From 2d29791794dd4689ba3c4c850f153e97f54e9cfd Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Sat, 16 May 2026 16:42:15 -0400
Subject: [PATCH] Harden scripts and bump debian-13 ISO to 13.4
---
 debian-13/scripts/clean.sh | 16 +++++--------
 debian-13/scripts/networkd.sh | 31 ++++++++++++++++---------
 debian-13/scripts/package.sh | 34 ++++++++++++++-------------
 debian-13/scripts/upgrade.sh | 6 +++--
 debian-13/scripts/vagrant.sh | 37 +++++++++++++++++++-----------
 debian-13/x86_64-qemu-base.pkr.hcl | 4 ++--
 6 files changed, 74 insertions(+), 54 deletions(-)
 mode change 100644 => 100755 debian-13/scripts/clean.sh
 mode change 100644 => 100755 debian-13/scripts/networkd.sh
 mode change 100644 => 100755 debian-13/scripts/upgrade.sh
 mode change 100644 => 100755 debian-13/scripts/vagrant.sh
diff --git a/debian-13/scripts/clean.sh b/debian-13/scripts/clean.sh
old mode 100644
new mode 100755
index 25af9ec..347d91e
--- a/debian-13/scripts/clean.sh
+++ b/debian-13/scripts/clean.sh
@@ -1,16 +1,12 @@
 #!/usr/bin/env bash
-set -eux
+set -x
 
-export DEBIAN_FRONTEND=noninteractive
-apt-get clean -y
-apt-get autoclean -y
-rm -f /var/lib/dhcpcd/*
+apt-get clean || exit 1
 rm -rf /var/cache/apt/archives/*
 rm -rf /var/lib/apt/lists/*
 rm -rf /var/tmp/* /var/tmp/.[!.]*
+[[ -f /var/log/wtmp ]] && truncate -s 0 /var/log/wtmp
 
-truncate -s 0 /var/log/wtmp
-
-dd if=/dev/zero of=/EMPTY bs=1M || true
-sync
-rm -rf /EMPTY
+dd if=/dev/zero of=/EMPTY bs=1M
+sync || exit 1
+rm -f /EMPTY || exit 1
diff --git a/debian-13/scripts/networkd.sh b/debian-13/scripts/networkd.sh
old mode 100644
new mode 100755
index dffe608..2a6e850
--- a/debian-13/scripts/networkd.sh
+++ b/debian-13/scripts/networkd.sh
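Review bot: `dd if=/dev/zero of=/EMPTY bs=1M` now carries neither the old `|| true` nor a comment, so a reader checking this file against the `|| exit 1` pattern on the neighbouring lines cannot tell that a non-zero exit here is expected once the filesystem is full; add `# dd is expected to fail with ENOSPC once the disk is full; that is the point, so no exit check` above it. The three `rm -rf` lines are the only other commands left unchecked, and `|| exit 1` on them would keep the file consistent with the `sync` and `rm -f` lines below. For a box that is redistributed, this cleanup also leaves `/etc/machine-id` and the sshd host keys in place unless another provisioner not visible in this patch regenerates them; if none does, resetting them here avoids every VM built from the box sharing the same identity and host keys.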
@@ -1,8 +1,19 @@
 #!/usr/bin/env bash
-set -eux
+set -x
 
-install -d -m 755 -o root -g root /etc/systemd/network
-cat > /etc/systemd/network/lan0.network << 'EOF'
+err() {
+ printf "[ERROR]: %s\n" "$1" >&2
+ exit 1
+}
+
+export DEBIAN_FRONTEND=noninteractive
+apt-get update || err "failed to update APT cache"
+apt-get install -y systemd-resolved || err "failed to install systemd-resolved"
+
+install -d -m 755 -o root -g root /etc/systemd/network ||
+ err "failed to create /etc/systemd/network"
+
+cat >/etc/systemd/network/lan0.network <<'EOF' || err "failed to write lan0"
 [Match]
 Name=e*
 Type=ether
@@ -11,12 +22,10 @@ Type=ether
 DHCP=ipv4
 EOF
 
-chown root:root /etc/systemd/network/lan0.network
-chmod 644 /etc/systemd/network/lan0.network
+chown root:root /etc/systemd/network/lan0.network || err "failed to chown"
+chmod 644 /etc/systemd/network/lan0.network || err "failed to chmod 644"
 
-mv /etc/network/interfaces /etc/network/interfaces.save
-mv /etc/network/interfaces.d /etc/network/interfaces.d.save
-systemctl enable systemd-networkd
-systemctl disable networking
-
-echo "nameserver 192.168.121.1" >/etc/resolv.conf
+systemctl enable systemd-networkd || err "failed to enable networkd"
+systemctl enable systemd-resolved || err "failed to enable resolved"
+systemctl disable networking || err "failed to disable networking service"
+apt-get purge -y ifupdown || err "failed to purge ifupdown"
diff --git a/debian-13/scripts/package.sh b/debian-13/scripts/package.sh
index 8d5475d..47b9809 100755
--- a/debian-13/scripts/package.sh
+++ b/debian-13/scripts/package.sh
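Review bot: `systemctl enable systemd-resolved || err "failed to enable resolved"` in the second hunk relies on resolved taking over `/etc/resolv.conf` now that the old static `nameserver 192.168.121.1` line is gone, but nothing verifies that after the install, so a box that boots with no working DNS would still pass this script; a check such as `[[ -L /etc/resolv.conf ]] || err "resolv.conf is not managed by systemd-resolved"` after the enable line would catch it (confirm the symlink layout on the 13.4 image). The intent of the file — swap ifupdown for networkd plus resolved, DNS now coming from DHCP — is no longer obvious once `apt-get purge -y ifupdown` also drops the `.save` backups the old script kept, so a header comment under the shebang, e.g. `# Replace ifupdown with systemd-networkd + systemd-resolved; DNS is supplied by DHCP via resolved`, would help. The `err()` helper is defined verbatim here, in package.sh and in vagrant.sh; if Packer uploads these scripts individually that duplication is unavoidable, otherwise a shared snippet would be cleaner.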
@@ -1,34 +1,36 @@
 #!/usr/bin/env bash
-set -xu
+set -x
+
+err() {
+ printf "[ERROR]: %s\n" "$1" >&2
+ exit 1
+}
 
 IMG_DIR="./builds/qemu/debian-13-64-vagrant"
-if [ ! -f "$IMG_DIR/debian-13-64-vagrant" ]; then
- echo "[ERROR]: debian-13-64-vagrant doesn't exist"
- exit 1
+if [[ ! -f "$IMG_DIR/debian-13-64-vagrant" ]]; then
+ err "debian-13-64-vagrant doesn't exist"
 fi
 
-cat > "$IMG_DIR/metadata.json" <"$IMG_DIR/metadata.json" <<'EOF' || err "failed to write metadata.json"
 {"provider":"libvirt","format":"qcow2","virtual_size":100}
 EOF
 
-cat > "$IMG_DIR/Vagrantfile" <<'EOF'
+cat >"$IMG_DIR/Vagrantfile" <<'EOF' || err "failed to write Vagrantfile"
 Vagrant.configure("2") do |config|
- config.vm.synced_folder ".", "/vagrant", type: "nfs", nfs_version: 4
+ config.vm.synced_folder ".", "/vagrant", type: "nfs", nfs_version: 4
 end
 EOF
 
-mkdir -p ./builds/vagrant
-
-if [ ! -f ./builds/vagrant/box.img ]; then
- cp -l $IMG_DIR/debian-13-64-vagrant \
- $IMG_DIR/box.img
+mkdir -p ./builds/vagrant || err "failed to mkdir ./builds/vagrant"
+if [[ ! -f "$IMG_DIR/box.img" ]]; then
+ cp -l "$IMG_DIR/debian-13-64-vagrant" "$IMG_DIR/box.img" ||
+ err "failed to hardlink 'debian-13-64-vagrant' to 'box.img' file"
 fi
 
-if [ ! -f ./builds/vagrant/debian-13-64-vagrant.box ]; then
+if [[ ! -f ./builds/vagrant/debian-13-64-vagrant.box ]]; then
 tar -C "$IMG_DIR" -cvzf ./builds/vagrant/debian-13-64-vagrant.box \
- box.img metadata.json Vagrantfile
+ box.img metadata.json Vagrantfile || err "failed to create .box file"
 exit 0
 fi
 
-echo "[ERROR]: debian-13-64-vagrant.box already exists"
-exit 1
+err "debian-13-64-vagrant.box already exists"
diff --git a/debian-13/scripts/upgrade.sh b/debian-13/scripts/upgrade.sh
old mode 100644
new mode 100755
index 53b167f..e107edd
--- a/debian-13/scripts/upgrade.sh
+++ b/debian-13/scripts/upgrade.sh
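Review bot: If `tar -C "$IMG_DIR" -cvzf ./builds/vagrant/debian-13-64-vagrant.box ...` fails part-way, a truncated `.box` is left on disk and the next run takes the `err "debian-13-64-vagrant.box already exists"` branch instead of rebuilding it; remove the partial output on failure, e.g. `box.img metadata.json Vagrantfile || { rm -f ./builds/vagrant/debian-13-64-vagrant.box; err "failed to create .box file"; }`, or write to a temporary name and rename once tar succeeds. `-v` on that tar call prints every member to the build log and can be dropped now that `err` reports failures. The `metadata.json` heredoc pair appears garbled in this rendering (the removed and added `cat` lines are fused into one), so I could not review that change.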
@@ -1,3 +1,5 @@
 #!/usr/bin/env bash
-apt-get update
-apt-get upgrade -y
+set -x
+export DEBIAN_FRONTEND=noninteractive
+apt-get update || exit 1
+apt-get upgrade -y || exit 1
diff --git a/debian-13/scripts/vagrant.sh b/debian-13/scripts/vagrant.sh
old mode 100644
new mode 100755
index 8f56fc7..a54e9e8
--- a/debian-13/scripts/vagrant.sh
+++ b/debian-13/scripts/vagrant.sh
@@ -1,8 +1,13 @@
 #!/usr/bin/env bash
-set -eu
+set -x
+
+err() {
+ printf "[ERROR]: %s\n" "$1" >&2
+ exit 1
+}
 
 export DEBIAN_FRONTEND=noninteractive
-apt-get update
+apt-get update || err "failed to update APT cache"
 apt-get install -y \
 qemu-guest-agent \
 nfs-common \
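Review bot: `apt-get upgrade -y || exit 1` holds back any package whose update needs new dependencies or removals, which can happen with kernel package changes between Debian point releases, so an image built from the 13.4 ISO may still carry held-back packages; if the goal is a fully current base, `apt-get full-upgrade -y || exit 1` is the usual choice for an unattended build. Unlike the other scripts in this patch, a failure here prints nothing before `exit 1`; reusing the same `err` helper (`apt-get update || err "failed to update APT cache"`) would keep the build log consistent across scripts.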
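Review bot: Replacing `set -eu` with `set -x` also drops `-u`, and none of the added `|| err` checks replace that guard; since `-u` does not interfere with the `|| err` pattern, `set -xu` keeps unset-variable detection (package.sh has the same regression from `set -xu` to `set -x`). With tracing on, every command is echoed into the Packer log, including the `useradd ... -p "$(openssl passwd -1 vagrant)"` line in the next hunk; that is the public Vagrant password today, but a comment such as `# set -x echoes every command, including password hashes, into the build log` under the shebang would warn anyone who later provisions a real secret here. The `apt-get install -y \` command continues past the end of this hunk.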
@@ -10,19 +15,25 @@ apt-get install -y \
 curl \
 sudo \
 vim \
- python3-apt
+ python3-apt || err "failed to install packages"
 
-useradd -m -s /bin/bash -p "$(openssl passwd -1 vagrant)" vagrant
+useradd -m -s /bin/bash -p "$(openssl passwd -1 vagrant)" vagrant ||
+ err "failed to add vagrant user"
+printf '%s\n' "vagrant ALL=(ALL) NOPASSWD:ALL" >/etc/sudoers.d/vagrant ||
+ err "failed to write sudoers file"
+chmod 440 /etc/sudoers.d/vagrant || err "failed to chmod sudoers file"
+install -d -m 0700 -o vagrant -g vagrant /home/vagrant/.ssh ||
+ err "failed to create vagrant .ssh dir"
 
-echo "vagrant ALL=(ALL) NOPASSWD:ALL" >/etc/sudoers.d/vagrant
-chmod 440 /etc/sudoers.d/vagrant
-
-install -d -m 0700 -o vagrant -g vagrant /home/vagrant/.ssh
 BASE_GH_URL="https://raw.githubusercontent.com/hashicorp/vagrant/refs/heads"
 curl -fsSL "${BASE_GH_URL}/main/keys/vagrant.pub" \
- -o /home/vagrant/.ssh/authorized_keys
-chmod 600 /home/vagrant/.ssh/authorized_keys
-chown vagrant:vagrant /home/vagrant/.ssh/authorized_keys
+ -o /home/vagrant/.ssh/authorized_keys ||
+ err "failed to download initial authorized_keys"
+chmod 600 /home/vagrant/.ssh/authorized_keys || err "failed to chmod 600 authorized_keys"
+chown vagrant:vagrant /home/vagrant/.ssh/authorized_keys ||
+ err "failed to chown initial authorized_keys"
 
-sed -i 's/PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
-passwd -d root
+sed -i 's/PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config ||
+ err "failed to disable root login via SSH"
+passwd -d root || err "failed to delete root password"
+passwd -l root || err "failed to lock root password"
diff --git a/debian-13/x86_64-qemu-base.pkr.hcl b/debian-13/x86_64-qemu-base.pkr.hcl
index 8ba590c..a5d8956 100644
--- a/debian-13/x86_64-qemu-base.pkr.hcl
+++ b/debian-13/x86_64-qemu-base.pkr.hcl
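Review bot: `sed -i 's/PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config || err "failed to disable root login via SSH"` most likely hardens nothing on a stock Debian install, where the directive ships commented out as `#PermitRootLogin prohibit-password`: the substitution yields `#PermitRootLogin no`, still a comment, and `sed` exits 0 whether or not anything matched, so the `|| err` branch can never fire. A drop-in is explicit and verifiable: `printf 'PermitRootLogin no\n' >/etc/ssh/sshd_config.d/50-no-root-login.conf || err "failed to disable root login via SSH"` followed by `sshd -t || err "sshd config is invalid"` (file name is illustrative; Debian's default sshd_config includes `/etc/ssh/sshd_config.d/*.conf`, confirm on the 13.4 image). `openssl passwd -1` in the `useradd` line produces an MD5-crypt hash; `openssl passwd -6` gives SHA-512 crypt, which is the Debian default and a drop-in replacement here.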
@@ -8,11 +8,11 @@ packer {
 }
 
 variable "iso_url" {
- default = "https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-13.0.0-amd64-netinst.iso"
+ default = "https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-13.4.0-amd64-netinst.iso"
 }
 
 variable "iso_hash" {
- default = "sha256:e363cae0f1f22ed73363d0bde50b4ca582cb2816185cf6eac28e93d9bb9e1504"
+ default = "sha256:0b813535dd76f2ea96eff908c65e8521512c92a0631fd41c95756ffd7d4896dc"
 }
 
 variable "disk_size" {