# Debian Template Image Preparation and Cloning

ROUGH DRAFT

## Fresh Install of VM

### Fresh Debian Installation

To be documented

### Post-install Ubuntu Configuration

- Go to the Console tab and **Power On** the VM
- Once it comes up, login to your VM
- Get the VM IP:  
    ```
    ip addr
    ```
- SSH to the VM and login as your unprivileged user
- su to root (enter the root password)  
    ```
    su -
    ```
- Edit sources.list  
    ```
    deb http://deb.debian.org/debian bookworm main non-free-firmware
    deb-src http://deb.debian.org/debian bookworm main non-free-firmware
    
    deb http://security.debian.org/debian-security bookworm-security main non-free-firmware
    deb-src http://security.debian.org/debian-security bookworm-security main non-free-firmware
    
    deb http://deb.debian.org/debian bookworm-updates main non-free-firmware
    deb-src http://deb.debian.org/debian bookworm-updates main non-free-firmware
    ```
- Install sudo and add your user to sudo group  
    ```
    apt-get install sudo
    usermod -aG sudo johndoe
    ```
- Logout and reconnect via SSH
- Run any available upgrades and reboot
    
    ```
    sudo apt update && sudo apt upgrade -y && sudo reboot
    ```
    
    <div class="code panel pdl conf-macro output-block" data-hasbody="true" data-macro-name="code"><div class="codeContent panelContent pdl"><div><div class="syntaxhighlighter sh-confluence nogutter  python" id="bkmrk-"></div></div></div></div>
- Set up Chrony for time sync
    
    ```
    sudo apt install -y chrony && \
    sudo systemctl restart chrony && \
    chronyc tracking | grep --color=auto -e ^ -e "Last offset.*"
    ```
    
    <div class="code panel pdl conf-macro output-block" data-hasbody="true" data-macro-name="code"><div class="codeContent panelContent pdl"><div><div class="syntaxhighlighter sh-confluence nogutter  python" id="bkmrk--1"></div></div></div></div>
- Add /usr/sbin to default PATH ```
    sudo bash -c 'echo '\''PATH="/usr/sbin:$PATH"'\'' >> /etc/profile.d/usr_sbin_path.sh'
    ```

### VIM Tweaks

- Install VIM basic  
    ```
    sudo apt install vim
    ```
- Set VIM as the default editor  
    ```
    sudo update-alternatives --config editor
    ```

## Template Image Prep

### Set up OpenSSH Key Reconfiguration

<p class="callout info">If you simply clone a Debian image without resetting the OpenSSH server host keys, an attacker can take those host keys and perform a MITM SSH attack on any system that was cloned from the same image. So we have to make sure those are reset before we make the image, and then automatically regenerated on the next boot.</p>

- Copy/Paste/Run this entire chunk of script into your terminal (creates process that checks for missing keys at boot, and regenerates them if missing):
    
    ```
    if [ `systemctl is-enabled openssh-reconfigure.service 2> /dev/null > /dev/null || true && false` ] ; then \
      echo "OpenSSH Key Reconfiguration Service already installed." ; \
    else
      sudo bash -c 'cat << EOF > /usr/local/sbin/openssh-reconfigure
    #!/bin/bash
    test -f /etc/ssh/ssh_host_dsa_key || dpkg-reconfigure openssh-server
    EOF'
    sudo chmod 700 /usr/local/sbin/openssh-reconfigure
    sudo bash -c 'cat << EOF > /etc/systemd/system/openssh-reconfigure.service
    [Unit]
    Description=OpenSSH Key Reconfiguration Service
    Before=ssh.service
     
    [Service]
    Type=simple
    ExecStart=/usr/local/sbin/openssh-reconfigure
     
    [Install]
    WantedBy=multi-user.target
    EOF' ; \
      sudo chmod 644 /etc/systemd/system/openssh-reconfigure.service ; \
      sudo systemctl enable openssh-reconfigure.service ; \
    fi
    ```
- Delete the existing keys  
    ```
    sudo /bin/rm -v /etc/ssh/ssh_host_*
    ```

### Clear the Machine ID

- Run this:
    
    ```
    sudo bash -c "truncate -s0 /etc/machine-id ; \
    rm /var/lib/dbus/machine-id ; \
    ln -s /etc/machine-id /var/lib/dbus/machine-id"
    ```



### Genericize the interface config

- Make these alterations to `/etc/network/interfaces` in the `enX0` section. Leave the comments for the image/template user to understand what needs to happen to re-activate networking
    
    ```
    iface enX0 inet dhcp
    #iface enX0 inet static
    #       address 192.168.160.XXX
    #       netmask 255.255.254.0
    #       gateway 192.168.160.1
    #       dns-nameservers 192.168.160.105
    
    ```

### Clear the Bash, VIM, and other history

- Run this:
    
    ```
    rm -rf ~/.viminfo ~/.Xauthority ~/.cache
    sudo bash -c 'rm -rf ~/.viminfo ~/.Xauthority ~/.cache'
    sudo bash -c 'echo -n "" > /var/log/wtmp'
    sudo bash -c 'echo -n "" > /var/log/btmp'
    sudo bash -c 'echo -n "" > /var/log/lastlog'
     
    ### These should always run last
    sudo bash -c 'truncate -s0 ~/.bash_history ; history -c'
    truncate -s0 ~/.bash_history ; history -c
    ```

### Shutdown

- Run this:
    
    ```
    sudo shutdown -h now
    ```

## Create the Template or Image

### XCP-NG

#### Using XOA Xen Orchestra

- Go to **Home → VMs**
- Change the **Filters** to blank
- Click on your new VM
- Click on the name of the VM
- Change the name to: `TPL_D12.7.0_20240709172110`
    - `TPL` means this is a user-generated template
    - `D12.7.0` indicates this is Debian 12.7.0
    - `20240709172110` Indicates the revision date of THE DOCUMENT YOU ARE READING in UTC, ie 2024 July 9th, 17:21:10. This is used as a means of revision control.
- Click on **Advanced**
- Click **Convert to template**
- Click **OK** on the confirmation dialog