# production-deb

Production Debian server ISO builder. Hardened headless. Interactive LUKS + hostname at install time. user pw `123` (forced rotate first login). SSH key pre-placed for instant remote access.

Forked from `s8n/debian-s8ns-prefs-iso` server variant; non-server variants (laptop/vanilla) stripped. This repo is the canonical production server build.

## Install behavior

Boot the flashed USB. Two prompts at console:

1. **Hostname** — typed (default = `server-host`)
2. **LUKS passphrase** — set in person, NOT preseeded

Everything else unattended:

- Debian 13.4 trixie (DVD-1 base, offline-capable — no mirror needed)
- LUKS+LVM atomic, encrypted root
- User `user`, pw `123`, sudo, forced rotate on first SSH login (`chage -d 0`)
- SSH ed25519 key from `~/.ssh/id_ed25519.pub` pre-placed in `/home/user/.ssh/authorized_keys`
- sshd hardened: pubkey-only, no root, no password auth
- ufw default-deny, allow 22/tcp
- fail2ban + auditd + apparmor enforce + libpam-pwquality
- dropbear-initramfs + cryptsetup-initramfs (LUKS unlock-via-SSH on boot)
- Tailscale client installed, manual `tailscale up --login-server=https://hs.s8n.ru` post-boot

## Usage

```
./build.sh --variant server --hostname --disk /dev/nvme0n1
sudo ./flash.sh --yes /dev/sdX out/debian-s8ns-server-DATE.iso
```

(Variant is always `server` in this repo; flag retained for compat with the parent project's build.sh.)

After install completes:

```
ssh user@    # PAM forces pw change → set new pw → shell
```

## Layout

```
build.sh                  ISO factory (DVD-1 base, hd-media kernel, mtools ESP edit)
flash.sh                  safe USB flash + adds S8N_LOGS log-capture partition
install.sh                curl|bash post-install applier for existing systems
variants/server.cfg       hardening prefs, INTERACTIVE_LUKS=1, INTERACTIVE_HOSTNAME=1
shared/
  preseed.tpl             offline preseed + late_command (LUKS rekey, post-install)
  grub-overlay.cfg.tpl    ESP grub.cfg with priority=high
  packages/server.list    ufw fail2ban auditd apparmor dropbear-initramfs etc.
  post-install/
    00-base.sh            extra pkgs, sysctl hardening, ufw, unattended-upgrades
    20-ssh.sh             sshd hardening (key-only, no root)
    30-tailscale.sh       install client only (manual login post-install)
scripts/
  test-vm.sh              QEMU+OVMF smoke test harness
  read-usb-logs.sh        offline log dump from S8N_LOGS partition (post-failure)
```

## Hardening posture

Currently: G1-G6 + B1-B4 from veilor-server-bootstrap baseline. Per `debian-s8ns-prefs-iso/AUDIT.md` the v0.5 superset is queued — covered in the parent repo's roadmap.

## Defaults

- Locale: `en_GB.UTF-8`, keymap `gb`, timezone `Europe/London`
- Mirror: cdrom-only at install (DVD-1 has all packages; no internet required)
- Logs: install-time logs land on the USB's `S8N_LOGS` (sda3) partition for offline diagnostics — `sudo scripts/read-usb-logs.sh /dev/sdX3 --copy`

## Why a separate repo

`debian-s8ns-prefs-iso` is the multi-variant playground (laptop/server/vanilla). `production-deb` is the production-server-only canonical path. Changes here should preserve the "boot, prompt 2 things, walk away" property.
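A post-install check for the sshd posture this README promises (pubkey-only, no root, no password auth, applied by `20-ssh.sh`), added here as an example and not part of this repo: it reads the first effective value of each directive the way sshd does (first occurrence wins, `Match` blocks excluded) and reports any that differ. It does not follow `Include` lines, so on Debian feed it the output of `sudo sshd -T`, which already resolves drop-ins and defaults.

```sh
#!/bin/sh
# Verify that an sshd config enforces the hardening this README claims.
# Works on a raw sshd_config or on `sshd -T` output (both are "keyword value"
# lines; sshd keywords are case-insensitive and the FIRST setting wins).
# Usage: sshd_hardening_check FILE   -> prints FAIL lines, returns 1 on any miss

# first_value FILE KEYWORD: first effective value of KEYWORD in the global
# section. Comments are skipped and parsing stops at the first Match block,
# because per-user/per-host overrides there do not change the global policy.
first_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# sshd_hardening_check FILE: compare the three directives against the values
# the README states and print one FAIL line per deviation.
sshd_hardening_check() {
    cfg="$1"; rc=0
    for spec in "PasswordAuthentication=no" "PermitRootLogin=no" "PubkeyAuthentication=yes"; do
        key="${spec%%=*}"; want="${spec#*=}"
        got="$(first_value "$cfg" "$key")"
        # An unset directive means sshd's compiled-in default applies; only
        # PubkeyAuthentication defaults to the hardened value. The upstream
        # defaults for the other two (yes / prohibit-password) are treated as
        # misses because the README requires an explicit "no".
        if [ -z "$got" ]; then
            [ "$key" = "PubkeyAuthentication" ] && got="yes (default)"
        fi
        case "$got" in
            "$want"|"$want (default)") ;;
            *) echo "FAIL: $key is '${got:-unset}', expected $want"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run it on the installed host with `sudo sshd -T > /tmp/sshd-effective.conf && sshd_hardening_check /tmp/sshd-effective.conf`; a clean run prints nothing and exits 0.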