build.sh
#!/usr/bin/env bash
# Strict mode: abort on an unhandled command failure, on use of an unset
# variable, and when any stage of a pipeline fails. The download and
# signature checks further down rely on this to stop the build.
set -o errexit -o nounset -o pipefail
#######################################
# Print the command-line synopsis and the option list.
# Arguments: none
# Outputs:   help text on stdout
# Note:      a password given with -p is part of this script's argument
#            list, so other local users can read it from the process table
#            while the script runs.
#######################################
usage() {
  printf '%s\n' \
    "Usage: $0 [-u username] [-p password] [-n hostname] [-d domain] [-a package] [-i iso_url] [-s sign_key] [-o path] [-x] [-z] [-v] [-h]" \
    "Options:" \
    " -u <username> Admin username" \
    " -p <password> Admin password" \
    " -n <hostname> Machine hostname" \
    " -d <domain> Machine domain" \
    " -a <package> Additional apt package" \
    " -i <iso_url> ISO download URL" \
    " -s <sign_key> ISO pgp sign key" \
    " -o <out_file> ISO output file" \
    " -x Power off after install" \
    " -z Sudo without password" \
    " -v Enable verbose mode" \
    " -h Display this help message"
}
# --- defaults ---------------------------------------------------------------
# Account created by the installer. The password is random unless -p is given.
username="janitor"
password="$(pwgen -ns 16 1)"
# "true" once the operator supplies the password; it is then masked on output.
password_mask="false"

# Machine identity written into the installer templates.
hostname="undefined"
domain="home.arpa"

# Installer image and the key expected to have signed its SHA256SUMS.
# The default is a 64-bit key ID; pinning a full fingerprint with -s is the
# more robust choice.
iso_url="https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.6.0-amd64-netinst.iso"
sign_key="DA87E80D6294BE9B"
out_file="debian-12.6.0-amd64-auto.iso"

# Optional behaviour: extra packages and the two boolean switches
# (empty means "off").
apt_pkgs=()
poweroff=""
sudonopw=""

# --- command line -----------------------------------------------------------
while getopts 'u:p:n:d:a:i:s:o:xzvh' opt; do
  case "${opt}" in
    u)
      username="${OPTARG}"
      ;;
    p)
      # Supplied on argv, so it is visible in the process list of this script.
      password="${OPTARG}"
      password_mask="true"
      ;;
    n)
      hostname="${OPTARG}"
      ;;
    d)
      domain="${OPTARG}"
      ;;
    a)
      apt_pkgs+=("${OPTARG}")
      ;;
    i)
      iso_url="${OPTARG}"
      ;;
    s)
      sign_key="${OPTARG}"
      ;;
    o)
      out_file="${OPTARG}"
      ;;
    x)
      poweroff="true"
      ;;
    z)
      sudonopw="true"
      ;;
    v)
      # Tracing prints every expanded command, including the ones that carry
      # the password and its hash; keep such logs private.
      set -x
      ;;
    h)
      usage
      exit 0
      ;;
    *)
      usage
      exit 1
      ;;
  esac
done
shift "$((OPTIND - 1))"
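# go to project root
cd "$(realpath "$(dirname "$(readlink -f "$0")")")"

# download
# The ISO is cached by name; the checksum below is verified on every run,
# whether the file was just downloaded or was already present.
iso_file=$(basename "${iso_url}")
iso_base_url=$(dirname "${iso_url}")
if [[ ! -f ${iso_file} ]]; then
  echo >&2 "Downloading iso image: ${iso_file}"
  # --fail: an HTTP error must stop the build instead of leaving an error
  # page cached under the ISO's name.
  curl --fail --progress-bar -Lo "${iso_file}" "${iso_url}"
fi
curl --fail -sSLO "${iso_base_url}/SHA256SUMS"
curl --fail -sSLO "${iso_base_url}/SHA256SUMS.sign"

# verify
gpg --keyserver keyring.debian.org --recv "${sign_key}"
# `gpg --verify` succeeds for a good signature made by ANY key in the
# operator's keyring. Capture the machine-readable status and require that
# the signature was made by the key pinned with -s (matched as a suffix of
# the signing key's or the primary key's fingerprint). A bad or missing
# signature still makes gpg exit non-zero, which aborts under errexit.
sig_status="$(gpg --status-fd 1 --verify SHA256SUMS.sign SHA256SUMS)"
pinned_key="$(printf '%s' "${sign_key}" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')"
pinned_key="${pinned_key#0X}"
if [[ -z ${pinned_key} ]] || ! awk -v key="${pinned_key}" '
  $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
    n = length(key)
    if (substr($3, length($3) - n + 1) == key ||
        substr($NF, length($NF) - n + 1) == key) {
      found = 1
    }
  }
  END { exit found ? 0 : 1 }
' <<<"${sig_status}"; then
  echo >&2 "Error: SHA256SUMS is not signed by the expected key: ${sign_key}"
  exit 1
fi

# Select the checksum line by exact file name rather than by regex, so a
# name that merely contains ${iso_file} cannot be picked up. An empty
# selection makes sha256sum fail, which is reported as a mismatch.
checksum_line="$(awk -v name="${iso_file}" '$2 == name || $2 == ("*" name)' SHA256SUMS)"
if ! sha256sum -c <<<"${checksum_line}"; then
  echo >&2 "Error: Checksum not matching for: ${iso_file}"
  exit 1
fi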
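workdir="$(mktemp --directory)"
# The work directory receives the installer templates with the password hash
# filled in. Remove it on every exit path, including an errexit abort.
trap 'rm -rf -- "${workdir:?}"' EXIT

# unpack iso
xorriso \
  -osirrox on \
  -dev "${iso_file}" \
  -extract "/isolinux/isolinux.cfg" "${workdir}/isolinux.cfg" \
  -extract "/isolinux/adtxt.cfg" "${workdir}/adtxt.cfg"

# set default boot entry and parameters
# Boot straight into the automated entry and point the installer at the
# preseed file that is added to the image root.
sed -i "s#default vesamenu.c32#default auto#" "${workdir}/isolinux.cfg"
sed -i "s#auto=true#auto=true file=/cdrom/preseed.cfg#" "${workdir}/adtxt.cfg"

# copy files to include
cp -a configs/* "${workdir}"
cp -a installer/* "${workdir}"

# generate password hash
# NOTE(review): the clear-text password is an argument of mkpasswd and is
# visible in the process list while it runs. mkpasswd can read the password
# from stdin (--stdin); confirm it handles long or multi-line passwords the
# same way before switching.
salt="$(pwgen -ns 16 1)"
passhash="$(mkpasswd -m sha-512 -S "${salt}" "${password}")"

# An operator-supplied password is never echoed back: from here on the
# variable only holds a same-length mask. printf is used because echo would
# treat a password such as "-n" as an option.
if [[ "${password_mask}" == "true" ]]; then
  password="$(printf '%s\n' "${password}" | tr '[:print:]' 'x')"
fi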
# replace tokens
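#######################################
# Replace a token in every regular file below the work directory.
# Only the first occurrence on each line is replaced.
# Globals:   workdir (read)
# Arguments: $1 - token to look for (used as a sed regular expression)
#            $2 - replacement text, inserted literally
# Note:      this protects the sed expression only. Values still end up
#            verbatim in the installer files, so they are not safe for every
#            context those files are later interpreted in.
#######################################
replace_token() {
  local token=$1
  local value
  # Backslash, "&" and the "#" delimiter are special in a sed replacement;
  # unescaped they either break the expression or change the inserted text.
  value="$(printf '%s' "$2" | sed -e 's/[\\&#]/\\&/g')"
  find "${workdir}" -type f -exec sed -i "s#${token}#${value}#" {} \;
}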
# Fill the per-machine values into the copied templates.
# NOTE(review): username, hostname, domain and package names come straight
# from the command line and are not validated here; if a template is later
# run as a script, check how these values are quoted inside it.
replace_token "@USERNAME@" "${username}"
replace_token "@PASSHASH@" "${passhash}"
replace_token "@HOSTNAME@" "${hostname}"
replace_token "@DOMAIN@" "${domain}"
# All -a packages are joined into one space-separated string.
replace_token "@PACKAGES@" "${apt_pkgs[*]}"

# add poweroff option
case "${poweroff}" in
  true) replace_token "@POWEROFF@" "true" ;;
  *) replace_token "@POWEROFF@" "false" ;;
esac

# add sudo no-password option
# "true" gives the admin account sudo without a password on the installed
# system; the default is "false".
case "${sudonopw}" in
  true) replace_token "@SUDONOPW@" "true" ;;
  *) replace_token "@SUDONOPW@" "false" ;;
esac
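# clear existing output iso file
if [[ -f "${out_file}" ]]; then
  rm -f -- "${out_file}"
fi

# with no authorized keys, create dummy file
# The image maps ${workdir}/authorized_keys, and the configs/ directory was
# copied into the work directory earlier. A placeholder created in configs/
# at this point would never reach the image, so create it where xorriso
# reads it.
if [[ ! -f "${workdir}/authorized_keys" ]]; then
  : >"${workdir}/authorized_keys"
fi

# repack iso
# Also drop the default-named output derived from the ISO name.
rm -f -- "${iso_file//.iso/-auto.iso}"
xorriso -indev "${iso_file}" \
  -map "${workdir}/adtxt.cfg" "/isolinux/adtxt.cfg" \
  -map "${workdir}/isolinux.cfg" "/isolinux/isolinux.cfg" \
  -map "${workdir}/splash.png" "/isolinux/splash.png" \
  -map "${workdir}/late.sh" "/late.sh" \
  -map "${workdir}/preseed.cfg" "/preseed.cfg" \
  -map "${workdir}/authorized_keys" "/configs/authorized_keys" \
  -map "${workdir}/bashrc.bash" "/configs/bashrc.bash" \
  -map "${workdir}/issue" "/configs/issue" \
  -map "${workdir}/motd" "/configs/motd" \
  -map "${workdir}/sshd_config" "/configs/sshd_config" \
  -boot_image isolinux dir=/isolinux \
  -outdev "${out_file}"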
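# Report the credentials. An operator-supplied password has already been
# replaced by a mask; a generated one is shown in clear text, so treat the
# terminal output and any build log as sensitive.
echo "user: ${username}"
echo "pass: ${password}"

# A generated password is also stored next to the image. The file holds the
# clear-text password, so create it readable by the owner only; removing a
# leftover first ensures the new mode applies and that an existing symlink
# is not written through.
if [[ "${password_mask}" == "false" ]]; then
  (
    umask 077
    rm -f -- "${out_file}.auth"
    printf 'user: %s\npass: %s\n' "${username}" "${password}" >"${out_file}.auth"
  )
fi

# The work directory contains the templates with the password hash.
rm -rf -- "${workdir:?}"

# Record the checksum of the finished image.
sha256sum "${out_file}" >"${out_file}.sum"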