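#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

### Strict mode. '-C' (noclobber) means an existing file is only overwritten through an
### explicit '>|' redirection; every generator below relies on that to stay idempotent.
set -Ceuo pipefail

printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

### Build date (YYYY-MM-DD) stamped into the SPDX-CreationInfo header of every generated
### file. Declared global + exported so the generator functions and any child process see it.
# shellcheck disable=SC2155
declare -gx VAR_DATE="$(date +%F)"

#######################################
# Generates '/etc/default/ciss-xdg-profile' (the toggle file sourced by
# '/etc/profile.d/ciss-xdg.sh' on every login).
# Globals:
#   VAR_DATE (read) - stamped into the SPDX-CreationInfo header
# Arguments:
#   None
# Outputs:
#   Writes '/etc/default/ciss-xdg-profile' (mode 0644)
# Returns:
#   0: on success
#######################################
generate_ciss_xdg_profile() {
  ### '>|' (not '>>'): the here-document is the complete file, so re-running the builder
  ### must replace it rather than append a second copy of the header and toggles. This also
  ### matches the other generators in this file.
  cat << EOF >| /etc/default/ciss-xdg-profile
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

# Default toggles for ciss-xdg-profile
# 1 = enable, 0 = disable
ENABLE_XDG_BASH_HISTORY=1
ENABLE_XDG_LESS_HISTORY=1
ENABLE_XDG_ZSH_HISTORY=1

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
  ### This file is sourced (executed) by every user's login shell, so it must be readable by
  ### all but writable only by root: 0644, owned by the (root) builder.
  chmod 0644 /etc/default/ciss-xdg-profile
  return 0
}

### Prevents accidental 'unset -f'.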
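# shellcheck disable=SC2034
readonly -f generate_ciss_xdg_profile

#######################################
# Generates '/etc/profile.d/ciss-xdg.sh', the POSIX-sh snippet that exports the
# XDG base directories and relocates bash/less history for every login shell.
# Globals:
#   VAR_DATE (read) - stamped into the SPDX-CreationInfo header
# Arguments:
#   None
# Outputs:
#   Writes '/etc/profile.d/ciss-xdg.sh' (mode 0755)
# Returns:
#   0: on success
#######################################
generate_ciss_xdg_sh() {
  ### First here-document is unquoted so ${VAR_DATE} expands; the second is quoted ('EOF')
  ### so every ${...} reaches the target file literally and is evaluated at login time.
  cat << EOF >| /etc/profile.d/ciss-xdg.sh
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
EOF
  cat << 'EOF' >> /etc/profile.d/ciss-xdg.sh
# shellcheck shell=sh
# This file is sourced by login shells via '/etc/profile'. Keep POSIX sh compatible.

### XDG variables (do not override if already set).
export XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
export XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
export XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
export XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
export XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
export XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"

### XDG_RUNTIME_DIR is provided by systemd-logind; do not set a persistent path.
# shellcheck disable=SC2312
if [ -z "${XDG_RUNTIME_DIR:-}" ] && [ -d "/run/user/$(id -u)" ]; then
  # shellcheck disable=SC2155
  export XDG_RUNTIME_DIR="/run/user/$(id -u)"
fi

### Create canonical directories idempotently with 0700.
_xdg_umask="$(umask)"
umask 077
[ -d "${XDG_CONFIG_HOME}" ] || install -d -m 0700 -- "${XDG_CONFIG_HOME}"
[ -d "${XDG_DATA_HOME}" ] || install -d -m 0700 -- "${XDG_DATA_HOME}"
[ -d "${XDG_CACHE_HOME}" ] || install -d -m 0700 -- "${XDG_CACHE_HOME}"
[ -d "${XDG_STATE_HOME}" ] || install -d -m 0700 -- "${XDG_STATE_HOME}"
umask "${_xdg_umask}"
unset _xdg_umask

### Optional migrations (controlled via '/etc/default/ciss-xdg-profile').
[ -f /etc/default/ciss-xdg-profile ] && . /etc/default/ciss-xdg-profile

### Bash history -> XDG_STATE_HOME (only if running bash).
if [ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ] && [ -n "${BASH_VERSION:-}" ]; then
  [ -d "${XDG_STATE_HOME}/bash" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/bash"
  export HISTFILE="${XDG_STATE_HOME}/bash/history"
fi

### Less history -> XDG_STATE_HOME
if [ "${ENABLE_XDG_LESS_HISTORY:-1}" = "1" ]; then
  [ -d "${XDG_STATE_HOME}/less" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/less"
  export LESSHISTFILE="${XDG_STATE_HOME}/less/history"
fi

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
  ### NOTE(review): '/etc/default/ciss-xdg-profile' also defines ENABLE_XDG_ZSH_HISTORY, but
  ### nothing emitted here reads it - either wire it up or drop the toggle (confirm intent).
  ### The snippet is sourced by every login shell; it must stay root-owned and non-writable
  ### by unprivileged users (0755 gives that; the exec bit is conventional, not required).
  chmod 0755 /etc/profile.d/ciss-xdg.sh
  return 0
}

### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f generate_ciss_xdg_sh

#######################################
# Generates '/root/ciss_xdg_tmp.sh', a bash snippet sourced by this builder
# itself (below) so the remaining build steps run with XDG variables exported.
# Globals:
#   VAR_DATE (read) - stamped into the SPDX-CreationInfo header
# Arguments:
#   None
# Outputs:
#   Writes '/root/ciss_xdg_tmp.sh' (mode 0700)
# Returns:
#   0: on success
#######################################
generate_ciss_xdg_tmp_sh() {
  cat << EOF >| /root/ciss_xdg_tmp.sh
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

### XDG variables (do not override if already set).
EOF
  ### Quoted delimiter: the ${...} defaults below are evaluated when the file is sourced.
  ### 'set -a' / 'set +a' export every assignment in between without repeating 'export'.
  cat << 'EOF' >> /root/ciss_xdg_tmp.sh
set -a
# shellcheck disable=SC2034
XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
# shellcheck disable=SC2034
XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
# shellcheck disable=SC2034
XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
# shellcheck disable=SC2034
XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
# shellcheck disable=SC2034
XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
# shellcheck disable=SC2034
XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"

### Optional migrations (controlled via /etc/default/ciss-xdg-profile).
[[ -f /etc/default/ciss-xdg-profile ]] && . /etc/default/ciss-xdg-profile

### Bash history -> XDG_STATE_HOME (only if running bash).
if [[ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ]] && [[ -n "${BASH_VERSION:-}" ]]; then
  HISTFILE="${XDG_STATE_HOME}/bash/history"
fi
set +a

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
  ### Private to root; the file is only ever sourced by this builder.
  chmod 0700 /root/ciss_xdg_tmp.sh
  return 0
}

### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f generate_ciss_xdg_tmp_sh

### Ensuring XDG compliance: https://specifications.freedesktop.org/basedir/latest/ --------------------------------------------
generate_ciss_xdg_profile
generate_ciss_xdg_sh
generate_ciss_xdg_tmp_sh
### Source the helper so the rest of this builder runs with XDG_* exported. Under 'set -e' a
### failed '[[' on the left of '&&' does not abort the script; only the sourced file can.
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh

### Non-interactive apt inside the chroot; INITRD=No keeps initramfs hooks from re-running here.
export DEBIAN_FRONTEND="noninteractive"
export INITRD="No"
apt-get update -qq
apt-get install -y --no-install-suggests libpam-systemd

### Installing microcode updates -----------------------------------------------------------------------------------------------
### '/root/.architecture' is used purely as a one-shot marker (its content is not read); both
### vendor packages are installed whenever it exists. NOTE(review): confirm that is intended.
if [[ -f /root/.architecture ]]; then
  apt-get install -y --no-install-suggests amd64-microcode intel-microcode
  rm -f /root/.architecture
fi

### Prepare environment --------------------------------------------------------------------------------------------------------
### Builder state lives under /root (0700), so only the leaf directories need tightening.
mkdir -p /root/.ciss/cdlb/{backup,log,private_keys}
chmod 0700 /root/.ciss/cdlb/{backup,log,private_keys}
mkdir -p /root/git
chmod 0700 /root/git
### NOTE(review): /etc/ciss/keys is world-readable (0755) - keep only public key material here.
mkdir -p /etc/ciss/keys
chmod 0755 /etc/ciss/keys

### Mask apt show version unit and timer ---------------------------------------------------------------------------------------
### Symlinking to /dev/null is the offline equivalent of 'systemctl mask' (no systemd in the chroot).
ln -sf /dev/null /etc/systemd/system/apt-show-versions.timer
ln -sf /dev/null /etc/systemd/system/apt-show-versions.service
rm -f /etc/cron.daily/apt-show-versions || true

### Remove the original '/usr/lib/live/boot/0030-verify-checksums' -------------------------------------------------------------
### NOTE(review): this drops live-boot's stock media checksum verification hook. Confirm that the
### CISS initramfs scripts below provide an equivalent integrity check before shipping an image.
[[ -e /usr/lib/live/boot/0030-verify-checksums ]] && rm -f /usr/lib/live/boot/0030-verify-checksums

### Ensure proper 0755 rights for CISS initramfs scripts ----------------------------------------------------------------------
find /usr/lib/live/boot -type f -exec chmod 0755 {} +
[[ -e /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh ]] \
  && chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
[[ -e /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh ]] \
  && chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh

### Ensure proper systemd directories exist ------------------------------------------------------------------------------------
### 'mkdir -p' creates /etc/systemd/system itself on the way, so no separate mkdir is needed.
mkdir -p /etc/systemd/system/multi-user.target.wants
mkdir -p /etc/systemd/system/sockets.target.wants

### Enable clean systemd-networkd stack ----------------------------------------------------------------------------------------
### Units are enabled by creating the .wants symlinks by hand (systemctl is unavailable in the chroot).
apt-get -y purge ifupdown || true
ln -sf /lib/systemd/system/systemd-networkd.service /etc/systemd/system/multi-user.target.wants/systemd-networkd.service
ln -sf /lib/systemd/system/systemd-resolved.service /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
ln -sf /lib/systemd/system/systemd-resolved.socket /etc/systemd/system/sockets.target.wants/systemd-resolved.socket
### One-shot unit that points /etc/resolv.conf at the resolved stub on every boot.
### NOTE(review): it orders after network-online.target only; 'After=systemd-resolved.service'
### would state the real dependency (the stub file it links to) - confirm before changing.
cat << EOF >| /etc/systemd/system/ciss-fix-resolvconf.service
[Unit]
Description=Force systemd-resolved stub resolv.conf
After=network-online.target
Before=apt-daily.service

[Service]
Type=oneshot
ExecStart=/usr/bin/rm -f /etc/resolv.conf
ExecStart=/usr/bin/ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

[Install]
WantedBy=multi-user.target
EOF
ln -sf /etc/systemd/system/ciss-fix-resolvconf.service /etc/systemd/system/multi-user.target.wants/ciss-fix-resolvconf.service

printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh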