V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m19s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m19s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -33,8 +33,9 @@ recipe:
|
||||
threads: 1 # Set the parallel cost for PBKDF (number of threads, up to 4).
|
||||
time: 256 # The number of milliseconds to spend with PBKDF passphrase processing.
|
||||
luks_backup: true # Specify if LUKS Header backups should be created. If so, provide an external backup URL:
|
||||
# luks_backup_url: "https://cloud.e2ee.li/"
|
||||
# luks_backup_url: "https://cloud.e2ee.li/" or leave empty for local backup.
|
||||
# Also provide the cloud access token and access passwords via ./.preseed/password_luks_backup.txt
|
||||
# Yet Nextcloud only is supported.
|
||||
luks_backup_url: "https://cloud.e2ee.li/"
|
||||
name: "ciss.2025.gpt.btrfs.ephemeral.non-raid.256GiB.rescue"
|
||||
nuke: true # Activates Nuke-Mechanism in '/etc/crypttab' keyscript and via dropbear SSH forced command.
|
||||
@@ -50,7 +51,7 @@ recipe:
|
||||
table: "gpt" # MUST be "gpt" for "UEFI" || "msdos":
|
||||
syntax: true # This is set to "false" by default, otherwise if the recipe is tested by the authors to "true".
|
||||
### Version of the specific recipe.
|
||||
version: "1.2.0"
|
||||
version: "1.3.0"
|
||||
dev:
|
||||
sda:
|
||||
1: # MUST be always 'ESP' for [UEFI|GPT] or 'BIOS' for [BIOS|GPT].
|
||||
|
||||
@@ -43,11 +43,13 @@ yaml_reader() {
|
||||
declare -gx VAR_RECIPE_STRING="" VAR_RECIPE_HIGHEST_DEVICE="" VAR_ARCHITECTURE="" VAR_RECIPE_FIRMWARE="" VAR_NUKE="" \
|
||||
VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false" VAR_CODENAME="" VAR_DROPBEAR="" VAR_RECOVERY="" \
|
||||
VAR_GRUB_PASSWORD="false" VAR_SSH_PORT="22" VAR_DEB822="true" VAR_PROVIDER="" VAR_SSH_CA="" VAR_UFW_OUT="deny" \
|
||||
VAR_CHROOT_DEBUG="false" VAR_SEC_FW="selinux" VAR_APT_FULL_UPGRADE="true"
|
||||
VAR_CHROOT_DEBUG="false" VAR_SEC_FW="selinux" VAR_APT_FULL_UPGRADE="true" VAR_LUKS_BACKUP="false" \
|
||||
VAR_LUKS_URL=""
|
||||
### Declare and substitute input files.
|
||||
declare -r var_if="${VAR_PRESEED}"
|
||||
declare var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \
|
||||
recipe_firmware_var="" recipe_nuke_var="" recipe_nuke_rounds_var="" recipe_table_var="" recipe_recovery_var=""
|
||||
recipe_firmware_var="" recipe_nuke_var="" recipe_nuke_rounds_var="" recipe_table_var="" recipe_recovery_var="" \
|
||||
recipe_luks_var="" recipe_luks_url=""
|
||||
|
||||
### Read "${var_if}" line by line.
|
||||
while IFS= read -r var_line; do
|
||||
@@ -183,6 +185,14 @@ END { print max }
|
||||
recipe_firmware_var="recipe_${VAR_RECIPE_STRING}_control_firmware"
|
||||
VAR_RECIPE_FIRMWARE="${!recipe_firmware_var,,}"
|
||||
|
||||
### Extract the chosen LUKS Backup strategy.
|
||||
recipe_luks_var="recipe_${VAR_RECIPE_STRING}_control_luks_backup"
|
||||
# shellcheck disable=SC2034
|
||||
VAR_LUKS_BACKUP="${!recipe_luks_var,,}"
|
||||
recipe_luks_url="recipe_${VAR_RECIPE_STRING}_control_luks_backup_url"
|
||||
# shellcheck disable=SC2034
|
||||
VAR_LUKS_URL="${!recipe_luks_url,,}"
|
||||
|
||||
### Extract the chosen Nuke mechanism.
|
||||
recipe_nuke_var="recipe_${VAR_RECIPE_STRING}_control_nuke"
|
||||
# shellcheck disable=SC2034
|
||||
|
||||
@@ -10,8 +10,6 @@
|
||||
# SPDX-PackageName: CISS.debian.installer
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
|
||||
# TODO: LUKS Header Cloud Backup
|
||||
|
||||
guard_sourcing
|
||||
|
||||
#######################################
|
||||
@@ -27,14 +25,19 @@ guard_sourcing
|
||||
# HMP_PATH_ENCLABEL
|
||||
# HMP_PATH_FSUUID
|
||||
# HMP_PATH_LUKSUUID
|
||||
# VAR_CRYPT_BOOT
|
||||
# VAR_CRYPT_RECOVERY
|
||||
# VAR_CRYPT_ROOT
|
||||
# VAR_FINAL_FQDN
|
||||
# VAR_ITER_TIME
|
||||
# VAR_KDF_ITERATIONS
|
||||
# VAR_KDF_MEMORY
|
||||
# VAR_KDF_THREADS
|
||||
# VAR_LUKS_BACKUP
|
||||
# VAR_LUKS_URL
|
||||
# VAR_RECIPE_STRING
|
||||
# VAR_SETUP_PART
|
||||
# VAR_TEMP_PLAIN_NC_AUTH
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
@@ -60,10 +63,18 @@ partition_encryption() {
|
||||
var_encryption_ephemeral="" var_encryption_integrity="" var_encryption_cipher="" var_encryption_hash="" \
|
||||
var_encryption_key="" var_encryption_label="" var_encryption_meta="" var_encryption_slot="" \
|
||||
var_encryption_pbkdf="" var_encryption_rng="" var_filesystem_label="" var_mount_path="" var_uuid="" var_fs="" \
|
||||
var_fs_uuid=""
|
||||
var_fs_uuid="" var_luks_backup_file="" var_luks_backup_name=""
|
||||
|
||||
declare -a ary_luks_opts=()
|
||||
|
||||
if [[ -n "${VAR_LUKS_URL}" ]]; then
|
||||
|
||||
VAR_LUKS_URL=${VAR_LUKS_URL%/}
|
||||
read_luks_backup_token
|
||||
do_log "debug" "file_only" "3220() Command: [read_luks_backup_token]"
|
||||
|
||||
fi
|
||||
|
||||
for var_encryption_path in "${ARY_CRYPT_MOUNT_PATHS[@]}"; do
|
||||
|
||||
### Initialize Arrays and Variables
|
||||
@@ -174,10 +185,37 @@ partition_encryption() {
|
||||
|
||||
fi
|
||||
|
||||
cryptsetup luksHeaderBackup --header-backup-file="${DIR_BAK}/luks_header_${var_dev}.bak" "/dev/${var_dev}"
|
||||
do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}.bak'."
|
||||
if [[ "${VAR_LUKS_BACKUP}" == "true" ]]; then
|
||||
|
||||
### Opening encrypted container.
|
||||
var_luks_backup_file="${DIR_BAK}/luks_header_${var_dev}.bak"
|
||||
var_luks_backup_name="${VAR_FINAL_FQDN}_luks_header_${var_dev}.bak"
|
||||
cryptsetup luksHeaderBackup --header-backup-file="${var_luks_backup_file}" "/dev/${var_dev}"
|
||||
do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header saved: '${var_luks_backup_file}'."
|
||||
|
||||
if [[ -n "${VAR_LUKS_URL}" ]]; then
|
||||
|
||||
guard_trace on
|
||||
|
||||
if curl --retry 2 "${VAR_LUKS_URL}/public.php/webdav/${var_luks_backup_name}" \
|
||||
--upload-file "${var_luks_backup_file}" --user "${VAR_TEMP_PLAIN_NC_AUTH}" > /dev/null 2>&1; then
|
||||
|
||||
do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' successful."
|
||||
|
||||
else
|
||||
|
||||
do_log "warn" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' failed."
|
||||
|
||||
fi
|
||||
|
||||
guard_trace off
|
||||
|
||||
rm -f "${var_luks_backup_file}"
|
||||
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
### Opening the encrypted container.
|
||||
if [[ "${var_encryption_path,,}" == "/boot" ]]; then
|
||||
cryptsetup luksOpen "/dev/${var_dev}" \
|
||||
--key-file="${DIR_CNF}/password_luks_boot.txt" \
|
||||
@@ -207,9 +245,43 @@ partition_encryption() {
|
||||
|
||||
done
|
||||
|
||||
[[ -n "${VAR_LUKS_URL}" ]] && unset VAR_TEMP_PLAIN_NC_AUTH
|
||||
|
||||
guard_dir && return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
# shellcheck disable=SC2034
|
||||
readonly -f partition_encryption
|
||||
|
||||
#######################################
|
||||
# Reads the Nextcloud auth token from '${DIR_CNF}/password_luks_backup.txt' into VAR_TEMP_PLAIN_NC_AUTH
|
||||
# Globals:
|
||||
# DIR_CNF
|
||||
# VAR_TEMP_PLAIN_NC_AUTH
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# 0: on success
|
||||
# ERR_READ_AUTH_FILE: on failure
|
||||
#######################################
|
||||
read_luks_backup_token(){
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare -r var_luks_backup_auth="${DIR_CNF}/password_luks_backup.txt"
|
||||
declare -g VAR_TEMP_PLAIN_NC_AUTH=""
|
||||
|
||||
guard_trace on
|
||||
|
||||
if ! read_password_file "${var_luks_backup_auth}" VAR_TEMP_PLAIN_NC_AUTH; then
|
||||
|
||||
return "${ERR_READ_AUTH_FILE}"
|
||||
|
||||
fi
|
||||
|
||||
guard_trace off
|
||||
|
||||
return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
# shellcheck disable=SC2034
|
||||
readonly -f read_luks_backup_token
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||
|
||||
@@ -53,11 +53,29 @@ installation_ssh() {
|
||||
|
||||
rm -rf "${TARGET}"/etc/ssh/ssh_host_*key*
|
||||
|
||||
if [[ -f "${TARGET}/etc/dropbear/initramfs/dropbear_ed25519_host_key" ]]; then
|
||||
|
||||
chroot_script "${TARGET}" "
|
||||
dropbearconvert dropbear openssh /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key"
|
||||
|
||||
chroot_script "${TARGET}" "
|
||||
dropbearconvert dropbear openssh /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key"
|
||||
|
||||
chroot_script "${TARGET}" "
|
||||
dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key.pub"
|
||||
|
||||
chroot_script "${TARGET}" "
|
||||
dropbearkey -y -f /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key.pub"
|
||||
|
||||
else
|
||||
|
||||
# shellcheck disable=SC2312
|
||||
chroot_exec "${TARGET}" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
|
||||
# shellcheck disable=SC2312
|
||||
chroot_exec "${TARGET}" ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
|
||||
|
||||
fi
|
||||
|
||||
mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/ssh"
|
||||
cp "${TARGET}/etc/ssh/sshd_config" "${TARGET}/root/.ciss/cdi/backup/etc/ssh/sshd_config.bak"
|
||||
cp "${TARGET}/etc/ssh/ssh_config" "${TARGET}/root/.ciss/cdi/backup/etc/ssh/ssh_config.bak"
|
||||
|
||||
@@ -13,15 +13,14 @@
|
||||
guard_sourcing
|
||||
|
||||
#######################################
|
||||
# Generates salt.
|
||||
# Generates a 16-byte salt.
|
||||
# Globals:
|
||||
# ERR_GENERATE_SALT
|
||||
# NL
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# 0: on success
|
||||
# ERR_GENERATE_SALT
|
||||
# ERR_GENERATE_SALT: on failure
|
||||
#######################################
|
||||
generate_salt() {
|
||||
declare var_salt=""
|
||||
@@ -38,18 +37,20 @@ generate_salt() {
|
||||
|
||||
return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
# shellcheck disable=SC2034
|
||||
readonly -f generate_salt
|
||||
|
||||
#######################################
|
||||
# Reads and validates a secure one-line password file.
|
||||
# Globals:
|
||||
# ERR_READ_PASS_FILE
|
||||
# VAR_DEBUG_TRACE
|
||||
# Arguments:
|
||||
# 1: Path to password file
|
||||
# 2: Name of target variable (via nameref)
|
||||
# Returns:
|
||||
# 0: on success
|
||||
# ERR_READ_PASS_FILE
|
||||
# ERR_READ_PASS_FILE: on failure
|
||||
#######################################
|
||||
read_password_file() {
|
||||
declare -r var_input_file="${1}"
|
||||
@@ -106,4 +107,7 @@ read_password_file() {
|
||||
|
||||
return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
# shellcheck disable=SC2034
|
||||
readonly -f read_password_file
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||
|
||||
@@ -57,6 +57,7 @@ declare -girx ERR_CHROOT_LOGGER=216 # An error occurred while preparing the
|
||||
declare -girx ERR_READ_SEED_FILE=215 # Error reading the mfa TOTP seed file.
|
||||
declare -girx ERR_VERIFY_VISUDO=214 # Error verification by 'visudo'.
|
||||
declare -girx ERR_VERIFY_LOGROTATE=213 # Error verification by 'logrotate'.
|
||||
declare -girx ERR_READ_AUTH_FILE=212 # Error reading the Luks Backup auth token file.
|
||||
|
||||
### Definition of error trap vars.
|
||||
declare -gx ERRCODE="" # = $? = $1 = ERRCODE
|
||||
|
||||
Reference in New Issue
Block a user