#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

guard_sourcing

#######################################
# Wrapper to write a new 'lb config' environment.
# Globals:
#   VAR_ARCHITECTURE
#   VAR_HANDLER_BUILD_DIR
#   VAR_HANDLER_ISO_COUNTER
#   VAR_KERNEL
#   VAR_VERSION
#   VAR_WORKDIR
# Arguments:
#   None
# Returns:
#   0: on success
#######################################
lb_config_write_trixie() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Writing new config ... \e[0m\n"

  lb config \
    --apt apt \
    --apt-indices true \
    --apt-recommends true \
    --apt-secure true \
    --apt-source-archives true \
    --architecture "${VAR_ARCHITECTURE}" \
    --archive-areas main contrib non-free non-free-firmware \
    --backports true \
    --binary-filesystem fat32 \
    --binary-image iso-hybrid \
    --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
    --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
    --bootloaders grub-efi \
    --cache true \
    --checksums sha512 sha256 md5 \
    --chroot-filesystem squashfs \
    --chroot-squashfs-compression-level 22 \
    --chroot-squashfs-compression-type zstd \
    --color \
    --compression bzip2 \
    --debconf-frontend noninteractive \
    --debconf-priority critical \
    --debian-installer cdrom \
    --debian-installer-distribution trixie \
    --debian-installer-gui true \
    --debian-installer-preseedfile "preseed.cfg" \
    --debug \
    --distribution trixie \
    --distribution-binary trixie \
    --distribution-chroot trixie \
    --firmware-binary true \
    --firmware-chroot true \
    --hdd-label "CENTURIONLIVE" \
    --image-name "ciss-debian-live-${VAR_HANDLER_ISO_COUNTER}" \
    --initramfs "live-boot" \
    --initramfs-compression gzip \
    --initsystem systemd \
    --iso-application "CISS.debian.live.builder: ${VAR_VERSION} - Debian-Live-Build: 20250505 - Debian-Installer: trixie" \
    --iso-preparer '(C) 2018-2025, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
    --iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
    --iso-volume 'CISS.debian.live' \
    --linux-flavours "${VAR_KERNEL}" \
    --linux-packages linux-image \
    --loadlin true \
    --memtest memtest86+ \
    --mirror-binary 'https://deb/debian.org/debian/' \
    --mirror-binary-security 'https://security.debian.org/' \
    --mirror-bootstrap 'https://deb.debian.org/debian/' \
    --mirror-chroot 'https://deb.debian.org/debian/' \
    --mirror-chroot-security 'https://security.debian.org/' \
    --mirror-debian-installer 'https://deb.debian.org/debian/' \
    --mode debian \
    --parent-archive-areas main contrib non-free non-free-firmware \
    --parent-debian-installer-distribution trixie \
    --parent-distribution trixie \
    --parent-distribution-binary trixie \
    --parent-distribution-chroot trixie \
    --parent-mirror-binary 'https://deb.debian.org/debian/' \
    --parent-mirror-binary-security 'https://security.debian.org/' \
    --parent-mirror-bootstrap 'https://deb.debian.org/debian/' \
    --parent-mirror-chroot 'https://deb.debian.org/debian/' \
    --parent-mirror-chroot-security 'https://security.debian.org/' \
    --parent-mirror-debian-installer 'https://deb.debian.org/debian/' \
    --security true \
    --system live \
    --source false \
    --source-images tar \
    --uefi-secure-boot auto \
    --updates true \
    --utc-time true \
    --verbose

  sleep 1

  sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary
  sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary

  mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot"
  cp -a "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
  chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
  chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"

  ### https://wiki.debian.org/ReproducibleInstalls/LiveImages
  ### https://reproducible-builds.org/docs/system-images/
  ### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes
  mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/rootfs"
  cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes"
boot/initrd.img-*
boot/vmlinux-*
boot/vmlinuz-*
debootstrap
debootstrap/*
root/.wget-hsts
tmp/*
usr/lib/firmware/amd-ucode/*
usr/lib/firmware/intel-ucode/*
var/cache/apt/pkgcache.bin
var/cache/apt/srcpkgcache.bin
var/lib/apt/lists/*
var/lib/initramfs-tools/*-amd64
EOF
  chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes"

  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"

  return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f lb_config_write_trixie
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh