production-deb/CHANGELOG.md
obsidian-ai 0f5bbf004a fork: production-deb v0.1.0 from debian-s8ns-prefs-iso server variant
Server-only canonical production Debian build. Drops laptop/vanilla
variants. Interactive LUKS + hostname at install. user/123 forced rotate.
DVD-1 offline base. S8N_LOGS log-capture partition.

Lineage: forked from s8n/debian-s8ns-prefs-iso commit d4be55f.
2026-05-08 13:53:38 +01:00


Changelog (production-deb)

Forked from s8n/debian-s8ns-prefs-iso (commit d4be55f) on 2026-05-08. Server variant only; laptop/vanilla stripped.

[0.1.0] — 2026-05-08

Added

  • Initial fork from debian-s8ns-prefs-iso server variant
  • Same hardening, interactive LUKS+hostname, DVD-1 offline base, S8N_LOGS partition

Upstream changelog (debian-s8ns-prefs-iso, kept for lineage)

All notable changes to debian-s8ns-prefs-iso. Format inspired by Keep a Changelog.

[0.4.0] — 2026-05-08

Added

  • USB log-capture partition for offline diagnostics. flash.sh creates a 3rd MBR partition (vfat, label S8N_LOGS) using all remaining USB free space (~27 GiB on a 32 GiB stick). preseed early_command mounts it at /tmp/s8n-logs; late_command writes a per-run directory with:
    • syslog, installer/ (full d-i logs)
    • s8n-luks-rekey.log and s8n-post-install.log
    • lsblk, lspci, dmesg, mount, df, exit-status, build-info
    Even if late_command's main block fails, the trap-style outer sh -c still copies whatever logs exist before unmounting.
  • scripts/read-usb-logs.sh — dumps the latest run's logs from the S8N_LOGS partition. Auto-detects by label or takes /dev/sdX as arg. --copy flag rsyncs the entire S8N_LOGS contents to out/usb-logs-<ts>/.
  • flash.sh --yes flag for non-interactive use.

Changed

  • preseed.tpl late_command wrapped in trap-style sh -c so log-collect runs even if the install body fails. Exit status preserved via captured $STATUS.
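The wrapper shape described above (inner set -e body, captured $STATUS, unconditional log collection into a per-run directory), as an added example; this is not the project's preseed.tpl. It assumes a plain directory standing in for the mounted S8N_LOGS partition and another for /var/log/installer, and a shell snippet standing in for the real in-target install body; the real late_command additionally unmounts the partition after sync.

```shell
#!/bin/sh
# Added example, not the project's preseed.tpl. Same shape as the 0.4 late_command:
# the install body runs in an inner `sh -c 'set -e; ...'` so any failing step
# aborts it, the outer shell captures the status, collects logs into a per-run
# directory no matter what, and returns the captured status so d-i still
# reports the failure instead of a silent half-install.
# Assumptions: LOGDIR stands in for the S8N_LOGS mount (/tmp/s8n-logs on a real
# install) and SRCLOGS for /var/log/installer; the real script also umounts
# LOGDIR after sync, and the body would be the in-target apt/config steps.

# run_late_command LOGDIR SRCLOGS BODY : prints the run directory, returns BODY's status
run_late_command() {
    logdir=$1; srclogs=$2; body=$3
    mkdir -p "$logdir"
    run=$(mktemp -d "$logdir/run-$(date +%Y%m%d-%H%M%S)-XXXXXX") || return 1

    # Inner set -e: the first failing step ends the body with its exit code.
    # `|| STATUS=$?` keeps the outer shell alive and records that code.
    STATUS=0
    sh -c "set -e; $body" >"$run/s8n-post-install.log" 2>&1 || STATUS=$?

    # From here on everything runs regardless of STATUS (the "trap" half).
    if [ -d "$srclogs" ]; then cp -r "$srclogs" "$run/installer"; fi
    { uname -a; date -u; } >"$run/build-info" 2>&1
    echo "$STATUS" >"$run/exit-status"
    sync
    echo "$run"
    return "$STATUS"
}

# Demo on a throwaway directory: step 2 fails, logs are still collected and
# the failure status survives to the caller.
demo=$(mktemp -d)
mkdir -p "$demo/installer"
echo 'constructed: main-menu: INFO: Menu item "finish-install" selected' >"$demo/installer/syslog"
status=0
run=$(run_late_command "$demo/logs" "$demo/installer" \
    'echo "step 1: copy postinstall payload"; echo "step 2: in-target apt-get (simulated failure)"; false; echo "step 3: never reached"') \
    || status=$?
echo "late_command exit status: $status (recorded: $(cat "$run/exit-status"))"
ls "$run"
rm -rf "$demo"
```

The point of `|| STATUS=$?` rather than a bare `set -e` in the outer shell is that the outer shell must survive the body's failure to do the copy, yet d-i must still see a non-zero exit; returning the captured value gives both.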

Fixed

  • (none new — 0.4 is purely additive)

Operator workflow change

After a failed install, instead of photographing the d-i screen:

  1. Pull the USB from the target machine
  2. Plug into the build host (onyx)
  3. Run sudo scripts/read-usb-logs.sh /dev/sdX (or just --copy to grab everything)

[0.3.0] — 2026-05-07

Added

  • install.sh companion script — apply same shared/post-install/ scripts to an existing Debian system (curl|bash compatible via Forgejo tarball API)
  • Per-build randomized credentials. User pw mkpasswd -m yescrypt 16-char random; LUKS install pw 24-char random. Written to <iso>.creds mode 0600.
  • LUKS rekey in late_command. New 32-char random pw added via cryptsetup luksAddKey, throwaway slot 0 killed before reboot. Final pw written to /target/root/luks-pw.txt mode 0600.
  • Tailscale --ts-auth-key build flag. Bakes one-time tskey into ISO; installed system auto-joins tailnet via systemd oneshot on first boot, then shreds the key file.
  • VM smoke-test harness at scripts/test-vm.sh. QEMU+OVMF, virtio disk + cdrom, 30 GiB qcow2, headless. Phase 1 unattended install + Phase 2 first-boot SSH check.
  • MBA 6,1 driver superset in laptop variant:
    • mbpfan (applesmc fan control), bluez blueman (BCM4360 BT)
    • tlp tlp-rdw powertop lm-sensors (battery / thermals)
    • firmware-sof-signed (Haswell HDA SOF fallback)
    • GRUB cmdline: acpi_backlight=vendor, snd_hda_intel.model=mba6
    • /etc/modprobe.d/hid_apple.conf with fnmode=2 iso_layout=0
    • /etc/modules-load.d/apple.conf for applesmc + coretemp
    • update-initramfs -u after modprobe.d edits
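The per-build credential scheme and the LUKS rekey listed above, as an added example that is not the project's build.sh or late_command. It assumes a throwaway work directory for the creds file, a LUKS_DEV variable naming the encrypted partition, and that the install passphrase sits in slot 0 as the changelog states; the cryptsetup steps need root and a real LUKS device, so they only run when LUKS_DEV is set, while the password generation and 0600 creds file run anywhere.

```shell
#!/bin/sh
# Added example, not the project's build.sh/late_command. Two halves of the
# credential scheme: per-build random passwords written once to a 0600 creds
# file, and the LUKS rekey that replaces the throwaway install passphrase before
# first boot. File names, LUKS_DEV and the slot-0 assumption are this example's
# own. The cryptsetup steps need root and a LUKS device (only run if LUKS_DEV set).

# gen_pw N : N random characters from /dev/urandom limited to [A-Za-z0-9]
# (62^16 ~ 95 bits, 62^24 ~ 143 bits, 62^32 ~ 190 bits of entropy)
gen_pw() { LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"; }

# write_creds FILE USER_PW LUKS_PW : plaintext secrets printed once, mode 0600
write_creds() {
    ( umask 077
      printf 'user_pw=%s\nluks_install_pw=%s\n' "$2" "$3" >"$1" )
}

# luks_rekey DEV OLD_PW_FILE NEW_PW_FILE : add NEW, prove it unlocks the volume,
# prove slot 0 really holds OLD, only then kill slot 0. Key files are written
# without a trailing newline because --key-file uses the bytes verbatim, while
# the boot prompt strips the newline the operator types.
luks_rekey() {
    dev=$1; old=$2; new=$3
    cryptsetup luksAddKey --key-file "$old" "$dev" "$new" || return 1
    # Never destroy the only known-good slot before the new one is proven; a
    # failed luksAddKey would otherwise leave the disk permanently locked.
    cryptsetup open --test-passphrase --key-file "$new" "$dev" || return 1
    cryptsetup open --test-passphrase --key-file "$old" --key-slot 0 "$dev" || return 1
    cryptsetup luksKillSlot --key-file "$new" "$dev" 0 || return 1
    cryptsetup luksDump "$dev"          # remaining keyslots, for the rekey log
}

work=$(mktemp -d)
user_pw=$(gen_pw 16); luks_install_pw=$(gen_pw 24); luks_final_pw=$(gen_pw 32)
write_creds "$work/build.creds" "$user_pw" "$luks_install_pw"
ls -l "$work/build.creds"
if command -v mkpasswd >/dev/null 2>&1; then
    # what gets baked into the preseed instead of the plain password
    echo "preseed hash: $(printf '%s' "$user_pw" | mkpasswd -m yescrypt -s)"
fi
( umask 077
  printf '%s' "$luks_install_pw" >"$work/luks-install.pw"
  printf '%s' "$luks_final_pw" >"$work/luks-final.pw" )
if [ -n "${LUKS_DEV:-}" ]; then
    luks_rekey "$LUKS_DEV" "$work/luks-install.pw" "$work/luks-final.pw"
else
    echo "LUKS_DEV not set: skipping rekey (needs root and a LUKS device)"
fi
rm -rf "$work"
```

Before killing a slot on a real system, check with `cryptsetup luksDump` which slot the install passphrase actually occupies; d-i normally creates slot 0 first, but the `--key-slot 0` test above is what turns that expectation into a verified fact.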

Changed

  • Base ISO: trixie 13.4 stable (was forky daily). Reason: Debian bug #1106117 — forky weekly netinsts ship with kernel/udeb skew producing "no kernel modules" install failures. trixie is a coherent snapshot; intel_iommu=off in grub overlay still solves MBA 6,1 SSD detection on stable kernel 6.12.
  • late_command rewritten to use in-target (with bind-mounted /proc /sys /dev) instead of nested chroot (which had no bind-mounts → apt failed). Wrapped in sh -c 'set -e ; ...' so partial failures abort install.
  • Postinstall payload moves to /cdrom/postinstall/ in the ISO; copied to installed system at /root/s8n-postinstall/ during late_command.
  • ESP image patching via mtools. Previous v0.2 wrote grub-overlay.cfg into iso9660 namespace at /EFI/debian/grub.cfg, which Apple firmware doesn't read. v0.3:
    1. xorriso -extract /boot/grub/efi.img to grab the embedded FAT image
    2. mcopy -i efi.img grub-overlay.cfg ::/efi/debian/grub.cfg to patch FAT
    3. xorriso -dev <iso> -boot_image any keep -map ... -commit to splice back
    4. Direct-dd patched efi.img into the ISO at the El Torito EFI image LBA because xorriso's -map only updates iso9660 namespace, not the ESP-partition data range that MBR partition #2 points to
  • post-install split: 40-mba61.sh → 40-broadcom-wl.sh (any laptop with broadcom-sta-dkms) + 50-mba61.sh (only Apple Toshiba [1179:010b])
  • install.sh idempotence: 00-base.sh skips ufw reset if already active; 10-dark.sh grep-guards /etc/environment append; sshd_config not modified on rerun if already includes our drop-in.
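Step 4 of the ESP patching above depends on knowing where the El Torito EFI image lives; this added example (not build.sh) walks the boot catalog to find that LBA and sector count, dd's a replacement image over exactly that range, and reads it back, which is also the build-time read-back check mentioned under known limits. It assumes od, dd and cmp on a little-endian host (od prints integers in host byte order), and constructs a tiny 30-sector stand-in ISO with a boot record, a catalog and a 2 KiB "EFI image" so it runs without a Debian ISO, xorriso or mtools.

```shell
#!/bin/sh
# Added example, not the project's build.sh. Walks the El Torito boot catalog to
# find the EFI (platform 0xEF) boot image's LBA and sector count, dd's a
# replacement over exactly that range and reads it back: xorriso -map only
# rewrites the iso9660 directory entry, not the raw sectors that MBR partition #2
# (the ESP) points at. The ISO is a constructed 30-sector stand-in, not a real
# Debian image; od's integer output is assumed little-endian (x86/arm64 hosts).

le32() { od -An -t u4 -j "$2" -N 4 "$1" | tr -d ' '; }   # le32 FILE OFFSET
le16() { od -An -t u2 -j "$2" -N 2 "$1" | tr -d ' '; }   # le16 FILE OFFSET
u8()   { od -An -t u1 -j "$2" -N 1 "$1" | tr -d ' '; }   # u8   FILE OFFSET

# find_efi_image ISO : prints "<LBA> <sector count in 512-byte units>"
find_efi_image() {
    iso=$1
    brvd=$((17 * 2048))      # Boot Record Volume Descriptor sits at sector 17
    [ "$(dd if="$iso" bs=1 skip=$((brvd + 1)) count=5 2>/dev/null)" = "CD001" ] || return 1
    catoff=$(( $(le32 "$iso" $((brvd + 71))) * 2048 ))   # bytes 71..74: catalog LBA
    [ "$(u8 "$iso" "$catoff")" = 1 ] || return 1          # validation entry header
    # 32-byte entries: 0 validation, 1 default BIOS entry, then section headers
    # (0x90 = more follow, 0x91 = last; platform ID in byte 1), each followed by
    # its entries (0x88 = bootable, sector count at 6..7, load RBA at 8..11).
    i=2
    while [ "$i" -lt 64 ]; do
        off=$((catoff + i * 32))
        hdr=$(u8 "$iso" "$off")
        if [ "$hdr" = 144 ] || [ "$hdr" = 145 ]; then
            if [ "$(u8 "$iso" $((off + 1)))" = 239 ]; then       # 0xEF = EFI
                ent=$((off + 32))
                [ "$(u8 "$iso" "$ent")" = 136 ] || return 1      # 0x88 bootable
                echo "$(le32 "$iso" $((ent + 8))) $(le16 "$iso" $((ent + 6)))"
                return 0
            fi
            if [ "$hdr" = 145 ]; then return 1; fi                # last header, no EFI
        fi
        i=$((i + 1))
    done
    return 1
}

# patch_efi_image ISO EFI_IMG : overwrite the catalog's EFI range in place,
# refuse an image that would overrun it, then verify by reading the range back.
patch_efi_image() {
    iso=$1; img=$2
    range=$(find_efi_image "$iso") || { echo "no EFI boot entry in $iso" >&2; return 1; }
    lba=${range% *}; sectors=${range#* }
    size=$(wc -c <"$img" | tr -d ' ')
    if [ "$size" -gt $((sectors * 512)) ]; then
        echo "$img ($size bytes) exceeds the catalog range ($((sectors * 512)) bytes)" >&2
        return 1
    fi
    dd if="$img" of="$iso" bs=2048 seek="$lba" conv=notrunc 2>/dev/null || return 1
    # read-back check (bs=1 is fine for this toy; use bs=2048 for a real efi.img)
    dd if="$iso" bs=1 skip=$((lba * 2048)) count="$size" 2>/dev/null | cmp -s - "$img"
}

# poke FILE OFFSET PRINTF_ESCAPES : write raw bytes at a byte offset (no truncation)
poke() { printf "$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null; }

# make_test_iso ISO : constructed image: BRVD at 17, catalog at 19, BIOS image at
# 20, EFI image (4 x 512-byte sectors) at 22. Everything else stays zero.
make_test_iso() {
    iso=$1
    dd if=/dev/zero of="$iso" bs=2048 count=30 2>/dev/null
    brvd=$((17 * 2048)); catoff=$((19 * 2048))
    poke "$iso" $((brvd + 1))   'CD001'
    poke "$iso" $((brvd + 6))   '\001'
    poke "$iso" $((brvd + 7))   'EL TORITO SPECIFICATION'
    poke "$iso" $((brvd + 71))  '\023'          # catalog LBA = 19
    poke "$iso" "$catoff"       '\001'          # validation entry, platform x86
    poke "$iso" $((catoff + 30)) '\125\252'     # 0x55 0xAA key bytes
    poke "$iso" $((catoff + 32)) '\210'         # default BIOS entry: bootable
    poke "$iso" $((catoff + 38)) '\004'         # 4 sectors
    poke "$iso" $((catoff + 40)) '\024'         # load RBA = 20
    poke "$iso" $((catoff + 64)) '\221\357\001' # final header, platform EFI, 1 entry
    poke "$iso" $((catoff + 96)) '\210'         # EFI entry: bootable
    poke "$iso" $((catoff + 102)) '\004'        # 4 sectors
    poke "$iso" $((catoff + 104)) '\026'        # load RBA = 22
}

work=$(mktemp -d)
make_test_iso "$work/test.iso"
printf 'constructed efi.img with patched /efi/debian/grub.cfg\n' >"$work/efi.img"
echo "EFI boot image (LBA, 512-byte sectors): $(find_efi_image "$work/test.iso")"
if patch_efi_image "$work/test.iso" "$work/efi.img"; then
    echo "ESP range patched and read back OK"
fi
rm -rf "$work"
```

On a real image the replacement is the same efi.img that was extracted and mcopy-patched, so it is exactly the original size; the size check guards against a rebuilt image that grew. The catalog's sector count is a 16-bit field (at most 32 MiB), so cross-check it against `xorriso -indev <iso> -report_el_torito plain` before trusting it for a large image.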

Fixed (CRITICAL bugs from v0.2 audit)

  • A2-1 build.sh:65 Bash pre-sets HOSTNAME, which shadowed the script's option variable — renamed to HOSTNAME_OPT, default-variant-host now applies correctly
  • A2-2 build.sh:71 empty SSH pubkey file → SSH lockout. Test with [ -s ] (non-empty) instead of [ -f ] (merely exists)
  • A2-3 build.sh:103 sha256 grep regex unanchored. Now ^${ISO_NAME}: OK$
  • A2-4 build.sh:148 chroot-empty branch removed (single in-target path)
  • A2-5 late_command bind-mounts via in-target (apt now works inside)
  • A2-6 flash.sh sed strip → lsblk -no PKNAME (handles nvme/mmcblk/RAID)

Fixed (HIGH security from v0.2 audit)

  • A1-3 late_command wrapped in sh -c 'set -e' — fail loud, no silent half-installs claiming success
  • A1-1 / A3-creds plaintext changeme removed; yescrypt hash via mkpasswd -m yescrypt baked, plain pw printed once to .creds file 0600
  • A1-2 LUKS pw auto-rotation in late_command; throwaway slot 0 killed before reboot

Fixed (MED from v0.2 audit)

  • flash.sh refuses /dev/mmcblk*, /dev/vd* in addition to nvme/sda
  • build.sh validates hostname format before render
  • build.sh drops unused 7z dep check; adds mtools + mkpasswd checks
  • Forgejo URL s8n-ru → s8n (user renamed 2026-05-07)

Known limits / deferred to v0.4+

  • VM smoke test currently can't proceed past GRUB on headless QEMU because d-i graphical-install requires VGA framebuffer; no console=ttyS0 redirection in our overlay. Either: add a "VM serial install" menuentry with console=ttyS0,115200n8, or run VM test with VNC display. Build-time content checks (xorriso -extract + mdir verify + direct-dd ESP read-back) are the current correctness gate.
  • SHA256SUMS not yet GPG-verified (Debian release key pin pending) — v0.4
  • Forgejo SSH key fingerprint not pinned — v0.4
  • install.sh GRUB persist still uses substring match (not word-boundary) — v0.4
  • Server hardening superset (auditd rules, apparmor enforce, faillock, login.defs YESCRYPT, journald persistent+seal, KSPP cmdline, etc.) — v0.5
  • Reproducible builds (SOURCE_DATE_EPOCH, --modification-date) + Forgejo CI — v1.0

[0.2.0] — 2026-05-07

Added

  • Smoke-tested 3 variants build clean
  • install.sh companion script
  • Wider firmware coverage in shared pkgsel/include
  • post-install split 40-mba61 → 40-broadcom-wl + 50-mba61

Fixed

  • xorriso extract chmod u+w
  • ESP grub.cfg uses overlay direct (not extracted)
  • LUKS partition path NVMe vs SATA (no more /dev/sdap3 from appending the NVMe-style p3 suffix to a SATA disk name)
  • MBR PT preservation via cp + xorriso -dev (was zeroed by -indev/-outdev)

[0.1.0] — 2026-05-07

Added

  • Initial scaffold: build.sh, flash.sh, 3 variants (laptop/server/vanilla)
  • shared/preseed.tpl, grub-overlay.cfg.tpl, post-install/, packages/
  • APM strip step for single-icon Apple boot
  • Forgejo private repo at git.s8n.ru/s8n/debian-s8ns-prefs-iso