msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-08-10 21:45:51 +02:00
parent 12c7b2eab4
commit 5560ed09c9
25 changed files with 585 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
.editorconfig
View File

@@ -19,6 +19,12 @@ indent_size = 2
tab_width = 2 tab_width = 2
max_line_length = 128 max_line_length = 128
[*.{bash,sh,zsh}]
end_of_line = lf
charset = utf-8
insert_final_newline = true
trim_trailing_whitespace = true
[*.h] [*.h]
charset = utf-8 charset = utf-8
insert_final_newline = true insert_final_newline = true
@@ -32,15 +38,26 @@ insert_final_newline = true
# Do not trim trailing whitespace: two spaces at end-of-line signal a hard line break in Markdown # Do not trim trailing whitespace: two spaces at end-of-line signal a hard line break in Markdown
trim_trailing_whitespace = false trim_trailing_whitespace = false
# Python files PEP 8 compliant
[*.py]
indent_size = 4
tab_width = 4
end_of_line = lf
charset = utf-8
trim_trailing_whitespace = true
insert_final_newline = true
max_line_length = 79
[*.toml]
end_of_line = lf
charset = utf-8
trim_trailing_whitespace = true
insert_final_newline = true
[*.{yaml,yml}] [*.{yaml,yml}]
end_of_line = lf end_of_line = lf
insert_final_newline = true insert_final_newline = true
# Trim trailing whitespace (safe, since YAML does not rely on trailing spaces) # Trim trailing whitespace (safe, since YAML does not rely on trailing spaces)
trim_trailing_whitespace = true trim_trailing_whitespace = true
[*.{sh,bash,zsh}]
end_of_line = lf
charset = utf-8
insert_final_newline = true
trim_trailing_whitespace = true
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

1
.preseed/mfa_master.txt Normal file
View File

@@ -0,0 +1 @@
7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda

1
.preseed/partitioning.yaml
View File

@@ -34,6 +34,7 @@ recipe:
time: 256 # The number of milliseconds to spend with PBKDF passphrase processing. time: 256 # The number of milliseconds to spend with PBKDF passphrase processing.
name: "ciss.2025.gpt.btrfs.ephemeral.non-raid.256GiB.rescue" name: "ciss.2025.gpt.btrfs.ephemeral.non-raid.256GiB.rescue"
nuke: true # Activates Nuke-Mechanism in '/etc/crypttab' keyscript and via dropbear SSH forced command. nuke: true # Activates Nuke-Mechanism in '/etc/crypttab' keyscript and via dropbear SSH forced command.
nuke_rounds: 8192 # SHA512 KDF Rounds for Nuke Passphrase. If omitted, the default value is '8,388,608'.
raid: # mdadm RAID settings only (not yet supported). raid: # mdadm RAID settings only (not yet supported).
enable: false enable: false
disks: disks:

4
.preseed/preseed.yaml
View File

@@ -26,6 +26,7 @@ apt:
contrib: true # Optionally, install contrib software. contrib: true # Optionally, install contrib software.
deb_sources: true # Optionally includes deb-src entries for source repositories. deb_sources: true # Optionally includes deb-src entries for source repositories.
default_list: true # By default, source repositories are listed in '/etc/apt/sources.list'. This MUST be "true". default_list: true # By default, source repositories are listed in '/etc/apt/sources.list'. This MUST be "true".
default_deb822: false # Since Trixie, source repositories are listed in '/etc/apt/sources.list.d/' in deb.822 format.
full_upgrade: true # Whether to upgrade packages after debootstrap. full_upgrade: true # Whether to upgrade packages after debootstrap.
install_recommends: true # Configure APT to not install recommended packages by default. install_recommends: true # Configure APT to not install recommended packages by default.
non_free: true # Optionally, install non-free software. non_free: true # Optionally, install non-free software.
@@ -748,6 +749,9 @@ ssh:
# User settings # User settings
################################################################################################################################ ################################################################################################################################
user: user:
mfa:
info: "totp:v1"
salt: "CISS:CDI:OTP" # + (Server_FQDN/Username)
############################################################################################################################## ##############################################################################################################################
# root Superuser account (normally disabled for direct login) # root Superuser account (normally disabled for direct login)
############################################################################################################################## ##############################################################################################################################

11
ciss_debian_installer.sh
View File

@@ -28,7 +28,7 @@
# TODO: update-grub Post Hook Clang, Recovery, Signing PK # TODO: update-grub Post Hook Clang, Recovery, Signing PK
# TODO: Copying Log Files to final System # TODO: Copying Log Files to final System
# TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain? # TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain?
# TODO: Reboot function for Autoinstall # TODO: Reboot function for Autoinstall, Clean Exit, Flush Logs, luksClose, umount
# TODO: 0105_arg_nuke_converter.sh - implement HashRounds as argument # TODO: 0105_arg_nuke_converter.sh - implement HashRounds as argument
# TODO: Implement loop_pass() for other passwords 0105_arg_nuke_converter.sh # TODO: Implement loop_pass() for other passwords 0105_arg_nuke_converter.sh
# TODO: Implement / Integrate IP, Port validation CDI_1200 # TODO: Implement / Integrate IP, Port validation CDI_1200
@@ -245,8 +245,13 @@ info_echo "4050_setup_locales.sh"
setup_locales setup_locales
### CDI_4100 ### CDI_4100
info_echo "4100_generate_sources.sh" if [[ "${apt_default_deb822}" == "true" ]]; then
generate_sources info_echo "4105_generate_sources822.sh"
generate_sources822
else
info_echo "4100_generate_sources.sh"
generate_sources
fi
info_echo "4110_update_sources.sh" info_echo "4110_update_sources.sh"
update_sources update_sources
info_echo "4120_installation_kernel.sh" info_echo "4120_installation_kernel.sh"

6
func/cdi_1000_helper/1082_helper_modules.sh
View File

@@ -120,17 +120,15 @@ insert_comments() {
####################################### #######################################
# Wrapper to insert the SPDX Header into the specified file. # Wrapper to insert the SPDX Header into the specified file.
# Globals: # Globals:
# None # VAR_DATE
# Arguments: # Arguments:
# 1: /path/to/file # 1: /path/to/file
# Returns: # Returns:
# 0: on success # 0: on success
####################################### #######################################
insert_header() { insert_header() {
# shellcheck disable=SC2155
declare var_date="$(date +%F)"
cat << EOF >| "${1}" cat << EOF >| "${1}"
# SPDX-CreationInfo: ${var_date}; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

9
func/cdi_1250_yaml/1251_yaml_reader.sh
View File

@@ -45,7 +45,7 @@ yaml_reader() {
### Declare and substitute input files. ### Declare and substitute input files.
declare -r var_if="${VAR_PRESEED}" declare -r var_if="${VAR_PRESEED}"
declare var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \ declare var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \
recipe_firmware_var="" recipe_nuke_var="" recipe_table_var="" recipe_recovery_var="" recipe_firmware_var="" recipe_nuke_var="" recipe_nuke_rounds_var="" recipe_table_var="" recipe_recovery_var=""
### Read "${var_if}" line by line. ### Read "${var_if}" line by line.
while IFS= read -r var_line; do while IFS= read -r var_line; do
@@ -116,7 +116,7 @@ END { print max }
var_device="${var_fields[3]}" ### The fourth position includes the device (e.g., sda, vda, xvda) var_device="${var_fields[3]}" ### The fourth position includes the device (e.g., sda, vda, xvda)
var_partition="${var_fields[4]}" ### The fifth position includes the partition (e.g., 13) var_partition="${var_fields[4]}" ### The fifth position includes the partition (e.g., 13)
### Check, if the partition is a number and higher than the current value ### Check if the partition is a number and higher than the current value
if [[ "${var_partition}" =~ ^[0-9]+$ ]]; then if [[ "${var_partition}" =~ ^[0-9]+$ ]]; then
declare -i cur="${HMP_RECIPE_DEV_PARTITIONS[${var_device}]:-0}" declare -i cur="${HMP_RECIPE_DEV_PARTITIONS[${var_device}]:-0}"
if (( var_partition > cur )); then if (( var_partition > cur )); then
@@ -160,6 +160,11 @@ END { print max }
# shellcheck disable=SC2034 # shellcheck disable=SC2034
VAR_NUKE="${!recipe_nuke_var,,}" VAR_NUKE="${!recipe_nuke_var,,}"
### Extract the chosen Nuke SHA512 KDF rounds.
recipe_nuke_rounds_var="recipe_${VAR_RECIPE_STRING}_control_nuke_rounds"
# shellcheck disable=SC2034
VAR_NUKE_ROUNDS="${!recipe_nuke_rounds_var}"
### Extract chosen partition table. ### Extract chosen partition table.
recipe_table_var="recipe_${VAR_RECIPE_STRING}_control_table" recipe_table_var="recipe_${VAR_RECIPE_STRING}_control_table"
VAR_RECIPE_TABLE="${!recipe_table_var,,}" VAR_RECIPE_TABLE="${!recipe_table_var,,}"

2
func/cdi_4000_debootstrap/4035_setup_resolv.sh
View File

@@ -47,7 +47,7 @@ setup_resolv() {
### Create '/etc/resolv.conf' IPv4 entries for static configuration. ### Create '/etc/resolv.conf' IPv4 entries for static configuration.
cat << EOF >> "${TARGET}/etc/resolv.conf" cat << EOF >> "${TARGET}/etc/resolv.conf"
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

4
func/cdi_4000_debootstrap/4050_setup_locales.sh
View File

@@ -53,7 +53,7 @@ setup_locales() {
cat << EOF >| "${TARGET}${var_locale_hook}" cat << EOF >| "${TARGET}${var_locale_hook}"
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -118,7 +118,7 @@ EOF
### Set the keyboard layout for the system (for consoles). ### Set the keyboard layout for the system (for consoles).
cat << EOF >| "${TARGET}/etc/default/keyboard" cat << EOF >| "${TARGET}/etc/default/keyboard"
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

2
func/cdi_4100_base/4100_generate_sources.sh
View File

@@ -84,7 +84,7 @@ generate_sources() {
# shellcheck disable=SC2153 # shellcheck disable=SC2153
cat << EOF >> "${TARGET}/etc/apt/sources.list" cat << EOF >> "${TARGET}/etc/apt/sources.list"
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

148
func/cdi_4100_base/4105_generate_sources_822.sh Normal file
View File

@@ -0,0 +1,148 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Generate target '/etc/apt/sources.list.d/' deb.822 entries.
# Globals:
# TARGET
# apt_contrib
# apt_deb_sources
# apt_mirror_directory
# apt_mirror_hostname
# apt_mirror_protocol
# apt_non_free
# apt_non_free_firmware
# apt_sec
# apt_updates_backports
# apt_updates_release
# apt_updates_security
# architecture
# distribution
# Arguments:
# None
# Returns:
# 0: on success
#######################################
generate_sources822() {
### Declare Arrays, HashMaps, and Variables.
declare -a ary_components=() ary_types=()
declare var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
# shellcheck disable=SC2154 # "${architecture}"
var_arch="${architecture,,}"
# shellcheck disable=SC2154 # "${distribution}"
var_codename="${distribution,,}"
# shellcheck disable=SC2154 # "${apt_deb_sources}"
var_deb_src="${apt_deb_sources,,}"
# shellcheck disable=SC2154 # "${apt_mirror_directory}"
var_dir="${apt_mirror_directory,,}"
# shellcheck disable=SC2154 # "${apt_mirror_hostname}"
var_hostname="${apt_mirror_hostname,,}"
# shellcheck disable=SC2154 # "${apt_sec}"
var_hostsecure="${apt_sec,,}"
ary_components=( "main" )
[[ "${apt_contrib,,}" == "true" ]] && ary_components+=( "contrib" )
[[ "${apt_non_free,,}" == "true" ]] && ary_components+=( "non-free" )
[[ "${apt_non_free_firmware,,}" == "true" ]] && ary_components+=( "non-free-firmware" )
ary_types=( "deb" )
[[ "${apt_deb_sources,,}" == "true" ]] && ary_types+=( "deb-src" )
if [[ "${apt_mirror_protocol,,}" == "https" ]]; then
var_url="https://${var_hostname}${var_dir}"
var_surl="https://${var_hostsecure}/debian-security"
elif [[ "${apt_mirror_protocol,,}" == "http" ]]; then
var_url="http://${var_hostname}${var_dir}"
var_surl="http://${var_hostsecure}/debian-security"
else
var_url="https://${var_hostname}${var_dir}"
var_surl="https://${var_hostsecure}/debian-security"
fi
### Main Repository
insert_header "${TARGET}/etc/apt/sources.list.d/trixie.sources"
inser_comments "${TARGET}/etc/apt/sources.list.d/trixie.sources"
cat << EOF >> "${TARGET}/etc/apt/sources.list.d/trixie.sources"
Types: ${ary_types[*]}
URIs: ${var_url}
Suites: ${var_codename}
Components: ${ary_components[*]}
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
### Security Repository
if [[ "${apt_updates_security,,}" == "true" ]]; then
insert_header "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
inser_comments "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
cat << EOF >> "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
Types: ${ary_types[*]}
URIs: ${var_surl}
Suites: ${var_codename}-security
Components: ${ary_components[*]}
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
fi
### Updates Repository
if [[ "${apt_updates_release,,}" == "true" ]]; then
insert_header "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
inser_comments "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
cat << EOF >> "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
Types: ${ary_types[*]}
URIs: ${var_url}
Suites: ${var_codename}-updates
Components: ${ary_components[*]}
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
fi
### Backports Repository
if [[ "${apt_updates_backports,,}" == "true" ]]; then
insert_header "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
inser_comments "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
cat << EOF >> "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
Types: ${ary_types[*]}
URIs: ${var_url}
Suites: ${var_codename}-backports
Components: ${ary_components[*]}
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
fi
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

25
func/cdi_4400_hardening/4460_hardening_memory.sh
View File

@@ -12,6 +12,29 @@
guard_sourcing guard_sourcing
#######################################
# NOTE:
# According to the manual pages of limits.conf(5) and pam_limits(8),
# entries in '/etc/security/limits.conf' or drop-ins under
# '/etc/security/limits.d/' are NOT applied automatically by the system.
# The actual enforcement of these ulimit(2) constraints — including
# '* soft core 0' and '* hard core 0' to disable kernel core dumps —
# requires that the PAM module 'pam_limits.so' is invoked in the
# 'session' stack of the respective service (e.g., via
# '/etc/pam.d/common-session' and
# '/etc/pam.d/common-session-noninteractive').
#
# Without 'pam_limits.so' present in these PAM configuration files,
# the configured limits remain ineffective for PAM-based logins
# (SSH, local TTY, sudo, su, cron, etc.).
# Services launched by systemd bypass PAM and must have 'LimitCORE=0'
# or 'DefaultLimitCORE=0' set in their unit or in system.conf.d(5).
#
# References:
# - man 5 limits.conf
# - man 8 pam_limits
#######################################
####################################### #######################################
# Hardening memory dump via: # Hardening memory dump via:
# '/etc/systemd/coredump.conf.d/disable.conf' # '/etc/systemd/coredump.conf.d/disable.conf'
@@ -161,6 +184,6 @@ guard_pam_limits() {
(( var_changed )) && do_log "info" "file_only" "4460() Activated pam_limits.so: (common-session[*])" (( var_changed )) && do_log "info" "file_only" "4460() Activated pam_limits.so: (common-session[*])"
return 0 guard_dir && return 0
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

130
func/cdi_4500_user/4500_installation_accounts.sh
View File

@@ -28,10 +28,6 @@ guard_sourcing
# 0: on success # 0: on success
####################################### #######################################
installation_accounts() { installation_accounts() {
#######################################
# Declare Variables
#######################################
declare -i i declare -i i
declare tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" tmp_sudo="" \ declare tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" tmp_sudo="" \
tmp_restricted="" tmp_restricted=""
@@ -159,6 +155,132 @@ installation_accounts() {
done done
unset VAR_TEMP_PLAIN_MFA_SEED
guard_dir && return 0 guard_dir && return 0
} }
#######################################
# Writes '.google_authenticator'-file for the respective user.
# Globals:
# RANDOM
# TARGET
# Arguments:
# 1: Username
# Returns:
# 0: on success
#######################################
write_google_authenticator_file() {
### Declare Arrays, HashMaps, and Variables.
declare var_user="${1}" var_secret=""
case "${1}" in
root) declare var_base="${TARGET}/root" ;;
*) declare var_base="${TARGET}/home/${var_user}" ;;
esac
declare -i i=0
### TODO: PASSWORD REMINDER START:NOT ACTIVE
### No tracing for security reasons
#[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
var_secret="$(generate_totp_secret "${var_user}")"
umask 0077
{
printf '%s\n' "${var_secret}"
printf '"RATE_LIMIT 3 30"\n'
printf '"WINDOW 10"\n'
printf '"DISALLOW_REUSE"\n'
printf '"TOTP_AUTH"\n'
### Emergency Codes:
for i in {0..7}; do printf '%08d\n' "$(( RANDOM % 100000000 ))"; done
} >| "${var_base}/.google_authenticator"
### Turn on tracing again
#[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
chown "${var_user}:${var_user}" "${var_base}/.google_authenticator"
chmod 0600 "${var_base}/.google_authenticator"
umask 0022
return 0
}
#######################################
# Generates a deterministic TOTP secret based on:
# Username, FQDN, MFA salt, MFA master seed
# Globals:
# VAR_FINAL_FQDN
# VAR_TEMP_PLAIN_MFA_SEED
# user_mfa_info
# user_mfa_salt
# Arguments:
# 1: Username
# Returns:
# 0: on success
#######################################
generate_totp_secret() {
### Declare Arrays, HashMaps, and Variables.
declare var_user="${1}"
declare var_host_id="${VAR_FINAL_FQDN}"
declare var_salt="${user_mfa_salt}:${var_host_id}:${var_user}"
declare var_info="${user_mfa_info}"
declare var_secret=""
### TODO: PASSWORD REMINDER START:NOT ACTIVE
### No tracing for security reasons
#[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
### Derive 20 bytes via HKDF-SHA256 using OpenSSL 3 kdf, output as raw, then base32 (uppercase, no padding).
# shellcheck disable=SC2312
var_secret="$(
printf '%s' "${VAR_TEMP_PLAIN_MFA_SEED}" | xxd -r -p | openssl kdf -keylen 20 -kdfopt digest:SHA256 \
-kdfopt salt:"${var_salt}" -kdfopt info:"${var_info}" -binary HKDF | base32 | tr -d '=' | tr '[:lower:]' '[:upper:]'
)"
### Turn on tracing again
#[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
printf '%s\n' "${var_secret}"
return 0
}
#######################################
# Reads a 256-bit seed from '${DIR_CNF}/mfa_master.txt' (64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED.
# Globals:
# DIR_CNF
# VAR_TEMP_PLAIN_MFA_SEED
# Arguments:
# None
# Returns:
# 0: on success
# ERR_READ_SEED_FILE
#######################################
read_totp_seed(){
### Declare Arrays, HashMaps, and Variables.
declare -r var_mfa_seed_file="${DIR_CNF}/mfa_master.txt"
declare -g VAR_TEMP_PLAIN_MFA_SEED=""
### TODO: PASSWORD REMINDER START:NOT ACTIVE
### No tracing for security reasons
#[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
if ! read_password_file "${var_mfa_seed_file}" VAR_TEMP_PLAIN_MFA_SEED; then
return "${ERR_READ_SEED_FILE}"
fi
### Validate: exactly 64 hex.
[[ "${VAR_TEMP_PLAIN_MFA_SEED}" =~ ^[0-9a-fA-F]{64}$ ]] || return "${ERR_READ_SEED_FILE}"
### Turn on tracing again
#[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

3
lib/cdi_0060_traps/0070_trap_exit.sh
View File

@@ -34,6 +34,9 @@ trap_exit() {
trap - DEBUG ERR EXIT INT TERM trap - DEBUG ERR EXIT INT TERM
### Defensive shell behavior inside trap.
set +e +o pipefail
if [[ -n "${__preexec_invoke:-}" ]]; then if [[ -n "${__preexec_invoke:-}" ]]; then
debug_trap_logger "${var_exit_code}" "${VAR_LAST_CMD}" debug_trap_logger "${var_exit_code}" "${VAR_LAST_CMD}"
unset __preexec_invoke unset __preexec_invoke

2
lib/cdi_0100_arg/0102_arg_parser.sh
View File

@@ -113,5 +113,7 @@ arg_parser() {
;; ;;
esac esac
done done
guard_dir && return 0
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
lib/cdi_0100_arg/0103_arg_priority_check.sh
View File

@@ -39,5 +39,7 @@ arg_priority_check() {
var=$(ionice -p $$) > /dev/null 2>&1 var=$(ionice -p $$) > /dev/null 2>&1
do_log "info" "file_only" "0103() New ionice value: '${var}'." do_log "info" "file_only" "0103() New ionice value: '${var}'."
fi fi
guard_dir && return 0
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

31
lib/cdi_0100_arg/0104_arg_passphrase_modules.sh
View File

@@ -25,12 +25,17 @@ guard_sourcing
####################################### #######################################
generate_salt() { generate_salt() {
declare var_salt="" declare var_salt=""
while :; do while :; do
# shellcheck disable=SC2312 # shellcheck disable=SC2312
var_salt=$(head -c 12 /dev/random | base64 | tr -dc 'A-Za-z0-9' | head -c 16) || return "${ERR_GENERATE_SALT}" var_salt=$(head -c 12 /dev/random | base64 | tr -dc 'A-Za-z0-9' | head -c 16) || return "${ERR_GENERATE_SALT}"
[[ ${#var_salt} -eq 16 ]] && break [[ ${#var_salt} -eq 16 ]] && break
done done
printf '%s%b' "${var_salt}" "${NL}" printf '%s%b' "${var_salt}" "${NL}"
return 0 return 0
} }
@@ -51,19 +56,24 @@ read_password_file() {
declare -n var_output_file="${2}" declare -n var_output_file="${2}"
declare -a lines=() declare -a lines=()
### TODO: PASSWORD REMINDER ### TODO: PASSWORD REMINDER START
### No tracing for security reasons ### No tracing for security reasons
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
if [[ ! -f "${var_input_file}" ]]; then if [[ ! -f "${var_input_file}" ]]; then
do_log "fatal" "file_only" "0104() Password file '${var_input_file}' not found." do_log "fatal" "file_only" "0104() Password file '${var_input_file}' not found."
return "${ERR_READ_PASS_FILE}" return "${ERR_READ_PASS_FILE}"
fi fi
mapfile -t lines < "${var_input_file}" mapfile -t lines < "${var_input_file}"
if (( ${#lines[@]} != 1 )); then if (( ${#lines[@]} != 1 )); then
do_log "fatal" "file_only" "0104() Password file '${var_input_file}' MUST contain exactly one line." do_log "fatal" "file_only" "0104() Password file '${var_input_file}' MUST contain exactly one line."
return "${ERR_READ_PASS_FILE}" return "${ERR_READ_PASS_FILE}"
fi fi
var_output_file="${lines[0]}" var_output_file="${lines[0]}"
@@ -72,15 +82,32 @@ read_password_file() {
var_output_file="${var_output_file%"${var_output_file##*[![:space:]]}"}" ### trailing var_output_file="${var_output_file%"${var_output_file##*[![:space:]]}"}" ### trailing
if [[ -z "${var_output_file}" ]]; then if [[ -z "${var_output_file}" ]]; then
do_log "fatal" "file_only" "0104() Password file '${var_input_file}' contains only whitespace." do_log "fatal" "file_only" "0104() Password file '${var_input_file}' contains only whitespace."
return "${ERR_READ_PASS_FILE}" return "${ERR_READ_PASS_FILE}"
fi fi
### Turn on tracing again ### Turn on tracing again
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
### TODO: PASSWORD REMINDER ### TODO: PASSWORD REMINDER STOP
sync
if shred -vfzu -n 5 "${var_input_file}" > /dev/null 2>&1; then
do_log "info" "file_only" "0104() Password file '${var_input_file}': shred -vfzu -n 5 >> done."
else
do_log "warn" "file_only" "0104() Password file '${var_input_file}': shred -vfzu -n 5 >> NOT successful."
fi
sync
unset lines unset lines
return 0 return 0
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

33
lib/cdi_0100_arg/0105_arg_nuke_converter.sh
View File

@@ -29,44 +29,43 @@ nuke_passphrase() {
declare -r var_nuke_pwd_file="${DIR_CNF}/password_luks_nuke.txt" declare -r var_nuke_pwd_file="${DIR_CNF}/password_luks_nuke.txt"
declare var_temp_nuke_hash="" var_temp_plain_nuke_pwd="" var_salt="" declare var_temp_nuke_hash="" var_temp_plain_nuke_pwd="" var_salt=""
### TODO: PASSWORD REMINDER ### TODO: PASSWORD REMINDER START
### No tracing for security reasons ### No tracing for security reasons
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
if ! read_password_file "${var_nuke_pwd_file}" var_temp_plain_nuke_pwd; then if ! read_password_file "${var_nuke_pwd_file}" var_temp_plain_nuke_pwd; then
return "${ERR_READ_NUKE_FILE}" return "${ERR_READ_NUKE_FILE}"
fi fi
### Turn on tracing again ### Turn on tracing again
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
### TODO: PASSWORD REMINDER ### TODO: PASSWORD REMINDER STOP
if ! var_salt="$(generate_salt)"; then if ! var_salt="$(generate_salt)"; then
return "${ERR_GENERATE_SALT}" return "${ERR_GENERATE_SALT}"
fi fi
### TODO: PASSWORD REMINDER
### No tracing for security reasons ### --rounds=8388608 ### TODO: PASSWORD REMINDER START
### No tracing for security reasons
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds=16384 "${var_temp_plain_nuke_pwd}")
var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${VAR_NUKE_ROUNDS:-8388608}" "${var_temp_plain_nuke_pwd}")
### Turn on tracing again ### Turn on tracing again
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
### TODO: PASSWORD REMINDER ### TODO: PASSWORD REMINDER STOP
declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}" declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}"
unset var_temp_nuke_hash var_temp_plain_nuke_pwd unset var_temp_nuke_hash var_temp_plain_nuke_pwd
do_log "debug" "file_only" "0105() NUKE hash starts with: ${VAR_NUKE_HASH:0:32}..." do_log "debug" "file_only" "0105() NUKE hash starts with: ${VAR_NUKE_HASH:0:32}..."
sync guard_dir && return 0
if shred -vfzu -n 5 "${var_nuke_pwd_file}" > /dev/null 2>&1; then
do_log "info" "file_only" "0105() Password file '${var_nuke_pwd_file}': shred -vfzu -n 5 >> done."
else
do_log "warn" "file_only" "0105() Password file '${var_nuke_pwd_file}': shred -vfzu -n 5 >> NOT successful."
fi
sync
do_log "info" "file_only" "0105() Nuke Hash generated."
return 0
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

1
meta_loader_func.sh
View File

@@ -49,6 +49,7 @@ source_guard "./func/cdi_4000_debootstrap/4050_setup_locales.sh"
### cdi_4100_base ### cdi_4100_base
source_guard "./func/cdi_4100_base/4100_generate_sources.sh" source_guard "./func/cdi_4100_base/4100_generate_sources.sh"
source_guard "./func/cdi_4100_base/4105_generate_sources_822.sh"
source_guard "./func/cdi_4100_base/4110_update_sources.sh" source_guard "./func/cdi_4100_base/4110_update_sources.sh"
source_guard "./func/cdi_4100_base/4120_installation_kernel.sh" source_guard "./func/cdi_4100_base/4120_installation_kernel.sh"
source_guard "./func/cdi_4100_base/4121_installation_initramfs.sh" source_guard "./func/cdi_4100_base/4121_installation_initramfs.sh"

19
py/cdc/__init__.py Normal file
View File

@@ -0,0 +1,19 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
"""cdc: CISS Debian Configurator package."""
__author__ = "WEIDNER, Marc S."
__email__ = "msw@coresecret.dev"
__version__ = "0.1.0"
__all__: tuple[str, ...] = ()
# vim: number et ts=4 sw=4 sts=4 ai tw=79 ft=python

1
py/cdc/cdc.py Normal file
View File

@@ -0,0 +1 @@
#!/usr/bin/env python3

140
py/pyproject.toml Normal file
View File

@@ -0,0 +1,140 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
[build-system]
requires = ["setuptools>=69"]
build-backend = "setuptools.build_meta"
[project]
name = "ciss-debian-configurator"
version = "8.0.0.post20250617" # PEP 440
description = "CDC: ncurses-like configurator for CISS.debian.installer (menuconfig style)"
readme = "README.md"
requires-python = ">=3.13"
license = { text = "EUPL-1.2 OR LicenseRef-CCLA-1.0" }
authors = [
{ name = "WEIDNER, Marc S.", email = "msw@coresecret.dev" }
]
keywords = ["debian", "installer", "curses", "ncurses", "yaml", "validator", "menuconfig", "tui"]
classifiers = [
"Programming Language :: Python :: 3",
"Programming Language :: Python :: 3.13",
"Environment :: Console",
"Intended Audience :: System Administrators",
"License :: OSI Approved :: European Union Public Licence 1.2 (EUPL 1.2)",
"Topic :: System :: Installation/Setup",
"Topic :: Text Processing :: Markup :: YAML",
]
# Core dependencies:
# - ruamel.yaml: YAML round trip (preserve comments, preserve order)
# - pydantic: validation (IPv*Address, Port, AnyUrl, etc.)
# - jsonschema: formal schemas for your YAMLs (machine checking)
# - urwid: robust TUI widgets (ncurses-like, mature, terminal-compatible)
# - prompt_toolkit & rich & typer: convenient input, rendering, CLI glue
# - platformdirs: XDG/Windows-compliant config/cache paths
dependencies = [
# YAML
"ruamel.yaml>=0.18.6",
# Validation
"pydantic>=2.7.0",
"jsonschema>=4.21.0",
# TUI / CLI
"urwid>=2.6.0",
"prompt_toolkit>=3.0.47",
"rich>=13.7.0",
"typer>=0.12.0",
# Other
"platformdirs>=4.0.0"
]
[project.scripts]
cdc = "cdc.main:main"
[tool.setuptools]
package-dir = {"" = "py"}
packages = ["cdc"]
[tool.ruff]
line-length = 79
target-version = "py313"
src = ["py"]
[tool.ruff.format]
quote-style = "double"
indent-style = "space"
indent-width = 4
skip-magic-trailing-comma = false
line-ending = "lf"
[tool.ruff.lint]
select = [
"E", # pycodestyle errors
"W", # pycodestyle warnings
"F", # pyflakes
"N", # naming
"C4", # comprehensions
"SIM", # simplifications
"DTZ", # tz-aware datetime
"S", # security
"A", # shadowed builtins
"ARG", # unused arguments
"BLE", # broad exceptions
"FBT", # boolean trap
"PTH", # pathlib preferred
"RUF", # ruff-specific improvements
]
# Compatibility with formatters
ignore = ["E203"]
unsafe-fixes = false
[tool.ruff.lint.isort]
known-first-party = ["cdc"]
force-sort-within-sections = true
combine-as-imports = true
[tool.ruff.lint.mccabe]
max-complexity = 10
[tool.ruff.lint.per-file-ignores]
# Reexports are common in __init__.py
"py/**/__init__.py" = ["F401"]
# CLI entry is allowed to print (TUI/CLI)
"py/cdc/main.py" = ["T201"]
# Test files: less strict with import residues, etc.
"tests/**" = ["S101","ARG001","ARG002","FBT001","FBT002"]
[project.optional-dependencies]
dev = ["ruff>=0.4.0","mypy>=1.9.0","pytest>=8.0.0","pytest-cov>=5.0.0"]
[tool.mypy]
python_version = "3.13"
mypy_path = ["py"]
warn_unused_ignores = true
warn_redundant_casts = true
warn_unreachable = true
warn_return_any = true
warn_unused_configs = true
strict_optional = true
no_implicit_optional = true
no_implicit_reexport = true
disallow_untyped_defs = true
disallow_incomplete_defs = true
disallow_untyped_calls = true
disallow_any_generics = true
disallow_subclassing_any = true
strict_equality = true
plugins = ["pydantic.mypy"]
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=toml

22
py/requirements.txt Normal file
View File

@@ -0,0 +1,22 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# Core dependencies:
ruamel.yaml>=0.18.6
pydantic>=2.7.0
jsonschema>=4.21.0
urwid>=2.6.0
prompt_toolkit>=3.0.47
rich>=13.7.0
typer>=0.12.0
platformdirs>=4.0.0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

1
var/errors.var.sh
View File

@@ -54,6 +54,7 @@ declare -girx ERR_GENERATE_SALT=219 # Error generating salt.
declare -girx ERR_VAR_REGEX_CHK=218 # Error checking VAR against REGEX. declare -girx ERR_VAR_REGEX_CHK=218 # Error checking VAR against REGEX.
declare -girx ERR_CONF_VALIDATION=217 # Error checking the respective configuration files. declare -girx ERR_CONF_VALIDATION=217 # Error checking the respective configuration files.
declare -girx ERR_CHROOT_LOGGER=216 # An error occurred while preparing the inside chroot log file. declare -girx ERR_CHROOT_LOGGER=216 # An error occurred while preparing the inside chroot log file.
declare -girx ERR_READ_SEED_FILE=215 # Error reading the mfa TOTP seed file.
### Definition of error trap vars. ### Definition of error trap vars.
declare -gx ERRCODE="" # = $? = $1 = ERRCODE declare -gx ERRCODE="" # = $? = $1 = ERRCODE

3
var/global.var.sh
View File

@@ -13,7 +13,6 @@
guard_sourcing guard_sourcing
### Definition of MUST set global variables. ### Definition of MUST set global variables.
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -grx VAR_KERNEL_INF=$(mktemp var_kernel_inf.XXXXXXXX) declare -grx VAR_KERNEL_INF=$(mktemp var_kernel_inf.XXXXXXXX)
# shellcheck disable=SC2155 # shellcheck disable=SC2155
@@ -24,6 +23,8 @@ declare -grx VAR_KERNEL_SRT=$(mktemp var_kernel_srt.XXXXXXXX)
declare -grx VAR_NOTES=$(mktemp var_notes.XXXXXXXX) declare -grx VAR_NOTES=$(mktemp var_notes.XXXXXXXX)
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -grx VAR_RESOURCES=$(ulimit) declare -grx VAR_RESOURCES=$(ulimit)
# shellcheck disable=SC2155
declare -grx VAR_DATE="$(date +%F)"
### Initialize variables of different directories. ### Initialize variables of different directories.
declare -grx DIR_BAK="/tmp/.ciss/backup" declare -grx DIR_BAK="/tmp/.ciss/backup"