msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

Compare commits

base: msw:d7bc22b7ff0e1f5b4fb58c093c21af25c997a8b400629c6c64f99bd9562ef30f
Branches Tags
msw:master
msw:v8.13.142-stable msw:v8.13.008-stable msw:v8.03.864-stable msw:v8.03.832-stable msw:v8.03.768-stable msw:v8.03.644-stable
...
compare: msw:ea76e9d5cbdc1c04bea4cd239cf8b3a030f932378ec2204f63f06e9c802db02d
Branches Tags
msw:master
msw:v8.13.142-stable msw:v8.13.008-stable msw:v8.03.864-stable msw:v8.03.832-stable msw:v8.03.768-stable msw:v8.03.644-stable

2 Commits
d7bc22b7ff ... ea76e9d5cb

Author SHA256 Message Date
Marc S. Weidner
ea76e9d5cb V8.02.768.2025.06.01 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-06-01 20:23:19 +02:00
Marc S. Weidner
6e1cf484ee V8.02.768.2025.06.01 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-06-01 20:20:53 +02:00
4 changed files with 70 additions and 102 deletions
Expand all files Collapse all files

150
.gitea/workflows/generate-iso.yaml
View File

@@ -36,12 +36,13 @@ jobs:
- name: Basic Image Setup and enable Bookworm Backports.
run: |
apt-get update
apt-get install -y apt-transport-https apt-utils ca-certificates openssl sudo
apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
echo 'deb https://deb.debian.org/debian bookworm-backports main' \
>| /etc/apt/sources.list.d/bookworm-backports.list
apt-get update
- name: Installing Build Tools.
shell: bash
run: |
apt-get update
apt-get install -y \
@@ -63,9 +64,11 @@ jobs:
- name: Check GnuPG Version.
run: |
shell: bash
gpg --version
- name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
shell: bash
run: |
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
@@ -90,6 +93,7 @@ jobs:
### https://github.com/actions/checkout/issues/1843
- name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
shell: bash
run: |
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
@@ -98,11 +102,13 @@ jobs:
GITHUB_REF_NAME: ${{ github.ref_name }}
- name: Cleaning the workspace.
shell: bash
run: |
git reset --hard
git clean -fd
- name: Importing the 'CI PGP DEPLOY ONLY' key.
shell: bash
run: |
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
@@ -112,9 +118,9 @@ jobs:
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
shell: bash
- name: Configuring Git for signed CI/DEPLOY commits.
shell: bash
run: |
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
@@ -124,82 +130,55 @@ jobs:
git config gpg.format openpgp
- name: Preparing the build environment.
shell: bash
run: |
mkdir -p opt/config
mkdir -p opt/livebuild
touch opt/config/password.txt && chmod 0600 opt/config/password.txt
touch opt/config/authorized_keys && chmod 0600 opt/config/authorized_keys
echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| opt/config/password.txt
echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| opt/config/authorized_keys
#mkdir -p opt/livebuild/chroot/dev
#mknod opt/livebuild/chroot/dev/null c 1 3
#chmod 666 opt/livebuild/chroot/dev/null
- name: Preparing Centurion Cloud for LIVE ISO Upload.
shell: bash
run: |
set -euo pipefail
NC_BASE="https://cloud.e2ee.li"
SHARE_TOKEN="${{ secrets.CENTURION_CLOUD_UL_USER }}"
SHARE_PASS="${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
SHARE_SUBDIR=""
mkdir -p config/hooks/normal
touch config/hooks/normal/0000-fix-dev.chroot
chmod 0775 config/hooks/normal/0000-fix-dev.chroot
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ Creating 'config/hooks/normal/0000-fix-dev.chroot'. \e[0m\n"
cat << 'EOF' >| config/hooks/normal/0000-fix-dev.chroot
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
if [ ! -e /dev/null ]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ [0000-fix-dev.chroot] Creating /dev/null manually. \e[0m\n"
mknod -m 666 /dev/null c 1 3
echo "Get directory listing via PROPFIND ..."
curl -s \
--user "${SHARE_TOKEN}:${SHARE_PASS}" \
-X PROPFIND \
-H "Depth: 1" \
"${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
-o propfind_public.xml
echo "Filter .iso files from the PROPFIND response ..."
grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
echo "Old ISO files found and deleted :"
while IFS= read -r href; do
FILE_URL="${NC_BASE}${href}"
echo " Delete: ${FILE_URL}"
if curl -s \
--user "${SHARE_TOKEN}:${SHARE_PASS}" \
-X DELETE "${FILE_URL}"; then
echo " ✅ Successfully deleted: $(basename "${href}")"
else
echo " ❌ Error: $(basename "${href}") could not be deleted"
fi
done < public_iso_list.txt
else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ [0000-fix-dev.chroot] /dev/null inside chroot present. \e[0m\n"
echo "No old ISO files found to delete."
fi
chmod 666 /dev/null
EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ Creating 'config/hooks/normal/0000-fix-dev.chroot'. \e[0m\n"
ls -l config/hooks/normal/0000-fix-dev.chroot
###
mkdir -p config/hooks/early
touch config/hooks/early/0000-fix-dev
chmod 0775 config/hooks/early/0000-fix-dev
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 'Creating config/hooks/early/0000-fix-dev'. \e[0m\n"
cat << 'EOF' >| config/hooks/early/0000-fix-dev
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
CHROOT="${LB_CHROOT:-chroot}"
if [[ ! -e "${CHROOT}/dev/null" ]]; then
printf "\e[95m[0000-fix-dev] Creating /dev/null inside chroot manually.\e[0m\n"
mkdir -p "${CHROOT}/dev"
mknod -m 666 "${CHROOT}/dev/null" c 1 3
else
printf "\e[92m[0000-fix-dev] /dev/null inside chroot already exists.\e[0m\n"
fi
chmod 666 "${CHROOT}/dev/null"
EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ Creating 'config/hooks/early/0000-fix-dev'. \e[0m\n"
ls -l config/hooks/early/0000-fix-dev
###
rm -f propfind_public.xml public_iso_list.txt
- name: Starting CISS.debian.live.builder. This may take a while ...
shell: bash
run: |
chmod 0755 ciss_live_builder.sh
timestamp=$(date -u +"%Y_%m_%d_%H_%M_Z")
@@ -225,42 +204,8 @@ jobs:
echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
fi
- name: Preparing Centurion Cloud for LIVE ISO Upload.
run: |
NC_BASE="https://cloud.e2ee.li"
SHARE_TOKEN="${{ secrets.CENTURION_CLOUD_UL_USER }}"
SHARE_PASS="${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
SHARE_SUBDIR=""
echo "Get directory listing via PROPFIND ..."
curl -s \
--user "${SHARE_TOKEN}:${SHARE_PASS}" \
-X PROPFIND \
-H "Depth: 1" \
"${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
-o propfind_public.xml
echo "Filter .iso files from the PROPFIND response ..."
grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt
if [[ -s public_iso_list.txt ]]; then
echo "Old ISO files found and deleted :"
while IFS= read -r href; do
FILE_URL="${NC_BASE}${href}"
echo " Delete: ${FILE_URL}"
curl -s \
--user "${SHARE_TOKEN}:${SHARE_PASS}" \
-X DELETE \
"${FILE_URL}"
if [[ $? -eq 0 ]]; then
echo " ✅ Successfully deleted: $(basename "${href}")"
else
echo " ❌ Error: $(basename "${href}") could not be deleted"
fi
done < public_iso_list.txt
else
echo "No old ISO files found to delete."
fi
rm -f propfind_public.xml public_iso_list.txt
- name: Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
shell: bash
run: |
curl --progress-bar \
--retry 2 \
@@ -275,6 +220,7 @@ jobs:
fi
- name: Generating a hash of ISO and signing with the 'CI PGP DEPLOY ONLY' key.
shell: bash
run: |
VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_PATH}.sha512"
sha512sum "${VAR_ISO_FILE}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
@@ -284,6 +230,7 @@ jobs:
rm -f "${VAR_ISO_FILE_PATH}"
- name: Generate a success message file to push back into the repository.
shell: bash
run: |
PRIVATE_FILE="LIVE_ISO.private"
touch "${PRIVATE_FILE}"
@@ -310,12 +257,14 @@ jobs:
EOF
- name: Stage generated files.
shell: bash
run: |
git add "${PRIVATE_FILE}"
env:
GIT_SSH_COMMAND: "ssh -p 42842"
- name: Commit and Sign changes.
shell: bash
run: |
export GNUPGHOME="$(pwd)/.gnupg"
git commit -S -m "DEPLOY BOT: Auto-Generate LIVE ISO [skip ci]" || echo "No Changes, nothing to Sign or to Commit."
@@ -323,6 +272,7 @@ jobs:
GIT_SSH_COMMAND: "ssh -p 42842"
- name: Push back to Repository.
shell: bash
run: |
git push origin HEAD:${GITHUB_REF_NAME}
env:

14
.gitea/workflows/render-dnssec-status.yaml
View File

@@ -29,6 +29,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Prepare SSH Setup, SSH Deploy Key, Known Hosts, config.
shell: bash
run: |
rm -rf ~/.ssh
mkdir -p ~/.ssh
@@ -54,6 +55,7 @@ jobs:
### https://github.com/actions/checkout/issues/1843
- name: Use manual clone via SSH to circumvent Gitea SHA-256 object issues.
shell: bash
run: |
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
@@ -62,21 +64,25 @@ jobs:
GITHUB_REF_NAME: ${{ github.ref_name }}
- name: Clean workspace.
shell: bash
run: |
git reset --hard
git clean -fd
- name: Convert APT sources to HTTPS.
shell: bash
run: |
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
- name: Install DNSViz.
shell: bash
run: |
sudo apt-get update
sudo apt-get install -y dnsviz
- name: Import CI PGP DEPLOY ONLY Key.
shell: bash
run: |
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
@@ -86,9 +92,9 @@ jobs:
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
shell: bash
- name: Configure Git for signed CI DEPLOY commits.
shell: bash
run: |
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
@@ -98,27 +104,32 @@ jobs:
git config gpg.format openpgp
- name: Ensure docs/SECURITY/ directory exists.
shell: bash
run: |
mkdir -p docs/SECURITY/
rm -f docs/SECURITY/coresecret.dev.png
- name: Prepare DNS Cache.
shell: bash
run: |
sudo apt-get install -y dnsutils
dig +dnssec +multi coresecret.dev @8.8.8.8
- name: Retrieve Zone Dump and generate .png Visualization.
shell: bash
run: |
dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json
dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png
- name: Stage generated files.
shell: bash
run: |
git add docs/SECURITY/*.png
env:
GIT_SSH_COMMAND: "ssh -p 42842"
- name: Commit and Sign changes.
shell: bash
run: |
export GNUPGHOME="$(pwd)/.gnupg"
git commit -S -m "DEPLOY BOT: Auto-Generate DNSSEC Status [skip ci]" || echo "No Changes, nothing to Sign or to Commit."
@@ -126,6 +137,7 @@ jobs:
GIT_SSH_COMMAND: "ssh -p 42842"
- name: Push back to Repository.
shell: bash
run: |
git push origin HEAD:${GITHUB_REF_NAME}
env:

5
lib/lib_arg_parser.sh
View File

@@ -144,6 +144,11 @@ arg_parser() {
--build-directory)
declare -gx VAR_HANDLER_BUILD_DIR="${2}"
if [[ ! "${VAR_HANDLER_BUILD_DIR}" =~ ^/ ]]; then
if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
printf "\e[91m❌ Error: --build-directory MUST be an absolute path. Got: '%s'\n" "${VAR_HANDLER_BUILD_DIR}" >&2
exit "${ERR_NOTABSPATH}"
fi
declare -gx VAR_BUILD_LOG="${VAR_HANDLER_BUILD_DIR}/${VAR_ISO8601}_build.log"
shift 2
;;

3
var/global.var.sh
View File

@@ -55,7 +55,7 @@ declare -ga ARY_HANDLER_JUMPHOST_UNIQUE=()
declare -gir ERR_UNCRITICAL=127
declare -gir ERR_NOT_USER_0=128 # Not running as root
declare -gir ERR_FLOCK_WRTG=129 # Cannot open lockfile for writing
declare -gir ERR_FLOCK_COLL=130 # Script is already running
declare -gir ERR_FLOCK_COLL=130 # The Script is already running
declare -gir ERR_SPLASH_PNG=200 # --change-splash MUST be 'club' or 'hexagon'
declare -gir ERR_CONTROL_CT=201 # --control MUST be an integer between '1' and '65535'
declare -gir ERR_RENICE_PRI=202 # --renice-priority MUST an integer between '-19' and '19'
@@ -70,6 +70,7 @@ declare -gir ERR_PASS_LENGH=210 # --root-password-file password MUST be between
declare -gir ERR_PASS_PLICY=211 # --root-password-file password MUST NOT contain double quotes
declare -gir ERR__SSH__PORT=212 # --ssh-port MUST be an integer between '1' and '65535'
declare -gir ERR_ARG_MSMTCH=213 # Wrong Number of optional Arguments provided
declare -gir ERR_NOTABSPATH=252 # Not an absolute path
declare -gir ERR_INVLD_CHAR=253 # Invalid Character
declare -gir ERR_UNBOUNDVAR=254 # Unbound Variable
declare -gir ERR_UNSPPTBASH=255 # Unsupported Bash