From 440a393c673e4fb5953abd8b61bfe4b4af451d632992f7e8dc032f4a57c13a26 Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Fri, 22 Aug 2025 19:05:44 +0200
Subject: [PATCH] V8.13.008.2025.08.22
Signed-off-by: Marc S. Weidner
---
.../t_generate_PRIVATE_iso_flavour_0.yaml | 15 -
.../t_generate_PRIVATE_iso_flavour_1.yaml | 15 -
.../generate_PRIVATE_iso_flavour_0.yaml | 485 ------------------
.../generate_PRIVATE_iso_flavour_1.yaml | 482 -----------------
LIVE_ISO_FLV_0.private | 27 -
LIVE_ISO_FLV_1.private | 27 -
README.md | 7 +-
7 files changed, 4 insertions(+), 1054 deletions(-)
delete mode 100644 .gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
delete mode 100644 .gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
delete mode 100644 .gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
delete mode 100644 .gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
delete mode 100644 LIVE_ISO_FLV_0.private
delete mode 100644 LIVE_ISO_FLV_1.private
diff --git a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
deleted file mode 100644
index b192b23..0000000
--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-build:
- counter: 1023
- version: V8.13.008.2025.08.22
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
deleted file mode 100644
index b192b23..0000000
--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-build:
- counter: 1023
- version: V8.13.008.2025.08.22
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml b/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
deleted file mode 100644
index d03fcaa..0000000
--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
+++ /dev/null
@@ -1,485 +0,0 @@
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-### Version Master V8.13.008.2025.08.22
-
-name: 🔐 Generating a Private Live ISO FLV 0.
-
-permissions:
- contents: write
-
-on:
- push:
- branches:
- - master
- paths:
- - '.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml'
-
-jobs:
- generate-private-ciss-debian-live-iso:
- name: 🔐 Generating a Private Live ISO FLV 0.
- runs-on: ciss.debian.live.builder.iso.generator
-
- ### Run all steps inside Debian Bookworm
- container:
- image: debian:bookworm
-
- steps:
- - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
- run: |
- apt-get update -y
- apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
- echo 'deb https://deb.debian.org/debian bookworm-backports main' \
- >| /etc/apt/sources.list.d/bookworm-backports.list
- apt-get update -y
- apt-get upgrade -y
-
- - name: 🛠️ Installing Build Tools.
- shell: bash
- run: |
- apt-get update -y
- apt-get install -y \
- autoconf \
- automake \
- build-essential \
- cryptsetup \
- curl \
- debootstrap \
- dosfstools \
- efibootmgr \
- gettext \
- git \
- gnupg \
- haveged \
- libbz2-dev \
- zlib1g-dev \
- liblzma-dev \
- libtool \
- live-build \
- parted \
- pkg-config \
- ssh \
- ssl-cert \
- sudo \
- texinfo \
- wget \
- whois \
-
- - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
- shell: bash
- run: |
- urls=(
- "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
- "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
- "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
- "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
- "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
- "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
- )
-
- wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
- gpg --batch --import signature_key.asc
-
- for url in "${urls[@]}"; do
- archive_name="${url##*/}"
- pkg_name="${archive_name%.tar.bz2}"
- echo "🔄 Processing ${pkg_name}"
- if [[ ! -f "${archive_name}" ]]; then
- echo "📥 Downloading: '${archive_name}'."
- if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
- echo "✅ Download successful: '${archive_name}'."
- else
- echo "❌ Download NOT successful: '${archive_name}'."
- exit 1
- fi
- else
- echo "💡 Skipping download, package already exists: '${archive_name}'."
- fi
-
- if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
-
- if [[ ! -d "${pkg_name}" ]]; then
- echo "📂 Extracting: '${archive_name}'."
- if tar -xjf "${archive_name}"; then
- echo "✅ Extraction successful: '${archive_name}'."
- else
- echo "❌ Extraction not successful: '${archive_name}'."
- exit 1
- fi
- else
- echo "💡 Skipping directory, already exists: '${pkg_name}'."
- fi
-
- echo "🏗️ Build and install the package: '${pkg_name}'."
- cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
- mkdir -p build
- cd build || { echo "❌ Could not change to '/build'."; exit 1; }
-
- sudo ../configure > /dev/null 2>&1 || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
- make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
- sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
-
- cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
-
- rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
- rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
- echo "✅ Successful build and installation of '${pkg_name}'."
- echo "-------------------------------------------------------------------------------------"
-
- done
-
- rm -f signature_key.asc
-
- echo "✅ All packages were built and installed successfully."
-
- mv_bin=(
- "/usr/bin/gpg"
- "/usr/bin/gpg-agent"
- "/usr/bin/gpgconf"
- "/usr/bin/gpg-connect-agent"
- "/usr/bin/gpg-wks-client"
- "/usr/bin/gpg-preset-passphrase"
- )
-
- for bin in "${mv_bin[@]}"; do
- name="${bin##*/}"
- if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
- if mv "${bin}" "${bin}.debian-backup"; then
- echo "✅ Moved successfully: '${bin}'."
- else
- echo "❌ Moved NOT successfully: '${bin}'."
- fi
- else
- echo "💡 Does not exist as build binary: '${bin}'."
- fi
- done
-
- for bin in "${mv_bin[@]}"; do
- name="${bin##*/}"
- if [[ -f "/usr/local/bin/${name}" ]]; then
- if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
- echo "✅ 'update-alternatives' successfully: '${bin}'."
- else
- echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
- fi
- else
- echo "💡 Does not exist: '/usr/local/bin/${name}'."
- fi
- done
-
- sudo ldconfig
-
- gpgconf --kill all
- /usr/local/bin/gpg-agent --daemon
-
- - name: ⚙️ Check GnuPG Version.
- shell: bash
- run: |
- gpg --version
-
- - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
- shell: bash
- run: |
- rm -rf ~/.ssh && mkdir -m700 ~/.ssh
-
- ### Private Key
- echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
- chmod 600 ~/.ssh/id_ed25519
-
- ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
- ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
- chmod 600 ~/.ssh/known_hosts
-
- ### Generate SSH Config for git.coresecret.dev Custom-Port
- cat <| ~/.ssh/config
- Host git.coresecret.dev
- HostName git.coresecret.dev
- Port 42842
- IdentityFile ~/.ssh/id_ed25519
- StrictHostKeyChecking yes
- UserKnownHostsFile ~/.ssh/known_hosts
- EOF
- chmod 600 ~/.ssh/config
-
- ### https://github.com/actions/checkout/issues/1843
- - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
- shell: bash
- env:
- ### GITHUB_REF_NAME contains the branch name from the push event.
- GITHUB_REF_NAME: ${{ github.ref_name }}
- run: |
- git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
- git fetch --unshallow || echo "Nothing to fetch - already full clone."
-
- - name: 🛠️ Cleaning the workspace.
- shell: bash
- run: |
- git reset --hard
- git clean -fd
-
- - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
- shell: bash
- run: |
- set -euo pipefail
- ### GPG-Home relative to the Runner Workspace to avoid changing global files.
- export GNUPGHOME="$(pwd)/.gnupg"
- mkdir -m 700 "${GNUPGHOME}"
- echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
- gpg --batch --import centurion-root.PUB.asc
- echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
- gpg --batch --import ci-bot.sec.asc
- ### Trust the key automatically
- KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
- echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
-
- - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
- shell: bash
- run: |
- set -euo pipefail
- export GNUPGHOME="$(pwd)/.gnupg"
- git config user.name "Marc S. Weidner BOT"
- git config user.email "msw+bot@coresecret.dev"
- git config commit.gpgsign true
- git config gpg.program gpg
- git config gpg.format openpgp
-
- - name: ⚙️ Preparing the build environment.
- shell: bash
- run: |
- set -euo pipefail
- mkdir -p /opt/config
- mkdir -p /opt/livebuild
- touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
- touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
- echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
- echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
-
- - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
- shell: bash
- run: |
- set -euo pipefail
- chmod 0755 ciss_live_builder.sh
- timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
- ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
- ./ciss_live_builder.sh \
- --autobuild=6.1.0-37-amd64 \
- --architecture amd64 \
- --build-directory /opt/livebuild \
- --control "${timestamp}" \
- --debug \
- --dhcp-centurion \
- --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
- --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
- --root-password-file /opt/config/password.txt \
- --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
- --ssh-pubkey /opt/config
-
- - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
- shell: bash
- env:
- NC_BASE: "https://cloud.e2ee.li"
- SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
- SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
- run: |
- set -euo pipefail
- SHARE_SUBDIR=""
-
- echo "📥 Get directory listing via PROPFIND ..."
- curl -s \
- --user "${SHARE_TOKEN}:${SHARE_PASS}" \
- -X PROPFIND \
- -H "Depth: 1" \
- "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
- -o propfind_public.xml
-
- echo "📥 Filter .iso files from the PROPFIND response ..."
- grep -oP '(?<=)[^<]+\.iso(?=)' propfind_public.xml >| public_iso_list.txt || true
-
- if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
- echo "💡 Old ISO files found and deleted :"
- while IFS= read -r href; do
- FILE_URL="${NC_BASE}${href}"
- echo " Delete: ${FILE_URL}"
- if curl -s \
- --user "${SHARE_TOKEN}:${SHARE_PASS}" \
- -X DELETE "${FILE_URL}"; then
- echo " ✅ Successfully deleted: $(basename "${href}")"
- else
- echo " ❌ Error: $(basename "${href}") could not be deleted"
- fi
- done < public_iso_list.txt
- else
- echo "💡 No old ISO files found to delete."
- fi
-
- - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
- shell: bash
- env:
- NC_BASE: "https://cloud.e2ee.li"
- SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
- SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
- run: |
- set -euo pipefail
- if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
- echo "❌ There must be exactly one .iso file in the directory!"
- exit 1
- else
- VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
- VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
- echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
- fi
-
- AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
- if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
- --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
- echo "✅ New ISO successfully uploaded."
- else
- echo "❌ Uploading the new ISO failed."
- exit 1
- fi
-
- - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
- shell: bash
- run: |
- if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
- echo "❌ There must be exactly one .iso file in the directory!"
- exit 1
- else
- VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
- VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
- echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
- fi
-
- VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
- touch "${VAR_ISO_FILE_SHA512}"
- sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
- SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
- touch "${SIGNATURE_FILE}"
- export GNUPGHOME="$(pwd)/.gnupg"
- gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
-
- timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
- PRIVATE_FILE="LIVE_ISO_FLV_0.private"
- touch "${PRIVATE_FILE}"
- cat << EOF >| "${PRIVATE_FILE}"
- # SPDX-Version: 3.0
- # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.;
- # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
- # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
- # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
- # SPDX-FileType: SOURCE
- # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
- # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
- # SPDX-PackageName: CISS.debian.live.builder
- # SPDX-Security-Contact: security@coresecret.eu
-
- This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
-
- CISS.debian.live.builder ISO :
- "${VAR_ISO_FILE_NAME}"
- CISS.debian.live.builder ISO sha512 :
- $(< "${VAR_ISO_FILE_SHA512}")
- CISS.debian.live.builder ISO sha512 sign :
- $(< "${SIGNATURE_FILE}")
-
- # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
- EOF
-
- - name: 🚧 Stash local changes (including untracked).
- shell: bash
- env:
- GIT_SSH_COMMAND: "ssh -p 42842"
- run: |
- set -euo pipefail
- ### Temporarily store any local modifications or untracked files.
- git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
-
- - name: 🔄 Sync with remote before commit using merge strategy.
- shell: bash
- env:
- GIT_SSH_COMMAND: "ssh -p 42842"
- run: |
- set -euo pipefail
- export GNUPGHOME="$(pwd)/.gnupg"
-
- echo "🔄 Fetching origin/master ..."
- git fetch origin master
-
- echo "🔁 Merging origin/master into current branch ..."
- git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
-
- echo "📋 Post-merge status :"
- git status
- git log --oneline -n 5
-
- - name: 🛠️ Restore stashed changes.
- shell: bash
- env:
- GIT_SSH_COMMAND: "ssh -p 42842"
- run: |
- set -euo pipefail
- ### Apply previously stashed changes.
- git stash pop || echo "✔️ Nothing to pop."
-
- - name: 📦 Stage generated files.
- shell: bash
- env:
- GIT_SSH_COMMAND: "ssh -p 42842"
- run: |
- set -euo pipefail
- PRIVATE_FILE="LIVE_ISO_FLV_0.private"
- git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
-
- - name: 🔑 Commit and sign changes with CI metadata.
- shell: bash
- env:
- GIT_SSH_COMMAND: "ssh -p 42842"
- run: |
- set -euo pipefail
- export GNUPGHOME="$(pwd)/.gnupg"
-
- if git diff --cached --quiet; then
- echo "✔️ No staged changes to commit."
- else
- echo "📝 Committing changes with GPG signature ..."
-
- ### CI Metadata
- TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
- HOSTNAME="$(hostname -f || hostname)"
- GIT_SHA="$(git rev-parse --short HEAD)"
- GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
- WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
- CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
-
- COMMIT_MSG="DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 0 [skip ci]
-
- ${CI_HEADER}
-
- Generated at : ${TIMESTAMP_UTC}
- Runner Host : ${HOSTNAME}
- Workflow ID : ${WORKFLOW_ID}
- Git Commit : ${GIT_SHA} HEAD -> ${GIT_REF}
- "
-
- echo "🔏 Commit message :"
- echo "${COMMIT_MSG}"
- git commit -S -m "${COMMIT_MSG}"
- fi
-
- - name: 🔁 Push back to repository.
- shell: bash
- env:
- GIT_SSH_COMMAND: "ssh -p 42842"
- run: |
- set -euo pipefail
- echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
- git push origin HEAD:${GITHUB_REF_NAME}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml b/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
deleted file mode 100644
index 2e88718..0000000
--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
+++ /dev/null
@@ -1,482 +0,0 @@
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-### Version Master V8.13.008.2025.08.22
-
-name: 🔐 Generating a Private Live ISO FLV 1.
-
-permissions:
- contents: write
-
-on:
- push:
- branches:
- - master
- paths:
- - '.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml'
-
-jobs:
- generate-private-ciss-debian-live-iso:
- name: 🔐 Generating a Private Live ISO FLV 1.
- runs-on: ciss.debian.live.builder.iso.generator
-
- ### Run all steps inside Debian Bookworm
- container:
- image: debian:bookworm
-
- steps:
- - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
- run: |
- apt-get update -y
- apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
- echo 'deb https://deb.debian.org/debian bookworm-backports main' \
- >| /etc/apt/sources.list.d/bookworm-backports.list
- apt-get update -y
- apt-get upgrade -y
-
- - name: 🛠️ Installing Build Tools.
- shell: bash
- run: |
- apt-get update -y
- apt-get install -y \
- autoconf \
- automake \
- build-essential \
- cryptsetup \
- curl \
- debootstrap \
- dosfstools \
- efibootmgr \
- gettext \
- git \
- gnupg \
- haveged \
- libbz2-dev \
- zlib1g-dev \
- liblzma-dev \
- libtool \
- live-build \
- parted \
- pkg-config \
- ssh \
- ssl-cert \
- sudo \
- texinfo \
- wget \
- whois \
-
- - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
- shell: bash
- run: |
- urls=(
- "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
- "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
- "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
- "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
- "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
- "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
- )
-
- wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
- gpg --batch --import signature_key.asc
-
- for url in "${urls[@]}"; do
- archive_name="${url##*/}"
- pkg_name="${archive_name%.tar.bz2}"
- echo "🔄 Processing ${pkg_name}"
- if [[ ! -f "${archive_name}" ]]; then
- echo "📥 Downloading: '${archive_name}'."
- if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
- echo "✅ Download successful: '${archive_name}'."
- else
- echo "❌ Download NOT successful: '${archive_name}'."
- exit 1
- fi
- else
- echo "💡 Skipping download, package already exists: '${archive_name}'."
- fi
-
- if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
-
- if [[ ! -d "${pkg_name}" ]]; then
- echo "📂 Extracting: '${archive_name}'."
- if tar -xjf "${archive_name}"; then
- echo "✅ Extraction successful: '${archive_name}'."
- else
- echo "❌ Extraction not successful: '${archive_name}'."
- exit 1
- fi
- else
- echo "💡 Skipping directory, already exists: '${pkg_name}'."
- fi
-
- echo "🏗️ Build and install the package: '${pkg_name}'."
- cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
- mkdir -p build
- cd build || { echo "❌ Could not change to '/build'."; exit 1; }
-
- sudo ../configure > /dev/null 2>&1 || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
- make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
- sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
-
- cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
-
- rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
- rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
- echo "✅ Successful build and installation of '${pkg_name}'."
- echo "-------------------------------------------------------------------------------------"
-
- done
-
- rm -f signature_key.asc
-
- echo "✅ All packages were built and installed successfully."
-
- mv_bin=(
- "/usr/bin/gpg"
- "/usr/bin/gpg-agent"
- "/usr/bin/gpgconf"
- "/usr/bin/gpg-connect-agent"
- "/usr/bin/gpg-wks-client"
- "/usr/bin/gpg-preset-passphrase"
- )
-
- for bin in "${mv_bin[@]}"; do
- name="${bin##*/}"
- if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
- if mv "${bin}" "${bin}.debian-backup"; then
- echo "✅ Moved successfully: '${bin}'."
- else
- echo "❌ Moved NOT successfully: '${bin}'."
- fi
- else
- echo "💡 Does not exist as build binary: '${bin}'."
- fi
- done
-
- for bin in "${mv_bin[@]}"; do
- name="${bin##*/}"
- if [[ -f "/usr/local/bin/${name}" ]]; then
- if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
- echo "✅ 'update-alternatives' successfully: '${bin}'."
- else
- echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
- fi
- else
- echo "💡 Does not exist: '/usr/local/bin/${name}'."
- fi
- done
-
- sudo ldconfig
-
- gpgconf --kill all
- /usr/local/bin/gpg-agent --daemon
-
- - name: ⚙️ Check GnuPG Version.
- shell: bash
- run: |
- gpg --version
-
- - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
- shell: bash
- run: |
- rm -rf ~/.ssh && mkdir -m700 ~/.ssh
-
- ### Private Key
- echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
- chmod 600 ~/.ssh/id_ed25519
-
- ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
- ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
- chmod 600 ~/.ssh/known_hosts
-
- ### Generate SSH Config for git.coresecret.dev Custom-Port
- cat <| ~/.ssh/config
- Host git.coresecret.dev
- HostName git.coresecret.dev
- Port 42842
- IdentityFile ~/.ssh/id_ed25519
- StrictHostKeyChecking yes
- UserKnownHostsFile ~/.ssh/known_hosts
- EOF
- chmod 600 ~/.ssh/config
-
- ### https://github.com/actions/checkout/issues/1843
- - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
- shell: bash
- env:
- ### GITHUB_REF_NAME contains the branch name from the push event.
- GITHUB_REF_NAME: ${{ github.ref_name }}
- run: |
- git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
- git fetch --unshallow || echo "Nothing to fetch - already full clone."
-
- - name: 🛠️ Cleaning the workspace.
- shell: bash
- run: |
- git reset --hard
- git clean -fd
-
- - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
- shell: bash
- run: |
- set -euo pipefail
- ### GPG-Home relative to the Runner Workspace to avoid changing global files.
- export GNUPGHOME="$(pwd)/.gnupg"
- mkdir -m 700 "${GNUPGHOME}"
- echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
- gpg --batch --import centurion-root.PUB.asc
- echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
- gpg --batch --import ci-bot.sec.asc
- ### Trust the key automatically
- KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
- echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
-
- - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
- shell: bash
- run: |
- set -euo pipefail
- export GNUPGHOME="$(pwd)/.gnupg"
- git config user.name "Marc S. Weidner BOT"
- git config user.email "msw+bot@coresecret.dev"
- git config commit.gpgsign true
- git config gpg.program gpg
- git config gpg.format openpgp
-
- - name: ⚙️ Preparing the build environment.
- shell: bash
- run: |
- set -euo pipefail
- mkdir -p /opt/config
- mkdir -p /opt/livebuild
- touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
- touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
- echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt
- echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys
-
- - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
- shell: bash
- run: |
- set -euo pipefail
- chmod 0755 ciss_live_builder.sh
- timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
- ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
- ./ciss_live_builder.sh \
- --autobuild=6.1.0-37-amd64 \
- --architecture amd64 \
- --build-directory /opt/livebuild \
- --control "${timestamp}" \
- --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
- --root-password-file /opt/config/password.txt \
- --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
- --ssh-pubkey /opt/config
-
- - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
- shell: bash
- env:
- NC_BASE: "https://cloud.e2ee.li"
- SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
- SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
- run: |
- set -euo pipefail
- SHARE_SUBDIR=""
-
- echo "📥 Get directory listing via PROPFIND ..."
- curl -s \
- --user "${SHARE_TOKEN}:${SHARE_PASS}" \
- -X PROPFIND \
- -H "Depth: 1" \
- "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
- -o propfind_public.xml
-
- echo "📥 Filter .iso files from the PROPFIND response ..."
- grep -oP '(?<=)[^<]+\.iso(?=)' propfind_public.xml >| public_iso_list.txt || true
-
- if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
- echo "💡 Old ISO files found and deleted :"
- while IFS= read -r href; do
- FILE_URL="${NC_BASE}${href}"
- echo " Delete: ${FILE_URL}"
- if curl -s \
- --user "${SHARE_TOKEN}:${SHARE_PASS}" \
- -X DELETE "${FILE_URL}"; then
- echo " ✅ Successfully deleted: $(basename "${href}")"
- else
- echo " ❌ Error: $(basename "${href}") could not be deleted"
- fi
- done < public_iso_list.txt
- else
- echo "💡 No old ISO files found to delete."
- fi
-
- - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
- shell: bash
- env:
- NC_BASE: "https://cloud.e2ee.li"
- SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
- SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
- run: |
- set -euo pipefail
- if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
- echo "❌ There must be exactly one .iso file in the directory!"
- exit 1
- else
- VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
- VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
- echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
- fi
-
- AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
- if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
- --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
- echo "✅ New ISO successfully uploaded."
- else
- echo "❌ Uploading the new ISO failed."
- exit 1
- fi
-
- - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
- shell: bash
- run: |
- if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
- echo "❌ There must be exactly one .iso file in the directory!"
- exit 1
- else
- VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
- VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
- echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
- fi
-
- VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
- touch "${VAR_ISO_FILE_SHA512}"
- sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
- SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
- touch "${SIGNATURE_FILE}"
- export GNUPGHOME="$(pwd)/.gnupg"
- gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
-
- timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
- PRIVATE_FILE="LIVE_ISO_FLV_1.private"
- touch "${PRIVATE_FILE}"
- cat << EOF >| "${PRIVATE_FILE}"
- # SPDX-Version: 3.0
- # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.;
- # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
- # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
- # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
- # SPDX-FileType: SOURCE
- # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
- # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
- # SPDX-PackageName: CISS.debian.live.builder
- # SPDX-Security-Contact: security@coresecret.eu
-
- This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
-
- CISS.debian.live.builder ISO :
- "${VAR_ISO_FILE_NAME}"
- CISS.debian.live.builder ISO sha512 :
- $(< "${VAR_ISO_FILE_SHA512}")
- CISS.debian.live.builder ISO sha512 sign :
- $(< "${SIGNATURE_FILE}")
-
- # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
- EOF
-
- - name: 🚧 Stash local changes (including untracked).
- shell: bash
- env:
- GIT_SSH_COMMAND: "ssh -p 42842"
- run: |
- set -euo pipefail
- ### Temporarily store any local modifications or untracked files.
- git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
-
- - name: 🔄 Sync with remote before commit using merge strategy.
- shell: bash
- env:
- GIT_SSH_COMMAND: "ssh -p 42842"
- run: |
- set -euo pipefail
- export GNUPGHOME="$(pwd)/.gnupg"
-
- echo "🔄 Fetching origin/master ..."
- git fetch origin master
-
- echo "🔁 Merging origin/master into current branch ..."
- git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
-
- echo "📋 Post-merge status :"
- git status
- git log --oneline -n 5
-
- - name: 🛠️ Restore stashed changes.
- shell: bash
- env:
- GIT_SSH_COMMAND: "ssh -p 42842"
- run: |
- set -euo pipefail
- ### Apply previously stashed changes.
- git stash pop || echo "✔️ Nothing to pop."
-
- - name: 📦 Stage generated files.
- shell: bash
- env:
- GIT_SSH_COMMAND: "ssh -p 42842"
- run: |
- set -euo pipefail
- PRIVATE_FILE="LIVE_ISO_FLV_1.private"
- git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
-
- - name: 🔑 Commit and sign changes with CI metadata.
- shell: bash
- env:
- GIT_SSH_COMMAND: "ssh -p 42842"
- run: |
- set -euo pipefail
- export GNUPGHOME="$(pwd)/.gnupg"
-
- if git diff --cached --quiet; then
- echo "✔️ No staged changes to commit."
- else
- echo "📝 Committing changes with GPG signature ..."
-
- ### CI Metadata
- TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
- HOSTNAME="$(hostname -f || hostname)"
- GIT_SHA="$(git rev-parse --short HEAD)"
- GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
- WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
- CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
-
- COMMIT_MSG="DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 1 [skip ci]
-
- ${CI_HEADER}
-
- Generated at : ${TIMESTAMP_UTC}
- Runner Host : ${HOSTNAME}
- Workflow ID : ${WORKFLOW_ID}
- Git Commit : ${GIT_SHA} HEAD -> ${GIT_REF}
- "
-
- echo "🔏 Commit message :"
- echo "${COMMIT_MSG}"
- git commit -S -m "${COMMIT_MSG}"
- fi
-
- - name: 🔁 Push back to repository.
- shell: bash
- env:
- GIT_SSH_COMMAND: "ssh -p 42842"
- run: |
- set -euo pipefail
- echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
- git push origin HEAD:${GITHUB_REF_NAME}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/LIVE_ISO_FLV_0.private b/LIVE_ISO_FLV_0.private
deleted file mode 100644
index 8458ff8..0000000
--- a/LIVE_ISO_FLV_0.private
+++ /dev/null
@@ -1,27 +0,0 @@
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.;
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-This file was automatically generated by the DEPLOY BOT on: "2025-08-22T15:41:07Z"
-
-CISS.debian.live.builder ISO :
- "ciss-debian-live-2025_08_22T14_52_42Z-amd64.hybrid.iso"
-CISS.debian.live.builder ISO sha512 :
- cfc40206478bdd95fce37b864c4e73ecb91b598edd859447ead66878ae5c1c4da6c44145a8c8bb18879ba8b0b54a3663ec3cfc9b8be7661a3132a6c2cd42c0e5
-CISS.debian.live.builder ISO sha512 sign :
- -----BEGIN PGP SIGNATURE-----
-
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaKiPkwAKCRA85KY4hzOw
-IZOlAP9MwC5NLBoHiyCBo2BxxAVDbpyixv9KMh/PCedExdNQ9AD+KWXXTckz8295
-so9rKEaE4GcQLAY1q6o0t3ylJoIYbQg=
-=lBu8
------END PGP SIGNATURE-----
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
diff --git a/LIVE_ISO_FLV_1.private b/LIVE_ISO_FLV_1.private
deleted file mode 100644
index 0c4c589..0000000
--- a/LIVE_ISO_FLV_1.private
+++ /dev/null
@@ -1,27 +0,0 @@
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.;
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-This file was automatically generated by the DEPLOY BOT on: "2025-08-11T21:40:41Z".
-
-CISS.debian.live.builder ISO :
- "ciss-debian-live-2025_08_11T20_53_16Z-amd64.hybrid.iso"
-CISS.debian.live.builder ISO sha512 :
- b8bcba496881e7f4e881b6816975410f6f07bd70f069f73db4ce84d61bb9758a37087753d28b212ed26b163d84176d5df97fdb1d3356a0667e15cf81d388feb6
-CISS.debian.live.builder ISO sha512 sign :
- -----BEGIN PGP SIGNATURE-----
-
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaJpjWQAKCRA85KY4hzOw
-IVM1AQD2lkvQOmkcR4LlCk0f6FUcqIMRRlBIwjhDiaWTKjZgeAD/cc4skxFCGmLU
-EhHNg/3ZoE6PGxe4Y5UFuQnJhDZe/w8=
-=rwBS
------END PGP SIGNATURE-----
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
diff --git a/README.md b/README.md
index b94fc90..ccdce7a 100644
--- a/README.md
+++ b/README.md
@@ -503,12 +503,13 @@ preview it or run it.
 # Optional
 PROVIDER_NETCUP_IPV6=2001:cdb::1
- JUMP_HOSTS=[2001:db8::1],[2001:db8::2] # comma-separated; IPv6 in [] is fine
+ # comma-separated; IPv6 in [] is fine
+ JUMP_HOSTS=[2001:db8::1],[2001:db8::2]
 ````
-3. Dry-run first (prints the exact command): ````bash make dry-run````
+3. Dry-run first (prints the exact command): ````make dry-run````
-4. Execute the build: ````bash make live````
+4. Execute the build: ````make live````
 ## 5.3. CI/CD Gitea Runner Workflow Example
