├── .gitignore
├── .travis.yml
├── README.rst
├── bin
    ├── hubservices.py
    ├── login_script.sh
    ├── reboot-ask.py
    ├── secalerts.py
    ├── secalerts.sh
    ├── secupdates-ask.py
    ├── setpass.py
    └── simplehttpd.py
├── debian
    ├── .gitignore
    ├── compat
    ├── control
    ├── copyright
    ├── inithooks.docs
    ├── inithooks.install
    ├── postinst
    ├── rules
    └── source
    │   └── format
├── default
    ├── inithooks
    └── turnkey-init-fence
├── docs
    └── RelNotes-0.9.txt
├── everyboot.d
    └── 01empty
├── firstboot.d
    ├── 01ipconfig
    ├── 05autogrow-fs
    ├── 09hostname
    ├── 10randomize-cronapt
    ├── 10randomize-crontab
    ├── 10regen-sshkeys
    ├── 15regen-sslcert
    ├── 29sudoadmin
    ├── 29tagid
    ├── 30rootpass
    ├── 30turnkey-init-fence
    ├── 80hub-services
    ├── 85secalerts
    ├── 95secupdates
    ├── 97turnkey-init-fence-disable
    ├── 98finalize
    └── 99reboot
├── libinithooks
    ├── __init__.py
    ├── dialog_wrapper.py
    ├── inithooks_cache.py
    └── inithooks_log.py
├── rsyslog.d
    └── inithooks.conf
├── run
├── setup.py
├── systemd
    └── system
    │   ├── container-getty@1.service.d
    │       └── 10-container-getty-tkl-login.conf
    │   └── getty@tty1.service.d
    │       └── 10-getty-tkl-login.conf
├── tests
    ├── cert.key
    ├── cert.pem
    └── test-simplehttpd.sh
├── turnkey-init
├── turnkey-init-fence
    ├── htdocs
    │   ├── index.html
    │   ├── style.css
    │   └── turnkey-init-root.png
    └── turnkey-init-fence
├── turnkey-install-security-updates
└── turnkey-sudoadmin


/.gitignore:
--------------------------------------------------------------------------------
1 | *.pyc
2 | __pycache__
3 | 


--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
 1 | sudo: required
 2 | language: generic
 3 | 
 4 | services:
 5 |   - docker
 6 | 
 7 | script:
 8 |   - wget -O- http://travis.debian.net/script.sh | sh -
 9 | 
10 | branches:
11 |   except:
12 |     - /^debian\/\d/
13 | 


--------------------------------------------------------------------------------
/README.rst:
--------------------------------------------------------------------------------
  1 | ===================================================
  2 | System initialization, configuration and preseeding
  3 | ===================================================
  4 | 
  5 | Introduction
  6 | ============
  7 | 
  8 | Before we expose a TurnKey system to a hostile Internet, we first need
  9 | to initialize it. This will setup passwords, install security updates,
 10 | and configure key applications settings.
 11 | 
 12 | This initialization process can be interactive or non-interactive
 13 | depending on what works best given where and how the system is deployed.
 14 | 
 15 | Interactive system initialization
 16 | ---------------------------------
 17 | 
 18 | A configuration wizard shows a short sequence of simple text dialogs
 19 | that look primitive but provide a quick step-by-step process that works
 20 | anywhere and requires only the bare minimum of software dependencies - a
 21 | big advantage for security sensitive applications:
 22 | 
 23 | .. image:: https://www.turnkeylinux.org/files/images/docs/inithooks/turnkey-init-root.png
 24 |    :alt: root password dialog
 25 |    :width: 650px
 26 | 
 27 | All software is potentially buggy but we can minimize the risk by
 28 | intentionally favoring simplicity over fancy eye candy.
 29 | 
 30 | The configuration dialogs run in one of two places:
 31 | 
 32 | 1) **The boot console on first boot** on build types (e.g., ISO, VM,
 33 |    VMDK) where the real or virtual machine usually provides access to
 34 |    an interactive system console.
 35 | 
 36 | 2) **The first administration login** on build types running on
 37 |    *headless* virtual machines (e.g., AWS marketplace, OpenStack,
 38 |    Xen).  that don't provide the option to interact with the system at
 39 |    boot time.
 40 |    
 41 |    After boot, a virtual fence redirects attempts to access
 42 |    potentially vulnerable services to a web page explaining how to SSH
 43 |    into the machine for the first time to initialize the system. After
 44 |    initialization the virtual fence comes down and all services can be
 45 |    accessed normally.
 46 | 
 47 | Non-interactive system initialization
 48 | -------------------------------------
 49 | 
 50 | The `TurnKey Hub`_ streamlines deployment by preseeding system
 51 | initialization settings with values the user provides before launching
 52 | an instance through the Hub's cloud deployment web app.
 53 | 
 54 | This means when the system boots for the first time it doesn't need to
 55 | interact with the user through text dialogs.
 56 | 
 57 | Preseeding is well documented and may be used by other hosting providers
 58 | or private clouds in a similar way to streamline deployment.
 59 | 
 60 | .. _TurnKey Hub: https://hub.turnkeylinux.org/
 61 | 
 62 | Under the hood: everything you wanted to know but were afraid to ask
 63 | ====================================================================
 64 | 
 65 | Users wishing to preseed headless builds (e.g. LXC) will find the
 66 | `Preseeding`_ section below of value. Otherwise, the preceding introduction
 67 | explained everything mere mortals need to know about the system
 68 | initialization process.
 69 | 
 70 | The rest of the documentation is intended for:
 71 | 
 72 | - Appliance hackers interested in learning how TurnKey works under the
 73 |   hood and developing their own configuration hooks.
 74 | 
 75 | - Expert users who want to understand how system initialization works in
 76 |   depth.
 77 | 
 78 | - Hosting providers and private cloud fullstack ninjas interested in
 79 |   implementing tight integration between TurnKey and custom control
 80 |   panels. 
 81 | 
 82 |   This isn't a requirement, just a bonus. Without any special
 83 |   integration, TurnKey images can be deployed like any other Debian or
 84 |   Debian-based image, using your existing deployments scripts. If you
 85 |   can deploy Debian or Ubuntu it should be trivial to deploy TurnKey.
 86 | 
 87 | Inithooks package design goals
 88 | ------------------------------
 89 | 
 90 | The inithooks package executes system initialization scripts
 91 | which:
 92 | 
 93 | - **Regenerate secret keys (e.g., SSH, default SSL certificate)**: This
 94 |   isn't just a good idea, it's necessary to avoid man in the middle
 95 |   attacks.
 96 | 
 97 | - **Set passwords (e.g., root, database, application)**: necessary to avoid the risk
 98 |   of `hardwired default passwords <http://www.turnkeylinux.org/blog/end-to-default-passwords>`_ 
 99 | 
100 | - **Configure basic application settings (e.g., domain, admin email)**:
101 |   especially useful when configuring the application would require hunting
102 |   down the format of a configuration file.
103 | 
104 | Also, Inithooks provides a preseeding mechanism designed to make it easy
105 | to integrate TurnKey with custom control panels provided by various
106 | virtualization solutions and cloud hosting providers.
107 | 
108 | How it works
109 | ------------
110 | 
111 | Inithooks itself is as generic and barebones as possible, leaving
112 | the bulk of functionality up to the appliance specific "hook"
113 | scripts themselves,
114 | 
115 | These scripts are located in two sub-directories under
116 | /usr/lib/inithooks - everyboot.d and firstboot.d. 
117 | 
118 | They are executed in alphanumeric ordering. This means a script named
119 | 1-foo would be executed before 2-bar, which would itself be executed
120 | before 3-foobar. That's why scripts in these directories have funny
121 | numbers at the beginning.  
122 | 
123 | The inithooks top-level init script is executed early on in system
124 | initialization, at runlevel 2 15. This enables configuration of the
125 | system prior to most services starting. This should be taken into
126 | consideration when developing hook scripts.
127 | 
128 | firstboot.d scripts
129 | '''''''''''''''''''
130 | 
131 | Scripts in the firstboot.d sub-directory are executed under the
132 | following conditions:
133 | 
134 | #. If the user executes "turnkey-init" from a root shell. This command
135 |    can be used to rerun the firstboot.d inithooks interactively to
136 |    reconfigure the appliance if needed. Certain scripts such as those that
137 |    regenerate secret keys are skipped. See BLACKLIST variable in
138 |    /usr/sbin/turnkey-init for details.
139 | 
140 | #. When the user logs in as root for the first time into a headless
141 |    system. This triggers "turnkey-init" to run so that the user can
142 |    interactively complete appliance initialization.
143 | 
144 | #. When a TurnKey appliance boots for the first time
145 | 
146 |    inithooks checks whether or not this is the first boot by checking
147 |    the value of the RUN\_FIRSTBOOT flag in /etc/default/inithooks. If
148 |    the value is false it runs the scripts and toggles the flag to true.
149 | 
150 |    The firstboot scripts may run in one of two modes, interactive or
151 |    non-interactive, depending on the type of build.
152 | 
153 |    **Interactive mode on non-headless builds - Live CD ISO, VMDK and
154 |    OVF**: With these image types interactive access to the virtual
155 |    console during boot is expected so some of the inithooks
156 |    initialization scripts will interact with the user via text dialogs
157 |    the first time the system boots (e.g., ask for passwords,
158 |    application settings, etc.). These are the same scripts that get
159 |    executed if you run "turnkey-init".
160 | 
161 |    **Non-interactive mode on headless builds - OpenStack, OpenVZ,
162 |    OpenNode, Xen**: with these image types interactive access to the
163 |    virtual console during boot can not be assumed.  The first boot has
164 |    to be capable of running non-interactively, otherwise we risk
165 |    hanging the boot while it waits for user interaction that never
166 |    happens.
167 |    
168 |    So instead of interacting with the user the system pre-initializes
169 |    application settings with dummy defaults and set all passwords to a
170 |    random value. If a root password has already been set (e.g., in a
171 |    pre-deployment script) the headless preseeding script will not
172 |    overwrite it, so your root password should work just fine.
173 |    
174 |    The output from the non-interactive running of the firstboot
175 |    scripts is logged to /var/log/inithooks.log.
176 | 
177 |    Interactive appliance configuration is delayed until the first time
178 |    the user logs in as root. This is accomplished with the help of the
179 |    /usr/lib/inithooks/firstboot.d/29preseed hook, which only exists on
180 |    headless builds::
181 | 
182 |     #!/bin/bash -e
183 |     # generic preseeding of inithooks.conf if it doesn't exist
184 | 
185 |     [ -e $INITHOOKS_CONF ] && exit 0
186 | 
187 |     MASTERPASS=$(mcookie | cut --bytes 1-8)
188 | 
189 |     cat>$INITHOOKS_CONF<<EOF
190 |     export ROOT_PASS=$MASTERPASS
191 |     export DB_PASS=$MASTERPASS
192 |     export APP_PASS=$MASTERPASS
193 |     export APP_EMAIL=admin@example.com
194 |     export APP_DOMAIN=DEFAULT
195 |     export HUB_APIKEY=SKIP
196 |     export SEC_ALERTS=SKIP
197 |     export SEC_UPDATES=FORCE
198 |     EOF
199 | 
200 |     chmod +x /usr/lib/inithooks/firstboot.d/30turnkey-init-fence
201 | 
202 | 
203 |    **Initialization fence**: the above headless preseeding hook also
204 |    activates the "initialization fence" mechanism which uses iptables to
205 |    redirect attempts to access the local web server to a static web page
206 |    served by inithooks/bin/simplehttpd.py. 
207 |    
208 |    This page explains you need to log in as root first in order to
209 |    finish initializing the system. The purpose of the fence is used to
210 |    prevent users from accessing uninitialized web applications, which in
211 |    some cases can pose a security risk.
212 | 
213 |    After the user logs in as root and completes the initialization
214 |    process the "initialization fence" is turned off. Users can then
215 |    access applications running on the local web server.
216 | 
217 |    What firstboot.d/30turnkey-init-fence does:
218 |    
219 |    1) enables turnkey-init-fence as a service and starts it
220 | 
221 |       service is enabled / disabled via update-rc.d
222 | 
223 |    2) activates ~$USERNAME/.profile.d/turnkey-init-fence
224 | 
225 |       the .profile.d script launches a dtach session bound to a socket
226 | 
227 |           if a session is already bound to the socket attach to it
228 | 
229 |           what command are we running in the dtach session?
230 | 
231 |                 turnkey-init -> deactivate initfence (service and profile.d)
232 | 
233 | everyboot.d scripts
234 | '''''''''''''''''''
235 | 
236 | Scripts that are in the everyboot.d sub-directory run on every boot. We
237 | try to minimize the number of scripts that live here because they're
238 | basically a poor man's init script and real init scripts are often a
239 | better idea.
240 | 
241 | Setting the root password in a headless deployment
242 | --------------------------------------------------
243 | 
244 | On headless deployments the user needs to login as root to complete the
245 | appliance initialization process, but how do you login as root?
246 | 
247 | Not a problem if you're using OpenNode or ProxMox - those systems
248 | prompt you to choose a root password before deploying a TurnKey image.
249 | 
250 | On OpenStack you can log in as root with your configured SSH keypair
251 | or retrieve the random root password from the "system log". 
252 | 
253 | Other virtualization / private cloud solutions should be able to use
254 | their existing deployment scripts to set the root password, just like
255 | they already do with Debian and Ubuntu.
256 | 
257 | Another more advanced option is to "preseed" the /etc/inithooks.conf
258 | file in the apliance's filesystem before booting it for the first
259 | time. This lets you leverage inithooks to pre-configure not just the
260 | root password but also the database and application passwords, admin
261 | email, domain name, etc.
262 | 
263 | However note that using preseeding deactivates the "initilization
264 | fence". If you're using preseeding TurnKey assumes you've already
265 | interacted with the user some other way (e.g., web control panel) to
266 | get the preseeded configuration values.
267 | 
268 | Preseeding
269 | ----------
270 | 
271 | By default, when an appliance is run for the first time, the firstboot
272 | scripts will prompt the user interactively, through the virtual
273 | console, to choose various passwords and basic application
274 | configuration settings. 
275 | 
276 | It is possible to bypass this interactive configuration process by
277 | creating /etc/inithooks.conf in the appliance filesystem and
278 | writing inithooks configuration variables into it before the
279 | first system boot. For example:
280 | ::
281 | 
282 |     cat>/etc/inithooks.conf<<EOF
283 |     export ROOT_PASS=supersecretrootpass
284 |     export DB_PASS=supersecretmysqlpass
285 |     export APP_EMAIL=admin@example.com
286 |     export APP_PASS=webappadminpassword
287 |     export SEC_ALERTS=admin@example.com
288 |     export SEC_UPDATES=FORCE
289 |     export HUB_APIKEY=SKIP
290 |     EOF
291 | 
292 | Don't worry about leaving sensitive passwords in there: after the
293 | first boot, inithooks blanks /etc/inithooks.conf out so important
294 | passwords aren't accidentally left in the clear.
295 | 
296 | This preseeding mechanism makes it relatively easy to integrate TurnKey
297 | with custom control panels, virtualization solutions, etc.
298 | 
299 | How exactly you create /etc/inithooks.conf is up to you and the
300 | capabilities of the virtualization platform you are using. For example,
301 | many virtualization platforms provide a facility through which you can
302 | run scripts or add files to the filesystem before the first boot.
303 | 
304 | List of initialization hooks and preseeding configuration parameters
305 | --------------------------------------------------------------------
306 | 
307 | Below is a list of firstboot hooks. All interactive hooks
308 | have preseeding options to support cloud deployment, hosting and ISV
309 | integration.
310 | 
311 | If not preseeded, the user will be asked interactively. The SKIP
312 | and FORCE options should be self explanatory. Note that secupdates
313 | is automatically skipped when in live demo mode.
314 | 
315 | Most inithooks that are configurable are interactive, however not all.
316 | Non-interactive hooks that can be adjusted via preseeding are marked
317 | below with an asterisk ('*').
318 | 
319 | Initihooks that are not relevant to a particular appliance or build will
320 | simply be ignored.
321 | 
322 | Note that almost all appliances have their own application specific
323 | secret-regeneration hooks which will run regardless. 
324 | 
325 | Common to all appliances:
326 | ::
327 | 
328 |     15regen-sslcert         DH_BITS                 [ 1024 | 2048 | 4096 ]
329 |     30rootpass*             ROOT_PASS
330 |     80tklbam                HUB_APIKEY              [ SKIP ]
331 |     85secalerts             SEC_ALERTS              [ SKIP ]
332 |     95secupdates            SEC_UPDATES             [ SKIP | FORCE ]
333 | 
334 | 
335 | Notes:
336 | 
337 |     - DH_BITS refers to the number of bits used when generating Diffie-Hellman
338 |       parameters used in TLS (i.e. HTTPS) _`Diffie-Hellman key exchange`. 2048
339 |       is recommended but can be slow to generate, particularly on low resource
340 |       servers. 4096 is another option but may take hours. 1024 is default (so
341 |       firstboot isn't too slow...). Note this one doesn't have an interactive
342 |       counterpart at the moment, but can be re-run from the commandline::
343 | 
344 |             export DH_BITS=2048 # or alternatively DH_BITS=4096
345 |             /usr/lib/inithooks/firstboot.d/15regen-dhparams
346 | 
347 |     - In LXC builds, the container root password is set via the host at
348 |       creation time. As such, 30rootpass is disabled and ROOT_PASS does not
349 |       apply.
350 | 
351 | 
352 | Specific to headless builds:
353 | ::
354 | 
355 |     29preseed               INITFENCE               [ SKIP ]
356 | 
357 | Appliance specific:
358 | ::
359 | 
360 |     35mysqlpass             DB_PASS
361 |     35pgsqlpass             DB_PASS
362 | 
363 |     40ansible               APP_PASS
364 |     40couchdb               APP_PASS
365 |     40espocrm               APP_PASS
366 |     40etherpad              APP_PASS
367 |     40githttp               APP_PASS
368 |     40icesecretset          APP_PASS
369 |     40jenkins               APP_PASS
370 |     40mediawiki             APP_PASS
371 |     40mibew                 APP_PASS
372 |     40mongodb               APP_PASS
373 |     40moodle                APP_PASS
374 |     40mumblesupw            APP_PASS
375 |     40observium             APP_PASS
376 |     40odoo                  APP_PASS
377 |     40openvas               APP_PASS
378 |     40orangehrm             APP_PASS
379 |     40otrs                  APP_PASS
380 |     40phpmumbleadmin        APP_PASS
381 |     40plone                 APP_PASS
382 |     40sugarcrm              APP_PASS
383 |     40suitecrm              APP_PASS
384 |     40torrentserver         APP_PASS
385 |     40trac                  APP_PASS
386 |     40typo3                 APP_PASS
387 |     40zoneminder            APP_PASS
388 |     40redis                 APP_PASS [, APP_IP_BIND, APP_PROTECTED]
389 |     40nextcloud             APP_PASS, APP_DOMAIN
390 |     40openldap              APP_PASS, APP_DOMAIN
391 |     40owncloud              APP_PASS, APP_DOMAIN
392 |     40zurmo                 APP_PASS, APP_DOMAIN
393 |     40domain-controller     APP_PASS, APP_DOMAIN [, APP_REALM, APP_JOIN, APP_JOIN_NS]]
394 |     40b2evolution           APP_PASS, APP_EMAIL
395 |     40collabtive            APP_PASS, APP_EMAIL
396 |     40concrete5             APP_PASS, APP_EMAIL
397 |     40django                APP_PASS, APP_EMAIL
398 |     40dokuwiki              APP_PASS, APP_EMAIL
399 |     40drupal7               APP_PASS, APP_EMAIL
400 |     40e107                  APP_PASS, APP_EMAIL
401 |     40ezplatform            APP_PASS, APP_EMAIL
402 |     40foodsoft              APP_PASS, APP_EMAIL
403 |     40gallery               APP_PASS, APP_EMAIL
404 |     40joomla                APP_PASS, APP_EMAIL
405 |     40kliqqi                APP_PASS, APP_EMAIL
406 |     40limesurvey            APP_PASS, APP_EMAIL
407 |     40mahara                APP_PASS, APP_EMAIL
408 |     40mambo                 APP_PASS, APP_EMAIL
409 |     40mantis                APP_PASS, APP_EMAIL
410 |     40mattermost            APP_PASS, APP_EMAIL
411 |     40mayan                 APP_PASS, APP_EMAIL
412 |     40moinmoin              APP_PASS, APP_EMAIL
413 |     40omeka                 APP_PASS, APP_EMAIL
414 |     40oscommerce            APP_PASS, APP_EMAIL
415 |     40phpbb                 APP_PASS, APP_EMAIL
416 |     40processmaker          APP_PASS, APP_EMAIL
417 |     40redmine               APP_PASS, APP_EMAIL
418 |     40roundup               APP_PASS, APP_EMAIL
419 |     40silverstripe          APP_PASS, APP_EMAIL
420 |     40simpleinvoices        APP_PASS, APP_EMAIL
421 |     40sitracker             APP_PASS, APP_EMAIL
422 |     40twiki                 APP_PASS, APP_EMAIL
423 |     40ushahidi              APP_PASS, APP_EMAIL
424 |     40vanilla               APP_PASS, APP_EMAIL
425 |     40vtiger                APP_PASS, APP_EMAIL
426 |     40wordpress             APP_PASS, APP_EMAIL
427 |     40xoops                 APP_PASS, APP_EMAIL
428 |     40canvas                APP_PASS, APP_EMAIL, APP_DOMAIN
429 |     40drupal8               APP_PASS, APP_EMAIL, APP_DOMAIN
430 |     40elgg                  APP_PASS, APP_EMAIL, APP_DOMAIN
431 |     40foswiki               APP_PASS, APP_EMAIL, APP_DOMAIN
432 |     40gitlab                APP_PASS, APP_EMAIL, APP_DOMAIN
433 |     40gnusocial             APP_PASS, APP_EMAIL, APP_DOMAIN
434 |     40icescrum              APP_PASS, APP_EMAIL, APP_DOMAIN
435 |     40matomo                APP_PASS, APP_EMAIL, APP_DOMAIN
436 |     40phplist               APP_PASS, APP_EMAIL, APP_DOMAIN
437 |     40opencart              APP_PASS, APP_EMAIL, APP_DOMAIN
438 |     40prestashop            APP_PASS, APP_EMAIL, APP_DOMAIN
439 |     40punbb                 APP_PASS, APP_EMAIL, APP_DOMAIN
440 |     40simplemachines        APP_PASS, APP_EMAIL, APP_DOMAIN
441 |     40zencart               APP_PASS, APP_EMAIL, APP_DOMAIN
442 |     40magento               APP_PASS, APP_EMAIL, APP_DOMAIN [, APP_PRIVKEY, APP_PUBKEY]
443 |     40bugzilla              APP_PASS, APP_EMAIL [, APP_OUTMAIL]
444 |     40ghost                 APP_PASS, APP_EMAIL, APP_DOMAIN [, APP_UNAME]
445 | 
446 | Fileserver appliance specific - LXC only:
447 | ::
448 | 
449 |     35samba-container       APP_PASS
450 | 
451 | Linux and Samba user management is separate and discrete. Previously by default
452 | Samba users were mapped 1-1 with Linux users and Samba supported syncronization
453 | of passwords between the Linux and Samba users (so essentially the difference
454 | between the 2 user management systems was hidden from the end user). However
455 | due to a significant security issue, this module has been removed. Samba4 has
456 | moved to prioritize support for AD integration (which uses a different
457 | paradigm - all Samba users are contained within a single Linux user account).
458 | 
459 | To somewhat work around this limitation, on the TurnKey Fileserver appliance,
460 | when you set the root (Linux) user password, the Samba root user password is
461 | also set. However for an LXC container, the root password is set on the host,
462 | not the guest. So this workaround is not possible. Hence the Samba root
463 | password must be set separately.
464 | 
465 | 
466 | Development notes
467 | -----------------
468 | 
469 | So you're creating a new appliance and want to add initialization
470 | hooks. Awesome! Here are some examples to get you going.
471 |  
472 | Non-interactive inithook
473 | ''''''''''''''''''''''''
474 | 
475 | The following example is used in the Joomla3 appliance. It
476 | regenerates the *secret*, and sets a random mysql password for the
477 | joomla user.
478 |  
479 | ::
480 | 
481 |     /usr/lib/inithooks/firstboot.d/20regen-joomla-secrets
482 |     
483 |     #!/bin/bash -e
484 |     # regenerate joomla secret key and mysql password
485 |     
486 |     . /etc/default/inithooks
487 |     
488 |     updateconf() {
489 |         CONF=/var/www/joomla/configuration.php
490 |         sed -i "s/var $1 = \(.*\)/var $1 = '$2';/" $CONF
491 |     }
492 |     
493 |     updateconf '\$secret' $(mcookie)$(mcookie)
494 |     
495 |     PASSWORD=$(mcookie)
496 |     updateconf '\$password' $PASSWORD
497 |     
498 |     $INITHOOKS_PATH/bin/mysqlconf.py --user=joomla --pass="$PASSWORD"
499 | 
500 |  
501 | Interactive inithook
502 | ''''''''''''''''''''
503 | 
504 | The following example is used to set the root password in
505 | all appliances. If ROOTPASS is not set, the user will be asked to
506 | enter a password interactively.
507 | 
508 | .. note::
509 | 
510 |    A *very* basic debugging setup is present in dialog_wrapper.
511 |    If you're getting odd or unexpected output, dialogs you're expecting
512 |    to see are not present or are generally paranoid about the quality
513 |    of your code you can enable debug logging by setting the environment
514 |    variable ``DIALOG_DEBUG``.
515 | 
516 |    When set extensive debugging output will be written to
517 |    ``/var/log/dialog.log``.
518 |  
519 | ::
520 | 
521 |     /usr/lib/inithooks/firstboot.d/30rootpass
522 |     
523 |     #!/bin/bash -e
524 |     # set root password
525 |     
526 |     . /etc/default/inithooks
527 |     
528 |     [ -e $INITHOOKS_CONF ] && . $INITHOOKS_CONF
529 |     $INITHOOKS_PATH/bin/setpasspass.py root --pass="$ROOTPASS"
530 | 
531 |  
532 | ::
533 | 
534 |     /usr/lib/inithooks/bin/setpass.py
535 |     
536 |     #!/usr/bin/python3
537 |     # Copyright (c) 2010 Alon Swartz <alon@turnkeylinux.org>
538 |     """Set account password
539 |     
540 |     Arguments:
541 |         username      username of account to set password for
542 |     
543 |     Options:
544 |         -p --pass=    if not provided, will ask interactively
545 |     """
546 |     
547 |     import sys
548 |     import getopt
549 |     import subprocess
550 |     from subprocess import PIPE
551 |     
552 |     from libinithooks.dialog_wrapper import Dialog
553 |     
554 |     def fatal(s):
555 |         print >> sys.stderr, "Error:", s
556 |         sys.exit(1)
557 |     
558 |     def usage(e=None):
559 |         if e:
560 |             print >> sys.stderr, "Error:", e
561 |         print >> sys.stderr, "Syntax: %s <username> [options]" % sys.argv[0]
562 |         print >> sys.stderr, __doc__
563 |         sys.exit(1)
564 |     
565 |     def main():
566 |         try:
567 |             opts, args = getopt.gnu_getopt(sys.argv[1:], "hp:", ['help', 'pass='])
568 |         except getopt.GetoptError, e:
569 |             usage(e)
570 |     
571 |         if len(args) != 1:
572 |             usage()
573 |     
574 |         username = args[0]
575 |         password = ""
576 |         for opt, val in opts:
577 |             if opt in ('-h', '--help'):
578 |                 usage()
579 |             elif opt in ('-p', '--pass'):
580 |                 password = val
581 |     
582 |         if not password:
583 |             d = Dialog('TurnKey GNU/Linux - First boot configuration')
584 |             password = d.get_password(
585 |                 "%s Password" % username.capitalize(),
586 |                 "Please enter new password for the %s account." % username)
587 |     
588 |         command = ["chpasswd"]
589 |         input = ":".join([username, password])
590 |         
591 |         p = subprocess.Popen(command, stdin=PIPE, shell=False)
592 |         p.stdin.write(input)
593 |         p.stdin.close()
594 |         err = p.wait()
595 |         if err:
596 |             fatal(err)
597 |     
598 |     if __name__ == "__main__":
599 |         main()
600 | 
601 | .. _Diffie-Hellman key exchange: https://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange
602 | 


--------------------------------------------------------------------------------
/bin/hubservices.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python3
  2 | # Copyright (c) 2011 Alon Swartz <alon@turnkeylinux.org>
  3 | """Initialize Hub Services (TKLBAM, HubDNS)
  4 | 
  5 | Options:
  6 |     --apikey=    if not provided, will ask interactively
  7 |     --fqdn=      if not provided, will ask interactively
  8 | """
  9 | 
 10 | import sys
 11 | import getopt
 12 | import signal
 13 | import subprocess
 14 | from subprocess import check_output, CalledProcessError, PIPE
 15 | 
 16 | from libinithooks.dialog_wrapper import Dialog
 17 | 
 18 | TEXT_SERVICES = ("1) TurnKey Backup and Migration: saves changes to files,\n"
 19 |                  "   databases and package management to encrypted storage\n"
 20 |                  "   which servers can be automatically restored from.\n"
 21 |                  "   https://www.turnkeylinux.org/tklbam\n\n"
 22 |                  "2) TurnKey Domain Management and Dynamic DNS:\n"
 23 |                  "   https://www.turnkeylinux.org/dns\n\n"
 24 |                  "You can start using these services immediately if you"
 25 |                  " initialize now. Or you can do this manually later (e.g.,"
 26 |                  " from the command line / Webmin)\n\n"
 27 |                  "API Key: (see https://hub.turnkeylinux.org/profile)")
 28 | 
 29 | TEXT_HUBDNS = ("TurnKey supports dynamic DNS configuration, powered by Amazon"
 30 |                " Route 53, a robust cloud DNS service:"
 31 |                " https://www.turnkeylinux.org/dns\n\n"
 32 |                "You can assign a hostname under:\n\n"
 33 |                "1) Any custom domain you are managing with the Hub.\n"
 34 |                "   For example: myhostname.mydomain.com\n\n"
 35 |                "2) The tklapp.com domain, if the hostname is untaken.\n"
 36 |                "   For example: myhostname.tklapp.com\n\n"
 37 |                "Set hostname (or press Enter to skip):")
 38 | 
 39 | SUCCESS_TKLBAM = ("Now that TKLBAM is initialized, you can backup using the"
 40 |                   " following shell command (no arguments required):\n\n"
 41 |                   "    tklbam-backup\n\n"
 42 |                   "You can enable daily automatic backup updates with this"
 43 |                   " command:\n\n"
 44 |                   "    chmod +x /etc/cron.daily/tklbam-backup\n\n"
 45 |                   "Documentation: https://www.turnkeylinux.org/tklbam\n"
 46 |                   "Manage your backups: https://hub.turnkeylinux.org")
 47 | 
 48 | SUCCESS_HUBDNS = ("You can enable hourly automatic updates with this"
 49 |                   " command:\n\n"
 50 |                   "    chmod +x /etc/cron.hourly/hubdns-update\n\n"
 51 |                   "Documentation: https://www.turnkeylinux.org/dns\n"
 52 |                   "Manage your hostnames: https://hub.turnkeylinux.org")
 53 | 
 54 | CONNECTIVITY_ERROR = ("Unable to connect to the Hub.\n\n"
 55 |                       "Please try again once your network settings are"
 56 |                       " configured, either via the Webmin interface, or by"
 57 |                       " using the following shell commands:\n\n"
 58 |                       "    tklbam-init APIKEY\n\n"
 59 |                       "    hubdns-init APIKEY FQDN\n"
 60 |                       "    hubdns-update")
 61 | 
 62 | 
 63 | def usage(s=None):
 64 |     if s:
 65 |         print("Error:", s, file=sys.stderr)
 66 |     print("Syntax: %s [options]" % sys.argv[0], file=sys.stderr)
 67 |     print(__doc__, file=sys.stderr)
 68 |     sys.exit(1)
 69 | 
 70 | 
 71 | def main():
 72 |     signal.signal(signal.SIGINT, signal.SIG_IGN)
 73 |     try:
 74 |         opts, args = getopt.gnu_getopt(sys.argv[1:], "h",
 75 |                                        ['help', 'apikey=', 'fqdn='])
 76 |     except getopt.GetoptError as e:
 77 |         usage(e)
 78 | 
 79 |     apikey = ""
 80 |     fqdn = ""
 81 |     for opt, val in opts:
 82 |         if opt in ('-h', '--help'):
 83 |             usage()
 84 |         elif opt == '--apikey':
 85 |             apikey = val
 86 |         elif opt == '--fqdn':
 87 |             fqdn = val
 88 | 
 89 |     if apikey:
 90 |         check_output(['tklbam-init', apikey], encoding=sys.stdin.encoding)
 91 | 
 92 |         if fqdn:
 93 |             check_output(['hubdns-init', apikey, fqdn],
 94 |                          encoding=sys.stdin.encoding)
 95 |             check_output(['hubdns-update'], encoding=sys.stdin.encoding)
 96 | 
 97 |         return
 98 | 
 99 |     initialized_tklbam = False
100 |     d = Dialog('TurnKey GNU/Linux - First boot configuration')
101 |     while 1:
102 |         retcode, apikey = d.inputbox("Initialize Hub services", TEXT_SERVICES,
103 |                                      apikey, "Apply", "Skip")
104 | 
105 |         if not apikey or retcode == 1:
106 |             break
107 | 
108 |         d.infobox("Linking TKLBAM to the TurnKey Hub...")
109 | 
110 |         try:
111 |             check_output(["host", "-W", "2", "hub.turnkeylinux.org"],
112 |                          encoding=sys.stdin.encoding)
113 |         except CalledProcessError as e:
114 |             d.error(CONNECTIVITY_ERROR)
115 |             break
116 | 
117 |         proc = subprocess.run(['tklbam-init', apikey],
118 |                               stderr=PIPE,
119 |                               encoding=sys.stdin.encoding)
120 |         if proc.returncode == 0:
121 |             d.msgbox('Success! Linked TKLBAM to Hub', SUCCESS_TKLBAM)
122 |             initialized_tklbam = True
123 |             break
124 |         else:
125 |             d.msgbox('Failure', proc.stderr)
126 |             continue
127 | 
128 |     if initialized_tklbam:
129 |         while 1:
130 |             retcode, fqdn = d.inputbox("Assign TurnKey DNS hostname",
131 |                                        TEXT_HUBDNS, fqdn, "Apply", "Skip")
132 | 
133 |             if not fqdn or retcode == 1:
134 |                 break
135 | 
136 |             d.infobox("Linking HubDNS to the TurnKey Hub...")
137 | 
138 |             proc1 = subprocess.run(['hubdns-init', apikey, fqdn],
139 |                                    stderr.PIPE,
140 |                                    encoding=sys.stdin.encoding)
141 |             proc2 = subprocess.run(['hubdns-update'],
142 |                                    stderr.PIPE,
143 |                                    encoding=sys.stdin.encoding)
144 |             if proc1 != 0:
145 |                 d.msgbox('Failure', proc1.stderr)
146 |                 continue
147 |             elif proc2 != 0:
148 |                 d.msgbox('Failure', proc2.stderr)
149 |                 continue
150 |             else:
151 |                 d.msgbox('Success! Assigned %s' % fqdn, SUCCESS_HUBDNS)
152 | 
153 | 
154 | if __name__ == "__main__":
155 |     main()
156 | 


--------------------------------------------------------------------------------
/bin/login_script.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | . /etc/default/inithooks
4 | ${INITHOOKS_PATH}/run
5 | clear
6 | echo -en "\nDebian GNU/Linux $(lsb_release -rs) $(hostname) tty1\n\n"
7 | login -p
8 | 


--------------------------------------------------------------------------------
/bin/reboot-ask.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | """Reboot to install kernel upgrade"""
 3 | 
 4 | import sys
 5 | import getopt
 6 | import signal
 7 | 
 8 | from libinithooks.dialog_wrapper import Dialog
 9 | 
10 | TEXT = """A security update to the kernel requires a reboot to go into effect.
11 | 
12 | For maximum protection, we recommend rebooting now.
13 | """
14 | 
15 | 
16 | def usage(s=None):
17 |     if s:
18 |         print("Error:", s, file=sys.stderr)
19 |     print("Syntax: %s [options]" % sys.argv[0], file=sys.stderr)
20 |     print(__doc__, file=sys.stderr)
21 |     sys.exit(1)
22 | 
23 | 
24 | def main():
25 |     signal.signal(signal.SIGINT, signal.SIG_IGN)
26 |     try:
27 |         opts, args = getopt.gnu_getopt(sys.argv[1:], "h", ['help'])
28 |     except getopt.GetoptError as e:
29 |         usage(e)
30 | 
31 |     for opt, val in opts:
32 |         if opt in ('-h', '--help'):
33 |             usage()
34 | 
35 |     d = Dialog("TurnKey GNU/Linux - Reboot after kernel update")
36 |     reboot = d.yesno("Reboot now?", TEXT, "Reboot", "Skip")
37 | 
38 |     if not reboot:
39 |         sys.exit(1)
40 | 
41 | 
42 | if __name__ == "__main__":
43 |     main()
44 | 


--------------------------------------------------------------------------------
/bin/secalerts.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python3
  2 | """Enable system alerts and notifications
  3 | 
  4 | Options:
  5 |     --email=                if not provided, will ask interactively
  6 |     --email-placeholder=    placeholder when asking interactively
  7 | 
  8 | """
  9 | 
 10 | import os
 11 | import sys
 12 | import getopt
 13 | import signal
 14 | import logging
 15 | import subprocess
 16 | 
 17 | from libinithooks.dialog_wrapper import Dialog, EMAIL_RE
 18 | 
 19 | TITLE = "System Notifications and Critical Security Alerts"
 20 | 
 21 | TEXT = ("Enable local system notifications (root@localhost) to be forwarded"
 22 |         " to your regular inbox. Notifications include security updates and"
 23 |         " system messages.\n\n"
 24 |         "You will also be subscribed to receive critical security and bug"
 25 |         " alerts through a low-traffic Security and News announcements"
 26 |         " newsletter. You can unsubscribe at any time.\n\n"
 27 |         "https://www.turnkeylinux.org/security-alerts\n\n"
 28 |         "Email:")
 29 | 
 30 | 
 31 | def fatal(e):
 32 |     print("Error:", e, file=sys.stderr)
 33 |     sys.exit(1)
 34 | 
 35 | 
 36 | def warn(e):
 37 |     print("Warning:", e, file=sys.stderr)
 38 | 
 39 | 
 40 | def usage(s=None):
 41 |     if s:
 42 |         print("Error:", s, file=sys.stderr)
 43 |     print("Syntax: %s [options]" % sys.argv[0], file=sys.stderr)
 44 |     print(__doc__, file=sys.stderr)
 45 |     sys.exit(1)
 46 | 
 47 | 
 48 | def main():
 49 |     signal.signal(signal.SIGINT, signal.SIG_IGN)
 50 |     try:
 51 |         l_opts = ["help", "email=", "email-placeholder="]
 52 |         opts, args = getopt.gnu_getopt(sys.argv[1:], "h", l_opts)
 53 |     except getopt.GetoptError as e:
 54 |         usage(e)
 55 | 
 56 |     email = ""
 57 |     email_placeholder = ""
 58 |     for opt, val in opts:
 59 |         if opt in ("-h", "--help"):
 60 |             usage()
 61 |         elif opt == "--email":
 62 |             email = val
 63 |         elif opt == "--email-placeholder":
 64 |             email_placeholder = val
 65 | 
 66 |     if email and not EMAIL_RE.match(email):
 67 |         fatal("email is not valid")
 68 | 
 69 |     if not email:
 70 |         d = Dialog("TurnKey Linux - First boot configuration")
 71 |         email = email_placeholder
 72 |         while 1:
 73 |             retcode, email = d.inputbox(
 74 |                 TITLE,
 75 |                 TEXT,
 76 |                 email,
 77 |                 "Enable",
 78 |                 "Skip")
 79 | 
 80 |             logging.debug(f"secalerts.main():\n\tretcode:`{retcode}'\n\temail:`{email}'")
 81 |             if retcode == 'cancel':
 82 |                 email = ""
 83 |                 break
 84 | 
 85 |             if not EMAIL_RE.match(email):
 86 |                 d.error('Email is not valid')
 87 |                 continue
 88 | 
 89 |             if d.yesno("Is your email correct?", email):
 90 |                 break
 91 | 
 92 |     if email:
 93 |         cmd = os.path.join(os.path.dirname(__file__), 'secalerts.sh')
 94 |         logging.debug(f"\tcmd:`{cmd}'")
 95 |         subprocess.run([cmd, email], check=True)
 96 | 
 97 | 
 98 | if __name__ == "__main__":
 99 |     main()
100 | 


--------------------------------------------------------------------------------
/bin/secalerts.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash -e
 2 | 
 3 | fatal() { echo "fatal [$(basename $0)]: $@" 1>&2; exit 1; }
 4 | info() { echo "info [$(basename $0)]: $@"; }
 5 | 
 6 | usage() {
 7 | cat<<EOF
 8 | Syntax: $(basename $0) email
 9 | Configure security alert emails
10 | EOF
11 | exit 1
12 | }
13 | 
14 | configure_alias() {
15 |     info $FUNCNAME $@
16 |     user=$1
17 |     email=$2
18 |     cfg=/etc/aliases
19 |     touch $cfg
20 |     grep -q ^${user}: $cfg || (echo "$user:    $email" >> $cfg; return)
21 |     sed -i "s/${user}:.*/${user}:    $email/" $cfg
22 |     newaliases
23 | }
24 | 
25 | configure_cronapt() {
26 |     info $FUNCNAME $@
27 |     key=$1
28 |     val=$2
29 |     cfg="/etc/cron-apt/config"
30 |     [ -e $cfg ] || return
31 |     grep -q ^${key}= $cfg || (echo "$key=\"$val\"" >> $cfg; return)
32 |     sed -i "s/^${key}=.*/$key=\"$val\"/" $cfg
33 | }
34 | 
35 | send_enabled_notification() {
36 |     info $FUNCNAME $@
37 |     recipient=$1
38 |     subject="[$(hostname)] system alerts and notifications enabled"
39 |     mail -s "$subject" $recipient <<EOF
40 | This server is configured to send you system alerts and notifications.
41 | For more information, see:
42 | https://www.turnkeylinux.org/security-alerts
43 | 
44 | --
45 | $(turnkey-version)
46 | EOF
47 | }
48 | 
49 | enable_security_alerts() {
50 |     info $FUNCNAME $@
51 |     email=$1
52 | 
53 |     f=/etc/apt/apt.conf.d/01turnkey
54 |     [ -e "$f" ] && turnkey_version=$(sed "s/.*(\(.*\)).*/\1/" $f)
55 |     [ -n "$turnkey_version" ] || turnkey_version=$(turnkey-version)
56 | 
57 |     script=/etc/cron.hourly/enable_secalerts
58 |     cat>$script<<EOF
59 | #!/bin/bash -e
60 | # created by: $(readlink -f $0)
61 | curl https://hub.turnkeylinux.org/api/server/secalerts/ \\
62 |     -d email="$email" \\
63 |     -d turnkey_version="$turnkey_version" \\
64 |     --silent --fail --output /dev/null || exit 0
65 | 
66 | rm -f \$0
67 | EOF
68 | 
69 |     chmod +x $script
70 |     $script
71 | }
72 | 
73 | if [[ "$#" != "1" ]]; then
74 |     usage
75 | fi
76 | 
77 | email=$1
78 | 
79 | configure_alias "root" "$email"
80 | configure_cronapt "MAILON" "output"
81 | configure_cronapt "MAILTO" "root"
82 | send_enabled_notification "root"
83 | enable_security_alerts "$email"
84 | 
85 | 


--------------------------------------------------------------------------------
/bin/secupdates-ask.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # Copyright (c) 2010 Alon Swartz <alon@turnkeylinux.org>
 3 | """Install security updates"""
 4 | 
 5 | import sys
 6 | import getopt
 7 | import signal
 8 | import logging
 9 | 
10 | from subprocess import check_output, CalledProcessError
11 | from libinithooks.dialog_wrapper import Dialog
12 | 
13 | TEXT = ("By default, this system is configured to automatically install"
14 |         " security updates on a daily basis:\n\n"
15 |         "https://www.turnkeylinux.org/security-updates\n\n"
16 |         "For maximum protection, we also recommend installing the latest"
17 |         " security updates right now.\n\n"
18 |         "This can take a few minutes. You need to be online.")
19 | 
20 | CONNECTIVITY_ERROR = ("Unable to connect to package archive.\n\n"
21 |                       "Please try again once your network settings are"
22 |                       " configured by using the following shell command:\n\n"
23 |                       "    turnkey-install-security-updates")
24 | 
25 | 
26 | def usage(s=None):
27 |     if s:
28 |         print("Error:", s, file=sys.stderr)
29 |     print("Syntax: %s [options]" % sys.argv[0], file=sys.stderr)
30 |     print(__doc__, file=sys.stderr)
31 |     sys.exit(1)
32 | 
33 | 
34 | def main():
35 |     signal.signal(signal.SIGINT, signal.SIG_IGN)
36 |     try:
37 |         opts, args = getopt.gnu_getopt(sys.argv[1:], "h", ['help'])
38 |     except getopt.GetoptError as e:
39 |         usage(e)
40 | 
41 |     for opt, val in opts:
42 |         if opt in ('-h', '--help'):
43 |             usage()
44 | 
45 |     d = Dialog("TurnKey GNU/Linux - First boot configuration")
46 |     install = d.yesno("Security updates", TEXT, "Install", "Skip")
47 |     logging.debug(f"secupdates.main()\n\tinstall:`{install}'\n")
48 |     if not install:
49 |         sys.exit(1)
50 | 
51 |     try:
52 |         check_output(["host", "-W", "2", "archive.turnkeylinux.org"])
53 |     except CalledProcessError as e:
54 |         d.error(CONNECTIVITY_ERROR)
55 |         sys.exit(1)
56 | 
57 | 
58 | if __name__ == "__main__":
59 |     main()
60 | 


--------------------------------------------------------------------------------
/bin/setpass.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # Copyright (c) 2010 Alon Swartz <alon@turnkeylinux.org>
 3 | """Set account password
 4 | 
 5 | Arguments:
 6 |     username      username of account to set password for
 7 | 
 8 | Options:
 9 |     -p --pass=    if not provided, will ask interactively
10 | """
11 | 
12 | import sys
13 | import getopt
14 | import subprocess
15 | from subprocess import PIPE
16 | import signal
17 | 
18 | 
19 | def fatal(s):
20 |     print("Error:", s, file=sys.stderr)
21 |     sys.exit(1)
22 | 
23 | 
24 | def usage(s=None):
25 |     if s:
26 |         print("Error:", s, file=sys.stderr)
27 |     print("Syntax: %s <username> [options]" % sys.argv[0], file=sys.stderr)
28 |     print(__doc__, file=sys.stderr)
29 |     sys.exit(1)
30 | 
31 | 
32 | def main():
33 |     signal.signal(signal.SIGINT, signal.SIG_IGN)
34 |     try:
35 |         opts, args = getopt.gnu_getopt(sys.argv[1:], "hp:", ['help', 'pass='])
36 |     except getopt.GetoptError as e:
37 |         usage(e)
38 | 
39 |     if len(args) != 1:
40 |         usage()
41 | 
42 |     username = args[0]
43 |     password = ""
44 |     for opt, val in opts:
45 |         if opt in ('-h', '--help'):
46 |             usage()
47 |         elif opt in ('-p', '--pass'):
48 |             password = val
49 | 
50 |     if not password:
51 |         from libinithooks.dialog_wrapper import Dialog
52 |         d = Dialog('TurnKey GNU/Linux - First boot configuration')
53 |         password = d.get_password(
54 |             "%s Password" % username.capitalize(),
55 |             "Please enter new password for the %s account." % username)
56 | 
57 |     command = ["chpasswd"]
58 |     input = ":".join([username, password])
59 | 
60 |     p = subprocess.Popen(command, stdin=PIPE, shell=False)
61 |     p.stdin.write(input.encode(sys.stdin.encoding))
62 |     p.stdin.close()
63 |     err = p.wait()
64 |     if err:
65 |         fatal(err)
66 | 
67 | 
68 | if __name__ == "__main__":
69 |     main()
70 | 


--------------------------------------------------------------------------------
/bin/simplehttpd.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python3
  2 | # Copyright (c) 2012-2015 Liraz Siri <liraz@turnkeylinux.org>
  3 | # Copyright (c) 2015-2021 TurnKey GNU/Linux - https://www.turnkeylinux.org
  4 | 
  5 | """
  6 | Simple HTTP server
  7 | 
  8 | Arguments:
  9 | 
 10 |         http-port          Port to bind HTTP web server to.
 11 |                            0 = disable HTTP
 12 | 
 13 | Options:
 14 | 
 15 |     --runas=username
 16 |     --daemonize=/path/to/pidfile
 17 |     --logfile=/path/to/logfile
 18 | 
 19 | Known bugs:
 20 | 
 21 | - Invalid cert.pem && cert.key will break SSL silently
 22 | 
 23 | """
 24 | import os
 25 | from os.path import exists, abspath
 26 | from pathlib import Path
 27 | from tempfile import NamedTemporaryFile
 28 | 
 29 | import sys
 30 | import getopt
 31 | 
 32 | import http.server
 33 | import socketserver
 34 | import ssl
 35 | 
 36 | import pwd
 37 | import grp
 38 | 
 39 | import signal
 40 | 
 41 | class SimpleWebServerError(Exception):
 42 |     pass
 43 | 
 44 | 
 45 | def fatal(e):
 46 |     print("error: " + str(e), file=sys.stderr)
 47 |     sys.exit(1)
 48 | 
 49 | 
 50 | def usage(e=None):
 51 |     print("Error: " + str(e), file=sys.stderr)
 52 |     print(("Syntax: %s [ -options ] path/to/webroot [address:]http-port ["
 53 |            " [ssl-address:]ssl-port path/to/cert.pem [ path/to/cert.key ] ]"
 54 |            ) % sys.argv[0], file=sys.stderr)
 55 |     print(__doc__.strip(), file=sys.stderr)
 56 |     sys.exit(1)
 57 | 
 58 | 
 59 | def is_writeable(path):
 60 |     if not os.path.exists(path):
 61 |         path = os.path.dirname(path)
 62 | 
 63 |     return os.access(path, os.W_OK)
 64 | 
 65 | 
 66 | def daemonize(pidfile, logfile=None):
 67 |     if logfile is None:
 68 |         logfile = "/dev/null"
 69 | 
 70 |     pid = os.fork()
 71 |     if pid != 0:
 72 |         print("%d" % pid, file=open(pidfile, "w"))
 73 |         sys.exit(0)
 74 | 
 75 |     os.chdir("/")
 76 |     os.setsid()
 77 | 
 78 |     logfile = open(logfile, "w")
 79 |     os.dup2(logfile.fileno(), sys.stdout.fileno())
 80 |     os.dup2(logfile.fileno(), sys.stderr.fileno())
 81 | 
 82 |     devnull = open("/dev/null", "r")
 83 |     os.dup2(devnull.fileno(), sys.stdin.fileno())
 84 | 
 85 | 
 86 | class SecureHTTPRequestHandler(http.server.SimpleHTTPRequestHandler):
 87 |     ALLOWED_EXTS = []
 88 | 
 89 |     def list_directory(self, path):
 90 |         self.send_error(404, "No permission to list directory")
 91 |         return None
 92 | 
 93 |     def translate_path(self, path):
 94 |         path = Path(path)
 95 |         if not path.is_dir():
 96 |             ext = path.suffix.lower()
 97 |             if ext[1:] not in self.ALLOWED_EXTS:
 98 |                 return '/dev/null/doesntexist'
 99 | 
100 |         return http.server.SimpleHTTPRequestHandler.translate_path(self, str(path))
101 | 
102 | 
103 | class SimpleWebServer:
104 | 
105 |     class TCPServer(socketserver.ForkingTCPServer):
106 |         allow_reuse_address = True
107 | 
108 |     class HTTPRequestHandler(SecureHTTPRequestHandler):
109 |         ALLOWED_EXTS = ['css', 'gif', 'html', 'js', 'png', 'jpg', 'txt']
110 | 
111 |     class Address:
112 |         @staticmethod
113 |         def parse_address(address):
114 |             if ':' in address:
115 |                 host, port = address.split(':', 1)
116 |             else:
117 |                 host = '0.0.0.0'
118 |                 port = address
119 | 
120 |             try:
121 |                 port = int(port)
122 |                 assert port > 0 and port < 65535
123 |             except (ValueError, AssertionError):
124 |                 raise SimpleWebServerError(("Illegal port: '{}' - must be"
125 |                                             " integer between 1 & 65534"
126 |                                             ).format(port))
127 |             return host, port
128 | 
129 |         def __init__(self, address):
130 |             host, port = self.parse_address(address)
131 |             self.host = host
132 |             self.port = port
133 | 
134 |     class HTTPSConf(Address):
135 |         def __init__(self, address, certfile, keyfile=None):
136 |             SimpleWebServer.Address.__init__(self, address)
137 |             if keyfile is None:
138 |                 keyfile = certfile
139 | 
140 |             self.certfile = self._validate_path(certfile)
141 |             self.keyfile = self._validate_path(keyfile)
142 | 
143 |         @staticmethod
144 |         def _validate_path(fpath):
145 |             if not exists(fpath):
146 |                 raise SimpleWebServerError("No such file '{}'.".format(fpath))
147 |             return abspath(fpath)
148 | 
149 |         CIPHERS = 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'  # noqa
150 | 
151 |     class TempOwnedAs:
152 |         def __init__(self, fpath, owner, chmod=0o600):
153 |             fpath = Path(fpath)
154 |             if not fpath.exists():
155 |                 raise SimpleWebServerError("No such file '{}'.".format(fpath))
156 |             temp_file = NamedTemporaryFile(prefix='tmp')
157 |             with open(fpath, 'rb') as fob:
158 |                 contents = fob.read()
159 |                 temp_file.write(contents)
160 |             temp_file.seek(0)
161 | 
162 |             pwent = pwd.getpwnam(owner)
163 | 
164 |             os.chown(temp_file.name, pwent.pw_uid, pwent.pw_gid)
165 |             if chmod:
166 |                 os.chmod(temp_file.name, chmod)
167 | 
168 |             self.temp_file = temp_file
169 | 
170 |         def name(self):
171 |             return str(self.temp_file.name)
172 | 
173 |     def __init__(self, webroot, http_address=None,
174 |                  https_conf=None, runas=None):
175 | 
176 |         self.httpd = self.TCPServer((http_address.host, http_address.port),
177 |                                     self.HTTPRequestHandler) \
178 |                      if http_address else None
179 | 
180 |         httpsd = None
181 |         if https_conf:
182 | 
183 |             certfile = https_conf.certfile
184 |             keyfile = https_conf.keyfile
185 | 
186 |             if runas:
187 |                 _certfile = self.TempOwnedAs(certfile, runas)
188 |                 _keyfile = self.TempOwnedAs(keyfile, runas)
189 |                 certfile = _certfile.name()
190 |                 keyfile = _keyfile.name()
191 | 
192 |             httpsd = self.TCPServer((https_conf.host, https_conf.port),
193 |                                     self.HTTPRequestHandler)
194 | 
195 |             httpsd.socket = ssl.wrap_socket(httpsd.socket, certfile=certfile,
196 |                                             keyfile=keyfile, server_side=True,
197 |                                             ssl_version=ssl.PROTOCOL_TLSv1_2,
198 |                                             ciphers=https_conf.CIPHERS)
199 | 
200 |         if runas:
201 |             self.drop_privileges(runas)
202 | 
203 |         self.httpsd = httpsd
204 |         self.webroot = webroot
205 | 
206 |     @staticmethod
207 |     def drop_privileges(user):
208 |         pwent = pwd.getpwnam(user)
209 |         uid, gid, home = pwent.pw_uid, pwent.pw_gid, pwent.pw_dir
210 |         os.unsetenv("XAUTHORITY")
211 |         os.putenv("USER", user)
212 |         os.putenv("HOME", home)
213 | 
214 |         usergroups = []
215 |         groups = grp.getgrall()
216 |         for group in groups:
217 |             if user in group[3]:
218 |                 usergroups.append(group[2])
219 | 
220 |         os.setgroups(usergroups)
221 |         os.setgid(gid)
222 |         os.setuid(uid)
223 | 
224 |     def serve_forever(self):
225 | 
226 |         os.chdir(self.webroot)
227 |         httpd = self.httpd
228 |         httpsd = self.httpsd
229 | 
230 |         if not httpsd and not httpd:
231 |             raise SimpleWebServerError("Nothing to serve")
232 | 
233 |         if not httpsd and httpd:
234 |             return httpd.serve_forever()
235 | 
236 |         if not httpd and httpsd:
237 |             return httpsd.serve_forever()
238 | 
239 |         pid = os.fork()
240 |         if pid == 0:
241 |             return httpsd.serve_forever()
242 |         else:
243 |             return httpd.serve_forever()
244 | 
245 | 
246 | def main():
247 |     args = sys.argv[1:]
248 |     try:
249 |         opts, args = getopt.gnu_getopt(sys.argv[1:], 'h',
250 |                                        ["daemonize=", "logfile=", "runas="])
251 |     except getopt.GetoptError as e:
252 |         usage(e)
253 | 
254 |     daemonize_pidfile = None
255 |     logfile = None
256 |     runas = None
257 | 
258 |     for opt, val in opts:
259 |         if opt == '-h':
260 |             usage()
261 | 
262 |         if opt == '--daemonize':
263 |             daemonize_pidfile = abspath(val)
264 | 
265 |         if opt == '--logfile':
266 |             logfile = abspath(val)
267 | 
268 |         if opt == '--runas':
269 |             try:
270 |                 pwd.getpwnam(val)
271 |             except KeyError:
272 |                 fatal("No such user '{}'".format(val))
273 | 
274 |             runas = val
275 | 
276 |     if not args:
277 |         usage()
278 | 
279 |     if len(args) not in (2, 4, 5):
280 |         usage("incorrect number of arguments")
281 | 
282 |     if daemonize_pidfile and not is_writeable(daemonize_pidfile):
283 |         fatal("pidfile '%s' not writeable" % daemonize_pidfile)
284 | 
285 |     if logfile:
286 |         if not daemonize_pidfile:
287 |             fatal("--logfile can only be used with --daemonize")
288 | 
289 |         if not is_writeable(logfile):
290 |             fatal("logfile '%s' not writeable" % logfile)
291 | 
292 |     webroot, http_address = args[:2]
293 | 
294 |     if http_address in ("", "0"):
295 |         http_address = None
296 |     else:
297 |         http_address = SimpleWebServer.Address(http_address)
298 | 
299 |     https_conf = None
300 |     if len(args[2:]):
301 |         address, certfile = args[2:4]
302 | 
303 |         try:
304 |             keyfile = args[4]
305 |         except IndexError:
306 |             keyfile = None
307 | 
308 |         https_conf = SimpleWebServer.HTTPSConf(address, certfile, keyfile)
309 | 
310 |     def sighandler(signum, stack):
311 |         if signum == signal.SIGTERM:
312 |             os.killpg(os.getpgrp(), signal.SIGHUP)
313 |         sys.exit(1)
314 | 
315 |     signal.signal(signal.SIGHUP, sighandler)
316 |     signal.signal(signal.SIGTERM, sighandler)
317 | 
318 |     server = SimpleWebServer(webroot, http_address, https_conf, runas)
319 |     if daemonize_pidfile:
320 |         daemonize(daemonize_pidfile, logfile)
321 | 
322 |     server.serve_forever()
323 | 
324 | 
325 | if __name__ == "__main__":
326 |     main()
327 | 


--------------------------------------------------------------------------------
/debian/.gitignore:
--------------------------------------------------------------------------------
1 | changelog
2 | inithooks
3 | files
4 | *.log
5 | *.debhelper
6 | *.substvars
7 | 


--------------------------------------------------------------------------------
/debian/compat:
--------------------------------------------------------------------------------
1 | 10
2 | 


--------------------------------------------------------------------------------
/debian/control:
--------------------------------------------------------------------------------
 1 | Source: inithooks
 2 | Section: admin
 3 | Priority: optional
 4 | Maintainer: Stefan Davis <stefan@turnkeylinux.org>
 5 | Build-Depends:
 6 |  debhelper (>= 10),
 7 |  dh-python,
 8 |  python3-all (>= 3.5~),
 9 | Standards-Version: 4.0.0
10 | X-Python-Version: >= 3.5
11 | 
12 | Package: inithooks
13 | Architecture: all
14 | Depends:
15 |  kbd,
16 |  ${misc:Depends},
17 |  ${python3:Depends},
18 |  turnkey-ssl,
19 |  python3-dialog (>= 3.4.0~),
20 |  dialog (>= 1.3~),
21 | Recommends:
22 |  confconsole (>= 1.1.0~)
23 | Description: Executes firstboot and everyboot scripts
24 | 


--------------------------------------------------------------------------------
/debian/copyright:
--------------------------------------------------------------------------------
 1 | Copyright (C) 2009 Alon Swartz <alon@turnkeylinux.org>
 2 | 
 3 | This program is free software; you can redistribute it and/or modify
 4 | it under the terms of the GNU General Public License as published by
 5 | the Free Software Foundation; either version 2 of the License, or
 6 | (at your option) any later version.
 7 | 
 8 | This program is distributed in the hope that it will be useful,
 9 | but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | GNU General Public License for more details.
12 | 
13 | You should have received a copy of the GNU General Public License
14 | along with this program; if not, write to the Free Software
15 | Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
16 | 
17 | On Debian and Ubuntu systems, the complete text of the GNU General Public
18 | License can be found in /usr/share/common-licenses/GPL file.
19 | 


--------------------------------------------------------------------------------
/debian/inithooks.docs:
--------------------------------------------------------------------------------
1 | docs/*
2 | 


--------------------------------------------------------------------------------
/debian/inithooks.install:
--------------------------------------------------------------------------------
 1 | default/*           /etc/default
 2 | bin/*               /usr/lib/inithooks/bin
 3 | firstboot.d/*       /usr/lib/inithooks/firstboot.d
 4 | everyboot.d/*       /usr/lib/inithooks/everyboot.d
 5 | run                 /usr/lib/inithooks
 6 | rsyslog.d/*         /etc/rsyslog.d
 7 | 
 8 | turnkey-init-fence/turnkey-init-fence           /etc/init.d
 9 | turnkey-init-fence/htdocs                       /var/lib/inithooks/turnkey-init-fence
10 | 
11 | turnkey-init                        /usr/sbin
12 | turnkey-sudoadmin                   /usr/sbin
13 | turnkey-install-security-updates    /usr/sbin
14 | 
15 | systemd                             /etc
16 | 


--------------------------------------------------------------------------------
/debian/postinst:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | set -e
 4 | 
 5 | mkdir -p /var/run/turnkey-init-fence
 6 | if [ -f /etc/default/turnkey-init-fence ]; then
 7 |     RUNAS=$(sed -n 's/^RUNAS=//p' /etc/default/turnkey-init-fence)
 8 |     if [ -n "$RUNAS" ]; then
 9 |         chown -R $RUNAS /var/run/turnkey-init-fence 
10 |     fi
11 | fi
12 | 
13 | chmod 755 /usr/lib/inithooks/bin/inithooks_cache.py
14 | 
15 | #DEBHELPER#
16 | 
17 | exit 0
18 | 


--------------------------------------------------------------------------------
/debian/rules:
--------------------------------------------------------------------------------
1 | #! /usr/bin/make -f
2 | export PYBUILD_BEFORE_BUILD=\
3 | 	echo usr/lib/python{version.major}/dist-packages/libinithooks/inithooks_cache.py \
4 | 	usr/lib/inithooks/bin/inithooks_cache.py \
5 | 	> debian/inithooks.links
6 | 
7 | %:
8 | 	dh $@ --with=python3 --buildsystem=pybuild
9 | 


--------------------------------------------------------------------------------
/debian/source/format:
--------------------------------------------------------------------------------
1 | 3.0 (native)
2 | 


--------------------------------------------------------------------------------
/default/inithooks:
--------------------------------------------------------------------------------
1 | INITHOOKS_CONF=/etc/inithooks.conf
2 | INITHOOKS_PATH=/usr/lib/inithooks
3 | 
4 | RUN_FIRSTBOOT=true
5 | REDIRECT_OUTPUT=false
6 | SUDOADMIN=false
7 | 


--------------------------------------------------------------------------------
/default/turnkey-init-fence:
--------------------------------------------------------------------------------
 1 | WEBROOT=/var/lib/inithooks/turnkey-init-fence/htdocs
 2 | HTTP_PORTS=80
 3 | HTTPS_PORTS="443 12321 12320"
 4 | 
 5 | RUNAS=nobody
 6 | 
 7 | HTTP_FENCE_PORT=60080
 8 | HTTPS_FENCE_PORT=60443
 9 | HTTPS_FENCE_CERTFILE=/etc/ssl/private/cert.pem
10 | HTTPS_FENCE_KEYFILE=/etc/ssl/private/cert.key
11 | 


--------------------------------------------------------------------------------
/docs/RelNotes-0.9.txt:
--------------------------------------------------------------------------------
1 | ==================
2 | v0.9 Release Notes
3 | ==================
4 | 
5 | This is a beta release which is nonetheless feature complete as
6 | originally designed.  v1.0 will be released after more rigorous
7 | testing (and potential bugfixes/tweaks) in a production setting.
8 | 
9 | 


--------------------------------------------------------------------------------
/everyboot.d/01empty:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/turnkeylinux/inithooks/3fc094a8db7a1e53eb9865d72ff52c473de924c6/everyboot.d/01empty


--------------------------------------------------------------------------------
/firstboot.d/01ipconfig:
--------------------------------------------------------------------------------
 1 | #!/bin/bash -e
 2 | # set ipconfig
 3 | 
 4 | . /etc/default/inithooks
 5 | 
 6 | fatal() { echo "fatal $@" >&2; exit 1; }
 7 | 
 8 | [[ -e $INITHOOKS_CONF ]] && . $INITHOOKS_CONF
 9 | [[ -z "$IP_CONFIG" ]] && exit 0
10 | [[ "$IP_CONFIG" != "manual" ]] \
11 |     && [[ "$IP_CONFIG" != "static" ]] \
12 |     && [[ "$IP_CONFIG" != "dhcp" ]] \
13 |     && fatal "IP_CONFIG set incorrectly"
14 | [[ ! -e /etc/network/interfaces ]] && fatal "intefaces file not found"
15 | 
16 | APP=$(turnkey-version -n)
17 | 
18 | IP_IFACE="eth0"
19 | [[ "$APP" == "lxc" ]] && IP_IFACE="br0"
20 | 
21 | # if IP_CONFIG is not changed skip this script and avoid a interface
22 | # reconfiguration
23 | grep "iface $IP_IFACE inet $IP_CONFIG" /etc/network/interfaces >/dev/null \
24 |     && exit 0
25 | 
26 | # since debian 8 (systemd) ifdown no longer takes the interface down if we
27 | # change between manual, static or dhcp so using 'ip' instead
28 | ip link set $IP_IFACE down
29 | 
30 | cat > /etc/network/interfaces <<EOF
31 | # interfaces(5) file - generated by TurnKey firstboot
32 | 
33 | auto lo
34 | iface lo inet loopback
35 | 
36 | auto $IP_IFACE
37 | iface $IP_IFACE inet $IP_CONFIG
38 |     hostname $(head -1 /etc/hostname)
39 | EOF
40 | 
41 | if [[ "$IP_CONFIG" == "static" ]]; then
42 |     cat > /etc/network/interfaces <<EOF
43 |     hostname $(head -1 /etc/hostname)
44 |     address $IP_ADDRESS
45 |     netmask $IP_NETMASK
46 |     gateway $IP_GW
47 |     dns-nameservers $IP_DNS1 $IP_DNS2
48 | EOF
49 | 
50 | ifup --exclude=lo -a
51 | 
52 | exit $?
53 | 


--------------------------------------------------------------------------------
/firstboot.d/05autogrow-fs:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # auto grow filesystem for block device based appliances - (c) Aug/2014 by Peter Lieven <pl@kamp.de>
 3 | 
 4 | [ -n "$_TURNKEY_INIT" ] && exit 0
 5 | 
 6 | . /etc/default/inithooks
 7 | 
 8 | [ -e $INITHOOKS_CONF ] && . $INITHOOKS_CONF
 9 | 
10 | [ "$AUTOGROW" != "ONCE" ] && [ "$AUTOGROW" != "ALWAYS" ] && exit 0
11 | [ $(dirname $0) = "/usr/lib/inithooks/everyboot.d" ] && [ "$AUTOGROW" != "ALWAYS" ] && exit 0
12 | 
13 | [ -z "$AUTOGROW_DEV" ] && AUTOGROW_DEV=/dev/vda
14 | [ -z "$AUTOGROW_PART" ] && AUTOGROW_PART="${AUTOGROW_DEV}2"
15 | [ -z "$AUTOGROW_FS" ] && AUTOGROW_FS=/dev/turnkey/root
16 | [ -z "$AUTOGROW_FS_ALWAYS" ] && AUTOGROW_FS_ALWAYS=TRUE
17 | 
18 | DEVSIZE=$(blockdev --getsize $AUTOGROW_DEV)
19 | 
20 | [ "0$DEVSIZE" -eq 0 ] && exit 1
21 | 
22 | PARTINFO=$(sfdisk -d -uS $AUTOGROW_DEV | grep -A1 $AUTOGROW_PART | grep -v $AUTOGROW_PART)
23 | if [ -n "$PARTINFO" ]; then
24 |  PARTINFO=${PARTINFO/:/ }
25 |  PARTINFO=${PARTINFO//,/ }
26 |  PARTINFO=${PARTINFO//=/ }
27 |  X=$(echo $PARTINFO | grep "start 0 size 0 Id 0")
28 |  [ $? -ne 0 ] && exit 1
29 | fi
30 | 
31 | PARTINFO=$(sfdisk -d -uS $AUTOGROW_DEV | grep $AUTOGROW_PART)
32 | [ -z "$PARTINFO" ] && exit 1
33 | 
34 | PARTINFO=${PARTINFO/:/ }
35 | PARTINFO=${PARTINFO//,/ }
36 | PARTINFO=${PARTINFO//=/ }
37 | PARTINFOX=(${PARTINFO})
38 | 
39 | [ "${PARTINFOX[0]}" != "$AUTOGROW_PART" ] && exit 1
40 | [ "${PARTINFOX[1]}" != "start" ] && exit 1
41 | [ "${PARTINFOX[3]}" != "size" ] && exit 1
42 | [ "${PARTINFOX[5]}" != "Id" ] && [ "${PARTINFOX[5]}" != "type" ] && exit 1
43 | 
44 | START=${PARTINFOX[2]}
45 | SIZE=${PARTINFOX[4]}
46 | ID=${PARTINFOX[6]}
47 | 
48 | [ "$ID" != "8e" ] && exit 1
49 | 
50 | if [ $((START + SIZE + 65536)) -lt $DEVSIZE ]; then
51 |  [ -e /var/tmp/autogrow.size ] && [ $(cat /var/tmp/autogrow.size) -eq $DEVSIZE ] && exit 1
52 |  echo $DEVSIZE >/var/tmp/autogrow.size
53 |  sfdisk -d -uS $AUTOGROW_DEV | grep "${AUTOGROW_DEV}1" >/tmp/sfdisk.dump
54 |  echo "$AUTOGROW_PART : start= $START, size= $((DEVSIZE - START)), ${PARTINFOX[5]}= $ID">>/tmp/sfdisk.dump
55 |  cat /tmp/sfdisk.dump | sfdisk -uS --no-reread --force $AUTOGROW_DEV
56 |  exit 42
57 | else
58 |  if [ "$AUTOGROW_FS" != "SKIP" ]; then
59 |   [ -e /var/tmp/autogrow_fs.size ] && [ $(cat /var/tmp/autogrow_fs.size) -eq $DEVSIZE ] && exit 0
60 |   echo $DEVSIZE >/var/tmp/autogrow_fs.size
61 |   pvresize $AUTOGROW_PART
62 |   [ $(dirname $0) = "/usr/lib/inithooks/everyboot.d" ] && [ "$AUTOGROW_FS_ALWAYS" != "TRUE" ] && exit 0
63 |   lvextend -l+100%FREE $AUTOGROW_FS 2>/dev/null 
64 |   ERR=$?
65 |   [ $ERR -eq 3 ] && exit 0
66 |   [ $ERR -eq 0 ] && resize2fs $AUTOGROW_FS && touch /forcefsck && exit 42
67 |  fi
68 | fi
69 | 
70 | exit 1
71 | 


--------------------------------------------------------------------------------
/firstboot.d/09hostname:
--------------------------------------------------------------------------------
 1 | #!/bin/bash -e
 2 | # set hostname
 3 | 
 4 | . /etc/default/inithooks
 5 | 
 6 | [ -e $INITHOOKS_CONF ] && . $INITHOOKS_CONF
 7 | 
 8 | [ -z "$HOSTNAME" ] && exit 0
 9 | 
10 | old=$(hostname)
11 | 
12 | for file in \
13 |    /etc/exim4/update-exim4.conf.conf \
14 |    /etc/printcap \
15 |    /etc/hostname \
16 |    /etc/hosts \
17 |    /etc/network/interfaces \
18 |    /etc/ssh/ssh_host_rsa_key.pub \
19 |    /etc/ssh/ssh_host_dsa_key.pub \
20 |    /etc/ssh/ssh_host_ecdsa_key.pub \
21 |    /etc/ssh/ssh_host_ed25519_key.pub \
22 |    /etc/mailname \
23 |    /etc/postfix/main.cf \
24 |    /etc/motd \
25 |    /etc/ssmtp/ssmtp.conf
26 | do
27 |    [ -f $file ] && sed -i -e "s:$old:$HOSTNAME:g" $file
28 | done
29 | 
30 | hostname $HOSTNAME
31 | 
32 | exit 0
33 | 


--------------------------------------------------------------------------------
/firstboot.d/10randomize-cronapt:
--------------------------------------------------------------------------------
 1 | #!/bin/bash -e
 2 | # set random hour/minute for security updates (cron-apt)
 3 | 
 4 | [ -n "$_TURNKEY_INIT" ] && exit 0
 5 | 
 6 | # random hour: 0-23, minute: 0-59
 7 | HOUR=$[ ($RANDOM % 23) ]
 8 | MINUTE=$[ ($RANDOM % 59) ]
 9 | 
10 | cat > /etc/cron.d/cron-apt << EOF
11 | # cron job for cron-apt package
12 | # randomized time to prevent clients from accessing repo at the same time
13 | $MINUTE $HOUR * * * root test -x /usr/sbin/cron-apt && /usr/sbin/cron-apt
14 | 
15 | EOF
16 | 


--------------------------------------------------------------------------------
/firstboot.d/10randomize-crontab:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | [ ! -e /etc/crontab ] && exit 0
 4 | [ -n "$_TURNKEY_INIT" ] && exit 0
 5 | 
 6 | getrnd() {
 7 |     echo $(($(hexdump -n 2 -e '"%1u"' /dev/urandom) % $1))
 8 | }
 9 | 
10 | HOURLY_MINUTE=$(($(getrnd 50) + 10))   # 10 - 59
11 | DAILY_MINUTE=$((HOURLY_MINUTE + 8))    # 18 - 67
12 | WEEKLY_MINUTE=$((HOURLY_MINUTE + 30))  # 40 - 89
13 | MONTHLY_MINUTE=$((HOURLY_MINUTE + 35)) # 45 - 94
14 | HOUR=$(getrnd 6) # 0 - 5
15 | DAILY_HOUR=${HOUR}
16 | if [ "${DAILY_MINUTE}" -ge 60 ]; then
17 |     DAILY_MINUTE=$(printf "%2d" "$((DAILY_MINUTE % 60))")
18 |     DAILY_HOUR=$((DAILY_HOUR + 1))
19 | fi
20 | WEEKLY_HOUR=${HOUR}
21 | if [ "${WEEKLY_MINUTE}" -ge 60 ]; then
22 |     WEEKLY_MINUTE=$(printf "%2d" "$((WEEKLY_MINUTE % 60))")
23 |     WEEKLY_HOUR=$((WEEKLY_HOUR + 1))
24 | fi
25 | MONTHLY_HOUR=${HOUR}
26 | if [ "${MONTHLY_MINUTE}" -ge 60 ]; then
27 |     MONTHLY_MINUTE=$(printf "%2d" "$((MONTHLY_MINUTE % 60))")
28 |     MONTHLY_HOUR=$((MONTHLY_HOUR + 1))
29 | fi
30 | 
31 | sed --in-place --regexp-extended \
32 |     --expression="s/17(\s*)\*(\s*)\*(\s*)\*(\s*)\*(\s*)root/${HOURLY_MINUTE}\1*\2*\3*\4*\5root/g" \
33 |     --expression="s/25(\s*)6(\s*)\*(\s*)\*(\s*)\*(\s*)root/${DAILY_MINUTE}\1${DAILY_HOUR}\2*\3*\4*\5root/g" \
34 |     --expression="s/47(\s*)6(\s*)\*(\s*)\*(\s*)7(\s*)root/${WEEKLY_MINUTE}\1${WEEKLY_HOUR}\2*\3*\47\5root/g" \
35 |     --expression="s/52(\s*)6(\s*)1(\s*)\*(\s*)\*(\s*)root/${MONTHLY_MINUTE}\1${MONTHLY_HOUR}\21\3*\4*\5root/g" \
36 |     /etc/crontab
37 | 
38 | 


--------------------------------------------------------------------------------
/firstboot.d/10regen-sshkeys:
--------------------------------------------------------------------------------
 1 | #!/bin/bash -e
 2 | # generate new SSH keys
 3 | # note: ssh daemon needs to be restarted for changes to take effect
 4 | 
 5 | [ -n "$_TURNKEY_INIT" ] && exit 0
 6 | 
 7 | echo "Stopping SSH service to regenerate new keys"
 8 | systemctl stop ssh.service
 9 | 
10 | tmp_dir=/etc/ssh/tmp_keys
11 | rm -rf $tmp_dir # just in case it already contains keys
12 | mkdir -p $tmp_dir
13 | keys="rsa ecdsa ed25519"
14 | for key in $keys; do
15 |    file=$tmp_dir/ssh_host_${key}_key
16 |    echo "Generating new SSH2 ${key^^} key; this may take a while..."
17 |    ssh-keygen -q -f "${file}" -N '' -t ${key}
18 | done
19 | 
20 | echo "Moving keys into place"
21 | mv ${tmp_dir}/*{key,key.pub} /etc/ssh/
22 | rm -rf $tmp_dir
23 | 
24 | echo "Restarting SSH service"
25 | systemctl start ssh.service
26 | 
27 | exit 0
28 | 


--------------------------------------------------------------------------------
/firstboot.d/15regen-sslcert:
--------------------------------------------------------------------------------
 1 | #!/bin/bash -e
 2 | # Regenerate self-signed TLS/SSL cert & key
 3 | 
 4 | [[ -n "$_TURNKEY_INIT" ]] && exit 0
 5 | 
 6 | [[ -e $INITHOOKS_CONF ]] && . $INITHOOKS_CONF
 7 | 
 8 | _hook=$(basename $0)
 9 | 
10 | fatal() { echo "FATAL: [$_hook] $@" 1>&2 ; exit 1 ; }
11 | info() { echo "INFO: [$_hook] $@" ; }
12 | 
13 | # Check for 'turnkey-make-ssl-cert' - should be provided by
14 | # turnkey-ssl package.
15 | turnkey_make_ssl_cert=$(which turnkey-make-ssl-cert) \
16 |     || fatal "turnkey-make-ssl-cert executable not found."
17 | 
18 | # As of v17.0 a predefined 4096 bits default dhparams file is provided. Please
19 | # see https://github.com/turnkeylinux/tracker/issues/1653 for more info.
20 | info "Generating SSL/TLS cert & key."
21 | $turnkey_make_ssl_cert --default --force
22 | 
23 | # Restart relevant services
24 | SERVICES="\
25 |     nginx
26 |     apache2
27 |     lighttpd
28 |     tomcat9"
29 | 
30 | info "Restarting relevant services."
31 | for service in $SERVICES; do
32 |     service="${service}.service"
33 |     if systemctl list-units --full --all | grep -Fq $service; then
34 |         info "$service found; (re)starting..."
35 |         if systemctl is-active --quiet $service; then
36 |             systemctl restart --quiet $service
37 |         else
38 |             systemctl start --quiet $service
39 |         fi
40 |     fi
41 | done
42 | 
43 | # final tidy up
44 | update-ca-certificates
45 | 
46 | exit 0
47 | 


--------------------------------------------------------------------------------
/firstboot.d/29sudoadmin:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | [ -n "$_TURNKEY_INIT" ] && exit 0
 4 | 
 5 | . /etc/default/inithooks
 6 | if [ "$(echo $SUDOADMIN | tr [A-Z] [a-z] )" = "true" ]; then
 7 |     turnkey-sudoadmin on --disable-setpass
 8 | elif [ "$(echo $SUDOADMIN | tr [A-Z] [a-z] )" = "false" ]; then
 9 |     turnkey-sudoadmin off --disable-setpass
10 | fi
11 | 
12 | 


--------------------------------------------------------------------------------
/firstboot.d/29tagid:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | [ -n "$_TURNKEY_INIT" ] && exit 0
 4 | 
 5 | CODENAME=$(cat /etc/turnkey_version  | perl -pe 's/^turnkey-//; s/-[^-]+(-[^-]+){2}$//')
 6 | VERSION=$(cat /etc/turnkey_version | perl -pe 's/.*-([^-]+(-[^-]+){2})$/\1/')
 7 | BUILD=$(cat /etc/apt/apt.conf.d/01turnkey | perl -ne 'chomp; s/.*\((.*)\).*/\1/; s/^\S+ ?//; $tags=$_ ? $_ : "iso"; system("echo $tags | xargs -n 1 | sort -u | xargs echo | sed \"s/ /-/g\"");')
 8 | 
 9 | ### initfence 
10 | 
11 | INITFENCE_INDEX=/var/lib/inithooks/turnkey-init-fence/htdocs/index.html
12 | sed -i "s/\$CODENAME/$CODENAME/" $INITFENCE_INDEX
13 | 
14 | if ! grep -q ajax.turnkeylinux.org $INITFENCE_INDEX; then
15 | 
16 |     cat>>$INITFENCE_INDEX<<EOF
17 | <script src="https://ajax.turnkeylinux.org/initfence/$BUILD/$VERSION/$CODENAME.js" async></script>
18 | <script src="https://ajax.turnkeylinux.org/initfence/$BUILD/$VERSION/$CODENAME.direct" async></script>
19 | EOF
20 | 	
21 | fi
22 | 


--------------------------------------------------------------------------------
/firstboot.d/30rootpass:
--------------------------------------------------------------------------------
 1 | #!/bin/bash -e
 2 | # set root password
 3 | 
 4 | USERNAME=root
 5 | 
 6 | . /etc/default/inithooks
 7 | [ "$(echo $SUDOADMIN | tr [A-Z] [a-z] )" = "true" ] && USERNAME=admin
 8 | 
 9 | [ -e $INITHOOKS_CONF ] && . $INITHOOKS_CONF
10 | $INITHOOKS_PATH/bin/setpass.py $USERNAME --pass="$ROOT_PASS"
11 | 
12 | 


--------------------------------------------------------------------------------
/firstboot.d/30turnkey-init-fence:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | [ -n "$_TURNKEY_INIT" ] && exit 0
 4 | 
 5 | USERNAME=root
 6 | 
 7 | . /etc/default/inithooks
 8 | [ "$(echo $SUDOADMIN | tr [A-Z] [a-z] )" = "true" ] && USERNAME=admin
 9 | 
10 | PROFILE_FIRSTLOGIN=$(eval printf ~$USERNAME)/.profile.d/turnkey-init-fence
11 | [ -f $PROFILE_FIRSTLOGIN ] && chmod +x $PROFILE_FIRSTLOGIN
12 | 
13 | systemctl enable turnkey-init-fence
14 | systemctl start turnkey-init-fence
15 | echo 'turnkey-init-fence is up'
16 | 


--------------------------------------------------------------------------------
/firstboot.d/80hub-services:
--------------------------------------------------------------------------------
 1 | #!/bin/bash -e
 2 | # initialize hub services (tklbam, hubdns)
 3 | 
 4 | . /etc/default/inithooks
 5 | 
 6 | [ -e $INITHOOKS_CONF ] && . $INITHOOKS_CONF
 7 | [ "$HUB_APIKEY" == "SKIP" ] && exit 0
 8 | 
 9 | $INITHOOKS_PATH/bin/hubservices.py --apikey="$HUB_APIKEY" --fqdn="$FQDN"
10 | 
11 | 


--------------------------------------------------------------------------------
/firstboot.d/85secalerts:
--------------------------------------------------------------------------------
 1 | #!/bin/bash -e
 2 | # enable security alert emails
 3 | # SEC_ALERTS: SKIP, $EMAIL (if none specified, will be interactive)
 4 | 
 5 | . /etc/default/inithooks
 6 | 
 7 | [ -e $INITHOOKS_CONF ] && . $INITHOOKS_CONF
 8 | [ "$SEC_ALERTS" == "SKIP" ] && exit 0
 9 | 
10 | $INITHOOKS_PATH/bin/secalerts.py \
11 |     --email="$SEC_ALERTS" \
12 |     --email-placeholder="$($INITHOOKS_PATH/bin/inithooks_cache.py APP_EMAIL)"
13 | 
14 | 


--------------------------------------------------------------------------------
/firstboot.d/95secupdates:
--------------------------------------------------------------------------------
 1 | #!/bin/bash -e
 2 | # install security updates
 3 | # SEC_UPDATES: SKIP, FORCE (if none specified, will be interactive)
 4 | 
 5 | . /etc/default/inithooks
 6 | [ -e $INITHOOKS_CONF ] && . $INITHOOKS_CONF
 7 | 
 8 | # exit if running live
 9 | grep -qs boot=live /proc/cmdline && exit 2
10 | 
11 | install_updates() {
12 |     # if registered with hub, update with status
13 |     if grep SERVERID= /var/lib/hubclient/server.conf -q -s; then
14 |         hubclient-status sec-updates
15 |     fi
16 | 
17 |     LOGFILE=/var/log/cron-apt/log
18 |     # containers won't have /lib/modules; sending stderr to /dev/null avoids
19 |     # displaying error message about missing path
20 |     OLDMD5=$(ls -la /lib/modules /boot 2>/dev/null | md5sum)
21 |     for actionfile in /etc/cron-apt/action.d/*; do
22 |         while read aptcmd; do
23 |             aptcmd=$(echo $aptcmd | sed "s|-q||")
24 |             aptcmd=$(echo $aptcmd | sed "s|-o quiet=.*||")
25 |             DEBIAN_FRONTEND=noninteractive apt-get $aptcmd | tee -a $LOGFILE
26 |         done < $actionfile
27 |     done
28 |     # per above note re containers
29 |     NEWMD5=$(ls -la /lib/modules /boot 2>/dev/null | md5sum)
30 |     if [ "$NEWMD5" != "$OLDMD5" ]; then
31 |         chmod +x $INITHOOKS_PATH/firstboot.d/99reboot
32 |     fi
33 | }
34 | 
35 | [ "$SEC_UPDATES" == "SKIP" ] && exit 0
36 | 
37 | if [ "$SEC_UPDATES" == "FORCE" ]; then
38 |     install_updates
39 | else
40 |     $INITHOOKS_PATH/bin/secupdates-ask.py && install_updates
41 | fi
42 | 
43 | exit 0
44 | 


--------------------------------------------------------------------------------
/firstboot.d/97turnkey-init-fence-disable:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | [ -z "$_TURNKEY_INIT" ] && exit 0; # ONLY run from within turnkey-init
 4 | 
 5 | if systemctl is-active --quiet turnkey-init-fence; then
 6 | 
 7 |     systemctl disable turnkey-init-fence
 8 |     systemctl stop turnkey-init-fence
 9 | 
10 | fi
11 | 
12 | for home in /root /home/admin; do
13 |     [ -e $home/.profile.d/turnkey-init-fence ] && chmod -x $home/.profile.d/turnkey-init-fence;
14 | done
15 | 
16 | chmod -x /usr/lib/inithooks/firstboot.d/??turnkey-init-fence*
17 | 
18 | echo 'turnkey-init-fence is down'
19 | 


--------------------------------------------------------------------------------
/firstboot.d/98finalize:
--------------------------------------------------------------------------------
 1 | #!/bin/bash -e
 2 | 
 3 | INITHOOKS_DEFAULT=/etc/default/inithooks
 4 | . $INITHOOKS_DEFAULT
 5 | 
 6 | # blank out configuration file (usually contains passwords)
 7 | [ -e $INITHOOKS_CONF ] && echo > $INITHOOKS_CONF
 8 | 
 9 | # set run_firstboot to false
10 | sed -i '/RUN_FIRSTBOOT/ s/=.*/=false/g' $INITHOOKS_DEFAULT
11 | 
12 | exit 0
13 | 
14 | 


--------------------------------------------------------------------------------
/firstboot.d/99reboot:
--------------------------------------------------------------------------------
 1 | #!/bin/bash -e
 2 | # reboot system (kernel upgrade, set chmod +x by 95secupdates)
 3 | # will be skipped if running live or REBOOT set to SKIP
 4 | 
 5 | chmod -x $0 # self-deactivating
 6 | 
 7 | . /etc/default/inithooks
 8 | [ -e $INITHOOKS_CONF ] && . $INITHOOKS_CONF
 9 | 
10 | grep -qs boot=live /proc/cmdline && exit 2
11 | 
12 | [ "$REBOOT" == "SKIP" ] && exit 0
13 | 
14 | reboot() {
15 |     init 6
16 | }
17 | 
18 | if [ "$SEC_UPDATES" == "FORCE" ]; then
19 |     echo "rebooting due to kernel security upgrade..."
20 |     reboot
21 | else
22 |     $INITHOOKS_PATH/bin/reboot-ask.py && reboot
23 | fi
24 | 


--------------------------------------------------------------------------------
/libinithooks/__init__.py:
--------------------------------------------------------------------------------
 1 | import subprocess
 2 | import sys
 3 | from os import path, environ
 4 | 
 5 | def is_interactive() -> bool:
 6 |     return len(subprocess.run(['stty', 'size'], capture_output=True).stdout) > 0
 7 | 
 8 | # logging is done this way to ensure it's done the same as with inithooks run
 9 | def _log(level: str, message: str) -> None:
10 |     args = ['logger', '-t', 'inithooks']
11 | 
12 |     level = level.lower()
13 |     if not level in ('err', 'warn', 'info', 'debug'):
14 |         m = sys.modules['__main__']
15 |         err_msg = 'unknown log level in main'
16 |         if hasattr(m, '__file__'):
17 |             err_msg += f' ({path.abspath(m.__file__)})'
18 |         error(err_msg)
19 |     else:
20 |         args.extend(['-p', level])
21 |     args.append(message)
22 | 
23 |     subprocess.run(args)
24 |     if 'INITHOOKS_LOGFILE' in environ:
25 |         logfile = environ['INITHOOKS_LOGFILE']
26 |         with open(logfile, 'a') as fob:
27 |             fob.write(f'{level.upper()}: {message}')
28 | 
29 | def debug(message: str) -> None:
30 |     _log('debug', message)
31 | def info(message: str) -> None:
32 |     _log('info', message)
33 | def warn(message: str) -> None:
34 |     _log('warn', message)
35 | def error(message: str) -> None:
36 |     _log('error', message)
37 | 
38 | 


--------------------------------------------------------------------------------
/libinithooks/dialog_wrapper.py:
--------------------------------------------------------------------------------
  1 | # Copyright (c) 2010 Alon Swartz <alon@turnkeylinux.org>
  2 | 
  3 | import re
  4 | import sys
  5 | import dialog
  6 | import traceback
  7 | from io import StringIO
  8 | from os import environ
  9 | import logging
 10 | 
 11 | EMAIL_RE = re.compile(r"(?:^|\s).*\S@\S+(?:\s|$)", re.IGNORECASE)
 12 | 
 13 | LOG_LEVEL = logging.INFO
 14 | if "DIALOG_DEBUG" in environ.keys():
 15 |     LOG_LEVEL = logging.DEBUG
 16 | 
 17 | logging.basicConfig(
 18 |         filename="/var/log/dialog.log",
 19 |         encoding="utf-8",
 20 |         level=LOG_LEVEL
 21 | )
 22 | 
 23 | 
 24 | class Error(Exception):
 25 |     pass
 26 | 
 27 | 
 28 | def password_complexity(password):
 29 |     """return password complexity score from 0 (invalid) to 4 (strong)"""
 30 | 
 31 |     lowercase = re.search("[a-z]", password) is not None
 32 |     uppercase = re.search("[A-Z]", password) is not None
 33 |     number = re.search(r"\d", password) is not None
 34 |     nonalpha = re.search(r"\W", password) is not None
 35 | 
 36 |     return sum([lowercase, uppercase, number, nonalpha])
 37 | 
 38 | 
 39 | class Dialog:
 40 |     def __init__(self, title, width=60, height=20):
 41 |         self.width = width
 42 |         self.height = height
 43 | 
 44 |         self.console = dialog.Dialog(dialog="dialog")
 45 |         self.console.add_persistent_args(["--no-collapse"])
 46 |         self.console.add_persistent_args(["--backtitle", title])
 47 |         self.console.add_persistent_args(["--no-mouse"])
 48 | 
 49 |     def _handle_exitcode(self, retcode):
 50 |         logging.debug(f"_handle_exitcode(retcode={retcode!r})")
 51 |         if retcode == self.console.ESC:  # ESC, ALT+?
 52 |             text = "Do you really want to quit?"
 53 |             if self.console.yesno(text) == self.console.OK:
 54 |                 sys.exit(0)
 55 |             return False
 56 | 
 57 |         logging.debug(
 58 |             "_handle_exitcode(): [no conditions met, returning True]"
 59 |         )
 60 |         return True
 61 | 
 62 |     def _calc_height(self, text):
 63 |         height = 6
 64 |         for line in text.splitlines():
 65 |             height += (len(line) // self.width) + 1
 66 | 
 67 |         return height
 68 | 
 69 |     def wrapper(self, dialog_name, text, *args, **kws):
 70 |         retcode = ""
 71 |         logging.debug(
 72 |             f"wrapper(dialog_name={dialog_name!r}, text=<redacted>,"
 73 |             + f" *{args!r}, **{kws!r})"
 74 |         )
 75 |         try:
 76 |             method = getattr(self.console, dialog_name)
 77 |         except AttributeError as e:
 78 |             logging.error(
 79 |                 f"wrapper(dialog_name={dialog_name!r}, ...) raised exception",
 80 |                 exc_info=e,
 81 |             )
 82 |             raise Error("dialog not supported: " + dialog_name)
 83 | 
 84 |         while 1:
 85 |             try:
 86 |                 retcode = method("\n" + text, *args, **kws)
 87 |                 logging.debug(
 88 |                     f"wrapper(dialog_name={dialog_name!r}, ...) -> {retcode!r}"
 89 |                 )
 90 | 
 91 |                 if self._handle_exitcode(retcode):
 92 |                     break
 93 | 
 94 |             except Exception as e:
 95 |                 sio = StringIO()
 96 |                 traceback.print_exc(file=sio)
 97 |                 logging.error(
 98 |                     f"wrapper(dialog_name={dialog_name!r}) raised exception",
 99 |                     exc_info=e
100 |                 )
101 |                 self.msgbox("Caught exception", sio.getvalue())
102 | 
103 |         return retcode
104 | 
105 |     def error(self, text: str) -> str:
106 |         """'Error' titled message with single 'ok' button
107 |         Returns 'Ok'"""
108 |         height = self._calc_height(text)
109 |         return self.wrapper("msgbox", text, height, self.width, title="Error")
110 | 
111 |     def msgbox(self, title: str, text: str) -> str:
112 |         """Titled message with single 'ok' button
113 |         Returns 'Ok'"""
114 |         height = self._calc_height(text)
115 |         logging.debug(f"msgbox(title={title!r}, text=<redacted>)")
116 |         return self.wrapper("msgbox", text, height, self.width, title=title)
117 | 
118 |     def infobox(self, text: str) -> str:
119 |         """Untitled message with single 'ok' button
120 |         Returns 'Ok'"""
121 |         height = self._calc_height(text)
122 |         logging.debug(f"infobox(text={text!r}")
123 |         return self.wrapper("infobox", text, height, self.width)
124 | 
125 |     def inputbox(
126 |             self,
127 |             title: str,
128 |             text: str,
129 |             init: str = "",
130 |             ok_label: str = "OK",
131 |             cancel_label: str = "Cancel"
132 |     ) -> str:
133 |         """Titled message with text input and single choice of 2 buttons
134 |         Returns 'Ok' or "Cancel'"""
135 |         logging.debug(
136 |             f"inputbox(title={title!r}, text=<redacted>,"
137 |             + f" init={init!r}, ok_label={ok_label!r},"
138 |             + f" cancel_label={cancel_label!r})"
139 |         )
140 | 
141 |         height = self._calc_height(text) + 3
142 |         no_cancel = True if cancel_label == "" else False
143 |         logging.debug(
144 |             f"inputbox(...) [calculated height={height},"
145 |             f" no_cancel={no_cancel}]"
146 |         )
147 |         return self.wrapper(
148 |             "inputbox",
149 |             text,
150 |             height,
151 |             self.width,
152 |             title=title,
153 |             init=init,
154 |             ok_label=ok_label,
155 |             cancel_label=cancel_label,
156 |             no_cancel=no_cancel,
157 |         )
158 | 
159 |     def yesno(
160 |             self,
161 |             title: str,
162 |             text: str,
163 |             yes_label: str = "Yes",
164 |             no_label: str = "No"
165 |     ) -> bool:
166 |         """Titled message with single choice of 2 buttons
167 |         Returns True ('Yes" button) or False ('No' button)"""
168 |         height = self._calc_height(text)
169 |         retcode = self.wrapper(
170 |             "yesno",
171 |             text,
172 |             height,
173 |             self.width,
174 |             title=title,
175 |             yes_label=yes_label,
176 |             no_label=no_label,
177 |         )
178 |         logging.debug(
179 |             f"yesno(title={title!r}, text=<redacted>,"
180 |             f" yes_label={yes_label!r}, no_label={no_label!r})"
181 |             f" -> {retcode}"
182 |         )
183 |         return True if retcode == "ok" else False
184 | 
185 |     def menu(
186 |             self,
187 |             title: str,
188 |             text: str,
189 |             # [(opt1, opt1_info), (opt2, opt2_info)]
190 |             choices: list[tuple[str, str]]
191 |     ) -> str:
192 |         """Titled message with single choice of options & 'ok' button
193 |         Returns selected option - e.g. 'opt1'"""
194 |         retcode, choice = self.wrapper(
195 |             "menu",
196 |             text,
197 |             self.height,
198 |             self.width,
199 |             menu_height=len(choices) + 1,
200 |             title=title,
201 |             choices=choices,
202 |             no_cancel=True,
203 |         )
204 |         return choice
205 | 
206 |     def get_password(
207 |             self,
208 |             title: str,
209 |             text: str,
210 |             pass_req: int = 8,
211 |             min_complexity: int = 3,
212 |             blacklist: list[str] = []
213 |     ) -> str | None:
214 |         """Validated titled message with password (redacted input) box &
215 |         'ok' button - also accepts password limitations
216 |         Returns password"""
217 |         req_string = (
218 |             f"\n\nPassword Requirements\n - must be at least {pass_req}"
219 |             " characters long\n - must contain characters from at"
220 |             f" least {min_complexity} of the following categories: uppercase,"
221 |             " lowercase, numbers, symbols"
222 |         )
223 |         if blacklist:
224 |             req_string = (
225 |                 f"{req_string}. Also must NOT contain these characters:"
226 |                 f' {" ".join(blacklist)}'
227 |             )
228 |         height = self._calc_height(text + req_string) + 3
229 | 
230 |         def ask(title: str, text: str) -> str:
231 |             """Titled input box (input redacted) & 'ok' button"""
232 |             return self.wrapper(
233 |                 "passwordbox",
234 |                 text + req_string,
235 |                 height,
236 |                 self.width,
237 |                 title=title,
238 |                 ok_label="OK",
239 |                 no_cancel="True",
240 |                 insecure=True,
241 |             )[1]
242 | 
243 |         while 1:
244 |             password = ask(title, text)
245 |             if not password:
246 |                 self.error("Please enter non-empty password!")
247 |                 continue
248 | 
249 |             if isinstance(pass_req, int):
250 |                 if len(password) < pass_req:
251 |                     self.error(
252 |                         f"Password must be at least {pass_req} characters."
253 |                     )
254 |                     continue
255 |             else:
256 |                 if not re.match(pass_req, password):
257 |                     self.error("Password does not match complexity"
258 |                                " requirements.")
259 |                     continue
260 | 
261 |             if password_complexity(password) < min_complexity:
262 |                 if min_complexity <= 3:
263 |                     self.error(
264 |                         "Insecure password! Mix uppercase, lowercase,"
265 |                         " and at least one number. Multiple words and"
266 |                         " punctuation are highly recommended but not"
267 |                         " strictly required."
268 |                     )
269 |                 elif min_complexity == 4:
270 |                     self.error(
271 |                         "Insecure password! Mix uppercase, lowercase,"
272 |                         " numbers and at least one special/punctuation"
273 |                         " character. Multiple words are highly"
274 |                         " recommended but not strictly required."
275 |                     )
276 |                 continue
277 | 
278 |             found_items = []
279 |             for item in blacklist:
280 |                 if item in password:
281 |                     found_items.append(item)
282 |             if found_items:
283 |                 self.error(
284 |                     f"Password can NOT include these characters: {blacklist}."
285 |                     f" Found {found_items}"
286 |                 )
287 |                 continue
288 | 
289 |             if password == ask(title, "Confirm password"):
290 |                 return password
291 | 
292 |             self.error("Password mismatch, please try again.")
293 | 
294 |     def get_email(self, title: str, text: str, init: str = "") -> str | None:
295 |         """Vaidated input box (email) with optional prefilled value and 'Ok'
296 |         button
297 |         Returns email"""
298 |         logging.debug(
299 |             f"get_email(title={title!r}, text=<redacted>, init={init!r})"
300 |         )
301 |         while 1:
302 |             email = self.inputbox(title, text, init, "Apply", "")[1]
303 |             logging.debug(f"get_email(...) email={email!r}")
304 |             if not email:
305 |                 self.error("Email is required.")
306 |                 continue
307 | 
308 |             if not EMAIL_RE.match(email):
309 |                 self.error("Email is not valid")
310 |                 continue
311 | 
312 |             return email
313 | 
314 |     def get_input(self, title: str, text: str, init: str = "") -> str | None:
315 |         """Input box within optional prefilled value & 'Ok' button
316 |         Returns input"""
317 |         while 1:
318 |             s = self.inputbox(title, text, init, "Apply", "")[1]
319 |             if not s:
320 |                 self.error(f"{title} is required.")
321 |                 continue
322 | 
323 |             return s
324 | 


--------------------------------------------------------------------------------
/libinithooks/inithooks_cache.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | """Interface to inithooks cache
 3 | 
 4 | Arguments:
 5 | 
 6 |     key                 key name (required)
 7 |     value               if specified, will set as key value
 8 |                         if omitted, will return the value of key if set
 9 | 
10 | Environment:
11 | 
12 |     INITHOOKS_CACHE     path to cache (default: /var/lib/inithooks/cache)
13 | """
14 | 
15 | import os
16 | import sys
17 | 
18 | CACHE_DIR = os.environ.get("INITHOOKS_CACHE", "/var/lib/inithooks/cache")
19 | 
20 | 
21 | def fatal(e):
22 |     print("Error:", e, file=sys.stderr)
23 |     sys.exit(1)
24 | 
25 | 
26 | def usage(s=None):
27 |     if s:
28 |         print("Error:", s, file=sys.stderr)
29 |     print("Syntax: %s <key> [value]" % sys.argv[0], file=sys.stderr)
30 |     print(__doc__, file=sys.stderr)
31 |     sys.exit(1)
32 | 
33 | 
34 | class KeyStore:
35 |     def __init__(self, cache_dir=CACHE_DIR):
36 |         self.cache_dir = cache_dir
37 |         os.makedirs(self.cache_dir, mode=0o755, exist_ok=True)
38 | 
39 |     def read(self, key, fallback=None):
40 |         keypath = os.path.join(self.cache_dir, key)
41 | 
42 |         if os.path.exists(keypath):
43 |             with open(keypath, "r") as fob:
44 |                 data = fob.read()
45 |             return data
46 | 
47 |         return fallback
48 | 
49 |     def write(self, key, val):
50 |         keypath = os.path.join(self.cache_dir, key)
51 | 
52 |         with open(keypath, "w") as fob:
53 |             fob.write(val)
54 | 
55 | 
56 | # convenience functions
57 | 
58 | def read(key, fallback=None):
59 |     return KeyStore(CACHE_DIR).read(key, fallback)
60 | 
61 | 
62 | def write(key, value):
63 |     return KeyStore(CACHE_DIR).write(key, value)
64 | 
65 | 
66 | if __name__ == "__main__":
67 |     import getopt
68 |     opts = []
69 |     args = []
70 |     try:
71 |         opts, args = getopt.gnu_getopt(sys.argv[1:], "h", ["help"])
72 |     except getopt.GetoptError as e:
73 |         usage(e)
74 | 
75 |     for opt, val in opts:
76 |         if opt in ("-h", "--help"):
77 |             usage()
78 | 
79 |     if len(args) == 0:
80 |         usage()
81 | 
82 |     if len(args) > 2:
83 |         fatal("too many arguments")
84 | 
85 |     if len(args) == 1:
86 |         val = read(args[0])
87 |         if val:
88 |             print(val)
89 | 
90 |     if len(args) == 2:
91 |         write(args[0], args[1])
92 | 


--------------------------------------------------------------------------------
/libinithooks/inithooks_log.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | import subprocess
 3 | from dataclasses import dataclass
 4 | 
 5 | INITHOOK_LOG = os.getenv("INITHOOKS_LOGFILE", "/var/log/inithooks.log")
 6 | LOG_LEVELS = ["err", "warn", "info", "debug"]
 7 | 
 8 | 
 9 | class InitLogError(Exception):
10 |     pass
11 | 
12 | 
13 | @dataclass
14 | class InitLog:
15 |     inithook_name: str
16 |     log_file: str = INITHOOK_LOG
17 | 
18 |     def write(self, msg: str, level: str = "info") -> None:
19 |         """Write to log & journal
20 |         valid levels: err|warn|info|debug
21 |         """
22 |         if level not in LOG_LEVELS:
23 |             raise InitLogError(f"invalid log level '{level}'")
24 |         msg = f"[{self.inithook_name}] {msg}".rstrip()
25 |         subprocess.run(
26 |             [
27 |                 "/usr/bin/logger",
28 |                 "-t",
29 |                 "inithooks",
30 |                 "-p",
31 |                 level,
32 |                 msg,
33 |             ]
34 |         )
35 |         with open(self.log_file, "a") as fob:
36 |             fob.write(f"{msg}\n")
37 | 


--------------------------------------------------------------------------------
/rsyslog.d/inithooks.conf:
--------------------------------------------------------------------------------
1 | if $programname == 'inithooks' then /var/log/inithooks.log
2 | 


--------------------------------------------------------------------------------
/run:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | # Executed by init script
  3 | 
  4 | TERM=${TERM:-linux}
  5 | 
  6 | INITHOOKS_DEFAULT=/etc/default/inithooks
  7 | . "$INITHOOKS_DEFAULT"
  8 | 
  9 | TKLINFO=/var/lib/turnkey-info
 10 | 
 11 | unset PID INITHOOKS_LOGFILE
 12 | 
 13 | REDIRECT_OUTPUT="$(echo "$REDIRECT_OUTPUT" | tr '[:upper:]' '[:lower:]')"
 14 | 
 15 | everyboot_ran() {
 16 |     # read lastboot time
 17 |     lastboot_time="$(date '+%s' -d "$(cut -f1 -d. /proc/uptime) seconds ago")"
 18 |     if [[ -f /run/inithooks/everyboot_ran ]]; then
 19 |         # time stamp written
 20 |         prev_lastboot_time="$(</run/inithooks/everyboot_ran)"
 21 |         if [[ "$lastboot_time" -eq "$prev_lastboot_time" ]]; then
 22 |             # time stamp of last boot is the same as our last boot, everyboot
 23 |             # scripts already ran
 24 |             return 0
 25 |         else
 26 |             # time stamp of last boot is different from our last boot, everyboot
 27 |             # scripts not already ran
 28 |             echo "$lastboot_time" > /run/inithooks/everyboot_ran
 29 |             return 1
 30 |         fi
 31 |     else
 32 |         # no time stamp written, haven't run everyboot scripts since last boot
 33 |         mkdir -p /run/inithooks
 34 |         echo "$lastboot_time" > /run/inithooks/everyboot_ran
 35 |         return 1
 36 |     fi
 37 | }
 38 | 
 39 | log() {
 40 |     # log to journal as well as $INITHOOKS_LOGFILE
 41 |     LEVEL=$1 # err|warn|info|debug
 42 |     shift
 43 |     logger -t inithooks -p "$LEVEL" "$@"
 44 |     [[ -n "$INITHOOKS_LOGFILE" ]] \
 45 |         && echo "${LEVEL^^}: $*" >> "$INITHOOKS_LOGFILE"
 46 | }
 47 | 
 48 | if [[ "$REDIRECT_OUTPUT" == "true" ]]; then
 49 |     # redirect stdout/stderr (use when preseeding headless deployments)
 50 |     export INITHOOKS_LOGFILE=/var/log/inithooks.log
 51 |     touch $INITHOOKS_LOGFILE
 52 |     chmod 640 $INITHOOKS_LOGFILE
 53 | 
 54 |     # on xen redirection is performed by the inithooks-xen service
 55 |     # on lxc and other headless deployments, redirection is handled below
 56 |     # otherwise redirection is handled by inithooks service and redirected to
 57 |     # tty8
 58 | 
 59 |     if [[ ! -f "$TKLINFO/xen" ]]; then
 60 |         TTY=$(cat /sys/devices/virtual/tty/tty0/active)
 61 |         [[ -z $TTY ]] && TTY=console
 62 |         tail -f $INITHOOKS_LOGFILE > /dev/"$TTY" &
 63 |         PID="$!"
 64 |     fi
 65 | fi
 66 | 
 67 | exec_scripts() {
 68 |     script_dir=$1
 69 |     [[ -d "$script_dir" ]] || return 0
 70 |     for SCRIPT in $(find "$script_dir" -type f -or -type l | sort); do
 71 |         [[ -e $INITHOOKS_CONF ]] && . "$INITHOOKS_CONF"
 72 |         script="$(basename "$SCRIPT")"
 73 |         if [[ ! -x "$SCRIPT" ]]; then
 74 |             log warn "[$script] skipping"
 75 |             continue
 76 |         fi
 77 |         log info "[$script] running"
 78 |         "$SCRIPT"
 79 |         exit_code=$?
 80 |         if [[ "$exit_code" -eq 0 ]]; then
 81 |             log info "[$script] successfully completed"
 82 |         elif [[ "$script" = "95secupdates" ]] && [[ "$exit_code" -eq 2 ]]; then
 83 |             log info "[$script] detected live system - skipping"
 84 |         elif [[ "$script" = "95secupdates" ]] && [[ "$exit_code" -eq 42 ]]; then
 85 |             log warn "[$script] reboot is required"
 86 |             log err 'Rebooting now!'
 87 |             systemctl reboot
 88 |             exit 0
 89 |         else
 90 |             log err "[$script] failed - exit code $exit_code"
 91 |         fi
 92 |     done
 93 |     return 0
 94 | }
 95 | 
 96 | [[ -e $INITHOOKS_CONF ]] && . $INITHOOKS_CONF
 97 | export INITHOOKS_CONF=$INITHOOKS_CONF
 98 | 
 99 | if [[ "${RUN_FIRSTBOOT,,}" == "true" ]]; then
100 |     exec_scripts "$INITHOOKS_PATH/firstboot.d"
101 | fi
102 | 
103 | if ! everyboot_ran; then
104 |     exec_scripts "$INITHOOKS_PATH/everyboot.d"
105 | fi
106 | 
107 | if [[ -n "$PID" ]];  then
108 |     kill -9 $PID || true
109 | fi
110 | 
111 | if [[ "${REDIRECT_OUTPUT,,}" == "true" ]]; then
112 |     log info "Inithook run completed, exiting."
113 | else
114 |     log info "Inithook run completed, now starting confconsole"
115 |     sleep 2 # anyway to replace this?
116 |     confconsole --usage
117 |     log info "Confconsole started, inithooks exiting"
118 | fi
119 | 
120 | exit 0
121 | 


--------------------------------------------------------------------------------
/setup.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | 
 3 | from distutils.core import setup
 4 | 
 5 | setup(
 6 |     name="inithooks",
 7 |     version="1.0.3",
 8 |     author="Stefan Davis",
 9 |     author_email="stefan@turnkeylinux.org",
10 |     url="https://github.com/turnkeylinux/inithooks",
11 |     packages=["libinithooks"],
12 | )
13 | 


--------------------------------------------------------------------------------
/systemd/system/container-getty@1.service.d/10-container-getty-tkl-login.conf:
--------------------------------------------------------------------------------
1 | [Service]
2 | EnvironmentFile=
3 | EnvironmentFile=/etc/default/inithooks
4 | ExecStart=
5 | ExecStart=-/sbin/agetty -n -l /bin/bash -o "/usr/lib/inithooks/bin/login_script.sh" --noclear --keep-baud pts/%I 115200,38400,9600 $TERM
6 | 


--------------------------------------------------------------------------------
/systemd/system/getty@tty1.service.d/10-getty-tkl-login.conf:
--------------------------------------------------------------------------------
1 | [Service]
2 | EnvironmentFile=
3 | EnvironmentFile=/etc/default/inithooks
4 | ExecStart=
5 | ExecStart=-/sbin/agetty -n -l /bin/bash -o "/usr/lib/inithooks/bin/login_script.sh" --noclear %I $TERM
6 | 


--------------------------------------------------------------------------------
/tests/cert.key:
--------------------------------------------------------------------------------
 1 | -----BEGIN PRIVATE KEY-----
 2 | MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDBdbbVbbC5UqMN
 3 | 6mK/IlQyldD++LJKr+A/DXPPfYn+2Az4Bm20FVJGPKusgB/nWm00mNXRZ7PTb0bK
 4 | nFxvIffIrh9l2pyStdJ9CO5uiD0ESsMg2vEk2JHkoCIpygjzZ8ulrvU9glWfZIh7
 5 | fGqMQOEeM50XxS0YUoJjwpGX0xx5jm7tB8u6qvWKUdJrIpFC86mfg3Ys6095Iob4
 6 | LGnF/ZJG/wPlE9uHgQ8feY4wHfiDeoprUSX84G5WefhLkUAYSeLiiasPtryXjqk1
 7 | OVy1/1nQCozlXiY0g5fnU/nfrnMs2NGJD2Xpz7SdjyaFTbBW/uOgqo9x0vTJl8rL
 8 | tDqoqx6jAgMBAAECggEAHSKrTG1epipp4BiikoKLB6tEdIHj6BegwB44iNExTS4g
 9 | leHx96MWZvmQKUSKiX823yr9WLIzhO5HTRBLY3lMJe8DT4Wi+v1jG+2SaxcdiV3x
10 | ESuoEZKENlhfjMeenXnOU7+Ls53DY2PyohZUvZav0KqZSBEr/3O9q2SMJL9olG26
11 | Ar8AZxS9tYZZYRu1Il1P90n36F9ewPDxWMSR5refSEuMJ0UN8jIzeduI3MuKN8Dx
12 | PPcdFt/Q7QIKX7t2j2Vq48FqGQOHAvlVGhRyDAXvJ5jKH66IR/w86cXgY4AXsmtD
13 | 7egW67QQ5g9ahwrNI9mG+2yyD4oZsG+ZpujU3vTK4QKBgQDe+fKLxCpz+83EnUdn
14 | o56d7VdNLyBjFWV8yKU87AcHcLR3hFamyeBd0E4pvxizkiHLTvRbXijAibRMGFbk
15 | Ls+eeI6e6BcfTn+qb23uOREE3fMBiq7rfNbqI8sC8TOzp+y1uqisJ+xCfu5fM409
16 | clRdwDyJev2EWXrQdD6hp9oIKwKBgQDeHKj1UERPstONytG3FPjAq4jG1hNc2Fwh
17 | iWBoXquIMZGNf3ghNBrdgTO5tuKKAYBaUkA1EQZt69HhEOQwKN5gmmxlkzh8zI0Z
18 | jhfkIH3JKAryNXk6pvUfu0Q6Erooz5ivg5kS/JWrpSG5GHKvNMtxDOT8DNMFaD8p
19 | K8TDfmnPaQKBgQCGukIKn4IDSL+hMGNHxP5/cDxS38nS9Me4qUfmUrtAjKIOoUD2
20 | UH6oUMgZw2S6g+61eMR/PJqlE8+ENySxhXNfznpmm9f0y6qqIeArlAGrjixZ3yEo
21 | GuuE2BG/elyCDlIh0GJAe3LvDuEbVvvdh+pgJ1qsu0rZoHNr5wE9Dj3YtwKBgQCY
22 | VyPzjags2cSMHi4U2od67qwTZMVHCwa14dmD/Fq+QPFKEcG9VFWQ04s8t5lNepYk
23 | XQG45AJ65iG/sqwv8/gCXig2yvEVd97XRkRQrZBYpeRMGC0b82Nw7ipvgmS4lRpu
24 | V15oTWICpnIo2AHg9d8LnQJ5dfpOXR/lByYfx9ae8QKBgQCdFbyvIXj1k6ozgRRf
25 | BulEDdBsvWs9+zJ29NgVrBoCx8B+tKxqde5uMsOSVGVo+YYoiRaAKvzhoRrP2Jru
26 | cORRgEbmURfDVvpnoXUQaI0BWu5YMcFYleq22yBPbRaeadTauzhh39i0VQ2xGF7J
27 | j8kdhTkaTFyGFzRSjQ69cNF8yg==
28 | -----END PRIVATE KEY-----
29 | 


--------------------------------------------------------------------------------
/tests/cert.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE-----
 2 | MIIECDCCAvCgAwIBAgIJAP9iQsFQiP6sMA0GCSqGSIb3DQEBCwUAMHAxGjAYBgNV
 3 | BAoMEVR1cm5LZXkgR05VL0xpbnV4MRwwGgYDVQQLDBNTb2Z0d2FyZSBhcHBsaWFu
 4 | Y2VzMTQwMgYDVQQDDCtpcC0xMC0zNi0yMjktMTAwLmV1LXdlc3QtMS5jb21wdXRl
 5 | LmludGVybmFsMB4XDTE1MTExOTE0NDgxNloXDTI1MTExOTE0NDgxNlowcDEaMBgG
 6 | A1UECgwRVHVybktleSBHTlUvTGludXgxHDAaBgNVBAsME1NvZnR3YXJlIGFwcGxp
 7 | YW5jZXMxNDAyBgNVBAMMK2lwLTEwLTM2LTIyOS0xMDAuZXUtd2VzdC0xLmNvbXB1
 8 | dGUuaW50ZXJuYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBdbbV
 9 | bbC5UqMN6mK/IlQyldD++LJKr+A/DXPPfYn+2Az4Bm20FVJGPKusgB/nWm00mNXR
10 | Z7PTb0bKnFxvIffIrh9l2pyStdJ9CO5uiD0ESsMg2vEk2JHkoCIpygjzZ8ulrvU9
11 | glWfZIh7fGqMQOEeM50XxS0YUoJjwpGX0xx5jm7tB8u6qvWKUdJrIpFC86mfg3Ys
12 | 6095Iob4LGnF/ZJG/wPlE9uHgQ8feY4wHfiDeoprUSX84G5WefhLkUAYSeLiiasP
13 | tryXjqk1OVy1/1nQCozlXiY0g5fnU/nfrnMs2NGJD2Xpz7SdjyaFTbBW/uOgqo9x
14 | 0vTJl8rLtDqoqx6jAgMBAAGjgaQwgaEwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggr
15 | BgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0RBG4wbIIraXAtMTAtMzYtMjI5LTEwMC5l
16 | dS13ZXN0LTEuY29tcHV0ZS5pbnRlcm5hbIIEY29yZYIaZXUtd2VzdC0xLmNvbXB1
17 | dGUuaW50ZXJuYWyCEGlwLTEwLTM2LTIyOS0xMDCCCWxvY2FsaG9zdDANBgkqhkiG
18 | 9w0BAQsFAAOCAQEAST/pGW8VOMPCQmlLB/Kw004OTrjl2OV3cnG2+hWAnVIApAFO
19 | Jr1jCcOfV2Qxa4cuBMiXieKiC4WNvxzWHpcVuadkhHfBz/MAf4j0cqH5ahph+8ki
20 | olodf/gxeLwsnbd0LZPy4Jerje1W/HlMzWNmwyjPYLfuJJmuSve1aHPaxma2GU6s
21 | Z6l/JL7sBG03t+KyrEr5dPkgmEh8VV4L/Sr/vn4T/YSwC1HE1vV8vy8PU2CJD4ye
22 | t1UIUwnsgN8PNCvvctrZ79HovUSegbIe3YrIF4beAdbPwLGVlOoPreNOMOiwDEjs
23 | 8eCK59712Q5ysl3z/Els/T/up8Bi+3HTiySnaA==
24 | -----END CERTIFICATE-----
25 | -----BEGIN PRIVATE KEY-----
26 | MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDBdbbVbbC5UqMN
27 | 6mK/IlQyldD++LJKr+A/DXPPfYn+2Az4Bm20FVJGPKusgB/nWm00mNXRZ7PTb0bK
28 | nFxvIffIrh9l2pyStdJ9CO5uiD0ESsMg2vEk2JHkoCIpygjzZ8ulrvU9glWfZIh7
29 | fGqMQOEeM50XxS0YUoJjwpGX0xx5jm7tB8u6qvWKUdJrIpFC86mfg3Ys6095Iob4
30 | LGnF/ZJG/wPlE9uHgQ8feY4wHfiDeoprUSX84G5WefhLkUAYSeLiiasPtryXjqk1
31 | OVy1/1nQCozlXiY0g5fnU/nfrnMs2NGJD2Xpz7SdjyaFTbBW/uOgqo9x0vTJl8rL
32 | tDqoqx6jAgMBAAECggEAHSKrTG1epipp4BiikoKLB6tEdIHj6BegwB44iNExTS4g
33 | leHx96MWZvmQKUSKiX823yr9WLIzhO5HTRBLY3lMJe8DT4Wi+v1jG+2SaxcdiV3x
34 | ESuoEZKENlhfjMeenXnOU7+Ls53DY2PyohZUvZav0KqZSBEr/3O9q2SMJL9olG26
35 | Ar8AZxS9tYZZYRu1Il1P90n36F9ewPDxWMSR5refSEuMJ0UN8jIzeduI3MuKN8Dx
36 | PPcdFt/Q7QIKX7t2j2Vq48FqGQOHAvlVGhRyDAXvJ5jKH66IR/w86cXgY4AXsmtD
37 | 7egW67QQ5g9ahwrNI9mG+2yyD4oZsG+ZpujU3vTK4QKBgQDe+fKLxCpz+83EnUdn
38 | o56d7VdNLyBjFWV8yKU87AcHcLR3hFamyeBd0E4pvxizkiHLTvRbXijAibRMGFbk
39 | Ls+eeI6e6BcfTn+qb23uOREE3fMBiq7rfNbqI8sC8TOzp+y1uqisJ+xCfu5fM409
40 | clRdwDyJev2EWXrQdD6hp9oIKwKBgQDeHKj1UERPstONytG3FPjAq4jG1hNc2Fwh
41 | iWBoXquIMZGNf3ghNBrdgTO5tuKKAYBaUkA1EQZt69HhEOQwKN5gmmxlkzh8zI0Z
42 | jhfkIH3JKAryNXk6pvUfu0Q6Erooz5ivg5kS/JWrpSG5GHKvNMtxDOT8DNMFaD8p
43 | K8TDfmnPaQKBgQCGukIKn4IDSL+hMGNHxP5/cDxS38nS9Me4qUfmUrtAjKIOoUD2
44 | UH6oUMgZw2S6g+61eMR/PJqlE8+ENySxhXNfznpmm9f0y6qqIeArlAGrjixZ3yEo
45 | GuuE2BG/elyCDlIh0GJAe3LvDuEbVvvdh+pgJ1qsu0rZoHNr5wE9Dj3YtwKBgQCY
46 | VyPzjags2cSMHi4U2od67qwTZMVHCwa14dmD/Fq+QPFKEcG9VFWQ04s8t5lNepYk
47 | XQG45AJ65iG/sqwv8/gCXig2yvEVd97XRkRQrZBYpeRMGC0b82Nw7ipvgmS4lRpu
48 | V15oTWICpnIo2AHg9d8LnQJ5dfpOXR/lByYfx9ae8QKBgQCdFbyvIXj1k6ozgRRf
49 | BulEDdBsvWs9+zJ29NgVrBoCx8B+tKxqde5uMsOSVGVo+YYoiRaAKvzhoRrP2Jru
50 | cORRgEbmURfDVvpnoXUQaI0BWu5YMcFYleq22yBPbRaeadTauzhh39i0VQ2xGF7J
51 | j8kdhTkaTFyGFzRSjQ69cNF8yg==
52 | -----END PRIVATE KEY-----
53 | -----BEGIN DH PARAMETERS-----
54 | MIICDAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
55 | +8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
56 | 87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
57 | YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
58 | 7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
59 | ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
60 | 7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
61 | nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
62 | 8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
63 | iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
64 | zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQICAgFF
65 | -----END DH PARAMETERS-----
66 | 


--------------------------------------------------------------------------------
/tests/test-simplehttpd.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | src=$(dirname $0)/..
4 | 
5 | echo "Initfence htdocs @ http://127.0.0.1:60080/ https://127.0.0.1:60443/"
6 | 
7 | set -x
8 | $src/bin/simplehttpd.py $src/turnkey-init-fence/htdocs 60080 60443 $src/tests/cert.pem $src/tests/cert.key
9 | 


--------------------------------------------------------------------------------
/turnkey-init:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python3
  2 | #
  3 | # Copyright (c) 2012-2015 Alon Swartz <alon@turnkeylinux.org>
  4 | # Copyright (c) 2016-2019 TurnKey GNU/Linux https://www.turnkeylinux.org
  5 | #
  6 | # This file is part of InitHooks.
  7 | #
  8 | # InitHooks is free software; you can redistribute it and/or modify it
  9 | # under the terms of the GNU General Public License as published by the
 10 | # Free Software Foundation; either version 3 of the License, or (at your
 11 | # option) any later version.
 12 | #
 13 | """
 14 | Execute firstboot initialization hooks, skipping blacklist
 15 | 
 16 | firstboot.d hook execution environment:
 17 | 
 18 |     _TURNKEY_INIT=1
 19 | 
 20 | """
 21 | import os
 22 | import sys
 23 | 
 24 | from conffile import ConfFile
 25 | import subprocess
 26 | 
 27 | 
 28 | def fatal(e):
 29 |     print("error: " + str(e), file=sys.stderr)
 30 |     sys.exit(1)
 31 | 
 32 | 
 33 | def usage(e=None):
 34 |     if e:
 35 |         print("error: " + str(e), file=sys.stderr)
 36 | 
 37 |     print("Syntax: %s [-h|--help] [-c|--full-confconsole]\n" % (sys.argv[0]), file=sys.stderr)
 38 |     print(__doc__.strip(), file=sys.stderr)
 39 |     print("\nOptions:\n")
 40 |     print("  -h|--help             - print this help and exit")
 41 |     print("  -c|--full-confconsole - after initialization open full confconsole (default is basic).")
 42 |     print("                          If Confconsole not installed, will be ignored.")
 43 |     print("\nBlacklist:\n", file=sys.stderr)
 44 |     for script in BLACKLIST:
 45 |         print("    %s" % script, file=sys.stderr)
 46 |     sys.exit(1)
 47 | 
 48 | 
 49 | # deprecated: hooks can use _TURNKEY_INIT to detect if they're running under
 50 | # turnkey-init
 51 | BLACKLIST = ['15regen-sslcert',
 52 |              '92etckeeper', ]
 53 | 
 54 | 
 55 | class Config(ConfFile):
 56 |     CONF_FILE = "/etc/default/inithooks"
 57 | 
 58 | 
 59 | class InitHooks:
 60 |     def __init__(self):
 61 |         self.conf = Config()
 62 | 
 63 |     @staticmethod
 64 |     def _exec(cmd):
 65 |         subprocess.run(['env',
 66 |                         'PATH=/usr/local/sbin:/usr/local/bin:'
 67 |                         '/usr/sbin:/usr/bin:/sbin:/bin',
 68 |                         cmd])
 69 | 
 70 |     def execute(self, dname):
 71 |         os.environ['_TURNKEY_INIT'] = '1'
 72 |         dpath = os.path.join(self.conf.inithooks_path, dname)
 73 |         if not os.path.exists(dpath):
 74 |             return
 75 | 
 76 |         scripts = os.listdir(dpath)
 77 |         scripts.sort()
 78 |         for fname in scripts:
 79 |             fpath = os.path.join(dpath, fname)
 80 |             if os.access(fpath, os.X_OK) and fname not in BLACKLIST:
 81 |                 self._exec(fpath)
 82 | 
 83 | 
 84 | def main():
 85 |     if os.geteuid() != 0:
 86 |         fatal("turnkey-init must be run with root permissions")
 87 | 
 88 |     confconsole = '/usr/bin/confconsole'
 89 |     if os.path.exists(confconsole) and os.access(confconsole, os.X_OK):
 90 |         confconsole = [confconsole, '--usage']
 91 |     else:
 92 |         # /bin/true ignores args and always returns true
 93 |         confconsole = ['/bin/true', '--null']
 94 | 
 95 |     args = sys.argv[1:]
 96 |     if args:
 97 |         for arg in args:
 98 |             if arg in ('-h', '--help'):
 99 |                 usage()
100 |             if arg in ('-c', '--full-confconsole'):
101 |                 confconsole = confconsole[:-1]
102 | 
103 |     inithooks = InitHooks()
104 |     inithooks.execute('firstboot.d')
105 | 
106 |     subprocess.run(confconsole)
107 | 
108 | 
109 | if __name__ == "__main__":
110 |     main()
111 | 


--------------------------------------------------------------------------------
/turnkey-init-fence/htdocs/index.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <head>
 3 |   <title>Initialization required</title>
 4 |   <link href="/style.css" rel="stylesheet" type="text/css">
 5 | </head>
 6 | 
 7 | <body>
 8 |   <h1>Please initialize this system...</h1>
 9 | 
10 |   <p>Welcome to TurnKey! You need to initialize this system first before
11 |   you can use it. To do that you'll need to log into the root account via SSH.
12 |   The <i>turnkey-init</i> initialization program should start
13 |   automatically:</p>
14 | 
15 |   <img src="/turnkey-init-root.png" />
16 | 
17 |   <p>After initialization try reloading this page. This message should
18 |   disappear and you'll be able to access all services on this system
19 |   normally.</p>
20 | 
21 |   <h2>Can I log in without SSH?</h2>
22 | 
23 |   <p>No. Unfortunately not.</p>
24 | 
25 |   <h2>How do I log in via SSH?</h2>
26 | 
27 |   <p>If you are connecting from Linux or MacOS, please open your terminal app
28 |   and type the command:</p>
29 | 
30 |   <pre id="p1">ssh example</pre>
31 | 
32 |   <p>If you are connecting from Windows, you will need to install an SSH client, such as
33 |   <a href="https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse">OpenSSH</a>
34 |   or <a href="https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html">PuTTY</a>.
35 |   Then connect to: <strong id="p2">IP ADDRESS OR FQDN</strong></p>
36 | 
37 |   <p>Note: to log in via SSH, you will need to have set a root password, or configured
38 |   SSH keys.</p>
39 | 
40 |   <h2>For more information, visit our website!</h2>
41 | 
42 |   <p>For further information regarding this appliance, please consult the
43 |   <a href="https://www.turnkeylinux.org/$CODENAME">product page</a> on
44 |   the <a href="https://www.turnkeylinux.org">TurnKey GNU/Linux</a> website.<br>
45 |   For support, questions and/or feedback, please open a new thread in the
46 |   <a href="https://www.turnkeylinux.org/forum">TurnKey Linux forums</a> (requires
47 |   free website user account).</p>
48 | 
49 | </body>
50 | </html>
51 | 
52 | <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
53 | <script>
54 |     document.getElementById("p1").innerHTML = "ssh root@" + document.domain;
55 |     document.getElementById("p2").innerHTML = document.domain;
56 | </script>
57 | 


--------------------------------------------------------------------------------
/turnkey-init-fence/htdocs/style.css:
--------------------------------------------------------------------------------
 1 | body {
 2 |   font-family: "proxima-nova","Helvetica Neue",Helvetica,Arial,sans-serif;
 3 |   -webkit-font-smoothing: antialiased;
 4 |   width: 980px;
 5 |   margin: 20px auto;
 6 |   line-height: 30px;
 7 | }
 8 | h1 {
 9 |   color: #222;
10 |   font-size: 38px;
11 |   font-weight: 400;
12 |   text-shadow: 1px 1px 0 #eee;
13 |   text-align: center;
14 |   margin-top: 50px;
15 | }
16 | h2 {
17 |   color: #333;
18 |   font-size: 30px;
19 |   font-weight: 400;
20 | }
21 | img {
22 |   width: 980px;
23 |   text-align: center;
24 | }
25 | 


--------------------------------------------------------------------------------
/turnkey-init-fence/htdocs/turnkey-init-root.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/turnkeylinux/inithooks/3fc094a8db7a1e53eb9865d72ff52c473de924c6/turnkey-init-fence/htdocs/turnkey-init-root.png


--------------------------------------------------------------------------------
/turnkey-init-fence/turnkey-init-fence:
--------------------------------------------------------------------------------
  1 | #!/bin/bash -e
  2 | ### BEGIN INIT INFO
  3 | # Provides:          turnkey-init-fence
  4 | # Required-Start:    $remote_fs $syslog
  5 | # Required-Stop:     $remote_fs $syslog
  6 | # Default-Start:     2 3 4 5
  7 | # Default-Stop:      0 1 6
  8 | # Short-Description: Fences off appliance ports until after initialization
  9 | ### END INIT INFO
 10 | #
 11 | # Author: Liraz Siri <liraz@turnkeylinux.org>
 12 | #
 13 | # how it works: iptables redirects http/https TCP connections to simplehttpd.py
 14 | #
 15 | #    redirect $HTTP_PORTS-> $HTTP_FENCE_PORT
 16 | #    redirect $HTTPS_PORTS -> $HTTPS_FENCE_PORT
 17 | #
 18 | #    configuration @ /etc/default/turnkey-init-fence
 19 | #
 20 | #        HTTP_FENCE_PORT=60080
 21 | #        HTTPS_FENCE_PORT=60443
 22 | #        HTTP_PORT=80
 23 | #        HTTPS_PORTS=443
 24 | #
 25 | 
 26 | # PATH should only include /usr/* if it runs after the mountnfs.sh script
 27 | PATH=/sbin:/usr/sbin:/bin:/usr/bin
 28 | DESC="Description of the service"
 29 | NAME=turnkey-init-fence
 30 | DAEMON=/usr/lib/inithooks/bin/simplehttpd.py
 31 | PIDFILE=/var/run/$NAME/simplehttpd.pid
 32 | SCRIPTNAME=/etc/init.d/$NAME
 33 | 
 34 | # Exit if the package is not installed
 35 | [ -x "$DAEMON" ] || exit 0
 36 | 
 37 | # Create pidfile directory
 38 | mkdir -p $(dirname $PIDFILE)
 39 | 
 40 | # Read configuration variable file if it is present
 41 | [ -r /etc/default/$NAME ] && . /etc/default/$NAME
 42 | chown -R $RUNAS $(dirname $PIDFILE)
 43 | 
 44 | # Load the VERBOSE setting and other rcS variables
 45 | . /lib/init/vars.sh
 46 | 
 47 | # Define LSB log_* functions.
 48 | # Depend on lsb-base (>= 3.2-14) to ensure that this file is present
 49 | # and status_of_proc is working.
 50 | . /lib/lsb/init-functions
 51 | 
 52 | iptables_delete_redirect()
 53 | {
 54 |     dport=$1
 55 |     to_port=$2
 56 | 
 57 |     while true; do
 58 |         (2>&1 iptables -t nat -D PREROUTING -p tcp --dport $dport -j REDIRECT --to-port $to_port) > /dev/null || break
 59 |     done
 60 | }
 61 | 
 62 | iptables_add_redirect() 
 63 | {
 64 |     dport=$1
 65 |     to_port=$2
 66 | 
 67 |     iptables_delete_redirect $1 $2
 68 |     iptables -t nat -A PREROUTING -p tcp --dport $dport -j REDIRECT --to-port $to_port
 69 | }
 70 | 
 71 | iptables_unensure_accept()
 72 | {
 73 |     # remove ACCEPT line for fence ports (used in appliances that have a
 74 |     # `filter` policy of `DROP`)
 75 |     dport=$1
 76 |     while true; do
 77 |         (2>&1 iptables -t filter -D INPUT -p tcp -m tcp --dport $dport -j ACCEPT) > /dev/null || break
 78 |     done
 79 | }
 80 | 
 81 | iptables_ensure_accept()
 82 | {
 83 |     # add ACCEPT line for fence ports (used in appliances that have a
 84 |     # `filter` policy of `DROP`)
 85 |     dport=$1
 86 |     iptables_unensure_accept $1
 87 |     iptables -t filter -A INPUT -p tcp -m tcp --dport $dport -j ACCEPT
 88 | }
 89 | 
 90 | 
 91 | iptables_redirect()
 92 | {
 93 |     case "$1" in
 94 |       start)
 95 |           op=iptables_add_redirect
 96 |           mop=iptables_ensure_accept
 97 |         ;;
 98 |       stop)
 99 |           op=iptables_delete_redirect
100 |           mop=iptables_unensure_accept
101 |         ;;
102 |     esac
103 | 
104 |     for port in $HTTP_PORTS; do
105 |         $op $port $HTTP_FENCE_PORT
106 |     done
107 | 
108 |     for port in $HTTPS_PORTS; do
109 |         $op $port $HTTPS_FENCE_PORT
110 |     done
111 | 
112 |     $mop $HTTP_FENCE_PORT
113 |     $mop $HTTPS_FENCE_PORT
114 | }
115 | 
116 | #
117 | # Function that starts the daemon/service
118 | #
119 | do_start()
120 | {
121 | 	# Return
122 | 	#   0 if daemon has been started
123 | 	#   1 if daemon was already running
124 | 	#   2 if daemon could not be started
125 |     start-stop-daemon --start --quiet --pidfile $PIDFILE --name $(basename $DAEMON) --startas $DAEMON --test > /dev/null \
126 | 		|| return 1
127 | 	start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- --runas=$RUNAS \
128 |         --daemonize=$PIDFILE $WEBROOT $HTTP_FENCE_PORT $HTTPS_FENCE_PORT $HTTPS_FENCE_CERTFILE $HTTPS_FENCE_KEYFILE
129 | 
130 | 	# Add code here, if necessary, that waits for the process to be ready
131 | 	# to handle requests from services started subsequently which depend
132 | 	# on this one.  As a last resort, sleep for some time.
133 | 
134 |     iptables_redirect start
135 | }
136 | 
137 | #
138 | # Function that stops the daemon/service
139 | #
140 | do_stop()
141 | {
142 |     iptables_redirect stop
143 | 
144 | 	# Return
145 | 	#   0 if daemon has been stopped
146 | 	#   1 if daemon was already stopped
147 | 	#   2 if daemon could not be stopped
148 | 	#   other if a failure occurred
149 |     start-stop-daemon --stop --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $(basename $DAEMON)
150 | 	RETVAL="$?"
151 | 	[ "$RETVAL" = 2 ] && return 2
152 | 	# Wait for children to finish too if this is a daemon that forks
153 | 	# and if the daemon is only ever run from this initscript.
154 | 	# If the above conditions are not satisfied then add some other code
155 | 	# that waits for the process to drop all resources that could be
156 | 	# needed by services started subsequently.  A last resort is to
157 | 	# sleep for some time.
158 |     start-stop-daemon --stop --quiet --oknodo --retry=TERM/30/KILL/5 --user $RUNAS --name $(basename $DAEMON)
159 | 
160 | 	[ "$?" = 2 ] && return 2
161 | 	# Many daemons don't delete their pidfiles when they exit.
162 | 	rm -f $PIDFILE
163 | 
164 | 	return "$RETVAL"
165 | }
166 | 
167 | case "$1" in
168 |   start)
169 | 	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
170 | 	do_start
171 | 	case "$?" in
172 | 		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
173 | 		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
174 | 	esac
175 | 	;;
176 |   stop)
177 | 	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
178 | 	do_stop
179 | 	case "$?" in
180 | 		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
181 | 		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
182 | 	esac
183 | 	;;
184 |   status)
185 |        status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
186 |        ;;
187 |   restart)
188 | 	#
189 | 	# If the "reload" option is implemented then remove the
190 | 	# 'force-reload' alias
191 | 	#
192 | 	log_daemon_msg "Restarting $DESC" "$NAME"
193 | 	do_stop
194 | 	case "$?" in
195 | 	  0|1)
196 | 		do_start
197 | 		case "$?" in
198 | 			0) log_end_msg 0 ;;
199 | 			1) log_end_msg 1 ;; # Old process is still running
200 | 			*) log_end_msg 1 ;; # Failed to start
201 | 		esac
202 | 		;;
203 | 	  *)
204 | 	  	# Failed to stop
205 | 		log_end_msg 1
206 | 		;;
207 | 	esac
208 | 	;;
209 |   *)
210 | 	echo "Usage: $SCRIPTNAME {start|stop|status|restart}" >&2
211 | 	exit 3
212 | 	;;
213 | esac
214 | 
215 | :
216 | 
217 | 


--------------------------------------------------------------------------------
/turnkey-install-security-updates:
--------------------------------------------------------------------------------
1 | #!/bin/bash -x
2 | 
3 | SEC_UPDATES=FORCE /usr/lib/inithooks/firstboot.d/95secupdates
4 | 


--------------------------------------------------------------------------------
/turnkey-sudoadmin:
--------------------------------------------------------------------------------
  1 | #!/bin/bash -e
  2 | #
  3 | # Copyright (c) 2015 Alon Swartz <alon@turnkeylinux.org>
  4 | # 
  5 | # This file is part of InitHooks.
  6 | # 
  7 | # InitHooks is free software; you can redistribute it and/or modify it
  8 | # under the terms of the GNU General Public License as published by the
  9 | # Free Software Foundation; either version 3 of the License, or (at your
 10 | # option) any later version.
 11 | # 
 12 | SUDOADMIN_STATE=/etc/sudoadmin/state
 13 | 
 14 | fatal() { echo "FATAL [$(basename $0)]: $@" 1>&2; exit 1; }
 15 | warn() { echo "WARN [$(basename $0)]: $@"; }
 16 | info() { echo "INFO [$(basename $0)]: $@"; }
 17 | 
 18 | usage() {
 19 | cat<<EOF
 20 | Syntax: $(basename $0) on|off|status [--disable-setpass]
 21 | Configure system to use admin user with sudo, or root
 22 | 
 23 | On:
 24 |     - installs sudo package
 25 |     - creates admin user and sets random password
 26 |     - configures passwordless sudo for admin user
 27 |     - configures inithooks and init-fence for admin user
 28 |     - updates confconsole services for admin user
 29 |     - merges root .ssh/authorized_keys with admin
 30 |     - locks the root user
 31 |     - disables root ssh access
 32 |     - sets root ssh login banner
 33 |     - restarts ssh daemon, if it is running
 34 |     - sets admin password interactively (unless --disable-setpass)
 35 | 
 36 | Off:
 37 |     - configures inithooks and init-fence for root
 38 |     - updates confconsole services for root
 39 |     - merges admin .ssh/authorized_keys with root
 40 |     - enables root ssh access
 41 |     - locks admin user
 42 |     - unsets root ssh login banner
 43 |     - restarts ssh daemon, if it is running
 44 |     - sets root password interactively (unless --disable-setpass)
 45 | 
 46 | Status:
 47 |     - checks turnkey-sudoadmin status, returns one of the following:
 48 |         - unconfigured
 49 |         - on
 50 |         - off
 51 | 
 52 | EOF
 53 | exit 1
 54 | }
 55 | 
 56 | install_sudo() {
 57 |     info $FUNCNAME $@
 58 |     which sudo >/dev/null && return
 59 |     apt-get update
 60 |     DEBIAN_FRONTEND=noninteractive apt-get -y install sudo
 61 | }
 62 | 
 63 | create_user() {
 64 |     info $FUNCNAME $@
 65 |     username=$1
 66 |     grep -q ^${username}: /etc/passwd && return
 67 |     useradd --create-home --skel /etc/skel --shell /bin/bash ${username}
 68 |     echo ${username}:$(mcookie) | chpasswd
 69 | }
 70 | 
 71 | passwordless_sudo() {
 72 |     info $FUNCNAME $@
 73 |     username=$1
 74 |     cfg="/etc/sudoers.d/99_${username}"
 75 |     str="${username} ALL=(ALL) NOPASSWD:ALL"
 76 |     touch $cfg
 77 |     grep -q "^${str}$" $cfg && return
 78 |     echo "$str" >> $cfg
 79 |     chmod 0440 $cfg
 80 | }
 81 | 
 82 | inithooks_sudoadmin() {
 83 |     info $FUNCNAME $@
 84 |     val=$1
 85 |     key="SUDOADMIN"
 86 |     cfg="/etc/default/inithooks"
 87 |     [ -e $cfg ] || return 0
 88 |     grep -q ^${key}= $cfg || (echo "$key=$val" >> $cfg; return)
 89 |     sed -i "s/^${key}=.*/$key=$val/" $cfg
 90 | }
 91 | 
 92 | setup_initfence() {
 93 |     info $FUNCNAME $@
 94 |     username=$1
 95 |     root_profiled=/root/.profile.d/turnkey-init-fence
 96 |     user_profiled=/home/${username}/.profile.d/turnkey-init-fence
 97 |     if [ -e $root_profiled ]; then
 98 |         if [ $username != "root" ]; then
 99 |             mkdir -p $(dirname $user_profiled)
100 |             cp $root_profiled $user_profiled
101 |             sed -i "s|^|sudo |" $user_profiled
102 |             sed -i "s|/root|/home\/${username}|g" $user_profiled
103 |             chown -R $username:$username $(dirname $user_profiled)
104 |         fi
105 |     fi
106 |     return 0
107 | }
108 | 
109 | update_confconsole_services() {
110 |     info $FUNCNAME $@
111 |     new_uname=$1
112 |     old_uname=$2
113 |     cfg="/etc/confconsole/services.txt"
114 |     [ -e $cfg ] || return 0
115 |     sed -i "s|${old_uname}@|${new_uname}@|g" $cfg
116 | }
117 | 
118 | ssh_authorizedkeys_inithook() {
119 |     info $FUNCNAME $@
120 |     username=$1
121 |     sshkeys_inithook=/usr/lib/inithooks/firstboot.d/40ec2-sshkeys
122 |     [ -e $sshkeys_inithook ] || return 0
123 |     sed -i "s|^USERNAME.*|USERNAME = \'${username}\'|" $sshkeys_inithook
124 | }
125 | 
126 | ssh_authorizedkeys_merge() {
127 |     info $FUNCNAME $@
128 |     user1=$1
129 |     user2=$2
130 | 
131 |     grep -q ^${user1}: /etc/passwd || return 0
132 |     grep -q ^${user2}: /etc/passwd || return 0
133 | 
134 |     auth1="$(eval printf ~$user1)/.ssh/authorized_keys"
135 |     mkdir -p $(dirname $auth1)
136 |     chmod 0700 $(dirname $auth1)
137 |     touch $auth1
138 | 
139 |     auth2="$(eval printf ~$user2)/.ssh/authorized_keys"
140 |     mkdir -p $(dirname $auth2)
141 |     chmod 0700 $(dirname $auth2)
142 |     touch $auth2
143 | 
144 |     cat $auth1 $auth2 | sort | uniq > $auth1.new
145 |     echo $auth1 $auth2 | xargs -n 1 cp $auth1.new
146 |     rm $auth1.new
147 | 
148 |     chown -R $user1:$user1 $(dirname $auth1)
149 |     chown -R $user2:$user2 $(dirname $auth2)
150 | }
151 | 
152 | permitrootlogin_ssh() {
153 |     info $FUNCNAME $@
154 |     val=$1
155 |     key="PermitRootLogin"
156 |     cfg="/etc/ssh/sshd_config"
157 |     grep -q ^${key} $cfg || (echo "$key $val" >> $cfg; return)
158 |     sed -i "s/^${key} .*/$key $val/" $cfg
159 | }
160 | 
161 | set_sshrootbanner() {
162 |     info $FUNCNAME $@
163 |     content=$1
164 |     banner_path="/root/.ssh/banner"
165 |     mkdir -p $(dirname $banner_path)
166 |     echo $content > $banner_path
167 | }
168 | 
169 | user_state() {
170 |     info $FUNCNAME $@
171 |     username=$1
172 |     action=$2
173 |     grep -q ^${username}: /etc/passwd || return 0
174 |     passwd --${action} $username
175 |     if [ $username != "root" ]; then
176 |         [ $action == "lock" ] && usermod --expiredate "1" $username
177 |         [ $action == "unlock" ] && usermod --expiredate "" $username
178 |     fi
179 |     return 0
180 | }
181 | 
182 | restart_sshd() {
183 |     info $FUNCNAME $@
184 |     if [ -e /var/run/sshd.pid ]; then
185 |         /etc/init.d/ssh restart
186 |     fi
187 | }
188 | 
189 | setpass() {
190 |     info $FUNCNAME $@
191 |     username=$1
192 |     script=/usr/lib/inithooks/bin/setpass.py
193 |     if [ -x $script ]; then
194 |         $script $username
195 |     else
196 |         echo "Set password for $username"
197 |         passwd $username
198 |     fi
199 | }
200 | 
201 | set_status() {
202 |     if [ ! -d $(dirname $SUDOADMIN_STATE) ]; then
203 |         mkdir $(dirname $SUDOADMIN_STATE)
204 |     fi
205 |     cat > $SUDOADMIN_STATE <<EOF
206 | # This is an automatically generated file, do not edit manually
207 | state=$1
208 | EOF
209 | }
210 | check_status() {
211 |     if [ ! -f $SUDOADMIN_STATE ]; then
212 |         echo 'unconfigured'
213 |     else
214 |         sed -rn 's/state=(.*)/\1/p' "$SUDOADMIN_STATE"
215 |     fi
216 | }
217 | 
218 | case $1 in
219 |     on)
220 |         [ "$(id -u)" != "0" ] && fatal "must be run with root permissions"
221 |         install_sudo;
222 |         create_user "admin";
223 |         passwordless_sudo "admin";
224 |         inithooks_sudoadmin "true";
225 |         setup_initfence "admin";
226 |         update_confconsole_services "admin" "root";
227 |         ssh_authorizedkeys_inithook "admin";
228 |         ssh_authorizedkeys_merge "admin" "root";
229 |         user_state "admin" "unlock";
230 |         user_state "root" "lock";
231 |         permitrootlogin_ssh "no";
232 |         set_sshrootbanner 'Please login as user "admin" rather than user "root".';
233 |         restart_sshd;
234 |         set_status "on"
235 |         [ "$2" == "--disable-setpass" ] || setpass "admin";
236 |         ;;
237 | 
238 |     off)
239 |         [ "$(id -u)" != "0" ] && fatal "must be run with root permissions"
240 |         inithooks_sudoadmin "false";
241 |         setup_initfence "root";
242 |         update_confconsole_services "root" "admin";
243 |         ssh_authorizedkeys_inithook "root";
244 |         ssh_authorizedkeys_merge "root" "admin";
245 |         permitrootlogin_ssh "yes";
246 |         user_state "root" "unlock";
247 |         user_state "admin" "lock";
248 |         set_sshrootbanner "";
249 |         restart_sshd;
250 |         set_status "off"
251 |         [ "$2" == "--disable-setpass" ] || setpass "root";
252 |         ;;
253 | 
254 |     status)
255 |         check_status;
256 |         ;;
257 | 
258 |     *)  
259 |         usage;;
260 | esac
261 | 
262 | 


--------------------------------------------------------------------------------