msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity
Files
01e8d9ef24e7272166fbfe73d87e05f5d2fbd29d02f833a6176bf8ea5d11793f
CISS.debian.live.builder/config/hooks/live/0000_basic_chroot_setup.chroot
Marc S. Weidner f0ee12513f
All checks were successful
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m0s
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m22s
Details
V8.13.416.2025.11.17 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-17 06:42:57 +01:00

240 lines
8.3 KiB
Bash
Raw Blame History

#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# shellcheck disable=SC2155
declare -gx VAR_DATE="$(date +%F)"
#######################################
# Generates '/etc/default/ciss-xdg-profile'
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: on success
#######################################
generate_ciss_xdg_profile() {
cat << EOF >> /etc/default/ciss-xdg-profile
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Default toggles for ciss-xdg-profile
# 1 = enable, 0 = disable
ENABLE_XDG_BASH_HISTORY=1
ENABLE_XDG_LESS_HISTORY=1
ENABLE_XDG_ZSH_HISTORY=1
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
chmod 0644 /etc/default/ciss-xdg-profile
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f generate_ciss_xdg_profile
#######################################
# Generates '/etc/profile.d/ciss-xdg.sh'
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: on success
#######################################
generate_ciss_xdg_sh() {
cat << EOF >| /etc/profile.d/ciss-xdg.sh
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
EOF
cat << 'EOF' >> /etc/profile.d/ciss-xdg.sh
# shellcheck shell=sh
# This file is sourced by login shells via '/etc/profile'. Keep POSIX sh compatible.
### XDG variables (do not override if already set).
export XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
export XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
export XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
export XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
export XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
export XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
### XDG_RUNTIME_DIR is provided by systemd-logind; do not set a persistent path.
# shellcheck disable=SC2312
if [ -z "${XDG_RUNTIME_DIR:-}" ] && [ -d "/run/user/$(id -u)" ]; then
# shellcheck disable=SC2155
export XDG_RUNTIME_DIR="/run/user/$(id -u)"
fi
### Create canonical directories idempotently with 0700.
_xdg_umask="$(umask)"
umask 077
[ -d "${XDG_CONFIG_HOME}" ] || install -d -m 0700 -- "${XDG_CONFIG_HOME}"
[ -d "${XDG_DATA_HOME}" ] || install -d -m 0700 -- "${XDG_DATA_HOME}"
[ -d "${XDG_CACHE_HOME}" ] || install -d -m 0700 -- "${XDG_CACHE_HOME}"
[ -d "${XDG_STATE_HOME}" ] || install -d -m 0700 -- "${XDG_STATE_HOME}"
umask "${_xdg_umask}"
unset _xdg_umask
### Optional migrations (controlled via /'etc/default/ciss-xdg-profile').
[ -f /etc/default/ciss-xdg-profile ] && . /etc/default/ciss-xdg-profile
### Bash history -> XDG_STATE_HOME (only if running bash).
if [ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ] && [ -n "${BASH_VERSION:-}" ]; then
[ -d "${XDG_STATE_HOME}/bash" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/bash"
export HISTFILE="${XDG_STATE_HOME}/bash/history"
fi
### Less history -> XDG_STATE_HOME
if [ "${ENABLE_XDG_LESS_HISTORY:-1}" = "1" ]; then
[ -d "${XDG_STATE_HOME}/less" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/less"
export LESSHISTFILE="${XDG_STATE_HOME}/less/history"
fi
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0755 /etc/profile.d/ciss-xdg.sh
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f generate_ciss_xdg_sh
#######################################
# Generates '/root/ciss_xdg_tmp.sh'
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: on success
#######################################
generate_ciss_xdg_tmp_sh() {
cat << EOF >| /root/ciss_xdg_tmp.sh
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### XDG variables (do not override if already set).
EOF
cat << 'EOF' >> /root/ciss_xdg_tmp.sh
set -a
# shellcheck disable=SC2034
XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
# shellcheck disable=SC2034
XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
# shellcheck disable=SC2034
XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
# shellcheck disable=SC2034
XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
# shellcheck disable=SC2034
XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
# shellcheck disable=SC2034
XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
### Optional migrations (controlled via /etc/default/ciss-xdg-profile).
[[ -f /etc/default/ciss-xdg-profile ]] && . /etc/default/ciss-xdg-profile
### Bash history -> XDG_STATE_HOME (only if running bash).
if [[ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ]] && [[ -n "${BASH_VERSION:-}" ]]; then
HISTFILE="${XDG_STATE_HOME}/bash/history"
fi
set +a
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0700 /root/ciss_xdg_tmp.sh
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f generate_ciss_xdg_tmp_sh
### Ensuring XDG compliance: https://specifications.freedesktop.org/basedir/latest/ --------------------------------------------
generate_ciss_xdg_profile
generate_ciss_xdg_sh
generate_ciss_xdg_tmp_sh
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export INITRD="No"
apt-get update -qq
apt-get install -y --no-install-suggests libpam-systemd
### Installing microcode updates -----------------------------------------------------------------------------------------------
if [[ -f /root/.architecture ]]; then
apt-get install -y --no-install-suggests amd64-microcode intel-microcode
rm -f /root/.architecture
fi
### Prepare environment --------------------------------------------------------------------------------------------------------
mkdir -p /root/.ciss/cdlb/{backup,log,private_keys}
chmod 0700 /root/.ciss/cdlb/{backup,log,private_keys}
mkdir -p /root/git
chmod 0700 /root/git
mkdir -p /etc/ciss/keys
chmod 0755 /etc/ciss/keys
### Mask apt show version unit and timer ---------------------------------------------------------------------------------------
ln -sf /dev/null /etc/systemd/system/apt-show-versions.timer
ln -sf /dev/null /etc/systemd/system/apt-show-versions.service
rm -f /etc/cron.daily/apt-show-versions || true
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
Reference in New Issue View Git Blame Copy Permalink