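--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,213 @@
+#!/bin/bash -e
+#----------
+# Interactive installation steps for Debian Bullseye from GRML using debootstrap
+
+# Design decisions
+# - Add a small file-based swap partition as safety net
+# - Use systemd whereever possible (network, ntp, cron, journald logging)
+# - One partion on /dev/vda
+# - Minimal number of packages & cloud kernel
+
+# Variables
+mnt="/mnt/root"  # mountpoint for the new root filesystem
+hostname="somehost.example.com"
+disk="/dev/vda"  # lsblk --list
+disk1=$disk"1"
+netDev=eth0
+netAddress=203.0.113.66/24
+netGateway=203.0.113.1
+netBroadcast=203.0.113.255
+netDNS1=192.0.2.10
+netDNS2=198.51.100.10
+netNTP=pool.ntp.org
+
+[ -f ./config.sh ] && source config.sh
+
+# Check if the function exists
+if declare -f "$1" > /dev/null
+then
+  # call arguments verbatim
+  "$@"
+else
+  # Show a helpful error
+  echo "Valid functions are prepare, install, bootloader, postinstall" >&2
+  exit 1
+fi
+
+
+prepare(){
+#----------
+# Prepare disks
+# Parition disks -- pkg: parted
+parted $disk -s \
+mklabel msdos \
+mkpart primary ext4 512M 100% toggle 1 boot
+fdisk -l $disk
+
+# Format disks -- pkg: e2fsprogs dosfstools and to file system check
+mkfs.ext4 $disk1 && e2fsck $disk1
+
+# Prepare mount points and mount
+mkdir -p $mnt
+mount $disk1 $mnt
+
+# Create swapfile
+swapfile=$mnt/swapfile
+dd if=/dev/zero of=$swapfile bs=1M count=1024 status=progress # create 1GB  file
+chmod 600 $swapfile #restric permissions
+mkswap $swapfile #format file
+
+
+#----------
+# Bootstrap -- pkg: debootstrap
+# Remark: Debootstrap does not install recommands!! 
+debootstrap --variant=minbase --arch=amd64 bullseye $mnt http://ftp2.de.debian.org/debian/
+
+#----------
+# Configuration
+# Configure disk mounts
+# Or get UUID from blkid...
+cat >$mnt/etc/fstab <<EOL
+$disk1        /                     ext4 rw       0 0
+/swapfile        none                  swap defaults 0 0
+EOL
+
+# Configure sources.list
+cat >/etc/apt/sources.list <<EOL
+deb http://ftp2.de.debian.org/debian bullseye main contrib non-free
+#deb-src http://ftp2.de.debian.org/debian bullseye main contrib non-free
+deb http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
+#deb-src http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
+deb http://ftp2.de.debian.org/debian bullseye-updates main contrib non-free
+#deb-src http://ftp2.de.debian.org/debian bullseye-updates main contrib non-free
+EOL
+
+# Configure hostname
+echo "127.0.0.1       $hostname" >> /etc/hosts
+echo $hostname > /etc/hostname
+
+}
+
+install(){
+#----------
+# Chroot
+mount -o bind /dev $mnt/dev
+mount -o bind /dev/pts $mnt/dev/pts
+mount -t sysfs /sys $mnt/sys
+mount -t proc /proc $mnt/proc
+cp /proc/mounts $mnt/etc/mtab
+cp /etc/resolv.conf $mnt/etc/resolv.conf
+chroot $mnt /bin/bash
+
+# Install basic system
+apt-get update
+apt-get install --yes \
+  apt-utils dialog msmtp-mta \
+  systemd-sysv locales tzdata haveged \
+  linux-image-cloud-amd64 grub-pc \
+  iproute2 netbase \
+  ssh sudo \
+  less vim-tiny bash-completion pwgen lsof \
+  dnsutils iputils-ping curl
+
+# Upgrade and clean up
+apt-get upgrade --yes
+apt-get autoremove --yes
+apt-get clean --yes
+
+# Setup users
+pass=`pwgen --capitalize --numerals --ambiguous 12 1`
+useradd admin --create-home --shell /bin/bash
+echo "admin:$pass" | chpasswd
+echo 'root:sa'     | chpasswd
+usermod -a -G sudo admin
+echo -e "\e[1;33;4;44mPassword for the user admin: $pass\e[0m"
+
+# Harden SSHD
+echo AllowUsers admin >> /etc/ssh/sshd_config
+sed -i -e 's/#Port 22/Port 50101/g' /etc/ssh/sshd_config
+sed -i -e 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config
+
+## Configure network using systemd
+if [ ! -z $netAddress ]
+then
+## Network OPTION 1 - DHCP
+cat >/etc/systemd/network/20-wired.network <<EOL
+[Match]
+Name=e*
+
+[Network]
+DHCP=ipv4
+IPv6PrivacyExtensions=false
+IPv6AcceptRA=false
+NTP=$netNTP
+EOL
+
+else
+## Network OPTION 2 - static
+cat >/etc/systemd/network/20-wired.network <<EOL
+[Match]
+Name=$netDev
+
+[Network]
+Address=$netAddress
+Gateway=$netGateway
+Broadcast=$netBroadcast
+DNS=$netDNS1
+DNS=$netDNS2
+NTP=$netNTP
+EOL
+fi
+
+# Setup systemd resolver
+rm /etc/resolv.conf
+ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
+systemctl enable systemd-networkd
+# to be checked why port 5353 is opened externally
+sed -i 's/#LLMNR=yes/LLMNR=no/' /etc/systemd/resolved.conf
+systemctl enable systemd-resolved
+
+# Limit journald logging to 1 month, 1 GB in total and split files per week
+cat >>/etc/systemd/journald.conf <<EOL
+# Custom settings
+MaxFileSec=1G
+MaxFileSec=1week
+MaxFileSec=1m
+EOL
+
+# Show errors in motd
+rm /etc/motd   
+cat >/etc/update-motd.d/15-boot-errors<<EOL
+#!/bin/sh
+echo
+journalctl --boot --priority=3 --no-pager
+EOL
+chmod 755 /etc/update-motd.d/15-boot-errors
+
+
+
+# Leave chroot
+exit
+}
+
+
+bootloader(){
+# Install GRUB in /dev/vba
+chroot $mnt /bin/bash -c "grub-install $disk && update-grub"
+
+# Unmount
+umount $mnt/proc
+umount $mnt/sys
+umount $mnt/dev/pts
+umount $mnt/dev
+}
+
+
+postinstall(){
+####----REBOOT into the new system, so we'll have dbus running
+localectl set-locale LANG=de_DE.UTF-8         # Default for LC_* variables not  set. 
+localectl set-locale LC_MESSAGES=en_US.UTF-8  # System messages. 
+#localectl set-locale LC_RESPONSE=en_US.UTF-8  # How responses (such as Yes and No) appear
+update-locale
+timedatectl set-timezone Europe/Berlin
+}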
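Review bot: In prepare(), the sources.list, /etc/hosts and /etc/hostname writes target the live GRML system rather than the new root, while the fstab line just above them correctly writes `$mnt/etc/fstab`; they should read `cat >$mnt/etc/apt/sources.list <<EOL`, `echo "127.0.0.1       $hostname" >> $mnt/etc/hosts` and `echo $hostname > $mnt/etc/hostname`. The network test `if [ ! -z $netAddress ]` in install() is inverted: a non-empty netAddress takes the DHCP branch and the static branch that expands `$netAddress`, `$netGateway` and `$netBroadcast` is reached only when the address is empty, so the branches should be swapped (and the expansion quoted so an empty value does not break the test). The journald block appends `MaxFileSec` three times, so only the last value survives and `1m` is one minute in systemd time syntax; to match its own comment the keys should be `SystemMaxUse=1G`, `MaxFileSec=1week` and `MaxRetentionSec=1month`. The `echo 'root:sa' | chpasswd` line bakes a fixed, trivial root password into every system built from this script; generate it with pwgen as is done for admin, or lock the root account and rely on the sudo-enabled admin user. Finally, `chroot $mnt /bin/bash` opens an interactive shell, so when install() is run as a script function everything after that line (apt-get, user setup, sshd hardening) executes on the host once that shell is closed, not inside the chroot; if the steps are meant to be pasted manually, a comment saying so above that line would prevent the function from being run as-is.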