@@ -23,137 +23,88 @@ installer:
# APT settings
################################################################################################################################
apt :
# You can choose to install contrib software:
contrib : true
contrib : true # Optionally install contrib software.
deb_sources : true # Optionally includes deb-src entries for source repositories.
default_list : true # By default, source repositories are listed in '/etc/apt/sources.list'. This MUST be "true".
full_upgrade : true # Whether to upgrade packages after debootstrap.
install_recommends : true # Configure APT to not install recommended packages by default.
non_free : true # Optionally install non-free software.
non_free_firmware : true # Optionally install non-free firmware.
sec : "security.debian.org" # Debian Security Updates Archive.
# Optionally includes deb-src entries for source repositories. If set to true, source repos are enabled.
deb-sources : true
# By default, source repositories are listed in /etc/apt/sources.list. This MUST be true:
default-list : true
# Whether to upgrade packages after debootstrap.
# Allowed values: "false" for none; "true" for full-upgrade (RECOMMENDED):
full-upgrade : true
# Configure APT to not install recommended packages by default. Use of this option can
# result in an incomplete system and should only be used by very experienced users:
install-recommends : true
# A network mirror MUST be used to supplement the software not included on the
# installation media. This may also make newer versions of software available.
# This MUST be true:
##############################################################################################################################
# A network mirror MUST be used to supplement the software not included on the installation media. This may also make newer
# versions of software available.
##############################################################################################################################
mirror :
activate : true
# Country code of mirror destination:
country : "US"
# Debian archive mirror directory. Please enter the directory in which the mirror of
# the Debian archive is located:
directory : "/debian/"
# Debian archive mirror hostname. Please enter the hostname of the mirror from which
# Debian will be downloaded. An alternate port can be specified using the standard
# [hostname]:[port] format:
hostname : "deb.debian.org"
# Debian archive mirror country. The goal is to find a mirror of the Debian archive that
# is close to you on the network -- be aware that nearby countries, or even your own, may
# not be the best choice.
https-country : "US"
# Please select the protocol to be used for downloading files, where "https" is RECOMMENDED.
protocol : "https"
# HTTP proxy information (blank for none). If you need to use an HTTP proxy to access the
# outside world, enter the proxy information here. Otherwise, leave this blank. The proxy
# information should be given in the standard form of "http://[[user][:pass]@]host[:port]/".
proxy : ""
# Suite to install MUST be one of "stable", "testing", "experimental":
suite : "stable"
# You can choose to install non-free:
non-free : true
# You can choose to install non-free firmware:
non-free-firmware : true
# Debian archive security string
security-string : "security.debian.org"
activate : true # MUST be "true".
country : "US" # Country code of mirror destination.
directory : "/debian/" # Debian archive mirror directory in which the mirror of the Debian archive is located.
hostname : "deb.debian.org" # Debian archive mirror hostname.
https-country : "US" # Debian archive mirror country.
protocol : "https" # Protocol to be used for downloading files, where "https" is RECOMMENDED.
proxy : "" # HTTP proxy information (blank for none) or "http://[[user][:pass]@]host[:port]/"
##############################################################################################################################
# Debian has the following services that provide updates.
#
# Security up dates help to keep your system secured against attacks.
# Enabling this service is strongly recommended.
# Backported software is a dap ted from the development version to work with this release. Although this software has not gone
# through such complete testings as that contained in the release, it includes newer versions of some applications that may
# provide useful features. Enabling backports here does not cause any of them to be installed by default; it only allows you
# to manually select backports to use.
#
# Release updates provide more current versions for software that changes relatively
# frequently and where not having the latest version could reduce the usability of the
# software. It also provides regression fixes. This service is only available for stable
# and oldstable releases.
# Release updates provide more current versions for software that changes relatively frequently and where not having the
# latest version could reduce the usability of the software. It also provides regression fixes. This service is only
# available for stable and oldstable releases.
#
# Backported software is adapted from the development version to work with this release .
# Although this software has not gone through such complete testings as that contained in
# the release, it includes newer versions of some applications that may provide useful
# features. Enabling backports here does not cause any of them to be installed by default;
# it only allows you to manually select backports to use .
# Security updates help to keep your system secured against attacks. Enabling this service is strongly recommended .
#
# Applying updates on a frequent basis is an important part of keeping the system secure. By default, security updates are not
# automatically installed, as security advisories should be reviewed before manual installation of the updates using standard
# package management tools .
#
# Alternatively, the unattended-upgrades package can be installed, which will install security updates automatically. Note,
# however, that automatic installation of updates may occasionally cause unexpected downtime of services provided by this
# machine in the rare cases where the update is not fully backward-compatible, or where the security advisory requires the
# administrator to perform some other manual operation. Possible choices: "none", "security", "unattended" (RECOMMENDED)
##############################################################################################################################
updates :
backports : true
release : true
security : true
# Applying updates on a frequent basis is an important part of keeping the system secure.
#
# By default, security updates are not automatically installed, as security advisories should be
# reviewed before manual installation of the updates using standard package management tools.
#
# Alternatively, the unattended-upgrades package can be installed, which will install security
# updates automatically.
# Note, however, that automatic installation of updates may occasionally cause unexpected downtime
# of services provided by this machine in the rare cases where the update is not fully backward-compatible,
# or where the security advisory requires the administrator to perform some other manual operation.
#
# Possible choices: none, security, unattended (RECOMMENDED)
policy : "unattended"
###########################################################################################
# Basic settings #
###########################################################################################
# Please specify the architecture of the server to be installed:
arch : "amd64" # MUST be "amd64" || "intel64". "arm64" is NOT supported
################################################################################################################################
# Basic settings
################################################################################################################################
architecture : "amd64" # MUST be one of "amd64" or "arm64".
distribution : "bookworm" # MUST be "bookworm".
debian_suite : "stable" # MUST be "stable". Not supported yet: "testing", "experimental".
exit :
halt : false # This is how to make the installer shutdown when finished, but not reboot.
poweroff : true # This will power off the machine instead of just halting it (RECOMMENDED).
reboot : false # This will reboot the machine.
image : "linux-image-amd64" # Could be a meta-package or a specific image like:
# "linux-image-amd64" || "linux-image-arm64"
# "linux-image-cloud-amd64" || "linux-image-cloud-arm64"
# "linux-image-rt-amd64" || "linux-image-rt-arm64"
# "linux-image-6.12.30+bpo-amd64"
firmware :
install : true # If non-free firmware is needed for the network or other hardware, autoinstall it.
lookup : "missing" # "never" Completely disables the firmware search.
# "missing" Searches only when the firmware is needed. (default)
# "always" Always searches and asks for any firmware that could be useful for the hardware.
# This is how to make the installer shutdown when finished, but not reboot:
exit-halt : false
# This will power off the machine instead of just halting it (RECOMMENDED):
exit-poweroff : true
# This will reboot the machine:
exit-reboot : false
# If non-free firmware is needed for the network or other hardware, you can configure the #
# installer to always try to load it without prompting.
firmware-install : true
# Firmware settings
# "never": Completely disables the firmware search.
# "missing": Searches only when the firmware is needed. (default)
# "always": Always searches and asks for any firmware that could be useful for the hardware.
firmware-lookup : "missing"
# The kernel image to be installed; "none" can be used if no kernel is to be installed:
kernel : "linux-image-6.12.30+bpo-amd64"
###########################################################################################
# GRUB2 settings #
###########################################################################################
################################################################################################################################
# GRUB2 settings
################################################################################################################################
grub :
background :
# If you want to change the GRUB background, please change to "true":
enable : true
# Specify the path from which the image should be loaded.
# RECOMMENDED settings: JPG 1280 x 1024 px or JPG 1920 x 1080 px
background: # RECOMMENDED settings : JPG 1280 x 1024 px or JPG 1920 x 1080 px
enable : true # If you want to add a GRUB background.
path : "/root/CISS.2025.debian.installer/.assets/background/background_hexagon_1280.jpg"
# Due notably to potential USB sticks, the location of the primary drive cannot be
# determined safely in general, so this needs to be specified:
bootdev : "/dev/sda"
# Force GRUB installation to the EFI removable media path?
bootdev : "/dev/sda" # Due notably to potential USB sticks, the location of the primary drive cannot be determined
# safely in general, so this needs to be specified.
force_efi : false # Force GRUB installation to the EFI removable media path?
# It seems that this computer is configured to boot via EFI, but maybe that configuration will
# not work for booting from the hard drive. Some EFI firmware implementations do not meet the
# EFI specification (i.e., they are buggy) and do not support proper configuration of boot
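Review bot: The new inline comment on `install_recommends : true` says the opposite of what the value does — "Configure APT to not install recommended packages by default" describes `false`, while `true` keeps Recommends enabled, and the old warning about an incomplete system is the part that got dropped. Suggested: `install_recommends : true # Install recommended packages (APT default). "false" can leave an incomplete system; experienced users only.`. The `proxy` comment also invites the `http://[[user][:pass]@]host[:port]/` form, which stores proxy credentials in clear text in this file and, via preseeding, in the installed system's APT configuration; a caveat such as `# credentials given here end up in clear text on the installed system` is worth adding next to it.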
@@ -165,38 +116,25 @@ grub:
#
# Warning: If the installer failed to detect another operating system that is present on your
# computer that also depends on this fallback, installing GRUB there will make that operating
# system temporarily unbootable. GRUB can be manually configured later to boot it if necessary:
force-efi-extra-removable : false
# Set this to 'true' to install the latest GRUB2 backported package for encrypted '/boot' support.
# MUST be 'true' in the case of 'LUKS2' and / or 'dm-integrity' encrypted '/boot/':
latest : true
# This is fairly safe to set; it makes grub install automatically to the UEFI partition '/boot'
# record if no other operating system is detected on the machine:
only-debian : true
# This one makes grub-installer install to the UEFI partition/boot record, if it also finds
# some other OS, which is less safe as it might not be able to boot that other OS:
other-os : true
# OS-prober did not detect any other operating systems on your computer at this time, but you
# may still wish to enable it in case you install more in the future:
prober : false
# Skip installing grub:
skip : false
# Update NVRAM variables to automatically boot into Debian?
# system temporarily unbootable. GRUB can be manually configured later to boot it if necessary.
latest : true # Install the latest GRUB2 backported package for encrypted '/boot' support.
# MUST be "true" in the case of 'LUKS2' and / or 'dm-integrity' encrypted '/boot'
only_debian : true # This is fairly safe to set; it makes grub install automatically to the UEFI partition '/boot'
# record if no other operating system is detected on the machine.
other-os : true # This one makes grub-installer install to the UEFI partition '/boot' record, if it also finds
# some other OS, which is less safe as it might not be able to boot that other OS.
prober : false # OS-prober did not detect any other operating systems on your computer at this time, but you
# may still wish to enable it in case you install more in the future.
skip : false # Skip installing grub.
update_nvram : true # Update NVRAM variables to automatically boot into Debian?
# GRUB can configure your platform's NVRAM variables so that it boots into Debian automatically
# when powered on. However, you may prefer to disable this behavior and avoid changes to your
# boot configuration. For example, if your NVRAM variables have been set up such that your
# system contacts a PXE server on every boot, this would preserve that behavior:
update-nvram : true
###########################################################################################
# Locale settings set language, country, locale, keyboard map and timezone #
###########################################################################################
################################################################################################################################
# Locale settings set language, country, locale, keyboard map and timezone
################################################################################################################################
locale :
country : "US"
keyboard :
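Review bot: `other-os : true` keeps the old kebab-case key while every sibling in this hunk was renamed to snake_case (`only_debian`, `update_nvram`, and `force_efi` just above it); a consumer that now looks up `other_os` will silently fall back to its default instead of `true`, which for a GRUB install target is not a harmless miss. Change it to `other_os : true` (the same leftover applies to `https-country` under `mirror` earlier in the file). The `grub:` mapping begins before this hunk.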
@@ -206,84 +144,63 @@ locale:
locale : "en_US.UTF-8"
timezone : "Europe/Lisbon"
###########################################################################################
# Network settings #
###########################################################################################
################################################################################################################################
# Network settings
################################################################################################################################
network :
autoconfig :
# Automatic network configuration is the default. If you prefer to configure the network
enable : true # Automatic network configuration is the default. If you prefer to configure the network
# manually, change 'network.autoconfig.enable' from "true" to "false" and configure
# - 'network.choose_interface.static'
# - 'network.hostname'
# - 'network.ipv6'
# - 'network.static' section
enable : true
choose_interface :
# Choose an interface that has a link if possible. Or skip this via "false" and manually configure the static NIC below.
auto : true
# If auto-detect fails, specify a particular interface instead:
static : "eth1"
# Please specify the FQDN of the server:
hostname : "nsa.usic.gov"
# Please specify if you want to use IPv6:
ipv6 : "true"
# Timeout settings
auto : true # Choose an interface that has a link if possible. Or manually configure the static NIC below.
static : "eth1" # If auto-detect fails or for manual configuration, specify a particular interface.
hostname : "nsa.usic.gov" # Specify the FQDN of the server.
ipv6 : true # Specify if you want to use IPv6 :
timeout :
# If the dhcp server is slow, and the installer times out waiting for it, this might be useful.
dhcp : 60
# To set a different link detection timeout (default is 3 seconds):
linkwait : 60
dhcp : 60 # If the dhcp server is slow, and the installer times out waiting for it, this might be useful.
linkwait : 60 # To set a different link detection timeout (default is 3 seconds).
static :
# If you want the preconfiguration file to work on systems both with and without a dhcp
enable : true # If you want the preconfiguration file to work on systems both with and without a dhcp
# server, change 'network.static.enable' from "false" to "true" and configure the static
# configuration below.
enable : true
# Static IPv4 network configuration.
ipv4address : "192.168.128.128"
ipv4netmask : "255.255.255.0"
ipv4gateway : "192.168.128.254"
# Static IPv4 nameservers.
ipv4nameserver :
# dns01.eddns.eu
- "135.181.207.105"
# dns02.eddns.de
- "89.58.62.53"
# Static IPv4 fallback nameservers.
- "135.181.207.105" # dns01.eddns.eu
- "89.58.62.53" # dns02.eddns.de
ipv4nameserver_fallback :
# dnsforge.de
- "176.9.93.198"
- "176.9.1.117 "
# Static IPv6 network configuration.
ipv6address : "192.168.128.128"
- "176.9.93.198" # dnsforge.de
- "176.9.1.117" # dnsforge.de
ipv6address : "2a0a:aaaa:bbbb:cccc:192:168:128:128 "
ipv6netmask : "128"
ipv6gateway : "192.168.128.254 "
# Static IPv6 nameservers.
ipv6gateway : "fe80::1 "
ipv6nameserver :
# dns01.eddns.eu
- "2a01:4f9:c012:a813:135:181:207:105"
# dns02.eddns.de
- "2a0a:4cc0:1:e6:89:58:62:53"
ipv6nameserver_fallback :
# dnsforge.de
- "2a01:4f8:151:34aa::198"
- "2a01:4f8:141:316d::117"
###########################################################################################
# Security settings #
###########################################################################################
################################################################################################################################
# Security settings
################################################################################################################################
security :
# The installer will ensure that any packages are signed and authenticated.
allow_unauthenticated : false
# This ensures that the connection between the installer, and the server from which files
unauthenticated : false # The installer will ensure that any packages are signed and authenticated.
unauthenticated_ssl : false # This ensures that the connection between the installer, and the server from which files
# are downloaded, is encrypted and signed by a trusted certificate authority.
allow_unauthenticated_ssl : false
###########################################################################################
# Software installation #
###########################################################################################
################################################################################################################################
# Software installation
################################################################################################################################
software :
## software core
##############################################################################################################################
# core software
##############################################################################################################################
- apt-show-versions
- apt-transport-https
- apt-utils
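Review bot: `ipv6address : "2a0a:aaaa:bbbb:cccc:192:168:128:128 "` and `ipv6gateway : "fe80::1 "` carry a trailing space inside the quotes, which is part of the value and will be handed to netcfg as an invalid address — the same class of bug this hunk fixes for `"176.9.1.117 "` — assuming the space is in the file and not an artifact of this rendering. Drop it: `ipv6address : "2a0a:aaaa:bbbb:cccc:192:168:128:128"` and `ipv6gateway : "fe80::1"`. Since `aaaa:bbbb:cccc` is plainly a placeholder prefix, a `# placeholder prefix, replace before use` comment would stop it being deployed verbatim. The renamed `security.unauthenticated` / `unauthenticated_ssl` keys now read as allow-flags; keeping them `false` is right, but the comment on `unauthenticated` should spell out the polarity, e.g. `# false = reject packages that are not signed by a trusted key`.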
@@ -332,28 +249,38 @@ software:
#- lld
#- makedev
#- ssl-cert
## software documentation
##############################################################################################################################
# documentation
##############################################################################################################################
- debian-kernel-handbook
- linux-doc-6.12
- man-db
## software encryption
##############################################################################################################################
# encryption
##############################################################################################################################
- dirmngr
- gnupg
- haveged
- pollinate
## software files
##############################################################################################################################
# files
##############################################################################################################################
- curl
- rsnapshot
- rsync
- unzip
- wget
- zip
## software malware
##############################################################################################################################
# malware detection
##############################################################################################################################
- chkrootkit
- clamav
- clamav-daemon
- rkhunter
## software network
##############################################################################################################################
# network
##############################################################################################################################
- dhcpdump
- dhcping
- iftop
@@ -364,10 +291,15 @@ software:
- net-tools
- nmap
- tshark
## software parser
- ufw
##############################################################################################################################
# parser
##############################################################################################################################
#- jq
#- yq
## software partitioning
##############################################################################################################################
# partitioning
##############################################################################################################################
- btrfs-progs
- cryptsetup
- cryptsetup-nuke-password
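Review bot: `- ufw` is added here under the network section although the same package is already listed under the security section next to `fail2ban` later in the file, so it now appears twice; apt tolerates the duplicate, but it obscures which section owns the firewall. Remove the `- ufw` line added here and keep the one in the security section. The `software:` sequence begins before this hunk.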
@@ -378,7 +310,9 @@ software:
- lvm2
- mdadm
- parted
## software password
##############################################################################################################################
# password
##############################################################################################################################
- keychain
- makepasswd
- pwgen
@@ -386,10 +320,13 @@ software:
- wbritish
- wfrench
- wngerman
## software security
##############################################################################################################################
# security
##############################################################################################################################
- fail2ban
- ufw
## software tools
##############################################################################################################################
# tools
##############################################################################################################################
- expect
- figlet
- htop
@@ -398,9 +335,9 @@ software:
- python3
- virt-what
###########################################################################################
# Time settings #
###########################################################################################
################################################################################################################################
# Time settings
################################################################################################################################
# Germany : https://www.ptb.de/cms/ptb/fachabteilungen/abtq/gruppe-q4/ref-q42/zeitsynchronisation-von-rechnern-mit-hilfe-des-network-time-protocol-ntp.html
# Germany : ptbtime1.ptb.de ptbtime2.ptb.de ptbtime3.ptb.de
# Germany : https://www.rrze.fau.de/serverdienste/infrastruktur/zeitserver/
@@ -418,58 +355,116 @@ ntp:
- "ntp.ripe.net"
- "ptbtime3.ptb.de"
- "ptbtime2.ptb.de"
- "ntp12.metas.ch "
- "ptbtime1.ptb.de "
- "ntp13.metas.ch"
- "ntp2.tecnico.ulisboa.pt"
- "time-c-b.nist.gov"
- "nts.netnod .se"
- "sth1.ntp .se"
- "ntp0.fau.de"
# Any valid setting for $TZ; see the contents of '/usr/share/zoneinfo' for valid values:
timezone : "Europe/Lisbon"
# Controls whether the hardware clock is set to UTC:
utc : true
timezone : "Europe/Lisbon" # Any valid setting for $TZ; see the contents of '/usr/share/zoneinfo' for valid values.
utc : true # Controls whether the hardware clock is set to UTC.
###########################################################################################
# User settings #
###########################################################################################
accounts :
# For whitelisting and additional hardening of SSH connections, the following IPs MUST be provided .
bastion-vpn-ipv4 : 202.61 .246 .50
bastion-vpn-ipv6 : 2a03:4000:53:f:abcd:9494:0:2
# If a secure channel for LUKS passphrase input is needed, this MUST be set to "true".
dropbear-ssh : true
# For dropbear SSH authentication, an ed25519 PubKey MUST be provided.
dropbear-pubkey : "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG1RNGtD+Uwb45aQcWP//kQgy0K8EfglVsWwD6qyg6Ox 2025_dropbear_master"
# If decryption via dropbear SSH in the initramfs environment is desired, set to "true" o therwise to "fal se" .
# MUST be "true" if Nuke Mechanism is chosen for at least one Device in partitioning.yaml.
dropbear-unlock : true
################################################################################################################################
# User settings
################################################################################################################################
user :
allow_policies : true # For additional hardening of SSH connections '/etc/hosts.allow' .
# If "allow_policies" = "true", at least one IP MUST be provided:
allow_ipv4 :
- 202.61 .246 .50
allow_ipv6 :
- 2a03:4000:53:f:abcd:9494:0:2
dropbear_boot : true # Dropbear initramfs integration.
ssh_port : 42137 # SSH Port. In case "dropbear_boot" = "true" the same SSH Port will be u sed .
ssh_rootca : "./.preseed/ssh_root_ca.pub"
##############################################################################################################################
# root – Superuser account (normally disabled for direct login)
##############################################################################################################################
root :
# Skip creation of a root account (a normal user account will be able to use sudo):
# For best practice it is RECOMMENDED to configure root, and after setup, you should run
# the hardening script .
login : true
# Create a password hash for the root account:
# sha-512 is NOT RECOMMENDED
# SALT=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16)
# mkpasswd --method=sha-512 --salt="${SALT}" --rounds=8388608
# Use yescrypt instead that is RECOMMENDED:
# mkpasswd --method=yescrypt
password-enabled : true
password-crypted : "$y$j9T$cyO.ibYUpLZ0GPYUkRF.q0$NhSWX5V8.uKxVKWkCH2cdl62dilvi8mWWnEWksE8Tz0"
# MUST be either "sshpubkey" or "sshcert"
ssh-method : sshcert
ssh-pubkey : "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID2mSRx+Ny8cudr9vOlyfqMYPbZC3jkFaNARTOMh33De 2025_ed25519_coresecret.dev_root"
ssh-rootca : "./.preseed/ssh_root_ca.pub"
ssh-keyrounds : 1024
ssh-port : 42137
user :
login : false
# In honor of the defender of the freedom of expression:
fullname : "Donald John Trump"
name : "potus"
password-enabled : true
password-crypted : "$y$j9T$cyO.ibYUpLZ0GPYUkRF.q0$NhSWX5V8.uKxVKWkCH2cdl62dilvi8mWWnEWksE8Tz0"
ssh-method : sshcert
ssh-pubkey : "ssh-ed25519 255 SHA256:glLSH13uNy04qbpDskVTB+3CwtLeuXwxzvqP9w5ZKjM 2025_ed25519_coresecret.dev_potus"
ssh-rootca : "./.preseed/ssh_root_ca.pub"
ensure : present # Must always be 'present'.
protected : true # Prevent unintentional edits or deletions.
shell : /bin/zsh # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users .
password : ""
ssh_pubkeys : # List of public SSH keys for au thentication.
- ""
authentication :
access :
ssh : false # Allow SSH access.
tty : true # Allow TTY (local console) login.
password_auth :
ssh : false # Allow SSH password login.
tty : true # Allow TTY (local console) password login.
2fa :
ssh : false # Require 2FA for SSH access.
tty : true # Require 2FA for TTY (local console) login.
privileges :
description : "Root user with full system access and administrative privileges."
sudo : false # Whether the user can escalate to root using sudo.
system_user : false # Whether this is a low-UID system user (e.g., for automation).
restricted : false # If true, user is limited in scope (e.g., no login, no file access).
shell_access : true # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
##############################################################################################################################
# Primary administrative user with full sudo access
##############################################################################################################################
user0 :
ensure : present # "present" = create user; "absent" = remove user
protected : true # Prevent unintentional edits or deletions.
name : "msw" # The name of the user account.
fullname : "msw" # The full name of the user account holder.
uid : 1000 # Ensures that the same user has the same UID on all systems.
gid : 1000 # Ensures that the same user has the same GID on all systems.
shell : /bin/zsh # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
password : ""
ssh_pubkeys : # List of public SSH keys for authentication.
- ""
authentication :
access :
ssh : true # Allow SSH access.
tty : true # Allow TTY (local console) login.
password_auth :
ssh : false # Allow SSH password login.
tty : true # Allow TTY (local console) password login.
2fa :
ssh : true # Require 2FA for SSH access.
tty : true # Require 2FA for TTY (local console) login.
privileges :
description : "Primary admin user with full sudo access and interactive login."
sudo : true # Whether the user can escalate to root using sudo.
system_user : false # Whether this is a low-UID system user (e.g., for automation).
restricted : false # If true, user is limited in scope (e.g., no login, no file access).
shell_access : true # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
################################################################################
# ansible – System user for automation, no interactive shell
################################################################################
user1 :
ensure : present # "present" = create user; "absent" = remove user
protected : true # Prevent unintentional edits or deletions.
name : "ansible" # The name of the user account.
fullname : "ansible" # The full name of the user account holder.
uid : 137 # Ensures that the same user has the same UID on all systems.
gid : 137 # Ensures that the same user has the same GID on all systems.
shell : /usr/sbin/nologin # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
password : "" # No password set for ansible user
ssh_pubkeys : # List of public SSH keys for authentication.
- ""
authentication :
access :
ssh : true # Allow SSH access.
tty : false # Allow TTY (local console) login.
password_auth :
ssh : false # Allow SSH password login.
tty : false # Allow TTY (local console) password login.
2fa :
ssh : false # Require 2FA for SSH access.
tty : false # Require 2FA for TTY (local console) login.
privileges :
description : "Automation user without interactive shell and no sudo."
sudo : false # Whether the user can escalate to root using sudo.
system_user : true # Whether this is a low-UID system user (e.g., for automation).
restricted : true # If true, user is limited in scope (e.g., no login, no file access).
shell_access : false # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
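Review bot: The rename drops the `dropbear-pubkey` authorized key, yet `dropbear_boot : true` still enables the initramfs SSH unlock and nothing in the new `user` block says which key is authorized there — `ssh_rootca` is a CA public key, which dropbear as far as I know does not accept (no OpenSSH certificate support), and every account only carries `ssh_pubkeys : - ""`. Either restore a `dropbear_pubkey` field or document which `ssh_pubkeys` are written to the initramfs `authorized_keys`, and replace the `- ""` placeholders with `ssh_pubkeys : []` so no empty entry is emitted. The root entry combines `password : ""` with `password_auth.tty : true`; the comment should state whether an empty value locks the password rather than sets an empty one, e.g. `password : "" # empty = password locked (passwd -l); never an empty password`. The `/etc/hosts.allow` hardening behind `allow_policies` only takes effect if sshd is linked against libwrap, which recent Debian builds may not be; verify with `ldd "$(command -v sshd)" | grep libwrap` or enforce the allow-list with a firewall rule or an sshd `Match Address` block instead. The `ansible` account has `shell : /usr/sbin/nologin` together with `access.ssh : true`; sshd runs remote commands through the login shell, so if this user is meant to run Ansible over SSH it needs a real shell (with `sudo : false` and a forced command or key options providing the restriction).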