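#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

# Purpose:
#   Writes the initramfs-tools configuration (modules list, update-initramfs.conf,
#   initramfs.conf), installs a hook that copies bash, lsblk and udevadm into the
#   initramfs, and regenerates the initramfs for all installed kernels.
# Requirements:
#   Write access to /etc/initramfs-tools and the update-initramfs command.

set -C -e -u -o pipefail

printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

#######################################
# Get all NIC drivers of the machine this script runs on.
# NOTE(review): lspci describes the machine executing this script. If that is a
# build host rather than the target system, the detected driver may not match
# the target's NIC - confirm against the build workflow.
# NOTE(review): detection relies on the 'Kernel driver in use' line appearing
# within two lines of the Ethernet device line in 'lspci -k' output.
# Arguments:
#   None
# Outputs:
#   One kernel driver name per line on stdout; warnings on stderr.
# Returns:
#   0 always; an empty result is reported as a warning, not an error.
#######################################
grep_nic_driver_modules() {
  local -a _mods=()
  local _mod
  # Only names made of these characters are written to the modules file.
  local -r _name_re='^[A-Za-z0-9_-]+$'

  # Gather all drivers and sort unique.
  readarray -t _mods < <(
    lspci -k \
      | grep -A2 -i ethernet \
      | grep 'Kernel driver in use' \
      | awk '{print $5}' \
      | sort -u
  )

  if (( ${#_mods[@]} == 0 )); then
    printf "warning: no Ethernet kernel driver detected via lspci.\n" >&2
    return 0
  fi

  # One name per line: the modules file syntax is 'module_name [args ...]', so
  # several names joined on a single line would be read as one module plus args.
  for _mod in "${_mods[@]}"; do
    if [[ "${_mod}" =~ ${_name_re} ]]; then
      printf '%s\n' "${_mod}"
    else
      # The value ends up in a configuration file consumed during initramfs
      # generation; drop anything that does not look like a module name.
      printf "warning: ignoring unexpected driver name '%s'.\n" "${_mod}" >&2
    fi
  done
}

# Declaration and assignment are separate so a failure inside the command
# substitution is not masked by the exit status of 'declare'.
declare nic_driver
nic_driver="$(grep_nic_driver_modules)"

# Unquoted delimiter: ${nic_driver} is expanded below. It is inserted without
# surrounding quotes because a literal '"' would become part of the module name.
cat << EOF >| /etc/initramfs-tools/modules
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

# List of modules that you want to include in your initramfs.
# They will be loaded at boot time in the order below.
#
# Syntax: module_name [args ...]
#
# You must run update-initramfs(8) to effect this change.
#
# Examples:
#
# raid1
# sd_mod

### QEMU Bochs-compatible virtual machine support
bochs

### Device-mapper core module (required for all dm_* features)
dm_mod

### Device-mapper integrity target (provides integrity checking)
dm-integrity

### Device-mapper crypt target (provides disk encryption)
dm-crypt

### Generic AES block cipher implementation (used by dm-crypt)
aes_generic

### Generic SHA-256 hashing algorithm (used by various crypto and integrity targets)
sha256_generic

### Generic CRC32C checksum implementation (used by btrfs and other filesystems)
crc32c_generic

### Main btrfs filesystem module
btrfs

### Zstandard compression support for btrfs
zstd_compress

### XOR parity implementation for RAID functionality
xor

### RAID6 parity generation module
raid6_pq

### Combined RAID4/5/6 support module
raid456

### Network Driver Host-machine
${nic_driver}
EOF

cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

#
# The Configuration file for update-initramfs(8)
#

#
# update_initramfs [ yes | all | no ]
#
# Default is yes
# If set to all update-initramfs will update all initramfs
# If set to no disables any update to initramfs besides kernel upgrade

update_initramfs=yes

#
# backup_initramfs [ yes | no ]
#
# Default is no
# If set to no leaves no .bak backup files.

backup_initramfs=no
EOF

cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

#
# initramfs.conf
# Configuration file for mkinitramfs(8). See initramfs.conf(5).
#
# Note that configuration options from this file can be overridden
# by config files in the /etc/initramfs-tools/conf.d directory.

#
# MODULES: [ most | netboot | dep | list ]
#
# most - Add most filesystem and all hard-drive drivers.
#
# dep - Try and guess that module to load.
#
# netboot - Add the base modules, network modules, but skip block devices.
#
# list - Only include modules from the 'additional modules' list
#

MODULES=most

#
# BUSYBOX: [ y | n | auto ]
#
# Use busybox shell and utilities. If set to n, klibc utilities will be used.
# If set to auto (or unset), busybox will be used if installed and klibc will
# be used otherwise.
#

BUSYBOX=auto

#
# KEYMAP: [ y | n ]
#
# Load a keymap during the initramfs stage.
#

KEYMAP=n

#
# COMPRESS: [ gzip | bzip2 | lz4 | lzma | lzop | xz | zstd ]
#

COMPRESS=zstd

#
# COMPRESSLEVEL: ...
#
# Set a compression level for the compressor.
# Defaults vary by compressor.
#
# Valid values are:
# 1–9 for gzip|bzip2|lzma|lzop
# 0–9 for lz4|xz
# 0–19 for zstd
#

COMPRESSLEVEL=3

#
# DEVICE: ...
#
# Specify a specific network interface, like eth0
# Overridden by optional ip= or BOOTIF= bootarg
#

DEVICE=

#
# NFSROOT: [ auto | HOST:MOUNT ]
#

NFSROOT=auto

#
# RUNSIZE: ...
#
# The size of the /run tmpfs mount point, like 256M or 10%
# Overridden by optional initramfs.runsize= bootarg
#

RUNSIZE=10%

#
# FSTYPE: ...
#
# The filesystem type(s) to support, or "auto" to use the current root
# filesystem type
#

FSTYPE=auto
EOF

# Truncate instead of append: with '>>' a re-run duplicates the hook body, and
# any pre-existing file of this name keeps its earlier content inside a script
# that update-initramfs executes during image generation.
cat << 'EOF' >| /etc/initramfs-tools/hooks/ciss_debian_live_builder
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

set -e

PREREQ=""
prereqs() { echo "$PREREQ"; }
case $1 in
  prereqs) prereqs; exit 0 ;;
esac

. /usr/share/initramfs-tools/hook-functions

mkdir -p "${DESTDIR}/bin" "${DESTDIR}/usr/bin" "${DESTDIR}/usr/local/bin"

# Include Bash
copy_exec /usr/bin/bash /usr/bin

# Include lsblk (block device information tool)
copy_exec /usr/bin/lsblk /usr/bin

# Include udevadm (udev management tool)
copy_exec /usr/bin/udevadm /usr/bin
EOF

chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder

### Regenerate the initramfs for the live system kernel
update-initramfs -u -k all

printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1

exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh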