msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m45s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-07-08 19:08:11 +02:00
parent 474941e291
commit b546a0d4af
5 changed files with 379 additions and 362 deletions
Download Patch File Download Diff File Expand all files Collapse all files

501
.preseed/preseed.yaml
View File

@@ -23,137 +23,88 @@ installer:
# APT settings
################################################################################################################################
apt:
# You can choose to install contrib software:
contrib: true
contrib: true # Optionally install contrib software.
deb_sources: true # Optionally includes deb-src entries for source repositories.
default_list: true # By default, source repositories are listed in '/etc/apt/sources.list'. This MUST be "true".
full_upgrade: true # Whether to upgrade packages after debootstrap.
install_recommends: true # Configure APT to not install recommended packages by default.
non_free: true # Optionally install non-free software.
non_free_firmware: true # Optionally install non-free firmware.
sec: "security.debian.org" # Debian Security Updates Archive.
# Optionally includes deb-src entries for source repositories. If set to true, source repos are enabled.
deb-sources: true
# By default, source repositories are listed in /etc/apt/sources.list. This MUST be true:
default-list: true
# Whether to upgrade packages after debootstrap.
# Allowed values: "false" for none; "true" for full-upgrade (RECOMMENDED):
full-upgrade: true
# Configure APT to not install recommended packages by default. Use of this option can
# result in an incomplete system and should only be used by very experienced users:
install-recommends: true
# A network mirror MUST be used to supplement the software not included on the
# installation media. This may also make newer versions of software available.
# This MUST be true:
##############################################################################################################################
# A network mirror MUST be used to supplement the software not included on the installation media. This may also make newer
# versions of software available.
##############################################################################################################################
mirror:
activate: true
# Country code of mirror destination:
country: "US"
# Debian archive mirror directory. Please enter the directory in which the mirror of
# the Debian archive is located:
directory: "/debian/"
# Debian archive mirror hostname. Please enter the hostname of the mirror from which
# Debian will be downloaded. An alternate port can be specified using the standard
# [hostname]:[port] format:
hostname: "deb.debian.org"
# Debian archive mirror country. The goal is to find a mirror of the Debian archive that
# is close to you on the network -- be aware that nearby countries, or even your own, may
# not be the best choice.
https-country: "US"
# Please select the protocol to be used for downloading files, where "https" is RECOMMENDED.
protocol: "https"
# HTTP proxy information (blank for none). If you need to use an HTTP proxy to access the
# outside world, enter the proxy information here. Otherwise, leave this blank. The proxy
# information should be given in the standard form of "http://[[user][:pass]@]host[:port]/".
proxy: ""
# Suite to install MUST be one of "stable", "testing", "experimental":
suite: "stable"
# You can choose to install non-free:
non-free: true
# You can choose to install non-free firmware:
non-free-firmware: true
# Debian archive security string
security-string: "security.debian.org"
activate: true # MUST be "true".
country: "US" # Country code of mirror destination.
directory: "/debian/" # Debian archive mirror directory in which the mirror of the Debian archive is located.
hostname: "deb.debian.org" # Debian archive mirror hostname.
https-country: "US" # Debian archive mirror country.
protocol: "https" # Protocol to be used for downloading files, where "https" is RECOMMENDED.
proxy: "" # HTTP proxy information (blank for none) or "http://[[user][:pass]@]host[:port]/"
##############################################################################################################################
# Debian has the following services that provide updates.
#
# Security updates help to keep your system secured against attacks.
# Enabling this service is strongly recommended.
# Backported software is adapted from the development version to work with this release. Although this software has not gone
# through such complete testings as that contained in the release, it includes newer versions of some applications that may
# provide useful features. Enabling backports here does not cause any of them to be installed by default; it only allows you
# to manually select backports to use.
#
# Release updates provide more current versions for software that changes relatively
# frequently and where not having the latest version could reduce the usability of the
# software. It also provides regression fixes. This service is only available for stable
# and oldstable releases.
# Release updates provide more current versions for software that changes relatively frequently and where not having the
# latest version could reduce the usability of the software. It also provides regression fixes. This service is only
# available for stable and oldstable releases.
#
# Backported software is adapted from the development version to work with this release.
# Although this software has not gone through such complete testings as that contained in
# the release, it includes newer versions of some applications that may provide useful
# features. Enabling backports here does not cause any of them to be installed by default;
# it only allows you to manually select backports to use.
# Security updates help to keep your system secured against attacks. Enabling this service is strongly recommended.
#
# Applying updates on a frequent basis is an important part of keeping the system secure. By default, security updates are not
# automatically installed, as security advisories should be reviewed before manual installation of the updates using standard
# package management tools.
#
# Alternatively, the unattended-upgrades package can be installed, which will install security updates automatically. Note,
# however, that automatic installation of updates may occasionally cause unexpected downtime of services provided by this
# machine in the rare cases where the update is not fully backward-compatible, or where the security advisory requires the
# administrator to perform some other manual operation. Possible choices: "none", "security", "unattended" (RECOMMENDED)
##############################################################################################################################
updates:
backports: true
release: true
security: true
# Applying updates on a frequent basis is an important part of keeping the system secure.
#
# By default, security updates are not automatically installed, as security advisories should be
# reviewed before manual installation of the updates using standard package management tools.
#
# Alternatively, the unattended-upgrades package can be installed, which will install security
# updates automatically.
# Note, however, that automatic installation of updates may occasionally cause unexpected downtime
# of services provided by this machine in the rare cases where the update is not fully backward-compatible,
# or where the security advisory requires the administrator to perform some other manual operation.
#
# Possible choices: none, security, unattended (RECOMMENDED)
policy: "unattended"
###########################################################################################
# Basic settings #
###########################################################################################
# Please specify the architecture of the server to be installed:
arch: "amd64" # MUST be "amd64" || "intel64". "arm64" is NOT supported
################################################################################################################################
# Basic settings
################################################################################################################################
architecture: "amd64" # MUST be one of "amd64" or "arm64".
distribution: "bookworm" # MUST be "bookworm".
debian_suite: "stable" # MUST be "stable". Not supported yet: "testing", "experimental".
exit:
halt: false # This is how to make the installer shutdown when finished, but not reboot.
poweroff: true # This will power off the machine instead of just halting it (RECOMMENDED).
reboot: false # This will reboot the machine.
image: "linux-image-amd64" # Could be a meta-package or a specific image like:
# "linux-image-amd64" || "linux-image-arm64"
# "linux-image-cloud-amd64" || "linux-image-cloud-arm64"
# "linux-image-rt-amd64" || "linux-image-rt-arm64"
# "linux-image-6.12.30+bpo-amd64"
firmware:
install: true # If non-free firmware is needed for the network or other hardware, autoinstall it.
lookup: "missing" # "never" Completely disables the firmware search.
# "missing" Searches only when the firmware is needed. (default)
# "always" Always searches and asks for any firmware that could be useful for the hardware.
# This is how to make the installer shutdown when finished, but not reboot:
exit-halt: false
# This will power off the machine instead of just halting it (RECOMMENDED):
exit-poweroff: true
# This will reboot the machine:
exit-reboot: false
# If non-free firmware is needed for the network or other hardware, you can configure the #
# installer to always try to load it without prompting.
firmware-install: true
# Firmware settings
# "never": Completely disables the firmware search.
# "missing": Searches only when the firmware is needed. (default)
# "always": Always searches and asks for any firmware that could be useful for the hardware.
firmware-lookup: "missing"
# The kernel image to be installed; "none" can be used if no kernel is to be installed:
kernel: "linux-image-6.12.30+bpo-amd64"
###########################################################################################
# GRUB2 settings #
###########################################################################################
################################################################################################################################
# GRUB2 settings
################################################################################################################################
grub:
background:
# If you want to change the GRUB background, please change to "true":
enable: true
# Specify the path from which the image should be loaded.
# RECOMMENDED settings: JPG 1280 x 1024 px or JPG 1920 x 1080 px
background: # RECOMMENDED settings: JPG 1280 x 1024 px or JPG 1920 x 1080 px
enable: true # If you want to add a GRUB background.
path: "/root/CISS.2025.debian.installer/.assets/background/background_hexagon_1280.jpg"
# Due notably to potential USB sticks, the location of the primary drive cannot be
# determined safely in general, so this needs to be specified:
bootdev: "/dev/sda"
# Force GRUB installation to the EFI removable media path?
bootdev: "/dev/sda" # Due notably to potential USB sticks, the location of the primary drive cannot be determined
# safely in general, so this needs to be specified.
force_efi: false # Force GRUB installation to the EFI removable media path?
# It seems that this computer is configured to boot via EFI, but maybe that configuration will
# not work for booting from the hard drive. Some EFI firmware implementations do not meet the
# EFI specification (i.e., they are buggy) and do not support proper configuration of boot
@@ -165,38 +116,25 @@ grub:
#
# Warning: If the installer failed to detect another operating system that is present on your
# computer that also depends on this fallback, installing GRUB there will make that operating
# system temporarily unbootable. GRUB can be manually configured later to boot it if necessary:
force-efi-extra-removable: false
# Set this to 'true' to install the latest GRUB2 backported package for encrypted '/boot' support.
# MUST be 'true' in the case of 'LUKS2' and / or 'dm-integrity' encrypted '/boot/':
latest: true
# This is fairly safe to set; it makes grub install automatically to the UEFI partition '/boot'
# record if no other operating system is detected on the machine:
only-debian: true
# This one makes grub-installer install to the UEFI partition/boot record, if it also finds
# some other OS, which is less safe as it might not be able to boot that other OS:
other-os: true
# OS-prober did not detect any other operating systems on your computer at this time, but you
# may still wish to enable it in case you install more in the future:
prober: false
# Skip installing grub:
skip: false
# Update NVRAM variables to automatically boot into Debian?
# system temporarily unbootable. GRUB can be manually configured later to boot it if necessary.
latest: true # Install the latest GRUB2 backported package for encrypted '/boot' support.
# MUST be "true" in the case of 'LUKS2' and / or 'dm-integrity' encrypted '/boot'
only_debian: true # This is fairly safe to set; it makes grub install automatically to the UEFI partition '/boot'
# record if no other operating system is detected on the machine.
other-os: true # This one makes grub-installer install to the UEFI partition '/boot' record, if it also finds
# some other OS, which is less safe as it might not be able to boot that other OS.
prober: false # OS-prober did not detect any other operating systems on your computer at this time, but you
# may still wish to enable it in case you install more in the future.
skip: false # Skip installing grub.
update_nvram: true # Update NVRAM variables to automatically boot into Debian?
# GRUB can configure your platform's NVRAM variables so that it boots into Debian automatically
# when powered on. However, you may prefer to disable this behavior and avoid changes to your
# boot configuration. For example, if your NVRAM variables have been set up such that your
# system contacts a PXE server on every boot, this would preserve that behavior:
update-nvram: true
###########################################################################################
# Locale settings set language, country, locale, keyboard map and timezone #
###########################################################################################
################################################################################################################################
# Locale settings set language, country, locale, keyboard map and timezone
################################################################################################################################
locale:
country: "US"
keyboard:
@@ -206,84 +144,63 @@ locale:
locale: "en_US.UTF-8"
timezone: "Europe/Lisbon"
###########################################################################################
# Network settings #
###########################################################################################
################################################################################################################################
# Network settings
################################################################################################################################
network:
autoconfig:
# Automatic network configuration is the default. If you prefer to configure the network
enable: true # Automatic network configuration is the default. If you prefer to configure the network
# manually, change 'network.autoconfig.enable' from "true" to "false" and configure
# - 'network.choose_interface.static'
# - 'network.hostname'
# - 'network.ipv6'
# - 'network.static' section
enable: true
choose_interface:
# Choose an interface that has a link if possible. Or skip this via "false" and manually configure the static NIC below.
auto: true
# If auto-detect fails, specify a particular interface instead:
static: "eth1"
# Please specify the FQDN of the server:
hostname: "nsa.usic.gov"
# Please specify if you want to use IPv6:
ipv6: "true"
# Timeout settings
auto: true # Choose an interface that has a link if possible. Or manually configure the static NIC below.
static: "eth1" # If auto-detect fails or for manual configuration, specify a particular interface.
hostname: "nsa.usic.gov" # Specify the FQDN of the server.
ipv6: true # Specify if you want to use IPv6:
timeout:
# If the dhcp server is slow, and the installer times out waiting for it, this might be useful.
dhcp: 60
# To set a different link detection timeout (default is 3 seconds):
linkwait: 60
dhcp: 60 # If the dhcp server is slow, and the installer times out waiting for it, this might be useful.
linkwait: 60 # To set a different link detection timeout (default is 3 seconds).
static:
# If you want the preconfiguration file to work on systems both with and without a dhcp
enable: true # If you want the preconfiguration file to work on systems both with and without a dhcp
# server, change 'network.static.enable' from "false" to "true" and configure the static
# configuration below.
enable: true
# Static IPv4 network configuration.
ipv4address: "192.168.128.128"
ipv4netmask: "255.255.255.0"
ipv4gateway: "192.168.128.254"
# Static IPv4 nameservers.
ipv4nameserver:
# dns01.eddns.eu
- "135.181.207.105"
# dns02.eddns.de
- "89.58.62.53"
# Static IPv4 fallback nameservers.
- "135.181.207.105" # dns01.eddns.eu
- "89.58.62.53" # dns02.eddns.de
ipv4nameserver_fallback:
# dnsforge.de
- "176.9.93.198"
- "176.9.1.117"
# Static IPv6 network configuration.
ipv6address: "192.168.128.128"
- "176.9.93.198" # dnsforge.de
- "176.9.1.117" # dnsforge.de
ipv6address: "2a0a:aaaa:bbbb:cccc:192:168:128:128"
ipv6netmask: "128"
ipv6gateway: "192.168.128.254"
# Static IPv6 nameservers.
ipv6gateway: "fe80::1"
ipv6nameserver:
# dns01.eddns.eu
- "2a01:4f9:c012:a813:135:181:207:105"
# dns02.eddns.de
- "2a0a:4cc0:1:e6:89:58:62:53"
ipv6nameserver_fallback:
# dnsforge.de
- "2a01:4f8:151:34aa::198"
- "2a01:4f8:141:316d::117"
###########################################################################################
# Security settings #
###########################################################################################
################################################################################################################################
# Security settings
################################################################################################################################
security:
# The installer will ensure that any packages are signed and authenticated.
allow_unauthenticated: false
# This ensures that the connection between the installer, and the server from which files
unauthenticated: false # The installer will ensure that any packages are signed and authenticated.
unauthenticated_ssl: false # This ensures that the connection between the installer, and the server from which files
# are downloaded, is encrypted and signed by a trusted certificate authority.
allow_unauthenticated_ssl: false
###########################################################################################
# Software installation #
###########################################################################################
################################################################################################################################
# Software installation
################################################################################################################################
software:
## software core
##############################################################################################################################
# core software
##############################################################################################################################
- apt-show-versions
- apt-transport-https
- apt-utils
@@ -332,28 +249,38 @@ software:
#- lld
#- makedev
#- ssl-cert
## software documentation
##############################################################################################################################
# documentation
##############################################################################################################################
- debian-kernel-handbook
- linux-doc-6.12
- man-db
## software encryption
##############################################################################################################################
# encryption
##############################################################################################################################
- dirmngr
- gnupg
- haveged
- pollinate
## software files
##############################################################################################################################
# files
##############################################################################################################################
- curl
- rsnapshot
- rsync
- unzip
- wget
- zip
## software malware
##############################################################################################################################
# malware detection
##############################################################################################################################
- chkrootkit
- clamav
- clamav-daemon
- rkhunter
## software network
##############################################################################################################################
# network
##############################################################################################################################
- dhcpdump
- dhcping
- iftop
@@ -364,10 +291,15 @@ software:
- net-tools
- nmap
- tshark
## software parser
- ufw
##############################################################################################################################
# parser
##############################################################################################################################
#- jq
#- yq
## software partitioning
##############################################################################################################################
# partitioning
##############################################################################################################################
- btrfs-progs
- cryptsetup
- cryptsetup-nuke-password
@@ -378,7 +310,9 @@ software:
- lvm2
- mdadm
- parted
## software password
##############################################################################################################################
# password
##############################################################################################################################
- keychain
- makepasswd
- pwgen
@@ -386,10 +320,13 @@ software:
- wbritish
- wfrench
- wngerman
## software security
##############################################################################################################################
# security
##############################################################################################################################
- fail2ban
- ufw
## software tools
##############################################################################################################################
# tools
##############################################################################################################################
- expect
- figlet
- htop
@@ -398,9 +335,9 @@ software:
- python3
- virt-what
###########################################################################################
# Time settings #
###########################################################################################
################################################################################################################################
# Time settings
################################################################################################################################
# Germany : https://www.ptb.de/cms/ptb/fachabteilungen/abtq/gruppe-q4/ref-q42/zeitsynchronisation-von-rechnern-mit-hilfe-des-network-time-protocol-ntp.html
# Germany : ptbtime1.ptb.de ptbtime2.ptb.de ptbtime3.ptb.de
# Germany : https://www.rrze.fau.de/serverdienste/infrastruktur/zeitserver/
@@ -418,58 +355,116 @@ ntp:
- "ntp.ripe.net"
- "ptbtime3.ptb.de"
- "ptbtime2.ptb.de"
- "ntp12.metas.ch"
- "ptbtime1.ptb.de"
- "ntp13.metas.ch"
- "ntp2.tecnico.ulisboa.pt"
- "time-c-b.nist.gov"
- "nts.netnod.se"
- "sth1.ntp.se"
- "ntp0.fau.de"
# Any valid setting for $TZ; see the contents of '/usr/share/zoneinfo' for valid values:
timezone: "Europe/Lisbon"
# Controls whether the hardware clock is set to UTC:
utc: true
timezone: "Europe/Lisbon" # Any valid setting for $TZ; see the contents of '/usr/share/zoneinfo' for valid values.
utc: true # Controls whether the hardware clock is set to UTC.
###########################################################################################
# User settings #
###########################################################################################
accounts:
# For whitelisting and additional hardening of SSH connections, the following IPs MUST be provided.
bastion-vpn-ipv4: 202.61.246.50
bastion-vpn-ipv6: 2a03:4000:53:f:abcd:9494:0:2
# If a secure channel for LUKS passphrase input is needed, this MUST be set to "true".
dropbear-ssh: true
# For dropbear SSH authentication, an ed25519 PubKey MUST be provided.
dropbear-pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG1RNGtD+Uwb45aQcWP//kQgy0K8EfglVsWwD6qyg6Ox 2025_dropbear_master"
# If decryption via dropbear SSH in the initramfs environment is desired, set to "true" otherwise to "false".
# MUST be "true" if Nuke Mechanism is chosen for at least one Device in partitioning.yaml.
dropbear-unlock: true
root:
# Skip creation of a root account (a normal user account will be able to use sudo):
# For best practice it is RECOMMENDED to configure root, and after setup, you should run
# the hardening script.
login: true
# Create a password hash for the root account:
# sha-512 is NOT RECOMMENDED
# SALT=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16)
# mkpasswd --method=sha-512 --salt="${SALT}" --rounds=8388608
# Use yescrypt instead that is RECOMMENDED:
# mkpasswd --method=yescrypt
password-enabled: true
password-crypted: "$y$j9T$cyO.ibYUpLZ0GPYUkRF.q0$NhSWX5V8.uKxVKWkCH2cdl62dilvi8mWWnEWksE8Tz0"
# MUST be either "sshpubkey" or "sshcert"
ssh-method: sshcert
ssh-pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID2mSRx+Ny8cudr9vOlyfqMYPbZC3jkFaNARTOMh33De 2025_ed25519_coresecret.dev_root"
ssh-rootca: "./.preseed/ssh_root_ca.pub"
ssh-keyrounds: 1024
ssh-port: 42137
################################################################################################################################
# User settings
################################################################################################################################
user:
login: false
# In honor of the defender of the freedom of expression:
fullname: "Donald John Trump"
name: "potus"
password-enabled: true
password-crypted: "$y$j9T$cyO.ibYUpLZ0GPYUkRF.q0$NhSWX5V8.uKxVKWkCH2cdl62dilvi8mWWnEWksE8Tz0"
ssh-method: sshcert
ssh-pubkey: "ssh-ed25519 255 SHA256:glLSH13uNy04qbpDskVTB+3CwtLeuXwxzvqP9w5ZKjM 2025_ed25519_coresecret.dev_potus"
ssh-rootca: "./.preseed/ssh_root_ca.pub"
allow_policies: true # For additional hardening of SSH connections '/etc/hosts.allow'.
# If "allow_policies" = "true", at least one IP MUST be provided:
allow_ipv4:
- 202.61.246.50
allow_ipv6:
- 2a03:4000:53:f:abcd:9494:0:2
dropbear_boot: true # Dropbear initramfs integration.
ssh_port: 42137 # SSH Port. In case "dropbear_boot" = "true" the same SSH Port will be used.
ssh_rootca: "./.preseed/ssh_root_ca.pub"
##############################################################################################################################
# root Superuser account (normally disabled for direct login)
##############################################################################################################################
root:
ensure: present # Must always be 'present'.
protected: true # Prevent unintentional edits or deletions.
shell: /bin/zsh # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
password: ""
ssh_pubkeys: # List of public SSH keys for authentication.
- ""
authentication:
access:
ssh: false # Allow SSH access.
tty: true # Allow TTY (local console) login.
password_auth:
ssh: false # Allow SSH password login.
tty: true # Allow TTY (local console) password login.
2fa:
ssh: false # Require 2FA for SSH access.
tty: true # Require 2FA for TTY (local console) login.
privileges:
description: "Root user with full system access and administrative privileges."
sudo: false # Whether the user can escalate to root using sudo.
system_user: false # Whether this is a low-UID system user (e.g., for automation).
restricted: false # If true, user is limited in scope (e.g., no login, no file access).
shell_access: true # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
##############################################################################################################################
# Primary administrative user with full sudo access
##############################################################################################################################
user0:
ensure: present # "present" = create user; "absent" = remove user
protected: true # Prevent unintentional edits or deletions.
name: "msw" # The name of the user account.
fullname: "msw" # The full name of the user account holder.
uid: 1000 # Ensures that the same user has the same UID on all systems.
gid: 1000 # Ensures that the same user has the same GID on all systems.
shell: /bin/zsh # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
password: ""
ssh_pubkeys: # List of public SSH keys for authentication.
- ""
authentication:
access:
ssh: true # Allow SSH access.
tty: true # Allow TTY (local console) login.
password_auth:
ssh: false # Allow SSH password login.
tty: true # Allow TTY (local console) password login.
2fa:
ssh: true # Require 2FA for SSH access.
tty: true # Require 2FA for TTY (local console) login.
privileges:
description: "Primary admin user with full sudo access and interactive login."
sudo: true # Whether the user can escalate to root using sudo.
system_user: false # Whether this is a low-UID system user (e.g., for automation).
restricted: false # If true, user is limited in scope (e.g., no login, no file access).
shell_access: true # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
################################################################################
# ansible System user for automation, no interactive shell
################################################################################
user1:
ensure: present # "present" = create user; "absent" = remove user
protected: true # Prevent unintentional edits or deletions.
name: "ansible" # The name of the user account.
fullname: "ansible" # The full name of the user account holder.
uid: 137 # Ensures that the same user has the same UID on all systems.
gid: 137 # Ensures that the same user has the same GID on all systems.
shell: /usr/sbin/nologin # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
password: "" # No password set for ansible user
ssh_pubkeys: # List of public SSH keys for authentication.
- ""
authentication:
access:
ssh: true # Allow SSH access.
tty: false # Allow TTY (local console) login.
password_auth:
ssh: false # Allow SSH password login.
tty: false # Allow TTY (local console) password login.
2fa:
ssh: false # Require 2FA for SSH access.
tty: false # Require 2FA for TTY (local console) login.
privileges:
description: "Automation user without interactive shell and no sudo."
sudo: false # Whether the user can escalate to root using sudo.
system_user: true # Whether this is a low-UID system user (e.g., for automation).
restricted: true # If true, user is limited in scope (e.g., no login, no file access).
shell_access: false # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

8
func/1080_helper_chroot.sh
View File

@@ -15,10 +15,14 @@ guard_sourcing
#######################################
# Wrapper for executing commands in the desired chroot environment.
# Globals:
# ERR_CHRT_COMMAND
# TERM
# Arguments:
# $1: Target of the chroot environment.
# $@: Commands and options and parameters to be executed in chroot.
# Returns:
# "${ERR_CHRT_COMMAND}": Unsuccessfully executed commands.
# 0: Successfully executed commands.
#######################################
do_in_target() {
declare var_chroot_target="$1"; shift
@@ -28,10 +32,10 @@ do_in_target() {
PATH=/usr/sbin:/usr/bin:/sbin:/bin \
TERM="${TERM}" \
"${ary_chroot_command[@]}"; then
do_log "info" "false" "Success: chroot ${var_chroot_target}: ${ary_chroot_command[*]}"
do_log "info" "true" "Success: chroot ${var_chroot_target}: ${ary_chroot_command[*]}"
return 0
else
do_log "emergency" "false" "Failed: chroot ${var_chroot_target}: ${ary_chroot_command[*]}"
do_log "emergency" "true" "Failed: chroot ${var_chroot_target}: ${ary_chroot_command[*]}"
return "${ERR_CHRT_COMMAND}"
fi
}

11
func/4000_debootstrap.sh
View File

@@ -13,21 +13,24 @@
guard_sourcing
#######################################
# Install minimal Debian environment via debootstrap command.
# Install minimal Debian environment via 'debootstrap' command.
# Globals:
# ERR_DEBOOTSTRAP
# TARGET
# architecture
# distribution
# Arguments:
# None
# Returns:
# "${ERR_DEBOOTSTRAP}"
# 0: Successfully executed commands.
#######################################
func_debootstrap() {
if debootstrap --arch amd64 bookworm "${TARGET}" https://deb.debian.org/debian; then
do_log "info" "false" "Executing 'debootstrap --arch amd64 bookworm '${TARGET}' https://deb.debian.org/debian' successful."
if debootstrap --arch="${architecture}" "${distribution}" "${TARGET}" https://deb.debian.org/debian; then
do_log "info" "false" "Executing 'debootstrap --arch=${architecture} ${distribution} '${TARGET}' https://deb.debian.org/debian' successful."
return 0
else
do_log "emergency" "false" "Executing 'debootstrap --arch amd64 bookworm '${TARGET}' https://deb.debian.org/debian' NOT successful."
do_log "emergency" "false" "Executing 'debootstrap --arch=${architecture} ${distribution} '${TARGET}' https://deb.debian.org/debian' NOT successful."
return "${ERR_DEBOOTSTRAP}"
fi
}

6
func/4060_generate_crypttab.sh
View File

@@ -13,7 +13,7 @@
guard_sourcing
#######################################
# '/etc/crypttab' entry writer and logger.
# Generate target '/etc/crypttab' entries.
# Globals:
# TARGET
# Arguments:
@@ -39,7 +39,7 @@ write_crypttab() {
# HMP_PATH_ENCLABEL
# HMP_PATH_LUKSUUID
# TARGET
# accounts_dropbear_unlock
# user_dropbear_boot
# Arguments:
# None
# Returns:
@@ -77,7 +77,7 @@ EOF
var_encryption_label="${HMP_PATH_ENCLABEL["${var_key}"]}"
var_luks_uuid="${HMP_PATH_LUKSUUID["${var_key}"]}"
if [[ "${accounts_dropbear_unlock,,}" == "true" ]]; then
if [[ "${user_dropbear_boot,,}" == "true" ]]; then
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs"

169
func/4080_generate_sources.sh
View File

@@ -12,33 +12,59 @@
guard_sourcing
###########################################################################################
# Generate target ${TARGET}/etc/apt/sources.list entries
#######################################
# Generate target '/etc/apt/sources.list' entries.
# Globals:
# TARGET
# apt_contrib
# apt_deb_sources
# apt_mirror_directory
# apt_mirror_hostname
# apt_mirror_protocol
# apt_non_free
# apt_non_free_firmware
# apt_sec
# apt_updates_backports
# apt_updates_policy
# apt_updates_release
# apt_updates_security
# arch
# distribution
# Arguments:
# None
#######################################
generate_sources() {
declare var_contrib var_dir var_hostname var_hostsecure var_non_free var_non_free_firmware var_protocol var_codename var_arch
declare -a ary_components
declare var_arch var_codename var_deb_src var_dir var_hostname var_hostsecure var_url var_surl
var_arch="${arch}"
var_codename=$(lsb_release --codename --short)
var_dir="${apt_mirror_directory}"
var_hostname="${apt_mirror_hostname}"
var_hostsecure="${apt_security_string}"
var_arch="${architecture,,}"
var_codename="${distribution,,}"
var_deb_src="${apt_deb_sources,,}"
var_dir="${apt_mirror_directory,,}"
var_hostname="${apt_mirror_hostname,,}"
var_hostsecure="${apt_sec,,}"
[[ "${apt_contrib,,}" == "true" ]] && var_contrib="contrib"
ary_components=(main)
[[ "${apt_contrib,,}" == true ]] && ary_components+=(contrib)
[[ "${apt_non_free,,}" == true ]] && ary_components+=(non-free)
[[ "${apt_non_free_firmware,,}" == true ]] && ary_components+=(non-free-firmware)
[[ "${apt_non_free,,}" == "true" ]] && var_non_free="non-free"
[[ "${apt_non_free_firmware,,}" == "true" ]] && var_non_free_firmware="non-free-firmware"
if [[ ${apt_mirror_protocol,,} == "https" ]]; then
var_protocol="https"
elif [[ ${apt_mirror_protocol,,} == "http" ]]; then
var_protocol="http"
if [[ "${apt_mirror_protocol,,}" == "https" ]]; then
var_url="https://${var_hostname}${var_dir}"
var_surl="https://${var_hostsecure}/debian-security"
elif [[ "${apt_mirror_protocol,,}" == "http" ]]; then
var_url="http://${var_hostname}${var_dir}"
var_surl="http://${var_hostsecure}/debian-security"
else
var_url="https://${var_hostname}${var_dir}"
var_surl="https://${var_hostsecure}/debian-security"
fi
: >| "${TARGET}/etc/apt/sources.list"
chmod 0644 "${TARGET}/etc/apt/sources.list"
cat << EOF >> "${TARGET}"/etc/apt/sources.list
### Main Repository
cat << EOF >> "${TARGET}/etc/apt/sources.list"
# /etc/apt/sources.list : Generated by CISS.debian.installer
# Architecture : ${var_arch}
# Distribution : ${var_codename}
@@ -46,97 +72,86 @@ generate_sources() {
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
deb ${var_protocol}://${var_hostname}${var_dir} ${var_codename} main ${var_contrib} ${var_non_free} ${var_non_free_firmware}
deb-src ${var_protocol}://${var_hostname}${var_dir} ${var_codename} main ${var_contrib} ${var_non_free} ${var_non_free_firmware}
deb ${var_url} ${var_codename} ${ary_components[*]}
EOF
do_log "info" "true" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename} ${ary_components[*]}'."
do_log "info" "true" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_protocol}://${var_hostname}${var_dir} ${var_codename} main ${var_contrib} ${var_non_free} ${var_non_free_firmware}'."
do_log "info" "false" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_protocol}://${var_hostname}${var_dir} ${var_codename} main ${var_contrib} ${var_non_free} ${var_non_free_firmware}'."
if [[ "${var_deb_src}" == "true" ]]; then
echo "deb-src ${var_url} ${var_codename} ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "true" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename} ${ary_components[*]}'."
fi
### Security Repository
if [[ "${apt_updates_security,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/apt/sources.list"
cat << EOF >> "${TARGET}"/etc/apt/sources.list
deb ${var_protocol}://${var_hostsecure}/debian-security ${var_codename}-security main ${var_contrib} ${var_non_free} ${var_non_free_firmware}
deb-src ${var_protocol}://${var_hostsecure}/debian-security ${var_codename}-security main ${var_contrib} ${var_non_free} ${var_non_free_firmware}
deb ${var_surl} ${var_codename}-security ${ary_components[*]}
EOF
do_log "info" "false" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_protocol}://${var_hostsecure}/debian-security ${var_codename}-security main ${var_contrib} ${var_non_free} ${var_non_free_firmware}'."
do_log "info" "false" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_protocol}://${var_hostsecure}/debian-security ${var_codename}-security main ${var_contrib} ${var_non_free} ${var_non_free_firmware}'."
do_log "info" "true" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_surl} ${var_codename}-security ${ary_components[*]}'."
if [[ "${var_deb_src}" == "true" ]]; then
echo "deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "true" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}'."
fi
fi
if [[ ${apt_updates_release,,} == "true" ]]; then
cat << EOF >> "${TARGET}"/etc/apt/sources.list
deb ${var_protocol}://${var_hostname}${var_dir} ${var_codename}-updates main ${var_contrib} ${var_non_free} ${var_non_free_firmware}
deb-src ${var_protocol}://${var_hostname}${var_dir} ${var_codename}-updates main ${var_contrib} ${var_non_free} ${var_non_free_firmware}
### Updates Repository
if [[ "${apt_updates_release,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/apt/sources.list"
deb ${var_url} ${var_codename}-updates ${ary_components[*]}
EOF
do_log "info" "false" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_protocol}://${var_hostname}${var_dir} ${var_codename}-updates main ${var_contrib} ${var_non_free} ${var_non_free_firmware}'."
do_log "info" "false" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_protocol}://${var_hostname}${var_dir} ${var_codename}-updates main ${var_contrib} ${var_non_free} ${var_non_free_firmware}'."
do_log "info" "true" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-updates ${ary_components[*]}'."
if [[ "${var_deb_src}" == "true" ]]; then
echo "deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "true" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}'."
fi
fi
if [[ ${apt_updates_backports,,} == "true" ]]; then
cat << EOF >> "${TARGET}"/etc/apt/sources.list
deb ${var_protocol}://${var_hostname}${var_dir} ${var_codename}-backports main ${var_contrib} ${var_non_free} ${var_non_free_firmware}
deb-src ${var_protocol}://${var_hostname}${var_dir} ${var_codename}-backports main ${var_contrib} ${var_non_free} ${var_non_free_firmware}
### Backports Repository
if [[ "${apt_updates_backports,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/apt/sources.list"
deb ${var_url} ${var_codename}-backports ${ary_components[*]}
EOF
do_log "info" "false" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_protocol}://${var_hostname}${var_dir} ${var_codename}-backports main ${var_contrib} ${var_non_free} ${var_non_free_firmware}'."
do_log "info" "false" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_protocol}://${var_hostname}${var_dir} ${var_codename}-backports main ${var_contrib} ${var_non_free} ${var_non_free_firmware}'."
do_log "info" "true" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-backports ${ary_components[*]}'."
if [[ "${var_deb_src,,}" == "true" ]]; then
echo "deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "true" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}'."
fi
fi
# Clean up 'source.list'
sed -i '/^#/!s/[[:space:]]\+/ /g' "${TARGET}"/etc/apt/sources.list
### Clean up 'sources.list'
sed -i '/^#/!s/[[:space:]]\+/ /g' "${TARGET}/etc/apt/sources.list"
cat << EOF >> "${TARGET}/etc/apt/sources.list"
cat << EOF >> "${TARGET}"/etc/apt/sources.list
# Copyright 2018-2025; WEIDNER, Marc S., <msw@coresecret.dev>
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
if do_in_target "${TARGET}" apt-get update -y; then
do_log "info" "true" "Command: 'apt-get update -y' executed in: '${TARGET}'."
else
do_log "emergency" "true" "Failed: Command: 'apt-get update -y' executed in: '${TARGET}'."
fi
do_in_target "${TARGET}" apt-get update -y
if [[ ${apt_updates_policy,,} == "unattended" ]]; then
if [[ "${apt_updates_policy,,}" == "unattended" ]]; then
if do_in_target "${TARGET}" apt-get install -y unattended-upgrades; then
do_log "info" "true" "Command: 'apt-get install -y unattended-upgrades' executed in: '${TARGET}'."
else
do_log "emergency" "true" "Failed: Command: 'apt-get install -y unattended-upgrades' executed in: '${TARGET}'."
fi
do_log "info" "false" "The update policy was set at installation time to: '${apt_updates_policy}' executed in: '${TARGET}'."
do_in_target "${TARGET}" apt-get install -y unattended-upgrades
do_log "info" "true" "The update policy was set at installation time to '${apt_updates_policy}'."
elif [[ ${apt_updates_policy,,} == "security" ]]; then
elif [[ "${apt_updates_policy,,}" == "security" ]]; then
if do_in_target "${TARGET}" apt-get install -y unattended-upgrades; then
do_log "info" "true" "Command: 'apt-get install -y unattended-upgrades' executed in: '${TARGET}'."
else
do_log "emergency" "true" "Failed: Command: 'apt-get install -y unattended-upgrades' executed in: '${TARGET}'."
fi
do_in_target "${TARGET}" apt-get install -y unattended-upgrades
# shellcheck disable=SC2016
sed -i 's/^\s*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${TARGET}"/etc/apt/apt.conf.d/50unattended-upgrades
do_log "info" "false" "The update policy was set at installation time to '${apt_updates_policy}' executed in: '${TARGET}'."
sed -i 's/^[[:space:]]*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${TARGET}/etc/apt/apt.conf.d/50unattended-upgrades"
do_log "info" "true" "The update policy was set at installation time to '${apt_updates_policy}'."
elif [[ ${apt_updates_policy,,} == "none" ]]; then
elif [[ "${apt_updates_policy,,}" == "none" ]]; then
do_log "info" "false" "The update policy was set at installation to: '${apt_updates_policy}'."
do_log "info" "true" "The update policy was set at installation time to: '${apt_updates_policy}'."
else
do_log "warning" "false" "Update policy '${apt_updates_policy}': is not supported. Using 'none' as default."
do_log "warning" "true" "Update policy '${apt_updates_policy}': is not supported. Using 'none' as default."
fi
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh