production-deb/shared/post-install/00-base.sh
obsidian-ai 0f5bbf004a fork: production-deb v0.1.0 from debian-s8ns-prefs-iso server variant
Server-only canonical production Debian build. Drops laptop/vanilla
variants. Interactive LUKS + hostname at install. user/123 forced rotate.
DVD-1 offline base. S8N_LOGS log-capture partition.

Lineage: forked from s8n/debian-s8ns-prefs-iso commit d4be55f.
2026-05-08 13:53:38 +01:00


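#!/bin/sh
# 00-base.sh — install variant extra packages, baseline sysctl + ufw.
# Runs in-target (already inside installed system's chroot, /proc /sys /dev
# bind-mounted by d-i, /etc/resolv.conf working, apt sources configured).
#
# Each step is written to be safe on re-run. Any failing command aborts the
# whole script (set -e) and the caller treats that as a hard install failure.
set -eu

LIST=/root/s8n-postinstall/extra.list

#######################################
# Install the packages listed in $LIST (one name per line; blank lines and
# '#' comment lines are ignored). No-op when the list is missing or has no
# package lines, so `apt-get update` is only run when there is work to do.
# Globals:   LIST (read)
# Returns:   0 when nothing to install; aborts via set -e if apt-get fails
#######################################
install_extra_packages() {
  pkgs=
  if [ -s "$LIST" ]; then
    # [[:space:]] rather than \s: \s is a GNU extension, not POSIX ERE.
    pkgs=$(grep -vE '^[[:space:]]*(#|$)' "$LIST" | tr '\n' ' ')
  fi
  if [ -z "$pkgs" ]; then
    echo "[00] no extra packages listed in $LIST, skipping"
    return 0
  fi
  echo "[00] installing extra packages from $LIST"
  apt-get update
  # $pkgs is deliberately unquoted so each name becomes its own argument.
  # extra.list is repo-controlled, so its entries are trusted; `--` only
  # stops a name that happens to start with '-' from being parsed as a flag.
  # shellcheck disable=SC2086
  DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends -- $pkgs
}

#######################################
# Write the sysctl hardening baseline. Only the drop-in is written here; the
# values take effect at first boot when sysctl.d is applied.
# Both the `all` and `default` keys are set for the per-interface
# net.ipv{4,6}.conf.* knobs: `all` covers interfaces that exist when the
# values are applied, `default` seeds interfaces created afterwards (VPN
# tunnels, bridges, container veths). Setting only `all` leaves later
# interfaces at the kernel defaults.
# Outputs:   /etc/sysctl.d/90-s8n.conf (overwritten)
#######################################
write_sysctl_baseline() {
  echo "[00] applying sysctl hardening"
  cat > /etc/sysctl.d/90-s8n.conf <<'SYSCTL'
# Personal sysctl baseline (server build).
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
fs.protected_hardlinks=1
fs.protected_symlinks=1
fs.protected_fifos=2
fs.protected_regular=2
SYSCTL
}

#######################################
# Set up ufw with a deny-inbound / allow-outbound policy and SSH allowed.
# Skipped when ufw is not installed. If ufw is already active the existing
# ruleset is left untouched so a re-run does not wipe user-added rules.
# Returns:   0 when skipped; aborts via set -e if a ufw command fails
#######################################
configure_ufw() {
  echo "[00] enabling ufw (if installed)"
  if ! command -v ufw >/dev/null 2>&1; then
    echo "[00] ufw not installed, skipping"
    return 0
  fi
  # `ufw status` failing (e.g. no usable netfilter in the chroot) produces
  # no output, so the check falls through to the fresh-setup path.
  if ufw status 2>/dev/null | grep -q '^Status: active'; then
    echo "[00] ufw already active, skipping reset"
    return 0
  fi
  ufw --force reset
  ufw default deny incoming
  ufw default allow outgoing
  # SSH is the only inbound service in the server baseline.
  ufw allow 22/tcp
  ufw --force enable
}

#######################################
# Enable the unattended-upgrades service when its apt config is present
# (the file is shipped by the package, so it doubles as an "installed" check).
# Enabling is best-effort: a failure here must not abort the rest of the
# post-install, hence `|| true`.
#######################################
enable_unattended_upgrades() {
  echo "[00] enabling unattended-upgrades"
  if [ -f /etc/apt/apt.conf.d/50unattended-upgrades ]; then
    systemctl enable unattended-upgrades || true
  fi
}

main() {
  install_extra_packages
  write_sysctl_baseline
  configure_ufw
  enable_unattended_upgrades
}

main "$@"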