msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m41s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-09-26 19:58:34 +01:00
parent e01e686ae0
commit 748007d0cb
27 changed files with 698 additions and 863 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
func/cdi_5000_recovery/3.8.9.functions_installation_wrapper_recovery.sh
View File

@@ -1,41 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Wrapper to check if recovery partition is selected and if so, proceed with setup of recovery OS.
# Globals:
# MAP_MOUNTPATH_DEV
# MODULE_ERR
# MODULE_TXT
# Arguments:
# None
###########################################################################################
wrapper_recovery() {
declare FOUND="false"
declare MOUNT_PATH=""
declare HASHMAP_VALUE=""
for MOUNT_PATH in "${!MAP_MOUNTPATH_DEV[@]}"; do
HASHMAP_VALUE="${MAP_MOUNTPATH_DEV[${MOUNT_PATH}]}"
if [[ ${HASHMAP_VALUE} == "/dev/mapper/crypt_rescue" ]]; then
FOUND="true"
break
fi
done
if [[ ${FOUND} == true ]]; then
3_9_0_functions_installation_setup_recovery
3_9_1_functions_installation_generate_files_recovery
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

83
func/cdi_5000_recovery/3.9.0.functions_installation_setup_recovery.sh
View File

@@ -1,83 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Mounting '/dev/mapper/crypt_rescue', debootstrap recovery partition, preparing chroot.
# Globals:
# ERR_CHROOT_MOUNTS
# ERR_DE_BOOT_STRAP
# MODULE_ERR
# MODULE_TXT
# RECOVERY
# TARGET
# Arguments:
# None
###########################################################################################
setup_recovery() {
# The '/dev/mapper/crypt_rescue' partition is not mounted by the installation script by default,
# as it is not required to be automatically mounted by the production system via '/etc/crypttab' and '/etc/fstab'.
mount /dev/mapper/crypt_rescue "${RECOVERY}"
# Debootstrap for a minimalistic Debian OS.
if debootstrap --arch amd64 bookworm "${RECOVERY}" https://deb.debian.org/debian; then
do_log "info" "file_only" "Executing 'debootstrap --arch amd64 bookworm '${RECOVERY}' https://deb.debian.org/debian' successful."
else
do_log "emergency" "file_only" "Executing 'debootstrap --arch amd64 bookworm '${RECOVERY}' https://deb.debian.org/debian' NOT successful."
exit "${ERR_DE_BOOT_STRAP}"
fi
### Reminder ###
# --rbind: recursive binding.
# --make-rslave: In this case, the mount point is marked as 'slave'.
# This means changes to the source mount (e.g., /proc) are propagated to the target mount (e.g., "${TARGET}"/proc).
# Conversely, changes to the target mount are not propagated back to the source mount.
# This mode is necessary to avoid problems with double or erroneous propagation effects in chroot or container environments.
# Prepare the freshly installed Debian OS recovery system for further setup.
if mount --make-rslave --rbind /proc "${RECOVERY}"/proc; then
do_log "info" "file_only" "'mount --make-rslave --rbind /proc ${RECOVERY}/proc'."
else
do_log "emergency" "file_only" "Failed: 'mount --make-rslave --rbind /proc ${RECOVERY}/proc'."
exit "${ERR_CHROOT_MOUNTS}"
fi
if mount --make-rslave --rbind /sys "${RECOVERY}"/sys; then
do_log "info" "file_only" "'mount --make-rslave --rbind /sys ${RECOVERY}/sys'."
else
do_log "emergency" "file_only" "Failed: 'mount --make-rslave --rbind /sys ${RECOVERY}/sys'."
exit "${ERR_CHROOT_MOUNTS}"
fi
if mount --make-rslave --rbind /dev "${RECOVERY}"/dev; then
do_log "info" "file_only" "'mount --make-rslave --rbind /dev ${RECOVERY}/dev'."
else
do_log "emergency" "file_only" "Failed: 'mount --make-rslave --rbind /dev ${RECOVERY}/dev'."
exit "${ERR_CHROOT_MOUNTS}"
fi
if mount --make-rslave --rbind /run "${RECOVERY}"/run; then
do_log "info" "file_only" "'mount --make-rslave --rbind /run ${RECOVERY}/run'."
else
do_log "emergency" "file_only" "Failed: 'mount --make-rslave --rbind /run ${RECOVERY}/run'."
exit "${ERR_CHROOT_MOUNTS}"
fi
if chroot_exec "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
do_log "info" "file_only" "Command: 'mkdir -p /etc/systemd/system/multi-user.target.wants' executed in: '${RECOVERY}'."
else
do_log "emergency" "file_only" "Failed: Command: 'mkdir -p /etc/systemd/system/multi-user.target.wants' executed in: '${RECOVERY}'."
fi
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:

387
func/cdi_5000_recovery/3.9.1.functions_installation_generate_files_recovery.sh
View File

@@ -1,387 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Generates '${RECOVERY}/etc/crypttab' and '${RECOVERY}/etc/fstab' files for recovery partition.
# Globals:
# tba
# Arguments:
# None
###########################################################################################
generate_files_recovery() {
### BLOCK '${RECOVERY}/etc/crypttab'
# Generate '${RECOVERY}/etc/crypttab'
touch "${RECOVERY}"/etc/crypttab
chmod 0644 "${RECOVERY}"/etc/crypttab
# Generate '${RECOVERY}/etc/crypttab' header
# shellcheck disable=SC2129
cat << EOF >> "${RECOVERY}"/etc/crypttab
# <name> <device> <password-file-or-none> <options>
EOF
### Reminder ###
# MAP_MOUNTPATH_DEV["${MOUNT_PATH}"]="/dev/mapper/${ENCRYPTION_LABEL}"
# MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]="${UUID}"
# MAP_PATH_CRYPT["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
# Extract the key from HashMap MAP_PATH_CRYPT["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
declare KEY=""
declare VAR=""
for VAR in "${!MAP_PATH_CRYPT[@]}"; do
if [[ ${MAP_PATH_CRYPT[$VAR]} == "crypt_rescue" ]]; then
KEY="${VAR}"
break
fi
done
declare ENCRYPTION_LABEL
ENCRYPTION_LABEL="${MAP_PATH_CRYPT["${KEY}"]}"
# shellcheck disable=2129
echo "# ${KEY} was on /dev/mapper/${MAP_PATH_CRYPT["${KEY}"]} during installation" >> "${RECOVERY}"/etc/crypttab
echo "${MAP_PATH_CRYPT["${KEY}"]} UUID=${MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]} none luks,discard" >> "${RECOVERY}"/etc/crypttab
echo "" >> "${RECOVERY}"/etc/crypttab
do_log "info" "file_only" "crypttab entry generated: '${MAP_PATH_CRYPT["${KEY}"]} UUID=${MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]} none luks,discard'."
# Generate '${RECOVERY}/etc/crypttab' special ephemeral entries.
declare -a EPHEMERAL_MOUNT_PATH=("SWAP" "/tmp")
declare KEY=""
# MAP_EPHEMERAL_DEV["${MOUNT_PATH}"]="/dev/${DEV}${PARTITION}"
# MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
for KEY in "${EPHEMERAL_MOUNT_PATH[@]}"; do
if [[ ${KEY} == "SWAP" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_EPHEMERAL_DEV[${KEY}]} during installation" >> "${RECOVERY}"/etc/crypttab
echo "${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=SWAP /dev/random swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096" >> "${RECOVERY}"/etc/crypttab
echo "" >> "${RECOVERY}"/etc/crypttab
do_log "info" "file_only" "'${RECOVERY}/etc/crypttab' entry generated: '${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=SWAP /dev/random swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096'."
elif [[ ${KEY} == "/tmp" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_EPHEMERAL_DEV[${KEY}]} during installation" >> "${RECOVERY}"/etc/crypttab
echo "${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=ext4_tmp /dev/random offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4" >> "${RECOVERY}"/etc/crypttab
echo "" >> "${RECOVERY}"/etc/crypttab
do_log "info" "file_only" "'${RECOVERY}/etc/crypttab' entry generated: '${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=ext4_tmp /dev/random offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4'."
else
do_log "info" "file_only" "${RECOVERY}/etc/crypttab (This message should never get printed.)"
fi
done
### BLOCK '${RECOVERY}/etc/fstab'
# Generate '${RECOVERY}/etc/fstab'
touch "${RECOVERY}"/etc/fstab
chmod 0644 "${RECOVERY}"/etc/fstab
# Generate '${RECOVERY}/etc/fstab' header
# shellcheck disable=SC2129
cat << EOF >> "${RECOVERY}"/etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# systemd generates mount units based on this file, see systemd.mount(5).
# Please run 'systemctl daemon-reload' after making changes here.
#
# <file system> <mount point> <type> <options> <dump> <pass>
EOF
### Reminder ###
# MAP_MOUNTPATH_DEV["${MOUNT_PATH}"]="/dev/mapper/${ENCRYPTION_LABEL}"
# MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]="${UUID}"
# MAP_PATH_CRYPT["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
# Generate '${TARGET}/etc/fstab' special entries '/' '/boot' '/boot/efi'.
# Define the order of the special keys.
declare -a KEY_ORDER
KEY_ORDER=("/RECOVERY")
declare DEVICE_PATH
declare DEVICE_UUID
declare ENCRYPTION_LABEL
declare KEY
declare MATCHING_VAR
declare TRANSFORMED_STRING
for KEY in "${KEY_ORDER[@]}"; do
# Initialize variables
DEVICE_PATH="${MAP_MOUNTPATH_DEV[${KEY}]}"
DEVICE_UUID=$(blkid -s UUID -o value "${DEVICE_PATH}")
# if KEY:VALUE equals "/dev/${DEV}${PARTITION}"
if [[ ${DEVICE_PATH} =~ ^/dev/[a-zA-Z]+[0-9]+$ ]]; then
TRANSFORMED_STRING=$(echo "${DEVICE_PATH}" | sed 's|/dev/|dev_|; s|\([a-zA-Z]\)\([0-9]\)|\1_\2|')
# if KEY:VALUE equals "/dev/mapper/${ENCRYPTION_LABEL}"
elif [[ ${DEVICE_PATH} =~ ^/dev/mapper/ ]]; then
# Extract ENCRYPTION_LABEL
ENCRYPTION_LABEL="${DEVICE_PATH#/dev/mapper/}"
# Search matching variable of the sourced "${PRESEED}" variable file
MATCHING_VAR=$(declare -p | grep -oP "recipe_[^ ]+_encryption_label=${ENCRYPTION_LABEL}")
if [[ -n ${MATCHING_VAR} ]]; then
# Extract third, fourth and fifth part of the respective variable
TRANSFORMED_STRING=$(echo "${MATCHING_VAR}" | sed -E 's|recipe_[^_]+_(dev_[^_]+_[^_]+)_.*|\1|')
else
do_log "error" "false" "No matching variable found for ENCRYPTION_LABEL='${ENCRYPTION_LABEL}'."
exit "${ERR_NO_ENCR_LABEL}"
fi
else
do_log "error" "false" "Unknown DEVICE_PATH-Format: '${DEVICE_PATH}'."
exit "${ERR_NO_DEVIC_PATH}"
fi
declare BTRFS_COMPR_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_btrfs_compress"
declare BTRFS_LEVEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_btrfs_level"
declare FILESYSTEM_LABEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_label"
declare FILESYSTEM_VERSION_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_version"
declare MOUNT_OPTIONS_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_options"
declare MOUNT_SUBVOLUME_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_subvolume"
declare BTRFS_COMPR=${!BTRFS_COMPR_VAR}
declare BTRFS_LEVEL=${!BTRFS_LEVEL_VAR}
declare FILESYSTEM_LABEL=${!FILESYSTEM_LABEL_VAR}
declare FILESYSTEM_VERSION=${!FILESYSTEM_VERSION_VAR}
declare MOUNT_OPTIONS=${!MOUNT_OPTIONS_VAR}
declare MOUNT_SUBVOLUME=${!MOUNT_SUBVOLUME_VAR}
if [[ ${KEY} == "/" ]]; then
if [[ ${FILESYSTEM_VERSION} == "btrfs" ]]; then
declare BTRFS_OPTIONS="compress=${BTRFS_COMPR}:${BTRFS_LEVEL}"
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "${MAP_MOUNTPATH_DEV[${KEY}]} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 1" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "file_only" "fstab entry generated: '${MAP_MOUNTPATH_DEV[${KEY}]} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 1'."
elif [[ ${FILESYSTEM_VERSION} == "ext4" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "${MAP_MOUNTPATH_DEV[${KEY}]} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 1" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "file_only" "fstab entry generated: '${MAP_MOUNTPATH_DEV[${KEY}]} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 1'."
else
do_log "error" "false" "fstab entry - no valid filesystem: '${FILESYSTEM_VERSION}' found for '${KEY}'."
fi
elif [[ ${KEY} == "/boot" ]]; then
if [[ ${FILESYSTEM_VERSION} == "btrfs" ]]; then
declare BTRFS_OPTIONS="compress=${BTRFS_COMPR}:${BTRFS_LEVEL}"
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "file_only" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 2'."
elif [[ ${FILESYSTEM_VERSION} == "ext4" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "file_only" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 2'."
else
do_log "error" "false" "fstab entry - no valid filesystem: '${FILESYSTEM_VERSION}' found for '${KEY}'."
fi
elif [[ ${KEY} == "/boot/efi" ]]; then
if [[ ${FILESYSTEM_VERSION} == "fat32" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} vfat umask=0077 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "file_only" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} vfat umask=0077 0 2'."
else
do_log "error" "false" "fstab entry - no valid filesystem: '${FILESYSTEM_VERSION}' found for '${KEY}'."
fi
else
do_log "error" "false" "fstab entry - no valid '${KEY}' for '/', '/boot', '/boot/efi' found."
fi
done
# Generate '${TARGET}/etc/fstab' remaining entries
for KEY in "${!MAP_MOUNTPATH_DEV[@]}"; do
# Initialize variables
DEVICE_PATH="${MAP_MOUNTPATH_DEV[${KEY}]}"
DEVICE_UUID=$(blkid -s UUID -o value "${DEVICE_PATH}")
# if KEY:VALUE equals "/dev/${DEV}${PARTITION}"
if [[ ${DEVICE_PATH} =~ ^/dev/[a-zA-Z]+[0-9]+$ ]]; then
TRANSFORMED_STRING=$(echo "${DEVICE_PATH}" | sed 's|/dev/|dev_|; s|\([a-zA-Z]\)\([0-9]\)|\1_\2|')
# if KEY:VALUE equals "/dev/mapper/${ENCRYPTION_LABEL}"
elif [[ ${DEVICE_PATH} =~ ^/dev/mapper/ ]]; then
# Extract ENCRYPTION_LABEL
ENCRYPTION_LABEL="${DEVICE_PATH#/dev/mapper/}"
# Search matching variable of the sourced "${PRESEED}" variable file
MATCHING_VAR=$(declare -p | grep -oP "recipe_[^ ]+_encryption_label=${ENCRYPTION_LABEL}")
if [[ -n ${MATCHING_VAR} ]]; then
# Extract third, fourth and fifth part of the respective variable
TRANSFORMED_STRING=$(echo "${MATCHING_VAR}" | sed -E 's|recipe_[^_]+_(dev_[^_]+_[^_]+)_.*|\1|')
else
do_log "error" "false" "No matching variable found for ENCRYPTION_LABEL='${ENCRYPTION_LABEL}'."
exit "${ERR_NO_ENCR_LABEL}"
fi
else
do_log "error" "false" "Unknown DEVICE_PATH-Format: '${DEVICE_PATH}'."
exit "${ERR_NO_DEVIC_PATH}"
fi
declare BTRFS_COMPR_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_btrfs_compress"
declare BTRFS_LEVEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_btrfs_level"
declare FILESYSTEM_LABEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_label"
declare FILESYSTEM_VERSION_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_version"
declare MOUNT_OPTIONS_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_options"
declare MOUNT_SUBVOLUME_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_subvolume"
declare BTRFS_COMPR=${!BTRFS_COMPR_VAR}
declare BTRFS_LEVEL=${!BTRFS_LEVEL_VAR}
declare FILESYSTEM_LABEL=${!FILESYSTEM_LABEL_VAR}
declare FILESYSTEM_VERSION=${!FILESYSTEM_VERSION_VAR}
declare MOUNT_OPTIONS=${!MOUNT_OPTIONS_VAR}
declare MOUNT_SUBVOLUME=${!MOUNT_SUBVOLUME_VAR}
# Skip already mounted paths ("/", "/boot", "/boot/efi")
if [[ " ${KEY_ORDER[*]} " == *" ${KEY} "* ]]; then
continue
fi
if [[ ${FILESYSTEM_VERSION} == "btrfs" ]]; then
declare BTRFS_OPTIONS="compress=${BTRFS_COMPR}:${BTRFS_LEVEL}"
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "file_only" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 2'."
elif [[ ${FILESYSTEM_VERSION} == "ext4" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "file_only" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 2'."
else
do_log "error" "false" "fstab entry - no valid filesystem: '${FILESYSTEM_VERSION}' found for '${KEY}'."
fi
done
# Add entry for CD-ROM device
# shellcheck disable=2129
echo "# /media/cdrom0 was on /dev/sr0 during installation" >> "${TARGET}"/etc/fstab
echo "/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "file_only" "fstab entry generated: '/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0'."
# Add entry for proc and tmpfs device
# shellcheck disable=2129
echo "##### Added by CISS.2025.debian.installer" >> "${TARGET}"/etc/fstab
echo "proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0" >> "${TARGET}"/etc/fstab
echo "tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,relatime,size=1G 0 0" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "file_only" "fstab entry generated: 'proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0'."
do_log "info" "file_only" "fstab entry generated: 'tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,relatime,size=1G 0 0'."
# Add entry for SWAP device
declare MOUNT_PATH="SWAP"
# shellcheck disable=2129
echo "##### Added by CISS.2025.debian.installer" >> "${TARGET}"/etc/fstab
echo "${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} none swap defaults 0 0" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "file_only" "fstab entry generated: '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} none swap defaults 0 0'."
# Add entry for '/tmp' device
declare MOUNT_PATH="/tmp"
# shellcheck disable=2129
echo "##### Added by CISS.2025.debian.installer" >> "${TARGET}"/etc/fstab
echo "${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} /tmp ext4 defaults,rw,nodev,nosuid,relatime 0 0" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "file_only" "fstab entry generated: '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} /tmp ext4 defaults,rw,nodev,nosuid,relatime 0 0'."
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:

73
func/cdi_5000_recovery/5000_debootstrap.sh Normal file
View File

@@ -0,0 +1,73 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Install a minimal Debian environment using the 'debootstrap' command.
# Globals:
# LOG_REC
# RECOVERY
# VAR_ARCHITECTURE
# VAR_CODENAME
# debootstrap_includes
# debootstrap_mirror
# Arguments:
# None
# Returns:
# 0: on success
# ERR_DEBOOTSTRAP
#######################################
func_debootstrap_reco() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_arch="${VAR_ARCHITECTURE}"
declare -r var_dist="${VAR_CODENAME}"
declare -r var_target="${RECOVERY}"
declare -r var_mirror="${debootstrap_mirror}"
declare -r var_includes="${debootstrap_includes}"
declare -a ary_cmd=()
ary_cmd+=( "debootstrap" "--arch=${var_arch}" "--keep-debootstrap-dir" "--log-extra-deps" "--merged-usr" )
if [[ -n "${var_includes}" ]]; then ary_cmd+=( "--include=${var_includes}" ); fi
ary_cmd+=( "${var_dist}" "${var_target}" "${var_mirror}" )
do_log "debug" "file_only" "5000() Executing: [${ary_cmd[*]}]"
# shellcheck disable=SC2312
if "${ary_cmd[@]}" | tee "${LOG_REC}"; then
do_log "info" "file_only" "5000() [${ary_cmd[*]}] successful."
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/backup"
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/debootstrap"
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/hooks"
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/keys"
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/log"
mv -T "${var_target}/debootstrap" "${var_target}/root/.ciss/cdi/debootstrap"
chmod 0700 "${var_target}/root/.ciss"
chmod 0700 "${var_target}/root/.ciss/cdi"
chmod 0700 "${var_target}/root/.ciss/cdi/debootstrap"
guard_dir && return 0
else
do_log "emergency" "file_only" "5000() [${ary_cmd[*]}] failed."
return "${ERR_DEBOOTSTRAP}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

83
func/cdi_5000_recovery/5005_debootstrap_checks.sh Normal file
View File

@@ -0,0 +1,83 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Preliminary post debootstrap checks.
# Globals:
# RECOVERY
# Arguments:
# None
# Returns:
# 0: on success
#######################################
check_debootstrap_reco() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/5005_debootstrap_checks.log"
chroot_logger "${RECOVERY}${var_logfile}"
chroot_script "${RECOVERY}" "
{
### Header
echo '==[debootstrap checks]=='
date -Is 2>/dev/null || true
### dpkg audit (non-fatal)
echo '### dpkg --audit'
dpkg --audit || true
### essential subset (status & version)
echo '### dpkg-query essential subset'
dpkg-query -W -f='\${db:Status-Abbrev} \${binary:Package} \${Version}\n' dpkg libc6 coreutils bash apt systemd 2>/dev/null || true
### init presence (log explicit)
echo '### init presence'
if [[ -x /sbin/init ]] || [[ -x /lib/systemd/systemd ]]; then
echo 'init_present=yes'
else
echo 'init_present=no'
fi
### awk path and alternative link (if any)
echo '### awk'
awk_path=\$(command -v awk || true)
printf 'awk_path=%s\n' \"\$awk_path\"
if [[ -L /usr/bin/awk ]]; then
printf 'awk_link=/usr/bin/awk -> %s\n' \"\$(readlink -f /usr/bin/awk 2>/dev/null || true)\"
fi
### usr-merge / tainted check
echo '### usr-merge / taint'
usr_merge_ok=yes
for p in /bin /sbin /lib /lib64; do
[[ -e \"\$p\" ]] || continue
if [[ -L \"\$p\" ]]; then
tgt=\$(readlink -f \"\$p\" 2>/dev/null || true)
printf '%s -> %s\n' \"\$p\" \"\$tgt\"
else
usr_merge_ok=no
printf '%s is not a symlink (tainted: unmerged-bin)\n' \"\$p\"
fi
done
printf 'usr_merge_ok=%s\n' \"\$usr_merge_ok\"
### architecture
echo '### architecture'
dpkg --print-architecture 2>/dev/null || true
} >> ${var_logfile}
"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

119
func/cdi_5000_recovery/5010_prepare_mounts.sh Normal file
View File

@@ -0,0 +1,119 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Configure the recovery system for chroot.
# Globals:
# ERR_CHRT_MOUNTS
# RECOVERY
# VAR_CHROOT_ACTIVATED
# VAR_NEED_RUN_IN_TARGET
# Arguments:
# None
# Returns:
# ERR_CHRT_MOUNTS
# 0: on success
#######################################
prepare_mounts_reco() {
### Notes
# This file mounts all necessary pseudo filesystems into the target root environment to enable chroot operations.
# --rbind: recursive binding.
# --make-rslave: In this case, the mount point is marked as 'slave'.
# This means changes to the source mount (e.g., /proc) are propagated to the target mount (e.g., "${RECOVERY}/proc").
# Conversely, changes to the target mount are not propagated back to the source mount.
# This mode is necessary to avoid problems with double or erroneous propagation effects in chroot or container environments.
#
# Some subdirectories (such as /dev/pts, /dev/shm, /sys/fs/cgroup) are remounted with more restrictive options
# like 'noexec', 'nosuid', and 'nodev' to enhance security. This ensures they override the inherited bind-mounts and
# enforce proper runtime behavior in the chroot.
### Declare Arrays, HashMaps, and Variables.
declare -A HMP_SPECIAL_MOUNTS=(
["/dev"]="devtmpfs devtmpfs mode=0755,nosuid" # Base device node FS
["/dev/pts"]="devpts devpts noexec,nosuid" # Pseudoterminals
["/dev/shm"]="tmpfs tmpfs rw,nosuid,nodev" # Shared memory
["/dev/mqueue"]="mqueue mqueue rw,nosuid,nodev,noexec" # POSIX message queues
["/dev/hugepages"]="hugetlbfs hugetlbfs rw,nosuid,nodev" # Huge pages
["/proc"]="proc proc nosuid,noexec,nodev" # procfs
["/sys"]="sysfs sysfs nosuid,noexec,nodev" # sysfs
["/sys/fs/cgroup"]="cgroup2 cgroup2 rw,nosuid,nodev,noexec,relatime" # Unified cgroup2
)
declare var_path="" var_fs="" var_src="" var_opts=""
for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
mkdir -p "${RECOVERY}${var_path}"
done
for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
IFS=" " read -r var_fs var_src var_opts <<< "${HMP_SPECIAL_MOUNTS[${var_path}]}"
if mountpoint -q "${RECOVERY}${var_path}"; then
do_log "info" "file_only" "5010() Skipped: '${RECOVERY}${var_path}' is already a mountpoint."
continue
fi
if ! mount -t "${var_fs}" "${var_src}" "${RECOVERY}${var_path}" -o "${var_opts}"; then
do_log "emergency" "file_only" "5010() Command: [mount -t ${var_fs} ${var_src} ${RECOVERY}${var_path} -o ${var_opts}] failed."
return "${ERR_CHRT_MOUNTS}"
fi
do_log "info" "file_only" "5010() Command: [mount -t ${var_fs} ${var_src} ${RECOVERY}${var_path} -o ${var_opts}] successful."
done
if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
mkdir -p "${RECOVERY}/run"
if ! mount --make-rslave --rbind /run "${RECOVERY}/run"; then
do_log "emergency" "file_only" "5010() Command: [mount --make-rslave --rbind /run ${RECOVERY}/run] failed."
return "${ERR_CHRT_MOUNTS}"
fi
do_log "info" "file_only" "5010() Command: [mount --make-rslave --rbind /run ${RECOVERY}/run] successful."
fi
if ! chroot_exec "${RECOVERY}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
do_log "emergency" "file_only" "5010() Command: [chroot_exec ${RECOVERY} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
return "${ERR_CHRT_MOUNTS}"
fi
do_log "info" "file_only" "5010() Command: [chroot_exec ${RECOVERY} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
mkdir -p "${RECOVERY}/media/cdrom0"
# shellcheck disable=SC2034
declare -gx VAR_CHROOT_ACTIVATED="recovery"
do_log "info" "file_only" "5010() Command: [declare -gx VAR_CHROOT_ACTIVATED=recovery]"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

49
func/cdi_5000_recovery/5015_check_usr_merge.sh Normal file
View File

@@ -0,0 +1,49 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Check if the recovery system is not 'tainted: unmerged-usr'.
# Globals:
# RECOVERY
# architecture
# Arguments:
# None
# Returns:
# 0: on success
#######################################
check_usr_merge_reco() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/5015_check_usr_merge.log"
chroot_logger "${RECOVERY}${var_logfile}"
# shellcheck disable=SC2312
chroot_script "${RECOVERY}" "
test -L /bin && test $(readlink -f /bin) = '/usr/bin' && echo 'MERGED:/bin' >> ${var_logfile} || echo 'UNMERGED:/bin' >> ${var_logfile}
test -L /sbin && test $(readlink -f /sbin) = '/usr/sbin' && echo 'MERGED:/sbin' >> ${var_logfile} || echo 'UNMERGED:/sbin' >> ${var_logfile}
test -L /lib && test $(readlink -f /lib) = '/usr/lib' && echo 'MERGED:/lib' >> ${var_logfile} || echo 'UNMERGED:/lib' >> ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
if [[ "${architecture}" == "amd64" ]]; then
# shellcheck disable=SC2312
chroot_script "${RECOVERY}" "
test -L /lib64 && test $(readlink -f /lib64) = '/usr/lib64' && echo 'MERGED:/lib64' >> ${var_logfile} || echo 'UNMERGED:/lib64' >> ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
fi
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

42
func/cdi_5000_recovery/5020_remove_x509.sh Normal file
View File

@@ -0,0 +1,42 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Chroot hook for deleting all expired X.509 certificates in the recovery system.
# Globals:
# RECOVERY
# VAR_SETUP_PATH
# Arguments:
# None
# Returns:
# 0: on success
#######################################
remove_x509_reco() {
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/4020_remove_x509.hooks.sh" \
"${RECOVERY}/root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh"
if ! chroot_script "${RECOVERY}" "/root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh" "emergency"; then
do_log "warn" "file_only" "5020() Command: [chroot_script ${RECOVERY} /root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh emergency] failed."
else
do_log "debug" "file_only" "5020() Command: [chroot_script ${RECOVERY} /root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh emergency] successful."
fi
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

32
func/cdi_5000_recovery/5030_setup_hostname.sh Normal file
View File

@@ -0,0 +1,32 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Configure the '/etc/hostname' | '/etc/hosts' | '/etc/mailname' files.
# Globals:
# RECOVERY
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_hostname_reco() {
cp -a "${TARGET}/etc/hosts" "${RECOVERY}/etc/hosts"
cp -a "${TARGET}/etc/hostname" "${RECOVERY}/etc/hostname"
cp -a "${TARGET}/etc/mailname" "${RECOVERY}/etc/mailname"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

36
func/cdi_5000_recovery/5035_setup_resolv.sh Normal file
View File

@@ -0,0 +1,36 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Configure the '/etc/resolv.conf' file.
# Globals:
# RECOVERY
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_resolv_reco() {
if [[ -f "${RECOVERY}/etc/resolv.conf" ]]; then
mkdir -p "${RECOVERY}/root/.ciss/cdi/backup/etc"
mv "${RECOVERY}/etc/resolv.conf" "${RECOVERY}/root/.ciss/cdi/backup/etc/resolv.conf.bak"
do_log "info" "file_only" "5035() Existing '${RECOVERY}/etc/resolv.conf' moved."
fi
cp -a "${TARGET}/etc/resolv.conf" "${RECOVERY}/etc/resolv.conf"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

39
func/cdi_5000_recovery/5040_setup_timezone.sh Normal file
View File

@@ -0,0 +1,39 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Configure the '/etc/timezone' | '/etc/localtime' files.
# Globals:
# RECOVERY
# ntp_timezone
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_timezone_reco() {
### Create '${RECOVERY}/etc/timezone' file.
cat << EOF >| "${RECOVERY}/etc/timezone"
${ntp_timezone:-UTC}
EOF
chmod 0644 "${RECOVERY}/etc/timezone"
do_log "info" "file_only" "5040() File generated: '${RECOVERY}/etc/timezone' | timezone '${ntp_timezone:-UTC}'."
chroot_exec "${RECOVERY}" ln -sf "/usr/share/zoneinfo/${ntp_timezone}" /etc/localtime
chroot_exec "${RECOVERY}" dpkg-reconfigure -f noninteractive tzdata
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

48
func/cdi_5000_recovery/5999_exiting_chroot_recovery.sh Normal file
View File

@@ -0,0 +1,48 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Exiting chroot of the target system.
# Globals:
# RECOVERY
# VAR_NEED_RUN_IN_TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
exiting_chroot_recovery() {
### Declare Arrays, HashMaps, and Variables.
declare -a ary_umount=( "/sys/fs/cgroup" "/dev/hugepages" "/dev/mqueue" "/dev/shm" "/dev/pts" "/proc" "/sys" "/dev" )
declare var_path=""
for var_path in "${ary_umount[@]}"; do
umount -l "${RECOVERY}${var_path}" 2>/dev/null || true
do_log "info" "file_only" "5999() Command: [umount -l ${RECOVERY}${var_path} 2>/dev/null || true] issued."
done
if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
umount -l "${RECOVERY}/run" 2>/dev/null || true
do_log "info" "file_only" "5999() Command: [umount -l ${RECOVERY}/run 2>/dev/null || true] issued."
fi
declare -gx VAR_CHROOT_ACTIVATED="false"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh