Toastie 1 year ago
parent
commit
43d5236fff
1 changed files with 213 additions and 0 deletions
  1. 213 0
      bootrap_bullseye.sh

+ 213 - 0
bootrap_bullseye.sh

@@ -0,0 +1,213 @@
+#!/bin/bash -e
+#----------
+# Interactive installation steps for Debian Bullseye from GRML using debootstrap
+
+# Design decisions
+# - Add a small file-based swap partition as safety net
+# - Use systemd whereever possible (network, ntp, cron, journald logging)
+# - One partion on /dev/vda
+# - Minimal number of packages & cloud kernel
+
+# Variables
+mnt="/mnt/root"  # mountpoint for the new root filesystem
+hostname="somehost.example.com"
+disk="/dev/vda"  # lsblk --list
+disk1=$disk"1"
+netDev=eth0
+netAddress=203.0.113.66/24
+netGateway=203.0.113.1
+netBroadcast=203.0.113.255
+netDNS1=192.0.2.10
+netDNS2=198.51.100.10
+netNTP=pool.ntp.org
+
+[ -f ./config.sh ] && source config.sh
+
+# Check if the function exists
+if declare -f "$1" > /dev/null
+then
+  # call arguments verbatim
+  "$@"
+else
+  # Show a helpful error
+  echo "Valid functions are prepare, install, bootloader, postinstall" >&2
+  exit 1
+fi
+
+
+prepare(){
+#----------
+# Prepare disks
+# Parition disks -- pkg: parted
+parted $disk -s \
+mklabel msdos \
+mkpart primary ext4 512M 100% toggle 1 boot
+fdisk -l $disk
+
+# Format disks -- pkg: e2fsprogs dosfstools and to file system check
+mkfs.ext4 $disk1 && e2fsck $disk1
+
+# Prepare mount points and mount
+mkdir -p $mnt
+mount $disk1 $mnt
+
+# Create swapfile
+swapfile=$mnt/swapfile
+dd if=/dev/zero of=$swapfile bs=1M count=1024 status=progress # create 1GB  file
+chmod 600 $swapfile #restric permissions
+mkswap $swapfile #format file
+
+
+#----------
+# Bootstrap -- pkg: debootstrap
+# Remark: Debootstrap does not install recommands!! 
+debootstrap --variant=minbase --arch=amd64 bullseye $mnt http://ftp2.de.debian.org/debian/
+
+#----------
+# Configuration
+# Configure disk mounts
+# Or get UUID from blkid...
+cat >$mnt/etc/fstab <<EOL
+$disk1        /                     ext4 rw       0 0
+/swapfile        none                  swap defaults 0 0
+EOL
+
+# Configure sources.list
+cat >/etc/apt/sources.list <<EOL
+deb http://ftp2.de.debian.org/debian bullseye main contrib non-free
+#deb-src http://ftp2.de.debian.org/debian bullseye main contrib non-free
+deb http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
+#deb-src http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
+deb http://ftp2.de.debian.org/debian bullseye-updates main contrib non-free
+#deb-src http://ftp2.de.debian.org/debian bullseye-updates main contrib non-free
+EOL
+
+# Configure hostname
+echo "127.0.0.1       $hostname" >> /etc/hosts
+echo $hostname > /etc/hostname
+
+}
+
+install(){
+#----------
+# Chroot
+mount -o bind /dev $mnt/dev
+mount -o bind /dev/pts $mnt/dev/pts
+mount -t sysfs /sys $mnt/sys
+mount -t proc /proc $mnt/proc
+cp /proc/mounts $mnt/etc/mtab
+cp /etc/resolv.conf $mnt/etc/resolv.conf
+chroot $mnt /bin/bash
+
+# Install basic system
+apt-get update
+apt-get install --yes \
+  apt-utils dialog msmtp-mta \
+  systemd-sysv locales tzdata haveged \
+  linux-image-cloud-amd64 grub-pc \
+  iproute2 netbase \
+  ssh sudo \
+  less vim-tiny bash-completion pwgen lsof \
+  dnsutils iputils-ping curl
+
+# Upgrade and clean up
+apt-get upgrade --yes
+apt-get autoremove --yes
+apt-get clean --yes
+
+# Setup users
+pass=`pwgen --capitalize --numerals --ambiguous 12 1`
+useradd admin --create-home --shell /bin/bash
+echo "admin:$pass" | chpasswd
+echo 'root:sa'     | chpasswd
+usermod -a -G sudo admin
+echo -e "\e[1;33;4;44mPassword for the user admin: $pass\e[0m"
+
+# Harden SSHD
+echo AllowUsers admin >> /etc/ssh/sshd_config
+sed -i -e 's/#Port 22/Port 50101/g' /etc/ssh/sshd_config
+sed -i -e 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config
+
+## Configure network using systemd
+if [ ! -z $netAddress ]
+then
+## Network OPTION 1 - DHCP
+cat >/etc/systemd/network/20-wired.network <<EOL
+[Match]
+Name=e*
+
+[Network]
+DHCP=ipv4
+IPv6PrivacyExtensions=false
+IPv6AcceptRA=false
+NTP=$netNTP
+EOL
+
+else
+## Network OPTION 2 - static
+cat >/etc/systemd/network/20-wired.network <<EOL
+[Match]
+Name=$netDev
+
+[Network]
+Address=$netAddress
+Gateway=$netGateway
+Broadcast=$netBroadcast
+DNS=$netDNS1
+DNS=$netDNS2
+NTP=$netNTP
+EOL
+fi
+
+# Setup systemd resolver
+rm /etc/resolv.conf
+ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
+systemctl enable systemd-networkd
+# to be checked why port 5353 is opened externally
+sed -i 's/#LLMNR=yes/LLMNR=no/' /etc/systemd/resolved.conf
+systemctl enable systemd-resolved
+
+# Limit journald logging to 1 month, 1 GB in total and split files per week
+cat >>/etc/systemd/journald.conf <<EOL
+# Custom settings
+MaxFileSec=1G
+MaxFileSec=1week
+MaxFileSec=1m
+EOL
+
+# Show errors in motd
+rm /etc/motd   
+cat >/etc/update-motd.d/15-boot-errors<<EOL
+#!/bin/sh
+echo
+journalctl --boot --priority=3 --no-pager
+EOL
+chmod 755 /etc/update-motd.d/15-boot-errors
+
+
+
+# Leave chroot
+exit
+}
+
+
+bootloader(){
+# Install GRUB in /dev/vba
+chroot $mnt /bin/bash -c "grub-install $disk && update-grub"
+
+# Unmount
+umount $mnt/proc
+umount $mnt/sys
+umount $mnt/dev/pts
+umount $mnt/dev
+}
+
+
+postinstall(){
+####----REBOOT into the new system, so we'll have dbus running
+localectl set-locale LANG=de_DE.UTF-8         # Default for LC_* variables not  set. 
+localectl set-locale LC_MESSAGES=en_US.UTF-8  # System messages. 
+#localectl set-locale LC_RESPONSE=en_US.UTF-8  # How responses (such as Yes and No) appear
+update-locale
+timedatectl set-timezone Europe/Berlin
+}
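Review bot: The dispatcher at `if declare -f "$1" > /dev/null` runs before `prepare`, `install`, `bootloader` and `postinstall` are defined, so `declare -f` cannot see them and every invocation falls into the "Valid functions are …" branch unless config.sh happens to define them; move that block (and the `source config.sh` line, if its purpose is to override the variables above it) to the end of the file, after the `postinstall(){ … }` definition. In `install`, `echo 'root:sa' | chpasswd` bakes a fixed two-character root password into every system this script produces; generate it the same way as the admin password, or lock root with `passwd -l root` and rely on the sudo-enabled admin account. `if [ ! -z $netAddress ]` is inverted (a non-empty static address selects the DHCP template while an empty one writes `Address=` into the static template) and unquoted; `if [[ -z "$netAddress" ]]` selects the intended branch. The journald block repeats `MaxFileSec=` three times although the comment asks for a size cap, weekly rotation and a one-month retention; `SystemMaxUse=1G`, `MaxFileSec=1week` and `MaxRetentionSec=1month` are the corresponding keys. In `prepare`, `cat >/etc/apt/sources.list` and the two `/etc/hosts`/`/etc/hostname` writes target the running GRML host rather than the new root, whereas the fstab write just above correctly uses `$mnt/etc/fstab`; these three should be prefixed with `$mnt` as well.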