V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_5000_recovery/5050_setup_locales.sh

@@ -0,0 +1,138 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Set locale, locale overrides and configure keyboard layout.
+# Globals:
+#   ARY_LOCALE
+#   RECOVERY
+#   VAR_ARCHITECTURE
+#   VAR_CODENAME
+#   VAR_VERSION
+#   locale_country
+#   locale_keyboard_xkb_keymap
+#   locale_language
+#   locale_override_address
+#   locale_override_collate
+#   locale_override_ctype
+#   locale_override_measurement
+#   locale_override_messages
+#   locale_override_monetary
+#   locale_override_name
+#   locale_override_numeric
+#   locale_override_paper
+#   locale_override_telephone
+#   locale_override_time
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+setup_locales_reco() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_locale_hook="/root/.ciss/cdi/hooks/4050_setup_locales.hooks.sh"
+
+  ### Give priority to '${locale_locale}' over separately configured variables '${locale_country}' and '${locale_language}'.
+  ### If 'locale_locale' is not set, build it from 'locale_language' and 'locale_country'.
+  if [[ -n "${locale_language:-}" && -n "${locale_country:-}" && -z "${ARY_LOCALE[0]:-}" ]]; then
+    ARY_LOCALE+="${locale_language}_${locale_country}.UTF-8"
+  fi
+
+  ### Creat Hook in target.
+  cat << EOF >| "${RECOVERY}${var_locale_hook}"
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+set -Ceuo pipefail
+
+declare -a ary_locale=()
+declare -r locale_0=${ARY_LOCALE[0]:-en_US.UTF-8}
+declare -r locale_1=${ARY_LOCALE[1]:-}
+declare    loc=""
+
+EOF
+
+  cat << 'EOF' >> "${RECOVERY}${var_locale_hook}"
+ary_locale+=( "${locale_0}" )
+[[ -n "${locale_1}" ]] && ary_locale+=( "${locale_1}" )
+
+for loc in "${ary_locale[@]}"; do
+  if ! grep -qx "${loc} UTF-8" /etc/locale.gen; then
+    sed -i "s/^# ${loc} UTF-8/${loc} UTF-8/" /etc/locale.gen || echo "${loc} UTF-8" >> /etc/locale.gen
+  fi
+done
+
+locale-gen --purge "${ary_locale[@]}"
+
+for loc in "${ary_locale[@]}"; do
+  locale_check=$(echo "${loc}" | sed 's/UTF-8/utf8/')
+  if ! locale -a | grep -qx "${locale_check}"; then
+    echo "Locale '${loc}' has not been generated successfully." >&2
+    exit 1
+  fi
+done
+
+EOF
+
+  cat << EOF >> "${RECOVERY}${var_locale_hook}"
+update-locale \
+LANG=${ARY_LOCALE[0]} \
+LC_ADDRESS=${locale_override_address:-${ARY_LOCALE[0]}} \
+LC_COLLATE=${locale_override_collate:-${ARY_LOCALE[0]}} \
+LC_CTYPE=${locale_override_ctype:-${ARY_LOCALE[0]}} \
+LC_MEASUREMENT=${locale_override_measurement:-${ARY_LOCALE[0]}} \
+LC_MESSAGES=${locale_override_messages:-${ARY_LOCALE[0]}} \
+LC_MONETARY=${locale_override_monetary:-${ARY_LOCALE[0]}} \
+LC_NAME=${locale_override_name:-${ARY_LOCALE[0]}} \
+LC_NUMERIC=${locale_override_numeric:-${ARY_LOCALE[0]}} \
+LC_PAPER=${locale_override_paper:-${ARY_LOCALE[0]}} \
+LC_TELEPHONE=${locale_override_telephone:-${ARY_LOCALE[0]}} \
+LC_TIME=${locale_override_time:-${ARY_LOCALE[0]}} \
+LC_IDENTIFICATION=${ARY_LOCALE[0]}
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+  chmod 0700 "${RECOVERY}${var_locale_hook}"
+  chroot_script "${RECOVERY}" "${var_locale_hook}"
+
+  ### Set the keyboard layout for the system (for consoles).
+  insert_header   "${RECOVERY}/etc/default/keyboard"
+  insert_comments "${RECOVERY}/etc/default/keyboard"
+  cat << EOF >>   "${RECOVERY}/etc/default/keyboard"
+# KEYBOARD CONFIGURATION FILE
+# Consult the keyboard(5) manual page.
+
+XKBMODEL="pc105"
+XKBLAYOUT="${locale_keyboard_xkb_keymap}"
+XKBVARIANT=""
+XKBOPTIONS=""
+BACKSPACE="guess"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+  chmod 0644 "${RECOVERY}/etc/default/keyboard"
+  do_log "info" "file_only" "4050() Keyboard layout updated: 'XKBLAYOUT=${locale_keyboard_xkb_keymap}' -> '${RECOVERY}/etc/default/keyboard'."
+
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_5000_recovery/5105_generate_sources_822.sh

@@ -0,0 +1,185 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Generate target '/etc/apt/sources.list.d/' deb.822 entries.
+# Globals:
+#   RECOVERY
+#   apt_contrib
+#   apt_deb_sources
+#   apt_mirror_directory
+#   apt_mirror_hostname
+#   apt_mirror_protocol
+#   apt_non_free
+#   apt_non_free_firmware
+#   apt_sec
+#   apt_updates_backports
+#   apt_updates_release
+#   apt_updates_security
+#   architecture
+#   distribution
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+generate_sources822_reco() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -a ary_components=() ary_types=()
+  declare    var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
+
+  # shellcheck disable=SC2154 # "${architecture}"
+  var_arch="${architecture,,}"
+  # shellcheck disable=SC2154 # "${distribution}"
+  var_codename="${distribution,,}"
+  # shellcheck disable=SC2154 # "${apt_deb_sources}"
+  var_deb_src="${apt_deb_sources,,}"
+  # shellcheck disable=SC2154 # "${apt_mirror_directory}"
+  var_dir="${apt_mirror_directory,,}"
+  # shellcheck disable=SC2154 # "${apt_mirror_hostname}"
+  var_hostname="${apt_mirror_hostname,,}"
+  # shellcheck disable=SC2154 # "${apt_sec}"
+  var_hostsecure="${apt_sec,,}"
+
+  ary_components=( "main" )
+  [[ "${apt_contrib,,}" == "true" ]] && ary_components+=( "contrib" )
+  [[ "${apt_non_free,,}" == "true" ]] && ary_components+=( "non-free" )
+  [[ "${apt_non_free_firmware,,}" == "true" ]] && ary_components+=( "non-free-firmware" )
+
+  ary_types=( "deb" )
+  [[ "${apt_deb_sources,,}" == "true" ]] && ary_types+=( "deb-src" )
+
+  if [[ "${apt_mirror_protocol,,}" == "https" ]]; then
+
+    var_url="https://${var_hostname}${var_dir}"
+    var_surl="https://${var_hostsecure}/debian-security"
+
+  elif [[ "${apt_mirror_protocol,,}" == "http" ]]; then
+
+    var_url="http://${var_hostname}${var_dir}"
+    var_surl="http://${var_hostsecure}/debian-security"
+
+  else
+
+    var_url="https://${var_hostname}${var_dir}"
+    var_surl="https://${var_hostsecure}/debian-security"
+
+  fi
+
+
+  ### Main Repository
+  insert_header   "${RECOVERY}/etc/apt/sources.list.d/trixie.sources"
+  insert_comments "${RECOVERY}/etc/apt/sources.list.d/trixie.sources"
+  cat << EOF >>   "${RECOVERY}/etc/apt/sources.list.d/trixie.sources"
+#------------------------------------------------------------------------------------------------------------------------------#
+#                                                     OFFICIAL DEBIAN REPOS                                                    #
+#------------------------------------------------------------------------------------------------------------------------------#
+Types: ${ary_types[*]}
+URIs: ${var_url}
+Suites: ${var_codename}
+Components: ${ary_components[*]}
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+
+  ### Security Repository
+  if [[ "${apt_updates_security,,}" == "true" ]]; then
+    insert_header   "${RECOVERY}/etc/apt/sources.list.d/trixie-security.sources"
+    insert_comments "${RECOVERY}/etc/apt/sources.list.d/trixie-security.sources"
+    cat << EOF >>   "${RECOVERY}/etc/apt/sources.list.d/trixie-security.sources"
+#------------------------------------------------------------------------------------------------------------------------------#
+#                                                     OFFICIAL DEBIAN REPOS                                                    #
+#------------------------------------------------------------------------------------------------------------------------------#
+Types: ${ary_types[*]}
+URIs: ${var_surl}
+Suites: ${var_codename}-security
+Components: ${ary_components[*]}
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+  fi
+
+  ### Updates Repository
+  if [[ "${apt_updates_release,,}" == "true" ]]; then
+    insert_header   "${RECOVERY}/etc/apt/sources.list.d/trixie-updates.sources"
+    insert_comments "${RECOVERY}/etc/apt/sources.list.d/trixie-updates.sources"
+    cat << EOF >>   "${RECOVERY}/etc/apt/sources.list.d/trixie-updates.sources"
+#------------------------------------------------------------------------------------------------------------------------------#
+#                                                     OFFICIAL DEBIAN REPOS                                                    #
+#------------------------------------------------------------------------------------------------------------------------------#
+Types: ${ary_types[*]}
+URIs: ${var_url}
+Suites: ${var_codename}-updates
+Components: ${ary_components[*]}
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+  fi
+
+
+  ### Backports Repository
+  if [[ "${apt_updates_backports,,}" == "true" ]]; then
+    insert_header   "${RECOVERY}/etc/apt/sources.list.d/trixie-backports.sources"
+    insert_comments "${RECOVERY}/etc/apt/sources.list.d/trixie-backports.sources"
+    cat << EOF >>   "${RECOVERY}/etc/apt/sources.list.d/trixie-backports.sources"
+#------------------------------------------------------------------------------------------------------------------------------#
+#                                                     OFFICIAL DEBIAN REPOS                                                    #
+#------------------------------------------------------------------------------------------------------------------------------#
+Types: ${ary_types[*]}
+URIs: ${var_url}
+Suites: ${var_codename}-backports
+Components: ${ary_components[*]}
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+  fi
+
+
+  if [[ -f "${RECOVERY}/etc/apt/sources.list" ]]; then
+    rm -f "${RECOVERY}/etc/apt/sources.list"
+  fi
+
+
+  insert_header   "${RECOVERY}/etc/apt/apt.conf.d/90-no-pdiffs"
+  insert_comments "${RECOVERY}/etc/apt/apt.conf.d/90-no-pdiffs"
+  cat << 'EOF' >> "${RECOVERY}/etc/apt/apt.conf.d/90-no-pdiffs"
+Acquire::PDiffs "false";
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+  sed -i -E 's|^([[:space:]]*)#+|\1//|' "${RECOVERY}/etc/apt/apt.conf.d/90-no-pdiffs"
+
+
+  insert_header   "${RECOVERY}/etc/apt/apt.conf.d/91-acquire"
+  insert_comments "${RECOVERY}/etc/apt/apt.conf.d/91-acquire"
+  cat << 'EOF' >> "${RECOVERY}/etc/apt/apt.conf.d/91-acquire"
+Acquire::Retries "3";
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+  sed -i -E 's|^([[:space:]]*)#+|\1//|' "${RECOVERY}/etc/apt/apt.conf.d/91-acquire"
+
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_5000_recovery/5110_update_sources.sh

@@ -0,0 +1,74 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Update generated sources.
+# Every 'apt-get install' command is invoked by adding 'export INITRD=No'
+# to suppress the 'update-initramfs'-Kernel-Hooks, according to the initramfs-tools manpage:
+# https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
+# Globals:
+#   RECOVERY
+#   apt_updates_policy
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+update_sources_reco() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_logfile="/root/.ciss/cdi/log/5110_update_sources.log"
+
+  chroot_logger "${RECOVERY}${var_logfile}"
+
+  ### Update generated sources.
+  # shellcheck disable=SC2312
+  chroot_script "${RECOVERY}" "apt-get update 2>&1 | tee -a ${var_logfile}; echo ExitCode: \$? >> ${var_logfile}"
+  do_log "info" "file_only" "5110() Sources lists: updated successfully."
+
+
+  ### Update unattended, security, or no unattended updates at all.
+  if [[ "${apt_updates_policy,,}" == "unattended" ]]; then
+
+    chroot_script "${RECOVERY}" "
+      export INITRD=No
+      apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
+      echo ExitCode: \$? >> ${var_logfile}
+    "
+    do_log "info" "file_only" "5110() The update policy was set at installation time to: '${apt_updates_policy}'."
+
+  elif [[ "${apt_updates_policy,,}" == "security" ]]; then
+
+    chroot_script "${RECOVERY}" "
+      export INITRD=No
+      apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
+      echo ExitCode: \$? >> ${var_logfile}
+    "
+
+    # shellcheck disable=SC2016
+    sed -i 's/^[[:space:]]*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${RECOVERY}/etc/apt/apt.conf.d/50unattended-upgrades"
+    do_log "info" "file_only" "5110() The update policy was set at installation time to: '${apt_updates_policy}'."
+
+  elif [[ "${apt_updates_policy,,}" == "none" ]]; then
+
+    do_log "info" "file_only" "5110() The update policy was set at installation time to: '${apt_updates_policy}'."
+
+  else
+
+    do_log "warning" "file_only" "5110() Update policy '${apt_updates_policy}': is not supported. Using 'none' as default."
+
+  fi
+
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_5000_recovery/5120_installation_kernel.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Installation of the specified kernel.
+# Every 'apt-get install' command is invoked by adding 'export INITRD=No'
+# to suppress the 'update-initramfs'-Kernel-Hooks, according to the initramfs-tools manpage:
+# https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
+# Globals:
+#   RECOVERY
+#   VAR_KERNEL
+#   image
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+installation_kernel_reco() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_logfile="/root/.ciss/cdi/log/5120_installation_kernel.log"
+
+  chroot_logger "${RECOVERY}${var_logfile}"
+
+  if [[ -n "${VAR_KERNEL}" ]]; then
+
+    chroot_script "${RECOVERY}" '
+      export INITRD=No
+      apt-get install -y --no-install-recommends --no-install-suggests '"${VAR_KERNEL}"' initramfs-tools 2>&1 | tee -a '"${var_logfile}"'
+      echo ExitCode: $? >> '"${var_logfile}"'
+    '
+
+    do_log "info" "file_only" "5120() Kernel image: '${VAR_KERNEL}' installed successfully."
+
+    guard_dir && return 0
+
+  else
+
+    chroot_script "${RECOVERY}" "
+      export INITRD=No
+      apt-get install -y --no-install-recommends --no-install-suggests ${image} initramfs-tools 2>&1 | tee -a ${var_logfile}
+      echo ExitCode: \$? >> ${var_logfile}
+    "
+
+    do_log "info" "file_only" "5120() Kernel image: '${image}' installed successfully."
+
+    guard_dir && return 0
+
+  fi
+
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_5000_recovery/5121_installation_initramfs.sh

@@ -0,0 +1,99 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Installation of 'initramfs'-environment.
+# Every 'apt-get install' command is invoked by adding 'export INITRD=No'
+# to suppress the 'update-initramfs'-Kernel-Hooks, according to the initramfs-tools manpage:
+# https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
+# Globals:
+#   RECOVERY
+#   VAR_ROOT_FS
+#   VAR_SETUP_PATH
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+installation_initramfs_reco() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_modules="" var_whereiam=""
+
+  # shellcheck disable=SC2312
+  if [[ -x "$(command -v virt-what)" ]]; then
+    var_whereiam=$(virt-what | head -n1)
+  else
+    var_whereiam=$(grep -iE 'kvm|vmware|qemu' /sys/class/dmi/id/product_name 2>/dev/null || echo "baremetal")
+  fi
+
+  mkdir -p "${RECOVERY}/etc/initramfs-tools/files"
+
+  ### Install the script that will be called by 'update-initramfs' to install the necessary modules for the initramfs environment.
+  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/modules" \
+    "${RECOVERY}/etc/initramfs-tools/"
+
+  insert_comments "${RECOVERY}/etc/initramfs-tools/modules"
+
+  var_modules=$(grep_nic_driver_modules)
+
+  cat << EOF >> "${RECOVERY}/etc/initramfs-tools/modules"
+### Custom NIC driver:
+${var_modules}
+
+EOF
+
+  if [[ "${var_whereiam}" =~ ^(kvm|vmware|qemu)$ ]]; then
+
+    cat << EOF >> "${RECOVERY}/etc/initramfs-tools/modules"
+### QEMU Bochs-compatible virtual machine support:
+bochs
+
+### Virtio support:
+virtio_pci
+virtio_blk
+virtio_scsi
+virtio_console
+virtio_rng
+
+EOF
+  fi
+
+  printf "%s\n" '# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf' >> "${RECOVERY}/etc/initramfs-tools/modules"
+
+  ### MODULES: [ most | netboot | dep | list ]
+  ## 'most' - Add most filesystem and all hard-drive drivers.
+  ## 'dep'  - Try and guess the modules to load.
+
+  insert_header   "${RECOVERY}/etc/initramfs-tools/conf.d/driver-policy"
+  insert_comments "${RECOVERY}/etc/initramfs-tools/conf.d/driver-policy"
+  cat << EOF >>   "${RECOVERY}/etc/initramfs-tools/conf.d/driver-policy"
+# Driver inclusion policy selected during installation.
+# Note: This setting overrides the value set in the file '/etc/initramfs-tools/initramfs.conf'.
+
+MODULES=dep
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  insert_header   "${RECOVERY}/etc/initramfs-tools/conf.d/fsroot"
+  insert_comments "${RECOVERY}/etc/initramfs-tools/conf.d/fsroot"
+  cat << EOF >>   "${RECOVERY}/etc/initramfs-tools/conf.d/fsroot"
+FSTYPE=${VAR_ROOT_FS}
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_5000_recovery/5130_installation_toolset.sh

@@ -0,0 +1,106 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Check and set up the minimum required tools for the next installation steps.
+# Every 'apt-get install' command is invoked by adding 'export INITRD=No'
+# to suppress the 'update-initramfs'-Kernel-Hooks, according to the initramfs-tools manpage:
+# https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
+# Globals:
+#   RECOVERY
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+installation_toolset_reco() {
+  ### Declare Arrays, HashMaps, and Variables.
+  # shellcheck disable=SC2154
+  declare -A  hmp_tool_pkg=(
+    [apt-show-versions]="apt-show-versions"
+    [bc]="bc"
+    [dig]="bind9-dnsutils"
+    [host]="bind9-dnsutils"
+    [hexdump]="bsdmainutils"
+    [btrfs]="btrfs-progs"
+    [bunzip2]="bzip2"
+    [setupcon]="console-setup"
+    [curl]="curl"
+    [dirmngr]="dirmngr"
+    [dmsetup]="dmsetup"
+    [fsck.vfat]="dosfstools"
+    [mkfs.vfat]="dosfstools"
+    [e2label]="e2fsprogs"
+    [tune2fs]="e2fsprogs"
+    [fsck]="e2fsprogs"
+    [efibootmgr]="efibootmgr"
+    [file]="file"
+    [awk]="gawk"
+    [gdisk]="gdisk"
+    [gnupg]="gnupg"
+    [haveged]="haveged"
+    [update-initramfs]="initramfs-tools"
+    [jq]="jq"
+    [loadkeys]="kbd"
+    [setfont]="kbd"
+    [keyctl]="keyutils"
+    [libpam-pwquality]="libpam-pwquality"
+    [lsb_release]="lsb-release"
+    [parted]="parted"
+    [lspci]="pciutils"
+    [pwgen]="pwgen"
+    [sudo]="sudo"
+    [tree]="tree"
+    [unzip]="unzip"
+    [lsusb]="usbutils"
+    [xxd]="vim-common"
+    [wget]="wget"
+    [whois]="whois"
+    [zsh]="zsh"
+  )
+
+  declare -a  ary_missing_pkgs=() ary_unique_pkgs=()
+  declare -r  var_logfile="/root/.ciss/cdi/log/5130_installation_toolset.log"
+  declare     var_bin=""
+
+  chroot_logger "${RECOVERY}${var_logfile}"
+
+  ### Collecting missing binaries.
+  for var_bin in "${!hmp_tool_pkg[@]}"; do
+
+    if ! chroot_script "${RECOVERY}" "command -v ${var_bin} >/dev/null" "debug"; then
+      ary_missing_pkgs+=("${hmp_tool_pkg[${var_bin}]}")
+    fi
+
+  done
+  do_log "debug" "file_only" "5130() [ary_missing_pkgs]='${ary_missing_pkgs[*]}'."
+
+  ### Installing unique list of packages.
+  if ((${#ary_missing_pkgs[@]})); then
+
+    # shellcheck disable=SC2312
+    mapfile -t ary_unique_pkgs < <(printf '%s\n' "${ary_missing_pkgs[@]}" | sort -u)
+    do_log "debug" "file_only" "5130() [ary_unique_pkgs]='${ary_unique_pkgs[*]}'."
+
+    chroot_script "${RECOVERY}" "
+      export INITRD=No
+      apt-get install -y --no-install-recommends --no-install-suggests ${ary_unique_pkgs[*]} 2>&1 | tee -a ${var_logfile}
+      echo ExitCode: \$? >> ${var_logfile}
+    "
+
+  fi
+
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_5000_recovery/5131_installation_systemd.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Ensure systemd is in place.
+# Every 'apt-get install' command is invoked by adding 'export INITRD=No'
+# to suppress the 'update-initramfs'-Kernel-Hooks, according to the initramfs-tools manpage:
+# https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
+# Globals:
+#   RECOVERY
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+installation_systemd_reco() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_logfile="/root/.ciss/cdi/log/5131_installation_systemd.log"
+
+  chroot_logger "${RECOVERY}${var_logfile}"
+
+  if ! chroot_script "${RECOVERY}" "type -P systemctl >/dev/null"; then
+    do_log "info" "file_only" "5131() 'systemctl' NOT found, installing 'systemd' and dependencies."
+
+    chroot_script "${RECOVERY}" "
+      export INITRD=No
+      apt-get install -y --no-install-recommends --no-install-suggests systemd systemd-sysv dbus 2>&1 | tee -a ${var_logfile}
+      echo ExitCode: \$? >> ${var_logfile}
+    "
+
+  else
+
+    do_log "info" "file_only" "5131() 'systemctl' found, skipping installation."
+
+  fi
+
+  chroot_script "${RECOVERY}" "
+    systemctl --version 2>&1 | tee -a ${var_logfile} | grep -qi 'systemd' || echo '[WARN]: systemd not verifiable' >> ${var_logfile}
+  "
+
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_5000_recovery/5132_installation_machineid.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Generate machine-id if missing.
+# Globals:
+#   RECOVERY
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+installation_machineid_reco() {
+  if ! chroot_script "${RECOVERY}" "[[ -s /etc/machine-id ]]"; then
+
+    do_log "info" "file_only" "5132() Generating /etc/machine-id via systemd-machine-id-setup."
+    chroot_exec "${RECOVERY}" systemd-machine-id-setup
+
+  else
+
+    do_log "info" "file_only" "5132() Existing 'machine-id' found, no action needed."
+
+  fi
+
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh