msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.384.2025.11.06
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m37s
Details
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m9s
Details
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Failing after 1m0s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-11-06 19:59:22 +01:00
parent d436346343
commit ef87becefe
93 changed files with 2021 additions and 1229 deletions
Download Patch File Download Diff File Expand all files Collapse all files

130
ciss_live_builder.sh
View File

@@ -22,23 +22,19 @@
### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES.
# shellcheck disable=SC2155
declare -agx ARY_PARAM_ARRAY=("$@") # Arguments passed to script as an array.
declare -girx VAR_START_TIME="${SECONDS}" # Start time of script execution.
declare -grx VAR_PARAM_COUNT="$#" # Arguments passed to script.
declare -grx VAR_PARAM_STRNG="$*" # Arguments passed to script as string.
declare -ag ARY_PARAM_ARRAY=("$@") # Arguments passed to script as an array.
declare -grx VAR_SETUP_FILE="${0##*/}" # 'ciss_debian_live_builder.sh'
declare -grx VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)" # '/opt/git/CISS.debian.live.builder'
declare -grx VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/opt/git/CISS.debian.live.builder/ciss_debian_live_builder.sh'
# shellcheck disable=SC2155
declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
# shellcheck disable=SC2155
declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
# shellcheck disable=SC2155
declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
declare -grx VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/root/git/CISS.debian.live.builder/ciss_debian_live_builder.sh'
declare -grx VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)" # '/root/git/CISS.debian.live.builder'
declare -grx VAR_TMP_SECRET="/dev/shm/cdlb_secrets" # Fixed tmpfs path to store securely build artifacts.
declare -grx VAR_WORKDIR="$(dirname "${VAR_SETUP_FULL}")" # '/root/git/CISS.debian.live.builder'
### PRELIMINARY CHECKS.
### No ash, dash, ksh, sh.
# shellcheck disable=2292
# shellcheck disable=SC2292
[ -z "${BASH_VERSINFO[0]}" ] && {
. ./var/global.var.sh
printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2
@@ -60,7 +56,7 @@ declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
}
### Check to be not called by sh.
# shellcheck disable=2312
# shellcheck disable=SC2312
[[ $(kill -l | grep -c SIG) -eq 0 ]] && {
. ./var/global.var.sh
printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2
@@ -95,30 +91,29 @@ declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
exit 1
}
### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT()
### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT().
. ./var/early.var.sh
. ./lib/lib_guard_sourcing.sh
. ./lib/lib_source_guard.sh
source_guard "./lib/lib_git_var.sh"
### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG
for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh ; usage ; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh; version; exit 0;; esac; done
### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG.
for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh ; contact; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh ; usage ; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh ; version; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -d|--debug) . ./meta_sources_debug.sh; debugger "${@}";; esac; done
### ALL CHECKS DONE. READY TO START THE SCRIPT
source_guard "./var/bash.var.sh"
check_git
for arg in "$@"; do case "${arg,,}" in -d|--debug) . ./meta_sources_debug.sh; debugger "${@}";; esac; done
declare -gx VAR_SETUP="true"
### ALL CHECKS DONE. READY TO START THE SCRIPT.
find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/secret" -type f -exec chmod 0400 {} +
declare -grx VAR_SETUP="true"
### SOURCING VARIABLES
### SOURCING VARIABLES.
[[ "${VAR_SETUP}" == true ]] && {
source_guard "./var/bash.var.sh"
source_guard "./var/color.var.sh"
source_guard "./var/global.var.sh"
}
### SOURCING LIBRARIES
### SOURCING LIBRARIES.
[[ "${VAR_SETUP}" == true ]] && {
source_guard "./lib/lib_arg_parser.sh"
source_guard "./lib/lib_arg_priority_check.sh"
@@ -132,19 +127,21 @@ declare -gx VAR_SETUP="true"
source_guard "./lib/lib_check_provider.sh"
source_guard "./lib/lib_check_stats.sh"
source_guard "./lib/lib_check_var.sh"
source_guard "./lib/lib_ciss_upgrades.sh"
source_guard "./lib/lib_ciss_upgrades_boot.sh"
source_guard "./lib/lib_ciss_upgrades_build.sh"
source_guard "./lib/lib_clean_screen.sh"
source_guard "./lib/lib_clean_up.sh"
source_guard "./lib/lib_copy_integrity.sh"
source_guard "./lib/lib_gnupg.sh"
source_guard "./lib/lib_hardening_root_pw.sh"
source_guard "./lib/lib_hardening_ssh.sh"
source_guard "./lib/lib_hardening_ssh_tcp.sh"
source_guard "./lib/lib_hardening_ultra.sh"
source_guard "./lib/lib_helper_ip.sh"
source_guard "./lib/lib_lb_build_start.sh"
source_guard "./lib/lib_lb_config_start.sh"
source_guard "./lib/lib_lb_config_write.sh"
source_guard "./lib/lib_lb_config_write_trixie.sh"
source_guard "./lib/lib_note_target.sh"
source_guard "./lib/lib_primordial.sh"
source_guard "./lib/lib_provider_netcup.sh"
source_guard "./lib/lib_run_analysis.sh"
source_guard "./lib/lib_sanitizer.sh"
@@ -154,7 +151,7 @@ declare -gx VAR_SETUP="true"
source_guard "./lib/lib_usage.sh"
}
### ADVISORY LOCK
### ADVISORY LOCK.
exec 127>/var/lock/ciss_live_builder.lock || {
printf "\e[91m❌ Cannot open lockfile for writing! Bye... \e[0m\n" >&2
exit "${ERR_FLOCK_WRTG}"
@@ -165,97 +162,92 @@ if ! flock -x -n 127; then
exit "${ERR_FLOCK_COLL}"
fi
### CHECK FOR AUTOBUILD MODE
### CHECK FOR AUTOBUILD MODE.
for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -gx VAR_HANDLER_AUTOBUILD="true"; declare -gx VAR_KERNEL="${arg#*=}";; esac; done; unset arg
for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *) PATH="${PATH}:${dir}" ;; esac; done; export PATH; unset dir
### CHECKING REQUIRED PACKAGES
### CHECKING REQUIRED PACKAGES.
check_pkgs
### DIALOG OUTPUT FOR INITIALIZATION
### DIALOG OUTPUT FOR INITIALIZATION.
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen; fi
### Updating Status of Dialog Gauge Bar
### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
### Updating Status of Dialog Gauge Bar
### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
### Updating Status of Dialog Gauge Bar
### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
### Following the CISS Bash naming and ordering scheme:
trap 'trap_on_exit "$?"' EXIT
trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
### Updating Status of Dialog Gauge Bar
### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
arg_check "$@"
declare -ar ARY_ARG_SANITIZED=("$@")
declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
declare -ar ARY_ARG_SANITIZED=("$@")
declare -grx VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
### Updating Status of Dialog Gauge Bar
### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
arg_parser "$@"
### Updating Status of Dialog Gauge Bar
### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
clean_ip
### Updating Status of Dialog Gauge Bar
### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
### Turn off Dialog Wrapper
### Turn off the dialog wrapper.
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
### MAIN Program
### MAIN Program ---------------------------------------------------------------------------------------------------------------
arg_priority_check
check_stats
if ! ${VAR_HANDLER_AUTOBUILD}; then check_provider; fi
if ! ${VAR_HANDLER_AUTOBUILD}; then check_kernel; fi
if [[ ! "${VAR_SSHFP}" == "true" ]]; then
rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
fi
ciss_upgrades_build
hardening_ssh_tcp
check_hooks
hardening_ssh
ciss_upgrades
### Preparing the build environment.
lb_config_start
if [[ "${VAR_SUITE}" == "bookworm" ]]; then
lb_config_write
rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_trixie.chroot"
rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/etc/login.defs"
else
lb_config_write_trixie
rm -f "${SCRIPT_BASEPATH}/config/hooks/live/0003_install_backports.chroot"
rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_bookworm.chroot"
fi
# shellcheck disable=SC2164
cd "${VAR_WORKDIR}"
hardening_ultra
hardening_root_pw
### Writing the build configuration.
lb_config_write_trixie
### Init GNUPGHOME.
init_gnupg
### Integrate primordial SSH identity files.
init_primordial
### CISS.debian.installer 'GRUB' and 'autostart' generator.
cdi
change_splash
check_dhcp
cdi
provider_netcup
ciss_upgrades_boot
hardening_root_pw
hardening_ultra
note_target
provider_netcup
update_microcode
x_hooks
### Start the build process
set +o errtrace
lb_build_start
set -o errtrace
run_analysis
copy_db
declare -g VAR_SCRIPT_SUCCESS=true
declare -grx VAR_SCRIPT_SUCCESS="true"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh