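# User tweakable parameters.
# GOLIVE - CACHE is only needed for the desktop during testing.
#CACHE="sda23"
DISK="sdb2"
MIRROR="http://deb.devuan.org/"
NS="8.8.8.8"
#PASS="password"
TYPE="server"
TZ="Europe/Amsterdam"
USER="onefang"
WORK="/media/devuan_install"

# Install packages inside the chroot, filtering out the worst of the excess output.
# Globals:   WORK (read)
# Arguments: package names, handed to apt-get one word each.
# Returns:   the status of the final grep, not of apt-get (no pipefail is set here),
#            so a failed install is only visible in the output.
aptInstall ()
{
    chroot "${WORK}" apt-get --yes install "$@" \
        | grep -v -e "^Selecting previously unselected package " -e "^Preparing to unpack " -e "^ create mode " -e "^ rename "
}

# Setup the disk.
# mkfs below destroys whatever is on /dev/${DISK}, so refuse anything that is not a block device.
if [ ! -b "/dev/${DISK}" ]
then
    echo "/dev/${DISK} is not a block device, aborting." >&2
    exit 1
fi
# Best effort, this just complains if the partition is not mounted.
umount "/dev/${DISK}"
mkdir -p "${WORK}"
# NOTE(review): this .deb is taken from the current directory and nothing here checks its origin or integrity - confirm before running.
dpkg -i debootstrap_1.0.89-devuan2.1_all.deb
mkfs.ext4 -j -O extent -L "" "/dev/${DISK}" || exit 1
sync
# Stop if the mount fails, otherwise everything below gets written into the host's own file system under ${WORK}.
mount "/dev/${DISK}" "${WORK}" || exit 1
mkdir -p "${WORK}/var/cache/apt/archives"
#mount /dev/${CACHE} ${WORK}/var/cache/apt
mount --bind /var/cache/apt/archives "${WORK}/var/cache/apt/archives"

# Various env variable tweaks.
export DEBIAN_FRONTEND=readline
export TERM=xterm-color
export LANG=C.UTF-8
# Prevent some leakage.
export LD_LIBRARY_PATH=""
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin"
export PKG_CONFIG_PATH=""
export PYTHONINCLUDE=""
export PYTHONPATH=""
export XDG_DATA_DIRS=""

# Start installing it.
debootstrap --arch amd64 --variant=minbase --include=makedev,apt-utils,git,etckeeper,rsyslog,swapspace,debconf-utils ascii "${WORK}" "${MIRROR}/merged"

# Setup the chroot.
mount -o bind /sys "${WORK}/sys"
# The heredoc delimiter is unquoted, so ${DISK} is expanded by this shell before the text reaches the chroot's bash.
# NOTE(review): the device numbers 259 5 are hard coded - confirm they match /dev/${DISK} on the machine this runs on.
chroot "${WORK}" /bin/bash <<- zzzEOFzzz
mount -t proc proc /proc
mount -t devpts devpts /dev/pts
cd /dev
echo "Filling /dev"
MAKEDEV generic
mknod /dev/${DISK} b 259 5
cd /
etckeeper post-install | grep -v -e "^ create mode " -e "^ rename "
zzzEOFzzz
# Turn off the daily etckeeper commits, and make it stop and complain when there are changes to be committed.
sed -i -e 's/#AVOID_DAILY_AUTOCOMMITS=1/AVOID_DAILY_AUTOCOMMITS=1/' -e 's/#AVOID_COMMIT_BEFORE_INSTALL=1/AVOID_COMMIT_BEFORE_INSTALL=1/' "${WORK}/etc/etckeeper/etckeeper.conf"

# Configure apt.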
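# Write the target's apt sources. ${MIRROR} is expanded by this shell as the file is written.
# NOTE(review): MIRROR is plain http, so package integrity rests entirely on apt's archive signature checks.
cat > "${WORK}/etc/apt/sources.list" <<- zzzEOFzzz
deb ${MIRROR}/merged ascii main contrib non-free
deb ${MIRROR}/merged ascii-security main contrib non-free
deb ${MIRROR}/merged ascii-updates main contrib non-free
deb ${MIRROR}/devuan ascii-proposed main contrib non-free
deb ${MIRROR}/merged ascii-backports main contrib non-free
zzzEOFzzz
# Keep things minimal.
cat > "${WORK}/etc/apt/apt.conf.d/01lean" <<- zzzEOFzzz
APT::Install-Recommends "0";
APT::AutoRemove::RecommendsImportant "false";
zzzEOFzzz
cat > "${WORK}/etc/apt/apt.conf.d/99synaptic" <<- zzzEOFzzz
APT::Install-Recommends "false";
zzzEOFzzz
# Not sure, but may need different "profiles" in this file.
cat > "${WORK}/etc/apt/listchanges.conf" <<- zzzEOFzzz
[apt]
frontend=pager
pager=mcview
email_address=root
confirm=true
save_seen=/var/lib/apt/listchanges.db
which=both
headers=1
zzzEOFzzz

#cp /etc/fstab ${WORK}/etc/fstab
cat > "${WORK}/etc/fstab" <<- zzzEOFzzz
proc /proc proc nodev,noexec,nosuid 0 0
/dev/${DISK} / ext4 errors=remount-ro 0 1
zzzEOFzzz
cat > "${WORK}/etc/adjtime" <<- zzzEOFzzz
0.0 0 0.0
0
UTC
zzzEOFzzz
cat > "${WORK}/etc/timezone" <<- zzzEOFzzz
${TZ}
zzzEOFzzz
# -f so a missing localtime is not reported as an error before the link is made.
rm -f "${WORK}/etc/localtime"
ln -s "/usr/share/zoneinfo/${TZ}" "${WORK}/etc/localtime"

# Provide pre canned answers, so this script can run with minimal user interaction.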
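# Use something like this to find what to set here - debconf-get-selections | grep locales
# ${DISK} is expanded by this shell; the rest is fed to debconf as is.
chroot "${WORK}" debconf-set-selections <<- zzzEOFzzz
console-setup console-setup/codeset47 select # Latin1 and Latin5 - western Europe and Turkic languages
locales locales/locales_to_be_generated multiselect All locales
locales locales/default_environment_locale select en_AU.UTF-8
keyboard-configuration keyboard-configuration/layout select English (US)
grub-pc grub-pc/install_devices multiselect /dev/${DISK}
courier-base courier-base/webadmin-configmode boolean true
phpmyadmin phpmyadmin/reconfigure-webserver multiselect apache2
wireshark-common wireshark-common/install-setuid boolean false
zzzEOFzzz

# Create user, and set passwords.
cp -r fileSystem/etc/skel/.[^.]* "${WORK}/etc/skel"
#chroot ${WORK} useradd -m -U ${USER} -G sudo -s /bin/bash
cp -r fileSystem/etc/skel/.[^.]* "${WORK}/root"
# NOTE(review): the disabled block below would take the password from PASS in this file,
# and set root's password to "toor" followed by the same value, so knowing one gives the other.
# If it is ever enabled, keep PASS out of the script and give root an unrelated password.
#if [ -z "${PASS}" ]
#then
#    echo "User ${USER} - "
#    chroot ${WORK} passwd ${USER}
#    echo "User root - "
#    chroot ${WORK} passwd
#else
#    chroot ${WORK} passwd ${USER} <<- zzzEOFzzz
#    ${PASS}
#    ${PASS}
#zzzEOFzzz
#    chroot ${WORK} passwd <<- zzzEOFzzz
#    toor${PASS}
#    toor${PASS}
#zzzEOFzzz
#fi

# Update the debootstrap installed stuff.
chroot "${WORK}" /bin/bash <<- zzzEOFzzz
etckeeper commit "Initial 'manual' configurations." | grep -v -e "^ create mode " -e "^ rename "
apt-get update
apt-get --yes dist-upgrade | grep -v -e "^Selecting previously unselected package " -e "^Preparing to unpack " -e "^ create mode " -e "^ rename "
zzzEOFzzz

# Install kernel and friends.
#chroot ${WORK} etckeeper commit "Tweak grub config." | grep -v -e "^ create mode " -e "^ rename "
# dpkg --print-architecture runs on the host, not in the chroot.
aptInstall "linux-image-$(dpkg --print-architecture)" "linux-headers-$(dpkg --print-architecture)" os-prober eudev bash-completion psmisc irqbalance grub2 \
    firmware-linux firmware-misc-nonfree amd64-microcode intel-microcode

# Install base stuff that everyone needs.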
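aptInstall console-setup locales
cat > "${WORK}/etc/default/console-setup" <<- zzzEOFzzz
# CONFIGURATION FILE FOR SETUPCON
# Consult the console-setup(5) manual page.
ACTIVE_CONSOLES="/dev/tty[2-6]"
CHARMAP="UTF-8"
CODESET="Lat15"
FONTFACE="Terminus"
FONTSIZE="6x12"
VIDEOMODE=
zzzEOFzzz
cat > "${WORK}/etc/default/keyboard" <<- zzzEOFzzz
# KEYBOARD CONFIGURATION FILE
# Consult the keyboard(5) manual page.
XKBMODEL="pc105"
XKBLAYOUT="us"
XKBVARIANT=""
XKBOPTIONS=""
BACKSPACE="guess"
zzzEOFzzz
cat > "${WORK}/etc/default/locale" <<- zzzEOFzzz
LANG=en_AU.UTF-8
zzzEOFzzz
chroot "${WORK}" etckeeper commit "Tweak console and keyboard configs." | grep -v -e "^ create mode " -e "^ rename "

aptInstall busybox netbase net-tools iproute2 ifupdown isc-dhcp-client inetutils-ping ntp shorewall shorewall6 dnsutils lynx wget curl \
    make dns-root-data resolvconf kmod openssh-server openssh-client traceroute keychain courier-mta cron maildrop
# Prevent root from sshing in, and other sshd tweaks.
# PasswordAuthentication is not touched here, so it stays at whatever the package ships.
sed -i -e 's/#PermitRootLogin prohibit-password/PermitRootLogin no/' -e 's/#Port 22/Port 501/' \
    -e 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' -e 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/' "${WORK}/etc/ssh/sshd_config"
# The sed only rewrites the stock commented out defaults, and silently changes nothing if the
# packaged sshd_config words them differently, so check that each setting really landed.
for SSHD_WANT in "PermitRootLogin no" "Port 501" "PubkeyAuthentication yes" "PermitEmptyPasswords no"
do
    grep -q -x -F -- "${SSHD_WANT}" "${WORK}/etc/ssh/sshd_config" \
        || echo "WARNING: '${SSHD_WANT}' is not set in ${WORK}/etc/ssh/sshd_config" >&2
done
unset SSHD_WANT
chroot "${WORK}" etckeeper commit "Don't let root login to ssh, and other sshd tweaks." | grep -v -e "^ create mode " -e "^ rename "

# The target gets the host's own network identity and settings.
mkdir -p "${WORK}/etc/network/interfaces.d"
cp /etc/network/interfaces "${WORK}/etc/network/interfaces"
cp /etc/network/interfaces.d/* "${WORK}/etc/network/interfaces.d"
#cat > ${WORK}/etc/network/interfaces <<- zzzEOFzzz
#    auto lo
#    iface lo inet loopback
#    allow-hotplug eth0
#    auto eth0
#    iface eth0 inet dhcp
#    allow-hotplug eth1
#    auto eth1
#    iface eth1 inet dhcp
#    allow-hotplug eth2
#    auto eth2
#    iface eth2 inet dhcp
#zzzEOFzzz
cp /etc/hosts "${WORK}/etc/hosts"
cp /etc/hostname "${WORK}/etc/hostname"
#cat > ${WORK}/etc/hosts <<- zzzEOFzzz
#    127.0.0.1 localhost
#    127.0.1.1 ${HOST}
#    # The following lines are desirable for IPv6 capable hosts.
#    ::1 localhost ip6-localhost ip6-loopback ${HOST}
#    fe00::0 ip6-localnet
#    ff00::0 ip6-mcastprefix
#    ff02::1 ip6-allnodes
#    ff02::2 ip6-allrouters
#    ff02::3 ip6-allhosts
#zzzEOFzzz
# resolvconf changes this, desktop uses dnsmasq, server uses Google DNS, and we override it ourselves later anyway.
#cat > ${WORK}/etc/resolv.conf <<- zzzEOFzzz
#    nameserver ${NS}
#zzzEOFzzz
chroot "${WORK}" etckeeper commit "Tweak network configs." | grep -v -e "^ create mode " -e "^ rename "

# Install networking (and btrfs) stuff needed only by desktop.
# Currently the server uses Google DNS directly, not dnsmasq.
# Plain = instead of ==, so the test also works under a POSIX [.
if [ "${TYPE}" = "desktop" ]
then
    if [ -f /etc/dnsmasq.conf ]; then aptInstall dnsmasq; fi
    aptInstall ppp ndisc6 radvd mailfilter fetchmail btrfs-progs # wide-dhcpv6-client
    cp -r /etc/dnsmasq.d "${WORK}/etc"
    cp /etc/dnsmasq.conf "${WORK}/etc"
    # NOTE(review): /etc/ppp normally holds the dial up credentials (pap-secrets, chap-secrets);
    # the commit below puts whatever is copied into the target's etckeeper history - confirm that is wanted.
    cp -r /etc/ppp "${WORK}/etc"
    chroot "${WORK}" etckeeper commit "Tweak desktop network configs." | grep -v -e "^ create mode " -e "^ rename "
fi

# Install other stuff that every one needs.
aptInstall pciutils less man-db manpages mc sudo tmux arj bzip2 p7zip-full unace unar unrar-free sysv-rc-conf multitail logrotate logwatch \
    smartmontools rkhunter nmap unhide lm-sensors tofrodos mlocate imagemagick molly-guard file expect debootstrap pinfo parted \
    powermgmt-base checksecurity cruft-ng lsb-release wbritish monit gnupg2 gnupg-agent ssh-askpass whois fail2ban whiptail haveged hddtemp # logcheck tripwire | integrit | aide | samhain | fcheck debsecan ?

# Install server stuff.
# Don't do drupal7, coz that's a few versions behind, so still have to deal with it manually.
# Plus, I'll want to upgrade to drupal8 sooner or later.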
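aptInstall certbot courier-imap rsync mariadb-server mariadb-client apache2 polipo prosody-modules vsftpd openvpn easy-rsa bitlbee \
    php7.0 php-pear php7.0-mysql php7.0-gd php7.0-mbstring php7.0-curl php7.0-bz2 libgd-tools php-apcu php-apcu-bc
# Account with no login shell and no home, for openvpn, plus a group of the same name as its primary group.
chroot "${WORK}" adduser --system --shell /usr/sbin/nologin --no-create-home ovpn
chroot "${WORK}" groupadd ovpn
chroot "${WORK}" usermod -g ovpn ovpn
#aptInstall phpmyadmin
#cp -r /etc/bitlbee ${WORK}/etc
#cp -r /var/lib/bitlbee ${WORK}/var/lib
#chroot ${WORK} etckeeper commit "Tweak server configs." | grep -v -e "^ create mode " -e "^ rename "

# Install developer stuff.
aptInstall luajit luarocks uuid-runtime g++ check bison flex colorgcc colormake ccache distcc gdb pkg-config re2c lemon valgrind m4 patch \
    cmake meson build-essential groff git-extras git-doc
aptInstall mono-complete mono-mcs nunit autoconf autogen automake autopoint gettext libtool doxygen nasm gpsim gputils picprog

# Plain = instead of ==, so the test also works under a POSIX [.
if [ "${TYPE}" = "desktop" ]
then
    # The signal repo below is https, and apt-transport-https is otherwise only installed near the end of this script.
    # Install it before the first apt-get update that sees that source, for apt versions without built in https.
    aptInstall apt-transport-https

    # Add repos for the desktop.
    # NOTE(review): the deb-multimedia and opensuse sources are plain http, apt's signature check is the only protection.
    cat > "${WORK}/etc/apt/sources.list.d/deb-multimedia.list" <<- zzzEOFzzz
deb http://mirror.internode.on.net/pub/deb-multimedia/ stretch main non-free
deb http://mirror.internode.on.net/pub/deb-multimedia/ stretch-backports main
zzzEOFzzz
    cat > "${WORK}/etc/apt/sources.list.d/google-chrome.list" <<- zzzEOFzzz
deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main
zzzEOFzzz
    cat > "${WORK}/etc/apt/sources.list.d/palemoon.list" <<- zzzEOFzzz
deb http://download.opensuse.org/repositories/home:/stevenpusser/Debian_9.0/ /
zzzEOFzzz
    cat > "${WORK}/etc/apt/sources.list.d/signal.list" <<- zzzEOFzzz
deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main
zzzEOFzzz
    # NOTE(review): the keyring .deb is fetched over plain http and installed as root with no integrity check,
    # yet it decides which keys apt trusts. Fetch it over a verified channel, or compare it with a known checksum first.
    # NOTE(review): apt-key add puts each key into apt's global trusted set, so every one of these third party keys
    # is accepted for packages from any configured repo, not just its own.
    chroot "${WORK}" /bin/bash <<- zzzEOFzzz
wget http://www.deb-multimedia.org/pool/main/d/deb-multimedia-keyring/deb-multimedia-keyring_2016.8.1_all.deb -O deb-multimedia-keyring.deb
dpkg -i deb-multimedia-keyring.deb
wget -nv -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add -
wget -nv -O - https://download.opensuse.org/repositories/home:stevenpusser/Debian_9.0/Release.key | apt-key add -
wget -nv -O - https://updates.signal.org/desktop/apt/keys.asc | apt-key add -
rm deb-multimedia-keyring.deb
etckeeper commit "Adding external repos." | grep -v -e "^ create mode " -e "^ rename "
apt-get update
apt-get --yes dist-upgrade | grep -v -e "^Selecting previously unselected package " -e "^Preparing to unpack " -e "^ create mode " -e "^ rename "
zzzEOFzzz

    # Install basic X stuff.
    aptInstall xinit x11-xserver-utils xserver-xorg libgl1-nvidia-glx nvidia-driver fonts-liberation xfonts-100dpi xfonts-75dpi xfonts-base xfonts-scalable xscreensaver
    # Note - the wacom driver should be installed below, rather than above, otherwise I think that's what's stopping all input.
    aptInstall lxdm lxde lxlauncher lxtask lxlock openbox obconf gtk2-engines-xfce menu xdg-utils menu-xdg desktop-base desktop-file-utils \
        termit synaptic qgit git-cola suckless-tools stterm surf surf2 awesome awesome-extra lxqt qt4-qtconfig xserver-xorg-input-wacom
    # Have LXDM show the keyboard selector, not show the list of users, and not show that huge Login: image.
    # The last expression uses a backslash as the s delimiter, since the paths contain slashes.
    # NOTE(review): POSIX does not allow backslash as that delimiter - confirm the sed in use accepts it.
    sed -i -e 's/keyboard=0/keyboard=1/' -e 's/disable=0/disable=1/' \
        -e 's\bg=/usr/share/images/desktop-base/login-background.svg\bg=/usr/share/images/desktop-base/your-way_darkpurpy-wide-large.svg\' "${WORK}/etc/lxdm/lxdm.conf"
    cp -r fileSystem/usr/share/lxdm/themes/Industrial/login.png "${WORK}/usr/share/lxdm/themes/Industrial"
    chroot "${WORK}" etckeeper commit "Adjust lxdm config." | grep -v -e "^ create mode " -e "^ rename "

    # Install other desktop stuff.
    # NOTE - this drags in whiptail, or would if we didn't install it ourselves above.
    aptInstall gparted qasmixer pulseaudio pavucontrol paman paprefs pavumeter gnome-colors geeqie smplayer smplayer-themes hexchat hexchat-plugins hexchat-otr hexchat-lua \
        geany geany-plugin-addons geany-plugin-lua geany-plugin-markdown geany-plugin-scope geany-plugin-spellcheck
    aptInstall claws-mail claws-mail-plugins claws-mail-extra-plugins claws-mail-themes claws-mail-tools clawsker keepassx keepass2 qalculate-gtk conky-all
    aptInstall gimp gimp-cbmplugs gimp-data-extras gimp-dds gimp-gap gimp-gluas gimp-gmic gimp-help-common gimp-help-en gimp-lensfun gimp-plugin-registry gimp-texturize gimp-ufraw \
        create-resources blender meld graphicsmagick makehuman dia dia-shapes inkscape muse musescore firefox-esr chromium dillo netsurf links2 ddd wireshark etherape spacenavd \
        dasher cheese libreoffice linphone tortoisehg evince galternatives
    # Package name fixed from libvirt-deamon-system; one unknown name makes apt-get refuse the whole list.
    aptInstall libvirt0 libvirt-daemon-system virt-manager virt-viewer virtinst qemu-utils qemu-kvm qemu-system-arm qemu-system-x86 qemu-system-misc qemu-efi fslint
    # These all get updated from deb-multimedia, so don't install them before that's enabled.
    aptInstall gstreamer1.0-plugins-good gstreamer1.0-plugins-bad gstreamer1.0-plugins-ugly vlc ffmpeg cinelerra
    aptInstall google-chrome-stable palemoon signal-desktop
fi

# monitoring shit docs
# awstats collectd collectd-utils libmariadbclient18 libatasmart4
# icinga icinga-doc fping nagios-images monitoring-plugins libjson-perl libdata-validate-domain-perl libdata-validate-ip-perl libmonitoring-plugin-perl
# Some hacking of the external plugins is needed. mailq, rbl.
# Manually install CGraphz, coz it's not in the repo.

# Make apt nicer.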
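aptInstall apt-listbugs apt-listchanges apt-transport-https apt-show-versions apt-file apt-forktracer
chroot "${WORK}" apt-file update

# Overlay the local fileSystem tree onto the target. The glob is left unquoted on purpose.
cp -r fileSystem/* "${WORK}"
#cp -r /etc/rsyslog.d ${WORK}/etc
#cp -r /etc/sysctl.d ${WORK}/etc
#cp /etc/sysctl.conf ${WORK}/etc
#chroot ${WORK} chown -R ${USER}:${USER} /home/${USER}
#cp /usr/share/sounds/* ${WORK}/usr/share/sounds
#chroot ${WORK} etckeeper commit "Tweak the rest of the configs and file system." | grep -v -e "^ create mode " -e "^ rename "

#chroot ${WORK} sensors-detect
#chroot ${WORK} etckeeper commit "Detected sensors" | grep -v -e "^ create mode " -e "^ rename "

# Clean up.
# Turn the listed services off, same names and order as before, just as a loop.
# \$svc is escaped so it is expanded by the bash inside the chroot, not by this shell.
# NOTE(review): fail2ban and monit are in this list but ssh is not, so after this step
# sshd is left enabled without fail2ban - turn fail2ban back on once it is configured.
chroot "${WORK}" /bin/bash <<- zzzEOFzzz
for svc in apache2 avahi-daemon bitlbee courier courier-authdaemon courier-imap courier-imap-ssl courier-msa courier-mta courier-mta-ssl courierfilter distcc fail2ban fetchmail monit mysql openvpn polipo prosody radvd rsync spamassassin vsftpd
do
sysv-rc-conf "\$svc" off
done
etckeeper commit "Turn off services." | grep -v -e "^ create mode " -e "^ rename "
zzzEOFzzz
chroot "${WORK}" apt-get --yes autoremove
chroot "${WORK}" etckeeper commit "Cleaning out autoremoves." | grep -v -e "^ create mode " -e "^ rename "

# Undo the mounts made for the chroot. ${WORK} itself is left mounted.
umount "${WORK}/dev/pts"
umount "${WORK}/proc"
umount "${WORK}/sys"
umount "${WORK}/var/cache/apt/archives"

#update-grub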