V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
2025-07-24 23:01:23 +02:00
parent 1983e0229f
commit c026d9a324
48 changed files with 269 additions and 284 deletions


@@ -10,10 +10,6 @@
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.8.9. Functions - installation - wrapper recovery #
###########################################################################################
###########################################################################################
# Wrapper to check if recovery partition is selected and if so, proceed with setup of recovery OS.
# Globals:
@@ -23,10 +19,7 @@
# Arguments:
# None
###########################################################################################
3_8_9_functions_installation_wrapper_recovery() {
declare -g -x MODULE_ERR="3_8_9_functions_installation_wrapper_recovery"
declare -g -x MODULE_TXT="Wrapper recovery partition"
do_show_header "${MODULE_TXT}"
wrapper_recovery() {
declare FOUND="false"
declare MOUNT_PATH=""
@@ -44,7 +37,5 @@
3_9_0_functions_installation_setup_recovery
3_9_1_functions_installation_generate_files_recovery
fi
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
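Review bot: The module-attribution globals `MODULE_ERR` and `MODULE_TXT` appear to be among the three lines the `@@ -23,10 +19,7 @@` hunk drops without adding any (inferred from the hunk counts; this rendered page does not show which side each line is on), and nothing visible sets them afterwards. If those `declare -g -x` lines are gone, an error path that reports `${MODULE_ERR}` while the recovery wrapper runs will name whichever module set it last, which misattributes failures in the installer log. Either keep `declare -g -x MODULE_ERR="3_8_9_functions_installation_wrapper_recovery"` at the top of the function, or state in the header comment which caller now owns `MODULE_ERR`/`MODULE_TXT`. The body of `wrapper_recovery` between the second and third hunk is outside the visible context.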


@@ -10,10 +10,6 @@
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.9.0. Functions - installation - setup recovery #
###########################################################################################
###########################################################################################
# Mounting '/dev/mapper/crypt_rescue', debootstrap recovery partition, preparing chroot.
# Globals:
@@ -26,10 +22,7 @@
# Arguments:
# None
###########################################################################################
3_9_0_functions_installation_setup_recovery() {
declare -g -x MODULE_ERR="3_9_0_functions_installation_setup_recovery"
declare -g -x MODULE_TXT="Setup recovery partition"
do_show_header "${MODULE_TXT}"
setup_recovery() {
# The '/dev/mapper/crypt_rescue' partition is not mounted by the installation script by default,
# as it is not required to be automatically mounted by the production system via '/etc/crypttab' and '/etc/fstab'.
@@ -37,9 +30,9 @@
# Debootstrap for a minimalistic Debian OS.
if debootstrap --arch amd64 bookworm "${RECOVERY}" https://deb.debian.org/debian; then
do_log "info" "false" "Executing 'debootstrap --arch amd64 bookworm '${RECOVERY}' https://deb.debian.org/debian' successful."
do_log "info" "file_only" "Executing 'debootstrap --arch amd64 bookworm '${RECOVERY}' https://deb.debian.org/debian' successful."
else
do_log "emergency" "false" "Executing 'debootstrap --arch amd64 bookworm '${RECOVERY}' https://deb.debian.org/debian' NOT successful."
do_log "emergency" "file_only" "Executing 'debootstrap --arch amd64 bookworm '${RECOVERY}' https://deb.debian.org/debian' NOT successful."
exit "${ERR_DE_BOOT_STRAP}"
fi
@@ -52,37 +45,37 @@
# Prepare the freshly installed Debian OS recovery system for further setup.
if mount --make-rslave --rbind /proc "${RECOVERY}"/proc; then
do_log "info" "true" "'mount --make-rslave --rbind /proc ${RECOVERY}/proc'."
do_log "info" "file_only" "'mount --make-rslave --rbind /proc ${RECOVERY}/proc'."
else
do_log "emergency" "true" "Failed: 'mount --make-rslave --rbind /proc ${RECOVERY}/proc'."
do_log "emergency" "file_only" "Failed: 'mount --make-rslave --rbind /proc ${RECOVERY}/proc'."
exit "${ERR_CHROOT_MOUNTS}"
fi
if mount --make-rslave --rbind /sys "${RECOVERY}"/sys; then
do_log "info" "true" "'mount --make-rslave --rbind /sys ${RECOVERY}/sys'."
do_log "info" "file_only" "'mount --make-rslave --rbind /sys ${RECOVERY}/sys'."
else
do_log "emergency" "true" "Failed: 'mount --make-rslave --rbind /sys ${RECOVERY}/sys'."
do_log "emergency" "file_only" "Failed: 'mount --make-rslave --rbind /sys ${RECOVERY}/sys'."
exit "${ERR_CHROOT_MOUNTS}"
fi
if mount --make-rslave --rbind /dev "${RECOVERY}"/dev; then
do_log "info" "true" "'mount --make-rslave --rbind /dev ${RECOVERY}/dev'."
do_log "info" "file_only" "'mount --make-rslave --rbind /dev ${RECOVERY}/dev'."
else
do_log "emergency" "true" "Failed: 'mount --make-rslave --rbind /dev ${RECOVERY}/dev'."
do_log "emergency" "file_only" "Failed: 'mount --make-rslave --rbind /dev ${RECOVERY}/dev'."
exit "${ERR_CHROOT_MOUNTS}"
fi
if mount --make-rslave --rbind /run "${RECOVERY}"/run; then
do_log "info" "true" "'mount --make-rslave --rbind /run ${RECOVERY}/run'."
do_log "info" "file_only" "'mount --make-rslave --rbind /run ${RECOVERY}/run'."
else
do_log "emergency" "true" "Failed: 'mount --make-rslave --rbind /run ${RECOVERY}/run'."
do_log "emergency" "file_only" "Failed: 'mount --make-rslave --rbind /run ${RECOVERY}/run'."
exit "${ERR_CHROOT_MOUNTS}"
fi
if do_in_target "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
do_log "info" "true" "Command: 'mkdir -p /etc/systemd/system/multi-user.target.wants' executed in: '${RECOVERY}'."
do_log "info" "file_only" "Command: 'mkdir -p /etc/systemd/system/multi-user.target.wants' executed in: '${RECOVERY}'."
else
do_log "emergency" "true" "Failed: Command: 'mkdir -p /etc/systemd/system/multi-user.target.wants' executed in: '${RECOVERY}'."
do_log "emergency" "file_only" "Failed: Command: 'mkdir -p /etc/systemd/system/multi-user.target.wants' executed in: '${RECOVERY}'."
fi
do_show_footer "${MODULE_TXT}"
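Review bot: The `do_in_target "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants` line runs the command in the production target, while both log branches of that block claim it was executed in `${RECOVERY}` and every other command in this hunk prepares the recovery chroot; if the recovery tree is the intended root it should read `do_in_target "${RECOVERY}" mkdir -p /etc/systemd/system/multi-user.target.wants`, otherwise the log messages should name `${TARGET}`. That block's failure branch also only logs at emergency level and falls through to `do_show_footer`, unlike the four mount blocks above it that `exit "${ERR_CHROOT_MOUNTS}"`, so a missing wants directory would only surface later as a unit that never gets enabled. Each mount failure exits while the earlier `--rbind` mounts of /proc, /sys, /dev and /run stay bound under `${RECOVERY}`; an EXIT trap that runs `umount -R "${RECOVERY}"/{run,dev,sys,proc}` on the error path would leave the host in a known state. setup_recovery's body begins outside this hunk.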


@@ -10,10 +10,6 @@
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.9.1. Functions - installation - generate files recovery #
###########################################################################################
###########################################################################################
# Generates '${RECOVERY}/etc/crypttab' and '${RECOVERY}/etc/fstab' files for recovery partition.
# Globals:
@@ -21,10 +17,7 @@
# Arguments:
# None
###########################################################################################
3_9_1_functions_installation_generate_files_recovery() {
declare -g -x MODULE_ERR="3_9_1_functions_installation_generate_files_recovery"
declare -g -x MODULE_TXT="Generate 'fstab' and 'crypttab' for recovery partition"
do_show_header "${MODULE_TXT}"
generate_files_recovery() {
### BLOCK '${RECOVERY}/etc/crypttab'
@@ -62,7 +55,7 @@ EOF
echo "# ${KEY} was on /dev/mapper/${MAP_PATH_CRYPT["${KEY}"]} during installation" >> "${RECOVERY}"/etc/crypttab
echo "${MAP_PATH_CRYPT["${KEY}"]} UUID=${MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]} none luks,discard" >> "${RECOVERY}"/etc/crypttab
echo "" >> "${RECOVERY}"/etc/crypttab
do_log "info" "false" "crypttab entry generated: '${MAP_PATH_CRYPT["${KEY}"]} UUID=${MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]} none luks,discard'."
do_log "info" "file_only" "crypttab entry generated: '${MAP_PATH_CRYPT["${KEY}"]} UUID=${MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]} none luks,discard'."
# TODO: Update loop to iterate thru dynamic number of ephemeral drives.
# Generate '${RECOVERY}/etc/crypttab' special ephemeral entries.
@@ -80,7 +73,7 @@ EOF
# TODO: Change static 'LABEL=' to dynamic extraction of partitioning.yaml 'recipe_..._filesystem_label' recipe string.
echo "${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=SWAP /dev/random swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096" >> "${RECOVERY}"/etc/crypttab
echo "" >> "${RECOVERY}"/etc/crypttab
do_log "info" "false" "'${RECOVERY}/etc/crypttab' entry generated: '${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=SWAP /dev/random swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096'."
do_log "info" "file_only" "'${RECOVERY}/etc/crypttab' entry generated: '${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=SWAP /dev/random swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096'."
elif [[ ${KEY} == "/tmp" ]]; then
@@ -89,11 +82,11 @@ EOF
# TODO: Change static 'LABEL=' to dynamic extraction of partitioning.yaml 'recipe_..._filesystem_label' recipe string.
echo "${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=ext4_tmp /dev/random offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4" >> "${RECOVERY}"/etc/crypttab
echo "" >> "${RECOVERY}"/etc/crypttab
do_log "info" "false" "'${RECOVERY}/etc/crypttab' entry generated: '${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=ext4_tmp /dev/random offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4'."
do_log "info" "file_only" "'${RECOVERY}/etc/crypttab' entry generated: '${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=ext4_tmp /dev/random offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4'."
else
do_log "info" "true" "${RECOVERY}/etc/crypttab (This message should never get printed.)"
do_log "info" "file_only" "${RECOVERY}/etc/crypttab (This message should never get printed.)"
fi
@@ -203,7 +196,7 @@ EOF
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "${MAP_MOUNTPATH_DEV[${KEY}]} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 1" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: '${MAP_MOUNTPATH_DEV[${KEY}]} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 1'."
do_log "info" "file_only" "fstab entry generated: '${MAP_MOUNTPATH_DEV[${KEY}]} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 1'."
elif [[ ${FILESYSTEM_VERSION} == "ext4" ]]; then
@@ -212,7 +205,7 @@ EOF
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "${MAP_MOUNTPATH_DEV[${KEY}]} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 1" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: '${MAP_MOUNTPATH_DEV[${KEY}]} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 1'."
do_log "info" "file_only" "fstab entry generated: '${MAP_MOUNTPATH_DEV[${KEY}]} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 1'."
else
@@ -230,7 +223,7 @@ EOF
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 2'."
do_log "info" "file_only" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 2'."
elif [[ ${FILESYSTEM_VERSION} == "ext4" ]]; then
@@ -239,7 +232,7 @@ EOF
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 2'."
do_log "info" "file_only" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 2'."
else
@@ -256,7 +249,7 @@ EOF
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} vfat umask=0077 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} vfat umask=0077 0 2'."
do_log "info" "file_only" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} vfat umask=0077 0 2'."
else
@@ -339,7 +332,7 @@ EOF
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 2'."
do_log "info" "file_only" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 2'."
elif [[ ${FILESYSTEM_VERSION} == "ext4" ]]; then
@@ -348,7 +341,7 @@ EOF
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 2'."
do_log "info" "file_only" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 2'."
else
@@ -364,7 +357,7 @@ EOF
echo "# /media/cdrom0 was on /dev/sr0 during installation" >> "${TARGET}"/etc/fstab
echo "/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: '/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0'."
do_log "info" "file_only" "fstab entry generated: '/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0'."
# Add entry for proc and tmpfs device
# shellcheck disable=2129
@@ -372,8 +365,8 @@ EOF
echo "proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0" >> "${TARGET}"/etc/fstab
echo "tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,relatime,size=1G 0 0" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: 'proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0'."
do_log "info" "false" "fstab entry generated: 'tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,relatime,size=1G 0 0'."
do_log "info" "file_only" "fstab entry generated: 'proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0'."
do_log "info" "file_only" "fstab entry generated: 'tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,relatime,size=1G 0 0'."
# TODO: flexible 'SWAP' entry, not only ephemeral SWAP.
# Add entry for SWAP device
@@ -382,7 +375,7 @@ EOF
echo "##### Added by CISS.2025.debian.installer" >> "${TARGET}"/etc/fstab
echo "${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} none swap defaults 0 0" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} none swap defaults 0 0'."
do_log "info" "file_only" "fstab entry generated: '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} none swap defaults 0 0'."
# TODO: flexible '/tmp' entry, not only ephemeral SWAP.
# Add entry for '/tmp' device
@@ -391,7 +384,7 @@ EOF
echo "##### Added by CISS.2025.debian.installer" >> "${TARGET}"/etc/fstab
echo "${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} /tmp ext4 defaults,rw,nodev,nosuid,relatime 0 0" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} /tmp ext4 defaults,rw,nodev,nosuid,relatime 0 0'."
do_log "info" "file_only" "fstab entry generated: '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} /tmp ext4 defaults,rw,nodev,nosuid,relatime 0 0'."
# TODO: END: BLOCK "${RECOVERY}"/etc/fstab
# TODO: complete this block
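Review bot: Every fstab entry from the `@@ -203,7 +196,7 @@` hunk through the `/tmp` entry here is appended to `"${TARGET}"/etc/fstab`, while the file header, the crypttab lines earlier in this section (which write to `"${RECOVERY}"/etc/crypttab`) and the `# TODO: END: BLOCK "${RECOVERY}"/etc/fstab` marker all say this block generates the recovery partition's fstab. If the recovery tree is the intended destination, each of those redirections should read `>> "${RECOVERY}"/etc/fstab`; as written, the recovery OS is left without its own fstab and the production fstab receives a second set of entries, including the `proc`/`tmpfs` lines that are only `# shellcheck disable=2129` grouped. In the `@@ -62,7 +55,7 @@` hunk the crypttab entry indexes `MAP_PATH_CRYPT` by `${KEY}` but `MAP_UUID_CRYPT` by `${ENCRYPTION_LABEL}`; unless `ENCRYPTION_LABEL` is reassigned per iteration outside the hunk, every mapping gets the same UUID and only one of them will unlock at boot. The loop bodies of generate_files_recovery begin and end outside these hunks.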