msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m54s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-11 22:14:22 +01:00
parent be0a6c7c6a
commit 353568eb69
60 changed files with 2267 additions and 1163 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
func/cdi_1000_helper/1030_check_nic.sh
View File

@@ -41,4 +41,7 @@ check_nic() {
do_log "info" "file_only" "1030() You have selected: '${var_nic}' - proceeding with setup."
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f check_nic
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

6
func/cdi_1000_helper/1081_helper_grub.sh
View File

@@ -98,6 +98,9 @@ grub_extract_current_string() {
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f grub_extract_current_string
#######################################
# Helper module to finish the modified GRUB CMDLINE strings.
@@ -146,4 +149,7 @@ EOF
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f grub_finalize_string
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

24
func/cdi_1000_helper/1082_helper_modules.sh
View File

@@ -28,6 +28,9 @@ chroot_logger() {
chmod 0600 "${var_logfile}" || "${ERR_CHROOT_LOGGER}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f chroot_logger
#######################################
# Helper Module to generate a Subnet Mask out of an IP in CCDIR Notation.
@@ -50,6 +53,9 @@ generate_subnetmask() {
printf '%s' "${var_has_ipv4_subnet}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f generate_subnetmask
#######################################
# Collect NIC driver modules for initramfs installation (no lspci required).
@@ -92,7 +98,9 @@ grep_nic_driver_modules() {
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f grep_nic_driver_modules
#######################################
# Wrapper to insert the metadata field into the specified file.
@@ -128,6 +136,9 @@ insert_comments() {
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f insert_comments
#######################################
# Wrapper to insert the SPDX Header into the specified file.
@@ -160,11 +171,18 @@ EOF
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f insert_header
#######################################
# Helper module for update, full dist-upgrade, autoclean, autopurge and autoremove.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: on success
#######################################
update_upgrade() {
apt-get update
@@ -172,5 +190,9 @@ update_upgrade() {
apt-get autoclean -y
apt-get autopurge -y
apt-get autoremove -y
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f update_upgrade
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

9
func/cdi_1000_helper/1084_helper_sanitizer.sh
View File

@@ -22,6 +22,9 @@ remove_whitespace() {
declare var_out=$(printf "%s" "$1" | xargs)
printf '%s' "${var_out}"
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f remove_whitespace
#######################################
# Function to escape all shell metacharacters
@@ -33,6 +36,9 @@ sanitize_input() {
### %q quotes the string so that the shell re-reads it as the original literal
printf '%q' "${input}"
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f sanitize_input
#######################################
# Function to remove any character not in the allowed set
@@ -46,4 +52,7 @@ sanitize_string() {
declare allowed='a-zA-Z0-9._/=\[\]:"\-+ '
printf '%s' "${input}" | tr -cd "${allowed}"
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f sanitize_string
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

6
func/cdi_1000_helper/1085_helper_secure_dl.sh
View File

@@ -42,6 +42,9 @@ scurl() {
return "${ERR_DOWNLOAD_FAILED}"
fi
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f scurl
#######################################
# Wrapper for secure wget.
@@ -73,4 +76,7 @@ swget() {
return "${ERR_DOWNLOAD_FAILED}"
fi
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f swget
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

7
func/cdi_1000_helper/1086_helper_yaml.sh
View File

@@ -13,7 +13,9 @@
guard_sourcing
#######################################
# yq_val <YQ expression> <file> - Returns value, converts null to ""
# yq_val <YQ expression> <file> - Returns value, converts null to "".
# Globals:
# None
# Arguments:
# 1: Key String to evaluate
# 2: YAML File
@@ -23,4 +25,7 @@ yq_val() {
[[ "${var_h}" == null ]] && var_h=""
printf '%s' "${var_h}"
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f yq_val
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

3
func/cdi_1200_validation/1220_validation_element.sh
View File

@@ -31,4 +31,7 @@ validation_array() {
done
return 1
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f validation_array
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

15
func/cdi_1200_validation/1221_validation_ip.sh
View File

@@ -15,7 +15,7 @@ guard_sourcing
#######################################
# IPv4 validation.
# Globals:
# ERR_INVALID_IPV4
# None
# Arguments:
# 1: IPv4 to validate.
# Returns:
@@ -30,6 +30,9 @@ validation_ipv4() {
return "${ERR_INVALID_IPV4}"
fi
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f validation_ipv4
#######################################
# IPv6 validation, including
@@ -38,7 +41,7 @@ validation_ipv4() {
# - Addresses with embedded IPv4 addresses like ::ffff:192.0.2.128
# - Link-local addresses like fe80::1%eth0
# Globals:
# ERR_INVALID_IPV6
# None
# Arguments:
# 1: IPv6 address
# Returns:
@@ -88,11 +91,14 @@ validation_ipv6() {
### Success
do_log "info" "file_only" "'${var_ip}' seems to be a valid IPv6."
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f validation_ipv6
#######################################
# Port validation.
# Globals:
# ERR_INVALID_PORT
# None
# Arguments:
# 1: Port number
# Returns:
@@ -107,4 +113,7 @@ validation_port() {
return "${ERR_INVALID_PORT}"
fi
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f validation_port
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

3
func/cdi_1200_validation/1222_validation_preseed.sh
View File

@@ -60,4 +60,7 @@ validation_preseed() {
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f validation_preseed
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_1250_yaml/1250_yaml_parser.sh
View File

@@ -46,7 +46,7 @@ yaml_parser() {
while IFS='=' read -r var_key var_value; do
var_value=${var_value#\'}
var_value=${var_value%\'}
# shellcheck disable=SC2034
# shellcheck disable=SC2034,SC2249
case "${var_key}" in
grub_parameter_[0-9]*) ARY_BOOTPARAM+=("${var_value}") ;;
locale_locale_[0-9]*) ARY_LOCALE+=("${var_value}") ;;

23
func/cdi_1250_yaml/1251_yaml_reader.sh
View File

@@ -17,19 +17,42 @@ guard_sourcing
# Globals:
# BASH_REMATCH
# HMP_RECIPE_DEV_PARTITIONS
# VAR_APT_FULL_UPGRADE
# VAR_ARCHITECTURE
# VAR_CHROOT_DEBUG
# VAR_CODENAME
# VAR_DEB822
# VAR_DROPBEAR
# VAR_GRUB_PASSWORD
# VAR_LUKS_BACKUP
# VAR_LUKS_URL
# VAR_NEED_RUN_IN_TARGET
# VAR_NUKE
# VAR_NUKE_ROUNDS
# VAR_PRESEED
# VAR_PROVIDER
# VAR_RECIPE_FIRMWARE
# VAR_RECIPE_HIGHEST_DEVICE
# VAR_RECIPE_STRING
# VAR_RECIPE_TABLE
# VAR_RECOVERY
# VAR_SEC_FW
# VAR_SSH_CA
# VAR_SSH_PORT
# VAR_UFW_OUT
# apt_default_deb822
# apt_full_upgrade
# architecture
# chroot_debug
# distribution
# dropbear_boot
# grub_password
# needrun
# provider
# security_ext
# security_ufw_out
# ssh_port
# ssh_root_ca
# Arguments:
# None
# Returns:

17
func/cdi_1250_yaml/1252_yaml_validator.sh
View File

@@ -221,9 +221,14 @@ yaml_validator() {
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f yaml_validator
#######################################
# Network connectivity prober.
# Globals:
# network_timeout_linkwait
# Arguments:
# 1: IP-Family
# 2: TLD to probe
@@ -237,21 +242,33 @@ probe_link() {
### 1) Try ping (quiet, 1 probe, 3s deadline)
if ping -q -c 1 -W "${network_timeout_linkwait:-3}" "-${var_fam}" "${var_target}" >/dev/null 2>&1; then
var_ok="true"
else
### 2) Fallback: mtr in report mode (non-interactive), no DNS to avoid TUI/delays.
if command -v mtr >/dev/null 2>&1; then
### Treat as success if ANY hop resolves to something other than "???".
### '-r = report', '-c 2 = two cycles', -n = no DNS, -4/-6 = address family
# shellcheck disable=SC2312
if mtr "-${var_fam}" -r -c 3 -n "${var_target}" 2>/dev/null \
| awk 'NR>2 && $2!="???"{ok=1} END{exit ok?0:1}'; then
var_ok="true"
fi
fi
fi
printf '%s' "${var_ok}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f probe_link
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

19
func/cdi_3200_partitioning/3200_partitioning.sh
View File

@@ -43,23 +43,28 @@ guard_sourcing
# - LUKS encryption enabled.
# - Specific device partition data for each mount path.
# Globals:
# ARY_CRYPT_MOUNT_PATHS
# ARY_FORMT_MOUNT_PATHS
# ARY_FSTAB_MOUNT_PATHS
# ARY_PATHS_SORTED
# DIR_LOG
# HMP_FSTAB_MOUNT_FTYPE
# HMP_PATH_DEV_PART
# HMP_PATH_PARTUUID
# VAR_RECIPE_FIRMWARE
# VAR_RECIPE_STRING
# VAR_RECIPE_TABLE
# VAR_ROOT_FS
# VAR_SETUP_PART
# Arguments:
# None
# Returns:
# ERR_PARTITIONTBL
# ERR_PART_CREATE
# ERR_PART_READ
# ERR_TABLE_CREATE
# ERR_TABLE_DELETE
# 0: on success
# ERR_PARTITIONTBL: on failure
# ERR_PART_CREATE: on failure
# ERR_PART_READ: on failure
# ERR_TABLE_CREATE: on failure
# ERR_TABLE_DELETE: on failure
#######################################
partitioning() {
### Declare Arrays, HashMaps, and Variables.
@@ -180,6 +185,7 @@ partitioning() {
var_end_arg="${var_end}"
fi
# shellcheck disable=SC2249
case "${VAR_RECIPE_TABLE,,}" in
gpt)
@@ -212,6 +218,7 @@ partitioning() {
### Assign the correct GPT typecode via sgdisk if the table is GPT.
if [[ "${VAR_RECIPE_TABLE,,}" == "gpt" ]]; then
# shellcheck disable=SC2249
case "${var_mount_path,,}" in
"/")
@@ -254,6 +261,7 @@ partitioning() {
esac
# shellcheck disable=SC2249
case "${var_encryption,,}" in
true)
@@ -285,6 +293,7 @@ partitioning() {
### Set the bootable flag if necessary.
if [[ "${var_boot,,}" == "true" ]]; then
# shellcheck disable=SC2249
case "${VAR_RECIPE_TABLE,,}:${VAR_RECIPE_FIRMWARE,,}" in
gpt:uefi|mbr:uefi)

3
func/cdi_3200_partitioning/3210_benchmarking_encryption.sh
View File

@@ -55,4 +55,7 @@ benchmarking_encryption() {
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f benchmarking_encryption
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

4
func/cdi_3200_partitioning/3280_mount_partition.sh
View File

@@ -113,7 +113,7 @@ readonly -f mount_with_dir
# Outputs '/dev/mapper/<encryption_label>'
# Outputs '/dev/<dev><partition>'
# Globals:
# none
# None
# Arguments:
# 1: Device
# 2: Partition
@@ -144,7 +144,7 @@ readonly -f resolve_device
#######################################
# Validates btrfs compression algo and level.
# Globals:
# none
# None
# Arguments:
# 1: var_fs_btrfs_compress
# 2: var_fs_btrfs_level

1
func/cdi_3200_partitioning/3295_get_label.sh
View File

@@ -64,6 +64,7 @@ get_label() {
file)
# shellcheck disable=SC2249
case "${var_path}:${var_file}" in
swap:*) var_return_label="host_swap" ;;

13
func/cdi_4000_debootstrap/4000_debootstrap.sh
View File

@@ -16,9 +16,12 @@ guard_sourcing
# Install a minimal Debian environment using the 'debootstrap' command.
# Globals:
# LOG_DBS
# LOG_REC
# RECOVERY
# TARGET
# VAR_ARCHITECTURE
# VAR_CODENAME
# VAR_RUN_RECOVERY
# debootstrap_includes
# debootstrap_mirror
# Arguments:
@@ -31,11 +34,17 @@ func_debootstrap() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_arch="${VAR_ARCHITECTURE}"
declare -r var_dist="${VAR_CODENAME}"
declare -r var_target="${TARGET}"
declare -r var_mirror="${debootstrap_mirror}"
declare -r var_includes="${debootstrap_includes}"
declare -a ary_cmd=()
declare var_log="${LOG_DBS}"
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_log="${LOG_REC}"
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
ary_cmd+=( "debootstrap" "--arch=${var_arch}" "--keep-debootstrap-dir" "--log-extra-deps" "--merged-usr" )
if [[ -n "${var_includes}" ]]; then ary_cmd+=( "--include=${var_includes}" ); fi
@@ -45,7 +54,7 @@ func_debootstrap() {
do_log "debug" "file_only" "4000() Executing: [${ary_cmd[*]}]"
# shellcheck disable=SC2312
if "${ary_cmd[@]}" | tee "${LOG_DBS}"; then
if "${ary_cmd[@]}" | tee "${var_log}"; then
do_log "info" "file_only" "4000() [${ary_cmd[*]}] successful."

10
func/cdi_4000_debootstrap/4005_debootstrap_checks.sh
View File

@@ -15,7 +15,9 @@ guard_sourcing
#######################################
# Preliminary post debootstrap checks.
# Globals:
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# Arguments:
# None
# Returns:
@@ -24,10 +26,14 @@ guard_sourcing
check_debootstrap() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/4005_debootstrap_checks.log"
declare var_target="${TARGET}"
chroot_logger "${TARGET}${var_logfile}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
chroot_script "${TARGET}" "
chroot_logger "${var_target}${var_logfile}"
chroot_script "${var_target}" "
{
### Header
echo '==[debootstrap checks]=='

49
func/cdi_4000_debootstrap/4010_prepare_mounts.sh
View File

@@ -15,10 +15,11 @@ guard_sourcing
#######################################
# Configure the target system for chroot.
# Globals:
# RECOVERY
# TARGET
# VAR_CHROOT_ACTIVATED
# VAR_CHROOT_SYS_MASK_HELPER
# VAR_NEED_RUN_IN_TARGET
# VAR_RUN_RECOVERY
# Arguments:
# None
# Returns:
@@ -52,10 +53,14 @@ prepare_mounts() {
)
declare var_path="" var_fs="" var_src="" var_opts=""
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
mkdir -p "${TARGET}${var_path}"
mkdir -p "${var_target}${var_path}"
done
@@ -64,55 +69,65 @@ prepare_mounts() {
IFS=" " read -r var_fs var_src var_opts <<< "${HMP_SPECIAL_MOUNTS[${var_path}]}"
if mountpoint -q "${TARGET}${var_path}"; then
if mountpoint -q "${var_target}${var_path}"; then
do_log "info" "file_only" "4010() Skipped: '${TARGET}${var_path}' is already a mountpoint."
do_log "info" "file_only" "4010() Skipped: '${var_target}${var_path}' is already a mountpoint."
continue
fi
if ! mount -t "${var_fs}" "${var_src}" "${TARGET}${var_path}" -o "${var_opts}"; then
if ! mount -t "${var_fs}" "${var_src}" "${var_target}${var_path}" -o "${var_opts}"; then
do_log "emergency" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] failed."
do_log "emergency" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${var_target}${var_path} -o ${var_opts}] failed."
return "${ERR_CHRT_MOUNTS}"
fi
do_log "info" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] successful."
do_log "info" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${var_target}${var_path} -o ${var_opts}] successful."
done
if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
mkdir -p "${TARGET}/run"
mkdir -p "${var_target}/run"
if ! mount --make-rslave --rbind /run "${TARGET}/run"; then
if ! mount --make-rslave --rbind /run "${var_target}/run"; then
do_log "emergency" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${TARGET}/run] failed."
do_log "emergency" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${var_target}/run] failed."
return "${ERR_CHRT_MOUNTS}"
fi
do_log "info" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${TARGET}/run] successful."
do_log "info" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${var_target}/run] successful."
fi
if ! chroot_exec "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
if ! chroot_exec "${var_target}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
do_log "emergency" "file_only" "4010() Command: [chroot_exec ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
do_log "emergency" "file_only" "4010() Command: [chroot_exec ${var_target} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
return "${ERR_CHRT_MOUNTS}"
fi
do_log "info" "file_only" "4010() Command: [chroot_exec ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
do_log "info" "file_only" "4010() Command: [chroot_exec ${var_target} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
mkdir -p "${TARGET}/media/cdrom0"
mkdir -p "${var_target}/media/cdrom0"
# shellcheck disable=SC2034
declare -gx VAR_CHROOT_ACTIVATED="system"
do_log "info" "file_only" "4010() Command: [declare -gx VAR_CHROOT_ACTIVATED=system]"
if [[ "${VAR_RUN_RECOVERY}" == "false" ]]; then
declare -gx VAR_CHROOT_ACTIVATED="system"
do_log "info" "file_only" "4010() Command: [declare -gx VAR_CHROOT_ACTIVATED=system]"
elif [[ "${VAR_RUN_RECOVERY}" == "true" ]]; then
declare -gx VAR_CHROOT_ACTIVATED="recovery"
do_log "info" "file_only" "4010() Command: [declare -gx VAR_CHROOT_ACTIVATED=recovery]"
fi
guard_dir && return 0
}

12
func/cdi_4000_debootstrap/4015_check_usr_merge.sh
View File

@@ -15,7 +15,9 @@ guard_sourcing
#######################################
# Check if the target system is not 'tainted: unmerged-usr'.
# Globals:
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# architecture
# Arguments:
# None
@@ -25,11 +27,15 @@ guard_sourcing
check_usr_merge() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/4015_check_usr_merge.log"
declare var_target="${TARGET}"
chroot_logger "${TARGET}${var_logfile}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
chroot_logger "${var_target}${var_logfile}"
# shellcheck disable=SC2312
chroot_script "${TARGET}" "
chroot_script "${var_target}" "
test -L /bin && test $(readlink -f /bin) = '/usr/bin' && echo 'MERGED:/bin' >> ${var_logfile} || echo 'UNMERGED:/bin' >> ${var_logfile}
test -L /sbin && test $(readlink -f /sbin) = '/usr/sbin' && echo 'MERGED:/sbin' >> ${var_logfile} || echo 'UNMERGED:/sbin' >> ${var_logfile}
test -L /lib && test $(readlink -f /lib) = '/usr/lib' && echo 'MERGED:/lib' >> ${var_logfile} || echo 'UNMERGED:/lib' >> ${var_logfile}
@@ -38,7 +44,7 @@ check_usr_merge() {
if [[ "${architecture}" == "amd64" ]]; then
# shellcheck disable=SC2312
chroot_script "${TARGET}" "
chroot_script "${var_target}" "
test -L /lib64 && test $(readlink -f /lib64) = '/usr/lib64' && echo 'MERGED:/lib64' >> ${var_logfile} || echo 'UNMERGED:/lib64' >> ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"

15
func/cdi_4000_debootstrap/4020_remove_x509.sh
View File

@@ -15,7 +15,9 @@ guard_sourcing
#######################################
# Chroot hook for deleting all expired X.509 certificates in the target system.
# Globals:
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# VAR_SETUP_PATH
# Arguments:
# None
@@ -23,17 +25,22 @@ guard_sourcing
# 0: on success
#######################################
remove_x509() {
### Declare Arrays, HashMaps, and Variables.
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/4020_remove_x509.hooks.sh" \
"${TARGET}/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh"
"${var_target}/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh"
if ! chroot_script "${TARGET}" "/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh" "emergency"; then
if ! chroot_script "${var_target}" "/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh" "emergency"; then
do_log "warn" "file_only" "4020() Command: [chroot_script ${TARGET} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] failed."
do_log "warn" "file_only" "4020() Command: [chroot_script ${var_target} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] failed."
else
do_log "debug" "file_only" "4020() Command: [chroot_script ${TARGET} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] successful."
do_log "debug" "file_only" "4020() Command: [chroot_script ${var_target} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] successful."
fi

41
func/cdi_4000_debootstrap/4030_setup_hostname.sh
View File

@@ -15,11 +15,13 @@ guard_sourcing
#######################################
# Configure the '/etc/hostname' | '/etc/hosts' | '/etc/mailname' files.
# Globals:
# RECOVERY
# TARGET
# VAR_FINAL_FQDN
# VAR_FINAL_IPV4
# VAR_FINAL_IPV6
# VAR_LINK_IPV6
# VAR_RUN_RECOVERY
# network_ipv6
# Arguments:
# None
@@ -27,36 +29,42 @@ guard_sourcing
# 0: on success
#######################################
setup_hostname() {
### Create the '${TARGET}/etc/hostname' file.
cat << EOF >| "${TARGET}/etc/hostname"
### Declare Arrays, HashMaps, and Variables.
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
### Create the '${var_target}/etc/hostname' file.
cat << EOF >| "${var_target}/etc/hostname"
${VAR_FINAL_FQDN}
EOF
chmod 0644 "${TARGET}/etc/hostname"
do_log "info" "file_only" "4030() File generated: '${TARGET}/etc/hostname' | hostname '${VAR_FINAL_FQDN}'."
chmod 0644 "${var_target}/etc/hostname"
do_log "info" "file_only" "4030() File generated: '${var_target}/etc/hostname' | hostname '${VAR_FINAL_FQDN}'."
### Create the '${TARGET}/etc/mailname' file.
cat << EOF >| "${TARGET}/etc/mailname"
### Create the '${var_target}/etc/mailname' file.
cat << EOF >| "${var_target}/etc/mailname"
${VAR_FINAL_FQDN}
EOF
chmod 0644 "${TARGET}/etc/mailname"
do_log "info" "file_only" "4030() File generated: '${TARGET}/etc/mailname' | mailname '${VAR_FINAL_FQDN}'."
chmod 0644 "${var_target}/etc/mailname"
do_log "info" "file_only" "4030() File generated: '${var_target}/etc/mailname' | mailname '${VAR_FINAL_FQDN}'."
### Generate '${TARGET}/etc/hosts' basic IPv4 entries
cat << EOF >| "${TARGET}/etc/hosts"
### Generate '${var_target}/etc/hosts' basic IPv4 entries
cat << EOF >| "${var_target}/etc/hosts"
127.0.0.1 localhost
${VAR_FINAL_IPV4} ${VAR_FINAL_FQDN}
EOF
chmod 0644 "${TARGET}/etc/hosts"
do_log "info" "file_only" "4030() File generated: '${TARGET}/etc/hosts' with basic IPv4 entries."
chmod 0644 "${var_target}/etc/hosts"
do_log "info" "file_only" "4030() File generated: '${var_target}/etc/hosts' with basic IPv4 entries."
### Generate '${TARGET}/etc/hosts' basic IPv6 entries
### Generate '${var_target}/etc/hosts' basic IPv6 entries
if [[ "${VAR_LINK_IPV6,,}" == "true" || "${network_ipv6,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/hosts"
cat << EOF >> "${var_target}/etc/hosts"
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
@@ -68,10 +76,13 @@ ${VAR_FINAL_IPV6} ${VAR_FINAL_FQDN}
EOF
do_log "info" "file_only" "4030() File updated: '${TARGET}/etc/hosts' with basic IPv6 entries."
do_log "info" "file_only" "4030() File updated: '${var_target}/etc/hosts' with basic IPv6 entries."
fi
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f setup_hostname
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

47
func/cdi_4000_debootstrap/4035_setup_resolv.sh
View File

@@ -17,13 +17,11 @@ guard_sourcing
# Globals:
# ARY_IPV4_NS
# ARY_IPV6_NS
# DIR_BAK
# RECOVERY
# TARGET
# VAR_ARCHITECTURE
# VAR_CODENAME
# VAR_FINAL_IPV6
# VAR_LINK_IPV6
# VAR_VERSION
# VAR_RUN_RECOVERY
# Arguments:
# None
# Returns:
@@ -32,59 +30,66 @@ guard_sourcing
setup_resolv() {
### Declare Arrays, HashMaps, and Variables.
declare ns=""
declare var_target="${TARGET}"
if [[ -f "${TARGET}/etc/resolv.conf" ]]; then
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc"
mv "${TARGET}/etc/resolv.conf" "${TARGET}/root/.ciss/cdi/backup/etc/resolv.conf.bak"
do_log "info" "file_only" "4035() Existing '${TARGET}/etc/resolv.conf' moved."
if [[ -f "${var_target}/etc/resolv.conf" ]]; then
mkdir -p "${var_target}/root/.ciss/cdi/backup/etc"
mv "${var_target}/etc/resolv.conf" "${var_target}/root/.ciss/cdi/backup/etc/resolv.conf.bak"
do_log "info" "file_only" "4035() Existing '${var_target}/etc/resolv.conf' moved."
fi
touch "${TARGET}/etc/resolv.conf"
chmod 0644 "${TARGET}/etc/resolv.conf"
touch "${var_target}/etc/resolv.conf"
chmod 0644 "${var_target}/etc/resolv.conf"
### Create '/etc/resolv.conf' IPv4 entries for static configuration.
insert_header "${TARGET}/etc/resolv.conf"
insert_comments "${TARGET}/etc/resolv.conf"
cat << EOF >> "${TARGET}/etc/resolv.conf"
insert_header "${var_target}/etc/resolv.conf"
insert_comments "${var_target}/etc/resolv.conf"
cat << EOF >> "${var_target}/etc/resolv.conf"
### Custom DNS IPv4 configuration
EOF
for ns in "${ARY_IPV4_NS[@]}"; do
echo "nameserver ${ns}" >> "${TARGET}/etc/resolv.conf"
echo "nameserver ${ns}" >> "${var_target}/etc/resolv.conf"
do_log "info" "file_only" "4035() IPv4 nameserver added: [${ns}]."
done
echo "" >> "${TARGET}/etc/resolv.conf"
do_log "info" "file_only" "4035() IPv4 nameserver at: '${TARGET}/etc/resolv.conf' configured."
echo "" >> "${var_target}/etc/resolv.conf"
do_log "info" "file_only" "4035() IPv4 nameserver at: '${var_target}/etc/resolv.conf' configured."
### Create '/etc/resolv.conf' IPv6 entries for static configuration.
if [[ "${VAR_LINK_IPV6,,}" == "true" || -n "${VAR_FINAL_IPV6}" ]]; then
cat << EOF >> "${TARGET}/etc/resolv.conf"
cat << EOF >> "${var_target}/etc/resolv.conf"
### Custom DNS IPv6 configuration
EOF
for ns in "${ARY_IPV6_NS[@]}"; do
echo "nameserver ${ns}" >> "${TARGET}/etc/resolv.conf"
echo "nameserver ${ns}" >> "${var_target}/etc/resolv.conf"
do_log "info" "file_only" "4035() IPv6 nameserver added: [${ns}]."
done
echo "" >> "${TARGET}/etc/resolv.conf"
do_log "info" "file_only" "4035() IPv6 nameserver at: '${TARGET}/etc/resolv.conf' configured."
echo "" >> "${var_target}/etc/resolv.conf"
do_log "info" "file_only" "4035() IPv6 nameserver at: '${var_target}/etc/resolv.conf' configured."
fi
cat << EOF >> "${TARGET}/etc/resolv.conf"
cat << EOF >> "${var_target}/etc/resolv.conf"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f setup_resolv
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

23
func/cdi_4000_debootstrap/4040_setup_timezone.sh
View File

@@ -15,7 +15,9 @@ guard_sourcing
#######################################
# Configure the '/etc/timezone' | '/etc/localtime' files.
# Globals:
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# ntp_timezone
# Arguments:
# None
@@ -23,17 +25,26 @@ guard_sourcing
# 0: on success
#######################################
setup_timezone() {
### Create '${TARGET}/etc/timezone' file.
cat << EOF >| "${TARGET}/etc/timezone"
### Declare Arrays, HashMaps, and Variables.
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
### Create the '$ {var_target}/etc / timezone' file.
cat << EOF >| "${var_target}/etc/timezone"
${ntp_timezone:-UTC}
EOF
chmod 0644 "${TARGET}/etc/timezone"
do_log "info" "file_only" "4040() File generated: '${TARGET}/etc/timezone' | timezone '${ntp_timezone:-UTC}'."
chmod 0644 "${var_target}/etc/timezone"
do_log "info" "file_only" "4040() File generated: '${var_target}/etc/timezone' | timezone '${ntp_timezone:-UTC}'."
chroot_exec "${TARGET}" ln -sf "/usr/share/zoneinfo/${ntp_timezone}" /etc/localtime
chroot_exec "${var_target}" ln -sf "/usr/share/zoneinfo/${ntp_timezone}" /etc/localtime
chroot_exec "${TARGET}" dpkg-reconfigure -f noninteractive tzdata
chroot_exec "${var_target}" dpkg-reconfigure -f noninteractive tzdata
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f setup_timezone
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

36
func/cdi_4000_debootstrap/4050_setup_locales.sh
View File

@@ -16,10 +16,10 @@ guard_sourcing
# Set locale, locale overrides and configure keyboard layout.
# Globals:
# ARY_LOCALE
# RECOVERY
# TARGET
# VAR_ARCHITECTURE
# VAR_CODENAME
# VAR_VERSION
# VAR_DATE
# VAR_RUN_RECOVERY
# locale_country
# locale_keyboard_xkb_keymap
# locale_language
@@ -42,15 +42,22 @@ guard_sourcing
setup_locales() {
### Declare Arrays, HashMaps, and Variables.
declare var_locale_hook="/root/.ciss/cdi/hooks/4050_setup_locales.hooks.sh"
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
### Give priority to '${locale_locale}' over separately configured variables '${locale_country}' and '${locale_language}'.
### If 'locale_locale' is not set, build it from 'locale_language' and 'locale_country'.
if [[ -n "${locale_language:-}" && -n "${locale_country:-}" && -z "${ARY_LOCALE[0]:-}" ]]; then
# shellcheck disable=SC2034
ARY_LOCALE+="${locale_language}_${locale_country}.UTF-8"
fi
### Creat Hook in target.
cat << EOF >| "${TARGET}${var_locale_hook}"
cat << EOF >| "${var_target}${var_locale_hook}"
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -72,7 +79,7 @@ declare loc=""
EOF
cat << 'EOF' >> "${TARGET}${var_locale_hook}"
cat << 'EOF' >> "${var_target}${var_locale_hook}"
ary_locale+=( "${locale_0}" )
[[ -n "${locale_1}" ]] && ary_locale+=( "${locale_1}" )
@@ -94,7 +101,7 @@ done
EOF
cat << EOF >> "${TARGET}${var_locale_hook}"
cat << EOF >> "${var_target}${var_locale_hook}"
update-locale \
LANG=${ARY_LOCALE[0]} \
LC_ADDRESS=${locale_override_address:-${ARY_LOCALE[0]}} \
@@ -112,13 +119,13 @@ LC_IDENTIFICATION=${ARY_LOCALE[0]}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0700 "${TARGET}${var_locale_hook}"
chroot_script "${TARGET}" "${var_locale_hook}"
chmod 0700 "${var_target}${var_locale_hook}"
chroot_script "${var_target}" "${var_locale_hook}"
### Set the keyboard layout for the system (for consoles).
insert_header "${TARGET}/etc/default/keyboard"
insert_comments "${TARGET}/etc/default/keyboard"
cat << EOF >> "${TARGET}/etc/default/keyboard"
insert_header "${var_target}/etc/default/keyboard"
insert_comments "${var_target}/etc/default/keyboard"
cat << EOF >> "${var_target}/etc/default/keyboard"
# KEYBOARD CONFIGURATION FILE
# Consult the keyboard(5) manual page.
@@ -130,9 +137,12 @@ BACKSPACE="guess"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
chmod 0644 "${TARGET}/etc/default/keyboard"
do_log "info" "file_only" "4050() Keyboard layout updated: 'XKBLAYOUT=${locale_keyboard_xkb_keymap}' -> '${TARGET}/etc/default/keyboard'."
chmod 0644 "${var_target}/etc/default/keyboard"
do_log "info" "file_only" "4050() Keyboard layout updated: 'XKBLAYOUT=${locale_keyboard_xkb_keymap}' -> '${var_target}/etc/default/keyboard'."
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f setup_locales
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

76
func/cdi_4100_base/4100_generate_sources.sh
View File

@@ -15,10 +15,9 @@ guard_sourcing
#######################################
# Generate target '/etc/apt/sources.list' entries.
# Globals:
# RECOVERY
# TARGET
# VAR_ARCHITECTURE
# VAR_CODENAME
# VAR_VERSION
# VAR_RUN_RECOVERY
# apt_contrib
# apt_deb_sources
# apt_mirror_directory
@@ -39,8 +38,12 @@ guard_sourcing
#######################################
generate_sources() {
### Declare Arrays, HashMaps, and Variables.
declare -a ary_components=()
declare var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
declare -a ary_components=()
declare var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
# shellcheck disable=SC2154 # "${architecture}"
var_arch="${architecture,,}"
@@ -77,25 +80,25 @@ generate_sources() {
fi
: >| "${TARGET}/etc/apt/sources.list"
chmod 0644 "${TARGET}/etc/apt/sources.list"
: >| "${var_target}/etc/apt/sources.list"
chmod 0644 "${var_target}/etc/apt/sources.list"
### Main Repository
# shellcheck disable=SC2153
insert_header "${TARGET}/etc/apt/sources.list"
insert_comments "${TARGET}/etc/apt/sources.list"
cat << EOF >> "${TARGET}/etc/apt/sources.list"
insert_header "${var_target}/etc/apt/sources.list"
insert_comments "${var_target}/etc/apt/sources.list"
cat << EOF >> "${var_target}/etc/apt/sources.list"
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
deb ${var_url} ${var_codename} ${ary_components[*]}
EOF
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename} ${ary_components[*]}'."
do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename} ${ary_components[*]}'."
if [[ "${var_deb_src}" == "true" ]]; then
echo "deb-src ${var_url} ${var_codename} ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename} ${ary_components[*]}'."
echo "deb-src ${var_url} ${var_codename} ${ary_components[*]}" >> "${var_target}/etc/apt/sources.list"
do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename} ${ary_components[*]}'."
fi
@@ -103,16 +106,16 @@ EOF
### Security Repository
if [[ "${apt_updates_security,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/apt/sources.list"
cat << EOF >> "${var_target}/etc/apt/sources.list"
deb ${var_surl} ${var_codename}-security ${ary_components[*]}
EOF
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_surl} ${var_codename}-security ${ary_components[*]}'."
do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb ${var_surl} ${var_codename}-security ${ary_components[*]}'."
if [[ "${var_deb_src}" == "true" ]]; then
echo "deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}'."
echo "deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}" >> "${var_target}/etc/apt/sources.list"
do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}'."
fi
@@ -122,16 +125,16 @@ EOF
### Updates Repository
if [[ "${apt_updates_release,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/apt/sources.list"
cat << EOF >> "${var_target}/etc/apt/sources.list"
deb ${var_url} ${var_codename}-updates ${ary_components[*]}
EOF
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-updates ${ary_components[*]}'."
do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-updates ${ary_components[*]}'."
if [[ "${var_deb_src}" == "true" ]]; then
echo "deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}'."
echo "deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}" >> "${var_target}/etc/apt/sources.list"
do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}'."
fi
@@ -141,16 +144,16 @@ EOF
### Backports Repository
if [[ "${apt_updates_backports,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/apt/sources.list"
cat << EOF >> "${var_target}/etc/apt/sources.list"
deb ${var_url} ${var_codename}-backports ${ary_components[*]}
EOF
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-backports ${ary_components[*]}'."
do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-backports ${ary_components[*]}'."
if [[ "${var_deb_src,,}" == "true" ]]; then
echo "deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}'."
echo "deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}" >> "${var_target}/etc/apt/sources.list"
do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}'."
fi
@@ -158,32 +161,35 @@ EOF
### Clean up 'sources.list'
sed -i '/^#/!s/[[:space:]]\+/ /g' "${TARGET}/etc/apt/sources.list"
sed -i '/^#/!s/[[:space:]]\+/ /g' "${var_target}/etc/apt/sources.list"
cat << EOF >> "${TARGET}/etc/apt/sources.list"
cat << EOF >> "${var_target}/etc/apt/sources.list"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
insert_header "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
insert_comments "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
cat << 'EOF' >> "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
insert_header "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
insert_comments "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
cat << 'EOF' >> "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
Acquire::PDiffs "false";
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
sed -i -E 's|^([[:space:]]*)#+|\1//|' "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
sed -i -E 's|^([[:space:]]*)#+|\1//|' "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
insert_header "${TARGET}/etc/apt/apt.conf.d/91-acquire"
insert_comments "${TARGET}/etc/apt/apt.conf.d/91-acquire"
cat << 'EOF' >> "${TARGET}/etc/apt/apt.conf.d/91-acquire"
insert_header "${var_target}/etc/apt/apt.conf.d/91-acquire"
insert_comments "${var_target}/etc/apt/apt.conf.d/91-acquire"
cat << 'EOF' >> "${var_target}/etc/apt/apt.conf.d/91-acquire"
Acquire::Retries "3";
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
sed -i -E 's|^([[:space:]]*)#+|\1//|' "${TARGET}/etc/apt/apt.conf.d/91-acquire"
sed -i -E 's|^([[:space:]]*)#+|\1//|' "${var_target}/etc/apt/apt.conf.d/91-acquire"
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f generate_sources
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

55
func/cdi_4100_base/4105_generate_sources_822.sh
View File

@@ -36,8 +36,12 @@ guard_sourcing
#######################################
generate_sources822() {
### Declare Arrays, HashMaps, and Variables.
declare -a ary_components=() ary_types=()
declare var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
declare -a ary_components=() ary_types=()
declare var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
# shellcheck disable=SC2154 # "${architecture}"
var_arch="${architecture,,}"
@@ -79,9 +83,9 @@ generate_sources822() {
### Main Repository
insert_header "${TARGET}/etc/apt/sources.list.d/trixie.sources"
insert_comments "${TARGET}/etc/apt/sources.list.d/trixie.sources"
cat << EOF >> "${TARGET}/etc/apt/sources.list.d/trixie.sources"
insert_header "${var_target}/etc/apt/sources.list.d/trixie.sources"
insert_comments "${var_target}/etc/apt/sources.list.d/trixie.sources"
cat << EOF >> "${var_target}/etc/apt/sources.list.d/trixie.sources"
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
@@ -98,9 +102,9 @@ EOF
### Security Repository
if [[ "${apt_updates_security,,}" == "true" ]]; then
insert_header "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
insert_comments "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
cat << EOF >> "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
insert_header "${var_target}/etc/apt/sources.list.d/trixie-security.sources"
insert_comments "${var_target}/etc/apt/sources.list.d/trixie-security.sources"
cat << EOF >> "${var_target}/etc/apt/sources.list.d/trixie-security.sources"
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
@@ -117,9 +121,9 @@ EOF
### Updates Repository
if [[ "${apt_updates_release,,}" == "true" ]]; then
insert_header "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
insert_comments "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
cat << EOF >> "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
insert_header "${var_target}/etc/apt/sources.list.d/trixie-updates.sources"
insert_comments "${var_target}/etc/apt/sources.list.d/trixie-updates.sources"
cat << EOF >> "${var_target}/etc/apt/sources.list.d/trixie-updates.sources"
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
@@ -137,9 +141,9 @@ EOF
### Backports Repository
if [[ "${apt_updates_backports,,}" == "true" ]]; then
insert_header "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
insert_comments "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
cat << EOF >> "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
insert_header "${var_target}/etc/apt/sources.list.d/trixie-backports.sources"
insert_comments "${var_target}/etc/apt/sources.list.d/trixie-backports.sources"
cat << EOF >> "${var_target}/etc/apt/sources.list.d/trixie-backports.sources"
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
@@ -156,30 +160,33 @@ EOF
fi
if [[ -f "${TARGET}/etc/apt/sources.list" ]]; then
rm -f "${TARGET}/etc/apt/sources.list"
if [[ -f "${var_target}/etc/apt/sources.list" ]]; then
rm -f "${var_target}/etc/apt/sources.list"
fi
insert_header "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
insert_comments "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
cat << 'EOF' >> "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
insert_header "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
insert_comments "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
cat << 'EOF' >> "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
Acquire::PDiffs "false";
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
sed -i -E 's|^([[:space:]]*)#+|\1//|' "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
sed -i -E 's|^([[:space:]]*)#+|\1//|' "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
insert_header "${TARGET}/etc/apt/apt.conf.d/91-acquire"
insert_comments "${TARGET}/etc/apt/apt.conf.d/91-acquire"
cat << 'EOF' >> "${TARGET}/etc/apt/apt.conf.d/91-acquire"
insert_header "${var_target}/etc/apt/apt.conf.d/91-acquire"
insert_comments "${var_target}/etc/apt/apt.conf.d/91-acquire"
cat << 'EOF' >> "${var_target}/etc/apt/apt.conf.d/91-acquire"
Acquire::Retries "3";
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
sed -i -E 's|^([[:space:]]*)#+|\1//|' "${TARGET}/etc/apt/apt.conf.d/91-acquire"
sed -i -E 's|^([[:space:]]*)#+|\1//|' "${var_target}/etc/apt/apt.conf.d/91-acquire"
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f generate_sources822
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

19
func/cdi_4100_base/4110_update_sources.sh
View File

@@ -18,7 +18,9 @@ guard_sourcing
# to suppress the 'update-initramfs'-Kernel-Hooks, according to the initramfs-tools manpage:
# https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
# Globals:
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# apt_updates_policy
# Arguments:
# None
@@ -28,19 +30,23 @@ guard_sourcing
update_sources() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/4110_update_sources.log"
declare var_target="${TARGET}"
chroot_logger "${TARGET}${var_logfile}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
chroot_logger "${var_target}${var_logfile}"
### Update generated sources.
# shellcheck disable=SC2312
chroot_script "${TARGET}" "apt-get update 2>&1 | tee -a ${var_logfile}; echo ExitCode: \$? >> ${var_logfile}"
chroot_script "${var_target}" "apt-get update 2>&1 | tee -a ${var_logfile}; echo ExitCode: \$? >> ${var_logfile}"
do_log "info" "file_only" "4110() Sources lists: updated successfully."
### Update unattended, security, or no unattended updates at all.
if [[ "${apt_updates_policy,,}" == "unattended" ]]; then
chroot_script "${TARGET}" "
chroot_script "${var_target}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
@@ -49,14 +55,14 @@ update_sources() {
elif [[ "${apt_updates_policy,,}" == "security" ]]; then
chroot_script "${TARGET}" "
chroot_script "${var_target}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
# shellcheck disable=SC2016
sed -i 's/^[[:space:]]*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${TARGET}/etc/apt/apt.conf.d/50unattended-upgrades"
sed -i 's/^[[:space:]]*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${var_target}/etc/apt/apt.conf.d/50unattended-upgrades"
do_log "info" "file_only" "4110() The update policy was set at installation time to: '${apt_updates_policy}'."
elif [[ "${apt_updates_policy,,}" == "none" ]]; then
@@ -71,4 +77,7 @@ update_sources() {
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f update_sources
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

34
func/cdi_4400_hardening/4420_hardening_fail2ban.sh
View File

@@ -21,6 +21,7 @@ guard_sourcing
# VAR_FINAL_FQDN
# VAR_FINAL_IPV4
# VAR_FINAL_IPV6
# VAR_LINK_IPV6
# VAR_PROVIDER
# VAR_SSH_PORT
# Arguments:
@@ -49,6 +50,7 @@ EOF
insert_header "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
insert_comments "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
if [[ "${#ARY_ALLOW_IPV4[@]}" -gt 0 ]]; then
### fail2ban ufw aggressive mode, one attempt for jumphost configuration.
@@ -58,10 +60,28 @@ usedns = yes
ignoreip = 127.0.0.0/8 ::1
# ${VAR_FINAL_FQDN}
${VAR_FINAL_IPV4}
EOF
if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
${VAR_FINAL_IPV6}/64
EOF
fi
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
# Jumphost
${ARY_ALLOW_IPV4[*]}
EOF
if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
${ARY_ALLOW_IPV6[*]}
EOF
fi
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
maxretry = 8
findtime = 12h
bantime = 12h
@@ -106,7 +126,16 @@ usedns = yes
ignoreip = 127.0.0.0/8 ::1
# ${VAR_FINAL_FQDN}
${VAR_FINAL_IPV4}
EOF
if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
${VAR_FINAL_IPV6}/64
EOF
fi
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
maxretry = 8
findtime = 12h
bantime = 12h
@@ -146,7 +175,9 @@ EOF
### Provider Hetzner needs special ignoreip rules.
if [[ "${VAR_PROVIDER}" == "hetzner" ]]; then
sed -i '0,/^maxretry/{s/^maxretry/# Hetzner Intern\n 172.31.1.1\/16\n&/}' "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
fi
insert_header "${TARGET}/etc/fail2ban/filter.d/ufw.aggressive.conf"
@@ -211,4 +242,7 @@ EOF
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f hardening_fail2ban
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

69
func/cdi_4500_user/4520_accounts_setup.sh
View File

@@ -24,13 +24,14 @@ guard_sourcing
# user_root_authentication_access_ssh
# user_root_authentication_access_tty
# user_root_authentication_password
# user_root_password
# user_root_shell
# user_root_specific
# user_root_sshpubkey
# Arguments:
# None
# Returns:
# 0: on success
# ERR_ACCOUNT_CREATE: on failure
#######################################
accounts_setup() {
### Declare Arrays, HashMaps, and Variables.
@@ -102,19 +103,28 @@ accounts_setup() {
do_log "info" "file_only" "4520() Skeleton: 'root' successfully generated."
### 2) Check SSH access capabilities.
case "${user_root_authentication_access_ssh}" in
case "${user_root_authentication_access_ssh,,}" in
false)
sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'no')|" "${TARGET}/etc/ssh/sshd_config"
do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin no]"
;;
true)
sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'prohibit-password')|" "${TARGET}/etc/ssh/sshd_config"
do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin prohibit-password]"
;;
*)
do_log "fatal" "file_only" "4520() Not set: user_root_authentication_access_ssh [${user_root_authentication_access_ssh}]"
return "${ERR_ACCOUNT_CREATE}"
;;
esac
### 3) Check tty access capabilities.
case "${user_root_authentication_access_tty}" in
case "${user_root_authentication_access_tty,,}" in
false)
### 3) A) 1) Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
pam_access_sync_login_sshd
@@ -165,33 +175,53 @@ tty1
EOF
do_log "info" "file_only" "4520() User: 'root' tty access: [true]"
;;
*)
do_log "fatal" "file_only" "4520() Not set: user_root_authentication_access_tty [${user_root_authentication_access_tty}]"
return "${ERR_ACCOUNT_CREATE}"
;;
esac
### 4) Check the password policy for the 'root' account.
case "${user_root_authentication_password}" in
case "${user_root_authentication_password,,}" in
false)
chroot_script "${TARGET}" "passwd -l root"
do_log "info" "file_only" "4520() User: 'root' password access: [false]"
;;
true)
chroot_script "${TARGET}" "printf '%s:%s\n' root '${var_password}' | /usr/sbin/chpasswd -e"
#chroot_script "${TARGET}" "/usr/sbin/usermod -p '${user_root_password}' root"
do_log "info" "file_only" "4520() User: 'root' password access: [true]"
;;
*)
do_log "fatal" "file_only" "4520() Not set: user_root_authentication_password [${user_root_authentication_password}]"
return "${ERR_ACCOUNT_CREATE}"
;;
esac
### 5) Update the 'root' SSH pubkey, if provided via 'preseed.yaml'.
if [[ -n "${user_root_sshpubkey:-}" ]]; then
printf "%s\n" "${user_root_sshpubkey}" >| "${TARGET}/root/.ssh/authorized_keys"
do_log "info" "file_only" "4520() User: 'root' SSH public key: inserted."
fi
### 6) Update the 'root' 'totp'-policy and write the '.google_authenticator'-file.
if [[ "${user_root_authentication_2fa_ssh}" == "true" || "${user_root_authentication_2fa_tty}" == "true" ]]; then
write_google_authenticator_file "root" "0" "0"
fi
if [[ "${user_root_authentication_2fa_ssh}" == "true" ]]; then
pam_access_totp_enable "root" "sshd"
var_ssh_totp_update="true"
cat << EOF >> "${TARGET}/etc/ssh/sshd_config"
@@ -318,6 +348,11 @@ EOF
"${var_username}"
;;
*)
do_log "fatal" "file_only" "4520() Not set: var_restricted:var_system [${var_restricted}:${var_system}]"
return "${ERR_ACCOUNT_CREATE}"
;;
esac
### 1) Prepare the 'user' account.
@@ -365,7 +400,8 @@ EOF
### Nothing to do here as per-user SSH capabilities are already handled in '4330_installation_ssh.sh'.
### 3) Check tty access capabilities.
case "${var_access_tty}" in
case "${var_access_tty,,}" in
false)
### 3) A) 1) Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
pam_access_sync_login_sshd
@@ -388,33 +424,52 @@ EOF
do_log "info" "file_only" "4520() User: '${var_username}' tty access: [true]"
;;
*)
do_log "fatal" "file_only" "4520() Not set: var_access_tty [${var_access_tty}]"
return "${ERR_ACCOUNT_CREATE}"
;;
esac
### 4) Check the password policy for the 'user' account.
case "${var_auth_pwd}" in
false)
chroot_script "${TARGET}" "passwd -l ${var_username}"
do_log "info" "file_only" "4520() User: '${var_username}' password access: [false]"
;;
true)
chroot_script "${TARGET}" "printf '%s:%s\n' \"${var_username}\" '${var_password}' | /usr/sbin/chpasswd -e"
#chroot_script "${TARGET}" "/usr/sbin/usermod -p '${var_password}' ${var_username}"
do_log "info" "file_only" "4520() User: '${var_username}' password access: [true]"
;;
*)
do_log "fatal" "file_only" "4520() Not set: var_auth_pwd [${var_auth_pwd}]"
return "${ERR_ACCOUNT_CREATE}"
;;
esac
### 5) Update the 'user' SSH pubkey, if provided via 'preseed.yaml'.
if [[ -n "${var_sshpubkey:-}" ]]; then
printf "%s\n" "${var_sshpubkey}" >| "${TARGET}/home/${var_username}/.ssh/authorized_keys"
do_log "info" "file_only" "4520() User: '${var_username}' SSH public key: inserted."
fi
### 6) Update the 'root' 'totp'-policy and write the '.google_authenticator'-file.
if [[ "${var_2fa_ssh}" == "true" || "${var_2fa_tty}" == "true" ]]; then
write_google_authenticator_file "${var_username}" "${var_uid}" "${var_gid}"
fi
if [[ "${var_2fa_ssh}" == "true" ]]; then
pam_access_totp_enable "${var_username}" "sshd"
var_ssh_totp_update="true"
cat << EOF >> "${TARGET}/etc/ssh/sshd_config"
@@ -453,13 +508,17 @@ EOF
done
if [[ "${var_ssh_totp_update}" == "true" ]]; then
sed -i -E "s|^[[:space:]]*KbdInteractiveAuthentication[[:space:]]+.*$|$(printf '%-29s%s' 'KbdInteractiveAuthentication' 'yes')|" "${TARGET}/etc/ssh/sshd_config"
fi
unset VAR_TEMP_PLAIN_MFA_SEED
if ! grep -Fqx -- '-: ALL:ALL' "${TARGET}/etc/security/access.conf"; then
printf '%s\n' '-: ALL:ALL' >> "${TARGET}/etc/security/access.conf"
fi
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${TARGET}/etc/security/access.conf"

73
func/cdi_5000_recovery/5000_debootstrap.sh
View File

@@ -1,73 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Install a minimal Debian environment using the 'debootstrap' command.
# Globals:
# LOG_REC
# RECOVERY
# VAR_ARCHITECTURE
# VAR_CODENAME
# debootstrap_includes
# debootstrap_mirror
# Arguments:
# None
# Returns:
# 0: on success
# ERR_DEBOOTSTRAP
#######################################
func_debootstrap_reco() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_arch="${VAR_ARCHITECTURE}"
declare -r var_dist="${VAR_CODENAME}"
declare -r var_target="${RECOVERY}"
declare -r var_mirror="${debootstrap_mirror}"
declare -r var_includes="${debootstrap_includes}"
declare -a ary_cmd=()
ary_cmd+=( "debootstrap" "--arch=${var_arch}" "--keep-debootstrap-dir" "--log-extra-deps" "--merged-usr" )
if [[ -n "${var_includes}" ]]; then ary_cmd+=( "--include=${var_includes}" ); fi
ary_cmd+=( "${var_dist}" "${var_target}" "${var_mirror}" )
do_log "debug" "file_only" "5000() Executing: [${ary_cmd[*]}]"
# shellcheck disable=SC2312
if "${ary_cmd[@]}" | tee "${LOG_REC}"; then
do_log "info" "file_only" "5000() [${ary_cmd[*]}] successful."
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/backup"
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/debootstrap"
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/hooks"
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/keys"
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/log"
mv -T "${var_target}/debootstrap" "${var_target}/root/.ciss/cdi/debootstrap"
chmod 0700 "${var_target}/root/.ciss"
chmod 0700 "${var_target}/root/.ciss/cdi"
chmod 0700 "${var_target}/root/.ciss/cdi/debootstrap"
guard_dir && return 0
else
do_log "emergency" "file_only" "5000() [${ary_cmd[*]}] failed."
return "${ERR_DEBOOTSTRAP}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

83
func/cdi_5000_recovery/5005_debootstrap_checks.sh
View File

@@ -1,83 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Preliminary post debootstrap checks.
# Globals:
# RECOVERY
# Arguments:
# None
# Returns:
# 0: on success
#######################################
check_debootstrap_reco() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/5005_debootstrap_checks.log"
chroot_logger "${RECOVERY}${var_logfile}"
chroot_script "${RECOVERY}" "
{
### Header
echo '==[debootstrap checks]=='
date -Is 2>/dev/null || true
### dpkg audit (non-fatal)
echo '### dpkg --audit'
dpkg --audit || true
### essential subset (status & version)
echo '### dpkg-query essential subset'
dpkg-query -W -f='\${db:Status-Abbrev} \${binary:Package} \${Version}\n' dpkg libc6 coreutils bash apt systemd 2>/dev/null || true
### init presence (log explicit)
echo '### init presence'
if [[ -x /sbin/init ]] || [[ -x /lib/systemd/systemd ]]; then
echo 'init_present=yes'
else
echo 'init_present=no'
fi
### awk path and alternative link (if any)
echo '### awk'
awk_path=\$(command -v awk || true)
printf 'awk_path=%s\n' \"\$awk_path\"
if [[ -L /usr/bin/awk ]]; then
printf 'awk_link=/usr/bin/awk -> %s\n' \"\$(readlink -f /usr/bin/awk 2>/dev/null || true)\"
fi
### usr-merge / tainted check
echo '### usr-merge / taint'
usr_merge_ok=yes
for p in /bin /sbin /lib /lib64; do
[[ -e \"\$p\" ]] || continue
if [[ -L \"\$p\" ]]; then
tgt=\$(readlink -f \"\$p\" 2>/dev/null || true)
printf '%s -> %s\n' \"\$p\" \"\$tgt\"
else
usr_merge_ok=no
printf '%s is not a symlink (tainted: unmerged-bin)\n' \"\$p\"
fi
done
printf 'usr_merge_ok=%s\n' \"\$usr_merge_ok\"
### architecture
echo '### architecture'
dpkg --print-architecture 2>/dev/null || true
} >> ${var_logfile}
"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

119
func/cdi_5000_recovery/5010_prepare_mounts.sh
View File

@@ -1,119 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Configure the recovery system for chroot.
# Globals:
# ERR_CHRT_MOUNTS
# RECOVERY
# VAR_CHROOT_ACTIVATED
# VAR_NEED_RUN_IN_TARGET
# Arguments:
# None
# Returns:
# ERR_CHRT_MOUNTS
# 0: on success
#######################################
prepare_mounts_reco() {
### Notes
# This file mounts all necessary pseudo filesystems into the target root environment to enable chroot operations.
# --rbind: recursive binding.
# --make-rslave: In this case, the mount point is marked as 'slave'.
# This means changes to the source mount (e.g., /proc) are propagated to the target mount (e.g., "${RECOVERY}/proc").
# Conversely, changes to the target mount are not propagated back to the source mount.
# This mode is necessary to avoid problems with double or erroneous propagation effects in chroot or container environments.
#
# Some subdirectories (such as /dev/pts, /dev/shm, /sys/fs/cgroup) are remounted with more restrictive options
# like 'noexec', 'nosuid', and 'nodev' to enhance security. This ensures they override the inherited bind-mounts and
# enforce proper runtime behavior in the chroot.
### Declare Arrays, HashMaps, and Variables.
declare -A HMP_SPECIAL_MOUNTS=(
["/dev"]="devtmpfs devtmpfs mode=0755,nosuid" # Base device node FS
["/dev/pts"]="devpts devpts noexec,nosuid" # Pseudoterminals
["/dev/shm"]="tmpfs tmpfs rw,nosuid,nodev" # Shared memory
["/dev/mqueue"]="mqueue mqueue rw,nosuid,nodev,noexec" # POSIX message queues
["/dev/hugepages"]="hugetlbfs hugetlbfs rw,nosuid,nodev" # Huge pages
["/proc"]="proc proc nosuid,noexec,nodev" # procfs
["/sys"]="sysfs sysfs nosuid,noexec,nodev" # sysfs
["/sys/fs/cgroup"]="cgroup2 cgroup2 rw,nosuid,nodev,noexec,relatime" # Unified cgroup2
)
declare var_path="" var_fs="" var_src="" var_opts=""
for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
mkdir -p "${RECOVERY}${var_path}"
done
for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
IFS=" " read -r var_fs var_src var_opts <<< "${HMP_SPECIAL_MOUNTS[${var_path}]}"
if mountpoint -q "${RECOVERY}${var_path}"; then
do_log "info" "file_only" "5010() Skipped: '${RECOVERY}${var_path}' is already a mountpoint."
continue
fi
if ! mount -t "${var_fs}" "${var_src}" "${RECOVERY}${var_path}" -o "${var_opts}"; then
do_log "emergency" "file_only" "5010() Command: [mount -t ${var_fs} ${var_src} ${RECOVERY}${var_path} -o ${var_opts}] failed."
return "${ERR_CHRT_MOUNTS}"
fi
do_log "info" "file_only" "5010() Command: [mount -t ${var_fs} ${var_src} ${RECOVERY}${var_path} -o ${var_opts}] successful."
done
if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
mkdir -p "${RECOVERY}/run"
if ! mount --make-rslave --rbind /run "${RECOVERY}/run"; then
do_log "emergency" "file_only" "5010() Command: [mount --make-rslave --rbind /run ${RECOVERY}/run] failed."
return "${ERR_CHRT_MOUNTS}"
fi
do_log "info" "file_only" "5010() Command: [mount --make-rslave --rbind /run ${RECOVERY}/run] successful."
fi
if ! chroot_exec "${RECOVERY}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
do_log "emergency" "file_only" "5010() Command: [chroot_exec ${RECOVERY} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
return "${ERR_CHRT_MOUNTS}"
fi
do_log "info" "file_only" "5010() Command: [chroot_exec ${RECOVERY} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
mkdir -p "${RECOVERY}/media/cdrom0"
# shellcheck disable=SC2034
declare -gx VAR_CHROOT_ACTIVATED="recovery"
do_log "info" "file_only" "5010() Command: [declare -gx VAR_CHROOT_ACTIVATED=recovery]"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

49
func/cdi_5000_recovery/5015_check_usr_merge.sh
View File

@@ -1,49 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Check if the recovery system is not 'tainted: unmerged-usr'.
# Globals:
# RECOVERY
# architecture
# Arguments:
# None
# Returns:
# 0: on success
#######################################
check_usr_merge_reco() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/5015_check_usr_merge.log"
chroot_logger "${RECOVERY}${var_logfile}"
# shellcheck disable=SC2312
chroot_script "${RECOVERY}" "
test -L /bin && test $(readlink -f /bin) = '/usr/bin' && echo 'MERGED:/bin' >> ${var_logfile} || echo 'UNMERGED:/bin' >> ${var_logfile}
test -L /sbin && test $(readlink -f /sbin) = '/usr/sbin' && echo 'MERGED:/sbin' >> ${var_logfile} || echo 'UNMERGED:/sbin' >> ${var_logfile}
test -L /lib && test $(readlink -f /lib) = '/usr/lib' && echo 'MERGED:/lib' >> ${var_logfile} || echo 'UNMERGED:/lib' >> ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
if [[ "${architecture}" == "amd64" ]]; then
# shellcheck disable=SC2312
chroot_script "${RECOVERY}" "
test -L /lib64 && test $(readlink -f /lib64) = '/usr/lib64' && echo 'MERGED:/lib64' >> ${var_logfile} || echo 'UNMERGED:/lib64' >> ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
fi
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

42
func/cdi_5000_recovery/5020_remove_x509.sh
View File

@@ -1,42 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Chroot hook for deleting all expired X.509 certificates in the recovery system.
# Globals:
# RECOVERY
# VAR_SETUP_PATH
# Arguments:
# None
# Returns:
# 0: on success
#######################################
remove_x509_reco() {
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/4020_remove_x509.hooks.sh" \
"${RECOVERY}/root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh"
if ! chroot_script "${RECOVERY}" "/root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh" "emergency"; then
do_log "warn" "file_only" "5020() Command: [chroot_script ${RECOVERY} /root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh emergency] failed."
else
do_log "debug" "file_only" "5020() Command: [chroot_script ${RECOVERY} /root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh emergency] successful."
fi
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

32
func/cdi_5000_recovery/5030_setup_hostname.sh
View File

@@ -1,32 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Configure the '/etc/hostname' | '/etc/hosts' | '/etc/mailname' files.
# Globals:
# RECOVERY
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_hostname_reco() {
cp -a "${TARGET}/etc/hosts" "${RECOVERY}/etc/hosts"
cp -a "${TARGET}/etc/hostname" "${RECOVERY}/etc/hostname"
cp -a "${TARGET}/etc/mailname" "${RECOVERY}/etc/mailname"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

36
func/cdi_5000_recovery/5035_setup_resolv.sh
View File

@@ -1,36 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Configure the '/etc/resolv.conf' file.
# Globals:
# RECOVERY
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_resolv_reco() {
if [[ -f "${RECOVERY}/etc/resolv.conf" ]]; then
mkdir -p "${RECOVERY}/root/.ciss/cdi/backup/etc"
mv "${RECOVERY}/etc/resolv.conf" "${RECOVERY}/root/.ciss/cdi/backup/etc/resolv.conf.bak"
do_log "info" "file_only" "5035() Existing '${RECOVERY}/etc/resolv.conf' moved."
fi
cp -a "${TARGET}/etc/resolv.conf" "${RECOVERY}/etc/resolv.conf"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

39
func/cdi_5000_recovery/5040_setup_timezone.sh
View File

@@ -1,39 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Configure the '/etc/timezone' | '/etc/localtime' files.
# Globals:
# RECOVERY
# ntp_timezone
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_timezone_reco() {
### Create '${RECOVERY}/etc/timezone' file.
cat << EOF >| "${RECOVERY}/etc/timezone"
${ntp_timezone:-UTC}
EOF
chmod 0644 "${RECOVERY}/etc/timezone"
do_log "info" "file_only" "5040() File generated: '${RECOVERY}/etc/timezone' | timezone '${ntp_timezone:-UTC}'."
chroot_exec "${RECOVERY}" ln -sf "/usr/share/zoneinfo/${ntp_timezone}" /etc/localtime
chroot_exec "${RECOVERY}" dpkg-reconfigure -f noninteractive tzdata
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

138
func/cdi_5000_recovery/5050_setup_locales.sh
View File

@@ -1,138 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Set locale, locale overrides and configure keyboard layout.
# Globals:
# ARY_LOCALE
# RECOVERY
# VAR_ARCHITECTURE
# VAR_CODENAME
# VAR_VERSION
# locale_country
# locale_keyboard_xkb_keymap
# locale_language
# locale_override_address
# locale_override_collate
# locale_override_ctype
# locale_override_measurement
# locale_override_messages
# locale_override_monetary
# locale_override_name
# locale_override_numeric
# locale_override_paper
# locale_override_telephone
# locale_override_time
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_locales_reco() {
### Declare Arrays, HashMaps, and Variables.
declare var_locale_hook="/root/.ciss/cdi/hooks/4050_setup_locales.hooks.sh"
### Give priority to '${locale_locale}' over separately configured variables '${locale_country}' and '${locale_language}'.
### If 'locale_locale' is not set, build it from 'locale_language' and 'locale_country'.
if [[ -n "${locale_language:-}" && -n "${locale_country:-}" && -z "${ARY_LOCALE[0]:-}" ]]; then
ARY_LOCALE+="${locale_language}_${locale_country}.UTF-8"
fi
### Creat Hook in target.
cat << EOF >| "${RECOVERY}${var_locale_hook}"
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
declare -a ary_locale=()
declare -r locale_0=${ARY_LOCALE[0]:-en_US.UTF-8}
declare -r locale_1=${ARY_LOCALE[1]:-}
declare loc=""
EOF
cat << 'EOF' >> "${RECOVERY}${var_locale_hook}"
ary_locale+=( "${locale_0}" )
[[ -n "${locale_1}" ]] && ary_locale+=( "${locale_1}" )
for loc in "${ary_locale[@]}"; do
if ! grep -qx "${loc} UTF-8" /etc/locale.gen; then
sed -i "s/^# ${loc} UTF-8/${loc} UTF-8/" /etc/locale.gen || echo "${loc} UTF-8" >> /etc/locale.gen
fi
done
locale-gen --purge "${ary_locale[@]}"
for loc in "${ary_locale[@]}"; do
locale_check=$(echo "${loc}" | sed 's/UTF-8/utf8/')
if ! locale -a | grep -qx "${locale_check}"; then
echo "Locale '${loc}' has not been generated successfully." >&2
exit 1
fi
done
EOF
cat << EOF >> "${RECOVERY}${var_locale_hook}"
update-locale \
LANG=${ARY_LOCALE[0]} \
LC_ADDRESS=${locale_override_address:-${ARY_LOCALE[0]}} \
LC_COLLATE=${locale_override_collate:-${ARY_LOCALE[0]}} \
LC_CTYPE=${locale_override_ctype:-${ARY_LOCALE[0]}} \
LC_MEASUREMENT=${locale_override_measurement:-${ARY_LOCALE[0]}} \
LC_MESSAGES=${locale_override_messages:-${ARY_LOCALE[0]}} \
LC_MONETARY=${locale_override_monetary:-${ARY_LOCALE[0]}} \
LC_NAME=${locale_override_name:-${ARY_LOCALE[0]}} \
LC_NUMERIC=${locale_override_numeric:-${ARY_LOCALE[0]}} \
LC_PAPER=${locale_override_paper:-${ARY_LOCALE[0]}} \
LC_TELEPHONE=${locale_override_telephone:-${ARY_LOCALE[0]}} \
LC_TIME=${locale_override_time:-${ARY_LOCALE[0]}} \
LC_IDENTIFICATION=${ARY_LOCALE[0]}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0700 "${RECOVERY}${var_locale_hook}"
chroot_script "${RECOVERY}" "${var_locale_hook}"
### Set the keyboard layout for the system (for consoles).
insert_header "${RECOVERY}/etc/default/keyboard"
insert_comments "${RECOVERY}/etc/default/keyboard"
cat << EOF >> "${RECOVERY}/etc/default/keyboard"
# KEYBOARD CONFIGURATION FILE
# Consult the keyboard(5) manual page.
XKBMODEL="pc105"
XKBLAYOUT="${locale_keyboard_xkb_keymap}"
XKBVARIANT=""
XKBOPTIONS=""
BACKSPACE="guess"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
chmod 0644 "${RECOVERY}/etc/default/keyboard"
do_log "info" "file_only" "4050() Keyboard layout updated: 'XKBLAYOUT=${locale_keyboard_xkb_keymap}' -> '${RECOVERY}/etc/default/keyboard'."
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

185
func/cdi_5000_recovery/5105_generate_sources_822.sh
View File

@@ -1,185 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Generate target '/etc/apt/sources.list.d/' deb.822 entries.
# Globals:
# RECOVERY
# apt_contrib
# apt_deb_sources
# apt_mirror_directory
# apt_mirror_hostname
# apt_mirror_protocol
# apt_non_free
# apt_non_free_firmware
# apt_sec
# apt_updates_backports
# apt_updates_release
# apt_updates_security
# architecture
# distribution
# Arguments:
# None
# Returns:
# 0: on success
#######################################
generate_sources822_reco() {
### Declare Arrays, HashMaps, and Variables.
declare -a ary_components=() ary_types=()
declare var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
# shellcheck disable=SC2154 # "${architecture}"
var_arch="${architecture,,}"
# shellcheck disable=SC2154 # "${distribution}"
var_codename="${distribution,,}"
# shellcheck disable=SC2154 # "${apt_deb_sources}"
var_deb_src="${apt_deb_sources,,}"
# shellcheck disable=SC2154 # "${apt_mirror_directory}"
var_dir="${apt_mirror_directory,,}"
# shellcheck disable=SC2154 # "${apt_mirror_hostname}"
var_hostname="${apt_mirror_hostname,,}"
# shellcheck disable=SC2154 # "${apt_sec}"
var_hostsecure="${apt_sec,,}"
ary_components=( "main" )
[[ "${apt_contrib,,}" == "true" ]] && ary_components+=( "contrib" )
[[ "${apt_non_free,,}" == "true" ]] && ary_components+=( "non-free" )
[[ "${apt_non_free_firmware,,}" == "true" ]] && ary_components+=( "non-free-firmware" )
ary_types=( "deb" )
[[ "${apt_deb_sources,,}" == "true" ]] && ary_types+=( "deb-src" )
if [[ "${apt_mirror_protocol,,}" == "https" ]]; then
var_url="https://${var_hostname}${var_dir}"
var_surl="https://${var_hostsecure}/debian-security"
elif [[ "${apt_mirror_protocol,,}" == "http" ]]; then
var_url="http://${var_hostname}${var_dir}"
var_surl="http://${var_hostsecure}/debian-security"
else
var_url="https://${var_hostname}${var_dir}"
var_surl="https://${var_hostsecure}/debian-security"
fi
### Main Repository
insert_header "${RECOVERY}/etc/apt/sources.list.d/trixie.sources"
insert_comments "${RECOVERY}/etc/apt/sources.list.d/trixie.sources"
cat << EOF >> "${RECOVERY}/etc/apt/sources.list.d/trixie.sources"
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
Types: ${ary_types[*]}
URIs: ${var_url}
Suites: ${var_codename}
Components: ${ary_components[*]}
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
### Security Repository
if [[ "${apt_updates_security,,}" == "true" ]]; then
insert_header "${RECOVERY}/etc/apt/sources.list.d/trixie-security.sources"
insert_comments "${RECOVERY}/etc/apt/sources.list.d/trixie-security.sources"
cat << EOF >> "${RECOVERY}/etc/apt/sources.list.d/trixie-security.sources"
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
Types: ${ary_types[*]}
URIs: ${var_surl}
Suites: ${var_codename}-security
Components: ${ary_components[*]}
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
fi
### Updates Repository
if [[ "${apt_updates_release,,}" == "true" ]]; then
insert_header "${RECOVERY}/etc/apt/sources.list.d/trixie-updates.sources"
insert_comments "${RECOVERY}/etc/apt/sources.list.d/trixie-updates.sources"
cat << EOF >> "${RECOVERY}/etc/apt/sources.list.d/trixie-updates.sources"
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
Types: ${ary_types[*]}
URIs: ${var_url}
Suites: ${var_codename}-updates
Components: ${ary_components[*]}
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
fi
### Backports Repository
if [[ "${apt_updates_backports,,}" == "true" ]]; then
insert_header "${RECOVERY}/etc/apt/sources.list.d/trixie-backports.sources"
insert_comments "${RECOVERY}/etc/apt/sources.list.d/trixie-backports.sources"
cat << EOF >> "${RECOVERY}/etc/apt/sources.list.d/trixie-backports.sources"
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
Types: ${ary_types[*]}
URIs: ${var_url}
Suites: ${var_codename}-backports
Components: ${ary_components[*]}
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
fi
if [[ -f "${RECOVERY}/etc/apt/sources.list" ]]; then
rm -f "${RECOVERY}/etc/apt/sources.list"
fi
insert_header "${RECOVERY}/etc/apt/apt.conf.d/90-no-pdiffs"
insert_comments "${RECOVERY}/etc/apt/apt.conf.d/90-no-pdiffs"
cat << 'EOF' >> "${RECOVERY}/etc/apt/apt.conf.d/90-no-pdiffs"
Acquire::PDiffs "false";
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
sed -i -E 's|^([[:space:]]*)#+|\1//|' "${RECOVERY}/etc/apt/apt.conf.d/90-no-pdiffs"
insert_header "${RECOVERY}/etc/apt/apt.conf.d/91-acquire"
insert_comments "${RECOVERY}/etc/apt/apt.conf.d/91-acquire"
cat << 'EOF' >> "${RECOVERY}/etc/apt/apt.conf.d/91-acquire"
Acquire::Retries "3";
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
sed -i -E 's|^([[:space:]]*)#+|\1//|' "${RECOVERY}/etc/apt/apt.conf.d/91-acquire"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

74
func/cdi_5000_recovery/5110_update_sources.sh
View File

@@ -1,74 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Update generated sources.
# Every 'apt-get install' command is invoked by adding 'export INITRD=No'
# to suppress the 'update-initramfs'-Kernel-Hooks, according to the initramfs-tools manpage:
# https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
# Globals:
# RECOVERY
# apt_updates_policy
# Arguments:
# None
# Returns:
# 0: on success
#######################################
update_sources_reco() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/5110_update_sources.log"
chroot_logger "${RECOVERY}${var_logfile}"
### Update generated sources.
# shellcheck disable=SC2312
chroot_script "${RECOVERY}" "apt-get update 2>&1 | tee -a ${var_logfile}; echo ExitCode: \$? >> ${var_logfile}"
do_log "info" "file_only" "5110() Sources lists: updated successfully."
### Update unattended, security, or no unattended updates at all.
if [[ "${apt_updates_policy,,}" == "unattended" ]]; then
chroot_script "${RECOVERY}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
do_log "info" "file_only" "5110() The update policy was set at installation time to: '${apt_updates_policy}'."
elif [[ "${apt_updates_policy,,}" == "security" ]]; then
chroot_script "${RECOVERY}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
# shellcheck disable=SC2016
sed -i 's/^[[:space:]]*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${RECOVERY}/etc/apt/apt.conf.d/50unattended-upgrades"
do_log "info" "file_only" "5110() The update policy was set at installation time to: '${apt_updates_policy}'."
elif [[ "${apt_updates_policy,,}" == "none" ]]; then
do_log "info" "file_only" "5110() The update policy was set at installation time to: '${apt_updates_policy}'."
else
do_log "warning" "file_only" "5110() Update policy '${apt_updates_policy}': is not supported. Using 'none' as default."
fi
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh