V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/3.8.7.functions_installation_setup_files.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
+# SPDX-PackageName: CISS.2025.hardened.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+###########################################################################################
+# 3.8.7. Functions - installation - updating files                                        #
+###########################################################################################
+
+###########################################################################################
+# Updating alias and banner files.
+# Globals:
+#   MODULE_ERR
+#   MODULE_TXT
+#   PATH_ABS
+#   TARGET
+#   accounts_user_login
+#   accounts_user_name
+# Arguments:
+#   None
+###########################################################################################
+3_8_7_functions_installation_setup_files() {
+  declare -g -x MODULE_ERR="3_8_7_functions_installation_setup_files"
+  declare -g -x MODULE_TXT="Updating banner files"
+  do_show_header "${MODULE_TXT}"
+
+  cp "${PATH_ABS}"/.assets/.alias "${TARGET}"/root/.alias
+  chown root:root "${TARGET}"/root/.alias
+  chmod 0600 "${TARGET}"/root/.alias
+  do_log "info" "false" "'${TARGET}/root/.alias' installed."
+
+  cp "${PATH_ABS}"/.assets/banner "${TARGET}"/etc/banner
+  chown root:root "${TARGET}"/etc/banner
+  chmod 0644 "${TARGET}"/etc/banner
+  do_log "info" "false" "'${TARGET}/etc/banner' installed."
+
+  cp "${PATH_ABS}"/.assets/.clean_logout "${TARGET}"/root/.clean_logout
+  chown root:root "${TARGET}"/root/.clean_logout
+  chmod 0600 "${TARGET}"/root/.clean_logout
+  do_log "info" "false" "'${TARGET}/root/.clean_logout' installed."
+
+  cp "${PATH_ABS}"/.assets/motd "${TARGET}"/etc/motd
+  chown root:root "${TARGET}"/etc/motd
+  chmod 0644 "${TARGET}"/etc/motd
+  do_log "info" "false" "'${TARGET}/etc/motd' installed."
+
+  cat "${PATH_ABS}"/.assets/.bashrc_cat >> "${TARGET}"/root/.bashrc
+  do_log "info" "false" "'${TARGET}/root/.bashrc' updated."
+
+  if [[ ${accounts_user_login,,} == "true" ]]; then
+    cat "${PATH_ABS}"/.assets/.bashrc_cat >> "${TARGET}"/home/"${accounts_user_name}"/.bashrc
+    do_log "info" "false" "'${TARGET}/home/${accounts_user_name}/.bashrc' updated."
+  fi
+
+  do_show_footer "${MODULE_TXT}"
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:

func/3.8.8.functions_installation_exiting_chroot.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
+# SPDX-PackageName: CISS.2025.hardened.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+###########################################################################################
+# 3.8.8. Functions - installation - exiting chroot                                        #
+###########################################################################################
+
+###########################################################################################
+# Exiting chroot.
+# Globals:
+#   MODULE_ERR
+#   MODULE_TXT
+#   TARGET
+# Arguments:
+#   None
+###########################################################################################
+3_8_8_functions_installation_exiting_chroot() {
+  declare -g -x MODULE_ERR="3_8_8_functions_installation_exiting_chroot"
+  declare -g -x MODULE_TXT="exiting chroot"
+  do_show_header "${MODULE_TXT}"
+
+  umount -lf "${TARGET}/proc"
+  do_log "info" "true" "'umount -lf ${TARGET}/proc'."
+  umount -lf "${TARGET}/sys"
+  do_log "info" "true" "'umount -lf ${TARGET}/sys'."
+  umount -lf "${TARGET}/dev"
+  do_log "info" "true" "'umount -lf ${TARGET}/dev'."
+  umount -lf "${TARGET}/run"
+  do_log "info" "true" "'umount -lf ${TARGET}/run'."
+
+  do_show_footer "${MODULE_TXT}"
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:

func/recovery/3.8.9.functions_installation_wrapper_recovery.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
+# SPDX-PackageName: CISS.2025.hardened.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+###########################################################################################
+# 3.8.9. Functions - installation - wrapper recovery                                      #
+###########################################################################################
+
+###########################################################################################
+# Wrapper to check if recovery partition is selected and if so, proceed with setup of recovery OS.
+# Globals:
+#   MAP_MOUNTPATH_DEV
+#   MODULE_ERR
+#   MODULE_TXT
+# Arguments:
+#   None
+###########################################################################################
+3_8_9_functions_installation_wrapper_recovery() {
+  declare -g -x MODULE_ERR="3_8_9_functions_installation_wrapper_recovery"
+  declare -g -x MODULE_TXT="Wrapper recovery partition"
+  do_show_header "${MODULE_TXT}"
+
+  declare FOUND="false"
+  declare MOUNT_PATH=""
+  declare HASHMAP_VALUE=""
+
+  for MOUNT_PATH in "${!MAP_MOUNTPATH_DEV[@]}"; do
+    HASHMAP_VALUE="${MAP_MOUNTPATH_DEV[${MOUNT_PATH}]}"
+    if [[ ${HASHMAP_VALUE} == "/dev/mapper/crypt_rescue" ]]; then
+      FOUND="true"
+      break
+    fi
+  done
+
+  if [[ ${FOUND} == true ]]; then
+    3_9_0_functions_installation_setup_recovery
+    3_9_1_functions_installation_generate_files_recovery
+  fi
+
+  do_show_footer "${MODULE_TXT}"
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:

func/recovery/3.9.0.functions_installation_setup_recovery.sh

@@ -0,0 +1,90 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
+# SPDX-PackageName: CISS.2025.hardened.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+###########################################################################################
+# 3.9.0. Functions - installation - setup recovery                                        #
+###########################################################################################
+
+###########################################################################################
+# Mounting '/dev/mapper/crypt_rescue', debootstrap recovery partition, preparing chroot.
+# Globals:
+#   ERR_CHROOT_MOUNTS
+#   ERR_DE_BOOT_STRAP
+#   MODULE_ERR
+#   MODULE_TXT
+#   RECOVERY
+#   TARGET
+# Arguments:
+#   None
+###########################################################################################
+3_9_0_functions_installation_setup_recovery() {
+  declare -g -x MODULE_ERR="3_9_0_functions_installation_setup_recovery"
+  declare -g -x MODULE_TXT="Setup recovery partition"
+  do_show_header "${MODULE_TXT}"
+
+  # The '/dev/mapper/crypt_rescue' partition is not mounted by the installation script by default,
+  # as it is not required to be automatically mounted by the production system via '/etc/crypttab' and '/etc/fstab'.
+  mount /dev/mapper/crypt_rescue "${RECOVERY}"
+
+  # Debootstrap for a minimalistic Debian OS.
+  if debootstrap --arch amd64 bookworm "${RECOVERY}" https://deb.debian.org/debian; then
+    do_log "info" "false" "Executing 'debootstrap --arch amd64 bookworm '${RECOVERY}' https://deb.debian.org/debian' successful."
+  else
+    do_log "emergency" "false" "Executing 'debootstrap --arch amd64 bookworm '${RECOVERY}' https://deb.debian.org/debian' NOT successful."
+    exit "${ERR_DE_BOOT_STRAP}"
+  fi
+
+  ### Reminder ###
+  # --rbind: recursive binding.
+  # --make-rslave: In this case, the mount point is marked as 'slave'.
+  # This means changes to the source mount (e.g., /proc) are propagated to the target mount (e.g., "${TARGET}"/proc).
+  # Conversely, changes to the target mount are not propagated back to the source mount.
+  # This mode is necessary to avoid problems with double or erroneous propagation effects in chroot or container environments.
+
+  # Prepare the freshly installed Debian OS recovery system for further setup.
+  if mount --make-rslave --rbind /proc "${RECOVERY}"/proc; then
+    do_log "info" "true" "'mount --make-rslave --rbind /proc ${RECOVERY}/proc'."
+  else
+    do_log "emergency" "true" "Failed: 'mount --make-rslave --rbind /proc ${RECOVERY}/proc'."
+    exit "${ERR_CHROOT_MOUNTS}"
+  fi
+
+  if mount --make-rslave --rbind /sys "${RECOVERY}"/sys; then
+    do_log "info" "true" "'mount --make-rslave --rbind /sys ${RECOVERY}/sys'."
+  else
+    do_log "emergency" "true" "Failed: 'mount --make-rslave --rbind /sys ${RECOVERY}/sys'."
+    exit "${ERR_CHROOT_MOUNTS}"
+  fi
+
+  if mount --make-rslave --rbind /dev "${RECOVERY}"/dev; then
+    do_log "info" "true" "'mount --make-rslave --rbind /dev ${RECOVERY}/dev'."
+  else
+    do_log "emergency" "true" "Failed: 'mount --make-rslave --rbind /dev ${RECOVERY}/dev'."
+    exit "${ERR_CHROOT_MOUNTS}"
+  fi
+
+  if mount --make-rslave --rbind /run "${RECOVERY}"/run; then
+    do_log "info" "true" "'mount --make-rslave --rbind /run ${RECOVERY}/run'."
+  else
+    do_log "emergency" "true" "Failed: 'mount --make-rslave --rbind /run ${RECOVERY}/run'."
+    exit "${ERR_CHROOT_MOUNTS}"
+  fi
+
+  if do_in_target "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
+    do_log "info" "true" "Command: 'mkdir -p /etc/systemd/system/multi-user.target.wants' executed in: '${RECOVERY}'."
+  else
+    do_log "emergency" "true" "Failed: Command: 'mkdir -p /etc/systemd/system/multi-user.target.wants' executed in: '${RECOVERY}'."
+  fi
+
+  do_show_footer "${MODULE_TXT}"
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:

func/recovery/3.9.1.functions_installation_generate_files_recovery.sh

@@ -0,0 +1,401 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
+# SPDX-PackageName: CISS.2025.hardened.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+###########################################################################################
+# 3.9.1. Functions - installation - generate files recovery                               #
+###########################################################################################
+
+###########################################################################################
+# Generates '${RECOVERY}/etc/crypttab' and '${RECOVERY}/etc/fstab' files for recovery partition.
+# Globals:
+#   tba
+# Arguments:
+#   None
+###########################################################################################
+3_9_1_functions_installation_generate_files_recovery() {
+  declare -g -x MODULE_ERR="3_9_1_functions_installation_generate_files_recovery"
+  declare -g -x MODULE_TXT="Generate 'fstab' and 'crypttab' for recovery partition"
+  do_show_header "${MODULE_TXT}"
+
+  ### BLOCK '${RECOVERY}/etc/crypttab'
+
+  # Generate '${RECOVERY}/etc/crypttab'
+  touch "${RECOVERY}"/etc/crypttab
+  chmod 0644 "${RECOVERY}"/etc/crypttab
+
+  # Generate '${RECOVERY}/etc/crypttab' header
+  # shellcheck disable=SC2129
+  cat << EOF >> "${RECOVERY}"/etc/crypttab
+# <name>  <device>  <password-file-or-none>  <options>
+
+EOF
+
+  ### Reminder ###
+  # MAP_MOUNTPATH_DEV["${MOUNT_PATH}"]="/dev/mapper/${ENCRYPTION_LABEL}"
+  # MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]="${UUID}"
+  # MAP_PATH_CRYPT["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
+
+  # Extract the key from HashMap MAP_PATH_CRYPT["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
+  declare KEY=""
+  declare VAR=""
+
+  for VAR in "${!MAP_PATH_CRYPT[@]}"; do
+    if [[ ${MAP_PATH_CRYPT[$VAR]} == "crypt_rescue" ]]; then
+      KEY="${VAR}"
+      break
+    fi
+  done
+
+  declare ENCRYPTION_LABEL
+  ENCRYPTION_LABEL="${MAP_PATH_CRYPT["${KEY}"]}"
+
+  # shellcheck disable=2129
+  echo "# ${KEY} was on /dev/mapper/${MAP_PATH_CRYPT["${KEY}"]} during installation" >> "${RECOVERY}"/etc/crypttab
+  echo "${MAP_PATH_CRYPT["${KEY}"]} UUID=${MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]} none luks,discard" >> "${RECOVERY}"/etc/crypttab
+  echo "" >> "${RECOVERY}"/etc/crypttab
+  do_log "info" "false" "crypttab entry generated: '${MAP_PATH_CRYPT["${KEY}"]} UUID=${MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]} none luks,discard'."
+
+  # TODO: Update loop to iterate thru dynamic number of ephemeral drives.
+  # Generate '${RECOVERY}/etc/crypttab' special ephemeral entries.
+  declare -a EPHEMERAL_MOUNT_PATH=("SWAP" "/tmp")
+  declare KEY=""
+
+  # MAP_EPHEMERAL_DEV["${MOUNT_PATH}"]="/dev/${DEV}${PARTITION}"
+  # MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
+  for KEY in "${EPHEMERAL_MOUNT_PATH[@]}"; do
+
+    if [[ ${KEY} == "SWAP" ]]; then
+
+      # shellcheck disable=2129
+      echo "# ${KEY} was on ${MAP_EPHEMERAL_DEV[${KEY}]} during installation" >> "${RECOVERY}"/etc/crypttab
+      # TODO: Change static 'LABEL=' to dynamic extraction of partitioning.yaml 'recipe_..._filesystem_label' recipe string.
+      echo "${MAP_EPHEMERAL_ENCLABEL[${KEY}]}  LABEL=SWAP  /dev/random  swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096" >> "${RECOVERY}"/etc/crypttab
+      echo "" >> "${RECOVERY}"/etc/crypttab
+      do_log "info" "false" "'${RECOVERY}/etc/crypttab' entry generated: '${MAP_EPHEMERAL_ENCLABEL[${KEY}]}  LABEL=SWAP  /dev/random  swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096'."
+
+    elif [[ ${KEY} == "/tmp" ]]; then
+
+      # shellcheck disable=2129
+      echo "# ${KEY} was on ${MAP_EPHEMERAL_DEV[${KEY}]} during installation" >> "${RECOVERY}"/etc/crypttab
+      # TODO: Change static 'LABEL=' to dynamic extraction of partitioning.yaml 'recipe_..._filesystem_label' recipe string.
+      echo "${MAP_EPHEMERAL_ENCLABEL[${KEY}]}  LABEL=ext4_tmp  /dev/random  offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4" >> "${RECOVERY}"/etc/crypttab
+      echo "" >> "${RECOVERY}"/etc/crypttab
+      do_log "info" "false" "'${RECOVERY}/etc/crypttab' entry generated: '${MAP_EPHEMERAL_ENCLABEL[${KEY}]}  LABEL=ext4_tmp  /dev/random  offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4'."
+
+    else
+
+      do_log "info" "true" "${RECOVERY}/etc/crypttab (This message should never get printed.)"
+
+    fi
+
+  done
+
+  ### BLOCK '${RECOVERY}/etc/fstab'
+
+  # Generate '${RECOVERY}/etc/fstab'
+  touch "${RECOVERY}"/etc/fstab
+  chmod 0644 "${RECOVERY}"/etc/fstab
+
+  # Generate '${RECOVERY}/etc/fstab' header
+  # shellcheck disable=SC2129
+  cat << EOF >> "${RECOVERY}"/etc/fstab
+# /etc/fstab: static file system information.
+#
+# Use 'blkid' to print the universally unique identifier for a
+# device; this may be used with UUID= as a more robust way to name devices
+# that works even if disks are added and removed. See fstab(5).
+#
+# systemd generates mount units based on this file, see systemd.mount(5).
+# Please run 'systemctl daemon-reload' after making changes here.
+#
+# <file system> <mount point>   <type>  <options>       <dump>  <pass>
+
+EOF
+
+  ### Reminder ###
+  # MAP_MOUNTPATH_DEV["${MOUNT_PATH}"]="/dev/mapper/${ENCRYPTION_LABEL}"
+  # MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]="${UUID}"
+  # MAP_PATH_CRYPT["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
+
+  # TODO: BEGIN: BLOCK "${RECOVERY}"/etc/fstab
+  # TODO: complete this block
+
+  # Generate '${TARGET}/etc/fstab' special entries '/' '/boot' '/boot/efi'.
+  # Define the order of the special keys.
+  declare -a KEY_ORDER
+  KEY_ORDER=("/RECOVERY")
+
+  declare DEVICE_PATH
+  declare DEVICE_UUID
+  declare ENCRYPTION_LABEL
+  declare KEY
+  declare MATCHING_VAR
+  declare TRANSFORMED_STRING
+
+  for KEY in "${KEY_ORDER[@]}"; do
+    # Initialize variables
+    DEVICE_PATH="${MAP_MOUNTPATH_DEV[${KEY}]}"
+    DEVICE_UUID=$(blkid -s UUID -o value "${DEVICE_PATH}")
+
+    # if KEY:VALUE equals "/dev/${DEV}${PARTITION}"
+    if [[ ${DEVICE_PATH} =~ ^/dev/[a-zA-Z]+[0-9]+$ ]]; then
+
+      TRANSFORMED_STRING=$(echo "${DEVICE_PATH}" | sed 's|/dev/|dev_|; s|\([a-zA-Z]\)\([0-9]\)|\1_\2|')
+
+    # if KEY:VALUE equals "/dev/mapper/${ENCRYPTION_LABEL}"
+    elif [[ ${DEVICE_PATH} =~ ^/dev/mapper/ ]]; then
+
+      # Extract ENCRYPTION_LABEL
+      ENCRYPTION_LABEL="${DEVICE_PATH#/dev/mapper/}"
+
+      # Search matching variable of the sourced "${PRESEED}" variable file
+      MATCHING_VAR=$(declare -p | grep -oP "recipe_[^ ]+_encryption_label=${ENCRYPTION_LABEL}")
+
+      if [[ -n ${MATCHING_VAR} ]]; then
+
+        # Extract third, fourth and fifth part of the respective variable
+        TRANSFORMED_STRING=$(echo "${MATCHING_VAR}" | sed -E 's|recipe_[^_]+_(dev_[^_]+_[^_]+)_.*|\1|')
+
+      else
+
+        do_log "error" "false" "No matching variable found for ENCRYPTION_LABEL='${ENCRYPTION_LABEL}'."
+        exit "${ERR_NO_ENCR_LABEL}"
+
+      fi
+
+    else
+
+      do_log "error" "false" "Unknown DEVICE_PATH-Format: '${DEVICE_PATH}'."
+      exit "${ERR_NO_DEVIC_PATH}"
+
+    fi
+
+    declare BTRFS_COMPR_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_btrfs_compress"
+    declare BTRFS_LEVEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_btrfs_level"
+    declare FILESYSTEM_LABEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_label"
+    declare FILESYSTEM_VERSION_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_version"
+    declare MOUNT_OPTIONS_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_options"
+    declare MOUNT_SUBVOLUME_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_subvolume"
+
+    declare BTRFS_COMPR=${!BTRFS_COMPR_VAR}
+    declare BTRFS_LEVEL=${!BTRFS_LEVEL_VAR}
+    declare FILESYSTEM_LABEL=${!FILESYSTEM_LABEL_VAR}
+    declare FILESYSTEM_VERSION=${!FILESYSTEM_VERSION_VAR}
+    declare MOUNT_OPTIONS=${!MOUNT_OPTIONS_VAR}
+    declare MOUNT_SUBVOLUME=${!MOUNT_SUBVOLUME_VAR}
+
+    if [[ ${KEY} == "/" ]]; then
+
+      if [[ ${FILESYSTEM_VERSION} == "btrfs" ]]; then
+
+        declare BTRFS_OPTIONS="compress=${BTRFS_COMPR}:${BTRFS_LEVEL}"
+        # shellcheck disable=2129
+        echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
+        echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
+        echo "${MAP_MOUNTPATH_DEV[${KEY}]}  ${KEY}  ${FILESYSTEM_VERSION}  ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME}  0  1" >> "${TARGET}"/etc/fstab
+        echo "" >> "${TARGET}"/etc/fstab
+        do_log "info" "false" "fstab entry generated: '${MAP_MOUNTPATH_DEV[${KEY}]}  ${KEY}  ${FILESYSTEM_VERSION}  ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME}  0  1'."
+
+      elif [[ ${FILESYSTEM_VERSION} == "ext4" ]]; then
+
+        # shellcheck disable=2129
+        echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
+        echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
+        echo "${MAP_MOUNTPATH_DEV[${KEY}]}  ${KEY}  ${FILESYSTEM_VERSION}  ${MOUNT_OPTIONS}  0  1" >> "${TARGET}"/etc/fstab
+        echo "" >> "${TARGET}"/etc/fstab
+        do_log "info" "false" "fstab entry generated: '${MAP_MOUNTPATH_DEV[${KEY}]}  ${KEY} ${FILESYSTEM_VERSION}  ${MOUNT_OPTIONS}  0  1'."
+
+      else
+
+        do_log "error" "false" "fstab entry - no valid filesystem: '${FILESYSTEM_VERSION}' found for '${KEY}'."
+
+      fi
+
+    elif [[ ${KEY} == "/boot" ]]; then
+
+      if [[ ${FILESYSTEM_VERSION} == "btrfs" ]]; then
+
+        declare BTRFS_OPTIONS="compress=${BTRFS_COMPR}:${BTRFS_LEVEL}"
+        # shellcheck disable=2129
+        echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
+        echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
+        echo "UUID=${DEVICE_UUID}  ${KEY}  ${FILESYSTEM_VERSION}  ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME}  0  2" >> "${TARGET}"/etc/fstab
+        echo "" >> "${TARGET}"/etc/fstab
+        do_log "info" "false" "fstab entry generated: 'UUID=${DEVICE_UUID}  ${KEY}  ${FILESYSTEM_VERSION}  ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME}  0  2'."
+
+      elif [[ ${FILESYSTEM_VERSION} == "ext4" ]]; then
+
+        # shellcheck disable=2129
+        echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
+        echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
+        echo "UUID=${DEVICE_UUID}  ${KEY}  ${FILESYSTEM_VERSION}  ${MOUNT_OPTIONS}  0  2" >> "${TARGET}"/etc/fstab
+        echo "" >> "${TARGET}"/etc/fstab
+        do_log "info" "false" "fstab entry generated: 'UUID=${DEVICE_UUID}  ${KEY}  ${FILESYSTEM_VERSION}  ${MOUNT_OPTIONS}  0  2'."
+
+      else
+
+        do_log "error" "false" "fstab entry - no valid filesystem: '${FILESYSTEM_VERSION}' found for '${KEY}'."
+
+      fi
+
+    elif [[ ${KEY} == "/boot/efi" ]]; then
+
+      if [[ ${FILESYSTEM_VERSION} == "fat32" ]]; then
+
+        # shellcheck disable=2129
+        echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
+        echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
+        echo "UUID=${DEVICE_UUID}  ${KEY}  vfat  umask=0077  0  2" >> "${TARGET}"/etc/fstab
+        echo "" >> "${TARGET}"/etc/fstab
+        do_log "info" "false" "fstab entry generated: 'UUID=${DEVICE_UUID}  ${KEY}  vfat umask=0077  0  2'."
+
+      else
+
+        do_log "error" "false" "fstab entry - no valid filesystem: '${FILESYSTEM_VERSION}' found for '${KEY}'."
+
+      fi
+
+    else
+
+      do_log "error" "false" "fstab entry - no valid '${KEY}' for '/', '/boot', '/boot/efi' found."
+
+    fi
+
+  done
+
+  # Generate '${TARGET}/etc/fstab' remaining entries
+  for KEY in "${!MAP_MOUNTPATH_DEV[@]}"; do
+
+    # Initialize variables
+    DEVICE_PATH="${MAP_MOUNTPATH_DEV[${KEY}]}"
+    DEVICE_UUID=$(blkid -s UUID -o value "${DEVICE_PATH}")
+
+    # if KEY:VALUE equals "/dev/${DEV}${PARTITION}"
+    if [[ ${DEVICE_PATH} =~ ^/dev/[a-zA-Z]+[0-9]+$ ]]; then
+
+      TRANSFORMED_STRING=$(echo "${DEVICE_PATH}" | sed 's|/dev/|dev_|; s|\([a-zA-Z]\)\([0-9]\)|\1_\2|')
+
+    # if KEY:VALUE equals "/dev/mapper/${ENCRYPTION_LABEL}"
+    elif [[ ${DEVICE_PATH} =~ ^/dev/mapper/ ]]; then
+
+      # Extract ENCRYPTION_LABEL
+      ENCRYPTION_LABEL="${DEVICE_PATH#/dev/mapper/}"
+
+      # Search matching variable of the sourced "${PRESEED}" variable file
+      MATCHING_VAR=$(declare -p | grep -oP "recipe_[^ ]+_encryption_label=${ENCRYPTION_LABEL}")
+
+      if [[ -n ${MATCHING_VAR} ]]; then
+
+        # Extract third, fourth and fifth part of the respective variable
+        TRANSFORMED_STRING=$(echo "${MATCHING_VAR}" | sed -E 's|recipe_[^_]+_(dev_[^_]+_[^_]+)_.*|\1|')
+
+      else
+
+        do_log "error" "false" "No matching variable found for ENCRYPTION_LABEL='${ENCRYPTION_LABEL}'."
+        exit "${ERR_NO_ENCR_LABEL}"
+
+      fi
+
+    else
+
+      do_log "error" "false" "Unknown DEVICE_PATH-Format: '${DEVICE_PATH}'."
+      exit "${ERR_NO_DEVIC_PATH}"
+
+    fi
+
+    declare BTRFS_COMPR_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_btrfs_compress"
+    declare BTRFS_LEVEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_btrfs_level"
+    declare FILESYSTEM_LABEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_label"
+    declare FILESYSTEM_VERSION_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_version"
+    declare MOUNT_OPTIONS_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_options"
+    declare MOUNT_SUBVOLUME_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_subvolume"
+
+    declare BTRFS_COMPR=${!BTRFS_COMPR_VAR}
+    declare BTRFS_LEVEL=${!BTRFS_LEVEL_VAR}
+    declare FILESYSTEM_LABEL=${!FILESYSTEM_LABEL_VAR}
+    declare FILESYSTEM_VERSION=${!FILESYSTEM_VERSION_VAR}
+    declare MOUNT_OPTIONS=${!MOUNT_OPTIONS_VAR}
+    declare MOUNT_SUBVOLUME=${!MOUNT_SUBVOLUME_VAR}
+
+    # Skip already mounted paths ("/", "/boot", "/boot/efi")
+    if [[ " ${KEY_ORDER[*]} " == *" ${KEY} "* ]]; then
+      continue
+    fi
+
+    if [[ ${FILESYSTEM_VERSION} == "btrfs" ]]; then
+
+      declare BTRFS_OPTIONS="compress=${BTRFS_COMPR}:${BTRFS_LEVEL}"
+      # shellcheck disable=2129
+      echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
+      echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
+      echo "UUID=${DEVICE_UUID}  ${KEY}  ${FILESYSTEM_VERSION}  ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME}  0  2" >> "${TARGET}"/etc/fstab
+      echo "" >> "${TARGET}"/etc/fstab
+      do_log "info" "false" "fstab entry generated: 'UUID=${DEVICE_UUID}  ${KEY}  ${FILESYSTEM_VERSION}  ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME}  0  2'."
+
+    elif [[ ${FILESYSTEM_VERSION} == "ext4" ]]; then
+
+      # shellcheck disable=2129
+      echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
+      echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
+      echo "UUID=${DEVICE_UUID}  ${KEY}  ${FILESYSTEM_VERSION}  ${MOUNT_OPTIONS}  0  2" >> "${TARGET}"/etc/fstab
+      echo "" >> "${TARGET}"/etc/fstab
+      do_log "info" "false" "fstab entry generated: 'UUID=${DEVICE_UUID}  ${KEY}  ${FILESYSTEM_VERSION}  ${MOUNT_OPTIONS}  0  2'."
+
+    else
+
+      do_log "error" "false" "fstab entry - no valid filesystem: '${FILESYSTEM_VERSION}' found for '${KEY}'."
+
+    fi
+
+  done
+
+  # TODO: flexible entries for more than one CD-ROM drives.
+  # Add entry for CD-ROM device
+  # shellcheck disable=2129
+  echo "# /media/cdrom0 was on /dev/sr0 during installation" >> "${TARGET}"/etc/fstab
+  echo "/dev/sr0  /media/cdrom0  udf,iso9660  user,noauto  0  0" >> "${TARGET}"/etc/fstab
+  echo "" >> "${TARGET}"/etc/fstab
+  do_log "info" "false" "fstab entry generated: '/dev/sr0  /media/cdrom0  udf,iso9660  user,noauto  0  0'."
+
+  # Add entry for proc and tmpfs device
+  # shellcheck disable=2129
+  echo "##### Added by CISS.2025.debian.installer" >> "${TARGET}"/etc/fstab
+  echo "proc  /proc  proc  nodev,nosuid,noexec,hidepid=2  0  0" >> "${TARGET}"/etc/fstab
+  echo "tmpfs  /dev/shm  tmpfs  rw,nodev,nosuid,noexec,relatime,size=1G  0  0" >> "${TARGET}"/etc/fstab
+  echo "" >> "${TARGET}"/etc/fstab
+  do_log "info" "false" "fstab entry generated: 'proc  /proc  proc  nodev,nosuid,noexec,hidepid=2  0  0'."
+  do_log "info" "false" "fstab entry generated: 'tmpfs  /dev/shm  tmpfs  rw,nodev,nosuid,noexec,relatime,size=1G  0  0'."
+
+  # TODO: flexible 'SWAP' entry, not only ephemeral SWAP.
+  # Add entry for SWAP device
+  declare MOUNT_PATH="SWAP"
+  # shellcheck disable=2129
+  echo "##### Added by CISS.2025.debian.installer" >> "${TARGET}"/etc/fstab
+  echo "${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]}  none  swap  defaults  0  0" >> "${TARGET}"/etc/fstab
+  echo "" >> "${TARGET}"/etc/fstab
+  do_log "info" "false" "fstab entry generated: '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]}  none  swap  defaults  0  0'."
+
+  # TODO: flexible '/tmp' entry, not only ephemeral SWAP.
+  # Add entry for '/tmp' device
+  declare MOUNT_PATH="/tmp"
+  # shellcheck disable=2129
+  echo "##### Added by CISS.2025.debian.installer" >> "${TARGET}"/etc/fstab
+  echo "${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]}  /tmp  ext4  defaults,rw,nodev,nosuid,relatime  0  0" >> "${TARGET}"/etc/fstab
+  echo "" >> "${TARGET}"/etc/fstab
+  do_log "info" "false" "fstab entry generated: '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]}  /tmp  ext4  defaults,rw,nodev,nosuid,relatime  0  0'."
+
+  # TODO: END: BLOCK "${RECOVERY}"/etc/fstab
+  # TODO: complete this block
+
+  do_show_footer "${MODULE_TXT}"
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:

func/system/4230_setup_chrony.sh

@@ -35,8 +35,6 @@ setup_chrony() {
   done
   printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh %s" "${NL}" >> "${var_of}"
 
-  # do_remove_service "systemd-timesyncd.service" "systemd-timesyncd"
-
   mkdir -p "${TARGET}/var/log/chrony"
   do_in_target "${TARGET}" apt-get install chrony -y