 ___               _ _
| _ ) __ _ ___ ___| (_)_ _  ___ _ _
| _ \/ _` (_-</ -_) | | ' \/ -_) '_|
|___/\__,_/__/\___|_|_|_||_\___|_|
This tool builds Debian VMs using QEMU, packer, and Ansible.

The result of this system should be to generate a baseline image in a consistent and reproducible way. It is not meant to complete system configuration, but to make it possible.

The build depends on pass, shyaml, and packer:

    sudo apt show pass
    pip3 install shyaml
    sudo go get github.com/hashicorp/packer

The bridge and macvtap interface definitions ship in installer/ and need to be installed with root privileges:

    sudo cp installer/local_br0 /etc/network/interfaces.d/br0 && sudo ifup br0
    sudo cp installer/local_macvtap0 /etc/network/interfaces.d/macvtap0 && sudo ifup macvtap0
    echo "source /etc/network/interfaces.d/macvtap0" | sudo tee -a /etc/network/interfaces

To build and start a VM:

    sudo make clean
    CREDENTIAL_REPO="https://git.sr.ht/~lucidone/baseliner_security.git" make
    make start

The default initial password can be set via

    pass edit account/ops

Please see the pass manpage for more information.

It is suggested to use direnv to manage the environment variables that configure operation. An example .envrc:

    export CREDENTIAL_REPO="https://git.sr.ht/~lucidone/baseliner_security.git"
    export PASSWORD_PATH="production/ops"
    export INSTALL_DIR="/data/production"

With those variables set, a host is built and installed with

    sudo make install_host.example.org
make start should produce a running system; an ops account is created with the administrators' authorized_keys.

make <hostname> builds a VM from the host_<hostname>.yml config file. For host.example.org, the resulting qemu disk image is build/host.example.org/host.example.org.raw.

The make install target will install build artifacts to /data/vm/<hostname> by default. Set INSTALL_DIR to customize.

CREDENTIAL_REPO is a signed git repository that contains the ssh keys of all of the administrators. These keys should be stored in ssh/id*.pub and will be added to the authorized_keys for the ops user. An example is available at https://git.sr.ht/~lucidone/baseliner_security.git
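The key-collection step described above, as an added example that is not part of baseliner: a POSIX shell script that checks the signature on a credential repo checkout's HEAD commit with git verify-commit (assuming the administrators' signing keys are already in the local gpg keyring) and then assembles an authorized_keys file from ssh/id*.pub, accepting only files that hold exactly one well-formed OpenSSH public key line, so that a file carrying a second line or an options prefix cannot slip into the ops account. The function names are this example's own, and any key blobs used with it here are constructed strings, not real keys.

```shell
#!/bin/sh
# Added example, not part of baseliner: verify a CREDENTIAL_REPO checkout and
# build an authorized_keys file from its ssh/id*.pub files.

# Check the signature on the checkout's HEAD commit. Needs git and a gpg
# keyring that already holds the administrators' signing keys.
# (Not exercised offline; the function name is this example's own.)
verify_credential_repo() {
    git -C "$1" verify-commit HEAD >/dev/null 2>&1
}

# Return 0 when $1 is a single well-formed OpenSSH public key line:
# "<keytype> <base64 blob> [comment]". A leading options field such as
# command="..." is rejected because its first token is not a key type.
is_valid_pubkey_line() {
    line=$1
    case "$line" in
        *" "*) ;;
        *) return 1 ;;                      # no space at all: no blob
    esac
    keytype=${line%% *}
    rest=${line#* }
    blob=${rest%% *}
    case "$keytype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) return 1 ;;
    esac
    # The blob must be non-empty base64 with at most two '=' padding chars.
    printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# Write "$2" (mode 0600) from every "$1"/ssh/id*.pub that holds exactly one
# valid key line; print how many distinct keys were accepted.
build_authorized_keys() {
    repo=$1
    out=$2
    : > "$out"
    chmod 600 "$out"
    for f in "$repo"/ssh/id*.pub; do
        [ -f "$f" ] || continue
        # grep -c '' also counts a final unterminated line, unlike wc -l.
        nlines=$(grep -c '' "$f" || true)
        if [ "$nlines" -ne 1 ]; then
            echo "rejecting $f: expected exactly one line, found $nlines" >&2
            continue
        fi
        line=$(cat "$f")
        if is_valid_pubkey_line "$line"; then
            printf '%s\n' "$line" >> "$out"
        else
            echo "rejecting $f: not a single OpenSSH public key" >&2
        fi
    done
    sort -u -o "$out" "$out"       # drop keys duplicated across files
    grep -c '' "$out" || true      # number of keys written (0 if none)
}

# Intended use after cloning CREDENTIAL_REPO into $checkout:
#   verify_credential_repo "$checkout" || exit 1
#   build_authorized_keys "$checkout" /path/to/authorized_keys
```

Running verify_credential_repo before build_authorized_keys is the point of a signed repository: an unsigned or wrongly signed HEAD means the key set is not trusted, whatever the files contain.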
The user building VMs should be a member of the groups kvm and netdev.
If sudo is preferred instead, modifications will need to be made to securely pass the image password as an environment variable: edit /etc/sudoers with visudo and add

    Defaults env_keep+="IMAGE_PASSWORD"
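A preflight for the .envrc variables described earlier and for the IMAGE_PASSWORD handoff through sudo, as an added example that is not baseliner's own code: it checks the three variables, reads the password from pass into the environment (so it never appears as a command-line argument, where ps would show it to every user on the build host), and refuses the sudo form that would put it in argv, relying on the env_keep line above to carry it across sudo. The function names are this example's own; the checks themselves do not invoke pass or sudo, only the final run_install does.

```shell
#!/bin/sh
# Added example, not part of baseliner: validate the direnv-managed
# environment and hand the image password to a sudo'd make safely.

# Return 0 when the three .envrc variables are usable, 1 otherwise,
# reporting each problem on stderr.
preflight_env() {
    ok=0
    case "${CREDENTIAL_REPO:-}" in
        https://*|ssh://*|git@*:*) ;;
        "") echo "CREDENTIAL_REPO is not set" >&2; ok=1 ;;
        *)  echo "CREDENTIAL_REPO must be an https:// or ssh URL: $CREDENTIAL_REPO" >&2; ok=1 ;;
    esac
    case "${PASSWORD_PATH:-}" in
        "") echo "PASSWORD_PATH is not set (a pass entry such as production/ops)" >&2; ok=1 ;;
        /*) echo "PASSWORD_PATH must be a relative pass entry" >&2; ok=1 ;;
        *..*) echo "PASSWORD_PATH must not contain '..'" >&2; ok=1 ;;
    esac
    case "${INSTALL_DIR:-}" in
        /*) ;;
        *)  echo "INSTALL_DIR must be an absolute path: '${INSTALL_DIR:-}'" >&2; ok=1 ;;
    esac
    return $ok
}

# Read the image password from pass into IMAGE_PASSWORD via stdout, so the
# secret is never an argument of any process. (Needs pass; not run offline.)
load_image_password() {
    IMAGE_PASSWORD=$(pass show "$PASSWORD_PATH") || return 1
    [ -n "$IMAGE_PASSWORD" ] || return 1
    export IMAGE_PASSWORD
}

# Given the words that would follow "sudo", refuse a VAR=value assignment for
# the password (it would be visible in the process list) and insist that the
# secret is already exported, which is what env_keep carries through sudo.
check_password_handoff() {
    for arg in "$@"; do
        case "$arg" in
            IMAGE_PASSWORD=*) echo "refusing: password on the command line" >&2; return 1 ;;
        esac
    done
    [ -n "${IMAGE_PASSWORD:-}" ] || { echo "IMAGE_PASSWORD is not exported" >&2; return 1; }
}

# Intended use for one host (name is a placeholder), e.g. run_install host.example.org
run_install() {
    preflight_env || return 1
    load_image_password || return 1
    check_password_handoff make "install_$1" || return 1
    sudo make "install_$1"
}
```

With env_keep in place, sudo forwards the exported variable itself; without it, sudo's default env_reset silently drops IMAGE_PASSWORD and the build runs with no password rather than failing loudly, which is why check_password_handoff insists the variable is exported before sudo is invoked.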
There is some support for vfio-pci based network devices. For more details, please see https://github.com/tylert/packer-build
baseliner is distributed under the terms of both
at your option.