msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 54s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-08-05 00:18:17 +02:00
parent 7b46aa1235
commit 05b88082ea
14 changed files with 237 additions and 112 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.preseed/partitioning.yaml
View File

@@ -81,7 +81,7 @@ recipe:
primary: primary
2:
begin: "1024MiB"
end: "2GiB"
end: "3GiB"
bootable: false
encryption:
enable: true
@@ -111,7 +111,7 @@ recipe:
path: "/boot"
primary: primary
3:
begin: "2GiB"
begin: "3GiB"
end: "10GiB"
bootable: false
encryption:

160
.preseed/preseed.yaml
View File

@@ -517,57 +517,117 @@ security:
# Software installation
################################################################################################################################
software:
##############################################################################################################################
### Installed by 4000_debootstrap.sh
##############################################################################################################################
# bash
# ca-certificates
# coreutils
# e2fsprogs
# kmod
# locales
# nano
# openssl
# passwd
# procps
# sed
# tar
# tzdata
# util-linux
# vim-common
##############################################################################################################################
### Installed by 4110_update_sources.sh
##############################################################################################################################
# unattended-upgrades
##############################################################################################################################
### Installed by 4130_installation_toolset.sh
##############################################################################################################################
# apt-show-versions
# bc
# bind9-dnsutils
# bsdmainutils
# btrfs-progs
# busybox
# bzip2
# cryptsetup
# cryptsetup-initramfs
# dirmngr
# dmsetup
# dosfstools
# efibootmgr
# fdisk
# file
# gawk
# gdisk
# gnupg
# grep
# gzip
# haveged
# initramfs-tools
# iproute2
# iputils-ping
# jq
# kbd
# keyutils
# libpam-pwquality
# logrotate
# lsb-release
# parted
# pciutils
# pwgen
# sudo
# tar
# tree
# unzip
# usbutils
# wget
# whois
# zsh
# zstd
##############################################################################################################################
### Installed by 4140_installation_microcode.sh
##############################################################################################################################
# amd64-microcode
# intel-microcode
##############################################################################################################################
### Installed by 4150_installation_chrony.sh
##############################################################################################################################
# chrony
##############################################################################################################################
### Installed by 4230_update_grub.sh
##############################################################################################################################
# grub2
# grub2-common
# grub-efi-amd64 || grub-efi-arm64 || grub-efi-ia32
##############################################################################################################################
### Installed by 4310_dropbear_build.sh
##############################################################################################################################
# dropbear
# dropbear-initramfs
##############################################################################################################################
### Installed by 4420_installation_ssh.sh
##############################################################################################################################
# ssh
##############################################################################################################################
# core software
##############################################################################################################################
- apt-show-versions
- apt-transport-https
- apt-utils
- bash
- bash-completion
- bat
- bind9-dnsutils
- bc
- ca-certificates
- coreutils
- debconf
- debconf-utils
- dialog
- efibootmgr
- fzf
- gawk
- git
- grub2
- grub2-common
- knot-dnssecutils
- knot-dnsutils
- libpam-google-authenticator
- libpam-pwquality
- locate
- logrotate
- lsb-release
- nano
- openssl
- rsyslog
- screen
- shellcheck
- software-properties-common
- spectre-meltdown-checker
- ssh
- sudo
- sysstat
- tree
#- unattended-upgrades
- whois
- zsh
## software dev
#- build-essential
#- clang
#- debootstrap
#- linux-source
#- lld
#- makedev
#- ssl-cert
##############################################################################################################################
# documentation
##############################################################################################################################
@@ -577,18 +637,12 @@ software:
##############################################################################################################################
# encryption
##############################################################################################################################
- dirmngr
- gnupg
- haveged
- pollinate
##############################################################################################################################
# files
##############################################################################################################################
- curl
- rsnapshot
- rsync
- unzip
- wget
- zip
##############################################################################################################################
# malware detection
@@ -603,38 +657,19 @@ software:
- dhcpdump
- dhcping
- iftop
- iproute2
- iputils-ping
- mtr
- ncat
- net-tools
- nmap
- tshark
- ufw
##############################################################################################################################
# parser
##############################################################################################################################
#- jq
#- yq
##############################################################################################################################
# partitioning
##############################################################################################################################
- btrfs-progs
- cryptsetup
- cryptsetup-nuke-password
- dmsetup
- dosfstools
- fdisk
- gdisk
- lvm2
- mdadm
- parted
##############################################################################################################################
# password
##############################################################################################################################
- keychain
- makepasswd
- pwgen
- wamerican
- wbritish
- wfrench
@@ -643,6 +678,18 @@ software:
# security
##############################################################################################################################
- fail2ban
- ufw
##############################################################################################################################
# sw dev
##############################################################################################################################
#- build-essential
#- clang
#- debootstrap
#- linux-source
#- lld
#- makedev
- shellcheck
#- ssl-cert
##############################################################################################################################
# tools
##############################################################################################################################
@@ -676,7 +723,6 @@ ntp:
- "ptbtime2.ptb.de"
- "ptbtime1.ptb.de"
- "ntp13.metas.ch"
- "ntp1.tecnico.ulisboa.pt"
- "time-c-b.nist.gov"
- "sth1.ntp.se"
- "ntp0.fau.de"

2
ciss_debian_installer.sh
View File

@@ -175,8 +175,8 @@ trap 'trap_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${B
trap 'trap_int' INT TERM
### INTERACTIVE MODE NOTES AND KERNEL SELECTION.
# TODO: Update /lib/cdi_0110_interactive/0110_check_kernel.sh & sourcing
# TODO: Update /lib/cdi_0110_interactive/0115_check_provider.sh & sourcing
check_provider
#if ! "${VAR_AUTO_INSTALL}"; then check_provider; fi
#if ! "${VAR_AUTO_INSTALL}"; then check_kernel; fi

6
func/cdi_3200_partitioning/3200_partitioning.sh
View File

@@ -146,10 +146,12 @@ partitioning() {
var_begin="2MiB"
fi
### Assign the landing zone of the last partition and reserve 16 MiB for GPT and mdadm binary metadata.
### Assign the landing zone of the last partition and reserve 64 MiB for GPT and mdadm binary metadata.
### There is no mandatory upper limit, but for particularly critical systems (FDE, RAID-6 setups, dm-integrity, etc.),
### more generous reserves between 32 and 64 MiB are recommended.
if [[ "${var_end,,}" == "max" ]]; then
var_dev_size=$(blockdev --getsize64 "/dev/${var_dev}")
var_dev_end=$(( var_dev_size - 16 * 1024 * 1024 ))
var_dev_end=$(( var_dev_size - 64 * 1024 * 1024 ))
var_end_mib=$(( var_dev_end / 1024 / 1024 ))
var_end_arg="${var_end_mib}MiB"
else

13
func/cdi_4100_base_installation/4110_update_sources.sh
View File

@@ -32,17 +32,24 @@ update_sources() {
### Update generated sources.
# shellcheck disable=SC2312
do_in_target_script "${TARGET}" "apt-get update 2>&1 | tee -a ${var_logfile}; echo ExitCode: \$? >> ${var_logfile}"
do_log "info" "file_only" "4110() Sources lists: updated successfully."
### Update unattended, security or no unattended updates at all.
if [[ "${apt_updates_policy,,}" == "unattended" ]]; then
do_in_target "${TARGET}" apt-get install -y unattended-upgrades
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
do_log "info" "file_only" "4110() The update policy was set at installation time to: '${apt_updates_policy}'."
elif [[ "${apt_updates_policy,,}" == "security" ]]; then
do_in_target "${TARGET}" apt-get install -y unattended-upgrades
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
# shellcheck disable=SC2016
sed -i 's/^[[:space:]]*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${TARGET}/etc/apt/apt.conf.d/50unattended-upgrades"

25
func/cdi_4100_base_installation/4120_installation_kernel.sh
View File

@@ -29,10 +29,29 @@ installation_kernel() {
touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
do_in_target_script "${TARGET}" "apt-get install -y ${image} 2>&1 | tee -a ${var_logfile}; echo ExitCode: \$? >> ${var_logfile}"
if [[ -n "${VAR_KERNEL}" ]]; then
do_log "info" "file_only" "4120() Kernel image: '${image}' installed successfully."
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends --no-install-suggests ${VAR_KERNEL} 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
do_log "info" "file_only" "4120() Kernel image: '${VAR_KERNEL}' installed successfully."
return 0
else
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends --no-install-suggests ${image} 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
do_log "info" "file_only" "4120() Kernel image: '${image}' installed successfully."
return 0
fi
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

23
func/cdi_4100_base_installation/4130_installation_toolset.sh
View File

@@ -26,11 +26,14 @@ installation_toolset() {
### Declare Arrays, HashMaps, and Variables.
# shellcheck disable=SC2154
declare -A hmp_tool_pkg=(
[apt-show-versions]="apt-show-versions"
[bc]="bc"
[dig]="bind9-dnsutils"
[host]="bind9-dnsutils"
[hexdump]="bsdmainutils"
[btrfs]="btrfs-progs"
[busybox]="busybox"
[bunzip2]="bzip2"
[base64]="coreutils"
[cat]="coreutils"
[chmod]="coreutils"
@@ -39,31 +42,47 @@ installation_toolset() {
[echo]="coreutils"
[ln]="coreutils"
[mkdir]="coreutils"
[cryptsetup]="cryptsetup-initramfs"
[cryptsetup]="cryptsetup"
[cryptsetup-initramfs]="cryptsetup-initramfs"
[curl]="curl"
[dirmngr]="dirmngr"
[dmsetup]="dmsetup"
[fsck.vfat]="dosfstools"
[mkfs.vfat]="dosfstools"
[e2label]="e2fsprogs"
[tune2fs]="e2fsprogs"
[fsck]="e2fsprogs"
[efibootmgr]="efibootmgr"
[fdisk]="fdisk"
[file]="file"
[awk]="gawk"
[gdisk]="gdisk"
[gnupg]="gnupg"
[grep]="grep"
[gzip]="gzip"
[haveged]="haveged"
[update-initramfs]="initramfs-tools"
[ip]="iproute2"
[ping]="iputils-ping"
[jq]="jq"
[loadkeys]="kbd"
[setfont]="kbd"
[keyctl]="keyutils"
[modprobe]="kmod"
[libpam-pwquality]="libpam-pwquality"
[logrotate]="logrotate"
[lsb_release]="lsb-release"
[parted]="parted"
[chpasswd]="passwd"
[chsh]="passwd"
[lspci]="pciutils"
[sysctl]="procps"
[pwgen]="pwgen"
[sed]="sed"
[sudo]="sudo"
[tar]="tar"
[tree]="tree"
[unzip]="unzip"
[lsusb]="usbutils"
[blkid]="util-linux"
[dmesg]="util-linux"
@@ -102,7 +121,7 @@ installation_toolset() {
do_log "debug" "file_only" "4130() [ary_unique_pkgs]='${ary_unique_pkgs[*]}'."
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends ${ary_unique_pkgs[*]} 2>&1 | tee -a ${var_logfile}
apt-get install -y --no-install-recommends --no-install-suggests ${ary_unique_pkgs[*]} 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"

6
func/cdi_4100_base_installation/4131_installation_systemd.sh
View File

@@ -30,13 +30,17 @@ installation_systemd() {
if ! do_in_target_script "${TARGET}" "type -P systemctl >/dev/null"; then
do_log "info" "file_only" "4131() 'systemctl' NOT found, installing 'systemd' and dependencies."
do_in_target_script "${TARGET}" "
apt-get update 2>&1 | tee -a ${var_logfile}
apt-get install -y --no-install-recommends systemd systemd-sysv dbus 2>&1 | tee -a ${var_logfile}
apt-get install -y --no-install-recommends --no-install-suggests systemd systemd-sysv dbus 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
else
do_log "info" "file_only" "4131() 'systemctl' found, skipping installation."
fi
do_in_target_script "${TARGET}" "

17
func/cdi_4100_base_installation/4140_installation_microcode.sh
View File

@@ -23,7 +23,10 @@ guard_sourcing
#######################################
installation_microcode() {
### Declare Arrays, HashMaps, and Variables.
declare var_microcode_pkgs="" var_whereiam="" var_cpu_vendor=""
declare var_microcode_pkgs="" var_whereiam="" var_cpu_vendor=""
declare -r var_logfile="/root/.ciss/cdi/log/4140_installation_microcode.log"
touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
# shellcheck disable=SC2312
if [[ -x "$(command -v virt-what)" ]]; then
@@ -48,17 +51,23 @@ installation_microcode() {
if ! do_in_target_script "${TARGET}" "dpkg -s ${var_microcode_pkgs} >/dev/null 2>&1"; then
do_in_target "${TARGET}" apt-get install -y "${var_microcode_pkgs}"
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends --no-install-suggests ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
else
do_in_target "${TARGET}" apt-get install -y --only-upgrade "${var_microcode_pkgs}"
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends --no-install-suggests --only-upgrade ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
fi
else
do_log "info" "file_only" "4140() Skipping microcode install (${var_whereiam}, ${var_microcode_pkgs:-none})"
do_log "info" "file_only" "4140() Skipping microcode install [${var_whereiam}, ${var_microcode_pkgs:-none}]."
fi

18
func/cdi_4100_base_installation/4150_installation_chrony.sh
View File

@@ -28,7 +28,10 @@ guard_sourcing
installation_chrony() {
### Declare Arrays, HashMaps, and Variables.
# shellcheck disable=SC2155
declare var_of=$(mktemp var_of.XXXXXXXX) var_ntp_server=""
declare var_of=$(mktemp var_of.XXXXXXXX) var_ntp_server=""
declare -r var_logfile="/root/.ciss/cdi/log/4150_installation_chrony.log"
touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
for var_ntp_server in "${ARY_NTPSRVR[@]}"; do
@@ -39,7 +42,11 @@ installation_chrony() {
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh %b" "${NL}" >> "${var_of}"
mkdir -p "${TARGET}/var/log/chrony"
do_in_target_script "${TARGET}" "apt-get install -y --no-install-recommends chrony"
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends --no-install-suggests chrony 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
if [[ ! -e "${TARGET}/etc/systemd/system/multi-user.target.wants/chrony.service" ]]; then
@@ -53,8 +60,11 @@ installation_chrony() {
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/chrony/chrony.cnf" "${TARGET}/etc/chrony/chrony.conf"
cat "${var_of}" >> "${TARGET}/etc/chrony/chrony.conf"
do_log "debug" "file_only" "4150() Executing: [do_in_target ${TARGET} chronyd -Q -f /etc/chrony/chrony.conf]."
do_in_target "${TARGET}" chronyd -Q -f /etc/chrony/chrony.conf
do_log "debug" "file_only" "4150() Executing: [do_in_target_script ${TARGET} chronyd -Q -f /etc/chrony/chrony.conf]."
do_in_target_script "${TARGET}" "
chronyd -Q -f /etc/chrony/chrony.conf 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
do_log "info" "file_only" "4150() Chrony NTPsec client installed."

64
lib/cdi_0110_interactive/0110_check_kernel.sh
View File

@@ -10,39 +10,44 @@
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# TODO: Update this module
guard_sourcing
#######################################
# Kernel Image Selector
# Kernel Image Selector.
# Globals:
# VAR_ARCHITECTURE
# VAR_KERNEL
# VAR_KERNEL_SRT
# VAR_KERNEL_TMP
# Arguments:
# None
# None
# Returns:
# 42: Sorting Error.
# 0: on success
# 42: On sorting Error.
#######################################
check_kernel() {
clear
declare -i counter=1
declare first_string=""
declare line=""
declare -gx VAR_KERNEL=""
declare name=""
declare options=""
declare first_string="" line="" name="" options="" var_cpu_vendor=""
if [[ ${VAR_ARCHITECTURE} != arm64 ]]; then
apt-cache search linux-image | grep linux-image | grep amd64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${VAR_KERNEL_TMP}"
else
apt-cache search linux-image | grep linux-image | grep arm64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${VAR_KERNEL_TMP}"
fi
# shellcheck disable=SC2312
var_cpu_vendor=$(</proc/cpuinfo grep 'vendor_id' | head -n1 | cut -d: -f2 | xargs)
case "${var_cpu_vendor}" in
*AuthenticAMD*)
# shellcheck disable=SC2312
apt-cache search linux-image | grep linux-image | grep amd64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${VAR_KERNEL_TMP}"
;;
*GenuineIntel*)
# shellcheck disable=SC2312
apt-cache search linux-image | grep linux-image | grep arm64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${VAR_KERNEL_TMP}"
;;
*) do_log "info" "file_only" "4140() Unknown or unsupported CPU vendor: '${var_cpu_vendor}', skipping." ;;
esac
sort --output="${VAR_KERNEL_SRT}" "${VAR_KERNEL_TMP}" || {
printf "❌ Error check_kernel() Line 40 sort failed\n" >&2
printf "❌ Error 0110_check_kernel.sh Line 52 sort failed\n" >&2
# shellcheck disable=SC2162
read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
return 42
@@ -55,22 +60,23 @@ check_kernel() {
((counter++))
done < "${VAR_KERNEL_SRT}"
# shellcheck disable=SC2155
if declare -g VAR_KERNEL=$(dialog \
# shellcheck disable=SC2034
if VAR_KERNEL=$(dialog \
--no-collapse \
--ascii-lines \
--clear \
--backtitle "CISS.debian.live.builder" \
--title "Select the Kernel for the CISS Hardened Debian Live Image ISO" \
--backtitle "CISS.debian.installer powered by CoreSecret.eu" \
--title "Select the Kernel for the CISS.debian.installer" \
--radiolist "Kernel available \n *+bpo* : Debian Backported Kernel \n *cloud* : Special lightweight images for KVM \n *unsigned* : Unsigned Kernel \n *preempt_rt* : Special Kernel for real-time-computing \n Not unsigned marked are MS signed Kernel for Secure Boot \n" 0 0 "${options[@]}" 3>&1 1>&2 2>&3 3>&-); then
clear
do_log "info" "file_only" "0110() Kernel image selected interactively: '${VAR_KERNEL}'."
else
clear
if [[ "${VAR_ARCHITECTURE}" == "amd64" ]]; then
declare -gr VAR_KERNEL="amd64"
elif [[ "${VAR_ARCHITECTURE}" == "arm64" ]]; then
declare -gr VAR_KERNEL="arm64"
fi
VAR_KERNEL=""
fi
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

4
lib/cdi_0200_dialog/0200_dialog_helper.sh
View File

@@ -49,7 +49,7 @@ dialog_gauge() {
setsid dialog --no-collapse \
--ascii-lines \
--keep-tite \
--title "CISS.debian.installer" \
--title "CISS.debian.installer powered by CoreSecret.eu" \
--gauge "Starting installation..." \
10 70 0 \
< "${PIPE_DIALOG_GAUGE}" &
@@ -97,7 +97,7 @@ dialog_box() {
setsid dialog --colors \
--ascii-lines \
--title "Installation Progress" \
--backtitle "CISS.2025.debian.installer" \
--backtitle "CISS.debian.installer powered by CoreSecret.eu" \
--programbox "${ROWS_USE}" "${COLS_USE}" \
< "${PIPE_DIALOG_BOX}" &
declare -gx PID_DIALOG_BOX="$!"

2
meta_loader_lib.sh
View File

@@ -41,7 +41,7 @@ source_guard "./lib/cdi_0100_arg/0103_arg_priority_check.sh"
source_guard "./lib/cdi_0100_arg/0104_arg_passphrase_modules.sh"
source_guard "./lib/cdi_0100_arg/0105_arg_nuke_converter.sh"
#source_guard "./lib/0110_check_kernel.sh"
source_guard "./lib/0110_check_kernel.sh"
#source_guard "./lib/0115_check_provider.sh"
source_guard "./lib/cdi_0200_dialog/0200_dialog_helper.sh"

5
var/global.var.sh
View File

@@ -60,7 +60,10 @@ declare -gix VAR_PRIORITY=0
declare -gix VAR_REIONICE_CLASS=2
declare -gix VAR_REIONICE_PRIORITY=4
### CHROOT ACTIVATION 4020()
### 4010_prepare_mounts.sh
declare -gx VAR_CHROOT_ACTIVATED="false"
### 4120_installation_kernel.sh
declare -gx VAR_KERNEL=""
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh