ulpeters
/
bootstrap


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213
							#!/bin/bash -e
#----------
# Interactive installation steps for Debian Bullseye from GRML using debootstrap

# Design decisions
# - Add a small file-based swap partition as safety net
# - Use systemd whereever possible (network, ntp, cron, journald logging)
# - One partion on /dev/vda
# - Minimal number of packages & cloud kernel

# Variables
mnt="/mnt/root"  # mountpoint for the new root filesystem
hostname="somehost.example.com"
disk="/dev/vda"  # lsblk --list
disk1=$disk"1"
netDev=eth0
netAddress=203.0.113.66/24
netGateway=203.0.113.1
netBroadcast=203.0.113.255
netDNS1=192.0.2.10
netDNS2=198.51.100.10
netNTP=pool.ntp.org

[ -f ./config.sh ] && source config.sh

# Check if the function exists
if declare -f "$1" > /dev/null
then
  # call arguments verbatim
  "$@"
else
  # Show a helpful error
  echo "Valid functions are prepare, install, bootloader, postinstall" >&2
  exit 1
fi


prepare(){
#----------
# Prepare disks
# Parition disks -- pkg: parted
parted $disk -s \
mklabel msdos \
mkpart primary ext4 512M 100% toggle 1 boot
fdisk -l $disk

# Format disks -- pkg: e2fsprogs dosfstools and to file system check
mkfs.ext4 $disk1 && e2fsck $disk1

# Prepare mount points and mount
mkdir -p $mnt
mount $disk1 $mnt

# Create swapfile
swapfile=$mnt/swapfile
dd if=/dev/zero of=$swapfile bs=1M count=1024 status=progress # create 1GB  file
chmod 600 $swapfile #restric permissions
mkswap $swapfile #format file


#----------
# Bootstrap -- pkg: debootstrap
# Remark: Debootstrap does not install recommands!! 
debootstrap --variant=minbase --arch=amd64 bullseye $mnt http://ftp2.de.debian.org/debian/

#----------
# Configuration
# Configure disk mounts
# Or get UUID from blkid...
cat >$mnt/etc/fstab <<EOL
$disk1        /                     ext4 rw       0 0
/swapfile        none                  swap defaults 0 0
EOL

# Configure sources.list
cat >/etc/apt/sources.list <<EOL
deb http://ftp2.de.debian.org/debian bullseye main contrib non-free
#deb-src http://ftp2.de.debian.org/debian bullseye main contrib non-free
deb http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
#deb-src http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
deb http://ftp2.de.debian.org/debian bullseye-updates main contrib non-free
#deb-src http://ftp2.de.debian.org/debian bullseye-updates main contrib non-free
EOL

# Configure hostname
echo "127.0.0.1       $hostname" >> /etc/hosts
echo $hostname > /etc/hostname

}

install(){
#----------
# Chroot
mount -o bind /dev $mnt/dev
mount -o bind /dev/pts $mnt/dev/pts
mount -t sysfs /sys $mnt/sys
mount -t proc /proc $mnt/proc
cp /proc/mounts $mnt/etc/mtab
cp /etc/resolv.conf $mnt/etc/resolv.conf
chroot $mnt /bin/bash

# Install basic system
apt-get update
apt-get install --yes \
  apt-utils dialog msmtp-mta \
  systemd-sysv locales tzdata haveged \
  linux-image-cloud-amd64 grub-pc \
  iproute2 netbase \
  ssh sudo \
  less vim-tiny bash-completion pwgen lsof \
  dnsutils iputils-ping curl

# Upgrade and clean up
apt-get upgrade --yes
apt-get autoremove --yes
apt-get clean --yes

# Setup users
pass=`pwgen --capitalize --numerals --ambiguous 12 1`
useradd admin --create-home --shell /bin/bash
echo "admin:$pass" | chpasswd
echo 'root:sa'     | chpasswd
usermod -a -G sudo admin
echo -e "\e[1;33;4;44mPassword for the user admin: $pass\e[0m"

# Harden SSHD
echo AllowUsers admin >> /etc/ssh/sshd_config
sed -i -e 's/#Port 22/Port 50101/g' /etc/ssh/sshd_config
sed -i -e 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config

## Configure network using systemd
if [ ! -z $netAddress ]
then
## Network OPTION 1 - DHCP
cat >/etc/systemd/network/20-wired.network <<EOL
[Match]
Name=e*

[Network]
DHCP=ipv4
IPv6PrivacyExtensions=false
IPv6AcceptRA=false
NTP=$netNTP
EOL

else
## Network OPTION 2 - static
cat >/etc/systemd/network/20-wired.network <<EOL
[Match]
Name=$netDev

[Network]
Address=$netAddress
Gateway=$netGateway
Broadcast=$netBroadcast
DNS=$netDNS1
DNS=$netDNS2
NTP=$netNTP
EOL
fi

# Setup systemd resolver
rm /etc/resolv.conf
ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
systemctl enable systemd-networkd
# to be checked why port 5353 is opened externally
sed -i 's/#LLMNR=yes/LLMNR=no/' /etc/systemd/resolved.conf
systemctl enable systemd-resolved

# Limit journald logging to 1 month, 1 GB in total and split files per week
cat >>/etc/systemd/journald.conf <<EOL
# Custom settings
MaxFileSec=1G
MaxFileSec=1week
MaxFileSec=1m
EOL

# Show errors in motd
rm /etc/motd   
cat >/etc/update-motd.d/15-boot-errors<<EOL
#!/bin/sh
echo
journalctl --boot --priority=3 --no-pager
EOL
chmod 755 /etc/update-motd.d/15-boot-errors


# Leave chroot
exit
}


bootloader(){
# Install GRUB in /dev/vba
chroot $mnt /bin/bash -c "grub-install $disk && update-grub"

# Unmount
umount $mnt/proc
umount $mnt/sys
umount $mnt/dev/pts
umount $mnt/dev
}


postinstall(){
####----REBOOT into the new system, so we'll have dbus running
localectl set-locale LANG=de_DE.UTF-8         # Default for LC_* variables not  set. 
localectl set-locale LC_MESSAGES=en_US.UTF-8  # System messages. 
#localectl set-locale LC_RESPONSE=en_US.UTF-8  # How responses (such as Yes and No) appear
update-locale
timedatectl set-timezone Europe/Berlin
}