V8.02.644.2025.05.31

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-05-31 00:42:24 +02:00
parent d9fb33376d
commit efa3a5d3aa
49 changed files with 712 additions and 444 deletions
--- a/.gitea/TODO/generate-iso.yaml
+++ b/.gitea/TODO/generate-iso.yaml
@@ -0,0 +1,169 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+name: Generating private Live ISO.
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - '.gitea/autobuild.yaml'
+
+jobs:
+  generating-ciss-debian-live-iso:
+    runs-on: ubuntu-latest
+
+    ### Run all steps inside Debian Bookworm
+    container:
+      image: debian:bookworm
+      options: --user root
+
+    steps:
+      - name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        run: |
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            HostName git.coresecret.dev
+            Port 42842
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        run: |
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+
+      - name: Cleaning workspace.
+        run: |
+          git reset --hard
+          git clean -fd
+
+      - name: Installing Debian Live-Build and Tools.
+        run: |
+          apt-get update
+          apt-get install -y live-build gnupg curl whois
+
+      - name: Importing "CI PGP DEPLOY ONLY" Key.
+        run: |
+          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          export GNUPGHOME="$(pwd)/.gnupg"
+          mkdir -m700 "${GNUPGHOME}"
+          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+          gpg --batch --import ci-bot.sec.asc
+          ### Trust the key automatically
+          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+      - name: Configuring Git for signed CI DEPLOY commits.
+        run: |
+          export GNUPGHOME="$(pwd)/.gnupg"
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: Preparing Build Environment.
+        run: |
+          rm -rf /opt/{config,livebuild}
+          mkdir -p /opt/{config,livebuild}
+          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
+          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
+          chmod 0600 /opt/config/authorized_keys
+
+      - name: Starting CISS.debian.live.builder.
+        run: |
+          timestamp=$(date -u +"%Y_%m_%d_%H_%M_Z")
+          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+          ./ciss_live_builder.sh \
+          --autobuild=6.12.22+bpo-amd64 \
+          --architecture amd64 \
+          --build-directory /opt/livebuild \
+          --control "${timestamp}" \
+          --debug \
+          --dhcp-centurion \
+          --jump-host "${{ secrets.CISS_DLB_JUMP_HOSTS }}" \
+          --provider-netcup-ipv6 "${{ secrets.CISS_DLB_NETCUP_IPV6 }}" \
+          --renice-priority "-19" \
+          --reionice-priority 1 2 \
+          --root-password-file /opt/config/password.txt \
+          --ssh-port 4242 \
+          --ssh-pubkey /opt/config
+
+      - name: Uploading ISO to CenturionCloud "cloud.e2ee.li" via WebDAV
+        env:
+          WEBDAV_URL: "https://cloud.e2ee.li/remote.php/dav/files/runner/PUBLIC/CISS-live/NAME.iso"
+          WEBDAV_USER: ${{ secrets.NC_USER }}
+          WEBDAV_PASS: ${{ secrets.NC_PASS }}
+        run: |
+          ### Remove old ISO if exists
+          curl -u "${WEBDAV_USER}:${WEBDAV_PASS}" -X DELETE "${WEBDAV_URL}" || true
+          ### Upload new ISO
+          curl -u "${WEBDAV_USER}:${WEBDAV_PASS}" -T NAME.iso "${WEBDAV_URL}"
+          ### Verify upload
+          HTTP_CODE=$(curl -o /dev/null -s -w "%{http_code}" -u "${WEBDAV_USER}:${WEBDAV_PASS}" "${WEBDAV_URL}")
+          if [ "$HTTP_CODE" -ne 200 ]; then
+            echo "Upload failed with HTTP status ${HTTP_CODE}"
+            exit 1
+          fi
+          echo "ISO successfully uploaded and verified."
+
+      - name: Generating Hash and Signing with Private Key
+        run: |
+          :
+          ### TODO: Implement this function
+
+      - name: Generating Success Message to Push back into Repo
+        run: |
+          :
+          ### TODO: Implement this function
+
+      - name: Stage generated files.
+        run: |
+          git add !!!!!!!!!!!!!
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+
+      - name: Commit and Sign changes.
+        run: |
+          export GNUPGHOME="$(pwd)/.gnupg"
+          git commit -S -m "DEPLOY BOT: Auto-Generate LIVE ISO [skip ci]" || echo "No Changes, nothing to Sign or to Commit."
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+
+      - name: Push back to Repository.
+        run: |
+          git push origin HEAD:${GITHUB_REF_NAME}
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/autobuild.yaml
+++ b/.gitea/autobuild.yaml
@@ -0,0 +1,15 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+build:
+  counter: 1024
+  version: V8.02.644.2025.05.31
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml