forked from Jipok/void-infect
void-infect.sh
#!//usr/bin/env bash
# void-infect: Install Void linux over the existing OS on VPS
# Inspired by nixos-infect (https://github.com/elitak/nixos-infect)
# Abort the script as soon as an unguarded command returns non-zero.
set -o errexit

# Rootfs tarball to install and the SHA256 digest the download must match.
# The digest pins this exact image, so the two values must be changed together.
VOID_LINK='https://repo-default.voidlinux.org/live/current/void-x86_64-ROOTFS-20240314.tar.xz'
VOID_HASH='9087a3e23367347a717f0bb11c2541e6abe93054a146cc3aa95545d32379b8a1'

# Optional extra locale (empty skips the locale step), extra packages, hostname.
ADD_LOCALE='ru_RU.UTF-8'
ADD_PKG='fuzzypkg vsv tmux dte nano gotop fd ncdu git tree neofetch'
SET_HOSTNAME='void-vps'

# ANSI colour sequences; they are interpreted later by "echo -e".
NC='\033[0m'
RED='\033[0;31m'
GREEN='\033[0;32m'
BLUE='\033[0;34m'
# Print a progress message on stdout, prefixed with a green "[+]" tag.
# Arguments: $1 - message text (echo -e interprets backslash escapes in it)
log() {
  local message=$1
  echo -e "${GREEN}[+]${NC} ${message}"
}
# Report a fatal problem: print the message on stdout with a red "[!]" tag,
# then hand control to handle_error (defined elsewhere in this file).
# Arguments: $1 - message text (echo -e interprets backslash escapes in it)
error() {
  local message=$1
  echo -e "${RED}[!]${NC} ${message}"
  handle_error
}
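# Run a command quietly; on failure print its captured output and abort.
#
# Several arguments are executed exactly as given, so each one reaches the
# command as a single word even when it contains spaces or shell
# metacharacters (the previous eval re-parsed every argument).
# A single argument is treated as a shell command line and evaluated; callers
# in this file rely on that for embedded quoting, e.g. try 'cmd -N ""'.
#
# Arguments: $@ - a command with its arguments, or one command-line string
# Outputs:   nothing on success; on failure the command and its log on stdout
# Returns:   0 on success; on failure handle_error ends the script
try() {
  local log_file
  local status=0
  # Declared separately so a failing mktemp is not masked by "local".
  log_file=$(mktemp) || {
    echo -e "${RED}[!]${NC} Failed: mktemp"
    handle_error
    return 1
  }
  if (( $# == 1 )); then
    # eval re-parses its input: pass only script-authored strings this way.
    eval "$1" &> "$log_file" || status=$?
  else
    "$@" &> "$log_file" || status=$?
  fi
  if (( status != 0 )); then
    echo -e "${RED}[!]${NC} Failed: $*"
    cat "$log_file"
    handle_error
  fi
  rm -f "$log_file"
}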
# Set to "true" later in this script, just before the boot loader is installed
# and the old root is replaced; handle_error reads it to pick its message.
# Exported so child processes inherit the value.
POINT_OF_NO_RETURN=false
export POINT_OF_NO_RETURN
# Final stop for every failure path (called by error, by try, and by the
# ERR/INT/TERM trap installed in this file).
# Prints one of two notices depending on POINT_OF_NO_RETURN, then starts a
# "bash" process so the operator can inspect the machine, and exits with
# status 1 once that shell ends.
# Globals: POINT_OF_NO_RETURN (read), RED, GREEN, NC (read)
handle_error() {
  case "$POINT_OF_NO_RETURN" in
    false)
      # Nothing outside /void is reported as changed yet.
      echo -e "
╔════════════════════════════════════════════════════════════════════╗
║ INSTALLATION ABORTED ║
╠════════════════════════════════════════════════════════════════════╣
║ ${GREEN}The system has NOT been broken. ${NC} ║
║ You can safely: ║
║ 1. Reboot the system ║
║ 2. rm -rf /void ║
╚════════════════════════════════════════════════════════════════════╝
"
      ;;
    *)
      # The old system may already be partly replaced.
      echo -e "
╔════════════════════════════════════════════════════════════════════╗
║ ${RED}CRITICAL ERROR${NC} ║
╠════════════════════════════════════════════════════════════════════╣
║ Installation failed during system replacement. ║
║ ║
║ You can: ║
║ 1. Try to complete Void installation manually: ║
║ - You are now in chroot environment ║
║ - Check error message above ║
║ - Continue with remaining installation steps ║
║ ║
║ 2. If unsure, just reinstall your system using VPS panel ║
╚════════════════════════════════════════════════════════════════════╝
"
      ;;
  esac
  bash
  exit 1
}
# Send command failures (ERR) and SIGINT/SIGTERM to handle_error.
trap 'handle_error' ERR INT TERM
###############################################################################
# First stage, before chroot
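# Stage 1 runs on the original OS: it downloads and verifies the rootfs,
# prepares /void, and re-runs this script inside a chroot with
# VOID_INFECT_STAGE_2 set.
if [ -z "$VOID_INFECT_STAGE_2" ]; then
  # Preconditions: root privileges, at least one SSH key for root (password
  # logins are disabled later), no leftover /void, and findmnt available.
  [[ $(id -u) == 0 ]] || error "This script must be run as root"
  [ -s /root/.ssh/authorized_keys ] || error "At least one SSH key required in root's authorized_keys"
  [[ -d /void ]] && error "Remove /void before start"
  command -v findmnt >/dev/null 2>&1 || error "findmnt not found. Install util-linux"

  echo "
_______ _________ ______ _________ _ _______ _______ _______ _________
|\ /|( ___ )\__ __/( __ \ \__ __/( ( /|( ____ \( ____ \( ____ \\__ __/
| ) ( || ( ) | ) ( | ( \ ) ) ( | \ ( || ( \/| ( \/| ( \/ ) (
| | | || | | | | | | | ) | | | | \ | || (__ | (__ | | | |
( ( ) )| | | | | | | | | | | | | (\ \) || __) | __) | | | |
\ \_/ / | | | | | | | | ) | | | | | \ || ( | ( | | | |
\ / | (___) |___) (___| (__/ ) ___) (___| ) \ || ) | (____/\| (____/\ | |
\_/ (_______)\_______/(______/ \_______/|/ )_)|/ (_______/(_______/ )_(
"

  log "Creating /void directory..."
  SCRIPT_PATH=$(readlink -f "$0")
  try mkdir -p /void
  try cd /void
  try mkdir -p {proc,sys,dev,run,oldroot}

  log "Downloading $(basename "$VOID_LINK" .tar.xz)..."
  if command -v curl >/dev/null 2>&1; then
    try curl -fL "$VOID_LINK" -o "/void/rootfs.tar.xz"
  elif command -v wget >/dev/null 2>&1; then
    try wget -O "/void/rootfs.tar.xz" "$VOID_LINK"
  else
    echo "Error: Neither curl nor wget is available"
    exit 1
  fi

  # Integrity gate: the archive is unpacked only if it matches the pinned
  # digest. If sha256sum is missing the value is empty and the check fails too.
  log "Verifying SHA256 checksum..."
  CALCULATED_HASH=$(sha256sum "/void/rootfs.tar.xz" | cut -d' ' -f1)
  if [ "$CALCULATED_HASH" != "$VOID_HASH" ]; then
    error "SHA256 checksum verification failed!"
  fi

  log "Extracting rootfs..."
  try tar xf "/void/rootfs.tar.xz" -C "/void"
  try rm "/void/rootfs.tar.xz"

  log "Configuring fstab..."
  ROOT_DEV=$(findmnt -n -o SOURCE /)
  ROOT_FS_TYPE=$(findmnt -n -o FSTYPE /)
  # Strip the trailing partition number to get the whole-disk device. A name
  # like /dev/nvme0n1p1 does not reduce to an existing device this way and is
  # rejected by the checks below.
  ROOT_DISK=$(echo "$ROOT_DEV" | sed 's/[0-9]*$//')
  export ROOT_DISK
  [[ -e "$ROOT_DISK" ]] || error "Could not determine root disk device"
  [[ -b "$ROOT_DISK" ]] || error "Invalid root disk device: $ROOT_DISK"
  # Write the NEW system's fstab. The running host's /etc/fstab must stay
  # untouched so that aborting before the point of no return changes nothing.
  echo "$ROOT_DEV / $ROOT_FS_TYPE defaults 0 1" > /void/etc/fstab

  log "Copying essential files..."
  echo "$SET_HOSTNAME" > /void/etc/hostname
  # self
  cp "$SCRIPT_PATH" /void/void-infect.sh
  # ssh: carry root's authorized keys over, with owner-only permissions
  mkdir -p /void/root/.ssh
  try cp -r /root/.ssh/authorized_keys /void/root/.ssh/
  chmod 700 /void/root/.ssh
  chmod 600 /void/root/.ssh/authorized_keys
  # Extract DNS servers, replace localhost with 1.1.1.1
  grep ^nameserver /etc/resolv.conf | sed -r \
    -e 's/127[0-9.]+/1.1.1.1/' \
    -e 's/::1/1.1.1.1/' > /void/etc/resolv.conf

  # NOTE(review): the filter keeps units whose name contains "sshd"; a host
  # whose SSH unit has another name (e.g. ssh.service) would have it stopped
  # here. Confirm that is acceptable for the current session.
  log "Stopping non-essential services..."
  systemctl list-units --type=service --state=running | \
    grep '\.service' | \
    cut -d' ' -f1 | \
    grep -vE '(sshd|systemd-journal|systemd-udev)' | \
    xargs -r systemctl stop >> /dev/null

  # Best effort: failures to unmount are deliberately ignored.
  log "Unmounting all non-essential filesystems..."
  swapoff -a || true
  awk '$2!="/" && $2!="" && $2!="/void" && $2!="/sys" && $2!="/proc" && $2!="/dev" {print $2}' /proc/mounts | sort -r | \
    while read -r mount_point; do
      umount -f -l "$mount_point" 2>/dev/null || true
    done

  log "Mounting necessary filesystems..."
  try mount --bind / /void/oldroot
  try mount --bind /dev /void/dev
  try mount --bind /proc /void/proc
  try mount --bind /sys /void/sys

  log "Entering chroot..."
  env VOID_INFECT_STAGE_2=y chroot /void /void-infect.sh
  exit 0
fi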
###############################################################################
# Second stage, inside chroot
# Stage 2 starts here, inside the chroot: / is the extracted Void rootfs and
# the original system is reachable under /oldroot.

# Update the package manager itself first, then everything else in the rootfs.
log "Updating xbps..."
try xbps-install -Syu xbps
log "Updating packages..."
try xbps-install -Syu
log "Configuring xbps..."
# Append ignorepkg entries for the firmware packages to the xbps configuration.
echo 'ignorepkg=linux-firmware-amd
ignorepkg=linux-firmware-intel
ignorepkg=linux-firmware-nvidia
ignorepkg=linux-firmware-network' >> /etc/xbps.d/ignore.conf
log "Installing base system..."
# Don't use `base-system` because it contains heavy and useless WiFi drivers
try xbps-install -y base-minimal linux
# Useful packages from base-system
try xbps-install -y man-pages mdocml ncurses iproute2 iputils traceroute ethtool file kmod
log "Installing necessary packages..."
# Utils used by scripts
try xbps-install -y bind-utils psmisc parallel less jq unzip bc git
# We need it
try xbps-install -y grub wget curl openssh bash
log "Installing useful packages..."
# $ADD_PKG is left unquoted on purpose: each listed package becomes one argument.
try xbps-install -y $ADD_PKG
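log "Installing simple cron..."
try xbps-install -y scron
# Enable the crond service for the default runit runlevel.
ln -sf /etc/sv/crond /etc/runit/runsvdir/default/
# The job line uses the portable ">> file 2>&1" redirection. The bash-only
# "&>>" form is read by a POSIX sh as "run in background" followed by an empty
# redirection, so the daily job output would never reach the log file; cron
# normally runs jobs through /bin/sh, which need not be bash.
echo "# * (wildcard), 30 (number), */N (repeat), 1-5 (range), or 1,3,6 (list)
#
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12)
# | | | | .-- day of week (0 - 6)
# | | | | |
# m h dom mon dow command
0 4 * * * run-parts /etc/cron.daily >> /var/log/cron.daily.log 2>&1
" > /etc/crontab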
log "Installing ufw..."
try xbps-install -y ufw
# Enable the ufw service and switch the firewall on in its configuration.
ln -sf /etc/sv/ufw /etc/runit/runsvdir/default/
sed -i 's/ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf
# Queue "ufw allow ssh" in rc.local so the SSH rule is added on the new system.
# The #VOID-INFECT-STAGE-3 tag marks the line for removal by the sed command
# that this script appends to rc.local further down.
echo "ufw allow ssh #VOID-INFECT-STAGE-3" >> /etc/rc.local
log "Disabling unused services (agetty, udev)..."
# Clean the package cache (-O) and remove orphaned packages (-o).
xbps-remove -Oo
# Remove the service links so no getty and no udevd is started at boot.
# Either rm fails, and aborts the script under "set -e", if its target is missing.
rm /etc/runit/runsvdir/default/agetty*
rm /etc/runit/runsvdir/default/udevd
log "Setting up bash configuration..."
# NOTE(review): unlike the rootfs archive, these four files are installed
# without a checksum. Three URLs follow a moving "master" branch and one a
# "2.11" ref, so the content can change between runs. They land under
# /etc/bash, presumably read by root's interactive shells - consider pinning
# each URL to a commit and verifying a known SHA256 before installing.
try wget https://raw.githubusercontent.com/Jipok/Cute-bash/master/.bashrc -O "/etc/bash/bashrc.d/cute-bash.sh"
try wget "https://raw.githubusercontent.com/trapd00r/LS_COLORS/master/LS_COLORS" -O "/etc/bash/ls_colors"
try wget "https://raw.githubusercontent.com/cykerway/complete-alias/master/complete_alias" -O "/etc/bash/complete_alias"
try wget "https://raw.githubusercontent.com/scop/bash-completion/2.11/bash_completion" -O "/etc/bash/bash-completion-2.11"
# The skeleton .bashrc may be absent; ignoring that failure is deliberate.
rm "/etc/skel/.bashrc" 2>/dev/null || true
usermod -s /bin/bash root || error "Failed to set bash as default shell"
# Optional step: uncomment the requested locale in libc-locales and regenerate
# the locale data. Skipped when ADD_LOCALE is empty.
if [[ -n "$ADD_LOCALE" ]]; then
  log "Setting locales..."
  sed -i "s/^# *$ADD_LOCALE/$ADD_LOCALE/" /etc/default/libc-locales
  try xbps-reconfigure -f glibc-locales
fi
log "Configuring network in /etc/rc.local..."
# Interface carrying the default route (IPv4 first, IPv6 as fallback). It is
# only used to read the current addresses; the commands written to rc.local
# name eth0 instead, presumably relying on the net.ifnames=0 kernel parameter
# that this script adds to the GRUB configuration further down.
interface=$(ip route show default | head -n1 | awk '{print $5}')
[[ -z "$interface" ]] && interface=$(ip -6 route show default 2>/dev/null | head -n1 | awk '{print $5}')
# NOTE(review): an interface with several addresses makes ipv4_addr/ipv6_addr
# multi-line, which the single "ip addr add" lines below do not expect - confirm
# that only single-address hosts are targeted.
# 4
ipv4_addr=$(ip addr show dev "$interface" | grep 'inet ' | awk '{print $2}')
ipv4_gateway=$(ip route show default | head -n1 | awk '{print $3}')
# 6 (link-local fe80 addresses are skipped)
ipv6_addr=$(ip -6 addr show dev "$interface" | grep 'inet6' | grep -v 'fe80' | awk '{print $2}')
ipv6_gateway=$(ip -6 route show default | head -n1 | awk '{print $3}')
#
# Static network setup appended to rc.local; each line is written only when the
# corresponding value was detected. With an IPv6 address but no IPv6 gateway,
# router advertisements are accepted instead of adding a default route.
echo "" >> /etc/rc.local
echo "# From void-infect.sh" >> /etc/rc.local
echo "ip link set dev eth0 up" >> /etc/rc.local
[ -n "$ipv4_addr" ] && echo "ip addr add $ipv4_addr dev eth0" >> /etc/rc.local
[ -n "$ipv4_gateway" ] && echo "ip route add default via $ipv4_gateway" >> /etc/rc.local
[ -n "$ipv6_addr" ] && echo "ip -6 addr add $ipv6_addr dev eth0" >> /etc/rc.local && \
[ -z "$ipv6_gateway" ] && echo "echo 1 > /proc/sys/net/ipv6/conf/eth0/accept_ra" >> /etc/rc.local
[ -n "$ipv6_gateway" ] && echo "ip -6 route add default via $ipv6_gateway" >> /etc/rc.local
echo "" >> /etc/rc.local
# One-time cleanup run from rc.local on the new system: delete the leftover
# /void tree, then strip every line containing #VOID-INFECT-STAGE-3 from
# rc.local (the sed line contains the tag itself, so it removes itself too).
echo "rm -rf /void #VOID-INFECT-STAGE-3" >> /etc/rc.local
echo "sed -i '/#VOID-INFECT-STAGE-3/d' /etc/rc.local " >> /etc/rc.local
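log "Configuring SSH..."
# Secure SSH configuration: key-only root login, no password-style logins.
# Each sed rewrites an existing (possibly commented-out) directive in place;
# it does not add a directive that is absent from the file.
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i 's/^#\?ChallengeResponseAuthentication.*/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
# Newer OpenSSH names this option KbdInteractiveAuthentication and keeps the
# old name only as a deprecated alias, so cover the new spelling as well.
sed -i 's/^#\?KbdInteractiveAuthentication.*/KbdInteractiveAuthentication no/' /etc/ssh/sshd_config
# Stop here, while aborting is still harmless, if password logins were not
# actually switched off (for example because the directive line was missing).
grep -qx 'PasswordAuthentication no' /etc/ssh/sshd_config \
  || error "PasswordAuthentication is not disabled in /etc/ssh/sshd_config"
# Generate only modern Ed25519 key (faster and more secure than RSA)
# Passed as one string so that try evaluates the embedded empty passphrase "".
try 'ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""'
# Fingerprint of the new host key; shown to the operator at the end of the run.
SSH_FP=$(ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub | awk '{print $2}')
# Prevent generation of legacy keys during service start
# The service directory is copied rather than linked, and the copy is edited.
cp -r /etc/sv/sshd /etc/runit/runsvdir/default/
sed -i '/ssh-keygen -A/d' /etc/runit/runsvdir/default//sshd/run
log "Disabling root password login..."
try passwd -l root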
###############################################################################
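# ROOT_DISK reaches this stage through the environment exported by stage 1.
# Check it again here, while aborting is still harmless, instead of letting
# grub-install fail after the point of no return.
[[ -b "$ROOT_DISK" ]] || error "Invalid root disk device: $ROOT_DISK"
# From here on handle_error reports a critical error: the steps below modify
# the boot loader and the old root filesystem.
export POINT_OF_NO_RETURN=true
log "Installing bootloader..."
try grub-install "$ROOT_DISK"
# Use traditional Linux naming scheme for interfaces
# (the rc.local network commands written earlier refer to eth0)
sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="/GRUB_CMDLINE_LINUX_DEFAULT="net.ifnames=0 /' /etc/default/grub
# IPv6 support
[ -n "$ipv6_addr" ] && sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="/GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=0 /' /etc/default/grub
try update-grub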
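log "Removing old system..."
cd /oldroot
# Delete every top-level entry of the old root except dev, proc, sys, mnt and
# void. find hands the names to rm as separate arguments after "--", so entries
# containing whitespace are removed correctly, which parsing "ls" output
# through xargs did not guarantee.
find . -mindepth 1 -maxdepth 1 \
  ! -name dev ! -name proc ! -name sys ! -name mnt ! -name void \
  -exec rm -rf -- {} +
log "Copying new system..."
cd /
# Stream the chroot's root into the old root, skipping pseudo-filesystems,
# volatile directories, the /oldroot mount itself and this script.
# NOTE(review): pipefail is not enabled, so only the status of the extracting
# tar is checked; a failure of the archiving tar would go unnoticed before the
# reboot.
tar -cf - \
  --exclude='./dev/*' \
  --exclude='./proc/*' \
  --exclude='./sys/*' \
  --exclude='./tmp/*' \
  --exclude='./run/*' \
  --exclude='./media/*' \
  --exclude='./lost+found' \
  --exclude='./oldroot*' \
  --exclude='./void-infect.sh' \
  . | (cd /oldroot && tar xf -)
# Flush pending writes to disk before the forced reboot that follows.
sync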
log "System replacement complete. Rebooting..."
# Address shown in the hint below, taken from field 7 of "ip route get 1"
# (presumably the source address of the default route - verify on the target).
IP_ADDRESS=$(ip route get 1 2>/dev/null | awk '{print $7}' | head -1)
# Left-justify and pad to 15 characters for the box layout.
FORMATTED_IP=$(printf "%-15s" "${IP_ADDRESS}")
# Tell the operator that the host key changed and print the new fingerprint
# (SSH_FP, computed when the Ed25519 host key was generated) so it can be
# compared on the next connection.
echo -e "
╔════════════════════════════════════════════════════════════════════╗
║ IMPORTANT INFORMATION ║
╠════════════════════════════════════════════════════════════════════╣
║ You will receive a warning about changed host key ║
║ on your next SSH connection. ║
║ ║
║ To avoid connection errors, run this command ║
║ on your local machine: ║
║ ${GREEN}ssh-keygen -R ${FORMATTED_IP}${NC} ║
║ ║
║ New SSH host key fingerprint: ║
║ ${BLUE}${SSH_FP}${NC} ║
║ ║
║ Verify the fingerprint when connecting! ║
╚════════════════════════════════════════════════════════════════════╝
"
# Forced reboot (-f) into the newly installed system.
/sbin/reboot -f