V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-06-25 19:43:29 +02:00
parent 1cf1e6d487
commit 8bf1ac8835
19 changed files with 178 additions and 110 deletions
--- a/.preseed/preseed.yaml
+++ b/.preseed/preseed.yaml
@@ -14,11 +14,10 @@
 ### Master V8.00.000.2025.06.17
 ### YAML specification: 1.2
 ### You MUST NOT change anything between START and
 installer:
  name: "CISS.debian.installer"
  version: "V8.00.000.2025.06.17"
-### END
+  log: "info"
 ###########################################################################################
 # APT settings                                                                            #
--- a/ciss_debian_installer.sh
+++ b/ciss_debian_installer.sh
@@ -42,12 +42,12 @@
 ### SOURCING MUST SET EARLY VARIABLES AND GUARD_SOURCING()
 . ./var/early.var.sh
-. ./lib/1007_guard_sorucing.sh
+. ./lib/1007_guard_sourcing.sh
 ### CHECK FOR CONTACT, HELP, AND VERSION STRING
 for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/1001_contact.sh; contact; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/1000_usage.sh; usage; exit 0;; esac; done
-for arg in "$@"; do case "${arg,,}" in -v|--version) printf "\e[95mCISS.debian.installer Version: %s\e[0m\n" "${VAR_VERSION}"; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/1002_version.sh; version; exit 0;; esac; done
 ### ALL CHECKS DONE. READY TO START THE SCRIPT
 declare -grx VAR_SETUP="true"
--- a/func/2010_validation_ip.sh
+++ b/func/2010_validation_ip.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # IPv4 validation.
 # Globals:
--- a/func/2015_helper_modules.sh
+++ b/func/2015_helper_modules.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Wrapper for executing commands in the desired chroot environment.
 # Globals:
--- a/func/2020_logging_modules.sh
+++ b/func/2020_logging_modules.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Log level values for comparison.
 # Arguments:
--- a/func/2030_check_nic.sh
+++ b/func/2030_check_nic.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Specify the NIC interactively for setup.
 # Globals:
--- a/func/2040_grub_helper.sh
+++ b/func/2040_grub_helper.sh
@@ -13,6 +13,8 @@
 ### Options in "VAR_GRUB_CMDLINE_LINUX" are always effective.
 ### Options in "VAR_GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
 guard_sourcing
 #######################################
 # Helper module to extract the current GRUB CMDLINE strings.
 # Globals:
--- a/func/2050_yaml_parser.sh
+++ b/func/2050_yaml_parser.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Parsing './.preseed/preseed.yaml'.
 # Globals:
--- a/func/2051_yaml_reader.sh
+++ b/func/2051_yaml_reader.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Reading and extracting variables from "${PRESEED}".
 # Globals:
--- a/func/2056_validation_preseed.sh
+++ b/func/2056_validation_preseed.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Validate all preseed network variables (IPv4 & IPv6)
 # Arguments:
--- a/func/3200_partitioning.sh
+++ b/func/3200_partitioning.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Function that generates each partition on each device according to the chosen recipe string.
 # Globals:
--- a/func/3220_partition_encryption.sh
+++ b/func/3220_partition_encryption.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Function to encrypt the respective partition on each device according to the chosen recipe string.
 # Globals:
--- a/func/3240_partition_formatting.sh
+++ b/func/3240_partition_formatting.sh
@@ -10,9 +10,17 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
-###########################################################################################
+#######################################
 # Function to format the respective partition on each device according to the recipe string chosen.
 # Globals:
 #   DIR_LOG
 #   VAR_RECIPE_STRING
 #   VAR_SETUP_PART
 # Arguments:
 #   None
 #######################################
 partition_formatting() {
  ### Declare Arrays and Variables.
  declare var_dev var_part \
--- a/func/3260_setup_filesystem.sh
+++ b/func/3260_setup_filesystem.sh
@@ -0,0 +1,73 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 ###########################################################################################
 # Function to prepare the filesystem to mount each partition on the respective path.
 # Globals:
 #   MAP_MOUNTPATH_DEV
 #   MODULE_ERR
 #   MODULE_TXT
 #   RECIPE_DEV_PARTITIONS
 #   RECIPE_STRING
 # Arguments:
 #   None
 ###########################################################################################
 setup_filesystem() {
  ### Declare Arrays and Variables.
  declare -Ag HMP_MOUNTPATH_DEV
  declare var_dev var_part var_encryption_enable var_encryption_label var_mount_enable var_mount_path
  ### Iterate over all devices in the recipe.
  for var_dev in $(yq e ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}"); do
    ### Iterate over all partitions for this device.
    for var_part in $(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}"); do
      ### Extract parameters from YAML.
      var_encryption_enable=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.enable" "${VAR_SETUP_PART}")
      var_encryption_label=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.label"   "${VAR_SETUP_PART}")
      var_mount_enable=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.enable"           "${VAR_SETUP_PART}")
      var_mount_path=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.path"               "${VAR_SETUP_PART}")
      if [[ "${var_mount_enable,,}" == "true" ]]; then
        if [[ -n "${var_mount_path}" ]]; then
          if [[ "${var_encryption_enable,,}" == "true" && "${var_mount_path}" != "SWAP" && "${var_mount_path}" != "/tmp" ]]; then
            ### Encrypted partition
            HMP_MOUNTPATH_DEV["${var_mount_path}"]="/dev/mapper/${var_encryption_label}"
            do_log "info" "false" "Saved in HashMap MAP_MOUNTPATH_DEV: '${MOUNT_PATH}' -> '${HMP_MOUNTPATH_DEV["${MOUNT_PATH}"]}'"
      elif     [[ ${ENCRYPTION_ENABLE,,} == "false" && ${MOUNT_PATH} != "SWAP" && ${MOUNT_PATH} != "/tmp" ]]; then
            # Unencrypted partition
            HMP_MOUNTPATH_DEV["${MOUNT_PATH}"]="/dev/${DEV}${PARTITION}"
            do_log "info" "false" "Saved in HashMap MAP_MOUNTPATH_DEV: '${MOUNT_PATH}' -> '${HMP_MOUNTPATH_DEV["${MOUNT_PATH}"]}'"
      else
            do_log "error" "false" "Invalid value for encryption_enable: '${ENCRYPTION_ENABLE}', should be either true or false."
      fi
    fi
  fi
 done
  done
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/1001_contact.sh
+++ b/lib/1001_contact.sh
@@ -11,28 +11,31 @@
 # SPDX-Security-Contact: security@coresecret.eu
 #######################################
-# Contact Wrapper 'CISS.debian.installer'.
+# Contact Wrapper 'CISS.debian.installer.'
 # Globals:
 #   none
 # Arguments:
-#   None
+#   none
 #######################################
 contact() {
  clear
  cat << EOF
-$(echo -e "\e[92mCISS.debian.installer\e[0m")
+$(echo -e "\e[97m################################################################################ \e[0m")
-$(echo -e "\e[92mMaster V8.00.000.2025.06.17\e[0m")
+$(echo -e "\e[92m  CISS.debian.installer from https://git.coresecret.dev/msw \e[0m")
-$(echo -e "\e[92mA powerful Debian installer for setting up a hardened Debian environment.\e[0m")
+$(echo -e "\e[92m  Provides a fully automated and hardened installation process.\e[0m")
-$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
+$(echo -e "\e[97m  (c) Marc S. Weidner, 2018 - 2025 \e[0m")
-$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
+$(echo -e "\e[97m  (p) Centurion Press, 2024 - 2025 \e[0m")
-$(echo -e "\e[95m💬 Contact:\e[0m")
+$(echo -e "\e[95m  💬 Contact:               \e[0m")
-$(echo -e "\e[95m🌐 https://coresecret.eu/ \e[0m")
+$(echo -e "\e[95m  🌐 https://coresecret.eu/ \e[0m")
-$(echo -e "\e[95m📧 security@coresecret.eu \e[0m")
+$(echo -e "\e[95m  📧 security@coresecret.eu \e[0m")
-$(echo -e "\e[95m🔑 PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD \e[0m")
+$(echo -e "\e[95m  🔑 PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD \e[0m")
-$(echo -e "\e[95m🔗 https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD \e[0m")
+$(echo -e "\e[95m  🔗 https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD \e[0m")
-$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
+$(echo -e "\e[95m  💷 Please consider donating to my work at: \e[0m")
-$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/         \e[0m")
+$(echo -e "\e[95m  🌐 https://coresecret.eu/spenden/          \e[0m")
 $(echo -e "\e[97m################################################################################ \e[0m")
 EOF
 }
--- a/lib/1002_version.sh
+++ b/lib/1002_version.sh
@@ -0,0 +1,52 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 #######################################
 # Version Wrapper 'CISS.debian.installer.'
 # Globals:
 #   VAR_VERSION
 # Arguments:
 #   None
 #######################################
 version() {
  # shellcheck disable=SC2155
  declare -r var_repo_ver="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
  # shellcheck disable=SC2155
  declare -r var_ds_ver="$(debootstrap --version)"
  # shellcheck disable=SC2155
  declare -r var_host="$(uname -n)"
  # shellcheck disable=SC2155
  declare -r var_bash_ver="$(bash --version | head -n1 | awk '{print $4" "$5" "$6}')"
  clear
  cat << EOF
 $(echo -e "\e[97m################################################################################ \e[0m")
 $(echo -e "\e[92m  CISS.debian.installer from https://git.coresecret.dev/msw \e[0m")
 $(echo -e "\e[92m  Provides a fully automated and hardened installation process.\e[0m")
  Version : ${VAR_VERSION}
  Git     : ${var_repo_ver}
 $(echo -e "\e[97m  This program is free software. Distribution and modification under  \e[0m")
 $(echo -e "\e[97m  EUPL-1.2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! \e[0m")
  Please file bugs @
 $(echo -e "\e[95m  https://git.coresecret.dev/msw/CISS.debian.live.builder/issues \e[0m")
 $(echo -e "\e[97m################################################################################\e[0m")
  Using   : debootstrap (${var_ds_ver})
  on      : ${var_host}
  Bash    : ${var_bash_ver}
 EOF
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/1007_guard_sourcing.sh
+++ b/lib/1007_guard_sourcing.sh
--- a/source/func/3.6.0.functions_installation_setup_filesystem.sh
+++ b/source/func/3.6.0.functions_installation_setup_filesystem.sh
@@ -1,90 +0,0 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
 # SPDX-PackageName: CISS.2025.hardened.installer
 # SPDX-Security-Contact: security@coresecret.eu
 ###########################################################################################
 # 3.6.0. Functions - installation - setup filesystem                                      #
 ###########################################################################################
 ###########################################################################################
 # Function to prepare the filesystem to mount each partition on the respective path.
 # Globals:
 #   MAP_MOUNTPATH_DEV
 #   MODULE_ERR
 #   MODULE_TXT
 #   RECIPE_DEV_PARTITIONS
 #   RECIPE_STRING
 # Arguments:
 #   None
 ###########################################################################################
 3_6_0_functions_installation_setup_filesystem() {
  declare -g -x MODULE_ERR="3_6_0_functions_installation_setup_filesystem"
  declare -g -x MODULE_TXT="Prepare filesystem to mount each partition on the respective path"
  do_show_header "${MODULE_TXT}"
  # Declare local variables
  declare DEV
  declare NUM_PARTITIONS
  declare PARTITION
  # Iterate through each device
  for DEV in "${!RECIPE_DEV_PARTITIONS[@]}"; do
    NUM_PARTITIONS=${RECIPE_DEV_PARTITIONS[${DEV}]}
    # Iterate through each partition of the current device
    for PARTITION in $(seq 1 "${NUM_PARTITIONS}"); do
      # Generate vars for the current partition
      declare MOUNT_ENABLE_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_mount_enable"
      declare MOUNT_PATH_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_mount_path"
      declare ENCRYPTION_ENABLE_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_enable"
      declare ENCRYPTION_LABEL_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_label"
      # Initialize variables
      declare MOUNT_ENABLE=${!MOUNT_ENABLE_VAR}
      declare MOUNT_PATH=${!MOUNT_PATH_VAR}
      declare ENCRYPTION_ENABLE=${!ENCRYPTION_ENABLE_VAR}
      declare ENCRYPTION_LABEL=${!ENCRYPTION_LABEL_VAR}
      # Proceed if and only if "mount_enable" equals "true".
      if [[ ${MOUNT_ENABLE,,} == "true" ]]; then
        if [[ -n ${MOUNT_PATH} ]]; then
          if [[ ${ENCRYPTION_ENABLE,,} == "true" && ${MOUNT_PATH} != "SWAP" && ${MOUNT_PATH} != "/tmp" ]]; then
            # Encrypted partition
            MAP_MOUNTPATH_DEV["${MOUNT_PATH}"]="/dev/mapper/${ENCRYPTION_LABEL}"
            do_log "info" "false" "Saved in HashMap MAP_MOUNTPATH_DEV: '${MOUNT_PATH}' -> '${MAP_MOUNTPATH_DEV["${MOUNT_PATH}"]}'"
      elif     [[ ${ENCRYPTION_ENABLE,,} == "false" && ${MOUNT_PATH} != "SWAP" && ${MOUNT_PATH} != "/tmp" ]]; then
            # Unencrypted partition
            MAP_MOUNTPATH_DEV["${MOUNT_PATH}"]="/dev/${DEV}${PARTITION}"
            do_log "info" "false" "Saved in HashMap MAP_MOUNTPATH_DEV: '${MOUNT_PATH}' -> '${MAP_MOUNTPATH_DEV["${MOUNT_PATH}"]}'"
      else
            do_log "error" "false" "Invalid value for encryption_enable: '${ENCRYPTION_ENABLE}', should be either true or false."
      fi
    fi
  fi
 done
  done
  do_show_footer
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
--- a/var/global.var.sh
+++ b/var/global.var.sh
@@ -86,7 +86,10 @@ declare -Ag HMP_ENCRYPTIONLABEL_UUID
  ### HMP_MOUNTPATH_ENCRYPTIONLABEL["${var_mount_path}"]="${var_encryption_label}"
 declare -Ag HMP_MOUNTPATH_ENCRYPTIONLABEL
-
+### 3260_setup_filesystem.sh
  ### Assoziative Array (HashMap) to store Crypt Mapper for each Mount Path
  ### HMP_MOUNTPATH_DEV["${var_mount_path}"]="/dev/mapper/${var_encryption_label}"
 declare -Ag HMP_MOUNTPATH_DEV