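#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu

### Contributions so far see ./docs/CREDITS.md

# TODO: Update .dot files.
# TODO: Update README.md for each lib and func dir.
# TODO: Update MANPAGE.md for each func.
# TODO: Implement Clang Build Chain and Secure Boot PK CISS.ROOT.CA Signing Workflow
# TODO: Hardening Scripts Integration
# TODO: Recovery Partition Integration
# TODO: Grub Boot Menu Update for Recovery Integration
# TODO: update-grub Post Hook Clang, Recovery, Signing PK
# TODO: Copying Log Files to final System
# TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain?
# TODO: Reboot function for Autoinstall, Clean Exit, Flush Logs, luksClose, umount
# TODO: Implement loop_pass() for other passwords 0105_arg_nuke_converter.sh
# TODO: Implement / Integrate IP, Port validation CDI_1200

### WHY BASH?
# Ease of installation. No compiling or installing gems, CPAN modules, pip packages, etc. Simple to use and read. Clear syntax
# and straightforward output interpretation. Built-in power. Pattern matching, line processing, and regular expression support
# are available natively, no external binaries required. Cross-platform consistency. '/bin/bash' is the default shell on most
# Linux distributions, ensuring scripts run unmodified across systems. macOS compatibility. Since macOS Catalina (10.15), the
# default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
# or Cygwin on Windows systems.

### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES.
# Contract of this section: every VAR_* below is global, readonly and exported (declare -grx), so the sourced loaders and
# every child process see the same values. ARY_PARAM_ARRAY is deliberately left writable.
#
# NOTE(review): argv may carry secrets (see "HASHING PASSWORDS" / nuke_passphrase and the loop_pass() TODO above). Because
# VAR_PARAM_STRNG is exported, the raw argument string lands in the environment of every child process, including everything
# executed inside the chroot later on. Consider dropping -x on it once confirmed that no sourced file reads it from a subprocess.
declare -girx VAR_START_TIME="${SECONDS}" # Start time of script execution (whole seconds since the shell started).
declare -grx VAR_PARAM_COUNT="$#"          # Number of arguments passed to the script.
declare -grx VAR_PARAM_STRNG="$*"          # Arguments passed to the script joined into one string (see NOTE above).
declare -ag ARY_PARAM_ARRAY=("$@")         # Arguments passed to the script as an array, one element per argument.
declare -grx VAR_SETUP_FILE="${0##*/}"     # 'setup.sh'

# Resolve the directory this script lives in. Assign first, then freeze: folding the substitution into the declare (the
# former SC2155 suppression) masked a failing 'cd' and would have frozen an empty, readonly VAR_SETUP_PATH. The colour
# variables and ERR_* codes are not loaded yet, so the failure path is plain stderr + exit 1.
VAR_SETUP_PATH="$(cd -- "$(dirname -- "${0}")" && pwd)" || {
  printf "❌ Cannot resolve the directory of '%s'! Bye...\n" "${0}" >&2
  exit 1
}
[[ -n "${VAR_SETUP_PATH}" ]] || {
  printf "❌ Cannot resolve the directory of '%s'! Bye...\n" "${0}" >&2
  exit 1
}
declare -grx VAR_SETUP_PATH                                        # '/opt/git/CISS.debian.installer'
declare -grx VAR_SETUP_FULL="${VAR_SETUP_PATH}/${VAR_SETUP_FILE}" # '/opt/git/CISS.debian.installer/setup.sh'

# NOTE(review): VAR_SETUP_PATH is computed but never used for sourcing -- every '. ./...' and source_guard "./..." below
# resolves against the caller's CWD, so as root this script executes whatever loaders sit in the directory it is invoked
# from. A 'cd -- "${VAR_SETUP_PATH}" || exit 1' here would pin that; check first whether any argument (e.g. a preseed path
# consumed by yaml_parser) is meant to be CWD-relative.
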
### PRELIMINARY CHECKS.
# Each check sources ./meta_loader_early.sh on its failure path only: that loader supplies RED/RES/NL and the ERR_* exit
# codes used in the message. On the success path nothing has been loaded yet.

### No ash, dash, ksh, sh.
# '[' instead of '[[' on purpose (SC2292) so a POSIX shell can at least parse the line. In dash/ash the array subscript
# below is itself a "Bad substitution" error and the 'declare -g' lines above are bash-only, so those shells abort before
# this message is ever printed; the shebang remains the real guard.
# shellcheck disable=SC2292
if [ -z "${BASH_VERSINFO[0]}" ]; then
  . ./meta_loader_early.sh
  printf "%b❌ Please make sure you are using 'bash'! Bye... %b%b" "${RED}" "${RES}" "${NL}" >&2
  exit "${ERR_UNSUPPORTED_BASH}"
fi

### No zsh.
# zsh sets ZSH_VERSION; bash never does.
if [[ -n "${ZSH_VERSION:-}" ]]; then
  . ./meta_loader_early.sh
  printf "%b❌ Please make sure you are using 'bash'! Bye... %b%b" "${RED}" "${RES}" "${NL}" >&2
  exit "${ERR_UNSUPPORTED_BASH}"
fi

### Not root.
# Partitioning, encryption and debootstrap below all need uid 0.
if (( EUID != 0 )); then
  . ./meta_loader_early.sh
  printf "%b❌ Please make sure you are 'root'! Bye... %b%b" "${RED}" "${RES}" "${NL}" >&2
  exit "${ERR_USER_IS_NOT_ROOT}"
fi

### Not called by sh.
# Heuristic: bash's 'kill -l' prints signal names with their SIG prefix, the dash builtin prints them without.
# shellcheck disable=2312
if [[ "$(kill -l | grep -c SIG)" -eq 0 ]]; then
  . ./meta_loader_early.sh
  printf "%b❌ Please make sure you are calling the script without leading 'sh'! Bye... %b%b" "${RED}" "${RES}" "${NL}" >&2
  exit "${ERR_UNSUPPORTED_BASH}"
fi

### Not sourced.
# When sourced, BASH_SOURCE[0] is this file while $0 is the calling shell; the readonly declares above would otherwise
# pollute the caller's session.
if [[ "${BASH_SOURCE[0]}" != "$0" ]]; then
  . ./meta_loader_early.sh
  printf "%b❌ This script must be executed, not sourced. Please run './setup.sh' directly. %b%b" "${RED}" "${RES}" "${NL}" >&2
  exit "${ERR_UNSUPPORTED_BASH}"
fi

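### Minimum Bash version 5.1.
# One numeric test replaces the former two-step check. The old second step compared the minor version with '-le 1' and
# therefore rejected bash 5.1 itself, contradicting the "Minimum requirement is bash 5.1" message. Reject strictly below
# 5.1: any major < 5, or major == 5 with minor < 1.
if (( BASH_VERSINFO[0] < 5 || (BASH_VERSINFO[0] == 5 && BASH_VERSINFO[1] < 1) )); then
  . ./meta_loader_early.sh
  printf "%b❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... %b%b" "${RED}" "${BASH_VERSION}" "${RES}" "${NL}" >&2
  exit "${ERR_UNSUPPORTED_BASH}"
fi
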
### No arguments.
# Nothing to install without arguments: print usage to stderr and leave. Exit code 1 (not an ERR_* constant) is the
# conventional usage-error status.
if (( $# == 0 )); then
  . ./meta_loader_early.sh
  usage >&2
  exit 1
fi

### CHECK FOR CONTACT, HELP, AND VERSION STRING.
# Three separate passes keep the precedence fixed regardless of argument order: --contact beats --help, which beats
# --version. Matching is case-insensitive via ${arg,,}. Every argument is inspected, so a positional value that happens to
# equal '-h' triggers usage as well.
for arg in "$@"; do
  if [[ "${arg,,}" == "-c" || "${arg,,}" == "--contact" ]]; then
    . ./meta_loader_cuv.sh
    contact
    exit 0
  fi
done
for arg in "$@"; do
  if [[ "${arg,,}" == "-h" || "${arg,,}" == "--help" ]]; then
    . ./meta_loader_cuv.sh
    usage
    exit 0
  fi
done
for arg in "$@"; do
  if [[ "${arg,,}" == "-v" || "${arg,,}" == "--version" ]]; then
    . ./meta_loader_cuv.sh
    version
    exit 0
  fi
done

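### SOURCING MUST SET EARLY VARIABLES. SOURCING COLOR_ECHO(), GUARD_SOURCING(), AND SOURCE_GUARD().
# Bootstrap order matters: the two guard libraries are the only files loaded with a bare '.', everything after them goes
# through source_guard.
. ./lib/cdi_0005_guard/0005_guard_sourcing.sh # The function guard_sourcing MUST be present in each file to source.
. ./lib/cdi_0005_guard/0006_source_guard.sh # Wrapper for sourcing modules, libraries, variables.
source_guard "./var/color.var.sh"
source_guard "./var/early.var.sh"
source_guard "./lib/cdi_0010_basic/0010_color_echo.sh"
clear

### ALL CHECKS DONE. READY TO START THE SCRIPT.
# Scratch file for the dialog wrapper. No -p/--tmpdir is given, so mktemp creates it relative to the current directory
# (the checkout, when run as documented), not under /tmp. Assign before 'declare -grx': folding the substitution into the
# declare (the former SC2155 suppression) masked a failing mktemp and would have frozen an empty, readonly VAR_DIALOG that
# only fails much later at its first use.
# NOTE(review): no removal of this file is visible in this script; presumably trap_exit (installed further down) cleans
# it up -- confirm.
VAR_DIALOG="$(mktemp var_dialog.XXXXXXXX)" || {
  printf "%b❌ Cannot create temporary dialog file! Bye... %b%b" "${RED}" "${RES}" "${NL}" >&2
  exit 1
}
declare -grx VAR_DIALOG
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: ALL CHECKS DONE. READY TO START THE SCRIPT"
declare -grx VAR_SETUP="true" # Gate for the loader section that follows.
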
### SOURCING FUNCTIONS, LIBRARIES, VARIABLES.
# VAR_SETUP was frozen to "true" just above, so this gate is always open; it only marks the loader section as one unit.
# Load order: variables, then functions, then libraries (presumably because the later loaders reference the earlier ones).
case "${VAR_SETUP}" in
  true)
    ### SOURCING VARIABLES
    color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: SOURCING VARIABLES"
    . ./meta_loader_var.sh
    ### SOURCING FUNCTIONS
    color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: SOURCING FUNCTIONS"
    . ./meta_loader_func.sh
    ### SOURCING LIBRARIES
    color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: SOURCING LIBRARIES"
    . ./meta_loader_lib.sh
    ;;
esac

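### ADVISORY LOCK.
# Taken before anything touches the filesystem or the package database. In the previous order gen_dir_files and
# check_pkgs ran first, so two instances started together both performed those side effects before the loser noticed the
# lock. Only the colour variables and ERR_FLOCK_* codes from the early loaders are needed here. Assumes /var/lock exists
# before gen_dir_files runs, which holds on a stock Debian system -- confirm gen_dir_files creates nothing the lock needs.
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: ADVISORY LOCK"
# fd 127 stays open for the life of this process, so the lock is released by the kernel on any exit path, including a
# crash. Children inherit the fd, so a long-lived child that does not close it would keep the lock held.
exec 127>/var/lock/ciss_debian_installer.lock || {
  printf "%b❌ Cannot open lockfile for writing! Bye... %b%b" "${RED}" "${RES}" "${NL}" >&2
  exit "${ERR_FLOCK_PROTECTED}"
}
# -n: fail immediately instead of queueing behind a running installer.
if ! flock -x -n 127; then
  printf "%b❌ Another instance is running! Bye...%b%b" "${RED}" "${RES}" "${NL}" >&2
  exit "${ERR_FLOCK_COLLISION}"
fi

### PREPARING DIRECTORIES AND FILES.
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: PREPARING DIRECTORIES AND FILES"
gen_dir_files

### CHECKING REQUIRED PACKAGES.
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECKING REQUIRED PACKAGES"
check_pkgs
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECKING GIT VARIABLES"
check_git
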
### SCAN FOR DEBUG MODE.
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: SCAN FOR DEBUG MODE"
pre_scan_debug "$@"

### CHECK FOR AUTO INSTALL MODE.
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECK FOR AUTO INSTALL MODE"
# Any -a/--autoinstall (case-insensitive) anywhere in argv switches off the interactive dialogs further down. The flag is
# exported so child processes see the mode as well.
for arg in "$@"; do
  if [[ "${arg,,}" == "-a" || "${arg,,}" == "--autoinstall" ]]; then
    declare -gx VAR_AUTO_INSTALL="true"
  fi
done
unset arg

### ACTIVATING TRAPS.
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: ACTIVATING TRAPS"
# trap_exit / trap_err receive: exit status, source file, line, function name ('main' at top level) and the command that
# was executing. Everything above this point (lock, gen_dir_files, check_pkgs) ran without these handlers, so an early
# failure gets no trap_exit cleanup.
# NOTE(review): the ERR trap is only inherited by function bodies when 'set -E' is on, and no 'set -e/-E' is visible in
# this file -- confirm a loader enables it, otherwise trap_err fires only for failing top-level commands.
trap 'trap_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT
trap 'trap_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
trap 'trap_int' INT TERM

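### INTERACTIVE MODE NOTES AND KERNEL SELECTION.
# The previous form '! "${VAR_AUTO_INSTALL}"' *executed* the variable's value as a command: an unset flag produced
# "command not found" noise on stderr (status 127, so the dialog still ran), and any value other than true/false would
# have been run as a program. Compare the string instead, as the other VAR_* flags in this file already do; anything but
# the exact "true" set by the --autoinstall scan means interactive mode.
if [[ "${VAR_AUTO_INSTALL:-}" != "true" ]]; then dialog_kernel; fi
if [[ "${VAR_AUTO_INSTALL:-}" != "true" ]]; then dialog_notes; fi

### Dialog Output for Initialization START.
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECK DIALOG WRAPPER"
if [[ "${VAR_AUTO_INSTALL:-}" != "true" ]]; then dialog_box; fi
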
### ARGUMENT CHECKS.
info_echo "0101_arg_sanitizer.sh"
arg_check "$@"
# A called function cannot modify the caller's positional parameters, so this snapshot is byte-identical to
# ARY_PARAM_ARRAY; it is "sanitized" only in the sense that arg_check has accepted it (presumably exiting otherwise --
# confirm in 0101_arg_sanitizer.sh).
# NOTE(review): like VAR_PARAM_STRNG this string is exported, so any secret passed on the command line reaches the
# environment of every child process.
ARY_ARG_SANITIZED=("$@")
readonly ARY_ARG_SANITIZED
VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
declare -grx VAR_ARG_SANITIZED

### ARGUMENT PARSING.
info_echo "0102_arg_parser.sh"
arg_parser "$@"

### PRIORITY UPDATES.
info_echo "0103_arg_priority_check.sh"
arg_priority_check

### HASHING PASSWORDS.
# Passphrases are converted before any storage step below runs (what exactly is hashed is defined in
# 0105_arg_nuke_converter.sh, not here).
info_echo "0105_arg_nuke_converter.sh"
nuke_passphrase

### CDI_1200
# Reserved: IP/port validation is still a TODO (see header), so nothing runs in this stage yet.

### CDI_1250
# YAML pipeline: parse, read, validate. Validation finishes before the first storage step in CDI_3200 -- keep that order,
# since the steps below presumably modify the target disk.
info_echo "1250_yaml_parser.sh"
yaml_parser
info_echo "1251_yaml_reader.sh"
yaml_reader
info_echo "1252_yaml_validator.sh"
yaml_validator

### CDI_3200
# Storage: partition, benchmark the cipher candidates before encrypting (presumably to pick the cipher -- confirm in
# 3210), encrypt, format, mount, then record the UUIDs (presumably consumed by fstab/crypttab generation in CDI_4200).
info_echo "3200_partitioning.sh"
partitioning
info_echo "3210_benchmarking_encryption.sh"
benchmarking_encryption
info_echo "3220_partition_encryption.sh"
partition_encryption
info_echo "3240_partition_formatting.sh"
partition_formatting
info_echo "3280_mount_partition.sh"
mount_partition
info_echo "3290_uuid_logger.sh"
uuid_logger

### CDI_4000
# Base system: debootstrap, verify the result, bind the pseudo-filesystems for chroot work, then the first in-target
# configuration (hostname, resolv.conf, timezone, locales). remove_x509 runs before any network configuration; what it
# removes is defined in 4020, not visible here.
info_echo "4000_debootstrap.sh"
func_debootstrap
info_echo "4005_debootstrap_checks.sh"
check_debootstrap
info_echo "4010_prepare_mounts.sh"
prepare_mounts
info_echo "4015_check_usr_merge.sh"
check_usr_merge
info_echo "4020_remove_x509.sh"
remove_x509
info_echo "4030_setup_hostname.sh"
setup_hostname
info_echo "4035_setup_resolv.sh"
setup_resolv
info_echo "4040_setup_timezone.sh"
setup_timezone
info_echo "4050_setup_locales.sh"
setup_locales

### CDI_4100
# APT sources in either deb822 or one-line format (VAR_DEB822 decides), then the package installs for the target:
# kernel, initramfs, base toolset, systemd + machine-id + unit masking, microcode, firmware, chrony, eza, lynis.
if [[ "${VAR_DEB822}" == "true" ]]; then
  info_echo "4105_generate_sources822.sh"
  generate_sources822
else
  info_echo "4100_generate_sources.sh"
  generate_sources
fi
info_echo "4110_update_sources.sh"
update_sources
info_echo "4120_installation_kernel.sh"
installation_kernel
info_echo "4121_installation_initramfs.sh"
installation_initramfs
info_echo "4130_installation_toolset.sh"
installation_toolset
info_echo "4131_installation_systemd.sh"
installation_systemd
# machine-id is handled as its own step (4132) right after systemd; presumably so the image does not ship a baked-in id.
info_echo "4132_installation_machineid.sh"
installation_machineid
info_echo "4133_installation_masking.sh"
installation_masking
info_echo "4140_installation_microcode.sh"
installation_microcode
info_echo "4145_installation_firmware.sh"
installation_firmware
info_echo "4150_installation_chrony.sh"
installation_chrony
info_echo "4160_installation_eza.sh"
installation_eza
info_echo "4170_installation_lynis.sh"
installation_lynis

### CDI_4200
# Boot plumbing: each generated table is followed by its own check step before the next one is written. cryptsetup and
# GRUB come after the tables; the GRUB password step only runs when VAR_GRUB_PASSWORD is "true", the boot parameters
# are always updated.
info_echo "4200_generate_fstab.sh"
generate_fstab
info_echo "4205_check_fstab.sh"
check_fstab
info_echo "4210_generate_crypttab.sh"
generate_crypttab
info_echo "4215_check_crypttab.sh"
check_crypttab
info_echo "4220_installation_cryptsetup.sh"
installation_cryptsetup
info_echo "4230_installation_grub.sh"
installation_grub
if [[ "${VAR_GRUB_PASSWORD}" == "true" ]]; then
  info_echo "4240_update_grub_password.sh"
  update_grub_password
fi
info_echo "4250_update_grub_bootparameter.sh"
update_grub_bootparameter

### CDI_4300
# Network and remote access. The optional dropbear trio (build, initramfs hook, setup) only runs when VAR_DROPBEAR is
# "true"; update_initramfs follows it unconditionally, so the initramfs is rebuilt after any dropbear change (presumably
# the reason for this order). OpenSSH for the booted system is installed last.
info_echo "4300_installation_network.sh"
installation_network
info_echo "4305_installation_netsec.sh"
installation_netsec
if [[ "${VAR_DROPBEAR}" == "true" ]]; then
  info_echo "4310_dropbear_build.sh"
  dropbear_build
  info_echo "4311_dropbear_initramfs.sh"
  dropbear_initramfs
  info_echo "4312_dropbear_setup.sh"
  dropbear_setup
fi
info_echo "4320_update_initramfs.sh"
update_initramfs
info_echo "4330_installation_ssh.sh"
installation_ssh

### CDI_4400
# Kernel and host hardening.
info_echo "4400_kernel_modules.sh"
# NOTE(review): with '&&', a non-zero return from kernel_modules silently skips kernel_modprobe and, being the left-hand
# side of a list, does not fire the ERR trap. If the module step is mandatory hardening, make that failure explicit
# instead of skipping the follow-up.
kernel_modules && kernel_modprobe
info_echo "4410_kernel_sysctl.sh"
kernel_sysctl
info_echo "4420_hardening_fail2ban.sh"
hardening_fail2ban
info_echo "4430_hardening_files.sh"
hardening_files
info_echo "4440_hardening_haveged.sh"
hardening_haveged
info_echo "4450_hardening_memory.sh"
hardening_memory
info_echo "4460_hardening_openssl.sh"
hardening_openssl
info_echo "4470_hardening_ufw.sh"
hardening_ufw
info_echo "4480_hardening_usb.sh"
hardening_usb
info_echo "4490_hardening_virus.sh"
hardening_virus

### CDI_4500
# Accounts: prepare, harden, then create -- hardening runs before the user accounts exist.
info_echo "4500_accounts_preparation.sh"
accounts_preparation
info_echo "4510_accounts_hardening.sh"
accounts_hardening
info_echo "4520_accounts_setup.sh"
accounts_setup

### CDI_4600
# Remaining package sets and the final in-chroot verification.
info_echo "4600_installation_packages.sh"
installation_packages
info_echo "4610_installation_security.sh"
installation_security
info_echo "4620_installation_verification.sh"
# Function is named install_verification while every sibling is installation_*; the label above follows the file name.
install_verification

# Not yet wired in. Note the number clash: "4610" is already used by 4610_installation_security.sh above.
#info_echo "4610_finalize_system.sh"
#info_echo "4670_verify_system.sh"
#info_echo "4680_check_sshd_config_integrity.sh"
#info_echo "4690_check_grub_cmdline.sh"

### CDI_4700
# Leave the chroot; everything after this runs against the host again.
info_echo "4799_exiting_chroot_system.sh"
exiting_chroot_system

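### CDI_5000
# Optional recovery partition work; still listed as a TODO in the header.
if [[ "${VAR_RECOVERY}" == "true" ]]; then
  wrapper_recovery
fi

### Dialog Output for Initialization END
# Same fix as the START block: compare the flag as a string instead of executing its value as a command (the previous
# '! "${VAR_AUTO_INSTALL}"'). Anything but the exact "true" means interactive mode and the dialog is cleaned up.
if [[ "${VAR_AUTO_INSTALL:-}" != "true" ]]; then dialog_box_cleaner; fi

# Marker for the EXIT trap (presumably read by trap_exit to tell a clean run from an abort -- confirm). Exiting 0 runs it.
declare -gx VAR_SCRIPT_SUCCESS="true"

exit 0

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh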