msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 54s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-07-30 22:20:22 +02:00
parent 25d4f2aaab
commit 0ee237f3eb
10 changed files with 145 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
ciss_debian_installer.sh
View File

@@ -210,15 +210,15 @@ uuid_logger
echo "MAIN PROGRAM SEQUENCE: func_debootstrap() ..." echo "MAIN PROGRAM SEQUENCE: func_debootstrap() ..."
func_debootstrap func_debootstrap
echo "MAIN PROGRAM SEQUENCE: configure_system() ..." echo "MAIN PROGRAM SEQUENCE: configure_system() ..."
configure_system # TODO: 4020() Command: [mkdir -p /etc/systemd/system/multi-user.target.wants] failed in: '/target'. configure_system
echo "MAIN PROGRAM SEQUENCE: generate_fstab() ..." echo "MAIN PROGRAM SEQUENCE: generate_fstab() ..."
generate_fstab # TODO: Checks ongoing. Format errors. SWAP missing generate_fstab
echo "MAIN PROGRAM SEQUENCE: generate_crypttab() ..." echo "MAIN PROGRAM SEQUENCE: generate_crypttab() ..."
generate_crypttab # TODO: Checks ongoing. generate_crypttab
echo "MAIN PROGRAM SEQUENCE: generate_sources() ..." echo "MAIN PROGRAM SEQUENCE: generate_sources() ..."
generate_sources generate_sources
echo "MAIN PROGRAM SEQUENCE: minimal_toolset() ..." echo "MAIN PROGRAM SEQUENCE: minimal_toolset() ..."
minimal_toolset minimal_toolset # TODO: Checks ongoing.
echo "MAIN PROGRAM SEQUENCE: setup_skel() ..." echo "MAIN PROGRAM SEQUENCE: setup_skel() ..."
setup_skel setup_skel
echo "MAIN PROGRAM SEQUENCE: setup_timezone() ..." echo "MAIN PROGRAM SEQUENCE: setup_timezone() ..."

6
func/helper/1080_helper_chroot.sh
View File

@@ -35,7 +35,6 @@ do_in_target() {
declare var_chroot_target="$1"; shift declare var_chroot_target="$1"; shift
declare -a ary_chroot_command=("$@") declare -a ary_chroot_command=("$@")
declare -r var_default_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" declare -r var_default_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
declare -i var_chroot_rc=0
if (( ${#ary_chroot_command[@]} == 0 )); then if (( ${#ary_chroot_command[@]} == 0 )); then
@@ -62,9 +61,7 @@ do_in_target() {
then then
var_chroot_rc="${?}"
do_log "emergency" "file_only" "1080() Command: [chroot ${var_chroot_target} /usr/bin/env -i HOME=/root PATH=${var_default_path} TERM=${TERM} LANG=C.UTF-8 LC_ALL=C.UTF-8 ${ary_chroot_command[*]}] failed." do_log "emergency" "file_only" "1080() Command: [chroot ${var_chroot_target} /usr/bin/env -i HOME=/root PATH=${var_default_path} TERM=${TERM} LANG=C.UTF-8 LC_ALL=C.UTF-8 ${ary_chroot_command[*]}] failed."
do_log "emergency" "file_only" "1080() Command: [Return code: '${var_chroot_rc}']."
return "${ERR_CHRT_COMMAND}" return "${ERR_CHRT_COMMAND}"
else else
@@ -93,7 +90,6 @@ do_in_target_script() {
declare var_chroot_target="$1"; shift declare var_chroot_target="$1"; shift
declare var_chroot_script="$1" declare var_chroot_script="$1"
declare -r var_default_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" declare -r var_default_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
declare -i var_chroot_rc=0
if [[ -z "${var_chroot_script}" ]]; then if [[ -z "${var_chroot_script}" ]]; then
@@ -112,9 +108,7 @@ do_in_target_script() {
then then
var_chroot_rc="${?}"
do_log "emergency" "file_only" "1080() Command: [chroot ${var_chroot_target} /usr/bin/env -i HOME=/root PATH=${var_default_path} TERM=${TERM} LANG=C.UTF-8 LC_ALL=C.UTF-8 /bin/bash -c ${var_chroot_script}] failed." do_log "emergency" "file_only" "1080() Command: [chroot ${var_chroot_target} /usr/bin/env -i HOME=/root PATH=${var_default_path} TERM=${TERM} LANG=C.UTF-8 LC_ALL=C.UTF-8 /bin/bash -c ${var_chroot_script}] failed."
do_log "emergency" "file_only" "1080() Command: [Return code: '${var_chroot_rc}']."
return "${ERR_CHRT_COMMAND}" return "${ERR_CHRT_COMMAND}"
# TODO: Test with Dialog Wrapper in interactive mode. # TODO: Test with Dialog Wrapper in interactive mode.

8
func/helper/1251_yaml_reader.sh
View File

@@ -35,7 +35,7 @@ yaml_reader() {
# shellcheck disable=SC2034 # shellcheck disable=SC2034
declare -Ag HMP_RECIPE_DEV_PARTITIONS=() declare -Ag HMP_RECIPE_DEV_PARTITIONS=()
declare -gx VAR_RECIPE_STRING="" VAR_RECIPE_HIGHEST_DEVICE="" VAR_ARCHITECTURE="" VAR_RECIPE_FIRMWARE="" VAR_NUKE="" \ declare -gx VAR_RECIPE_STRING="" VAR_RECIPE_HIGHEST_DEVICE="" VAR_ARCHITECTURE="" VAR_RECIPE_FIRMWARE="" VAR_NUKE="" \
VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false" VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false" VAR_CODENAME=""
### Declare and substitute input files. ### Declare and substitute input files.
declare -r var_if="${VAR_PRESEED}" declare -r var_if="${VAR_PRESEED}"
declare var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \ declare var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \
@@ -133,11 +133,13 @@ END { print max }
### Extract architecture. ### Extract architecture.
# shellcheck disable=SC2034 # shellcheck disable=SC2034
VAR_ARCHITECTURE="${architecture}" VAR_ARCHITECTURE="${architecture,,}"
# shellcheck disable=SC2034
VAR_CODENAME="${distribution,,}"
### Extract chroot secure '/run' mounting strategy. ### Extract chroot secure '/run' mounting strategy.
# shellcheck disable=SC2034 # shellcheck disable=SC2034
VAR_NEED_RUN_IN_TARGET="${needrun}" VAR_NEED_RUN_IN_TARGET="${needrun,,}"
### Extract chosen firmware. ### Extract chosen firmware.
recipe_firmware_var="recipe_${VAR_RECIPE_STRING}_control_firmware" recipe_firmware_var="recipe_${VAR_RECIPE_STRING}_control_firmware"

1
func/system/4020_configure_system.sh
View File

@@ -107,6 +107,7 @@ configure_system() {
# shellcheck disable=SC2034 # shellcheck disable=SC2034
declare -gx VAR_CHROOT_ACTIVATED="system" declare -gx VAR_CHROOT_ACTIVATED="system"
do_log "info" "file_only" "4020() Command: [declare -gx VAR_CHROOT_ACTIVATED=system]"
return 0 return 0
} }

40
func/system/4040_generate_fstab.sh
View File

@@ -30,12 +30,12 @@ write_fstab() {
if [[ "${write_maps}" =~ ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}$ ]] || [[ "${write_maps}" =~ ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ ]]; then if [[ "${write_maps}" =~ ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}$ ]] || [[ "${write_maps}" =~ ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ ]]; then
printf "%-43s%-28s%-8s%-100s0 %s\n" "UUID=${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab" printf "%-43s%-28s%-18s%-100s0 %s\n" "UUID=${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
do_log "info" "file_only" "4040() fstab entry generated: [UUID=${write_maps} ${write_path} ${write_type} ${write_opts} 0 ${write_pass}]." do_log "info" "file_only" "4040() fstab entry generated: [UUID=${write_maps} ${write_path} ${write_type} ${write_opts} 0 ${write_pass}]."
elif [[ "${write_maps}" == /dev/mapper/* ]]; then elif [[ "${write_maps}" == /dev/mapper/* ]]; then
printf "%-43s%-28s%-8s%-100s0 %s\n" "${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab" printf "%-43s%-28s%-18s%-100s0 %s\n" "${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
do_log "info" "file_only" "4040() fstab entry generated: [${write_maps} ${write_path} ${write_type} ${write_opts} 0 ${write_pass}]." do_log "info" "file_only" "4040() fstab entry generated: [${write_maps} ${write_path} ${write_type} ${write_opts} 0 ${write_pass}]."
fi fi
@@ -47,12 +47,12 @@ write_fstab() {
# Generate target '/etc/fstab' entries. # Generate target '/etc/fstab' entries.
# Globals: # Globals:
# ARY_PATHS_SORTED # ARY_PATHS_SORTED
# DIR_LOG
# HMP_EPHEMERAL_ENCLABEL # HMP_EPHEMERAL_ENCLABEL
# HMP_FSTAB_MOUNT_FTYPE # HMP_FSTAB_MOUNT_FTYPE
# HMP_FSTAB_MOUNT_OPTS # HMP_FSTAB_MOUNT_OPTS
# HMP_PATH_FSUUID # HMP_PATH_FSUUID
# TARGET # TARGET
# VAR_VERSION
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
@@ -61,7 +61,6 @@ write_fstab() {
generate_fstab() { generate_fstab() {
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare var_path="" var_dmapper="" var_fs_uuid="" var_fs_path="" var_fs_type="" var_fs_opts="" var_fs_pass="" declare var_path="" var_dmapper="" var_fs_uuid="" var_fs_path="" var_fs_type="" var_fs_opts="" var_fs_pass=""
declare -i rc=0
### Generate '${TARGET}/etc/fstab' header. ### Generate '${TARGET}/etc/fstab' header.
: >| "${TARGET}/etc/fstab" : >| "${TARGET}/etc/fstab"
@@ -79,7 +78,9 @@ generate_fstab() {
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# CISS.debian.installer ${VAR_VERSION} # /etc/fstab : Generated by CISS.debian.installer ${VAR_VERSION}
# Architecture : ${VAR_ARCHITECTURE}
# Distribution : ${VAR_CODENAME}
# Static file system information '/etc/fstab'. # Static file system information '/etc/fstab'.
# #
@@ -89,7 +90,7 @@ generate_fstab() {
# 'systemd' generates mount units based on this file. See systemd.mount(5). Please run 'systemctl daemon-reload' after making # 'systemd' generates mount units based on this file. See systemd.mount(5). Please run 'systemctl daemon-reload' after making
# changes here. # changes here.
# #
# <file system UUID> <mount point> <type> <options> <dump> <pass> # <file system UUID> <mount point> <type> <options> <dump> <pass>
EOF EOF
@@ -168,26 +169,25 @@ EOF
cat << 'EOF' >> "${TARGET}/etc/fstab" cat << 'EOF' >> "${TARGET}/etc/fstab"
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0 /dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
EOF EOF
do_log "info" "file_only" "fstab entry generated: '/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0'." do_log "info" "file_only" "4040() fstab entry generated: '/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0'."
cat << 'EOF' >> "${TARGET}/etc/fstab" cat << 'EOF' >> "${TARGET}/etc/fstab"
### Secure tmpfs mounts for a hardened system ### Secure tmpfs mounts for a hardened system
# Mount the 'proc' filesystem to provide process and kernel information.
# Mount 'sysfs' to expose kernel device information to user space.
# Mount the 'devpts' filesystem to enable pseudo-terminal support for user sessions.
# Restrict '/dev/shm' to shared memory, limit size, prevent code execution.
# System runtime directory in RAM. Do not set 'noexec' here for compatibility.
proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0
sysfs /sys sysfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
tmpfs /dev/shm tmpfs rw,nodev,noexec,nosuid,relatime,size=1G 0 0
tmpfs /run tmpfs mode=0755,nodev,nosuid 0 0
# Mount the proc filesystem to provide process and kernel information # vim: number et ts=2 sw=2 sts=2 ai tw=200 ft=sh
proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0
# Mount sysfs to expose kernel device information to user space
sysfs /sys sysfs defaults 0 0
# Mount the devpts filesystem to enable pseudo-terminal support for user sessions
devpts /dev/pts devpts gid=5,mode=620 0 0
# Restrict /dev/shm to shared memory, limit size, prevent code execution
tmpfs /dev/shm tmpfs rw,nodev,noexec,nosuid,relatime,size=1G 0 0
# System runtime directory in RAM; do not set noexec here for compatibility
tmpfs /run tmpfs mode=0755,nodev,nosuid 0 0
# vim: number et ts=2 sw=2 sts=2 ai tw=192 ft=sh
EOF EOF
return 0 return 0

28
func/system/4060_generate_crypttab.sh
View File

@@ -26,8 +26,10 @@ guard_sourcing
####################################### #######################################
write_crypttab() { write_crypttab() {
declare write_label="$1" write_dev="$2" write_key_file="$3" write_opts="$4" declare write_label="$1" write_dev="$2" write_key_file="$3" write_opts="$4"
printf "%-43s %-45s %-29s %s\n" "${write_label}" "${write_dev}" "${write_key_file}" "${write_opts}" >> "${TARGET}/etc/crypttab"
printf "%-43s %-46s %-30s %s\n" "${write_label}" "${write_dev}" "${write_key_file}" "${write_opts}" >> "${TARGET}/etc/crypttab"
do_log "info" "file_only" "4060() crypttab entry generated: [${write_label} ${write_dev} ${write_key_file} ${write_opts}]." do_log "info" "file_only" "4060() crypttab entry generated: [${write_label} ${write_dev} ${write_key_file} ${write_opts}]."
return 0 return 0
} }
@@ -40,6 +42,7 @@ write_crypttab() {
# HMP_PATH_LUKSUUID # HMP_PATH_LUKSUUID
# TARGET # TARGET
# VAR_NUKE # VAR_NUKE
# VAR_VERSION
# dropbear_boot # dropbear_boot
# Arguments: # Arguments:
# None # None
@@ -54,7 +57,7 @@ generate_crypttab() {
: >| "${TARGET}/etc/crypttab" : >| "${TARGET}/etc/crypttab"
chmod 0600 "${TARGET}/etc/crypttab" chmod 0600 "${TARGET}/etc/crypttab"
cat << 'EOF' >> "${TARGET}/etc/crypttab" cat << EOF >> "${TARGET}/etc/crypttab"
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
@@ -66,6 +69,10 @@ generate_crypttab() {
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# /etc/fstab : Generated by CISS.debian.installer ${VAR_VERSION}
# Architecture : ${VAR_ARCHITECTURE}
# Distribution : ${VAR_CODENAME}
# Static file system information: '/etc/crypttab'. # Static file system information: '/etc/crypttab'.
# #
# Basic rule: 'discard' / 'nodiscard' are normally only set in '/etc/crypttab' when LUKS/dm-crypt is in use. Options like # Basic rule: 'discard' / 'nodiscard' are normally only set in '/etc/crypttab' when LUKS/dm-crypt is in use. Options like
@@ -77,7 +84,7 @@ generate_crypttab() {
# not specify discard in the '/etc/crypttab', dm-crypt blocks TRIM by default. This would render a discard in the '/etc/fstab' # not specify discard in the '/etc/crypttab', dm-crypt blocks TRIM by default. This would render a discard in the '/etc/fstab'
# ineffective. # ineffective.
# #
# <name> <device> <password-file-or-none> <options> # <name> <device> <password-file-or-none> <options>
EOF EOF
@@ -91,7 +98,9 @@ EOF
if [[ "${VAR_NUKE,,}" == "true" && "${var_key,,}" == "/" ]]; then if [[ "${VAR_NUKE,,}" == "true" && "${var_key,,}" == "/" ]]; then
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=/lib/cryptsetup/scripts/unlock_wrapper.sh" # TODO: Check for cryptsetup installation errors while unlock_wrapper.sh is not yet installed.
#write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=/lib/cryptsetup/scripts/unlock_wrapper.sh"
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs"
continue continue
fi fi
@@ -113,20 +122,29 @@ EOF
var_host_uuid="${HMP_PATH_FSUUID["${var_key}"]}" var_host_uuid="${HMP_PATH_FSUUID["${var_key}"]}"
case "${var_key}" in case "${var_key}" in
SWAP) SWAP)
write_crypttab "${var_ephemeral_enclabel}" "UUID=${var_host_uuid}" "/dev/random" "swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096" write_crypttab "${var_ephemeral_enclabel}" "UUID=${var_host_uuid}" "/dev/random" "swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096"
;; ;;
/tmp) /tmp)
write_crypttab "${var_ephemeral_enclabel}" "UUID=${var_host_uuid}" "/dev/random" "offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4" write_crypttab "${var_ephemeral_enclabel}" "UUID=${var_host_uuid}" "/dev/random" "offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4"
;; ;;
*) *)
do_log "error" "file_only" "Only 'SWAP' and '/tmp' are valid Partitions for Ephemeral Encryption. Given value was: '${var_key}'." do_log "error" "file_only" "4060() Only 'SWAP' and '/tmp' are valid Partitions for Ephemeral Encryption. Given value was: '${var_key}'."
continue continue
;; ;;
esac esac
done done
cat << 'EOF' >> "${TARGET}/etc/crypttab"
# vim: number et ts=2 sw=2 sts=2 ai tw=200 ft=sh
EOF
return 0 return 0
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

84
func/system/4080_generate_sources.sh
View File

@@ -36,8 +36,9 @@ guard_sourcing
# 0: on success # 0: on success
####################################### #######################################
generate_sources() { generate_sources() {
declare -a ary_components ### Declare Arrays, HashMaps, and Variables.
declare var_arch var_codename var_deb_src var_dir var_hostname var_hostsecure var_url var_surl declare -a ary_components=()
declare var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url var_surl=""
# shellcheck disable=SC2154 # "${architecture}" # shellcheck disable=SC2154 # "${architecture}"
var_arch="${architecture,,}" var_arch="${architecture,,}"
@@ -52,88 +53,126 @@ generate_sources() {
# shellcheck disable=SC2154 # "${apt_sec}" # shellcheck disable=SC2154 # "${apt_sec}"
var_hostsecure="${apt_sec,,}" var_hostsecure="${apt_sec,,}"
ary_components=(main) ary_components=( "main" )
[[ "${apt_contrib,,}" == "true" ]] && ary_components+=(contrib) [[ "${apt_contrib,,}" == "true" ]] && ary_components+=( "contrib" )
[[ "${apt_non_free,,}" == "true" ]] && ary_components+=(non-free) [[ "${apt_non_free,,}" == "true" ]] && ary_components+=( "non-free" )
[[ "${apt_non_free_firmware,,}" == "true" ]] && ary_components+=(non-free-firmware) [[ "${apt_non_free_firmware,,}" == "true" ]] && ary_components+=( "non-free-firmware" )
if [[ "${apt_mirror_protocol,,}" == "https" ]]; then if [[ "${apt_mirror_protocol,,}" == "https" ]]; then
var_url="https://${var_hostname}${var_dir}" var_url="https://${var_hostname}${var_dir}"
var_surl="https://${var_hostsecure}/debian-security" var_surl="https://${var_hostsecure}/debian-security"
elif [[ "${apt_mirror_protocol,,}" == "http" ]]; then elif [[ "${apt_mirror_protocol,,}" == "http" ]]; then
var_url="http://${var_hostname}${var_dir}" var_url="http://${var_hostname}${var_dir}"
var_surl="http://${var_hostsecure}/debian-security" var_surl="http://${var_hostsecure}/debian-security"
else else
var_url="https://${var_hostname}${var_dir}" var_url="https://${var_hostname}${var_dir}"
var_surl="https://${var_hostsecure}/debian-security" var_surl="https://${var_hostsecure}/debian-security"
fi fi
: >| "${TARGET}/etc/apt/sources.list" : >| "${TARGET}/etc/apt/sources.list"
chmod 0644 "${TARGET}/etc/apt/sources.list" chmod 0644 "${TARGET}/etc/apt/sources.list"
### Main Repository ### Main Repository
# shellcheck disable=SC2153
cat << EOF >> "${TARGET}/etc/apt/sources.list" cat << EOF >> "${TARGET}/etc/apt/sources.list"
# /etc/apt/sources.list : Generated by CISS.debian.installer # SPDX-Version: 3.0
# Architecture : ${var_arch} # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# Distribution : ${var_codename} # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# /etc/apt/sources.list : Generated by CISS.debian.installer ${VAR_VERSION}
# Architecture : ${VAR_ARCHITECTURE}
# Distribution : ${VAR_CODENAME}
#------------------------------------------------------------------------------------------------------------------------------# #------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS # # OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------# #------------------------------------------------------------------------------------------------------------------------------#
deb ${var_url} ${var_codename} ${ary_components[*]} deb ${var_url} ${var_codename} ${ary_components[*]}
EOF EOF
do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename} ${ary_components[*]}'." do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename} ${ary_components[*]}'."
if [[ "${var_deb_src}" == "true" ]]; then if [[ "${var_deb_src}" == "true" ]]; then
echo "deb-src ${var_url} ${var_codename} ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list" echo "deb-src ${var_url} ${var_codename} ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename} ${ary_components[*]}'." do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename} ${ary_components[*]}'."
fi fi
### Security Repository ### Security Repository
if [[ "${apt_updates_security,,}" == "true" ]]; then if [[ "${apt_updates_security,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/apt/sources.list" cat << EOF >> "${TARGET}/etc/apt/sources.list"
deb ${var_surl} ${var_codename}-security ${ary_components[*]} deb ${var_surl} ${var_codename}-security ${ary_components[*]}
EOF EOF
do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_surl} ${var_codename}-security ${ary_components[*]}'." do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_surl} ${var_codename}-security ${ary_components[*]}'."
if [[ "${var_deb_src}" == "true" ]]; then if [[ "${var_deb_src}" == "true" ]]; then
echo "deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list" echo "deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}'." do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}'."
fi fi
fi fi
### Updates Repository ### Updates Repository
if [[ "${apt_updates_release,,}" == "true" ]]; then if [[ "${apt_updates_release,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/apt/sources.list" cat << EOF >> "${TARGET}/etc/apt/sources.list"
deb ${var_url} ${var_codename}-updates ${ary_components[*]} deb ${var_url} ${var_codename}-updates ${ary_components[*]}
EOF EOF
do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-updates ${ary_components[*]}'." do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-updates ${ary_components[*]}'."
if [[ "${var_deb_src}" == "true" ]]; then if [[ "${var_deb_src}" == "true" ]]; then
echo "deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list" echo "deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}'." do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}'."
fi fi
fi fi
### Backports Repository ### Backports Repository
if [[ "${apt_updates_backports,,}" == "true" ]]; then if [[ "${apt_updates_backports,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/apt/sources.list" cat << EOF >> "${TARGET}/etc/apt/sources.list"
deb ${var_url} ${var_codename}-backports ${ary_components[*]} deb ${var_url} ${var_codename}-backports ${ary_components[*]}
EOF EOF
do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-backports ${ary_components[*]}'." do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-backports ${ary_components[*]}'."
if [[ "${var_deb_src,,}" == "true" ]]; then if [[ "${var_deb_src,,}" == "true" ]]; then
echo "deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list" echo "deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}'." do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}'."
fi fi
fi fi
### Clean up 'sources.list' ### Clean up 'sources.list'
sed -i '/^#/!s/[[:space:]]\+/ /g' "${TARGET}/etc/apt/sources.list" sed -i '/^#/!s/[[:space:]]\+/ /g' "${TARGET}/etc/apt/sources.list"
cat << EOF >> "${TARGET}/etc/apt/sources.list" cat << EOF >> "${TARGET}/etc/apt/sources.list"
# Copyright 2018-2025; WEIDNER, Marc S., <msw@coresecret.dev>
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF EOF
@@ -142,7 +181,7 @@ EOF
if [[ "${apt_updates_policy,,}" == "unattended" ]]; then if [[ "${apt_updates_policy,,}" == "unattended" ]]; then
do_in_target "${TARGET}" apt-get install -y unattended-upgrades do_in_target "${TARGET}" apt-get install -y unattended-upgrades
do_log "info" "file_only" "The update policy was set at installation time to '${apt_updates_policy}'." do_log "info" "file_only" "4080() The update policy was set at installation time to '${apt_updates_policy}'."
elif [[ "${apt_updates_policy,,}" == "security" ]]; then elif [[ "${apt_updates_policy,,}" == "security" ]]; then
@@ -150,17 +189,18 @@ EOF
# shellcheck disable=SC2016 # shellcheck disable=SC2016
sed -i 's/^[[:space:]]*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${TARGET}/etc/apt/apt.conf.d/50unattended-upgrades" sed -i 's/^[[:space:]]*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${TARGET}/etc/apt/apt.conf.d/50unattended-upgrades"
do_log "info" "file_only" "The update policy was set at installation time to '${apt_updates_policy}'." do_log "info" "file_only" "4080() The update policy was set at installation time to '${apt_updates_policy}'."
elif [[ "${apt_updates_policy,,}" == "none" ]]; then elif [[ "${apt_updates_policy,,}" == "none" ]]; then
do_log "info" "file_only" "The update policy was set at installation time to: '${apt_updates_policy}'." do_log "info" "file_only" "4080() The update policy was set at installation time to: '${apt_updates_policy}'."
else else
do_log "warning" "file_only" "Update policy '${apt_updates_policy}': is not supported. Using 'none' as default." do_log "warning" "file_only" "4080() Update policy '${apt_updates_policy}': is not supported. Using 'none' as default."
fi fi
return 0 return 0
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

22
func/system/4090_minimal_toolset.sh
View File

@@ -44,6 +44,26 @@ minimal_toolset() {
[sudo]="sudo" [sudo]="sudo"
[update-initramfs]="initramfs-tools" [update-initramfs]="initramfs-tools"
[zsh]="zsh" [zsh]="zsh"
[lsblk]="util-linux"
[blkid]="util-linux"
[mount]="util-linux"
[umount]="util-linux"
[findmnt]="util-linux"
[parted]="parted"
[fdisk]="fdisk"
[tar]="tar"
[gzip]="gzip"
[curl]="curl"
[wget]="wget"
[tree]="tree"
[lsb_release]="lsb-release"
[btrfs]="btrfs-progs"
[e2label]="e2fsprogs"
[tune2fs]="e2fsprogs"
[fsck]="e2fsprogs"
[base64]="coreutils"
[xxd]="vim-common"
[jq]="jq"
) )
declare var_bin="" declare var_bin=""
@@ -58,6 +78,8 @@ minimal_toolset() {
done done
do_in_target "${TARGET}" apt-get install -y locales tzdata debconf
### Ensure systemd and machine-id are in place ### Ensure systemd and machine-id are in place
if ! do_in_target_script "${TARGET}" "command -v systemctl >/dev/null"; then if ! do_in_target_script "${TARGET}" "command -v systemctl >/dev/null"; then

8
func/system/4095_setup_skel.sh
View File

@@ -16,6 +16,7 @@ guard_sourcing
# Prepare '/etc/skel'-Directory. # Prepare '/etc/skel'-Directory.
# Globals: # Globals:
# TARGET # TARGET
# VAR_SETUP_PATH
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
@@ -27,10 +28,13 @@ setup_skel() {
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/alias" "${TARGET}/etc/skel/.ciss/" install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/alias" "${TARGET}/etc/skel/.ciss/"
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/clean_logout.sh" "${TARGET}/etc/skel/.ciss/" install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/clean_logout.sh" "${TARGET}/etc/skel/.ciss/"
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/shortcuts" "${TARGET}/etc/skel/.ciss/" install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/shortcuts" "${TARGET}/etc/skel/.ciss/"
# In order to be able to copy/paste from vim, one needs to create a '.vimrc' in every home directory with the following content:
### In order to be able to copy/paste from vim, one needs to create a '.vimrc' in every home directory with the following content:
echo 'set clipboard=unnamed' >| "${TARGET}/etc/skel/.vimrc" echo 'set clipboard=unnamed' >| "${TARGET}/etc/skel/.vimrc"
chmod 0644 "${TARGET}/etc/skel/.vimrc" chmod 0644 "${TARGET}/etc/skel/.vimrc"
do_log "info" "file_only" "Installed: '/etc/skel'-Files."
do_log "info" "file_only" "4095() Installed: '/etc/skel'-Files."
return 0 return 0
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/system/4999_exiting_chroot_system.sh
View File

@@ -41,6 +41,8 @@ exiting_chroot_system() {
fi fi
declare -gx VAR_CHROOT_ACTIVATED="false"
return 0 return 0
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh