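#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

### Purpose:
###   1. Install cryptsetup-initramfs, dropbear-initramfs and dropbear-bin; purge and hold the 'dropbear' package.
###   2. Back up the packaged init-premount hook and dropbear binaries ('*.trixie') and replace them with the
###      hook from /root/dropbear.file and the binaries from the local dropbear 2025.88 build tree.
###   3. Install an init-bottom script that stops the initramfs dropbear.
###   4. Pin 'dropbear' and 'dropbear-initramfs' to priority -1 and mask the dropbear systemd units.

### -C (noclobber) is active: every deliberate overwrite below therefore uses '>|'.
set -Ceuo pipefail

printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

### Declare Arrays, HashMaps, and Variables.
declare    var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
declare -r var_backup_dir="/root/.ciss/cdlb/backup"
declare -r var_build_dir="/root/build/dropbear-2025.88"
declare -r var_hook_src="/root/dropbear.file"
declare    var_file=""
declare -a ary_required=(
  "${var_hook_src}"
  "${var_build_dir}/dropbear"
  "${var_build_dir}/dbclient"
  "${var_build_dir}/dropbearconvert"
  "${var_build_dir}/dropbearkey"
)

[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh

export DEBIAN_FRONTEND="noninteractive"
export INITRD="No"

### 'pipefail' makes a failing apt-get abort the script even though tee succeeds.
apt-get install -y --no-install-recommends --no-install-suggests \
  cryptsetup-initramfs dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"

### Best effort: a failing purge of 'dropbear' is tolerated.
apt-get purge -y dropbear 2>&1 | tee -a "${var_logfile}" || true

apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a "${var_logfile}"

apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a "${var_logfile}"

### Verify that every replacement exists BEFORE any packaged file is moved aside. Otherwise, a missing build
### artifact would abort the script (set -e) between 'mv' and 'install' and leave the image without the file.
### NOTE(review): the binaries under "${var_build_dir}" replace the distribution's dropbear, and nothing in this
### script verifies them. Their provenance check (source signature / checksum) presumably lives in the build
### step -- confirm.
for var_file in "${ary_required[@]}"; do
  if [[ ! -f "${var_file}" ]]; then
    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ '%s' required file missing: '%s' \e[0m\n" "${0}" "${var_file}" >&2
    exit 1
  fi
done

### Replace the packaged init-premount hook; the original is kept as '*.trixie'.
mkdir -p "${var_backup_dir}/usr/share/initramfs-tools/scripts/init-premount"
mv /usr/share/initramfs-tools/scripts/init-premount/dropbear \
  "${var_backup_dir}/usr/share/initramfs-tools/scripts/init-premount/dropbear.trixie"
install -m 0755 -o root -g root "${var_hook_src}" /usr/share/initramfs-tools/scripts/init-premount/dropbear
rm -f "${var_hook_src}"

### Replace the packaged server binary with the locally built one.
mkdir -p "${var_backup_dir}/usr/sbin"
mv /usr/sbin/dropbear "${var_backup_dir}/usr/sbin/dropbear.trixie"
install -m 0755 -o root -g root "${var_build_dir}/dropbear" /usr/sbin/

### Replace the packaged client and key tools with the locally built ones.
mkdir -p "${var_backup_dir}/usr/bin"
for var_file in dbclient dropbearconvert dropbearkey; do
  mv "/usr/bin/${var_file}" "${var_backup_dir}/usr/bin/${var_file}.trixie"
  install -m 0755 -o root -g root "${var_build_dir}/${var_file}" /usr/bin/
done

### Quoted delimiter: the generated script is written literally, nothing is expanded at build time.
mkdir -p /etc/initramfs-tools/scripts/init-bottom
cat << 'EOF' >| /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

PREREQ=""
prereqs() { echo "${PREREQ}"; }
# shellcheck disable=SC2249
case "${1}" in
  prereqs) prereqs; exit 0 ;;
esac

### Stop dropbear shipped in the initramfs after root pivot.
[ -x /bin/pidof ] || exit 0
P=$(/bin/pidof dropbear 2>/dev/null) || true
[ -n "${P}" ] || exit 0

### pidof prints ALL matching PIDs separated by spaces. The list is expanded unquoted on purpose so that each
### PID becomes its own argument. Quoted, two or more PIDs would be passed as one invalid argument, kill would
### fail silently, and the initramfs SSH server would keep running.
# shellcheck disable=SC2086
/bin/kill -TERM ${P} 2>/dev/null || true
/bin/sleep 1
# shellcheck disable=SC2086
/bin/kill -KILL ${P} 2>/dev/null || true

exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0755 /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill

cat << 'EOF' >| /etc/apt/preferences.d/99-mask-dropbear
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

# Never install the dropbear daemon package at all.
Package: dropbear
Pin: release *
Pin-Priority: -1

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF

cat << 'EOF' >| /etc/apt/preferences.d/99-mask-dropbear-initramfs
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

# Keep the currently installed initramfs integration; never upgrade it.
Package: dropbear-initramfs
Pin: release *
Pin-Priority: -1

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF

systemctl mask dropbear.service dropbear.socket

printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh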