bootstrap-bookworm.sh 7.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296
  1. #!/bin/bash -e
  2. #----------
  3. # Interactive installation steps for Debian Bullseye from GRML using debootstrap
  4. # Design decisions
  5. # - Fokus on a simple setup, primarly for VMs
  6. # - One disk, one partion, swap-file in the same partion as safety net
  7. # - Use systemd whereever possible (network, ntp, cron, journald logging)
  8. # - Minimal number of packages & cloud kernel
  9. # - grub-pc, not efi
  10. # - random root and admin user password generation
  11. # - ssh on port 50101 limited to the admin user
  12. # Usage
  13. # # Boot grml
  14. # passwd root
  15. # grml-network
  16. # Start ssh
  17. # git clone https://git.in-ulm.de/ulpeters/bootstrap.git
  18. # cp config.sh.template config.sh # copy template
  19. # config-get-netconf-eth0.sh # get running grml network config
  20. # vi config.sh # update installation variables
  21. # bootstrap-bullseye.sh install # start installation
  22. # !! Note down the admin passwords and reboot
  23. # sudo /installer/bootstrap-bullseye.sh postinstall # run postinstall in the new system
  24. # Variables
  25. mnt="/mnt/root" # mountpoint for the new root filesystem
  26. hostname="somehost.example.com"
  27. disk="/dev/vda" # lsblk --list
  28. disk1=$disk"1"
  29. netDev="eth0" # ip link
  30. netAddress="203.0.113.66/24"
  31. netGateway="203.0.113.1"
  32. netBroadcast="203.0.113.255"
  33. netDNS1="192.0.2.10"
  34. netDNS2="198.51.100.10"
  35. netNTP="pool.ntp.org"
  36. extraPackages=""
  37. [ -f ./config.sh ] && source config.sh
  38. # Setup network in grml
  39. grmlnetwork(){
  40. ip link show # list interfaces
  41. ip addr add $netAddress dev $netDev
  42. ip link set $netDev up
  43. ip route add default via $netGateway
  44. echo nameserver $netDNS1 >> /etc/resolv.conf
  45. echo nameserver $netDNS2 >> /etc/resolv.conf
  46. }
  47. install(){
  48. #----------
  49. # Prepare disks
  50. # Parition disks -- pkg: parted
  51. parted $disk -s \
  52. mklabel msdos \
  53. mkpart primary ext4 512M 100% toggle 1 boot
  54. fdisk -l $disk
  55. # Format disks -- pkg: e2fsprogs dosfstools and to file system check
  56. mkfs.ext4 $disk1 && e2fsck $disk1
  57. # Prepare mount points and mount
  58. mkdir -p $mnt
  59. mount $disk1 $mnt
  60. # Create swapfile
  61. swapfile=$mnt/swapfile
  62. dd if=/dev/zero of=$swapfile bs=1M count=1024 status=progress # create 1GB file
  63. chmod 600 $swapfile #restric permissions
  64. mkswap $swapfile #format file
  65. #----------
  66. # Bootstrap -- pkg: debootstrap
  67. # Remark: Debootstrap does not install recommands!!
  68. debootstrap --variant=minbase --arch=amd64 bookworm $mnt http://ftp2.de.debian.org/debian/
  69. #----------
  70. # Configuration
  71. # Configure disk mounts
  72. # Or get UUID from blkid...
  73. cat >$mnt/etc/fstab <<EOL
  74. $disk1 / ext4 rw 0 0
  75. /swapfile none swap defaults 0 0
  76. EOL
  77. # Configure sources.list
  78. cat >$mnt/etc/apt/sources.list <<EOL
  79. deb http://deb.debian.org/debian bookworm main non-free-firmware
  80. # deb-src http://deb.debian.org/debian bookworm main non-free-firmware
  81. deb http://deb.debian.org/debian-security/ bookworm-security main non-free-firmware
  82. # deb-src http://deb.debian.org/debian-security/ bookworm-security main non-free-firmware
  83. deb http://deb.debian.org/debian bookworm-updates main non-free-firmware
  84. # deb-src http://deb.debian.org/debian bookworm-updates main non-free-firmware
  85. EOL
  86. # Configure hostname
  87. echo "127.0.0.1 $hostname" >> $mnt/etc/hosts
  88. echo "$hostname" > $mnt/etc/hostname
  89. #----------
  90. # Prepare chroot
  91. mount -o bind /dev $mnt/dev
  92. mount -o bind /dev/pts $mnt/dev/pts
  93. mount -t sysfs /sys $mnt/sys
  94. mount -t proc /proc $mnt/proc
  95. cp /proc/mounts $mnt/etc/mtab
  96. cp /etc/resolv.conf $mnt/etc/resolv.conf
  97. mkdir -p $mnt/installer
  98. cp $(dirname `realpath $0`)/*.sh $mnt/installer
  99. # Run script in chroot
  100. chroot $mnt /bin/bash /installer/bootstrap-bullseye.sh install2
  101. # Install bootloader
  102. $0 bootloader
  103. }
  104. #----------
  105. # Function executed within chroot
  106. install2(){
  107. source /installer/config.sh
  108. # Install basic system
  109. apt-get update
  110. apt-get install --yes \
  111. apt-utils dialog msmtp-mta \
  112. systemd-sysv locales tzdata haveged \
  113. linux-image-cloud-amd64 grub-pc \
  114. iproute2 netbase \
  115. ssh sudo molly-guard \
  116. less vim-tiny bash-completion pwgen lsof \
  117. dnsutils iputils-ping curl \
  118. $extraPackages
  119. # Upgrade and clean up
  120. apt-get upgrade --yes
  121. apt-get autoremove --yes
  122. apt-get clean --yes
  123. # Setup users and passwords
  124. [ -z $pwdAdmin ] && pwdAdmin=`pwgen --capitalize --numerals --ambiguous 12 1`
  125. useradd admin --create-home --shell /bin/bash
  126. echo "admin:$pwdAdmin" | chpasswd
  127. usermod -a -G sudo admin
  128. echo -e "\e[1;33;4;44mPassword for the user admin: $pwdAdmin\e[0m"
  129. pass=`pwgen --capitalize --numerals --ambiguous 12 1`
  130. [ -z $pwdRoot ] && pwdRoot=`pwgen --capitalize --numerals --ambiguous 12 1`
  131. echo "root:$pwdRoot" | chpasswd
  132. echo -e "\e[1;33;4;44mPassword for the user root: $pwdRoot\e[0m"
  133. # Harden SSHD
  134. sed -i -e 's/#Port 22/Port 50101/g' /etc/ssh/sshd_config
  135. sed -i -e 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config
  136. # https://infosec.mozilla.org/guidelines/openssh.html
  137. # Allow admin to sudo without password
  138. echo AllowUsers admin >> /etc/ssh/sshd_config
  139. echo "admin ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/admin
  140. ## Configure network using systemd
  141. if [ -z $netAddress ]
  142. then
  143. ## Network OPTION 1 - DHCP
  144. cat >/etc/systemd/network/20-wired.network <<EOL
  145. [Match]
  146. Name=e*
  147. [Network]
  148. DHCP=ipv4
  149. IPv6PrivacyExtensions=false
  150. IPv6AcceptRA=false
  151. NTP=$netNTP
  152. EOL
  153. else
  154. ## Network OPTION 2 - static
  155. cat >/etc/systemd/network/20-wired.network <<EOL
  156. [Match]
  157. Name=$netDev
  158. [Network]
  159. Address=$netAddress
  160. Gateway=$netGateway
  161. Broadcast=$netBroadcast
  162. DNS=$netDNS1
  163. DNS=$netDNS2
  164. LLMNR=no
  165. MulticastDNS=no
  166. NTP=$netNTP
  167. EOL
  168. fi
  169. ## Setup systemd resolver
  170. #apt-get install --yes systemd-resolved
  171. #rm /etc/resolv.conf
  172. #ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
  173. #systemctl enable systemd-networkd
  174. #systemctl enable systemd-resolved
  175. # Limit journald logging to 1 month, 1 GB in total and split files per week
  176. mkdir -p /etc/systemd/journald.conf.d/
  177. cat >/etc/systemd/journald.conf.d/retention.conf <<EOL
  178. MaxRetentionSec=1month
  179. SystemMaxUse=1G
  180. MaxFileSec=1week
  181. EOL
  182. # Show errors in motd
  183. rm /etc/motd
  184. cat >/etc/update-motd.d/15-boot-errors<<EOL
  185. #!/bin/sh
  186. echo
  187. journalctl --boot --priority=3 --no-pager
  188. EOL
  189. chmod 755 /etc/update-motd.d/15-boot-errors
  190. # Setup keyboard layout
  191. cat >/etc/default/keyboard <<EOL
  192. XKBMODEL="pc105"
  193. XKBLAYOUT="de"
  194. XKBVARIANT="nodeadkeys"
  195. XKBOPTIONS=""
  196. BACKSPACE="guess"
  197. EOL
  198. # Leave chroot
  199. exit
  200. }
  201. bootloader(){
  202. # Install GRUB in /dev/vba
  203. chroot $mnt /bin/bash -c "grub-install $disk && update-grub"
  204. }
  205. unmount(){
  206. # Unmount if mounted
  207. ! mountpoint -q $mnt/proc || umount $mnt/proc
  208. ! mountpoint -q $mnt/sys || umount $mnt/sys
  209. ! mountpoint -q $mnt/dev/pts || umount $mnt/dev/pts
  210. ! mountpoint -q $mnt/dev || umount $mnt/dev
  211. ! mountpoint -q $mnt/root || umount $mnt/root
  212. ! mountpoint -q $mnt || umount $mnt
  213. # Delete mount-point if empty and not mounted
  214. [ -z "$(ls -A /mnt/)" ] && ! mountpoint -q $mnt && rm -R $mnt
  215. }
  216. postinstall(){
  217. ####----REBOOT into the new system, so we'll have dbus running
  218. localectl set-locale LANG=de_DE.UTF-8 # Default for LC_* variables not set.
  219. localectl set-locale LC_MESSAGES=en_US.UTF-8 # System messages.
  220. #localectl set-locale LC_RESPONSE=en_US.UTF-8 # How responses (such as Yes and No) appear
  221. update-locale
  222. timedatectl set-timezone Europe/Berlin
  223. }
  224. # Switch to functions...
  225. case $1 in
  226. grmlnetwork)
  227. echo Setup network in grml
  228. grmlnetwork
  229. ;;
  230. install)
  231. echo "Stage 1: Start installation"
  232. install
  233. ;;
  234. install2)
  235. echo "Stage 2: Start installation in chroot"
  236. install2
  237. ;;
  238. bootloader)
  239. echo "Stage 3: Install bootloader and unmount chroot"
  240. bootloader
  241. unmount
  242. echo "We're done and can reboot now"
  243. ;;
  244. postinstall)
  245. echo "Stage 4: Start post-installation in live system"
  246. postinstall
  247. ;;
  248. unmount)
  249. echo "Unmount chroot, e.g. in case installation fails"
  250. unmount
  251. ;;
  252. *)
  253. echo "Valid functions are: grmlnetwork, install, postinstall and unmount" >&2
  254. ;;
  255. esac