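#!/bin/bash
########################
# What this script is:
#
# An automatic installer for Debian Stable with BTRFS, snapshots, and
# full-disk encryption (LUKS).
#
# INSTRUCTIONS
#
# For new disk installs, initialize the disk to set up encryption and partitions:
#   ./debian.sh initialize nvme0n1      (DO NOT SPECIFY /dev/ !)
#
# Before running the install, ensure that you have Internet access. With SSID and
# WIRELESS_PASSWORD set in the environment you can connect with:
#   ./debian.sh wifi
#
# Secrets (DISK_PASSWORD, ROOT_PASSWORD, USER_PASSWORD, WIRELESS_PASSWORD) are
# read from the environment and are no longer stored in this file; a step that
# needs one refuses to run while it is empty. Set them in the calling shell, e.g.
#   read -rs DISK_PASSWORD && export DISK_PASSWORD
# (so they do not end up in shell history or in the copy of this script that is
# placed on the installed system).
#
# To install/reinstall the OS:
#   ./debian.sh install nvme0n1
#
# reboot
########################
# Strict mode is deliberately NOT enabled: several steps are best-effort across
# an Arch or Debian live host (pacman/apt, optional units) and must not abort the
# install. Critical steps are checked explicitly with "|| die".
set -o pipefail

#Configure this section
########################
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export DEBIAN_FRONTEND=noninteractive
readonly TARGET='/install'

# Absolute path of this script and its directory: the helper files
# (debian.tar, etc/*, systemd/*) are looked up next to the script instead of
# relative to the caller's working directory.
SCRIPT_SELF=$(readlink -f -- "$0" 2>/dev/null || printf '%s' "$0")
SCRIPT_DIR=$(dirname -- "$SCRIPT_SELF")
######################################
# Disk name (without /dev/) given as the second argument of most commands.
# EFI/BOOT/BTRFS are derived lazily by resolve_disk(), so commands that do not
# need a disk (snapshot, wifi, help) never touch lsblk.
HARD_DISK=${2:-}
EFI=''
BOOT=''
BTRFS=''
ROOT_NAME='debian'
ROOT_MAPPER_NAME='root'
BACKUP_DISK='/dev/disk/by-uuid/727916c5-a526-47d8-8351-9a0479463738'
BACKUP_DISK_MAPPER='usb'
BACKUP_DISK_ROOT_NAME='usbdebian'
#BACKUP_DISK_IMAGES='/home/verita84/Nextcloud/backups'
# NOTE(review): this path is below $TARGET, i.e. it is only valid while the
# backup disk is mounted there (os-backup). os-restore mounts the *new* root at
# $TARGET before reading the image — confirm which location restore expects.
BACKUP_DISK_IMAGES="$TARGET/@$BACKUP_DISK_ROOT_NAME/var/backups/"
######################################
USER="verita84"
# Secrets come from the environment (see INSTRUCTIONS). Empty by default.
USER_PASSWORD="${USER_PASSWORD:-}"
ROOT_PASSWORD="${ROOT_PASSWORD:-}"
WIRELESS_PASSWORD="${WIRELESS_PASSWORD:-}"
SSID="${SSID:-}"
WIRELESS_INTERFACE='wlan0'
DISK_PASSWORD="${DISK_PASSWORD:-}"
COMPRESSION='compress=zlib:5'
DEBIAN_RELEASE='stable'
CURRENT_STABLE_NAME='bullseye'
# AUTO_DECRYPT=True stores a LUKS key file inside the initramfs on the
# unencrypted /boot partition so the root volume unlocks without a passphrase.
# Anyone with the disk can then read the key — set to anything else to be
# prompted for the passphrase at boot instead.
AUTO_DECRYPT='True'
# Extra kernel parameters appended to GRUB_CMDLINE_LINUX. Left empty on purpose:
# the previous value "mitigations=-off" was a typo the kernel ignores, and the
# spelled-correctly "mitigations=off" would disable CPU vulnerability mitigations.
KERNEL_EXTRA_CMDLINE=''
# Optional git ref (tag or commit) of grub-btrfs to check out; empty = default
# branch, as before. Pinning avoids building whatever HEAD happens to be.
GRUB_BTRFS_REF=''
FLATPAKS=(app/net.brinkervii.grapejuice org.kde.kdenlive)

#Packages
PACKAGES="
  minidlna libsecret-tools libglu1-mesa preload flatpak powertop blueman acpi
  neofetch cockpit cockpit-podman packagekit cockpit-packagekit cockpit-pcp
  cockpit-storaged redis
"
BASE_PACKAGES="
  cups apt-transport-https samba samba-common nfs-common nfs-kernel-server
  linux-cpupower locales zram-tools acpid podman ghostscript cifs-utils ntp
  vim-airline rsync screen base udev git network-manager efibootmgr
  linux-headers-amd64 cryptsetup network-manager-openvpn ntp screen docbook-xsl
  alsa-utils sysstat fuse3 build-essential unzip bash-completion parted
  dosfstools wget curl
"
SHARED_DESKTOP_APPS="
  gnome-software gnome-software-plugin-flatpak gnome-screenshot cinnamon lightdm
  shotwell rhythmbox firefox-esr yt-dlp keepassxc rssguard telegram-desktop gimp
  evolution nextcloud-desktop handbrake vlc libreoffice
"
#Removed for Debian Bullseye. Works on Bookworm
#REMOVED=" aardvark-dns podman-compose podman-toolbox "
# shellcheck disable=SC2034 — kept for manual use, not installed by default
VIRTUALIZATION=" virt-manager qemu-system libvirt-daemon-system ovmf cockpit-machines"
PACKAGES=$BASE_PACKAGES$PACKAGES$SHARED_DESKTOP_APPS
#PACKAGES=$BASE_PACKAGES
SERVICES=(powertop preload)

#######################################
# Small helpers
#######################################

# Print a message to stderr and exit 1.
die() {
  printf 'debian.sh: %s\n' "$*" >&2
  exit 1
}

# Print a bracketed progress banner (replaces the echo/echo "[...]"/echo pattern).
banner() {
  printf '\n[%s]\n\n' "$*"
}

#######################################
# Abort unless the named variable is non-empty.
# Arguments: $1 - variable name (e.g. DISK_PASSWORD)
#######################################
require_secret() {
  local name=$1
  if [[ -z "${!name}" ]]; then
    die "$name is not set; export it in the environment before running this step"
  fi
}

#######################################
# Derive EFI, BOOT and BTRFS from the disk's partition list.
# Globals:   HARD_DISK (read/written), EFI, BOOT, BTRFS (written)
# Arguments: $1 - disk name without /dev/ (optional, defaults to HARD_DISK)
# Partition order is fixed by initialize-disk: 1=EFI, 2=/boot, 3=LUKS (btrfs).
#######################################
resolve_disk() {
  local disk=${1:-$HARD_DISK}
  [[ -n "$disk" ]] || die "no disk given (use the name only, e.g. nvme0n1, not /dev/nvme0n1)"
  [[ -b "/dev/$disk" ]] || die "/dev/$disk is not a block device"
  local -a nodes
  # -l: flat list, -n: no header, NAME only. nodes[0] is the disk itself and
  # the partitions follow in on-disk order; an open mapper device comes after.
  mapfile -t nodes < <(lsblk -lno NAME "/dev/$disk")
  (( ${#nodes[@]} >= 4 )) || die "/dev/$disk needs three partitions (EFI, /boot, LUKS); run 'initialize' first"
  HARD_DISK=$disk
  EFI="/dev/${nodes[1]}"
  BOOT="/dev/${nodes[2]}"
  BTRFS="/dev/${nodes[3]}"
}

#######################################
# Open a LUKS device with DISK_PASSWORD from stdin.
# Arguments: $1 - block device, $2 - mapper name
# Returns:   cryptsetup's exit status
# The passphrase is passed as a printf *argument*, never as the format string,
# so a '%' in it cannot change what is sent.
#######################################
luks_open() {
  require_secret DISK_PASSWORD
  printf '%s' "$DISK_PASSWORD" | cryptsetup open "$1" "$2"
}

#######################################
# Run apt inside the target chroot with the given arguments.
# Each argument is passed as its own word, so the package lists above may
# contain newlines without breaking the command.
#######################################
chroot_apt() {
  chroot "$TARGET" /usr/bin/bash -c \
    'export DEBIAN_FRONTEND=noninteractive; exec /usr/bin/apt "$@"' apt "$@"
}

#######################################
# Enable automatic graphical login for $USER (gdm3 and lightdm, if present).
# Combined with AUTO_DECRYPT this means physical access to the machine yields
# a logged-in session.
#######################################
auto_login() {
  local gdm_conf="$TARGET/etc/gdm3/daemon.conf"
  local lightdm_conf="$TARGET/etc/lightdm/lightdm.conf"
  if [[ -f "$gdm_conf" ]]; then
    sed -i "/#WaylandEnable=false/a AutomaticLoginEnable=True" "$gdm_conf"
    sed -i "/^AutomaticLoginEnable=True/a AutomaticLogin=$USER" "$gdm_conf"
  fi
  if [[ -f "$lightdm_conf" ]]; then
    sed -i "s/#autologin-user=/autologin-user=$USER/" "$lightdm_conf"
    # The original expression had a trailing space after the last '/', which
    # sed rejects as an unknown option, so the timeout was never enabled.
    sed -i "s/#autologin-user-timeout=0/autologin-user-timeout=0/" "$lightdm_conf"
  fi
}

#######################################
# Archive the running system into $BACKUP_DISK_IMAGES/<name>.tgz.
# Arguments: $1 - backup name
#######################################
create-os-snapshots() {
  local name=$1
  [[ -n "$name" ]] || die "backup name required"
  local image="$BACKUP_DISK_IMAGES/$name.tgz"
  banner "Creating new snapshots....."
  #mkdir -p $TARGET/\@$BACKUP_DISK_MAPPER/var/backups
  time tar cvpzf "$image" \
    --exclude='/volumes/*' --exclude='/mnt/*' --exclude='/var/tmp/*' \
    --exclude='/tmp/*' --exclude='/raid/*' --exclude='/root/*' \
    --exclude='/var/cache/apt/archives/*' --exclude='/proc/*' \
    --exclude='/.snapshots/*' --exclude="$TARGET/*" \
    --exclude='/var/lib/libvirt/*' --exclude='/dev/*' --exclude='/sys/*' \
    --exclude='/home/*' --exclude=/var/lib/flatpak --exclude=/var/lib/postgresql \
    --exclude=/var/lib/containers /
  chown "$USER:$USER" "$image"
}

# Mirror /home onto the backup disk's @home subvolume (caches excluded).
homeBackup() {
  banner "Copying USER data...."
  rsync --progress -avz --delete /home/ \
    --exclude=.cache --exclude=.local/share/flatpak --exclude=.local/share/containers \
    "$TARGET/@home/"
}

#######################################
# Back up the running system to the encrypted backup disk.
# Arguments: $1 - backup name, $2 - "home" to also mirror /home
# The disk is unmounted and closed again on every exit path, including aborts.
#######################################
os-backup() {
  local name=$1
  local with_home=${2:-}
  [[ -n "$name" ]] || die "backup name required"
  umount "$TARGET"
  luks_open "$BACKUP_DISK" "$BACKUP_DISK_MAPPER"
  if [[ ! -e "/dev/mapper/$BACKUP_DISK_MAPPER" ]]; then
    die "Aborting Install, /dev/mapper/$BACKUP_DISK_MAPPER not found!"
  fi
  banner "Mounting....."
  mkdir -p "$TARGET"
  mount "/dev/mapper/$BACKUP_DISK_MAPPER" "$TARGET" || die "cannot mount /dev/mapper/$BACKUP_DISK_MAPPER"
  if [[ ! -e "$TARGET/@$BACKUP_DISK_ROOT_NAME/usr/bin/bash" ]]; then
    umount "$TARGET"
    cryptsetup close "$BACKUP_DISK_MAPPER"
    die "Aborting Install, $TARGET/@$BACKUP_DISK_ROOT_NAME/usr/bin/bash not found!"
  fi
  if [[ "$with_home" == "home" ]]; then
    homeBackup
  fi
  create-os-snapshots "$name"
  ls "$TARGET/"
  umount "$TARGET"
  cryptsetup close "$BACKUP_DISK_MAPPER"
}

#######################################
# Re-partition/format the target and unpack a backup image onto it.
# Arguments: $1 - disk, $2 - backup name, $3 - "home" to also copy /home
#######################################
os-restore() {
  local disk=$1
  local name=$2
  local with_home=${3:-}
  [[ -n "$name" ]] || die "backup name required"
  resolve_disk "$disk"
  partitions
  # ${TARGET:?} makes rm refuse to run against "/" if TARGET were ever empty.
  rm -rf -- "${TARGET:?}"/{usr,sbin,lib32,libx32,lib,bin,var,root,opt,etc,run} \
    "${TARGET:?}"/vmlinuz* "${TARGET:?}"/initrd*
  tar xfpv "$BACKUP_DISK_IMAGES/$name.tgz" -C "$TARGET/" || die "cannot unpack $name.tgz"
  if [[ "$with_home" == "home" ]]; then
    rsync -av --progress --delete /home/ "$TARGET/home/"
  fi
  fstab
  cp -f "$SCRIPT_SELF" "$TARGET/debian.sh"
  systemMounts
  chmod +x "$TARGET/debian.sh"
  chroot "$TARGET" /debian.sh bootloader "$disk"
  chroot "$TARGET" /debian.sh btrfs-tweaks
  rm -f "$TARGET/debian.sh"
  unmount
}

# Bind the host's /dev, /proc, /sys (and efivars) into the target for chroot.
systemMounts() {
  mount -o rbind /dev "$TARGET/dev"
  mount -o rbind /dev/pts "$TARGET/dev/pts"
  mount -o rbind /proc "$TARGET/proc"
  mount -o rbind /sys "$TARGET/sys"
  # Fails harmlessly on a BIOS host; grub-install needs it on UEFI.
  mount -t efivarfs none "$TARGET/sys/firmware/efi/efivars"
}

#######################################
# Replace the passphrase-only unlock with a key file embedded in the initramfs.
# Runs inside the installed system (called from bootloader when AUTO_DECRYPT).
# Globals: BTRFS (read), DISK_PASSWORD (read)
# Slot 0 is assumed to hold DISK_PASSWORD; slots 1-6 are cleared first so stale
# keys from previous installs do not keep working.
#######################################
decryptBoot() {
  local keyfile='keyfile.key'
  local keypath="/etc/$keyfile"
  require_secret DISK_PASSWORD
  banner "Setting LUKS to use Keyfile for password entry"
  banner "Clearing Old Keys"
  local slot
  for slot in 1 2 3 4 5 6; do
    printf '%s' "$DISK_PASSWORD" | cryptsetup luksKillSlot "$BTRFS" "$slot"
  done
  # Create the key under umask 077 so it is never world-readable, not even
  # between creation and the chmod below.
  (umask 077 && dd if=/dev/urandom of="$keypath" bs=1024 count=4) || die "cannot write $keypath"
  chown root:root "$keypath"
  chmod 0400 "$keypath"
  banner "Adding new key......"
  printf '%s' "$DISK_PASSWORD" | cryptsetup luksAddKey "$BTRFS" "$keypath" || die "luksAddKey failed"
  sed -i "s|none|$keypath|" /etc/crypttab
  printf 'KEYFILE_PATTERN="/etc/*.key"\n' >/etc/cryptsetup-initramfs/conf-hook
  # The initramfs image now contains the key; build it with a restrictive
  # umask so the image file itself is not world-readable.
  printf 'UMASK=0077\n' >/etc/initramfs-tools/conf.d/umask
}

# Add the VSCodium repository (signed-by keyring) and install codium.
install-vscode() {
  local keyring=/usr/share/keyrings/vscodium-archive-keyring.gpg
  wget -qO - https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/raw/master/pub.gpg \
    | gpg --dearmor -o "$keyring" || die "cannot fetch VSCodium signing key"
  printf 'deb [ signed-by=%s ] https://download.vscodium.com/debs vscodium main\n' "$keyring" \
    >/etc/apt/sources.list.d/vscodium.list
  apt update
  apt install -y codium
}

# Add the Element repository (signed-by keyring) and install element-desktop.
install-element() {
  local keyring=/usr/share/keyrings/element-io-archive-keyring.gpg
  wget -O "$keyring" https://packages.element.io/debian/element-io-archive-keyring.gpg \
    || die "cannot fetch Element signing key"
  printf 'deb [signed-by=%s] https://packages.element.io/debian/ default main\n' "$keyring" \
    >/etc/apt/sources.list.d/element-io.list
  apt update
  apt install -y element-desktop
}

additional-software() {
  install-element
  install-vscode
}

#######################################
# Write the target's sources.list, install PACKAGES and add the apt snapshot hook.
# Globals: DEBIAN_RELEASE, CURRENT_STABLE_NAME, PACKAGES, TARGET (read)
#######################################
configure-repository() {
  local sources="$TARGET/etc/apt/sources.list"
  echo 'force-unsafe-io' >"$TARGET/etc/dpkg/dpkg.cfg.d/docker-apt-speedup"
  if [[ "$DEBIAN_RELEASE" == "testing" ]]; then
    echo "deb https://deb.debian.org/debian $DEBIAN_RELEASE main contrib non-free non-free-firmware" >"$sources"
    chroot_apt update
    # shellcheck disable=SC2086 — PACKAGES is a whitespace-separated list
    chroot_apt install -y $PACKAGES
  else
    {
      echo "deb https://deb.debian.org/debian $DEBIAN_RELEASE main contrib non-free"
      echo "deb https://deb.debian.org/debian-security $DEBIAN_RELEASE-security main"
      echo "deb https://deb.debian.org/debian $DEBIAN_RELEASE-updates main "
      echo "deb https://deb.debian.org/debian $CURRENT_STABLE_NAME-backports main"
    } >"$sources"
    chroot_apt update
    # shellcheck disable=SC2086
    chroot_apt install -y $PACKAGES
    chroot_apt dist-upgrade -y -t "$CURRENT_STABLE_NAME-backports"
    chroot_apt auto-remove -y
  fi
  # Take a btrfs snapshot after every dpkg run (see snapshots()).
  echo 'DPkg::Post-Invoke {"/usr/bin/debian.sh snapshot";};' >"$TARGET/etc/apt/apt.conf"
}

#######################################
# Full install onto the given disk (must already be initialized).
# Arguments: $1 - disk name without /dev/
# NOTE: this function shadows the coreutils `install` command inside the script.
#######################################
install() {
  local disk=$1
  resolve_disk "$disk"
  mkdir -p "$TARGET"
  partitions
  # The live host may be Arch (pacman) or Debian (apt); use whichever exists
  # to obtain debootstrap.
  if command -v pacman >/dev/null; then
    # Disables package signature checks on the (throwaway) live host so a
    # stale ISO keyring does not block installing debootstrap.
    sed -i '/^SigLevel/s/^\(.*\)$/#\1\n/' /etc/pacman.conf
    sed -i '/#SigLevel/a SigLevel = Never' /etc/pacman.conf
    pacman -Sy archlinux-keyring debootstrap --noconfirm
  fi
  if command -v apt >/dev/null; then
    apt update
    apt install debootstrap -y
  fi
  command -v debootstrap >/dev/null || die "debootstrap is not available on this host"
  rm -rf /debootstrap
  debootstrap --arch amd64 "$DEBIAN_RELEASE" "$TARGET" https://deb.debian.org/debian \
    || die "debootstrap failed"
  systemMounts
  cp -f /etc/resolv.conf "$TARGET/etc/"
  # setup.sh collects the commands that must run inside the target; it will
  # contain account passwords, so keep it root-only until setup_script deletes it.
  (umask 077 && echo "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" >"$TARGET/setup.sh")
  configure-repository
  cp -f "$SCRIPT_DIR/debian.tar" "$TARGET/etc/default/"
  locale
  accounts
  auto_login
  custom_service_files
  services
  setup_script "$disk"
  printf 'ALGO=zstd\nPERCENT=60\n' >>"$TARGET/etc/default/zramswap"
  unmount
}

#######################################
# Desktop post-install: disable server units and remove unwanted packages.
# Runs inside the installed system.
# NOTE(review): SERVICES (powertop, preload) is included in the disable list,
# so units enabled by services() are disabled again here — verify intended.
# Purging apparmor and unattended-upgrades removes two hardening layers.
#######################################
desktop() {
  local -a to_disable=("${SERVICES[@]}" pmcd pmie pmlogger pmproxy exim4
    cockpit.socket redis-server apparmor nfs-server smbd rpcbind rpcbind.socket
    avahi-daemon bluetooth minidlna openvpn)
  local unit
  for unit in "${to_disable[@]}"; do
    systemctl disable --now "$unit"
  done
  apt -y purge apparmor
  apt remove -y unattended-upgrades chromium chromium-common chromium-sandbox \
    epiphany-browser epiphany-browser-data
  apt autoremove -y
}

# Snapshot / into /.snapshots/root-<timestamp> and refresh the grub menu.
snapshots() {
  local stamp
  stamp=$(date +%Y-%m-%d-%H-%M-%S)
  banner "Creating Snapshots....."
  btrfs sub snapshot / "/.snapshots/root-$stamp"
  update-grub
}

# Delete every snapshot and its boot entries.
remove-snapshots() {
  btrfs sub delete /.snapshots/*
  rm -f /boot/loader/entries/root-*
}

# Unlock and mount the installed system, then drop into a shell inside it.
enter_chroot() {
  resolve_disk
  luks_open "$BTRFS" "$ROOT_MAPPER_NAME"
  mounts
  systemMounts
  chroot "$TARGET" /bin/bash
}

# Add flathub for $USER and install FLATPAKS.
flatpaks() {
  flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
  local ref
  for ref in "${FLATPAKS[@]}"; do
    printf '%s\n' "$ref"
    flatpak install "$ref" -y
  done
}

# Build grub-btrfs from source (runs as root inside the installed system).
# Set GRUB_BTRFS_REF to pin the checkout instead of building an unpinned HEAD.
grub-snapshots() {
  cd /opt || die "cannot cd to /opt"
  git clone https://github.com/Antynea/grub-btrfs.git || die "git clone failed"
  cd /opt/grub-btrfs || die "cannot cd to /opt/grub-btrfs"
  if [[ -n "$GRUB_BTRFS_REF" ]]; then
    git checkout "$GRUB_BTRFS_REF" || die "cannot check out $GRUB_BTRFS_REF"
  fi
  make
}

# Reinstall kernel, firmware and boot-related packages for every installed
# module directory (the original broke with more than one /lib/modules entry).
kernel-packages() {
  local -a image_pkgs=()
  local moddir
  for moddir in /lib/modules/*/; do
    [[ -d "$moddir" ]] || continue
    moddir=${moddir%/}
    image_pkgs+=("linux-image-${moddir##*/}")
  done
  /usr/bin/apt install --reinstall -y "${image_pkgs[@]}" grub-efi efibootmgr \
    plymouth plymouth-themes btrfs-progs cryptsetup-initramfs linux-image-amd64 \
    linux-headers-amd64 firmware-iwlwifi firmware-linux firmware-linux-nonfree
}

#######################################
# Configure crypttab, initramfs, /etc/default/grub and install GRUB (UEFI).
# Runs inside the installed system with the disk name as $2 of the script.
# Globals: BTRFS, ROOT_MAPPER_NAME, ROOT_NAME, AUTO_DECRYPT, KERNEL_EXTRA_CMDLINE
#######################################
bootloader() {
  resolve_disk
  local luks_uuid
  # blkid -s UUID -o value prints only the filesystem/container UUID; the old
  # grep|cut pipeline picked a column that depends on the blkid output layout.
  luks_uuid=$(/sbin/blkid -s UUID -o value "$BTRFS")
  [[ -n "$luks_uuid" ]] || die "cannot read the LUKS UUID of $BTRFS"
  rm -rf /boot/grub/themes
  mkdir -p /boot/grub/themes
  tar xf /etc/default/debian.tar -C /boot/grub/themes/
  plymouth-set-default-theme -R spacefun
  printf '%s UUID=%s none luks\n' "$ROOT_MAPPER_NAME" "$luks_uuid" >/etc/crypttab
  if [[ "$AUTO_DECRYPT" == "True" ]]; then
    decryptBoot
  fi
  /sbin/update-initramfs -c -k all
  # grub-mkconfig derives root= and rootflags=subvol=@<name> from the mounted
  # root itself. The previous GRUB_CMDLINE_LINUX line was unquoted (so the
  # shell never assigned it) and carried Arch-only/malformed parameters; only
  # KERNEL_EXTRA_CMDLINE is passed through now.
  {
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"\n'
    printf 'GRUB_CMDLINE_LINUX="%s"\n' "$KERNEL_EXTRA_CMDLINE"
    printf 'GRUB_ENABLE_CRYPTODISK=y\n'
    printf 'GRUB_DISABLE_OS_PROBER=false\n'
    printf 'GRUB_THEME=/boot/grub/themes/theme.txt\n'
  } >/etc/default/grub
  /sbin/grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=debian
  /sbin/update-grub
}

#######################################
# Copy this script into the target, finish setup.sh and run it in the chroot.
# Arguments: $1 - disk name (forwarded to the bootloader step)
#######################################
setup_script() {
  local disk=$1
  local setup="$TARGET/setup.sh"
  cp -f "$SCRIPT_SELF" "$TARGET/usr/bin/debian.sh"
  # MODULES=dep builds an initramfs for this hardware only.
  sed -i 's/^MODULES=most/MODULES=dep/i' "$TARGET/etc/initramfs-tools/initramfs.conf"
  {
    echo 'bash /usr/bin/debian.sh kernel-packages'
    echo "bash /usr/bin/debian.sh bootloader $disk"
    echo 'bash /usr/bin/debian.sh grub-snapshots'
    echo 'bash /usr/bin/debian.sh desktop'
    echo 'bash /usr/bin/debian.sh additional-software'
    echo 'bash /usr/bin/debian.sh btrfs-tweaks'
  } >>"$setup"
  chmod +x "$TARGET/usr/bin/debian.sh"
  # setup.sh carries the account passwords written by accounts(): root-only.
  chmod 0700 "$setup"
  chroot "$TARGET" /setup.sh
  rm -f "$setup"
}

# Create the subvolume layout on the freshly formatted root and remount
# $TARGET at the @<ROOT_NAME> subvolume.
btrfs_filesystem() {
  local sub
  for sub in "@$ROOT_NAME" @.snapshots @libvirt @home @root @containers; do
    btrfs sub create "$TARGET/$sub"
  done
  banner "Binding BTRFS Root"
  umount "$TARGET"
  mount -o "$COMPRESSION,subvol=@$ROOT_NAME" "/dev/mapper/$ROOT_MAPPER_NAME" "$TARGET"
}

# Mount root subvolume, /boot, /boot/efi and @home under $TARGET.
mounts() {
  banner "Mounting......."
  mkdir -p "$TARGET"
  mount "/dev/mapper/$ROOT_MAPPER_NAME" "$TARGET" || die "cannot mount /dev/mapper/$ROOT_MAPPER_NAME"
  btrfs_filesystem
  mkdir -p "$TARGET/boot"
  mount -t ext4 "$BOOT" "$TARGET/boot" || die "cannot mount $BOOT"
  mkdir -p "$TARGET/boot/efi"
  mount "$EFI" "$TARGET/boot/efi" || die "cannot mount $EFI"
  #CONFIGURE DATA DIRS (HOME)
  mkdir -p "$TARGET/home"
  mount -o subvol=@home "/dev/mapper/$ROOT_MAPPER_NAME" "$TARGET/home"
}

# Tear down everything mounted under $TARGET and close the LUKS mapping.
unmount() {
  banner "Unmounting....."
  umount "$TARGET/proc"
  umount "$TARGET/dev"
  umount "$TARGET/sys"
  umount "$TARGET/boot"
  umount "$TARGET/home"
  umount -R "$TARGET"/*
  umount -R "$TARGET"
  umount -R "$TARGET"
  cryptsetup close "$ROOT_MAPPER_NAME"
}

# Queue timezone/locale setup in setup.sh.
locale() {
  {
    echo "ln -sf /usr/share/zoneinfo/US/Mountain /etc/localtime"
    echo "hwclock --systohc"
  } >>"$TARGET/setup.sh"
  echo "en_US.UTF-8 UTF-8" >"$TARGET/etc/locale.gen"
  echo "locale-gen" >>"$TARGET/setup.sh"
}

# Open the LUKS container, format EFI and /boot, mount everything, write fstab.
partitions() {
  resolve_disk
  banner "Setting Up Partitions....."
  luks_open "$BTRFS" "$ROOT_MAPPER_NAME"
  if [[ ! -e "/dev/mapper/$ROOT_MAPPER_NAME" ]]; then
    die "Aborting Install, /dev/mapper/$ROOT_MAPPER_NAME not found!"
  fi
  banner "Formatting $EFI"
  echo y | mkfs.vfat "$EFI"
  echo "Formatting $BOOT"
  echo y | mkfs.ext4 "$BOOT"
  mounts
  fstab
}

# Write the target's /etc/fstab from the real UUIDs of BOOT and EFI.
fstab() {
  local fstab_file="$TARGET/etc/fstab"
  local boot_uuid efi_uuid
  boot_uuid=$(/sbin/blkid -s UUID -o value "$BOOT")
  efi_uuid=$(/sbin/blkid -s UUID -o value "$EFI")
  [[ -n "$boot_uuid" && -n "$efi_uuid" ]] || die "cannot read UUIDs of $BOOT / $EFI"
  local root_dev="/dev/mapper/$ROOT_MAPPER_NAME"
  local opts="noatime,nodiratime,autodefrag,$COMPRESSION"
  mkdir -p "$TARGET/etc"
  {
    echo "UUID=$boot_uuid /boot ext4 defaults 0 1"
    echo "UUID=$efi_uuid /boot/efi vfat umask=0077 0 1"
    echo "$root_dev / btrfs $opts,subvol=@$ROOT_NAME 0 1"
    echo "$root_dev /.snapshots btrfs $opts,subvol=@.snapshots 0 1"
    echo "$root_dev /var/lib/libvirt btrfs $opts,subvol=@libvirt 0 1"
    echo "tmpfs /var/log tmpfs defaults 0 0"
    echo "tmpfs /var/tmp tmpfs defaults 0 0"
    echo "tmpfs /home/${USER}/.cache tmpfs rw,user,exec 0 0"
    echo "tmpfs /home/${USER}/Downloads tmpfs rw,user,exec 0 0"
    echo "$root_dev /home btrfs $opts,subvol=@home 0 1"
    echo "$root_dev /root btrfs $opts,subvol=@root 0 1"
    echo "$root_dev /var/lib/containers btrfs $opts,subvol=@containers 0 1"
  } >"$fstab_file"
}

#######################################
# Queue user/root account creation in setup.sh and grant sudo to $USER.
# Globals: USER, USER_PASSWORD, ROOT_PASSWORD, ROOT_NAME (read)
# The sudo rule goes into /etc/sudoers.d/ with mode 0440 instead of replacing
# /etc/sudoers with a 0644 file, which sudo refuses to load.
#######################################
accounts() {
  require_secret USER_PASSWORD
  require_secret ROOT_PASSWORD
  local setup="$TARGET/setup.sh"
  local sudoers_dir="$TARGET/etc/sudoers.d"
  banner "Set Password for $USER"
  {
    echo "useradd -m -s /bin/bash $USER"
    echo "echo \"$USER:$USER_PASSWORD\"| chpasswd "
    # 'wheel' does not exist on Debian; kept from the original, harmless.
    echo "gpasswd -a $USER wheel"
    echo "gpasswd -a $USER network"
    echo "gpasswd -a $USER video"
    echo "gpasswd -a $USER libvirt"
    echo "gpasswd -a $USER netdev"
  } >>"$setup"
  mkdir -p "$sudoers_dir"
  (umask 227 && printf '%s ALL=(ALL) ALL\nroot ALL=(ALL) ALL\n' "$USER" >"$sudoers_dir/90-installer")
  chmod 0440 "$sudoers_dir/90-installer"
  banner "Setting ROOT Password:"
  echo "echo \"root:$ROOT_PASSWORD\"| chpasswd " >>"$setup"
  echo "/usr/bin/hostnamectl set-hostname $ROOT_NAME" >>"$setup"
}

# Disable copy-on-write on directories holding VM images and databases.
# chattr +C only affects files created afterwards.
btrfs-tweaks() {
  local -a disable_cow=("/var/lib/docker" "/var/lib/containers" "/volumes" "/var/lib/mysql" "/var/lib/libvirt")
  local dir
  for dir in "${disable_cow[@]}"; do
    [[ -d "$dir" ]] || continue
    chattr -R +C "$dir"
  done
}

# Default to the graphical target and install a oneshot powertop unit.
custom_service_files() {
  echo "systemctl set-default graphical.target" >>"$TARGET/setup.sh"
  cat >"$TARGET/etc/systemd/system/powertop.service" <<'EOF'
[Unit]
Description=Powertop tunings
[Service]
Type=oneshot
ExecStart=/usr/sbin/powertop --auto-tune
[Install]
WantedBy=multi-user.target
EOF
}

# Queue "systemctl enable" for every entry of SERVICES in setup.sh.
services() {
  local unit
  for unit in "${SERVICES[@]}"; do
    echo "systemctl enable $unit" >>"$TARGET/setup.sh"
  done
}

#######################################
# Server profile: copy config files from next to the script, enable units,
# switch to multi-user.target. Runs inside the installed system.
#######################################
server-config() {
  cp -f "$SCRIPT_DIR/etc/smb.conf" /etc/samba/
  # Fixed: the original "cp- f" was a typo and never copied minidlna.conf.
  cp -f "$SCRIPT_DIR/etc/minidlna.conf" /etc/
  cp -f "$SCRIPT_DIR/etc/99-sysctl.conf" /etc/sysctl.d/
  cp -f "$SCRIPT_DIR"/systemd/*.service /etc/systemd/system/
  cp -f "$SCRIPT_DIR/etc/exports" /etc/
  # NOTE(review): kept verbatim — `crontab` with no file reads stdin, so this
  # looks like it was meant to be `crontab crontab` (install from file); confirm.
  crontab >crontab
  local -a to_enable=("${SERVICES[@]}" minidlna vip containers pmie pmielogger
    nfs-server.service exim4 cockpit.socket redis-server smbd)
  local unit
  for unit in "${to_enable[@]}"; do
    systemctl enable "$unit"
  done
  systemctl mask apparmor
  systemctl disable --now exim4
  systemctl mask exim4
  rm -f /etc/systemd/system/default.target
  ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
  systemctl isolate multi-user.target
  apt autoremove -y
}

#######################################
# DESTRUCTIVE: wipe the disk, create GPT + EFI/boot/LUKS partitions, format btrfs.
# Arguments: $1 - disk name without /dev/ (optional, defaults to HARD_DISK)
# Asks for confirmation unless FORCE_INITIALIZE=1 is set in the environment.
#######################################
initialize-disk() {
  local disk=${1:-$HARD_DISK}
  [[ -n "$disk" ]] || die "no disk given (e.g. nvme0n1, without /dev/)"
  [[ -b "/dev/$disk" ]] || die "/dev/$disk is not a block device"
  require_secret DISK_PASSWORD
  if [[ "${FORCE_INITIALIZE:-}" != "1" ]]; then
    local answer
    printf 'This will ERASE everything on /dev/%s. Type YES to continue: ' "$disk"
    IFS= read -r answer
    [[ "$answer" == "YES" ]] || die "aborted"
  fi
  parted "/dev/$disk" mklabel gpt
  parted "/dev/$disk" mkpart primary fat32 1MiB 200MiB
  parted "/dev/$disk" mkpart primary ext3 200MiB 700MiB
  parted "/dev/$disk" set 1 esp on
  parted "/dev/$disk" mkpart P2 ext3 700MiB 100%
  command -v udevadm >/dev/null && udevadm settle
  # The partition nodes exist only now, so resolve EFI/BOOT/BTRFS after parted
  # (the original computed them at startup, before a fresh disk had any).
  resolve_disk "$disk"
  printf '%s' "$DISK_PASSWORD" | cryptsetup luksFormat "$BTRFS" || die "luksFormat failed"
  luks_open "$BTRFS" "$ROOT_MAPPER_NAME" || die "cannot open $BTRFS"
  banner "Formatting....."
  echo y | mkfs.btrfs "/dev/mapper/$ROOT_MAPPER_NAME" --force
}

# Connect to the configured wireless network. iwctl only accepts the
# passphrase on its command line, so it is visible in the process list.
wifi() {
  require_secret WIRELESS_PASSWORD
  require_secret SSID
  iwctl --passphrase "$WIRELESS_PASSWORD" station "$WIRELESS_INTERFACE" connect "$SSID"
}

show-help() {
  echo
  echo "debian.sh arguments:"
  echo
  echo "./debian.sh install [disk]"
  echo "./debian.sh backup [device name] [home]"
  echo "./debian.sh restore [disk] [backup name] [home]"
  echo "./debian.sh chroot [disk]"
  echo "./debian.sh wifi"
  echo "./debian.sh bootloader [disk]"
  echo "./debian.sh initialize [disk]"
  echo "./debian.sh tar [disk]"
  echo "./debian.sh snapshot"
  echo "./debian.sh remove-snapshot"
  echo "./debian.sh btrfs-tweaks"
  echo
}

#######################################
# Command dispatcher. Unknown or missing commands print the help.
#######################################
main() {
  local cmd=${1:-}
  case "$cmd" in
    install) install "${2:-}" ;;
    desktop) desktop ;;
    tar) create-os-snapshots "${2:-}" ;;
    kernel-packages) kernel-packages ;;
    # The original dispatched to an undefined function here.
    upgrade-system) die "upgrade-system is not implemented" ;;
    additional-software) additional-software ;;
    chroot) enter_chroot ;;
    initialize) initialize-disk "${2:-}" ;;
    wifi) wifi ;;
    flatpaks) flatpaks ;;
    # bootloader reads the disk from HARD_DISK ($2); the original passed "$1".
    bootloader) bootloader ;;
    snapshot) snapshots ;;
    backup) os-backup "${2:-}" "${3:-}" ;;
    server-config) server-config ;;
    grub-snapshots) grub-snapshots ;;
    btrfs-tweaks) btrfs-tweaks ;;
    restore) os-restore "${2:-}" "${3:-}" "${4:-}" ;;
    remove-snapshot) remove-snapshots ;;
    *) show-help ;;
  esac
}

main "$@"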