Harden scripts and bump debian-13 ISO to 13.4

Delegate DNS to the host via the gateway IP
Fix DNS resolution
2026-05-16 16:42:15 -04:00 · 2026-02-21 09:02:16 -05:00 · 2025-11-03 21:52:15 -05:00 · 2025-11-01 23:31:43 -04:00 · 2025-08-21 23:25:27 -04:00 · 2025-08-17 19:05:57 -04:00
11 changed files with 229 additions and 27 deletions
@@ -1,11 +1,18 @@
-.PHONY: install clean
+.PHONY: default base vagrant clean

 HEADLESS ?= true

-default: install
+default:
+	@echo "Please run 'make base' or 'make vagrant'"

-install:
-	packer build -var 'headless=$(HEADLESS)' .
+base:
+	PKR_VAR_headless="$(HEADLESS)" packer build x86_64-qemu-base.pkr.hcl
+
+vagrant:
+	PKR_VAR_headless="$(HEADLESS)" packer build x86_64-qemu-vagrant.pkr.hcl
+
+package:
+	./scripts/package.sh

 clean:
 	rm -rf ./builds
@@ -1,24 +1,34 @@
 # Debian Trixie Builds

 This directory contains Packer configuration for building Debian 13 (Trixie)
-images

-## Usage
+### Overview

-Build the image:
+These builds use a multi-stage Packer workflow:

-```
-make
-```
+- The first stage creates a minimal base image from the installer ISO
+- The second stage reuses that base image to produce a Vagrant-ready box

-Remove build artifacts:
+### Usage

-```
-make clean
-```
+Build the base qemu image:

-Build with a visible VM console for debugging:
+    make base

-```
-make HEADLESS=false
-```
+Build vagrant image:
+
+    make vagrant
+
+Package vagrant box:
+
+    make package
+
+Build with visible console:
+
+    make base HEADLESS=false
+
+### Publishing
+
+Built boxes from this configuration are published at
+[krislamo.org/debian13](https://portal.cloud.hashicorp.com/vagrant/discover/krislamo.org/debian13)
+on Vagrant Cloud
@@ -12,8 +12,8 @@ d-i apt-setup/cdrom/set-first boolean false
 # (Initial) root account setup
 d-i passwd/make-user boolean false
 d-i passwd/root-login boolean true
-d-i passwd/root-password password debian
-d-i passwd/root-password-again password debian
+# d-i passwd/root-password password debian
+# d-i passwd/root-password-again password debian

 # Time
 d-i clock-setup/utc boolean true
@@ -1,3 +0,0 @@
-#!/usr/bin/env bash
-apt-get update
-apt-get upgrade -y
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -x
+
+apt-get clean || exit 1
+rm -rf /var/cache/apt/archives/*
+rm -rf /var/lib/apt/lists/*
+rm -rf /var/tmp/* /var/tmp/.[!.]*
+[[ -f /var/log/wtmp ]] && truncate -s 0 /var/log/wtmp
+
+dd if=/dev/zero of=/EMPTY bs=1M
+sync || exit 1
+rm -f /EMPTY || exit 1
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+set -x
+
+err() {
+	printf "[ERROR]: %s\n" "$1" >&2
+	exit 1
+}
+
+export DEBIAN_FRONTEND=noninteractive
+apt-get update || err "failed to update APT cache"
+apt-get install -y systemd-resolved || err "failed to install systemd-resolved"
+
+install -d -m 755 -o root -g root /etc/systemd/network ||
+	err "failed to create /etc/systemd/network"
+
+cat >/etc/systemd/network/lan0.network <<'EOF' || err "failed to write lan0"
+[Match]
+Name=e*
+Type=ether
+
+[Network]
+DHCP=ipv4
+EOF
+
+chown root:root /etc/systemd/network/lan0.network || err "failed to chown"
+chmod 644 /etc/systemd/network/lan0.network || err "failed to chmod 644"
+
+systemctl enable systemd-networkd || err "failed to enable networkd"
+systemctl enable systemd-resolved || err "failed to enable resolved"
+systemctl disable networking || err "failed to disable networking service"
+apt-get purge -y ifupdown || err "failed to purge ifupdown"
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+set -x
+
+err() {
+	printf "[ERROR]: %s\n" "$1" >&2
+	exit 1
+}
+
+IMG_DIR="./builds/qemu/debian-13-64-vagrant"
+if [[ ! -f "$IMG_DIR/debian-13-64-vagrant" ]]; then
+	err "debian-13-64-vagrant doesn't exist"
+fi
+
+cat >"$IMG_DIR/metadata.json" <<'EOF' || err "failed to write metadata.json"
+{"provider":"libvirt","format":"qcow2","virtual_size":100}
+EOF
+
+cat >"$IMG_DIR/Vagrantfile" <<'EOF' || err "failed to write Vagrantfile"
+Vagrant.configure("2") do |config|
+	config.vm.synced_folder ".", "/vagrant", type: "nfs", nfs_version: 4
+end
+EOF
+
+mkdir -p ./builds/vagrant || err "failed to mkdir ./builds/vagrant"
+if [[ ! -f "$IMG_DIR/box.img" ]]; then
+	cp -l "$IMG_DIR/debian-13-64-vagrant" "$IMG_DIR/box.img" ||
+		err "failed to hardlink 'debian-13-64-vagrant' to 'box.img' file"
+fi
+
+if [[ ! -f ./builds/vagrant/debian-13-64-vagrant.box ]]; then
+	tar -C "$IMG_DIR" -cvzf ./builds/vagrant/debian-13-64-vagrant.box \
+		box.img metadata.json Vagrantfile || err "failed to create .box file"
+	exit 0
+fi
+
+err "debian-13-64-vagrant.box already exists"
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -x
+export DEBIAN_FRONTEND=noninteractive
+apt-get update || exit 1
+apt-get upgrade -y || exit 1
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -x
+
+err() {
+	printf "[ERROR]: %s\n" "$1" >&2
+	exit 1
+}
+
+export DEBIAN_FRONTEND=noninteractive
+apt-get update || err "failed to update APT cache"
+apt-get install -y \
+	qemu-guest-agent \
+	nfs-common \
+	openssl \
+	curl \
+	sudo \
+	vim \
+	python3-apt || err "failed to install packages"
+
+useradd -m -s /bin/bash -p "$(openssl passwd -1 vagrant)" vagrant ||
+	err "failed to add vagrant user"
+printf '%s\n' "vagrant ALL=(ALL) NOPASSWD:ALL" >/etc/sudoers.d/vagrant ||
+	err "failed to write sudoers file"
+chmod 440 /etc/sudoers.d/vagrant || err "failed to chmod sudoers file"
+install -d -m 0700 -o vagrant -g vagrant /home/vagrant/.ssh ||
+	err "failed to create vagrant .ssh dir"
+
+BASE_GH_URL="https://raw.githubusercontent.com/hashicorp/vagrant/refs/heads"
+curl -fsSL "${BASE_GH_URL}/main/keys/vagrant.pub" \
+	-o /home/vagrant/.ssh/authorized_keys ||
+	err "failed to download initial authorized_keys"
+chmod 600 /home/vagrant/.ssh/authorized_keys || err "failed to chmod 600 authorized_keys"
+chown vagrant:vagrant /home/vagrant/.ssh/authorized_keys ||
+	err "failed to chown initial authorized_keys"
+
+sed -i 's/PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config ||
+	err "failed to disable root login via SSH"
+passwd -d root || err "failed to delete root password"
+passwd -l root || err "failed to lock root password"
@@ -8,11 +8,11 @@ packer {
 }

 variable "iso_url" {
-  default = "https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-13.0.0-amd64-netinst.iso"
+  default = "https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-13.4.0-amd64-netinst.iso"
 }

 variable "iso_hash" {
-  default = "sha256:e363cae0f1f22ed73363d0bde50b4ca582cb2816185cf6eac28e93d9bb9e1504"
+  default = "sha256:0b813535dd76f2ea96eff908c65e8521512c92a0631fd41c95756ffd7d4896dc"
 }

 variable "disk_size" {
@@ -23,6 +23,10 @@ variable "memory" {
  default = 2048
 }

+variable "ssh_password" {
+  default = "debian"
+}
+
 variable "headless" {
  default = true
 }
@@ -40,7 +44,7 @@ source "qemu" "debian-13-64-base" {
  accelerator       = "kvm"
  http_directory    = "http"
  ssh_username      = "root"
-  ssh_password      = "debian"
+  ssh_password      = var.ssh_password
  ssh_timeout       = "60m"
  vm_name           = "debian-13-64-base"
  net_device        = "virtio-net"
@@ -50,6 +54,8 @@ source "qemu" "debian-13-64-base" {
    "<tab>",
    " auto=true",
    " priority=critical",
+    " passwd/root-password=${var.ssh_password}",
+    " passwd/root-password-again=${var.ssh_password}",
    " hostname=trixie",
    " domain=",
    " url=http://{{ .HTTPIP }}:{{ .HTTPPort }}/preseed.cfg",
@@ -63,7 +69,9 @@ build {

  provisioner "shell" {
    scripts = [
-      "scripts/aptupdate.sh",
+      "scripts/upgrade.sh",
+      "scripts/networkd.sh",
+      "scripts/clean.sh"
    ]
  }
 }
@@ -0,0 +1,57 @@
+packer {
+  required_plugins {
+    qemu = {
+      version = ">= 1.1.3"
+      source  = "github.com/hashicorp/qemu"
+    }
+  }
+}
+
+variable "memory" {
+  default = 2048
+}
+
+variable "ssh_password" {
+  default = "debian"
+}
+
+variable "headless" {
+  default = true
+}
+
+variable "disk_size" {
+  default = 102400
+}
+
+source "qemu" "debian-13-64-vagrant" {
+  iso_url           = "builds/qemu/debian-13-64-base/debian-13-64-base"
+  disk_image        = true
+  iso_checksum      = "none"
+  output_directory  = "builds/qemu/debian-13-64-vagrant"
+  shutdown_command  = "/usr/bin/systemctl poweroff"
+  disk_interface    = "virtio"
+  disk_size         = var.disk_size
+  memory            = var.memory
+  headless          = var.headless
+  format            = "qcow2"
+  accelerator       = "kvm"
+  http_directory    = "http"
+  ssh_username      = "root"
+  ssh_password      = var.ssh_password
+  ssh_timeout       = "60m"
+  vm_name           = "debian-13-64-vagrant"
+  net_device        = "virtio-net"
+  boot_wait         = "5s"
+}
+
+build {
+  name = "debian-base"
+  sources = ["source.qemu.debian-13-64-vagrant"]
+
+  provisioner "shell" {
+    scripts = [
+      "scripts/vagrant.sh",
+      "scripts/clean.sh"
+    ]
+  }
+}
Author	SHA1	Message	Date
kris	2d29791794	Harden scripts and bump debian-13 ISO to 13.4	2026-05-16 16:42:15 -04:00
kris	ac99af8517	Delegate DNS to the host via the gateway IP	2026-02-21 09:02:16 -05:00
kris	b17d132497	Fix DNS resolution	2025-11-03 21:52:15 -05:00
kris	b7d76be6ce	Add packaging for vagrant box and cleanup step	2025-11-01 23:31:43 -04:00
kris	4b49404a0c	Create Vagrant box from base image	2025-08-21 23:25:27 -04:00
kris	509b6af145	Make root password configurable	2025-08-17 19:05:57 -04:00