CISS.debian.live.builder/ciss_live_builder.sh

#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

### Contributions so far see ./docs/CREDITS.md

### WHY BASH?
# Ease of installation.
# No compiling or installing gems, CPAN modules, pip packages, etc.
# Simple to use and read. Clear syntax and straightforward output interpretation.
# Built-in power.
# Pattern matching, line processing, and regular expression support are available natively,
# no external binaries required.
# Cross-platform consistency.
# '/bin/bash' is the default shell on most Linux distributions, ensuring scripts run unmodified across systems.
# macOS compatibility.
# Since macOS Catalina (10.15), the default login shell has been zsh, but bash remains available at '/bin/bash'.
# Windows support.
# You can use bash via WSL, MSYS2, or Cygwin on Windows systems.

### Preliminary checks
[ -z "${BASH_VERSINFO[0]}" ] && {
  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2; exit "${ERR_UNSPPTBASH}"; }
[[ ${EUID} -ne 0 ]] && {
  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are 'root'! Bye... \e[0m\n" >&2; exit "${ERR_NOT_USER_0}"; }
[[ $(kill -l | grep -c SIG) -eq 0 ]] && {
  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2; exit "${ERR_UNSPPTBASH}"; }
[[ ${BASH_VERSINFO[0]} -lt 5 ]] && {
  . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
[[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && {
  . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }

declare -g VAR_HANDLER_AUTOBUILD="false"
declare -gr VAR_CONTACT="security@coresecret.eu"
declare -gr VAR_VERSION="Master V8.02.768.2025.06.01"

### VERY EARLY CHECK FOR AUTO-BUILD, CONTACT, USAGE, AND VERSION STRING
declare arg
if [[ ${#} -eq 0 ]]; then . ./lib/lib_usage.sh; usage; exit 1; fi
for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -g VAR_HANDLER_AUTOBUILD=true; declare -g VAR_KERNEL="${arg#*=}";; esac; done
for arg in "$@"; do case "${arg,,}" in -c|--contact) printf "\e[95mCISS.debian.live.builder Contact: %s\e[0m\n" "${VAR_CONTACT}"; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh; usage; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -v|--version) printf "\e[95mCISS.debian.live.builder Version: %s\e[0m\n" "${VAR_VERSION}"; exit 0;; esac; done
unset arg

### VERY EARLY CHECK FOR XTRACE DEBUGGING
if [[ $* == *" --debug "* ]]; then
  . ./lib/lib_debug.sh
  debugger "${@}"
else
  declare -grx VAR_EARLY_DEBUG=false
fi

### Advisory Lock
exec 127>/var/lock/ciss_live_builder.lock || {
  . ./var/global.var.sh
  printf "\e[91m❌ Cannot open lockfile for writing! Bye... \e[0m\n" >&2
  exit "${ERR_FLOCK_WRTG}"
}

if ! flock -x -n 127; then
  . ./var/global.var.sh
  printf "\e[91m❌ Another instance is running! Bye...\e[0m\n" >&2
  exit "${ERR_FLOCK_COLL}"
fi

### Checking required packages
. ./lib/lib_check_pkgs.sh
check_pkgs

### Dialog Output for Initialization
if ! $VAR_HANDLER_AUTOBUILD; then . ./lib/lib_boot_screen.sh && boot_screen; fi

### Updating Status of Dialog Gauge Bar
if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nUpdating variables ... \nXXX\n05\n" >&3; fi
. ./var/global.var.sh
. ./var/colors.var.sh

### Updating Status of Dialog Gauge Bar
if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nEnabling Bash Error Handling ... \nXXX\n15\n" >&3; fi
### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
set -o errexit   # Exit script when a command exits with non-zero status, the same as "set -e".
set -o errtrace  # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
set -o functrace # Any traps on DEBUG and RETURN are inherited in a subshell environment, the same as "set -T".
set -o nounset   # Exit script on use of an undefined variable, the same as "set -u".
set -o pipefail  # Makes pipelines return the exit status of the last command in the pipe that failed.
set -o noclobber # Prevent overwriting, the same as "set -C".

### Updating Status of Dialog Gauge Bar
if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nAdditional initialization ... \nXXX\n25\n" >&3; fi
### Initialization
declare -gr ARGUMENTS_COUNT="$#"
declare -gr ARG_STR_ORG_INPUT="$*"
#declare -ar ARG_ARY_ORG_INPUT=("$@")
# shellcheck disable=SC2155
declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
# shellcheck disable=SC2155
declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
# shellcheck disable=SC2155
declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"

### Updating Status of Dialog Gauge Bar
if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSourcing Libraries ... \nXXX\n50\n" >&3; fi
. ./lib/lib_arg_parser.sh
. ./lib/lib_arg_priority_check.sh
. ./lib/lib_cdi.sh
. ./lib/lib_change_splash.sh
. ./lib/lib_check_dhcp.sh
. ./lib/lib_check_hooks.sh
. ./lib/lib_check_kernel.sh
. ./lib/lib_check_provider.sh
. ./lib/lib_check_stats.sh
. ./lib/lib_check_var.sh
. ./lib/lib_clean_screen.sh
. ./lib/lib_clean_up.sh
. ./lib/lib_copy_integrity.sh
. ./lib/lib_hardening_root_pw.sh
. ./lib/lib_hardening_ssh.sh
. ./lib/lib_hardening_ultra.sh
. ./lib/lib_helper_ip.sh
. ./lib/lib_lb_build_start.sh
. ./lib/lib_lb_config_start.sh
. ./lib/lib_lb_config_write.sh
. ./lib/lib_provider_netcup.sh
. ./lib/lib_run_analysis.sh
. ./lib/lib_sanitizer.sh
. ./lib/lib_trap_on_err.sh
. ./lib/lib_trap_on_exit.sh
. ./lib/lib_usage.sh

### Updating Status of Dialog Gauge Bar
if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nActivate traps ... \nXXX\n55\n" >&3; fi
### Following the CISS Bash naming and ordering scheme
trap 'trap_on_exit "$?"' EXIT
trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR

### Updating Status of Dialog Gauge Bar
if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSanitizing Arguments ... \nXXX\n70\n" >&3; fi
arg_check "$@"
declare -ar ARY_ARG_SANITIZED=("$@")
declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"

### Updating Status of Dialog Gauge Bar
if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
arg_parser "$@"

### Updating Status of Dialog Gauge Bar
if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
clean_ip

### Updating Status of Dialog Gauge Bar
if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi

if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi

### MAIN Program
arg_priority_check
check_stats
if ! $VAR_HANDLER_AUTOBUILD; then check_provider; fi
if ! $VAR_HANDLER_AUTOBUILD; then check_kernel; fi
check_hooks
hardening_ssh
lb_config_start
lb_config_write

cd "${VAR_WORKDIR}"
hardening_ultra
hardening_root_pw
change_splash
check_dhcp
cdi
provider_netcup

### Start the build process
set +o errtrace
lb_build_start

set -o errtrace
run_analysis
copy_db
declare -g VAR_SCRIPT_SUCCESS=true
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh