Harden scripts and bump debian-13 ISO to 13.4

debian-13/scripts/vagrant.sh

@@ -1,8 +1,13 @@
 #!/usr/bin/env bash
-set -eu
+set -x
+
+err() {
+	printf "[ERROR]: %s\n" "$1" >&2
+	exit 1
+}
 
 export DEBIAN_FRONTEND=noninteractive
-apt-get update
+apt-get update || err "failed to update APT cache"
 apt-get install -y \
 	qemu-guest-agent \
 	nfs-common \
@@ -10,19 +15,25 @@ apt-get install -y \
 	curl \
 	sudo \
 	vim \
-	python3-apt
+	python3-apt || err "failed to install packages"
 
-useradd -m -s /bin/bash -p "$(openssl passwd -1 vagrant)" vagrant
+useradd -m -s /bin/bash -p "$(openssl passwd -1 vagrant)" vagrant ||
+	err "failed to add vagrant user"
+printf '%s\n' "vagrant ALL=(ALL) NOPASSWD:ALL" >/etc/sudoers.d/vagrant ||
+	err "failed to write sudoers file"
+chmod 440 /etc/sudoers.d/vagrant || err "failed to chmod sudoers file"
+install -d -m 0700 -o vagrant -g vagrant /home/vagrant/.ssh ||
+	err "failed to create vagrant .ssh dir"
 
-echo "vagrant ALL=(ALL) NOPASSWD:ALL" >/etc/sudoers.d/vagrant
-chmod 440 /etc/sudoers.d/vagrant
-
-install -d -m 0700 -o vagrant -g vagrant /home/vagrant/.ssh
 BASE_GH_URL="https://raw.githubusercontent.com/hashicorp/vagrant/refs/heads"
 curl -fsSL "${BASE_GH_URL}/main/keys/vagrant.pub" \
-	-o /home/vagrant/.ssh/authorized_keys
-chmod 600 /home/vagrant/.ssh/authorized_keys
-chown vagrant:vagrant /home/vagrant/.ssh/authorized_keys
+	-o /home/vagrant/.ssh/authorized_keys ||
+	err "failed to download initial authorized_keys"
+chmod 600 /home/vagrant/.ssh/authorized_keys || err "failed to chmod 600 authorized_keys"
+chown vagrant:vagrant /home/vagrant/.ssh/authorized_keys ||
+	err "failed to chown initial authorized_keys"
 
-sed -i 's/PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
-passwd -d root
+sed -i 's/PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config ||
+	err "failed to disable root login via SSH"
+passwd -d root || err "failed to delete root password"
+passwd -l root || err "failed to lock root password"