
# debian-s8ns-prefs-iso preseed (template)
# @PLACEHOLDERS@ replaced at build time by build.sh
# Variant: @VARIANT@
# === Locale + keyboard ===
d-i debian-installer/locale string en_GB.UTF-8
d-i keyboard-configuration/xkb-keymap select gb
# === Network ===
d-i netcfg/choose_interface select auto
d-i netcfg/get_hostname string @HOSTNAME@
d-i netcfg/get_domain string
d-i netcfg/hostname string @HOSTNAME@
# === Mirror — OFFLINE install only (DVD-1 has all packages including GNOME) ===
# Disable choose-mirror entirely. DVD-1 base supplies tasksel + apt sources.
# NOTE: the "Apt" section below sets apt-setup/use_mirror, services-select and
# cdrom/set-first again with the opposite values; the later line wins, so
# check which of the two is intended before shipping.
# Wifi driver (broadcom-sta-dkms) builds via DKMS post-install once the user
# plugs in or runs `tailscale up`; not needed during d-i.
d-i mirror/cdrom_only boolean true
d-i mirror/country string manual
d-i mirror/protocol string http
d-i mirror/http/hostname string deb.debian.org
d-i mirror/http/directory string /debian
d-i mirror/http/proxy string
d-i apt-setup/use_mirror boolean false
d-i apt-setup/services-select multiselect
d-i apt-setup/security_host string
d-i apt-setup/cdrom/set-first boolean true
d-i apt-setup/cdrom/set-next boolean false
d-i apt-setup/cdrom/set-failed boolean false
d-i apt-setup/no_mirror boolean true
d-i netcfg/enable boolean false
d-i netcfg/disable_autoconfig boolean true
d-i netcfg/get_nameservers string
d-i netcfg/get_ipaddress string
d-i netcfg/get_netmask string
d-i netcfg/get_gateway string
# === Clock ===
d-i clock-setup/utc boolean true
d-i time/zone string Europe/London
d-i clock-setup/ntp boolean true
# === Users ===
# Root locked, primary user is sudoer.
# Password is yescrypt-crypted at build time via mkpasswd; chage -d 0 in
# late_command forces a password change on first SSH/console login.
d-i passwd/root-login boolean false
d-i passwd/make-user boolean true
d-i passwd/user-fullname string @USERNAME@
d-i passwd/username string @USERNAME@
d-i passwd/user-password-crypted password @USER_PW_CRYPTED@
d-i user-setup/encrypt-home boolean false
# === Partitioning: LUKS LVM, full disk ===
# LUKS install passphrase is generated per-build (random, NOT plaintext
# changeme-luks). late_command rotates it to a fresh random passphrase via
# luksAddKey + luksKillSlot 0 before reboot, so the install-time passphrase is
# no longer a valid key once the install finishes. The literal value is still
# present in this preseed (on the ISO) and in the late_command string, so treat
# the built ISO and any copies of the installer logs as sensitive.
d-i partman-auto/method string crypto
d-i partman-auto-lvm/guided_size string max
d-i partman-auto/disk string @DISK@
d-i partman-auto/choose_recipe select atomic
d-i partman-auto-crypto/erase_disk boolean true
d-i partman-crypto/passphrase password @LUKS_INSTALL_PW@
d-i partman-crypto/passphrase-again password @LUKS_INSTALL_PW@
d-i partman-crypto/weak_passphrase boolean true
d-i partman/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
d-i partman-md/confirm boolean true
d-i partman-md/confirm_nooverwrite boolean true
d-i partman-crypto/confirm boolean true
d-i partman-crypto/confirm_nooverwrite boolean true
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-lvm/confirm boolean true
d-i partman-lvm/confirm_nooverwrite boolean true
d-i partman-basicfilesystems/no_swap boolean false
# === Apt === (use_mirror/services-select/cdrom/set-first here override the
# offline values set in the Mirror section above — the later line wins)
d-i apt-setup/non-free-firmware boolean true
d-i apt-setup/non-free boolean true
d-i apt-setup/contrib boolean true
d-i apt-setup/services-select multiselect security, updates
d-i apt-setup/use_mirror boolean true
d-i apt-setup/cdrom/set-first boolean false
# === Tasksel ===
tasksel tasksel/first multiselect @TASKSEL_TASKS@
# === Extra packages (common to all variants) ===
# Firmware blobs so wifi/eth/CPU microcode work on first boot.
# broadcom-sta-dkms (BCM4360 wl driver) is in laptop.list because it requires
# DKMS build + linux-headers — handled in late_command via in-target apt.
d-i pkgsel/include string sudo curl wget rsync git ca-certificates unattended-upgrades apt-listchanges chrony python3 python3-apt firmware-iwlwifi firmware-realtek firmware-atheros firmware-misc-nonfree firmware-brcm80211 firmware-bnx2 firmware-bnx2x firmware-libertas firmware-zd1211 firmware-ti-connectivity intel-microcode amd64-microcode
d-i pkgsel/upgrade select full-upgrade
d-i pkgsel/update-policy select unattended-upgrades
d-i pkgsel/install-language-support boolean false
popularity-contest popularity-contest/participate boolean false
# === GRUB ===
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean true
d-i grub-installer/bootdev string @DISK@
# === Reboot when done ===
d-i finish-install/reboot_in_progress note
d-i debian-installer/exit/reboot boolean true
# === Early command — mount S8N_LOGS partition (3rd MBR entry on USB) ===
# flash.sh creates a vfat partition labeled S8N_LOGS for collecting install
# logs. It is mounted at /tmp/s8n-logs (writable during install) and later
# persisted from there by late_command. The device is located by filesystem
# label (blkid -L) so it is found whether the USB shows up as sd? or nvme?.
# Runs under set +e: a missing or unmountable log partition must never stop the
# install; set -e is restored at the end. If no device carries the label, the
# guard skips the mount and nothing is logged.
d-i preseed/early_command string \
set +e ; \
mkdir -p /tmp/s8n-logs ; \
LOGDEV="$(blkid -L S8N_LOGS 2>/dev/null)" ; \
[ -z "$LOGDEV" ] || { \
mount -t vfat "$LOGDEV" /tmp/s8n-logs && \
printf "%s\n" "[s8n] mounted log partition $LOGDEV at /tmp/s8n-logs" >> /tmp/s8n-logs/early.log && \
date -u +%FT%TZ >> /tmp/s8n-logs/early.log ; \
} ; \
set -e
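# === Late command — one sh -c; the install steps run in a subshell under set -e ===
# Steps (subshell, aborts at the first failing step):
# 1. Bind-mount /cdrom inside target so files stay reachable after pivot
# 2. Copy postinstall payload into installed system at /root/s8n-postinstall
# 3. Place SSH authorized_keys atomically (.tmp then mv)
# 4. Force user-pw change on first login (chage -d 0)
# 5. Rotate LUKS keyslot — kill the install-time pw, fresh random pw written
# to /target/root/luks-pw.txt mode 0600 (operator reads, transcribes, deletes)
# 6. Run in-target /root/s8n-postinstall/run.sh — DKMS, ufw, dark theme, etc.
# 7. Unmount /cdrom
# Then, in the parent shell (NOT under set -e, so it runs whether or not the
# subshell failed):
# 8. Copy d-i logs + post-install log to S8N_LOGS partition (USB) for offline
# diagnostics; mounted at /tmp/s8n-logs by early_command. Every copy is
# best-effort (|| true) so a missing log never masks the real exit status.
# 9. Exit with the subshell's status so a failed step still fails the install.
# Why a subshell: `set -e` inside a `{ ... ; }` group applies to the enclosing
# shell, so a failing step would have exited the whole sh -c before STATUS was
# assigned and before the log copy ran. `( ... )` scopes set -e to the subshell
# and hands its exit status to STATUS.
# Secrets: @LUKS_INSTALL_PW@ is interpolated into this command string and
# passed on argv to luks-rekey.sh, so it is visible in `ps` while that runs and
# in any copy of the preseed or the installer's debconf data. Step 8 copies
# /var/log/installer to the USB partition — verify that copy does not carry a
# cdebconf database still holding the value.
# NOTE(review): @SSH_PUBKEY@ sits inside this single-quoted sh -c string and a
# double-quoted printf argument; a key comment containing ' $ or ` would break
# the quoting or be expanded — confirm build.sh rejects such keys.
d-i preseed/late_command string sh -c '\
( \
set -e ; \
mkdir -p /target/cdrom ; \
mount --bind /cdrom /target/cdrom ; \
cp -r /cdrom/postinstall /target/root/s8n-postinstall ; \
chmod +x /target/root/s8n-postinstall/run.sh /target/root/s8n-postinstall/scripts/*.sh /target/root/s8n-postinstall/luks-rekey.sh ; \
install -d -m 700 -o @USERNAME@ -g @USERNAME@ /target/home/@USERNAME@/.ssh ; \
printf "%s\n" "@SSH_PUBKEY@" > /target/home/@USERNAME@/.ssh/authorized_keys.tmp ; \
chmod 600 /target/home/@USERNAME@/.ssh/authorized_keys.tmp ; \
chown @USERNAME@:@USERNAME@ /target/home/@USERNAME@/.ssh/authorized_keys.tmp ; \
mv /target/home/@USERNAME@/.ssh/authorized_keys.tmp /target/home/@USERNAME@/.ssh/authorized_keys ; \
in-target chage -d 0 @USERNAME@ ; \
sh /target/root/s8n-postinstall/luks-rekey.sh "@LUKS_INSTALL_PW@" ; \
in-target sh -e /root/s8n-postinstall/run.sh ; \
umount /target/cdrom ; \
rmdir /target/cdrom ; \
) ; STATUS=$? ; \
if mountpoint -q /tmp/s8n-logs ; then \
RUN_DIR=/tmp/s8n-logs/run-$(date -u +%Y%m%dT%H%M%SZ) ; \
mkdir -p "$RUN_DIR" ; \
cp -r /var/log/syslog /var/log/installer "$RUN_DIR/" 2>/dev/null || true ; \
cp /var/log/s8n-luks-rekey.log "$RUN_DIR/" 2>/dev/null || true ; \
cp /target/var/log/s8n-post-install.log "$RUN_DIR/" 2>/dev/null || true ; \
lsblk > "$RUN_DIR/lsblk.txt" 2>&1 ; \
lspci -nn > "$RUN_DIR/lspci.txt" 2>&1 ; \
dmesg > "$RUN_DIR/dmesg.txt" 2>&1 ; \
mount > "$RUN_DIR/mount.txt" 2>&1 ; \
df -h > "$RUN_DIR/df.txt" 2>&1 ; \
echo "$STATUS" > "$RUN_DIR/exit-status.txt" ; \
echo "@HOSTNAME@ @VARIANT@ $(date -u +%FT%TZ)" > "$RUN_DIR/build-info.txt" ; \
sync ; \
umount /tmp/s8n-logs || true ; \
fi ; \
exit $STATUS \
'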