V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4000_debootstrap/4000_debootstrap.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Install a minimal Debian environment using the 'debootstrap' command.
+# Globals:
+#   LOG_DBS
+#   TARGET
+#   architecture
+#   debootstrap_includes
+#   debootstrap_mirror
+#   distribution
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   ERR_DEBOOTSTRAP
+#######################################
+func_debootstrap() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r var_arch="${architecture}"
+  declare -r var_dist="${distribution}"
+  declare -r var_target="${TARGET}"
+  declare -r var_mirror="${debootstrap_mirror}"
+  declare -r var_includes="${debootstrap_includes}"
+
+  declare -a ary_cmd=( "debootstrap" "--arch=${var_arch}" "${var_dist}" )
+
+  if [[ -n "${var_includes}" ]]; then ary_cmd+=( "--include=${var_includes}" ); fi
+
+  ary_cmd+=( "${var_target}" "${var_mirror}" )
+
+  do_log "debug" "file_only" "4000() Executing: [${ary_cmd[*]}]"
+
+  # shellcheck disable=SC2312
+  if "${ary_cmd[@]}" | tee "${LOG_DBS}"; then
+
+    do_log "info" "file_only" "4000() [${ary_cmd[*]}] successful."
+    install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/hooks"
+    return 0
+
+  else
+
+    do_log "emergency" "file_only" "4000() [${ary_cmd[*]}] failed."
+    return "${ERR_DEBOOTSTRAP}"
+
+  fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4010_prepare_mounts.sh

@@ -0,0 +1,114 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Configure the target system for chroot.
+# Globals:
+#   ERR_CHRT_MOUNTS
+#   TARGET
+#   VAR_CHROOT_ACTIVATED
+#   VAR_NEED_RUN_IN_TARGET
+# Arguments:
+#   None
+# Returns:
+#   ERR_CHRT_MOUNTS
+#   0: on success
+#######################################
+configure_system() {
+
+  ### Notes
+  # This file mounts all necessary pseudo filesystems into the target root environment to enable chroot operations.
+  # --rbind: recursive binding.
+  # --make-rslave: In this case, the mount point is marked as 'slave'.
+  # This means changes to the source mount (e.g., /proc) are propagated to the target mount (e.g., "${TARGET}/proc").
+  # Conversely, changes to the target mount are not propagated back to the source mount.
+  # This mode is necessary to avoid problems with double or erroneous propagation effects in chroot or container environments.
+  #
+  # Some subdirectories (such as /dev/pts, /dev/shm, /sys/fs/cgroup) are remounted with more restrictive options
+  # like 'noexec', 'nosuid', and 'nodev' to enhance security. This ensures they override the inherited bind-mounts and
+  # enforce proper runtime behavior in the chroot.
+
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -A  HMP_SPECIAL_MOUNTS=(
+    ["/dev"]="devtmpfs devtmpfs mode=0755,nosuid"                        # Base device node FS
+    ["/dev/pts"]="devpts devpts noexec,nosuid"                           # Pseudoterminals
+    ["/dev/shm"]="tmpfs tmpfs rw,nosuid,nodev"                           # Shared memory
+    ["/dev/mqueue"]="mqueue mqueue rw,nosuid,nodev,noexec"               # POSIX message queues
+    ["/dev/hugepages"]="hugetlbfs hugetlbfs rw,nosuid,nodev"             # Huge pages
+    ["/proc"]="proc proc nosuid,noexec,nodev"                            # procfs
+    ["/sys"]="sysfs sysfs nosuid,noexec,nodev"                           # sysfs
+    ["/sys/fs/cgroup"]="cgroup2 cgroup2 rw,nosuid,nodev,noexec,relatime" # Unified cgroup2
+  )
+
+  declare     var_path="" var_fs="" var_src="" var_opts=""
+
+  for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
+
+    mkdir -p "${TARGET}${var_path}"
+
+  done
+
+  for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
+
+    IFS=" " read -r var_fs var_src var_opts <<< "${HMP_SPECIAL_MOUNTS[${var_path}]}"
+
+    if mountpoint -q "${TARGET}${var_path}"; then
+
+      do_log "info" "file_only" "4010() Skipped: '${TARGET}${var_path}' is already a mountpoint."
+      continue
+
+    fi
+
+    if ! mount -t "${var_fs}" "${var_src}" "${TARGET}${var_path}" -o "${var_opts}"; then
+
+      do_log "emergency" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] failed."
+      return "${ERR_CHRT_MOUNTS}"
+
+    fi
+
+    do_log "info" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] successful."
+
+  done
+
+  if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
+
+    mkdir -p "${TARGET}/run"
+
+    if ! mount --make-rslave --rbind /run "${TARGET}/run"; then
+
+      do_log "emergency" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${TARGET}/run] failed."
+      return "${ERR_CHRT_MOUNTS}"
+
+    fi
+
+    do_log "info" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${TARGET}/run] successful."
+
+  fi
+
+  if ! do_in_target "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
+
+    do_log "emergency" "file_only" "4010() Command: [do_in_target ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
+    return "${ERR_CHRT_MOUNTS}"
+
+  fi
+
+  do_log "info" "file_only" "4010() Command: [do_in_target ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
+
+  # shellcheck disable=SC2034
+  declare -gx VAR_CHROOT_ACTIVATED="system"
+  do_log "info" "file_only" "4010() Command: [declare -gx VAR_CHROOT_ACTIVATED=system]"
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4020_remove_expired_certificates.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Chroot hook for deleting all expired X.509 certificates in the target system.
+# Globals:
+#   TARGET
+#   VAR_SETUP_PATH
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+expired_certs() {
+
+  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/1000_deleting_invalid_x509.sh" \
+    "${TARGET}/root/.ciss/cdi/hooks/1000_deleting_invalid_x509.sh"
+
+
+  if ! do_in_target_script "${TARGET}" "/root/.ciss/cdi/hooks/1000_deleting_invalid_x509.sh" "emergency"; then
+
+    do_log "warn" "file_only" "4020() Command: [do_in_target_script ${TARGET} /root/.ciss/cdi/hooks/1000_deleting_invalid_x509.sh emergency] failed."
+
+  else
+
+    do_log "debug" "file_only" "4020() Command: [do_in_target_script ${TARGET} /root/.ciss/cdi/hooks/1000_deleting_invalid_x509.sh emergency] successful."
+
+  fi
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4030_setup_hostname.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Configure the '/etc/hostname' | '/etc/hosts' | '/etc/mailname' files.
+# Globals:
+#   TARGET
+#   VAR_FINAL_FQDN
+#   VAR_FINAL_IPV4
+#   VAR_FINAL_IPV6
+#   VAR_LINK_IPV6
+#   network_ipv6
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+setup_hostname() {
+  ### Create '${TARGET}/etc/hostname' file.
+  cat << EOF >| "${TARGET}/etc/hostname"
+${VAR_FINAL_FQDN}
+EOF
+  chmod 0644 "${TARGET}/etc/hostname"
+  do_log "info" "file_only" "4030() File generated: '${TARGET}/etc/hostname' | hostname '${VAR_FINAL_FQDN}'."
+
+
+  ### Create '${TARGET}/etc/mailname' file.
+  cat << EOF >| "${TARGET}/etc/mailname"
+${VAR_FINAL_FQDN}
+EOF
+  chmod 0644 "${TARGET}/etc/mailname"
+  do_log "info" "file_only" "4030() File generated: '${TARGET}/etc/mailname' | mailname '${VAR_FINAL_FQDN}'."
+
+
+  ### Generate '${TARGET}/etc/hosts' basic IPv4 entries
+  cat << EOF >| "${TARGET}/etc/hosts"
+127.0.0.1 localhost
+${VAR_FINAL_IPV4} ${VAR_FINAL_FQDN}
+
+EOF
+  chmod 0644 "${TARGET}/etc/hosts"
+  do_log "info" "file_only" "4030() File generated: '${TARGET}/etc/hosts' with basic IPv4 entries."
+
+
+  ### Generate '${TARGET}/etc/hosts' basic IPv6 entries
+  if [[ "${VAR_LINK_IPV6,,}" == "true" || "${network_ipv6,,}" == "true" ]]; then
+
+    cat << EOF >> "${TARGET}/etc/hosts"
+# The following lines are desirable for IPv6 capable hosts
+::1     localhost ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
+${VAR_FINAL_IPV6} ${VAR_FINAL_FQDN}
+
+EOF
+
+    do_log "info" "file_only" "4030() File updated: '${TARGET}/etc/hosts' with basic IPv6 entries."
+
+  fi
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4035_setup_resolv.sh

@@ -0,0 +1,105 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Configure the '/etc/resolv.conf' file.
+# Globals:
+#   ARY_IPV4_NS
+#   ARY_IPV6_NS
+#   DIR_BAK
+#   TARGET
+#   VAR_ARCHITECTURE
+#   VAR_CODENAME
+#   VAR_FINAL_IPV6
+#   VAR_LINK_IPV6
+#   VAR_VERSION
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+setup_resolv() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     ns=""
+
+  if [[ -f "${TARGET}/etc/resolv.conf" ]]; then
+
+    mkdir -p "${DIR_BAK}/etc"
+    mv "${TARGET}/etc/resolv.conf" "${DIR_BAK}/etc/resolv.conf.bak"
+    do_log "info" "file_only" "4035() Existing '${TARGET}/etc/resolv.conf' moved."
+
+  fi
+
+  touch "${TARGET}/etc/resolv.conf"
+  chmod 0644 "${TARGET}/etc/resolv.conf"
+
+  ### Create '/etc/resolv.conf' IPv4 entries for static configuration.
+    cat << EOF >> "${TARGET}/etc/resolv.conf"
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# /etc/resolv.conf      : Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture          : ${VAR_ARCHITECTURE}
+# Distribution          : ${VAR_CODENAME}
+
+# Static file system information '/etc/resolv.conf '.
+
+### Custom DNS IPv4 configuration
+EOF
+
+  for ns in "${ARY_IPV4_NS[@]}"; do
+
+    echo "nameserver ${ns}" >> "${TARGET}/etc/resolv.conf"
+    do_log "info" "file_only" "4035() IPv4 nameserver added: [${ns}]."
+
+  done
+
+  echo "" >> "${TARGET}/etc/resolv.conf"
+  do_log "info" "file_only" "4035() IPv4 nameserver at: '${TARGET}/etc/resolv.conf' configured."
+
+
+  ### Create '/etc/resolv.conf' IPv6 entries for static configuration.
+  if [[ "${VAR_LINK_IPV6,,}" == "true" || -n "${VAR_FINAL_IPV6}" ]]; then
+
+    cat << EOF >> "${TARGET}/etc/resolv.conf"
+### Custom DNS IPv6 configuration
+EOF
+
+    for ns in "${ARY_IPV6_NS[@]}"; do
+
+      echo "nameserver ${ns}" >> "${TARGET}/etc/resolv.conf"
+      do_log "info" "file_only" "4035() IPv6 nameserver added: [${ns}]."
+
+    done
+
+    echo "" >> "${TARGET}/etc/resolv.conf"
+    do_log "info" "file_only" "4035() IPv6 nameserver at: '${TARGET}/etc/resolv.conf' configured."
+
+  fi
+
+  cat << EOF >> "${TARGET}/etc/resolv.conf"
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4040_setup_timezone.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Configure the '/etc/timezone' | '/etc/localtime' files.
+# Globals:
+#   TARGET
+#   ntp_timezone
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+setup_timezone() {
+  ### Create '${TARGET}/etc/timezone' file.
+  cat << EOF >| "${TARGET}/etc/timezone"
+${ntp_timezone:-UTC}
+EOF
+  chmod 0644 "${TARGET}/etc/timezone"
+  do_log "info" "file_only" "4040() File generated: '${TARGET}/etc/timezone' | timezone '${ntp_timezone:-UTC}'."
+
+  do_in_target "${TARGET}" ln -sf "/usr/share/zoneinfo/${ntp_timezone}" /etc/localtime
+
+  do_in_target "${TARGET}" dpkg-reconfigure -f noninteractive tzdata
+
+  do_log "info" "file_only" "4040() Timezone updated successfully."
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4050_setup_locales.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Set locale and configure keyboard layout.
+# Globals:
+#   TARGET
+#   locale_country
+#   locale_keyboard_layout
+#   locale_keyboard_xkb_keymap
+#   locale_language
+#   locale_locale
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+setup_locales() {
+
+  ### Give priority to '${locale_locale}' over separately configured variables '${locale_country}' and '${locale_language}'.
+  ### If 'locale_locale' is not set, build it from 'locale_language' and 'locale_country'.
+  if [[ -n "${locale_language:-}" && -n "${locale_country:-}" && -z "${locale_locale:-}" ]]; then
+    declare locale_locale="${locale_language}_${locale_country}.UTF-8"
+  fi
+
+  [[ -n "${locale_locale:-}" ]] || do_log "error" "file_only" "4050() Variable '${locale_locale}' is not set."
+
+  ### Generate the specified locale
+  do_in_target "${TARGET}" locale-gen "${locale_locale}"
+
+  ### Set the standard locale.
+  #do_in_target "${TARGET}" update-locale LANG="${locale_locale}" LC_ALL="${locale_locale}"
+  echo -e "LANG=${locale_locale}\nLC_ALL=${locale_locale}" >| "${TARGET}/etc/default/locale"
+  do_in_target "${TARGET}" locale-gen "${locale_locale}"
+
+  ### Set the keyboard layout for the system (for consoles).
+  [[ -e "${TARGET}/etc/default/keyboard" ]] || touch "${TARGET}/etc/default/keyboard"
+  sed -i "s/^KEYMAP=.*/KEYMAP=${locale_keyboard_layout}/" "${TARGET}/etc/default/keyboard"
+  do_log "info" "file_only" "4110() Keyboard layout updated: 'KEYMAP=${locale_keyboard_layout}' -> '${TARGET}/etc/default/keyboard'."
+
+  ### Set the X11 keyboard layout (for graphical environments).
+  do_in_target "${TARGET}" localectl set-x11-keymap "${locale_keyboard_xkb_keymap}"
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh