| author | kumvijaya <kuvmijaya@gmail.com> | 2024-09-26 11:31:07 +0530 |
|---|---|---|
| committer | kumvijaya <kuvmijaya@gmail.com> | 2024-09-26 11:31:07 +0530 |
| commit | a950059053f7394acfb453cc0d8194aa3dc721fa (patch) | |
| tree | eb0acf278f649b5d1417e18e34d728efcd16e745 /debian | |
| parent | f0815f3e9b212f424f5adb0c572a71119ad4a8a0 (diff) | |
| download | vyos-workflow-test-temp-a950059053f7394acfb453cc0d8194aa3dc721fa.tar.gz vyos-workflow-test-temp-a950059053f7394acfb453cc0d8194aa3dc721fa.zip | |
T6732: added same as vyos 1x
Diffstat (limited to 'debian')
| -rw-r--r-- | debian/changelog | 10 | ||||
| -rw-r--r-- | debian/compat | 1 | ||||
| -rw-r--r-- | debian/control | 384 | ||||
| -rw-r--r-- | debian/copyright | 35 | ||||
| -rw-r--r-- | debian/lintian-overrides | 6 | ||||
| -rw-r--r-- | debian/rules | 143 | ||||
| -rw-r--r-- | debian/vyos-1x-smoketest.install | 6 | ||||
| -rw-r--r-- | debian/vyos-1x-smoketest.postinst | 10 | ||||
| -rw-r--r-- | debian/vyos-1x-vmware.install | 1 | ||||
| -rw-r--r-- | debian/vyos-1x-vmware.preinst | 1 | ||||
| -rw-r--r-- | debian/vyos-1x.install | 43 | ||||
| -rw-r--r-- | debian/vyos-1x.links | 2 | ||||
| -rw-r--r-- | debian/vyos-1x.postinst | 264 | ||||
| -rw-r--r-- | debian/vyos-1x.preinst | 11 |
14 files changed, 917 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..d64c668
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,10 @@
+vyos-1x (1.5dev0) unstable; urgency=medium
+
+ * Dummy changelog entry for vyos-1x repository
+ This is a internal VyOS package and the VyOS package process does not use
+ the debian package changelog for its changes, please refer to the
+ GitHub commitlog and the vyos release-notes for more details.
+ The correct verion number of this package is auto-generated by GIT
+ on build-time
+
+ -- VyOS maintainers and contributors <maintainers@vyos.io> Sun, 10 Sep 2023 15:42:53 +0200
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..48082f7
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+12
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..f8cfb87
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,384 @@
+Source: vyos-1x
+Section: contrib/net
+Priority: extra
+Maintainer: VyOS Package Maintainers <maintainers@vyos.net>
+Build-Depends:
+ debhelper (>= 9),
+ dh-python,
+ fakeroot,
+ gcc,
+ iproute2,
+ libvyosconfig0 (>= 0.0.7),
+ libzmq3-dev,
+ python3 (>= 3.10),
+# For QA
+ pylint,
+# For generating command definitions
+ python3-lxml,
+ python3-xmltodict,
+# For running tests
+ python3-coverage,
+ python3-hurry.filesize,
+ python3-netaddr,
+ python3-netifaces,
+ python3-nose,
+ python3-jinja2,
+ python3-paramiko,
+ python3-passlib,
+ python3-psutil,
+ python3-requests,
+ python3-setuptools,
+ python3-tabulate,
+ python3-zmq,
+ quilt,
+ whois
+Standards-Version: 3.9.6
+
+Package: vyos-1x
+Architecture: amd64 arm64
+Pre-Depends:
+ libpam-runtime [amd64],
+ libnss-tacplus [amd64],
+ libpam-tacplus [amd64],
+ libpam-radius-auth [amd64]
+Depends:
+## Fundamentals
+ ${python3:Depends} (>= 3.10),
+ dialog,
+ libvyosconfig0,
+ libpam-cap,
+ bash-completion,
+ ipvsadm,
+ udev,
+ less,
+ at,
+ rsync,
+ vyatta-bash,
+ vyatta-biosdevname,
+ vyatta-cfg,
+ vyos-http-api-tools,
+ vyos-utils,
+## End of Fundamentals
+## Python libraries used in multiple modules and scripts
+ python3,
+ python3-cryptography,
+ python3-hurry.filesize,
+ python3-inotify,
+ python3-jinja2,
+ python3-jmespath,
+ python3-netaddr,
+ python3-netifaces,
+ python3-paramiko,
+ python3-passlib,
+ python3-pyroute2,
+ python3-psutil,
+ python3-pyhumps,
+ python3-pystache,
+ python3-pyudev,
+ python3-six,
+ python3-tabulate,
+ python3-voluptuous,
+ python3-xmltodict,
+ python3-zmq,
+## End of Python libraries
+## Basic System services and utilities
+ coreutils,
+ sudo,
+ systemd,
+ bsdmainutils,
+ openssl,
+ curl,
+ dbus,
+ file,
+ iproute2 (>= 6.0.0),
+ linux-cpupower,
+# ipaddrcheck is widely used in IP value validators
+ ipaddrcheck,
+ ethtool (>= 6.10),
+ lm-sensors,
+ procps,
+ netplug,
+ sed,
+ ssl-cert,
+ tuned,
+ beep,
+ wide-dhcpv6-client,
+# Generic colorizer
+ grc,
+## End of System services and utilities
+## For the installer
+ fdisk,
+ gdisk,
+ mdadm,
+ efibootmgr,
+ libefivar1,
+ dosfstools,
+ grub-efi-amd64-signed [amd64],
+ grub-efi-arm64-bin [arm64],
+ mokutil [amd64],
+ shim-signed [amd64],
+ sbsigntool [amd64],
+# Image signature verification tool
+ minisign,
+# Live filesystem tools
+ squashfs-tools,
+ fuse-overlayfs,
+## End installer
+ auditd,
+ iputils-arping,
+ iputils-ping,
+ isc-dhcp-client,
+# For "vpn pptp", "vpn l2tp", "vpn sstp", "service ipoe-server"
+ accel-ppp,
+# End "vpn pptp", "vpn l2tp", "vpn sstp", "service ipoe-server"
+ avahi-daemon,
+ conntrack,
+ conntrackd,
+## Conf mode features
+# For "interfaces wireless"
+ hostapd,
+ hsflowd,
+ iw,
+ wireless-regdb,
+ wpasupplicant (>= 0.6.7),
+# End "interfaces wireless"
+# For "interfaces wwan"
+ modemmanager,
+ usb-modeswitch,
+ libqmi-utils,
+# End "interfaces wwan"
+# For "interfaces openvpn"
+ openvpn,
+ openvpn-auth-ldap,
+ openvpn-auth-radius,
+ openvpn-otp,
+ openvpn-dco,
+ libpam-google-authenticator,
+# End "interfaces openvpn"
+# For "interfaces wireguard"
+ wireguard-tools,
+ qrencode,
+# End "interfaces wireguard"
+# For "interfaces pppoe"
+ pppoe,
+# End "interfaces pppoe"
+# For "interfaces sstpc"
+ sstp-client,
+# End "interfaces sstpc"
+# For "protocols *"
+ frr (>= 9.1),
+ frr-pythontools,
+ frr-rpki-rtrlib,
+ frr-snmp,
+# End "protocols *"
+# For "protocols nhrp" (part of DMVPN)
+ opennhrp,
+# End "protocols nhrp"
+# For "protocols igmp-proxy"
+ igmpproxy,
+# End "protocols igmp-proxy"
+# For "pki"
+ certbot,
+# End "pki"
+# For "service console-server"
+ conserver-client,
+ conserver-server,
+ console-data,
+ dropbear,
+# End "service console-server"
+# For "service aws glb"
+ aws-gwlbtun,
+# For "service dns dynamic"
+ ddclient (>= 3.11.1),
+# End "service dns dynamic"
+# # For "service ids"
+ fastnetmon [amd64],
+ suricata,
+ suricata-update,
+# End "service ids"
+# # For "service ndp-proxy"
+ ndppd,
+# End "service ndp-proxy"
+# For "service router-advert"
+ radvd,
+# End "service route-advert"
+# For "load-balancing reverse-proxy"
+ haproxy,
+# End "load-balancing reverse-proxy"
+# For "load-balancing wan"
+ vyatta-wanloadbalance,
+# End "load-balancing wan"
+# For "service dhcp-relay"
+ isc-dhcp-relay,
+# For "service dhcp-server"
+ kea,
+# End "service dhcp-server"
+# For "service lldp"
+ lldpd,
+# End "service lldp"
+# For "service https"
+ nginx-light,
+# End "service https"
+# For "service ssh"
+ openssh-server,
+ sshguard,
+# End "service ssh"
+# For "service salt-minion"
+ salt-minion,
+# End "service salt-minion"
+# For "service snmp"
+ snmp,
+ snmpd,
+# End "service snmp"
+# For "service webproxy"
+ squid,
+ squidclient,
+ squidguard,
+# End "service webproxy"
+# For "service monitoring telegraf"
+ telegraf (>= 1.20),
+# End "service monitoring telegraf"
+# For "service monitoring zabbix-agent"
+ zabbix-agent2,
+# End "service monitoring zabbix-agent"
+# For "service tftp-server"
+ tftpd-hpa,
+# End "service tftp-server"
+# For "service dns forwarding"
+ pdns-recursor,
+# End "service dns forwarding"
+# For "service sla owamp"
+ owamp-client,
+ owamp-server,
+# End "service sla owamp"
+# For "service sla twamp"
+ twamp-client,
+ twamp-server,
+# End "service sla twamp"
+# For "service broadcast-relay"
+ udp-broadcast-relay,
+# End "service broadcast-relay"
+# For "high-availability vrrp"
+ keepalived (>=2.0.5),
+# End "high-availability-vrrp"
+# For "system console"
+ util-linux,
+# End "system console"
+# For "system task-scheduler"
+ cron,
+# End "system task-scheduler"
+# For "system lcd"
+ lcdproc,
+ lcdproc-extra-drivers,
+# End "system lcd"
+# For "system config-management commit-archive"
+ git,
+# End "system config-management commit-archive"
+# For firewall
+ libndp-tools,
+ libnetfilter-conntrack3,
+ libnfnetlink0,
+ nfct,
+ nftables (>= 0.9.3),
+# For "vpn ipsec"
+ strongswan (>= 5.9),
+ strongswan-swanctl (>= 5.9),
+ charon-systemd,
+ libcharon-extra-plugins (>=5.9),
+ libcharon-extauth-plugins (>=5.9),
+ libstrongswan-extra-plugins (>=5.9),
+ libstrongswan-standard-plugins (>=5.9),
+ python3-vici (>= 5.7.2),
+# End "vpn ipsec"
+# For "nat64"
+ jool,
+# End "nat64"
+# For "system conntrack modules rtsp"
+ nat-rtsp,
+# End "system conntrack modules rtsp"
+# For "service ntp"
+ chrony,
+# End "system ntp"
+# For "vpn openconnect"
+ ocserv,
+# End "vpn openconnect"
+# For "system flow-accounting"
+ pmacct (>= 1.6.0),
+# End "system flow-accounting"
+# For "system syslog"
+ rsyslog,
+# End "system syslog"
+# For "system option keyboard-layout"
+ kbd,
+# End "system option keyboard-layout"
+# For "container"
+ podman (>=4.9.5),
+ netavark,
+ aardvark-dns,
+# iptables is only used for containers now, not the the firewall CLI
+ iptables,
+# End container
+## End Configuration mode
+## Operational mode
+# Used for hypervisor model in "run show version"
+ hvinfo,
+# For "run traceroute"
+ traceroute,
+# For "run monitor traffic"
+ tcpdump,
+# End "run monitor traffic"
+# For "show hardware dmi"
+ dmidecode,
+# For "run show hardware storage smart"
+ smartmontools,
+# For "run show hardware scsi"
+ lsscsi,
+# For "run show hardware pci"
+ pciutils,
+# For "show hardware usb"
+ usbutils,
+# For "run show hardware storage nvme"
+ nvme-cli,
+# For "run monitor bandwidth-test"
+ iperf,
+ iperf3,
+# End "run monitor bandwidth-test"
+# For "run wake-on-lan"
+ etherwake,
+# For "run force ipv6-nd"
+ ndisc6,
+# For "run monitor bandwidth"
+ bmon,
+# For "run format disk"
+ parted,
+# End Operational mode
+## TPM tools
+ cryptsetup,
+ tpm2-tools,
+## End TPM tools
+## Optional utilities
+ easy-rsa,
+ tcptraceroute,
+ mtr-tiny,
+ telnet,
+ stunnel4,
+ uidmap
+## End optional utilities
+Description: VyOS configuration scripts and data
+ VyOS configuration scripts, interface definitions, and everything
+
+Package: vyos-1x-vmware
+Architecture: amd64
+Depends:
+ vyos-1x,
+ open-vm-tools
+Description: VyOS configuration scripts and data for VMware
+ Adds configuration files required for VyOS running on VMware hosts.
+
+Package: vyos-1x-smoketest
+Architecture: all
+Depends:
+ skopeo,
+ snmp,
+ vyos-1x
+Description: VyOS build sanity checking toolkit
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..20704c4
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,35 @@
+This package was debianized by Daniil Baturin <daniil@baturin.org> on
+Thu, 17 Aug 2017 20:17:04 -0400
+
+It's original content from the GIT repository <http://github.com/vyos/vyos-1x>
+
+Upstream Author:
+
+ <maintainers@vyos.net>
+
+Copyright:
+
+ Copyright (C) 2017 VyOS maintainers and contributors
+ All Rights Reserved.
+
+License:
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+This program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+A copy of the GNU General Public License is available as
+`/usr/share/common-licenses/GPL' in the Debian GNU/Linux distribution
+or on the World Wide Web at `http://www.gnu.org/copyleft/gpl.html'.
+You can also obtain it by writing to the Free Software Foundation,
+Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+MA 02110-1301, USA.
+
+The Debian packaging is (C) 2017, Daniil Baturin <daniil@baturin.org> and
+is licensed under the GPL, see above.
diff --git a/debian/lintian-overrides b/debian/lintian-overrides
new file mode 100644
index 0000000..6c5d671
--- /dev/null
+++ b/debian/lintian-overrides
@@ -0,0 +1,6 @@
+# It's FSH compliant!
+vyos-1x: file-in-unusual-dir usr/libexec/*
+vyos-1x: non-standard-dir-in-usr usr/libexec/
+
+# Nothing we can do about that right now
+vyos-1x: dir-or-file-in-opt
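Review bot: In debian/control, `Build-Depends` asks only for `debhelper (>= 9)` while debian/compat, added in the same commit, declares compat level 12, so a build host with debhelper 9 to 11 satisfies the dependency and then fails inside dh; the line should read `debhelper (>= 12),`. The `Depends` list of vyos-1x also pulls in every feature daemon and client (telnet, tftpd-hpa, dropbear, salt-minion, squid and so on) unconditionally, which makes each of them part of the patch surface of every install whether or not the feature is configured. If that is deliberate for an appliance image, a short comment at the top of the stanza, for example `# All feature packages are hard dependencies by design; services stay disabled until configured`, would record the decision and the assumption it rests on.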
diff --git a/debian/rules b/debian/rules
new file mode 100644
index 0000000..df1d9e7
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,143 @@
+#!/usr/bin/make -f
+
+DIR := debian/tmp
+VYOS_SBIN_DIR := usr/sbin
+VYOS_BIN_DIR := usr/bin
+VYOS_LIBEXEC_DIR := usr/libexec/vyos
+VYOS_DATA_DIR := usr/share/vyos
+VYOS_CFG_TMPL_DIR := opt/vyatta/share/vyatta-cfg/templates
+VYOS_OP_TMPL_DIR := opt/vyatta/share/vyatta-op/templates
+VYOS_MIBS_DIR := usr/share/snmp/mibs
+VYOS_LOCALUI_DIR := srv/localui
+
+MIGRATION_SCRIPTS_DIR := opt/vyatta/etc/config-migrate/migrate
+ACTIVATION_SCRIPTS_DIR := usr/libexec/vyos/activate
+SYSTEM_SCRIPTS_DIR := usr/libexec/vyos/system
+SERVICES_DIR := usr/libexec/vyos/services
+
+DEB_TARGET_ARCH := $(shell dpkg-architecture -qDEB_TARGET_ARCH)
+
+%:
+ dh $@ --with python3, --with quilt
+
+# Skip dh_strip_nondeterminism - this is very time consuming
+# and we have no non deterministic output (yet)
+override_dh_strip_nondeterminism:
+
+override_dh_gencontrol:
+ dh_gencontrol -- -v$(shell (git describe --tags --long --match 'vyos/*' --match '1.4.*' --dirty 2>/dev/null || echo 0.0-no.git.tag) | sed -E 's%vyos/%%' | sed -E 's%-dirty%+dirty%')
+
+override_dh_auto_build:
+ make all
+
+override_dh_auto_install:
+ dh_auto_install
+
+ cd python; python3 setup.py install --install-layout=deb --root ../$(DIR); cd ..
+
+ # Install scripts
+ mkdir -p $(DIR)/$(VYOS_SBIN_DIR)
+ mkdir -p $(DIR)/$(VYOS_BIN_DIR)
+ cp -r src/utils/* $(DIR)/$(VYOS_BIN_DIR)
+ cp src/shim/vyshim $(DIR)/$(VYOS_SBIN_DIR)
+
+ # Install conf mode scripts
+ mkdir -p $(DIR)/$(VYOS_LIBEXEC_DIR)/conf_mode
+ cp -r src/conf_mode/* $(DIR)/$(VYOS_LIBEXEC_DIR)/conf_mode
+
+ # Install op mode scripts
+ mkdir -p $(DIR)/$(VYOS_LIBEXEC_DIR)/op_mode
+ cp -r src/op_mode/* $(DIR)/$(VYOS_LIBEXEC_DIR)/op_mode
+
+ # Install op mode scripts
+ mkdir -p $(DIR)/$(VYOS_LIBEXEC_DIR)/init
+ cp -r src/init/* $(DIR)/$(VYOS_LIBEXEC_DIR)/init
+
+ # Install validators
+ mkdir -p $(DIR)/$(VYOS_LIBEXEC_DIR)/validators
+ cp -r src/validators/* $(DIR)/$(VYOS_LIBEXEC_DIR)/validators
+
+ # Install completion helpers
+ mkdir -p $(DIR)/$(VYOS_LIBEXEC_DIR)/completion
+ cp -r src/completion/* $(DIR)/$(VYOS_LIBEXEC_DIR)/completion
+
+ # Install helper scripts
+ cp -r src/helpers/* $(DIR)/$(VYOS_LIBEXEC_DIR)/
+
+ # Install migration scripts
+ mkdir -p $(DIR)/$(MIGRATION_SCRIPTS_DIR)
+ cp -r src/migration-scripts/* $(DIR)/$(MIGRATION_SCRIPTS_DIR)
+
+ # Install activation scripts
+ mkdir -p $(DIR)/$(ACTIVATION_SCRIPTS_DIR)
+ cp -r src/activation-scripts/* $(DIR)/$(ACTIVATION_SCRIPTS_DIR)
+
+ # Install system scripts
+ mkdir -p $(DIR)/$(SYSTEM_SCRIPTS_DIR)
+ cp -r src/system/* $(DIR)/$(SYSTEM_SCRIPTS_DIR)
+
+ # Install system services
+ mkdir -p $(DIR)/$(SERVICES_DIR)
+ cp -r src/services/* $(DIR)/$(SERVICES_DIR)
+
+ # Install configuration command definitions
+ mkdir -p $(DIR)/$(VYOS_CFG_TMPL_DIR)
+ cp -r templates-cfg/* $(DIR)/$(VYOS_CFG_TMPL_DIR)
+
+ # Install operational command definitions
+ mkdir -p $(DIR)/$(VYOS_OP_TMPL_DIR)
+ cp -r templates-op/* $(DIR)/$(VYOS_OP_TMPL_DIR)
+
+ # Install data files
+ mkdir -p $(DIR)/$(VYOS_DATA_DIR)
+ cp -r data/* $(DIR)/$(VYOS_DATA_DIR)
+
+ # Create localui dir
+ mkdir -p $(DIR)/$(VYOS_LOCALUI_DIR)
+
+ # Install SNMP MIBs
+ mkdir -p $(DIR)/$(VYOS_MIBS_DIR)
+ cp -d mibs/* $(DIR)/$(VYOS_MIBS_DIR)
+
+ # Install etc configuration files
+ mkdir -p $(DIR)/etc
+ cp -r src/etc/* $(DIR)/etc
+
+ # Install legacy Vyatta files
+ mkdir -p $(DIR)/opt
+ cp -r src/opt/* $(DIR)/opt
+
+ # Install PAM configuration snippets
+ mkdir -p $(DIR)/usr/share/pam-configs
+ cp -r src/pam-configs/* $(DIR)/usr/share/pam-configs
+
+ # Install systemd service units
+ mkdir -p $(DIR)/lib/systemd/system
+ cp -r src/systemd/* $(DIR)/lib/systemd/system
+
+ # Make directory for generated configuration file
+ mkdir -p $(DIR)/etc/vyos
+
+ # Install smoke test scripts
+ mkdir -p $(DIR)/$(VYOS_LIBEXEC_DIR)/tests/smoke/
+ cp -r smoketest/scripts/* $(DIR)/$(VYOS_LIBEXEC_DIR)/tests/smoke
+
+ # Install smoke test configs
+ mkdir -p $(DIR)/$(VYOS_LIBEXEC_DIR)/tests/config/
+ cp -r smoketest/configs/* $(DIR)/$(VYOS_LIBEXEC_DIR)/tests/config
+
+ # Install smoke test config tests
+ mkdir -p $(DIR)/$(VYOS_LIBEXEC_DIR)/tests/config-tests/
+ cp -r smoketest/config-tests/* $(DIR)/$(VYOS_LIBEXEC_DIR)/tests/config-tests
+
+ # Install system programs
+ mkdir -p $(DIR)/$(VYOS_BIN_DIR)
+ cp -r smoketest/bin/* $(DIR)/$(VYOS_BIN_DIR)
+
+ # Install udev script
+ mkdir -p $(DIR)/usr/lib/udev
+ cp src/helpers/vyos_net_name $(DIR)/usr/lib/udev
+
+override_dh_installsystemd:
+ dh_installsystemd -pvyos-1x --name vyos-router vyos-router.service
+ dh_installsystemd -pvyos-1x --name vyos vyos.target
diff --git a/debian/vyos-1x-smoketest.install b/debian/vyos-1x-smoketest.install
new file mode 100644
index 0000000..739cb18
--- /dev/null
+++ b/debian/vyos-1x-smoketest.install
@@ -0,0 +1,6 @@
+usr/bin/vyos-smoketest
+usr/bin/vyos-configtest
+usr/bin/vyos-configtest-pki
+usr/libexec/vyos/tests/smoke
+usr/libexec/vyos/tests/config
+usr/libexec/vyos/tests/config-tests
diff --git a/debian/vyos-1x-smoketest.postinst b/debian/vyos-1x-smoketest.postinst
new file mode 100644
index 0000000..1861280
--- /dev/null
+++ b/debian/vyos-1x-smoketest.postinst
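Review bot: In debian/rules, `override_dh_auto_build` invokes `make all` directly; inside a makefile the sub-build should be `$(MAKE) all` so that `-j`, `-n` and the jobserver flags passed to the packaging build reach it. The catch-all target `dh $@ --with python3, --with quilt` carries a stray comma after `python3`; `dh $@ --with python3,quilt` says the same thing without leaning on how dh treats an empty addon name. In `override_dh_gencontrol` the `2>/dev/null || echo 0.0-no.git.tag` fallback silently stamps that placeholder version on any build made outside a git checkout, so a comment on that line saying when the fallback is expected would help whoever later has to trace where such a package came from.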
@@ -0,0 +1,10 @@
+#!/bin/sh -e
+
+BUSYBOX_TAG="docker.io/library/busybox:stable"
+OUTPUT_PATH="/usr/share/vyos/busybox-stable.tar"
+
+if [[ -f $OUTPUT_PATH ]]; then
+ rm -f $OUTPUT_PATH
+fi
+
+skopeo copy --additional-tag "$BUSYBOX_TAG" "docker://$BUSYBOX_TAG" "docker-archive:/$OUTPUT_PATH"
diff --git a/debian/vyos-1x-vmware.install b/debian/vyos-1x-vmware.install
new file mode 100644
index 0000000..7150156
--- /dev/null
+++ b/debian/vyos-1x-vmware.install
@@ -0,0 +1 @@
+etc/vmware-tools
diff --git a/debian/vyos-1x-vmware.preinst b/debian/vyos-1x-vmware.preinst
new file mode 100644
index 0000000..2e61252
--- /dev/null
+++ b/debian/vyos-1x-vmware.preinst
@@ -0,0 +1 @@
+dpkg-divert --package vyos-1x-vmware --add --rename /etc/vmware-tools/tools.conf
diff --git a/debian/vyos-1x.install b/debian/vyos-1x.install
new file mode 100644
index 0000000..7171911
--- /dev/null
+++ b/debian/vyos-1x.install
@@ -0,0 +1,43 @@
+etc/bash_completion.d
+etc/commit
+etc/default
+etc/dhcp
+etc/ipsec.d
+etc/logrotate.d
+etc/netplug
+etc/opennhrp
+etc/modprobe.d
+etc/ppp
+etc/rsyslog.conf
+etc/securetty
+etc/security
+etc/skel
+etc/sudoers.d
+etc/systemd
+etc/sysctl.d
+etc/telegraf
+etc/udev
+etc/update-motd.d
+etc/vyos
+lib/
+opt/
+srv/localui
+usr/sbin
+usr/bin/config-mgmt
+usr/bin/initial-setup
+usr/bin/vyos-config-file-query
+usr/bin/vyos-config-to-commands
+usr/bin/vyos-config-to-json
+usr/bin/vyos-hostsd-client
+usr/lib
+usr/libexec/vyos/activate
+usr/libexec/vyos/completion
+usr/libexec/vyos/conf_mode
+usr/libexec/vyos/init
+usr/libexec/vyos/op_mode
+usr/libexec/vyos/services
+usr/libexec/vyos/system
+usr/libexec/vyos/validators
+usr/libexec/vyos/*.py
+usr/libexec/vyos/*.sh
+usr/share
diff --git a/debian/vyos-1x.links b/debian/vyos-1x.links
new file mode 100644
index 0000000..402c913
--- /dev/null
+++ b/debian/vyos-1x.links
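Review bot: The `skopeo copy` on the last line of debian/vyos-1x-smoketest.postinst fetches `docker.io/library/busybox:stable` over the network as root at package-configure time, and `stable` is a mutable tag, so the content of /usr/share/vyos/busybox-stable.tar is whatever the registry serves on the day of install, with nothing pinning or verifying it. Pin the source by digest and keep the tag only as the label inside the archive, e.g. `skopeo copy --additional-tag "$BUSYBOX_TAG" "docker://docker.io/library/busybox@sha256:<PINNED_DIGEST>" "docker-archive:$OUTPUT_PATH"` (placeholder digest), or ship the archive inside the package so installation needs no registry access. Separately, the shebang is `#!/bin/sh -e` but the guard uses `[[ -f $OUTPUT_PATH ]]`, which a POSIX sh such as dash does not provide; there the test fails, the `rm` is skipped, and a reinstall will probably stop at skopeo because the archive already exists. Since `rm -f` tolerates a missing file, the whole `if` can be replaced by `rm -f "$OUTPUT_PATH"`.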
@@ -0,0 +1,2 @@
+/etc/netplug/linkup.d/vyos-python-helper /etc/netplug/linkdown.d/vyos-python-helper
+/usr/libexec/vyos/system/standalone_root_pw_reset /opt/vyatta/sbin/standalone_root_pw_reset
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
new file mode 100644
index 0000000..dc8ada2
--- /dev/null
+++ b/debian/vyos-1x.postinst
@@ -0,0 +1,264 @@
+#!/bin/bash
+
+# Turn off Debian default for %sudo
+sed -i -e '/^%sudo/d' /etc/sudoers || true
+
+# Add minion user for salt-minion
+if ! grep -q '^minion' /etc/passwd; then
+ adduser --quiet --firstuid 100 --system --disabled-login --ingroup vyattacfg \
+ --gecos "salt minion user" --shell /bin/vbash minion
+ adduser --quiet minion frrvty
+ adduser --quiet minion sudo
+ adduser --quiet minion adm
+ adduser --quiet minion dip
+ adduser --quiet minion disk
+ adduser --quiet minion users
+ adduser --quiet minion frr
+fi
+
+# OpenVPN should get its own user
+if ! grep -q '^openvpn' /etc/passwd; then
+ adduser --quiet --firstuid 100 --system --group --shell /usr/sbin/nologin openvpn
+fi
+
+# We need to have a group for RADIUS service users to use it inside PAM rules
+if ! grep -q '^radius' /etc/group; then
+ addgroup --firstgid 1000 --quiet radius
+fi
+
+# Remove TACACS user added by base package - we use our own UID range and group
+# assignments - see below
+if grep -q '^tacacs' /etc/passwd; then
+ if [ $(id -u tacacs0) -ge 1000 ]; then
+ level=0
+ vyos_group=vyattaop
+ while [ $level -lt 16 ]; do
+ userdel tacacs${level} || true
+ rm -rf /home/tacacs${level} || true
+ level=$(( level+1 ))
+ done 2>&1
+ fi
+fi
+
+# Remove TACACS+ PAM default profile
+if [[ -e /usr/share/pam-configs/tacplus ]]; then
+ rm /usr/share/pam-configs/tacplus
+fi
+
+# Add TACACS system users required for TACACS based system authentication
+if ! grep -q '^tacacs' /etc/passwd; then
+ # Add the tacacs group and all 16 possible tacacs privilege-level users to
+ # the password file, home directories, etc. The accounts are not enabled
+ # for local login, since they are only used to provide uid/gid/homedir for
+ # the mapped TACACS+ logins (and lookups against them). The tacacs15 user
+ # is also added to the sudo group, and vyattacfg group rather than vyattaop
+ # (used for tacacs0-14).
+ level=0
+ vyos_group=vyattaop
+ while [ $level -lt 16 ]; do
+ adduser --quiet --system --firstuid 900 --disabled-login --ingroup tacacs \
+ --no-create-home --gecos "TACACS+ mapped user at privilege level ${level}" \
+ --shell /bin/vbash tacacs${level}
+ adduser --quiet tacacs${level} frrvty
+ adduser --quiet tacacs${level} adm
+ adduser --quiet tacacs${level} dip
+ adduser --quiet tacacs${level} users
+ if [ $level -lt 15 ]; then
+ adduser --quiet tacacs${level} vyattaop
+ adduser --quiet tacacs${level} operator
+ else
+ adduser --quiet tacacs${level} vyattacfg
+ adduser --quiet tacacs${level} sudo
+ adduser --quiet tacacs${level} disk
+ adduser --quiet tacacs${level} frr
+ adduser --quiet tacacs${level} _kea
+ fi
+ level=$(( level+1 ))
+ done 2>&1 | grep -v "User tacacs${level} already exists"
+fi
+
+# Add RADIUS operator user for RADIUS authenticated users to map to
+if ! grep -q '^radius_user' /etc/passwd; then
+ adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \
+ --no-create-home --gecos "RADIUS mapped user at privilege level operator" \
+ --shell /sbin/radius_shell radius_user
+ adduser --quiet radius_user frrvty
+ adduser --quiet radius_user vyattaop
+ adduser --quiet radius_user operator
+ adduser --quiet radius_user adm
+ adduser --quiet radius_user dip
+ adduser --quiet radius_user users
+fi
+
+# Add RADIUS admin user for RADIUS authenticated users to map to
+if ! grep -q '^radius_priv_user' /etc/passwd; then
+ adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \
+ --no-create-home --gecos "RADIUS mapped user at privilege level admin" \
+ --shell /sbin/radius_shell radius_priv_user
+ adduser --quiet radius_priv_user frrvty
+ adduser --quiet radius_priv_user vyattacfg
+ adduser --quiet radius_priv_user sudo
+ adduser --quiet radius_priv_user adm
+ adduser --quiet radius_priv_user dip
+ adduser --quiet radius_priv_user disk
+ adduser --quiet radius_priv_user users
+ adduser --quiet radius_priv_user frr
+ adduser --quiet radius_priv_user _kea
+fi
+
+# add hostsd group for vyos-hostsd
+if ! grep -q '^hostsd' /etc/group; then
+ addgroup --quiet --system hostsd
+fi
+
+# Add _kea user for kea-dhcp{4,6}-server to vyattacfg
+# The user should exist via kea-common installed as transitive dependency
+if grep -q '^_kea' /etc/passwd; then
+ adduser --quiet _kea vyattacfg
+fi
+
+# ensure the proxy user has a proper shell
+chsh -s /bin/sh proxy
+
+# Set file capabilities
+setcap cap_net_admin=pe /sbin/ethtool
+setcap cap_net_admin=pe /sbin/tc
+setcap cap_net_admin=pe /bin/ip
+setcap cap_net_admin=pe /sbin/xtables-legacy-multi
+setcap cap_net_admin=pe /sbin/xtables-nft-multi
+setcap cap_net_admin=pe /usr/sbin/conntrack
+setcap cap_net_admin=pe /usr/sbin/arp
+setcap cap_net_raw=pe /usr/bin/tcpdump
+setcap cap_net_admin,cap_sys_admin=pe /sbin/sysctl
+setcap cap_sys_module=pe /bin/kmod
+setcap cap_sys_time=pe /bin/date
+
+# create needed directories
+mkdir -p /var/log/user
+mkdir -p /var/core
+mkdir -p /opt/vyatta/etc/config/auth
+mkdir -p /opt/vyatta/etc/config/scripts
+mkdir -p /opt/vyatta/etc/config/user-data
+mkdir -p /opt/vyatta/etc/config/support
+chown -R root:vyattacfg /opt/vyatta/etc/config
+chmod -R 775 /opt/vyatta/etc/config
+mkdir -p /opt/vyatta/etc/logrotate
+mkdir -p /opt/vyatta/etc/netdevice.d
+
+touch /etc/environment
+
+if [ ! -f /etc/bash_completion ]; then
+ echo "source /etc/bash_completion.d/10vyatta-op" > /etc/bash_completion
+ echo "source /etc/bash_completion.d/20vyatta-cfg" >> /etc/bash_completion
+fi
+
+sed -i 's/^set /builtin set /' /etc/bash_completion
+
+# Fix up PAM configuration for login so that invalid users are prompted
+# for password
+sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login
+
+# Change default shell for new accounts
+sed -i -e ':^DSHELL:s:/bin/bash:/bin/vbash:' /etc/adduser.conf
+
+# Do not allow users to change full name field (controlled by vyos-1x)
+sed -i -e 's/^CHFN_RESTRICT/#&/' /etc/login.defs
+
+# Only allow root to use passwd command
+if ! grep -q 'pam_succeed_if.so' /etc/pam.d/passwd ; then
+ sed -i -e '/^@include/i \
+password requisite pam_succeed_if.so user = root
+' /etc/pam.d/passwd
+fi
+
+# remove unnecessary ddclient script in /etc/ppp/ip-up.d/
+# this logs unnecessary messages trying to start ddclient
+rm -f /etc/ppp/ip-up.d/ddclient
+
+# create /opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script
+PRECONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script
+if [ ! -x $PRECONFIG_SCRIPT ]; then
+ mkdir -p $(dirname $PRECONFIG_SCRIPT)
+ touch $PRECONFIG_SCRIPT
+ chmod 755 $PRECONFIG_SCRIPT
+ cat <<EOF >>$PRECONFIG_SCRIPT
+#!/bin/sh
+# This script is executed at boot time before VyOS configuration is applied.
+# Any modifications required to work around unfixed bugs or use
+# services not available through the VyOS CLI system can be placed here.
+
+EOF
+fi
+
+# create /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
+POSTCONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
+if [ ! -x $POSTCONFIG_SCRIPT ]; then
+ mkdir -p $(dirname $POSTCONFIG_SCRIPT)
+ touch $POSTCONFIG_SCRIPT
+ chmod 755 $POSTCONFIG_SCRIPT
+ cat <<EOF >>$POSTCONFIG_SCRIPT
+#!/bin/sh
+# This script is executed at boot time after VyOS configuration is fully applied.
+# Any modifications required to work around unfixed bugs
+# or use services not available through the VyOS CLI system can be placed here.
+
+EOF
+fi
+
+# symlink destination is deleted during ISO assembly - this generates some noise
+# when the system boots: systemd-sysv-generator[1881]: stat() failed on
+# /etc/init.d/README, ignoring: No such file or directory. Thus we simply drop
+# the file.
+if [ -L /etc/init.d/README ]; then
+ rm -f /etc/init.d/README
+fi
+
+# Remove unwanted daemon files from /etc
+# conntackd
+# pmacct
+# fastnetmon
+# ntp
+DELETE="/etc/logrotate.d/conntrackd.distrib /etc/init.d/conntrackd /etc/default/conntrackd
+ /etc/default/pmacctd /etc/pmacct
+ /etc/networks_list /etc/networks_whitelist /etc/fastnetmon.conf
+ /etc/ntp.conf /etc/default/ssh /etc/avahi/avahi-daemon.conf /etc/avahi/hosts
+ /etc/powerdns /etc/default/pdns-recursor
+ /etc/ppp/ip-up.d/0000usepeerdns /etc/ppp/ip-down.d/0000usepeerdns"
+for tmp in $DELETE; do
+ if [ -e ${tmp} ]; then
+ rm -rf ${tmp}
+ fi
+done
+
+# Remove logrotate items controlled via CLI and VyOS defaults
+sed -i '/^\/var\/log\/messages$/d' /etc/logrotate.d/rsyslog
+sed -i '/^\/var\/log\/auth.log$/d' /etc/logrotate.d/rsyslog
+
+# Fix FRR pam.d "vtysh_pam" vtysh_pam: Failed in account validation T5110
+if test -f /etc/pam.d/frr; then
+ if grep -q 'pam_rootok.so' /etc/pam.d/frr; then
+ sed -i -re 's/rootok/permit/' /etc/pam.d/frr
+ fi
+fi
+
+# Enable Cloud-init pre-configuration service
+systemctl enable vyos-config-cloud-init.service
+
+# Enable Podman API
+systemctl enable podman.service
+
+# Generate API GraphQL schema
+/usr/libexec/vyos/services/api/graphql/generate/generate_schema.py
+
+# Update XML cache
+python3 /usr/lib/python3/dist-packages/vyos/xml_ref/update_cache.py
+
+# Generate hardlinks for systemd units for multi VRF support
+# as softlinks will fail in systemd:
+# symlink target name type "ssh.service" does not match source, rejecting.
+if [ ! -f /lib/systemd/system/ssh@.service ]; then
+ ln /lib/systemd/system/ssh.service /lib/systemd/system/ssh@.service
+fi
+
+# T4287 - as we have a non-signed kernel use the upstream wireless reulatory database
+update-alternatives --set regulatory.db /lib/firmware/regulatory.db-upstream
diff --git a/debian/vyos-1x.preinst b/debian/vyos-1x.preinst
new file mode 100644
index 0000000..fbfc855
--- /dev/null
+++ b/debian/vyos-1x.preinst
@@ -0,0 +1,11 @@
+dpkg-divert --package vyos-1x --add --no-rename /etc/securetty
+dpkg-divert --package vyos-1x --add --no-rename /etc/security/capability.conf
+dpkg-divert --package vyos-1x --add --no-rename /lib/systemd/system/lcdproc.service
+dpkg-divert --package vyos-1x --add --no-rename /etc/logrotate.d/conntrackd
+dpkg-divert --package vyos-1x --add --no-rename /etc/rsyslog.conf
+dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.bashrc
+dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.profile
+dpkg-divert --package vyos-1x --add --no-rename /etc/netplug/netplugd.conf
+dpkg-divert --package vyos-1x --add --no-rename /etc/netplug/netplug
+dpkg-divert --package vyos-1x --add --no-rename /etc/rsyslog.d/45-frr.conf
+dpkg-divert --package vyos-1x --add --no-rename /lib/udev/rules.d/99-systemd.rules |
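Review bot: The "Set file capabilities" block in debian/vyos-1x.postinst uses `=pe`, which puts the capability in the file's own permitted and effective sets, so it applies to any account able to execute the binary; `setcap cap_sys_module=pe /bin/kmod` and `setcap cap_net_admin,cap_sys_admin=pe /sbin/sysctl` deserve the closest look, because unless execution is restricted somewhere outside this hunk they give every local user module loading and kernel-parameter changes. libpam-cap is in `Depends` and the preinst diverts /etc/security/capability.conf, so if per-user grants are the intent the inheritable form would match it, e.g. `setcap cap_sys_module=ei /bin/kmod`; at minimum, a comment above the block should state which mechanism limits who can use these binaries. Two smaller items in the same hunk: `sed -i -e ':^DSHELL:s:/bin/bash:/bin/vbash:' /etc/adduser.conf` begins with `:`, which GNU sed reads as a label, so the substitution appears never to run (`'/^DSHELL/s:/bin/bash:/bin/vbash:'` is presumably what was meant), and `$rootfsdir` in the pam.d/login line is not set anywhere in the script. The script also runs without `set -e`, so a failing `setcap` or `adduser` leaves the package marked as configured with the step silently missing.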
