# Changelog (production-deb)

Forked from `s8n/debian-s8ns-prefs-iso` (commit d4be55f) on 2026-05-08. Server variant only; laptop/vanilla stripped.

## [0.1.0] — 2026-05-08

### Added

- Initial fork from debian-s8ns-prefs-iso server variant
- Same hardening, interactive LUKS+hostname, DVD-1 offline base, S8N_LOGS partition

---

# Upstream changelog (debian-s8ns-prefs-iso, kept for lineage)

All notable changes to debian-s8ns-prefs-iso. Format inspired by Keep a Changelog.

## [0.4.0] — 2026-05-08

### Added

- **USB log-capture partition** for offline diagnostics. flash.sh creates a 3rd MBR partition (vfat, label `S8N_LOGS`) using all remaining USB free space (~27 GiB on a 32 GiB stick). preseed `early_command` mounts it at `/tmp/s8n-logs`; `late_command` writes a per-run directory with:
  - `syslog`, `installer/` (full d-i logs)
  - `s8n-luks-rekey.log` and `s8n-post-install.log`
  - `lsblk`, `lspci`, `dmesg`, `mount`, `df`, `exit-status`, `build-info`

  Even if late_command's main block fails, the trap-style outer `sh -c` still copies whatever logs exist before unmounting.
- **`scripts/read-usb-logs.sh`** — dumps the latest run's logs from the S8N_LOGS partition. Auto-detects by label or takes `/dev/sdX` as arg. `--copy` flag rsyncs the entire S8N_LOGS contents to `out/usb-logs-/`.
- **flash.sh `--yes` flag** for non-interactive use.

### Changed

- preseed.tpl `late_command` wrapped in trap-style `sh -c` so log-collect runs even if the install body fails. Exit status preserved via captured `$STATUS`.

### Fixed

- (none new — 0.4 is purely additive)

### Operator workflow change

After a failed install, instead of photographing the d-i screen:

1. Pull the USB from the target machine
2. Plug into the build host (onyx)
3.
   Run `sudo scripts/read-usb-logs.sh /dev/sdX` (or just `--copy` to grab everything)

## [0.3.0] — 2026-05-07

### Added

- **install.sh** companion script — apply same shared/post-install/ scripts to an existing Debian system (curl|bash compatible via Forgejo tarball API)
- **Per-build randomized credentials.** User pw `mkpasswd -m yescrypt` 16-char random; LUKS install pw 24-char random. Written to `.creds` mode 0600.
- **LUKS rekey in late_command.** New 32-char random pw added via `cryptsetup luksAddKey`, throwaway slot 0 killed before reboot. Final pw written to `/target/root/luks-pw.txt` mode 0600.
- **Tailscale `--ts-auth-key` build flag.** Bakes one-time tskey into ISO; installed system auto-joins tailnet via systemd oneshot on first boot, then shreds the key file.
- **VM smoke-test harness** at `scripts/test-vm.sh`. QEMU+OVMF, virtio disk + cdrom, 30 GiB qcow2, headless. Phase 1 unattended install + Phase 2 first-boot SSH check.
- **MBA 6,1 driver superset in laptop variant:**
  - `mbpfan` (applesmc fan control), `bluez` `blueman` (BCM4360 BT)
  - `tlp tlp-rdw powertop lm-sensors` (battery / thermals)
  - `firmware-sof-signed` (Haswell HDA SOF fallback)
  - GRUB cmdline: `acpi_backlight=vendor`, `snd_hda_intel.model=mba6`
  - `/etc/modprobe.d/hid_apple.conf` with `fnmode=2 iso_layout=0`
  - `/etc/modules-load.d/apple.conf` for applesmc + coretemp
  - `update-initramfs -u` after modprobe.d edits

### Changed

- **Base ISO: trixie 13.4 stable** (was forky daily). Reason: Debian bug [#1106117](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106117) — forky weekly netinsts ship with kernel/udeb skew producing "no kernel modules" install failures. trixie is a coherent snapshot; intel_iommu=off in grub overlay still solves MBA 6,1 SSD detection on stable kernel 6.12.
- **late_command rewritten** to use `in-target` (with bind-mounted /proc /sys /dev) instead of nested `chroot` (which had no bind-mounts → apt failed).
  Wrapped in `sh -c 'set -e ; ...'` so partial failures abort install.
- **Postinstall payload moves to `/cdrom/postinstall/`** in the ISO; copied to installed system at `/root/s8n-postinstall/` during late_command.
- **ESP image patching via mtools.** Previous v0.2 wrote grub-overlay.cfg into iso9660 namespace at `/EFI/debian/grub.cfg`, which Apple firmware doesn't read. v0.3:
  1. `xorriso -extract /boot/grub/efi.img` to grab the embedded FAT image
  2. `mcopy -i efi.img grub-overlay.cfg ::/efi/debian/grub.cfg` to patch FAT
  3. `xorriso -dev -boot_image any keep -map ... -commit` to splice back
  4. **Direct-dd patched efi.img into the ISO at the El Torito EFI image LBA** because xorriso's `-map` only updates iso9660 namespace, not the ESP-partition data range that MBR partition #2 points to
- **post-install split:** `40-mba61.sh` → `40-broadcom-wl.sh` (any laptop with broadcom-sta-dkms) + `50-mba61.sh` (only Apple Toshiba [1179:010b])
- **install.sh idempotence:** `00-base.sh` skips ufw reset if already active; `10-dark.sh` grep-guards `/etc/environment` append; sshd_config not modified on rerun if already includes our drop-in.

### Fixed (CRITICAL bugs from v0.2 audit)

- **A2-1** `build.sh:65` Bash `HOSTNAME` builtin shadowing — renamed to `HOSTNAME_OPT`, default-variant-host now applies correctly
- **A2-2** `build.sh:71` empty SSH pubkey file → SSH lockout. Use `-s` not `-f`
- **A2-3** `build.sh:103` sha256 grep regex unanchored.
  Now `^${ISO_NAME}: OK$`
- **A2-4** `build.sh:148` chroot-empty branch removed (single in-target path)
- **A2-5** late_command bind-mounts via in-target (apt now works inside)
- **A2-6** flash.sh sed strip → `lsblk -no PKNAME` (handles nvme/mmcblk/RAID)

### Fixed (HIGH security from v0.2 audit)

- **A1-3** late_command wrapped in `sh -c 'set -e'` — fail loud, no silent half-installs claiming success
- **A1-1 / A3-creds** plaintext `changeme` removed; yescrypt hash via `mkpasswd -m yescrypt` baked, plain pw printed once to .creds file 0600
- **A1-2** LUKS pw auto-rotation in late_command; throwaway slot 0 killed before reboot

### Fixed (MED from v0.2 audit)

- **flash.sh** refuses `/dev/mmcblk*`, `/dev/vd*` in addition to nvme/sda
- **build.sh** validates hostname format before render
- **build.sh** drops unused 7z dep check; adds mtools + mkpasswd checks
- **Forgejo URL** `s8n-ru` → `s8n` (user renamed 2026-05-07)

### Known limits / deferred to v0.4+

- VM smoke test currently can't proceed past GRUB on headless QEMU because d-i graphical-install requires VGA framebuffer; no `console=ttyS0` redirection in our overlay. Either: add a "VM serial install" menuentry with console=ttyS0,115200n8, or run VM test with VNC display. **Build-time content checks (xorriso -extract + mdir verify + direct-dd ESP read-back) are the current correctness gate.**
- SHA256SUMS not yet GPG-verified (Debian release key pin pending) — v0.4
- Forgejo SSH key fingerprint not pinned — v0.4
- `install.sh` GRUB persist still uses substring match (not word-boundary) — v0.4
- Server hardening superset (auditd rules, apparmor enforce, faillock, login.defs YESCRYPT, journald persistent+seal, KSPP cmdline, etc.)
  — v0.5
- Reproducible builds (SOURCE_DATE_EPOCH, --modification-date) + Forgejo CI — v1.0

## [0.2.0] — 2026-05-07

### Added

- Smoke-tested 3 variants build clean
- `install.sh` companion script
- Wider firmware coverage in shared pkgsel/include
- post-install split 40-mba61 → 40-broadcom-wl + 50-mba61

### Fixed

- xorriso extract chmod u+w
- ESP grub.cfg uses overlay direct (not extracted)
- LUKS partition path NVMe vs SATA (no more `sdap3`)
- MBR PT preservation via cp + xorriso -dev (was zeroed by `-indev/-outdev`)

## [0.1.0] — 2026-05-07

### Added

- Initial scaffold: build.sh, flash.sh, 3 variants (laptop/server/vanilla)
- shared/preseed.tpl, grub-overlay.cfg.tpl, post-install/, packages/
- APM strip step for single-icon Apple boot
- Forgejo private repo at git.s8n.ru/s8n/debian-s8ns-prefs-iso
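The 0.4.0 entries above describe a `late_command` wrapped in a trap-style `sh -c` that captures `$STATUS`, copies whatever logs exist to the `S8N_LOGS` per-run directory and exits with the original status; `scripts/read-usb-logs.sh` then reads the newest run. The following is an added example of that shape, not the project's `preseed.tpl` or `read-usb-logs.sh`: the mountpoint, the stand-in for `/var/log`, the `late_command.log` file name and the run-directory naming are this example's assumptions, and the failing install body is constructed.

```shell
#!/bin/sh
# Added example, not the project's preseed.tpl. An outer wrapper runs the
# install body under `set -e`, captures its exit status in STATUS, copies
# whatever logs exist into a per-run directory on the S8N_LOGS mount, and
# returns the body's status so d-i still reports the failure.

# Copy the files the changelog lists from $1 (stand-in for /var/log) into $2.
# Every copy is optional: a missing file is diagnostic information, not an error.
collect_logs() {
    src="$1"; dst="$2"
    mkdir -p "$dst/installer"
    for f in syslog s8n-luks-rekey.log s8n-post-install.log; do
        if [ -f "$src/$f" ]; then cp "$src/$f" "$dst/$f"; fi
    done
    if [ -d "$src/installer" ]; then cp -R "$src/installer/." "$dst/installer/"; fi
    # System snapshots; a tool that is absent or fails here is recorded, not fatal.
    for tool in lsblk lspci dmesg mount df; do
        ( "$tool" 2>&1 || echo "$tool: unavailable" ) > "$dst/$tool"
    done
    printf 'collected=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$dst/build-info"
    return 0
}

# Run the install body, then always collect logs and propagate its status.
# $1 = S8N_LOGS mountpoint, $2 = log source dir, $3.. = the body command.
# Prints the per-run directory on stdout; the body's own output goes to a file.
late_command_wrapper() {
    logmnt="$1"; logsrc="$2"; shift 2
    # Per-run directory: UTC timestamp plus a sequence number so two runs in the
    # same second still sort in order (naming is this example's, not the project's).
    n=$(( $(ls -1d "$logmnt"/run-* 2>/dev/null | wc -l) + 0 ))
    run_dir="$logmnt/run-$(date -u +%Y%m%dT%H%M%SZ)-$(printf '%03d' "$n")"
    mkdir -p "$run_dir"
    STATUS=0
    # The body runs in a subshell under set -e: any failing step aborts the body
    # (A1-3, "fail loud") but cannot abort the log collection that follows.
    ( set -e; "$@" ) > "$run_dir/late_command.log" 2>&1 || STATUS=$?
    collect_logs "$logsrc" "$run_dir"
    echo "$STATUS" > "$run_dir/exit-status"
    echo "$run_dir"
    return "$STATUS"
}

# What read-usb-logs.sh does by default: pick the newest run directory.
latest_run_dir() {
    ls -1d "$1"/run-* 2>/dev/null | sort | tail -n 1
}

# Stand-alone demo with a constructed body that fails with exit 3:
#   sh this.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); mkdir -p "$d/logs" "$d/varlog"
    echo "constructed syslog line" > "$d/varlog/syslog"
    late_command_wrapper "$d/logs" "$d/varlog" sh -c 'echo step 1; exit 3' \
        || echo "body exit status: $?"
    cat "$(latest_run_dir "$d/logs")/exit-status"
fi
```

The body's exit status is the wrapper's return value, so a preseed `late_command` built this way still makes d-i show the failure, while the `exit-status` file on the stick tells the operator what the body returned without a photograph of the screen.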
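The v0.2 audit fixes listed under 0.3.0 (A2-1 `HOSTNAME` shadowing, A2-2 `-s` instead of `-f` for the pubkey file, A2-3 the anchored sha256 match, the hostname-format check and the flash.sh device refusals) are each a small input check. The block below is an added example written for this changelog, not `build.sh` or `flash.sh`: the function names are its own, the RFC 1123 label rule used for hostnames and the whole-disk-only rule for USB targets are assumptions beyond what the entries state, and the ISO name in the test is constructed.

```shell
#!/bin/sh
# Added example, not build.sh/flash.sh: the input checks the v0.2 audit fixes
# describe, as standalone functions that run against constructed inputs.

# A2-3: only a line that is exactly "<iso>: OK" from `sha256sum -c` counts.
# $1 = ISO filename, stdin = sha256sum -c output. -x anchors both ends like
# the changelog's ^...: OK$; -F additionally stops "." in the name acting as a
# wildcard, so "other-<iso>: OK" or "<iso>: OKAY" no longer pass.
sha256_verified() {
    grep -Fqx -- "$1: OK"
}

# A2-2: -f is true for an empty file, and an empty authorized key baked into
# the image means no usable key and an SSH lockout. -s requires size > 0.
pubkey_usable() {
    [ -s "$1" ]
}

# build.sh validates hostname format before render. Rule assumed here: RFC 1123
# label, 1-63 chars, alphanumerics and hyphen, no leading or trailing hyphen.
valid_hostname() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# A2-1: HOSTNAME is set by Bash to the build host's name, so reading it as the
# CLI option silently ignored the variant default. Use a distinct variable.
# $1 = value from the hostname option (may be empty), $2 = variant default.
resolve_hostname_opt() {
    HOSTNAME_OPT="$1"
    if [ -z "$HOSTNAME_OPT" ]; then HOSTNAME_OPT="$2"; fi
    printf '%s\n' "$HOSTNAME_OPT"
}

# flash.sh device guard. The changelog names nvme, sda, mmcblk and vd as refused;
# accepting only a whole /dev/sd[b-z] disk (no partition suffix) is this example's
# extra rule, so a partition or an unfamiliar name is refused rather than flashed.
flash_target_allowed() {
    case "$1" in
        /dev/nvme*|/dev/sda*|/dev/mmcblk*|/dev/vd*) return 1 ;;
        /dev/sd[b-z]) return 0 ;;
        *) return 1 ;;
    esac
}
```

Each function returns a shell status so build scripts can use it directly in `if` and `||` lists; the refuse-by-default case in `flash_target_allowed` is what keeps a typo from reaching `dd`.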
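The 0.3.0 "install.sh idempotence" entry (grep-guarded `/etc/environment` append, sshd_config left alone when it already includes the drop-in) and the known limit that the GRUB persist still uses a substring match rather than a word-boundary one both come down to "check for the exact line or word before editing". The following is an added example, not `install.sh`, `10-dark.sh` or `00-base.sh`: paths are passed in so it runs on temp files, the environment line and the `Include` path are constructed samples, and the word-boundary GRUB check goes beyond the substring match the changelog says is still in place.

```shell
#!/bin/sh
# Added example, not install.sh: append-once and exact-line checks so a rerun
# leaves already-configured files untouched. Paths and sample lines are
# arguments or constructed values, not the project's.

# Append $2 to file $1 only if that exact line is not already present.
# Returns 0 either way and prints "added" or "present" for the caller's log.
append_once() {
    file="$1"; line="$2"
    [ -f "$file" ] || : > "$file"
    if grep -Fqx -- "$line" "$file"; then
        echo present
    else
        printf '%s\n' "$line" >> "$file"
        echo added
    fi
}

# sshd_config: is there a live "Include <path>" directive? Field comparison
# ignores spacing and, unlike a substring grep, is not fooled by a commented
# "#Include ..." line. $1 = sshd_config, $2 = include path.
sshd_include_present() {
    awk -v want="$2" '$1 == "Include" && $2 == want { found = 1 }
                      END { exit found ? 0 : 1 }' "$1"
}

# Add the Include at the top when missing (sshd keeps the first value it sees,
# so the drop-in must precede the stock directives). Untouched on rerun.
ensure_sshd_include() {
    cfg="$1"; inc="$2"
    if sshd_include_present "$cfg" "$inc"; then echo present; return 0; fi
    scratch=$(mktemp)
    { printf 'Include %s\n' "$inc"; cat "$cfg"; } > "$scratch"
    cat "$scratch" > "$cfg"   # rewrite in place to keep the file's mode and inode
    rm -f "$scratch"
    echo added
}

# Word-boundary check for a kernel parameter in GRUB_CMDLINE_LINUX_DEFAULT.
# A substring test would report intel_iommu=off present when only
# "xintel_iommu=off" or "intel_iommu=off_foo" is there; compare whole words.
# $1 = /etc/default/grub-style file, $2 = exact parameter such as intel_iommu=off
grub_param_present() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1" |
        awk -v want="$2" '{ for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
                          END { exit found ? 0 : 1 }'
}
```

Running any of these twice is the point: the second call reports `present` and the file is byte-for-byte what the first call left, which is what makes `curl | bash` reruns of the companion script safe.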