From 195a70e752d986bef6b9c7f8049dcb7bfd9b4d0b Mon Sep 17 00:00:00 2001
From: Alexandre CATTEAU
Date: Mon, 15 Nov 2021 17:58:52 +0100
Subject: [PATCH] Remove TLS for FTP, and add encrypted disk config
---
 setup.sh | 20 ++++++++++++++------
 srv-nas.mount | 10 ++++++++++
 2 files changed, 24 insertions(+), 6 deletions(-)
 create mode 100644 srv-nas.mount
diff --git a/setup.sh b/setup.sh
index d9384d5..a27f7c6 100644
--- a/setup.sh
+++ b/setup.sh
@@ -11,7 +11,7 @@
 # Functions
 init() {
 echo "Starting initialization"
- echo $hostname > /etc/hostname
+ echo $fqdn > /etc/hostname
 sed -i -e "s/$default_hostname/$fqdn $hostname/g" /etc/hosts
 localectl set-keymap $keymap
 timedatectl set-timezone $timezone
@@ -23,12 +23,12 @@ install_packages() {
 sed -i -e "s/$deb_apt_default_repo/$deb_apt_repo/g" /etc/apt/sources.list
 apt update
 apt upgrade -y
- apt install -y vim tree tmux neofetch vsftpd cryptsetup
+ apt install -y vim tree tmux neofetch vsftpd cryptsetup clevis clevis-luks
 }
 add_users() {
 echo "Adding users"
- useradd -N -g users -G sudo -m -s /bin/bash $user
+ useradd -N -g users -G sudo -m -s /bin/bash $user # still not sure why users group and not -U...
 chmod 700 /home/$user
 }
@@ -36,7 +36,9 @@ get_conf() {
 echo "Getting configuration"
 sudo -H -u $user mkdir $sync_directory_path
 cp $run_directory_path/conf-sync.sh $sync_directory_path/
- chown $user:users $sync_directory_path/conf-sync.sh
+ chown $user:users $sync_directory_path/conf-sync.sh # group
+ cp $run_directory_path/nas.mount $sync_directory_path/
+ chown $user:users $sync_directory_path/nas.mount # group
 sudo -H -u $user chmod u+x $sync_directory_path/conf-sync.sh
 sudo -H -u $user $sync_directory_path/conf-sync.sh
 }
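Review bot: `echo $fqdn > /etc/hostname` writes an empty file when `fqdn` is unset and word-splits the value otherwise, and nothing in the hunk checks it before the write; assert it first with `: "${fqdn:?fqdn must be set}"` and write it with `printf '%s\n' "$fqdn" > /etc/hostname`. The `sed` line below it has the same unquoted `$fqdn` and `$hostname` expansions, this time interpolated into a sed pattern, so a value containing `/` would break the substitution. The body of init continues past the end of the hunk.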
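Review bot: The trailing comment added to the `useradd` line records an open question rather than a decision, and it pushes the line well past 100 columns. Either settle it (the `-g users` plus `chmod 700 /home/$user` pairing is a deliberate choice worth a one-line reason) or move it to its own line above the command as a findable marker, e.g. `# TODO(<owner>): confirm -g users vs -U (per-user private group)`. The clevis package additions in install_packages look fine.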
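Review bot: `cp $run_directory_path/nas.mount $sync_directory_path/` refers to a file this commit does not add; the new unit is `srv-nas.mount`, so on a fresh checkout this copy (and the `chown` after it) fails unless something outside the diff renames the file. systemd also derives a mount unit's name from its `Where=` path (`/srv/nas` → `srv-nas.mount`), so keep the repository name end to end: `cp $run_directory_path/srv-nas.mount $sync_directory_path/` and `chown $user:users $sync_directory_path/srv-nas.mount`. The two `# group` comments add nothing the `$user:users` argument does not already say. How conf-sync.sh installs the unit is not visible here.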
@@ -70,10 +72,14 @@ ssh_pubkey() {
 set_vsftpd() {
 echo "Setting vsftpd config"
+ mkdir $nas_root
+ chown $user:users $nas_root
+ echo "nascrypt /dev/sda none noauto" >> /etc/crypttab
 sed -i -e "s/#write_enable=YES/write_enable=YES/g" /etc/vsftpd.conf
 sed -i -e "s/#utf8_filesystem=YES/utf8_filesystem=YES/g" /etc/vsftpd.conf
- sed -i -e "s/ssl_enable=NO/ssl_enable=YES/g" /etc/vsftpd.conf
- openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem -subj "/C=/ST=/L=/O=/OU=/CN="
+ # The two lines below set up TLS wrapping with a self-signed certificate, which causes issues with clients
+ #sed -i -e "s/ssl_enable=NO/ssl_enable=YES/g" /etc/vsftpd.conf
+ #openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem -subj "/C=/ST=/L=/O=/OU=/CN="
 }
 # Only run if the user is root
@@ -97,6 +103,7 @@ sync_directory_path="/home/$user/.sync"
 systemd_units_path='/etc/systemd/system'
 remote_pubkey_location='https://keys.kto.black'
 remote_pubkey='home.pub'
+nas_root='/srv/nas'
 # Main process
 # You should comment below what you do not want to happen
@@ -122,5 +129,6 @@ echo "* remove password for sudo" # TODO we should automate that, with a flag
 echo "* use below commands to edit SSH config:"
 echo " sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config"
 echo " sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config"
+echo "* register an encrypted volume to a tang server"
 exit 0
diff --git a/srv-nas.mount b/srv-nas.mount
new file mode 100644
index 0000000..3662bef
--- /dev/null
+++ b/srv-nas.mount
@@ -0,0 +1,10 @@
+[Unit]
+Description=Mount NAS Volume
+# Below Requisite could be a Wants
+Wants=systemd-cryptsetup@nascrypt.service
+After=systemd-cryptsetup@nascrypt.service
+
+[Mount]
+What=/dev/mapper/nascrypt
+Where=/srv/nas
+Options=rw,relatime
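Review bot: Commenting out the `ssl_enable=YES` substitution leaves vsftpd accepting the `$user` login and every transfer in cleartext, so the account password this script creates now crosses the network unprotected. If the client trouble came from the self-signed certificate's empty subject (`-subj "/C=/ST=/L=/O=/OU=/CN="`), issuing it with `-subj "/CN=$fqdn"` and keeping `ssl_enable=YES` is the smaller change than dropping TLS, and the rationale comment should say which client failed and how. Separately, `echo "nascrypt /dev/sda none noauto" >> /etc/crypttab` hard-codes a kernel-enumerated device name that can change between boots and appends a duplicate entry on every re-run; reference the LUKS volume by UUID and make the append idempotent, e.g. `grep -q '^nascrypt ' /etc/crypttab || echo "nascrypt UUID=<nas-luks-uuid> none noauto" >> /etc/crypttab` (placeholder to be filled in). The `mkdir`/`chown`/crypttab lines also have nothing to do with vsftpd, so a separate `set_nas()` would keep the function's name honest.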
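Review bot: The new reminder line says what to do but not how, whereas the SSH reminders just above it spell out the exact commands; since the script now installs clevis-luks, give the command the operator should run, e.g. `echo "  clevis luks bind -d /dev/<nas-device> tang '{\"url\":\"<tang-url>\"}'"` with the placeholders to be replaced. It would also help to say that the device must be the one named in the `nascrypt` line of /etc/crypttab written by set_vsftpd, since the two are only connected by the hard-coded `/dev/sda` there.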
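Review bot: The comment `# Below Requisite could be a Wants` no longer matches the line under it, which already is `Wants=`; replace it with the reason for the choice, e.g. `# Wants= rather than Requires=/Requisite= so a failed unlock does not fail units that depend on this mount`. The unit has no `[Install]` section, so `systemctl enable` has nothing to act on and the mount only happens when something else starts it or pulls it in; if the intent is to mount at boot, add `[Install]` with `WantedBy=multi-user.target` — whether conf-sync.sh handles that is not visible here. The `/srv/nas` path is also duplicated between `Where=` here and `nas_root` in setup.sh, and the unit filename must stay `srv-nas.mount` to match it.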