V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-07-30 22:20:22 +02:00
parent 25d4f2aaab
commit 0ee237f3eb
10 changed files with 145 additions and 62 deletions
--- a/ciss_debian_installer.sh
+++ b/ciss_debian_installer.sh
@@ -210,15 +210,15 @@ uuid_logger
 echo "MAIN PROGRAM SEQUENCE: func_debootstrap() ..."
 func_debootstrap
 echo "MAIN PROGRAM SEQUENCE: configure_system() ..."
-configure_system  # TODO: 4020() Command: [mkdir -p /etc/systemd/system/multi-user.target.wants] failed in: '/target'.
+configure_system
 echo "MAIN PROGRAM SEQUENCE: generate_fstab() ..."
-generate_fstab    # TODO: Checks ongoing. Format errors. SWAP missing
+generate_fstab
 echo "MAIN PROGRAM SEQUENCE: generate_crypttab() ..."
-generate_crypttab # TODO: Checks ongoing.
+generate_crypttab
 echo "MAIN PROGRAM SEQUENCE: generate_sources() ..."
 generate_sources
 echo "MAIN PROGRAM SEQUENCE: minimal_toolset() ..."
-minimal_toolset
+minimal_toolset # TODO: Checks ongoing.
 echo "MAIN PROGRAM SEQUENCE: setup_skel() ..."
 setup_skel
 echo "MAIN PROGRAM SEQUENCE: setup_timezone() ..."
--- a/func/helper/1080_helper_chroot.sh
+++ b/func/helper/1080_helper_chroot.sh
@@ -35,7 +35,6 @@ do_in_target() {
  declare    var_chroot_target="$1"; shift
  declare -a ary_chroot_command=("$@")
  declare -r var_default_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-  declare -i var_chroot_rc=0

  if (( ${#ary_chroot_command[@]} == 0 )); then

@@ -62,9 +61,7 @@ do_in_target() {

  then

-    var_chroot_rc="${?}"
    do_log "emergency" "file_only" "1080() Command: [chroot ${var_chroot_target} /usr/bin/env -i HOME=/root PATH=${var_default_path} TERM=${TERM} LANG=C.UTF-8 LC_ALL=C.UTF-8 ${ary_chroot_command[*]}] failed."
-    do_log "emergency" "file_only" "1080() Command: [Return code: '${var_chroot_rc}']."
    return "${ERR_CHRT_COMMAND}"

  else
@@ -93,7 +90,6 @@ do_in_target_script() {
  declare    var_chroot_target="$1"; shift
  declare    var_chroot_script="$1"
  declare -r var_default_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-  declare -i var_chroot_rc=0

  if [[ -z "${var_chroot_script}" ]]; then

@@ -112,9 +108,7 @@ do_in_target_script() {

  then

-    var_chroot_rc="${?}"
    do_log "emergency" "file_only" "1080() Command: [chroot ${var_chroot_target} /usr/bin/env -i HOME=/root PATH=${var_default_path} TERM=${TERM} LANG=C.UTF-8 LC_ALL=C.UTF-8 /bin/bash -c ${var_chroot_script}] failed."
-    do_log "emergency" "file_only" "1080() Command: [Return code: '${var_chroot_rc}']."
    return "${ERR_CHRT_COMMAND}"

    # TODO: Test with Dialog Wrapper in interactive mode.
--- a/func/helper/1251_yaml_reader.sh
+++ b/func/helper/1251_yaml_reader.sh
@@ -35,7 +35,7 @@ yaml_reader() {
  # shellcheck disable=SC2034
  declare -Ag HMP_RECIPE_DEV_PARTITIONS=()
  declare -gx VAR_RECIPE_STRING="" VAR_RECIPE_HIGHEST_DEVICE="" VAR_ARCHITECTURE="" VAR_RECIPE_FIRMWARE="" VAR_NUKE="" \
-              VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false"
+              VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false" VAR_CODENAME=""
  ### Declare and substitute input files.
  declare -r  var_if="${VAR_PRESEED}"
  declare     var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \
@@ -133,11 +133,13 @@ END { print max }

  ### Extract architecture.
  # shellcheck disable=SC2034
-  VAR_ARCHITECTURE="${architecture}"
+  VAR_ARCHITECTURE="${architecture,,}"
+  # shellcheck disable=SC2034
+  VAR_CODENAME="${distribution,,}"

  ### Extract chroot secure '/run' mounting strategy.
  # shellcheck disable=SC2034
-  VAR_NEED_RUN_IN_TARGET="${needrun}"
+  VAR_NEED_RUN_IN_TARGET="${needrun,,}"

  ### Extract chosen firmware.
  recipe_firmware_var="recipe_${VAR_RECIPE_STRING}_control_firmware"
--- a/func/system/4020_configure_system.sh
+++ b/func/system/4020_configure_system.sh
@@ -107,6 +107,7 @@ configure_system() {

  # shellcheck disable=SC2034
  declare -gx VAR_CHROOT_ACTIVATED="system"
+  do_log "info" "file_only" "4020() Command: [declare -gx VAR_CHROOT_ACTIVATED=system]"

  return 0
 }
--- a/func/system/4040_generate_fstab.sh
+++ b/func/system/4040_generate_fstab.sh
@@ -30,12 +30,12 @@ write_fstab() {

  if [[ "${write_maps}" =~ ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}$ ]] || [[ "${write_maps}" =~ ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ ]]; then

-    printf "%-43s%-28s%-8s%-100s0 %s\n" "UUID=${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
+    printf "%-43s%-28s%-18s%-100s0 %s\n" "UUID=${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
    do_log "info" "file_only" "4040() fstab entry generated: [UUID=${write_maps}    ${write_path}    ${write_type}    ${write_opts}    0 ${write_pass}]."

  elif [[ "${write_maps}" == /dev/mapper/* ]]; then

-    printf "%-43s%-28s%-8s%-100s0 %s\n" "${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
+    printf "%-43s%-28s%-18s%-100s0 %s\n" "${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
    do_log "info" "file_only" "4040() fstab entry generated: [${write_maps}    ${write_path}    ${write_type}    ${write_opts}    0 ${write_pass}]."

  fi
@@ -47,12 +47,12 @@ write_fstab() {
 # Generate target '/etc/fstab' entries.
 # Globals:
 #   ARY_PATHS_SORTED
-#   DIR_LOG
 #   HMP_EPHEMERAL_ENCLABEL
 #   HMP_FSTAB_MOUNT_FTYPE
 #   HMP_FSTAB_MOUNT_OPTS
 #   HMP_PATH_FSUUID
 #   TARGET
+#   VAR_VERSION
 # Arguments:
 #   None
 # Returns:
@@ -61,7 +61,6 @@ write_fstab() {
 generate_fstab() {
  ### Declare Arrays, HashMaps, and Variables.
  declare    var_path="" var_dmapper="" var_fs_uuid="" var_fs_path="" var_fs_type="" var_fs_opts="" var_fs_pass=""
-  declare -i rc=0

  ### Generate '${TARGET}/etc/fstab' header.
  : >| "${TARGET}/etc/fstab"
@@ -79,7 +78,9 @@ generate_fstab() {
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-# CISS.debian.installer ${VAR_VERSION}
+# /etc/fstab            : Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture          : ${VAR_ARCHITECTURE}
+# Distribution          : ${VAR_CODENAME}

 # Static file system information '/etc/fstab'.
 #
@@ -171,23 +172,22 @@ EOF
 /dev/sr0                                   /media/cdrom0               udf,iso9660       user,noauto                                                                                         0 0

 EOF
-  do_log "info" "file_only" "fstab entry generated: '/dev/sr0  /media/cdrom0  udf,iso9660  user,noauto  0 0'."
+  do_log "info" "file_only" "4040() fstab entry generated: '/dev/sr0  /media/cdrom0  udf,iso9660  user,noauto  0 0'."

  cat << 'EOF' >> "${TARGET}/etc/fstab"
 ### Secure tmpfs mounts for a hardened system
-
-# Mount the proc filesystem to provide process and kernel information
+# Mount the 'proc' filesystem to provide process and kernel information.
+# Mount 'sysfs' to expose kernel device information to user space.
+# Mount the 'devpts' filesystem to enable pseudo-terminal support for user sessions.
+# Restrict '/dev/shm' to shared memory, limit size, prevent code execution.
+# System runtime directory in RAM. Do not set 'noexec' here for compatibility.
 proc                                       /proc                       proc              nodev,nosuid,noexec,hidepid=2                                                                       0 0
-# Mount sysfs to expose kernel device information to user space
 sysfs                                      /sys                        sysfs             defaults                                                                                            0 0
-# Mount the devpts filesystem to enable pseudo-terminal support for user sessions
 devpts                                     /dev/pts                    devpts            gid=5,mode=620                                                                                      0 0
-# Restrict /dev/shm to shared memory, limit size, prevent code execution
 tmpfs                                      /dev/shm                    tmpfs             rw,nodev,noexec,nosuid,relatime,size=1G                                                             0 0
-# System runtime directory in RAM; do not set noexec here for compatibility
 tmpfs                                      /run                        tmpfs             mode=0755,nodev,nosuid                                                                              0 0

-# vim: number et ts=2 sw=2 sts=2 ai tw=192 ft=sh
+# vim: number et ts=2 sw=2 sts=2 ai tw=200 ft=sh
 EOF

  return 0
--- a/func/system/4060_generate_crypttab.sh
+++ b/func/system/4060_generate_crypttab.sh
@@ -26,8 +26,10 @@ guard_sourcing
 #######################################
 write_crypttab() {
  declare write_label="$1" write_dev="$2" write_key_file="$3" write_opts="$4"
-  printf "%-43s %-45s %-29s %s\n" "${write_label}" "${write_dev}" "${write_key_file}" "${write_opts}" >> "${TARGET}/etc/crypttab"
+
+  printf "%-43s %-46s %-30s %s\n" "${write_label}" "${write_dev}" "${write_key_file}" "${write_opts}" >> "${TARGET}/etc/crypttab"
  do_log "info" "file_only" "4060() crypttab entry generated: [${write_label} ${write_dev} ${write_key_file} ${write_opts}]."
+
  return 0
 }

@@ -40,6 +42,7 @@ write_crypttab() {
 #   HMP_PATH_LUKSUUID
 #   TARGET
 #   VAR_NUKE
+#   VAR_VERSION
 #   dropbear_boot
 # Arguments:
 #  None
@@ -54,7 +57,7 @@ generate_crypttab() {
  : >| "${TARGET}/etc/crypttab"
  chmod 0600 "${TARGET}/etc/crypttab"

-  cat << 'EOF' >> "${TARGET}/etc/crypttab"
+  cat << EOF >> "${TARGET}/etc/crypttab"
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
@@ -66,6 +69,10 @@ generate_crypttab() {
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

+# /etc/fstab            : Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture          : ${VAR_ARCHITECTURE}
+# Distribution          : ${VAR_CODENAME}
+
 # Static file system information: '/etc/crypttab'.
 #
 # Basic rule: 'discard' / 'nodiscard' are normally only set in '/etc/crypttab' when LUKS/dm-crypt is in use. Options like
@@ -91,7 +98,9 @@ EOF

      if [[ "${VAR_NUKE,,}" == "true" && "${var_key,,}" == "/" ]]; then

-        write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=/lib/cryptsetup/scripts/unlock_wrapper.sh"
+        # TODO: Check for cryptsetup installation errors while unlock_wrapper.sh is not yet installed.
+        #write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=/lib/cryptsetup/scripts/unlock_wrapper.sh"
+        write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs"
        continue

      fi
@@ -113,20 +122,29 @@ EOF
    var_host_uuid="${HMP_PATH_FSUUID["${var_key}"]}"

    case "${var_key}" in
+
      SWAP)
        write_crypttab "${var_ephemeral_enclabel}" "UUID=${var_host_uuid}" "/dev/random" "swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096"
        ;;
+
      /tmp)
        write_crypttab "${var_ephemeral_enclabel}" "UUID=${var_host_uuid}" "/dev/random" "offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4"
        ;;
+
      *)
-        do_log "error" "file_only" "Only 'SWAP' and '/tmp' are valid Partitions for Ephemeral Encryption. Given value was: '${var_key}'."
+        do_log "error" "file_only" "4060() Only 'SWAP' and '/tmp' are valid Partitions for Ephemeral Encryption. Given value was: '${var_key}'."
        continue
        ;;
+
    esac

  done

+  cat << 'EOF' >> "${TARGET}/etc/crypttab"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=200 ft=sh
+EOF
+
  return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/system/4080_generate_sources.sh
+++ b/func/system/4080_generate_sources.sh
@@ -36,8 +36,9 @@ guard_sourcing
 #   0: on success
 #######################################
 generate_sources() {
-  declare -a ary_components
-  declare var_arch var_codename var_deb_src var_dir var_hostname var_hostsecure var_url var_surl
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -a ary_components=()
+  declare    var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url var_surl=""

  # shellcheck disable=SC2154 # "${architecture}"
  var_arch="${architecture,,}"
@@ -52,88 +53,126 @@ generate_sources() {
  # shellcheck disable=SC2154 # "${apt_sec}"
  var_hostsecure="${apt_sec,,}"

-  ary_components=(main)
-  [[ "${apt_contrib,,}" == "true" ]] && ary_components+=(contrib)
-  [[ "${apt_non_free,,}" == "true" ]] && ary_components+=(non-free)
-  [[ "${apt_non_free_firmware,,}" == "true" ]] && ary_components+=(non-free-firmware)
+  ary_components=( "main" )
+  [[ "${apt_contrib,,}" == "true" ]] && ary_components+=( "contrib" )
+  [[ "${apt_non_free,,}" == "true" ]] && ary_components+=( "non-free" )
+  [[ "${apt_non_free_firmware,,}" == "true" ]] && ary_components+=( "non-free-firmware" )

  if [[ "${apt_mirror_protocol,,}" == "https" ]]; then
+
    var_url="https://${var_hostname}${var_dir}"
    var_surl="https://${var_hostsecure}/debian-security"
+
  elif [[ "${apt_mirror_protocol,,}" == "http" ]]; then
+
    var_url="http://${var_hostname}${var_dir}"
    var_surl="http://${var_hostsecure}/debian-security"
+
  else
+
    var_url="https://${var_hostname}${var_dir}"
    var_surl="https://${var_hostsecure}/debian-security"
+
  fi

  : >| "${TARGET}/etc/apt/sources.list"
  chmod 0644 "${TARGET}/etc/apt/sources.list"

  ### Main Repository
+  # shellcheck disable=SC2153
  cat << EOF >> "${TARGET}/etc/apt/sources.list"
-# /etc/apt/sources.list : Generated by CISS.debian.installer
-# Architecture          : ${var_arch}
-# Distribution          : ${var_codename}
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# /etc/apt/sources.list : Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture          : ${VAR_ARCHITECTURE}
+# Distribution          : ${VAR_CODENAME}

 #------------------------------------------------------------------------------------------------------------------------------#
 #                                                     OFFICIAL DEBIAN REPOS                                                    #
 #------------------------------------------------------------------------------------------------------------------------------#
 deb ${var_url} ${var_codename} ${ary_components[*]}
 EOF
-  do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename} ${ary_components[*]}'."
+  do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename} ${ary_components[*]}'."

  if [[ "${var_deb_src}" == "true" ]]; then
+
    echo "deb-src ${var_url} ${var_codename} ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
-    do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename} ${ary_components[*]}'."
+    do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename} ${ary_components[*]}'."
+
  fi

+
  ### Security Repository
  if [[ "${apt_updates_security,,}" == "true" ]]; then
+
    cat << EOF >> "${TARGET}/etc/apt/sources.list"

 deb ${var_surl} ${var_codename}-security ${ary_components[*]}
 EOF
-    do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_surl} ${var_codename}-security ${ary_components[*]}'."
+    do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_surl} ${var_codename}-security ${ary_components[*]}'."
+
    if [[ "${var_deb_src}" == "true" ]]; then
+
      echo "deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
-      do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}'."
+      do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}'."
+
    fi
+
  fi

+
  ### Updates Repository
  if [[ "${apt_updates_release,,}" == "true" ]]; then
+
    cat << EOF >> "${TARGET}/etc/apt/sources.list"

 deb ${var_url} ${var_codename}-updates ${ary_components[*]}
 EOF
-    do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-updates ${ary_components[*]}'."
+    do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-updates ${ary_components[*]}'."
+
    if [[ "${var_deb_src}" == "true" ]]; then
+
      echo "deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
-      do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}'."
+      do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}'."
+
    fi
+
  fi

+
  ### Backports Repository
  if [[ "${apt_updates_backports,,}" == "true" ]]; then
+
    cat << EOF >> "${TARGET}/etc/apt/sources.list"

 deb ${var_url} ${var_codename}-backports ${ary_components[*]}
 EOF
-    do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-backports ${ary_components[*]}'."
+    do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-backports ${ary_components[*]}'."
+
    if [[ "${var_deb_src,,}" == "true" ]]; then
+
      echo "deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
-      do_log "info" "file_only" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}'."
+      do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}'."
+
    fi
+
  fi

+
  ### Clean up 'sources.list'
  sed -i '/^#/!s/[[:space:]]\+/ /g' "${TARGET}/etc/apt/sources.list"

  cat << EOF >> "${TARGET}/etc/apt/sources.list"

-# Copyright 2018-2025; WEIDNER, Marc S., <msw@coresecret.dev>
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF

@@ -142,7 +181,7 @@ EOF
  if [[ "${apt_updates_policy,,}" == "unattended" ]]; then

    do_in_target "${TARGET}" apt-get install -y unattended-upgrades
-    do_log "info" "file_only" "The update policy was set at installation time to '${apt_updates_policy}'."
+    do_log "info" "file_only" "4080() The update policy was set at installation time to '${apt_updates_policy}'."

  elif [[ "${apt_updates_policy,,}" == "security" ]]; then

@@ -150,17 +189,18 @@ EOF

    # shellcheck disable=SC2016
    sed -i 's/^[[:space:]]*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${TARGET}/etc/apt/apt.conf.d/50unattended-upgrades"
-    do_log "info" "file_only" "The update policy was set at installation time to '${apt_updates_policy}'."
+    do_log "info" "file_only" "4080() The update policy was set at installation time to '${apt_updates_policy}'."

  elif [[ "${apt_updates_policy,,}" == "none" ]]; then

-    do_log "info" "file_only" "The update policy was set at installation time to: '${apt_updates_policy}'."
+    do_log "info" "file_only" "4080() The update policy was set at installation time to: '${apt_updates_policy}'."

  else

-    do_log "warning" "file_only" "Update policy '${apt_updates_policy}': is not supported. Using 'none' as default."
+    do_log "warning" "file_only" "4080() Update policy '${apt_updates_policy}': is not supported. Using 'none' as default."

  fi
+
  return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/system/4090_minimal_toolset.sh
+++ b/func/system/4090_minimal_toolset.sh
@@ -44,6 +44,26 @@ minimal_toolset() {
    [sudo]="sudo"
    [update-initramfs]="initramfs-tools"
    [zsh]="zsh"
+    [lsblk]="util-linux"
+    [blkid]="util-linux"
+    [mount]="util-linux"
+    [umount]="util-linux"
+    [findmnt]="util-linux"
+    [parted]="parted"
+    [fdisk]="fdisk"
+    [tar]="tar"
+    [gzip]="gzip"
+    [curl]="curl"
+    [wget]="wget"
+    [tree]="tree"
+    [lsb_release]="lsb-release"
+    [btrfs]="btrfs-progs"
+    [e2label]="e2fsprogs"
+    [tune2fs]="e2fsprogs"
+    [fsck]="e2fsprogs"
+    [base64]="coreutils"
+    [xxd]="vim-common"
+    [jq]="jq"
  )

  declare     var_bin=""
@@ -58,6 +78,8 @@ minimal_toolset() {

  done

+  do_in_target "${TARGET}" apt-get install -y locales tzdata debconf
+
  ### Ensure systemd and machine-id are in place
  if ! do_in_target_script "${TARGET}" "command -v systemctl >/dev/null"; then

--- a/func/system/4095_setup_skel.sh
+++ b/func/system/4095_setup_skel.sh
@@ -16,6 +16,7 @@ guard_sourcing
 # Prepare '/etc/skel'-Directory.
 # Globals:
 #   TARGET
+#   VAR_SETUP_PATH
 # Arguments:
 #   None
 # Returns:
@@ -27,10 +28,13 @@ setup_skel() {
  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/alias" "${TARGET}/etc/skel/.ciss/"
  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/clean_logout.sh" "${TARGET}/etc/skel/.ciss/"
  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/shortcuts" "${TARGET}/etc/skel/.ciss/"
-  # In order to be able to copy/paste from vim, one needs to create a '.vimrc' in every home directory with the following content:
+
+  ### In order to be able to copy/paste from vim, one needs to create a '.vimrc' in every home directory with the following content:
  echo 'set clipboard=unnamed' >| "${TARGET}/etc/skel/.vimrc"
  chmod 0644 "${TARGET}/etc/skel/.vimrc"
-  do_log "info" "file_only" "Installed: '/etc/skel'-Files."
+
+  do_log "info" "file_only" "4095() Installed: '/etc/skel'-Files."
+
  return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/system/4999_exiting_chroot_system.sh
+++ b/func/system/4999_exiting_chroot_system.sh
@@ -41,6 +41,8 @@ exiting_chroot_system() {

  fi

+  declare -gx VAR_CHROOT_ACTIVATED="false"
+
  return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh