msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m2s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-26 16:48:17 +00:00
parent 1c83813ec4
commit 85c46f3c4c
5 changed files with 42 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
ciss_debian_installer.sh
View File

@@ -24,7 +24,7 @@
# TODO: Copying Log Files to final System # TODO: Copying Log Files to final System
# TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain? # TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain?
# TODO: Reboot function for Autoinstall, Clean Exit, Flush Logs, luksClose, umount # TODO: Reboot function for Autoinstall, Clean Exit, Flush Logs, luksClose, umount
# TODO: Implement loop_pass() for other passwords 0105_arg_nuke_converter.sh # TODO: Implement loop_pass() for other passwords 1257_yaml_xnuke.sh
# TODO: Implement / Integrate IP, Port validation CDI_1200 # TODO: Implement / Integrate IP, Port validation CDI_1200
### WHY BASH? ### WHY BASH?
@@ -198,10 +198,6 @@ arg_parser "$@"
info_echo "0103_arg_priority_check.sh" info_echo "0103_arg_priority_check.sh"
arg_priority_check arg_priority_check
### HASHING PASSWORDS.
info_echo "0105_arg_nuke_converter.sh"
nuke_passphrase
### CDI_1250 ### CDI_1250
info_echo "1250_yaml_parser.sh" info_echo "1250_yaml_parser.sh"
@@ -213,9 +209,12 @@ yaml_reader
info_echo "1252_yaml_validator.sh" info_echo "1252_yaml_validator.sh"
yaml_validator yaml_validator
info_echo "1256_secret_parser.sh" info_echo "1256_yaml_xfiles.sh"
yaml_secret yaml_secret
info_echo "1257_yaml_xnuke.sh"
nuke_passphrase
### CDI_3200 ### CDI_3200
info_echo "3200_partitioning.sh" info_echo "3200_partitioning.sh"

29
func/cdi_1250_yaml/1256_yaml_xfiles.sh
View File

@@ -122,6 +122,7 @@ ciss_secrets_wiper() {
readonly -f ciss_secrets_wiper readonly -f ciss_secrets_wiper
####################################### #######################################
# Purpose:
# Parsing of only "*.value" keys from 'SECRETS.yaml' into Bash globals. # Parsing of only "*.value" keys from 'SECRETS.yaml' into Bash globals.
# If the file contains SOPS markers, decrypt once (streaming) with sops/age, then yq parses in a single pass. # If the file contains SOPS markers, decrypt once (streaming) with sops/age, then yq parses in a single pass.
# No base64, plain values preserved (including newlines). No repeated per-key decrypts or yq calls. # No base64, plain values preserved (including newlines). No repeated per-key decrypts or yq calls.
@@ -143,8 +144,6 @@ readonly -f ciss_secrets_wiper
# ERR_MISSING_AGE_KEY: on failure # ERR_MISSING_AGE_KEY: on failure
####################################### #######################################
yaml_secret() { yaml_secret() {
# TODO: Remove debug echos
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare -r SOPS_AGE_KEY_FILE="${CISS_SECRETS_AGE}" declare -r SOPS_AGE_KEY_FILE="${CISS_SECRETS_AGE}"
declare -a __names=() declare -a __names=()
@@ -155,8 +154,7 @@ yaml_secret() {
__umask=$(umask) __umask=$(umask)
umask 0077 umask 0077
# TODO: guard_trace on guard_trace on
#guard_trace on
secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_if}")" || secrets_encrypted="false" secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_if}")" || secrets_encrypted="false"
do_log "debug" "file_only" "1256() 'secrets_encrypted' according to secrets.x_files: '${secrets_encrypted}'." do_log "debug" "file_only" "1256() 'secrets_encrypted' according to secrets.x_files: '${secrets_encrypted}'."
@@ -209,6 +207,8 @@ yaml_secret() {
# shellcheck disable=SC1091 source=./${__SECRETS} # shellcheck disable=SC1091 source=./${__SECRETS}
source "${__SECRETS}" source "${__SECRETS}"
ciss_secrets_wiper "${__SECRETS}"
# shellcheck disable=SC2312 # shellcheck disable=SC2312
mapfile -t __names < <(printf '%s\n' "${!secrets_@}") mapfile -t __names < <(printf '%s\n' "${!secrets_@}")
@@ -216,33 +216,30 @@ yaml_secret() {
### Keep only *_value variables ### Keep only *_value variables
[[ "${__name}" == *_value ]] || continue [[ "${__name}" == *_value ]] || continue
echo "__name ${__name}"
### Validate strict Bash identifier (defensive: strip accidental CR). ### Validate strict Bash identifier (defensive: strip accidental CR).
__name="${__name%$'\r'}" __name="${__name%$'\r'}"
[[ "${__name}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || continue [[ "${__name}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || continue
echo "__name ${__name}"
### Only read if actually set; indirect check without triggering nounset. ### Only read if actually set; indirect check without triggering nounset.
if [[ -n "${!__name+x}" ]]; then if [[ -n "${!__name+x}" ]]; then
__val="${!__name}" __val="${!__name}"
echo "__val ${__val}"
else else
__val="" __val=""
echo "__val ${__val}"
fi fi
### Strip suffix/prefix for the map key. ### Strip suffix/prefix for the map key.
__base="${__name%_value}" __base="${__name%_value}"
echo "__base ${__base}"
__path_wo_prefix="${__base#secrets_}" __path_wo_prefix="${__base#secrets_}"
echo "__path_wo_prefix ${__path_wo_prefix}"
### Canonical CISS name. ### Canonical CISS name.
__varname="$(ciss_secret_varname_from_path "${__path_wo_prefix}")" __varname="$(ciss_secret_varname_from_path "${__path_wo_prefix}")"
echo "__varname ${__varname}"
# Assign verbatim (preserves newlines) ### Assign verbatim (preserves newlines).
unset -v "${__varname}" unset -v "${__varname}"
declare -g "${__varname}" declare -g "${__varname}"
printf -v "${__varname}" '%s' "${__val}" printf -v "${__varname}" '%s' "${__val}"
@@ -253,16 +250,14 @@ yaml_secret() {
### Hygiene: remove the intermediate variables to reduce secret surface, e.g., unset 'secrets_*_value' after transfer. ### Hygiene: remove the intermediate variables to reduce secret surface, e.g., unset 'secrets_*_value' after transfer.
for __name in "${__names[@]}"; do for __name in "${__names[@]}"; do
unset -v "${__name}" unset -v "${__name}"
done done
umask "${__umask}" umask "${__umask}"
echo "Inside 1256()" guard_trace off
sleep 60
# TODO: guard_trace off
#guard_trace off
guard_dir; return 0 guard_dir; return 0
} }

41
lib/cdi_0100_arg/0105_arg_nuke_converter.sh → func/cdi_1250_yaml/1257_yaml_xnuke.sh
View File

@@ -15,18 +15,21 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
####################################### #######################################
# Generates 'nuke=HASH' Bootparameter. # Generates 'nuke=HASH' Bootparameter.
# Globals: # Globals:
# CISS_SECRET_LUKS_NUKE
# DIR_CNF # DIR_CNF
# VAR_NUKE_HASH # VAR_NUKE_HASH
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
# 0: on success # 0: on success
# ERR_GENERATE_SALT # ERR_GENERATE_SALT: on failure
# ERR_READ_NUKE_FILE
####################################### #######################################
nuke_passphrase() { nuke_passphrase() {
declare -r var_nuke_pwd_file="${DIR_CNF}/password_luks_nuke.txt" #guard_trace on
declare var_temp_nuke_hash="" var_temp_plain_nuke_pwd="" var_salt="" var_nuke_rounds=""
### Declare Arrays, HashMaps, and Variables.
declare var_nuke_pwd="${CISS_SECRET_LUKS_NUKE}"
declare var_temp_nuke_hash="" var_salt="" var_nuke_rounds=""
# shellcheck disable=SC2312 # shellcheck disable=SC2312
var_nuke_rounds="$( var_nuke_rounds="$(
@@ -40,30 +43,34 @@ nuke_passphrase() {
' "${DIR_CNF}/partitioning.yaml" | head -n1 ' "${DIR_CNF}/partitioning.yaml" | head -n1
)" )"
[[ ! -f "${var_nuke_pwd_file}" ]] && return 0 [[ -z "${var_nuke_pwd}" ]] && return 0
guard_trace on
if ! read_password_file "${var_nuke_pwd_file}" var_temp_plain_nuke_pwd; then
return "${ERR_READ_NUKE_FILE}"
fi
guard_trace off
if ! var_salt="$(generate_salt)"; then if ! var_salt="$(generate_salt)"; then
return "${ERR_GENERATE_SALT}" return "${ERR_GENERATE_SALT}"
fi fi
var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${var_nuke_rounds:-8388608}" "${var_nuke_pwd}")
guard_trace on
var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${var_nuke_rounds:-8388608}" "${var_temp_plain_nuke_pwd}")
guard_trace off
declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}" declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}"
unset var_temp_nuke_hash var_temp_plain_nuke_pwd
echo "Inside 1257"
echo "CISS_SECRET_LUKS_NUKE: ${CISS_SECRET_LUKS_NUKE}"
unset var_temp_nuke_hash var_nuke_pwd CISS_SECRET_LUKS_NUKE
do_log "debug" "file_only" "0105() NUKE hash starts with: [${VAR_NUKE_HASH:0:32}...]" do_log "debug" "file_only" "0105() NUKE hash starts with: [${VAR_NUKE_HASH:0:32}...]"
#guard_trace off
echo "Inside 1257"
sleep 60
guard_dir; return 0 guard_dir; return 0
} }
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f nuke_passphrase
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

1
meta_loader_func.sh
View File

@@ -29,6 +29,7 @@ source_guard "./func/cdi_1250_yaml/1250_yaml_parser.sh"
source_guard "./func/cdi_1250_yaml/1251_yaml_reader.sh" source_guard "./func/cdi_1250_yaml/1251_yaml_reader.sh"
source_guard "./func/cdi_1250_yaml/1252_yaml_validator.sh" source_guard "./func/cdi_1250_yaml/1252_yaml_validator.sh"
source_guard "./func/cdi_1250_yaml/1256_yaml_xfiles.sh" source_guard "./func/cdi_1250_yaml/1256_yaml_xfiles.sh"
source_guard "./func/cdi_1250_yaml/1257_yaml_xnuke.sh"
### cdi_3200_partitioning ### cdi_3200_partitioning
source_guard "./func/cdi_3200_partitioning/3200_partitioning.sh" source_guard "./func/cdi_3200_partitioning/3200_partitioning.sh"

1
meta_loader_lib.sh
View File

@@ -42,7 +42,6 @@ source_guard "./lib/cdi_0100_arg/0101_arg_sanitizer.sh"
source_guard "./lib/cdi_0100_arg/0102_arg_parser.sh" source_guard "./lib/cdi_0100_arg/0102_arg_parser.sh"
source_guard "./lib/cdi_0100_arg/0103_arg_priority_check.sh" source_guard "./lib/cdi_0100_arg/0103_arg_priority_check.sh"
source_guard "./lib/cdi_0100_arg/0104_arg_passphrase_modules.sh" source_guard "./lib/cdi_0100_arg/0104_arg_passphrase_modules.sh"
source_guard "./lib/cdi_0100_arg/0105_arg_nuke_converter.sh"
source_guard "./lib/cdi_0110_interactive/0110_dialog_kernel.sh" source_guard "./lib/cdi_0110_interactive/0110_dialog_kernel.sh"
source_guard "./lib/cdi_0110_interactive/0115_dialog_notes.sh" source_guard "./lib/cdi_0110_interactive/0115_dialog_notes.sh"