msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m45s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-07-08 19:08:11 +02:00
parent 474941e291
commit b546a0d4af
5 changed files with 379 additions and 362 deletions
Download Patch File Download Diff File Expand all files Collapse all files

547
.preseed/preseed.yaml
View File

@@ -23,180 +23,118 @@ installer:
# APT settings # APT settings
################################################################################################################################ ################################################################################################################################
apt: apt:
# You can choose to install contrib software: contrib: true # Optionally install contrib software.
contrib: true deb_sources: true # Optionally includes deb-src entries for source repositories.
default_list: true # By default, source repositories are listed in '/etc/apt/sources.list'. This MUST be "true".
full_upgrade: true # Whether to upgrade packages after debootstrap.
install_recommends: true # Configure APT to not install recommended packages by default.
non_free: true # Optionally install non-free software.
non_free_firmware: true # Optionally install non-free firmware.
sec: "security.debian.org" # Debian Security Updates Archive.
# Optionally includes deb-src entries for source repositories. If set to true, source repos are enabled. ##############################################################################################################################
deb-sources: true # A network mirror MUST be used to supplement the software not included on the installation media. This may also make newer
# versions of software available.
# By default, source repositories are listed in /etc/apt/sources.list. This MUST be true: ##############################################################################################################################
default-list: true
# Whether to upgrade packages after debootstrap.
# Allowed values: "false" for none; "true" for full-upgrade (RECOMMENDED):
full-upgrade: true
# Configure APT to not install recommended packages by default. Use of this option can
# result in an incomplete system and should only be used by very experienced users:
install-recommends: true
# A network mirror MUST be used to supplement the software not included on the
# installation media. This may also make newer versions of software available.
# This MUST be true:
mirror: mirror:
activate: true activate: true # MUST be "true".
# Country code of mirror destination: country: "US" # Country code of mirror destination.
country: "US" directory: "/debian/" # Debian archive mirror directory in which the mirror of the Debian archive is located.
# Debian archive mirror directory. Please enter the directory in which the mirror of hostname: "deb.debian.org" # Debian archive mirror hostname.
# the Debian archive is located: https-country: "US" # Debian archive mirror country.
directory: "/debian/" protocol: "https" # Protocol to be used for downloading files, where "https" is RECOMMENDED.
# Debian archive mirror hostname. Please enter the hostname of the mirror from which proxy: "" # HTTP proxy information (blank for none) or "http://[[user][:pass]@]host[:port]/"
# Debian will be downloaded. An alternate port can be specified using the standard
# [hostname]:[port] format:
hostname: "deb.debian.org"
# Debian archive mirror country. The goal is to find a mirror of the Debian archive that
# is close to you on the network -- be aware that nearby countries, or even your own, may
# not be the best choice.
https-country: "US"
# Please select the protocol to be used for downloading files, where "https" is RECOMMENDED.
protocol: "https"
# HTTP proxy information (blank for none). If you need to use an HTTP proxy to access the
# outside world, enter the proxy information here. Otherwise, leave this blank. The proxy
# information should be given in the standard form of "http://[[user][:pass]@]host[:port]/".
proxy: ""
# Suite to install MUST be one of "stable", "testing", "experimental":
suite: "stable"
# You can choose to install non-free:
non-free: true
# You can choose to install non-free firmware:
non-free-firmware: true
# Debian archive security string
security-string: "security.debian.org"
##############################################################################################################################
# Debian has the following services that provide updates. # Debian has the following services that provide updates.
# #
# Security updates help to keep your system secured against attacks. # Backported software is adapted from the development version to work with this release. Although this software has not gone
# Enabling this service is strongly recommended. # through such complete testings as that contained in the release, it includes newer versions of some applications that may
# provide useful features. Enabling backports here does not cause any of them to be installed by default; it only allows you
# to manually select backports to use.
# #
# Release updates provide more current versions for software that changes relatively # Release updates provide more current versions for software that changes relatively frequently and where not having the
# frequently and where not having the latest version could reduce the usability of the # latest version could reduce the usability of the software. It also provides regression fixes. This service is only
# software. It also provides regression fixes. This service is only available for stable # available for stable and oldstable releases.
# and oldstable releases.
# #
# Backported software is adapted from the development version to work with this release. # Security updates help to keep your system secured against attacks. Enabling this service is strongly recommended.
# Although this software has not gone through such complete testings as that contained in #
# the release, it includes newer versions of some applications that may provide useful # Applying updates on a frequent basis is an important part of keeping the system secure. By default, security updates are not
# features. Enabling backports here does not cause any of them to be installed by default; # automatically installed, as security advisories should be reviewed before manual installation of the updates using standard
# it only allows you to manually select backports to use. # package management tools.
#
# Alternatively, the unattended-upgrades package can be installed, which will install security updates automatically. Note,
# however, that automatic installation of updates may occasionally cause unexpected downtime of services provided by this
# machine in the rare cases where the update is not fully backward-compatible, or where the security advisory requires the
# administrator to perform some other manual operation. Possible choices: "none", "security", "unattended" (RECOMMENDED)
##############################################################################################################################
updates: updates:
backports: true backports: true
release: true release: true
security: true security: true
# Applying updates on a frequent basis is an important part of keeping the system secure.
#
# By default, security updates are not automatically installed, as security advisories should be
# reviewed before manual installation of the updates using standard package management tools.
#
# Alternatively, the unattended-upgrades package can be installed, which will install security
# updates automatically.
# Note, however, that automatic installation of updates may occasionally cause unexpected downtime
# of services provided by this machine in the rare cases where the update is not fully backward-compatible,
# or where the security advisory requires the administrator to perform some other manual operation.
#
# Possible choices: none, security, unattended (RECOMMENDED)
policy: "unattended" policy: "unattended"
########################################################################################### ################################################################################################################################
# Basic settings # # Basic settings
########################################################################################### ################################################################################################################################
# Please specify the architecture of the server to be installed: architecture: "amd64" # MUST be one of "amd64" or "arm64".
arch: "amd64" # MUST be "amd64" || "intel64". "arm64" is NOT supported distribution: "bookworm" # MUST be "bookworm".
debian_suite: "stable" # MUST be "stable". Not supported yet: "testing", "experimental".
exit:
halt: false # This is how to make the installer shutdown when finished, but not reboot.
poweroff: true # This will power off the machine instead of just halting it (RECOMMENDED).
reboot: false # This will reboot the machine.
image: "linux-image-amd64" # Could be a meta-package or a specific image like:
# "linux-image-amd64" || "linux-image-arm64"
# "linux-image-cloud-amd64" || "linux-image-cloud-arm64"
# "linux-image-rt-amd64" || "linux-image-rt-arm64"
# "linux-image-6.12.30+bpo-amd64"
firmware:
install: true # If non-free firmware is needed for the network or other hardware, autoinstall it.
lookup: "missing" # "never" Completely disables the firmware search.
# "missing" Searches only when the firmware is needed. (default)
# "always" Always searches and asks for any firmware that could be useful for the hardware.
# This is how to make the installer shutdown when finished, but not reboot: ################################################################################################################################
exit-halt: false # GRUB2 settings
################################################################################################################################
# This will power off the machine instead of just halting it (RECOMMENDED):
exit-poweroff: true
# This will reboot the machine:
exit-reboot: false
# If non-free firmware is needed for the network or other hardware, you can configure the #
# installer to always try to load it without prompting.
firmware-install: true
# Firmware settings
# "never": Completely disables the firmware search.
# "missing": Searches only when the firmware is needed. (default)
# "always": Always searches and asks for any firmware that could be useful for the hardware.
firmware-lookup: "missing"
# The kernel image to be installed; "none" can be used if no kernel is to be installed:
kernel: "linux-image-6.12.30+bpo-amd64"
###########################################################################################
# GRUB2 settings #
###########################################################################################
grub: grub:
background: background: # RECOMMENDED settings: JPG 1280 x 1024 px or JPG 1920 x 1080 px
# If you want to change the GRUB background, please change to "true": enable: true # If you want to add a GRUB background.
enable: true
# Specify the path from which the image should be loaded.
# RECOMMENDED settings: JPG 1280 x 1024 px or JPG 1920 x 1080 px
path: "/root/CISS.2025.debian.installer/.assets/background/background_hexagon_1280.jpg" path: "/root/CISS.2025.debian.installer/.assets/background/background_hexagon_1280.jpg"
bootdev: "/dev/sda" # Due notably to potential USB sticks, the location of the primary drive cannot be determined
# safely in general, so this needs to be specified.
force_efi: false # Force GRUB installation to the EFI removable media path?
# It seems that this computer is configured to boot via EFI, but maybe that configuration will
# not work for booting from the hard drive. Some EFI firmware implementations do not meet the
# EFI specification (i.e., they are buggy) and do not support proper configuration of boot
# options from system hard drives.
#
# A workaround for this problem is to install an extra copy of the EFI version of the GRUB
# bootloader to a fallback location, the "removable media path". Almost all EFI systems, no
# matter how buggy, will boot GRUB that way.
#
# Warning: If the installer failed to detect another operating system that is present on your
# computer that also depends on this fallback, installing GRUB there will make that operating
# system temporarily unbootable. GRUB can be manually configured later to boot it if necessary.
latest: true # Install the latest GRUB2 backported package for encrypted '/boot' support.
# MUST be "true" in the case of 'LUKS2' and / or 'dm-integrity' encrypted '/boot'
only_debian: true # This is fairly safe to set; it makes grub install automatically to the UEFI partition '/boot'
# record if no other operating system is detected on the machine.
other-os: true # This one makes grub-installer install to the UEFI partition '/boot' record, if it also finds
# some other OS, which is less safe as it might not be able to boot that other OS.
prober: false # OS-prober did not detect any other operating systems on your computer at this time, but you
# may still wish to enable it in case you install more in the future.
skip: false # Skip installing grub.
update_nvram: true # Update NVRAM variables to automatically boot into Debian?
# GRUB can configure your platform's NVRAM variables so that it boots into Debian automatically
# when powered on. However, you may prefer to disable this behavior and avoid changes to your
# boot configuration. For example, if your NVRAM variables have been set up such that your
# system contacts a PXE server on every boot, this would preserve that behavior:
# Due notably to potential USB sticks, the location of the primary drive cannot be ################################################################################################################################
# determined safely in general, so this needs to be specified: # Locale settings set language, country, locale, keyboard map and timezone
bootdev: "/dev/sda" ################################################################################################################################
# Force GRUB installation to the EFI removable media path?
# It seems that this computer is configured to boot via EFI, but maybe that configuration will
# not work for booting from the hard drive. Some EFI firmware implementations do not meet the
# EFI specification (i.e., they are buggy) and do not support proper configuration of boot
# options from system hard drives.
#
# A workaround for this problem is to install an extra copy of the EFI version of the GRUB
# bootloader to a fallback location, the "removable media path". Almost all EFI systems, no
# matter how buggy, will boot GRUB that way.
#
# Warning: If the installer failed to detect another operating system that is present on your
# computer that also depends on this fallback, installing GRUB there will make that operating
# system temporarily unbootable. GRUB can be manually configured later to boot it if necessary:
force-efi-extra-removable: false
# Set this to 'true' to install the latest GRUB2 backported package for encrypted '/boot' support.
# MUST be 'true' in the case of 'LUKS2' and / or 'dm-integrity' encrypted '/boot/':
latest: true
# This is fairly safe to set; it makes grub install automatically to the UEFI partition '/boot'
# record if no other operating system is detected on the machine:
only-debian: true
# This one makes grub-installer install to the UEFI partition/boot record, if it also finds
# some other OS, which is less safe as it might not be able to boot that other OS:
other-os: true
# OS-prober did not detect any other operating systems on your computer at this time, but you
# may still wish to enable it in case you install more in the future:
prober: false
# Skip installing grub:
skip: false
# Update NVRAM variables to automatically boot into Debian?
# GRUB can configure your platform's NVRAM variables so that it boots into Debian automatically
# when powered on. However, you may prefer to disable this behavior and avoid changes to your
# boot configuration. For example, if your NVRAM variables have been set up such that your
# system contacts a PXE server on every boot, this would preserve that behavior:
update-nvram: true
###########################################################################################
# Locale settings set language, country, locale, keyboard map and timezone #
###########################################################################################
locale: locale:
country: "US" country: "US"
keyboard: keyboard:
@@ -206,84 +144,63 @@ locale:
locale: "en_US.UTF-8" locale: "en_US.UTF-8"
timezone: "Europe/Lisbon" timezone: "Europe/Lisbon"
########################################################################################### ################################################################################################################################
# Network settings # # Network settings
########################################################################################### ################################################################################################################################
network: network:
autoconfig: autoconfig:
# Automatic network configuration is the default. If you prefer to configure the network enable: true # Automatic network configuration is the default. If you prefer to configure the network
# manually, change 'network.autoconfig.enable' from "true" to "false" and configure # manually, change 'network.autoconfig.enable' from "true" to "false" and configure
# - 'network.choose_interface.static' # - 'network.choose_interface.static'
# - 'network.hostname' # - 'network.hostname'
# - 'network.ipv6' # - 'network.ipv6'
# - 'network.static' section # - 'network.static' section
enable: true
choose_interface: choose_interface:
# Choose an interface that has a link if possible. Or skip this via "false" and manually configure the static NIC below. auto: true # Choose an interface that has a link if possible. Or manually configure the static NIC below.
auto: true static: "eth1" # If auto-detect fails or for manual configuration, specify a particular interface.
# If auto-detect fails, specify a particular interface instead: hostname: "nsa.usic.gov" # Specify the FQDN of the server.
static: "eth1" ipv6: true # Specify if you want to use IPv6:
# Please specify the FQDN of the server:
hostname: "nsa.usic.gov"
# Please specify if you want to use IPv6:
ipv6: "true"
# Timeout settings
timeout: timeout:
# If the dhcp server is slow, and the installer times out waiting for it, this might be useful. dhcp: 60 # If the dhcp server is slow, and the installer times out waiting for it, this might be useful.
dhcp: 60 linkwait: 60 # To set a different link detection timeout (default is 3 seconds).
# To set a different link detection timeout (default is 3 seconds):
linkwait: 60
static: static:
# If you want the preconfiguration file to work on systems both with and without a dhcp enable: true # If you want the preconfiguration file to work on systems both with and without a dhcp
# server, change 'network.static.enable' from "false" to "true" and configure the static # server, change 'network.static.enable' from "false" to "true" and configure the static
# configuration below. # configuration below.
enable: true
# Static IPv4 network configuration.
ipv4address: "192.168.128.128" ipv4address: "192.168.128.128"
ipv4netmask: "255.255.255.0" ipv4netmask: "255.255.255.0"
ipv4gateway: "192.168.128.254" ipv4gateway: "192.168.128.254"
# Static IPv4 nameservers.
ipv4nameserver: ipv4nameserver:
# dns01.eddns.eu - "135.181.207.105" # dns01.eddns.eu
- "135.181.207.105" - "89.58.62.53" # dns02.eddns.de
# dns02.eddns.de
- "89.58.62.53"
# Static IPv4 fallback nameservers.
ipv4nameserver_fallback: ipv4nameserver_fallback:
# dnsforge.de - "176.9.93.198" # dnsforge.de
- "176.9.93.198" - "176.9.1.117" # dnsforge.de
- "176.9.1.117" ipv6address: "2a0a:aaaa:bbbb:cccc:192:168:128:128"
# Static IPv6 network configuration.
ipv6address: "192.168.128.128"
ipv6netmask: "128" ipv6netmask: "128"
ipv6gateway: "192.168.128.254" ipv6gateway: "fe80::1"
# Static IPv6 nameservers.
ipv6nameserver: ipv6nameserver:
# dns01.eddns.eu
- "2a01:4f9:c012:a813:135:181:207:105" - "2a01:4f9:c012:a813:135:181:207:105"
# dns02.eddns.de
- "2a0a:4cc0:1:e6:89:58:62:53" - "2a0a:4cc0:1:e6:89:58:62:53"
ipv6nameserver_fallback: ipv6nameserver_fallback:
# dnsforge.de
- "2a01:4f8:151:34aa::198" - "2a01:4f8:151:34aa::198"
- "2a01:4f8:141:316d::117" - "2a01:4f8:141:316d::117"
########################################################################################### ################################################################################################################################
# Security settings # # Security settings
########################################################################################### ################################################################################################################################
security: security:
# The installer will ensure that any packages are signed and authenticated. unauthenticated: false # The installer will ensure that any packages are signed and authenticated.
allow_unauthenticated: false unauthenticated_ssl: false # This ensures that the connection between the installer, and the server from which files
# are downloaded, is encrypted and signed by a trusted certificate authority.
# This ensures that the connection between the installer, and the server from which files ################################################################################################################################
# are downloaded, is encrypted and signed by a trusted certificate authority. # Software installation
allow_unauthenticated_ssl: false ################################################################################################################################
###########################################################################################
# Software installation #
###########################################################################################
software: software:
## software core ##############################################################################################################################
# core software
##############################################################################################################################
- apt-show-versions - apt-show-versions
- apt-transport-https - apt-transport-https
- apt-utils - apt-utils
@@ -332,28 +249,38 @@ software:
#- lld #- lld
#- makedev #- makedev
#- ssl-cert #- ssl-cert
## software documentation ##############################################################################################################################
# documentation
##############################################################################################################################
- debian-kernel-handbook - debian-kernel-handbook
- linux-doc-6.12 - linux-doc-6.12
- man-db - man-db
## software encryption ##############################################################################################################################
# encryption
##############################################################################################################################
- dirmngr - dirmngr
- gnupg - gnupg
- haveged - haveged
- pollinate - pollinate
## software files ##############################################################################################################################
# files
##############################################################################################################################
- curl - curl
- rsnapshot - rsnapshot
- rsync - rsync
- unzip - unzip
- wget - wget
- zip - zip
## software malware ##############################################################################################################################
# malware detection
##############################################################################################################################
- chkrootkit - chkrootkit
- clamav - clamav
- clamav-daemon - clamav-daemon
- rkhunter - rkhunter
## software network ##############################################################################################################################
# network
##############################################################################################################################
- dhcpdump - dhcpdump
- dhcping - dhcping
- iftop - iftop
@@ -364,10 +291,15 @@ software:
- net-tools - net-tools
- nmap - nmap
- tshark - tshark
## software parser - ufw
##############################################################################################################################
# parser
##############################################################################################################################
#- jq #- jq
#- yq #- yq
## software partitioning ##############################################################################################################################
# partitioning
##############################################################################################################################
- btrfs-progs - btrfs-progs
- cryptsetup - cryptsetup
- cryptsetup-nuke-password - cryptsetup-nuke-password
@@ -378,7 +310,9 @@ software:
- lvm2 - lvm2
- mdadm - mdadm
- parted - parted
## software password ##############################################################################################################################
# password
##############################################################################################################################
- keychain - keychain
- makepasswd - makepasswd
- pwgen - pwgen
@@ -386,10 +320,13 @@ software:
- wbritish - wbritish
- wfrench - wfrench
- wngerman - wngerman
## software security ##############################################################################################################################
# security
##############################################################################################################################
- fail2ban - fail2ban
- ufw ##############################################################################################################################
## software tools # tools
##############################################################################################################################
- expect - expect
- figlet - figlet
- htop - htop
@@ -398,9 +335,9 @@ software:
- python3 - python3
- virt-what - virt-what
########################################################################################### ################################################################################################################################
# Time settings # # Time settings
########################################################################################### ################################################################################################################################
# Germany : https://www.ptb.de/cms/ptb/fachabteilungen/abtq/gruppe-q4/ref-q42/zeitsynchronisation-von-rechnern-mit-hilfe-des-network-time-protocol-ntp.html # Germany : https://www.ptb.de/cms/ptb/fachabteilungen/abtq/gruppe-q4/ref-q42/zeitsynchronisation-von-rechnern-mit-hilfe-des-network-time-protocol-ntp.html
# Germany : ptbtime1.ptb.de ptbtime2.ptb.de ptbtime3.ptb.de # Germany : ptbtime1.ptb.de ptbtime2.ptb.de ptbtime3.ptb.de
# Germany : https://www.rrze.fau.de/serverdienste/infrastruktur/zeitserver/ # Germany : https://www.rrze.fau.de/serverdienste/infrastruktur/zeitserver/
@@ -418,58 +355,116 @@ ntp:
- "ntp.ripe.net" - "ntp.ripe.net"
- "ptbtime3.ptb.de" - "ptbtime3.ptb.de"
- "ptbtime2.ptb.de" - "ptbtime2.ptb.de"
- "ntp12.metas.ch" - "ptbtime1.ptb.de"
- "ntp13.metas.ch"
- "ntp2.tecnico.ulisboa.pt" - "ntp2.tecnico.ulisboa.pt"
- "time-c-b.nist.gov" - "time-c-b.nist.gov"
- "nts.netnod.se" - "sth1.ntp.se"
- "ntp0.fau.de" - "ntp0.fau.de"
# Any valid setting for $TZ; see the contents of '/usr/share/zoneinfo' for valid values: timezone: "Europe/Lisbon" # Any valid setting for $TZ; see the contents of '/usr/share/zoneinfo' for valid values.
timezone: "Europe/Lisbon" utc: true # Controls whether the hardware clock is set to UTC.
# Controls whether the hardware clock is set to UTC:
utc: true
########################################################################################### ################################################################################################################################
# User settings # # User settings
########################################################################################### ################################################################################################################################
accounts: user:
# For whitelisting and additional hardening of SSH connections, the following IPs MUST be provided. allow_policies: true # For additional hardening of SSH connections '/etc/hosts.allow'.
bastion-vpn-ipv4: 202.61.246.50 # If "allow_policies" = "true", at least one IP MUST be provided:
bastion-vpn-ipv6: 2a03:4000:53:f:abcd:9494:0:2 allow_ipv4:
# If a secure channel for LUKS passphrase input is needed, this MUST be set to "true". - 202.61.246.50
dropbear-ssh: true allow_ipv6:
# For dropbear SSH authentication, an ed25519 PubKey MUST be provided. - 2a03:4000:53:f:abcd:9494:0:2
dropbear-pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG1RNGtD+Uwb45aQcWP//kQgy0K8EfglVsWwD6qyg6Ox 2025_dropbear_master" dropbear_boot: true # Dropbear initramfs integration.
# If decryption via dropbear SSH in the initramfs environment is desired, set to "true" otherwise to "false". ssh_port: 42137 # SSH Port. In case "dropbear_boot" = "true" the same SSH Port will be used.
# MUST be "true" if Nuke Mechanism is chosen for at least one Device in partitioning.yaml. ssh_rootca: "./.preseed/ssh_root_ca.pub"
dropbear-unlock: true
##############################################################################################################################
# root Superuser account (normally disabled for direct login)
##############################################################################################################################
root: root:
# Skip creation of a root account (a normal user account will be able to use sudo): ensure: present # Must always be 'present'.
# For best practice it is RECOMMENDED to configure root, and after setup, you should run protected: true # Prevent unintentional edits or deletions.
# the hardening script. shell: /bin/zsh # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
login: true password: ""
# Create a password hash for the root account: ssh_pubkeys: # List of public SSH keys for authentication.
# sha-512 is NOT RECOMMENDED - ""
# SALT=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16) authentication:
# mkpasswd --method=sha-512 --salt="${SALT}" --rounds=8388608 access:
# Use yescrypt instead that is RECOMMENDED: ssh: false # Allow SSH access.
# mkpasswd --method=yescrypt tty: true # Allow TTY (local console) login.
password-enabled: true password_auth:
password-crypted: "$y$j9T$cyO.ibYUpLZ0GPYUkRF.q0$NhSWX5V8.uKxVKWkCH2cdl62dilvi8mWWnEWksE8Tz0" ssh: false # Allow SSH password login.
# MUST be either "sshpubkey" or "sshcert" tty: true # Allow TTY (local console) password login.
ssh-method: sshcert 2fa:
ssh-pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID2mSRx+Ny8cudr9vOlyfqMYPbZC3jkFaNARTOMh33De 2025_ed25519_coresecret.dev_root" ssh: false # Require 2FA for SSH access.
ssh-rootca: "./.preseed/ssh_root_ca.pub" tty: true # Require 2FA for TTY (local console) login.
ssh-keyrounds: 1024 privileges:
ssh-port: 42137 description: "Root user with full system access and administrative privileges."
user: sudo: false # Whether the user can escalate to root using sudo.
login: false system_user: false # Whether this is a low-UID system user (e.g., for automation).
# In honor of the defender of the freedom of expression: restricted: false # If true, user is limited in scope (e.g., no login, no file access).
fullname: "Donald John Trump" shell_access: true # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
name: "potus"
password-enabled: true ##############################################################################################################################
password-crypted: "$y$j9T$cyO.ibYUpLZ0GPYUkRF.q0$NhSWX5V8.uKxVKWkCH2cdl62dilvi8mWWnEWksE8Tz0" # Primary administrative user with full sudo access
ssh-method: sshcert ##############################################################################################################################
ssh-pubkey: "ssh-ed25519 255 SHA256:glLSH13uNy04qbpDskVTB+3CwtLeuXwxzvqP9w5ZKjM 2025_ed25519_coresecret.dev_potus" user0:
ssh-rootca: "./.preseed/ssh_root_ca.pub" ensure: present # "present" = create user; "absent" = remove user
protected: true # Prevent unintentional edits or deletions.
name: "msw" # The name of the user account.
fullname: "msw" # The full name of the user account holder.
uid: 1000 # Ensures that the same user has the same UID on all systems.
gid: 1000 # Ensures that the same user has the same GID on all systems.
shell: /bin/zsh # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
password: ""
ssh_pubkeys: # List of public SSH keys for authentication.
- ""
authentication:
access:
ssh: true # Allow SSH access.
tty: true # Allow TTY (local console) login.
password_auth:
ssh: false # Allow SSH password login.
tty: true # Allow TTY (local console) password login.
2fa:
ssh: true # Require 2FA for SSH access.
tty: true # Require 2FA for TTY (local console) login.
privileges:
description: "Primary admin user with full sudo access and interactive login."
sudo: true # Whether the user can escalate to root using sudo.
system_user: false # Whether this is a low-UID system user (e.g., for automation).
restricted: false # If true, user is limited in scope (e.g., no login, no file access).
shell_access: true # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
################################################################################
# ansible System user for automation, no interactive shell
################################################################################
user1:
ensure: present # "present" = create user; "absent" = remove user
protected: true # Prevent unintentional edits or deletions.
name: "ansible" # The name of the user account.
fullname: "ansible" # The full name of the user account holder.
uid: 137 # Ensures that the same user has the same UID on all systems.
gid: 137 # Ensures that the same user has the same GID on all systems.
shell: /usr/sbin/nologin # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
password: "" # No password set for ansible user
ssh_pubkeys: # List of public SSH keys for authentication.
- ""
authentication:
access:
ssh: true # Allow SSH access.
tty: false # Allow TTY (local console) login.
password_auth:
ssh: false # Allow SSH password login.
tty: false # Allow TTY (local console) password login.
2fa:
ssh: false # Require 2FA for SSH access.
tty: false # Require 2FA for TTY (local console) login.
privileges:
description: "Automation user without interactive shell and no sudo."
sudo: false # Whether the user can escalate to root using sudo.
system_user: true # Whether this is a low-UID system user (e.g., for automation).
restricted: true # If true, user is limited in scope (e.g., no login, no file access).
shell_access: false # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

8
func/1080_helper_chroot.sh
View File

@@ -15,10 +15,14 @@ guard_sourcing
####################################### #######################################
# Wrapper for executing commands in the desired chroot environment. # Wrapper for executing commands in the desired chroot environment.
# Globals: # Globals:
# ERR_CHRT_COMMAND
# TERM # TERM
# Arguments: # Arguments:
# $1: Target of the chroot environment. # $1: Target of the chroot environment.
# $@: Commands and options and parameters to be executed in chroot. # $@: Commands and options and parameters to be executed in chroot.
# Returns:
# "${ERR_CHRT_COMMAND}": Unsuccessfully executed commands.
# 0: Successfully executed commands.
####################################### #######################################
do_in_target() { do_in_target() {
declare var_chroot_target="$1"; shift declare var_chroot_target="$1"; shift
@@ -28,10 +32,10 @@ do_in_target() {
PATH=/usr/sbin:/usr/bin:/sbin:/bin \ PATH=/usr/sbin:/usr/bin:/sbin:/bin \
TERM="${TERM}" \ TERM="${TERM}" \
"${ary_chroot_command[@]}"; then "${ary_chroot_command[@]}"; then
do_log "info" "false" "Success: chroot ${var_chroot_target}: ${ary_chroot_command[*]}" do_log "info" "true" "Success: chroot ${var_chroot_target}: ${ary_chroot_command[*]}"
return 0 return 0
else else
do_log "emergency" "false" "Failed: chroot ${var_chroot_target}: ${ary_chroot_command[*]}" do_log "emergency" "true" "Failed: chroot ${var_chroot_target}: ${ary_chroot_command[*]}"
return "${ERR_CHRT_COMMAND}" return "${ERR_CHRT_COMMAND}"
fi fi
} }

11
func/4000_debootstrap.sh
View File

@@ -13,21 +13,24 @@
guard_sourcing guard_sourcing
####################################### #######################################
# Install minimal Debian environment via debootstrap command. # Install minimal Debian environment via 'debootstrap' command.
# Globals: # Globals:
# ERR_DEBOOTSTRAP # ERR_DEBOOTSTRAP
# TARGET # TARGET
# architecture
# distribution
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
# "${ERR_DEBOOTSTRAP}" # "${ERR_DEBOOTSTRAP}"
# 0: Successfully executed commands.
####################################### #######################################
func_debootstrap() { func_debootstrap() {
if debootstrap --arch amd64 bookworm "${TARGET}" https://deb.debian.org/debian; then if debootstrap --arch="${architecture}" "${distribution}" "${TARGET}" https://deb.debian.org/debian; then
do_log "info" "false" "Executing 'debootstrap --arch amd64 bookworm '${TARGET}' https://deb.debian.org/debian' successful." do_log "info" "false" "Executing 'debootstrap --arch=${architecture} ${distribution} '${TARGET}' https://deb.debian.org/debian' successful."
return 0 return 0
else else
do_log "emergency" "false" "Executing 'debootstrap --arch amd64 bookworm '${TARGET}' https://deb.debian.org/debian' NOT successful." do_log "emergency" "false" "Executing 'debootstrap --arch=${architecture} ${distribution} '${TARGET}' https://deb.debian.org/debian' NOT successful."
return "${ERR_DEBOOTSTRAP}" return "${ERR_DEBOOTSTRAP}"
fi fi
} }

6
func/4060_generate_crypttab.sh
View File

@@ -13,7 +13,7 @@
guard_sourcing guard_sourcing
####################################### #######################################
# '/etc/crypttab' entry writer and logger. # Generate target '/etc/crypttab' entries.
# Globals: # Globals:
# TARGET # TARGET
# Arguments: # Arguments:
@@ -39,7 +39,7 @@ write_crypttab() {
# HMP_PATH_ENCLABEL # HMP_PATH_ENCLABEL
# HMP_PATH_LUKSUUID # HMP_PATH_LUKSUUID
# TARGET # TARGET
# accounts_dropbear_unlock # user_dropbear_boot
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
@@ -77,7 +77,7 @@ EOF
var_encryption_label="${HMP_PATH_ENCLABEL["${var_key}"]}" var_encryption_label="${HMP_PATH_ENCLABEL["${var_key}"]}"
var_luks_uuid="${HMP_PATH_LUKSUUID["${var_key}"]}" var_luks_uuid="${HMP_PATH_LUKSUUID["${var_key}"]}"
if [[ "${accounts_dropbear_unlock,,}" == "true" ]]; then if [[ "${user_dropbear_boot,,}" == "true" ]]; then
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs" write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs"

169
func/4080_generate_sources.sh
View File

@@ -12,33 +12,59 @@
guard_sourcing guard_sourcing
########################################################################################### #######################################
# Generate target ${TARGET}/etc/apt/sources.list entries # Generate target '/etc/apt/sources.list' entries.
# Globals:
# TARGET
# apt_contrib
# apt_deb_sources
# apt_mirror_directory
# apt_mirror_hostname
# apt_mirror_protocol
# apt_non_free
# apt_non_free_firmware
# apt_sec
# apt_updates_backports
# apt_updates_policy
# apt_updates_release
# apt_updates_security
# arch
# distribution
# Arguments:
# None
#######################################
generate_sources() { generate_sources() {
declare var_contrib var_dir var_hostname var_hostsecure var_non_free var_non_free_firmware var_protocol var_codename var_arch declare -a ary_components
declare var_arch var_codename var_deb_src var_dir var_hostname var_hostsecure var_url var_surl
var_arch="${arch}" var_arch="${architecture,,}"
var_codename=$(lsb_release --codename --short) var_codename="${distribution,,}"
var_dir="${apt_mirror_directory}" var_deb_src="${apt_deb_sources,,}"
var_hostname="${apt_mirror_hostname}" var_dir="${apt_mirror_directory,,}"
var_hostsecure="${apt_security_string}" var_hostname="${apt_mirror_hostname,,}"
var_hostsecure="${apt_sec,,}"
[[ "${apt_contrib,,}" == "true" ]] && var_contrib="contrib" ary_components=(main)
[[ "${apt_contrib,,}" == true ]] && ary_components+=(contrib)
[[ "${apt_non_free,,}" == true ]] && ary_components+=(non-free)
[[ "${apt_non_free_firmware,,}" == true ]] && ary_components+=(non-free-firmware)
[[ "${apt_non_free,,}" == "true" ]] && var_non_free="non-free" if [[ "${apt_mirror_protocol,,}" == "https" ]]; then
var_url="https://${var_hostname}${var_dir}"
[[ "${apt_non_free_firmware,,}" == "true" ]] && var_non_free_firmware="non-free-firmware" var_surl="https://${var_hostsecure}/debian-security"
elif [[ "${apt_mirror_protocol,,}" == "http" ]]; then
if [[ ${apt_mirror_protocol,,} == "https" ]]; then var_url="http://${var_hostname}${var_dir}"
var_protocol="https" var_surl="http://${var_hostsecure}/debian-security"
elif [[ ${apt_mirror_protocol,,} == "http" ]]; then else
var_protocol="http" var_url="https://${var_hostname}${var_dir}"
var_surl="https://${var_hostsecure}/debian-security"
fi fi
: >| "${TARGET}/etc/apt/sources.list" : >| "${TARGET}/etc/apt/sources.list"
chmod 0644 "${TARGET}/etc/apt/sources.list" chmod 0644 "${TARGET}/etc/apt/sources.list"
cat << EOF >> "${TARGET}"/etc/apt/sources.list ### Main Repository
cat << EOF >> "${TARGET}/etc/apt/sources.list"
# /etc/apt/sources.list : Generated by CISS.debian.installer # /etc/apt/sources.list : Generated by CISS.debian.installer
# Architecture : ${var_arch} # Architecture : ${var_arch}
# Distribution : ${var_codename} # Distribution : ${var_codename}
@@ -46,97 +72,86 @@ generate_sources() {
#------------------------------------------------------------------------------------------------------------------------------# #------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS # # OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------# #------------------------------------------------------------------------------------------------------------------------------#
deb ${var_protocol}://${var_hostname}${var_dir} ${var_codename} main ${var_contrib} ${var_non_free} ${var_non_free_firmware} deb ${var_url} ${var_codename} ${ary_components[*]}
deb-src ${var_protocol}://${var_hostname}${var_dir} ${var_codename} main ${var_contrib} ${var_non_free} ${var_non_free_firmware}
EOF EOF
do_log "info" "true" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename} ${ary_components[*]}'."
do_log "info" "true" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_protocol}://${var_hostname}${var_dir} ${var_codename} main ${var_contrib} ${var_non_free} ${var_non_free_firmware}'." if [[ "${var_deb_src}" == "true" ]]; then
do_log "info" "false" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_protocol}://${var_hostname}${var_dir} ${var_codename} main ${var_contrib} ${var_non_free} ${var_non_free_firmware}'." echo "deb-src ${var_url} ${var_codename} ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "true" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename} ${ary_components[*]}'."
fi
### Security Repository
if [[ "${apt_updates_security,,}" == "true" ]]; then if [[ "${apt_updates_security,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/apt/sources.list"
cat << EOF >> "${TARGET}"/etc/apt/sources.list deb ${var_surl} ${var_codename}-security ${ary_components[*]}
deb ${var_protocol}://${var_hostsecure}/debian-security ${var_codename}-security main ${var_contrib} ${var_non_free} ${var_non_free_firmware}
deb-src ${var_protocol}://${var_hostsecure}/debian-security ${var_codename}-security main ${var_contrib} ${var_non_free} ${var_non_free_firmware}
EOF EOF
do_log "info" "true" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_surl} ${var_codename}-security ${ary_components[*]}'."
do_log "info" "false" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_protocol}://${var_hostsecure}/debian-security ${var_codename}-security main ${var_contrib} ${var_non_free} ${var_non_free_firmware}'." if [[ "${var_deb_src}" == "true" ]]; then
do_log "info" "false" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_protocol}://${var_hostsecure}/debian-security ${var_codename}-security main ${var_contrib} ${var_non_free} ${var_non_free_firmware}'." echo "deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "true" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}'."
fi
fi fi
if [[ ${apt_updates_release,,} == "true" ]]; then ### Updates Repository
if [[ "${apt_updates_release,,}" == "true" ]]; then
cat << EOF >> "${TARGET}"/etc/apt/sources.list cat << EOF >> "${TARGET}/etc/apt/sources.list"
deb ${var_protocol}://${var_hostname}${var_dir} ${var_codename}-updates main ${var_contrib} ${var_non_free} ${var_non_free_firmware}
deb-src ${var_protocol}://${var_hostname}${var_dir} ${var_codename}-updates main ${var_contrib} ${var_non_free} ${var_non_free_firmware}
deb ${var_url} ${var_codename}-updates ${ary_components[*]}
EOF EOF
do_log "info" "true" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-updates ${ary_components[*]}'."
do_log "info" "false" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_protocol}://${var_hostname}${var_dir} ${var_codename}-updates main ${var_contrib} ${var_non_free} ${var_non_free_firmware}'." if [[ "${var_deb_src}" == "true" ]]; then
do_log "info" "false" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_protocol}://${var_hostname}${var_dir} ${var_codename}-updates main ${var_contrib} ${var_non_free} ${var_non_free_firmware}'." echo "deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "true" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}'."
fi
fi fi
if [[ ${apt_updates_backports,,} == "true" ]]; then ### Backports Repository
if [[ "${apt_updates_backports,,}" == "true" ]]; then
cat << EOF >> "${TARGET}"/etc/apt/sources.list cat << EOF >> "${TARGET}/etc/apt/sources.list"
deb ${var_protocol}://${var_hostname}${var_dir} ${var_codename}-backports main ${var_contrib} ${var_non_free} ${var_non_free_firmware}
deb-src ${var_protocol}://${var_hostname}${var_dir} ${var_codename}-backports main ${var_contrib} ${var_non_free} ${var_non_free_firmware}
deb ${var_url} ${var_codename}-backports ${ary_components[*]}
EOF EOF
do_log "info" "true" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-backports ${ary_components[*]}'."
do_log "info" "false" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_protocol}://${var_hostname}${var_dir} ${var_codename}-backports main ${var_contrib} ${var_non_free} ${var_non_free_firmware}'." if [[ "${var_deb_src,,}" == "true" ]]; then
do_log "info" "false" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_protocol}://${var_hostname}${var_dir} ${var_codename}-backports main ${var_contrib} ${var_non_free} ${var_non_free_firmware}'." echo "deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "true" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}'."
fi
fi fi
# Clean up 'source.list' ### Clean up 'sources.list'
sed -i '/^#/!s/[[:space:]]\+/ /g' "${TARGET}"/etc/apt/sources.list sed -i '/^#/!s/[[:space:]]\+/ /g' "${TARGET}/etc/apt/sources.list"
cat << EOF >> "${TARGET}/etc/apt/sources.list"
cat << EOF >> "${TARGET}"/etc/apt/sources.list
# Copyright 2018-2025; WEIDNER, Marc S., <msw@coresecret.dev> # Copyright 2018-2025; WEIDNER, Marc S., <msw@coresecret.dev>
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF EOF
if do_in_target "${TARGET}" apt-get update -y; then do_in_target "${TARGET}" apt-get update -y
do_log "info" "true" "Command: 'apt-get update -y' executed in: '${TARGET}'."
else
do_log "emergency" "true" "Failed: Command: 'apt-get update -y' executed in: '${TARGET}'."
fi
if [[ ${apt_updates_policy,,} == "unattended" ]]; then if [[ "${apt_updates_policy,,}" == "unattended" ]]; then
if do_in_target "${TARGET}" apt-get install -y unattended-upgrades; then do_in_target "${TARGET}" apt-get install -y unattended-upgrades
do_log "info" "true" "Command: 'apt-get install -y unattended-upgrades' executed in: '${TARGET}'." do_log "info" "true" "The update policy was set at installation time to '${apt_updates_policy}'."
else
do_log "emergency" "true" "Failed: Command: 'apt-get install -y unattended-upgrades' executed in: '${TARGET}'."
fi
do_log "info" "false" "The update policy was set at installation time to: '${apt_updates_policy}' executed in: '${TARGET}'."
elif [[ ${apt_updates_policy,,} == "security" ]]; then elif [[ "${apt_updates_policy,,}" == "security" ]]; then
if do_in_target "${TARGET}" apt-get install -y unattended-upgrades; then do_in_target "${TARGET}" apt-get install -y unattended-upgrades
do_log "info" "true" "Command: 'apt-get install -y unattended-upgrades' executed in: '${TARGET}'."
else
do_log "emergency" "true" "Failed: Command: 'apt-get install -y unattended-upgrades' executed in: '${TARGET}'."
fi
# shellcheck disable=SC2016 # shellcheck disable=SC2016
sed -i 's/^\s*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${TARGET}"/etc/apt/apt.conf.d/50unattended-upgrades sed -i 's/^[[:space:]]*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${TARGET}/etc/apt/apt.conf.d/50unattended-upgrades"
do_log "info" "false" "The update policy was set at installation time to '${apt_updates_policy}' executed in: '${TARGET}'." do_log "info" "true" "The update policy was set at installation time to '${apt_updates_policy}'."
elif [[ ${apt_updates_policy,,} == "none" ]]; then elif [[ "${apt_updates_policy,,}" == "none" ]]; then
do_log "info" "false" "The update policy was set at installation to: '${apt_updates_policy}'." do_log "info" "true" "The update policy was set at installation time to: '${apt_updates_policy}'."
else else
do_log "warning" "false" "Update policy '${apt_updates_policy}': is not supported. Using 'none' as default." do_log "warning" "true" "Update policy '${apt_updates_policy}': is not supported. Using 'none' as default."
fi fi
do_show_footer "${MODULE_TXT}"
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh