Baseliner
sudo cp installer/local_br0 /etc/network/interfaces.d/br0 && sudo ifup br0
sudo cp installer/local_macvtap0 /etc/network/interfaces.d/macvtap0 && sudo ifup macvtap0
echo "source /etc/network/interfaces.d/macvtap0" | sudo tee -a /etc/network/interfaces
sudo make clean
CREDENTIAL_REPO="https://git.sr.ht/~lucidone/baseliner_security.git" make
make start

sudo apt show pass
pip3 install shyaml
sudo go get github.com/hashicorp/packer
The default initial password can be set via
pass edit account/ops
Please see the pass manpage for more information
It is suggested to use direnv to manage the environment variables that
export CREDENTIAL_REPO="https://git.sr.ht/~lucidone/baseliner_security.git"
export PASSWORD_PATH="production/ops"
export INSTALL_DIR="/data/production"
sudo make install_host.example.org
This tool builds Debian VMs using QEMU, packer, and Ansible.
The result of this system should be to generate a baseline image in a consistent and reproducible way. It is not meant to complete system configuration, but to make it possible.
make start should produce a running system
ops account is created with administrators
Builds a VM from a host_<hostname>.yml config file
qemu disk image:
make install target will install build artifacts to /data/vm/<hostname> by default. Set INSTALL_DIR to customize.
CREDENTIAL_REPO is a signed git repository that contains the ssh keys of all of the administrators. These keys should be stored in ssh/id*.pub and will be added to the authorized_keys for the
An example is available at https://git.sr.ht/~lucidone/baseliner_security.git
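Added example (not baseliner's own code): one way to vet a cloned CREDENTIAL_REPO before its ssh/id*.pub files become authorized_keys entries, by checking the signature on HEAD and rejecting any file that is not a single bare public key. The function names, the key-type allow-list, the one-key-per-file rule and the use of git verify-commit with the signer's key already in the local keyring are assumptions of this example; the sample keys are constructed with dummy key material.

```python
import base64, struct, subprocess, tempfile
from pathlib import Path

# Accepted key types are an assumption of this example, not baseliner policy.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def verify_signed_head(repo_dir):
    """Raise unless git accepts the signature on HEAD of the cloned repo."""
    subprocess.run(["git", "-C", str(repo_dir), "verify-commit", "HEAD"], check=True)

def parse_pubkey(line):
    """Return the normalised key line, or raise ValueError if it is unsafe."""
    fields = line.split()
    # The allow-list check also rejects option prefixes (command=..., from=...).
    if len(fields) < 2 or fields[0] not in ALLOWED_TYPES:
        raise ValueError("not a bare public key of an allowed type")
    blob = base64.b64decode(fields[1], validate=True)  # binascii.Error is a ValueError
    # The blob starts with a length-prefixed copy of the key type.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != fields[0].encode():
        raise ValueError("declared key type does not match the key blob")
    return " ".join(fields)

def build_authorized_keys(repo_dir):
    """Return (accepted key lines, rejected file names) for ssh/id*.pub."""
    accepted, rejected = [], []
    for path in sorted(Path(repo_dir).glob("ssh/id*.pub")):
        try:
            lines = [ln for ln in path.read_text().splitlines() if ln.strip()]
            if len(lines) != 1:  # assumption: one key per file
                raise ValueError("expected exactly one key per file")
            accepted.append(parse_pubkey(lines[0]))
        except ValueError:
            rejected.append(path.name)
    return accepted, rejected

def make_key(key_type, comment):
    """Constructed sample key: valid framing, all-zero key material."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + struct.pack(">I", 32) + bytes(32)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

def demo():
    with tempfile.TemporaryDirectory() as repo:
        ssh = Path(repo, "ssh")
        ssh.mkdir()
        (ssh / "id_alice.pub").write_text(make_key("ssh-ed25519", "alice@example.org") + "\n")
        (ssh / "id_bob.pub").write_text('command="id" ' + make_key("ssh-ed25519", "bob") + "\n")
        (ssh / "id_carol.pub").write_text(make_key("ssh-rsa", "carol").replace("ssh-rsa", "ssh-ed25519", 1) + "\n")
        return build_authorized_keys(repo)
```

In real use, call verify_signed_head on the clone first and stop the build if it raises or if any file is rejected; demo() skips the signature check because its temporary directory is not a git repository.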
The user building VMs should be a member of group
sudo is preferred, modifications will need to be made to securely pass the image password as an environment variable
There is some support for vfio-pci based network devices. For more details, please see this.
baseliner is distributed under the terms of both
at your option.