CISS.debian.installer/ciss_debian_installer.sh

#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu

### Contributions so far see ./docs/CREDITS.md

### WHY BASH?
# Ease of installation. No compiling or installing gems, CPAN modules, pip packages, etc. Simple to use and read. Clear syntax
# and straightforward output interpretation. Built-in power. Pattern matching, line processing, and regular expression support
# are available natively, no external binaries required. Cross-platform consistency. '/bin/bash' is the default shell on most
# Linux distributions, ensuring scripts run unmodified across systems. macOS compatibility. Since macOS Catalina (10.15), the
# default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
# or Cygwin on Windows systems.

### PRELIMINARY CHECKS
# shellcheck disable=2292
[ -z "${BASH_VERSINFO[0]}" ] && {
  . ./meta_loader_early.sh
  printf "%s❌ Please make sure you are using 'bash'! Bye... %s%s" "${RED}" "${RES}" "${NL}" >&2
  exit "${ERR_UNSUPPORTED_BASH}"
  }

[[ ${EUID} -ne 0 ]] && {
  . ./meta_loader_early.sh
  printf "%s❌ Please make sure you are 'root'! Bye... %s%s" "${RED}" "${RES}" "${NL}" >&2
  exit "${ERR_USER_IS_NOT_ROOT}"
  }

# shellcheck disable=2312
[[ $(kill -l | grep -c SIG) -eq 0 ]] && {
  . ./meta_loader_early.sh
  printf "%s❌ Please make sure you are calling the script without leading 'sh'! Bye... %s%s" "${RED}" "${RES}" "${NL}" >&2
  exit "${ERR_UNSUPPORTED_BASH}"
  }

[[ ${BASH_VERSINFO[0]} -lt 5 ]] && {
  . ./meta_loader_early.sh
  printf "%s❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... %s%s" "${RED}" "${BASH_VERSION}" "${RES}" "${NL}" >&2
  exit "${ERR_UNSUPPORTED_BASH}"
  }

[[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && {
  . ./meta_loader_early.sh
  printf "%s❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... %s%s" "${RED}" "${BASH_VERSION}" "${RES}" "${NL}" >&2
  exit "${ERR_UNSUPPORTED_BASH}"
  }

[[ ${#} -eq 0 ]] && {
  . ./lib/0000_usage.sh; usage >&2; exit 1; }

### CHECK FOR CONTACT, HELP, AND VERSION STRING.
for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./meta_loader_cuv.sh; contact; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./meta_loader_cuv.sh; usage; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -v|--version) . ./meta_loader_cuv.sh; version; exit 0;; esac; done

### SOURCING MUST SET EARLY VARIABLES. SOURCING COLOR_ECHO() AND GUARD_SOURCING().
declare -grx VAR_PARAM_COUNT="$#"
declare -grx VAR_PARAM_STRNG="$*"
declare -ag  ARY_PARAM_ARRAY=("$@")
. ./lib/0010_guard_sourcing.sh
. ./lib/0010_source_guard.sh
source_guard "./var/color.var.sh"
source_guard "./var/early.var.sh"
source_guard "./lib/0004_color_echo.sh"

### ALL CHECKS DONE. READY TO START THE SCRIPT.
color_echo "${CYA}" "ALL CHECKS DONE. READY TO START THE SCRIPT."
declare -grx VAR_SETUP="true"
umask 0022

### SOURCING FUNCTIONS, LIBRARIES, VARIABLES.
if [[ "${VAR_SETUP}" == "true" ]]; then
  ### SOURCING VARIABLES
  color_echo "${CYA}" "SOURCING VARIABLES."
  . ./meta_loader_var.sh
  ### SOURCING FUNCTIONS
  color_echo "${CYA}" "SOURCING FUNCTIONS."
  . ./meta_loader_func.sh
  ### SOURCING LIBRARIES
  color_echo "${CYA}" "SOURCING LIBRARIES."
  . ./meta_loader_lib.sh
fi

### PREPARING DIRECTORIES AND FILES.
color_echo "${CYA}" "PREPARING DIRECTORIES AND FILES."
gen_dir_files

### CHECKING REQUIRED PACKAGES.
color_echo "${CYA}" "CHECKING REQUIRED PACKAGES."
check_pkgs
check_git

### ADVISORY LOCK.
color_echo "${CYA}" "ADVISORY LOCK."
exec 127>/var/lock/ciss_debian_installer.lock || {
  printf "%s❌ Cannot open lockfile for writing! Bye... %s%s" "${RED}" "${RES}" "${NL}" >&2
  exit "${ERR_FLOCK_PROTECTED}"
}

if ! flock -x -n 127; then
  printf "%s❌ Another instance is running! Bye...%s%s" "${RED}" "${RES}" "${NL}" >&2
  exit "${ERR_FLOCK_COLLISION}"
fi

### SCAN FOR DEBUG MODE.
color_echo "${CYA}" "SCAN FOR DEBUG MODE."
pre_scan_debug "$@"

### CHECK FOR AUTO INSTALL MODE.
color_echo "${CYA}" "CHECK FOR AUTO INSTALL MODE."
for arg in "$@"; do case "${arg,,}" in -a|--autoinstall) declare -gx VAR_AUTO_INSTALL="true";; esac; done; unset arg

### ACTIVATING TRAPS.
color_echo "${CYA}" "ACTIVATING TRAPS."
trap 'trap_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT
trap 'trap_int' INT TERM
trap 'trap_err  "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR

### INTERACTIVE MODE NOTES AND KERNEL SELECTION.
# TODO: Update 0110_check_kernel.sh   & sourcing
# TODO: Update 0120_check_provider.sh & sourcing
#if ! "${VAR_AUTO_INSTALL}"; then check_provider; fi
#if ! "${VAR_AUTO_INSTALL}"; then check_kernel; fi

# TODO: Implement Debian Style Gauge Bar as Alternative Dialog Wrapper
### Dialog Output for Initialization START.
color_echo "${CYA}" "Dialog Output for Initialization START."
if ! "${VAR_AUTO_INSTALL}"; then . ./lib/0200_dialog_helper.sh && dialog_box; fi

### ARGUMENT CHECKS.
echo "ARGUMENT CHECKS..."
arg_check "$@"
declare -ar ARY_ARG_SANITIZED=("$@")
declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"

### ARGUMENT PARSING.
echo "ARGUMENT PARSING..."
arg_parser "$@"

### PRIORITY UPDATES.
echo "PRIORITY UPDATES..."
arg_priority_check

### HASHING PASSWORDS.
echo "HASHING PASSWORDS..."
nuke_passphrase
# TODO: Implement loop_pass() for other passwords.

### MAIN PROGRAM SEQUENCE
echo "MAIN PROGRAM SEQUENCE: yaml_parser()"
yaml_parser
# TODO: Check: yaml_reader()
echo "MAIN PROGRAM SEQUENCE: yaml_reader()"
yaml_reader

# TODO: Implement / Activate IP, Port validation
# 1222_validation_preseed.sh 1221_validation_ip.sh
# validation_preseed

### PARTITIONING
echo "MAIN PROGRAM SEQUENCE: partitioning()"
partitioning
partition_encryption
partition_formatting
setup_filesystem
mount_partition
uuid_logger

### DEBOOTSTRAP
func_debootstrap
configure_system
generate_fstab
generate_crypttab
generate_sources
minimal_toolset
setup_skel
setup_timezone
setup_locales
# TODO: Implement Clang Build Chain and MOK Signing Workflow
installation_kernel
setup_network
setup_hostname
setup_machineid
# TODO: Implement Clang Build Chain and MOK Signing Workflow and integrate GRUB, if needed
setup_grub
setup_grub_password
setup_grub_bootparameter
setup_kernel_modules
setup_kernel_sysctl
installation_microcode
setup_ssh
build_dropbear
install_dropbear_initramfs
# TODO: Update preseed.yaml for pgp signing key AND / OR implementation of presigned unlock-wrapper.sh
setup_dropbear
# TODO: Implement Console Login Deactivation and 2fa as advertised in preseed.yaml
setup_accounts
# TODO: Check Packages for installation
setup_packages
# TODO: What do we need for CISS environment?
setup_sudo
# TODO: Any changes to the NTPSec Servers?
setup_chrony
exiting_chroot

# TODO: Hardening Scripts Integration
# TODO: SSH 2fa integration
# TODO: Recovery Partition Integration
# TODO: Grub Boot Menu Update for Recovery Integration
# TODO: update-grub Post Hook
# TODO: Copying Log Files to final System
# TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain?
# TODO: Reboot function for Autoinstall

### Dialog Output for Initialization END
if ! "${VAR_AUTO_INSTALL}"; then . ./lib/0200_dialog_helper.sh && dialog_box_cleaner; fi

declare -gx VAR_SCRIPT_SUCCESS="true"

exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh