msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 34s
Details
🔁 Render Graphviz Diagrams. / 🔁 Render Graphviz Diagrams. (push) Successful in 24s
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m35s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-06-25 10:10:41 +02:00
parent 9c19212c00
commit e8d85a39ae
134 changed files with 13933 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
.archive/background/club.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.7 MiB

BIN
.archive/background/hexagon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 776 KiB

81
.archive/func/0000_performing_branch_confirmation.sh Normal file
View File

@@ -0,0 +1,81 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Performing Branch Selection
# Globals:
# BASH_COMMAND
# BRANCH_URL
# HANDLER_BRA
# LINENO
# LOG_ERR
# MODULE_ERR
# PPID
# PWD
# Arguments:
# None
#######################################
0000_performing_branch_confirmation() {
clear
declare BRANCH_SELECTION=""
exec 2>&1
if [[ ${HANDLER_BRA,,} = 1 ]]; then
dialog --create-rc ~/.dialogrc
sed -i 's/screen_color = (CYAN,BLUE,ON)/screen_color = (WHITE,RED,ON)/' ~/.dialogrc
sed -i 's/title_color = (BLUE,WHITE,ON)/title_color = (RED,WHITE,ON)/' ~/.dialogrc
if BRANCH_SELECTION=$(dialog --ascii-lines \
--colors \
--title "! WARNING !" \
--backtitle "CISS.2025.hardened.debian.installer" \
--yes-label "yes" \
--no-label "No" \
--yesno "You are on:\nBranch 'Testing'.\nPlease confirm to proceed.\nHit 'Yes' to stay on Branch 'Testing'.\nHit 'No' to exit." 9 60 3>&1 1>&2 2>&3 3>&-); then
declare -g -r -x BRANCH_URL="https://cendev.eu/marc.weidner/CISS.2025.debian.installer/raw/branch/testing/"
else
clear
rm -f ~/.dialogrc
do_clean_exit "0" "${LINENO}" "${BASH_COMMAND}" "${MODULE_ERR}" "$$" "${PPID}" "${PWD}" "$-"
fi
else
declare -g -r -x BRANCH_URL="https://cendev.eu/marc.weidner/CISS.2025.debian.installer/raw/branch/master/"
fi
exec 2>> "${LOG_ERR}"
clear
if [[ ${HANDLER_BRA} = 1 ]]; then
do_log "info" "true" "Branch 'testing' confirmed: '${BRANCH_SELECTION}'."
fi
if [[ -f ~/.dialogrc ]]; then
rm -f ~/.dialogrc
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:

60
.archive/icon.lib Normal file
View File

@@ -0,0 +1,60 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
⚠️
🚫
🔐
🔒
🔑
✍️
🖥️
🔄
🔁
🔣
🌌
🔵
💙
🔍
💡
🔧
🛠️
🏗
⚙️
📐
🧪
✉️
📧
📨
📩
📥
📦
📑
📂
📀
🎉
😺
📉
📊
🧾
📋
🕑
🧠
📅
🎯
📱
🌐
🔗
💬
☢️
☣️
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

53
.editorconfig Normal file
View File

@@ -0,0 +1,53 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# EditorConfig is awesome: https://editorconfig.org
root = true
[*]
indent_style = space
indent_size = 2
tab_width = 2
max_line_length = 128
[*.conf]
end_of_line = lf
charset = utf-8
insert_final_newline = true
trim_trailing_whitespace = true
[*.md]
end_of_line = lf
# Markdown benefits from a final newline for POSIX tools
insert_final_newline = true
# Do not trim trailing whitespace: two spaces at end-of-line signal a hard line break in Markdown
trim_trailing_whitespace = false
#[*.toml]
#end_of_line = lf
#insert_final_newline = true
## TOML values can include strings where trailing spaces may matter; better not trim
#trim_trailing_whitespace = false
#charset = utf-8
[*.{yaml,yml}]
end_of_line = lf
insert_final_newline = true
# Trim trailing whitespace (safe, since YAML does not rely on trailing spaces)
trim_trailing_whitespace = true
[*.{sh,bash,zsh}]
end_of_line = lf
charset = utf-8
insert_final_newline = true
trim_trailing_whitespace = true
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

92
.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml Normal file
View File

@@ -0,0 +1,92 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
---
name: "Bug Report"
about: "Create a report to help us improve"
title: "[BUG | possible BUG]: "
assignees: "MSW"
body:
# Instructions for the reporter
- type: markdown
attributes:
value: |
_Please provide concise information to reproduce the bug; issues lacking detail may be closed._
# Version information
- type: input
id: version
attributes:
label: "Version"
description: "Which version are you running? Use `./setup.sh -v`."
placeholder: "e.g., Master V8.00.000.2025.06.17"
validations:
required: true
# Known issues check
- type: textarea
id: known_issue
attributes:
label: "Search for known issues"
description: "Is this a known problem? Link to related issues or state 'none found'."
placeholder: "e.g., #1234 or none found"
validations:
required: true
# Reproduction steps
- type: textarea
id: reproduction
attributes:
label: "Command line"
description: |
Which command did you run, and against which target?
If you prefer not to disclose publicly, use `security@coresecret.eu`.
placeholder: "e.g., ./setup.sh --debug"
validations:
required: true
# Expected behavior
- type: textarea
id: expected
attributes:
label: "Expected behavior"
description: "Describe clearly what you expected to happen."
placeholder: "e.g., Build completes without errors"
validations:
required: true
# System information
- type: input
id: os
attributes:
label: "Operating System"
description: "Retrieve via `awk -F\" '/PRETTY_NAME/ { print $2 }' /etc/os-release`."
placeholder: "e.g., Debian GNU/Linux 12 (bookworm)"
validations:
required: true
- type: input
id: platform
attributes:
label: "Platform"
description: "Retrieve via `uname -srm`."
placeholder: "e.g., Linux 6.12.30+bpo-amd64 x86_64"
validations:
required: true
# Additional context
- type: textarea
id: additional_context
attributes:
label: "Additional context"
description: "Any other information about the problem."
placeholder: "e.g., Logs, screenshots, configuration snippets"
validations:
required: false
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

55
.gitea/ISSUE_TEMPLATE/PULL_REQUEST_TEMPLATE.yaml Normal file
View File

@@ -0,0 +1,55 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
---
name: "Standard-PR"
about: "Please answer the following questions before submitting the PR."
title: "[PR]: "
assignees: "MSW"
body:
- type: markdown
attributes:
value: |
Thank you for your PR.
# Section for free-form description
- type: textarea
id: description
attributes:
label: "Describe your changes"
description: "Please refer to an issue here or describe the change thoroughly in your PR."
placeholder: "e.g., Fix typo in README"
validations:
required: true
# Section for categorizing the PR
- type: checkboxes
id: pr-type
attributes:
label: "What is your pull request about?"
options:
- label: "Bug fix"
- label: "Improvement"
- label: "New feature (adds functionality)"
- label: "Breaking change (existing functionality may not work)"
- label: "Typo fix"
- label: "Documentation update"
- label: "Update of other files"
# Section for code-quality checklist
- type: checkboxes
id: code-checklist
attributes:
label: "If this is a code change, please check all that apply:"
options:
- label: "My edits contain no tabs, use two-space indentation, and no trailing whitespace"
- label: "I have read ~/docs/CONTRIBUTING.md and ~/docs/CODING_CONVENTION.md"
- label: "I have tested this fix or improvement on >=2 VMs without issues"
- label: "I have tested this new feature on >=2 VMs with and without it to avoid side effects"
- label: "Documentation and/or 'usage()' and/or 'arg_parser' have been updated for the new feature"
- label: "I added myself to ~/docs/CREDITS.md (alphabetical) and updated ~/docs/CHANGELOG.md"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

45
.gitea/properties/json/gitea-issue-config.json Normal file
View File

@@ -0,0 +1,45 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "https://json.schemastore.org/gitea-issue-config.json",
"$comment": "https://docs.gitea.com/usage/issue-pull-request-templates#syntax-for-issue-config",
"properties": {
"blank_issues_enabled": {
"description": "Specify whether forms have to be used or blank issue are allowed\nhttps://docs.gitea.com/usage/issue-pull-request-templates#possible-options",
"type": "boolean"
},
"contact_links": {
"title": "contact links",
"description": "Contact links\nhttps://docs.gitea.com/usage/issue-pull-request-templates#possible-options",
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"required": ["name", "url", "about"],
"properties": {
"name": {
"description": "The name of your link\nhttps://docs.gitea.com/usage/issue-pull-request-templates#contact-link",
"type": "string",
"minLength": 1,
"examples": ["Sample name"]
},
"url": {
"description": "The URL of your Link\nhttps://docs.gitea.com/usage/issue-pull-request-templates#contact-link",
"type": "string",
"pattern": "^https?://",
"examples": ["https://sample/url"]
},
"about": {
"description": "A short description of your Link\nhttps://docs.gitea.com/usage/issue-pull-request-templates#contact-link",
"type": "string",
"minLength": 1,
"examples": ["Sample description"]
}
},
"additionalProperties": false
}
}
},
"additionalProperties": false,
"title": "Gitea issue template chooser config file schema",
"type": "object"
}

1715
.gitea/properties/json/github-workflow.json Normal file
View File

File diff suppressed because it is too large Load Diff

8
.gitea/properties/lua/linkfix.lua Normal file
View File

@@ -0,0 +1,8 @@
-- Linkfix.lua
function Link (el)
-- wenn Linkziel auf .md endet, ändere es zu .html
if el.target:match('%.md$') then
el.target = el.target:gsub('%.md$', '.html')
end
return el
end

15
.gitea/trigger/t_generate_dns.yaml Normal file
View File

@@ -0,0 +1,15 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
build:
counter: 1023
version: V8.00.000.2025.06.17
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

339
.gitea/workflows/linter_char_scripts.yaml Normal file
View File

@@ -0,0 +1,339 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.00.000.2025.06.17
# Gitea Workflow: Shell-Script Linting
#
# This workflow scans all '*.sh', '*.zsh', '*.chroot' and all files with Shebang (#!) for:
# 1. Windows CRLF line endings
# 2. unauthorized control characters (C0 control characters except \t, \n)
# 3. non-ASCII (ambiguous UTF) characters
#
# Findings are collected and at the end of the run with file, line number,
# and the respective character in the Runner output.
name: 🛡️ Shell Script Linting
on:
push:
branches:
- master
pull_request:
branches:
- master
jobs:
shell-script-linter:
name: 🛡️ Shell Script Linting
runs-on: ubuntu-latest
steps:
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
shell: bash
run: |
set -euo pipefail
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
Host git.coresecret.dev
HostName git.coresecret.dev
Port 42842
IdentityFile ~/.ssh/id_ed25519
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
shell: bash
env:
### GITHUB_REF_NAME contains the branch name from the push event.
GITHUB_REF_NAME: ${{ github.ref_name }}
run: |
set -euo pipefail
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
- name: 🛠️ Cleaning the workspace.
shell: bash
run: |
set -euo pipefail
git reset --hard
git clean -fd
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
shell: bash
run: |
set -euo pipefail
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m 700 "${GNUPGHOME}"
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
shell: bash
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
git config user.email "msw+bot@coresecret.dev"
git config commit.gpgsign true
git config gpg.program gpg
git config gpg.format openpgp
- name: ⚙️ Convert APT sources to HTTPS.
shell: bash
run: |
set -euo pipefail
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
- name: 🛠️ Install dependencies.
shell: bash
run: |
### Install grep with Perl-regex support, falls noch nicht vorhanden
apt-get update
apt-get upgrade -y
apt-get install -y grep
- name: 🔍 Lint shell scripts
shell: bash
run: |
# -------------------------------
# STEP 1: Find target files.
#
# We capture:
# - All files '*.sh', '*.zsh', '*.chroot'
# - All files whose first line begins with "#!" (shebang)
# -------------------------------
mapfile -t files_to_check < <(
find . \
-path './.git' -prune -o \
-type f \( \
-iname '*.sh' -o \
-iname '*.zsh' -o \
-iname '*.chroot' -o \
-exec grep -Iq '^#!' {} \; \
\) -print
)
# -------------------------------
# STEP 2: Regex definitions
#
# - CRLF_REGEX Carriage Return (\r) for Windows CRLF
# - CTRL_REGEX C0 control characters except Tab (\x09) and Newline (\x0A)
# - Range: [\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]
# - NON_ASCII_REGEX All bytes -> 0x7F, except emoji characters in defined ranges
#
# Emoji ranges that we exclude:
# - \x{1F300}-\x{1F5FF} Misc Symbols & Pictographs
# - \x{1F600}-\x{1F64F} Emoticons
# - \x{1F680}-\x{1F6FF} Transport & Map Symbols
# - \x{1F900}-\x{1F9FF} Supplemental Symbols & Pictographs
# - \x{2600}-\x{26FF} Miscellaneous Symbols
# - \x{2700}-\x{27BF} Dingbats
# -------------------------------
CRLF_REGEX=$'\r'
CTRL_REGEX='[\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]'
NON_ASCII_REGEX='(?![\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}])[^\x00-\x7F]'
# -------------------------------
# STEP 3: Accumulator for findings
# -------------------------------
findings=""
# -------------------------------
# STEP 4: Perform all checks for each file
# -------------------------------
for file in "${files_to_check[@]}"; do
#
# 4.1: CRLF detection
# grep -nP returns "lineno:<line with CR>"
# -------------------------------
while IFS=: read -r lineno _rest; do
findings+="${file}: CRLF-found at line ${lineno}: <CR>"$'\n'
done < <(grep -nP "${CRLF_REGEX}" "${file}" || true)
#
# 4.2: Unallowed control characters
# grep -nP -o returns "lineno:<matched-char>"
# -------------------------------
while IFS=: read -r lineno char; do
findings+="${file}: control-char at line ${lineno}: ${char}"$'\n'
done < <(grep -nP -o "${CTRL_REGEX}" "${file}" || true)
#
# 4.3: Non-ASCII characters with emoji exception
# grep -nP -o returns "lineno:<matched-char>"
# -------------------------------
while IFS=: read -r lineno char; do
findings+="${file}: non-ascii at line ${lineno}: ${char}"$'\n'
done < <(grep -nP -o "${NON_ASCII_REGEX}" "${file}" || true)
done
# -------------------------------
# STEP 5: Output results
# -------------------------------
if [[ -n "${findings}" ]]; then
echo -e "⚠️ Linting issues detected:\n"
echo -e "${findings}"
timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
PRIVATE_FILE="LINTER_RESULTS.txt"
touch "${PRIVATE_FILE}"
cat << EOF >| "${PRIVATE_FILE}"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
⚠️ The last linter check was NOT successful. ⚠️
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
EOF
else
echo "✅ No issues found in shell scripts."
timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
PRIVATE_FILE="LINTER_RESULTS.txt"
touch "${PRIVATE_FILE}"
cat << EOF >| "${PRIVATE_FILE}"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
✅ The last linter check was successful. ✅
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
EOF
fi
- name: 🚧 Stash local changes (including untracked).
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Temporarily store any local modifications or untracked files.
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
echo "🔄 Fetching origin/master ..."
git fetch origin master
echo "🔁 Merging origin/master into current branch ..."
git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
echo "📋 Post-merge status :"
git status
git log --oneline -n 5
- name: 🛠️ Restore stashed changes.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Apply previously stashed changes.
git stash pop || echo "✔️ Nothing to pop."
- name: 📦 Stage generated files.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
PRIVATE_FILE="LINTER_RESULTS.txt"
git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
- name: 🔑 Commit and sign changes with CI metadata.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
if git diff --cached --quiet; then
echo "✔️ No staged changes to commit."
else
echo "📝 Committing changes with GPG signature ..."
### CI Metadata
TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
HOSTNAME="$(hostname -f || hostname)"
GIT_SHA="$(git rev-parse --short HEAD)"
GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
${CI_HEADER}
Generated at : ${TIMESTAMP_UTC}
Runner Host : ${HOSTNAME}
Workflow ID : ${WORKFLOW_ID}
Git Commit : ${GIT_SHA} HEAD -> ${GIT_REF}
"
echo "🔏 Commit message :"
echo "${COMMIT_MSG}"
git commit -S -m "${COMMIT_MSG}"
fi
- name: 🔁 Push back to repository.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
git push origin HEAD:${GITHUB_REF_NAME}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

218
.gitea/workflows/render-dnssec-status.yaml Normal file
View File

@@ -0,0 +1,218 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.00.000.2025.06.17
name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
permissions:
contents: write
on:
push:
branches:
- master
paths:
- '.gitea/trigger/t_generate_dns.yaml'
jobs:
build-dnssec-diagram:
name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
runs-on: ubuntu-latest
steps:
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
shell: bash
run: |
set -euo pipefail
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
Host git.coresecret.dev
HostName git.coresecret.dev
Port 42842
IdentityFile ~/.ssh/id_ed25519
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
shell: bash
env:
### GITHUB_REF_NAME contains the branch name from the push event.
GITHUB_REF_NAME: ${{ github.ref_name }}
run: |
set -euo pipefail
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
- name: 🛠️ Cleaning the workspace.
shell: bash
run: |
set -euo pipefail
git reset --hard
git clean -fd
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
shell: bash
run: |
set -euo pipefail
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m 700 "${GNUPGHOME}"
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
shell: bash
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
git config user.email "msw+bot@coresecret.dev"
git config commit.gpgsign true
git config gpg.program gpg
git config gpg.format openpgp
- name: ⚙️ Convert APT sources to HTTPS.
shell: bash
run: |
set -euo pipefail
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
- name: 🛠️ Install DNSViz.
shell: bash
run: |
sudo apt-get update
sudo apt-get install -y dnsviz
- name: ⚙️ Ensure docs/SECURITY/ directory exists.
shell: bash
run: |
mkdir -p docs/SECURITY/
rm -f docs/SECURITY/coresecret.dev.png
- name: 🛠️ Prepare DNS Cache.
shell: bash
run: |
sudo apt-get install -y dnsutils
dig +dnssec +multi coresecret.dev @8.8.8.8
- name: 🛠️ Retrieve Zone Dump and generate .png Visualization.
shell: bash
run: |
dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json
dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png
- name: 🚧 Stash local changes (including untracked).
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Temporarily store any local modifications or untracked files.
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
echo "🔄 Fetching origin/master ..."
git fetch origin master
echo "🔁 Merging origin/master into current branch ..."
git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
echo "📋 Post-merge status :"
git status
git log --oneline -n 5
- name: 🛠️ Restore stashed changes.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Apply previously stashed changes.
git stash pop || echo "✔️ Nothing to pop."
- name: 📦 Stage generated files.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
git add docs/SECURITY/*.png || echo "✔️ Nothing to add."
- name: 🔑 Commit and sign changes with CI metadata.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
if git diff --cached --quiet; then
echo "✔️ No staged changes to commit."
else
echo "📝 Committing changes with GPG signature ..."
### CI Metadata
TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
HOSTNAME="$(hostname -f || hostname)"
GIT_SHA="$(git rev-parse --short HEAD)"
GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT : 🛡️ Auto-Generate DNSSEC Status [skip ci]
${CI_HEADER}
Generated at : ${TIMESTAMP_UTC}
Runner Host : ${HOSTNAME}
Workflow ID : ${WORKFLOW_ID}
Git Commit : ${GIT_SHA} HEAD -> ${GIT_REF}
"
echo "🔏 Commit message :"
echo "${COMMIT_MSG}"
git commit -S -m "${COMMIT_MSG}"
fi
- name: 🔁 Push back to repository.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
git push origin HEAD:${GITHUB_REF_NAME}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

211
.gitea/workflows/render-dot-to-png.yaml Normal file
View File

@@ -0,0 +1,211 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.00.000.2025.06.17
name: 🔁 Render Graphviz Diagrams.
permissions:
contents: write
on:
push:
branches:
- master
paths:
- "**/*.gv"
- "**/*.dot"
jobs:
build-graphiz-diagrams:
name: 🔁 Render Graphviz Diagrams.
runs-on: ubuntu-latest
steps:
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
shell: bash
run: |
set -euo pipefail
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
Host git.coresecret.dev
HostName git.coresecret.dev
Port 42842
IdentityFile ~/.ssh/id_ed25519
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
shell: bash
env:
### GITHUB_REF_NAME contains the branch name from the push event.
GITHUB_REF_NAME: ${{ github.ref_name }}
run: |
set -euo pipefail
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
- name: 🛠️ Cleaning the workspace.
shell: bash
run: |
set -euo pipefail
git reset --hard
git clean -fd
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
shell: bash
run: |
set -euo pipefail
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m 700 "${GNUPGHOME}"
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
shell: bash
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
git config user.email "msw+bot@coresecret.dev"
git config commit.gpgsign true
git config gpg.program gpg
git config gpg.format openpgp
- name: ⚙️ Convert APT sources to HTTPS.
shell: bash
run: |
set -euo pipefail
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
- name: 🛠️ Install Graphviz.
shell: bash
run: |
set -euo pipefail
sudo apt-get update
sudo apt-get install -y graphviz
- name: 🛠️ Render all .dot / .gv to PNG.
shell: bash
run: |
set -euo pipefail
find . -type f \( -name "*.dot" -o -name "*.gv" \) | while read file; do
out="${file%.*}.png"
dot -Tpng "${file}" -o "${out}"
done
- name: 🚧 Stash local changes (including untracked).
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Temporarily store any local modifications or untracked files.
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
echo "🔄 Fetching origin/master ..."
git fetch origin master
echo "🔁 Merging origin/master into current branch ..."
git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
echo "📋 Post-merge status :"
git status
git log --oneline -n 5
- name: 🛠️ Restore stashed changes.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Apply previously stashed changes.
git stash pop || echo "✔️ Nothing to pop."
- name: 📦 Stage generated files.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
git add *.png || echo "✔️ Nothing to add."
- name: 🔑 Commit and sign changes with CI metadata.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
if git diff --cached --quiet; then
echo "✔️ No staged changes to commit."
else
echo "📝 Committing changes with GPG signature ..."
### CI Metadata
TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
HOSTNAME="$(hostname -f || hostname)"
GIT_SHA="$(git rev-parse --short HEAD)"
GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT : 🔁 Auto-Generate PNG from *.dot. [skip ci]
${CI_HEADER}
Generated at : ${TIMESTAMP_UTC}
Runner Host : ${HOSTNAME}
Workflow ID : ${WORKFLOW_ID}
Git Commit : ${GIT_SHA} HEAD -> ${GIT_REF}
"
echo "🔏 Commit message :"
echo "${COMMIT_MSG}"
git commit -S -m "${COMMIT_MSG}"
fi
- name: 🔁 Push back to repository.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
git push origin HEAD:${GITHUB_REF_NAME}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

20
.gitignore vendored Normal file
View File

@@ -0,0 +1,20 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
.checklist/
.idea/
build/
out/
target/
*.DS_Store
*.log
*.ps1
Thumbs.db
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

525
.preseed/partitioning.yaml Normal file
View File

@@ -0,0 +1,525 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
recipe:
guben0afx256r:
active: true
control:
# g=GPT || m=MBR
# u=UEFI || b=BIOS
# b=btrfs || 4=ext4 only
# e=ephemeral "/tmp" and "SWAP" || n=non-ephemeral "/tmp" and "SWAP" (yet not supported)
# n0=non RAID || m6=mdadm RAID6 || m5=mdadm RAID5 || b1=btrfs RAID1
# a="/dev/sda" only setup || b="/dev/sdb" || c="/dev/sdc" and so forth
# f=fixed size || a=automatic size
# x256=size of device in GiB
# r=rescue partition || n=no rescue partition
description: "Default: CISS 2025 - GPT - BTRFS - Ephemeral - non RAID - 256GiB - rescue"
# MUST be "UEFI" for "gpt" || "BIOS":
firmware: "UEFI"
# MUST be equal to the second part of the recipe-variables string.
id: "guben0afx256r"
name: "ciss.2025.gpt.btrfs.ephemeral.non-raid.256GiB.rescue"
# mdadm RAID settings only (not yet supported)
raid:
enable: false
disks:
member: 4
spare: 1
# Only Level "1", "5", "6" and "10" are supported
level: 6
# MUST be "gpt" for "UEFI" || "msdos":
table: "gpt"
# Only set to "true" if the recipe is tested by the authors. Otherwise, this is set to "false" by default.
syntax: true
# Version of the specific recipe.
version: "1.0.0"
dev:
sda:
1:
begin: "2MiB"
end: "512MiB"
bootable: true
encryption:
# MUST be "false" for "/boot/efi":
enable: false
# MUST be "false" for "/boot/efi":
ephemeral: false
# MUST be "false" for "/boot/efi":
integrity: false
# MUST be "false" for "/boot/efi":
nuke: false
cipher: ""
hash: ""
itertime: ""
key: ""
label: ""
metadatasize: ""
pbkdf: ""
rng: ""
filesystem:
# btrfs only
btrfs:
checksum: ""
compress: ""
level: ""
dedup: true
format: true
label: "ESP"
options: ""
version: "fat32"
mount:
# MUST be "true" for "/boot/efi":
enable: true
options: ""
path: "/boot/efi"
# Only valid for filesystem version "btrfs":
subvolume: ""
primary: primary
2:
begin: "512MiB"
end: "2GiB"
bootable: false
encryption:
enable: true
# MUST be "false" for "/boot":
ephemeral: false
# MUST be "false" for "/boot":
integrity: false
# MUST be "false" for "/boot":
nuke: false
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_boot"
metadatasize: "32MiB"
# MUST be "pbkdf" for "/boot":
pbkdf: "pbkdf"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: ""
compress: ""
level: ""
dedup: true
format: true
version: "ext4"
label: "ext4_boot"
options: ""
mount:
# MUST be "true" for "/boot":
enable: true
options: "defaults,nodev,noexec,nosuid,noatime"
path: "/boot"
# Only valid for filesystem version "btrfs":
subvolume: ""
primary: primary
3:
begin: "2GiB"
end: "6GiB"
bootable: true
encryption:
enable: true
ephemeral: false
integrity: false
nuke: false
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_rescue"
metadatasize: "32MiB"
pbkdf: "argon2id"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: ""
compress: ""
level: ""
dedup: true
format: true
label: "ext4_rescue"
options: ""
version: "ext4"
mount:
enable: true
options: "defaults,nodev"
path: "/recovery"
# Only valid for filesystem version "btrfs":
subvolume: ""
primary: primary
4:
begin: "6GiB"
end: "8GiB"
bootable: false
encryption:
# MUST be "true" for ephemeral "SWAP":
enable: true
# MUST be "true" for ephemeral "SWAP":
ephemeral: true
# MUST be "false" for ephemeral "SWAP":
integrity: false
# MUST be "false" for ephemeral "SWAP":
nuke: false
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_ephemeral_SWAP"
metadatasize: "32MiB"
pbkdf: "argon2id"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: ""
compress: ""
level: ""
dedup: true
format: true
# MUST be "SWAP" for "SWAP":
label: "SWAP"
options: ""
# MUST be "ext4" for ephemeral "SWAP":
version: "ext4"
mount:
enable: true
options: ""
path: "SWAP"
# Only valid for filesystem version "btrfs":
subvolume: ""
primary: primary
5:
begin: "8GiB"
end: "10GiB"
bootable: false
encryption:
# MUST be "true" for ephemeral "/tmp":
enable: true
# MUST be "true" for ephemeral "/tmp":
ephemeral: true
# MUST be "false" for ephemeral "/tmp":
integrity: false
# MUST be "false" for ephemeral "/tmp":
nuke: false
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_ephemeral_tmp"
metadatasize: "32MiB"
pbkdf: "argon2id"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: ""
compress: ""
level: ""
dedup: true
format: true
# MUST be "ext4_tmp" for ephemeral "/tmp"
label: "ext4_tmp"
options: ""
# MUST be "ext4" for ephemeral "/tmp"
version: "ext4"
mount:
enable: true
options: "defaults,rw,nodev,noexec,nosuid,noatime"
path: "/tmp"
# Only valid for filesystem version "btrfs":
subvolume: ""
primary: primary
6:
begin: "10GiB"
end: "42GiB"
bootable: false
encryption:
enable: true
ephemeral: false
integrity: true
nuke: true
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_root"
metadatasize: "32MiB"
pbkdf: "argon2id"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: "sha256"
compress: "zstd"
level: "7"
dedup: true
format: true
label: "btrfs_root"
options: ""
version: "btrfs"
mount:
# MUST be "true" for "/":
enable: true
options: "defaults,errors=remount-ro,noatime"
path: "/"
# Only valid for filesystem version "btrfs":
subvolume: "@"
primary: primary
7:
begin: "42GiB"
end: "84GiB"
bootable: false
encryption:
enable: true
ephemeral: false
integrity: true
nuke: true
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_home"
metadatasize: "32MiB"
pbkdf: "argon2id"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: "sha256"
compress: "zstd"
level: "7"
dedup: true
format: true
label: "btrfs_home"
options: ""
version: "btrfs"
mount:
enable: true
options: "defaults,rw,nodev,nosuid,noatime"
path: "/home"
# Only valid for filesystem version "btrfs":
subvolume: "@home"
primary: primary
8:
begin: "42GiB"
end: "84GiB"
bootable: false
encryption:
enable: true
ephemeral: false
integrity: true
nuke: true
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_usr"
metadatasize: "32MiB"
pbkdf: "argon2id"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: "sha256"
compress: "zstd"
level: "7"
dedup: true
format: true
label: "btrfs_usr"
options: ""
version: "btrfs"
mount:
enable: true
options: "defaults,rw,nodev,noatime"
path: "/usr"
# Only valid for filesystem version "btrfs":
subvolume: "@usr"
primary: primary
9:
begin: "126GiB"
end: "190GiB"
bootable: false
encryption:
enable: true
ephemeral: false
integrity: true
nuke: true
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_var"
metadatasize: "32MiB"
pbkdf: "argon2id"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: "sha256"
compress: "zstd"
level: "7"
dedup: true
format: true
label: "btrfs_var"
options: ""
version: "btrfs"
mount:
enable: true
options: "defaults,rw,nodev,nosuid,noatime"
path: "/var"
# Only valid for filesystem version "btrfs":
subvolume: "@var"
primary: primary
10:
begin: "190GiB"
end: "206GiB"
bootable: false
encryption:
enable: true
ephemeral: false
integrity: true
nuke: true
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_var_log"
metadatasize: "32MiB"
pbkdf: "argon2id"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: "sha256"
compress: "zstd"
level: "7"
dedup: true
format: true
label: "btrfs_var_log"
options: ""
version: "btrfs"
mount:
enable: true
options: "defaults,rw,nodev,noexec,nosuid,noatime"
path: "/var/log"
# Only valid for filesystem version "btrfs":
subvolume: "@var_log"
primary: primary
11:
begin: "206GiB"
end: "222GiB"
bootable: false
encryption:
enable: true
ephemeral: false
integrity: true
nuke: true
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_var_log_audit"
metadatasize: "32MiB"
pbkdf: "argon2id"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: "sha256"
compress: "zstd"
level: "7"
dedup: true
format: true
label: "btrfs_var_log_audit"
options: ""
version: "btrfs"
mount:
enable: true
options: "defaults,rw,nodev,noexec,nosuid,noatime"
path: "/var/log/audit"
# Only valid for filesystem version "btrfs":
subvolume: "@var_log_audit"
primary: primary
12:
begin: "222GiB"
end: "238GiB"
bootable: false
encryption:
enable: true
ephemeral: false
integrity: false
nuke: true
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_var_tmp"
metadatasize: "32MiB"
pbkdf: "argon2id"
rng: "use-random"
filesystem:
# btrfs only
btrfs:
checksum: "sha256"
compress: "zstd"
level: "7"
dedup: true
format: true
label: "btrfs_var_tmp"
options: ""
version: "btrfs"
mount:
enable: true
options: "defaults,rw,nodev,noexec,nosuid,noatime"
path: "/var/tmp"
# Only valid for filesystem version "btrfs":
subvolume: "@var_tmp"
primary: primary
13:
begin: "238GiB"
end: "-1"
bootable: false
encryption:
enable: true
ephemeral: false
integrity: false
nuke: true
cipher: ""
hash: ""
itertime: ""
key: ""
label: ""
metadatasize: ""
pbkdf: ""
rng: ""
filesystem:
# btrfs only
btrfs:
checksum: ""
compress: ""
level: ""
dedup: true
format: false
label: ""
options: ""
version: ""
mount:
enable: false
options: ""
path: ""
# Only valid for filesystem version "btrfs":
subvolume: ""
primary: primary
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml:

1
.preseed/password.txt Normal file
View File

@@ -0,0 +1 @@
Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!

1
.preseed/password_boot.txt Normal file
View File

@@ -0,0 +1 @@
PleASE_CHan3e_M!

1
.preseed/password_nuke.txt Normal file
View File

@@ -0,0 +1 @@
THIS_IS_THE_NUKE_PASSWORD!

473
.preseed/preseed.yaml Normal file
View File

@@ -0,0 +1,473 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
%YAML 1.2
---
### This file contains configurations for the CISS.debian.installer
### Master V8.00.000.2025.06.17
### YAML specification: 1.2
### You MUST NOT change anything between START and
installer:
name: "CISS.debian.installer"
version: "V8.00.000.2025.06.17"
### END
###########################################################################################
# APT settings #
###########################################################################################
apt:
# You can choose to install contrib software:
contrib: true
# By default, source repositories are listed in /etc/apt/sources.list. This MUST be true:
default-list: true
# Whether to upgrade packages after debootstrap.
# Allowed values: "false" for none; "true" for full-upgrade (RECOMMENDED):
full-upgrade: true
# Configure APT to not install recommended packages by default. Use of this option can
# result in an incomplete system and should only be used by very experienced users:
install-recommends: true
# A network mirror MUST be used to supplement the software not included on the
# installation media. This may also make newer versions of software available.
# This MUST be true:
mirror:
activate: true
# Country code of mirror destination:
country: "US"
# Debian archive mirror directory. Please enter the directory in which the mirror of
# the Debian archive is located:
directory: "/debian/"
# Debian archive mirror hostname. Please enter the hostname of the mirror from which
# Debian will be downloaded. An alternate port can be specified using the standard
# [hostname]:[port] format:
hostname: "deb.debian.org"
# Debian archive mirror country. The goal is to find a mirror of the Debian archive that
# is close to you on the network -- be aware that nearby countries, or even your own, may
# not be the best choice.
https-country: "US"
# Please select the protocol to be used for downloading files, where "https" is RECOMMENDED.
protocol: "https"
# HTTP proxy information (blank for none). If you need to use an HTTP proxy to access the
# outside world, enter the proxy information here. Otherwise, leave this blank. The proxy
# information should be given in the standard form of "http://[[user][:pass]@]host[:port]/".
proxy: ""
# Suite to install MUST be one of "stable", "testing", "experimental":
suite: "stable"
# You can choose to install non-free:
non-free: true
# You can choose to install non-free firmware:
non-free-firmware: true
# Debian archive security string
security-string: "security.debian.org"
# Debian has the following services that provide updates.
#
# Security updates help to keep your system secured against attacks.
# Enabling this service is strongly recommended.
#
# Release updates provide more current versions for software that changes relatively
# frequently and where not having the latest version could reduce the usability of the
# software. It also provides regression fixes. This service is only available for stable
# and oldstable releases.
#
# Backported software is adapted from the development version to work with this release.
# Although this software has not gone through such complete testings as that contained in
# the release, it includes newer versions of some applications that may provide useful
# features. Enabling backports here does not cause any of them to be installed by default;
# it only allows you to manually select backports to use.
updates:
backports: true
release: true
security: true
# Applying updates on a frequent basis is an important part of keeping the system secure.
#
# By default, security updates are not automatically installed, as security advisories should be
# reviewed before manual installation of the updates using standard package management tools.
#
# Alternatively, the unattended-upgrades package can be installed, which will install security
# updates automatically.
# Note, however, that automatic installation of updates may occasionally cause unexpected downtime
# of services provided by this machine in the rare cases where the update is not fully backward-compatible,
# or where the security advisory requires the administrator to perform some other manual operation.
#
# Possible choices: none, security, unattended (RECOMMENDED)
policy: "unattended"
###########################################################################################
# Basic settings #
###########################################################################################
# Please specify the architecture of the server to be installed:
arch: "amd64" # MUST be "amd64" || "intel64". "arm64" is NOT supported
# This is how to make the installer shutdown when finished, but not reboot:
exit-halt: false
# This will power off the machine instead of just halting it (RECOMMENDED):
exit-poweroff: true
# This will reboot the machine:
exit-reboot: false
# If non-free firmware is needed for the network or other hardware, you can configure the #
# installer to always try to load it without prompting.
firmware-install: true
# Firmware settings
# "never": Completely disables the firmware search.
# "missing": Searches only when the firmware is needed. (default)
# "always": Always searches and asks for any firmware that could be useful for the hardware.
firmware-lookup: "missing"
# The kernel image to be installed; "none" can be used if no kernel is to be installed:
kernel: "linux-image-6.12.12+bpo-amd64"
###########################################################################################
# GRUB2 settings #
###########################################################################################
grub:
background:
# If you want to change the GRUB background, please change to "true":
enable: true
# Specify the path from which the image should be loaded.
# RECOMMENDED settings: JPG 1280 x 1024 px or JPG 1920 x 1080 px
path: "/root/CISS.2025.debian.installer/.assets/background/background_hexagon_1280.jpg"
# Due notably to potential USB sticks, the location of the primary drive cannot be
# determined safely in general, so this needs to be specified:
bootdev: "/dev/sda"
# Force GRUB installation to the EFI removable media path?
# It seems that this computer is configured to boot via EFI, but maybe that configuration will
# not work for booting from the hard drive. Some EFI firmware implementations do not meet the
# EFI specification (i.e., they are buggy) and do not support proper configuration of boot
# options from system hard drives.
#
# A workaround for this problem is to install an extra copy of the EFI version of the GRUB
# bootloader to a fallback location, the "removable media path". Almost all EFI systems, no
# matter how buggy, will boot GRUB that way.
#
# Warning: If the installer failed to detect another operating system that is present on your
# computer that also depends on this fallback, installing GRUB there will make that operating
# system temporarily unbootable. GRUB can be manually configured later to boot it if necessary:
force-efi-extra-removable: false
# Set this to 'true' to install the latest GRUB2 backported package for encrypted '/boot' support.
# MUST be 'true' in the case of 'LUKS2' and / or 'dm-integrity' encrypted '/boot/':
latest: true
# This is fairly safe to set; it makes grub install automatically to the UEFI partition '/boot'
# record if no other operating system is detected on the machine:
only-debian: true
# This one makes grub-installer install to the UEFI partition/boot record, if it also finds
# some other OS, which is less safe as it might not be able to boot that other OS:
other-os: true
# OS-prober did not detect any other operating systems on your computer at this time, but you
# may still wish to enable it in case you install more in the future:
prober: false
# Skip installing grub:
skip: false
# Update NVRAM variables to automatically boot into Debian?
# GRUB can configure your platform's NVRAM variables so that it boots into Debian automatically
# when powered on. However, you may prefer to disable this behavior and avoid changes to your
# boot configuration. For example, if your NVRAM variables have been set up such that your
# system contacts a PXE server on every boot, this would preserve that behavior:
update-nvram: true
###########################################################################################
# Locale settings set language, country, locale, keyboard map and timezone #
###########################################################################################
locale:
country: "US"
keyboard:
layout: "de"
xkb-keymap: "de"
language: "en"
locale: "en_US.UTF-8"
timezone: "Europe/Lisbon"
###########################################################################################
# Network settings #
###########################################################################################
network:
autoconfig:
# Automatic network configuration is the default. If you prefer to configure the network
# manually, change 'network.autoconfig.enable' from "true" to "false" and configure
# - 'network.choose_interface.static'
# - 'network.hostname'
# - 'network.ipv6'
# - 'network.static' section
enable: true
choose_interface:
# Choose an interface that has a link if possible. Or skip this via "false" and manually configure the static NIC below.
auto: true
# If auto-detect fails, specify a particular interface instead:
static: "eth1"
# Please specify the FQDN of the server:
hostname: "nsa.usic.gov"
# Please specify if you want to use IPv6:
ipv6: "true"
# Timeout settings
timeout:
# If the dhcp server is slow, and the installer times out waiting for it, this might be useful.
dhcp: 60
# To set a different link detection timeout (default is 3 seconds):
linkwait: 60
static:
# If you want the preconfiguration file to work on systems both with and without a dhcp
# server, change 'network.static.enable' from "false" to "true" and configure the static
# configuration below.
enable: true
# Static IPv4 network configuration.
ipv4address: "192.168.128.128"
ipv4netmask: "255.255.255.0"
ipv4gateway: "192.168.128.254"
# Static IPv4 nameservers.
ipv4nameserver:
# dns01.eddns.eu
- "135.181.207.105"
# dns02.eddns.de
- "89.58.62.53"
# Static IPv4 fallback nameservers.
ipv4nameserver_fallback:
# dnsforge.de
- "176.9.93.198"
- "176.9.1.117"
# Static IPv6 network configuration.
ipv6address: "192.168.128.128"
ipv6netmask: "128"
ipv6gateway: "192.168.128.254"
# Static IPv6 nameservers.
ipv6nameserver:
# dns01.eddns.eu
- "2a01:4f9:c012:a813:135:181:207:105"
# dns02.eddns.de
- "2a0a:4cc0:1:e6:89:58:62:53"
ipv6nameserver_fallback:
# dnsforge.de
- "2a01:4f8:151:34aa::198"
- "2a01:4f8:141:316d::117"
###########################################################################################
# Security settings #
###########################################################################################
security:
# The installer will ensure that any packages are signed and authenticated.
allow_unauthenticated: false
# This ensures that the connection between the installer, and the server from which files
# are downloaded, is encrypted and signed by a trusted certificate authority.
allow_unauthenticated_ssl: false
###########################################################################################
# Software installation #
###########################################################################################
software:
## software core
- apt-show-versions
- apt-transport-https
- apt-utils
- bash
- bash-completion
- bat
- bind9-dnsutils
- bc
- ca-certificates
- coreutils
- debconf
- debconf-utils
- dialog
- efibootmgr
- fzf
- gawk
- git
- grub2
- grub2-common
- knot-dnssecutils
- knot-dnsutils
- libpam-google-authenticator
- libpam-pwquality
- locate
- logrotate
- lsb-release
- nano
- openssl
- rsyslog
- screen
- shellcheck
- software-properties-common
- spectre-meltdown-checker
- ssh
- sudo
- sysstat
- tree
#- unattended-upgrades
- whois
- zsh
## software dev
#- build-essential
#- clang
#- debootstrap
#- linux-source
#- lld
#- makedev
#- ssl-cert
## software documentation
- debian-kernel-handbook
- linux-doc-6.12
- man-db
## software encryption
- dirmngr
- gnupg
- haveged
- pollinate
## software files
- curl
- rsnapshot
- rsync
- unzip
- wget
- zip
## software malware
- chkrootkit
- clamav
- clamav-daemon
- rkhunter
## software network
- dhcpdump
- dhcping
- iftop
- iproute2
- iputils-ping
- mtr
- ncat
- net-tools
- nmap
- tshark
## software parser
#- jq
#- yq
## software partitioning
- btrfs-progs
- cryptsetup
- cryptsetup-nuke-password
- dmsetup
- dosfstools
- fdisk
- gdisk
- lvm2
- mdadm
- parted
## software password
- keychain
- makepasswd
- pwgen
- wamerican
- wbritish
- wfrench
- wngerman
## software security
- fail2ban
- ufw
## software tools
- expect
- figlet
- htop
- neofetch
- neovim
- python3
- virt-what
###########################################################################################
# Time settings #
###########################################################################################
# Germany : https://www.ptb.de/cms/ptb/fachabteilungen/abtq/gruppe-q4/ref-q42/zeitsynchronisation-von-rechnern-mit-hilfe-des-network-time-protocol-ntp.html
# Germany : ptbtime1.ptb.de ptbtime2.ptb.de ptbtime3.ptb.de
# Germany : https://www.rrze.fau.de/serverdienste/infrastruktur/zeitserver/
# Germany : ntp0.fau.de ntp3.fau.de
# Portugal : https://si.tecnico.ulisboa.pt/en/servicos/servidores-e-dados/ntp/
# Portugal : ntp1.tecnico.ulisboa.pt ntp2.tecnico.ulisboa.pt
# Sweden : https://www.netnod.se/swedish-distributed-time-service
# Sweden : nts.netnod.se
# Switzerland : https://www.metas.ch/metas/de/home/fabe/zeit-und-frequenz/time-dissemination.html
# Switzerland : ntp11.metas.ch ntp12.metas.ch ntp13.metas.ch
# USA : https://tf.nist.gov/tf-cgi/servers.cgi
# USA : time-a-g.nist.gov time-c-b.nist.gov utcnist3.colorado.edu
ntp:
server:
- "ntp.ripe.net"
- "ptbtime3.ptb.de"
- "ptbtime2.ptb.de"
- "ntp12.metas.ch"
- "ntp2.tecnico.ulisboa.pt"
- "time-c-b.nist.gov"
- "nts.netnod.se"
- "ntp0.fau.de"
# Any valid setting for $TZ; see the contents of '/usr/share/zoneinfo' for valid values:
timezone: "Europe/Lisbon"
# Controls whether the hardware clock is set to UTC:
utc: true
###########################################################################################
# User settings #
###########################################################################################
accounts:
# For whitelisting and additional hardening of SSH connections, the following IPs MUST be provided.
bastion-vpn-ipv4: 202.61.246.50
bastion-vpn-ipv6: 2a03:4000:53:f:abcd:9494:0:2
# If a secure channel for LUKS passphrase input is needed, this MUST be set to "true".
dropbear-ssh: true
# For dropbear SSH authentication, an ed25519 PubKey MUST be provided.
dropbear-pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG1RNGtD+Uwb45aQcWP//kQgy0K8EfglVsWwD6qyg6Ox 2025_dropbear_master"
# If decryption via dropbear SSH in the initramfs environment is desired, set to "true" otherwise to "false".
# MUST be "true" if Nuke Mechanism is chosen for at least one Device in partitioning.yaml.
dropbear-unlock: true
root:
# Skip creation of a root account (a normal user account will be able to use sudo):
# For best practice it is RECOMMENDED to configure root, and after setup, you should run
# the hardening script.
login: true
# Create a password hash for the root account:
# sha-512 is NOT RECOMMENDED
# SALT=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16)
# mkpasswd --method=sha-512 --salt="${SALT}" --rounds=8388608
# Use yescrypt instead that is RECOMMENDED:
# mkpasswd --method=yescrypt
password-enabled: true
password-crypted: "$y$j9T$cyO.ibYUpLZ0GPYUkRF.q0$NhSWX5V8.uKxVKWkCH2cdl62dilvi8mWWnEWksE8Tz0"
# MUST be either "sshpubkey" or "sshcert"
ssh-method: sshcert
ssh-pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID2mSRx+Ny8cudr9vOlyfqMYPbZC3jkFaNARTOMh33De 2025_ed25519_coresecret.dev_root"
ssh-rootca: "./.preseed/ssh_root_ca.pub"
ssh-keyrounds: 1024
ssh-port: 42137
user:
login: false
# In honor of the defender of the freedom of expression:
fullname: "Donald John Trump"
name: "potus"
password-enabled: true
password-crypted: "$y$j9T$cyO.ibYUpLZ0GPYUkRF.q0$NhSWX5V8.uKxVKWkCH2cdl62dilvi8mWWnEWksE8Tz0"
ssh-method: sshcert
ssh-pubkey: "ssh-ed25519 255 SHA256:glLSH13uNy04qbpDskVTB+3CwtLeuXwxzvqP9w5ZKjM 2025_ed25519_coresecret.dev_potus"
ssh-rootca: "./.preseed/ssh_root_ca.pub"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

1
.preseed/ssh_root_ca.pub Normal file
View File

@@ -0,0 +1 @@
ssh-rsa-cert-v01@openssh.com AAAAB3NzaC1yc2EtY2VydC12MDEAAABCBFtF...== root-ca@example.com

12
.pubkey/centurion_intelligence_consulting_agency_2025_root_x448_Master_Signing_Key_Offline_0x4EADE462_public.asc Normal file
View File

@@ -0,0 +1,12 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mEkFaDXW/RYAAAA/AytlcQHI0wBCQVlX/T1P1op2zxMcvSXsIO6Ry5dVxzJyWFkB
SB0utYV5PVOcoparGuxuVV5h5q538FMowsAAtFZDZW50dXJpb24gSW50ZWxsaWdl
bmNlIENvbnN1bHRpbmcgQWdlbmN5IDIwMjUgUm9vdCB4NDQ4IChNYXN0ZXIgU2ln
bmluZyBLZXkgW09mZmxpbmVdKYjNBRMWCABNAhsBBQsJCAcCAiICBhUKCQgLAgQW
AgMBAh4HAheAIiEFb9PDFk6t5GIBJKfozM13iXXLB7VAp8veRtbuNEidacIFAmg1
4c0FCRezg7YAAJycAcdFA+KOZ0U3+AhnNJWm4SXCgzwfJ2Rg10uUt/iiKNtiagDG
xifwXGd5fh2Om/oFdYkgf48GAVVDE4ABx1x6OmN6dt6GWHCKgienVOgKhu+Cl/04
c3Sth4dGCosfFJNUaNmfja5GQ/wQKLVQ0C4TjuJXHCkEAA==
=bk/i
-----END PGP PUBLIC KEY BLOCK-----

18
.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.asc Normal file
View File

@@ -0,0 +1,18 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEaDcItBYJKwYBBAHaRw8BAQdAFyGLpFASTiK4vBgycV2wjb3ZaNqhjZ33E1ir
MiU98Fu0LE1hcmMgUy4gV2VpZG5lciBCT1QgPG1zdytib3RAY29yZXNlY3JldC5k
ZXY+iJkEExYIAEEWIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaDcItAIbAwUJCKVq
fAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRA85KY4hzOwIVOoAQD9WXoh
Isjs4q7RCAtCXXWO4y4p8Dmn1AjCRN07vBYskQEAu/LjJYpjC553SnLPEN2PjZBt
pNkwp/fMg2oigxRkygyI1AUQFggAVCIhBW/TwxZOreRiASSn6MzNd4l1ywe1QKfL
3kbW7jRInWnCBQJoNwjMBYMIpYaAJBSAAAAAAA0ADnJlbUBnbnVwZy5vcmdDZW50
dXJpb24sQ0lDQQAA3TABxjNpYGUWhvt6x3h688F1KJfeWrrMetflFZBA3UzoIAAg
SltgMYRnCzpZFGnQILKgj9jyakwckxFLAAHHY/I0Fxmc5ujfkGScUhUKPhruVT2x
w4aHogEuE9Ebu94JuvBQX3+RlHjG+47qG7bmAT81E47Hih0AuDgEaDcItBIKKwYB
BAGXVQEFAQEHQOKAnInWn3Wy1fUJJD7bycrXEx6SoLejW5/0jGIG2VdGAwEIB4h+
BBgWCAAmFiEEqmJzzDShs+vWn8hwPOSmOIczsCEFAmg3CLQCGwwFCQilanwACgkQ
POSmOIczsCHztAEA2AWCPQ8V8hNdEBvYHwRye8Q9FJO7IyciwwpjH1nOBLMBAJS2
OSrjMYBFaumow950s7T2d7BEpnxJBtCwfuF+RwgI
=QwhF
-----END PGP PUBLIC KEY BLOCK-----

13
.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.asc Normal file
View File

@@ -0,0 +1,13 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEaCxYpRYJKwYBBAHaRw8BAQdAr9mRwJ44x3qirCRbE+qjgwBDzZLVkKXvC4UI
AHxvyMK0JE1hcmMgUy4gV2VpZG5lciA8bXN3QGNvcmVzZWNyZXQuZGV2PoiZBBMW
CABBFiEEh/wgoINpSv+4MwEbhAKZkeYuhPgFAmgsWKUCGwMFCQiwGosFCwkIBwIC
IgIGFQoJCAsCBBYCAwECHgcCF4AACgkQhAKZkeYuhPhWnQEAulGegHfBva0ezN5/
VVqLqDVTe+etr3crCcxKpj8gg7wA/3OfkCvgPht18OoIQbR1IA7jDBSOKvY8OfcR
1632dZIIuDgEaCxYpRIKKwYBBAGXVQEFAQEHQP34OGSMdCMM8Ku/QY7NC81xbL0h
kOFdDGlKlA865+kpAwEIB4h+BBgWCAAmFiEEh/wgoINpSv+4MwEbhAKZkeYuhPgF
AmgsWKUCGwwFCQiwGosACgkQhAKZkeYuhPhnjgD+IHh9XhE+s3VB3ItDIgtT9gTA
S8ET80dQcFmFGYfjs/oBALmXXxceE+aSd2VO6dumqhtzWCGE7S52/50hxRgLsi8G
=C3ox
-----END PGP PUBLIC KEY BLOCK-----

52
.pubkey/marc_s_weidner_rfc.editor@coresecret.eu_0x9A3D8CF6_public.asc Normal file
View File

@@ -0,0 +1,52 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGgKhAABEADKXAZwxkr4Wlo0KKjvvxUNycajqFLSEf8CNSkZCzE6/Ya5SlCy
p/yO8bqMUiL6zFO3A7bt0HYZo3jjU7nyOap0nq2qKgSvLJPeiJF6wk3XQDvJbpCh
NBi6vlKicWMyJqVtbqQZeX7q4MFrJPQX5JurSOsauAsJ8xz8vOnhesVwh44m7jTf
Yvuelz0zh/LQkypTaeMA1CXhCtLhoS8V359azO0VHdVaFmxIjsiiU4wKUCNiUgC5
Z/QhG3v1TlIS5R8tnPrke39TkjRVBXAnW5mVTxE7+hauDhefGlpIDkIr8ACCpgLf
ZN0sEXH1+DNTvCwDsP9eoEuf5+2l+w0pQ5c0Rsi2RIbrE/Ct9PL9+cXDYOkNk4fa
5pws7LzldacBB3XTHhSgTAkF+knk+RNxyrlJ42FAo6HiP+pM3ym/ElFGF0cS/qnU
h6JR3SDUybI/89t3lPDHEj24+GLxHd/6d0WY0xYMwNElm7DK+BOgKpEQO/ZBqtRP
crpx81IDInJYjck5z8BAYwnW+CPsAi1cSSFtGBGvem7iKvz7e1nvQcxn9i9HUbiM
FjrfrFztkSE2ZINoTPUPYNEtLyAm/TQKBCS08uyYjSPaivN1yQ75dm6pIS1OJmGe
i7SwhU6j4Y8CXdpo3OioemrUuccPbxu18Iw+PovLUvmkAhqFIY6EvYw9ZwARAQAB
tCpNYXJjIFMuIFdlaWRuZXIgPHJmYy5lZGl0b3JAY29yZXNlY3JldC5ldT6JAlcE
EwEIAEEWIQR6g0Hl8VcDGdgPRBihHohRmj2M9gUCaAqEAAIbAwUJCrMisAULCQgH
AgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRChHohRmj2M9o5aD/0ceZqsJC98RyvN
HM9+Ke+1yhwRGXJ3AdFPMdhhzajBdRpOx/N/xY9sqeWpm4S1/UsLBZsaGxASJvXq
HXOzOXY+RPlOocBcm3yAzlrz+UU/NhvSnpMOU63mR3pvf6qwwfgqGbtxozNgbb2Y
g+tV4sG+DhCWO4G0Pb2+qlitBY4vbY9W7TdA805bAWwf7E9Pb2x5kLj7uQUKi3dy
2YCqgHYqQ9yS7UztiA39zmHh2IRl72ZUKGcBMWFfSpO0Mfgr+mCe+5sTymPfIRqk
IrTmugCXgCV/xs3nE4lv8C/4eSJsLEmMaFELL7dBjn6dhl+0hEblKQYUgURZaG20
hh/uaR0X1iwA4D9ipHXCr4CM9/fq5ny2uCihPxI/6xeNU9/rOCDZ+LMpJoe/cwTM
9aY+toC4tyv4f8lm46XPWm+SujJOaVEI7NNKX/kJR9UZZBii8YYGQ1gSs4HX9PxZ
G1Nf7qG5cfFBV77M9uQsrKnsXRMZjRtyxnclU9r8NKg4jfNvzqpqAVoynhG+YjKM
krQreCr1LU9uT3O0ABf1s457C0oNr+YMva9PL5LdXEGHwAL93YgyerzEs1TIik80
YLEVDeTunMWtb1v/h516q+fk1p2bdNflQUMD3X1Cmj6qRMe1f4ku1I3zcjK0kikI
MGgOoag7efnNBDDsyhKUP/ZtNzOB9LkCDQRoCoQAARAAnoqlViizlICxSBmWkq3D
dSBfyK98uY6uA8H/lUhsG/ZTUG0y3kqEZ6JoU2G+QwTMm0/8VutwFoc38142FhqQ
Gs2imUN+sQRlKdyk8wtoq2Kv4G7XhXBGFsEfScHKQb8VTz8eoHAgtqAzJcLXDO0u
gHHk5OoOqc93TsT9rimHNNNyKqU20rRe+AJ2Yjn92dIuSQ7B7R7O9U5OflZKrVMO
e6KSXbbMx+Z/tOOoAC2EWpPE8Vcogs8CFlAUaCKaKcSTwYUZMKJg67voeIZHLKAE
k4hth+1oGcawfuA7duJBVFlK2u6Vu14c26y7tgZQWge6e7DuXlp0qGyu349M10qF
p+d0v1oN8h6cfYjDPPvTAdO20iB/c3KaDMNqcGBDUWd366YcLBAzHZO4YDjE4CF1
7TnZQNMuelg83jl4OIcyDqzATDEY+amOgzvkxsgHw+tihSulGBeliph1n5pfpD3w
wjrtMskCo4PaFWk8YofO3ZzpMCdIDXg0hR1PvThkXQQR6fccOYd8t5QEOdS9NS53
fL3ayRvMt5fgwYeo9yfzl5ByTSXeT4BSpz596SG/BdcHxHky7lM8++LuRNrOiy9Q
xLohwgPonceF4bjL944Ec13lneZunJN8nel8yrjd0cX0ZikWMWoRFk9GejNN6HLo
/FrIKxSjf8h5UK5Gtn2OgtMAEQEAAYkCPAQYAQgAJhYhBHqDQeXxVwMZ2A9EGKEe
iFGaPYz2BQJoCoQAAhsMBQkKsyKwAAoJEKEeiFGaPYz2SkMQALjeSyg8HzMLXwN4
Trt7aW5ef/38J89cav0ouvlY1OggZDiHSXjck7wI0uc0oiB9uVjBj8VfJC4op3bJ
FNlXANE2j9wDR2idQF6hFWVibznMiYOLdmAv3UPGEwm5mJw3h3oGTMqMxKllOKYk
sjRD4PwMOz9x43385PO1q0UQO69kQfnLcRm1gR5w8UHM6j1Mp6HcBapnOluf4PZj
o+5etx3MZBQtDEN5Q80ou3sS2FY23ydmpbn1AGQverr7wUH0ofAgC/xAQ/QJaxWE
ISVm+6F6gC67UU/DMtw2iq9G/CsBKOglC6anU75UEAQnhkiCaFXlghCX0LGWyVbM
OQzjlfBgswTQ4lvYV2I8FHbvgKCYuRvEeAqrIgnpK4BfoBZOXhrsanbtXth4Cl82
euveI/dbSnEa0iXucP39VbvDrzfNmpUlE9HTpiad10YmrYWIR0yEv4TGPnvtWzgj
ldqhMToXTbuz4bcIEfLLNBEVOXOpEehhpwiXPBmWjCbiSTdt9wcmMXTzjzGyVWoF
N37P3BcodQWrsIJD5rlBN+mlga2JBfaJndOoYDLTuCNp63O3QO+/B+37hOYHphyu
Z1UsyA0biHQ2exoMtUn8VrfrVaVjqeKzD5E2C2w8jKh2bNFYjbNoEhmw/ld+wTC4
h9Da4wsNzL2ADzBfxBgFgm0uI6+7
=5Jh4
-----END PGP PUBLIC KEY BLOCK-----

20
.pubkey/zimnol_andre_h_git.cs@physnet.eu_0x8A659CC7B4D63AE6_public.asc Normal file
View File

@@ -0,0 +1,20 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEaDcAphYJKwYBBAHaRw8BAQdA/9UGPKzDSRCGirPMrePXMMynIida/McCOYe6
PVcCPpG0MVpJTU5PTCwgQW5kcsOpIEguIFtkZXZlbG9wZXJdIDxnaXQuY3NAcGh5
c25ldC5ldT6IkQQTFgoAORYhBBmJL29uc6075RFbVoplnMe01jrmBQJoNwCmAhsB
BQkIpLt+AwsJCAQVCgkIAxYCAwIeBQIXgAAKCRCKZZzHtNY65jKyAQDrk2x/laEP
YIaRmS7STGBnZjWVwv/eJ5ILFqRhV3sSGQEAwfT2wgporMER+EHz2mRPAaE5TtPB
SMm4DHug4Yka2A24MwRoNwDmFgkrBgEEAdpHDwEBB0Bx3cbRd0Q/Dn73IcbEvKx5
+KcP7unYv3rNeirZTGtTfoj1BBgWCgAmFiEEGYkvb25zrTvlEVtWimWcx7TWOuYF
Amg3AOYCGwIFCQL/zz4AgQkQimWcx7TWOuZ2IAQZFgoAHRYhBEVoBW4odEqUQpSB
D1za7swLMHUzBQJoNwDmAAoJEFza7swLMHUzYw0A/05Y5GoEsbHH5+LqVf9EI8WN
ud1kp3M4WRto2KQ2abicAP0W71sTY2Po1XbBDVbFi2fvXkjuCUVeSlotaQgh1YrP
BtIXAQDabJERY+nNU9T/8pAlFhC3ImAJAXWSpxlIZWU3q12DpQEA3zCIMXBTc7w1
eREXUft3CupIIT70bCjcTbH5dIYX1w24OARoNwEMEgorBgEEAZdVAQUBAQdAmvb9
1f/tWoR4ADQytUwrXlXfp/U5Jt7KvWS5URWCjRMDAQgHiH4EGBYKACYWIQQZiS9v
bnOtO+URW1aKZZzHtNY65gUCaDcBDAIbDAUJAv/PGAAKCRCKZZzHtNY65n/UAQCR
0W40F4QaD2SnXZS8fmDBK341LTbyhy8JACmKKKB3PAD/Tq/0SfDC0i905OdWcbJ0
AQfwlnC0kTOkPh2bO1vyfwg=
=YZAU
-----END PGP PUBLIC KEY BLOCK-----

19
.version.properties Normal file
View File

@@ -0,0 +1,19 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
properties_SPDX-Version="3.0"
properties_SPDX-ExternalRef="GIT https://git.coresecret.dev/msw/CISS.debian.installer.git"
properties_SPDX-FileCopyrightText="2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>"
properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
properties_SPDX-PackageName="CISS.debian.installer"
properties_SPDX-Security-Contact="security@coresecret.eu"
properties_version="V8.00.000.2025.06.17"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

23
CISS.debian.installer.spdx Normal file
View File

@@ -0,0 +1,23 @@
SPDXVersion: SPDX-3.0
DataLicense: CC0-1.0
SPDX-DocumentName: CISS.debian.installer.SPDX
SPDX-DocumentNamespace: https://git.coresecret.dev/msw/CISS.debian.installer
Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-06-17T12:00:00Z
Package: CISS.debian.installer
PackageName: CISS.debian.installer
PackageVersion: Master V8.00.000.2025.06.17
PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.installer
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.installer
PackageLicenseDeclared: EUPL-1.2 OR LicenseRef-CCLA-1.0
PackageLicenseConcluded: EUPL-1.2
License: EUPL-1.2
LicenseID: EUPL-1.2
LicenseName: European Union Public License 1.2
LicenseCrossReference: https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
License: LicenseRef-CCLA-1.0
LicenseID: LicenseRef-CCLA-1.0
LicenseName: Centurion Commercial License Agreement 1.0
LicenseCrossReference: https://coresecret.eu/imprint/licenses/
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

142
LICENSE
View File

@@ -1,89 +1,121 @@
# SPDX-License-Identifier: EUPL-1.2
EUPL-1.2
EUROPEAN UNION PUBLIC LICENCE v. 1.2 EUROPEAN UNION PUBLIC LICENCE v. 1.2
EUPL © the European Union 2007, 2016 EUPL © the European Union 2007, 2016
This European Union Public Licence (the EUPL) applies to the Work (as defined below) which is provided under the This European Union Public Licence (the 'EUPL') applies to the Work (as defined below) which is provided under the
terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such
use is covered by a right of the copyright holder of the Work). a use is covered by a right of the copyright holder of the Work).
The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following
notice immediately following the copyright notice for the Work: notice immediately following the copyright notice for the Work:
Licensed under the EUPL Licensed under the EUPL
or has expressed by any other means his willingness to license under the EUPL. or has expressed by any other means his willingness to license under the EUPL.
1.Definitions 1.Definitions
In this Licence, the following terms have the following meaning: In this Licence, the following terms have the following meaning:
The Licence:this Licence.
The Original Work:the work or software distributed or communicated by the Licensor under this Licence, available 'The Licence':this Licence.
— 'The Original Work':the work or software distributed or communicated by the Licensor under this Licence, available
as Source Code and also as Executable Code as the case may be. as Source Code and also as Executable Code as the case may be.
Derivative Works:the works or software that could be created by the Licensee, based upon the Original Work or
— 'Derivative Works':the works or software that could be created by the Licensee, based upon the Original Work or
modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work
required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in
the country mentioned in Article 15. the country mentioned in Article 15.
The Work:the Original Work or its Derivative Works.
The Source Code:the human-readable form of the Work which is the most convenient for people to study and 'The Work':the Original Work or its Derivative Works.
— 'The Source Code':the human-readable form of the Work, which is the most convenient for people to study and
modify. modify.
The Executable Code:any code which has generally been compiled and which is meant to be interpreted by
— 'The Executable Code':any code, which has generally been compiled and, which is meant to be interpreted by
a computer as a program. a computer as a program.
The Licensor:the natural or legal person that distributes or communicates the Work under the Licence.
Contributor(s):any natural or legal person who modifies the Work under the Licence, or otherwise contributes to 'The Licensor':the natural or legal person that distributes or communicates the Work under the Licence.
— 'Contributor(s)':any natural or legal person who modifies the Work under the Licence, or otherwise contributes to
the creation of a Derivative Work. the creation of a Derivative Work.
The Licensee or You:any natural or legal person who makes any usage of the Work under the terms of the
— 'The Licensee' or 'You':any natural or legal person who makes any usage of the Work under the terms of the
Licence. Licence.
Distribution or Communication:any act of selling, giving, lending, renting, distributing, communicating,
transmitting, or otherwise making available, online or offline, copies of the Work or providing access to its essential — 'Distribution' or 'Communication':any act of selling, giving, lending, renting, distributing, communicating,
transmitting, or otherwise making available, online, or offline, copies of the Work or providing access to its essential
functionalities at the disposal of any other natural or legal person. functionalities at the disposal of any other natural or legal person.
2.Scope of the rights granted by the Licence 2.Scope of the rights granted by the Licence
The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for
the duration of copyright vested in the Original Work: the duration of copyright vested in the Original Work:
— use the Work in any circumstance and for all usage,
— use the Work in any circumstances and for all usage,
— reproduce the Work, — reproduce the Work,
— modify the Work, and make Derivative Works based upon the Work,
— modify the Work and make Derivative Works based upon the Work,
— communicate to the public, including the right to make available or display the Work or copies thereof to the public — communicate to the public, including the right to make available or display the Work or copies thereof to the public
and perform publicly, as the case may be, the Work, and perform publicly, as the case may be, the Work,
— distribute the Work or copies thereof, — distribute the Work or copies thereof,
— lend and rent the Work or copies thereof, — lend and rent the Work or copies thereof,
— sublicense rights in the Work or copies thereof. — sublicense rights in the Work or copies thereof.
Those rights can be exercised on any media, supports and formats, whether now known or later invented, as far as the
Those rights can be exercised on any media, supports, and formats, whether now known or later invented, as far as the
applicable law permits so. applicable law permits so.
In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed
by law in order to make effective the licence of the economic rights here above listed. by law in order to make effective the licence of the economic rights here above listed.
The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the
extent necessary to make use of the rights granted on the Work under this Licence. extent necessary to make use of the rights granted on the Work under this Licence.
3.Communication of the Source Code 3.Communication of the Source Code
The Licensor may provide the Work either in its Source Code form, or as Executable Code. If the Work is provided as
The Licensor may provide the Work either in its Source Code form or as Executable Code. If the Work is provided as
Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with
each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to
the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to
distribute or communicate the Work. distribute or communicate the Work.
4.Limitations on copyright 4.Limitations on copyright
Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the
exclusive rights of the rights owners in the Work, of the exhaustion of those rights or of other applicable limitations exclusive rights of the rights owners in the Work, to the exhaustion of those rights or of other applicable limitations
thereto. thereto.
5.Obligations of the Licensee 5.Obligations of the Licensee
The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those
obligations are the following: obligations are the following:
Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to
the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices and a copy of the the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices, and a copy of the
Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work
to carry prominent notices stating that the Work has been modified and the date of modification. to carry prominent notices stating that the Work has been modified and the date of modification.
Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this
Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless
the Original Work is expressly distributed only under this version of the Licence — for example by communicating the Original Work is expressly distributed only under this version of the Licence — for example, by communicating
EUPL v. 1.2 only. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the 'EUPL v. 1.2 only'. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the
Work or Derivative Work that alter or restrict the terms of the Licence. Work or Derivative Work that alter or restrict the terms of the Licence.
Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both
the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done
under the terms of this Compatible Licence. For the sake of this clause, Compatible Licence refers to the licences listed under the terms of this Compatible Licence. For the sake of this clause, 'Compatible Licence' refers to the licences listed
in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with
his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail. his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail.
Provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide The provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide
a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available
for as long as the Licensee continues to distribute or communicate the Work. for as long as the Licensee continues to distribute or communicate the Work.
Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names
@@ -91,100 +123,134 @@ of the Licensor, except as required for reasonable and customary use in describi
reproducing the content of the copyright notice. reproducing the content of the copyright notice.
6.Chain of Authorship 6.Chain of Authorship
The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or
licensed to him/her and that he/she has the power and authority to grant the Licence. licensed to him/her and that he/she has the power and authority to grant the Licence.
Each Contributor warrants that the copyright in the modifications he/she brings to the Work are owned by him/her or
Each Contributor warrants that the copyright in the modifications he/she brings to the Work is owned by him/her or
licensed to him/her and that he/she has the power and authority to grant the Licence. licensed to him/her and that he/she has the power and authority to grant the Licence.
Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions
to the Work, under the terms of this Licence. to the Work, under the terms of this Licence.
7.Disclaimer of Warranty 7.Disclaimer of Warranty
The Work is a work in progress, which is continuously improved by numerous Contributors. It is not a finished work
and may therefore contain defects or bugs inherent to this type of development. The Work is a work in progress, which is continuously improved by numerous Contributors. It is not finished work
For the above reason, the Work is provided under the Licence on an as is basis and without warranties of any kind and may therefore contain defects or 'bugs' inherent to this type of development.
For the above reason, the Work is provided under the Licence on an 'as is' basis and without warranties of any kind
concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or
errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this
Licence. Licence.
This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work. This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work.
8.Disclaimer of Liability 8.Disclaimer of Liability
Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be
liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the
Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss
of data or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However, of data, or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However,
the Licensor will be liable under statutory product liability laws as far such laws apply to the Work. the Licensor will be liable under statutory product liability laws as far as such laws apply to the Work.
9.Additional agreements 9.Additional agreements
While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services
consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole
responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify, responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such Contributor by defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such a Contributor by
the fact You have accepted any warranty or additional liability. the fact You have accepted any warranty or additional liability.
10.Acceptance of the Licence 10.Acceptance of the Licence
The provisions of this Licence can be accepted by clicking on an icon I agree placed under the bottom of a window
The provisions of this Licence can be accepted by clicking on an icon 'I agree' placed under the bottom of a window
displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of
applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms
and conditions. and conditions.
Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You
by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution
or Communication by You of the Work or copies thereof. or Communication by You of the Work or copies thereof.
11.Information to the public 11.Information to the public
In case of any Distribution or Communication of the Work by means of electronic communication by You (for example, In case of any Distribution or Communication of the Work by means of electronic communication by You (for example,
by offering to download the Work from a remote location) the distribution channel or media (for example, a website) by offering to download the Work from a remote location) the distribution channel or media (for example, a website)
must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence,
and the way it may be accessible, concluded, stored and reproduced by the Licensee. and the way it may be accessible, concluded, stored, and reproduced by the Licensee.
12.Termination of the Licence 12.Termination of the Licence
The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms
of the Licence. of the Licence.
Such a termination will not terminate the licences of any person who has received the Work from the Licensee under Such a termination will not terminate the licences of any person who has received the Work from the Licensee under
the Licence, provided such persons remain in full compliance with the Licence. the Licence, provided such persons remain in full compliance with the Licence.
13.Miscellaneous 13.Miscellaneous
Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the
Work. Work.
If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or
enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid
and enforceable. and enforceable.
The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of
the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence. the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence.
New versions of the Licence will be published with a unique version number. New versions of the Licence will be published with a unique version number.
All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take
advantage of the linguistic version of their choice. advantage of the linguistic version of their choice.
14.Jurisdiction 14.Jurisdiction
Without prejudice to specific agreement between parties, Without prejudice to specific agreement between parties,
— any litigation resulting from the interpretation of this License, arising between the European Union institutions, — any litigation resulting from the interpretation of this License, arising between the European Union institutions,
bodies, offices or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice bodies, offices, or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice
of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union, of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union,
— any litigation arising between other parties and resulting from the interpretation of this License, will be subject to
— any litigation arising between other parties and resulting from the interpretation of this License will be subject to
the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business. the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business.
15.Applicable Law 15.Applicable Law
Without prejudice to specific agreement between parties, Without prejudice to specific agreement between parties,
— this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat, — this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat,
resides or has his registered office, resides, or has his registered office
— this licence shall be governed by Belgian law if the Licensor has no seat, residence or registered office inside
— this licence shall be governed by Belgian law if the Licensor has no seat, residence, or registered office inside
a European Union Member State. a European Union Member State.
Appendix Appendix
Compatible Licences according to Article 5 EUPL are: 'Compatible Licences' according to Article 5 EUPL are:
— GNU General Public License (GPL) v. 2, v. 3 — GNU General Public License (GPL) v. 2, v. 3
— GNU Affero General Public License (AGPL) v. 3 — GNU Affero General Public License (AGPL) v. 3
— Open Software License (OSL) v. 2.1, v. 3.0 — Open Software License (OSL) v. 2.1, v. 3.0
— Eclipse Public License (EPL) v. 1.0 — Eclipse Public License (EPL) v. 1.0
— CeCILL v. 2.0, v. 2.1 — CeCILL v. 2.0, v. 2.1
— Mozilla Public Licence (MPL) v. 2 — Mozilla Public Licence (MPL) v. 2
— GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3 — GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3
— Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software — Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software
— European Union Public Licence (EUPL) v. 1.1, v. 1.2 — European Union Public Licence (EUPL) v. 1.1, v. 1.2
— Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+). — Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+).
The European Commission may update this Appendix to later versions of the above licences without producing The European Commission may update this Appendix to later versions of the above licences without producing
a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the
covered Source Code from exclusive appropriation. covered Source Code from exclusive appropriation.
All other changes or additions to this Appendix require the production of a new EUPL version. All other changes or additions to this Appendix require the production of a new EUPL version.

90
README.md
View File

@@ -1,3 +1,89 @@
# CISS.debian.installer ---
gitea: none
include_toc: true
---
[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.00.000.2025.06.17-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.installer)
&nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.15-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/shellcheck-passed-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=shellcheck&color=%234EAA25)](https://shellcheck.net/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
&nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.23.8-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&logo=x&logoColor=white&logoSize=auto&label=SocialMedia&color=%23000000)](https://x.com/coresecret_eu) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Donation-Donation-white?style=plastic&logo=sepa&logoColor=white&logoSize=auto&label=&color=%230F243E)](https://coresecret.eu/spenden/#sepa) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/bitcoin-Bitcoin-white?style=plastic&logo=bitcoin&logoColor=white&logoSize=auto&label=Donation&color=%23F7931A)](https://coresecret.eu/spenden/#bitcoin) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/simplex-Simplex-white?style=plastic&logo=simplex&logoColor=white&logoSize=auto&label=Contact&color=%23000000)](https://coresecret.eu/contact/#simplex) &nbsp;
CISS Debian Installer # 1. CISS.debian.installer
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br>
**Build**: V8.00.000.2025.06.17<br>
This is a digitally signed, self-verifying shell script for installing a hardened Debian Bookworm server environment, based on
the latest server and service hardening best practices. Compared to the original Debian installer, this installer offers much
greater flexibility in terms of custom partitioning schemes and is more reliable than the Calamares suite.<br>
Check out more:
* [CenturionNet Services](https://coresecret.eu/cnet/)
* [CenturionDNS Resolver](https://eddns.eu/)
* [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt)
* [CenturionNet Status](https://uptime.coresecret.eu/)
* [CenturionMeet](https://talk.e2ee.li/)
* [Contact the author](https://coresecret.eu/contact/)
## 1.1. Preliminary Remarks
### 1.1.1. HSM
Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. The next step is to
move to a room-gapped environment. ^^
### 1.1.2. DNSSEC, HSTS, TLS
Please note that `coresecret.dev` is included in the [(HSTS Preload List)](https://hstspreload.org/) and always serves the headers:
````nginx configuration pro
add_header Expect-CT "max-age=86400, enforce" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
````
* Additionally, the entire zone is dual-signed with **DNSSEC**. See the current **DNSSEC** status at: **[DNSSEC Audit Report](/docs/AUDIT_DNSSEC.md)**
* A comprehensive TLS audit of the **`git.coresecret.dev`** Gitea server is also available. See: **[TLS Audit Report](/docs/AUDIT_TLS.md)**
* The infrastructure of the **`CISS.debian.installer`** building system is visualized here. See: **[Centurion Net](/docs/CNET.md)**
### 1.1.3. Gitea Action Runner Hardening
The CI runners operate on a dedicated host system located in a completely separate Autonomous System (AS). This host is solely
dedicated to providing CI runners and does not perform any other tasks. Each runner is hermetically isolated from others using
non-privileged, shell-less user accounts with no direct login capability. Additionally, each runner executes within its own
separate directory tree, employs `DynamicUser` features, and adheres to strict systemd hardening policies
(achieving a ``systemd-analyze security``rating of **``2.6``**). Docker containers used by runners do not run in privileged
mode. Security is further enhanced through the use of both UFW software firewalls and dedicated hardware firewall appliances.
### 1.2. Keywords
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as described in [[BCP 14](https://www.rfc-editor.org/info/bcp14)],
[[RFC2119](https://datatracker.ietf.org/doc/html/rfc2119)], [[RFC8174](https://datatracker.ietf.org/doc/html/rfc8174)] when,
and only when, they appear in all capitals, as shown here.
# 6. Licensing & Compliance
This repository is fully SPDX-compliant. All source files include appropriate SPDX license identifiers and headers to ensure
clear and unambiguous licensing. You can verify compliance by reviewing the top of each file, which follows the SPDX
standard for license expressions and metadata.
# 7. Disclaimer
This README is provided "as-is" without any warranty. Review your organization's policies before deploying to production.
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

23
SECURITY.md Normal file
View File

@@ -0,0 +1,23 @@
# Security Policy
## Reporting vulnerabilities
Please send your vulnerability reports to `security@coresecret.eu`
To make sure that your report reaches me, please:
Include the words `CISS.debian.installer` and `vulnerability` to the subject line as well as a short description of the vulnerability.
Make sure that the message body contains a clear description of the vulnerability.
If you have not received a reply to your email within seven days, please make sure to follow up with me again at `security@coresecret.eu`
Once again, make sure that the word `vulnerability` is in the subject line.
My security policy is available at:
[https://coresecret.eu/security-policy/](https://coresecret.eu/security-policy/)
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

177
ciss_debian_installer.sh Normal file
View File

@@ -0,0 +1,177 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
### Contributions so far see ./docs/CREDITS.md
### WHY BASH?
# Ease of installation.
# No compiling or installing gems, CPAN modules, pip packages, etc.
# Simple to use and read. Clear syntax and straightforward output interpretation.
# Built-in power.
# Pattern matching, line processing, and regular expression support are available natively,
# no external binaries required.
# Cross-platform consistency.
# '/bin/bash' is the default shell on most Linux distributions, ensuring scripts run unmodified across systems.
# macOS compatibility.
# Since macOS Catalina (10.15), the default login shell has been zsh, but bash remains available at '/bin/bash'.
# Windows support.
# You can use bash via WSL, MSYS2, or Cygwin on Windows systems.
### PRELIMINARY CHECKS
[ -z "${BASH_VERSINFO[0]}" ] && {
. ./var/errors.var.sh; printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2; exit "${ERR_UNSUPPORTED_BASH}"; }
[[ ${EUID} -ne 0 ]] && {
. ./var/errors.var.sh; printf "\e[91m❌ Please make sure you are 'root'! Bye... \e[0m\n" >&2; exit "${ERR_USER_IS_NOT_ROOT}"; }
[[ $(kill -l | grep -c SIG) -eq 0 ]] && {
. ./var/errors.var.sh; printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2; exit "${ERR_UNSUPPORTED_BASH}"; }
[[ ${BASH_VERSINFO[0]} -lt 5 ]] && {
. ./var/errors.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSUPPORTED_BASH}"; }
[[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && {
. ./var/errors.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSUPPORTED_BASH}"; }
[[ ${#} -eq 0 ]] && {
. ./lib/1000_usage.sh; usage >&2; exit 1; }
### SOURCING MUST SET EARLY VARIABLES AND GUARD_SOURCING()
. ./var/early.var.sh
. ./lib/1007_guard_sorucing.sh
### CHECK FOR CONTACT, HELP, AND VERSION STRING
for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/1001_contact.sh; contact; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/1000_usage.sh; usage; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -v|--version) printf "\e[95mCISS.debian.installer Version: %s\e[0m\n" "${VAR_VERSION}"; exit 0;; esac; done
### ALL CHECKS DONE. READY TO START THE SCRIPT
declare -grx VAR_SETUP="true"
### CHECK FOR AUTO INSTALL MODE
for arg in "$@"; do case "${arg,,}" in -a|--autoinstall) declare -gx VAR_AUTO_INSTALL="true";; esac; done; unset arg
### CHECKING REQUIRED PACKAGES
. ./lib/1010_check_pkgs.sh
. ./lib/1011_check_git.sh
check_pkgs
check_git
### PRE SCAN FOR DEBUG MODE
. ./lib/1015_debug_pre_scan.sh
pre_scan_debug "$@"
### ADVISORY LOCK
exec 127>/var/lock/ciss_debian_installer.lock || {
printf "\e[91m❌ Cannot open lockfile for writing! Bye... \e[0m\n" >&2
exit "${ERR_FLOCK_PROTECTED}"
}
if ! flock -x -n 127; then
printf "\e[91m❌ Another instance is running! Bye...\e[0m\n" >&2
exit "${ERR_FLOCK_COLLISION}"
fi
### SOURCING
[[ "${VAR_SETUP}" == true ]] && {
### SOURCING BASH OPTIONS
. ./var/bash.var.sh
### SOURCING FUNCTIONS
. ./meta_loader_func.sh
### SOURCING LIBRARIES
. ./meta_loader_lib.sh
### SOURCING VARIABLES
. ./meta_loader_var.sh
}
### ACTIVATING TRAPS
trap 'trap_exit "$?"' EXIT
trap 'trap_int' INT
trap 'trap_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
### PREPARING DIRECTORIES AND FILES
gen_dir_files
### Dialog Output for Initialization
if ! $VAR_AUTO_INSTALL; then . ./lib/1050_dialog_helper.sh && dialog_gauge; fi
### Updating Status of Dialog Gauge Bar
if ! $VAR_AUTO_INSTALL; then printf "XXX\nAdditional initialization ... \nXXX\n25\n" >&3; fi
### Initialization
declare -gr ARGUMENTS_COUNT="$#"
declare -gr ARG_STR_ORG_INPUT="$*"
#declare -ar ARG_ARY_ORG_INPUT=("$@")
# shellcheck disable=SC2155
declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
# shellcheck disable=SC2155
declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
# shellcheck disable=SC2155
declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
### Updating Status of Dialog Gauge Bar
if ! $VAR_AUTO_INSTALL; then printf "XXX\nSourcing Libraries ... \nXXX\n50\n" >&3; fi
# TODO Update temp File Cleaner on trap on ERR / EXIT
### Updating Status of Dialog Gauge Bar
if ! $VAR_AUTO_INSTALL; then printf "XXX\nActivate traps ... \nXXX\n55\n" >&3; fi
### Following the CISS Bash naming and ordering scheme
### Updating Status of Dialog Gauge Bar
if ! $VAR_AUTO_INSTALL; then printf "XXX\nSanitizing Arguments ... \nXXX\n70\n" >&3; fi
arg_check "$@"
declare -ar ARY_ARG_SANITIZED=("$@")
declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
### Updating Status of Dialog Gauge Bar
if ! $VAR_AUTO_INSTALL; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
arg_parser "$@"
### Updating Status of Dialog Gauge Bar
if ! $VAR_AUTO_INSTALL; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
clean_ip
### Updating Status of Dialog Gauge Bar
if ! $VAR_AUTO_INSTALL; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
if ! $VAR_AUTO_INSTALL; then dialog_gauge_cleaner; fi
### MAIN Program
arg_priority_check
check_stats
if ! $VAR_AUTO_INSTALL; then check_provider; fi
if ! $VAR_AUTO_INSTALL; then check_kernel; fi
check_hooks
hardening_ssh
lb_config_start
lb_config_write
cd "${VAR_WORKDIR}"
hardening_ultra
hardening_root_pw
change_splash
check_dhcp
cdi
provider_netcup
### Start the build process
set +o errtrace
lb_build_start
set -o errtrace
run_analysis
copy_db
declare -g VAR_SCRIPT_SUCCESS=true
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

21
docs/AUDIT_DNSSEC.md Normal file
View File

@@ -0,0 +1,21 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.installer
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br>
**Build**: V8.00.000.2025.06.17<br>
# 2. DNSSEC Status
This is an auto-generated overview of the DNSSEC status of `coresecret.dev` at the time of the last human-initiated push event.
![DNSSEC Status](/docs/SECURITY/coresecret.dev.png)
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

316
docs/AUDIT_TLS.md Normal file
View File

@@ -0,0 +1,316 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.installer
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br>
**Build**: V8.00.000.2025.06.17<br>
# 2. TLS Audit:
````text
#####################################################################
testssl.sh version 3.2rc4 from https://testssl.sh/dev/
(6746fa5 2025-04-18 13:17:50)
This program is free software. Distribution and modification under
GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
#####################################################################
Using OpenSSL 1.0.2-bad (Mar 28 2025) [~179 ciphers]
on kali:./bin/openssl.Linux.x86_64
Start 2025-06-02 18:04:19 -->> 152.53.110.40:443 (coresecret.dev) <<--
Further IP addresses: 2a0a:4cc0:80:330f:152:53:110:40
rDNS (152.53.110.40): git.coresecret.dev.
Service detected: HTTP
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 h2, http/1.1 (offered)
Testing for server implementation bugs
No bugs found.
Testing cipher categories
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK)
Triple DES Ciphers / IDEA not offered
Obsoleted CBC ciphers (AES, ARIA etc.) not offered
Strong encryption (AEAD ciphers) with no FS not offered
Forward Secrecy strong encryption (AEAD ciphers) offered (OK)
Testing server's cipher preferences
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
-
SSLv3
-
TLSv1
-
TLSv1.1
-
TLSv1.2 (server order)
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 448 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLSv1.3 (server order)
x1302 TLS_AES_256_GCM_SHA384 ECDH 448 AESGCM 256 TLS_AES_256_GCM_SHA384
x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 448 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256
Has server cipher order? yes (OK) -- TLS 1.3 and below
Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4
FS is offered (OK) , ciphers follow (client/browser support is important here)
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
x1302 TLS_AES_256_GCM_SHA384 ECDH 448 AESGCM 256 TLS_AES_256_GCM_SHA384 available
x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 448 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 available
xcc14 ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD not a/v
xcc13 ECDHE-RSA-CHACHA20-POLY1305-OLD ECDH ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD not a/v
xcc15 DHE-RSA-CHACHA20-POLY1305-OLD DH ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD not a/v
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 available
xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 not a/v
xc028 ECDHE-RSA-AES256-SHA384 ECDH AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 not a/v
xc024 ECDHE-ECDSA-AES256-SHA384 ECDH AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 not a/v
xc014 ECDHE-RSA-AES256-SHA ECDH AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA not a/v
xc00a ECDHE-ECDSA-AES256-SHA ECDH AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA not a/v
xa3 DHE-DSS-AES256-GCM-SHA384 DH AESGCM 256 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 not a/v
x9f DHE-RSA-AES256-GCM-SHA384 DH AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 not a/v
xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 not a/v
xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 available
xccaa DHE-RSA-CHACHA20-POLY1305 DH ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not a/v
xc0af ECDHE-ECDSA-AES256-CCM8 ECDH AESCCM8 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 not a/v
xc0ad ECDHE-ECDSA-AES256-CCM ECDH AESCCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM not a/v
xc0a3 DHE-RSA-AES256-CCM8 DH AESCCM8 256 TLS_DHE_RSA_WITH_AES_256_CCM_8 not a/v
xc09f DHE-RSA-AES256-CCM DH AESCCM 256 TLS_DHE_RSA_WITH_AES_256_CCM not a/v
x6b DHE-RSA-AES256-SHA256 DH AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 not a/v
x6a DHE-DSS-AES256-SHA256 DH AES 256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 not a/v
x39 DHE-RSA-AES256-SHA DH AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA not a/v
x38 DHE-DSS-AES256-SHA DH AES 256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA not a/v
xc077 ECDHE-RSA-CAMELLIA256-SHA384 ECDH Camellia 256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 not a/v
xc073 ECDHE-ECDSA-CAMELLIA256-SHA384 ECDH Camellia 256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 not a/v
xc4 DHE-RSA-CAMELLIA256-SHA256 DH Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 not a/v
xc3 DHE-DSS-CAMELLIA256-SHA256 DH Camellia 256 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 not a/v
x88 DHE-RSA-CAMELLIA256-SHA DH Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA not a/v
x87 DHE-DSS-CAMELLIA256-SHA DH Camellia 256 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA not a/v
xc043 DHE-DSS-ARIA256-CBC-SHA384 DH ARIA 256 TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 not a/v
xc045 DHE-RSA-ARIA256-CBC-SHA384 DH ARIA 256 TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 not a/v
xc049 ECDHE-ECDSA-ARIA256-CBC-SHA384 ECDH ARIA 256 TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 not a/v
xc04d ECDHE-RSA-ARIA256-CBC-SHA384 ECDH ARIA 256 TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 not a/v
xc053 DHE-RSA-ARIA256-GCM-SHA384 DH ARIAGCM 256 TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 not a/v
xc057 DHE-DSS-ARIA256-GCM-SHA384 DH ARIAGCM 256 TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 not a/v
xc05d ECDHE-ECDSA-ARIA256-GCM-SHA384 ECDH ARIAGCM 256 TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 not a/v
xc061 ECDHE-ARIA256-GCM-SHA384 ECDH ARIAGCM 256 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 not a/v
xc07d - DH CamelliaGCM 256 TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 not a/v
xc081 - DH CamelliaGCM 256 TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 not a/v
xc087 - ECDH CamelliaGCM 256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 not a/v
xc08b - ECDH CamelliaGCM 256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 not a/v
x1301 TLS_AES_128_GCM_SHA256 any AESGCM 128 TLS_AES_128_GCM_SHA256 not a/v
x1304 TLS_AES_128_CCM_SHA256 any AESCCM 128 TLS_AES_128_CCM_SHA256 not a/v
x1305 TLS_AES_128_CCM_8_SHA256 any AESCCM8 128 TLS_AES_128_CCM_8_SHA256 not a/v
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 not a/v
xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 not a/v
xc027 ECDHE-RSA-AES128-SHA256 ECDH AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 not a/v
xc023 ECDHE-ECDSA-AES128-SHA256 ECDH AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 not a/v
xc013 ECDHE-RSA-AES128-SHA ECDH AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA not a/v
xc009 ECDHE-ECDSA-AES128-SHA ECDH AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA not a/v
xa2 DHE-DSS-AES128-GCM-SHA256 DH AESGCM 128 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 not a/v
x9e DHE-RSA-AES128-GCM-SHA256 DH AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 not a/v
xc0ae ECDHE-ECDSA-AES128-CCM8 ECDH AESCCM8 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 not a/v
xc0ac ECDHE-ECDSA-AES128-CCM ECDH AESCCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM not a/v
xc0a2 DHE-RSA-AES128-CCM8 DH AESCCM8 128 TLS_DHE_RSA_WITH_AES_128_CCM_8 not a/v
xc09e DHE-RSA-AES128-CCM DH AESCCM 128 TLS_DHE_RSA_WITH_AES_128_CCM not a/v
x67 DHE-RSA-AES128-SHA256 DH AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 not a/v
x40 DHE-DSS-AES128-SHA256 DH AES 128 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 not a/v
x33 DHE-RSA-AES128-SHA DH AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA not a/v
x32 DHE-DSS-AES128-SHA DH AES 128 TLS_DHE_DSS_WITH_AES_128_CBC_SHA not a/v
xc076 ECDHE-RSA-CAMELLIA128-SHA256 ECDH Camellia 128 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 not a/v
xc072 ECDHE-ECDSA-CAMELLIA128-SHA256 ECDH Camellia 128 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 not a/v
xbe DHE-RSA-CAMELLIA128-SHA256 DH Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 not a/v
xbd DHE-DSS-CAMELLIA128-SHA256 DH Camellia 128 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 not a/v
x9a DHE-RSA-SEED-SHA DH SEED 128 TLS_DHE_RSA_WITH_SEED_CBC_SHA not a/v
x99 DHE-DSS-SEED-SHA DH SEED 128 TLS_DHE_DSS_WITH_SEED_CBC_SHA not a/v
x45 DHE-RSA-CAMELLIA128-SHA DH Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA not a/v
x44 DHE-DSS-CAMELLIA128-SHA DH Camellia 128 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA not a/v
xc042 DHE-DSS-ARIA128-CBC-SHA256 DH ARIA 128 TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 not a/v
xc044 DHE-RSA-ARIA128-CBC-SHA256 DH ARIA 128 TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 not a/v
xc048 ECDHE-ECDSA-ARIA128-CBC-SHA256 ECDH ARIA 128 TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 not a/v
xc04c ECDHE-RSA-ARIA128-CBC-SHA256 ECDH ARIA 128 TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 not a/v
xc052 DHE-RSA-ARIA128-GCM-SHA256 DH ARIAGCM 128 TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 not a/v
xc056 DHE-DSS-ARIA128-GCM-SHA256 DH ARIAGCM 128 TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 not a/v
xc05c ECDHE-ECDSA-ARIA128-GCM-SHA256 ECDH ARIAGCM 128 TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 not a/v
xc060 ECDHE-ARIA128-GCM-SHA256 ECDH ARIAGCM 128 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 not a/v
xc07c - DH CamelliaGCM 128 TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 not a/v
xc080 - DH CamelliaGCM 128 TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 not a/v
xc086 - ECDH CamelliaGCM 128 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 not a/v
xc08a - ECDH CamelliaGCM 128 TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 not a/v
Elliptic curves offered: secp384r1 secp521r1 X448
TLS 1.2 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 RSA+SHA512 RSA+SHA224
TLS 1.3 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512
Testing server defaults (Server Hello)
TLS extensions (standard) "server name/#0" "max fragment length/#1" "status request/#5" "supported_groups/#10" "EC point formats/#11"
"application layer protocol negotiation/#16" "extended master secret/#23" "supported versions/#43" "key share/#51"
"renegotiation info/#65281"
Session Ticket RFC 5077 hint no -- no lifetime advertised
SSL Session ID support yes
Session Resumption Tickets no, ID: yes
TLS clock skew Random values, no fingerprinting possible
Certificate Compression none
Client Authentication none
Signature Algorithm SHA256 with RSA
Server key size RSA 4096 bits (exponent is 65537)
Server key usage Digital Signature, Key Encipherment
Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication
Serial 1230B34459C6F27FA9BCD2 (OK: length 11)
Fingerprints SHA1 1A8BD98862771602E7DD46B742FB66D6C03E622E
SHA256 76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC
Common Name (CN) coresecret.dev
subjectAltName (SAN) coresecret.dev git.coresecret.dev lab.coresecret.dev run.coresecret.dev www.coresecret.dev
Trust (hostname) Ok via SAN and CN (same w/o SNI)
Chain of trust Ok
EV cert (experimental) no
Certificate Validity (UTC) 174 >= 60 days (2025-05-28 09:56 --> 2025-11-23 22:59)
ETS/"eTLS", visibility info not present
In pwnedkeys.com DB not in database
Certificate Revocation List http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
OCSP URI http://ocsp.buypass.com, not revoked
OCSP stapling offered, not revoked
OCSP must staple extension --
DNS CAA RR (experimental) not offered
Certificate Transparency yes (certificate extension)
Certificates provided 2
Issuer Buypass Class 2 CA 5 (Buypass AS-983163327 from NO)
Intermediate cert validity #1: ok > 40 days (2027-05-23 12:57). Buypass Class 2 CA 5 <-- Buypass Class 2 Root CA
Intermediate Bad OCSP (exp.) Ok
Testing HTTP header response @ "/"
HTTP Status Code 301 Moved Permanently, redirecting to "https://git.coresecret.dev"
HTTP clock skew 0 sec from localtime
Strict Transport Security 730 days=63072000 s, includeSubDomains, preload
Public Key Pinning --
Server banner nginx
Application banner --
Cookie(s) (none issued at "/") -- maybe better try target URL of 30x
Security headers X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Expect-CT: max-age=86400, enforce
Permissions-Policy: interest-cohort=()
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
X-XSS-Protection: 1; mode=block
Permissions-Policy: interest-cohort=()
Referrer-Policy: same-origin
Cache-Control: no-cache
Reverse Proxy banner --
Testing vulnerabilities
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224) not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), no session ticket extension
ROBOT Server does not support any cipher suites that use RSA key transport
Secure Renegotiation (RFC 5746) supported (OK)
Secure Client-Initiated Renegotiation not vulnerable (OK)
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587) no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/" tested
POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support
TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered
SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1
LUCKY13 (CVE-2013-0169), experimental not vulnerable (OK)
Winshock (CVE-2014-6321), experimental not vulnerable (OK)
RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)
Running client simulations (HTTP) via sockets
Browser Protocol Cipher Suite Name (OpenSSL) Forward Secrecy
------------------------------------------------------------------------------------------------
Android 7.0 (native) No connection
Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
Android 9.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Android 10.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Android 11/12 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Android 13/14 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Chrome 101 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Chromium 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Firefox 100 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
Firefox 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
IE 8 Win 7 No connection
IE 11 Win 7 No connection
IE 11 Win 8.1 No connection
IE 11 Win Phone 8.1 No connection
IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
Edge 15 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
Edge 101 Win 10 21H2 TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Edge 133 Win 11 23H2 TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Safari 18.4 (iOS 18.4) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
Safari 15.4 (macOS 12.3.1) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
Safari 18.4 (macOS 15.4) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
Java 7u25 No connection
Java 8u442 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
Java 17.0.3 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
Java 21.0.6 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
go 1.17.8 TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
LibreSSL 3.3.6 (macOS) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 521 bit ECDH (P-521)
OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
OpenSSL 3.0.15 (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
OpenSSL 3.5.0 (git) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
Apple Mail (16.0) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 521 bit ECDH (P-521)
Thunderbird (91.9) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
Rating (experimental)
Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
Protocol Support (weighted) 100 (30)
Key Exchange (weighted) 100 (30)
Cipher Strength (weighted) 100 (40)
Final Score 100
Overall Grade A+
Done 2025-06-02 18:05:51 [ 95s] -->> 152.53.110.40:443 (coresecret.dev) <<--
````
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

21
docs/CHANGELOG.md Normal file
View File

@@ -0,0 +1,21 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.installer
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br>
**Build**: V8.00.000.2025.06.17<br>
# 2. Changelog
## V8.00.000.2025.06.17
* Initial Release
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

21
docs/CNET.md Normal file
View File

@@ -0,0 +1,21 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.installer
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br>
**Build**: V8.00.000.2025.06.17<br>
# 2. Centurion Net - Developer Branch Overview
This is an automatically generated overview of the secure ``Centurion Net`` ``CISS.debian.installer`` building system.
![Centurion Net](/docs/graphviz/ciss.debian.live.builder.png)
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

92
docs/CODING_CONVENTION.md Normal file
View File

@@ -0,0 +1,92 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.installer
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br>
**Build**: V8.00.000.2025.06.17<br>
# 2. Coding Style
## 2.1. PR
You'd make the life of the maintainers easier if you submit only _one_ patch with _one_ functional change per PR.
## 2.2 Documentation
Some people really read that ! New features would need to be documented in the appropriate section in `usage()` and in
`~/docs/DOCUMENTATION.md`.
## 2.3. Coding
### 2.3.1. Shell / bash
Bash is actually quite powerful—not only with respect to sockets. It's not as mighty as perl or python, but there are a lot of
neat features. Here's how you make use of them. Besides those short hints here, there's a wealth of information there.
* Don't use backticks anymore, use `$(..)` instead
* Use double square `[[]]` brackets (_conditional expressions)_ instead of single square `[]` brackets
* In double square brackets, avoid quoting at the right-hand side if not necessary. For regex matching (`=~`) you shouldn't
quote at all.
* The [BashPitfalls](http://mywiki.wooledge.org/BashPitfalls) is a good read!
* Whenever possible try to avoid `tr` `sed` `awk` and use bash internal functions instead, see
e.g., [bash shell parameter substitution](http://www.cyberciti.biz/tips/bash-shell-parameter-substitution-2.html). It is
slower as it forks, fopens and pipes back the result.
* `read` often can replace `awk`: `IFS=, read -ra a b c <<< "$line_with_comma"`
* Bash can also deal perfectly with regular expressions, see
e.g., [here](https://www.networkworld.com/article/2693361/unix-tip-using-bash-s-regular-expressions.html)
and [here](https://unix.stackexchange.com/questions/421460/bash-regex-and-https-regex101-com).
* If you still need to use any of `tr`, `sed` and `awk`: try to avoid a mix of several external binaries e.g., if you can
achieve the same with e.g. `awk`.
* Be careful with very advanced bash features. Mac OS X is still using bash version
3 ([differences](http://tldp.org/LDP/abs/html/bashver4.html)).
* Always use a return value for a function/method. 0 means all is fine.
* Make use of [shellcheck](https://github.com/koalaman/shellcheck) if possible.
* Follow the [shellformat](https://google.github.io/styleguide/shellguide.html) Shell-Style Guide.
### 2.3.2. Shell specific
* Security:
* Watch out for any input especially (but not only) supplied from the server. Input should never be trusted.
* Unless you're really sure where the values come from, variables need to be put in quotes.
### 2.3.3. Variables
* Use **"speaking variables"** but don't overdo it with the length.
* No _camelCase_, please. We distinguish between lowercase and uppercase only.
* Global variables:
* use them only when really necessary,
* in CAPS,
* initialize them (`declare -g VAR_EXAMPLE=""`),
* SHOULD start with:
* `ARY_` for Arrays,
* `C_` for Variables defining colored outputs,
* `ERR_` for Error Codes Variables,
* `HMP_` for HashMap Arrays,
* `LOG_` for Logfile Variables,
* `PID_` for PID Variables,
* `PIPE_` for PIPE Variables,
* `VAR_` for Variables
* Local variables:
* are lower case,
* declare them before usage (`declare` eq `local`),
* initialize them (`declare var_example=""`),
* SHOULD start with:
* `ary_` for Arrays,
* `c_` for Variables defining colored outputs,
* `err_` for Error Codes Variables,
* `hmp_` for HashMap Arrays,
* `log_` for Logfile Variables,
* `var_` for Variables.
# 3. Misc
* Test before doing a PR! Best if you check with two bad and two good examples, which should then work as expected.
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

30
docs/CONTRIBUTING.md Normal file
View File

@@ -0,0 +1,30 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.installer
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br>
**Build**: V8.00.000.2025.06.17<br>
# 2. Contributing / participating
Contributing / participating is always welcome!
Please note the following:
* Please read the [Coding Convention](/docs/CODING_CONVENTION.md).
* If you have something new and/or bigger that you like to contribute, better open an issue first before you get frustrated.
* Please **one** pull request per feature or bug fix or improvement. Please do not mix issues.
* Documentation pays off in the long run. So please document your code, and the pull request and/or commit message.
* Please test your changes thoroughly as reliability is important for this project. You may want to check different environments with different settings.
* If it's a new feature, it would need to be documented in the appropriate section in `usage()` and in `/doc/DOCUMENTATION.md`
For questions, open an issue. Thanks for reading this!
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

29
docs/CREDITS.md Normal file
View File

@@ -0,0 +1,29 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.installer
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br>
**Build**: V8.00.000.2025.06.17<br>
# 2. Credits
## 2.2. Authors
## 2.3. Contributors
### X
I would like to express my sincere gratitude to Mr., Who-wants-to-live-forever, for his gracious support and insightful and profound criticism.
### Ζ
* Zimnol, André H.; Private Contributor
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

70
docs/DOCUMENTATION.md Normal file
View File

@@ -0,0 +1,70 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.installer
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br>
**Build**: V8.00.000.2025.06.17<br>
# 2. Usage
````text
CISS.debian.installer
Master V8.00.000.2025.06.17
(c) Marc S. Weidner, 2018 - 2025
(p) Centurion Press, 2024 - 2025
https://coresecret.eu/
A powerful Debian installer for setting up a hardened Debian environment.
"setup.sh <option>", where <option> is one or more of:
--help, -h
What you're looking at.
--contact, -c
Displays contact information of the author.
--debug
Enables debug logging for the main program routine. Detailed logging
information are written to "/tmp/ciss_live_builder_516151.log"
--renice-priority <PRIORITY>
Reset the nice priority value of the script and all its children
to the desired PRIORITY. MUST be an integer (between "-19" and 19).
Negative (higher) values MUST be enclosed in double quotes '"'.
--reionice-priority <CLASS> <PRIORITY>
Reset the ionice priority value of the script and all its children
to the desired CLASS. MUST be an integer:
1: realtime
2: best-effort
3: idle
defaults to "2".
PRIORITY MUST be an integer:
between 0 (highest) and 7 (lowest) priority.
defaults to "4".
A real-time I/O process can significantly slow down other processes
or even cause them to starve if it continuously requests I/O.
--version, -v
Displays version of -zsh.
NOTES:
- You MUST be 'root' to run this script.
Contact:
- https://coresecret.eu/
- security@coresecret.eu
- PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD
- https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD
````
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

155
docs/LICENSES/CC-BY-NC-ND-4.0.txt Normal file
View File

@@ -0,0 +1,155 @@
Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International
Creative Commons Corporation ("Creative Commons") is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an "as-is" basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible.
Using Creative Commons Public Licenses
Creative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses.
Considerations for licensors: Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. More considerations for licensors.
Considerations for the public: By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensors' permission is not necessary for any reason-for example, because of any applicable exception or limitation to copyright - then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described. Although not required by our licenses, you are encouraged to respect those requests where reasonable. More considerations for the public.
Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License
By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.
Section 1 - Definitions.
a. Adapted Material means material subject to Copyright and Similar Rights that are derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synced in timed relation with a moving image.
b. Copyright and Similar Rights mean copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.
c. Effective Technological Measures mean those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.
d. Exceptions and Limitations mean fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.
e. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License.
f. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material, and that the Licensor has authority to license.
g. Licensor means the individual(s) or entity(ies) granting rights under this Public License.
h. NonCommercial means not primarily intended for or directed towards commercial advantage or monetary compensation. For purposes of this Public License, the exchange of the Licensed Material for other material subjects to Copyright and Similar Rights by digital file-sharing or similar means is NonCommercial provided there is no payment of monetary compensation in connection with the exchange.
i. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.
j. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.
k. You mean the individual or entity exercising the Licensed Rights under this Public License. 'Your' has a corresponding meaning.
Section 2 - Scope.
a. License grant.
1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:
A. reproduce and Share the Licensed Material, in whole or in part, for NonCommercial purposes only; and
B. produce and reproduce, but not Share, Adapted Material for NonCommercial purposes only.
2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.
3. Term. The term of this Public License is specified in Section 6(a).
4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.
5. Downstream recipients.
A. Offer from the Licensor - Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.
B. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.
6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).
b. Other rights.
1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.
2. Patent and trademark rights are not licensed under this Public License.
3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases, the Licensor expressly reserves any right to collect such royalties, including when the Licensed Material is used other than for NonCommercial purposes.
Section 3 - License Conditions.
Your exercise of the Licensed Rights is expressly made subject to the following conditions.
a. Attribution.
1. If You Share the Licensed Material, You must:
A. retain the following if it is supplied by the Licensor with the Licensed Material:
i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);
ii. a copyright notice;
iii. a notice that refers to this Public License;
iv. a notice that refers to the disclaimer of warranties;
v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;
B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and
C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.
For the avoidance of doubt, You do not have permission under this Public License to Share Adapted Material.
2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.
3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.
Section 4 - Sui Generis Database Rights.
Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:
a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all, or a substantial portion of the contents of the database for NonCommercial purposes only and provided You do not Share Adapted Material;
b. if You include all, or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material; and
c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.
For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.
Section 5 - Disclaimer of Warranties and Limitation of Liability.
a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.
b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.
c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.
Section 6 - Term and Termination.
a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.
b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:
1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or
2. upon express reinstatement by the Licensor.
For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.
c. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.
d. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.
Section 7 - Other Terms and Conditions.
a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.
b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.
Section 8 - Interpretation.
a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.
b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.
c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.
d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.
Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the "Licensor." Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark "Creative Commons" or any other trademark or logo of Creative Commons without its prior written consent, including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.
Creative Commons may be contacted at creativecommons.org.

84
docs/LICENSES/CCLA-1.0.md Normal file
View File

@@ -0,0 +1,84 @@
# SPDX-License-Identifier: LicenseRef-CCLA-1.0
# Centurion Commercial License Agreement 1.0
## **1. General Terms**
1.1. This Subscription License Agreement ("Agreement") governs the commercial use of the Software ("Software").
1.2. Private and open-source usage of the Software remains governed by the EUPL-1.2 license.
1.3. By purchasing and using the Software under this Agreement, you ("Licensee") agree to the terms outlined below.
1.4. Only the English version of this Agreement shall be legally binding. Translations are provided for convenience only.
## **2. Grant of License**
2.1. Subject-to-payment of applicable subscription fees, Licensor grants Licensee a
- non-exclusive,
- non-transferable,
- time-limited,
right to use the Software for commercial purposes.
2.2. This license is valid only for the duration of the subscription period and under the scope defined in this Agreement.
## **3. Subscription Fees and Payment**
3.1. Licensee agrees to pay the subscription fees as specified in the pricing agreement. These fees are non-refundable.
3.2. Licensor reserves the right to modify subscription fees upon 30 days' written notice.
## **4. Restrictions**
4.1. Licensee shall not:
- Distribute, sublicense, or resell the Software.
- Reverse engineer, decompile, or modify the Software, except as permitted by mandatory law.
4.2. The Software may not be used for illegal or unethical purposes.
## **5. Support and Updates**
5.1. Licensor will provide updates and support for the Software during the subscription period, as detailed in the accompanying
support agreement.
5.2. Support services may include bug fixes, patches, and minor updates. Major updates may incur additional fees.
## **6. Termination**
6.1. This Agreement is valid for the subscription term unless terminated earlier:
- By Licensee, with a 30-day written notice.
- By Licensor, in the event of Licensees breach of this Agreement.
6.2. Upon termination, Licensee must cease all uses of the Software and delete all copies.
## **7. Liability and Warranty**
7.1. The Software is provided "as is" without warranties of any kind, except as required by law.
7.2. Licensors' liability is limited to the number of subscription fees paid by Licensee in the preceding 12 months.
## **8. Governing Law**
8.1. This Agreement shall be governed by the laws of Portugal.
8.2. Disputes arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of Portugal.
## **9. Miscellaneous**
9.1. Any changes to this Agreement must be in writing and signed by both parties.
9.2. If any provision of this Agreement is found invalid, the remaining provisions shall remain enforceable.
## 10. **Contact Information**
* Licensor : Centurion Intelligence Consulting Agency
* Email : legal@coresecret.eu
---
This Subscription License Agreement was last updated at 09.05.2025.
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

5
docs/LICENSES/CCLA-1.0.spdx Normal file
View File

@@ -0,0 +1,5 @@
SPDX-License-Identifier: LicenseRef-CCLA-1.0
SPDX-FileCopyrightText: 2024-2025 Centurion Intelligence Consulting Agency
LicenseRef-CCLA-1.0 is a custom Commercial License Agreement used for projects maintained by Centurion Intelligence Consulting Agency.
The full license text can be found at: https://coresecret.eu/imprint/licenses/ or in the same directory: CCLA-1.0.md

256
docs/LICENSES/EUPL-1.2.txt Normal file
View File

@@ -0,0 +1,256 @@
# SPDX-License-Identifier: EUPL-1.2
EUPL-1.2
EUROPEAN UNION PUBLIC LICENCE v. 1.2
EUPL © the European Union 2007, 2016
This European Union Public Licence (the 'EUPL') applies to the Work (as defined below) which is provided under the
terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such
a use is covered by a right of the copyright holder of the Work).
The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following
notice immediately following the copyright notice for the Work:
Licensed under the EUPL
or has expressed by any other means his willingness to license under the EUPL.
1.Definitions
In this Licence, the following terms have the following meaning:
— 'The Licence':this Licence.
— 'The Original Work':the work or software distributed or communicated by the Licensor under this Licence, available
as Source Code and also as Executable Code as the case may be.
— 'Derivative Works':the works or software that could be created by the Licensee, based upon the Original Work or
modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work
required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in
the country mentioned in Article 15.
— 'The Work':the Original Work or its Derivative Works.
— 'The Source Code':the human-readable form of the Work, which is the most convenient for people to study and
modify.
— 'The Executable Code':any code, which has generally been compiled and, which is meant to be interpreted by
a computer as a program.
— 'The Licensor':the natural or legal person that distributes or communicates the Work under the Licence.
— 'Contributor(s)':any natural or legal person who modifies the Work under the Licence, or otherwise contributes to
the creation of a Derivative Work.
— 'The Licensee' or 'You':any natural or legal person who makes any usage of the Work under the terms of the
Licence.
— 'Distribution' or 'Communication':any act of selling, giving, lending, renting, distributing, communicating,
transmitting, or otherwise making available, online, or offline, copies of the Work or providing access to its essential
functionalities at the disposal of any other natural or legal person.
2.Scope of the rights granted by the Licence
The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for
the duration of copyright vested in the Original Work:
— use the Work in any circumstances and for all usage,
— reproduce the Work,
— modify the Work and make Derivative Works based upon the Work,
— communicate to the public, including the right to make available or display the Work or copies thereof to the public
and perform publicly, as the case may be, the Work,
— distribute the Work or copies thereof,
— lend and rent the Work or copies thereof,
— sublicense rights in the Work or copies thereof.
Those rights can be exercised on any media, supports, and formats, whether now known or later invented, as far as the
applicable law permits so.
In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed
by law in order to make effective the licence of the economic rights here above listed.
The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the
extent necessary to make use of the rights granted on the Work under this Licence.
3.Communication of the Source Code
The Licensor may provide the Work either in its Source Code form or as Executable Code. If the Work is provided as
Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with
each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to
the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to
distribute or communicate the Work.
4.Limitations on copyright
Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the
exclusive rights of the rights owners in the Work, to the exhaustion of those rights or of other applicable limitations
thereto.
5.Obligations of the Licensee
The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those
obligations are the following:
Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to
the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices, and a copy of the
Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work
to carry prominent notices stating that the Work has been modified and the date of modification.
Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this
Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless
the Original Work is expressly distributed only under this version of the Licence — for example, by communicating
'EUPL v. 1.2 only'. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the
Work or Derivative Work that alter or restrict the terms of the Licence.
Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both
the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done
under the terms of this Compatible Licence. For the sake of this clause, 'Compatible Licence' refers to the licences listed
in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with
his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail.
The provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide
a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available
for as long as the Licensee continues to distribute or communicate the Work.
Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names
of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and
reproducing the content of the copyright notice.
6.Chain of Authorship
The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or
licensed to him/her and that he/she has the power and authority to grant the Licence.
Each Contributor warrants that the copyright in the modifications he/she brings to the Work is owned by him/her or
licensed to him/her and that he/she has the power and authority to grant the Licence.
Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions
to the Work, under the terms of this Licence.
7.Disclaimer of Warranty
The Work is a work in progress, which is continuously improved by numerous Contributors. It is not finished work
and may therefore contain defects or 'bugs' inherent to this type of development.
For the above reason, the Work is provided under the Licence on an 'as is' basis and without warranties of any kind
concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or
errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this
Licence.
This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work.
8.Disclaimer of Liability
Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be
liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the
Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss
of data, or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However,
the Licensor will be liable under statutory product liability laws as far as such laws apply to the Work.
9.Additional agreements
While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services
consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole
responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such a Contributor by
the fact You have accepted any warranty or additional liability.
10.Acceptance of the Licence
The provisions of this Licence can be accepted by clicking on an icon 'I agree' placed under the bottom of a window
displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of
applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms
and conditions.
Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You
by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution
or Communication by You of the Work or copies thereof.
11.Information to the public
In case of any Distribution or Communication of the Work by means of electronic communication by You (for example,
by offering to download the Work from a remote location) the distribution channel or media (for example, a website)
must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence,
and the way it may be accessible, concluded, stored, and reproduced by the Licensee.
12.Termination of the Licence
The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms
of the Licence.
Such a termination will not terminate the licences of any person who has received the Work from the Licensee under
the Licence, provided such persons remain in full compliance with the Licence.
13.Miscellaneous
Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the
Work.
If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or
enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid
and enforceable.
The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of
the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence.
New versions of the Licence will be published with a unique version number.
All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take
advantage of the linguistic version of their choice.
14.Jurisdiction
Without prejudice to specific agreement between parties,
— any litigation resulting from the interpretation of this License, arising between the European Union institutions,
bodies, offices, or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice
of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union,
— any litigation arising between other parties and resulting from the interpretation of this License will be subject to
the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business.
15.Applicable Law
Without prejudice to specific agreement between parties,
— this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat,
resides, or has his registered office
— this licence shall be governed by Belgian law if the Licensor has no seat, residence, or registered office inside
a European Union Member State.
Appendix
'Compatible Licences' according to Article 5 EUPL are:
— GNU General Public License (GPL) v. 2, v. 3
— GNU Affero General Public License (AGPL) v. 3
— Open Software License (OSL) v. 2.1, v. 3.0
— Eclipse Public License (EPL) v. 1.0
— CeCILL v. 2.0, v. 2.1
— Mozilla Public Licence (MPL) v. 2
— GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3
— Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software
— European Union Public Licence (EUPL) v. 1.1, v. 1.2
— Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+).
The European Commission may update this Appendix to later versions of the above licences without producing
a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the
covered Source Code from exclusive appropriation.
All other changes or additions to this Appendix require the production of a new EUPL version.

80
docs/REFERENCES.md Normal file
View File

@@ -0,0 +1,80 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.installer
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br>
**Build**: V8.00.000.2025.06.17<br>
# 2. Resources
## 2.1. Debian Live related
- [Debian live-boot](https://salsa.debian.org/live-team/live-boot)
- [Debian Live Manual](https://live-team.pages.debian.net/live-manual/html/live-manual/index.en.html)
- [Debian Live Boot Doc](https://manpages.debian.org/bookworm/live-boot-doc/live-boot.7.en.html)
- [Debian Live Build](https://manpages.debian.org/bookworm/live-build/index.html)
- [Debian Live Config](https://manpages.debian.org/bookworm/live-config-doc/index.html)
- [Debian Live Tools](https://manpages.debian.org/bookworm/live-tools/index.html)
## 2.2. Disk Encryption related
- [https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system)
- [https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB)](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB))
- [https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode)
- [https://wiki.archlinux.org/title/GRUB#Encrypted_/boot](https://wiki.archlinux.org/title/GRUB#Encrypted_/boot)
- [https://wiki.archlinux.org/title/GRUB#LUKS2](https://wiki.archlinux.org/title/GRUB#LUKS2)
- [https://wiki.archlinux.org/title/Advanced_Format](https://wiki.archlinux.org/title/Advanced_Format)
- [https://packages.debian.org/bookworm-backports/grub-common](https://packages.debian.org/bookworm-backports/grub-common)
- [https://www.kernel.org/doc/html/v5.5/admin-guide/device-mapper/dm-integrity.html](https://www.kernel.org/doc/html/v5.5/admin-guide/device-mapper/dm-integrity.html)
- [https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption)
- [https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions#2-setup](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions#2-setup)
## 2.3. Kernel related
- [https://wiki.archlinux.org/title/Kernel](https://wiki.archlinux.org/title/Kernel)
- [https://wiki.archlinux.org/title/Kernel_parameters](https://wiki.archlinux.org/title/Kernel_parameters)
- [https://www.kernel.org/](https://www.kernel.org/)
- [https://github.com/anthraxx/linux-hardened](https://github.com/anthraxx/linux-hardened)
## 2.4. Policy related
- [https://www.debian.org/doc/manuals/securing-debian-manual/](https://www.debian.org/doc/manuals/securing-debian-manual/)
- [https://www.tenable.com/audits/CIS_Debian_Linux_12_v1.0.1_L1_Server](https://www.tenable.com/audits/CIS_Debian_Linux_12_v1.0.1_L1_Server)
- [https://www.cisecurity.org/cis-benchmarks](https://www.cisecurity.org/cis-benchmarks)
- [https://github.com/CISOfy/lynis](https://github.com/CISOfy/lynis)
- [https://github.com/lateralblast/lunar](https://github.com/lateralblast/lunar)
- [https://complianceascode.github.io/content-pages/guides/ssg-debian12-guide-standard.html](https://complianceascode.github.io/content-pages/guides/ssg-debian12-guide-standard.html)
## 2.5. Security related
- [https://wiki.archlinux.org/title/General_recommendations](https://wiki.archlinux.org/title/General_recommendations)
- [https://wiki.archlinux.org/title/Security](https://wiki.archlinux.org/title/Security)
- [https://wiki.archlinux.org/title/Identity_management](https://wiki.archlinux.org/title/Identity_management)
- [https://wiki.archlinux.org/title/Capabilities](https://wiki.archlinux.org/title/Capabilities)
- [https://privsec.dev/posts/linux/desktop-linux-hardening/](https://privsec.dev/posts/linux/desktop-linux-hardening/)
- [https://wiki.archlinux.org/title/fail2ban#Service_hardenin](https://wiki.archlinux.org/title/fail2ban#Service_hardenin)
- [https://theprivacyguide1.github.io/linux_hardening_guide](https://theprivacyguide1.github.io/linux_hardening_guide)
- [https://github.com/zabbly/linux](https://github.com/zabbly/linux)
## 2.6. Bash related
- [https://www.gnu.org/software/bash/manual/](https://www.gnu.org/software/bash/manual/)
- [https://www.shellcheck.net/](https://www.shellcheck.net/)
- [https://explainshell.com/](https://explainshell.com/)
- [https://google.github.io/styleguide/shellguide.html](https://google.github.io/styleguide/shellguide.html)
- [https://github.com/mvdan/sh](https://github.com/mvdan/sh)
- [https://gist.github.com/Potherca/4f4ce1c8d4bcf4cd4aab](https://gist.github.com/Potherca/4f4ce1c8d4bcf4cd4aab)
### 2.6.1. Error handling
- [Use set -e - Writing Robust Bash Shell Scripts - David Pashley](https://www.davidpashley.com/articles/writing-robust-shell-scripts/#id2596016)
- [Why doesn't set -e (or set -o errexit, or trap ERR) do what I expected? - BashFAQ/105 - Greg's Wiki](https://mywiki.wooledge.org/BashFAQ/105)
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

BIN
docs/SECURITY/coresecret.dev.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 189 KiB

155
docs/graphviz/ciss.debian.live.builder.dot Normal file
View File

@@ -0,0 +1,155 @@
// SPDX-Version: 3.0
// SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
// SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
// SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
// SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
// SPDX-FileType: SOURCE
// SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
// SPDX-Comment: This file is part of the CISS.debian.installer.secure framework.
// SPDX-PackageName: CISS.debian.installer
// SPDX-Security-Contact: security@coresecret.eu
digraph CISS_debian_live_builder {
// -----------------------------
// General settings
// -----------------------------
graph [
fontsize=10,
splines=ortho,
rankdir=LR,
nodesep=0.6,
ranksep=0.8
];
node [fontname="Helvetica"];
// -----------------------------
// KNOTS: Internet clouds (NOT in a cluster)
// -----------------------------
InternetLeft [shape=oval, style=filled, fillcolor=lightblue, label="Internet"];
InternetTLS [shape=oval, style=filled, fillcolor=lightblue, label="TLS/HTTPS"];
// -----------------------------
// KNOTS: Jump Host (integrated into cluster_overall)
// -----------------------------
Jump_Host [shape=diamond, style=filled, fillcolor=green, label="Jump Host"];
// -----------------------------
// KNOTS: Hidden master (in cluster_hm)
// -----------------------------
Hidden_Master [shape=cylinder, style=filled, fillcolor=lavender, label="Hidden-Master"];
// -----------------------------
// KNOTS: Nameserver (in cluster_ns)
// -----------------------------
ns00 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns00.eddns.eu"];
ns01 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns01.eddns.eu"];
ns02 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns02.eddns.de"];
ns03 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns03.eddns.de"];
ns_anchor [shape=point, style=invis, width=0]; // unsichtbarer Anker für DNSSEC-Pfeile
// -----------------------------
// KNOTS: B-Server (in cluster_B_small & cluster_B_big)
// -----------------------------
git [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="git.coresecret.dev"];
run [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="run.coresecret.dev"];
lab [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="lab.coresecret.dev"];
b_small_anchor [shape=point, style=invis, width=0]; // Anker für kleines B-Cluster
b_big_anchor [shape=point, style=invis, width=0]; // Anker für großes B-Cluster
// -----------------------------
// KNOTS: "cloud.e2ee.li" (in cluster_cloud)
// -----------------------------
cloud [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="cloud.e2ee.li"];
cloud_anchor [shape=point, style=invis, width=0]; // Anker für cloud-Cluster
// -----------------------------
// CLUSTER: Entire system (except Internet clouds)
// -----------------------------
subgraph cluster_overall {
label="SSH-Pub-Key, 2FA, No-Root-Login, aes256-gcm@openssh.com, (No ChaCha) only";
style=solid;
color=red;
// ---- Integrate jump host into outer rectangle ----
Jump_Host;
// ---- Cluster: name server group ----
subgraph cluster_ns {
label="";
style=dashed;
color=red;
ns00;
ns01;
ns02;
ns03;
ns_anchor;
}
// ---- Cluster: Hidden-Master ----
subgraph cluster_hm {
label="";
style=dashed;
color=red;
Hidden_Master;
}
// ---- Cluster: TLS/HTTPS group (contains B-Cluster and cloud) ----
subgraph cluster_tls_group {
label="TLSv1.2 || TLSv1.3 ECDHE-RSA-AES256-GCM-SHA384 ECDH 448 AESGCM 256 & ECDHE-RSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256";
style=dashed;
color=red;
// ---- Cluster: Outer rectangle around all B nodes (lab + small rectangle) ----
subgraph cluster_B_big {
label="";
style=dashed;
color=red;
lab;
b_big_anchor;
// ---- Cluster: B a) and c) (small rectangle around git and run) ----
subgraph cluster_B_small {
label="";
style=dashed;
color=red;
git;
run;
b_small_anchor;
}
}
// ---- Cluster: "cloud.e2ee.li" ----
subgraph cluster_cloud {
label="HA: LVM on RAID6 on dm-crypt incl. dm-integrity";
style=dashed;
color=red;
cloud;
cloud_anchor;
}
}
}
// -----------------------------
// EDGES
// -----------------------------
// Left: Internet → Jump Host
InternetLeft -> Jump_Host [color=green];
// Jump Host → Hidden-Master
Jump_Host -> Hidden_Master [color=green];
// Hidden-Master → Name servers (each green with the label "HMAC SHA512")
Hidden_Master -> ns00 [color=green, label="HMAC SHA512"];
Hidden_Master -> ns01 [color=green, label="HMAC SHA512"];
Hidden_Master -> ns02 [color=green, label="HMAC SHA512"];
Hidden_Master -> ns03 [color=green, label="HMAC SHA512"];
// Red arrows "DNSSEC" from name server cluster (ns_anchor) → B cluster (b_big_anchor)
ns_anchor -> b_big_anchor [color=red, label="DNSSEC"];
// Red arrow "DNSSEC" from nameserver cluster (ns_anchor) → cloud cluster (cloud_anchor)
ns_anchor -> cloud_anchor [color=red, label="DNSSEC"];
// Red arrows from TLS Internet → B-Cluster and cloud
InternetTLS -> b_big_anchor [color=red];
InternetTLS -> cloud_anchor [color=red];
}

BIN
docs/graphviz/ciss.debian.live.builder.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 107 KiB

BIN
docs/screenshots/CISS.debian.installer_ssh_audit.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 199 KiB

102
func/2010_validation_ip.sh Normal file
View File

@@ -0,0 +1,102 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# IPv4 validation.
# Globals:
# ERR_INVALID_IPV4
# Arguments:
# $1: IPv4 to validate.
#######################################
validation_ipv4() {
declare var_ip="$1"
### Single-pass check: 4 octets, each 0-255, no leading zeros (unless the octet is exactly "0")
if [[ "${var_ip}" =~ ^((25[0-5]|2[0-4][0-9]|1?[0-9]{1,2})\.){3}(25[0-5]|2[0-4][0-9]|1?[0-9]{1,2})$ ]]; then
do_log "info" "true" "'${var_ip}' seems to be a valid IPv4."
else
exit "${ERR_INVALID_IPV4}"
fi
}
#######################################
# IPv6 validation, including
# - Standard IPv6 notation with eight groups such as 2001:0db8:85a3:0000:0000:8a2e:0370:7334
# - Shortened notation with :: like 2001:db8::1
# - Addresses with embedded IPv4 addresses like ::ffff:192.0.2.128
# - Link-local addresses like fe80::1%eth0
# Globals:
# ERR_INVALID_IPV6
# Arguments:
# $1: IPv6 address
#######################################
validation_ipv6() {
### Original input (may include %zone).
declare var_ip="$1"
### Strip optional zone id, e.g. fe80::1%eth0 -> fe80::1
declare var_addr="${var_ip%%\%*}"
declare var_has_double_colon=0
### Step 1 IPv4-mapped / -embedded addresses (::ffff:192.0.2.1)
if [[ "${var_addr}" == *.* ]]; then
declare var_ipv4_part="${var_addr##*:}"
validation_ipv4 "${var_ipv4_part}" || exit "${ERR_INVALID_IPV6}"
### Replace IPv4 part by a placeholder, so we can count hextets later
var_addr="${var_addr%:*}:0:0"
fi
### Step 2 Detect forbidden multiple '::'
if [[ "${var_addr}" == *::* ]]; then
var_has_double_colon=1
### Remove first '::' and check there is no second one.
[[ ${var_addr#*::*} == *::* ]] && exit "${ERR_INVALID_IPV6}"
fi
### Step 3 Split into hextets and validate format.
declare var_hextet
declare -a var_segments
IFS=':' read -ra var_segments <<< "${var_addr}"
declare seg_count=${#var_segments[@]}
for var_hextet in "${var_segments[@]}"; do
### Empty ⇔ part of '::' compression
[[ -z "${var_hextet}" ]] && continue
[[ "${var_hextet}" =~ ^[0-9a-fA-F]{1,4}$ ]] || exit "${ERR_INVALID_IPV6}"
done
### Step 4 Check total hextet count.
if (( var_has_double_colon )); then
(( seg_count <= 8 )) || exit "${ERR_INVALID_IPV6}"
else
(( seg_count == 8 )) || exit "${ERR_INVALID_IPV6}"
fi
### Success
do_log "info" "true" "'${var_ip}' seems to be a valid IPv6."
}
#######################################
# Port validation.
# Globals:
# ERR_INVALID_PORT
# Arguments:
# $1: Port number
#######################################
validation_port() {
declare var_port="$1"
if [[ "${var_port}" =~ ^[0-9]+$ ]] && (( var_port >= 1 && var_port <= 65535 )); then
do_log "info" "true" "'${var_port}' seems to be a valid port."
else
do_log "error" "false" "'${var_port}' seems to be NOT a valid port."
exit "${ERR_INVALID_PORT}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

211
func/2015_helper_modules.sh Normal file
View File

@@ -0,0 +1,211 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper for executing commands in the desired chroot environment.
# Globals:
# TERM
# Arguments:
# $1: Target of the chroot environment.
# $@: Commands and options and parameters to be executed in chroot.
#######################################
do_in_target() {
declare var_chroot_target="$1"; shift
declare ary_chroot_command=("$@")
do_log "info" "false" "Executing in the target system '${var_chroot_target}' command: '${ary_chroot_command[*]}'."
chroot "${var_chroot_target}" /usr/bin/env -i \
HOME=/root \
PATH=/usr/sbin:/usr/bin:/sbin:/bin \
TERM="${TERM}" \
"${ary_chroot_command[@]}"
}
#######################################
# Wrapper around 'printf' for clean code.
# Globals:
# C_RES
# Arguments:
# $1: One of "${C_BLA}" | "${C_RED}" | "${C_GRE}" | "${C_YEL}" | "${C_BLU}" | "${C_MAG}" | "${C_CYA}" | "${C_WHI}"
# $2: Text string to print on terminal.
#######################################
do_print_color() {
printf "%s\n" "${1}${2}${C_RES}"
}
#######################################
# Wrapper around 'printf' for clean, uniform terminal output and line fold for long text strings for better readability.
# Globals:
# C_RES
# Arguments:
# $1: One of "${C_BLA}" | "${C_RED}" | "${C_GRE}" | "${C_YEL}" | "${C_BLU}" | "${C_MAG}" | "${C_CYA}" | "${C_WHI}"
# $2: Text string to print on terminal.
#######################################
do_print_fold() {
declare var_color="$1"; shift
declare var_msg_string="$*"
declare var_formatted_String="${var_color}${var_msg_string}${C_RES}"
printf "%b\n" "${var_formatted_String}" | fold -s -w 76 | sed '1! s/^/ /'
}
#######################################
# Wrapper around 'printf' for logfile redirect.
# Arguments:
# $1: Text string to redirect to a log file.
#######################################
do_print_log() {
printf "%s\n" "${1}"
}
#######################################
# Helper Module to generate a Subnet Mask out of an IP in CCDIR Notation.
# Arguments:
# $1: IPv4 in CCDIR Notation, e.g.,: 192.168.128.128/24
# Returns:
# 0 : In every case a zero return value is delivered.
#######################################
generate_subnetmask() {
declare var_arg="$1"
declare var_prefix="${var_arg#*/}"
declare var_mask_int=""
declare var_has_ipv4_subnet=""
var_mask_int=$((0xFFFFFFFF << (32 - var_prefix) & 0xFFFFFFFF))
var_has_ipv4_subnet=$(printf "%d.%d.%d.%d" \
$(((var_mask_int >> 24) & 0xFF)) \
$(((var_mask_int >> 16) & 0xFF)) \
$(((var_mask_int >> 8) & 0xFF)) \
$((var_mask_int & 0xFF)))
echo "${var_has_ipv4_subnet}"
return 0
}
#######################################
# Converts characters such as spaces, inverted commas, backslashes, and other special
# characters so that they can be safely used as arguments in a shell command.
# Arguments:
# $1: String to sanitize.
#######################################
sanitize_input() {
# shellcheck disable=SC2155
declare var_safe_out=$(printf "%q" "$1")
echo "${var_safe_out}"
}
#######################################
# Remove any leading or trailing whitespace.
# Arguments:
# $1: String to clean.
#######################################
remove_whitespace() {
# shellcheck disable=SC2155
declare var_out=$(printf "%s" "$1" | xargs)
echo "${var_out}"
}
#######################################
# Function to escape all shell metacharacters
# Arguments:
# $1: String to Sanitize
#######################################
sanitize_shell_literal() {
declare input="$1"
### %q quotes the string so that the shell re-reads it as the original literal
printf '%q' "${input}"
}
#######################################
# Function to remove any character not in the allowed set
# Arguments:
# $1: String to Sanitize
#######################################
sanitize_string() {
declare input="$1"
### Define allowed characters:
### letters, digits, dot, underscore, slash, equals, [, ], colon, double-quote, hyphen, space.
declare allowed='a-zA-Z0-9._/=\[\]:"\-+ '
printf '%s' "${input}" | tr -cd "${allowed}"
}
#######################################
# Helper module for full upgrade, autoremove and autoclean.
# Arguments:
# None
#######################################
update_upgrade() {
apt-get update -y
apt-get upgrade -y
apt-get autoclean -y
apt-get autopurge -y
apt-get autoremove -y
}
#######################################
# Wrapper for secure curl.
# Globals:
# ERR_DOWNLOAD_FAILED
# ERR_NO_DOWNLOAD_ARG
# Arguments:
# $1: URL from which to download a specific file.
# $2: /path/to/file to be saved to.
# Returns:
# ${ERR_DOWNLOAD_FAILED}: Download failed.
# ${ERR_NO_DOWNLOAD_ARG}: No arguments specified.
#######################################
scurl() {
if [[ $# -ne 2 ]]; then
do_log "error" "false" "Usage: scurl <URL> <path/to/file>"
return "${ERR_NO_DOWNLOAD_ARG}"
fi
declare url="$1"
declare output_path="$2"
if ! curl --doh-url "https://dns01.eddns.eu/dns-query" \
--doh-cert-status \
--tlsv1.3 \
-sSf \
-o "${output_path}" \
"${url}"
then
do_log "error" "false" "Download failed for URL: '${1}'."
return "${ERR_DOWNLOAD_FAILED}"
fi
}
#######################################
# Wrapper for secure wget.
# Globals:
# ERR_DOWNLOAD_FAILED
# ERR_NO_DOWNLOAD_ARG
# Arguments:
# $1: URL from which to download a specific file.
# $2: /path/to/file to be saved to.
# Returns:
# ${ERR_DOWNLOAD_FAILED}: Download failed.
# ${ERR_NO_DOWNLOAD_ARG}: No arguments specified.
#######################################
swget() {
if [[ $# -ne 2 ]]; then
do_log "error" "false" "Usage: swget <URL> <path/to/file>"
return "${ERR_NO_DOWNLOAD_ARG}"
fi
declare url="$1"
declare output_path="$2"
if ! wget --show-progress \
--no-clobber \
--https-only \
--secure-protocol=TLSv1_3 \
-qO "${output_path}" \
"${url}"
then
do_log "error" "false" "Download failed for URL: '${1}'."
return "${ERR_DOWNLOAD_FAILED}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

133
func/2020_logging_modules.sh Normal file
View File

@@ -0,0 +1,133 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Log level values for comparison.
# Arguments:
# $1: "${LOG_LEVEL}" one of: "debug" | "info" | "notice" | "warn" | "error" | "critical" | "fatal" | "emergency"
#######################################
log_level_value() {
case "${1,,}" in
debug) echo 0 ;;
info) echo 1 ;;
notice) echo 2 ;;
warn) echo 3 ;;
error) echo 4 ;;
critical) echo 5 ;;
fatal) echo 6 ;;
emergency) echo 7 ;;
*) echo 0 ;;
esac
}
#######################################
# Filter and compare log levels.
# Globals:
# DEFAULT_LOG_LEVEL
# Arguments:
# $1: "${LOG_LEVEL}" one of: "debug" | "info" | "notice" | "warn" | "error" | "critical" | "fatal" | "emergency"
#######################################
do_should_log() {
# shellcheck disable=SC2155
declare var_desired_log_value=$(log_level_value "$1")
# shellcheck disable=SC2155
declare var_default_log_value=$(log_level_value "${DEFAULT_LOG_LEVEL}")
if [[ ${var_desired_log_value} -ge ${var_default_log_value} ]]; then
return 0
else
return 1
fi
}
#######################################
# Log level color retriever.
# Globals:
# C_BLU
# C_GRN
# C_MAG
# C_RED
# C_YEL
# Arguments:
# $1: "${LOG_LEVEL}" one of: "debug" | "info" | "notice" | "warn" | "error" | "critical" | "fatal" | "emergency"
#######################################
do_get_log_color() {
case "${1,,}" in
debug) echo "${C_WHI}" ;;
info) echo "${C_GRN}" ;;
notice) echo "${C_YEL}" ;;
warn | error | critical) echo "${C_RED}" ;;
fatal | emergency) echo "${C_MAG}" ;;
*) echo "${C_BLU}" ;;
esac
}
#######################################
# Main logger wrapper.
# Globals:
# LOG_ERR
# LOG_INS
# Arguments:
# $1: "${LOG_LEVEL}" one of: "debug" | "info" | "notice" | "warn" | "error" | "critical" | "fatal" | "emergency"
# $2: "${LOG_ONLY}" boolean "true" | "false"
# $@: "${MESSAGE[*]}" arbitrary text string to log.
#######################################
do_log() {
declare var_log_level="$1"; shift
declare var_log_only="$2"; shift
declare ary_message=("$@")
declare var_msg_string="${ary_message[*]}"
# shellcheck disable=SC2155
declare var_color=$(do_get_log_color "${var_log_level}")
# shellcheck disable=SC2155
declare var_ts="$(date -u '+%Y-%m-%dT%H:%M:%S.%4N%z')"
declare var_log_entry=("${var_ts} [${var_log_level}]: ${ary_message[*]}")
if do_should_log "${var_log_level}"; then
if [[ "${var_log_only,,}" == true ]]; then
case "${var_log_level,,}" in
debug | info | notice) do_print_log "${var_log_entry[*]}" >> "${LOG_INS}" ;;
warn | error | critical | fatal | emergency ) do_print_log "${var_log_entry[*]}" >> "${LOG_ERR}" ;;
esac
elif [[ ${var_log_only,,} == false ]]; then
case "${var_log_level,,}" in
debug | info | notice)
if [[ ${#var_msg_string} -le 76 ]]; then
do_print_color "${var_color}" "${var_log_entry[*]}"
do_print_log "${var_log_entry[*]}" >> "${LOG_INS}"
else
do_print_fold "${var_color}" "${var_log_entry[*]}"
do_print_log "${var_log_entry[*]}" >> "${LOG_INS}"
fi
;;
warn | error | critical | fatal | emergency)
if [[ ${#var_msg_string} -le 76 ]]; then
do_print_color "${var_color}" "${var_log_entry[*]}"
do_print_log "${var_log_entry[*]}" >> "${LOG_ERR}"
else
do_print_fold "${var_color}" "${var_log_entry[*]}"
do_print_log "${var_log_entry[*]}" >> "${LOG_ERR}"
fi
;;
*)
if [[ ${#var_msg_string} -le 76 ]]; then
do_print_color "${var_color}" "${var_log_entry[*]}"
do_print_log "${var_log_entry[*]}" >> "${LOG_INS}"
else
do_print_fold "${var_color}" "${var_log_entry[*]}"
do_print_log "${var_log_entry[*]}" >> "${LOG_INS}"
fi
;;
esac
fi
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

38
func/2030_check_nic.sh Normal file
View File

@@ -0,0 +1,38 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Specify the NIC interactively for setup.
# Globals:
# DIR_TMP
# Arguments:
# None
#######################################
2030_check_nic() {
ip -o link show | awk -F': ' '{print $2}' | sed 's!lo!!' | sed '/^$/d' | awk '{$1=$1};1' >| "${DIR_TMP}nic.tmp"
declare var_counter=1
declare var_line=""
declare var_nic=""
declare var_radiolist=""
while IFS= read -r var_line; do
var_radiolist="${var_radiolist} ${var_line} ${var_counter} on "
((var_counter++))
done < "${DIR_TMP}nic.tmp"
# shellcheck disable=SC2086 disable=SC2248
var_nic=$(dialog --ascii-lines --clear --backtitle "Specify the NIC for setup" --radiolist "NIC available" 0 0 ${var_counter} ${var_radiolist} 3>&1 1>&2 2>&3)
clear
do_log "info" "false" "You have selected: '${var_nic}' - proceeding with setup."
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

56
func/2040_grub_helper.sh Normal file
View File

@@ -0,0 +1,56 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
### Options in "VAR_GRUB_CMDLINE_LINUX" are always effective.
### Options in "VAR_GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
#######################################
# Helper module to extract the current GRUB CMDLINE strings.
# Globals:
# TARGET
# VAR_GRUB_CMDLINE_LINUX
# VAR_GRUB_CMDLINE_LINUX_DEFAULT
# VAR_ORIG_GRUB_CMDLINE_LINUX
# VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT
# Arguments:
# None
#######################################
2040_grub_extract_current_string() {
# shellcheck disable=SC2155
declare -gx VAR_ORIG_GRUB_CMDLINE_LINUX=$(grep -E 'VAR_GRUB_CMDLINE_LINUX=' "${TARGET}/etc/default/grub")
# shellcheck disable=SC2155
declare -gx VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT=$(grep -E 'VAR_GRUB_CMDLINE_LINUX_DEFAULT=' "${TARGET}/etc/default/grub")
# shellcheck disable=SC2155
declare -gx VAR_GRUB_CMDLINE_LINUX=$(grep -E 'VAR_GRUB_CMDLINE_LINUX=' "${TARGET}/etc/default/grub" | sed 's/.$//')
# shellcheck disable=SC2155
declare -gx VAR_GRUB_CMDLINE_LINUX_DEFAULT=$(grep -E 'VAR_GRUB_CMDLINE_LINUX_DEFAULT=' "${TARGET}/etc/default/grub" | sed 's/.$//')
}
#######################################
# Helper module to finish the modified GRUB CMDLINE strings.
# Globals:
# TARGET
# VAR_GRUB_CMDLINE_LINUX
# VAR_GRUB_CMDLINE_LINUX_DEFAULT
# VAR_H
# VAR_ORIG_GRUB_CMDLINE_LINUX
# VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT
# Arguments:
# None
#######################################
2040_grub_finalize_string() {
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX}${VAR_H}"
VAR_GRUB_CMDLINE_LINUX_DEFAULT="${VAR_GRUB_CMDLINE_LINUX_DEFAULT}${VAR_H}"
sed -i "s/$VAR_ORIG_GRUB_CMDLINE_LINUX/$VAR_GRUB_CMDLINE_LINUX/" "${TARGET}/etc/default/grub"
sed -i "s/$VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT/$VAR_GRUB_CMDLINE_LINUX_DEFAULT/" "${TARGET}/etc/default/grub"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

56
func/2050_yaml_parser.sh Normal file
View File

@@ -0,0 +1,56 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Parsing './.preseed/preseed.yaml'.
# Globals:
# ARY_NTPSRVR
# ARY_PACKAGES
# DIR_CNF
# DIR_TMP
# VAR_PRESEED
# Arguments:
# None
#######################################
yaml_parser() {
cat "${DIR_CNF}/preseed.yaml" "${DIR_CNF}/partitioning.yaml" >| "${DIR_TMP}/combined.yaml"
yq -o=shell "${DIR_TMP}/combined.yaml" >| "${VAR_PRESEED}"
declare var_key var_value
while IFS='=' read -r var_key var_value; do
if [[ ${var_key} =~ ^ntp_server_[0-9]+$ ]]; then
var_value=${var_value#\'}
var_value=${var_value%\'}
declare -agx ARY_NTPSRVR+=("${var_value}")
fi
done < "${VAR_PRESEED}"
while IFS='=' read -r var_key var_value; do
if [[ ${var_key} =~ ^software_[0-9]+$ ]]; then
var_value=${var_value#\'}
var_value=${var_value%\'}
declare -agx ARY_PACKAGES+=("${var_value}")
fi
done < "${VAR_PRESEED}"
sed -i '/^software_[0-9]\+=/d' "${VAR_PRESEED}"
sed -i '/^ntp_server_[0-9]\+=/d' "${VAR_PRESEED}"
### Substitute all key= by key=""
sed -i -E 's/^(.*)=\s*$/\1=""/' "${VAR_PRESEED}"
### Wrap each key=value by '' e.g., key='value'
sed -i -E "s/^(.*)=([^'\"]+)$/\1='\2'/" "${VAR_PRESEED}"
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

140
func/2051_yaml_reader.sh Normal file
View File

@@ -0,0 +1,140 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Reading and extracting variables from "${PRESEED}".
# Globals:
# ERR_NO_VALID_RECIPE
# HMP_RECIPE_DEV_PARTITIONS
# VAR_PRESEED
# VAR_RECIPE_DEV_COUNTER
# VAR_RECIPE_FIRMWARE
# VAR_RECIPE_STRING
# VAR_RECIPE_TABLE
# Arguments:
# None
#######################################
yaml_reader() {
### Declare and substitute input files
declare -r var_if="${VAR_PRESEED}"
### Search pattern for variables (recipe_<string>_active='true')
declare -r var_search_pattern="^recipe_.*_active='true'"
declare var_line=""
declare var_middle_part=""
### Read "${var_if}" line by line
while IFS= read -r var_line; do
### Check, if line matches the search pattern
if [[ "${var_line}" =~ ${var_search_pattern} ]]; then
### Extract the middle part or second position
var_middle_part=$(echo "${var_line}" | sed -E "s/^recipe_([^_]+)_active='true'/\1/")
declare -gx VAR_RECIPE_STRING="${var_middle_part}"
### Exit after first occurrence
break
fi
done < "${var_if}"
if [[ -n ${VAR_RECIPE_STRING} ]]; then
do_log "info" "false" "Found active recipe string: '${VAR_RECIPE_STRING}'."
else
do_log "fatal" "false" "Found NO active recipe string: '${VAR_RECIPE_STRING}'." >&2
exit "${ERR_NO_VALID_RECIPE}"
fi
### Variable for highest device count e.g., /dev/sdf = "f"
declare var_highest_dev
### Search "${var_if}" for matching recipe_${VAR_RECIPE_STRING}_dev_* entries and find the highest dev letter
var_highest_dev=$(grep -E "^recipe_${VAR_RECIPE_STRING}_dev_" "${var_if}" | awk -F'_' '
{
if (NF >= 4) {
### Extract 4th position (e.g., "recipe_${VAR_RECIPE_STRING}_dev_sda" or "recipe_${VAR_RECIPE_STRING}_dev_vda")
device_field = $4
### Check, if field is at least 3 char wide and last char contains a letter
if (length(device_field) >= 3) {
last_char = substr(device_field, length(device_field), 1) ### Extract last letter of respective field
if (last_char ~ /^[a-z]$/ && last_char > max) {
max = last_char
}
}
}
}
END { print max }
')
### Save the result in VAR_RECIPE_DEV_COUNTER
declare -gx VAR_RECIPE_DEV_COUNTER="${var_highest_dev}"
if [[ -n ${VAR_RECIPE_DEV_COUNTER} ]]; then
do_log "info" "false" "Found highest recipe device: '${VAR_RECIPE_DEV_COUNTER}'."
else
do_log "fatal" "false" "Found NO highest recipe device: '${VAR_RECIPE_DEV_COUNTER}'." >&2
exit "${ERR_NO_VALID_RECIPE}"
fi
declare var_device="" var_fields="" var_line="" var_partition=""
declare -Agx HMP_RECIPE_DEV_PARTITIONS=()
### Read var_if and iterate through all matching entries without executing in a subshell
while read -r var_line; do
### Extract fields of line
IFS='_' read -ra var_fields <<< "${var_line}"
### Check that enough fields are available
if [[ "${#var_fields[@]}" -ge 5 ]]; then
var_device="${var_fields[3]}" ### The fourth position includes the device (e.g., sda, vda, xvda)
var_partition="${var_fields[4]}" ### The fifth position includes the partition (e.g., 13)
### Check, if the partition is a number and higher than the current value
if [[ "${var_partition}" =~ ^[0-9]+$ ]]; then
if [[ -z "${HMP_RECIPE_DEV_PARTITIONS[${var_device}]}" || "${var_partition}" -gt ${HMP_RECIPE_DEV_PARTITIONS[${var_device}]} ]]; then
# shellcheck disable=SC2004
HMP_RECIPE_DEV_PARTITIONS[${var_device}]="${var_partition}"
fi
fi
fi
done < <(grep -E "^recipe_${VAR_RECIPE_STRING}_dev_" "${var_if}")
for var_device in "${!HMP_RECIPE_DEV_PARTITIONS[@]}"; do
do_log "info" "false" "Highest number of partitions for ${var_device}: ${HMP_RECIPE_DEV_PARTITIONS[${var_device}]}"
done
### Extract chosen partition table
declare recipe_table_var="recipe_${VAR_RECIPE_STRING}_control_table"
declare -gx VAR_RECIPE_TABLE="${!recipe_table_var}"
### Extract chosen firmware
declare recipe_firmware_var="recipe_${VAR_RECIPE_STRING}_control_firmware"
declare -gx VAR_RECIPE_FIRMWARE="${!recipe_firmware_var}"
if [[ ${VAR_RECIPE_TABLE,,} == "gpt" && ${VAR_RECIPE_FIRMWARE,,} == "uefi" ]]; then
do_log "info" "false" "Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > ESP 'EF00' necessary."
elif [[ ${VAR_RECIPE_TABLE,,} == "gpt" && ${VAR_RECIPE_FIRMWARE,,} == "bios" ]]; then
do_log "info" "false" "Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > BIOS Boot Partition 'EF02' necessary."
elif [[ ${VAR_RECIPE_TABLE,,} == "msdos" && ${VAR_RECIPE_FIRMWARE,,} == "uefi" ]]; then
do_log "info" "false" "Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > ESP on MBR needs partition type '0xEF'."
elif [[ ${VAR_RECIPE_TABLE,,} == "msdos" && ${VAR_RECIPE_FIRMWARE,,} == "bios" ]]; then
do_log "info" "false" "Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > No special firmware partition necessary."
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

59
func/2056_validation_preseed.sh Normal file
View File

@@ -0,0 +1,59 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Validate all preseed network variables (IPv4 & IPv6)
# Arguments:
# None
#######################################
validation_preseed() {
declare var value
### --- IPv4 variables ------------------------------------------------------
declare -a ipv4_vars=(
network_static_ipv4nameserver_0
network_static_ipv4nameserver_1
network_static_ipv4nameserver_fallback_0
network_static_ipv4nameserver_fallback_1
network_static_ipv4address
network_static_ipv4gateway
)
### --- IPv6 variables ------------------------------------------------------
declare -a ipv6_vars=(
network_static_ipv6nameserver_0
network_static_ipv6nameserver_1
network_static_ipv6nameserver_fallback_0
network_static_ipv6nameserver_fallback_1
network_static_ipv6address
)
### --- loop over both groups ----------------------------------------------
for var in "${ipv4_vars[@]}"; do
value="${!var}"
if [[ -n "${value}" ]]; then
validation_ipv4 "${value}"
else
do_log "info" "true" "'${var}' is not set."
fi
done
for var in "${ipv6_vars[@]}"; do
value="${!var}"
if [[ -n "${value}" ]]; then
validation_ipv6 "${value}"
else
do_log "info" "false" "'${var}' is not set."
fi
done
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:

108
func/3200_partitioning.sh Normal file
View File

@@ -0,0 +1,108 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Function that generates each partition on each device according to the chosen recipe string.
# Globals:
# ERR_PARTITIONTBL
# HMP_RECIPE_DEV_PARTITIONS
# HMP_UUID_PARTITION
# RECIPE_STRING
# RECIPE_TABLE
# VAR_RECIPE_TABLE
# Arguments:
# None
#######################################
partitioning() {
### REMINDER
# HashMap : "${!HMP_RECIPE_DEV_PARTITIONS[@]}"
# ${DEVICE}: "${HMP_RECIPE_DEV_PARTITIONS[$DEVICE]}"
declare var_dev var_partition var_partition_number
### Iterate through each device.
for var_dev in "${!HMP_RECIPE_DEV_PARTITIONS[@]}"; do
var_partition_number=${HMP_RECIPE_DEV_PARTITIONS[${var_dev}]}
### All current data for the respective device will be deleted.
blkdiscard /dev/"${var_dev}"
do_log "info" "false" "Partition table of '/dev/${var_dev}' discarded."
if [[ ${VAR_RECIPE_TABLE} == "gpt" ]]; then
parted -s /dev/"${var_dev}" mklabel gpt
do_log "info" "false" "Partition table '${VAR_RECIPE_TABLE}' of '/dev/${var_dev}' generated."
elif [[ ${VAR_RECIPE_TABLE} == "mbr" ]]; then
parted -s /dev/"${var_dev}" mklabel mbr
do_log "info" "false" "Partition table '${VAR_RECIPE_TABLE}' of '/dev/${var_dev}' generated."
else
do_log "fatal" "false" "No valid partition table chosen. String was '${VAR_RECIPE_TABLE}'. Exiting setup."
exit "${ERR_PARTITIONTBL}"
fi
### Iterate through each partition on the current device.
for (( var_partition=1; var_partition<=var_partition_number; var_partition++ )); do
#for var_partition in $(seq 1 "${var_partition_number}"); do
### Generate variables for the current partition.
declare begin_var="recipe_${RECIPE_STRING}_dev_${var_dev}_${var_partition}_begin"
declare end_var="recipe_${RECIPE_STRING}_dev_${var_dev}_${var_partition}_end"
declare bootable_var="recipe_${RECIPE_STRING}_dev_${var_dev}_${var_partition}_bootable"
declare primary_var="recipe_${RECIPE_STRING}_dev_${var_dev}_${var_partition}_primary"
declare filesystem_var="recipe_${RECIPE_STRING}_dev_${var_dev}_${var_partition}_filesystem_version"
### Initialise variables.
declare BEGIN=${!begin_var}
declare END=${!end_var}
declare BOOTABLE=${!bootable_var}
declare PRIMARY=${!primary_var}
declare FILESYSTEM=${!filesystem_var}
### Generate partition.
if [[ ${END} == "-1" ]]; then
parted -s /dev/"${var_dev}" mkpart "${PRIMARY}" "${FILESYSTEM}" "${BEGIN}" 100%
do_log "info" "false" "Partition generated: '${var_partition}' | on device '/dev/${var_dev}' | begin: '${BEGIN}' | end: 100 % of remaining disk."
else
parted -s /dev/"${var_dev}" mkpart "${PRIMARY}" "${FILESYSTEM}" "${BEGIN}" "${END}"
do_log "info" "false" "Partition generated: '${var_partition}' | on device '/dev/${var_dev}' | begin: '${BEGIN}' | end: '${END}'."
fi
### Set the bootable flag if necessary.
if [[ "${BOOTABLE,,}" == true ]]; then
parted -s "/dev/${var_dev}" set "${var_partition}" boot on
do_log "info" "false" "Partition: '/dev/${var_dev}${var_partition}' marked as bootable."
fi
if [[ "${PRIMARY,,}" == logical ]]; then
parted -s "/dev/${var_dev}" set "${var_partition}" "${FILESYSTEM}" on
fi
### Save UUID of the generated partition
# shellcheck disable=SC2155
declare UUID=$(blkid -s UUID -o value "/dev/${var_dev}${var_partition}")
HMP_UUID_PARTITION["UUID_${var_dev}${var_partition}"]="${UUID}"
do_log "info" "false" "Saved in HashMap HMP_UUID_PARTITION: 'UUID_${var_dev}${var_partition}' -> '${HMP_UUID_PARTITION["UUID_${var_dev}${var_partition}"]}'"
done
done
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

108
func/3200_partitioning_new.sh Normal file
View File

@@ -0,0 +1,108 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Function that generates each partition on each device according to the chosen recipe string.
# Globals:
# ERR_PARTITIONTBL
# HMP_RECIPE_DEV_PARTITIONS
# HMP_UUID_PARTITION
# RECIPE_STRING
# RECIPE_TABLE
# VAR_RECIPE_TABLE
# Arguments:
# None
#######################################
partitioning() {
### REMINDER
# HashMap : "${!HMP_RECIPE_DEV_PARTITIONS[@]}"
# ${DEVICE}: "${HMP_RECIPE_DEV_PARTITIONS[$DEVICE]}"
declare var_dev var_partition var_partition_number
### Iterate through each device.
for var_dev in "${!HMP_RECIPE_DEV_PARTITIONS[@]}"; do
var_partition_number=${HMP_RECIPE_DEV_PARTITIONS[${var_dev}]}
### All current data for the respective device will be deleted.
blkdiscard /dev/"${var_dev}"
do_log "info" "false" "Partition table of '/dev/${var_dev}' discarded."
if [[ ${VAR_RECIPE_TABLE} == "gpt" ]]; then
parted -s /dev/"${var_dev}" mklabel gpt
do_log "info" "false" "Partition table '${VAR_RECIPE_TABLE}' of '/dev/${var_dev}' generated."
elif [[ ${VAR_RECIPE_TABLE} == "mbr" ]]; then
parted -s /dev/"${var_dev}" mklabel mbr
do_log "info" "false" "Partition table '${VAR_RECIPE_TABLE}' of '/dev/${var_dev}' generated."
else
do_log "fatal" "false" "No valid partition table chosen. String was '${VAR_RECIPE_TABLE}'. Exiting setup."
exit "${ERR_PARTITIONTBL}"
fi
### Iterate through each partition on the current device.
for (( var_partition=1; var_partition<=var_partition_number; var_partition++ )); do
#for var_partition in $(seq 1 "${var_partition_number}"); do
### Generate variables for the current partition.
declare begin_var="recipe_${RECIPE_STRING}_dev_${var_dev}_${var_partition}_begin"
declare end_var="recipe_${RECIPE_STRING}_dev_${var_dev}_${var_partition}_end"
declare bootable_var="recipe_${RECIPE_STRING}_dev_${var_dev}_${var_partition}_bootable"
declare primary_var="recipe_${RECIPE_STRING}_dev_${var_dev}_${var_partition}_primary"
declare filesystem_var="recipe_${RECIPE_STRING}_dev_${var_dev}_${var_partition}_filesystem_version"
### Initialise variables.
declare BEGIN=${!begin_var}
declare END=${!end_var}
declare BOOTABLE=${!bootable_var}
declare PRIMARY=${!primary_var}
declare FILESYSTEM=${!filesystem_var}
### Generate partition.
if [[ ${END} == "-1" ]]; then
parted -s /dev/"${var_dev}" mkpart "${PRIMARY}" "${FILESYSTEM}" "${BEGIN}" 100%
do_log "info" "false" "Partition generated: '${var_partition}' | on device '/dev/${var_dev}' | begin: '${BEGIN}' | end: 100 % of remaining disk."
else
parted -s /dev/"${var_dev}" mkpart "${PRIMARY}" "${FILESYSTEM}" "${BEGIN}" "${END}"
do_log "info" "false" "Partition generated: '${var_partition}' | on device '/dev/${var_dev}' | begin: '${BEGIN}' | end: '${END}'."
fi
### Set the bootable flag if necessary.
if [[ "${BOOTABLE,,}" == true ]]; then
parted -s "/dev/${var_dev}" set "${var_partition}" boot on
do_log "info" "false" "Partition: '/dev/${var_dev}${var_partition}' marked as bootable."
fi
if [[ "${PRIMARY,,}" == logical ]]; then
parted -s "/dev/${var_dev}" set "${var_partition}" "${FILESYSTEM}" on
fi
### Save UUID of the generated partition
# shellcheck disable=SC2155
declare UUID=$(blkid -s UUID -o value "/dev/${var_dev}${var_partition}")
HMP_UUID_PARTITION["UUID_${var_dev}${var_partition}"]="${UUID}"
do_log "info" "false" "Saved in HashMap HMP_UUID_PARTITION: 'UUID_${var_dev}${var_partition}' -> '${HMP_UUID_PARTITION["UUID_${var_dev}${var_partition}"]}'"
done
done
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

95
lib/1000_usage.sh Normal file
View File

@@ -0,0 +1,95 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Usage Wrapper 'CISS.debian.installer'.
# Arguments:
# $0: Script Name
#######################################
usage() {
clear
cat << EOF
$(echo -e "\e[92mCISS.debian.installer\e[0m")
$(echo -e "\e[92mMaster V8.00.000.2025.06.17\e[0m")
$(echo -e "\e[92mA powerful Debian installer for setting up a hardened Debian environment.\e[0m")
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
"${0} <option>", where <option> is one or more of:
--help, -h
What you're looking at.
--autoinstall, -a
No user interaction is required in autoinstall mode.
$(echo -e "\e[93m ⚡ All data on the disks specified in './.preseed/partitioning.yaml' will be destroyed! ⚡\e[0m")
--contact, -c
Displays contact information of the author.
--debug, -d <MODE>
Whereas <MODE> can be one or both of the following: 'TRAP' or 'XTRACE'.
• XTRACE uses the 'set -x' capability to trace every command executed.
• TRAP uses the bash 'trap DEBUG' capability.
$(echo -e "\e[93m Detailed debugging information is written to:\e[0m")
- /tmp/ciss_debian_installer_$$_debug.log
- /tmp/ciss_debian_installer_$$_trace.log
- /tmp/ciss_debian_installer_$$_var.log
$(echo -e "\e[93m Errors are always written to:\e[0m")
- /tmp/ciss_debian_installer_$$_error.log.
--log <LEVEL>
This changes the default log level from 'info' to one of the following values:
6: 'info'
5: 'notice'
4: 'warn'
3: 'error'
0: 'emergency'
$(echo -e "\e[93m The installation log is written to:\e[0m")
- /tmp/ciss_debian_installer_$$_install.log
--renice-priority <PRIORITY>
Reset the nice priority value of the script and all its children
to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
Negative (higher) values MUST be enclosed in double quotes '"'.
--reionice-priority <CLASS> <PRIORITY>
Reset the ionice priority value of the script and all its children
to the desired <CLASS>. MUST be an integer:
1: realtime
2: best-effort
3: idle
Defaults to '2'.
Whereas <PRIORITY> MUST be an integer as well between:
0: highest priority and
7: lowest priority.
Defaults to '4'.
A real-time I/O process can significantly slow down other processes
or even cause them to starve if it continuously requests I/O.
--version, -v
Displays version of ${0}.
$(echo -e "\e[93m💡 Notes:\e[0m")
🔵 You MUST be 'root' to run this script.
🔵 You MUST edit './.preseed/preseed.yaml' in advance.
🔵 You MUST edit './.preseed/partitioning.yaml' in advance.
🔵 You MUST edit './.preseed/password.txt' in advance.
🔵 You SHOULD use the provided YAML-Configuration-File Editor.
$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/ \e[0m")
EOF
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

39
lib/1001_contact.sh Normal file
View File

@@ -0,0 +1,39 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Contact Wrapper 'CISS.debian.installer'.
# Arguments:
# None
#######################################
contact() {
clear
cat << EOF
$(echo -e "\e[92mCISS.debian.installer\e[0m")
$(echo -e "\e[92mMaster V8.00.000.2025.06.17\e[0m")
$(echo -e "\e[92mA powerful Debian installer for setting up a hardened Debian environment.\e[0m")
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
$(echo -e "\e[95m💬 Contact:\e[0m")
$(echo -e "\e[95m🌐 https://coresecret.eu/ \e[0m")
$(echo -e "\e[95m📧 security@coresecret.eu \e[0m")
$(echo -e "\e[95m🔑 PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD \e[0m")
$(echo -e "\e[95m🔗 https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD \e[0m")
$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/ \e[0m")
EOF
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

42
lib/1003_gen_dir_files.sh Normal file
View File

@@ -0,0 +1,42 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Creates the DIRs, prepares the files and mounting paths for installation.
# Globals:
# DIR_LOG
# LOG_ERR
# LOG_INS
# LOG_NIC
# VAR_PRESEED
# Arguments:
# None
#######################################
gen_dir_files() {
### MAKE DIRS
mkdir -p /tmp/.ciss/{backup,log,tmp} && chmod -R 0700 /tmp/.ciss
mkdir -p /target
mkdir -p /recovery
### TOUCH FILES
touch "${LOG_ERR}" && chmod 0600 "${LOG_ERR}"
touch "${LOG_INS}" && chmod 0600 "${LOG_INS}"
touch "${LOG_NIC}" && chmod 0600 "${LOG_NIC}"
touch "${VAR_PRESEED}" && chmod 0600 "${VAR_PRESEED}"
touch "${DIR_LOG}/btrfs.log" && chmod 0600 "${DIR_LOG}/btrfs.log"
touch "${DIR_LOG}/cpu.log" && chmod 0600 "${DIR_LOG}/cpu.log"
touch "${DIR_LOG}/ext4.log" && chmod 0600 "${DIR_LOG}/ext4.log"
touch "${DIR_LOG}/sshd_config.log" && chmod 0600 "${DIR_LOG}/sshd_config.log"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

42
lib/1007_guard_sorucing.sh Normal file
View File

@@ -0,0 +1,42 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Prevent the caller LIB-file from being sourced twice.
# Derive a safe guard-variable name from the caller script filename.
# Globals:
# BASH_SOURCE
# Arguments:
# $1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically.)
# Returns:
# 0: Returns '0' in both cases as they are intended to be successful.
#######################################
1007_guard_sourcing() {
### Determine the caller script (the library being sourced).
declare var_src="${1:-${BASH_SOURCE[1]}}"
### Strip path, keep only filename
declare var_file_name="${var_src##*/}"
### Sanitize to valid var name.
declare var_safe_name="${var_file_name//[^a-zA-Z0-9_]/_}"
### Build guard-variable name.
declare var_guard_var="_${var_safe_name}_LOADED"
### If already loaded, abort sourcing
if [[ -n "${!var_guard_var:-}" ]]; then
return 0
fi
### Mark as loaded (readonly + exported)
declare -grx "${var_guard_var}"=1
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

78
lib/1010_check_pkgs.sh Normal file
View File

@@ -0,0 +1,78 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Check for required Deb Packages to run the script.
# Globals:
# VAR_AUTO_INSTALL
# Arguments:
# None
#######################################
check_pkgs() {
apt-get update -y > /dev/null 2>&1
### Define HashMap: command -> package
declare -A hmp_command_packages=(
[apt-transport-https]=apt-transport-https
[bzip2]=bzip2
[ca-certificates]=ca-certificates
[curl]=curl
[expect]=expect
[fdisk]=fdisk
[gdisk]=gdisk
[git]=git
[gpg]=gnupg
[lsb_release]=lsb-release
[mkfs.btrfs]=btrfs-progs
[mkfs.ext4]=e2fsprogs
[mkfs.fat]=dosfstools
[mkswap]=util-linux
[mkfs.xfs]=xfsprogs
[parted]=parted
[pwgen]=pwgen
[tar]=tar
[wget]=wget
[whois]=whois
[xz]=xz-utils
[yq]=yq
)
### Iterate over HashMap
declare var_cmd var_pkg
for var_cmd in "${!hmp_command_packages[@]}"; do
var_pkg="${hmp_command_packages[${var_cmd}]}"
if ! command -v "${var_cmd}" &>/dev/null; then
do_log "info" "true" "Installing ${var_pkg} ..."
apt-get install -y --no-install-recommends "${var_pkg}"
do_log "info" "true" "Installing ${var_pkg} done."
else
do_log "info" "true" "${var_cmd} already installed."
fi
done
if [[ -z "$(command -v debootstrap || true)" ]]; then
if grep -RqsE '^[[:space:]]*deb .*backports' /etc/apt/sources.list /etc/apt/sources.list.d; then
# shellcheck disable=SC2155
declare codename=$(lsb_release -sc)
apt-get install -y -t "${codename}-backports" debootstrap
else
apt-get install -y debootstrap
fi
fi
if [[ -z "$(command -v dialog || true)" ]]; then
if ! ${VAR_AUTO_INSTALL}; then apt-get install -y --no-install-recommends dialog; fi
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

36
lib/1011_check_git.sh Normal file
View File

@@ -0,0 +1,36 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Define Git Repo related Variables.
# Globals:
# VAR_GIT_HEAD
# VAR_GIT_REL
# VAR_GIT_REL_DATE
# VAR_GIT_REL_DATE_TIME
# VAR_GIT_REL_SHORT
# Arguments:
# None
#######################################
check_git() {
# shellcheck disable=SC2155
if git rev-parse --is-inside-work-tree &>/dev/null; then
declare -grx VAR_GIT_REL="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
declare -grx VAR_GIT_REL_SHORT="${VAR_GIT_REL%% *}"
declare -grx VAR_GIT_REL_DATE_TIME="${VAR_GIT_REL#* }"
declare -grx VAR_GIT_REL_DATE="${VAR_GIT_REL_DATE_TIME% *}"
declare -grx VAR_GIT_HEAD="$(git rev-parse HEAD)"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

66
lib/1015_debug_pre_scan.sh Normal file
View File

@@ -0,0 +1,66 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Check for DEBUG mode.
# Arguments:
# None
#######################################
pre_scan_debug() {
# shellcheck disable=SC2155
declare script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
. "${script_dir}/1040_arg_mismatch.sh"
declare args=("$@")
declare dbg_index=-1
declare dbg_count=0
declare i j
for i in "${!args[@]}"; do
if [[ "${args[i]}" == "-d" || "${args[i]}" == "--debug" ]]; then
dbg_index=$i
. "${script_dir}/1016_debug_var_dump.sh"
declare -grx LOG_VAR="/tmp/ciss_debian_installer_$$_var.log"
touch "${LOG_VAR}" && chmod 0600 "${LOG_VAR}"
dump_vars_initial
break
fi
done
if (( dbg_index >= 0 )); then
for (( j=dbg_index+1; j<${#args[@]} && dbg_count<2; j++ )); do
[[ "${args[j]}" =~ ^- ]] && break
case "${args[j],,}" in
xtrace)
declare -gx VAR_DEBUG_TRACE="true"
. "${script_dir}/1020_debug_trace.sh"
. "${script_dir}/1021_debug_trace_header.sh"
debug_trace "$@"
;;
trap)
declare -gx VAR_DEBUG_TRAP="true"
. "${script_dir}/1025_debug_trap.sh"
. "${script_dir}/1026_debug_trap_header.sh"
trap 'debug_trap' DEBUG
;;
*)
arg_mismatch "Invalid debug option: '${args[j]}'." ;;
esac
(( dbg_count++ ))
done
if (( dbg_count == 0 )); then arg_mismatch "--debug MUST NOT be empty."; fi
if (( dbg_count > 2 )); then arg_mismatch "--debug accepts at most two options (XTRACE, TRAP)."; fi
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

72
lib/1016_debug_var_dump.sh Normal file
View File

@@ -0,0 +1,72 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Capture an initial snapshot of all variables (excluding '^(BASH|_).*').
# Globals:
# VAR_DUMP_VARS_INITIAL
# Arguments:
# None
#######################################
dump_vars_initial() {
# shellcheck disable=SC2155
declare -grx VAR_DUMP_VARS_INITIAL=$(mktemp)
{
declare var
while IFS= read -r var; do
declare -p "${var}" 2> /dev/null
done < <(compgen -v | grep -Ev '^(BASH|_).*')
} | sort >| "${VAR_DUMP_VARS_INITIAL}"
}
#######################################
# Gather all user-defined variables (name and value)
# Globals:
# LOG_VAR
# VAR_DUMP_VARS_INITIAL
# VAR_VERSION
# Arguments:
# None
#######################################
dump_vars_exiting() {
### Capture the final snapshot of all variables (excluding '^(BASH|_).*')
# shellcheck disable=SC2155
declare var_dump_vars_final=$(mktemp)
set +x
{
declare var
while IFS= read -r var; do
declare -p "${var}" 2>/dev/null
done < <(compgen -v | grep -Ev '^(BASH|_).*')
} | sort >| "${var_dump_vars_final}"
set -x
{
printf "✅ CISS.debian.installer Config Variable Dump. \n"
printf "✅ Version : %s \n" "${VAR_VERSION}"
printf "\n"
printf "===== Initial VAR Environment ===== \n"
} >> "${LOG_VAR}"
comm -23 "${VAR_DUMP_VARS_INITIAL}" "${var_dump_vars_final}" >> "${LOG_VAR}" || true
{
printf "\n"
printf "===== Final VAR Environment ===== \n"
} >> "${LOG_VAR}"
comm -13 "${VAR_DUMP_VARS_INITIAL}" "${var_dump_vars_final}" >> "${LOG_VAR}" || true
rm -f "${VAR_DUMP_VARS_INITIAL}" "${var_dump_vars_final}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

43
lib/1020_debug_trace.sh Normal file
View File

@@ -0,0 +1,43 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Wrapper for XTRACE Debug.
# Globals:
# BASH_XTRACEFD
# LOG_TRACE
# PS4
# SHELLOPTS
# Arguments:
# None
#######################################
debug_trace() {
### Set a verbose PS4 prompt including timestamp, source, line, exit status of previous command, and function name
declare -grx PS4='\e[97m+\e[0m\e[96m$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m '
# shellcheck disable=SC2155
declare -grx LOG_TRACE="/tmp/ciss_debian_installer_$$_trace.log"
### Generates empty LOG_TRACE
touch "${LOG_TRACE}" && chmod 0600 "${LOG_TRACE}"
### Open file descriptor 42 for writing to the debug log
exec 42>| "${LOG_TRACE}"
### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables
debug_header "$#" "$*"
### Tell Bash to send xtrace output to FD 42
export BASH_XTRACEFD=42
### Enable inheritable shell options
export SHELLOPTS
### Turn on xtrace
set -x
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

64
lib/1021_debug_trace_header.sh Normal file
View File

@@ -0,0 +1,64 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Generates XTRACE Debug Log Header.
# Globals:
# BASHOPTS
# BASH_VERSINFO
# EPOCHREALTIME
# EUID
# HOSTNAME
# PPID
# PWD
# SHELLOPTS
# UID
# VAR_GIT_HEAD
# VAR_SYSTEM
# VAR_VERSION
# Arguments:
# $0: Script Name $0
# $1: Argument Counter $#
# $2: Argument String $*
#######################################
debug_trace_header() {
declare -r arg_counter="$1"
declare -r arg_string="$2"
{
printf "\e[97m+\e[0m\e[92m%s: CISS.debian.installer Debug XTRACE Log \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
printf "\e[97m+\e[0m\e[92m%s: GIT Commit : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_GIT_HEAD}"
printf "\e[97m+\e[0m\e[92m%s: Version : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_VERSION}"
printf "\e[97m+\e[0m\e[92m%s: Epoch : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EPOCHREALTIME}"
printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[0]}"
printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[1]}"
printf "\e[97m+\e[0m\e[92m%s: Bash Patch Level : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[2]}"
printf "\e[97m+\e[0m\e[92m%s: Bash Build Version : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[3]}"
printf "\e[97m+\e[0m\e[92m%s: Bash Release : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[4]}"
printf "\e[97m+\e[0m\e[92m%s: UID : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${UID}"
printf "\e[97m+\e[0m\e[92m%s: EUID : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EUID}"
printf "\e[97m+\e[0m\e[92m%s: Hostname : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${HOSTNAME}"
printf "\e[97m+\e[0m\e[92m%s: Hostsystem : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_SYSTEM}"
printf "\e[97m+\e[0m\e[92m%s: Script name : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$0"
printf "\e[97m+\e[0m\e[92m%s: Argument Counter : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${arg_counter}"
printf "\e[97m+\e[0m\e[92m%s: Argument String Original : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${arg_string}"
printf "\e[97m+\e[0m\e[92m%s: Script PID : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$$"
printf "\e[97m+\e[0m\e[92m%s: Script Parent PID : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${PPID}"
printf "\e[97m+\e[0m\e[92m%s: Script work DIR : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${PWD}"
printf "\e[97m+\e[0m\e[92m%s: Shell Options : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$-"
printf "\e[97m+\e[0m\e[92m%s: BASHOPTS : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASHOPTS}"
printf "\e[97m+\e[0m\e[92m%s: SHELLOPTS : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${SHELLOPTS}"
printf "\e[97m+\e[0m\e[92m%s: ==== Debug Log Begin ==== : \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
} >&42
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

102
lib/1025_debug_trap.sh Normal file
View File

@@ -0,0 +1,102 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
declare -g VAR_LAST_CMD=""
declare -g __preexec_invoke=""
# shellcheck disable=SC2155
declare -grx LOG_DEBUG="/tmp/ciss_debian_installer_$$_debug.log"
### Generates empty LOG_DEBUG
touch "${LOG_DEBUG}" && chmod 0600 "${LOG_DEBUG}"
### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables
debug_trace_header "$#" "$*"
### Define patterns and mask replacements
declare -Ag MASK_PATTERNS=(
["API_KEY"]="********"
["api_key"]="********"
["password"]="********"
["priv_key"]="********"
["secret"]="********"
["token"]="********"
)
#######################################
# Wrapper to write to DEBUG Logfile.
# Globals:
# BASH_LINENO
# BASH_SOURCE
# FUNCNAME
# LOG_DEBUG
# Arguments:
# None
#######################################
debug_trap_logger() {
declare var_rc="$1"; shift
declare var_msg="$*"
# shellcheck disable=SC2155
declare var_ts="$(date -u '+%Y-%m-%dT%H:%M:%S.%4N%z')"
declare -i i=0
for (( i=0; i<${#FUNCNAME[@]}; i++ )); do
if [[ ${FUNCNAME[i]} != "debug_trap_logger" && \
${FUNCNAME[i]} != "debug_trap" ]]; then
break
fi
done
declare var_func="${FUNCNAME[i]:-MAIN}"
declare var_line="${BASH_LINENO[i-1]:-?}"
declare var_script="${BASH_SOURCE[i]:-${BASH_SOURCE[0]}}"
declare var_script_rel="${var_script#"${PWD}"/}"
printf '%s [%s:%s] %s() |%s| RC:%s \n' "${var_ts}" "${var_script_rel}" "${var_line}" "${var_func}" "${var_msg}" "${var_rc}">> "${LOG_DEBUG}"
}
#######################################
# Trap function to be called on 'DEBUG'.
# Globals:
# BASH_COMMAND
# MASK_PATTERNS
# VAR_LAST_CMD
# __preexec_invoke
# Arguments:
# None
# Returns:
# 0: In all cases
#######################################
debug_trap() {
declare rc="$?" var_cmd="${BASH_COMMAND}"
### Skip any xtrace output or explicit set -x/+x calls
if [[ "${var_cmd}" == +* ]] || [[ "${var_cmd}" == "set -x" ]] || [[ "${var_cmd}" == "set +x" ]]; then
return 0
fi
### Mask sensitive substrings
declare key
for key in "${!MASK_PATTERNS[@]}"; do
#if [[ "${var_cmd}" =~ ${key} ]]; then
# var_cmd="${var_cmd//${key}/${MASK_PATTERNS[${key}]}}"
#fi
case "${var_cmd}" in
*"${key}"*) var_cmd="${var_cmd//${key}/${MASK_PATTERNS[${key}]}}" ;;
esac
done
if [[ -n "${__preexec_invoke:-}" ]]; then
debug_trap_logger "${rc}" "${VAR_LAST_CMD}"
declare -g __preexec_invoke=""
fi
declare -g __preexec_invoke=1
declare -g VAR_LAST_CMD="${var_cmd}"
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

63
lib/1026_debug_trap_header.sh Normal file
View File

@@ -0,0 +1,63 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Generates TRAP Debug Log Header.
# Globals:
# BASHOPTS
# BASH_VERSINFO
# EPOCHREALTIME
# EUID
# HOSTNAME
# LOG_DEBUG
# PPID
# PWD
# SHELLOPTS
# UID
# VAR_GIT_HEAD
# VAR_SYSTEM
# VAR_VERSION
# Arguments:
# $0: Script Name $0
# $1: Argument Counter $#
# $2: Argument String $*
#######################################
debug_trace_header() {
declare -r arg_counter="$1"
declare -r arg_string="$2"
{
printf "\e[97m+\e[0m\e[92m%s: CISS.debian.installer Debug TRAP Log \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
printf "\e[97m+\e[0m\e[92m%s: GIT Commit : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_GIT_HEAD}"
printf "\e[97m+\e[0m\e[92m%s: Version : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_VERSION}"
printf "\e[97m+\e[0m\e[92m%s: Epoch : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EPOCHREALTIME}"
printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[0]}"
printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[1]}"
printf "\e[97m+\e[0m\e[92m%s: Bash Patch Level : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[2]}"
printf "\e[97m+\e[0m\e[92m%s: Bash Build Version : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[3]}"
printf "\e[97m+\e[0m\e[92m%s: Bash Release : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[4]}"
printf "\e[97m+\e[0m\e[92m%s: UID : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${UID}"
printf "\e[97m+\e[0m\e[92m%s: EUID : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EUID}"
printf "\e[97m+\e[0m\e[92m%s: Hostname : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${HOSTNAME}"
printf "\e[97m+\e[0m\e[92m%s: Hostsystem : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_SYSTEM}"
printf "\e[97m+\e[0m\e[92m%s: Script name : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$0"
printf "\e[97m+\e[0m\e[92m%s: Argument Counter : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${arg_counter}"
printf "\e[97m+\e[0m\e[92m%s: Argument String Original : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${arg_string}"
printf "\e[97m+\e[0m\e[92m%s: Script PID : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$$"
printf "\e[97m+\e[0m\e[92m%s: Script Parent PID : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${PPID}"
printf "\e[97m+\e[0m\e[92m%s: Script work DIR : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${PWD}"
printf "\e[97m+\e[0m\e[92m%s: Shell Options : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$-"
printf "\e[97m+\e[0m\e[92m%s: BASHOPTS : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASHOPTS}"
printf "\e[97m+\e[0m\e[92m%s: SHELLOPTS : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${SHELLOPTS}"
printf "\e[97m+\e[0m\e[92m%s: ==== Debug Log Begin ==== : \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
} >| "${LOG_DEBUG}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

156
lib/1030_trap_err.sh Normal file
View File

@@ -0,0 +1,156 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Print Error Message for Trap on 'ERR' in '${ERROR_LOG}'.
# Globals:
# ARGUMENTS_COUNT
# ARG_STR_ORG_INPUT
# ERRCMMD
# ERRCODE
# ERRFUNC
# ERRLINE
# ERRSCRT
# LOG_DEBUG
# LOG_ERROR
# LOG_TRACE
# LOG_VAR
# SECONDS
# VAR_ARG_SANITIZED
# VAR_DEBUG_TRACE
# VAR_DEBUG_TRAP
# VAR_GIT_HEAD
# VAR_SYSTEM
# VAR_VERSION
# Arguments:
# None
#######################################
print_file_err() {
{
printf "❌ CISS.debian.installer Script failed. \n"
printf "❌ GIT Commit : %s \n" "${VAR_GIT_HEAD}"
printf "❌ Version : %s \n" "${VAR_VERSION}"
printf "❌ Hostsystem : %s \n" "${VAR_SYSTEM}"
printf "❌ Error : %s \n" "${ERRCODE}"
printf "❌ Line : %s \n" "${ERRLINE}"
printf "❌ Script : %s \n" "${ERRSCRT}"
printf "❌ Function : %s \n" "${ERRFUNC}"
printf "❌ Command : %s \n" "${ERRCMMD}"
printf "❌ Script PID : %s \n" "${$}"
printf "❌ Script Runtime : %s \n" "${SECONDS}"
printf "❌ Arguments Counter : %s \n" "${ARGUMENTS_COUNT}"
printf "❌ Arguments Original : %s \n" "${ARG_STR_ORG_INPUT}"
printf "❌ Arguments Sanitized : %s \n" "${VAR_ARG_SANITIZED}"
if [[ "${VAR_DEBUG_TRACE}" || "${VAR_DEBUG_TRAP}" ]]; then
printf "❌ Vars Dump saved at : %s \n" "${LOG_VAR}"
fi
if "${VAR_DEBUG_TRAP}"; then
printf "❌ DEBUG Log saved at : %s \n" "${LOG_DEBUG}"
printf "❌ cat %s \n" "${LOG_DEBUG}"
fi
if "${VAR_DEBUG_TRACE}"; then
printf "❌ TRACE Log saved at : %s \n" "${LOG_TRACE}"
printf "❌ cat %s \n" "${LOG_TRACE}"
fi
printf "\n"
} >> "${LOG_ERROR}"
}
#######################################
# Print Error Message for Trap on 'ERR' on Terminal.
# Globals:
# ARGUMENTS_COUNT
# ARG_STR_ORG_INPUT
# ERRCMMD
# ERRCODE
# ERRFUNC
# ERRLINE
# ERRSCRT
# LOG_DEBUG
# LOG_ERROR
# LOG_TRACE
# LOG_VAR
# SECONDS
# VAR_ARG_SANITIZED
# VAR_DEBUG_TRACE
# VAR_DEBUG_TRAP
# VAR_GIT_HEAD
# VAR_SYSTEM
# VAR_VERSION
# Arguments:
# None
#######################################
print_scr_err() {
printf "\e[91m❌ CISS.debian.installer Script failed. \e[0m\n" >&2
printf "\e[91m❌ GIT Commit : %s \e[0m\n" "${VAR_GIT_HEAD}" >&2
printf "\e[91m❌ Version : %s \e[0m\n" "${VAR_VERSION}" >&2
printf "\e[91m❌ Hostsystem : %s \e[0m\n" "${VAR_SYSTEM}" >&2
printf "\e[91m❌ Error : %s \e[0m\n" "${ERRCODE}" >&2
printf "\e[91m❌ Line : %s \e[0m\n" "${ERRLINE}" >&2
printf "\e[91m❌ Script : %s \e[0m\n" "${ERRSCRT}" >&2
printf "\e[91m❌ Function : %s \e[0m\n" "${ERRFUNC}" >&2
printf "\e[91m❌ Command : %s \e[0m\n" "${ERRCMMD}" >&2
printf "\e[91m❌ Script PID : %s \e[0m\n" "${$}" >&2
printf "\e[91m❌ Script Runtime : %s \e[0m\n" "${SECONDS}" >&2
printf "\e[91m❌ Arguments Counter : %s \e[0m\n" "${ARGUMENTS_COUNT}" >&2
printf "\e[91m❌ Arguments Original : %s \e[0m\n" "${ARG_STR_ORG_INPUT}" >&2
printf "\e[91m❌ Arguments Sanitized : %s \e[0m\n" "${VAR_ARG_SANITIZED}" >&2
printf "\e[91m❌ Error Log saved at : %s \e[0m\n" "${LOG_ERROR}" >&2
printf "\e[91m❌ cat %s \e[0m\n" "${LOG_ERROR}" >&2
if [[ "${VAR_DEBUG_TRACE}" || "${VAR_DEBUG_TRAP}" ]]; then
printf "\e[91m❌ Vars Dump saved at : %s \e[0m\n" "${LOG_VAR}" >&2
fi
if "${VAR_DEBUG_TRAP}"; then
printf "\e[91m❌ Debug Log saved at : %s \e[0m\n" "${LOG_DEBUG}" >&2
printf "\e[91m❌ cat %s \e[0m\n" "${LOG_DEBUG}" >&2
fi
if "${VAR_DEBUG_TRACE}"; then
printf "\e[91m❌ Debug Log saved at : %s \e[0m\n" "${LOG_TRACE}" >&2
printf "\e[91m❌ cat %s \e[0m\n" "${LOG_TRACE}" >&2
fi
printf "\n"
}
#######################################
# Trap function to be called on 'ERR'.
# Globals:
# ERRCMMD
# ERRCODE
# ERRFUNC
# ERRLINE
# ERRSCRT
# VAR_DEBUG_TRACE
# VAR_DEBUG_TRAP
# VAR_IN_DIALOG_WR
# Arguments:
# $1: "$?"
# $2: "${BASH_SOURCE[0]}"
# $3: "${LINENO}"
# $4: "${FUNCNAME[0]:-main}"
# $5: "${BASH_COMMAND}"
#######################################
trap_err() {
trap - DEBUG ERR INT
declare -g ERRCODE="$1"
declare -g ERRSCRT="$2"
declare -g ERRLINE="$3"
declare -g ERRFUNC="$4"
declare -g ERRCMMD="$5"
if [[ "${VAR_DEBUG_TRACE}" || "${VAR_DEBUG_TRAP}" ]]; then dump_vars_exiting; fi
case "${VAR_IN_DIALOG_WR}" in
box ) dialog_box_cleaner ;;
gauge ) dialog_gauge_cleaner ;;
esac
print_file_err
print_scr_err
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

80
lib/1031_trap_exit.sh Normal file
View File

@@ -0,0 +1,80 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Trap function to be called on 'EXIT'.
# Globals:
# VAR_DEBUG_TRACE
# VAR_DEBUG_TRAP
# Arguments:
# $1: "$?"
#######################################
trap_exit() {
trap - DEBUG ERR EXIT INT
declare -r var_trap_on_exit_code="$1"
if [[ -n "${__preexec_invoke:-}" ]]; then
debug_trap_logger "${var_trap_on_exit_code}" "${VAR_LAST_CMD}"
unset __preexec_invoke
fi
if (( var_trap_on_exit_code == 0 )); then
if [[ "${VAR_DEBUG_TRACE}" || "${VAR_DEBUG_TRAP}" ]]; then dump_vars_exiting; fi
clean_up "${var_trap_on_exit_code}"
print_scr_exit "${var_trap_on_exit_code}"
exit "${var_trap_on_exit_code}"
else
clean_up "${var_trap_on_exit_code}"
exit "${var_trap_on_exit_code}"
fi
}
#######################################
# Print Success Message for Trap on 'EXIT' on 'stdout'.
# Globals:
# LOG_DEBUG
# LOG_TRACE
# LOG_VAR
# VAR_DEBUG_TRACE
# VAR_DEBUG_TRAP
# VAR_SCRIPT_SUCCESS
# Arguments:
# $1: ${var_trap_on_exit_code} of trap_exit()
#######################################
print_scr_exit() {
declare -r var_print_scr_exit_code="$1"
if (( var_print_scr_exit_code == 0 )); then
if [[ "${VAR_SCRIPT_SUCCESS}" == true ]]; then
printf "\n"
printf "\e[92m✅ CISS.debian.installer Script successful. \e[0m\n"
printf "\e[92m✅ Exited with Status : %s \e[0m\n" "${var_print_scr_exit_code}"
printf "\n"
if [[ "${VAR_DEBUG_TRACE}" || "${VAR_DEBUG_TRAP}" ]]; then
printf "\e[92m✅ Vars Dump saved at : %s \e[0m\n" "${LOG_VAR}"
printf "\e[92m✅ cat %s \e[0m\n" "${LOG_VAR}"
fi
if "${VAR_DEBUG_TRAP}"; then
printf "\e[92m✅ DEBUG Log saved at : %s \e[0m\n" "${LOG_DEBUG}"
printf "\e[92m✅ cat %s \e[0m\n" "${LOG_DEBUG}"
fi
if "${VAR_DEBUG_TRACE}"; then
printf "\e[92m✅ TRACE Log saved at : %s \e[0m\n" "${LOG_TRACE}"
printf "\e[92m✅ cat %s \e[0m\n" "${LOG_TRACE}"
fi
printf "\n"
printf "\e[95m💷 Please consider donating to my work at: \e[0m\n"
printf "\e[95m🔗 https://coresecret.eu/spenden/ \e[0m\n"
printf "\n"
fi
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

82
lib/1032_trap_int.sh Normal file
View File

@@ -0,0 +1,82 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Restart Dialog Wrapper in case of unintentional SIGINT.
# Arguments:
# $1: Dialog Wrapper in use.
#######################################
restart_dialog() {
trap 'trap_int' INT
trap 'trap_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
case "$1" in
box ) dialog_box ;;
gauge ) dialog_gauge ;;
* ) ;;
esac
}
#######################################
# Trap function to be called on 'SIGINT'.
# Globals:
# ERR_TRAPPED_SIG_INT
# VAR_IN_DIALOG_WR
# Arguments:
# None
# Returns:
# 0: In case of unintentional SIGINT.
#######################################
trap_int() {
case "${VAR_IN_DIALOG_WR}" in
box ) dialog_box_cleaner; declare var_helper_dialog=box ;;
gauge ) dialog_gauge_cleaner; declare var_helper_dialog=gauge ;;
* ) declare var_helper_dialog=false ;;
esac
trap '' ERR INT
declare answer
if ! read -r -t 16 -p $'\n\e[93mCISS.debian.installer caught an INT.\e[0m \e[92mDo you want to abort the Installer? (y/N) \e[0m' answer; then
printf "\e[92mCISS.debian.installer caught an INT. No User confirmation after 16 seconds. Proceeding with Installer. \e[0m\n" >&2
if [[ "${var_helper_dialog}" == box ]]; then
restart_dialog "${var_helper_dialog}"
return 0
elif [[ "${var_helper_dialog}" == gauge ]]; then
restart_dialog "${var_helper_dialog}"
return 0
else
restart_dialog "${var_helper_dialog}"
return 0
fi
fi
case "${answer,,}" in
y|yes)
printf "\e[91mCISS.debian.installer caught an INT. SIGINT confirmed by User, exiting Installer. \e[0m\n" >&2
exit "${ERR_TRAPPED_SIG_INT}"
;;
*)
printf "\e[92mCISS.debian.installer caught an INT. SIGINT NOT confirmed by User, proceeding with Installer. \e[0m\n" >&2
if [[ "${var_helper_dialog}" == box ]]; then
restart_dialog "${var_helper_dialog}"
return 0
elif [[ "${var_helper_dialog}" == gauge ]]; then
restart_dialog "${var_helper_dialog}"
return 0
else
restart_dialog "${var_helper_dialog}"
return 0
fi
;;
esac
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

38
lib/1035_clean_up.sh Normal file
View File

@@ -0,0 +1,38 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Clean Up Wrapper on Trap on 'EXIT'.
# Globals:
# LOG_ERROR
# VAR_KERNEL_INF
# VAR_KERNEL_SRT
# VAR_KERNEL_TMP
# VAR_WORKDIR
# Arguments:
# $1: ${var_trap_on_exit_code} of trap_exit()
#######################################
clean_up() {
declare var_clean_exit_code="$1"
rm -f -- "${VAR_KERNEL_INF}"
rm -f -- "${VAR_KERNEL_SRT}"
rm -f -- "${VAR_KERNEL_TMP}"
rm -f -- "${VAR_NOTES}"
# Release advisory lock on FD 127.
flock -u 127
# Close file descriptor 127.
exec 127>&-
# Remove the lockfile artifact.
rm -f /run/lock/ciss_debian_installer.lock
if (( var_clean_exit_code == 0 )); then rm -f -- "${LOG_ERROR}"; fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

36
lib/1040_arg_mismatch.sh Normal file
View File

@@ -0,0 +1,36 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper for mismatched Arguments.
# Globals:
# ERR_ARG_MISMATCH
# VAR_AUTO_INSTALL
# VAR_IN_DIALOG_WR
# Arguments:
# $1: Error message to be printed.
#######################################
arg_mismatch() {
### Call cleaner if and only if not in auto-install mode.
if [[ "${VAR_AUTO_INSTALL}" == false ]]; then
### Dynamically select the cleaner based on the dialog wrapper type.
case "${VAR_IN_DIALOG_WR}" in
box|gauge)
"dialog_${VAR_IN_DIALOG_WR}_cleaner"
;;
esac
fi
printf "\e[91m❌ Error: %s\e[0m\n" "${1}" >&2
read -pr $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_ARG_MISMATCH}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

87
lib/1041_arg_sanitizer.sh Normal file
View File

@@ -0,0 +1,87 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Argument Check Wrapper.
# Arguments:
# $1: "$@" of ./setup.sh
#######################################
arg_check() {
declare a
declare sanitized_args=()
for a in "$@"; do
sanitized_args+=("$( sanitize_arg "${a}")")
done
set -- "${sanitized_args[@]}"
}
#######################################
# Function to sanitize a single argument
# Globals:
# ERR_UNSAFE_CHARACTER
# LOG_ERROR
# Arguments:
# $1: Argument to check
#######################################
sanitize_arg() {
declare input="${1}"
declare disallowed_ctrl=""
### Step 1: Check for control characters
if printf '%s' "${input}" | grep -qP '[[:cntrl:]]'; then
disallowed_ctrl=$(printf '%s' "${input}" | sed -n 's/[^[:cntrl:]]//gp' | sed $'s/./&\\n/g' \
| while read -r c; do printf "%02X " "'$c"; done)
{
printf "❌ Control character : '%s'. \n" "${disallowed_ctrl}"
printf "❌ in argument : '%s'. \n" "${input}"
printf "❌ Allowed Characters : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \n"
printf "\n"
} >> "${LOG_ERROR}"
case "${VAR_IN_DIALOG_WR}" in
box ) dialog_box_cleaner ;;
gauge ) dialog_gauge_cleaner ;;
esac
printf "\e[91m❌ Control character : '%s'. \e[0m\n" "${disallowed_ctrl}" >&2
printf "\e[91m❌ in argument : '%s'. \e[0m\n" "${input}" >&2
printf "\e[91m❌ Allowed Characters : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \e[0m\n" >&2
# shellcheck disable=SC2162
read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_UNSAFE_CHARACTER}"
fi
### Step 2: Define allowed characters:
### letters, digits, dot, underscore, slash, equals, [, ], colon, double-quote, hyphen, space.
declare allowed='a-zA-Z0-9._/=\[\]:"\-+ '
declare disallowed
disallowed=$(printf '%s' "${input}" | tr -d "${allowed}")
if [[ -n ${disallowed} ]]; then
{
printf "❌ Invalid character : '%s'. \n" "${disallowed//?/& }"
printf "❌ in argument : '%s'. \n" "${input}"
printf "❌ Allowed Characters : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \n"
printf "\n"
} >> "${LOG_ERROR}"
case "${VAR_IN_DIALOG_WR}" in
box ) dialog_box_cleaner ;;
gauge ) dialog_gauge_cleaner ;;
esac
printf "\e[91m❌ Invalid character : '%s'. \e[0m\n" "${disallowed//?/& }" >&2
printf "\e[91m❌ in argument : '%s'. \e[0m\n" "${input}" >&2
printf "\e[91m❌ Allowed Characters : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \e[0m\n" >&2
# shellcheck disable=SC2162
read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_UNSAFE_CHARACTER}"
else
printf '%s' "${input}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

127
lib/1042_arg_parser.sh Normal file
View File

@@ -0,0 +1,127 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Argument Parser
# Globals:
# VAR_AUTO_INSTALL
# VAR_IN_DIALOG_WR
# VAR_PRIORITY
# VAR_REIONICE_CLASS
# VAR_REIONICE_PRIORITY
# Arguments:
# None
#######################################
arg_parser() {
while [[ $# -gt 0 ]]; do
declare argument="${1}"
case "${argument,,}" in
-a | --autoinstall)
if [[ -n "${2}" && "${2}" != -* ]]; then arg_mismatch "--autoinstall MUST NOT be followed by an argument."; fi
shift 1
;;
-c | --contact)
if [[ -n "${2}" && "${2}" != -* ]]; then arg_mismatch "--contact MUST NOT be followed by an argument."; fi
shift 1
;;
-d | --debug)
shift 1
while [[ $# -gt 0 && ! "$1" =~ ^- ]]; do
shift 1
done
;;
-h | --help)
if [[ -n "${2}" && "${2}" != -* ]]; then arg_mismatch "--help MUST NOT be followed by an argument."; fi
shift 1
;;
-l | --log)
case "${2,,}" in
info)
declare -gx DEFAULT_LOG_LEVEL="$2"
shift 2
;;
notice)
declare -gx DEFAULT_LOG_LEVEL="$2"
shift 2
;;
warn)
declare -gx DEFAULT_LOG_LEVEL="$2"
shift 2
;;
error)
declare -gx DEFAULT_LOG_LEVEL="$2"
shift 2
;;
emergency)
declare -gx DEFAULT_LOG_LEVEL="$2"
shift 2
;;
*)
if [[ "${VAR_AUTO_INSTALL}" == false && "${VAR_IN_DIALOG_WR}" == true ]]; then dialog_gauge_cleaner; fi
usage
;;
esac
;;
-v | --version)
if [[ -n "${2}" && "${2}" != -* ]]; then arg_mismatch "--version MUST NOT be followed by an argument."; fi
shift 1
;;
--renice-priority)
if [[ -n ${2} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then
declare -gix VAR_PRIORITY="${2}"
shift 2
else
arg_mismatch "--renice-priority MUST be an integer between '-19' and '19'."
fi
;;
--reionice-priority)
if [[ -z "${2}" ]]; then
arg_mismatch "--reionice-priority no values provided."
else
if [[ "${2}" =~ ^[1-3]$ ]]; then
declare -gix VAR_REIONICE_CLASS="${2}"
if [[ -z "${3}" ]]; then
:
else
if [[ "${3}" =~ ^[0-7]$ ]]; then
declare -gix VAR_REIONICE_PRIORITY="${3}"
else
arg_mismatch "--reionice-priority PRIORITY MUST be an integer between '0' and '7'."
fi
fi
else
arg_mismatch "--reionice-priority CLASS MUST be an integer between '1' and '3'."
fi
fi
if [[ -n ${VAR_REIONICE_PRIORITY} ]]; then
shift 3
else
shift 2
fi
;;
*)
if [[ "${VAR_AUTO_INSTALL}" == false && "${VAR_IN_DIALOG_WR}" == true ]]; then dialog_gauge_cleaner; fi
usage
;;
esac
done
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

38
lib/1043_arg_priority_check.sh Normal file
View File

@@ -0,0 +1,38 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Check and setup Script Priorities
# Globals:
# VAR_PRIORITY
# VAR_REIONICE_CLASS
# VAR_REIONICE_PRIORITY
# Arguments:
# None
#######################################
arg_priority_check() {
declare var
### Check if nice PRIORITY is set and adjust nice priority.
if [[ -n ${VAR_PRIORITY} ]]; then
renice "${VAR_PRIORITY}" -p "$$"
var=$(ps -o ni= -p $$) > /dev/null 2>&1
printf "\e[92m✅ New renice value: %s\e[0m\n" "${var}"
fi
# Check if ionice PRIORITY is set and adjust ionice priority.
if [[ -n ${VAR_REIONICE_CLASS} ]]; then
ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
var=$(ionice -p $$) > /dev/null 2>&1
printf "\e[92m✅ New ionice value: %s\e[0m\n" "${var}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

151
lib/1050_dialog_helper.sh Normal file
View File

@@ -0,0 +1,151 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Terminal cleaner for Dialog Wrappers.
# Arguments:
# None
#######################################
clean_screen() {
tput cnorm > /dev/tty # Cursor visible
tput sgr0 > /dev/tty # Attributes off
stty sane < /dev/tty # Sane modes
tput rmcup > /dev/tty # Back to the main buffer
clear > /dev/tty # Clear residual
#lines=$(tput lines)
#tput cup $((lines-1)) 0 > /dev/tty
#printf "\n" > /dev/tty
}
#######################################
# Wrapper for Dialog Gauge Bar.
# Globals:
# PID_DIALOG_GAUGE
# PIPE_DIALOG_GAUGE
# VAR_IN_DIALOG_WR
# Arguments:
# None
#######################################
dialog_gauge() {
clear
declare -gx VAR_IN_DIALOG_WR="gauge"
declare -gr PIPE_DIALOG_GAUGE="/tmp/dialog_gauge_$$.fifo"
if [[ -e "${PIPE_DIALOG_GAUGE}" && ! -p "${PIPE_DIALOG_GAUGE}" ]]; then
rm -f "${PIPE_DIALOG_GAUGE}"
fi
[[ -p "${PIPE_DIALOG_GAUGE}" ]] || mkfifo "${PIPE_DIALOG_GAUGE}"
setsid dialog --no-collapse \
--ascii-lines \
--keep-tite \
--title "CISS.debian.installer" \
--gauge "Starting installation..." \
10 70 0 \
< "${PIPE_DIALOG_GAUGE}" &
declare -gr PID_DIALOG_GAUGE="$!"
exec {FD_GAUGE}> "${PIPE_DIALOG_GAUGE}"
}
#######################################
# Wrapper for Dialog Program Box.
# Globals:
# COLS_USE
# PID_DIALOG_BOX
# PIPE_DIALOG_BOX
# ROWS_USE
# VAR_IN_DIALOG_WR
# Arguments:
# None
#######################################
dialog_box() {
### Save original stdout
exec {FD_SAVE_OUT}>&1
clear
declare -gx VAR_IN_DIALOG_WR="box"
declare -gr PIPE_DIALOG_BOX="/tmp/dialog_box_$$.fifo"
if [[ -e "${PIPE_DIALOG_BOX}" && ! -p "${PIPE_DIALOG_BOX}" ]]; then
rm -f "${PIPE_DIALOG_BOX}"
fi
[[ -p "${PIPE_DIALOG_BOX}" ]] || mkfifo "${PIPE_DIALOG_BOX}"
dialog --create-rc ~/.dialogrc
sed -i 's/screen_color = (CYAN,BLUE,ON)/screen_color = (WHITE,RED,ON)/' ~/.dialogrc
sed -i 's/title_color = (BLUE,WHITE,ON)/title_color = (BLACK,WHITE,ON,ON)/' ~/.dialogrc
sed -i 's/use_scrollbar = OFF/use_scrollbar = ON/' ~/.dialogrc
sed -i 's/dialog_color = (BLACK,WHITE,OFF)/dialog_color = (WHITE,BLACK,OFF)/' ~/.dialogrc
sed -i 's/border2_color = dialog_color/border2_color = (BLACK,WHITE,OFF)/' ~/.dialogrc
sed -i 's/inputbox_border_color = dialog_color/inputbox_border_color = (BLACK,WHITE,OFF)/' ~/.dialogrc
sed -i 's/inputbox_border2_color = dialog_color/inputbox_border2_color = (BLACK,WHITE,OFF)/' ~/.dialogrc
sed -i 's/menubox_border_color = border_color/menubox_border_color = (BLACK,WHITE,OFF)/' ~/.dialogrc
sed -i 's/menubox_border2_color = dialog_color/menubox_border2_color = (BLACK,WHITE,OFF)/' ~/.dialogrc
sed -i 's/searchbox_border2_color = dialog_color/searchbox_border2_color = (BLACK,WHITE,OFF)/' ~/.dialogrc
chmod 0440 ~/.dialogrc
setsid dialog --colors \
--ascii-lines \
--title "Installation Progress" \
--backtitle "CISS.2025.debian.installer" \
--programbox "${ROWS_USE}" "${COLS_USE}" \
< "${PIPE_DIALOG_BOX}" &
declare -gr PID_DIALOG_BOX="$!"
### Redirect both stdout and stderr into FIFO
exec 1> "${PIPE_DIALOG_BOX}" 2>&1
}
#######################################
# Dialog Program Box Cleaner.
# Globals:
# PID_DIALOG_BOX
# PIPE_DIALOG_BOX
# Arguments:
# None
#######################################
dialog_box_cleaner() {
[[ -n "${FD_SAVE_OUT-}" ]] && exec 1>&"${FD_SAVE_OUT}" 2>&"${FD_SAVE_OUT}"
[[ -n "${FD_SAVE_OUT-}" ]] && exec {FD_SAVE_OUT}>&-
[[ -n "${FD_SAVE_OUT-}" ]] && unset FD_SAVE_OUT
kill -TERM -- -"${PID_DIALOG_BOX}" 2>/dev/null || true
wait "${PID_DIALOG_BOX}" 2>/dev/null || true
unset PID_DIALOG_BOX
rm -f "${PIPE_DIALOG_BOX}"
unset PIPE_DIALOG_BOX
rm -f ~/.dialogrc
declare -gx VAR_IN_DIALOG_WR="false"
clean_screen
sleep 1
}
#######################################
# Dialog Gauge Bar Cleaner.
# Globals:
# PID_DIALOG_GAUGE
# PIPE_DIALOG_GAUGE
# Arguments:
# None
#######################################
dialog_gauge_cleaner() {
if [[ -n "${FD_GAUGE-}" ]]; then
exec {FD_GAUGE}>&-
unset FD_GAUGE
fi
kill -TERM -- -"${PID_DIALOG_GAUGE}" 2>/dev/null || true
wait "${PID_DIALOG_GAUGE}" 2>/dev/null || true
unset PID_DIALOG_GAUGE
rm -f "${PIPE_DIALOG_GAUGE}"
unset PIPE_DIALOG_GAUGE
declare -gx VAR_IN_DIALOG_WR="false"
clean_screen
sleep 1
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

62
lib/lib_cdi.sh Normal file
View File

@@ -0,0 +1,62 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# CISS.2025.debian.installer GRUB and Autostart Generator
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_CDI
# VAR_KERNEL
# VAR_WORKDIR
# Arguments:
# None
#######################################
cdi() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ "${VAR_HANDLER_CDI}" == "true" ]]; then
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config"
fi
cp "${VAR_WORKDIR}/scripts/9000-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
chmod 0750 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
declare tmp_entry
tmp_entry="$(mktemp)"
cat << EOF >| "${tmp_entry}"
menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums live-config.components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Europe/Lisbon audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none findiso=\${iso_path}
initrd /live/initrd.img-${VAR_KERNEL}
}
EOF
sed -i "/#MUST_BE_REPLACED/{
r ${tmp_entry}
d
}" "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
sed -i "/#MUST_BE_REPLACED/{
r ${tmp_entry}
d
}" "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-pc/grub.cfg"
rm -f "${tmp_entry}"
else
# shellcheck disable=SC1003
sed -i '/#MUST_BE_REPLACED/c\\' "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

37
lib/lib_change_splash.sh Normal file
View File

@@ -0,0 +1,37 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Change Grub Boot Screen Splash
# Globals:
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_SPLASH
# VAR_WORKDIR
# Arguments:
# None
#######################################
change_splash() {
if [[ ${VAR_HANDLER_SPLASH} == "club" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'club.png' selected ...\e[0m\n"
cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'club.png' selected done. \e[0m\n"
elif [[ ${VAR_HANDLER_SPLASH} == "hexagon" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'hexagon.png' selected ...\e[0m\n"
cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'hexagon.png' selected done. \e[0m\n"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

26
lib/lib_check_dhcp.sh Normal file
View File

@@ -0,0 +1,26 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Check if hardened Centurion DNS servers are desired.
# Globals:
# VAR_HANDLER_DHCP
# VAR_WORKDIR
# Arguments:
# None
#######################################
check_dhcp() {
if [[ ${VAR_HANDLER_DHCP} -eq 1 ]]; then
chmod +x "${VAR_WORKDIR}"/scripts/0010_dhcp_supersede.sh && "${VAR_WORKDIR}"/scripts/0010_dhcp_supersede.sh
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

37
lib/lib_check_hooks.sh Normal file
View File

@@ -0,0 +1,37 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Check and apply 0755 Permissions on every ./config/hooks/live/*.chroot file
# Globals:
# ERR_UNCRITICAL
# VAR_WORKDIR
# Arguments:
# None
#######################################
check_hooks() {
declare ifs
ifs=$'\n\t'
shopt -s nullglob
declare -a files=("${VAR_WORKDIR}"/config/hooks/live/*.chroot)
if (( ${#files[@]} == 0 )); then
printf "\e[91m❌ No '*.chroot' files found in '%s/config/hooks/live'. \e[0m\n" "${VAR_WORKDIR}" >&2
exit "${ERR_UNCRITICAL}"
fi
declare file
for file in "${files[@]}"; do
chmod 0755 "${file}"
done
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

72
lib/lib_check_kernel.sh Normal file
View File

@@ -0,0 +1,72 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Kernel Image Selector
# Globals:
# VAR_ARCHITECTURE
# VAR_KERNEL
# VAR_KERNEL_SRT
# VAR_KERNEL_TMP
# Arguments:
# None
# Returns:
# 42: Sorting Error.
#######################################
check_kernel() {
clear
declare -i counter=1
declare first_string=""
declare line=""
declare -gx VAR_KERNEL=""
declare name=""
declare options=""
if [[ ${VAR_ARCHITECTURE} != arm64 ]]; then
apt-cache search linux-image | grep linux-image | grep amd64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${VAR_KERNEL_TMP}"
else
apt-cache search linux-image | grep linux-image | grep arm64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${VAR_KERNEL_TMP}"
fi
sort --output="${VAR_KERNEL_SRT}" "${VAR_KERNEL_TMP}" || {
printf "❌ Error check_kernel() Line 40 sort failed\n" >&2
# shellcheck disable=SC2162
read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
return 42
}
while IFS= read -r line; do
first_string=${line%% *}
name=${first_string#linux-image-}
options+=("${name}" "${counter}" off)
((counter++))
done < "${VAR_KERNEL_SRT}"
# shellcheck disable=SC2155
if declare -g VAR_KERNEL=$(dialog \
--no-collapse \
--ascii-lines \
--clear \
--backtitle "CISS.debian.live.builder" \
--title "Select the Kernel for the CISS Hardened Debian Live Image ISO" \
--radiolist "Kernel available \n *+bpo* : Debian Backported Kernel \n *cloud* : Special lightweight images for KVM \n *unsigned* : Unsigned Kernel \n *preempt_rt* : Special Kernel for real-time-computing \n Not unsigned marked are MS signed Kernel for Secure Boot \n" 0 0 "${options[@]}" 3>&1 1>&2 2>&3 3>&-); then
clear
else
clear
if [[ "${VAR_ARCHITECTURE}" == "amd64" ]]; then
declare -gr VAR_KERNEL="amd64"
elif [[ "${VAR_ARCHITECTURE}" == "arm64" ]]; then
declare -gr VAR_KERNEL="arm64"
fi
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

65
lib/lib_check_provider.sh Normal file
View File

@@ -0,0 +1,65 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Notes Textbox
# Arguments:
# None
#######################################
check_provider() {
clear
cat << 'EOF' >| "${VAR_NOTES}"
Build: Master V8.03.768.2025.06.17
Press 'EXIT' to continue with CISS.debian.live.builder.
When you provision ISO images using the Netcup provider, you MUST always supply a globally unique identifier
for each image via the --control argument. If you omit this flag or reuse an existing identifier, Netcup's
backend will automatically locate and mount the oldest ISO carrying that same name. In practice, this means
you might believe you're booting a freshly uploaded image, but in fact, the system silently reattaches an
earlier one-leading to confusing failures and wasted troubleshooting time.
A separate but related issue emerges when booting certain Debian "cloud" kernel images-specifically those
matching the patterns *.+bpo-cloud-amd64 or *.+bpo-cloud-arm64-on a Netcup G11 instance or on a Hetzner VM.
After the initramfs is loaded, the console output often becomes garbled or completely unreadable. This is not
due to a kernel panic, but rather to a mismatch between the framebuffer mode expected by the initramfs and the
one actually provided by the virtual hardware. Common workarounds, like editing the boot entry (e) and appending
- 'nomodeset', or
- 'vga=0x318',
do not resolve the issue because they address legacy VGA modes rather than the EFI framebuffer parameters used
in modern cloud images.
To mitigate this, you can:
- Use a plain Debian kernel (e.g., linux-image-amd64) instead of the bpo-cloud variants, which are optimized
for cloud-init but presume a different console setup.
- Explicitly set an EFI-compatible framebuffer by adding something like 'video=efifb:mode=auto' to the kernel
command line. This aligns the initramfs console driver with the actual firmware framebuffer.
- Build a custom initramfs that includes the correct video modules or switches back to a serial console. For
example, adding 'console=ttyS0,115200' can force all early messages to the serial port bypassing the
graphical framebuffer entirely.
EOF
dialog --no-collapse \
--ascii-lines \
--clear \
--backtitle "CISS.debian.live.builder" \
--title "Important Notes" \
--scrollbar \
--textbox "${VAR_NOTES}" 32 128
clear
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

27
lib/lib_check_stats.sh Normal file
View File

@@ -0,0 +1,27 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Check if analysis run is desired only.
# Globals:
# VAR_HANDLER_STA
# Arguments:
# None
#######################################
check_stats() {
if [[ ${VAR_HANDLER_STA} -eq 1 ]]; then
clear
run_analysis
exit 0
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

35
lib/lib_check_var.sh Normal file
View File

@@ -0,0 +1,35 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Unbound Variable Check and call Trap on ERR
# Globals:
# ERR_UNBOUNDVAR
# Arguments:
# $1: VAR_NAME to check
# Returns:
# "${ERR_UNBOUNDVAR}"
#######################################
check_var() {
declare var_name_to_check="$1"
if [[ -n "${!var_name_to_check+exists}" ]]; then
if [[ -n "${!var_name_to_check}" ]]; then
printf "\e[92m✅ Variable: '%s' exists and is NOT empty: '%s' \e[0m\n" "${var_name_to_check}" "${!var_name_to_check}"
else
printf "\e[92m✅ Variable: '%s' exists but is empty. \e[0m\n" "${var_name_to_check}"
fi
else
printf "\e[91m❌ Variable: '%s' is not declared. Exiting Script. \e[0m\n" "${var_name_to_check}" >&2
return "${ERR_UNBOUNDVAR}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

38
lib/lib_copy_integrity.sh Normal file
View File

@@ -0,0 +1,38 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Copy Initial ISO aide Database into Host System
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# Arguments:
# None
# Returns:
# 0 : Aide Init DB copying successful.
#######################################
copy_db() {
# printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.integrity" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/.integrity"
fi
if cp -p "${VAR_HANDLER_BUILD_DIR}/chroot/var/lib/aide/"* "${VAR_HANDLER_BUILD_DIR}/.integrity/"; then
chmod 0400 "${VAR_HANDLER_BUILD_DIR}/.integrity/"*
# printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ '%s' NOT successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

101
lib/lib_hardening_root_pw.sh Normal file
View File

@@ -0,0 +1,101 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Updates the Live ISO to use root password authentication for local console access.
# Globals:
# VAR_HANDLER_BUILD_DIR
# VAR_HASHED_PWD
# Arguments:
# None
# Returns:
# 0: In case no root password is desired.
#######################################
hardening_root_pw() {
if [[ -z ${VAR_HASHED_PWD} ]]; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Root Password for Console set, skipping root password hook.\e[0m\n"
# sleep 1
return 0
fi
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Setup Root Password for Console ... \e[0m\n"
# sleep 1
declare cfg_dir="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/live"
declare cfg_file="${cfg_dir}/config.conf"
declare dropin_dir="${cfg_dir}/config.conf.d"
declare dropin_file="${dropin_dir}/20-root-password.conf"
mkdir -p "${dropin_dir}"
cat << 'EOF' >| "${dropin_dir}"/10-disable-autologin.conf
live-config.noautologin
EOF
if ! grep -q 'LIVE_CONFIGS=.*root-password' "${cfg_file}"; then
sed -i -E 's|LIVE_CONFIGS="([^"]*)"|LIVE_CONFIGS="\1 root-password"|' "${cfg_file}"
fi
declare clean_hash="${VAR_HASHED_PWD//\"/}"
printf 'live-config.root-password-hash=%s\n' "${clean_hash}" >| "${dropin_file}"
chmod 0600 "${dropin_file}"
chown root:root "${dropin_file}"
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root"
printf '%s\n' "${clean_hash}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d
cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf
[Service]
ExecStart=
#ExecStart=-/usr/sbin/agetty --noclear %I $TERM
ExecStart=-agetty --noclear %I $TERM
EOF
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc
cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/securetty
tty1
tty2
tty3
tty4
tty5
tty6
EOF
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/sbin
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/bin
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/sbin
cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/sbin/agetty"
cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/bin/agetty"
cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/sbin/agetty"
### Hotfix I
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators"
cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
#!/bin/sh
# bypass live-config-getty-generator
exit 0
EOF
chmod +x "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
### Hotfix II
#mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators"
#touch "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
#chmod -x "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setup Root Password for Console done. \e[0m\n"
# sleep 1
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

63
lib/lib_hardening_ssh.sh Normal file
View File

@@ -0,0 +1,63 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# SSH Hardening Ultra via TCP Wrapper
# Globals:
# ARY_HANDLER_JUMPHOST
# VAR_WORKDIR
# Arguments:
# None
#######################################
hardening_ssh() {
if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
declare allowed=""
cat << 'EOF' >| "${VAR_WORKDIR}/hosts.allow"
# /etc/hosts.allow: list of hosts that are allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
EOF
allowed=$(echo "${ARY_HANDLER_JUMPHOST[*]}" | tr '\n' ' ')
printf 'sshd: %s\n' "${allowed}" >> "${VAR_WORKDIR}/hosts.allow"
cat << 'EOF' >| "${VAR_WORKDIR}/hosts.deny"
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: some.host.name, .some.domain
# ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked-up hostnames still leave understandable logs. In past
# versions of Debian, this has been the default.
# ALL: PARANOID
ALL: ALL
EOF
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

221
lib/lib_hardening_ultra.sh Normal file
View File

@@ -0,0 +1,221 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper for accompanying all CISS.debian.hardening features into the Live ISO image.
# Globals:
# ARY_HANDLER_JUMPHOST
# ARY_HANDLER_JUMPHOST_UNIQUE
# VAR_ARCHITECTURE
# VAR_HANDLER_BUILD_DIR
# VAR_SSHPORT
# VAR_SSHPUBKEY
# VAR_WORKDIR
# Arguments:
# None
#######################################
hardening_ultra() {
# shellcheck disable=SC2164
cd "${VAR_WORKDIR}"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/bootloaders ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/bootloaders"
cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config"
else
cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/bootloaders done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.binary ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub"
cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config"
else
cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.binary done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/live"
cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
else
cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n"
if [[ -d "${VAR_WORKDIR}/config/hooks/early" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/early ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/early" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/early"
cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks"
else
cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/early done.\e[0m\n"
fi
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.chroot ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"
cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config"
else
cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.chroot done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/package-lists ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/package-lists" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/package-lists"
fi
cp -af ./config/package-lists/live.list.common.chroot "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
case "${VAR_ARCHITECTURE}" in
amd64)
declare arch_list="./config/package-lists/live.list.amd64.chroot"
declare arch_comment="# amd64 specific packages"
;;
arm64)
declare arch_list="./config/package-lists/live.list.arm64.chroot"
declare arch_comment="# arm64 specific packages"
;;
*)
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Unsupported architecture '%s'.\e[0m\n" "${VAR_ARCHITECTURE}"
exit 1
;;
esac
declare pkgs
mapfile -t pkgs < <(
grep -v '^\s*#' "${arch_list}" | sed '/^\s*$/d'
)
awk -v comment="${arch_comment}" -v n_pkgs="${#pkgs[@]}" -v pkgs="$(printf '%s\n' "${pkgs[@]}")" '
BEGIN {
split(pkgs, pkg_arr, "\n")
inserted = 0
}
{
# Detect the vim-modeline (last line marker)
if ($0 ~ /^# vim:.*$/ && !inserted) {
print comment
for (i = 1; i <= length(pkg_arr); i++) {
print pkg_arr[i]
}
inserted = 1
}
print
}
' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/package-lists done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating SSH Keys, Ports ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
declare -r sshport="${VAR_SSHPORT:-22}"
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
declare line
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
if [[ -z "${line}" ]]; then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
exit 1
fi
declare host
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
((line++))
sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
done
fi
else
cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
declare -r sshport="${VAR_SSHPORT:-22}"
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"$sshport\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
declare line
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
if [[ -z "${line}" ]]; then
printf "\e[91m❌ Error: 'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
exit 1
fi
declare host
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
((line++))
sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
done
fi
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating SSH Keys, Ports done. \e[0m\n"
if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 SSH Hardening Ultra ... \e[0m\n"
cp -af "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
cp -af "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow"
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny"
rm -f "${VAR_WORKDIR}/hosts.allow"
rm -f "${VAR_WORKDIR}/hosts.deny"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ SSH Hardening Ultra done.\e[0m\n"
fi
if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"
# Join array entries with spaces, preserving any newlines
declare ips="${ARY_HANDLER_JUMPHOST[*]}"
# Flatten to a single line and strip literal brackets []
declare flat_ips
flat_ips=$(printf "%s" "${ips}" | tr '\n' ' ' | tr -d '[]')
# flat_ips now contains e.g., "123.128.111.42 2a03:ffff:0815:4711:... 2a03:.../64"
# Perform an in-place replacement of MUST_BE_SET with the cleaned list
sed -i -e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1[[:space:]]*\)MUST_BE_SET|\1${flat_ips}|" \
"${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating fail2ban Jumphosts IPs done. \e[0m\n"
else
printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 No jump hosts configured, removing placeholder ... \e[0m\n"
sed -i \
-e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*MUST_BE_SET|\1|" \
-e "s|\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*$|\1|" \
"${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Placeholder removed. \e[0m\n"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

36
lib/lib_helper_ip.sh Normal file
View File

@@ -0,0 +1,36 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# IP Notation cleaner for pure IP output only
# Globals:
# ARY_HANDLER_JUMPHOST
# ARY_HANDLER_JUMPHOST_UNIQUE
# Arguments:
# None
#######################################
clean_ip() {
declare host
declare stripped
for host in "${ARY_HANDLER_JUMPHOST[@]}"; do
# Remove leading '[' and trailing ']'
stripped="${host#\[}"
stripped="${stripped%\]}"
# Skip if it contains a slash (CIDR range)
if [[ ${stripped} == */* ]]; then
continue
fi
# Directly append, no duplicate check
declare -ga ARY_HANDLER_JUMPHOST_UNIQUE+=("${stripped}")
done
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

46
lib/lib_lb_build_start.sh Normal file
View File

@@ -0,0 +1,46 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper to write a new 'lb config' environment.
# Globals:
# ERR_UNCRITICAL
# VAR_BUILD_LOG
# VAR_HANDLER_BUILD_DIR
# Arguments:
# None
#######################################
lb_build_start() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔨 Start Build... Log file: %s \e[0m\n" "${VAR_BUILD_LOG}"
# sleep 1
# shellcheck disable=SC2164
cd "${SCRIPT_BASEPATH}"
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
if lb build --color 2>&1 | tee "${VAR_BUILD_LOG}"; then
printf "\e[92m✅ Build successfully completed.\e[0m\n"
else
printf "\e[91m❌ Build failed!\e[0m\n" >&2
exit "${ERR_UNCRITICAL}"
fi
# shellcheck disable=SC2155
declare iso_file=$(find . -maxdepth 1 -type f -name "*.iso" | sort | tail -n1)
if [[ -z ${iso_file} || ! -f ${iso_file} ]]; then
printf "\e[91m❌ No ISO Image found.\e[0m\n" >&2
exit "${ERR_UNCRITICAL}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

55
lib/lib_lb_config_start.sh Normal file
View File

@@ -0,0 +1,55 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper for 'lb config' - set up a build environment or deleting old build artifacts.
# Globals:
# VAR_HANDLER_BUILD_DIR
# Arguments:
# $0: Script-name
#######################################
lb_config_start() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
if [[ ! -d ${VAR_HANDLER_BUILD_DIR} ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}"
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' created. \e[0m\n" "${VAR_HANDLER_BUILD_DIR}"
else
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
fi
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.build" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Preparing environment ... \e[0m\n"
# Start lb config in a completely detached shell
bash -c "lb config" &
disown
sleep 1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Preparing environment done.\e[0m\n"
else
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Deleting former config, binary and cache ... \e[0m\n"
rm -f ./config/binary
rm -f ./config/bootstrap
rm -f ./config/chroot
rm -f ./config/common
rm -f ./config/source
rm -f ./*.{contents,files,iso,bz2,packages}
# Start lb clean in a completely detached shell
bash -c "lb clean && lb clean --binary --cache" &
disown
sleep 1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Deleting former config, binary and cache done.\e[0m\n"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

121
lib/lib_lb_config_write.sh Normal file
View File

@@ -0,0 +1,121 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper to write a new 'lb config' environment.
# Globals:
# VAR_HANDLER_ISO_COUNTER
# VAR_ARCHITECTURE
# VAR_HANDLER_BUILD_DIR
# VAR_KERNEL
# VAR_WORKDIR
# VAR_VERSION
# Arguments:
# None
#######################################
#######################################
# description
# Globals:
# Arguments:
# None
#######################################
lb_config_write() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Writing new config ... \e[0m\n"
lb config \
--apt apt \
--apt-indices true \
--apt-recommends true \
--apt-secure true \
--apt-source-archives true \
--architecture "${VAR_ARCHITECTURE}" \
--archive-areas main contrib non-free non-free-firmware \
--backports true \
--binary-filesystem fat32 \
--binary-image iso-hybrid \
--bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Europe/Lisbon splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
--bootappend-live "boot=live verify-checksums components nocomponents=cdi-starter locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Europe/Lisbon toram audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
--bootloaders grub-efi \
--cache true \
--checksums sha512 sha256 md5 \
--chroot-filesystem squashfs \
--chroot-squashfs-compression-level 22 \
--chroot-squashfs-compression-type zstd \
--color \
--compression bzip2 \
--debconf-frontend noninteractive \
--debconf-priority critical \
--debian-installer cdrom \
--debian-installer-distribution bookworm \
--debian-installer-gui true \
--debian-installer-preseedfile "preseed.cfg" \
--debug \
--distribution bookworm \
--distribution-binary bookworm \
--distribution-chroot bookworm \
--firmware-binary true \
--firmware-chroot true \
--hdd-label "CENTURIONLIVE" \
--image-name "ciss-debian-live-${VAR_HANDLER_ISO_COUNTER}" \
--initramfs "live-boot" \
--initramfs-compression gzip \
--initsystem systemd \
--iso-application "CISS.debian.live.builder: ${VAR_VERSION} - Debian-Live-Build: 20230502 - Debian-Installer: bookworm" \
--iso-preparer '(C) 2018-2025, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
--iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
--iso-volume 'CISS.debian.live' \
--linux-flavours "${VAR_KERNEL}" \
--linux-packages linux-image \
--loadlin true \
--memtest memtest86+ \
--mirror-binary 'https://deb/debian.org/debian/' \
--mirror-binary-security 'https://security.debian.org/' \
--mirror-bootstrap 'https://deb.debian.org/debian/' \
--mirror-chroot 'https://deb.debian.org/debian/' \
--mirror-chroot-security 'https://security.debian.org/' \
--mirror-debian-installer 'https://deb.debian.org/debian/' \
--mode debian \
--parent-archive-areas main contrib non-free non-free-firmware \
--parent-debian-installer-distribution bookworm \
--parent-distribution bookworm \
--parent-distribution-binary bookworm \
--parent-distribution-chroot bookworm \
--parent-mirror-binary 'https://deb.debian.org/debian/' \
--parent-mirror-binary-security 'https://security.debian.org/' \
--parent-mirror-bootstrap 'https://deb.debian.org/debian/' \
--parent-mirror-chroot 'https://deb.debian.org/debian/' \
--parent-mirror-chroot-security 'https://security.debian.org/' \
--parent-mirror-debian-installer 'https://deb.debian.org/debian/' \
--security true \
--system live \
--source false \
--source-images tar \
--uefi-secure-boot auto \
--updates true \
--utc-time true \
--verbose
sleep 1
sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary
sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/lib/live/boot
cp -a "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

45
lib/lib_provider_netcup.sh Normal file
View File

@@ -0,0 +1,45 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Notes Textbox
# Arguments:
# None
#######################################
provider_netcup() {
if "${VAR_HANDLER_NETCUP_IPV6}"; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
declare handler_netcup_ipv6_string="${ARY_HANDLER_NETCUP_IPV6[*]}"
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d
cat << EOF >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d/99-netcup-static
### Static IPv6 Address for Netcup Root Server
iface ens3 inet6 static
address ${handler_netcup_ipv6_string}/128
### dns01.eddns.eu dns02.eddns.de
dns-nameservers 2a01:4f9:c012:a813:135:181:207:105 2a0a:4cc0:1:e6:89:58:62:53
gateway fe80::1
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot"
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
cp "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

96
lib/lib_run_analysis.sh Normal file
View File

@@ -0,0 +1,96 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-07; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: ZIMNOL, Andre H.; Private Contributor
# SPDX-FileCopyrightText: 2025; ZIMNOL, Andre H.; <debian@zimnol.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper for statistic functions of the final build.
# Globals:
# ERR_UNCRITICAL
# VAR_BUILD_LOG
# VAR_CHROOT_DIR
# VAR_HANDLER_BUILD_DIR
# VAR_PACKAGES_FILE
# Arguments:
# None
#######################################
run_analysis() {
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
# shellcheck disable=SC2155
declare iso_file=$(find . -maxdepth 1 -name "*.iso" -printf "%f\n" | sort | tail -n1)
if [[ -z ${iso_file} || ! -f ${iso_file} ]]; then
printf "\e[91m❌ No ISO Image found.\e[0m\n" >&2
exit "${ERR_UNCRITICAL}"
fi
printf "\e[92m📊 Start analysis of : %s ... \e[0m\n" "${iso_file}"
# shellcheck disable=SC2155
declare iso_size_hr=$(du -h "${iso_file}" | awk '{print $1}')
# shellcheck disable=SC2155
declare iso_size_bytes=$(du -b "${iso_file}" | awk '{print $1}')
# shellcheck disable=SC2155
declare chroot_size_hr=$(du -sh "${VAR_CHROOT_DIR}" 2> /dev/null | awk '{print $1}')
# shellcheck disable=SC2155
declare chroot_size_bytes=$(du -sb "${VAR_CHROOT_DIR}" 2> /dev/null | awk '{print $1}')
# shellcheck disable=SC2155
declare compression=$(awk -v iso="${iso_size_bytes}" -v chroot="${chroot_size_bytes}" 'BEGIN { printf "%.2f%%", 100 * iso / chroot }')
# shellcheck disable=SC2155
declare package_count=$(wc -l < "${VAR_PACKAGES_FILE}" 2> /dev/null || echo "nicht gefunden")
# shellcheck disable=SC2155
declare squash_cpu_used="$(grep -m1 -oP 'Using \K[0-9]+' "${VAR_BUILD_LOG}")"
if [[ -f "${VAR_BUILD_LOG}" ]]; then
# shellcheck disable=SC2155
declare start_line=$(grep 'lb build' "${VAR_BUILD_LOG}" | head -n1 || true)
# shellcheck disable=SC2155
declare end_line=$(grep 'lb source' "${VAR_BUILD_LOG}" | tail -n1 || true)
if [[ -n "${start_line}" && -n "${end_line}" ]]; then
# shellcheck disable=SC2155
declare start_epoch=$(echo "${start_line}" | sed -E 's/^\[([0-9:-]+ [0-9:]+)\].*/\1/' | xargs -I{} date -d "{}" +%s)
# shellcheck disable=SC2155
declare end_epoch=$(echo "${end_line}" | sed -E 's/^\[([0-9:-]+ [0-9:]+)\].*/\1/' | xargs -I{} date -d "{}" +%s)
# shellcheck disable=SC2155
declare duration_sec=$((end_epoch - start_epoch))
# shellcheck disable=SC2155
declare duration_min=$((duration_sec / 60))
# shellcheck disable=SC2155
declare duration_rest=$((duration_sec % 60))
# shellcheck disable=SC2155
declare build_duration=$(printf "%02dm:%02ds" "${duration_min}" "${duration_rest}")
else
declare build_duration="(Timestamp not found)"
fi
else
declare build_duration="(No log file found)"
fi
# shellcheck disable=SC2155
declare sha_sum=$(sha256sum "$iso_file" | tee "$iso_file.sha256" | awk '{print $1}')
# shellcheck disable=SC2155
declare time=$(date '+%Y-%m-%d %H:%M:%S')
printf "\e[92m🧾 === Build summary === \e[0m\n"
printf "\e[92m----------------------------------------------------------------------------------------\e[0m\n"
printf "\e[97m📦 ISO-File : %s \e[0m\n" "${iso_file}"
printf "\e[97m📀 ISO-Size : %s \e[0m\n" "${iso_size_hr}"
printf "\e[97m📂 Chroot-Size : %s \e[0m\n" "${chroot_size_hr}"
printf "\e[97m📉 Compression-level : %s \e[0m\n" "${compression}"
printf "\e[97m📦 Packages : %s \e[0m\n" "${package_count}"
printf "\e[97m🕐 Build Time : %s \e[0m\n" "${build_duration}"
printf "\e[97m🧠 CPUs for SquashFS : %s \e[0m\n" "${squash_cpu_used}"
printf "\e[97m🔐 SHA256SUM : %s \e[0m\n" "${sha_sum}"
printf "\e[92m----------------------------------------------------------------------------------------\e[0m\n"
printf "\e[97m📅 Analysis Time : %s \e[0m\n" "${time}"
printf "\e[92m✅ Analysis completed.\e[0m\n"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

28
meta_loader_func.sh Normal file
View File

@@ -0,0 +1,28 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
. ./func/
. ./func/
. ./func/2015_helper_modules.sh
. ./func/2020_logging_modules.sh
. ./func/2030_check_nic.sh
. ./func/2040_grub_helper.sh
. ./func/2050_yaml_parser.sh
. ./func/2051_yaml_reader.sh
. ./func/
. ./func/
. ./func/
. ./func/
. ./func/
. ./func/
. ./func/
. ./func/
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

32
meta_loader_lib.sh Normal file
View File

@@ -0,0 +1,32 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
. ./lib/1000_usage.sh
. ./lib/1001_contact.sh
. ./lib/1003_gen_dir_files.sh
. ./lib/1010_check_pkgs.sh
. ./lib/1030_trap_err.sh
. ./lib/1031_trap_exit.sh
. ./lib/1032_trap_int.sh
. ./lib/1035_clean_up.sh
. ./lib/1040_arg_mismatch.sh
. ./lib/1041_arg_sanitizer.sh
. ./lib/1042_arg_parser.sh
. ./lib/1043_arg_priority_check.sh
. ./lib/1050_dialog_helper.sh
. ./lib/
. ./lib/
. ./lib/
. ./lib/
. ./lib/
. ./lib/
. ./lib/
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

Some files were not shown because too many files have changed in this diff Show More