V8.13.384.2025.11.06
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m19s

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-06 23:36:57 +01:00
parent c2b76d08aa
commit 3e19c99af6


@@ -12,83 +12,88 @@ include_toc: true
# 2.1. Usage
````text
CISS.debian.live.builder
CDLB(1) CISS.debian.live.builder CDLB(1)
CISS.debian.live.builder from https://git.coresecret.dev/msw
Master V8.13.384.2025.11.06
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025
(p) Centurion Press, 2024 - 2025
"./ciss_live_builder.sh <option>", where <option> is one or more of:
./ciss_live_builder.sh <option>, where <option> is one or more of:
--help, -h
What you're looking at.
--autobuild=*, -a=*
Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
selector dialog. Change '*' to your desired Linux kernel and trim the
'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel selector dialog.
Change '*' to your desired Linux kernel and trim the 'linux-image-' string to select a specific kernel,
e.g. '--autobuild=6.12.30+bpo-amd64'.
--architecture <STRING> one of <amd64 | arm64>
A string reflecting the architecture of the Live System.
MUST be provided.
--build-directory </path/to/build_directory>
Where the Debian Live Build Image should be generated.
Where the Debian Live Build Image should be generated. RECOMMENDED path: </opt/cdlb>
MUST be provided.
--change-splash <STRING> one of <club | hexagon>
A string reflecting the GRub Boot Screen Splash you want to use.
If omitted defaults to "./.archive/background/club.png".
A string reflecting the Grub Boot Screen Splash you want to use. If omitted defaults to:
<./.archive/background/club.png>
--cdi (Experimental Feature)
This option generates a boot menu entry to start the forthcoming
'CISS.debian.installer', which will be executed after
the system has successfully booted up.
--cdi
This option creates a boot menu entry that starts the forthcoming 'CISS.debian.installer', which is executed
once the system has successfully booted up.
--contact, -c
Displays contact information of the author.
--contact, -c\ e[0m
Show author contact information.
--control <INTEGER>
An integer that reflects the version of your Live ISO Image.
--control <STRING>
A string, that reflects the version of your Live ISO Image.
MUST be provided.
--debug
Enables debug logging for the main program routine. Detailed logging
information are written to "/tmp/ciss_live_builder_1136873.log"
--debug, -d
Enables debug logging for the main program routine. Detailed logging information are written to:
</tmp/ciss_live_builder_1801049.log>
--dhcp-centurion
If a DHCP lease is provided, the provider's nameserver will be overridden,
and only the hardened, privacy-focused Centurion DNS servers will be used:
If a DHCP lease is provided, the provider's name server will be overridden and the hardened, privacy-focused
Centurion DNS servers will be used instead:
- https://dns01.eddns.eu/
- https://dns02.eddns.de/
- https://dns03.eddns.eu/
--jump-host <IP | IP | ... >
Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
If provided, than it MUST be a <SPACE> separated list.
Provide up to 10 IPs for '/etc/host.allow' whitelisting of SSH access. Could be either IPv4 and / or IPv6
addresses and / or CCDIR notation. If provided, than it MUST be a <SPACE> separated list.
IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
--key_age=*
The SOPS AGE private keyring for decryption operations. Change '*' to your desired SOPS AGE key file.
File MUST be placed in:
</dev/shm/cdlb_secrets>
--key_luks=*
The LUKS encryption / decryption passphrase for '/'-fs-encryption. Change '*' to your desired passphrase file.
File MUST be placed in:
</dev/shm/cdlb_secrets>
--log-statistics-only
Provides statistic only after successful building a
CISS.debian.live-ISO. While enabling "--log-statistics-only"
the argument "--build-directory" MUST be provided while
all further options MUST be omitted.
Provides statistic only after successful building a CISS.debian.live-ISO. While enabling '--log-statistics-only'
the argument '--build-directory' MUST be provided.
--provider-netcup-ipv6
Activates IPv6 support for Netcup Root Server. One unique
IPv6 address MUST be provided in this case and MUST be encapsulated
with [], e.g., [1234::abcd].
Activates IPv6 support for Netcup Root Server. One unique IPv6 address MUST be provided in this case and MUST be
encapsulated with [], e.g., [1234::abcd].
--renice-priority <PRIORITY>
Reset the nice priority value of the script and all its children
to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
Negative (higher) values MUST be enclosed in double quotes '"'.
Reset the nice priority value of the script and all its children to the desired <PRIORITY>. MUST be an integer
between '-19' and 19. Negative (higher) values MUST be enclosed in double quotes '"'.
--reionice-priority <CLASS> <PRIORITY>
Reset the ionice priority value of the script and all its children
to the desired <CLASS>. MUST be an integer:
Reset the ionice priority value of the script and all its children to the desired <CLASS>. MUST be an integer:
1: realtime
2: best-effort
3: idle
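Review bot: the rewritten help line `--contact, -c\ e[0m` leaks a terminal escape sequence into the usage text; the `\e[0m` reset is printed literally (with a backslash and a space) instead of being interpreted, so either drop it or make sure the heredoc/echo that emits this text is run with escape interpretation and the reset has a matching colour start. Three documentation points in the same hunk survive the reflow unchanged: `--jump-host` says '/etc/host.allow' and "CCDIR notation", whereas the TCP wrappers file is `/etc/hosts.allow` and the notation is CIDR, and "If provided, than it MUST" should read "then"; `--renice-priority` gives the nice range as '-19' to 19, while Linux accepts -20 through 19. Finally, `--autobuild=*`, `--key_age=*` and `--key_luks=*` take their value with `=` while every other option takes a space-separated argument; say so explicitly or normalise the syntax so headless callers do not have to guess.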
@@ -97,59 +102,50 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
0: highest priority and
7: lowest priority.
Defaults to '4'.
A real-time I/O process can significantly slow down other processes
or even cause them to starve if it continuously requests I/O.
A real-time I/O process can significantly slow down other processes or even cause them to starve if it
continuously requests I/O.
--root-password-file </path/to/password.txt>
Password file for 'root', if given, MUST be a string of 20 to 64 characters,
and MUST NOT contain the special character '"'.
If the argument is omitted, no further login authentication is required for
the local console. The root password is hashed with an 16 Byte '/dev/random'
generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
after Hash generation all Variables containing plain password fragments are
deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
further prompt after password hash has been successfully generated via:
'shred -vfzu 5 -f'.
No tracing of any plain text password fragment in any debug log.
--root-password-file </dev/shm/cdlb_secrets/password.txt>>
Password file for 'root', if given, MUST be a string of 42 to 64 characters.
If the argument is omitted, no further login authentication is required for the local console.
MUST be placed in:
</dev/shm/cdlb_secrets/password.txt>
--signing_key=* and --signing_key_fpr=*; if desired then additionally --signing_key_pass=*
The GPG private keyring that should be used for signing artifacts such as checksum hashes and scripts is
specified via '--signing_key=*'. If the keyring is protected, then provide the passphrase in its own file.
Specify the fingerprint of the key to use via '--signing_key_fpr=*'.
Change '*' to your desired files / fingerprint. Files MUST be placed in:
</dev/shm/cdlb_secrets>
--sshfp
Desired SSH id-files that should be incorporated in '/root/.ssh/id*'.
Desired SSH host-files that should be incorporated in '/etc/ssh/ssh_host_*'.
The respective id-files and / or host-files MUST be placed in:
</dev/shm/cdlb_secrets/id*> / </dev/shm/cdlb_secrets/ssh_host_*>
--ssh-port <INTEGER>
The desired Port SSH should listen to.
If not provided defaults to Port 22.
If not provided defaults to Port '22'.
--ssh-pubkey </path/to/.ssh/>
Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
specified PATH into the Live ISO. MUST be provided.
--ssh-pubkey </dev/shm/cdlb_secrets/>
Imports the SSH Public Key from the file 'authorized_keys' into the Live ISO.
Key file MUST be placed in:
</dev/shm/cdlb_secrets/authorized_keys>
--trixie
Create a Debian Trixie Live ISO.
Creates a Debian Trixie Live ISO. If omitted defaults to 'Trixie'. No other Debian Version is supported.
--version, -v
Displays version of ./ciss_live_builder.sh.
Show version of ./ciss_live_builder.sh.
💡 Notes:
🔵 You MUST be 'root' to run this script.
💷 Please consider donating to my work at:
🌐 https://coresecret.eu/spenden/
````
# 2.2. Contact
````text
CISS.debian.live.builder
Master V8.13.384.2025.11.06
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025
(p) Centurion Press, 2024 - 2025
💬 Contact:
🌐 https://coresecret.eu/
📧 security@coresecret.eu
🔑 PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD
🔗 https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD
💷 Please consider donating to my work at:
🌐 https://coresecret.eu/spenden/
V8.13.384.2025.11.06 2025-11-06 CDLB(1)
````
# 3. Booting
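Review bot: the rewritten `--root-password-file` entry has a doubled closing bracket (`</dev/shm/cdlb_secrets/password.txt>>`) and drops the whole description of what happens to the password (SHA-512 with a 16-byte /dev/random salt and 8,388,608 rounds, plaintext variables cleared after hashing, file shredded after use, no plaintext fragments in the debug log) together with the rule that '"' is not allowed; unless that behaviour changed along with the minimum length (20 to 42 characters), keep the paragraph, because it is the only place a user learns the file is destroyed after hashing. If it is restored, note that `shred -vfzu 5 -f` as written passes `5` as a file name; the iteration count needs `-n 5`. Two consistency points in the same hunk: `--trixie` now reads "If omitted defaults to 'Trixie'. No other Debian Version is supported", which makes the flag a no-op and should either say so or go, and the 2.2 Contact banner still says "hardened Debian Bookworm Live ISO Image" while the Usage banner in the first hunk was changed to "Debian Live". For `--sshfp`, one sentence that `ssh_host_*` private keys copied from /dev/shm/cdlb_secrets end up inside the ISO, so the image must be handled as carefully as those keys, would spare users an unpleasant surprise.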