87 # Add cryptsetup modules to initramfs
101 # Add cryptsetup modules to initramfs
88 printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook"
102 printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook"
89
103
90 # Dummy mapping required by mkinitramfs
104 # Dummy mapping required by mkinitramfs
91 echo "0 1 crypt $(echo "${CRYPTFS_CIPHER}" | cut -d ':' -f 1) ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}"
105 echo "0 1 crypt $(echo "${CRYPTFS_CIPHER}" | cut -d ':' -f 1) ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 7:0 4096" | chroot_exec dmsetup create "${CRYPTFS_MAPPING}"
92
106
93 # Generate initramfs with encrypted root partition support
107 # Generate initramfs with encrypted root partition support
94 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
108 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
95
109
96 # Remove dummy mapping
110 # Remove dummy mapping
97 chroot_exec cryptsetup close "${CRYPTFS_MAPPING}"
111 chroot_exec cryptsetup close "${CRYPTFS_MAPPING}"
98 else
112 else
99 # Generate initramfs without encrypted root partition support
113 # Generate initramfs without encrypted root partition support
100 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
114 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
101 fi
115 fi
102 fi
116 fi
@@ -1,293 +1,295
1 #
1 #
2 # Setup RPi2/3 config and cmdline
2 # Setup RPi2/3 config and cmdline
3 #
3 #
4
4
5 # Load utility functions
5 # Load utility functions
6 . ./functions.sh
6 . ./functions.sh
7
7
8 if [ -n "$RPI_FIRMWARE_DIR" ] && [ -d "$RPI_FIRMWARE_DIR" ] ; then
8 if [ -n "$RPI_FIRMWARE_DIR" ] && [ -d "$RPI_FIRMWARE_DIR" ] ; then
9 # Install boot binaries from local directory
9 # Install boot binaries from local directory
10 cp "${RPI_FIRMWARE_DIR}"/boot/bootcode.bin "${BOOT_DIR}"/bootcode.bin
10 cp "${RPI_FIRMWARE_DIR}"/boot/bootcode.bin "${BOOT_DIR}"/bootcode.bin
11 cp "${RPI_FIRMWARE_DIR}"/boot/fixup.dat "${BOOT_DIR}"/fixup.dat
11 cp "${RPI_FIRMWARE_DIR}"/boot/fixup.dat "${BOOT_DIR}"/fixup.dat
12 cp "${RPI_FIRMWARE_DIR}"/boot/fixup_cd.dat "${BOOT_DIR}"/fixup_cd.dat
12 cp "${RPI_FIRMWARE_DIR}"/boot/fixup_cd.dat "${BOOT_DIR}"/fixup_cd.dat
13 cp "${RPI_FIRMWARE_DIR}"/boot/fixup_x.dat "${BOOT_DIR}"/fixup_x.dat
13 cp "${RPI_FIRMWARE_DIR}"/boot/fixup_x.dat "${BOOT_DIR}"/fixup_x.dat
14 cp "${RPI_FIRMWARE_DIR}"/boot/start.elf "${BOOT_DIR}"/start.elf
14 cp "${RPI_FIRMWARE_DIR}"/boot/start.elf "${BOOT_DIR}"/start.elf
15 cp "${RPI_FIRMWARE_DIR}"/boot/start_cd.elf "${BOOT_DIR}"/start_cd.elf
15 cp "${RPI_FIRMWARE_DIR}"/boot/start_cd.elf "${BOOT_DIR}"/start_cd.elf
16 cp "${RPI_FIRMWARE_DIR}"/boot/start_x.elf "${BOOT_DIR}"/start_x.elf
16 cp "${RPI_FIRMWARE_DIR}"/boot/start_x.elf "${BOOT_DIR}"/start_x.elf
17 else
17 else
18 # Create temporary directory for boot binaries
18 # Create temporary directory for boot binaries
19 temp_dir=$(as_nobody mktemp -d)
19 temp_dir=$(as_nobody mktemp -d)
20
20
21 # Install latest boot binaries from raspberry/firmware github
21 # Install latest boot binaries from raspberry/firmware github
22 as_nobody wget -q -O "${temp_dir}/bootcode.bin" "${FIRMWARE_URL}/bootcode.bin"
22 as_nobody wget -q -O "${temp_dir}/bootcode.bin" "${FIRMWARE_URL}/bootcode.bin"
23 as_nobody wget -q -O "${temp_dir}/fixup.dat" "${FIRMWARE_URL}/fixup.dat"
23 as_nobody wget -q -O "${temp_dir}/fixup.dat" "${FIRMWARE_URL}/fixup.dat"
24 as_nobody wget -q -O "${temp_dir}/fixup_cd.dat" "${FIRMWARE_URL}/fixup_cd.dat"
24 as_nobody wget -q -O "${temp_dir}/fixup_cd.dat" "${FIRMWARE_URL}/fixup_cd.dat"
25 as_nobody wget -q -O "${temp_dir}/fixup_x.dat" "${FIRMWARE_URL}/fixup_x.dat"
25 as_nobody wget -q -O "${temp_dir}/fixup_x.dat" "${FIRMWARE_URL}/fixup_x.dat"
26 as_nobody wget -q -O "${temp_dir}/start.elf" "${FIRMWARE_URL}/start.elf"
26 as_nobody wget -q -O "${temp_dir}/start.elf" "${FIRMWARE_URL}/start.elf"
27 as_nobody wget -q -O "${temp_dir}/start_cd.elf" "${FIRMWARE_URL}/start_cd.elf"
27 as_nobody wget -q -O "${temp_dir}/start_cd.elf" "${FIRMWARE_URL}/start_cd.elf"
28 as_nobody wget -q -O "${temp_dir}/start_x.elf" "${FIRMWARE_URL}/start_x.elf"
28 as_nobody wget -q -O "${temp_dir}/start_x.elf" "${FIRMWARE_URL}/start_x.elf"
29
29
30 # Move downloaded boot binaries
30 # Move downloaded boot binaries
31 mv "${temp_dir}/"* "${BOOT_DIR}/"
31 mv "${temp_dir}/"* "${BOOT_DIR}/"
32
32
33 # Remove temporary directory for boot binaries
33 # Remove temporary directory for boot binaries
34 rm -fr "${temp_dir}"
34 rm -fr "${temp_dir}"
35
35
36 # Set permissions of the boot binaries
36 # Set permissions of the boot binaries
37 chown -R root:root "${BOOT_DIR}"
37 chown -R root:root "${BOOT_DIR}"
38 chmod -R 600 "${BOOT_DIR}"
38 chmod -R 600 "${BOOT_DIR}"
39 fi
39 fi
40
40
41 # Setup firmware boot cmdline
41 # Setup firmware boot cmdline
42 if [ "$ENABLE_USBBOOT" = true ] ; then
42 if [ "$ENABLE_USBBOOT" = true ] ; then
43 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd"
43 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd"
44 else
44 else
45 if [ "$ENABLE_SPLITFS" = true ] ; then
45 if [ "$ENABLE_SPLITFS" = true ] ; then
46 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda1 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd"
46 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/sda1 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd"
47 else
47 else
48 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd"
48 CMDLINE="dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 rootfstype=ext4 rootflags=commit=100,data=writeback elevator=deadline console=tty1 rootwait init=/bin/systemd"
49 fi
49 fi
50 fi
50 fi
51
51
52 # Add encrypted root partition to cmdline.txt
52 # Add encrypted root partition to cmdline.txt
53 if [ "$ENABLE_CRYPTFS" = true ] ; then
53 if [ "$ENABLE_CRYPTFS" = true ] ; then
54 if [ "$ENABLE_SPLITFS" = true ] ; then
54 if [ "$ENABLE_SPLITFS" = true ] ; then
55 CMDLINE=$(echo "${CMDLINE}" | sed "s/sda1/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/sda1:${CRYPTFS_MAPPING}/")
55 CMDLINE=$(echo "${CMDLINE}" | sed "s/sda1/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/sda1:${CRYPTFS_MAPPING}/")
56 else
56 else
57 if [ "$ENABLE_USBBOOT" = true ] ; then
57 if [ "$ENABLE_USBBOOT" = true ] ; then
58 CMDLINE=$(echo "${CMDLINE}" | sed "s/sda2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/sda2:${CRYPTFS_MAPPING}/")
58 CMDLINE=$(echo "${CMDLINE}" | sed "s/sda2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/sda2:${CRYPTFS_MAPPING}/")
59 else
59 else
60 CMDLINE=$(echo "${CMDLINE}" | sed "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/")
60 CMDLINE=$(echo "${CMDLINE}" | sed "s/mmcblk0p2/mapper\/${CRYPTFS_MAPPING} cryptdevice=\/dev\/mmcblk0p2:${CRYPTFS_MAPPING}/")
61 fi
61 fi
62 fi
62 fi
63 fi
63 fi
64
64
65 # Enable Kernel messages on standard output
65 # Enable Kernel messages on standard output
66 if [ "$ENABLE_PRINTK" = true ] ; then
66 if [ "$ENABLE_PRINTK" = true ] ; then
67 install_readonly files/sysctl.d/83-rpi-printk.conf "${ETC_DIR}/sysctl.d/83-rpi-printk.conf"
67 install_readonly files/sysctl.d/83-rpi-printk.conf "${ETC_DIR}/sysctl.d/83-rpi-printk.conf"
68 fi
68 fi
69
69
70 # Enable Kernel messages on standard output
70 # Enable Kernel messages on standard output
71 if [ "$KERNEL_SECURITY" = true ] ; then
71 if [ "$KERNEL_SECURITY" = true ] ; then
72 install_readonly files/sysctl.d/84-rpi-ASLR.conf "${ETC_DIR}/sysctl.d/84-rpi-ASLR.conf"
72 install_readonly files/sysctl.d/84-rpi-ASLR.conf "${ETC_DIR}/sysctl.d/84-rpi-ASLR.conf"
73 fi
73 fi
74
74
75 # Install udev rule for serial alias - serial0 = console serial1=bluetooth
75 # Install udev rule for serial alias - serial0 = console serial1=bluetooth
76 install_readonly files/etc/99-com.rules "${LIB_DIR}/udev/rules.d/99-com.rules"
76 install_readonly files/etc/99-com.rules "${LIB_DIR}/udev/rules.d/99-com.rules"
77
77
78 # Remove IPv6 networking support
78 # Remove IPv6 networking support
79 if [ "$ENABLE_IPV6" = false ] ; then
79 if [ "$ENABLE_IPV6" = false ] ; then
80 CMDLINE="${CMDLINE} ipv6.disable=1"
80 CMDLINE="${CMDLINE} ipv6.disable=1"
81 fi
81 fi
82
82
83 # Automatically assign predictable network interface names
83 # Automatically assign predictable network interface names
84 if [ "$ENABLE_IFNAMES" = false ] ; then
84 if [ "$ENABLE_IFNAMES" = false ] ; then
85 CMDLINE="${CMDLINE} net.ifnames=0"
85 CMDLINE="${CMDLINE} net.ifnames=0"
86 else
86 else
87 CMDLINE="${CMDLINE} net.ifnames=1"
87 CMDLINE="${CMDLINE} net.ifnames=1"
88 fi
88 fi
89
89
90 # Disable Raspberry Pi console logo
90 # Disable Raspberry Pi console logo
91 if [ "$ENABLE_LOGO" = false ] ; then
91 if [ "$ENABLE_LOGO" = false ] ; then
92 CMDLINE="${CMDLINE} logo.nologo"
92 CMDLINE="${CMDLINE} logo.nologo"
93 fi
93 fi
94
94
95 # Strictly limit verbosity of boot up console messages
95 # Strictly limit verbosity of boot up console messages
96 if [ "$ENABLE_SILENT_BOOT" = true ] ; then
96 if [ "$ENABLE_SILENT_BOOT" = true ] ; then
97 CMDLINE="${CMDLINE} quiet loglevel=0 rd.systemd.show_status=auto rd.udev.log_priority=0"
97 CMDLINE="${CMDLINE} quiet loglevel=0 rd.systemd.show_status=auto rd.udev.log_priority=0"
98 fi
98 fi
99
99
100 # Install firmware config
100 # Install firmware config
101 install_readonly files/boot/config.txt "${BOOT_DIR}/config.txt"
101 install_readonly files/boot/config.txt "${BOOT_DIR}/config.txt"
102
102
103 # Disable Raspberry Pi console logo
103 # Disable Raspberry Pi console logo
104 if [ "$ENABLE_SLASH" = false ] ; then
104 if [ "$ENABLE_SLASH" = false ] ; then
105 echo "disable_splash=1" >> "${BOOT_DIR}/config.txt"
105 echo "disable_splash=1" >> "${BOOT_DIR}/config.txt"
106 fi
106 fi
107
107
108 # Locks CPU frequency at maximum
108 # Locks CPU frequency at maximum
109 if [ "$ENABLE_TURBO" = true ] ; then
109 if [ "$ENABLE_TURBO" = true ] ; then
110 echo "force_turbo=1" >> "${BOOT_DIR}/config.txt"
110 echo "force_turbo=1" >> "${BOOT_DIR}/config.txt"
111 # helps to avoid sdcard corruption when force_turbo is enabled.
111 # helps to avoid sdcard corruption when force_turbo is enabled.
112 echo "boot_delay=1" >> "${BOOT_DIR}/config.txt"
112 echo "boot_delay=1" >> "${BOOT_DIR}/config.txt"
113 fi
113 fi
114
114
115 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
115 if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
116
116
117 # Bluetooth enabled
117 # Bluetooth enabled
118 if [ "$ENABLE_BLUETOOTH" = true ] ; then
118 if [ "$ENABLE_BLUETOOTH" = true ] ; then
119 # Create temporary directory for Bluetooth sources
119 # Create temporary directory for Bluetooth sources
120 temp_dir=$(as_nobody mktemp -d)
120 temp_dir=$(as_nobody mktemp -d)
121
121
122 # Fetch Bluetooth sources
122 # Fetch Bluetooth sources
123 as_nobody git -C "${temp_dir}" clone "${BLUETOOTH_URL}"
123 as_nobody git -C "${temp_dir}" clone "${BLUETOOTH_URL}"
124
124
125 # Copy downloaded sources
125 # Copy downloaded sources
126 mv "${temp_dir}/pi-bluetooth" "${R}/tmp/"
126 mv "${temp_dir}/pi-bluetooth" "${R}/tmp/"
127
127
128 # Bluetooth firmware from arch aur https://aur.archlinux.org/packages/pi-bluetooth/
128 # Bluetooth firmware from arch aur https://aur.archlinux.org/packages/pi-bluetooth/
129 as_nobody wget -q -O "${R}/tmp/pi-bluetooth/LICENCE.broadcom_bcm43xx" https://aur.archlinux.org/cgit/aur.git/plain/LICENCE.broadcom_bcm43xx?h=pi-bluetooth
129 as_nobody wget -q -O "${R}/tmp/pi-bluetooth/LICENCE.broadcom_bcm43xx" https://aur.archlinux.org/cgit/aur.git/plain/LICENCE.broadcom_bcm43xx?h=pi-bluetooth
130 as_nobody wget -q -O "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" https://aur.archlinux.org/cgit/aur.git/plain/BCM43430A1.hcd?h=pi-bluetooth
130 as_nobody wget -q -O "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" https://aur.archlinux.org/cgit/aur.git/plain/BCM43430A1.hcd?h=pi-bluetooth
131
131
132 # Set permissions
132 # Set permissions
133 chown -R root:root "${R}/tmp/pi-bluetooth"
133 chown -R root:root "${R}/tmp/pi-bluetooth"
134
134
135 # Install tools
135 # Install tools
136 install_readonly "${R}/tmp/pi-bluetooth/usr/bin/btuart" "${R}/usr/bin/btuart"
136 install_readonly "${R}/tmp/pi-bluetooth/usr/bin/btuart" "${R}/usr/bin/btuart"
137 install_readonly "${R}/tmp/pi-bluetooth/usr/bin/bthelper" "${R}/usr/bin/bthelper"
137 install_readonly "${R}/tmp/pi-bluetooth/usr/bin/bthelper" "${R}/usr/bin/bthelper"
138
138
139 # make scripts executable
139 # make scripts executable
140 chmod +x "${R}/usr/bin/bthelper"
140 chmod +x "${R}/usr/bin/bthelper"
141 chmod +x "${R}/usr/bin/btuart"
141 chmod +x "${R}/usr/bin/btuart"
142
142
143 # Install bluetooth udev rule
143 # Install bluetooth udev rule
144 install_readonly "${R}/tmp/pi-bluetooth/lib/udev/rules.d/90-pi-bluetooth.rules" "${LIB_DIR}/udev/rules.d/90-pi-bluetooth.rules"
144 install_readonly "${R}/tmp/pi-bluetooth/lib/udev/rules.d/90-pi-bluetooth.rules" "${LIB_DIR}/udev/rules.d/90-pi-bluetooth.rules"
145
145
146 # Install Firmware Flash file and apropiate licence
146 # Install Firmware Flash file and apropiate licence
147 mkdir -p "$BLUETOOTH_FIRMWARE_DIR"
147 mkdir -p "$BLUETOOTH_FIRMWARE_DIR"
148 install_readonly "${R}/tmp/pi-bluetooth/LICENCE.broadcom_bcm43xx" "${BLUETOOTH_FIRMWARE_DIR}/LICENCE.broadcom_bcm43xx"
148 install_readonly "${R}/tmp/pi-bluetooth/LICENCE.broadcom_bcm43xx" "${BLUETOOTH_FIRMWARE_DIR}/LICENCE.broadcom_bcm43xx"
149 install_readonly "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" "${BLUETOOTH_FIRMWARE_DIR}/LICENCE.broadcom_bcm43xx"
149 install_readonly "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" "${BLUETOOTH_FIRMWARE_DIR}/LICENCE.broadcom_bcm43xx"
150 install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.bthelper@.service" "${ETC_DIR}/systemd/system/pi-bluetooth.bthelper@.service"
150 install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.bthelper@.service" "${ETC_DIR}/systemd/system/pi-bluetooth.bthelper@.service"
151 install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.hciuart.service" "${ETC_DIR}/systemd/system/pi-bluetooth.hciuart.service"
151 install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.hciuart.service" "${ETC_DIR}/systemd/system/pi-bluetooth.hciuart.service"
152
152
153 # Remove temporary directories
153 # Remove temporary directories
154 rm -fr "${temp_dir}"
154 rm -fr "${temp_dir}"
155 rm -fr "${R}"/tmp/pi-bluetooth
155 rm -fr "${R}"/tmp/pi-bluetooth
156
156
157 # Switch Pi3 Bluetooth function to use the mini-UART (ttyS0) and restore UART0/ttyAMA0 over GPIOs 14 & 15. Slow Bluetooth and slow cpu. Use /dev/ttyS0 instead of /dev/ttyAMA0
157 # Switch Pi3 Bluetooth function to use the mini-UART (ttyS0) and restore UART0/ttyAMA0 over GPIOs 14 & 15. Slow Bluetooth and slow cpu. Use /dev/ttyS0 instead of /dev/ttyAMA0
158 if [ "$ENABLE_MINIUART_OVERLAY" = true ] ; then
158 if [ "$ENABLE_MINIUART_OVERLAY" = true ] ; then
159
160 # set overlay to swap ttyAMA0 and ttyS0
159 # set overlay to swap ttyAMA0 and ttyS0
161 echo "dtoverlay=pi3-miniuart-bt" >> "${BOOT_DIR}/config.txt"
160 echo "dtoverlay=pi3-miniuart-bt" >> "${BOOT_DIR}/config.txt"
162
161
163 # if force_turbo didn't lock cpu at high speed, lock it at low speed (XOR logic) or miniuart will be broken
164 if [ "$ENABLE_TURBO" = false ] ; then
162 if [ "$ENABLE_TURBO" = false ] ; then
165 echo "core_freq=250" >> "${BOOT_DIR}/config.txt"
163 echo "core_freq=250" >> "${BOOT_DIR}/config.txt"
166 fi
164 fi
165
167 fi
166 fi
168
167
169 # Activate services
168 # Activate services
170 chroot_exec systemctl enable pi-bluetooth.hciuart.service
169 chroot_exec systemctl enable pi-bluetooth.hciuart.service
171
170
172 else # if ENABLE_BLUETOOTH = false
171 else # if ENABLE_BLUETOOTH = false
173 # set overlay to disable bluetooth
172 # set overlay to disable bluetooth
174 echo "dtoverlay=pi3-disable-bt" >> "${BOOT_DIR}/config.txt"
173 echo "dtoverlay=pi3-disable-bt" >> "${BOOT_DIR}/config.txt"
175 fi # ENABLE_BLUETOOTH end
174 fi # ENABLE_BLUETOOTH end
176 fi
175 fi
177
176
178 # may need sudo systemctl disable hciuart
177 # may need sudo systemctl disable hciuart
179 if [ "$ENABLE_CONSOLE" = true ] ; then
178 if [ "$ENABLE_CONSOLE" = true ] ; then
180 echo "enable_uart=1" >> "${BOOT_DIR}/config.txt"
179 echo "enable_uart=1" >> "${BOOT_DIR}/config.txt"
181 # add string to cmdline
180 # add string to cmdline
182 CMDLINE="${CMDLINE} console=serial0,115200"
181 CMDLINE="${CMDLINE} console=serial0,115200"
182
183 if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ]|| [ "$RPI_MODEL" = 0 ]; then
184 # if force_turbo didn't lock cpu at high speed, lock it at low speed (XOR logic) or miniuart will be broken
185 if [ "$ENABLE_TURBO" = false ] ; then
186 echo "core_freq=250" >> "${BOOT_DIR}/config.txt"
187 fi
188 fi
183
189
184 # Enable serial console systemd style
190 # Enable serial console systemd style
185 chroot_exec systemctl enable serial-getty\@serial0.service
191 chroot_exec systemctl enable serial-getty@serial0.service
186 else
192 else
187 echo "enable_uart=0" >> "${BOOT_DIR}/config.txt"
193 echo "enable_uart=0" >> "${BOOT_DIR}/config.txt"
188
189 # disable serial console systemd style
190 chroot_exec systemctl disable serial-getty\@"$SET_SERIAL".service
191 fi
194 fi
192
195
193 if [ "$ENABLE_SYSTEMDSWAP" = true ] ; then
196 if [ "$ENABLE_SYSTEMDSWAP" = true ] ; then
194 # Create temporary directory for systemd-swap sources
197 # Create temporary directory for systemd-swap sources
195 temp_dir=$(as_nobody mktemp -d)
198 temp_dir=$(as_nobody mktemp -d)
196
199
197 # Fetch systemd-swap sources
200 # Fetch systemd-swap sources
198 as_nobody git -C "${temp_dir}" clone "${SYSTEMDSWAP_URL}"
201 as_nobody git -C "${temp_dir}" clone "${SYSTEMDSWAP_URL}"
199
202
200 # Copy downloaded systemd-swap sources
203 # Copy downloaded systemd-swap sources
201 mv "${temp_dir}/systemd-swap" "${R}/tmp/"
204 mv "${temp_dir}/systemd-swap" "${R}/tmp/"
202
205
203 # Set permissions of the systemd-swap sources
204 chown -R root:root "${R}/tmp/systemd-swap"
205
206 # Remove temporary directory for systemd-swap sources
207 rm -fr "${temp_dir}"
208
209 # Change into downloaded src dir
206 # Change into downloaded src dir
210 cd "${R}/tmp/systemd-swap" || exit
207 cd "${R}/tmp/systemd-swap" || exit
211
208
212 # Build package
209 # Build package
213 . ./package.sh debian
210 bash ./package.sh debian
214
211
215 # Install package
212 # Change back into script root dir
216 chroot_exec dpkg -i /tmp/systemd-swap/systemd-swap-*any.deb
213 cd "${WORKDIR}" || exit
217
214
215 # Set permissions of the systemd-swap sources
216 chown -R root:root "${R}/tmp/systemd-swap"
217
218 # Install package - IMPROVE AND MAKE IT POSSIBLE WITHOUT VERSION NR.
219 chroot_exec dpkg -i /tmp/systemd-swap/systemd-swap_4.0.1_any.deb
220
218 # Enable service
221 # Enable service
219 chroot_exec systemctl enable systemd-swap
222 chroot_exec systemctl enable systemd-swap
220
223
221 # Change back into script root dir
224 # Remove temporary directory for systemd-swap sources
222 cd "${WORKDIR}" || exit
225 rm -fr "${temp_dir}"
223 else
226 else
224 # Enable ZSWAP in cmdline if systemd-swap is not used
227 # Enable ZSWAP in cmdline if systemd-swap is not used
225 if [ "$KERNEL_ZSWAP" = true ] ; then
228 if [ "$KERNEL_ZSWAP" = true ] ; then
226 CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4"
229 CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4"
227 fi
230 fi
228 fi
231 fi
229
232 if [ "$KERNEL_SECURITY" = true ] ; then
230 if [ "$KERNEL_SECURITY" = true ] ; then
233 CMDLINE="${CMDLINE} apparmor=1 security=apparmor"
231 CMDLINE="${CMDLINE} apparmor=1 security=apparmor"
234 fi
232 fi
233
235
234 # Install firmware boot cmdline
236 # Install firmware boot cmdline
235 echo "${CMDLINE}" > "${BOOT_DIR}/cmdline.txt"
237 echo "${CMDLINE}" > "${BOOT_DIR}/cmdline.txt"
236
238
237 # Setup minimal GPU memory allocation size: 16MB (no X)
239 # Setup minimal GPU memory allocation size: 16MB (no X)
238 if [ "$ENABLE_MINGPU" = true ] ; then
240 if [ "$ENABLE_MINGPU" = true ] ; then
239 echo "gpu_mem=16" >> "${BOOT_DIR}/config.txt"
241 echo "gpu_mem=16" >> "${BOOT_DIR}/config.txt"
240 fi
242 fi
241
243
242 # Setup boot with initramfs
244 # Setup boot with initramfs
243 if [ "$ENABLE_INITRAMFS" = true ] ; then
245 if [ "$ENABLE_INITRAMFS" = true ] ; then
244 echo "initramfs initramfs-${KERNEL_VERSION} followkernel" >> "${BOOT_DIR}/config.txt"
246 echo "initramfs initramfs-${KERNEL_VERSION} followkernel" >> "${BOOT_DIR}/config.txt"
245 fi
247 fi
246
248
247 # Create firmware configuration and cmdline symlinks
249 # Create firmware configuration and cmdline symlinks
248 ln -sf firmware/config.txt "${R}/boot/config.txt"
250 ln -sf firmware/config.txt "${R}/boot/config.txt"
249 ln -sf firmware/cmdline.txt "${R}/boot/cmdline.txt"
251 ln -sf firmware/cmdline.txt "${R}/boot/cmdline.txt"
250
252
251 # Install and setup kernel modules to load at boot
253 # Install and setup kernel modules to load at boot
252 mkdir -p "${LIB_DIR}/modules-load.d/"
254 mkdir -p "${LIB_DIR}/modules-load.d/"
253 install_readonly files/modules/rpi2.conf "${LIB_DIR}/modules-load.d/rpi2.conf"
255 install_readonly files/modules/rpi2.conf "${LIB_DIR}/modules-load.d/rpi2.conf"
254
256
255 # Load hardware random module at boot
257 # Load hardware random module at boot
256 if [ "$ENABLE_HWRANDOM" = true ] && [ "$BUILD_KERNEL" = false ] ; then
258 if [ "$ENABLE_HWRANDOM" = true ] && [ "$BUILD_KERNEL" = false ] ; then
257 sed -i "s/^# bcm2708_rng/bcm2708_rng/" "${LIB_DIR}/modules-load.d/rpi2.conf"
259 sed -i "s/^# bcm2708_rng/bcm2708_rng/" "${LIB_DIR}/modules-load.d/rpi2.conf"
258 fi
260 fi
259
261
260 # Load sound module at boot
262 # Load sound module at boot
261 if [ "$ENABLE_SOUND" = true ] ; then
263 if [ "$ENABLE_SOUND" = true ] ; then
262 sed -i "s/^# snd_bcm2835/snd_bcm2835/" "${LIB_DIR}/modules-load.d/rpi2.conf"
264 sed -i "s/^# snd_bcm2835/snd_bcm2835/" "${LIB_DIR}/modules-load.d/rpi2.conf"
263 else
265 else
264 echo "dtparam=audio=off" >> "${BOOT_DIR}/config.txt"
266 echo "dtparam=audio=off" >> "${BOOT_DIR}/config.txt"
265 fi
267 fi
266
268
267 # Enable I2C interface
269 # Enable I2C interface
268 if [ "$ENABLE_I2C" = true ] ; then
270 if [ "$ENABLE_I2C" = true ] ; then
269 echo "dtparam=i2c_arm=on" >> "${BOOT_DIR}/config.txt"
271 echo "dtparam=i2c_arm=on" >> "${BOOT_DIR}/config.txt"
270 sed -i "s/^# i2c-bcm2708/i2c-bcm2708/" "${LIB_DIR}/modules-load.d/rpi2.conf"
272 sed -i "s/^# i2c-bcm2708/i2c-bcm2708/" "${LIB_DIR}/modules-load.d/rpi2.conf"
271 sed -i "s/^# i2c-dev/i2c-dev/" "${LIB_DIR}/modules-load.d/rpi2.conf"
273 sed -i "s/^# i2c-dev/i2c-dev/" "${LIB_DIR}/modules-load.d/rpi2.conf"
272 fi
274 fi
273
275
274 # Enable SPI interface
276 # Enable SPI interface
275 if [ "$ENABLE_SPI" = true ] ; then
277 if [ "$ENABLE_SPI" = true ] ; then
276 echo "dtparam=spi=on" >> "${BOOT_DIR}/config.txt"
278 echo "dtparam=spi=on" >> "${BOOT_DIR}/config.txt"
277 echo "spi-bcm2708" >> "${LIB_DIR}/modules-load.d/rpi2.conf"
279 echo "spi-bcm2708" >> "${LIB_DIR}/modules-load.d/rpi2.conf"
278 if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ]; then
280 if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ]; then
279 sed -i "s/spi-bcm2708/spi-bcm2835/" "${LIB_DIR}/modules-load.d/rpi2.conf"
281 sed -i "s/spi-bcm2708/spi-bcm2835/" "${LIB_DIR}/modules-load.d/rpi2.conf"
280 fi
282 fi
281 fi
283 fi
282
284
283 # Disable RPi2/3 under-voltage warnings
285 # Disable RPi2/3 under-voltage warnings
284 if [ -n "$DISABLE_UNDERVOLT_WARNINGS" ] ; then
286 if [ -n "$DISABLE_UNDERVOLT_WARNINGS" ] ; then
285 echo "avoid_warnings=${DISABLE_UNDERVOLT_WARNINGS}" >> "${BOOT_DIR}/config.txt"
287 echo "avoid_warnings=${DISABLE_UNDERVOLT_WARNINGS}" >> "${BOOT_DIR}/config.txt"
286 fi
288 fi
287
289
288 # Install kernel modules blacklist
290 # Install kernel modules blacklist
289 mkdir -p "${ETC_DIR}/modprobe.d/"
291 mkdir -p "${ETC_DIR}/modprobe.d/"
290 install_readonly files/modules/raspi-blacklist.conf "${ETC_DIR}/modprobe.d/raspi-blacklist.conf"
292 install_readonly files/modules/raspi-blacklist.conf "${ETC_DIR}/modprobe.d/raspi-blacklist.conf"
291
293
292 # Install sysctl.d configuration files
294 # Install sysctl.d configuration files
293 install_readonly files/sysctl.d/81-rpi-vm.conf "${ETC_DIR}/sysctl.d/81-rpi-vm.conf"
295 install_readonly files/sysctl.d/81-rpi-vm.conf "${ETC_DIR}/sysctl.d/81-rpi-vm.conf"
@@ -1,146 +1,132
1 #
1 #
2 # Setup Networking
2 # Setup Networking
3 #
3 #
4
4
5 # Load utility functions
5 # Load utility functions
6 . ./functions.sh
6 . ./functions.sh
7
7
8 # Install and setup hostname
8 # Install and setup hostname
9 install_readonly files/network/hostname "${ETC_DIR}/hostname"
9 install_readonly files/network/hostname "${ETC_DIR}/hostname"
10 sed -i "s/^RaspberryPI/${HOSTNAME}/" "${ETC_DIR}/hostname"
10 sed -i "s/^RaspberryPI/${HOSTNAME}/" "${ETC_DIR}/hostname"
11
11
12 # Install and setup hosts
12 # Install and setup hosts
13 install_readonly files/network/hosts "${ETC_DIR}/hosts"
13 install_readonly files/network/hosts "${ETC_DIR}/hosts"
14 sed -i "s/RaspberryPI/${HOSTNAME}/" "${ETC_DIR}/hosts"
14 sed -i "s/RaspberryPI/${HOSTNAME}/" "${ETC_DIR}/hosts"
15
15
16 # Setup hostname entry with static IP
16 # Setup hostname entry with static IP
17 if [ "$NET_ADDRESS" != "" ] ; then
17 if [ "$NET_ADDRESS" != "" ] ; then
18 NET_IP=$(echo "${NET_ADDRESS}" | cut -f 1 -d'/')
18 NET_IP=$(echo "${NET_ADDRESS}" | cut -f 1 -d'/')
19 sed -i "s/^127.0.1.1/${NET_IP}/" "${ETC_DIR}/hosts"
19 sed -i "s/^127.0.1.1/${NET_IP}/" "${ETC_DIR}/hosts"
20 fi
20 fi
21
21
22 # Remove IPv6 hosts
22 # Remove IPv6 hosts
23 if [ "$ENABLE_IPV6" = false ] ; then
23 if [ "$ENABLE_IPV6" = false ] ; then
24 sed -i -e "/::[1-9]/d" -e "/^$/d" "${ETC_DIR}/hosts"
24 sed -i -e "/::[1-9]/d" -e "/^$/d" "${ETC_DIR}/hosts"
25 fi
25 fi
26
26
27 # Install hint about network configuration
27 # Install hint about network configuration
28 install_readonly files/network/interfaces "${ETC_DIR}/network/interfaces"
28 install_readonly files/network/interfaces "${ETC_DIR}/network/interfaces"
29
29
30 # Install configuration for interface eth0
30 # Install configuration for interface eth0
31 install_readonly files/network/eth.network "${ETC_DIR}/systemd/network/eth.network"
31 install_readonly files/network/eth.network "${ETC_DIR}/systemd/network/eth.network"
32
32
33 # Install configuration for interface wl*
33 # Install configuration for interface wl*
34 install_readonly files/network/wlan.network "${ETC_DIR}/systemd/network/wlan.network"
34 install_readonly files/network/wlan.network "${ETC_DIR}/systemd/network/wlan.network"
35
35
36 #always with dhcp since wpa_supplicant integration is missing
36 #always with dhcp since wpa_supplicant integration is missing
37 sed -i -e "s/DHCP=.*/DHCP=yes/" -e "/DHCP/q" "${ETC_DIR}/systemd/network/wlan.network"
37 sed -i -e "s/DHCP=.*/DHCP=yes/" -e "/DHCP/q" "${ETC_DIR}/systemd/network/wlan.network"
38
38
39 if [ "$ENABLE_DHCP" = true ] ; then
39 if [ "$ENABLE_DHCP" = true ] ; then
40 # Enable DHCP configuration for interface eth0
40 # Enable DHCP configuration for interface eth0
41 sed -i -e "s/DHCP=.*/DHCP=yes/" -e "/DHCP/q" "${ETC_DIR}/systemd/network/eth.network"
41 sed -i -e "s/DHCP=.*/DHCP=yes/" -e "/DHCP/q" "${ETC_DIR}/systemd/network/eth.network"
42
42
43 # Set DHCP configuration to IPv4 only
43 # Set DHCP configuration to IPv4 only
44 if [ "$ENABLE_IPV6" = false ] ; then
44 if [ "$ENABLE_IPV6" = false ] ; then
45 sed -i "s/DHCP=.*/DHCP=v4/" "${ETC_DIR}/systemd/network/eth.network"
45 sed -i "s/DHCP=.*/DHCP=v4/" "${ETC_DIR}/systemd/network/eth.network"
46 fi
46 fi
47
47
48 else # ENABLE_DHCP=false
48 else # ENABLE_DHCP=false
49 # Set static network configuration for interface eth0
49 # Set static network configuration for interface eth0
50 sed -i\
50 sed -i\
51 -e "s|DHCP=.*|DHCP=no|"\
51 -e "s|DHCP=.*|DHCP=no|"\
52 -e "s|Address=\$|Address=${NET_ADDRESS}|"\
52 -e "s|Address=\$|Address=${NET_ADDRESS}|"\
53 -e "s|Gateway=\$|Gateway=${NET_GATEWAY}|"\
53 -e "s|Gateway=\$|Gateway=${NET_GATEWAY}|"\
54 -e "0,/DNS=\$/ s|DNS=\$|DNS=${NET_DNS_1}|"\
54 -e "0,/DNS=\$/ s|DNS=\$|DNS=${NET_DNS_1}|"\
55 -e "0,/DNS=\$/ s|DNS=\$|DNS=${NET_DNS_2}|"\
55 -e "0,/DNS=\$/ s|DNS=\$|DNS=${NET_DNS_2}|"\
56 -e "s|Domains=\$|Domains=${NET_DNS_DOMAINS}|"\
56 -e "s|Domains=\$|Domains=${NET_DNS_DOMAINS}|"\
57 -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_1}|"\
57 -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_1}|"\
58 -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_2}|"\
58 -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_2}|"\
59 "${ETC_DIR}/systemd/network/eth.network"
59 "${ETC_DIR}/systemd/network/eth.network"
60
61 if [ "$CRYPTFS_DROPBEAR" = true ] ; then
62 # Get cdir from NET_ADDRESS e.g. 24
63 cdir=$(${NET_ADDRESS} | cut -d '/' -f2)
64
65 # Convert cdir ro netmask e.g. 24 to 255.255.255.0
66 NET_MASK=$(cdr2mask "$cdir")
67
68 # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf
69 sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf
70
71 # Regenerate initramfs
72 chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}"
73 fi
74 fi
60 fi
75
61
76 # Remove empty settings from network configuration
62 # Remove empty settings from network configuration
77 sed -i "/.*=\$/d" "${ETC_DIR}/systemd/network/eth.network"
63 sed -i "/.*=\$/d" "${ETC_DIR}/systemd/network/eth.network"
78 # Remove empty settings from wlan configuration
64 # Remove empty settings from wlan configuration
79 sed -i "/.*=\$/d" "${ETC_DIR}/systemd/network/wlan.network"
65 sed -i "/.*=\$/d" "${ETC_DIR}/systemd/network/wlan.network"
80
66
81 # Move systemd network configuration if required by Debian release
67 # Move systemd network configuration if required by Debian release
82 mv -v "${ETC_DIR}/systemd/network/eth.network" "${LIB_DIR}/systemd/network/10-eth.network"
68 mv -v "${ETC_DIR}/systemd/network/eth.network" "${LIB_DIR}/systemd/network/10-eth.network"
83 # If WLAN is enabled copy wlan configuration too
69 # If WLAN is enabled copy wlan configuration too
84 if [ "$ENABLE_WIRELESS" = true ] ; then
70 if [ "$ENABLE_WIRELESS" = true ] ; then
85 mv -v "${ETC_DIR}/systemd/network/wlan.network" "${LIB_DIR}/systemd/network/11-wlan.network"
71 mv -v "${ETC_DIR}/systemd/network/wlan.network" "${LIB_DIR}/systemd/network/11-wlan.network"
86 fi
72 fi
87 rm -fr "${ETC_DIR}/systemd/network"
73 rm -fr "${ETC_DIR}/systemd/network"
88
74
89 # Enable systemd-networkd service
75 # Enable systemd-networkd service
90 chroot_exec systemctl enable systemd-networkd
76 chroot_exec systemctl enable systemd-networkd
91
77
92 # Install host.conf resolver configuration
78 # Install host.conf resolver configuration
93 install_readonly files/network/host.conf "${ETC_DIR}/host.conf"
79 install_readonly files/network/host.conf "${ETC_DIR}/host.conf"
94
80
95 # Enable network stack hardening
81 # Enable network stack hardening
96 if [ "$ENABLE_HARDNET" = true ] ; then
82 if [ "$ENABLE_HARDNET" = true ] ; then
97 # Install sysctl.d configuration files
83 # Install sysctl.d configuration files
98 install_readonly files/sysctl.d/82-rpi-net-hardening.conf "${ETC_DIR}/sysctl.d/82-rpi-net-hardening.conf"
84 install_readonly files/sysctl.d/82-rpi-net-hardening.conf "${ETC_DIR}/sysctl.d/82-rpi-net-hardening.conf"
99
85
100 # Setup resolver warnings about spoofed addresses
86 # Setup resolver warnings about spoofed addresses
101 sed -i "s/^# spoof warn/spoof warn/" "${ETC_DIR}/host.conf"
87 sed -i "s/^# spoof warn/spoof warn/" "${ETC_DIR}/host.conf"
102 fi
88 fi
103
89
104 # Enable time sync
90 # Enable time sync
105 if [ "$NET_NTP_1" != "" ] ; then
91 if [ "$NET_NTP_1" != "" ] ; then
106 chroot_exec systemctl enable systemd-timesyncd.service
92 chroot_exec systemctl enable systemd-timesyncd.service
107 fi
93 fi
108
94
109 # Download the firmware binary blob required to use the RPi3 wireless interface
95 # Download the firmware binary blob required to use the RPi3 wireless interface
110 if [ "$ENABLE_WIRELESS" = true ] ; then
96 if [ "$ENABLE_WIRELESS" = true ] ; then
111 if [ ! -d "${WLAN_FIRMWARE_DIR}" ] ; then
97 if [ ! -d "${WLAN_FIRMWARE_DIR}" ] ; then
112 mkdir -p "${WLAN_FIRMWARE_DIR}"
98 mkdir -p "${WLAN_FIRMWARE_DIR}"
113 fi
99 fi
114
100
115 # Create temporary directory for firmware binary blob
101 # Create temporary directory for firmware binary blob
116 temp_dir=$(as_nobody mktemp -d)
102 temp_dir=$(as_nobody mktemp -d)
117
103
118 # Fetch firmware binary blob for RPI3B+
104 # Fetch firmware binary blob for RPI3B+
119 if [ "$RPI_MODEL" = 3P ] ; then
105 if [ "$RPI_MODEL" = 3P ] ; then
120 # Fetch firmware binary blob for RPi3P
106 # Fetch firmware binary blob for RPi3P
121 as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.bin"
107 as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.bin"
122 as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.txt"
108 as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.txt"
123 as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.clm_blob" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.clm_blob"
109 as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.clm_blob" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.clm_blob"
124
110
125 # Move downloaded firmware binary blob
111 # Move downloaded firmware binary blob
126 mv "${temp_dir}/brcmfmac43455-sdio."* "${WLAN_FIRMWARE_DIR}/"
112 mv "${temp_dir}/brcmfmac43455-sdio."* "${WLAN_FIRMWARE_DIR}/"
127
113
128 # Set permissions of the firmware binary blob
114 # Set permissions of the firmware binary blob
129 chown root:root "${WLAN_FIRMWARE_DIR}/brcmfmac43455-sdio."*
115 chown root:root "${WLAN_FIRMWARE_DIR}/brcmfmac43455-sdio."*
130 chmod 600 "${WLAN_FIRMWARE_DIR}/brcmfmac43455-sdio."*
116 chmod 600 "${WLAN_FIRMWARE_DIR}/brcmfmac43455-sdio."*
131 elif [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 0 ] ; then
117 elif [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 0 ] ; then
132 # Fetch firmware binary blob for RPi3
118 # Fetch firmware binary blob for RPi3
133 as_nobody wget -q -O "${temp_dir}/brcmfmac43430-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.bin"
119 as_nobody wget -q -O "${temp_dir}/brcmfmac43430-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.bin"
134 as_nobody wget -q -O "${temp_dir}/brcmfmac43430-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.txt"
120 as_nobody wget -q -O "${temp_dir}/brcmfmac43430-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43430-sdio.txt"
135
121
136 # Move downloaded firmware binary blob
122 # Move downloaded firmware binary blob
137 mv "${temp_dir}/brcmfmac43430-sdio."* "${WLAN_FIRMWARE_DIR}/"
123 mv "${temp_dir}/brcmfmac43430-sdio."* "${WLAN_FIRMWARE_DIR}/"
138
124
139 # Set permissions of the firmware binary blob
125 # Set permissions of the firmware binary blob
140 chown root:root "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio."*
126 chown root:root "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio."*
141 chmod 600 "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio."*
127 chmod 600 "${WLAN_FIRMWARE_DIR}/brcmfmac43430-sdio."*
142 fi
128 fi
143
129
144 # Remove temporary directory for firmware binary blob
130 # Remove temporary directory for firmware binary blob
145 rm -fr "${temp_dir}"
131 rm -fr "${temp_dir}"
146 fi
132 fi
@@ -1,54 +1,54
1 #
1 #
2 # Setup Firewall
2 # Setup Firewall
3 #
3 #
4
4
5 # Load utility functions
5 # Load utility functions
6 . ./functions.sh
6 . ./functions.sh
7
7
8 if [ "$ENABLE_IPTABLES" = true ] ; then
8 if [ "$ENABLE_IPTABLES" = true ] ; then
9 # Create iptables configuration directory
9 # Create iptables configuration directory
10 mkdir -p "${ETC_DIR}/iptables"
10 mkdir -p "${ETC_DIR}/iptables"
11
11
12 if [ "$KERNEL_NF" = false ] ; then
12 if [ "$KERNEL_NF" = false ] ; then
13 #iptables-save and -restore are slaves of iptables and thus are set accordingly
13 # iptables-save and -restore are slaves of iptables and thus are set accordingly
14 chroot_exec update-alternatives --verbose --set iptables /usr/sbin/iptables-legacy
14 chroot_exec update-alternatives --verbose --set iptables /usr/sbin/iptables-legacy
15 fi
15 fi
16
16
17 # Install iptables systemd service
17 # Install iptables systemd service
18 install_readonly files/iptables/iptables.service "${ETC_DIR}/systemd/system/iptables.service"
18 install_readonly files/iptables/iptables.service "${ETC_DIR}/systemd/system/iptables.service"
19
19
20 # Install flush-table script called by iptables service
20 # Install flush-table script called by iptables service
21 install_exec files/iptables/flush-iptables.sh "${ETC_DIR}/iptables/flush-iptables.sh"
21 install_exec files/iptables/flush-iptables.sh "${ETC_DIR}/iptables/flush-iptables.sh"
22
22
23 # Install iptables rule file
23 # Install iptables rule file
24 install_readonly files/iptables/iptables.rules "${ETC_DIR}/iptables/iptables.rules"
24 install_readonly files/iptables/iptables.rules "${ETC_DIR}/iptables/iptables.rules"
25
25
26 # Reload systemd configuration and enable iptables service
26 # Reload systemd configuration and enable iptables service
27 chroot_exec systemctl daemon-reload
27 chroot_exec systemctl daemon-reload
28 chroot_exec systemctl enable iptables.service
28 chroot_exec systemctl enable iptables.service
29
29
30 if [ "$ENABLE_IPV6" = true ] ; then
30 if [ "$ENABLE_IPV6" = true ] ; then
31 if [ "$KERNEL_NF" = false ] ; then
31 if [ "$KERNEL_NF" = false ] ; then
32 #iptables-save and -restore are slaves of iptables and thus are set accordingly
32 # iptables-save and -restore are slaves of iptables and thus are set accordingly
33 chroot_exec update-alternatives --verbose --set ip6tables /usr/sbin/ip6tables-legacy
33 chroot_exec update-alternatives --verbose --set ip6tables /usr/sbin/ip6tables-legacy
34 fi
34 fi
35
35
36 # Install ip6tables systemd service
36 # Install ip6tables systemd service
37 install_readonly files/iptables/ip6tables.service "${ETC_DIR}/systemd/system/ip6tables.service"
37 install_readonly files/iptables/ip6tables.service "${ETC_DIR}/systemd/system/ip6tables.service"
38
38
39 # Install ip6tables file
39 # Install ip6tables file
40 install_exec files/iptables/flush-ip6tables.sh "${ETC_DIR}/iptables/flush-ip6tables.sh"
40 install_exec files/iptables/flush-ip6tables.sh "${ETC_DIR}/iptables/flush-ip6tables.sh"
41
41
42 install_readonly files/iptables/ip6tables.rules "${ETC_DIR}/iptables/ip6tables.rules"
42 install_readonly files/iptables/ip6tables.rules "${ETC_DIR}/iptables/ip6tables.rules"
43
43
44 # Reload systemd configuration and enable iptables service
44 # Reload systemd configuration and enable iptables service
45 chroot_exec systemctl daemon-reload
45 chroot_exec systemctl daemon-reload
46 chroot_exec systemctl enable ip6tables.service
46 chroot_exec systemctl enable ip6tables.service
47 fi
47 fi
48
48
49 if [ "$ENABLE_SSHD" = false ] ; then
49 if [ "$ENABLE_SSHD" = false ] ; then
50 # Remove SSHD related iptables rules
50 # Remove SSHD related iptables rules
51 sed -i "/^#/! {/SSH/ s/^/# /}" "${ETC_DIR}/iptables/iptables.rules" 2> /dev/null
51 sed -i "/^#/! {/SSH/ s/^/# /}" "${ETC_DIR}/iptables/iptables.rules" 2> /dev/null
52 sed -i "/^#/! {/SSH/ s/^/# /}" "${ETC_DIR}/iptables/ip6tables.rules" 2> /dev/null
52 sed -i "/^#/! {/SSH/ s/^/# /}" "${ETC_DIR}/iptables/ip6tables.rules" 2> /dev/null
53 fi
53 fi
54 fi
54 fi
General Comments 0
Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant