From 0d282ae300dd487cc0ded4693870efe5b8032996 Mon Sep 17 00:00:00 2001 From: Vinicius Zavam Date: Fri, 3 Mar 2017 22:34:32 +0100 Subject: [PATCH] Do you even Slav Squat, bro? --- bootstrap.sh | 33 +++++ etc/defaults/rc.conf_patch | 21 ++++ etc/rc.conf | 4 + etc/rc.d/digitalocean | 240 +++++++++++++++++++++++++++++++++++++ etc/ssh/banner | 7 ++ etc/ssh/sshd_config | 17 +++ 6 files changed, 322 insertions(+) create mode 100644 bootstrap.sh create mode 100644 etc/defaults/rc.conf_patch create mode 100644 etc/rc.conf create mode 100644 etc/rc.d/digitalocean create mode 100644 etc/ssh/banner create mode 100644 etc/ssh/sshd_config diff --git a/bootstrap.sh b/bootstrap.sh new file mode 100644 index 0000000..c3de73b --- /dev/null +++ b/bootstrap.sh @@ -0,0 +1,33 @@ +#!/bin/sh + +GREP="/usr/bin/grep -q -i -l" + +rm -rf /etc/ssh/ssh_host_* +rm -rf /usr/local/etc/rc.d/digitalocean* +rm -rf /usr/src +sync + +install -v -o root -g wheel -m 0644 etc/rc.conf /etc/rc.conf +install -v -o root -g wheel -m 0555 etc/rc.d/digitalocean /etc/rc.d/digitalocean +install -v -o root -g wheel -m 0644 etc/ssh/banner /etc/ssh/banner +install -v -o root -g wheel -m 0644 etc/ssh/sshd_config /etc/ssh/sshd_config + +pkg delete -y -a -f +env ASSUME_ALWAYS_YES=yes env PAGER=cat freebsd-update fetch install +env ASSUME_ALWAYS_YES=yes pkg bootstrap +pkg install -y sudo +pkg clean -y -a + +if ((${GREP} zfs /boot/loader.conf*) && (${GREP} zroot /boot/loader.conf*)); then + sysrc zfs_enable="YES" + zfs destroy -vr zroot/usr/src +fi + +if ((freebsd-version | ${GREP} 10.3)); then + patch -p0 /etc/defaults/rc.conf < etc/defaults/rc.conf_patch +fi + +service sshd keygen +service digitalocean info + +reboot diff --git a/etc/defaults/rc.conf_patch b/etc/defaults/rc.conf_patch new file mode 100644 index 0000000..fccc1e8 --- /dev/null +++ b/etc/defaults/rc.conf_patch @@ -0,0 +1,21 @@ +--- /etc/defaults/rc.conf 2016-03-25 02:11:14.000000000 +0000 ++++ etc/defaults/rc.conf 2017-03-03 16:52:52.379856000 +0000 +@@ -722,5 +722,18 @@ + ;; + esac + done ++ # base/release/11.0.1/etc/defaults/rc.conf?revision=306421 ++ for i in ${rc_conf_files}; do ++ case ${sourced_files} in ++ *:$i:*) ++ ;; ++ *) ++ sourced_files="${sourced_files}:$i:" ++ if [ -r $i ]; then ++ . $i ++ fi ++ ;; ++ esac ++ done + } + fi diff --git a/etc/rc.conf b/etc/rc.conf new file mode 100644 index 0000000..ac5b1f6 --- /dev/null +++ b/etc/rc.conf @@ -0,0 +1,4 @@ +digitalocean_enable="YES" +hostname="digitalocean-freebsd" +rc_conf_files="/etc/rc.conf /etc/rc.conf.local /etc/rc.conf.digitalocean" +sshd_enable="YES" diff --git a/etc/rc.d/digitalocean b/etc/rc.d/digitalocean new file mode 100644 index 0000000..9a75997 --- /dev/null +++ b/etc/rc.d/digitalocean @@ -0,0 +1,240 @@ +#!/bin/sh + +# PROVIDE: digitalocean +# REQUIRE: var +# BEFORE: hostname netif routing + +. /etc/rc.subr + +name="digitalocean" +rcvar="${name}_enable" +info_cmd="${name}_info" +start_cmd="${name}_start" +stop_cmd=":" +extra_commands="info" + +: ${digitalocean_enable="YES"} +: ${digitalocean_config="/etc/rc.conf.digitalocean"} +: ${digitalocean_api="http://169.254.169.254/metadata/v1"} +: ${digitalocean_user="freebsd"} +: ${digitalocean_keys=".ssh/authorized_keys_digitalocean"} +: ${digitalocean_nameservers="YES"} +: ${digitalocean_uuid="NO"} +: ${digitalocean_verbose="NO"} + +fetch="/usr/bin/fetch -q -o - ${digitalocean_api}" +grep="/usr/bin/grep -q -i -l" +jot="/usr/bin/jot -r 1 11 222" +sysrc="/usr/sbin/sysrc -q -f" +tr="/usr/bin/tr '[:upper:]' '[:lower:]'" +if0="vtnet0" +if1="vtnet1" +j0=$(${jot}) +j1=$(${jot}) + +digitalocean_bootstrap() +{ + echo "DigitalOcean: Bootstraping." + + # ${sysrc} /etc/rc.conf digitalocean_enable=YES + # ${sysrc} /etc/rc.conf rc_conf_files+=${digitalocean_config} + + if ( (${grep} zfs /boot/loader.conf* /etc/rc.conf*) && (${grep} zroot /boot/loader.conf*) ); then + echo " - Recovering/Resizing Disk..." + gpart recover vtbd0 + gpart resize -i 3 vtbd0 + echo " - Expanding ZFS Pool..." + zpool online -e zroot gpt/disk0 + fi + + # cp /usr/local/etc/cloud/cloud.cfg.d/99-digitalocean.cfg /usr/local/etc/cloud/cloud.cfg + # if [ ! -e /var/lib/cloud/seed/config_drive ]; then + # mkdir -p /var/lib/cloud/seed/config_drive + # ln -sfF /var/lib/cloud/seed /var/lib/cloud/seeds + # else + # mount_cd9660 -o ro -v /dev/vtbd1 /var/lib/cloud/seed/config_drive + # fi + + touch ${digitalocean_config} +} + +digitalocean_info() +{ + $(ifconfig ${if0} inet 169.254.${j0}.${j1} netmask 255.255.0.0 alias) + + DROPLET_ID=$(${fetch}/id) + DROPLET_REGION=$(${fetch}/region) + DROPLET_HOSTNAME=$(${fetch}/hostname) + if (checkyesno digitalocean_uuid); then + DROPLET_UUID=$(dmidecode --string system-uuid | ${tr}) + fi + DROPLET_NAMESERVERS=$(${fetch}/dns/nameservers) + DROPLET_FLOATINGIP_STATUS=$(${fetch}/floating_ip/ipv4/active) + DROPLET_PUBLIC_IP4_ADDR=$(${fetch}/interfaces/public/0/ipv4/address) + DROPLET_PUBLIC_IP4_MASK=$(${fetch}/interfaces/public/0/ipv4/netmask) + DROPLET_PUBLIC_IP4_GATE=$(${fetch}/interfaces/public/0/ipv4/gateway) + DROPLET_PUBLIC_ANCHOR_IP4_ADDR=$(${fetch}/interfaces/public/0/anchor_ipv4/address) + DROPLET_PUBLIC_ANCHOR_IP4_MASK=$(${fetch}/interfaces/public/0/anchor_ipv4/netmask) + + echo "======================================================================" + echo -e "Droplet's ID\t\t" ${DROPLET_ID} + echo -e "Droplet's Region\t" ${DROPLET_REGION} + if (checkyesno digitalocean_uuid); then + echo -e "Droplet's UUID\t\t" ${DROPLET_UUID} + fi + echo -e "Droplet's Hostname\t" ${DROPLET_HOSTNAME} + echo -e "Droplet's SSH User\t" ${digitalocean_user} + echo -e "Droplet's Nameservers" + case ${digitalocean_nameservers} in + [Nn][Oo][Nn][Ee]|2) + echo " NONE" + ;; + [Yy][Ee][Ss]|1) + for NS in ${DROPLET_NAMESERVERS}; + do + echo -e " nameserver\t\t ${NS}" + done + ;; + [Nn][Oo]|0) + echo " " + ;; + *) + warn "digitalocean_nameservers is not set properly. Please check it." + return 1 + ;; + esac + + echo "Droplet's Floating IP" + if ${DROPLET_FLOATINGIP_STATUS}; then + echo " $(${fetch}/floating_ip/ipv4/ip_address)" + else + echo " DEACTIVATED" + fi + echo "----------------------------------------------------------------------" + echo "Droplet's Interfaces" + echo " Public (${if0})" + echo " inet" ${DROPLET_PUBLIC_IP4_ADDR} "netmask" ${DROPLET_PUBLIC_IP4_MASK} + echo " inet" ${DROPLET_PUBLIC_ANCHOR_IP4_ADDR} "netmask" ${DROPLET_PUBLIC_ANCHOR_IP4_MASK} alias + if [ ! -z $(${fetch}/interfaces/public/0/ipv6/address) ]; then + DROPLET_PUBLIC_IP6_ADDR=$(${fetch}/interfaces/public/0/ipv6/address | ${tr}) + DROPLET_PUBLIC_IP6_PREFIX=$(${fetch}/interfaces/public/0/ipv6/cidr) + echo " inet6" ${DROPLET_PUBLIC_IP6_ADDR} "prefixlen" ${DROPLET_PUBLIC_IP6_PREFIX} + fi + echo " Private (${if1})" + if [ ! -z $(${fetch}/interfaces/private/0/ipv4/address) ]; then + DROPLET_PRIVATE_IP4_ADDR=$(${fetch}/interfaces/private/0/ipv4/address) + DROPLET_PRIVATE_IP4_MASK=$(${fetch}/interfaces/private/0/ipv4/netmask) + echo " inet" ${DROPLET_PRIVATE_IP4_ADDR} "netmask" ${DROPLET_PRIVATE_IP4_MASK} + fi + echo "----------------------------------------------------------------------" + echo "Droplet's Gateways" + echo " IPv4 ${DROPLET_PUBLIC_IP4_GATE}" + if [ ! -z ${DROPLET_PUBLIC_IP6_ADDR} ]; then + DROPLET_PUBLIC_IP6_GATE=$(${fetch}/interfaces/public/0/ipv6/gateway | ${tr}) + echo " IPv6 ${DROPLET_PUBLIC_IP6_GATE}" + fi + echo "======================================================================" + + $(ifconfig ${if0} inet 169.254.${j0}.${j1} netmask 255.255.0.0 -alias) +} + +digitalocean_networking() +{ + service hostname restart + service netif restart + service routing restart +} + +digitalocean_start() +{ + digitalocean_bootstrap + + check_startmsgs && echo "DigitalOcean: Starting." + + if (checkyesno digitalocean_verbose); then + digitalocean_info + fi + + $(ifconfig ${if0} inet 169.254.${j0}.${j1} netmask 255.255.0.0 alias) + + DROPLET_ID=$(${fetch}/id) + DROPLET_HOSTNAME=$(${fetch}/hostname) + DROPLET_NAMESERVERS=$(${fetch}/dns/nameservers) + DROPLET_PUBLIC_IP4_ADDR=$(${fetch}/interfaces/public/0/ipv4/address) + DROPLET_PUBLIC_IP4_MASK=$(${fetch}/interfaces/public/0/ipv4/netmask) + DROPLET_PUBLIC_IP4_GATE=$(${fetch}/interfaces/public/0/ipv4/gateway) + DROPLET_PUBLIC_ANCHOR_IP4_ADDR=$(${fetch}/interfaces/public/0/anchor_ipv4/address) + DROPLET_PUBLIC_ANCHOR_IP4_MASK=$(${fetch}/interfaces/public/0/anchor_ipv4/netmask) + + echo ${DROPLET_ID} > /etc/hostid.droplet + + if (checkyesno digitalocean_uuid); then + DROPLET_UUID=$(dmidecode --string system-uuid | ${tr}) + echo ${DROPLET_UUID} > /etc/hostid + fi + + ${sysrc} ${digitalocean_config} hostname="${DROPLET_HOSTNAME}" + + case ${digitalocean_nameservers} in + [Nn][Oo][Nn][Ee]|2) + $(resolvconf -d ${if0}) + if [ ! -e "/etc/resolvconf.conf" ]; then + echo "resolvconf=NO" > /etc/resolvconf.conf + else + sed 's/resolvconf=.*/resolvconf=NO/' /etc/resolvconf.conf + fi + echo "# digitalocean_nameservers=NONE" > /etc/resolv.conf + ;; + [Yy][Ee][Ss]|1) + for NS in $(${fetch}/dns/nameservers); + do + echo -e "nameserver\t\t ${NS}" | resolvconf -a ${if0} + done + echo "# digitalocean_nameservers=YES" >> /etc/resolv.conf + if [ ! -e "/etc/resolvconf.conf" ]; then + echo "resolvconf=YES" > /etc/resolvconf.conf + else + sed 's/resolvconf=.*/resolvconf=YES/' /etc/resolvconf.conf + fi + resolvconf -u + ;; + [Nn][Oo]|0) + return 0 + ;; + *) + warn "digitalocean_nameservers is not set properly. Please check it." + return 1 + ;; + esac + + ${sysrc} ${digitalocean_config} ifconfig_${if0}="inet ${DROPLET_PUBLIC_IP4_ADDR} netmask ${DROPLET_PUBLIC_IP4_MASK}" + ${sysrc} ${digitalocean_config} ifconfig_${if0}_alias0="inet ${DROPLET_PUBLIC_ANCHOR_IP4_ADDR} netmask ${DROPLET_PUBLIC_ANCHOR_IP4_MASK}" + if [ ! -z $(${fetch}/interfaces/public/0/ipv6/address) ]; then + DROPLET_PUBLIC_IP6_ADDR=$(${fetch}/interfaces/public/0/ipv6/address | ${tr}) + DROPLET_PUBLIC_IP6_PREFIX=$(${fetch}/interfaces/public/0/ipv6/cidr) + ${sysrc} ${digitalocean_config} ifconfig_${if0}_ipv6="inet6 ${DROPLET_PUBLIC_IP6_ADDR} prefixlen ${DROPLET_PUBLIC_IP6_PREFIX}" + fi + if [ ! -z $(${fetch}/interfaces/private/0/ipv4/address) ]; then + DROPLET_PRIVATE_IP4_ADDR=$(${fetch}/interfaces/private/0/ipv4/address) + DROPLET_PRIVATE_IP4_MASK=$(${fetch}/interfaces/private/0/ipv4/netmask) + ${sysrc} ${digitalocean_config} ifconfig_${if1}="inet ${DROPLET_PRIVATE_IP4_ADDR} netmask ${DROPLET_PRIVATE_IP4_MASK}" + fi + + ${sysrc} ${digitalocean_config} defaultrouter="${DROPLET_PUBLIC_IP4_GATE}" + if [ ! -z ${DROPLET_PUBLIC_IP6_ADDR} ]; then + DROPLET_PUBLIC_IP6_GATE=$(${fetch}/interfaces/public/0/ipv6/gateway | ${tr}) + ${sysrc} ${digitalocean_config} ipv6_defaultrouter="${DROPLET_PUBLIC_IP6_GATE}" + fi + + $(${fetch}/public-keys > /home/${digitalocean_user}/${digitalocean_keys}) + $(chown ${digitalocean_user} /home/${digitalocean_user}/${digitalocean_keys}) + $(chmod 0400 /home/${digitalocean_user}/${digitalocean_keys}) + + $(ifconfig ${if0} inet 169.254.${j0}.${j1} netmask 255.255.0.0 -alias) + + digitalocean_networking +} + +load_rc_config "$name" +run_rc_command "$1" + diff --git a/etc/ssh/banner b/etc/ssh/banner new file mode 100644 index 0000000..3eb4aff --- /dev/null +++ b/etc/ssh/banner @@ -0,0 +1,7 @@ + ____ _ _ _ _ ___ + | _ \(_) __ _(_) |_ __ _| |/ _ \ ___ ___ __ _ _ __ + | | | | |/ _` | | __/ _` | | | | |/ __/ _ \/ _` | '_ \ + | |_| | | (_| | | || (_| | | |_| | (_| __/ (_| | | | | + |____/|_|\__, |_|\__\__,_|_|\___/ \___\___|\__,_|_| |_| + |___/ + diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config new file mode 100644 index 0000000..d56f2fb --- /dev/null +++ b/etc/ssh/sshd_config @@ -0,0 +1,17 @@ +AllowAgentForwarding no +AllowTcpForwarding no +AllowUsers freebsd +AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys_digitalocean +Banner /etc/ssh/banner +ChallengeResponseAuthentication no + +LoginGraceTime 10 +LogLevel DEBUG +MaxAuthTries 1 +PermitRootLogin no +Protocol 2 +ServerKeyBits 2048 +UseDNS no +UsePAM no +VersionAddendum REFUSED +X11Forwarding no