From cb1a600d6ed9a1008e4c3d1b25a384fdc7ad791c Mon Sep 17 00:00:00 2001
From: aptalca <aptalca@linuxserver.io>
Date: Sun, 5 Jul 2020 12:56:34 -0400
Subject: [PATCH] Add Debian updates and security repos for headers

---
 README.md                      |  1 +
 readme-vars.yml                |  1 +
 root/etc/cont-init.d/30-config | 16 +++++++++++++---
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 1225d2ff..8375955d 100644
--- a/README.md
+++ b/README.md
@@ -268,6 +268,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **05.07.20:** - Add Debian updates and security repos for headers.
 * **25.06.20:** - Simplify module tests, prevent iptables issues from resulting in false negatives.
 * **19.06.20:** - Add support for Ubuntu Focal (20.04) kernels. Compile wireguard tools and kernel module instead of using the ubuntu packages. Make module install optional. Improve verbosity in logs.
 * **29.05.20:** - Add support for 64bit raspbian.
diff --git a/readme-vars.yml b/readme-vars.yml
index 0ed495f2..8ec94cc2 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -85,6 +85,7 @@ app_setup_block: |
   
 # changelog
 changelogs:
+  - { date: "05.07.20:", desc: "Add Debian updates and security repos for headers." }
   - { date: "25.06.20:", desc: "Simplify module tests, prevent iptables issues from resulting in false negatives." }
   - { date: "19.06.20:", desc: "Add support for Ubuntu Focal (20.04) kernels. Compile wireguard tools and kernel module instead of using the ubuntu packages. Make module install optional. Improve verbosity in logs." }
   - { date: "29.05.20:", desc: "Add support for 64bit raspbian." }
diff --git a/root/etc/cont-init.d/30-config b/root/etc/cont-init.d/30-config
index ea173709..64a169ad 100644
--- a/root/etc/cont-init.d/30-config
+++ b/root/etc/cont-init.d/30-config
@@ -59,9 +59,17 @@ if [ "$SKIP_COMPILE" != "true" ] && [ ! -e /lib/modules/$(uname -r)/build ]; the
   elif uname -v | grep -q 'Debian'; then
     echo "**** Debian host detected, attempting to install kernel headers from Debian Buster repo ****"
     curl -s https://ftp-master.debian.org/keys/archive-key-10.asc | apt-key add -
-    echo -e \
-      "deb http://deb.debian.org/debian buster main contrib non-free\ndeb-src http://deb.debian.org/debian buster main contrib non-free\ndeb http://deb.debian.org/debian buster-backports main contrib non-free\ndeb-src http://deb.debian.org/debian buster-backports main contrib non-free" \
-      > /etc/apt/sources.list.d/debian.list
+    curl -s https://ftp-master.debian.org/keys/archive-key-10-security.asc | apt-key add -
+    cat <<DUDE > /etc/apt/sources.list.d/debian.list
+deb http://deb.debian.org/debian buster main contrib non-free
+deb-src http://deb.debian.org/debian buster main contrib non-free
+deb http://deb.debian.org/debian-security/ buster/updates main contrib non-free
+deb-src http://deb.debian.org/debian-security/ buster/updates main contrib non-free
+deb http://deb.debian.org/debian buster-updates main contrib non-free
+deb-src http://deb.debian.org/debian buster-updates main contrib non-free
+deb http://deb.debian.org/debian buster-backports main contrib non-free
+deb-src http://deb.debian.org/debian buster-backports main contrib non-free
+DUDE
     apt-get update
     if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
       if uname -r | grep -qs "bpo"; then
@@ -75,6 +83,7 @@ if [ "$SKIP_COMPILE" != "true" ] && [ ! -e /lib/modules/$(uname -r)/build ]; the
     else
       echo "**** Attempting to install kernel headers from the Debian Stretch repo ****"
       curl -s https://ftp-master.debian.org/keys/archive-key-9.asc | apt-key add -
+      curl -s https://ftp-master.debian.org/keys/archive-key-9-security.asc | apt-key add -
       sed -i 's/buster/stretch/g' /etc/apt/sources.list.d/debian.list
       apt-get update
       if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
@@ -100,6 +109,7 @@ if [ "$SKIP_COMPILE" != "true" ]; then
   if [ -e /lib/modules/$(uname -r)/build ]; then 
     echo "**** Kernel headers seem to be present, attempting to build the wireguard module. . . ****"
     if [ ! -f /lib/modules/$(uname -r)/build/certs/signing_key.pem ]; then
+      mkdir -p /lib/modules/$(uname -r)/build/certs
       cd /lib/modules/$(uname -r)/build/certs
       cat <<DUDE >> x509.genkey
 [ req ]