msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m19s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-06 16:39:46 +01:00
parent 6785013692
commit 2e4e403b19
6 changed files with 127 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
.preseed/partitioning.yaml
View File

@@ -33,8 +33,9 @@ recipe:
threads: 1 # Set the parallel cost for PBKDF (number of threads, up to 4). threads: 1 # Set the parallel cost for PBKDF (number of threads, up to 4).
time: 256 # The number of milliseconds to spend with PBKDF passphrase processing. time: 256 # The number of milliseconds to spend with PBKDF passphrase processing.
luks_backup: true # Specify if LUKS Header backups should be created. If so, provide an external backup URL: luks_backup: true # Specify if LUKS Header backups should be created. If so, provide an external backup URL:
# luks_backup_url: "https://cloud.e2ee.li/" # luks_backup_url: "https://cloud.e2ee.li/" or leave empty for local backup.
# Also provide the cloud access token and access passwords via ./.preseed/password_luks_backup.txt # Also provide the cloud access token and access passwords via ./.preseed/password_luks_backup.txt
# Yet Nextcloud only is supported.
luks_backup_url: "https://cloud.e2ee.li/" luks_backup_url: "https://cloud.e2ee.li/"
name: "ciss.2025.gpt.btrfs.ephemeral.non-raid.256GiB.rescue" name: "ciss.2025.gpt.btrfs.ephemeral.non-raid.256GiB.rescue"
nuke: true # Activates Nuke-Mechanism in '/etc/crypttab' keyscript and via dropbear SSH forced command. nuke: true # Activates Nuke-Mechanism in '/etc/crypttab' keyscript and via dropbear SSH forced command.
@@ -50,7 +51,7 @@ recipe:
table: "gpt" # MUST be "gpt" for "UEFI" || "msdos": table: "gpt" # MUST be "gpt" for "UEFI" || "msdos":
syntax: true # This is set to "false" by default, otherwise if the recipe is tested by the authors to "true". syntax: true # This is set to "false" by default, otherwise if the recipe is tested by the authors to "true".
### Version of the specific recipe. ### Version of the specific recipe.
version: "1.2.0" version: "1.3.0"
dev: dev:
sda: sda:
1: # MUST be always 'ESP' for [UEFI|GPT] or 'BIOS' for [BIOS|GPT]. 1: # MUST be always 'ESP' for [UEFI|GPT] or 'BIOS' for [BIOS|GPT].

14
func/cdi_1250_yaml/1251_yaml_reader.sh
View File

@@ -43,11 +43,13 @@ yaml_reader() {
declare -gx VAR_RECIPE_STRING="" VAR_RECIPE_HIGHEST_DEVICE="" VAR_ARCHITECTURE="" VAR_RECIPE_FIRMWARE="" VAR_NUKE="" \ declare -gx VAR_RECIPE_STRING="" VAR_RECIPE_HIGHEST_DEVICE="" VAR_ARCHITECTURE="" VAR_RECIPE_FIRMWARE="" VAR_NUKE="" \
VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false" VAR_CODENAME="" VAR_DROPBEAR="" VAR_RECOVERY="" \ VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false" VAR_CODENAME="" VAR_DROPBEAR="" VAR_RECOVERY="" \
VAR_GRUB_PASSWORD="false" VAR_SSH_PORT="22" VAR_DEB822="true" VAR_PROVIDER="" VAR_SSH_CA="" VAR_UFW_OUT="deny" \ VAR_GRUB_PASSWORD="false" VAR_SSH_PORT="22" VAR_DEB822="true" VAR_PROVIDER="" VAR_SSH_CA="" VAR_UFW_OUT="deny" \
VAR_CHROOT_DEBUG="false" VAR_SEC_FW="selinux" VAR_APT_FULL_UPGRADE="true" VAR_CHROOT_DEBUG="false" VAR_SEC_FW="selinux" VAR_APT_FULL_UPGRADE="true" VAR_LUKS_BACKUP="false" \
VAR_LUKS_URL=""
### Declare and substitute input files. ### Declare and substitute input files.
declare -r var_if="${VAR_PRESEED}" declare -r var_if="${VAR_PRESEED}"
declare var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \ declare var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \
recipe_firmware_var="" recipe_nuke_var="" recipe_nuke_rounds_var="" recipe_table_var="" recipe_recovery_var="" recipe_firmware_var="" recipe_nuke_var="" recipe_nuke_rounds_var="" recipe_table_var="" recipe_recovery_var="" \
recipe_luks_var="" recipe_luks_url=""
### Read "${var_if}" line by line. ### Read "${var_if}" line by line.
while IFS= read -r var_line; do while IFS= read -r var_line; do
@@ -183,6 +185,14 @@ END { print max }
recipe_firmware_var="recipe_${VAR_RECIPE_STRING}_control_firmware" recipe_firmware_var="recipe_${VAR_RECIPE_STRING}_control_firmware"
VAR_RECIPE_FIRMWARE="${!recipe_firmware_var,,}" VAR_RECIPE_FIRMWARE="${!recipe_firmware_var,,}"
### Extract the chosen LUKS Backup strategy.
recipe_luks_var="recipe_${VAR_RECIPE_STRING}_control_luks_backup"
# shellcheck disable=SC2034
VAR_LUKS_BACKUP="${!recipe_luks_var,,}"
recipe_luks_url="recipe_${VAR_RECIPE_STRING}_control_luks_backup_url"
# shellcheck disable=SC2034
VAR_LUKS_URL="${!recipe_luks_url,,}"
### Extract the chosen Nuke mechanism. ### Extract the chosen Nuke mechanism.
recipe_nuke_var="recipe_${VAR_RECIPE_STRING}_control_nuke" recipe_nuke_var="recipe_${VAR_RECIPE_STRING}_control_nuke"
# shellcheck disable=SC2034 # shellcheck disable=SC2034

84
func/cdi_3200_partitioning/3220_partition_encryption.sh
View File

@@ -10,8 +10,6 @@
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# TODO: LUKS Header Cloud Backup
guard_sourcing guard_sourcing
####################################### #######################################
@@ -27,14 +25,19 @@ guard_sourcing
# HMP_PATH_ENCLABEL # HMP_PATH_ENCLABEL
# HMP_PATH_FSUUID # HMP_PATH_FSUUID
# HMP_PATH_LUKSUUID # HMP_PATH_LUKSUUID
# VAR_CRYPT_BOOT
# VAR_CRYPT_RECOVERY # VAR_CRYPT_RECOVERY
# VAR_CRYPT_ROOT # VAR_CRYPT_ROOT
# VAR_FINAL_FQDN
# VAR_ITER_TIME # VAR_ITER_TIME
# VAR_KDF_ITERATIONS # VAR_KDF_ITERATIONS
# VAR_KDF_MEMORY # VAR_KDF_MEMORY
# VAR_KDF_THREADS # VAR_KDF_THREADS
# VAR_LUKS_BACKUP
# VAR_LUKS_URL
# VAR_RECIPE_STRING # VAR_RECIPE_STRING
# VAR_SETUP_PART # VAR_SETUP_PART
# VAR_TEMP_PLAIN_NC_AUTH
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
@@ -60,10 +63,18 @@ partition_encryption() {
var_encryption_ephemeral="" var_encryption_integrity="" var_encryption_cipher="" var_encryption_hash="" \ var_encryption_ephemeral="" var_encryption_integrity="" var_encryption_cipher="" var_encryption_hash="" \
var_encryption_key="" var_encryption_label="" var_encryption_meta="" var_encryption_slot="" \ var_encryption_key="" var_encryption_label="" var_encryption_meta="" var_encryption_slot="" \
var_encryption_pbkdf="" var_encryption_rng="" var_filesystem_label="" var_mount_path="" var_uuid="" var_fs="" \ var_encryption_pbkdf="" var_encryption_rng="" var_filesystem_label="" var_mount_path="" var_uuid="" var_fs="" \
var_fs_uuid="" var_fs_uuid="" var_luks_backup_file="" var_luks_backup_name=""
declare -a ary_luks_opts=() declare -a ary_luks_opts=()
if [[ -n "${VAR_LUKS_URL}" ]]; then
VAR_LUKS_URL=${VAR_LUKS_URL%/}
read_luks_backup_token
do_log "debug" "file_only" "3220() Command: [read_luks_backup_token]"
fi
for var_encryption_path in "${ARY_CRYPT_MOUNT_PATHS[@]}"; do for var_encryption_path in "${ARY_CRYPT_MOUNT_PATHS[@]}"; do
### Initialize Arrays and Variables ### Initialize Arrays and Variables
@@ -174,10 +185,37 @@ partition_encryption() {
fi fi
cryptsetup luksHeaderBackup --header-backup-file="${DIR_BAK}/luks_header_${var_dev}.bak" "/dev/${var_dev}" if [[ "${VAR_LUKS_BACKUP}" == "true" ]]; then
do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}.bak'."
### Opening encrypted container. var_luks_backup_file="${DIR_BAK}/luks_header_${var_dev}.bak"
var_luks_backup_name="${VAR_FINAL_FQDN}_luks_header_${var_dev}.bak"
cryptsetup luksHeaderBackup --header-backup-file="${var_luks_backup_file}" "/dev/${var_dev}"
do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header saved: '${var_luks_backup_file}'."
if [[ -n "${VAR_LUKS_URL}" ]]; then
guard_trace on
if curl --retry 2 "${VAR_LUKS_URL}/public.php/webdav/${var_luks_backup_name}" \
--upload-file "${var_luks_backup_file}" --user "${VAR_TEMP_PLAIN_NC_AUTH}" > /dev/null 2>&1; then
do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' successful."
else
do_log "warn" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' failed."
fi
guard_trace off
rm -f "${var_luks_backup_file}"
fi
fi
### Opening the encrypted container.
if [[ "${var_encryption_path,,}" == "/boot" ]]; then if [[ "${var_encryption_path,,}" == "/boot" ]]; then
cryptsetup luksOpen "/dev/${var_dev}" \ cryptsetup luksOpen "/dev/${var_dev}" \
--key-file="${DIR_CNF}/password_luks_boot.txt" \ --key-file="${DIR_CNF}/password_luks_boot.txt" \
@@ -207,9 +245,43 @@ partition_encryption() {
done done
[[ -n "${VAR_LUKS_URL}" ]] && unset VAR_TEMP_PLAIN_NC_AUTH
guard_dir && return 0 guard_dir && return 0
} }
### Prevents accidental 'unset -f'. ### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034 # shellcheck disable=SC2034
readonly -f partition_encryption readonly -f partition_encryption
#######################################
# Reads the Nextcloud auth token from '${DIR_CNF}/password_luks_backup.txt' into VAR_TEMP_PLAIN_NC_AUTH
# Globals:
# DIR_CNF
# VAR_TEMP_PLAIN_NC_AUTH
# Arguments:
# None
# Returns:
# 0: on success
# ERR_READ_AUTH_FILE: on failure
#######################################
read_luks_backup_token(){
### Declare Arrays, HashMaps, and Variables.
declare -r var_luks_backup_auth="${DIR_CNF}/password_luks_backup.txt"
declare -g VAR_TEMP_PLAIN_NC_AUTH=""
guard_trace on
if ! read_password_file "${var_luks_backup_auth}" VAR_TEMP_PLAIN_NC_AUTH; then
return "${ERR_READ_AUTH_FILE}"
fi
guard_trace off
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f read_luks_backup_token
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

18
func/cdi_4300_network/4330_installation_ssh.sh
View File

@@ -53,11 +53,29 @@ installation_ssh() {
rm -rf "${TARGET}"/etc/ssh/ssh_host_*key* rm -rf "${TARGET}"/etc/ssh/ssh_host_*key*
if [[ -f "${TARGET}/etc/dropbear/initramfs/dropbear_ed25519_host_key" ]]; then
chroot_script "${TARGET}" "
dropbearconvert dropbear openssh /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key"
chroot_script "${TARGET}" "
dropbearconvert dropbear openssh /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key"
chroot_script "${TARGET}" "
dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key.pub"
chroot_script "${TARGET}" "
dropbearkey -y -f /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key.pub"
else
# shellcheck disable=SC2312 # shellcheck disable=SC2312
chroot_exec "${TARGET}" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${VAR_FINAL_FQDN}-$(date -I)" chroot_exec "${TARGET}" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
# shellcheck disable=SC2312 # shellcheck disable=SC2312
chroot_exec "${TARGET}" ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${VAR_FINAL_FQDN}-$(date -I)" chroot_exec "${TARGET}" ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
fi
mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/ssh" mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/ssh"
cp "${TARGET}/etc/ssh/sshd_config" "${TARGET}/root/.ciss/cdi/backup/etc/ssh/sshd_config.bak" cp "${TARGET}/etc/ssh/sshd_config" "${TARGET}/root/.ciss/cdi/backup/etc/ssh/sshd_config.bak"
cp "${TARGET}/etc/ssh/ssh_config" "${TARGET}/root/.ciss/cdi/backup/etc/ssh/ssh_config.bak" cp "${TARGET}/etc/ssh/ssh_config" "${TARGET}/root/.ciss/cdi/backup/etc/ssh/ssh_config.bak"

14
lib/cdi_0100_arg/0104_arg_passphrase_modules.sh
View File

@@ -13,15 +13,14 @@
guard_sourcing guard_sourcing
####################################### #######################################
# Generates salt. # Generates a 16-byte salt.
# Globals: # Globals:
# ERR_GENERATE_SALT
# NL # NL
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
# 0: on success # 0: on success
# ERR_GENERATE_SALT # ERR_GENERATE_SALT: on failure
####################################### #######################################
generate_salt() { generate_salt() {
declare var_salt="" declare var_salt=""
@@ -38,18 +37,20 @@ generate_salt() {
return 0 return 0
} }
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f generate_salt
####################################### #######################################
# Reads and validates a secure one-line password file. # Reads and validates a secure one-line password file.
# Globals: # Globals:
# ERR_READ_PASS_FILE
# VAR_DEBUG_TRACE # VAR_DEBUG_TRACE
# Arguments: # Arguments:
# 1: Path to password file # 1: Path to password file
# 2: Name of target variable (via nameref) # 2: Name of target variable (via nameref)
# Returns: # Returns:
# 0: on success # 0: on success
# ERR_READ_PASS_FILE # ERR_READ_PASS_FILE: on failure
####################################### #######################################
read_password_file() { read_password_file() {
declare -r var_input_file="${1}" declare -r var_input_file="${1}"
@@ -106,4 +107,7 @@ read_password_file() {
return 0 return 0
} }
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f read_password_file
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

1
var/errors.var.sh
View File

@@ -57,6 +57,7 @@ declare -girx ERR_CHROOT_LOGGER=216 # An error occurred while preparing the
declare -girx ERR_READ_SEED_FILE=215 # Error reading the mfa TOTP seed file. declare -girx ERR_READ_SEED_FILE=215 # Error reading the mfa TOTP seed file.
declare -girx ERR_VERIFY_VISUDO=214 # Error verification by 'visudo'. declare -girx ERR_VERIFY_VISUDO=214 # Error verification by 'visudo'.
declare -girx ERR_VERIFY_LOGROTATE=213 # Error verification by 'logrotate'. declare -girx ERR_VERIFY_LOGROTATE=213 # Error verification by 'logrotate'.
declare -girx ERR_READ_AUTH_FILE=212 # Error reading the Luks Backup auth token file.
### Definition of error trap vars. ### Definition of error trap vars.
declare -gx ERRCODE="" # = $? = $1 = ERRCODE declare -gx ERRCODE="" # = $? = $1 = ERRCODE