production-deb/shared/post-install/00-base.sh

#!/bin/sh
# 00-base.sh — install variant extra packages, baseline sysctl + ufw.
# Runs in-target (already inside installed system's chroot, /proc /sys /dev
# bind-mounted by d-i, /etc/resolv.conf working, apt sources configured).
set -eu

LIST=/root/s8n-postinstall/extra.list
if [ -s "$LIST" ]; then
  echo "[00] installing extra packages from $LIST"
  apt-get update
  PKGS=$(grep -vE '^\s*(#|$)' "$LIST" | tr '\n' ' ')
  if [ -n "$PKGS" ]; then
    # `apt-get install -- $PKGS` lets a malicious extra.list still inject `--`
    # tokens but only repo-controlled file is the source. The `--` separator
    # is hygiene against accidental flag-like names.
    # Failure here is a hard fail per `set -e` from caller — DKMS / wifi
    # depending on these packages is critical for laptop variants.
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends -- $PKGS
  fi
fi

echo "[00] applying sysctl hardening"
cat > /etc/sysctl.d/90-s8n.conf <<'SYSCTL'
# Personal sysctl baseline.
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
fs.protected_hardlinks=1
fs.protected_symlinks=1
fs.protected_fifos=2
fs.protected_regular=2
SYSCTL

echo "[00] enabling ufw (if installed)"
if command -v ufw >/dev/null; then
  # Idempotent: don't reset if already active (preserves user rules on rerun).
  if ufw status 2>/dev/null | grep -q '^Status: active'; then
    echo "[00] ufw already active, skipping reset"
  else
    ufw --force reset
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow 22/tcp
    ufw --force enable
  fi
fi

echo "[00] enabling unattended-upgrades"
if [ -f /etc/apt/apt.conf.d/50unattended-upgrades ]; then
  systemctl enable unattended-upgrades || true
fi
fork: production-deb v0.1.0 from debian-s8ns-prefs-iso server variant Server-only canonical production Debian build. Drops laptop/vanilla variants. Interactive LUKS + hostname at install. user/123 forced rotate. DVD-1 offline base. S8N_LOGS log-capture partition. Lineage: forked from s8n/debian-s8ns-prefs-iso commit d4be55f. 2026-05-08 13:53:38 +01:00			`#!/bin/sh`
			`# 00-base.sh — install variant extra packages, baseline sysctl + ufw.`
			`# Runs in-target (already inside installed system's chroot, /proc /sys /dev`
			`# bind-mounted by d-i, /etc/resolv.conf working, apt sources configured).`
			`set -eu`

			`LIST=/root/s8n-postinstall/extra.list`
			`if [ -s "$LIST" ]; then`
			`echo "[00] installing extra packages from $LIST"`
			`apt-get update`
			`PKGS=$(grep -vE '^\s*(#\|$)' "$LIST" \| tr '\n' ' ')`
			`if [ -n "$PKGS" ]; then`
			# `apt-get install -- $PKGS` lets a malicious extra.list still inject `--`
			# tokens but only repo-controlled file is the source. The `--` separator
			`# is hygiene against accidental flag-like names.`
			# Failure here is a hard fail per `set -e` from caller — DKMS / wifi
			`# depending on these packages is critical for laptop variants.`
			`DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends -- $PKGS`
			`fi`
			`fi`

			`echo "[00] applying sysctl hardening"`
			`cat > /etc/sysctl.d/90-s8n.conf <<'SYSCTL'`
			`# Personal sysctl baseline.`
			`kernel.kptr_restrict=2`
			`kernel.dmesg_restrict=1`
			`kernel.unprivileged_bpf_disabled=1`
			`net.core.bpf_jit_harden=2`
			`net.ipv4.conf.all.rp_filter=1`
			`net.ipv4.conf.default.rp_filter=1`
			`net.ipv4.tcp_syncookies=1`
			`net.ipv4.conf.all.accept_redirects=0`
			`net.ipv6.conf.all.accept_redirects=0`
			`net.ipv4.conf.all.send_redirects=0`
			`net.ipv4.conf.all.accept_source_route=0`
			`net.ipv6.conf.all.accept_source_route=0`
			`fs.protected_hardlinks=1`
			`fs.protected_symlinks=1`
			`fs.protected_fifos=2`
			`fs.protected_regular=2`
			`SYSCTL`

			`echo "[00] enabling ufw (if installed)"`
			`if command -v ufw >/dev/null; then`
			`# Idempotent: don't reset if already active (preserves user rules on rerun).`
			`if ufw status 2>/dev/null \| grep -q '^Status: active'; then`
			`echo "[00] ufw already active, skipping reset"`
			`else`
			`ufw --force reset`
			`ufw default deny incoming`
			`ufw default allow outgoing`
			`ufw allow 22/tcp`
			`ufw --force enable`
			`fi`
			`fi`

			`echo "[00] enabling unattended-upgrades"`
			`if [ -f /etc/apt/apt.conf.d/50unattended-upgrades ]; then`
			`systemctl enable unattended-upgrades \|\| true`
			`fi`