Compare commits
31 Commits
0ba66ee264
...
v8.13.008-
| Author | SHA256 | Date | |
|---|---|---|---|
f35e3bff4f
|
|||
|
22d6c9a061
|
|||
|
e3206cc4be
|
|||
|
3e5ade4758
|
|||
|
3d79ff973f
|
|||
|
08653b1398
|
|||
|
440a393c67
|
|||
|
c1715f896f
|
|||
|
499bfe9c86
|
|||
|
6b397e27b1
|
|||
|
0da89626e6
|
|||
|
9c59edb3cb
|
|||
|
e0b1300538
|
|||
|
d5a3b6eca5
|
|||
|
fbc6f9e9a9
|
|||
|
bbc7fcfe56
|
|||
|
7d97dfd1b4
|
|||
|
76b3c4d49e
|
|||
|
8da33a5e38
|
|||
|
1330ed9cc9
|
|||
|
25361c66bf
|
|||
|
e52231a865
|
|||
|
5decedf83c
|
|||
|
003790123e
|
|||
|
2d3d8339de
|
|||
|
c774974171
|
|||
|
10204504ae
|
|||
|
00bd9ea193
|
|||
|
dc6f9b0d7b
|
|||
|
82b9f7395c
|
|||
|
5c16a5a097
|
@@ -1,15 +0,0 @@
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.live.builder
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
|
||||
build:
|
||||
counter: 1023
|
||||
version: V8.13.008.2025.08.22
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
|
||||
@@ -1,5 +1,5 @@
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
@@ -1,5 +1,5 @@
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
@@ -1,485 +0,0 @@
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.live.builder
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
|
||||
### Version Master V8.13.008.2025.08.22
|
||||
|
||||
name: 🔐 Generating a Private Live ISO FLV 0.
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
paths:
|
||||
- '.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml'
|
||||
|
||||
jobs:
|
||||
generate-private-ciss-debian-live-iso:
|
||||
name: 🔐 Generating a Private Live ISO FLV 0.
|
||||
runs-on: ciss.debian.live.builder.iso.generator
|
||||
|
||||
### Run all steps inside Debian Bookworm
|
||||
container:
|
||||
image: debian:bookworm
|
||||
|
||||
steps:
|
||||
- name: 🛠️ Basic Image Setup and enable Bookworm Backports.
|
||||
run: |
|
||||
apt-get update -y
|
||||
apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
|
||||
echo 'deb https://deb.debian.org/debian bookworm-backports main' \
|
||||
>| /etc/apt/sources.list.d/bookworm-backports.list
|
||||
apt-get update -y
|
||||
apt-get upgrade -y
|
||||
|
||||
- name: 🛠️ Installing Build Tools.
|
||||
shell: bash
|
||||
run: |
|
||||
apt-get update -y
|
||||
apt-get install -y \
|
||||
autoconf \
|
||||
automake \
|
||||
build-essential \
|
||||
cryptsetup \
|
||||
curl \
|
||||
debootstrap \
|
||||
dosfstools \
|
||||
efibootmgr \
|
||||
gettext \
|
||||
git \
|
||||
gnupg \
|
||||
haveged \
|
||||
libbz2-dev \
|
||||
zlib1g-dev \
|
||||
liblzma-dev \
|
||||
libtool \
|
||||
live-build \
|
||||
parted \
|
||||
pkg-config \
|
||||
ssh \
|
||||
ssl-cert \
|
||||
sudo \
|
||||
texinfo \
|
||||
wget \
|
||||
whois \
|
||||
|
||||
- name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
|
||||
shell: bash
|
||||
run: |
|
||||
urls=(
|
||||
"https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
|
||||
"https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
|
||||
"https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
|
||||
"https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
|
||||
"https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
|
||||
"https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
|
||||
)
|
||||
|
||||
wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
|
||||
gpg --batch --import signature_key.asc
|
||||
|
||||
for url in "${urls[@]}"; do
|
||||
archive_name="${url##*/}"
|
||||
pkg_name="${archive_name%.tar.bz2}"
|
||||
echo "🔄 Processing ${pkg_name}"
|
||||
if [[ ! -f "${archive_name}" ]]; then
|
||||
echo "📥 Downloading: '${archive_name}'."
|
||||
if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
|
||||
echo "✅ Download successful: '${archive_name}'."
|
||||
else
|
||||
echo "❌ Download NOT successful: '${archive_name}'."
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
echo "💡 Skipping download, package already exists: '${archive_name}'."
|
||||
fi
|
||||
|
||||
if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
|
||||
|
||||
if [[ ! -d "${pkg_name}" ]]; then
|
||||
echo "📂 Extracting: '${archive_name}'."
|
||||
if tar -xjf "${archive_name}"; then
|
||||
echo "✅ Extraction successful: '${archive_name}'."
|
||||
else
|
||||
echo "❌ Extraction not successful: '${archive_name}'."
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
echo "💡 Skipping directory, already exists: '${pkg_name}'."
|
||||
fi
|
||||
|
||||
echo "🏗️ Build and install the package: '${pkg_name}'."
|
||||
cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
|
||||
mkdir -p build
|
||||
cd build || { echo "❌ Could not change to '/build'."; exit 1; }
|
||||
|
||||
sudo ../configure > /dev/null 2>&1 || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
|
||||
make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
|
||||
sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
|
||||
|
||||
cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
|
||||
|
||||
rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
|
||||
rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
|
||||
echo "✅ Successful build and installation of '${pkg_name}'."
|
||||
echo "-------------------------------------------------------------------------------------"
|
||||
|
||||
done
|
||||
|
||||
rm -f signature_key.asc
|
||||
|
||||
echo "✅ All packages were built and installed successfully."
|
||||
|
||||
mv_bin=(
|
||||
"/usr/bin/gpg"
|
||||
"/usr/bin/gpg-agent"
|
||||
"/usr/bin/gpgconf"
|
||||
"/usr/bin/gpg-connect-agent"
|
||||
"/usr/bin/gpg-wks-client"
|
||||
"/usr/bin/gpg-preset-passphrase"
|
||||
)
|
||||
|
||||
for bin in "${mv_bin[@]}"; do
|
||||
name="${bin##*/}"
|
||||
if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
|
||||
if mv "${bin}" "${bin}.debian-backup"; then
|
||||
echo "✅ Moved successfully: '${bin}'."
|
||||
else
|
||||
echo "❌ Moved NOT successfully: '${bin}'."
|
||||
fi
|
||||
else
|
||||
echo "💡 Does not exist as build binary: '${bin}'."
|
||||
fi
|
||||
done
|
||||
|
||||
for bin in "${mv_bin[@]}"; do
|
||||
name="${bin##*/}"
|
||||
if [[ -f "/usr/local/bin/${name}" ]]; then
|
||||
if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
|
||||
echo "✅ 'update-alternatives' successfully: '${bin}'."
|
||||
else
|
||||
echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
|
||||
fi
|
||||
else
|
||||
echo "💡 Does not exist: '/usr/local/bin/${name}'."
|
||||
fi
|
||||
done
|
||||
|
||||
sudo ldconfig
|
||||
|
||||
gpgconf --kill all
|
||||
/usr/local/bin/gpg-agent --daemon
|
||||
|
||||
- name: ⚙️ Check GnuPG Version.
|
||||
shell: bash
|
||||
run: |
|
||||
gpg --version
|
||||
|
||||
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
|
||||
shell: bash
|
||||
run: |
|
||||
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
|
||||
|
||||
### Private Key
|
||||
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
|
||||
chmod 600 ~/.ssh/id_ed25519
|
||||
|
||||
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
|
||||
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
|
||||
chmod 600 ~/.ssh/known_hosts
|
||||
|
||||
### Generate SSH Config for git.coresecret.dev Custom-Port
|
||||
cat <<EOF >| ~/.ssh/config
|
||||
Host git.coresecret.dev
|
||||
HostName git.coresecret.dev
|
||||
Port 42842
|
||||
IdentityFile ~/.ssh/id_ed25519
|
||||
StrictHostKeyChecking yes
|
||||
UserKnownHostsFile ~/.ssh/known_hosts
|
||||
EOF
|
||||
chmod 600 ~/.ssh/config
|
||||
|
||||
### https://github.com/actions/checkout/issues/1843
|
||||
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
|
||||
shell: bash
|
||||
env:
|
||||
### GITHUB_REF_NAME contains the branch name from the push event.
|
||||
GITHUB_REF_NAME: ${{ github.ref_name }}
|
||||
run: |
|
||||
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
|
||||
git fetch --unshallow || echo "Nothing to fetch - already full clone."
|
||||
|
||||
- name: 🛠️ Cleaning the workspace.
|
||||
shell: bash
|
||||
run: |
|
||||
git reset --hard
|
||||
git clean -fd
|
||||
|
||||
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
### GPG-Home relative to the Runner Workspace to avoid changing global files.
|
||||
export GNUPGHOME="$(pwd)/.gnupg"
|
||||
mkdir -m 700 "${GNUPGHOME}"
|
||||
echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
|
||||
gpg --batch --import centurion-root.PUB.asc
|
||||
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
|
||||
gpg --batch --import ci-bot.sec.asc
|
||||
### Trust the key automatically
|
||||
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
|
||||
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
|
||||
|
||||
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
export GNUPGHOME="$(pwd)/.gnupg"
|
||||
git config user.name "Marc S. Weidner BOT"
|
||||
git config user.email "msw+bot@coresecret.dev"
|
||||
git config commit.gpgsign true
|
||||
git config gpg.program gpg
|
||||
git config gpg.format openpgp
|
||||
|
||||
- name: ⚙️ Preparing the build environment.
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
mkdir -p /opt/config
|
||||
mkdir -p /opt/livebuild
|
||||
touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
|
||||
touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
|
||||
echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
|
||||
echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
|
||||
|
||||
- name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
chmod 0755 ciss_live_builder.sh
|
||||
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
|
||||
### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
|
||||
./ciss_live_builder.sh \
|
||||
--autobuild=6.1.0-37-amd64 \
|
||||
--architecture amd64 \
|
||||
--build-directory /opt/livebuild \
|
||||
--control "${timestamp}" \
|
||||
--debug \
|
||||
--dhcp-centurion \
|
||||
--jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
|
||||
--provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
|
||||
--root-password-file /opt/config/password.txt \
|
||||
--ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
|
||||
--ssh-pubkey /opt/config
|
||||
|
||||
- name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
|
||||
shell: bash
|
||||
env:
|
||||
NC_BASE: "https://cloud.e2ee.li"
|
||||
SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
|
||||
SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
SHARE_SUBDIR=""
|
||||
|
||||
echo "📥 Get directory listing via PROPFIND ..."
|
||||
curl -s \
|
||||
--user "${SHARE_TOKEN}:${SHARE_PASS}" \
|
||||
-X PROPFIND \
|
||||
-H "Depth: 1" \
|
||||
"${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
|
||||
-o propfind_public.xml
|
||||
|
||||
echo "📥 Filter .iso files from the PROPFIND response ..."
|
||||
grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
|
||||
|
||||
if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
|
||||
echo "💡 Old ISO files found and deleted :"
|
||||
while IFS= read -r href; do
|
||||
FILE_URL="${NC_BASE}${href}"
|
||||
echo " Delete: ${FILE_URL}"
|
||||
if curl -s \
|
||||
--user "${SHARE_TOKEN}:${SHARE_PASS}" \
|
||||
-X DELETE "${FILE_URL}"; then
|
||||
echo " ✅ Successfully deleted: $(basename "${href}")"
|
||||
else
|
||||
echo " ❌ Error: $(basename "${href}") could not be deleted"
|
||||
fi
|
||||
done < public_iso_list.txt
|
||||
else
|
||||
echo "💡 No old ISO files found to delete."
|
||||
fi
|
||||
|
||||
- name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
|
||||
shell: bash
|
||||
env:
|
||||
NC_BASE: "https://cloud.e2ee.li"
|
||||
SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
|
||||
SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
|
||||
echo "❌ There must be exactly one .iso file in the directory!"
|
||||
exit 1
|
||||
else
|
||||
VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
|
||||
VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
|
||||
echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
|
||||
fi
|
||||
|
||||
AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
|
||||
if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
|
||||
--upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
|
||||
echo "✅ New ISO successfully uploaded."
|
||||
else
|
||||
echo "❌ Uploading the new ISO failed."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
- name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
|
||||
shell: bash
|
||||
run: |
|
||||
if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
|
||||
echo "❌ There must be exactly one .iso file in the directory!"
|
||||
exit 1
|
||||
else
|
||||
VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
|
||||
VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
|
||||
echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
|
||||
fi
|
||||
|
||||
VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
|
||||
touch "${VAR_ISO_FILE_SHA512}"
|
||||
sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
|
||||
SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
|
||||
touch "${SIGNATURE_FILE}"
|
||||
export GNUPGHOME="$(pwd)/.gnupg"
|
||||
gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
|
||||
|
||||
timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
|
||||
PRIVATE_FILE="LIVE_ISO_FLV_0.private"
|
||||
touch "${PRIVATE_FILE}"
|
||||
cat << EOF >| "${PRIVATE_FILE}"
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.live.builder
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
|
||||
This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
|
||||
|
||||
CISS.debian.live.builder ISO :
|
||||
"${VAR_ISO_FILE_NAME}"
|
||||
CISS.debian.live.builder ISO sha512 :
|
||||
$(< "${VAR_ISO_FILE_SHA512}")
|
||||
CISS.debian.live.builder ISO sha512 sign :
|
||||
$(< "${SIGNATURE_FILE}")
|
||||
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
|
||||
EOF
|
||||
|
||||
- name: 🚧 Stash local changes (including untracked).
|
||||
shell: bash
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
### Temporarily store any local modifications or untracked files.
|
||||
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
|
||||
|
||||
- name: 🔄 Sync with remote before commit using merge strategy.
|
||||
shell: bash
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
export GNUPGHOME="$(pwd)/.gnupg"
|
||||
|
||||
echo "🔄 Fetching origin/master ..."
|
||||
git fetch origin master
|
||||
|
||||
echo "🔁 Merging origin/master into current branch ..."
|
||||
git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
|
||||
|
||||
echo "📋 Post-merge status :"
|
||||
git status
|
||||
git log --oneline -n 5
|
||||
|
||||
- name: 🛠️ Restore stashed changes.
|
||||
shell: bash
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
### Apply previously stashed changes.
|
||||
git stash pop || echo "✔️ Nothing to pop."
|
||||
|
||||
- name: 📦 Stage generated files.
|
||||
shell: bash
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
PRIVATE_FILE="LIVE_ISO_FLV_0.private"
|
||||
git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
|
||||
|
||||
- name: 🔑 Commit and sign changes with CI metadata.
|
||||
shell: bash
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
export GNUPGHOME="$(pwd)/.gnupg"
|
||||
|
||||
if git diff --cached --quiet; then
|
||||
echo "✔️ No staged changes to commit."
|
||||
else
|
||||
echo "📝 Committing changes with GPG signature ..."
|
||||
|
||||
### CI Metadata
|
||||
TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
|
||||
HOSTNAME="$(hostname -f || hostname)"
|
||||
GIT_SHA="$(git rev-parse --short HEAD)"
|
||||
GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
|
||||
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
|
||||
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
|
||||
|
||||
COMMIT_MSG="DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 0 [skip ci]
|
||||
|
||||
${CI_HEADER}
|
||||
|
||||
Generated at : ${TIMESTAMP_UTC}
|
||||
Runner Host : ${HOSTNAME}
|
||||
Workflow ID : ${WORKFLOW_ID}
|
||||
Git Commit : ${GIT_SHA} HEAD -> ${GIT_REF}
|
||||
"
|
||||
|
||||
echo "🔏 Commit message :"
|
||||
echo "${COMMIT_MSG}"
|
||||
git commit -S -m "${COMMIT_MSG}"
|
||||
fi
|
||||
|
||||
- name: 🔁 Push back to repository.
|
||||
shell: bash
|
||||
env:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
|
||||
git push origin HEAD:${GITHUB_REF_NAME}
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
|
||||
@@ -1,5 +1,5 @@
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
@@ -13,6 +13,10 @@
|
||||
|
||||
name: 🔐 Generating a Private Live ISO TRIXIE.
|
||||
|
||||
defaults:
|
||||
run:
|
||||
shell: bash
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
@@ -21,30 +25,28 @@ on:
|
||||
branches:
|
||||
- master
|
||||
paths:
|
||||
- '.gitea/trigger/t_generate_PRIVATE_trixie.yaml'
|
||||
- '.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml'
|
||||
|
||||
jobs:
|
||||
generate-private-ciss-debian-live-iso:
|
||||
generate-private-cdlb-trixie:
|
||||
name: 🔐 Generating a Private Live ISO TRIXIE.
|
||||
runs-on: ciss.debian.live.builder.iso.generator
|
||||
runs-on: cdlb.trixie
|
||||
|
||||
### Run all steps inside Debian Trixie
|
||||
container:
|
||||
image: debian:trixie
|
||||
options: >-
|
||||
--mount type=bind,src=/mnt/secure,dst=/work
|
||||
|
||||
steps:
|
||||
- name: 🛠️ Basic Image Setup.
|
||||
shell: bash
|
||||
run: |
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
apt-get update -y
|
||||
apt-get update
|
||||
apt-get upgrade -y
|
||||
apt-get install -y --no-install-recommends \
|
||||
apt-utils \
|
||||
bash \
|
||||
ca-certificates \
|
||||
curl \
|
||||
git \
|
||||
gnupg \
|
||||
openssh-client \
|
||||
@@ -52,56 +54,6 @@ jobs:
|
||||
sudo \
|
||||
util-linux
|
||||
|
||||
- name: 🔎 Verify /work mount & space
|
||||
shell: bash
|
||||
run: |
|
||||
set -euxo pipefail
|
||||
df -h /work
|
||||
test -w /work
|
||||
touch /work/.bind-ok && ls -l /work/.bind-ok
|
||||
|
||||
- name: 🔎 Show workspace & mounts
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
echo "GITHUB_WORKSPACE=$GITHUB_WORKSPACE"
|
||||
pwd
|
||||
ls -ld "$GITHUB_WORKSPACE"
|
||||
command -v findmnt >/dev/null || apt-get update && apt-get install -y findmnt || true
|
||||
findmnt -no SOURCE,TARGET "$GITHUB_WORKSPACE" || true
|
||||
df -h "$GITHUB_WORKSPACE"
|
||||
df -h .
|
||||
|
||||
- name: ⚙️ Space guards (workspace + LB_PARENTDIR)
|
||||
shell: bash
|
||||
env:
|
||||
LB_PARENTDIR: /work
|
||||
run: |
|
||||
set -euo pipefail
|
||||
need_mb=16384
|
||||
for p in "${GITHUB_WORKSPACE:?}" "${LB_PARENTDIR:?}"; do
|
||||
mkdir -p "$p"
|
||||
avail_mb=$(df -Pm "$p" | awk 'NR==2{print $4}')
|
||||
printf "[INFO] %s: %s MiB available (need %s MiB)\n" "$p" "$avail_mb" "$need_mb"
|
||||
if (( avail_mb < need_mb )); then
|
||||
printf "[\e[91mERROR\e[0m] Not enough free space at: [%s] - [%s] MiB available < [%s] MiB needed. \n" "${p}" "${avail_mb}" "${need_mb}"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
- name: ⚙️ Is there sufficient space available?
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
need_mb=8192
|
||||
avail_mb=$(df -Pm . | awk 'NR==2{print $4}')
|
||||
if [[ "${avail_mb}" -lt "${need_mb}" ]]; then
|
||||
printf "[\e[91mERROR\e[0m] Not enough free space in the working directory: [%s] MiB available < [%s] MiB needed \n " "${avail_mb}" "${need_mb}"
|
||||
exit 1
|
||||
else
|
||||
printf "[\e[92mINFO\e[0m] Free space in the working directory: [%s] MiB available > [%s] MiB needed \n " "${avail_mb}" "${need_mb}"
|
||||
fi
|
||||
|
||||
- name: ⚙️ Check GnuPG Version.
|
||||
shell: bash
|
||||
run: |
|
||||
@@ -291,7 +243,7 @@ jobs:
|
||||
|
||||
timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
|
||||
VAR_DATE="$(date +%F)"
|
||||
PRIVATE_FILE="LIVE_ISO_FLV_0.private"
|
||||
PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
|
||||
touch "${PRIVATE_FILE}"
|
||||
cat << EOF >| "${PRIVATE_FILE}"
|
||||
# SPDX-Version: 3.0
|
||||
@@ -359,7 +311,7 @@ jobs:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
PRIVATE_FILE="LIVE_ISO_FLV_0.private"
|
||||
PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
|
||||
git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
|
||||
|
||||
- name: 🔑 Commit and sign changes with CI metadata.
|
||||
@@ -383,7 +335,7 @@ jobs:
|
||||
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
|
||||
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
|
||||
|
||||
COMMIT_MSG="DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 0 [skip ci]
|
||||
COMMIT_MSG="DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
|
||||
|
||||
${CI_HEADER}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
@@ -11,7 +11,11 @@
|
||||
|
||||
### Version Master V8.13.008.2025.08.22
|
||||
|
||||
name: 🔐 Generating a Private Live ISO FLV 1.
|
||||
name: 🔐 Generating a Private Live ISO TRIXIE.
|
||||
|
||||
defaults:
|
||||
run:
|
||||
shell: bash
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
@@ -21,164 +25,34 @@ on:
|
||||
branches:
|
||||
- master
|
||||
paths:
|
||||
- '.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml'
|
||||
- '.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml'
|
||||
|
||||
jobs:
|
||||
generate-private-ciss-debian-live-iso:
|
||||
name: 🔐 Generating a Private Live ISO FLV 1.
|
||||
runs-on: ciss.debian.live.builder.iso.generator
|
||||
generate-private-cdlb-trixie:
|
||||
name: 🔐 Generating a Private Live ISO TRIXIE.
|
||||
runs-on: cdlb.trixie
|
||||
|
||||
### Run all steps inside Debian Bookworm
|
||||
container:
|
||||
image: debian:bookworm
|
||||
image: debian:trixie
|
||||
|
||||
steps:
|
||||
- name: 🛠️ Basic Image Setup and enable Bookworm Backports.
|
||||
run: |
|
||||
apt-get update -y
|
||||
apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
|
||||
echo 'deb https://deb.debian.org/debian bookworm-backports main' \
|
||||
>| /etc/apt/sources.list.d/bookworm-backports.list
|
||||
apt-get update -y
|
||||
apt-get upgrade -y
|
||||
|
||||
- name: 🛠️ Installing Build Tools.
|
||||
- name: 🛠️ Basic Image Setup.
|
||||
shell: bash
|
||||
run: |
|
||||
apt-get update -y
|
||||
apt-get install -y \
|
||||
autoconf \
|
||||
automake \
|
||||
build-essential \
|
||||
cryptsetup \
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
apt-get update
|
||||
apt-get upgrade -y
|
||||
apt-get install -y --no-install-recommends \
|
||||
apt-utils \
|
||||
bash \
|
||||
ca-certificates \
|
||||
curl \
|
||||
debootstrap \
|
||||
dosfstools \
|
||||
efibootmgr \
|
||||
gettext \
|
||||
git \
|
||||
gnupg \
|
||||
haveged \
|
||||
libbz2-dev \
|
||||
zlib1g-dev \
|
||||
liblzma-dev \
|
||||
libtool \
|
||||
live-build \
|
||||
parted \
|
||||
pkg-config \
|
||||
ssh \
|
||||
ssl-cert \
|
||||
openssh-client \
|
||||
openssl \
|
||||
sudo \
|
||||
texinfo \
|
||||
wget \
|
||||
whois \
|
||||
|
||||
- name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
|
||||
shell: bash
|
||||
run: |
|
||||
urls=(
|
||||
"https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
|
||||
"https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
|
||||
"https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
|
||||
"https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
|
||||
"https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
|
||||
"https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
|
||||
)
|
||||
|
||||
wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
|
||||
gpg --batch --import signature_key.asc
|
||||
|
||||
for url in "${urls[@]}"; do
|
||||
archive_name="${url##*/}"
|
||||
pkg_name="${archive_name%.tar.bz2}"
|
||||
echo "🔄 Processing ${pkg_name}"
|
||||
if [[ ! -f "${archive_name}" ]]; then
|
||||
echo "📥 Downloading: '${archive_name}'."
|
||||
if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
|
||||
echo "✅ Download successful: '${archive_name}'."
|
||||
else
|
||||
echo "❌ Download NOT successful: '${archive_name}'."
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
echo "💡 Skipping download, package already exists: '${archive_name}'."
|
||||
fi
|
||||
|
||||
if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
|
||||
|
||||
if [[ ! -d "${pkg_name}" ]]; then
|
||||
echo "📂 Extracting: '${archive_name}'."
|
||||
if tar -xjf "${archive_name}"; then
|
||||
echo "✅ Extraction successful: '${archive_name}'."
|
||||
else
|
||||
echo "❌ Extraction not successful: '${archive_name}'."
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
echo "💡 Skipping directory, already exists: '${pkg_name}'."
|
||||
fi
|
||||
|
||||
echo "🏗️ Build and install the package: '${pkg_name}'."
|
||||
cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
|
||||
mkdir -p build
|
||||
cd build || { echo "❌ Could not change to '/build'."; exit 1; }
|
||||
|
||||
sudo ../configure > /dev/null 2>&1 || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
|
||||
make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
|
||||
sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
|
||||
|
||||
cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
|
||||
|
||||
rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
|
||||
rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
|
||||
echo "✅ Successful build and installation of '${pkg_name}'."
|
||||
echo "-------------------------------------------------------------------------------------"
|
||||
|
||||
done
|
||||
|
||||
rm -f signature_key.asc
|
||||
|
||||
echo "✅ All packages were built and installed successfully."
|
||||
|
||||
mv_bin=(
|
||||
"/usr/bin/gpg"
|
||||
"/usr/bin/gpg-agent"
|
||||
"/usr/bin/gpgconf"
|
||||
"/usr/bin/gpg-connect-agent"
|
||||
"/usr/bin/gpg-wks-client"
|
||||
"/usr/bin/gpg-preset-passphrase"
|
||||
)
|
||||
|
||||
for bin in "${mv_bin[@]}"; do
|
||||
name="${bin##*/}"
|
||||
if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
|
||||
if mv "${bin}" "${bin}.debian-backup"; then
|
||||
echo "✅ Moved successfully: '${bin}'."
|
||||
else
|
||||
echo "❌ Moved NOT successfully: '${bin}'."
|
||||
fi
|
||||
else
|
||||
echo "💡 Does not exist as build binary: '${bin}'."
|
||||
fi
|
||||
done
|
||||
|
||||
for bin in "${mv_bin[@]}"; do
|
||||
name="${bin##*/}"
|
||||
if [[ -f "/usr/local/bin/${name}" ]]; then
|
||||
if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
|
||||
echo "✅ 'update-alternatives' successfully: '${bin}'."
|
||||
else
|
||||
echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
|
||||
fi
|
||||
else
|
||||
echo "💡 Does not exist: '/usr/local/bin/${name}'."
|
||||
fi
|
||||
done
|
||||
|
||||
sudo ldconfig
|
||||
|
||||
gpgconf --kill all
|
||||
/usr/local/bin/gpg-agent --daemon
|
||||
util-linux
|
||||
|
||||
- name: ⚙️ Check GnuPG Version.
|
||||
shell: bash
|
||||
@@ -268,16 +142,17 @@ jobs:
|
||||
set -euo pipefail
|
||||
chmod 0755 ciss_live_builder.sh
|
||||
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
|
||||
### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
|
||||
### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'.
|
||||
./ciss_live_builder.sh \
|
||||
--autobuild=6.1.0-37-amd64 \
|
||||
--autobuild=6.12.41+deb13-amd64 \
|
||||
--architecture amd64 \
|
||||
--build-directory /opt/livebuild \
|
||||
--control "${timestamp}" \
|
||||
--jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
|
||||
--root-password-file /opt/config/password.txt \
|
||||
--ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
|
||||
--ssh-pubkey /opt/config
|
||||
--ssh-pubkey /opt/config \
|
||||
--trixie
|
||||
|
||||
- name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
|
||||
shell: bash
|
||||
@@ -364,11 +239,12 @@ jobs:
|
||||
gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
|
||||
|
||||
timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
|
||||
PRIVATE_FILE="LIVE_ISO_FLV_1.private"
|
||||
VAR_DATE="$(date +%F)"
|
||||
PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
|
||||
touch "${PRIVATE_FILE}"
|
||||
cat << EOF >| "${PRIVATE_FILE}"
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
@@ -432,7 +308,7 @@ jobs:
|
||||
GIT_SSH_COMMAND: "ssh -p 42842"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
PRIVATE_FILE="LIVE_ISO_FLV_1.private"
|
||||
PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
|
||||
git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
|
||||
|
||||
- name: 🔑 Commit and sign changes with CI metadata.
|
||||
@@ -456,7 +332,7 @@ jobs:
|
||||
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
|
||||
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
|
||||
|
||||
COMMIT_MSG="DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 1 [skip ci]
|
||||
COMMIT_MSG="DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
|
||||
|
||||
${CI_HEADER}
|
||||
|
||||
@@ -202,11 +202,12 @@ jobs:
|
||||
echo -e "⚠️ Linting issues detected:\n"
|
||||
echo -e "${findings}"
|
||||
timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
|
||||
VAR_DATE="$(date +%F)"
|
||||
PRIVATE_FILE="LINTER_RESULTS.txt"
|
||||
touch "${PRIVATE_FILE}"
|
||||
cat << EOF >| "${PRIVATE_FILE}"
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
@@ -225,11 +226,12 @@ jobs:
|
||||
else
|
||||
echo "✅ No issues found in shell scripts."
|
||||
timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
|
||||
VAR_DATE="$(date +%F)"
|
||||
PRIVATE_FILE="LINTER_RESULTS.txt"
|
||||
touch "${PRIVATE_FILE}"
|
||||
cat << EOF >| "${PRIVATE_FILE}"
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
@@ -9,8 +9,8 @@
|
||||
# SPDX-PackageName: CISS.debian.live.builder
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
|
||||
This file was automatically generated by the DEPLOY BOT on: "2025-08-22T08:53:02Z"
|
||||
This file was automatically generated by the DEPLOY BOT on: "2025-08-22T17:25:58Z"
|
||||
|
||||
⚠️ The last linter check was NOT successful. ⚠️
|
||||
✅ The last linter check was successful. ✅
|
||||
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
@@ -9,19 +9,19 @@
|
||||
# SPDX-PackageName: CISS.debian.live.builder
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
|
||||
This file was automatically generated by the DEPLOY BOT on: "2025-08-11T21:40:41Z".
|
||||
This file was automatically generated by the DEPLOY BOT on: "2025-08-22T16:55:09Z"
|
||||
|
||||
CISS.debian.live.builder ISO :
|
||||
"ciss-debian-live-2025_08_11T20_53_16Z-amd64.hybrid.iso"
|
||||
"ciss-debian-live-2025_08_22T16_11_02Z-amd64.hybrid.iso"
|
||||
CISS.debian.live.builder ISO sha512 :
|
||||
b8bcba496881e7f4e881b6816975410f6f07bd70f069f73db4ce84d61bb9758a37087753d28b212ed26b163d84176d5df97fdb1d3356a0667e15cf81d388feb6
|
||||
35c288d96239804e244cbe99c8ce3895aec39104a7200c2ef7326d38e1ec4eea3bf60b895eaa4d981cb718ae4d27d2d4166f16252b88606a870d14c3db096a37
|
||||
CISS.debian.live.builder ISO sha512 sign :
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaJpjWQAKCRA85KY4hzOw
|
||||
IVM1AQD2lkvQOmkcR4LlCk0f6FUcqIMRRlBIwjhDiaWTKjZgeAD/cc4skxFCGmLU
|
||||
EhHNg/3ZoE6PGxe4Y5UFuQnJhDZe/w8=
|
||||
=rwBS
|
||||
iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaKig7QAKCRA85KY4hzOw
|
||||
IWKWAP0Wlqbi3ArURSGW5m+E+OstdsU7qHjf+e1SVRJ3BGUzaAEAr3ceyHiiA2/7
|
||||
RlXsvZxNgVDaEVSdjmt99dMrZK7DRws=
|
||||
=4Oh3
|
||||
-----END PGP SIGNATURE-----
|
||||
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
|
||||
@@ -1,5 +1,5 @@
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
@@ -9,19 +9,19 @@
|
||||
# SPDX-PackageName: CISS.debian.live.builder
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
|
||||
This file was automatically generated by the DEPLOY BOT on: "2025-08-11T20:44:02Z".
|
||||
This file was automatically generated by the DEPLOY BOT on: "2025-08-22T17:41:13Z"
|
||||
|
||||
CISS.debian.live.builder ISO :
|
||||
"ciss-debian-live-2025_08_11T19_54_44Z-amd64.hybrid.iso"
|
||||
"ciss-debian-live-2025_08_22T16_56_12Z-amd64.hybrid.iso"
|
||||
CISS.debian.live.builder ISO sha512 :
|
||||
6de2f5be12f73906f704488a38366a242d4c4755dd4bf325e6211b6a7a5f3be1b39315d95963d4565c5230c149024be796a136bd62e3243ee62a7805d6c20c14
|
||||
4925332b61dbd91f0c444624bbe7de586dbd911fbb27b080a99e44ae312c5139afc502d0415d0bef7dfbd1e5461c07e0a0700f7206e746a91cbcb5403ef003e3
|
||||
CISS.debian.live.builder ISO sha512 sign :
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaJpWEgAKCRA85KY4hzOw
|
||||
IQ/xAP9rp/m86hkxhb6i7Beh7g7bxiuQYY5Q1LZX+GHmpqQ/EQEAoUzgn1Tm7+hy
|
||||
iaMUnRwNiJ0x77hZxcM6FnSkk2hTuAY=
|
||||
=9Ot8
|
||||
iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaKiruQAKCRA85KY4hzOw
|
||||
IdoTAQDqyOBkGA0xDoLsDvjFSaf3tmzz8mD/5qvsDtF6y/rEWwD/dAXzMOdQjxg8
|
||||
IcK+GK6u4k5/HT5bYlCvTy/WxRb5ggQ=
|
||||
=boDM
|
||||
-----END PGP SIGNATURE-----
|
||||
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
|
||||
70
README.md
70
README.md
@@ -11,7 +11,7 @@ include_toc: true
|
||||
[](https://github.com/mvdan/sh)
|
||||
[](https://google.github.io/styleguide/shellguide.html)
|
||||
|
||||
[](https://docs.gitea.com/)
|
||||
[](https://docs.gitea.com/)
|
||||
[](https://www.jetbrains.com/store/?section=personal&billing=yearly)
|
||||
[](https://keepassxc.org/)
|
||||
[](https://www.netcup.com/de)
|
||||
@@ -70,7 +70,16 @@ separate directory tree, employs `DynamicUser` features, and adheres to strict s
|
||||
rating of **``2.6``**). Docker containers used by runners do not run in privileged mode. Security is further enhanced through the use
|
||||
of both UFW software firewalls and dedicated hardware firewall appliances.
|
||||
|
||||
## 1.2. Immutable Source-of-Truth System
|
||||
## 1.2. Match Host and Target Versions
|
||||
|
||||
Build, for example, a Debian Trixie live image only on a Debian Trixie host. The build toolchain and boot artifacts are
|
||||
release-specific: ``live-build``, ``live-boot``, ``live-config``, ``debootstrap``, ``kernel/initramfs`` tools, ``mksquashfs``,
|
||||
``GRUB/ISOLINUX``, and even ``dpkg/apt`` often change defaults and formats between releases (e.g., compression modes, SquashFS
|
||||
options, hook ordering, systemd/udev behavior). Building on a different host release commonly yields non-reproducible or even
|
||||
unbootable ISOs (missing modules/firmware, ABI mismatches, divergent paths). Keeping host and target on the same version ensures
|
||||
reproducible builds, matching dependencies, and compatible boot artifacts.
|
||||
|
||||
## 1.3. Immutable Source-of-Truth System
|
||||
|
||||
This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static
|
||||
source-code definitions. All configurations, system components, and installation routines are embedded during build time and
|
||||
@@ -103,11 +112,11 @@ After build and configuration, the following audit reports can be generated:
|
||||
* **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations.
|
||||
Type `ssh-audit <IP>:<PORT>`. See example report: **[SSH Audit Report](/docs/AUDIT_SSH.md)**
|
||||
|
||||
## 1.3. Preview
|
||||
## 1.4. Preview
|
||||
|
||||
|
||||
|
||||
## 1.4. Caution. Significant information for those considering using D-I.
|
||||
## 1.5. Caution. Significant information for those considering using D-I.
|
||||
|
||||
**The Debian Installer (d-i) will ALWAYS boot a new system.**<br>
|
||||
|
||||
@@ -138,7 +147,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
|
||||
* Logging (rsyslog, journald) ✘ not active,
|
||||
* preseed control over the network is possible (but without any protection).
|
||||
|
||||
## 1.5. Versioning Schema
|
||||
## 1.6. Versioning Schema
|
||||
|
||||
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
|
||||
|
||||
@@ -149,7 +158,7 @@ Example: `V8.13.008.2025.08.22`
|
||||
Date (YYYY.MM.DD) denotes the build or release date, facilitating clear tracking of incremental changes and ensuring
|
||||
reproducibility and traceability.
|
||||
|
||||
## 1.6. Keywords
|
||||
## 1.7. Keywords
|
||||
|
||||
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
|
||||
"MAY", and "OPTIONAL" in this Repo are to be interpreted as described in [[BCP 14](https://www.rfc-editor.org/info/bcp14)],
|
||||
@@ -414,26 +423,27 @@ predictable script behavior.
|
||||
|
||||
# 4. Prerequisites
|
||||
|
||||
* **Host**: Debian Bookworm or newer with `live-build` package installed.
|
||||
* **Host**: Debian Trixie with `live-build` and ``debootstrap`` packages installed.
|
||||
* **Privileges**: Root or sudo access to execute `ciss_live_builder.sh` and related scripts.
|
||||
* **Network**: Outbound access to Debian repositories and PTB NTPsec pool.
|
||||
|
||||
# 5. Installation & Usage
|
||||
|
||||
# 5.1. Interactive CLI / Dialog Wrapper
|
||||
## 5.1. Interactive CLI / Dialog Wrapper
|
||||
|
||||
1. Clone the repository:
|
||||
|
||||
```bash
|
||||
git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
cd CISS.debian.live.builder
|
||||
```
|
||||
|
||||
2. Preparation:
|
||||
1. Ensure you are root.
|
||||
2. Create the build directory `mkdir /opt/livebuild`.
|
||||
3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
|
||||
4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
|
||||
5. Make any other changes you need to.
|
||||
|
||||
3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
|
||||
|
||||
````bash
|
||||
@@ -454,6 +464,7 @@ predictable script behavior.
|
||||
--ssh-pubkey /opt/gitea/CISS.debian.live.builder \
|
||||
--trixie
|
||||
````
|
||||
|
||||
4. Locate your ISO in the `--build-directory`.
|
||||
5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
|
||||
6. Type `sysp` for the final kernel hardening features.
|
||||
@@ -461,7 +472,46 @@ predictable script behavior.
|
||||
8. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit.
|
||||
9. Type `celp` for some shortcuts.
|
||||
|
||||
# 5.2. CI/CD Gitea Runner Workflow Example
|
||||
## 5.2. Make Wrapper, Quick Usage
|
||||
|
||||
This repo ships a thin make wrapper around ``./ciss_live_builder.sh``, so you can compose a correctly quoted command and either
|
||||
preview it or run it.
|
||||
|
||||
1. Clone the repository:
|
||||
|
||||
```bash
|
||||
git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
cd CISS.debian.live.builder
|
||||
```
|
||||
|
||||
2. Preparation:
|
||||
1. Ensure you are root.
|
||||
2. Create the build directory `mkdir /opt/livebuild`.
|
||||
3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
|
||||
4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
|
||||
5. Copy and edit the sample and set your options (no spaces around commas in lists):
|
||||
|
||||
````bash
|
||||
cp config.mk.sample config.mk
|
||||
````
|
||||
|
||||
````bash
|
||||
BUILD_DIR=/opt/livebuild
|
||||
ROOT_PASSWORD_FILE=/opt/gitea/CISS.debian.live.builder/password.txt
|
||||
SSH_PORT=4242
|
||||
SSH_PUBKEY=/root/.ssh
|
||||
|
||||
# Optional
|
||||
PROVIDER_NETCUP_IPV6=2001:cdb::1
|
||||
# comma-separated; IPv6 in [] is fine
|
||||
JUMP_HOSTS=[2001:db8::1],[2001:db8::2]
|
||||
````
|
||||
|
||||
3. Dry-run first (prints the exact command): ````make dry-run````
|
||||
|
||||
4. Execute the build: ````make live````
|
||||
|
||||
## 5.3. CI/CD Gitea Runner Workflow Example
|
||||
|
||||
1. Clone the repository:
|
||||
|
||||
|
||||
@@ -205,7 +205,7 @@ if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization completed ... \n
|
||||
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
|
||||
|
||||
### MAIN Program
|
||||
#arg_priority_check # TODO: Fixing workflow issues
|
||||
arg_priority_check
|
||||
check_stats
|
||||
if ! ${VAR_HANDLER_AUTOBUILD}; then check_provider; fi
|
||||
if ! ${VAR_HANDLER_AUTOBUILD}; then check_kernel; fi
|
||||
|
||||
@@ -121,7 +121,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
|
||||
specified PATH into the Live ISO. MUST be provided.
|
||||
|
||||
--trixie
|
||||
Create a Debian Trixie Live ISO. Experimental Feature.
|
||||
Create a Debian Trixie Live ISO.
|
||||
|
||||
--version, -v
|
||||
Displays version of ./ciss_live_builder.sh.
|
||||
|
||||
@@ -24,7 +24,7 @@ guard_sourcing
|
||||
arg_priority_check() {
|
||||
declare var
|
||||
### Check if nice PRIORITY is set and adjust nice priority.
|
||||
if [[ -n "${VAR_HANDLER_PRIORITY:-}" ]]; then
|
||||
if [[ "${VAR_HANDLER_PRIORITY:-}" -ne 0 ]]; then
|
||||
if command -v renice >/dev/null; then
|
||||
renice "${VAR_HANDLER_PRIORITY}" -p "$$"
|
||||
var=$(ps -o ni= -p $$) > /dev/null 2>&1
|
||||
@@ -32,12 +32,12 @@ arg_priority_check() {
|
||||
# sleep 1
|
||||
unset var
|
||||
else
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ⚠️ renice not installed (util-linux) \e[0m\n"
|
||||
printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ renice not installed (util-linux) \e[0m\n"
|
||||
fi
|
||||
fi
|
||||
|
||||
### Check if ionice PRIORITY is set and adjust ionice priority.
|
||||
if [[ -n "${VAR_REIONICE_CLASS:-}" ]]; then
|
||||
if [[ "${VAR_REIONICE_CLASS:-}" -ne 2 ]]; then
|
||||
if command -v ionice >/dev/null; then
|
||||
ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
|
||||
var=$(ionice -p $$) > /dev/null 2>&1
|
||||
@@ -45,7 +45,7 @@ arg_priority_check() {
|
||||
# sleep 1
|
||||
unset var
|
||||
else
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ⚠️ ionice not installed (util-linux) \e[0m\n"
|
||||
printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ionice not installed (util-linux) \e[0m\n"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -119,15 +119,18 @@ print_scr_err() {
|
||||
# $5: ${BASH_COMMAND}
|
||||
#######################################
|
||||
trap_on_err() {
|
||||
trap - ERR
|
||||
trap - DEBUG ERR INT TERM
|
||||
declare -g ERRCODE="$1"
|
||||
declare -g ERRSCRT="$2"
|
||||
declare -g ERRLINE="$3"
|
||||
declare -g ERRFUNC="$4"
|
||||
declare -g ERRCMMD="$5"
|
||||
# shellcheck disable=SC2034
|
||||
declare -g ERRTRAP="true"
|
||||
|
||||
if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
|
||||
clean_up "${ERRCODE}"
|
||||
if ! $VAR_HANDLER_AUTOBUILD; then clean_screen; fi
|
||||
if ! "${VAR_HANDLER_AUTOBUILD}"; then clean_screen; fi
|
||||
print_file_err
|
||||
print_scr_err
|
||||
}
|
||||
@@ -148,6 +151,7 @@ dump_user_vars() {
|
||||
set +x
|
||||
{
|
||||
declare var
|
||||
# shellcheck disable=SC2312
|
||||
while IFS= read -r var; do
|
||||
declare -p "${var}" 2>/dev/null
|
||||
done < <(compgen -v | grep -Ev '^(BASH|_).*')
|
||||
|
||||
@@ -20,7 +20,7 @@ guard_sourcing
|
||||
# $1: $?
|
||||
#######################################
|
||||
trap_on_exit() {
|
||||
trap - EXIT
|
||||
trap - DEBUG ERR EXIT INT TERM
|
||||
declare -r var_trap_on_exit_code="$1"
|
||||
if (( var_trap_on_exit_code == 0 )); then
|
||||
if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
|
||||
|
||||
@@ -149,7 +149,7 @@ usage() {
|
||||
echo " specified PATH into the Live ISO. MUST be provided."
|
||||
echo
|
||||
echo -e "\e[97m --trixie \e[0m"
|
||||
echo " Create a Debian Trixie Live ISO. Experimental Feature"
|
||||
echo " Create a Debian Trixie Live ISO."
|
||||
echo
|
||||
echo -e "\e[97m --version, -v \e[0m"
|
||||
echo " Show version of ${0}."
|
||||
|
||||
Reference in New Issue
Block a user