V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-07-27 23:14:35 +02:00
parent cbb9f6cec0
commit 0fe2a74bf0
11 changed files with 73 additions and 29 deletions


@@ -152,7 +152,6 @@ trap 'trap_int' INT TERM
#if ! "${VAR_AUTO_INSTALL}"; then check_provider; fi #if ! "${VAR_AUTO_INSTALL}"; then check_provider; fi
#if ! "${VAR_AUTO_INSTALL}"; then check_kernel; fi #if ! "${VAR_AUTO_INSTALL}"; then check_kernel; fi
# TODO: Implement Debian Style Gauge Bar as Alternative Dialog Wrapper
### Dialog Output for Initialization START. ### Dialog Output for Initialization START.
color_echo "${CYA}" "Dialog Output for Initialization START." color_echo "${CYA}" "Dialog Output for Initialization START."
if ! "${VAR_AUTO_INSTALL}"; then . ./lib/0200_dialog_helper.sh && dialog_box; fi if ! "${VAR_AUTO_INSTALL}"; then . ./lib/0200_dialog_helper.sh && dialog_box; fi
@@ -200,7 +199,7 @@ setup_filesystem
echo "MAIN PROGRAM SEQUENCE: mount_partition()" echo "MAIN PROGRAM SEQUENCE: mount_partition()"
mount_partition mount_partition
echo "MAIN PROGRAM SEQUENCE: uuid_logger()" echo "MAIN PROGRAM SEQUENCE: uuid_logger()"
uuid_logger # TODO: Checks ongoing. uuid_logger
### DEBOOTSTRAP ### DEBOOTSTRAP
echo "MAIN PROGRAM SEQUENCE: func_debootstrap()" echo "MAIN PROGRAM SEQUENCE: func_debootstrap()"
@@ -208,9 +207,9 @@ func_debootstrap
echo "MAIN PROGRAM SEQUENCE: configure_system()" echo "MAIN PROGRAM SEQUENCE: configure_system()"
configure_system configure_system
echo "MAIN PROGRAM SEQUENCE: generate_fstab()" echo "MAIN PROGRAM SEQUENCE: generate_fstab()"
generate_fstab generate_fstab # TODO: Checks ongoing.
echo "MAIN PROGRAM SEQUENCE: generate_crypttab()" echo "MAIN PROGRAM SEQUENCE: generate_crypttab()"
generate_crypttab generate_crypttab # TODO: Checks ongoing.
echo "MAIN PROGRAM SEQUENCE: generate_sources()" echo "MAIN PROGRAM SEQUENCE: generate_sources()"
generate_sources generate_sources
echo "MAIN PROGRAM SEQUENCE: minimal_toolset()" echo "MAIN PROGRAM SEQUENCE: minimal_toolset()"
@@ -268,6 +267,7 @@ setup_chrony
echo "MAIN PROGRAM SEQUENCE: exiting_chroot()" echo "MAIN PROGRAM SEQUENCE: exiting_chroot()"
exiting_chroot exiting_chroot
# TODO: Hibernate deactivation
# TODO: Hardening Scripts Integration # TODO: Hardening Scripts Integration
# TODO: SSH 2fa integration # TODO: SSH 2fa integration
# TODO: Recovery Partition Integration # TODO: Recovery Partition Integration


@@ -33,7 +33,7 @@ uuid_logger() {
var_mountpoint="${var_key#PARTUUID_}" var_mountpoint="${var_key#PARTUUID_}"
var_uuid="${HMP_PATH_PARTUUID[${var_key}]}" var_uuid="${HMP_PATH_PARTUUID[${var_key}]}"
### Left-aligned field width 63; "UUID=" starts directly after column 64. ### Left-aligned field width 63; "UUID=" starts directly after column 64.
printf '%-63sUUID=%s\n' "${var_mountpoint}:" "${var_uuid}" >> "${LOG_UID}" printf '%-63sUUID=%s\n' "${var_mountpoint}" "${var_uuid}" >> "${LOG_UID}"
done done
printf '\n' >> "${LOG_UID}" printf '\n' >> "${LOG_UID}"
@@ -43,7 +43,7 @@ uuid_logger() {
var_mountpoint="${var_key#UUID_}" var_mountpoint="${var_key#UUID_}"
var_uuid="${HMP_PATH_LUKSUUID[${var_key}]}" var_uuid="${HMP_PATH_LUKSUUID[${var_key}]}"
### Left-aligned field width 63; "UUID=" starts directly after column 64. ### Left-aligned field width 63; "UUID=" starts directly after column 64.
printf '%-63sUUID=%s\n' "${var_mountpoint}:" "${var_uuid}" >> "${LOG_UID}" printf '%-63sUUID=%s\n' "${var_mountpoint}" "${var_uuid}" >> "${LOG_UID}"
done done
printf '\n' >> "${LOG_UID}" printf '\n' >> "${LOG_UID}"
@@ -53,7 +53,7 @@ uuid_logger() {
var_mountpoint="${var_key#UUID_}" var_mountpoint="${var_key#UUID_}"
var_uuid="${HMP_PATH_FSUUID[${var_key}]}" var_uuid="${HMP_PATH_FSUUID[${var_key}]}"
### Left-aligned field width 63; "UUID=" starts directly after column 64. ### Left-aligned field width 63; "UUID=" starts directly after column 64.
printf '%-63sUUID=%s\n' "${var_mountpoint}:" "${var_uuid}" >> "${LOG_UID}" printf '%-63sUUID=%s\n' "${var_mountpoint}" "${var_uuid}" >> "${LOG_UID}"
done done
return 0 return 0
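Review bot: The `printf '%-63sUUID=%s\n' … >> "${LOG_UID}"` line and its alignment comment are repeated verbatim in all three loops of this section (the PARTUUID, LUKSUUID and FSUUID passes), which is why the same argument had to be edited three times in one commit; a small helper such as `log_uuid_line() { printf '%-63sUUID=%s\n' "$1" "$2" >> "${LOG_UID}"; }` defined above uuid_logger would keep the layout in one place. Note also that `%-63s` pads but never truncates, so the comment's claim that `UUID=` starts directly after column 64 only holds while the label passed in is shorter than 63 characters — worth stating in that comment. uuid_logger starts before these hunks and continues past them.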


@@ -27,10 +27,10 @@ guard_sourcing
func_debootstrap() { func_debootstrap() {
# shellcheck disable=SC2312 # shellcheck disable=SC2312
if debootstrap --arch="${architecture}" "${distribution}" "${TARGET}" https://deb.debian.org/debian | tee "${LOG_DBS}"; then if debootstrap --arch="${architecture}" "${distribution}" "${TARGET}" https://deb.debian.org/debian | tee "${LOG_DBS}"; then
do_log "info" "file_only" "Executing 'debootstrap --arch=${architecture} ${distribution} '${TARGET}' https://deb.debian.org/debian' successful." do_log "info" "file_only" "4000() Command: [debootstrap --arch=${architecture} ${distribution} '${TARGET}' https://deb.debian.org/debian] successful."
return 0 return 0
else else
do_log "emergency" "file_only" "Executing 'debootstrap --arch=${architecture} ${distribution} '${TARGET}' https://deb.debian.org/debian' NOT successful." do_log "emergency" "file_only" "4000() Command: [debootstrap --arch=${architecture} ${distribution} '${TARGET}' https://deb.debian.org/debian] failed."
return "${ERR_DEBOOTSTRAP}" return "${ERR_DEBOOTSTRAP}"
fi fi
} }
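Review bot: The `if` on the pipeline line tests the exit status of `tee`, not of debootstrap, unless `set -o pipefail` is in effect somewhere outside this file (not visible here); the `shellcheck disable=SC2312` above it silences exactly that warning rather than addressing it. With that, a failed bootstrap is logged as `4000() Command: […] successful.` and the function returns 0, so the installer would continue into configure_system on an incomplete target. An explicit check keeps the `if` shape and works with or without pipefail: `if debootstrap --arch="${architecture}" "${distribution}" "${TARGET}" https://deb.debian.org/debian | tee "${LOG_DBS}" && (( PIPESTATUS[0] == 0 )); then`.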


@@ -40,11 +40,11 @@ configure_system() {
mkdir -p "${var_dst}" mkdir -p "${var_dst}"
if ! mount --make-rslave --rbind "/${var_src}" "${var_dst}"; then if ! mount --make-rslave --rbind "/${var_src}" "${var_dst}"; then
do_log "emergency" "file_only" "Failed: 'mount --make-rslave --rbind /${var_src} ${var_dst}'." do_log "emergency" "file_only" "4020() Command: [mount --make-rslave --rbind /${var_src} ${var_dst}] failed."
return "${ERR_CHRT_MOUNTS}" return "${ERR_CHRT_MOUNTS}"
fi fi
do_log "info" "file_only" "Success: 'mount --make-rslave --rbind /${var_src} ${var_dst}'." do_log "info" "file_only" "4020() Command: [mount --make-rslave --rbind /${var_src} ${var_dst}] successful."
done done
@@ -52,7 +52,10 @@ configure_system() {
return "${ERR_CHRT_MOUNTS}" return "${ERR_CHRT_MOUNTS}"
fi fi
do_log "info" "file_only" "Command: 'mkdir -p /etc/systemd/system/multi-user.target.wants' executed in: '${TARGET}'." do_log "info" "file_only" "4020() Command: [mkdir -p /etc/systemd/system/multi-user.target.wants] successful in: '${TARGET}'."
declare -gx VAR_CHROOT_ACTIVATED="system"
return 0 return 0
} }
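Review bot: `declare -gx VAR_CHROOT_ACTIVATED="system"` is only reached after the final mkdir succeeds, but the `mount --make-rslave --rbind` mounts under `${TARGET}` are already in place from the loop in the first hunk; if the mkdir fails and the function returns `ERR_CHRT_MOUNTS`, the flag is still `false`, so clean_up never calls exiting_chroot_system and the bind mounts stay attached under the target. Setting the flag as soon as the first mount has succeeded — `VAR_CHROOT_ACTIVATED="system"` right after the `fi` of the mount check inside the loop — makes the teardown cover every failure path after that point. The variable is already declared `-gx` in the globals file in this commit, so a plain assignment is enough here. configure_system begins before these hunks.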
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -28,7 +28,7 @@ guard_sourcing
write_fstab() { write_fstab() {
declare _uuid="$1" _path="$2" _fs="$3" _opts="$4" _pass="$5" declare _uuid="$1" _path="$2" _fs="$3" _opts="$4" _pass="$5"
printf "UUID=%s %s %s %s 0 %s\n" "${_uuid}" "${_path}" "${_fs}" "${_opts}" "${_pass}" >> "${TARGET}/etc/fstab" printf "UUID=%s %s %s %s 0 %s\n" "${_uuid}" "${_path}" "${_fs}" "${_opts}" "${_pass}" >> "${TARGET}/etc/fstab"
do_log "info" "file_only" "fstab entry generated: 'UUID=${_uuid} ${_path} ${_fs} ${_opts} 0 ${_pass}'." do_log "info" "file_only" "4040() fstab entry generated: [UUID=${_uuid} ${_path} ${_fs} ${_opts} 0 ${_pass}]."
return 0 return 0
} }
@@ -52,18 +52,30 @@ generate_fstab() {
chmod 0600 "${TARGET}/etc/fstab" chmod 0600 "${TARGET}/etc/fstab"
cat << 'EOF' >> "${TARGET}/etc/fstab" cat << 'EOF' >> "${TARGET}/etc/fstab"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# /etc/fstab: static file system information. # /etc/fstab: static file system information.
# #
# Use 'blkid' to print the universally unique identifier for a # Use 'blkid' to print the universally unique identifier for a device; this may be used with [UUID=] as a more robust way to
# device; this may be used with UUID= as a more robust way to name devices # name devices that work even if disks are added and removed. See fstab(5).
# that works even if disks are added and removed. See fstab(5).
# #
# systemd generates mount units based on this file, see systemd.mount(5). # 'systemd' generates mount units based on this file. See systemd.mount(5). Please run 'systemctl daemon-reload' after making
# Please run 'systemctl daemon-reload' after making changes here. # changes here.
# #
# <file system> <mount point> <type> <options> <dump> <pass> # <file system> <mount point> <type> <options> <dump> <pass>
# Secure tmpfs mounts for a hardened system
### Secure tmpfs mounts for a hardened system
# Mount the proc filesystem to provide process and kernel information # Mount the proc filesystem to provide process and kernel information
proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0 proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0
# Mount sysfs to expose kernel device information to user space # Mount sysfs to expose kernel device information to user space
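Review bot: The generated `proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0` line carries no comment on its side effect: `hidepid=2` also hides foreign processes from unprivileged system accounts, so daemons that inspect /proc typically need a `gid=` exemption group or per-service adjustments, and an unattended install can come up with services in a degraded state. A comment on the line above it such as `# hidepid=2 hides other users' PIDs from unprivileged accounts; add gid=<exempt-group> if a daemon must see them` tells the operator where to look. The heading above that line says "Secure tmpfs mounts" although /proc is procfs; `### Secure pseudo-filesystem and tmpfs mounts for a hardened system` would match the entries that follow. generate_fstab starts before this hunk.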


@@ -27,7 +27,7 @@ guard_sourcing
write_crypttab() { write_crypttab() {
declare _label="$1" _device="$2" _key_file="$3" _opts="$4" declare _label="$1" _device="$2" _key_file="$3" _opts="$4"
printf "%s %s %s %s\n" "${_label}" "${_device}" "${_key_file}" "${_opts}" >> "${TARGET}/etc/crypttab" printf "%s %s %s %s\n" "${_label}" "${_device}" "${_key_file}" "${_opts}" >> "${TARGET}/etc/crypttab"
do_log "info" "file_only" "crypttab entry generated: '${_label} ${_device} ${_key_file} ${_opts}'." do_log "info" "file_only" "4060() crypttab entry generated: [${_label} ${_device} ${_key_file} ${_opts}]."
return 0 return 0
} }
@@ -55,17 +55,27 @@ generate_crypttab() {
chmod 0600 "${TARGET}/etc/crypttab" chmod 0600 "${TARGET}/etc/crypttab"
cat << 'EOF' >> "${TARGET}/etc/crypttab" cat << 'EOF' >> "${TARGET}/etc/crypttab"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# /etc/crypttab: static file system information. # /etc/crypttab: static file system information.
# #
# Basic rule: 'discard' / 'nodiscard' are normally only set in '/etc/crypttab' when LUKS/dm-crypt is in use. # Basic rule: 'discard' / 'nodiscard' are normally only set in '/etc/crypttab' when LUKS/dm-crypt is in use. Options like
# Options like 'discard=async' or similar are typically only set in '/etc/fstab' (at the file system level). # 'discard=async' or similar are typically only set in '/etc/fstab' (at the file system level). The crypttab determines whether
# The crypttab determines whether the underlying encrypted device (LUKS/dm-crypt) passes TRIM commands to the # the underlying encrypted device (LUKS/dm-crypt) passes TRIM commands to the physical drive or not. The '/etc/fstab' determines
# physical drive or not. The fstab determines whether and how the file system itself generates the discard # whether and how the file system itself generates the discard operations and sends them down through the LUKS layer.
# operations and sends them down through the LUKS layer.
# #
# RECOMMENDED: 'discard' enables the TRIM commands to be forwarded by the dm-crypt layer to the SSD/physical # RECOMMENDED: 'discard' enables the TRIM commands to be forwarded by the dm-crypt layer to the SSD/physical device. If ones do
# device. If you do not specify discard in the crypttab, dm-crypt blocks TRIM by default. This would render a # not specify discard in the '/etc/crypttab', dm-crypt blocks TRIM by default. This would render a discard in the '/etc/fstab'
# discard in the fstab ineffective. # ineffective.
# #
# <name> <device> <password-file-or-none> <options> # <name> <device> <password-file-or-none> <options>
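Review bot: The `RECOMMENDED: 'discard'` paragraph in the generated crypttab header states the benefit only; forwarding TRIM through dm-crypt is the documented trade-off behind cryptsetup's `--allow-discards`, because it reveals which sectors of the encrypted device are unused and thus the file-system layout and free-space pattern to anyone who reads the raw disk. One sentence after the recommendation — `# Trade-off: forwarding TRIM exposes the free-space pattern of the encrypted device on the raw disk; omit 'discard' where that matters more than SSD wear and performance.` — keeps the file self-explaining for the operator who later edits it. generate_crypttab starts before this hunk.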


@@ -21,7 +21,7 @@ guard_sourcing
# Returns: # Returns:
# 0: on success # 0: on success
####################################### #######################################
exiting_chroot() { exiting_chroot_system() {
umount -lf "${TARGET}/proc" umount -lf "${TARGET}/proc"
do_log "info" "file_only" "'umount -lf ${TARGET}/proc'." do_log "info" "file_only" "'umount -lf ${TARGET}/proc'."
umount -lf "${TARGET}/sys" umount -lf "${TARGET}/sys"
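Review bot: The main sequence in the first file of this commit still calls `exiting_chroot` (the unchanged `exiting_chroot` line after `MAIN PROGRAM SEQUENCE: exiting_chroot()`), so after this rename that call resolves to nothing unless another definition of exiting_chroot exists outside the diff; the shell would report `command not found` (status 127) and, with the ERR/EXIT trapping used elsewhere in this commit, the run aborts just before the remaining hardening steps. Either rename the caller to `exiting_chroot_system` in the same commit or keep a one-line compatibility shim `exiting_chroot() { exiting_chroot_system; }` next to the header comment. The function body continues past this hunk.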


@@ -217,5 +217,6 @@ trap_err() {
esac esac
print_file_err print_file_err
print_scr_err print_scr_err
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -131,12 +131,16 @@ trap_exit_non_zero() {
declare -r var_cmmd="$5" declare -r var_cmmd="$5"
if [[ "${ERRTRAP}" == "false" ]]; then if [[ "${ERRTRAP}" == "false" ]]; then
if [[ "${VAR_DEBUG_TRACE}" == "true" || "${VAR_DEBUG_TRAP}" == "true" ]]; then dump_vars_exiting; fi if [[ "${VAR_DEBUG_TRACE}" == "true" || "${VAR_DEBUG_TRAP}" == "true" ]]; then dump_vars_exiting; fi
case "${VAR_IN_DIALOG_WR}" in case "${VAR_IN_DIALOG_WR}" in
box ) dialog_box_cleaner ;; box ) dialog_box_cleaner ;;
gauge ) dialog_gauge_cleaner ;; gauge ) dialog_gauge_cleaner ;;
esac esac
clean_up "${var_code}" clean_up "${var_code}"
printf "%b❌ Trap on 'EXIT' : CISS.debian.installer Script failed. %b%b" "${RED}" "${RES}" "${NL}" | tee -a "${LOG_EXT}" printf "%b❌ Trap on 'EXIT' : CISS.debian.installer Script failed. %b%b" "${RED}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
printf "%b❌ : This was most probably caused by an unbound variable. %b%b" "${RED}" "${RES}" "${NL}" | tee -a "${LOG_EXT}" printf "%b❌ : This was most probably caused by an unbound variable. %b%b" "${RED}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
printf "%b❌ GIT Commit : %s %b%b" "${RED}" "${VAR_GIT_REL}" "${RES}" "${NL}" | tee -a "${LOG_EXT}" printf "%b❌ GIT Commit : %s %b%b" "${RED}" "${VAR_GIT_REL}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"


@@ -27,17 +27,28 @@ guard_sourcing
####################################### #######################################
clean_up() { clean_up() {
declare var_clean_exit_code="$1" declare var_clean_exit_code="$1"
rm -f -- "${VAR_KERNEL_INF}" rm -f -- "${VAR_KERNEL_INF}"
rm -f -- "${VAR_KERNEL_SRT}" rm -f -- "${VAR_KERNEL_SRT}"
rm -f -- "${VAR_KERNEL_TMP}" rm -f -- "${VAR_KERNEL_TMP}"
rm -f -- "${VAR_NOTES}" rm -f -- "${VAR_NOTES}"
if [[ "${VAR_CHROOT_ACTIVATED}" == "system" ]]; then
exiting_chroot_system
elif [[ "${VAR_CHROOT_ACTIVATED}" == "recovery" ]]; then
exiting_chroot_recovery
fi
### Release advisory lock on FD 127. ### Release advisory lock on FD 127.
flock -u 127 flock -u 127
### Close file descriptor 127. ### Close file descriptor 127.
exec 127>&- exec 127>&-
### Remove the lockfile artifact. ### Remove the lockfile artifact.
rm -f /run/lock/ciss_debian_installer.lock rm -f /run/lock/ciss_debian_installer.lock
if (( var_clean_exit_code == 0 )); then rm -f -- "${LOG_ERR}"; fi if (( var_clean_exit_code == 0 )); then rm -f -- "${LOG_ERR}"; fi
return 0 return 0
} }
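Review bot: The new chroot teardown leaves `VAR_CHROOT_ACTIVATED` at `system` or `recovery` after the exit function has run, so a second pass through clean_up (an explicit call followed by the EXIT-trap call seen in trap_exit_non_zero) repeats the lazy unmounts, and if one of them then fails the flock release and lockfile removal below may be skipped depending on the shell options in force inside the trap. Resetting the flag immediately after the teardown closes that gap, and dispatching with a `case` mirrors the `VAR_IN_DIALOG_WR` handling in trap_exit_non_zero. `exiting_chroot_recovery` is not defined anywhere in this commit, so it is assumed to live in another file.
```shell
  rm -f -- "${VAR_NOTES}"
  case "${VAR_CHROOT_ACTIVATED}" in
    system   ) exiting_chroot_system ;;
    recovery ) exiting_chroot_recovery ;;
  esac
  VAR_CHROOT_ACTIVATED="false"
  # … unchanged: flock release, lockfile removal, LOG_ERR handling …
```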
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -57,4 +57,7 @@ declare -gix VAR_PRIORITY=0
declare -gix VAR_REIONICE_CLASS=2 declare -gix VAR_REIONICE_CLASS=2
declare -gix VAR_REIONICE_PRIORITY=4 declare -gix VAR_REIONICE_PRIORITY=4
### CHROOT ACTIVATION 4020()
declare -gx VAR_CHROOT_ACTIVATED="false"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
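Review bot: `VAR_CHROOT_ACTIVATED` is a tri-state string (`false`, `system`, `recovery`, judging by configure_system and clean_up in this commit), but the comment above it carries only the function code. Spelling the contract out here, e.g. `### CHROOT ACTIVATION 4020(): "false" | "system" | "recovery"; set by the chroot entry functions, read by clean_up() to pick the teardown.`, saves the next reader a search across the lib files.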