kris/pkrbuilds
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden scripts and bump debian-13 ISO to 13.4

Browse Source
This commit is contained in:
Kris Lamoureux
2026-05-16 16:42:15 -04:00
parent ac99af8517
commit 2d29791794
6 changed files with 74 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files
debian-13/scripts/clean.sh
Regular → Executable
+6 -10
View File
@@ -1,16 +1,12 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -eux set -x
export DEBIAN_FRONTEND=noninteractive apt-get clean || exit 1
apt-get clean -y
apt-get autoclean -y
rm -f /var/lib/dhcpcd/*
rm -rf /var/cache/apt/archives/* rm -rf /var/cache/apt/archives/*
rm -rf /var/lib/apt/lists/* rm -rf /var/lib/apt/lists/*
rm -rf /var/tmp/* /var/tmp/.[!.]* rm -rf /var/tmp/* /var/tmp/.[!.]*
[[ -f /var/log/wtmp ]] && truncate -s 0 /var/log/wtmp
truncate -s 0 /var/log/wtmp dd if=/dev/zero of=/EMPTY bs=1M
sync || exit 1
dd if=/dev/zero of=/EMPTY bs=1M || true rm -f /EMPTY || exit 1
sync
rm -rf /EMPTY
debian-13/scripts/networkd.sh
Regular → Executable
+20 -11
View File
@@ -1,8 +1,19 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -eux set -x
install -d -m 755 -o root -g root /etc/systemd/network err() {
cat > /etc/systemd/network/lan0.network << 'EOF' printf "[ERROR]: %s\n" "$1" >&2
exit 1
}
export DEBIAN_FRONTEND=noninteractive
apt-get update || err "failed to update APT cache"
apt-get install -y systemd-resolved || err "failed to install systemd-resolved"
install -d -m 755 -o root -g root /etc/systemd/network ||
err "failed to create /etc/systemd/network"
cat >/etc/systemd/network/lan0.network <<'EOF' || err "failed to write lan0"
[Match] [Match]
Name=e* Name=e*
Type=ether Type=ether
@@ -11,12 +22,10 @@ Type=ether
DHCP=ipv4 DHCP=ipv4
EOF EOF
chown root:root /etc/systemd/network/lan0.network chown root:root /etc/systemd/network/lan0.network || err "failed to chown"
chmod 644 /etc/systemd/network/lan0.network chmod 644 /etc/systemd/network/lan0.network || err "failed to chmod 644"
mv /etc/network/interfaces /etc/network/interfaces.save systemctl enable systemd-networkd || err "failed to enable networkd"
mv /etc/network/interfaces.d /etc/network/interfaces.d.save systemctl enable systemd-resolved || err "failed to enable resolved"
systemctl enable systemd-networkd systemctl disable networking || err "failed to disable networking service"
systemctl disable networking apt-get purge -y ifupdown || err "failed to purge ifupdown"
echo "nameserver 192.168.121.1" >/etc/resolv.conf
debian-13/scripts/package.sh
+17 -15
View File
@@ -1,34 +1,36 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -xu set -x
err() {
printf "[ERROR]: %s\n" "$1" >&2
exit 1
}
IMG_DIR="./builds/qemu/debian-13-64-vagrant" IMG_DIR="./builds/qemu/debian-13-64-vagrant"
if [ ! -f "$IMG_DIR/debian-13-64-vagrant" ]; then if [[ ! -f "$IMG_DIR/debian-13-64-vagrant" ]]; then
echo "[ERROR]: debian-13-64-vagrant doesn't exist" err "debian-13-64-vagrant doesn't exist"
exit 1
fi fi
cat > "$IMG_DIR/metadata.json" <<EOF cat >"$IMG_DIR/metadata.json" <<'EOF' || err "failed to write metadata.json"
{"provider":"libvirt","format":"qcow2","virtual_size":100} {"provider":"libvirt","format":"qcow2","virtual_size":100}
EOF EOF
cat > "$IMG_DIR/Vagrantfile" <<'EOF' cat >"$IMG_DIR/Vagrantfile" <<'EOF' || err "failed to write Vagrantfile"
Vagrant.configure("2") do |config| Vagrant.configure("2") do |config|
config.vm.synced_folder ".", "/vagrant", type: "nfs", nfs_version: 4 config.vm.synced_folder ".", "/vagrant", type: "nfs", nfs_version: 4
end end
EOF EOF
mkdir -p ./builds/vagrant mkdir -p ./builds/vagrant || err "failed to mkdir ./builds/vagrant"
if [[ ! -f "$IMG_DIR/box.img" ]]; then
if [ ! -f ./builds/vagrant/box.img ]; then cp -l "$IMG_DIR/debian-13-64-vagrant" "$IMG_DIR/box.img" ||
cp -l $IMG_DIR/debian-13-64-vagrant \ err "failed to hardlink 'debian-13-64-vagrant' to 'box.img' file"
$IMG_DIR/box.img
fi fi
if [ ! -f ./builds/vagrant/debian-13-64-vagrant.box ]; then if [[ ! -f ./builds/vagrant/debian-13-64-vagrant.box ]]; then
tar -C "$IMG_DIR" -cvzf ./builds/vagrant/debian-13-64-vagrant.box \ tar -C "$IMG_DIR" -cvzf ./builds/vagrant/debian-13-64-vagrant.box \
box.img metadata.json Vagrantfile box.img metadata.json Vagrantfile || err "failed to create .box file"
exit 0 exit 0
fi fi
echo "[ERROR]: debian-13-64-vagrant.box already exists" err "debian-13-64-vagrant.box already exists"
exit 1
debian-13/scripts/upgrade.sh
Regular → Executable
+4 -2
View File
@@ -1,3 +1,5 @@
#!/usr/bin/env bash #!/usr/bin/env bash
apt-get update set -x
apt-get upgrade -y export DEBIAN_FRONTEND=noninteractive
apt-get update || exit 1
apt-get upgrade -y || exit 1
debian-13/scripts/vagrant.sh
Regular → Executable
+24 -13
View File
@@ -1,8 +1,13 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -eu set -x
err() {
printf "[ERROR]: %s\n" "$1" >&2
exit 1
}
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
apt-get update apt-get update || err "failed to update APT cache"
apt-get install -y \ apt-get install -y \
qemu-guest-agent \ qemu-guest-agent \
nfs-common \ nfs-common \
@@ -10,19 +15,25 @@ apt-get install -y \
curl \ curl \
sudo \ sudo \
vim \ vim \
python3-apt python3-apt || err "failed to install packages"
useradd -m -s /bin/bash -p "$(openssl passwd -1 vagrant)" vagrant useradd -m -s /bin/bash -p "$(openssl passwd -1 vagrant)" vagrant ||
err "failed to add vagrant user"
printf '%s\n' "vagrant ALL=(ALL) NOPASSWD:ALL" >/etc/sudoers.d/vagrant ||
err "failed to write sudoers file"
chmod 440 /etc/sudoers.d/vagrant || err "failed to chmod sudoers file"
install -d -m 0700 -o vagrant -g vagrant /home/vagrant/.ssh ||
err "failed to create vagrant .ssh dir"
echo "vagrant ALL=(ALL) NOPASSWD:ALL" >/etc/sudoers.d/vagrant
chmod 440 /etc/sudoers.d/vagrant
install -d -m 0700 -o vagrant -g vagrant /home/vagrant/.ssh
BASE_GH_URL="https://raw.githubusercontent.com/hashicorp/vagrant/refs/heads" BASE_GH_URL="https://raw.githubusercontent.com/hashicorp/vagrant/refs/heads"
curl -fsSL "${BASE_GH_URL}/main/keys/vagrant.pub" \ curl -fsSL "${BASE_GH_URL}/main/keys/vagrant.pub" \
-o /home/vagrant/.ssh/authorized_keys -o /home/vagrant/.ssh/authorized_keys ||
chmod 600 /home/vagrant/.ssh/authorized_keys err "failed to download initial authorized_keys"
chown vagrant:vagrant /home/vagrant/.ssh/authorized_keys chmod 600 /home/vagrant/.ssh/authorized_keys || err "failed to chmod 600 authorized_keys"
chown vagrant:vagrant /home/vagrant/.ssh/authorized_keys ||
err "failed to chown initial authorized_keys"
sed -i 's/PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config sed -i 's/PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config ||
passwd -d root err "failed to disable root login via SSH"
passwd -d root || err "failed to delete root password"
passwd -l root || err "failed to lock root password"
debian-13/x86_64-qemu-base.pkr.hcl
+2 -2
View File
@@ -8,11 +8,11 @@ packer {
} }
variable "iso_url" { variable "iso_url" {
default = "https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-13.0.0-amd64-netinst.iso" default = "https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-13.4.0-amd64-netinst.iso"
} }
variable "iso_hash" { variable "iso_hash" {
default = "sha256:e363cae0f1f22ed73363d0bde50b4ca582cb2816185cf6eac28e93d9bb9e1504" default = "sha256:0b813535dd76f2ea96eff908c65e8521512c92a0631fd41c95756ffd7d4896dc"
} }
variable "disk_size" { variable "disk_size" {