From 0f85ba60b21ad37e40e39628272261cfa9c36dcb25421f7023a2be2cda9d286d Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Fri, 24 Oct 2025 20:02:05 +0100 Subject: [PATCH] V8.13.288.2025.10.24 Signed-off-by: Marc S. Weidner --- .gitea/trigger/t_generate_PRIVATE_trixie_1.yaml | 2 +- .gitea/workflows/generate_PRIVATE_trixie_0.yaml | 2 +- .gitea/workflows/generate_PRIVATE_trixie_1.yaml | 15 ++++++++++++++- .gitea/workflows/generate_PUBLIC_iso.yaml | 2 +- config/hooks/live/0860_sops.chroot | 4 ++++ 5 files changed, 21 insertions(+), 4 deletions(-) diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml index eacc55c..00bece4 100644 --- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml +++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml @@ -10,6 +10,6 @@ # SPDX-Security-Contact: security@coresecret.eu build: - counter: 1024 + counter: 1023 version: V8.13.288.2025.10.24 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml index fc47b5f..6cd9877 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml @@ -40,7 +40,7 @@ jobs: shell: bash run: | export DEBIAN_FRONTEND=noninteractive - apt-get update + apt-get update -qq apt-get upgrade -y apt-get install -y --no-install-recommends \ apt-utils \ diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml index 57eab73..f184cdd 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml @@ -40,7 +40,7 @@ jobs: shell: bash run: | export DEBIAN_FRONTEND=noninteractive - apt-get update + apt-get update -qq apt-get upgrade -y apt-get install -y --no-install-recommends \ apt-utils \ 
@@ -152,6 +152,7 @@ jobs: RSA_PUB: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }} CISS_PRIMORDIAL: ${{ secrets.CISS_PRIMORDIAL_PRIVATE }} CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }} + CISS_PHYS_AGE: ${{ secrets.CISS_PHYS_AGE }} run: | set -Ceuo pipefail umask 077 @@ -162,6 +163,7 @@ jobs: OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot" ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial" ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub" + SOPS="${REPO_ROOT}/config/hooks/live/0860_sops.chroot" if [[ ! -f "${TPL}" ]]; then echo "Template not found: ${TPL}" @@ -177,6 +179,7 @@ jobs: export RSA_PUB="${RSA_PUB//$'\r'/}" export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}" export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}" + export CISS_PHYS_AGE="${CISS_PHYS_AGE//$'\r'/}" ( cat << EOF >| "${ID_OUT}" @@ -212,6 +215,16 @@ jobs: ' "${TPL}" > "${OUT}" chmod 0755 "${OUT}" + + perl -0777 -i -pe ' + BEGIN { + our $age = $ENV{CISS_PHYS_AGE} // q{}; + } + s/\{\{\s*secrets\.CISS_PHYS_AGE\s*\}\}/$age/g; + ' -- "${SOPS}" + + chmod 0755 "${SOPS}" + echo "Hook rendered: ${OUT}" - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ... diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml index c54cd7b..904ae9f 100644 --- a/.gitea/workflows/generate_PUBLIC_iso.yaml +++ b/.gitea/workflows/generate_PUBLIC_iso.yaml @@ -40,7 +40,7 @@ jobs: shell: bash run: | export DEBIAN_FRONTEND=noninteractive - apt-get update + apt-get update -qq apt-get upgrade -y apt-get install -y --no-install-recommends \ apt-utils \ diff --git a/config/hooks/live/0860_sops.chroot b/config/hooks/live/0860_sops.chroot index 777db1a..583d8e1 100644 --- a/config/hooks/live/0860_sops.chroot +++ b/config/hooks/live/0860_sops.chroot 
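Review bot: In the `@@ -212` hunk the rendered `${SOPS}` hook now embeds the plaintext age private key, yet `chmod 0755 "${SOPS}"` makes that file world-readable in the runner workspace, undoing the `umask 077` the same step sets at its top; `chmod 0700 "${SOPS}"` keeps it executable for the build while dropping the read bits (assuming live-build executes hooks as root, which the hook's own writes under /root suggest — confirm). The perl `BEGIN` block also defaults `$age` to `q{}`, so an unset or empty `CISS_PHYS_AGE` secret renders without complaint and the image ships an empty keys.txt; add `: "${CISS_PHYS_AGE:?CISS_PHYS_AGE secret is empty}"` before the perl call, since the `@@ -177` hunk already exports the variable in scope. The same 0755 question applies to `${OUT}` on the line above if 9935_hardening_ssh.chroot embeds key material the same way; its template is not visible here. The enclosing run step starts outside this hunk.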
@@ -51,6 +51,10 @@ rm -f "/tmp/sops-${SOPS_VER}.checksums.sig" umask 0077 mkdir -p /root/.config/sops/age +cat << 'EOF' /root/.config/sops/age/keys.txt +{{ secrets.CISS_PHYS_AGE }} +EOF +chmod 0400 /root/.config/sops/age/keys.txt printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
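Review bot: `cat << 'EOF' /root/.config/sops/age/keys.txt` has no redirection operator, so the path is handed to cat as a file argument: cat reads that file (which the `mkdir -p` above does not create) instead of the here-document, exits non-zero, and the key is never written, after which the following `chmod 0400` fails on a missing file; whether the hook aborts there depends on its error handling, which starts outside this hunk. The line should read `cat << 'EOF' > /root/.config/sops/age/keys.txt`, and the `umask 0077` set two lines earlier already makes the new file 0600 before the chmod tightens it to 0400. Because the delimiter is quoted, the placeholder on the next line is replaced only by the workflow's perl rendering step, so a hook run from an unrendered checkout would write the literal `{{ secrets.CISS_PHYS_AGE }}` into keys.txt; a post-write check such as `grep -q '^AGE-SECRET-KEY-1' /root/.config/sops/age/keys.txt || exit 1` would catch both the unrendered and the empty-secret case before the image is built.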