This tool can be used to create a modern installation of Debian. Our opinions of what a modern installation of Debian should look like in 2025 are:

• Debian 13 (Trixie)
• Backports and non-free enabled
• Firmware installed
• Installed on btrfs subvolumes
• Full disk encryption, unlocked by TPM
• Authenticated boot with self-generated Machine Owner Keys
• Fast installation using an image
• Browser-based installer

• The installer will take over your whole disk
• Amd64 with EFI only
• The installer is in english only

1. Download one of the live image files from the table above
2. Write the image file to a USB flash drive. Do not use ventoy or similar "clever" tools - they are not compatible with these images. If you need a GUI, use etcher or win32DiskImager or just use dd - dd if=opinionated-debian-installer*.img of=/dev/sdX bs=256M oflag=dsync status=progress where sdX is your USB flash drive
3. Boot from the USB flash drive
4. Start the installer icon from the desktop/dash, fill in the form in the browser and press the big Install button
5. (If you are using the fully authenticated boot mode: Reboot, enroll your MOK and reboot again)
6. Shutdown, remove the USB drive, boot debian and enjoy!

Screenshot of the full installer GUI:

Video of installation of Debian with KDE Plasma (Bookworm version):

I have started to be asked for disk encryption password. Can I have my passwordless boot back?

You need to re-enroll the TPM to decrypt your drive. Find the path to the underlying device (with lsblk or similar) and use the following command (replacing /dev/vda2 with your device):

sudo systemd-cryptenroll --tpm2-pcrs=secure-boot-policy+shim-policy \
    --tpm2-device=auto --tpm2-pcrlock= --wipe-slot=tpm2 /dev/vda2

The installer is very slow to start up or does not start at all

You need fast USB storage. USB3 is strongly recommended, including any hubs, converters or extension cables you might be using. On slow storage, some systemd services might time-out and the boot of the installer will not be successful.

There are two options with regards to SecureBoot: simple or full.

The simple mode will just use shim, systemd-boot and kernel signed by Microsoft and Debian. Your initrd file will not be signed.

If you Select the option Enable MOK-signed UKI in the installer, the full mode will apply. This is the most secure option. The installer will generate your Machine Owner Key (MOK) and configure the system to use Unified Kernel Image (UKI) which contains both the kernel and initrd. The MOK will be used to sign the UKI so that all the files involved in the boot process are authenticated.

After the installation, on the next boot, you will be asked to enroll your MOK. Use the password you provided in the installer. See the screenshots of the process below:

We also recommend to re-enroll the TPM device to decrypt your drive with PCRs 7 (secure-boot-policy) and 14 (shim-policy) after the installation. Identify your underlying boot device (with lsblk) and use the following command (replacing /dev/vda2 with your device):

sudo systemd-cryptenroll --tpm2-pcrs=secure-boot-policy+shim-policy \
    --tpm2-device=auto --tpm2-pcrlock= --wipe-slot=tpm2 /dev/vda2

This will prevent auto-decryption of your drive if SecureBoot is disabled or keys are tampered with.

• GPT disk partitions are created on the designated disk drive:
  • UEFI ESP partition
  • Root partition - LUKS encrypted (rest of the drive)
• GPT root partition is auto-discoverable
• Btrfs subvolumes will be called @ for /, @home for /home and @swap for swap (compatible with timeshift); the top-level subvolume will be mounted to /root/btrfs1
• The system is installed using an image from the live iso. This will speed up the installation significantly and allow off-line installation.
• Dracut is used instead of initramfs-tools
• Systemd-boot is used instead of grub
• Network-manager is used for networking
• Systemd-cryptenroll is used to unlock the disk, using TPM (if available)
• Sudo is installed and configured for the created user

Edit installer.ini on the first (vfat) partition of the installer image. It will allow you to pre-seed and automate the installation.

If you edit it directly in the booted installer image, it is /boot/efi/installer.ini Reboot after editing the file for the new values to take effect.

You can use the installer for server installation.

As a start, edit the configuration file installer.ini (see above), set option BACK_END_IP_ADDRESS to 0.0.0.0 and reboot the installer. There is no encryption or authentication in the communication so only do this on a trusted network.

You have several options to access the installer. Assuming the IP address of the installed machine is 192.168.1.29 and you can reach it from your PC:

• Use the web interface in a browser on a PC - open http://192.168.1.29:5000/

• Use the text mode interface - start opinionated-installer tui -baseUrl http://192.168.1.29:5000

• Use curl - again, see the installer.ini file for list of all options for the form data in -F parameters:

  curl -v -F "DISK=/dev/vda" -F "USER_PASSWORD=hunter2" \
    -F "ROOT_PASSWORD=changeme" -F "LUKS_PASSWORD=luke" \ 
    http://192.168.1.29:5000/install
  

• Use curl to prompt for logs:

  curl http://192.168.1.29:5000/download_log
  

If you are testing in a virtual machine, attaching the downloaded image file as a virtual disk, you need to extend it first. The image file that you downloaded is shrunk, there is no free space left in the filesystems. Use truncate -s +500M opinionated*.img to add 500MB to the virtual disk before you attach it to a virtual machine. The installer will expand the partitions and filesystem to fill the device.

To test with libvirt, make sure to create the VM with UEFI:

1. Select the Customize configuration before install option at the end of the new VM dialog
2. In the VM configuration window, Overview tab, Hypervisor Details section, select Firmware: UEFI

To add a TPM module, you need to install the swtpm-tools package.

Attach the downloaded installer image file as Device type: Disk device, not CDROM device.

To test with the MS hyper-v virtualization, make sure to create your VM with Generation 2. This will enable UEFI. TPM can be enabled in the Security tab of the Hyper-V settings.

You will also need to convert the installer image to VHDx format and make the file not sparse. You can use qemu-img (windows download) and fsutil like this:

qemu-img convert -f raw -O vhdx opinionated-debian-installer-*.img odin.vhdx
fsutil sparse setflag odin.vhdx 0

Attach the generated VHDx file as a disk, not as a CD.

Alternatively to running the whole browser based GUI, you can run the installer.sh script manually from a root shell. The end result will be exactly the same. Just don't forget to edit the configuration options (especially the DISK variable) before running it.

1. Insert a blank storage device
2. Edit the DISK and other variables at the top of make_image.sh
3. Execute make_image.sh as root

In the first stage of image generation, you will get a tasksel prompt where you can select a different set of packages for your image.

There are two GPT partitions on the installer image: EFI boot partition and a Btrfs partition.
The Btrfs filesystem is created in two phases.

In the first phase, a basic, neutral debian installation is created by debootstrap, tasksel. At this point, a snapshot called opinionated_installer_bootstrap is created. When installing the target system, the installer will detect the snapshot and copy its contents to the target root subvolume using btrfs send/receive.

In the second phase, all the installer specific files are added to the installer Btrfs filesystem. Obviously, these are not part of the target installed system.

The front-end is a vue application. You need npm to build it. Run the following commands to build it:

cd frontend
npm run build

The HTTP backend and TUI frontend is a go application. Run the following commands to build it:

cd backend
go build -o opinionated-installer

flowchart LR
    A[installer.ini] -->|EnvironmentFile| B(installer_backend.service)
    B -->|ExecStart| C[backend]
    D(Web Frontend) --->|HTTP POST| C
    E(TUI Frontend) --->|HTTP POST| C
    G(curl) --->|HTTP POST| C
    C -->|environment| F[installer.sh]

flowchart RL
    C[backend] -->|stdout| B(installer_backend.service)
    C --->|websocket| D(Web Frontend)
    C --->|websocket| E(TUI Frontend)
    C --->|HTTP GET| G(curl)
    F[installer.sh] -->|stdout| C

The following table contains comparison of features between our opinionated debian installer and official debian installers.

[1] /boot needs a separate unencrypted partition

[2] @ and @home (timeshift compatible)

[3] @rootfs

[4] Fixed partitioning (see Details above), LUKS is automatic, BTRFS is used as filesystem