V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/partitioning.yaml

@@ -9,38 +9,31 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 recipe:
-  guben0afx256r:
+  guben0afx256r:               # g=GPT || m=MBR
-    active: true
+                               # u=UEFI || b=BIOS
+                               # b=btrfs || 4=ext4 only
+                               # e=ephemeral "/tmp" and "SWAP" || n=non-ephemeral "/tmp" and "SWAP" (yet not supported)
+                               # n0=non RAID || m6=mdadm RAID6 || m5=mdadm RAID5 || b1=btrfs RAID1 (yet not supported)
+                               # a="/dev/sda" only setup || b="/dev/sdb" || c="/dev/sdc" and so forth
+                               # f=fixed size || a=automatic size (yet not supported)
+                               # x256=size of device in GiB
+                               # r=rescue partition || n=no rescue partition
+    active: true               # Choose this recipe.
     control:
-      ### g=GPT || m=MBR
+      description: "CISS 2025 - GPT - BTRFS - Ephemeral - non RAID - 256GiB - rescue"
-      ### u=UEFI || b=BIOS
+      firmware: "UEFI"         # MUST be "UEFI" for "gpt" || "BIOS":
-      ### b=btrfs || 4=ext4 only
+      id: "guben0afx256r"      # MUST be equal to the second part of the recipe-variables string.
-      ### e=ephemeral "/tmp" and "SWAP" || n=non-ephemeral "/tmp" and "SWAP" (yet not supported)
-      ### n0=non RAID || m6=mdadm RAID6 || m5=mdadm RAID5 || b1=btrfs RAID1
-      ### a="/dev/sda" only setup || b="/dev/sdb" || c="/dev/sdc" and so forth
-      ### f=fixed size || a=automatic size
-      ### x256=size of device in GiB
-      ### r=rescue partition || n=no rescue partition
-      description: "Default: CISS 2025 - GPT - BTRFS - Ephemeral - non RAID - 256GiB - rescue"
-      ### MUST be "UEFI" for "gpt" || "BIOS":
-      firmware: "UEFI"
-      ### MUST be equal to the second part of the recipe-variables string.
-      id: "guben0afx256r"
       name: "ciss.2025.gpt.btrfs.ephemeral.non-raid.256GiB.rescue"
-      ### mdadm RAID settings only (not yet supported)
+      raid:                    # mdadm RAID settings only (not yet supported).
-      raid:
         enable: false
         disks:
           member: 4
           spare: 1
-        ### Only Level "1", "5", "6" and "10" are supported
+        level: 6               # Only Level "1", "5", "6" and "10" are supported.
-        level: 6
+      table: "gpt"             # MUST be "gpt" for "UEFI" || "msdos":
-      ### MUST be "gpt" for "UEFI" || "msdos":
+      syntax: true             # This is set to "false" by default, otherwise if the recipe is tested by the authors to "true".
-      table: "gpt"
-      ### Only set to "true" if the recipe is tested by the authors. Otherwise, this is set to "false" by default.
-      syntax: true
       ### Version of the specific recipe.
-      version: "1.1.1"
+      version: "1.1.2"
     dev:
       sda:
         1:
@@ -48,14 +41,10 @@ recipe:
           end: "512MiB"
           bootable: true
           encryption:
-            ### MUST be "false" for "/boot/efi":
+            enable: false      # MUST be "false" for "/boot/efi"
-            enable: false
+            ephemeral: false   # MUST be "false" for "/boot/efi"
-            ### MUST be "false" for "/boot/efi":
+            integrity: false   # MUST be "false" for "/boot/efi"
-            ephemeral: false
+            nuke: false        # MUST be "false" for "/boot/efi"
-            ### MUST be "false" for "/boot/efi":
-            integrity: false
-            ### MUST be "false" for "/boot/efi":
-            nuke: false
             cipher: ""
             hash: ""
             itertime: ""
@@ -77,8 +66,8 @@ recipe:
             options: ""
             version: "fat32"
           mount:
-            enable: true
+            enable: true       # MUST be "true" for "/boot/efi"
-            options: "defaults,nodev,nosuid,noexec,umask=0077"
+            options: "umask=0077,uid=0,gid=0"
             optsnap: ""
             path: "/boot/efi"
           primary: primary
@@ -88,10 +77,8 @@ recipe:
           bootable: false
           encryption:
             enable: true
-            ### MUST be "false" for "/boot":
+            ephemeral: false   # MUST be "false" for "/boot"
-            ephemeral: false
+            integrity: false   # MUST be "false" for "/boot"
-            ### MUST be "false" for "/boot":
-            integrity: false
             nuke: true
             cipher: "aes-xts-plain64"
             hash: "sha512"
@@ -99,8 +86,7 @@ recipe:
             key: "512"
             label: "crypt_boot"
             metadatasize: "32MiB"
-            ### MUST be "pbkdf" for "/boot":
+            pbkdf: "pbkdf"     # MUST be "pbkdf" for "/boot"
-            pbkdf: "pbkdf"
             rng: "use-random"
           filesystem:
             btrfs:
@@ -115,8 +101,7 @@ recipe:
             label: "btrfs_boot"
             options: ""
           mount:
-            ### MUST be "true" for "/boot":
+            enable: true       # MUST be "true" for "/boot"
-            enable: true
             options: "defaults,nodev,nosuid,noexec,noatime,compress=no,discard=async,subvol=@boot"
             optsnap: ""
             path: "/boot"
@@ -161,14 +146,10 @@ recipe:
           end: "8GiB"
           bootable: false
           encryption:
-            ### MUST be "true" for ephemeral "SWAP":
+            enable: true       # MUST be "true" for ephemeral "SWAP"
-            enable: true
+            ephemeral: true    # MUST be "true" for ephemeral "SWAP"
-            ### MUST be "true" for ephemeral "SWAP":
+            integrity: false   # MUST be "false" for ephemeral "SWAP"
-            ephemeral: true
+            nuke: false        # MUST be "false" for ephemeral "SWAP"
-            ### MUST be "false" for ephemeral "SWAP":
-            integrity: false
-            ### MUST be "false" for ephemeral "SWAP":
-            nuke: false
             cipher: "aes-xts-plain64"
             hash: "sha512"
             itertime: "3000"
@@ -186,11 +167,9 @@ recipe:
               subvolume: ""
               snapshot: ""
             format: true
-            ### MUST be "crypt_swap_ephem" for "SWAP":
+            label: "host_swap" # MUST be "host_swap" for ephemeral "SWAP"
-            label: "crypt_swap_ephem"
             options: ""
-            ### MUST be "ext4" for ephemeral "SWAP":
+            version: "ext4"    # MUST be "ext4" for ephemeral "SWAP"
-            version: "ext4"
           mount:
             enable: true
             options: "defaults,discard"
@@ -202,14 +181,10 @@ recipe:
           end: "10GiB"
           bootable: false
           encryption:
-            ### MUST be "true" for ephemeral "/tmp":
+            enable: true       # MUST be "true" for ephemeral "/tmp"
-            enable: true
+            ephemeral: true    # MUST be "true" for ephemeral "/tmp"
-            ### MUST be "true" for ephemeral "/tmp":
+            integrity: false   # MUST be "false" for ephemeral "/tmp"
-            ephemeral: true
+            nuke: false        # MUST be "false" for ephemeral "/tmp"
-            ### MUST be "false" for ephemeral "/tmp":
-            integrity: false
-            ### MUST be "false" for ephemeral "/tmp":
-            nuke: false
             cipher: "aes-xts-plain64"
             hash: "sha512"
             itertime: "3000"
@@ -227,11 +202,9 @@ recipe:
               subvolume: ""
               snapshot: ""
             format: true
-            ### MUST be "crypt_tmp_ephem" for ephemeral "/tmp"
+            label: "host_tmp"  # MUST be "host_tmp" for ephemeral "/tmp"
-            label: "crypt_tmp_ephem"
             options: ""
-            ### MUST be "ext4" for ephemeral "/tmp"
+            version: "ext4"    # MUST be "ext4" for ephemeral "/tmp"
-            version: "ext4"
           mount:
             enable: true
             options: "defaults,rw,nodev,nosuid,noatime,discard,mode=1777"

.preseed/preseed.yaml

@@ -91,9 +91,9 @@ image: "linux-image-amd64"     # Could be a meta-package or a specific image lik
                                # "linux-image-6.12.30+bpo-amd64"
 firmware:
   install: true                # If non-free firmware is needed for the network or other hardware, autoinstall it.
-  lookup: "missing"            # "never"   Completely disables the firmware search.
+  lookup: "missing"            # - "never"   Completely disables the firmware search.
-                               # "missing" Searches only when the firmware is needed. (default)
+                               # - "missing" Searches only when the firmware is needed. (default)
-                               # "always"  Always searches and asks for any firmware that could be useful for the hardware.
+                               # - "always"  Always searches and asks for any firmware that could be useful for the hardware.
 
 ################################################################################################################################
 # GRUB2 settings
@@ -115,13 +115,13 @@ grub:
                                # matter how buggy, will boot GRUB that way.
                                #
                                # Warning: If the installer failed to detect another operating system that is present on your
-                               # computer that also depends on this fallback, installing GRUB there will make that operating
+                               # computer that also depends on this fallback, installing GRUB there will make that OS
-                               # system temporarily unbootable. GRUB can be manually configured later to boot it if necessary.
+                               # temporarily unbootable. GRUB can be manually configured later to boot it if necessary.
   latest: true                 # Install the latest GRUB2 backported package for encrypted '/boot' support.
                                # MUST be "true" in the case of 'LUKS2' and / or 'dm-integrity' encrypted '/boot'
   only_debian: true            # This is fairly safe to set; it makes grub install automatically to the UEFI partition '/boot'
                                # record if no other operating system is detected on the machine.
-  other-os: true               # This one makes grub-installer install to the UEFI partition '/boot' record, if it also finds
+  other-os: true               # This one makes grub-installer install to the UEFI partition '/boot' record if it also finds
                                # some other OS, which is less safe as it might not be able to boot that other OS.
   prober: false                # OS-prober did not detect any other operating systems on your computer at this time, but you
                                # may still wish to enable it in case you install more in the future.

func/1030_check_nic.sh

@@ -19,7 +19,7 @@ guard_sourcing
 # Arguments:
 #  None
 #######################################
-2030_check_nic() {
+check_nic() {
   ip -o link show | awk -F': ' '{print $2}' | sed 's!lo!!' | sed '/^$/d' | awk '{$1=$1};1' >| "${DIR_TMP}nic.tmp"
   declare var_counter=1
   declare var_line=""

func/1081_helper_grub.sh

@@ -26,7 +26,7 @@ guard_sourcing
 # Arguments:
 #   None
 #######################################
-2040_grub_extract_current_string() {
+grub_extract_current_string() {
   # shellcheck disable=SC2155
   declare -gx VAR_ORIG_GRUB_CMDLINE_LINUX=$(grep -E 'VAR_GRUB_CMDLINE_LINUX=' "${TARGET}/etc/default/grub")
   # shellcheck disable=SC2155
@@ -49,7 +49,7 @@ guard_sourcing
 # Arguments:
 #   None
 #######################################
-2040_grub_finalize_string() {
+grub_finalize_string() {
   VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX}${VAR_H}"
   VAR_GRUB_CMDLINE_LINUX_DEFAULT="${VAR_GRUB_CMDLINE_LINUX_DEFAULT}${VAR_H}"
   sed -i "s/$VAR_ORIG_GRUB_CMDLINE_LINUX/$VAR_GRUB_CMDLINE_LINUX/" "${TARGET}/etc/default/grub"

lib/0010_guard_sourcing.sh

@@ -20,7 +20,7 @@
 # Returns:
 #   0: Returns '0' in both cases as they are intended to be successful.
 #######################################
-1007_guard_sourcing() {
+guard_sourcing() {
   ### Determine the caller script (the library being sourced).
   declare var_src="${1:-${BASH_SOURCE[1]}}"
   ### Strip path, keep only filename