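#!/bin/bash
############################################################################
#                         written by echoslider                            #
############################################################################
# Automated deployment of a LUKS-encrypted Ubuntu 22.04 (jammy) system.
#
# EFI ONLY.
#
# Preinstalled:
#   - KVM/libvirt: run virtual machines, Virt-Manager
#   - pacemaker/pcs: clustering (Web GUI on port 2224)
#   - Network tools: ping, nslookup, dig, lsof, wireless client
#   - Disk tools: gdisk
#   - ZFS: create storage pools (encrypted, compressed, self-healing, ...)
#   - Desktop: the smallest desktop, "blackbox". Start it with "startx"
#     after login. User "serveradmin" has a custom menu.
#   - Software: Firefox (no snap), w3m, task manager
#
# Language/Keyboard: German
#
# Usage: run as root from an Ubuntu live environment booted in EFI mode.
#        The target disk is chosen interactively (default: the first disk
#        found, taken automatically after 20 seconds). THE DISK IS WIPED.
# Environment (optional): PASSWORD and PASSWORDROOT override the defaults
#        set below, so the secrets do not have to live in this file.
############################################################################

export DEBIAN_FRONTEND=noninteractive

# Password for the LUKS volume and the "serveradmin" user.
# Change it before running, or pass it in via the environment.
PASSWORD=${PASSWORD:-p@ssw0rd}
# Password for the "root" user.
PASSWORDROOT=${PASSWORDROOT:-p@ssw0rd}
############################################################################

#######################################
# Print an error message to stderr and abort the installation.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Keyboard layout for the live session. There may be no X server on a text
# console, so a failure here is not fatal.
setxkbmap de || true

apt-get update
apt-get install --yes debootstrap net-tools || die "cannot install debootstrap"

# List all whole disks (no loop devices, no optical drives) so the user can
# choose the disk the system will be installed on.
mapfile -t options < <(lsblk -dpno NAME,TYPE | awk '$2 == "disk" { print $1 }')
(( ${#options[@]} > 0 )) || die "no disk found"
default_disk=${options[0]}
options+=("Exit")

DISK=
while :; do
  # read returns > 128 on timeout; EOF also falls back to the default disk
  # instead of looping forever on an empty answer.
  if ! read -r -t 20 -p "Automatic choose $default_disk in 20 Seconds (Y/N): " reply; then
    DISK=$default_disk
    break
  fi
  case $reply in
    [yY]*) DISK=$default_disk; break ;;
    [nN]*) break ;;
    *) echo "Please enter Y or N" ;;
  esac
done

if [[ -z $DISK ]]; then
  select opt in "${options[@]}"; do
    [[ -n $opt ]] || continue        # invalid number: ask again
    [[ $opt == "Exit" ]] && exit 0
    DISK=$opt
    break
  done
fi
[[ -n $DISK && -b $DISK ]] || die "'$DISK' is not a block device"

# Partition device names differ between disk types:
# /dev/sda -> /dev/sda1, but /dev/nvme0n1 -> /dev/nvme0n1p1.
part_sep=
[[ $DISK =~ [0-9]$ ]] && part_sep=p
efi_dev="${DISK}${part_sep}1"
root_dev="${DISK}${part_sep}2"

# Default network interface, used for the netplan config of the new system.
INTERFACE=$(ip -o route show default | awk '{ print $5; exit }')
[[ -n $INTERFACE ]] || die "no default route found, cannot determine the network interface"

# WIPE the disk. blkdiscard only works on devices that support discard
# (SSD/NVMe); on other disks sgdisk --zap-all alone does the job.
blkdiscard -f "$DISK" 2>/dev/null || true
sgdisk --zap-all "$DISK" || die "cannot wipe $DISK"

# Calculate the swap file size from the installed memory.
# mem_gib is floor(RAM in GiB) + 1, as in the original rounding.
#   < 2 GiB  -> twice the memory
#   2..8 GiB -> same as the memory
#   > 8 GiB  -> half the memory
mem_kib=$(awk '/^MemTotal:/ { print $2; exit }' /proc/meminfo)
mem_gib=$(( mem_kib / 1024 / 1024 + 1 ))
if (( mem_gib < 2 )); then
  swap_gib=$(( mem_gib * 2 ))
elif (( mem_gib <= 8 )); then
  swap_gib=$mem_gib
else
  swap_gib=$(( mem_gib / 2 ))
fi
swap_mib=$(( swap_gib * 1024 ))   # dd count with bs=1M

# Create 2 partitions: 1. EFI, 2. the encrypted Linux system.
sgdisk -n1:0:+500M -c 1:"EFI System Partition" -t 1:ef00 "$DISK" || die "cannot create EFI partition"
sgdisk -n2:0:0 -c 2:"Linux /" -t 2:8300 "$DISK" || die "cannot create root partition"
# Wait for the kernel/udev to create the new partition device nodes.
udevadm settle

# Prepare the partitions with LUKS and a filesystem (ext4).
# The passphrase is fed on stdin (--key-file=-) so it never appears in argv.
mkfs.vfat -F32 -n ESP "$efi_dev" || die "cannot format $efi_dev"
printf '%s' "$PASSWORD" | cryptsetup --batch-mode -c aes-xts-plain64 -s 512 -h sha512 \
  luksFormat --label cryptlinux --key-file=- "$root_dev" || die "luksFormat failed"
printf '%s' "$PASSWORD" | cryptsetup open --key-file=- "$root_dev" cryptlinux || die "cannot open LUKS volume"
mkfs.ext4 -L linux /dev/mapper/cryptlinux || die "cannot format the root filesystem"

# Mount the encrypted filesystem and create the EFI directory.
mount /dev/mapper/cryptlinux /mnt || die "cannot mount root filesystem"
mkdir -p /mnt/boot/efi
mount "$efi_dev" /mnt/boot/efi || die "cannot mount EFI partition"

# Create the swap file; it must be root-only before it is used.
dd if=/dev/zero of=/mnt/swapfile bs=1M count="$swap_mib"
chmod 600 /mnt/swapfile
mkswap /mnt/swapfile
swapon /mnt/swapfile

# Install a very small base system. "base" is a basic system,
# "minbase" is an even smaller one.
debootstrap \
  --arch=amd64 \
  --variant=minbase \
  jammy \
  /mnt \
  http://archive.ubuntu.com/ubuntu/ || die "debootstrap failed"

# Create fstab and crypttab.
# The root entry must reference the ext4 filesystem inside the LUKS volume,
# not the LUKS container on the raw partition; crypttab references the container.
efi_uuid=$(blkid -s UUID -o value "$efi_dev")
root_fs_uuid=$(blkid -s UUID -o value /dev/mapper/cryptlinux)
luks_uuid=$(blkid -s UUID -o value "$root_dev")
[[ -n $efi_uuid && -n $root_fs_uuid && -n $luks_uuid ]] || die "cannot read UUIDs"
printf 'UUID=%s /boot/efi vfat defaults 0 0\n' "$efi_uuid" >> /mnt/etc/fstab
printf 'UUID=%s / ext4 errors=remount-ro 0 1\n' "$root_fs_uuid" >> /mnt/etc/fstab
# This is what unlocks the disk on boot.
printf 'cryptlinux UUID=%s none luks\n' "$luks_uuid" >> /mnt/etc/crypttab

# Here you can block packages in APT.
cat > /mnt/etc/apt/preferences.d/ignored-packages <<'EOF'
#Package: grub-common grub2-common grub-pc grub-pc-bin grub-gfxpayload-lists
#Pin: release *
#Pin-Priority: -1

Package: snapd cloud-init landscape-common popularity-contest ubuntu-advantage-tools
Pin: release *
Pin-Priority: -1
EOF

# Write the sources file for APT.
cat > /mnt/etc/apt/sources.list <<'EOF'
deb http://archive.ubuntu.com/ubuntu/ jammy main restricted
deb http://security.ubuntu.com/ubuntu/ jammy-security main restricted
deb http://archive.ubuntu.com/ubuntu/ jammy-updates main restricted
deb http://archive.canonical.com/ubuntu jammy partner
deb http://de.archive.ubuntu.com/ubuntu/ jammy universe
deb http://de.archive.ubuntu.com/ubuntu/ jammy-updates universe
#deb http://de.archive.ubuntu.com/ubuntu/ jammy-backports main restricted universe multiverse
EOF

# Mount the pseudo filesystems the chroot needs.
mount --bind /dev /mnt/dev
mount -t devpts /dev/pts /mnt/dev/pts
mount -t sysfs /sys /mnt/sys
mount -t proc /proc /mnt/proc
mount -t tmpfs tmpfs /mnt/tmp
cp /proc/mounts /mnt/etc/mtab

# Write the stage 2 install script into the debootstrap directory /mnt.
# Commands written after a bare "chroot" line do not run inside the chroot,
# so the whole stage 2 is a script that is executed via "chroot /mnt ...".
#
# Only this small header is expanded on the host (unquoted heredoc); the
# rest is written verbatim (quoted heredoc) so that every $(...) and $var
# in it runs inside the chroot at install time, not here.
############################################################################
cat > /mnt/root/install.sh <<ENDFILE
#!/bin/bash
# Stage 2 installer, generated by the stage 1 script and run inside the chroot.
# The three values below were filled in by the stage 1 script on the host.
INTERFACE=$(printf '%q' "$INTERFACE")
PASSWORD=$(printf '%q' "$PASSWORD")
PASSWORDROOT=$(printf '%q' "$PASSWORDROOT")
ENDFILE
cat >> /mnt/root/install.sh <<'ENDFILE'
export DEBIAN_FRONTEND=noninteractive

# Set a random hostname.
# You can activate a different nameserver by uncommenting the line below.
echo "SERVER-$(tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 9)" > /etc/hostname
#echo "nameserver 8.8.8.8" >> /etc/resolv.conf

# Update the system and add the Mozilla PPA (Firefox without snap).
apt-get update
apt-get -y install software-properties-common
add-apt-repository -y ppa:mozillateam/ppa
apt-get -y upgrade
apt-get -y dist-upgrade

# Install everything from the description.
# 'fence*' is quoted so the shell does not glob it against files in the cwd;
# apt interprets the pattern itself.
apt-get install -y --no-install-recommends \
  linux-{,image-,headers-}generic linux-firmware \
  initramfs-tools cryptsetup{,-initramfs} efibootmgr grub-efi \
  iputils-ping dnsutils lsof isc-dhcp-client dhcpcd5 \
  iproute2 net-tools netplan.io locales localepurge nano \
  dosfstools vim gdisk openssh-server mlocate zfsutils-linux \
  qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils apt-utils pacemaker pcs \
  language-pack-de console-setup tzdata plymouth plymouth-themes \
  blackbox blackbox-themes xserver-xorg-core xserver-xorg xinit x11-xserver-utils lxterminal \
  dunst suckless-tools compton hsetroot xsettingsd lxappearance scrot \
  wireless-tools wpagui lxtask w3m firefox-esr firefox-esr-locale-de lxrandr xfe \
  virt-manager virt-viewer 'fence*' nano heartbeat

# Change language and keyboard layout to German.
cp /usr/share/zoneinfo/Europe/Berlin /etc/localtime
echo 'LANG="de_DE.UTF-8"' > /etc/default/locale
echo 'Europe/Berlin' > /etc/timezone
locale-gen de_DE.UTF-8
dpkg-reconfigure -f noninteractive tzdata
cat > /etc/default/keyboard <<'EOF'
# KEYBOARD CONFIGURATION FILE
# Consult the keyboard(5) manual page.
XKBMODEL="pc105"
XKBLAYOUT="de"
XKBVARIANT="nodeadkeys"
XKBOPTIONS=""
BACKSPACE="guess"
EOF
dpkg-reconfigure -f noninteractive keyboard-configuration

# DHCP on the interface that had the default route on the install host.
cat > /etc/netplan/01-netcfg.yaml <<EOF
network:
  version: 2
  ethernets:
    $INTERFACE:
      dhcp4: true
EOF
# netplan configs may carry credentials (e.g. Wi-Fi); keep them root-only.
chmod 600 /etc/netplan/01-netcfg.yaml

# Make the system bootable with systemd-boot and install a small hook that
# copies a new kernel/initrd to the EFI partition after every APT run.
# Without it the system may not boot after a kernel upgrade.
bootctl install
cp --dereference /boot/vmlinuz /boot/initrd.img /boot/efi/
cat > /boot/copykernels <<'EOF'
#!/usr/bin/env bash
# copy updated kernel and initrd to efi system partition
b=/boot
e=/boot/efi
# kernels: check versions
for kern in vmlinuz{,.old}; do
  if [[ $(file -Lb "$b/$kern" 2>/dev/null) != $(file -b "$e/$kern" 2>/dev/null) ]]; then
    cp -fv --preserve "$b/$kern" "$e/$kern"
  fi
done
# initrd: check creation time
for init in initrd.img{,.old}; do
  if [[ "$b/$init" -nt "$e/$init" ]]; then
    cp -fv --preserve=mode,ownership "$b/$init" "$e/$init"
  fi
done
EOF
chmod +x /boot/copykernels
cat > /etc/apt/apt.conf.d/99-copykernels <<'EOF'
DPkg::Post-Invoke { "/boot/copykernels"; }
EOF
cat > /boot/efi/loader/entries/ubuntu.conf <<'EOF'
title Ubuntu
linux /vmlinuz
initrd /initrd.img
options splash root=/dev/mapper/cryptlinux
EOF
cp /usr/share/systemd/tmp.mount /etc/systemd/system/
#systemctl enable tmp.mount

# Set the root password, add some groups, add the "serveradmin" user and
# set its password. Passwords go through stdin, never argv.
printf 'root:%s\n' "$PASSWORDROOT" | chpasswd
addgroup --system lpadmin
addgroup --system lxd
addgroup --system sambashare
chown root:adm /usr/sbin/halt
chown root:adm /usr/sbin/reboot
adduser serveradmin --disabled-password --gecos ""
cp -a /etc/skel/. /home/serveradmin
usermod -a -G adm,cdrom,dip,lpadmin,lxd,plugdev,sambashare,kvm,libvirt serveradmin
printf 'serveradmin:%s\n' "$PASSWORD" | chpasswd

# Create the blackbox style and menu.
cat <<'EOF' > /home/serveradmin/.blackboxrc
session.styleFile: /usr/share/blackbox/styles/Gray
session.menuFile: /home/serveradmin/.blackbox/menu
session.screen0.slit.placement: CenterRight
session.screen0.slit.direction: Vertical
session.screen0.slit.onTop: False
session.screen0.slit.autoHide: False
session.screen0.toolbar.onTop: False
session.screen0.toolbar.autoHide: False
session.screen0.toolbar.placement: BottomCenter
session.screen0.toolbar.widthPercent: 66
session.screen0.enableToolbar: True
session.screen0.workspaces: 1
session.screen0.workspaceNames: Workspace 1
session.screen0.strftimeFormat: %I:%M %p
session.windowSnapThreshold: 0
session.autoRaiseDelay: 400
session.placementIgnoresShaded: True
session.focusLastWindow: True
session.opaqueMove: True
session.changeWorkspaceWithMouseWheel: True
session.imageDither: OrderedDither
session.windowPlacement: RowSmartPlacement
session.shadeWindowWithMouseWheel: True
session.opaqueResize: True
session.toolbarActionsWithMouseWheel: True
session.rowPlacementDirection: LeftToRight
session.maximumColors: 0
session.disableBindingsWithScrollLock: False
session.fullMaximization: False
session.colPlacementDirection: TopToBottom
session.doubleClickInterval: 250
session.edgeSnapThreshold: 0
session.focusNewWindows: True
session.focusModel: ClickToFocus
EOF
mkdir -p /home/serveradmin/.blackbox
cat <<'EOF' > /home/serveradmin/.blackbox/menu
[begin] ()
  [exec] (Virt-Manager) {virt-manager}
  [exec] (Remote-Viewer) {remote-viewer}
  [exec] (Browser) {firefox-esr}
  [exec] (Filemanager) {xfe}
  [exec] (Terminal) {lxterminal}
  [exec] (Taskmanager) {lxtask}
  [nop] ()
  [exec] (Screen Resolution) {lxrandr}
  [submenu] (System)
    [exec] (Neustarten) {systemctl reboot}
    [exec] (Beenden) {systemctl poweroff}
    [exit] (Exit)
  [end]
[end]
EOF
chown -R serveradmin:serveradmin /home/serveradmin
chmod -R ug+rwx,o-rwx /home/serveradmin

# Enable the cluster tools.
systemctl enable pacemaker
systemctl enable corosync
systemctl enable pcsd
systemctl enable heartbeat

#grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ubuntu --recheck --debug
#update-grub

# The script contains the passwords: remove it once the installation is done.
rm /root/install.sh
exit 0
ENDFILE
############################################################################

# Make the install script executable (root-only, it holds the passwords)
# and run it inside the chroot.
chmod 700 /mnt/root/install.sh
chroot /mnt /bin/bash /root/install.sh || die "stage 2 install script failed"

echo "please reboot..."
exit 0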