V9.14.022.2026.06.10

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-10 18:57:46 +01:00
parent 800cd175fc
commit 9ef535554a
14 changed files with 468 additions and 19 deletions
@@ -38,7 +38,9 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   VAR_ISO8601
 #   VAR_LUKS
 #   VAR_LUKS_KEY
+#   VAR_PRIMORDIAL_KEY
 #   VAR_PRIMORDIAL_SSH_PORT
+#   VAR_PRIMORDIAL_URL
 #   VAR_REIONICE_CLASS
 #   VAR_REIONICE_PRIORITY
 #   VAR_SIGNER
@@ -74,6 +76,9 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   ERR__SSH__PORT: on failure
 #######################################
 arg_parser() {
+  declare primordial_key_regex='^[A-Za-z0-9._@%+=:,~-]+$'
+  declare primordial_url_regex='^https://[A-Za-z0-9.-]+/[A-Za-z0-9._~/%+=:@,-]+\.git$'
+
  while [[ $# -gt 0 ]]; do

    declare argument="${1}"
@@ -288,6 +293,44 @@ arg_parser() {
          shift 1
          ;;

+        --primordial-key)
+          declare primordial_key="${2-}"
+
+          if [[ -n "${primordial_key}" && "${primordial_key}" != -* && "${primordial_key}" != "." && "${primordial_key}" != ".." && "${primordial_key}" != */* && "${primordial_key}" =~ ${primordial_key_regex} ]]; then
+
+            # shellcheck disable=SC2034
+            declare -gx VAR_PRIMORDIAL_KEY="${primordial_key}"
+            shift 2
+
+          else
+
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            printf "\e[91m❌ Error: --primordial-key MUST be a filename matching '^[A-Za-z0-9._@%%+=:,~-]+$' and MUST NOT be '.', '..', or contain '/'.\e[0m\n" >&2
+            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+            exit "${ERR_ARG_MSMTCH}"
+
+          fi
+          ;;
+
+        --primordial-key=*)
+          declare primordial_key="${1#*=}"
+
+          if [[ -n "${primordial_key}" && "${primordial_key}" != "." && "${primordial_key}" != ".." && "${primordial_key}" != */* && "${primordial_key}" =~ ${primordial_key_regex} ]]; then
+
+            # shellcheck disable=SC2034
+            declare -gx VAR_PRIMORDIAL_KEY="${primordial_key}"
+            shift 1
+
+          else
+
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            printf "\e[91m❌ Error: --primordial-key MUST be a filename matching '^[A-Za-z0-9._@%%+=:,~-]+$' and MUST NOT be '.', '..', or contain '/'.\e[0m\n" >&2
+            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+            exit "${ERR_ARG_MSMTCH}"
+
+          fi
+          ;;
+
        --primordial-ssh)
          if [[ -n "${2-}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then

@@ -305,6 +348,44 @@ arg_parser() {
          fi
          ;;

+        --primordial-url)
+          declare primordial_url="${2-}"
+
+          if [[ -n "${primordial_url}" && "${primordial_url}" != -* && "${primordial_url}" =~ ${primordial_url_regex} ]]; then
+
+            # shellcheck disable=SC2034
+            declare -gx VAR_PRIMORDIAL_URL="${primordial_url}"
+            shift 2
+
+          else
+
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            printf "\e[91m❌ Error: --primordial-url MUST be an HTTPS Git URL with non-empty host, non-empty path, and '.git' suffix.\e[0m\n" >&2
+            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+            exit "${ERR_ARG_MSMTCH}"
+
+          fi
+          ;;
+
+        --primordial-url=*)
+          declare primordial_url="${1#*=}"
+
+          if [[ -n "${primordial_url}" && "${primordial_url}" =~ ${primordial_url_regex} ]]; then
+
+            # shellcheck disable=SC2034
+            declare -gx VAR_PRIMORDIAL_URL="${primordial_url}"
+            shift 1
+
+          else
+
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            printf "\e[91m❌ Error: --primordial-url MUST be an HTTPS Git URL with non-empty host, non-empty path, and '.git' suffix.\e[0m\n" >&2
+            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+            exit "${ERR_ARG_MSMTCH}"
+
+          fi
+          ;;
+
        --provider-netcup-ipv6)
          if [[ -n "${2-}" && "${2}" != -* ]]; then
            declare -i count=0
@@ -19,6 +19,9 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_HANDLER_CDI
 #   VAR_KERNEL
+#   VAR_PRIMORDIAL_KEY
+#   VAR_PRIMORDIAL_SSH_PORT
+#   VAR_PRIMORDIAL_URL
 #   VAR_WORKDIR
 # Arguments:
 #   None
@@ -38,7 +41,20 @@ cdi() {

    fi

-    install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/local/sbin/9999_cdi_starter.sh" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999_cdi_starter.sh"
+    declare var_cdi_starter="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999_cdi_starter.sh"
+    declare var_primordial_key_q="" var_primordial_ssh_port_q="" var_primordial_url_q=""
+
+    install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/local/sbin/9999_cdi_starter.sh" "${var_cdi_starter}"
+
+    printf -v var_primordial_key_q '%q' "${VAR_PRIMORDIAL_KEY:-}"
+    printf -v var_primordial_ssh_port_q '%q' "${VAR_PRIMORDIAL_SSH_PORT:-}"
+    printf -v var_primordial_url_q '%q' "${VAR_PRIMORDIAL_URL:-}"
+
+    sed -i \
+      -e "s|^declare -gx   VAR_PRIMORDIAL_KEY=.*$|declare -gx   VAR_PRIMORDIAL_KEY=${var_primordial_key_q}          # Primordial SSH identity filename.|" \
+      -e "s|^declare -gx   VAR_PRIMORDIAL_SSH_PORT=.*$|declare -gx   VAR_PRIMORDIAL_SSH_PORT=${var_primordial_ssh_port_q}     # Primordial SSH port.|" \
+      -e "s|^declare -gx   VAR_PRIMORDIAL_URL=.*$|declare -gx   VAR_PRIMORDIAL_URL=${var_primordial_url_q}          # Primordial HTTPS Git URL.|" \
+      "${var_cdi_starter}"

    declare tmp_entry
    tmp_entry="$(mktemp)"
@@ -0,0 +1,33 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2026-06-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Logo Wrapper CISS.debian.live.builder
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+logo() {
+  clear
+  printf '\033[95m'
+  cat centurion.txt
+  printf '\033[0m\n'
+  sleep 4
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f logo
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -55,7 +55,7 @@ sanitize_arg() {
    {
      printf "❌ Control character   : '%s'. \n" "${disallowed_ctrl}"
      printf "❌         in argument : '%s'. \n" "${input}"
-      printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \n"
+      printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" @ %% , ~ - + space' \n"
      printf "\n"
    } >> "${LOG_ERROR}"

@@ -63,7 +63,7 @@ sanitize_arg() {

    printf "\e[91m❌ Control character   : '%s'. \e[0m\n" "${disallowed_ctrl}" >&2
    printf "\e[91m❌         in argument : '%s'. \e[0m\n" "${input}" >&2
-    printf "\e[91m❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \e[0m\n" >&2
+    printf "\e[91m❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" @ %% , ~ - + space' \e[0m\n" >&2

    # shellcheck disable=SC2162
    read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -73,8 +73,8 @@ sanitize_arg() {
  fi

  ### Step 2: Define allowed characters:
-  ### letters, digits, dot, underscore, slash, equals, [, ], colon, double-quote, hyphen, space.
-  declare allowed='a-zA-Z0-9._/=\[\]:"\-+ '
+  ### letters, digits, dot, underscore, slash, equals, [, ], colon, double-quote, @, %, comma, tilde, hyphen, plus, space.
+  declare allowed='a-zA-Z0-9._/=\[\]:"@%,~\-+ '
  declare disallowed
  disallowed=$(printf '%s' "${input}" | tr -d "${allowed}")

@@ -82,7 +82,7 @@ sanitize_arg() {
    {
      printf "❌ Invalid character   : '%s'. \n" "${disallowed//?/& }"
      printf "❌         in argument : '%s'. \n" "${input}"
-      printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \n"
+      printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" @ %% , ~ - + space' \n"
      printf "\n"
    } >> "${LOG_ERROR}"

@@ -90,7 +90,7 @@ sanitize_arg() {

    printf "\e[91m❌ Invalid character   : '%s'. \e[0m\n" "${disallowed//?/& }" >&2
    printf "\e[91m❌         in argument : '%s'. \e[0m\n" "${input}" >&2
-    printf "\e[91m❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \e[0m\n" >&2
+    printf "\e[91m❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" @ %% , ~ - + space' \e[0m\n" >&2

    # shellcheck disable=SC2162
    read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -119,8 +119,8 @@ readonly -f sanitize_arg
 sanitize_string() {
  declare input="$1"
  ### Define allowed characters:
-  ### letters, digits, dot, underscore, slash, equals, [, ], colon, double-quote, hyphen, space.
-  declare allowed='a-zA-Z0-9._/=\[\]:"\-+ '
+  ### letters, digits, dot, underscore, slash, equals, [, ], colon, double-quote, @, %, comma, tilde, hyphen, plus, space.
+  declare allowed='a-zA-Z0-9._/=\[\]:"@%,~\-+ '
  printf '%s' "${input}" | tr -cd "${allowed}"
 }
 ### Prevents accidental 'unset -f'.
@@ -120,12 +120,24 @@ usage() {
    echo "    Provides statistic only after successful building a CISS.debian.live-ISO. While enabling '--log-statistics-only'"
    echo "    the argument '--build-directory' MUST be provided."
    echo
+    echo -e "\e[97m  --primordial-key <ssh-identity-filename> \e[0m"
+    echo "    SSH identity filename for the Primordial overlay clone. This MUST be a filename only; the runtime path is"
+    echo "    derived as '/root/.ssh/<ssh-identity-filename>'."
+    echo "    Example fragment:"
+    echo "      ./ciss_live_builder.sh --primordial-url https://git.coresecret.dev/ahz/PhysNet.primordial.git \\"
+    echo "        --primordial-key id--git.coresecret.dev--PhysNet.primordial_deploy--ed25519--newton--2025-10 \\"
+    echo "        --primordial-ssh 42842"
+    echo
    echo -e "\e[97m  --primordial-ssh <INTEGER> \e[0m"
    echo "    Adds one outgoing UFW TCP exception for a bootstrap SSH port."
    echo "    Outgoing only: no incoming firewall rule is added, and this option does not replace '--ssh-port'."
    echo "    Effective only when the Live System's UFW outgoing policy is 'deny'."
    echo "    Port MUST be a decimal integer between '1' and '65535'."
    echo
+    echo -e "\e[97m  --primordial-url <https-git-url> \e[0m"
+    echo "    HTTPS Git repository URL for the Primordial CDI overlay. MUST start with 'https://', include a host and"
+    echo "    path, and end in '.git'. The CDI starter converts this URL to an SSH clone URL at runtime."
+    echo
    echo -e "\e[97m  --provider-netcup-ipv6 \e[0m"
    echo "    Activates IPv6 support for Netcup Root Server. One unique IPv6 address MUST be provided in this case and MUST be"
    echo "    encapsulated with [], e.g., [1234::abcd]."