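#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#
# live-build chroot hook: configure initramfs-tools for the live system.
#
# Writes /etc/initramfs-tools/{modules,update-initramfs.conf,initramfs.conf},
# installs an initramfs-tools hook that copies the verification tooling
# (gpgv, sha384sum/sha512sum, ...) and the CISS PGP trust anchors into the
# initramfs, and finally regenerates the initramfs for every installed kernel.
#
# -C (noclobber) is set deliberately: every config file below is written with
# '>|' so that re-running this hook overwrites the previous result instead of
# appending a second copy.
set -Ceuo pipefail

printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

#######################################
# Print the NIC driver modules in use on the *build host*, one per line.
#
# The names are taken from `lspci -k` ("Kernel driver in use: <module>") for
# every device whose class line matches "ethernet" (case-insensitive) and are
# de-duplicated. The result is meant to be pasted into
# /etc/initramfs-tools/modules, whose syntax is `module_name [args ...]`,
# one module per line — hence the one-per-line output (the former single
# space-joined line would have been read as one module with arguments).
#
# Globals:
#   None
# Arguments:
#   None
# Outputs:
#   Module names on stdout, one per line; nothing if no Ethernet device is
#   visible (e.g. lspci missing in the chroot or /sys not mounted). A warning
#   is printed to stderr in that case.
# Returns:
#   0: always
#######################################
grep_nic_driver_modules() {
  local -a mods=()
  local mod

  ### Gather all drivers and sort unique.
  # shellcheck disable=SC2312
  readarray -t mods < <(
    lspci -k \
      | grep -A2 -i ethernet \
      | grep 'Kernel driver in use' \
      | awk '{print $5}' \
      | sort -u
  )

  if [[ "${#mods[@]}" -eq 0 ]]; then
    printf 'WARNING: no Ethernet driver detected on the build host; none will be added to the initramfs.\n' >&2
  fi

  for mod in "${mods[@]}"; do
    printf '%s\n' "${mod}"
  done

  return 0
}

# Optional per-build environment (XDG/tmp locations); absent file is not an error.
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh

export DEBIAN_FRONTEND="noninteractive"
INITRD="No" apt-get install -y intel-microcode amd64-microcode

# Split declaration and assignment so a failure inside the substitution is
# not masked by the exit status of `declare`.
declare nic_driver
nic_driver="$(grep_nic_driver_modules)"

# NOTE: ${nic_driver} is expanded *unquoted* below on purpose. The modules file
# has no quoting syntax; a quoted value would be looked up as a module literally
# named `"e1000e"` and never load. Multiple drivers arrive newline-separated.
cat << EOF >| /etc/initramfs-tools/modules
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

# List of modules that you want to include in your initramfs.
# They will be loaded at boot time in the order below.
#
# Syntax:  module_name [args ...]
#
# You must run update-initramfs(8) to effect this change.
#
# Examples:
#
# raid1
# sd_mod

### AppArmor -------------------------------------------------------------------------------------------------------------------
apparmor

### btrfs ----------------------------------------------------------------------------------------------------------------------
btrfs
lzo
xor
xxhash
zstd
zstd_compress

### cryptography ---------------------------------------------------------------------------------------------------------------
aes_generic
blake2b_generic
crc32c_generic
cryptd
libcrc32c
sha256_generic
sha512_generic
xts

### cryptsetup -----------------------------------------------------------------------------------------------------------------
dm_crypt
dm_integrity
dm_mod
dm_verity

### Entropy --------------------------------------------------------------------------------------------------------------------
jitterentropy_rng
rng_core

### ESP/FAT/UEFI ---------------------------------------------------------------------------------------------------------------
exfat
fat
nls_ascii
nls_cp437
nls_iso8859-1
nls_iso8859-15
nls_utf8
vfat

### ext4 -----------------------------------------------------------------------------------------------------------------------
ext4
jbd2
libcrc32c

### Live-ISO -------------------------------------------------------------------------------------------------------------------
loop
squashfs
overlay

#### nftables ------------------------------------------------------------------------------------------------------------------
#nf_log_common    # built-in
#nft_counter      # built-in
#nft_icmp         # built-in
#nft_icmpv6       # built-in
#nft_meta         # built-in
#nft_set_hash     # built-in
#nft_set_rbtree   # built-in
#nft_tcp          # built-in
#nft_udp          # built-in
nf_conntrack
nf_nat
nf_reject_ipv4
nf_reject_ipv6
nf_tables
nfnetlink
nfnetlink_log
nft_ct
nft_limit
nft_log
nft_masq
nft_nat
nft_reject_inet

### NVMe -----------------------------------------------------------------------------------------------------------------------
nvme
nvme_core

### QEMU -----------------------------------------------------------------------------------------------------------------------
bochs

### RAID -----------------------------------------------------------------------------------------------------------------------
raid456
raid6_pq

### SCSI/SATA ------------------------------------------------------------------------------------------------------------------
ahci
ata_generic
libahci
libata
scsi_dh_alua
scsi_mod
sd_mod
sg
sr_mod

### USB ------------------------------------------------------------------------------------------------------------------------
ehci_pci
ohci_pci
uas
uhci_hcd
usb_storage
xhci_hcd
xhci_pci

### Virtual --------------------------------------------------------------------------------------------------------------------
virtio_blk
virtio_console
virtio_pci
virtio_rng
virtio_scsi

### Network Driver Host-machine ------------------------------------------------------------------------------------------------
# Detected on the machine that built this image; a different target NIC is
# covered by MODULES=most in initramfs.conf, not by this list.
${nic_driver}
EOF

cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

#
# The Configuration file for update-initramfs(8)
#

#
# update_initramfs [ yes | all | no ]
#
# Default is yes
# If set to all update-initramfs will update all initramfs
# If set to no disables any update to initramfs besides kernel upgrade

update_initramfs=all

#
# backup_initramfs [ yes | no ]
#
# Default is no
# If set to no leaves no .bak backup files.

backup_initramfs=no
EOF

cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

#
# initramfs.conf
# Configuration file for mkinitramfs(8). See initramfs.conf(5).
#
# Note that configuration options from this file can be overridden
# by config files in the /etc/initramfs-tools/conf.d directory.

#
# MODULES: [ most | netboot | dep | list ]
#
# most - Add most filesystem and all hard-drive drivers.
#
# dep - Try and guess that module to load.
#
# netboot - Add the base modules, network modules, but skip block devices.
#
# list - Only include modules from the 'additional modules' list
#

MODULES=most

#
# BUSYBOX: [ y | n | auto ]
#
# Use busybox shell and utilities.  If set to n, klibc utilities will be used.
# If set to auto (or unset), busybox will be used if installed and klibc will
# be used otherwise.
#

BUSYBOX=auto

#
# KEYMAP: [ y | n ]
#
# Load a keymap during the initramfs stage.
#

KEYMAP=n

#
# COMPRESS: [ gzip | bzip2 | lz4 | lzma | lzop | xz | zstd ]
#

COMPRESS=zstd

#
# COMPRESSLEVEL: ...
#
# Set a compression level for the compressor.
# Defaults vary by compressor.
#
# Valid values are:
# 1...9 for gzip|bzip2|lzma|lzop
# 0...9 for lz4|xz
# 0...19 for zstd

COMPRESSLEVEL=16

#
# DEVICE: ...
#
# Specify a specific network interface, like eth0
# Overridden by optional ip= or BOOTIF= bootarg
#

DEVICE=

#
# NFSROOT: [ auto | HOST:MOUNT ]
#

NFSROOT=auto

#
# RUNSIZE: ...
#
# The size of the /run tmpfs mount point, like 256M or 10%
# Overridden by optional initramfs.runsize= bootarg
#

RUNSIZE=10%

#
# FSTYPE: ...
#
# The filesystem type(s) to support, or "auto" to use the current root
# filesystem type
#

FSTYPE=auto
EOF

# Written with '>|' (overwrite), not '>>': appending on every run would stack
# several copies of the hook into one file and execute each of them.
# The hook runs under /bin/sh (dash), so escapes use octal \033 — dash's
# printf does not understand the bash-only \e.
cat << 'EOF' >| /etc/initramfs-tools/hooks/ciss_debian_live_builder
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#
# initramfs-tools hook: copy the tooling and PGP trust anchors the CISS
# init-premount scripts need into the initramfs image.
#
# `set -e` is intentional: copy_exec/install fail if a binary or key file is
# missing from the chroot, which aborts mkinitramfs. Producing an initramfs
# without gpgv or without the trust anchors must never succeed silently.
set -e

printf "\033[95mStarting: [0001_initramfs_modules.chroot] \n\033[0m"

PREREQ=""
prereqs() { echo "${PREREQ}"; }

# shellcheck disable=SC2249
case "${1}" in
  prereqs)
    prereqs
    exit 0
    ;;
esac

. /usr/share/initramfs-tools/hook-functions

### Ensure directory structure in initramfs
mkdir -p "${DESTDIR}/etc/ciss/keys"
mkdir -p "${DESTDIR}/etc/initramfs-tools/conf.d"
mkdir -p "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
mkdir -p "${DESTDIR}/usr/bin"
mkdir -p "${DESTDIR}/usr/local/bin"
mkdir -p "${DESTDIR}/usr/sbin"

### Include bash
copy_exec /usr/bin/bash /usr/bin/bash
printf "\033[92mSuccessfully executed: [copy_exec /usr/bin/bash /usr/bin/bash] \n\033[0m"

### Include blkid
copy_exec /usr/sbin/blkid /usr/sbin/blkid
printf "\033[92mSuccessfully executed: [copy_exec /usr/sbin/blkid /usr/sbin/blkid] \n\033[0m"

### Include busybox
# Destination must be a PATH directory: the applet symlinks below are relative
# ("busybox" next to the link), so /usr/busybox would never be resolved.
copy_exec /usr/bin/busybox /usr/bin/busybox
printf "\033[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/bin/busybox] \n\033[0m"

### Include GNU coreutils 'sort' (has -V)
copy_exec /usr/bin/sort /usr/bin/sort
printf "\033[92mSuccessfully executed: [copy_exec /usr/bin/sort /usr/bin/sort] \n\033[0m"

### Include gpgv
copy_exec /usr/bin/gpgv /usr/bin/gpgv
printf "\033[92mSuccessfully executed: [copy_exec /usr/bin/gpgv /usr/bin/gpgv] \n\033[0m"

### Include lsblk
copy_exec /usr/bin/lsblk /usr/bin/lsblk
printf "\033[92mSuccessfully executed: [copy_exec /usr/bin/lsblk /usr/bin/lsblk] \n\033[0m"

### Include mkpasswd
# Single copy on PATH; the former extra copy at /usr/mkpasswd was unreachable.
copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd
printf "\033[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd] \n\033[0m"

### Include udevadm (udev management tool)
copy_exec /usr/bin/udevadm /usr/bin/udevadm
printf "\033[92mSuccessfully executed: [copy_exec /usr/bin/udevadm /usr/bin/udevadm] \n\033[0m"

### Include sha384sum, sha512sum
copy_exec /usr/bin/sha384sum /usr/bin/sha384sum
printf "\033[92mSuccessfully executed: [copy_exec /usr/bin/sha384sum /usr/bin/sha384sum ] \n\033[0m"
copy_exec /usr/bin/sha512sum /usr/bin/sha512sum
printf "\033[92mSuccessfully executed: [copy_exec /usr/bin/sha512sum /usr/bin/sha512sum] \n\033[0m"

### Include tree
copy_exec /usr/bin/tree /usr/bin/tree
printf "\033[92mSuccessfully executed: [copy_exec /usr/bin/tree /usr/bin/tree] \n\033[0m"

### Include whois
copy_exec /usr/bin/whois /usr/bin/whois
printf "\033[92mSuccessfully executed: [copy_exec /usr/bin/whois /usr/bin/whois] \n\033[0m"

### Link busybox applets for compatibility
# Relative links: "busybox" is resolved inside the same directory as the link.
for dir in bin usr/bin; do
  ln -sf busybox "${DESTDIR}/${dir}/cat"
  ln -sf busybox "${DESTDIR}/${dir}/sleep"
done

### Install PGP Signing Keys
# These are the trust anchors gpgv verifies against at boot. They are copied
# verbatim from the build chroot, so the integrity of /etc/ciss/keys in the
# chroot is what the whole verification chain rests on. A missing key file
# aborts the build (set -e) rather than producing an image without anchors.
install -m 0444 /etc/ciss/keys/0x8733B021_public.gpg "${DESTDIR}/etc/ciss/keys/0x8733B021_public.gpg"
printf "\033[92mSuccessfully executed: [install -m 0444 /etc/ciss/keys/0x8733B021_public.gpg %s/etc/ciss/keys/0x8733B021_public.gpg] \n\033[0m" "${DESTDIR}"
install -m 0444 /etc/ciss/keys/0xE62E84F8_public.gpg "${DESTDIR}/etc/ciss/keys/0xE62E84F8_public.gpg"
printf "\033[92mSuccessfully executed: [install -m 0444 /etc/ciss/keys/0xE62E84F8_public.gpg %s/etc/ciss/keys/0xE62E84F8_public.gpg] \n\033[0m" "${DESTDIR}"

printf "\033[92mSuccessfully executed: [0001_initramfs_modules.chroot] \n\033[0m"

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder

### Regenerate the initramfs for the live system kernel
update-initramfs -u -k all -v

printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh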