msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m54s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-11 22:14:22 +01:00
parent be0a6c7c6a
commit 353568eb69
60 changed files with 2267 additions and 1163 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
func/cdi_5000_recovery/5000_debootstrap.sh
View File

@@ -1,73 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Install a minimal Debian environment using the 'debootstrap' command.
# Globals:
# LOG_REC
# RECOVERY
# VAR_ARCHITECTURE
# VAR_CODENAME
# debootstrap_includes
# debootstrap_mirror
# Arguments:
# None
# Returns:
# 0: on success
# ERR_DEBOOTSTRAP
#######################################
func_debootstrap_reco() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_arch="${VAR_ARCHITECTURE}"
declare -r var_dist="${VAR_CODENAME}"
declare -r var_target="${RECOVERY}"
declare -r var_mirror="${debootstrap_mirror}"
declare -r var_includes="${debootstrap_includes}"
declare -a ary_cmd=()
ary_cmd+=( "debootstrap" "--arch=${var_arch}" "--keep-debootstrap-dir" "--log-extra-deps" "--merged-usr" )
if [[ -n "${var_includes}" ]]; then ary_cmd+=( "--include=${var_includes}" ); fi
ary_cmd+=( "${var_dist}" "${var_target}" "${var_mirror}" )
do_log "debug" "file_only" "5000() Executing: [${ary_cmd[*]}]"
# shellcheck disable=SC2312
if "${ary_cmd[@]}" | tee "${LOG_REC}"; then
do_log "info" "file_only" "5000() [${ary_cmd[*]}] successful."
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/backup"
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/debootstrap"
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/hooks"
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/keys"
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/log"
mv -T "${var_target}/debootstrap" "${var_target}/root/.ciss/cdi/debootstrap"
chmod 0700 "${var_target}/root/.ciss"
chmod 0700 "${var_target}/root/.ciss/cdi"
chmod 0700 "${var_target}/root/.ciss/cdi/debootstrap"
guard_dir && return 0
else
do_log "emergency" "file_only" "5000() [${ary_cmd[*]}] failed."
return "${ERR_DEBOOTSTRAP}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

83
func/cdi_5000_recovery/5005_debootstrap_checks.sh
View File

@@ -1,83 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Preliminary post debootstrap checks.
# Globals:
# RECOVERY
# Arguments:
# None
# Returns:
# 0: on success
#######################################
check_debootstrap_reco() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/5005_debootstrap_checks.log"
chroot_logger "${RECOVERY}${var_logfile}"
chroot_script "${RECOVERY}" "
{
### Header
echo '==[debootstrap checks]=='
date -Is 2>/dev/null || true
### dpkg audit (non-fatal)
echo '### dpkg --audit'
dpkg --audit || true
### essential subset (status & version)
echo '### dpkg-query essential subset'
dpkg-query -W -f='\${db:Status-Abbrev} \${binary:Package} \${Version}\n' dpkg libc6 coreutils bash apt systemd 2>/dev/null || true
### init presence (log explicit)
echo '### init presence'
if [[ -x /sbin/init ]] || [[ -x /lib/systemd/systemd ]]; then
echo 'init_present=yes'
else
echo 'init_present=no'
fi
### awk path and alternative link (if any)
echo '### awk'
awk_path=\$(command -v awk || true)
printf 'awk_path=%s\n' \"\$awk_path\"
if [[ -L /usr/bin/awk ]]; then
printf 'awk_link=/usr/bin/awk -> %s\n' \"\$(readlink -f /usr/bin/awk 2>/dev/null || true)\"
fi
### usr-merge / tainted check
echo '### usr-merge / taint'
usr_merge_ok=yes
for p in /bin /sbin /lib /lib64; do
[[ -e \"\$p\" ]] || continue
if [[ -L \"\$p\" ]]; then
tgt=\$(readlink -f \"\$p\" 2>/dev/null || true)
printf '%s -> %s\n' \"\$p\" \"\$tgt\"
else
usr_merge_ok=no
printf '%s is not a symlink (tainted: unmerged-bin)\n' \"\$p\"
fi
done
printf 'usr_merge_ok=%s\n' \"\$usr_merge_ok\"
### architecture
echo '### architecture'
dpkg --print-architecture 2>/dev/null || true
} >> ${var_logfile}
"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

119
func/cdi_5000_recovery/5010_prepare_mounts.sh
View File

@@ -1,119 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Configure the recovery system for chroot.
# Globals:
# ERR_CHRT_MOUNTS
# RECOVERY
# VAR_CHROOT_ACTIVATED
# VAR_NEED_RUN_IN_TARGET
# Arguments:
# None
# Returns:
# ERR_CHRT_MOUNTS
# 0: on success
#######################################
prepare_mounts_reco() {
### Notes
# This file mounts all necessary pseudo filesystems into the target root environment to enable chroot operations.
# --rbind: recursive binding.
# --make-rslave: In this case, the mount point is marked as 'slave'.
# This means changes to the source mount (e.g., /proc) are propagated to the target mount (e.g., "${RECOVERY}/proc").
# Conversely, changes to the target mount are not propagated back to the source mount.
# This mode is necessary to avoid problems with double or erroneous propagation effects in chroot or container environments.
#
# Some subdirectories (such as /dev/pts, /dev/shm, /sys/fs/cgroup) are remounted with more restrictive options
# like 'noexec', 'nosuid', and 'nodev' to enhance security. This ensures they override the inherited bind-mounts and
# enforce proper runtime behavior in the chroot.
### Declare Arrays, HashMaps, and Variables.
declare -A HMP_SPECIAL_MOUNTS=(
["/dev"]="devtmpfs devtmpfs mode=0755,nosuid" # Base device node FS
["/dev/pts"]="devpts devpts noexec,nosuid" # Pseudoterminals
["/dev/shm"]="tmpfs tmpfs rw,nosuid,nodev" # Shared memory
["/dev/mqueue"]="mqueue mqueue rw,nosuid,nodev,noexec" # POSIX message queues
["/dev/hugepages"]="hugetlbfs hugetlbfs rw,nosuid,nodev" # Huge pages
["/proc"]="proc proc nosuid,noexec,nodev" # procfs
["/sys"]="sysfs sysfs nosuid,noexec,nodev" # sysfs
["/sys/fs/cgroup"]="cgroup2 cgroup2 rw,nosuid,nodev,noexec,relatime" # Unified cgroup2
)
declare var_path="" var_fs="" var_src="" var_opts=""
for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
mkdir -p "${RECOVERY}${var_path}"
done
for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
IFS=" " read -r var_fs var_src var_opts <<< "${HMP_SPECIAL_MOUNTS[${var_path}]}"
if mountpoint -q "${RECOVERY}${var_path}"; then
do_log "info" "file_only" "5010() Skipped: '${RECOVERY}${var_path}' is already a mountpoint."
continue
fi
if ! mount -t "${var_fs}" "${var_src}" "${RECOVERY}${var_path}" -o "${var_opts}"; then
do_log "emergency" "file_only" "5010() Command: [mount -t ${var_fs} ${var_src} ${RECOVERY}${var_path} -o ${var_opts}] failed."
return "${ERR_CHRT_MOUNTS}"
fi
do_log "info" "file_only" "5010() Command: [mount -t ${var_fs} ${var_src} ${RECOVERY}${var_path} -o ${var_opts}] successful."
done
if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
mkdir -p "${RECOVERY}/run"
if ! mount --make-rslave --rbind /run "${RECOVERY}/run"; then
do_log "emergency" "file_only" "5010() Command: [mount --make-rslave --rbind /run ${RECOVERY}/run] failed."
return "${ERR_CHRT_MOUNTS}"
fi
do_log "info" "file_only" "5010() Command: [mount --make-rslave --rbind /run ${RECOVERY}/run] successful."
fi
if ! chroot_exec "${RECOVERY}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
do_log "emergency" "file_only" "5010() Command: [chroot_exec ${RECOVERY} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
return "${ERR_CHRT_MOUNTS}"
fi
do_log "info" "file_only" "5010() Command: [chroot_exec ${RECOVERY} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
mkdir -p "${RECOVERY}/media/cdrom0"
# shellcheck disable=SC2034
declare -gx VAR_CHROOT_ACTIVATED="recovery"
do_log "info" "file_only" "5010() Command: [declare -gx VAR_CHROOT_ACTIVATED=recovery]"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

49
func/cdi_5000_recovery/5015_check_usr_merge.sh
View File

@@ -1,49 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Check if the recovery system is not 'tainted: unmerged-usr'.
# Globals:
# RECOVERY
# architecture
# Arguments:
# None
# Returns:
# 0: on success
#######################################
check_usr_merge_reco() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/5015_check_usr_merge.log"
chroot_logger "${RECOVERY}${var_logfile}"
# shellcheck disable=SC2312
chroot_script "${RECOVERY}" "
test -L /bin && test $(readlink -f /bin) = '/usr/bin' && echo 'MERGED:/bin' >> ${var_logfile} || echo 'UNMERGED:/bin' >> ${var_logfile}
test -L /sbin && test $(readlink -f /sbin) = '/usr/sbin' && echo 'MERGED:/sbin' >> ${var_logfile} || echo 'UNMERGED:/sbin' >> ${var_logfile}
test -L /lib && test $(readlink -f /lib) = '/usr/lib' && echo 'MERGED:/lib' >> ${var_logfile} || echo 'UNMERGED:/lib' >> ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
if [[ "${architecture}" == "amd64" ]]; then
# shellcheck disable=SC2312
chroot_script "${RECOVERY}" "
test -L /lib64 && test $(readlink -f /lib64) = '/usr/lib64' && echo 'MERGED:/lib64' >> ${var_logfile} || echo 'UNMERGED:/lib64' >> ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
fi
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

42
func/cdi_5000_recovery/5020_remove_x509.sh
View File

@@ -1,42 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Chroot hook for deleting all expired X.509 certificates in the recovery system.
# Globals:
# RECOVERY
# VAR_SETUP_PATH
# Arguments:
# None
# Returns:
# 0: on success
#######################################
remove_x509_reco() {
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/4020_remove_x509.hooks.sh" \
"${RECOVERY}/root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh"
if ! chroot_script "${RECOVERY}" "/root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh" "emergency"; then
do_log "warn" "file_only" "5020() Command: [chroot_script ${RECOVERY} /root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh emergency] failed."
else
do_log "debug" "file_only" "5020() Command: [chroot_script ${RECOVERY} /root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh emergency] successful."
fi
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

32
func/cdi_5000_recovery/5030_setup_hostname.sh
View File

@@ -1,32 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Configure the '/etc/hostname' | '/etc/hosts' | '/etc/mailname' files.
# Globals:
# RECOVERY
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_hostname_reco() {
cp -a "${TARGET}/etc/hosts" "${RECOVERY}/etc/hosts"
cp -a "${TARGET}/etc/hostname" "${RECOVERY}/etc/hostname"
cp -a "${TARGET}/etc/mailname" "${RECOVERY}/etc/mailname"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

36
func/cdi_5000_recovery/5035_setup_resolv.sh
View File

@@ -1,36 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Configure the '/etc/resolv.conf' file.
# Globals:
# RECOVERY
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_resolv_reco() {
if [[ -f "${RECOVERY}/etc/resolv.conf" ]]; then
mkdir -p "${RECOVERY}/root/.ciss/cdi/backup/etc"
mv "${RECOVERY}/etc/resolv.conf" "${RECOVERY}/root/.ciss/cdi/backup/etc/resolv.conf.bak"
do_log "info" "file_only" "5035() Existing '${RECOVERY}/etc/resolv.conf' moved."
fi
cp -a "${TARGET}/etc/resolv.conf" "${RECOVERY}/etc/resolv.conf"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

39
func/cdi_5000_recovery/5040_setup_timezone.sh
View File

@@ -1,39 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Configure the '/etc/timezone' | '/etc/localtime' files.
# Globals:
# RECOVERY
# ntp_timezone
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_timezone_reco() {
### Create '${RECOVERY}/etc/timezone' file.
cat << EOF >| "${RECOVERY}/etc/timezone"
${ntp_timezone:-UTC}
EOF
chmod 0644 "${RECOVERY}/etc/timezone"
do_log "info" "file_only" "5040() File generated: '${RECOVERY}/etc/timezone' | timezone '${ntp_timezone:-UTC}'."
chroot_exec "${RECOVERY}" ln -sf "/usr/share/zoneinfo/${ntp_timezone}" /etc/localtime
chroot_exec "${RECOVERY}" dpkg-reconfigure -f noninteractive tzdata
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

138
func/cdi_5000_recovery/5050_setup_locales.sh
View File

@@ -1,138 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Set locale, locale overrides and configure keyboard layout.
# Globals:
# ARY_LOCALE
# RECOVERY
# VAR_ARCHITECTURE
# VAR_CODENAME
# VAR_VERSION
# locale_country
# locale_keyboard_xkb_keymap
# locale_language
# locale_override_address
# locale_override_collate
# locale_override_ctype
# locale_override_measurement
# locale_override_messages
# locale_override_monetary
# locale_override_name
# locale_override_numeric
# locale_override_paper
# locale_override_telephone
# locale_override_time
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_locales_reco() {
### Declare Arrays, HashMaps, and Variables.
declare var_locale_hook="/root/.ciss/cdi/hooks/4050_setup_locales.hooks.sh"
### Give priority to '${locale_locale}' over separately configured variables '${locale_country}' and '${locale_language}'.
### If 'locale_locale' is not set, build it from 'locale_language' and 'locale_country'.
if [[ -n "${locale_language:-}" && -n "${locale_country:-}" && -z "${ARY_LOCALE[0]:-}" ]]; then
ARY_LOCALE+="${locale_language}_${locale_country}.UTF-8"
fi
### Creat Hook in target.
cat << EOF >| "${RECOVERY}${var_locale_hook}"
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
declare -a ary_locale=()
declare -r locale_0=${ARY_LOCALE[0]:-en_US.UTF-8}
declare -r locale_1=${ARY_LOCALE[1]:-}
declare loc=""
EOF
cat << 'EOF' >> "${RECOVERY}${var_locale_hook}"
ary_locale+=( "${locale_0}" )
[[ -n "${locale_1}" ]] && ary_locale+=( "${locale_1}" )
for loc in "${ary_locale[@]}"; do
if ! grep -qx "${loc} UTF-8" /etc/locale.gen; then
sed -i "s/^# ${loc} UTF-8/${loc} UTF-8/" /etc/locale.gen || echo "${loc} UTF-8" >> /etc/locale.gen
fi
done
locale-gen --purge "${ary_locale[@]}"
for loc in "${ary_locale[@]}"; do
locale_check=$(echo "${loc}" | sed 's/UTF-8/utf8/')
if ! locale -a | grep -qx "${locale_check}"; then
echo "Locale '${loc}' has not been generated successfully." >&2
exit 1
fi
done
EOF
cat << EOF >> "${RECOVERY}${var_locale_hook}"
update-locale \
LANG=${ARY_LOCALE[0]} \
LC_ADDRESS=${locale_override_address:-${ARY_LOCALE[0]}} \
LC_COLLATE=${locale_override_collate:-${ARY_LOCALE[0]}} \
LC_CTYPE=${locale_override_ctype:-${ARY_LOCALE[0]}} \
LC_MEASUREMENT=${locale_override_measurement:-${ARY_LOCALE[0]}} \
LC_MESSAGES=${locale_override_messages:-${ARY_LOCALE[0]}} \
LC_MONETARY=${locale_override_monetary:-${ARY_LOCALE[0]}} \
LC_NAME=${locale_override_name:-${ARY_LOCALE[0]}} \
LC_NUMERIC=${locale_override_numeric:-${ARY_LOCALE[0]}} \
LC_PAPER=${locale_override_paper:-${ARY_LOCALE[0]}} \
LC_TELEPHONE=${locale_override_telephone:-${ARY_LOCALE[0]}} \
LC_TIME=${locale_override_time:-${ARY_LOCALE[0]}} \
LC_IDENTIFICATION=${ARY_LOCALE[0]}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0700 "${RECOVERY}${var_locale_hook}"
chroot_script "${RECOVERY}" "${var_locale_hook}"
### Set the keyboard layout for the system (for consoles).
insert_header "${RECOVERY}/etc/default/keyboard"
insert_comments "${RECOVERY}/etc/default/keyboard"
cat << EOF >> "${RECOVERY}/etc/default/keyboard"
# KEYBOARD CONFIGURATION FILE
# Consult the keyboard(5) manual page.
XKBMODEL="pc105"
XKBLAYOUT="${locale_keyboard_xkb_keymap}"
XKBVARIANT=""
XKBOPTIONS=""
BACKSPACE="guess"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
chmod 0644 "${RECOVERY}/etc/default/keyboard"
do_log "info" "file_only" "4050() Keyboard layout updated: 'XKBLAYOUT=${locale_keyboard_xkb_keymap}' -> '${RECOVERY}/etc/default/keyboard'."
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

185
func/cdi_5000_recovery/5105_generate_sources_822.sh
View File

@@ -1,185 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Generate target '/etc/apt/sources.list.d/' deb.822 entries.
# Globals:
# RECOVERY
# apt_contrib
# apt_deb_sources
# apt_mirror_directory
# apt_mirror_hostname
# apt_mirror_protocol
# apt_non_free
# apt_non_free_firmware
# apt_sec
# apt_updates_backports
# apt_updates_release
# apt_updates_security
# architecture
# distribution
# Arguments:
# None
# Returns:
# 0: on success
#######################################
generate_sources822_reco() {
### Declare Arrays, HashMaps, and Variables.
declare -a ary_components=() ary_types=()
declare var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
# shellcheck disable=SC2154 # "${architecture}"
var_arch="${architecture,,}"
# shellcheck disable=SC2154 # "${distribution}"
var_codename="${distribution,,}"
# shellcheck disable=SC2154 # "${apt_deb_sources}"
var_deb_src="${apt_deb_sources,,}"
# shellcheck disable=SC2154 # "${apt_mirror_directory}"
var_dir="${apt_mirror_directory,,}"
# shellcheck disable=SC2154 # "${apt_mirror_hostname}"
var_hostname="${apt_mirror_hostname,,}"
# shellcheck disable=SC2154 # "${apt_sec}"
var_hostsecure="${apt_sec,,}"
ary_components=( "main" )
[[ "${apt_contrib,,}" == "true" ]] && ary_components+=( "contrib" )
[[ "${apt_non_free,,}" == "true" ]] && ary_components+=( "non-free" )
[[ "${apt_non_free_firmware,,}" == "true" ]] && ary_components+=( "non-free-firmware" )
ary_types=( "deb" )
[[ "${apt_deb_sources,,}" == "true" ]] && ary_types+=( "deb-src" )
if [[ "${apt_mirror_protocol,,}" == "https" ]]; then
var_url="https://${var_hostname}${var_dir}"
var_surl="https://${var_hostsecure}/debian-security"
elif [[ "${apt_mirror_protocol,,}" == "http" ]]; then
var_url="http://${var_hostname}${var_dir}"
var_surl="http://${var_hostsecure}/debian-security"
else
var_url="https://${var_hostname}${var_dir}"
var_surl="https://${var_hostsecure}/debian-security"
fi
### Main Repository
insert_header "${RECOVERY}/etc/apt/sources.list.d/trixie.sources"
insert_comments "${RECOVERY}/etc/apt/sources.list.d/trixie.sources"
cat << EOF >> "${RECOVERY}/etc/apt/sources.list.d/trixie.sources"
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
Types: ${ary_types[*]}
URIs: ${var_url}
Suites: ${var_codename}
Components: ${ary_components[*]}
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
### Security Repository
if [[ "${apt_updates_security,,}" == "true" ]]; then
insert_header "${RECOVERY}/etc/apt/sources.list.d/trixie-security.sources"
insert_comments "${RECOVERY}/etc/apt/sources.list.d/trixie-security.sources"
cat << EOF >> "${RECOVERY}/etc/apt/sources.list.d/trixie-security.sources"
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
Types: ${ary_types[*]}
URIs: ${var_surl}
Suites: ${var_codename}-security
Components: ${ary_components[*]}
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
fi
### Updates Repository
if [[ "${apt_updates_release,,}" == "true" ]]; then
insert_header "${RECOVERY}/etc/apt/sources.list.d/trixie-updates.sources"
insert_comments "${RECOVERY}/etc/apt/sources.list.d/trixie-updates.sources"
cat << EOF >> "${RECOVERY}/etc/apt/sources.list.d/trixie-updates.sources"
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
Types: ${ary_types[*]}
URIs: ${var_url}
Suites: ${var_codename}-updates
Components: ${ary_components[*]}
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
fi
### Backports Repository
if [[ "${apt_updates_backports,,}" == "true" ]]; then
insert_header "${RECOVERY}/etc/apt/sources.list.d/trixie-backports.sources"
insert_comments "${RECOVERY}/etc/apt/sources.list.d/trixie-backports.sources"
cat << EOF >> "${RECOVERY}/etc/apt/sources.list.d/trixie-backports.sources"
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
Types: ${ary_types[*]}
URIs: ${var_url}
Suites: ${var_codename}-backports
Components: ${ary_components[*]}
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
fi
if [[ -f "${RECOVERY}/etc/apt/sources.list" ]]; then
rm -f "${RECOVERY}/etc/apt/sources.list"
fi
insert_header "${RECOVERY}/etc/apt/apt.conf.d/90-no-pdiffs"
insert_comments "${RECOVERY}/etc/apt/apt.conf.d/90-no-pdiffs"
cat << 'EOF' >> "${RECOVERY}/etc/apt/apt.conf.d/90-no-pdiffs"
Acquire::PDiffs "false";
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
sed -i -E 's|^([[:space:]]*)#+|\1//|' "${RECOVERY}/etc/apt/apt.conf.d/90-no-pdiffs"
insert_header "${RECOVERY}/etc/apt/apt.conf.d/91-acquire"
insert_comments "${RECOVERY}/etc/apt/apt.conf.d/91-acquire"
cat << 'EOF' >> "${RECOVERY}/etc/apt/apt.conf.d/91-acquire"
Acquire::Retries "3";
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
sed -i -E 's|^([[:space:]]*)#+|\1//|' "${RECOVERY}/etc/apt/apt.conf.d/91-acquire"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

74
func/cdi_5000_recovery/5110_update_sources.sh
View File

@@ -1,74 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Update generated sources.
# Every 'apt-get install' command is invoked by adding 'export INITRD=No'
# to suppress the 'update-initramfs'-Kernel-Hooks, according to the initramfs-tools manpage:
# https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
# Globals:
# RECOVERY
# apt_updates_policy
# Arguments:
# None
# Returns:
# 0: on success
#######################################
update_sources_reco() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/5110_update_sources.log"
chroot_logger "${RECOVERY}${var_logfile}"
### Update generated sources.
# shellcheck disable=SC2312
chroot_script "${RECOVERY}" "apt-get update 2>&1 | tee -a ${var_logfile}; echo ExitCode: \$? >> ${var_logfile}"
do_log "info" "file_only" "5110() Sources lists: updated successfully."
### Update unattended, security, or no unattended updates at all.
if [[ "${apt_updates_policy,,}" == "unattended" ]]; then
chroot_script "${RECOVERY}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
do_log "info" "file_only" "5110() The update policy was set at installation time to: '${apt_updates_policy}'."
elif [[ "${apt_updates_policy,,}" == "security" ]]; then
chroot_script "${RECOVERY}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
# shellcheck disable=SC2016
sed -i 's/^[[:space:]]*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${RECOVERY}/etc/apt/apt.conf.d/50unattended-upgrades"
do_log "info" "file_only" "5110() The update policy was set at installation time to: '${apt_updates_policy}'."
elif [[ "${apt_updates_policy,,}" == "none" ]]; then
do_log "info" "file_only" "5110() The update policy was set at installation time to: '${apt_updates_policy}'."
else
do_log "warning" "file_only" "5110() Update policy '${apt_updates_policy}': is not supported. Using 'none' as default."
fi
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh