Prototype-X · August 20, 2023 19:40
diff --git a/firstboot.sh.erb b/firstboot.sh.erb
 #!/bin/sh

 # set hostname
 echo <%= hostname %> > /etc/hostname
 /etc/init.d/hostname.sh

 # Set up networking
 cat > /etc/network/interfaces << EOF
 # The loopback network interface
 auto lo
 iface lo inet loopback

 # The primary network interface
 auto eth0
 iface eth0 inet static
 address 10.100.0.<%= ip_suffix %>
 netmask 255.255.255.0
 gateway 10.100.0.1
 dns-nameservers 10.100.0.11 10.100.2.11
 dns-search int.mtak.nl

 iface eth0 inet6 static
 address 2001:470:7927::<%= ip_suffix %>
 netmask 64
 gateway 2001:470:7927::1
 EOF

 cat > /etc/resolv.conf << EOF
 domain int.mtak.nl
 search int.mtak.nl
 nameserver 10.100.0.11
 nameserver 10.100.2.11
 EOF
 ifdown eth0 
 ifup eth0

 # Set up MOTD
 cat > /etc/motd << EOF
 THIS IS A PRIVATE COMPUTER SYSTEM. Unauthorized access prohibited.
 EOF

 # Set up sudoers
 cat >> /etc/sudoers << EOF
 mtak	ALL=(ALL) NOPASSWD: ALL
 EOF

 # Set up mail relaying

 # System settings
 update-alternatives --set editor /usr/bin/vim.tiny
 cp /etc/locale.gen /etc/locale.gen.orig
 cat > /etc/locale.gen << EOF
 en_US ISO-8859-1
 nl_NL.UTF-8 UTF-8
 EOF
 locale-gen

 # TODO: upgrade to ldap+kerberos realm INT.MTAK.NL
 # Set up SSH key for mtak
 mkdir -p /home/mtak/.ssh
 echo 'ssh-rsa AAAAB3Nz6nTkZGXMchiG0K4aNp5MiZguDs9o8CiwnZhm9Nmz4Tcyg7j/6y1T7iZehaLeC0MCsUGVwBqYX8c= mtak@fs1' >> /home/mtak/.ssh/authorized_keys
 chown -R mtak: /home/mtak
 chmod 700 /home/mtak/.ssh
 chmod 600 /home/mtak/.ssh/authorized_keys

 # Set up Postfix
 cat > /etc/mailname << EOF
 <%= hostname %>.int.mtak.nl
 EOF

 cat > /etc/postfix/main.cf << EOF
 myorigin = /etc/mailname

 smtpd_banner = $myhostname ESMTP $mail_name
 biff = no
 append_dot_mydomain = no
 readme_directory = no

 smtpd_use_tls=no

 myhostname = <%= hostname %>.int.mtak.nl
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 mydestination = <%= hostname %>.int.mtak.nl, localhost.int.mtak.nl, localhost
 relayhost = smtp.int.mtak.nl
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 mailbox_command = procmail -a "$EXTENSION"
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all
 EOF

 #
 # End of script
 #
 # Remove our firstboot service so that it won't run again
 update-rc.d firstboot remove
 rm /etc/init.d/firstboot /root/firstboot

 # Reboot into the new kernel
 /sbin/reboot
diff --git a/generate_preseed.rb b/generate_preseed.rb
 #!/usr/bin/env ruby

 require 'erb'

 if ARGV.count != 1
 	puts "Error, no hostname specified"
 	puts "Usage: #{$0} hostname"
 	exit 1
 end

 hostname = ARGV[0]

 dig_output = `dig -t A #{hostname}.int.mtak.nl @10.100.0.11 +short`
 if dig_output.nil? || dig_output.length == 0 
 	puts "No DNS entry found for #{hostname}.int.mtak.nl"
 	exit 1
 end

 dig_output =~ /^(\d*)\.(\d*)\.(\d*)\.(\d*)$/
 ip_suffix = $4

 preseed_template = File.read("preseed.erb")
 template = ERB.new(preseed_template)
 erb_output = template.result(binding)
 File.write("#{hostname}_preseed.cfg", erb_output)

 postinstall_template = File.read("postinstall.sh.erb")
 postinstall = ERB.new(postinstall_template)
 erb_output = postinstall.result(binding)
 File.write("#{hostname}_postinstall.sh", erb_output)

 firstboot_template = File.read("firstboot.sh.erb")
 firstboot = ERB.new(firstboot_template)
 erb_output = firstboot.result(binding)
 File.write("#{hostname}_firstboot.sh", erb_output)

 puts "Preseed file at http://gen1.int.mtak.nl/mtak/preseed/#{hostname}_preseed.cfg"
diff --git a/postinstall.sh.erb b/postinstall.sh.erb
 #!/bin/sh

 # grab our firstboot script
 /usr/bin/curl -o /root/firstboot http://gen1.int.mtak.nl/mtak/preseed/<%= hostname %>_firstboot.sh
 chmod +x /root/firstboot

 # create a service that will run our firstboot script
 cat > /etc/init.d/firstboot << EOF
 ### BEGIN INIT INFO
 # Provides:        firstboot
 # Required-Start:  $networking
 # Required-Stop:   $networking
 # Default-Start:   2 3 4 5
 # Default-Stop:    0 1 6
 # Short-Description: A script that runs once
 # Description: A script that runs once
 ### END INIT INFO

 cd /root ; /usr/bin/nohup sh -x /root/firstboot &


 EOF

 # install the firstboot service
 chmod +x /etc/init.d/firstboot
 update-rc.d firstboot defaults

 echo "finished postinst"
diff --git a/preseed.erb b/preseed.erb
 # Contents of the preconfiguration file (for wheezy)
 # Localization
 d-i debian-installer/locale string en_US
 d-i keymap select us


 # Static network configuration.
 # IPv4 example
 d-i netcfg/choose_interface select auto
 #d-i netcfg/ipaddress string 10.100.0.<%= ip_suffix %>
 #d-i netcfg/netmask string 255.255.255.0
 #d-i netcfg/gateway string 10.100.0.1
 #d-i netcfg/nameservers string 10.100.0.11 10.100.2.11
 #d-i netcfg/confirm_static boolean true
 #d-i netcfg/disable_dhcp boolean true

 # IPv6 example
 #d-i netcfg/get_ipaddress string 2001:470:7927::<%= ip_suffix %>
 #d-i netcfg/get_netmask string ffff:ffff:ffff:ffff::
 #d-i netcfg/get_gateway string 2001:470:7927::1
 #d-i netcfg/get_nameservers string 2001:470:7927::11
 #d-i netcfg/confirm_static boolean true

 d-i netcfg/get_hostname string <%= hostname %>
 d-i netcfg/get_hostname seen true
 d-i netcfg/get_domain string int.mtak.nl
 d-i netcfg/get_domain seen true

 # If you want to force a hostname, regardless of what either the DHCP
 # server returns or what the reverse DNS entry for the IP is, uncomment
 # and adjust the following line.
 d-i netcfg/hostname string <%= hostname %>

 ### Mirror settings
 # If you select ftp, the mirror/country string does not need to be set.
 #d-i mirror/protocol string ftp
 d-i mirror/country string manual
 d-i mirror/http/hostname string ftp.nluug.nl
 d-i mirror/http/directory string /pub/os/Linux/distr/debian/
 d-i mirror/http/proxy string

 ### Account setup
 d-i passwd/root-password-crypted password <some-enc_hash>

 # To create a normal user account.
 d-i passwd/user-fullname string mtak
 d-i passwd/username string mtak
 d-i passwd/user-password-crypted password <some-enc_hash>

 # The user account will be added to some standard initial groups. To
 # override that, use this.
 #d-i passwd/user-default-groups string audio cdrom video

 ### Clock and time zone setup
 # Controls whether or not the hardware clock is set to UTC.
 d-i clock-setup/utc boolean true

 # You may set this to any valid setting for $TZ; see the contents of
 # /usr/share/zoneinfo/ for valid values.
 d-i time/zone string Europe/Amsterdam

 # Controls whether to use NTP to set the clock during the install
 d-i clock-setup/ntp boolean true
 # NTP server to use. The default is almost always fine here.
 d-i clock-setup/ntp-server string 0.nl.pool.ntp.org

 # Disk stuff
 d-i partman-auto/method string lvm
 d-i partman-lvm/device_remove_lvm boolean true
 d-i partman-md/device_remove_md boolean true
 d-i partman-lvm/confirm boolean true
 d-i partman-lvm/confirm_nooverwrite boolean true
 d-i partman-auto/choose_recipe select atomic

 d-i partman-partitioning/confirm_write_new_label boolean true
 d-i partman/choose_partition select finish
 d-i partman/confirm boolean true
 d-i partman/confirm_nooverwrite boolean true

 d-i partman-md/confirm boolean true
 d-i partman-partitioning/confirm_write_new_label boolean true
 d-i partman/choose_partition select finish
 d-i partman/confirm boolean true
 d-i partman/confirm_nooverwrite boolean true


 ### Package selection
 tasksel tasksel/first multiselect standard
 # If the desktop task is selected, install the kde and xfce desktops
 # instead of the default gnome desktop.
 #tasksel tasksel/desktop multiselect kde, xfce

 # Individual additional packages to install
 d-i pkgsel/include string openssh-server build-essential curl sudo postfix
 # Whether to upgrade packages after debootstrap.
 # Allowed values: none, safe-upgrade, full-upgrade
 d-i pkgsel/upgrade select full-upgrade

 # Some versions of the installer can report back on what software you have
 # installed, and what software you use. The default is not to report back,
 # but sending reports helps the project determine what software is most
 # popular and include it on CDs.
 #popularity-contest popularity-contest/participate boolean false

 ### Finishing up the installation
 # During installations from serial console, the regular virtual consoles
 # (VT1-VT6) are normally disabled in /etc/inittab. Uncomment the next
 # line to prevent this.
 #d-i finish-install/keep-consoles boolean true

 # Avoid that last message about the install being complete.
 d-i finish-install/reboot_in_progress note

 # This will prevent the installer from ejecting the CD during the reboot,
 # which is useful in some situations.
 #d-i cdrom-detect/eject boolean false

 # This is how to make the installer shutdown when finished, but not
 # reboot into the installed system.
 #d-i debian-installer/exit/halt boolean true
 # This will power off the machine instead of just halting it.
 #d-i debian-installer/exit/poweroff boolean true

 ### Preseeding other packages
 # Depending on what software you choose to install, or if things go wrong
 # during the installation process, it's possible that other questions may
 # be asked. You can preseed those too, of course. To get a list of every
 # possible question that could be asked during an install, do an
 # installation, and then run these commands:
 #   debconf-get-selections --installer > file
 #   debconf-get-selections >> file


 #### Advanced options
 ### Running custom commands during the installation
 # d-i preseeding is inherently not secure. Nothing in the installer checks
 # for attempts at buffer overflows or other exploits of the values of a
 # preconfiguration file like this one. Only use preconfiguration files from
 # trusted locations! To drive that home, and because it's generally useful,
 # here's a way to run any shell command you'd like inside the installer,
 # automatically.

 # This first command is run as early as possible, just after
 # preseeding is read.
 #d-i preseed/early_command string anna-install some-udeb
 # This command is run immediately before the partitioner starts. It may be
 # useful to apply dynamic partitioner preseeding that depends on the state
 # of the disks (which may not be visible when preseed/early_command runs).
 #d-i partman/early_command \
 #       string debconf-set partman-auto/disk "$(list-devices disk | head -n1)"
 # This command is run just before the install finishes, but when there is
 # still a usable /target directory. You can chroot to /target and use it
 # directly, or use the apt-install and in-target commands to easily install
 # packages and run commands in the target system.

 d-i preseed/late_command string chroot /target sh -c "/usr/bin/curl -o /tmp/postinstall http://gen1.int.mtak.nl/mtak/preseed/<%= hostname %>_postinstall.sh && /bin/sh -x /tmp/postinstall"
	#!/bin/sh

	# set hostname
	echo <%= hostname %> > /etc/hostname
	/etc/init.d/hostname.sh

	# Set up networking
	cat > /etc/network/interfaces << EOF
	# The loopback network interface
	auto lo
	iface lo inet loopback

	# The primary network interface
	auto eth0
	iface eth0 inet static
	address 10.100.0.<%= ip_suffix %>
	netmask 255.255.255.0
	gateway 10.100.0.1
	dns-nameservers 10.100.0.11 10.100.2.11
	dns-search int.mtak.nl

	iface eth0 inet6 static
	address 2001:470:7927::<%= ip_suffix %>
	netmask 64
	gateway 2001:470:7927::1
	EOF

	cat > /etc/resolv.conf << EOF
	domain int.mtak.nl
	search int.mtak.nl
	nameserver 10.100.0.11
	nameserver 10.100.2.11
	EOF
	ifdown eth0
	ifup eth0

	# Set up MOTD
	cat > /etc/motd << EOF
	THIS IS A PRIVATE COMPUTER SYSTEM. Unauthorized access prohibited.
	EOF

	# Set up sudoers
	cat >> /etc/sudoers << EOF
	mtak ALL=(ALL) NOPASSWD: ALL
	EOF

	# Set up mail relaying

	# System settings
	update-alternatives --set editor /usr/bin/vim.tiny
	cp /etc/locale.gen /etc/locale.gen.orig
	cat > /etc/locale.gen << EOF
	en_US ISO-8859-1
	nl_NL.UTF-8 UTF-8
	EOF
	locale-gen

	# TODO: upgrade to ldap+kerberos realm INT.MTAK.NL
	# Set up SSH key for mtak
	mkdir -p /home/mtak/.ssh
	echo 'ssh-rsa AAAAB3Nz6nTkZGXMchiG0K4aNp5MiZguDs9o8CiwnZhm9Nmz4Tcyg7j/6y1T7iZehaLeC0MCsUGVwBqYX8c= mtak@fs1' >> /home/mtak/.ssh/authorized_keys
	chown -R mtak: /home/mtak
	chmod 700 /home/mtak/.ssh
	chmod 600 /home/mtak/.ssh/authorized_keys

	# Set up Postfix
	cat > /etc/mailname << EOF
	<%= hostname %>.int.mtak.nl
	EOF

	cat > /etc/postfix/main.cf << EOF
	myorigin = /etc/mailname

	smtpd_banner = $myhostname ESMTP $mail_name
	biff = no
	append_dot_mydomain = no
	readme_directory = no

	smtpd_use_tls=no

	myhostname = <%= hostname %>.int.mtak.nl
	alias_maps = hash:/etc/aliases
	alias_database = hash:/etc/aliases
	mydestination = <%= hostname %>.int.mtak.nl, localhost.int.mtak.nl, localhost
	relayhost = smtp.int.mtak.nl
	mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
	mailbox_command = procmail -a "$EXTENSION"
	mailbox_size_limit = 0
	recipient_delimiter = +
	inet_interfaces = all
	EOF

	#
	# End of script
	#
	# Remove our firstboot service so that it won't run again
	update-rc.d firstboot remove
	rm /etc/init.d/firstboot /root/firstboot

	# Reboot into the new kernel
	/sbin/reboot
	#!/usr/bin/env ruby

	require 'erb'

	if ARGV.count != 1
	puts "Error, no hostname specified"
	puts "Usage: #{$0} hostname"
	exit 1
	end

	hostname = ARGV[0]

	dig_output = `dig -t A #{hostname}.int.mtak.nl @10.100.0.11 +short`
	if dig_output.nil? \|\| dig_output.length == 0
	puts "No DNS entry found for #{hostname}.int.mtak.nl"
	exit 1
	end

	dig_output =~ /^(\d)\.(\d)\.(\d)\.(\d)$/
	ip_suffix = $4

	preseed_template = File.read("preseed.erb")
	template = ERB.new(preseed_template)
	erb_output = template.result(binding)
	File.write("#{hostname}_preseed.cfg", erb_output)

	postinstall_template = File.read("postinstall.sh.erb")
	postinstall = ERB.new(postinstall_template)
	erb_output = postinstall.result(binding)
	File.write("#{hostname}_postinstall.sh", erb_output)

	firstboot_template = File.read("firstboot.sh.erb")
	firstboot = ERB.new(firstboot_template)
	erb_output = firstboot.result(binding)
	File.write("#{hostname}_firstboot.sh", erb_output)

	puts "Preseed file at http://gen1.int.mtak.nl/mtak/preseed/#{hostname}_preseed.cfg"
	#!/bin/sh

	# grab our firstboot script
	/usr/bin/curl -o /root/firstboot http://gen1.int.mtak.nl/mtak/preseed/<%= hostname %>_firstboot.sh
	chmod +x /root/firstboot

	# create a service that will run our firstboot script
	cat > /etc/init.d/firstboot << EOF
	### BEGIN INIT INFO
	# Provides: firstboot
	# Required-Start: $networking
	# Required-Stop: $networking
	# Default-Start: 2 3 4 5
	# Default-Stop: 0 1 6
	# Short-Description: A script that runs once
	# Description: A script that runs once
	### END INIT INFO

	cd /root ; /usr/bin/nohup sh -x /root/firstboot &


	EOF

	# install the firstboot service
	chmod +x /etc/init.d/firstboot
	update-rc.d firstboot defaults

	echo "finished postinst"
	# Contents of the preconfiguration file (for wheezy)
	# Localization
	d-i debian-installer/locale string en_US
	d-i keymap select us


	# Static network configuration.
	# IPv4 example
	d-i netcfg/choose_interface select auto
	#d-i netcfg/ipaddress string 10.100.0.<%= ip_suffix %>
	#d-i netcfg/netmask string 255.255.255.0
	#d-i netcfg/gateway string 10.100.0.1
	#d-i netcfg/nameservers string 10.100.0.11 10.100.2.11
	#d-i netcfg/confirm_static boolean true
	#d-i netcfg/disable_dhcp boolean true

	# IPv6 example
	#d-i netcfg/get_ipaddress string 2001:470:7927::<%= ip_suffix %>
	#d-i netcfg/get_netmask string ffff:ffff:ffff:ffff::
	#d-i netcfg/get_gateway string 2001:470:7927::1
	#d-i netcfg/get_nameservers string 2001:470:7927::11
	#d-i netcfg/confirm_static boolean true

	d-i netcfg/get_hostname string <%= hostname %>
	d-i netcfg/get_hostname seen true
	d-i netcfg/get_domain string int.mtak.nl
	d-i netcfg/get_domain seen true

	# If you want to force a hostname, regardless of what either the DHCP
	# server returns or what the reverse DNS entry for the IP is, uncomment
	# and adjust the following line.
	d-i netcfg/hostname string <%= hostname %>

	### Mirror settings
	# If you select ftp, the mirror/country string does not need to be set.
	#d-i mirror/protocol string ftp
	d-i mirror/country string manual
	d-i mirror/http/hostname string ftp.nluug.nl
	d-i mirror/http/directory string /pub/os/Linux/distr/debian/
	d-i mirror/http/proxy string

	### Account setup
	d-i passwd/root-password-crypted password <some-enc_hash>

	# To create a normal user account.
	d-i passwd/user-fullname string mtak
	d-i passwd/username string mtak
	d-i passwd/user-password-crypted password <some-enc_hash>

	# The user account will be added to some standard initial groups. To
	# override that, use this.
	#d-i passwd/user-default-groups string audio cdrom video

	### Clock and time zone setup
	# Controls whether or not the hardware clock is set to UTC.
	d-i clock-setup/utc boolean true

	# You may set this to any valid setting for $TZ; see the contents of
	# /usr/share/zoneinfo/ for valid values.
	d-i time/zone string Europe/Amsterdam

	# Controls whether to use NTP to set the clock during the install
	d-i clock-setup/ntp boolean true
	# NTP server to use. The default is almost always fine here.
	d-i clock-setup/ntp-server string 0.nl.pool.ntp.org

	# Disk stuff
	d-i partman-auto/method string lvm
	d-i partman-lvm/device_remove_lvm boolean true
	d-i partman-md/device_remove_md boolean true
	d-i partman-lvm/confirm boolean true
	d-i partman-lvm/confirm_nooverwrite boolean true
	d-i partman-auto/choose_recipe select atomic

	d-i partman-partitioning/confirm_write_new_label boolean true
	d-i partman/choose_partition select finish
	d-i partman/confirm boolean true
	d-i partman/confirm_nooverwrite boolean true

	d-i partman-md/confirm boolean true
	d-i partman-partitioning/confirm_write_new_label boolean true
	d-i partman/choose_partition select finish
	d-i partman/confirm boolean true
	d-i partman/confirm_nooverwrite boolean true


	### Package selection
	tasksel tasksel/first multiselect standard
	# If the desktop task is selected, install the kde and xfce desktops
	# instead of the default gnome desktop.
	#tasksel tasksel/desktop multiselect kde, xfce

	# Individual additional packages to install
	d-i pkgsel/include string openssh-server build-essential curl sudo postfix
	# Whether to upgrade packages after debootstrap.
	# Allowed values: none, safe-upgrade, full-upgrade
	d-i pkgsel/upgrade select full-upgrade

	# Some versions of the installer can report back on what software you have
	# installed, and what software you use. The default is not to report back,
	# but sending reports helps the project determine what software is most
	# popular and include it on CDs.
	#popularity-contest popularity-contest/participate boolean false

	### Finishing up the installation
	# During installations from serial console, the regular virtual consoles
	# (VT1-VT6) are normally disabled in /etc/inittab. Uncomment the next
	# line to prevent this.
	#d-i finish-install/keep-consoles boolean true

	# Avoid that last message about the install being complete.
	d-i finish-install/reboot_in_progress note

	# This will prevent the installer from ejecting the CD during the reboot,
	# which is useful in some situations.
	#d-i cdrom-detect/eject boolean false

	# This is how to make the installer shutdown when finished, but not
	# reboot into the installed system.
	#d-i debian-installer/exit/halt boolean true
	# This will power off the machine instead of just halting it.
	#d-i debian-installer/exit/poweroff boolean true

	### Preseeding other packages
	# Depending on what software you choose to install, or if things go wrong
	# during the installation process, it's possible that other questions may
	# be asked. You can preseed those too, of course. To get a list of every
	# possible question that could be asked during an install, do an
	# installation, and then run these commands:
	# debconf-get-selections --installer > file
	# debconf-get-selections >> file


	#### Advanced options
	### Running custom commands during the installation
	# d-i preseeding is inherently not secure. Nothing in the installer checks
	# for attempts at buffer overflows or other exploits of the values of a
	# preconfiguration file like this one. Only use preconfiguration files from
	# trusted locations! To drive that home, and because it's generally useful,
	# here's a way to run any shell command you'd like inside the installer,
	# automatically.

	# This first command is run as early as possible, just after
	# preseeding is read.
	#d-i preseed/early_command string anna-install some-udeb
	# This command is run immediately before the partitioner starts. It may be
	# useful to apply dynamic partitioner preseeding that depends on the state
	# of the disks (which may not be visible when preseed/early_command runs).
	#d-i partman/early_command \
	# string debconf-set partman-auto/disk "$(list-devices disk \| head -n1)"
	# This command is run just before the install finishes, but when there is
	# still a usable /target directory. You can chroot to /target and use it
	# directly, or use the apt-install and in-target commands to easily install
	# packages and run commands in the target system.

	d-i preseed/late_command string chroot /target sh -c "/usr/bin/curl -o /tmp/postinstall http://gen1.int.mtak.nl/mtak/preseed/<%= hostname %>_postinstall.sh && /bin/sh -x /tmp/postinstall"