V8.13.288.2025.10.24

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-24 20:02:05 +01:00
parent fcd1756cce
commit 0f85ba60b2
5 changed files with 21 additions and 4 deletions
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu

 build:
-  counter: 1024
+  counter: 1023
  version: V8.13.288.2025.10.24
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -40,7 +40,7 @@ jobs:
        shell: bash
        run: |
          export DEBIAN_FRONTEND=noninteractive
-          apt-get update
+          apt-get update -qq
          apt-get upgrade -y
          apt-get install -y --no-install-recommends \
            apt-utils \
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -40,7 +40,7 @@ jobs:
        shell: bash
        run: |
          export DEBIAN_FRONTEND=noninteractive
-          apt-get update
+          apt-get update -qq
          apt-get upgrade -y
          apt-get install -y --no-install-recommends \
            apt-utils \
@@ -152,6 +152,7 @@ jobs:
          RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
+          CISS_PHYS_AGE:       ${{ secrets.CISS_PHYS_AGE }}
        run: |
          set -Ceuo pipefail
          umask 077
@@ -162,6 +163,7 @@ jobs:
          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
+          SOPS="${REPO_ROOT}/config/hooks/live/0860_sops.chroot"

          if [[ ! -f "${TPL}" ]]; then
            echo "Template not found: ${TPL}"
@@ -177,6 +179,7 @@ jobs:
          export RSA_PUB="${RSA_PUB//$'\r'/}"
          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
+          export CISS_PHYS_AGE="${CISS_PHYS_AGE//$'\r'/}"

          (
          cat << EOF >| "${ID_OUT}"
@@ -212,6 +215,16 @@ jobs:
          ' "${TPL}" > "${OUT}"

          chmod 0755 "${OUT}"
+
+          perl -0777 -i -pe '
+            BEGIN {
+              our $age = $ENV{CISS_PHYS_AGE} // q{};
+            }
+            s/\{\{\s*secrets\.CISS_PHYS_AGE\s*\}\}/$age/g;
+          ' -- "${SOPS}"
+
+          chmod 0755 "${SOPS}"
+
          echo "Hook rendered: ${OUT}"

      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -40,7 +40,7 @@ jobs:
        shell: bash
        run: |
          export DEBIAN_FRONTEND=noninteractive
-          apt-get update
+          apt-get update -qq
          apt-get upgrade -y
          apt-get install -y --no-install-recommends \
            apt-utils \
--- a/config/hooks/live/0860_sops.chroot
+++ b/config/hooks/live/0860_sops.chroot
@@ -51,6 +51,10 @@ rm -f "/tmp/sops-${SOPS_VER}.checksums.sig"
 umask 0077

 mkdir -p /root/.config/sops/age
+cat << 'EOF' /root/.config/sops/age/keys.txt
+{{ secrets.CISS_PHYS_AGE }}
+EOF
+chmod 0400 /root/.config/sops/age/keys.txt

 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"