V8.03.512.2025.06.06

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-06-06 06:56:16 +02:00
parent 86068a6b7e
commit ddd5aa3b49
9 changed files with 226 additions and 31 deletions

69
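--- /dev/null
+++ b/.gitea/TODO/dockerfile
@@ -0,0 +1,69 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+### Version Master V8.03.400.2025.06.05
+FROM debian:bookworm
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update -y \
+&& apt-get upgrade -y \
+&& apt-get install -y \
+apt-transport-https \
+apt-utils \
+bash \
+ca-certificates \
+gnupg \
+openssl \
+sudo \
+&& apt-get update -y \
+&& apt-get upgrade -y \
+&& apt-get clean \
+&& apt-get autoremove --purge -y \
+&& rm -rf /var/lib/apt/lists/*
+RUN mkdir -p /etc/apt/sources.list.d && touch /etc/apt/sources.list.d/bookworm-backports.list \
+&& echo 'deb https://deb.debian.org/debian bookworm-backports main' >| /etc/apt/sources.list.d/bookworm-backports.list \
+&& apt-get update -y \
+&& apt-get upgrade -y \
+&& apt-get install -y --no-install-recommends \
+autoconf \
+automake \
+build-essential \
+cryptsetup \
+curl \
+debootstrap \
+dosfstools \
+efibootmgr \
+gettext \
+git \
+haveged \
+libtool \
+live-build \
+parted \
+pkg-config \
+ssh \
+ssl-cert \
+texinfo \
+wget \
+whois \
+&& apt-get clean \
+&& apt-get autoremove --purge -y \
+&& rm -rf /var/lib/apt/lists/*
+RUN useradd --create-home --shell /bin/bash runner
+WORKDIR /home/runner
+USER runner
+ENTRYPOINT ["bash"]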
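Review bot: The first RUN block runs `apt-get update -y && apt-get upgrade -y` both before and after the install, and the second RUN upgrades a third time, so the image content depends on whatever Debian has published at build time rather than on the Dockerfile (hadolint DL3005); drop the upgrade passes and the duplicated update, and pin the base instead, `FROM debian:bookworm@sha256:<digest-placeholder>`, so the build is reproducible. `sudo` is installed in that first layer but `runner` never receives a sudoers entry in this file, so it is either dead weight or the escalation happens elsewhere — worth a comment either way, since debootstrap/live-build presumably need root and the stage ends as `USER runner`. `ENV DEBIAN_FRONTEND=noninteractive` persists into the runtime environment of every container; prefer `RUN DEBIAN_FRONTEND=noninteractive apt-get …` or an `ARG`. The first install omits `--no-install-recommends` while the second uses it, and the `touch` before `echo … >|` on the backports list is redundant.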


@@ -11,7 +11,7 @@
### Version Master V8.03.400.2025.06.05
name: Render README.md to README.html.
name: 🔁 Render README.md to README.html.
permissions:
contents: write
@@ -26,7 +26,7 @@ on:
jobs:
render-md-to-html:
name: Render README.md to README.html.
name: 🔁 Render README.md to README.html.
runs-on: ubuntu-latest
steps:
@@ -111,28 +111,28 @@ jobs:
sudo apt-get update
sudo apt-get install -y pandoc
#- name: ⚙️ Ensure .html/ directory exists.
# shell: bash
# run:
# mkdir -p .html
- name: ⚙️ Ensure .html/ directory exists.
shell: bash
run:
mkdir -p .html
#- name: 🛠️ Render *.md to full standalone HTML.
# shell: bash
# run: |
# set -euo pipefail
# find . \( -path "*/.*" -prune \) -o -type f -name "*.md" -print | while read file; do
# out=$(basename "${file%.md}.html")
# pandoc -s "${file}" \
# --metadata title="${file}" \
# --metadata lang=en \
# -f gfm+footnotes \
# -t html5 \
# --no-highlight \
# --strip-comments \
# --wrap=none \
# --lua-filter=.gitea/properties/lua/linkfix.lua \
# -o .html/"${out}"
# done
- name: 🛠️ Render *.md to full standalone HTML.
shell: bash
run: |
set -euo pipefail
find . \( -path "*/.*" -prune \) -o -type f -name "*.md" -print | while read file; do
out=$(basename "${file%.md}.html")
pandoc -s "${file}" \
--metadata title="${file}" \
--metadata lang=en \
-f gfm+footnotes \
-t html5 \
--no-highlight \
--strip-comments \
--wrap=none \
--lua-filter=.gitea/properties/lua/linkfix.lua \
-o .html/"${out}"
done
- name: 🛠️ Extract HTML fragment for Gitea for *.md.
shell: bash
@@ -150,6 +150,15 @@ jobs:
-o "${out}"
done
- name: 🚧 Stash local changes (including untracked).
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Temporarily store any local modifications or untracked files
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash"
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
@@ -168,6 +177,15 @@ jobs:
git status
git log --oneline -n 5
- name: 🛠️ Restore stashed changes.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Apply previously stashed changes, falls vorhanden
git stash pop || echo "✔️ Nothing to pop"
- name: 📦 Stage generated files.
shell: bash
env:
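Review bot: `git stash pop || echo "✔️ Nothing to pop"` in the restore step masks a failed pop: if the preceding merge-sync touched a generated file, pop exits non-zero, leaves conflict markers in the tree and keeps the stash entry, yet the step passes and the following "Stage generated files" step presumably stages the conflicted output. Test for the entry explicitly so a real conflict fails the job, e.g. `if git stash list | grep -q 'ci-temp'; then git stash pop; else echo "✔️ Nothing to pop"; fi`. The matching `git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash"` in the stash step is misleading for the same reason — `git stash push` exits 0 when there is nothing to stash, so the fallback only ever hides genuine errors. The comment `### Apply previously stashed changes, falls vorhanden` mixes German into an English file; `### Apply previously stashed changes, if any`. The same two steps are added to every other workflow section in this commit, so all of the above applies to each of them, and `GIT_SSH_COMMAND` is set on these steps although stash is purely local.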
@@ -197,7 +215,7 @@ jobs:
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT: Auto-Generate *.html from *.md [skip ci]
COMMIT_MSG="DEPLOY BOT: 🔁 Auto-Generate *.html from *.md [skip ci]
${CI_HEADER}


@@ -11,5 +11,5 @@
build:
counter: 1023
version: V8.03.400.2025.06.05
version: V8.03.512.2025.06.06
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml


@@ -388,6 +388,15 @@ jobs:
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
EOF
- name: 🚧 Stash local changes (including untracked).
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Temporarily store any local modifications or untracked files
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash"
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
@@ -406,6 +415,15 @@ jobs:
git status
git log --oneline -n 5
- name: 🛠️ Restore stashed changes.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Apply previously stashed changes, falls vorhanden
git stash pop || echo "✔️ Nothing to pop"
- name: 📦 Stage generated files.
shell: bash
env:


@@ -385,6 +385,15 @@ jobs:
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
EOF
- name: 🚧 Stash local changes (including untracked).
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Temporarily store any local modifications or untracked files
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash"
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
@@ -403,6 +412,15 @@ jobs:
git status
git log --oneline -n 5
- name: 🛠️ Restore stashed changes.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Apply previously stashed changes, falls vorhanden
git stash pop || echo "✔️ Nothing to pop"
- name: 📦 Stage generated files.
shell: bash
env:


@@ -385,6 +385,15 @@ jobs:
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
EOF
- name: 🚧 Stash local changes (including untracked).
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Temporarily store any local modifications or untracked files
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash"
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
@@ -403,6 +412,15 @@ jobs:
git status
git log --oneline -n 5
- name: 🛠️ Restore stashed changes.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Apply previously stashed changes, falls vorhanden
git stash pop || echo "✔️ Nothing to pop"
- name: 📦 Stage generated files.
shell: bash
env:


@@ -245,6 +245,15 @@ jobs:
EOF
fi
- name: 🚧 Stash local changes (including untracked).
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Temporarily store any local modifications or untracked files
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash"
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
@@ -263,6 +272,15 @@ jobs:
git status
git log --oneline -n 5
- name: 🛠️ Restore stashed changes.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Apply previously stashed changes, falls vorhanden
git stash pop || echo "✔️ Nothing to pop"
- name: 📦 Stage generated files.
shell: bash
env:


@@ -11,7 +11,7 @@
### Version Master V8.03.400.2025.06.05
name: Retrieve DNSSEC status of coresecret.dev.
name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
permissions:
contents: write
@@ -25,7 +25,7 @@ on:
jobs:
build-dnssec-diagram:
name: Retrieve DNSSEC status of coresecret.dev.
name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
runs-on: ubuntu-latest
steps:
@@ -127,6 +127,15 @@ jobs:
dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json
dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png
- name: 🚧 Stash local changes (including untracked).
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Temporarily store any local modifications or untracked files
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash"
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
@@ -145,6 +154,15 @@ jobs:
git status
git log --oneline -n 5
- name: 🛠️ Restore stashed changes.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Apply previously stashed changes, falls vorhanden
git stash pop || echo "✔️ Nothing to pop"
- name: 📦 Stage generated files.
shell: bash
env:
@@ -174,7 +192,7 @@ jobs:
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT: Auto-Generate DNSSEC Status [skip ci]
COMMIT_MSG="DEPLOY BOT: 🛡️ Auto-Generate DNSSEC Status [skip ci]
${CI_HEADER}


@@ -11,7 +11,7 @@
### Version Master V8.03.400.2025.06.05
name: Render Graphviz Diagrams.
name: 🔁 Render Graphviz Diagrams.
permissions:
contents: write
@@ -26,7 +26,7 @@ on:
jobs:
build-graphiz-diagrams:
name: Render Graphviz Diagrams.
name: 🔁 Render Graphviz Diagrams.
runs-on: ubuntu-latest
steps:
@@ -120,6 +120,15 @@ jobs:
dot -Tpng "${file}" -o "${out}"
done
- name: 🚧 Stash local changes (including untracked).
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Temporarily store any local modifications or untracked files
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash"
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
@@ -138,6 +147,15 @@ jobs:
git status
git log --oneline -n 5
- name: 🛠️ Restore stashed changes.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Apply previously stashed changes, falls vorhanden
git stash pop || echo "✔️ Nothing to pop"
- name: 📦 Stage generated files.
shell: bash
env:
@@ -167,7 +185,7 @@ jobs:
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT: DEPLOY BOT: Auto-Generate PNG from *.dot. [skip ci]
COMMIT_MSG="DEPLOY BOT: 🔁 Auto-Generate PNG from *.dot. [skip ci]
${CI_HEADER}