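#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

### Writes the initramfs-tools configuration (modules, update-initramfs.conf, initramfs.conf) and marks the
### CISS hook and boot scripts executable. The NIC driver(s) of the machine running this script are appended
### to the modules list.

set -Ceuo pipefail

printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

#######################################
# Get all NIC drivers of the current Host machine.
# Globals:
#   None
# Arguments:
#   None
# Outputs:
#   One line on stdout: the unique driver names reported by 'lspci -k' for Ethernet
#   devices, separated by single spaces (an empty line if none was found).
# Returns:
#   0: on success
#######################################
grep_nic_driver_modules() {
  declare -a _mods=()

  ### Gather all Driver and sort unique.
  ### The exit status of the process substitution is not seen by 'readarray', so a host without a matching
  ### device simply yields an empty array here.
  # shellcheck disable=SC2312
  readarray -t _mods < <(
    lspci -k \
      | grep -A2 -i ethernet \
      | grep 'Kernel driver in use' \
      | awk '{print $5}' \
      | sort -u
  )

  ### "${_mods[*]}" joins with the first IFS character (a space by default); for a single element this is
  ### that element itself, so one print covers both cases.
  printf '%s\n' "${_mods[*]-}"

  return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f grep_nic_driver_modules

### Declaration and assignment are split so that a failing command substitution is not masked by 'declare'.
declare nic_driver
nic_driver="$(grep_nic_driver_modules)"

### /etc/initramfs-tools/modules expects one 'module_name [args ...]' entry per line. Several drivers on one
### line would turn every name after the first into a module argument, so the list is split and re-joined
### with newlines before it is written.
declare -a nic_driver_list=()
read -r -a nic_driver_list <<< "${nic_driver}"

declare nic_driver_lines=""
declare _drv=""
if (( ${#nic_driver_list[@]} > 0 )); then
  for _drv in "${nic_driver_list[@]}"; do
    ### The names come from parsed tool output and end up in a root-owned boot configuration file:
    ### accept only characters that can occur in a kernel module name.
    if [[ "${_drv}" =~ ^[A-Za-z0-9_-]+$ ]]; then
      nic_driver_lines+="${_drv}"$'\n'
    else
      printf "Skipping unexpected NIC driver token '%s'.\n" "${_drv}" >&2
    fi
  done
fi
nic_driver_lines="${nic_driver_lines%$'\n'}"

if [[ -z "${nic_driver_lines}" ]]; then
  printf "No NIC driver detected via 'lspci -k'; no host NIC module will be listed.\n" >&2
fi

VAR_DATE="$(date +%F)"

### '>|' overrides the noclobber option set by 'set -C' above. The heredoc delimiter is unquoted, so
### ${VAR_DATE} and ${nic_driver_lines} are expanded. Heredoc bodies do not undergo quote removal, hence the
### NIC entry must not be wrapped in double quotes: they would be written into the file literally.
cat << EOF >| /etc/initramfs-tools/modules
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

# List of modules that you want to include in your initramfs.
# They will be loaded at boot time in the order below.
#
# Syntax: module_name [args ...]
#
# You must run update-initramfs(8) to effect this change.
#
# Examples:
#
# raid1
# sd_mod

### AppArmor -------------------------------------------------------------------------------------------------------------------
apparmor

### btrfs ----------------------------------------------------------------------------------------------------------------------
btrfs
lzo
xor
xxhash
zstd
zstd_compress

### cryptography ---------------------------------------------------------------------------------------------------------------
aes_generic
blake2b_generic
crc32c_generic
cryptd
libcrc32c
sha256_generic
sha512_generic
xts

### cryptsetup -----------------------------------------------------------------------------------------------------------------
dm_crypt
dm_integrity
dm_mod
dm_verity

### Entropy --------------------------------------------------------------------------------------------------------------------
jitterentropy_rng
rng_core

### ESP/FAT/UEFI ---------------------------------------------------------------------------------------------------------------
exfat
fat
nls_ascii
nls_cp437
nls_iso8859-1
nls_iso8859-15
nls_utf8
vfat

### ext4 -----------------------------------------------------------------------------------------------------------------------
ext4
jbd2
libcrc32c

### Live-ISO -------------------------------------------------------------------------------------------------------------------
loop
squashfs
overlay

#### nftables ------------------------------------------------------------------------------------------------------------------
#nf_log_common # built-in
#nft_counter # built-in
#nft_icmp # built-in
#nft_icmpv6 # built-in
#nft_meta # built-in
#nft_set_hash # built-in
#nft_set_rbtree # built-in
#nft_tcp # built-in
#nft_udp # built-in
nf_conntrack
nf_nat
nf_reject_ipv4
nf_reject_ipv6
nf_tables
nfnetlink
nfnetlink_log
nft_ct
nft_limit
nft_log
nft_masq
nft_nat
nft_reject_inet

### NVMe -----------------------------------------------------------------------------------------------------------------------
nvme
nvme_core

### QEMU -----------------------------------------------------------------------------------------------------------------------
bochs

### RAID -----------------------------------------------------------------------------------------------------------------------
raid456
raid6_pq

### SCSI/SATA ------------------------------------------------------------------------------------------------------------------
ahci
ata_generic
libahci
libata
scsi_dh_alua
scsi_mod
sd_mod
sg
sr_mod

### USB ------------------------------------------------------------------------------------------------------------------------
ehci_pci
ohci_pci
uas
uhci_hcd
usb_storage
xhci_hcd
xhci_pci

### Virtual --------------------------------------------------------------------------------------------------------------------
virtio_blk
virtio_console
virtio_pci
virtio_rng
virtio_scsi

### Network Driver Host-machine ------------------------------------------------------------------------------------------------
${nic_driver_lines}
EOF

cat << EOF >| /etc/initramfs-tools/update-initramfs.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

#
# The Configuration file for update-initramfs(8)
#

#
# update_initramfs [ yes | all | no ]
#
# Default is yes
# If set to all update-initramfs will update all initramfs
# If set to no disables any update to initramfs besides kernel upgrade

update_initramfs=all

#
# backup_initramfs [ yes | no ]
#
# Default is no
# If set to no leaves no .bak backup files.

backup_initramfs=no
EOF

cat << EOF >| /etc/initramfs-tools/initramfs.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

#
# initramfs.conf
# Configuration file for mkinitramfs(8). See initramfs.conf(5).
#
# Note that configuration options from this file can be overridden
# by config files in the /etc/initramfs-tools/conf.d directory.

#
# MODULES: [ most | netboot | dep | list ]
#
# most - Add most filesystem and all hard-drive drivers.
#
# dep - Try and guess that module to load.
#
# netboot - Add the base modules, network modules, but skip block devices.
#
# list - Only include modules from the 'additional modules' list
#

MODULES=most

#
# BUSYBOX: [ y | n | auto ]
#
# Use busybox shell and utilities. If set to n, klibc utilities will be used.
# If set to auto (or unset), busybox will be used if installed and klibc will
# be used otherwise.
#

BUSYBOX=auto

#
# KEYMAP: [ y | n ]
#
# Load a keymap during the initramfs stage.
#

KEYMAP=n

#
# COMPRESS: [ gzip | bzip2 | lz4 | lzma | lzop | xz | zstd ]
#

COMPRESS=zstd

#
# COMPRESSLEVEL: ...
#
# Set a compression level for the compressor.
# Defaults vary by compressor.
#
# Valid values are:
# 1...9 for gzip|bzip2|lzma|lzop
# 0...9 for lz4|xz
# 0...19 for zstd

COMPRESSLEVEL=16

#
# DEVICE: ...
#
# Specify a specific network interface, like eth0
# Overridden by optional ip= or BOOTIF= bootarg
#

DEVICE=

#
# NFSROOT: [ auto | HOST:MOUNT ]
#

NFSROOT=auto

#
# RUNSIZE: ...
#
# The size of the /run tmpfs mount point, like 256M or 10%
# Overridden by optional initramfs.runsize= bootarg
#

RUNSIZE=10%

#
# FSTYPE: ...
#
# The filesystem type(s) to support, or "auto" to use the current root
# filesystem type
#

FSTYPE=auto
EOF

### Mode 0755: executable for all, writable by the owner only. Under 'set -e' a missing file aborts the
### script here, before the success message is printed.
chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh
chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh

printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh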