hardware-setup/post-debootstrap-installer.sh

#!/bin/bash -e
export DEBIAN_FRONTEND=noninteractive


# config files
cp -a /hardware-setup/config/* /

# update apt because sources.list.d is also in config/*
apt-get update
apt-get -y dist-upgrade


# locales

echo 'console-setup console-setup/charmap47 select UTF-8' | debconf-set-selections
echo 'keyboard-configuration keyboard-configuration/variant select English (US)' | debconf-set-selections
echo 'keyboard-configuration kekeyboard-configuration keyboard-configuration/layout select English (US)' | debconf-set-selections
echo 'locales locales/default_environment_locale select en_US.UTF-8' | debconf-set-selections
echo 'locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8' | debconf-set-selections

apt-get -y install locales


### boot

apt-get -y install mdadm cryptsetup systemd systemd-sysv firmware-linux
systemctl enable fstrim.timer

# --force-confold because we already provide /etc/dropbear/initramfs/dropbear.conf
apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install dropbear-initramfs

# generate minimal mdadm.conf
mdadm --examine --scan | perl -pe 's/.*\/dev\/md\/?([0-9]+) .*UUID\=(.+?) .*/ARRAY \/dev\/md$1 UUID=$2/' > /etc/mdadm/mdadm.conf

# concat user keys for cryptsetup unlocking at boot
cat /hardware-setup/authorized_keys/* > /etc/dropbear/initramfs/authorized_keys

# install grub
if [ -d /sys/firmware/efi ]; then
    apt-get -y install grub-efi-amd64
    grub-install
else
    apt-get -y install grub-pc

    root_disk="/dev/$(lsblk -no pkname $(cryptsetup status root-unlocked | grep device | perl -pe 's#.*device.* (.*)#$1#') | sort | head -n1)"
    grub-install "$root_disk"
fi

# edit uuids in fstab
root_uuid=$(blkid --output value "$(cryptsetup status root-unlocked | grep device | perl -pe 's#.*device.* (.*)#$1#')" | head -n1)
boot_uuid=$(blkid --output value "/hardware-setup/hardware/${1}/boot" | head -n1)
esp_uuid=$(blkid --output value "/hardware-setup/hardware/${1}/esp" | head -n1)
disk1_uuid=$(blkid --output value "/dev/nvme1n1p1" | head -n1)
disk2_uuid=$(blkid --output value "/dev/nvme2n1p1" | head -n1)
sed -i "s/%root_uuid%/${root_uuid}/" /etc/crypttab
sed -i "s/%boot_uuid%/${boot_uuid}/" /etc/fstab
sed -i "s/%esp_uuid%/${esp_uuid}/" /etc/fstab
sed -i "s/%disk1_uuid%/${disk1_uuid}/" /etc/fstab
sed -i "s/%disk2_uuid%/${disk2_uuid}/" /etc/fstab

# install longhorn dependencies
apt-get -y install open-iscsi nfs-common
systemctl disable rpcbind.service # rpcbind is not used with NFS v4

# after cryptsetup, mdadm, ... because of update-initramfs
apt-get -y install linux-image-amd64
update-grub



### networking

apt-get -y install iproute2

# generate configs for systemd-networkd.service
# this is template specific
"/hardware-setup/hardware/${1}/network.sh"
systemctl enable systemd-networkd.service


### ntp

# automatically disables systemd-timesyncd.service
apt-get -y install chrony


### users

apt-get -y install sudo

for key in /hardware-setup/authorized_keys/*; do
    user=$(basename "$key")
    
    adduser --gecos '' --disabled-password "$user"
    
    mkdir -p /home/"$user"/.ssh
    cp "$key" /home/"$user"/.ssh/authorized_keys
    chown "$user": /home/"$user"/.ssh/authorized_keys
    
    adduser "$user" sudo
done


### administration tools

apt-get -y install \
    man-db \
    byobu \
    vim \
    bash-completion \
    htop \
    rsync \
    curl \
    iputils-ping \
    dnsutils \
    traceroute \
    tcpdump \
    openssh-server


### clean up some things
apt-get -y purge exim4-base
apt-get -y --purge autoremove


### dns

apt-get -y install unbound

# add fqdn to hosts file to mitigate nameserver failure
sed -i "s/%fqdn%/$(hostname)/g" /etc/hosts

# as last step set dns to local,
# as unbound isn't running in the live/rescue system chroot,
# which is where this script usually runs
echo 'nameserver 127.0.0.1' > /etc/resolv.conf