@egeneralov
Last active October 15, 2019 05:24
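#!/usr/bin/env bash
#
# Unattended Debian installer for a two-disk machine:
#   md0  RAID1 (0.9 metadata)  -> /boot  (ext2)
#   md1  RAID1 (1.2 metadata)  -> LUKS   -> /      (ext4)
#   md2  RAID0 (1.2 metadata)  -> /data  (ext4)
# plus a BIOS boot partition (type ef02) on each disk so grub-pc boots from GPT.
# The root volume can be unlocked remotely through dropbear in the initramfs.
#
# DESTROYS everything on both disks. Run as root from a rescue system.
#
# Environment (all optional except PASSWD):
#   DISK_1, DISK_2    block devices                    (/dev/sda, /dev/sdb)
#   SIZE_BOOT         size of the /boot partition      (128M)
#   SIZE_ROOTFS       size of the root partition       (256G)
#   PASSWD            LUKS passphrase for md1          (required, no default)
#   CNAME             dm-crypt mapping name            (rootfs)
#   DIST              Debian release                   (buster); security.list is
#                     written with the "<dist>/updates" suite name used by buster
#   MIRROR            debootstrap mirror               (http://deb.debian.org/debian)
#   TARGET_HOSTNAME   hostname of the new system; falls back to $HOSTNAME (which
#                     bash itself pre-sets from the rescue host, so the
#                     `hostname -f` fallback after it rarely runs)
#   NAMESERVER        resolver used only while building (8.8.8.8)
#
# The first line of ~/.ssh/authorized_keys becomes root's ssh key in the target
# and the (command-restricted) initramfs unlock key.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Partition node for a disk and partition number:
# /dev/sda -> /dev/sda1, but /dev/nvme0n1 -> /dev/nvme0n1p1.
part() {
  local dev=$1 num=$2
  if [[ $dev == *[0-9] ]]; then
    printf '%s\n' "${dev}p${num}"
  else
    printf '%s\n' "${dev}${num}"
  fi
}

disk_1=${DISK_1:-/dev/sda}
disk_2=${DISK_2:-/dev/sdb}
size_boot=${SIZE_BOOT:-128M}      # was wrongly taken from SIZE_ROOTFS before
size_rootfs=${SIZE_ROOTFS:-256G}
cname=${CNAME:-rootfs}
dist=${DIST:-buster}
mirror=${MIRROR:-http://deb.debian.org/debian}
nameserver=${NAMESERVER:-8.8.8.8}
auth_keys=$HOME/.ssh/authorized_keys

# A default passphrase would leave the root volume effectively unencrypted;
# insist on an explicit one. Checked before the trace is switched on so the
# value is never echoed.
: "${PASSWD:?set PASSWD to the LUKS passphrase}"

[[ -b $disk_1 ]] || die "$disk_1 is not a block device"
[[ -b $disk_2 ]] || die "$disk_2 is not a block device"
[[ $disk_1 != "$disk_2" ]] || die "DISK_1 and DISK_2 must differ"
[[ -r $auth_keys ]] || die "$auth_keys is missing; it seeds root's ssh key"
# First key only, as before. Fail now rather than install a system nobody can log into.
ssh_key=$(head -n 1 -- "$auth_keys")
[[ -n $ssh_key ]] || die "$auth_keys is empty"

set -x   # command trace, as the original shebang had; paused around the passphrase

# --- partitioning -----------------------------------------------------------
mdadm --stop --scan
sgdisk -og "$disk_1"
sgdisk -n "1:2048:+${size_boot}"  -t 1:fd00   "$disk_1"   # /boot  (md0)
sgdisk -n 128:-3M:0               -t 128:ef02 "$disk_1"   # BIOS boot partition for grub-pc on GPT
sgdisk -n "2:0:+${size_rootfs}"   -t 2:fd00   "$disk_1"   # LUKS root (md1)
sgdisk -n 3:0:0                   -t 3:fd00   "$disk_1"   # remainder -> /data (md2)
sgdisk -R "$disk_2" "$disk_1"   # replicate disk_1's table onto disk_2 ...
sgdisk -G "$disk_2"             # ... then give disk_2 its own disk/partition GUIDs
partprobe "$disk_1"
partprobe "$disk_2"
sleep 5   # give udev time to create the new partition nodes

# --- md arrays --------------------------------------------------------------
mdadm --create /dev/md0 --metadata=0.9 --level=1 --assume-clean --raid-devices=2 \
  "$(part "$disk_1" 1)" "$(part "$disk_2" 1)"
mdadm --create /dev/md1 --metadata=1.2 --level=1 --assume-clean --raid-devices=2 \
  "$(part "$disk_1" 2)" "$(part "$disk_2" 2)"
mdadm --create /dev/md2 --metadata=1.2 --level=0 --assume-clean --raid-devices=2 \
  "$(part "$disk_1" 3)" "$(part "$disk_2" 3)"
sleep 2
cat /proc/mdstat

# --- LUKS root --------------------------------------------------------------
# Trace off so the passphrase does not land in stderr/logs; printf '%s' rather
# than echo -n so a passphrase starting with '-' or containing backslashes is
# passed verbatim on stdin.
set +x
printf '%s' "$PASSWD" | cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 luksFormat /dev/md1 -
printf '%s' "$PASSWD" | cryptsetup luksOpen /dev/md1 "$cname" -
set -x

# --- filesystems ------------------------------------------------------------
mkfs.ext4 "/dev/mapper/$cname"
mount "/dev/mapper/$cname" /mnt/
mkdir -p /mnt/boot
mkfs.ext2 -L boot /dev/md0
mount /dev/md0 /mnt/boot
mkfs.ext4 /dev/md2
mkdir -p /mnt/data
mount /dev/md2 /mnt/data
lsblk -f

# --- base system ------------------------------------------------------------
# NOTE(review): --no-check-gpg skips Release-file signature verification and
# the default mirror is plain http, so the base system is fetched
# unauthenticated. Drop the flag (or pass
# --keyring=/usr/share/keyrings/debian-archive-keyring.gpg) whenever the rescue
# host has the Debian archive keyring installed.
debootstrap \
  --include=linux-base,linux-image-amd64,linux-headers-amd64,grub-pc,mdadm,cryptsetup,initramfs-tools,openssh-server,busybox,dropbear,locales,net-tools,kbd,netmask,console-setup,htop,nload,iotop,strace,lsof,lvm2 \
  --arch=amd64 \
  --no-check-certificate \
  --no-check-gpg \
  "$dist" \
  /mnt \
  "$mirror"

# Build-time resolver only; replaced by the systemd-resolved symlink below.
printf 'nameserver %s\n' "$nameserver" > /mnt/etc/resolv.conf
printf '%s\n' "${TARGET_HOSTNAME:-${HOSTNAME:-$(hostname -f)}}" > /mnt/etc/hostname
printf '%s UUID=%s none luks\n' "$cname" "$(blkid -s UUID -o value /dev/md1)" > /mnt/etc/crypttab
cat > /mnt/etc/fstab <<EOF
proc /proc proc defaults 0 0
UUID=$(blkid -s UUID -o value /dev/md0) /boot ext2 defaults 0 0
UUID=$(blkid -s UUID -o value /dev/mapper/$cname) / ext4 defaults 0 1
UUID=$(blkid -s UUID -o value /dev/md2) /data ext4 defaults 0 0
EOF
printf 'deb http://security.debian.org/ %s/updates main\n' "$dist" > /mnt/etc/apt/sources.list.d/security.list

# --- chroot setup -----------------------------------------------------------
mount -o bind /dev /mnt/dev
mount -o bind /dev/pts /mnt/dev/pts
mount -t sysfs /sys /mnt/sys
mount -t proc /proc /mnt/proc
# /dev is bind-mounted and only carries /dev/mdN here; add the /dev/md/N aliases
# (presumably for the tools run inside the chroot) and seed mtab from /proc/mounts.
chroot /mnt /bin/bash -xe <<'EOF'
mkdir -p /dev/md
ln -s /dev/md0 /dev/md/0
ln -s /dev/md1 /dev/md/1
ln -s /dev/md2 /dev/md/2
cp /proc/mounts /etc/mtab
EOF

install -d -m 700 /mnt/root/.ssh
printf '%s\n' "$ssh_key" > /mnt/root/.ssh/authorized_keys
chmod 600 /mnt/root/.ssh/authorized_keys

chroot /mnt apt-get clean -yq
chroot /mnt apt-get update -q
DEBIAN_FRONTEND=noninteractive chroot /mnt apt-get upgrade -qy
chroot /mnt apt-get clean -yq

# --- networking -------------------------------------------------------------
cat > /mnt/etc/systemd/network/wired.network <<'EOF'
[Match]
Name=e*
[Network]
DHCP=ipv4
EOF
chroot /mnt systemctl enable systemd-networkd
chroot /mnt systemctl enable systemd-resolved
rm -f /mnt/etc/resolv.conf
chroot /mnt ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

# --- remote unlock via dropbear in the initramfs ----------------------------
sed -i 's/NO_START=1/NO_START=0/' /mnt/etc/default/dropbear
sed -i 's/^#CRYPTSETUP=$/CRYPTSETUP=y/' /mnt/etc/cryptsetup-initramfs/conf-hook
# The initramfs key may only run cryptroot-unlock: no shell, no forwarding.
printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" %s\n' "$ssh_key" \
  > /mnt/etc/dropbear-initramfs/authorized_keys
sed -i 's/^#DROPBEAR_OPTIONS=$/DROPBEAR_OPTIONS="-p 22 -s -j -k -I 60"/' /mnt/etc/dropbear-initramfs/config
chroot /mnt update-initramfs -u -k all

# --- bootloader -------------------------------------------------------------
# ip=dhcp brings the network up in the initramfs so the dropbear unlock is reachable.
printf 'GRUB_CMDLINE_LINUX_DEFAULT="ip=dhcp"\n' >> /mnt/etc/default/grub
chroot /mnt grub-install "$disk_1"
chroot /mnt grub-install "$disk_2"
chroot /mnt update-grub
ls -lha /mnt/boot
df -h /mnt/boot

# --- locale, motd, services -------------------------------------------------
sed -i 's/.*en_US.UTF-8 UTF-8.*/en_US.UTF-8 UTF-8/g' /mnt/etc/locale.gen
chroot /mnt locale-gen
printf 'LC_ALL=en_US.UTF-8\n' > /mnt/etc/environment
: > /mnt/etc/motd
# The regular dropbear service stays off; openssh-server serves the booted
# system and dropbear only the initramfs.
chroot /mnt systemctl disable dropbear
cat > /mnt/etc/systemd/journald.conf <<'EOF'
[Journal]
Storage=auto
ForwardToSyslog=no
ForwardToKMsg=no
ForwardToConsole=no
ForwardToWall=no
SystemMaxUse=10G
SystemKeepFree=1G
SystemMaxFiles=10
EOF

# --- teardown ---------------------------------------------------------------
# Unmount everything under /mnt, deepest first. Anchored on the mount point
# rather than a substring match, so unrelated host mounts whose path merely
# contains "mnt" are left alone; xargs -r skips umount when nothing matches.
mount | awk '$3 == "/mnt" || $3 ~ /^\/mnt\// {print $3}' | tac | xargs -r -n 1 umount
cryptsetup luksClose "$cname"
sync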