V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-07-24 18:28:35 +02:00
parent e9681e87c5
commit 0a2d983c7d
64 changed files with 525 additions and 1423 deletions


@@ -13,20 +13,15 @@
### Contributions so far see ./docs/CREDITS.md ### Contributions so far see ./docs/CREDITS.md
### WHY BASH? ### WHY BASH?
# Ease of installation. # Ease of installation. No compiling or installing gems, CPAN modules, pip packages, etc. Simple to use and read. Clear syntax
# No compiling or installing gems, CPAN modules, pip packages, etc. # and straightforward output interpretation. Built-in power. Pattern matching, line processing, and regular expression support
# Simple to use and read. Clear syntax and straightforward output interpretation. # are available natively, no external binaries required. Cross-platform consistency. '/bin/bash' is the default shell on most
# Built-in power. # Linux distributions, ensuring scripts run unmodified across systems. macOS compatibility. Since macOS Catalina (10.15), the
# Pattern matching, line processing, and regular expression support are available natively, # default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
# no external binaries required. # or Cygwin on Windows systems.
# Cross-platform consistency.
# '/bin/bash' is the default shell on most Linux distributions, ensuring scripts run unmodified across systems.
# macOS compatibility.
# Since macOS Catalina (10.15), the default login shell has been zsh, but bash remains available at '/bin/bash'.
# Windows support.
# You can use bash via WSL, MSYS2, or Cygwin on Windows systems.
### PRELIMINARY CHECKS ### PRELIMINARY CHECKS
# shellcheck disable=2292
[ -z "${BASH_VERSINFO[0]}" ] && { [ -z "${BASH_VERSINFO[0]}" ] && {
. ./meta_loader_early.sh . ./meta_loader_early.sh
printf "%s❌ Please make sure you are using 'bash'! Bye... %s%s" "${RED}" "${RES}" "${NL}" >&2 printf "%s❌ Please make sure you are using 'bash'! Bye... %s%s" "${RED}" "${RES}" "${NL}" >&2
@@ -39,6 +34,7 @@
exit "${ERR_USER_IS_NOT_ROOT}" exit "${ERR_USER_IS_NOT_ROOT}"
} }
# shellcheck disable=2312
[[ $(kill -l | grep -c SIG) -eq 0 ]] && { [[ $(kill -l | grep -c SIG) -eq 0 ]] && {
. ./meta_loader_early.sh . ./meta_loader_early.sh
printf "%s❌ Please make sure you are calling the script without leading 'sh'! Bye... %s%s" "${RED}" "${RES}" "${NL}" >&2 printf "%s❌ Please make sure you are calling the script without leading 'sh'! Bye... %s%s" "${RED}" "${RES}" "${NL}" >&2
@@ -60,17 +56,25 @@
[[ ${#} -eq 0 ]] && { [[ ${#} -eq 0 ]] && {
. ./lib/0000_usage.sh; usage >&2; exit 1; } . ./lib/0000_usage.sh; usage >&2; exit 1; }
### SOURCING MUST SET EARLY VARIABLES ### SOURCING MUST SET EARLY VARIABLES. SOURCING GUARD_SOURCING()
. ./var/early.var.sh . ./var/early.var.sh
. ./lib/0010_guard_sourcing.sh
### CHECK FOR CONTACT, HELP, AND VERSION STRING ### CHECK FOR CONTACT, HELP, AND VERSION STRING
for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/0001_contact.sh; contact; exit 0;; esac; done for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/0001_contact.sh; contact; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/0000_usage.sh; usage; exit 0;; esac; done for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/0000_usage.sh; usage; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/0002_version.sh; version; exit 0;; esac; done for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/0002_version.sh; version; exit 0;; esac; done
### ALL CHECKS DONE. READY TO START THE SCRIPT. SOURCING GUARD_SOURCING() ### PRE SCAN FOR DEBUG MODE
. ./lib/0050_debug_pre_scan.sh
pre_scan_debug "$@"
### SOURCING BASH OPTIONS
. ./var/bash.var.sh
umask 0022
### ALL CHECKS DONE. READY TO START THE SCRIPT.
declare -grx VAR_SETUP="true" declare -grx VAR_SETUP="true"
. ./lib/0010_guard_sourcing.sh
### CHECK FOR AUTO INSTALL MODE ### CHECK FOR AUTO INSTALL MODE
for arg in "$@"; do case "${arg,,}" in -a|--autoinstall) declare -gx VAR_AUTO_INSTALL="true";; esac; done; unset arg for arg in "$@"; do case "${arg,,}" in -a|--autoinstall) declare -gx VAR_AUTO_INSTALL="true";; esac; done; unset arg
@@ -81,32 +85,28 @@ for arg in "$@"; do case "${arg,,}" in -a|--autoinstall) declare -gx VAR_AUTO_IN
check_pkgs check_pkgs
check_git check_git
### PRE SCAN FOR DEBUG MODE
. ./lib/0050_debug_pre_scan.sh
pre_scan_debug "$@"
### ADVISORY LOCK ### ADVISORY LOCK
exec 127>/var/lock/ciss_debian_installer.lock || { exec 127>/var/lock/ciss_debian_installer.lock || {
. ./meta_loader_early.sh
printf "%s❌ Cannot open lockfile for writing! Bye... %s%s" "${RED}" "${RES}" "${NL}" >&2 printf "%s❌ Cannot open lockfile for writing! Bye... %s%s" "${RED}" "${RES}" "${NL}" >&2
exit "${ERR_FLOCK_PROTECTED}" exit "${ERR_FLOCK_PROTECTED}"
} }
if ! flock -x -n 127; then if ! flock -x -n 127; then
. ./meta_loader_early.sh
printf "%s❌ Another instance is running! Bye...%s%s" "${RED}" "${RES}" "${NL}" >&2 printf "%s❌ Another instance is running! Bye...%s%s" "${RED}" "${RES}" "${NL}" >&2
exit "${ERR_FLOCK_COLLISION}" exit "${ERR_FLOCK_COLLISION}"
fi fi
### SOURCING ### SOURCING FUNCTIONS, LIBRARIES, VARIABLES
[[ "${VAR_SETUP}" == "true" ]] && { if [[ "${VAR_SETUP}" == "true" ]]; then
### SOURCING BASH OPTIONS
. ./var/bash.var.sh
### SOURCING FUNCTIONS ### SOURCING FUNCTIONS
. ./meta_loader_func.sh . ./meta_loader_func.sh
### SOURCING LIBRARIES ### SOURCING LIBRARIES
. ./meta_loader_lib.sh . ./meta_loader_lib.sh
### SOURCING VARIABLES ### SOURCING VARIABLES
. ./meta_loader_var.sh . ./meta_loader_var.sh
} fi
### ACTIVATING TRAPS ### ACTIVATING TRAPS
trap 'trap_exit "$?"' EXIT trap 'trap_exit "$?"' EXIT
@@ -116,82 +116,90 @@ trap 'trap_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BA
### PREPARING DIRECTORIES AND FILES ### PREPARING DIRECTORIES AND FILES
gen_dir_files gen_dir_files
### INTERACTIVE MODE NOTES AND KERNEL SELECTION
# TODO: Update 0110_check_kernel.sh & sourcing
# TODO: Update 0120_check_provider.sh & sourcing
#if ! "${VAR_AUTO_INSTALL}"; then check_provider; fi
#if ! "${VAR_AUTO_INSTALL}"; then check_kernel; fi
# TODO: Implement Debian Style Gauge Bar as Alternative Dialog Wrapper
### Dialog Output for Initialization START
if ! "${VAR_AUTO_INSTALL}"; then . ./lib/0200_dialog_helper.sh && dialog_box; fi
### Dialog Output for Initialization
if ! "${VAR_AUTO_INSTALL}"; then . ./lib/0200_dialog_helper.sh && dialog_gauge; fi
### Updating Status of Dialog Gauge Bar
if ! $VAR_AUTO_INSTALL; then printf "XXX\nAdditional initialization ... \nXXX\n25\n" >&3; fi
### Initialization
declare -gr ARGUMENTS_COUNT="$#"
declare -gr ARG_STR_ORG_INPUT="$*"
#declare -ar ARG_ARY_ORG_INPUT=("$@")
# shellcheck disable=SC2155
declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
# shellcheck disable=SC2155
declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
# shellcheck disable=SC2155
declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
### Updating Status of Dialog Gauge Bar
if ! $VAR_AUTO_INSTALL; then printf "XXX\nSourcing Libraries ... \nXXX\n50\n" >&3; fi
# TODO Update temp File Cleaner on trap on ERR / EXIT
### Updating Status of Dialog Gauge Bar
if ! $VAR_AUTO_INSTALL; then printf "XXX\nActivate traps ... \nXXX\n55\n" >&3; fi
### Following the CISS Bash naming and ordering scheme
### Updating Status of Dialog Gauge Bar
if ! $VAR_AUTO_INSTALL; then printf "XXX\nSanitizing Arguments ... \nXXX\n70\n" >&3; fi
arg_check "$@" arg_check "$@"
declare -ar ARY_ARG_SANITIZED=("$@") declare -ar ARY_ARG_SANITIZED=("$@")
declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}" declare -grx VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
### Updating Status of Dialog Gauge Bar
if ! $VAR_AUTO_INSTALL; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
arg_parser "$@" arg_parser "$@"
### Updating Status of Dialog Gauge Bar ### MAIN PROGRAM SEQUENCE
if ! $VAR_AUTO_INSTALL; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
clean_ip
### Updating Status of Dialog Gauge Bar
if ! $VAR_AUTO_INSTALL; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
if ! $VAR_AUTO_INSTALL; then dialog_gauge_cleaner; fi
### MAIN Program
arg_priority_check arg_priority_check
check_stats
if ! $VAR_AUTO_INSTALL; then check_provider; fi
if ! $VAR_AUTO_INSTALL; then check_kernel; fi
check_hooks
hardening_ssh
lb_config_start
lb_config_write
cd "${VAR_WORKDIR}" yaml_parser
hardening_ultra yaml_reader
hardening_root_pw
change_splash
check_dhcp
cdi
provider_netcup
### Start the build process # TODO: Implement / Activate IP, Port validation
set +o errtrace # 1222_validation_preseed.sh 1221_validation_ip.sh
lb_build_start # validation_preseed
### PARTITIONING
partitioning
partition_encryption
partition_formatting
setup_filesystem
mount_partition
uuid_logger
### DEBOOTSTRAP
func_debootstrap
configure_system
generate_fstab
generate_crypttab
generate_sources
minimal_toolset
setup_skel
setup_timezone
setup_locales
# TODO: Implement Clang Build Chain and MOK Signing Workflow
installation_kernel
setup_network
setup_hostname
setup_machineid
# TODO: Implement Clang Build Chain and MOK Signing Workflow and integrate GRUB, if needed
setup_grub
setup_grub_password
setup_grub_bootparameter
setup_kernel_modules
setup_kernel_sysctl
installation_microcode
setup_ssh
build_dropbear
install_dropbear_initramfs
# TODO: Update preseed.yaml for pgp signing key AND / OR implementation of presigned unlock-wrapper.sh
setup_dropbear
# TODO: Implement Console Login Deactivation and 2fa as advertised in preseed.yaml
setup_accounts
# TODO: Check Packages for installation
setup_packages
# TODO: What do we need for CISS environment?
setup_sudo
# TODO: Any changes to the NTPSec Servers?
setup_chrony
exiting_chroot
# TODO: Hardening Scripts Integration
# TODO: SSH 2fa integration
# TODO: Recovery Partition Integration
# TODO: Grub Boot Menu Update for Recovery Integration
# TODO: update-grub Post Hook
# TODO: Copying Log Files to final System
# TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain?
# TODO: Reboot function for Autoinstall
### Dialog Output for Initialization END
if ! "${VAR_AUTO_INSTALL}"; then . ./lib/0200_dialog_helper.sh && dialog_box_cleaner; fi
declare -gx VAR_SCRIPT_SUCCESS="true"
set -o errtrace
run_analysis
copy_db
declare -g VAR_SCRIPT_SUCCESS=true
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
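Review bot: The guard `if [[ "${VAR_SETUP}" == "true" ]]; then` on the new side of the SOURCING hunk can never take its false branch in this file, because `declare -grx VAR_SETUP="true"` sets the variable read-only a few lines earlier in the same top-level sequence; either drop the conditional or add a comment stating that it exists for consumers that source this file with VAR_SETUP already set. The failure branches after `exec 127>/var/lock/ciss_debian_installer.lock` and `flock -x -n 127` still expand `${RED}`, `${RES}`, `${NL}`, `${ERR_FLOCK_PROTECTED}` and `${ERR_FLOCK_COLLISION}`, but the `. ./meta_loader_early.sh` lines appear to be gone from the new side, so those names now have to be guaranteed by ./var/early.var.sh or ./var/bash.var.sh — worth confirming, since an unset name there would turn a lock failure into an uncontrolled abort rather than the intended exit code. The script's top-level sequence begins before the first hunk shown.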


@@ -0,0 +1,30 @@
digraph boot_chain {
rankdir=LR;
node [shape=box style=filled fillcolor="#e3f2fd"];
UEFI [label="UEFI Firmware\n(SECURE BOOT)", fillcolor="#90caf9"];
GRUB [label="grubx64.efi\n(Secure Boot-signed)", fillcolor="#64b5f6"];
DecryptBoot [label="GRUB decrypts\n/boot (LUKS2)", fillcolor="#4fc3f7"];
GRUBCFG [label="Load grub.cfg\n(from decrypted /boot)"];
Kernel [label="Load Kernel:\n/boot/vmlinuz-<ver>"];
Initrd [label="Load Initrd:\n/boot/initrd.img-<ver>"];
Initramfs [label="initramfs:\nUnlock Root (/)", fillcolor="#81d4fa"];
PivotRoot [label="pivot_root/switch_root", fillcolor="#80cbc4"];
Systemd [label="systemd (PID 1)", fillcolor="#a5d6a7"];
MountRest [label="Decrypt + Mount:\n/home, /usr, /var, etc."];
Ephemeral [label="Create ephemeral\nswap & /tmp", fillcolor="#ffe082"];
Login [label="User login"];
UEFI -> GRUB [label="Launch EFI bootloader"];
GRUB -> DecryptBoot [label="Prompt for /boot passphrase"];
DecryptBoot -> GRUBCFG [label="Parse GRUB config"];
GRUBCFG -> Kernel;
GRUBCFG -> Initrd;
Kernel -> Initramfs [label="initrd is unpacked\nand executed"];
Initramfs -> PivotRoot [label="Root unlocked\n(mount /)"];
PivotRoot -> Systemd;
Systemd -> MountRest;
Systemd -> Ephemeral;
MountRest -> Login;
Ephemeral -> Login;
}


@@ -1,64 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.8.7. Functions - installation - updating files #
###########################################################################################
###########################################################################################
# Updating alias and banner files.
# Globals:
# MODULE_ERR
# MODULE_TXT
# PATH_ABS
# TARGET
# accounts_user_login
# accounts_user_name
# Arguments:
# None
###########################################################################################
3_8_7_functions_installation_setup_files() {
declare -g -x MODULE_ERR="3_8_7_functions_installation_setup_files"
declare -g -x MODULE_TXT="Updating banner files"
do_show_header "${MODULE_TXT}"
cp "${PATH_ABS}"/.assets/.alias "${TARGET}"/root/.alias
chown root:root "${TARGET}"/root/.alias
chmod 0600 "${TARGET}"/root/.alias
do_log "info" "false" "'${TARGET}/root/.alias' installed."
cp "${PATH_ABS}"/.assets/banner "${TARGET}"/etc/banner
chown root:root "${TARGET}"/etc/banner
chmod 0644 "${TARGET}"/etc/banner
do_log "info" "false" "'${TARGET}/etc/banner' installed."
cp "${PATH_ABS}"/.assets/.clean_logout "${TARGET}"/root/.clean_logout
chown root:root "${TARGET}"/root/.clean_logout
chmod 0600 "${TARGET}"/root/.clean_logout
do_log "info" "false" "'${TARGET}/root/.clean_logout' installed."
cp "${PATH_ABS}"/.assets/motd "${TARGET}"/etc/motd
chown root:root "${TARGET}"/etc/motd
chmod 0644 "${TARGET}"/etc/motd
do_log "info" "false" "'${TARGET}/etc/motd' installed."
cat "${PATH_ABS}"/.assets/.bashrc_cat >> "${TARGET}"/root/.bashrc
do_log "info" "false" "'${TARGET}/root/.bashrc' updated."
if [[ ${accounts_user_login,,} == "true" ]]; then
cat "${PATH_ABS}"/.assets/.bashrc_cat >> "${TARGET}"/home/"${accounts_user_name}"/.bashrc
do_log "info" "false" "'${TARGET}/home/${accounts_user_name}/.bashrc' updated."
fi
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:


@@ -1,42 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.8.8. Functions - installation - exiting chroot #
###########################################################################################
###########################################################################################
# Exiting chroot.
# Globals:
# MODULE_ERR
# MODULE_TXT
# TARGET
# Arguments:
# None
###########################################################################################
3_8_8_functions_installation_exiting_chroot() {
declare -g -x MODULE_ERR="3_8_8_functions_installation_exiting_chroot"
declare -g -x MODULE_TXT="exiting chroot"
do_show_header "${MODULE_TXT}"
umount -lf "${TARGET}/proc"
do_log "info" "true" "'umount -lf ${TARGET}/proc'."
umount -lf "${TARGET}/sys"
do_log "info" "true" "'umount -lf ${TARGET}/sys'."
umount -lf "${TARGET}/dev"
do_log "info" "true" "'umount -lf ${TARGET}/dev'."
umount -lf "${TARGET}/run"
do_log "info" "true" "'umount -lf ${TARGET}/run'."
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:


@@ -45,6 +45,8 @@ do_in_target() {
HOME=/root \ HOME=/root \
PATH=/usr/sbin:/usr/bin:/sbin:/bin \ PATH=/usr/sbin:/usr/bin:/sbin:/bin \
TERM="${TERM}" \ TERM="${TERM}" \
LANG=C.UTF-8 \
LC_ALL=C.UTF-8 \
"${ary_chroot_command[@]}" "${ary_chroot_command[@]}"
then then
do_log "info" "true" "Success: chroot '${var_chroot_target}': '${ary_chroot_command[*]}'." do_log "info" "true" "Success: chroot '${var_chroot_target}': '${ary_chroot_command[*]}'."
@@ -85,6 +87,8 @@ do_in_target_script() {
HOME=/root \ HOME=/root \
PATH=/usr/sbin:/usr/bin:/sbin:/bin \ PATH=/usr/sbin:/usr/bin:/sbin:/bin \
TERM="${TERM}" \ TERM="${TERM}" \
LANG=C.UTF-8 \
LC_ALL=C.UTF-8 \
/bin/bash -c "${var_chroot_script}" /bin/bash -c "${var_chroot_script}"
then then
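Review bot: `LC_ALL=C.UTF-8` overrides every locale category, so the `LANG=C.UTF-8` line added just above it in both `do_in_target` and `do_in_target_script` has no effect inside the chroot; keep the LC_ALL line (it is the one that actually pins behaviour) and explain why it is pinned with a comment above the env block, e.g. `### Pin the locale: C.UTF-8 gives deterministic tool output and sorting inside the chroot, independent of the host locale.` Pinning the locale next to HOME and PATH is the right direction for a reproducible chroot environment. Both functions start and end outside the hunks shown.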


@@ -15,6 +15,9 @@
guard_sourcing guard_sourcing
### Variable to finish GRUB CMDLINE strings.
declare -grx VAR_H='"'
####################################### #######################################
# Helper module to extract the current GRUB CMDLINE strings. # Helper module to extract the current GRUB CMDLINE strings.
# Globals: # Globals:
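Review bot: `declare -grx VAR_H='"'` needs its comment to say what it holds, since the name does not: a single literal double-quote used to finish the GRUB CMDLINE string being assembled, e.g. `### VAR_H holds a literal '"' used to finish GRUB CMDLINE strings; values spliced in before it must not themselves contain '"' or the resulting line is cut short.` Exporting it with `-x` is not needed for a constant only used by this shell; `declare -gr VAR_H='"'` is sufficient. The helper function that consumes it starts outside this hunk.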


@@ -33,7 +33,7 @@ log_level_value() {
####################################### #######################################
# Filter and compare log levels. # Filter and compare log levels.
# Globals: # Globals:
# DEFAULT_LOG_LEVEL # VAR_DEFAULT_LOG_LEVEL
# Arguments: # Arguments:
# 1: "${LOG_LEVEL}" one of: "debug" | "info" | "notice" | "warn" | "error" | "critical" | "fatal" | "emergency" # 1: "${LOG_LEVEL}" one of: "debug" | "info" | "notice" | "warn" | "error" | "critical" | "fatal" | "emergency"
####################################### #######################################
@@ -41,9 +41,9 @@ do_should_log() {
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -i var_desired_log_value=$(log_level_value "$1") # Desired log level declare -i var_desired_log_value=$(log_level_value "$1") # Desired log level
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -i var_default_log_value=$(log_level_value "${DEFAULT_LOG_LEVEL}") # Current threshold declare -i var_default_log_value=$(log_level_value "${VAR_DEFAULT_LOG_LEVEL}") # Current threshold
### Return true if a message should be logged. ### Return true if a message should be logged.
[[ $var_desired_log_value -le $var_default_log_value ]] [[ ${var_desired_log_value} -le ${var_default_log_value} ]]
} }
####################################### #######################################


@@ -58,6 +58,7 @@ yaml_reader() {
declare var_highest_dev declare var_highest_dev
### Search "${var_if}" for matching recipe_${VAR_RECIPE_STRING}_dev_* entries and find the highest dev letter ### Search "${var_if}" for matching recipe_${VAR_RECIPE_STRING}_dev_* entries and find the highest dev letter
# shellcheck disable=SC2312
var_highest_dev=$(grep -E "^recipe_${VAR_RECIPE_STRING}_dev_" "${var_if}" | awk -F'_' ' var_highest_dev=$(grep -E "^recipe_${VAR_RECIPE_STRING}_dev_" "${var_if}" | awk -F'_' '
{ {
if (NF >= 4) { if (NF >= 4) {
@@ -78,7 +79,7 @@ END { print max }
### Save the result in VAR_RECIPE_DEV_COUNTER ### Save the result in VAR_RECIPE_DEV_COUNTER
declare -gx VAR_RECIPE_DEV_COUNTER="${var_highest_dev}" declare -gx VAR_RECIPE_DEV_COUNTER="${var_highest_dev}"
if [[ -n ${VAR_RECIPE_DEV_COUNTER} ]]; then if [[ -n "${VAR_RECIPE_DEV_COUNTER}" ]]; then
do_log "info" "true" "Found highest recipe device: '${VAR_RECIPE_DEV_COUNTER}'." do_log "info" "true" "Found highest recipe device: '${VAR_RECIPE_DEV_COUNTER}'."
else else
do_log "fatal" "true" "Found NO highest recipe device: '${VAR_RECIPE_DEV_COUNTER}'." >&2 do_log "fatal" "true" "Found NO highest recipe device: '${VAR_RECIPE_DEV_COUNTER}'." >&2
@@ -86,9 +87,10 @@ END { print max }
fi fi
declare var_device="" var_fields="" var_line="" var_partition="" declare var_device="" var_fields="" var_line="" var_partition=""
declare -Agx HMP_RECIPE_DEV_PARTITIONS=() declare -Ag HMP_RECIPE_DEV_PARTITIONS=()
### Read var_if and iterate through all matching entries without executing in a subshell ### Read var_if and iterate through all matching entries without executing in a subshell
# shellcheck disable=SC2312
while read -r var_line; do while read -r var_line; do
### Extract fields of line ### Extract fields of line
IFS='_' read -ra var_fields <<< "${var_line}" IFS='_' read -ra var_fields <<< "${var_line}"
@@ -115,6 +117,13 @@ END { print max }
do_log "info" "false" "Highest number of partitions for ${var_device}: ${HMP_RECIPE_DEV_PARTITIONS[${var_device}]}" do_log "info" "false" "Highest number of partitions for ${var_device}: ${HMP_RECIPE_DEV_PARTITIONS[${var_device}]}"
done done
### Extract architecture
declare -gx VAR_ARCHITECTURE="${architecture}"
### Extract chosen firmware
declare recipe_firmware_var="recipe_${VAR_RECIPE_STRING}_control_firmware"
declare -gx VAR_RECIPE_FIRMWARE="${!recipe_firmware_var}"
### Extract the chosen Nuke mechanism ### Extract the chosen Nuke mechanism
declare recipe_nuke_var="recipe_${VAR_RECIPE_STRING}_control_nuke" declare recipe_nuke_var="recipe_${VAR_RECIPE_STRING}_control_nuke"
declare -gx VAR_NUKE="${!recipe_nuke_var}" declare -gx VAR_NUKE="${!recipe_nuke_var}"
@@ -123,25 +132,21 @@ END { print max }
declare recipe_table_var="recipe_${VAR_RECIPE_STRING}_control_table" declare recipe_table_var="recipe_${VAR_RECIPE_STRING}_control_table"
declare -gx VAR_RECIPE_TABLE="${!recipe_table_var}" declare -gx VAR_RECIPE_TABLE="${!recipe_table_var}"
### Extract chosen firmware
declare recipe_firmware_var="recipe_${VAR_RECIPE_STRING}_control_firmware"
declare -gx VAR_RECIPE_FIRMWARE="${!recipe_firmware_var}"
if [[ "${VAR_RECIPE_TABLE,,}" == "gpt" && "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then if [[ "${VAR_RECIPE_TABLE,,}" == "gpt" && "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
do_log "info" "false" "Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > ESP 'EF00' necessary." do_log "info" "true" "Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > ESP 'EF00' necessary."
elif [[ "${VAR_RECIPE_TABLE,,}" == "gpt" && "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then elif [[ "${VAR_RECIPE_TABLE,,}" == "gpt" && "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then
do_log "info" "false" "Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > BIOS Boot Partition 'EF02' necessary." do_log "info" "true" "Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > BIOS Boot Partition 'EF02' necessary."
elif [[ "${VAR_RECIPE_TABLE,,}" == "msdos" && "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then elif [[ "${VAR_RECIPE_TABLE,,}" == "msdos" && "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
do_log "info" "false" "Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > ESP on MBR needs partition type '0xEF'." do_log "info" "true" "Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > ESP on MBR needs partition type '0xEF'."
elif [[ "${VAR_RECIPE_TABLE,,}" == "msdos" && "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then elif [[ "${VAR_RECIPE_TABLE,,}" == "msdos" && "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then
do_log "info" "false" "Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > No special firmware partition necessary." do_log "info" "true" "Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > No special firmware partition necessary."
fi fi
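Review bot: The `if`/`elif` chain over `VAR_RECIPE_TABLE` and `VAR_RECIPE_FIRMWARE` only logs the four known gpt/msdos × uefi/bios combinations and has no `else`, so a typo or unsupported value in the recipe falls through silently and the partitioning stages later run with an unchecked table/firmware pair; the newly added `declare -gx VAR_ARCHITECTURE="${architecture}"` is likewise exported without a non-empty check. Add a terminal branch mirroring the fatal handling used for `VAR_RECIPE_DEV_COUNTER` above, e.g. `else do_log "fatal" "true" "Unsupported table/firmware: '${VAR_RECIPE_TABLE}'/'${VAR_RECIPE_FIRMWARE}'." >&2; exit "${ERR_PLACEHOLDER}"; fi` (placeholder for the project's error code), and guard the architecture with `[[ -n "${VAR_ARCHITECTURE}" ]] || ...` in the same way. yaml_reader starts before the first hunk of this section and its body continues after this one.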


@@ -36,6 +36,7 @@ partitioning() {
declare -a ary_devs ary_parts declare -a ary_devs ary_parts
### Iterate over all devices in the recipe. ### Iterate over all devices in the recipe.
# shellcheck disable=SC2312
readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}") readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}")
for var_dev in "${ary_devs[@]}"; do for var_dev in "${ary_devs[@]}"; do
@@ -64,6 +65,7 @@ partitioning() {
esac esac
### Iterate over all partitions for this device. ### Iterate over all partitions for this device.
# shellcheck disable=SC2312
readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}") readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}")
for var_part in "${ary_parts[@]}"; do for var_part in "${ary_parts[@]}"; do
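Review bot: The added `# shellcheck disable=SC2312` above each `readarray -t ... < <(yq e -r ...)` silences the warning that yq's exit status is lost in the process substitution, but the underlying problem remains: if yq fails or the recipe key is missing, `ary_devs`/`ary_parts` are simply empty and the loops do nothing, so partitioning is skipped without any error. Rather than suppress it, check the result, e.g. `(( ${#ary_devs[@]} > 0 )) || { do_log "fatal" "true" "No devices found in recipe '${VAR_RECIPE_STRING}'." >&2; return 1; }` after the device readarray, and the same for `ary_parts`. The same suppressions are added in partition_encryption, partition_formatting, setup_filesystem and mount_partition, and on yaml_reader's `grep | awk` pipeline, where the same check applies. partitioning starts before the first hunk and continues after this one.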


@@ -32,7 +32,7 @@ guard_sourcing
####################################### #######################################
partition_encryption() { partition_encryption() {
### Declare Arrays and Variables. ### Declare Arrays and Variables.
declare -Agx HMP_EPHEMERAL_DEV HMP_EPHEMERAL_ENCLABEL HMP_EPHEMERAL_FS_LABEL HMP_PATH_LUKSUUID HMP_PATH_ENCLABEL declare -Ag HMP_EPHEMERAL_DEV HMP_EPHEMERAL_ENCLABEL HMP_EPHEMERAL_FS_LABEL HMP_PATH_LUKSUUID HMP_PATH_ENCLABEL
declare var_dev var_part \ declare var_dev var_part \
var_encryption_enable var_encryption_ephemeral var_encryption_integrity var_encryption_cipher \ var_encryption_enable var_encryption_ephemeral var_encryption_integrity var_encryption_cipher \
var_encryption_hash var_encryption_iter var_encryption_key var_encryption_label var_encryption_meta \ var_encryption_hash var_encryption_iter var_encryption_key var_encryption_label var_encryption_meta \
@@ -40,10 +40,12 @@ partition_encryption() {
declare -a ary_devs=() ary_parts=() ary_luks_opts=() declare -a ary_devs=() ary_parts=() ary_luks_opts=()
### Iterate over all devices in the recipe. ### Iterate over all devices in the recipe.
# shellcheck disable=SC2312
readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}") readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}")
for var_dev in "${ary_devs[@]}"; do for var_dev in "${ary_devs[@]}"; do
### Iterate over all partitions for this device. ### Iterate over all partitions for this device.
# shellcheck disable=SC2312
readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}") readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}")
for var_part in "${ary_parts[@]}"; do for var_part in "${ary_parts[@]}"; do


@@ -33,10 +33,12 @@ partition_formatting() {
declare -a ary_devs ary_parts ary_opts ary_fmt_opts declare -a ary_devs ary_parts ary_opts ary_fmt_opts
### Iterate over all devices in the recipe. ### Iterate over all devices in the recipe.
# shellcheck disable=SC2312
readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}") readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}")
for var_dev in "${ary_devs[@]}"; do for var_dev in "${ary_devs[@]}"; do
### Iterate over all partitions for this device. ### Iterate over all partitions for this device.
# shellcheck disable=SC2312
readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}") readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}")
for var_part in "${ary_parts[@]}"; do for var_part in "${ary_parts[@]}"; do


@@ -30,10 +30,12 @@ setup_filesystem() {
declare -a ary_devs ary_parts declare -a ary_devs ary_parts
### Iterate over all devices in the recipe. ### Iterate over all devices in the recipe.
# shellcheck disable=SC2312
readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}") readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}")
for var_dev in "${ary_devs[@]}"; do for var_dev in "${ary_devs[@]}"; do
### Iterate over all partitions for this device. ### Iterate over all partitions for this device.
# shellcheck disable=SC2312
readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}") readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}")
for var_part in "${ary_parts[@]}"; do for var_part in "${ary_parts[@]}"; do


@@ -23,7 +23,7 @@ guard_sourcing
skip_path() { skip_path() {
declare -a ary_skip=( "/" "/boot" "/boot/efi" "/recovery" ) declare -a ary_skip=( "/" "/boot" "/boot/efi" "/recovery" )
declare p declare p
for p in "${ary_skip[@]}"; do [[ "$1" == "$p" ]] && return 0; done for p in "${ary_skip[@]}"; do [[ "$1" == "${p}" ]] && return 0; done
return 1 return 1
} }
@@ -107,9 +107,9 @@ mount_partition() {
### Mount "/"-filesystem ### Mount "/"-filesystem
declare -r var_mount_path_root="/" declare -r var_mount_path_root="/"
if [[ -n ${HMP_MOUNTPATH_DEV[$var_mount_path_root]} ]]; then if [[ -n ${HMP_MOUNTPATH_DEV[${var_mount_path_root}]} ]]; then
mount_with_dir "${var_mount_path_root}" "${HMP_MOUNTPATH_DEV[$var_mount_path_root]}" || return "${ERR_MOUNTING_DEV}" mount_with_dir "${var_mount_path_root}" "${HMP_MOUNTPATH_DEV[${var_mount_path_root}]}" || return "${ERR_MOUNTING_DEV}"
else else
@@ -142,10 +142,12 @@ mount_partition() {
declare -a ary_devs ary_parts declare -a ary_devs ary_parts
### Iterate over all devices in the recipe. ### Iterate over all devices in the recipe.
# shellcheck disable=SC2312
readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}") readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}")
for var_dev in "${ary_devs[@]}"; do for var_dev in "${ary_devs[@]}"; do
### Iterate over all partitions for this device. ### Iterate over all partitions for this device.
# shellcheck disable=SC2312
readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}") readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}")
for var_part in "${ary_parts[@]}"; do for var_part in "${ary_parts[@]}"; do


@@ -28,10 +28,10 @@ uuid_logger() {
declare var_key var_mountpoint var_uuid declare var_key var_mountpoint var_uuid
printf 'UUID Partition:\n' >> "${LOG_UID}" printf 'UUID Partition:\n' >> "${LOG_UID}"
for var_key in "${!HMP_PATH_PARTUUID[@]}"; do for var_key in "${!HMP_PATH_PARTUUID[@]}"; do
# Remove Prefix "UUID_" ### Remove Prefix "UUID_"
var_mountpoint="${var_key#UUID_}" var_mountpoint="${var_key#UUID_}"
var_uuid="${HMP_PATH_PARTUUID[${var_key}]}" var_uuid="${HMP_PATH_PARTUUID[${var_key}]}"
# Left-aligned field width 63; "UUID=" starts directly after column 64. ### Left-aligned field width 63; "UUID=" starts directly after column 64.
printf '%-63sUUID=%s\n' "${var_mountpoint}:" "${var_uuid}" >> "${LOG_UID}" printf '%-63sUUID=%s\n' "${var_mountpoint}:" "${var_uuid}" >> "${LOG_UID}"
done done
@@ -40,17 +40,17 @@ uuid_logger() {
for var_key in "${!HMP_PATH_ENCLABEL[@]}"; do for var_key in "${!HMP_PATH_ENCLABEL[@]}"; do
var_mountpoint="${HMP_PATH_ENCLABEL[${var_key}]}" var_mountpoint="${HMP_PATH_ENCLABEL[${var_key}]}"
var_uuid="${HMP_PATH_PARTUUID[${var_key}]}" var_uuid="${HMP_PATH_PARTUUID[${var_key}]}"
# Left-aligned field width 63; "UUID=" starts directly after column 64. ### Left-aligned field width 63; "UUID=" starts directly after column 64.
printf '%-63sUUID=%s\n' "${var_mountpoint}:" "${var_uuid}" >> "${LOG_UID}" printf '%-63sUUID=%s\n' "${var_mountpoint}:" "${var_uuid}" >> "${LOG_UID}"
done done
printf '\n' >> "${LOG_UID}" printf '\n' >> "${LOG_UID}"
printf 'UUID Filesystem:\n' >> "${LOG_UID}" printf 'UUID Filesystem:\n' >> "${LOG_UID}"
for var_key in "${!HMP_PATH_FSUUID[@]}"; do for var_key in "${!HMP_PATH_FSUUID[@]}"; do
# Remove Prefix "UUID_" ### Remove Prefix "UUID_"
var_mountpoint="${var_key#UUID_}" var_mountpoint="${var_key#UUID_}"
var_uuid="${HMP_PATH_FSUUID[${var_key}]}" var_uuid="${HMP_PATH_FSUUID[${var_key}]}"
# Left-aligned field width 63; "UUID=" starts directly after column 64. ### Left-aligned field width 63; "UUID=" starts directly after column 64.
printf '%-63sUUID=%s\n' "${var_mountpoint}:" "${var_uuid}" >> "${LOG_UID}" printf '%-63sUUID=%s\n' "${var_mountpoint}:" "${var_uuid}" >> "${LOG_UID}"
done done


@@ -25,7 +25,7 @@ guard_sourcing
# 0: on success # 0: on success
####################################### #######################################
func_debootstrap() { func_debootstrap() {
# shellcheck disable=SC2154 # "${architecture}" "${distribution}" # shellcheck disable=SC2312
if debootstrap --arch="${architecture}" "${distribution}" "${TARGET}" https://deb.debian.org/debian | tee "${LOG_DBS}"; then if debootstrap --arch="${architecture}" "${distribution}" "${TARGET}" https://deb.debian.org/debian | tee "${LOG_DBS}"; then
do_log "info" "false" "Executing 'debootstrap --arch=${architecture} ${distribution} '${TARGET}' https://deb.debian.org/debian' successful." do_log "info" "false" "Executing 'debootstrap --arch=${architecture} ${distribution} '${TARGET}' https://deb.debian.org/debian' successful."
return 0 return 0
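Review bot: The `if debootstrap … | tee "${LOG_DBS}"` line tests tee's exit status, not debootstrap's, so unless `set -o pipefail` is in effect somewhere outside this hunk a failed bootstrap is logged as "successful" on the next line; the directive swapped in on L576 (`SC2312`) suppresses exactly the warning that points this out rather than addressing it. Keeping the status visible is a two-line change: run the pipeline as a statement and test `PIPESTATUS`, e.g. `debootstrap --arch="${architecture}" "${distribution}" "${TARGET}" https://deb.debian.org/debian | tee "${LOG_DBS}"` followed by `if (( PIPESTATUS[0] == 0 )); then`. func_debootstrap continues past the end of the hunk.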


@@ -70,19 +70,30 @@ setup_network() {
[[ -v network_static_ipv6nameserver_fallback_1 ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_fallback_1}") [[ -v network_static_ipv6nameserver_fallback_1 ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_fallback_1}")
### Check current network connection and configure variables ### Check current network connection and configure variables
# shellcheck disable=SC2312
var_auto_nic=$(ip -o link show | awk -F': ' '/state UP/ && $2!="lo" {print $2; exit}') var_auto_nic=$(ip -o link show | awk -F': ' '/state UP/ && $2!="lo" {print $2; exit}')
# shellcheck disable=SC2312
var_auto_ipv4_ccidr=$(ip -4 -o addr show "${var_auto_nic}" | awk '{print $4; exit}') var_auto_ipv4_ccidr=$(ip -4 -o addr show "${var_auto_nic}" | awk '{print $4; exit}')
# shellcheck disable=SC2312
var_auto_ipv4_subnet=$(generate_subnetmask "${var_auto_ipv4_ccidr}") var_auto_ipv4_subnet=$(generate_subnetmask "${var_auto_ipv4_ccidr}")
# shellcheck disable=SC2312
var_auto_ipv4=$(echo "${var_auto_ipv4_ccidr}" | awk -F'/' '{print $1}') var_auto_ipv4=$(echo "${var_auto_ipv4_ccidr}" | awk -F'/' '{print $1}')
# shellcheck disable=SC2312
var_auto_ipv4_gw=$(ip route show default dev "${var_auto_nic}" | awk '/^default/ {print $3; exit}') var_auto_ipv4_gw=$(ip route show default dev "${var_auto_nic}" | awk '/^default/ {print $3; exit}')
# shellcheck disable=SC2312
var_auto_ipv6_ccidr=$(ip -6 -o addr show "${var_auto_nic}" | awk '/scope global/ {print $4; exit}') var_auto_ipv6_ccidr=$(ip -6 -o addr show "${var_auto_nic}" | awk '/scope global/ {print $4; exit}')
if [[ -n "${var_auto_ipv6_ccidr}" ]]; then if [[ -n "${var_auto_ipv6_ccidr}" ]]; then
# shellcheck disable=SC2312
var_auto_ipv6=$(echo "${var_auto_ipv6_ccidr}" | awk -F'/' '{print $1}') var_auto_ipv6=$(echo "${var_auto_ipv6_ccidr}" | awk -F'/' '{print $1}')
# shellcheck disable=SC2312
var_auto_ipv6_gw=$(ip -6 route show default dev "${var_auto_nic}" | awk '/^default/ {print $3; exit}') var_auto_ipv6_gw=$(ip -6 route show default dev "${var_auto_nic}" | awk '/^default/ {print $3; exit}')
fi fi
# shellcheck disable=SC2312
var_link_ipv4=$(ping -q -c 1 -W 1 -4 debian.org > /dev/null 2>&1 && echo "true" || echo "false") var_link_ipv4=$(ping -q -c 1 -W 1 -4 debian.org > /dev/null 2>&1 && echo "true" || echo "false")
# shellcheck disable=SC2312
var_link_ipv6=$(ping -q -c 1 -W 1 -6 debian.org > /dev/null 2>&1 && echo "true" || echo "false") var_link_ipv6=$(ping -q -c 1 -W 1 -6 debian.org > /dev/null 2>&1 && echo "true" || echo "false")
if [[ -f "/var/lib/dhcp/dhclient.${var_auto_nic}.leases" ]]; then if [[ -f "/var/lib/dhcp/dhclient.${var_auto_nic}.leases" ]]; then
# shellcheck disable=SC2312
var_auto_fqdn=$(grep -m1 'option host-name' "/var/lib/dhcp/dhclient.${var_auto_nic}.leases" | sed -E 's/.*"([^"]+)".*/\1/') var_auto_fqdn=$(grep -m1 'option host-name' "/var/lib/dhcp/dhclient.${var_auto_nic}.leases" | sed -E 's/.*"([^"]+)".*/\1/')
else else
var_auto_fqdn="" var_auto_fqdn=""
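Review bot: `var_auto_nic` on L587 is empty whenever no interface is in state UP, and every following `ip … show "${var_auto_nic}"` (L589, L595, L597, L602) and the lease-file path on L608 are then evaluated with an empty device name; the `SC2312` suppressions added throughout this hunk silence the masked-return warnings instead of guarding that case, so the auto-detected values presumably end up empty without any diagnostic. Wrapping L589–L610 in `if [[ -n "${var_auto_nic}" ]]; then … fi`, with the `var_auto_*` variables set to empty strings in an `else` branch and a warning logged, makes the "no active link" case explicit for whoever reads the log. setup_network begins and ends outside the hunk.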


@@ -36,7 +36,9 @@ guard_sourcing
# 0: on success # 0: on success
####################################### #######################################
setup_grub() { setup_grub() {
declare var_update_grub_required="false" declare -gx var_update_grub_required="false"
get_all_boot_devs
if [[ "${grub_skip,,}" != "true" ]]; then if [[ "${grub_skip,,}" != "true" ]]; then
@@ -44,37 +46,51 @@ setup_grub() {
if [[ "${grub_latest,,}" == "true" ]]; then if [[ "${grub_latest,,}" == "true" ]]; then
### Install the GRUB2 backported version from the Bookworm backports repository. ### Install the GRUB2 backported version from the Bookworm backports repository.
do_in_target "${TARGET}" apt-get install -y -t bookworm-backports grub2 grub2-common if [[ "${VAR_RECIPE_FIRMWARE}" == "uefi" ]]; then
case "${VAR_ARCHITECTURE,,}" in
amd64) do_in_target "${TARGET}" apt-get install -y -t bookworm-backports grub2 grub2-common grub-efi-amd64 ;;
arm64) do_in_target "${TARGET}" apt-get install -y -t bookworm-backports grub2 grub2-common grub-efi-arm64 ;;
i386) do_in_target "${TARGET}" apt-get install -y -t bookworm-backports grub2 grub2-common grub-efi-ia32 ;;
*) do_log "emergency" "true" "Unsupported UEFI architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}" ;;
esac
else
do_in_target "${TARGET}" apt-get install -y -t bookworm-backports grub2 grub2-common grub-pc
fi
else else
### Install the GRUB2 stable version. ### Install the GRUB2 stable version.
do_in_target "${TARGET}" apt-get install -y grub2 grub2-common if [[ "${VAR_RECIPE_FIRMWARE}" == "uefi" ]]; then
case "${VAR_ARCHITECTURE,,}" in
amd64) do_in_target "${TARGET}" apt-get install -y grub2 grub2-common grub-efi-amd64 ;;
arm64) do_in_target "${TARGET}" apt-get install -y grub2 grub2-common grub-efi-arm64 ;;
i386) do_in_target "${TARGET}" apt-get install -y grub2 grub2-common grub-efi-ia32 ;;
*) do_log "emergency" "true" "Unsupported UEFI architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}" ;;
esac
else
do_in_target "${TARGET}" apt-get install -y grub2 grub2-common grub-pc
fi
fi fi
### Install grub on the specific device. ### Install grub on the specific device.
if [[ "${grub_force_efi,,}" == "false" ]]; then if [[ "${grub_force_efi,,}" == "false" ]]; then
if [[ "${VAR_RECIPE_TABLE,,}" == "gpt" && "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then if [[ "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
do_in_target "${TARGET}" grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Debian --modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 part_gpt" install_grub_uefi_all
var_update_grub_required="true"
elif [[ "${VAR_RECIPE_TABLE,,}" == "gpt" && "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then elif [[ "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then
do_in_target "${TARGET}" grub-install --target=i386-pc --boot-directory=/boot --modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 part_gpt" --recheck "${grub_bootdev}" install_grub_bios_all
var_update_grub_required="true"
elif [[ "${VAR_RECIPE_TABLE,,}" == "msdos" && "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
do_in_target "${TARGET}" grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Debian --modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 part_msdos"
var_update_grub_required="true"
elif [[ "${VAR_RECIPE_TABLE,,}" == "msdos" && "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then
do_in_target "${TARGET}" grub-install --target=i386-pc --boot-directory=/boot --modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 part_msdos" --recheck "${grub_bootdev}"
var_update_grub_required="true"
fi fi
@@ -173,4 +189,123 @@ EOF
return 0 return 0
} }
#######################################
# Detects and collects all boot devices for GRUB installation.
# Supports /dev/sdX, /dev/vdX, /dev/hdX, /dev/nvmeXn1, /dev/mmcblkX.
# Globals:
# VAR_RECIPE_DEV_COUNTER
# ary_bootdev_all
# grub_bootdev
# Arguments:
# None
# Returns:
# 0: on success
#######################################
get_all_boot_devs() {
declare -ag ary_bootdev_all=()
declare dev="" dev_prefix="" dev_path="" letter=""
declare -i ascii ascii_end ascii_start
### Determine prefix from grub_bootdev (e.g., "sd", "vd", "nvme", "mmcblk")
dev_prefix=$(basename "${grub_bootdev}" | sed -E 's/^([a-z]+)[a-z0-9]*$/\1/')
case "${dev_prefix}" in
sd|vd|hd)
ascii_start=$(printf '%d' "'a")
ascii_end=$(printf '%d' "'${VAR_RECIPE_DEV_COUNTER}")
for ((ascii = ascii_start; ascii <= ascii_end; ascii++)); do
letter=$(printf "%b" "\\$(printf '%03o' "${ascii}")")
dev_path="/dev/${dev_prefix}${letter}"
[[ -b "${dev_path}" ]] && ary_bootdev_all+=("${dev_path}")
done
;;
nvme)
# shellcheck disable=SC2312
while read -r dev; do
ary_bootdev_all+=("/dev/${dev}")
done < <(lsblk -dn -o NAME | grep -E '^nvme[0-9]+n1$')
;;
mmcblk)
# shellcheck disable=SC2312
while read -r dev; do
ary_bootdev_all+=("/dev/${dev}")
done < <(lsblk -dn -o NAME | grep -E '^mmcblk[0-9]+$')
;;
*)
do_log "warning" "true" "Unrecognized boot device prefix: ${dev_prefix}"
;;
esac
return 0
}
#######################################
# Installs GRUB in BIOS mode on all block devices.
# Globals:
# TARGET
# VAR_RECIPE_TABLE
# ary_bootdev_all
# var_update_grub_required
# Arguments:
# None
# Returns:
# 0: on success
# ERR_PARTITIONTBL on failure
#######################################
install_grub_bios_all() {
declare dev="" partmod=""
case "${VAR_RECIPE_TABLE,,}" in
gpt) partmod="part_gpt" ;;
msdos|mbr) partmod="part_msdos" ;;
*) do_log "emergency" "true" "Unknown partition table type: '${VAR_RECIPE_TABLE}'."; return "${ERR_PARTITIONTBL}" ;;
esac
declare var_modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 ${partmod}"
declare -a args=(--target=i386-pc --boot-directory=/boot "--modules=${var_modules}")
args+=(--recheck)
for dev in "${ary_bootdev_all[@]}"; do
do_in_target "${TARGET}" grub-install "${args[@]}" "${dev}"
do_log "info" "true" "Installed: GRUB on Device: '${dev}' (BIOS)."
var_update_grub_required="true"
done
return 0
}
#######################################
# Installs GRUB to all ESPs in UEFI mode.
# Globals:
# TARGET
# VAR_RECIPE_TABLE
# ary_bootdev_all
# var_update_grub_required
# Arguments:
# None
# Returns:
# 0: on success
# ERR_PARTITIONTBL on failure
#######################################
install_grub_uefi_all() {
declare dev="" partmod=""
case "${VAR_RECIPE_TABLE,,}" in
gpt) partmod="part_gpt" ;;
msdos|mbr) partmod="part_msdos" ;;
*) do_log "emergency" "true" "Unknown partition table type: '${VAR_RECIPE_TABLE}'."; return "${ERR_PARTITIONTBL}" ;;
esac
declare var_modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 ${partmod}"
declare -a args=(--target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Debian "--modules=${var_modules}")
for dev in "${ary_bootdev_all[@]}"; do
do_in_target "${TARGET}" grub-install "${args[@]}"
do_log "info" "true" "Installed: GRUB on Device: '${dev}' (UEFI)."
var_update_grub_required="true"
done
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
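Review bot: `install_grub_uefi_all` (L764) hard-codes `--target=x86_64-efi`, while the package selection added above (L628–L630, L640–L642) installs `grub-efi-arm64` or `grub-efi-ia32` for arm64 and i386, so on those architectures grub-install is asked for a platform whose files were never installed. The loop in the same function never uses `${dev}`: it repeats the identical grub-install against `/boot/efi` once per entry of `ary_bootdev_all` and logs "Installed … on Device '${dev}'" each time, which is misleading — a single call is what the arguments actually do, and per-device ESPs would need a per-device `--efi-directory`. In both helpers the exit status of `do_in_target … grub-install` is discarded and the "Installed" log plus `var_update_grub_required="true"` follow regardless, so a failed install is reported as success; for the BIOS loop `do_in_target "${TARGET}" grub-install "${args[@]}" "${dev}" || return $?` fixes that. `get_all_boot_devs` (L679) collects every `/dev/sd*`/`/dev/vd*`/`/dev/hd*` letter up to the first character of `VAR_RECIPE_DEV_COUNTER` and every `nvme*n1`/`mmcblk*` device present on the host without cross-checking them against the recipe's own device list (the `.recipe.….dev` keys read in L534), so in BIOS mode the MBR of block devices that are not installation targets — including, presumably, the medium the installer booted from — would be overwritten; and if `VAR_RECIPE_DEV_COUNTER` is a numeric count rather than the last device letter, the `"'…"` conversion on L688 yields a code below `'a'` and the loop collects nothing, so please confirm its semantics. The rewritten UEFI helper below selects the platform by architecture, installs once and propagates grub-install's status.
```shell
install_grub_uefi_all() {
  declare partmod="" efi_target=""
  # … unchanged: VAR_RECIPE_TABLE -> partmod case …
  ### Pick the GRUB platform matching the grub-efi-* package installed in setup_grub().
  case "${VAR_ARCHITECTURE,,}" in
    amd64) efi_target="x86_64-efi" ;;
    arm64) efi_target="arm64-efi" ;;
    i386) efi_target="i386-efi" ;;
    *) do_log "emergency" "true" "Unsupported UEFI architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}" ;;
  esac
  declare var_modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 ${partmod}"
  declare -a args=("--target=${efi_target}" --efi-directory=/boot/efi --bootloader-id=Debian "--modules=${var_modules}")
  ### One ESP is mounted at /boot/efi, so a single grub-install covers it; surface its failure instead of logging success.
  do_in_target "${TARGET}" grub-install "${args[@]}" || return $?
  do_log "info" "true" "Installed: GRUB to ESP '/boot/efi' (UEFI, ${efi_target})."
  var_update_grub_required="true"
  return 0
}
```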


@@ -54,9 +54,9 @@ setup_grub_password() {
{ {
echo "" echo ""
echo "### Added by CISS.debian.installer ###" echo "### Added by CISS.debian.installer ###"
echo "$var_grub_entry" echo "${var_grub_entry}"
echo "### End by CISS.debian.installer ###" echo "### End by CISS.debian.installer ###"
} >> "$var_of" } >> "${var_of}"
fi fi
do_in_target "${TARGET}" update-grub do_in_target "${TARGET}" update-grub
@@ -80,12 +80,12 @@ generate_grub_password_pbkdf2() {
log_user 0 log_user 0
spawn grub-mkpasswd-pbkdf2 --iteration-count=131072 --salt=64 --buflen=64 spawn grub-mkpasswd-pbkdf2 --iteration-count=131072 --salt=64 --buflen=64
expect "Enter password:" expect "Enter password:"
send "$var_pass\r" send "${var_pass}\r"
expect "Reenter password:" expect "Reenter password:"
send "$var_pass\r" send "${var_pass}\r"
expect { expect {
-re {PBKDF2 hash of your password is (\S+)} { -re {PBKDF2 hash of your password is (\S+)} {
puts "set superusers=\"$var_user\"\npassword_pbkdf2 $var_user \$expect_out(1,string)" puts "set superusers=\"${var_user}\"\npassword_pbkdf2 ${var_user} \$expect_out(1,string)"
} }
} }
EOF EOF
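Review bot: `send "${var_pass}\r"` on L789/L791 and the `puts` on L794 splice the password and user name into Tcl source through the unquoted here-document, so a password containing `"`, `\`, `[` or `$` either breaks the expect script or is evaluated by Tcl, and one starting with `-` is parsed by `send` as an option; the commit only changes the brace style of these lines. Handing the secret over through the environment and reading it in Tcl — `send -- "\$env(NAME)\r"` with the same backslash escaping already used for `\$expect_out` on L794, and NAME being an exported variable of your choosing — keeps it out of the script text and out of any command trace that logs the here-document. generate_grub_password_pbkdf2 begins outside the hunk.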


@@ -24,10 +24,14 @@ guard_sourcing
installation_microcode() { installation_microcode() {
declare var_microcode_pkgs="" declare var_microcode_pkgs=""
declare var_whereiam; var_whereiam=$(virt-what | head -n1) declare var_whereiam
# shellcheck disable=SC2312
var_whereiam=$(virt-what | head -n1)
[[ -z "${var_whereiam}" ]] && var_whereiam="baremetal" [[ -z "${var_whereiam}" ]] && var_whereiam="baremetal"
declare var_cpu_vendor; var_cpu_vendor=$(lscpu | awk -F: '/Vendor ID/ {print $2}' | xargs) declare var_cpu_vendor
# shellcheck disable=SC2312
var_cpu_vendor=$(lscpu | awk -F: '/Vendor ID/ {print $2}' | xargs)
case "${var_cpu_vendor}" in case "${var_cpu_vendor}" in
*AuthenticAMD*) var_microcode_pkgs="amd64-microcode" ;; *AuthenticAMD*) var_microcode_pkgs="amd64-microcode" ;;


@@ -51,6 +51,7 @@ build_dropbear() {
--disable-pam \ --disable-pam \
--disable-zlib --disable-zlib
# shellcheck disable=2312
make -j"$(nproc)" make -j"$(nproc)"
do_log "info" "true" "Ultra Hardened dropbear-2025.88 build successfully from sources." do_log "info" "true" "Ultra Hardened dropbear-2025.88 build successfully from sources."
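Review bot: The exit status of `make -j"$(nproc)"` on L820 is not checked and the "build successfully" log on L821 prints regardless, so unless `set -e` aborts first a failed build is reported as a success; `make -j"$(nproc)" || return $?` keeps the failure visible to the caller. As a point of style, the new directive `# shellcheck disable=2312` (L819) omits the `SC` prefix and `#shellcheck disable=SC2312` on L1087 omits the space after `#`, whereas every other directive in this commit is written `# shellcheck disable=SC2312`; both should be normalised to that spelling. build_dropbear begins outside the hunk and its end is not in view.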


@@ -103,6 +103,7 @@ setup_dropbear() {
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper.sh" \ install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper.sh" \
"${TARGET}/usr/lib/cryptsetup/scripts/" "${TARGET}/usr/lib/cryptsetup/scripts/"
# TODO: Update preseed.yaml for pgp signing key AND / OR implementation of presigned unlock-wrapper.sh
### Install the script to be called inside Host environment for signing 'unlock_wrapper.sh'-script. ### Install the script to be called inside Host environment for signing 'unlock_wrapper.sh'-script.
install -D -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper_signer.sh" \ install -D -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper_signer.sh" \
"${TARGET}/includes/initramfs-tools/files/" "${TARGET}/includes/initramfs-tools/files/"
@@ -224,6 +225,7 @@ grep_nic_driver_modules() {
### Collect all ethernet driver names and sort them uniquely. ### Collect all ethernet driver names and sort them uniquely.
declare -a _mods declare -a _mods
declare var_nic_module var_nic_modules declare var_nic_module var_nic_modules
# shellcheck disable=SC2312
readarray -t _mods < <( readarray -t _mods < <(
lspci -k \ lspci -k \
| grep -A2 -i ethernet \ | grep -A2 -i ethernet \
@@ -239,7 +241,7 @@ grep_nic_driver_modules() {
var_nic_modules="${_mods[*]}" var_nic_modules="${_mods[*]}"
fi fi
if [[ -n "$var_nic_module" ]]; then if [[ -n "${var_nic_module}" ]]; then
echo "${var_nic_module}" echo "${var_nic_module}"
else else
echo "${var_nic_modules}" echo "${var_nic_modules}"


@@ -1,26 +1,36 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE # SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
####################################### #######################################
# Check if hardened Centurion DNS servers are desired. # Exiting chroot.
# Globals: # Globals:
# VAR_HANDLER_DHCP # TARGET
# VAR_WORKDIR
# Arguments: # Arguments:
# None # None
# Returns:
# 0: on success
####################################### #######################################
check_dhcp() { exiting_chroot() {
if [[ ${VAR_HANDLER_DHCP} -eq 1 ]]; then umount -lf "${TARGET}/proc"
chmod +x "${VAR_WORKDIR}"/scripts/0010_dhcp_supersede.sh && "${VAR_WORKDIR}"/scripts/0010_dhcp_supersede.sh do_log "info" "true" "'umount -lf ${TARGET}/proc'."
fi umount -lf "${TARGET}/sys"
do_log "info" "true" "'umount -lf ${TARGET}/sys'."
umount -lf "${TARGET}/dev"
do_log "info" "true" "'umount -lf ${TARGET}/dev'."
umount -lf "${TARGET}/run"
do_log "info" "true" "'umount -lf ${TARGET}/run'."
return 0
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
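Review bot: Each `umount -lf` in `exiting_chroot` (L874–L881) is followed by an unconditional info log, so a failed unmount is logged as if it had happened, and the lazy flag detaches the mount point even while something inside `${TARGET}` still holds it rather than surfacing that. Logging on the real status — `umount -lf "${TARGET}/proc" || do_log "warning" "true" "umount ${TARGET}/proc failed (rc=$?)."` and likewise for the other three — makes a stuck chroot visible before the next step reuses the directory; if the script mounts a `/dev/pts` submount elsewhere, it should be released before `${TARGET}/dev` here.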


@@ -1,27 +1,27 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE # SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
####################################### guard_sourcing
# Check if analysis run is desired only.
###########################################################################################
# Hardening files and directories.
# Globals: # Globals:
# VAR_HANDLER_STA # None
# Arguments: # Arguments:
# None # None
####################################### # Returns:
check_stats() { # 0: on success
if [[ ${VAR_HANDLER_STA} -eq 1 ]]; then ###########################################################################################
clear hardening_files() {
run_analysis return 0
exit 0
fi
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
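Review bot: `hardening_files` (L911–L915) is an empty stub that returns 0 while its header advertises "Hardening files and directories.", so any caller will treat the hardening as applied when nothing was done. Until the body exists, say so explicitly, e.g. `do_log "warning" "true" "hardening_files: not implemented yet."` before the `return 0`, or at least a `# TODO(msw): …` line in the header. As a point of style, the `#####…` rule around this header (L902, L910) is longer than the rule every other function header in this commit uses (e.g. L574, L667).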


@@ -101,7 +101,7 @@ gather_luks_devices() {
declare -i tries=0 declare -i tries=0
while ((tries < 10)); do while ((tries < 10)); do
# shellcheck disable=SC2312
mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | sort) mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | sort)
if cmp <(printf '%s\n' "${curr[@]}") <(printf '%s\n' "${prev[@]}") >/dev/null; then if cmp <(printf '%s\n' "${curr[@]}") <(printf '%s\n' "${prev[@]}") >/dev/null; then
@@ -299,7 +299,9 @@ trap_on_term() {
# 0: Script Name # 0: Script Name
####################################### #######################################
verify_script() { verify_script() {
declare dir; dir="$(dirname "$(readlink -f "${0}")")" declare dir
# shellcheck disable=SC2312
dir="$(dirname "$(readlink -f "${0}")")"
declare script; script="$(basename "${0}")" declare script; script="$(basename "${0}")"
declare -a algo=("sha512" "sha384") declare -a algo=("sha512" "sha384")
declare cmd="" computed="" expected="" hashfile="" item="" sigfile="" declare cmd="" computed="" expected="" hashfile="" item="" sigfile=""
@@ -359,6 +361,7 @@ main() {
### Read newline-separated output into an array. ### Read newline-separated output into an array.
color_echo "${MAG}" "Scanning for LUKS devices ..." color_echo "${MAG}" "Scanning for LUKS devices ..."
printf "%s" "${NL}" printf "%s" "${NL}"
# shellcheck disable=SC2312
mapfile -t DEVICES_LUKS < <(gather_luks_devices) mapfile -t DEVICES_LUKS < <(gather_luks_devices)
### If there are no LUKS devices at all, drop to bash. ### If there are no LUKS devices at all, drop to bash.


@@ -38,7 +38,7 @@ fi
### Extract fingerprint of the first secret key ### Extract fingerprint of the first secret key
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -r FPR=$(gpg --homedir "$GNUPGHOME" --list-secret-keys --with-colons | awk -F: '/^fpr:/ { print $10; exit }') declare -r FPR=$(gpg --homedir "${GNUPGHOME}" --list-secret-keys --with-colons | awk -F: '/^fpr:/ { print $10; exit }')
if [[ -z "${FPR}" ]]; then if [[ -z "${FPR}" ]]; then
printf "\e[0;91m✘ Error: Could not extract fingerprint from keyring. \e[0m\n" >&2 printf "\e[0;91m✘ Error: Could not extract fingerprint from keyring. \e[0m\n" >&2


@@ -16,7 +16,7 @@
# Globals: # Globals:
# BASH_SOURCE # BASH_SOURCE
# Arguments: # Arguments:
# $1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically.) # 1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically.)
# Returns: # Returns:
# 0: Returns '0' in both cases as they are intended to be successful. # 0: Returns '0' in both cases as they are intended to be successful.
####################################### #######################################


@@ -23,6 +23,7 @@ check_pkgs() {
apt-get update -y > /dev/null 2>&1 apt-get update -y > /dev/null 2>&1
### Define HashMap: command -> package ### Define HashMap: command -> package
# shellcheck disable=SC2154
declare -A hmp_command_packages=( declare -A hmp_command_packages=(
[apt-transport-https]=apt-transport-https [apt-transport-https]=apt-transport-https
[bzip2]=bzip2 [bzip2]=bzip2
@@ -72,7 +73,7 @@ check_pkgs() {
fi fi
if [[ -z "$(command -v dialog || true)" ]]; then if [[ -z "$(command -v dialog || true)" ]]; then
if ! ${VAR_AUTO_INSTALL}; then apt-get install -y --no-install-recommends dialog; fi if ! "${VAR_AUTO_INSTALL}"; then apt-get install -y --no-install-recommends dialog; fi
fi fi
} }
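Review bot: `if ! "${VAR_AUTO_INSTALL}"; then` on L976 executes the variable's value as a command, so any value other than the literal `true`/`false` — or an unset variable, which the `SC2154` suppression added on L969 hints is a real possibility in this file — produces "command not found" on stderr and, via `!`, falls through into the install branch; the commit adds the quotes but keeps the pattern. A string comparison, `if [[ "${VAR_AUTO_INSTALL,,}" != "true" ]]; then`, avoids executing configuration data and the stray error message while keeping the same branch for the expected values. check_pkgs begins outside the hunk.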
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -1,23 +1,25 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE # SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
####################################### #######################################
# Unbound Variable Check and call Trap on ERR # Unbound Variable Check and call Trap on ERR.
# Globals: # Globals:
# ERR_UNBOUNDVAR # ERR_UNBOUND_VARIABLE
# Arguments: # Arguments:
# $1: VAR_NAME to check # 1: VAR_NAME to check
# Returns: # Returns:
# "${ERR_UNBOUNDVAR}" # ERR_UNBOUND_VARIABLE
####################################### #######################################
check_var() { check_var() {
declare var_name_to_check="$1" declare var_name_to_check="$1"
@@ -29,7 +31,7 @@ check_var() {
fi fi
else else
printf "\e[91m❌ Variable: '%s' is not declared. Exiting Script. \e[0m\n" "${var_name_to_check}" >&2 printf "\e[91m❌ Variable: '%s' is not declared. Exiting Script. \e[0m\n" "${var_name_to_check}" >&2
return "${ERR_UNBOUNDVAR}" return "${ERR_UNBOUND_VARIABLE}"
fi fi
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -28,7 +28,7 @@ pre_scan_debug() {
for i in "${!args[@]}"; do for i in "${!args[@]}"; do
if [[ "${args[i]}" == "-d" || "${args[i]}" == "--debug" ]]; then if [[ "${args[i]}" == "-d" || "${args[i]}" == "--debug" ]]; then
dbg_index=$i dbg_index=${i}
. "${script_dir}/0051_debug_var_dump.sh" . "${script_dir}/0051_debug_var_dump.sh"
declare -grx LOG_VAR="/tmp/ciss_debian_installer_$$_var.log" declare -grx LOG_VAR="/tmp/ciss_debian_installer_$$_var.log"
touch "${LOG_VAR}" && chmod 0600 "${LOG_VAR}" touch "${LOG_VAR}" && chmod 0600 "${LOG_VAR}"
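Review bot: `LOG_VAR` on L1023 is still created at the predictable path `/tmp/ciss_debian_installer_$$_var.log` and then made 0600 with `touch` followed by `chmod`, while this same commit moves `LOG_TRC` (L1072) and `LOG_DBG` (L1098) to `${DIR_LOG}`; a PID-based name in the shared `/tmp` can already exist (or be a symlink) when the installer starts, and the file is world-readable for the moment between `touch` and `chmod`. Moving it alongside the others, `declare -grx LOG_VAR="${DIR_LOG}/ciss_debian_installer_$$_var.log"`, and creating it with the final mode in one step, `( umask 077; : > "${LOG_VAR}" )`, closes both the inconsistency and the window — assuming `DIR_LOG` is a directory not writable by other users, which the page does not show. The same `touch … && chmod 0600` sequence appears on L1074 and L1100 and would benefit from the same change. pre_scan_debug begins and ends outside the hunk.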


@@ -22,6 +22,7 @@ guard_sourcing
dump_vars_initial() { dump_vars_initial() {
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -grx VAR_DUMP_VARS_INITIAL=$(mktemp) declare -grx VAR_DUMP_VARS_INITIAL=$(mktemp)
# shellcheck disable=SC2312
{ {
declare var declare var
while IFS= read -r var; do while IFS= read -r var; do
@@ -44,13 +45,13 @@ dump_vars_exiting() {
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare var_dump_vars_final=$(mktemp) declare var_dump_vars_final=$(mktemp)
set +x set +x
# shellcheck disable=SC2312
{ {
declare var declare var
while IFS= read -r var; do while IFS= read -r var; do
declare -p "${var}" 2>/dev/null declare -p "${var}" 2>/dev/null
done < <(compgen -v | grep -Ev '^(BASH|_).*') done < <(compgen -v | grep -Ev '^(BASH|_).*')
} | sort >| "${var_dump_vars_final}" } | sort >| "${var_dump_vars_final}"
set -x
{ {
printf "✅ CISS.debian.installer Config Variable Dump. \n" printf "✅ CISS.debian.installer Config Variable Dump. \n"
@@ -67,6 +68,7 @@ dump_vars_exiting() {
} >> "${LOG_VAR}" } >> "${LOG_VAR}"
comm -13 "${VAR_DUMP_VARS_INITIAL}" "${var_dump_vars_final}" >> "${LOG_VAR}" || true comm -13 "${VAR_DUMP_VARS_INITIAL}" "${var_dump_vars_final}" >> "${LOG_VAR}" || true
set -x
rm -f "${VAR_DUMP_VARS_INITIAL}" "${var_dump_vars_final}" rm -f "${VAR_DUMP_VARS_INITIAL}" "${var_dump_vars_final}"
} }
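Review bot: `dump_vars_exiting` (L1041–L1052) writes `declare -p` of every variable not matching `^(BASH|_)` into `LOG_VAR`, which includes any secret the installer still holds in a shell variable at exit (values read from the preseed are the obvious candidates), and the `MASK_PATTERNS` masking defined for the trap logger (L1103) is not applied on this path as far as the hunk shows. Either pass the `comm` output on L1052 through that masking before `>> "${LOG_VAR}"`, or extend the `grep -Ev` on L1045 with an explicit exclusion pattern for credential variables, so the 0600 mode on the log file is not the only protection. The relocated `set -x` on L1053 also re-enables xtrace unconditionally; if the caller did not have it on, `[[ $- == *x* ]]` captured before the `set +x` on L1039 lets you restore the previous state instead. dump_vars_exiting begins outside the hunk.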
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -16,7 +16,7 @@ guard_sourcing
# Wrapper for XTRACE Debug. # Wrapper for XTRACE Debug.
# Globals: # Globals:
# BASH_XTRACEFD # BASH_XTRACEFD
# LOG_TRACE # LOG_TRC
# PS4 # PS4
# SHELLOPTS # SHELLOPTS
# Arguments: # Arguments:
@@ -26,11 +26,11 @@ debug_trace() {
### Set a verbose PS4 prompt including timestamp, source, line, exit status of previous command, and function name ### Set a verbose PS4 prompt including timestamp, source, line, exit status of previous command, and function name
declare -grx PS4='\e[97m+\e[0m\e[96m$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m ' declare -grx PS4='\e[97m+\e[0m\e[96m$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m '
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -grx LOG_TRACE="/tmp/ciss_debian_installer_$$_trace.log" declare -grx LOG_TRC="${DIR_LOG}/ciss_debian_installer_$$_trace.log"
### Generates empty LOG_TRACE ### Generates empty LOG_TRC
touch "${LOG_TRACE}" && chmod 0600 "${LOG_TRACE}" touch "${LOG_TRC}" && chmod 0600 "${LOG_TRC}"
### Open file descriptor 42 for writing to the debug log ### Open file descriptor 42 for writing to the debug log
exec 42>| "${LOG_TRACE}" exec 42>| "${LOG_TRC}"
### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables ### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables
debug_header "$#" "$*" debug_header "$#" "$*"
### Tell Bash to send xtrace output to FD 42 ### Tell Bash to send xtrace output to FD 42


@@ -35,6 +35,7 @@ guard_sourcing
debug_trace_header() { debug_trace_header() {
declare -r arg_counter="$1" declare -r arg_counter="$1"
declare -r arg_string="$2" declare -r arg_string="$2"
#shellcheck disable=SC2312
{ {
printf "\e[97m+\e[0m\e[92m%s: CISS.debian.installer Debug XTRACE Log \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" printf "\e[97m+\e[0m\e[92m%s: CISS.debian.installer Debug XTRACE Log \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
printf "\e[97m+\e[0m\e[92m%s: GIT Commit : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_GIT_HEAD}" printf "\e[97m+\e[0m\e[92m%s: GIT Commit : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_GIT_HEAD}"


@@ -15,9 +15,9 @@ guard_sourcing
declare -g VAR_LAST_CMD="" declare -g VAR_LAST_CMD=""
declare -g __preexec_invoke="" declare -g __preexec_invoke=""
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -grx LOG_DEBUG="/tmp/ciss_debian_installer_$$_debug.log" declare -grx LOG_DBG="${DIR_LOG}/ciss_debian_installer_$$_debug.log"
### Generates empty LOG_DEBUG ### Generates empty LOG_DBG
touch "${LOG_DEBUG}" && chmod 0600 "${LOG_DEBUG}" touch "${LOG_DBG}" && chmod 0600 "${LOG_DBG}"
### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables ### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables
debug_trace_header "$#" "$*" debug_trace_header "$#" "$*"
### Define patterns and mask replacements ### Define patterns and mask replacements
@@ -36,7 +36,7 @@ declare -Ag MASK_PATTERNS=(
# BASH_LINENO # BASH_LINENO
# BASH_SOURCE # BASH_SOURCE
# FUNCNAME # FUNCNAME
# LOG_DEBUG # LOG_DBG
# Arguments: # Arguments:
# None # None
####################################### #######################################
@@ -56,7 +56,7 @@ debug_trap_logger() {
declare var_line="${BASH_LINENO[i-1]:-?}" declare var_line="${BASH_LINENO[i-1]:-?}"
declare var_script="${BASH_SOURCE[i]:-${BASH_SOURCE[0]}}" declare var_script="${BASH_SOURCE[i]:-${BASH_SOURCE[0]}}"
declare var_script_rel="${var_script#"${PWD}"/}" declare var_script_rel="${var_script#"${PWD}"/}"
printf '%s [%s:%s] %s() |%s| RC:%s \n' "${var_ts}" "${var_script_rel}" "${var_line}" "${var_func}" "${var_msg}" "${var_rc}">> "${LOG_DEBUG}" printf '%s [%s:%s] %s() |%s| RC:%s \n' "${var_ts}" "${var_script_rel}" "${var_line}" "${var_func}" "${var_msg}" "${var_rc}">> "${LOG_DBG}"
} }
####################################### #######################################
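Review bot: `LOG_DBG` at L1098 is now built from `${DIR_LOG}`, but nothing in this hunk checks that `DIR_LOG` is set and is a directory; with an empty value the path collapses to `/ciss_debian_installer_<pid>_debug.log` and the `touch` at L1100 either fails or writes under `/`. A `: "${DIR_LOG:?DIR_LOG must be set}"` (or `[[ -d "${DIR_LOG}" ]] || …`) before the `declare -grx` makes that failure explicit instead of surfacing later as an unwritable log. Moving the file out of `/tmp` removes the predictable-name exposure, but `touch … && chmod 0600` still leaves a window where the file exists with umask permissions and silently reuses any pre-existing file of that name; creating it as `( umask 077; : >| "${LOG_DBG}" ) || exit 1` avoids the window, and `debug_trace_header` (called at L1102) already truncates the file with `>|` at L1142, so the `touch` adds nothing. If `DIR_LOG` can be written by other users, a `mktemp`-generated name under it would be the safer choice than one derived from `$$`. The top-level code of this file runs past the hunk.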


@@ -18,7 +18,7 @@
# EPOCHREALTIME # EPOCHREALTIME
# EUID # EUID
# HOSTNAME # HOSTNAME
# LOG_DEBUG # LOG_DBG
# PPID # PPID
# PWD # PWD
# SHELLOPTS # SHELLOPTS
@@ -34,6 +34,7 @@
debug_trace_header() { debug_trace_header() {
declare -r arg_counter="$1" declare -r arg_counter="$1"
declare -r arg_string="$2" declare -r arg_string="$2"
# shellcheck disable=SC2312
{ {
printf "\e[97m+\e[0m\e[92m%s: CISS.debian.installer Debug TRAP Log \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" printf "\e[97m+\e[0m\e[92m%s: CISS.debian.installer Debug TRAP Log \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
printf "\e[97m+\e[0m\e[92m%s: GIT Commit : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_GIT_HEAD}" printf "\e[97m+\e[0m\e[92m%s: GIT Commit : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_GIT_HEAD}"
@@ -58,6 +59,6 @@ debug_trace_header() {
printf "\e[97m+\e[0m\e[92m%s: BASHOPTS : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASHOPTS}" printf "\e[97m+\e[0m\e[92m%s: BASHOPTS : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASHOPTS}"
printf "\e[97m+\e[0m\e[92m%s: SHELLOPTS : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${SHELLOPTS}" printf "\e[97m+\e[0m\e[92m%s: SHELLOPTS : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${SHELLOPTS}"
printf "\e[97m+\e[0m\e[92m%s: ==== Debug Log Begin ==== : \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" printf "\e[97m+\e[0m\e[92m%s: ==== Debug Log Begin ==== : \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
} >| "${LOG_DEBUG}" } >| "${LOG_DBG}"
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -15,16 +15,16 @@ guard_sourcing
####################################### #######################################
# Print Error Message for Trap on 'ERR' in '${ERROR_LOG}'. # Print Error Message for Trap on 'ERR' in '${ERROR_LOG}'.
# Globals: # Globals:
# ARGUMENTS_COUNT # VAR_PARAM_COUNT
# ARG_STR_ORG_INPUT # ARG_STR_ORG_INPUT
# ERRCMMD # ERRCMMD
# ERRCODE # ERRCODE
# ERRFUNC # ERRFUNC
# ERRLINE # ERRLINE
# ERRSCRT # ERRSCRT
# LOG_DEBUG # LOG_DBG
# LOG_ERROR # LOG_ERR
# LOG_TRACE # LOG_TRC
# LOG_VAR # LOG_VAR
# NL # NL
# SECONDS # SECONDS
@@ -50,28 +50,28 @@ print_file_err() {
printf "❌ Command : %s %s" "${ERRCMMD}" "${NL}" printf "❌ Command : %s %s" "${ERRCMMD}" "${NL}"
printf "❌ Script PID : %s %s" "${$}" "${NL}" printf "❌ Script PID : %s %s" "${$}" "${NL}"
printf "❌ Script Runtime : %s %s" "${SECONDS}" "${NL}" printf "❌ Script Runtime : %s %s" "${SECONDS}" "${NL}"
printf "❌ Arguments Counter : %s %s" "${ARGUMENTS_COUNT}" "${NL}" printf "❌ Arguments Counter : %s %s" "${VAR_PARAM_COUNT}" "${NL}"
printf "❌ Arguments Original : %s %s" "${ARG_STR_ORG_INPUT}" "${NL}" printf "❌ Arguments Original : %s %s" "${ARG_STR_ORG_INPUT}" "${NL}"
printf "❌ Arguments Sanitized : %s %s" "${VAR_ARG_SANITIZED}" "${NL}" printf "❌ Arguments Sanitized : %s %s" "${VAR_ARG_SANITIZED}" "${NL}"
if [[ "${VAR_DEBUG_TRACE}" == "true" || "${VAR_DEBUG_TRAP}" == "true" ]]; then if [[ "${VAR_DEBUG_TRACE}" == "true" || "${VAR_DEBUG_TRAP}" == "true" ]]; then
printf "❌ Vars Dump saved at : %s %s" "${LOG_VAR}" "${NL}" printf "❌ Vars Dump saved at : %s %s" "${LOG_VAR}" "${NL}"
fi fi
if "${VAR_DEBUG_TRAP}"; then if "${VAR_DEBUG_TRAP}"; then
printf "❌ DEBUG Log saved at : %s %s" "${LOG_DEBUG}" "${NL}" printf "❌ DEBUG Log saved at : %s %s" "${LOG_DBG}" "${NL}"
printf "❌ cat %s %s" "${LOG_DEBUG}" "${NL}" printf "❌ cat %s %s" "${LOG_DBG}" "${NL}"
fi fi
if "${VAR_DEBUG_TRACE}"; then if "${VAR_DEBUG_TRACE}"; then
printf "❌ TRACE Log saved at : %s %s" "${LOG_TRACE}" "${NL}" printf "❌ TRACE Log saved at : %s %s" "${LOG_TRC}" "${NL}"
printf "❌ cat %s %s" "${LOG_TRACE}" "${NL}" printf "❌ cat %s %s" "${LOG_TRC}" "${NL}"
fi fi
printf "%s" "${NL}" printf "%s" "${NL}"
} >> "${LOG_ERROR}" } >> "${LOG_ERR}"
} }
####################################### #######################################
# Print Error Message for Trap on 'ERR' on Terminal. # Print Error Message for Trap on 'ERR' on Terminal.
# Globals: # Globals:
# ARGUMENTS_COUNT # VAR_PARAM_COUNT
# ARG_STR_ORG_INPUT # ARG_STR_ORG_INPUT
# RED # RED
# RES # RES
@@ -80,9 +80,9 @@ print_file_err() {
# ERRFUNC # ERRFUNC
# ERRLINE # ERRLINE
# ERRSCRT # ERRSCRT
# LOG_DEBUG # LOG_DBG
# LOG_ERROR # LOG_ERR
# LOG_TRACE # LOG_TRC
# LOG_VAR # LOG_VAR
# NL # NL
# SECONDS # SECONDS
@@ -107,21 +107,21 @@ print_scr_err() {
printf "%s❌ Command : %s %s%s" "${RED}" "${ERRCMMD}" "${RES}" "${NL}" >&2 printf "%s❌ Command : %s %s%s" "${RED}" "${ERRCMMD}" "${RES}" "${NL}" >&2
printf "%s❌ Script PID : %s %s%s" "${RED}" "${$}" "${RES}" "${NL}" >&2 printf "%s❌ Script PID : %s %s%s" "${RED}" "${$}" "${RES}" "${NL}" >&2
printf "%s❌ Script Runtime : %s %s%s" "${RED}" "${SECONDS}" "${RES}" "${NL}" >&2 printf "%s❌ Script Runtime : %s %s%s" "${RED}" "${SECONDS}" "${RES}" "${NL}" >&2
printf "%s❌ Arguments Counter : %s %s%s" "${RED}" "${ARGUMENTS_COUNT}" "${RES}" "${NL}" >&2 printf "%s❌ Arguments Counter : %s %s%s" "${RED}" "${VAR_PARAM_COUNT}" "${RES}" "${NL}" >&2
printf "%s❌ Arguments Original : %s %s%s" "${RED}" "${ARG_STR_ORG_INPUT}" "${RES}" "${NL}" >&2 printf "%s❌ Arguments Original : %s %s%s" "${RED}" "${ARG_STR_ORG_INPUT}" "${RES}" "${NL}" >&2
printf "%s❌ Arguments Sanitized : %s %s%s" "${RED}" "${VAR_ARG_SANITIZED}" "${RES}" "${NL}" >&2 printf "%s❌ Arguments Sanitized : %s %s%s" "${RED}" "${VAR_ARG_SANITIZED}" "${RES}" "${NL}" >&2
printf "%s❌ Error Log saved at : %s %s%s" "${RED}" "${LOG_ERROR}" "${RES}" "${NL}" >&2 printf "%s❌ Error Log saved at : %s %s%s" "${RED}" "${LOG_ERR}" "${RES}" "${NL}" >&2
printf "%s❌ cat %s %s%s" "${RED}" "${LOG_ERROR}" "${RES}" "${NL}" >&2 printf "%s❌ cat %s %s%s" "${RED}" "${LOG_ERR}" "${RES}" "${NL}" >&2
if [[ "${VAR_DEBUG_TRACE}" == "true" || "${VAR_DEBUG_TRAP}" == "true" ]]; then if [[ "${VAR_DEBUG_TRACE}" == "true" || "${VAR_DEBUG_TRAP}" == "true" ]]; then
printf "%s❌ Vars Dump saved at : %s %s%s" "${RED}" "${LOG_VAR}" "${RES}" "${NL}" >&2 printf "%s❌ Vars Dump saved at : %s %s%s" "${RED}" "${LOG_VAR}" "${RES}" "${NL}" >&2
fi fi
if "${VAR_DEBUG_TRAP}"; then if "${VAR_DEBUG_TRAP}"; then
printf "%s❌ Debug Log saved at : %s %s%s" "${RED}" "${LOG_DEBUG}" "${RES}" "${NL}" >&2 printf "%s❌ Debug Log saved at : %s %s%s" "${RED}" "${LOG_DBG}" "${RES}" "${NL}" >&2
printf "%s❌ cat %s %s%s" "${RED}" "${LOG_DEBUG}" "${RES}" "${NL}" >&2 printf "%s❌ cat %s %s%s" "${RED}" "${LOG_DBG}" "${RES}" "${NL}" >&2
fi fi
if "${VAR_DEBUG_TRACE}"; then if "${VAR_DEBUG_TRACE}"; then
printf "%s❌ Debug Log saved at : %s %s%s" "${RED}" "${LOG_TRACE}" "${RES}" "${NL}" >&2 printf "%s❌ Debug Log saved at : %s %s%s" "${RED}" "${LOG_TRC}" "${RES}" "${NL}" >&2
printf "%s❌ cat %s %s%s" "${RED}" "${LOG_TRACE}" "${RES}" "${NL}" >&2 printf "%s❌ cat %s %s%s" "${RED}" "${LOG_TRC}" "${RES}" "${NL}" >&2
fi fi
printf "%s" "${NL}" printf "%s" "${NL}"
} }
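Review bot: `if "${VAR_DEBUG_TRAP}"; then` at L1175/L1215 and `if "${VAR_DEBUG_TRACE}"; then` at L1179/L1219 execute the variable's value as a command, while the line just above each (L1172, L1212) compares the same variables with `== "true"`; if either variable ever holds anything but `true`/`false` (empty, a typo, a value taken from an argument or config file), the branch runs that word as a command instead of evaluating a boolean. Use the string comparison consistently, `if [[ "${VAR_DEBUG_TRAP}" == "true" ]]; then`, and the same for `VAR_DEBUG_TRACE`. The same construct is touched again at L1256 and L1260 in `print_scr_exit`. Separately, the new L1220 labels the trace log "Debug Log saved at" whereas its file-logger twin at L1180 says "TRACE Log saved at", so the terminal line should read `TRACE Log saved at` as well. Both functions' signatures lie outside the hunks.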


@@ -34,6 +34,7 @@ trap_exit() {
exit "${var_trap_on_exit_code}" exit "${var_trap_on_exit_code}"
else else
clean_up "${var_trap_on_exit_code}" clean_up "${var_trap_on_exit_code}"
print_scr_exit "${var_trap_on_exit_code}"
exit "${var_trap_on_exit_code}" exit "${var_trap_on_exit_code}"
fi fi
} }
@@ -41,8 +42,8 @@ trap_exit() {
####################################### #######################################
# Print Success Message for Trap on 'EXIT' on 'stdout'. # Print Success Message for Trap on 'EXIT' on 'stdout'.
# Globals: # Globals:
# LOG_DEBUG # LOG_DBG
# LOG_TRACE # LOG_TRC
# LOG_VAR # LOG_VAR
# VAR_DEBUG_TRACE # VAR_DEBUG_TRACE
# VAR_DEBUG_TRAP # VAR_DEBUG_TRAP
@@ -53,7 +54,7 @@ trap_exit() {
print_scr_exit() { print_scr_exit() {
declare -r var_print_scr_exit_code="$1" declare -r var_print_scr_exit_code="$1"
if (( var_print_scr_exit_code == 0 )); then if (( var_print_scr_exit_code == 0 )); then
if [[ "${VAR_SCRIPT_SUCCESS}" == true ]]; then if [[ "${VAR_SCRIPT_SUCCESS}" == "true" ]]; then
printf "\n" printf "\n"
printf "\e[92m✅ CISS.debian.installer Script successful. \e[0m\n" printf "\e[92m✅ CISS.debian.installer Script successful. \e[0m\n"
printf "\e[92m✅ Exited with Status : %s \e[0m\n" "${var_print_scr_exit_code}" printf "\e[92m✅ Exited with Status : %s \e[0m\n" "${var_print_scr_exit_code}"
@@ -63,12 +64,12 @@ print_scr_exit() {
printf "\e[92m✅ cat %s \e[0m\n" "${LOG_VAR}" printf "\e[92m✅ cat %s \e[0m\n" "${LOG_VAR}"
fi fi
if "${VAR_DEBUG_TRAP}"; then if "${VAR_DEBUG_TRAP}"; then
printf "\e[92m✅ DEBUG Log saved at : %s \e[0m\n" "${LOG_DEBUG}" printf "\e[92m✅ DEBUG Log saved at : %s \e[0m\n" "${LOG_DBG}"
printf "\e[92m✅ cat %s \e[0m\n" "${LOG_DEBUG}" printf "\e[92m✅ cat %s \e[0m\n" "${LOG_DBG}"
fi fi
if "${VAR_DEBUG_TRACE}"; then if "${VAR_DEBUG_TRACE}"; then
printf "\e[92m✅ TRACE Log saved at : %s \e[0m\n" "${LOG_TRACE}" printf "\e[92m✅ TRACE Log saved at : %s \e[0m\n" "${LOG_TRC}"
printf "\e[92m✅ cat %s \e[0m\n" "${LOG_TRACE}" printf "\e[92m✅ cat %s \e[0m\n" "${LOG_TRC}"
fi fi
printf "\n" printf "\n"
printf "\e[95m💷 Please consider donating to my work at: \e[0m\n" printf "\e[95m💷 Please consider donating to my work at: \e[0m\n"


@@ -13,7 +13,7 @@
####################################### #######################################
# Clean Up Wrapper on Trap on 'EXIT'. # Clean Up Wrapper on Trap on 'EXIT'.
# Globals: # Globals:
# LOG_ERROR # LOG_ERR
# VAR_KERNEL_INF # VAR_KERNEL_INF
# VAR_KERNEL_SRT # VAR_KERNEL_SRT
# VAR_KERNEL_TMP # VAR_KERNEL_TMP
@@ -33,6 +33,6 @@ clean_up() {
exec 127>&- exec 127>&-
# Remove the lockfile artifact. # Remove the lockfile artifact.
rm -f /run/lock/ciss_debian_installer.lock rm -f /run/lock/ciss_debian_installer.lock
if (( var_clean_exit_code == 0 )); then rm -f -- "${LOG_ERROR}"; fi if (( var_clean_exit_code == 0 )); then rm -f -- "${LOG_ERR}"; fi
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -26,12 +26,10 @@ guard_sourcing
####################################### #######################################
arg_mismatch() { arg_mismatch() {
### Call cleaner if and only if not in auto-install mode. ### Call cleaner if and only if not in auto-install mode.
if [[ "${VAR_AUTO_INSTALL}" == false ]]; then if [[ "${VAR_AUTO_INSTALL}" == "false" ]]; then
### Dynamically select the cleaner based on the dialog wrapper type. ### Dynamically select the cleaner based on the dialog wrapper type.
case "${VAR_IN_DIALOG_WR}" in case "${VAR_IN_DIALOG_WR}" in
box|gauge) box|gauge) "dialog_${VAR_IN_DIALOG_WR}_cleaner" ;;
"dialog_${VAR_IN_DIALOG_WR}_cleaner"
;;
esac esac
fi fi
printf "%s❌ Error: '%s'. %s%s" "${RED}" "${1}" "${RES}" "${NL}" >&2 printf "%s❌ Error: '%s'. %s%s" "${RED}" "${1}" "${RES}" "${NL}" >&2


@@ -32,7 +32,7 @@ arg_check() {
# RED # RED
# RES # RES
# ERR_UNSAFE_CHARACTER # ERR_UNSAFE_CHARACTER
# LOG_ERROR # LOG_ERR
# NL # NL
# VAR_IN_DIALOG_WR # VAR_IN_DIALOG_WR
# Arguments: # Arguments:
@@ -43,14 +43,15 @@ sanitize_arg() {
declare disallowed_ctrl="" declare disallowed_ctrl=""
### Step 1: Check for control characters ### Step 1: Check for control characters
if printf '%s' "${input}" | grep -qP '[[:cntrl:]]'; then if printf '%s' "${input}" | grep -qP '[[:cntrl:]]'; then
# shellcheck disable=SC2312
disallowed_ctrl=$(printf '%s' "${input}" | sed -n 's/[^[:cntrl:]]//gp' | sed $'s/./&\\n/g' \ disallowed_ctrl=$(printf '%s' "${input}" | sed -n 's/[^[:cntrl:]]//gp' | sed $'s/./&\\n/g' \
| while read -r c; do printf "%02X " "'$c"; done) | while read -r c; do printf "%02X " "'${c}"; done)
{ {
printf "❌ Control character : '%s'. %s" "${disallowed_ctrl}" "${NL}" printf "❌ Control character : '%s'. %s" "${disallowed_ctrl}" "${NL}"
printf "❌ in argument : '%s'. %s" "${input}" "${NL}" printf "❌ in argument : '%s'. %s" "${input}" "${NL}"
printf "❌ Allowed Characters : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' %s" "${NL}" printf "❌ Allowed Characters : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' %s" "${NL}"
printf "%s" "${NL}" printf "%s" "${NL}"
} >> "${LOG_ERROR}" } >> "${LOG_ERR}"
case "${VAR_IN_DIALOG_WR}" in case "${VAR_IN_DIALOG_WR}" in
box ) dialog_box_cleaner ;; box ) dialog_box_cleaner ;;
gauge ) dialog_gauge_cleaner ;; gauge ) dialog_gauge_cleaner ;;
@@ -74,7 +75,7 @@ sanitize_arg() {
printf "❌ in argument : '%s'. %s" "${input}" "${NL}" printf "❌ in argument : '%s'. %s" "${input}" "${NL}"
printf "❌ Allowed Characters : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' %s" "${NL}" printf "❌ Allowed Characters : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' %s" "${NL}"
printf "%s" "${NL}" printf "%s" "${NL}"
} >> "${LOG_ERROR}" } >> "${LOG_ERR}"
case "${VAR_IN_DIALOG_WR}" in case "${VAR_IN_DIALOG_WR}" in
box ) dialog_box_cleaner ;; box ) dialog_box_cleaner ;;
gauge ) dialog_gauge_cleaner ;; gauge ) dialog_gauge_cleaner ;;
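Review bot: The control-character check at L1314 still cannot see an embedded newline: `grep` reads its input line by line, so a `0x0A` inside `input` acts as a line terminator and is never matched by `[[:cntrl:]]`, and the hex dump at L1316-L1317 (where the only change is the quoting of `${c}`) drops it too, because `sed 's/./…/'` and `read -r` both split on it. Whether the later allowed-character check catches a newline is outside this hunk, so I cannot tell if it slips through entirely. Bash's own pattern matching treats newline as a control character and needs no subprocess, so both the detection and the dump can be done in the shell as below, which also removes the need for the `# shellcheck disable=SC2312` added at L1315. `sanitize_arg` begins above the hunk.
```shell
### Step 1: Check for control characters (bash pattern classes match newline; line-oriented grep does not)
if [[ "${input}" == *[[:cntrl:]]* ]]; then
  declare -i i
  declare c
  for (( i = 0; i < ${#input}; i++ )); do
    c="${input:i:1}"
    if [[ "${c}" == [[:cntrl:]] ]]; then
      # append the code point of each offending character as two hex digits
      printf -v disallowed_ctrl '%s%02X ' "${disallowed_ctrl}" "'${c}"
    fi
  done
  # … unchanged: error block appended to "${LOG_ERR}" and dialog cleaner dispatch …
```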


@@ -15,7 +15,7 @@ guard_sourcing
####################################### #######################################
# Argument Parser # Argument Parser
# Globals: # Globals:
# DEFAULT_LOG_LEVEL # VAR_DEFAULT_LOG_LEVEL
# VAR_AUTO_INSTALL # VAR_AUTO_INSTALL
# VAR_IN_DIALOG_WR # VAR_IN_DIALOG_WR
# VAR_PRIORITY # VAR_PRIORITY
@@ -53,28 +53,9 @@ arg_parser() {
-l | --log) -l | --log)
case "${2,,}" in case "${2,,}" in
info) info|notice|warn|error|emergency) declare -gx VAR_DEFAULT_LOG_LEVEL="$2"; shift 2 ;;
declare -gx DEFAULT_LOG_LEVEL="$2"
shift 2
;;
notice)
declare -gx DEFAULT_LOG_LEVEL="$2"
shift 2
;;
warn)
declare -gx DEFAULT_LOG_LEVEL="$2"
shift 2
;;
error)
declare -gx DEFAULT_LOG_LEVEL="$2"
shift 2
;;
emergency)
declare -gx DEFAULT_LOG_LEVEL="$2"
shift 2
;;
*) *)
if [[ "${VAR_AUTO_INSTALL}" == false && "${VAR_IN_DIALOG_WR}" == true ]]; then dialog_gauge_cleaner; fi if [[ "${VAR_AUTO_INSTALL}" == "false" && "${VAR_IN_DIALOG_WR}" == true ]]; then dialog_box_cleaner; fi
usage usage
;; ;;
esac esac
@@ -121,7 +102,11 @@ arg_parser() {
;; ;;
*) *)
if [[ "${VAR_AUTO_INSTALL}" == false && "${VAR_IN_DIALOG_WR}" == true ]]; then dialog_gauge_cleaner; fi if [[ "${VAR_AUTO_INSTALL}" == "false" && "${VAR_IN_DIALOG_WR}" == "box" ]]; then
dialog_box_cleaner
elif [[ "${VAR_AUTO_INSTALL}" == "false" && "${VAR_IN_DIALOG_WR}" == "gauge" ]]; then
dialog_gauge_cleaner
fi
usage usage
;; ;;
esac esac
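Review bot: The rewritten `*)` arm at L1370 still tests `"${VAR_IN_DIALOG_WR}" == true`, but every other site in this commit treats `VAR_IN_DIALOG_WR` as holding `box` or `gauge` (L1293-L1294, and the second hunk of this same file at L1377-L1380, which replaces exactly this comparison); as written the cleaner is never called for an invalid `--log` value, so the dialog is presumably left on screen when `usage` exits. Make it match the other arm, e.g. `if [[ "${VAR_AUTO_INSTALL}" == "false" ]]; then case "${VAR_IN_DIALOG_WR}" in box|gauge) "dialog_${VAR_IN_DIALOG_WR}_cleaner" ;; esac; fi`, which is also the form `arg_mismatch` uses. A second point on L1349: the arm matches on the lower-cased `${2,,}` but stores the raw `$2`, so `-l INFO` is accepted yet `VAR_DEFAULT_LOG_LEVEL` ends up as `INFO`; storing `"${2,,}"` keeps the value inside the set the pattern accepted, assuming consumers compare lower-case names. `arg_parser` starts and ends outside these hunks.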


@@ -30,14 +30,14 @@ arg_priority_check() {
if [[ -n ${VAR_PRIORITY} ]]; then if [[ -n ${VAR_PRIORITY} ]]; then
renice "${VAR_PRIORITY}" -p "$$" renice "${VAR_PRIORITY}" -p "$$"
var=$(ps -o ni= -p $$) > /dev/null 2>&1 var=$(ps -o ni= -p $$) > /dev/null 2>&1
printf "%s✅ New renice value: '%s'. %s%s" "${GRE}" "${var}" "${RES}" "${NL}" do_log "info" "true" "New renice value: '${var}'."
fi fi
# Check if ionice PRIORITY is set and adjust ionice priority. ### Check if ionice PRIORITY is set and adjust ionice priority.
if [[ -n ${VAR_REIONICE_CLASS} ]]; then if [[ -n ${VAR_REIONICE_CLASS} ]]; then
ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$" ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
var=$(ionice -p $$) > /dev/null 2>&1 var=$(ionice -p $$) > /dev/null 2>&1
printf "%s✅ New ionice value: '%s'. %s%s" "${GRE}" "${var}" "${RES}" "${NL}" do_log "info" "true" "New ionice value: '${var}'."
fi fi
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
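Review bot: `var=$(ps -o ni= -p $$) > /dev/null 2>&1` at L1391 (and the `ionice` twin at L1397) redirects the assignment rather than the command; a command substitution's stdout always goes to the capture pipe, so the `> /dev/null` part is a no-op and only stderr is actually silenced, by inheritance. Write it as `var=$(ps -o ni= -p "$$" 2>/dev/null)` so the intent is visible. The `renice`/`ionice` calls at L1390/L1396 are unchecked, so a run that is not permitted to change priority still logs "New renice value" with the unchanged value; `renice "${VAR_PRIORITY}" -p "$$" || do_log "warn" "true" "renice failed"` (or letting it abort under `set -e`, if the script uses it) would surface that. `var` is not declared in these lines, so unless it is `local` further up it leaks into the global scope. `arg_priority_check` begins above the hunk.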


@@ -1,15 +1,17 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE # SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
####################################### #######################################
# Kernel Image Selector # Kernel Image Selector
# Globals: # Globals:


@@ -1,15 +1,17 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE # SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
####################################### #######################################
# Notes Textbox # Notes Textbox
# Arguments: # Arguments:


@@ -1,62 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# CISS.2025.debian.installer GRUB and Autostart Generator
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_CDI
# VAR_KERNEL
# VAR_WORKDIR
# Arguments:
# None
#######################################
cdi() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ "${VAR_HANDLER_CDI}" == "true" ]]; then
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config"
fi
cp "${VAR_WORKDIR}/scripts/9000-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
chmod 0750 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
declare tmp_entry
tmp_entry="$(mktemp)"
cat << EOF >| "${tmp_entry}"
menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums live-config.components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Europe/Lisbon audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none findiso=\${iso_path}
initrd /live/initrd.img-${VAR_KERNEL}
}
EOF
sed -i "/#MUST_BE_REPLACED/{
r ${tmp_entry}
d
}" "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
sed -i "/#MUST_BE_REPLACED/{
r ${tmp_entry}
d
}" "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-pc/grub.cfg"
rm -f "${tmp_entry}"
else
# shellcheck disable=SC1003
sed -i '/#MUST_BE_REPLACED/c\\' "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -1,37 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Change Grub Boot Screen Splash
# Globals:
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_SPLASH
# VAR_WORKDIR
# Arguments:
# None
#######################################
change_splash() {
if [[ ${VAR_HANDLER_SPLASH} == "club" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'club.png' selected ...\e[0m\n"
cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'club.png' selected done. \e[0m\n"
elif [[ ${VAR_HANDLER_SPLASH} == "hexagon" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'hexagon.png' selected ...\e[0m\n"
cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'hexagon.png' selected done. \e[0m\n"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -1,37 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Check and apply 0755 Permissions on every ./config/hooks/live/*.chroot file
# Globals:
# ERR_UNCRITICAL
# VAR_WORKDIR
# Arguments:
# None
#######################################
check_hooks() {
declare ifs
ifs=$'\n\t'
shopt -s nullglob
declare -a files=("${VAR_WORKDIR}"/config/hooks/live/*.chroot)
if (( ${#files[@]} == 0 )); then
printf "\e[91m❌ No '*.chroot' files found in '%s/config/hooks/live'. \e[0m\n" "${VAR_WORKDIR}" >&2
exit "${ERR_UNCRITICAL}"
fi
declare file
for file in "${files[@]}"; do
chmod 0755 "${file}"
done
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -1,38 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Copy Initial ISO aide Database into Host System
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# Arguments:
# None
# Returns:
# 0 : Aide Init DB copying successful.
#######################################
copy_db() {
# printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.integrity" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/.integrity"
fi
if cp -p "${VAR_HANDLER_BUILD_DIR}/chroot/var/lib/aide/"* "${VAR_HANDLER_BUILD_DIR}/.integrity/"; then
chmod 0400 "${VAR_HANDLER_BUILD_DIR}/.integrity/"*
# printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ '%s' NOT successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -1,101 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Updates the Live ISO to use root password authentication for local console access.
# Globals:
# VAR_HANDLER_BUILD_DIR
# VAR_HASHED_PWD
# Arguments:
# None
# Returns:
# 0: In case no root password is desired.
#######################################
hardening_root_pw() {
if [[ -z ${VAR_HASHED_PWD} ]]; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Root Password for Console set, skipping root password hook.\e[0m\n"
# sleep 1
return 0
fi
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Setup Root Password for Console ... \e[0m\n"
# sleep 1
declare cfg_dir="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/live"
declare cfg_file="${cfg_dir}/config.conf"
declare dropin_dir="${cfg_dir}/config.conf.d"
declare dropin_file="${dropin_dir}/20-root-password.conf"
mkdir -p "${dropin_dir}"
cat << 'EOF' >| "${dropin_dir}"/10-disable-autologin.conf
live-config.noautologin
EOF
if ! grep -q 'LIVE_CONFIGS=.*root-password' "${cfg_file}"; then
sed -i -E 's|LIVE_CONFIGS="([^"]*)"|LIVE_CONFIGS="\1 root-password"|' "${cfg_file}"
fi
declare clean_hash="${VAR_HASHED_PWD//\"/}"
printf 'live-config.root-password-hash=%s\n' "${clean_hash}" >| "${dropin_file}"
chmod 0600 "${dropin_file}"
chown root:root "${dropin_file}"
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root"
printf '%s\n' "${clean_hash}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d
cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf
[Service]
ExecStart=
#ExecStart=-/usr/sbin/agetty --noclear %I $TERM
ExecStart=-agetty --noclear %I $TERM
EOF
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc
cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/securetty
tty1
tty2
tty3
tty4
tty5
tty6
EOF
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/sbin
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/bin
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/sbin
cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/sbin/agetty"
cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/bin/agetty"
cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/sbin/agetty"
### Hotfix I
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators"
cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
#!/bin/sh
# bypass live-config-getty-generator
exit 0
EOF
chmod +x "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
### Hotfix II
#mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators"
#touch "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
#chmod -x "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setup Root Password for Console done. \e[0m\n"
# sleep 1
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -1,63 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# SSH Hardening Ultra via TCP Wrapper
# Globals:
# ARY_HANDLER_JUMPHOST
# VAR_WORKDIR
# Arguments:
# None
#######################################
hardening_ssh() {
if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
declare allowed=""
cat << 'EOF' >| "${VAR_WORKDIR}/hosts.allow"
# /etc/hosts.allow: list of hosts that are allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
EOF
allowed=$(echo "${ARY_HANDLER_JUMPHOST[*]}" | tr '\n' ' ')
printf 'sshd: %s\n' "${allowed}" >> "${VAR_WORKDIR}/hosts.allow"
cat << 'EOF' >| "${VAR_WORKDIR}/hosts.deny"
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: some.host.name, .some.domain
# ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked-up hostnames still leave understandable logs. In past
# versions of Debian, this has been the default.
# ALL: PARANOID
ALL: ALL
EOF
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -1,221 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper for accompanying all CISS.debian.hardening features into the Live ISO image.
# Globals:
# ARY_HANDLER_JUMPHOST
# ARY_HANDLER_JUMPHOST_UNIQUE
# VAR_ARCHITECTURE
# VAR_HANDLER_BUILD_DIR
# VAR_SSHPORT
# VAR_SSHPUBKEY
# VAR_WORKDIR
# Arguments:
# None
#######################################
hardening_ultra() {
# shellcheck disable=SC2164
cd "${VAR_WORKDIR}"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/bootloaders ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/bootloaders"
cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config"
else
cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/bootloaders done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.binary ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub"
cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config"
else
cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.binary done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/live"
cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
else
cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n"
if [[ -d "${VAR_WORKDIR}/config/hooks/early" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/early ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/early" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/early"
cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks"
else
cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/early done.\e[0m\n"
fi
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.chroot ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"
cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config"
else
cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.chroot done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/package-lists ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/package-lists" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/package-lists"
fi
cp -af ./config/package-lists/live.list.common.chroot "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
case "${VAR_ARCHITECTURE}" in
amd64)
declare arch_list="./config/package-lists/live.list.amd64.chroot"
declare arch_comment="# amd64 specific packages"
;;
arm64)
declare arch_list="./config/package-lists/live.list.arm64.chroot"
declare arch_comment="# arm64 specific packages"
;;
*)
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Unsupported architecture '%s'.\e[0m\n" "${VAR_ARCHITECTURE}"
exit 1
;;
esac
declare pkgs
mapfile -t pkgs < <(
grep -v '^\s*#' "${arch_list}" | sed '/^\s*$/d'
)
awk -v comment="${arch_comment}" -v n_pkgs="${#pkgs[@]}" -v pkgs="$(printf '%s\n' "${pkgs[@]}")" '
BEGIN {
split(pkgs, pkg_arr, "\n")
inserted = 0
}
{
# Detect the vim-modeline (last line marker)
if ($0 ~ /^# vim:.*$/ && !inserted) {
print comment
for (i = 1; i <= length(pkg_arr); i++) {
print pkg_arr[i]
}
inserted = 1
}
print
}
' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/package-lists done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating SSH Keys, Ports ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
declare -r sshport="${VAR_SSHPORT:-22}"
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
declare line
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
if [[ -z "${line}" ]]; then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
exit 1
fi
declare host
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
((line++))
sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
done
fi
else
cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
declare -r sshport="${VAR_SSHPORT:-22}"
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"$sshport\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
declare line
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
if [[ -z "${line}" ]]; then
printf "\e[91m❌ Error: 'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
exit 1
fi
declare host
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
((line++))
sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
done
fi
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating SSH Keys, Ports done. \e[0m\n"
if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 SSH Hardening Ultra ... \e[0m\n"
cp -af "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
cp -af "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow"
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny"
rm -f "${VAR_WORKDIR}/hosts.allow"
rm -f "${VAR_WORKDIR}/hosts.deny"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ SSH Hardening Ultra done.\e[0m\n"
fi
if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"
# Join array entries with spaces, preserving any newlines
declare ips="${ARY_HANDLER_JUMPHOST[*]}"
# Flatten to a single line and strip literal brackets []
declare flat_ips
flat_ips=$(printf "%s" "${ips}" | tr '\n' ' ' | tr -d '[]')
# flat_ips now contains e.g., "123.128.111.42 2a03:ffff:0815:4711:... 2a03:.../64"
# Perform an in-place replacement of MUST_BE_SET with the cleaned list
sed -i -e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1[[:space:]]*\)MUST_BE_SET|\1${flat_ips}|" \
"${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating fail2ban Jumphosts IPs done. \e[0m\n"
else
printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 No jump hosts configured, removing placeholder ... \e[0m\n"
sed -i \
-e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*MUST_BE_SET|\1|" \
-e "s|\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*$|\1|" \
"${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Placeholder removed. \e[0m\n"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -1,36 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# IP Notation cleaner for pure IP output only
# Globals:
# ARY_HANDLER_JUMPHOST
# ARY_HANDLER_JUMPHOST_UNIQUE
# Arguments:
# None
#######################################
clean_ip() {
declare host
declare stripped
for host in "${ARY_HANDLER_JUMPHOST[@]}"; do
# Remove leading '[' and trailing ']'
stripped="${host#\[}"
stripped="${stripped%\]}"
# Skip if it contains a slash (CIDR range)
if [[ ${stripped} == */* ]]; then
continue
fi
# Directly append, no duplicate check
declare -ga ARY_HANDLER_JUMPHOST_UNIQUE+=("${stripped}")
done
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -1,46 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper to write a new 'lb config' environment.
# Globals:
# ERR_UNCRITICAL
# VAR_BUILD_LOG
# VAR_HANDLER_BUILD_DIR
# Arguments:
# None
#######################################
lb_build_start() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔨 Start Build... Log file: %s \e[0m\n" "${VAR_BUILD_LOG}"
# sleep 1
# shellcheck disable=SC2164
cd "${SCRIPT_BASEPATH}"
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
if lb build --color 2>&1 | tee "${VAR_BUILD_LOG}"; then
printf "\e[92m✅ Build successfully completed.\e[0m\n"
else
printf "\e[91m❌ Build failed!\e[0m\n" >&2
exit "${ERR_UNCRITICAL}"
fi
# shellcheck disable=SC2155
declare iso_file=$(find . -maxdepth 1 -type f -name "*.iso" | sort | tail -n1)
if [[ -z ${iso_file} || ! -f ${iso_file} ]]; then
printf "\e[91m❌ No ISO Image found.\e[0m\n" >&2
exit "${ERR_UNCRITICAL}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -1,55 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper for 'lb config' - set up a build environment or deleting old build artifacts.
# Globals:
# VAR_HANDLER_BUILD_DIR
# Arguments:
# $0: Script-name
#######################################
lb_config_start() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
if [[ ! -d ${VAR_HANDLER_BUILD_DIR} ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}"
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' created. \e[0m\n" "${VAR_HANDLER_BUILD_DIR}"
else
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
fi
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.build" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Preparing environment ... \e[0m\n"
# Start lb config in a completely detached shell
bash -c "lb config" &
disown
sleep 1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Preparing environment done.\e[0m\n"
else
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Deleting former config, binary and cache ... \e[0m\n"
rm -f ./config/binary
rm -f ./config/bootstrap
rm -f ./config/chroot
rm -f ./config/common
rm -f ./config/source
rm -f ./*.{contents,files,iso,bz2,packages}
# Start lb clean in a completely detached shell
bash -c "lb clean && lb clean --binary --cache" &
disown
sleep 1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Deleting former config, binary and cache done.\e[0m\n"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -1,121 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper to write a new 'lb config' environment.
# Globals:
# VAR_HANDLER_ISO_COUNTER
# VAR_ARCHITECTURE
# VAR_HANDLER_BUILD_DIR
# VAR_KERNEL
# VAR_WORKDIR
# VAR_VERSION
# Arguments:
# None
#######################################
#######################################
# description
# Globals:
# Arguments:
# None
#######################################
lb_config_write() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Writing new config ... \e[0m\n"
lb config \
--apt apt \
--apt-indices true \
--apt-recommends true \
--apt-secure true \
--apt-source-archives true \
--architecture "${VAR_ARCHITECTURE}" \
--archive-areas main contrib non-free non-free-firmware \
--backports true \
--binary-filesystem fat32 \
--binary-image iso-hybrid \
--bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Europe/Lisbon splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
--bootappend-live "boot=live verify-checksums components nocomponents=cdi-starter locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Europe/Lisbon toram audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
--bootloaders grub-efi \
--cache true \
--checksums sha512 sha256 md5 \
--chroot-filesystem squashfs \
--chroot-squashfs-compression-level 22 \
--chroot-squashfs-compression-type zstd \
--color \
--compression bzip2 \
--debconf-frontend noninteractive \
--debconf-priority critical \
--debian-installer cdrom \
--debian-installer-distribution bookworm \
--debian-installer-gui true \
--debian-installer-preseedfile "preseed.cfg" \
--debug \
--distribution bookworm \
--distribution-binary bookworm \
--distribution-chroot bookworm \
--firmware-binary true \
--firmware-chroot true \
--hdd-label "CENTURIONLIVE" \
--image-name "ciss-debian-live-${VAR_HANDLER_ISO_COUNTER}" \
--initramfs "live-boot" \
--initramfs-compression gzip \
--initsystem systemd \
--iso-application "CISS.debian.live.builder: ${VAR_VERSION} - Debian-Live-Build: 20230502 - Debian-Installer: bookworm" \
--iso-preparer '(C) 2018-2025, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
--iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
--iso-volume 'CISS.debian.live' \
--linux-flavours "${VAR_KERNEL}" \
--linux-packages linux-image \
--loadlin true \
--memtest memtest86+ \
--mirror-binary 'https://deb/debian.org/debian/' \
--mirror-binary-security 'https://security.debian.org/' \
--mirror-bootstrap 'https://deb.debian.org/debian/' \
--mirror-chroot 'https://deb.debian.org/debian/' \
--mirror-chroot-security 'https://security.debian.org/' \
--mirror-debian-installer 'https://deb.debian.org/debian/' \
--mode debian \
--parent-archive-areas main contrib non-free non-free-firmware \
--parent-debian-installer-distribution bookworm \
--parent-distribution bookworm \
--parent-distribution-binary bookworm \
--parent-distribution-chroot bookworm \
--parent-mirror-binary 'https://deb.debian.org/debian/' \
--parent-mirror-binary-security 'https://security.debian.org/' \
--parent-mirror-bootstrap 'https://deb.debian.org/debian/' \
--parent-mirror-chroot 'https://deb.debian.org/debian/' \
--parent-mirror-chroot-security 'https://security.debian.org/' \
--parent-mirror-debian-installer 'https://deb.debian.org/debian/' \
--security true \
--system live \
--source false \
--source-images tar \
--uefi-secure-boot auto \
--updates true \
--utc-time true \
--verbose
sleep 1
sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary
sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/lib/live/boot
cp -a "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -1,45 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Notes Textbox
# Arguments:
# None
#######################################
provider_netcup() {
if "${VAR_HANDLER_NETCUP_IPV6}"; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
declare handler_netcup_ipv6_string="${ARY_HANDLER_NETCUP_IPV6[*]}"
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d
cat << EOF >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d/99-netcup-static
### Static IPv6 Address for Netcup Root Server
iface ens3 inet6 static
address ${handler_netcup_ipv6_string}/128
### dns01.eddns.eu dns02.eddns.de
dns-nameservers 2a01:4f9:c012:a813:135:181:207:105 2a0a:4cc0:1:e6:89:58:62:53
gateway fe80::1
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot"
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
cp "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -1,96 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-07; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: ZIMNOL, Andre H.; Private Contributor
# SPDX-FileCopyrightText: 2025; ZIMNOL, Andre H.; <debian@zimnol.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper for statistic functions of the final build.
# Globals:
# ERR_UNCRITICAL
# VAR_BUILD_LOG
# VAR_CHROOT_DIR
# VAR_HANDLER_BUILD_DIR
# VAR_PACKAGES_FILE
# Arguments:
# None
#######################################
run_analysis() {
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
# shellcheck disable=SC2155
declare iso_file=$(find . -maxdepth 1 -name "*.iso" -printf "%f\n" | sort | tail -n1)
if [[ -z ${iso_file} || ! -f ${iso_file} ]]; then
printf "\e[91m❌ No ISO Image found.\e[0m\n" >&2
exit "${ERR_UNCRITICAL}"
fi
printf "\e[92m📊 Start analysis of : %s ... \e[0m\n" "${iso_file}"
# shellcheck disable=SC2155
declare iso_size_hr=$(du -h "${iso_file}" | awk '{print $1}')
# shellcheck disable=SC2155
declare iso_size_bytes=$(du -b "${iso_file}" | awk '{print $1}')
# shellcheck disable=SC2155
declare chroot_size_hr=$(du -sh "${VAR_CHROOT_DIR}" 2> /dev/null | awk '{print $1}')
# shellcheck disable=SC2155
declare chroot_size_bytes=$(du -sb "${VAR_CHROOT_DIR}" 2> /dev/null | awk '{print $1}')
# shellcheck disable=SC2155
declare compression=$(awk -v iso="${iso_size_bytes}" -v chroot="${chroot_size_bytes}" 'BEGIN { printf "%.2f%%", 100 * iso / chroot }')
# shellcheck disable=SC2155
declare package_count=$(wc -l < "${VAR_PACKAGES_FILE}" 2> /dev/null || echo "nicht gefunden")
# shellcheck disable=SC2155
declare squash_cpu_used="$(grep -m1 -oP 'Using \K[0-9]+' "${VAR_BUILD_LOG}")"
if [[ -f "${VAR_BUILD_LOG}" ]]; then
# shellcheck disable=SC2155
declare start_line=$(grep 'lb build' "${VAR_BUILD_LOG}" | head -n1 || true)
# shellcheck disable=SC2155
declare end_line=$(grep 'lb source' "${VAR_BUILD_LOG}" | tail -n1 || true)
if [[ -n "${start_line}" && -n "${end_line}" ]]; then
# shellcheck disable=SC2155
declare start_epoch=$(echo "${start_line}" | sed -E 's/^\[([0-9:-]+ [0-9:]+)\].*/\1/' | xargs -I{} date -d "{}" +%s)
# shellcheck disable=SC2155
declare end_epoch=$(echo "${end_line}" | sed -E 's/^\[([0-9:-]+ [0-9:]+)\].*/\1/' | xargs -I{} date -d "{}" +%s)
# shellcheck disable=SC2155
declare duration_sec=$((end_epoch - start_epoch))
# shellcheck disable=SC2155
declare duration_min=$((duration_sec / 60))
# shellcheck disable=SC2155
declare duration_rest=$((duration_sec % 60))
# shellcheck disable=SC2155
declare build_duration=$(printf "%02dm:%02ds" "${duration_min}" "${duration_rest}")
else
declare build_duration="(Timestamp not found)"
fi
else
declare build_duration="(No log file found)"
fi
# shellcheck disable=SC2155
declare sha_sum=$(sha256sum "$iso_file" | tee "$iso_file.sha256" | awk '{print $1}')
# shellcheck disable=SC2155
declare time=$(date '+%Y-%m-%d %H:%M:%S')
printf "\e[92m🧾 === Build summary === \e[0m\n"
printf "\e[92m----------------------------------------------------------------------------------------\e[0m\n"
printf "\e[97m📦 ISO-File : %s \e[0m\n" "${iso_file}"
printf "\e[97m📀 ISO-Size : %s \e[0m\n" "${iso_size_hr}"
printf "\e[97m📂 Chroot-Size : %s \e[0m\n" "${chroot_size_hr}"
printf "\e[97m📉 Compression-level : %s \e[0m\n" "${compression}"
printf "\e[97m📦 Packages : %s \e[0m\n" "${package_count}"
printf "\e[97m🕐 Build Time : %s \e[0m\n" "${build_duration}"
printf "\e[97m🧠 CPUs for SquashFS : %s \e[0m\n" "${squash_cpu_used}"
printf "\e[97m🔐 SHA256SUM : %s \e[0m\n" "${sha_sum}"
printf "\e[92m----------------------------------------------------------------------------------------\e[0m\n"
printf "\e[97m📅 Analysis Time : %s \e[0m\n" "${time}"
printf "\e[92m✅ Analysis completed.\e[0m\n"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -9,6 +9,8 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
. ./var/colors.var.sh . ./var/colors.var.sh
. ./var/errors.var.sh . ./var/errors.var.sh
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -9,6 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
. ./func/helper/1030_check_nic.sh . ./func/helper/1030_check_nic.sh
. ./func/helper/1080_helper_chroot.sh . ./func/helper/1080_helper_chroot.sh
. ./func/helper/1081_helper_grub.sh . ./func/helper/1081_helper_grub.sh
@@ -23,26 +24,48 @@
. ./func/helper/1222_validation_preseed.sh . ./func/helper/1222_validation_preseed.sh
. ./func/helper/1250_yaml_parser.sh . ./func/helper/1250_yaml_parser.sh
. ./func/helper/1251_yaml_reader.sh . ./func/helper/1251_yaml_reader.sh
. ./func/partitioning/3200_partitioning.sh . ./func/partitioning/3200_partitioning.sh
. ./func/partitioning/3220_partition_encryption.sh . ./func/partitioning/3220_partition_encryption.sh
. ./func/partitioning/3240_partition_formatting.sh . ./func/partitioning/3240_partition_formatting.sh
. ./func/partitioning/3260_setup_filesystem.sh . ./func/partitioning/3260_setup_filesystem.sh
. ./func/partitioning/3280_mount_partition.sh . ./func/partitioning/3280_mount_partition.sh
. ./func/partitioning/3290_uuid_logger.sh . ./func/partitioning/3290_uuid_logger.sh
. ./func/system/4000_debootstrap.sh . ./func/system/4000_debootstrap.sh
. ./func/system/4020_configure_system.sh . ./func/system/4020_configure_system.sh
. ./func/system/4040_generate_fstab.sh . ./func/system/4040_generate_fstab.sh
. ./func/system/4060_generate_crypttab.sh . ./func/system/4060_generate_crypttab.sh
. ./func/system/4080_generate_sources.sh . ./func/system/4080_generate_sources.sh
. ./func/system/4090_minimal_toolset.sh
. ./func/system/4095_setup_skel.sh
. ./func/system/4100_setup_timezone.sh . ./func/system/4100_setup_timezone.sh
. ./func/system/4110_setup_locales.sh . ./func/system/4110_setup_locales.sh
. ./func/system/4120_installation_kernel.sh . ./func/system/4120_installation_kernel.sh
. ./func/system/4130_setup_network.sh . ./func/system/4130_setup_network.sh
. ./func/system/4140_setup_hostname.sh . ./func/system/4140_setup_hostname.sh
. ./func/system/4150_setup_grub.sh . ./func/system/4150_setup_grub.sh
. ./func/system/4155_setup_grub_password.sh
. ./func/system/4160_grub_bootparameter.sh . ./func/system/4160_grub_bootparameter.sh
. ./func/system/4165_kernel_modules.sh
. ./func/system/4166_kernel_sysctl.sh
. ./func/system/4170_installation_microcode.sh . ./func/system/4170_installation_microcode.sh
. ./func/system/4180_setup_ssh.sh . ./func/system/4180_setup_ssh.sh
. ./func/system/4190_build_dropbear.sh
. ./func/system/4191_install_dropbear_initramfs.sh
. ./func/system/4195_setup_dropbear.sh . ./func/system/4195_setup_dropbear.sh
. ./func/ . ./func/system/4200_setup_accounts.sh
. ./func/system/4210_setup_packages.sh
. ./func/system/4220_setup_sudo.sh
. ./func/system/4230_setup_chrony.sh
. ./func/system/4999_exiting_chroot_system.sh
. ./func/system/5000_hardening_files.sh
#. ./func/recovery/3.8.9.functions_installation_wrapper_recovery.sh
#. ./func/recovery/3.9.0.functions_installation_setup_recovery.sh
#. ./func/recovery/3.9.1.functions_installation_generate_files_recovery.sh
#. ./func/9998_check_sshd_config_integrity.sh
#. ./func/9999_check_grub_cmdline.sh
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
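Review bot: The lines `#. ./func/9998_check_sshd_config_integrity.sh` and `#. ./func/9999_check_grub_cmdline.sh` at the end of the second hunk (printed once, which on this page appears to mark new-side lines) are sourced only as comments, so neither the sshd_config integrity check nor the GRUB cmdline check is ever loaded, while the list reads as if they were part of the run. A reader cannot tell whether they are unfinished, broken, or deliberately disabled, and the same applies to the three commented recovery helpers just above them; a one-line reason next to them would settle it, e.g. `# NOTE: post-install checks 9998/9999 are not sourced — <reason goes here>`, or, if the helpers exist and work, sourcing them is the cheaper fix. The `. ./func/` fragment on the left of the `4200_setup_accounts.sh` line looks like the removed side of a changed line; if it survives anywhere on the new side it sources a directory and fails with "is a directory".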


@@ -9,10 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
. ./lib/0000_usage.sh
. ./lib/0001_contact.sh
. ./lib/0002_version.sh
. ./lib/0010_guard_sourcing.sh
. ./lib/0011_guard_safe_exec.sh . ./lib/0011_guard_safe_exec.sh
. ./lib/0020_gen_dir_files.sh . ./lib/0020_gen_dir_files.sh
. ./lib/0030_check_pkgs.sh . ./lib/0030_check_pkgs.sh
@@ -31,6 +28,7 @@
. ./lib/0101_arg_sanitizer.sh . ./lib/0101_arg_sanitizer.sh
. ./lib/0102_arg_parser.sh . ./lib/0102_arg_parser.sh
. ./lib/0103_arg_priority_check.sh . ./lib/0103_arg_priority_check.sh
. ./lib/0104_arg_nuke_converter.sh
. ./lib/0200_dialog_helper.sh . ./lib/0200_dialog_helper.sh
. ./lib/
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -9,8 +9,10 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
. ./var/colors.var.sh . ./var/colors.var.sh
. ./var/errors.var.sh . ./var/errors.var.sh
. ./var/global.var.sh . ./var/global.var.sh
. ./var/terminal.var.sh . ./var/terminal.var.sh
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -13,7 +13,7 @@
### Definition of MUST set early Variables ### Definition of MUST set early Variables
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -agx ARY_PARAM_ARRAY=("$@") declare -ag ARY_PARAM_ARRAY=("$@")
declare -grx VAR_PARAM_COUNT="$#" declare -grx VAR_PARAM_COUNT="$#"
declare -grx VAR_PARAM_STRNG="$*" declare -grx VAR_PARAM_STRNG="$*"
declare -grx VAR_CONTACT="security@coresecret.eu" declare -grx VAR_CONTACT="security@coresecret.eu"
@@ -24,5 +24,5 @@ declare -gx VAR_AUTO_INSTALL="false"
declare -gx VAR_DEBUG_TRACE="false" declare -gx VAR_DEBUG_TRACE="false"
declare -gx VAR_DEBUG_TRAP="false" declare -gx VAR_DEBUG_TRAP="false"
declare -gx VAR_IN_DIALOG_WR="false" declare -gx VAR_IN_DIALOG_WR="false"
umask 0022
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
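Review bot: `umask 0022` on the new line just before the modeline makes every file the installer creates without an explicit mode world-readable, which deserves a second look in a tool that, per the error table in this same commit, writes a LUKS nuke password file and a GRUB password file. The temp files in the other variable file are already created with `mktemp --mode=0600`, so the rest of the code clearly expects to manage sensitive modes explicitly; if the permissive mask is intentional so the target root tree gets standard package file modes, state that next to it, e.g. `umask 0022 # target-root population needs standard modes; secret files are created with explicit 0600`. Otherwise a restrictive mask such as `umask 0077` for the host-side phase, relaxed only around the chroot population step, is the safer default. The hunk header says one line was removed and one added, but only the `umask` line is shown singly on this page, so I cannot tell what it replaced.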


@@ -34,7 +34,7 @@ declare -girx ERR_BTRFS_INITPH=236 # The btrfs subvolume could not be initi
declare -girx ERR_BTRFS_SUBVOL=235 # The btrfs subvolume could not be created. declare -girx ERR_BTRFS_SUBVOL=235 # The btrfs subvolume could not be created.
declare -girx ERR_BTRFS_OPTION=234 # Compression options algo:level not valid btrfs pairs. declare -girx ERR_BTRFS_OPTION=234 # Compression options algo:level not valid btrfs pairs.
declare -girx ERR_MOUNTING_DEV=233 # The Device could not be mounted. declare -girx ERR_MOUNTING_DEV=233 # The Device could not be mounted.
declare -girx ERR_MOUNTING_ROOT=232 # The / Volume could not be mounted. declare -girx ERR_MOUNTING_ROOT=232 # The '/' Volume could not be mounted.
declare -girx ERR_MOUNTING_LUKS=231 # The LUKS Volume could not be mounted. declare -girx ERR_MOUNTING_LUKS=231 # The LUKS Volume could not be mounted.
declare -girx ERR_UNKNOWN_DEV=230 # Unknown Device Path. declare -girx ERR_UNKNOWN_DEV=230 # Unknown Device Path.
declare -girx ERR_DEBOOTSTRAP=229 # Failure occurred on debootstrap. declare -girx ERR_DEBOOTSTRAP=229 # Failure occurred on debootstrap.
@@ -42,9 +42,10 @@ declare -girx ERR_CHRT_MOUNTS=228 # Failure occurred while mounting system
declare -girx ERR_CHRT_COMMAND=227 # Failure occurred while executing chroot environment command. declare -girx ERR_CHRT_COMMAND=227 # Failure occurred while executing chroot environment command.
declare -girx ERR_GRUB_EFI_FORCE=226 # Invalid combination of Partition Table and grub_force_efi. declare -girx ERR_GRUB_EFI_FORCE=226 # Invalid combination of Partition Table and grub_force_efi.
declare -girx ERR_GRUB_BACKGROUND=225 # Failure occurred on setting up the GRUB-background. declare -girx ERR_GRUB_BACKGROUND=225 # Failure occurred on setting up the GRUB-background.
declare -girx ERR_PATH_NOT_VALID=224 # Specific path is not existing. declare -girx ERR_GRUB_ARCHITECTURE=224 # Architecture is not supported by Grub.
declare -girx ERR_READ_NUKE_FILE=223 # Error reading Luks Nuke password file. declare -girx ERR_PATH_NOT_VALID=223 # Specific path is not existing.
declare -girx ERR_READ_GRUB_FILE=222 # Error reading Grub password file. declare -girx ERR_READ_NUKE_FILE=222 # Error reading Luks Nuke password file.
declare -girx ERR_READ_GRUB_FILE=221 # Error reading Grub password file.
### Definition of error trap vars ### Definition of error trap vars
declare -gx ERRCODE="" # = $? = $1 = ERRCODE declare -gx ERRCODE="" # = $? = $1 = ERRCODE
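Review bot: Inserting `ERR_GRUB_ARCHITECTURE=224` shifts `ERR_PATH_NOT_VALID`, `ERR_READ_NUKE_FILE` and `ERR_READ_GRUB_FILE` down by one, so the same failure now exits with a different status than before this commit. Anything that keys on the number rather than the name (docs, wrapper scripts, tests checking `$?`) breaks silently; appending the new code at the next free value instead, `declare -girx ERR_GRUB_ARCHITECTURE=221 # Architecture is not supported by Grub.`, keeps the existing codes stable, assuming nothing below the table already uses 221. If the codes are considered internal and renumbering is deliberate, a one-line comment at the head of the table saying that exit codes are not a stable interface would stop the next reader from relying on them. The new table itself stays collision-free, and the `-i` attribute already rejects non-numeric values, so uniqueness is the only thing to keep an eye on.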


@@ -17,7 +17,6 @@ declare -grx VAR_KERNEL_INF="$(mktemp --tmpdir --mode=0600 /tmp/var_kernel_inf.X
declare -grx VAR_KERNEL_TMP="$(mktemp --tmpdir --mode=0600 /tmp/var_kernel_tmp.XXXXXXXX)" declare -grx VAR_KERNEL_TMP="$(mktemp --tmpdir --mode=0600 /tmp/var_kernel_tmp.XXXXXXXX)"
declare -grx VAR_KERNEL_SRT="$(mktemp --tmpdir --mode=0600 /tmp/var_kernel_srt.XXXXXXXX)" declare -grx VAR_KERNEL_SRT="$(mktemp --tmpdir --mode=0600 /tmp/var_kernel_srt.XXXXXXXX)"
declare -grx VAR_NOTES="$(mktemp --tmpdir --mode=0600 /tmp/var_notes.XXXXXXXX)" declare -grx VAR_NOTES="$(mktemp --tmpdir --mode=0600 /tmp/var_notes.XXXXXXXX)"
declare -grx LOG_ERROR="/tmp/ciss_debian_installer_$$_error.log"
declare -grx VAR_SETUP_CONF="preseed.yaml" declare -grx VAR_SETUP_CONF="preseed.yaml"
declare -grx VAR_SETUP_PART="partitioning.yaml" declare -grx VAR_SETUP_PART="partitioning.yaml"
declare -grx VAR_SETUP_FILE="${0##*/}" # 'setup.sh' declare -grx VAR_SETUP_FILE="${0##*/}" # 'setup.sh'
@@ -47,87 +46,6 @@ declare -grx RECOVERY="/recovery"
declare -grx VAR_SAFE_MNT_BASE="/run/ciss/bootstrap" declare -grx VAR_SAFE_MNT_BASE="/run/ciss/bootstrap"
### Default log level. ### Default log level.
declare -gx DEFAULT_LOG_LEVEL="info" declare -gx VAR_DEFAULT_LOG_LEVEL="info"
### 1081_helper_grub.sh:
### Variable to finish GRUB CMDLINE strings.
declare -grx VAR_H='"'
### 1250_yaml_parser.sh:
### Indexed Arrays for 'Debian Packages' to install and 'NTPSec Server' to use.
#declare -ag ARY_BOOTPARAM=()
#declare -ag ARY_PACKAGES=()
#declare -ag ARY_NTPSRVR=()
### 1251_yaml_reader.sh:
### Variable for highest device count e.g., /dev/sdf = "f"
declare -gx VAR_RECIPE_DEV_COUNTER=""
### Variable for firmware ("UEFI" || "BIOS")
declare -gx VAR_RECIPE_FIRMWARE=""
### Variable for active recipe (e.g., "gben0afx256")
declare -gx VAR_RECIPE_STRING=""
### Variable partition table ("gpt" || "mbr")
declare -gx VAR_RECIPE_TABLE=""
### Assoziative Array (HashMap) for devices and accompanying partitions
declare -Ag HMP_RECIPE_DEV_PARTITIONS
### 3200_partitioning.sh
### Assoziative Array (HashMap) to store UUIDs for each partition
### HMP_UUID_PARTITION["UUID_${var_dev}${var_part}"]="${var_uuid}"
declare -Ag HMP_UUID_PARTITION
### 3220_partition_encryption.sh
### Assoziative Array (HashMap) to store Ephemeral Device for each Mount Path
### HMP_EPHEMERAL_DEV["${var_mount_path}"]="/dev/${var_dev}${var_part}"
declare -Ag HMP_EPHEMERAL_DEV
### Assoziative Array (HashMap) to store Ephemeral Device Encryption Label for each Mount Path
### HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]="${var_encryption_label}"
declare -Ag HMP_EPHEMERAL_ENCLABEL
### Assoziative Array (HashMap) to store UUID for each Encryption Label
### HMP_ENCRYPTIONLABEL_UUID["${var_encryption_label}"]="${var_uuid}"
declare -Ag HMP_ENCRYPTIONLABEL_UUID
### Assoziative Array (HashMap) to store Encryption Label for each Mount Path
### HMP_MOUNTPATH_ENCRYPTIONLABEL["${var_mount_path}"]="${var_encryption_label}"
declare -Ag HMP_MOUNTPATH_ENCRYPTIONLABEL
### 3260_setup_filesystem.sh
### Assoziative Array (HashMap) to store Crypt Mapper OR Device for each Mount Path
### HMP_MOUNTPATH_DEV["${var_mount_path}"]="/dev/mapper/${var_encryption_label}"
### HMP_MOUNTPATH_DEV["${var_mount_path}"]="/dev/${var_dev}${var_part}"
declare -Ag HMP_MOUNTPATH_DEV
### TODO
# [3_5_1_functions_installation_partition_encryption()] Create a hashmap to store the device path for each ephemeral partition
# MAP_EPHEMERAL_DEV["${MOUNT_PATH}"]="/dev/${DEV}${PARTITION}"
declare -g -A MAP_EPHEMERAL_DEV=()
# [3_5_1_functions_installation_partition_encryption()] Create a hashmap to store the encryption label for each ephemeral partition
# MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
declare -g -A MAP_EPHEMERAL_ENCLABEL=()
# [3_5_1_functions_installation_partition_encryption()] Create a hashmap to store UUIDs for each encrypted partition
# MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]="${UUID}"
declare -g -A MAP_UUID_CRYPT=()
# [3_5_1_functions_installation_partition_encryption()] Create a hashmap to store the device path for each encrypted partition
# MAP_PATH_CRYPT["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
declare -g -A MAP_PATH_CRYPT=()
# [3_6_0_functions_installation_setup_filesystem()] Create a hashmap to store the mount paths of each partition
declare -g -A MAP_MOUNTPATH_DEV=()
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
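Review bot: The rename from `DEFAULT_LOG_LEVEL` to `VAR_DEFAULT_LOG_LEVEL` at the `### Default log level.` line changes a global that is read outside this file, and none of its readers are in view; if the framework runs with `set -u`, an unupdated reader fails on an unset variable instead of falling back to `info`. Worth grepping the tree for the old name before merge, or keeping a transitional alias `declare -gx DEFAULT_LOG_LEVEL="${VAR_DEFAULT_LOG_LEVEL}" # deprecated, remove after callers migrate`. The same concern applies to the removed `HMP_*`, `MAP_*` and `VAR_H` declarations: the comments name the files that fill them (e.g. 3220_partition_encryption.sh), and if those files assign into the maps without a `declare -A` of their own, bash evaluates a path-like subscript such as `${var_mount_path}` arithmetically and errors out, so the declarations should have moved into those files rather than vanished. I cannot confirm from this page whether that move happened.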


@@ -16,4 +16,4 @@ declare -gix COLS=$(tput cols)
declare -gix ROWS_USE=$(($(tput lines) - 8)) declare -gix ROWS_USE=$(($(tput lines) - 8))
declare -gix COLS_USE=$(($(tput cols) - 8)) declare -gix COLS_USE=$(($(tput cols) - 8))
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh: # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh