path: root/vagrant/definitions/tails-builder/postinstall.sh
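#!/bin/sh
# Post-install provisioning for the Tails builder Vagrant box: sets up the
# "vagrant" account (passwordless sudo + SSH key) before the APT and package
# steps that follow.
set -e
set -u

# Based on ypcs' scripts found at:
#     https://github.com/ypcs/vmdebootstrap-vagrant/

# Record when this box was built.
date > /var/lib/vagrant_box_build_time

# Keep package installation from prompting during provisioning.
export DEBIAN_FRONTEND="noninteractive"

echo "I: Add sudo permissions to user vagrant..."
# Quoted delimiter: the rule is written literally, with no shell expansion.
cat > /etc/sudoers.d/vagrant << 'EOF'
vagrant         ALL=(ALL) NOPASSWD: ALL
EOF
# sudoers drop-ins are expected to be mode 0440; the redirection above would
# otherwise leave the file with whatever the current umask produces.
chmod 0440 /etc/sudoers.d/vagrant

echo "I: Add pubkey for vagrant..."
mkdir -p /home/vagrant/.ssh
# This is Vagrant's published "insecure" key: the matching private key is
# public. Combined with the NOPASSWD sudo rule above, anything that can reach
# this VM's sshd can obtain root on it, so the box is only suitable as a
# disposable build VM that is not reachable beyond the build host.
cat > /home/vagrant/.ssh/authorized_keys << 'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key
EOF
chown -R vagrant:vagrant /home/vagrant
chmod 0700 /home/vagrant/.ssh
# Only the owner should be able to read or change the list of accepted keys.
chmod 0600 /home/vagrant/.ssh/authorized_keys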

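echo "I: Configuring APT..."

# Both snapshot serials are interpolated into APT source lines further down.
# Check them up front so that a missing or empty value aborts the run before
# any APT configuration has been written, rather than half-way through.
: "${DEBIAN_SECURITY_SERIAL:?must be set to the Debian security snapshot serial}"
: "${TAILS_SERIAL:?must be set to the Tails snapshot serial}"

# Only install hard dependencies, to keep the builder image minimal.
cat > /etc/apt/apt.conf.d/99recommends << 'EOF'
APT::Install-Recommends "false";
APT::Install-Suggests "false";
EOF
# NOTE(review): apt.conf(5) documents the retry setting as "Acquire::Retries".
# Confirm that this APT::-prefixed spelling is honoured; if it is not, APT's
# default retry count applies.
cat > /etc/apt/apt.conf.d/99retries << 'EOF'
APT::Acquire::Retries "20";
EOF

echo "I: Install Tails APT repo signing key."
# apt-key adds the key to APT's global keyring, so it is trusted for every
# configured source, not only for the Tails repository.
# NOTE(review): the key is read from /tmp; how it gets there is not visible in
# this script -- confirm that the provisioner places it and that nothing less
# privileged can replace it before this step runs.
apt-key add /tmp/tails.binary.gpg

echo "I: Add standard APT suites."
# Derive the stretch-updates source from the existing stretch entries.
sed -e 's/stretch/stretch-updates/' "/etc/apt/sources.list" \
	> "/etc/apt/sources.list.d/stretch-updates.list"

# The snapshot sources below are fetched over plain HTTP: authenticity of the
# packages rests on APT verifying the repository signatures against the
# trusted keys, not on the transport.
echo "deb http://time-based.snapshots.deb.tails.boum.org/debian-security/${DEBIAN_SECURITY_SERIAL}/ stretch/updates main" \
	> "/etc/apt/sources.list.d/stretch-security.list"

echo "I: Adding our builder-jessie suite with live-build, pin it low."
echo "deb http://time-based.snapshots.deb.tails.boum.org/tails/${TAILS_SERIAL}/ builder-jessie main" > "/etc/apt/sources.list.d/tails.list"
# The heredocs below are indented for readability; sed strips the leading
# blanks so the preferences files start each field at column 0.
# Everything from builder-jessie gets a low priority...
sed -e 's/^[[:blank:]]*//' > /etc/apt/preferences.d/tails <<EOF
	Package: *
	Pin: release o=Tails,n=builder-jessie
	Pin-Priority: 99
EOF
# ...except live-build, which is pinned high for that suite.
sed -e 's/^[[:blank:]]*//' > /etc/apt/preferences.d/live-build <<EOF
	Package: live-build
	Pin: release o=Tails,n=builder-jessie
	Pin-Priority: 999
EOF

sed -e 's/^[[:blank:]]*//' > /etc/apt/preferences.d/stretch-backports << EOF
	Package: *
	Pin: release n=stretch-backports
	Pin-Priority: 100
EOF

apt-get update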

# Single place for the non-interactive install invocation used below.
install_packages() {
	apt-get -y install "$@"
}

echo "I: Installing Vagrant dependencies..."
install_packages ca-certificates curl grub2 openssh-server wget

echo "I: Configuring GRUB..."
# NOTE(review): nothing in this script regenerates the GRUB configuration
# after this edit; confirm that a later step does, otherwise the shorter
# timeout may not take effect.
sed -i 's,^GRUB_TIMEOUT=5,GRUB_TIMEOUT=1,g' /etc/default/grub

echo "I: Installing Tails build dependencies."
install_packages \
	debootstrap \
	dpkg-dev \
	eatmydata \
	faketime \
	gettext \
	git \
	ikiwiki \
	intltool \
	libfile-chdir-perl \
	libfile-slurp-perl \
	libhtml-scrubber-perl \
	libhtml-template-perl \
	liblist-moreutils-perl \
	libtext-multimarkdown-perl \
	libtimedate-perl \
	liburi-perl \
	libhtml-parser-perl \
	libxml-simple-perl \
	libyaml-libyaml-perl \
	po4a \
	libyaml-perl \
	libyaml-syck-perl \
	live-build \
	lsof \
	perlmagick \
	psmisc \
	rsync \
	ruby \
	syslinux-utils \
	time \
	whois

# timedatectl needs D-Bus to be available.
install_packages dbus

# The caching proxy is installed but its service is disabled, so it does not
# start on its own: it is meant to run inside the VM only when the "in-VM
# proxy" is to be used.
echo "I: Installing the caching proxy..."
# --force-confold: keep already-present configuration files without prompting.
apt-get -o Dpkg::Options::="--force-confold" -y install apt-cacher-ng
systemctl disable apt-cacher-ng.service

echo "I: Upgrading system..."
apt-get -y dist-upgrade

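echo "I: Disable DNS checks to speed-up SSH logins..."
# sshd keeps the first value it reads for a keyword, so an active UseDNS line
# earlier in the file would silently win over the one appended below. Remove
# any such line first (keywords are case-insensitive and may use "=").
# NOTE(review): the new line lands at the end of the file; confirm that the
# configuration does not end in an active Match block.
sed -i '/^[[:blank:]]*UseDNS[[:blank:]=]/Id' /etc/ssh/sshd_config
echo "UseDNS no" >>/etc/ssh/sshd_config

# By default, Debian's ssh client forwards the locale env vars, and by
# default, Debian's sshd accepts them. The locale used while building
# could affect the resulting image, so let's settle on a single
# locale for all (namely the one we won't purge below).
echo "I: Disable sshd AcceptEnv..."
# Comment out every active AcceptEnv directive, including indented ones and
# other capitalisations, so no client-supplied environment is accepted.
sed -i 's/^[[:blank:]]*AcceptEnv/#&/I' /etc/ssh/sshd_config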

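echo "I: Running localepurge..."
# Preseed localepurge's debconf answers before installing it, so that the
# installation does not prompt and only the en/en_US locales are kept.
# The answers are fed straight to debconf-set-selections on stdin: no
# temporary file is needed, so none is left behind if a later step fails
# under "set -e".
debconf-set-selections << 'EOF'
localepurge  localepurge/dontbothernew     boolean false
localepurge  localepurge/quickndirtycalc   boolean true
localepurge  localepurge/mandelete         boolean true
localepurge  localepurge/use-dpkg-feature  boolean false
localepurge  localepurge/showfreedspace    boolean true
localepurge  localepurge/verbose           boolean false
localepurge  localepurge/remove_no         note
localepurge  localepurge/nopurge           multiselect en, en_US, en_US.UTF-8
localepurge  localepurge/none_selected     boolean false
EOF

# localepurge is only needed for this one pass: install, run, remove.
apt-get -y install localepurge
localepurge
apt-get -y remove localepurge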

echo "I: Cleaning up..."
apt-get -y autoremove
apt-get clean

# Collect everything that should not ship in the box: APT package lists and
# caches, downloaded .deb archives, the installer log directory and whatever
# is stored under /var/lib/dhcp. The globs are expanded here and all paths are
# handed to a single rm invocation.
set -- \
	/var/lib/apt/lists/* \
	/var/lib/apt/lists/partial/* \
	/var/cache/apt/*.bin \
	/var/cache/apt/archives/*.deb \
	/var/log/installer \
	/var/lib/dhcp/*
rm -rf "$@"

exit 0