Updating ShadowArch installer to default to UEFI for modern firmware & LVM by default

.gitignore

@@ -4,3 +4,4 @@ __pycache__
 *.pyc
 *.tar.xz
 *.tar.zst
+wiki/**

EtcFiles/shadowarch

@@ -2,156 +2,115 @@
 
 function header () {
     tput setaf 1
-    tput bold echo $@
+    tput bold
+    echo $@
     tput sgr0
     return
 }
 function help() {
-    echo Usage: ${0} '[OPTIONS]'
-    echo '\-A      -- Audio optimizations from the Arch Wiki'
-    echo '\-d DISK -- Use the disk.'
-    echo '\-e      -- Encrypt the root partition'
-    echo '\-g      -- GUI packages and setup'
-    echo '\-h      -- This helptext'
-    echo '\-k      -- Kali Linux-like package additions'
-    echo '\-l FILE -- Log to a file'
-    echo '\-p      -- Productivity package additions'
-    echo '\-P      -- Power saving for laptops'
-    echo '\-s      -- Create a layout for an AniNIX/Spartacus'
-    echo '\-m      -- Skip disk operations and assume storage is mounted on /mnt'
-    echo '\-v      -- Verbose output.'
-    echo '\-z      -- Try to add all the packages on AniNIX/Core'
+    cat <<EOM
+Usage: ${0} [OPTIONS]
+-A      -- Audio optimizations from the Arch Wiki
+-d DISK -- Use the disk.
+-D diskspacer -- the disk spacer character, usually p for nvme
+-e      -- Encrypt the root partition
+-h      -- This helptext
+-l FILE -- Log to a file
+-m      -- Skip disk operations and assume storage is mounted on /mnt. Use this to lay out LVM RAID.
+-M      -- Tell pacman to use your local AniNIX/Maat caching
+-P      -- Power saving for laptops
+-s      -- Increase the boot size to be able to accept ISOs
+-v      -- Verbose output.
+
+Example default build for nvme local node:
+$0 -M -d /dev/nvme0n1 -D p [ -e ]
+EOM
     exit 1;
 }
 
-# Partition controls
-efipart=2;
-bootpart=3;
-rootpart=4;
-partpoint=1;
-partedcmd='mklabel gpt\nmkpart primary ext2 0 1MiB\nset 1 bios_grub on\n';
-function addNextPartition() {
-    partsize="$1"
-    parttype="$2"
-    partfs="$3"
-    nextpartpoint=$(( $partpoint + $partsize ))
-    partedcmd="${partedcmd}mkpart $parttype $partfs ${partpoint}MiB ${nextpartpoint}MiB"'\n'
-    partpoint=$nextpartpoint
-}
-
 disk="/dev/sda"
+unset diskspacer
 bootsize=500; # Size in MB for /boot
-# TODO Add LVM as an argument
-while getopts "d:egkl:pmsvz" OPTION
+while getopts "Ad:D:el:pmMsv" OPTION
 do
     case $OPTION in
         A) audio=1 ;;
         d) disk=${OPTARG} ;;
+        D) diskspacer=${OPTARG} ;;
         e) encrypt=1 ;;
-        g) gui=1 ;;
-        k) kali=1 ;;
         l) exec script -e -f -c "/bin/bash $0 $(echo $@ | sed "s#-l ${OPTARG}##")" "${OPTARG}" ;;
-        p) productivity=1; gui=1 ;;
-        P) powersave=1 ;;
         m) nodiskbuild=1 ;;
-        s) spartacus=1 ;;
+        P) powersave=1 ;;
+        M) echo "Server = http://Maat.MSN0.AniNIX.net:9129/repo/archlinux/\$repo/os/\$arch" > /etc/pacman.d/mirrorlist ;;
+        s) bootsize=10000 ;;
         v) set -x ;;
-        z) kitchensink=1 ;;
         *) help
     esac
 done
 
 header Confirm options:
-echo Spartacus set to: $spartacus
-echo Encryption set to: $encrypt
-echo GUI: $gui
-echo Productivity: $productivity
-echo Kali tools: $kali
-echo All Core packages: $kitchensink
-echo Disk to use: $disk \(Skip disk building? $nodiskbuild \)
-printf "Is this OK? Type YES to continue: "
-read answer
+cat <<EOM
+Boot size as ${bootsize}
+Encryption set to: $encrypt
+Disk to use: $disk \(Skip disk building? $nodiskbuild \)
+EOM
+read -p "Is this OK? Type YES to continue: " answer
 if [ "$answer" != "YES" ]; then
     echo User did not confirm.
     exit 1;
 fi
-echo >> /etc/pacman.conf <EOM
-[AniNIX]
-SigLevel = Optional TrustAll
-Server = https://aninix.net/maat/
-EOM
+
+umount /mnt/boot; umount /mnt
 
 pacman -Syy
 if [ -z "$nodiskbuild" ]; then
     header Allocating space
     dd if=/dev/zero of="$disk" bs=1M count=1000
 
-    if [ ! -z "$spartacus" ]; then
-        # Insert an ExFAT data partition ahead of the rest.
-        export datapart=$efipart;
-        export efipart=$((efipart+1))
-        export bootpart=$((bootpart+1))
-        export rootpart=$(($rootpart+1))
-        # Break the disk up into 4ths -- 2/4 go to data, 1/4 go to boot, and 1/4 to root
-        export disksize=$(($(fdisk -l $disk | head -n 1 | cut -f 5 -d ' ') / 1048576)) # Return disk size in MB
-        if [ "$disksize" == "" ]; then echo "Can't identify disk size"; exit 1; fi
-        if [ "$disksize" -lt 7788 ]; then echo "This drive is too small to be a Spartacus."; exit 1; fi # Must be 8GB or more to have 2GB root.
-        export bootsize=$(($disksize / 4))
-        export datasize=$(($disksize / 2))
-        addNextPartition $datasize primary ext4
-    fi
-    # 550MiB for EFI with boot toggle
-    addNextPartition 550 primary fat32
-    partedcmd="${partedcmd}toggle $efipart boot"'\n'
+    parted -s "$disk" mklabel gpt
+    parted -s "$disk" mkpart 1 fat32 1MiB ${bootsize}MiB
+    parted -s "$disk" toggle 1 boot
+    parted -s "$disk" mkpart 2 ext4 ${bootsize}MiB 100%FREE
 
-    # /boot
-    addNextPartition $bootsize primary fat32
-
-    # / (root)
-    partedcmd="${partedcmd}mkpart primary ext4 ${partpoint}MiB 100%%FREE"'\nquit\n\n'
-    printf "$partedcmd" | parted "$disk"
-    if [ ! -z "$spartacus" ]; then
-        #create data partition
-        pacman -S exfat-utils --noconfirm
-        mkfs.exfat "$disk""$datapart"
-        exfatlabel "$disk""$datapart" "AS-XPLATFRM"
-    fi
-
-    header Making fat esp partition on "$disk""$efipart"
-    mkfs.fat -F32 "$disk""$efipart"
-
-    header Making boot partition on "$disk""$bootpart"
-    mkfs.vfat "$disk""$bootpart"
+    header Making fat esp partition on "$disk""$diskspacer""1"
+    mkfs.fat -F32 "$disk""$diskspacer""1"
 
     header Making root and mountpoints
-    if [ ! -z "$encrypt" ]; then 
-        header Making encrypted root on "$disk""$rootpart"
+
+    header Making rootvg on "$disk""$diskspacer""2"
+    pvcreate "$disk""$diskspacer""2"
+    vgcreate rootvg "$disk""$diskspacer""2"
+    lvcreate -n rootlv -L5G rootvg
+    if [ ! -z "$encrypt" ]; then
+        header Making encrypted root on /dev/rootvg/rootlv
         modprobe dm-crypt
         modprobe serpent_generic
         header Formatting root -- make sure to enter YES followed by a strong passphrase.
-        cryptsetup luksFormat -c serpent-xts-plain64 -h sha512 --key-size 512 "$disk""$rootpart"
+        cryptsetup luksFormat -c serpent-xts-plain64 -h sha512 --key-size 512 /dev/rootvg/rootlv
         header Unlocking root
-        cryptsetup luksOpen "$disk""$rootpart" cryptroot
-        mkfs.xfs -f /dev/mapper/cryptroot
-        xfs_admin -L ROOT /dev/mapper/cryptroot
+        cryptsetup luksOpen /dev/rootvg/rootlv cryptroot
+        mkfs.ext4 /dev/mapper/cryptroot
+	#mkfs.xfs -f /dev/mapper/cryptroot
+        #xfs_admin -L ROOT /dev/mapper/cryptroot
         mount /dev/mapper/cryptroot /mnt
         if [ $? -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi
-    else 
-        header Making root on "$disk""$rootpart"
-        mkfs.xfs -f "$disk""$rootpart"
-        xfs_admin -L ROOT "$disk""$rootpart"
-        mount "$disk""$rootpart" /mnt
+    else
+        header Making root on /dev/rootvg/rootlv
+        mkfs.ext4 /dev/rootvg/rootlv
+	#mkfs.xfs -f /dev/mapper/cryptroot
+        #xfs_admin -L ROOT "$disk""$diskspacer""2"
+        mount /dev/rootvg/rootlv /mnt
         if [ $? -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi
     fi
 
     mkdir /mnt/boot
-    mount "$disk""$bootpart" /mnt/boot
-    if [ "$?" -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi
-    mkdir /mnt/boot/efi
-    mount "$disk""$efipart" /mnt/boot/efi
+    mount "$disk""$diskspacer""1" /mnt/boot
     if [ "$?" -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi
 fi
 
+# Backup the installer
+mkdir -p /mnt/root
+cp /root/shadowarch /mnt/root/shadowarch.installer."$(date +%F-%R)"
 
 # Install ArchLinux with basic clients for the AniNIX Services.
 # * git for Foundation
@@ -159,31 +118,8 @@ fi
 # * openssh for SSH/SFTP
 # * weechat for IRC
 # * make for source packages
-# * tor for anonymity
 header Installing ArchLinux to device\(s\) on /mnt
-export pkglist="base base-devel parted net-tools bind-tools git openssh make elinks weechat vim wget tor torsocks grub os-prober rsync openntpd tmux efibootmgr shadowarch"
-if [ ! -z "$gui" ]; then 
-    export pkglist="$pkglist"" xorg-server xfce4 hunspell hunspell-en_US thunar-archive-plugin thunar-media-tags-plugin thunar-volman chromium conky tigervnc xscreensaver"
-fi
-if [ ! -z "$spartacus" ]; then
-    export pkglist="$pkglist"" exfat-utils"
-fi
-if [ ! -z "$productivity" ]; then
-    export pkglist="$pkglist"" libreoffice-still gimp feh vlc evince openshot"
-fi
-if [ ! -z "$kali" ]; then
-    export pkglist="$pkglist"" extundelete testdisk nmap tcpdump hexedit dcfldd"
-    if [ ! -z "$gui" ]; then
-        export pkglist="$pkglist"" wireshark-gtk"
-    else 
-        export pkglist="$pkglist"" wireshark-cli"
-    fi
-fi
-if [ ! -z "$kitchensink" ]; then
-    export pkglist="base base-devel $(wget -q -O - 'https://aninix.net/installed-packages.txt' | cut -f 1 -d ' ' | tr '\n' ' ')"
-fi
-
-yes "" | pacstrap -i /mnt $pkglist 
+yes "" | pacstrap -K -i /mnt base base-devel linux linux-firmware parted net-tools bind-tools git openssh rsync make elinks weechat vim wget grub os-prober tmux efibootmgr xfsprogs chrony less lvm2 dmraid netctl dhcpcd openresolv python3 vim
 if [ $? -ne 0 ]; then header ERROR: Cannot continue -- pacstrap failed; exit 1; fi
 
 header Create FSTAB
@@ -197,62 +133,40 @@ arch-chroot /mnt hwclock --systohc --utc
 
 header Setup bootloader
 if [ -z "$nodiskbuild" ]; then
-    export rootuuid="$(blkid "$disk""$rootpart" | cut -f 2 -d '"')"
+    export rootuuid="$(blkid "$disk""$diskspacer""2" | cut -f 2 -d '"')"
+    export hookstring="$(grep 'HOOKS=' /mnt/etc/mkinitcpio.conf | grep -v '#')"
     if [ ! -z "$encrypt" ]; then
-        export hookstring="$(grep 'HOOKS=' /mnt/etc/mkinitcpio.conf | grep -v '#')"
-        sed -i 's#'"$hookstring"'#HOOKS="base udev autodetect modconf block encrypt filesystems keyboard fsck"#' /mnt/etc/mkinitcpio.conf
+        sed -i 's#'"$hookstring"'#HOOKS="base udev autodetect modconf block lvm2 dmraid encrypt filesystems keyboard fsck"#' /mnt/etc/mkinitcpio.conf
         sed -i 's#GRUB_CMDLINE_LINUX=""#GRUB_CMDLINE_LINUX="cryptdevice=UUID='$rootuuid':cryptroot"#' /mnt/etc/default/grub
-        sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="/GRUB_CMDLINE_LINUX_DEFAULT="panic=5 /' /etc/default/grub # Fix for CVE-2016-4484
+    else
+        sed -i 's#'"$hookstring"'#HOOKS="base udev autodetect modconf block lvm2 dmraid filesystems keyboard fsck"#' /mnt/etc/mkinitcpio.conf
     fi
-fi
-
-arch-chroot /mnt mkinitcpio -p linux
-if [ $? -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi
-if [ -z "$nodiskbuild" ]; then
+    sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="/GRUB_CMDLINE_LINUX_DEFAULT="panic=5 /' /etc/default/grub # Fix for CVE-2016-4484
     arch-chroot /mnt grub-install --target=x86_64-efi --removable --bootloader-id=grub --efi-directory /boot "$disk"
     if [ $? -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi
-    arch-chroot /mnt grub-install --target=i386-pc "$disk"
-    if [ $? -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi
 fi
+
+# Remake initramfs for new changes.
+arch-chroot /mnt mkinitcpio -P
 arch-chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg
 if [ $? -ne 0 ]; then header ERROR: Cannot continue; exit 1; fi
 
 header Set networking
-arch-chroot /mnt systemctl enable openntpd
-arch-chroot /mnt systemctl enable netctl
-export interface=$(ip link list | grep "state" | cut -f 2 -d ":" | cut -f 2 -d " " | grep -v lo)
+arch-chroot /mnt systemctl enable chronyd
+
+# This part may fail if there are multiple NICs. Given our hardware posture, this is rare.
+export interface=$(ip link list | grep "state" | cut -f 2 -d ":" | cut -f 2 -d " " | grep -vE lo\|wlan)
 cp /mnt/etc/netctl/examples/ethernet-dhcp /mnt/etc/netctl/$interface
 sed -i 's/eth0/'$interface'/' /mnt/etc/netctl/$interface
 echo 'DNSSearch="aninix.net"' >> /mnt/etc/netctl/$interface
 arch-chroot /mnt systemctl enable netctl
 arch-chroot /mnt netctl enable $interface
 
-ln -sf /etc/skel/.bashrc /mnt/root/.bashrc
-
-# Clone ConfigPackags from AniNIX::Foundation
-arch-chroot /mnt git -C /usr/local/src/ clone https://aninix.net/foundation/ConfigPackages
-arch-chroot /mnt git -C /usr/local/src/ clone https://aninix.net/foundation/MiscScripts
-
-arch-chroot /mnt make -C /usr/local/src/MiscScripts/Shared install
-arch-chroot /mnt make -C /usr/local/src/MiscScripts/Admin install
-arch-chroot /mnt make -C /usr/local/src/MiscScripts/ShadowArch install
-arch-chroot /mnt git -C /usr/local/src/ clone https://aur.archlinux.org/cower.git
-arch-chroot /mnt groupadd tty-allow
-arch-chroot /mnt useradd -u 1001 -G tty-allow -m depriv
-arch-chroot /mnt usermod -G "$(getent group | grep root | cut -f 1 -d ':' | tr '\n' ',')""tty-allow" root
-arch-chroot /mnt /bin/bash -c 'line="$(grep -E root"[[:space:]]"ALL /etc/sudoers)"; sed -i "s/$line/$line\ndepriv ALL=(ALL) ALL/" /etc/sudoers'
-
-# Handle AUR Packages
-
-if [ ! -z "$kali" ]; then
-    arch-chroot /mnt git -C /usr/local/src/ clone https://aur.archlinux.org/autopsy.git
-fi
-
 # Optimizations from https://wiki.archlinux.org/index.php/Power_management
 if [ ! -z "$powersave" ]; then
     if [ `lspci | grep -i intel | grep -ic audio` -eq 1 ]; then
         echo 'options snd_hda_intel power_save=1' > /mnt/etc/modprobe.d/audio_powersave.conf
-    else 
+    else
         echo 'options snd_ac97_codec power_save=1' > /mnt/etc/modprobe.d/audio_powersave.conf
     fi
     arch-chroot /mnt pacman -S rfkill cpupower --noconfirm
@@ -278,36 +192,24 @@ fi
 
 # Set password
 header Set new root passphrase and depriviledged user '(depriv)' password.
+arch-chroot /mnt useradd depriv
 arch-chroot /mnt passwd
 arch-chroot /mnt passwd depriv
-arch-chroot /mnt chown -R depriv:depriv /usr/local/src/
 
 # Set SSH host keys
 arch-chroot /mnt ssh-keygen -A
 
-cp /root/shadowarch /mnt/root/shadowarch.installer."$(date +%F-%R)"
-
-if [ ! -z "$gui" ]; then
-    echo "Remember to install your graphics drivers!
-    For NVidia, look at xf86-video-nouveau
-    For AMD, look at xf86-video-amdgpu
-    For Hyper-V, look at xf86-video-fbdev
-    For Virtual Box, look at virtualbox-guest-utils
-    For VMware, look at open-vm-tools"
-fi
-
 # Set hostname
 header Set hostname
 printf "What is your fully-qualified hostname? (i.e. host.site.example.com) "
 read hostname
 echo "$hostname" > /mnt/etc/hostname
-hostname "$hostname"
 
-header "Installed ShadowArch on $HOSTNAME!" 
+header "Installed ShadowArch on $HOSTNAME!"
 if [ ! -z "$nodiskbuild" ]; then
     header Remember to run grub-install and set up your bootloader.
     echo 'https://wiki.archlinux.org/index.php/Installation_guide#Boot_loader'
-else 
+else
     header Press enter to reboot.
     read
 

Makefile

@@ -3,11 +3,14 @@ LIST=AdminScripts UserScripts EtcFiles
 compile: ${LIST}
 	for i in ${LIST}; do make -C ./$$i; done
 
-install: compile 
+install: compile
 	for i in ${LIST}; do make -C ./$$i install; done
 
-reverse: 
-	@echo Please do this for each individual folder in ${LIST}
+clean:
+	rm -Rf `cat .gitignore`
+
+uninstall:
+	@echo Please do this for each folder.
 
 test: ${LIST}
 	@echo Please do this for each individual folder in ${LIST}
@@ -15,13 +18,13 @@ test: ${LIST}
 checkperm:
 	@echo Please do this for each individual folder in ${LIST}
 
-clean:
-	rm -Rf `cat .gitignore`
-
 diff:
 	@echo Please do this for each individual folder in ${LIST}
 
-localinstall: 
+reverse:
+	@echo Please do this for each individual folder in ${LIST}
+
+localinstall:
 	mkdir -p ~/bin/
 	for i in AdminScripts UserScripts; do cd $$i; for j in `ls -1 | grep -v Makefile`; do install -o ${USER} -m 0755 "$$j" /home/${USER}/bin/; done; cd ..; done
 	cd EtcFiles; for i in `ls -1 | grep -E -v '*.service|skel|Makefile'`; do cp "$$i" /home/${USER}/."$$i"; done

README.md

@@ -7,17 +7,11 @@ This package holds core files for our environment.
 * AdminScripts: Scripts requiring root access for administration
 * UserScripts: Useful user-space deprivileged scripts
 
-# How to Install ShadowArch
-The AniNIX provides an installer to install ShadowArch and some basic clients for its services, similar to the [KickStart concept from RHEL/CentOS](https://serverfault.com/questions/517908/how-to-create-a-custom-iso-image-in-centos#521672).
+# Etymology
 
-1. Acquire a read-write storage device and some hardware with at least 256M of RAM and one core.
-1. [https://archlinux.org/download Download the Arch ISO] and boot the VM or host from that.
-1. Run the following to minimally install ShadowArch:
-   1.  `wget https://aninix.net/shadowarch; vi shadowarch; bash shadowarch`
-   1.  Some flags are listed below.
-1. If you run across trouble, take a look at the Troubleshooting section at the bottom.
+ShadowArch is a pun on Shadow IT, the concept of side projects developed outside the normal bounds, and ArchLinux, the system on which we work.
 
-# Defaults 
+# Relevant Files and Software
 These are installed by default with the base package of ShadowArch, along with the ArchLinux base packages, grub, parted, os-prober, net-tools, bind-tools, and wget.
 * git for source-code access
 * elinks for browsing
@@ -93,9 +87,19 @@ We include the following customizations:
 1. [Chrome](https://www.google.com/chrome/) with [DuckDuckGo](https://duckduckgo.com/) as the default search engine is our browser recommendation. This can be bound to the ShadowArch-like keybind with Start > Chrome > Right-click > Open File Location > Right-click icon > Properties and set the shortcut key to B. We presently don't have a way to bind the Super key in the same way.
 1. Terminal Emulator can be provided by either Powershell or [PuTTY](http://www.putty.org/), depending on where shell activity should live. Use the same steps as the browser above to set the keybind.
 1. Default Windows Explorer and its keybinds equate to the XFCE4 thunar application used by ShadowArch. The Run and Explorer keybinds natively present in Windows will map.
-1. Default Windows Aero window managment will map to the ShaodowArch keybinds.
+1. Default Windows Aero window management will map to the ShadowArch keybinds.
 1. Workspace management won't be quite the same, but this [CNET article](https://www.cnet.com/how-to/how-to-use-multiple-desktops-in-windows-10/) offers some help on understanding the difference. The Windows environment is a bit more dynamic so it requires more keybinds.
 
+# Available Clients
+The AniNIX provides an installer to install ShadowArch and some basic clients for its services, similar to the [KickStart concept from RHEL/CentOS](https://serverfault.com/questions/517908/how-to-create-a-custom-iso-image-in-centos#521672).
+
+1. Acquire a read-write storage device and some hardware with at least 256M of RAM and one core.
+1. [https://archlinux.org/download Download the Arch ISO] and boot the VM or host from that.
+1. Run the following to minimally install ShadowArch:
+   1.  `wget https://aninix.net/shadowarch; vi shadowarch; bash shadowarch`
+   1.  Some flags are listed below.
+1. If you run across trouble, take a look at the Troubleshooting section at the bottom.
+
 # References
 * [The ArchLinux Wiki](https://wiki.archlinux.org/) is an invaluable source of information, particularly around packages deployed by ShadowArch hosts.
 These are some known issues the users of ShadowArch have come across with weird reasons.
@@ -107,3 +111,7 @@ Make sure the user is in the audio group on the system and alsamixer is not mute
 
 ## No Desktop
 Run xfdesktop -- sometimes xinit loses this execution and the desktop doesn't display.
+
+# Equivalents or Competition
+
+Raspberry Pi's Etcher, OVAs from other systems, etc. are all equivalent imaging projects.