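# Debian-installer preseed for the knel-football host.
# Every directive has four fields: <owner> <question> <type> <value>.
# A preseeded question that no installer component asks has no effect, so
# keys marked NOTE(review) below should be checked against the install media.

# Localization
d-i debian-installer/locale string en_US
d-i console-setup/ask_detect boolean false
d-i console-keymaps-at/keymap select us

# Keyboard
d-i keyboard-configuration/xkb-keymap select us

# Network configuration (no static network config - the installed system
# will be configured via WireGuard). The installer itself still brings up an
# auto-selected interface, because packages are fetched from the mirror below.
d-i netcfg/choose_interface select auto
d-i netcfg/get_hostname string knel-football
d-i netcfg/get_domain string local

# Mirror configuration
d-i mirror/country string manual
d-i mirror/http/hostname string deb.debian.org
d-i mirror/http/directory string /debian
d-i mirror/http/proxy string

# Clock and time zone setup
# "US/Chicago" is not a tzdata zone name; the zone for Chicago is
# America/Chicago.
d-i time/zone string America/Chicago
d-i clock-setup/utc boolean true
d-i clock-setup/ntp boolean true

# User setup
# SECURITY: Passwords are prompted during installation, not hardcoded
# This ensures each installation has unique credentials
d-i passwd/user-fullname string KNEL User
d-i passwd/username string kneluser
# The password questions are deliberately NOT preseeded, which is what makes
# the installer prompt for them. Preseeding a crypted password of "!" does
# not force a prompt: it disables password login for that account, which
# would leave both root and kneluser locked on first boot.
#d-i passwd/user-password-crypted string !
#d-i passwd/root-password-crypted string !
# NOTE(review): root login is enabled while kneluser is also in the sudo
# group and an SSH server is installed. Confirm a root password is really
# wanted; with root-login set to false, administration goes through sudo only.
d-i passwd/root-login boolean true

# Account creation and group membership.
# These two directives do not enforce password quality; they only create the
# user and set its groups.
d-i passwd/make-user boolean true
d-i passwd/user-default-groups string sudo,audio,video,plugdev,input,cdrom,floppy

# PAM password quality configuration (enforced in installed system)
# This will be configured in post-installation hooks
# NOTE(review): no post-installation hook is defined in this file, so
# libpam-pwquality is installed below but left unconfigured here. The
# passwords typed at the installer prompts are also not checked by it.

# Partitioning (LUKS full disk encryption - MANDATORY)
# CAUTION: the target disk is hard-coded and all confirmations further down
# are preseeded to true, so /dev/sda is wiped without any question. Verify
# that /dev/sda is the intended disk on the target hardware (NVMe disks and
# USB install media can change device naming).
d-i partman-auto/disk string /dev/sda
d-i partman-auto/method string crypto
# NOTE(review): the documented key for removing pre-existing LVM volumes is
# partman-lvm/device_remove_lvm; confirm the two keys below are honoured.
d-i partman-auto-lvm/device_remove_lvs boolean true
d-i partman-auto-lvm/device_remove_lvs_span boolean true
d-i partman-auto-lvm/guided_size string max
d-i partman-auto-lvm/new_vg_name string knel_vg
# Recipe: unencrypted /boot, then / and swap as LVM volumes inside the
# encrypted container. Each size triple is <minimum> <priority> <maximum> in MB.
# NOTE(review): 256 MB is tight for /boot once several kernels and
# cryptsetup-enabled initramfs images accumulate.
d-i partman-auto/expert_recipe string \
      boot-root :: \
              256 512 256 ext4 \
                      $primary{ } $bootable{ } \
                      method{ format } format{ } \
                      use_filesystem{ } filesystem{ ext4 } \
                      mountpoint{ /boot } \
              . \
              1024 10000 1000000000 ext4 \
                      $lvmok{ } \
                      method{ format } format{ } \
                      use_filesystem{ } filesystem{ ext4 } \
                      mountpoint{ / } \
              . \
              512 200% 2048 linux-swap \
                      $lvmok{ } \
                      method{ swap } format{ } \
              .

# LUKS encryption configuration (AES-XTS; the 512-bit XTS key is split into
# two 256-bit halves, i.e. AES-256)
# NOTE: Passphrase will be prompted during installation
# REQUIREMENTS: 14+ characters, mix of upper/lower/digits/special
# This passphrase unlocks the encrypted disk at boot time
# The requirements above are operator policy; nothing in this file enforces
# them on the passphrase entered at the prompt.
# NOTE(review): the documented key controlling the pre-encryption wipe is
# partman-auto-crypto/erase_disks; confirm the two keys below are honoured.
d-i partman-crypto/erase_disks boolean true
d-i partman-crypto/erase_disks_secure boolean true

# LUKS cipher selection
# The original lines had only three fields, so the intended value was parsed
# as the type and the value was left empty. The type field is added here.
# NOTE(review): "select" is assumed as the type, and the combined value
# "aes-xts-plain64" may not match the choices partman-crypto offers (cipher
# and IV algorithm may be separate questions). Check the resulting volume
# with `cryptsetup luksDump` after a test install.
d-i partman-crypto/cipher select aes-xts-plain64
d-i partman-crypto/keysize select 512
d-i partman-crypto/lvm boolean true

# LUKS2 format (modern, more secure)
# NOTE(review): confirm this question exists in the partman-crypto version on
# the install media; `cryptsetup luksDump` shows the header version in use.
d-i partman-crypto/use-luks2 boolean true

# Confirm partitioning (all destructive confirmations are pre-answered)
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true

# Package selection
# An SSH server is installed twice over (tasksel task and openssh-server).
# nftables is installed as well, but this file ships no ruleset for it.
tasksel tasksel/first multiselect standard, ssh-server
d-i pkgsel/include string \
      icewm \
      lightdm \
      remmina \
      wireguard \
      wireguard-tools \
      mousepad \
      zbar-tools \
      nftables \
      openssh-server \
      cryptsetup \
      cryptsetup-initramfs \
      busybox \
      dmsetup \
      libpam-pwquality

# Boot loader configuration
# NOTE(review): force-efi-extra-removable implies UEFI targets, but the
# partitioning recipe above defines no EFI System Partition. Confirm the boot
# mode of the target hardware.
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean false
d-i grub-installer/bootdev string default
d-i grub-installer/force-efi-extra-removable boolean true

# Security configuration
# NOTE(review): the installer's documented update-policy question is
# pkgsel/update-policy; confirm what security/updates is meant to control.
# If the intent is to turn automatic security updates off, the host needs
# another patching process.
d-i security/updates select none
d-i passwd/shadow boolean true

# Finish
d-i finish-install/reboot_in_progress note
d-i cdrom-detect/eject boolean false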