V8.03.832.2025.06.25
All checks were successful: 🛡️ Shell Script Linting (push) Successful in 1m31s

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-06-25 16:39:38 +02:00
parent 844981489a
commit dda53a41aa
2 changed files with 289 additions and 118 deletions

.archive/.0000_lib_usage.sh Normal file

@@ -0,0 +1,142 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Usage Wrapper CISS.debian.live.builder
# Globals:
# none
# Arguments:
# $0: Script name
#######################################
usage() {
clear
cat << EOF
$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
$(echo -e "\e[92mMaster V8.03.832.2025.06.25\e[0m")
$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
"${0} <option>", where <option> is one or more of:
$(echo -e "\e[97m --help, -h\e[0m")
What you're looking at.
$(echo -e "\e[97m --autobuild=*, -a=*\e[0m")
Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
selector dialog. Change '*' to your desired Linux kernel and trim the
'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
$(echo -e "\e[97m --architecture <STRING> one of <amd64 | arm64>\e[0m")
A string reflecting the architecture of the Live System.
MUST be provided.
$(echo -e "\e[97m --build-directory </path/to/build_directory>\e[0m")
Where the Debian Live Build Image should be generated.
MUST be provided.
$(echo -e "\e[97m --change-splash <STRING> one of <club | hexagon>\e[0m")
A string reflecting the GRub Boot Screen Splash you want to use.
If omitted defaults to "./.archive/background/club.png".
$(echo -e "\e[97m --cdi (Experimental Feature)\e[0m")
This option generates a boot menu entry to start the forthcoming
'CISS.debian.installer', which will be executed after
the system has successfully booted up.
$(echo -e "\e[97m --contact, -c\e[0m")
Displays contact information of the author.
$(echo -e "\e[97m --control <INTEGER>\e[0m")
An integer that reflects the version of your Live ISO Image.
MUST be provided.
$(echo -e "\e[97m --debug\e[0m")
Enables debug logging for the main program routine. Detailed logging
information are written to "/tmp/ciss_live_builder_$$.log"
$(echo -e "\e[97m --dhcp-centurion\e[0m")
If a DHCP lease is provided, the provider's nameserver will be overridden,
and only the hardened, privacy-focused Centurion DNS servers will be used:
- https://dns01.eddns.eu/
- https://dns02.eddns.de/
- https://dns03.eddns.eu/
$(echo -e "\e[97m --jump-host <IP | IP | ... >\e[0m")
Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
If provided, than it MUST be a <SPACE> separated list.
IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
$(echo -e "\e[97m --log-statistics-only\e[0m")
Provides statistic only after successful building a
CISS.debian.live-ISO. While enabling "--log-statistics-only"
the argument "--build-directory" MUST be provided while
all further options MUST be omitted.
$(echo -e "\e[97m --provider-netcup-ipv6\e[0m")
Activates IPv6 support for Netcup Root Server. One unique
IPv6 address MUST be provided in this case and MUST be encapsulated
with [], e.g., [1234::abcd].
$(echo -e "\e[97m --renice-priority <PRIORITY>\e[0m")
Reset the nice priority value of the script and all its children
to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
Negative (higher) values MUST be enclosed in double quotes '"'.
$(echo -e "\e[97m --reionice-priority <CLASS> <PRIORITY>\e[0m")
Reset the ionice priority value of the script and all its children
to the desired <CLASS>. MUST be an integer:
1: realtime
2: best-effort
3: idle
Defaults to '2'.
Whereas <PRIORITY> MUST be an integer as well between:
0: highest priority and
7: lowest priority.
Defaults to '4'.
A real-time I/O process can significantly slow down other processes
or even cause them to starve if it continuously requests I/O.
$(echo -e "\e[97m --root-password-file </path/to/password.txt>\e[0m")
Password file for 'root', if given, MUST be a string of 20 to 64 characters,
and MUST NOT contain the special character '"'.
If the argument is omitted, no further login authentication is required for
the local console. The root password is hashed with an 16 Byte '/dev/random'
generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
after Hash generation all Variables containing plain password fragments are
deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
further prompt after password hash has been successfully generated via:
'shred -vfzu 5 -f'.
No tracing of any plain text password fragment in any debug log.
$(echo -e "\e[97m --ssh-port <INTEGER>\e[0m")
The desired Port SSH should listen to.
If not provided defaults to Port 22.
$(echo -e "\e[97m --ssh-pubkey </path/to/.ssh/>\e[0m")
Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
specified PATH into the Live ISO. MUST be provided.
$(echo -e "\e[97m --version, -v\e[0m")
Displays version of ${0}.
$(echo -e "\e[93m💡 Notes:\e[0m")
🔵 You MUST be 'root' to run this script.
$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/ \e[0m")
EOF
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
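Review bot: the documented shred invocation under --root-password-file, 'shred -vfzu 5 -f', does not do what the sentence promises: GNU shred takes the pass count as -n N, so a bare 5 is parsed as a file name and the password file itself gets shred's default pass count, not five; the help text should read 'shred -vfzu -n 5', and the actual call in the builder should be checked against it, since this is the step meant to destroy the plaintext root password. Smaller documentation fixes in the same heredoc: the TCP Wrappers file named under --jump-host is /etc/hosts.allow, not /etc/host.allow; 'CCDIR notation' should be 'CIDR notation' and 'If provided, than it MUST' should be 'then'; 'an 16 Byte' should be 'a 16 byte' and 'Detailed logging information are written' should be 'is written'. Each of the $(echo -e "...") substitutions inside the unquoted heredoc forks a subshell only to emit an escape sequence; a printf '\e[92m%s\e[0m\n' line (or the plain echo -e lines the rewritten usage() in this commit uses) avoids that.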


@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-06-25; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
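Review bot: the only change in this hunk moves SPDX-CreationInfo from 2025-05-05 to 2025-06-25, while the archived copy added in the same commit (.archive/.0000_lib_usage.sh) keeps 2025-05-05, which is when the file was actually created; creation info is meant to stay fixed across edits, so either leave it at 2025-05-05 or record the rewrite date in a separate comment (the V8.03.832.2025.06.25 footer string already carries it).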
@@ -17,126 +17,155 @@
# Arguments: # Arguments:
# $0: Script name # $0: Script name
####################################### #######################################
#######################################
# Usage Wrapper CISS.debian.live.builder
# Arguments:
# $0: Script name
#######################################
usage() { usage() {
clear # shellcheck disable=SC2155
cat << EOF declare var_cols=$(tput cols 2>/dev/null || echo 80)
$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
$(echo -e "\e[92mMaster V8.03.832.2025.06.25\e[0m")
$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.\e[0m")
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m") #######################################
$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m") # Header, Footer wrapper for dynamically output.
# Arguments:
# $1: Text.
# $2: Width of Terminal.
#######################################
center() {
declare var_text="$1"
declare var_width="$2"
declare var_padding=$(( (var_width - ${#var_text}) / 2 ))
printf "%*s%s%*s\n" "${var_padding}" "" "${var_text}" "${var_padding}" ""
}
"${0} <option>", where <option> is one or more of: # shellcheck disable=SC2155
declare var_header=$(center "CLB(1) CISS.debian.live.builder CLB(1)" "${var_cols}")
# shellcheck disable=SC2155
declare var_footer=$(center "V8.03.832.2025.06.25 2025-06-25 CLB(1)" "${var_cols}")
$(echo -e "\e[97m --help, -h\e[0m") {
What you're looking at. echo -e "\e[1;97m${var_header}\e[0m"
echo
$(echo -e "\e[97m --autobuild=*, -a=*\e[0m") echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel echo -e "\e[92mMaster V8.03.832.2025.06.25\e[0m"
selector dialog. Change '*' to your desired Linux kernel and trim the echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'. echo
echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
$(echo -e "\e[97m --architecture <STRING> one of <amd64 | arm64>\e[0m") echo -e "\e[97m(p) Centurion Press, 2024 - 2025 \e[0m"
A string reflecting the architecture of the Live System. echo
MUST be provided. echo -e "\e[97m${0} <option>, where <option> is one or more of: \e[0m"
echo
$(echo -e "\e[97m --build-directory </path/to/build_directory>\e[0m") echo -e "\e[97m --help, -h \e[0m"
Where the Debian Live Build Image should be generated. echo " What you're looking at."
MUST be provided. echo
echo -e "\e[97m --autobuild=*, -a=* \e[0m"
$(echo -e "\e[97m --change-splash <STRING> one of <club | hexagon>\e[0m") echo " Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel"
A string reflecting the GRub Boot Screen Splash you want to use. echo " selector dialog. Change '*' to your desired Linux kernel and trim the"
If omitted defaults to "./.archive/background/club.png". echo " 'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'."
echo
$(echo -e "\e[97m --cdi (Experimental Feature)\e[0m") echo -e "\e[97m --architecture <STRING> one of <amd64 | arm64> \e[0m"
This option generates a boot menu entry to start the forthcoming echo " A string reflecting the architecture of the Live System."
'CISS.debian.installer', which will be executed after echo " MUST be provided."
the system has successfully booted up. echo
echo -e "\e[97m --build-directory </path/to/build_directory> \e[0m"
$(echo -e "\e[97m --contact, -c\e[0m") echo " Where the Debian Live Build Image should be generated."
Displays contact information of the author. echo " MUST be provided."
echo
$(echo -e "\e[97m --control <INTEGER>\e[0m") echo -e "\e[97m --change-splash <STRING> one of <club | hexagon>\e[0m"
An integer that reflects the version of your Live ISO Image. echo " A string reflecting the Grub Boot Screen Splash you want to use."
MUST be provided. echo " If omitted defaults to './.archive/background/club.png'."
echo
$(echo -e "\e[97m --debug\e[0m") echo -e "\e[97m --cdi (Experimental Feature)\e[0m"
Enables debug logging for the main program routine. Detailed logging echo " This option generates a boot menu entry to start the forthcoming"
information are written to "/tmp/ciss_live_builder_$$.log" echo " 'CISS.debian.installer', which will be executed after"
echo " the system has successfully booted up."
$(echo -e "\e[97m --dhcp-centurion\e[0m") echo
If a DHCP lease is provided, the provider's nameserver will be overridden, echo -e "\e[97m --contact, -c\ e[0m"
and only the hardened, privacy-focused Centurion DNS servers will be used: echo " Show author contact information."
- https://dns01.eddns.eu/ echo
- https://dns02.eddns.de/ echo -e "\e[97m --control <INTEGER>\e[0m"
- https://dns03.eddns.eu/ echo " An integer that reflects the version of your Live ISO Image."
echo " MUST be provided."
$(echo -e "\e[97m --jump-host <IP | IP | ... >\e[0m") echo
Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access. echo -e "\e[97m --debug, -d \e[0m"
Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation. echo " Enables debug logging for the main program routine. Detailed logging"
If provided, than it MUST be a <SPACE> separated list. echo " information are written to '/tmp/ciss_live_builder_$$.log'."
IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64. echo
echo -e "\e[97m --dhcp-centurion \e[0m"
$(echo -e "\e[97m --log-statistics-only\e[0m") echo " If a DHCP lease is provided, the provider's nameserver will be overridden,"
Provides statistic only after successful building a echo " and only the hardened, privacy-focused Centurion DNS servers will be used:"
CISS.debian.live-ISO. While enabling "--log-statistics-only" echo " - https://dns01.eddns.eu/"
the argument "--build-directory" MUST be provided while echo " - https://dns02.eddns.de/"
all further options MUST be omitted. echo " - https://dns03.eddns.eu/"
echo
$(echo -e "\e[97m --provider-netcup-ipv6\e[0m") echo -e "\e[97m --jump-host <IP | IP | ... > \e[0m"
Activates IPv6 support for Netcup Root Server. One unique echo " Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access."
IPv6 address MUST be provided in this case and MUST be encapsulated echo " Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation."
with [], e.g., [1234::abcd]. echo " If provided, than it MUST be a <SPACE> separated list."
echo " IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64."
$(echo -e "\e[97m --renice-priority <PRIORITY>\e[0m") echo
Reset the nice priority value of the script and all its children echo -e "\e[97m --log-statistics-only\e[0m"
to the desired <PRIORITY>. MUST be an integer (between "-19" and 19). echo " Provides statistic only after successful building a"
Negative (higher) values MUST be enclosed in double quotes '"'. echo " CISS.debian.live-ISO. While enabling '--log-statistics-only'"
echo " the argument '--build-directory' MUST be provided while"
$(echo -e "\e[97m --reionice-priority <CLASS> <PRIORITY>\e[0m") echo " all further options MUST be omitted."
Reset the ionice priority value of the script and all its children echo
to the desired <CLASS>. MUST be an integer: echo -e "\e[97m --provider-netcup-ipv6 \e[0m"
1: realtime echo " Activates IPv6 support for Netcup Root Server. One unique"
2: best-effort echo " IPv6 address MUST be provided in this case and MUST be encapsulated"
3: idle echo " with [], e.g., [1234::abcd]."
Defaults to '2'. echo
Whereas <PRIORITY> MUST be an integer as well between: echo -e "\e[97m --renice-priority <PRIORITY> \e[0m"
0: highest priority and echo " Reset the nice priority value of the script and all its children"
7: lowest priority. echo " to the desired <PRIORITY>. MUST be an integer (between '-19' and 19)."
Defaults to '4'. echo " Negative (higher) values MUST be enclosed in double quotes '\"'."
A real-time I/O process can significantly slow down other processes echo
or even cause them to starve if it continuously requests I/O. echo -e "\e[97m --reionice-priority <CLASS> <PRIORITY> \e[0m"
echo " Reset the ionice priority value of the script and all its children"
$(echo -e "\e[97m --root-password-file </path/to/password.txt>\e[0m") echo " to the desired <CLASS>. MUST be an integer:"
Password file for 'root', if given, MUST be a string of 20 to 64 characters, echo " 1: realtime"
and MUST NOT contain the special character '"'. echo " 2: best-effort"
If the argument is omitted, no further login authentication is required for echo " 3: idle"
the local console. The root password is hashed with an 16 Byte '/dev/random' echo " Defaults to '2'."
generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately echo " Whereas <PRIORITY> MUST be an integer as well between:"
after Hash generation all Variables containing plain password fragments are echo " 0: highest priority and"
deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without echo " 7: lowest priority."
further prompt after password hash has been successfully generated via: echo " Defaults to '4'."
'shred -vfzu 5 -f'. echo " A real-time I/O process can significantly slow down other processes"
No tracing of any plain text password fragment in any debug log. echo " or even cause them to starve if it continuously requests I/O."
echo
$(echo -e "\e[97m --ssh-port <INTEGER>\e[0m") echo -e "\e[97m --root-password-file </path/to/password.txt> \e[0m"
The desired Port SSH should listen to. echo " Password file for 'root', if given, MUST be a string of 20 to 64 characters,"
If not provided defaults to Port 22. echo " and MUST NOT contain the special character '\"'."
echo " If the argument is omitted, no further login authentication is required for"
$(echo -e "\e[97m --ssh-pubkey </path/to/.ssh/>\e[0m") echo " the local console. The root password is hashed with an 16 Byte '/dev/random'"
Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the echo " generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately"
specified PATH into the Live ISO. MUST be provided. echo " after Hash generation all Variables containing plain password fragments are"
echo " deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without"
$(echo -e "\e[97m --version, -v\e[0m") echo " further prompt after password hash has been successfully generated via:"
Displays version of ${0}. echo " 'shred -vfzu 5 -f'."
echo " 'No tracing of any plain text password fragment in any debug log."
$(echo -e "\e[93m💡 Notes:\e[0m") echo
🔵 You MUST be 'root' to run this script. echo -e "\e[97m --ssh-port <INTEGER> \e[0m"
echo " The desired Port SSH should listen to."
$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m") echo " If not provided defaults to Port '22'."
$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/ \e[0m") echo
echo -e "\e[97m --ssh-pubkey </path/to/.ssh/> \e[0m"
EOF echo " Imports the SSH Public Key from the FILE 'authorized_keys' of the"
echo " specified PATH into the Live ISO. MUST be provided."
echo
echo -e "\e[97m --version, -v \e[0m"
echo " Show version of ${0}."
echo
echo -e "\e[93m💡 Notes:\e[0m"
echo -e "\e[93m🔵 You MUST be 'root' to run this script.\e[0m"
echo
echo -e "\e[95m💷 Please consider donating to my work at: \e[0m"
echo -e "\e[95m🌐 https://coresecret.eu/spenden/ \e[0m"
echo
echo -e "\e[1;97m${var_footer}\e[0m"
} | less -R
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
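Review bot: the --contact line in the new usage() is broken: `echo -e "\e[97m --contact, -c\ e[0m"` has a space between the backslash and the e, so the reset sequence is never emitted and bash prints the literal text `\ e[0m` after `-c`, leaving the terminal in bright white until the next line resets it; it should be `\e[0m` like the surrounding lines. Further points in this hunk: the 'No tracing of any plain text password fragment' line now begins with a stray apostrophe (`echo " 'No tracing ...`); the usage() comment header is emitted twice back to back (the old '# Arguments: / # $0: Script name' block is kept and a second 'Usage Wrapper CISS.debian.live.builder' block is inserted directly under it, so one should go); and the whole help body is piped through `less -R`, so on a host without less the help text is lost with a 'command not found' error, which argues for a fallback such as `| { command -v less >/dev/null && [ -t 1 ] && less -R || cat; }`. The text errors from the archived copy (/etc/host.allow for /etc/hosts.allow, 'CCDIR' for CIDR, 'than' for then, 'shred -vfzu 5 -f' where the pass count needs -n 5) were carried over unchanged and should be fixed here as well.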