msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.296.2025.10.29
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m24s
Details
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Failing after 17m43s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-29 18:57:45 +01:00
parent 262a8d471c
commit edd23e5be5
29 changed files with 57 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
View File

@@ -10,6 +10,6 @@
# SPDX-Security-Contact: security@coresecret.eu
build:
counter: 1023
counter: 1024
version: V8.13.296.2025.10.29
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

2
config/hooks/live/0000_basic_chroot_setup.chroot
View File

@@ -196,7 +196,7 @@ generate_ciss_xdg_sh
generate_ciss_xdg_tmp_sh
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
apt-get update -qq
apt-get install -y --no-install-suggests libpam-systemd

2
config/hooks/live/0001_initramfs_modules.chroot
View File

@@ -54,7 +54,7 @@ grep_nic_driver_modules() {
}
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
apt-get install -y intel-microcode amd64-microcode
# shellcheck disable=SC2155

2
config/hooks/live/0007_update_logrotate.chroot
View File

@@ -14,7 +14,7 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
rm -f "/etc/logrotate.conf"
cat << EOF >| "/etc/logrotate.conf"

2
config/hooks/live/0010_install_apparmor.chroot
View File

@@ -14,7 +14,7 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
apt-get install -y --no-install-recommends apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra
install -d /etc/systemd/system/apparmor.service.d

2
config/hooks/live/0080_keyboard_layout.chroot
View File

@@ -22,7 +22,7 @@ BACKSPACE="guess"
EOF
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
dpkg-reconfigure -f noninteractive keyboard-configuration
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

2
config/hooks/live/0090_jitterentropy.chroot
View File

@@ -14,7 +14,7 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
apt-get install -y --no-install-recommends jitterentropy-rngd
cd /root

2
config/hooks/live/0400_eza_install.chroot
View File

@@ -24,7 +24,7 @@ echo "deb [signed-by=/etc/apt/keyrings/gierens.gpg] http://deb.gierens.de stable
chmod 644 /etc/apt/keyrings/gierens.gpg /etc/apt/sources.list.d/gierens.list
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
apt-get update -qq
apt-get install -y eza

2
config/hooks/live/0800_lynis_setup.chroot
View File

@@ -17,7 +17,7 @@ curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --d
echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
apt-get update -qq
apt-get install -y lynis
lynis show version

2
config/hooks/live/0810_chrony_setup.chroot
View File

@@ -16,7 +16,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
mkdir -p /var/log/chrony
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
export TZ="Etc/UTC"
apt-get install -y adjtimex chrony tzdata

2
config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
View File

@@ -14,7 +14,7 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && \
apt-get install -y nodejs

2
config/hooks/live/0860_sops.chroot
View File

@@ -14,7 +14,7 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
SOPS_VER="v3.11.0"
ARCH="$(dpkg --print-architecture)"

2
config/hooks/live/0865_yq.chroot
View File

@@ -14,7 +14,7 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/local/bin/yq && chmod +x /usr/local/bin/yq

2
config/hooks/live/9900_process_accounting.chroot
View File

@@ -14,7 +14,7 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
apt-get install -y acct
if [[ ! -d /etc/systemd/system/multi-user.target.wants ]]; then

2
config/hooks/live/9970_remove_exim.chroot
View File

@@ -14,7 +14,7 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
cd /etc

2
config/hooks/live/9980_usb_guard.chroot
View File

@@ -14,7 +14,7 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
apt-get install -y usbguard
### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm

2
config/hooks/live/9990_final_purge.chroot
View File

@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
apt-get update -qq

2
config/hooks/live/9993_aide.chroot
View File

@@ -14,7 +14,7 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
apt-get install -y aide > /dev/null 2>&1
cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak

2
config/hooks/live/9996_auditd.chroot
View File

@@ -26,7 +26,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
cd /root
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
apt-get install -y auditd
cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak

2
config/hooks/live/9997_debsums.chroot
View File

@@ -16,7 +16,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
cd /root
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
apt-get install -y --no-install-recommends debsums
cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak

2
config/hooks/live/9998_sources_list_trixie.chroot
View File

@@ -14,7 +14,7 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
# shellcheck disable=SC2155
declare -r VAR_DATE="$(date +%F)"

2
config/hooks/live/9999_yyyy_logrotate.chroot
View File

@@ -34,7 +34,7 @@ declare -ar ary_logrotate=(
declare var_file="" var_log=""
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
for var_log in "${ary_logrotate[@]}"; do

18
config/includes.chroot/etc/ciss/keys/0x8733B021_public.asc Normal file
View File

@@ -0,0 +1,18 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEaDcItBYJKwYBBAHaRw8BAQdAFyGLpFASTiK4vBgycV2wjb3ZaNqhjZ33E1ir
MiU98Fu0LE1hcmMgUy4gV2VpZG5lciBCT1QgPG1zdytib3RAY29yZXNlY3JldC5k
ZXY+iJkEExYIAEEWIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaDcItAIbAwUJCKVq
fAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRA85KY4hzOwIVOoAQD9WXoh
Isjs4q7RCAtCXXWO4y4p8Dmn1AjCRN07vBYskQEAu/LjJYpjC553SnLPEN2PjZBt
pNkwp/fMg2oigxRkygyI1AUQFggAVCIhBW/TwxZOreRiASSn6MzNd4l1ywe1QKfL
3kbW7jRInWnCBQJoNwjMBYMIpYaAJBSAAAAAAA0ADnJlbUBnbnVwZy5vcmdDZW50
dXJpb24sQ0lDQQAA3TABxjNpYGUWhvt6x3h688F1KJfeWrrMetflFZBA3UzoIAAg
SltgMYRnCzpZFGnQILKgj9jyakwckxFLAAHHY/I0Fxmc5ujfkGScUhUKPhruVT2x
w4aHogEuE9Ebu94JuvBQX3+RlHjG+47qG7bmAT81E47Hih0AuDgEaDcItBIKKwYB
BAGXVQEFAQEHQOKAnInWn3Wy1fUJJD7bycrXEx6SoLejW5/0jGIG2VdGAwEIB4h+
BBgWCAAmFiEEqmJzzDShs+vWn8hwPOSmOIczsCEFAmg3CLQCGwwFCQilanwACgkQ
POSmOIczsCHztAEA2AWCPQ8V8hNdEBvYHwRye8Q9FJO7IyciwwpjH1nOBLMBAJS2
OSrjMYBFaumow950s7T2d7BEpnxJBtCwfuF+RwgI
=QwhF
-----END PGP PUBLIC KEY BLOCK-----

BIN
config/includes.chroot/etc/ciss/keys/0x8733B021_public.gpg Normal file
View File

Binary file not shown.

13
config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.asc Normal file
View File

@@ -0,0 +1,13 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEaCxYpRYJKwYBBAHaRw8BAQdAr9mRwJ44x3qirCRbE+qjgwBDzZLVkKXvC4UI
AHxvyMK0JE1hcmMgUy4gV2VpZG5lciA8bXN3QGNvcmVzZWNyZXQuZGV2PoiZBBMW
CABBFiEEh/wgoINpSv+4MwEbhAKZkeYuhPgFAmgsWKUCGwMFCQiwGosFCwkIBwIC
IgIGFQoJCAsCBBYCAwECHgcCF4AACgkQhAKZkeYuhPhWnQEAulGegHfBva0ezN5/
VVqLqDVTe+etr3crCcxKpj8gg7wA/3OfkCvgPht18OoIQbR1IA7jDBSOKvY8OfcR
1632dZIIuDgEaCxYpRIKKwYBBAGXVQEFAQEHQP34OGSMdCMM8Ku/QY7NC81xbL0h
kOFdDGlKlA865+kpAwEIB4h+BBgWCAAmFiEEh/wgoINpSv+4MwEbhAKZkeYuhPgF
AmgsWKUCGwwFCQiwGosACgkQhAKZkeYuhPhnjgD+IHh9XhE+s3VB3ItDIgtT9gTA
S8ET80dQcFmFGYfjs/oBALmXXxceE+aSd2VO6dumqhtzWCGE7S52/50hxRgLsi8G
=C3ox
-----END PGP PUBLIC KEY BLOCK-----

BIN
config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.gpg Normal file
View File

Binary file not shown.

2
config/package-lists/live.list.common.chroot
View File

@@ -35,7 +35,6 @@ console-setup
cosign
cpuid
cryptsetup
cryptsetup-initramfs
cryptsetup-nuke-password
curl
debconf
@@ -53,7 +52,6 @@ dmsetup
dnsviz
dosfstools
dpkg-dev
dropbear-initramfs
e2fsprogs
efibootmgr
expect

2
docs/CHANGELOG.md
View File

@@ -14,7 +14,7 @@ include_toc: true
## V8.13.296.2025.10.29
* **Changed**: ``lockdown=confidentiality`` -> ``lockdown=integrity``
* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - clamav, clamav-daemon // + cryptsetup-initramfs, dropbear-initramfs
* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - clamav, clamav-daemon
* **Removed**: [9985_clamav.chroot](../.archive/9985_clamav.chroot)
## V8.13.294.2025.10.28

6
lib/lib_lb_config_write_trixie.sh
View File

@@ -116,9 +116,9 @@ lb_config_write_trixie() {
### Installing PGP Public Keys for signature verification.
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys"
install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/0x8733B021_public.gpg"
install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.gpg"
#mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys"
#install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/0x8733B021_public.gpg"
#install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.gpg"
#### Installing PGP Private Deploy Key for signature creation
#mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/cdlb/private_keys"