msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity
Files
39413da4635ad55e5f5a8cd97ff1109b4749cdabbfce41ab58893833e4a6ccf4
CISS.debian.live.builder/lib/lib_lb_config_write_trixie.sh
Marc S. Weidner 8e02d6cb7d
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m11s
Details
V8.13.544.2025.12.05 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-12-05 15:31:30 +01:00

148 lines
7.1 KiB
Bash
Raw Blame History

#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing || return "${ERR_GUARD_SRCE}"
#######################################
# Wrapper to write a new 'lb config' environment.
# Globals:
# BASH_SOURCE
# VAR_ARCHITECTURE
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_ISO_COUNTER
# VAR_KERNEL
# VAR_VERSION
# Arguments:
# None
# Returns:
# 0: on success
#######################################
lb_config_write_trixie() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Writing new config ... \e[0m\n"
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
lb config \
--apt apt \
--apt-indices true \
--apt-recommends true \
--apt-secure true \
--apt-source-archives true \
--architecture "${VAR_ARCHITECTURE}" \
--archive-areas main contrib non-free non-free-firmware \
--backports true \
--binary-filesystem fat32 \
--binary-image iso-hybrid \
--bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
--bootappend-live "boot=live ciss_iso_label=CISS.debian.live ciss_crypt_path=/live/ciss_rootfs.crypt components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
--bootloaders grub-efi \
--cache true \
--checksums sha512 sha384 sha256 \
--chroot-filesystem squashfs \
--chroot-squashfs-compression-level 22 \
--chroot-squashfs-compression-type zstd \
--color \
--compression bzip2 \
--debconf-frontend noninteractive \
--debconf-priority critical \
--debian-installer cdrom \
--debian-installer-distribution trixie \
--debian-installer-gui true \
--debian-installer-preseedfile "preseed.cfg" \
--debug \
--distribution trixie \
--distribution-binary trixie \
--distribution-chroot trixie \
--firmware-binary true \
--firmware-chroot true \
--hdd-label "CENTURIONLIVE" \
--image-name "ciss-debian-live-${VAR_HANDLER_ISO_COUNTER}" \
--initramfs "live-boot" \
--initramfs-compression gzip \
--initsystem systemd \
--iso-application "CISS.debian.live.builder: ${VAR_VERSION} - Debian-Live-Build: 20250505 - Debian-Installer: trixie" \
--iso-preparer '(C) 2018-2025, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
--iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
--iso-volume 'CISS.debian.live' \
--linux-flavours "${VAR_KERNEL}" \
--linux-packages linux-image \
--loadlin true \
--memtest memtest86+ \
--mirror-binary 'https://deb.debian.org/debian/' \
--mirror-binary-security 'https://security.debian.org/' \
--mirror-bootstrap 'https://deb.debian.org/debian/' \
--mirror-chroot 'https://deb.debian.org/debian/' \
--mirror-chroot-security 'https://security.debian.org/' \
--mirror-debian-installer 'https://deb.debian.org/debian/' \
--mode debian \
--parent-archive-areas main contrib non-free non-free-firmware \
--parent-debian-installer-distribution trixie \
--parent-distribution trixie \
--parent-distribution-binary trixie \
--parent-distribution-chroot trixie \
--parent-mirror-binary 'https://deb.debian.org/debian/' \
--parent-mirror-binary-security 'https://security.debian.org/' \
--parent-mirror-bootstrap 'https://deb.debian.org/debian/' \
--parent-mirror-chroot 'https://deb.debian.org/debian/' \
--parent-mirror-chroot-security 'https://security.debian.org/' \
--parent-mirror-debian-installer 'https://deb.debian.org/debian/' \
--security true \
--system live \
--source false \
--source-images tar \
--uefi-secure-boot enable \
--updates true \
--utc-time true \
--verbose
sleep 1
sed -i 's/^LB_CHECKSUMS=.*/LB_CHECKSUMS="sha512 sha384 sha256"/' ./config/binary
sed -i 's/^LB_DM_VERITY=.*/LB_DM_VERITY="false"/' ./config/binary
### https://wiki.debian.org/ReproducibleInstalls/LiveImages
### https://reproducible-builds.org/docs/system-images/
### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/rootfs"
cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes"
boot/initrd.img-*
boot/vmlinux-*
boot/vmlinuz-*
debootstrap
debootstrap/*
root/.wget-hsts
tmp/*
usr/lib/firmware/amd/*
usr/lib/firmware/amd-ucode/*
usr/lib/firmware/amdtee/*
usr/lib/firmware/intel-ucode/*
var/cache/apt/pkgcache.bin
var/cache/apt/srcpkgcache.bin
var/lib/apt/lists/*
var/lib/initramfs-tools/*-amd64
EOF
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f lb_config_write_trixie
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
Reference in New Issue View Git Blame Copy Permalink