V9.14.022.2026.06.10

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

scripts/usr/local/sbin/9999_cdi_starter.sh

@@ -15,6 +15,10 @@ umask 0077
 
 declare -gx   VAR_RDNS_DOMAIN=""             # Forward-confirmed reverse DNS domain.
 declare -gx   VAR_RDNS_IPV4=""               # IPv4 address used for RDNS verification.
+declare -gx   VAR_RDNS_NORMALIZED=""         # RDNS domain normalized for Primordial branch names.
+declare -gx   VAR_PRIMORDIAL_KEY=""          # Primordial SSH identity filename.
+declare -gx   VAR_PRIMORDIAL_SSH_PORT=""     # Primordial SSH port.
+declare -gx   VAR_PRIMORDIAL_URL=""          # Primordial HTTPS Git URL.
 declare -grx  VAR_SEMAPHORE="/root/cdi.ciss" # Semaphore to appear.
 declare -girx VAR_TIMEOUT=3600               # Semaphore timer in seconds.
 
@@ -324,6 +328,240 @@ retrieve_rdns() {
 # shellcheck disable=SC2034
 readonly -f retrieve_rdns
 
+#######################################
+# Normalize a DNS domain into a Primordial branch name.
+# Globals:
+#   None
+# Arguments:
+#   $1: DNS domain name
+# Returns:
+#   0: on success
+#   1: on invalid DNS domain
+#######################################
+normalize_rdns_domain() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare var_domain="${1:-}"
+
+  var_domain="${var_domain%.}"
+  var_domain="${var_domain,,}"
+
+  # shellcheck disable=SC2310
+  is_dns_name "${var_domain}" || return 1
+
+  printf '%s\n' "${var_domain//./_}"
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f normalize_rdns_domain
+
+#######################################
+# Convert an HTTPS Git URL into the SSH URL used for Primordial clone.
+# Globals:
+#   None
+# Arguments:
+#   $1: HTTPS Git URL
+#   $2: SSH port
+# Returns:
+#   0: on success
+#   1: on invalid URL or port
+#######################################
+derive_ssh_git_url() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r var_https_url="${1:-}"
+  declare -r var_ssh_port="${2:-}"
+  declare    var_host="" var_path=""
+
+  if [[ ! "${var_https_url}" =~ ^https://([A-Za-z0-9.-]+)/([A-Za-z0-9._~/%+=:@,-]+\.git)$ ]]; then
+
+    return 1
+
+  fi
+
+  var_host="${BASH_REMATCH[1]}"
+  var_path="${BASH_REMATCH[2]}"
+
+  if [[ -z "${var_host}" || -z "${var_path}" || ! "${var_ssh_port}" =~ ^[0-9]+$ ]] \
+    || ((10#${var_ssh_port} < 1 || 10#${var_ssh_port} > 65535)); then
+
+    return 1
+
+  fi
+
+  printf 'ssh://git@%s:%s/%s\n' "${var_host}" "${var_ssh_port}" "${var_path}"
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f derive_ssh_git_url
+
+#######################################
+# Apply the Primordial overlay and create the CDI semaphore only on success.
+# Globals:
+#   VAR_PRIMORDIAL_KEY
+#   VAR_PRIMORDIAL_SSH_PORT
+#   VAR_PRIMORDIAL_URL
+#   VAR_RDNS_DOMAIN
+#   VAR_RDNS_NORMALIZED
+#   VAR_SEMAPHORE
+# Arguments:
+#   $1: module log file
+#   $2: CISS.debian.installer directory
+# Returns:
+#   0: on success or optional skip
+#   1: on failed configured Primordial overlay
+#######################################
+apply_primordial_overlay() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r var_log="${1:-}"
+  declare -r var_repo_dir="${2:-}"
+  declare -r var_overlay_dir="/root/git/overlay"
+  declare    var_identity="" var_ssh_url="" var_rdns_normalized=""
+
+  if [[ -z "${VAR_PRIMORDIAL_URL}" && -z "${VAR_PRIMORDIAL_KEY}" && -z "${VAR_PRIMORDIAL_SSH_PORT}" ]]; then
+
+    logger -t cdi-watcher "Primordial overlay not configured; continuing with existing semaphore polling."
+    printf "Command: [apply_primordial_overlay] skipped; Primordial overlay not configured.\n" >> "${var_log}"
+    return 0
+
+  fi
+
+  if ! rm -f -- "${VAR_SEMAPHORE}"; then
+
+    logger -t cdi-watcher "Failed to remove existing CDI semaphore; aborting CDI autostart."
+    printf "Command: [rm -f -- %s] failed; aborting CDI autostart.\n" "${VAR_SEMAPHORE}" >> "${var_log}"
+    return 1
+
+  fi
+
+  if [[ -z "${VAR_PRIMORDIAL_URL}" || -z "${VAR_PRIMORDIAL_KEY}" || -z "${VAR_PRIMORDIAL_SSH_PORT}" || -z "${VAR_RDNS_DOMAIN}" ]]; then
+
+    logger -t cdi-watcher "Primordial overlay configuration incomplete; aborting CDI autostart."
+    printf "Command: [apply_primordial_overlay] failed; Primordial URL, key, SSH port, and RDNS domain are required.\n" >> "${var_log}"
+    return 1
+
+  fi
+
+  # shellcheck disable=SC2310
+  if ! var_rdns_normalized="$(normalize_rdns_domain "${VAR_RDNS_DOMAIN}")"; then
+
+    logger -t cdi-watcher "Primordial overlay RDNS branch derivation failed; aborting CDI autostart."
+    printf "Command: [normalize_rdns_domain %s] failed; aborting CDI autostart.\n" "${VAR_RDNS_DOMAIN}" >> "${var_log}"
+    return 1
+
+  fi
+
+  declare -gx VAR_RDNS_NORMALIZED="${var_rdns_normalized}"
+
+  # shellcheck disable=SC2310
+  if ! var_ssh_url="$(derive_ssh_git_url "${VAR_PRIMORDIAL_URL}" "${VAR_PRIMORDIAL_SSH_PORT}")"; then
+
+    logger -t cdi-watcher "Primordial HTTPS Git URL conversion failed; aborting CDI autostart."
+    printf "Command: [derive_ssh_git_url] failed for configured Primordial URL; aborting CDI autostart.\n" >> "${var_log}"
+    return 1
+
+  fi
+
+  var_identity="/root/.ssh/${VAR_PRIMORDIAL_KEY}"
+
+  if [[ ! -e "${var_identity}" ]]; then
+
+    logger -t cdi-watcher "Primordial SSH identity file is missing; aborting CDI autostart."
+    printf "Command: [test -e /root/.ssh/<primordial-key>] failed; aborting CDI autostart.\n" >> "${var_log}"
+    return 1
+
+  fi
+
+  if [[ ! -f "${var_identity}" ]]; then
+
+    logger -t cdi-watcher "Primordial SSH identity path is not a regular file; aborting CDI autostart."
+    printf "Command: [test -f /root/.ssh/<primordial-key>] failed; aborting CDI autostart.\n" >> "${var_log}"
+    return 1
+
+  fi
+
+  if [[ ! -r "${var_identity}" ]]; then
+
+    logger -t cdi-watcher "Primordial SSH identity file is not readable by root; aborting CDI autostart."
+    printf "Command: [test -r /root/.ssh/<primordial-key>] failed; aborting CDI autostart.\n" >> "${var_log}"
+    return 1
+
+  fi
+
+  if ! rm -rf -- "${var_overlay_dir}"; then
+
+    logger -t cdi-watcher "Failed to remove existing Primordial overlay directory; aborting CDI autostart."
+    printf "Command: [rm -rf -- %s] failed; aborting CDI autostart.\n" "${var_overlay_dir}" >> "${var_log}"
+    return 1
+
+  fi
+
+  if ! GIT_SSH_COMMAND="ssh -i ${var_identity} -p ${VAR_PRIMORDIAL_SSH_PORT}" \
+    git clone --branch "${VAR_RDNS_NORMALIZED}" "${var_ssh_url}" "${var_overlay_dir}"; then
+
+    logger -t cdi-watcher "Primordial overlay clone failed; aborting CDI autostart."
+    printf "Command: [git clone --branch %s <primordial-ssh-url> %s] failed; aborting CDI autostart.\n" \
+      "${VAR_RDNS_NORMALIZED}" "${var_overlay_dir}" >> "${var_log}"
+    rm -rf -- "${var_overlay_dir}" || true
+    return 1
+
+  fi
+
+  if [[ ! -d "${var_overlay_dir}/.preseed" ]]; then
+
+    logger -t cdi-watcher "Primordial overlay .preseed directory is missing; aborting CDI autostart."
+    printf "Command: [test -d %s/.preseed] failed; aborting CDI autostart.\n" "${var_overlay_dir}" >> "${var_log}"
+    return 1
+
+  fi
+
+  if [[ ! -d "${var_overlay_dir}/includes" ]]; then
+
+    logger -t cdi-watcher "Primordial overlay includes directory is missing; aborting CDI autostart."
+    printf "Command: [test -d %s/includes] failed; aborting CDI autostart.\n" "${var_overlay_dir}" >> "${var_log}"
+    return 1
+
+  fi
+
+  install -d -m 0700 "${var_repo_dir}/.preseed" "${var_repo_dir}/includes"
+
+  if ! rsync -av "${var_overlay_dir}/.preseed/" "${var_repo_dir}/.preseed/"; then
+
+    logger -t cdi-watcher "Primordial overlay .preseed rsync failed; aborting CDI autostart."
+    printf "Command: [rsync -av %s/.preseed/ %s/.preseed/] failed; aborting CDI autostart.\n" \
+      "${var_overlay_dir}" "${var_repo_dir}" >> "${var_log}"
+    return 1
+
+  fi
+
+  if ! rsync -av "${var_overlay_dir}/includes/" "${var_repo_dir}/includes"; then
+
+    logger -t cdi-watcher "Primordial overlay includes rsync failed; aborting CDI autostart."
+    printf "Command: [rsync -av %s/includes/ %s/includes] failed; aborting CDI autostart.\n" \
+      "${var_overlay_dir}" "${var_repo_dir}" >> "${var_log}"
+    return 1
+
+  fi
+
+  if ! install -m 0600 /dev/null "${VAR_SEMAPHORE}"; then
+
+    logger -t cdi-watcher "Primordial overlay applied but semaphore creation failed; aborting CDI autostart."
+    printf "Command: [install -m 0600 /dev/null %s] failed; aborting CDI autostart.\n" "${VAR_SEMAPHORE}" >> "${var_log}"
+    return 1
+
+  fi
+
+  logger -t cdi-watcher "Primordial overlay applied for branch ${VAR_RDNS_NORMALIZED}; CDI semaphore created."
+  printf "Command: [apply_primordial_overlay] executed for branch [%s].\n" "${VAR_RDNS_NORMALIZED}" >> "${var_log}"
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f apply_primordial_overlay
+
 #######################################
 # Wrapper for loading CISS hardened Kernel Parameters.
 # Globals:
@@ -363,7 +601,6 @@ main() {
   var_log="/root/.ciss/cdi/log/9999-cdi-starter_$(date +"%Y-%m-%d_%H-%M-%S").log"
   touch "${var_log}"
 
-
   printf "CISS.debian.live.builder V9.14.022.2026.06.10 calling CISS.debian.installer ... \n" >> "${var_log}"
 
   ### Sleep a moment to settle boot artifacts.
@@ -419,6 +656,16 @@ main() {
   cd "${var_repo_dir}"
   printf "Command: [git clone %s %s] executed.\n" "${var_repo_url}" "${var_repo_dir}" >> "${var_log}"
 
+  ### Apply Primordial overlay before allowing CDI autostart.
+  # shellcheck disable=SC2310
+  if ! apply_primordial_overlay "${var_log}" "${var_repo_dir}"; then
+
+    logger -t cdi-watcher "Primordial overlay failed; CDI autostart aborted before semaphore polling."
+    printf "Command: [apply_primordial_overlay] failed; CDI autostart aborted before semaphore polling.\n" >> "${var_log}"
+    exit 0
+
+  fi
+
   ### Poll up to VAR_TIMEOUT seconds for the semaphore to appear and be mode 0600.
   for ((i=0; i<VAR_TIMEOUT; i++)); do