git Service of IN-Ulm e.V. Explore Help
Sign In
ulpeters
/
bootstrap
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 200fb133a5
Branches Tags
bootstrap
/
bootstrap-bookworm.sh

bootstrap-bookworm.sh 10 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353 
  1. #!/bin/bash -e
    2. 

  2. #----------
    3. 

  3. # Interactive installation steps for Debian Bullseye from GRML using debootstrap
    4. 

  4. 

  5. # Design decisions
    6. 

  6. # - Fokus on a simple setup, primarly for VMs
    7. 

  7. # - One disk, one partion, swap-file in the same partion as safety net
    8. 

  8. # - Use systemd whereever possible (network, ntp, cron, journald logging)
    9. 

  9. # - Minimal number of packages & cloud kernel
    10. 

  10. # - support for grub-pc and grub-efi
    11. 

  11. # - random root and admin user password generation
    12. 

  12. # - ssh on port 50101 limited to the admin user
    13. 

  13. 

  14. # Usage
    15. 

  15. # # Boot grml
    16. 

  16. # passwd root
    17. 

  17. # grml-network
    18. 

  18. # Start ssh
    19. 

  19. # git clone https://git.in-ulm.de/ulpeters/bootstrap.git
    20. 

  20. # cp config.sh.template config.sh                    # copy template
    21. 

  21. # config-get-netconf-eth0.sh                         # get running grml network config
    22. 

  22. # vi config.sh                                       # update installation variables
    23. 

  23. # bootstrap-bullseye.sh install                      # start installation
    24. 

  24. # !! Note down the admin passwords and reboot
    25. 

  25. # sudo /installer/bootstrap-bullseye.sh postinstall  # run postinstall in the new system
    26. 

  26. 

  27. # Variables
    28. 

  28. mnt="/mnt/root"                  # mountpoint for the new root filesystem
    29. 

  29. hostname="somehost.example.com"
    30. 

  30. kernel="linux-image-cloud-amd64" # alternative: linux-image-amd64
    31. 

  31. partition="mbr-single"           # mbr-single or efi-crypt
    32. 

  32. disk="/dev/vda"                  # find with: lsblk --list
    33. 

  33. disk0=$disk"p1"                  # efi partion, only relevant if partion="efi"
    34. 

  34. disk1=$disk"1"                   # "p1" for nbd or nvme mounts
    35. 

  35. netDev="eth0"                    # find with: ip link
    36. 

  36. netAddress="203.0.113.66/24"     # "" blank for dhcp on e*
    37. 

  37. netGateway="203.0.113.1"
    38. 

  38. netBroadcast="203.0.113.255"
    39. 

  39. netDNS1="192.0.2.10"
    40. 

  40. netDNS2="198.51.100.10"
    41. 

  41. netNTP="pool.ntp.org"
    42. 

  42. pwdAdmin=""                      # "" blank for auto-generation
    43. 

  43. pwdRoot=""                       # "" blank for auto-generation
    44. 

  44. extraPackages="qemu-guest-agent"
    45. 

  45. 

  46. [ -f ./config.sh ] && source config.sh
    47. 

  47. 

  48. 

  49. # Setup network in grml
    50. 

  50. grmlnetwork(){
    51. 

  51. ip link show # list interfaces
    52. 

  52. ip addr add $netAddress dev $netDev
    53. 

  53. ip link set $netDev up
    54. 

  54. ip route add default via $netGateway
    55. 

  55. echo nameserver $netDNS1 >> /etc/resolv.conf
    56. 

  56. echo nameserver $netDNS2 >> /etc/resolv.conf
    57. 

  57. }
    58. 

  58. 

  59. install(){
    60. 

  60. 

  61. 

  62. # Wipe existing partition table
    63. 

  63. dd if=/dev/zero of=$disk bs=512 count=34
    64. 

  64. 

  65. # Parition disks -- pkg: parted
    66. 

  66. # Prepare partition tables and partitions
    67. 

  67. # -parted --script does not accept blanks in partition names
    68. 

  68. 

  69. if [ "$partition" = "mbr-single" ]
    70. 

  70. then
    71. 

  71.   #----------
    72. 

  72.   # Prepare disks with a single partition
    73. 

  73.   parted $disk --script \
    74. 

  74.   mklabel msdos \
    75. 

  75.   mkpart primary ext4 512M 100% toggle 1 boot
    76. 

  76.   fdisk -l $disk
    77. 

  77. 

  78.   # Format disks -- pkg: e2fsprogs dosfstools and to file system check
    79. 

  79.   mkfs.ext4 $disk1 && e2fsck $disk1
    80. 

  80. 

  81.   # Prepare mount points and mount
    82. 

  82.   mkdir -p $mnt
    83. 

  83.   mount $disk1 $mnt
    84. 

  84. fi
    85. 

  85. 

  86. if [ "$partition" = "efi-crypt" ]
    87. 

  87. then
    88. 

  88.   #----------
    89. 

  89.   # Prepare disks with following layout
    90. 

  90.   # - 301 MB partition for EFI                          --> p1
    91. 

  91.   # - 50  GB root partition for the OS (includes /boot) --> p2
    92. 

  92.   # - Remaining disk left to create a luks container    --> p3
    93. 

  93.   parted $disk --script                                \
    94. 

  94.   mklabel gpt                                        \
    95. 

  95.   mkpart EFI_system_partition  fat32    1MiB 301MiB  \
    96. 

  96.   set  1 esp  on                                     \
    97. 

  97.   set  1 boot on                                     \
    98. 

  98.   align-check optimal 1                              \
    99. 

  99.   mkpart Linux_system_parition  ext4  301MiB   50GiB \
    100. 

  100.   align-check optimal 2                              \
    101. 

  101.   mkpart Data_partion                  50GiB   100%  \
    102. 

  102.   align-check optimal 3                              \
    103. 

  103.   unit MiB                                           \
    104. 

  104.   print
    105. 

  105.   
    106. 

  106.   # Format disks -- pkg: e2fsprogs dosfstools and to file system check
    107. 

  107.   mkfs.fat  -F 32 -n EFIBOOT $disk0 && fsck $disk0
    108. 

  108.   mkfs.ext4 $disk1 && fsck $disk1
    109. 

  109. 

  110.   # Prepare mount points and mount
    111. 

  111.   mkdir -p $mnt $mnt"/boot/efi"
    112. 

  112.   mount $disk1 $mnt
    113. 

  113.   mount $disk0 $mnt"/boot/efi"
    114. 

  114. fi
    115. 

  115. 

  116. 

  117. # Create swapfile
    118. 

  118. swapfile=$mnt/swapfile
    119. 

  119. dd if=/dev/zero of=$swapfile bs=1M count=1024 status=progress # create 1GB  file
    120. 

  120. chmod 600 $swapfile #restric permissions
    121. 

  121. mkswap $swapfile #format file
    122. 

  122. 

  123. #----------
    124. 

  124. # Bootstrap -- pkg: debootstrap
    125. 

  125. # Remark: Debootstrap does not install recommands!! 
    126. 

  126. debootstrap --variant=minbase --arch=amd64 bookworm $mnt http://ftp2.de.debian.org/debian/
    127. 

  127. 

  128. #----------
    129. 

  129. # Configuration
    130. 

  130. # Configure disk mounts
    131. 

  131. # Or get UUID from blkid...
    132. 

  132. cat >$mnt/etc/fstab <<EOL
    133. 

  133. $disk1        /                     ext4 rw       0 0
    134. 

  134. /swapfile        none                  swap defaults 0 0
    135. 

  135. EOL
    136. 

  136. 

  137. # Configure sources.list
    138. 

  138. cat >$mnt/etc/apt/sources.list <<EOL
    139. 

  139. deb http://deb.debian.org/debian bookworm main non-free-firmware
    140. 

  140. # deb-src http://deb.debian.org/debian bookworm main non-free-firmware
    141. 

  141. deb http://deb.debian.org/debian-security/ bookworm-security main non-free-firmware
    142. 

  142. # deb-src http://deb.debian.org/debian-security/ bookworm-security main non-free-firmware
    143. 

  143. deb http://deb.debian.org/debian bookworm-updates main non-free-firmware
    144. 

  144. # deb-src http://deb.debian.org/debian bookworm-updates main non-free-firmware
    145. 

  145. EOL
    146. 

  146. 

  147. # Configure hostname
    148. 

  148. echo "127.0.0.1       $hostname" >> $mnt/etc/hosts
    149. 

  149. echo "$hostname"                  > $mnt/etc/hostname
    150. 

  150. 

  151. #----------
    152. 

  152. # Prepare chroot
    153. 

  153. mount -o bind /dev $mnt/dev
    154. 

  154. mount -o bind /dev/pts $mnt/dev/pts
    155. 

  155. mount -t sysfs /sys $mnt/sys
    156. 

  156. mount -t proc /proc $mnt/proc
    157. 

  157. cp /proc/mounts $mnt/etc/mtab
    158. 

  158. cp /etc/resolv.conf $mnt/etc/resolv.conf
    159. 

  159. mkdir -p $mnt/installer
    160. 

  160. cp $(dirname `realpath $0`)/*.sh $mnt/installer
    161. 

  161. 

  162. # Run script in chroot
    163. 

  163. chroot $mnt /bin/bash /installer/bootstrap-bullseye.sh install2
    164. 

  164. 

  165. # Install bootloader
    166. 

  166. $0 bootloader
    167. 

  167. 

  168. }
    169. 

  169. 

  170. 

  171. #----------
    172. 

  172. # Function executed within chroot
    173. 

  173. install2(){
    174. 

  174. source /installer/config.sh 
    175. 

  175. # Install basic system
    176. 

  176. apt-get update
    177. 

  177. apt-get install --yes \
    178. 

  178.   apt-utils dialog msmtp-mta \
    179. 

  179.   systemd-sysv locales tzdata haveged \
    180. 

  180.   linux-image-cloud-amd64 grub-pc \
    181. 

  181.   iproute2 netbase \
    182. 

  182.   ssh sudo molly-guard  \
    183. 

  183.   less vim-tiny bash-completion pwgen lsof \
    184. 

  184.   dnsutils iputils-ping curl \
    185. 

  185.   $extraPackages
    186. 

  186. 

  187. # Upgrade and clean up
    188. 

  188. apt-get upgrade --yes
    189. 

  189. apt-get autoremove --yes
    190. 

  190. apt-get clean --yes
    191. 

  191. 

  192. # Setup users and passwords
    193. 

  193. [ -z $pwdAdmin ] && pwdAdmin=`pwgen --capitalize --numerals --ambiguous 12 1`
    194. 

  194. useradd admin --create-home --shell /bin/bash
    195. 

  195. echo "admin:$pwdAdmin" | chpasswd
    196. 

  196. usermod -a -G sudo admin
    197. 

  197. echo -e "\e[1;33;4;44mPassword for the user admin: $pwdAdmin\e[0m"
    198. 

  198. pass=`pwgen --capitalize --numerals --ambiguous 12 1`
    199. 

  199. [ -z $pwdRoot ] && pwdRoot=`pwgen --capitalize --numerals --ambiguous 12 1`
    200. 

  200. echo "root:$pwdRoot"   | chpasswd
    201. 

  201. echo -e "\e[1;33;4;44mPassword for the user root: $pwdRoot\e[0m"
    202. 

  202. 

  203. # Harden SSHD
    204. 

  204. sed -i -e 's/#Port 22/Port 50101/g' /etc/ssh/sshd_config
    205. 

  205. sed -i -e 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config
    206. 

  206. # https://infosec.mozilla.org/guidelines/openssh.html
    207. 

  207. 

  208. 

  209. # Allow admin to sudo without password
    210. 

  210. echo AllowUsers admin >> /etc/ssh/sshd_config
    211. 

  211. echo "admin ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/admin
    212. 

  212. 

  213. ## Configure network using systemd
    214. 

  214. if [ -z $netAddress ]
    215. 

  215. then
    216. 

  216. ## Network OPTION 1 - DHCP
    217. 

  217. cat >/etc/systemd/network/20-wired.network <<EOL
    218. 

  218. [Match]
    219. 

  219. Name=e*
    220. 

  220. 

  221. [Network]
    222. 

  222. DHCP=ipv4
    223. 

  223. IPv6PrivacyExtensions=false
    224. 

  224. IPv6AcceptRA=false
    225. 

  225. NTP=$netNTP
    226. 

  226. EOL
    227. 

  227. 

  228. else
    229. 

  229. ## Network OPTION 2 - static
    230. 

  230. cat >/etc/systemd/network/20-wired.network <<EOL
    231. 

  231. [Match]
    232. 

  232. Name=$netDev
    233. 

  233. 

  234. [Network]
    235. 

  235. Address=$netAddress
    236. 

  236. Gateway=$netGateway
    237. 

  237. Broadcast=$netBroadcast
    238. 

  238. DNS=$netDNS1
    239. 

  239. DNS=$netDNS2
    240. 

  240. NTP=$netNTP
    241. 

  241. EOL
    242. 

  242. fi
    243. 

  243. 

  244. ## Setup systemd resolver
    245. 

  245. apt-get install --yes systemd-resolved
    246. 

  246. echo -e "\n# Disable local name resolution"  >> /etc/systemd/resolved.conf
    247. 

  247. echo "LLMNR=no" >> /etc/systemd/resolved.conf
    248. 

  248. echo "MulticastDNS=no" >> /etc/systemd/resolved.conf
    249. 

  249. systemctl enable systemd-networkd
    250. 

  250. systemctl enable systemd-resolved
    251. 

  251. 

  252. # Limit journald logging to 1 month, 1 GB in total and split files per week
    253. 

  253. mkdir -p /etc/systemd/journald.conf.d/
    254. 

  254. cat >/etc/systemd/journald.conf.d/retention.conf <<EOL
    255. 

  255. MaxRetentionSec=1month
    256. 

  256. SystemMaxUse=1G
    257. 

  257. MaxFileSec=1week
    258. 

  258. EOL
    259. 

  259. 

  260. # Show errors in motd
    261. 

  261. rm /etc/motd   
    262. 

  262. cat >/etc/update-motd.d/15-boot-errors<<EOL
    263. 

  263. #!/bin/sh
    264. 

  264. echo
    265. 

  265. journalctl --boot --priority=3 --no-pager
    266. 

  266. EOL
    267. 

  267. chmod 755 /etc/update-motd.d/15-boot-errors
    268. 

  268. 

  269. # Setup keyboard layout
    270. 

  270. cat >/etc/default/keyboard <<EOL
    271. 

  271. XKBMODEL="pc105"
    272. 

  272. XKBLAYOUT="de"
    273. 

  273. XKBVARIANT="nodeadkeys"
    274. 

  274. XKBOPTIONS=""
    275. 

  275. BACKSPACE="guess"
    276. 

  276. EOL
    277. 

  277. 

  278. # Leave chroot
    279. 

  279. exit
    280. 

  280. }
    281. 

  281. 

  282. 

  283. bootloader(){
    284. 

  284. 

  285. # Install grub in the mbr
    286. 

  286. if [ $partition="mbr-single" ]
    287. 

  287. then
    288. 

  288.   chroot $mnt /bin/bash -c "grub-install $disk && update-grub"
    289. 

  289. fi
    290. 

  290. 

  291. # Install grub in the efi partition
    292. 

  292. if [ $partition="efi-crypt" ]
    293. 

  293. then
    294. 

  294.   chroot $mnt /bin/bash -c \
    295. 

  295.   "grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub && update-grub" 
    296. 

  296. fi
    297. 

  297. }
    298. 

  298. 

  299. unmount(){
    300. 

  300. # Unmount if mounted
    301. 

  301. ! mountpoint -q $mnt/proc    || umount $mnt/proc
    302. 

  302. ! mountpoint -q $mnt/sys     || umount $mnt/sys
    303. 

  303. ! mountpoint -q $mnt/dev/pts || umount $mnt/dev/pts
    304. 

  304. ! mountpoint -q $mnt/dev     || umount $mnt/dev
    305. 

  305. ! mountpoint -q $mnt/root    || umount $mnt/root
    306. 

  306. ! mountpoint -q $mnt         || umount $mnt
    307. 

  307. # Delete mount-point if empty and not mounted
    308. 

  308. [ -z "$(ls -A /mnt/)" ] &&  ! mountpoint -q $mnt  && rm -R $mnt
    309. 

  309. }
    310. 

  310. 

  311. 

  312. postinstall(){
    313. 

  313. ####----REBOOT into the new system, so we'll have dbus running
    314. 

  314. localectl set-locale LANG=de_DE.UTF-8         # Default for LC_* variables not  set. 
    315. 

  315. localectl set-locale LC_MESSAGES=en_US.UTF-8  # System messages. 
    316. 

  316. #localectl set-locale LC_RESPONSE=en_US.UTF-8  # How responses (such as Yes and No) appear
    317. 

  317. update-locale
    318. 

  318. timedatectl set-timezone Europe/Berlin
    319. 

  319. }
    320. 

  320. 

  321. 

  322. # Switch to functions...
    323. 

  323. case $1 in
    324. 

  324.   grmlnetwork)
    325. 

  325.     echo Setup network in grml
    326. 

  326.     grmlnetwork
    327. 

  327.     ;;
    328. 

  328.   install)
    329. 

  329.     echo "Stage 1: Start installation"
    330. 

  330.     install
    331. 

  331.     ;;
    332. 

  332.   install2)
    333. 

  333.     echo "Stage 2: Start installation in chroot"
    334. 

  334.     install2
    335. 

  335.     ;;
    336. 

  336.   bootloader)
    337. 

  337.     echo "Stage 3: Install bootloader and unmount chroot"
    338. 

  338.     bootloader
    339. 

  339.     unmount
    340. 

  340.     echo "We're done and can reboot now"
    341. 

  341.     ;;
    342. 

  342.   postinstall)
    343. 

  343.     echo "Stage 4: Start post-installation in live system"
    344. 

  344.     postinstall
    345. 

  345.     ;;
    346. 

  346.   unmount)
    347. 

  347.     echo "Unmount chroot, e.g. in case installation fails"
    348. 

  348.     unmount
    349. 

  349.     ;;
    350. 

  350.   *)
    351. 

  351.     echo "Valid functions are: grmlnetwork, install, postinstall and unmount" >&2
    352. 

  352.     ;;
    353. 

  353. esac
    354.