diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile
new file mode 100644
index 0000000..c4e68dd
--- /dev/null
+++ b/.gitea/TODO/dockerfile
@@ -0,0 +1,69 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.03.400.2025.06.05
+
+FROM debian:bookworm
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update -y \
+ && apt-get upgrade -y \
+ && apt-get install -y \
+ apt-transport-https \
+ apt-utils \
+ bash \
+ ca-certificates \
+ gnupg \
+ openssl \
+ sudo \
+ && apt-get update -y \
+ && apt-get upgrade -y \
+ && apt-get clean \
+ && apt-get autoremove --purge -y \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir -p /etc/apt/sources.list.d && touch /etc/apt/sources.list.d/bookworm-backports.list \
+ && echo 'deb https://deb.debian.org/debian bookworm-backports main' >| /etc/apt/sources.list.d/bookworm-backports.list \
+ && apt-get update -y \
+ && apt-get upgrade -y \
+ && apt-get install -y --no-install-recommends \
+ autoconf \
+ automake \
+ build-essential \
+ cryptsetup \
+ curl \
+ debootstrap \
+ dosfstools \
+ efibootmgr \
+ gettext \
+ git \
+ haveged \
+ libtool \
+ live-build \
+ parted \
+ pkg-config \
+ ssh \
+ ssl-cert \
+ texinfo \
+ wget \
+ whois \
+ && apt-get clean \
+ && apt-get autoremove --purge -y \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN useradd --create-home --shell /bin/bash runner
+
+WORKDIR /home/runner
+
+USER runner
+
+ENTRYPOINT ["bash"]
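Review bot: `FROM debian:bookworm` is a floating tag and the first RUN then runs `apt-get upgrade -y` twice, so what ends up in the image depends on the build date rather than on this file; pin the base by digest, e.g. `FROM debian:bookworm@sha256:<BASE_DIGEST>` (placeholder), and drop the second `apt-get update -y && apt-get upgrade -y` in that RUN, which only re-runs against the index refreshed a few lines earlier. The first `apt-get install -y` also lacks the `--no-install-recommends` that the second RUN uses, so the base layer pulls in recommended packages that the later layer deliberately avoids. `ENV DEBIAN_FRONTEND=noninteractive` is baked into the runtime environment of the image; prefixing the apt-get invocations inline (`DEBIAN_FRONTEND=noninteractive apt-get …`) keeps it build-only. `sudo` is installed but `runner` is created with no group membership or sudoers entry in this file, so unless something outside the Dockerfile grants it, the package is unused and can be removed rather than kept as a future privilege path.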
diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml index 52eb366..51e8ba7 100644 --- a/.gitea/TODO/render-md-to-html.yaml +++ b/.gitea/TODO/render-md-to-html.yaml @@ -11,7 +11,7 @@ ### Version Master V8.03.400.2025.06.05 -name: Render README.md to README.html. +name: 🔁 Render README.md to README.html. permissions: contents: write @@ -26,7 +26,7 @@ on: jobs: render-md-to-html: - name: Render README.md to README.html. + name: 🔁 Render README.md to README.html. runs-on: ubuntu-latest steps: @@ -111,28 +111,28 @@ jobs: sudo apt-get update sudo apt-get install -y pandoc - #- name: ⚙️ Ensure .html/ directory exists. - # shell: bash - # run: - # mkdir -p .html + - name: ⚙️ Ensure .html/ directory exists. + shell: bash + run: + mkdir -p .html - #- name: 🛠️ Render *.md to full standalone HTML. - # shell: bash - # run: | - # set -euo pipefail - # find . \( -path "*/.*" -prune \) -o -type f -name "*.md" -print | while read file; do - # out=$(basename "${file%.md}.html") - # pandoc -s "${file}" \ - # --metadata title="${file}" \ - # --metadata lang=en \ - # -f gfm+footnotes \ - # -t html5 \ - # --no-highlight \ - # --strip-comments \ - # --wrap=none \ - # --lua-filter=.gitea/properties/lua/linkfix.lua \ - # -o .html/"${out}" - # done + - name: 🛠️ Render *.md to full standalone HTML. + shell: bash + run: | + set -euo pipefail + find . \( -path "*/.*" -prune \) -o -type f -name "*.md" -print | while read file; do + out=$(basename "${file%.md}.html") + pandoc -s "${file}" \ + --metadata title="${file}" \ + --metadata lang=en \ + -f gfm+footnotes \ + -t html5 \ + --no-highlight \ + --strip-comments \ + --wrap=none \ + --lua-filter=.gitea/properties/lua/linkfix.lua \ + -o .html/"${out}" + done - name: 🛠️ Extract HTML fragment for Gitea for *.md. shell: bash 
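Review bot: The render loop that this hunk re-enables names every output `basename "${file%.md}.html"` inside `.html/`, so two Markdown files with the same name in different directories (a nested `README.md`, for example) overwrite each other and only the last one `find` visits survives; derive the output name from the path relative to the repository root, or at least fail when the target already exists. `while read file` should be `while IFS= read -r file` (or `-print0` with `read -r -d ''`) so backslashes and leading whitespace in a path are not altered before the name reaches pandoc; e.g. `find . \( -path "*/.*" -prune \) -o -type f -name "*.md" -print0 | while IFS= read -r -d '' file; do`. The enclosing `steps:` list starts before this hunk.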
@@ -150,6 +150,15 @@ jobs: -o "${out}" done + - name: 🚧 Stash local changes (including untracked). + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + ### Temporarily store any local modifications or untracked files + git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash" + - name: 🔄 Sync with remote before commit using merge strategy. shell: bash env: @@ -168,6 +177,15 @@ jobs: git status git log --oneline -n 5 + - name: 🛠️ Restore stashed changes. + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + ### Apply previously stashed changes, falls vorhanden + git stash pop || echo "✔️ Nothing to pop" + - name: 📦 Stage generated files. shell: bash env: @@ -197,7 +215,7 @@ jobs: WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}" CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}" - COMMIT_MSG="DEPLOY BOT: Auto-Generate *.html from *.md [skip ci] + COMMIT_MSG="DEPLOY BOT: 🔁 Auto-Generate *.html from *.md [skip ci] ${CI_HEADER} diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml index 7841ae1..265d162 100644 --- a/.gitea/trigger/t_generate_dns.yaml +++ b/.gitea/trigger/t_generate_dns.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V8.03.400.2025.06.05 + version: V8.03.512.2025.06.06 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml b/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml index ccc5e19..4671a95 100644 --- a/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml +++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml 
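Review bot: In the new stash step (`@@ -150,6 +150,15 @@`) the fallback `|| echo "✔️ Nothing to stash"` never fires for a clean tree, because `git stash push` prints "No local changes to save" and exits 0 in that case; the only failures it masks are real ones (an unwritable repository, a broken index), which should stop the job rather than print a success mark. The step also sets `GIT_SSH_COMMAND` although `git stash` does not contact the remote, so limiting that env to the sync step makes it clearer which steps reach the network. The same step is added verbatim in generate_PRIVATE_iso_flavour_0, generate_PRIVATE_iso_flavour_1, generate_PUBLIC_iso, linter_char_scripts, render-dnssec-status and render-dot-to-png, so the change applies to all of them. Proposed line: `git stash push --include-untracked -m "ci-temp"`.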
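Review bot: `git stash pop || echo "✔️ Nothing to pop"` (`@@ -168,6 +177,15 @@`) hides the one failure that matters: when the merge in the preceding sync step touched a file that was stashed, `pop` exits non-zero, leaves conflict markers in the working tree and keeps the stash entry, and the following "Stage generated files" step then stages those markers for the bot commit. Distinguish the empty-stash case from a failed pop, for example `if [ -n "$(git stash list)" ]; then git stash pop; else echo "✔️ Nothing to pop"; fi`, so a conflict still fails the job. The comment `### Apply previously stashed changes, falls vorhanden` mixes German into an English file; `### Apply previously stashed changes, if any` reads consistently. This hunk is duplicated in the other five workflow files touched by this commit.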
@@ -388,6 +388,15 @@ jobs: # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text EOF + - name: 🚧 Stash local changes (including untracked). + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + ### Temporarily store any local modifications or untracked files + git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash" + - name: 🔄 Sync with remote before commit using merge strategy. shell: bash env: @@ -406,6 +415,15 @@ jobs: git status git log --oneline -n 5 + - name: 🛠️ Restore stashed changes. + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + ### Apply previously stashed changes, falls vorhanden + git stash pop || echo "✔️ Nothing to pop" + - name: 📦 Stage generated files. shell: bash env: diff --git a/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml b/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml index 9e0fa48..9ee6a77 100644 --- a/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml +++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml @@ -385,6 +385,15 @@ jobs: # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text EOF + - name: 🚧 Stash local changes (including untracked). + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + ### Temporarily store any local modifications or untracked files + git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash" + - name: 🔄 Sync with remote before commit using merge strategy. shell: bash env: @@ -403,6 +412,15 @@ jobs: git status git log --oneline -n 5 + - name: 🛠️ Restore stashed changes. + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + ### Apply previously stashed changes, falls vorhanden + git stash pop || echo "✔️ Nothing to pop" + - name: 📦 Stage generated files. shell: bash env: diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml index a78e086..59a69ff 100644 
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml +++ b/.gitea/workflows/generate_PUBLIC_iso.yaml @@ -385,6 +385,15 @@ jobs: # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text EOF + - name: 🚧 Stash local changes (including untracked). + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + ### Temporarily store any local modifications or untracked files + git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash" + - name: 🔄 Sync with remote before commit using merge strategy. shell: bash env: @@ -403,6 +412,15 @@ jobs: git status git log --oneline -n 5 + - name: 🛠️ Restore stashed changes. + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + ### Apply previously stashed changes, falls vorhanden + git stash pop || echo "✔️ Nothing to pop" + - name: 📦 Stage generated files. shell: bash env: diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml index 0bf595d..70a18f2 100644 --- a/.gitea/workflows/linter_char_scripts.yaml +++ b/.gitea/workflows/linter_char_scripts.yaml @@ -245,6 +245,15 @@ jobs: EOF fi + - name: 🚧 Stash local changes (including untracked). + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + ### Temporarily store any local modifications or untracked files + git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash" + - name: 🔄 Sync with remote before commit using merge strategy. shell: bash env: @@ -263,6 +272,15 @@ jobs: git status git log --oneline -n 5 + - name: 🛠️ Restore stashed changes. + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + ### Apply previously stashed changes, falls vorhanden + git stash pop || echo "✔️ Nothing to pop" + - name: 📦 Stage generated files. shell: bash env: diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml index 47e8648..0d4876a 100644 
--- a/.gitea/workflows/render-dnssec-status.yaml +++ b/.gitea/workflows/render-dnssec-status.yaml @@ -11,7 +11,7 @@ ### Version Master V8.03.400.2025.06.05 -name: Retrieve DNSSEC status of coresecret.dev. +name: 🛡️ Retrieve DNSSEC status of coresecret.dev. permissions: contents: write @@ -25,7 +25,7 @@ on: jobs: build-dnssec-diagram: - name: Retrieve DNSSEC status of coresecret.dev. + name: 🛡️ Retrieve DNSSEC status of coresecret.dev. runs-on: ubuntu-latest steps: @@ -127,6 +127,15 @@ jobs: dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png + - name: 🚧 Stash local changes (including untracked). + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + ### Temporarily store any local modifications or untracked files + git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash" + - name: 🔄 Sync with remote before commit using merge strategy. shell: bash env: @@ -145,6 +154,15 @@ jobs: git status git log --oneline -n 5 + - name: 🛠️ Restore stashed changes. + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + ### Apply previously stashed changes, falls vorhanden + git stash pop || echo "✔️ Nothing to pop" + - name: 📦 Stage generated files. shell: bash env: @@ -174,7 +192,7 @@ jobs: WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}" CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}" - COMMIT_MSG="DEPLOY BOT: Auto-Generate DNSSEC Status [skip ci] + COMMIT_MSG="DEPLOY BOT: 🛡️ Auto-Generate DNSSEC Status [skip ci] ${CI_HEADER} diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml index ab138cf..68875a0 100644 --- a/.gitea/workflows/render-dot-to-png.yaml +++ b/.gitea/workflows/render-dot-to-png.yaml 
@@ -11,7 +11,7 @@ ### Version Master V8.03.400.2025.06.05 -name: Render Graphviz Diagrams. +name: 🔁 Render Graphviz Diagrams. permissions: contents: write @@ -26,7 +26,7 @@ on: jobs: build-graphiz-diagrams: - name: Render Graphviz Diagrams. + name: 🔁 Render Graphviz Diagrams. runs-on: ubuntu-latest steps: @@ -120,6 +120,15 @@ jobs: dot -Tpng "${file}" -o "${out}" done + - name: 🚧 Stash local changes (including untracked). + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + ### Temporarily store any local modifications or untracked files + git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash" + - name: 🔄 Sync with remote before commit using merge strategy. shell: bash env: @@ -138,6 +147,15 @@ jobs: git status git log --oneline -n 5 + - name: 🛠️ Restore stashed changes. + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + ### Apply previously stashed changes, falls vorhanden + git stash pop || echo "✔️ Nothing to pop" + - name: 📦 Stage generated files. shell: bash env: @@ -167,7 +185,7 @@ jobs: WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}" CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}" - COMMIT_MSG="DEPLOY BOT: DEPLOY BOT: Auto-Generate PNG from *.dot. [skip ci] + COMMIT_MSG="DEPLOY BOT: 🔁 Auto-Generate PNG from *.dot. [skip ci] ${CI_HEADER}