├── .gitignore
├── .gitlab-ci.yml
├── README.md
├── autoinstall.yaml
├── bootconfig-18.04.3.patch
├── bootconfig-20.04.patch
├── bootconfig-22.04.patch
├── make-image.sh
├── nitrokey-oem-18.04.3.seed
├── nitrokey-oem-20.04.seed
├── nitrokey-oem-22.04.seed
└── post-install.sh

/.gitignore:
--------------------------------------------------------------------------------
*.iso
*.mbr
/unpacked-iso/
/orig-iso/

--------------------------------------------------------------------------------
/.gitlab-ci.yml:
--------------------------------------------------------------------------------
include: 'https://raw.githubusercontent.com/Nitrokey/common-ci-jobs/master/common_jobs.yml'

stages:
  - pull-github
  - build
  - deploy

variables:
  GIT_STRATEGY: clone
  GIT_DEPTH: 0
  GIT_SUBMODULE_STRATEGY: recursive
  REPO_NAME: ubuntu-oem
  MAIN_BRANCH: nitropad
  COMMON_PULL: "true"
  COMMON_UPLOAD_NIGHTLY: "false"
  COMMON_GITHUB_RELEASE: "false"
  COMMON_UPLOAD_FILES: "true"
  DEVICE_FOLDER: "nitropad"
  UPLOAD_FOLDER: "ubuntu-oem"

oem-build-EN:
  image: registry.git.nitrokey.com/nitrokey/gitlab-ci/ci-oem-release:latest
  rules:
    - if: '$CI_PIPELINE_SOURCE == "push"'
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
  tags:
    - docker
  stage: build
  script:
    - ./make-image.sh en
    - ls
    - mkdir -p artifacts
    - cp *nitropad*.iso artifacts/
  after_script:
    - wget $icon_server/checkmark/$CI_COMMIT_REF_NAME/$CI_COMMIT_SHA/$CI_JOB_NAME/$CI_JOB_STATUS/${CI_JOB_URL#*/*/*/}
  artifacts:
    paths:
      - artifacts
    expire_in: 1 hr

oem-build-DE:
  image: registry.git.nitrokey.com/nitrokey/gitlab-ci/ci-oem-release:latest
  rules:
    - if: '$CI_PIPELINE_SOURCE == "push"'
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
  tags:
    - docker
  stage: build
  script:
    - ./make-image.sh de
    - ls
    - mkdir -p artifacts
    - cp *nitropad*.iso artifacts/
  after_script:
    - wget $icon_server/checkmark/$CI_COMMIT_REF_NAME/$CI_COMMIT_SHA/$CI_JOB_NAME/$CI_JOB_STATUS/${CI_JOB_URL#*/*/*/}
  artifacts:
    paths:
      - artifacts
    expire_in: 1 hrs

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Ubuntu LTS unattended OEM installer with LUKS+LVM

This script creates an installer image for Ubuntu LTS that
- works unattended (plug in, power on, leave alone for 10 minutes)
- performs an OEM install - on the subsequent boot the user will be presented with the installer screen to set up their language, timezone, login info, etc.
- sets up LVM on LUKS with initial password

# WARNING WARNING WARNING
DO NOT BOOT THIS IMAGE ON ANY COMPUTER THAT CONTAINS ANY USEFUL DATA
This installer is COMPLETELY UNATTENDED: it doesn't need a keypress to start, doesn't ask any questions, doesn't wait for any confirmation and IT WILL ERASE THE COMPUTER'S STORAGE COMPLETELY AND UNCONDITIONALLY, including existing LVMs.

You have been warned. Label the disc or pendrive appropriately to avoid mistakes.

# Initial LUKS password

Yes, the initial password for LUKS is hardcoded in the preseed file. Even if it weren't literally hardcoded (which is easy enough to fix, and probably will be; not a big deal anyway), all installations performed with a single image will share the initial password. However, thanks to how LUKS uses passwords, the actual encryption master key will be different on each install. As long as the password is changed by the end user, their installation will not share any key material with other instances.

It is, of course, possible for a vendor using this installer to covertly copy the LUKS master key off the installed system between installation and first boot, to retain access to data (unless the user runs cryptsetup-reencrypt). It's also possible for the vendor to just backdoor the initrd (which contains the LUKS password prompt), or the OS itself, or the bootloader, or the firmware, or any other part of the computer. The usual caveats for using any pre-installed software/firmware/etc. still apply.

# TODO

- parametrized preseed file, mainly to provide the initial LUKS password at build time
- additional Ubiquity installer form or initrd prompt asking the user to provide a new LUKS password on first boot
- use cryptsetup-reencrypt to replace the LUKS master key on first boot (needs to be done in initrd)

# Usage

Run make-image.sh (with the image language, `en` or `de`, as its argument, as the jobs in .gitlab-ci.yml do) to build an OEM image, or [download](https://www.nitrokey.com/files/ci/nitropad/ubuntu-oem/) the image. Use a DVD or pendrive like with a regular Ubuntu installer. No other actions are needed; the script will download the official ISO itself.
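The "Initial LUKS password" section above rests on three properties of how LUKS uses a passphrase: a shared initial passphrase still yields an unrelated master key on every install, changing the passphrase re-wraps the same master key (so a vendor's copy of it remains valid), and only re-encryption replaces it. The following Python model is an added illustration for this page, not code from the repository and not cryptsetup's real on-disk format: it replaces the real cipher-based key-slot wrapping and anti-forensic splitting with an XOR against a PBKDF2-derived key of the same length, and uses a deliberately tiny iteration count. The key-slot and master-key-digest structure it models is that of a LUKS1 header; the passphrase "12345678" is the initial value used in autoinstall.yaml.

```python
"""Toy model of the LUKS key hierarchy (constructed for illustration).

Data is encrypted with a random master key (MK). A passphrase never encrypts
data directly: a salted KDF turns it into a wrapping key for a key slot that
holds the MK. Hence two installs from one image share a passphrase but not an
MK, changing the passphrase re-wraps the *same* MK, and only re-encryption
replaces it.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MK_LEN = 32        # master key size in bytes
SALT_LEN = 32
ITERATIONS = 2000  # PBKDF2 rounds; kept tiny for speed, real headers use far more


def _kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=MK_LEN)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class KeySlot:
    salt: bytes
    wrapped_mk: bytes  # MK XORed with the passphrase-derived key (stand-in for the cipher wrap)


@dataclass
class Header:
    digest_salt: bytes
    mk_digest: bytes   # KDF(MK, digest_salt): lets luks_open verify a candidate MK
    slots: List[KeySlot] = field(default_factory=list)


def _add_slot(header: Header, mk: bytes, passphrase: str) -> None:
    salt = os.urandom(SALT_LEN)
    header.slots.append(KeySlot(salt, _xor(mk, _kdf(passphrase.encode(), salt))))


def luks_format(passphrase: str) -> Tuple[Header, bytes]:
    """Fresh volume: random MK, one slot unlocked by `passphrase`. Also returns
    the MK, i.e. the secret a vendor could read off the disk before first boot."""
    mk = os.urandom(MK_LEN)
    digest_salt = os.urandom(SALT_LEN)
    header = Header(digest_salt, _kdf(mk, digest_salt))
    _add_slot(header, mk, passphrase)
    return header, mk


def luks_open(header: Header, passphrase: str) -> Optional[bytes]:
    """Try each slot; return the MK whose digest matches, else None."""
    for slot in header.slots:
        candidate = _xor(slot.wrapped_mk, _kdf(passphrase.encode(), slot.salt))
        if hmac.compare_digest(_kdf(candidate, header.digest_salt), header.mk_digest):
            return candidate
    return None


def luks_change_passphrase(header: Header, old: str, new: str) -> bool:
    """Like `cryptsetup luksChangeKey`: re-wraps the unchanged MK under `new`."""
    mk = luks_open(header, old)
    if mk is None:
        return False
    header.slots.clear()
    _add_slot(header, mk, new)
    return True


def luks_reencrypt(header: Header, passphrase: str) -> Optional[Tuple[Header, bytes]]:
    """Like cryptsetup-reencrypt: a new MK is generated (and all data would be
    re-encrypted under it), so a copy of the old MK no longer opens the volume."""
    if luks_open(header, passphrase) is None:
        return None
    return luks_format(passphrase)


def demo(initial: str = "12345678") -> dict:
    """Walks through the README's scenario; `initial` is the image-wide passphrase."""
    h1, mk1 = luks_format(initial)   # install on machine 1
    h2, mk2 = luks_format(initial)   # install on machine 2 from the same image
    vendor_copy = mk1                 # MK read off machine 1 before delivery
    if not luks_change_passphrase(h1, initial, "user-chosen"):
        raise RuntimeError("initial passphrase should open the volume")
    h1_new, mk1_new = luks_reencrypt(h1, "user-chosen")
    return {
        "same_passphrase_unrelated_mks": mk1 != mk2,
        "old_passphrase_rejected": luks_open(h1, initial) is None,
        "copied_mk_still_valid_after_change": luks_open(h1, "user-chosen") == vendor_copy,
        "copied_mk_useless_after_reencrypt": mk1_new != vendor_copy
        and luks_open(h1_new, "user-chosen") == mk1_new,
    }
```

`demo()` returns True for all four properties: the third one is exactly the gap the README describes (a passphrase change alone does not revoke a copied master key), and the fourth is why the TODO list wants cryptsetup-reencrypt run on first boot.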

--------------------------------------------------------------------------------
/autoinstall.yaml:
--------------------------------------------------------------------------------
autoinstall:
  version: 1
  storage:
    layout:
      name: lvm
      sizing-policy: all
      password: "12345678"
  locale: de_DE
  keyboard:
    layout: de
  packages:
    - flatpak
    - gnome-software-plugin-flatpak
    - nitrokey-app
  late-commands:
    - curtin in-target -- flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
    - curtin in-target -- flatpak install --assumeyes --noninteractive flathub com.nitrokey.nitrokey-app2
    - curtin in-target -- wget https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules -O /etc/udev/rules.d/41-nitrokey.rules
    - curtin in-target -- chmod 644 /etc/udev/rules.d/41-nitrokey.rules
    # Each late-command is run by a shell in the installer environment, so a
    # bare "> /etc/hostname" after the curtin call would write the live
    # system's /etc/hostname, not the target's. The redirection has to be
    # performed by a shell inside the target.
    - curtin in-target -- sh -c 'echo nitropad > /etc/hostname'

--------------------------------------------------------------------------------
/bootconfig-18.04.3.patch:
--------------------------------------------------------------------------------
diff -ruw -x '*.seed' orig-iso/boot/grub/grub.cfg unpacked-iso/boot/grub/grub.cfg
--- orig-iso/boot/grub/grub.cfg	2019-08-05 21:28:48.000000000 +0200
+++ unpacked-iso/boot/grub/grub.cfg	2019-11-02 10:35:21.061123775 +0100
@@ -10,24 +10,9 @@
 set menu_color_normal=white/black
 set menu_color_highlight=black/light-gray
 
-set timeout=5
-menuentry "Try Ubuntu without installing" {
-	set gfxpayload=keep
-	linux	/casper/vmlinuz  file=/cdrom/preseed/ubuntu.seed boot=casper quiet splash ---
-	initrd	/casper/initrd
-}
-menuentry "Install Ubuntu" {
-	set gfxpayload=keep
-	linux	/casper/vmlinuz  file=/cdrom/preseed/ubuntu.seed boot=casper only-ubiquity quiet splash ---
-	initrd	/casper/initrd
-}
+set timeout=0
 menuentry "OEM install (for manufacturers)" {
 	set gfxpayload=keep
-	linux	/casper/vmlinuz  file=/cdrom/preseed/ubuntu.seed boot=casper only-ubiquity quiet splash oem-config/enable=true ---
-	initrd	/casper/initrd
-}
-menuentry "Check disc for defects" {
-	set gfxpayload=keep
-	linux	/casper/vmlinuz  boot=casper integrity-check quiet splash ---
+	linux	/casper/vmlinuz  file=/cdrom/preseed/ubuntu.seed boot=casper automatic-ubiquity quiet splash automatic-oem-config ---
 	initrd	/casper/initrd
 }
diff -ruw -x '*.seed' orig-iso/isolinux/gfxboot.cfg unpacked-iso/isolinux/gfxboot.cfg
--- orig-iso/isolinux/gfxboot.cfg	2019-08-05 21:28:48.000000000 +0200
+++ unpacked-iso/isolinux/gfxboot.cfg	2019-11-02 10:34:12.253337617 +0100
@@ -2,11 +2,6 @@
 background=0x958490
 screen-colour=0x270A1E
 hidden-timeout=2
-label normal=Normal
-append normal=
-label driverupdates=Use driver update disc
-append driverupdates=debian-installer/driver-update=true
-applies driverupdates=live live-install
-label oem=OEM install (for manufacturers)
-append oem=oem-config/enable=true
-applies oem=live live-install install
+label normal=OEM install (for manufacturers)
+append normal=oem-config/enable=true
+applies normal=live live-install install
diff -ruw -x '*.seed' orig-iso/isolinux/txt.cfg unpacked-iso/isolinux/txt.cfg
--- orig-iso/isolinux/txt.cfg	2019-08-05 21:28:48.000000000 +0200
+++ unpacked-iso/isolinux/txt.cfg	2019-11-02 10:35:34.701279393 +0100
@@ -1,19 +1,5 @@
-default live
-label live
-  menu label ^Try Ubuntu without installing
-  kernel /casper/vmlinuz
-  append  file=/cdrom/preseed/ubuntu.seed boot=casper initrd=/casper/initrd quiet splash ---
+default live-install
 label live-install
   menu label ^Install Ubuntu
   kernel /casper/vmlinuz
-  append  file=/cdrom/preseed/ubuntu.seed boot=casper only-ubiquity initrd=/casper/initrd quiet splash ---
-label check
-  menu label ^Check disc for defects
-  kernel /casper/vmlinuz
-  append  boot=casper integrity-check initrd=/casper/initrd quiet splash ---
-label memtest
-  menu label Test ^memory
-  kernel /install/mt86plus
-label hd
-  menu label ^Boot from first hard disk
-  localboot 0x80
+  append  file=/cdrom/preseed/ubuntu.seed boot=casper automatic-ubiquity initrd=/casper/initrd quiet splash automatic-oem-config ---

--------------------------------------------------------------------------------
/bootconfig-20.04.patch:
--------------------------------------------------------------------------------
--- orig-iso/boot/grub/grub.cfg	2020-04-23 09:51:19.000000000 +0200
+++ unpacked-iso/boot/grub/grub.cfg	2020-04-28 16:12:56.313944808 +0200
@@ -23,7 +23,7 @@
 }
 menuentry "OEM install (for manufacturers)" {
 	set gfxpayload=keep
-	linux	/casper/vmlinuz  file=/cdrom/preseed/ubuntu.seed only-ubiquity quiet splash oem-config/enable=true ---
+	linux	/casper/vmlinuz  file=/cdrom/preseed/ubuntu.seed automatic-ubiquity quiet splash automatic-oem-config ---
 	initrd	/casper/initrd
 }
 grub_platform

--------------------------------------------------------------------------------
/bootconfig-22.04.patch:
--------------------------------------------------------------------------------
--- orig/boot/grub/grub.cfg	2022-08-09 14:07:55.000000000 +0200
+++ unpacked-iso/boot/grub/grub.cfg	2022-09-14 13:17:59.863000000 +0200
@@ -15,9 +15,9 @@
 	linux	/casper/vmlinuz nomodeset file=/cdrom/preseed/ubuntu.seed maybe-ubiquity quiet splash ---
 	initrd	/casper/initrd
 }
-menuentry "OEM install (for manufacturers)" {
+menuentry "Nitrokey OEM install" {
 	set gfxpayload=keep
-	linux	/casper/vmlinuz  file=/cdrom/preseed/ubuntu.seed only-ubiquity oem-config/enable=true quiet splash ---
+	linux	/casper/vmlinuz  file=/cdrom/preseed/ubuntu.seed automatic-ubiquity quiet splash automatic-oem-config ---
 	initrd	/casper/initrd
 }
 grub_platform

--------------------------------------------------------------------------------
/make-image.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

command -v xorriso >/dev/null 2>&1 || { echo >&2 "Please install 'xorriso' first. Aborting."; exit 1; }
command -v patch >/dev/null 2>&1 || { echo >&2 "Please install 'patch' first. Aborting."; exit 1; }
command -v wget >/dev/null 2>&1 || { echo >&2 "Please install 'wget' first. Aborting."; exit 1; }

set -xe

# Basic parameters
DEVICE=nitropad_nitropc
UBUNTU_RELEASE="24.04"
UBUNTU_POINT_RELEASE=""
RELEASE_ISO_FILENAME="ubuntu-${UBUNTU_RELEASE}${UBUNTU_POINT_RELEASE}-desktop-amd64.iso"
CUSTOM_ISO_FILENAME="ubuntu-${UBUNTU_RELEASE}${UBUNTU_POINT_RELEASE}-${DEVICE}-oem-$1-amd64.iso"
DOWNLOAD_URL="https://releases.ubuntu.com/${UBUNTU_RELEASE}/${RELEASE_ISO_FILENAME}"
GENISO_BOOTIMG="boot/grub/i386-pc/eltorito.img"
GENISO_BOOTCATALOG="/boot.catalog"

UNPACKED_IMAGE_PATH="./unpacked-iso/"

# The official ISO must exist before its partition table is read below
# (on a fresh checkout the sector lookup would otherwise run on a missing
# file and silently yield empty values), so download it first.
if [ ! -f "${RELEASE_ISO_FILENAME}" ]; then
    wget -q ${DOWNLOAD_URL} -O ${RELEASE_ISO_FILENAME}
fi

# Sector range of the EFI system partition of the official ISO (the entry
# fdisk lists as "...iso2"); it is re-attached to the rebuilt image as
# partition 2 below.
GENISO_START_SECTOR="$(LANG=C fdisk -l ${RELEASE_ISO_FILENAME} |grep iso2 | cut -d' ' -f2)"
GENISO_END_SECTOR="$(LANG=C fdisk -l ${RELEASE_ISO_FILENAME} |grep iso2 | cut -d' ' -f3)"

xorriso -osirrox on -indev "${RELEASE_ISO_FILENAME}" -- -extract / "${UNPACKED_IMAGE_PATH}"
chmod -R u+w ${UNPACKED_IMAGE_PATH}

sed -i 's/Ubuntu/Nitrokey OEM/g' ${UNPACKED_IMAGE_PATH}boot/grub/grub.cfg

cp autoinstall.yaml ${UNPACKED_IMAGE_PATH}

if [ $1 == "en" ]; then
    sed -i "s/de_DE/en_US/g" ${UNPACKED_IMAGE_PATH}autoinstall.yaml
    sed -i "s/layout: de/layout: us/g" ${UNPACKED_IMAGE_PATH}autoinstall.yaml
fi


# https://github.com/YasuhiroABE/ub-autoinstall-iso/blob/main/Makefile
LANG=C xorriso -as mkisofs \
    -V 'Nitrokey OEM Ubuntu Install' \
    -output "$CUSTOM_ISO_FILENAME" \
    -eltorito-boot "${GENISO_BOOTIMG}" \
    -eltorito-catalog "${GENISO_BOOTCATALOG}" -no-emul-boot \
    -boot-load-size 4 -boot-info-table -eltorito-alt-boot \
    -no-emul-boot -isohybrid-gpt-basdat \
    -append_partition 2 28732ac11ff8d211ba4b00a0c93ec93b --interval:local_fs:${GENISO_START_SECTOR}d-${GENISO_END_SECTOR}d::"${RELEASE_ISO_FILENAME}" \
    -e '--interval:appended_partition_2_start_1782357s_size_8496d:all::' \
    --grub2-mbr --interval:local_fs:0s-15s:zero_mbrpt,zero_gpt:"${RELEASE_ISO_FILENAME}" \
    "${UNPACKED_IMAGE_PATH}"

--------------------------------------------------------------------------------
/nitrokey-oem-18.04.3.seed:
--------------------------------------------------------------------------------
# Based on:
# https://help.ubuntu.com/lts/installation-guide/example-preseed.txt
# https://www.chucknemeth.com/debian-9-preseed-uefi-encrypted-lvm/
# https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/924018/comments/17
# https://github.com/FreeGeekVancouver/preseed-files/blob/master/linux/ubuntu-automatic.cfg
# and about two dozen other snippets

# There might still be some redundancy in this preseed thanks to Ubiquity
# ignoring some debian-installer questions and expecting answers to its own
# versions of those.

# Enable oem install, hide summary screen
d-i oem-config/enable boolean true
d-i ubiquity/summary note

# At the very end of installation:
# - install Nitrokey App
# - remove Amazon adware
# - finalize OEM install immediately
ubiquity ubiquity/success_command string \
    cp /cdrom/post-install.sh /target/root/; \
    chmod 0700 /target/root/post-install.sh; \
    in-target /root/post-install.sh

# Preseeding only locale sets language, country and locale.
# Encoding must be set *somewhere*, such as here, otherwise
# a broken system is produced.
d-i debian-installer/locale string en_US.UTF-8
d-i time/zone string Etc/UTC

# Disable automatic (interactive) keymap detection.
d-i console-setup/ask_detect boolean false
d-i keyboard-configuration/xkb-keymap select us
d-i keyboard-configuration/layoutcode select us

# Silence a bunch of other questions
ubiquity countrychooser/shortlist select US
ubiquity languagechooser/language-name select English
ubiquity localechooser/supported-locales multiselect en_US.UTF-8

# netcfg will choose an interface that has link if possible. This makes it
# skip displaying a list if there is more than one interface.
d-i netcfg/choose_interface select auto

# Any hostname and domain names assigned from dhcp take precedence over
# values set here. However, setting the values still prevents the questions
# from being shown, even if values come from dhcp.
# Ultimately none of those even matter in an OEM installation.
d-i netcfg/get_hostname string unassigned-hostname
d-i netcfg/get_domain string unassigned-domain

# If non-free firmware is needed for the network or other hardware, you can
# configure the installer to always try to load it, without prompting. Or
# change to false to disable asking.
d-i hw-detect/load_firmware boolean true

### Mirror settings
# If you select ftp, the mirror/country string does not need to be set.
#d-i mirror/protocol string ftp
d-i mirror/country string manual
d-i mirror/http/hostname string archive.ubuntu.com
d-i mirror/http/directory string /ubuntu
d-i mirror/http/proxy string

# Set password for oem user that will be removed later anyway.
# Without setting the full name, username and password here, the OEM user
# setup dialog is shown during installation.
d-i passwd/user-fullname string OEM
d-i passwd/username string oem
d-i passwd/user-password password oem
d-i passwd/user-password-again password oem
d-i user-setup/allow-password-weak boolean true

###############
## LVM SETUP ##
###############
#
# The whole section below, related to LVM and encryption, is unintuitive to
# configure, fragile and weird.
# Leave it alone unless there's a very good reason to change it.
#
# Initial password for LUKS is set here, it's obviously safe to change.

# - crypto: use LVM within an encrypted partition
d-i partman-auto/method string crypto

# If one of the disks that are going to be automatically partitioned
# contains an old LVM configuration, the user will normally receive a
# warning. This can be preseeded away...
d-i partman-lvm/device_remove_lvm boolean true
# The same applies to pre-existing software RAID array:
d-i partman-md/device_remove_md boolean true
# And the same goes for the confirmation to write the lvm partitions.
d-i partman-lvm/confirm boolean true
d-i partman-lvm/confirm_nooverwrite boolean true

# For LVM partitioning, you can select how much of the volume group to use
# for logical volumes.
d-i partman-auto-lvm/guided_size string max

# You can choose one of the three predefined partitioning recipes:
# - atomic: all files in one partition
# - home: separate /home partition
# - multi: separate /home, /usr, /var, and /tmp partitions
d-i partman-auto/choose_recipe select atomic

# When disk encryption is enabled, skip wiping the partitions beforehand.
d-i partman-auto-crypto/erase_disks boolean false
d-i partman-crypto/passphrase string PleaseChangeMe
d-i partman-crypto/passphrase-again string PleaseChangeMe
d-i partman-crypto/weak_passphrase boolean true

# This makes partman automatically partition without confirmation.
d-i partman-md/confirm boolean true
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true

## END LVM SECTION ##

# The options below come from the regular Ubuntu 18.04 LTS seed

# Enable extras.ubuntu.com.
d-i apt-setup/extras boolean true
# Install the Ubuntu desktop.
tasksel tasksel/first multiselect ubuntu-desktop
# On live DVDs, don't spend huge amounts of time removing substantial
# application packages pulled in by language packs. Given that we clearly
# have the space to include them on the DVD, they're useful and we might as
# well keep them installed.
ubiquity ubiquity/keep-installed string icedtea6-plugin openoffice.org
d-i base-installer/kernel/altmeta string hwe-18.04

### Finishing up the installation
# Avoid that last message about the install being complete.
d-i finish-install/reboot_in_progress note
ubiquity ubiquity/reboot boolean true

# Ideally we'd prefer to poweroff, but it doesn't work
# https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1329417
# ubiquity ubiquity/poweroff boolean true

--------------------------------------------------------------------------------
/nitrokey-oem-20.04.seed:
--------------------------------------------------------------------------------
# Based on:
# https://help.ubuntu.com/lts/installation-guide/example-preseed.txt
# https://www.chucknemeth.com/debian-9-preseed-uefi-encrypted-lvm/
# https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/924018/comments/17
# https://github.com/FreeGeekVancouver/preseed-files/blob/master/linux/ubuntu-automatic.cfg
# and about two dozen other snippets

# There might still be some redundancy in this preseed thanks to Ubiquity
# ignoring some debian-installer questions and expecting answers to its own
# versions of those.

# Enable oem install, hide summary screen
d-i oem-config/enable boolean true
d-i ubiquity/summary note

# At the very end of installation:
# - install Nitrokey App
# - remove Amazon adware
# - finalize OEM install immediately
ubiquity ubiquity/success_command string \
    cp /cdrom/post-install.sh /target/root/; \
    chmod 0700 /target/root/post-install.sh; \
    in-target /root/post-install.sh

# Preseeding only locale sets language, country and locale.
# Encoding must be set *somewhere*, such as here, otherwise
# a broken system is produced.
d-i debian-installer/locale string en_US.UTF-8
d-i time/zone string Etc/UTC

# Disable automatic (interactive) keymap detection.
d-i console-setup/ask_detect boolean false
d-i keyboard-configuration/xkb-keymap select us
d-i keyboard-configuration/layoutcode select us

# Silence a bunch of other questions
ubiquity countrychooser/shortlist select US
ubiquity languagechooser/language-name select English
ubiquity localechooser/supported-locales multiselect en_US.UTF-8

# netcfg will choose an interface that has link if possible. This makes it
# skip displaying a list if there is more than one interface.
d-i netcfg/choose_interface select auto

# Any hostname and domain names assigned from dhcp take precedence over
# values set here. However, setting the values still prevents the questions
# from being shown, even if values come from dhcp.
# Ultimately none of those even matter in an OEM installation.
d-i netcfg/get_hostname string unassigned-hostname
d-i netcfg/get_domain string unassigned-domain

# If non-free firmware is needed for the network or other hardware, you can
# configure the installer to always try to load it, without prompting. Or
# change to false to disable asking.
d-i hw-detect/load_firmware boolean true

### Mirror settings
# If you select ftp, the mirror/country string does not need to be set.
#d-i mirror/protocol string ftp
d-i mirror/country string manual
d-i mirror/http/hostname string archive.ubuntu.com
d-i mirror/http/directory string /ubuntu
d-i mirror/http/proxy string

# Set password for oem user that will be removed later anyway.
# Without setting the full name, username and password here, the OEM user
# setup dialog is shown during installation.
d-i passwd/user-fullname string OEM
d-i passwd/username string oem
d-i passwd/user-password password oem
d-i passwd/user-password-again password oem
d-i user-setup/allow-password-weak boolean true

###############
## LVM SETUP ##
###############
#
# The whole section below, related to LVM and encryption, is unintuitive to
# configure, fragile and weird.
# Leave it alone unless there's a very good reason to change it.
#
# Initial password for LUKS is set here, it's obviously safe to change.

# - crypto: use LVM within an encrypted partition
d-i partman-auto/method string crypto

# If one of the disks that are going to be automatically partitioned
# contains an old LVM configuration, the user will normally receive a
# warning. This can be preseeded away...
d-i partman-lvm/device_remove_lvm boolean true
# The same applies to pre-existing software RAID array:
d-i partman-md/device_remove_md boolean true
# And the same goes for the confirmation to write the lvm partitions.
d-i partman-lvm/confirm boolean true
d-i partman-lvm/confirm_nooverwrite boolean true

# For LVM partitioning, you can select how much of the volume group to use
# for logical volumes.
d-i partman-auto-lvm/guided_size string max

# You can choose one of the three predefined partitioning recipes:
# - atomic: all files in one partition
# - home: separate /home partition
# - multi: separate /home, /usr, /var, and /tmp partitions
d-i partman-auto/choose_recipe select atomic

# When disk encryption is enabled, skip wiping the partitions beforehand.
d-i partman-auto-crypto/erase_disks boolean false
d-i partman-crypto/passphrase string PleaseChangeMe
d-i partman-crypto/passphrase-again string PleaseChangeMe
d-i partman-crypto/weak_passphrase boolean true

# This makes partman automatically partition without confirmation.
d-i partman-md/confirm boolean true
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true

## END LVM SECTION ##

# The options below come from the regular Ubuntu 18.04 LTS seed

# Enable extras.ubuntu.com.
d-i apt-setup/extras boolean true
# Install the Ubuntu desktop.
tasksel tasksel/first multiselect ubuntu-desktop
# On live DVDs, don't spend huge amounts of time removing substantial
# application packages pulled in by language packs. Given that we clearly
# have the space to include them on the DVD, they're useful and we might as
# well keep them installed.
ubiquity ubiquity/keep-installed string icedtea6-plugin openoffice.org

### Finishing up the installation
# Avoid that last message about the install being complete.
d-i finish-install/reboot_in_progress note
ubiquity ubiquity/reboot boolean true

# Ideally we'd prefer to poweroff, but it doesn't work
# https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1329417
# ubiquity ubiquity/poweroff boolean true

--------------------------------------------------------------------------------
/nitrokey-oem-22.04.seed:
--------------------------------------------------------------------------------
# Based on:
# https://help.ubuntu.com/lts/installation-guide/example-preseed.txt
# https://www.chucknemeth.com/debian-9-preseed-uefi-encrypted-lvm/
# https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/924018/comments/17
# https://github.com/FreeGeekVancouver/preseed-files/blob/master/linux/ubuntu-automatic.cfg
# and about two dozen other snippets

# There might still be some redundancy in this preseed thanks to Ubiquity
# ignoring some debian-installer questions and expecting answers to its own
# versions of those.

# Enable oem install, hide summary screen
d-i oem-config/enable boolean true
d-i ubiquity/summary note

# Preseeding only locale sets language, country and locale.
# Encoding must be set *somewhere*, such as here, otherwise
# a broken system is produced.
d-i debian-installer/locale string en_US.UTF-8
d-i time/zone string Etc/UTC

# Disable automatic (interactive) keymap detection.
d-i console-setup/ask_detect boolean false
d-i keyboard-configuration/xkb-keymap select us
d-i keyboard-configuration/layoutcode select us

# Silence a bunch of other questions
ubiquity countrychooser/shortlist select US
ubiquity languagechooser/language-name select English
ubiquity localechooser/supported-locales multiselect en_US.UTF-8

# netcfg will choose an interface that has link if possible. This makes it
# skip displaying a list if there is more than one interface.
d-i netcfg/choose_interface select auto

# Any hostname and domain names assigned from dhcp take precedence over
# values set here. However, setting the values still prevents the questions
# from being shown, even if values come from dhcp.
# Ultimately none of those even matter in an OEM installation.
d-i netcfg/get_hostname string unassigned-hostname
d-i netcfg/get_domain string unassigned-domain

# If non-free firmware is needed for the network or other hardware, you can
# configure the installer to always try to load it, without prompting. Or
# change to false to disable asking.
d-i hw-detect/load_firmware boolean true

### Mirror settings
# If you select ftp, the mirror/country string does not need to be set.
#d-i mirror/protocol string ftp
d-i mirror/country string manual
d-i mirror/http/hostname string archive.ubuntu.com
d-i mirror/http/directory string /ubuntu
d-i mirror/http/proxy string

# Set password for oem user that will be removed later anyway.
# Without setting the full name, username and password here, the OEM user
# setup dialog is shown during installation.
d-i passwd/user-fullname string OEM
d-i passwd/username string oem
d-i passwd/user-password password oem
d-i passwd/user-password-again password oem
d-i user-setup/allow-password-weak boolean true

###############
## LVM SETUP ##
###############
#
# The whole section below, related to LVM and encryption, is unintuitive to
# configure, fragile and weird.
# Leave it alone unless there's a very good reason to change it.
#
# Initial password for LUKS is set here, it's obviously safe to change.

# - crypto: use LVM within an encrypted partition
d-i partman-auto/method string crypto

# If one of the disks that are going to be automatically partitioned
# contains an old LVM configuration, the user will normally receive a
# warning. This can be preseeded away...
d-i partman-lvm/device_remove_lvm boolean true
# The same applies to pre-existing software RAID array:
d-i partman-md/device_remove_md boolean true
# And the same goes for the confirmation to write the lvm partitions.
d-i partman-lvm/confirm boolean true
d-i partman-lvm/confirm_nooverwrite boolean true

# For LVM partitioning, you can select how much of the volume group to use
# for logical volumes.
d-i partman-auto-lvm/guided_size string max

# You can choose one of the three predefined partitioning recipes:
# - atomic: all files in one partition
# - home: separate /home partition
# - multi: separate /home, /usr, /var, and /tmp partitions
d-i partman-auto/choose_recipe select atomic

# When disk encryption is enabled, skip wiping the partitions beforehand.
d-i partman-auto-crypto/erase_disks boolean false
d-i partman-crypto/passphrase string 12345678
d-i partman-crypto/passphrase-again string 12345678
d-i partman-crypto/weak_passphrase boolean true

# This makes partman automatically partition without confirmation.
d-i partman-md/confirm boolean true
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true

## END LVM SECTION ##

# The options below come from the regular Ubuntu 18.04 LTS seed

# Enable extras.ubuntu.com.
d-i apt-setup/extras boolean true
# Install the Ubuntu desktop.
tasksel tasksel/first multiselect ubuntu-desktop
# On live DVDs, don't spend huge amounts of time removing substantial
# application packages pulled in by language packs. Given that we clearly
# have the space to include them on the DVD, they're useful and we might as
# well keep them installed.
ubiquity ubiquity/keep-installed string icedtea6-plugin openoffice.org

# At the very end of installation:
# - install Nitrokey App
# - remove Amazon adware
# - finalize OEM install immediately
ubiquity ubiquity/success_command string \
    cp /cdrom/post-install.sh /target/root/; \
    chmod 0700 /target/root/post-install.sh; \
    in-target /root/post-install.sh

### Finishing up the installation
# Avoid that last message about the install being complete.
d-i finish-install/reboot_in_progress note
ubiquity ubiquity/reboot boolean true

# Ideally we'd prefer to poweroff, but it doesn't work
# https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1329417
# ubiquity ubiquity/poweroff boolean true

--------------------------------------------------------------------------------
/post-install.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env sh

# Prepare for shipping immediately
oem-config-prepare --quiet

# Remove Amazon ads
#apt-get -y remove ubuntu-web-launchers

# Install Nitrokey App
add-apt-repository -y ppa:nitrokey/nitrokey
apt-get -y install nitrokey-app

# Add a new dconf database and use it to append Nitrokey App to favorite apps
echo "user-db:user" > /etc/dconf/profile/user
echo "system-db:local" >> /etc/dconf/profile/user

mkdir -p /etc/dconf/db/local.d/

echo "[org/gnome/shell]" > /etc/dconf/db/local.d/01-favorites
grep favorite-apps /usr/share/glib-2.0/schemas/10_ubuntu-settings.gschema.override | sed "s/ ]$/, 'nitrokey-app.desktop' ]/" >> /etc/dconf/db/local.d/01-favorites

#dconf update

# Cleanup
rm /root/post-install.sh
--------------------------------------------------------------------------------
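make-image.sh above fetches the release ISO from releases.ubuntu.com with `wget -q` and feeds it straight to xorriso, so a truncated download or a tampered mirror would be baked into every shipped image unnoticed. The following is an added example for this page, not code from the repository: it checks an ISO against the SHA256SUMS file Ubuntu publishes in the same directory as the ISO (sha256sum format, `<hex>  <name>` or `<hex> *<name>`). The ISO bytes and the SHA256SUMS file used by `demo()` are constructed in a temporary directory so it runs offline; the filename is the one make-image.sh computes for 24.04. It does not cover the separate SHA256SUMS.gpg signature, which the pipeline would ideally verify as well.

```python
"""Verify a downloaded ISO against a sha256sum-format SHA256SUMS file
(constructed example; not part of the ubuntu-oem repository)."""
import hashlib
import hmac
import os
import sys
import tempfile
from typing import Dict


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Return {filename: hex digest}. Accepts the '*' binary-mode marker and
    skips blank, commented or malformed lines instead of failing on them."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue
        digest, name = parts
        try:
            bytes.fromhex(digest)
        except ValueError:
            continue
        sums[name.lstrip("*")] = digest.lower()
    return sums


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file: ISOs are several GiB, so never read them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_iso(iso_path: str, sums_path: str) -> bool:
    """True only when the ISO's basename is listed and its digest matches."""
    with open(sums_path, encoding="utf-8") as f:
        expected = parse_sha256sums(f.read())
    name = os.path.basename(iso_path)
    if name not in expected:
        return False  # an unlisted file is a failure, never a pass
    return hmac.compare_digest(sha256_file(iso_path), expected[name])


def demo() -> Dict[str, bool]:
    """Constructed fixture: stand-in ISO bytes, a matching SUMS line, then tampering."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "ubuntu-24.04-desktop-amd64.iso")  # name from make-image.sh
        with open(iso, "wb") as f:
            f.write(b"constructed stand-in for ISO contents\n" * 4096)
        sums = os.path.join(d, "SHA256SUMS")
        with open(sums, "w", encoding="utf-8") as f:
            f.write(f"{sha256_file(iso)} *ubuntu-24.04-desktop-amd64.iso\n")
            f.write("0" * 64 + " *constructed-other.iso\n")
        results = {"pristine": verify_iso(iso, sums)}
        with open(iso, "ab") as f:
            f.write(b"\x00")  # one extra byte: corruption or tampering in transit
        results["tampered"] = verify_iso(iso, sums)
        results["unlisted"] = verify_iso(os.path.join(d, "not-listed.iso"), sums)
        return results


if __name__ == "__main__":
    # Intended use in the build script, right after the wget:
    #   python3 verify_iso.py "$RELEASE_ISO_FILENAME" SHA256SUMS || exit 1
    sys.exit(0 if verify_iso(sys.argv[1], sys.argv[2]) else 1)
```

`demo()` returns `{"pristine": True, "tampered": False, "unlisted": False}`. Because make-image.sh runs under `set -e`, a non-zero exit from the check aborts the build before the unverified ISO is unpacked, which is the behaviour a release pipeline wants.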