msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-06-29 14:48:43 +02:00
parent 4b014e2e65
commit d9cb2402a0
8 changed files with 436 additions and 353 deletions
Download Patch File Download Diff File Expand all files Collapse all files

236
.preseed/partitioning.yaml
View File

@@ -12,35 +12,35 @@ recipe:
guben0afx256r:
active: true
control:
# g=GPT || m=MBR
# u=UEFI || b=BIOS
# b=btrfs || 4=ext4 only
# e=ephemeral "/tmp" and "SWAP" || n=non-ephemeral "/tmp" and "SWAP" (yet not supported)
# n0=non RAID || m6=mdadm RAID6 || m5=mdadm RAID5 || b1=btrfs RAID1
# a="/dev/sda" only setup || b="/dev/sdb" || c="/dev/sdc" and so forth
# f=fixed size || a=automatic size
# x256=size of device in GiB
# r=rescue partition || n=no rescue partition
### g=GPT || m=MBR
### u=UEFI || b=BIOS
### b=btrfs || 4=ext4 only
### e=ephemeral "/tmp" and "SWAP" || n=non-ephemeral "/tmp" and "SWAP" (yet not supported)
### n0=non RAID || m6=mdadm RAID6 || m5=mdadm RAID5 || b1=btrfs RAID1
### a="/dev/sda" only setup || b="/dev/sdb" || c="/dev/sdc" and so forth
### f=fixed size || a=automatic size
### x256=size of device in GiB
### r=rescue partition || n=no rescue partition
description: "Default: CISS 2025 - GPT - BTRFS - Ephemeral - non RAID - 256GiB - rescue"
# MUST be "UEFI" for "gpt" || "BIOS":
### MUST be "UEFI" for "gpt" || "BIOS":
firmware: "UEFI"
# MUST be equal to the second part of the recipe-variables string.
### MUST be equal to the second part of the recipe-variables string.
id: "guben0afx256r"
name: "ciss.2025.gpt.btrfs.ephemeral.non-raid.256GiB.rescue"
# mdadm RAID settings only (not yet supported)
### mdadm RAID settings only (not yet supported)
raid:
enable: false
disks:
member: 4
spare: 1
# Only Level "1", "5", "6" and "10" are supported
### Only Level "1", "5", "6" and "10" are supported
level: 6
# MUST be "gpt" for "UEFI" || "msdos":
### MUST be "gpt" for "UEFI" || "msdos":
table: "gpt"
# Only set to "true" if the recipe is tested by the authors. Otherwise, this is set to "false" by default.
### Only set to "true" if the recipe is tested by the authors. Otherwise, this is set to "false" by default.
syntax: true
# Version of the specific recipe.
version: "1.0.0"
### Version of the specific recipe.
version: "1.1.1"
dev:
sda:
1:
@@ -48,13 +48,13 @@ recipe:
end: "512MiB"
bootable: true
encryption:
# MUST be "false" for "/boot/efi":
### MUST be "false" for "/boot/efi":
enable: false
# MUST be "false" for "/boot/efi":
### MUST be "false" for "/boot/efi":
ephemeral: false
# MUST be "false" for "/boot/efi":
### MUST be "false" for "/boot/efi":
integrity: false
# MUST be "false" for "/boot/efi":
### MUST be "false" for "/boot/efi":
nuke: false
cipher: ""
hash: ""
@@ -65,24 +65,22 @@ recipe:
pbkdf: ""
rng: ""
filesystem:
# btrfs only
btrfs:
checksum: ""
# TODO Level 0 is valid for zstd not for lzo
compress: ""
level: ""
dedup: true
subvolume: ""
snapshot: ""
format: true
label: "ESP"
options: ""
version: "fat32"
mount:
# MUST be "true" for "/boot/efi":
enable: true
options: ""
options: "defaults,nodev,nosuid,noexec,umask=0077"
options_snap: ""
path: "/boot/efi"
# Only valid for filesystem version "btrfs":
subvolume: ""
primary: primary
2:
begin: "512MiB"
@@ -90,39 +88,38 @@ recipe:
bootable: false
encryption:
enable: true
# MUST be "false" for "/boot":
### MUST be "false" for "/boot":
ephemeral: false
# MUST be "false" for "/boot":
### MUST be "false" for "/boot":
integrity: false
# MUST be "false" for "/boot":
nuke: false
nuke: true
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_boot"
metadatasize: "32MiB"
# MUST be "pbkdf" for "/boot":
### MUST be "pbkdf" for "/boot":
pbkdf: "pbkdf"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: ""
compress: ""
level: ""
checksum: "sha256"
compress: "zstd"
level: "7"
dedup: true
subvolume: "@boot"
snapshot: ""
format: true
version: "ext4"
label: "ext4_boot"
version: "btrfs"
label: "btrfs_boot"
options: ""
mount:
# MUST be "true" for "/boot":
### MUST be "true" for "/boot":
enable: true
options: "defaults,nodev,noexec,nosuid,noatime"
options: "defaults,nodev,nosuid,noexec,noatime,compress=no,discard=async,subvol=@boot"
options_snap: ""
path: "/boot"
# Only valid for filesystem version "btrfs":
subvolume: ""
primary: primary
3:
begin: "2GiB"
@@ -142,12 +139,13 @@ recipe:
pbkdf: "argon2id"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: ""
compress: ""
level: ""
dedup: true
subvolume: ""
snapshot: ""
format: true
label: "ext4_rescue"
options: ""
@@ -155,22 +153,21 @@ recipe:
mount:
enable: true
options: "defaults,nodev"
options_snap: ""
path: "/recovery"
# Only valid for filesystem version "btrfs":
subvolume: ""
primary: primary
4:
begin: "6GiB"
end: "8GiB"
bootable: false
encryption:
# MUST be "true" for ephemeral "SWAP":
### MUST be "true" for ephemeral "SWAP":
enable: true
# MUST be "true" for ephemeral "SWAP":
### MUST be "true" for ephemeral "SWAP":
ephemeral: true
# MUST be "false" for ephemeral "SWAP":
### MUST be "false" for ephemeral "SWAP":
integrity: false
# MUST be "false" for ephemeral "SWAP":
### MUST be "false" for ephemeral "SWAP":
nuke: false
cipher: "aes-xts-plain64"
hash: "sha512"
@@ -181,37 +178,37 @@ recipe:
pbkdf: "argon2id"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: ""
compress: ""
level: ""
dedup: true
subvolume: ""
snapshot: ""
format: true
# MUST be "crypt_swap_ephem" for "SWAP":
### MUST be "crypt_swap_ephem" for "SWAP":
label: "crypt_swap_ephem"
options: ""
# MUST be "ext4" for ephemeral "SWAP":
### MUST be "ext4" for ephemeral "SWAP":
version: "ext4"
mount:
enable: true
options: ""
options: "defaults,discard"
options_snap: ""
path: "SWAP"
# Only valid for filesystem version "btrfs":
subvolume: ""
primary: primary
5:
begin: "8GiB"
end: "10GiB"
bootable: false
encryption:
# MUST be "true" for ephemeral "/tmp":
### MUST be "true" for ephemeral "/tmp":
enable: true
# MUST be "true" for ephemeral "/tmp":
### MUST be "true" for ephemeral "/tmp":
ephemeral: true
# MUST be "false" for ephemeral "/tmp":
### MUST be "false" for ephemeral "/tmp":
integrity: false
# MUST be "false" for ephemeral "/tmp":
### MUST be "false" for ephemeral "/tmp":
nuke: false
cipher: "aes-xts-plain64"
hash: "sha512"
@@ -222,24 +219,24 @@ recipe:
pbkdf: "argon2id"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: ""
compress: ""
level: ""
dedup: true
subvolume: ""
snapshot: ""
format: true
# MUST be "crypt_tmp_ephem" for ephemeral "/tmp"
### MUST be "crypt_tmp_ephem" for ephemeral "/tmp"
label: "crypt_tmp_ephem"
options: ""
# MUST be "ext4" for ephemeral "/tmp"
### MUST be "ext4" for ephemeral "/tmp"
version: "ext4"
mount:
enable: true
options: "defaults,rw,nodev,noexec,nosuid,noatime,mode=1777"
options: "defaults,rw,nodev,nosuid,noatime,discard,mode=1777"
options_snap: ""
path: "/tmp"
# Only valid for filesystem version "btrfs":
subvolume: ""
primary: primary
6:
begin: "10GiB"
@@ -248,7 +245,7 @@ recipe:
encryption:
enable: true
ephemeral: false
integrity: true
integrity: false
nuke: true
cipher: "aes-xts-plain64"
hash: "sha512"
@@ -259,23 +256,22 @@ recipe:
pbkdf: "argon2id"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: "sha256"
compress: "zstd"
level: "7"
dedup: true
subvolume: "@"
snapshot: "@root_snap"
format: true
label: "btrfs_root"
options: ""
version: "btrfs"
mount:
# MUST be "true" for "/":
enable: true
options: "defaults,errors=remount-ro,noatime"
options: "defaults,errors=remount-ro,noatime,compress=zstd:7,discard=async,autodefrag,subvol=@"
options_snap: "ro,nodev,nosuid,noexec,nodatacow,subvol=@root_snap"
path: "/"
# Only valid for filesystem version "btrfs":
subvolume: "@"
primary: primary
7:
begin: "42GiB"
@@ -284,7 +280,7 @@ recipe:
encryption:
enable: true
ephemeral: false
integrity: true
integrity: false
nuke: true
cipher: "aes-xts-plain64"
hash: "sha512"
@@ -295,22 +291,22 @@ recipe:
pbkdf: "argon2id"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: "sha256"
compress: "zstd"
level: "7"
dedup: true
subvolume: "@home"
snapshot: "@home_snap"
format: true
label: "btrfs_home"
options: ""
version: "btrfs"
mount:
enable: true
options: "defaults,rw,nodev,nosuid,noatime"
options: "defaults,nodev,nosuid,relatime,compress=zstd:7,discard=async,autodefrag,subvol=@home"
options_snap: "ro,nodev,nosuid,noexec,nodatacow,subvol=@home_snap"
path: "/home"
# Only valid for filesystem version "btrfs":
subvolume: "@home"
primary: primary
8:
begin: "42GiB"
@@ -319,7 +315,7 @@ recipe:
encryption:
enable: true
ephemeral: false
integrity: true
integrity: false
nuke: true
cipher: "aes-xts-plain64"
hash: "sha512"
@@ -330,22 +326,22 @@ recipe:
pbkdf: "argon2id"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: "sha256"
compress: "zstd"
level: "7"
dedup: true
subvolume: "@usr"
snapshot: ""
format: true
label: "btrfs_usr"
options: ""
version: "btrfs"
mount:
enable: true
options: "defaults,rw,nodev,noatime"
options: "defaults,nodev,relatime,compress=zstd:7,discard=async,subvol=@usr"
options_snap: ""
path: "/usr"
# Only valid for filesystem version "btrfs":
subvolume: "@usr"
primary: primary
9:
begin: "126GiB"
@@ -354,7 +350,7 @@ recipe:
encryption:
enable: true
ephemeral: false
integrity: true
integrity: false
nuke: true
cipher: "aes-xts-plain64"
hash: "sha512"
@@ -365,22 +361,22 @@ recipe:
pbkdf: "argon2id"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: "sha256"
compress: "zstd"
level: "7"
dedup: true
subvolume: "@var"
snapshot: "@var_snap"
format: true
label: "btrfs_var"
options: ""
version: "btrfs"
mount:
enable: true
options: "defaults,rw,nodev,nosuid,noatime"
options: "defaults,nodev,nosuid,relatime,compress=zstd:7,discard=async,subvol=@var"
options_snap: "ro,nodev,nosuid,noexec,nodatacow,subvol=@var_snap"
path: "/var"
# Only valid for filesystem version "btrfs":
subvolume: "@var"
primary: primary
10:
begin: "190GiB"
@@ -389,7 +385,7 @@ recipe:
encryption:
enable: true
ephemeral: false
integrity: true
integrity: false
nuke: true
cipher: "aes-xts-plain64"
hash: "sha512"
@@ -400,22 +396,22 @@ recipe:
pbkdf: "argon2id"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: "sha256"
compress: "zstd"
level: "7"
dedup: true
subvolume: "@var_log"
snapshot: ""
format: true
label: "btrfs_var_log"
options: ""
version: "btrfs"
mount:
enable: true
options: "defaults,rw,nodev,noexec,nosuid,noatime"
options: "defaults,nodev,nosuid,noexec,noatime,nodatacow,compress=zstd:7,discard=async,subvol=@var_log"
options_snap: ""
path: "/var/log"
# Only valid for filesystem version "btrfs":
subvolume: "@var_log"
primary: primary
11:
begin: "206GiB"
@@ -424,7 +420,7 @@ recipe:
encryption:
enable: true
ephemeral: false
integrity: true
integrity: false
nuke: true
cipher: "aes-xts-plain64"
hash: "sha512"
@@ -435,22 +431,22 @@ recipe:
pbkdf: "argon2id"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: "sha256"
compress: "zstd"
level: "7"
dedup: true
subvolume: "@var_log_audit"
snapshot: ""
format: true
label: "btrfs_var_log_audit"
options: ""
version: "btrfs"
mount:
enable: true
options: "defaults,rw,nodev,noexec,nosuid,noatime"
options: "defaults,nodev,nosuid,noexec,noatime,nodatacow,compress=zstd:7,discard=async,subvol=@var_log_audit"
options_snap: ""
path: "/var/log/audit"
# Only valid for filesystem version "btrfs":
subvolume: "@var_log_audit"
primary: primary
12:
begin: "222GiB"
@@ -470,22 +466,22 @@ recipe:
pbkdf: "argon2id"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: "sha256"
compress: "zstd"
level: "7"
dedup: true
subvolume: "@var_tmp"
snapshot: ""
format: true
label: "btrfs_var_tmp"
options: ""
version: "btrfs"
mount:
enable: true
options: "defaults,rw,nodev,noexec,nosuid,noatime"
options: "defaults,nodev,nosuid,noatime,compress=zstd:7,nodatacow,discard=async,subvol=@var_tmp"
options_snap: ""
path: "/var/tmp"
# Only valid for filesystem version "btrfs":
subvolume: "@var_tmp"
primary: primary
13:
begin: "238GiB"
@@ -496,31 +492,31 @@ recipe:
ephemeral: false
integrity: false
nuke: true
cipher: ""
hash: ""
itertime: ""
key: ""
label: ""
metadatasize: ""
pbkdf: ""
rng: ""
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_opt"
metadatasize: "32MiB"
pbkdf: "argon2id"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: ""
compress: ""
level: ""
checksum: "sha256"
compress: "zstd"
level: "7"
dedup: true
format: false
label: ""
subvolume: "@opt"
snapshot: ""
format: true
label: "btrfs_opt"
options: ""
version: ""
version: "btrfs"
mount:
enable: false
options: ""
path: ""
# Only valid for filesystem version "btrfs":
subvolume: ""
enable: true
options: "defaults,nodev,nosuid,relatime,compress=zstd:7,discard=async,subvol=@opt"
options_snap: ""
path: "/opt"
primary: primary
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml:

145
func/2015_helper_modules.sh
View File

@@ -31,42 +31,6 @@ do_in_target() {
"${ary_chroot_command[@]}"
}
#######################################
# Wrapper around 'printf' for clean code.
# Globals:
# C_RES
# Arguments:
# $1: One of "${C_BLA}" | "${C_RED}" | "${C_GRE}" | "${C_YEL}" | "${C_BLU}" | "${C_MAG}" | "${C_CYA}" | "${C_WHI}"
# $2: Text string to print on terminal.
#######################################
do_print_color() {
printf "%s\n" "${1}${2}${C_RES}"
}
#######################################
# Wrapper around 'printf' for clean, uniform terminal output and line fold for long text strings for better readability.
# Globals:
# C_RES
# Arguments:
# $1: One of "${C_BLA}" | "${C_RED}" | "${C_GRE}" | "${C_YEL}" | "${C_BLU}" | "${C_MAG}" | "${C_CYA}" | "${C_WHI}"
# $2: Text string to print on terminal.
#######################################
do_print_fold() {
declare var_color="$1"; shift
declare var_msg_string="$*"
declare var_formatted_string="${var_color}${var_msg_string}${C_RES}"
printf "%b\n" "${var_formatted_string}" | fold -s -w 76 | sed '1! s/^/ /'
}
#######################################
# Wrapper around 'printf' for logfile redirect.
# Arguments:
# $1: Text string to redirect to a log file.
#######################################
do_print_log() {
printf "%s\n" "${1}"
}
#######################################
# Helper Module to generate a Subnet Mask out of an IP in CCDIR Notation.
# Arguments:
@@ -89,53 +53,6 @@ generate_subnetmask() {
return 0
}
#######################################
# Converts characters such as spaces, inverted commas, backslashes, and other special
# characters so that they can be safely used as arguments in a shell command.
# Arguments:
# $1: String to sanitize.
#######################################
sanitize_input() {
# shellcheck disable=SC2155
declare var_safe_out=$(printf "%q" "$1")
echo "${var_safe_out}"
}
#######################################
# Remove any leading or trailing whitespace.
# Arguments:
# $1: String to clean.
#######################################
remove_whitespace() {
# shellcheck disable=SC2155
declare var_out=$(printf "%s" "$1" | xargs)
echo "${var_out}"
}
#######################################
# Function to escape all shell metacharacters
# Arguments:
# $1: String to Sanitize
#######################################
sanitize_shell_literal() {
declare input="$1"
### %q quotes the string so that the shell re-reads it as the original literal
printf '%q' "${input}"
}
#######################################
# Function to remove any character not in the allowed set
# Arguments:
# $1: String to Sanitize
#######################################
sanitize_string() {
declare input="$1"
### Define allowed characters:
### letters, digits, dot, underscore, slash, equals, [, ], colon, double-quote, hyphen, space.
declare allowed='a-zA-Z0-9._/=\[\]:"\-+ '
printf '%s' "${input}" | tr -cd "${allowed}"
}
#######################################
# Helper module for full upgrade, autoremove and autoclean.
# Arguments:
@@ -148,66 +65,4 @@ update_upgrade() {
apt-get autopurge -y
apt-get autoremove -y
}
#######################################
# Wrapper for secure curl.
# Globals:
# ERR_DOWNLOAD_FAILED
# ERR_NO_DOWNLOAD_ARG
# Arguments:
# $1: URL from which to download a specific file.
# $2: /path/to/file to be saved to.
# Returns:
# ${ERR_DOWNLOAD_FAILED}: Download failed.
# ${ERR_NO_DOWNLOAD_ARG}: No arguments specified.
#######################################
scurl() {
if [[ $# -ne 2 ]]; then
do_log "error" "false" "Usage: scurl <URL> <path/to/file>"
return "${ERR_NO_DOWNLOAD_ARG}"
fi
declare url="$1"
declare output_path="$2"
if ! curl --doh-url "https://dns01.eddns.eu/dns-query" \
--doh-cert-status \
--tlsv1.3 \
-sSf \
-o "${output_path}" \
"${url}"
then
do_log "error" "false" "Download failed for URL: '${1}'."
return "${ERR_DOWNLOAD_FAILED}"
fi
}
#######################################
# Wrapper for secure wget.
# Globals:
# ERR_DOWNLOAD_FAILED
# ERR_NO_DOWNLOAD_ARG
# Arguments:
# $1: URL from which to download a specific file.
# $2: /path/to/file to be saved to.
# Returns:
# ${ERR_DOWNLOAD_FAILED}: Download failed.
# ${ERR_NO_DOWNLOAD_ARG}: No arguments specified.
#######################################
swget() {
if [[ $# -ne 2 ]]; then
do_log "error" "false" "Usage: swget <URL> <path/to/file>"
return "${ERR_NO_DOWNLOAD_ARG}"
fi
declare url="$1"
declare output_path="$2"
if ! wget --show-progress \
--no-clobber \
--https-only \
--secure-protocol=TLSv1_3 \
-qO "${output_path}" \
"${url}"
then
do_log "error" "false" "Download failed for URL: '${1}'."
return "${ERR_DOWNLOAD_FAILED}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

50
func/2016_helper_print.sh Normal file
View File

@@ -0,0 +1,50 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Wrapper around 'printf' for clean code.
# Globals:
# C_RES
# Arguments:
# $1: One of "${C_BLA}" | "${C_RED}" | "${C_GRE}" | "${C_YEL}" | "${C_BLU}" | "${C_MAG}" | "${C_CYA}" | "${C_WHI}"
# $2: Text string to print on terminal.
#######################################
do_print_color() {
printf "%s\n" "${1}${2}${C_RES}"
}
#######################################
# Wrapper around 'printf' for clean, uniform terminal output and line fold for long text strings for better readability.
# Globals:
# C_RES
# Arguments:
# $1: One of "${C_BLA}" | "${C_RED}" | "${C_GRE}" | "${C_YEL}" | "${C_BLU}" | "${C_MAG}" | "${C_CYA}" | "${C_WHI}"
# $2: Text string to print on terminal.
#######################################
do_print_fold() {
declare var_color="$1"; shift
declare var_msg_string="$*"
declare var_formatted_string="${var_color}${var_msg_string}${C_RES}"
printf "%b\n" "${var_formatted_string}" | fold -s -w 76 | sed '1! s/^/ /'
}
#######################################
# Wrapper around 'printf' for logfile redirect.
# Arguments:
# $1: Text string to redirect to a log file.
#######################################
do_print_log() {
printf "%s\n" "${1}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

49
func/2017_helper_sanitizer.sh Normal file
View File

@@ -0,0 +1,49 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Remove any leading or trailing whitespace.
# Arguments:
# $1: String to clean.
#######################################
remove_whitespace() {
# shellcheck disable=SC2155
declare var_out=$(printf "%s" "$1" | xargs)
echo "${var_out}"
}
#######################################
# Function to escape all shell metacharacters
# Arguments:
# $1: String to Sanitize
#######################################
sanitize_input() {
declare input="$1"
### %q quotes the string so that the shell re-reads it as the original literal
printf '%q' "${input}"
}
#######################################
# Function to remove any character not in the allowed set
# Arguments:
# $1: String to Sanitize
#######################################
sanitize_string() {
declare input="$1"
### Define allowed characters:
### letters, digits, dot, underscore, slash, equals, [, ], colon, double-quote, hyphen, space.
declare allowed='a-zA-Z0-9._/=\[\]:"\-+ '
printf '%s' "${input}" | tr -cd "${allowed}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

76
func/2018_helper_secure_dl.sh Normal file
View File

@@ -0,0 +1,76 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Wrapper for secure curl.
# Globals:
# ERR_DOWNLOAD_FAILED
# ERR_NO_DOWNLOAD_ARG
# Arguments:
# $1: URL from which to download a specific file.
# $2: /path/to/file to be saved to.
# Returns:
# ${ERR_DOWNLOAD_FAILED}: Download failed.
# ${ERR_NO_DOWNLOAD_ARG}: No arguments specified.
#######################################
scurl() {
if [[ $# -ne 2 ]]; then
do_log "error" "true" "Usage: scurl <URL> <path/to/file>"
return "${ERR_NO_DOWNLOAD_ARG}"
fi
declare url="$1"
declare output_path="$2"
if ! curl --doh-url "https://dns01.eddns.eu/dns-query" \
--doh-cert-status \
--tlsv1.3 \
-sSf \
-o "${output_path}" \
"${url}"
then
do_log "error" "true" "Download failed for URL: '${1}'."
return "${ERR_DOWNLOAD_FAILED}"
fi
}
#######################################
# Wrapper for secure wget.
# Globals:
# ERR_DOWNLOAD_FAILED
# ERR_NO_DOWNLOAD_ARG
# Arguments:
# $1: URL from which to download a specific file.
# $2: /path/to/file to be saved to.
# Returns:
# ${ERR_DOWNLOAD_FAILED}: Download failed.
# ${ERR_NO_DOWNLOAD_ARG}: No arguments specified.
#######################################
swget() {
if [[ $# -ne 2 ]]; then
do_log "error" "true" "Usage: swget <URL> <path/to/file>"
return "${ERR_NO_DOWNLOAD_ARG}"
fi
declare url="$1"
declare output_path="$2"
if ! wget --show-progress \
--no-clobber \
--https-only \
--secure-protocol=TLSv1_3 \
-qO "${output_path}" \
"${url}"
then
do_log "error" "true" "Download failed for URL: '${1}'."
return "${ERR_DOWNLOAD_FAILED}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

133
func/3280_mount_partition.sh
View File

@@ -12,6 +12,21 @@
guard_sourcing
#######################################
# Validates var_mount_path to be processed.
# Arguments:
# $1 var_mount_path
# Returns:
# 0: Skip mounting,
# 1: Process mount
#######################################
skip_path() {
declare -a ary_skip=( "/" "/boot" "/boot/efi" "/recovery" )
declare p
for p in "${ary_skip[@]}"; do [[ "$1" == "$p" ]] && return 0; done
return 1
}
#######################################
# Function to generate btrfs-subvolumes.
# Globals:
@@ -25,10 +40,11 @@ create_btrfs_subvolume() {
declare var_mount_path="$1"
declare var_subvolume="$2"
btrfs subvolume create "${TARGET}${var_mount_path}/${var_subvolume}" || {
if ! btrfs subvolume create "${TARGET}${var_mount_path}/${var_subvolume}"; then
do_log "error" "false" "Error occurred at creation of subvolume: '${var_subvolume}' in: '${TARGET}${var_mount_path}'."
exit "${ERR_BTRFS_SUBVOL}"
}
return "${ERR_BTRFS_SUBVOL}"
fi
do_log "info" "false" "Created: '${var_subvolume}' at: '${TARGET}${var_mount_path}'."
}
@@ -45,22 +61,14 @@ create_btrfs_subvolume() {
mount_with_dir() {
declare var_mount_path="$1" var_mount_device="$2" var_mount_options="$3"
if [[ "${var_mount_path}" == "/" ]]; then
:
else
mkdir -p "${TARGET}${var_mount_path}"
fi
[[ "${var_mount_path}" != "/" ]] && mkdir -p "${TARGET}${var_mount_path}"
### Build the command in an array to keep word boundaries intact
declare -a ary_cmd=(mount)
ary_cmd+=("${var_mount_device}" "${TARGET}${var_mount_path}")
[[ -n "${var_mount_options}" ]] && ary_cmd+=("-o" "${var_mount_options}")
ary_cmd+=("${var_mount_device}" "${TARGET}${var_mount_path}")
"${ary_cmd[@]}" || {
do_log "error" "false" "Mounting '${var_mount_device}' on '${TARGET}${var_mount_path}' failed."
exit "${ERR_MOUNTING_DEV}"
}
safe_exec "${ary_cmd[@]}" "${ERR_MOUNTING_DEV}" || return
do_log "info" "false" "Mounted: '${var_mount_device}' on: '${TARGET}${var_mount_path}' (Options='${var_mount_options}')."
}
@@ -73,9 +81,12 @@ mount_with_dir() {
# $4: Encryption Label
#######################################
resolve_device() {
declare local_var_dev="$1" local_var_partition="$2" encryption_boolean="$3" local_var_enc_label="$4"
[[ "${encryption_boolean}" == true ]] && printf '/dev/mapper/%s' "${local_var_enc_label}" \
|| printf '/dev/%s%s' "${local_var_dev}" "${local_var_partition}"
declare local_var_dev="$1" local_var_partition="$2" local_var_enc_boolean="$3" local_var_enc_label="$4"
if [[ "${local_var_enc_boolean,,}" == true ]]; then
printf '/dev/mapper/%s' "${local_var_enc_label}"
else
printf '/dev/%s%s' "${local_var_dev}" "${local_var_partition}"
fi
}
#######################################
@@ -87,10 +98,26 @@ resolve_device() {
yq_val() {
# shellcheck disable=SC2155
declare var_helper=$(yq e "$1" "$2")
[[ "${var_helper}" == "null" ]] && var_helper=""
[[ "${var_helper}" == null ]] && var_helper=""
printf '%s' "${var_helper}"
}
#######################################
# Validates btrfs compression algo and level.
# Arguments:
# $1 var_fs_btrfs_compress
# $2 var_fs_btrfs_level
# Returns:
# 0: Valid combination.
# 1: Invalid combination.
#######################################
validate_btrfs_compression() {
declare var_algo="$1" var_level="$2"
case "${var_algo}:${var_level}" in
zstd:|zstd:[0-9]|zstd:1[0-9]|zstd:2[0-2]|lzo:) return 0 ;;
*) do_log "error" "false" "Invalid btrfs compression '${var_algo}:${var_level}'"; return "${ERR_BTRFS_OPTION}" ;;
esac
}
#######################################
# Function for mounting all partitions for debootstrap, including the generation of btrfs subvolumes.
@@ -110,12 +137,12 @@ mount_partition() {
if [[ -n ${HMP_MOUNTPATH_DEV[$var_mount_path_root]} ]]; then
mount_with_dir "${var_mount_path_root}" "${HMP_MOUNTPATH_DEV[$var_mount_path_root]}"
mount_with_dir "${var_mount_path_root}" "${HMP_MOUNTPATH_DEV[$var_mount_path_root]}" || return "${ERR_MOUNTING_DEV}"
else
do_log "error" "false" "Root-filesystem '${var_mount_path_root}' not found in Hashmap."
exit "${ERR_MOUNTING_ROOT}"
return "${ERR_MOUNTING_ROOT}"
fi
@@ -126,7 +153,7 @@ mount_partition() {
if [[ -n ${HMP_MOUNTPATH_DEV[${var_path}]} ]]; then
mount_with_dir "${var_path}" "${HMP_MOUNTPATH_DEV[${var_path}]}"
mount_with_dir "${var_path}" "${HMP_MOUNTPATH_DEV[${var_path}]}" || return "${ERR_MOUNTING_DEV}"
else
@@ -161,9 +188,7 @@ mount_partition() {
var_mount_subvolume=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.subvolume" "${VAR_SETUP_PART}")
### Skip already mounted paths ("/", "/boot", "/boot/efi") and skip ("/recovery")
if [[ "${var_mount_path}" == "/" || "${var_mount_path}" == "/boot" || "${var_mount_path}" == "/boot/efi" || "${var_mount_path}" == "/recovery" ]]; then
continue
fi
skip_path "${var_mount_path}" && continue
if [[ "${var_mount_path}" == "SWAP" ]]; then
@@ -173,6 +198,7 @@ mount_partition() {
mkswap "/dev/mapper/${var_encryption_label}"
swapon "/dev/mapper/${var_encryption_label}"
do_log "info" "false" "Mounted: '${var_mount_path}' on: '/dev/mapper/${var_encryption_label}'."
continue
elif [[ "${var_mount_path}" == "/tmp" ]]; then
@@ -180,43 +206,44 @@ mount_partition() {
--offset 2048 --cipher aes-xts-plain64 --key-size 512 \
--sector-size 4096 "/dev/disk/by-label/${var_fs_label}" "${var_encryption_label}"
mkdir -p "${TARGET}/tmp"
mkfs.ext4 "/dev/mapper/${var_encryption_label}" "${var_fs_options:+ $var_fs_options}"
mount "${var_mount_options:+-o $var_mount_options}" "/dev/mapper/${var_encryption_label}" "${TARGET}/tmp"
do_log "info" "false" "Mounted: '${var_mount_path}' on: '/dev/mapper/${var_encryption_label}'."
if [[ -n "${var_fs_options}" ]]; then
mkfs.ext4 -O "${var_fs_options}" "/dev/mapper/${var_encryption_label}"
else
mkfs.ext4 "/dev/mapper/${var_encryption_label}"
fi
case "${var_fs_version,,}:${var_encryption_enable}" in
btrfs:true)
### Build the command in an array to keep word boundaries intact
declare -a ary_cmd2=(mount)
[[ -n "${var_mount_options}" ]] && ary_cmd2+=("-o" "${var_mount_options}")
ary_cmd2+=("/dev/mapper/${var_encryption_label}" "${TARGET}${var_mount_path}")
safe_exec "${ary_cmd2[@]}" "${ERR_MOUNTING_DEV}" || return "${ERR_MOUNTING_DEV}"
do_log "info" "false" "Mounted: '${var_mount_path}' on: '/dev/mapper/${var_encryption_label}'."
continue
fi
declare device
device=$(resolve_device "${var_dev}" "${var_part}" "${var_encryption_enable}" "${var_encryption_label}")
case "${var_fs_version,,}:${var_encryption_enable,,}" in
btrfs:*)
validate_btrfs_compression "${var_fs_btrfs_compress}" "${var_fs_btrfs_level}" || return "${ERR_BTRFS_OPTION}"
declare var_btrfs_compression_options="compress=${var_fs_btrfs_compress}:${var_fs_btrfs_level}"
# shellcheck disable=SC2155
declare device=$(resolve_device "${var_dev}" "${var_part}" "${var_encryption_enable}" "${var_encryption_label}")
mount_with_dir "${var_mount_path}" "${device}" "${var_btrfs_compression_options}"
[[ -n "${var_mount_options}" ]] && var_btrfs_compression_options+=",${var_mount_options}"
mount_with_dir "${var_mount_path}" "${device}" "${var_btrfs_compression_options}" || return "${ERR_MOUNTING_DEV}"
[[ -n ${var_mount_subvolume} ]] && create_btrfs_subvolume "${var_mount_path}" "${var_mount_subvolume}"
do_log "info" "false" "Mounted: '${var_mount_path}' on: '${device}'."
;;
btrfs:false)
declare var_btrfs_compression_options="compress=${var_fs_btrfs_compress}:${var_fs_btrfs_level}"
# shellcheck disable=SC2155
declare device=$(resolve_device "${var_dev}" "${var_part}" "${var_encryption_enable}" "${var_encryption_label}")
mount_with_dir "${var_mount_path}" "${device}" "${var_btrfs_compression_options}"
[[ -n ${var_mount_subvolume} ]] && create_btrfs_subvolume "${var_mount_path}" "${var_mount_subvolume}"
do_log "info" "false" "Mounted: '${var_mount_path}' on: '${device}'."
;;
ext4:true)
# shellcheck disable=SC2155
declare device=$(resolve_device "${var_dev}" "${var_part}" "${var_encryption_enable}" "${var_encryption_label}")
mount_with_dir "${var_mount_path}" "${device}"
do_log "info" "false" "Mounted: '${var_mount_path}' on: '${device}'."
;;
ext4:false)
# shellcheck disable=SC2155
declare device=$(resolve_device "${var_dev}" "${var_part}" "${var_encryption_enable}" "${var_encryption_label}")
mount_with_dir "${var_mount_path}" "${device}"
do_log "info" "false" "Mounted: '${var_mount_path}' on: '${device}'."
ext4:*)
mount_with_dir "${var_mount_path}" "${device}" "${var_mount_options}" || return "${ERR_MOUNTING_DEV}"
;;
*) do_log "error" "false" "Unsupported fs/encryption combination."
exit "${ERR_MOUNTING_DEV}" ;;
return "${ERR_MOUNTING_DEV}" ;;
esac
done

28
lib/1008_guard_safe_exec.sh Normal file
View File

@@ -0,0 +1,28 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Generic safe wrapper for external commands.
# Arguments:
# $*: full command (array, quoted!)
# $2: ERR_CONST on failure
#######################################
safe_exec() {
declare -a ary_cmd=("${@:1:$#-1}") # All but last arg.
declare var_errcode="${!#}" # Last arg.
"${ary_cmd[@]}" && return 0
do_log "error" "false" "Command '${ary_cmd[*]}' failed."
return "${var_errcode}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

10
var/errors.var.sh
View File

@@ -28,10 +28,12 @@ declare -girx ERR_ARG_MISMATCH=242 # The wrong number of optional arguments
declare -girx ERR_PARTITIONTBL=241 # The partition table is not allowed.
declare -girx ERR_READ_PARTTBL=240 # The partition could not be deleted, created, or the UUID of the partition could not be read.
declare -girx ERR_BTRFS_SUBVOL=239 # The btrfs subvolume could not be created.
declare -girx ERR_MOUNTING_DEV=238 # The Device could not be mounted.
declare -girx ERR_MOUNTING_ROOT=237 # The / Volume could not be mounted.
declare -girx ERR_MOUNTING_LUKS=236 # The LUKS Volume could not be mounted.
declare -girx ERR_UNKNOWN_DEV=235 # Unknown Device Path.
declare -girx ERR_BTRFS_OPTION=238 # Compression options algo:level not valid btrfs pairs.
declare -girx ERR_MOUNTING_DEV=237 # The Device could not be mounted.
declare -girx ERR_MOUNTING_ROOT=236 # The / Volume could not be mounted.
declare -girx ERR_MOUNTING_LUKS=235 # The LUKS Volume could not be mounted.
declare -girx ERR_UNKNOWN_DEV=234 # Unknown Device Path.