diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
similarity index 90%
rename from .gitea/trigger/t_generate_PRIVATE_trixie.yaml
rename to .gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
index b192b23..e50b869 100644
--- a/.gitea/trigger/t_generate_PRIVATE_trixie.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.;
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
new file mode 100644
index 0000000..e50b869
--- /dev/null
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
@@ -0,0 +1,15 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+build:
+ counter: 1023
+ version: V8.13.008.2025.08.22
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/workflows/generate_PRIVATE_trixie.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
similarity index 98%
rename from .gitea/workflows/generate_PRIVATE_trixie.yaml
rename to .gitea/workflows/generate_PRIVATE_trixie_0.yaml
index 88b3a81..bbed4d6 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.;
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
@@ -25,7 +25,7 @@ on:
 branches:
 - master
 paths:
- - '.gitea/trigger/t_generate_PRIVATE_trixie.yaml'
+ - '.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml'
 
 jobs:
 generate-private-cdlb-trixie:
@@ -243,7 +243,7 @@ jobs:
 
 timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
 VAR_DATE="$(date +%F)"
- PRIVATE_FILE="LIVE_ISO_FLV_0.private"
+ PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
 touch "${PRIVATE_FILE}"
 cat << EOF >| "${PRIVATE_FILE}"
 # SPDX-Version: 3.0
@@ -311,7 +311,7 @@ jobs:
 GIT_SSH_COMMAND: "ssh -p 42842"
 run: |
 set -euo pipefail
- PRIVATE_FILE="LIVE_ISO_FLV_0.private"
+ PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
 git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
 
 - name: 🔑 Commit and sign changes with CI metadata.
@@ -335,7 +335,7 @@ jobs:
 WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
 CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
- COMMIT_MSG="DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 0 [skip ci]
+ COMMIT_MSG="DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
 
 ${CI_HEADER}
 
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
new file mode 100644
index 0000000..f6fee47
--- /dev/null
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -0,0 +1,358 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.13.008.2025.08.22
+
+name: 🔐 Generating a Private Live ISO TRIXIE.
+
+defaults:
+ run:
+ shell: bash
+
+permissions:
+ contents: write
+
+on:
+ push:
+ branches:
+ - master
+ paths:
+ - '.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml'
+
+jobs:
+ generate-private-cdlb-trixie:
+ name: 🔐 Generating a Private Live ISO TRIXIE.
+ runs-on: cdlb.trixie
+
+ container:
+ image: debian:trixie
+
+ steps:
+ - name: 🛠️ Basic Image Setup.
+ shell: bash
+ run: |
+ export DEBIAN_FRONTEND=noninteractive
+ apt-get update
+ apt-get upgrade -y
+ apt-get install -y --no-install-recommends \
+ apt-utils \
+ bash \
+ ca-certificates \
+ curl \
+ git \
+ gnupg \
+ openssh-client \
+ openssl \
+ sudo \
+ util-linux
+
+ - name: ⚙️ Check GnuPG Version.
+ shell: bash
+ run: |
+ gpg --version
+
+ - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+ shell: bash
+ run: |
+ rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+ ### Private Key
+ echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+ chmod 600 ~/.ssh/id_ed25519
+
+ ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+ ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+ chmod 600 ~/.ssh/known_hosts
+
+ ### Generate SSH Config for git.coresecret.dev Custom-Port
+ cat <| ~/.ssh/config
+ Host git.coresecret.dev
+ HostName git.coresecret.dev
+ Port 42842
+ IdentityFile ~/.ssh/id_ed25519
+ StrictHostKeyChecking yes
+ UserKnownHostsFile ~/.ssh/known_hosts
+ EOF
+ chmod 600 ~/.ssh/config
+
+ ### https://github.com/actions/checkout/issues/1843
+ - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+ shell: bash
+ env:
+ ### GITHUB_REF_NAME contains the branch name from the push event.
+ GITHUB_REF_NAME: ${{ github.ref_name }}
+ run: |
+ git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+ git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+ - name: 🛠️ Cleaning the workspace.
+ shell: bash
+ run: |
+ git reset --hard
+ git clean -fd
+
+ - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+ shell: bash
+ run: |
+ set -euo pipefail
+ ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+ export GNUPGHOME="$(pwd)/.gnupg"
+ mkdir -m 700 "${GNUPGHOME}"
+ echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
+ gpg --batch --import centurion-root.PUB.asc
+ echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+ gpg --batch --import ci-bot.sec.asc
+ ### Trust the key automatically
+ KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+ echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+ - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+ shell: bash
+ run: |
+ set -euo pipefail
+ export GNUPGHOME="$(pwd)/.gnupg"
+ git config user.name "Marc S. Weidner BOT"
+ git config user.email "msw+bot@coresecret.dev"
+ git config commit.gpgsign true
+ git config gpg.program gpg
+ git config gpg.format openpgp
+
+ - name: ⚙️ Preparing the build environment.
+ shell: bash
+ run: |
+ set -euo pipefail
+ mkdir -p /opt/config
+ mkdir -p /opt/livebuild
+ touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
+ touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
+ echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt
+ echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys
+
+ - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
+ shell: bash
+ run: |
+ set -euo pipefail
+ chmod 0755 ciss_live_builder.sh
+ timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
+ ### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'.
+ ./ciss_live_builder.sh \
+ --autobuild=6.12.41+deb13-amd64 \
+ --architecture amd64 \
+ --build-directory /opt/livebuild \
+ --control "${timestamp}" \
+ --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
+ --root-password-file /opt/config/password.txt \
+ --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
+ --ssh-pubkey /opt/config \
+ --trixie
+
+ - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
+ shell: bash
+ env:
+ NC_BASE: "https://cloud.e2ee.li"
+ SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
+ SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
+ run: |
+ set -euo pipefail
+ SHARE_SUBDIR=""
+
+ echo "📥 Get directory listing via PROPFIND ..."
+ curl -s \
+ --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+ -X PROPFIND \
+ -H "Depth: 1" \
+ "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+ -o propfind_public.xml
+
+ echo "📥 Filter .iso files from the PROPFIND response ..."
+ grep -oP '(?<=)[^<]+\.iso(?=)' propfind_public.xml >| public_iso_list.txt || true
+
+ if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+ echo "💡 Old ISO files found and deleted :"
+ while IFS= read -r href; do
+ FILE_URL="${NC_BASE}${href}"
+ echo " Delete: ${FILE_URL}"
+ if curl -s \
+ --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+ -X DELETE "${FILE_URL}"; then
+ echo " ✅ Successfully deleted: $(basename "${href}")"
+ else
+ echo " ❌ Error: $(basename "${href}") could not be deleted"
+ fi
+ done < public_iso_list.txt
+ else
+ echo "💡 No old ISO files found to delete."
+ fi
+
+ - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+ shell: bash
+ env:
+ NC_BASE: "https://cloud.e2ee.li"
+ SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
+ SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
+ run: |
+ set -euo pipefail
+ if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+ echo "❌ There must be exactly one .iso file in the directory!"
+ exit 1
+ else
+ VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+ VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+ echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+ fi
+
+ AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+ if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+ --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+ echo "✅ New ISO successfully uploaded."
+ else
+ echo "❌ Uploading the new ISO failed."
+ exit 1
+ fi
+
+ - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
+ shell: bash
+ run: |
+ if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+ echo "❌ There must be exactly one .iso file in the directory!"
+ exit 1
+ else
+ VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+ VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+ echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+ fi
+
+ VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
+ touch "${VAR_ISO_FILE_SHA512}"
+ sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+ SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
+ touch "${SIGNATURE_FILE}"
+ export GNUPGHOME="$(pwd)/.gnupg"
+ gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+ timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+ VAR_DATE="$(date +%F)"
+ PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
+ touch "${PRIVATE_FILE}"
+ cat << EOF >| "${PRIVATE_FILE}"
+ # SPDX-Version: 3.0
+ # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.;
+ # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+ # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+ # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+ # SPDX-FileType: SOURCE
+ # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+ # SPDX-PackageName: CISS.debian.live.builder
+ # SPDX-Security-Contact: security@coresecret.eu
+
+ This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
+
+ CISS.debian.live.builder ISO :
+ "${VAR_ISO_FILE_NAME}"
+ CISS.debian.live.builder ISO sha512 :
+ $(< "${VAR_ISO_FILE_SHA512}")
+ CISS.debian.live.builder ISO sha512 sign :
+ $(< "${SIGNATURE_FILE}")
+
+ # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+ EOF
+
+ - name: 🚧 Stash local changes (including untracked).
+ shell: bash
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+ run: |
+ set -euo pipefail
+ ### Temporarily store any local modifications or untracked files.
+ git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+ - name: 🔄 Sync with remote before commit using merge strategy.
+ shell: bash
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+ run: |
+ set -euo pipefail
+ export GNUPGHOME="$(pwd)/.gnupg"
+
+ echo "🔄 Fetching origin/master ..."
+ git fetch origin master
+
+ echo "🔁 Merging origin/master into current branch ..."
+ git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+ echo "📋 Post-merge status :"
+ git status
+ git log --oneline -n 5
+
+ - name: 🛠️ Restore stashed changes.
+ shell: bash
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+ run: |
+ set -euo pipefail
+ ### Apply previously stashed changes.
+ git stash pop || echo "✔️ Nothing to pop."
+
+ - name: 📦 Stage generated files.
+ shell: bash
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+ run: |
+ set -euo pipefail
+ PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
+ git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+ - name: 🔑 Commit and sign changes with CI metadata.
+ shell: bash
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+ run: |
+ set -euo pipefail
+ export GNUPGHOME="$(pwd)/.gnupg"
+
+ if git diff --cached --quiet; then
+ echo "✔️ No staged changes to commit."
+ else
+ echo "📝 Committing changes with GPG signature ..."
+
+ ### CI Metadata
+ TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+ HOSTNAME="$(hostname -f || hostname)"
+ GIT_SHA="$(git rev-parse --short HEAD)"
+ GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+ WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+ CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+ COMMIT_MSG="DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
+
+ ${CI_HEADER}
+
+ Generated at : ${TIMESTAMP_UTC}
+ Runner Host : ${HOSTNAME}
+ Workflow ID : ${WORKFLOW_ID}
+ Git Commit : ${GIT_SHA} HEAD -> ${GIT_REF}
+ "
+
+ echo "🔏 Commit message :"
+ echo "${COMMIT_MSG}"
+ git commit -S -m "${COMMIT_MSG}"
+ fi
+
+ - name: 🔁 Push back to repository.
+ shell: bash
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+ run: |
+ set -euo pipefail
+ echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+ git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/ciss_live_builder.sh b/ciss_live_builder.sh
index 49ca176..b6e604d 100644
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -205,7 +205,7 @@ if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization completed ... \n
 if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
 
 ### MAIN Program
-#arg_priority_check # TODO: Fixing workflow issues
+arg_priority_check
 check_stats
 if ! ${VAR_HANDLER_AUTOBUILD}; then check_provider; fi
 if ! ${VAR_HANDLER_AUTOBUILD}; then check_kernel; fi
diff --git a/lib/lib_arg_priority_check.sh b/lib/lib_arg_priority_check.sh
index 5b14110..8d2e99e 100644
--- a/lib/lib_arg_priority_check.sh
+++ b/lib/lib_arg_priority_check.sh
@@ -24,7 +24,7 @@ guard_sourcing
 arg_priority_check() {
 declare var
 ### Check if nice PRIORITY is set and adjust nice priority.
- if [[ -n "${VAR_HANDLER_PRIORITY:-}" ]]; then
+ if [[ "${VAR_HANDLER_PRIORITY:-}" -ne 0 ]]; then
 if command -v renice >/dev/null; then
 renice "${VAR_HANDLER_PRIORITY}" -p "$$"
 var=$(ps -o ni= -p $$) > /dev/null 2>&1
@@ -37,7 +37,7 @@ arg_priority_check() {
 fi
 
 ### Check if ionice PRIORITY is set and adjust ionice priority.
- if [[ -n "${VAR_REIONICE_CLASS:-}" ]]; then
+ if [[ "${VAR_REIONICE_CLASS:-}" -ne 2 ]]; then
 if command -v ionice >/dev/null; then
 ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
 var=$(ionice -p $$) > /dev/null 2>&1
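Review bot: The step `🔑 Generating a sha512 Hash of ISO, signing …` is the only `run:` block in this new workflow that does not start with `set -euo pipefail`, so a failing `sha512sum` or `gpg --detach-sign` does not abort the job and an empty `.sha512`/`.sign` is embedded into `LIVE_ISO_TRIXIE_1.private` and later committed as if it had been verified; add `set -euo pipefail` as its first line like the surrounding steps (the renamed `generate_PRIVATE_trixie_0.yaml` appears to share this structure, so the same likely applies there). In the two Centurion Cloud steps, `curl -s … -X DELETE "${FILE_URL}"` and the `--upload-file` call run without `--fail`, so an HTTP 4xx/5xx still exits 0 and the job prints "Successfully deleted"/"New ISO successfully uploaded" when nothing happened; because old ISOs are deleted before the new one is uploaded, a rejected upload also leaves the share empty, so consider `curl --fail …` and uploading before deleting. In the SSH setup step, `ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts` repopulates known_hosts on every run, which turns the `StrictHostKeyChecking yes` in the generated config into a check against whatever host answered the scan; writing a pinned host key (for example from a repository variable) into known_hosts instead would make that option meaningful. Several `run:` blocks expand secrets directly into the script text (`echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}"`, the two PGP keys, `--jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }}`, `--ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }}`); passing them through `env:` as the cloud steps already do and referencing `"${VAR}"` keeps them out of the shell source and also fixes the unquoted `--jump-host`/`--ssh-port` arguments. Minor: `KEY_ID` in the key-import step is assigned but never used, and the `WORKFLOW_ID` fallback `render-md-to-html.yaml` looks copied from another workflow.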
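Review bot: `arg_priority_check` is re-enabled unconditionally, while the neighbouring calls in this hunk (`boot_screen_cleaner`, `check_provider`, `check_kernel`) are all gated behind `if ! ${VAR_HANDLER_AUTOBUILD}`; in the autobuild/CI path this makes the `renice`/`ionice` calls in lib/lib_arg_priority_check.sh act on the runner process, where a negative nice value or an ionice call inside an unprivileged container can fail, and if the script runs under `set -e` (not visible in this hunk) such a failure would abort the build — presumably the "workflow issues" the removed TODO referred to. Consider gating it the same way, `if ! ${VAR_HANDLER_AUTOBUILD}; then arg_priority_check; fi`, or making the function tolerate a failed renice/ionice, and leave a one-line comment recording why it is now safe to call here.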
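Review bot: Replacing `-n` with an arithmetic `-ne` test treats the unset case differently in the two hunks (-24 and -37): with `VAR_HANDLER_PRIORITY` unset, `[[ "" -ne 0 ]]` is false and `renice` is skipped as before, but with `VAR_REIONICE_CLASS` unset `[[ "" -ne 2 ]]` is true (an empty string evaluates to 0 in `[[ ]]` arithmetic), so the ionice branch now runs `ionice -c2 -n4 -p "$$"` on every invocation that did not set a class — the opposite of the previous behaviour. The new test in the -37 hunk also skips ionice whenever the class is the default 2 even if `VAR_REIONICE_PRIORITY` was set explicitly, and a non-numeric value is either silently evaluated as a variable name or reported as an expression error instead of being passed to renice/ionice's own validation as the string test did. If the intent is "only act when a non-default value was requested", a test covering both variables is clearer, e.g. `if [[ -n "${VAR_REIONICE_CLASS:-}" || -n "${VAR_REIONICE_PRIORITY:-}" ]]; then`, with the `-24` hunk kept as a plain `-n` check. The body of `arg_priority_check` continues beyond both hunks.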