msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 34s
Details
🔁 Render Graphviz Diagrams. / 🔁 Render Graphviz Diagrams. (push) Successful in 24s
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m35s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-06-25 10:10:41 +02:00
parent 9c19212c00
commit e8d85a39ae
134 changed files with 13933 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

473
.preseed/preseed.yaml Normal file
View File

@@ -0,0 +1,473 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
%YAML 1.2
---
### This file contains configurations for the CISS.debian.installer
### Master V8.00.000.2025.06.17
### YAML specification: 1.2
### You MUST NOT change anything between START and
installer:
name: "CISS.debian.installer"
version: "V8.00.000.2025.06.17"
### END
###########################################################################################
# APT settings #
###########################################################################################
apt:
# You can choose to install contrib software:
contrib: true
# By default, source repositories are listed in /etc/apt/sources.list. This MUST be true:
default-list: true
# Whether to upgrade packages after debootstrap.
# Allowed values: "false" for none; "true" for full-upgrade (RECOMMENDED):
full-upgrade: true
# Configure APT to not install recommended packages by default. Use of this option can
# result in an incomplete system and should only be used by very experienced users:
install-recommends: true
# A network mirror MUST be used to supplement the software not included on the
# installation media. This may also make newer versions of software available.
# This MUST be true:
mirror:
activate: true
# Country code of mirror destination:
country: "US"
# Debian archive mirror directory. Please enter the directory in which the mirror of
# the Debian archive is located:
directory: "/debian/"
# Debian archive mirror hostname. Please enter the hostname of the mirror from which
# Debian will be downloaded. An alternate port can be specified using the standard
# [hostname]:[port] format:
hostname: "deb.debian.org"
# Debian archive mirror country. The goal is to find a mirror of the Debian archive that
# is close to you on the network -- be aware that nearby countries, or even your own, may
# not be the best choice.
https-country: "US"
# Please select the protocol to be used for downloading files, where "https" is RECOMMENDED.
protocol: "https"
# HTTP proxy information (blank for none). If you need to use an HTTP proxy to access the
# outside world, enter the proxy information here. Otherwise, leave this blank. The proxy
# information should be given in the standard form of "http://[[user][:pass]@]host[:port]/".
proxy: ""
# Suite to install MUST be one of "stable", "testing", "experimental":
suite: "stable"
# You can choose to install non-free:
non-free: true
# You can choose to install non-free firmware:
non-free-firmware: true
# Debian archive security string
security-string: "security.debian.org"
# Debian has the following services that provide updates.
#
# Security updates help to keep your system secured against attacks.
# Enabling this service is strongly recommended.
#
# Release updates provide more current versions for software that changes relatively
# frequently and where not having the latest version could reduce the usability of the
# software. It also provides regression fixes. This service is only available for stable
# and oldstable releases.
#
# Backported software is adapted from the development version to work with this release.
# Although this software has not gone through such complete testings as that contained in
# the release, it includes newer versions of some applications that may provide useful
# features. Enabling backports here does not cause any of them to be installed by default;
# it only allows you to manually select backports to use.
updates:
backports: true
release: true
security: true
# Applying updates on a frequent basis is an important part of keeping the system secure.
#
# By default, security updates are not automatically installed, as security advisories should be
# reviewed before manual installation of the updates using standard package management tools.
#
# Alternatively, the unattended-upgrades package can be installed, which will install security
# updates automatically.
# Note, however, that automatic installation of updates may occasionally cause unexpected downtime
# of services provided by this machine in the rare cases where the update is not fully backward-compatible,
# or where the security advisory requires the administrator to perform some other manual operation.
#
# Possible choices: none, security, unattended (RECOMMENDED)
policy: "unattended"
###########################################################################################
# Basic settings #
###########################################################################################
# Please specify the architecture of the server to be installed:
arch: "amd64" # MUST be "amd64" || "intel64". "arm64" is NOT supported
# This is how to make the installer shutdown when finished, but not reboot:
exit-halt: false
# This will power off the machine instead of just halting it (RECOMMENDED):
exit-poweroff: true
# This will reboot the machine:
exit-reboot: false
# If non-free firmware is needed for the network or other hardware, you can configure the #
# installer to always try to load it without prompting.
firmware-install: true
# Firmware settings
# "never": Completely disables the firmware search.
# "missing": Searches only when the firmware is needed. (default)
# "always": Always searches and asks for any firmware that could be useful for the hardware.
firmware-lookup: "missing"
# The kernel image to be installed; "none" can be used if no kernel is to be installed:
kernel: "linux-image-6.12.12+bpo-amd64"
###########################################################################################
# GRUB2 settings #
###########################################################################################
grub:
background:
# If you want to change the GRUB background, please change to "true":
enable: true
# Specify the path from which the image should be loaded.
# RECOMMENDED settings: JPG 1280 x 1024 px or JPG 1920 x 1080 px
path: "/root/CISS.2025.debian.installer/.assets/background/background_hexagon_1280.jpg"
# Due notably to potential USB sticks, the location of the primary drive cannot be
# determined safely in general, so this needs to be specified:
bootdev: "/dev/sda"
# Force GRUB installation to the EFI removable media path?
# It seems that this computer is configured to boot via EFI, but maybe that configuration will
# not work for booting from the hard drive. Some EFI firmware implementations do not meet the
# EFI specification (i.e., they are buggy) and do not support proper configuration of boot
# options from system hard drives.
#
# A workaround for this problem is to install an extra copy of the EFI version of the GRUB
# bootloader to a fallback location, the "removable media path". Almost all EFI systems, no
# matter how buggy, will boot GRUB that way.
#
# Warning: If the installer failed to detect another operating system that is present on your
# computer that also depends on this fallback, installing GRUB there will make that operating
# system temporarily unbootable. GRUB can be manually configured later to boot it if necessary:
force-efi-extra-removable: false
# Set this to 'true' to install the latest GRUB2 backported package for encrypted '/boot' support.
# MUST be 'true' in the case of 'LUKS2' and / or 'dm-integrity' encrypted '/boot/':
latest: true
# This is fairly safe to set; it makes grub install automatically to the UEFI partition '/boot'
# record if no other operating system is detected on the machine:
only-debian: true
# This one makes grub-installer install to the UEFI partition/boot record, if it also finds
# some other OS, which is less safe as it might not be able to boot that other OS:
other-os: true
# OS-prober did not detect any other operating systems on your computer at this time, but you
# may still wish to enable it in case you install more in the future:
prober: false
# Skip installing grub:
skip: false
# Update NVRAM variables to automatically boot into Debian?
# GRUB can configure your platform's NVRAM variables so that it boots into Debian automatically
# when powered on. However, you may prefer to disable this behavior and avoid changes to your
# boot configuration. For example, if your NVRAM variables have been set up such that your
# system contacts a PXE server on every boot, this would preserve that behavior:
update-nvram: true
###########################################################################################
# Locale settings set language, country, locale, keyboard map and timezone #
###########################################################################################
locale:
country: "US"
keyboard:
layout: "de"
xkb-keymap: "de"
language: "en"
locale: "en_US.UTF-8"
timezone: "Europe/Lisbon"
###########################################################################################
# Network settings #
###########################################################################################
network:
autoconfig:
# Automatic network configuration is the default. If you prefer to configure the network
# manually, change 'network.autoconfig.enable' from "true" to "false" and configure
# - 'network.choose_interface.static'
# - 'network.hostname'
# - 'network.ipv6'
# - 'network.static' section
enable: true
choose_interface:
# Choose an interface that has a link if possible. Or skip this via "false" and manually configure the static NIC below.
auto: true
# If auto-detect fails, specify a particular interface instead:
static: "eth1"
# Please specify the FQDN of the server:
hostname: "nsa.usic.gov"
# Please specify if you want to use IPv6:
ipv6: "true"
# Timeout settings
timeout:
# If the dhcp server is slow, and the installer times out waiting for it, this might be useful.
dhcp: 60
# To set a different link detection timeout (default is 3 seconds):
linkwait: 60
static:
# If you want the preconfiguration file to work on systems both with and without a dhcp
# server, change 'network.static.enable' from "false" to "true" and configure the static
# configuration below.
enable: true
# Static IPv4 network configuration.
ipv4address: "192.168.128.128"
ipv4netmask: "255.255.255.0"
ipv4gateway: "192.168.128.254"
# Static IPv4 nameservers.
ipv4nameserver:
# dns01.eddns.eu
- "135.181.207.105"
# dns02.eddns.de
- "89.58.62.53"
# Static IPv4 fallback nameservers.
ipv4nameserver_fallback:
# dnsforge.de
- "176.9.93.198"
- "176.9.1.117"
# Static IPv6 network configuration.
ipv6address: "192.168.128.128"
ipv6netmask: "128"
ipv6gateway: "192.168.128.254"
# Static IPv6 nameservers.
ipv6nameserver:
# dns01.eddns.eu
- "2a01:4f9:c012:a813:135:181:207:105"
# dns02.eddns.de
- "2a0a:4cc0:1:e6:89:58:62:53"
ipv6nameserver_fallback:
# dnsforge.de
- "2a01:4f8:151:34aa::198"
- "2a01:4f8:141:316d::117"
###########################################################################################
# Security settings #
###########################################################################################
security:
# The installer will ensure that any packages are signed and authenticated.
allow_unauthenticated: false
# This ensures that the connection between the installer, and the server from which files
# are downloaded, is encrypted and signed by a trusted certificate authority.
allow_unauthenticated_ssl: false
###########################################################################################
# Software installation #
###########################################################################################
software:
## software core
- apt-show-versions
- apt-transport-https
- apt-utils
- bash
- bash-completion
- bat
- bind9-dnsutils
- bc
- ca-certificates
- coreutils
- debconf
- debconf-utils
- dialog
- efibootmgr
- fzf
- gawk
- git
- grub2
- grub2-common
- knot-dnssecutils
- knot-dnsutils
- libpam-google-authenticator
- libpam-pwquality
- locate
- logrotate
- lsb-release
- nano
- openssl
- rsyslog
- screen
- shellcheck
- software-properties-common
- spectre-meltdown-checker
- ssh
- sudo
- sysstat
- tree
#- unattended-upgrades
- whois
- zsh
## software dev
#- build-essential
#- clang
#- debootstrap
#- linux-source
#- lld
#- makedev
#- ssl-cert
## software documentation
- debian-kernel-handbook
- linux-doc-6.12
- man-db
## software encryption
- dirmngr
- gnupg
- haveged
- pollinate
## software files
- curl
- rsnapshot
- rsync
- unzip
- wget
- zip
## software malware
- chkrootkit
- clamav
- clamav-daemon
- rkhunter
## software network
- dhcpdump
- dhcping
- iftop
- iproute2
- iputils-ping
- mtr
- ncat
- net-tools
- nmap
- tshark
## software parser
#- jq
#- yq
## software partitioning
- btrfs-progs
- cryptsetup
- cryptsetup-nuke-password
- dmsetup
- dosfstools
- fdisk
- gdisk
- lvm2
- mdadm
- parted
## software password
- keychain
- makepasswd
- pwgen
- wamerican
- wbritish
- wfrench
- wngerman
## software security
- fail2ban
- ufw
## software tools
- expect
- figlet
- htop
- neofetch
- neovim
- python3
- virt-what
###########################################################################################
# Time settings #
###########################################################################################
# Germany : https://www.ptb.de/cms/ptb/fachabteilungen/abtq/gruppe-q4/ref-q42/zeitsynchronisation-von-rechnern-mit-hilfe-des-network-time-protocol-ntp.html
# Germany : ptbtime1.ptb.de ptbtime2.ptb.de ptbtime3.ptb.de
# Germany : https://www.rrze.fau.de/serverdienste/infrastruktur/zeitserver/
# Germany : ntp0.fau.de ntp3.fau.de
# Portugal : https://si.tecnico.ulisboa.pt/en/servicos/servidores-e-dados/ntp/
# Portugal : ntp1.tecnico.ulisboa.pt ntp2.tecnico.ulisboa.pt
# Sweden : https://www.netnod.se/swedish-distributed-time-service
# Sweden : nts.netnod.se
# Switzerland : https://www.metas.ch/metas/de/home/fabe/zeit-und-frequenz/time-dissemination.html
# Switzerland : ntp11.metas.ch ntp12.metas.ch ntp13.metas.ch
# USA : https://tf.nist.gov/tf-cgi/servers.cgi
# USA : time-a-g.nist.gov time-c-b.nist.gov utcnist3.colorado.edu
ntp:
server:
- "ntp.ripe.net"
- "ptbtime3.ptb.de"
- "ptbtime2.ptb.de"
- "ntp12.metas.ch"
- "ntp2.tecnico.ulisboa.pt"
- "time-c-b.nist.gov"
- "nts.netnod.se"
- "ntp0.fau.de"
# Any valid setting for $TZ; see the contents of '/usr/share/zoneinfo' for valid values:
timezone: "Europe/Lisbon"
# Controls whether the hardware clock is set to UTC:
utc: true
###########################################################################################
# User settings #
###########################################################################################
accounts:
# For whitelisting and additional hardening of SSH connections, the following IPs MUST be provided.
bastion-vpn-ipv4: 202.61.246.50
bastion-vpn-ipv6: 2a03:4000:53:f:abcd:9494:0:2
# If a secure channel for LUKS passphrase input is needed, this MUST be set to "true".
dropbear-ssh: true
# For dropbear SSH authentication, an ed25519 PubKey MUST be provided.
dropbear-pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG1RNGtD+Uwb45aQcWP//kQgy0K8EfglVsWwD6qyg6Ox 2025_dropbear_master"
# If decryption via dropbear SSH in the initramfs environment is desired, set to "true" otherwise to "false".
# MUST be "true" if Nuke Mechanism is chosen for at least one Device in partitioning.yaml.
dropbear-unlock: true
root:
# Skip creation of a root account (a normal user account will be able to use sudo):
# For best practice it is RECOMMENDED to configure root, and after setup, you should run
# the hardening script.
login: true
# Create a password hash for the root account:
# sha-512 is NOT RECOMMENDED
# SALT=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16)
# mkpasswd --method=sha-512 --salt="${SALT}" --rounds=8388608
# Use yescrypt instead that is RECOMMENDED:
# mkpasswd --method=yescrypt
password-enabled: true
password-crypted: "$y$j9T$cyO.ibYUpLZ0GPYUkRF.q0$NhSWX5V8.uKxVKWkCH2cdl62dilvi8mWWnEWksE8Tz0"
# MUST be either "sshpubkey" or "sshcert"
ssh-method: sshcert
ssh-pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID2mSRx+Ny8cudr9vOlyfqMYPbZC3jkFaNARTOMh33De 2025_ed25519_coresecret.dev_root"
ssh-rootca: "./.preseed/ssh_root_ca.pub"
ssh-keyrounds: 1024
ssh-port: 42137
user:
login: false
# In honor of the defender of the freedom of expression:
fullname: "Donald John Trump"
name: "potus"
password-enabled: true
password-crypted: "$y$j9T$cyO.ibYUpLZ0GPYUkRF.q0$NhSWX5V8.uKxVKWkCH2cdl62dilvi8mWWnEWksE8Tz0"
ssh-method: sshcert
ssh-pubkey: "ssh-ed25519 255 SHA256:glLSH13uNy04qbpDskVTB+3CwtLeuXwxzvqP9w5ZKjM 2025_ed25519_coresecret.dev_potus"
ssh-rootca: "./.preseed/ssh_root_ca.pub"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml