git Service of IN-Ulm e.V. Explore Help
Sign In
ulpeters
/
bootstrap
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: a93bf76682
Branches Tags
bootstrap
/
bootstrap-bullseye.sh

bootstrap-bullseye.sh 6.9 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269 
  1. #!/bin/bash -e
    2. 

  2. #----------
    3. 

  3. # Interactive installation steps for Debian Bullseye from GRML using debootstrap
    4. 

  4. 

  5. # Design decisions
    6. 

  6. # - Fokus on a simple setup, primarly for VMs
    7. 

  7. # - One disk, one partion, swap-file in the same partion as safety net
    8. 

  8. # - Use systemd whereever possible (network, ntp, cron, journald logging)
    9. 

  9. # - Minimal number of packages & cloud kernel
    10. 

  10. # - grub-pc, not efi
    11. 

  11. # - random root and admin user password generation
    12. 

  12. 

  13. # Usage
    14. 

  14. # Boot grml and clone repo
    15. 

  15. # cp config.sh.template config.sh                    # copy template
    16. 

  16. # vi config.sh                                       # update installation variables
    17. 

  17. # bootstrap-bullseye.sh install                      # start installation
    18. 

  18. # !! Note down the admin passwords and reboot
    19. 

  19. # sudo /installer/bootstrap-bullseye.sh postinstall  # run postinstall in the new system
    20. 

  20. 

  21. # Variables
    22. 

  22. mnt="/mnt/root"  # mountpoint for the new root filesystem
    23. 

  23. hostname="somehost.example.com"
    24. 

  24. disk="/dev/vda"  # lsblk --list
    25. 

  25. disk1=$disk"1"
    26. 

  26. netDev="eth0"    # ip link
    27. 

  27. netAddress="203.0.113.66/24"
    28. 

  28. netGateway="203.0.113.1"
    29. 

  29. netBroadcast="203.0.113.255"
    30. 

  30. netDNS1="192.0.2.10"
    31. 

  31. netDNS2="198.51.100.10"
    32. 

  32. netNTP="pool.ntp.org"
    33. 

  33. 

  34. [ -f ./config.sh ] && source config.sh
    35. 

  35. 

  36. 

  37. # Setup network in grml
    38. 

  38. grmlnetwork(){
    39. 

  39. ip link show # list interfaces
    40. 

  40. ip addr add $netAddress dev $netDev
    41. 

  41. ip link set $netDev up
    42. 

  42. ip route add default via §netGateway
    43. 

  43. echo nameserver $netDNS1 >> /etc/resolv.conf
    44. 

  44. echo nameserver $netDNS2 >> /etc/resolv.conf
    45. 

  45. }
    46. 

  46. 

  47. 

  48. install(){
    49. 

  49. #----------
    50. 

  50. # Prepare disks
    51. 

  51. # Parition disks -- pkg: parted
    52. 

  52. parted $disk -s \
    53. 

  53. mklabel msdos \
    54. 

  54. mkpart primary ext4 512M 100% toggle 1 boot
    55. 

  55. fdisk -l $disk
    56. 

  56. 

  57. # Format disks -- pkg: e2fsprogs dosfstools and to file system check
    58. 

  58. mkfs.ext4 $disk1 && e2fsck $disk1
    59. 

  59. 

  60. # Prepare mount points and mount
    61. 

  61. mkdir -p $mnt
    62. 

  62. mount $disk1 $mnt
    63. 

  63. 

  64. # Create swapfile
    65. 

  65. swapfile=$mnt/swapfile
    66. 

  66. dd if=/dev/zero of=$swapfile bs=1M count=1024 status=progress # create 1GB  file
    67. 

  67. chmod 600 $swapfile #restric permissions
    68. 

  68. mkswap $swapfile #format file
    69. 

  69. 

  70. #----------
    71. 

  71. # Bootstrap -- pkg: debootstrap
    72. 

  72. # Remark: Debootstrap does not install recommands!! 
    73. 

  73. debootstrap --variant=minbase --arch=amd64 bullseye $mnt http://ftp2.de.debian.org/debian/
    74. 

  74. 

  75. #----------
    76. 

  76. # Configuration
    77. 

  77. # Configure disk mounts
    78. 

  78. # Or get UUID from blkid...
    79. 

  79. cat >$mnt/etc/fstab <<EOL
    80. 

  80. $disk1        /                     ext4 rw       0 0
    81. 

  81. /swapfile        none                  swap defaults 0 0
    82. 

  82. EOL
    83. 

  83. 

  84. # Configure sources.list
    85. 

  85. cat >/etc/apt/sources.list <<EOL
    86. 

  86. deb http://ftp2.de.debian.org/debian bullseye main contrib non-free
    87. 

  87. #deb-src http://ftp2.de.debian.org/debian bullseye main contrib non-free
    88. 

  88. deb http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
    89. 

  89. #deb-src http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
    90. 

  90. deb http://ftp2.de.debian.org/debian bullseye-updates main contrib non-free
    91. 

  91. #deb-src http://ftp2.de.debian.org/debian bullseye-updates main contrib non-free
    92. 

  92. EOL
    93. 

  93. 

  94. # Configure hostname
    95. 

  95. echo "127.0.0.1       $hostname" >> /etc/hosts
    96. 

  96. echo $hostname > /etc/hostname
    97. 

  97. 

  98. #----------
    99. 

  99. # Prepare chroot
    100. 

  100. mount -o bind /dev $mnt/dev
    101. 

  101. mount -o bind /dev/pts $mnt/dev/pts
    102. 

  102. mount -t sysfs /sys $mnt/sys
    103. 

  103. mount -t proc /proc $mnt/proc
    104. 

  104. cp /proc/mounts $mnt/etc/mtab
    105. 

  105. cp /etc/resolv.conf $mnt/etc/resolv.conf
    106. 

  106. mkdir -p $mnt/installer
    107. 

  107. cp $(dirname `realpath $0`)/*.sh $mnt/installer
    108. 

  108. 

  109. # Run script in chroot
    110. 

  110. chroot $mnt /bin/bash /installer/bootstrap-bullseye.sh install2
    111. 

  111. 

  112. # Install bootloader
    113. 

  113. $0 bootloader
    114. 

  114. 

  115. }
    116. 

  116. 

  117. 

  118. #----------
    119. 

  119. # Function executed within chroot
    120. 

  120. install2(){
    121. 

  121. # Install basic system
    122. 

  122. apt-get update
    123. 

  123. apt-get install --yes \
    124. 

  124.   apt-utils dialog msmtp-mta \
    125. 

  125.   systemd-sysv locales tzdata haveged \
    126. 

  126.   linux-image-cloud-amd64 grub-pc \
    127. 

  127.   iproute2 netbase \
    128. 

  128.   ssh sudo \
    129. 

  129.   less vim-tiny bash-completion pwgen lsof \
    130. 

  130.   dnsutils iputils-ping curl
    131. 

  131. 

  132. # Upgrade and clean up
    133. 

  133. apt-get upgrade --yes
    134. 

  134. apt-get autoremove --yes
    135. 

  135. apt-get clean --yes
    136. 

  136. 

  137. # Setup users and passwords
    138. 

  138. pass=`pwgen --capitalize --numerals --ambiguous 12 1`
    139. 

  139. useradd admin --create-home --shell /bin/bash
    140. 

  140. echo "admin:$pass" | chpasswd
    141. 

  141. usermod -a -G sudo admin
    142. 

  142. echo -e "\e[1;33;4;44mPassword for the user admin: $pass\e[0m"
    143. 

  143. pass=`pwgen --capitalize --numerals --ambiguous 12 1`
    144. 

  144. echo 'root:$pass'     | chpasswd
    145. 

  145. echo -e "\e[1;33;4;44mPassword for the user root: $pass\e[0m"
    146. 

  146. 

  147. # Harden SSHD
    148. 

  148. echo AllowUsers admin >> /etc/ssh/sshd_config
    149. 

  149. sed -i -e 's/#Port 22/Port 50101/g' /etc/ssh/sshd_config
    150. 

  150. sed -i -e 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config
    151. 

  151. 

  152. ## Configure network using systemd
    153. 

  153. if [ -z $netAddress ]
    154. 

  154. then
    155. 

  155. ## Network OPTION 1 - DHCP
    156. 

  156. cat >/etc/systemd/network/20-wired.network <<EOL
    157. 

  157. [Match]
    158. 

  158. Name=e*
    159. 

  159. 

  160. [Network]
    161. 

  161. DHCP=ipv4
    162. 

  162. IPv6PrivacyExtensions=false
    163. 

  163. IPv6AcceptRA=false
    164. 

  164. NTP=$netNTP
    165. 

  165. EOL
    166. 

  166. 

  167. else
    168. 

  168. ## Network OPTION 2 - static
    169. 

  169. cat >/etc/systemd/network/20-wired.network <<EOL
    170. 

  170. [Match]
    171. 

  171. Name=$netDev
    172. 

  172. 

  173. [Network]
    174. 

  174. Address=$netAddress
    175. 

  175. Gateway=$netGateway
    176. 

  176. Broadcast=$netBroadcast
    177. 

  177. DNS=$netDNS1
    178. 

  178. DNS=$netDNS2
    179. 

  179. NTP=$netNTP
    180. 

  180. EOL
    181. 

  181. fi
    182. 

  182. 

  183. # Setup systemd resolver
    184. 

  184. rm /etc/resolv.conf
    185. 

  185. ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
    186. 

  186. systemctl enable systemd-networkd
    187. 

  187. # to be checked why port 5353 is opened externally
    188. 

  188. sed -i 's/#LLMNR=yes/LLMNR=no/' /etc/systemd/resolved.conf
    189. 

  189. systemctl enable systemd-resolved
    190. 

  190. 

  191. # Limit journald logging to 1 month, 1 GB in total and split files per week
    192. 

  192. cat >>/etc/systemd/journald.conf <<EOL
    193. 

  193. # Custom settings
    194. 

  194. MaxFileSec=1G
    195. 

  195. MaxFileSec=1week
    196. 

  196. MaxFileSec=1m
    197. 

  197. EOL
    198. 

  198. 

  199. # Show errors in motd
    200. 

  200. rm /etc/motd   
    201. 

  201. cat >/etc/update-motd.d/15-boot-errors<<EOL
    202. 

  202. #!/bin/sh
    203. 

  203. echo
    204. 

  204. journalctl --boot --priority=3 --no-pager
    205. 

  205. EOL
    206. 

  206. chmod 755 /etc/update-motd.d/15-boot-errors
    207. 

  207. 

  208. # Leave chroot
    209. 

  209. exit
    210. 

  210. }
    211. 

  211. 

  212. 

  213. bootloader(){
    214. 

  214. # Install GRUB in /dev/vba
    215. 

  215. chroot $mnt /bin/bash -c "grub-install $disk && update-grub"
    216. 

  216. }
    217. 

  217. 

  218. unmount(){
    219. 

  219. # Unmount if mounted
    220. 

  220. ! mountpoint -q $mnt/proc    || umount $mnt/proc
    221. 

  221. ! mountpoint -q $mnt/sys     || umount $mnt/sys
    222. 

  222. ! mountpoint -q $mnt/dev/pts || umount $mnt/dev/pts
    223. 

  223. ! mountpoint -q $mnt/dev     || umount $mnt/dev
    224. 

  224. ! mountpoint -q $mnt/root    || umount $mnt/root
    225. 

  225. }
    226. 

  226. 

  227. 

  228. postinstall(){
    229. 

  229. ####----REBOOT into the new system, so we'll have dbus running
    230. 

  230. localectl set-locale LANG=de_DE.UTF-8         # Default for LC_* variables not  set. 
    231. 

  231. localectl set-locale LC_MESSAGES=en_US.UTF-8  # System messages. 
    232. 

  232. #localectl set-locale LC_RESPONSE=en_US.UTF-8  # How responses (such as Yes and No) appear
    233. 

  233. update-locale
    234. 

  234. timedatectl set-timezone Europe/Berlin
    235. 

  235. }
    236. 

  236. 

  237. 

  238. # Switch to functions...
    239. 

  239. case $1 in
    240. 

  240.   grmlnetwork)
    241. 

  241.     echo Setup network in grml
    242. 

  242.     grmlnetwork
    243. 

  243.     ;;
    244. 

  244.   install)
    245. 

  245.     echo "Stage 1: Start installation"
    246. 

  246.     install
    247. 

  247.     ;;
    248. 

  248.   install2)
    249. 

  249.     echo "Stage 2: Start installation in chroot"
    250. 

  250.     install2
    251. 

  251.     ;;
    252. 

  252.   bootloader)
    253. 

  253.     echo "Stage 3: Install bootloader and unmount chroot"
    254. 

  254.     bootloader
    255. 

  255.     unmount
    256. 

  256.     echo "We're done and can reboot now"
    257. 

  257.     ;;
    258. 

  258.   postinstall)
    259. 

  259.     echo "Stage 4: Start post-installation in live system"
    260. 

  260.     postinstall
    261. 

  261.     ;;
    262. 

  262.   unmount)
    263. 

  263.     echo "Unmount chroot, e.g. in case installation fails"
    264. 

  264.     unmount
    265. 

  265.     ;;
    266. 

  266.   *)
    267. 

  267.     echo "Valid functions are: grmlnetwork, install, postinstall and umount" >&2
    268. 

  268.     ;;
    269. 

  269. esac
    270.