V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.gitignore

@@ -11,7 +11,6 @@
 .checklist/
 .idea/
 out/
-target/
 *.DS_Store
 *.log
 *.ps1

.preseed/preseed.yaml

@@ -78,6 +78,11 @@ apt:
 # Basic settings
 ################################################################################################################################
 architecture: "amd64"          # MUST be one of "amd64", "intel64" or "arm64".
+debootstrap:                   # Provide a mirror for downloading the Debian packages for debootstrap.
+                               # Specify the packages to be included in the debootstrapping process. Include a comma-separated
+                               # list of official Debian packages.
+  mirror: "https://deb.debian.org/debian"
+  includes: "ca-certificates,openssl"
 distribution: "bookworm"       # MUST be "bookworm".
 debian_suite: "stable"         # MUST be "stable". Not supported yet: "testing", "experimental".
 exit:

ciss_debian_installer.sh

@@ -22,6 +22,7 @@
 
 ### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES.
 # shellcheck disable=SC2155
+declare -girx VAR_START_TIME="${SECONDS}"                                # Start time of script execution.
 declare -grx  VAR_PARAM_COUNT="$#"                                       # Arguments passed to script.
 declare -grx  VAR_PARAM_STRNG="$*"                                       # Arguments passed to script as string.
 declare -ag   ARY_PARAM_ARRAY=("$@")                                     # Arguments passed to script as an array.
@@ -94,11 +95,11 @@ for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./meta_loader_cuv.sh; usa
 for arg in "$@"; do case "${arg,,}" in -v|--version) . ./meta_loader_cuv.sh; version; exit 0;; esac; done
 
 ### SOURCING MUST SET EARLY VARIABLES. SOURCING COLOR_ECHO() AND GUARD_SOURCING().
-. ./lib/0010_guard_sourcing.sh           # The function guard_sourcing MUST be present in each file to source.
+. ./lib/cdi_0005_guard/0005_guard_sourcing.sh # The function guard_sourcing MUST be present in each file to source.
-. ./lib/0010_source_guard.sh             # Wrapper for sourcing modules, libraries, variables.
+. ./lib/cdi_0005_guard/0006_source_guard.sh   # Wrapper for sourcing modules, libraries, variables.
 source_guard "./var/color.var.sh"
 source_guard "./var/early.var.sh"
-source_guard "./lib/0004_color_echo.sh"
+source_guard "./lib/cdi_0010_basic/0010_color_echo.sh"
 
 ### ALL CHECKS DONE. READY TO START THE SCRIPT.
 color_echo "${GRE}" "ALL CHECKS DONE. READY TO START THE SCRIPT ..."
@@ -155,13 +156,13 @@ trap 'trap_int' INT TERM
 
 ### INTERACTIVE MODE NOTES AND KERNEL SELECTION.
 # TODO: Update 0110_check_kernel.sh   & sourcing
-# TODO: Update 0120_check_provider.sh & sourcing
+# TODO: Update 0115_check_provider.sh & sourcing
 #if ! "${VAR_AUTO_INSTALL}"; then check_provider; fi
 #if ! "${VAR_AUTO_INSTALL}"; then check_kernel; fi
 
 ### Dialog Output for Initialization START.
 color_echo "${GRE}" "Dialog Output for Initialization START ..."
-if ! "${VAR_AUTO_INSTALL}"; then . ./lib/0200_dialog_helper.sh && dialog_box; fi
+if ! "${VAR_AUTO_INSTALL}"; then . ./lib/cdi_0200_dialog/0200_dialog_helper.sh && dialog_box; fi
 
 ### ARGUMENT CHECKS.
 echo "ARGUMENT CHECKS ..."
@@ -206,7 +207,7 @@ mount_partition
 echo "MAIN PROGRAM SEQUENCE: uuid_logger() ..."
 uuid_logger
 
-### DEBOOTSTRAP
+### DEBOOTSTRAP # TODO: Order of Hostname, Locale, Time before first apt update and Locales individual, certificate
 echo "MAIN PROGRAM SEQUENCE: func_debootstrap() ..."
 func_debootstrap
 echo "MAIN PROGRAM SEQUENCE: configure_system() ..."
@@ -283,7 +284,7 @@ exiting_chroot
 # TODO: Reboot function for Autoinstall
 
 ### Dialog Output for Initialization END
-if ! "${VAR_AUTO_INSTALL}"; then . ./lib/0200_dialog_helper.sh && dialog_box_cleaner; fi
+if ! "${VAR_AUTO_INSTALL}"; then . ./lib/cdi_0200_dialog/0200_dialog_helper.sh && dialog_box_cleaner; fi
 
 declare -gx VAR_SCRIPT_SUCCESS="true"
 

docs/MANPAGES.md

@@ -0,0 +1,22 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.installer
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
+**Master Version**: 8.00<br>
+**Build**: V8.00.000.2025.06.17<br>
+
+# 2. ToC
+
+- [BOOTPARAMS.md](man/BOOTPARAMS.md)
+- [DEBUG_HANDLING.md](man/DEBUG_HANDLING.md)
+- [ERROR_HANDLING.md](man/ERROR_HANDLING.md)
+- [LINTER_CHAR.md](man/LINTER_CHAR.md)
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

docs/man/DEBUG_HANDLING.md

@@ -23,7 +23,7 @@ structured logs with full environmental metadata and deterministic command evalu
 
 ## 2.2. Component Modules
 
-### 2.2.1 [0050_debug_pre_scan.sh](../../lib/0050_debug_pre_scan.sh)
+### 2.2.1 [0050_debug_pre_scan.sh](../../lib/cdi_0050_debug/0050_debug_pre_scan.sh)
 
 **Purpose**: Parses the script's argument vector (`$@`) to detect and initialize debug mode before the main installer logic 
 executes.
@@ -36,7 +36,7 @@ executes.
 - Explicitly sets the necessary global flags: `VAR_DEBUG_TRACE` and/or `VAR_DEBUG_TRAP`.
 
 
-### 2.2.2. [0051_debug_var_dump.sh](../../lib/0051_debug_var_dump.sh)
+### 2.2.2. [0051_debug_var_dump.sh](../../lib/cdi_0050_debug/0051_debug_var_dump.sh)
 
 **Functions**:
 - `dump_vars_initial()`: Captures the initial state of all non-internal variables.
@@ -52,7 +52,7 @@ executes.
 - Operates with `set +x` to avoid leaking secrets to stdout.
 - Temporary files are created with `mktemp` and removed after usage.
 
-### 2.2.3. [0052_debug_trace.sh](../../lib/0052_debug_trace.sh)
+### 2.2.3. [0052_debug_trace.sh](../../lib/cdi_0050_debug/0052_debug_trace.sh)
 
 **Purpose**: Initializes Bash's `xtrace` (`set -x`) with rich metadata formatting and redirects output to `LOG_TRC`.
 
@@ -70,7 +70,7 @@ executes.
 - Serves as a non-interfering, shell-native audit mechanism.
 - Avoid collision with terminal output or stderr logging.
 
-### 2.2.4. [0053_debug_trace_header.sh](../../lib/0053_debug_trace_header.sh)
+### 2.2.4. [0053_debug_trace_header.sh](../../lib/cdi_0050_debug/0053_debug_trace_header.sh)
 
 **Purpose**: Prints an extensive contextual header to `LOG_TRC`, including:
 
@@ -82,7 +82,7 @@ executes.
 
 This header facilitates offline analysis and correlates script execution to external events or CI/CD timelines.
 
-### 2.2.5. [0054_debug_trap.sh](../../lib/0054_debug_trap.sh)
+### 2.2.5. [0054_debug_trap.sh](../../lib/cdi_0050_debug/0054_debug_trap.sh)
 
 **Purpose**: Implements runtime-level command introspection using the `DEBUG` trap.
 
@@ -101,7 +101,7 @@ This header facilitates offline analysis and correlates script execution to exte
 - Designed to be safely enabled in production with obfuscation of credentials and secrets.
 - Provides a temporal correlation of command execution and exit codes.
 
-### 2.2.6. [0055_debug_trap_header.sh](../../lib/0055_debug_trap_header.sh)
+### 2.2.6. [0055_debug_trap_header.sh](../../lib/cdi_0050_debug/0055_debug_trap_header.sh)
 
 **Purpose**: Similar to `debug_trace_header()`, this module prints an elaborate preamble into the `LOG_DBG` file.
 

docs/man/ERROR_HANDLING.md

@@ -44,7 +44,7 @@ exhaustive state introspection. The defined options anticipate and actively prev
 conditions or shell misbehavior.
 
 
-## 2.3. [0060_trap_err.sh](../../lib/0060_trap_err.sh)
+## 2.3. [0060_trap_err.sh](../../lib/cdi_0060_traps/0060_trap_err.sh)
 
 ### 2.3.1. Purpose
 
@@ -68,7 +68,7 @@ anomalies precisely, log them comprehensively, and expose them to the console an
 - Integrates gracefully with dialog-driven user interfaces (e.g., `dialog_box_cleaner`, `dialog_gauge_cleaner`).
 - Evaluates `VAR_DEBUG_TRACE` and `VAR_DEBUG_TRAP` to determine the scope of runtime introspection.
 
-## 2.4. [0070_trap_exit.sh](../../lib/0070_trap_exit.sh)
+## 2.4. [0070_trap_exit.sh](../../lib/cdi_0060_traps/0070_trap_exit.sh)
 
 ### 2.4.1. Purpose
 
@@ -95,7 +95,7 @@ error. Notably, it complements `trap_err()` by catching unbound variable errors
 - Isolates early trap context via local read-only declarations to avoid overwriting.
 - Ensures that debug logs and variable states are flushed before exit.
 
-## 2.5. [0080_trap_int.sh](../../lib/0080_trap_int.sh)
+## 2.5. [0080_trap_int.sh](../../lib/cdi_0060_traps/0080_trap_int.sh)
 
 ### 2.5.1. Purpose
 

docs/man/LINTER_CHAR.md

@@ -0,0 +1,52 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.installer
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
+**Master Version**: 8.00<br>
+**Build**: V8.00.000.2025.06.17<br>
+
+# 2. Git Workflow Linter — Character Set Policy Enforcement
+
+## 2.1. Overview
+
+The **[linter_char_scripts.yaml](../../.gitea/workflows/linter_char_scripts.yaml)** defines a declarative policy framework for 
+sanitizing and validating character scripts within a Git repository. It enforces linguistic and typographic constraints at the 
+commit level, preventing the introduction of ambiguous, non-printable, homoglyphic, or non-standard Unicode character classes. 
+This mechanism enhances both the integrity and auditability of the codebase, particularly in contexts where multilingual input,
+identity obfuscation, or supply-chain risk (e.g., Trojan Source attacks) must be mitigated.
+
+## 2.2. Purpose
+
+The core intent of this linter is to:
+
+- **Detect forbidden Unicode scripts or codepoints** within staged files.
+- **Ensure locale-hygienic commits** by permitting only explicitly whitelisted language/script groups.
+- **Enforce character uniformity** across source files, configuration, and metadata.
+- **Block malicious or ambiguous glyph injection**, including bidirectional override, homoglyph attacks, or zero-width characters.
+
+## 2.3. Security Considerations
+
+This linter serves as a preventive supply-chain control by reducing exposure to:
+
+- Invisible character injection (e.g. \u200e, \u202e)
+- Homoglyphic substitution (e.g. Cyrillic а vs. Latin a)
+- Bidirectional override attacks (Trojan Source)
+- Untraceable backdoors hidden in user comments or unused string literals
+
+It complements traditional static analysis and code review processes by operating at a syntactic level of representation, 
+thus neutralizing attacks that bypass semantic inspection.
+
+## 2.4. Conclusion
+The ``linter_char_scripts.yaml`` is a vital component of the **CISS.debian.installer** secure development lifecycle. It defines 
+a robust, extensible, and policy-driven control layer against linguistic abuse and typographic ambiguity in version-controlled 
+assets. Its utility is especially salient in multi-language environments, cryptographic infrastructure code, and supply-chain 
+sensitive repositories.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

func/cdi_1250_yaml/1252_yaml_validator.sh

@@ -0,0 +1,190 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Extended dynamic network variable checks and declarations depending on preseed.yaml.
+# Globals:
+#   ARY_IPV4_NS
+#   ARY_IPV6_NS
+#   VAR_FINAL_FQDN
+#   VAR_FINAL_IPV4
+#   VAR_FINAL_IPV4_GW
+#   VAR_FINAL_IPV4_SUBNET
+#   VAR_FINAL_IPV6
+#   VAR_FINAL_NIC
+#   VAR_LINK_IPV6
+#   network_autoconfig_enable
+#   network_choose_interface_static
+#   network_hostname
+#   network_static_ipv4address
+#   network_static_ipv4gateway
+#   network_static_ipv4nameserver_0
+#   network_static_ipv4nameserver_1
+#   network_static_ipv4nameserver_2
+#   network_static_ipv4nameserver_3
+#   network_static_ipv4nameserver_fallback_0
+#   network_static_ipv4nameserver_fallback_1
+#   network_static_ipv4netmask
+#   network_static_ipv6address
+#   network_static_ipv6nameserver_0
+#   network_static_ipv6nameserver_1
+#   network_static_ipv6nameserver_2
+#   network_static_ipv6nameserver_3
+#   network_static_ipv6nameserver_fallback_0
+#   network_static_ipv6nameserver_fallback_1
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+yaml_validator() {
+  ### Declare Arrays, HashMaps, and Variables.
+  # shellcheck disable=SC2034
+  declare -ag ARY_IPV4_NS=() ARY_IPV6_NS=()
+  declare     var_auto_nic="" var_auto_ipv4="" var_auto_ipv4_ccidr="" var_auto_ipv4_subnet="" var_auto_ipv4_gw="" \
+              var_auto_ipv6="" var_auto_ipv6_ccidr="" var_auto_ipv6_gw="" var_link_ipv4="" var_link_ipv6="" var_auto_fqdn=""
+  declare -gx VAR_FINAL_NIC="" VAR_FINAL_FQDN="" VAR_FINAL_IPV4="" VAR_FINAL_IPV4_GW="" VAR_FINAL_IPV4_SUBNET="" \
+              VAR_FINAL_IPV6="" VAR_LINK_IPV6=""
+
+  ARY_IPV4_NS+=("${network_static_ipv4nameserver_0}")
+  [[ -v network_static_ipv4nameserver_1 ]] && ARY_IPV4_NS+=( "${network_static_ipv4nameserver_1}" )
+  [[ -v network_static_ipv4nameserver_2 ]] && ARY_IPV4_NS+=( "${network_static_ipv4nameserver_2}" )
+  [[ -v network_static_ipv4nameserver_3 ]] && ARY_IPV4_NS+=( "${network_static_ipv4nameserver_3}" )
+  [[ -v network_static_ipv4nameserver_fallback_0 ]] && ARY_IPV4_NS+=( "${network_static_ipv4nameserver_fallback_0}" )
+  [[ -v network_static_ipv4nameserver_fallback_1 ]] && ARY_IPV4_NS+=( "${network_static_ipv4nameserver_fallback_1}" )
+
+  ARY_IPV6_NS+=("${network_static_ipv6nameserver_0}")
+  [[ -v network_static_ipv6nameserver_1 ]] && ARY_IPV6_NS+=( "${network_static_ipv6nameserver_1}" )
+  [[ -v network_static_ipv6nameserver_2 ]] && ARY_IPV6_NS+=( "${network_static_ipv6nameserver_2}" )
+  [[ -v network_static_ipv6nameserver_3 ]] && ARY_IPV6_NS+=( "${network_static_ipv6nameserver_3}" )
+  [[ -v network_static_ipv6nameserver_fallback_0 ]] && ARY_IPV6_NS+=( "${network_static_ipv6nameserver_fallback_0}" )
+  [[ -v network_static_ipv6nameserver_fallback_1 ]] && ARY_IPV6_NS+=( "${network_static_ipv6nameserver_fallback_1}" )
+
+  ### Check current network connection and configure variables
+  # shellcheck disable=SC2312
+  var_auto_nic=$(ip -o link show | awk -F': ' '/state UP/ && $2!="lo" {print $2; exit}')
+
+  # shellcheck disable=SC2312
+  var_auto_ipv4_ccidr=$(ip -4 -o addr show "${var_auto_nic}" | awk '{print $4; exit}')
+
+  # shellcheck disable=SC2312
+  var_auto_ipv4_subnet=$(generate_subnetmask "${var_auto_ipv4_ccidr}")
+
+  # shellcheck disable=SC2312
+  var_auto_ipv4=$(echo "${var_auto_ipv4_ccidr}" | awk -F'/' '{print $1}')
+
+  # shellcheck disable=SC2312
+  var_auto_ipv4_gw=$(ip route show default dev "${var_auto_nic}" | awk '/^default/ {print $3; exit}')
+
+  # shellcheck disable=SC2312
+  var_auto_ipv6_ccidr=$(ip -6 -o addr show "${var_auto_nic}" | awk '/scope global/ {print $4; exit}')
+
+  if [[ -n "${var_auto_ipv6_ccidr}" ]]; then
+
+    # shellcheck disable=SC2312
+    var_auto_ipv6=$(echo "${var_auto_ipv6_ccidr}" | awk -F'/' '{print $1}')
+    # shellcheck disable=SC2312
+    var_auto_ipv6_gw=$(ip -6 route show default dev "${var_auto_nic}" | awk '/^default/ {print $3; exit}')
+
+  fi
+
+  # shellcheck disable=SC2312
+  var_link_ipv4=$(ping -q -c 1 -W 1 -4 debian.org > /dev/null 2>&1 && echo "true" || echo "false")
+
+  # shellcheck disable=SC2312
+  var_link_ipv6=$(ping -q -c 1 -W 1 -6 debian.org > /dev/null 2>&1 && echo "true" || echo "false")
+
+  if [[ -f "/var/lib/dhcp/dhclient.${var_auto_nic}.leases" ]]; then
+
+    # shellcheck disable=SC2312
+    var_auto_fqdn=$(grep -m1 'option host-name' "/var/lib/dhcp/dhclient.${var_auto_nic}.leases" | sed -E 's/.*"([^"]+)".*/\1/')
+
+  else
+
+    var_auto_fqdn=""
+
+  fi
+
+  do_log "info" "file_only" "1252() Live environment network check: Auto NIC          ='${var_auto_nic}'."
+  do_log "info" "file_only" "1252() Live environment network check: Auto IPv4         ='${var_auto_ipv4}'."
+  do_log "info" "file_only" "1252() Live environment network check: Auto IPv4 CCIDR   ='${var_auto_ipv4_ccidr}'."
+  do_log "info" "file_only" "1252() Live environment network check: Auto IPv4 Subnet  ='${var_auto_ipv4_subnet}'."
+  do_log "info" "file_only" "1252() Live environment network check: Auto IPv4 Gateway ='${var_auto_ipv4_gw}'."
+  do_log "info" "file_only" "1252() Live environment network check: Auto IPv6         ='${var_auto_ipv6}'."
+  do_log "info" "file_only" "1252() Live environment network check: Auto IPv6 CCIDR   ='${var_auto_ipv6_ccidr}'."
+  do_log "info" "file_only" "1252() Live environment network check: Auto IPv6 Gateway ='${var_auto_ipv6_gw}'."
+  do_log "info" "file_only" "1252() Live environment network check: Auto IPv4 Link    ='${var_link_ipv4}'."
+  do_log "info" "file_only" "1252() Live environment network check: Auto IPv6 Link    ='${var_link_ipv6}'."
+  do_log "info" "file_only" "1252() Live environment network check: Auto FQDN         ='${var_auto_fqdn}'."
+
+  ### Export hostname and IPv4 and IPv6 addresses for further processing according to dynamic results and preseed.yaml settings.
+  if [[ "${network_autoconfig_enable,,}" == "true" ]]; then
+
+    # shellcheck disable=SC2034
+    VAR_FINAL_NIC="${var_auto_nic}"
+    # shellcheck disable=SC2034
+    VAR_FINAL_FQDN="${var_auto_fqdn}"
+    # shellcheck disable=SC2034
+    VAR_FINAL_IPV4="${var_auto_ipv4}"
+    # shellcheck disable=SC2034
+    VAR_FINAL_IPV4_GW="${var_auto_ipv4_gw}"
+    # shellcheck disable=SC2034
+    VAR_FINAL_IPV4_SUBNET="${var_auto_ipv4_subnet}"
+
+    do_log "info" "file_only" "1252() Network IPv4 autoconfiguration: [${network_autoconfig_enable,,}]."
+
+  else
+
+    # shellcheck disable=SC2034
+    VAR_FINAL_NIC="${network_choose_interface_static}"
+    # shellcheck disable=SC2034
+    VAR_FINAL_FQDN="${network_hostname}"
+    # shellcheck disable=SC2034
+    VAR_FINAL_IPV4="${network_static_ipv4address}"
+    # shellcheck disable=SC2034
+    VAR_FINAL_IPV4_GW="${network_static_ipv4gateway}"
+    # shellcheck disable=SC2034
+    VAR_FINAL_IPV4_SUBNET="${network_static_ipv4netmask}"
+
+    do_log "info" "file_only" "1252() Network IPv4 autoconfiguration: [${network_autoconfig_enable,,}]."
+
+  fi
+
+  if [[ "${network_autoconfig_enable,,}" == "true" && "${var_link_ipv6,,}" == "true" ]]; then
+
+    # shellcheck disable=SC2034
+    VAR_FINAL_IPV6="${var_auto_ipv6}"
+    # shellcheck disable=SC2034
+    VAR_LINK_IPV6="${var_link_ipv6}"
+
+    do_log "info" "file_only" "1252() Network IPv6 autoconfiguration: [${network_autoconfig_enable,,}] and IPv6 Link: [${var_link_ipv6,,}]."
+
+  elif [[ "${network_autoconfig_enable,,}" == "false" && -n "${network_static_ipv6address}" ]]; then
+
+    # shellcheck disable=SC2034
+    VAR_FINAL_IPV6="${network_static_ipv6address}"
+
+    do_log "info" "file_only" "1252() Network IPv6 autoconfiguration: [${network_autoconfig_enable,,}] and IPv6 static: [${network_static_ipv6address}]."
+
+  else
+
+    # shellcheck disable=SC2034
+    VAR_FINAL_IPV6=""
+    do_log "info" "file_only" "1252() Network IPv6 autoconfiguration: no IPv6 configuration applied."
+
+  fi
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4000_debootstrap.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Install a minimal Debian environment using the 'debootstrap' command.
+# Globals:
+#   LOG_DBS
+#   TARGET
+#   architecture
+#   debootstrap_includes
+#   debootstrap_mirror
+#   distribution
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   ERR_DEBOOTSTRAP
+#######################################
+func_debootstrap() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r var_arch="${architecture}"
+  declare -r var_dist="${distribution}"
+  declare -r var_target="${TARGET}"
+  declare -r var_mirror="${debootstrap_mirror}"
+  declare -r var_includes="${debootstrap_includes}"
+
+  declare -a ary_cmd=( "debootstrap" "--arch=${var_arch}" "${var_dist}" )
+
+  if [[ -n "${var_includes}" ]]; then ary_cmd+=( "--include=${var_includes}" ); fi
+
+  ary_cmd+=( "${var_target}" "${var_mirror}" )
+
+  do_log "debug" "file_only" "4000() Executing: [${ary_cmd[*]}]"
+
+  # shellcheck disable=SC2312
+  if "${ary_cmd[@]}" | tee "${LOG_DBS}"; then
+
+    do_log "info" "file_only" "4000() [${ary_cmd[*]}] successful."
+    install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/hooks"
+    return 0
+
+  else
+
+    do_log "emergency" "file_only" "4000() [${ary_cmd[*]}] failed."
+    return "${ERR_DEBOOTSTRAP}"
+
+  fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4010_prepare_mounts.sh

@@ -13,7 +13,7 @@
 guard_sourcing
 
 #######################################
-# Configure target system for chroot.
+# Configure the target system for chroot.
 # Globals:
 #   ERR_CHRT_MOUNTS
 #   TARGET
@@ -65,19 +65,19 @@ configure_system() {
 
     if mountpoint -q "${TARGET}${var_path}"; then
 
-      do_log "info" "file_only" "4020() Skipped: '${TARGET}${var_path}' is already a mountpoint."
+      do_log "info" "file_only" "4010() Skipped: '${TARGET}${var_path}' is already a mountpoint."
       continue
 
     fi
 
     if ! mount -t "${var_fs}" "${var_src}" "${TARGET}${var_path}" -o "${var_opts}"; then
 
-      do_log "emergency" "file_only" "4020() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] failed."
+      do_log "emergency" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] failed."
       return "${ERR_CHRT_MOUNTS}"
 
     fi
 
-    do_log "info" "file_only" "4020() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] successful."
+    do_log "info" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] successful."
 
   done
 
@@ -87,27 +87,27 @@ configure_system() {
 
     if ! mount --make-rslave --rbind /run "${TARGET}/run"; then
 
-      do_log "emergency" "file_only" "4020() Command: [mount --make-rslave --rbind /run ${TARGET}/run] failed."
+      do_log "emergency" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${TARGET}/run] failed."
       return "${ERR_CHRT_MOUNTS}"
 
     fi
 
-    do_log "info" "file_only" "4020() Command: [mount --make-rslave --rbind /run ${TARGET}/run] successful."
+    do_log "info" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${TARGET}/run] successful."
 
   fi
 
   if ! do_in_target "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
 
-    do_log "emergency" "file_only" "4020() Command: [do_in_target ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
+    do_log "emergency" "file_only" "4010() Command: [do_in_target ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
     return "${ERR_CHRT_MOUNTS}"
 
   fi
 
-  do_log "info" "file_only" "4020() Command: [do_in_target ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
+  do_log "info" "file_only" "4010() Command: [do_in_target ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
 
   # shellcheck disable=SC2034
   declare -gx VAR_CHROOT_ACTIVATED="system"
-  do_log "info" "file_only" "4020() Command: [declare -gx VAR_CHROOT_ACTIVATED=system]"
+  do_log "info" "file_only" "4010() Command: [declare -gx VAR_CHROOT_ACTIVATED=system]"
 
   return 0
 }

func/cdi_4000_debootstrap/4020_remove_expired_certificates.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Chroot hook for deleting all expired X.509 certificates in the target system.
+# Globals:
+#   TARGET
+#   VAR_SETUP_PATH
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+expired_certs() {
+
+  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/1000_deleting_invalid_x509.sh" \
+    "${TARGET}/root/.ciss/cdi/hooks/1000_deleting_invalid_x509.sh"
+
+
+  if ! do_in_target_script "${TARGET}" "/root/.ciss/cdi/hooks/1000_deleting_invalid_x509.sh" "emergency"; then
+
+    do_log "warn" "file_only" "4020() Command: [do_in_target_script ${TARGET} /root/.ciss/cdi/hooks/1000_deleting_invalid_x509.sh emergency] failed."
+
+  else
+
+    do_log "debug" "file_only" "4020() Command: [do_in_target_script ${TARGET} /root/.ciss/cdi/hooks/1000_deleting_invalid_x509.sh emergency] successful."
+
+  fi
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4030_setup_hostname.sh

@@ -13,7 +13,7 @@
 guard_sourcing
 
 #######################################
-# Generate files: '/etc/hostname' | '/etc/hosts' | '/etc/mailname'
+# Configure the '/etc/hostname' | '/etc/hosts' | '/etc/mailname' files.
 # Globals:
 #   TARGET
 #   VAR_FINAL_FQDN
@@ -32,14 +32,16 @@ setup_hostname() {
 ${VAR_FINAL_FQDN}
 EOF
   chmod 0644 "${TARGET}/etc/hostname"
-  do_log "info" "file_only" "File generated: '${TARGET}/etc/hostname' | hostname '${VAR_FINAL_FQDN}'."
+  do_log "info" "file_only" "4030() File generated: '${TARGET}/etc/hostname' | hostname '${VAR_FINAL_FQDN}'."
+
 
   ### Create '${TARGET}/etc/mailname' file.
   cat << EOF >| "${TARGET}/etc/mailname"
 ${VAR_FINAL_FQDN}
 EOF
   chmod 0644 "${TARGET}/etc/mailname"
-  do_log "info" "file_only" "File generated: '${TARGET}/etc/mailname' | mailname '${VAR_FINAL_FQDN}'."
+  do_log "info" "file_only" "4030() File generated: '${TARGET}/etc/mailname' | mailname '${VAR_FINAL_FQDN}'."
+
 
   ### Generate '${TARGET}/etc/hosts' basic IPv4 entries
   cat << EOF >| "${TARGET}/etc/hosts"
@@ -48,7 +50,8 @@ ${VAR_FINAL_IPV4} ${VAR_FINAL_FQDN}
 
 EOF
   chmod 0644 "${TARGET}/etc/hosts"
-  do_log "info" "file_only" "File generated: '${TARGET}/etc/hosts' with basic IPv4 entries."
+  do_log "info" "file_only" "4030() File generated: '${TARGET}/etc/hosts' with basic IPv4 entries."
+
 
   ### Generate '${TARGET}/etc/hosts' basic IPv6 entries
   if [[ "${VAR_LINK_IPV6,,}" == "true" || "${network_ipv6,,}" == "true" ]]; then
@@ -65,7 +68,7 @@ ${VAR_FINAL_IPV6} ${VAR_FINAL_FQDN}
 
 EOF
 
-    do_log "info" "file_only" "File updated: '${TARGET}/etc/hosts' with basic IPv6 entries."
+    do_log "info" "file_only" "4030() File updated: '${TARGET}/etc/hosts' with basic IPv6 entries."
 
   fi
 

func/cdi_4000_debootstrap/4035_setup_resolv.sh

@@ -0,0 +1,105 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Configure the '/etc/resolv.conf' file.
+# Globals:
+#   ARY_IPV4_NS
+#   ARY_IPV6_NS
+#   DIR_BAK
+#   TARGET
+#   VAR_ARCHITECTURE
+#   VAR_CODENAME
+#   VAR_FINAL_IPV6
+#   VAR_LINK_IPV6
+#   VAR_VERSION
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+setup_resolv() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     ns=""
+
+  if [[ -f "${TARGET}/etc/resolv.conf" ]]; then
+
+    mkdir -p "${DIR_BAK}/etc"
+    mv "${TARGET}/etc/resolv.conf" "${DIR_BAK}/etc/resolv.conf.bak"
+    do_log "info" "file_only" "4035() Existing '${TARGET}/etc/resolv.conf' moved."
+
+  fi
+
+  touch "${TARGET}/etc/resolv.conf"
+  chmod 0644 "${TARGET}/etc/resolv.conf"
+
+  ### Create '/etc/resolv.conf' IPv4 entries for static configuration.
+    cat << EOF >> "${TARGET}/etc/resolv.conf"
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# /etc/resolv.conf      : Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture          : ${VAR_ARCHITECTURE}
+# Distribution          : ${VAR_CODENAME}
+
+# Static file system information '/etc/resolv.conf '.
+
+### Custom DNS IPv4 configuration
+EOF
+
+  for ns in "${ARY_IPV4_NS[@]}"; do
+
+    echo "nameserver ${ns}" >> "${TARGET}/etc/resolv.conf"
+    do_log "info" "file_only" "4035() IPv4 nameserver added: [${ns}]."
+
+  done
+
+  echo "" >> "${TARGET}/etc/resolv.conf"
+  do_log "info" "file_only" "4035() IPv4 nameserver at: '${TARGET}/etc/resolv.conf' configured."
+
+
+  ### Create '/etc/resolv.conf' IPv6 entries for static configuration.
+  if [[ "${VAR_LINK_IPV6,,}" == "true" || -n "${VAR_FINAL_IPV6}" ]]; then
+
+    cat << EOF >> "${TARGET}/etc/resolv.conf"
+### Custom DNS IPv6 configuration
+EOF
+
+    for ns in "${ARY_IPV6_NS[@]}"; do
+
+      echo "nameserver ${ns}" >> "${TARGET}/etc/resolv.conf"
+      do_log "info" "file_only" "4035() IPv6 nameserver added: [${ns}]."
+
+    done
+
+    echo "" >> "${TARGET}/etc/resolv.conf"
+    do_log "info" "file_only" "4035() IPv6 nameserver at: '${TARGET}/etc/resolv.conf' configured."
+
+  fi
+
+  cat << EOF >> "${TARGET}/etc/resolv.conf"
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4040_setup_timezone.sh

@@ -13,7 +13,7 @@
 guard_sourcing
 
 #######################################
-# Configure timezone.
+# Configure the '/etc/timezone' | '/etc/localtime' files.
 # Globals:
 #   TARGET
 #   ntp_timezone
@@ -23,9 +23,19 @@ guard_sourcing
 #   0: on success
 #######################################
 setup_timezone() {
+  ### Create '${TARGET}/etc/timezone' file.
+  cat << EOF >| "${TARGET}/etc/timezone"
+${ntp_timezone:-UTC}
+EOF
+  chmod 0644 "${TARGET}/etc/timezone"
+  do_log "info" "file_only" "4040() File generated: '${TARGET}/etc/timezone' | timezone '${ntp_timezone:-UTC}'."
+
   do_in_target "${TARGET}" ln -sf "/usr/share/zoneinfo/${ntp_timezone}" /etc/localtime
-  do_in_target_script "${TARGET}" "echo ${ntp_timezone} | tee /etc/timezone"
+
   do_in_target "${TARGET}" dpkg-reconfigure -f noninteractive tzdata
+
+  do_log "info" "file_only" "4040() Timezone updated successfully."
+
   return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4050_setup_locales.sh

@@ -27,16 +27,14 @@ guard_sourcing
 #   0: on success
 #######################################
 setup_locales() {
-  do_in_target "${TARGET}" apt-get install -y locales
-  mkdir -p "${TARGET}/etc/default"
 
-  ### Give priority to '${locale_locale}' over separately configured variables '{$locale_country}' and '{$locale_language}'.
+  ### Give priority to '${locale_locale}' over separately configured variables '${locale_country}' and '${locale_language}'.
   ### If 'locale_locale' is not set, build it from 'locale_language' and 'locale_country'.
   if [[ -n "${locale_language:-}" && -n "${locale_country:-}" && -z "${locale_locale:-}" ]]; then
     declare locale_locale="${locale_language}_${locale_country}.UTF-8"
   fi
 
-  [[ -n "${locale_locale:-}" ]] || do_log "error" "file_only" "4110() Variable '${locale_locale}' is not set."
+  [[ -n "${locale_locale:-}" ]] || do_log "error" "file_only" "4050() Variable '${locale_locale}' is not set."
 
   ### Generate the specified locale
   do_in_target "${TARGET}" locale-gen "${locale_locale}"

func/system/4095_setup_skel.sh

@@ -25,11 +25,11 @@ guard_sourcing
 setup_skel() {
   mkdir -p "${TARGET}/etc/skel/.ciss"
 
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/etc/skel/.bashrc" "${TARGET}/etc/skel/.bashrc"
+  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${TARGET}/etc/skel/.bashrc"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/etc/skel/.zshrc" "${TARGET}/etc/skel/.zshrc"
+  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/etc/skel/.zshrc"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/alias" "${TARGET}/etc/skel/.ciss/alias"
+  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${TARGET}/etc/skel/.ciss/alias"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/clean_logout.sh" "${TARGET}/etc/skel/.ciss/clean_logout.sh"
+  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${TARGET}/etc/skel/.ciss/clean_logout.sh"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/shortcuts" "${TARGET}/etc/skel/.ciss/shortcuts"
+  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${TARGET}/etc/skel/.ciss/shortcuts"
 
   ### In order to be able to copy/paste from vim, one needs to create a '.vimrc' in every home directory with the following content:
   echo 'set clipboard=unnamed' >| "${TARGET}/etc/skel/.vimrc"

func/system/4130_setup_network.sh

@@ -57,59 +57,6 @@ setup_network() {
     var_auto_ipv6_ccidr="" var_auto_ipv6="" var_auto_ipv6_gw="" var_link_ipv4="" var_link_ipv6="" var_auto_fqdn="" ns=""
   declare -a ary_ipv4_ns=() ary_ipv6_ns=()
 
-  ary_ipv4_ns+=("${network_static_ipv4nameserver_0}")
-  [[ -v network_static_ipv4nameserver_1 ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_1}")
-  [[ -v network_static_ipv4nameserver_2 ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_2}")
-  [[ -v network_static_ipv4nameserver_fallback_0 ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_fallback_0}")
-  [[ -v network_static_ipv4nameserver_fallback_1 ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_fallback_1}")
-
-  ary_ipv6_ns+=("${network_static_ipv6nameserver_0}")
-  [[ -v network_static_ipv6nameserver_1 ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_1}")
-  [[ -v network_static_ipv6nameserver_2 ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_2}")
-  [[ -v network_static_ipv6nameserver_fallback_0 ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_fallback_0}")
-  [[ -v network_static_ipv6nameserver_fallback_1 ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_fallback_1}")
-
-  ### Check current network connection and configure variables
-  # shellcheck disable=SC2312
-  var_auto_nic=$(ip -o link show | awk -F': ' '/state UP/ && $2!="lo" {print $2; exit}')
-  # shellcheck disable=SC2312
-  var_auto_ipv4_ccidr=$(ip -4 -o addr show "${var_auto_nic}" | awk '{print $4; exit}')
-  # shellcheck disable=SC2312
-  var_auto_ipv4_subnet=$(generate_subnetmask "${var_auto_ipv4_ccidr}")
-  # shellcheck disable=SC2312
-  var_auto_ipv4=$(echo "${var_auto_ipv4_ccidr}" | awk -F'/' '{print $1}')
-  # shellcheck disable=SC2312
-  var_auto_ipv4_gw=$(ip route show default dev "${var_auto_nic}" | awk '/^default/ {print $3; exit}')
-  # shellcheck disable=SC2312
-  var_auto_ipv6_ccidr=$(ip -6 -o addr show "${var_auto_nic}" | awk '/scope global/ {print $4; exit}')
-  if [[ -n "${var_auto_ipv6_ccidr}" ]]; then
-    # shellcheck disable=SC2312
-    var_auto_ipv6=$(echo "${var_auto_ipv6_ccidr}" | awk -F'/' '{print $1}')
-    # shellcheck disable=SC2312
-    var_auto_ipv6_gw=$(ip -6 route show default dev "${var_auto_nic}" | awk '/^default/ {print $3; exit}')
-  fi
-  # shellcheck disable=SC2312
-  var_link_ipv4=$(ping -q -c 1 -W 1 -4 debian.org > /dev/null 2>&1 && echo "true" || echo "false")
-  # shellcheck disable=SC2312
-  var_link_ipv6=$(ping -q -c 1 -W 1 -6 debian.org > /dev/null 2>&1 && echo "true" || echo "false")
-  if [[ -f "/var/lib/dhcp/dhclient.${var_auto_nic}.leases" ]]; then
-    # shellcheck disable=SC2312
-    var_auto_fqdn=$(grep -m1 'option host-name' "/var/lib/dhcp/dhclient.${var_auto_nic}.leases" | sed -E 's/.*"([^"]+)".*/\1/')
-  else
-    var_auto_fqdn=""
-  fi
-
-  do_log "info" "file_only" "4130() Live environment network check: Auto NIC          ='${var_auto_nic}'."
-  do_log "info" "file_only" "4130() Live environment network check: Auto IPv4         ='${var_auto_ipv4}'."
-  do_log "info" "file_only" "4130() Live environment network check: Auto IPv4 CCIDR   ='${var_auto_ipv4_ccidr}'."
-  do_log "info" "file_only" "4130() Live environment network check: Auto IPv4 Subnet  ='${var_auto_ipv4_subnet}'."
-  do_log "info" "file_only" "4130() Live environment network check: Auto IPv4 Gateway ='${var_auto_ipv4_gw}'."
-  do_log "info" "file_only" "4130() Live environment network check: Auto IPv6         ='${var_auto_ipv6}'."
-  do_log "info" "file_only" "4130() Live environment network check: Auto IPv6 CCIDR   ='${var_auto_ipv6_ccidr}'."
-  do_log "info" "file_only" "4130() Live environment network check: Auto IPv6 Gateway ='${var_auto_ipv6_gw}'."
-  do_log "info" "file_only" "4130() Live environment network check: Auto IPv4 Link    ='${var_link_ipv4}'."
-  do_log "info" "file_only" "4130() Live environment network check: Auto IPv6 Link    ='${var_link_ipv6}'."
-  do_log "info" "file_only" "4130() Live environment network check: Auto FQDN         ='${var_auto_fqdn}'."
 
   ### Create network configuration file header.
   if [[ -f "${TARGET}/etc/network/interfaces" ]]; then
@@ -284,61 +231,6 @@ EOF
 
   fi
 
-  if [[ -f "${TARGET}/etc/resolv.conf" ]]; then
-    mkdir -p "${DIR_BAK}/etc"
-    mv "${TARGET}/etc/resolv.conf" "${DIR_BAK}/etc/resolv.conf.bak"
-    do_log "info" "file_only" "4130() Existing '${TARGET}/etc/resolv.conf' moved."
-  fi
-
-  touch "${TARGET}/etc/resolv.conf"
-  chmod 0644 "${TARGET}/etc/resolv.conf"
-
-  ### Create '/etc/resolv.conf' IPv4 entries for static configuration.
-  if [[ "${network_autoconfig_enable,,}" == "false" ]]; then
-    cat << EOF >> "${TARGET}/etc/resolv.conf"
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-# Custom DNS IPv4 configuration
-EOF
-
-    for ns in "${ary_ipv4_ns[@]}"; do
-      echo "nameserver ${ns}" >> "${TARGET}/etc/resolv.conf"
-    done
-
-    echo "" >> "${TARGET}/etc/resolv.conf"
-    do_log "info" "file_only" "4130() IPv4 nameserver at: '${TARGET}/etc/resolv.conf' configured manually."
-
-  fi
-
-  ### Create '/etc/resolv.conf' IPv6 entries for static configuration.
-  if [[ "${network_autoconfig_enable,,}" == "false" && -n "${network_static_ipv6address}" ]]; then
-
-    cat << EOF >> "${TARGET}/etc/resolv.conf"
-# Custom DNS IPv6 configuration
-EOF
-
-    for ns in "${ary_ipv6_ns[@]}"; do
-      echo "nameserver ${ns}" >> "${TARGET}/etc/resolv.conf"
-    done
-
-    echo "" >> "${TARGET}/etc/resolv.conf"
-    do_log "info" "file_only" "4130() IPv6 nameserver at: '${TARGET}/etc/resolv.conf' configured manually."
-
-  fi
-
-  cat << EOF >> "${TARGET}/etc/resolv.conf"
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
-EOF
-
   ### Ensure Internet Systems Consortium DHCP Client is not overwriting the static nameserver settings.
   if [[ -f "${TARGET}/etc/dhcp/dhclient.conf" ]]; then
     mkdir -p "${DIR_BAK}/etc/dhcp"
@@ -378,39 +270,6 @@ EOF
 EOF
   fi
 
-  ### Export hostname and IPv4 and IPv6 addresses for further processing according to dynamic results and preseed.yaml settings.
-  if [[ "${network_autoconfig_enable,,}" == "true" ]]; then
-
-    declare -grx VAR_FINAL_NIC="${var_auto_nic}"
-    declare -grx VAR_FINAL_FQDN="${var_auto_fqdn}"
-    declare -grx VAR_FINAL_IPV4="${var_auto_ipv4}"
-    declare -grx VAR_FINAL_IPV4_GW="${var_auto_ipv4_gw}"
-    declare -grx VAR_FINAL_IPV4_SUBNET="${var_auto_ipv4_subnet}"
-
-  else
-
-    declare -grx VAR_FINAL_NIC="${network_choose_interface_static}"
-    declare -grx VAR_FINAL_FQDN="${network_hostname}"
-    declare -grx VAR_FINAL_IPV4="${network_static_ipv4address}"
-    declare -grx VAR_FINAL_IPV4_GW="${network_static_ipv4gateway}"
-    declare -grx VAR_FINAL_IPV4_SUBNET="${network_static_ipv4netmask}"
-
-  fi
-
-  if [[ "${network_autoconfig_enable,,}" == "true" && "${var_link_ipv6,,}" == "true" ]]; then
-
-    declare -grx VAR_FINAL_IPV6="${var_auto_ipv6}"
-    declare -grx VAR_LINK_IPV6="${var_link_ipv6}"
-
-  elif [[ "${network_autoconfig_enable,,}" == "false" && -n "${network_static_ipv6address}" ]]; then
-
-    declare -grx VAR_FINAL_IPV6="${network_static_ipv6address}"
-
-  else
-
-    declare -grx VAR_FINAL_IPV6=""
-
-  fi
 
   return 0
 }

includes/chroot/hooks/1000_deleting_invalid_x509.sh

@@ -0,0 +1,245 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+#######################################
+# Backup Wrapper for all x509 Root CA Certs.
+# Globals:
+#   ary_search_dir
+#   var_backup_dir
+# Arguments:
+#   None
+#######################################
+create_backup() {
+  printf "Backup Certificate: [%s] ... \n" "${var_backup_dir}"
+
+  mkdir -p "${var_backup_dir}"
+
+  declare dir=""
+
+  for dir in "${ary_search_dir[@]}"; do
+
+    if [[ -d "${dir}" ]] && compgen -G "${dir}"/* > /dev/null; then
+
+      cp -r "${dir}"/* "${var_backup_dir}"
+
+    fi
+
+  done
+
+  printf "Backup Certificate: [%s] done. \n" "${var_backup_dir}"
+}
+
+#######################################
+# Check the validity of each certificate.
+# Globals:
+#   ary_expd_certs
+#   ary_search_dir
+#   var_crrnt_date
+# Arguments:
+#   None
+#######################################
+check_certificates() {
+  declare dir=""
+  declare cert=""
+  declare cert_date=""
+  declare cert_date_seconds=""
+
+  # shellcheck disable=SC2312
+  for dir in "${ary_search_dir[@]}"; do
+
+    while IFS= read -r -d '' cert; do
+
+      cert_date=$(openssl x509 -in "${cert}" -noout -enddate | sed 's/notAfter=//')
+
+      cert_date_seconds=$(date -d "${cert_date}" +%s)
+
+      if [[ ${cert_date_seconds} -lt ${var_crrnt_date} ]]; then
+
+        declare -g ary_expd_certs+=("${cert}")
+
+      fi
+
+    done < <(find "${dir}" -type f \( -name "*.crt" -o -name "*.pem" \) -print0)
+
+  done
+}
+
+#######################################
+# Find and clean all ca-certificates.crt files in SEARCH_DIRS.
+# Globals:
+#   CURRENT_DATE
+#   SEARCH_DIRS
+#   cert
+#   line
+# Arguments:
+#  None
+#######################################
+delete_expired_from_all_bundles() {
+  declare dir="" bundle=""
+
+  for dir in "${ary_search_dir[@]}"; do
+
+    bundle="${dir}/ca-certificates.crt"
+
+    if [[ -f ${bundle} ]]; then
+
+      printf "Checking Root-CA Bundle: [%s] ... \n" "${bundle}"
+
+      # shellcheck disable=SC2155
+      declare    tmp_bundle="$(mktemp "${bundle}.XXXXXXXX")"
+      declare    enddate="" cert_date_seconds="" line=""
+      declare -a block=()
+      declare -i expired=0
+
+      : >| "${tmp_bundle}"
+
+      while IFS= read -r line; do
+
+        block+=("${line}")
+
+        if [[ ${line} == "-----END CERTIFICATE-----"   ]]; then
+
+          cert=$(printf "%s\n" "${block[@]}")
+
+          enddate=$(echo "${cert}" | openssl x509 -noout -enddate 2> /dev/null | sed 's/notAfter=//')
+
+          if [[ -n ${enddate} ]]; then
+
+            declare cert_date_seconds=""
+
+            cert_date_seconds=$(date -d "${enddate}" +%s)
+
+            if [[ ${cert_date_seconds} -lt ${var_crrnt_date} ]]; then
+
+              expired=1
+
+            else
+
+              expired=0
+
+            fi
+
+          else
+
+            expired=0
+
+          fi
+
+          if [[ ${expired} -eq 0 ]]; then
+
+            printf "%s\n" "${block[@]}" >> "${tmp_bundle}"
+
+          else
+
+            printf "Certificate deleted: [%s] Expired: [%s] \n" "${bundle}" "${enddate}"
+          fi
+
+          block=()
+
+        fi
+
+      done < "${bundle}"
+
+      mv -f "${tmp_bundle}" "${bundle}"
+
+      printf "Checking Root-CA Bundle: [%s] done. \n" "${bundle}"
+
+    fi
+
+  done
+}
+
+#######################################
+# Main() for deleting all expired x.509 Certificates in the chroot target system.
+# Globals:
+#   ary_expd_certs
+#   ary_search_dir
+#   var_backup_dir
+#   var_crrnt_date
+# Arguments:
+#   0
+#######################################
+main() {
+  printf "Chroot hook: [%s] starting ... \n" "${0}"
+  printf "Now checking and cleaning expired CA certificates in the target system. \n"
+  printf "This may take up to a minute, depending on system size. \n"
+  printf "All expired certificates will be safely removed. \n"
+
+  declare -ag  ary_search_dir=( "/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt" )
+  declare -gx  var_backup_dir="/root/.ciss/dlb/backup/certificates"
+  declare -gx  var_crrnt_date; var_crrnt_date=$(date +%s)
+  declare -ag  ary_expd_certs=()
+  declare      exp_cert="" basename="" mozilla_entry=""
+
+  printf "Check certificates in: [%s] \n" "${ary_search_dir[*]}"
+
+  create_backup
+  delete_expired_from_all_bundles
+  check_certificates
+
+  if [[ ${#ary_expd_certs[@]} -eq 0 ]]; then
+
+    printf "No expired certificates found. \n"
+    sleep 1
+
+  else
+
+    printf "Expired certificates found: \n"
+
+    for exp_cert in "${ary_expd_certs[@]}"; do
+
+      printf "  [%s] \n" "${exp_cert}"
+
+    done
+
+    for exp_cert in "${ary_expd_certs[@]}"; do
+
+      rm -f "${exp_cert}"
+
+      printf "Certificate deleted: [%s] \n" "${exp_cert}"
+
+      basename=$(basename "${exp_cert}")
+
+      mozilla_entry="mozilla/${basename%.pem}.crt"
+
+      mozilla_entry="${mozilla_entry%.crt}.crt"
+
+      declare ca_conf="/etc/ca-certificates.conf"
+
+      if grep -Fxq "${mozilla_entry}" "${ca_conf}"; then
+
+        sed -i "s|^${mozilla_entry}$|#${mozilla_entry}|" "${ca_conf}"
+
+        printf "Entry in [ca-certificates.conf] deselected: [#%s] \n" "${mozilla_entry}"
+
+      fi
+
+    done
+
+    printf "Updating the certificate cache ...   \n"
+
+    if ! update-ca-certificates --fresh; then
+      printf "[ERROR] Failed to update certificate cache. \n" >&2
+      exit 1
+    fi
+
+    printf "Updating the certificate cache done. \n"
+
+  fi
+
+  printf "Chroot hook: [%s] applied successfully. \n" "${0}"
+  exit 0
+}
+
+main "$@"
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/cdi_0000_preliminary/README.md

@@ -0,0 +1,70 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.installer
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
+**Master Version**: 8.00<br>
+**Build**: V8.00.000.2025.06.17<br>
+
+# 2. Preliminary Components – `cdi_0000_preliminary`
+
+This directory contains foundational wrapper scripts for the `CISS.debian.installer` framework. These scripts serve as minimal
+but essential building blocks to ensure consistent versioning, usage helps output, and contact information across the entire 
+installer suite.
+
+## 2.1. Purpose and Functionality
+
+The scripts in this module fulfill the following roles:
+
+- **0001_contact.sh**:  
+  Displays project-related contact details, including PGP fingerprint, security email, and project links. This is shown during
+  installer execution or upon request via CLI.
+
+- **0002_usage.sh**:  
+  Provides a user-facing, color-coded help dialog. It details available command-line options such as debugging modes 
+  (`--debug`), logging configuration, and non-interactive autoinstallation. It also enforces preconditions such as root 
+  privileges, and the presence of YAML configuration files.
+
+- **0003_version.sh**:  
+  Displays the current project version, latest Git commit, debootstrap version, and host Bash version. This helps contextualize 
+  the environment for debugging and auditing.
+
+## 2.2. Requirements
+
+- Bash version ≥ 5.1
+- Proper invocation context (`set -Ceuo pipefail` enforced)
+- Pre-populated configuration files:
+  - `.preseed/preseed.yaml`
+  - `.preseed/partitioning.yaml`
+  - Password files for GRUB, LUKS boot, common, and nuke passphrases
+
+These scripts assume they are sourced or executed within a controlled setup shell, with essential global variables 
+(e.g. `VAR_VERSION`) predeclared.
+
+
+## 2.3. Dependencies
+
+- `bash` built-ins only (no external binaries invoked except `git`, `debootstrap`, and `uname` in `0003_version.sh`)
+- ANSI color-supporting terminal (via `tput cols`, `echo -e`)
+- Git repository context for versioning (`git log`)
+
+
+## 2.4. License
+
+This component is dual-licensed under the **European Union Public License v1.2 (EUPL-1.2)** or the 
+**CoreSecret Custom Contributor License Agreement (CCLA-1.0)**. You may choose either license as per your usage context. 
+Usage is permitted under the condition that no warranty is implied. Use at your own risk.
+
+## 2.5. Author
+
+Developed and maintained by  
+**Marc S. Weidner**  
+*Centurion Intelligence Consulting Agency*  
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

lib/cdi_0005_guard/README.md

@@ -0,0 +1,61 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.installer
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
+**Master Version**: 8.00<br>
+**Build**: V8.00.000.2025.06.17<br>
+
+# 2. Guarding and Safe Execution – `cdi_0005_guard`
+
+This directory provides minimalistic but critical utility functions to ensure safe and idempotent sourcing and execution 
+semantics within the `CISS.debian.installer` framework. These wrappers act as foundational safeguards against redundant 
+sourcing, which are frequent sources of bugs and side effects in modular Bash-based systems.
+
+## 2.1. Purpose and Functionality
+
+- **0005_guard_sourcing.sh**  
+  Defines the `guard_sourcing()` function, which programmatically prevents a Bash library file from being sourced multiple 
+  times. It constructs a uniquely scoped read-only environment variable guard to mark the sourced state.
+
+- **0006_source_guard.sh**  
+  Implements the `source_guard()` function, which sources a given file only once. It uses the file’s basename to construct a 
+  similarly structured guard variable. Intended for cases where sourcing decisions must be made dynamically.
+
+- **0011_guard_safe_exec.sh**  
+  Provides a generic `safe_exec()` wrapper to execute external commands in a structured and error-controlled manner. It emits
+  meaningful error logs using `do_log()` and allows associating custom error codes per invocation context. This is essential 
+  for defensive script execution when `pipefail` and strict traps are enabled.
+
+## 2.2. Requirements
+
+- Bash version ≥ 5.1
+- Active error trapping via `trap 'trap_err' ERR`
+- `do_log()` must be declared elsewhere in the global context
+- All libraries must be sourced via `source_guard()` and invoke `guard_sourcing` on top
+
+## 2.3. Dependencies
+
+- Pure Bash implementation
+- Uses `declare -grx` to enforce immutability and exportability of guard variables
+- `safe_exec()` expects a predefined `do_log()` implementation
+
+## 2.4. License
+
+This component is dual-licensed under the **European Union Public License v1.2 (EUPL-1.2),** or the 
+**CoreSecret Custom Contributor License Agreement (CCLA-1.0)**. You may choose either license as per your usage context. 
+Usage is permitted under the condition that no warranty is implied. Use at your own risk.
+
+## 2.5. Author
+
+Developed and maintained by  
+**Marc S. Weidner**  
+*Centurion Intelligence Consulting Agency*  
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

lib/cdi_0010_basic/0012_calculate_runtime.sh

@@ -13,25 +13,24 @@
 guard_sourcing
 
 #######################################
-# Install minimal Debian environment via 'debootstrap' command.
+# Calculates total runtime of the CISS.debian.installer.
 # Globals:
-#   TARGET
+#   VAR_END_TIME
-#   architecture
+#   VAR_SCRIPT_RUNTIME
-#   distribution
+#   VAR_START_TIME
 # Arguments:
 #   None
 # Returns:
-#   ERR_DEBOOTSTRAP
 #   0: on success
 #######################################
-func_debootstrap() {
+calculate_runtime() {
-  # shellcheck disable=SC2312
+  ### Declare Arrays, HashMaps, and Variables.
-  if debootstrap --arch="${architecture}" "${distribution}" "${TARGET}" https://deb.debian.org/debian | tee "${LOG_DBS}"; then
+  declare -i   var_runtime="${SECONDS}"
-    do_log "info" "file_only" "4000() [debootstrap --arch=${architecture} ${distribution} '${TARGET}' https://deb.debian.org/debian] successful."
+  declare -i   var_hours=$(( var_runtime / 3600 ))
+  declare -i   var_minutes=$(( (var_runtime % 3600) / 60 ))
+  declare -i   var_seconds=$(( var_runtime % 60 ))
+  # shellcheck disable=SC2155
+  declare -grx VAR_SCRIPT_RUNTIME="$(printf "%02dh %02dm %02ds" "${var_hours}" "${var_minutes}" "${var_seconds}")"
   return 0
-  else
-    do_log "emergency" "file_only" "4000() [debootstrap --arch=${architecture} ${distribution} '${TARGET}' https://deb.debian.org/debian] failed."
-    return "${ERR_DEBOOTSTRAP}"
-  fi
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/cdi_0060_traps/0060_trap_err.sh

@@ -30,7 +30,6 @@ guard_sourcing
 #   LOG_TRC
 #   LOG_VAR
 #   NL
-#   SECONDS
 #   SHELLOPTS
 #   UID
 #   VAR_ARG_SANITIZED
@@ -40,6 +39,7 @@ guard_sourcing
 #   VAR_PARAM_COUNT
 #   VAR_PARAM_STRNG
 #   VAR_RESOURCES
+#   VAR_SCRIPT_RUNTIME
 #   VAR_SYSTEM
 #   VAR_VERSION
 # Arguments:
@@ -66,7 +66,7 @@ print_file_err() {
     printf "❌ Function            : %s %b" "${ERRFUNC}" "${NL}"
     printf "❌ Command             : %s %b" "${ERRCMMD}" "${NL}"
     printf "❌ Script PID          : %s %b" "${$}" "${NL}"
-    printf "❌ Script Runtime      : %s %b" "${SECONDS}" "${NL}"
+    printf "❌ Script Runtime      : %s %b" "${VAR_SCRIPT_RUNTIME}" "${NL}"
     printf "❌ System Resources    : %s %b" "${VAR_RESOURCES}" "${NL}"
     printf "❌ Arguments Counter   : %s %b" "${VAR_PARAM_COUNT}" "${NL}"
     printf "❌ Arguments Original  : %s %b" "${VAR_PARAM_STRNG}" "${NL}"
@@ -92,7 +92,6 @@ print_file_err() {
 #######################################
 # Print Error Message for Trap on 'ERR' on Terminal.
 # Globals:
-#   BASHOPTS
 #   BASH_VERSINFO
 #   EPOCHREALTIME
 #   ERRCMMD
@@ -109,7 +108,6 @@ print_file_err() {
 #   NL
 #   RED
 #   RES
-#   SECONDS
 #   SHELLOPTS
 #   UID
 #   VAR_ARG_SANITIZED
@@ -119,6 +117,7 @@ print_file_err() {
 #   VAR_PARAM_COUNT
 #   VAR_PARAM_STRNG
 #   VAR_RESOURCES
+#   VAR_SCRIPT_RUNTIME
 #   VAR_SYSTEM
 #   VAR_VERSION
 # Arguments:
@@ -144,7 +143,7 @@ print_scr_err() {
   printf "%b❌ Function            : %s %b%b" "${RED}" "${ERRFUNC}" "${RES}" "${NL}"
   printf "%b❌ Command             : %s %b%b" "${RED}" "${ERRCMMD}" "${RES}" "${NL}"
   printf "%b❌ Script PID          : %s %b%b" "${RED}" "${$}" "${RES}" "${NL}"
-  printf "%b❌ Script Runtime      : %s %b%b" "${RED}" "${SECONDS}" "${RES}" "${NL}"
+  printf "%b❌ Script Runtime      : %s %b%b" "${RED}" "${VAR_SCRIPT_RUNTIME}" "${RES}" "${NL}"
   printf "%b❌ System Resources    : %s %b%b" "${RED}" "${VAR_RESOURCES}" "${RES}" "${NL}"
   printf "%b❌ Arguments Counter   : %s %b%b" "${RED}" "${VAR_PARAM_COUNT}" "${RES}" "${NL}"
   printf "%b❌ Arguments Original  : %s %b%b" "${RED}" "${VAR_PARAM_STRNG}" "${RES}" "${NL}"
@@ -225,12 +224,14 @@ trap_err() {
   trap - DEBUG ERR INT TERM
 
   if [[ "${VAR_DEBUG_TRACE}" == "true" || "${VAR_DEBUG_TRAP}" == "true" ]]; then dump_vars_exiting; fi
+
   case "${VAR_IN_DIALOG_WR}" in
     box   ) dialog_box_cleaner   ;;
     gauge ) dialog_gauge_cleaner ;;
   esac
+
+  calculate_runtime
   print_file_err
   print_scr_err
-
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/cdi_0060_traps/0070_trap_exit.sh

@@ -58,6 +58,7 @@ trap_exit() {
 #   RES
 #   VAR_DEBUG_TRACE
 #   VAR_DEBUG_TRAP
+#   VAR_SCRIPT_RUNTIME
 #   VAR_SCRIPT_SUCCESS
 # Arguments:
 #   1: "$?" passed through by trap_exit()
@@ -68,10 +69,13 @@ trap_exit_zero() {
   if [[ "${VAR_DEBUG_TRACE}" == "true" || "${VAR_DEBUG_TRAP}" == "true" ]]; then dump_vars_exiting; fi
   clean_up "${var_trap_exit_zero_code}"
 
+  calculate_runtime
+
   if [[ "${VAR_SCRIPT_SUCCESS}" == "true" ]]; then
     printf "%b" "${NL}"
     printf "%b✅ CISS.debian.installer Script successful. %s%s" "${GRE}" "${RES}" "${NL}"
     printf "%b✅ Exited with Status : %s %b%b" "${GRE}" "${var_trap_exit_zero_code}" "${RES}" "${NL}"
+    printf "%b✅ Script Runtime     : %s %b%b" "${GRE}" "${VAR_SCRIPT_RUNTIME}" "${RES}" "${NL}"
     printf "%b" "${NL}"
     if [[ "${VAR_DEBUG_TRACE}" == "true" || "${VAR_DEBUG_TRAP}" == "true" ]]; then
       printf "%b✅ Vars Dump saved at : %s %b%b" "${GRE}" "${LOG_VAR}" "${RES}" "${NL}"
@@ -112,7 +116,6 @@ trap_exit_zero() {
 #   NL
 #   RED
 #   RES
-#   SECONDS
 #   SHELLOPTS
 #   UID
 #   VAR_ARG_SANITIZED
@@ -123,6 +126,7 @@ trap_exit_zero() {
 #   VAR_PARAM_COUNT
 #   VAR_PARAM_STRNG
 #   VAR_RESOURCES
+#   VAR_SCRIPT_RUNTIME
 #   VAR_SYSTEM
 #   VAR_VERSION
 # Arguments:
@@ -150,6 +154,8 @@ trap_exit_non_zero() {
       gauge ) dialog_gauge_cleaner ;;
     esac
 
+    calculate_runtime
+
     printf "%b❌ Trap on 'EXIT'      : CISS.debian.installer Script failed. %b%b" "${RED}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
     printf "%b❌                     : This was most probably caused by an unbound variable. %b%b" "${RED}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
     printf "%b❌ GIT Commit          : %s %b%b" "${RED}" "${VAR_GIT_REL}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
@@ -168,7 +174,7 @@ trap_exit_non_zero() {
     printf "%b❌ Function            : %s %b%b" "${RED}" "${var_func}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
     printf "%b❌ Command             : %s %b%b" "${RED}" "${var_cmmd}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
     printf "%b❌ Script PID          : %s %b%b" "${RED}" "${$}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
-    printf "%b❌ Script Runtime      : %s %b%b" "${RED}" "${SECONDS}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
+    printf "%b❌ Script Runtime      : %s %b%b" "${RED}" "${VAR_SCRIPT_RUNTIME}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
     printf "%b❌ System Resources    : %s %b%b" "${RED}" "${VAR_RESOURCES}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
     printf "%b❌ Arguments Counter   : %s %b%b" "${RED}" "${VAR_PARAM_COUNT}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"
     printf "%b❌ Arguments Original  : %s %b%b" "${RED}" "${VAR_PARAM_STRNG}" "${RES}" "${NL}" | tee -a "${LOG_EXT}"

meta_loader_cuv.sh

@@ -12,10 +12,10 @@
 
 ### SOURCING CONTACT, USAGE, VERSION MODULES FOR RAPID REACTION.
 
-. ./lib/0010_guard_sourcing.sh
+. ./lib/cdi_0005_guard/0005_guard_sourcing.sh
-. ./lib/0001_contact.sh
+. ./lib/cdi_0000_preliminary/0001_contact.sh
-. ./lib/0002_usage.sh
+. ./lib/cdi_0000_preliminary/0002_usage.sh
-. ./lib/0003_version.sh
+. ./lib/cdi_0000_preliminary/0003_version.sh
 . ./var/early.var.sh
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh