V8.13.048.2025.10.06

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-07 00:08:40 +01:00
parent 1d711ea816
commit 7f678baa64
15 changed files with 249 additions and 55 deletions
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu

 build:
-  counter: 1024
+  counter: 1023
  version: V8.13.048.2025.10.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/lib/lib_arg_parser.sh
+++ b/lib/lib_arg_parser.sh
@@ -17,22 +17,6 @@ guard_sourcing
 # Globals:
 #   ARY_HANDLER_JUMPHOST
 #   ARY_HANDLER_NETCUP_IPV6
-#   ERR_ARG_MSMTCH
-#   ERR_CONTROL_CT
-#   ERR_MISS_PWD_F
-#   ERR_MISS_PWD_P
-#   ERR_NOTABSPATH
-#   ERR_OWNS_PWD_F
-#   ERR_PASS_LENGH
-#   ERR_PASS_PLICY
-#   ERR_REIONICE_P
-#   ERR_REIO_C_VAL
-#   ERR_REIO_P_VAL
-#   ERR_RENICE_PRI
-#   ERR_RGHT_PWD_F
-#   ERR_SPLASH_PNG
-#   ERR_UNCRITICAL
-#   ERR__SSH__PORT
 #   VAR_ARCHITECTURE
 #   VAR_BUILD_LOG
 #   VAR_EARLY_DEBUG
@@ -49,14 +33,35 @@ guard_sourcing
 #   VAR_ISO8601
 #   VAR_REIONICE_CLASS
 #   VAR_REIONICE_PRIORITY
+#   VAR_SSHFP
 #   VAR_SSHPORT
 #   VAR_SSHPUBKEY
+#   VAR_SUITE
 # Arguments:
 #   None
+# Returns:
+#   0: on success
+#   ERR_ARG_MSMTCH: on failure
+#   ERR_CONTROL_CT: on failure
+#   ERR_MISS_PWD_F: on failure
+#   ERR_MISS_PWD_P: on failure
+#   ERR_NOTABSPATH: on failure
+#   ERR_OWNS_PWD_F: on failure
+#   ERR_PASS_LENGH: on failure
+#   ERR_PASS_PLICY: on failure
+#   ERR_REIONICE_P: on failure
+#   ERR_REIO_C_VAL: on failure
+#   ERR_REIO_P_VAL: on failure
+#   ERR_RENICE_PRI: on failure
+#   ERR_RGHT_PWD_F: on failure
+#   ERR_SPLASH_PNG: on failure
+#   ERR__SSH__PORT: on failure
 #######################################
 arg_parser() {
  while [[ $# -gt 0 ]]; do
+
    declare argument="${1}"
+
      case "${argument,,}" in

        -a=* | --autobuild=*)
@@ -421,6 +426,12 @@ arg_parser() {
          usage
          ;;
    esac
+
  done
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f arg_parser
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_arg_priority_check.sh
+++ b/lib/lib_arg_priority_check.sh
@@ -20,33 +20,53 @@ guard_sourcing
 #   VAR_REIONICE_PRIORITY
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 arg_priority_check() {
  declare var
+
  ### Check if nice PRIORITY is set and adjust nice priority.
  if [[  "${VAR_HANDLER_PRIORITY:-}" -ne 0 ]]; then
+
    if command -v renice >/dev/null; then
+
      renice "${VAR_HANDLER_PRIORITY}" -p "$$"
      var=$(ps -o ni= -p $$) > /dev/null 2>&1
      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New renice value: %s\e[0m\n" "${var}"
      # sleep 1
      unset var
+
    else
+
      printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ renice not installed (util-linux) \e[0m\n"
+
    fi
+
  fi

  ### Check if ionice PRIORITY is set and adjust ionice priority.
  if [[ "${VAR_REIONICE_CLASS:-}" -ne 2 ]]; then
+
    if command -v ionice >/dev/null; then
+
      ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
      var=$(ionice -p $$) > /dev/null 2>&1
      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New ionice value: %s\e[0m\n" "${var}"
      # sleep 1
      unset var
+
    else
+
      printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ionice not installed (util-linux) \e[0m\n"
+
    fi
+
  fi
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f arg_priority_check
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_boot_screen.sh
+++ b/lib/lib_boot_screen.sh
@@ -19,6 +19,8 @@ guard_sourcing
 #   PIPE_BOOT_SCREEN
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 boot_screen() {
  clear
@@ -34,15 +36,22 @@ boot_screen() {
                < "${PIPE_BOOT_SCREEN}" &
  declare -gr PID_BOOT_SCREEN="$!"
  exec 3> "${PIPE_BOOT_SCREEN}"
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f boot_screen

 #######################################
 # Boot Screen Terminal Cleaner
 # Globals:
-#   boot_screen_pid
-#   boot_screen_pipe
+#   PID_BOOT_SCREEN
+#   PIPE_BOOT_SCREEN
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 boot_screen_cleaner() {
  exec 3>&-
@@ -51,5 +60,9 @@ boot_screen_cleaner() {
  rm -f "${PIPE_BOOT_SCREEN}"
  clean_screen
  sleep 1
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f boot_screen_cleaner
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_cdi.sh
+++ b/lib/lib_cdi.sh
@@ -13,7 +13,7 @@
 guard_sourcing

 #######################################
-# CISS.2025.debian.installer GRUB and Autostart Generator
+# CISS.debian.installer 'GRUB' and 'Autostart' generator.
 # Globals:
 #   BASH_SOURCE
 #   VAR_HANDLER_BUILD_DIR
@@ -22,6 +22,8 @@ guard_sourcing
 #   VAR_WORKDIR
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 cdi() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
@@ -63,5 +65,10 @@ EOF
  fi

  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f cdi
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_change_splash.sh
+++ b/lib/lib_change_splash.sh
@@ -20,20 +20,31 @@ guard_sourcing
 #   VAR_WORKDIR
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 change_splash() {
  if [[ ${VAR_HANDLER_SPLASH} == "club" ]]; then
+
    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'club.png' selected ...\e[0m\n"
    cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
    cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
    cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'club.png' selected done. \e[0m\n"
+
  elif [[ ${VAR_HANDLER_SPLASH} == "hexagon" ]]; then
+
    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'hexagon.png' selected ...\e[0m\n"
    cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
    cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
    cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'hexagon.png' selected done. \e[0m\n"
+
  fi
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f change_splash
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_check_dhcp.sh
+++ b/lib/lib_check_dhcp.sh
@@ -19,10 +19,17 @@ guard_sourcing
 #   VAR_WORKDIR
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 check_dhcp() {
  if [[ ${VAR_HANDLER_DHCP} -eq 1 ]]; then
-    chmod +x "${VAR_WORKDIR}"/scripts/0010_dhcp_supersede.sh && "${VAR_WORKDIR}"/scripts/0010_dhcp_supersede.sh
+    chmod +x "${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh" && "${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh"
  fi
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f check_dhcp
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_check_hooks.sh
+++ b/lib/lib_check_hooks.sh
@@ -15,10 +15,12 @@ guard_sourcing
 #######################################
 # Check and apply 0755 Permissions on every ./config/hooks/live/*.chroot file
 # Globals:
-#   ERR_UNCRITICAL
 #   VAR_WORKDIR
 # Arguments:
 #   None
+# Returns:
+#   0: on success
+#   ERR_UNCRITICAL: on failure
 #######################################
 check_hooks() {
  declare ifs
@@ -27,13 +29,23 @@ check_hooks() {
  declare -a files=("${VAR_WORKDIR}"/config/hooks/live/*.chroot)

  if (( ${#files[@]} == 0 )); then
+
    printf "\e[91m❌ No '*.chroot' files found in '%s/config/hooks/live'. \e[0m\n" "${VAR_WORKDIR}" >&2
    exit "${ERR_UNCRITICAL}"
+
  fi

-  declare file
+  declare file=""
+
  for file in "${files[@]}"; do
+
    chmod 0755 "${file}"
+
  done
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f check_hooks
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_check_kernel.sh
+++ b/lib/lib_check_kernel.sh
@@ -34,9 +34,15 @@ check_kernel() {
  declare options=""

  if [[ ${VAR_ARCHITECTURE} != arm64 ]]; then
+
+    # shellcheck disable=SC2312
    apt-cache search linux-image | grep linux-image | grep amd64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${VAR_KERNEL_TMP}"
+
  else
+
+    # shellcheck disable=SC2312
    apt-cache search linux-image | grep linux-image | grep arm64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${VAR_KERNEL_TMP}"
+
  fi

  sort --output="${VAR_KERNEL_SRT}" "${VAR_KERNEL_TMP}" || {
@@ -47,12 +53,14 @@ check_kernel() {
  }

    while IFS= read -r line; do
+
      first_string=${line%% *}
      name=${first_string#linux-image-}
      options+=("${name}" "${counter}" off)
      ((counter++))
    done < "${VAR_KERNEL_SRT}"

+
  # shellcheck disable=SC2155
  if declare -gx VAR_KERNEL=$(dialog \
                          --no-collapse \
@@ -62,13 +70,26 @@ check_kernel() {
                          --title "Select the Kernel for the CISS Hardened Debian Live Image ISO" \
                          --radiolist "Kernel available \n *+bpo*       : Debian Backported Kernel \n *cloud*      : Special lightweight images for KVM \n *unsigned*   : Unsigned Kernel \n *preempt_rt* : Special Kernel for real-time-computing \n Not unsigned marked are MS signed Kernel for Secure Boot \n" 0 0 "${options[@]}" 3>&1 1>&2 2>&3 3>&-); then
    clear
+
  else
+
    clear
+
    if [[ "${VAR_ARCHITECTURE}" == "amd64" ]]; then
+
      declare -gx VAR_KERNEL="amd64"
+
    elif [[ "${VAR_ARCHITECTURE}" == "arm64" ]]; then
+
      declare -gx VAR_KERNEL="arm64"
+
    fi
+
  fi
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f check_kernel
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_check_pkgs.sh
+++ b/lib/lib_check_pkgs.sh
@@ -16,40 +16,65 @@ guard_sourcing
 # Check for required Deb Packages to run the script.
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 check_pkgs() {
-  apt-get update -y > /dev/null 2>&1
+  apt-get update > /dev/null 2>&1

  if [[ -z "$(command -v batcat || true)" ]]; then
+
    apt-get install -y --no-install-recommends bat
+
  fi

  if [[ -z "$(command -v lsb_release || true)" ]]; then
+
    apt-get install -y --no-install-recommends lsb-release
+
  fi

  if [[ -z "$(command -v debootstrap || true)" ]]; then
+
    if grep -RqsE '^[[:space:]]*deb .*backports' /etc/apt/sources.list /etc/apt/sources.list.d; then
+
      # shellcheck disable=SC2155
      declare codename=$(lsb_release -sc)
      apt-get install -y -t "${codename}-backports" debootstrap
+
    else
+
      apt-get install -y debootstrap
+
    fi
+
  fi

  if [[ ! -f /usr/share/live/build/VERSION ]]; then
+
    apt-get install -y live-build
+
  fi

  if [[ "${VAR_HANDLER_AUTOBUILD}" == false ]]; then
+
    if [[ -z "$(command -v dialog || true)" ]]; then
+
      apt-get install -y --no-install-recommends dialog
+
    fi
+
  fi

  if [[ -z "$(command -v mkpasswd || true)" ]]; then
+
    apt-get install -y --no-install-recommends whois
+
  fi
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f check_pkgs
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_check_provider.sh
+++ b/lib/lib_check_provider.sh
@@ -13,9 +13,11 @@
 guard_sourcing

 #######################################
-# Notes Textbox
+# Notes Textbox.
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 check_provider() {
  clear
@@ -64,5 +66,10 @@ EOF
         --scrollbar \
         --textbox "${VAR_NOTES}" 32 128
  clear
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f check_provider
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_check_stats.sh
+++ b/lib/lib_check_stats.sh
@@ -18,12 +18,21 @@ guard_sourcing
 #   VAR_HANDLER_STA
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 check_stats() {
  if [[ ${VAR_HANDLER_STA} -eq 1 ]]; then
+
    clear
    run_analysis
    exit 0
+
  fi
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f check_stats
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_check_var.sh
+++ b/lib/lib_check_var.sh
@@ -13,25 +13,38 @@
 guard_sourcing

 #######################################
-# Unbound Variable Check and call Trap on ERR
+# Unbound variable check and call trap on 'ERR'.
 # Globals:
 #   ERR_UNBOUNDVAR
 # Arguments:
 #   $1: VAR_NAME to check
 # Returns:
-#   "${ERR_UNBOUNDVAR}"
+#   {ERR_UNBOUNDVAR: on failure
 #######################################
 check_var() {
  declare var_name_to_check="$1"
+
  if [[ -n "${!var_name_to_check+exists}" ]]; then
+
    if [[ -n "${!var_name_to_check}" ]]; then
+
      printf "\e[92m✅ Variable: '%s' exists and is NOT empty: '%s' \e[0m\n" "${var_name_to_check}" "${!var_name_to_check}"
+
    else
+
      printf "\e[92m✅ Variable: '%s' exists but is empty. \e[0m\n" "${var_name_to_check}"
+
    fi
+
  else
+
    printf "\e[91m❌ Variable: '%s' is not declared. Exiting Script. \e[0m\n" "${var_name_to_check}" >&2
+
    return "${ERR_UNBOUNDVAR}"
+
  fi
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f check_var
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_clean_screen.sh
+++ b/lib/lib_clean_screen.sh
@@ -27,4 +27,7 @@ clean_screen() {
  #tput cup $((lines-1)) 0 > /dev/tty
  #printf "\n" > /dev/tty
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f clean_screen
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/scripts/9000-cdi-starter
+++ b/scripts/9000-cdi-starter
@@ -11,34 +11,69 @@
 # SPDX-Security-Contact: security@coresecret.eu

 set -Ceuo pipefail
-declare -gx PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-declare -gx IFS=$' \t\n'
+umask 0077

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+install -d -m 0755 /run/lock
+exec 9> /run/lock/9000-cdi-starter.lock
+flock -n 9 || { echo "9000-cdi-starter already running. Exiting."; exit 0; }

-[[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
-printf "CISS.debian.installer Master V8.13.048.2025.10.06 is up! \n" \
-  >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+#######################################
+# Wait for network connectivity by looping.
+# Arguments:
+#   None
+#######################################
+net_wait() {
+  declare -i i=1
+  for i in {1..30}; do
+    getent hosts git.coresecret.dev >/dev/null && break
+    sleep 1
+  done
+}

-cd /root/git
+#######################################
+# Main autostart function.
+# Arguments:
+#   none
+#######################################
+main() {
+  declare -r repo_url="https://git.coresecret.dev/msw/CISS.debian.installer.git"
+  declare -r repo_dir="/root/git/CISS.debian.installer"

-git clone https://git.coresecret.dev/msw/CISS.debian.installer.git
+  install -d -m 0700 /root/.cdi/log
+  # shellcheck disable=SC2155
+  declare -r log="/root/.cdi/log/9000-cdi-starter_$(date +'%F_%H-%M-%S').log"
+  # shellcheck disable=SC2312
+  exec > >(tee -a "${log}") 2>&1

-chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh
+  printf "CISS.debian.installer Master V8.13.048.2025.10.06 is up! \n" >| /root/.cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log

-cd /root/git/CISS.debian.installer
+  net_wait

-#./ciss_debian_installer.sh \
+  cd /root/git
+
+  [[ -d "${repo_dir}" ]] && rm -rf "${repo_dir}"
+
+  git clone --depth 1 "${repo_url}" "${repo_dir}"
+
+  chmod 0700 "${repo_dir}/ciss_debian_installer.sh"
+
+  cd "${repo_dir}"
+
+  #./ciss_debian_installer.sh \
 #  --autoinstall \
 #  --debug XTRACE \
 #  --log debug \
 #  --reionice-priority 1 0 \
 #  --renice-priority "-19"

-printf "CISS.debian.installer Master V8.13.048.2025.10.06 successfully executed! \n" \
-  >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+  printf "CISS.debian.installer Master V8.13.048.2025.10.06 successfully executed! \n" >| /root/.cdi/log/auto_start_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+  exit 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f main
+
+main "$@"

-exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh