|
@@ -1,284 +0,0 @@
|
|
|
-#!/bin/bash -e
|
|
|
-#----------
|
|
|
-# Interactive installation steps for Debian Bullseye from GRML using debootstrap
|
|
|
-
|
|
|
-# Design decisions
|
|
|
-# - Fokus on a simple setup, primarly for VMs
|
|
|
-# - One disk, one partion, swap-file in the same partion as safety net
|
|
|
-# - Use systemd whereever possible (network, ntp, cron, journald logging)
|
|
|
-# - Minimal number of packages & cloud kernel
|
|
|
-# - grub-pc, not efi
|
|
|
-# - random root and admin user password generation
|
|
|
-# - ssh on port 50101 limited to the admin user
|
|
|
-
|
|
|
-# Usage
|
|
|
-# Boot grml and clone repo
|
|
|
-# cp config.sh.template config.sh # copy template
|
|
|
-# vi config.sh # update installation variables
|
|
|
-# bootstrap-bookworm.sh install # start installation
|
|
|
-# !! Note down the admin passwords and reboot
|
|
|
-# sudo /installer/bootstrap-bookworm.sh postinstall # run postinstall in the new system
|
|
|
-
|
|
|
-# Variables
|
|
|
-mnt="/mnt/root" # mountpoint for the new root filesystem
|
|
|
-hostname="somehost.example.com"
|
|
|
-disk="/dev/vda" # lsblk --list
|
|
|
-disk1=$disk"1"
|
|
|
-netDev="eth0" # ip link
|
|
|
-netAddress="203.0.113.66/24"
|
|
|
-netGateway="203.0.113.1"
|
|
|
-netBroadcast="203.0.113.255"
|
|
|
-netDNS1="192.0.2.10"
|
|
|
-netDNS2="198.51.100.10"
|
|
|
-netNTP="pool.ntp.org"
|
|
|
-
|
|
|
-[ -f ./config.sh ] && source config.sh
|
|
|
-
|
|
|
-
|
|
|
-# Setup network in grml
|
|
|
-grmlnetwork(){
|
|
|
-ip link show # list interfaces
|
|
|
-ip addr add $netAddress dev $netDev
|
|
|
-ip link set $netDev up
|
|
|
-ip route add default via $netGateway
|
|
|
-echo nameserver $netDNS1 >> /etc/resolv.conf
|
|
|
-echo nameserver $netDNS2 >> /etc/resolv.conf
|
|
|
-}
|
|
|
-
|
|
|
-install(){
|
|
|
-#----------
|
|
|
-# Prepare disks
|
|
|
-# Parition disks -- pkg: parted
|
|
|
-parted $disk -s \
|
|
|
-mklabel msdos \
|
|
|
-mkpart primary ext4 512M 100% toggle 1 boot
|
|
|
-fdisk -l $disk
|
|
|
-
|
|
|
-# Format disks -- pkg: e2fsprogs dosfstools and to file system check
|
|
|
-mkfs.ext4 $disk1 && e2fsck $disk1
|
|
|
-
|
|
|
-# Prepare mount points and mount
|
|
|
-mkdir -p $mnt
|
|
|
-mount $disk1 $mnt
|
|
|
-
|
|
|
-# Create swapfile
|
|
|
-swapfile=$mnt/swapfile
|
|
|
-dd if=/dev/zero of=$swapfile bs=1M count=1024 status=progress # create 1GB file
|
|
|
-chmod 600 $swapfile #restric permissions
|
|
|
-mkswap $swapfile #format file
|
|
|
-
|
|
|
-#----------
|
|
|
-# Bootstrap -- pkg: debootstrap
|
|
|
-# Remark: Debootstrap does not install recommands!!
|
|
|
-#debootstrap --variant=minbase --arch=amd64 bookworm $mnt http://ftp2.de.debian.org/debian/
|
|
|
-tar xfzv root.tar.gz --strip-components=1 --directory /mnt/root
|
|
|
-
|
|
|
-#----------
|
|
|
-# Configuration
|
|
|
-# Configure disk mounts
|
|
|
-# Or get UUID from blkid...
|
|
|
-cat >$mnt/etc/fstab <<EOL
|
|
|
-$disk1 / ext4 rw 0 0
|
|
|
-/swapfile none swap defaults 0 0
|
|
|
-EOL
|
|
|
-
|
|
|
-# Configure sources.list
|
|
|
-cat >$mnt/etc/apt/sources.list <<EOL
|
|
|
-deb [arch=amd64] http://ftp.de.debian.org/debian/ testing main contrib non-free
|
|
|
-deb-src [arch=amd64] http://ftp.de.debian.org/debian/ testing main contrib non-free
|
|
|
-deb [arch=amd64] http://ftp.de.debian.org/debian/ testing-updates main contrib non-free
|
|
|
-deb-src [arch=amd64] http://ftp.de.debian.org/debian/ testing-updates main contrib non-free
|
|
|
-deb [arch=amd64] http://security.debian.org/ testing/updates main contrib non-free
|
|
|
-deb-src [arch=amd64] http://security.debian.org/ testing/updates main contrib non-free
|
|
|
-EOL
|
|
|
-
|
|
|
-# Configure hostname
|
|
|
-echo "127.0.0.1 $hostname" >> $mnt/etc/hosts
|
|
|
-echo "$hostname" > $mnt/etc/hostname
|
|
|
-
|
|
|
-#----------
|
|
|
-# Prepare chroot
|
|
|
-mount -o bind /dev $mnt/dev
|
|
|
-mount -o bind /dev/pts $mnt/dev/pts
|
|
|
-mount -t sysfs /sys $mnt/sys
|
|
|
-mount -t proc /proc $mnt/proc
|
|
|
-cp /proc/mounts $mnt/etc/mtab
|
|
|
-cp /etc/resolv.conf $mnt/etc/resolv.conf
|
|
|
-mkdir -p $mnt/installer
|
|
|
-cp $(dirname `realpath $0`)/*.sh $mnt/installer
|
|
|
-
|
|
|
-# Run script in chroot
|
|
|
-chroot $mnt /bin/bash /installer/bootstrap-bookworm.sh install2
|
|
|
-
|
|
|
-# Install bootloader
|
|
|
-$0 bootloader
|
|
|
-
|
|
|
-}
|
|
|
-
|
|
|
-
|
|
|
-#----------
|
|
|
-# Function executed within chroot
|
|
|
-install2(){
|
|
|
-source /installer/config.sh
|
|
|
-# Install basic system
|
|
|
-apt-get update
|
|
|
-apt-get install --yes \
|
|
|
- apt-utils dialog msmtp-mta \
|
|
|
- systemd-sysv locales tzdata haveged \
|
|
|
- linux-image-cloud-amd64 grub-pc \
|
|
|
- iproute2 netbase \
|
|
|
- ssh sudo \
|
|
|
- less vim-tiny bash-completion pwgen lsof \
|
|
|
- dnsutils iputils-ping curl
|
|
|
-
|
|
|
-# Upgrade and clean up
|
|
|
-apt-get upgrade --yes
|
|
|
-apt-get autoremove --yes
|
|
|
-apt-get clean --yes
|
|
|
-
|
|
|
-# Setup users and passwords
|
|
|
-[ -z $pwdAdmin ] && pwdAdmin=`pwgen --capitalize --numerals --ambiguous 12 1`
|
|
|
-useradd admin --create-home --shell /bin/bash
|
|
|
-echo "admin:$pwdAdmin" | chpasswd
|
|
|
-usermod -a -G sudo admin
|
|
|
-echo -e "\e[1;33;4;44mPassword for the user admin: $pwdAdmin\e[0m"
|
|
|
-pass=`pwgen --capitalize --numerals --ambiguous 12 1`
|
|
|
-[ -z $pwdRoot ] && pwdRoot=`pwgen --capitalize --numerals --ambiguous 12 1`
|
|
|
-echo "root:$pwdRoot" | chpasswd
|
|
|
-echo -e "\e[1;33;4;44mPassword for the user root: $pwdRoot\e[0m"
|
|
|
-
|
|
|
-# Harden SSHD
|
|
|
-echo AllowUsers admin >> /etc/ssh/sshd_config
|
|
|
-sed -i -e 's/#Port 22/Port 50101/g' /etc/ssh/sshd_config
|
|
|
-sed -i -e 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config
|
|
|
-
|
|
|
-## Configure network using systemd
|
|
|
-if [ -z $netAddress ]
|
|
|
-then
|
|
|
-## Network OPTION 1 - DHCP
|
|
|
-cat >/etc/systemd/network/20-wired.network <<EOL
|
|
|
-[Match]
|
|
|
-Name=e*
|
|
|
-
|
|
|
-[Network]
|
|
|
-DHCP=ipv4
|
|
|
-IPv6PrivacyExtensions=false
|
|
|
-IPv6AcceptRA=false
|
|
|
-NTP=$netNTP
|
|
|
-EOL
|
|
|
-
|
|
|
-else
|
|
|
-## Network OPTION 2 - static
|
|
|
-cat >/etc/systemd/network/20-wired.network <<EOL
|
|
|
-[Match]
|
|
|
-Name=$netDev
|
|
|
-
|
|
|
-[Network]
|
|
|
-Address=$netAddress
|
|
|
-Gateway=$netGateway
|
|
|
-Broadcast=$netBroadcast
|
|
|
-DNS=$netDNS1
|
|
|
-DNS=$netDNS2
|
|
|
-NTP=$netNTP
|
|
|
-EOL
|
|
|
-fi
|
|
|
-
|
|
|
-# Setup systemd resolver
|
|
|
-rm /etc/resolv.conf
|
|
|
-ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
|
|
|
-systemctl enable systemd-networkd
|
|
|
-# to be checked why port 5353 is opened externally
|
|
|
-sed -i 's/#LLMNR=yes/LLMNR=no/' /etc/systemd/resolved.conf
|
|
|
-systemctl enable systemd-resolved
|
|
|
-
|
|
|
-# Limit journald logging to 1 month, 1 GB in total and split files per week
|
|
|
-cat >>/etc/systemd/journald.conf <<EOL
|
|
|
-# Custom settings
|
|
|
-MaxFileSec=1G
|
|
|
-MaxFileSec=1week
|
|
|
-MaxFileSec=1m
|
|
|
-EOL
|
|
|
-
|
|
|
-# Show errors in motd
|
|
|
-rm /etc/motd
|
|
|
-cat >/etc/update-motd.d/15-boot-errors<<EOL
|
|
|
-#!/bin/sh
|
|
|
-echo
|
|
|
-journalctl --boot --priority=3 --no-pager
|
|
|
-EOL
|
|
|
-chmod 755 /etc/update-motd.d/15-boot-errors
|
|
|
-
|
|
|
-# Setup keyboard layout
|
|
|
-cat >/etc/default/keyboard <<EOL
|
|
|
-XKBMODEL="pc105"
|
|
|
-XKBLAYOUT="de"
|
|
|
-XKBVARIANT="nodeadkeys"
|
|
|
-XKBOPTIONS=""
|
|
|
-BACKSPACE="guess"
|
|
|
-EOL
|
|
|
-
|
|
|
-# Leave chroot
|
|
|
-exit
|
|
|
-}
|
|
|
-
|
|
|
-
|
|
|
-bootloader(){
|
|
|
-# Install GRUB in /dev/vba
|
|
|
-chroot $mnt /bin/bash -c "grub-install $disk && update-grub"
|
|
|
-}
|
|
|
-
|
|
|
-unmount(){
|
|
|
-# Unmount if mounted
|
|
|
-! mountpoint -q $mnt/proc || umount $mnt/proc
|
|
|
-! mountpoint -q $mnt/sys || umount $mnt/sys
|
|
|
-! mountpoint -q $mnt/dev/pts || umount $mnt/dev/pts
|
|
|
-! mountpoint -q $mnt/dev || umount $mnt/dev
|
|
|
-! mountpoint -q $mnt/root || umount $mnt/root
|
|
|
-! mountpoint -q $mnt || umount $mnt
|
|
|
-# Delete mount-point if empty and not mounted
|
|
|
-[ -z "$(ls -A /mnt/)" ] && ! mountpoint -q $mnt && rm -R $mnt
|
|
|
-}
|
|
|
-
|
|
|
-
|
|
|
-postinstall(){
|
|
|
-####----REBOOT into the new system, so we'll have dbus running
|
|
|
-localectl set-locale LANG=de_DE.UTF-8 # Default for LC_* variables not set.
|
|
|
-localectl set-locale LC_MESSAGES=en_US.UTF-8 # System messages.
|
|
|
-#localectl set-locale LC_RESPONSE=en_US.UTF-8 # How responses (such as Yes and No) appear
|
|
|
-update-locale
|
|
|
-timedatectl set-timezone Europe/Berlin
|
|
|
-}
|
|
|
-
|
|
|
-
|
|
|
-# Switch to functions...
|
|
|
-case $1 in
|
|
|
- grmlnetwork)
|
|
|
- echo Setup network in grml
|
|
|
- grmlnetwork
|
|
|
- ;;
|
|
|
- install)
|
|
|
- echo "Stage 1: Start installation"
|
|
|
- install
|
|
|
- ;;
|
|
|
- install2)
|
|
|
- echo "Stage 2: Start installation in chroot"
|
|
|
- install2
|
|
|
- ;;
|
|
|
- bootloader)
|
|
|
- echo "Stage 3: Install bootloader and unmount chroot"
|
|
|
- bootloader
|
|
|
- unmount
|
|
|
- echo "We're done and can reboot now"
|
|
|
- ;;
|
|
|
- postinstall)
|
|
|
- echo "Stage 4: Start post-installation in live system"
|
|
|
- postinstall
|
|
|
- ;;
|
|
|
- unmount)
|
|
|
- echo "Unmount chroot, e.g. in case installation fails"
|
|
|
- unmount
|
|
|
- ;;
|
|
|
- *)
|
|
|
- echo "Valid functions are: grmlnetwork, install, postinstall and unmount" >&2
|
|
|
- ;;
|
|
|
-esac
|