From 5e70331dcde61e368d929a9d1190b70d6226a0fa Mon Sep 17 00:00:00 2001
From: Nikita
Date: Wed, 31 Jan 2024 13:34:02 +0500
Subject: [PATCH] first
---
 Ald_pro.sh | 69 +++++++++
 Astra-FreeIPA.sh | 177 +++++++++++++++++++++++
 LICENSE | 44 +++---
 README.md | 2 +-
 astra.sh | 369 +++++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 637 insertions(+), 24 deletions(-)
 create mode 100644 Ald_pro.sh
 create mode 100644 Astra-FreeIPA.sh
 create mode 100644 astra.sh
diff --git a/Ald_pro.sh b/Ald_pro.sh
new file mode 100644
index 0000000..f1a61ab
--- /dev/null
+++ b/Ald_pro.sh
@@ -0,0 +1,69 @@
+if [ "$EUID" -ne 0 ]
+ then echo "Use sudo, dummy."
+ exit
+fi
+ALD_Pro () {
+ # переменные хоста
+ read -p 'Введите имя этого ПК: ' -i $(hostname -s) -e PC_NAME
+ read -p 'Введите имя домена: ' -i $(hostname -d) -e DOMAIN
+
+ #Меняем имя хоста
+ hostnamectl set-hostname "$PC_NAME.$DOMAIN"
+ # переменные сети
+ read -p 'Введите имя интерфейса: ' -i eth0 -e INTERFACE
+ read -p 'Введите имя интерфейса: ' -i eth1 -e INTER
+ read -p 'Введите адрес этого ПК: ' -i $(hostname -i) -e IP
+ read -p 'Введите маску подсети: ' -i 24 -e SUBNET
+
+ # удаляем все соединения
+ rm /etc/network/interfaces.d/* 2> /dev/null
+ nmcli --terse connection show 2> /dev/null | cut -d : -f 1 | \
+ while read name; do echo nmcli connection delete "$name" 2> /dev/null; done
+
+ # Выключаем NetworkManager
+ systemctl disable --now NetworkManager
+ systemctl mask NetworkManager
+
+ # Настройка сети
+ echo "auto $INTERFACE" > "/etc/network/interfaces.d/$INTERFACE"
+ echo "iface $INTERFACE inet static" >> "/etc/network/interfaces.d/$INTERFACE"
+ echo -e "\taddress $IP" >> "/etc/network/interfaces.d/$INTERFACE"
+ echo -e "\tnetmask $SUBNET" >> "/etc/network/interfaces.d/$INTERFACE"
+ echo -e "\tdns-nameserver 127.0.0.1" >> "/etc/network/interfaces.d/$INTERFACE"
+ echo -e "\tdns-search $DOMAIN" >> "/etc/network/interfaces.d/$INTERFACE"
+ echo "auto $INTER" > "/etc/network/interfaces.d/$INTER"
+ echo "iface $INTER inet dhcp" >> "/etc/network/interfaces.d/$INTER"
+ echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts
+ echo "127.0.1.1 $PC_NAME" >> /etc/hosts
+ echo "$IP $PC_NAME.$DOMAIN $PC_NAME" >> /etc/hosts
+ systemctl restart networking
+ echo "deb https://download.astralinux.ru/aldpro/stable/repository-main/ 1.0.0 main" > /etc/apt/sources.list.d/aldpro.list
+ echo "deb https://download.astralinux.ru/aldpro/stable/repository-extended/ generic main" >> /etc/apt/sources.list.d/aldpro.list
+ echo "deb http://download.astralinux.ru/astra/frozen/1.7_x86-64/1.7.1/repository-base 
1.7_x86-64 main non-free contrib" > /etc/apt/sources.list
+ echo "deb http://download.astralinux.ru/astra/frozen/1.7_x86-64/1.7.1/repository-extended 1.7_x86-64 main contrib non-free" >> /etc/apt/sources.list
+ echo "Package: *" > /etc/apt/preferences.d/aldpro
+ echo "Pin: release n=generic" >> /etc/apt/preferences.d/aldpro
+ echo "Pin-Priority: 900" >> /etc/apt/preferences.d/aldpro
+ apt update && apt upgrade -y
+ DEBIAN_FRONTEND=noninteractive apt-get install -q -y aldpro-mp && reboot
+}
+
+Pro_Install () {
+ read -p 'Введите имя этого ПК: ' -i $(hostname -s) -e PC_NAME
+ read -p 'Введите имя домена: ' -i $(hostname -d) -e DOMAIN
+ read -p 'Введите адрес этого ПК: ' -i $(hostname -i) -e IP
+ read -p 'Введите пароль администратора домена ' -i xxXX1234 -e ADMIN_PASSWORD
+ /opt/rbta/aldpro/mp/bin/aldpro-server-install.sh -d $DOMAIN -n $PC_NAME -p $ADMIN_PASSWORD --ip $IP --no-reboot
+ reboot
+}
+
+echo "ALD_Pro [1]"
+echo "Pro_Install [2]"
+read -p 'ALD_Pro [0124] ' WHICH_FUNC
+
+if grep -q "1" <<< "$WHICH_FUNC"; then
+ ALD_Pro
+fi
+if grep -q "2" <<< "$WHICH_FUNC"; then
+ Pro_Install
+fi
diff --git a/Astra-FreeIPA.sh b/Astra-FreeIPA.sh
new file mode 100644
index 0000000..65dbe7d
--- /dev/null
+++ b/Astra-FreeIPA.sh
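Review bot: The connection-cleanup loop in `ALD_Pro` never deletes anything: its body is `echo nmcli connection delete "$name"`, so the command is only printed and every existing NetworkManager connection survives the "удаляем все соединения" step; drop the `echo` (the identical line is in `network_variables` in astra.sh). The `-i $(hostname -d)` defaults on the `read` lines are unquoted, so on a host with no domain the empty expansion makes `-e` the argument of `-i` and both the default and readline editing are lost; write `read -p 'Введите имя домена: ' -i "$(hostname -d)" -e DOMAIN` (astra.sh repeats this pattern). In `Pro_Install` the domain administrator password has a hard-coded default `xxXX1234`, is echoed while typed, and is passed to `aldpro-server-install.sh` on the command line as `-p $ADMIN_PASSWORD`, where any local user can read it from the process list; read it with `read -r -s -p 'Введите пароль администратора домена ' ADMIN_PASSWORD` and check whether the installer accepts the password from stdin or a file instead of argv (astra.sh's `admin_variables` has the same default). The non-root guard ends in a bare `exit`, which returns status 0 to the caller; use `exit 1`.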
@@ -0,0 +1,177 @@
+#!/usr/bin/env bash
+if [[ $(whoami) == "root" ]]; then
+# определение необходимостей
+read -p 'Сеть [1] / Репозитории [2] / Домен [3] / Вход [4] ' whichScript
+
+##################################
+# Настройка сети #
+##################################
+# проверяем необходимость запуска
+if grep -q "1" <<< "$whichScript"; then
+# задаём имя соединению
+con="Проводное соединение 1"
+# назначаем хостнейм
+read -p 'Введите хостнейм FQDN: ' hostname
+hostnamectl set-hostname "$hostname"
+# конфигуриуем соединение
+read -p 'Введите IP: ' ip
+read -p 'Введите маску: ' mask
+read -p 'Введите гетвей: ' gateway
+read -p 'Введите DNS(для клиента указываем DNS домен): ' dns
+nmcli con mod "$con" ip4 $ip/$mask gw4 $gateway
+# настраиваем адресс DNS
+nmcli con mod "$con" ipv4.dns "$dns"
+# отключаем DHCP, Добавляем loopback строку в IPv6
+nmcli con mod "$con" ipv4.method manual
+chmod 777 /etc/sysctl.d/999-astra.conf
+echo "net.ipv6.conf.lo.disable_ipv6 = 0" >> /etc/sysctl.d/999-astra.conf
+chmod 644 /etc/sysctl.d/999-astra.conf
+# указываем данные hosts
+pcDomain=$(hostname -s)
+domain=$(hostname -d)
+echo "$ip $hostname $pcDomain" >> /etc/hosts
+# перезапускаем соединение
+nmcli con down "$con" ; nmcli con up "$con"
+fi
+
+
+##################################
+# Конфигурация репозиториев #
+##################################
+# проверяем необходимость запуска
+if grep -q "2" <<< "$whichScript"; then
+#!/usr/bin/env bash
+# CD/DVD-1 [Smolensk-1.6]
+mkdir -p /srv/repo/smolensk/main
+mount /dev/sr0 /media/cdrom
+cp -a /media/cdrom/* /srv/repo/smolensk/main
+umount /media/cdrom
+# CD/DVD 2 [Devel-Smolensk-1.6]
+mkdir -p /srv/repo/smolensk/devel
+mount /dev/sr1 /media/cdrom
+cp -a /media/cdrom/* /srv/repo/smolensk/devel
+umount /media/cdrom
+# CD/DVD 3 [20200722SE16]
+mkdir -p /srv/repo/smolensk/update
+mount /dev/sr2 /media/cdrom
+cp -a /media/cdrom/* /srv/repo/smolensk/update
+umount /media/cdrom
+# CD/DVD 4 [Repository-Update-Devel]
+mkdir -p 
/srv/repo/smolensk/update-dev
+mount /dev/sr3 /media/cdrom
+cp -a /media/cdrom/* /srv/repo/smolensk/update-dev
+umount /media/cdrom
+# дополняем источники
+echo -n > /etc/apt/sources.list
+echo "# репозиторий основного диска" >> /etc/apt/sources.list
+echo "deb file:/srv/repo/smolensk/main smolensk main contrib non-free" >> /etc/apt/sources.list
+echo "# репозиторий диска со средствами разработки" >> /etc/apt/sources.list
+echo "deb file:/srv/repo/smolensk/devel smolensk main contrib non-free" >> /etc/apt/sources.list
+echo "# репозиторий диска с обновлением основного диска" >> /etc/apt/sources.list
+echo "deb file:/srv/repo/smolensk/update smolensk main contrib non-free" >> /etc/apt/sources.list
+echo "# репозиторий диска с обновлением диска со средствами разработки" >> /etc/apt/sources.list
+echo "deb file:/srv/repo/smolensk/update-dev smolensk main contrib non-free" >> /etc/apt/sources.list
+# обновление пакетов
+apt update -y
+apt dist-upgrade -y
+apt -f install -y
+# включение SSH
+apt install ssh -y
+systemctl enable ssh
+systemctl start ssh
+# перезагружаем
+read -p 'Перезагрузить машину? 
' doReboot
+if [[ "$doReboot" == "y" ]]; then
+ reboot
+fi
+fi
+
+##################################
+# Установка домена #
+##################################
+# проверяем необходимость запуска
+if grep -q "3" <<< "$whichScript"; then
+echo "dns должен быть loopback и имя сервера должно быть FQDN = astra.demo.lab"
+con="Проводное соединение 1"
+# добавление репозиториев и установка пакетов для УЦ Dogtag FreeIPA
+echo -n > /etc/apt/sources.list
+echo "# репозиторий с актуальными стабильными версиями пакетов" >> /etc/apt/sources.list
+echo "deb https://download.astralinux.ru/astra/stable/orel/repository orel contrib main non-free" >> /etc/apt/sources.list
+echo "# репозиторий с тестируемыми версиями пакетов" >> /etc/apt/sources.list
+echo "deb https://download.astralinux.ru/astra/testing/orel/repository orel contrib main non-free" >> /etc/apt/sources.list
+echo "# репозиторий с экспериментальными пакетами" >> /etc/apt/sources.list
+echo "deb https://download.astralinux.ru/astra/experimental/orel/repository orel contrib main non-free" >> /etc/apt/sources.list
+
+# обновление пакетов
+apt update -y
+# установка пакетов для УЦ
+apt -d install pki-ca pki-kra -y
+dpkg -i /var/cache/apt/archives/*.deb
+
+# восстанавливаем репозитории источники
+echo -n > /etc/apt/sources.list
+echo "# репозиторий основного диска" >> /etc/apt/sources.list
+echo "deb file:/srv/repo/smolensk/main smolensk main contrib non-free" >> /etc/apt/sources.list
+echo "# репозиторий диска со средствами разработки" >> /etc/apt/sources.list
+echo "deb file:/srv/repo/smolensk/devel smolensk main contrib non-free" >> /etc/apt/sources.list
+echo "# репозиторий диска с обновлением основного диска" >> /etc/apt/sources.list
+echo "deb file:/srv/repo/smolensk/update smolensk main contrib non-free" >> /etc/apt/sources.list
+echo "# репозиторий диска с обновлением диска со средствами разработки" >> /etc/apt/sources.list
+echo "deb file:/srv/repo/smolensk/update-dev smolensk main contrib non-free" >> 
/etc/apt/sources.list
+
+# обновление пакетов
+apt update -y
+
+#read -p 'Введите хостнейм еще раз: ' hostname
+# конфигуриуем соединение
+read -p 'Введите DNS такой же как IP: ' dns
+
+# настраиваем адресс DNS
+nmcli con mod "$con" ipv4.dns "$dns"
+
+# перезапускаем соединение
+nmcli con down "$con" ; nmcli con up "$con"
+
+# установка пакетов FreeIPA
+apt install fly-admin-freeipa-server -y
+# профилактика битых пакетов
+apt -f install -y
+# проверяем переменные сети
+
+# конфигурируем данные домена
+pcDomain=$(hostname -s)
+domain=$(hostname -d)
+ip=$(hostname -i)
+
+# конфигурация домена
+astra-freeipa-server -d $domain -n $pcDomain -px -ip $ip -o --dogtag -y
+read -p 'Перезагрузить машину? ' doReboot
+if [[ "$doReboot" == "y" ]]; then
+ reboot
+fi
+fi
+
+##################################
+# Ввод в домен #
+##################################
+# проверяем необходимость запуска
+if grep -q "4" <<< "$whichScript"; then
+# установка пакетов
+apt install fly-admin-freeipa-client -y
+# профилактика битых пакетов
+apt -f install -y
+# конфигурируем данные домена
+domain=$(hostname -d)
+# входим в домен
+astra-freeipa-client -d $domain
+fi
+# перезагружаем
+read -p 'Перезагрузить машину? ' doReboot
+if [[ "$doReboot" == "y" ]]; then
+ reboot
+fi
+# проверка sudo
+else
+echo "Запусти скрипт через sudo!"
+fi
+fi
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
index ff185d3..acd7c47 100644
--- a/LICENSE
+++ b/LICENSE
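Review bot: The file ends with one `fi` more than it has `if`s (by my count eight `if` and nine `fi`, the last two lines of the hunk), so bash runs the whole outer `if [[ $(whoami) == "root" ]]` block and then stops with a syntax error on the trailing `fi`; delete that final `fi`. In the network section `chmod 777 /etc/sysctl.d/999-astra.conf` is unnecessary for a root-run script and briefly leaves a sysctl drop-in world-writable; the `>>` on the next line works without it, so drop both `chmod` lines. In the domain section `dpkg -i /var/cache/apt/archives/*.deb` installs every package that happens to sit in the apt cache, not only the `pki-ca pki-kra` set fetched by `apt -d install`; run `apt clean` before the download, or install the two packages by name. The stray `#!/usr/bin/env bash` inside the repository block is just a comment at that position and should be removed.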
@@ -1,23 +1,21 @@
-Copyright The Open Group
-
-Permission to use, copy, modify, distribute, and sell this software and
-its documentation for any purpose is hereby granted without fee,
-provided that the above copyright notice appear in all copies and that
-both that copyright notice and this permission notice appear in
-supporting documentation.
-
-The above copyright notice and this permission notice shall be included
-in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
-OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
-IN NO EVENT SHALL BE LIABLE FOR ANY CLAIM, DAMAGES
-OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
-OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
-THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-Except as contained in this notice, the name of The Open Group
-shall not be used in advertising or otherwise to promote the sale, use
-or other dealings in this Software without prior written authorization
-from The Open Group.
+NETHACK GENERAL PUBLIC LICENSE
+(Copyright 1989 M. Stephenson)
+(Based on the BISON general public license, copyright 1988 Richard M. Stallman)
+Everyone is permitted to copy and distribute verbatim copies of this license, but changing it is not allowed. You can also use this wording to make the terms for other programs.
+The license agreements of most software companies keep you at the mercy of those companies. By contrast, our general public license is intended to give everyone the right to share NetHack. To make sure that you get the rights we want you to have, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. Hence this license agreement. 
+Specifically, we want to make sure that you have the right to give away copies of NetHack, that you receive source code or else can get it if you want it, that you can change NetHack or use pieces of it in new free programs, and that you know you can do these things.
+To make sure that everyone has such rights, we have to forbid you to deprive anyone else of these rights. For example, if you distribute copies of NetHack, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must tell them their rights.
+Also, for our own protection, we must make certain that everyone finds out that there is no warranty for NetHack. If NetHack is modified by someone else and passed on, we want its recipients to know that what they have is not what we distributed.
+Therefore we (Mike Stephenson and other holders of NetHack copyrights) make the following terms which say what you must do to be allowed to distribute or change NetHack.
+COPYING POLICIES
+ 1. You may copy and distribute verbatim copies of NetHack source code as you receive it, in any medium, provided that you keep intact the notices on all files that refer to copyrights, to this License Agreement, and to the absence of any warranty; and give any other recipients of the NetHack program a copy of this License Agreement along with the program.
+ 2. 
You may modify your copy or copies of NetHack or any portion of it, and copy and distribute such modifications under the terms of Paragraph 1 above (including distributing this License Agreement), provided that you also do the following:
+ a) cause the modified files to carry prominent notices stating that you changed the files and the date of any change; and
+ b) cause the whole of any work that you distribute or publish, that in whole or in part contains or is a derivative of NetHack or any part thereof, to be licensed at no charge to all third parties on terms identical to those contained in this License Agreement (except that you may choose to grant more extensive warranty protection to some or all third parties, at your option)
+ c) You may charge a distribution fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
+ 3. You may copy and distribute NetHack (or a portion or derivative of it, under Paragraph 2) in object code or executable form under the terms of Paragraphs 1 and 2 above provided that you also do one of the following:
+ a) accompany it with the complete machine-readable source code, which must be distributed under the terms of Paragraphs 1 and 2 above; or,
+ b) accompany it with full information as to how to obtain the complete machine-readable source code from an appropriate archive site. (This alternative is allowed only for noncommercial distribution.)
+ For these purposes, complete source code means either the full source distribution as originally released over Usenet or updated copies of the files in this distribution used to create the object code or executable.
+ 4. You may not copy, sublicense, distribute or transfer NetHack except as expressly provided under this License Agreement. Any attempt otherwise to copy, sublicense, distribute or transfer NetHack is void and your rights to use the program under this License agreement shall be automatically terminated. 
However, parties who have received computer software programs from you with this License Agreement will not have their licenses terminated so long as such parties remain in full compliance.
+Stated plainly: You are permitted to modify NetHack, or otherwise use parts of NetHack, provided that you comply with the conditions specified above; in particular, your modified NetHack or program containing parts of NetHack must remain freely available as provided in this License Agreement. In other words, go ahead and share NetHack, but don't try to stop anyone else from sharing it farther.
diff --git a/README.md b/README.md
index e277ecb..fe292b5 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,2 @@
-# Astra
+# astra
diff --git a/astra.sh b/astra.sh
new file mode 100644
index 0000000..70a8b1a
--- /dev/null
+++ b/astra.sh
@@ -0,0 +1,369 @@
+#!/usr/bin/env bash
+
+# проверка запуска от имени рута
+if [ "$EUID" -ne 0 ]
+ then echo "Use sudo, dummy."
+ exit
+fi
+
+network_variables () {
+ # переменные хоста
+ read -p 'Введите имя этого ПК: ' -i $(hostname -s) -e PC_NAME
+ read -p 'Введите имя домена: ' -i $(hostname -d) -e DOMAIN
+
+ # меняем имя хоста
+ hostnamectl set-hostname "$PC_NAME"
+
+ # переменные сети
+ read -p 'Введите имя интерфейса: ' -i eth0 -e INTERFACE
+ read -p 'Введите адрес этого ПК: ' -i $(hostname -i) -e IP
+ read -p 'Введите маску подсети: ' -i 24 -e SUBNET
+ read -p 'Введите gateway: ' -i $(echo "$IP" | grep -Eo '([0-9]+\.)+') -e GATEWAY
+ read -p 'Введите адрес DNS сервера: ' -i $(echo "$IP" | grep -Eo '([0-9]+\.)+') -e DNS
+
+ # удаляем все соединения
+ rm /etc/network/interfaces.d/* 2> /dev/null
+ nmcli --terse connection show 2> /dev/null | cut -d : -f 1 | \
+ while read name; do echo nmcli connection delete "$name" 2> /dev/null; done
+
+ # поднимаем сеть
+ echo "auto $INTERFACE" > "/etc/network/interfaces.d/$INTERFACE"
+ echo "iface $INTERFACE inet static" >> "/etc/network/interfaces.d/$INTERFACE"
+ echo -e "\taddress $IP" >> "/etc/network/interfaces.d/$INTERFACE"
+ echo -e "\tnetmask $SUBNET" >> "/etc/network/interfaces.d/$INTERFACE"
+ echo -e "\tgateway $GATEWAY" >> "/etc/network/interfaces.d/$INTERFACE"
+ echo "nameserver $DNS" > '/etc/resolv.conf'
+ systemctl restart networking
+
+ # прописываем хостс
+ echo "127.0.0.1 localhost" > /etc/hosts
+ echo "$IP $PC_NAME.$DOMAIN $PC_NAME" >> /etc/hosts
+}
+
+admin_variables () {
+ # переменные админа (для входа в домен)
+ read -p 'Введите логин админимтратора: ' -i Administrator -e ADMIN_LOGIN
+ read -p 'Введите пароль администратора: ' -i xxXX1234 -e ADMIN_PASSWORD
+}
+
+another_variables () {
+ # переменные другого пк (домен/клиент)
+ read -p 'Введите имя ПК: ' ANOTHER_PC_NAME
+ read -p 'Введите адрес ПК: ' ANOTHER_IP
+
+ # прописываем хостс
+ echo "$ANOTHER_IP $ANOTHER_PC_NAME.$DOMAIN $ANOTHER_PC_NAME" >> 
/etc/hosts
+}
+
+check_variables () {
+ if grep -L "0" <<< "$WHICH_FUNC"; then
+ read -p "Сеть и хостс настроены? " -i n -e QUESTION
+ if [[ "$QUESTION" == "n" ]]; then
+ network_variables
+ fi
+ fi
+}
+
+admin_rules () {
+ read -p "Дать пользователю права администратора? " -i y -e QUESTION
+ if [[ "$QUESTION" == "y" ]]; then
+ read -p 'Введите имя доменного пользователя: ' USERNAME
+ pdpl-user -i 63 "$USERNAME"
+ echo "$USERNAME ALL=(ALL:ALL) ALL" | EDITOR="tee -a" visudo
+ fi
+}
+
+1.6_repos_update () {
+ # подсказка по дискам
+ echo "1. Smolensk-1.6.iso"
+ echo "2. Devel-Smolensk-1.6.iso"
+ echo "3. Repository-Update.iso"
+ echo "4. Repository-Update-Devel.iso"
+ read -p "Вы вставили все диски?"
+
+ # CD/DVD-1 [Smolensk-1.6]
+ while ! ls /dev/sr0 > /dev/null 2>&1; do
+ read -p "Вставьте Smolensk-1.6.iso"
+ done
+ mkdir -p /srv/repo/smolensk/main
+ mount /dev/sr0 /media/cdrom
+ cp -a /media/cdrom/* /srv/repo/smolensk/main
+ umount /media/cdrom
+
+ # CD/DVD 2 [Devel-Smolensk-1.6]
+ while ! ls /dev/sr1 > /dev/null 2>&1; do
+ read -p "Вставьте Devel-Smolensk-1.6.iso"
+ done
+ mkdir -p /srv/repo/smolensk/devel
+ mount /dev/sr1 /media/cdrom
+ cp -a /media/cdrom/* /srv/repo/smolensk/devel
+ umount /media/cdrom
+
+ # CD/DVD 3 [20200722SE16]
+ while ! ls /dev/sr2 > /dev/null 2>&1; do
+ read -p "Вставьте Repository-Update.iso"
+ done
+ mkdir -p /srv/repo/smolensk/update
+ mount /dev/sr2 /media/cdrom
+ cp -a /media/cdrom/* /srv/repo/smolensk/update
+ umount /media/cdrom
+
+ # CD/DVD 4 [Repository-Update-Devel]
+ while ! 
ls /dev/sr3 > /dev/null 2>&1; do
+ read -p "Вставьте Repository-Update-Devel.iso"
+ done
+ mkdir -p /srv/repo/smolensk/update-dev
+ mount /dev/sr3 /media/cdrom
+ cp -a /media/cdrom/* /srv/repo/smolensk/update-dev
+ umount /media/cdrom
+
+ # дополняем источники
+ echo "deb file:/srv/repo/smolensk/main smolensk main contrib non-free" > /etc/apt/sources.list
+ echo "deb file:/srv/repo/smolensk/devel smolensk main contrib non-free" >> /etc/apt/sources.list
+ echo "deb file:/srv/repo/smolensk/update smolensk main contrib non-free" >> /etc/apt/sources.list
+ echo "deb file:/srv/repo/smolensk/update-dev smolensk main contrib non-free" >> /etc/apt/sources.list
+}
+
+1.7_repos_update () {
+ # дополняем источники
+ echo "deb https://download.astralinux.ru/astra/stable/1.7_x86-64/repository-main/ 1.7_x86-64 main contrib non-free" > /etc/apt/sources.list
+ echo "deb https://download.astralinux.ru/astra/stable/1.7_x86-64/repository-update/ 1.7_x86-64 main contrib non-free" >> /etc/apt/sources.list
+ echo "deb https://download.astralinux.ru/astra/stable/1.7_x86-64/repository-base/ 1.7_x86-64 main contrib non-free" >> /etc/apt/sources.list
+ echo "deb https://download.astralinux.ru/astra/stable/1.7_x86-64/repository-extended/ 1.7_x86-64 main contrib non-free" >> /etc/apt/sources.list
+}
+
+repos_update () {
+ # проверяем версию Астры
+ ASTRA_VERISON=$(cat /etc/*-release)
+
+ # версия 1.6
+ if grep -q "1.6" <<< "$ASTRA_VERISON"; then
+ 1.6_repos_update
+ fi
+
+ # версия 1.7
+ if grep -q "1.7" <<< "$ASTRA_VERISON"; then
+ 1.7_repos_update
+ fi
+
+ # обновление пакетов
+ apt update -y
+ apt dist-upgrade -y
+ apt -f install -y
+ apt autoremove -y
+}
+
+ssh_server () {
+ # устанавливаем пакет
+ apt install openssh-server -y
+
+ # включаем SSH
+ systemctl enable --now ssh
+}
+
+ssh_client () {
+ # генерим ключи
+ ssh-keygen
+
+ # логин@пароль
+ echo "Вводите данные сервера." 
+ admin_variables
+
+ # передаюм ключи на удалённый сервер
+ ssh-copy-id -i ~/.ssh/id_rsa.pub "$ADMIN_LOGIN"@"$ADMIN_PASSWORD"
+}
+
+ad_join () {
+ # устанавливаем пакет
+ apt install astra-ad-sssd-client -y
+
+ # входим в домен
+ check_variables
+ admin_variables
+ astra-ad-sssd-client -d "$(hostname -d)" -u "$ADMIN_LOGIN" -p "$ADMIN_PASSWORD" -y
+ admin_rules
+}
+
+ald_init () {
+ # устанавливаем пакеты
+ apt install fly-admin-ald-server ald-server-common smolensk-security-ald -y
+
+ # функции
+ check_variables
+ echo "Вводите данные клиента."
+ another_variables
+
+ # иницилизируем ald
+ ald-init init
+}
+
+ald_join () {
+ # устанавливаем пакеты
+ apt install ald-client-common ald-admin -y
+
+ # функции
+ check_variables
+ echo "Вводите данные домена."
+ another_variables
+
+ # входим в домен
+ ald-client join
+ admin_rules
+}
+
+dmcli_install () {
+ # директория dmcli
+ rm -rf dmcli/; mkdir dmcli/
+
+ # наличие архива
+ while ! ls *.tar.gz > /dev/null 2>&1; do
+ read -p "Переместите архив клиента Device Monitor." 
+ done
+
+ # распаковка архива
+ tar -xvf *.tar.gz -C dmcli/
+
+ # распаковка пакета
+ PACKAGE=$(echo dmcli/*.deb)
+ dpkg-deb -x "$PACKAGE" dmcli/dpkg/
+ dpkg-deb -e "$PACKAGE" dmcli/dpkg/DEBIAN
+
+ # замена файлов (вписывает текущее ядро)
+ mv dmcli/dpkg/opt/iw/dmagent/lib/modules/*-$(uname -r | grep -P -o 'generic|hardened') \
+ dmcli/dpkg/opt/iw/dmagent/lib/modules/$(uname -r)
+
+ # сборка пакета
+ rm "$PACKAGE" && dpkg -b dmcli/dpkg "$PACKAGE"
+
+ # удаление старых ядер
+ sudo apt-get remove `dpkg --list 'linux-image*' |grep ^ii | awk '{print $2}'\ | grep -v \`uname -r\``
+
+ # установка девайс монитор клиента
+ read -p 'Введите адрес и порт IWDM: ' -i 192.168.1.20:15101 -e IWDM
+ dmcli/install.sh $IWDM
+}
+
+rutk_server () {
+ # установка библиотек для сертификатов
+ apt install libccid pcscd libpcsclite1 pcsc-tools opensc krb5-pkinit libpam-krb5 libengine-pkcs11-openssl1.1 -y
+ wget https://es.ukrtb.ru/nextcloud/s/HX6fcj5mpBASTeG/download/librtpkcs11ecp_2.3.3.0-1_amd64.deb -O /tmp/librtpkcs11ecp.deb
+ dpkg -i /tmp/librtpkcs11ecp.deb
+
+ # создание сертификатов
+ mkdir /etc/ssl/CA ; cd "$_"
+ openssl genrsa -out cakey.pem 2048
+ openssl req -key cakey.pem -new -x509 -days 3650 -out cacert.pem -subj "/C=RU/ST=RB/L=Ufa/O=UKRTB/OU=IB/CN=astra/emailAddress=astra@demo.lab"
+ openssl genrsa -out kdckey.pem 2048
+ openssl req -new -out kdc.req -key kdckey.pem -subj "/C=RU/ST=RB/L=Ufa/O=UKRTB/OU=IB/CN=astra/emailAddress=astra@demo.lab"
+ wget https://es.ukrtb.ru/git/ukrtb/learn/raw/branch/master/pkinit_extensions
+ sed -i "s/КЛИЕНТ/$(hostname -s)/" pkinit_extensions
+ sed -i "s/РЕАЛМ/$(hostname -d)/" pkinit_extensions
+ openssl x509 -req -in kdc.req -CAkey cakey.pem -CA cacert.pem -out kdc.pem -extfile pkinit_extensions -extensions kdc_cert -CAcreateserial -days 365
+ cp kdc.pem kdckey.pem cacert.pem /var/lib/krb5kdc/
+
+ # конфигурация керберос
+ sed -i '/kdcdefaults/a \
+ pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem \
+ pkinit_anchors 
= FILE:/var/lib/krb5kdc/cacert.pem '\
+ /etc/ald/config-templates/kdc.conf
+ ald-init commit-config
+
+ # перезапуск керберос
+ systemctl restart krb5-admin-server
+ systemctl restart krb5-kdc
+
+ # проверка наличия рутокена
+ while ! pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -T > /dev/null 2>&1; do
+ read -p "Вставьте Рутокен."
+ done
+
+ # форматирование и инициализация токена
+ pkcs15-init --erase-card -p rutoken_ecp
+ pkcs15-init --create-pkcs15 --so-pin "87654321" --so-puk ""
+ pkcs15-init --store-pin --label "User PIN" --auth-id 02 --pin "12345678" --puk "" --so-pin "87654321" --label "Rutoken" --finalize
+
+ # генерация закрытых ключей на рутокене
+ pkcs11-tool --slot 0 --login --pin 12345678 --keypairgen --key-type rsa:2048 --id 42 --label “ukrtb” --module /usr/lib/librtpkcs11ecp.so
+
+ # генерация сертификатов
+ openssl << EOT
+engine dynamic -pre SO_PATH:/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/librtpkcs11ecp.so
+req -engine pkcs11 -new -key 0:42 -keyform engine -out client.req -subj "/C=RU/ST=RB/L=Ufa/O=UKRTB/OU=IB/CN=client/emailAddress=client@demo.lab"
+x509 -CAkey cakey.pem -CA cacert.pem -req -in client.req -extensions client_cert -extfile pkinit_extensions -out client.pem -days 365
+x509 -in client.pem -out client.cer -inform PEM -outform DER
+q
+EOT
+
+ # перенос сертификатов на Рутокен
+ pkcs15-init --store-certificate client.cer --auth-id 02 --id 42 --format der
+ # pkcs15-init --store-certificate cacert.pem --auth-id 02 --id 11 --format pem
+}
+
+rutk_client () {
+ # установка библиотек для сертификатов
+ apt install libccid pcscd libpcsclite1 pcsc-tools opensc krb5-pkinit libpam-krb5 libengine-pkcs11-openssl1.1 -y
+ wget https://es.ukrtb.ru/nextcloud/s/HX6fcj5mpBASTeG/download/librtpkcs11ecp_2.3.3.0-1_amd64.deb -O /tmp/librtpkcs11ecp.deb
+ dpkg -i /tmp/librtpkcs11ecp.deb
+
+ # создане директории для корневого сертификата
+ mkdir /etc/krb5/
+
+ # конфигурация 
керберос
+ sed -i '/default_realm/a \
+ pkinit_anchors = FILE:/etc/krb5/cacert.pem \
+ pkinit_identities = PKCS11:/usr/lib/librtpkcs11ecp.so ' \
+ /etc/krb5.conf
+}
+
+# определение необходимостей
+echo "Сеть [0]"
+echo "Репозитории [1]"
+echo "Сервер SSH [2]"
+echo "Беспарольный вход по SSH [3]"
+echo "Вход в Active Directory [4]"
+echo "Иницилизация Astra Linux Directory [5]"
+echo "Вход в Astra Linux Directory [6]"
+echo "Device Monitor клиент [7]"
+echo "RUTK Сервер [8]"
+echo "RUTK Клиент [9]"
+read -p 'Выберите интересующие вас функции: [0124] ' WHICH_FUNC
+
+if grep -q "0" <<< "$WHICH_FUNC"; then
+ network_variables
+fi
+
+if grep -q "1" <<< "$WHICH_FUNC"; then
+ repos_update
+fi
+
+if grep -q "2" <<< "$WHICH_FUNC"; then
+ ssh_server
+fi
+
+if grep -q "3" <<< "$WHICH_FUNC"; then
+ ssh_client
+fi
+
+if grep -q "4" <<< "$WHICH_FUNC"; then
+ ad_join
+fi
+
+if grep -q "5" <<< "$WHICH_FUNC"; then
+ ald_init
+fi
+
+if grep -q "6" <<< "$WHICH_FUNC"; then
+ ald_join
+fi
+
+if grep -q "7" <<< "$WHICH_FUNC"; then
+ dmcli_install
+fi
+
+if grep -q "8" <<< "$WHICH_FUNC"; then
+ rutk_server
+fi
+
+if grep -q "9" <<< "$WHICH_FUNC"; then
+ rutk_client
+fi
\ No newline at end of file
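Review bot: `ssh_client` sends the key to the wrong place: `admin_variables` sets only ADMIN_LOGIN and ADMIN_PASSWORD, so `ssh-copy-id -i ~/.ssh/id_rsa.pub "$ADMIN_LOGIN"@"$ADMIN_PASSWORD"` uses the password as the host name, the copy can never reach the server, and the password is exposed in the process list as an argument; prompt for a host (`read -p 'Введите адрес сервера: ' SSH_HOST`) and call `ssh-copy-id -i ~/.ssh/id_rsa.pub "$ADMIN_LOGIN@$SSH_HOST"`. `check_variables` branches on `grep -L "0" <<< "$WHICH_FUNC"`, but `-L`'s exit status has changed between grep releases (it succeeds on a selected line in some versions and on a listed file in others), so the "network step not chosen" test is inverted on some systems and also prints `(standard input)`; the intended test is `if ! grep -q "0" <<< "$WHICH_FUNC"; then`. In `rutk_server` the token SO-PIN `87654321` and user PIN `12345678` are fixed in the script and remain on every provisioned token, the `pkinit_extensions` file fetched with `wget` is used unverified as the CA `-extfile` for both the KDC and client certificates, and `--label “ukrtb”` uses typographic quotes so the key is labelled `“ukrtb”` literally; read the PINs with `read -r -s`, compare the downloaded file against an expected hash (`<EXPECTED_SHA256>` placeholder) before signing, and use plain `"ukrtb"`.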