authorclyhtsuriva <aimeric@adjutor.xyz>2025-01-31 22:50:59 +0100
committerclyhtsuriva <aimeric@adjutor.xyz>2025-01-31 22:50:59 +0100
commit97f55e590c58a3f252497df23bcec97c9352ff06 (patch)
treeaa82dfa885504b038cf431e9a9663aba5f0b6fb1 /packer/debian-server-bookworm
parentfc38318929e79cb8cea9e6b7baca1690e30cba8d (diff)
packer: use lvm, optimize and harden debian template
Diffstat (limited to 'packer/debian-server-bookworm')
-rw-r--r--packer/debian-server-bookworm/debian-server-bookworm.pkr.hcl3
-rw-r--r--packer/debian-server-bookworm/files/cloud.cfg61
-rw-r--r--packer/debian-server-bookworm/http/preseed.cfg19
3 files changed, 48 insertions, 35 deletions
diff --git a/packer/debian-server-bookworm/debian-server-bookworm.pkr.hcl b/packer/debian-server-bookworm/debian-server-bookworm.pkr.hcl
index bffea00..d91d308 100644
--- a/packer/debian-server-bookworm/debian-server-bookworm.pkr.hcl
+++ b/packer/debian-server-bookworm/debian-server-bookworm.pkr.hcl
@@ -57,13 +57,14 @@ source "proxmox-iso" "debian-server-bookworm-test-1" {
qemu_agent = true
# VM Hard Disk Settings
- scsi_controller = "virtio-scsi-pci"
+ scsi_controller = "virtio-scsi-single"
disks {
disk_size = "20G"
format = "raw"
storage_pool = "local-lvm"
type = "virtio"
+ iothread = true
}
# VM CPU Settings
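Review bot: The switch to `scsi_controller = "virtio-scsi-single"` and the new `iothread = true` depend on each other, but nothing in the hunk records that, so a later edit could revert one without the other. A comment above the controller line would make the coupling explicit, e.g. `# virtio-scsi-single is the controller the proxmox plugin expects when iothread is enabled`. As far as I recall the plugin refuses `iothread` with other controller types, so this is worth stating rather than leaving implicit. The enclosing `source` block continues outside the hunk.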
diff --git a/packer/debian-server-bookworm/files/cloud.cfg b/packer/debian-server-bookworm/files/cloud.cfg
index 29d451e..5a984b2 100644
--- a/packer/debian-server-bookworm/files/cloud.cfg
+++ b/packer/debian-server-bookworm/files/cloud.cfg
@@ -1,6 +1,12 @@
# The top level settings are used as module
# and system configuration.
+# A set of users which may be applied and/or used by various modules
+# when a 'default' entry is found it will reference the 'default_user'
+# from the distro configuration specified below
+users:
+ - default
+
# If this is set, 'root' will not be able to ssh in and they
# will get a message to login instead as the above $user (debian)
disable_root: true
@@ -36,38 +42,32 @@ cloud_init_modules:
cloud_config_modules:
# Emit the cloud config ready event
# this can be used by upstart jobs for 'start on cloud-config'.
- - emit_upstart
- - ssh-import-id
- - locale
- - set-passwords
- - grub-dpkg
- - apt-pipelining
- - apt-configure
- - ntp
- - timezone
- - disable-ec2-metadata
- - runcmd
- - byobu
+cloud_config_modules:
+ - emit_upstart
+ - ssh-import-id
+ - locale
+ - set-passwords
+ - grub-dpkg
+ - apt-pipelining
+ - apt-configure
+ - ntp
+ - timezone
+ - disable-ec2-metadata
+ - runcmd
+ - byobu
# The modules that run in the 'final' stage
cloud_final_modules:
- - package-update-upgrade-install
- - fan
- - puppet
- - chef
- - salt-minion
- - mcollective
- - rightscale_userdata
- - scripts-vendor
- - scripts-per-once
- - scripts-per-boot
- - scripts-per-instance
- - scripts-user
- - ssh-authkey-fingerprints
- - keys-to-console
- - phone-home
- - final-message
- - power-state-change
+ - package-update-upgrade-install
+ - scripts-vendor
+ - scripts-per-once
+ - scripts-per-boot
+ - scripts-per-instance
+ - scripts-user
+ - ssh-authkey-fingerprints
+ - keys-to-console
+ - final-message
+ - power-state-change
final_message: "The system is finally up, after $UPTIME seconds"
@@ -85,7 +85,8 @@ system_info:
sudo: ["ALL=(ALL) NOPASSWD:ALL"]
shell: /bin/bash
# Don't forget to add your public key here -- if you want. You can still add account after cloning thanks to Cloud-Init
- #ssh_authorized_keys:
+ ssh_authorized_keys:
+ - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCtB9NZgJMVovVR4foT0OOV9GdHeHZoPtK1TGko2W4wli/reKjpUYBhlSPWbaWD9WUbl0RRqdzkODy1fB001zxs= mas@TMV2
# Other config here will be given to the distro class and/or path classes
paths:
cloud_dir: /var/lib/cloud/
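Review bot: The second hunk leaves the new file with `cloud_config_modules:` twice: the original key survives as context directly above the comment block, and the added line `cloud_config_modules:` introduces it again before the module list. Most loaders silently keep the last mapping, so cloud-init will probably still see the list, but the first occurrence becomes a null-valued key and yamllint's key-duplicates check rejects the file; dropping the added `cloud_config_modules:` line and keeping the re-indented list under the original key fixes it. In the third hunk, the `ssh_authorized_keys` entry under `default_user` means every image cloned from this template trusts that one key for an account that the surrounding context grants passwordless sudo, which the existing comment does not quite convey; I would reword it to say this key is the template owner's and should be replaced or removed before the template is shared.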
diff --git a/packer/debian-server-bookworm/http/preseed.cfg b/packer/debian-server-bookworm/http/preseed.cfg
index 887dfd4..e5dd8c6 100644
--- a/packer/debian-server-bookworm/http/preseed.cfg
+++ b/packer/debian-server-bookworm/http/preseed.cfg
@@ -30,8 +30,11 @@ d-i mirror/http/directory string /debian/
d-i mirror/http/proxy string
d-i apt-setup/use_mirror boolean true
-### Partitioning (Use entire disk, no LVM, no swap)
-d-i partman-auto/method string regular
+### Partitioning (Use LVM, no swap)
+d-i partman-auto/method string lvm
+d-i partman-lvm/device_remove_lvm boolean true
+d-i partman-lvm/confirm boolean true
+d-i partman-auto-lvm/guided_size string max
d-i partman-auto/choose_recipe select atomic
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
@@ -51,9 +54,9 @@ d-i user-setup/encrypt-home boolean false
tasksel tasksel/first multiselect standard, ssh-server
### Install additional packages
-d-i pkgsel/include string openssh-server qemu-guest-agent sudo neovim tmux cloud-init
+d-i pkgsel/include string openssh-server qemu-guest-agent sudo cloud-init ufw
-### SSH setup (Disable password authentication, allow only SSH key)
+### Disable password authentication, allow only SSH key, clean up unnecessary packages, optimize and harden the system
d-i preseed/late_command string \
in-target mkdir -p /home/mas/.ssh && \
in-target chmod 700 /home/mas/.ssh && \
@@ -65,13 +68,21 @@ d-i preseed/late_command string \
in-target sed -i 's/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config && \
in-target sed -i 's|^#\?AuthorizedKeysFile.*|AuthorizedKeysFile %h/.ssh/authorized_keys|' /etc/ssh/sshd_config && \
in-target sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config && \
+ in-targer sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && \
in-target systemctl restart ssh && \
+ in-target apt-get purge -y snapd unattended-upgrades && \
+ in-target apt-get autoremove -y && \
+ in-target apt-get clean && \
+ in-target cloud-init clean --logs && \
+ in-target ufw allow ssh && \
+ in-target ufw enable && \
in-target sed -i '/^deb cdrom:/s/^/#/' /etc/apt/sources.list
### Configure GRUB bootloader
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean false
d-i grub-installer/bootdev string default
+d-i grub-installer/timeout string 2
### Disable popularity contest (privacy setting)
popularity-contest popularity-contest/participate boolean false
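Review bot: The added `in-targer sed ... PermitRootLogin ...` line in the third hunk misspells `in-target`, so that command fails with command-not-found and the `&&` chain stops there: the root-login hardening is not applied, and neither are the ssh restart, the package purge, `cloud-init clean`, the ufw rules nor the cdrom source comment-out that follow it, after which `late_command` exits non-zero and d-i reports a failed preseeded command. The fix is the one-character correction `in-target sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && \`. Once the chain runs, `in-target ufw enable` may stop for an interactive confirmation in some environments, so `in-target ufw --force enable && \` is the safer form for an unattended install. Purging `unattended-upgrades` also switches off automatic security updates on every clone; if patching is handled elsewhere it would help to say so in the `###` comment introducing this block, since the comment currently describes it only as "optimize and harden".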