I recently wanted to automate building a headless Debian testing (codename “buster”) virtual
machine, hosted on macOS, and it turned out to be somewhat more complicated than I expected, so I
thought I’d document it here for others’ benefit.
Instead of installing VirtualBox, VMware Fusion or Parallels, which are quite heavyweight virtual
machine apps, I wanted to run a headless VM using QEMU, which can be installed easily using
Homebrew. QEMU now supports hardware-accelerated x86 virtualisation on Macs using the
Hypervisor.framework built into macOS.
The script and preseed file to perform the fully automated install are here, and I’ll explain
the details behind what it does in this post.
On Debian, there’s a group named ssl-cert which grants access to TLS certificates and private keys, so that services that don’t run as the root user can still use TLS certificates. For example, the PostgreSQL Debian package installs PostgreSQL to run as a user named postgres, which is a member of the ssl-cert group, and so it can use certificates and private keys in /etc/ssl.
The certbot Let’s Encrypt client, by default, makes the certificates and private keys it installs readable only by the root user. There is an open issue against certbot requesting that, on Debian, certbot follow the Debian convention of making the certificates and keys readable by the ssl-cert group as well. In the meantime, until that issue is resolved, the group ownership can be set by a post-hook that certbot runs after obtaining or renewing a certificate.
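The post-hook described above, as an added example (not the post's own script): it re-applies the Debian ssl-cert convention to the files certbot manages. It assumes certbot keeps its state under /etc/letsencrypt (archive/ holds the real files, live/ holds symlinks into it) and that the group is named ssl-cert; both can be overridden by arguments.

```shell
#!/bin/sh
# Added example: restore the Debian ssl-cert group convention on certbot's files.
# Assumed layout: $le_dir/archive/<lineage>/privkeyN.pem with symlinks in $le_dir/live.
set -eu

fix_cert_perms() {
    le_dir="${1:-/etc/letsencrypt}"   # certbot config directory (assumed default)
    group="${2:-ssl-cert}"            # Debian group that may read TLS keys

    for sub in archive live; do
        [ -d "$le_dir/$sub" ] || continue
        # Group members need traverse (x) on the directories to reach the files.
        # The symlinks in live/ resolve into archive/, which is handled too.
        chgrp -R "$group" "$le_dir/$sub"
        find "$le_dir/$sub" -type d -exec chmod 750 {} +
    done

    if [ -d "$le_dir/archive" ]; then
        # Private keys: owner read/write, group read-only, nothing for others.
        # Any member of the group can read every key, as with /etc/ssl/private.
        find "$le_dir/archive" -type f -name 'privkey*.pem' -exec chmod 640 {} +
        # Certificates and chains are public material; world-readable is fine.
        find "$le_dir/archive" -type f ! -name 'privkey*.pem' -exec chmod 644 {} +
    fi
}

# Only act when run as the installed hook script, not when sourced elsewhere.
if [ "${0##*/}" = "fix-cert-perms" ]; then
    fix_cert_perms "$@"
fi
```

Install it as /usr/local/sbin/fix-cert-perms and pass it to certbot with `--post-hook /usr/local/sbin/fix-cert-perms`; certbot's `--deploy-hook` is an alternative that runs only when a certificate was actually obtained or renewed.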