From 19ab070b1377c2d6a5f732fe54306b8bab641d42 Mon Sep 17 00:00:00 2001
From: Baco
Date: Tue, 2 Nov 2021 12:16:26 +0100
Subject: [PATCH] 2021-11-02 12:16:26

---
README.md | 3 ++
preseed.cfg | 117 +++++++++++++++++++++++++++++++++++-----------------
2 files changed, 82 insertions(+), 38 deletions(-)

diff --git a/README.md b/README.md
index a3a8f1f..1878abb 100644
--- a/README.md
+++ b/README.md
@@ -10,8 +10,11 @@ auto url=https://vogsphere.baco.net/baco/born2beroot/raw/branch/master/preseed.c
 - [Preseed](https://wiki.debian.org/DebianInstaller/Preseed)
 - [Automating the installation using preseeding](https://www.debian.org/releases/stable/amd64/apb.en.html)
 - [example-preseed.txt](https://www.debian.org/releases/stable/example-preseed.txt)
+- [partman-auto recipe](https://github.com/xobs/debian-installer/blob/master/doc/devel/partman-auto-recipe.txt)
 - [Preseeding Full Disk Encryption](https://www.linuxjournal.com/content/preseeding-full-disk-encryption)
 - [Debian worldwide mirror sites](https://www.debian.org/mirror/list)
+- [PAM pwquality](https://linux.die.net/man/8/pam_pwquality)
+- [pwquality.conf](https://linux.die.net/man/5/pwquality.conf)
 ```
 curl -sLo preseed.cfg https://www.debian.org/releases/stable/example-preseed.txt
diff --git a/preseed.cfg b/preseed.cfg
index 02550a7..d3f060a 100644
--- a/preseed.cfg
+++ b/preseed.cfg
@@ -9,7 +9,7 @@ d-i debian-installer/language string en
 d-i debian-installer/country string CH
 d-i debian-installer/locale string en_US.UTF-8
 # Optionally specify additional locales to be generated.
-d-i localechooser/supported-locales multiselect en_US.UTF-8, fr_CH.UTF-8
+d-i localechooser/supported-locales multiselect en_US.UTF-8, C.UTF-8, fr_CH.UTF-8
 # Keyboard selection.
 d-i keyboard-configuration/xkb-keymap select us
@@ -30,12 +30,12 @@ d-i netcfg/choose_interface select auto
 # To set a different link detection timeout (default is 3 seconds).
 # Values are interpreted as seconds.
-#d-i netcfg/link_wait_timeout string 10
+d-i netcfg/link_wait_timeout string 10
 # If you have a slow dhcp server and the installer times out waiting for
 # it, this might be useful.
-#d-i netcfg/dhcp_timeout string 60
-#d-i netcfg/dhcpv6_timeout string 60
+d-i netcfg/dhcp_timeout string 10
+d-i netcfg/dhcpv6_timeout string 10
 # If you prefer to configure the network manually, uncomment this line and
 # the static network configuration below.
@@ -123,8 +123,8 @@ d-i passwd/make-user boolean true
 d-i passwd/user-fullname string gbaconni
 d-i passwd/username string gbaconni
 # Normal user's password, either in clear text
-d-i passwd/user-password password Born2beRoot
-d-i passwd/user-password-again password Born2beRoot
+d-i passwd/user-password password Born+2+be+Root
+d-i passwd/user-password-again password Born+2+be+Root
 # or encrypted using a crypt(3) hash.
 #d-i passwd/user-password-crypted password [crypt(3) hash]
 # Create the first user with the specified UID instead of the default.
@@ -165,6 +165,13 @@ d-i clock-setup/ntp-server string ntp.metas.ch
 # - lvm: use LVM to partition the disk
 # - crypto: use LVM within an encrypted partition
 d-i partman-auto/method string crypto
+d-i partman-crypto/confirm boolean false
+d-i partman-crypto/passphrase password Born+2+be+Root
+d-i partman-crypto/passphrase-again password Born+2+be+Root
+d-i partman-crypto/warn_erase boolean true
+d-i partman-crypto/weak_passphrase boolean false
+d-i partman-auto/purge_lvm_from_device boolean true
+d-i partman-auto/automatically_partition boolean true
 # You can define the amount of space that will be used for the LVM volume
 # group. It can either be a size with its unit (eg. 20 GB), a percentage of
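Review bot: Lowering netcfg/dhcp_timeout and netcfg/dhcpv6_timeout from the commented default of 60 to 10 seconds makes an unattended `auto url=` install fragile: as far as I know, when no lease arrives in time netcfg falls back to asking the user how to configure the network, which is exactly the interactive step this preseed exists to avoid. Either keep a margin, e.g. `d-i netcfg/dhcp_timeout string 60`, or add a comment recording why 10 seconds is known to be enough on the target network.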
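Review bot: The user password (`passwd/user-password`) and the disk-encryption passphrase (`partman-crypto/passphrase`, in the partman-crypto hunk that follows) are stored in clear text in a file the README in this same patch fetches over a public URL, so anyone who can read that URL or the installer's debconf logs holds both secrets. For the account, the file already documents the alternative on the next line: use `d-i passwd/user-password-crypted password <crypt(3) hash>` and drop the clear-text pair. There is no hashed form for the LUKS passphrase, so treat it as a bootstrap secret: add a comment saying it must be changed after first boot, and do not reuse the same string as the login password, since leaking one then leaks the other. `partman-crypto/weak_passphrase boolean false` is, as far as I know, only consulted when the installer judges the passphrase weak, so a comment stating what it is expected to do here would help the next reader.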
@@ -175,6 +182,7 @@ d-i partman-auto-lvm/guided_size string max
 # contains an old LVM configuration, the user will normally receive a
 # warning. This can be preseeded away...
 d-i partman-lvm/device_remove_lvm boolean true
+d-i partman-lvm/device_remove_lvm_span boolean true
 # The same applies to pre-existing software RAID array:
 d-i partman-md/device_remove_md boolean true
 # And the same goes for the confirmation to write the lvm partitions.
@@ -186,56 +194,80 @@ d-i partman-lvm/confirm_nooverwrite boolean true
 # - home: separate /home partition
 # - multi: separate /home, /var, and /tmp partitions
 d-i partman-auto/choose_recipe select boot-crypto
-d-i partman-auto-lvm/new_vg_name string gbaconni42-vg
+d-i partman-auto-lvm/new_vg_name string LVMGroup
 d-i partman-auto/expert_recipe string \
 boot-crypto :: \
- 538 538 1075 free \
- $primary{ } \
- $iflabel{ gpt } \
- $reusemethod{ } \
- method{ efi } format{ } \
- . \
- 256 512 512 ext2 \
- $primary{ } \
+ 500 500 500 ext2 \
+ $primary{ } $bootable{ } \
 $defaultignore{ } \
 method{ format } format{ } \
 use_filesystem{ } filesystem{ ext2 } \
 mountpoint{ /boot } \
 . \
- 14000 14000 14000 ext4 \
+ 1 1 1 fat32 \
+ $primary{ } \
+ $defaultignore{ } \
+ method{ format } format{ } \
+ use_filesystem{ } filesystem{ fat32 } \
+ . \
+ 31027 32768 -1 lvm \
+ $defaultignore{ } \
+ method{ lvm } \
+ vg_name{ LVMGroup } \
+ . \
+ 10240 10240 10240 ext4 \
 $lvmok{ } \
+ in_vg{ LVMGroup } \
+ lv_name{ root } \
 method{ format } format{ } \
 use_filesystem{ } filesystem{ ext4 } \
 mountpoint{ / } \
 . \
- 120000 120000 120000 ext4 \
+ 2355 2355 2355 linux-swap \
 $lvmok{ } \
+ in_vg{ LVMGroup } \
+ lv_name{ swap } \
+ method{ swap } format{ } \
+ . \
+ 5120 5120 5120 ext4 \
+ $lvmok{ } \
+ in_vg{ LVMGroup } \
+ lv_name{ home } \
 method{ format } format{ } \
 use_filesystem{ } filesystem{ ext4 } \
 mountpoint{ /home } \
 . \
- 100% 100% 100% linux-swap \
- $lvmok{ } \
- lv_name{ swap } \
- method{ swap } format{ } \
- . \
- 4000 4000 4000 ext4 \
- $lvmok{ } \
- method{ format } format{ } \
- use_filesystem{ } filesystem{ ext4 } \
- mountpoint{ /tmp } \
- . \
- 10000 10000 10000 ext4 \
+ 3072 3072 3072 ext4 \
 $lvmok{ } \
+ in_vg{ LVMGroup } \
+ lv_name{ var } \
 method{ format } format{ } \
 use_filesystem{ } filesystem{ ext4 } \
 mountpoint{ /var } \
 . \
- 10000 100000 -1 ext4 \
+ 3072 3072 3072 ext4 \
 $lvmok{ } \
+ in_vg{ LVMGroup } \
+ lv_name{ srv } \
 method{ format } format{ } \
 use_filesystem{ } filesystem{ ext4 } \
- mountpoint{ /spare } \
+ mountpoint{ /srv } \
+ . \
+ 3072 3072 3072 ext4 \
+ $lvmok{ } \
+ in_vg{ LVMGroup } \
+ lv_name{ tmp } \
+ method{ format } format{ } \
+ use_filesystem{ } filesystem{ ext4 } \
+ mountpoint{ /tmp } \
+ . \
+ 4096 4096 4096 ext4 \
+ $lvmok{ } \
+ in_vg{ LVMGroup } \
+ lv_name{ var-log } \
+ method{ format } format{ } \
+ use_filesystem{ } filesystem{ ext4 } \
+ mountpoint{ /var/log } \
 . \
 # Or provide a recipe of your own...
@@ -353,7 +385,7 @@ d-i partman/confirm_nooverwrite boolean true
 # The default is to mount by UUID, but you can also choose "traditional" to
 # use traditional device names, or "label" to try filesystem labels before
 # falling back to UUIDs.
-#d-i partman/mount_style select uuid
+d-i partman/mount_style select label
 ### Base system installation
 # Configure APT to not install recommended packages by default. Use of this
@@ -397,17 +429,18 @@ d-i apt-setup/security_host string security.debian.org
 #d-i debian-installer/allow_unauthenticated boolean true
 # Uncomment this to add multiarch configuration for i386
-d-i apt-setup/multiarch string i386
+#d-i apt-setup/multiarch string i386
 ### Package selection
-tasksel tasksel/first multiselect standard
+tasksel tasksel/first multiselect minimal
 # Individual additional packages to install
-d-i pkgsel/include string openssh-server vim
+d-i pkgsel/include string openssh-server sudo libpam-pwquality ufw vim
 # Whether to upgrade packages after debootstrap.
 # Allowed values: none, safe-upgrade, full-upgrade
-d-i pkgsel/upgrade select safe-upgrade
+d-i pkgsel/upgrade select full-upgrade
+d-i pkgsel/update-policy select unattended-upgrades
 # Some versions of the installer can report back on what software you have
 # installed, and what software you use. The default is not to report back,
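Review bot: The new `1 1 1 fat32` stanza has no mountpoint and uses `method{ format }`, so it is neither the EFI System Partition the removed stanza created with `method{ efi }` nor a BIOS boot partition (`method{ biosgrub }`); on UEFI firmware grub-installer would then have nothing to install into. Add a comment stating which firmware this recipe targets, and restore `method{ efi }` if UEFI boot is expected. Separately, the dedicated `tmp`, `var-log` and `srv` volumes are an opportunity to limit what can run from them: partman recipes accept mount options per stanza, e.g. `options/nodev{ nodev } options/nosuid{ nosuid } \` inside the /tmp and /var/log stanzas before their closing `.`, adding `options/noexec{ noexec }` where nothing on the box needs to execute from those paths.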
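Review bot: `partman/mount_style select label` makes /etc/fstab identify filesystems by label, and labels are not unique: any attached disk carrying the same label can be selected instead of the intended volume, which is why the example file keeps uuid as the default. Unless there is a reason to need labels (none is given in the hunk), keep `d-i partman/mount_style select uuid` or add a comment explaining the choice.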
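Review bot: `tasksel tasksel/first multiselect minimal` names a task I cannot find among tasksel's documented task names (standard, ssh-server, the desktop tasks); if it is not recognised the line is a silent no-op, which may happen to be the intended outcome. If the goal is to install no tasks, say so in a comment and verify against the installer's tasksel that the value is accepted rather than relying on it being ignored. The added `ufw` and `libpam-pwquality` packages are only installed here while their configuration lives in the late_command further down, so a one-line comment pointing there would keep the two in sync when either changes.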
@@ -425,7 +458,7 @@ d-i grub-installer/only_debian boolean true
 # This one makes grub-installer install to the UEFI partition/boot record, if
 # it also finds some other OS, which is less safe as it might not be able to
 # boot that other OS.
-d-i grub-installer/with_other_os boolean true
+d-i grub-installer/with_other_os boolean false
 # Due notably to potential USB sticks, the location of the primary drive can
 # not be determined safely in general, so this needs to be specified:
@@ -505,5 +538,13 @@ d-i finish-install/reboot_in_progress note
 #d-i preseed/late_command string apt-install zsh; in-target chsh -s /bin/zsh
 d-i preseed/late_command \
 in-target update-alternatives --set editor /usr/bin/vim.basic; \
- in-target passwd --expire root
+ in-target sed -i'.orig' -r 's/^#?(Port) .*/\1 4242/; s/^#?(PermitRootLogin) .*/\1 no/;' /etc/ssh/sshd_config; \
+ in-target ufw enable; \
+ in-target ufw allow proto tcp from any to any port 4242 comment 'Allow SSH'; \
+ in-target getent group sudo >/dev/null 2>&1 || groupadd -f -r sudo; \
+ in-target getent group user42 >/dev/null 2>&1 || groupadd -f user42; \
+ in-target usermod -a -G sudo,user42 gbaconni; \
+ in-target sed -i'.orig' -r 's/^#?(PASS_MAX_DAYS).*/\1\t30/; s/^#?(PASS_MIN_DAYS).*/\1\t2/; s/^#?(PASS_WARN_AGE).*/\1\t7/; s/^#?(PASS_MIN_LEN).*/\1\t10/;' /etc/login.defs; \
+ in-target sed -i'.orig' -r 's/^[# ]?(minlen =)/\1 10/; s/^[# ]?([ud]credit =)/\1 -1/; s/^[# ]?(maxrepeat =)/\1 3/; s/^[# ]?(usercheck =)/\1 1/; s/^[# ]?(difok =)/\1 7/;' /etc/security/pwquality.conf; \
+ in-target apt-get clean