diff --git a/debian.sh b/debian.sh
index 0157708..50900c3 100755
--- a/debian.sh
+++ b/debian.sh
@@ -4,20 +4,20 @@
 #
 # An automatic installer for Debian Stable with BTRFS, Snapshots, and Full-disk-encryption
 #
-# INSTRUCTIONS 
+# INSTRUCTIONS
 #
 # For new disk installs, initialize the disk to setup Encryption and partitions:
 # ./debian.sh initialize nvme0n1 (DO NOT SPECIFY /dev/ !)
 #
-# Before running the install, ensure that you have Internet access. If you modify the 
+# Before running the install, ensure that you have Internet access. If you modify the
 # WIRELESS_PASSWORD and SSID in this file, you can connect to the Internet with:
-# ./debian.sh wifi 
+# ./debian.sh wifi
 #
-# Plesae be sure to change USER,USER_PASSWORD,DISK_PASSWORD, and ROOT_PASSWORD strings in this file 
+# Plesae be sure to change USER,USER_PASSWORD,DISK_PASSWORD, and ROOT_PASSWORD strings in this file
 #
 # To install/reinstall the OS:
 # ./debian.sh install nvme0n1
-# 
+#
 # reboot
 ########################
 #Configure this section
@@ -32,8 +32,8 @@ HARD_DISK=$2
 EFI="/dev/$(lsblk | grep $HARD_DISK | head -2 | tail -1 | cut -c 7-20 | cut -d ' ' -f1)"
 BTRFS="/dev/$(lsblk | grep $HARD_DISK | head -4 | tail -1 | cut -c 7-20 | cut -d ' ' -f1)"
 BOOT="/dev/$(lsblk | grep $HARD_DISK | head -3 | tail -1 | cut -c 7-20 | cut -d ' ' -f1)"
-ROOT_NAME='install2'
-ROOT_MAPPER_NAME='install'
+ROOT_NAME='debian'
+ROOT_MAPPER_NAME='root'
 BACKUP_DISK='/dev/disk/by-uuid/43076025-fa41-4b02-9c69-d0193a1a0371'
 ######################################
 USER="verita84"
@@ -47,7 +47,7 @@ COMPRESSION='compress=zlib:5'
 DEBIAN_RELEASE='stable'
 CURRENT_STABLE_NAME='bullseye'
 AUTO_DECRYPT='True'
-FLATPAKS+=( app/net.brinkervii.grapejuice org.kde.kdenlive )
+FLATPAKS+=(app/net.brinkervii.grapejuice org.kde.kdenlive)
 #Packages
 PACKAGES=" minidlna libsecret-tools libglu1-mesa preload flatpak powertop blueman acpi neofetch cockpit cockpit-podman packagekit cockpit-packagekit cockpit-pcp cockpit-storaged redis "
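Review bot: `ROOT_MAPPER_NAME='root'` is a very common substring, and bootloader() later in this diff resolves the root filesystem UUID with `/sbin/blkid | grep $ROOT_MAPPER_NAME`, so any other blkid line containing "root" (a LABEL or PARTLABEL, for instance) now contributes a second UUID to the kernel command line; resolve the mapper device directly instead, e.g. `blkid -s UUID -o value /dev/mapper/$ROOT_MAPPER_NAME`. The three context lines above have the same class of problem: `lsblk | grep $HARD_DISK` also matches nvme0n10 when HARD_DISK is nvme0n1, and `head -N | tail -1 | cut -c 7-20` depends on the width of lsblk's tree glyphs; `lsblk -lnpo NAME /dev/$HARD_DISK` lists the partitions one per line without that fragility. HARD_DISK comes straight from `$2` and is later passed to parted and mkfs, so a `[[ -b "/dev/$HARD_DISK" ]] || exit 1` check ahead of these assignments would stop a typo from selecting the wrong disk for formatting.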
@@ -58,35 +58,41 @@ SHARED_DESKTOP_APPS=" firefox-esr yt-dlp keepassxc rssguard telegram-desktop gno
 VIRTUALIZATION=" virt-manager qemu-system libvirt-daemon-system ovmf cockpit-machines"
 PACKAGES=$BASE_PACKAGES$PACKAGES$SHARED_DESKTOP_APPS
 #PACKAGES=$BASE_PACKAGES
-SERVICES+=( powertop preload );
+SERVICES+=(powertop preload)
-auto_login(){
+auto_login() {
 	sed -i "/#WaylandEnable=false/a AutomaticLoginEnable=True" $TARGET/etc/gdm3/daemon.conf
 	sed -i "/True/a AutomaticLogin=$USER" $TARGET/etc/gdm3/daemon.conf
 }
-create-os-snapshots(){
-	echo;echo "[Creating new snapshots.....]";echo
+create-os-snapshots() {
+	echo
+	echo "[Creating new snapshots.....]"
+	echo
 	mkdir -p $TARGET/\@install/var/lib/backup
-	time tar cvpzf $TARGET/\@install/var/lib/backup/$1.tgz --exclude=/volumes/* --exclude=/mnt/* --exclude=/var/tmp/* --exclude=/tmp/* --exclude=/raid/* --exclude=/root/* --exclude=/var/cache/apt/archives/* --exclude=/proc/* --exclude=/.snapshots/* --exclude=$TARGET/* --exclude=/var/lib/libvirt/* --exclude=/dev/* --exclude=/sys/* --exclude=/home/* --exclude=/var/lib/postgresql --exclude=/var/lib/containers /
+	time tar cvpzf $TARGET/\@install/var/lib/backup/$1.tgz --exclude=/volumes/* --exclude=/mnt/* --exclude=/var/tmp/* --exclude=/tmp/* --exclude=/raid/* --exclude=/root/* --exclude=/var/cache/apt/archives/* --exclude=/proc/* --exclude=/.snapshots/* --exclude=$TARGET/* --exclude=/var/lib/libvirt/* --exclude=/dev/* --exclude=/sys/* --exclude=/home/* --exclude=/var/lib/postgresql --exclude=/var/lib/containers /
 }
 homeBackup() {
-	echo;echo "[Copying USER data....]";echo
+	echo
+	echo "[Copying USER data....]"
+	echo
 	rsync --progress -avz --delete /home/ --exclude=.cache/ --exclude=.local/share/containers $TARGET/\@home/
 }
 os-backup() {
 	umount $TARGET
-	echo;echo "[Mounting.....]";echo
+	echo
+	echo "[Mounting.....]"
+	echo
 	printf "$DISK_PASSWORD" | cryptsetup open $BACKUP_DISK install
 	mount /dev/mapper/install $TARGET
-	
 	if [ "$2" = "home" ]; then
 		homeBackup
 	fi
-	
 	create-os-snapshots "$1"
 	ls $TARGET/
 	umount $TARGET
@@ -94,11 +100,11 @@ os-backup() {
 os-restore() {
 	partitions
-	rm -rf $TARGET/usr $TARGET/sbin $TARGET/lib32 $TARGET/libx32 $TARGET/lib $TARGET/vmlinuz* $TARGET/initrd* $TARGET/bin $TARGET/var $TARGET/root $TARGET/opt $TARGET/etc $TARGET/run 
+	rm -rf $TARGET/usr $TARGET/sbin $TARGET/lib32 $TARGET/libx32 $TARGET/lib $TARGET/vmlinuz* $TARGET/initrd* $TARGET/bin $TARGET/var $TARGET/root $TARGET/opt $TARGET/etc $TARGET/run
 	tar xfpv /var/lib/backup/$2.tgz -C $TARGET/
 	if [ "$3" = "home" ]; then
-		rsync -av --progress --delete /home/ $TARGET/home/ 
+		rsync -av --progress --delete /home/ $TARGET/home/
 	fi
 	fstab
@@ -110,7 +116,7 @@ os-restore() {
 	unmount
 }
-systemMounts(){
+systemMounts() {
 	mount -o rbind /dev $TARGET/dev
 	mount -o rbind /dev/pts $TARGET/dev/pts
 	mount -o rbind /proc $TARGET/proc
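Review bot: os-backup() still has no error handling around the two steps the backup depends on: if `cryptsetup open $BACKUP_DISK install` or `mount /dev/mapper/install $TARGET` fails, execution simply continues and create-os-snapshots() does `mkdir -p` and writes the full-system tarball into `$TARGET/@install/var/lib/backup` on whatever is mounted at `$TARGET` — presumably the host's own root filesystem — so the archive ends up outside the encrypted backup disk. Add an exit on both lines, e.g. `mount /dev/mapper/install $TARGET || exit 1`. The archive also includes /etc, which after decryptBoot() contains the LUKS keyfile; that is acceptable on the encrypted backup disk, but a comment on the tar line such as `# archive contains /etc/keyfile.key; keep it on encrypted media only` would record the constraint.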
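Review bot: The re-indented `rm -rf $TARGET/usr $TARGET/sbin ... $TARGET/run` in os-restore() has no guard on `$TARGET`; if the variable is empty or unset (no `set -u` is visible in this diff), the line deletes `/usr`, `/sbin`, `/lib`, `/etc` and the rest of the running host. Use the `:?` expansion on the first reference so the script aborts instead of expanding to `/`: `rm -rf -- "${TARGET:?TARGET is not set}"/usr "$TARGET"/sbin ...`. The same guard is worth applying to `tar xfpv /var/lib/backup/$2.tgz -C $TARGET/`, since `-C /` would unpack the archive over the host. os-restore() continues past the hunk.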
@@ -118,50 +124,58 @@ systemMounts(){
 	mount -t efivarfs none $TARGET/sys/firmware/efi/efivars
 }
-decryptBoot(){
+decryptBoot() {
 	KEYFILE='keyfile.key'
-	echo;echo "Setting LUKS to use Keyfile for password entry";echo
-	echo;echo "Clearing Old Keys";echo
-	for i in 1 2 3 4 5 6
-	do
-		printf "$DISK_PASSWORD" | cryptsetup luksKillSlot ${BTRFS} $i
+	echo
+	echo "Setting LUKS to use Keyfile for password entry"
+	echo
+	echo
+	echo "Clearing Old Keys"
+	echo
+	for i in 1 2 3 4 5 6; do
+		printf "$DISK_PASSWORD" | cryptsetup luksKillSlot ${BTRFS} $i
 	done
-	dd if=/dev/urandom of=/etc/$KEYFILE bs=1024 count=4 
+	dd if=/dev/urandom of=/etc/$KEYFILE bs=1024 count=4
 	chown root:root /etc/$KEYFILE
 	chmod 0400 /etc/$KEYFILE
-	echo;echo "Adding new key......";echo
+	echo
+	echo "Adding new key......"
+	echo
 	printf "$DISK_PASSWORD" | cryptsetup luksAddKey ${BTRFS} /etc/$KEYFILE
-	sed -i "s/none/\/etc\/$KEYFILE/" /etc/crypttab 
-	echo "KEYFILE_PATTERN=\"/etc/*.key\"" > /etc/cryptsetup-initramfs/conf-hook
+	sed -i "s/none/\/etc\/$KEYFILE/" /etc/crypttab
+	echo "KEYFILE_PATTERN=\"/etc/*.key\"" >/etc/cryptsetup-initramfs/conf-hook
 }
-install-vscode(){
+install-vscode() {
 	wget -qO - https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/raw/master/pub.gpg | gpg --dearmor | dd of=/usr/share/keyrings/vscodium-archive-keyring.gpg
 	echo 'deb [ signed-by=/usr/share/keyrings/vscodium-archive-keyring.gpg ] https://download.vscodium.com/debs vscodium main' | tee /etc/apt/sources.list.d/vscodium.list
-	apt update;apt install -y codium
+	apt update
+	apt install -y codium
 }
-install-doom(){
+install-doom() {
 	wget -O - http://debian.drdteam.org/drdteam.gpg | apt-key add -
 	add-apt-repository 'deb http://debian.drdteam.org/ stable multiverse'
-	apt update;apt install -y zandronum doomseeker-zandronum
+	apt update
+	apt install -y zandronum doomseeker-zandronum
 }
-install-element(){
+install-element() {
 	wget -O /usr/share/keyrings/element-io-archive-keyring.gpg https://packages.element.io/debian/element-io-archive-keyring.gpg
 	echo "deb [signed-by=/usr/share/keyrings/element-io-archive-keyring.gpg] https://packages.element.io/debian/ default main" | tee /etc/apt/sources.list.d/element-io.list
-	apt update;apt install -y element-desktop
+	apt update
+	apt install -y element-desktop
 }
-additional-software(){
+additional-software() {
 	install-element
 	install-doom
 	install-vscode
 }
-configure-repository(){
-	echo 'force-unsafe-io' > $TARGET/etc/dpkg/dpkg.cfg.d/docker-apt-speedup
+configure-repository() {
+	echo 'force-unsafe-io' >$TARGET/etc/dpkg/dpkg.cfg.d/docker-apt-speedup
-	if [ "$DEBIAN_RELEASE" == "testing" ];then
+	if [ "$DEBIAN_RELEASE" == "testing" ]; then
 		echo "deb https://deb.debian.org/debian $DEBIAN_RELEASE main contrib non-free non-free-firmware" >$TARGET/etc/apt/sources.list
 		chroot $TARGET /usr/bin/apt update
 		chroot $TARGET /usr/bin/bash -c "export DEBIAN_FRONTEND=noninteractive;/usr/bin/apt install -y $PACKAGES"
@@ -176,7 +190,7 @@ configure-repository(){
 		chroot $TARGET /usr/bin/bash -c "export DEBIAN_FRONTEND=noninteractive;/usr/bin/apt auto-remove -y"
 	fi
-	echo 'DPkg::Post-Invoke {"/usr/bin/debian.sh snapshot";};' > $TARGET/etc/apt/apt.conf
+	echo 'DPkg::Post-Invoke {"/usr/bin/debian.sh snapshot";};' >$TARGET/etc/apt/apt.conf
 }
 install() {
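Review bot: In decryptBoot() the keyfile is created by `dd if=/dev/urandom of=/etc/$KEYFILE bs=1024 count=4` and only afterwards chown'd and chmod'd to 0400, so for that window a LUKS unlock secret sits on disk with the process umask's default mode (typically 0644); create it restrictively from the start, `(umask 077; dd if=/dev/urandom of=/etc/$KEYFILE bs=1024 count=4)`, and keep the chmod. Because KEYFILE_PATTERN then pulls the key into the initramfs, the image itself must not be world-readable either; a comment that `UMASK=0077` is required in /etc/initramfs-tools/initramfs.conf for this to hold (cryptsetup-initramfs warns about it — confirm on the target) belongs next to the conf-hook line. Separately, every `printf "$DISK_PASSWORD" | cryptsetup ...` in this hunk, and the same lines in the enter_chroot, partitions and initialize-disk hunks, passes the secret as printf's format string, so a `%` or `\` in the passphrase is interpreted and the key slot is created with something other than what the user typed; use `printf '%s' "$DISK_PASSWORD" | cryptsetup ...`. Pre-existing but still the weakest link here: install-doom() fetches its signing key over plain http and adds it with the deprecated `apt-key add`, unlike the signed-by keyrings the neighbouring install-vscode() and install-element() use.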
@@ -184,12 +198,13 @@ install() {
 	sed -i '/^SigLevel/s/^\(.*\)$/#\1\n/' /etc/pacman.conf
 	sed -i '/#SigLevel/a SigLevel = Never' /etc/pacman.conf
 	pacman -Sy archlinux-keyring debootstrap --noconfirm
-	apt update;apt install debootstrap -y
-	rm -rf /debootstrap 
+	apt update
+	apt install debootstrap -y
+	rm -rf /debootstrap
 	debootstrap --arch amd64 $DEBIAN_RELEASE $TARGET https://deb.debian.org/debian
 	systemMounts
 	cp -f /etc/resolv.conf $TARGET/etc/
-	echo "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" > $TARGET/setup.sh
+	echo "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" >$TARGET/setup.sh
 	configure-repository
 	cp -f debian.tar $TARGET/etc/default/
 	locale
@@ -202,12 +217,11 @@ install() {
 	unmount
 }
-desktop(){
-	SERVICES+=( exim4 cockpit.socket redis-server apparmor nfs-server smbd rpbind rpcbind.socket avahi-daemon bluetooth minidlna openvpn);
-	for i in "${SERVICES[@]}"
-	do
-		systemctl disable --now $i
-	done
+desktop() {
+	SERVICES+=(exim4 cockpit.socket redis-server apparmor nfs-server smbd rpbind rpcbind.socket avahi-daemon bluetooth minidlna openvpn)
+	for i in "${SERVICES[@]}"; do
+		systemctl disable --now $i
+	done
 	apt -y purge apparmor
 	apt remove unattended-upgrades chromium chromium-common chromium-sandbox epiphany-browser epiphany-browser-data -y
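Review bot: install() keeps the two `sed -i ... /etc/pacman.conf` lines that set `SigLevel = Never` on the live host before `pacman -Sy archlinux-keyring debootstrap`, so package signature verification is switched off system-wide for the installer host and never restored, and the debootstrap binary that builds the target is installed unverified; the commit reformats the neighbouring lines but leaves this in place. Prefer refreshing the keyring with signatures still enforced (`pacman -Sy archlinux-keyring --noconfirm`) and installing debootstrap afterwards, or at minimum mark the intent with `# WARNING: disables pacman signature checks on the live host for this session` so a reader does not mistake it for a permanent setting. install() continues outside the hunk.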
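Review bot: The new SERVICES list in desktop() contains `rpbind`, which looks like a typo for `rpcbind` (the `.socket` unit right after it is spelled `rpcbind.socket`); `systemctl disable --now rpbind` only prints a unit-not-found error, so the rpcbind service itself would stay enabled while just its socket is disabled — confirm the intended unit name. The loop also disables `apparmor` and the next line purges it; since that removes a hardening control, a one-line comment stating the reason (`# apparmor removed: <reason>`) would let the next reader tell intent from an accident of the disable-everything loop. `systemctl disable --now $i` should quote the expansion as `"$i"`, even though the entries contain no spaces today.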
@@ -229,29 +243,29 @@ remove-snapshots() {
 }
 enter_chroot() {
-	printf "$DISK_PASSWORD" | cryptsetup open ${BTRFS} $ROOT_MAPPER_NAME 
+	printf "$DISK_PASSWORD" | cryptsetup open ${BTRFS} $ROOT_MAPPER_NAME
 	mounts
-	systemMounts 
+	systemMounts
 	chroot $TARGET /bin/bash
 }
 flatpaks() {
-	flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo 
+	flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
 	for i in "${FLATPAKS[@]}"; do
-		echo $i 
+		echo $i
 		flatpak install $i -y
 	done
 }
-grub-snapshots(){
+grub-snapshots() {
 	cd /opt
 	git clone https://github.com/Antynea/grub-btrfs.git
 	cd /opt/grub-btrfs
 	make
 }
-kernel-packages(){
-	/usr/bin/apt install --reinstall -y linux-image-`ls /lib/modules/` grub-efi efibootmgr plymouth plymouth-themes btrfs-progs cryptsetup-initramfs linux-image-amd64 linux-headers-amd64 firmware-iwlwifi firmware-linux firmware-linux-nonfree
+kernel-packages() {
+	/usr/bin/apt install --reinstall -y linux-image-$(ls /lib/modules/) grub-efi efibootmgr plymouth plymouth-themes btrfs-progs cryptsetup-initramfs linux-image-amd64 linux-headers-amd64 firmware-iwlwifi firmware-linux firmware-linux-nonfree
 }
 bootloader() {
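Review bot: grub-snapshots() clones the grub-btrfs repository at whatever HEAD happens to be and runs `make` as root with no tag, commit or checksum pinned, so the bootloader hook that gets installed is whatever the remote serves at install time; pin a release, e.g. `git clone --branch <RELEASE_TAG> --depth 1 https://github.com/Antynea/grub-btrfs.git`, and verify it, or install the distribution package instead. The two `cd` calls are unchecked, so a failed clone makes `make` run in /opt. In kernel-packages(), swapping the backticks for `$(ls /lib/modules/)` keeps the original problem: with more than one directory under /lib/modules the expansion splits into several words and only the first carries the `linux-image-` prefix; a loop over `/lib/modules/*/` that prefixes each basename avoids that.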
@@ -259,30 +273,29 @@ bootloader() {
 	mkdir /boot/grub/themes
 	tar xf /etc/default/debian.tar -C /boot/grub/themes/
 	plymouth-set-default-theme -R spacefun
-	echo "$ROOT_MAPPER_NAME UUID=$(/sbin/blkid | grep $BTRFS | cut -d '"' -f2) none luks" > /etc/crypttab
-	if [ "$AUTO_DECRYPT" == "True" ];then
+	echo "$ROOT_MAPPER_NAME UUID=$(/sbin/blkid | grep $BTRFS | cut -d '"' -f2) none luks" >/etc/crypttab
+	if [ "$AUTO_DECRYPT" == "True" ]; then
 		decryptBoot
 	fi
 	/sbin/update-initramfs -c -k all
-	echo "GRUB_CMDLINE_LINUX_DEFAULT=\"quiet splash\"" >/etc/default/grub
-	echo "GRUB_CMDLINE_LINUX=cryptdevice=UUID=$(/sbin/blkid | grep $BTRFS | cut -d '"' -f2):$ROOT_MAPPER_NAME root=UUID=$(/sbin/blkid | grep $ROOT_MAPPER_NAME | cut -d '"' -f4) rootflags=subvol@${ROOT_NAME} mitigations=-off" >>/etc/default/grub
-	echo "GRUB_ENABLE_CRYPTODISK=y" >>/etc/default/grub
-	echo "GRUB_THEME=/boot/grub/themes/theme.txt" >>/etc/default/grub
+	echo "GRUB_CMDLINE_LINUX_DEFAULT=\"quiet splash\"" >/etc/default/grub
+	echo "GRUB_CMDLINE_LINUX=cryptdevice=UUID=$(/sbin/blkid | grep $BTRFS | cut -d '"' -f2):$ROOT_MAPPER_NAME root=UUID=$(/sbin/blkid | grep $ROOT_MAPPER_NAME | cut -d '"' -f4) rootflags=subvol@${ROOT_NAME} mitigations=-off" >>/etc/default/grub
+	echo "GRUB_ENABLE_CRYPTODISK=y" >>/etc/default/grub
+	echo "GRUB_THEME=/boot/grub/themes/theme.txt" >>/etc/default/grub
 	/sbin/grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=debian
 	/sbin/update-grub
 }
- function setup_script() {
+function setup_script() {
 	cp -f debian.sh $TARGET/usr/bin/
 	echo 'bash /usr/bin/debian.sh kernel-packages' >>$TARGET/setup.sh
-	sed -i 's/most/dep/i' $TARGET/etc/initramfs-tools/initramfs.conf 
+	sed -i 's/most/dep/i' $TARGET/etc/initramfs-tools/initramfs.conf
 	echo "bash /usr/bin/debian.sh bootloader $1" >>$TARGET/setup.sh
 	echo 'bash /usr/bin/debian.sh grub-snapshots' >>$TARGET/setup.sh
 	echo 'bash /usr/bin/debian.sh desktop' >>$TARGET/setup.sh
 	echo 'bash /usr/bin/debian.sh additional-software' >>$TARGET/setup.sh
 	echo 'bash /usr/bin/debian.sh btrfs-tweaks' >>$TARGET/setup.sh
-	chmod +x $TARGET/usr/bin/debian.sh
 	chmod +x $TARGET/setup.sh
 	chroot $TARGET /setup.sh
@@ -340,21 +353,26 @@ locale() {
 partitions() {
 	echo
 	echo "Setting Up Partitions....."
-	printf "$DISK_PASSWORD" | cryptsetup open ${BTRFS} root
+	printf "$DISK_PASSWORD" | cryptsetup open ${BTRFS} $ROOT_MAPPER
 	unmount
-	echo
-	echo "Formatting $EFI"
-	echo
-	echo y | mkfs.vfat $EFI
-	echo "Formatting $BOOT"
-	echo y | mkfs.ext4 $BOOT
-
-	mounts
-
-	#Configure /etc/fstab
-	fstab
+	if [[ -f "/dev/mapper/$ROOT_MAPPER" ]]; then
+		echo
+		echo "Formatting $EFI"
+		echo
+		echo y | mkfs.vfat $EFI
+		echo "Formatting $BOOT"
+		echo y | mkfs.ext4 $BOOT
+		mounts
+		fstab
+	else
+		echo
+		echo "Aborting Install, mapper device not found!"
+		echo
+		echo
+		exit 1
+	fi
 }
 fstab() {
@@ -392,18 +410,16 @@ accounts() {
 }
 btrfs-tweaks() {
-DISABLE_COW=("/var/lib/docker" "/var/lib/containers" "/volumes" "/var/lib/mysql" "/var/lib/libvirt");
+	DISABLE_COW=("/var/lib/docker" "/var/lib/containers" "/volumes" "/var/lib/mysql" "/var/lib/libvirt")
-	for i in "${DISABLE_COW[@]}"
-	do
-		chattr -R +C $i
-	done
+	for i in "${DISABLE_COW[@]}"; do
+		chattr -R +C $i
+	done
 }
-
 custom_service_files() {
 	echo "systemctl set-default graphical.target" >>$TARGET/setup.sh
-	
+
 	echo "[Unit]" >$TARGET/etc/systemd/system/powertop.service
 	echo "Description=Powertop tunings" >>$TARGET/etc/systemd/system/powertop.service
 	echo "[Service]" >>$TARGET/etc/systemd/system/powertop.service
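Review bot: setup_script() copies this file into the target with `cp -f debian.sh $TARGET/usr/bin/`, and the file embeds USER_PASSWORD, DISK_PASSWORD and ROOT_PASSWORD in clear text (its own header asks the user to set them); cp creates the copy with the source mode masked by umask, which for this 100755 file is 0755, so the secrets — including the passphrase that unlocks the root LUKS volume — become readable by every local account on the installed system, and removing the `chmod +x` line does not change that. Tighten the copy, `install -m 0700 debian.sh $TARGET/usr/bin/debian.sh`, since both the apt Post-Invoke hook and setup.sh run it as root anyway, or better, strip the credential assignments from the installed copy. In bootloader(), the `GRUB_CMDLINE_LINUX=cryptdevice=... root=... rootflags=... mitigations=-off` line is written unquoted; /etc/default/grub is sourced as shell, so only `cryptdevice=...` lands in GRUB_CMDLINE_LINUX and the remaining words become separate shell variables — write the value as `GRUB_CMDLINE_LINUX=\"...\"` and note that `mitigations=-off` is not the kernel's spelling (`mitigations=off`). setup_script() continues past the hunk.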
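Review bot: The new guard in partitions() references `$ROOT_MAPPER`, but the variable defined in the configuration block and used by every other hunk in this diff is `ROOT_MAPPER_NAME`; unless ROOT_MAPPER is set somewhere outside this view, `cryptsetup open ${BTRFS} ` runs with no mapping name and fails, `[[ -f "/dev/mapper/" ]]` is false, and the function always takes the abort branch. Even with the right name, `-f` tests for a regular file while /dev/mapper/<name> is a symlink to a block device, so the check would still fail; use `-b`, i.e. `if [[ -b "/dev/mapper/$ROOT_MAPPER_NAME" ]]; then`. Checking `cryptsetup open`'s exit status directly (`... || exit 1`) is simpler than probing the node afterwards and also covers a wrong passphrase.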
@@ -415,27 +431,25 @@ custom_service_files() {
 }
 services() {
-	for i in "${SERVICES[@]}"
-	do
-		echo "systemctl enable $i" >>$TARGET/setup.sh
-	done
+	for i in "${SERVICES[@]}"; do
+		echo "systemctl enable $i" >>$TARGET/setup.sh
+	done
 }
-server-config(){
+server-config() {
 	cp -f ./smb.conf /etc/samba/
 	cp- f ./minidlna.conf /etc/
 	cp -f ./99-sysctl.conf /etc/sysctl.d/
 	cp -f *.service /etc/systemd/system/
 	cp -f exports /etc/
-	crontab > crontab
+	crontab >crontab
+
+	SERVICES+=(minidlna vip containers pmie pmielogger nfs-server.service exim4 cockpit.socket redis-server smbd)
+	for i in "${SERVICES[@]}"; do
+		systemctl enable $i
+	done
-	SERVICES+=( minidlna vip containers pmie pmielogger nfs-server.service exim4 cockpit.socket redis-server smbd);
-	for i in "${SERVICES[@]}"
-	do
-		systemctl enable $i
-	done
-
 	systemctl mask apparmor
 	systemctl disable --now exim4
 	systemctl mask exim4
@@ -446,7 +460,6 @@ server-config(){
 	apt autoremove -y
 }
-
 initialize-disk() {
 	parted /dev/$HARD_DISK mklabel gpt
 	parted /dev/$HARD_DISK mkpart primary fat32 1MiB 200MiB
@@ -454,7 +467,7 @@ initialize-disk() {
 	parted /dev/$HARD_DISK set 1 esp on
 	parted /dev/$HARD_DISK mkpart P2 ext3 700MiB 100%
 	printf "$DISK_PASSWORD\n$DISK_PASSWORD" | cryptsetup luksFormat ${BTRFS}
-	printf "$DISK_PASSWORD" | cryptsetup open ${BTRFS} $ROOT_MAPPER_NAME 
+	printf "$DISK_PASSWORD" | cryptsetup open ${BTRFS} $ROOT_MAPPER_NAME
 	echo
 	echo "Formatting....."
 	echo y | mkfs.btrfs /dev/mapper/$ROOT_MAPPER_NAME --force
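Review bot: The relocated loop in server-config() enables every entry of SERVICES, and the list it has just appended contains `exim4`, yet four lines later the function runs `systemctl disable --now exim4` and `systemctl mask exim4`; enable-then-mask is contradictory and hides the intent, so drop `exim4` from the `SERVICES+=( ... )` line. Two context lines above the loop were left untouched by the reformat but do not work as written: `cp- f ./minidlna.conf /etc/` is a typo for `cp -f`, and `crontab >crontab` runs `crontab` with no file argument, which reads a replacement crontab from stdin — presumably `crontab crontab` (install the shipped file) was meant; confirm. Both `$i` expansions in this hunk should be quoted as `"$i"`.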