V8.02.512.2025.05.30

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/includes.chroot/preseed/.ash/0_di_preseed_include_command.sh

@@ -0,0 +1,31 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# No bash in the installer environment, only BusyBox.
+
+set -o errexit
+set -o nounset
+set -o noclobber
+
+export PATH="${PATH}:/sbin:/usr/sbin:/.ciss/install:/.ciss/install/.ash"
+
+echo '152.53.35.74 coresecret.eu' >> /etc/hosts
+
+touch /tmp/late-command-script
+chmod 0700 /tmp/late-command-script
+
+.  /.ciss/install/.ash/di_scripting_flexibility.sh
+
+sh /.ciss/install/.ash/di_scripting_password.sh
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/preseed/.ash/1_di_preseed_early_command.sh

@@ -0,0 +1,24 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# No bash in the installer environment, only BusyBox.
+
+set -o errexit
+set -o nounset
+set -o noclobber
+
+export PATH="${PATH}:/sbin:/usr/sbin:/.ciss/install:/.ciss/install/.ash"
+
+. /.ciss/install/.ash/di_scripting_flexibility.sh
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/preseed/.ash/2_di_partman_early_command.sh

@@ -0,0 +1,415 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# No bash in the installer environment, only BusyBox.
+
+set -o errexit
+set -o nounset
+set -o noclobber
+
+export PATH="${PATH}:/sbin:/usr/sbin:/.ciss/install:/.ciss/install/.ash"
+. /.ciss/install/.ash/di_scripting_flexibility.sh
+
+readonly DISK_NAME="sda"
+readonly DISK_PATH="/dev/${DISK_NAME}"
+readonly SLEEPTIMER="2"
+
+do_sleep() {
+  sleep "${SLEEPTIMER}"
+}
+
+modprobe btrfs || true
+modprobe ext4 || true
+
+blkdiscard "${DISK_PATH}"
+parted "${DISK_PATH}" --script -- mklabel gpt
+
+#/dev/sda1 -- ESP
+do_dev_sda1() {
+  parted "${DISK_PATH}" --script -- mkpart ESP fat32 1MiB 512MiB set 1 esp on
+  do_sleep
+
+  FORMAT_LABEL="ESP"
+  PARTITION="${DISK_PATH}1"
+
+  format_partition() {
+    if mkfs.fat -F32 -n "${FORMAT_LABEL}" "${PARTITION}"; then
+      echo "Partition: ${PARTITION} successfully formatted with FAT32."
+    else
+      echo "Partition: ${PARTITION} NOT successfully formated with FAT32."
+    fi
+
+    if blkid "${PARTITION}" | grep -q 'TYPE="vfat"'; then
+      echo "Partition: ${PARTITION} correctly formatted with FAT32."
+    else
+      echo "Partition: ${PARTITION} NOT correctly formatted with FAT32."
+    fi
+  }
+
+  ATTEMPTS=0
+  MAX_ATTEMPTS=3
+  while ! format_partition && [ ${ATTEMPTS} -lt ${MAX_ATTEMPTS} ]; do
+    echo "Repeat formatting... attempt $((ATTEMPTS + 1))"
+    ATTEMPTS=$((ATTEMPTS + 1))
+  done
+
+  if [ ${ATTEMPTS} -ge ${MAX_ATTEMPTS} ]; then
+    echo "Error: Partition ${PARTITION} could not be formatted correctly after ${MAX_ATTEMPTS} attempts."
+  else
+    echo "Partition ${PARTITION} successfully formatted and checked."
+  fi
+}
+do_dev_sda1
+
+#/dev/sda2 -- /boot
+do_dev_sda2() {
+  parted "${DISK_PATH}" --script -- mkpart primary ext4 512MiB 4096MiB
+  do_sleep
+
+  FORMAT_LABEL="boot"
+  PARTITION="${DISK_PATH}2"
+
+  format_partition() {
+    if mkfs.ext4 -L "${FORMAT_LABEL}" "${PARTITION}"; then
+      echo "Partition: ${PARTITION} successfully formatted with ext4."
+    else
+      echo "Partition: ${PARTITION} NOT successfully formated with ext4."
+    fi
+
+    if blkid "${PARTITION}" | grep -q 'TYPE="ext4"'; then
+      echo "Partition: ${PARTITION} correctly formatted with ext4."
+    else
+      echo "Partition: ${PARTITION} NOT correctly formatted with ext4."
+    fi
+  }
+
+  ATTEMPTS=0
+  MAX_ATTEMPTS=3
+  while ! format_partition && [ ${ATTEMPTS} -lt ${MAX_ATTEMPTS} ]; do
+    echo "Repeat formatting... attempt $((ATTEMPTS + 1))"
+    ATTEMPTS=$((ATTEMPTS + 1))
+  done
+
+  if [ ${ATTEMPTS} -ge ${MAX_ATTEMPTS} ]; then
+    echo "Error: Partition ${PARTITION} could not be formatted correctly after ${MAX_ATTEMPTS} attempts."
+  else
+    echo "Partition ${PARTITION} successfully formatted and checked."
+  fi
+}
+do_dev_sda2
+
+#/dev/sda3 -- preparing for crypt_ephemeral_swap
+parted "${DISK_PATH}" --script -- mkpart primary 4096MiB 8192MiB
+do_sleep
+
+#/dev/sda4 -- preparing for crypt_ephemeral_tmp
+parted "${DISK_PATH}" --script -- mkpart primary 8192MiB 12288MiB
+do_sleep
+
+#/dev/sda5 -- /home
+parted "${DISK_PATH}" --script -- mkpart primary 12288MiB 45056MiB
+do_sleep
+
+#/dev/sda6 -- /
+parted "${DISK_PATH}" --script -- mkpart primary 45056MiB 77824MiB
+do_sleep
+
+#/dev/sda7 -- /usr
+parted "${DISK_PATH}" --script -- mkpart primary 77824MiB 143360MiB
+do_sleep
+
+#/dev/sda8 -- /var
+parted "${DISK_PATH}" --script -- mkpart primary 143360MiB 208896MiB
+do_sleep
+
+#/dev/sda9 -- /var/log
+parted "${DISK_PATH}" --script -- mkpart primary 208896MiB 225280MiB
+do_sleep
+
+#/dev/sda10 -- /var/log/audit
+parted "${DISK_PATH}" --script -- mkpart primary 225280MiB 241664MiB
+do_sleep
+
+#/dev/sda11 -- /var/tmp
+parted "${DISK_PATH}" --script -- mkpart primary 241664MiB 258048MiB
+do_sleep
+
+#/dev/sda12 -- temporary installation /tmp
+do_dev_sda12() {
+  parted "${DISK_PATH}" --script -- mkpart primary 258048MiB 261120MiB
+  do_sleep
+
+  FORMAT_LABEL="installation_tmp"
+  PARTITION="${DISK_PATH}12"
+
+  format_partition() {
+    if mkfs.ext4 -L "${FORMAT_LABEL}" "${PARTITION}"; then
+      echo "Partition: ${PARTITION} successfully formatted with ext4."
+    else
+      echo "Partition: ${PARTITION} NOT successfully formated with ext4."
+    fi
+
+    if blkid "${PARTITION}" | grep -q 'TYPE="ext4"'; then
+      echo "Partition: ${PARTITION} correctly formatted with ext4."
+    else
+      echo "Partition: ${PARTITION} NOT correctly formatted with ext4."
+    fi
+  }
+
+  ATTEMPTS=0
+  MAX_ATTEMPTS=3
+  while ! format_partition && [ ${ATTEMPTS} -lt ${MAX_ATTEMPTS} ]; do
+    echo "Repeat formatting... attempt $((ATTEMPTS + 1))"
+    ATTEMPTS=$((ATTEMPTS + 1))
+  done
+
+  if [ ${ATTEMPTS} -ge ${MAX_ATTEMPTS} ]; then
+    echo "Error: Partition ${PARTITION} could not be formatted correctly after ${MAX_ATTEMPTS} attempts."
+  else
+    echo "Partition ${PARTITION} successfully formatted and checked."
+  fi
+}
+do_dev_sda12
+
+# Encrypt and open /dev/sda5 to /dev/sda11
+i=5
+while [ "${i}" -lt 12 ]; do
+  PARTITION="/dev/${DISK_NAME}${i}"
+  MAPPER_NAME="crypt_${DISK_NAME}${i}"
+
+  if cryptsetup luksFormat "${PARTITION}" --key-file=/.ciss/install/.cfg/.password.cfg --batch-mode --type luks2 --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 3000 --use-random --verbose; then
+    echo  "Partition: ${PARTITION} successfully encrypted."
+    do_sleep
+
+    if cryptsetup open "${PARTITION}" "${MAPPER_NAME}" --key-file=/.ciss/install/.cfg/.password.cfg; then
+      echo  "Partition: ${PARTITION} successfully opened as: ${MAPPER_NAME}."
+
+      if mkfs.btrfs -L "${MAPPER_NAME}" /dev/mapper/"${MAPPER_NAME}"; then
+        echo  "Partition: ${PARTITION} successfully formatted."
+      else
+        echo  "Partition: ${PARTITION} NOT successfully formatted."
+      fi
+
+    else
+      echo  "Partition: ${PARTITION} NOT successfully opened as: ${MAPPER_NAME}."
+    fi
+
+  else
+    echo  "Partition: ${PARTITION} NOT successfully encrypted."
+  fi
+
+  i=$((i + 1))
+done
+
+do_sleep
+
+# Generate /target directories-
+FILE_DIR="/.ciss/install/.cfg/.directories.cfg"
+
+# Check that the file exists.
+if [ ! -f "${FILE_DIR}" ]; then
+  echo "Error: File ${FILE_DIR} cannot be read." >&2
+  exit 1
+fi
+
+while read -r DIR; do
+  sleep 1
+  # Proceed only if the row is not empty.
+  if [ -n "${DIR}" ]; then
+    # Verify if the directory already exists.
+    if [ -d "${DIR}" ]; then
+      echo "Directory ${DIR} already exists."
+    else
+      # Try to create a directory.
+      until [ -d "${DIR}" ]; do
+        mkdir -p "${DIR}"
+        if [ ! -d "${DIR}" ]; then
+          echo "Error: Creating ${DIR} directory failed. Try again. " >&2
+          sleep 1
+        fi
+      done
+      echo "Directory ${DIR} created successfully".
+    fi
+  fi
+done < "${FILE_DIR}"
+
+do_sleep
+
+mount /dev/mapper/crypt_sda6 /target
+do_sleep
+
+mkdir /target/boot
+mount /dev/sda2 /target/boot
+do_sleep
+
+mkdir /target/boot/efi
+mount /dev/sda1 /target/boot/efi
+do_sleep
+
+mkdir /target/home
+mount /dev/mapper/crypt_sda5 /target/home
+do_sleep
+
+mkdir /target/usr
+mount /dev/mapper/crypt_sda7 /target/usr
+do_sleep
+
+mkdir /target/var
+mount /dev/mapper/crypt_sda8 /target/var
+do_sleep
+
+mkdir /target/var/log
+mount /dev/mapper/crypt_sda9 /target/var/log
+do_sleep
+
+mkdir /target/var/log/audit
+mount /dev/mapper/crypt_sda10 /target/var/log/audit
+do_sleep
+
+mkdir /target/var/tmp
+mount /dev/mapper/crypt_sda11 /target/var/tmp
+do_sleep
+
+mkdir /target/tmp
+mount /dev/sda12 /target/tmp
+do_sleep
+
+mkdir /target/dev
+mount --bind /dev /target/dev
+do_sleep
+if [ -d "/target/dev/pts" ]; then
+  echo "Directory /target/dev/pts already exists."
+else
+  mkdir /target/dev/pts
+fi
+
+mkdir /target/proc
+mount --bind /proc /target/proc
+do_sleep
+
+mkdir /target/sys
+mount --bind /sys /target/sys
+do_sleep
+
+mkdir /target/run
+mount --bind /run /target/run
+do_sleep
+if [ -d "/target/run/lock" ]; then
+  echo "Directory /target/run/lock already exists."
+else
+  mkdir /target/run/lock
+fi
+
+mkdir /target/etc
+mkdir /target/etc/apt
+mkdir /target/etc/network
+touch /target/etc/fstab
+chmod 0644 /target/etc/fstab
+
+# shellcheck disable=SC2129
+cat << EOF >> /target/etc/fstab
+# /etc/fstab: static file system information.
+#
+# Use 'blkid' to print the universally unique identifier for a
+# device; this may be used with UUID= as a more robust way to name devices
+# that works even if disks are added and removed. See fstab(5).
+#
+# systemd generates mount units based on this file, see systemd.mount(5).
+# Please run 'systemctl daemon-reload' after making changes here.
+#
+# <file system> <mount point>   <type>  <options>       <dump>  <pass>
+
+EOF
+
+echo "# / was on /dev/mapper/crypt_sda6 during installation" >> /target/etc/fstab
+echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda6) / btrfs defaults,errors=remount-ro 0 1" >> /target/etc/fstab
+echo "" >> /target/etc/fstab
+
+echo "# /boot was on /dev/sda2 during installation" >> /target/etc/fstab
+echo "UUID=$(blkid -s UUID -o value /dev/sda2) /boot ext4 defaults 0 2" >> /target/etc/fstab
+echo "" >> /target/etc/fstab
+
+echo "# /boot/efi was on /dev/sda1 during installation" >> /target/etc/fstab
+echo "UUID=$(blkid -s UUID -o value /dev/sda1) /boot/efi vfat umask=0077 0 1" >> /target/etc/fstab
+echo "" >> /target/etc/fstab
+
+echo "# /home was on /dev/mapper/crypt_sda5 during installation" >> /target/etc/fstab
+echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda5) /home btrfs defaults 0 2" >> /target/etc/fstab
+echo "" >> /target/etc/fstab
+
+echo "# /usr was on /dev/mapper/crypt_sda7 during installation" >> /target/etc/fstab
+echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda7) /usr btrfs defaults 0 2" >> /target/etc/fstab
+echo "" >> /target/etc/fstab
+
+echo "# /var was on /dev/mapper/crypt_sda8 during installation" >> /target/etc/fstab
+echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda8) /var btrfs defaults 0 2" >> /target/etc/fstab
+echo "" >> /target/etc/fstab
+
+echo "# /var/log was on /dev/mapper/crypt_sda9 during installation" >> /target/etc/fstab
+echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda9) /var/log btrfs defaults 0 2" >> /target/etc/fstab
+echo "" >> /target/etc/fstab
+
+echo "# /var/log/audit was on /dev/mapper/crypt_sda10 during installation" >> /target/etc/fstab
+echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda10) /var/log/audit btrfs defaults 0 2" >> /target/etc/fstab
+echo "" >> /target/etc/fstab
+
+echo "# /var/tmp was on /dev/mapper/crypt_sda11 during installation" >> /target/etc/fstab
+echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda11) /var/tmp btrfs defaults 0 2" >> /target/etc/fstab
+echo "" >> /target/etc/fstab
+
+echo "# /tmp was on /dev/sda12 during installation" >> /target/etc/fstab
+echo "UUID=$(blkid -s UUID -o value /dev/sda12) /tmp ext4 defaults 0 2" >> /target/etc/fstab
+echo "" >> /target/etc/fstab
+
+echo "# /media/cdrom0 was on /dev/sr0 during installation" >> /target/etc/fstab
+echo "/dev/sr0        /media/cdrom0   udf,iso9660 user,noauto     0       0" >> /target/etc/fstab
+echo "" >> /target/etc/fstab
+
+touch /target/etc/crypttab
+chmod 0644 /target/etc/crypttab
+
+# shellcheck disable=SC2129
+cat << EOF >> /target/etc/crypttab
+# <name>  <device>  <password-file-or-none>  <options>
+
+EOF
+
+echo "# / was on /dev/mapper/crypt_sda6 during installation" >> /target/etc/crypttab
+echo "crypt_sda6 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda6) none luks,discard" >> /target/etc/crypttab
+echo "" >> /target/etc/crypttab
+
+echo "# /home was on /dev/mapper/crypt_sda5 during installation" >> /target/etc/crypttab
+echo "crypt_sda5 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda5) none luks,discard" >> /target/etc/crypttab
+echo "" >> /target/etc/crypttab
+
+echo "# /usr was on /dev/mapper/crypt_sda7 during installation" >> /target/etc/crypttab
+echo "crypt_sda7 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda7) none luks,discard" >> /target/etc/crypttab
+echo "" >> /target/etc/crypttab
+
+echo "# /var was on /dev/mapper/crypt_sda8 during installation" >> /target/etc/crypttab
+echo "crypt_sda8 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda8) none luks,discard" >> /target/etc/crypttab
+echo "" >> /target/etc/crypttab
+
+echo "# /var/log was on /dev/mapper/crypt_sda9 during installation" >> /target/etc/crypttab
+echo "crypt_sda9 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda9) none luks,discard" >> /target/etc/crypttab
+echo "" >> /target/etc/crypttab
+
+echo "# /var/log/audit was on /dev/mapper/crypt_sda10 during installation" >> /target/etc/crypttab
+echo "crypt_sda10 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda10) none luks,discard" >> /target/etc/crypttab
+echo "" >> /target/etc/crypttab
+
+echo "# /var/tmp was on /dev/mapper/crypt_sda11 during installation" >> /target/etc/crypttab
+echo "crypt_sda11 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda11) none luks,discard" >> /target/etc/crypttab
+echo "" >> /target/etc/crypttab
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/preseed/.ash/3_di_preseed_late_command.sh

@@ -0,0 +1,32 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# No bash in the installer environment, only BusyBox.
+
+set -o errexit
+set -o nounset
+set -o noclobber
+
+export PATH="${PATH}:/sbin:/usr/sbin:/.ciss/install:/.ciss/install/.ash"
+
+. /.ciss/install/.ash/di_scripting_flexibility.sh
+
+mkdir -m 0700 /target/root/.d-i-backup
+
+if [ -f /tmp/late-command-script ]; then
+  sh /tmp/late-command-script
+fi
+
+sh /.ciss/install/.ash/di_scripting_ssh.sh
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/preseed/.ash/di_scripting_flexibility.sh

@@ -0,0 +1,35 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# No bash in the installer environment, only BusyBox.
+
+set -o errexit
+set -o nounset
+set -o noclobber
+
+readonly     RED="\033[91m"
+                             export RED
+readonly   GREEN="\033[92m"
+                             export GREEN
+readonly  YELLOW="\033[93m"
+                             export YELLOW
+readonly    BLUE="\033[94m"
+                             export BLUE
+readonly MAGENTA="\033[95m"
+                             export MAGENTA
+readonly    CYAN="\033[96m"
+                             export CYAN
+readonly   WHITE="\033[97m"
+                             export WHITE
+readonly  NORMAL="\033[0m"
+                             export NORMAL
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/preseed/.ash/di_scripting_password.sh

@@ -0,0 +1,93 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# No bash in the installer environment, only BusyBox.
+
+set -o errexit
+set -o nounset
+set -o noclobber
+
+# Create a passphrase by pulling only characters in the range '!' to '~' (ASCII 0x21 to 0x7e) from /dev/random.
+umask 0077
+TMP_PASSPHRASE_FILE=$(mktemp)
+readonly TMP_PASSPHRASE_FILE
+grep -o '[!-~]' /dev/urandom | tr -d '\n' | head -c64 >> "${TMP_PASSPHRASE_FILE}"
+
+# Create an include file for debian-installer with the passphrase as answers to the questions.
+DEB_INSTALLER_CRYPT_INC_FILE=$(mktemp)
+readonly DEB_INSTALLER_CRYPT_INC_FILE
+
+# Read the first line (the passphrase) – POSIX-compliant
+# IFS= prevents leading/trailing spaces from being truncated,
+# -r ensures that backslashes are not interpreted.
+IFS= read -r passphrase < "${TMP_PASSPHRASE_FILE}"
+
+# A single printf call with exactly one redirect
+# – ShellCheck-compliant and valid in POSIX-sh
+printf 'd-i partman-crypto/passphrase string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"
+
+printf 'd-i partman-crypto/passphrase-again string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"
+
+# Echo the file to be included, so debian-installer will do that - assuming this command is being run via 'preseed/include_command'.
+# Without file:// will try and fetch from the webserver this preseed was served from.
+echo "file://${DEB_INSTALLER_CRYPT_INC_FILE}"
+
+# Add extra commands to the file that should be run using 'preseed/late_command' to ensure the passphrase is included in the new installation.
+readonly IN_TARGET_KEY_FILE=/etc/keys/luks-lvm.key
+
+cat - >> /tmp/late-command-script << LATE_EOF
+##### BEGIN ADDED BY preseed-crypto-key preseed/include_command
+
+umask 0077
+
+mkdir -p /target$(dirname "${IN_TARGET_KEY_FILE}")
+
+cp "${TMP_PASSPHRASE_FILE}" /target"${IN_TARGET_KEY_FILE}"
+
+# Use /root as /tmp might be noexec
+
+cat - >/target/root/configure-crypt-unlock <<EOF
+#!/usr/bin/bash
+
+# Standard bash safety features
+set -eufo pipefail
+
+if grep -q UMASK /etc/initramfs-tools/initramfs.conf
+then
+  sed -i 's-^#\?UMASK.*\\\$-UMASK=0077-' /etc/initramfs-tools/initramfs.conf
+else
+  echo -e "# Secure initramfs while it contains unlock keys for root filesystem\nUMASK=0077" >>/etc/initramfs-tools/initramfs.conf
+fi
+
+# Include keyfile in initramfs
+sed -i 's-^#\?KEYFILE_PATTERN=.*\\\$-KEYFILE_PATTERN=$(dirname ${IN_TARGET_KEY_FILE})/*.key-' /etc/cryptsetup-initramfs/conf-hook
+
+# Configure crypt to use keyfile to unlock encrypted partition(s)
+sed -i 's#\(UUID=[^ ]\+\) none#\1 ${IN_TARGET_KEY_FILE}#' /etc/crypttab
+
+# Update initramfs with key file
+update-initramfs -u
+exit 0
+EOF
+
+sleep 1
+
+chmod 500 /target/root/configure-crypt-unlock
+in-target /root/configure-crypt-unlock
+rm /target/root/configure-crypt-unlock
+
+exit 0
+##### END ADDED BY preseed-crypto-key preseed/include_command
+LATE_EOF
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/preseed/.ash/di_scripting_ssh.sh

@@ -0,0 +1,50 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# No bash in the installer environment, only BusyBox.
+
+set -o errexit
+set -o nounset
+set -o noclobber
+
+if [ ! -d /target/root/.ssh ]; then
+  mkdir -m 0700 /target/root/.ssh
+fi
+
+if [ -f /target/etc/ssh/ssh_host_ed25519_key ]; then
+  rm -f /target/etc/ssh/ssh_host_ed25519_key
+fi
+
+if [ -f /target/etc/ssh/ssh_host_rsa_key ]; then
+  rm -f /target/etc/ssh/ssh_host_rsa_key
+fi
+
+in-target ssh-keygen -o -a 1024 -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root d-i $(date -I)"
+in-target ssh-keygen -o -a 1024 -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root d-i $(date -I)"
+
+cp -a /target/etc/ssh/sshd_config /target/root/.d-i-backup/sshd_config.bak
+rm -f /target/etc/ssh/sshd_config
+
+cp /cdrom/install/.lib/sshd_config.lib /target/etc/ssh/sshd_config
+chmod 0600 /target/etc/ssh/sshd_config
+
+sed -i "s/Port					22/Port					37768/" /target/etc/ssh/sshd_config
+sed -i "s/AllowUsers				DUMMYSTRING/AllowUsers				root/" /target/etc/ssh/sshd_config
+
+cp /cdrom/install/.lib/banner.lib /target/etc/banner
+chmod 0644 /target/etc/banner
+
+umask 0077
+wget --https-only --secure-protocol=TLSv1_3 -c -O /target/root/.ssh/authorized_keys https://coresecret.eu/download/developer/2024_rsa4096_developer_root.pub.key
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh