diff --git a/.archive/generate_PRIVATE_trixie_1.yaml b/.archive/generate_PRIVATE_trixie_1.yaml
new file mode 100644
index 0000000..93a2916
--- /dev/null
+++ b/.archive/generate_PRIVATE_trixie_1.yaml
@@ -0,0 +1,455 @@ +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +# Version Master V8.13.288.2025.10.24 + +name: 🔐 Generating a Private Live ISO TRIXIE. + +defaults: + run: + shell: bash + +permissions: + contents: write + +on: + push: + branches: + - master + paths: + - '.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml' + +jobs: + generate-private-cdlb-trixie: + name: 🔐 Generating a Private Live ISO TRIXIE. + runs-on: cdlb.trixie + + container: + image: debian:trixie + + steps: + - name: 🛠️ Basic Image Setup. + shell: bash + run: | + export DEBIAN_FRONTEND=noninteractive + apt-get update -qq + apt-get upgrade -y + apt-get install -y --no-install-recommends \ + apt-utils \ + bash \ + ca-certificates \ + curl \ + git \ + gnupg \ + openssh-client \ + openssl \ + perl \ + sudo \ + util-linux + + - name: ⚙️ Check GnuPG Version. + shell: bash + run: | + gpg --version + + - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. 
+ shell: bash + run: | + set -euo pipefail + var_wait=$(( RANDOM % 33 )) + printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}" + sleep "${var_wait}" + + rm -rf ~/.ssh && mkdir -m700 ~/.ssh + + ### Private Key + echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519 + chmod 600 ~/.ssh/id_ed25519 + + ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts + ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts + chmod 600 ~/.ssh/known_hosts + + ### Generate SSH Config for git.coresecret.dev Custom-Port + cat <| ~/.ssh/config + Host git.coresecret.dev + HostName git.coresecret.dev + Port 42842 + IdentityFile ~/.ssh/id_ed25519 + StrictHostKeyChecking yes + UserKnownHostsFile ~/.ssh/known_hosts + EOF + chmod 600 ~/.ssh/config + + ### https://github.com/actions/checkout/issues/1843 + - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues. + shell: bash + env: + ### GITHUB_REF_NAME contains the branch name from the push event. + GITHUB_REF_NAME: ${{ github.ref_name }} + run: | + git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git . + git fetch --unshallow || echo "Nothing to fetch - already full clone." + + - name: 🛠️ Cleaning the workspace. + shell: bash + run: | + git reset --hard + git clean -fd + + - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key. + shell: bash + run: | + set -euo pipefail + ### GPG-Home relative to the Runner Workspace to avoid changing global files. 
+ export GNUPGHOME="$(pwd)/.gnupg" + mkdir -m 700 "${GNUPGHOME}" + echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc + gpg --batch --import centurion-root.PUB.asc + echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc + gpg --batch --import ci-bot.sec.asc + ### Trust the key automatically + KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}') + echo "trust-model always" >| "${GNUPGHOME}/gpg.conf" + + - name: ⚙️ Configuring Git for signed CI/DEPLOY commits. + shell: bash + run: | + set -euo pipefail + export GNUPGHOME="$(pwd)/.gnupg" + git config user.name "Marc S. Weidner BOT" + git config user.email "msw+bot@coresecret.dev" + git config commit.gpgsign true + git config gpg.program gpg + git config gpg.format openpgp + + - name: ⚙️ Preparing the build environment. + shell: bash + run: | + set -euo pipefail + mkdir -p /opt/config + mkdir -p /opt/livebuild + touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt + touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys + echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt + echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys + + - name: 🔧 Render live hook with secrets. 
+ shell: bash + working-directory: ${{ github.workspace }} + env: + ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }} + ED25519_PUB: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }} + RSA_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }} + RSA_PUB: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }} + CISS_PRIMORDIAL: ${{ secrets.CISS_PRIMORDIAL_PRIVATE }} + CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }} + CISS_PHYS_AGE: ${{ secrets.CISS_PHYS_AGE }} + run: | + set -Ceuo pipefail + umask 077 + + REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)" + + TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl" + OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot" + ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial" + ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub" + SOPS="${REPO_ROOT}/config/hooks/live/0860_sops.chroot" + + if [[ ! -f "${TPL}" ]]; then + echo "Template not found: ${TPL}" + echo "::group::Tree of config/hooks/live" + ls -la "${REPO_ROOT}/config/hooks/live" || true + echo "::endgroup::" + exit 2 + fi + + export ED25519_PRIV="${ED25519_PRIV//$'\r'/}" + export ED25519_PUB="${ED25519_PUB//$'\r'/}" + export RSA_PRIV="${RSA_PRIV//$'\r'/}" + export RSA_PUB="${RSA_PUB//$'\r'/}" + export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}" + export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}" + export CISS_PHYS_AGE="${CISS_PHYS_AGE//$'\r'/}" + + ( + cat << EOF >| "${ID_OUT}" + ${CISS_PRIMORDIAL} + EOF + ) && chmod 0600 "${ID_OUT}" + if [[ -f "${ID_OUT}" ]]; then + echo "Written: ${ID_OUT}" + else + echo "Error: ${ID_OUT} not written." + fi + + ( + cat << EOF >| "${ID_OUT_PUB}" + ${CISS_PRIMORDIAL_PUB} + EOF + ) && chmod 0600 "${ID_OUT_PUB}" + if [[ -f "${ID_OUT_PUB}" ]]; then + echo "Written: ${ID_OUT_PUB}" + else + echo "Error: ${ID_OUT_PUB} not written." 
+ fi + + perl -0777 -pe ' + BEGIN{ + $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB}; + $rsa=$ENV{RSA_PRIV}; $rsapub=$ENV{RSA_PUB}; + } + s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g; + s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g; + s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g; + s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g; + ' "${TPL}" > "${OUT}" + + chmod 0755 "${OUT}" + + #perl -0777 -i -pe ' + # BEGIN { + # our $age = $ENV{CISS_PHYS_AGE} // q{}; + # } + # s/\{\{\s*secrets\.CISS_PHYS_AGE\s*\}\}/$age/g; + #' -- "${SOPS}" + #chmod 0755 "${SOPS}" + + echo "Hook rendered: ${OUT}" + + - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ... + shell: bash + working-directory: ${{ github.workspace }} + run: | + set -euo pipefail + chmod 0755 ciss_live_builder.sh + timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ") + ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'. + ./ciss_live_builder.sh \ + --autobuild=6.16.3+deb13-amd64 \ + --architecture amd64 \ + --build-directory /opt/livebuild \ + --cdi \ + --control "${timestamp}" \ + --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \ + --root-password-file /opt/config/password.txt \ + --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \ + --ssh-pubkey /opt/config \ + --trixie + + REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)" + OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot" + rm -f "$OUT" + echo "Hook removed: $OUT" + + - name: 📥 Checking Centurion Cloud for existing LIVE ISOs. + shell: bash + env: + NC_BASE: "https://cloud.e2ee.li" + SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}" + SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}" + run: | + set -euo pipefail + SHARE_SUBDIR="" + + echo "📥 Get directory listing via PROPFIND ..." 
+ curl -s \ + --user "${SHARE_TOKEN}:${SHARE_PASS}" \ + -X PROPFIND \ + -H "Depth: 1" \ + "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \ + -o propfind_public.xml + + echo "📥 Filter .iso files from the PROPFIND response ..." + grep -oP '(?<=)[^<]+\.iso(?=)' propfind_public.xml >| public_iso_list.txt || true + + if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then + echo "💡 Old ISO files found and deleted :" + while IFS= read -r href; do + FILE_URL="${NC_BASE}${href}" + echo " Delete: ${FILE_URL}" + if curl -s \ + --user "${SHARE_TOKEN}:${SHARE_PASS}" \ + -X DELETE "${FILE_URL}"; then + echo " ✅ Successfully deleted: $(basename "${href}")" + else + echo " ❌ Error: $(basename "${href}") could not be deleted" + fi + done < public_iso_list.txt + else + echo "💡 No old ISO files found to delete." + fi + + - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV. + shell: bash + env: + NC_BASE: "https://cloud.e2ee.li" + SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}" + SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}" + run: | + set -euo pipefail + if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then + echo "❌ There must be exactly one .iso file in the directory!" + exit 1 + else + VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso) + VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}") + echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}" + fi + + AUTH="${SHARE_TOKEN}:${SHARE_PASS}" + if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \ + --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then + echo "✅ New ISO successfully uploaded." + else + echo "❌ Uploading the new ISO failed." + exit 1 + fi + + - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file. + shell: bash + run: | + if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then + echo "❌ There must be exactly one .iso file in the directory!" 
+ exit 1 + else + VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso) + VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}") + echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}" + fi + + VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512" + touch "${VAR_ISO_FILE_SHA512}" + sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}" + SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign" + touch "${SIGNATURE_FILE}" + export GNUPGHOME="$(pwd)/.gnupg" + gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}" + + timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ") + VAR_DATE="$(date +%F)" + PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private" + touch "${PRIVATE_FILE}" + cat << EOF >| "${PRIVATE_FILE}" + # SPDX-Version: 3.0 + # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; + # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git + # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency + # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; + # SPDX-FileType: SOURCE + # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 + # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. + # SPDX-PackageName: CISS.debian.live.builder + # SPDX-Security-Contact: security@coresecret.eu + + This file was automatically generated by the DEPLOY BOT on: "${timestamp}" + + CISS.debian.live.builder ISO : + "${VAR_ISO_FILE_NAME}" + CISS.debian.live.builder ISO sha512 : + $(< "${VAR_ISO_FILE_SHA512}") + CISS.debian.live.builder ISO sha512 sign : + $(< "${SIGNATURE_FILE}") + + # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text + EOF + + - name: 🚧 Stash local changes (including untracked). + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + ### Temporarily store any local modifications or untracked files. + git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash." + + - name: 🔄 Sync with remote before commit using merge strategy. 
+ shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + export GNUPGHOME="$(pwd)/.gnupg" + + echo "🔄 Fetching origin/master ..." + git fetch origin master + + echo "🔁 Merging origin/master into current branch ..." + git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward." + + echo "📋 Post-merge status :" + git status + git log --oneline -n 5 + + - name: 🛠️ Restore stashed changes. + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + ### Apply previously stashed changes. + git stash pop || echo "✔️ Nothing to pop." + + - name: 📦 Stage generated files. + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private" + git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add." + + - name: 🔑 Commit and sign changes with CI metadata. + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + export GNUPGHOME="$(pwd)/.gnupg" + + if git diff --cached --quiet; then + echo "✔️ No staged changes to commit." + else + echo "📝 Committing changes with GPG signature ..." + + ### CI Metadata + TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')" + HOSTNAME="$(hostname -f || hostname)" + GIT_SHA="$(git rev-parse --short HEAD)" + GIT_REF="$(git symbolic-ref --short HEAD || echo detached)" + WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}" + CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}" + + COMMIT_MSG="DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci] + + ${CI_HEADER} + + Generated at : ${TIMESTAMP_UTC} + Runner Host : ${HOSTNAME} + Workflow ID : ${WORKFLOW_ID} + Git Commit : ${GIT_SHA} HEAD -> ${GIT_REF} + " + + echo "🔏 Commit message :" + echo "${COMMIT_MSG}" + git commit -S -m "${COMMIT_MSG}" + fi + + - name: 🔁 Push back to repository. 
+ shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..." + git push origin HEAD:${GITHUB_REF_NAME} +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml index eacc55c..00bece4 100644 --- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml +++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml @@ -10,6 +10,6 @@ # SPDX-Security-Contact: security@coresecret.eu build: - counter: 1024 + counter: 1023 version: V8.13.288.2025.10.24 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml index 685d558..179fb3e 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml 
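Review bot: In the "Preparing SSH Setup" step, `ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts` fetches the host key from the network moments before `StrictHostKeyChecking yes` is configured, so the strict check only ever compares against whatever host answered the scan and gives no protection against a spoofed git.coresecret.dev at clone or push time. Pin the expected key instead, e.g. store the `ssh-keyscan` output once as a repository variable or secret and write it with `printf '%s\n' "${GIT_HOST_KEYS}" >| ~/.ssh/known_hosts`, or at minimum compare the scan result against a committed fingerprint before trusting it. Relatedly, most steps splice secrets straight into the shell text via `echo "${{ secrets.… }}" >| …` and the unquoted `--jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }}` / `--ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }}` arguments, while the "Render live hook" step already does it the safer way through `env:`; a secret value containing `"`, `$` or whitespace would break or rewrite those scripts, so route all of them through `env:` for consistency. The `echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"` in the key-import step is not required for `--detach-sign` with the bot's own secret key and makes every imported key count as fully valid for any later `gpg --verify` in that GNUPGHOME, so it could likely be dropped together with the unused `KEY_ID`.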
@@ -142,90 +142,6 @@ jobs: echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys - - name: 🔧 Render live hook with secrets. - shell: bash - working-directory: ${{ github.workspace }} - env: - ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }} - ED25519_PUB: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }} - RSA_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }} - RSA_PUB: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }} - CISS_PRIMORDIAL: ${{ secrets.CISS_PRIMORDIAL_PRIVATE }} - CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }} - CISS_PHYS_AGE: ${{ secrets.CISS_PHYS_AGE }} - run: | - set -Ceuo pipefail - umask 077 - - REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)" - - TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl" - OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot" - ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial" - ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub" - SOPS="${REPO_ROOT}/config/hooks/live/0860_sops.chroot" - - if [[ ! -f "${TPL}" ]]; then - echo "Template not found: ${TPL}" - echo "::group::Tree of config/hooks/live" - ls -la "${REPO_ROOT}/config/hooks/live" || true - echo "::endgroup::" - exit 2 - fi - - export ED25519_PRIV="${ED25519_PRIV//$'\r'/}" - export ED25519_PUB="${ED25519_PUB//$'\r'/}" - export RSA_PRIV="${RSA_PRIV//$'\r'/}" - export RSA_PUB="${RSA_PUB//$'\r'/}" - export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}" - export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}" - export CISS_PHYS_AGE="${CISS_PHYS_AGE//$'\r'/}" - - ( - cat << EOF >| "${ID_OUT}" - ${CISS_PRIMORDIAL} - EOF - ) && chmod 0600 "${ID_OUT}" - if [[ -f "${ID_OUT}" ]]; then - echo "Written: ${ID_OUT}" - else - echo "Error: ${ID_OUT} not written." 
- fi - - ( - cat << EOF >| "${ID_OUT_PUB}" - ${CISS_PRIMORDIAL_PUB} - EOF - ) && chmod 0600 "${ID_OUT_PUB}" - if [[ -f "${ID_OUT_PUB}" ]]; then - echo "Written: ${ID_OUT_PUB}" - else - echo "Error: ${ID_OUT_PUB} not written." - fi - - perl -0777 -pe ' - BEGIN{ - $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB}; - $rsa=$ENV{RSA_PRIV}; $rsapub=$ENV{RSA_PUB}; - } - s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g; - s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g; - s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g; - s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g; - ' "${TPL}" > "${OUT}" - - chmod 0755 "${OUT}" - - #perl -0777 -i -pe ' - # BEGIN { - # our $age = $ENV{CISS_PHYS_AGE} // q{}; - # } - # s/\{\{\s*secrets\.CISS_PHYS_AGE\s*\}\}/$age/g; - #' -- "${SOPS}" - #chmod 0755 "${SOPS}" - - echo "Hook rendered: ${OUT}" - - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ... shell: bash working-directory: ${{ github.workspace }} @@ -244,7 +160,6 @@ jobs: --root-password-file /opt/config/password.txt \ --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \ --ssh-pubkey /opt/config \ - --sshfp \ --trixie REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"