msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.408.2025.11.13
All checks were successful
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m8s
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m31s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-11-13 06:26:44 +01:00
parent a362db3d78
commit 5f370c2cdb
83 changed files with 1422 additions and 877 deletions
Download Patch File Download Diff File Expand all files Collapse all files

142
.archive/.0000_lib_usage.sh
View File

@@ -1,142 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Usage Wrapper CISS.debian.live.builder
# Globals:
# none
# Arguments:
# $0: Script name
#######################################
usage() {
clear
cat << EOF
$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
$(echo -e "\e[92mMaster V8.13.404.2025.11.10\e[0m")
$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
"${0} <option>", where <option> is one or more of:
$(echo -e "\e[97m --help, -h\e[0m")
What you're looking at.
$(echo -e "\e[97m --autobuild=*, -a=*\e[0m")
Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
selector dialog. Change '*' to your desired Linux kernel and trim the
'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
$(echo -e "\e[97m --architecture <STRING> one of <amd64 | arm64>\e[0m")
A string reflecting the architecture of the Live System.
MUST be provided.
$(echo -e "\e[97m --build-directory </path/to/build_directory>\e[0m")
Where the Debian Live Build Image should be generated.
MUST be provided.
$(echo -e "\e[97m --change-splash <STRING> one of <club | hexagon>\e[0m")
A string reflecting the Grub Boot Screen Splash you want to use.
If omitted defaults to "./.archive/background/club.png".
$(echo -e "\e[97m --cdi (Experimental Feature)\e[0m")
This option generates a boot menu entry to start the forthcoming
'CISS.debian.installer', which will be executed after
the system has successfully booted up.
$(echo -e "\e[97m --contact, -c\e[0m")
Displays contact information of the author.
$(echo -e "\e[97m --control <INTEGER>\e[0m")
An integer that reflects the version of your Live ISO Image.
MUST be provided.
$(echo -e "\e[97m --debug\e[0m")
Enables debug logging for the main program routine. Detailed logging
information are written to "/tmp/ciss_live_builder_$$.log"
$(echo -e "\e[97m --dhcp-centurion\e[0m")
If a DHCP lease is provided, the provider's nameserver will be overridden,
and only the hardened, privacy-focused Centurion DNS servers will be used:
- https://dns01.eddns.eu/
- https://dns02.eddns.de/
- https://dns03.eddns.eu/
$(echo -e "\e[97m --jump-host <IP | IP | ... >\e[0m")
Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
If provided, than it MUST be a <SPACE> separated list.
IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
$(echo -e "\e[97m --log-statistics-only\e[0m")
Provides statistic only after successful building a
CISS.debian.live-ISO. While enabling "--log-statistics-only"
the argument "--build-directory" MUST be provided while
all further options MUST be omitted.
$(echo -e "\e[97m --provider-netcup-ipv6\e[0m")
Activates IPv6 support for Netcup Root Server. One unique
IPv6 address MUST be provided in this case and MUST be encapsulated
with [], e.g., [1234::abcd].
$(echo -e "\e[97m --renice-priority <PRIORITY>\e[0m")
Reset the nice priority value of the script and all its children
to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
Negative (higher) values MUST be enclosed in double quotes '"'.
$(echo -e "\e[97m --reionice-priority <CLASS> <PRIORITY>\e[0m")
Reset the ionice priority value of the script and all its children
to the desired <CLASS>. MUST be an integer:
1: realtime
2: best-effort
3: idle
Defaults to '2'.
Whereas <PRIORITY> MUST be an integer as well between:
0: highest priority and
7: lowest priority.
Defaults to '4'.
A real-time I/O process can significantly slow down other processes
or even cause them to starve if it continuously requests I/O.
$(echo -e "\e[97m --root-password-file </path/to/password.txt>\e[0m")
Password file for 'root', if given, MUST be a string of 20 to 64 characters,
and MUST NOT contain the special character '"'.
If the argument is omitted, no further login authentication is required for
the local console. The root password is hashed with an 16 Byte '/dev/random'
generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
after Hash generation all Variables containing plain password fragments are
deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
further prompt after password hash has been successfully generated via:
'shred -vfzu 5 -f'.
No tracing of any plain text password fragment in any debug log.
$(echo -e "\e[97m --ssh-port <INTEGER>\e[0m")
The desired Port SSH should listen to.
If not provided defaults to Port 22.
$(echo -e "\e[97m --ssh-pubkey </path/to/.ssh/>\e[0m")
Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
specified PATH into the Live ISO. MUST be provided.
$(echo -e "\e[97m --version, -v\e[0m")
Displays version of ${0}.
$(echo -e "\e[93m💡 Notes:\e[0m")
🔵 You MUST be 'root' to run this script.
$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/ \e[0m")
EOF
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

248
.archive/0002_verify_checksums.chroot
View File

@@ -1,248 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
target="/usr/lib/live/boot/0030-verify-checksums"
src="$(mktemp)"
if [[ ! -d /usr/lib/live/boot ]]; then
mkdir -p /usr/lib/live/boot
fi
cat << 'EOF' >| "${src}"
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: GPL-3.0-or-later
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Modified Version of the original file:
### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
#######################################
# Modified checksum-integrity and authenticity-verification-script for continuing the boot process.
# Globals:
# LIVE_BOOT_CMDLINE
# _TTY
# Arguments:
# 1: _MOUNTPOINT
# Returns:
# 0 : Successful verification
#######################################
Verify_checksums() {
_MOUNTPOINT="${1}"
_TTY="/dev/tty8"
LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"
for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
case "${_PARAMETER}" in
live-boot.verify-checksums=* | verify-checksums=*)
LIVE_VERIFY_CHECKSUMS="true"
LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
;;
live-boot.verify-checksums | verify-checksums)
LIVE_VERIFY_CHECKSUMS="true"
;;
live-boot.verify-checksums-signatures | verify-checksums-signatures)
LIVE_VERIFY_CHECKSUMS_SIGNATURES="true"
;;
esac
done
case "${LIVE_VERIFY_CHECKSUMS}" in
true)
:
;;
*)
return 0
;;
esac
# shellcheck disable=SC2164
cd "${_MOUNTPOINT}"
### CDLB verification of script integrity itself -----------------------------------------------------------------------------
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
log_begin_msg "Verifying integrity of '0030-verify-checksums' ..."
printf "\n"
CDLB_SCRIPT="$(basename "${0}")"
CDLB_SHA="sha512"
CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_ITEM="" CDLB_SIG_FILE=""
for CDLB_ITEM in ${CDLB_SHA}; do
CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_ITEM}"
CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
CDLB_CMD="${CDLB_ITEM}sum"
printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}"
if ! gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
printf "Signature verification failed for: [%s]\n" "${CDLB_HASHFILE}"
sleep 8
# TODO: Remove debug mode
# return 0
else
printf "Signature verification successful for: [%s]\n" "${CDLB_HASHFILE}"
fi
printf "Recomputing hash for: [%s]\n" "${CDLB_ITEM}"
CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first rest || exit 1; printf '%s\n' "${first}"; })
read -r CDLB_EXPECTED < "${CDLB_HASHFILE}"
if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
printf "Recomputed hash mismatch for: [%s]\n" "${CDLB_ITEM}"
sleep 8
# TODO: Remove debug mode
# return 0
fi
printf "Hash verification successful for: [%s]\n" "${CDLB_ITEM}"
done
printf "Verifying integrity of '0030-verify-checksums' successfully completed. Proceeding."
log_end_msg
printf "\n"
fi
### Checksum and checksum signature verification -----------------------------------------------------------------------------
log_begin_msg "Verifying checksums"
printf "\n"
# shellcheck disable=SC2001
for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
# shellcheck disable=SC2060
_CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
for _CHECKSUM in ${_CHECKSUMS}; do
if [ -e "${_CHECKSUM}" ]; then
printf "Found [%s] ...\n" "${_CHECKSUM}"
if [ -e "/bin/${_DIGEST}sum" ]; then
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}"
_CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
_RETURN_PGP="${?}"
else
_RETURN_PGP="na"
fi
printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}"
# shellcheck disable=SC2312
grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
_RETURN_SHA="${?}"
# Stop after the first verification.
break 2
else
printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum"
fi
fi
done
done
log_end_msg
case "${_RETURN_PGP},${_RETURN_SHA}" in
0,0)
log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds."
sleep 8
return 0
;;
na,0)
log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds."
sleep 8
return 0
;;
*,0)
panic "Verification of signature file failed while verification of checksum file successful."
;;
na,*)
panic "Verification of checksum file failed."
;;
esac
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
# Copy and make executable
install -m 0755 "${src}" "${target}"
rm -f "${src}"
unset target src
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

37
.archive/0003_install_backports.chroot
View File

@@ -1,37 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
DEBIAN_FRONTEND=noninteractive \
apt-get update && \
DEBIAN_FRONTEND=noninteractive \
apt-get install -y --no-install-recommends \
-o Dpkg::Options::="--force-confdef" \
-o Dpkg::Options::="--force-confold" \
-t bookworm-backports \
btrfs-progs \
curl \
debootstrap \
iproute2 \
ncat \
nmap \
ssh \
systemd \
systemd-sysv \
whois
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

72
.archive/0005_tmpfile_dublette.chroot
View File

@@ -1,72 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# Purpose: Copy vendor 'legacy.conf' to '/etc/tmpfiles.d' and drop duplicate '/run/lock' lines.
#######################################
# Simple error terminal logger.
# Arguments:
# None
#######################################
log() { printf '[tmpfiles-fix] %s\n' "$*" >&2; }
### Locate vendor 'legacy.conf' (The path can vary).
declare vendor=""
for p in /usr/lib/tmpfiles.d/legacy.conf /lib/tmpfiles.d/legacy.conf; do
if [[ -f "${p}" ]]; then vendor="${p}"; break; fi
done
if [[ -z "${vendor}" ]]; then
log "WARN: vendor legacy.conf not found; creating a minimal override"
install -D -m 0644 /dev/null /etc/tmpfiles.d/legacy.conf
else
install -D -m 0644 "${vendor}" /etc/tmpfiles.d/legacy.conf
fi
### Deduplicate: keep only the FIRST 'd /run/lock ' definition, drop subsequent ones.
# shellcheck disable=SC2155
declare tmpdir="$(mktemp -d)"
declare out="${tmpdir}/legacy.conf"
awk '
BEGIN{seen=0}
{
# Preserve everything by default
keep=1
# Match tmpfiles "d /run/lock ..." (allowing variable spacing and case of directive)
if ($1 ~ /^[dD]$/ && $2 == "/run/lock") {
if (seen==1) { keep=0 } else { seen=1 }
}
if (keep) print
}' /etc/tmpfiles.d/legacy.conf >| "${out}"
### Install the sanitized file atomically.
install -m 0644 -o root -g root "${out}" /etc/tmpfiles.d/legacy.conf
rm -rf -- "${tmpdir}"
log "Deduplicated /etc/tmpfiles.d/legacy.conf (kept only first /run/lock entry)."
command -v systemd-tmpfiles >/dev/null 2>&1 && systemd-tmpfiles --create --prefix /run/lock || true
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

60
.archive/9998_sources_list_bookworm.chroot
View File

@@ -1,60 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# shellcheck disable=SC2155
declare -r VAR_DATE="$(date +%F)"
cd /root
if [[ -f /etc/apt/sources.list ]]; then
mv /etc/apt/sources.list /root/.ciss/cdlb/backup/sources.list.bak
fi
cat << 'EOF' >| /etc/apt/sources.list
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#-----------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS
#-----------------------------------------------------------------------------------------#
### Debian Main Repos Bookworm
deb https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
deb-src https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
deb https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
deb-src https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
deb https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
deb-src https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
.archive/generate_PRIVATE_trixie_0.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.404.2025.11.10
# Version Master V8.13.408.2025.11.13
name: 🔐 Generating a Private Live ISO TRIXIE.

2
.archive/generate_PRIVATE_trixie_1.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.404.2025.11.10
# Version Master V8.13.408.2025.11.13
name: 🔐 Generating a Private Live ISO TRIXIE.

2
.archive/generate_PUBLIC_iso.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.404.2025.11.10
# Version Master V8.13.408.2025.11.13
name: 💙 Generating a PUBLIC Live ISO.

115
.archive/lib_lb_config_write.sh
View File

@@ -1,115 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing || return "${ERR_GUARD_SRCE}"
#######################################
# Wrapper to write a new 'lb config' environment.
# Globals:
# VAR_ARCHITECTURE
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_ISO_COUNTER
# VAR_KERNEL
# VAR_VERSION
# VAR_WORKDIR
# Arguments:
# None
#######################################
lb_config_write() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Writing new config ... \e[0m\n"
lb config \
--apt apt \
--apt-indices true \
--apt-recommends true \
--apt-secure true \
--apt-source-archives true \
--architecture "${VAR_ARCHITECTURE}" \
--archive-areas main contrib non-free non-free-firmware \
--backports true \
--binary-filesystem fat32 \
--binary-image iso-hybrid \
--bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
--bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 nocomponents=cdi-starter noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force,nosmt nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
--bootloaders grub-efi \
--cache true \
--checksums sha512 sha256 md5 \
--chroot-filesystem squashfs \
--chroot-squashfs-compression-level 22 \
--chroot-squashfs-compression-type zstd \
--color \
--compression bzip2 \
--debconf-frontend noninteractive \
--debconf-priority critical \
--debian-installer cdrom \
--debian-installer-distribution bookworm \
--debian-installer-gui true \
--debian-installer-preseedfile "preseed.cfg" \
--debug \
--distribution bookworm \
--distribution-binary bookworm \
--distribution-chroot bookworm \
--firmware-binary true \
--firmware-chroot true \
--hdd-label "CENTURIONLIVE" \
--image-name "ciss-debian-live-${VAR_HANDLER_ISO_COUNTER}" \
--initramfs "live-boot" \
--initramfs-compression gzip \
--initsystem systemd \
--iso-application "CISS.debian.live.builder: ${VAR_VERSION} - Debian-Live-Build: 20230502 - Debian-Installer: bookworm" \
--iso-preparer '(C) 2018-2025, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
--iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
--iso-volume 'CISS.debian.live' \
--linux-flavours "${VAR_KERNEL}" \
--linux-packages linux-image \
--loadlin true \
--memtest memtest86+ \
--mirror-binary 'https://deb/debian.org/debian/' \
--mirror-binary-security 'https://security.debian.org/' \
--mirror-bootstrap 'https://deb.debian.org/debian/' \
--mirror-chroot 'https://deb.debian.org/debian/' \
--mirror-chroot-security 'https://security.debian.org/' \
--mirror-debian-installer 'https://deb.debian.org/debian/' \
--mode debian \
--parent-archive-areas main contrib non-free non-free-firmware \
--parent-debian-installer-distribution bookworm \
--parent-distribution bookworm \
--parent-distribution-binary bookworm \
--parent-distribution-chroot bookworm \
--parent-mirror-binary 'https://deb.debian.org/debian/' \
--parent-mirror-binary-security 'https://security.debian.org/' \
--parent-mirror-bootstrap 'https://deb.debian.org/debian/' \
--parent-mirror-chroot 'https://deb.debian.org/debian/' \
--parent-mirror-chroot-security 'https://security.debian.org/' \
--parent-mirror-debian-installer 'https://deb.debian.org/debian/' \
--security true \
--system live \
--source false \
--source-images tar \
--uefi-secure-boot auto \
--updates true \
--utc-time true \
--verbose
sleep 1
sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary
sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/lib/live/boot
cp -a "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh