V8.13.048.2025.10.06

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-07 00:08:40 +01:00
parent 1d711ea816
commit 7f678baa64
15 changed files with 249 additions and 55 deletions


@@ -10,6 +10,6 @@
# SPDX-Security-Contact: security@coresecret.eu
build:
counter: 1024
counter: 1023
version: V8.13.048.2025.10.06
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml


@@ -17,22 +17,6 @@ guard_sourcing
# Globals:
# ARY_HANDLER_JUMPHOST
# ARY_HANDLER_NETCUP_IPV6
# ERR_ARG_MSMTCH
# ERR_CONTROL_CT
# ERR_MISS_PWD_F
# ERR_MISS_PWD_P
# ERR_NOTABSPATH
# ERR_OWNS_PWD_F
# ERR_PASS_LENGH
# ERR_PASS_PLICY
# ERR_REIONICE_P
# ERR_REIO_C_VAL
# ERR_REIO_P_VAL
# ERR_RENICE_PRI
# ERR_RGHT_PWD_F
# ERR_SPLASH_PNG
# ERR_UNCRITICAL
# ERR__SSH__PORT
# VAR_ARCHITECTURE
# VAR_BUILD_LOG
# VAR_EARLY_DEBUG
@@ -49,14 +33,35 @@ guard_sourcing
# VAR_ISO8601
# VAR_REIONICE_CLASS
# VAR_REIONICE_PRIORITY
# VAR_SSHFP
# VAR_SSHPORT
# VAR_SSHPUBKEY
# VAR_SUITE
# Arguments:
# None
# Returns:
# 0: on success
# ERR_ARG_MSMTCH: on failure
# ERR_CONTROL_CT: on failure
# ERR_MISS_PWD_F: on failure
# ERR_MISS_PWD_P: on failure
# ERR_NOTABSPATH: on failure
# ERR_OWNS_PWD_F: on failure
# ERR_PASS_LENGH: on failure
# ERR_PASS_PLICY: on failure
# ERR_REIONICE_P: on failure
# ERR_REIO_C_VAL: on failure
# ERR_REIO_P_VAL: on failure
# ERR_RENICE_PRI: on failure
# ERR_RGHT_PWD_F: on failure
# ERR_SPLASH_PNG: on failure
# ERR__SSH__PORT: on failure
#######################################
arg_parser() {
while [[ $# -gt 0 ]]; do
declare argument="${1}"
case "${argument,,}" in
-a=* | --autobuild=*)
@@ -421,6 +426,12 @@ arg_parser() {
usage
;;
esac
done
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f arg_parser
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -20,33 +20,53 @@ guard_sourcing
# VAR_REIONICE_PRIORITY
# Arguments:
# None
# Returns:
# 0: on success
#######################################
arg_priority_check() {
declare var
### Check if nice PRIORITY is set and adjust nice priority.
if [[ "${VAR_HANDLER_PRIORITY:-}" -ne 0 ]]; then
if command -v renice >/dev/null; then
renice "${VAR_HANDLER_PRIORITY}" -p "$$"
var=$(ps -o ni= -p $$) > /dev/null 2>&1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New renice value: %s\e[0m\n" "${var}"
# sleep 1
unset var
else
printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ renice not installed (util-linux) \e[0m\n"
fi
fi
### Check if ionice PRIORITY is set and adjust ionice priority.
if [[ "${VAR_REIONICE_CLASS:-}" -ne 2 ]]; then
if command -v ionice >/dev/null; then
ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
var=$(ionice -p $$) > /dev/null 2>&1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New ionice value: %s\e[0m\n" "${var}"
# sleep 1
unset var
else
printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ionice not installed (util-linux) \e[0m\n"
fi
fi
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f arg_priority_check
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
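Review bot: The redirection in `var=$(ps -o ni= -p $$) > /dev/null 2>&1` is attached to the bare assignment, not to `ps`, so ps's stderr still reaches the terminal and the redirect does nothing; the same applies to `var=$(ionice -p $$) > /dev/null 2>&1`. Put it inside the substitution: `var=$(ps -o ni= -p "$$" 2>/dev/null)` and `var=$(ionice -p "$$" 2>/dev/null)`. If this file runs under the same `set -Ceuo pipefail` as the starter script in this commit (its header is outside the hunk), a failing `renice` or `ionice` also aborts the whole build rather than being reported as the best-effort tweak the ✅/❌ messages suggest; `renice "${VAR_HANDLER_PRIORITY}" -p "$$" || printf '...renice failed...\n' >&2` keeps it non-fatal.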


@@ -19,6 +19,8 @@ guard_sourcing
# PIPE_BOOT_SCREEN
# Arguments:
# None
# Returns:
# 0: on success
#######################################
boot_screen() {
clear
@@ -34,15 +36,22 @@ boot_screen() {
< "${PIPE_BOOT_SCREEN}" &
declare -gr PID_BOOT_SCREEN="$!"
exec 3> "${PIPE_BOOT_SCREEN}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f boot_screen
#######################################
# Boot Screen Terminal Cleaner
# Globals:
# boot_screen_pid
# boot_screen_pipe
# PID_BOOT_SCREEN
# PIPE_BOOT_SCREEN
# Arguments:
# None
# Returns:
# 0: on success
#######################################
boot_screen_cleaner() {
exec 3>&-
@@ -51,5 +60,9 @@ boot_screen_cleaner() {
rm -f "${PIPE_BOOT_SCREEN}"
clean_screen
sleep 1
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f boot_screen_cleaner
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
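Review bot: The `Globals:` header of boot_screen_cleaner lists both `boot_screen_pid`/`boot_screen_pipe` and `PID_BOOT_SCREEN`/`PIPE_BOOT_SCREEN`, but the visible body only uses `PIPE_BOOT_SCREEN` and boot_screen declares `PID_BOOT_SCREEN`/`PIPE_BOOT_SCREEN` (the middle of boot_screen_cleaner is outside the hunk). If the lowercase names are pre-rename spellings, drop them so the header matches the code. The `# shellcheck disable=SC2034` placed above every `readonly -f` in this commit also looks misapplied: SC2034 is the unused-variable warning and does not seem to fire on `readonly -f`, so the directive can be removed or replaced by a plain comment.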


@@ -13,7 +13,7 @@
guard_sourcing
#######################################
# CISS.2025.debian.installer GRUB and Autostart Generator
# CISS.debian.installer 'GRUB' and 'Autostart' generator.
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
@@ -22,6 +22,8 @@ guard_sourcing
# VAR_WORKDIR
# Arguments:
# None
# Returns:
# 0: on success
#######################################
cdi() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
@@ -63,5 +65,10 @@ EOF
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f cdi
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -20,20 +20,31 @@ guard_sourcing
# VAR_WORKDIR
# Arguments:
# None
# Returns:
# 0: on success
#######################################
change_splash() {
if [[ ${VAR_HANDLER_SPLASH} == "club" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'club.png' selected ...\e[0m\n"
cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'club.png' selected done. \e[0m\n"
elif [[ ${VAR_HANDLER_SPLASH} == "hexagon" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'hexagon.png' selected ...\e[0m\n"
cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'hexagon.png' selected done. \e[0m\n"
fi
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f change_splash
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
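Review bot: The `club` and `hexagon` branches of change_splash are identical apart from the file name, so the three destination paths and both messages are maintained twice and a third splash means copying the whole block again. Deriving the source path once from the selected name, behind a `case` guard that accepts the same two values, leaves one copy of each line with the messages unchanged apart from the substituted name. Any other `VAR_HANDLER_SPLASH` value still ends in a silent `return 0`, as in the original.
```shell
change_splash() {
  case "${VAR_HANDLER_SPLASH}" in
    club | hexagon) ;;
    *) return 0 ;;
  esac
  declare -r png="${VAR_HANDLER_SPLASH}.png"
  declare -r src="${VAR_WORKDIR}/.archive/background/${png}"
  declare -r dst="${VAR_HANDLER_BUILD_DIR}/config/bootloaders"
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash '%s' selected ...\e[0m\n" "${png}"
  cp -af "${src}" "${dst}/splash.png"
  cp -af "${src}" "${dst}/grub-efi/splash.png"
  cp -af "${src}" "${dst}/grub-pc/splash.png"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash '%s' selected done. \e[0m\n" "${png}"
  return 0
}
```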


@@ -19,10 +19,17 @@ guard_sourcing
# VAR_WORKDIR
# Arguments:
# None
# Returns:
# 0: on success
#######################################
check_dhcp() {
if [[ ${VAR_HANDLER_DHCP} -eq 1 ]]; then
chmod +x "${VAR_WORKDIR}"/scripts/0010_dhcp_supersede.sh && "${VAR_WORKDIR}"/scripts/0010_dhcp_supersede.sh
chmod +x "${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh" && "${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh"
fi
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f check_dhcp
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
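Review bot: `chmod +x "${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh" && "${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh"` hides a chmod failure: the non-final command of an `&&` list is exempt from `set -e`, so a failed chmod silently skips the supersede script and check_dhcp still returns 0. Run them as two statements so either failure is fatal: `chmod +x -- "${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh"` followed by `"${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh"`. The quoting change in this hunk is correct as far as it goes.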


@@ -15,10 +15,12 @@ guard_sourcing
#######################################
# Check and apply 0755 Permissions on every ./config/hooks/live/*.chroot file
# Globals:
# ERR_UNCRITICAL
# VAR_WORKDIR
# Arguments:
# None
# Returns:
# 0: on success
# ERR_UNCRITICAL: on failure
#######################################
check_hooks() {
declare ifs
@@ -27,13 +29,23 @@ check_hooks() {
declare -a files=("${VAR_WORKDIR}"/config/hooks/live/*.chroot)
if (( ${#files[@]} == 0 )); then
printf "\e[91m❌ No '*.chroot' files found in '%s/config/hooks/live'. \e[0m\n" "${VAR_WORKDIR}" >&2
exit "${ERR_UNCRITICAL}"
fi
declare file
declare file=""
for file in "${files[@]}"; do
chmod 0755 "${file}"
done
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f check_hooks
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
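Review bot: `declare -a files=("${VAR_WORKDIR}"/config/hooks/live/*.chroot)` keeps the literal pattern as its single element when nothing matches unless `nullglob` is enabled, so `(( ${#files[@]} == 0 ))` never fires and the loop runs `chmod 0755` on a non-existent path instead. The lines between the two hunks (after `declare ifs`) are not visible; if they do not set `shopt -s nullglob`, guard on the first element as well: `if (( ${#files[@]} == 0 )) || [[ ! -e "${files[0]}" ]]; then`. The header now documents `ERR_UNCRITICAL: on failure` as a return value, but that branch uses `exit "${ERR_UNCRITICAL}"`, which terminates the sourcing script rather than returning; either `return` it or state "exits" in the header.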


@@ -34,9 +34,15 @@ check_kernel() {
declare options=""
if [[ ${VAR_ARCHITECTURE} != arm64 ]]; then
# shellcheck disable=SC2312
apt-cache search linux-image | grep linux-image | grep amd64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${VAR_KERNEL_TMP}"
else
# shellcheck disable=SC2312
apt-cache search linux-image | grep linux-image | grep arm64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${VAR_KERNEL_TMP}"
fi
sort --output="${VAR_KERNEL_SRT}" "${VAR_KERNEL_TMP}" || {
@@ -47,12 +53,14 @@ check_kernel() {
}
while IFS= read -r line; do
first_string=${line%% *}
name=${first_string#linux-image-}
options+=("${name}" "${counter}" off)
((counter++))
done < "${VAR_KERNEL_SRT}"
# shellcheck disable=SC2155
if declare -gx VAR_KERNEL=$(dialog \
--no-collapse \
@@ -62,13 +70,26 @@ check_kernel() {
--title "Select the Kernel for the CISS Hardened Debian Live Image ISO" \
--radiolist "Kernel available \n *+bpo* : Debian Backported Kernel \n *cloud* : Special lightweight images for KVM \n *unsigned* : Unsigned Kernel \n *preempt_rt* : Special Kernel for real-time-computing \n Not unsigned marked are MS signed Kernel for Secure Boot \n" 0 0 "${options[@]}" 3>&1 1>&2 2>&3 3>&-); then
clear
else
clear
if [[ "${VAR_ARCHITECTURE}" == "amd64" ]]; then
declare -gx VAR_KERNEL="amd64"
elif [[ "${VAR_ARCHITECTURE}" == "arm64" ]]; then
declare -gx VAR_KERNEL="arm64"
fi
fi
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f check_kernel
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
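Review bot: `if declare -gx VAR_KERNEL=$(dialog ...)` tests the exit status of `declare`, which is 0 whether or not dialog was cancelled (the `SC2155` disable acknowledges exactly this), so the `else` branch that falls back to `amd64`/`arm64` appears unreachable and a cancelled dialog leaves `VAR_KERNEL` empty. Split the assignment: `declare selection=""`, then `if selection=$(dialog \ ... 3>&1 1>&2 2>&3 3>&-); then`, with `declare -gx VAR_KERNEL="${selection}"` inside the `then` branch. Separately, `options` is declared as a scalar with `declare options=""` but appended to as an array with `options+=("${name}" "${counter}" off)`; unless it is redeclared in the lines between the hunks, element 0 is an empty string that shifts the tag/item/status triples handed to `--radiolist`, and `declare -a options=()` avoids that. check_kernel starts before the first hunk.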


@@ -16,40 +16,65 @@ guard_sourcing
# Check for required Deb Packages to run the script.
# Arguments:
# None
# Returns:
# 0: on success
#######################################
check_pkgs() {
apt-get update -y > /dev/null 2>&1
apt-get update > /dev/null 2>&1
if [[ -z "$(command -v batcat || true)" ]]; then
apt-get install -y --no-install-recommends bat
fi
if [[ -z "$(command -v lsb_release || true)" ]]; then
apt-get install -y --no-install-recommends lsb-release
fi
if [[ -z "$(command -v debootstrap || true)" ]]; then
if grep -RqsE '^[[:space:]]*deb .*backports' /etc/apt/sources.list /etc/apt/sources.list.d; then
# shellcheck disable=SC2155
declare codename=$(lsb_release -sc)
apt-get install -y -t "${codename}-backports" debootstrap
else
apt-get install -y debootstrap
fi
fi
if [[ ! -f /usr/share/live/build/VERSION ]]; then
apt-get install -y live-build
fi
if [[ "${VAR_HANDLER_AUTOBUILD}" == false ]]; then
if [[ -z "$(command -v dialog || true)" ]]; then
apt-get install -y --no-install-recommends dialog
fi
fi
if [[ -z "$(command -v mkpasswd || true)" ]]; then
apt-get install -y --no-install-recommends whois
fi
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f check_pkgs
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
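Review bot: The backports probe `grep -RqsE '^[[:space:]]*deb .*backports' /etc/apt/sources.list /etc/apt/sources.list.d` only recognises one-line `deb` entries; on hosts whose APT sources are in deb822 `*.sources` files (which I believe is what fresh trixie installs write by default, as `Suites: ... trixie-backports`), it returns false and debootstrap is installed from the base suite. Covering both formats is one line: `if grep -RqsE '^[[:space:]]*(deb .*|Suites:.*)backports' /etc/apt/sources.list /etc/apt/sources.list.d; then`. The `declare codename=$(lsb_release -sc)` below it masks a failing lsb_release (SC2155 is disabled rather than fixed), which would yield `-t -backports`; declaring and assigning on separate lines lets `set -e` catch it. The silenced `apt-get update > /dev/null 2>&1` likewise leaves no diagnostic when the update fails.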


@@ -13,9 +13,11 @@
guard_sourcing
#######################################
# Notes Textbox
# Notes Textbox.
# Arguments:
# None
# Returns:
# 0: on success
#######################################
check_provider() {
clear
@@ -64,5 +66,10 @@ EOF
--scrollbar \
--textbox "${VAR_NOTES}" 32 128
clear
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f check_provider
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -18,12 +18,21 @@ guard_sourcing
# VAR_HANDLER_STA
# Arguments:
# None
# Returns:
# 0: on success
#######################################
check_stats() {
if [[ ${VAR_HANDLER_STA} -eq 1 ]]; then
clear
run_analysis
exit 0
fi
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f check_stats
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -13,25 +13,38 @@
guard_sourcing
#######################################
# Unbound Variable Check and call Trap on ERR
# Unbound variable check and call trap on 'ERR'.
# Globals:
# ERR_UNBOUNDVAR
# Arguments:
# $1: VAR_NAME to check
# Returns:
# "${ERR_UNBOUNDVAR}"
# {ERR_UNBOUNDVAR: on failure
#######################################
check_var() {
declare var_name_to_check="$1"
if [[ -n "${!var_name_to_check+exists}" ]]; then
if [[ -n "${!var_name_to_check}" ]]; then
printf "\e[92m✅ Variable: '%s' exists and is NOT empty: '%s' \e[0m\n" "${var_name_to_check}" "${!var_name_to_check}"
else
printf "\e[92m✅ Variable: '%s' exists but is empty. \e[0m\n" "${var_name_to_check}"
fi
else
printf "\e[91m❌ Variable: '%s' is not declared. Exiting Script. \e[0m\n" "${var_name_to_check}" >&2
return "${ERR_UNBOUNDVAR}"
fi
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f check_var
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
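Review bot: The success branch of check_var prints the checked variable's value via `"${!var_name_to_check}"`; if it is ever run against password or key material (arg_parser in this commit handles `ERR_MISS_PWD_P` and the SSH settings, and 9000-cdi-starter tees all output into a log file), the secret ends up in the build log. Printing only the name keeps the check useful without the exposure: `printf "\e[92m✅ Variable: '%s' exists and is NOT empty. \e[0m\n" "${var_name_to_check}"`. The `Returns:` header has a stray brace in `# {ERR_UNBOUNDVAR: on failure` and lacks the `# 0: on success` line the other headers in this commit carry.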


@@ -27,4 +27,7 @@ clean_screen() {
#tput cup $((lines-1)) 0 > /dev/tty
#printf "\n" > /dev/tty
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f clean_screen
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -11,22 +11,53 @@
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
declare -gx PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
declare -gx IFS=$' \t\n'
umask 0077
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
install -d -m 0755 /run/lock
exec 9> /run/lock/9000-cdi-starter.lock
flock -n 9 || { echo "9000-cdi-starter already running. Exiting."; exit 0; }
[[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
printf "CISS.debian.installer Master V8.13.048.2025.10.06 is up! \n" \
>| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
#######################################
# Wait for network connectivity by looping.
# Arguments:
# None
#######################################
net_wait() {
declare -i i=1
for i in {1..30}; do
getent hosts git.coresecret.dev >/dev/null && break
sleep 1
done
}
#######################################
# Main autostart function.
# Arguments:
# none
#######################################
main() {
declare -r repo_url="https://git.coresecret.dev/msw/CISS.debian.installer.git"
declare -r repo_dir="/root/git/CISS.debian.installer"
install -d -m 0700 /root/.cdi/log
# shellcheck disable=SC2155
declare -r log="/root/.cdi/log/9000-cdi-starter_$(date +'%F_%H-%M-%S').log"
# shellcheck disable=SC2312
exec > >(tee -a "${log}") 2>&1
printf "CISS.debian.installer Master V8.13.048.2025.10.06 is up! \n" >| /root/.cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log
net_wait
cd /root/git
git clone https://git.coresecret.dev/msw/CISS.debian.installer.git
[[ -d "${repo_dir}" ]] && rm -rf "${repo_dir}"
chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh
git clone --depth 1 "${repo_url}" "${repo_dir}"
cd /root/git/CISS.debian.installer
chmod 0700 "${repo_dir}/ciss_debian_installer.sh"
cd "${repo_dir}"
#./ciss_debian_installer.sh \
# --autoinstall \
@@ -35,10 +66,14 @@ cd /root/git/CISS.debian.installer
# --reionice-priority 1 0 \
# --renice-priority "-19"
printf "CISS.debian.installer Master V8.13.048.2025.10.06 successfully executed! \n" \
>| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
printf "CISS.debian.installer Master V8.13.048.2025.10.06 successfully executed! \n" >| /root/.cdi/log/auto_start_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
exit 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f main
main "$@"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
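Review bot: `git clone --depth 1 "${repo_url}" "${repo_dir}"` fetches whatever is on the remote's default branch at boot, and main then marks `ciss_debian_installer.sh` executable as root, so nothing pins or verifies what was fetched before it is trusted; the invocation itself is commented out in the hunk, but the exposure returns the moment it is re-enabled. Pin to a release ref and verify its signature before the chmod: `declare -r repo_ref="<signed-tag-or-commit>"` (placeholder), `git clone --depth 1 --branch "${repo_ref}" "${repo_url}" "${repo_dir}"`, `git -C "${repo_dir}" verify-commit HEAD`. `net_wait` also falls through silently after 30 attempts, so a missing network surfaces only as a `git clone` failure under `set -e`; a `printf ... >&2` after the loop would name the real cause. The top-level `[[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log` and `install -d -m 0700 /root/.cdi/log` inside main appear to duplicate each other, and the first creates the directory with a different mode.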