From 60e0bad88a6959f075328e9c35c057102a6a2a3978c9fd849276b1177550c03a Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Sun, 1 Jun 2025 00:20:19 +0200
Subject: [PATCH] V8.02.644.2025.05.31
Signed-off-by: Marc S. Weidner
---
.gitea/TODO/generate-iso.yaml | 169 ---------------------
.gitea/workflows/generate-iso.yaml | 234 +++++++++++++++++++++++++++++
2 files changed, 234 insertions(+), 169 deletions(-)
delete mode 100644 .gitea/TODO/generate-iso.yaml
create mode 100644 .gitea/workflows/generate-iso.yaml
diff --git a/.gitea/TODO/generate-iso.yaml b/.gitea/TODO/generate-iso.yaml
deleted file mode 100644
index 091704a..0000000
--- a/.gitea/TODO/generate-iso.yaml
+++ /dev/null
@@ -1,169 +0,0 @@
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-name: Generating private Live ISO.
-
-permissions:
- contents: write
-
-on:
- push:
- branches:
- - master
- paths:
- - '.gitea/autobuild.yaml'
-
-jobs:
- generating-ciss-debian-live-iso:
- runs-on: ubuntu-latest
-
- ### Run all steps inside Debian Bookworm
- container:
- image: debian:bookworm
- options: --user root
-
- steps:
- - name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
- run: |
- rm -rf ~/.ssh && mkdir -m700 ~/.ssh
-
- ### Private Key
- echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
- chmod 600 ~/.ssh/id_ed25519
-
- ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
- ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
- chmod 600 ~/.ssh/known_hosts
-
- ### Generate SSH Config for git.coresecret.dev Custom-Port
- cat <| ~/.ssh/config
- Host git.coresecret.dev
- HostName git.coresecret.dev
- Port 42842
- IdentityFile ~/.ssh/id_ed25519
- StrictHostKeyChecking yes
- UserKnownHostsFile ~/.ssh/known_hosts
- EOF
- chmod 600 ~/.ssh/config
-
- ### https://github.com/actions/checkout/issues/1843
- - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
- run: |
- git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
- git fetch --unshallow || echo "Nothing to fetch - already full clone."
- env:
- ### GITHUB_REF_NAME contains the branch name from the push event.
- GITHUB_REF_NAME: ${{ github.ref_name }}
-
- - name: Cleaning workspace.
- run: |
- git reset --hard
- git clean -fd
-
- - name: Installing Debian Live-Build and Tools.
- run: |
- apt-get update
- apt-get install -y live-build gnupg curl whois
-
- - name: Importing "CI PGP DEPLOY ONLY" Key.
- run: |
- ### GPG-Home relative to the Runner Workspace to avoid changing global files.
- export GNUPGHOME="$(pwd)/.gnupg"
- mkdir -m700 "${GNUPGHOME}"
- echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
- gpg --batch --import ci-bot.sec.asc
- ### Trust the key automatically
- KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
- echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
-
- - name: Configuring Git for signed CI DEPLOY commits.
- run: |
- export GNUPGHOME="$(pwd)/.gnupg"
- git config user.name "Marc S. Weidner BOT"
- git config user.email "msw+bot@coresecret.dev"
- git config commit.gpgsign true
- git config gpg.program gpg
- git config gpg.format openpgp
-
- - name: Preparing Build Environment.
- run: |
- rm -rf /opt/{config,livebuild}
- mkdir -p /opt/{config,livebuild}
- echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
- echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
- chmod 0600 /opt/config/authorized_keys
-
- - name: Starting CISS.debian.live.builder.
- run: |
- timestamp=$(date -u +"%Y_%m_%d_%H_%M_Z")
- ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
- ./ciss_live_builder.sh \
- --autobuild=6.12.22+bpo-amd64 \
- --architecture amd64 \
- --build-directory /opt/livebuild \
- --control "${timestamp}" \
- --debug \
- --dhcp-centurion \
- --jump-host "${{ secrets.CISS_DLB_JUMP_HOSTS }}" \
- --provider-netcup-ipv6 "${{ secrets.CISS_DLB_NETCUP_IPV6 }}" \
- --renice-priority "-19" \
- --reionice-priority 1 2 \
- --root-password-file /opt/config/password.txt \
- --ssh-port 4242 \
- --ssh-pubkey /opt/config
-
- - name: Uploading ISO to CenturionCloud "cloud.e2ee.li" via WebDAV
- env:
- WEBDAV_URL: "https://cloud.e2ee.li/remote.php/dav/files/runner/PUBLIC/CISS-live/NAME.iso"
- WEBDAV_USER: ${{ secrets.NC_USER }}
- WEBDAV_PASS: ${{ secrets.NC_PASS }}
- run: |
- ### Remove old ISO if exists
- curl -u "${WEBDAV_USER}:${WEBDAV_PASS}" -X DELETE "${WEBDAV_URL}" || true
- ### Upload new ISO
- curl -u "${WEBDAV_USER}:${WEBDAV_PASS}" -T NAME.iso "${WEBDAV_URL}"
- ### Verify upload
- HTTP_CODE=$(curl -o /dev/null -s -w "%{http_code}" -u "${WEBDAV_USER}:${WEBDAV_PASS}" "${WEBDAV_URL}")
- if [ "$HTTP_CODE" -ne 200 ]; then
- echo "Upload failed with HTTP status ${HTTP_CODE}"
- exit 1
- fi
- echo "ISO successfully uploaded and verified."
-
- - name: Generating Hash and Signing with Private Key
- run: |
- :
- ### TODO: Implement this function
-
- - name: Generating Success Message to Push back into Repo
- run: |
- :
- ### TODO: Implement this function
-
- - name: Stage generated files.
- run: |
- git add !!!!!!!!!!!!!
- env:
- GIT_SSH_COMMAND: "ssh -p 42842"
-
- - name: Commit and Sign changes.
- run: |
- export GNUPGHOME="$(pwd)/.gnupg"
- git commit -S -m "DEPLOY BOT: Auto-Generate LIVE ISO [skip ci]" || echo "No Changes, nothing to Sign or to Commit."
- env:
- GIT_SSH_COMMAND: "ssh -p 42842"
-
- - name: Push back to Repository.
- run: |
- git push origin HEAD:${GITHUB_REF_NAME}
- env:
- GIT_SSH_COMMAND: "ssh -p 42842"
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/workflows/generate-iso.yaml b/.gitea/workflows/generate-iso.yaml
new file mode 100644
index 0000000..cfa5f6c
--- /dev/null
+++ b/.gitea/workflows/generate-iso.yaml
@@ -0,0 +1,234 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+name: Generating private Live ISO.
+
+permissions:
+ contents: write
+
+on:
+ push:
+ branches:
+ - master
+ paths:
+ - '.gitea/trigger/t_generate_iso.yaml'
+
+jobs:
+ generate-ciss-debian-live-iso:
+ name: Generating private Live ISO.
+ runs-on: ubuntu-latest
+
+ ### Run all steps inside Debian Bookworm
+ container:
+ image: debian:bookworm
+ options: --user root
+
+ steps:
+ - name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+ run: |
+ rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+ ### Private Key
+ echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+ chmod 600 ~/.ssh/id_ed25519
+
+ ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+ ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+ chmod 600 ~/.ssh/known_hosts
+
+ ### Generate SSH Config for git.coresecret.dev Custom-Port
+ cat <| ~/.ssh/config
+ Host git.coresecret.dev
+ HostName git.coresecret.dev
+ Port 42842
+ IdentityFile ~/.ssh/id_ed25519
+ StrictHostKeyChecking yes
+ UserKnownHostsFile ~/.ssh/known_hosts
+ EOF
+ chmod 600 ~/.ssh/config
+
+ ### https://github.com/actions/checkout/issues/1843
+ - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+ run: |
+ git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+ git fetch --unshallow || echo "Nothing to fetch - already full clone."
+ env:
+ ### GITHUB_REF_NAME contains the branch name from the push event.
+ GITHUB_REF_NAME: ${{ github.ref_name }}
+
+ - name: Cleaning the workspace.
+ run: |
+ git reset --hard
+ git clean -fd
+
+ - name: Installing Debian Live-Build and Tools.
+ run: |
+ apt-get update
+ apt-get install -y live-build gnupg curl whois
+
+ - name: Importing the 'CI PGP DEPLOY ONLY' key.
+ run: |
+ ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+ export GNUPGHOME="$(pwd)/.gnupg"
+ mkdir -m700 "${GNUPGHOME}"
+ echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+ gpg --batch --import ci-bot.sec.asc
+ ### Trust the key automatically
+ KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+ echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+ - name: Configuring Git for signed CI/DEPLOY commits.
+ run: |
+ export GNUPGHOME="$(pwd)/.gnupg"
+ git config user.name "Marc S. Weidner BOT"
+ git config user.email "msw+bot@coresecret.dev"
+ git config commit.gpgsign true
+ git config gpg.program gpg
+ git config gpg.format openpgp
+
+ - name: Preparing the build environment.
+ run: |
+ rm -rf opt/{config,livebuild}
+ mkdir -p opt/{config,livebuild}
+ echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| opt/config/password.txt
+ echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| opt/config/authorized_keys
+ chmod 0600 opt/config/authorized_keys
+
+ - name: Starting CISS.debian.live.builder. This may take a while ...
+ run: |
+ timestamp=$(date -u +"%Y_%m_%d_%H_%M_Z")
+ ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+ ./ciss_live_builder.sh \
+ --autobuild=6.12.22+bpo-amd64 \
+ --architecture amd64 \
+ --build-directory opt/livebuild \
+ --control "${timestamp}" \
+ --debug \
+ --dhcp-centurion \
+ --jump-host "${{ secrets.CISS_DLB_JUMP_HOSTS }}" \
+ --provider-netcup-ipv6 "${{ secrets.CISS_DLB_NETCUP_IPV6 }}" \
+ --renice-priority "-19" \
+ --reionice-priority 1 2 \
+ --root-password-file opt/config/password.txt \
+ --ssh-port 4242 \
+ --ssh-pubkey opt/config
+ if [[ $(ls opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+ echo "❌ There must be exactly one .iso file in the directory!"
+ exit 1
+ else
+ VAR_ISO_FILE_PATH=$(ls opt/livebuild/*.iso)
+ VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+ echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+ fi
+
+ - name: Preparing Centurion Cloud for LIVE ISO Upload.
+ run: |
+ NC_BASE="https://cloud.e2ee.li"
+ SHARE_TOKEN="${{ secrets.CENTURION_CLOUD_UL_USER }}"
+ SHARE_PASS="${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
+ SHARE_SUBDIR=""
+ echo "Get directory listing via PROPFIND ..."
+ curl -s \
+ --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+ -X PROPFIND \
+ -H "Depth: 1" \
+ "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+ -o propfind_public.xml
+ echo "Filter .iso files from the PROPFIND response ..."
+ grep -oP '(?<=)[^<]+\.iso(?=)' propfind_public.xml >| public_iso_list.txt
+ if [[ -s public_iso_list.txt ]]; then
+ echo "Old ISO files found and deleted :"
+ while IFS= read -r href; do
+ FILE_URL="${NC_BASE}${href}"
+ echo " Delete: ${FILE_URL}"
+ curl -s \
+ --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+ -X DELETE \
+ "${FILE_URL}"
+ if [[ $? -eq 0 ]]; then
+ echo " ✅ Successfully deleted: $(basename "${href}")"
+ else
+ echo " ❌ Error: $(basename "${href}") could not be deleted"
+ fi
+ done < public_iso_list.txt
+ else
+ echo "No old ISO files found to delete."
+ fi
+ rm -f propfind_public.xml public_iso_list.txt
+
+ - name: Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+ run: |
+ curl --progress-bar \
+ --retry 2 \
+ https://cloud.e2ee.li/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+ --upload-file "${VAR_ISO_FILE_PATH}" \
+ -u '${SHARE_TOKEN}:${SHARE_PASS}' | cat
+ if [[ $? -eq 0 ]]; then
+ echo "✅ New ISO successfully uploaded."
+ else
+ echo "❌ Uploading the new ISO failed."
+ exit 1
+ fi
+
+ - name: Generating a hash of ISO and signing with the 'CI PGP DEPLOY ONLY' key.
+ run: |
+ VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_PATH}.sha512"
+ sha512sum "${VAR_ISO_FILE}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+ VAR_ISO_FILE_SHA512=$(< "${VAR_ISO_FILE_SHA512}")
+ SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
+ gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+ rm -f "${VAR_ISO_FILE_PATH}"
+
+ - name: Generate a success message file to push back into the repository.
+ run: |
+ PRIVATE_FILE="LIVE_ISO.private"
+ touch "${PRIVATE_FILE}"
+ cat << EOF >| "${PRIVATE_FILE}"
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-31; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+
+CISS.debian.live.builder ISO :
+ "${VAR_ISO_FILE}"
+CISS.debian.live.builder ISO sha512 :
+ "${VAR_ISO_FILE_SHA512}"
+CISS.debian.live.builder ISO sha512 sign :
+ $(< "${SIGNATURE_FILE}")
+EOF
+
+ - name: Stage generated files.
+ run: |
+ git add "${PRIVATE_FILE}"
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+
+ - name: Commit and Sign changes.
+ run: |
+ export GNUPGHOME="$(pwd)/.gnupg"
+ git commit -S -m "DEPLOY BOT: Auto-Generate LIVE ISO [skip ci]" || echo "No Changes, nothing to Sign or to Commit."
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+
+ - name: Push back to Repository.
+ run: |
+ git push origin HEAD:${GITHUB_REF_NAME}
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
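Review bot: Values assigned in one `run:` step do not carry over to the next (each step is a fresh shell), so `VAR_ISO_FILE_PATH`/`VAR_ISO_FILE_NAME`, `SHARE_TOKEN`/`SHARE_PASS`, `timestamp` and `PRIVATE_FILE` are empty when the upload, hash/sign, success-file and `git add "${PRIVATE_FILE}"` steps read them; append them to `"${GITHUB_ENV}"` where they are set (act_runner honours it like GitHub does, as far as I know — the excerpt below does this for the builder and signing steps, `PRIVATE_FILE` needs the same one-liner, and the heredoc should read `${VAR_ISO_FILE_NAME}` rather than the never-defined `${VAR_ISO_FILE}`) and pass the WebDAV credentials through the upload step's `env:`. The upload step compounds this: `-u '${SHARE_TOKEN}:${SHARE_PASS}'` is single-quoted so curl sends the literal text, curl runs without `--fail` so an HTTP 401/507 still exits 0, and `| cat` makes `$?` the exit status of cat, so the ✅ branch runs regardless (the `$?`-after-`curl -s` check in the DELETE loop has the same blind spot). In the hash/sign step `VAR_ISO_FILE_SHA512` is used first as a path and then overwritten with the digest, so `SIGNATURE_FILE` and the `gpg --detach-sign` input are named by the hex digest rather than by a file that exists, and `GNUPGHOME` is not exported there, so gpg does not see the imported key. Security-wise, `ssh-keyscan` on every run records whatever key the network presents, so `StrictHostKeyChecking yes` pins nothing — keep the expected host-key line as a secret next to the deploy key and write that into `known_hosts` — and `ci-bot.sec.asc` (the private signing key) is left in the workspace after import; pipe the secret straight into `gpg --batch --import` or `rm -f` the file right after. Two more things to verify before merging: as far as the collapsed rendering shows, the heredoc body after `cat << EOF` starts at column 0, which terminates the `run: |` block scalar and leaves the file unparsable as YAML, and the first step runs `ssh-keyscan` and `git clone` inside a bare `debian:bookworm` container before the `apt-get install` step, although that image ships neither `openssh-client` nor `git` to my knowledge.

```yaml
      - name: Starting CISS.debian.live.builder. This may take a while ...
        run: |
          # … unchanged: timestamp, ./ciss_live_builder.sh invocation and the ISO-count check …
          else
            VAR_ISO_FILE_PATH=$(ls opt/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
            ### Each run: step is a fresh shell; hand the values on via GITHUB_ENV.
            {
              echo "VAR_ISO_FILE_PATH=${VAR_ISO_FILE_PATH}"
              echo "VAR_ISO_FILE_NAME=${VAR_ISO_FILE_NAME}"
              echo "timestamp=${timestamp}"
            } >> "${GITHUB_ENV}"
          fi

      # … unchanged: Preparing Centurion Cloud for LIVE ISO Upload …

      - name: Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
        env:
          SHARE_TOKEN: ${{ secrets.CENTURION_CLOUD_UL_USER }}
          SHARE_PASS: ${{ secrets.CENTURION_CLOUD_UL_PASSWD }}
        run: |
          ### --fail maps HTTP 4xx/5xx to a non-zero exit; no pipe, so the status tested is curl's.
          if curl --fail --silent --show-error --retry 2 \
               --user "${SHARE_TOKEN}:${SHARE_PASS}" \
               --upload-file "${VAR_ISO_FILE_PATH}" \
               "https://cloud.e2ee.li/public.php/webdav/${VAR_ISO_FILE_NAME}"; then
            echo "✅ New ISO successfully uploaded."
          else
            echo "❌ Uploading the new ISO failed."
            exit 1
          fi

      - name: Generating a hash of ISO and signing with the 'CI PGP DEPLOY ONLY' key.
        run: |
          export GNUPGHOME="$(pwd)/.gnupg"
          SHA512_FILE="${VAR_ISO_FILE_PATH}.sha512"
          SIGNATURE_FILE="${SHA512_FILE}.sign"
          ### Keep sha512sum's "<digest>  <name>" line so the signature binds digest and file name
          ### and the file stays usable with `sha512sum -c`.
          (cd "$(dirname "${VAR_ISO_FILE_PATH}")" && sha512sum "${VAR_ISO_FILE_NAME}") >| "${SHA512_FILE}"
          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${SHA512_FILE}"
          {
            echo "VAR_ISO_FILE_SHA512=$(awk '{print $1}' "${SHA512_FILE}")"
            echo "SIGNATURE_FILE=${SIGNATURE_FILE}"
          } >> "${GITHUB_ENV}"
          rm -f "${VAR_ISO_FILE_PATH}"
```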