msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m54s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-11 22:14:22 +01:00
parent be0a6c7c6a
commit 353568eb69
60 changed files with 2267 additions and 1163 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1222
.archive/4520_accounts_setup.sh Normal file
View File

File diff suppressed because it is too large Load Diff

11
.preseed/preseed.yaml
View File

@@ -359,17 +359,6 @@ grub_parameter:
##############################################################################################################################
- "randomize_kstack_offset=on"
##############################################################################################################################
# ASLR (Address Space Layout Randomization) causes central areas of memory to be assigned random addresses each time a program
# is started. These include: Stack, Heap, Shared libraries (e.g., libc), mmap regions, VDSO/VSyscall. The executable itself
# (only with PIE binaries). The aim is to make it more difficult for attackers to predict memory addresses, thereby preventing
# classic exploits that rely on known addresses from succeeding.
# 0: disabled Fixed memory addresses insecure, testable.
# 1: Partial ASLR Heap, mmap are randomized, stack only partially randomized.
# 2: Full ASLR (default) Stack, mmap, heap, VDSO, shared libraries all randomized.
##############################################################################################################################
- "randomize_va_space=2"
##############################################################################################################################
# Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with Return Instructions) vulnerability and disable
# SMT. If 'mitigations=auto,nosmt' is set, the kernel already activates all retbleed-relevant mitigations, provided the CPU

2
.pubkey/marc_s_weidner_msw+bot@coresecret.dev_AGE_pubkey Normal file
View File

@@ -0,0 +1,2 @@
# created: 2025-10-11T17:22:22Z
# public key: age1l3pm5sjg0lj5l5jlh2azllccmzflpend9hpgcg7zvsk2mr4hvpqscdwm8f

2
.pubkey/marc_s_weidner_msw@coresecret.dev_AGE_pubkey Normal file
View File

@@ -0,0 +1,2 @@
# created: 2025-10-11T17:20:35Z
# public key: age1chzjfu3f5nxnh5yz2l6n43l6gs07qyqcfzekdfhr5gezqvemcq7qjn23kv

165
ciss_debian_installer.sh
View File

@@ -104,8 +104,11 @@ declare -grx VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/opt
}
### CHECK FOR CONTACT, HELP, AND VERSION STRING.
# shellcheck disable=SC2249
for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./meta_loader_cuv.sh; contact; exit 0;; esac; done
# shellcheck disable=SC2249
for arg in "$@"; do case "${arg,,}" in -h|--help) . ./meta_loader_cuv.sh; usage ; exit 0;; esac; done
# shellcheck disable=SC2249
for arg in "$@"; do case "${arg,,}" in -v|--version) . ./meta_loader_cuv.sh; version; exit 0;; esac; done
### SOURCING MUST SET EARLY VARIABLES. SOURCING COLOR_ECHO(), GUARD_SOURCING(), AND SOURCE_GUARD().
@@ -163,6 +166,7 @@ pre_scan_debug "$@"
### CHECK FOR AUTO INSTALL MODE.
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECK FOR AUTO INSTALL MODE"
# shellcheck disable=SC2249
for arg in "$@"; do case "${arg,,}" in -a|--autoinstall) declare -gx VAR_AUTO_INSTALL="true";; esac; done; unset arg
### ACTIVATING TRAPS.
@@ -230,236 +234,238 @@ uuid_logger
### CDI_4000
info_echo "4000_debootstrap.sh"
info_echo "4000_debootstrap.sh [${TARGET}]"
func_debootstrap
info_echo "4005_debootstrap_checks.sh"
info_echo "4005_debootstrap_checks.sh [${TARGET}]"
check_debootstrap
info_echo "4010_prepare_mounts.sh"
info_echo "4010_prepare_mounts.sh [${TARGET}]"
prepare_mounts
info_echo "4015_check_usr_merge.sh"
info_echo "4015_check_usr_merge.sh [${TARGET}]"
check_usr_merge
info_echo "4020_remove_x509.sh"
info_echo "4020_remove_x509.sh [${TARGET}]"
remove_x509
info_echo "4030_setup_hostname.sh"
info_echo "4030_setup_hostname.sh [${TARGET}]"
setup_hostname
info_echo "4035_setup_resolv.sh"
info_echo "4035_setup_resolv.sh [${TARGET}]"
setup_resolv
info_echo "4040_setup_timezone.sh"
info_echo "4040_setup_timezone.sh [${TARGET}]"
setup_timezone
info_echo "4050_setup_locales.sh"
info_echo "4050_setup_locales.sh [${TARGET}]"
setup_locales
### CDI_4100
if [[ "${VAR_DEB822}" == "true" ]]; then
info_echo "4105_generate_sources822.sh"
info_echo "4105_generate_sources822.sh [${TARGET}]"
generate_sources822
else
info_echo "4100_generate_sources.sh"
info_echo "4100_generate_sources.sh [${TARGET}]"
generate_sources
fi
info_echo "4110_update_sources.sh"
info_echo "4110_update_sources.sh [${TARGET}]"
update_sources
info_echo "4120_installation_kernel.sh"
info_echo "4120_installation_kernel.sh [${TARGET}]"
installation_kernel
info_echo "4121_installation_initramfs.sh"
info_echo "4121_installation_initramfs.sh [${TARGET}]"
installation_initramfs
info_echo "4130_installation_toolset.sh"
info_echo "4130_installation_toolset.sh [${TARGET}]"
installation_toolset
info_echo "4131_installation_systemd.sh"
info_echo "4131_installation_systemd.sh [${TARGET}]"
installation_systemd
info_echo "4132_installation_machineid.sh"
info_echo "4132_installation_machineid.sh [${TARGET}]"
installation_machineid
info_echo "4133_installation_masking.sh"
info_echo "4133_installation_masking.sh [${TARGET}]"
installation_masking
info_echo "4140_installation_microcode.sh"
info_echo "4140_installation_microcode.sh [${TARGET}]"
installation_microcode
info_echo "4145_installation_firmware.sh"
info_echo "4145_installation_firmware.sh [${TARGET}]"
installation_firmware
info_echo "4150_installation_chrony.sh"
info_echo "4150_installation_chrony.sh [${TARGET}]"
installation_chrony
info_echo "4160_installation_eza.sh"
info_echo "4160_installation_eza.sh [${TARGET}]"
installation_eza
info_echo "4170_installation_lynis.sh"
info_echo "4170_installation_lynis.sh [${TARGET}]"
installation_lynis
### CDI_4200
info_echo "4200_generate_fstab.sh"
info_echo "4200_generate_fstab.sh [${TARGET}]"
generate_fstab
info_echo "4205_check_fstab.sh"
info_echo "4205_check_fstab.sh [${TARGET}]"
check_fstab
info_echo "4210_generate_crypttab.sh"
info_echo "4210_generate_crypttab.sh [${TARGET}]"
generate_crypttab
info_echo "4220_installation_cryptsetup.sh"
info_echo "4220_installation_cryptsetup.sh [${TARGET}]"
installation_cryptsetup
info_echo "4230_installation_grub.sh"
info_echo "4230_installation_grub.sh [${TARGET}]"
installation_grub
if [[ "${VAR_GRUB_PASSWORD}" == "true" ]]; then
info_echo "4240_update_grub_password.sh"
info_echo "4240_update_grub_password.sh [${TARGET}]"
update_grub_password
fi
info_echo "4250_update_grub_bootparameter.sh"
info_echo "4250_update_grub_bootparameter.sh [${TARGET}]"
update_grub_bootparameter
### CDI_4300
info_echo "4300_installation_network.sh"
info_echo "4300_installation_network.sh [${TARGET}]"
installation_network
info_echo "4305_installation_netsec.sh"
info_echo "4305_installation_netsec.sh [${TARGET}]"
installation_netsec
if [[ "${VAR_DROPBEAR}" == "true" ]]; then
info_echo "4310_dropbear_build.sh"
info_echo "4310_dropbear_build.sh [${TARGET}]"
dropbear_build
info_echo "4311_dropbear_initramfs.sh"
info_echo "4311_dropbear_initramfs.sh [${TARGET}]"
dropbear_initramfs
info_echo "4312_dropbear_setup.sh"
info_echo "4312_dropbear_setup.sh [${TARGET}]"
dropbear_setup
fi
info_echo "4320_update_initramfs.sh"
info_echo "4320_update_initramfs.sh [${TARGET}]"
update_initramfs
info_echo "4330_installation_ssh.sh"
info_echo "4330_installation_ssh.sh [${TARGET}]"
installation_ssh
### CDI_4400
info_echo "4400_kernel_modules.sh"
info_echo "4400_kernel_modules.sh [${TARGET}]"
kernel_modules && kernel_modprobe
info_echo "4410_kernel_sysctl.sh"
info_echo "4410_kernel_sysctl.sh [${TARGET}]"
kernel_sysctl
info_echo "4420_hardening_fail2ban.sh"
info_echo "4420_hardening_fail2ban.sh [${TARGET}]"
hardening_fail2ban
info_echo "4430_hardening_files.sh"
info_echo "4430_hardening_files.sh [${TARGET}]"
hardening_files
info_echo "4440_hardening_haveged.sh"
info_echo "4440_hardening_haveged.sh [${TARGET}]"
hardening_haveged
info_echo "4450_hardening_memory.sh"
info_echo "4450_hardening_memory.sh [${TARGET}]"
hardening_memory
info_echo "4460_hardening_openssl.sh"
info_echo "4460_hardening_openssl.sh [${TARGET}]"
hardening_openssl
info_echo "4470_hardening_ufw.sh"
info_echo "4470_hardening_ufw.sh [${TARGET}]"
hardening_ufw
info_echo "4480_hardening_usb.sh"
info_echo "4480_hardening_usb.sh [${TARGET}]"
hardening_usb
info_echo "4490_hardening_virus.sh"
info_echo "4490_hardening_virus.sh [${TARGET}]"
hardening_virus
info_echo "4445_hardening_logrotate.sh"
info_echo "4445_hardening_logrotate.sh [${TARGET}]"
hardening_logrotate
### CDI_4500
info_echo "4500_accounts_preparation.sh"
info_echo "4500_accounts_preparation.sh [${TARGET}]"
accounts_preparation
info_echo "4510_accounts_hardening.sh"
info_echo "4510_accounts_hardening.sh [${TARGET}]"
accounts_hardening
info_echo "4520_accounts_setup.sh"
info_echo "4520_accounts_setup.sh [${TARGET}]"
accounts_setup
### CDI_4600
info_echo "4600_installation_packages.sh"
info_echo "4600_installation_packages.sh [${TARGET}]"
installation_packages
#info_echo "4610_installation_security.sh"
#installation_security
info_echo "4610_installation_security.sh [${TARGET}]"
installation_security
info_echo "4620_installation_verification.sh"
info_echo "4620_installation_verification.sh [${TARGET}]"
install_verification
info_echo "4630_auditing_packages.sh"
info_echo "4630_auditing_packages.sh [${TARGET}]"
auditing_packages
### CDI_4900
info_echo "4999_exiting_chroot_system.sh"
info_echo "4999_exiting_chroot_system.sh [${TARGET}]"
exiting_chroot_system
### CDI_5000
if [[ "${VAR_RECOVERY}" == "true" ]]; then
info_echo "5000_debootstrap.sh"
func_debootstrap_reco
declare -gx VAR_RUN_RECOVERY="true"
info_echo "5005_debootstrap_checks.sh"
check_debootstrap_reco
info_echo "4000_debootstrap.sh [${RECOVERY}]"
func_debootstrap
info_echo "5010_prepare_mounts.sh"
prepare_mounts_reco
info_echo "4005_debootstrap_checks.sh [${RECOVERY}]"
check_debootstrap
info_echo "5015_check_usr_merge.sh"
check_usr_merge_reco
info_echo "4010_prepare_mounts.sh [${RECOVERY}]"
prepare_mounts
info_echo "5020_remove_x509.sh"
remove_x509_reco
info_echo "4015_check_usr_merge.sh [${RECOVERY}]"
check_usr_merge
info_echo "5030_setup_hostname.sh"
setup_hostname_reco
info_echo "4020_remove_x509.sh [${RECOVERY}]"
remove_x509
info_echo "5035_setup_resolv.sh"
setup_resolv_reco
info_echo "4030_setup_hostname.sh [${RECOVERY}]"
setup_hostname
info_echo "5040_setup_timezone.sh"
setup_timezone_reco
info_echo "4035_setup_resolv.sh [${RECOVERY}]"
setup_resolv
info_echo "5050_setup_locales.sh"
setup_locales_reco
info_echo "4040_setup_timezone.sh [${RECOVERY}]"
setup_timezone
info_echo "5105_generate_sources_822.sh"
generate_sources822_reco
info_echo "4050_setup_locales.sh [${RECOVERY}]"
setup_locales
info_echo "5110_update_sources.sh"
update_sources_reco
info_echo "4105_generate_sources_822.sh [${RECOVERY}]"
generate_sources822
info_echo "4110_update_sources.sh [${RECOVERY}]"
update_sources
info_echo "5120_installation_kernel.sh"
installation_kernel_reco
@@ -482,6 +488,7 @@ if [[ "${VAR_RECOVERY}" == "true" ]]; then
info_echo "5999_exiting_chroot_recovery.sh"
exiting_chroot_recovery
declare -gx VAR_RUN_RECOVERY="false"
fi
### Dialog Output for Initialization END

3
func/cdi_1000_helper/1030_check_nic.sh
View File

@@ -41,4 +41,7 @@ check_nic() {
do_log "info" "file_only" "1030() You have selected: '${var_nic}' - proceeding with setup."
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f check_nic
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

6
func/cdi_1000_helper/1081_helper_grub.sh
View File

@@ -98,6 +98,9 @@ grub_extract_current_string() {
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f grub_extract_current_string
#######################################
# Helper module to finish the modified GRUB CMDLINE strings.
@@ -146,4 +149,7 @@ EOF
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f grub_finalize_string
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

24
func/cdi_1000_helper/1082_helper_modules.sh
View File

@@ -28,6 +28,9 @@ chroot_logger() {
chmod 0600 "${var_logfile}" || "${ERR_CHROOT_LOGGER}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f chroot_logger
#######################################
# Helper Module to generate a Subnet Mask out of an IP in CCDIR Notation.
@@ -50,6 +53,9 @@ generate_subnetmask() {
printf '%s' "${var_has_ipv4_subnet}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f generate_subnetmask
#######################################
# Collect NIC driver modules for initramfs installation (no lspci required).
@@ -92,7 +98,9 @@ grep_nic_driver_modules() {
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f grep_nic_driver_modules
#######################################
# Wrapper to insert the metadata field into the specified file.
@@ -128,6 +136,9 @@ insert_comments() {
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f insert_comments
#######################################
# Wrapper to insert the SPDX Header into the specified file.
@@ -160,11 +171,18 @@ EOF
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f insert_header
#######################################
# Helper module for update, full dist-upgrade, autoclean, autopurge and autoremove.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: on success
#######################################
update_upgrade() {
apt-get update
@@ -172,5 +190,9 @@ update_upgrade() {
apt-get autoclean -y
apt-get autopurge -y
apt-get autoremove -y
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f update_upgrade
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

9
func/cdi_1000_helper/1084_helper_sanitizer.sh
View File

@@ -22,6 +22,9 @@ remove_whitespace() {
declare var_out=$(printf "%s" "$1" | xargs)
printf '%s' "${var_out}"
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f remove_whitespace
#######################################
# Function to escape all shell metacharacters
@@ -33,6 +36,9 @@ sanitize_input() {
### %q quotes the string so that the shell re-reads it as the original literal
printf '%q' "${input}"
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f sanitize_input
#######################################
# Function to remove any character not in the allowed set
@@ -46,4 +52,7 @@ sanitize_string() {
declare allowed='a-zA-Z0-9._/=\[\]:"\-+ '
printf '%s' "${input}" | tr -cd "${allowed}"
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f sanitize_string
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

6
func/cdi_1000_helper/1085_helper_secure_dl.sh
View File

@@ -42,6 +42,9 @@ scurl() {
return "${ERR_DOWNLOAD_FAILED}"
fi
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f scurl
#######################################
# Wrapper for secure wget.
@@ -73,4 +76,7 @@ swget() {
return "${ERR_DOWNLOAD_FAILED}"
fi
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f swget
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

7
func/cdi_1000_helper/1086_helper_yaml.sh
View File

@@ -13,7 +13,9 @@
guard_sourcing
#######################################
# yq_val <YQ expression> <file> - Returns value, converts null to ""
# yq_val <YQ expression> <file> - Returns value, converts null to "".
# Globals:
# None
# Arguments:
# 1: Key String to evaluate
# 2: YAML File
@@ -23,4 +25,7 @@ yq_val() {
[[ "${var_h}" == null ]] && var_h=""
printf '%s' "${var_h}"
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f yq_val
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

3
func/cdi_1200_validation/1220_validation_element.sh
View File

@@ -31,4 +31,7 @@ validation_array() {
done
return 1
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f validation_array
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

15
func/cdi_1200_validation/1221_validation_ip.sh
View File

@@ -15,7 +15,7 @@ guard_sourcing
#######################################
# IPv4 validation.
# Globals:
# ERR_INVALID_IPV4
# None
# Arguments:
# 1: IPv4 to validate.
# Returns:
@@ -30,6 +30,9 @@ validation_ipv4() {
return "${ERR_INVALID_IPV4}"
fi
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f validation_ipv4
#######################################
# IPv6 validation, including
@@ -38,7 +41,7 @@ validation_ipv4() {
# - Addresses with embedded IPv4 addresses like ::ffff:192.0.2.128
# - Link-local addresses like fe80::1%eth0
# Globals:
# ERR_INVALID_IPV6
# None
# Arguments:
# 1: IPv6 address
# Returns:
@@ -88,11 +91,14 @@ validation_ipv6() {
### Success
do_log "info" "file_only" "'${var_ip}' seems to be a valid IPv6."
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f validation_ipv6
#######################################
# Port validation.
# Globals:
# ERR_INVALID_PORT
# None
# Arguments:
# 1: Port number
# Returns:
@@ -107,4 +113,7 @@ validation_port() {
return "${ERR_INVALID_PORT}"
fi
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f validation_port
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

3
func/cdi_1200_validation/1222_validation_preseed.sh
View File

@@ -60,4 +60,7 @@ validation_preseed() {
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f validation_preseed
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_1250_yaml/1250_yaml_parser.sh
View File

@@ -46,7 +46,7 @@ yaml_parser() {
while IFS='=' read -r var_key var_value; do
var_value=${var_value#\'}
var_value=${var_value%\'}
# shellcheck disable=SC2034
# shellcheck disable=SC2034,SC2249
case "${var_key}" in
grub_parameter_[0-9]*) ARY_BOOTPARAM+=("${var_value}") ;;
locale_locale_[0-9]*) ARY_LOCALE+=("${var_value}") ;;

23
func/cdi_1250_yaml/1251_yaml_reader.sh
View File

@@ -17,19 +17,42 @@ guard_sourcing
# Globals:
# BASH_REMATCH
# HMP_RECIPE_DEV_PARTITIONS
# VAR_APT_FULL_UPGRADE
# VAR_ARCHITECTURE
# VAR_CHROOT_DEBUG
# VAR_CODENAME
# VAR_DEB822
# VAR_DROPBEAR
# VAR_GRUB_PASSWORD
# VAR_LUKS_BACKUP
# VAR_LUKS_URL
# VAR_NEED_RUN_IN_TARGET
# VAR_NUKE
# VAR_NUKE_ROUNDS
# VAR_PRESEED
# VAR_PROVIDER
# VAR_RECIPE_FIRMWARE
# VAR_RECIPE_HIGHEST_DEVICE
# VAR_RECIPE_STRING
# VAR_RECIPE_TABLE
# VAR_RECOVERY
# VAR_SEC_FW
# VAR_SSH_CA
# VAR_SSH_PORT
# VAR_UFW_OUT
# apt_default_deb822
# apt_full_upgrade
# architecture
# chroot_debug
# distribution
# dropbear_boot
# grub_password
# needrun
# provider
# security_ext
# security_ufw_out
# ssh_port
# ssh_root_ca
# Arguments:
# None
# Returns:

17
func/cdi_1250_yaml/1252_yaml_validator.sh
View File

@@ -221,9 +221,14 @@ yaml_validator() {
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f yaml_validator
#######################################
# Network connectivity prober.
# Globals:
# network_timeout_linkwait
# Arguments:
# 1: IP-Family
# 2: TLD to probe
@@ -237,21 +242,33 @@ probe_link() {
### 1) Try ping (quiet, 1 probe, 3s deadline)
if ping -q -c 1 -W "${network_timeout_linkwait:-3}" "-${var_fam}" "${var_target}" >/dev/null 2>&1; then
var_ok="true"
else
### 2) Fallback: mtr in report mode (non-interactive), no DNS to avoid TUI/delays.
if command -v mtr >/dev/null 2>&1; then
### Treat as success if ANY hop resolves to something other than "???".
### '-r = report', '-c 2 = two cycles', -n = no DNS, -4/-6 = address family
# shellcheck disable=SC2312
if mtr "-${var_fam}" -r -c 3 -n "${var_target}" 2>/dev/null \
| awk 'NR>2 && $2!="???"{ok=1} END{exit ok?0:1}'; then
var_ok="true"
fi
fi
fi
printf '%s' "${var_ok}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f probe_link
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

19
func/cdi_3200_partitioning/3200_partitioning.sh
View File

@@ -43,23 +43,28 @@ guard_sourcing
# - LUKS encryption enabled.
# - Specific device partition data for each mount path.
# Globals:
# ARY_CRYPT_MOUNT_PATHS
# ARY_FORMT_MOUNT_PATHS
# ARY_FSTAB_MOUNT_PATHS
# ARY_PATHS_SORTED
# DIR_LOG
# HMP_FSTAB_MOUNT_FTYPE
# HMP_PATH_DEV_PART
# HMP_PATH_PARTUUID
# VAR_RECIPE_FIRMWARE
# VAR_RECIPE_STRING
# VAR_RECIPE_TABLE
# VAR_ROOT_FS
# VAR_SETUP_PART
# Arguments:
# None
# Returns:
# ERR_PARTITIONTBL
# ERR_PART_CREATE
# ERR_PART_READ
# ERR_TABLE_CREATE
# ERR_TABLE_DELETE
# 0: on success
# ERR_PARTITIONTBL: on failure
# ERR_PART_CREATE: on failure
# ERR_PART_READ: on failure
# ERR_TABLE_CREATE: on failure
# ERR_TABLE_DELETE: on failure
#######################################
partitioning() {
### Declare Arrays, HashMaps, and Variables.
@@ -180,6 +185,7 @@ partitioning() {
var_end_arg="${var_end}"
fi
# shellcheck disable=SC2249
case "${VAR_RECIPE_TABLE,,}" in
gpt)
@@ -212,6 +218,7 @@ partitioning() {
### Assign the correct GPT typecode via sgdisk if the table is GPT.
if [[ "${VAR_RECIPE_TABLE,,}" == "gpt" ]]; then
# shellcheck disable=SC2249
case "${var_mount_path,,}" in
"/")
@@ -254,6 +261,7 @@ partitioning() {
esac
# shellcheck disable=SC2249
case "${var_encryption,,}" in
true)
@@ -285,6 +293,7 @@ partitioning() {
### Set the bootable flag if necessary.
if [[ "${var_boot,,}" == "true" ]]; then
# shellcheck disable=SC2249
case "${VAR_RECIPE_TABLE,,}:${VAR_RECIPE_FIRMWARE,,}" in
gpt:uefi|mbr:uefi)

3
func/cdi_3200_partitioning/3210_benchmarking_encryption.sh
View File

@@ -55,4 +55,7 @@ benchmarking_encryption() {
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f benchmarking_encryption
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

4
func/cdi_3200_partitioning/3280_mount_partition.sh
View File

@@ -113,7 +113,7 @@ readonly -f mount_with_dir
# Outputs '/dev/mapper/<encryption_label>'
# Outputs '/dev/<dev><partition>'
# Globals:
# none
# None
# Arguments:
# 1: Device
# 2: Partition
@@ -144,7 +144,7 @@ readonly -f resolve_device
#######################################
# Validates btrfs compression algo and level.
# Globals:
# none
# None
# Arguments:
# 1: var_fs_btrfs_compress
# 2: var_fs_btrfs_level

1
func/cdi_3200_partitioning/3295_get_label.sh
View File

@@ -64,6 +64,7 @@ get_label() {
file)
# shellcheck disable=SC2249
case "${var_path}:${var_file}" in
swap:*) var_return_label="host_swap" ;;

13
func/cdi_4000_debootstrap/4000_debootstrap.sh
View File

@@ -16,9 +16,12 @@ guard_sourcing
# Install a minimal Debian environment using the 'debootstrap' command.
# Globals:
# LOG_DBS
# LOG_REC
# RECOVERY
# TARGET
# VAR_ARCHITECTURE
# VAR_CODENAME
# VAR_RUN_RECOVERY
# debootstrap_includes
# debootstrap_mirror
# Arguments:
@@ -31,11 +34,17 @@ func_debootstrap() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_arch="${VAR_ARCHITECTURE}"
declare -r var_dist="${VAR_CODENAME}"
declare -r var_target="${TARGET}"
declare -r var_mirror="${debootstrap_mirror}"
declare -r var_includes="${debootstrap_includes}"
declare -a ary_cmd=()
declare var_log="${LOG_DBS}"
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_log="${LOG_REC}"
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
ary_cmd+=( "debootstrap" "--arch=${var_arch}" "--keep-debootstrap-dir" "--log-extra-deps" "--merged-usr" )
if [[ -n "${var_includes}" ]]; then ary_cmd+=( "--include=${var_includes}" ); fi
@@ -45,7 +54,7 @@ func_debootstrap() {
do_log "debug" "file_only" "4000() Executing: [${ary_cmd[*]}]"
# shellcheck disable=SC2312
if "${ary_cmd[@]}" | tee "${LOG_DBS}"; then
if "${ary_cmd[@]}" | tee "${var_log}"; then
do_log "info" "file_only" "4000() [${ary_cmd[*]}] successful."

10
func/cdi_4000_debootstrap/4005_debootstrap_checks.sh
View File

@@ -15,7 +15,9 @@ guard_sourcing
#######################################
# Preliminary post debootstrap checks.
# Globals:
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# Arguments:
# None
# Returns:
@@ -24,10 +26,14 @@ guard_sourcing
check_debootstrap() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/4005_debootstrap_checks.log"
declare var_target="${TARGET}"
chroot_logger "${TARGET}${var_logfile}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
chroot_script "${TARGET}" "
chroot_logger "${var_target}${var_logfile}"
chroot_script "${var_target}" "
{
### Header
echo '==[debootstrap checks]=='

49
func/cdi_4000_debootstrap/4010_prepare_mounts.sh
View File

@@ -15,10 +15,11 @@ guard_sourcing
#######################################
# Configure the target system for chroot.
# Globals:
# RECOVERY
# TARGET
# VAR_CHROOT_ACTIVATED
# VAR_CHROOT_SYS_MASK_HELPER
# VAR_NEED_RUN_IN_TARGET
# VAR_RUN_RECOVERY
# Arguments:
# None
# Returns:
@@ -52,10 +53,14 @@ prepare_mounts() {
)
declare var_path="" var_fs="" var_src="" var_opts=""
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
mkdir -p "${TARGET}${var_path}"
mkdir -p "${var_target}${var_path}"
done
@@ -64,55 +69,65 @@ prepare_mounts() {
IFS=" " read -r var_fs var_src var_opts <<< "${HMP_SPECIAL_MOUNTS[${var_path}]}"
if mountpoint -q "${TARGET}${var_path}"; then
if mountpoint -q "${var_target}${var_path}"; then
do_log "info" "file_only" "4010() Skipped: '${TARGET}${var_path}' is already a mountpoint."
do_log "info" "file_only" "4010() Skipped: '${var_target}${var_path}' is already a mountpoint."
continue
fi
if ! mount -t "${var_fs}" "${var_src}" "${TARGET}${var_path}" -o "${var_opts}"; then
if ! mount -t "${var_fs}" "${var_src}" "${var_target}${var_path}" -o "${var_opts}"; then
do_log "emergency" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] failed."
do_log "emergency" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${var_target}${var_path} -o ${var_opts}] failed."
return "${ERR_CHRT_MOUNTS}"
fi
do_log "info" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] successful."
do_log "info" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${var_target}${var_path} -o ${var_opts}] successful."
done
if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
mkdir -p "${TARGET}/run"
mkdir -p "${var_target}/run"
if ! mount --make-rslave --rbind /run "${TARGET}/run"; then
if ! mount --make-rslave --rbind /run "${var_target}/run"; then
do_log "emergency" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${TARGET}/run] failed."
do_log "emergency" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${var_target}/run] failed."
return "${ERR_CHRT_MOUNTS}"
fi
do_log "info" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${TARGET}/run] successful."
do_log "info" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${var_target}/run] successful."
fi
if ! chroot_exec "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
if ! chroot_exec "${var_target}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
do_log "emergency" "file_only" "4010() Command: [chroot_exec ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
do_log "emergency" "file_only" "4010() Command: [chroot_exec ${var_target} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
return "${ERR_CHRT_MOUNTS}"
fi
do_log "info" "file_only" "4010() Command: [chroot_exec ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
do_log "info" "file_only" "4010() Command: [chroot_exec ${var_target} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
mkdir -p "${TARGET}/media/cdrom0"
mkdir -p "${var_target}/media/cdrom0"
# shellcheck disable=SC2034
declare -gx VAR_CHROOT_ACTIVATED="system"
do_log "info" "file_only" "4010() Command: [declare -gx VAR_CHROOT_ACTIVATED=system]"
if [[ "${VAR_RUN_RECOVERY}" == "false" ]]; then
declare -gx VAR_CHROOT_ACTIVATED="system"
do_log "info" "file_only" "4010() Command: [declare -gx VAR_CHROOT_ACTIVATED=system]"
elif [[ "${VAR_RUN_RECOVERY}" == "true" ]]; then
declare -gx VAR_CHROOT_ACTIVATED="recovery"
do_log "info" "file_only" "4010() Command: [declare -gx VAR_CHROOT_ACTIVATED=recovery]"
fi
guard_dir && return 0
}

12
func/cdi_4000_debootstrap/4015_check_usr_merge.sh
View File

@@ -15,7 +15,9 @@ guard_sourcing
#######################################
# Check if the target system is not 'tainted: unmerged-usr'.
# Globals:
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# architecture
# Arguments:
# None
@@ -25,11 +27,15 @@ guard_sourcing
check_usr_merge() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/4015_check_usr_merge.log"
declare var_target="${TARGET}"
chroot_logger "${TARGET}${var_logfile}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
chroot_logger "${var_target}${var_logfile}"
# shellcheck disable=SC2312
chroot_script "${TARGET}" "
chroot_script "${var_target}" "
test -L /bin && test $(readlink -f /bin) = '/usr/bin' && echo 'MERGED:/bin' >> ${var_logfile} || echo 'UNMERGED:/bin' >> ${var_logfile}
test -L /sbin && test $(readlink -f /sbin) = '/usr/sbin' && echo 'MERGED:/sbin' >> ${var_logfile} || echo 'UNMERGED:/sbin' >> ${var_logfile}
test -L /lib && test $(readlink -f /lib) = '/usr/lib' && echo 'MERGED:/lib' >> ${var_logfile} || echo 'UNMERGED:/lib' >> ${var_logfile}
@@ -38,7 +44,7 @@ check_usr_merge() {
if [[ "${architecture}" == "amd64" ]]; then
# shellcheck disable=SC2312
chroot_script "${TARGET}" "
chroot_script "${var_target}" "
test -L /lib64 && test $(readlink -f /lib64) = '/usr/lib64' && echo 'MERGED:/lib64' >> ${var_logfile} || echo 'UNMERGED:/lib64' >> ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"

15
func/cdi_4000_debootstrap/4020_remove_x509.sh
View File

@@ -15,7 +15,9 @@ guard_sourcing
#######################################
# Chroot hook for deleting all expired X.509 certificates in the target system.
# Globals:
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# VAR_SETUP_PATH
# Arguments:
# None
@@ -23,17 +25,22 @@ guard_sourcing
# 0: on success
#######################################
remove_x509() {
### Declare Arrays, HashMaps, and Variables.
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/4020_remove_x509.hooks.sh" \
"${TARGET}/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh"
"${var_target}/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh"
if ! chroot_script "${TARGET}" "/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh" "emergency"; then
if ! chroot_script "${var_target}" "/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh" "emergency"; then
do_log "warn" "file_only" "4020() Command: [chroot_script ${TARGET} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] failed."
do_log "warn" "file_only" "4020() Command: [chroot_script ${var_target} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] failed."
else
do_log "debug" "file_only" "4020() Command: [chroot_script ${TARGET} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] successful."
do_log "debug" "file_only" "4020() Command: [chroot_script ${var_target} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] successful."
fi

41
func/cdi_4000_debootstrap/4030_setup_hostname.sh
View File

@@ -15,11 +15,13 @@ guard_sourcing
#######################################
# Configure the '/etc/hostname' | '/etc/hosts' | '/etc/mailname' files.
# Globals:
# RECOVERY
# TARGET
# VAR_FINAL_FQDN
# VAR_FINAL_IPV4
# VAR_FINAL_IPV6
# VAR_LINK_IPV6
# VAR_RUN_RECOVERY
# network_ipv6
# Arguments:
# None
@@ -27,36 +29,42 @@ guard_sourcing
# 0: on success
#######################################
setup_hostname() {
### Create the '${TARGET}/etc/hostname' file.
cat << EOF >| "${TARGET}/etc/hostname"
### Declare Arrays, HashMaps, and Variables.
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
### Create the '${var_target}/etc/hostname' file.
cat << EOF >| "${var_target}/etc/hostname"
${VAR_FINAL_FQDN}
EOF
chmod 0644 "${TARGET}/etc/hostname"
do_log "info" "file_only" "4030() File generated: '${TARGET}/etc/hostname' | hostname '${VAR_FINAL_FQDN}'."
chmod 0644 "${var_target}/etc/hostname"
do_log "info" "file_only" "4030() File generated: '${var_target}/etc/hostname' | hostname '${VAR_FINAL_FQDN}'."
### Create the '${TARGET}/etc/mailname' file.
cat << EOF >| "${TARGET}/etc/mailname"
### Create the '${var_target}/etc/mailname' file.
cat << EOF >| "${var_target}/etc/mailname"
${VAR_FINAL_FQDN}
EOF
chmod 0644 "${TARGET}/etc/mailname"
do_log "info" "file_only" "4030() File generated: '${TARGET}/etc/mailname' | mailname '${VAR_FINAL_FQDN}'."
chmod 0644 "${var_target}/etc/mailname"
do_log "info" "file_only" "4030() File generated: '${var_target}/etc/mailname' | mailname '${VAR_FINAL_FQDN}'."
### Generate '${TARGET}/etc/hosts' basic IPv4 entries
cat << EOF >| "${TARGET}/etc/hosts"
### Generate '${var_target}/etc/hosts' basic IPv4 entries
cat << EOF >| "${var_target}/etc/hosts"
127.0.0.1 localhost
${VAR_FINAL_IPV4} ${VAR_FINAL_FQDN}
EOF
chmod 0644 "${TARGET}/etc/hosts"
do_log "info" "file_only" "4030() File generated: '${TARGET}/etc/hosts' with basic IPv4 entries."
chmod 0644 "${var_target}/etc/hosts"
do_log "info" "file_only" "4030() File generated: '${var_target}/etc/hosts' with basic IPv4 entries."
### Generate '${TARGET}/etc/hosts' basic IPv6 entries
### Generate '${var_target}/etc/hosts' basic IPv6 entries
if [[ "${VAR_LINK_IPV6,,}" == "true" || "${network_ipv6,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/hosts"
cat << EOF >> "${var_target}/etc/hosts"
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
@@ -68,10 +76,13 @@ ${VAR_FINAL_IPV6} ${VAR_FINAL_FQDN}
EOF
do_log "info" "file_only" "4030() File updated: '${TARGET}/etc/hosts' with basic IPv6 entries."
do_log "info" "file_only" "4030() File updated: '${var_target}/etc/hosts' with basic IPv6 entries."
fi
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f setup_hostname
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

47
func/cdi_4000_debootstrap/4035_setup_resolv.sh
View File

@@ -17,13 +17,11 @@ guard_sourcing
# Globals:
# ARY_IPV4_NS
# ARY_IPV6_NS
# DIR_BAK
# RECOVERY
# TARGET
# VAR_ARCHITECTURE
# VAR_CODENAME
# VAR_FINAL_IPV6
# VAR_LINK_IPV6
# VAR_VERSION
# VAR_RUN_RECOVERY
# Arguments:
# None
# Returns:
@@ -32,59 +30,66 @@ guard_sourcing
setup_resolv() {
### Declare Arrays, HashMaps, and Variables.
declare ns=""
declare var_target="${TARGET}"
if [[ -f "${TARGET}/etc/resolv.conf" ]]; then
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc"
mv "${TARGET}/etc/resolv.conf" "${TARGET}/root/.ciss/cdi/backup/etc/resolv.conf.bak"
do_log "info" "file_only" "4035() Existing '${TARGET}/etc/resolv.conf' moved."
if [[ -f "${var_target}/etc/resolv.conf" ]]; then
mkdir -p "${var_target}/root/.ciss/cdi/backup/etc"
mv "${var_target}/etc/resolv.conf" "${var_target}/root/.ciss/cdi/backup/etc/resolv.conf.bak"
do_log "info" "file_only" "4035() Existing '${var_target}/etc/resolv.conf' moved."
fi
touch "${TARGET}/etc/resolv.conf"
chmod 0644 "${TARGET}/etc/resolv.conf"
touch "${var_target}/etc/resolv.conf"
chmod 0644 "${var_target}/etc/resolv.conf"
### Create '/etc/resolv.conf' IPv4 entries for static configuration.
insert_header "${TARGET}/etc/resolv.conf"
insert_comments "${TARGET}/etc/resolv.conf"
cat << EOF >> "${TARGET}/etc/resolv.conf"
insert_header "${var_target}/etc/resolv.conf"
insert_comments "${var_target}/etc/resolv.conf"
cat << EOF >> "${var_target}/etc/resolv.conf"
### Custom DNS IPv4 configuration
EOF
for ns in "${ARY_IPV4_NS[@]}"; do
echo "nameserver ${ns}" >> "${TARGET}/etc/resolv.conf"
echo "nameserver ${ns}" >> "${var_target}/etc/resolv.conf"
do_log "info" "file_only" "4035() IPv4 nameserver added: [${ns}]."
done
echo "" >> "${TARGET}/etc/resolv.conf"
do_log "info" "file_only" "4035() IPv4 nameserver at: '${TARGET}/etc/resolv.conf' configured."
echo "" >> "${var_target}/etc/resolv.conf"
do_log "info" "file_only" "4035() IPv4 nameserver at: '${var_target}/etc/resolv.conf' configured."
### Create '/etc/resolv.conf' IPv6 entries for static configuration.
if [[ "${VAR_LINK_IPV6,,}" == "true" || -n "${VAR_FINAL_IPV6}" ]]; then
cat << EOF >> "${TARGET}/etc/resolv.conf"
cat << EOF >> "${var_target}/etc/resolv.conf"
### Custom DNS IPv6 configuration
EOF
for ns in "${ARY_IPV6_NS[@]}"; do
echo "nameserver ${ns}" >> "${TARGET}/etc/resolv.conf"
echo "nameserver ${ns}" >> "${var_target}/etc/resolv.conf"
do_log "info" "file_only" "4035() IPv6 nameserver added: [${ns}]."
done
echo "" >> "${TARGET}/etc/resolv.conf"
do_log "info" "file_only" "4035() IPv6 nameserver at: '${TARGET}/etc/resolv.conf' configured."
echo "" >> "${var_target}/etc/resolv.conf"
do_log "info" "file_only" "4035() IPv6 nameserver at: '${var_target}/etc/resolv.conf' configured."
fi
cat << EOF >> "${TARGET}/etc/resolv.conf"
cat << EOF >> "${var_target}/etc/resolv.conf"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f setup_resolv
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

23
func/cdi_4000_debootstrap/4040_setup_timezone.sh
View File

@@ -15,7 +15,9 @@ guard_sourcing
#######################################
# Configure the '/etc/timezone' | '/etc/localtime' files.
# Globals:
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# ntp_timezone
# Arguments:
# None
@@ -23,17 +25,26 @@ guard_sourcing
# 0: on success
#######################################
setup_timezone() {
### Create '${TARGET}/etc/timezone' file.
cat << EOF >| "${TARGET}/etc/timezone"
### Declare Arrays, HashMaps, and Variables.
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
### Create the '$ {var_target}/etc / timezone' file.
cat << EOF >| "${var_target}/etc/timezone"
${ntp_timezone:-UTC}
EOF
chmod 0644 "${TARGET}/etc/timezone"
do_log "info" "file_only" "4040() File generated: '${TARGET}/etc/timezone' | timezone '${ntp_timezone:-UTC}'."
chmod 0644 "${var_target}/etc/timezone"
do_log "info" "file_only" "4040() File generated: '${var_target}/etc/timezone' | timezone '${ntp_timezone:-UTC}'."
chroot_exec "${TARGET}" ln -sf "/usr/share/zoneinfo/${ntp_timezone}" /etc/localtime
chroot_exec "${var_target}" ln -sf "/usr/share/zoneinfo/${ntp_timezone}" /etc/localtime
chroot_exec "${TARGET}" dpkg-reconfigure -f noninteractive tzdata
chroot_exec "${var_target}" dpkg-reconfigure -f noninteractive tzdata
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f setup_timezone
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

36
func/cdi_4000_debootstrap/4050_setup_locales.sh
View File

@@ -16,10 +16,10 @@ guard_sourcing
# Set locale, locale overrides and configure keyboard layout.
# Globals:
# ARY_LOCALE
# RECOVERY
# TARGET
# VAR_ARCHITECTURE
# VAR_CODENAME
# VAR_VERSION
# VAR_DATE
# VAR_RUN_RECOVERY
# locale_country
# locale_keyboard_xkb_keymap
# locale_language
@@ -42,15 +42,22 @@ guard_sourcing
setup_locales() {
### Declare Arrays, HashMaps, and Variables.
declare var_locale_hook="/root/.ciss/cdi/hooks/4050_setup_locales.hooks.sh"
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
### Give priority to '${locale_locale}' over separately configured variables '${locale_country}' and '${locale_language}'.
### If 'locale_locale' is not set, build it from 'locale_language' and 'locale_country'.
if [[ -n "${locale_language:-}" && -n "${locale_country:-}" && -z "${ARY_LOCALE[0]:-}" ]]; then
# shellcheck disable=SC2034
ARY_LOCALE+="${locale_language}_${locale_country}.UTF-8"
fi
### Creat Hook in target.
cat << EOF >| "${TARGET}${var_locale_hook}"
cat << EOF >| "${var_target}${var_locale_hook}"
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -72,7 +79,7 @@ declare loc=""
EOF
cat << 'EOF' >> "${TARGET}${var_locale_hook}"
cat << 'EOF' >> "${var_target}${var_locale_hook}"
ary_locale+=( "${locale_0}" )
[[ -n "${locale_1}" ]] && ary_locale+=( "${locale_1}" )
@@ -94,7 +101,7 @@ done
EOF
cat << EOF >> "${TARGET}${var_locale_hook}"
cat << EOF >> "${var_target}${var_locale_hook}"
update-locale \
LANG=${ARY_LOCALE[0]} \
LC_ADDRESS=${locale_override_address:-${ARY_LOCALE[0]}} \
@@ -112,13 +119,13 @@ LC_IDENTIFICATION=${ARY_LOCALE[0]}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0700 "${TARGET}${var_locale_hook}"
chroot_script "${TARGET}" "${var_locale_hook}"
chmod 0700 "${var_target}${var_locale_hook}"
chroot_script "${var_target}" "${var_locale_hook}"
### Set the keyboard layout for the system (for consoles).
insert_header "${TARGET}/etc/default/keyboard"
insert_comments "${TARGET}/etc/default/keyboard"
cat << EOF >> "${TARGET}/etc/default/keyboard"
insert_header "${var_target}/etc/default/keyboard"
insert_comments "${var_target}/etc/default/keyboard"
cat << EOF >> "${var_target}/etc/default/keyboard"
# KEYBOARD CONFIGURATION FILE
# Consult the keyboard(5) manual page.
@@ -130,9 +137,12 @@ BACKSPACE="guess"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
chmod 0644 "${TARGET}/etc/default/keyboard"
do_log "info" "file_only" "4050() Keyboard layout updated: 'XKBLAYOUT=${locale_keyboard_xkb_keymap}' -> '${TARGET}/etc/default/keyboard'."
chmod 0644 "${var_target}/etc/default/keyboard"
do_log "info" "file_only" "4050() Keyboard layout updated: 'XKBLAYOUT=${locale_keyboard_xkb_keymap}' -> '${var_target}/etc/default/keyboard'."
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f setup_locales
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

76
func/cdi_4100_base/4100_generate_sources.sh
View File

@@ -15,10 +15,9 @@ guard_sourcing
#######################################
# Generate target '/etc/apt/sources.list' entries.
# Globals:
# RECOVERY
# TARGET
# VAR_ARCHITECTURE
# VAR_CODENAME
# VAR_VERSION
# VAR_RUN_RECOVERY
# apt_contrib
# apt_deb_sources
# apt_mirror_directory
@@ -39,8 +38,12 @@ guard_sourcing
#######################################
generate_sources() {
### Declare Arrays, HashMaps, and Variables.
declare -a ary_components=()
declare var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
declare -a ary_components=()
declare var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
# shellcheck disable=SC2154 # "${architecture}"
var_arch="${architecture,,}"
@@ -77,25 +80,25 @@ generate_sources() {
fi
: >| "${TARGET}/etc/apt/sources.list"
chmod 0644 "${TARGET}/etc/apt/sources.list"
: >| "${var_target}/etc/apt/sources.list"
chmod 0644 "${var_target}/etc/apt/sources.list"
### Main Repository
# shellcheck disable=SC2153
insert_header "${TARGET}/etc/apt/sources.list"
insert_comments "${TARGET}/etc/apt/sources.list"
cat << EOF >> "${TARGET}/etc/apt/sources.list"
insert_header "${var_target}/etc/apt/sources.list"
insert_comments "${var_target}/etc/apt/sources.list"
cat << EOF >> "${var_target}/etc/apt/sources.list"
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
deb ${var_url} ${var_codename} ${ary_components[*]}
EOF
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename} ${ary_components[*]}'."
do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename} ${ary_components[*]}'."
if [[ "${var_deb_src}" == "true" ]]; then
echo "deb-src ${var_url} ${var_codename} ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename} ${ary_components[*]}'."
echo "deb-src ${var_url} ${var_codename} ${ary_components[*]}" >> "${var_target}/etc/apt/sources.list"
do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename} ${ary_components[*]}'."
fi
@@ -103,16 +106,16 @@ EOF
### Security Repository
if [[ "${apt_updates_security,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/apt/sources.list"
cat << EOF >> "${var_target}/etc/apt/sources.list"
deb ${var_surl} ${var_codename}-security ${ary_components[*]}
EOF
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_surl} ${var_codename}-security ${ary_components[*]}'."
do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb ${var_surl} ${var_codename}-security ${ary_components[*]}'."
if [[ "${var_deb_src}" == "true" ]]; then
echo "deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}'."
echo "deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}" >> "${var_target}/etc/apt/sources.list"
do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}'."
fi
@@ -122,16 +125,16 @@ EOF
### Updates Repository
if [[ "${apt_updates_release,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/apt/sources.list"
cat << EOF >> "${var_target}/etc/apt/sources.list"
deb ${var_url} ${var_codename}-updates ${ary_components[*]}
EOF
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-updates ${ary_components[*]}'."
do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-updates ${ary_components[*]}'."
if [[ "${var_deb_src}" == "true" ]]; then
echo "deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}'."
echo "deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}" >> "${var_target}/etc/apt/sources.list"
do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}'."
fi
@@ -141,16 +144,16 @@ EOF
### Backports Repository
if [[ "${apt_updates_backports,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/apt/sources.list"
cat << EOF >> "${var_target}/etc/apt/sources.list"
deb ${var_url} ${var_codename}-backports ${ary_components[*]}
EOF
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-backports ${ary_components[*]}'."
do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-backports ${ary_components[*]}'."
if [[ "${var_deb_src,,}" == "true" ]]; then
echo "deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}'."
echo "deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}" >> "${var_target}/etc/apt/sources.list"
do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}'."
fi
@@ -158,32 +161,35 @@ EOF
### Clean up 'sources.list'
sed -i '/^#/!s/[[:space:]]\+/ /g' "${TARGET}/etc/apt/sources.list"
sed -i '/^#/!s/[[:space:]]\+/ /g' "${var_target}/etc/apt/sources.list"
cat << EOF >> "${TARGET}/etc/apt/sources.list"
cat << EOF >> "${var_target}/etc/apt/sources.list"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
insert_header "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
insert_comments "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
cat << 'EOF' >> "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
insert_header "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
insert_comments "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
cat << 'EOF' >> "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
Acquire::PDiffs "false";
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
sed -i -E 's|^([[:space:]]*)#+|\1//|' "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
sed -i -E 's|^([[:space:]]*)#+|\1//|' "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
insert_header "${TARGET}/etc/apt/apt.conf.d/91-acquire"
insert_comments "${TARGET}/etc/apt/apt.conf.d/91-acquire"
cat << 'EOF' >> "${TARGET}/etc/apt/apt.conf.d/91-acquire"
insert_header "${var_target}/etc/apt/apt.conf.d/91-acquire"
insert_comments "${var_target}/etc/apt/apt.conf.d/91-acquire"
cat << 'EOF' >> "${var_target}/etc/apt/apt.conf.d/91-acquire"
Acquire::Retries "3";
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
sed -i -E 's|^([[:space:]]*)#+|\1//|' "${TARGET}/etc/apt/apt.conf.d/91-acquire"
sed -i -E 's|^([[:space:]]*)#+|\1//|' "${var_target}/etc/apt/apt.conf.d/91-acquire"
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f generate_sources
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

55
func/cdi_4100_base/4105_generate_sources_822.sh
View File

@@ -36,8 +36,12 @@ guard_sourcing
#######################################
generate_sources822() {
### Declare Arrays, HashMaps, and Variables.
declare -a ary_components=() ary_types=()
declare var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
declare -a ary_components=() ary_types=()
declare var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
# shellcheck disable=SC2154 # "${architecture}"
var_arch="${architecture,,}"
@@ -79,9 +83,9 @@ generate_sources822() {
### Main Repository
insert_header "${TARGET}/etc/apt/sources.list.d/trixie.sources"
insert_comments "${TARGET}/etc/apt/sources.list.d/trixie.sources"
cat << EOF >> "${TARGET}/etc/apt/sources.list.d/trixie.sources"
insert_header "${var_target}/etc/apt/sources.list.d/trixie.sources"
insert_comments "${var_target}/etc/apt/sources.list.d/trixie.sources"
cat << EOF >> "${var_target}/etc/apt/sources.list.d/trixie.sources"
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
@@ -98,9 +102,9 @@ EOF
### Security Repository
if [[ "${apt_updates_security,,}" == "true" ]]; then
insert_header "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
insert_comments "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
cat << EOF >> "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
insert_header "${var_target}/etc/apt/sources.list.d/trixie-security.sources"
insert_comments "${var_target}/etc/apt/sources.list.d/trixie-security.sources"
cat << EOF >> "${var_target}/etc/apt/sources.list.d/trixie-security.sources"
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
@@ -117,9 +121,9 @@ EOF
### Updates Repository
if [[ "${apt_updates_release,,}" == "true" ]]; then
insert_header "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
insert_comments "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
cat << EOF >> "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
insert_header "${var_target}/etc/apt/sources.list.d/trixie-updates.sources"
insert_comments "${var_target}/etc/apt/sources.list.d/trixie-updates.sources"
cat << EOF >> "${var_target}/etc/apt/sources.list.d/trixie-updates.sources"
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
@@ -137,9 +141,9 @@ EOF
### Backports Repository
if [[ "${apt_updates_backports,,}" == "true" ]]; then
insert_header "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
insert_comments "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
cat << EOF >> "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
insert_header "${var_target}/etc/apt/sources.list.d/trixie-backports.sources"
insert_comments "${var_target}/etc/apt/sources.list.d/trixie-backports.sources"
cat << EOF >> "${var_target}/etc/apt/sources.list.d/trixie-backports.sources"
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
@@ -156,30 +160,33 @@ EOF
fi
if [[ -f "${TARGET}/etc/apt/sources.list" ]]; then
rm -f "${TARGET}/etc/apt/sources.list"
if [[ -f "${var_target}/etc/apt/sources.list" ]]; then
rm -f "${var_target}/etc/apt/sources.list"
fi
insert_header "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
insert_comments "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
cat << 'EOF' >> "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
insert_header "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
insert_comments "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
cat << 'EOF' >> "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
Acquire::PDiffs "false";
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
sed -i -E 's|^([[:space:]]*)#+|\1//|' "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
sed -i -E 's|^([[:space:]]*)#+|\1//|' "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
insert_header "${TARGET}/etc/apt/apt.conf.d/91-acquire"
insert_comments "${TARGET}/etc/apt/apt.conf.d/91-acquire"
cat << 'EOF' >> "${TARGET}/etc/apt/apt.conf.d/91-acquire"
insert_header "${var_target}/etc/apt/apt.conf.d/91-acquire"
insert_comments "${var_target}/etc/apt/apt.conf.d/91-acquire"
cat << 'EOF' >> "${var_target}/etc/apt/apt.conf.d/91-acquire"
Acquire::Retries "3";
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
sed -i -E 's|^([[:space:]]*)#+|\1//|' "${TARGET}/etc/apt/apt.conf.d/91-acquire"
sed -i -E 's|^([[:space:]]*)#+|\1//|' "${var_target}/etc/apt/apt.conf.d/91-acquire"
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f generate_sources822
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

19
func/cdi_4100_base/4110_update_sources.sh
View File

@@ -18,7 +18,9 @@ guard_sourcing
# to suppress the 'update-initramfs'-Kernel-Hooks, according to the initramfs-tools manpage:
# https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
# Globals:
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# apt_updates_policy
# Arguments:
# None
@@ -28,19 +30,23 @@ guard_sourcing
update_sources() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/4110_update_sources.log"
declare var_target="${TARGET}"
chroot_logger "${TARGET}${var_logfile}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
chroot_logger "${var_target}${var_logfile}"
### Update generated sources.
# shellcheck disable=SC2312
chroot_script "${TARGET}" "apt-get update 2>&1 | tee -a ${var_logfile}; echo ExitCode: \$? >> ${var_logfile}"
chroot_script "${var_target}" "apt-get update 2>&1 | tee -a ${var_logfile}; echo ExitCode: \$? >> ${var_logfile}"
do_log "info" "file_only" "4110() Sources lists: updated successfully."
### Update unattended, security, or no unattended updates at all.
if [[ "${apt_updates_policy,,}" == "unattended" ]]; then
chroot_script "${TARGET}" "
chroot_script "${var_target}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
@@ -49,14 +55,14 @@ update_sources() {
elif [[ "${apt_updates_policy,,}" == "security" ]]; then
chroot_script "${TARGET}" "
chroot_script "${var_target}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
# shellcheck disable=SC2016
sed -i 's/^[[:space:]]*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${TARGET}/etc/apt/apt.conf.d/50unattended-upgrades"
sed -i 's/^[[:space:]]*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${var_target}/etc/apt/apt.conf.d/50unattended-upgrades"
do_log "info" "file_only" "4110() The update policy was set at installation time to: '${apt_updates_policy}'."
elif [[ "${apt_updates_policy,,}" == "none" ]]; then
@@ -71,4 +77,7 @@ update_sources() {
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f update_sources
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

34
func/cdi_4400_hardening/4420_hardening_fail2ban.sh
View File

@@ -21,6 +21,7 @@ guard_sourcing
# VAR_FINAL_FQDN
# VAR_FINAL_IPV4
# VAR_FINAL_IPV6
# VAR_LINK_IPV6
# VAR_PROVIDER
# VAR_SSH_PORT
# Arguments:
@@ -49,6 +50,7 @@ EOF
insert_header "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
insert_comments "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
if [[ "${#ARY_ALLOW_IPV4[@]}" -gt 0 ]]; then
### fail2ban ufw aggressive mode, one attempt for jumphost configuration.
@@ -58,10 +60,28 @@ usedns = yes
ignoreip = 127.0.0.0/8 ::1
# ${VAR_FINAL_FQDN}
${VAR_FINAL_IPV4}
EOF
if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
${VAR_FINAL_IPV6}/64
EOF
fi
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
# Jumphost
${ARY_ALLOW_IPV4[*]}
EOF
if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
${ARY_ALLOW_IPV6[*]}
EOF
fi
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
maxretry = 8
findtime = 12h
bantime = 12h
@@ -106,7 +126,16 @@ usedns = yes
ignoreip = 127.0.0.0/8 ::1
# ${VAR_FINAL_FQDN}
${VAR_FINAL_IPV4}
EOF
if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
${VAR_FINAL_IPV6}/64
EOF
fi
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
maxretry = 8
findtime = 12h
bantime = 12h
@@ -146,7 +175,9 @@ EOF
### Provider Hetzner needs special ignoreip rules.
if [[ "${VAR_PROVIDER}" == "hetzner" ]]; then
sed -i '0,/^maxretry/{s/^maxretry/# Hetzner Intern\n 172.31.1.1\/16\n&/}' "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
fi
insert_header "${TARGET}/etc/fail2ban/filter.d/ufw.aggressive.conf"
@@ -211,4 +242,7 @@ EOF
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f hardening_fail2ban
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

69
func/cdi_4500_user/4520_accounts_setup.sh
View File

@@ -24,13 +24,14 @@ guard_sourcing
# user_root_authentication_access_ssh
# user_root_authentication_access_tty
# user_root_authentication_password
# user_root_password
# user_root_shell
# user_root_specific
# user_root_sshpubkey
# Arguments:
# None
# Returns:
# 0: on success
# ERR_ACCOUNT_CREATE: on failure
#######################################
accounts_setup() {
### Declare Arrays, HashMaps, and Variables.
@@ -102,19 +103,28 @@ accounts_setup() {
do_log "info" "file_only" "4520() Skeleton: 'root' successfully generated."
### 2) Check SSH access capabilities.
case "${user_root_authentication_access_ssh}" in
case "${user_root_authentication_access_ssh,,}" in
false)
sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'no')|" "${TARGET}/etc/ssh/sshd_config"
do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin no]"
;;
true)
sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'prohibit-password')|" "${TARGET}/etc/ssh/sshd_config"
do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin prohibit-password]"
;;
*)
do_log "fatal" "file_only" "4520() Not set: user_root_authentication_access_ssh [${user_root_authentication_access_ssh}]"
return "${ERR_ACCOUNT_CREATE}"
;;
esac
### 3) Check tty access capabilities.
case "${user_root_authentication_access_tty}" in
case "${user_root_authentication_access_tty,,}" in
false)
### 3) A) 1) Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
pam_access_sync_login_sshd
@@ -165,33 +175,53 @@ tty1
EOF
do_log "info" "file_only" "4520() User: 'root' tty access: [true]"
;;
*)
do_log "fatal" "file_only" "4520() Not set: user_root_authentication_access_tty [${user_root_authentication_access_tty}]"
return "${ERR_ACCOUNT_CREATE}"
;;
esac
### 4) Check the password policy for the 'root' account.
case "${user_root_authentication_password}" in
case "${user_root_authentication_password,,}" in
false)
chroot_script "${TARGET}" "passwd -l root"
do_log "info" "file_only" "4520() User: 'root' password access: [false]"
;;
true)
chroot_script "${TARGET}" "printf '%s:%s\n' root '${var_password}' | /usr/sbin/chpasswd -e"
#chroot_script "${TARGET}" "/usr/sbin/usermod -p '${user_root_password}' root"
do_log "info" "file_only" "4520() User: 'root' password access: [true]"
;;
*)
do_log "fatal" "file_only" "4520() Not set: user_root_authentication_password [${user_root_authentication_password}]"
return "${ERR_ACCOUNT_CREATE}"
;;
esac
### 5) Update the 'root' SSH pubkey, if provided via 'preseed.yaml'.
if [[ -n "${user_root_sshpubkey:-}" ]]; then
printf "%s\n" "${user_root_sshpubkey}" >| "${TARGET}/root/.ssh/authorized_keys"
do_log "info" "file_only" "4520() User: 'root' SSH public key: inserted."
fi
### 6) Update the 'root' 'totp'-policy and write the '.google_authenticator'-file.
if [[ "${user_root_authentication_2fa_ssh}" == "true" || "${user_root_authentication_2fa_tty}" == "true" ]]; then
write_google_authenticator_file "root" "0" "0"
fi
if [[ "${user_root_authentication_2fa_ssh}" == "true" ]]; then
pam_access_totp_enable "root" "sshd"
var_ssh_totp_update="true"
cat << EOF >> "${TARGET}/etc/ssh/sshd_config"
@@ -318,6 +348,11 @@ EOF
"${var_username}"
;;
*)
do_log "fatal" "file_only" "4520() Not set: var_restricted:var_system [${var_restricted}:${var_system}]"
return "${ERR_ACCOUNT_CREATE}"
;;
esac
### 1) Prepare the 'user' account.
@@ -365,7 +400,8 @@ EOF
### Nothing to do here as per-user SSH capabilities are already handled in '4330_installation_ssh.sh'.
### 3) Check tty access capabilities.
case "${var_access_tty}" in
case "${var_access_tty,,}" in
false)
### 3) A) 1) Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
pam_access_sync_login_sshd
@@ -388,33 +424,52 @@ EOF
do_log "info" "file_only" "4520() User: '${var_username}' tty access: [true]"
;;
*)
do_log "fatal" "file_only" "4520() Not set: var_access_tty [${var_access_tty}]"
return "${ERR_ACCOUNT_CREATE}"
;;
esac
### 4) Check the password policy for the 'user' account.
case "${var_auth_pwd}" in
false)
chroot_script "${TARGET}" "passwd -l ${var_username}"
do_log "info" "file_only" "4520() User: '${var_username}' password access: [false]"
;;
true)
chroot_script "${TARGET}" "printf '%s:%s\n' \"${var_username}\" '${var_password}' | /usr/sbin/chpasswd -e"
#chroot_script "${TARGET}" "/usr/sbin/usermod -p '${var_password}' ${var_username}"
do_log "info" "file_only" "4520() User: '${var_username}' password access: [true]"
;;
*)
do_log "fatal" "file_only" "4520() Not set: var_auth_pwd [${var_auth_pwd}]"
return "${ERR_ACCOUNT_CREATE}"
;;
esac
### 5) Update the 'user' SSH pubkey, if provided via 'preseed.yaml'.
if [[ -n "${var_sshpubkey:-}" ]]; then
printf "%s\n" "${var_sshpubkey}" >| "${TARGET}/home/${var_username}/.ssh/authorized_keys"
do_log "info" "file_only" "4520() User: '${var_username}' SSH public key: inserted."
fi
### 6) Update the 'root' 'totp'-policy and write the '.google_authenticator'-file.
if [[ "${var_2fa_ssh}" == "true" || "${var_2fa_tty}" == "true" ]]; then
write_google_authenticator_file "${var_username}" "${var_uid}" "${var_gid}"
fi
if [[ "${var_2fa_ssh}" == "true" ]]; then
pam_access_totp_enable "${var_username}" "sshd"
var_ssh_totp_update="true"
cat << EOF >> "${TARGET}/etc/ssh/sshd_config"
@@ -453,13 +508,17 @@ EOF
done
if [[ "${var_ssh_totp_update}" == "true" ]]; then
sed -i -E "s|^[[:space:]]*KbdInteractiveAuthentication[[:space:]]+.*$|$(printf '%-29s%s' 'KbdInteractiveAuthentication' 'yes')|" "${TARGET}/etc/ssh/sshd_config"
fi
unset VAR_TEMP_PLAIN_MFA_SEED
if ! grep -Fqx -- '-: ALL:ALL' "${TARGET}/etc/security/access.conf"; then
printf '%s\n' '-: ALL:ALL' >> "${TARGET}/etc/security/access.conf"
fi
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${TARGET}/etc/security/access.conf"

73
func/cdi_5000_recovery/5000_debootstrap.sh
View File

@@ -1,73 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Install a minimal Debian environment using the 'debootstrap' command.
# Globals:
# LOG_REC
# RECOVERY
# VAR_ARCHITECTURE
# VAR_CODENAME
# debootstrap_includes
# debootstrap_mirror
# Arguments:
# None
# Returns:
# 0: on success
# ERR_DEBOOTSTRAP
#######################################
func_debootstrap_reco() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_arch="${VAR_ARCHITECTURE}"
declare -r var_dist="${VAR_CODENAME}"
declare -r var_target="${RECOVERY}"
declare -r var_mirror="${debootstrap_mirror}"
declare -r var_includes="${debootstrap_includes}"
declare -a ary_cmd=()
ary_cmd+=( "debootstrap" "--arch=${var_arch}" "--keep-debootstrap-dir" "--log-extra-deps" "--merged-usr" )
if [[ -n "${var_includes}" ]]; then ary_cmd+=( "--include=${var_includes}" ); fi
ary_cmd+=( "${var_dist}" "${var_target}" "${var_mirror}" )
do_log "debug" "file_only" "5000() Executing: [${ary_cmd[*]}]"
# shellcheck disable=SC2312
if "${ary_cmd[@]}" | tee "${LOG_REC}"; then
do_log "info" "file_only" "5000() [${ary_cmd[*]}] successful."
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/backup"
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/debootstrap"
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/hooks"
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/keys"
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/log"
mv -T "${var_target}/debootstrap" "${var_target}/root/.ciss/cdi/debootstrap"
chmod 0700 "${var_target}/root/.ciss"
chmod 0700 "${var_target}/root/.ciss/cdi"
chmod 0700 "${var_target}/root/.ciss/cdi/debootstrap"
guard_dir && return 0
else
do_log "emergency" "file_only" "5000() [${ary_cmd[*]}] failed."
return "${ERR_DEBOOTSTRAP}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

83
func/cdi_5000_recovery/5005_debootstrap_checks.sh
View File

@@ -1,83 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Preliminary post debootstrap checks.
# Globals:
# RECOVERY
# Arguments:
# None
# Returns:
# 0: on success
#######################################
check_debootstrap_reco() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/5005_debootstrap_checks.log"
chroot_logger "${RECOVERY}${var_logfile}"
chroot_script "${RECOVERY}" "
{
### Header
echo '==[debootstrap checks]=='
date -Is 2>/dev/null || true
### dpkg audit (non-fatal)
echo '### dpkg --audit'
dpkg --audit || true
### essential subset (status & version)
echo '### dpkg-query essential subset'
dpkg-query -W -f='\${db:Status-Abbrev} \${binary:Package} \${Version}\n' dpkg libc6 coreutils bash apt systemd 2>/dev/null || true
### init presence (log explicit)
echo '### init presence'
if [[ -x /sbin/init ]] || [[ -x /lib/systemd/systemd ]]; then
echo 'init_present=yes'
else
echo 'init_present=no'
fi
### awk path and alternative link (if any)
echo '### awk'
awk_path=\$(command -v awk || true)
printf 'awk_path=%s\n' \"\$awk_path\"
if [[ -L /usr/bin/awk ]]; then
printf 'awk_link=/usr/bin/awk -> %s\n' \"\$(readlink -f /usr/bin/awk 2>/dev/null || true)\"
fi
### usr-merge / tainted check
echo '### usr-merge / taint'
usr_merge_ok=yes
for p in /bin /sbin /lib /lib64; do
[[ -e \"\$p\" ]] || continue
if [[ -L \"\$p\" ]]; then
tgt=\$(readlink -f \"\$p\" 2>/dev/null || true)
printf '%s -> %s\n' \"\$p\" \"\$tgt\"
else
usr_merge_ok=no
printf '%s is not a symlink (tainted: unmerged-bin)\n' \"\$p\"
fi
done
printf 'usr_merge_ok=%s\n' \"\$usr_merge_ok\"
### architecture
echo '### architecture'
dpkg --print-architecture 2>/dev/null || true
} >> ${var_logfile}
"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

119
func/cdi_5000_recovery/5010_prepare_mounts.sh
View File

@@ -1,119 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Configure the recovery system for chroot.
# Globals:
# ERR_CHRT_MOUNTS
# RECOVERY
# VAR_CHROOT_ACTIVATED
# VAR_NEED_RUN_IN_TARGET
# Arguments:
# None
# Returns:
# ERR_CHRT_MOUNTS
# 0: on success
#######################################
prepare_mounts_reco() {
### Notes
# This file mounts all necessary pseudo filesystems into the target root environment to enable chroot operations.
# --rbind: recursive binding.
# --make-rslave: In this case, the mount point is marked as 'slave'.
# This means changes to the source mount (e.g., /proc) are propagated to the target mount (e.g., "${RECOVERY}/proc").
# Conversely, changes to the target mount are not propagated back to the source mount.
# This mode is necessary to avoid problems with double or erroneous propagation effects in chroot or container environments.
#
# Some subdirectories (such as /dev/pts, /dev/shm, /sys/fs/cgroup) are remounted with more restrictive options
# like 'noexec', 'nosuid', and 'nodev' to enhance security. This ensures they override the inherited bind-mounts and
# enforce proper runtime behavior in the chroot.
### Declare Arrays, HashMaps, and Variables.
declare -A HMP_SPECIAL_MOUNTS=(
["/dev"]="devtmpfs devtmpfs mode=0755,nosuid" # Base device node FS
["/dev/pts"]="devpts devpts noexec,nosuid" # Pseudoterminals
["/dev/shm"]="tmpfs tmpfs rw,nosuid,nodev" # Shared memory
["/dev/mqueue"]="mqueue mqueue rw,nosuid,nodev,noexec" # POSIX message queues
["/dev/hugepages"]="hugetlbfs hugetlbfs rw,nosuid,nodev" # Huge pages
["/proc"]="proc proc nosuid,noexec,nodev" # procfs
["/sys"]="sysfs sysfs nosuid,noexec,nodev" # sysfs
["/sys/fs/cgroup"]="cgroup2 cgroup2 rw,nosuid,nodev,noexec,relatime" # Unified cgroup2
)
declare var_path="" var_fs="" var_src="" var_opts=""
for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
mkdir -p "${RECOVERY}${var_path}"
done
for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
IFS=" " read -r var_fs var_src var_opts <<< "${HMP_SPECIAL_MOUNTS[${var_path}]}"
if mountpoint -q "${RECOVERY}${var_path}"; then
do_log "info" "file_only" "5010() Skipped: '${RECOVERY}${var_path}' is already a mountpoint."
continue
fi
if ! mount -t "${var_fs}" "${var_src}" "${RECOVERY}${var_path}" -o "${var_opts}"; then
do_log "emergency" "file_only" "5010() Command: [mount -t ${var_fs} ${var_src} ${RECOVERY}${var_path} -o ${var_opts}] failed."
return "${ERR_CHRT_MOUNTS}"
fi
do_log "info" "file_only" "5010() Command: [mount -t ${var_fs} ${var_src} ${RECOVERY}${var_path} -o ${var_opts}] successful."
done
if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
mkdir -p "${RECOVERY}/run"
if ! mount --make-rslave --rbind /run "${RECOVERY}/run"; then
do_log "emergency" "file_only" "5010() Command: [mount --make-rslave --rbind /run ${RECOVERY}/run] failed."
return "${ERR_CHRT_MOUNTS}"
fi
do_log "info" "file_only" "5010() Command: [mount --make-rslave --rbind /run ${RECOVERY}/run] successful."
fi
if ! chroot_exec "${RECOVERY}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
do_log "emergency" "file_only" "5010() Command: [chroot_exec ${RECOVERY} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
return "${ERR_CHRT_MOUNTS}"
fi
do_log "info" "file_only" "5010() Command: [chroot_exec ${RECOVERY} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
mkdir -p "${RECOVERY}/media/cdrom0"
# shellcheck disable=SC2034
declare -gx VAR_CHROOT_ACTIVATED="recovery"
do_log "info" "file_only" "5010() Command: [declare -gx VAR_CHROOT_ACTIVATED=recovery]"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

49
func/cdi_5000_recovery/5015_check_usr_merge.sh
View File

@@ -1,49 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Check if the recovery system is not 'tainted: unmerged-usr'.
# Globals:
# RECOVERY
# architecture
# Arguments:
# None
# Returns:
# 0: on success
#######################################
check_usr_merge_reco() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/5015_check_usr_merge.log"
chroot_logger "${RECOVERY}${var_logfile}"
# shellcheck disable=SC2312
chroot_script "${RECOVERY}" "
test -L /bin && test $(readlink -f /bin) = '/usr/bin' && echo 'MERGED:/bin' >> ${var_logfile} || echo 'UNMERGED:/bin' >> ${var_logfile}
test -L /sbin && test $(readlink -f /sbin) = '/usr/sbin' && echo 'MERGED:/sbin' >> ${var_logfile} || echo 'UNMERGED:/sbin' >> ${var_logfile}
test -L /lib && test $(readlink -f /lib) = '/usr/lib' && echo 'MERGED:/lib' >> ${var_logfile} || echo 'UNMERGED:/lib' >> ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
if [[ "${architecture}" == "amd64" ]]; then
# shellcheck disable=SC2312
chroot_script "${RECOVERY}" "
test -L /lib64 && test $(readlink -f /lib64) = '/usr/lib64' && echo 'MERGED:/lib64' >> ${var_logfile} || echo 'UNMERGED:/lib64' >> ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
fi
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

42
func/cdi_5000_recovery/5020_remove_x509.sh
View File

@@ -1,42 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Chroot hook for deleting all expired X.509 certificates in the recovery system.
# Globals:
# RECOVERY
# VAR_SETUP_PATH
# Arguments:
# None
# Returns:
# 0: on success
#######################################
remove_x509_reco() {
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/4020_remove_x509.hooks.sh" \
"${RECOVERY}/root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh"
if ! chroot_script "${RECOVERY}" "/root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh" "emergency"; then
do_log "warn" "file_only" "5020() Command: [chroot_script ${RECOVERY} /root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh emergency] failed."
else
do_log "debug" "file_only" "5020() Command: [chroot_script ${RECOVERY} /root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh emergency] successful."
fi
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

32
func/cdi_5000_recovery/5030_setup_hostname.sh
View File

@@ -1,32 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Configure the '/etc/hostname' | '/etc/hosts' | '/etc/mailname' files.
# Globals:
# RECOVERY
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_hostname_reco() {
cp -a "${TARGET}/etc/hosts" "${RECOVERY}/etc/hosts"
cp -a "${TARGET}/etc/hostname" "${RECOVERY}/etc/hostname"
cp -a "${TARGET}/etc/mailname" "${RECOVERY}/etc/mailname"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

36
func/cdi_5000_recovery/5035_setup_resolv.sh
View File

@@ -1,36 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Configure the '/etc/resolv.conf' file.
# Globals:
# RECOVERY
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_resolv_reco() {
if [[ -f "${RECOVERY}/etc/resolv.conf" ]]; then
mkdir -p "${RECOVERY}/root/.ciss/cdi/backup/etc"
mv "${RECOVERY}/etc/resolv.conf" "${RECOVERY}/root/.ciss/cdi/backup/etc/resolv.conf.bak"
do_log "info" "file_only" "5035() Existing '${RECOVERY}/etc/resolv.conf' moved."
fi
cp -a "${TARGET}/etc/resolv.conf" "${RECOVERY}/etc/resolv.conf"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

39
func/cdi_5000_recovery/5040_setup_timezone.sh
View File

@@ -1,39 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Configure the '/etc/timezone' | '/etc/localtime' files.
# Globals:
# RECOVERY
# ntp_timezone
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_timezone_reco() {
### Create '${RECOVERY}/etc/timezone' file.
cat << EOF >| "${RECOVERY}/etc/timezone"
${ntp_timezone:-UTC}
EOF
chmod 0644 "${RECOVERY}/etc/timezone"
do_log "info" "file_only" "5040() File generated: '${RECOVERY}/etc/timezone' | timezone '${ntp_timezone:-UTC}'."
chroot_exec "${RECOVERY}" ln -sf "/usr/share/zoneinfo/${ntp_timezone}" /etc/localtime
chroot_exec "${RECOVERY}" dpkg-reconfigure -f noninteractive tzdata
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

138
func/cdi_5000_recovery/5050_setup_locales.sh
View File

@@ -1,138 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Set locale, locale overrides and configure keyboard layout.
# Globals:
# ARY_LOCALE
# RECOVERY
# VAR_ARCHITECTURE
# VAR_CODENAME
# VAR_VERSION
# locale_country
# locale_keyboard_xkb_keymap
# locale_language
# locale_override_address
# locale_override_collate
# locale_override_ctype
# locale_override_measurement
# locale_override_messages
# locale_override_monetary
# locale_override_name
# locale_override_numeric
# locale_override_paper
# locale_override_telephone
# locale_override_time
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_locales_reco() {
### Declare Arrays, HashMaps, and Variables.
declare var_locale_hook="/root/.ciss/cdi/hooks/4050_setup_locales.hooks.sh"
### Give priority to '${locale_locale}' over separately configured variables '${locale_country}' and '${locale_language}'.
### If 'locale_locale' is not set, build it from 'locale_language' and 'locale_country'.
if [[ -n "${locale_language:-}" && -n "${locale_country:-}" && -z "${ARY_LOCALE[0]:-}" ]]; then
ARY_LOCALE+="${locale_language}_${locale_country}.UTF-8"
fi
### Creat Hook in target.
cat << EOF >| "${RECOVERY}${var_locale_hook}"
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
declare -a ary_locale=()
declare -r locale_0=${ARY_LOCALE[0]:-en_US.UTF-8}
declare -r locale_1=${ARY_LOCALE[1]:-}
declare loc=""
EOF
cat << 'EOF' >> "${RECOVERY}${var_locale_hook}"
ary_locale+=( "${locale_0}" )
[[ -n "${locale_1}" ]] && ary_locale+=( "${locale_1}" )
for loc in "${ary_locale[@]}"; do
if ! grep -qx "${loc} UTF-8" /etc/locale.gen; then
sed -i "s/^# ${loc} UTF-8/${loc} UTF-8/" /etc/locale.gen || echo "${loc} UTF-8" >> /etc/locale.gen
fi
done
locale-gen --purge "${ary_locale[@]}"
for loc in "${ary_locale[@]}"; do
locale_check=$(echo "${loc}" | sed 's/UTF-8/utf8/')
if ! locale -a | grep -qx "${locale_check}"; then
echo "Locale '${loc}' has not been generated successfully." >&2
exit 1
fi
done
EOF
cat << EOF >> "${RECOVERY}${var_locale_hook}"
update-locale \
LANG=${ARY_LOCALE[0]} \
LC_ADDRESS=${locale_override_address:-${ARY_LOCALE[0]}} \
LC_COLLATE=${locale_override_collate:-${ARY_LOCALE[0]}} \
LC_CTYPE=${locale_override_ctype:-${ARY_LOCALE[0]}} \
LC_MEASUREMENT=${locale_override_measurement:-${ARY_LOCALE[0]}} \
LC_MESSAGES=${locale_override_messages:-${ARY_LOCALE[0]}} \
LC_MONETARY=${locale_override_monetary:-${ARY_LOCALE[0]}} \
LC_NAME=${locale_override_name:-${ARY_LOCALE[0]}} \
LC_NUMERIC=${locale_override_numeric:-${ARY_LOCALE[0]}} \
LC_PAPER=${locale_override_paper:-${ARY_LOCALE[0]}} \
LC_TELEPHONE=${locale_override_telephone:-${ARY_LOCALE[0]}} \
LC_TIME=${locale_override_time:-${ARY_LOCALE[0]}} \
LC_IDENTIFICATION=${ARY_LOCALE[0]}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0700 "${RECOVERY}${var_locale_hook}"
chroot_script "${RECOVERY}" "${var_locale_hook}"
### Set the keyboard layout for the system (for consoles).
insert_header "${RECOVERY}/etc/default/keyboard"
insert_comments "${RECOVERY}/etc/default/keyboard"
cat << EOF >> "${RECOVERY}/etc/default/keyboard"
# KEYBOARD CONFIGURATION FILE
# Consult the keyboard(5) manual page.
XKBMODEL="pc105"
XKBLAYOUT="${locale_keyboard_xkb_keymap}"
XKBVARIANT=""
XKBOPTIONS=""
BACKSPACE="guess"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
chmod 0644 "${RECOVERY}/etc/default/keyboard"
do_log "info" "file_only" "4050() Keyboard layout updated: 'XKBLAYOUT=${locale_keyboard_xkb_keymap}' -> '${RECOVERY}/etc/default/keyboard'."
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

185
func/cdi_5000_recovery/5105_generate_sources_822.sh
View File

@@ -1,185 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Generate target '/etc/apt/sources.list.d/' deb.822 entries.
# Globals:
# RECOVERY
# apt_contrib
# apt_deb_sources
# apt_mirror_directory
# apt_mirror_hostname
# apt_mirror_protocol
# apt_non_free
# apt_non_free_firmware
# apt_sec
# apt_updates_backports
# apt_updates_release
# apt_updates_security
# architecture
# distribution
# Arguments:
# None
# Returns:
# 0: on success
#######################################
generate_sources822_reco() {
### Declare Arrays, HashMaps, and Variables.
declare -a ary_components=() ary_types=()
declare var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
# shellcheck disable=SC2154 # "${architecture}"
var_arch="${architecture,,}"
# shellcheck disable=SC2154 # "${distribution}"
var_codename="${distribution,,}"
# shellcheck disable=SC2154 # "${apt_deb_sources}"
var_deb_src="${apt_deb_sources,,}"
# shellcheck disable=SC2154 # "${apt_mirror_directory}"
var_dir="${apt_mirror_directory,,}"
# shellcheck disable=SC2154 # "${apt_mirror_hostname}"
var_hostname="${apt_mirror_hostname,,}"
# shellcheck disable=SC2154 # "${apt_sec}"
var_hostsecure="${apt_sec,,}"
ary_components=( "main" )
[[ "${apt_contrib,,}" == "true" ]] && ary_components+=( "contrib" )
[[ "${apt_non_free,,}" == "true" ]] && ary_components+=( "non-free" )
[[ "${apt_non_free_firmware,,}" == "true" ]] && ary_components+=( "non-free-firmware" )
ary_types=( "deb" )
[[ "${apt_deb_sources,,}" == "true" ]] && ary_types+=( "deb-src" )
if [[ "${apt_mirror_protocol,,}" == "https" ]]; then
var_url="https://${var_hostname}${var_dir}"
var_surl="https://${var_hostsecure}/debian-security"
elif [[ "${apt_mirror_protocol,,}" == "http" ]]; then
var_url="http://${var_hostname}${var_dir}"
var_surl="http://${var_hostsecure}/debian-security"
else
var_url="https://${var_hostname}${var_dir}"
var_surl="https://${var_hostsecure}/debian-security"
fi
### Main Repository
insert_header "${RECOVERY}/etc/apt/sources.list.d/trixie.sources"
insert_comments "${RECOVERY}/etc/apt/sources.list.d/trixie.sources"
cat << EOF >> "${RECOVERY}/etc/apt/sources.list.d/trixie.sources"
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
Types: ${ary_types[*]}
URIs: ${var_url}
Suites: ${var_codename}
Components: ${ary_components[*]}
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
### Security Repository
if [[ "${apt_updates_security,,}" == "true" ]]; then
insert_header "${RECOVERY}/etc/apt/sources.list.d/trixie-security.sources"
insert_comments "${RECOVERY}/etc/apt/sources.list.d/trixie-security.sources"
cat << EOF >> "${RECOVERY}/etc/apt/sources.list.d/trixie-security.sources"
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
Types: ${ary_types[*]}
URIs: ${var_surl}
Suites: ${var_codename}-security
Components: ${ary_components[*]}
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
fi
### Updates Repository
if [[ "${apt_updates_release,,}" == "true" ]]; then
insert_header "${RECOVERY}/etc/apt/sources.list.d/trixie-updates.sources"
insert_comments "${RECOVERY}/etc/apt/sources.list.d/trixie-updates.sources"
cat << EOF >> "${RECOVERY}/etc/apt/sources.list.d/trixie-updates.sources"
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
Types: ${ary_types[*]}
URIs: ${var_url}
Suites: ${var_codename}-updates
Components: ${ary_components[*]}
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
fi
### Backports Repository
if [[ "${apt_updates_backports,,}" == "true" ]]; then
insert_header "${RECOVERY}/etc/apt/sources.list.d/trixie-backports.sources"
insert_comments "${RECOVERY}/etc/apt/sources.list.d/trixie-backports.sources"
cat << EOF >> "${RECOVERY}/etc/apt/sources.list.d/trixie-backports.sources"
#------------------------------------------------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#------------------------------------------------------------------------------------------------------------------------------#
Types: ${ary_types[*]}
URIs: ${var_url}
Suites: ${var_codename}-backports
Components: ${ary_components[*]}
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
fi
if [[ -f "${RECOVERY}/etc/apt/sources.list" ]]; then
rm -f "${RECOVERY}/etc/apt/sources.list"
fi
insert_header "${RECOVERY}/etc/apt/apt.conf.d/90-no-pdiffs"
insert_comments "${RECOVERY}/etc/apt/apt.conf.d/90-no-pdiffs"
cat << 'EOF' >> "${RECOVERY}/etc/apt/apt.conf.d/90-no-pdiffs"
Acquire::PDiffs "false";
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
sed -i -E 's|^([[:space:]]*)#+|\1//|' "${RECOVERY}/etc/apt/apt.conf.d/90-no-pdiffs"
insert_header "${RECOVERY}/etc/apt/apt.conf.d/91-acquire"
insert_comments "${RECOVERY}/etc/apt/apt.conf.d/91-acquire"
cat << 'EOF' >> "${RECOVERY}/etc/apt/apt.conf.d/91-acquire"
Acquire::Retries "3";
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
sed -i -E 's|^([[:space:]]*)#+|\1//|' "${RECOVERY}/etc/apt/apt.conf.d/91-acquire"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

74
func/cdi_5000_recovery/5110_update_sources.sh
View File

@@ -1,74 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Update generated sources.
# Every 'apt-get install' command is invoked by adding 'export INITRD=No'
# to suppress the 'update-initramfs'-Kernel-Hooks, according to the initramfs-tools manpage:
# https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
# Globals:
# RECOVERY
# apt_updates_policy
# Arguments:
# None
# Returns:
# 0: on success
#######################################
update_sources_reco() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/5110_update_sources.log"
chroot_logger "${RECOVERY}${var_logfile}"
### Update generated sources.
# shellcheck disable=SC2312
chroot_script "${RECOVERY}" "apt-get update 2>&1 | tee -a ${var_logfile}; echo ExitCode: \$? >> ${var_logfile}"
do_log "info" "file_only" "5110() Sources lists: updated successfully."
### Update unattended, security, or no unattended updates at all.
if [[ "${apt_updates_policy,,}" == "unattended" ]]; then
chroot_script "${RECOVERY}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
do_log "info" "file_only" "5110() The update policy was set at installation time to: '${apt_updates_policy}'."
elif [[ "${apt_updates_policy,,}" == "security" ]]; then
chroot_script "${RECOVERY}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
# shellcheck disable=SC2016
sed -i 's/^[[:space:]]*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${RECOVERY}/etc/apt/apt.conf.d/50unattended-upgrades"
do_log "info" "file_only" "5110() The update policy was set at installation time to: '${apt_updates_policy}'."
elif [[ "${apt_updates_policy,,}" == "none" ]]; then
do_log "info" "file_only" "5110() The update policy was set at installation time to: '${apt_updates_policy}'."
else
do_log "warning" "file_only" "5110() Update policy '${apt_updates_policy}': is not supported. Using 'none' as default."
fi
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

4
includes/target/etc/chrony/chrony.cnf
View File

@@ -30,4 +30,6 @@ maxupdateskew 100.0
rtcsync
makestep 1 3
makestep 0.25 3
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

142
includes/target/etc/skel/.ciss/check_chrony.sh Normal file
View File

@@ -0,0 +1,142 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
#######################################
# Minimal leap-second probe for Debian/chrony systems.
# - Prints kernel leap flags & TAI offset (ΔAT).
# - Reads tzdata's leap-seconds list (authoritative TAI-UTC).
# - Shows chrony tracking summary (incl. leap status).
# - Demonstrates 23:59:60 rendering via TZ=right/UTC.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: on success
#######################################
main() {
### 1) System TZ and tzdata source.
printf "System TZ link: [%s]\n\n" "$(readlink -f /etc/localtime || true)"
if [[ -f /usr/share/zoneinfo/leap-seconds.list ]]; then
declare tz_leap_line tz_tai tz_ntp ts_human
tz_leap_line="$(awk '($1 !~ /^#/) {L=$0} END{print L}' /usr/share/zoneinfo/leap-seconds.list)"
tz_ntp="$(awk '{print $1}' <<<"${tz_leap_line}")"
tz_tai="$(awk '{print $2}' <<<"${tz_leap_line}")"
ts_human="$(awk -F'#' '{gsub(/^[[:space:]]+/, "", $2); print $2}' <<<"${tz_leap_line}")"
printf "tzdata ΔAT (TAI-UTC): %s s [last change at: %s; NTP ts: %s]\n\n" "${tz_tai:-?}" "${ts_human:-?}" "${tz_ntp:-?}"
else
printf "tzdata leap-seconds.list not found.\n"
fi
### 2) Kernel view (requires adjtimex).
if command -v adjtimex >/dev/null 2>&1; then
printf "Kernel time status (adjtimex -p):\n"
adjtimex -p | sed 's/^/ /'
declare k_tai
k_tai="$(adjtimex -p | awk '/^tai:/ {print $2}')"
if [[ -n "${k_tai:-}" ]]; then
printf "Kernel-exported ΔAT [tai]: %s s\n" "${k_tai}"
fi
else
printf "Package: 'adjtimex' not found. Install 'adjtimex' for kernel leap/TAI details.\n\n"
fi
### 3) Chrony summary.
if command -v chronyc >/dev/null 2>&1; then
printf "\n"
printf "chronyc tracking:\n"
chronyc -n tracking | sed 's/^/ /'
else
printf "Package: 'chronyc' not found. Skipping chrony status.\n\n"
fi
### 4) right/UTC demonstration of 23:59:60 (uses 2016-12-31 leap).
if [[ -f /usr/share/zoneinfo/right/UTC ]]; then
printf "\n"
printf "right/UTC leap rendering check (expect 23:59:60):\n\n"
TZ=right/UTC date -ud '2017-01-01 00:00:00 -1 second' || true
else
printf "\n"
printf "File: 'tzdata right/UTC' zone not installed; skipping 23:59:60 demo.\n\n"
fi
printf "\n"
printf "Hint:\n"
printf " • ΔAT (TAI-UTC) should match tzdata and kernel (chrony sets kernel TAI if leapsectz/leapseclist is used).\n"
printf " • For monotonic intervals, apps must use CLOCK_MONOTONIC, not CLOCK_REALTIME.\n"
return 0
}
### Build right/UTC from tzdata leap table if missing.
if [[ ! -e /usr/share/zoneinfo/right/UTC ]]; then
install -d -m 0755 /usr/share/zoneinfo/right
### Minimal zic source for a fixed UTC zone.
declare -r tmp_src="/tmp/UTC.src"
printf 'Zone UTC 0 - UTC\n' > "${tmp_src}"
### Prefer the zic-format leapseconds file.
declare leap_zic="/usr/share/zoneinfo/leapseconds"
if [[ -s "${leap_zic}" ]]; then
zic -d /usr/share/zoneinfo/right -L "${leap_zic}" "${tmp_src}"
else
echo "WARNING: ${leap_zic} not found; building right/UTC without leap info." >&2
zic -d /usr/share/zoneinfo/right -L /dev/null "${tmp_src}"
fi
rm -f "${tmp_src}"
fi
if [[ -e /usr/share/zoneinfo/right/UTC ]]; then
### Expect to see 'Sat Dec 31 23:59:60 UTC 2016' rendered in right/UTC
TZ=right/UTC date -ud '2017-01-01 00:00:00 -1 second' || true
fi
main "$@"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

8
includes/target/etc/ssh/sshd_config
View File

@@ -64,12 +64,12 @@ GatewayPorts no
### A+ Rating 100/100
RequiredRSASize 4096
Ciphers aes256-gcm@openssh.com
KexAlgorithms sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512,gss-curve25519-sha256-
HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
CASignatureAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519,sk-ssh-ed25519@openssh.com
CASignatureAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519
GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
HostbasedAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
### Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)

2
lib/cdi_0005_guard/0006_source_guard.sh
View File

@@ -12,6 +12,8 @@
#######################################
# Prevent the file to be sourced twice.
# Globals:
# None
# Arguments:
# 1: File to source.
#######################################

2
lib/cdi_0005_guard/0007_guard_safe_exec.sh
View File

@@ -14,6 +14,8 @@ guard_sourcing
#######################################
# Generic safe wrapper for external commands.
# Globals:
# None
# Arguments:
# *: full command (array, quoted!)
# 2: ERR_CONST on failure

10
lib/cdi_0005_guard/0008_guard_variable.sh
View File

@@ -16,6 +16,8 @@ guard_sourcing
# Converts the value of a passed variable to lowercase.
# Example:
# ensure_lowercase "VAR"
# Globals:
# None
# Arguments:
# 1: VARIABLE name only
# Returns:
@@ -40,6 +42,8 @@ readonly -f ensure_lowercase
# Converts the value of a passed variable to uppercase.
# Example:
# ensure_uppercase "VAR"
# Globals:
# None
# Arguments:
# 1: VARIABLE name only
# Returns:
@@ -64,6 +68,8 @@ readonly -f ensure_uppercase
# Removes leading and trailing spaces in the value.
# Example:
# ensure_trimmed "VAR"
# Globals:
# None
# Arguments:
# 1: VARIABLE name only
# Returns:
@@ -89,6 +95,8 @@ readonly -f ensure_trimmed
# Resets the value of the variable to a default value if it is empty or contains only whitespace.
# Example:
# reset_to_default "VAR" "fallback"
# Globals:
# None
# Arguments:
# 1: VARIABLE name only
# 2: Fallback value
@@ -119,6 +127,8 @@ readonly -f reset_to_default
# Checks whether the content of a variable matches a specific regex.
# Example:
# assert_match "FOO" '^[a-z0-9_-]+$'
# Globals:
# None
# Arguments:
# 1: VARIABLE name only
# 2: Regex in 'single quotes'

2
lib/cdi_0005_guard/0009_guard_dir.sh
View File

@@ -14,6 +14,8 @@ guard_sourcing
#######################################
# Function to log a module success message and change pwd to script root.
# Globals:
# None
# Arguments:
# None
#######################################

9
lib/cdi_0010_basic/0010_color_echo.sh
View File

@@ -15,9 +15,10 @@ guard_sourcing
#######################################
# Print-colored text.
# Globals:
# MAG
# NL
# RES
# WHI
# VAR_DIALOG
# Arguments:
# 1: Color code.
# *: Text to print.
@@ -28,6 +29,9 @@ color_echo() {
declare msg="${*}"
printf "%b[INFO]%b%b %s %b%b" "${c}" "${RES}" "${MAG}" "${msg}" "${RES}" "${NL}" | tee -a "${VAR_DIALOG}"
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f color_echo
#######################################
# Print the current module in plain or colorful format.
@@ -45,4 +49,7 @@ info_echo() {
color_echo "${GRE}" "MAIN PROGRAM SEQUENCE: ${module} ..."
fi
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f info_echo
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

6
lib/cdi_0010_basic/0011_gen_dir_files.sh
View File

@@ -15,11 +15,12 @@ guard_sourcing
#######################################
# Creates the DIRs, prepares the files and mounting paths for installation.
# Globals:
# DIR_LOG
# LOG_DBS
# LOG_ERR
# LOG_EXT
# LOG_INS
# LOG_NIC
# LOG_REC
# LOG_UID
# RECOVERY
# TARGET
@@ -54,4 +55,7 @@ gen_dir_files() {
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f gen_dir_files
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

6
lib/cdi_0010_basic/0012_calculate_runtime.sh
View File

@@ -15,9 +15,8 @@ guard_sourcing
#######################################
# Calculates total runtime of the CISS.debian.installer.
# Globals:
# VAR_END_TIME
# SECONDS
# VAR_SCRIPT_RUNTIME
# VAR_START_TIME
# Arguments:
# None
# Returns:
@@ -33,4 +32,7 @@ calculate_runtime() {
declare -grx VAR_SCRIPT_RUNTIME="$(printf "%02dh %02dm %02ds" "${var_hours}" "${var_minutes}" "${var_seconds}")"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f calculate_runtime
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

11
meta_loader_func.sh
View File

@@ -111,17 +111,6 @@ source_guard "./func/cdi_4600_packages/4630_auditing_packages.sh"
source_guard "./func/cdi_4900_xtended/4999_exiting_chroot_system.sh"
### cdi_5000_recovery
source_guard "./func/cdi_5000_recovery/5000_debootstrap.sh"
source_guard "./func/cdi_5000_recovery/5005_debootstrap_checks.sh"
source_guard "./func/cdi_5000_recovery/5010_prepare_mounts.sh"
source_guard "./func/cdi_5000_recovery/5015_check_usr_merge.sh"
source_guard "./func/cdi_5000_recovery/5020_remove_x509.sh"
source_guard "./func/cdi_5000_recovery/5030_setup_hostname.sh"
source_guard "./func/cdi_5000_recovery/5035_setup_resolv.sh"
source_guard "./func/cdi_5000_recovery/5040_setup_timezone.sh"
source_guard "./func/cdi_5000_recovery/5050_setup_locales.sh"
source_guard "./func/cdi_5000_recovery/5105_generate_sources_822.sh"
source_guard "./func/cdi_5000_recovery/5110_update_sources.sh"
source_guard "./func/cdi_5000_recovery/5120_installation_kernel.sh"
source_guard "./func/cdi_5000_recovery/5121_installation_initramfs.sh"
source_guard "./func/cdi_5000_recovery/5130_installation_toolset.sh"

310
upgrades/linux-image/linux_image_clang_options.sh
View File

@@ -11,7 +11,6 @@
# SPDX-Security-Contact: security@coresecret.eu
set -o errexit
set -o ignoreeof
set -o noclobber
set -o nounset
set -o pipefail
@@ -23,20 +22,219 @@ shopt -u dotglob
shopt -u extglob
shopt -u nullglob
declare -gx PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
umask 0077
declare VAR_BRANCH="${1-}"
declare -grx VAR_BRANCH="${VAR_BRANCH,,}"
declare -gx IFS=$' \t\n'
declare -gx PATH="/usr/lib/llvm-18/bin:${PATH}"
declare -gx LLVM="1"
declare -gx PATH="/usr/lib/llvm-18/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
declare -gx AR="llvm-ar-18"
declare -gx CC="clang-18 -target x86_64-linux-gnu"
declare -gx LD="ld.lld-18"
declare -gx HOSTCC="clang-18"
declare -gx HOSTCXX="clang++-18"
declare -gx AR="llvm-ar-18" NM="llvm-nm-18" OBJCOPY="llvm-objcopy-18" STRIP="llvm-strip-18"
umask 0022
declare -gx LD="ld.lld-18"
declare -gx LLVM="1"
declare -gx LLVM_IAS="1"
declare -gx NM="llvm-nm-18"
declare -gx OBJCOPY="llvm-objcopy-18"
# shellcheck disable=SC2155
declare -gx SOURCE_DATE_EPOCH=$(date -ud '2025-10-11 00:00:00Z' +%s)
declare -gx STRIP="llvm-strip-18"
unset LOCALVERSION || true
cd "${HOME}"
if [[ -d "${HOME}/src/kernel" ]]; then
rm -rf --one-file-system -- "${HOME}/src/kernel"
fi
declare -gx DEBIAN_FRONTEND="noninteractive"
apt-get update -qq
apt-get install -y \
bc \
bison \
build-essential \
clang-18 \
dpkg-dev \
fakeroot \
flex \
git \
libelf-dev \
libncurses-dev \
libssl-dev \
lld-18 \
llvm-18-dev \
rsync
#######################################
# Extract the kernel version from a freshly unpacked 'apt-get source linux' tree.
# Exports (declare -g):
# var_kver_debian = e.g., "6.16.3-1~deb13u1"
# var_kver = e.g., "6.16.3"
# var_srcdir = e.g., "linux-6.16.3"
# Globals:
# var_kver
# var_kver_debian
# var_srcdir
# Arguments:
# None
# Returns:
# 0: on success
# 1: on failure
#######################################
extract_kver_from_apt_source_linux() {
### Prefer debian/changelog in linux-* (more canonical), then fall back to .dsc.
shopt -s nullglob
### Try A: from debian/changelog in linux-*/
declare -a _srcdirs=(linux-*/)
if [[ ${#_srcdirs[@]} -ge 1 ]]; then
### Pick the first match; in a clean workdir there should be exactly one.
declare _dir="${_srcdirs[0]%/}"
declare _chg="${_dir}/debian/changelog"
if [[ -f "${_chg}" ]]; then
### Read the first line: "linux (6.x.y-... ) suite; urgency=...".
declare _line
IFS= read -r _line < "${_chg}" || _line=
### Extract between '(' and ')'
### 1) strip prefix up to '('
declare _ver="${_line#*\(}"
### 2) strip suffix after ')'
_ver="${_ver%%\)*}"
### Debian full version (may include epoch and Debian revision).
declare -gx var_kver_debian="${_ver}"
### Upstream version (strip optional epoch "N:" and Debian revision "-...").
declare _noepoch="${_ver#*:}" # Drop "1:" if present, else no change.
declare -gx var_kver="${_noepoch%%-*}" # Drop the "-deb" part.
declare -gx var_srcdir="${_dir}"
shopt -u nullglob
return 0
fi
fi
### Try B: from the .dsc file (fallback).
declare -a _dscs=(linux_*.dsc)
if [[ ${#_dscs[@]} -ge 1 ]]; then
### Pick the first .dsc (in a clean workdir there should be exactly one).
declare _dsc="${_dscs[0]}"
declare _verline _ver
### Read the 'Version: ...' line without grep/sed.
while IFS= read -r _verline; do
# shellcheck disable=SC2249
case "${_verline}" in
Version:*)
_ver="${_verline#Version: }"
break
;;
esac
done < "${_dsc}"
[[ -n "${_ver:-}" ]] || return 1
declare -gx var_kver_debian="${_ver}"
declare _noepoch="${_ver#*:}"
declare -gx var_kver="${_noepoch%%-*}"
### Best-effort srcdir guess from the upstream part (common unpacking layout).
declare _up="${var_kver}"
if [[ -d "linux-${_up}" ]]; then
declare -gx var_srcdir="linux-${_up}"
else
declare -gx var_srcdir=""
fi
shopt -u nullglob
return 0
fi
### Nothing found.
shopt -u nullglob
return 1
}
# --- Prevents accidental 'unset -f' ------------------------------------------
# shellcheck disable=SC2034
readonly -f extract_kver_from_apt_source_linux
# --- Generate skeleton and download sources ----------------------------------
case "${VAR_BRANCH}" in
bpo)
mkdir -p ~/src/kernel/bpo && cd ~/src/kernel/bpo
apt-get source -t trixie-backports linux
apt-get -y build-dep -t trixie-backports linux
;;
security)
mkdir -p ~/src/kernel/security && cd ~/src/kernel/security
apt-get source -t trixie-security linux
apt-get -y build-dep -t trixie-security linux
;;
*)
printf "No valid branch selected.\n"
exit 1
;;
esac
extract_kver_from_apt_source_linux
printf '%b var_srcdir=%s\n var_kver_debian=%s\n var_kver=%s%b\n' '\e[92m' "${var_srcdir:-<none>}" "${var_kver_debian:-<none>}" "${var_kver:-<none>}" '\e[0m'
case "${VAR_BRANCH}" in
bpo)
cd "${HOME}/src/kernel/bpo/${var_srcdir}"
;;
security)
cd "${HOME}/src/kernel/security/${var_srcdir}"
;;
*)
printf "No valid branch selected.\n"
exit 1
;;
esac
# --- Identify yourself for Maintainer and Changed-By -------------------------
declare -gx DEBFULLNAME="Marc S. Weidner"
declare -gx DEBEMAIL="msw@coresecret.dev"
# --- Embed build user/host in 'uname -v' string of the kernel ----------------
declare -gx KBUILD_BUILD_USER="msw"
declare -gx KBUILD_BUILD_HOST="coresecret.dev"
# --- Package/version labelling for Debian packages ---------------------------
declare -gx KDEB_PKGVERSION="${var_kver}-1ciss0"
declare -gx KDEB_CHANGELOG_DIST="trixie"
# --- Identity / naming -------------------------------------------------------
# Ensure unique artifact names in /boot to avoid collisions with Production.
scripts/config --set-str CONFIG_LOCALVERSION "-rescue"
scripts/config --disable CONFIG_LOCALVERSION_AUTO
# --- Control-Flow Integrity (Clang kCFI as strict default) -------------------
# Enable Clang CFI; keep strict (no permissive), keep kCFI as default,
@@ -97,21 +295,21 @@ scripts/config --enable CONFIG_SATA_AHCI
scripts/config --enable CONFIG_BLK_DEV_NVME
scripts/config --enable CONFIG_SCSI
scripts/config --enable CONFIG_BLK_DEV_SD
scripts/config --enable CONFIG_USB_EHCI_HCD
scripts/config --enable CONFIG_USB_XHCI_HCD
scripts/config --enable CONFIG_USB_STORAGE
scripts/config --disable CONFIG_ATA_SFF
scripts/config --disable CONFIG_CHR_DEV_SG
scripts/config --disable CONFIG_USB_EHCI_HCD
# --- Device-mapper and software RAID (rescue on unknown hosts) ---------------
scripts/config --enable CONFIG_BLK_DEV_DM
scripts/config --enable CONFIG_DM_CRYPT
scripts/config --enable CONFIG_DM_MOD
scripts/config --disable CONFIG_MD_RAID1
scripts/config --disable CONFIG_MD_RAID10
scripts/config --disable CONFIG_MD_RAID456
scripts/config --disable CONFIG_BLK_DEV_MD
scripts/config --disable CONFIG_MD
scripts/config --enable CONFIG_MD_RAID1
scripts/config --enable CONFIG_MD_RAID10
scripts/config --enable CONFIG_MD_RAID456
scripts/config --enable CONFIG_BLK_DEV_MD
scripts/config --enable CONFIG_MD
scripts/config --disable CONFIG_MD_AUTODETECT
# --- Do not allow device-mapper table creation from the kernel command line --
@@ -142,8 +340,8 @@ scripts/config --enable CONFIG_VLAN_8021Q
scripts/config --disable CONFIG_BRIDGE
scripts/config --disable CONFIG_BONDING
scripts/config --disable CONFIG_BNX2X
scripts/config --disable CONFIG_IGC
scripts/config --disable CONFIG_R8169
scripts/config --enable CONFIG_IGC
scripts/config --enable CONFIG_R8169
# --- Virtualization ----------------------------------------------------------
scripts/config --enable CONFIG_HW_RANDOM_VIRTIO
@@ -158,7 +356,6 @@ scripts/config --enable CONFIG_VIRTIO_PCI
scripts/config --enable CONFIG_VIRTIO_SCSI
scripts/config --disable CONFIG_HYPERV
scripts/config --disable CONFIG_VIRTIO_GPU
scripts/config --disable CONFIG_VMXNET3
scripts/config --disable CONFIG_XEN
# --- Media, Sound, Wireless --------------------------------------------------
@@ -169,7 +366,8 @@ scripts/config --disable CONFIG_NFC
scripts/config --disable CONFIG_SND
# --- Disable entire DRM/GPU graphics stack -----------------------------------
scripts/config --disable CONFIG_DRM
scripts/config --enable CONFIG_DRM
scripts/config --enable CONFIG_DRM_SIMPLEDRM
scripts/config --disable CONFIG_DRM_AMDGPU
scripts/config --disable CONFIG_DRM_BRIDGE
scripts/config --disable CONFIG_DRM_FBDEV_EMULATION
@@ -179,7 +377,6 @@ scripts/config --disable CONFIG_DRM_NOUVEAU
scripts/config --disable CONFIG_DRM_PANEL
scripts/config --disable CONFIG_DRM_QXL
scripts/config --disable CONFIG_DRM_RADEON
scripts/config --disable CONFIG_DRM_SIMPLEDRM
scripts/config --disable CONFIG_DRM_VIRTIO_GPU
scripts/config --disable CONFIG_DRM_VMWGFX
@@ -298,6 +495,83 @@ scripts/config --disable CONFIG_PINCTRL
# --- Disable any other features ----------------------------------------------
scripts/config --disable CONFIG_TEGRA_HOST1X
# --- Harden memory permissions and control-flow ------------------------------
scripts/config --enable CONFIG_STRICT_KERNEL_RWX
scripts/config --enable CONFIG_DEBUG_WX
scripts/config --enable CONFIG_VMAP_STACK
scripts/config --enable CONFIG_FORTIFY_SOURCE
scripts/config --enable CONFIG_REFCOUNT_FULL
scripts/config --enable CONFIG_STACKPROTECTOR
scripts/config --enable CONFIG_STACKPROTECTOR_STRONG
scripts/config --enable CONFIG_INIT_STACK_ALL_ZERO
scripts/config --enable CONFIG_RANDOMIZE_BASE
scripts/config --enable CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT
# --- Allocator hardening -----------------------------------------------------
scripts/config --enable CONFIG_SLAB_FREELIST_RANDOM
scripts/config --enable CONFIG_SLAB_FREELIST_HARDENED
scripts/config --disable CONFIG_SLAB_MERGE_DEFAULT
scripts/config --enable CONFIG_SHUFFLE_PAGE_ALLOCATOR
# --- LSM / Lockdown ----------------------------------------------------------
scripts/config --enable CONFIG_SECURITY_LOCKDOWN_LSM
scripts/config --enable CONFIG_SECURITY_LOCKDOWN_LSM_EARLY
scripts/config --enable CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
scripts/config --enable CONFIG_SECURITY_YAMA
scripts/config --enable CONFIG_SECURITY_LANDLOCK
# --- IOMMU / DMA -------------------------------------------------------------
scripts/config --enable CONFIG_EFI_DISABLE_PCI_DMA
scripts/config --enable CONFIG_IOMMU_SUPPORT
scripts/config --enable CONFIG_IOMMU_DEFAULT_DMA_STRICT
scripts/config --enable CONFIG_INTEL_IOMMU
scripts/config --enable CONFIG_INTEL_IOMMU_DEFAULT_ON
scripts/config --enable CONFIG_AMD_IOMMU
scripts/config --enable CONFIG_AMD_IOMMU_V2
# --- Page table isolation and checks -----------------------------------------
scripts/config --enable CONFIG_MITIGATION_PAGE_TABLE_ISOLATION
scripts/config --enable CONFIG_PAGE_TABLE_CHECK
scripts/config --enable CONFIG_PAGE_TABLE_CHECK_ENFORCED
# --- UBSAN / KFENCE (low overhead) -------------------------------------------
scripts/config --enable CONFIG_UBSAN
scripts/config --enable CONFIG_UBSAN_TRAP
scripts/config --enable CONFIG_UBSAN_BOUNDS
scripts/config --enable CONFIG_UBSAN_LOCAL_BOUNDS
scripts/config --enable CONFIG_KFENCE
# --- x86 specifics -----------------------------------------------------------
scripts/config --enable CONFIG_X86_KERNEL_IBT
scripts/config --enable CONFIG_CFI_CLANG
scripts/config --disable CONFIG_X86_VSYSCALL_EMULATION
scripts/config --enable CONFIG_LEGACY_VSYSCALL_NONE
# --- Remove legacy debug / attack surfaces -----------------------------------
scripts/config --disable CONFIG_DEVMEM
scripts/config --enable CONFIG_STRICT_DEVMEM
scripts/config --enable CONFIG_IO_STRICT_DEVMEM
scripts/config --disable CONFIG_DEVKMEM
scripts/config --disable CONFIG_DEBUG_FS
scripts/config --disable CONFIG_PROC_KCORE
# --- Optional, stricter ------------------------------------------------------
scripts/config --enable CONFIG_PANIC_ON_OOPS
scripts/config --set-val CONFIG_PANIC_TIMEOUT -1
make olddefconfig
make -s kernelrelease
grep -E '^(CONFIG_LOCALVERSION|CONFIG_LOCALVERSION_AUTO)=' .config || true
env | grep -E '^LOCALVERSION=' || true
touch build.log
# shellcheck disable=SC2312
if make -j"$(nproc)" bindeb-pkg 2>&1 | tee build.log; then
printf '%bBuild successful%b\n' '\e[92m' '\e[0m'
fi
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

1
var/errors.var.sh
View File

@@ -58,6 +58,7 @@ declare -girx ERR_READ_SEED_FILE=215 # Error reading the mfa TOTP seed file.
declare -girx ERR_VERIFY_VISUDO=214 # Error verification by 'visudo'.
declare -girx ERR_VERIFY_LOGROTATE=213 # Error verification by 'logrotate'.
declare -girx ERR_READ_AUTH_FILE=212 # Error reading the Luks Backup auth token file.
declare -girx ERR_ACCOUNT_CREATE=211 # Error creating user accounts.
### Definition of error trap vars.
declare -gx ERRCODE="" # = $? = $1 = ERRCODE

1
var/global.var.sh
View File

@@ -53,6 +53,7 @@ declare -grx TARGET="/target"
declare -grx RECOVERY="/recovery"
declare -grx VAR_SAFE_MNT_BASE="/run/ciss/bootstrap"
declare -gx VAR_NEED_RUN_IN_TARGET="false"
declare -gx VAR_RUN_RECOVERY="false"
### Default chroot debug policy.
declare -gx VAR_CHROOT_DEBUG="false"