V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-07-31 23:04:30 +02:00
parent 930f47f827
commit 45ff672479
103 changed files with 1011 additions and 266 deletions
--- a/lib/cdi_0000_preliminary/0001_contact.sh
+++ b/lib/cdi_0000_preliminary/0001_contact.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Contact Wrapper 'CISS.debian.installer.'
+# Globals:
+#   none
+# Arguments:
+#   none
+#######################################
+contact() {
+  clear
+  cat << EOF
+$(echo -e "\e[97m################################################################################ \e[0m")
+$(echo -e "\e[92m  CISS.debian.installer from https://git.coresecret.dev/msw \e[0m")
+$(echo -e "\e[92m  A powerful Debian installer for setting up a hardened Debian environment. \e[0m")
+
+$(echo -e "\e[97m  (c) Marc S. Weidner, 2018 - 2025 \e[0m")
+$(echo -e "\e[97m  (p) Centurion Press, 2024 - 2025 \e[0m")
+
+$(echo -e "\e[95m  💬 Contact:               \e[0m")
+$(echo -e "\e[95m  🌐 https://coresecret.eu/ \e[0m")
+$(echo -e "\e[95m  📧 security@coresecret.eu \e[0m")
+$(echo -e "\e[95m  🔑 PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD \e[0m")
+$(echo -e "\e[95m  🔗 https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD \e[0m")
+
+$(echo -e "\e[95m  💷 Please consider donating to my work at: \e[0m")
+$(echo -e "\e[95m  🌐 https://coresecret.eu/spenden/          \e[0m")
+$(echo -e "\e[97m################################################################################ \e[0m")
+
+EOF
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/cdi_0000_preliminary/0002_usage.sh
+++ b/lib/cdi_0000_preliminary/0002_usage.sh
@@ -0,0 +1,133 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Header, Footer wrapper for dynamically output.
+# Globals:
+#   none
+# Arguments:
+#   1: Text.
+#   2: Width of Terminal.
+#######################################
+center() {
+  declare var_text="$1"
+  declare var_width="$2"
+  declare var_padding=$(( (var_width - ${#var_text}) / 2 ))
+  printf "%*s%s%*s\n" "${var_padding}" "" "${var_text}" "${var_padding}" ""
+}
+
+#######################################
+# Usage Wrapper 'CISS.debian.installer'.
+# Globals:
+#   none
+# Arguments:
+#   0: Script Name
+#######################################
+usage() {
+  # shellcheck disable=SC2155
+  declare var_cols=$(tput cols 2> /dev/null || echo 80)
+
+  # shellcheck disable=SC2155
+  declare var_header=$(center "V8.00.000.2025.06.17                                          CISS.debian.installer" "${var_cols}")
+  # shellcheck disable=SC2155
+  declare var_footer=$(center "V8.00.000.2025.06.17                                          CISS.debian.installer" "${var_cols}")
+
+  {
+    echo -e "\e[97m${var_header} \e[0m"
+    echo
+    echo -e "\e[92mCISS.debian.installer from https://git.coresecret.dev/msw \e[0m"
+    echo -e "\e[92m${VAR_VERSION} \e[0m"
+    echo -e "\e[92mA powerful Debian installer for setting up a hardened Debian environment. \e[0m"
+    echo
+    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
+    echo -e "\e[97m(p) Centurion Press, 2024 - 2025 \e[0m"
+    echo
+    echo -e "\e[91mUse only in trusted, non-production environments unless code audited! \e[0m"
+    echo
+    echo -e "\e[97m${0} <option>, where <option> is one or more of: \e[0m"
+    echo
+    echo -e "\e[97m  --help, -h \e[0m"
+    echo "    What you're looking at."
+    echo
+    echo -e "\e[97m  --autoinstall, -a \e[0m"
+    echo -e "\e[93m    All data on the disks specified in './.preseed/partitioning.yaml' will be destroyed! \e[0m"
+    echo "    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel selector dialog."
+    echo "    No user interaction is required in autoinstall mode."
+    echo
+    echo -e "\e[97m  --contact, -c \e[0m"
+    echo "    Show author contact information."
+    echo
+    echo -e "\e[97m  --debug, -d <MODE> \e[0m"
+    echo "    Whereas <MODE> can be one or both of the following: 'TRAP' or 'XTRACE'."
+    echo "    - XTRACE uses the 'set -x' capability to trace every command executed."
+    echo "    - TRAP uses the bash 'trap DEBUG' capability."
+    echo -e "\e[93m    Detailed debugging information is written to: \e[0m"
+    echo "    - /tmp/.ciss/log/ciss_debian_installer_$$_debug.log"
+    echo "    - /tmp/.ciss/log/ciss_debian_installer_$$_trace.log"
+    echo "    - /tmp/.ciss/log/ciss_debian_installer_$$_var.log"
+    echo
+    echo -e "\e[97m  --log, -l <LEVEL> \e[0m"
+    echo "    This changes the default log level from 'info' to one of the following values:"
+    echo "      debug"
+    echo "      info"
+    echo "      notice"
+    echo "      warn"
+    echo "      error"
+    echo "      critical"
+    echo "      fatal"
+    echo "      emergency"
+    echo "    Defaults to 'info'."
+    echo -e "\e[93m    The Installation log is written to: \e[0m"
+    echo "    - /tmp/.ciss/log/ciss_debian_installer_$$_install.log"
+    echo -e "\e[93m    The Error log is written to: \e[0m"
+    echo "    - /tmp/.ciss/log/ciss_debian_installer_$$_error.log"
+    echo
+    echo -e "\e[97m  --renice-priority <PRIORITY> \e[0m"
+    echo "    Reset the nice priority value of the script and all its children"
+    echo "    to the desired <PRIORITY>. MUST be an integer (between '-19' and 19)."
+    echo "    Negative (higher) values MUST be enclosed in double quotes '\"'."
+    echo "    Defaults to '0'."
+    echo
+    echo -e "\e[97m  --reionice-priority <CLASS> <PRIORITY> \e[0m"
+    echo "    Reset the ionice priority value of the script and all its children"
+    echo "    to the desired <CLASS>. MUST be an integer:"
+    echo "      1: realtime"
+    echo "      2: best-effort"
+    echo "      3: idle"
+    echo "    Defaults to '2'."
+    echo "    Whereas <PRIORITY> MUST be an integer as well between:"
+    echo "      0: highest priority and"
+    echo "      7: lowest priority."
+    echo "    Defaults to '4'."
+    echo "    A real-time I/O process can significantly slow down other processes"
+    echo "    or even cause them to starve if it continuously requests I/O."
+    echo
+    echo -e "\e[97m  --version, -v \e[0m"
+    echo "    Show version of ${0}."
+    echo
+    echo -e "\e[93m💡 Notes:\e[0m"
+    echo -e "\e[97m🔵 You MUST be 'root' to run this script. \e[0m"
+    echo -e "\e[97m🔵 You MUST edit './.preseed/preseed.yaml' in advance. \e[0m"
+    echo -e "\e[97m🔵 You MUST edit './.preseed/partitioning.yaml' in advance. \e[0m"
+    echo -e "\e[97m🔵 You MUST edit './.preseed/password_grub.txt' in advance. \e[0m"
+    echo -e "\e[97m🔵 You MUST edit './.preseed/password_luks_boot.txt' in advance. \e[0m"
+    echo -e "\e[97m🔵 You MUST edit './.preseed/password_luks_common.txt' in advance. \e[0m"
+    echo -e "\e[97m🔵 You MUST edit './.preseed/password_luks_nuke.txt' in advance. \e[0m"
+    echo -e "\e[97m🔵 You SHOULD use the provided YAML-Configuration-File Editor. \e[0m"
+    echo
+    echo -e "\e[95m💷 Please consider donating to my work at: \e[0m"
+    echo -e "\e[95m🌐 https://coresecret.eu/spenden/ \e[0m"
+    echo
+    echo -e "\e[97m${var_footer} \e[0m"
+  } | less -R
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/cdi_0000_preliminary/0003_version.sh
+++ b/lib/cdi_0000_preliminary/0003_version.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Version Wrapper 'CISS.debian.installer.'
+# Globals:
+#   VAR_VERSION
+# Arguments:
+#   None
+#######################################
+version() {
+  # shellcheck disable=SC2155
+  declare -r var_repo_ver="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
+  # shellcheck disable=SC2155
+  declare -r var_ds_ver="$(debootstrap --version)"
+  # shellcheck disable=SC2155
+  declare -r var_host="$(uname -n)"
+  # shellcheck disable=SC2155
+  declare -r var_bash_ver="$(bash --version | head -n1 | awk '{print $4" "$5" "$6}')"
+
+  clear
+  cat << EOF
+$(echo -e "\e[97m################################################################################ \e[0m")
+$(echo -e "\e[92m  CISS.debian.installer from https://git.coresecret.dev/msw \e[0m")
+$(echo -e "\e[92m  A powerful Debian installer for setting up a hardened Debian environment. \e[0m")
+
+  Version : ${VAR_VERSION}
+  Git     : ${var_repo_ver}
+
+$(echo -e "\e[97m  This program is free software. Distribution and modification under  \e[0m")
+$(echo -e "\e[97m  EUPL-1.2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! \e[0m")
+
+  Please file bugs @
+$(echo -e "\e[95m  https://git.coresecret.dev/msw/CISS.debian.live.builder/issues \e[0m")
+$(echo -e "\e[97m################################################################################\e[0m")
+
+  Using   : debootstrap (${var_ds_ver})
+  on      : ${var_host}
+  Bash    : ${var_bash_ver}
+
+EOF
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/cdi_0000_preliminary/README.md
+++ b/lib/cdi_0000_preliminary/README.md
@@ -0,0 +1,70 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.installer
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
+**Master Version**: 8.00<br>
+**Build**: V8.00.000.2025.06.17<br>
+
+# 2. Preliminary Components – `cdi_0000_preliminary`
+
+This directory contains foundational wrapper scripts for the `CISS.debian.installer` framework. These scripts serve as minimal
+but essential building blocks to ensure consistent versioning, usage helps output, and contact information across the entire 
+installer suite.
+
+## 2.1. Purpose and Functionality
+
+The scripts in this module fulfill the following roles:
+
+- **0001_contact.sh**:  
+  Displays project-related contact details, including PGP fingerprint, security email, and project links. This is shown during
+  installer execution or upon request via CLI.
+
+- **0002_usage.sh**:  
+  Provides a user-facing, color-coded help dialog. It details available command-line options such as debugging modes 
+  (`--debug`), logging configuration, and non-interactive autoinstallation. It also enforces preconditions such as root 
+  privileges, and the presence of YAML configuration files.
+
+- **0003_version.sh**:  
+  Displays the current project version, latest Git commit, debootstrap version, and host Bash version. This helps contextualize 
+  the environment for debugging and auditing.
+
+## 2.2. Requirements
+
+- Bash version ≥ 5.1
+- Proper invocation context (`set -Ceuo pipefail` enforced)
+- Pre-populated configuration files:
+  - `.preseed/preseed.yaml`
+  - `.preseed/partitioning.yaml`
+  - Password files for GRUB, LUKS boot, common, and nuke passphrases
+
+These scripts assume they are sourced or executed within a controlled setup shell, with essential global variables 
+(e.g. `VAR_VERSION`) predeclared.
+
+
+## 2.3. Dependencies
+
+- `bash` built-ins only (no external binaries invoked except `git`, `debootstrap`, and `uname` in `0003_version.sh`)
+- ANSI color-supporting terminal (via `tput cols`, `echo -e`)
+- Git repository context for versioning (`git log`)
+
+
+## 2.4. License
+
+This component is dual-licensed under the **European Union Public License v1.2 (EUPL-1.2)** or the 
+**CoreSecret Custom Contributor License Agreement (CCLA-1.0)**. You may choose either license as per your usage context. 
+Usage is permitted under the condition that no warranty is implied. Use at your own risk.
+
+## 2.5. Author
+
+Developed and maintained by  
+**Marc S. Weidner**  
+*Centurion Intelligence Consulting Agency*  
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->