diff --git a/.travis.yml b/.travis.yml index b58dabc..9c60b5d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,2 +1,2 @@ language: shell -script: shellcheck ./scripts/*/*.sh +script: shellcheck $(find . -type f -name '*.sh') diff --git a/README.md b/README.md index 5cf40c5..5bb5cc1 100644 --- a/README.md +++ b/README.md @@ -56,7 +56,9 @@ $HOME/Documents/certificates/ | Contains certificates to authenticate via [certi | $HOME/Documents/recovery_codes/ | Contains files with recovery_codes e.g. for [Two-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication). | | $HOME/Documents/identity/ | Contains files to prove the identity of the *Core System Owner* in physical live like passports. | | $HOME/Documents/passwords/ | Contains e.g the [KeePassXC](https://keepassxc.org/) database with all *Core System Owner* passwords. | -| $HOME/Repositories/ | Contains all git repositories | +| $HOME/Repositories/ | Contains all git repository providers. | +| $HOME/Repositories/{{provider}} | Contains all git repositories of an provider. | +| $HOME/Backups | Contains all backups. The sub-folders follow the standards of [Backup Manager](https://github.com/kevinveenbirkenbach/backup-manager) | | $HOME/Games/roms | Contains all roms | | $HOME/Images/ | contains os images| diff --git a/configuration/packages/client/yay/general.txt b/configuration/packages/client/yay/general.txt index 808396d..b3c351e 100644 --- a/configuration/packages/client/yay/general.txt +++ b/configuration/packages/client/yay/general.txt @@ -10,3 +10,5 @@ eclipse-java ccls # office ttf-ms-fonts +#cloud +dropbox diff --git a/configuration/packages/client/yay/gnome.txt b/configuration/packages/client/yay/gnome.txt new file mode 100644 index 0000000..bc95204 --- /dev/null +++ b/configuration/packages/client/yay/gnome.txt @@ -0,0 +1 @@ +nautilus-dropbox 
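Review bot: The new `script:` line passes `$(find . -type f -name '*.sh')` unquoted, so the path list is word-split and glob-expanded before it reaches shellcheck (the SC2046 pattern ShellCheck itself reports) and any script whose path contains whitespace would be looked up as several missing files. Let find invoke the checker directly: `script: find . -type f -name '*.sh' -exec shellcheck {} +`. The other hunks collapsed on this line (README table, yay package lists) are documentation and data changes.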
diff --git a/scripts/analyze/client/not_encrypted_ssh_keys.sh b/scripts/analyze/client/not_encrypted_ssh_keys.sh
new file mode 100644
index 0000000..d39191d
--- /dev/null
+++ b/scripts/analyze/client/not_encrypted_ssh_keys.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# @see https://stackoverflow.com/questions/32408820/how-to-list-files-and-match-first-line-in-bash-script
+# @see https://unix.stackexchange.com/questions/298590/using-find-non-recursively
+# @see https://security.stackexchange.com/questions/129724/how-to-check-if-an-ssh-private-key-has-passphrase-or-not
+find "$HOME/.ssh" -maxdepth 1 -type f -print0 | while IFS= read -r -d $'\0' file; do
+    if [[ $(head -n1 "$file") == "-----BEGIN OPENSSH PRIVATE KEY-----" ]]; then
+        echo "Test file: $file"
+        ssh-keygen -y -P "" -f "$file"
+    fi
+done
diff --git a/scripts/analyze/system/dd_optimal_bs_test.sh b/scripts/analyze/system/dd_optimal_bs_test.sh
deleted file mode 100644
index 67837dc..0000000
--- a/scripts/analyze/system/dd_optimal_bs_test.sh
+++ /dev/null
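Review bot: The loop prints `Test file:` for every key in the OpenSSH container format but never evaluates the outcome of `ssh-keygen -y -P "" -f "$file"`, so whether a key is unprotected has to be read off the mixed stdout/stderr (a public key printed means no passphrase, an error means there is one). Test the exit status and report only the finding: `if ssh-keygen -y -P "" -f "$file" >/dev/null 2>&1; then echo "UNENCRYPTED: $file"; fi`. The first-line check also skips keys in the legacy PEM format (`-----BEGIN RSA PRIVATE KEY-----` and friends), which are never examined although an unprotected PEM key is the same exposure; matching with `[[ $(head -n1 "$file") == "-----BEGIN "*"PRIVATE KEY-----" ]]` covers both layouts.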
@@ -1,37 +0,0 @@ -#!/bin/bash -# Wrong scripped but good as a base to optimize later. See http://blog.tdg5.com/tuning-dd-block-size/ -# Since we're dealing with dd, abort if any errors occur -set -e - -TEST_FILE=${1:-dd_obs_testfile} -[ -e "$TEST_FILE" ]; TEST_FILE_EXISTS=$? -TEST_FILE_SIZE=134217728 - -# Header -PRINTF_FORMAT="%8s : %s\n" -printf "$PRINTF_FORMAT" 'block size' 'transfer rate' - -# Block sizes of 512b 1K 2K 4K 8K 16K 32K 64K 128K 256K 512K 1M 2M 4M 8M 16M 32M 64M -for BLOCK_SIZE in 512 1024 2048 4096 8192 16384 32768 65536 131072 262144 524288 1048576 2097152 4194304 8388608 16777216 33554432 67108864 -do - # Calculate number of segments required to copy - COUNT=$(($TEST_FILE_SIZE / $BLOCK_SIZE)) - - if [ $COUNT -le 0 ]; then - echo "Block size of $BLOCK_SIZE estimated to require $COUNT blocks, aborting further tests." - break - fi - - # Create a test file with the specified block size - DD_RESULT=$(dd if=/dev/zero of=$TEST_FILE bs=$BLOCK_SIZE count=$COUNT 2>&1 1>/dev/null) - -echo $DD_RESULT - # Extract the transfer rate from dd's STDERR output - TRANSFER_RATE=$(echo $DD_RESULT | \grep --only-matching -E '[0-9.]+ ([MGk]?B|bytes)/s(ec)?') - - # Clean up the test file if we created one - [ $TEST_FILE_EXISTS -ne 0 ] && rm $TEST_FILE - - # Output the result - printf "$PRINTF_FORMAT" "$BLOCK_SIZE" "$TRANSFER_RATE" -done diff --git a/scripts/client/setup.sh b/scripts/client/setup.sh index a814aec..b23445a 100644 --- a/scripts/client/setup.sh +++ b/scripts/client/setup.sh 
@@ -146,7 +146,8 @@ install_gnome_extension(){ if [ "$DESKTOP_SESSION" == "gnome" ]; then info "Synchronizing gnome tools..." && - sudo pacman -S "$(get_packages 'client/pacman/gnome')" || error "Syncronisation failed." + sudo pacman -S "$(get_packages 'client/pacman/gnome')" && + install_yay_packages_if_needed "$(get_packages "client/yay/gnome")" || error "Syncronisation failed." info "Setting up gnome dash favourites..." && gsettings set org.gnome.shell favorite-apps "['org.gnome.Nautilus.desktop', 'org.gnome.Terminal.desktop', diff --git a/scripts/data/import-from-system.sh b/scripts/data/import-from-system.sh index 6bffa2a..96404c5 100644 --- a/scripts/data/import-from-system.sh +++ b/scripts/data/import-from-system.sh @@ -15,9 +15,8 @@ declare -a BACKUP_LIST=("$HOME/.ssh/" \ "$HOME/.local/share/rhythmbox/rhythmdb.xml" \ "$HOME/.config/keepassxc/keepassxc.ini" \ "$HOME/Documents/certificates/" \ - "$HOME/Documents/recovery_codes/" \ + "$HOME/Documents/security/" \ "$HOME/Documents/identity/" \ - "$HOME/Documents/passwords/" \ "$HOME/Documents/health/" \ "$HOME/Documents/licenses/"); diff --git a/scripts/encryption/storage/Readme.md b/scripts/encryption/storage/Readme.md new file mode 100644 index 0000000..844fec9 --- /dev/null +++ b/scripts/encryption/storage/Readme.md @@ -0,0 +1,2 @@ +# Storage +For security reasons storages **SHOULD** be encrypted with [LUKS](https://de.wikipedia.org/wiki/Dm-crypt#Erweiterung_mit_LUKS). To keep it standardized and easy this scripts will use [btrfs](https://de.wikipedia.org/wiki/Btrfs) as file system. diff --git a/scripts/encryption/storage/base.sh b/scripts/encryption/storage/base.sh index 11ca9c4..9136abf 100644 --- a/scripts/encryption/storage/base.sh +++ b/scripts/encryption/storage/base.sh 
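Review bot: `install_yay_packages_if_needed "$(get_packages "client/yay/gnome")"` hands the whole output of get_packages over as one quoted word, mirroring the `sudo pacman -S "$(…)"` line above it; a gnome.txt with more than one entry (general.txt in this commit lists one package per line) would then arrive as a single argument unless those helpers split it themselves. Both helpers are outside this diff, so this is worth confirming; if they expect one package per argument, `mapfile -t pkgs < <(get_packages "client/yay/gnome")` followed by `"${pkgs[@]}"` is the safe form. The enclosing function (the hunk header names `install_gnome_extension`) starts and ends outside the hunk.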
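Review bot: The backup list now reads `$HOME/Documents/security/` in place of `recovery_codes/` and `passwords/`, but the README table touched in this same commit (first line of the diff) still documents those two folders and never mentions `security/`; anything left in the documented locations silently drops out of the backup, and for recovery codes and the KeePassXC database that is exactly the data one cannot afford to lose. Either update the README rows to the new folder or keep the old entries until the move is complete. The enclosing `BACKUP_LIST` declaration starts before the hunk.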
@@ -1,5 +1,10 @@ #!/bin/bash -source "$(dirname "$(readlink -f "${0}")")/../../base.sh" || (echo "Loading base.sh failed." && exit 1) +# shellcheck disable=SC2015 # Deactivating bool hint +# shellcheck disable=SC2034 # Unused variables +# shellcheck disable=SC2154 # Referenced but not assigned +# shellcheck disable=SC1090 # Can't follow non-constant source. Use a directive to specify location. +# shellcheck disable=SC2001 # See if you can use ${variable//search/replace} instead +source "$(dirname "$(readlink -f "${0}")")/../../../base.sh" || (echo "Loading base.sh failed." && exit 1) set_device_mount_partition_and_mapper_paths(){ set_device_path && 
@@ -8,7 +13,72 @@ set_device_mount_partition_and_mapper_paths(){ mount_path="/media/$mapper_name" && partition_path="$device_path""1" && info "mapper name set to : $mapper_name" && - info "mapper path set to : $mapper_path" || + info "mapper path set to : $mapper_path" && info "mount path set to : $mount_path" || error } + +# @var $1 mapper_path +# @var $2 partition_path +create_luks_key_and_update_cryptab(){ + LUKS_KEY_DIRECTORY="/etc/luks-keys/" && + info "Creating luks-key-directory..." && + sudo mkdir $LUKS_KEY_DIRECTORY || warning "Directory exists: $LUKS_KEY_DIRECTORY" || error + luks_key_name="$1.keyfile" && + secret_key_path="$LUKS_KEY_DIRECTORY$luks_key_name" && + info "Generate secret key under: $secret_key_path" || error + if [ -f "$secret_key_path" ] + then + warning "File allready exist. Overwritting!" + fi + sudo dd if=/dev/urandom of="$secret_key_path" bs=512 count=8 && + sudo cryptsetup -v luksAddKey "$2" "$secret_key_path" && + info "Opening and closing device to verify that that everything works fine..." || error + sudo cryptsetup -v luksClose "$1" || info "No need to luksClose $1." + sudo cryptsetup -v luksOpen "$2" "$1" --key-file="$secret_key_path" && + sudo cryptsetup -v luksClose "$1" && + info "Reading UUID..." && + uuid_line=$(sudo cryptsetup luksDump "$2" | grep "UUID") && + uuid=$(echo "${uuid_line/UUID:/""}"|sed -e "s/[[:space:]]\+//g") && + crypttab_path="/etc/crypttab" && + crypttab_entry="$1 UUID=$uuid $secret_key_path luks" && + info "Adding crypttab entry..." || error + if sudo grep -q "$crypttab_entry" "$crypttab_path"; + then + warning "File $crypttab_path contains allready a the following entry:" && + echo "$crypttab_entry" && + info "Skipped." 
||
+ error
+ else
+ sudo sh -c "echo '$crypttab_entry' >> $crypttab_path" ||
+ error
+ fi
+
+ info "The file $crypttab_path contains now the following:" &&
+ sudo cat $crypttab_path ||
+ error
+}
+
+# @var $1 mapper_name
+# @var $2 mount_path
+#
+# If mount doesn't work adapt it manually to
+# @see https://gist.github.com/MaxXor/ba1665f47d56c24018a943bb114640d7
+update_fstab(){
+    fstab_path="/etc/fstab"
+    fstab_entry="$1 $2 btrfs defaults 0 2"
+    info "Adding fstab entry..."
+    if sudo grep -q "$fstab_entry" "$fstab_path"; then
+        warning "File $fstab_path contains allready a the following entry:" &&
+        echo "$fstab_entry" &&
+        info "Skipped." ||
+        error
+    else
+        sudo sh -c "echo '$fstab_entry' >> $fstab_path" ||
+        error
+    fi
+
+    info "The file $fstab_path contains now the following:" &&
+    sudo cat $fstab_path ||
+    error
+}
diff --git a/scripts/encryption/storage/mount.sh b/scripts/encryption/storage/mount.sh
deleted file mode 100644
index 13cf0b0..0000000
--- a/scripts/encryption/storage/mount.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/bash
-source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
-echo "Mounts encrypted storages"
-
-set_device_mount_partition_and_mapper_paths
-
-info "Unlock partition..." &&
-sudo cryptsetup luksOpen $partition_path $mapper_name ||
-error
-
-info "Mount partition..." &&
-sudo mount $mapper_path $mount_path ||
-error
-
-success "Mounting successfull :)"
diff --git a/scripts/encryption/storage/mount_on_boot.sh b/scripts/encryption/storage/mount_on_boot.sh
deleted file mode 100644
index 7de0674..0000000
--- a/scripts/encryption/storage/mount_on_boot.sh
+++ /dev/null
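Review bot: `create_luks_key_and_update_cryptab` creates `/etc/luks-keys/` with a plain `sudo mkdir` and fills the key file with `sudo dd … of="$secret_key_path"`, so both get root's default umask (0755 and 0644 under the usual 022) and every local account can read a file that unlocks the volume without any passphrase. Create the directory with `sudo install -d -m 0700 "$LUKS_KEY_DIRECTORY"` and tighten the file right after dd with `sudo chmod 0600 "$secret_key_path"`. Two smaller points in the same function: overwriting an existing key file after the "Overwritting!" warning leaves the slot added for the old key orphaned, since `luksAddKey` only adds and the old material is gone, and `cryptsetup luksUUID "$2"` returns the UUID directly in place of the `luksDump | grep | sed` pipeline.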
@@ -1,70 +0,0 @@ -#!/bin/bash -source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1) -echo "Automount encrypted storages" -echo -set_device_mount_partition_and_mapper_paths - -info "Creating key luks-key-directory..." && -key_directory="/etc/luks-keys/" && -sudo mkdir $key_directory || warning "Directory exists: $key_directory" -luks_key_name="$mapper_name""_name_secret_key" && -secret_key_path="$key_directory$luks_key_name" && -info "Generate secret key under: $secret_key_path" && -if [ -f "$secret_key_path" ] - then - warning "File allready exist. Overwritting!" -fi -sudo dd if=/dev/urandom of=$secret_key_path bs=512 count=8 && -sudo cryptsetup -v luksAddKey $partition_path $secret_key_path || -error - -info "Opening and closing device to verify that that everything works fine..." && -sudo cryptsetup -v luksOpen $partition_path $mapper_name --key-file=$secret_key_path && -sudo cryptsetup -v luksClose $mapper_name || -error - -info "Reading UUID..." -uuid_line=$(sudo cryptsetup luksDump $partition_path | grep "UUID") && -uuid=$(echo "${uuid_line/UUID:/""}"|sed -e "s/[[:space:]]\+//g") || -error - -crypttab_path="/etc/crypttab" -crypttab_entry="$mapper_name UUID=$uuid $secret_key_path luks" -info "Adding crypttab entry..." -if sudo grep -q "$crypttab_entry" "$crypttab_path"; - then - warning "File $crypttab_path contains allready a the following entry:" && - echo "$crypttab_entry" && - info "Skipped." || - error - else - sudo sh -c "echo '$crypttab_entry' >> $crypttab_path" || - error -fi - -info "The file $crypttab_path contains now the following:" && -sudo cat $crypttab_path || -error - -# info "Verifying crypttab configuration..." && -# sudo cryptdisks_start $mapper_name || -# error - -fstab_path="/etc/fstab" -fstab_entry="$mapper_path $mount_path btrfs defaults 0 2" -info "Adding fstab entry..." 
-if sudo grep -q "$fstab_entry" "$fstab_path"; then - warning "File $crypttab_path contains allready a the following entry:" && - echo "$fstab_entry" && - info "Skipped." || - error -else - sudo sh -c "echo '$fstab_entry' >> $fstab_path" || - error -fi - -info "The file $fstab_path contains now the following:" && -sudo cat $fstab_path || -error - -success "Installation finished. Please restart :)" diff --git a/scripts/encryption/storage/raid1/base.sh b/scripts/encryption/storage/raid1/base.sh new file mode 100644 index 0000000..e2046a5 --- /dev/null +++ b/scripts/encryption/storage/raid1/base.sh @@ -0,0 +1,22 @@ +#!/bin/bash +# shellcheck disable=SC1090 # Can't follow non-constant source. Use a directive to specify location. +# shellcheck disable=SC2015 # Deactivating bool hint +# shellcheck disable=SC2034 # Unused variables +# shellcheck disable=SC2154 # Referenced but not assigned +source "$(dirname "$(readlink -f "${0}")")/../base.sh" || (echo "Loading base.sh failed." && exit 1) +set_raid1_devices_mount_partition_and_mapper_paths(){ + info "RAID1 partition 1..." && + set_device_mount_partition_and_mapper_paths && + partition_path_1=$partition_path && + mapper_name_1=$mapper_name && + mapper_path_1=$mapper_path && + mount_path_1=$mount_path && + device_path_1=$device_path && + info "RAID1 partition 2..." && + set_device_mount_partition_and_mapper_paths && + partition_path_2=$partition_path && + mapper_name_2=$mapper_name && + mapper_path_2=$mapper_path && + mount_path_2=$mount_path && + device_path_2=$device_path || error +} diff --git a/scripts/encryption/storage/raid1/mount_on_boot.sh b/scripts/encryption/storage/raid1/mount_on_boot.sh new file mode 100644 index 0000000..c335834 --- /dev/null +++ b/scripts/encryption/storage/raid1/mount_on_boot.sh 
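Review bot: `set_raid1_devices_mount_partition_and_mapper_paths` calls `set_device_mount_partition_and_mapper_paths` twice and copies the results, but nothing rejects the same answer for both members; with identical `device_path_1`/`device_path_2` the callers in this commit would luksFormat the one device twice and hand the same mapper to `mkfs.btrfs -m raid1 -d raid1` (raid1/setup.sh), and because the key file name is derived from the mapper name, a repeated mapper name makes the second `create_luks_key_and_update_cryptab` call overwrite the first key file (raid1/mount_on_boot.sh). A guard at the end of the chain is cheap: `device_path_2=$device_path && [[ "$device_path_1" != "$device_path_2" && "$mapper_name_1" != "$mapper_name_2" ]] || error`. How `set_device_path` obtains its input is outside this diff.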
@@ -0,0 +1,14 @@
+#!/bin/bash
+# shellcheck disable=SC1090 # Can't follow non-constant source. Use a directive to specify location.
+# shellcheck disable=SC2154 # Referenced but not assigned
+# shellcheck disable=SC2015 #Deactivate bool hint
+source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
+info "Automount raid1 encrypted storages..." &&
+set_raid1_devices_mount_partition_and_mapper_paths &&
+create_luks_key_and_update_cryptab "$mapper_name_1" "$device_path_1" &&
+info "Creating mount folder unter \"$mount_path_1\"..." &&
+sudo mkdir -vp "$mount_path_1" &&
+create_luks_key_and_update_cryptab "$mapper_name_2" "$device_path_2" &&
+update_fstab "$mapper_path_1" "$mount_path_1" &&
+success "Installation finished. Please restart :)" ||
+error
diff --git a/scripts/encryption/storage/raid1/setup.sh b/scripts/encryption/storage/raid1/setup.sh
new file mode 100644
index 0000000..e5df98a
--- /dev/null
+++ b/scripts/encryption/storage/raid1/setup.sh
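Review bot: The fstab entry is written without the array ever having been mounted: raid1/setup.sh stops after `mkfs.btrfs`, and this script goes straight from `update_fstab` to "Please restart", so the first mount attempt happens at boot, where the `defaults 0 2` entry from update_fstab has no `nofail` and a failure drops the system into emergency mode. Do a trial `sudo mount "$mapper_path_1" "$mount_path_1" && sudo umount "$mount_path_1"` before `update_fstab`, or at least add `nofail` to the options. `update_fstab` also receives only `$mapper_path_1`; whether the kernel finds the second member at boot depends on both crypttab entries being opened and btrfs device scanning running before fstab, which is worth verifying once on the target system.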
@@ -0,0 +1,23 @@
+#!/bin/bash
+# @author Kevin Veen-Birkenbach [kevin@veen.world]
+# @see https://balaskas.gr/btrfs/raid1.html
+# @see https://mutschler.eu/linux/install-guides/ubuntu-btrfs-raid1/
+# shellcheck disable=SC1090 # Can't follow non-constant source. Use a directive to specify location.
+# shellcheck disable=SC2015 # Deactivating bool hint
+# shellcheck disable=SC2154 # Referenced but not assigned
+source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
+
+set_raid1_devices_mount_partition_and_mapper_paths
+
+info "Encrypting $device_path_1..." &&
+cryptsetup luksFormat "$device_path_1" &&
+info "Encrypting $device_path_2..." &&
+cryptsetup luksFormat "$device_path_2" &&
+blkid | tail -2 &&
+cryptsetup luksOpen "$device_path_1" "$mapper_name_1" &&
+cryptsetup luksOpen "$device_path_2" "$mapper_name_2" &&
+cryptsetup status "$mapper_path_1" &&
+cryptsetup status "$mapper_path_2" &&
+mkfs.btrfs -m raid1 -d raid1 "$mapper_path_1" "$mapper_path_2" &&
+success "Encryption successfull :)" ||
+error
diff --git a/scripts/encryption/storage/single_drive/base.sh b/scripts/encryption/storage/single_drive/base.sh
new file mode 100644
index 0000000..3c00ca1
--- /dev/null
+++ b/scripts/encryption/storage/single_drive/base.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+# shellcheck disable=SC1090 # Can't follow non-constant source. Use a directive to specify location.
+source "$(dirname "$(readlink -f "${0}")")/../base.sh" || (echo "Loading base.sh failed." && exit 1)
diff --git a/scripts/encryption/storage/single_drive/mount.sh b/scripts/encryption/storage/single_drive/mount.sh
new file mode 100644
index 0000000..a54896a
--- /dev/null
+++ b/scripts/encryption/storage/single_drive/mount.sh
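Review bot: All `cryptsetup` and `mkfs.btrfs` calls in raid1/setup.sh run without `sudo`, while every other script in this commit (single_drive/setup.sh, raid1/mount_on_boot.sh) prefixes them, so this one only works when launched as root; and `luksFormat` here omits the `-y` passphrase verification that single_drive/setup.sh passes, so a mistyped passphrase on either member goes unnoticed until the array can no longer be opened (unless the installed cryptsetup already verifies on luksFormat by default). Align with the single-drive script: `sudo cryptsetup -v -y luksFormat "$device_path_1"` and likewise for `$device_path_2`. `blkid | tail -2` assumes the two new containers are the last entries blkid lists, which it does not guarantee; `sudo blkid "$device_path_1" "$device_path_2"` prints exactly the two.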
@@ -0,0 +1,18 @@
+#!/bin/bash
+# shellcheck disable=SC1090 # Can't follow non-constant source. Use a directive to specify location.
+# shellcheck disable=SC2015 # Deactivating bool hint
+# shellcheck disable=SC2154 # Referenced but not assigned
+source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
+echo "Mounts encrypted storages"
+
+set_device_mount_partition_and_mapper_paths
+
+info "Unlock partition..." &&
+sudo cryptsetup luksOpen "$partition_path" "$mapper_name" ||
+error
+
+info "Mount partition..." &&
+sudo mount "$mapper_path" "$mount_path" ||
+error
+
+success "Mounting successfull :)"
diff --git a/scripts/encryption/storage/single_drive/mount_on_boot.sh b/scripts/encryption/storage/single_drive/mount_on_boot.sh
new file mode 100644
index 0000000..d44dff1
--- /dev/null
+++ b/scripts/encryption/storage/single_drive/mount_on_boot.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# shellcheck disable=SC1090 # Can't follow non-constant source. Use a directive to specify location.
+# shellcheck disable=SC2154 # Referenced but not assigned
+source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
+echo "Automount encrypted storages"
+echo
+set_device_mount_partition_and_mapper_paths
+
+create_luks_key_and_update_cryptab "$mapper_name" "$partition_path"
+
+update_fstab "$mapper_path" "$mount_path"
+
+success "Installation finished. Please restart :)"
diff --git a/scripts/encryption/storage/setup.sh b/scripts/encryption/storage/single_drive/setup.sh
similarity index 65%
rename from scripts/encryption/storage/setup.sh
rename to scripts/encryption/storage/single_drive/setup.sh
index fdd7b78..7071f5d 100644
--- a/scripts/encryption/storage/setup.sh
+++ b/scripts/encryption/storage/single_drive/setup.sh
@@ -1,3 +1,7 @@ +#!/bin/bash +# shellcheck disable=SC1090 # Can't follow non-constant source. Use a directive to specify location. +# shellcheck disable=SC2015 # Deactivating bool hint +# shellcheck disable=SC2154 # Referenced but not assigned source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1) echo "Setups disk encryption" @@ -22,25 +26,25 @@ info "Creating partition table..." error info "Encrypt $device_path..." && -sudo cryptsetup -v -y luksFormat $partition_path || +sudo cryptsetup -v -y luksFormat "$partition_path" || error info "Unlock partition..." && -sudo cryptsetup luksOpen $partition_path $mapper_name || +sudo cryptsetup luksOpen "$partition_path" "$mapper_name" || error info "Create btrfs file system..." && -sudo mkfs.btrfs $mapper_path || error +sudo mkfs.btrfs "$mapper_path" || error info "Creating mount folder unter \"$mount_path\"..." && -sudo mkdir -p $mount_path || error +sudo mkdir -p "$mount_path" || error info "Mount partition..." && -sudo mount $mapper_path $mount_path || +sudo mount "$mapper_path" "$mount_path" || error info "Own partition by user..." && -sudo chown -R $USER:$USER $mount_path || +sudo chown -R "$USER":"$USER" "$mount_path" || error success "Encryption successfull :)" diff --git a/scripts/encryption/storage/single_drive/umount.sh b/scripts/encryption/storage/single_drive/umount.sh new file mode 100644 index 0000000..cd46017 --- /dev/null +++ b/scripts/encryption/storage/single_drive/umount.sh 
@@ -0,0 +1,15 @@
+#!/bin/bash
+# shellcheck disable=SC1090 # Can't follow non-constant source. Use a directive to specify location.
+# shellcheck disable=SC2015 # Deactivating bool hint
+# shellcheck disable=SC2154 # Referenced but not assigned
+source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
+echo "Unmount encrypted storages"
+
+set_device_mount_partition_and_mapper_paths
+
+info "Unmount $mapper_path..."
+sudo umount "$mapper_path" &&
+sudo cryptsetup luksClose "$mapper_path" ||
+error
+
+success "Successfull :)"
diff --git a/scripts/encryption/storage/umount.sh b/scripts/encryption/storage/umount.sh
deleted file mode 100644
index d894ba7..0000000
--- a/scripts/encryption/storage/umount.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-source "$(dirname "$(readlink -f "${0}")")/base.sh" || (echo "Loading base.sh failed." && exit 1)
-echo "Unmount encrypted storages"
-
-set_device_mount_partition_and_mapper_paths
-
-info "Unmount $mapper_path..."
-sudo umount $mapper_path &&
-sudo cryptsetup luksClose $mapper_path ||
-error
-
-success "Successfull :)"