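#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu

### Contributions so far see ./docs/CREDITS.md

# TODO: Update .dot files.
# TODO: Update README.md for each lib and func dir.
# TODO: Update MANPAGE.md for each func.
# TODO: Implement Clang Build Chain and Secure Boot PK CISS.ROOT.CA Signing Workflow
# TODO: Hardening Scripts Integration
# TODO: Recovery Partition Integration
# TODO: Grub Boot Menu Update for Recovery Integration
# TODO: update-grub Post Hook Clang, Recovery, Signing PK
# TODO: Copying Log Files to final System
# TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain?
# TODO: Reboot function for Autoinstall, Clean Exit, Flush Logs, luksClose, umount
# TODO: Implement loop_pass() for other passwords 0105_arg_nuke_converter.sh
# TODO: Implement / Integrate IP, Port validation CDI_1200

### WHY BASH?
# Ease of installation. No compiling or installing gems, CPAN modules, pip packages, etc. Simple to use and read. Clear syntax
# and straightforward output interpretation. Built-in power. Pattern matching, line processing, and regular expression support
# are available natively, no external binaries required. Cross-platform consistency. '/bin/bash' is the default shell on most
# Linux distributions, ensuring scripts run unmodified across systems. macOS compatibility. Since macOS Catalina (10.15), the
# default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
# or Cygwin on Windows systems.

### ENTRY POINT OVERVIEW.
# setup.sh is the orchestrator: it validates the interpreter and the caller, sources the framework's variable, function and
# library loaders, takes an advisory lock, installs the traps and then runs the numbered CDI_* stages in order. Every stage is a
# function provided by the sourced modules; this file itself defines none.
# NOTE(review): all '. ./...' and 'source_guard "./..."' paths are relative to the current working directory, not to
# VAR_SETUP_PATH, so the script presumably has to be started from the repository root ('./setup.sh') — confirm.

### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES.
# The invocation is captured once, read-only and exported, so every sourced module sees the same view of it.
# shellcheck disable=SC2155
declare -girx VAR_START_TIME="${SECONDS}"                         # Start time of script execution.
declare -grx VAR_PARAM_COUNT="$#"                                  # Arguments passed to script.
declare -grx VAR_PARAM_STRNG="$*"                                  # Arguments passed to script as string.
declare -ag ARY_PARAM_ARRAY=("$@")                                 # Arguments passed to script as an array.
declare -grx VAR_SETUP_FILE="${0##*/}"                             # 'setup.sh'
declare -grx VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)"     # '/opt/git/CISS.debian.installer'
declare -grx VAR_SETUP_FULL="${VAR_SETUP_PATH}/${VAR_SETUP_FILE}"  # '/opt/git/CISS.debian.installer/setup.sh'

### PRELIMINARY CHECKS.
# Each failing check sources the early loader first so that the colour codes and ERR_* exit codes it provides are available
# for the diagnostic. The checks are deliberately written inline (no helper function) so the first one still parses under a
# non-bash /bin/sh.

### No ash, dash, ksh, sh.
# shellcheck disable=SC2292
[ -z "${BASH_VERSINFO[0]}" ] && {
  . ./meta_loader_early.sh
  printf "%b❌ Please make sure you are using 'bash'! Bye... %b%b" "${RED}" "${RES}" "${NL}" >&2
  exit "${ERR_UNSUPPORTED_BASH}"
}

### No zsh.
[[ -n "${ZSH_VERSION:-}" ]] && {
  . ./meta_loader_early.sh
  printf "%b❌ Please make sure you are using 'bash'! Bye... %b%b" "${RED}" "${RES}" "${NL}" >&2
  exit "${ERR_UNSUPPORTED_BASH}"
}

### Not root.
[[ ${EUID} -ne 0 ]] && {
  . ./meta_loader_early.sh
  printf "%b❌ Please make sure you are 'root'! Bye... %b%b" "${RED}" "${RES}" "${NL}" >&2
  exit "${ERR_USER_IS_NOT_ROOT}"
}

### Not called by sh.
# Heuristic: bash's builtin 'kill -l' lists signal names with the SIG prefix; a count of zero means a different shell
# (or a shell in POSIX mode) is interpreting us — presumably 'sh ./setup.sh'. Confirm against the target /bin/sh.
# shellcheck disable=2312
[[ $(kill -l | grep -c SIG) -eq 0 ]] && {
  . ./meta_loader_early.sh
  printf "%b❌ Please make sure you are calling the script without leading 'sh'! Bye... %b%b" "${RED}" "${RES}" "${NL}" >&2
  exit "${ERR_UNSUPPORTED_BASH}"
}

### Not sourced.
[[ "${BASH_SOURCE[0]}" != "$0" ]] && {
  . ./meta_loader_early.sh
  printf "%b❌ This script must be executed, not sourced. Please run './setup.sh' directly. %b%b" "${RED}" "${RES}" "${NL}" >&2
  exit "${ERR_UNSUPPORTED_BASH}"
}

### Minimum Bash version 5.
[[ ${BASH_VERSINFO[0]} -lt 5 ]] && {
  . ./meta_loader_early.sh
  printf "%b❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... %b%b" "${RED}" "${BASH_VERSION}" "${RES}" "${NL}" >&2
  exit "${ERR_UNSUPPORTED_BASH}"
}

### Minimum Bash version 5.1.
# The major version is at least 5 at this point, so only a 5.0 minor has to be rejected here. The previous test used
# '-le 1' on the minor number, which refused bash 5.1 itself although the message names 5.1 as the minimum.
[[ ${BASH_VERSINFO[0]} -eq 5 ]] && [[ ${BASH_VERSINFO[1]} -lt 1 ]] && {
  . ./meta_loader_early.sh
  printf "%b❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... %b%b" "${RED}" "${BASH_VERSION}" "${RES}" "${NL}" >&2
  exit "${ERR_UNSUPPORTED_BASH}"
}

### No arguments.
[[ ${#} -eq 0 ]] && {
  . ./meta_loader_early.sh
  usage >&2
  exit 1
}

### CHECK FOR CONTACT, HELP, AND VERSION STRING.
# Three separate passes keep the original precedence: --contact wins over --help, which wins over --version,
# regardless of the order the flags were given in. Flags are matched case-insensitively.
for arg in "$@"; do
  case "${arg,,}" in
    -c|--contact) . ./meta_loader_cuv.sh; contact; exit 0;;
  esac
done
for arg in "$@"; do
  case "${arg,,}" in
    -h|--help) . ./meta_loader_cuv.sh; usage; exit 0;;
  esac
done
for arg in "$@"; do
  case "${arg,,}" in
    -v|--version) . ./meta_loader_cuv.sh; version; exit 0;;
  esac
done
unset arg

### SOURCING MUST SET EARLY VARIABLES. SOURCING COLOR_ECHO(), GUARD_SOURCING(), AND SOURCE_GUARD().
. ./lib/cdi_0005_guard/0005_guard_sourcing.sh  # The function guard_sourcing MUST be present in each file to source.
. ./lib/cdi_0005_guard/0006_source_guard.sh    # Wrapper for sourcing modules, libraries, variables.
source_guard "./var/color.var.sh"
source_guard "./var/early.var.sh"
source_guard "./lib/cdi_0010_basic/0010_color_echo.sh"
clear

### ALL CHECKS DONE. READY TO START THE SCRIPT.
# Assign first and lock the variable afterwards: 'declare VAR=$(mktemp ...)' reports the status of 'declare', not of
# mktemp, so a failed temp-file creation would go unnoticed.
# NOTE(review): the template has no directory part, so the file is created in the current working directory rather
# than in ${TMPDIR}; presumably intended so it lives next to the repository's own files — confirm.
VAR_DIALOG="$(mktemp var_dialog.XXXXXXXX)" || {
  printf "%b❌ Cannot create the dialog temp file! Bye... %b%b" "${RED}" "${RES}" "${NL}" >&2
  exit 1
}
declare -grx VAR_DIALOG
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: ALL CHECKS DONE. READY TO START THE SCRIPT"
declare -grx VAR_SETUP="true"

### SOURCING FUNCTIONS, LIBRARIES, VARIABLES.
# VAR_SETUP is read-only from here on; the sourced modules presumably use it to tell a setup run from other contexts.
if [[ "${VAR_SETUP}" == "true" ]]; then
  ### SOURCING VARIABLES
  color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: SOURCING VARIABLES"
  . ./meta_loader_var.sh
  ### SOURCING FUNCTIONS
  color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: SOURCING FUNCTIONS"
  . ./meta_loader_func.sh
  ### SOURCING LIBRARIES
  color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: SOURCING LIBRARIES"
  . ./meta_loader_lib.sh
fi

### PREPARING DIRECTORIES AND FILES.
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: PREPARING DIRECTORIES AND FILES"
gen_dir_files

### CHECKING REQUIRED PACKAGES.
# Runs before the lock is taken because the lock itself needs the 'flock' binary.
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECKING REQUIRED PACKAGES"
check_pkgs
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECKING GIT VARIABLES"
check_git

### ADVISORY LOCK.
# fd 127 stays open for the lifetime of the process, so the lock is released automatically on any exit path.
# '-n' makes a second instance fail immediately instead of queueing behind the running one.
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: ADVISORY LOCK"
exec 127>/var/lock/ciss_debian_installer.lock || {
  printf "%b❌ Cannot open lockfile for writing! Bye... %b%b" "${RED}" "${RES}" "${NL}" >&2
  exit "${ERR_FLOCK_PROTECTED}"
}
if ! flock -x -n 127; then
  printf "%b❌ Another instance is running! Bye...%b%b" "${RED}" "${RES}" "${NL}" >&2
  exit "${ERR_FLOCK_COLLISION}"
fi

### SCAN FOR DEBUG MODE.
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: SCAN FOR DEBUG MODE"
pre_scan_debug "$@"

### CHECK FOR AUTO INSTALL MODE.
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECK FOR AUTO INSTALL MODE"
for arg in "$@"; do
  case "${arg,,}" in
    -a|--autoinstall) declare -gx VAR_AUTO_INSTALL="true";;
  esac
done
unset arg

### ACTIVATING TRAPS.
# NOTE(review): exits before this point (lock collision, loader failures) run no trap_exit, so whatever cleanup
# trap_exit does for VAR_DIALOG and the lock does not happen for them — confirm whether that is intended.
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: ACTIVATING TRAPS"
trap 'trap_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT
trap 'trap_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
trap 'trap_int' INT TERM

### INTERACTIVE MODE NOTES AND KERNEL SELECTION.
# The mode flag is compared as a string. The previous form, 'if ! "${VAR_AUTO_INSTALL}"', executed the variable's
# value as a command: an unset flag produced a "command not found" and only worked because 127 is non-zero, and any
# other value would have been run as a program. Unset is treated as "interactive", as before.
if [[ "${VAR_AUTO_INSTALL:-false}" != "true" ]]; then dialog_kernel; fi
if [[ "${VAR_AUTO_INSTALL:-false}" != "true" ]]; then dialog_notes; fi

### Dialog Output for Initialization START.
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECK DIALOG WRAPPER"
if [[ "${VAR_AUTO_INSTALL:-false}" != "true" ]]; then dialog_box; fi

### ARGUMENT CHECKS.
# arg_check validates the raw arguments; the sanitized copy is frozen afterwards for the later stages.
info_echo "0101_arg_sanitizer.sh"
arg_check "$@"
declare -ar ARY_ARG_SANITIZED=("$@")
declare -grx VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"

### ARGUMENT PARSING.
info_echo "0102_arg_parser.sh"
arg_parser "$@"

### PRIORITY UPDATES.
info_echo "0103_arg_priority_check.sh"
arg_priority_check

### HASHING PASSWORDS.
info_echo "0105_arg_nuke_converter.sh"
nuke_passphrase

### CDI_1200

### CDI_1250
info_echo "1250_yaml_parser.sh"
yaml_parser
info_echo "1251_yaml_reader.sh"
yaml_reader
info_echo "1252_yaml_validator.sh"
yaml_validator

### CDI_3200
info_echo "3200_partitioning.sh"
partitioning
info_echo "3210_benchmarking_encryption.sh"
benchmarking_encryption
info_echo "3220_partition_encryption.sh"
partition_encryption
info_echo "3240_partition_formatting.sh"
partition_formatting
info_echo "3280_mount_partition.sh"
mount_partition
info_echo "3290_uuid_logger.sh"
uuid_logger

### CDI_4000
info_echo "4000_debootstrap.sh"
func_debootstrap
info_echo "4005_debootstrap_checks.sh"
check_debootstrap
info_echo "4010_prepare_mounts.sh"
prepare_mounts
info_echo "4015_check_usr_merge.sh"
check_usr_merge
info_echo "4020_remove_x509.sh"
remove_x509
info_echo "4030_setup_hostname.sh"
setup_hostname
info_echo "4035_setup_resolv.sh"
setup_resolv
info_echo "4040_setup_timezone.sh"
setup_timezone
info_echo "4050_setup_locales.sh"
setup_locales

### CDI_4100
if [[ "${VAR_DEB822}" == "true" ]]; then
  info_echo "4105_generate_sources822.sh"
  generate_sources822
else
  info_echo "4100_generate_sources.sh"
  generate_sources
fi
info_echo "4110_update_sources.sh"
update_sources
info_echo "4120_installation_kernel.sh"
installation_kernel
info_echo "4121_installation_initramfs.sh"
installation_initramfs
info_echo "4130_installation_toolset.sh"
installation_toolset
info_echo "4131_installation_systemd.sh"
installation_systemd
info_echo "4132_installation_machineid.sh"
installation_machineid
info_echo "4133_installation_masking.sh"
installation_masking
info_echo "4140_installation_microcode.sh"
installation_microcode
info_echo "4145_installation_firmware.sh"
installation_firmware
info_echo "4150_installation_chrony.sh"
installation_chrony
info_echo "4160_installation_eza.sh"
installation_eza
info_echo "4170_installation_lynis.sh"
installation_lynis

### CDI_4200
info_echo "4200_generate_fstab.sh"
generate_fstab
info_echo "4205_check_fstab.sh"
check_fstab
info_echo "4210_generate_crypttab.sh"
generate_crypttab
info_echo "4215_check_crypttab.sh"
check_crypttab
info_echo "4220_installation_cryptsetup.sh"
installation_cryptsetup
info_echo "4230_installation_grub.sh"
installation_grub
if [[ "${VAR_GRUB_PASSWORD}" == "true" ]]; then
  info_echo "4240_update_grub_password.sh"
  update_grub_password
fi
info_echo "4250_update_grub_bootparameter.sh"
update_grub_bootparameter

### CDI_4300
info_echo "4300_installation_network.sh"
installation_network
info_echo "4305_installation_netsec.sh"
installation_netsec
if [[ "${VAR_DROPBEAR}" == "true" ]]; then
  info_echo "4310_dropbear_build.sh"
  dropbear_build
  info_echo "4311_dropbear_initramfs.sh"
  dropbear_initramfs
  info_echo "4312_dropbear_setup.sh"
  dropbear_setup
fi
info_echo "4320_update_initramfs.sh"
update_initramfs
info_echo "4330_installation_ssh.sh"
installation_ssh

### CDI_4400
info_echo "4400_kernel_modules.sh"
# NOTE(review): this is the only stage chained with '&&'. A non-zero kernel_modules silently skips kernel_modprobe and,
# being part of an AND-list, is not seen by the ERR trap — confirm that is the intended failure behaviour.
kernel_modules && kernel_modprobe
info_echo "4410_kernel_sysctl.sh"
kernel_sysctl
info_echo "4420_hardening_fail2ban.sh"
hardening_fail2ban
info_echo "4430_hardening_files.sh"
hardening_files
info_echo "4440_hardening_haveged.sh"
hardening_haveged
info_echo "4450_hardening_memory.sh"
hardening_memory
info_echo "4460_hardening_openssl.sh"
hardening_openssl
info_echo "4470_hardening_ufw.sh"
hardening_ufw
info_echo "4480_hardening_usb.sh"
hardening_usb
info_echo "4490_hardening_virus.sh"
hardening_virus

### CDI_4500
info_echo "4500_accounts_preparation.sh"
accounts_preparation
info_echo "4510_accounts_hardening.sh"
accounts_hardening
info_echo "4520_accounts_setup.sh"
accounts_setup

### CDI_4600
info_echo "4600_installation_packages.sh"
installation_packages
info_echo "4610_installation_security.sh"
installation_security
info_echo "4620_installation_verification.sh"
install_verification
#info_echo "4610_finalize_system.sh"
#info_echo "4670_verify_system.sh"
#info_echo "4680_check_sshd_config_integrity.sh"
#info_echo "4690_check_grub_cmdline.sh"

### CDI_4700
info_echo "4799_exiting_chroot_system.sh"
exiting_chroot_system

### CDI_5000
if [[ "${VAR_RECOVERY}" == "true" ]]; then
  wrapper_recovery
fi

### Dialog Output for Initialization END
if [[ "${VAR_AUTO_INSTALL:-false}" != "true" ]]; then dialog_box_cleaner; fi

# Read by trap_exit (EXIT trap above) to tell a clean run from an aborted one.
declare -gx VAR_SCRIPT_SUCCESS="true"
exit 0

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh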