msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

Compare commits

base: msw:0da89626e685229623022455fd0a989f4c560d5787a5e747fbb2acc00b3786af
Branches Tags
msw:master
msw:v8.13.142-stable msw:v8.13.008-stable msw:v8.03.864-stable msw:v8.03.832-stable msw:v8.03.768-stable msw:v8.03.644-stable
..
compare: msw:v8.13.008-stable
Branches Tags
msw:master
msw:v8.13.142-stable msw:v8.13.008-stable msw:v8.03.864-stable msw:v8.03.832-stable msw:v8.03.768-stable msw:v8.03.644-stable

11 Commits
0da89626e6 ... v8.13.008-

Author SHA256 Message Date
Marc S. Weidner BOT
f35e3bff4f DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci] 
X-CI-Metadata: master@22d6c9a at 2025-08-22T17:41:17Z on 9441b3c6beee

Generated at : 2025-08-22T17:41:17Z
Runner Host  : 9441b3c6beee
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : 22d6c9a HEAD -> master
 2025-08-22 17:41:17 +00:00
Marc S. Weidner BOT
22d6c9a061 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@e3206cc at 2025-08-22T17:26:01Z on c05f954e2ce1

Generated at : 2025-08-22T17:26:01Z
Runner Host  : c05f954e2ce1
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : e3206cc HEAD -> master
 2025-08-22 17:26:01 +00:00
Marc S. Weidner
e3206cc4be V8.13.008.2025.08.22
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m48s
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-08-22 19:23:56 +02:00
Marc S. Weidner BOT
3e5ade4758 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@3d79ff9 at 2025-08-22T17:10:47Z on 53943bbe9153

Generated at : 2025-08-22T17:10:47Z
Runner Host  : 53943bbe9153
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 3d79ff9 HEAD -> master
 2025-08-22 17:10:47 +00:00
Marc S. Weidner
3d79ff973f V8.13.008.2025.08.22
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m7s
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-08-22 19:08:33 +02:00
Marc S. Weidner BOT
08653b1398 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@440a393 at 2025-08-22T17:08:10Z on 2b5e5161b3af

Generated at : 2025-08-22T17:08:10Z
Runner Host  : 2b5e5161b3af
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 440a393 HEAD -> master
 2025-08-22 17:08:10 +00:00
Marc S. Weidner
440a393c67 V8.13.008.2025.08.22
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m19s
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-08-22 19:05:44 +02:00
Marc S. Weidner BOT
c1715f896f DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@499bfe9 at 2025-08-22T17:03:44Z on 632fa5ca8d8d

Generated at : 2025-08-22T17:03:44Z
Runner Host  : 632fa5ca8d8d
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 499bfe9 HEAD -> master
 2025-08-22 17:03:44 +00:00
Marc S. Weidner
499bfe9c86 V8.13.008.2025.08.22
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m19s
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-08-22 19:01:19 +02:00
Marc S. Weidner
6b397e27b1 Merge remote-tracking branch 'origin/master' 2025-08-22 18:56:05 +02:00
Marc S. Weidner
9c59edb3cb V8.13.008.2025.08.22 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-08-22 18:53:26 +02:00
12 changed files with 77 additions and 1047 deletions
Expand all files Collapse all files

15
.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
View File

@@ -1,15 +0,0 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
build:
counter: 1023
version: V8.13.008.2025.08.22
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

15
.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
View File

@@ -1,15 +0,0 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
build:
counter: 1023
version: V8.13.008.2025.08.22
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

485
.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
View File

@@ -1,485 +0,0 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.13.008.2025.08.22
name: 🔐 Generating a Private Live ISO FLV 0.
permissions:
contents: write
on:
push:
branches:
- master
paths:
- '.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml'
jobs:
generate-private-ciss-debian-live-iso:
name: 🔐 Generating a Private Live ISO FLV 0.
runs-on: ciss.debian.live.builder.iso.generator
### Run all steps inside Debian Bookworm
container:
image: debian:bookworm
steps:
- name: 🛠️ Basic Image Setup and enable Bookworm Backports.
run: |
apt-get update -y
apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
echo 'deb https://deb.debian.org/debian bookworm-backports main' \
>| /etc/apt/sources.list.d/bookworm-backports.list
apt-get update -y
apt-get upgrade -y
- name: 🛠️ Installing Build Tools.
shell: bash
run: |
apt-get update -y
apt-get install -y \
autoconf \
automake \
build-essential \
cryptsetup \
curl \
debootstrap \
dosfstools \
efibootmgr \
gettext \
git \
gnupg \
haveged \
libbz2-dev \
zlib1g-dev \
liblzma-dev \
libtool \
live-build \
parted \
pkg-config \
ssh \
ssl-cert \
sudo \
texinfo \
wget \
whois \
- name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
shell: bash
run: |
urls=(
"https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
"https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
"https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
"https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
"https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
"https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
)
wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
gpg --batch --import signature_key.asc
for url in "${urls[@]}"; do
archive_name="${url##*/}"
pkg_name="${archive_name%.tar.bz2}"
echo "🔄 Processing ${pkg_name}"
if [[ ! -f "${archive_name}" ]]; then
echo "📥 Downloading: '${archive_name}'."
if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
echo "✅ Download successful: '${archive_name}'."
else
echo "❌ Download NOT successful: '${archive_name}'."
exit 1
fi
else
echo "💡 Skipping download, package already exists: '${archive_name}'."
fi
if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
if [[ ! -d "${pkg_name}" ]]; then
echo "📂 Extracting: '${archive_name}'."
if tar -xjf "${archive_name}"; then
echo "✅ Extraction successful: '${archive_name}'."
else
echo "❌ Extraction not successful: '${archive_name}'."
exit 1
fi
else
echo "💡 Skipping directory, already exists: '${pkg_name}'."
fi
echo "🏗️ Build and install the package: '${pkg_name}'."
cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
mkdir -p build
cd build || { echo "❌ Could not change to '/build'."; exit 1; }
sudo ../configure > /dev/null 2>&1 || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
echo "✅ Successful build and installation of '${pkg_name}'."
echo "-------------------------------------------------------------------------------------"
done
rm -f signature_key.asc
echo "✅ All packages were built and installed successfully."
mv_bin=(
"/usr/bin/gpg"
"/usr/bin/gpg-agent"
"/usr/bin/gpgconf"
"/usr/bin/gpg-connect-agent"
"/usr/bin/gpg-wks-client"
"/usr/bin/gpg-preset-passphrase"
)
for bin in "${mv_bin[@]}"; do
name="${bin##*/}"
if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
if mv "${bin}" "${bin}.debian-backup"; then
echo "✅ Moved successfully: '${bin}'."
else
echo "❌ Moved NOT successfully: '${bin}'."
fi
else
echo "💡 Does not exist as build binary: '${bin}'."
fi
done
for bin in "${mv_bin[@]}"; do
name="${bin##*/}"
if [[ -f "/usr/local/bin/${name}" ]]; then
if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
echo "✅ 'update-alternatives' successfully: '${bin}'."
else
echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
fi
else
echo "💡 Does not exist: '/usr/local/bin/${name}'."
fi
done
sudo ldconfig
gpgconf --kill all
/usr/local/bin/gpg-agent --daemon
- name: ⚙️ Check GnuPG Version.
shell: bash
run: |
gpg --version
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
shell: bash
run: |
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
Host git.coresecret.dev
HostName git.coresecret.dev
Port 42842
IdentityFile ~/.ssh/id_ed25519
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
shell: bash
env:
### GITHUB_REF_NAME contains the branch name from the push event.
GITHUB_REF_NAME: ${{ github.ref_name }}
run: |
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
- name: 🛠️ Cleaning the workspace.
shell: bash
run: |
git reset --hard
git clean -fd
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
shell: bash
run: |
set -euo pipefail
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m 700 "${GNUPGHOME}"
echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
gpg --batch --import centurion-root.PUB.asc
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
shell: bash
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
git config user.email "msw+bot@coresecret.dev"
git config commit.gpgsign true
git config gpg.program gpg
git config gpg.format openpgp
- name: ⚙️ Preparing the build environment.
shell: bash
run: |
set -euo pipefail
mkdir -p /opt/config
mkdir -p /opt/livebuild
touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
- name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
shell: bash
run: |
set -euo pipefail
chmod 0755 ciss_live_builder.sh
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
./ciss_live_builder.sh \
--autobuild=6.1.0-37-amd64 \
--architecture amd64 \
--build-directory /opt/livebuild \
--control "${timestamp}" \
--debug \
--dhcp-centurion \
--jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
--provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
--root-password-file /opt/config/password.txt \
--ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
--ssh-pubkey /opt/config
- name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
shell: bash
env:
NC_BASE: "https://cloud.e2ee.li"
SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
run: |
set -euo pipefail
SHARE_SUBDIR=""
echo "📥 Get directory listing via PROPFIND ..."
curl -s \
--user "${SHARE_TOKEN}:${SHARE_PASS}" \
-X PROPFIND \
-H "Depth: 1" \
"${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
-o propfind_public.xml
echo "📥 Filter .iso files from the PROPFIND response ..."
grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
echo "💡 Old ISO files found and deleted :"
while IFS= read -r href; do
FILE_URL="${NC_BASE}${href}"
echo " Delete: ${FILE_URL}"
if curl -s \
--user "${SHARE_TOKEN}:${SHARE_PASS}" \
-X DELETE "${FILE_URL}"; then
echo " ✅ Successfully deleted: $(basename "${href}")"
else
echo " ❌ Error: $(basename "${href}") could not be deleted"
fi
done < public_iso_list.txt
else
echo "💡 No old ISO files found to delete."
fi
- name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
shell: bash
env:
NC_BASE: "https://cloud.e2ee.li"
SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
run: |
set -euo pipefail
if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
echo "❌ There must be exactly one .iso file in the directory!"
exit 1
else
VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
fi
AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
--upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
echo "✅ New ISO successfully uploaded."
else
echo "❌ Uploading the new ISO failed."
exit 1
fi
- name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
shell: bash
run: |
if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
echo "❌ There must be exactly one .iso file in the directory!"
exit 1
else
VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
fi
VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
touch "${VAR_ISO_FILE_SHA512}"
sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
touch "${SIGNATURE_FILE}"
export GNUPGHOME="$(pwd)/.gnupg"
gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
PRIVATE_FILE="LIVE_ISO_FLV_0.private"
touch "${PRIVATE_FILE}"
cat << EOF >| "${PRIVATE_FILE}"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
CISS.debian.live.builder ISO :
"${VAR_ISO_FILE_NAME}"
CISS.debian.live.builder ISO sha512 :
$(< "${VAR_ISO_FILE_SHA512}")
CISS.debian.live.builder ISO sha512 sign :
$(< "${SIGNATURE_FILE}")
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
EOF
- name: 🚧 Stash local changes (including untracked).
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Temporarily store any local modifications or untracked files.
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
echo "🔄 Fetching origin/master ..."
git fetch origin master
echo "🔁 Merging origin/master into current branch ..."
git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
echo "📋 Post-merge status :"
git status
git log --oneline -n 5
- name: 🛠️ Restore stashed changes.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Apply previously stashed changes.
git stash pop || echo "✔️ Nothing to pop."
- name: 📦 Stage generated files.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
PRIVATE_FILE="LIVE_ISO_FLV_0.private"
git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
- name: 🔑 Commit and sign changes with CI metadata.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
if git diff --cached --quiet; then
echo "✔️ No staged changes to commit."
else
echo "📝 Committing changes with GPG signature ..."
### CI Metadata
TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
HOSTNAME="$(hostname -f || hostname)"
GIT_SHA="$(git rev-parse --short HEAD)"
GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 0 [skip ci]
${CI_HEADER}
Generated at : ${TIMESTAMP_UTC}
Runner Host : ${HOSTNAME}
Workflow ID : ${WORKFLOW_ID}
Git Commit : ${GIT_SHA} HEAD -> ${GIT_REF}
"
echo "🔏 Commit message :"
echo "${COMMIT_MSG}"
git commit -S -m "${COMMIT_MSG}"
fi
- name: 🔁 Push back to repository.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
git push origin HEAD:${GITHUB_REF_NAME}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

482
.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
View File

@@ -1,482 +0,0 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.13.008.2025.08.22
name: 🔐 Generating a Private Live ISO FLV 1.
permissions:
contents: write
on:
push:
branches:
- master
paths:
- '.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml'
jobs:
generate-private-ciss-debian-live-iso:
name: 🔐 Generating a Private Live ISO FLV 1.
runs-on: ciss.debian.live.builder.iso.generator
### Run all steps inside Debian Bookworm
container:
image: debian:bookworm
steps:
- name: 🛠️ Basic Image Setup and enable Bookworm Backports.
run: |
apt-get update -y
apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
echo 'deb https://deb.debian.org/debian bookworm-backports main' \
>| /etc/apt/sources.list.d/bookworm-backports.list
apt-get update -y
apt-get upgrade -y
- name: 🛠️ Installing Build Tools.
shell: bash
run: |
apt-get update -y
apt-get install -y \
autoconf \
automake \
build-essential \
cryptsetup \
curl \
debootstrap \
dosfstools \
efibootmgr \
gettext \
git \
gnupg \
haveged \
libbz2-dev \
zlib1g-dev \
liblzma-dev \
libtool \
live-build \
parted \
pkg-config \
ssh \
ssl-cert \
sudo \
texinfo \
wget \
whois \
- name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
shell: bash
run: |
urls=(
"https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
"https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
"https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
"https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
"https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
"https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
)
wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
gpg --batch --import signature_key.asc
for url in "${urls[@]}"; do
archive_name="${url##*/}"
pkg_name="${archive_name%.tar.bz2}"
echo "🔄 Processing ${pkg_name}"
if [[ ! -f "${archive_name}" ]]; then
echo "📥 Downloading: '${archive_name}'."
if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
echo "✅ Download successful: '${archive_name}'."
else
echo "❌ Download NOT successful: '${archive_name}'."
exit 1
fi
else
echo "💡 Skipping download, package already exists: '${archive_name}'."
fi
if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
if [[ ! -d "${pkg_name}" ]]; then
echo "📂 Extracting: '${archive_name}'."
if tar -xjf "${archive_name}"; then
echo "✅ Extraction successful: '${archive_name}'."
else
echo "❌ Extraction not successful: '${archive_name}'."
exit 1
fi
else
echo "💡 Skipping directory, already exists: '${pkg_name}'."
fi
echo "🏗️ Build and install the package: '${pkg_name}'."
cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
mkdir -p build
cd build || { echo "❌ Could not change to '/build'."; exit 1; }
sudo ../configure > /dev/null 2>&1 || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
echo "✅ Successful build and installation of '${pkg_name}'."
echo "-------------------------------------------------------------------------------------"
done
rm -f signature_key.asc
echo "✅ All packages were built and installed successfully."
mv_bin=(
"/usr/bin/gpg"
"/usr/bin/gpg-agent"
"/usr/bin/gpgconf"
"/usr/bin/gpg-connect-agent"
"/usr/bin/gpg-wks-client"
"/usr/bin/gpg-preset-passphrase"
)
for bin in "${mv_bin[@]}"; do
name="${bin##*/}"
if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
if mv "${bin}" "${bin}.debian-backup"; then
echo "✅ Moved successfully: '${bin}'."
else
echo "❌ Moved NOT successfully: '${bin}'."
fi
else
echo "💡 Does not exist as build binary: '${bin}'."
fi
done
for bin in "${mv_bin[@]}"; do
name="${bin##*/}"
if [[ -f "/usr/local/bin/${name}" ]]; then
if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
echo "✅ 'update-alternatives' successfully: '${bin}'."
else
echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
fi
else
echo "💡 Does not exist: '/usr/local/bin/${name}'."
fi
done
sudo ldconfig
gpgconf --kill all
/usr/local/bin/gpg-agent --daemon
- name: ⚙️ Check GnuPG Version.
shell: bash
run: |
gpg --version
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
shell: bash
run: |
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
Host git.coresecret.dev
HostName git.coresecret.dev
Port 42842
IdentityFile ~/.ssh/id_ed25519
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
shell: bash
env:
### GITHUB_REF_NAME contains the branch name from the push event.
GITHUB_REF_NAME: ${{ github.ref_name }}
run: |
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
- name: 🛠️ Cleaning the workspace.
shell: bash
run: |
git reset --hard
git clean -fd
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
shell: bash
run: |
set -euo pipefail
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m 700 "${GNUPGHOME}"
echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
gpg --batch --import centurion-root.PUB.asc
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
shell: bash
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
git config user.email "msw+bot@coresecret.dev"
git config commit.gpgsign true
git config gpg.program gpg
git config gpg.format openpgp
- name: ⚙️ Preparing the build environment.
shell: bash
run: |
set -euo pipefail
mkdir -p /opt/config
mkdir -p /opt/livebuild
touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt
echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys
- name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
shell: bash
run: |
set -euo pipefail
chmod 0755 ciss_live_builder.sh
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
./ciss_live_builder.sh \
--autobuild=6.1.0-37-amd64 \
--architecture amd64 \
--build-directory /opt/livebuild \
--control "${timestamp}" \
--jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
--root-password-file /opt/config/password.txt \
--ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
--ssh-pubkey /opt/config
- name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
shell: bash
env:
NC_BASE: "https://cloud.e2ee.li"
SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
run: |
set -euo pipefail
SHARE_SUBDIR=""
echo "📥 Get directory listing via PROPFIND ..."
curl -s \
--user "${SHARE_TOKEN}:${SHARE_PASS}" \
-X PROPFIND \
-H "Depth: 1" \
"${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
-o propfind_public.xml
echo "📥 Filter .iso files from the PROPFIND response ..."
grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
echo "💡 Old ISO files found and deleted :"
while IFS= read -r href; do
FILE_URL="${NC_BASE}${href}"
echo " Delete: ${FILE_URL}"
if curl -s \
--user "${SHARE_TOKEN}:${SHARE_PASS}" \
-X DELETE "${FILE_URL}"; then
echo " ✅ Successfully deleted: $(basename "${href}")"
else
echo " ❌ Error: $(basename "${href}") could not be deleted"
fi
done < public_iso_list.txt
else
echo "💡 No old ISO files found to delete."
fi
- name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
shell: bash
env:
NC_BASE: "https://cloud.e2ee.li"
SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
run: |
set -euo pipefail
if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
echo "❌ There must be exactly one .iso file in the directory!"
exit 1
else
VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
fi
AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
--upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
echo "✅ New ISO successfully uploaded."
else
echo "❌ Uploading the new ISO failed."
exit 1
fi
- name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
shell: bash
run: |
if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
echo "❌ There must be exactly one .iso file in the directory!"
exit 1
else
VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
fi
VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
touch "${VAR_ISO_FILE_SHA512}"
sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
touch "${SIGNATURE_FILE}"
export GNUPGHOME="$(pwd)/.gnupg"
gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
PRIVATE_FILE="LIVE_ISO_FLV_1.private"
touch "${PRIVATE_FILE}"
cat << EOF >| "${PRIVATE_FILE}"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
CISS.debian.live.builder ISO :
"${VAR_ISO_FILE_NAME}"
CISS.debian.live.builder ISO sha512 :
$(< "${VAR_ISO_FILE_SHA512}")
CISS.debian.live.builder ISO sha512 sign :
$(< "${SIGNATURE_FILE}")
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
EOF
- name: 🚧 Stash local changes (including untracked).
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Temporarily store any local modifications or untracked files.
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
echo "🔄 Fetching origin/master ..."
git fetch origin master
echo "🔁 Merging origin/master into current branch ..."
git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
echo "📋 Post-merge status :"
git status
git log --oneline -n 5
- name: 🛠️ Restore stashed changes.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
### Apply previously stashed changes.
git stash pop || echo "✔️ Nothing to pop."
- name: 📦 Stage generated files.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
PRIVATE_FILE="LIVE_ISO_FLV_1.private"
git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
- name: 🔑 Commit and sign changes with CI metadata.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
if git diff --cached --quiet; then
echo "✔️ No staged changes to commit."
else
echo "📝 Committing changes with GPG signature ..."
### CI Metadata
TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
HOSTNAME="$(hostname -f || hostname)"
GIT_SHA="$(git rev-parse --short HEAD)"
GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 1 [skip ci]
${CI_HEADER}
Generated at : ${TIMESTAMP_UTC}
Runner Host : ${HOSTNAME}
Workflow ID : ${WORKFLOW_ID}
Git Commit : ${GIT_SHA} HEAD -> ${GIT_REF}
"
echo "🔏 Commit message :"
echo "${COMMIT_MSG}"
git commit -S -m "${COMMIT_MSG}"
fi
- name: 🔁 Push back to repository.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
git push origin HEAD:${GITHUB_REF_NAME}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

2
LINTER_RESULTS.txt
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
This file was automatically generated by the DEPLOY BOT on: "2025-08-22T16:12:01Z" This file was automatically generated by the DEPLOY BOT on: "2025-08-22T17:25:58Z"
✅ The last linter check was successful. ✅ ✅ The last linter check was successful. ✅

27
LIVE_ISO_FLV_1.private
View File

@@ -1,27 +0,0 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
This file was automatically generated by the DEPLOY BOT on: "2025-08-11T21:40:41Z".
CISS.debian.live.builder ISO :
"ciss-debian-live-2025_08_11T20_53_16Z-amd64.hybrid.iso"
CISS.debian.live.builder ISO sha512 :
b8bcba496881e7f4e881b6816975410f6f07bd70f069f73db4ce84d61bb9758a37087753d28b212ed26b163d84176d5df97fdb1d3356a0667e15cf81d388feb6
CISS.debian.live.builder ISO sha512 sign :
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaJpjWQAKCRA85KY4hzOw
IVM1AQD2lkvQOmkcR4LlCk0f6FUcqIMRRlBIwjhDiaWTKjZgeAD/cc4skxFCGmLU
EhHNg/3ZoE6PGxe4Y5UFuQnJhDZe/w8=
=rwBS
-----END PGP SIGNATURE-----
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

14
LIVE_ISO_FLV_0.private → LIVE_ISO_TRIXIE_1.private
View File

@@ -9,19 +9,19 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
This file was automatically generated by the DEPLOY BOT on: "2025-08-22T15:41:07Z" This file was automatically generated by the DEPLOY BOT on: "2025-08-22T17:41:13Z"
CISS.debian.live.builder ISO : CISS.debian.live.builder ISO :
"ciss-debian-live-2025_08_22T14_52_42Z-amd64.hybrid.iso" "ciss-debian-live-2025_08_22T16_56_12Z-amd64.hybrid.iso"
CISS.debian.live.builder ISO sha512 : CISS.debian.live.builder ISO sha512 :
cfc40206478bdd95fce37b864c4e73ecb91b598edd859447ead66878ae5c1c4da6c44145a8c8bb18879ba8b0b54a3663ec3cfc9b8be7661a3132a6c2cd42c0e5 4925332b61dbd91f0c444624bbe7de586dbd911fbb27b080a99e44ae312c5139afc502d0415d0bef7dfbd1e5461c07e0a0700f7206e746a91cbcb5403ef003e3
CISS.debian.live.builder ISO sha512 sign : CISS.debian.live.builder ISO sha512 sign :
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaKiPkwAKCRA85KY4hzOw iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaKiruQAKCRA85KY4hzOw
IZOlAP9MwC5NLBoHiyCBo2BxxAVDbpyixv9KMh/PCedExdNQ9AD+KWXXTckz8295 IdoTAQDqyOBkGA0xDoLsDvjFSaf3tmzz8mD/5qvsDtF6y/rEWwD/dAXzMOdQjxg8
so9rKEaE4GcQLAY1q6o0t3ylJoIYbQg= IcK+GK6u4k5/HT5bYlCvTy/WxRb5ggQ=
=lBu8 =boDM
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

70
README.md
View File

@@ -11,7 +11,7 @@ include_toc: true
[![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html) [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
&nbsp; &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.2-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.5-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
@@ -70,7 +70,16 @@ separate directory tree, employs `DynamicUser` features, and adheres to strict s
rating of **``2.6``**). Docker containers used by runners do not run in privileged mode. Security is further enhanced through the use rating of **``2.6``**). Docker containers used by runners do not run in privileged mode. Security is further enhanced through the use
of both UFW software firewalls and dedicated hardware firewall appliances. of both UFW software firewalls and dedicated hardware firewall appliances.
## 1.2. Immutable Source-of-Truth System ## 1.2. Match Host and Target Versions
Build, for example, a Debian Trixie live image only on a Debian Trixie host. The build toolchain and boot artifacts are
release-specific: ``live-build``, ``live-boot``, ``live-config``, ``debootstrap``, ``kernel/initramfs`` tools, ``mksquashfs``,
``GRUB/ISOLINUX``, and even ``dpkg/apt`` often change defaults and formats between releases (e.g., compression modes, SquashFS
options, hook ordering, systemd/udev behavior). Building on a different host release commonly yields non-reproducible or even
unbootable ISOs (missing modules/firmware, ABI mismatches, divergent paths). Keeping host and target on the same version ensures
reproducible builds, matching dependencies, and compatible boot artifacts.
## 1.3. Immutable Source-of-Truth System
This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static
source-code definitions. All configurations, system components, and installation routines are embedded during build time and source-code definitions. All configurations, system components, and installation routines are embedded during build time and
@@ -103,11 +112,11 @@ After build and configuration, the following audit reports can be generated:
* **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations. * **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations.
Type `ssh-audit <IP>:<PORT>`. See example report: **[SSH Audit Report](/docs/AUDIT_SSH.md)** Type `ssh-audit <IP>:<PORT>`. See example report: **[SSH Audit Report](/docs/AUDIT_SSH.md)**
## 1.3. Preview ## 1.4. Preview
![CISS.debian.live.builder](/docs/screenshots/CISS.debian.live.builder_preview.jpeg) ![CISS.debian.live.builder](/docs/screenshots/CISS.debian.live.builder_preview.jpeg)
## 1.4. Caution. Significant information for those considering using D-I. ## 1.5. Caution. Significant information for those considering using D-I.
**The Debian Installer (d-i) will ALWAYS boot a new system.**<br> **The Debian Installer (d-i) will ALWAYS boot a new system.**<br>
@@ -138,7 +147,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
* Logging (rsyslog, journald) ✘ not active, * Logging (rsyslog, journald) ✘ not active,
* preseed control over the network is possible (but without any protection). * preseed control over the network is possible (but without any protection).
## 1.5. Versioning Schema ## 1.6. Versioning Schema
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date. This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
@@ -149,7 +158,7 @@ Example: `V8.13.008.2025.08.22`
Date (YYYY.MM.DD) denotes the build or release date, facilitating clear tracking of incremental changes and ensuring Date (YYYY.MM.DD) denotes the build or release date, facilitating clear tracking of incremental changes and ensuring
reproducibility and traceability. reproducibility and traceability.
## 1.6. Keywords ## 1.7. Keywords
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this Repo are to be interpreted as described in [[BCP 14](https://www.rfc-editor.org/info/bcp14)], "MAY", and "OPTIONAL" in this Repo are to be interpreted as described in [[BCP 14](https://www.rfc-editor.org/info/bcp14)],
@@ -414,26 +423,27 @@ predictable script behavior.
# 4. Prerequisites # 4. Prerequisites
* **Host**: Debian Bookworm or newer with `live-build` package installed. * **Host**: Debian Trixie with `live-build` and ``debootstrap`` packages installed.
* **Privileges**: Root or sudo access to execute `ciss_live_builder.sh` and related scripts. * **Privileges**: Root or sudo access to execute `ciss_live_builder.sh` and related scripts.
* **Network**: Outbound access to Debian repositories and PTB NTPsec pool. * **Network**: Outbound access to Debian repositories and PTB NTPsec pool.
# 5. Installation & Usage # 5. Installation & Usage
# 5.1. Interactive CLI / Dialog Wrapper ## 5.1. Interactive CLI / Dialog Wrapper
1. Clone the repository: 1. Clone the repository:
```bash ```bash
git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
cd CISS.debian.live.builder cd CISS.debian.live.builder
``` ```
2. Preparation: 2. Preparation:
1. Ensure you are root. 1. Ensure you are root.
2. Create the build directory `mkdir /opt/livebuild`. 2. Create the build directory `mkdir /opt/livebuild`.
3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory. 3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory. 4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
5. Make any other changes you need to. 5. Make any other changes you need to.
3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example): 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
````bash ````bash
@@ -454,6 +464,7 @@ predictable script behavior.
--ssh-pubkey /opt/gitea/CISS.debian.live.builder \ --ssh-pubkey /opt/gitea/CISS.debian.live.builder \
--trixie --trixie
```` ````
4. Locate your ISO in the `--build-directory`. 4. Locate your ISO in the `--build-directory`.
5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel. 5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
6. Type `sysp` for the final kernel hardening features. 6. Type `sysp` for the final kernel hardening features.
@@ -461,7 +472,46 @@ predictable script behavior.
8. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit. 8. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit.
9. Type `celp` for some shortcuts. 9. Type `celp` for some shortcuts.
# 5.2. CI/CD Gitea Runner Workflow Example ## 5.2. Make Wrapper, Quick Usage
This repo ships a thin make wrapper around ``./ciss_live_builder.sh``, so you can compose a correctly quoted command and either
preview it or run it.
1. Clone the repository:
```bash
git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
cd CISS.debian.live.builder
```
2. Preparation:
1. Ensure you are root.
2. Create the build directory `mkdir /opt/livebuild`.
3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
5. Copy and edit the sample and set your options (no spaces around commas in lists):
````bash
cp config.mk.sample config.mk
````
````bash
BUILD_DIR=/opt/livebuild
ROOT_PASSWORD_FILE=/opt/gitea/CISS.debian.live.builder/password.txt
SSH_PORT=4242
SSH_PUBKEY=/root/.ssh
# Optional
PROVIDER_NETCUP_IPV6=2001:cdb::1
# comma-separated; IPv6 in [] is fine
JUMP_HOSTS=[2001:db8::1],[2001:db8::2]
````
3. Dry-run first (prints the exact command): ````make dry-run````
4. Execute the build: ````make live````
## 5.3. CI/CD Gitea Runner Workflow Example
1. Clone the repository: 1. Clone the repository:

2
docs/DOCUMENTATION.md
View File

@@ -121,7 +121,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
specified PATH into the Live ISO. MUST be provided. specified PATH into the Live ISO. MUST be provided.
--trixie --trixie
Create a Debian Trixie Live ISO. Experimental Feature. Create a Debian Trixie Live ISO.
--version, -v --version, -v
Displays version of ./ciss_live_builder.sh. Displays version of ./ciss_live_builder.sh.

8
lib/lib_trap_on_err.sh
View File

@@ -119,15 +119,18 @@ print_scr_err() {
# $5: ${BASH_COMMAND} # $5: ${BASH_COMMAND}
####################################### #######################################
trap_on_err() { trap_on_err() {
trap - ERR trap - DEBUG ERR INT TERM
declare -g ERRCODE="$1" declare -g ERRCODE="$1"
declare -g ERRSCRT="$2" declare -g ERRSCRT="$2"
declare -g ERRLINE="$3" declare -g ERRLINE="$3"
declare -g ERRFUNC="$4" declare -g ERRFUNC="$4"
declare -g ERRCMMD="$5" declare -g ERRCMMD="$5"
# shellcheck disable=SC2034
declare -g ERRTRAP="true"
if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
clean_up "${ERRCODE}" clean_up "${ERRCODE}"
if ! $VAR_HANDLER_AUTOBUILD; then clean_screen; fi if ! "${VAR_HANDLER_AUTOBUILD}"; then clean_screen; fi
print_file_err print_file_err
print_scr_err print_scr_err
} }
@@ -148,6 +151,7 @@ dump_user_vars() {
set +x set +x
{ {
declare var declare var
# shellcheck disable=SC2312
while IFS= read -r var; do while IFS= read -r var; do
declare -p "${var}" 2>/dev/null declare -p "${var}" 2>/dev/null
done < <(compgen -v | grep -Ev '^(BASH|_).*') done < <(compgen -v | grep -Ev '^(BASH|_).*')

2
lib/lib_trap_on_exit.sh
View File

@@ -20,7 +20,7 @@ guard_sourcing
# $1: $? # $1: $?
####################################### #######################################
trap_on_exit() { trap_on_exit() {
trap - EXIT trap - DEBUG ERR EXIT INT TERM
declare -r var_trap_on_exit_code="$1" declare -r var_trap_on_exit_code="$1"
if (( var_trap_on_exit_code == 0 )); then if (( var_trap_on_exit_code == 0 )); then
if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi

2
lib/lib_usage.sh
View File

@@ -149,7 +149,7 @@ usage() {
echo " specified PATH into the Live ISO. MUST be provided." echo " specified PATH into the Live ISO. MUST be provided."
echo echo
echo -e "\e[97m --trixie \e[0m" echo -e "\e[97m --trixie \e[0m"
echo " Create a Debian Trixie Live ISO. Experimental Feature" echo " Create a Debian Trixie Live ISO."
echo echo
echo -e "\e[97m --version, -v \e[0m" echo -e "\e[97m --version, -v \e[0m"
echo " Show version of ${0}." echo " Show version of ${0}."