+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+sudo debconf-set-selections <<-EOF
+ grub-pc grub-pc/install_devices multiselect
+ EOF
+"$tool"/local/apt-get-install grub-pc
+sudo install -d -m 644 -o root -g root /boot/grub
+"$tool"/local/apt-get-install linux-image-$vm_arch
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/default/grub <<-EOF
+ GRUB_DEFAULT=0
+ GRUB_TIMEOUT=5
+ GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
+ GRUB_CMDLINE_LINUX_DEFAULT="quiet"
+ GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
+ GRUB_DISABLE_RECOVERY="true"
+ #GRUB_PRELOAD_MODULES="lvm"
+ EOF
+sudo install -m 644 -o root -g root /dev/stdin \
+ /boot/grub/device.map <<-EOF
+ (hd0) /dev/xvda
+ (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
+ EOF
+sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
+"$tool"/local/initramfs-configure
+"$tool"/local/apt-get-install molly-guard
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/molly-guard/rc <<-EOF
+ ALWAYS_QUERY_HOSTNAME=true
+ # NOTE: une alternative est de dire à sudo de conserver les SSH_*
+ # néamoins demander tout le temps n'est pas trop contraignant
+ # et davantage sécurisant.
+ EOF