V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-06 16:39:46 +01:00
parent 6785013692
commit 2e4e403b19
6 changed files with 127 additions and 21 deletions
--- a/func/cdi_1250_yaml/1251_yaml_reader.sh
+++ b/func/cdi_1250_yaml/1251_yaml_reader.sh
@@ -43,11 +43,13 @@ yaml_reader() {
  declare -gx VAR_RECIPE_STRING="" VAR_RECIPE_HIGHEST_DEVICE="" VAR_ARCHITECTURE="" VAR_RECIPE_FIRMWARE="" VAR_NUKE="" \
              VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false" VAR_CODENAME="" VAR_DROPBEAR="" VAR_RECOVERY="" \
              VAR_GRUB_PASSWORD="false" VAR_SSH_PORT="22" VAR_DEB822="true" VAR_PROVIDER="" VAR_SSH_CA="" VAR_UFW_OUT="deny" \
-              VAR_CHROOT_DEBUG="false" VAR_SEC_FW="selinux" VAR_APT_FULL_UPGRADE="true"
+              VAR_CHROOT_DEBUG="false" VAR_SEC_FW="selinux" VAR_APT_FULL_UPGRADE="true" VAR_LUKS_BACKUP="false" \
+              VAR_LUKS_URL=""
  ### Declare and substitute input files.
  declare -r  var_if="${VAR_PRESEED}"
  declare     var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \
-              recipe_firmware_var="" recipe_nuke_var="" recipe_nuke_rounds_var="" recipe_table_var="" recipe_recovery_var=""
+              recipe_firmware_var="" recipe_nuke_var="" recipe_nuke_rounds_var="" recipe_table_var="" recipe_recovery_var="" \
+              recipe_luks_var="" recipe_luks_url=""

  ### Read "${var_if}" line by line.
  while IFS= read -r var_line; do
@@ -183,6 +185,14 @@ END { print max }
  recipe_firmware_var="recipe_${VAR_RECIPE_STRING}_control_firmware"
  VAR_RECIPE_FIRMWARE="${!recipe_firmware_var,,}"

+  ### Extract the chosen LUKS Backup strategy.
+  recipe_luks_var="recipe_${VAR_RECIPE_STRING}_control_luks_backup"
+  # shellcheck disable=SC2034
+  VAR_LUKS_BACKUP="${!recipe_luks_var,,}"
+  recipe_luks_url="recipe_${VAR_RECIPE_STRING}_control_luks_backup_url"
+  # shellcheck disable=SC2034
+  VAR_LUKS_URL="${!recipe_luks_url,,}"
+
  ### Extract the chosen Nuke mechanism.
  recipe_nuke_var="recipe_${VAR_RECIPE_STRING}_control_nuke"
  # shellcheck disable=SC2034
--- a/func/cdi_3200_partitioning/3220_partition_encryption.sh
+++ b/func/cdi_3200_partitioning/3220_partition_encryption.sh
@@ -10,8 +10,6 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-# TODO: LUKS Header Cloud Backup
-
 guard_sourcing

 #######################################
@@ -27,14 +25,19 @@ guard_sourcing
 #   HMP_PATH_ENCLABEL
 #   HMP_PATH_FSUUID
 #   HMP_PATH_LUKSUUID
+#   VAR_CRYPT_BOOT
 #   VAR_CRYPT_RECOVERY
 #   VAR_CRYPT_ROOT
+#   VAR_FINAL_FQDN
 #   VAR_ITER_TIME
 #   VAR_KDF_ITERATIONS
 #   VAR_KDF_MEMORY
 #   VAR_KDF_THREADS
+#   VAR_LUKS_BACKUP
+#   VAR_LUKS_URL
 #   VAR_RECIPE_STRING
 #   VAR_SETUP_PART
+#   VAR_TEMP_PLAIN_NC_AUTH
 # Arguments:
 #   None
 # Returns:
@@ -42,8 +45,8 @@ guard_sourcing
 #######################################
 partition_encryption() {
  ### Declare Arrays, HashMaps, and Variables.
-  declare -Ag HMP_PATH_LUKSUUID      # Used in: 3290() - [Mount Path:LUKS UUID].
-                                     # Used in: 4210() - [Mount Path:LUKS UUID].
+  declare -Ag HMP_PATH_LUKSUUID # Used in: 3290() - [Mount Path:LUKS UUID].
+      # Used in: 4210() - [Mount Path:LUKS UUID].
  declare -Ag HMP_PATH_FSUUID        # Used in: 3240() - [Mount Path:Filesystem UUID].
                                     # Used in: 3290() - [Mount Path:Filesystem UUID].
                                     # Used in: 4200() - [Mount Path:Filesystem UUID].
@@ -60,10 +63,18 @@ partition_encryption() {
              var_encryption_ephemeral="" var_encryption_integrity="" var_encryption_cipher="" var_encryption_hash="" \
              var_encryption_key="" var_encryption_label="" var_encryption_meta="" var_encryption_slot="" \
              var_encryption_pbkdf="" var_encryption_rng="" var_filesystem_label="" var_mount_path="" var_uuid="" var_fs="" \
-              var_fs_uuid=""
+              var_fs_uuid="" var_luks_backup_file="" var_luks_backup_name=""

  declare -a  ary_luks_opts=()

+  if [[ -n "${VAR_LUKS_URL}" ]]; then
+
+    VAR_LUKS_URL=${VAR_LUKS_URL%/}
+    read_luks_backup_token
+    do_log "debug" "file_only" "3220() Command: [read_luks_backup_token]"
+
+  fi
+
  for var_encryption_path in "${ARY_CRYPT_MOUNT_PATHS[@]}"; do

    ### Initialize Arrays and Variables
@@ -174,10 +185,37 @@ partition_encryption() {

    fi

-    cryptsetup luksHeaderBackup --header-backup-file="${DIR_BAK}/luks_header_${var_dev}.bak" "/dev/${var_dev}"
-    do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}.bak'."
+    if [[ "${VAR_LUKS_BACKUP}" == "true" ]]; then

-    ### Opening encrypted container.
+      var_luks_backup_file="${DIR_BAK}/luks_header_${var_dev}.bak"
+      var_luks_backup_name="${VAR_FINAL_FQDN}_luks_header_${var_dev}.bak"
+      cryptsetup luksHeaderBackup --header-backup-file="${var_luks_backup_file}" "/dev/${var_dev}"
+      do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header saved: '${var_luks_backup_file}'."
+
+      if [[ -n "${VAR_LUKS_URL}" ]]; then
+
+        guard_trace on
+
+        if curl --retry 2 "${VAR_LUKS_URL}/public.php/webdav/${var_luks_backup_name}" \
+          --upload-file "${var_luks_backup_file}" --user "${VAR_TEMP_PLAIN_NC_AUTH}" > /dev/null 2>&1; then
+
+          do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' successful."
+
+        else
+
+          do_log "warn" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' failed."
+
+        fi
+
+        guard_trace off
+
+        rm -f "${var_luks_backup_file}"
+
+      fi
+
+    fi
+
+    ### Opening the encrypted container.
    if [[ "${var_encryption_path,,}" == "/boot" ]]; then
      cryptsetup luksOpen "/dev/${var_dev}" \
        --key-file="${DIR_CNF}/password_luks_boot.txt" \
@@ -207,9 +245,43 @@ partition_encryption() {

  done

+  [[ -n "${VAR_LUKS_URL}" ]] && unset VAR_TEMP_PLAIN_NC_AUTH
+
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f partition_encryption
+
+#######################################
+# Reads the Nextcloud auth token from '${DIR_CNF}/password_luks_backup.txt' into VAR_TEMP_PLAIN_NC_AUTH
+# Globals:
+#   DIR_CNF
+#   VAR_TEMP_PLAIN_NC_AUTH
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   ERR_READ_AUTH_FILE: on failure
+#######################################
+read_luks_backup_token(){
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r var_luks_backup_auth="${DIR_CNF}/password_luks_backup.txt"
+  declare -g VAR_TEMP_PLAIN_NC_AUTH=""
+
+  guard_trace on
+
+  if ! read_password_file "${var_luks_backup_auth}" VAR_TEMP_PLAIN_NC_AUTH; then
+
+    return "${ERR_READ_AUTH_FILE}"
+
+  fi
+
+  guard_trace off
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f read_luks_backup_token
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4300_network/4330_installation_ssh.sh
+++ b/func/cdi_4300_network/4330_installation_ssh.sh
@@ -53,10 +53,28 @@ installation_ssh() {

  rm -rf "${TARGET}"/etc/ssh/ssh_host_*key*

-  # shellcheck disable=SC2312
-  chroot_exec "${TARGET}" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
-  # shellcheck disable=SC2312
-  chroot_exec "${TARGET}" ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
+  if [[ -f "${TARGET}/etc/dropbear/initramfs/dropbear_ed25519_host_key" ]]; then
+
+    chroot_script "${TARGET}" "
+      dropbearconvert dropbear openssh /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key"
+
+    chroot_script "${TARGET}" "
+      dropbearconvert dropbear openssh /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key"
+
+    chroot_script "${TARGET}" "
+      dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key.pub"
+
+    chroot_script "${TARGET}" "
+      dropbearkey -y -f /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key.pub"
+
+  else
+
+    # shellcheck disable=SC2312
+    chroot_exec "${TARGET}" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
+    # shellcheck disable=SC2312
+    chroot_exec "${TARGET}" ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
+
+  fi

  mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/ssh"
  cp "${TARGET}/etc/ssh/sshd_config" "${TARGET}/root/.ciss/cdi/backup/etc/ssh/sshd_config.bak"