V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/preseed.yaml

@@ -359,17 +359,6 @@ grub_parameter:
   ##############################################################################################################################
   - "randomize_kstack_offset=on"
 
-  ##############################################################################################################################
-  # ASLR (Address Space Layout Randomization) causes central areas of memory to be assigned random addresses each time a program
-  # is started. These include: Stack, Heap, Shared libraries (e.g., libc), mmap regions, VDSO/VSyscall. The executable itself
-  # (only with PIE binaries). The aim is to make it more difficult for attackers to predict memory addresses, thereby preventing
-  # classic exploits that rely on known addresses from succeeding.
-  # 0: disabled Fixed memory addresses – insecure, testable.
-  # 1: Partial ASLR Heap, mmap are randomized, stack only partially randomized.
-  # 2: Full ASLR (default) Stack, mmap, heap, VDSO, shared libraries all randomized.
-  ##############################################################################################################################
-  - "randomize_va_space=2"
-
   ##############################################################################################################################
   # Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with Return Instructions) vulnerability and disable
   # SMT. If 'mitigations=auto,nosmt' is set, the kernel already activates all retbleed-relevant mitigations, provided the CPU

.pubkey/marc_s_weidner_msw+bot@coresecret.dev_AGE_pubkey

@@ -0,0 +1,2 @@
+# created: 2025-10-11T17:22:22Z
+# public key: age1l3pm5sjg0lj5l5jlh2azllccmzflpend9hpgcg7zvsk2mr4hvpqscdwm8f

.pubkey/marc_s_weidner_msw@coresecret.dev_AGE_pubkey

@@ -0,0 +1,2 @@
+# created: 2025-10-11T17:20:35Z
+# public key: age1chzjfu3f5nxnh5yz2l6n43l6gs07qyqcfzekdfhr5gezqvemcq7qjn23kv

ciss_debian_installer.sh

@@ -104,8 +104,11 @@ declare -grx  VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/opt
 }
 
 ### CHECK FOR CONTACT, HELP, AND VERSION STRING.
+# shellcheck disable=SC2249
 for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./meta_loader_cuv.sh; contact; exit 0;; esac; done
+# shellcheck disable=SC2249
 for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./meta_loader_cuv.sh; usage  ; exit 0;; esac; done
+# shellcheck disable=SC2249
 for arg in "$@"; do case "${arg,,}" in -v|--version) . ./meta_loader_cuv.sh; version; exit 0;; esac; done
 
 ### SOURCING MUST SET EARLY VARIABLES. SOURCING COLOR_ECHO(), GUARD_SOURCING(), AND SOURCE_GUARD().
@@ -163,6 +166,7 @@ pre_scan_debug "$@"
 
 ### CHECK FOR AUTO INSTALL MODE.
 color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECK FOR AUTO INSTALL MODE"
+# shellcheck disable=SC2249
 for arg in "$@"; do case "${arg,,}" in -a|--autoinstall) declare -gx VAR_AUTO_INSTALL="true";; esac; done; unset arg
 
 ### ACTIVATING TRAPS.
@@ -230,236 +234,238 @@ uuid_logger
 
 
 ### CDI_4000
-info_echo "4000_debootstrap.sh"
+info_echo "4000_debootstrap.sh [${TARGET}]"
 func_debootstrap
 
-info_echo "4005_debootstrap_checks.sh"
+info_echo "4005_debootstrap_checks.sh [${TARGET}]"
 check_debootstrap
 
-info_echo "4010_prepare_mounts.sh"
+info_echo "4010_prepare_mounts.sh [${TARGET}]"
 prepare_mounts
 
-info_echo "4015_check_usr_merge.sh"
+info_echo "4015_check_usr_merge.sh [${TARGET}]"
 check_usr_merge
 
-info_echo "4020_remove_x509.sh"
+info_echo "4020_remove_x509.sh [${TARGET}]"
 remove_x509
 
-info_echo "4030_setup_hostname.sh"
+info_echo "4030_setup_hostname.sh [${TARGET}]"
 setup_hostname
 
-info_echo "4035_setup_resolv.sh"
+info_echo "4035_setup_resolv.sh [${TARGET}]"
 setup_resolv
 
-info_echo "4040_setup_timezone.sh"
+info_echo "4040_setup_timezone.sh [${TARGET}]"
 setup_timezone
 
-info_echo "4050_setup_locales.sh"
+info_echo "4050_setup_locales.sh [${TARGET}]"
 setup_locales
 
 
 ### CDI_4100
 if [[ "${VAR_DEB822}" == "true" ]]; then
 
-  info_echo "4105_generate_sources822.sh"
+  info_echo "4105_generate_sources822.sh [${TARGET}]"
   generate_sources822
 
 else
 
-  info_echo "4100_generate_sources.sh"
+  info_echo "4100_generate_sources.sh [${TARGET}]"
   generate_sources
 
 fi
 
-info_echo "4110_update_sources.sh"
+info_echo "4110_update_sources.sh [${TARGET}]"
 update_sources
 
-info_echo "4120_installation_kernel.sh"
+info_echo "4120_installation_kernel.sh [${TARGET}]"
 installation_kernel
 
-info_echo "4121_installation_initramfs.sh"
+info_echo "4121_installation_initramfs.sh [${TARGET}]"
 installation_initramfs
 
-info_echo "4130_installation_toolset.sh"
+info_echo "4130_installation_toolset.sh [${TARGET}]"
 installation_toolset
 
-info_echo "4131_installation_systemd.sh"
+info_echo "4131_installation_systemd.sh [${TARGET}]"
 installation_systemd
 
-info_echo "4132_installation_machineid.sh"
+info_echo "4132_installation_machineid.sh [${TARGET}]"
 installation_machineid
 
-info_echo "4133_installation_masking.sh"
+info_echo "4133_installation_masking.sh [${TARGET}]"
 installation_masking
 
-info_echo "4140_installation_microcode.sh"
+info_echo "4140_installation_microcode.sh [${TARGET}]"
 installation_microcode
 
-info_echo "4145_installation_firmware.sh"
+info_echo "4145_installation_firmware.sh [${TARGET}]"
 installation_firmware
 
-info_echo "4150_installation_chrony.sh"
+info_echo "4150_installation_chrony.sh [${TARGET}]"
 installation_chrony
 
-info_echo "4160_installation_eza.sh"
+info_echo "4160_installation_eza.sh [${TARGET}]"
 installation_eza
 
-info_echo "4170_installation_lynis.sh"
+info_echo "4170_installation_lynis.sh [${TARGET}]"
 installation_lynis
 
 
 ### CDI_4200
-info_echo "4200_generate_fstab.sh"
+info_echo "4200_generate_fstab.sh [${TARGET}]"
 generate_fstab
 
-info_echo "4205_check_fstab.sh"
+info_echo "4205_check_fstab.sh [${TARGET}]"
 check_fstab
 
-info_echo "4210_generate_crypttab.sh"
+info_echo "4210_generate_crypttab.sh [${TARGET}]"
 generate_crypttab
 
-info_echo "4220_installation_cryptsetup.sh"
+info_echo "4220_installation_cryptsetup.sh [${TARGET}]"
 installation_cryptsetup
 
-info_echo "4230_installation_grub.sh"
+info_echo "4230_installation_grub.sh [${TARGET}]"
 installation_grub
 
 if [[ "${VAR_GRUB_PASSWORD}" == "true" ]]; then
 
-  info_echo "4240_update_grub_password.sh"
+  info_echo "4240_update_grub_password.sh [${TARGET}]"
   update_grub_password
 
 fi
 
-info_echo "4250_update_grub_bootparameter.sh"
+info_echo "4250_update_grub_bootparameter.sh [${TARGET}]"
 update_grub_bootparameter
 
 
 ### CDI_4300
-info_echo "4300_installation_network.sh"
+info_echo "4300_installation_network.sh [${TARGET}]"
 installation_network
 
-info_echo "4305_installation_netsec.sh"
+info_echo "4305_installation_netsec.sh [${TARGET}]"
 installation_netsec
 
 if [[ "${VAR_DROPBEAR}" == "true" ]]; then
 
-  info_echo "4310_dropbear_build.sh"
+  info_echo "4310_dropbear_build.sh [${TARGET}]"
   dropbear_build
 
-  info_echo "4311_dropbear_initramfs.sh"
+  info_echo "4311_dropbear_initramfs.sh [${TARGET}]"
   dropbear_initramfs
 
-  info_echo "4312_dropbear_setup.sh"
+  info_echo "4312_dropbear_setup.sh [${TARGET}]"
   dropbear_setup
 
 fi
 
-info_echo "4320_update_initramfs.sh"
+info_echo "4320_update_initramfs.sh [${TARGET}]"
 update_initramfs
 
-info_echo "4330_installation_ssh.sh"
+info_echo "4330_installation_ssh.sh [${TARGET}]"
 installation_ssh
 
 
 ### CDI_4400
-info_echo "4400_kernel_modules.sh"
+info_echo "4400_kernel_modules.sh [${TARGET}]"
 kernel_modules && kernel_modprobe
 
-info_echo "4410_kernel_sysctl.sh"
+info_echo "4410_kernel_sysctl.sh [${TARGET}]"
 kernel_sysctl
 
-info_echo "4420_hardening_fail2ban.sh"
+info_echo "4420_hardening_fail2ban.sh [${TARGET}]"
 hardening_fail2ban
 
-info_echo "4430_hardening_files.sh"
+info_echo "4430_hardening_files.sh [${TARGET}]"
 hardening_files
 
-info_echo "4440_hardening_haveged.sh"
+info_echo "4440_hardening_haveged.sh [${TARGET}]"
 hardening_haveged
 
-info_echo "4450_hardening_memory.sh"
+info_echo "4450_hardening_memory.sh [${TARGET}]"
 hardening_memory
 
-info_echo "4460_hardening_openssl.sh"
+info_echo "4460_hardening_openssl.sh [${TARGET}]"
 hardening_openssl
 
-info_echo "4470_hardening_ufw.sh"
+info_echo "4470_hardening_ufw.sh [${TARGET}]"
 hardening_ufw
 
-info_echo "4480_hardening_usb.sh"
+info_echo "4480_hardening_usb.sh [${TARGET}]"
 hardening_usb
 
-info_echo "4490_hardening_virus.sh"
+info_echo "4490_hardening_virus.sh [${TARGET}]"
 hardening_virus
 
-info_echo "4445_hardening_logrotate.sh"
+info_echo "4445_hardening_logrotate.sh [${TARGET}]"
 hardening_logrotate
 
 
 ### CDI_4500
-info_echo "4500_accounts_preparation.sh"
+info_echo "4500_accounts_preparation.sh [${TARGET}]"
 accounts_preparation
 
-info_echo "4510_accounts_hardening.sh"
+info_echo "4510_accounts_hardening.sh [${TARGET}]"
 accounts_hardening
 
-info_echo "4520_accounts_setup.sh"
+info_echo "4520_accounts_setup.sh [${TARGET}]"
 accounts_setup
 
 
 ### CDI_4600
-info_echo "4600_installation_packages.sh"
+info_echo "4600_installation_packages.sh [${TARGET}]"
 installation_packages
 
-#info_echo "4610_installation_security.sh"
+info_echo "4610_installation_security.sh [${TARGET}]"
-#installation_security
+installation_security
 
-info_echo "4620_installation_verification.sh"
+info_echo "4620_installation_verification.sh [${TARGET}]"
 install_verification
 
-info_echo "4630_auditing_packages.sh"
+info_echo "4630_auditing_packages.sh [${TARGET}]"
 auditing_packages
 
 ### CDI_4900
-info_echo "4999_exiting_chroot_system.sh"
+info_echo "4999_exiting_chroot_system.sh [${TARGET}]"
 exiting_chroot_system
 
 ### CDI_5000
 if [[ "${VAR_RECOVERY}" == "true" ]]; then
 
-  info_echo "5000_debootstrap.sh"
+  declare -gx VAR_RUN_RECOVERY="true"
-  func_debootstrap_reco
 
-  info_echo "5005_debootstrap_checks.sh"
+  info_echo "4000_debootstrap.sh [${RECOVERY}]"
-  check_debootstrap_reco
+  func_debootstrap
 
-  info_echo "5010_prepare_mounts.sh"
+  info_echo "4005_debootstrap_checks.sh [${RECOVERY}]"
-  prepare_mounts_reco
+  check_debootstrap
 
-  info_echo "5015_check_usr_merge.sh"
+  info_echo "4010_prepare_mounts.sh [${RECOVERY}]"
-  check_usr_merge_reco
+  prepare_mounts
 
-  info_echo "5020_remove_x509.sh"
+  info_echo "4015_check_usr_merge.sh [${RECOVERY}]"
-  remove_x509_reco
+  check_usr_merge
 
-  info_echo "5030_setup_hostname.sh"
+  info_echo "4020_remove_x509.sh [${RECOVERY}]"
-  setup_hostname_reco
+  remove_x509
 
-  info_echo "5035_setup_resolv.sh"
+  info_echo "4030_setup_hostname.sh [${RECOVERY}]"
-  setup_resolv_reco
+  setup_hostname
 
-  info_echo "5040_setup_timezone.sh"
+  info_echo "4035_setup_resolv.sh [${RECOVERY}]"
-  setup_timezone_reco
+  setup_resolv
 
-  info_echo "5050_setup_locales.sh"
+  info_echo "4040_setup_timezone.sh [${RECOVERY}]"
-  setup_locales_reco
+  setup_timezone
 
-  info_echo "5105_generate_sources_822.sh"
+  info_echo "4050_setup_locales.sh [${RECOVERY}]"
-  generate_sources822_reco
+  setup_locales
 
-  info_echo "5110_update_sources.sh"
+  info_echo "4105_generate_sources_822.sh [${RECOVERY}]"
-  update_sources_reco
+  generate_sources822
+
+  info_echo "4110_update_sources.sh [${RECOVERY}]"
+  update_sources
 
   info_echo "5120_installation_kernel.sh"
   installation_kernel_reco
@@ -482,6 +488,7 @@ if [[ "${VAR_RECOVERY}" == "true" ]]; then
   info_echo "5999_exiting_chroot_recovery.sh"
   exiting_chroot_recovery
 
+  declare -gx VAR_RUN_RECOVERY="false"
 fi
 
 ### Dialog Output for Initialization END

func/cdi_1000_helper/1030_check_nic.sh

@@ -41,4 +41,7 @@ check_nic() {
   do_log "info" "file_only" "1030() You have selected: '${var_nic}' - proceeding with setup."
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f check_nic
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1000_helper/1081_helper_grub.sh

@@ -98,6 +98,9 @@ grub_extract_current_string() {
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f grub_extract_current_string
 
 #######################################
 # Helper module to finish the modified GRUB CMDLINE strings.
@@ -146,4 +149,7 @@ EOF
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f grub_finalize_string
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1000_helper/1082_helper_modules.sh

@@ -28,6 +28,9 @@ chroot_logger() {
   chmod 0600 "${var_logfile}" || "${ERR_CHROOT_LOGGER}"
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f chroot_logger
 
 #######################################
 # Helper Module to generate a Subnet Mask out of an IP in CCDIR Notation.
@@ -50,6 +53,9 @@ generate_subnetmask() {
   printf '%s' "${var_has_ipv4_subnet}"
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_subnetmask
 
 #######################################
 # Collect NIC driver modules for initramfs installation (no lspci required).
@@ -92,7 +98,9 @@ grep_nic_driver_modules() {
 
   return 0
 }
-
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f grep_nic_driver_modules
 
 #######################################
 # Wrapper to insert the metadata field into the specified file.
@@ -128,6 +136,9 @@ insert_comments() {
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f insert_comments
 
 #######################################
 # Wrapper to insert the SPDX Header into the specified file.
@@ -160,11 +171,18 @@ EOF
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f insert_header
 
 #######################################
 # Helper module for update, full dist-upgrade, autoclean, autopurge and autoremove.
+# Globals:
+#   None
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 update_upgrade() {
   apt-get update
@@ -172,5 +190,9 @@ update_upgrade() {
   apt-get autoclean -y
   apt-get autopurge -y
   apt-get autoremove -y
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f update_upgrade
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1000_helper/1084_helper_sanitizer.sh

@@ -22,6 +22,9 @@ remove_whitespace() {
   declare var_out=$(printf "%s" "$1" | xargs)
   printf '%s' "${var_out}"
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f remove_whitespace
 
 #######################################
 # Function to escape all shell metacharacters
@@ -33,6 +36,9 @@ sanitize_input() {
   ### %q quotes the string so that the shell re-reads it as the original literal
   printf '%q' "${input}"
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f sanitize_input
 
 #######################################
 # Function to remove any character not in the allowed set
@@ -46,4 +52,7 @@ sanitize_string() {
   declare allowed='a-zA-Z0-9._/=\[\]:"\-+ '
   printf '%s' "${input}" | tr -cd "${allowed}"
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f sanitize_string
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1000_helper/1085_helper_secure_dl.sh

@@ -42,6 +42,9 @@ scurl() {
     return "${ERR_DOWNLOAD_FAILED}"
   fi
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f scurl
 
 #######################################
 # Wrapper for secure wget.
@@ -73,4 +76,7 @@ swget() {
     return "${ERR_DOWNLOAD_FAILED}"
   fi
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f swget
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1000_helper/1086_helper_yaml.sh

@@ -13,7 +13,9 @@
 guard_sourcing
 
 #######################################
-# yq_val <YQ expression> <file> - Returns value, converts null to ""
+# yq_val <YQ expression> <file> - Returns value, converts null to "".
+# Globals:
+#   None
 # Arguments:
 #   1: Key String to evaluate
 #   2: YAML File
@@ -23,4 +25,7 @@ yq_val() {
   [[ "${var_h}" == null ]] && var_h=""
   printf '%s' "${var_h}"
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f yq_val
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1200_validation/1220_validation_element.sh

@@ -31,4 +31,7 @@ validation_array() {
   done
   return 1
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f validation_array
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1200_validation/1221_validation_ip.sh

@@ -15,7 +15,7 @@ guard_sourcing
 #######################################
 # IPv4 validation.
 # Globals:
-#   ERR_INVALID_IPV4
+#   None
 # Arguments:
 #   1: IPv4 to validate.
 # Returns:
@@ -30,6 +30,9 @@ validation_ipv4() {
     return "${ERR_INVALID_IPV4}"
   fi
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f validation_ipv4
 
 #######################################
 # IPv6 validation, including
@@ -38,7 +41,7 @@ validation_ipv4() {
 #   - Addresses with embedded IPv4 addresses like ::ffff:192.0.2.128
 #   - Link-local addresses like fe80::1%eth0
 # Globals:
-#   ERR_INVALID_IPV6
+#   None
 # Arguments:
 #   1: IPv6 address
 # Returns:
@@ -88,11 +91,14 @@ validation_ipv6() {
   ### Success
   do_log "info" "file_only" "'${var_ip}' seems to be a valid IPv6."
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f validation_ipv6
 
 #######################################
 # Port validation.
 # Globals:
-#   ERR_INVALID_PORT
+#   None
 # Arguments:
 #   1: Port number
 # Returns:
@@ -107,4 +113,7 @@ validation_port() {
     return "${ERR_INVALID_PORT}"
   fi
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f validation_port
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1200_validation/1222_validation_preseed.sh

@@ -60,4 +60,7 @@ validation_preseed() {
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f validation_preseed
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1250_yaml/1250_yaml_parser.sh

@@ -46,7 +46,7 @@ yaml_parser() {
   while IFS='=' read -r var_key var_value; do
     var_value=${var_value#\'}
     var_value=${var_value%\'}
-    # shellcheck disable=SC2034
+    # shellcheck disable=SC2034,SC2249
     case "${var_key}" in
       grub_parameter_[0-9]*) ARY_BOOTPARAM+=("${var_value}")  ;;
       locale_locale_[0-9]*)  ARY_LOCALE+=("${var_value}")     ;;

func/cdi_1250_yaml/1251_yaml_reader.sh

@@ -17,19 +17,42 @@ guard_sourcing
 # Globals:
 #   BASH_REMATCH
 #   HMP_RECIPE_DEV_PARTITIONS
+#   VAR_APT_FULL_UPGRADE
 #   VAR_ARCHITECTURE
+#   VAR_CHROOT_DEBUG
 #   VAR_CODENAME
+#   VAR_DEB822
+#   VAR_DROPBEAR
+#   VAR_GRUB_PASSWORD
+#   VAR_LUKS_BACKUP
+#   VAR_LUKS_URL
 #   VAR_NEED_RUN_IN_TARGET
 #   VAR_NUKE
+#   VAR_NUKE_ROUNDS
 #   VAR_PRESEED
+#   VAR_PROVIDER
 #   VAR_RECIPE_FIRMWARE
 #   VAR_RECIPE_HIGHEST_DEVICE
 #   VAR_RECIPE_STRING
 #   VAR_RECIPE_TABLE
 #   VAR_RECOVERY
+#   VAR_SEC_FW
+#   VAR_SSH_CA
+#   VAR_SSH_PORT
+#   VAR_UFW_OUT
+#   apt_default_deb822
+#   apt_full_upgrade
 #   architecture
+#   chroot_debug
 #   distribution
+#   dropbear_boot
+#   grub_password
 #   needrun
+#   provider
+#   security_ext
+#   security_ufw_out
+#   ssh_port
+#   ssh_root_ca
 # Arguments:
 #   None
 # Returns:

func/cdi_1250_yaml/1252_yaml_validator.sh

@@ -221,9 +221,14 @@ yaml_validator() {
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f yaml_validator
 
 #######################################
 # Network connectivity prober.
+# Globals:
+#   network_timeout_linkwait
 # Arguments:
 #   1: IP-Family
 #   2: TLD to probe
@@ -237,21 +242,33 @@ probe_link() {
 
   ### 1) Try ping (quiet, 1 probe, 3s deadline)
   if ping -q -c 1 -W "${network_timeout_linkwait:-3}" "-${var_fam}" "${var_target}" >/dev/null 2>&1; then
+
     var_ok="true"
+
   else
+
     ### 2) Fallback: mtr in report mode (non-interactive), no DNS to avoid TUI/delays.
     if command -v mtr >/dev/null 2>&1; then
+
       ### Treat as success if ANY hop resolves to something other than "???".
       ### '-r = report', '-c 2 = two cycles', -n = no DNS, -4/-6 = address family
+
       # shellcheck disable=SC2312
       if mtr "-${var_fam}" -r -c 3 -n "${var_target}" 2>/dev/null \
         | awk 'NR>2 && $2!="???"{ok=1} END{exit ok?0:1}'; then
+
         var_ok="true"
+
       fi
+
     fi
+
   fi
 
   printf '%s' "${var_ok}"
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f probe_link
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_3200_partitioning/3200_partitioning.sh

@@ -43,23 +43,28 @@ guard_sourcing
 # - LUKS encryption enabled.
 # - Specific device partition data for each mount path.
 # Globals:
+#   ARY_CRYPT_MOUNT_PATHS
+#   ARY_FORMT_MOUNT_PATHS
 #   ARY_FSTAB_MOUNT_PATHS
+#   ARY_PATHS_SORTED
 #   DIR_LOG
 #   HMP_FSTAB_MOUNT_FTYPE
+#   HMP_PATH_DEV_PART
 #   HMP_PATH_PARTUUID
 #   VAR_RECIPE_FIRMWARE
 #   VAR_RECIPE_STRING
 #   VAR_RECIPE_TABLE
+#   VAR_ROOT_FS
 #   VAR_SETUP_PART
 # Arguments:
 #   None
 # Returns:
-#   ERR_PARTITIONTBL
-#   ERR_PART_CREATE
-#   ERR_PART_READ
-#   ERR_TABLE_CREATE
-#   ERR_TABLE_DELETE
 #   0: on success
+#   ERR_PARTITIONTBL: on failure
+#   ERR_PART_CREATE: on failure
+#   ERR_PART_READ: on failure
+#   ERR_TABLE_CREATE: on failure
+#   ERR_TABLE_DELETE: on failure
 #######################################
 partitioning() {
   ### Declare Arrays, HashMaps, and Variables.
@@ -180,6 +185,7 @@ partitioning() {
         var_end_arg="${var_end}"
       fi
 
+      # shellcheck disable=SC2249
       case "${VAR_RECIPE_TABLE,,}" in
 
         gpt)
@@ -212,6 +218,7 @@ partitioning() {
       ### Assign the correct GPT typecode via sgdisk if the table is GPT.
       if [[ "${VAR_RECIPE_TABLE,,}" == "gpt" ]]; then
 
+        # shellcheck disable=SC2249
         case "${var_mount_path,,}" in
 
           "/")
@@ -254,6 +261,7 @@ partitioning() {
 
         esac
 
+        # shellcheck disable=SC2249
         case "${var_encryption,,}" in
 
           true)
@@ -285,6 +293,7 @@ partitioning() {
       ### Set the bootable flag if necessary.
       if [[ "${var_boot,,}" == "true" ]]; then
 
+        # shellcheck disable=SC2249
         case "${VAR_RECIPE_TABLE,,}:${VAR_RECIPE_FIRMWARE,,}" in
 
           gpt:uefi|mbr:uefi)

func/cdi_3200_partitioning/3210_benchmarking_encryption.sh

@@ -55,4 +55,7 @@ benchmarking_encryption() {
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f benchmarking_encryption
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_3200_partitioning/3280_mount_partition.sh

@@ -113,7 +113,7 @@ readonly -f mount_with_dir
 # Outputs '/dev/mapper/<encryption_label>'
 # Outputs '/dev/<dev><partition>'
 # Globals:
-#   none
+#   None
 # Arguments:
 #   1: Device
 #   2: Partition
@@ -144,7 +144,7 @@ readonly -f resolve_device
 #######################################
 # Validates btrfs compression algo and level.
 # Globals:
-#   none
+#   None
 # Arguments:
 #   1: var_fs_btrfs_compress
 #   2: var_fs_btrfs_level

func/cdi_3200_partitioning/3295_get_label.sh

@@ -64,6 +64,7 @@ get_label() {
 
     file)
 
+      # shellcheck disable=SC2249
       case "${var_path}:${var_file}" in
 
         swap:*)               var_return_label="host_swap" ;;

func/cdi_4000_debootstrap/4000_debootstrap.sh

@@ -16,9 +16,12 @@ guard_sourcing
 # Install a minimal Debian environment using the 'debootstrap' command.
 # Globals:
 #   LOG_DBS
+#   LOG_REC
+#   RECOVERY
 #   TARGET
 #   VAR_ARCHITECTURE
 #   VAR_CODENAME
+#   VAR_RUN_RECOVERY
 #   debootstrap_includes
 #   debootstrap_mirror
 # Arguments:
@@ -31,11 +34,17 @@ func_debootstrap() {
   ### Declare Arrays, HashMaps, and Variables.
   declare -r var_arch="${VAR_ARCHITECTURE}"
   declare -r var_dist="${VAR_CODENAME}"
-  declare -r var_target="${TARGET}"
   declare -r var_mirror="${debootstrap_mirror}"
   declare -r var_includes="${debootstrap_includes}"
   declare -a ary_cmd=()
 
+  declare    var_log="${LOG_DBS}"
+  declare    var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_log="${LOG_REC}"
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
   ary_cmd+=( "debootstrap" "--arch=${var_arch}" "--keep-debootstrap-dir" "--log-extra-deps" "--merged-usr" )
 
   if [[ -n "${var_includes}" ]]; then ary_cmd+=( "--include=${var_includes}" ); fi
@@ -45,7 +54,7 @@ func_debootstrap() {
   do_log "debug" "file_only" "4000() Executing: [${ary_cmd[*]}]"
 
   # shellcheck disable=SC2312
-  if "${ary_cmd[@]}" | tee "${LOG_DBS}"; then
+  if "${ary_cmd[@]}" | tee "${var_log}"; then
 
     do_log "info" "file_only" "4000() [${ary_cmd[*]}] successful."
 

func/cdi_4000_debootstrap/4005_debootstrap_checks.sh

@@ -15,7 +15,9 @@ guard_sourcing
 #######################################
 # Preliminary post debootstrap checks.
 # Globals:
+#   RECOVERY
 #   TARGET
+#   VAR_RUN_RECOVERY
 # Arguments:
 #   None
 # Returns:
@@ -24,10 +26,14 @@ guard_sourcing
 check_debootstrap() {
   ### Declare Arrays, HashMaps, and Variables.
   declare -r  var_logfile="/root/.ciss/cdi/log/4005_debootstrap_checks.log"
+  declare     var_target="${TARGET}"
 
-  chroot_logger "${TARGET}${var_logfile}"
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
-  chroot_script "${TARGET}" "
+  chroot_logger "${var_target}${var_logfile}"
+
+  chroot_script "${var_target}" "
     {
       ### Header
       echo '==[debootstrap checks]=='

func/cdi_4000_debootstrap/4010_prepare_mounts.sh

@@ -15,10 +15,11 @@ guard_sourcing
 #######################################
 # Configure the target system for chroot.
 # Globals:
+#   RECOVERY
 #   TARGET
 #   VAR_CHROOT_ACTIVATED
-#   VAR_CHROOT_SYS_MASK_HELPER
 #   VAR_NEED_RUN_IN_TARGET
+#   VAR_RUN_RECOVERY
 # Arguments:
 #   None
 # Returns:
@@ -52,10 +53,14 @@ prepare_mounts() {
   )
 
   declare     var_path="" var_fs="" var_src="" var_opts=""
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
   for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
 
-    mkdir -p "${TARGET}${var_path}"
+    mkdir -p "${var_target}${var_path}"
 
   done
 
@@ -64,55 +69,65 @@ prepare_mounts() {
 
     IFS=" " read -r var_fs var_src var_opts <<< "${HMP_SPECIAL_MOUNTS[${var_path}]}"
 
-    if mountpoint -q "${TARGET}${var_path}"; then
+    if mountpoint -q "${var_target}${var_path}"; then
 
-      do_log "info" "file_only" "4010() Skipped: '${TARGET}${var_path}' is already a mountpoint."
+      do_log "info" "file_only" "4010() Skipped: '${var_target}${var_path}' is already a mountpoint."
       continue
 
     fi
 
-    if ! mount -t "${var_fs}" "${var_src}" "${TARGET}${var_path}" -o "${var_opts}"; then
+    if ! mount -t "${var_fs}" "${var_src}" "${var_target}${var_path}" -o "${var_opts}"; then
 
-      do_log "emergency" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] failed."
+      do_log "emergency" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${var_target}${var_path} -o ${var_opts}] failed."
       return "${ERR_CHRT_MOUNTS}"
 
     fi
 
-    do_log "info" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] successful."
+    do_log "info" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${var_target}${var_path} -o ${var_opts}] successful."
 
   done
 
 
   if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
 
-    mkdir -p "${TARGET}/run"
+    mkdir -p "${var_target}/run"
 
-    if ! mount --make-rslave --rbind /run "${TARGET}/run"; then
+    if ! mount --make-rslave --rbind /run "${var_target}/run"; then
 
-      do_log "emergency" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${TARGET}/run] failed."
+      do_log "emergency" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${var_target}/run] failed."
       return "${ERR_CHRT_MOUNTS}"
 
     fi
 
-    do_log "info" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${TARGET}/run] successful."
+    do_log "info" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${var_target}/run] successful."
 
   fi
 
 
-  if ! chroot_exec "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
+  if ! chroot_exec "${var_target}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
 
-    do_log "emergency" "file_only" "4010() Command: [chroot_exec ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
+    do_log "emergency" "file_only" "4010() Command: [chroot_exec ${var_target} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
     return "${ERR_CHRT_MOUNTS}"
 
   fi
 
-  do_log "info" "file_only" "4010() Command: [chroot_exec ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
+  do_log "info" "file_only" "4010() Command: [chroot_exec ${var_target} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
 
-  mkdir -p "${TARGET}/media/cdrom0"
+  mkdir -p "${var_target}/media/cdrom0"
 
   # shellcheck disable=SC2034
-  declare -gx VAR_CHROOT_ACTIVATED="system"
+
-  do_log "info" "file_only" "4010() Command: [declare -gx VAR_CHROOT_ACTIVATED=system]"
+  if   [[ "${VAR_RUN_RECOVERY}" == "false" ]]; then
+
+    declare -gx VAR_CHROOT_ACTIVATED="system"
+    do_log "info" "file_only" "4010() Command: [declare -gx VAR_CHROOT_ACTIVATED=system]"
+
+  elif [[ "${VAR_RUN_RECOVERY}" == "true" ]]; then
+
+    declare -gx VAR_CHROOT_ACTIVATED="recovery"
+    do_log "info" "file_only" "4010() Command: [declare -gx VAR_CHROOT_ACTIVATED=recovery]"
+
+  fi
 
   guard_dir && return 0
 }

func/cdi_4000_debootstrap/4015_check_usr_merge.sh

@@ -15,7 +15,9 @@ guard_sourcing
 #######################################
 # Check if the target system is not 'tainted: unmerged-usr'.
 # Globals:
+#   RECOVERY
 #   TARGET
+#   VAR_RUN_RECOVERY
 #   architecture
 # Arguments:
 #   None
@@ -25,11 +27,15 @@ guard_sourcing
 check_usr_merge() {
   ### Declare Arrays, HashMaps, and Variables.
   declare -r  var_logfile="/root/.ciss/cdi/log/4015_check_usr_merge.log"
+  declare     var_target="${TARGET}"
 
-  chroot_logger "${TARGET}${var_logfile}"
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+  chroot_logger "${var_target}${var_logfile}"
 
   # shellcheck disable=SC2312
-  chroot_script "${TARGET}" "
+  chroot_script "${var_target}" "
     test -L /bin  && test $(readlink -f /bin)  = '/usr/bin'  && echo 'MERGED:/bin'  >> ${var_logfile} || echo 'UNMERGED:/bin'  >> ${var_logfile}
     test -L /sbin && test $(readlink -f /sbin) = '/usr/sbin' && echo 'MERGED:/sbin' >> ${var_logfile} || echo 'UNMERGED:/sbin' >> ${var_logfile}
     test -L /lib  && test $(readlink -f /lib)  = '/usr/lib'  && echo 'MERGED:/lib'  >> ${var_logfile} || echo 'UNMERGED:/lib'  >> ${var_logfile}
@@ -38,7 +44,7 @@ check_usr_merge() {
 
   if [[ "${architecture}" == "amd64" ]]; then
     # shellcheck disable=SC2312
-    chroot_script "${TARGET}" "
+    chroot_script "${var_target}" "
       test -L /lib64 && test $(readlink -f /lib64) = '/usr/lib64' && echo 'MERGED:/lib64' >> ${var_logfile} || echo 'UNMERGED:/lib64' >> ${var_logfile}
       echo ExitCode: \$? >> ${var_logfile}
     "

func/cdi_4000_debootstrap/4020_remove_x509.sh

@@ -15,7 +15,9 @@ guard_sourcing
 #######################################
 # Chroot hook for deleting all expired X.509 certificates in the target system.
 # Globals:
+#   RECOVERY
 #   TARGET
+#   VAR_RUN_RECOVERY
 #   VAR_SETUP_PATH
 # Arguments:
 #   None
@@ -23,17 +25,22 @@ guard_sourcing
 #   0: on success
 #######################################
 remove_x509() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
   install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/4020_remove_x509.hooks.sh" \
-    "${TARGET}/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh"
+    "${var_target}/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh"
 
-  if ! chroot_script "${TARGET}" "/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh" "emergency"; then
+  if ! chroot_script "${var_target}" "/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh" "emergency"; then
 
-    do_log "warn" "file_only" "4020() Command: [chroot_script ${TARGET} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] failed."
+    do_log "warn" "file_only" "4020() Command: [chroot_script ${var_target} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] failed."
 
   else
 
-    do_log "debug" "file_only" "4020() Command: [chroot_script ${TARGET} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] successful."
+    do_log "debug" "file_only" "4020() Command: [chroot_script ${var_target} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] successful."
 
   fi
 

func/cdi_4000_debootstrap/4030_setup_hostname.sh

@@ -15,11 +15,13 @@ guard_sourcing
 #######################################
 # Configure the '/etc/hostname' | '/etc/hosts' | '/etc/mailname' files.
 # Globals:
+#   RECOVERY
 #   TARGET
 #   VAR_FINAL_FQDN
 #   VAR_FINAL_IPV4
 #   VAR_FINAL_IPV6
 #   VAR_LINK_IPV6
+#   VAR_RUN_RECOVERY
 #   network_ipv6
 # Arguments:
 #   None
@@ -27,36 +29,42 @@ guard_sourcing
 #   0: on success
 #######################################
 setup_hostname() {
-  ### Create the '${TARGET}/etc/hostname' file.
+  ### Declare Arrays, HashMaps, and Variables.
-  cat << EOF >| "${TARGET}/etc/hostname"
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+  ### Create the '${var_target}/etc/hostname' file.
+  cat << EOF >| "${var_target}/etc/hostname"
 ${VAR_FINAL_FQDN}
 EOF
-  chmod 0644 "${TARGET}/etc/hostname"
+  chmod 0644 "${var_target}/etc/hostname"
-  do_log "info" "file_only" "4030() File generated: '${TARGET}/etc/hostname' | hostname '${VAR_FINAL_FQDN}'."
+  do_log "info" "file_only" "4030() File generated: '${var_target}/etc/hostname' | hostname '${VAR_FINAL_FQDN}'."
 
 
-  ### Create the '${TARGET}/etc/mailname' file.
+  ### Create the '${var_target}/etc/mailname' file.
-  cat << EOF >| "${TARGET}/etc/mailname"
+  cat << EOF >| "${var_target}/etc/mailname"
 ${VAR_FINAL_FQDN}
 EOF
-  chmod 0644 "${TARGET}/etc/mailname"
+  chmod 0644 "${var_target}/etc/mailname"
-  do_log "info" "file_only" "4030() File generated: '${TARGET}/etc/mailname' | mailname '${VAR_FINAL_FQDN}'."
+  do_log "info" "file_only" "4030() File generated: '${var_target}/etc/mailname' | mailname '${VAR_FINAL_FQDN}'."
 
 
-  ### Generate '${TARGET}/etc/hosts' basic IPv4 entries
+  ### Generate '${var_target}/etc/hosts' basic IPv4 entries
-  cat << EOF >| "${TARGET}/etc/hosts"
+  cat << EOF >| "${var_target}/etc/hosts"
 127.0.0.1 localhost
 ${VAR_FINAL_IPV4} ${VAR_FINAL_FQDN}
 
 EOF
-  chmod 0644 "${TARGET}/etc/hosts"
+  chmod 0644 "${var_target}/etc/hosts"
-  do_log "info" "file_only" "4030() File generated: '${TARGET}/etc/hosts' with basic IPv4 entries."
+  do_log "info" "file_only" "4030() File generated: '${var_target}/etc/hosts' with basic IPv4 entries."
 
 
-  ### Generate '${TARGET}/etc/hosts' basic IPv6 entries
+  ### Generate '${var_target}/etc/hosts' basic IPv6 entries
   if [[ "${VAR_LINK_IPV6,,}" == "true" || "${network_ipv6,,}" == "true" ]]; then
 
-    cat << EOF >> "${TARGET}/etc/hosts"
+    cat << EOF >> "${var_target}/etc/hosts"
 # The following lines are desirable for IPv6 capable hosts
 ::1     localhost ip6-localhost ip6-loopback
 fe00::0 ip6-localnet
@@ -68,10 +76,13 @@ ${VAR_FINAL_IPV6} ${VAR_FINAL_FQDN}
 
 EOF
 
-    do_log "info" "file_only" "4030() File updated: '${TARGET}/etc/hosts' with basic IPv6 entries."
+    do_log "info" "file_only" "4030() File updated: '${var_target}/etc/hosts' with basic IPv6 entries."
 
   fi
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f setup_hostname
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4035_setup_resolv.sh

@@ -17,13 +17,11 @@ guard_sourcing
 # Globals:
 #   ARY_IPV4_NS
 #   ARY_IPV6_NS
-#   DIR_BAK
+#   RECOVERY
 #   TARGET
-#   VAR_ARCHITECTURE
-#   VAR_CODENAME
 #   VAR_FINAL_IPV6
 #   VAR_LINK_IPV6
-#   VAR_VERSION
+#   VAR_RUN_RECOVERY
 # Arguments:
 #   None
 # Returns:
@@ -32,59 +30,66 @@ guard_sourcing
 setup_resolv() {
   ### Declare Arrays, HashMaps, and Variables.
   declare     ns=""
+  declare     var_target="${TARGET}"
 
-  if [[ -f "${TARGET}/etc/resolv.conf" ]]; then
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
-    mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc"
+  if [[ -f "${var_target}/etc/resolv.conf" ]]; then
-    mv "${TARGET}/etc/resolv.conf" "${TARGET}/root/.ciss/cdi/backup/etc/resolv.conf.bak"
+
-    do_log "info" "file_only" "4035() Existing '${TARGET}/etc/resolv.conf' moved."
+    mkdir -p "${var_target}/root/.ciss/cdi/backup/etc"
+    mv "${var_target}/etc/resolv.conf" "${var_target}/root/.ciss/cdi/backup/etc/resolv.conf.bak"
+    do_log "info" "file_only" "4035() Existing '${var_target}/etc/resolv.conf' moved."
 
   fi
 
-  touch "${TARGET}/etc/resolv.conf"
+  touch "${var_target}/etc/resolv.conf"
-  chmod 0644 "${TARGET}/etc/resolv.conf"
+  chmod 0644 "${var_target}/etc/resolv.conf"
 
   ### Create '/etc/resolv.conf' IPv4 entries for static configuration.
-  insert_header "${TARGET}/etc/resolv.conf"
+  insert_header "${var_target}/etc/resolv.conf"
-  insert_comments "${TARGET}/etc/resolv.conf"
+  insert_comments "${var_target}/etc/resolv.conf"
-  cat << EOF >> "${TARGET}/etc/resolv.conf"
+  cat << EOF >> "${var_target}/etc/resolv.conf"
 ### Custom DNS IPv4 configuration
 EOF
 
   for ns in "${ARY_IPV4_NS[@]}"; do
 
-    echo "nameserver ${ns}" >> "${TARGET}/etc/resolv.conf"
+    echo "nameserver ${ns}" >> "${var_target}/etc/resolv.conf"
     do_log "info" "file_only" "4035() IPv4 nameserver added: [${ns}]."
 
   done
 
-  echo "" >> "${TARGET}/etc/resolv.conf"
+  echo "" >> "${var_target}/etc/resolv.conf"
-  do_log "info" "file_only" "4035() IPv4 nameserver at: '${TARGET}/etc/resolv.conf' configured."
+  do_log "info" "file_only" "4035() IPv4 nameserver at: '${var_target}/etc/resolv.conf' configured."
 
 
   ### Create '/etc/resolv.conf' IPv6 entries for static configuration.
   if [[ "${VAR_LINK_IPV6,,}" == "true" || -n "${VAR_FINAL_IPV6}" ]]; then
 
-    cat << EOF >> "${TARGET}/etc/resolv.conf"
+    cat << EOF >> "${var_target}/etc/resolv.conf"
 ### Custom DNS IPv6 configuration
 EOF
 
     for ns in "${ARY_IPV6_NS[@]}"; do
 
-      echo "nameserver ${ns}" >> "${TARGET}/etc/resolv.conf"
+      echo "nameserver ${ns}" >> "${var_target}/etc/resolv.conf"
       do_log "info" "file_only" "4035() IPv6 nameserver added: [${ns}]."
 
     done
 
-    echo "" >> "${TARGET}/etc/resolv.conf"
+    echo "" >> "${var_target}/etc/resolv.conf"
-    do_log "info" "file_only" "4035() IPv6 nameserver at: '${TARGET}/etc/resolv.conf' configured."
+    do_log "info" "file_only" "4035() IPv6 nameserver at: '${var_target}/etc/resolv.conf' configured."
 
   fi
 
-  cat << EOF >> "${TARGET}/etc/resolv.conf"
+  cat << EOF >> "${var_target}/etc/resolv.conf"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f setup_resolv
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4040_setup_timezone.sh

@@ -15,7 +15,9 @@ guard_sourcing
 #######################################
 # Configure the '/etc/timezone' | '/etc/localtime' files.
 # Globals:
+#   RECOVERY
 #   TARGET
+#   VAR_RUN_RECOVERY
 #   ntp_timezone
 # Arguments:
 #   None
@@ -23,17 +25,26 @@ guard_sourcing
 #   0: on success
 #######################################
 setup_timezone() {
-  ### Create '${TARGET}/etc/timezone' file.
+  ### Declare Arrays, HashMaps, and Variables.
-  cat << EOF >| "${TARGET}/etc/timezone"
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+  ### Create the '$ {var_target}/etc / timezone' file.
+  cat << EOF >| "${var_target}/etc/timezone"
 ${ntp_timezone:-UTC}
 EOF
-  chmod 0644 "${TARGET}/etc/timezone"
+  chmod 0644 "${var_target}/etc/timezone"
-  do_log "info" "file_only" "4040() File generated: '${TARGET}/etc/timezone' | timezone '${ntp_timezone:-UTC}'."
+  do_log "info" "file_only" "4040() File generated: '${var_target}/etc/timezone' | timezone '${ntp_timezone:-UTC}'."
 
-  chroot_exec "${TARGET}" ln -sf "/usr/share/zoneinfo/${ntp_timezone}" /etc/localtime
+  chroot_exec "${var_target}" ln -sf "/usr/share/zoneinfo/${ntp_timezone}" /etc/localtime
 
-  chroot_exec "${TARGET}" dpkg-reconfigure -f noninteractive tzdata
+  chroot_exec "${var_target}" dpkg-reconfigure -f noninteractive tzdata
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f setup_timezone
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4050_setup_locales.sh

@@ -16,10 +16,10 @@ guard_sourcing
 # Set locale, locale overrides and configure keyboard layout.
 # Globals:
 #   ARY_LOCALE
+#   RECOVERY
 #   TARGET
-#   VAR_ARCHITECTURE
+#   VAR_DATE
-#   VAR_CODENAME
+#   VAR_RUN_RECOVERY
-#   VAR_VERSION
 #   locale_country
 #   locale_keyboard_xkb_keymap
 #   locale_language
@@ -42,15 +42,22 @@ guard_sourcing
 setup_locales() {
   ### Declare Arrays, HashMaps, and Variables.
   declare     var_locale_hook="/root/.ciss/cdi/hooks/4050_setup_locales.hooks.sh"
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
   ### Give priority to '${locale_locale}' over separately configured variables '${locale_country}' and '${locale_language}'.
   ### If 'locale_locale' is not set, build it from 'locale_language' and 'locale_country'.
   if [[ -n "${locale_language:-}" && -n "${locale_country:-}" && -z "${ARY_LOCALE[0]:-}" ]]; then
+
+    # shellcheck disable=SC2034
     ARY_LOCALE+="${locale_language}_${locale_country}.UTF-8"
+
   fi
 
   ### Creat Hook in target.
-  cat << EOF >| "${TARGET}${var_locale_hook}"
+  cat << EOF >| "${var_target}${var_locale_hook}"
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -72,7 +79,7 @@ declare    loc=""
 
 EOF
 
-  cat << 'EOF' >> "${TARGET}${var_locale_hook}"
+  cat << 'EOF' >> "${var_target}${var_locale_hook}"
 ary_locale+=( "${locale_0}" )
 [[ -n "${locale_1}" ]] && ary_locale+=( "${locale_1}" )
 
@@ -94,7 +101,7 @@ done
 
 EOF
 
-  cat << EOF >> "${TARGET}${var_locale_hook}"
+  cat << EOF >> "${var_target}${var_locale_hook}"
 update-locale \
 LANG=${ARY_LOCALE[0]} \
 LC_ADDRESS=${locale_override_address:-${ARY_LOCALE[0]}} \
@@ -112,13 +119,13 @@ LC_IDENTIFICATION=${ARY_LOCALE[0]}
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
-  chmod 0700 "${TARGET}${var_locale_hook}"
+  chmod 0700 "${var_target}${var_locale_hook}"
-  chroot_script "${TARGET}" "${var_locale_hook}"
+  chroot_script "${var_target}" "${var_locale_hook}"
 
   ### Set the keyboard layout for the system (for consoles).
-  insert_header   "${TARGET}/etc/default/keyboard"
+  insert_header   "${var_target}/etc/default/keyboard"
-  insert_comments "${TARGET}/etc/default/keyboard"
+  insert_comments "${var_target}/etc/default/keyboard"
-  cat << EOF >>   "${TARGET}/etc/default/keyboard"
+  cat << EOF >>   "${var_target}/etc/default/keyboard"
 # KEYBOARD CONFIGURATION FILE
 # Consult the keyboard(5) manual page.
 
@@ -130,9 +137,12 @@ BACKSPACE="guess"
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
-  chmod 0644 "${TARGET}/etc/default/keyboard"
+  chmod 0644 "${var_target}/etc/default/keyboard"
-  do_log "info" "file_only" "4050() Keyboard layout updated: 'XKBLAYOUT=${locale_keyboard_xkb_keymap}' -> '${TARGET}/etc/default/keyboard'."
+  do_log "info" "file_only" "4050() Keyboard layout updated: 'XKBLAYOUT=${locale_keyboard_xkb_keymap}' -> '${var_target}/etc/default/keyboard'."
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f setup_locales
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base/4100_generate_sources.sh

@@ -15,10 +15,9 @@ guard_sourcing
 #######################################
 # Generate target '/etc/apt/sources.list' entries.
 # Globals:
+#   RECOVERY
 #   TARGET
-#   VAR_ARCHITECTURE
+#   VAR_RUN_RECOVERY
-#   VAR_CODENAME
-#   VAR_VERSION
 #   apt_contrib
 #   apt_deb_sources
 #   apt_mirror_directory
@@ -39,8 +38,12 @@ guard_sourcing
 #######################################
 generate_sources() {
   ### Declare Arrays, HashMaps, and Variables.
-  declare -a ary_components=()
+  declare -a  ary_components=()
-  declare    var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
+  declare     var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
   # shellcheck disable=SC2154 # "${architecture}"
   var_arch="${architecture,,}"
@@ -77,25 +80,25 @@ generate_sources() {
 
   fi
 
-  : >| "${TARGET}/etc/apt/sources.list"
+  : >| "${var_target}/etc/apt/sources.list"
-  chmod 0644 "${TARGET}/etc/apt/sources.list"
+  chmod 0644 "${var_target}/etc/apt/sources.list"
 
   ### Main Repository
   # shellcheck disable=SC2153
-  insert_header "${TARGET}/etc/apt/sources.list"
+  insert_header   "${var_target}/etc/apt/sources.list"
-  insert_comments "${TARGET}/etc/apt/sources.list"
+  insert_comments "${var_target}/etc/apt/sources.list"
-  cat << EOF >> "${TARGET}/etc/apt/sources.list"
+  cat << EOF >>   "${var_target}/etc/apt/sources.list"
 #------------------------------------------------------------------------------------------------------------------------------#
 #                                                     OFFICIAL DEBIAN REPOS                                                    #
 #------------------------------------------------------------------------------------------------------------------------------#
 deb ${var_url} ${var_codename} ${ary_components[*]}
 EOF
-  do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename} ${ary_components[*]}'."
+  do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename} ${ary_components[*]}'."
 
   if [[ "${var_deb_src}" == "true" ]]; then
 
-    echo "deb-src ${var_url} ${var_codename} ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
+    echo "deb-src ${var_url} ${var_codename} ${ary_components[*]}" >> "${var_target}/etc/apt/sources.list"
-    do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename} ${ary_components[*]}'."
+    do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename} ${ary_components[*]}'."
 
   fi
 
@@ -103,16 +106,16 @@ EOF
   ### Security Repository
   if [[ "${apt_updates_security,,}" == "true" ]]; then
 
-    cat << EOF >> "${TARGET}/etc/apt/sources.list"
+    cat << EOF >> "${var_target}/etc/apt/sources.list"
 
 deb ${var_surl} ${var_codename}-security ${ary_components[*]}
 EOF
-    do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_surl} ${var_codename}-security ${ary_components[*]}'."
+    do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb ${var_surl} ${var_codename}-security ${ary_components[*]}'."
 
     if [[ "${var_deb_src}" == "true" ]]; then
 
-      echo "deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
+      echo "deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}" >> "${var_target}/etc/apt/sources.list"
-      do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}'."
+      do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}'."
 
     fi
 
@@ -122,16 +125,16 @@ EOF
   ### Updates Repository
   if [[ "${apt_updates_release,,}" == "true" ]]; then
 
-    cat << EOF >> "${TARGET}/etc/apt/sources.list"
+    cat << EOF >> "${var_target}/etc/apt/sources.list"
 
 deb ${var_url} ${var_codename}-updates ${ary_components[*]}
 EOF
-    do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-updates ${ary_components[*]}'."
+    do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-updates ${ary_components[*]}'."
 
     if [[ "${var_deb_src}" == "true" ]]; then
 
-      echo "deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
+      echo "deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}" >> "${var_target}/etc/apt/sources.list"
-      do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}'."
+      do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}'."
 
     fi
 
@@ -141,16 +144,16 @@ EOF
   ### Backports Repository
   if [[ "${apt_updates_backports,,}" == "true" ]]; then
 
-    cat << EOF >> "${TARGET}/etc/apt/sources.list"
+    cat << EOF >> "${var_target}/etc/apt/sources.list"
 
 deb ${var_url} ${var_codename}-backports ${ary_components[*]}
 EOF
-    do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-backports ${ary_components[*]}'."
+    do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-backports ${ary_components[*]}'."
 
     if [[ "${var_deb_src,,}" == "true" ]]; then
 
-      echo "deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
+      echo "deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}" >> "${var_target}/etc/apt/sources.list"
-      do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}'."
+      do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}'."
 
     fi
 
@@ -158,32 +161,35 @@ EOF
 
 
   ### Clean up 'sources.list'
-  sed -i '/^#/!s/[[:space:]]\+/ /g' "${TARGET}/etc/apt/sources.list"
+  sed -i '/^#/!s/[[:space:]]\+/ /g' "${var_target}/etc/apt/sources.list"
 
-  cat << EOF >> "${TARGET}/etc/apt/sources.list"
+  cat << EOF >> "${var_target}/etc/apt/sources.list"
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 
 
-  insert_header   "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
+  insert_header   "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
-  insert_comments "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
+  insert_comments "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
-  cat << 'EOF' >> "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
+  cat << 'EOF' >> "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
 Acquire::PDiffs "false";
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
-  sed -i -E 's|^([[:space:]]*)#+|\1//|' "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
+  sed -i -E 's|^([[:space:]]*)#+|\1//|' "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
 
-  insert_header   "${TARGET}/etc/apt/apt.conf.d/91-acquire"
+  insert_header   "${var_target}/etc/apt/apt.conf.d/91-acquire"
-  insert_comments "${TARGET}/etc/apt/apt.conf.d/91-acquire"
+  insert_comments "${var_target}/etc/apt/apt.conf.d/91-acquire"
-  cat << 'EOF' >> "${TARGET}/etc/apt/apt.conf.d/91-acquire"
+  cat << 'EOF' >> "${var_target}/etc/apt/apt.conf.d/91-acquire"
 Acquire::Retries "3";
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
-  sed -i -E 's|^([[:space:]]*)#+|\1//|' "${TARGET}/etc/apt/apt.conf.d/91-acquire"
+  sed -i -E 's|^([[:space:]]*)#+|\1//|' "${var_target}/etc/apt/apt.conf.d/91-acquire"
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_sources
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base/4105_generate_sources_822.sh

@@ -36,8 +36,12 @@ guard_sourcing
 #######################################
 generate_sources822() {
   ### Declare Arrays, HashMaps, and Variables.
-  declare -a ary_components=() ary_types=()
+  declare -a  ary_components=() ary_types=()
-  declare    var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
+  declare     var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
   # shellcheck disable=SC2154 # "${architecture}"
   var_arch="${architecture,,}"
@@ -79,9 +83,9 @@ generate_sources822() {
 
 
   ### Main Repository
-  insert_header   "${TARGET}/etc/apt/sources.list.d/trixie.sources"
+  insert_header   "${var_target}/etc/apt/sources.list.d/trixie.sources"
-  insert_comments "${TARGET}/etc/apt/sources.list.d/trixie.sources"
+  insert_comments "${var_target}/etc/apt/sources.list.d/trixie.sources"
-  cat << EOF >>   "${TARGET}/etc/apt/sources.list.d/trixie.sources"
+  cat << EOF >>   "${var_target}/etc/apt/sources.list.d/trixie.sources"
 #------------------------------------------------------------------------------------------------------------------------------#
 #                                                     OFFICIAL DEBIAN REPOS                                                    #
 #------------------------------------------------------------------------------------------------------------------------------#
@@ -98,9 +102,9 @@ EOF
 
   ### Security Repository
   if [[ "${apt_updates_security,,}" == "true" ]]; then
-    insert_header   "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
+    insert_header   "${var_target}/etc/apt/sources.list.d/trixie-security.sources"
-    insert_comments "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
+    insert_comments "${var_target}/etc/apt/sources.list.d/trixie-security.sources"
-    cat << EOF >>   "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
+    cat << EOF >>   "${var_target}/etc/apt/sources.list.d/trixie-security.sources"
 #------------------------------------------------------------------------------------------------------------------------------#
 #                                                     OFFICIAL DEBIAN REPOS                                                    #
 #------------------------------------------------------------------------------------------------------------------------------#
@@ -117,9 +121,9 @@ EOF
 
   ### Updates Repository
   if [[ "${apt_updates_release,,}" == "true" ]]; then
-    insert_header   "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
+    insert_header   "${var_target}/etc/apt/sources.list.d/trixie-updates.sources"
-    insert_comments "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
+    insert_comments "${var_target}/etc/apt/sources.list.d/trixie-updates.sources"
-    cat << EOF >>   "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
+    cat << EOF >>   "${var_target}/etc/apt/sources.list.d/trixie-updates.sources"
 #------------------------------------------------------------------------------------------------------------------------------#
 #                                                     OFFICIAL DEBIAN REPOS                                                    #
 #------------------------------------------------------------------------------------------------------------------------------#
@@ -137,9 +141,9 @@ EOF
 
   ### Backports Repository
   if [[ "${apt_updates_backports,,}" == "true" ]]; then
-    insert_header   "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
+    insert_header   "${var_target}/etc/apt/sources.list.d/trixie-backports.sources"
-    insert_comments "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
+    insert_comments "${var_target}/etc/apt/sources.list.d/trixie-backports.sources"
-    cat << EOF >>   "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
+    cat << EOF >>   "${var_target}/etc/apt/sources.list.d/trixie-backports.sources"
 #------------------------------------------------------------------------------------------------------------------------------#
 #                                                     OFFICIAL DEBIAN REPOS                                                    #
 #------------------------------------------------------------------------------------------------------------------------------#
@@ -156,30 +160,33 @@ EOF
   fi
 
 
-  if [[ -f "${TARGET}/etc/apt/sources.list" ]]; then
+  if [[ -f "${var_target}/etc/apt/sources.list" ]]; then
-    rm -f "${TARGET}/etc/apt/sources.list"
+    rm -f "${var_target}/etc/apt/sources.list"
   fi
 
 
-  insert_header   "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
+  insert_header   "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
-  insert_comments "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
+  insert_comments "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
-  cat << 'EOF' >> "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
+  cat << 'EOF' >> "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
 Acquire::PDiffs "false";
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
-  sed -i -E 's|^([[:space:]]*)#+|\1//|' "${TARGET}/etc/apt/apt.conf.d/90-no-pdiffs"
+  sed -i -E 's|^([[:space:]]*)#+|\1//|' "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
 
 
-  insert_header   "${TARGET}/etc/apt/apt.conf.d/91-acquire"
+  insert_header   "${var_target}/etc/apt/apt.conf.d/91-acquire"
-  insert_comments "${TARGET}/etc/apt/apt.conf.d/91-acquire"
+  insert_comments "${var_target}/etc/apt/apt.conf.d/91-acquire"
-  cat << 'EOF' >> "${TARGET}/etc/apt/apt.conf.d/91-acquire"
+  cat << 'EOF' >> "${var_target}/etc/apt/apt.conf.d/91-acquire"
 Acquire::Retries "3";
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
-  sed -i -E 's|^([[:space:]]*)#+|\1//|' "${TARGET}/etc/apt/apt.conf.d/91-acquire"
+  sed -i -E 's|^([[:space:]]*)#+|\1//|' "${var_target}/etc/apt/apt.conf.d/91-acquire"
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_sources822
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base/4110_update_sources.sh

@@ -18,7 +18,9 @@ guard_sourcing
 # to suppress the 'update-initramfs'-Kernel-Hooks, according to the initramfs-tools manpage:
 # https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
 # Globals:
+#   RECOVERY
 #   TARGET
+#   VAR_RUN_RECOVERY
 #   apt_updates_policy
 # Arguments:
 #   None
@@ -28,19 +30,23 @@ guard_sourcing
 update_sources() {
   ### Declare Arrays, HashMaps, and Variables.
   declare -r  var_logfile="/root/.ciss/cdi/log/4110_update_sources.log"
+  declare     var_target="${TARGET}"
 
-  chroot_logger "${TARGET}${var_logfile}"
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+  chroot_logger "${var_target}${var_logfile}"
 
   ### Update generated sources.
   # shellcheck disable=SC2312
-  chroot_script "${TARGET}" "apt-get update 2>&1 | tee -a ${var_logfile}; echo ExitCode: \$? >> ${var_logfile}"
+  chroot_script "${var_target}" "apt-get update 2>&1 | tee -a ${var_logfile}; echo ExitCode: \$? >> ${var_logfile}"
   do_log "info" "file_only" "4110() Sources lists: updated successfully."
 
 
   ### Update unattended, security, or no unattended updates at all.
   if [[ "${apt_updates_policy,,}" == "unattended" ]]; then
 
-    chroot_script "${TARGET}" "
+    chroot_script "${var_target}" "
       export INITRD=No
       apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
       echo ExitCode: \$? >> ${var_logfile}
@@ -49,14 +55,14 @@ update_sources() {
 
   elif [[ "${apt_updates_policy,,}" == "security" ]]; then
 
-    chroot_script "${TARGET}" "
+    chroot_script "${var_target}" "
       export INITRD=No
       apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
       echo ExitCode: \$? >> ${var_logfile}
     "
 
     # shellcheck disable=SC2016
-    sed -i 's/^[[:space:]]*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${TARGET}/etc/apt/apt.conf.d/50unattended-upgrades"
+    sed -i 's/^[[:space:]]*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${var_target}/etc/apt/apt.conf.d/50unattended-upgrades"
     do_log "info" "file_only" "4110() The update policy was set at installation time to: '${apt_updates_policy}'."
 
   elif [[ "${apt_updates_policy,,}" == "none" ]]; then
@@ -71,4 +77,7 @@ update_sources() {
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f update_sources
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4420_hardening_fail2ban.sh

@@ -21,6 +21,7 @@ guard_sourcing
 #   VAR_FINAL_FQDN
 #   VAR_FINAL_IPV4
 #   VAR_FINAL_IPV6
+#   VAR_LINK_IPV6
 #   VAR_PROVIDER
 #   VAR_SSH_PORT
 # Arguments:
@@ -49,6 +50,7 @@ EOF
 
   insert_header   "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
   insert_comments "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
+
   if [[ "${#ARY_ALLOW_IPV4[@]}" -gt 0 ]]; then
 
     ### fail2ban ufw aggressive mode, one attempt for jumphost configuration.
@@ -58,10 +60,28 @@ usedns    = yes
 ignoreip  = 127.0.0.0/8 ::1
 # ${VAR_FINAL_FQDN}
   ${VAR_FINAL_IPV4}
+EOF
+
+    if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
+
+      cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
   ${VAR_FINAL_IPV6}/64
+EOF
+    fi
+
+    cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
 # Jumphost
   ${ARY_ALLOW_IPV4[*]}
+EOF
+
+    if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
+
+      cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
   ${ARY_ALLOW_IPV6[*]}
+EOF
+    fi
+
+    cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
 maxretry  = 8
 findtime  = 12h
 bantime   = 12h
@@ -106,7 +126,16 @@ usedns    = yes
 ignoreip  = 127.0.0.0/8 ::1
 # ${VAR_FINAL_FQDN}
   ${VAR_FINAL_IPV4}
+EOF
+
+    if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
+
+      cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
   ${VAR_FINAL_IPV6}/64
+EOF
+    fi
+
+    cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
 maxretry  = 8
 findtime  = 12h
 bantime   = 12h
@@ -146,7 +175,9 @@ EOF
 
   ### Provider Hetzner needs special ignoreip rules.
   if [[ "${VAR_PROVIDER}" == "hetzner" ]]; then
+
     sed -i '0,/^maxretry/{s/^maxretry/# Hetzner Intern\n  172.31.1.1\/16\n&/}' "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
+
   fi
 
   insert_header   "${TARGET}/etc/fail2ban/filter.d/ufw.aggressive.conf"
@@ -211,4 +242,7 @@ EOF
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_fail2ban
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4500_user/4520_accounts_setup.sh

@@ -24,13 +24,14 @@ guard_sourcing
 #   user_root_authentication_access_ssh
 #   user_root_authentication_access_tty
 #   user_root_authentication_password
-#   user_root_password
 #   user_root_shell
+#   user_root_specific
 #   user_root_sshpubkey
 # Arguments:
 #   None
 # Returns:
 #   0: on success
+#   ERR_ACCOUNT_CREATE: on failure
 #######################################
 accounts_setup() {
   ### Declare Arrays, HashMaps, and Variables.
@@ -102,19 +103,28 @@ accounts_setup() {
   do_log "info" "file_only" "4520() Skeleton: 'root' successfully generated."
 
   ### 2) Check SSH access capabilities.
-  case "${user_root_authentication_access_ssh}" in
+  case "${user_root_authentication_access_ssh,,}" in
+
     false)
       sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'no')|" "${TARGET}/etc/ssh/sshd_config"
       do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin no]"
       ;;
+
     true)
       sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'prohibit-password')|" "${TARGET}/etc/ssh/sshd_config"
       do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin prohibit-password]"
       ;;
+
+    *)
+      do_log "fatal" "file_only" "4520() Not set: user_root_authentication_access_ssh [${user_root_authentication_access_ssh}]"
+      return "${ERR_ACCOUNT_CREATE}"
+      ;;
+
   esac
 
   ### 3) Check tty access capabilities.
-  case "${user_root_authentication_access_tty}" in
+  case "${user_root_authentication_access_tty,,}" in
+
     false)
       ### 3) A) 1) Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
       pam_access_sync_login_sshd
@@ -165,33 +175,53 @@ tty1
 EOF
       do_log "info" "file_only" "4520() User: 'root' tty access: [true]"
       ;;
+
+    *)
+      do_log "fatal" "file_only" "4520() Not set: user_root_authentication_access_tty [${user_root_authentication_access_tty}]"
+      return "${ERR_ACCOUNT_CREATE}"
+      ;;
+
   esac
 
   ### 4) Check the password policy for the 'root' account.
-  case "${user_root_authentication_password}" in
+  case "${user_root_authentication_password,,}" in
+
     false)
       chroot_script "${TARGET}" "passwd -l root"
       do_log "info" "file_only" "4520() User: 'root' password access: [false]"
       ;;
+
     true)
       chroot_script "${TARGET}" "printf '%s:%s\n' root '${var_password}' | /usr/sbin/chpasswd -e"
       #chroot_script "${TARGET}" "/usr/sbin/usermod -p '${user_root_password}' root"
       do_log "info" "file_only" "4520() User: 'root' password access: [true]"
       ;;
+
+    *)
+      do_log "fatal" "file_only" "4520() Not set: user_root_authentication_password [${user_root_authentication_password}]"
+      return "${ERR_ACCOUNT_CREATE}"
+      ;;
+
   esac
 
   ### 5) Update the 'root' SSH pubkey, if provided via 'preseed.yaml'.
   if [[ -n "${user_root_sshpubkey:-}" ]]; then
+
     printf "%s\n" "${user_root_sshpubkey}" >| "${TARGET}/root/.ssh/authorized_keys"
     do_log "info" "file_only" "4520() User: 'root' SSH public key: inserted."
+
   fi
 
   ### 6) Update the 'root' 'totp'-policy and write the '.google_authenticator'-file.
   if [[ "${user_root_authentication_2fa_ssh}" == "true" || "${user_root_authentication_2fa_tty}" == "true" ]]; then
+
     write_google_authenticator_file "root" "0" "0"
+
   fi
 
+
   if [[ "${user_root_authentication_2fa_ssh}" == "true" ]]; then
+
     pam_access_totp_enable "root" "sshd"
     var_ssh_totp_update="true"
     cat << EOF >> "${TARGET}/etc/ssh/sshd_config"
@@ -318,6 +348,11 @@ EOF
           "${var_username}"
         ;;
 
+      *)
+        do_log "fatal" "file_only" "4520() Not set: var_restricted:var_system [${var_restricted}:${var_system}]"
+        return "${ERR_ACCOUNT_CREATE}"
+        ;;
+
     esac
 
     ### 1) Prepare the 'user' account.
@@ -365,7 +400,8 @@ EOF
     ### Nothing to do here as per-user SSH capabilities are already handled in '4330_installation_ssh.sh'.
 
     ### 3) Check tty access capabilities.
-    case "${var_access_tty}" in
+    case "${var_access_tty,,}" in
+
       false)
         ### 3) A) 1) Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
         pam_access_sync_login_sshd
@@ -388,33 +424,52 @@ EOF
 
         do_log "info" "file_only" "4520() User: '${var_username}' tty access: [true]"
         ;;
+
+      *)
+        do_log "fatal" "file_only" "4520() Not set: var_access_tty [${var_access_tty}]"
+        return "${ERR_ACCOUNT_CREATE}"
+        ;;
+
     esac
 
     ### 4) Check the password policy for the 'user' account.
     case "${var_auth_pwd}" in
+
       false)
         chroot_script "${TARGET}" "passwd -l ${var_username}"
         do_log "info" "file_only" "4520() User: '${var_username}' password access: [false]"
         ;;
+
       true)
         chroot_script "${TARGET}" "printf '%s:%s\n' \"${var_username}\" '${var_password}' | /usr/sbin/chpasswd -e"
         #chroot_script "${TARGET}" "/usr/sbin/usermod -p '${var_password}' ${var_username}"
         do_log "info" "file_only" "4520() User: '${var_username}' password access: [true]"
         ;;
+
+      *)
+        do_log "fatal" "file_only" "4520() Not set: var_auth_pwd [${var_auth_pwd}]"
+        return "${ERR_ACCOUNT_CREATE}"
+        ;;
+
     esac
 
     ### 5) Update the 'user' SSH pubkey, if provided via 'preseed.yaml'.
     if [[ -n "${var_sshpubkey:-}" ]]; then
+
       printf "%s\n" "${var_sshpubkey}" >| "${TARGET}/home/${var_username}/.ssh/authorized_keys"
       do_log "info" "file_only" "4520() User: '${var_username}' SSH public key: inserted."
+
     fi
 
     ### 6) Update the 'root' 'totp'-policy and write the '.google_authenticator'-file.
     if [[ "${var_2fa_ssh}" == "true" || "${var_2fa_tty}" == "true" ]]; then
+
       write_google_authenticator_file "${var_username}" "${var_uid}" "${var_gid}"
+
     fi
 
     if [[ "${var_2fa_ssh}" == "true" ]]; then
+
       pam_access_totp_enable "${var_username}" "sshd"
       var_ssh_totp_update="true"
       cat << EOF >> "${TARGET}/etc/ssh/sshd_config"
@@ -453,13 +508,17 @@ EOF
   done
 
   if [[ "${var_ssh_totp_update}" == "true" ]]; then
+
     sed -i -E "s|^[[:space:]]*KbdInteractiveAuthentication[[:space:]]+.*$|$(printf '%-29s%s' 'KbdInteractiveAuthentication' 'yes')|" "${TARGET}/etc/ssh/sshd_config"
+
   fi
 
   unset VAR_TEMP_PLAIN_MFA_SEED
 
   if ! grep -Fqx -- '-: ALL:ALL' "${TARGET}/etc/security/access.conf"; then
+
     printf '%s\n' '-: ALL:ALL' >> "${TARGET}/etc/security/access.conf"
+
   fi
 
   printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${TARGET}/etc/security/access.conf"

func/cdi_5000_recovery/5000_debootstrap.sh

@@ -1,73 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-guard_sourcing
-
-#######################################
-# Install a minimal Debian environment using the 'debootstrap' command.
-# Globals:
-#   LOG_REC
-#   RECOVERY
-#   VAR_ARCHITECTURE
-#   VAR_CODENAME
-#   debootstrap_includes
-#   debootstrap_mirror
-# Arguments:
-#   None
-# Returns:
-#   0: on success
-#   ERR_DEBOOTSTRAP
-#######################################
-func_debootstrap_reco() {
-  ### Declare Arrays, HashMaps, and Variables.
-  declare -r var_arch="${VAR_ARCHITECTURE}"
-  declare -r var_dist="${VAR_CODENAME}"
-  declare -r var_target="${RECOVERY}"
-  declare -r var_mirror="${debootstrap_mirror}"
-  declare -r var_includes="${debootstrap_includes}"
-  declare -a ary_cmd=()
-
-  ary_cmd+=( "debootstrap" "--arch=${var_arch}" "--keep-debootstrap-dir" "--log-extra-deps" "--merged-usr" )
-
-  if [[ -n "${var_includes}" ]]; then ary_cmd+=( "--include=${var_includes}" ); fi
-
-  ary_cmd+=( "${var_dist}" "${var_target}" "${var_mirror}" )
-
-  do_log "debug" "file_only" "5000() Executing: [${ary_cmd[*]}]"
-
-  # shellcheck disable=SC2312
-  if "${ary_cmd[@]}" | tee "${LOG_REC}"; then
-
-    do_log "info" "file_only" "5000() [${ary_cmd[*]}] successful."
-
-    install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/backup"
-    install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/debootstrap"
-    install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/hooks"
-    install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/keys"
-    install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/log"
-
-    mv -T "${var_target}/debootstrap" "${var_target}/root/.ciss/cdi/debootstrap"
-
-    chmod 0700 "${var_target}/root/.ciss"
-    chmod 0700 "${var_target}/root/.ciss/cdi"
-    chmod 0700 "${var_target}/root/.ciss/cdi/debootstrap"
-
-    guard_dir && return 0
-
-  else
-
-    do_log "emergency" "file_only" "5000() [${ary_cmd[*]}] failed."
-    return "${ERR_DEBOOTSTRAP}"
-
-  fi
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_5000_recovery/5005_debootstrap_checks.sh

@@ -1,83 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-guard_sourcing
-
-#######################################
-# Preliminary post debootstrap checks.
-# Globals:
-#   RECOVERY
-# Arguments:
-#   None
-# Returns:
-#   0: on success
-#######################################
-check_debootstrap_reco() {
-  ### Declare Arrays, HashMaps, and Variables.
-  declare -r  var_logfile="/root/.ciss/cdi/log/5005_debootstrap_checks.log"
-
-  chroot_logger "${RECOVERY}${var_logfile}"
-
-  chroot_script "${RECOVERY}" "
-    {
-      ### Header
-      echo '==[debootstrap checks]=='
-      date -Is 2>/dev/null || true
-
-      ### dpkg audit (non-fatal)
-      echo '### dpkg --audit'
-      dpkg --audit || true
-
-      ### essential subset (status & version)
-      echo '### dpkg-query essential subset'
-      dpkg-query -W -f='\${db:Status-Abbrev} \${binary:Package} \${Version}\n' dpkg libc6 coreutils bash apt systemd 2>/dev/null || true
-
-      ### init presence (log explicit)
-      echo '### init presence'
-      if [[ -x /sbin/init ]] || [[ -x /lib/systemd/systemd ]]; then
-        echo 'init_present=yes'
-      else
-        echo 'init_present=no'
-      fi
-
-      ### awk path and alternative link (if any)
-      echo '### awk'
-      awk_path=\$(command -v awk || true)
-      printf 'awk_path=%s\n' \"\$awk_path\"
-      if [[ -L /usr/bin/awk ]]; then
-        printf 'awk_link=/usr/bin/awk -> %s\n' \"\$(readlink -f /usr/bin/awk 2>/dev/null || true)\"
-      fi
-
-      ### usr-merge / tainted check
-      echo '### usr-merge / taint'
-      usr_merge_ok=yes
-      for p in /bin /sbin /lib /lib64; do
-        [[ -e \"\$p\" ]] || continue
-        if [[ -L \"\$p\" ]]; then
-          tgt=\$(readlink -f \"\$p\" 2>/dev/null || true)
-          printf '%s -> %s\n' \"\$p\" \"\$tgt\"
-        else
-          usr_merge_ok=no
-          printf '%s is not a symlink (tainted: unmerged-bin)\n' \"\$p\"
-        fi
-      done
-      printf 'usr_merge_ok=%s\n' \"\$usr_merge_ok\"
-
-      ### architecture
-      echo '### architecture'
-      dpkg --print-architecture 2>/dev/null || true
-    } >> ${var_logfile}
-  "
-
-  guard_dir && return 0
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_5000_recovery/5010_prepare_mounts.sh

@@ -1,119 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-guard_sourcing
-
-#######################################
-# Configure the recovery system for chroot.
-# Globals:
-#   ERR_CHRT_MOUNTS
-#   RECOVERY
-#   VAR_CHROOT_ACTIVATED
-#   VAR_NEED_RUN_IN_TARGET
-# Arguments:
-#   None
-# Returns:
-#   ERR_CHRT_MOUNTS
-#   0: on success
-#######################################
-prepare_mounts_reco() {
-
-  ### Notes
-  # This file mounts all necessary pseudo filesystems into the target root environment to enable chroot operations.
-  # --rbind: recursive binding.
-  # --make-rslave: In this case, the mount point is marked as 'slave'.
-  # This means changes to the source mount (e.g., /proc) are propagated to the target mount (e.g., "${RECOVERY}/proc").
-  # Conversely, changes to the target mount are not propagated back to the source mount.
-  # This mode is necessary to avoid problems with double or erroneous propagation effects in chroot or container environments.
-  #
-  # Some subdirectories (such as /dev/pts, /dev/shm, /sys/fs/cgroup) are remounted with more restrictive options
-  # like 'noexec', 'nosuid', and 'nodev' to enhance security. This ensures they override the inherited bind-mounts and
-  # enforce proper runtime behavior in the chroot.
-
-  ### Declare Arrays, HashMaps, and Variables.
-  declare -A  HMP_SPECIAL_MOUNTS=(
-    ["/dev"]="devtmpfs devtmpfs mode=0755,nosuid"                        # Base device node FS
-    ["/dev/pts"]="devpts devpts noexec,nosuid"                           # Pseudoterminals
-    ["/dev/shm"]="tmpfs tmpfs rw,nosuid,nodev"                           # Shared memory
-    ["/dev/mqueue"]="mqueue mqueue rw,nosuid,nodev,noexec"               # POSIX message queues
-    ["/dev/hugepages"]="hugetlbfs hugetlbfs rw,nosuid,nodev"             # Huge pages
-    ["/proc"]="proc proc nosuid,noexec,nodev"                            # procfs
-    ["/sys"]="sysfs sysfs nosuid,noexec,nodev"                           # sysfs
-    ["/sys/fs/cgroup"]="cgroup2 cgroup2 rw,nosuid,nodev,noexec,relatime" # Unified cgroup2
-  )
-
-  declare     var_path="" var_fs="" var_src="" var_opts=""
-
-  for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
-
-    mkdir -p "${RECOVERY}${var_path}"
-
-  done
-
-
-  for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
-
-    IFS=" " read -r var_fs var_src var_opts <<< "${HMP_SPECIAL_MOUNTS[${var_path}]}"
-
-    if mountpoint -q "${RECOVERY}${var_path}"; then
-
-      do_log "info" "file_only" "5010() Skipped: '${RECOVERY}${var_path}' is already a mountpoint."
-      continue
-
-    fi
-
-    if ! mount -t "${var_fs}" "${var_src}" "${RECOVERY}${var_path}" -o "${var_opts}"; then
-
-      do_log "emergency" "file_only" "5010() Command: [mount -t ${var_fs} ${var_src} ${RECOVERY}${var_path} -o ${var_opts}] failed."
-      return "${ERR_CHRT_MOUNTS}"
-
-    fi
-
-    do_log "info" "file_only" "5010() Command: [mount -t ${var_fs} ${var_src} ${RECOVERY}${var_path} -o ${var_opts}] successful."
-
-  done
-
-
-  if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
-
-    mkdir -p "${RECOVERY}/run"
-
-    if ! mount --make-rslave --rbind /run "${RECOVERY}/run"; then
-
-      do_log "emergency" "file_only" "5010() Command: [mount --make-rslave --rbind /run ${RECOVERY}/run] failed."
-      return "${ERR_CHRT_MOUNTS}"
-
-    fi
-
-    do_log "info" "file_only" "5010() Command: [mount --make-rslave --rbind /run ${RECOVERY}/run] successful."
-
-  fi
-
-
-  if ! chroot_exec "${RECOVERY}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
-
-    do_log "emergency" "file_only" "5010() Command: [chroot_exec ${RECOVERY} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
-    return "${ERR_CHRT_MOUNTS}"
-
-  fi
-
-  do_log "info" "file_only" "5010() Command: [chroot_exec ${RECOVERY} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
-
-  mkdir -p "${RECOVERY}/media/cdrom0"
-
-  # shellcheck disable=SC2034
-  declare -gx VAR_CHROOT_ACTIVATED="recovery"
-  do_log "info" "file_only" "5010() Command: [declare -gx VAR_CHROOT_ACTIVATED=recovery]"
-
-  guard_dir && return 0
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_5000_recovery/5015_check_usr_merge.sh

@@ -1,49 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-guard_sourcing
-
-#######################################
-# Check if the recovery system is not 'tainted: unmerged-usr'.
-# Globals:
-#   RECOVERY
-#   architecture
-# Arguments:
-#   None
-# Returns:
-#   0: on success
-#######################################
-check_usr_merge_reco() {
-  ### Declare Arrays, HashMaps, and Variables.
-  declare -r  var_logfile="/root/.ciss/cdi/log/5015_check_usr_merge.log"
-
-  chroot_logger "${RECOVERY}${var_logfile}"
-
-  # shellcheck disable=SC2312
-  chroot_script "${RECOVERY}" "
-    test -L /bin  && test $(readlink -f /bin)  = '/usr/bin'  && echo 'MERGED:/bin'  >> ${var_logfile} || echo 'UNMERGED:/bin'  >> ${var_logfile}
-    test -L /sbin && test $(readlink -f /sbin) = '/usr/sbin' && echo 'MERGED:/sbin' >> ${var_logfile} || echo 'UNMERGED:/sbin' >> ${var_logfile}
-    test -L /lib  && test $(readlink -f /lib)  = '/usr/lib'  && echo 'MERGED:/lib'  >> ${var_logfile} || echo 'UNMERGED:/lib'  >> ${var_logfile}
-    echo ExitCode: \$? >> ${var_logfile}
-  "
-
-  if [[ "${architecture}" == "amd64" ]]; then
-    # shellcheck disable=SC2312
-    chroot_script "${RECOVERY}" "
-      test -L /lib64 && test $(readlink -f /lib64) = '/usr/lib64' && echo 'MERGED:/lib64' >> ${var_logfile} || echo 'UNMERGED:/lib64' >> ${var_logfile}
-      echo ExitCode: \$? >> ${var_logfile}
-    "
-  fi
-
-  guard_dir && return 0
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_5000_recovery/5020_remove_x509.sh

@@ -1,42 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-guard_sourcing
-
-#######################################
-# Chroot hook for deleting all expired X.509 certificates in the recovery system.
-# Globals:
-#   RECOVERY
-#   VAR_SETUP_PATH
-# Arguments:
-#   None
-# Returns:
-#   0: on success
-#######################################
-remove_x509_reco() {
-
-  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/4020_remove_x509.hooks.sh" \
-    "${RECOVERY}/root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh"
-
-  if ! chroot_script "${RECOVERY}" "/root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh" "emergency"; then
-
-    do_log "warn" "file_only" "5020() Command: [chroot_script ${RECOVERY} /root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh emergency] failed."
-
-  else
-
-    do_log "debug" "file_only" "5020() Command: [chroot_script ${RECOVERY} /root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh emergency] successful."
-
-  fi
-
-  guard_dir && return 0
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_5000_recovery/5030_setup_hostname.sh

@@ -1,32 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-guard_sourcing
-
-#######################################
-# Configure the '/etc/hostname' | '/etc/hosts' | '/etc/mailname' files.
-# Globals:
-#   RECOVERY
-#   TARGET
-# Arguments:
-#   None
-# Returns:
-#   0: on success
-#######################################
-setup_hostname_reco() {
-  cp -a "${TARGET}/etc/hosts"    "${RECOVERY}/etc/hosts"
-  cp -a "${TARGET}/etc/hostname" "${RECOVERY}/etc/hostname"
-  cp -a "${TARGET}/etc/mailname" "${RECOVERY}/etc/mailname"
-
-  guard_dir && return 0
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_5000_recovery/5035_setup_resolv.sh

@@ -1,36 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-guard_sourcing
-
-#######################################
-# Configure the '/etc/resolv.conf' file.
-# Globals:
-#   RECOVERY
-#   TARGET
-# Arguments:
-#   None
-# Returns:
-#   0: on success
-#######################################
-setup_resolv_reco() {
-  if [[ -f "${RECOVERY}/etc/resolv.conf" ]]; then
-    mkdir -p "${RECOVERY}/root/.ciss/cdi/backup/etc"
-    mv "${RECOVERY}/etc/resolv.conf" "${RECOVERY}/root/.ciss/cdi/backup/etc/resolv.conf.bak"
-    do_log "info" "file_only" "5035() Existing '${RECOVERY}/etc/resolv.conf' moved."
-  fi
-
-  cp -a "${TARGET}/etc/resolv.conf" "${RECOVERY}/etc/resolv.conf"
-
-  guard_dir && return 0
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_5000_recovery/5040_setup_timezone.sh

@@ -1,39 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-guard_sourcing
-
-#######################################
-# Configure the '/etc/timezone' | '/etc/localtime' files.
-# Globals:
-#   RECOVERY
-#   ntp_timezone
-# Arguments:
-#   None
-# Returns:
-#   0: on success
-#######################################
-setup_timezone_reco() {
-  ### Create '${RECOVERY}/etc/timezone' file.
-  cat << EOF >| "${RECOVERY}/etc/timezone"
-${ntp_timezone:-UTC}
-EOF
-  chmod 0644 "${RECOVERY}/etc/timezone"
-  do_log "info" "file_only" "5040() File generated: '${RECOVERY}/etc/timezone' | timezone '${ntp_timezone:-UTC}'."
-
-  chroot_exec "${RECOVERY}" ln -sf "/usr/share/zoneinfo/${ntp_timezone}" /etc/localtime
-
-  chroot_exec "${RECOVERY}" dpkg-reconfigure -f noninteractive tzdata
-
-  guard_dir && return 0
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_5000_recovery/5050_setup_locales.sh

@@ -1,138 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-guard_sourcing
-
-#######################################
-# Set locale, locale overrides and configure keyboard layout.
-# Globals:
-#   ARY_LOCALE
-#   RECOVERY
-#   VAR_ARCHITECTURE
-#   VAR_CODENAME
-#   VAR_VERSION
-#   locale_country
-#   locale_keyboard_xkb_keymap
-#   locale_language
-#   locale_override_address
-#   locale_override_collate
-#   locale_override_ctype
-#   locale_override_measurement
-#   locale_override_messages
-#   locale_override_monetary
-#   locale_override_name
-#   locale_override_numeric
-#   locale_override_paper
-#   locale_override_telephone
-#   locale_override_time
-# Arguments:
-#   None
-# Returns:
-#   0: on success
-#######################################
-setup_locales_reco() {
-  ### Declare Arrays, HashMaps, and Variables.
-  declare     var_locale_hook="/root/.ciss/cdi/hooks/4050_setup_locales.hooks.sh"
-
-  ### Give priority to '${locale_locale}' over separately configured variables '${locale_country}' and '${locale_language}'.
-  ### If 'locale_locale' is not set, build it from 'locale_language' and 'locale_country'.
-  if [[ -n "${locale_language:-}" && -n "${locale_country:-}" && -z "${ARY_LOCALE[0]:-}" ]]; then
-    ARY_LOCALE+="${locale_language}_${locale_country}.UTF-8"
-  fi
-
-  ### Creat Hook in target.
-  cat << EOF >| "${RECOVERY}${var_locale_hook}"
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-set -Ceuo pipefail
-
-declare -a ary_locale=()
-declare -r locale_0=${ARY_LOCALE[0]:-en_US.UTF-8}
-declare -r locale_1=${ARY_LOCALE[1]:-}
-declare    loc=""
-
-EOF
-
-  cat << 'EOF' >> "${RECOVERY}${var_locale_hook}"
-ary_locale+=( "${locale_0}" )
-[[ -n "${locale_1}" ]] && ary_locale+=( "${locale_1}" )
-
-for loc in "${ary_locale[@]}"; do
-  if ! grep -qx "${loc} UTF-8" /etc/locale.gen; then
-    sed -i "s/^# ${loc} UTF-8/${loc} UTF-8/" /etc/locale.gen || echo "${loc} UTF-8" >> /etc/locale.gen
-  fi
-done
-
-locale-gen --purge "${ary_locale[@]}"
-
-for loc in "${ary_locale[@]}"; do
-  locale_check=$(echo "${loc}" | sed 's/UTF-8/utf8/')
-  if ! locale -a | grep -qx "${locale_check}"; then
-    echo "Locale '${loc}' has not been generated successfully." >&2
-    exit 1
-  fi
-done
-
-EOF
-
-  cat << EOF >> "${RECOVERY}${var_locale_hook}"
-update-locale \
-LANG=${ARY_LOCALE[0]} \
-LC_ADDRESS=${locale_override_address:-${ARY_LOCALE[0]}} \
-LC_COLLATE=${locale_override_collate:-${ARY_LOCALE[0]}} \
-LC_CTYPE=${locale_override_ctype:-${ARY_LOCALE[0]}} \
-LC_MEASUREMENT=${locale_override_measurement:-${ARY_LOCALE[0]}} \
-LC_MESSAGES=${locale_override_messages:-${ARY_LOCALE[0]}} \
-LC_MONETARY=${locale_override_monetary:-${ARY_LOCALE[0]}} \
-LC_NAME=${locale_override_name:-${ARY_LOCALE[0]}} \
-LC_NUMERIC=${locale_override_numeric:-${ARY_LOCALE[0]}} \
-LC_PAPER=${locale_override_paper:-${ARY_LOCALE[0]}} \
-LC_TELEPHONE=${locale_override_telephone:-${ARY_LOCALE[0]}} \
-LC_TIME=${locale_override_time:-${ARY_LOCALE[0]}} \
-LC_IDENTIFICATION=${ARY_LOCALE[0]}
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
-EOF
-  chmod 0700 "${RECOVERY}${var_locale_hook}"
-  chroot_script "${RECOVERY}" "${var_locale_hook}"
-
-  ### Set the keyboard layout for the system (for consoles).
-  insert_header   "${RECOVERY}/etc/default/keyboard"
-  insert_comments "${RECOVERY}/etc/default/keyboard"
-  cat << EOF >>   "${RECOVERY}/etc/default/keyboard"
-# KEYBOARD CONFIGURATION FILE
-# Consult the keyboard(5) manual page.
-
-XKBMODEL="pc105"
-XKBLAYOUT="${locale_keyboard_xkb_keymap}"
-XKBVARIANT=""
-XKBOPTIONS=""
-BACKSPACE="guess"
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
-EOF
-  chmod 0644 "${RECOVERY}/etc/default/keyboard"
-  do_log "info" "file_only" "4050() Keyboard layout updated: 'XKBLAYOUT=${locale_keyboard_xkb_keymap}' -> '${RECOVERY}/etc/default/keyboard'."
-
-  guard_dir && return 0
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_5000_recovery/5105_generate_sources_822.sh

@@ -1,185 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-guard_sourcing
-
-#######################################
-# Generate target '/etc/apt/sources.list.d/' deb.822 entries.
-# Globals:
-#   RECOVERY
-#   apt_contrib
-#   apt_deb_sources
-#   apt_mirror_directory
-#   apt_mirror_hostname
-#   apt_mirror_protocol
-#   apt_non_free
-#   apt_non_free_firmware
-#   apt_sec
-#   apt_updates_backports
-#   apt_updates_release
-#   apt_updates_security
-#   architecture
-#   distribution
-# Arguments:
-#   None
-# Returns:
-#   0: on success
-#######################################
-generate_sources822_reco() {
-  ### Declare Arrays, HashMaps, and Variables.
-  declare -a ary_components=() ary_types=()
-  declare    var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
-
-  # shellcheck disable=SC2154 # "${architecture}"
-  var_arch="${architecture,,}"
-  # shellcheck disable=SC2154 # "${distribution}"
-  var_codename="${distribution,,}"
-  # shellcheck disable=SC2154 # "${apt_deb_sources}"
-  var_deb_src="${apt_deb_sources,,}"
-  # shellcheck disable=SC2154 # "${apt_mirror_directory}"
-  var_dir="${apt_mirror_directory,,}"
-  # shellcheck disable=SC2154 # "${apt_mirror_hostname}"
-  var_hostname="${apt_mirror_hostname,,}"
-  # shellcheck disable=SC2154 # "${apt_sec}"
-  var_hostsecure="${apt_sec,,}"
-
-  ary_components=( "main" )
-  [[ "${apt_contrib,,}" == "true" ]] && ary_components+=( "contrib" )
-  [[ "${apt_non_free,,}" == "true" ]] && ary_components+=( "non-free" )
-  [[ "${apt_non_free_firmware,,}" == "true" ]] && ary_components+=( "non-free-firmware" )
-
-  ary_types=( "deb" )
-  [[ "${apt_deb_sources,,}" == "true" ]] && ary_types+=( "deb-src" )
-
-  if [[ "${apt_mirror_protocol,,}" == "https" ]]; then
-
-    var_url="https://${var_hostname}${var_dir}"
-    var_surl="https://${var_hostsecure}/debian-security"
-
-  elif [[ "${apt_mirror_protocol,,}" == "http" ]]; then
-
-    var_url="http://${var_hostname}${var_dir}"
-    var_surl="http://${var_hostsecure}/debian-security"
-
-  else
-
-    var_url="https://${var_hostname}${var_dir}"
-    var_surl="https://${var_hostsecure}/debian-security"
-
-  fi
-
-
-  ### Main Repository
-  insert_header   "${RECOVERY}/etc/apt/sources.list.d/trixie.sources"
-  insert_comments "${RECOVERY}/etc/apt/sources.list.d/trixie.sources"
-  cat << EOF >>   "${RECOVERY}/etc/apt/sources.list.d/trixie.sources"
-#------------------------------------------------------------------------------------------------------------------------------#
-#                                                     OFFICIAL DEBIAN REPOS                                                    #
-#------------------------------------------------------------------------------------------------------------------------------#
-Types: ${ary_types[*]}
-URIs: ${var_url}
-Suites: ${var_codename}
-Components: ${ary_components[*]}
-Enabled: yes
-Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
-EOF
-
-
-  ### Security Repository
-  if [[ "${apt_updates_security,,}" == "true" ]]; then
-    insert_header   "${RECOVERY}/etc/apt/sources.list.d/trixie-security.sources"
-    insert_comments "${RECOVERY}/etc/apt/sources.list.d/trixie-security.sources"
-    cat << EOF >>   "${RECOVERY}/etc/apt/sources.list.d/trixie-security.sources"
-#------------------------------------------------------------------------------------------------------------------------------#
-#                                                     OFFICIAL DEBIAN REPOS                                                    #
-#------------------------------------------------------------------------------------------------------------------------------#
-Types: ${ary_types[*]}
-URIs: ${var_surl}
-Suites: ${var_codename}-security
-Components: ${ary_components[*]}
-Enabled: yes
-Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
-EOF
-  fi
-
-  ### Updates Repository
-  if [[ "${apt_updates_release,,}" == "true" ]]; then
-    insert_header   "${RECOVERY}/etc/apt/sources.list.d/trixie-updates.sources"
-    insert_comments "${RECOVERY}/etc/apt/sources.list.d/trixie-updates.sources"
-    cat << EOF >>   "${RECOVERY}/etc/apt/sources.list.d/trixie-updates.sources"
-#------------------------------------------------------------------------------------------------------------------------------#
-#                                                     OFFICIAL DEBIAN REPOS                                                    #
-#------------------------------------------------------------------------------------------------------------------------------#
-Types: ${ary_types[*]}
-URIs: ${var_url}
-Suites: ${var_codename}-updates
-Components: ${ary_components[*]}
-Enabled: yes
-Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
-EOF
-  fi
-
-
-  ### Backports Repository
-  if [[ "${apt_updates_backports,,}" == "true" ]]; then
-    insert_header   "${RECOVERY}/etc/apt/sources.list.d/trixie-backports.sources"
-    insert_comments "${RECOVERY}/etc/apt/sources.list.d/trixie-backports.sources"
-    cat << EOF >>   "${RECOVERY}/etc/apt/sources.list.d/trixie-backports.sources"
-#------------------------------------------------------------------------------------------------------------------------------#
-#                                                     OFFICIAL DEBIAN REPOS                                                    #
-#------------------------------------------------------------------------------------------------------------------------------#
-Types: ${ary_types[*]}
-URIs: ${var_url}
-Suites: ${var_codename}-backports
-Components: ${ary_components[*]}
-Enabled: yes
-Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
-EOF
-
-  fi
-
-
-  if [[ -f "${RECOVERY}/etc/apt/sources.list" ]]; then
-    rm -f "${RECOVERY}/etc/apt/sources.list"
-  fi
-
-
-  insert_header   "${RECOVERY}/etc/apt/apt.conf.d/90-no-pdiffs"
-  insert_comments "${RECOVERY}/etc/apt/apt.conf.d/90-no-pdiffs"
-  cat << 'EOF' >> "${RECOVERY}/etc/apt/apt.conf.d/90-no-pdiffs"
-Acquire::PDiffs "false";
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
-EOF
-  sed -i -E 's|^([[:space:]]*)#+|\1//|' "${RECOVERY}/etc/apt/apt.conf.d/90-no-pdiffs"
-
-
-  insert_header   "${RECOVERY}/etc/apt/apt.conf.d/91-acquire"
-  insert_comments "${RECOVERY}/etc/apt/apt.conf.d/91-acquire"
-  cat << 'EOF' >> "${RECOVERY}/etc/apt/apt.conf.d/91-acquire"
-Acquire::Retries "3";
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
-EOF
-  sed -i -E 's|^([[:space:]]*)#+|\1//|' "${RECOVERY}/etc/apt/apt.conf.d/91-acquire"
-
-  guard_dir && return 0
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_5000_recovery/5110_update_sources.sh

@@ -1,74 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-guard_sourcing
-
-#######################################
-# Update generated sources.
-# Every 'apt-get install' command is invoked by adding 'export INITRD=No'
-# to suppress the 'update-initramfs'-Kernel-Hooks, according to the initramfs-tools manpage:
-# https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
-# Globals:
-#   RECOVERY
-#   apt_updates_policy
-# Arguments:
-#   None
-# Returns:
-#   0: on success
-#######################################
-update_sources_reco() {
-  ### Declare Arrays, HashMaps, and Variables.
-  declare -r  var_logfile="/root/.ciss/cdi/log/5110_update_sources.log"
-
-  chroot_logger "${RECOVERY}${var_logfile}"
-
-  ### Update generated sources.
-  # shellcheck disable=SC2312
-  chroot_script "${RECOVERY}" "apt-get update 2>&1 | tee -a ${var_logfile}; echo ExitCode: \$? >> ${var_logfile}"
-  do_log "info" "file_only" "5110() Sources lists: updated successfully."
-
-
-  ### Update unattended, security, or no unattended updates at all.
-  if [[ "${apt_updates_policy,,}" == "unattended" ]]; then
-
-    chroot_script "${RECOVERY}" "
-      export INITRD=No
-      apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
-      echo ExitCode: \$? >> ${var_logfile}
-    "
-    do_log "info" "file_only" "5110() The update policy was set at installation time to: '${apt_updates_policy}'."
-
-  elif [[ "${apt_updates_policy,,}" == "security" ]]; then
-
-    chroot_script "${RECOVERY}" "
-      export INITRD=No
-      apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
-      echo ExitCode: \$? >> ${var_logfile}
-    "
-
-    # shellcheck disable=SC2016
-    sed -i 's/^[[:space:]]*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${RECOVERY}/etc/apt/apt.conf.d/50unattended-upgrades"
-    do_log "info" "file_only" "5110() The update policy was set at installation time to: '${apt_updates_policy}'."
-
-  elif [[ "${apt_updates_policy,,}" == "none" ]]; then
-
-    do_log "info" "file_only" "5110() The update policy was set at installation time to: '${apt_updates_policy}'."
-
-  else
-
-    do_log "warning" "file_only" "5110() Update policy '${apt_updates_policy}': is not supported. Using 'none' as default."
-
-  fi
-
-  guard_dir && return 0
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/etc/chrony/chrony.cnf

@@ -30,4 +30,6 @@ maxupdateskew 100.0
 
 rtcsync
 
-makestep 1 3
+makestep 0.25 3
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

includes/target/etc/skel/.ciss/check_chrony.sh

@@ -0,0 +1,142 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+set -Ceuo pipefail
+
+#######################################
+# Minimal leap-second probe for Debian/chrony systems.
+# - Prints kernel leap flags & TAI offset (ΔAT).
+# - Reads tzdata's leap-seconds list (authoritative TAI-UTC).
+# - Shows chrony tracking summary (incl. leap status).
+# - Demonstrates 23:59:60 rendering via TZ=right/UTC.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+main() {
+  ### 1) System TZ and tzdata source.
+  printf "System TZ link: [%s]\n\n" "$(readlink -f /etc/localtime || true)"
+
+  if [[ -f /usr/share/zoneinfo/leap-seconds.list ]]; then
+
+    declare tz_leap_line tz_tai tz_ntp ts_human
+
+    tz_leap_line="$(awk '($1 !~ /^#/) {L=$0} END{print L}' /usr/share/zoneinfo/leap-seconds.list)"
+    tz_ntp="$(awk '{print $1}' <<<"${tz_leap_line}")"
+    tz_tai="$(awk '{print $2}' <<<"${tz_leap_line}")"
+    ts_human="$(awk -F'#' '{gsub(/^[[:space:]]+/, "", $2); print $2}' <<<"${tz_leap_line}")"
+
+    printf "tzdata ΔAT (TAI-UTC): %s s [last change at: %s; NTP ts: %s]\n\n" "${tz_tai:-?}" "${ts_human:-?}" "${tz_ntp:-?}"
+
+  else
+
+    printf "tzdata leap-seconds.list not found.\n"
+
+  fi
+
+  ### 2) Kernel view (requires adjtimex).
+  if command -v adjtimex >/dev/null 2>&1; then
+
+    printf "Kernel time status (adjtimex -p):\n"
+    adjtimex -p | sed 's/^/  /'
+    declare k_tai
+    k_tai="$(adjtimex -p | awk '/^tai:/ {print $2}')"
+
+    if [[ -n "${k_tai:-}" ]]; then
+
+      printf "Kernel-exported ΔAT [tai]: %s s\n" "${k_tai}"
+
+    fi
+
+  else
+
+    printf "Package: 'adjtimex' not found. Install 'adjtimex' for kernel leap/TAI details.\n\n"
+
+  fi
+
+  ### 3) Chrony summary.
+  if command -v chronyc >/dev/null 2>&1; then
+
+    printf "\n"
+    printf "chronyc tracking:\n"
+    chronyc -n tracking | sed 's/^/  /'
+
+  else
+
+    printf "Package: 'chronyc' not found. Skipping chrony status.\n\n"
+
+  fi
+
+  ### 4) right/UTC demonstration of 23:59:60 (uses 2016-12-31 leap).
+  if [[ -f /usr/share/zoneinfo/right/UTC ]]; then
+
+    printf "\n"
+    printf "right/UTC leap rendering check (expect 23:59:60):\n\n"
+    TZ=right/UTC date -ud '2017-01-01 00:00:00 -1 second' || true
+
+  else
+
+    printf "\n"
+    printf "File: 'tzdata right/UTC' zone not installed; skipping 23:59:60 demo.\n\n"
+
+  fi
+
+  printf "\n"
+  printf "Hint:\n"
+
+  printf "  • ΔAT (TAI-UTC) should match tzdata and kernel (chrony sets kernel TAI if leapsectz/leapseclist is used).\n"
+  printf "  • For monotonic intervals, apps must use CLOCK_MONOTONIC, not CLOCK_REALTIME.\n"
+
+  return 0
+}
+
+### Build right/UTC from tzdata leap table if missing.
+if [[ ! -e /usr/share/zoneinfo/right/UTC ]]; then
+
+  install -d -m 0755 /usr/share/zoneinfo/right
+
+  ### Minimal zic source for a fixed UTC zone.
+  declare -r tmp_src="/tmp/UTC.src"
+  printf 'Zone UTC  0  -  UTC\n' > "${tmp_src}"
+
+  ### Prefer the zic-format leapseconds file.
+  declare leap_zic="/usr/share/zoneinfo/leapseconds"
+
+  if [[ -s "${leap_zic}" ]]; then
+
+    zic -d /usr/share/zoneinfo/right -L "${leap_zic}" "${tmp_src}"
+
+  else
+
+    echo "WARNING: ${leap_zic} not found; building right/UTC without leap info." >&2
+    zic -d /usr/share/zoneinfo/right -L /dev/null "${tmp_src}"
+
+  fi
+
+  rm -f "${tmp_src}"
+
+fi
+
+if [[ -e /usr/share/zoneinfo/right/UTC ]]; then
+
+  ### Expect to see 'Sat Dec 31 23:59:60 UTC 2016' rendered in right/UTC
+  TZ=right/UTC date -ud '2017-01-01 00:00:00 -1 second' || true
+
+fi
+
+main "$@"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/etc/ssh/sshd_config

@@ -64,12 +64,12 @@ GatewayPorts                 no
 ### A+ Rating 100/100
 RequiredRSASize              4096
 Ciphers                      aes256-gcm@openssh.com
-KexAlgorithms                sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512,gss-curve25519-sha256-
+KexAlgorithms                mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512
-HostKeyAlgorithms            sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+HostKeyAlgorithms            ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
 MACs                         hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-CASignatureAlgorithms        rsa-sha2-512,rsa-sha2-256,ssh-ed25519,sk-ssh-ed25519@openssh.com
+CASignatureAlgorithms        rsa-sha2-512,rsa-sha2-256,ssh-ed25519
 GSSAPIKexAlgorithms          gss-curve25519-sha256-,gss-group16-sha512-
-HostbasedAcceptedAlgorithms  sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+HostbasedAcceptedAlgorithms  ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
 PubkeyAcceptedAlgorithms     sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
 
 ### Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)

lib/cdi_0005_guard/0006_source_guard.sh

@@ -12,6 +12,8 @@
 
 #######################################
 # Prevent the file to be sourced twice.
+# Globals:
+#   None
 # Arguments:
 #   1: File to source.
 #######################################

lib/cdi_0005_guard/0007_guard_safe_exec.sh

@@ -14,6 +14,8 @@ guard_sourcing
 
 #######################################
 # Generic safe wrapper for external commands.
+# Globals:
+#   None
 # Arguments:
 #   *: full command (array, quoted!)
 #   2: ERR_CONST on failure

lib/cdi_0005_guard/0008_guard_variable.sh

@@ -16,6 +16,8 @@ guard_sourcing
 # Converts the value of a passed variable to lowercase.
 # Example:
 #   ensure_lowercase "VAR"
+# Globals:
+#   None
 # Arguments:
 #   1: VARIABLE name only
 # Returns:
@@ -40,6 +42,8 @@ readonly -f ensure_lowercase
 # Converts the value of a passed variable to uppercase.
 # Example:
 #   ensure_uppercase "VAR"
+# Globals:
+#   None
 # Arguments:
 #   1: VARIABLE name only
 # Returns:
@@ -64,6 +68,8 @@ readonly -f ensure_uppercase
 # Removes leading and trailing spaces in the value.
 # Example:
 #   ensure_trimmed "VAR"
+# Globals:
+#   None
 # Arguments:
 #   1: VARIABLE name only
 # Returns:
@@ -89,6 +95,8 @@ readonly -f ensure_trimmed
 # Resets the value of the variable to a default value if it is empty or contains only whitespace.
 # Example:
 #   reset_to_default "VAR" "fallback"
+# Globals:
+#   None
 # Arguments:
 #   1: VARIABLE name only
 #   2: Fallback value
@@ -119,6 +127,8 @@ readonly -f reset_to_default
 # Checks whether the content of a variable matches a specific regex.
 # Example:
 #   assert_match "FOO" '^[a-z0-9_-]+$'
+# Globals:
+#   None
 # Arguments:
 #   1: VARIABLE name only
 #   2: Regex in 'single quotes'

lib/cdi_0005_guard/0009_guard_dir.sh

@@ -14,6 +14,8 @@ guard_sourcing
 
 #######################################
 # Function to log a module success message and change pwd to script root.
+# Globals:
+#   None
 # Arguments:
 #   None
 #######################################

lib/cdi_0010_basic/0010_color_echo.sh

@@ -15,9 +15,10 @@ guard_sourcing
 #######################################
 # Print-colored text.
 # Globals:
+#   MAG
 #   NL
 #   RES
-#   WHI
+#   VAR_DIALOG
 # Arguments:
 #   1: Color code.
 #   *: Text to print.
@@ -28,6 +29,9 @@ color_echo() {
   declare msg="${*}"
   printf "%b[INFO]%b%b %s %b%b" "${c}" "${RES}" "${MAG}" "${msg}" "${RES}" "${NL}" | tee -a "${VAR_DIALOG}"
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f color_echo
 
 #######################################
 # Print the current module in plain or colorful format.
@@ -45,4 +49,7 @@ info_echo() {
     color_echo "${GRE}" "MAIN PROGRAM SEQUENCE: ${module} ..."
   fi
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f info_echo
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/cdi_0010_basic/0011_gen_dir_files.sh

@@ -15,11 +15,12 @@ guard_sourcing
 #######################################
 # Creates the DIRs, prepares the files and mounting paths for installation.
 # Globals:
-#   DIR_LOG
 #   LOG_DBS
 #   LOG_ERR
+#   LOG_EXT
 #   LOG_INS
 #   LOG_NIC
+#   LOG_REC
 #   LOG_UID
 #   RECOVERY
 #   TARGET
@@ -54,4 +55,7 @@ gen_dir_files() {
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f gen_dir_files
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/cdi_0010_basic/0012_calculate_runtime.sh

@@ -15,9 +15,8 @@ guard_sourcing
 #######################################
 # Calculates total runtime of the CISS.debian.installer.
 # Globals:
-#   VAR_END_TIME
+#   SECONDS
 #   VAR_SCRIPT_RUNTIME
-#   VAR_START_TIME
 # Arguments:
 #   None
 # Returns:
@@ -33,4 +32,7 @@ calculate_runtime() {
   declare -grx VAR_SCRIPT_RUNTIME="$(printf "%02dh %02dm %02ds" "${var_hours}" "${var_minutes}" "${var_seconds}")"
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f calculate_runtime
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

meta_loader_func.sh

@@ -111,17 +111,6 @@ source_guard "./func/cdi_4600_packages/4630_auditing_packages.sh"
 source_guard "./func/cdi_4900_xtended/4999_exiting_chroot_system.sh"
 
 ### cdi_5000_recovery
-source_guard "./func/cdi_5000_recovery/5000_debootstrap.sh"
-source_guard "./func/cdi_5000_recovery/5005_debootstrap_checks.sh"
-source_guard "./func/cdi_5000_recovery/5010_prepare_mounts.sh"
-source_guard "./func/cdi_5000_recovery/5015_check_usr_merge.sh"
-source_guard "./func/cdi_5000_recovery/5020_remove_x509.sh"
-source_guard "./func/cdi_5000_recovery/5030_setup_hostname.sh"
-source_guard "./func/cdi_5000_recovery/5035_setup_resolv.sh"
-source_guard "./func/cdi_5000_recovery/5040_setup_timezone.sh"
-source_guard "./func/cdi_5000_recovery/5050_setup_locales.sh"
-source_guard "./func/cdi_5000_recovery/5105_generate_sources_822.sh"
-source_guard "./func/cdi_5000_recovery/5110_update_sources.sh"
 source_guard "./func/cdi_5000_recovery/5120_installation_kernel.sh"
 source_guard "./func/cdi_5000_recovery/5121_installation_initramfs.sh"
 source_guard "./func/cdi_5000_recovery/5130_installation_toolset.sh"

upgrades/linux-image/linux_image_clang_options.sh

@@ -11,7 +11,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 set   -o errexit
-set   -o ignoreeof
 set   -o noclobber
 set   -o nounset
 set   -o pipefail
@@ -23,20 +22,219 @@ shopt -u dotglob
 shopt -u extglob
 shopt -u nullglob
 
-declare -gx PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+umask 0077
+
+declare      VAR_BRANCH="${1-}"
+declare -grx VAR_BRANCH="${VAR_BRANCH,,}"
+
 declare -gx IFS=$' \t\n'
-declare -gx PATH="/usr/lib/llvm-18/bin:${PATH}"
+declare -gx PATH="/usr/lib/llvm-18/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-declare -gx LLVM="1"
+declare -gx AR="llvm-ar-18"
 declare -gx CC="clang-18 -target x86_64-linux-gnu"
-declare -gx LD="ld.lld-18"
 declare -gx HOSTCC="clang-18"
 declare -gx HOSTCXX="clang++-18"
-declare -gx AR="llvm-ar-18" NM="llvm-nm-18" OBJCOPY="llvm-objcopy-18" STRIP="llvm-strip-18"
+declare -gx LD="ld.lld-18"
-umask 0022
+declare -gx LLVM="1"
+declare -gx LLVM_IAS="1"
+declare -gx NM="llvm-nm-18"
+declare -gx OBJCOPY="llvm-objcopy-18"
+# shellcheck disable=SC2155
+declare -gx SOURCE_DATE_EPOCH=$(date -ud '2025-10-11 00:00:00Z' +%s)
+declare -gx STRIP="llvm-strip-18"
+unset LOCALVERSION || true
+
+cd "${HOME}"
+if [[ -d "${HOME}/src/kernel" ]]; then
+  rm -rf --one-file-system -- "${HOME}/src/kernel"
+fi
+
+declare -gx DEBIAN_FRONTEND="noninteractive"
+apt-get update -qq
+apt-get install -y \
+  bc \
+  bison \
+  build-essential \
+  clang-18 \
+  dpkg-dev \
+  fakeroot \
+  flex \
+  git \
+  libelf-dev \
+  libncurses-dev \
+  libssl-dev \
+  lld-18 \
+  llvm-18-dev \
+  rsync
+
+#######################################
+# Extract the kernel version from a freshly unpacked 'apt-get source linux' tree.
+# Exports (declare -g):
+#   var_kver_debian = e.g., "6.16.3-1~deb13u1"
+#   var_kver        = e.g., "6.16.3"
+#   var_srcdir      = e.g., "linux-6.16.3"
+# Globals:
+#   var_kver
+#   var_kver_debian
+#   var_srcdir
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   1: on failure
+#######################################
+extract_kver_from_apt_source_linux() {
+  ### Prefer debian/changelog in linux-* (more canonical), then fall back to .dsc.
+  shopt -s nullglob
+
+  ### Try A: from debian/changelog in linux-*/
+  declare -a _srcdirs=(linux-*/)
+
+  if [[ ${#_srcdirs[@]} -ge 1 ]]; then
+
+    ### Pick the first match; in a clean workdir there should be exactly one.
+    declare _dir="${_srcdirs[0]%/}"
+    declare _chg="${_dir}/debian/changelog"
+
+    if [[ -f "${_chg}" ]]; then
+
+      ### Read the first line: "linux (6.x.y-... ) suite; urgency=...".
+      declare _line
+      IFS= read -r _line < "${_chg}" || _line=
+      ### Extract between '(' and ')'
+      ### 1) strip prefix up to '('
+      declare _ver="${_line#*\(}"
+      ### 2) strip suffix after ')'
+      _ver="${_ver%%\)*}"
+
+      ### Debian full version (may include epoch and Debian revision).
+      declare -gx var_kver_debian="${_ver}"
+
+      ### Upstream version (strip optional epoch "N:" and Debian revision "-...").
+      declare _noepoch="${_ver#*:}"           # Drop "1:" if present, else no change.
+      declare -gx var_kver="${_noepoch%%-*}"  # Drop the "-deb" part.
+      declare -gx var_srcdir="${_dir}"
+      shopt -u nullglob
+      return 0
+
+    fi
+
+  fi
+
+  ### Try B: from the .dsc file (fallback).
+  declare -a _dscs=(linux_*.dsc)
+
+  if [[ ${#_dscs[@]} -ge 1 ]]; then
+
+    ### Pick the first .dsc (in a clean workdir there should be exactly one).
+    declare _dsc="${_dscs[0]}"
+    declare _verline _ver
+
+    ### Read the 'Version: ...' line without grep/sed.
+    while IFS= read -r _verline; do
+
+      # shellcheck disable=SC2249
+      case "${_verline}" in
+
+        Version:*)
+          _ver="${_verline#Version: }"
+          break
+          ;;
+
+      esac
+
+    done < "${_dsc}"
+
+    [[ -n "${_ver:-}" ]] || return 1
+
+    declare -gx var_kver_debian="${_ver}"
+    declare _noepoch="${_ver#*:}"
+    declare -gx var_kver="${_noepoch%%-*}"
+
+    ### Best-effort srcdir guess from the upstream part (common unpacking layout).
+    declare _up="${var_kver}"
+
+    if [[ -d "linux-${_up}" ]]; then
+
+      declare -gx var_srcdir="linux-${_up}"
+
+    else
+
+      declare -gx var_srcdir=""
+
+    fi
+
+    shopt -u nullglob
+    return 0
+
+  fi
+
+  ### Nothing found.
+  shopt -u nullglob
+
+  return 1
+}
+# --- Prevents accidental 'unset -f' ------------------------------------------
+# shellcheck disable=SC2034
+readonly -f extract_kver_from_apt_source_linux
+
+# --- Generate skeleton and download sources ----------------------------------
+case "${VAR_BRANCH}" in
+
+  bpo)
+    mkdir -p ~/src/kernel/bpo && cd ~/src/kernel/bpo
+    apt-get source -t trixie-backports linux
+    apt-get -y build-dep -t trixie-backports linux
+    ;;
+
+  security)
+    mkdir -p ~/src/kernel/security && cd ~/src/kernel/security
+    apt-get source -t trixie-security linux
+    apt-get -y build-dep -t trixie-security linux
+    ;;
+
+  *)
+    printf "No valid branch selected.\n"
+    exit 1
+    ;;
+
+esac
+
+extract_kver_from_apt_source_linux
+printf '%b  var_srcdir=%s\n  var_kver_debian=%s\n  var_kver=%s%b\n' '\e[92m' "${var_srcdir:-<none>}" "${var_kver_debian:-<none>}" "${var_kver:-<none>}" '\e[0m'
+
+case "${VAR_BRANCH}" in
+
+  bpo)
+    cd "${HOME}/src/kernel/bpo/${var_srcdir}"
+    ;;
+
+  security)
+    cd "${HOME}/src/kernel/security/${var_srcdir}"
+    ;;
+
+  *)
+    printf "No valid branch selected.\n"
+    exit 1
+    ;;
+
+esac
+
+# --- Identify yourself for Maintainer and Changed-By -------------------------
+declare -gx DEBFULLNAME="Marc S. Weidner"
+declare -gx DEBEMAIL="msw@coresecret.dev"
+
+# --- Embed build user/host in 'uname -v' string of the kernel ----------------
+declare -gx KBUILD_BUILD_USER="msw"
+declare -gx KBUILD_BUILD_HOST="coresecret.dev"
+
+# --- Package/version labelling for Debian packages ---------------------------
+declare -gx KDEB_PKGVERSION="${var_kver}-1ciss0"
+declare -gx KDEB_CHANGELOG_DIST="trixie"
 
 # --- Identity / naming -------------------------------------------------------
 # Ensure unique artifact names in /boot to avoid collisions with Production.
 scripts/config --set-str CONFIG_LOCALVERSION "-rescue"
+scripts/config --disable CONFIG_LOCALVERSION_AUTO
 
 # --- Control-Flow Integrity (Clang kCFI as strict default) -------------------
 # Enable Clang CFI; keep strict (no permissive), keep kCFI as default,
@@ -97,21 +295,21 @@ scripts/config --enable  CONFIG_SATA_AHCI
 scripts/config --enable  CONFIG_BLK_DEV_NVME
 scripts/config --enable  CONFIG_SCSI
 scripts/config --enable  CONFIG_BLK_DEV_SD
+scripts/config --enable  CONFIG_USB_EHCI_HCD
 scripts/config --enable  CONFIG_USB_XHCI_HCD
 scripts/config --enable  CONFIG_USB_STORAGE
 scripts/config --disable CONFIG_ATA_SFF
 scripts/config --disable CONFIG_CHR_DEV_SG
-scripts/config --disable CONFIG_USB_EHCI_HCD
 
 # --- Device-mapper and software RAID (rescue on unknown hosts) ---------------
 scripts/config --enable  CONFIG_BLK_DEV_DM
 scripts/config --enable  CONFIG_DM_CRYPT
 scripts/config --enable  CONFIG_DM_MOD
-scripts/config --disable CONFIG_MD_RAID1
+scripts/config --enable  CONFIG_MD_RAID1
-scripts/config --disable CONFIG_MD_RAID10
+scripts/config --enable  CONFIG_MD_RAID10
-scripts/config --disable CONFIG_MD_RAID456
+scripts/config --enable  CONFIG_MD_RAID456
-scripts/config --disable CONFIG_BLK_DEV_MD
+scripts/config --enable  CONFIG_BLK_DEV_MD
-scripts/config --disable CONFIG_MD
+scripts/config --enable  CONFIG_MD
 scripts/config --disable CONFIG_MD_AUTODETECT
 
 # --- Do not allow device-mapper table creation from the kernel command line --
@@ -142,8 +340,8 @@ scripts/config --enable  CONFIG_VLAN_8021Q
 scripts/config --disable CONFIG_BRIDGE
 scripts/config --disable CONFIG_BONDING
 scripts/config --disable CONFIG_BNX2X
-scripts/config --disable CONFIG_IGC
+scripts/config --enable  CONFIG_IGC
-scripts/config --disable CONFIG_R8169
+scripts/config --enable  CONFIG_R8169
 
 # --- Virtualization ----------------------------------------------------------
 scripts/config --enable  CONFIG_HW_RANDOM_VIRTIO
@@ -158,7 +356,6 @@ scripts/config --enable  CONFIG_VIRTIO_PCI
 scripts/config --enable  CONFIG_VIRTIO_SCSI
 scripts/config --disable CONFIG_HYPERV
 scripts/config --disable CONFIG_VIRTIO_GPU
-scripts/config --disable CONFIG_VMXNET3
 scripts/config --disable CONFIG_XEN
 
 # --- Media, Sound, Wireless --------------------------------------------------
@@ -169,7 +366,8 @@ scripts/config --disable CONFIG_NFC
 scripts/config --disable CONFIG_SND
 
 # --- Disable entire DRM/GPU graphics stack -----------------------------------
-scripts/config --disable CONFIG_DRM
+scripts/config --enable  CONFIG_DRM
+scripts/config --enable  CONFIG_DRM_SIMPLEDRM
 scripts/config --disable CONFIG_DRM_AMDGPU
 scripts/config --disable CONFIG_DRM_BRIDGE
 scripts/config --disable CONFIG_DRM_FBDEV_EMULATION
@@ -179,7 +377,6 @@ scripts/config --disable CONFIG_DRM_NOUVEAU
 scripts/config --disable CONFIG_DRM_PANEL
 scripts/config --disable CONFIG_DRM_QXL
 scripts/config --disable CONFIG_DRM_RADEON
-scripts/config --disable CONFIG_DRM_SIMPLEDRM
 scripts/config --disable CONFIG_DRM_VIRTIO_GPU
 scripts/config --disable CONFIG_DRM_VMWGFX
 
@@ -298,6 +495,83 @@ scripts/config --disable CONFIG_PINCTRL
 # --- Disable any other features ----------------------------------------------
 scripts/config --disable CONFIG_TEGRA_HOST1X
 
+# --- Harden memory permissions and control-flow ------------------------------
+scripts/config --enable  CONFIG_STRICT_KERNEL_RWX
+scripts/config --enable  CONFIG_DEBUG_WX
+scripts/config --enable  CONFIG_VMAP_STACK
+scripts/config --enable  CONFIG_FORTIFY_SOURCE
+scripts/config --enable  CONFIG_REFCOUNT_FULL
+scripts/config --enable  CONFIG_STACKPROTECTOR
+scripts/config --enable  CONFIG_STACKPROTECTOR_STRONG
+scripts/config --enable  CONFIG_INIT_STACK_ALL_ZERO
+scripts/config --enable  CONFIG_RANDOMIZE_BASE
+scripts/config --enable  CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT
+
+# --- Allocator hardening -----------------------------------------------------
+scripts/config --enable  CONFIG_SLAB_FREELIST_RANDOM
+scripts/config --enable  CONFIG_SLAB_FREELIST_HARDENED
+scripts/config --disable CONFIG_SLAB_MERGE_DEFAULT
+scripts/config --enable  CONFIG_SHUFFLE_PAGE_ALLOCATOR
+
+# --- LSM / Lockdown ----------------------------------------------------------
+scripts/config --enable  CONFIG_SECURITY_LOCKDOWN_LSM
+scripts/config --enable  CONFIG_SECURITY_LOCKDOWN_LSM_EARLY
+scripts/config --enable  CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
+scripts/config --enable  CONFIG_SECURITY_YAMA
+scripts/config --enable  CONFIG_SECURITY_LANDLOCK
+
+# --- IOMMU / DMA -------------------------------------------------------------
+scripts/config --enable  CONFIG_EFI_DISABLE_PCI_DMA
+scripts/config --enable  CONFIG_IOMMU_SUPPORT
+scripts/config --enable  CONFIG_IOMMU_DEFAULT_DMA_STRICT
+scripts/config --enable  CONFIG_INTEL_IOMMU
+scripts/config --enable  CONFIG_INTEL_IOMMU_DEFAULT_ON
+scripts/config --enable  CONFIG_AMD_IOMMU
+scripts/config --enable  CONFIG_AMD_IOMMU_V2
+
+# --- Page table isolation and checks -----------------------------------------
+scripts/config --enable  CONFIG_MITIGATION_PAGE_TABLE_ISOLATION
+scripts/config --enable  CONFIG_PAGE_TABLE_CHECK
+scripts/config --enable  CONFIG_PAGE_TABLE_CHECK_ENFORCED
+
+# --- UBSAN / KFENCE (low overhead) -------------------------------------------
+scripts/config --enable  CONFIG_UBSAN
+scripts/config --enable  CONFIG_UBSAN_TRAP
+scripts/config --enable  CONFIG_UBSAN_BOUNDS
+scripts/config --enable  CONFIG_UBSAN_LOCAL_BOUNDS
+scripts/config --enable  CONFIG_KFENCE
+
+# --- x86 specifics -----------------------------------------------------------
+scripts/config --enable  CONFIG_X86_KERNEL_IBT
+scripts/config --enable  CONFIG_CFI_CLANG
+scripts/config --disable CONFIG_X86_VSYSCALL_EMULATION
+scripts/config --enable  CONFIG_LEGACY_VSYSCALL_NONE
+
+# --- Remove legacy debug / attack surfaces -----------------------------------
+scripts/config --disable CONFIG_DEVMEM
+scripts/config --enable  CONFIG_STRICT_DEVMEM
+scripts/config --enable  CONFIG_IO_STRICT_DEVMEM
+scripts/config --disable CONFIG_DEVKMEM
+scripts/config --disable CONFIG_DEBUG_FS
+scripts/config --disable CONFIG_PROC_KCORE
+
+# --- Optional, stricter ------------------------------------------------------
+scripts/config --enable  CONFIG_PANIC_ON_OOPS
+scripts/config --set-val CONFIG_PANIC_TIMEOUT -1
+
+make olddefconfig
+
+make -s kernelrelease
+grep -E '^(CONFIG_LOCALVERSION|CONFIG_LOCALVERSION_AUTO)=' .config || true
+env | grep -E '^LOCALVERSION=' || true
+
+touch build.log
+
+# shellcheck disable=SC2312
+if make -j"$(nproc)" bindeb-pkg 2>&1 | tee build.log; then
+  printf '%bBuild successful%b\n' '\e[92m' '\e[0m'
+fi
+
 exit 0
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

var/errors.var.sh

@@ -58,6 +58,7 @@ declare -girx ERR_READ_SEED_FILE=215    # Error reading the mfa TOTP seed file.
 declare -girx ERR_VERIFY_VISUDO=214     # Error verification by 'visudo'.
 declare -girx ERR_VERIFY_LOGROTATE=213  # Error verification by 'logrotate'.
 declare -girx ERR_READ_AUTH_FILE=212    # Error reading the Luks Backup auth token file.
+declare -girx ERR_ACCOUNT_CREATE=211    # Error creating user accounts.
 
 ### Definition of error trap vars.
 declare -gx ERRCODE=""                  # = $?                   = $1 = ERRCODE

var/global.var.sh

@@ -53,6 +53,7 @@ declare -grx TARGET="/target"
 declare -grx RECOVERY="/recovery"
 declare -grx VAR_SAFE_MNT_BASE="/run/ciss/bootstrap"
 declare -gx  VAR_NEED_RUN_IN_TARGET="false"
+declare -gx  VAR_RUN_RECOVERY="false"
 
 ### Default chroot debug policy.
 declare -gx VAR_CHROOT_DEBUG="false"