V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-07-31 23:04:30 +02:00
parent 930f47f827
commit 45ff672479
103 changed files with 1011 additions and 266 deletions
--- a/lib/cdi_0000_preliminary/0001_contact.sh
+++ b/lib/cdi_0000_preliminary/0001_contact.sh
--- a/lib/cdi_0000_preliminary/0002_usage.sh
+++ b/lib/cdi_0000_preliminary/0002_usage.sh
--- a/lib/cdi_0000_preliminary/0003_version.sh
+++ b/lib/cdi_0000_preliminary/0003_version.sh
--- a/lib/cdi_0000_preliminary/README.md
+++ b/lib/cdi_0000_preliminary/README.md
@@ -0,0 +1,70 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.installer
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
+**Master Version**: 8.00<br>
+**Build**: V8.00.000.2025.06.17<br>
+
+# 2. Preliminary Components – `cdi_0000_preliminary`
+
+This directory contains foundational wrapper scripts for the `CISS.debian.installer` framework. These scripts serve as minimal
+but essential building blocks to ensure consistent versioning, usage helps output, and contact information across the entire 
+installer suite.
+
+## 2.1. Purpose and Functionality
+
+The scripts in this module fulfill the following roles:
+
+- **0001_contact.sh**:  
+  Displays project-related contact details, including PGP fingerprint, security email, and project links. This is shown during
+  installer execution or upon request via CLI.
+
+- **0002_usage.sh**:  
+  Provides a user-facing, color-coded help dialog. It details available command-line options such as debugging modes 
+  (`--debug`), logging configuration, and non-interactive autoinstallation. It also enforces preconditions such as root 
+  privileges, and the presence of YAML configuration files.
+
+- **0003_version.sh**:  
+  Displays the current project version, latest Git commit, debootstrap version, and host Bash version. This helps contextualize 
+  the environment for debugging and auditing.
+
+## 2.2. Requirements
+
+- Bash version ≥ 5.1
+- Proper invocation context (`set -Ceuo pipefail` enforced)
+- Pre-populated configuration files:
+  - `.preseed/preseed.yaml`
+  - `.preseed/partitioning.yaml`
+  - Password files for GRUB, LUKS boot, common, and nuke passphrases
+
+These scripts assume they are sourced or executed within a controlled setup shell, with essential global variables 
+(e.g. `VAR_VERSION`) predeclared.
+
+
+## 2.3. Dependencies
+
+- `bash` built-ins only (no external binaries invoked except `git`, `debootstrap`, and `uname` in `0003_version.sh`)
+- ANSI color-supporting terminal (via `tput cols`, `echo -e`)
+- Git repository context for versioning (`git log`)
+
+
+## 2.4. License
+
+This component is dual-licensed under the **European Union Public License v1.2 (EUPL-1.2)** or the 
+**CoreSecret Custom Contributor License Agreement (CCLA-1.0)**. You may choose either license as per your usage context. 
+Usage is permitted under the condition that no warranty is implied. Use at your own risk.
+
+## 2.5. Author
+
+Developed and maintained by  
+**Marc S. Weidner**  
+*Centurion Intelligence Consulting Agency*  
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
--- a/lib/cdi_0005_guard/0005_guard_sourcing.sh
+++ b/lib/cdi_0005_guard/0005_guard_sourcing.sh
--- a/lib/cdi_0005_guard/0006_source_guard.sh
+++ b/lib/cdi_0005_guard/0006_source_guard.sh
--- a/lib/cdi_0005_guard/0007_guard_safe_exec.sh
+++ b/lib/cdi_0005_guard/0007_guard_safe_exec.sh
--- a/lib/cdi_0005_guard/README.md
+++ b/lib/cdi_0005_guard/README.md
@@ -0,0 +1,61 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.installer
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
+**Master Version**: 8.00<br>
+**Build**: V8.00.000.2025.06.17<br>
+
+# 2. Guarding and Safe Execution – `cdi_0005_guard`
+
+This directory provides minimalistic but critical utility functions to ensure safe and idempotent sourcing and execution 
+semantics within the `CISS.debian.installer` framework. These wrappers act as foundational safeguards against redundant 
+sourcing, which are frequent sources of bugs and side effects in modular Bash-based systems.
+
+## 2.1. Purpose and Functionality
+
+- **0005_guard_sourcing.sh**  
+  Defines the `guard_sourcing()` function, which programmatically prevents a Bash library file from being sourced multiple 
+  times. It constructs a uniquely scoped read-only environment variable guard to mark the sourced state.
+
+- **0006_source_guard.sh**  
+  Implements the `source_guard()` function, which sources a given file only once. It uses the file’s basename to construct a 
+  similarly structured guard variable. Intended for cases where sourcing decisions must be made dynamically.
+
+- **0011_guard_safe_exec.sh**  
+  Provides a generic `safe_exec()` wrapper to execute external commands in a structured and error-controlled manner. It emits
+  meaningful error logs using `do_log()` and allows associating custom error codes per invocation context. This is essential 
+  for defensive script execution when `pipefail` and strict traps are enabled.
+
+## 2.2. Requirements
+
+- Bash version ≥ 5.1
+- Active error trapping via `trap 'trap_err' ERR`
+- `do_log()` must be declared elsewhere in the global context
+- All libraries must be sourced via `source_guard()` and invoke `guard_sourcing` on top
+
+## 2.3. Dependencies
+
+- Pure Bash implementation
+- Uses `declare -grx` to enforce immutability and exportability of guard variables
+- `safe_exec()` expects a predefined `do_log()` implementation
+
+## 2.4. License
+
+This component is dual-licensed under the **European Union Public License v1.2 (EUPL-1.2),** or the 
+**CoreSecret Custom Contributor License Agreement (CCLA-1.0)**. You may choose either license as per your usage context. 
+Usage is permitted under the condition that no warranty is implied. Use at your own risk.
+
+## 2.5. Author
+
+Developed and maintained by  
+**Marc S. Weidner**  
+*Centurion Intelligence Consulting Agency*  
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
--- a/lib/cdi_0010_basic/0010_color_echo.sh
+++ b/lib/cdi_0010_basic/0010_color_echo.sh
--- a/lib/cdi_0010_basic/0011_gen_dir_files.sh
+++ b/lib/cdi_0010_basic/0011_gen_dir_files.sh
--- a/lib/cdi_0010_basic/0012_calculate_runtime.sh
+++ b/lib/cdi_0010_basic/0012_calculate_runtime.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Calculates total runtime of the CISS.debian.installer.
+# Globals:
+#   VAR_END_TIME
+#   VAR_SCRIPT_RUNTIME
+#   VAR_START_TIME
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+calculate_runtime() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -i   var_runtime="${SECONDS}"
+  declare -i   var_hours=$(( var_runtime / 3600 ))
+  declare -i   var_minutes=$(( (var_runtime % 3600) / 60 ))
+  declare -i   var_seconds=$(( var_runtime % 60 ))
+  # shellcheck disable=SC2155
+  declare -grx VAR_SCRIPT_RUNTIME="$(printf "%02dh %02dm %02ds" "${var_hours}" "${var_minutes}" "${var_seconds}")"
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/cdi_0025_logging/0024_logging_helper.sh
+++ b/lib/cdi_0025_logging/0024_logging_helper.sh
--- a/lib/cdi_0025_logging/0025_logging_modules.sh
+++ b/lib/cdi_0025_logging/0025_logging_modules.sh
--- a/lib/cdi_0030_checks/0030_check_pkgs.sh
+++ b/lib/cdi_0030_checks/0030_check_pkgs.sh
--- a/lib/cdi_0030_checks/0031_check_git.sh
+++ b/lib/cdi_0030_checks/0031_check_git.sh
--- a/lib/cdi_0030_checks/0040_check_var.sh
+++ b/lib/cdi_0030_checks/0040_check_var.sh
--- a/lib/cdi_0050_debug/0050_debug_pre_scan.sh
+++ b/lib/cdi_0050_debug/0050_debug_pre_scan.sh
--- a/lib/cdi_0050_debug/0051_debug_var_dump.sh
+++ b/lib/cdi_0050_debug/0051_debug_var_dump.sh
--- a/lib/cdi_0050_debug/0052_debug_trace.sh
+++ b/lib/cdi_0050_debug/0052_debug_trace.sh
--- a/lib/cdi_0050_debug/0053_debug_trace_header.sh
+++ b/lib/cdi_0050_debug/0053_debug_trace_header.sh
--- a/lib/cdi_0050_debug/0054_debug_trap.sh
+++ b/lib/cdi_0050_debug/0054_debug_trap.sh
--- a/lib/cdi_0050_debug/0055_debug_trap_header.sh
+++ b/lib/cdi_0050_debug/0055_debug_trap_header.sh
--- a/lib/cdi_0060_traps/0060_trap_err.sh
+++ b/lib/cdi_0060_traps/0060_trap_err.sh
@@ -30,7 +30,6 @@ guard_sourcing
 #   LOG_TRC
 #   LOG_VAR
 #   NL
-#   SECONDS
 #   SHELLOPTS
 #   UID
 #   VAR_ARG_SANITIZED
@@ -40,6 +39,7 @@ guard_sourcing
 #   VAR_PARAM_COUNT
 #   VAR_PARAM_STRNG
 #   VAR_RESOURCES
+#   VAR_SCRIPT_RUNTIME
 #   VAR_SYSTEM
 #   VAR_VERSION
 # Arguments:
@@ -66,7 +66,7 @@ print_file_err() {
    printf "❌ Function            : %s %b" "${ERRFUNC}" "${NL}"
    printf "❌ Command             : %s %b" "${ERRCMMD}" "${NL}"
    printf "❌ Script PID          : %s %b" "${$}" "${NL}"
-    printf "❌ Script Runtime      : %s %b" "${SECONDS}" "${NL}"
+    printf "❌ Script Runtime      : %s %b" "${VAR_SCRIPT_RUNTIME}" "${NL}"
    printf "❌ System Resources    : %s %b" "${VAR_RESOURCES}" "${NL}"
    printf "❌ Arguments Counter   : %s %b" "${VAR_PARAM_COUNT}" "${NL}"
    printf "❌ Arguments Original  : %s %b" "${VAR_PARAM_STRNG}" "${NL}"
@@ -92,7 +92,6 @@ print_file_err() {
 #######################################
 # Print Error Message for Trap on 'ERR' on Terminal.
 # Globals:
-#   BASHOPTS
 #   BASH_VERSINFO
 #   EPOCHREALTIME
 #   ERRCMMD
@@ -109,7 +108,6 @@ print_file_err() {
 #   NL
 #   RED
 #   RES
-#   SECONDS
 #   SHELLOPTS
 #   UID
 #   VAR_ARG_SANITIZED
@@ -119,6 +117,7 @@ print_file_err() {
 #   VAR_PARAM_COUNT
 #   VAR_PARAM_STRNG
 #   VAR_RESOURCES
+#   VAR_SCRIPT_RUNTIME
 #   VAR_SYSTEM
 #   VAR_VERSION
 # Arguments:
@@ -144,7 +143,7 @@ print_scr_err() {
  printf "%b❌ Function            : %s %b%b" "${RED}" "${ERRFUNC}" "${RES}" "${NL}"
  printf "%b❌ Command             : %s %b%b" "${RED}" "${ERRCMMD}" "${RES}" "${NL}"
  printf "%b❌ Script PID          : %s %b%b" "${RED}" "${$}" "${RES}" "${NL}"
-  printf "%b❌ Script Runtime      : %s %b%b" "${RED}" "${SECONDS}" "${RES}" "${NL}"
+  printf "%b❌ Script Runtime      : %s %b%b" "${RED}" "${VAR_SCRIPT_RUNTIME}" "${RES}" "${NL}"
  printf "%b❌ System Resources    : %s %b%b" "${RED}" "${VAR_RESOURCES}" "${RES}" "${NL}"
  printf "%b❌ Arguments Counter   : %s %b%b" "${RED}" "${VAR_PARAM_COUNT}" "${RES}" "${NL}"
  printf "%b❌ Arguments Original  : %s %b%b" "${RED}" "${VAR_PARAM_STRNG}" "${RES}" "${NL}"
@@ -225,12 +224,14 @@ trap_err() {
  trap - DEBUG ERR INT TERM

  if [[ "${VAR_DEBUG_TRACE}" == "true" || "${VAR_DEBUG_TRAP}" == "true" ]]; then dump_vars_exiting; fi
+
  case "${VAR_IN_DIALOG_WR}" in
    box   ) dialog_box_cleaner   ;;
    gauge ) dialog_gauge_cleaner ;;
  esac
+
+  calculate_runtime
  print_file_err
  print_scr_err
-
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/cdi_0060_traps/0070_trap_exit.sh
+++ b/lib/cdi_0060_traps/0070_trap_exit.sh
@@ -58,6 +58,7 @@ trap_exit() {
 #   RES
 #   VAR_DEBUG_TRACE
 #   VAR_DEBUG_TRAP
+#   VAR_SCRIPT_RUNTIME
 #   VAR_SCRIPT_SUCCESS
 # Arguments:
 #   1: "$?" passed through by trap_exit()
@@ -68,10 +69,13 @@ trap_exit_zero() {
  if [[ "${VAR_DEBUG_TRACE}" == "true" || "${VAR_DEBUG_TRAP}" == "true" ]]; then dump_vars_exiting; fi
  clean_up "${var_trap_exit_zero_code}"

+  calculate_runtime
+
  if [[ "${VAR_SCRIPT_SUCCESS}" == "true" ]]; then
    printf "%b" "${NL}"
    printf "%b✅ CISS.debian.installer Script successful. %s%s" "${GRE}" "${RES}" "${NL}"
    printf "%b✅ Exited with Status : %s %b%b" "${GRE}" "${var_trap_exit_zero_code}" "${RES}" "${NL}"
+    printf "%b✅ Script Runtime     : %s %b%b" "${GRE}" "${VAR_SCRIPT_RUNTIME}" "${RES}" "${NL}"
    printf "%b" "${NL}"
    if [[ "${VAR_DEBUG_TRACE}" == "true" || "${VAR_DEBUG_TRAP}" == "true" ]]; then
      printf "%b✅ Vars Dump saved at : %s %b%b" "${GRE}" "${LOG_VAR}" "${RES}" "${NL}"
@@ -112,7 +116,6 @@ trap_exit_zero() {
 #   NL
 #   RED
 #   RES
-#   SECONDS
 #   SHELLOPTS
 #   UID
 #   VAR_ARG_SANITIZED
@@ -123,6 +126,7 @@ trap_exit_zero() {
 #   VAR_PARAM_COUNT
 #   VAR_PARAM_STRNG
 #   VAR_RESOURCES
+#   VAR_SCRIPT_RUNTIME
 #   VAR_SYSTEM
 #   VAR_VERSION
 # Arguments:
@@ -150,6 +154,8 @@ trap_exit_non_zero() {
      gauge ) dialog_gauge_cleaner ;;
    esac

+    calculate_runtime
+
    printf "%b❌ Trap on 'EXIT'      : CISS.debian.installer Script failed. %b%b" "${RED}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
    printf "%b❌                     : This was most probably caused by an unbound variable. %b%b" "${RED}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
    printf "%b❌ GIT Commit          : %s %b%b" "${RED}" "${VAR_GIT_REL}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
@@ -168,7 +174,7 @@ trap_exit_non_zero() {
    printf "%b❌ Function            : %s %b%b" "${RED}" "${var_func}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
    printf "%b❌ Command             : %s %b%b" "${RED}" "${var_cmmd}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
    printf "%b❌ Script PID          : %s %b%b" "${RED}" "${$}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
-    printf "%b❌ Script Runtime      : %s %b%b" "${RED}" "${SECONDS}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
+    printf "%b❌ Script Runtime      : %s %b%b" "${RED}" "${VAR_SCRIPT_RUNTIME}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
    printf "%b❌ System Resources    : %s %b%b" "${RED}" "${VAR_RESOURCES}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
    printf "%b❌ Arguments Counter   : %s %b%b" "${RED}" "${VAR_PARAM_COUNT}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
    printf "%b❌ Arguments Original  : %s %b%b" "${RED}" "${VAR_PARAM_STRNG}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
--- a/lib/cdi_0060_traps/0080_trap_int.sh
+++ b/lib/cdi_0060_traps/0080_trap_int.sh
--- a/lib/cdi_0060_traps/0090_clean_up.sh
+++ b/lib/cdi_0060_traps/0090_clean_up.sh
--- a/lib/cdi_0100_arg/0100_arg_mismatch.sh
+++ b/lib/cdi_0100_arg/0100_arg_mismatch.sh
--- a/lib/cdi_0100_arg/0101_arg_sanitizer.sh
+++ b/lib/cdi_0100_arg/0101_arg_sanitizer.sh
--- a/lib/cdi_0100_arg/0102_arg_parser.sh
+++ b/lib/cdi_0100_arg/0102_arg_parser.sh
--- a/lib/cdi_0100_arg/0103_arg_priority_check.sh
+++ b/lib/cdi_0100_arg/0103_arg_priority_check.sh
--- a/lib/cdi_0100_arg/0104_arg_passphrase_modules.sh
+++ b/lib/cdi_0100_arg/0104_arg_passphrase_modules.sh
--- a/lib/cdi_0100_arg/0105_arg_nuke_converter.sh
+++ b/lib/cdi_0100_arg/0105_arg_nuke_converter.sh
--- a/lib/cdi_0110_interactive/0110_check_kernel.sh
+++ b/lib/cdi_0110_interactive/0110_check_kernel.sh
--- a/lib/cdi_0110_interactive/0115_check_provider.sh
+++ b/lib/cdi_0110_interactive/0115_check_provider.sh
--- a/lib/cdi_0200_dialog/0200_dialog_helper.sh
+++ b/lib/cdi_0200_dialog/0200_dialog_helper.sh