msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 54s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-08-05 20:32:52 +02:00
parent c90e7f0deb
commit 053a06d7e1
29 changed files with 276 additions and 184 deletions
Download Patch File Download Diff File Expand all files Collapse all files

185
func/cdi_4100_base/4100_generate_sources.sh Normal file
View File

@@ -0,0 +1,185 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Generate target '/etc/apt/sources.list' entries.
# Globals:
# TARGET
# VAR_ARCHITECTURE
# VAR_CODENAME
# VAR_VERSION
# apt_contrib
# apt_deb_sources
# apt_mirror_directory
# apt_mirror_hostname
# apt_mirror_protocol
# apt_non_free
# apt_non_free_firmware
# apt_sec
# apt_updates_backports
# apt_updates_release
# apt_updates_security
# architecture
# distribution
# Arguments:
# None
# Returns:
# 0: on success
#######################################
generate_sources() {
### Declare Arrays, HashMaps, and Variables.
declare -a ary_components=()
declare var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
# shellcheck disable=SC2154 # "${architecture}"
var_arch="${architecture,,}"
# shellcheck disable=SC2154 # "${distribution}"
var_codename="${distribution,,}"
# shellcheck disable=SC2154 # "${apt_deb_sources}"
var_deb_src="${apt_deb_sources,,}"
# shellcheck disable=SC2154 # "${apt_mirror_directory}"
var_dir="${apt_mirror_directory,,}"
# shellcheck disable=SC2154 # "${apt_mirror_hostname}"
var_hostname="${apt_mirror_hostname,,}"
# shellcheck disable=SC2154 # "${apt_sec}"
var_hostsecure="${apt_sec,,}"
ary_components=( "main" )
[[ "${apt_contrib,,}" == "true" ]] && ary_components+=( "contrib" )
[[ "${apt_non_free,,}" == "true" ]] && ary_components+=( "non-free" )
[[ "${apt_non_free_firmware,,}" == "true" ]] && ary_components+=( "non-free-firmware" )
if [[ "${apt_mirror_protocol,,}" == "https" ]]; then
var_url="https://${var_hostname}${var_dir}"
var_surl="https://${var_hostsecure}/debian-security"
elif [[ "${apt_mirror_protocol,,}" == "http" ]]; then
var_url="http://${var_hostname}${var_dir}"
var_surl="http://${var_hostsecure}/debian-security"
else
var_url="https://${var_hostname}${var_dir}"
var_surl="https://${var_hostsecure}/debian-security"
fi
: >| "${TARGET}/etc/apt/sources.list"
chmod 0644 "${TARGET}/etc/apt/sources.list"
### Main Repository
# shellcheck disable=SC2153
cat << EOF >> "${TARGET}/etc/apt/sources.list"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# /etc/apt/sources.list : Generated by CISS.debian.installer ${VAR_VERSION}
# Architecture : ${VAR_ARCHITECTURE}
# Distribution : ${VAR_CODENAME}
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
deb ${var_url} ${var_codename} ${ary_components[*]}
EOF
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename} ${ary_components[*]}'."
if [[ "${var_deb_src}" == "true" ]]; then
echo "deb-src ${var_url} ${var_codename} ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename} ${ary_components[*]}'."
fi
### Security Repository
if [[ "${apt_updates_security,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/apt/sources.list"
deb ${var_surl} ${var_codename}-security ${ary_components[*]}
EOF
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_surl} ${var_codename}-security ${ary_components[*]}'."
if [[ "${var_deb_src}" == "true" ]]; then
echo "deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}'."
fi
fi
### Updates Repository
if [[ "${apt_updates_release,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/apt/sources.list"
deb ${var_url} ${var_codename}-updates ${ary_components[*]}
EOF
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-updates ${ary_components[*]}'."
if [[ "${var_deb_src}" == "true" ]]; then
echo "deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}'."
fi
fi
### Backports Repository
if [[ "${apt_updates_backports,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/apt/sources.list"
deb ${var_url} ${var_codename}-backports ${ary_components[*]}
EOF
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-backports ${ary_components[*]}'."
if [[ "${var_deb_src,,}" == "true" ]]; then
echo "deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}'."
fi
fi
### Clean up 'sources.list'
sed -i '/^#/!s/[[:space:]]\+/ /g' "${TARGET}/etc/apt/sources.list"
cat << EOF >> "${TARGET}/etc/apt/sources.list"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
do_log "info" "file_only" "4100() Sources lists: generated successfully."
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

70
func/cdi_4100_base/4110_update_sources.sh Normal file
View File

@@ -0,0 +1,70 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Update generated sources.
# Globals:
# DIR_LOG
# TARGET
# apt_updates_policy
# Arguments:
# None
# Returns:
# 0: on success
#######################################
update_sources() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/4110_update_sources.log"
touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
### Update generated sources.
# shellcheck disable=SC2312
do_in_target_script "${TARGET}" "apt-get update 2>&1 | tee -a ${var_logfile}; echo ExitCode: \$? >> ${var_logfile}"
do_log "info" "file_only" "4110() Sources lists: updated successfully."
### Update unattended, security or no unattended updates at all.
if [[ "${apt_updates_policy,,}" == "unattended" ]]; then
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
do_log "info" "file_only" "4110() The update policy was set at installation time to: '${apt_updates_policy}'."
elif [[ "${apt_updates_policy,,}" == "security" ]]; then
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
# shellcheck disable=SC2016
sed -i 's/^[[:space:]]*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${TARGET}/etc/apt/apt.conf.d/50unattended-upgrades"
do_log "info" "file_only" "4110() The update policy was set at installation time to: '${apt_updates_policy}'."
elif [[ "${apt_updates_policy,,}" == "none" ]]; then
do_log "info" "file_only" "4110() The update policy was set at installation time to: '${apt_updates_policy}'."
else
do_log "warning" "file_only" "4110() Update policy '${apt_updates_policy}': is not supported. Using 'none' as default."
fi
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

57
func/cdi_4100_base/4120_installation_kernel.sh Normal file
View File

@@ -0,0 +1,57 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Installation of the specified kernel.
# Globals:
# DIR_LOG
# TARGET
# image
# Arguments:
# None
# Returns:
# 0: on success
#######################################
installation_kernel() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/4120_installation_kernel.log"
touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
if [[ -n "${VAR_KERNEL}" ]]; then
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends --no-install-suggests ${VAR_KERNEL} 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
do_log "info" "file_only" "4120() Kernel image: '${VAR_KERNEL}' installed successfully."
return 0
else
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends --no-install-suggests ${image} 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
do_log "info" "file_only" "4120() Kernel image: '${image}' installed successfully."
return 0
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

130
func/cdi_4100_base/4130_installation_toolset.sh Normal file
View File

@@ -0,0 +1,130 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Check and set up the minimum required tools for the next installation steps.
# Globals:
# DIR_LOG
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
installation_toolset() {
### Declare Arrays, HashMaps, and Variables.
# shellcheck disable=SC2154
declare -A hmp_tool_pkg=(
[apt-show-versions]="apt-show-versions"
[bc]="bc"
[dig]="bind9-dnsutils"
[host]="bind9-dnsutils"
[hexdump]="bsdmainutils"
[btrfs]="btrfs-progs"
[busybox]="busybox"
[bunzip2]="bzip2"
[base64]="coreutils"
[cat]="coreutils"
[chmod]="coreutils"
[chown]="coreutils"
[cp]="coreutils"
[echo]="coreutils"
[ln]="coreutils"
[mkdir]="coreutils"
[curl]="curl"
[dirmngr]="dirmngr"
[dmsetup]="dmsetup"
[fsck.vfat]="dosfstools"
[mkfs.vfat]="dosfstools"
[e2label]="e2fsprogs"
[tune2fs]="e2fsprogs"
[fsck]="e2fsprogs"
[efibootmgr]="efibootmgr"
[fdisk]="fdisk"
[file]="file"
[awk]="gawk"
[gdisk]="gdisk"
[gnupg]="gnupg"
[grep]="grep"
[gzip]="gzip"
[haveged]="haveged"
[update-initramfs]="initramfs-tools"
[ip]="iproute2"
[ping]="iputils-ping"
[jq]="jq"
[loadkeys]="kbd"
[setfont]="kbd"
[keyctl]="keyutils"
[modprobe]="kmod"
[libpam-pwquality]="libpam-pwquality"
[logrotate]="logrotate"
[lsb_release]="lsb-release"
[parted]="parted"
[chpasswd]="passwd"
[chsh]="passwd"
[lspci]="pciutils"
[sysctl]="procps"
[pwgen]="pwgen"
[sed]="sed"
[sudo]="sudo"
[tar]="tar"
[tree]="tree"
[unzip]="unzip"
[lsusb]="usbutils"
[blkid]="util-linux"
[dmesg]="util-linux"
[lsblk]="util-linux"
[findmnt]="util-linux"
[mount]="util-linux"
[umount]="util-linux"
[xxd]="vim-common"
[wget]="wget"
[whois]="whois"
[zsh]="zsh"
[zstd]="zstd"
)
declare -a ary_missing_pkgs=() ary_unique_pkgs=()
declare -r var_logfile="/root/.ciss/cdi/log/4130_installation_toolset.log"
declare var_bin=""
touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
### Collecting missing binaries.
for var_bin in "${!hmp_tool_pkg[@]}"; do
if ! do_in_target_script "${TARGET}" "command -v ${var_bin} >/dev/null" "debug"; then
ary_missing_pkgs+=("${hmp_tool_pkg[${var_bin}]}")
fi
done
do_log "debug" "file_only" "4130() [ary_missing_pkgs]='${ary_missing_pkgs[*]}'."
### Installing unique list of packages.
if ((${#ary_missing_pkgs[@]})); then
# shellcheck disable=SC2312
mapfile -t ary_unique_pkgs < <(printf '%s\n' "${ary_missing_pkgs[@]}" | sort -u)
do_log "debug" "file_only" "4130() [ary_unique_pkgs]='${ary_unique_pkgs[*]}'."
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends --no-install-suggests ${ary_unique_pkgs[*]} 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
fi
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

52
func/cdi_4100_base/4131_installation_systemd.sh Normal file
View File

@@ -0,0 +1,52 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Ensure systemd is in place.
# Globals:
# DIR_LOG
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
installation_systemd() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/4131_installation_systemd.log"
touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
if ! do_in_target_script "${TARGET}" "type -P systemctl >/dev/null"; then
do_log "info" "file_only" "4131() 'systemctl' NOT found, installing 'systemd' and dependencies."
do_in_target_script "${TARGET}" "
apt-get update 2>&1 | tee -a ${var_logfile}
apt-get install -y --no-install-recommends --no-install-suggests systemd systemd-sysv dbus 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
else
do_log "info" "file_only" "4131() 'systemctl' found, skipping installation."
fi
do_in_target_script "${TARGET}" "
systemctl --version 2>&1 | tee -a ${var_logfile} | grep -qi 'systemd' || echo '[WARN]: systemd not verifiable' >> ${var_logfile}
"
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

38
func/cdi_4100_base/4132_installation_machineid.sh Normal file
View File

@@ -0,0 +1,38 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Generate machine-id if missing.
# Globals:
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
installation_machineid() {
if ! do_in_target_script "${TARGET}" "[[ -s /etc/machine-id ]]"; then
do_log "info" "file_only" "4132() Generating /etc/machine-id via systemd-machine-id-setup."
do_in_target "${TARGET}" systemd-machine-id-setup
else
do_log "info" "file_only" "4132() Existing 'machine-id' found, no action needed."
fi
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

33
func/cdi_4100_base/4133_installation_masking.sh Normal file
View File

@@ -0,0 +1,33 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Turn off Energy saving mode and ctrl-alt-del.
# Globals:
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
installation_masking() {
do_in_target_script "${TARGET}" "
systemctl mask ctrl-alt-del.target sleep.target suspend.target hibernate.target hybrid-sleep.target
"
do_log "info" "file_only" "4133() Masked: [ctrl-alt-del.target sleep.target suspend.target hibernate.target hybrid-sleep.target]."
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

76
func/cdi_4100_base/4140_installation_microcode.sh Normal file
View File

@@ -0,0 +1,76 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Install microcode updates depending on architecture (amd64, arm64, intel64) and environment (Baremetal, VM).
# Globals:
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
installation_microcode() {
### Declare Arrays, HashMaps, and Variables.
declare var_microcode_pkgs="" var_whereiam="" var_cpu_vendor=""
declare -r var_logfile="/root/.ciss/cdi/log/4140_installation_microcode.log"
touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
# shellcheck disable=SC2312
if [[ -x "$(command -v virt-what)" ]]; then
var_whereiam=$(virt-what | head -n1)
else
var_whereiam=$(grep -iE 'kvm|vmware|qemu' /sys/class/dmi/id/product_name 2>/dev/null || echo "baremetal")
fi
# shellcheck disable=SC2312
var_cpu_vendor=$(</proc/cpuinfo grep 'vendor_id' | head -n1 | cut -d: -f2 | xargs)
case "${var_cpu_vendor}" in
*AuthenticAMD*) var_microcode_pkgs="amd64-microcode" ;;
*GenuineIntel*) var_microcode_pkgs="intel-microcode" ;;
*) do_log "info" "file_only" "4140() Unknown or unsupported CPU vendor: '${var_cpu_vendor}', skipping." ;;
esac
###########################################################################################
# Generally, it is best to let the hypervisor handle CPU microcode updates. #
###########################################################################################
if [[ "${var_whereiam}" != "kvm" && -n "${var_microcode_pkgs}" ]]; then
if ! do_in_target_script "${TARGET}" "dpkg -s ${var_microcode_pkgs} >/dev/null 2>&1"; then
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends --no-install-suggests ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
else
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends --no-install-suggests --only-upgrade ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
fi
else
do_log "info" "file_only" "4140() Skipping microcode install [${var_whereiam}, ${var_microcode_pkgs:-none}]."
fi
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

75
func/cdi_4100_base/4150_installation_chrony.sh Normal file
View File

@@ -0,0 +1,75 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Setup chrony NTPSec client.
# Globals:
# ARY_NTPSRVR
# DIR_BAK
# NL
# TARGET
# VAR_SETUP_PATH
# Arguments:
# None
# Returns:
# 0: on success
#######################################
installation_chrony() {
### Declare Arrays, HashMaps, and Variables.
# shellcheck disable=SC2155
declare var_of=$(mktemp var_of.XXXXXXXX) var_ntp_server=""
declare -r var_logfile="/root/.ciss/cdi/log/4150_installation_chrony.log"
touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
for var_ntp_server in "${ARY_NTPSRVR[@]}"; do
printf "server %s iburst nts minpoll 5 maxpoll 9 %b" "${var_ntp_server}" "${NL}" >> "${var_of}"
done
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh %b" "${NL}" >> "${var_of}"
mkdir -p "${TARGET}/var/log/chrony"
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends --no-install-suggests chrony 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
if [[ ! -e "${TARGET}/etc/systemd/system/multi-user.target.wants/chrony.service" ]]; then
do_in_target_script "${TARGET}" "systemctl enable chrony.service"
fi
mkdir -p "${DIR_BAK}/etc/chrony"
mv "${TARGET}/etc/chrony/chrony.conf" "${DIR_BAK}/etc/chrony/chrony.conf.bak"
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/chrony/chrony.cnf" "${TARGET}/etc/chrony/chrony.conf"
cat "${var_of}" >> "${TARGET}/etc/chrony/chrony.conf"
do_log "debug" "file_only" "4150() Executing: [do_in_target_script ${TARGET} chronyd -Q -f /etc/chrony/chrony.conf]."
do_in_target_script "${TARGET}" "
chronyd -Q -f /etc/chrony/chrony.conf 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
do_log "info" "file_only" "4150() Chrony NTPsec client installed."
rm -f "${var_of}"
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh