V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/preseed.yaml

@@ -84,7 +84,7 @@ debootstrap:                   # Provide a mirror for downloading the Debian pac
                                # list of official Debian packages.
   mirror: "https://deb.debian.org/debian"
                                # The following packages MUST be included in the debootstrap.
-  includes: "busybox,ca-certificates,locales,openssl,python3,python3-apt,zstd"
+  includes: "busybox,ca-certificates,git,locales,openssl,python3,python3-apt,zstd"
 distribution: "trixie"         # MUST be "trixie".
 debian_suite: "stable"         # MUST be "stable". Not supported yet: "testing", "experimental".
 exit:

ciss_debian_installer.sh

@@ -21,7 +21,6 @@
 # TODO: Check Packages for installation. Refactor preseed.yaml, 4130_installation_toolset.sh, 4700_setup_packages.sh
 # TODO: What do we need for CISS environment?
 # TODO: Hardening Scripts Integration
-# TODO: SSH 2fa integration
 # TODO: Recovery Partition Integration
 # TODO: Grub Boot Menu Update for Recovery Integration
 # TODO: update-grub Post Hook Clang, Recovery, Signing PK

func/cdi_4500_user/4520_accounts_setup.sh

@@ -59,8 +59,13 @@ accounts_setup() {
 
     if [[ -x "${TARGET}${user_root_shell}" ]]; then
 
+      zsh_omz_installer "root"
+
       chroot_exec "${TARGET}" chsh -s "${user_root_shell}" root
+
+      mv "${TARGET}/root/.zshrc" "${TARGET}/root/.zshrc.bak"
       install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/root/"
+
       do_log "info" "file_only" "4520() Shell: '${user_root_shell}' used for: 'root'."
 
     else
@@ -262,6 +267,11 @@ EOF
 
       if [[ -x "${TARGET}${var_shell}" ]]; then
 
+        zsh_omz_installer "${var_username}"
+
+        mv "${TARGET}/home/${var_username}/.zshrc" "${TARGET}/home/${var_username}/.zshrc.bak"
+        install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/home/${var_username}"
+
         chroot_exec "${TARGET}" chsh -s "${var_shell}" "${var_username}"
         do_log "info" "file_only" "4520() Shell: '${var_shell}' used for: '${var_username}'."
 
@@ -555,7 +565,7 @@ EOF
   ### Tighten perms on sudoers.d (idempotent).
   find "${var_sudoers_dir}" -type f -exec chmod 0440 {} \;
 
-  ### Verify sudoers syntax in chroot
+  ### Verify sudoers syntax in chroot.
   if ! chroot_script "${TARGET}" "EDITOR=/usr/bin/nano /usr/sbin/visudo -q -c >> ${var_logfile}"; then
 
     do_log "warn" "file_only" "4520() Command: [chroot_script ${TARGET} EDITOR=/usr/bin/nano /usr/sbin/visudo -q -c] failed."
@@ -567,7 +577,7 @@ EOF
 
   fi
 
-  #### Ensure logrotate for /var/log/sudo.log exists once.
+  ### Ensure logrotate for '/var/log/sudo.log' exists once.
   if ! grep -qF "/var/log/sudo.log {" "${var_lr_conf}" 2>/dev/null; then
 
     insert_header   "${var_lr_conf}"
@@ -826,11 +836,10 @@ write_google_authenticator_file() {
   {
     declare accept hex val
     printf '%s\n' "${var_secret}"
-    printf 'RATE_LIMIT 3 30\n'
-    printf 'WINDOW_SIZE 10\n'
-    printf 'TOTP_DIGITS 8\n'
-    printf 'DISALLOW_REUSE\n'
-    printf 'TOTP_AUTH\n'
+    printf '" RATE_LIMIT 3 30\n'
+    printf '" WINDOW_SIZE 10\n'
+    printf '" DISALLOW_REUSE\n'
+    printf '" TOTP_AUTH\n'
     ### Emergency Codes (8× unbiased 8-digit, CSPRNG via OpenSSL).
     for i in {1..8}; do
       ### Draw 32 bits; rejection sampling to avoid modulo bias.
@@ -860,4 +869,48 @@ write_google_authenticator_file() {
 
   return 0
 }
+
+#######################################
+# Use the official ohmyzsh-installer but force non-interactive behavior; do not run zsh; do not chsh.
+# Globals:
+#   TARGET
+# Arguments:
+#   1: Username
+# Returns:
+#   0: on success
+#######################################
+zsh_omz_installer() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_user="${1}"
+
+  chroot_stdin "${TARGET}" "__payload__" -- "${var_user}" <<'EOF'
+export LC_ALL=C
+user="$1"
+### Login shell for proper HOME, PATH, etc.
+### We also set installer env to prevent zsh spawn or chsh.
+su - "${user}" -s /bin/bash -c '
+  set -euo pipefail
+  export RUNZSH=no CHSH=no KEEP_ZSHRC=yes
+  export ZSH="${HOME}/.oh-my-zsh"
+  ### Pre-create ~/.oh-my-zsh to control perms.
+  mkdir -p "${ZSH}" && chmod 0700 "${ZSH}"
+  umask 0077
+  ### Use wget or curl as available.
+  if command -v wget >/dev/null; then
+    sh -c "$(wget -qO- https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
+  else
+    sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
+  fi
+  ### Plugins (clone shallow).
+  ZSH_CUSTOM="${ZSH}/custom"
+  mkdir -p "${ZSH_CUSTOM}/plugins"
+  git clone --depth 1 https://github.com/zsh-users/zsh-autosuggestions "${ZSH_CUSTOM}/plugins/zsh-autosuggestions" || true
+  git clone --depth 1 https://github.com/zsh-users/zsh-syntax-highlighting.git "${ZSH_CUSTOM}/plugins/zsh-syntax-highlighting" || true
+'
+umask 0022
+:
+EOF
+
+  return 0
+}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh