V8.13.384.2025.11.06

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-06 23:04:22 +01:00
parent 866858f12b
commit ae0bd5f3e9
24 changed files with 100 additions and 58 deletions


@@ -19,7 +19,7 @@ declare -r VAR_DATE="$(date +%F)"
cd /root
if [[ -f /etc/apt/sources.list ]]; then
mv /etc/apt/sources.list /root/.ciss/dlb/backup/sources.list.bak
mv /etc/apt/sources.list /root/.ciss/cdlb/backup/sources.list.bak
fi
cat << 'EOF' >| /etc/apt/sources.list


@@ -121,7 +121,7 @@ jobs:
set +x
set -euo pipefail
umask 0077
GNUPGHOME="/dev/shm/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}.${GITHUB_RUN_ATTEMPT}"
GNUPGHOME="/dev/shm/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}"
# shellcheck disable=SC2174
mkdir -p -m 0700 "${GNUPGHOME}"
echo "GNUPGHOME=${GNUPGHOME}" >> "${GITHUB_ENV}"
@@ -190,26 +190,23 @@ jobs:
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
./ciss_live_builder.sh \
--autobuild=6.16.3+deb13-amd64 \
--architecture amd64 \
--autobuild=6.16.3+deb13-amd64 \
--build-directory /opt/cdlb \
--cdi \
--control "${timestamp}" \
--jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
--key_age=keys.txt \
--key_luks=luks.txt \
--root-password-file /dev/shm/cdlb_secrets/password.txt \
--signing_key=signing_key.asc \
--signing_key_fpr="${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }}" \
--signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
--signing_key_pass=signing_key_pass.txt \
--signing_key=signing_key.asc \
--ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
--ssh-pubkey /dev/shm/cdlb_secrets \
--sshfp \
--trixie
REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
rm -f "${OUT}"
echo "Hook removed: ${OUT}"
- name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
env:
NC_BASE: "https://cloud.e2ee.li"
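Review bot: Secrets are expanded straight into the shell `run:` script on the `--jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }}`, `--signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }}` and `--ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }}` lines; template substitution happens before bash parses the step, so whitespace or shell metacharacters in a secret value change the command line, and wrapping one of them in double quotes (`--signing_key_fpr="${{ … }}"`) does not close that gap. The usual fix is to map each secret in the step's `env:` block and reference it as a quoted shell variable, e.g. `--signing_key_fpr="${SIGNING_KEY_FPR}"`; if `--jump-host` deliberately relies on word-splitting a space-separated list, that split can still happen under the script's control from an env variable. The `rm -f "${OUT}"` that deletes `9935_hardening_ssh.chroot` has no comment saying why the SSH hardening hook is dropped from the build; a one-line `# why: …` above it would save the next reader a search. The `run:` step this belongs to starts before this hunk.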


@@ -242,10 +242,11 @@ provider_netcup
update_microcode
x_hooks
### Start the build process
### Start the build process ----------------------------------------------------------------------------------------------------
set +o errtrace
lb_build_start
set -o errtrace
run_analysis
copy_db
declare -grx VAR_SCRIPT_SUCCESS="true"
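Review bot: The `set +o errtrace` / `set -o errtrace` bracket around `lb_build_start` carries no comment explaining why ERR-trap inheritance has to be off for exactly this step, and the banner line above it only names the phase. The reason should be stated next to it, e.g. `### errtrace off: <reason — TODO fill in>; functions reached from lb_build_start must not fire the ERR trap`. If `lb_build_start` returns non-zero, errtrace is never switched back on, which only matters if the caller tolerates that failure (not visible here). The enclosing function or statement run starts before this hunk.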


@@ -220,8 +220,8 @@ if [[ -f /root/.architecture ]]; then
fi
mkdir -p /root/.ciss/dlb/{backup,log,private_keys}
chmod 0700 /root/.ciss/dlb/{backup,log,private_keys}
mkdir -p /root/.ciss/cdlb/{backup,log,private_keys}
chmod 0700 /root/.ciss/cdlb/{backup,log,private_keys}
mkdir -p /root/git
chmod 0700 /root/git


@@ -25,8 +25,8 @@ fi
cd /root
# shellcheck disable=SC2312
cp /etc/shadow /root/.ciss/dlb/backup/shadow.bak."$(date +%F_%T)"
chmod 0600 /root/.ciss/dlb/backup/shadow.bak.*
cp /etc/shadow /root/.ciss/cdlb/backup/shadow.bak."$(date +%F_%T)"
chmod 0600 /root/.ciss/cdlb/backup/shadow.bak.*
declare hashed_pwd
declare safe_hashed_pwd


@@ -13,8 +13,8 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
mv /etc/hostname /root/.ciss/dlb/backup/hostname.bak
mv /etc/mailname /root/.ciss/dlb/backup/mailname.bak
mv /etc/hostname /root/.ciss/cdlb/backup/hostname.bak
mv /etc/mailname /root/.ciss/cdlb/backup/mailname.bak
cat << 'EOF' >| /etc/hostname
live.local


@@ -23,8 +23,8 @@ apt-get install -y adjtimex chrony tzdata
systemctl enable chrony.service
mv /etc/chrony/chrony.conf /root/.ciss/dlb/backup/chrony.conf.bak
chmod 0644 /root/.ciss/dlb/backup/chrony.conf.bak
mv /etc/chrony/chrony.conf /root/.ciss/cdlb/backup/chrony.conf.bak
chmod 0644 /root/.ciss/cdlb/backup/chrony.conf.bak
cat << EOF >| /etc/chrony/chrony.conf
# SPDX-Version: 3.0


@@ -40,26 +40,14 @@ cosign verify-blob "sops-${SOPS_VER}.checksums.txt" \
sha256sum -c "sops-${SOPS_VER}.checksums.txt" --ignore-missing
install -m 0755 "${SOPS_FILE}" /usr/local/bin/sops
sops --version --check-for-updates
age --version
sops --version --check-for-updates >| /root/.ciss/cdlb/log/sops.log
age --version >| /root/.ciss/cdlb/log/age.log
rm -f "/tmp/${SOPS_FILE}"
rm -f "/tmp/sops-${SOPS_VER}.checksums.txt"
rm -f "/tmp/sops-${SOPS_VER}.checksums.pem"
rm -f "/tmp/sops-${SOPS_VER}.checksums.sig"
umask 0077
mkdir -p /root/.config/sops/age
cat << 'EOF' >| /root/.config/sops/age/keys.txt
{{ secrets.CISS_PHYS_AGE }}
EOF
if grep -q '{{ secrets.' /root/.config/sops/age/keys.txt; then
: >| /root/.config/sops/age/keys.txt
fi
chmod 0400 /root/.config/sops/age/keys.txt
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
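Review bot: The quoted `'EOF'` heredoc writes the literal text `{{ secrets.CISS_PHYS_AGE }}` into `/root/.config/sops/age/keys.txt`, and the `grep -q '{{ secrets.'` guard then truncates it, so unless this hook is passed through a templating step before it executes (not visible here) the key file is always emptied; if that step exists, a comment naming it above the `cat` would make the placeholder intent explicit. The new `init_primordial` in this commit also installs an AGE key at `config/includes.chroot/root/.config/sops/age/keys.txt`; if live-build copies chroot includes before it runs chroot hooks, the `cat << 'EOF' >|` here overwrites that installed key, so one of the two sources should go, or this write be guarded with `[[ -s /root/.config/sops/age/keys.txt ]] ||`. `sops --version --check-for-updates` reaches the network during the build only to fill a log; `sops --version` alone keeps the build hermetic. The hook's earlier lines are outside this hunk.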


@@ -13,8 +13,8 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
mkdir -p /root/.ciss/dlb/backup/update-motd.d
cp -af /etc/update-motd.d/* /root/.ciss/dlb/backup/update-motd.d
mkdir -p /root/.ciss/cdlb/backup/update-motd.d
cp -af /etc/update-motd.d/* /root/.ciss/cdlb/backup/update-motd.d
cat << 'EOF' >| /etc/update-motd.d/10-uname
#!/bin/sh


@@ -14,7 +14,7 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt")
declare backup_dir="/root/.ciss/dlb/backup/certificates"
declare backup_dir="/root/.ciss/cdlb/backup/certificates"
declare current_date
current_date=$(date +%s)
declare -ax expired_certificates=()


@@ -13,8 +13,8 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
cp -u /etc/security/limits.conf /root/.ciss/dlb/backup/limits.conf.bak
chmod 0644 /root/.ciss/dlb/backup/limits.conf.bak
cp -u /etc/security/limits.conf /root/.ciss/cdlb/backup/limits.conf.bak
chmod 0644 /root/.ciss/cdlb/backup/limits.conf.bak
grep -Eq '^[[:space:]]*\*[[:space:]]+soft[[:space:]]+core[[:space:]]+0[[:space:]]*$' /etc/security/limits.conf \
|| sed -i -E '/^[[:space:]]*#?[[:space:]]*soft[[:space:]]+core[[:space:]]+0[[:space:]]*$/ i\* soft core 0' /etc/security/limits.conf


@@ -15,14 +15,14 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
cd /root
cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/dlb/backup/fail2ban.conf.bak
chmod 0400 /root/.ciss/dlb/backup/fail2ban.conf.bak
cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/cdlb/backup/fail2ban.conf.bak
chmod 0400 /root/.ciss/cdlb/backup/fail2ban.conf.bak
### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
chmod 0400 /root/.ciss/dlb/backup/defaults-debian.conf.bak
mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/cdlb/backup/defaults-debian.conf.bak
chmod 0400 /root/.ciss/cdlb/backup/defaults-debian.conf.bak
cat << EOF >| /etc/fail2ban/jail.d/ciss-default.conf
# SPDX-Version: 3.0
@@ -205,7 +205,7 @@ EOF
###########################################################################################
# Remarks: Logrotate must be updated either #
###########################################################################################
cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
cp -a /etc/logrotate.d/fail2ban /root/.ciss/cdlb/backup/fail2ban_logrotate.bak
cat << EOF >| /etc/logrotate.d/fail2ban
/var/log/fail2ban/fail2ban.log {
daily


@@ -23,7 +23,7 @@ usbguard generate-policy >> /tmp/rules.conf
if [[ -f /etc/usbguard/rules.conf && -s /etc/usbguard/rules.conf ]]; then
mv /etc/usbguard/rules.conf /root/.ciss/dlb/backup/usbguard_rules.conf.bak
mv /etc/usbguard/rules.conf /root/.ciss/cdlb/backup/usbguard_rules.conf.bak
cp -a /tmp/rules.conf /etc/usbguard/rules.conf
chmod 0600 /etc/usbguard/rules.conf
@@ -35,7 +35,7 @@ else
fi
cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/dlb/backup/usbguard-daemon.conf.bak
cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/cdlb/backup/usbguard-daemon.conf.bak
#sed -i "s/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/" /etc/usbguard/usbguard-daemon.conf
rm -f /tmp/rules.conf


@@ -18,8 +18,8 @@ chmod 0644 /etc/issue
chmod 0644 /etc/issue.net
if [[ -f /etc/motd ]]; then
cp -a /etc/motd /root/.ciss/dlb/backup/motd.bak
chmod 0644 /root/.ciss/dlb/backup/motd.bak
cp -a /etc/motd /root/.ciss/cdlb/backup/motd.bak
chmod 0644 /root/.ciss/cdlb/backup/motd.bak
rm /etc/motd
fi
@@ -36,7 +36,7 @@ cat << EOF >| /etc/motd
EOF
cp -a /etc/login.defs /root/.ciss/dlb/backup/login.defs.bak
cp -a /etc/login.defs /root/.ciss/cdlb/backup/login.defs.bak
sed -ri 's/^(#?LOGIN_TIMEOUT)[[:space:]]+[0-9]+/\1 180/' /etc/login.defs
sed -i 's/UMASK 022/UMASK 077/' /etc/login.defs


@@ -17,7 +17,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
apt-get install -y aide > /dev/null 2>&1
cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
cp -u /etc/aide/aide.conf /root/.ciss/cdlb/backup/aide.conf.bak
sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf
if aideinit > /dev/null 2>&1; then


@@ -20,8 +20,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
# shellcheck disable=SC2155
declare -r VAR_DATE="$(date +%F)"
cp -a /etc/security/pwquality.conf /root/.ciss/dlb/backup/pwquality.conf.bak
chmod 0644 /root/.ciss/dlb/backup/pwquality.conf.bak
cp -a /etc/security/pwquality.conf /root/.ciss/cdlb/backup/pwquality.conf.bak
chmod 0644 /root/.ciss/cdlb/backup/pwquality.conf.bak
cat << EOF >| /etc/security/pwquality.conf
# SPDX-Version: 3.0


@@ -29,9 +29,9 @@ cd /root
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
apt-get install -y auditd
cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak
cp -u /etc/audit/auditd.conf /root/.ciss/dlb/backup/auditd.conf.bak
cp -u /etc/audit/rules.d/audit.rules /root/.ciss/dlb/backup/rules_d_audit.rules.bak
cp -u /etc/audit/audit.rules /root/.ciss/cdlb/backup/audit.rules.bak
cp -u /etc/audit/auditd.conf /root/.ciss/cdlb/backup/auditd.conf.bak
cp -u /etc/audit/rules.d/audit.rules /root/.ciss/cdlb/backup/rules_d_audit.rules.bak
rm -rf /etc/audit/rules.d/audit.rules
############################################################### /etc/audit/rules.d/00-base-config.rules


@@ -19,8 +19,8 @@ cd /root
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
apt-get install -y --no-install-recommends debsums
cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak
chmod 0644 /root/.ciss/dlb/backup/debsums.bak
cp -a /etc/default/debsums /root/.ciss/cdlb/backup/debsums.bak
chmod 0644 /root/.ciss/cdlb/backup/debsums.bak
sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
if debsums -g > /dev/null 2>&1; then


@@ -16,7 +16,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
# shellcheck disable=SC2155
declare -r VAR_DATE="$(date +%F)"
mv /etc/network/interfaces /root/.ciss/dlb/backup/interfaces.chroot
mv /etc/network/interfaces /root/.ciss/cdlb/backup/interfaces.chroot
rm -f /etc/network/interfaces
cat << EOF >| /etc/network/interfaces


@@ -17,6 +17,8 @@ guard_sourcing
# Globals:
# ARY_HANDLER_JUMPHOST
# ARY_HANDLER_NETCUP_IPV6
# VAR_AGE
# VAR_AGE_KEY
# VAR_ARCHITECTURE
# VAR_BUILD_LOG
# VAR_EARLY_DEBUG
@@ -31,6 +33,8 @@ guard_sourcing
# VAR_HANDLER_STA
# VAR_HASHED_PWD
# VAR_ISO8601
# VAR_LUKS
# VAR_LUKS_KEY
# VAR_REIONICE_CLASS
# VAR_REIONICE_PRIORITY
# VAR_SIGNER
@@ -210,6 +214,22 @@ arg_parser() {
fi
;;
--key_age=*)
# shellcheck disable=SC2034
declare -gx VAR_AGE="true"
# shellcheck disable=SC2034
declare -gx VAR_AGE_KEY="${1#*=}"
shift 1
;;
--key_luks=*)
# shellcheck disable=SC2034
declare -gx VAR_LUKS="true"
# shellcheck disable=SC2034
declare -gx VAR_LUKS_KEY="${1#*=}"
shift 1
;;
--log-statistics-only)
if [[ -n "${2-}" && "${2}" != -* ]]; then
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
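Review bot: The new `--key_age=*` and `--key_luks=*` arms accept any value for `${1#*=}` without checking it: an empty value (`--key_age=`) still sets `VAR_AGE="true"`, and a value containing `/` or `..` is later joined to `${VAR_TMP_SECRET}/` in `init_primordial`, so it no longer names a file inside the secrets directory the usage text says it must live in. Rejecting it up front keeps the failure at the CLI instead of inside the build, e.g. `[[ -n "${1#*=}" && "${1#*=}" != */* ]] || { printf 'error: --key_age expects a bare file name\n' >&2; exit 1; }` before the `declare`, with the same line in the `--key_luks=*` arm. `VAR_LUKS_KEY` has no consumer in this commit's visible hunks, so a comment saying where it is read, or a TODO, would help the next maintainer. `arg_parser` starts and ends outside this hunk.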


@@ -16,6 +16,8 @@ guard_sourcing
# Integrate primordial SSH identity files.
# Globals:
# BASH_SOURCE
# VAR_AGE
# VAR_AGE_KEY
# VAR_HANDLER_BUILD_DIR
# VAR_SSHFP
# VAR_TMP_SECRET
@@ -27,6 +29,24 @@ guard_sourcing
init_primordial() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
### Check for SOPS AGE key integration ---------------------------------------------------------------------------------------
if [[ ! "${VAR_AGE,,}" == "true" ]]; then
if compgen -G "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" > /dev/null; then
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_AGE_KEY}"
fi
else
install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.config/sops/age"
install -m 0400 "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.config/sops/age/keys.txt"
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" 2>/dev/null || rm -f "${VAR_TMP_SECRET}/${VAR_AGE_KEY}"
fi
### Check for SSH CISS and PhysNet primordial-workflow™ integration ----------------------------------------------------------
if [[ ! "${VAR_SSHFP,,}" == "true" ]]; then
if compgen -G "${VAR_TMP_SECRET}/id*" > /dev/null; then
@@ -53,6 +73,8 @@ init_primordial() {
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
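Review bot: In the AGE branch `install -m 0400 "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" …` runs with no check that the source exists, unlike the opposite branch, which probes with `compgen -G` first; with an empty or mistyped `VAR_AGE_KEY` the build stops on a bare `install` error, and under `set -e` a failed install also skips the `shred` that follows. A guard such as `[[ -f "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" ]] || { printf 'error: AGE key %s not found\n' "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" >&2; return 1; }` before the `install` gives a clear message. The two `shred` calls are also inconsistent: the discard branch has no `|| rm -f` fallback, so where shred fails the tmp copy is left behind there but removed in the other branch. The private key is copied to `config/includes.chroot/…/keys.txt` under `${VAR_HANDLER_BUILD_DIR}` on the build host while only the `${VAR_TMP_SECRET}` copy is shredded; nothing in this hunk removes that second copy after the build, so whether it is cleaned up elsewhere should be confirmed and recorded in the function's Globals header. `init_primordial` continues outside this hunk.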


@@ -101,6 +101,16 @@ usage() {
echo " addresses and / or CCDIR notation. If provided, than it MUST be a <SPACE> separated list."
echo " IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64."
echo
echo -e "\e[97m --key_age=* \e[0m"
echo " The SOPS AGE private keyring for decryption operations. Change '*' to your desired SOPS AGE key file."
echo " File MUST be placed in:"
echo " </dev/shm/cdlb_secrets>"
echo
echo -e "\e[97m --key_luks=* \e[0m"
echo " The LUKS encryption / decryption passphrase for '/'-fs-encryption. Change '*' to your desired passphrase file."
echo " File MUST be placed in:"
echo " </dev/shm/cdlb_secrets>"
echo
echo -e "\e[97m --log-statistics-only\e[0m"
echo " Provides statistic only after successful building a CISS.debian.live-ISO. While enabling '--log-statistics-only'"
echo " the argument '--build-directory' MUST be provided."


@@ -14,7 +14,7 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
mv /etc/network/interfaces /root/.ciss/dlb/backup/interfaces.chroot
mv /etc/network/interfaces /root/.ciss/cdlb/backup/interfaces.chroot
rm -f /etc/network/interfaces
cat << 'EOF' >| /etc/network/interfaces


@@ -44,6 +44,10 @@ declare -gi VAR_REIONICE_CLASS=2
declare -gi VAR_REIONICE_PRIORITY=4
declare -gr VAR_CHROOT_DIR="chroot"
declare -gr VAR_PACKAGES_FILE="chroot.packages.live"
declare -gx VAR_AGE="false"
declare -gx VAR_AGE_KEY=""
declare -gx VAR_LUKS="false"
declare -gx VAR_LUKS_KEY=""
declare -gx VAR_SIGNER="false"
declare -gx VAR_SIGNING_KEY_FPR=""
declare -gx VAR_SIGNING_KEY_PASS=""