bootstrap/bootrap-bullseye.sh

#!/bin/bash -e
#----------
# Interactive installation steps for Debian Bullseye from GRML using debootstrap
# Setup network in grml
grmlnetwork(){
ip link show # list interfaces
ip addr add 203.0.113.66/24 dev eth0
ip link set eth0 up
ip route add default via 203.0.113.1
echo 1.1.1.1 > /etc/resolv.conf
}

# Design decisions
# - Add a small file-based swap partition as safety net
# - Use systemd whereever possible (network, ntp, cron, journald logging)
# - One partion on /dev/vda
# - Minimal number of packages & cloud kernel

# Variables
mnt="/mnt/root"  # mountpoint for the new root filesystem
hostname="somehost.example.com"
disk="/dev/vda"  # lsblk --list
disk1=$disk"1"
netDev=eth0
netAddress=203.0.113.66/24
netGateway=203.0.113.1
netBroadcast=203.0.113.255
netDNS1=192.0.2.10
netDNS2=198.51.100.10
netNTP=pool.ntp.org

[ -f ./config.sh ] && source config.sh


install(){
#----------
# Prepare disks
# Parition disks -- pkg: parted
parted $disk -s \
mklabel msdos \
mkpart primary ext4 512M 100% toggle 1 boot
fdisk -l $disk

# Format disks -- pkg: e2fsprogs dosfstools and to file system check
mkfs.ext4 $disk1 && e2fsck $disk1

# Prepare mount points and mount
mkdir -p $mnt
mount $disk1 $mnt

# Create swapfile
swapfile=$mnt/swapfile
dd if=/dev/zero of=$swapfile bs=1M count=1024 status=progress # create 1GB  file
chmod 600 $swapfile #restric permissions
mkswap $swapfile #format file


#----------
# Bootstrap -- pkg: debootstrap
# Remark: Debootstrap does not install recommands!! 
debootstrap --variant=minbase --arch=amd64 bullseye $mnt http://ftp2.de.debian.org/debian/

#----------
# Configuration
# Configure disk mounts
# Or get UUID from blkid...
cat >$mnt/etc/fstab <<EOL
$disk1        /                     ext4 rw       0 0
/swapfile        none                  swap defaults 0 0
EOL

# Configure sources.list
cat >/etc/apt/sources.list <<EOL
deb http://ftp2.de.debian.org/debian bullseye main contrib non-free
#deb-src http://ftp2.de.debian.org/debian bullseye main contrib non-free
deb http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
#deb-src http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
deb http://ftp2.de.debian.org/debian bullseye-updates main contrib non-free
#deb-src http://ftp2.de.debian.org/debian bullseye-updates main contrib non-free
EOL

# Configure hostname
echo "127.0.0.1       $hostname" >> /etc/hosts
echo $hostname > /etc/hostname

#----------
# Prepare chroot
mount -o bind /dev $mnt/dev
mount -o bind /dev/pts $mnt/dev/pts
mount -t sysfs /sys $mnt/sys
mount -t proc /proc $mnt/proc
cp /proc/mounts $mnt/etc/mtab
cp /etc/resolv.conf $mnt/etc/resolv.conf
mkdir -p $mnt/installer
cp $(dirname `realpath $0`)/*.sh $mnt/installer

# Run script in chroot
chroot $mnt /bin/bash $mnt/installer/bootrap-bullseye.sh install2

# Install bootloader
$0 bootloader

}

#----------
# Function executed within chroot
install2(){
# Install basic system
apt-get update
apt-get install --yes \
  apt-utils dialog msmtp-mta \
  systemd-sysv locales tzdata haveged \
  linux-image-cloud-amd64 grub-pc \
  iproute2 netbase \
  ssh sudo \
  less vim-tiny bash-completion pwgen lsof \
  dnsutils iputils-ping curl

# Upgrade and clean up
apt-get upgrade --yes
apt-get autoremove --yes
apt-get clean --yes

# Setup users
pass=`pwgen --capitalize --numerals --ambiguous 12 1`
useradd admin --create-home --shell /bin/bash
echo "admin:$pass" | chpasswd
echo 'root:sa'     | chpasswd
usermod -a -G sudo admin
echo -e "\e[1;33;4;44mPassword for the user admin: $pass\e[0m"

# Harden SSHD
echo AllowUsers admin >> /etc/ssh/sshd_config
sed -i -e 's/#Port 22/Port 50101/g' /etc/ssh/sshd_config
sed -i -e 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config

## Configure network using systemd
if [ ! -z $netAddress ]
then
## Network OPTION 1 - DHCP
cat >/etc/systemd/network/20-wired.network <<EOL
[Match]
Name=e*

[Network]
DHCP=ipv4
IPv6PrivacyExtensions=false
IPv6AcceptRA=false
NTP=$netNTP
EOL

else
## Network OPTION 2 - static
cat >/etc/systemd/network/20-wired.network <<EOL
[Match]
Name=$netDev

[Network]
Address=$netAddress
Gateway=$netGateway
Broadcast=$netBroadcast
DNS=$netDNS1
DNS=$netDNS2
NTP=$netNTP
EOL
fi

# Setup systemd resolver
rm /etc/resolv.conf
ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
systemctl enable systemd-networkd
# to be checked why port 5353 is opened externally
sed -i 's/#LLMNR=yes/LLMNR=no/' /etc/systemd/resolved.conf
systemctl enable systemd-resolved

# Limit journald logging to 1 month, 1 GB in total and split files per week
cat >>/etc/systemd/journald.conf <<EOL
# Custom settings
MaxFileSec=1G
MaxFileSec=1week
MaxFileSec=1m
EOL

# Show errors in motd
rm /etc/motd   
cat >/etc/update-motd.d/15-boot-errors<<EOL
#!/bin/sh
echo
journalctl --boot --priority=3 --no-pager
EOL
chmod 755 /etc/update-motd.d/15-boot-errors



# Leave chroot
exit
}


bootloader(){
# Install GRUB in /dev/vba
chroot $mnt /bin/bash -c "grub-install $disk && update-grub"

# Unmount
umount $mnt/proc
umount $mnt/sys
umount $mnt/dev/pts
umount $mnt/dev
}


postinstall(){
####----REBOOT into the new system, so we'll have dbus running
localectl set-locale LANG=de_DE.UTF-8         # Default for LC_* variables not  set. 
localectl set-locale LC_MESSAGES=en_US.UTF-8  # System messages. 
#localectl set-locale LC_RESPONSE=en_US.UTF-8  # How responses (such as Yes and No) appear
update-locale
timedatectl set-timezone Europe/Berlin
}


# Switch to functions...
case $1 in
  grmlnetwork) 
    grmlnetwork
    ;;
  install)
    install
    ;;
  install2)
    install2
    ;;
  bootloader)
    bootloader
    ;;
  postinstall)
    postinstall
    ;;
  *)
    echo "Valid functions are: grmlnetwork, install, postinstall" >&2
    ;;
esac