2021-11-02 12:16:26

README.md

@@ -10,8 +10,11 @@ auto url=https://vogsphere.baco.net/baco/born2beroot/raw/branch/master/preseed.c
 - [Preseed](https://wiki.debian.org/DebianInstaller/Preseed)
 - [Automating the installation using preseeding](https://www.debian.org/releases/stable/amd64/apb.en.html)
 - [example-preseed.txt](https://www.debian.org/releases/stable/example-preseed.txt)
+- [partman-auto recipe](https://github.com/xobs/debian-installer/blob/master/doc/devel/partman-auto-recipe.txt)
 - [Preseeding Full Disk Encryption](https://www.linuxjournal.com/content/preseeding-full-disk-encryption)
 - [Debian worldwide mirror sites](https://www.debian.org/mirror/list)
+- [PAM pwquality](https://linux.die.net/man/8/pam_pwquality)
+- [pwquality.conf](https://linux.die.net/man/5/pwquality.conf)
 
 ```
 curl -sLo preseed.cfg https://www.debian.org/releases/stable/example-preseed.txt

preseed.cfg

@@ -9,7 +9,7 @@ d-i debian-installer/language string en
 d-i debian-installer/country string CH
 d-i debian-installer/locale string en_US.UTF-8
 # Optionally specify additional locales to be generated.
-d-i localechooser/supported-locales multiselect en_US.UTF-8, fr_CH.UTF-8
+d-i localechooser/supported-locales multiselect en_US.UTF-8, C.UTF-8, fr_CH.UTF-8
 
 # Keyboard selection.
 d-i keyboard-configuration/xkb-keymap select us
@@ -30,12 +30,12 @@ d-i netcfg/choose_interface select auto
 
 # To set a different link detection timeout (default is 3 seconds).
 # Values are interpreted as seconds.
-#d-i netcfg/link_wait_timeout string 10
+d-i netcfg/link_wait_timeout string 10
 
 # If you have a slow dhcp server and the installer times out waiting for
 # it, this might be useful.
-#d-i netcfg/dhcp_timeout string 60
+d-i netcfg/dhcp_timeout string 10
-#d-i netcfg/dhcpv6_timeout string 60
+d-i netcfg/dhcpv6_timeout string 10
 
 # If you prefer to configure the network manually, uncomment this line and
 # the static network configuration below.
@@ -123,8 +123,8 @@ d-i passwd/make-user boolean true
 d-i passwd/user-fullname string gbaconni
 d-i passwd/username string gbaconni
 # Normal user's password, either in clear text
-d-i passwd/user-password password Born2beRoot
+d-i passwd/user-password password Born+2+be+Root
-d-i passwd/user-password-again password Born2beRoot
+d-i passwd/user-password-again password Born+2+be+Root
 # or encrypted using a crypt(3) hash.
 #d-i passwd/user-password-crypted password [crypt(3) hash]
 # Create the first user with the specified UID instead of the default.
@@ -165,6 +165,13 @@ d-i clock-setup/ntp-server string ntp.metas.ch
 # - lvm:     use LVM to partition the disk
 # - crypto:  use LVM within an encrypted partition
 d-i partman-auto/method string crypto
+d-i partman-crypto/confirm boolean false
+d-i partman-crypto/passphrase password Born+2+be+Root
+d-i partman-crypto/passphrase-again password Born+2+be+Root
+d-i partman-crypto/warn_erase boolean true
+d-i partman-crypto/weak_passphrase boolean false
+d-i partman-auto/purge_lvm_from_device boolean true
+d-i partman-auto/automatically_partition boolean true
 
 # You can define the amount of space that will be used for the LVM volume
 # group. It can either be a size with its unit (eg. 20 GB), a percentage of
@@ -175,6 +182,7 @@ d-i partman-auto-lvm/guided_size string max
 # contains an old LVM configuration, the user will normally receive a
 # warning. This can be preseeded away...
 d-i partman-lvm/device_remove_lvm boolean true
+d-i partman-lvm/device_remove_lvm_span boolean true
 # The same applies to pre-existing software RAID array:
 d-i partman-md/device_remove_md boolean true
 # And the same goes for the confirmation to write the lvm partitions.
@@ -186,56 +194,80 @@ d-i partman-lvm/confirm_nooverwrite boolean true
 # - home:   separate /home partition
 # - multi:  separate /home, /var, and /tmp partitions
 d-i partman-auto/choose_recipe select boot-crypto
-d-i partman-auto-lvm/new_vg_name string gbaconni42-vg
+d-i partman-auto-lvm/new_vg_name string LVMGroup
 d-i partman-auto/expert_recipe string \
       boot-crypto :: \
-              538 538 1075 free \
+              500 500 500 ext2 \
-                    $primary{ } \
+                    $primary{ } $bootable{ } \
-                    $iflabel{ gpt } \
-                    $reusemethod{ } \
-                    method{ efi } format{ } \
-              . \
-              256 512 512 ext2 \
-                    $primary{ } \
                     $defaultignore{ } \
                     method{ format } format{ } \
                     use_filesystem{ } filesystem{ ext2 } \
                     mountpoint{ /boot } \
               . \
-              14000 14000 14000 ext4 \
+              1 1 1 fat32 \
+                    $primary{ } \
+                    $defaultignore{ } \
+                    method{ format } format{ } \
+                    use_filesystem{ } filesystem{ fat32 } \
+              . \
+              31027 32768 -1 lvm \
+                      $defaultignore{ } \
+                      method{ lvm } \
+                      vg_name{ LVMGroup } \
+              . \
+              10240 10240 10240 ext4 \
                     $lvmok{ } \
+                    in_vg{ LVMGroup } \
+                    lv_name{ root } \
                     method{ format } format{ } \
                     use_filesystem{ } filesystem{ ext4 } \
                     mountpoint{ / } \
               . \
-              120000 120000 120000 ext4 \
+              2355 2355 2355 linux-swap \
                     $lvmok{ } \
+                    in_vg{ LVMGroup } \
+                    lv_name{ swap } \
+                    method{ swap } format{ } \
+              . \
+              5120 5120 5120 ext4 \
+                    $lvmok{ } \
+                    in_vg{ LVMGroup } \
+                    lv_name{ home } \
                     method{ format } format{ } \
                     use_filesystem{ } filesystem{ ext4 } \
                     mountpoint{ /home } \
               . \
-              100% 100% 100% linux-swap \
+              3072 3072 3072 ext4 \
-                    $lvmok{ } \
-                    lv_name{ swap } \
-                    method{ swap } format{ } \
-              . \
-              4000 4000 4000 ext4 \
-                    $lvmok{ } \
-                    method{ format } format{ } \
-                    use_filesystem{ } filesystem{ ext4 } \
-                    mountpoint{ /tmp } \
-              . \
-              10000 10000 10000 ext4 \
                     $lvmok{ } \
+                    in_vg{ LVMGroup } \
+                    lv_name{ var } \
                     method{ format } format{ } \
                     use_filesystem{ } filesystem{ ext4 } \
                     mountpoint{ /var } \
               . \
-              10000 100000 -1 ext4 \
+              3072 3072 3072 ext4 \
                     $lvmok{ } \
+                    in_vg{ LVMGroup } \
+                    lv_name{ srv } \
                     method{ format } format{ } \
                     use_filesystem{ } filesystem{ ext4 } \
-                    mountpoint{ /spare } \
+                    mountpoint{ /srv } \
+              . \
+              3072 3072 3072 ext4 \
+                    $lvmok{ } \
+                    in_vg{ LVMGroup } \
+                    lv_name{ tmp } \
+                    method{ format } format{ } \
+                    use_filesystem{ } filesystem{ ext4 } \
+                    mountpoint{ /tmp } \
+              . \
+              4096 4096 4096 ext4 \
+                    $lvmok{ } \
+                    in_vg{ LVMGroup } \
+                    lv_name{ var-log } \
+                    method{ format } format{ } \
+                    use_filesystem{ } filesystem{ ext4 } \
+                    mountpoint{ /var/log } \
               . \
 
 # Or provide a recipe of your own...
@@ -353,7 +385,7 @@ d-i partman/confirm_nooverwrite boolean true
 # The default is to mount by UUID, but you can also choose "traditional" to
 # use traditional device names, or "label" to try filesystem labels before
 # falling back to UUIDs.
-#d-i partman/mount_style select uuid
+d-i partman/mount_style select label
 
 ### Base system installation
 # Configure APT to not install recommended packages by default. Use of this
@@ -397,17 +429,18 @@ d-i apt-setup/security_host string security.debian.org
 #d-i debian-installer/allow_unauthenticated boolean true
 
 # Uncomment this to add multiarch configuration for i386
-d-i apt-setup/multiarch string i386
+#d-i apt-setup/multiarch string i386
 
 
 ### Package selection
-tasksel tasksel/first multiselect standard
+tasksel tasksel/first multiselect minimal
 
 # Individual additional packages to install
-d-i pkgsel/include string openssh-server vim
+d-i pkgsel/include string openssh-server sudo libpam-pwquality ufw vim
 # Whether to upgrade packages after debootstrap.
 # Allowed values: none, safe-upgrade, full-upgrade
-d-i pkgsel/upgrade select safe-upgrade
+d-i pkgsel/upgrade select full-upgrade
+d-i pkgsel/update-policy select unattended-upgrades
 
 # Some versions of the installer can report back on what software you have
 # installed, and what software you use. The default is not to report back,
@@ -425,7 +458,7 @@ d-i grub-installer/only_debian boolean true
 # This one makes grub-installer install to the UEFI partition/boot record, if
 # it also finds some other OS, which is less safe as it might not be able to
 # boot that other OS.
-d-i grub-installer/with_other_os boolean true
+d-i grub-installer/with_other_os boolean false
 
 # Due notably to potential USB sticks, the location of the primary drive can
 # not be determined safely in general, so this needs to be specified:
@@ -505,5 +538,13 @@ d-i finish-install/reboot_in_progress note
 #d-i preseed/late_command string apt-install zsh; in-target chsh -s /bin/zsh
 d-i preseed/late_command \
         in-target update-alternatives --set editor /usr/bin/vim.basic; \
-        in-target passwd --expire root
+        in-target sed -i'.orig' -r 's/^#?(Port) .*/\1 4242/; s/^#?(PermitRootLogin) .*/\1 no/;' /etc/ssh/sshd_config; \
+        in-target ufw enable; \
+        in-target ufw allow proto tcp from any to any port 4242 comment 'Allow SSH'; \
+        in-target getent group sudo >/dev/null 2>&1 || groupadd -f -r sudo; \
+        in-target getent group user42 >/dev/null 2>&1 || groupadd -f user42; \
+        in-target usermod -a -G sudo,user42 gbaconni; \
+        in-target sed -i'.orig' -r 's/^#?(PASS_MAX_DAYS).*/\1\t30/; s/^#?(PASS_MIN_DAYS).*/\1\t2/; s/^#?(PASS_WARN_AGE).*/\1\t7/; s/^#?(PASS_MIN_LEN).*/\1\t10/;' /etc/login.defs; \
+		in-target sed -i'.orig' -r 's/^[# ]?(minlen =)/\1 10/; s/^[# ]?([ud]credit =)/\1 -1/; s/^[# ]?(maxrepeat =)/\1 3/; s/^[# ]?(usercheck =)/\1 1/; s/^[# ]?(difok =)/\1 7/;' /etc/security/pwquality.conf; \
+        in-target apt-get clean