msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.02.768.2025.06.01

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-06-01 20:20:53 +02:00
parent d7bc22b7ff
commit 6e1cf484ee
3 changed files with 56 additions and 100 deletions
Download Patch File Download Diff File Expand all files Collapse all files

150
.gitea/workflows/generate-iso.yaml
View File

@@ -36,12 +36,13 @@ jobs:
- name: Basic Image Setup and enable Bookworm Backports.
run: |
apt-get update
apt-get install -y apt-transport-https apt-utils ca-certificates openssl sudo
apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
echo 'deb https://deb.debian.org/debian bookworm-backports main' \
>| /etc/apt/sources.list.d/bookworm-backports.list
apt-get update
- name: Installing Build Tools.
shell: bash
run: |
apt-get update
apt-get install -y \
@@ -63,9 +64,11 @@ jobs:
- name: Check GnuPG Version.
run: |
shell: bash
gpg --version
- name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
shell: bash
run: |
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
@@ -90,6 +93,7 @@ jobs:
### https://github.com/actions/checkout/issues/1843
- name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
shell: bash
run: |
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
@@ -98,11 +102,13 @@ jobs:
GITHUB_REF_NAME: ${{ github.ref_name }}
- name: Cleaning the workspace.
shell: bash
run: |
git reset --hard
git clean -fd
- name: Importing the 'CI PGP DEPLOY ONLY' key.
shell: bash
run: |
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
@@ -112,9 +118,9 @@ jobs:
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
shell: bash
- name: Configuring Git for signed CI/DEPLOY commits.
shell: bash
run: |
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
@@ -124,82 +130,55 @@ jobs:
git config gpg.format openpgp
- name: Preparing the build environment.
shell: bash
run: |
mkdir -p opt/config
mkdir -p opt/livebuild
touch opt/config/password.txt && chmod 0600 opt/config/password.txt
touch opt/config/authorized_keys && chmod 0600 opt/config/authorized_keys
echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| opt/config/password.txt
echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| opt/config/authorized_keys
#mkdir -p opt/livebuild/chroot/dev
#mknod opt/livebuild/chroot/dev/null c 1 3
#chmod 666 opt/livebuild/chroot/dev/null
- name: Preparing Centurion Cloud for LIVE ISO Upload.
shell: bash
run: |
set -euo pipefail
NC_BASE="https://cloud.e2ee.li"
SHARE_TOKEN="${{ secrets.CENTURION_CLOUD_UL_USER }}"
SHARE_PASS="${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
SHARE_SUBDIR=""
mkdir -p config/hooks/normal
touch config/hooks/normal/0000-fix-dev.chroot
chmod 0775 config/hooks/normal/0000-fix-dev.chroot
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ Creating 'config/hooks/normal/0000-fix-dev.chroot'. \e[0m\n"
cat << 'EOF' >| config/hooks/normal/0000-fix-dev.chroot
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
if [ ! -e /dev/null ]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ [0000-fix-dev.chroot] Creating /dev/null manually. \e[0m\n"
mknod -m 666 /dev/null c 1 3
echo "Get directory listing via PROPFIND ..."
curl -s \
--user "${SHARE_TOKEN}:${SHARE_PASS}" \
-X PROPFIND \
-H "Depth: 1" \
"${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
-o propfind_public.xml
echo "Filter .iso files from the PROPFIND response ..."
grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
echo "Old ISO files found and deleted :"
while IFS= read -r href; do
FILE_URL="${NC_BASE}${href}"
echo " Delete: ${FILE_URL}"
if curl -s \
--user "${SHARE_TOKEN}:${SHARE_PASS}" \
-X DELETE "${FILE_URL}"; then
echo " ✅ Successfully deleted: $(basename "${href}")"
else
echo " ❌ Error: $(basename "${href}") could not be deleted"
fi
done < public_iso_list.txt
else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ [0000-fix-dev.chroot] /dev/null inside chroot present. \e[0m\n"
echo "No old ISO files found to delete."
fi
chmod 666 /dev/null
EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ Creating 'config/hooks/normal/0000-fix-dev.chroot'. \e[0m\n"
ls -l config/hooks/normal/0000-fix-dev.chroot
###
mkdir -p config/hooks/early
touch config/hooks/early/0000-fix-dev
chmod 0775 config/hooks/early/0000-fix-dev
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 'Creating config/hooks/early/0000-fix-dev'. \e[0m\n"
cat << 'EOF' >| config/hooks/early/0000-fix-dev
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
CHROOT="${LB_CHROOT:-chroot}"
if [[ ! -e "${CHROOT}/dev/null" ]]; then
printf "\e[95m[0000-fix-dev] Creating /dev/null inside chroot manually.\e[0m\n"
mkdir -p "${CHROOT}/dev"
mknod -m 666 "${CHROOT}/dev/null" c 1 3
else
printf "\e[92m[0000-fix-dev] /dev/null inside chroot already exists.\e[0m\n"
fi
chmod 666 "${CHROOT}/dev/null"
EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ Creating 'config/hooks/early/0000-fix-dev'. \e[0m\n"
ls -l config/hooks/early/0000-fix-dev
###
rm -f propfind_public.xml public_iso_list.txt
- name: Starting CISS.debian.live.builder. This may take a while ...
shell: bash
run: |
chmod 0755 ciss_live_builder.sh
timestamp=$(date -u +"%Y_%m_%d_%H_%M_Z")
@@ -225,42 +204,8 @@ jobs:
echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
fi
- name: Preparing Centurion Cloud for LIVE ISO Upload.
run: |
NC_BASE="https://cloud.e2ee.li"
SHARE_TOKEN="${{ secrets.CENTURION_CLOUD_UL_USER }}"
SHARE_PASS="${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
SHARE_SUBDIR=""
echo "Get directory listing via PROPFIND ..."
curl -s \
--user "${SHARE_TOKEN}:${SHARE_PASS}" \
-X PROPFIND \
-H "Depth: 1" \
"${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
-o propfind_public.xml
echo "Filter .iso files from the PROPFIND response ..."
grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt
if [[ -s public_iso_list.txt ]]; then
echo "Old ISO files found and deleted :"
while IFS= read -r href; do
FILE_URL="${NC_BASE}${href}"
echo " Delete: ${FILE_URL}"
curl -s \
--user "${SHARE_TOKEN}:${SHARE_PASS}" \
-X DELETE \
"${FILE_URL}"
if [[ $? -eq 0 ]]; then
echo " ✅ Successfully deleted: $(basename "${href}")"
else
echo " ❌ Error: $(basename "${href}") could not be deleted"
fi
done < public_iso_list.txt
else
echo "No old ISO files found to delete."
fi
rm -f propfind_public.xml public_iso_list.txt
- name: Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
shell: bash
run: |
curl --progress-bar \
--retry 2 \
@@ -275,6 +220,7 @@ jobs:
fi
- name: Generating a hash of ISO and signing with the 'CI PGP DEPLOY ONLY' key.
shell: bash
run: |
VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_PATH}.sha512"
sha512sum "${VAR_ISO_FILE}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
@@ -284,6 +230,7 @@ jobs:
rm -f "${VAR_ISO_FILE_PATH}"
- name: Generate a success message file to push back into the repository.
shell: bash
run: |
PRIVATE_FILE="LIVE_ISO.private"
touch "${PRIVATE_FILE}"
@@ -310,12 +257,14 @@ jobs:
EOF
- name: Stage generated files.
shell: bash
run: |
git add "${PRIVATE_FILE}"
env:
GIT_SSH_COMMAND: "ssh -p 42842"
- name: Commit and Sign changes.
shell: bash
run: |
export GNUPGHOME="$(pwd)/.gnupg"
git commit -S -m "DEPLOY BOT: Auto-Generate LIVE ISO [skip ci]" || echo "No Changes, nothing to Sign or to Commit."
@@ -323,6 +272,7 @@ jobs:
GIT_SSH_COMMAND: "ssh -p 42842"
- name: Push back to Repository.
shell: bash
run: |
git push origin HEAD:${GITHUB_REF_NAME}
env:

5
lib/lib_arg_parser.sh
View File

@@ -144,6 +144,11 @@ arg_parser() {
--build-directory)
declare -gx VAR_HANDLER_BUILD_DIR="${2}"
if [[ ! "${VAR_HANDLER_BUILD_DIR}" =~ ^/ ]]; then
if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
printf "\e[91m❌ Error: --build-directory MUST be an absolute path. Got: '%s'\n" "${VAR_HANDLER_BUILD_DIR}" >&2
exit "${ERR_NOTABSPATH}"
fi
declare -gx VAR_BUILD_LOG="${VAR_HANDLER_BUILD_DIR}/${VAR_ISO8601}_build.log"
shift 2
;;

1
var/global.var.sh
View File

@@ -70,6 +70,7 @@ declare -gir ERR_PASS_LENGH=210 # --root-password-file password MUST be between
declare -gir ERR_PASS_PLICY=211 # --root-password-file password MUST NOT contain double quotes
declare -gir ERR__SSH__PORT=212 # --ssh-port MUST be an integer between '1' and '65535'
declare -gir ERR_ARG_MSMTCH=213 # Wrong Number of optional Arguments provided
declare -gir ERR_NOTABSPATH=252 # Not an absolute path
declare -gir ERR_INVLD_CHAR=253 # Invalid Character
declare -gir ERR_UNBOUNDVAR=254 # Unbound Variable
declare -gir ERR_UNSPPTBASH=255 # Unsupported Bash