Production Debian server ISO builder. Hardened headless (sshd-only, ufw, fail2ban, apparmor, auditd, KSPP). Interactive LUKS+hostname at install. Forked from s8n/debian-s8ns-prefs-iso server variant. user/123 forced rotate.
obsidian-ai 0f5bbf004a fork: production-deb v0.1.0 from debian-s8ns-prefs-iso server variant
Server-only canonical production Debian build. Drops laptop/vanilla
variants. Interactive LUKS + hostname at install. user/123 forced rotate.
DVD-1 offline base. S8N_LOGS log-capture partition.

Lineage: forked from s8n/debian-s8ns-prefs-iso commit d4be55f.
2026-05-08 13:53:38 +01:00

production-deb

Production Debian server ISO builder. Hardened headless. Interactive LUKS + hostname at install time. Account user, password 123 (forced rotation at first login). SSH key pre-placed for instant remote access.

Forked from s8n/debian-s8ns-prefs-iso server variant; non-server variants (laptop/vanilla) stripped. This repo is the canonical production server build.

Install behavior

Boot the flashed USB. Two prompts at console:

  1. Hostname — typed (default = server-host)
  2. LUKS passphrase — set in person, NOT preseeded

Everything else unattended:

  • Debian 13.4 trixie (DVD-1 base, offline-capable — no mirror needed)
  • LUKS+LVM atomic, encrypted root
  • Account user, password 123, sudo-enabled; forced password rotation on first SSH login (chage -d 0)
  • SSH ed25519 key from ~/.ssh/id_ed25519.pub pre-placed in /home/user/.ssh/authorized_keys
  • sshd hardened: pubkey-only, no root, no password auth
  • ufw default-deny, allow 22/tcp
  • fail2ban + auditd + apparmor enforce + libpam-pwquality
  • dropbear-initramfs + cryptsetup-initramfs (LUKS unlock-via-SSH on boot)
  • Tailscale client installed; tailscale up --login-server=https://hs.s8n.ru is run manually post-boot

Usage

./build.sh --variant server --hostname <name> --disk /dev/nvme0n1
sudo ./flash.sh --yes /dev/sdX out/debian-s8ns-server-DATE.iso

(Variant is always server in this repo; flag retained for compat with the parent project's build.sh.)

After install completes:

ssh user@<hostname>
# PAM forces pw change → set new pw → shell
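
An added post-install posture check (example code, not part of production-deb or its post-install scripts) that verifies the sshd state and the pending first-login rotation described in the hardening list above. It assumes it is run as root on the installed host so that sshd -T and chage -l work; the file and function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical post-install posture check (added example, not part of
# production-deb). It confirms the state the hardening list promises:
# sshd pubkey-only / no root / no password auth, and user forced to rotate
# the 123 password on first login (chage -d 0). Both checks read the tool's
# output on stdin so they can be exercised offline against constructed samples.

# Effective sshd values expected after 20-ssh.sh, as `sshd -T` prints them.
SSHD_EXPECTED='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
kbdinteractiveauthentication no'

# check_sshd_policy: reads `sshd -T` output on stdin, prints one FAIL line per
# keyword that is missing or differs, returns 0 only if every keyword matches.
check_sshd_policy() {
    dump=$(cat)
    status=0
    while read -r key want; do
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2 }')
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s: expected %s, got %s\n' "$key" "$want" "${got:-<unset>}"
            status=1
        fi
    done <<EOF
$SSHD_EXPECTED
EOF
    return $status
}

# check_forced_rotate: reads `chage -l user` output on stdin; succeeds only
# while the account is still in the "must change at next login" state, i.e.
# before the first SSH login has rotated the password.
check_forced_rotate() {
    grep -q 'Last password change.*password must be changed'
}

# audit_live_system: run both checks on the installed host (root needed for sshd -T).
audit_live_system() {
    sshd -T | check_sshd_policy && chage -l user | check_forced_rotate
}

# Only touch the live system when explicitly asked: sudo sh check-posture.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_live_system
fi
```

The forced-rotation check is meaningful only between install and the first SSH login; once the password has been rotated it reports failure by design.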

Layout

build.sh                ISO factory (DVD-1 base, hd-media kernel, mtools ESP edit)
flash.sh                safe USB flash + adds S8N_LOGS log-capture partition
install.sh              curl|bash post-install applier for existing systems
variants/server.cfg     hardening prefs, INTERACTIVE_LUKS=1, INTERACTIVE_HOSTNAME=1
shared/
  preseed.tpl           offline preseed + late_command (LUKS rekey, post-install)
  grub-overlay.cfg.tpl  ESP grub.cfg with priority=high
  packages/server.list  ufw fail2ban auditd apparmor dropbear-initramfs etc.
  post-install/
    00-base.sh          extra pkgs, sysctl hardening, ufw, unattended-upgrades
    20-ssh.sh           sshd hardening (key-only, no root)
    30-tailscale.sh     install client only (manual login post-install)
scripts/
  test-vm.sh            QEMU+OVMF smoke test harness
  read-usb-logs.sh      offline log dump from S8N_LOGS partition (post-failure)

Hardening posture

Currently implements G1-G6 and B1-B4 from the veilor-server-bootstrap baseline. The v0.5 superset described in debian-s8ns-prefs-iso/AUDIT.md is queued and tracked in the parent repo's roadmap.

Defaults

  • Locale: en_GB.UTF-8, keymap gb, timezone Europe/London
  • Mirror: cdrom-only at install (DVD-1 has all packages; no internet required)
  • Logs: install-time logs land on the USB's S8N_LOGS partition (sda3) for offline diagnostics; read them with sudo scripts/read-usb-logs.sh /dev/sdX3 --copy

Why a separate repo

debian-s8ns-prefs-iso is the multi-variant playground (laptop/server/vanilla). production-deb is the production-server-only canonical path. Changes here should preserve the "boot, prompt 2 things, walk away" property.