
# Changelog (production-deb)
Forked from `s8n/debian-s8ns-prefs-iso` (commit d4be55f) on 2026-05-08.
Server variant only; laptop/vanilla stripped.
## [0.1.0] — 2026-05-08
### Added
- Initial fork from debian-s8ns-prefs-iso server variant
- Same hardening, interactive LUKS+hostname, DVD-1 offline base, S8N_LOGS partition
---
# Upstream changelog (debian-s8ns-prefs-iso, kept for lineage)
All notable changes to debian-s8ns-prefs-iso. Format inspired by Keep a Changelog.
## [0.4.0] — 2026-05-08
### Added
- **USB log-capture partition** for offline diagnostics. flash.sh creates a
  3rd MBR partition (vfat, label `S8N_LOGS`) using all remaining USB free
  space (~27 GiB on a 32 GiB stick). preseed `early_command` mounts it at
  `/tmp/s8n-logs`; `late_command` writes a per-run directory with:
  - `syslog`, `installer/` (full d-i logs)
  - `s8n-luks-rekey.log` and `s8n-post-install.log`
  - `lsblk`, `lspci`, `dmesg`, `mount`, `df`, `exit-status`, `build-info`

  Even if late_command's main block fails, the trap-style outer `sh -c`
  still copies whatever logs exist before unmounting.
- **`scripts/read-usb-logs.sh`** — dumps the latest run's logs from the
S8N_LOGS partition. Auto-detects by label or takes `/dev/sdX` as arg.
`--copy` flag rsyncs the entire S8N_LOGS contents to `out/usb-logs-<ts>/`.
- **flash.sh `--yes` flag** for non-interactive use.
### Changed
- preseed.tpl `late_command` wrapped in trap-style `sh -c` so log-collect
runs even if the install body fails. Exit status preserved via captured
`$STATUS`.
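
The trap-style wrapper described in the 0.4.0 entries above, sketched as an added example (not the repository's preseed.tpl): the body runs in an inner `sh -c 'set -e; ...'`, the outer shell always collects logs, and the captured `$STATUS` is handed back. `run_install`, `LAST_RUN_DIR` and the directory arguments are hypothetical names.

```shell
#!/bin/sh
# Added example, not the repository's code. All names are hypothetical.
# run_install BODY SRC_DIR USB_DIR
#   BODY     shell text standing in for the install body
#   SRC_DIR  directory where the body leaves its logs
#   USB_DIR  stand-in for the mounted S8N_LOGS partition
run_install() {
    body=$1
    src=$2
    usb=$3
    run_dir="$usb/run-$$"
    mkdir -p "$run_dir"

    # Inner shell: set -e aborts the body at the first failing command.
    STATUS=0
    sh -c "set -e; $body" || STATUS=$?

    # Outer shell: always reached. Copy whatever logs exist; a missing
    # file must not stop collection or change the reported status.
    for f in syslog s8n-luks-rekey.log s8n-post-install.log; do
        [ -f "$src/$f" ] && cp "$src/$f" "$run_dir/" || true
    done
    echo "$STATUS" > "$run_dir/exit-status"

    # Return the body's status so the caller still sees the failure.
    LAST_RUN_DIR=$run_dir
    return "$STATUS"
}
```
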
### Fixed
- (none new — 0.4 is purely additive)
### Operator workflow change
After a failed install, instead of photographing the d-i screen:
1. Pull the USB from the target machine
2. Plug into the build host (onyx)
3. Run `sudo scripts/read-usb-logs.sh /dev/sdX` (or just `--copy` to grab everything)
## [0.3.0] — 2026-05-07
### Added
- **install.sh** companion script — apply same shared/post-install/ scripts to an
existing Debian system (curl|bash compatible via Forgejo tarball API)
- **Per-build randomized credentials.** User pw `mkpasswd -m yescrypt` 16-char
random; LUKS install pw 24-char random. Written to `<iso>.creds` mode 0600.
- **LUKS rekey in late_command.** New 32-char random pw added via
`cryptsetup luksAddKey`, throwaway slot 0 killed before reboot. Final pw
written to `/target/root/luks-pw.txt` mode 0600.
- **Tailscale `--ts-auth-key` build flag.** Bakes one-time tskey into ISO;
installed system auto-joins tailnet via systemd oneshot on first boot, then
shreds the key file.
- **VM smoke-test harness** at `scripts/test-vm.sh`. QEMU+OVMF, virtio disk +
cdrom, 30 GiB qcow2, headless. Phase 1 unattended install + Phase 2
first-boot SSH check.
- **MBA 6,1 driver superset in laptop variant:**
  - `mbpfan` (applesmc fan control), `bluez` `blueman` (BCM4360 BT)
  - `tlp tlp-rdw powertop lm-sensors` (battery / thermals)
  - `firmware-sof-signed` (Haswell HDA SOF fallback)
  - GRUB cmdline: `acpi_backlight=vendor`, `snd_hda_intel.model=mba6`
  - `/etc/modprobe.d/hid_apple.conf` with `fnmode=2 iso_layout=0`
  - `/etc/modules-load.d/apple.conf` for applesmc + coretemp
  - `update-initramfs -u` after modprobe.d edits
### Changed
- **Base ISO: trixie 13.4 stable** (was forky daily). Reason: Debian bug
[#1106117](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106117) —
forky weekly netinsts ship with kernel/udeb skew producing "no kernel
modules" install failures. trixie is a coherent snapshot; intel_iommu=off
in grub overlay still solves MBA 6,1 SSD detection on stable kernel 6.12.
- **late_command rewritten** to use `in-target` (with bind-mounted /proc /sys
/dev) instead of nested `chroot` (which had no bind-mounts → apt failed).
Wrapped in `sh -c 'set -e ; ...'` so partial failures abort install.
- **Postinstall payload moves to `/cdrom/postinstall/`** in the ISO; copied
to installed system at `/root/s8n-postinstall/` during late_command.
- **ESP image patching via mtools.** Previous v0.2 wrote grub-overlay.cfg
  into iso9660 namespace at `/EFI/debian/grub.cfg`, which Apple firmware
  doesn't read. v0.3:
  1. `xorriso -extract /boot/grub/efi.img` to grab the embedded FAT image
  2. `mcopy -i efi.img grub-overlay.cfg ::/efi/debian/grub.cfg` to patch FAT
  3. `xorriso -dev <iso> -boot_image any keep -map ... -commit` to splice back
  4. **Direct-dd patched efi.img into the ISO at the El Torito EFI image LBA**
     because xorriso's `-map` only updates iso9660 namespace, not the
     ESP-partition data range that MBR partition #2 points to
- **post-install split:** `40-mba61.sh` → `40-broadcom-wl.sh` (any laptop with
  broadcom-sta-dkms) + `50-mba61.sh` (only Apple Toshiba [1179:010b])
- **install.sh idempotence:** `00-base.sh` skips ufw reset if already active;
`10-dark.sh` grep-guards `/etc/environment` append; sshd_config not modified
on rerun if already includes our drop-in.
### Fixed (CRITICAL bugs from v0.2 audit)
- **A2-1** `build.sh:65` Bash `HOSTNAME` builtin shadowing — renamed to
`HOSTNAME_OPT`, default-variant-host now applies correctly
- **A2-2** `build.sh:71` empty SSH pubkey file → SSH lockout. Use `-s` not `-f`
- **A2-3** `build.sh:103` sha256 grep regex unanchored. Now `^${ISO_NAME}: OK$`
- **A2-4** `build.sh:148` chroot-empty branch removed (single in-target path)
- **A2-5** late_command bind-mounts via in-target (apt now works inside)
- **A2-6** flash.sh sed strip → `lsblk -no PKNAME` (handles nvme/mmcblk/RAID)
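
The two `build.sh` checks from A2-2 and A2-3, weak form beside fixed form, as an added example rather than the repository's code. The function names and the `example.iso` sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the repository's build.sh. Function names are hypothetical.

# A2-2: -f is true for an empty file, so an empty key file would be
# accepted and the installed system would have no usable authorized key.
pubkey_ok_weak()  { [ -f "$1" ]; }
pubkey_ok_fixed() { [ -s "$1" ]; }   # exists AND size > 0

# A2-3: both functions read `sha256sum -c` style output on stdin.
# Unanchored: any line merely containing "NAME: OK" counts as success.
iso_ok_weak()  { grep -q "$1: OK"; }
# Anchored as in the changelog entry: the whole line must be "NAME: OK".
iso_ok_fixed() { grep -q "^$1: OK\$"; }

# Constructed sample output: the wanted image FAILED, while a different
# file whose name ends with the same string passed.
sample_check_output() {
    printf '%s\n' 'old-example.iso: OK' 'example.iso: FAILED'
}
```

With the constructed sample, `iso_ok_weak example.iso` reports success on a failed image, while `iso_ok_fixed example.iso` does not.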
### Fixed (HIGH security from v0.2 audit)
- **A1-3** late_command wrapped in `sh -c 'set -e'` — fail loud, no silent
half-installs claiming success
- **A1-1 / A3-creds** plaintext `changeme` removed; yescrypt hash via
`mkpasswd -m yescrypt` baked, plain pw printed once to .creds file 0600
- **A1-2** LUKS pw auto-rotation in late_command; throwaway slot 0 killed
before reboot
### Fixed (MED from v0.2 audit)
- **flash.sh** refuses `/dev/mmcblk*`, `/dev/vd*` in addition to nvme/sda
- **build.sh** validates hostname format before render
- **build.sh** drops unused 7z dep check; adds mtools + mkpasswd checks
- **Forgejo URL** `s8n-ru` → `s8n` (user renamed 2026-05-07)
### Known limits / deferred to v0.4+
- VM smoke test currently can't proceed past GRUB on headless QEMU because
d-i graphical-install requires VGA framebuffer; no `console=ttyS0`
redirection in our overlay. Either: add a "VM serial install" menuentry
with console=ttyS0,115200n8, or run VM test with VNC display. **Build-time
content checks (xorriso -extract + mdir verify + direct-dd ESP read-back)
are the current correctness gate.**
- SHA256SUMS not yet GPG-verified (Debian release key pin pending) — v0.4
- Forgejo SSH key fingerprint not pinned — v0.4
- `install.sh` GRUB persist still uses substring match (not word-boundary) — v0.4
- Server hardening superset (auditd rules, apparmor enforce, faillock,
login.defs YESCRYPT, journald persistent+seal, KSPP cmdline, etc.) — v0.5
- Reproducible builds (SOURCE_DATE_EPOCH, --modification-date) + Forgejo CI — v1.0
## [0.2.0] — 2026-05-07
### Added
- Smoke-tested 3 variants build clean
- `install.sh` companion script
- Wider firmware coverage in shared pkgsel/include
- post-install split 40-mba61 → 40-broadcom-wl + 50-mba61
### Fixed
- xorriso extract chmod u+w
- ESP grub.cfg uses overlay direct (not extracted)
- LUKS partition path NVMe vs SATA (no more `sdap3`)
- MBR PT preservation via cp + xorriso -dev (was zeroed by `-indev/-outdev`)
## [0.1.0] — 2026-05-07
### Added
- Initial scaffold: build.sh, flash.sh, 3 variants (laptop/server/vanilla)
- shared/preseed.tpl, grub-overlay.cfg.tpl, post-install/, packages/
- APM strip step for single-icon Apple boot
- Forgejo private repo at git.s8n.ru/s8n/debian-s8ns-prefs-iso