# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
%YAML 1.2
---
### This file contains configurations for the CISS.debian.installer
### Master V8.00.000.2025.06.17
### YAML specification: 1.2
# Installer self-description; 'version' is matched against the "Master" version in the header above.
# NOTE(review): the hosting forge flags confusable (ambiguous) Unicode characters somewhere in this file. Before using it,
# grep every value that ends up on the target (hostnames, paths, package names, server names) for non-ASCII bytes.
installer:
  name: "CISS.debian.installer"
  version: "V8.00.000.2025.06.17"
  log: "info"                        # Installer log verbosity.
################################################################################################################################
# APT settings
################################################################################################################################
apt:
  contrib: true                      # Optionally install contrib software.
  deb_sources: true                  # Optionally include deb-src entries for source repositories.
  default_list: true                 # Source repositories are listed in '/etc/apt/sources.list'. This MUST be "true".
  full_upgrade: true                 # Whether to upgrade packages after debootstrap.
  install_recommends: true           # "true" lets APT pull in Recommends (Debian's default behaviour). "false" keeps the
                                     # installed-package surface smaller on a hardened host. (The previous comment here
                                     # described the "false" setting, not the value actually configured.)
  non_free: true                     # Optionally install non-free software.
  non_free_firmware: true            # Optionally install non-free firmware. MUST be "true" for microcode updates.
  sec: "security.debian.org"         # Debian Security Updates Archive.
  ##############################################################################################################################
  # A network mirror MUST be used to supplement the software not included on the installation media. This may also make newer
  # versions of software available.
  ##############################################################################################################################
  mirror:
    activate: true                   # MUST be "true".
    country: "US"                    # Country code of the mirror destination.
    directory: "/debian/"            # Directory on the mirror host in which the Debian archive is located.
    hostname: "deb.debian.org"       # Debian archive mirror hostname.
    https-country: "US"              # Debian archive mirror country. (This key is hyphenated unlike the rest of the file;
                                     # presumably the name the installer expects, so it is left as is.)
    protocol: "https"                # Protocol used for downloading files; "https" is RECOMMENDED. Whether the server
                                     # certificate is actually validated is governed by 'security.unauthenticated_ssl'.
    proxy: ""                        # HTTP proxy (blank for none) or "http://[[user][:pass]@]host[:port]/".
                                     # Avoid embedding user:pass here: this file lives in the repository and on the
                                     # installed host, so proxy credentials would be stored in clear text.
  ##############################################################################################################################
  # Debian provides the following update services.
  #
  # Backports: software adapted from the development version to work with this release. It has not gone through the same
  # testing as the release itself, but offers newer versions of some applications that may provide useful features. Enabling
  # backports here installs none of them by default; it only allows backports to be selected manually.
  #
  # Release updates: more current versions of software that changes relatively frequently and where not having the latest
  # version reduces usability; it also provides regression fixes. Only available for stable and oldstable releases.
  #
  # Security updates: keep the system patched against known vulnerabilities. Enabling this service is strongly recommended.
  #
  # Applying updates frequently is an important part of keeping the system secure. By default security updates are not
  # installed automatically, so that advisories can be reviewed before the updates are applied with the standard package
  # management tools.
  #
  # Alternatively the unattended-upgrades package can be installed, which applies security updates automatically. Note that
  # automatic installation may occasionally cause unexpected downtime of services provided by this machine, in the rare cases
  # where an update is not fully backward-compatible or where the advisory requires the administrator to perform some other
  # manual operation. 'policy' choices: "none", "security", "unattended" (RECOMMENDED).
  ##############################################################################################################################
  updates:
    backports: true
    release: true
    security: true
    policy: "unattended"             # NOTE(review): 'unattended-upgrades' is commented out in the 'software' list below.
                                     # Confirm the installer adds the package itself for this policy; otherwise the
                                     # "unattended" setting is inert and no updates are applied automatically.
################################################################################################################################
# Basic settings
################################################################################################################################
architecture: "amd64"                # MUST be one of "amd64", "intel64" or "arm64".
                                     # NOTE(review): "intel64" is not a Debian port name; check how the installer maps it.
distribution: "bookworm"             # MUST be "bookworm".
debian_suite: "stable"               # MUST be "stable". Not supported yet: "testing", "experimental".
exit:                                # What the installer does when finished (the three options are presumably exclusive).
  halt: false                        # Shut the installer down when finished, but do not reboot.
  poweroff: true                     # Power off the machine instead of just halting it (RECOMMENDED).
  reboot: false                      # Reboot the machine.
firmware:
  install: true                      # If non-free firmware is needed for the network or other hardware, install it.
  lookup: "missing"                  # - "never"   Completely disables the firmware search.
                                     # - "missing" Searches only when the firmware is needed. (default)
                                     # - "always"  Always searches and asks for any firmware that could be useful.
image: "linux-image-amd64"           # A meta-package or a specific image, e.g.:
                                     #   "linux-image-amd64"       || "linux-image-arm64"
                                     #   "linux-image-cloud-amd64" || "linux-image-cloud-arm64"
                                     #   "linux-image-rt-amd64"    || "linux-image-rt-arm64"
                                     #   "linux-image-6.12.30+bpo-amd64"
                                     # Prefer a meta-package: a versioned image name pins a single kernel ABI, so later
                                     # kernel security updates are not picked up through the meta-package.
################################################################################################################################
# GRUB2 settings
################################################################################################################################
grub:
  background:                        # RECOMMENDED: JPG 1280 x 1024 px or JPG 1920 x 1080 px.
    enable: true                     # Add a GRUB background image.
    path: "/root/CISS.2025.debian.installer/.assets/background/background_hexagon_1280.jpg"
  bootdev: "/dev/sda"                # Because of USB sticks etc. the primary drive cannot be determined safely in general,
                                     # so it has to be given here. A '/dev/disk/by-id/...' path is stable across device
                                     # enumeration order and reduces the risk of writing the boot loader to the wrong disk.
  force_efi: false                   # Force GRUB installation to the EFI removable media path?
                                     # Some EFI firmware implementations do not meet the EFI specification (i.e. they are
                                     # buggy) and do not support proper configuration of boot options from system hard
                                     # drives, so the system may not boot from the hard drive even though it boots via EFI.
                                     #
                                     # A workaround is to install an extra copy of the EFI version of GRUB to a fallback
                                     # location, the "removable media path". Almost all EFI systems, no matter how buggy,
                                     # will boot GRUB that way.
                                     #
                                     # Warning: if another operating system on this computer also depends on this fallback
                                     # and the installer failed to detect it, installing GRUB there will make that OS
                                     # temporarily unbootable. GRUB can be configured manually later to boot it.
  latest: true                       # Install the latest GRUB2 backported package for encrypted '/boot' support.
                                     # MUST be "true" for a 'LUKS2' and / or 'dm-integrity' encrypted '/boot'.
  only_debian: true                  # Fairly safe: install GRUB automatically to the UEFI partition / '/boot' record if no
                                     # other operating system is detected on the machine.
  other-os: true                     # Also install there if another OS is found. Less safe: that OS might no longer boot.
                                     # (Hyphenated key unlike 'only_debian'; presumably the name the installer expects.)
  prober: false                      # Enable os-prober. It detected no other operating system at install time; leaving it
                                     # off on a single-OS host also avoids probing foreign filesystems at every update.
  skip: false                        # Skip installing GRUB entirely.
  update_nvram: true                 # Update NVRAM variables so the platform boots into Debian automatically when powered
                                     # on. Set to "false" to avoid changes to the boot configuration, e.g. when the NVRAM
                                     # is set up to contact a PXE server on every boot and that behaviour must be kept.
################################################################################################################################
# Locale settings set language, country, locale, keyboard map and timezone
################################################################################################################################
# Language, country, locale, keyboard map and timezone of the installed system.
locale:
  country: "US"
  keyboard:                          # German keyboard with an English system locale: intentional, not a mismatch.
    layout: "de"
    xkb-keymap: "de"
  language: "en"
  locale: "en_US.UTF-8"
  timezone: "Europe/Lisbon"          # Also set under 'ntp.timezone' below; keep the two values in sync.
################################################################################################################################
# Network settings
################################################################################################################################
network:
  autoconfig:
    enable: true                     # Automatic network configuration via DHCP is the default. To configure the network
                                     # manually, change 'network.autoconfig.enable' from "true" to "false" and configure
                                     # - 'network.choose_interface.static'
                                     # - 'network.hostname'
                                     # - 'network.ipv6'
                                     # - the 'network.static' section
  choose_interface:
    auto: true                       # Choose an interface that has a link if possible, or use the static NIC below.
    static: "eth1"                   # For manual configuration, the interface to use.
  hostname: "nsa.usic.gov"           # FQDN of the server. If not specified and autoconfig is enabled, the DHCP-supplied
                                     # value is used. NOTE(review): the shipped value looks like a placeholder; set it per host.
  ipv6: true                         # Whether to use IPv6.
  timeout:
    dhcp: 60                         # Seconds to wait for a slow DHCP server before the installer gives up.
    linkwait: 60                     # Link detection timeout in seconds (installer default is 3 seconds).
  static:
    enable: true                     # "true" makes this file work on systems both with and without a DHCP server, using
                                     # the static configuration below as the fallback.
    ipv4address: "192.168.128.128"
    ipv4netmask: "255.255.255.0"
    ipv4gateway: "192.168.128.254"
    ipv4nameserver:                  # Third-party public resolvers: they see every DNS query this host makes. Nothing
                                     # here configures DNSSEC validation or DoT; confirm resolver hardening elsewhere.
      - "135.181.207.105"            # dns01.eddns.eu
      - "89.58.62.53"                # dns02.eddns.de
      - "138.199.237.109"            # dns03.eddns.eu
    ipv4nameserver_fallback:
      - "176.9.93.198"               # dnsforge.de
      - "176.9.1.117"                # dnsforge.de
    ipv6address: "2a0a:aaaa:bbbb:cccc:192:168:128:128"   # Looks like a placeholder prefix; replace with the real address.
    ipv6netmask: "128"
    ipv6gateway: "fe80::1"
    ipv6nameserver:
      - "2a01:4f9:c012:a813:135:181:207:105"
      - "2a0a:4cc0:1:e6:89:58:62:53"
      - "2a01:4f8:c013:8011:138:199:237:109"
    ipv6nameserver_fallback:
      - "2a01:4f8:151:34aa::198"
      - "2a01:4f8:141:316d::117"
################################################################################################################################
# Security settings
################################################################################################################################
# Installer-side trust settings. Both MUST stay "false" for production images.
security:
  unauthenticated: false             # "false": only packages whose signatures verify against the trusted keyring are
                                     # installed. "true" would let unsigned / untrusted packages through.
  unauthenticated_ssl: false         # "false": downloads from the mirror must be encrypted and the server certificate must
                                     # chain to a trusted CA. "true" would disable certificate validation, so an on-path
                                     # attacker could serve arbitrary files to the installer.
################################################################################################################################
# Software installation
################################################################################################################################
# Packages installed into the target. Everything listed here ends up on the host, including the network and attack tooling
# in the "network" group below; review against the image's purpose.
software:
  ##############################################################################################################################
  # core software
  ##############################################################################################################################
  - apt-show-versions
  - apt-transport-https              # Transitional on bookworm (APT speaks HTTPS natively); harmless but presumably removable.
  - apt-utils
  - bash
  - bash-completion
  - bat
  - bind9-dnsutils
  - bc
  - ca-certificates                  # Trust store used for the HTTPS mirror (see 'security.unauthenticated_ssl').
  - coreutils
  - debconf
  - debconf-utils
  - dialog
  - efibootmgr
  - fzf
  - gawk
  - git
  - grub2
  - grub2-common
  - knot-dnssecutils
  - knot-dnsutils
  - libpam-google-authenticator      # TOTP PAM module; presumably what backs the '2fa' flags in the 'user' section.
  - libpam-pwquality                 # Password quality enforcement for TTY password logins.
  - locate
  - logrotate
  - lsb-release
  - nano
  - openssl
  - rsyslog
  - screen
  - shellcheck
  - software-properties-common
  - spectre-meltdown-checker
  - ssh                              # Meta-package: installs both the client and the server.
  - sudo
  - sysstat
  - tree
  #- unattended-upgrades             # Commented out although 'apt.updates.policy' is "unattended"; see the note there.
  - whois
  - zsh
  ## software dev
  #- build-essential
  #- clang
  #- debootstrap
  #- linux-source
  #- lld
  #- makedev
  #- ssl-cert
  ##############################################################################################################################
  # documentation
  ##############################################################################################################################
  - debian-kernel-handbook
  - linux-doc-6.12                   # Matches the backports kernel series mentioned under 'image'.
  - man-db
  ##############################################################################################################################
  # encryption
  ##############################################################################################################################
  - dirmngr
  - gnupg
  - haveged                          # Userspace entropy daemon; mostly redundant on recent kernels, but harmless.
  - pollinate                        # Seeds the RNG from a remote entropy server at boot (outbound network access).
  ##############################################################################################################################
  # files
  ##############################################################################################################################
  - curl
  - rsnapshot
  - rsync
  - unzip
  - wget
  - zip
  ##############################################################################################################################
  # malware detection
  ##############################################################################################################################
  - chkrootkit
  - clamav                           # Signature-based; freshclam needs outbound access for signature updates.
  - clamav-daemon
  - rkhunter
  ##############################################################################################################################
  # network
  ##############################################################################################################################
  - dhcpdump
  - dhcping
  - iftop
  - iproute2
  - iputils-ping
  - mtr
  - ncat                             # ncat, nmap and tshark are useful for triage but equally useful to an attacker who
  - net-tools                        # obtains a shell on this host; keep them only if the image's role needs them.
  - nmap
  - tshark
  - ufw
  ##############################################################################################################################
  # parser
  ##############################################################################################################################
  #- jq
  #- yq
  ##############################################################################################################################
  # partitioning
  ##############################################################################################################################
  - btrfs-progs
  - cryptsetup
  - cryptsetup-nuke-password         # Adds a "nuke" passphrase that wipes the LUKS key slots when entered at the boot
                                     # prompt. Operators must know it exists; anyone who learns it can render the
                                     # volume unrecoverable, so treat it with the same care as the real passphrase.
  - dmsetup
  - dosfstools
  - fdisk
  - gdisk
  - lvm2
  - mdadm
  - parted
  ##############################################################################################################################
  # password
  ##############################################################################################################################
  - keychain
  - makepasswd
  - pwgen
  - wamerican                        # Word lists used by pwquality / passphrase generation.
  - wbritish
  - wfrench
  - wngerman
  ##############################################################################################################################
  # security
  ##############################################################################################################################
  - fail2ban
  ##############################################################################################################################
  # tools
  ##############################################################################################################################
  - expect
  - figlet
  - htop
  - neofetch
  - neovim
  - python3
  - virt-what
################################################################################################################################
# Time settings
################################################################################################################################
# Germany : https://www.ptb.de/cms/ptb/fachabteilungen/abtq/gruppe-q4/ref-q42/zeitsynchronisation-von-rechnern-mit-hilfe-des-network-time-protocol-ntp.html
# Germany : ptbtime1.ptb.de ptbtime2.ptb.de ptbtime3.ptb.de
# Germany : https://www.rrze.fau.de/serverdienste/infrastruktur/zeitserver/
# Germany : ntp0.fau.de ntp3.fau.de
# Portugal : https://si.tecnico.ulisboa.pt/en/servicos/servidores-e-dados/ntp/
# Portugal : ntp1.tecnico.ulisboa.pt ntp2.tecnico.ulisboa.pt
# Sweden : https://www.netnod.se/swedish-distributed-time-service
# Sweden : nts.netnod.se
# Switzerland : https://www.metas.ch/metas/de/home/fabe/zeit-und-frequenz/time-dissemination.html
# Switzerland : ntp11.metas.ch ntp12.metas.ch ntp13.metas.ch
# USA : https://tf.nist.gov/tf-cgi/servers.cgi
# USA : time-a-g.nist.gov time-c-b.nist.gov utcnist3.colorado.edu
ntp:
  server:                            # Plain NTP is unauthenticated; a spoofed time source can undermine TOTP (2FA) and
                                     # certificate validity checks. None of the entries below is the NTS endpoint listed in
                                     # the references above (nts.netnod.se); whether NTS is used at all depends on the
                                     # installed client — TODO confirm.
    - "ntp.ripe.net"
    - "ptbtime3.ptb.de"
    - "ptbtime2.ptb.de"
    - "ptbtime1.ptb.de"
    - "ntp13.metas.ch"
    - "ntp2.tecnico.ulisboa.pt"
    - "time-c-b.nist.gov"
    - "sth1.ntp.se"
    - "ntp0.fau.de"
  timezone: "Europe/Lisbon"          # Any valid setting for $TZ; see '/usr/share/zoneinfo'. Keep in sync with 'locale.timezone'.
  utc: true                          # Whether the hardware clock is set to UTC.
################################################################################################################################
# User settings
################################################################################################################################
user:
  allow_policies: true               # Additional hardening of SSH connections via '/etc/hosts.allow'.
                                     # If "true", at least one 'bastion_ipv4' MUST be provided; 'allow_domain' entries are
                                     # optional. NOTE(review): confirm the installed sshd still honours '/etc/hosts.allow'
                                     # (upstream OpenSSH dropped libwrap support); otherwise enforce the source restriction
                                     # with ufw or an sshd 'Match Address' block as well.
  bastion_enable: false              # "true" if 'bastion_ipv4' / 'bastion_ipv6' are SSH bastion hosts;
                                     # "false" if they are jump servers and / or static VPN exit nodes.
  bastion_ipv4:                      # Bastion / jump-server / static VPN exit node IPv4 addresses. With 'allow_policies' and
                                     # 'dropbear_fw' both "true", a single entry is a single point of lock-out: lose this
                                     # address and neither sshd nor the initramfs unlock prompt is reachable remotely.
    - 202.61.246.50                  # (plain scalar, parses as a string; the 'network' section quotes its addresses)
  bastion_ipv6:                      # Bastion / jump-server / static VPN exit node IPv6 addresses.
    - 2a03:4000:53:f:abcd:9494:0:2
  allow_domain:                      # Bastion / jump-server / static VPN exit node domains.
    - vpn00.x448.eu
  dropbear_boot: true                # Dropbear initramfs integration (remote unlock of the encrypted root).
  dropbear_dhcp: true                # Whether '/etc/initramfs-tools/conf.d/ip' is configured via DHCP or statically.
  dropbear_fw: true                  # Additional hardening of the dropbear initramfs environment via firewall.
                                     # 'bastion_ipv4' MUST be provided.
  ssh_port: 42137                    # SSH port. With "dropbear_boot" = "true" the same port is used in the initramfs.
  ssh_rootca: "/.preseed/ssh_root_ca.pub"   # SSH user CA trusted for login: every key signed by it authenticates, so the
                                            # CA's private key needs at least the protection of a root credential.
  ##############################################################################################################################
  # root Superuser account (normally disabled for direct login)
  ##############################################################################################################################
  root:
    ensure: present                  # Must always be 'present'.
    protected: true                  # Prevent unintentional edits or deletions.
    shell: /bin/zsh                  # Login shell (e.g. '/bin/bash', '/bin/zsh'); '/usr/sbin/nologin' for non-interactive users.
    password: ""                     # NOTE(review): 'password_auth.tty' is "true" below — confirm the installer locks the
                                     # account for an empty value rather than setting an empty password.
    ssh_pubkeys:                     # Public SSH keys for authentication (confirm empty entries are dropped, not installed).
      - ""
    authentication:
      access:
        ssh: false                   # Allow SSH access.
        tty: true                    # Allow TTY (local console) login.
      password_auth:
        ssh: false                   # Allow SSH password login.
        tty: true                    # Allow TTY (local console) password login.
      2fa:
        ssh: false                   # Require 2FA for SSH access.
        tty: true                    # Require 2FA for TTY (local console) login.
    privileges:
      description: "Root user with full system access and administrative privileges."
      sudo: false                    # Whether the user can escalate to root using sudo.
      system_user: false             # Whether this is a low-UID system user (e.g. for automation).
      restricted: false              # If true, the user is limited in scope (e.g. no login, no file access).
      shell_access: true             # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
  ##############################################################################################################################
  # Primary administrative user with full sudo access
  ##############################################################################################################################
  user0:
    ensure: present                  # "present" = create user; "absent" = remove user.
    protected: true                  # Prevent unintentional edits or deletions.
    name: "msw"                      # The name of the user account.
    fullname: "msw"                  # The full name of the user account holder.
    uid: 1000                        # Ensures that the same user has the same UID on all systems.
    gid: 1000                        # Ensures that the same user has the same GID on all systems.
    shell: /bin/zsh                  # Login shell (e.g. '/bin/bash', '/bin/zsh'); '/usr/sbin/nologin' for non-interactive users.
    password: ""                     # See the note on 'root.password': TTY password login is enabled for this account.
    ssh_pubkeys:                     # Public SSH keys for authentication. SSH password login is off and 2FA is on, so with
      - ""                           # no key here the account has no working SSH login until a key is supplied.
    authentication:
      access:
        ssh: true                    # Allow SSH access.
        tty: true                    # Allow TTY (local console) login.
      password_auth:
        ssh: false                   # Allow SSH password login.
        tty: true                    # Allow TTY (local console) password login.
      2fa:
        ssh: true                    # Require 2FA for SSH access.
        tty: true                    # Require 2FA for TTY (local console) login.
    privileges:
      description: "Primary admin user with full sudo access and interactive login."
      sudo: true                     # Whether the user can escalate to root using sudo.
      system_user: false             # Whether this is a low-UID system user (e.g. for automation).
      restricted: false              # If true, the user is limited in scope (e.g. no login, no file access).
      shell_access: true             # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
  ##############################################################################################################################
  # ansible System user for automation, no interactive shell
  ##############################################################################################################################
  user1:
    ensure: present                  # "present" = create user; "absent" = remove user.
    protected: true                  # Prevent unintentional edits or deletions.
    name: "ansible"                  # The name of the user account.
    fullname: "ansible"              # The full name of the user account holder.
    uid: 137                         # Ensures that the same user has the same UID on all systems.
    gid: 137                         # Ensures that the same user has the same GID on all systems.
    shell: /usr/sbin/nologin         # Login shell (e.g. '/bin/bash', '/bin/zsh'); '/usr/sbin/nologin' for non-interactive users.
    password: ""                     # No password set for the ansible user.
    ssh_pubkeys:                     # Public SSH keys for authentication: the only credential this account can use.
      - ""
    authentication:
      access:
        ssh: true                    # Allow SSH access. NOTE(review): contradicts 'restricted: true' ("no login") below.
        tty: false                   # Allow TTY (local console) login.
      password_auth:
        ssh: false                   # Allow SSH password login.
        tty: false                   # Allow TTY (local console) password login.
      2fa:
        ssh: false                   # Require 2FA for SSH access (off: automation cannot answer a TOTP prompt).
        tty: false                   # Require 2FA for TTY (local console) login.
    privileges:
      description: "Automation user without interactive shell and no sudo."
      sudo: true                     # NOTE(review): 'description' says "no sudo" but this grants it. One of the two is
                                     # wrong; a key-only account with sudo is effectively root, so decide deliberately
                                     # and, if sudo stays, scope it in sudoers rather than granting full escalation.
      system_user: true              # Whether this is a low-UID system user (e.g. for automation).
      restricted: true               # If true, the user is limited in scope (e.g. no login, no file access).
      shell_access: false            # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml