84 lines
3.1 KiB
Markdown
# production-deb
Production Debian server ISO builder. Hardened, headless. Interactive LUKS passphrase + hostname at install time. User password `123`, forced rotation on first login; sshd has password auth off, so `123` is only usable at the console (and for sudo) until it is rotated. SSH key pre-placed for instant remote access.
Forked from the `s8n/debian-s8ns-prefs-iso` server variant; the non-server variants (laptop/vanilla) are stripped. This repo is the canonical production server build.
## Install behavior
Boot the flashed USB. Two prompts at console:
1. **Hostname** — typed (default = `server-host`)
2. **LUKS passphrase** — set in person, NOT preseeded
Everything else unattended:
- Debian 13.4 trixie (DVD-1 base, offline-capable — no mirror needed)
- LUKS+LVM atomic, encrypted root
- User `user`, pw `123`, sudo; password expired with `chage -d 0`, so PAM forces a change on the first login (SSH or console alike)
- SSH ed25519 key from the build host's `~/.ssh/id_ed25519.pub` pre-placed in `/home/user/.ssh/authorized_keys`
- sshd hardened: pubkey-only, no root, no password auth
- ufw default-deny, allow 22/tcp
- fail2ban + auditd + apparmor enforce + libpam-pwquality
- dropbear-initramfs + cryptsetup-initramfs (LUKS unlock via SSH at boot; note that dropbear presents its own host key and reads its own `/etc/dropbear/initramfs/authorized_keys`, separate from sshd and from `/home/user/.ssh/authorized_keys`)
- Tailscale client installed, manual `tailscale up --login-server=https://hs.s8n.ru` post-boot
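The sshd hardening, key placement and forced rotation from the list above, written out as an added example (this is not production-deb's `20-ssh.sh` or `00-base.sh`). It takes a root prefix so the file-writing parts can be exercised against a scratch directory; the drop-in name `50-hardening.conf`, the function names and the two `sshd -T` samples are this example's own assumptions, not taken from the repo.

```shell
#!/bin/sh
# Added example, not code from production-deb. ROOT=/ applies to the live
# system; any other prefix just writes files for inspection.
set -eu

# Write an sshd drop-in. Debian's stock sshd_config includes
# /etc/ssh/sshd_config.d/*.conf, and a drop-in survives package upgrades
# better than editing sshd_config in place.
write_sshd_dropin() {
    root=$1
    dir="$root/etc/ssh/sshd_config.d"
    mkdir -p "$dir"
    cat > "$dir/50-hardening.conf" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
EOF
    chmod 644 "$dir/50-hardening.conf"
}

# Install a public key with the permissions StrictModes requires (700 on
# ~/.ssh, 600 on authorized_keys). Get this wrong and key auth fails
# silently, which with password auth off means a lockout.
install_authorized_key() {
    root=$1; user=$2; pubkey=$3
    sshdir="$root/home/$user/.ssh"
    mkdir -p "$sshdir"
    printf '%s\n' "$pubkey" > "$sshdir/authorized_keys"
    chmod 700 "$sshdir"
    chmod 600 "$sshdir/authorized_keys"
    # Ownership only matters (and only works) on the live system.
    [ "$root" = "/" ] && chown -R "$user:$user" "$sshdir" || true
}

# Expire the password so pam_unix demands a new one at the next login,
# console or SSH. Needs root and a real account, so live system only.
force_password_rotation() {
    chage -d 0 "$1"
}

# Verify effective settings from `sshd -T` output on stdin. sshd -T prints
# every option lowercased after resolving Includes and Match blocks, so it
# shows what is enforced rather than what one file says.
verify_sshd_dump() {
    dump=$(cat)
    for want in "permitrootlogin no" "passwordauthentication no" \
                "kbdinteractiveauthentication no" "pubkeyauthentication yes"; do
        if ! printf '%s\n' "$dump" | grep -qx "$want"; then
            echo "sshd: missing '$want'" >&2
            return 1
        fi
    done
    return 0
}

# Constructed samples of `sshd -T` output (not captured from a real host).
SAMPLE_GOOD='port 22
permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'
SAMPLE_BAD='port 22
permitrootlogin prohibit-password
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes'

# Live apply: validate the config with sshd -t before anything reloads it.
if [ "${1:-}" = "--apply" ]; then
    write_sshd_dropin /
    install_authorized_key / user "$(cat "$HOME/.ssh/id_ed25519.pub")"
    force_password_rotation user
    sshd -t && sshd -T | verify_sshd_dump && systemctl reload ssh
fi
```

Run with `--apply` as root on the installed host, or source it and call the functions against a scratch prefix to see exactly what would be written. The `sshd -T` check is the one to keep around: a later drop-in with a higher sort order can silently re-enable password auth, and only the resolved dump shows that.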
## Usage
```
./build.sh --variant server --hostname <name> --disk /dev/nvme0n1
sudo ./flash.sh --yes /dev/sdX out/debian-s8ns-server-DATE.iso
```
(Variant is always `server` in this repo; the flag is retained for compatibility with the parent project's build.sh.)
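`flash.sh --yes /dev/sdX` writes to whatever device it is given, so the gate that matters is the one that runs before the write. The pre-flight checks below are an added example of what a "safe USB flash" should refuse; they are not flash.sh's actual logic. It reads the removable flag from sysfs and mounted partitions from `/proc/mounts`; `SYS`, `MOUNTS` and the function names are this example's own, and the test points them at a constructed tree.

```shell
#!/bin/sh
# Added example, not production-deb's flash.sh. Decides whether a device is
# an acceptable flash target before any write happens.
set -eu

SYS="${SYS:-/sys}"
MOUNTS="${MOUNTS:-/proc/mounts}"

# Accept only a whole, removable block device. Partitions (sdb1) have no
# /sys/block/<name>, fixed disks report removable=0, and typos do not exist.
is_removable_whole_disk() {
    name=${1#/dev/}
    [ -f "$SYS/block/$name/removable" ] || return 1
    [ "$(cat "$SYS/block/$name/removable")" = "1" ]
}

# True if the disk itself or any of its partitions (sdb1, nvme0n1p2) is
# mounted: a mounted target is in use, or is the disk we are running from.
has_mounted_partition() {
    awk -v d="$1" '
        $1 == d || $1 ~ ("^" d "p?[0-9]+$") { found = 1 }
        END { exit !found }' "$MOUNTS"
}

# Combined gate: returns 0 only for a bare /dev path that is a removable
# whole disk with nothing mounted. Refusals are explained on stderr.
flash_target_ok() {
    dev=$1
    case "$dev" in
        /dev/*) ;;
        *) echo "refuse: $dev is not a /dev path" >&2; return 1 ;;
    esac
    if ! is_removable_whole_disk "$dev"; then
        echo "refuse: $dev is not a removable whole disk" >&2; return 1
    fi
    if has_mounted_partition "$dev"; then
        echo "refuse: $dev (or a partition of it) is mounted" >&2; return 1
    fi
    return 0
}

# Live usage: flash only after the gate passes; the write itself is the
# caller's, shown here with plain dd for illustration.
if [ "${1:-}" = "--flash" ] && [ $# -eq 3 ]; then
    flash_target_ok "$2"
    dd if="$3" of="$2" bs=4M conv=fsync status=progress
fi
```

A real flash script would add an `[ -b "$dev" ]` check and an explicit confirmation that echoes the device's model and size from sysfs; the point of the gate is that `--yes` should skip the prompt, not the checks.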
After install completes:
```
ssh user@<hostname>
# PAM forces pw change → set new pw → shell
```
## Layout
```
build.sh                 ISO factory (DVD-1 base, hd-media kernel, mtools ESP edit)
flash.sh                 safe USB flash + adds S8N_LOGS log-capture partition
install.sh               curl|bash post-install applier for existing systems
variants/server.cfg      hardening prefs, INTERACTIVE_LUKS=1, INTERACTIVE_HOSTNAME=1
shared/
  preseed.tpl            offline preseed + late_command (LUKS rekey, post-install)
  grub-overlay.cfg.tpl   ESP grub.cfg with priority=high
  packages/server.list   ufw fail2ban auditd apparmor dropbear-initramfs etc.
post-install/
  00-base.sh             extra pkgs, sysctl hardening, ufw, unattended-upgrades
  20-ssh.sh              sshd hardening (key-only, no root)
  30-tailscale.sh        install client only (manual login post-install)
scripts/
  test-vm.sh             QEMU+OVMF smoke test harness
  read-usb-logs.sh       offline log dump from S8N_LOGS partition (post-failure)
```
## Hardening posture
Currently: G1-G6 + B1-B4 from the veilor-server-bootstrap baseline. Per `debian-s8ns-prefs-iso/AUDIT.md` the v0.5 superset is queued; it is covered in the parent repo's roadmap.
## Defaults
- Locale: `en_GB.UTF-8`, keymap `gb`, timezone `Europe/London`
- Mirror: cdrom-only at install (DVD-1 has all packages; no internet required)
- Logs: install-time logs land on the USB's `S8N_LOGS` partition (the third one, e.g. sda3) for offline diagnostics: `sudo scripts/read-usb-logs.sh /dev/sdX3 --copy`
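Pulling the logs off the stick after a failed install means mounting a partition that was just attached to an install target you no longer trust. The added example below (not production-deb's `read-usb-logs.sh`) finds the partition by label rather than by a guessed `sdX3`, mounts it read-only with `nodev,nosuid,noexec`, and reports which installer logs are missing before copying. It assumes `S8N_LOGS` is the filesystem label (if flash.sh sets it as the GPT partition name instead, look under `/dev/disk/by-partlabel`); the expected-log list, the `BYLABEL` variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not production-deb's read-usb-logs.sh. BYLABEL defaults to
# udev's by-label directory; the test points it at a constructed tree.
set -eu

BYLABEL="${BYLABEL:-/dev/disk/by-label}"
# Installer logs worth checking for first when an unattended run fails
# (an assumed list, matching what debian-installer normally saves).
EXPECTED_LOGS="syslog partman hardware-summary status"

# Resolve the label to a device node. Fails if the stick is not attached,
# instead of silently reading whatever happens to be /dev/sdX3 today.
find_logs_partition() {
    link="$BYLABEL/S8N_LOGS"
    [ -L "$link" ] || [ -e "$link" ] || return 1
    readlink -f "$link"
}

# Mount options for media that came back from an untrusted machine:
# nothing on it may be executed, setuid, or interpreted as a device node.
ro_mount_opts() {
    printf '%s' "ro,nodev,nosuid,noexec"
}

# Report missing expected logs under a mounted log directory. Returns 1
# if any are absent so that "no syslog" is noticed up front.
check_expected_logs() {
    dir=$1
    missing=""
    for f in $EXPECTED_LOGS; do
        [ -e "$dir/$f" ] || missing="$missing $f"
    done
    [ -z "$missing" ] && return 0
    echo "missing expected logs:$missing" >&2
    return 1
}

# Live usage (root): mount, check, copy everything present, unmount.
copy_usb_logs() {
    dest=$1
    dev=$(find_logs_partition) || { echo "S8N_LOGS partition not found" >&2; return 1; }
    mnt=$(mktemp -d)
    mount -o "$(ro_mount_opts)" "$dev" "$mnt"
    check_expected_logs "$mnt" || true   # report, but still copy what exists
    mkdir -p "$dest"
    cp -a "$mnt"/. "$dest"/
    umount "$mnt"
    rmdir "$mnt"
}

if [ "${1:-}" = "--copy" ] && [ $# -eq 2 ]; then
    copy_usb_logs "$2"
fi
```

`copy_usb_logs` needs root for the mount; the three helpers it is built from do not, which is what makes the label lookup and the missing-log check testable without a stick plugged in.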
## Why a separate repo
`debian-s8ns-prefs-iso` is the multi-variant playground (laptop/server/vanilla). `production-deb` is the production-server-only canonical path. Changes here should preserve the "boot, prompt 2 things, walk away" property.