msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 54s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-07-30 22:20:22 +02:00
parent 25d4f2aaab
commit 0ee237f3eb
10 changed files with 145 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
func/system/4020_configure_system.sh
View File

@@ -107,6 +107,7 @@ configure_system() {
# shellcheck disable=SC2034
declare -gx VAR_CHROOT_ACTIVATED="system"
do_log "info" "file_only" "4020() Command: [declare -gx VAR_CHROOT_ACTIVATED=system]"
return 0
}

40
func/system/4040_generate_fstab.sh
View File

@@ -30,12 +30,12 @@ write_fstab() {
if [[ "${write_maps}" =~ ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}$ ]] || [[ "${write_maps}" =~ ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ ]]; then
printf "%-43s%-28s%-8s%-100s0 %s\n" "UUID=${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
printf "%-43s%-28s%-18s%-100s0 %s\n" "UUID=${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
do_log "info" "file_only" "4040() fstab entry generated: [UUID=${write_maps} ${write_path} ${write_type} ${write_opts} 0 ${write_pass}]."
elif [[ "${write_maps}" == /dev/mapper/* ]]; then
printf "%-43s%-28s%-8s%-100s0 %s\n" "${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
printf "%-43s%-28s%-18s%-100s0 %s\n" "${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
do_log "info" "file_only" "4040() fstab entry generated: [${write_maps} ${write_path} ${write_type} ${write_opts} 0 ${write_pass}]."
fi
@@ -47,12 +47,12 @@ write_fstab() {
# Generate target '/etc/fstab' entries.
# Globals:
# ARY_PATHS_SORTED
# DIR_LOG
# HMP_EPHEMERAL_ENCLABEL
# HMP_FSTAB_MOUNT_FTYPE
# HMP_FSTAB_MOUNT_OPTS
# HMP_PATH_FSUUID
# TARGET
# VAR_VERSION
# Arguments:
# None
# Returns:
@@ -61,7 +61,6 @@ write_fstab() {
generate_fstab() {
### Declare Arrays, HashMaps, and Variables.
declare var_path="" var_dmapper="" var_fs_uuid="" var_fs_path="" var_fs_type="" var_fs_opts="" var_fs_pass=""
declare -i rc=0
### Generate '${TARGET}/etc/fstab' header.
: >| "${TARGET}/etc/fstab"
@@ -79,7 +78,9 @@ generate_fstab() {
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# CISS.debian.installer ${VAR_VERSION}
# /etc/fstab : Generated by CISS.debian.installer ${VAR_VERSION}
# Architecture : ${VAR_ARCHITECTURE}
# Distribution : ${VAR_CODENAME}
# Static file system information '/etc/fstab'.
#
@@ -89,7 +90,7 @@ generate_fstab() {
# 'systemd' generates mount units based on this file. See systemd.mount(5). Please run 'systemctl daemon-reload' after making
# changes here.
#
# <file system UUID> <mount point> <type> <options> <dump> <pass>
# <file system UUID> <mount point> <type> <options> <dump> <pass>
EOF
@@ -168,26 +169,25 @@ EOF
cat << 'EOF' >> "${TARGET}/etc/fstab"
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
EOF
do_log "info" "file_only" "fstab entry generated: '/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0'."
do_log "info" "file_only" "4040() fstab entry generated: '/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0'."
cat << 'EOF' >> "${TARGET}/etc/fstab"
### Secure tmpfs mounts for a hardened system
# Mount the 'proc' filesystem to provide process and kernel information.
# Mount 'sysfs' to expose kernel device information to user space.
# Mount the 'devpts' filesystem to enable pseudo-terminal support for user sessions.
# Restrict '/dev/shm' to shared memory, limit size, prevent code execution.
# System runtime directory in RAM. Do not set 'noexec' here for compatibility.
proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0
sysfs /sys sysfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
tmpfs /dev/shm tmpfs rw,nodev,noexec,nosuid,relatime,size=1G 0 0
tmpfs /run tmpfs mode=0755,nodev,nosuid 0 0
# Mount the proc filesystem to provide process and kernel information
proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0
# Mount sysfs to expose kernel device information to user space
sysfs /sys sysfs defaults 0 0
# Mount the devpts filesystem to enable pseudo-terminal support for user sessions
devpts /dev/pts devpts gid=5,mode=620 0 0
# Restrict /dev/shm to shared memory, limit size, prevent code execution
tmpfs /dev/shm tmpfs rw,nodev,noexec,nosuid,relatime,size=1G 0 0
# System runtime directory in RAM; do not set noexec here for compatibility
tmpfs /run tmpfs mode=0755,nodev,nosuid 0 0
# vim: number et ts=2 sw=2 sts=2 ai tw=192 ft=sh
# vim: number et ts=2 sw=2 sts=2 ai tw=200 ft=sh
EOF
return 0

28
func/system/4060_generate_crypttab.sh
View File

@@ -26,8 +26,10 @@ guard_sourcing
#######################################
write_crypttab() {
declare write_label="$1" write_dev="$2" write_key_file="$3" write_opts="$4"
printf "%-43s %-45s %-29s %s\n" "${write_label}" "${write_dev}" "${write_key_file}" "${write_opts}" >> "${TARGET}/etc/crypttab"
printf "%-43s %-46s %-30s %s\n" "${write_label}" "${write_dev}" "${write_key_file}" "${write_opts}" >> "${TARGET}/etc/crypttab"
do_log "info" "file_only" "4060() crypttab entry generated: [${write_label} ${write_dev} ${write_key_file} ${write_opts}]."
return 0
}
@@ -40,6 +42,7 @@ write_crypttab() {
# HMP_PATH_LUKSUUID
# TARGET
# VAR_NUKE
# VAR_VERSION
# dropbear_boot
# Arguments:
# None
@@ -54,7 +57,7 @@ generate_crypttab() {
: >| "${TARGET}/etc/crypttab"
chmod 0600 "${TARGET}/etc/crypttab"
cat << 'EOF' >> "${TARGET}/etc/crypttab"
cat << EOF >> "${TARGET}/etc/crypttab"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
@@ -66,6 +69,10 @@ generate_crypttab() {
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# /etc/fstab : Generated by CISS.debian.installer ${VAR_VERSION}
# Architecture : ${VAR_ARCHITECTURE}
# Distribution : ${VAR_CODENAME}
# Static file system information: '/etc/crypttab'.
#
# Basic rule: 'discard' / 'nodiscard' are normally only set in '/etc/crypttab' when LUKS/dm-crypt is in use. Options like
@@ -77,7 +84,7 @@ generate_crypttab() {
# not specify discard in the '/etc/crypttab', dm-crypt blocks TRIM by default. This would render a discard in the '/etc/fstab'
# ineffective.
#
# <name> <device> <password-file-or-none> <options>
# <name> <device> <password-file-or-none> <options>
EOF
@@ -91,7 +98,9 @@ EOF
if [[ "${VAR_NUKE,,}" == "true" && "${var_key,,}" == "/" ]]; then
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=/lib/cryptsetup/scripts/unlock_wrapper.sh"
# TODO: Check for cryptsetup installation errors while unlock_wrapper.sh is not yet installed.
#write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=/lib/cryptsetup/scripts/unlock_wrapper.sh"
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs"
continue
fi
@@ -113,20 +122,29 @@ EOF
var_host_uuid="${HMP_PATH_FSUUID["${var_key}"]}"
case "${var_key}" in
SWAP)
write_crypttab "${var_ephemeral_enclabel}" "UUID=${var_host_uuid}" "/dev/random" "swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096"
;;
/tmp)
write_crypttab "${var_ephemeral_enclabel}" "UUID=${var_host_uuid}" "/dev/random" "offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4"
;;
*)
do_log "error" "file_only" "Only 'SWAP' and '/tmp' are valid Partitions for Ephemeral Encryption. Given value was: '${var_key}'."
do_log "error" "file_only" "4060() Only 'SWAP' and '/tmp' are valid Partitions for Ephemeral Encryption. Given value was: '${var_key}'."
continue
;;
esac
done
cat << 'EOF' >> "${TARGET}/etc/crypttab"
# vim: number et ts=2 sw=2 sts=2 ai tw=200 ft=sh
EOF
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

84
func/system/4080_generate_sources.sh
View File

@@ -36,8 +36,9 @@ guard_sourcing
# 0: on success
#######################################
generate_sources() {
declare -a ary_components
declare var_arch var_codename var_deb_src var_dir var_hostname var_hostsecure var_url var_surl
### Declare Arrays, HashMaps, and Variables.
declare -a ary_components=()
declare var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url var_surl=""
# shellcheck disable=SC2154 # "${architecture}"
var_arch="${architecture,,}"
@@ -52,88 +53,126 @@ generate_sources() {
# shellcheck disable=SC2154 # "${apt_sec}"
var_hostsecure="${apt_sec,,}"
ary_components=(main)
[[ "${apt_contrib,,}" == "true" ]] && ary_components+=(contrib)
[[ "${apt_non_free,,}" == "true" ]] && ary_components+=(non-free)
[[ "${apt_non_free_firmware,,}" == "true" ]] && ary_components+=(non-free-firmware)
ary_components=( "main" )
[[ "${apt_contrib,,}" == "true" ]] && ary_components+=( "contrib" )
[[ "${apt_non_free,,}" == "true" ]] && ary_components+=( "non-free" )
[[ "${apt_non_free_firmware,,}" == "true" ]] && ary_components+=( "non-free-firmware" )
if [[ "${apt_mirror_protocol,,}" == "https" ]]; then
var_url="https://${var_hostname}${var_dir}"
var_surl="https://${var_hostsecure}/debian-security"
elif [[ "${apt_mirror_protocol,,}" == "http" ]]; then
var_url="http://${var_hostname}${var_dir}"
var_surl="http://${var_hostsecure}/debian-security"
else
var_url="https://${var_hostname}${var_dir}"
var_surl="https://${var_hostsecure}/debian-security"
fi
: >| "${TARGET}/etc/apt/sources.list"
chmod 0644 "${TARGET}/etc/apt/sources.list"
### Main Repository
# shellcheck disable=SC2153
cat << EOF >> "${TARGET}/etc/apt/sources.list"
# /etc/apt/sources.list : Generated by CISS.debian.installer
# Architecture : ${var_arch}
# Distribution : ${var_codename}
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# /etc/apt/sources.list : Generated by CISS.debian.installer ${VAR_VERSION}
# Architecture : ${VAR_ARCHITECTURE}
# Distribution : ${VAR_CODENAME}
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
deb ${var_url} ${var_codename} ${ary_components[*]}
EOF
do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename} ${ary_components[*]}'."
do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename} ${ary_components[*]}'."
if [[ "${var_deb_src}" == "true" ]]; then
echo "deb-src ${var_url} ${var_codename} ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename} ${ary_components[*]}'."
do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename} ${ary_components[*]}'."
fi
### Security Repository
if [[ "${apt_updates_security,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/apt/sources.list"
deb ${var_surl} ${var_codename}-security ${ary_components[*]}
EOF
do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_surl} ${var_codename}-security ${ary_components[*]}'."
do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_surl} ${var_codename}-security ${ary_components[*]}'."
if [[ "${var_deb_src}" == "true" ]]; then
echo "deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}'."
do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}'."
fi
fi
### Updates Repository
if [[ "${apt_updates_release,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/apt/sources.list"
deb ${var_url} ${var_codename}-updates ${ary_components[*]}
EOF
do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-updates ${ary_components[*]}'."
do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-updates ${ary_components[*]}'."
if [[ "${var_deb_src}" == "true" ]]; then
echo "deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}'."
do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}'."
fi
fi
### Backports Repository
if [[ "${apt_updates_backports,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/apt/sources.list"
deb ${var_url} ${var_codename}-backports ${ary_components[*]}
EOF
do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-backports ${ary_components[*]}'."
do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-backports ${ary_components[*]}'."
if [[ "${var_deb_src,,}" == "true" ]]; then
echo "deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}'."
do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}'."
fi
fi
### Clean up 'sources.list'
sed -i '/^#/!s/[[:space:]]\+/ /g' "${TARGET}/etc/apt/sources.list"
cat << EOF >> "${TARGET}/etc/apt/sources.list"
# Copyright 2018-2025; WEIDNER, Marc S., <msw@coresecret.dev>
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
@@ -142,7 +181,7 @@ EOF
if [[ "${apt_updates_policy,,}" == "unattended" ]]; then
do_in_target "${TARGET}" apt-get install -y unattended-upgrades
do_log "info" "file_only" "The update policy was set at installation time to '${apt_updates_policy}'."
do_log "info" "file_only" "4080() The update policy was set at installation time to '${apt_updates_policy}'."
elif [[ "${apt_updates_policy,,}" == "security" ]]; then
@@ -150,17 +189,18 @@ EOF
# shellcheck disable=SC2016
sed -i 's/^[[:space:]]*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${TARGET}/etc/apt/apt.conf.d/50unattended-upgrades"
do_log "info" "file_only" "The update policy was set at installation time to '${apt_updates_policy}'."
do_log "info" "file_only" "4080() The update policy was set at installation time to '${apt_updates_policy}'."
elif [[ "${apt_updates_policy,,}" == "none" ]]; then
do_log "info" "file_only" "The update policy was set at installation time to: '${apt_updates_policy}'."
do_log "info" "file_only" "4080() The update policy was set at installation time to: '${apt_updates_policy}'."
else
do_log "warning" "file_only" "Update policy '${apt_updates_policy}': is not supported. Using 'none' as default."
do_log "warning" "file_only" "4080() Update policy '${apt_updates_policy}': is not supported. Using 'none' as default."
fi
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

22
func/system/4090_minimal_toolset.sh
View File

@@ -44,6 +44,26 @@ minimal_toolset() {
[sudo]="sudo"
[update-initramfs]="initramfs-tools"
[zsh]="zsh"
[lsblk]="util-linux"
[blkid]="util-linux"
[mount]="util-linux"
[umount]="util-linux"
[findmnt]="util-linux"
[parted]="parted"
[fdisk]="fdisk"
[tar]="tar"
[gzip]="gzip"
[curl]="curl"
[wget]="wget"
[tree]="tree"
[lsb_release]="lsb-release"
[btrfs]="btrfs-progs"
[e2label]="e2fsprogs"
[tune2fs]="e2fsprogs"
[fsck]="e2fsprogs"
[base64]="coreutils"
[xxd]="vim-common"
[jq]="jq"
)
declare var_bin=""
@@ -58,6 +78,8 @@ minimal_toolset() {
done
do_in_target "${TARGET}" apt-get install -y locales tzdata debconf
### Ensure systemd and machine-id are in place
if ! do_in_target_script "${TARGET}" "command -v systemctl >/dev/null"; then

8
func/system/4095_setup_skel.sh
View File

@@ -16,6 +16,7 @@ guard_sourcing
# Prepare '/etc/skel'-Directory.
# Globals:
# TARGET
# VAR_SETUP_PATH
# Arguments:
# None
# Returns:
@@ -27,10 +28,13 @@ setup_skel() {
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/alias" "${TARGET}/etc/skel/.ciss/"
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/clean_logout.sh" "${TARGET}/etc/skel/.ciss/"
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/shortcuts" "${TARGET}/etc/skel/.ciss/"
# In order to be able to copy/paste from vim, one needs to create a '.vimrc' in every home directory with the following content:
### In order to be able to copy/paste from vim, one needs to create a '.vimrc' in every home directory with the following content:
echo 'set clipboard=unnamed' >| "${TARGET}/etc/skel/.vimrc"
chmod 0644 "${TARGET}/etc/skel/.vimrc"
do_log "info" "file_only" "Installed: '/etc/skel'-Files."
do_log "info" "file_only" "4095() Installed: '/etc/skel'-Files."
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/system/4999_exiting_chroot_system.sh
View File

@@ -41,6 +41,8 @@ exiting_chroot_system() {
fi
declare -gx VAR_CHROOT_ACTIVATED="false"
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh