V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-07 17:27:17 +01:00
parent 914539f166
commit 72dcf355d9
17 changed files with 100 additions and 45 deletions
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -41,6 +41,10 @@ jobs:
        shell: bash
        run: |
          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh

          ### Private Key
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -33,6 +33,10 @@ jobs:
        shell: bash
        run: |
          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh

          ### Private Key
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -34,6 +34,10 @@ jobs:
        shell: bash
        run: |
          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh

          ### Private Key
--- a/func/cdi_3200_partitioning/3200_partitioning.sh
+++ b/func/cdi_3200_partitioning/3200_partitioning.sh
@@ -306,16 +306,22 @@ partitioning() {
      udevadm settle

      for i in {1..10}; do
+
        var_uuid=$(blkid -s PARTUUID -o value "/dev/${var_dev}${var_part}") && [[ -n "${var_uuid}" ]] && break
        sleep 0.25
+
      done

      if [[ -z "${var_uuid}" ]]; then
+
        do_log "fatal" "file_only" "3200() Partition: '/dev/${var_dev}${var_part}' could not read PARTUUID."
        return "${ERR_PART_READ}"
+
      else
+
        HMP_PATH_PARTUUID["${var_mount_path}"]="${var_uuid}"
        do_log "debug" "file_only" "3200() [HMP_PATH_PARTUUID]: '${var_mount_path}' -> '${HMP_PATH_PARTUUID["${var_mount_path}"]}'."
+
      fi

      ### Gathering information for forthcoming modules 32n0().
@@ -339,17 +345,21 @@ partitioning() {

      ### Gathering information for '/etc/fstab'-generation in 4200().
      if [[ "${var_mount_true}" == "true" ]]; then
+
        # shellcheck disable=SC2034
        ARY_FSTAB_MOUNT_PATHS+=("${var_mount_path}")
        do_log "debug" "file_only" "3200() [ARY_FSTAB_MOUNT_PATHS]: '${var_mount_path}'."
        HMP_FSTAB_MOUNT_FTYPE["${var_mount_path}"]="${var_fs}"
        do_log "debug" "file_only" "3200() [HMP_FSTAB_MOUNT_FTYPE]: '${var_mount_path}' -> '${HMP_FSTAB_MOUNT_FTYPE["${var_mount_path}"]}'."
+
      fi

      ### Gathering information for '/etc/initramfs-tools/conf.d/fsroot'-generation in 4121().
      if [[ "${var_mount_path}" == "/" ]]; then
+
        # shellcheck disable=SC2034
        VAR_ROOT_FS="${var_fs}"
+
      fi

    done
--- a/func/cdi_3200_partitioning/3220_partition_encryption.sh
+++ b/func/cdi_3200_partitioning/3220_partition_encryption.sh
@@ -141,15 +141,6 @@ partition_encryption() {

          var_filesystem_label=$(get_label "${var_encryption_path}" "${var_fs}" "file")

-          #mkfs.ext4 -L "${var_filesystem_label}" "/dev/${var_dev}" 1M
-          #do_log "info" "file_only" "3220() Ephemeral: '${var_encryption_path}' prepared on: '/dev/${var_dev}'."
-
-          #var_fs_uuid=$(blkid -s UUID -o value "/dev/${var_dev}")
-          ### Gathering information for '/etc/fstab'-generation in 4040() and '/etc/crypttab'-generation in 4060().
-          # shellcheck disable=SC2034
-          #HMP_PATH_FSUUID["${var_encryption_path}"]="${var_fs_uuid}"
-          #do_log "debug" "file_only" "3220() [HMP_PATH_FSUUID]       : '${var_encryption_path}' -> '${HMP_PATH_FSUUID["${var_encryption_path}"]}'"
-
          HMP_EPHEMERAL_ENCLABEL["${var_encryption_path}"]="${var_encryption_label}"
          HMP_EPHEMERAL_FS_LABEL["${var_encryption_path}"]="${var_filesystem_label}"

--- a/func/cdi_3200_partitioning/3240_partition_formatting.sh
+++ b/func/cdi_3200_partitioning/3240_partition_formatting.sh
@@ -139,4 +139,7 @@ partition_formatting() {

  guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f partition_formatting
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_3200_partitioning/3280_mount_partition.sh
+++ b/func/cdi_3200_partitioning/3280_mount_partition.sh
@@ -15,7 +15,6 @@ guard_sourcing
 #######################################
 # Function to create the mount command, incl. mount path and options, and mount the respective device.
 # Globals:
-#   ERR_MOUNTING_DEV
 #   TARGET
 # Arguments:
 #   1: MOUNT_PATH
@@ -24,6 +23,7 @@ guard_sourcing
 #   4: MOUNT_FILESYSTEM
 # Returns:
 #   0: on success
+#   ERR_MOUNTING_DEV: on failure
 #######################################
 mount_with_dir() {
  declare var_mount_path="${1}" var_mount_device="${2}" var_mount_options="${3:-}" var_mount_fs="${4:-}"
@@ -60,7 +60,7 @@ mount_with_dir() {
  ### Already absolute path.
  elif [[ "${var_mount_device}" == /dev/* ]]; then

-    : ### Do nothing
+    : ### Do nothing.

  ### Alternative checks for LABEL and PARTUUID.
  else
@@ -104,16 +104,23 @@ mount_with_dir() {

  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f mount_with_dir

 #######################################
 # Device Path Resolver.
 # Outputs '/dev/mapper/<encryption_label>'
 # Outputs '/dev/<dev><partition>'
+# Globals:
+#   none
 # Arguments:
 #   1: Device
 #   2: Partition
 #   3: Boolean Encryption
 #   4: Encryption Label
+# Returns:
+#   0: on success
 #######################################
 resolve_device() {
  declare local_var_dev="$1" local_var_partition="$2" local_var_enc_boolean="$3" local_var_enc_label="$4"
@@ -130,15 +137,20 @@ resolve_device() {

  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f resolve_device

 #######################################
 # Validates btrfs compression algo and level.
+# Globals:
+#   none
 # Arguments:
 #   1: var_fs_btrfs_compress
 #   2: var_fs_btrfs_level
 # Returns:
 #   0: Valid combination.
-#   1: Invalid combination.
+#   ERR_BTRFS_OPTION: on failure
 #######################################
 validate_btrfs_compression() {
  declare var_algo="$1" var_level="$2"
@@ -151,19 +163,20 @@ validate_btrfs_compression() {

  esac
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f validate_btrfs_compression

 #######################################
 # Function for mounting all partitions for debootstrap, including the generation of btrfs subvolumes.
 # Globals:
+#   ARY_CRYPT_MOUNT_PATHS
 #   ARY_PATHS_SORTED
 #   DIR_LOG
-#   ERR_BTRFS_INITPH
-#   ERR_BTRFS_OPTION
-#   ERR_BTRFS_SUBVOL
-#   ERR_MOUNTING_DEV
 #   HMP_FSTAB_MOUNT_OPTS
 #   HMP_PATH_DEV_PART
 #   HMP_PATH_FSUUID
+#   HMP_PATH_PARTUUID
 #   NL
 #   TARGET
 #   VAR_RECIPE_STRING
@@ -173,11 +186,10 @@ validate_btrfs_compression() {
 #   None
 # Returns:
 #   0: on success
-#   ERR_BTRFS_INITPH
-#   ERR_BTRFS_OPTION
-#   ERR_BTRFS_SUBVOL
-#   ERR_MOUNTING_DEV
-#   ERR_MOUNTING_ROOT
+#   ERR_BTRFS_INITPH: on failure
+#   ERR_BTRFS_OPTION: on failure
+#   ERR_BTRFS_SUBVOL: on failure
+#   ERR_MOUNTING_DEV: on failure
 #######################################
 mount_partition() {
  ### Declare Arrays, HashMaps, and Variables.
@@ -212,22 +224,13 @@ mount_partition() {
      var_encryption_label=$(get_label "${var_mount_path}" "${var_fs_version}" "luks")
    fi

-    var_partuuid="${HMP_PATH_PARTUUID["${var_mount_path}"]}"
-
-    #if [[ -z "${var_fs_uuid}" ]]; then
-    #  do_log "error" "file_only" "3280() FS-UUID for mount path: '${var_mount_path}' not found in: 'HMP_PATH_FSUUID'."
-    #  return "${ERR_MOUNTING_DEV}"
-    #fi
-
    ### Mounting of Ephemeral 'SWAP' and '/tmp' as per https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption#UUID_and_LABEL
    if [[ "${var_mount_path,,}" == "swap" ]]; then

-      #cryptsetup open --type plain --key-file /dev/random \
-      #  --offset 2048 --cipher aes-xts-plain64 --key-size 512 \
-      #  --sector-size 4096 "/dev/disk/by-uuid/${var_fs_uuid}" "${var_encryption_label}"
+      var_partuuid="${HMP_PATH_PARTUUID["${var_mount_path}"]}"

      cryptsetup open --type plain --hash=plain \
-        --key-file /dev/random --keyfile-size 256 \
+        --key-file /dev/random --keyfile-size 64 \
        --cipher aes-xts-plain64 --key-size 512 \
        "/dev/disk/by-partuuid/${var_partuuid}" "${var_encryption_label}"

@@ -244,12 +247,10 @@ mount_partition() {

    elif [[ "${var_mount_path,,}" == "/tmp" ]]; then

-      #cryptsetup open --type plain --key-file /dev/random \
-      #  --offset 2048 --cipher aes-xts-plain64 --key-size 512 \
-      #  --sector-size 4096 "/dev/disk/by-uuid/${var_fs_uuid}" "${var_encryption_label}"
+      var_partuuid="${HMP_PATH_PARTUUID["${var_mount_path}"]}"

      cryptsetup open --type plain --hash=plain \
-        --key-file /dev/random --keyfile-size 256 \
+        --key-file /dev/random --keyfile-size 64 \
        --cipher aes-xts-plain64 --key-size 512 \
        "/dev/disk/by-partuuid/${var_partuuid}" "${var_encryption_label}"

@@ -378,4 +379,7 @@ mount_partition() {

  guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f mount_partition
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_3200_partitioning/3290_uuid_logger.sh
+++ b/func/cdi_3200_partitioning/3290_uuid_logger.sh
@@ -29,30 +29,41 @@ uuid_logger() {

  printf 'PARTITION UUID Partition:\n' >> "${LOG_UID}"
  for var_key in "${!HMP_PATH_PARTUUID[@]}"; do
+
    var_mountpoint="${var_key}"
    var_uuid="${HMP_PATH_PARTUUID[${var_key}]}"
    ### Left-aligned field width 63; "UUID=" starts directly after column 64.
    printf '%-63sUUID=%s\n' "${var_mountpoint}" "${var_uuid}" >> "${LOG_UID}"
+
  done

+
  printf '\n' >> "${LOG_UID}"
  printf 'LUKS CONTAINER UUID:\n' >> "${LOG_UID}"
  for var_key in "${!HMP_PATH_LUKSUUID[@]}"; do
+
    var_mountpoint="${var_key}"
    var_uuid="${HMP_PATH_LUKSUUID[${var_key}]}"
    ### Left-aligned field width 63; "UUID=" starts directly after column 64.
    printf '%-63sUUID=%s\n' "${var_mountpoint}" "${var_uuid}" >> "${LOG_UID}"
+
  done

+
  printf '\n' >> "${LOG_UID}"
  printf 'FILESYSTEM UUID:\n' >> "${LOG_UID}"
  for var_key in "${!HMP_PATH_FSUUID[@]}"; do
+
    var_mountpoint="${var_key}"
    var_uuid="${HMP_PATH_FSUUID[${var_key}]}"
    ### Left-aligned field width 63; "UUID=" starts directly after column 64.
    printf '%-63sUUID=%s\n' "${var_mountpoint}" "${var_uuid}" >> "${LOG_UID}"
+
  done

  guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f uuid_logger
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_3200_partitioning/3295_get_label.sh
+++ b/func/cdi_3200_partitioning/3295_get_label.sh
@@ -117,4 +117,7 @@ get_label() {

  fi
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f get_label
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4000_debootstrap/4000_debootstrap.sh
+++ b/func/cdi_4000_debootstrap/4000_debootstrap.sh
@@ -25,7 +25,7 @@ guard_sourcing
 #   None
 # Returns:
 #   0: on success
-#   ERR_DEBOOTSTRAP
+#   ERR_DEBOOTSTRAP: on failure
 #######################################
 func_debootstrap() {
  ### Declare Arrays, HashMaps, and Variables.
@@ -70,4 +70,7 @@ func_debootstrap() {

  fi
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f func_debootstrap
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4000_debootstrap/4005_debootstrap_checks.sh
+++ b/func/cdi_4000_debootstrap/4005_debootstrap_checks.sh
@@ -80,4 +80,7 @@ check_debootstrap() {

  guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f check_debootstrap
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4000_debootstrap/4010_prepare_mounts.sh
+++ b/func/cdi_4000_debootstrap/4010_prepare_mounts.sh
@@ -22,13 +22,13 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   ERR_CHRT_MOUNTS
 #   0: on success
+#   ERR_CHRT_MOUNTS: on failure
 #######################################
 prepare_mounts() {

  ### Notes
-  # This file mounts all necessary pseudo filesystems into the target root environment to enable chroot operations.
+  # This function mounts all necessary pseudo filesystems into the target root environment to enable chroot operations.
  # --rbind: recursive binding.
  # --make-rslave: In this case, the mount point is marked as 'slave'.
  # This means changes to the source mount (e.g., /proc) are propagated to the target mount (e.g., "${TARGET}/proc").
--- a/func/cdi_4000_debootstrap/4015_check_usr_merge.sh
+++ b/func/cdi_4000_debootstrap/4015_check_usr_merge.sh
@@ -46,4 +46,7 @@ check_usr_merge() {

  guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f check_usr_merge
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4000_debootstrap/4020_remove_x509.sh
+++ b/func/cdi_4000_debootstrap/4020_remove_x509.sh
@@ -39,4 +39,7 @@ remove_x509() {

  guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f remove_x509
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4200_boot/4200_generate_fstab.sh
+++ b/func/cdi_4200_boot/4200_generate_fstab.sh
@@ -42,6 +42,9 @@ write_fstab() {

  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f write_fstab

 #######################################
 # Generate the '/etc/fstab' target entries.
@@ -155,7 +158,7 @@ EOF
  var_fs_uuid="/dev/mapper/${var_dmapper}"
  var_fs_path="none"
  var_fs_type="swap"
-  var_fs_opts="defaults,discard,nofail,x-systemd.device-timeout=10s"
+  var_fs_opts="defaults,discard,x-systemd.device-timeout=10s"
  var_fs_pass="0"
  write_fstab "${var_fs_uuid}" "${var_fs_path}" "${var_fs_type}" "${var_fs_opts}" "${var_fs_pass}"

@@ -187,4 +190,7 @@ EOF

  guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_fstab
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4200_boot/4205_check_fstab.sh
+++ b/func/cdi_4200_boot/4205_check_fstab.sh
@@ -50,4 +50,7 @@ check_fstab() {

  guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f check_fstab
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4200_boot/4210_generate_crypttab.sh
+++ b/func/cdi_4200_boot/4210_generate_crypttab.sh
@@ -125,15 +125,15 @@ EOF
    case "${var_key,,}" in

      swap)
-        #write_crypttab "${var_ephemeral_enclabel}" "LABEL=${var_host_fs_label}" "/dev/random" "swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,discard"
-        write_crypttab "${var_ephemeral_enclabel}" "PARTUUID=${var_host_partuuid}" "/dev/random" "cipher=aes-xts-plain64,size=512,discard,swap"
+        write_crypttab "${var_ephemeral_enclabel}" "PARTUUID=${var_host_partuuid}" "/dev/random" "plain,cipher=aes-xts-plain64,size=512,hash=plain,keyfile-size=64,discard,swap"
        ;;

      /tmp)
-        #write_crypttab "${var_ephemeral_enclabel}" "LABEL=${var_host_fs_label}" "/dev/random" "offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,discard,tmp=ext4"
-        write_crypttab "${var_ephemeral_enclabel}" "PARTUUID=${var_host_partuuid}" "/dev/random" "cipher=aes-xts-plain64,size=512,discard"
+        write_crypttab "${var_ephemeral_enclabel}" "PARTUUID=${var_host_partuuid}" "/dev/random" "plain,cipher=aes-xts-plain64,size=512,hash=plain,keyfile-size=64,discard"
+        chroot_script "${TARGET}" "systemctl unmask tmp.mount"
+        do_log "info" "file_only" "4210() Executed: [systemctl unmask tmp.mount]"
        chroot_script "${TARGET}" "systemctl disable tmp.mount"
-        do_log "info" "file_only" "4210() Masked: [tmp.mount]"
+        do_log "info" "file_only" "4210() Executed: [systemctl disable tmp.mount]"
        ;;

      *)