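# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
%YAML 1.2
---
### This file contains configurations for the CISS.debian.installer
### Master V8.00.000.2025.06.17
### YAML specification: 1.2
#
# NOTE(review): the nesting below was reconstructed from a whitespace-collapsed copy of this
# file; verify key placement (in particular 'apt.mirror.suite' and 'apt.updates.policy')
# against the installer's schema before use.

installer:
  name: "CISS.debian.installer"
  version: "V8.00.000.2025.06.17"
  log: "info"

###########################################################################################
# APT settings                                                                            #
###########################################################################################
apt:
  # You can choose to install contrib software:
  contrib: true
  # By default, source repositories are listed in /etc/apt/sources.list. This MUST be true:
  default-list: true
  # Whether to upgrade packages after debootstrap.
  # Allowed values: "false" for none; "true" for full-upgrade (RECOMMENDED):
  full-upgrade: true
  # Whether APT installs recommended packages by default. Setting this to "false" can result
  # in an incomplete system and should only be used by very experienced users:
  install-recommends: true
  # A network mirror MUST be used to supplement the software not included on the
  # installation media. This may also make newer versions of software available.
  # This MUST be true:
  mirror:
    activate: true
    # Country code of mirror destination:
    country: "US"
    # Debian archive mirror directory. Please enter the directory in which the mirror of
    # the Debian archive is located:
    directory: "/debian/"
    # Debian archive mirror hostname. Please enter the hostname of the mirror from which
    # Debian will be downloaded. An alternate port can be specified using the standard
    # [hostname]:[port] format:
    hostname: "deb.debian.org"
    # Debian archive mirror country. The goal is to find a mirror of the Debian archive that
    # is close to you on the network -- be aware that nearby countries, or even your own, may
    # not be the best choice.
    https-country: "US"
    # Please select the protocol to be used for downloading files, where "https" is RECOMMENDED.
    protocol: "https"
    # HTTP proxy information (blank for none). If you need to use an HTTP proxy to access the
    # outside world, enter the proxy information here. Otherwise, leave this blank. The proxy
    # information should be given in the standard form of "http://[[user][:pass]@]host[:port]/".
    proxy: ""
    # Suite to install MUST be one of "stable", "testing", "experimental":
    # NOTE(review): "stable" is a moving alias. When Debian releases, apt refuses updates from
    # these sources until the release-info change is accepted, and 'full-upgrade' would then
    # cross a major version. If the installer accepts it, a codename is the safer pin.
    suite: "stable"
  # You can choose to install non-free:
  non-free: true
  # You can choose to install non-free firmware:
  non-free-firmware: true
  # Debian archive security string
  security-string: "security.debian.org"
  # Debian has the following services that provide updates.
  #
  # Security updates help to keep your system secured against attacks.
  # Enabling this service is strongly recommended.
  #
  # Release updates provide more current versions for software that changes relatively
  # frequently and where not having the latest version could reduce the usability of the
  # software. It also provides regression fixes. This service is only available for stable
  # and oldstable releases.
  #
  # Backported software is adapted from the development version to work with this release.
  # Although this software has not gone through such complete testing as that contained in
  # the release, it includes newer versions of some applications that may provide useful
  # features. Enabling backports here does not cause any of them to be installed by default;
  # it only allows you to manually select backports to use.
  updates:
    backports: true
    release: true
    security: true
    # Applying updates on a frequent basis is an important part of keeping the system secure.
    #
    # By default, security updates are not automatically installed, as security advisories
    # should be reviewed before manual installation of the updates using standard package
    # management tools.
    #
    # Alternatively, the unattended-upgrades package can be installed, which will install
    # security updates automatically.
    # Note, however, that automatic installation of updates may occasionally cause unexpected
    # downtime of services provided by this machine in the rare cases where the update is not
    # fully backward-compatible, or where the security advisory requires the administrator to
    # perform some other manual operation.
    #
    # Possible choices: none, security, unattended (RECOMMENDED)
    # NOTE(review): "unattended" is selected, but 'unattended-upgrades' is commented out in the
    # 'software' list below. Unless the installer pulls the package in for this policy on its
    # own, security updates will NOT be applied automatically -- confirm one or the other.
    policy: "unattended"

###########################################################################################
# Basic settings                                                                          #
###########################################################################################
# Please specify the architecture of the server to be installed:
arch: "amd64"  # MUST be "amd64" || "intel64". "arm64" is NOT supported
# This is how to make the installer shutdown when finished, but not reboot:
exit-halt: false
# This will power off the machine instead of just halting it (RECOMMENDED):
exit-poweroff: true
# This will reboot the machine:
exit-reboot: false
# If non-free firmware is needed for the network or other hardware, you can configure the
# installer to always try to load it without prompting.
firmware-install: true
# Firmware settings
#   "never":   Completely disables the firmware search.
#   "missing": Searches only when the firmware is needed. (default)
#   "always":  Always searches and asks for any firmware that could be useful for the hardware.
firmware-lookup: "missing"
# The kernel image to be installed; "none" can be used if no kernel is to be installed:
# NOTE(review): this names one ABI-specific image. It will not follow later backports kernel
# security releases that change the ABI; the 'linux-image-amd64' metapackage (from backports)
# tracks the current image. Confirm the installer accepts a metapackage here before switching.
kernel: "linux-image-6.12.12+bpo-amd64"

###########################################################################################
# GRUB2 settings                                                                          #
###########################################################################################
grub:
  background:
    # If you want to change the GRUB background, please change to "true":
    enable: true
    # Specify the path from which the image should be loaded.
    # RECOMMENDED settings: JPG 1280 x 1024 px or JPG 1920 x 1080 px
    path: "/root/CISS.2025.debian.installer/.assets/background/background_hexagon_1280.jpg"
  # Due notably to potential USB sticks, the location of the primary drive cannot be
  # determined safely in general, so this needs to be specified:
  bootdev: "/dev/sda"
  # Force GRUB installation to the EFI removable media path?
  # It seems that this computer is configured to boot via EFI, but maybe that configuration
  # will not work for booting from the hard drive. Some EFI firmware implementations do not
  # meet the EFI specification (i.e., they are buggy) and do not support proper configuration
  # of boot options from system hard drives.
  #
  # A workaround for this problem is to install an extra copy of the EFI version of the GRUB
  # bootloader to a fallback location, the "removable media path". Almost all EFI systems, no
  # matter how buggy, will boot GRUB that way.
  #
  # Warning: If the installer failed to detect another operating system that is present on
  # your computer that also depends on this fallback, installing GRUB there will make that
  # operating system temporarily unbootable. GRUB can be manually configured later to boot it
  # if necessary:
  force-efi-extra-removable: false
  # Set this to 'true' to install the latest GRUB2 backported package for encrypted '/boot'
  # support. MUST be 'true' in the case of 'LUKS2' and / or 'dm-integrity' encrypted '/boot/':
  latest: true
  # This is fairly safe to set; it makes grub install automatically to the UEFI partition
  # '/boot' record if no other operating system is detected on the machine:
  only-debian: true
  # This one makes grub-installer install to the UEFI partition/boot record, if it also finds
  # some other OS, which is less safe as it might not be able to boot that other OS:
  other-os: true
  # OS-prober did not detect any other operating systems on your computer at this time, but
  # you may still wish to enable it in case you install more in the future:
  prober: false
  # Skip installing grub:
  skip: false
  # Update NVRAM variables to automatically boot into Debian?
  # GRUB can configure your platform's NVRAM variables so that it boots into Debian
  # automatically when powered on. However, you may prefer to disable this behavior and avoid
  # changes to your boot configuration. For example, if your NVRAM variables have been set up
  # such that your system contacts a PXE server on every boot, this would preserve that
  # behavior:
  update-nvram: true

###########################################################################################
# Locale settings set language, country, locale, keyboard map and timezone                #
###########################################################################################
locale:
  country: "US"
  keyboard:
    layout: "de"
    xkb-keymap: "de"
  language: "en"
  locale: "en_US.UTF-8"
  timezone: "Europe/Lisbon"

###########################################################################################
# Network settings                                                                        #
###########################################################################################
network:
  autoconfig:
    # Automatic network configuration is the default. If you prefer to configure the network
    # manually, change 'network.autoconfig.enable' from "true" to "false" and configure
    #   - 'network.choose_interface.static'
    #   - 'network.hostname'
    #   - 'network.ipv6'
    #   - 'network.static' section
    enable: true
  choose_interface:
    # Choose an interface that has a link if possible. Or skip this via "false" and manually
    # configure the static NIC below.
    auto: true
    # If auto-detect fails, specify a particular interface instead:
    static: "eth1"
  # Please specify the FQDN of the server:
  hostname: "nsa.usic.gov"
  # Please specify if you want to use IPv6:
  # NOTE(review): quoted where every other switch in this file is a bare boolean -- confirm
  # the installer compares this as a string before normalising it to 'true'.
  ipv6: "true"
  # Timeout settings
  timeout:
    # If the dhcp server is slow, and the installer times out waiting for it, this might be
    # useful.
    dhcp: 60
    # To set a different link detection timeout (default is 3 seconds):
    linkwait: 60
  static:
    # If you want the preconfiguration file to work on systems both with and without a dhcp
    # server, change 'network.static.enable' from "false" to "true" and configure the static
    # configuration below.
    enable: true
    # Static IPv4 network configuration.
    ipv4address: "192.168.128.128"
    ipv4netmask: "255.255.255.0"
    ipv4gateway: "192.168.128.254"
    # Static IPv4 nameservers.
    ipv4nameserver:
      # dns01.eddns.eu
      - "135.181.207.105"
      # dns02.eddns.de
      - "89.58.62.53"
    # Static IPv4 fallback nameservers.
    ipv4nameserver_fallback:
      # dnsforge.de
      - "176.9.93.198"
      - "176.9.1.117"
    # Static IPv6 network configuration.
    # NOTE(review): both values below are IPv4 literals, so with 'static.enable' set to true
    # this IPv6 configuration cannot be applied as written -- supply IPv6 addresses. A prefix
    # length of 128 also leaves no on-link prefix for the gateway unless the installer adds an
    # explicit route; /64 is the usual choice.
    ipv6address: "192.168.128.128"
    ipv6netmask: "128"
    ipv6gateway: "192.168.128.254"
    # Static IPv6 nameservers.
    ipv6nameserver:
      # dns01.eddns.eu
      - "2a01:4f9:c012:a813:135:181:207:105"
      # dns02.eddns.de
      - "2a0a:4cc0:1:e6:89:58:62:53"
    ipv6nameserver_fallback:
      # dnsforge.de
      - "2a01:4f8:151:34aa::198"
      - "2a01:4f8:141:316d::117"

###########################################################################################
# Security settings                                                                       #
###########################################################################################
security:
  # The installer will ensure that any packages are signed and authenticated.
  allow_unauthenticated: false
  # This ensures that the connection between the installer, and the server from which files
  # are downloaded, is encrypted and signed by a trusted certificate authority.
  allow_unauthenticated_ssl: false

###########################################################################################
# Software installation                                                                   #
###########################################################################################
software:
  ## software core
  - apt-show-versions
  - apt-transport-https
  - apt-utils
  - bash
  - bash-completion
  - bat
  - bind9-dnsutils
  - bc
  - ca-certificates
  - coreutils
  - debconf
  - debconf-utils
  - dialog
  - efibootmgr
  - fzf
  - gawk
  - git
  - grub2
  - grub2-common
  - knot-dnssecutils
  - knot-dnsutils
  - libpam-google-authenticator
  - libpam-pwquality
  - locate
  - logrotate
  - lsb-release
  - nano
  - openssl
  - rsyslog
  - screen
  - shellcheck
  - software-properties-common
  - spectre-meltdown-checker
  - ssh
  - sudo
  - sysstat
  - tree
  # NOTE(review): 'apt.updates.policy' above is "unattended"; leaving this package out means
  # that policy has no effect unless the installer installs it by itself.
  #- unattended-upgrades
  - whois
  - zsh
  ## software dev
  #- build-essential
  #- clang
  #- debootstrap
  #- linux-source
  #- lld
  #- makedev
  #- ssl-cert
  ## software documentation
  - debian-kernel-handbook
  - linux-doc-6.12
  - man-db
  ## software encryption
  - dirmngr
  - gnupg
  - haveged
  - pollinate
  ## software files
  - curl
  - rsnapshot
  - rsync
  - unzip
  - wget
  - zip
  ## software malware
  - chkrootkit
  - clamav
  - clamav-daemon
  - rkhunter
  ## software network
  - dhcpdump
  - dhcping
  - iftop
  - iproute2
  - iputils-ping
  - mtr
  - ncat
  - net-tools
  - nmap
  - tshark
  ## software parser
  #- jq
  #- yq
  ## software partitioning
  - btrfs-progs
  - cryptsetup
  - cryptsetup-nuke-password
  - dmsetup
  - dosfstools
  - fdisk
  - gdisk
  - lvm2
  - mdadm
  - parted
  ## software password
  - keychain
  - makepasswd
  - pwgen
  - wamerican
  - wbritish
  - wfrench
  - wngerman
  ## software security
  - fail2ban
  - ufw
  ## software tools
  - expect
  - figlet
  - htop
  - neofetch
  - neovim
  - python3
  - virt-what

###########################################################################################
# Time settings                                                                           #
###########################################################################################
# Germany     : https://www.ptb.de/cms/ptb/fachabteilungen/abtq/gruppe-q4/ref-q42/zeitsynchronisation-von-rechnern-mit-hilfe-des-network-time-protocol-ntp.html
# Germany     : ptbtime1.ptb.de ptbtime2.ptb.de ptbtime3.ptb.de
# Germany     : https://www.rrze.fau.de/serverdienste/infrastruktur/zeitserver/
# Germany     : ntp0.fau.de ntp3.fau.de
# Portugal    : https://si.tecnico.ulisboa.pt/en/servicos/servidores-e-dados/ntp/
# Portugal    : ntp1.tecnico.ulisboa.pt ntp2.tecnico.ulisboa.pt
# Sweden      : https://www.netnod.se/swedish-distributed-time-service
# Sweden      : nts.netnod.se
# Switzerland : https://www.metas.ch/metas/de/home/fabe/zeit-und-frequenz/time-dissemination.html
# Switzerland : ntp11.metas.ch ntp12.metas.ch ntp13.metas.ch
# USA         : https://tf.nist.gov/tf-cgi/servers.cgi
# USA         : time-a-g.nist.gov time-c-b.nist.gov utcnist3.colorado.edu
ntp:
  # NOTE(review): nothing in this section enables NTS, so time is taken over plain,
  # unauthenticated NTP from every server listed (including nts.netnod.se). Time is a trust
  # input for certificate and signature validity; enable NTS on the client if it supports it.
  server:
    - "ntp.ripe.net"
    - "ptbtime3.ptb.de"
    - "ptbtime2.ptb.de"
    - "ntp12.metas.ch"
    - "ntp2.tecnico.ulisboa.pt"
    - "time-c-b.nist.gov"
    - "nts.netnod.se"
    - "ntp0.fau.de"
  # Any valid setting for $TZ; see the contents of '/usr/share/zoneinfo' for valid values:
  timezone: "Europe/Lisbon"
  # Controls whether the hardware clock is set to UTC:
  utc: true

###########################################################################################
# User settings                                                                           #
###########################################################################################
accounts:
  # For whitelisting and additional hardening of SSH connections, the following IPs MUST be
  # provided. Quoted so no YAML loader can reinterpret them.
  bastion-vpn-ipv4: "202.61.246.50"
  bastion-vpn-ipv6: "2a03:4000:53:f:abcd:9494:0:2"
  # If a secure channel for LUKS passphrase input is needed, this MUST be set to "true".
  dropbear-ssh: true
  # For dropbear SSH authentication, an ed25519 PubKey MUST be provided.
  dropbear-pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG1RNGtD+Uwb45aQcWP//kQgy0K8EfglVsWwD6qyg6Ox 2025_dropbear_master"
  # If decryption via dropbear SSH in the initramfs environment is desired, set to "true"
  # otherwise to "false".
  # MUST be "true" if Nuke Mechanism is chosen for at least one Device in partitioning.yaml.
  dropbear-unlock: true
  root:
    # Skip creation of a root account (a normal user account will be able to use sudo):
    # For best practice it is RECOMMENDED to configure root, and after setup, you should run
    # the hardening script.
    login: true
    # Create a password hash for the root account:
    # sha-512 is NOT RECOMMENDED
    #   SALT=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16)
    #   mkpasswd --method=sha-512 --salt="${SALT}" --rounds=8388608
    # Use yescrypt instead that is RECOMMENDED:
    #   mkpasswd --method=yescrypt
    # NOTE(review): this hash is byte-identical to 'accounts.user.password-crypted' below,
    # i.e. root and the user share one password. A hash committed to a repository is also
    # exposed to offline guessing; generate a distinct hash per account and keep them out of
    # version control.
    password-enabled: true
    password-crypted: "$y$j9T$cyO.ibYUpLZ0GPYUkRF.q0$NhSWX5V8.uKxVKWkCH2cdl62dilvi8mWWnEWksE8Tz0"
    # MUST be either "sshpubkey" or "sshcert"
    ssh-method: sshcert
    ssh-pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID2mSRx+Ny8cudr9vOlyfqMYPbZC3jkFaNARTOMh33De 2025_ed25519_coresecret.dev_root"
    ssh-rootca: "./.preseed/ssh_root_ca.pub"
    ssh-keyrounds: 1024
    ssh-port: 42137
  user:
    login: false
    # In honor of the defender of the freedom of expression:
    fullname: "Donald John Trump"
    name: "potus"
    password-enabled: true
    # NOTE(review): same hash as 'accounts.root.password-crypted' -- see the note there.
    password-crypted: "$y$j9T$cyO.ibYUpLZ0GPYUkRF.q0$NhSWX5V8.uKxVKWkCH2cdl62dilvi8mWWnEWksE8Tz0"
    ssh-method: sshcert
    # NOTE(review): the value below is an 'ssh-keygen -l' fingerprint line (bit length plus
    # SHA256 digest), not an authorized_keys public key; it cannot authenticate anything if the
    # installer ever writes it out. Paste the 'ssh-ed25519 AAAA...' public key here instead.
    ssh-pubkey: "ssh-ed25519 255 SHA256:glLSH13uNy04qbpDskVTB+3CwtLeuXwxzvqP9w5ZKjM 2025_ed25519_coresecret.dev_potus"
    ssh-rootca: "./.preseed/ssh_root_ca.pub"

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml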