msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.384.2025.11.06
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m37s
Details
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m9s
Details
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Failing after 1m0s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-11-06 19:59:22 +01:00
parent d436346343
commit ef87becefe
93 changed files with 2021 additions and 1229 deletions
Download Patch File Download Diff File Expand all files Collapse all files

136
.archive/generate_PRIVATE_trixie_1.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.296.2025.10.29
# Version Master V8.13.384.2025.11.06
name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -35,10 +35,23 @@ jobs:
container:
image: debian:trixie
steps:
- name: 🛠️ Basic Image Setup.
defaults:
run:
shell: bash
working-directory: ${{ github.workspace }}
steps:
- name: ⏳ Waiting random time to desynchronize parallel workflows.
run: |
set -euo pipefail
var_wait=$(( RANDOM % 33 ))
printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
sleep "${var_wait}"
- name: 🛠️ Basic Image Setup.
run: |
set -euo pipefail
umask 0077
export DEBIAN_FRONTEND=noninteractive
apt-get update -qq
apt-get upgrade -y
@@ -56,27 +69,23 @@ jobs:
util-linux
- name: ⚙️ Check GnuPG Version.
shell: bash
run: |
gpg --version
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
shell: bash
run: |
set -euo pipefail
var_wait=$(( RANDOM % 33 ))
printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
sleep "${var_wait}"
umask 0077
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
chmod 0600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
chmod 0600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
@@ -87,44 +96,40 @@ jobs:
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
chmod 0600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
shell: bash
env:
### GITHUB_REF_NAME contains the branch name from the push event.
GITHUB_REF_NAME: ${{ github.ref_name }}
run: |
set -euo pipefail
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
- name: 🛠 Cleaning the workspace.
shell: bash
- name: Init GNUPGHOME.
run: |
git reset --hard
git clean -fd
set -euo pipefail
umask 0077
GNUPGHOME="/dev/shm/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}.${GITHUB_RUN_ATTEMPT}"
mkdir -p -m 700 "${GNUPGHOME}"
echo "GNUPGHOME=${GNUPGHOME}" >> "${GITHUB_ENV}"
echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf"
gpgconf --reload gpg-agent || true
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
shell: bash
env:
PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
run: |
set -euo pipefail
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m 700 "${GNUPGHOME}"
echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
gpg --batch --import centurion-root.PUB.asc
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
umask 0077
printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
shell: bash
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
git config user.email "msw+bot@coresecret.dev"
git config commit.gpgsign true
@@ -132,15 +137,33 @@ jobs:
git config gpg.format openpgp
- name: ⚙️ Preparing the build environment.
shell: bash
run: |
set -euo pipefail
mkdir -p /opt/config
mkdir -p /opt/livebuild
touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt
echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys
umask 0077
mkdir -p /opt/cdlb/secrets
mkdir -p /opt/cdlb/livebuild
install -m 0600 /dev/null /opt/cdlb/secrets/password.txt
install -m 0600 /dev/null /opt/cdlb/secrets/authorized_keys
install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_ed25519_key
install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_ed25519_key.pub
install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_rsa_key
install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_rsa_key.pub
install -m 0600 /dev/null /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial
install -m 0600 /dev/null /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial.pub
install -m 0600 /dev/null /opt/cdlb/secrets/keys.txt
install -m 0600 /dev/null /opt/cdlb/secrets/luks.txt
echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/cdlb/secrets/password.txt
echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/cdlb/secrets/authorized_keys
echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}" >| /opt/cdlb/secrets/ssh_host_ed25519_key
echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /opt/cdlb/secrets/ssh_host_ed25519_key.pub
echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}" >| /opt/cdlb/secrets/ssh_host_rsa_key
echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}" >| /opt/cdlb/secrets/ssh_host_rsa_key.pub
echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}" >| /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial
echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}" >| /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial.pub
echo "${{ secrets.CISS_PHYS_AGE }}" >| /opt/cdlb/secrets/keys.txt
echo "${{ secrets.CISS_PHYS_LUKS }}" >| /opt/cdlb/secrets/luks.txt
- name: 🔧 Render live hook with secrets.
shell: bash
@@ -153,6 +176,7 @@ jobs:
CISS_PRIMORDIAL: ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
CISS_PHYS_AGE: ${{ secrets.CISS_PHYS_AGE }}
MSW_GPG_DEPLOY_BOT: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
run: |
set -Ceuo pipefail
umask 077
@@ -164,6 +188,7 @@ jobs:
ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
SOPS="${REPO_ROOT}/config/hooks/live/0860_sops.chroot"
BINARY_CHECKSUMS="${REPO_ROOT}/scripts/usr/lib/live/build/binary_checksums.sh"
if [[ ! -f "${TPL}" ]]; then
echo "Template not found: ${TPL}"
@@ -180,6 +205,7 @@ jobs:
export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
export CISS_PHYS_AGE="${CISS_PHYS_AGE//$'\r'/}"
export MSW_GPG_DEPLOY_BOT="${MSW_GPG_DEPLOY_BOT//$'\r'/}"
(
cat << EOF >| "${ID_OUT}"
@@ -216,13 +242,21 @@ jobs:
chmod 0755 "${OUT}"
#perl -0777 -i -pe '
# BEGIN {
# our $age = $ENV{CISS_PHYS_AGE} // q{};
# }
# s/\{\{\s*secrets\.CISS_PHYS_AGE\s*\}\}/$age/g;
#' -- "${SOPS}"
#chmod 0755 "${SOPS}"
perl -0777 -i -pe '
BEGIN {
our $age = $ENV{CISS_PHYS_AGE} // q{};
}
s/\{\{\s*secrets\.CISS_PHYS_AGE\s*\}\}/$age/g;
' -- "${SOPS}"
chmod 0755 "${SOPS}"
perl -0777 -i -pe '
BEGIN {
our $deploy = $ENV{MSW_GPG_DEPLOY_BOT} // q{};
}
s/\{\{\s*secrets\.MSW_GPG_DEPLOY_BOT\s*\}\}/$deploy/g;
' -- "${BINARY_CHECKSUMS}"
chmod 0755 "${BINARY_CHECKSUMS}"
echo "Hook rendered: ${OUT}"
@@ -237,19 +271,21 @@ jobs:
./ciss_live_builder.sh \
--autobuild=6.16.3+deb13-amd64 \
--architecture amd64 \
--build-directory /opt/livebuild \
--build-directory /opt/cdlb/livebuild \
--cdi \
--control "${timestamp}" \
--jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
--root-password-file /opt/config/password.txt \
--root-password-file /opt/cdlb/secrets/password.txt \
--ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
--ssh-pubkey /opt/config \
--ssh-pubkey /opt/cdlb/secrets \
--sshfp \
--trixie
REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
rm -f "$OUT"
echo "Hook removed: $OUT"
shred -fzu -n 5 /opt/cdlb/secrets/authorized_keys
- name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
shell: bash
@@ -297,11 +333,11 @@ jobs:
SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
run: |
set -euo pipefail
if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
echo "❌ There must be exactly one .iso file in the directory!"
exit 1
else
VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
fi
@@ -318,11 +354,11 @@ jobs:
- name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
shell: bash
run: |
if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
echo "❌ There must be exactly one .iso file in the directory!"
exit 1
else
VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
fi