diff --git a/arch-custom/airootfs/etc/nslcd.conf b/arch-custom/airootfs/etc/nslcd.conf
new file mode 100644
index 0000000..5a85b9d
--- /dev/null
+++ b/arch-custom/airootfs/etc/nslcd.conf
@@ -0,0 +1,146 @@
+# This is the configuration file for the LDAP nameservice
+# switch library's nslcd daemon. It configures the mapping
+# between NSS names (see /etc/nsswitch.conf) and LDAP
+# information in the directory.
+# See the manual page nslcd.conf(5) for more information.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The uri pointing to the LDAP server to use for name lookups.
+# Multiple entries may be specified. The address that is used
+# here should be resolvable without using LDAP (obviously).
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+### CHANGE TO LDAP SERVER URI
+uri ldap://127.0.0.1/
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+#ldap_version 3
+
+# The distinguished name of the search base.
+### CHANGE TO LDAP BASE
+base dc=example,dc=com
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+### CHANGE TO BINDDN
+#binddn cn=proxyuser,dc=example,dc=com
+
+# The credentials to bind with.
+# Optional: default is no credentials.
+# Note that if you set a bindpw you should check the permissions of this file.
+### CHANGE TO BINDDN PASSWORD
+#bindpw secret
+
+# The distinguished name to perform password modifications by root by.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# The default search scope.
+#scope sub
+#scope one
+#scope base
+
+# Customize certain database lookups.
+#base group ou=Groups,dc=example,dc=com
+#base passwd ou=People,dc=example,dc=com
+#base shadow ou=People,dc=example,dc=com
+#scope group onelevel
+#scope hosts sub
+
+# Bind/connect timelimit.
+#bind_timelimit 30
+
+# Search timelimit.
+#timelimit 30
+
+# Idle timelimit. nslcd will close connections if the
+# server has not been contacted for the number of seconds.
+#idle_timelimit 3600
+
+# Use StartTLS without verifying the server certificate.
+#ssl start_tls
+#tls_reqcert never
+
+# CA certificates for server certificate verification
+#tls_cacertdir /etc/ssl/certs
+#tls_cacertfile /etc/ssl/ca.cert
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# Mappings for Services for UNIX 3.5
+#filter passwd (objectClass=User)
+#map passwd uid msSFU30Name
+#map passwd userPassword msSFU30Password
+#map passwd homeDirectory msSFU30HomeDirectory
+#map passwd homeDirectory msSFUHomeDirectory
+#filter shadow (objectClass=User)
+#map shadow uid msSFU30Name
+#map shadow userPassword msSFU30Password
+#filter group (objectClass=Group)
+#map group member msSFU30PosixMember
+
+# Mappings for Services for UNIX 2.0
+#filter passwd (objectClass=User)
+#map passwd uid msSFUName
+#map passwd userPassword msSFUPassword
+#map passwd homeDirectory msSFUHomeDirectory
+#map passwd gecos msSFUName
+#filter shadow (objectClass=User)
+#map shadow uid msSFUName
+#map shadow userPassword msSFUPassword
+#map shadow shadowLastChange pwdLastSet
+#filter group (objectClass=Group)
+#map group member posixMember
+
+# Mappings for Active Directory
+#pagesize 1000
+#referrals off
+#idle_timelimit 800
+#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
+#map passwd uid sAMAccountName
+#map passwd homeDirectory unixHomeDirectory
+#map passwd gecos displayName
+#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
+#map shadow uid sAMAccountName
+#map shadow shadowLastChange pwdLastSet
+#filter group (objectClass=group)
+
+# Alternative mappings for Active Directory
+# (replace the SIDs in the objectSid mappings with the value for your domain)
+#pagesize 1000
+#referrals off
+#idle_timelimit 800
+#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
+#map passwd uid cn
+#map passwd uidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
+#map passwd gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
+#map passwd homeDirectory "/home/$cn"
+#map passwd gecos displayName
+#map passwd loginShell "/bin/bash"
+#filter group (|(objectClass=group)(objectClass=person))
+#map group gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
+
+# Mappings for AIX SecureWay
+#filter passwd (objectClass=aixAccount)
+#map passwd uid userName
+#map passwd userPassword passwordChar
+#map passwd uidNumber uid
+#map passwd gidNumber gid
+#filter group (objectClass=aixAccessGroup)
+#map group cn groupName
+#map group gidNumber gid
diff --git a/arch-custom/airootfs/etc/nsswitch.conf b/arch-custom/airootfs/etc/nsswitch.conf
new file mode 100644
index 0000000..7287735
--- /dev/null
+++ b/arch-custom/airootfs/etc/nsswitch.conf
@@ -0,0 +1,18 @@
+# Name Service Switch configuration file.
+# See nsswitch.conf(5) for details.
+
+passwd: files systemd ldap
+group: files [SUCCESS=merge] systemd ldap
+shadow: files ldap
+
+publickey: files
+
+hosts: files mymachines myhostname resolve [!UNAVAIL=return] dns
+networks: files
+
+protocols: files
+services: files
+ethers: files
+rpc: files
+
+netgroup: files
diff --git a/arch-custom/airootfs/etc/openldap/ldap.conf b/arch-custom/airootfs/etc/openldap/ldap.conf
new file mode 100644
index 0000000..de7f850
--- /dev/null
+++ b/arch-custom/airootfs/etc/openldap/ldap.conf
@@ -0,0 +1 @@
+sudoers_base ou=sudoers,dc=example,dc=org
diff --git a/arch-custom/airootfs/etc/pam.d/passwd b/arch-custom/airootfs/etc/pam.d/passwd
new file mode 100644
index 0000000..f8aac9e
--- /dev/null
+++ b/arch-custom/airootfs/etc/pam.d/passwd
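Review bot: `uri ldap://127.0.0.1/` is a plaintext transport and both `ssl` and `tls_reqcert` stay commented out, while nsswitch.conf in this same commit routes `passwd`, `group` and `shadow` lookups through this daemon; once the placeholder is replaced by a real server address, password hashes and every lookup cross the network unencrypted and with no server authentication. Replace the placeholder with `uri ldaps://LDAP_SERVER_PLACEHOLDER/` (or keep `ldap://` and enable `ssl start_tls`) together with `tls_reqcert demand` and an uncommented `tls_cacertfile`, so a misconfigured image fails closed instead of trusting whatever answers. The file's own warning about `bindpw` also concerns profiledef.sh in this commit, which installs it as 0644; since nslcd reads its configuration before switching to the `uid`/`gid` set here, 0600 root-owned should suffice (confirm on the target).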
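Review bot: No `sudoers:` line is added, although the companion `/etc/openldap/ldap.conf` in this commit sets `sudoers_base`; sudo consults nsswitch.conf to decide which sudoers sources to query, so without `sudoers: files ldap` the LDAP sudoers subtree is never read and only `/etc/sudoers` applies. Separately, `shadow: files ldap` only works if the directory lets nslcd's bind identity read the hashed password attribute, and nslcd.conf in this commit binds anonymously over `ldap://`; if the directory really grants anonymous read of that attribute, that is a directory-side exposure worth checking before this ordering ships.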
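Review bot: The base here is `dc=example,dc=org` while nslcd.conf in the same commit uses `dc=example,dc=com`; whichever is the real suffix, the two files should agree, and a `### CHANGE` marker like the ones in nslcd.conf would make clear this is a placeholder. Because this file replaces the `/etc/openldap/ldap.conf` shipped by the openldap package (added in packages.x86_64 by this commit), it should also carry `URI`, `BASE` and `TLS_CACERT` so libldap clients know where to connect and how to verify the server; as committed it names no server at all, and whether sudo's LDAP backend reads this path on Arch depends on the build's ldap-conf-file setting and should be verified. profiledef.sh in this commit lists the path as `/etc/openldap/openldap.conf`, which does not match this file.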
@@ -0,0 +1,5 @@
+#%PAM-1.0
+password sufficient pam_ldap.so
+#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
+#password required pam_unix.so sha512 shadow use_authtok
+password required pam_unix.so sha512 shadow nullok
diff --git a/arch-custom/airootfs/etc/pam.d/su b/arch-custom/airootfs/etc/pam.d/su
new file mode 100644
index 0000000..d801100
--- /dev/null
+++ b/arch-custom/airootfs/etc/pam.d/su
@@ -0,0 +1,13 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+auth sufficient pam_ldap.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth sufficient pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth required pam_wheel.so use_uid
+auth required pam_unix.so use_firt_pass
+account required pam_unix.so
+account sufficient pam_ldap.so
+session required pam_unix.so
+session sufficient pam_ldap.so
+password include system-auth
diff --git a/arch-custom/airootfs/etc/pam.d/su-l b/arch-custom/airootfs/etc/pam.d/su-l
new file mode 100644
index 0000000..d801100
--- /dev/null
+++ b/arch-custom/airootfs/etc/pam.d/su-l
@@ -0,0 +1,13 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+auth sufficient pam_ldap.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth sufficient pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth required pam_wheel.so use_uid
+auth required pam_unix.so use_firt_pass
+account required pam_unix.so
+account sufficient pam_ldap.so
+session required pam_unix.so
+session sufficient pam_ldap.so
+password include system-auth
diff --git a/arch-custom/airootfs/etc/pam.d/sudo b/arch-custom/airootfs/etc/pam.d/sudo
new file mode 100644
index 0000000..1290df9
--- /dev/null
+++ b/arch-custom/airootfs/etc/pam.d/sudo
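Review bot: `auth required pam_unix.so use_firt_pass` misspells `use_first_pass`; pam_unix logs the unrecognized option and ignores it, so after `pam_ldap.so` has already collected the password a local user is presumably prompted a second time instead of having the token reused. Change the line to `auth required pam_unix.so use_first_pass` (or `try_first_pass`, which is what system-auth in this commit uses). The identical line is in pam.d/su-l, which is byte-for-byte the same file (same blob d801100), so either fix both or have one file include the other's stack rather than maintaining two copies.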
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth sufficient pam_ldap.so
+auth required pam_unix.so try_first_pass
+auth required pam_nologin.so
\ No newline at end of file
diff --git a/arch-custom/airootfs/etc/pam.d/system-auth b/arch-custom/airootfs/etc/pam.d/system-auth
new file mode 100644
index 0000000..8fb4836
--- /dev/null
+++ b/arch-custom/airootfs/etc/pam.d/system-auth
@@ -0,0 +1,30 @@
+#%PAM-1.0
+
+auth sufficient pam_ldap.so
+auth required pam_faillock.so preauth
+# Optionally use requisite above if you do not want to prompt for the password
+# on locked accounts.
+auth [success=2 default=ignore] pam_unix.so try_first_pass nullok
+-auth [success=1 default=ignore] pam_systemd_home.so
+auth [default=die] pam_faillock.so authfail
+auth optional pam_permit.so
+auth required pam_env.so
+auth required pam_faillock.so authsucc
+# If you drop the above call to pam_faillock.so the lock will be done also
+# on non-consecutive authentication failures.
+
+account sufficient pam_ldap.so
+-account [success=1 default=ignore] pam_systemd_home.so
+account required pam_unix.so
+account optional pam_permit.so
+account required pam_time.so
+
+password sufficient pam_ldap.so
+-password [success=1 default=ignore] pam_systemd_home.so
+password required pam_unix.so try_first_pass nullok shadow sha512
+password optional pam_permit.so
+
+session required pam_limits.so
+session required pam_unix.so
+session optional pam_ldap.so
+session optional pam_permit.so
diff --git a/arch-custom/airootfs/etc/passwd b/arch-custom/airootfs/etc/passwd
index 2807d5d..e3f8ca7 100644
--- a/arch-custom/airootfs/etc/passwd
+++ b/arch-custom/airootfs/etc/passwd
@@ -1 +1,2 @@
 root:x:0:0:root:/root:/usr/bin/zsh
+admin:x:1000:1000::/home/admin:/bin/bash
diff --git a/arch-custom/airootfs/etc/shadow b/arch-custom/airootfs/etc/shadow
index 7edfd69..d3c9dac 100644
--- a/arch-custom/airootfs/etc/shadow
+++ b/arch-custom/airootfs/etc/shadow
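Review bot: Only an `auth` stack is defined, but sudo also runs the account and session stacks; when a service file has no entries for a module type libpam logs "no modules loaded" for that service and returns a failure, so sudo presumably fails for every user even after a correct password (the stock Arch file uses `auth`/`account`/`session include system-auth`). Add `account include system-auth` and `session include system-auth`, and end the file with a newline to clear the `\ No newline at end of file` state. Note also that this stack has no pam_faillock at all, so wrong sudo passwords are never counted toward the lockout configured in the new system-auth; using `auth include system-auth` here instead of the two explicit lines would keep the two services consistent.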
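Review bot: `auth sufficient pam_ldap.so` sits before `pam_faillock.so preauth`, so an LDAP user who authenticates successfully returns before faillock ever runs: a locked-out account is still admitted and its tally is never cleared by `authsucc`, while failed LDAP attempts fall through to pam_unix and are counted by `authfail` — the lockout only half-applies. Move pam_ldap below preauth and into the jump chain so success lands on the same `pam_permit.so` slot pam_unix uses: `auth required pam_faillock.so preauth` / `auth [success=3 default=ignore] pam_ldap.so` / `auth [success=2 default=ignore] pam_unix.so try_first_pass nullok`. The same pattern in the account stack (`account sufficient pam_ldap.so` first) means `pam_time.so` restrictions never apply to LDAP users; if that is intended, a comment saying so would help the next reader.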
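Review bot: The new `admin` entry references gid 1000 and `/home/admin`, but this commit adds neither a gid-1000 line to `/etc/group` nor a home directory under airootfs; unless they are provided elsewhere, the account has a dangling primary group and login presumably falls back to `/` or fails depending on the login path. Pair this line with a matching `group` entry and either an `airootfs/home/admin` skeleton or a `file_permissions` entry for it in profiledef.sh.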
@@ -1 +1,2 @@
 root::14871::::::
+admin:$6$kdak37IiHqX5Ox5U$Arf.I3zHqkYC3t/Oo8vxLXINqyajKXrELoDjyRmEd/UnQOi3mYFLiF6Abs27OxJsMzskuTVKoq2CyX.fkIdmI0:18820:0:99999:7:::
\ No newline at end of file
diff --git a/arch-custom/airootfs/root/.ssh/authorized_keys b/arch-custom/airootfs/root/.ssh/authorized_keys
new file mode 100644
index 0000000..a27cf4b
--- /dev/null
+++ b/arch-custom/airootfs/root/.ssh/authorized_keys
@@ -0,0 +1,9 @@
+ssh-rsa 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 fix@radon
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnwEtCJFnhr1FHTkIquxjMYMwzSstMV/U+AktdyPg2l fix@xenon
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAT7JSDnbl5lFjszUxFN2WpjPSW6P4pJWke46MN8UCcX fix@morty
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDESsPAjfAUKrTcyPsrddMuLhK4fYaiDnNF4cydIUDtZ6ThS53P5eNJV3B9eZFo/lrAqFXkNiItqWcbee8w2jkZJnfnIFbKy2tkPqCeEGBpD7qI+x+XetYM7s13zCoruSWWWYdfnFby6KEchXUSsqDuiHDxlm4HQYxIEp7JKNcN+EGwV8r9fASc0VK/as+VgBmcjL5GDBWVf1rkM1Vpc1zSpS1lfw7Fd9cf069emFTk/+uMJuFpu/0IhYjS435h4NY7C3gOvBVmeoGfCd+zeLj+vrbfZ/EISbCY9IUQWYE6VNegXsmek3YL6cYQI+p7gktw6IQHudxPXVTNnfcibr8/ pi@raspi
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJ11F0P/IoUwSo9HEg75Ia9gHHoWd0zVn3+Jf0fk8AP fix@argon
+
+ssh-rsa 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 f.schaal@tallence.com
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlhfBV/3uJBcfMw3o1pnxMbZdtTHskJSVY/fBvylIKM fix@apu
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMAddUJar3mtosfNShZE4HF/7o++Ty1bBhqb9Sd9R0uC fix@beth
diff --git a/arch-custom/packages.x86_64 b/arch-custom/packages.x86_64
index 08f7ffe..c604ce0 100644
--- a/arch-custom/packages.x86_64
+++ b/arch-custom/packages.x86_64
@@ -1,6 +1,3 @@
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
 alsa-utils
 amd-ucode
 archinstall
@@ -76,11 +73,14 @@ ndisc6
 nfs-utils
 nilfs-utils
 nmap
+nss-pam-ldapd
 ntfs-3g
 nvme-cli
 openconnect
+openldap
 openssh
 openvpn
+pambase
 partclone
 parted
 partimage
diff --git a/arch-custom/profiledef.sh b/arch-custom/profiledef.sh
index 5feb205..06989c9 100644
--- a/arch-custom/profiledef.sh
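Review bot: The `admin` line commits a live password hash (`$6$` SHA-512 crypt) to the repository and bakes it into every image built from this profile; anyone holding the repository or an ISO can work on it offline, and it cannot be rotated without a rebuild. Generate the hash at build time from a secret kept outside the repository, or lock the field with `!` and rely on the root `authorized_keys` access this commit also adds; either way end the file with a newline to clear the `\ No newline at end of file` state. The pre-existing `root::14871::::::` context line still leaves root with an empty password, which the `nullok` on pam_unix in the new system-auth continues to honour — worth a deliberate decision rather than an inherited default.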
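Review bot: Eight personal SSH keys for distinct identities (one with a corporate e-mail comment) are granted root on every image built from this profile, with no way to revoke a single key short of rebuilding, and the blank line in the middle suggests two lists were pasted together. Keep the set minimal, record each key's owner and purpose in a trailing `#` comment line, and revisit the modes profiledef.sh in this commit assigns (`/root/.ssh` 0600, `authorized_keys` 0700), which are the conventional 0700/0600 swapped.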
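Review bot: The first hunk removes the `# SPDX-License-Identifier: GPL-3.0-or-later` header inherited from archiso's profile; deleting the notice does not change the licence the file was copied under, so keep the three lines (the package additions in the second hunk are fine). If the intent was to mark the profile as a derived work, add a line below the SPDX identifier instead of dropping it.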
+++ b/arch-custom/profiledef.sh @@ -1,10 +1,10 @@ #!/usr/bin/env bash # shellcheck disable=SC2034 -iso_name="archlinux" +iso_name="archlinux-trauma" iso_label="ARCH_$(date +%Y%m)" -iso_publisher="Arch Linux " -iso_application="Arch Linux Live/Rescue CD" +iso_publisher="fix " +iso_application="Arch Linux Trauma MR Edition" iso_version="$(date +%Y.%m.%d)" install_dir="arch" buildmodes=('iso') @@ -15,8 +15,17 @@ airootfs_image_type="squashfs" airootfs_image_tool_options=('-comp' 'xz' '-Xbcj' 'x86' '-b' '1M' '-Xdict-size' '1M') file_permissions=( ["/etc/shadow"]="0:0:400" + ["/etc/passwd"]="0:0:644" + ["/etc/nsswitch.conf"]="0:0:644" + ["/etc/nslcd.conf"]="0:0:644" + ["/etc/openldap/openldap.conf"]="0:0:644" + ["/etc/pamd.d"]="0:0:755" + ["/etc/pamd.d/system-auth", "/etc/pamd.d/sudo", "/etc/pamd.d/passwd"]="0:0:644" + ["/etc/pamd.d/su","/etc/pamd.d/su-l",]="0:0:755" ["/root"]="0:0:750" ["/root/.automated_script.sh"]="0:0:755" + ["/root/.ssh"]="0:0:600" + ["/root/.ssh/authorized_keys"]="0:0:700" ["/usr/local/bin/choose-mirror"]="0:0:755" ["/usr/local/bin/Installation_guide"]="0:0:755" ["/usr/local/bin/livecd-sound"]="0:0:755" diff --git a/arch-custom/syslinux/archiso_sys-linux.cfg b/arch-custom/syslinux/archiso_sys-linux.cfg index e1894c1..5a6acd6 100644 --- a/arch-custom/syslinux/archiso_sys-linux.cfg +++ b/arch-custom/syslinux/archiso_sys-linux.cfg 
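Review bot: Several `file_permissions` keys in the second hunk cannot match a path: `/etc/pamd.d` (and every entry under it) should be `/etc/pam.d`, `/etc/openldap/openldap.conf` should be `/etc/openldap/ldap.conf` (the file this commit adds), and a comma-separated list inside one `[...]` subscript is a single literal key in bash rather than several, so none of the PAM-file modes are applied and mkarchiso presumably warns about each. The su/su-l entries also request 0755 where 0644 is the mode for a PAM service file, and the `/root/.ssh` (0600) and `authorized_keys` (0700) modes are the conventional 0700/0600 swapped; given nslcd.conf's own warning about `bindpw`, 0600 is the safer default for `/etc/nslcd.conf`. The enclosing array continues past the end of the hunk.
```bash
file_permissions=(
  ["/etc/shadow"]="0:0:400"
  ["/etc/passwd"]="0:0:644"
  ["/etc/nsswitch.conf"]="0:0:644"
  ["/etc/nslcd.conf"]="0:0:600"
  ["/etc/openldap/ldap.conf"]="0:0:644"
  ["/etc/pam.d"]="0:0:755"
  ["/etc/pam.d/system-auth"]="0:0:644"
  ["/etc/pam.d/sudo"]="0:0:644"
  ["/etc/pam.d/passwd"]="0:0:644"
  ["/etc/pam.d/su"]="0:0:644"
  ["/etc/pam.d/su-l"]="0:0:644"
  # … unchanged: /root and /root/.automated_script.sh entries …
  ["/root/.ssh"]="0:0:700"
  ["/root/.ssh/authorized_keys"]="0:0:600"
  # … unchanged: /usr/local/bin entries …
```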
@@ -3,32 +3,31 @@ LABEL arch64 TEXT HELP -Boot the Arch Linux install medium on BIOS. -It allows you to install Arch Linux or perform system maintenance. +Boot Trauma Linux ENDTEXT -MENU LABEL Arch Linux install medium (x86_64, BIOS) +MENU LABEL Trauma Linux LINUX /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux INITRD /%INSTALL_DIR%/boot/intel-ucode.img,/%INSTALL_DIR%/boot/amd-ucode.img,/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img APPEND archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% # Accessibility boot option -LABEL arch64speech -TEXT HELP -Boot the Arch Linux install medium on BIOS with speakup screen reader. -It allows you to install Arch Linux or perform system maintenance with speech feedback. -ENDTEXT -MENU LABEL Arch Linux install medium (x86_64, BIOS) with ^speech -LINUX /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux -INITRD /%INSTALL_DIR%/boot/intel-ucode.img,/%INSTALL_DIR%/boot/amd-ucode.img,/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img -APPEND archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% accessibility=on +#LABEL arch64speech +#TEXT HELP +#Boot the Arch Linux install medium on BIOS with speakup screen reader. +#It allows you to install Arch Linux or perform system maintenance with speech feedback. +#ENDTEXT +#MENU LABEL Arch Linux install medium (x86_64, BIOS) with ^speech +#LINUX /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux +#INITRD /%INSTALL_DIR%/boot/intel-ucode.img,/%INSTALL_DIR%/boot/amd-ucode.img,/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img +#APPEND archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% accessibility=on # Copy to RAM boot option -LABEL arch64ram -TEXT HELP -Boot the Arch Linux install medium on BIOS with Copy-to-RAM option -It allows you to install Arch Linux or perform system maintenance. 
-ENDTEXT -MENU LABEL Arch Linux install medium (x86_64, BIOS, Copy to RAM) -LINUX /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux -INITRD /%INSTALL_DIR%/boot/intel-ucode.img,/%INSTALL_DIR%/boot/amd-ucode.img,/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img -APPEND archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% copytoram +#LABEL arch64ram +#TEXT HELP +#Boot the Arch Linux install medium on BIOS with Copy-to-RAM option +#It allows you to install Arch Linux or perform system maintenance. +#ENDTEXT +#MENU LABEL Arch Linux install medium (x86_64, BIOS, Copy to RAM) +#LINUX /%INSTALL_DIR%/boot/x86_64/vmlinuz-linux +#INITRD /%INSTALL_DIR%/boot/intel-ucode.img,/%INSTALL_DIR%/boot/amd-ucode.img,/%INSTALL_DIR%/boot/x86_64/initramfs-linux.img +#APPEND archisobasedir=%INSTALL_DIR% archisolabel=%ARCHISO_LABEL% copytoram diff --git a/arch-custom/syslinux/splash.png b/arch-custom/syslinux/splash.png index 64b959a..e9d6fbe 100644 Binary files a/arch-custom/syslinux/splash.png and b/arch-custom/syslinux/splash.png differ