Diffstat (limited to 'packer')
| -rw-r--r-- | packer/debian-server-bookworm/debian-server-bookworm.pkr.hcl | 3 | ||||
| -rw-r--r-- | packer/debian-server-bookworm/files/cloud.cfg | 61 | ||||
| -rw-r--r-- | packer/debian-server-bookworm/http/preseed.cfg | 19 | 
3 files changed, 48 insertions, 35 deletions
|
diff --git a/packer/debian-server-bookworm/debian-server-bookworm.pkr.hcl b/packer/debian-server-bookworm/debian-server-bookworm.pkr.hcl
index bffea00..d91d308 100644
--- a/packer/debian-server-bookworm/debian-server-bookworm.pkr.hcl
+++ b/packer/debian-server-bookworm/debian-server-bookworm.pkr.hcl
@@ -57,13 +57,14 @@ source "proxmox-iso" "debian-server-bookworm-test-1" {
   qemu_agent = true
   # VM Hard Disk Settings
-  scsi_controller = "virtio-scsi-pci"
+  scsi_controller = "virtio-scsi-single"
   disks {
     disk_size     = "20G"
     format        = "raw"
     storage_pool  = "local-lvm"
     type          = "virtio"
+    iothread      = true
   }
   # VM CPU Settings
diff --git a/packer/debian-server-bookworm/files/cloud.cfg b/packer/debian-server-bookworm/files/cloud.cfg
index 29d451e..5a984b2 100644
--- a/packer/debian-server-bookworm/files/cloud.cfg
+++ b/packer/debian-server-bookworm/files/cloud.cfg
@@ -1,6 +1,12 @@
 # The top level settings are used as module
 # and system configuration.
+# A set of users which may be applied and/or used by various modules
+# when a 'default' entry is found it will reference the 'default_user'
+# from the distro configuration specified below
+users:
+   - default
+
 # If this is set, 'root' will not be able to ssh in and they
 # will get a message to login instead as the above $user (debian)
 disable_root: true
@@ -36,38 +42,32 @@ cloud_init_modules:
 cloud_config_modules:
 # Emit the cloud config ready event
 # this can be used by upstart jobs for 'start on cloud-config'.
- - emit_upstart
- - ssh-import-id
- - locale
- - set-passwords
- - grub-dpkg
- - apt-pipelining
- - apt-configure
- - ntp
- - timezone
- - disable-ec2-metadata
- - runcmd
- - byobu
+cloud_config_modules:
+  - emit_upstart
+  - ssh-import-id
+  - locale
+  - set-passwords
+  - grub-dpkg
+  - apt-pipelining
+  - apt-configure
+  - ntp
+  - timezone
+  - disable-ec2-metadata
+  - runcmd
+  - byobu
 # The modules that run in the 'final' stage
 cloud_final_modules:
- - package-update-upgrade-install
- - fan
- - puppet
- - chef
- - salt-minion
- - mcollective
- - rightscale_userdata
- - scripts-vendor
- - scripts-per-once
- - scripts-per-boot
- - scripts-per-instance
- - scripts-user
- - ssh-authkey-fingerprints
- - keys-to-console
- - phone-home
- - final-message
- - power-state-change
+  - package-update-upgrade-install
+  - scripts-vendor
+  - scripts-per-once
+  - scripts-per-boot
+  - scripts-per-instance
+  - scripts-user
+  - ssh-authkey-fingerprints
+  - keys-to-console
+  - final-message
+  - power-state-change
 final_message: "The system is finally up, after $UPTIME seconds"
@@ -85,7 +85,8 @@ system_info:
      sudo: ["ALL=(ALL) NOPASSWD:ALL"]
      shell: /bin/bash
      # Don't forget to add your public key here -- if you want. You can still add account after cloning thanks to Cloud-Init
-     #ssh_authorized_keys:
+     ssh_authorized_keys:
+       - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCtB9NZgJMVovVR4foT0OOV9GdHeHZoPtK1TGko2W4wli/reKjpUYBhlSPWbaWD9WUbl0RRqdzkODy1fB001zxs= mas@TMV2
   # Other config here will be given to the distro class and/or path classes
   paths:
      cloud_dir: /var/lib/cloud/
diff --git a/packer/debian-server-bookworm/http/preseed.cfg b/packer/debian-server-bookworm/http/preseed.cfg
index 887dfd4..e5dd8c6 100644
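Review bot: The hunk at @@ -36,38 +42,32 @@ keeps the original `cloud_config_modules:` line as context and then adds a second `+cloud_config_modules:` immediately above the re-indented list, so the new file declares the same top-level key twice; depending on the YAML loader cloud-init uses, the last definition silently wins or the file is rejected, and the first key is left holding only comments. Dropping the added `cloud_config_modules:` line (or the context one, so a single key heads the list) removes the ambiguity. In the hunk at @@ -85,7 +85,8 @@, the `ssh_authorized_keys` entry under `system_info` is baked into the template, so every VM cloned from this image trusts that key for the default user (which the context shows has passwordless sudo) regardless of per-instance user-data; if that is intended, a comment next to the key such as `# Baked-in key for the default user: applied to every clone, not only the build VM` keeps the next maintainer from treating it as a placeholder.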
--- a/packer/debian-server-bookworm/http/preseed.cfg
+++ b/packer/debian-server-bookworm/http/preseed.cfg
@@ -30,8 +30,11 @@ d-i mirror/http/directory string /debian/
 d-i mirror/http/proxy string
 d-i apt-setup/use_mirror boolean true
-### Partitioning (Use entire disk, no LVM, no swap)
-d-i partman-auto/method string regular
+### Partitioning (Use LVM, no swap)
+d-i partman-auto/method string lvm
+d-i partman-lvm/device_remove_lvm boolean true
+d-i partman-lvm/confirm boolean true
+d-i partman-auto-lvm/guided_size string max
 d-i partman-auto/choose_recipe select atomic
 d-i partman-partitioning/confirm_write_new_label boolean true
 d-i partman/choose_partition select finish
@@ -51,9 +54,9 @@ d-i user-setup/encrypt-home boolean false
 tasksel tasksel/first multiselect standard, ssh-server
 ### Install additional packages
-d-i pkgsel/include string openssh-server qemu-guest-agent sudo neovim tmux cloud-init
+d-i pkgsel/include string openssh-server qemu-guest-agent sudo cloud-init ufw
-### SSH setup (Disable password authentication, allow only SSH key)
+### Disable password authentication, allow only SSH key, clean up unnecessary packages, optimize and harden the system
 d-i preseed/late_command string \
     in-target mkdir -p /home/mas/.ssh && \
     in-target chmod 700 /home/mas/.ssh && \
@@ -65,13 +68,21 @@ d-i preseed/late_command string \
     in-target sed -i 's/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config && \
     in-target sed -i 's|^#\?AuthorizedKeysFile.*|AuthorizedKeysFile %h/.ssh/authorized_keys|' /etc/ssh/sshd_config && \
     in-target sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config && \
+    in-targer sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && \
     in-target systemctl restart ssh && \
+    in-target apt-get purge -y snapd unattended-upgrades && \
+    in-target apt-get autoremove -y && \
+    in-target apt-get clean && \
+    in-target cloud-init clean --logs && \
+    in-target ufw allow ssh && \
+    in-target ufw enable && \
     in-target sed -i '/^deb cdrom:/s/^/#/' /etc/apt/sources.list
 ### Configure GRUB bootloader
 d-i grub-installer/only_debian boolean true
 d-i grub-installer/with_other_os boolean false
 d-i grub-installer/bootdev string default
+d-i grub-installer/timeout string 2
 ### Disable popularity contest (privacy setting)
 popularity-contest popularity-contest/participate boolean false
|
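Review bot: The added line `in-targer sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && \` misspells `in-target`, so that step fails with command-not-found and, because the steps are chained with `&&`, nothing after it runs: PermitRootLogin is never set, the snapd/unattended-upgrades purge, `cloud-init clean --logs`, `ufw allow ssh`/`ufw enable` and the cdrom source comment-out are all skipped, and the late_command exits non-zero. The fix is the one-character change to `in-target sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && \`. Two further points on the same hunk: purging unattended-upgrades removes automatic security patching from every image built from this template, which deserves a mention in the `### Disable password authentication ...` heading so it reads as a deliberate trade-off; and `ufw enable` run through in-target may not be able to load its rules inside the installer chroot, so its exit status is worth confirming in a test build (setting `ENABLED=yes` in `/etc/ufw/ufw.conf` is the chroot-safe equivalent if it does not). The `d-i preseed/late_command` statement begins in the preceding hunk, outside this one.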
