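# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
%YAML 1.2
---
### This file contains configurations for the CISS.debian.installer
### Master V8.00.000.2025.06.17
### YAML specification: 1.2
#
# NOTE(review): this copy was re-indented from a collapsed listing. Sub-section nesting (e.g. 'apt.mirror',
# 'apt.updates', 'user.root') was reconstructed from the 126-column sub-section rulers under the 128-column
# section rulers — confirm against the installer's schema before relying on the dotted paths.

installer:
  name: "CISS.debian.installer"
  version: "V8.00.000.2025.06.17"
  log: "info"

################################################################################################################################
# APT settings
################################################################################################################################
apt:
  contrib: true               # Optionally install contrib software.
  deb_sources: true           # Optionally include deb-src entries for source repositories.
  default_list: true          # By default, source repositories are listed in '/etc/apt/sources.list'. This MUST be "true".
  full_upgrade: true          # Whether to upgrade packages after debootstrap.
  install_recommends: true    # Whether APT installs recommended packages by default ("false" suppresses them).
  non_free: true              # Optionally install non-free software.
  non_free_firmware: true     # Optionally install non-free firmware. MUST be "true" for microcode updates.
  sec: "security.debian.org"  # Debian Security Updates Archive.

  ##############################################################################################################################
  # A network mirror MUST be used to supplement the software not included on the installation media. This may also make newer
  # versions of software available.
  ##############################################################################################################################
  mirror:
    activate: true            # MUST be "true".
    country: "US"             # Country code of mirror destination.
    directory: "/debian/"     # Debian archive mirror directory in which the mirror of the Debian archive is located.
    hostname: "deb.debian.org"  # Debian archive mirror hostname.
    https-country: "US"       # Debian archive mirror country.
    protocol: "https"         # Protocol to be used for downloading files, where "https" is RECOMMENDED.
    proxy: ""                 # HTTP proxy information (blank for none) or "http://[[user][:pass]@]host[:port]/"

  ##############################################################################################################################
  # Debian has the following services that provide updates.
  #
  # Backported software is adapted from the development version to work with this release. Although this software has not gone
  # through such complete testing as that contained in the release, it includes newer versions of some applications that may
  # provide useful features. Enabling backports here does not cause any of them to be installed by default; it only allows you
  # to manually select backports to use.
  #
  # Release updates provide more current versions for software that changes relatively frequently and where not having the
  # latest version could reduce the usability of the software. It also provides regression fixes. This service is only
  # available for stable and oldstable releases.
  #
  # Security updates help to keep your system secured against attacks. Enabling this service is strongly recommended.
  #
  # Applying updates on a frequent basis is an important part of keeping the system secure. By default, security updates are not
  # automatically installed, as security advisories should be reviewed before manual installation of the updates using standard
  # package management tools.
  #
  # Alternatively, the unattended-upgrades package can be installed, which will install security updates automatically. Note,
  # however, that automatic installation of updates may occasionally cause unexpected downtime of services provided by this
  # machine in the rare cases where the update is not fully backward-compatible, or where the security advisory requires the
  # administrator to perform some other manual operation.
  ##############################################################################################################################
  updates:
    backports: true
    release: true
    security: true
    policy: "unattended"      # Possible choices: "none", "security", "unattended" (RECOMMENDED).

################################################################################################################################
# Basic settings
################################################################################################################################
architecture: "amd64"         # MUST be one of "amd64", "intel64" or "arm64".
distribution: "bookworm"      # MUST be "bookworm".
debian_suite: "stable"        # MUST be "stable". Not supported yet: "testing", "experimental".
exit:
  halt: false                 # This is how to make the installer shut down when finished, but not reboot.
  poweroff: true              # This will power off the machine instead of just halting it (RECOMMENDED).
  reboot: false               # This will reboot the machine.
# Could be a meta-package or a specific image like:
#   "linux-image-amd64"       || "linux-image-arm64"
#   "linux-image-cloud-amd64" || "linux-image-cloud-arm64"
#   "linux-image-rt-amd64"    || "linux-image-rt-arm64"
#   "linux-image-6.12.30+bpo-amd64"
image: "linux-image-amd64"
firmware:
  install: true               # If non-free firmware is needed for the network or other hardware, autoinstall it.
  # - "never"   Completely disables the firmware search.
  # - "missing" Searches only when the firmware is needed. (default)
  # - "always"  Always searches and asks for any firmware that could be useful for the hardware.
  lookup: "missing"

################################################################################################################################
# GRUB2 settings
################################################################################################################################
grub:
  background:                 # RECOMMENDED settings: JPG 1280 x 1024 px or JPG 1920 x 1080 px
    enable: true              # If you want to add a GRUB background.
    path: "/root/CISS.2025.debian.installer/.assets/background/background_hexagon_1280.jpg"
  # Due notably to potential USB sticks, the location of the primary drive cannot be determined safely in general, so this
  # needs to be specified.
  bootdev: "/dev/sda"
  # Force GRUB installation to the EFI removable media path?
  # It seems that this computer is configured to boot via EFI, but maybe that configuration will not work for booting from
  # the hard drive. Some EFI firmware implementations do not meet the EFI specification (i.e., they are buggy) and do not
  # support proper configuration of boot options from system hard drives.
  #
  # A workaround for this problem is to install an extra copy of the EFI version of the GRUB bootloader to a fallback
  # location, the "removable media path". Almost all EFI systems, no matter how buggy, will boot GRUB that way.
  #
  # Warning: If the installer failed to detect another operating system that is present on your computer that also depends
  # on this fallback, installing GRUB there will make that OS temporarily unbootable. GRUB can be manually configured later
  # to boot it if necessary.
  force_efi: false
  # Install the latest GRUB2 backported package for encrypted '/boot' support.
  # MUST be "true" in the case of 'LUKS2' and / or 'dm-integrity' encrypted '/boot'.
  latest: true
  # This is fairly safe to set; it makes grub install automatically to the UEFI partition '/boot' record if no other
  # operating system is detected on the machine.
  only_debian: true
  # This one makes grub-installer install to the UEFI partition '/boot' record if it also finds some other OS, which is
  # less safe as it might not be able to boot that other OS.
  other-os: true
  # OS-prober did not detect any other operating systems on your computer at this time, but you may still wish to enable
  # it in case you install more in the future.
  prober: false
  skip: false                 # Skip installing grub.
  # Update NVRAM variables to automatically boot into Debian?
  # GRUB can configure your platform's NVRAM variables so that it boots into Debian automatically when powered on. However,
  # you may prefer to disable this behavior and avoid changes to your boot configuration. For example, if your NVRAM
  # variables have been set up such that your system contacts a PXE server on every boot, disabling this would preserve
  # that behavior.
  update_nvram: true

################################################################################################################################
# Locale settings set language, country, locale, keyboard map and timezone
################################################################################################################################
locale:
  country: "US"
  keyboard:
    layout: "de"
    xkb-keymap: "de"
  language: "en"
  locale: "en_US.UTF-8"
  timezone: "Europe/Lisbon"

################################################################################################################################
# Network settings
################################################################################################################################
network:
  autoconfig:
    # Automatic network configuration 'dhcp' is the default. If you prefer to configure the network manually, change
    # 'network.autoconfig.enable' from "true" to "false" and configure
    # - 'network.choose_interface.static'
    # - 'network.hostname'
    # - 'network.ipv6'
    # - 'network.static' section
    enable: true
  choose_interface:
    auto: true                # Choose an interface that has a link if possible. Or manually configure the static NIC below.
    static: "eth1"            # For manual configuration, specify a particular interface.
  # Specify the FQDN of the server. If not specified and autoconfig is enabled, the given dhcp value is chosen.
  hostname: "nsa.usic.gov"
  ipv6: true                  # Specify if you want to use IPv6.
  timeout:
    dhcp: 60                  # If the dhcp server is slow, and the installer times out waiting for it, this might be useful.
    linkwait: 60              # To set a different link detection timeout (default is 3 seconds).
  static:
    # If you want the preconfiguration file to work on systems both with and without a dhcp server, change
    # 'network.static.enable' from "false" to "true" and configure the static configuration below.
    enable: true
    ipv4address: "192.168.128.128"
    ipv4netmask: "255.255.255.0"
    ipv4gateway: "192.168.128.254"
    ipv4nameserver:
      - "135.181.207.105"     # dns01.eddns.eu
      - "89.58.62.53"         # dns02.eddns.de
      - "138.199.237.109"     # dns03.eddns.eu
    ipv4nameserver_fallback:
      - "176.9.93.198"        # dnsforge.de
      - "176.9.1.117"         # dnsforge.de
    ipv6address: "2a0a:aaaa:bbbb:cccc:192:168:128:128"
    ipv6netmask: "128"
    ipv6gateway: "fe80::1"
    ipv6nameserver:
      - "2a01:4f9:c012:a813:135:181:207:105"
      - "2a0a:4cc0:1:e6:89:58:62:53"
      - "2a01:4f8:c013:8011:138:199:237:109"
    ipv6nameserver_fallback:
      - "2a01:4f8:151:34aa::198"
      - "2a01:4f8:141:316d::117"

################################################################################################################################
# Security settings
################################################################################################################################
security:
  unauthenticated: false      # The installer will ensure that any packages are signed and authenticated.
  # This ensures that the connection between the installer and the server from which files are downloaded is encrypted
  # and signed by a trusted certificate authority.
  unauthenticated_ssl: false

################################################################################################################################
# Software installation
################################################################################################################################
software:
  ##############################################################################################################################
  # core software
  ##############################################################################################################################
  - apt-show-versions
  - apt-transport-https
  - apt-utils
  - bash
  - bash-completion
  - bat
  - bind9-dnsutils
  - bc
  - ca-certificates
  - coreutils
  - debconf
  - debconf-utils
  - dialog
  - efibootmgr
  - fzf
  - gawk
  - git
  - grub2
  - grub2-common
  - knot-dnssecutils
  - knot-dnsutils
  - libpam-google-authenticator
  - libpam-pwquality
  - locate
  - logrotate
  - lsb-release
  - nano
  - openssl
  - rsyslog
  - screen
  - shellcheck
  - software-properties-common
  - spectre-meltdown-checker
  - ssh
  - sudo
  - sysstat
  - tree
  # NOTE(review): 'unattended-upgrades' is commented out here while 'apt.updates.policy' is "unattended" — confirm that the
  # installer pulls the package in via the policy, otherwise automatic security updates will not be active.
  #- unattended-upgrades
  - whois
  - zsh
  ## software dev
  #- build-essential
  #- clang
  #- debootstrap
  #- linux-source
  #- lld
  #- makedev
  #- ssl-cert

  ##############################################################################################################################
  # documentation
  ##############################################################################################################################
  - debian-kernel-handbook
  - linux-doc-6.12
  - man-db

  ##############################################################################################################################
  # encryption
  ##############################################################################################################################
  - dirmngr
  - gnupg
  - haveged
  - pollinate

  ##############################################################################################################################
  # files
  ##############################################################################################################################
  - curl
  - rsnapshot
  - rsync
  - unzip
  - wget
  - zip

  ##############################################################################################################################
  # malware detection
  ##############################################################################################################################
  - chkrootkit
  - clamav
  - clamav-daemon
  - rkhunter

  ##############################################################################################################################
  # network
  ##############################################################################################################################
  - dhcpdump
  - dhcping
  - iftop
  - iproute2
  - iputils-ping
  - mtr
  - ncat
  - net-tools
  - nmap
  - tshark
  - ufw

  ##############################################################################################################################
  # parser
  ##############################################################################################################################
  #- jq
  #- yq

  ##############################################################################################################################
  # partitioning
  ##############################################################################################################################
  - btrfs-progs
  - cryptsetup
  - cryptsetup-nuke-password
  - dmsetup
  - dosfstools
  - fdisk
  - gdisk
  - lvm2
  - mdadm
  - parted

  ##############################################################################################################################
  # password
  ##############################################################################################################################
  - keychain
  - makepasswd
  - pwgen
  - wamerican
  - wbritish
  - wfrench
  - wngerman

  ##############################################################################################################################
  # security
  ##############################################################################################################################
  - fail2ban

  ##############################################################################################################################
  # tools
  ##############################################################################################################################
  - expect
  - figlet
  - htop
  - neofetch
  - neovim
  - python3
  - virt-what

################################################################################################################################
# Time settings
################################################################################################################################
# Germany     : https://www.ptb.de/cms/ptb/fachabteilungen/abtq/gruppe-q4/ref-q42/zeitsynchronisation-von-rechnern-mit-hilfe-des-network-time-protocol-ntp.html
# Germany     : ptbtime1.ptb.de ptbtime2.ptb.de ptbtime3.ptb.de
# Germany     : https://www.rrze.fau.de/serverdienste/infrastruktur/zeitserver/
# Germany     : ntp0.fau.de ntp3.fau.de
# Portugal    : https://si.tecnico.ulisboa.pt/en/servicos/servidores-e-dados/ntp/
# Portugal    : ntp1.tecnico.ulisboa.pt ntp2.tecnico.ulisboa.pt
# Sweden      : https://www.netnod.se/swedish-distributed-time-service
# Sweden      : nts.netnod.se
# Switzerland : https://www.metas.ch/metas/de/home/fabe/zeit-und-frequenz/time-dissemination.html
# Switzerland : ntp11.metas.ch ntp12.metas.ch ntp13.metas.ch
# USA         : https://tf.nist.gov/tf-cgi/servers.cgi
# USA         : time-a-g.nist.gov time-c-b.nist.gov utcnist3.colorado.edu
ntp:
  server:
    - "ntp.ripe.net"
    - "ptbtime3.ptb.de"
    - "ptbtime2.ptb.de"
    - "ptbtime1.ptb.de"
    - "ntp13.metas.ch"
    - "ntp2.tecnico.ulisboa.pt"
    - "time-c-b.nist.gov"
    - "sth1.ntp.se"
    - "ntp0.fau.de"
  timezone: "Europe/Lisbon"   # Any valid setting for $TZ; see the contents of '/usr/share/zoneinfo' for valid values.
  utc: true                   # Controls whether the hardware clock is set to UTC.

################################################################################################################################
# User settings
################################################################################################################################
user:
  # For additional hardening of SSH connections via '/etc/hosts.allow'.
  # If "allow_policies" = "true", at least one IP MUST be provided.
  allow_policies: true
  allow_ipv4:
    - "202.61.246.50"
  allow_ipv6:
    - "2a03:4000:53:f:abcd:9494:0:2"
  dropbear_boot: true         # Dropbear initramfs integration.
  ssh_port: 42137             # SSH Port. In case "dropbear_boot" = "true" the same SSH Port will be used.
  ssh_rootca: "./.preseed/ssh_root_ca.pub"

  ##############################################################################################################################
  # root – Superuser account (normally disabled for direct login)
  ##############################################################################################################################
  root:
    ensure: present           # Must always be 'present'.
    protected: true           # Prevent unintentional edits or deletions.
    shell: /bin/zsh           # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
    # NOTE(review): empty password while 'authentication.password_auth.tty' is "true" — confirm whether the installer locks
    # the account when this is blank or expects a value to be supplied before deployment.
    password: ""
    ssh_pubkeys:              # List of public SSH keys for authentication.
      - ""
    authentication:
      access:
        ssh: false            # Allow SSH access.
        tty: true             # Allow TTY (local console) login.
      password_auth:
        ssh: false            # Allow SSH password login.
        tty: true             # Allow TTY (local console) password login.
      2fa:
        ssh: false            # Require 2FA for SSH access.
        tty: true             # Require 2FA for TTY (local console) login.
    privileges:
      description: "Root user with full system access and administrative privileges."
      sudo: false             # Whether the user can escalate to root using sudo.
      system_user: false      # Whether this is a low-UID system user (e.g., for automation).
      restricted: false       # If true, user is limited in scope (e.g., no login, no file access).
      shell_access: true      # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.

  ##############################################################################################################################
  # Primary administrative user with full sudo access
  ##############################################################################################################################
  user0:
    ensure: present           # "present" = create user; "absent" = remove user
    protected: true           # Prevent unintentional edits or deletions.
    name: "msw"               # The name of the user account.
    fullname: "msw"           # The full name of the user account holder.
    uid: 1000                 # Ensures that the same user has the same UID on all systems.
    gid: 1000                 # Ensures that the same user has the same GID on all systems.
    shell: /bin/zsh           # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
    password: ""
    ssh_pubkeys:              # List of public SSH keys for authentication. Populate before use: SSH access is enabled below
      - ""                    # with password login disabled, so an empty list leaves only certificate-based login.
    authentication:
      access:
        ssh: true             # Allow SSH access.
        tty: true             # Allow TTY (local console) login.
      password_auth:
        ssh: false            # Allow SSH password login.
        tty: true             # Allow TTY (local console) password login.
      2fa:
        ssh: true             # Require 2FA for SSH access.
        tty: true             # Require 2FA for TTY (local console) login.
    privileges:
      description: "Primary admin user with full sudo access and interactive login."
      sudo: true              # Whether the user can escalate to root using sudo.
      system_user: false      # Whether this is a low-UID system user (e.g., for automation).
      restricted: false       # If true, user is limited in scope (e.g., no login, no file access).
      shell_access: true      # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.

  ##############################################################################################################################
  # ansible – System user for automation, no interactive shell
  ##############################################################################################################################
  user1:
    ensure: present           # "present" = create user; "absent" = remove user
    protected: true           # Prevent unintentional edits or deletions.
    name: "ansible"           # The name of the user account.
    fullname: "ansible"       # The full name of the user account holder.
    uid: 137                  # Ensures that the same user has the same UID on all systems.
    gid: 137                  # Ensures that the same user has the same GID on all systems.
    shell: /usr/sbin/nologin  # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
    password: ""              # No password set for ansible user
    ssh_pubkeys:              # List of public SSH keys for authentication.
      - ""
    authentication:
      access:
        ssh: true             # Allow SSH access.
        tty: false            # Allow TTY (local console) login.
      password_auth:
        ssh: false            # Allow SSH password login.
        tty: false            # Allow TTY (local console) password login.
      2fa:
        ssh: false            # Require 2FA for SSH access.
        tty: false            # Require 2FA for TTY (local console) login.
    privileges:
      description: "Automation user without interactive shell and no sudo."
      # NOTE(review): 'sudo' is "true" while the description above says "no sudo" — one of the two is wrong. If this
      # automation account does need privilege escalation, correct the description; otherwise set 'sudo: false'.
      sudo: true              # Whether the user can escalate to root using sudo.
      system_user: true       # Whether this is a low-UID system user (e.g., for automation).
      restricted: true        # If true, user is limited in scope (e.g., no login, no file access).
      shell_access: false     # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml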