added bookworm initial

bootstrap-bookworm.sh

@@ -0,0 +1,295 @@
+#!/bin/bash -e
+#----------
+# Interactive installation steps for Debian Bullseye from GRML using debootstrap
+
+# Design decisions
+# - Fokus on a simple setup, primarly for VMs
+# - One disk, one partion, swap-file in the same partion as safety net
+# - Use systemd whereever possible (network, ntp, cron, journald logging)
+# - Minimal number of packages & cloud kernel
+# - grub-pc, not efi
+# - random root and admin user password generation
+# - ssh on port 50101 limited to the admin user
+
+# Usage
+# # Boot grml
+# passwd root
+# grml-network
+# Start ssh
+# git clone https://git.in-ulm.de/ulpeters/bootstrap.git
+# cp config.sh.template config.sh                    # copy template
+# config-get-netconf-eth0.sh                         # get running grml network config
+# vi config.sh                                       # update installation variables
+# bootstrap-bullseye.sh install                      # start installation
+# !! Note down the admin passwords and reboot
+# sudo /installer/bootstrap-bullseye.sh postinstall  # run postinstall in the new system
+
+# Variables
+mnt="/mnt/root"  # mountpoint for the new root filesystem
+hostname="somehost.example.com"
+disk="/dev/vda"  # lsblk --list
+disk1=$disk"1"
+netDev="eth0"    # ip link
+netAddress="203.0.113.66/24"
+netGateway="203.0.113.1"
+netBroadcast="203.0.113.255"
+netDNS1="192.0.2.10"
+netDNS2="198.51.100.10"
+netNTP="pool.ntp.org"
+extraPackages=""
+
+[ -f ./config.sh ] && source config.sh
+
+
+# Setup network in grml
+grmlnetwork(){
+ip link show # list interfaces
+ip addr add $netAddress dev $netDev
+ip link set $netDev up
+ip route add default via $netGateway
+echo nameserver $netDNS1 >> /etc/resolv.conf
+echo nameserver $netDNS2 >> /etc/resolv.conf
+}
+
+install(){
+#----------
+# Prepare disks
+# Parition disks -- pkg: parted
+parted $disk -s \
+mklabel msdos \
+mkpart primary ext4 512M 100% toggle 1 boot
+fdisk -l $disk
+
+# Format disks -- pkg: e2fsprogs dosfstools and to file system check
+mkfs.ext4 $disk1 && e2fsck $disk1
+
+# Prepare mount points and mount
+mkdir -p $mnt
+mount $disk1 $mnt
+
+# Create swapfile
+swapfile=$mnt/swapfile
+dd if=/dev/zero of=$swapfile bs=1M count=1024 status=progress # create 1GB  file
+chmod 600 $swapfile #restric permissions
+mkswap $swapfile #format file
+
+#----------
+# Bootstrap -- pkg: debootstrap
+# Remark: Debootstrap does not install recommands!! 
+debootstrap --variant=minbase --arch=amd64 bullseye $mnt http://ftp2.de.debian.org/debian/
+
+#----------
+# Configuration
+# Configure disk mounts
+# Or get UUID from blkid...
+cat >$mnt/etc/fstab <<EOL
+$disk1        /                     ext4 rw       0 0
+/swapfile        none                  swap defaults 0 0
+EOL
+
+# Configure sources.list
+cat >$mnt/etc/apt/sources.list <<EOL
+deb http://ftp2.de.debian.org/debian bullseye main contrib non-free
+#deb-src http://ftp2.de.debian.org/debian bullseye main contrib non-free
+deb http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
+#deb-src http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
+deb http://ftp2.de.debian.org/debian bullseye-updates main contrib non-free
+#deb-src http://ftp2.de.debian.org/debian bullseye-updates main contrib non-free
+EOL
+
+# Configure hostname
+echo "127.0.0.1       $hostname" >> $mnt/etc/hosts
+echo "$hostname"                  > $mnt/etc/hostname
+
+#----------
+# Prepare chroot
+mount -o bind /dev $mnt/dev
+mount -o bind /dev/pts $mnt/dev/pts
+mount -t sysfs /sys $mnt/sys
+mount -t proc /proc $mnt/proc
+cp /proc/mounts $mnt/etc/mtab
+cp /etc/resolv.conf $mnt/etc/resolv.conf
+mkdir -p $mnt/installer
+cp $(dirname `realpath $0`)/*.sh $mnt/installer
+
+# Run script in chroot
+chroot $mnt /bin/bash /installer/bootstrap-bullseye.sh install2
+
+# Install bootloader
+$0 bootloader
+
+}
+
+
+#----------
+# Function executed within chroot
+install2(){
+source /installer/config.sh 
+# Install basic system
+apt-get update
+apt-get install --yes \
+  apt-utils dialog msmtp-mta \
+  systemd-sysv locales tzdata haveged \
+  linux-image-cloud-amd64 grub-pc \
+  iproute2 netbase \
+  ssh sudo molly-guard  \
+  less vim-tiny bash-completion pwgen lsof \
+  dnsutils iputils-ping curl \
+  $extraPackages
+
+# Upgrade and clean up
+apt-get upgrade --yes
+apt-get autoremove --yes
+apt-get clean --yes
+
+# Setup users and passwords
+[ -z $pwdAdmin ] && pwdAdmin=`pwgen --capitalize --numerals --ambiguous 12 1`
+useradd admin --create-home --shell /bin/bash
+echo "admin:$pwdAdmin" | chpasswd
+usermod -a -G sudo admin
+echo -e "\e[1;33;4;44mPassword for the user admin: $pwdAdmin\e[0m"
+pass=`pwgen --capitalize --numerals --ambiguous 12 1`
+[ -z $pwdRoot ] && pwdRoot=`pwgen --capitalize --numerals --ambiguous 12 1`
+echo "root:$pwdRoot"   | chpasswd
+echo -e "\e[1;33;4;44mPassword for the user root: $pwdRoot\e[0m"
+
+# Harden SSHD
+sed -i -e 's/#Port 22/Port 50101/g' /etc/ssh/sshd_config
+sed -i -e 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config
+# https://infosec.mozilla.org/guidelines/openssh.html
+
+
+# Allow admin to sudo without password
+echo AllowUsers admin >> /etc/ssh/sshd_config
+echo "admin ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/admin
+
+## Configure network using systemd
+if [ -z $netAddress ]
+then
+## Network OPTION 1 - DHCP
+cat >/etc/systemd/network/20-wired.network <<EOL
+[Match]
+Name=e*
+
+[Network]
+DHCP=ipv4
+IPv6PrivacyExtensions=false
+IPv6AcceptRA=false
+NTP=$netNTP
+EOL
+
+else
+## Network OPTION 2 - static
+cat >/etc/systemd/network/20-wired.network <<EOL
+[Match]
+Name=$netDev
+
+[Network]
+Address=$netAddress
+Gateway=$netGateway
+Broadcast=$netBroadcast
+DNS=$netDNS1
+DNS=$netDNS2
+NTP=$netNTP
+EOL
+fi
+
+# Setup systemd resolver
+rm /etc/resolv.conf
+ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
+systemctl enable systemd-networkd
+# to be checked why port 5353 is opened externally
+sed -i 's/#LLMNR=yes/LLMNR=no/' /etc/systemd/resolved.conf
+systemctl enable systemd-resolved
+
+# Limit journald logging to 1 month, 1 GB in total and split files per week
+mkdir -p /etc/systemd/journald.conf.d/
+cat >/etc/systemd/journald.conf.d/retention.conf <<EOL
+MaxRetentionSec=1month
+SystemMaxUse=1G
+MaxFileSec=1week
+EOL
+
+# Show errors in motd
+rm /etc/motd   
+cat >/etc/update-motd.d/15-boot-errors<<EOL
+#!/bin/sh
+echo
+journalctl --boot --priority=3 --no-pager
+EOL
+chmod 755 /etc/update-motd.d/15-boot-errors
+
+# Setup keyboard layout
+cat >/etc/default/keyboard <<EOL
+XKBMODEL="pc105"
+XKBLAYOUT="de"
+XKBVARIANT="nodeadkeys"
+XKBOPTIONS=""
+BACKSPACE="guess"
+EOL
+
+# Leave chroot
+exit
+}
+
+
+bootloader(){
+# Install GRUB in /dev/vba
+chroot $mnt /bin/bash -c "grub-install $disk && update-grub"
+}
+
+unmount(){
+# Unmount if mounted
+! mountpoint -q $mnt/proc    || umount $mnt/proc
+! mountpoint -q $mnt/sys     || umount $mnt/sys
+! mountpoint -q $mnt/dev/pts || umount $mnt/dev/pts
+! mountpoint -q $mnt/dev     || umount $mnt/dev
+! mountpoint -q $mnt/root    || umount $mnt/root
+! mountpoint -q $mnt         || umount $mnt
+# Delete mount-point if empty and not mounted
+[ -z "$(ls -A /mnt/)" ] &&  ! mountpoint -q $mnt  && rm -R $mnt
+}
+
+
+postinstall(){
+####----REBOOT into the new system, so we'll have dbus running
+localectl set-locale LANG=de_DE.UTF-8         # Default for LC_* variables not  set. 
+localectl set-locale LC_MESSAGES=en_US.UTF-8  # System messages. 
+#localectl set-locale LC_RESPONSE=en_US.UTF-8  # How responses (such as Yes and No) appear
+update-locale
+timedatectl set-timezone Europe/Berlin
+}
+
+
+# Switch to functions...
+case $1 in
+  grmlnetwork)
+    echo Setup network in grml
+    grmlnetwork
+    ;;
+  install)
+    echo "Stage 1: Start installation"
+    install
+    ;;
+  install2)
+    echo "Stage 2: Start installation in chroot"
+    install2
+    ;;
+  bootloader)
+    echo "Stage 3: Install bootloader and unmount chroot"
+    bootloader
+    unmount
+    echo "We're done and can reboot now"
+    ;;
+  postinstall)
+    echo "Stage 4: Start post-installation in live system"
+    postinstall
+    ;;
+  unmount)
+    echo "Unmount chroot, e.g. in case installation fails"
+    unmount
+    ;;
+  *)
+    echo "Valid functions are: grmlnetwork, install, postinstall and unmount" >&2
+    ;;
+esac