msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity
Files
b2282d347501a134baec647b49a88a09e41045d537c09dde2053eefa8ee37a4d
CISS.debian.live.builder/config/includes.chroot/preseed/.ash/2_di_partman_early_command.sh
Marc S. Weidner b2282d3475 V8.02.512.2025.05.30 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-05-30 00:28:39 +02:00

416 lines
13 KiB
Bash
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# No bash in the installer environment, only BusyBox.
set -o errexit
set -o nounset
set -o noclobber
export PATH="${PATH}:/sbin:/usr/sbin:/.ciss/install:/.ciss/install/.ash"
. /.ciss/install/.ash/di_scripting_flexibility.sh
readonly DISK_NAME="sda"
readonly DISK_PATH="/dev/${DISK_NAME}"
readonly SLEEPTIMER="2"
do_sleep() {
sleep "${SLEEPTIMER}"
}
modprobe btrfs || true
modprobe ext4 || true
blkdiscard "${DISK_PATH}"
parted "${DISK_PATH}" --script -- mklabel gpt
#/dev/sda1 -- ESP
do_dev_sda1() {
parted "${DISK_PATH}" --script -- mkpart ESP fat32 1MiB 512MiB set 1 esp on
do_sleep
FORMAT_LABEL="ESP"
PARTITION="${DISK_PATH}1"
format_partition() {
if mkfs.fat -F32 -n "${FORMAT_LABEL}" "${PARTITION}"; then
echo "Partition: ${PARTITION} successfully formatted with FAT32."
else
echo "Partition: ${PARTITION} NOT successfully formated with FAT32."
fi
if blkid "${PARTITION}" | grep -q 'TYPE="vfat"'; then
echo "Partition: ${PARTITION} correctly formatted with FAT32."
else
echo "Partition: ${PARTITION} NOT correctly formatted with FAT32."
fi
}
ATTEMPTS=0
MAX_ATTEMPTS=3
while ! format_partition && [ ${ATTEMPTS} -lt ${MAX_ATTEMPTS} ]; do
echo "Repeat formatting... attempt $((ATTEMPTS + 1))"
ATTEMPTS=$((ATTEMPTS + 1))
done
if [ ${ATTEMPTS} -ge ${MAX_ATTEMPTS} ]; then
echo "Error: Partition ${PARTITION} could not be formatted correctly after ${MAX_ATTEMPTS} attempts."
else
echo "Partition ${PARTITION} successfully formatted and checked."
fi
}
do_dev_sda1
#/dev/sda2 -- /boot
do_dev_sda2() {
parted "${DISK_PATH}" --script -- mkpart primary ext4 512MiB 4096MiB
do_sleep
FORMAT_LABEL="boot"
PARTITION="${DISK_PATH}2"
format_partition() {
if mkfs.ext4 -L "${FORMAT_LABEL}" "${PARTITION}"; then
echo "Partition: ${PARTITION} successfully formatted with ext4."
else
echo "Partition: ${PARTITION} NOT successfully formated with ext4."
fi
if blkid "${PARTITION}" | grep -q 'TYPE="ext4"'; then
echo "Partition: ${PARTITION} correctly formatted with ext4."
else
echo "Partition: ${PARTITION} NOT correctly formatted with ext4."
fi
}
ATTEMPTS=0
MAX_ATTEMPTS=3
while ! format_partition && [ ${ATTEMPTS} -lt ${MAX_ATTEMPTS} ]; do
echo "Repeat formatting... attempt $((ATTEMPTS + 1))"
ATTEMPTS=$((ATTEMPTS + 1))
done
if [ ${ATTEMPTS} -ge ${MAX_ATTEMPTS} ]; then
echo "Error: Partition ${PARTITION} could not be formatted correctly after ${MAX_ATTEMPTS} attempts."
else
echo "Partition ${PARTITION} successfully formatted and checked."
fi
}
do_dev_sda2
#/dev/sda3 -- preparing for crypt_ephemeral_swap
parted "${DISK_PATH}" --script -- mkpart primary 4096MiB 8192MiB
do_sleep
#/dev/sda4 -- preparing for crypt_ephemeral_tmp
parted "${DISK_PATH}" --script -- mkpart primary 8192MiB 12288MiB
do_sleep
#/dev/sda5 -- /home
parted "${DISK_PATH}" --script -- mkpart primary 12288MiB 45056MiB
do_sleep
#/dev/sda6 -- /
parted "${DISK_PATH}" --script -- mkpart primary 45056MiB 77824MiB
do_sleep
#/dev/sda7 -- /usr
parted "${DISK_PATH}" --script -- mkpart primary 77824MiB 143360MiB
do_sleep
#/dev/sda8 -- /var
parted "${DISK_PATH}" --script -- mkpart primary 143360MiB 208896MiB
do_sleep
#/dev/sda9 -- /var/log
parted "${DISK_PATH}" --script -- mkpart primary 208896MiB 225280MiB
do_sleep
#/dev/sda10 -- /var/log/audit
parted "${DISK_PATH}" --script -- mkpart primary 225280MiB 241664MiB
do_sleep
#/dev/sda11 -- /var/tmp
parted "${DISK_PATH}" --script -- mkpart primary 241664MiB 258048MiB
do_sleep
#/dev/sda12 -- temporary installation /tmp
do_dev_sda12() {
parted "${DISK_PATH}" --script -- mkpart primary 258048MiB 261120MiB
do_sleep
FORMAT_LABEL="installation_tmp"
PARTITION="${DISK_PATH}12"
format_partition() {
if mkfs.ext4 -L "${FORMAT_LABEL}" "${PARTITION}"; then
echo "Partition: ${PARTITION} successfully formatted with ext4."
else
echo "Partition: ${PARTITION} NOT successfully formated with ext4."
fi
if blkid "${PARTITION}" | grep -q 'TYPE="ext4"'; then
echo "Partition: ${PARTITION} correctly formatted with ext4."
else
echo "Partition: ${PARTITION} NOT correctly formatted with ext4."
fi
}
ATTEMPTS=0
MAX_ATTEMPTS=3
while ! format_partition && [ ${ATTEMPTS} -lt ${MAX_ATTEMPTS} ]; do
echo "Repeat formatting... attempt $((ATTEMPTS + 1))"
ATTEMPTS=$((ATTEMPTS + 1))
done
if [ ${ATTEMPTS} -ge ${MAX_ATTEMPTS} ]; then
echo "Error: Partition ${PARTITION} could not be formatted correctly after ${MAX_ATTEMPTS} attempts."
else
echo "Partition ${PARTITION} successfully formatted and checked."
fi
}
do_dev_sda12
# Encrypt and open /dev/sda5 to /dev/sda11
i=5
while [ "${i}" -lt 12 ]; do
PARTITION="/dev/${DISK_NAME}${i}"
MAPPER_NAME="crypt_${DISK_NAME}${i}"
if cryptsetup luksFormat "${PARTITION}" --key-file=/.ciss/install/.cfg/.password.cfg --batch-mode --type luks2 --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 3000 --use-random --verbose; then
echo "Partition: ${PARTITION} successfully encrypted."
do_sleep
if cryptsetup open "${PARTITION}" "${MAPPER_NAME}" --key-file=/.ciss/install/.cfg/.password.cfg; then
echo "Partition: ${PARTITION} successfully opened as: ${MAPPER_NAME}."
if mkfs.btrfs -L "${MAPPER_NAME}" /dev/mapper/"${MAPPER_NAME}"; then
echo "Partition: ${PARTITION} successfully formatted."
else
echo "Partition: ${PARTITION} NOT successfully formatted."
fi
else
echo "Partition: ${PARTITION} NOT successfully opened as: ${MAPPER_NAME}."
fi
else
echo "Partition: ${PARTITION} NOT successfully encrypted."
fi
i=$((i + 1))
done
do_sleep
# Generate /target directories-
FILE_DIR="/.ciss/install/.cfg/.directories.cfg"
# Check that the file exists.
if [ ! -f "${FILE_DIR}" ]; then
echo "Error: File ${FILE_DIR} cannot be read." >&2
exit 1
fi
while read -r DIR; do
sleep 1
# Proceed only if the row is not empty.
if [ -n "${DIR}" ]; then
# Verify if the directory already exists.
if [ -d "${DIR}" ]; then
echo "Directory ${DIR} already exists."
else
# Try to create a directory.
until [ -d "${DIR}" ]; do
mkdir -p "${DIR}"
if [ ! -d "${DIR}" ]; then
echo "Error: Creating ${DIR} directory failed. Try again. " >&2
sleep 1
fi
done
echo "Directory ${DIR} created successfully".
fi
fi
done < "${FILE_DIR}"
do_sleep
mount /dev/mapper/crypt_sda6 /target
do_sleep
mkdir /target/boot
mount /dev/sda2 /target/boot
do_sleep
mkdir /target/boot/efi
mount /dev/sda1 /target/boot/efi
do_sleep
mkdir /target/home
mount /dev/mapper/crypt_sda5 /target/home
do_sleep
mkdir /target/usr
mount /dev/mapper/crypt_sda7 /target/usr
do_sleep
mkdir /target/var
mount /dev/mapper/crypt_sda8 /target/var
do_sleep
mkdir /target/var/log
mount /dev/mapper/crypt_sda9 /target/var/log
do_sleep
mkdir /target/var/log/audit
mount /dev/mapper/crypt_sda10 /target/var/log/audit
do_sleep
mkdir /target/var/tmp
mount /dev/mapper/crypt_sda11 /target/var/tmp
do_sleep
mkdir /target/tmp
mount /dev/sda12 /target/tmp
do_sleep
mkdir /target/dev
mount --bind /dev /target/dev
do_sleep
if [ -d "/target/dev/pts" ]; then
echo "Directory /target/dev/pts already exists."
else
mkdir /target/dev/pts
fi
mkdir /target/proc
mount --bind /proc /target/proc
do_sleep
mkdir /target/sys
mount --bind /sys /target/sys
do_sleep
mkdir /target/run
mount --bind /run /target/run
do_sleep
if [ -d "/target/run/lock" ]; then
echo "Directory /target/run/lock already exists."
else
mkdir /target/run/lock
fi
mkdir /target/etc
mkdir /target/etc/apt
mkdir /target/etc/network
touch /target/etc/fstab
chmod 0644 /target/etc/fstab
# shellcheck disable=SC2129
cat << EOF >> /target/etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# systemd generates mount units based on this file, see systemd.mount(5).
# Please run 'systemctl daemon-reload' after making changes here.
#
# <file system> <mount point> <type> <options> <dump> <pass>
EOF
echo "# / was on /dev/mapper/crypt_sda6 during installation" >> /target/etc/fstab
echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda6) / btrfs defaults,errors=remount-ro 0 1" >> /target/etc/fstab
echo "" >> /target/etc/fstab
echo "# /boot was on /dev/sda2 during installation" >> /target/etc/fstab
echo "UUID=$(blkid -s UUID -o value /dev/sda2) /boot ext4 defaults 0 2" >> /target/etc/fstab
echo "" >> /target/etc/fstab
echo "# /boot/efi was on /dev/sda1 during installation" >> /target/etc/fstab
echo "UUID=$(blkid -s UUID -o value /dev/sda1) /boot/efi vfat umask=0077 0 1" >> /target/etc/fstab
echo "" >> /target/etc/fstab
echo "# /home was on /dev/mapper/crypt_sda5 during installation" >> /target/etc/fstab
echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda5) /home btrfs defaults 0 2" >> /target/etc/fstab
echo "" >> /target/etc/fstab
echo "# /usr was on /dev/mapper/crypt_sda7 during installation" >> /target/etc/fstab
echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda7) /usr btrfs defaults 0 2" >> /target/etc/fstab
echo "" >> /target/etc/fstab
echo "# /var was on /dev/mapper/crypt_sda8 during installation" >> /target/etc/fstab
echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda8) /var btrfs defaults 0 2" >> /target/etc/fstab
echo "" >> /target/etc/fstab
echo "# /var/log was on /dev/mapper/crypt_sda9 during installation" >> /target/etc/fstab
echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda9) /var/log btrfs defaults 0 2" >> /target/etc/fstab
echo "" >> /target/etc/fstab
echo "# /var/log/audit was on /dev/mapper/crypt_sda10 during installation" >> /target/etc/fstab
echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda10) /var/log/audit btrfs defaults 0 2" >> /target/etc/fstab
echo "" >> /target/etc/fstab
echo "# /var/tmp was on /dev/mapper/crypt_sda11 during installation" >> /target/etc/fstab
echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda11) /var/tmp btrfs defaults 0 2" >> /target/etc/fstab
echo "" >> /target/etc/fstab
echo "# /tmp was on /dev/sda12 during installation" >> /target/etc/fstab
echo "UUID=$(blkid -s UUID -o value /dev/sda12) /tmp ext4 defaults 0 2" >> /target/etc/fstab
echo "" >> /target/etc/fstab
echo "# /media/cdrom0 was on /dev/sr0 during installation" >> /target/etc/fstab
echo "/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0" >> /target/etc/fstab
echo "" >> /target/etc/fstab
touch /target/etc/crypttab
chmod 0644 /target/etc/crypttab
# shellcheck disable=SC2129
cat << EOF >> /target/etc/crypttab
# <name> <device> <password-file-or-none> <options>
EOF
echo "# / was on /dev/mapper/crypt_sda6 during installation" >> /target/etc/crypttab
echo "crypt_sda6 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda6) none luks,discard" >> /target/etc/crypttab
echo "" >> /target/etc/crypttab
echo "# /home was on /dev/mapper/crypt_sda5 during installation" >> /target/etc/crypttab
echo "crypt_sda5 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda5) none luks,discard" >> /target/etc/crypttab
echo "" >> /target/etc/crypttab
echo "# /usr was on /dev/mapper/crypt_sda7 during installation" >> /target/etc/crypttab
echo "crypt_sda7 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda7) none luks,discard" >> /target/etc/crypttab
echo "" >> /target/etc/crypttab
echo "# /var was on /dev/mapper/crypt_sda8 during installation" >> /target/etc/crypttab
echo "crypt_sda8 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda8) none luks,discard" >> /target/etc/crypttab
echo "" >> /target/etc/crypttab
echo "# /var/log was on /dev/mapper/crypt_sda9 during installation" >> /target/etc/crypttab
echo "crypt_sda9 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda9) none luks,discard" >> /target/etc/crypttab
echo "" >> /target/etc/crypttab
echo "# /var/log/audit was on /dev/mapper/crypt_sda10 during installation" >> /target/etc/crypttab
echo "crypt_sda10 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda10) none luks,discard" >> /target/etc/crypttab
echo "" >> /target/etc/crypttab
echo "# /var/tmp was on /dev/mapper/crypt_sda11 during installation" >> /target/etc/crypttab
echo "crypt_sda11 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda11) none luks,discard" >> /target/etc/crypttab
echo "" >> /target/etc/crypttab
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
Reference in New Issue View Git Blame Copy Permalink