msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.02.512.2025.05.30

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-05-30 00:28:39 +02:00
parent 2680012395
commit b2282d3475
172 changed files with 14057 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
config/includes.chroot/preseed/.cfg/.directories.cfg Normal file
View File

@@ -0,0 +1,32 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
/target
/target/boot
/target/boot/efi
/target/etc
/target/etc/apt
/target/etc/network
/target/dev
/target/dev/pts
/target/home
/target/proc
/target/root
/target/run
/target/run/lock
/target/sys
/target/usr
/target/var
/target/var/log
/target/var/log/audit
/target/var/log/ciss
/target/var/tmp
/target/tmp
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

78
config/includes.chroot/preseed/.cfg/apt.cfg Normal file
View File

@@ -0,0 +1,78 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# apt settings #
###########################################################################################
# Choose, if you want to scan additional installation media (default: false):
d-i apt-setup/cdrom/set-first boolean false
# By default source repositories are listed in /etc/apt/sources.list:
d-i apt-setup/enable-source-repositories boolean true
# A network mirror can be used to supplement the software that is not included on the
# installation media. This may also make newer versions of software available:
d-i apt-setup/use_mirror boolean true
# Uncomment the following line, if you don't want to have the sources.list entry for a
# DVD/BD installation image active in the installed system:
d-i apt-setup/disable-cdrom-entries boolean true
# You can choose to install non-free firmware:
d-i apt-setup/non-free-firmware boolean true
# You can choose to install non-free and contrib software:
d-i apt-setup/non-free boolean true
d-i apt-setup/contrib boolean true
# Debian has two services that provide updates to releases:
#
# security and release updates.
# .
# Security updates help to keep your system secured against attacks.
# Enabling this service is strongly recommended.
# .
# Release updates provide more current versions for software that changes relatively
# frequently and where not having the latest version could reduce the usability of the
# software. It also provides regression fixes. This service is only available for stable
# and oldstable releases.
# .
# Backported software are adapted from the development version to work with this release.
# Although this software has not gone through such complete testing as that contained in
# the release, it includes newer versions of some applications which may provide useful
# features. Enabling backports here does not cause any of them to be installed by default;
# it only allows you to manually select backports to use.
# https://preseed.debian.net/debian-preseed/bookworm/amd64-main-full.txt
d-i apt-setup/services-select multiselect security updates, release updates, backported software
# Different spelling:
# d-i apt-setup/services-select multiselect security, updates, backports
d-i apt-setup/security_host string security.debian.org
# Whether to upgrade packages after debootstrap. Allowed values: none, safe-upgrade, full-upgrade
d-i pkgsel/upgrade select full-upgrade
# Applying updates on a frequent basis is an important part of keeping the system secure.
#
# .
# By default, security updates are not automatically installed, as security advisories should be
# reviewed before manual installation of the updates using standard package management tools.
# .
# Alternatively the unattended-upgrades package can be installed, which will install security
# updates automatically. Note however that automatic installation of updates may occasionally
# cause unexpected downtime of services provided by this machine in the rare cases where the
# update is not fully backward-compatible, or where the security advisory requires the
# administrator to perform some other manual operation.
# .
# Possible choices: No automatic updates, Install security updates automatically
d-i pkgsel/update-policy select Install security updates automatically
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

24
config/includes.chroot/preseed/.cfg/base.cfg Normal file
View File

@@ -0,0 +1,24 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Base installer #
###########################################################################################
# Configure APT to not install recommended packages by default. Use of this option can
# result in an incomplete system and should only be used by very experienced users:
d-i base-installer/install-recommends boolean true
# The kernel image to be installed; "none" can be used if no kernel is to be installed:
d-i base-installer/kernel/image string linux-image-amd64
# Choose to not get the tasksel dialog displayed at all (and don't install any packages):
d-i pkgsel/run_tasksel boolean false
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

26
config/includes.chroot/preseed/.cfg/finished.cfg Normal file
View File

@@ -0,0 +1,26 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Finishing installation #
###########################################################################################
# Avoid that last message about the install being complete:
d-i finish-install/reboot_in_progress note
# This will prevent the installer from ejecting the CD during the reboot:
d-i cdrom-detect/eject boolean true
# This is how to make the installer shutdown when finished, but not reboot:
d-i debian-installer/exit/halt boolean false
# This will power off the machine instead of just halting it:
d-i debian-installer/exit/poweroff boolean true
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

19
config/includes.chroot/preseed/.cfg/firmware.cfg Normal file
View File

@@ -0,0 +1,19 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Firmware settings #
###########################################################################################
# never : Completely disables the firmware search.
# missing (default) : Searches only when the firmware is needed.
# always : Always searches and asks for any firmware that could be useful for the hardware.
d-i hw-detect/firmware-lookup string missing
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

62
config/includes.chroot/preseed/.cfg/grub.cfg Normal file
View File

@@ -0,0 +1,62 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# GRUB2 settings #
###########################################################################################
# Due notably to potential USB sticks, the location of the primary drive can not be
# determined safely in general, so this needs to be specified:
d-i grub-installer/bootdev string /dev/sda
# To install to the primary device (assuming it is not a USB stick):
# d-i grub-installer/bootdev string default
# Set this to false to install GRUB Legacy rather than GRUB 2, if possible:
d-i grub-installer/grub2_instead_of_grub_legacy boolean true
# This is fairly safe to set, it makes grub install automatically to the UEFI partition/boot
# record if no other operating system is detected on the machine:
d-i grub-installer/only_debian boolean true
# This one makes grub-installer install to the UEFI partition/boot record, if it also finds
# some other OS, which is less safe as it might not be able to boot that other OS:
d-i grub-installer/with_other_os boolean true
# OS-prober did not detect any other operating systems on your computer at this time, but you
# may still wish to enable it in case you install more in the future:
d-i grub-installer/enable_os_prober_otheros_no boolean true
# Skip installing grub:
d-i grub-installer/skip boolean false
# Force GRUB installation to the EFI removable media path?
# .
# It seems that this computer is configured to boot via EFI, but maybe that configuration will
# not work for booting from the hard drive. Some EFI firmware implementations do not meet the
# EFI specification (i.e. they are buggy!) and do not support proper configuration of boot
# options from system hard drives.
# .
# A workaround for this problem is to install an extra copy of the EFI version of the GRUB
# boot loader to a fallback location, the "removable media path". Almost all EFI systems, no
# matter how buggy, will boot GRUB that way.
# .
# Warning: If the installer failed to detect another operating system that is present on your
# computer that also depends on this fallback, installing GRUB there will make that operating
# system temporarily unbootable. GRUB can be manually configured later to boot it if necessary.
d-i grub-installer/force-efi-extra-removable boolean false
# Description: Update NVRAM variables to automatically boot into Debian?
# .
# GRUB can configure your platform's NVRAM variables so that it boots into Debian automatically
# when powered on. However, you may prefer to disable this behavior and avoid changes to your
# boot configuration. For example, if your NVRAM variables have been set up such that your
# system contacts a PXE server on every boot, this would preserve that behavior.
d-i grub-installer/update-nvram boolean true
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

25
config/includes.chroot/preseed/.cfg/locale.cfg Normal file
View File

@@ -0,0 +1,25 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Locale settings #
###########################################################################################
# Preseeding only locale sets language, country and locale:
# d-i debian-installer/locale string en_US
# The values can also be preseeded individually for greater flexibility:
# d-i debian-installer/language string en
# d-i debian-installer/country string NL
# d-i debian-installer/locale string en_GB.UTF-8
d-i debian-installer/locale string en_US.UTF-8
d-i keyboard-configuration/layoutcode string de
d-i keyboard-configuration/xkb-keymap select German
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

15
config/includes.chroot/preseed/.cfg/md5sum.txt Normal file
View File

@@ -0,0 +1,15 @@
336de475a23be401db656485fe2134e5 apt.cfg
9b2768bf48aada9e1fc33cfe94571826 base.cfg
95c0feba9a9ed2a1f3d86cc2bf1910f8 finished.cfg
bccbc23588d19b3057e4b4915b03538b firmware.cfg
d80da843499d8d797703b8aef2bf28d5 grub.cfg
e876c113af0630f113811e5bade71b06 locale.cfg
2b85692b087100a0535fe8711cdbcb63 modules.cfg
1c0c74ed939c34d620bde9b8f1a91a1c network.cfg
da7738a8db3d4e2c220bf3f5b3e50dcb packages.cfg
5dff498042e3d095a792951ba1bd9d2f partitioning.cfg
7f71ea76c629c4e4f0ab2f9a6c8b28ea security.cfg
8e6b49c07d678060b661f7dd2fad6f39 software.cfg
f526221c741e4e2c5090f2ff60e53d62 ssh.cfg
1ffc41f4c70be83fd6524262494bdf11 time.cfg
67b9d1aa4bb4a4b8610ca42fa45521cf user.cfg

39
config/includes.chroot/preseed/.cfg/modules.cfg Normal file
View File

@@ -0,0 +1,39 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Modules #
###########################################################################################
# Install standard modules:
d-i anna/standard_modules boolean true
d-i anna/choose_modules string \
crypto-dm-modules \
crypto-dm-setup-udeb \
ethdetect \
fdisk-udeb \
grub-installer \
hw-detect \
lowmem \
lvm2 \
mbr \
netcfg \
network-console \
parted \
partman-auto \
partman-auto-crypto \
partman-basicfilesystems \
partman-btrfs \
partman-crypto \
partman-ext4 \
partman-lvm \
partman-md \
rescue-mode
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

56
config/includes.chroot/preseed/.cfg/network.cfg Normal file
View File

@@ -0,0 +1,56 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Network setting #
###########################################################################################
# netcfg will choose an interface that has link if possible. This makes it # skip
# displaying a list if there is more than one interface:
d-i netcfg/choose_interface select auto
# To pick a particular interface instead:
# d-i netcfg/choose_interface select eth1
# To set a different link detection timeout (default is 3 seconds).
d-i netcfg/link_wait_timeout string 10
# If dhcp server is slow and the installer times out waiting for it, this might be useful.
d-i netcfg/dhcp_timeout string 60
d-i netcfg/dhcpv6_timeout string 60
###########################################################################################
# Automatic network configuration is the default. If you prefer to configure the network #
# manually, uncomment this line and the static network configuration below. #
###########################################################################################
# d-i netcfg/disable_autoconfig boolean true
###########################################################################################
# If you want the preconfiguration file to work on systems both with and without a dhcp #
# server, uncomment these lines and the static network configuration below. #
###########################################################################################
d-i netcfg/dhcp_failed note
d-i netcfg/dhcp_options select Configure network manually
###########################################################################################
# Static network configuration. #
###########################################################################################
# d-i netcfg/get_nameservers string 192.168.128.254
# d-i netcfg/get_ipaddress string 192.168.128.128
# d-i netcfg/get_netmask string 255.255.255.0
# d-i netcfg/get_gateway string 192.168.128.254
# d-i netcfg/confirm_static boolean true
###########################################################################################
# If non-free firmware is needed for the network or other hardware, you can configure the #
# installer to always try to load it, without prompting. Or change to false to disable #
# asking. #
###########################################################################################
d-i hw-detect/load_firmware boolean true
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

44
config/includes.chroot/preseed/.cfg/packages.cfg Normal file
View File

@@ -0,0 +1,44 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Deb packages settings #
###########################################################################################
# Please select the protocol to be used for downloading files. If unsure, select "http":
d-i mirror/protocol string https
# Country code or "manual":
d-i mirror/country string US
# Suite to install:
d-i mirror/suite string stable
# Suite to use for loading installer components (optional):
d-i mirror/udeb/suite string stable
# Debian archive mirror hostname. Please enter the hostname of the mirror from which
# Debian will be downloaded. An alternate port can be specified using the standard
# [hostname]:[port] format:
d-i mirror/http/hostname string deb.debian.org
# Debian archive mirror directory. Please enter the directory in which the mirror of
# the Debian archive is located:
d-i mirror/http/directory string /debian/
# HTTP proxy information (blank for none). If you need to use a HTTP proxy to access the
# outside world, enter the proxy information here. Otherwise, leave this blank. The proxy
# information should be given in the standard form of "http://[[user][:pass]@]host[:port]/".
d-i mirror/http/proxy string
# Debian archive mirror country. The goal is to find a mirror of the Debian archive that
# is close to you on the network -- be aware that nearby countries, or even your own, may
# not be the best choice.
d-i mirror/https/countries select US
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

360
config/includes.chroot/preseed/.cfg/partitioning.cfg Normal file
View File

@@ -0,0 +1,360 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Partitioning CISS.partitioning #
###########################################################################################
# If the system has free space you can choose to only partition that space. This is only
# honoured if partman-auto/method is NOT set. Alternatively, choose 'use_entire_disk':
# d-i partman-auto/init_automatically_partition select biggest_free
# Alternatively, you may specify a disk to partition.
###d-i partman-auto/disk string /dev/sda
# In addition, you'll need to specify the method to use. Presently available methods are:
# - regular : use the usual partition types for your architecture
# - lvm : use LVM to partition the disk
# - crypto : use LVM within an encrypted partition
###d-i partman-auto/method string crypto
# When disk encryption is enabled, skip wiping the partitions beforehand:
###d-i partman-auto-crypto/erase_disks boolean false
# You can define the amount of space that will be used for the LVM volume group. It can
# either be a size with its unit (eg. 20 GB), a percentage of free space or 'max' keyword:
###d-i partman-auto-lvm/guided_size string max
# Name of the volume group for the new system:
###d-i partman-auto-lvm/new_vg_name string vg_ciss
# Force UEFI booting ('BIOS compatibility' will be lost). Default: false:
###d-i partman-efi/non_efi_system boolean false
# If one of the disks that are going to be automatically partitioned contains an old LVM
# configuration, the user will normally receive a warning. This can be preseeded away:
###d-i partman-lvm/device_remove_lvm boolean true
# The same applies to pre-existing software RAID array:
###d-i partman-md/device_remove_md boolean true
# And the same goes for the confirmation to write the lvm partitions:
###d-i partman-lvm/confirm boolean true
###d-i partman-lvm/confirm_nooverwrite boolean true
###########################################################################################
# This makes partman automatically partition without confirmation, provided that it was #
# told what to do using one of the methods specified. #
###########################################################################################
# The following debconfvariables are often important for the basic configuration and for #
# mounting after manual partitioning. These ensure that the installer does not attempt to #
# make changes or overwrite already mounted partitions. They help to 'switch off' the #
# installer when it tries to apply partitioning automatically. #
###########################################################################################
# Confirm whether you actually want to create a new partition table and write it to disk:
###d-i partman-partitioning/confirm_write_new_label boolean true
###d-i partman/choose_partition select finish
###d-i partman/confirm boolean true
###d-i partman/confirm_nooverwrite boolean true
# Ensure the partition table is GPT - this is required for EFI:
###d-i partman-partitioning/choose_label select gpt
###d-i partman-partitioning/default_label string gpt
# This setting ensures that partitions without a mount point do not trigger a warning dialogue.
###d-i partman-basicfilesystems/no_mount_point boolean true
# This setting tells the Debian installer not to issue a warning if no swap partition is set up.
###d-i partman-basicfilesystems/no_swap boolean true
# Encryption settings
# d-i partman-crypto/passphrase password < set by ./preseed/.ash/0_di_preseed_include_command.sh >
# d-i partman-crypto/passphrase-again password < set by ./preseed/.ash/0_di_preseed_include_command.sh >
###d-i partman-crypto/passphrase password DEFAULT
###d-i partman-crypto/passphrase-again password DEFAULT
###d-i partman-crypto/weak_passphrase boolean true
# https://preseed.debian.net/debian-preseed/bookworm/amd64-main-full.txt
###d-i partman-crypto/entropy entropy 256
# debconf-set-selections -c ./preseed/.cfg/partitioning.cfg: "warning: Unknown type entropy, skipping line" therefore as string:
###d-i partman-crypto/entropy string 256
# Are you sure you want to use a random key?
###d-i partman-crypto/use_random_for_nonswap boolean false
###########################################################################################
# This command is run immediately before the partitioner starts. It may be useful to #
# apply dynamic partitioner preseeding that depends on the state of the disks (which may #
# not be visible when preseed/early_command runs). #
###########################################################################################
# d-i partman/early_command string /sh /.ciss/install/.ash/2_di_partman_early_command.sh
###d-i partman-auto/expert_recipe string \
\
511MiB 511MiB 511MiB EFS \
label{ ESP } \
$defaultignore{ } \
$primary{ } \
$bootable{ } \
method{ efi } \
format{ } \
use_filesystem{ } \
filesystem{ EFS } \
device{ /dev/sda } \
mountpoint{ /boot } \
. \
rescue :: \
3584MiB 3584MiB 3584MiB ext4 \
label{ rescue } \
$defaultignore{ } \
$primary{ } \
method{ format } \
format{ } \
use_filesystem{ } \
filesystem{ ext4 } \
device{ /dev/sda } \
mountpoint{ /mnt/rescue } \
. \
crypt_boot :: \
4096MiB 4096MiB 4096MiB ext4 \
label{ boot } \
$defaultignore{ } \
$primary{ } \
method{ format } \
format{ } \
use_filesystem{ } \
filesystem{ ext4 } \
device{ /dev/sda } \
mountpoint{ /boot } \
. \
crypt_ephemeral_swap :: \
4096MiB 4096MiB 4096MiB none \
label{ crypt_swap } \
$defaultignore{ } \
$primary{ } \
method{ keep } \
device{ /dev/sda } \
. \
crypt_ephemeral_tmp :: \
4096MiB 4096MiB 4096MiB none \
label{ crypt_tmp } \
$defaultignore{ } \
$primary{ } \
method{ keep } \
device{ /dev/sda } \
. \
crypt_home :: \
32768MiB 32768MiB 32768MiB crypto \
$primary{ } \
method{ crypto } \
format{ } \
use_filesystem{ } \
filesystem{ btrfs } \
label{ btrfs_home } \
options/subvol{ @snapshots } \
device{ /dev/sda } \
mountpoint{ /home } \
. \
crypt_root :: \
32768MiB 32768MiB 32768MiB crypto \
$primary{ } \
method{ crypto } \
format{ } \
use_filesystem{ } \
filesystem{ btrfs } \
label{ btrfs_root } \
options/subvol{ @snapshots } \
device{ /dev/sda } \
mountpoint{ / } \
. \
crypt_usr :: \
40960MiB 40960MiB 40960MiB crypto \
$primary{ } \
method{ crypto } \
format{ } \
use_filesystem{ } \
filesystem{ btrfs } \
label{ btrfs_usr } \
options/subvol{ @snapshots } \
device{ /dev/sda } \
mountpoint{ /usr } \
. \
crypt_var :: \
40960MiB 40960MiB 40960MiB crypto \
$primary{ } \
method{ crypto } \
format{ } \
use_filesystem{ } \
filesystem{ btrfs } \
label{ btrfs_var } \
options/subvol{ @snapshots } \
device{ /dev/sda } \
mountpoint{ /var } \
. \
crypt_var_log :: \
16384MiB 16384MiB 16384MiB crypto \
$primary{ } \
method{ crypto } \
format{ } \
use_filesystem{ } \
filesystem{ btrfs } \
label{ btrfs_var_log } \
options/subvol{ @snapshots } \
device{ /dev/sda } \
mountpoint{ /var/log } \
. \
crypt_var_log_audit :: \
16384MiB 16384MiB 16384MiB crypto \
$primary{ } \
method{ crypto } \
format{ } \
use_filesystem{ } \
filesystem{ btrfs } \
label{ btrfs_var_log_audit } \
options/subvol{ @snapshots } \
device{ /dev/sda } \
mountpoint{ /var/log/audit } \
. \
crypt_var_tmp :: \
16384MiB 16384MiB 16384MiB crypto \
$primary{ } \
method{ crypto } \
format{ } \
use_filesystem{ } \
filesystem{ btrfs } \
label{ btrfs_var_tmp } \
options/subvol{ @snapshots } \
device{ /dev/sda } \
mountpoint{ /var/tmp } \
. \
installer_tmp :: \
1024MiB 16384MiB -1 ext4 \
$defaultignore{ } \
$primary{ } \
method{ format } \
format{ } \
use_filesystem{ } \
filesystem{ ext4 } \
mountpoint{ /tmp } \
device{ /dev/sda } \
label{ installer_tmp } \
.
###########################################################################################
#d-i partman-auto/choose_recipe select ciss-2025-btrfs-ultra
#d-i partman-auto/expert_recipe string \
ciss-2025-btrfs-ultra :: \
ESP : \
511 511 511 free \
$defaultignore{ } \
$primary{ } \
$bootable{ } \
method{ efi } format{ } \
label{ ESP } \
. \
boot : \
3584 3584 3584 ext4 \
$defaultignore{ } \
$primary{ } \
method{ format } format{ } \
use_filesystem{ } filesystem{ ext4 } \
mountpoint{ /boot } \
label{ boot } \
. \
crypt_ephemeral_swap : \
4096 4096 4096 none \
$defaultignore{ } \
$primary{ } \
method{ keep } \
label{ crypt_sda3 } \
. \
crypt_ephemeral_tmp : \
4096 4096 4096 none \
$defaultignore{ } \
$primary{ } \
method{ keep } \
label{ crypt_sda4 } \
. \
lv_home : \
32768 32768 32768 btrfs \
$lvmok{ } \
lv_name{ lv_home } \
method{ format } format{ } \
use_filesystem{ } filesystem{ btrfs } \
label{ btrfs_home } \
options/subvol{ @snapshots } \
mountpoint{ /home } \
. \
lv_root : \
32768 32768 32768 btrfs \
$lvmok{ } \
lv_name{ lv_root } \
method{ format } format{ } \
use_filesystem{ } filesystem{ btrfs } \
label{ btrfs_root } \
options/subvol{ @snapshots } \
mountpoint{ / } \
. \
lv_usr : \
65536 65536 65536 btrfs \
$lvmok{ } } \
lv_name{ lv_usr } \
method{ format } format{ } \
use_filesystem{ } filesystem{ btrfs } \
label{ btrfs_usr } \
options/subvol{ @snapshots } \
mountpoint{ /usr } \
. \
lv_var : \
65536 65536 65536 btrfs \
$lvmok{ } \
lv_name{ lv_var } \
method{ format } format{ } \
use_filesystem{ } filesystem{ btrfs } \
label{ btrfs_var } \
options/subvol{ @snapshots } \
mountpoint{ /var } \
. \
lv_var_log : \
16384 16384 16384 btrfs \
$lvmok{ } \
lv_name{ lv_var_log } \
method{ format } format{ } \
use_filesystem{ } filesystem{ btrfs } \
label{ btrfs_var_log } \
options/subvol{ @snapshots } \
mountpoint{ /var/log } \
. \
lv_var_log_audit : \
16384 16384 16384 \
$lvmok{ } \
lv_name{ lv_var_log_audit } \
method{ format } format{ } \
use_filesystem{ } filesystem{ btrfs } \
label{ btrfs_var_log_audit } \
options/subvol{ @snapshots } \
mountpoint{ /var/log/audit } \
. \
lv_var_tmp : \
1 16384 -1 \
$lvmok{ } \
lv_name{ lv_var_tmp } \
method{ format } format{ } \
use_filesystem{ } filesystem{ btrfs } \
label{ btrfs_var_tmp } \
options/subvol{ @snapshots } \
mountpoint{ /var/tmp } \
. \
rescue : \
1024 8192 -1 \
$defaultignore{ } \
$primary{ } \
method{ format } format{ } \
use_filesystem{ } filesystem{ ext4 } \
mountpoint{ /tmp } \
label{ rescue } \
.
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

21
config/includes.chroot/preseed/.cfg/security.cfg Normal file
View File

@@ -0,0 +1,21 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Security settings #
###########################################################################################
# The installer will ensure that any packages are signed and authenticated.
d-i debian-installer/allow_unauthenticated boolean false
# This ensures that the connection between the installer and the server from which files
# are downloaded is encrypted and signed by a trusted certificate authority.
d-i debian-installer/allow_unauthenticated_ssl boolean false
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

59
config/includes.chroot/preseed/.cfg/software.cfg Normal file
View File

@@ -0,0 +1,59 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Software installation #
###########################################################################################
d-i pkgsel/include string \
apt-show-versions \
apt-transport-https \
apt-utils \
bat \
bc \
ca-certificates \
curl \
debconf \
debconf-utils \
dialog \
expect \
figlet \
fzf \
gawk \
git \
gnupg2 \
haveged \
htop \
iftop \
iputils-ping \
jq \
keychain \
libpam-google-authenticator \
libpam-pwquality \
locate \
lsb-release \
lvm2 \
makepasswd \
man \
mtr \
nano \
ncat \
neofetch \
net-tools \
parted \
pollinate \
pwgen \
openssh-server \
unzip \
virt-what \
whois \
wget \
zip
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

22
config/includes.chroot/preseed/.cfg/ssh.cfg Normal file
View File

@@ -0,0 +1,22 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# SSH settings #
###########################################################################################
# Use the following settings if you wish to make use of the network-console component for #
# remote installation over SSH. This only makes sense if you intend to perform the #
# remainder of the installation manually. #
###########################################################################################
d-i network-console/authorized_keys_url string https : //coresecret.eu/download/developer/2024_rsa4096_developer_root.pub.key
# d-i network-console/password password < never ever use plain hardcoded credentials >
# d-i network-console/password-again password < never ever use plain hardcoded credentials >
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

33
config/includes.chroot/preseed/.cfg/time.cfg Normal file
View File

@@ -0,0 +1,33 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Time settings #
###########################################################################################
# Germany : https://www.ptb.de/cms/ptb/fachabteilungen/abtq/gruppe-q4/ref-q42/zeitsynchronisation-von-rechnern-mit-hilfe-des-network-time-protocol-ntp.html
# Germany : ptbtime1.ptb.de ptbtime2.ptb.de ptbtime3.ptb.de
# Portugal : https://si.tecnico.ulisboa.pt/en/servicos/servidores-e-dados/ntp/
# Portugal : ntp1.tecnico.ulisboa.pt ntp2.tecnico.ulisboa.pt
# Switzerland : https://www.metas.ch/metas/de/home/fabe/zeit-und-frequenz/time-dissemination.html
# Switzerland : ntp11.metas.ch ntp12.metas.ch ntp13.metas.ch
# USA : https://tf.nist.gov/tf-cgi/servers.cgi
# USA : time-a-g.nist.gov time-c-b.nist.gov utcnist3.colorado.edu
d-i clock-setup/ntp-server string ntp.ripe.net ptbtime3.ptb.de ptbtime2.ptb.de ntp12.metas.ch ntp2.tecnico.ulisboa.pt time-c-b.nist.gov
# Controls whether or not the hardware clock is set to UTC:
d-i clock-setup/utc boolean true
# Any valid setting for $TZ; see the contents of /usr/share/zoneinfo/ for valid values:
d-i time/zone string Europe/Lisbon
# Controls whether to use NTP to set the clock during the install:
d-i clock-setup/ntp boolean true
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

30
config/includes.chroot/preseed/.cfg/user.cfg Normal file
View File

@@ -0,0 +1,30 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# User settings #
###########################################################################################
# Skip creation of a root account (normal user account will be able to use sudo):
d-i passwd/root-login boolean true
d-i passwd/root-password-crypted password $6$rounds = 4194304$4QhOp0Tdthmfky4f$1fRa/D45can2j0ttQDRoK9x8ovBFCftxn0hvyyU3.BlRRafsgs48wpikr1XODyhmgUySZHqXF3zeQeBZNYTul0
# Alternatively, to skip creation of a normal user account:
d-i passwd/make-user boolean false
# To create a normal user account:
d-i passwd/user-fullname string Debian User
d-i passwd/username string debian
d-i passwd/user-password-crypted password $6$rounds=8388608$bwnJ5ZlnOmYxFE21$LDJ4QBBmoob3pAu5JL4e4RkCt5qFnS2ZFIOm9bOEuADCcsLfOagGmkmh7Lj8OtqdgGSLg8TMXDbizLaZx.hiS1
###########################################################################################
# SALT=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16) #
# mkpasswd --method=sha-512 --salt="${SALT}" --rounds=8388608 # which seems p4ranoid #
###########################################################################################
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh