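# debian-s8ns-prefs-iso preseed (template)
# @PLACEHOLDERS@ replaced at build time by build.sh
# Variant: @VARIANT@
#
# Preseed semantics to keep in mind when editing:
#   - a key declared twice is "last one wins"; declare every key exactly once
#   - early_command / late_command values are one shell string; the trailing
#     backslashes are preseed line continuations, not shell ones
#   - the expanded command text ends up in d-i's logs, so anything substituted
#     into late_command (incl. @LUKS_INSTALL_PW@) should be considered logged

# === Locale + keyboard ===
d-i debian-installer/locale string en_GB.UTF-8
d-i keyboard-configuration/xkb-keymap select gb

# === Network ===
# Networking is disabled for the whole of d-i (offline DVD-1 install).
# netcfg/hostname is what actually lands in /etc/hostname when netcfg is
# skipped; the get_* keys are kept empty so nothing is ever asked.
d-i netcfg/enable boolean false
d-i netcfg/disable_autoconfig boolean true
d-i netcfg/choose_interface select auto
d-i netcfg/get_hostname string @HOSTNAME@
d-i netcfg/get_domain string
d-i netcfg/hostname string @HOSTNAME@
d-i netcfg/get_nameservers string
d-i netcfg/get_ipaddress string
d-i netcfg/get_netmask string
d-i netcfg/get_gateway string

# === Mirror — OFFLINE install only (DVD-1 has all packages including GNOME) ===
# Disable choose-mirror entirely. DVD-1 base supplies tasksel + apt sources.
# Wifi driver (broadcom-sta-dkms) builds via DKMS post-install once user plugs
# in or runs `tailscale up`; not needed during d-i.
# The HTTP mirror fields below are only sane defaults for anyone who later
# re-enables use_mirror; with use_mirror=false and no network they are inert.
# These apt-setup keys are declared ONLY here — the "Apt" section below must
# not redeclare them (see the note there).
d-i mirror/cdrom_only boolean true
d-i mirror/country string manual
d-i mirror/protocol string http
d-i mirror/http/hostname string deb.debian.org
d-i mirror/http/directory string /debian
d-i mirror/http/proxy string
d-i apt-setup/use_mirror boolean false
d-i apt-setup/services-select multiselect
d-i apt-setup/security_host string
d-i apt-setup/cdrom/set-first boolean true
d-i apt-setup/cdrom/set-next boolean false
d-i apt-setup/cdrom/set-failed boolean false
d-i apt-setup/no_mirror boolean true

# === Clock ===
d-i clock-setup/utc boolean true
d-i time/zone string Europe/London
# NOTE(review): with netcfg/enable=false the in-installer NTP sync presumably
# has no route to a server; confirm it does not just add a timeout delay.
d-i clock-setup/ntp boolean true

# === Users ===
# Root locked, primary user is sudoer.
# Password is yescrypt-crypted at build time via mkpasswd; chage -d 0 in
# late_command forces rotate on first SSH/console login.
d-i passwd/root-login boolean false
d-i passwd/make-user boolean true
d-i passwd/user-fullname string @USERNAME@
d-i passwd/username string @USERNAME@
d-i passwd/user-password-crypted password @USER_PW_CRYPTED@
d-i user-setup/encrypt-home boolean false

# === Partitioning: LUKS LVM, full disk ===
# LUKS install passphrase is generated per-build (random, NOT plaintext
# changeme-luks). late_command rotates it to a fresh random passphrase via
# luksAddKey + luksKillSlot 0 before reboot, so the install-time passphrase
# no longer unlocks anything after the install. It may still be visible in
# the d-i syslog that late_command copies to the S8N_LOGS partition (the
# command text is substituted at build time), which is harmless only because
# slot 0 is killed — never reuse an install passphrase for anything else, and
# treat the S8N_LOGS partition as sensitive.
d-i partman-auto/method string crypto
d-i partman-auto-lvm/guided_size string max
d-i partman-auto/disk string @DISK@
d-i partman-auto/choose_recipe select atomic
d-i partman-auto-crypto/erase_disk boolean true
d-i partman-crypto/passphrase password @LUKS_INSTALL_PW@
d-i partman-crypto/passphrase-again password @LUKS_INSTALL_PW@
# weak_passphrase only silences d-i's strength check; the value is random.
d-i partman-crypto/weak_passphrase boolean true
d-i partman/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
d-i partman-md/confirm boolean true
d-i partman-md/confirm_nooverwrite boolean true
d-i partman-crypto/confirm boolean true
d-i partman-crypto/confirm_nooverwrite boolean true
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-lvm/confirm boolean true
d-i partman-lvm/confirm_nooverwrite boolean true
d-i partman-basicfilesystems/no_swap boolean false

# === Apt ===
# Components only. apt-setup/use_mirror, apt-setup/services-select and
# apt-setup/cdrom/set-first are set ONCE in the Mirror section (offline).
# An earlier revision redeclared them here with opposite values
# (use_mirror=true, services "security, updates", cdrom/set-first=false);
# because preseed is last-wins that silently re-enabled a network mirror that
# netcfg/enable=false cannot reach. Security/updates sources therefore have to
# be added post-install (run.sh / operator), once the machine is online.
d-i apt-setup/non-free-firmware boolean true
d-i apt-setup/non-free boolean true
d-i apt-setup/contrib boolean true

# === Tasksel ===
tasksel tasksel/first multiselect @TASKSEL_TASKS@

# === Extra packages (common to all variants) ===
# Firmware blobs so wifi/eth/CPU microcode work on first boot.
# broadcom-sta-dkms (BCM4360 wl driver) is in laptop.list because it requires
# DKMS build + linux-headers — handled in late_command via in-target apt.
d-i pkgsel/include string sudo curl wget rsync git ca-certificates unattended-upgrades apt-listchanges chrony python3 python3-apt firmware-iwlwifi firmware-realtek firmware-atheros firmware-misc-nonfree firmware-brcm80211 firmware-bnx2 firmware-bnx2x firmware-libertas firmware-zd1211 firmware-ti-connectivity intel-microcode amd64-microcode
d-i pkgsel/upgrade select full-upgrade
d-i pkgsel/update-policy select unattended-upgrades
d-i pkgsel/install-language-support boolean false
popularity-contest popularity-contest/participate boolean false

# === GRUB ===
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean true
d-i grub-installer/bootdev string @DISK@

# === Reboot when done ===
d-i finish-install/reboot_in_progress note
d-i debian-installer/exit/reboot boolean true

# === Early command — mount S8N_LOGS partition (3rd MBR entry on USB) ===
# flash.sh creates a vfat partition labeled S8N_LOGS for collecting install
# logs. It is mounted at /tmp/s8n-logs (writable during install); /target does
# not exist yet when early_command runs, so nothing is mounted inside the
# target here. Found by label (blkid -L), so it works across sd? / nvme?.
# Everything is best-effort: a missing/unmountable partition must not abort
# the install, it only means no log copy at the end.
d-i preseed/early_command string \
    set +e ; \
    mkdir -p /tmp/s8n-logs ; \
    DEV=$(blkid -L S8N_LOGS 2>/dev/null) ; \
    if [ -n "$DEV" ] ; then \
        mount -t vfat "$DEV" /tmp/s8n-logs && \
        echo "[s8n] mounted log partition $DEV at /tmp/s8n-logs" >> /tmp/s8n-logs/early.log && \
        date -u +%FT%TZ >> /tmp/s8n-logs/early.log ; \
    fi ; \
    set -e

# === Late command — install steps run under set -e in a subshell ===
# Steps (in the subshell; the first failure aborts the remaining steps):
# 1. Bind-mount /cdrom inside target so files stay reachable after pivot
# 2. Copy postinstall payload into installed system at /root/s8n-postinstall
# 3. Place SSH authorized_keys atomically (.tmp then mv). Ownership is set via
#    in-target because @USERNAME@ only exists in /target/etc/passwd — plain
#    install -o / chown from the d-i environment cannot resolve that name.
#    build.sh must substitute a key containing no ' or $ (it sits inside the
#    sh -c string).
# 4. Force user-pw rotation on first login (chage -d 0)
# 5. Rotate LUKS keyslot — kill the install-time pw, fresh random pw written
#    to /target/root/luks-pw.txt mode 0600 (operator reads, transcribes, deletes)
# 6. Run in-target /root/s8n-postinstall/run.sh — DKMS, ufw, dark theme, etc.
# Always (after the subshell, whatever its status):
# 7. Unmount /cdrom from the target (best-effort) so a failed step 6 does not
#    leave a bind mount under /target for finish-install to trip over.
# 8. Copy d-i logs + post-install log to S8N_LOGS partition (USB) for offline
#    diagnostics. A subshell is used rather than { } precisely so that set -e
#    in the steps cannot exit the outer sh before this copy runs, and so the
#    diagnostic commands here are not themselves subject to set -e.
#    /var/log/installer may not exist yet at this point (finish-install
#    populates it later), hence the best-effort cp. Mounted at /tmp/s8n-logs
#    by early_command.
# 9. exit with the subshell's status so a failed step still fails the install.
d-i preseed/late_command string sh -c '\
( \
set -e ; \
mkdir -p /target/cdrom ; \
mount --bind /cdrom /target/cdrom ; \
cp -r /cdrom/postinstall /target/root/s8n-postinstall ; \
chmod +x /target/root/s8n-postinstall/run.sh /target/root/s8n-postinstall/scripts/*.sh /target/root/s8n-postinstall/luks-rekey.sh ; \
in-target install -d -m 700 -o @USERNAME@ -g @USERNAME@ /home/@USERNAME@/.ssh ; \
printf "%s\n" "@SSH_PUBKEY@" > /target/home/@USERNAME@/.ssh/authorized_keys.tmp ; \
chmod 600 /target/home/@USERNAME@/.ssh/authorized_keys.tmp ; \
in-target chown @USERNAME@:@USERNAME@ /home/@USERNAME@/.ssh/authorized_keys.tmp ; \
mv /target/home/@USERNAME@/.ssh/authorized_keys.tmp /target/home/@USERNAME@/.ssh/authorized_keys ; \
in-target chage -d 0 @USERNAME@ ; \
sh /target/root/s8n-postinstall/luks-rekey.sh "@LUKS_INSTALL_PW@" ; \
in-target sh -e /root/s8n-postinstall/run.sh ; \
) ; STATUS=$? ; \
umount /target/cdrom 2>/dev/null || true ; \
rmdir /target/cdrom 2>/dev/null || true ; \
if mountpoint -q /tmp/s8n-logs ; then \
RUN_DIR=/tmp/s8n-logs/run-$(date -u +%Y%m%dT%H%M%SZ) ; \
mkdir -p "$RUN_DIR" ; \
cp -r /var/log/syslog /var/log/installer "$RUN_DIR/" 2>/dev/null || true ; \
cp /var/log/s8n-luks-rekey.log "$RUN_DIR/" 2>/dev/null || true ; \
cp /target/var/log/s8n-post-install.log "$RUN_DIR/" 2>/dev/null || true ; \
lsblk > "$RUN_DIR/lsblk.txt" 2>&1 ; \
lspci -nn > "$RUN_DIR/lspci.txt" 2>&1 ; \
dmesg > "$RUN_DIR/dmesg.txt" 2>&1 ; \
mount > "$RUN_DIR/mount.txt" 2>&1 ; \
df -h > "$RUN_DIR/df.txt" 2>&1 ; \
echo "$STATUS" > "$RUN_DIR/exit-status.txt" ; \
echo "@HOSTNAME@ @VARIANT@ $(date -u +%FT%TZ)" > "$RUN_DIR/build-info.txt" ; \
sync ; \
umount /tmp/s8n-logs || true ; \
fi ; \
exit $STATUS \
'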