obsidian-ai 0f5bbf004a fork: production-deb v0.1.0 from debian-s8ns-prefs-iso server variant
Server-only canonical production Debian build. Drops laptop/vanilla
variants. Interactive LUKS + hostname at install. user/123 forced rotate.
DVD-1 offline base. S8N_LOGS log-capture partition.

Lineage: forked from s8n/debian-s8ns-prefs-iso commit d4be55f.
2026-05-08 13:53:38 +01:00


# production-deb
Production Debian server ISO builder: a hardened, headless install. The only
interactive steps are the LUKS passphrase and the hostname, both entered at
install time. The `user` account ships with password `123` and an expired
password age, so the first interactive login forces a change. An SSH public key
is baked into the image for immediate remote access.

Forked from the `server` variant of `s8n/debian-s8ns-prefs-iso`; the non-server
variants (laptop/vanilla) are stripped. This repo is the canonical production
server build.

## Install behavior
Boot the flashed USB. Two prompts appear at the console:

1. **Hostname**: typed at the prompt (default `server-host`)
2. **LUKS passphrase**: set in person at the console, never preseeded (the
   preseed deliberately leaves this question unanswered so d-i has to ask)

Everything else unattended:
- Debian 13.4 (trixie), installed from the DVD-1 image as the only apt source,
  so no mirror and no network are needed during install
- LUKS + LVM using d-i's `atomic` partitioning recipe (everything in one root
  volume); the root filesystem is encrypted
- User `user`, password `123`, in `sudo`. `chage -d 0` marks the password as
  expired, so PAM forces a change at the first interactive login. That includes
  key-based SSH logins as long as sshd keeps `UsePAM yes`. Until the change
  happens, `123` is still valid for `sudo` and at the physical console (never
  over SSH, because password authentication is disabled), so log in and rotate
  it promptly after first boot
- The builder's SSH public key (`~/.ssh/id_ed25519.pub` on the build host) is
  copied into `/home/user/.ssh/authorized_keys` at install time
- sshd hardened: pubkey-only, `PermitRootLogin no`, `PasswordAuthentication no`
- ufw default-deny inbound, allow 22/tcp
- fail2ban, auditd, AppArmor in enforce mode, libpam-pwquality (its complexity
  rules apply to the forced rotation)
- dropbear-initramfs + cryptsetup-initramfs: the LUKS root can be unlocked over
  SSH at boot (`ssh root@<hostname> cryptroot-unlock` against dropbear). Note
  that dropbear has its own host key and its own `authorized_keys` file (by
  default under `/etc/dropbear/initramfs/`, separate from the user's), and it
  listens on port 22 by default, so expect a host-key mismatch warning between
  the initramfs and the booted system unless dropbear is bound to another port
- Tailscale client installed but not joined; run
  `tailscale up --login-server=https://hs.s8n.ru` manually after first boot
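
The repo's `shared/preseed.tpl` is not reproduced on this page. As an added illustration (not the project's own template), the following d-i preseed fragment produces exactly the two prompts above: every other answer is seeded, the hostname is seeded but flagged `seen false` so d-i still shows the dialog with the default filled in, and `partman-crypto/passphrase` is left out so the passphrase dialog runs. The key location on the ISO (`/cdrom/s8n/id_ed25519.pub`), the target disk and the package list are assumptions for the example.

```text
# Added example, not production-deb's shared/preseed.tpl. Assumes the ISO carries
# the public key at /cdrom/s8n/id_ed25519.pub and targets /dev/nvme0n1.

# Locale / keymap / timezone: seeded, never asked
d-i debian-installer/locale string en_GB.UTF-8
d-i keyboard-configuration/xkb-keymap select gb
d-i time/zone string Europe/London
d-i clock-setup/utc boolean true

# Prompt 1: hostname. Seeded with the default but flagged "seen false",
# so d-i still shows the dialog with server-host pre-filled.
d-i netcfg/get_hostname string server-host
d-i netcfg/get_hostname seen false
d-i netcfg/get_domain string local

# Offline install: the DVD is the only apt source, no mirror step
d-i apt-setup/use_mirror boolean false
d-i apt-setup/cdrom/set-next boolean false
d-i apt-setup/cdrom/set-failed boolean false

# Prompt 2: LUKS passphrase. partman-crypto/passphrase is deliberately absent;
# everything else about partitioning is answered.
d-i partman-auto/disk string /dev/nvme0n1
d-i partman-auto/method string crypto
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-md/device_remove_md boolean true
d-i partman-lvm/confirm boolean true
d-i partman-lvm/confirm_nooverwrite boolean true
d-i partman-auto-lvm/guided_size string max
d-i partman-auto/choose_recipe select atomic
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true

# Accounts: root login disabled (the first user gets sudo), user/123
d-i passwd/root-login boolean false
d-i passwd/user-fullname string user
d-i passwd/username string user
d-i passwd/user-password password 123
d-i passwd/user-password-again password 123

tasksel tasksel/first multiselect standard, ssh-server
d-i pkgsel/include string sudo ufw fail2ban auditd apparmor libpam-pwquality dropbear-initramfs cryptsetup-initramfs

# Post-install: expire the password so PAM forces rotation on first login,
# and pre-place the SSH key with correct ownership and modes.
d-i preseed/late_command string \
    in-target chage -d 0 user ; \
    mkdir -p /target/home/user/.ssh ; \
    cp /cdrom/s8n/id_ed25519.pub /target/home/user/.ssh/authorized_keys ; \
    in-target chown -R user:user /home/user/.ssh ; \
    in-target chmod 700 /home/user/.ssh ; \
    in-target chmod 600 /home/user/.ssh/authorized_keys
d-i finish-install/reboot_in_progress note
```

The `seen false` trick is what keeps the hostname interactive with a default; with `priority=high` in the ESP grub.cfg, d-i asks only questions that are unseeded, which is why the passphrase line must stay absent rather than be seeded with a placeholder.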
## Usage
```
./build.sh --variant server --hostname <name> --disk /dev/nvme0n1
sudo ./flash.sh --yes /dev/sdX out/debian-s8ns-server-DATE.iso
```
(Variant is always `server` in this repo; flag retained for compat with the
parent project's build.sh.)
After install completes:
```
ssh user@<hostname>
# PAM forces pw change → set new pw → shell
```
## Layout
```
build.sh                ISO factory (DVD-1 base, hd-media kernel, mtools ESP edit)
flash.sh                safe USB flash + adds S8N_LOGS log-capture partition
install.sh              curl|bash post-install applier for existing systems
variants/server.cfg     hardening prefs, INTERACTIVE_LUKS=1, INTERACTIVE_HOSTNAME=1
shared/
  preseed.tpl           offline preseed + late_command (LUKS rekey, post-install)
  grub-overlay.cfg.tpl  ESP grub.cfg with priority=high
  packages/server.list  ufw fail2ban auditd apparmor dropbear-initramfs etc.
post-install/
  00-base.sh            extra pkgs, sysctl hardening, ufw, unattended-upgrades
  20-ssh.sh             sshd hardening (key-only, no root)
  30-tailscale.sh       install client only (manual login post-install)
scripts/
  test-vm.sh            QEMU+OVMF smoke test harness
  read-usb-logs.sh      offline log dump from S8N_LOGS partition (post-failure)
```
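
`20-ssh.sh` is not shown on this page, but whatever it writes is only effective if nothing earlier in sshd's parse order contradicts it: sshd takes the FIRST occurrence of a directive, and Debian's `/etc/ssh/sshd_config` starts with `Include /etc/ssh/sshd_config.d/*.conf`, so a stray drop-in that sorts before the hardened one silently wins. The following checker is an added example (not code from production-deb) that resolves the effective value with those semantics and verifies the three directives the README promises; the drop-in file names are constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from production-deb. Resolves the *effective* value of
# an sshd_config directive the way sshd does: the FIRST occurrence of a keyword
# wins, keywords are case-insensitive, and everything after a Match line is
# conditional (not counted as the global value here). Files are read in the
# order given, so list the sshd_config.d/ drop-ins first to mirror Debian's
# top-of-file Include. Only the "Keyword value" form is parsed, not "Keyword=value".

# sshd_effective KEYWORD FILE...  -> prints the winning value, or nothing if unset
sshd_effective() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    awk -v want="$want" '
        /^[ \t]*#/ { next }                        # comment lines (sshd only honours whole-line #)
        NF == 0 { next }                           # blank lines
        tolower($1) == "match" { inmatch = 1 }     # rest of the file is conditional
        inmatch { next }
        tolower($1) == want && !done { $1 = ""; sub(/^[ \t]+/, ""); print; done = 1 }
    ' "$@"
}

# sshd_check FILE...  -> 0 if the three directives the hardening step must enforce
# resolve correctly, 1 otherwise. Unset directives fall back to sshd's compiled-in
# defaults (PasswordAuthentication yes, PermitRootLogin prohibit-password,
# PubkeyAuthentication yes), which is why an *absent* PasswordAuthentication fails.
sshd_check() {
    rc=0
    for pair in PasswordAuthentication=no PermitRootLogin=no PubkeyAuthentication=yes; do
        k=${pair%%=*}; expect=${pair#*=}
        got=$(sshd_effective "$k" "$@")
        if [ -z "$got" ]; then
            case $k in
                PasswordAuthentication) got=yes ;;
                PermitRootLogin)        got=prohibit-password ;;
                PubkeyAuthentication)   got=yes ;;
            esac
        fi
        if [ "$got" != "$expect" ]; then
            printf 'FAIL %-22s effective=%s want=%s\n' "$k" "$got" "$expect"
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed files (not real system configs): a vendor drop-in that
# re-enables passwords sorts before the hardened one and therefore wins.
tmp=$(mktemp -d)
printf 'PasswordAuthentication yes\n' > "$tmp/10-vendor.conf"
cat > "$tmp/20-hardened.conf" <<'EOF'
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
Match User backup
# conditional block: must not be taken as the global PermitRootLogin value
PermitRootLogin yes
EOF
echo "hardened file alone:"
sshd_check "$tmp/20-hardened.conf" && echo "  ok"
echo "with vendor drop-in first:"
sshd_check "$tmp/10-vendor.conf" "$tmp/20-hardened.conf" || echo "  hardening NOT effective"
rm -rf "$tmp"
```

On a live host, run it against the real parse order, `sshd_check /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config`, or simply compare with `sshd -T`, which prints the daemon's own resolved values.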
## Hardening posture
Currently: G1-G6 + B1-B4 from the veilor-server-bootstrap baseline. Per
`debian-s8ns-prefs-iso/AUDIT.md` the v0.5 superset is queued; it is tracked in
the parent repo's roadmap.

## Defaults
- Locale: `en_GB.UTF-8`, keymap `gb`, timezone `Europe/London`
- Mirror: cdrom-only at install (DVD-1 carries every package the build pulls in;
  no internet required)
- Logs: install-time logs are written to the USB's `S8N_LOGS` partition (the
  third partition, `/dev/sdX3`; the device letter varies by host, and
  `blkid -L S8N_LOGS` resolves it by label) for offline diagnostics:
  `sudo scripts/read-usb-logs.sh /dev/sdX3 --copy`

## Why a separate repo
`debian-s8ns-prefs-iso` is the multi-variant playground (laptop/server/vanilla).
`production-deb` is the production-server-only canonical path. Changes here
should preserve the "boot, prompt 2 things, walk away" property.