V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/partitioning.yaml

@@ -41,6 +41,7 @@ recipe:
           spare: 1
         level: 6               # Only Level "1", "5", "6" and "10" are supported.
         meta: 1.2              # Metadata Format. Default to '1.2'.
+      recovery: false          # MUST be "true" for recovery partition in use.
       table: "gpt"             # MUST be "gpt" for "UEFI" || "msdos":
       syntax: true             # This is set to "false" by default, otherwise if the recipe is tested by the authors to "true".
       ### Version of the specific recipe.

ciss_debian_installer.sh

@@ -12,6 +12,23 @@
 
 ### Contributions so far see ./docs/CREDITS.md
 
+# TODO: Implement Clang Build Chain and Secure Boot PK CISS.ROOT.CA Signing Workflow
+# TODO: Copy Grub Boot Loader to default path via manuel cp. Refactor 4230_update_grub.sh
+# TODO: Update preseed.yaml for pgp signing key OR implementation of presigned unlock-wrapper.sh
+# TODO: Implement Console Login Deactivation and 2fa as advertised in preseed.yaml Refactor 4500_installation_accounts.sh
+# TODO: Check Packages for installation. Refactor preseed.yaml, 4130_installation_toolset.sh, 4700_setup_packages.sh
+# TODO: What do we need for CISS environment?
+# TODO: Any changes to the NTPSec Servers?
+# TODO: Hibernate deactivation
+# TODO: Hardening Scripts Integration
+# TODO: SSH 2fa integration
+# TODO: Recovery Partition Integration
+# TODO: Grub Boot Menu Update for Recovery Integration
+# TODO: update-grub Post Hook Clang, Recovery, Signing PK
+# TODO: Copying Log Files to final System
+# TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain?
+# TODO: Reboot function for Autoinstall
+
 ### WHY BASH?
 # Ease of installation. No compiling or installing gems, CPAN modules, pip packages, etc. Simple to use and read. Clear syntax
 # and straightforward output interpretation. Built-in power. Pattern matching, line processing, and regular expression support
@@ -155,8 +172,8 @@ trap 'trap_err  "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${B
 trap 'trap_int' INT TERM
 
 ### INTERACTIVE MODE NOTES AND KERNEL SELECTION.
-# TODO: Update 0110_check_kernel.sh   & sourcing
+# TODO: Update /lib/cdi_0110_interactive/0110_check_kernel.sh   & sourcing
-# TODO: Update 0115_check_provider.sh & sourcing
+# TODO: Update /lib/cdi_0110_interactive/0115_check_provider.sh & sourcing
 #if ! "${VAR_AUTO_INSTALL}"; then check_provider; fi
 #if ! "${VAR_AUTO_INSTALL}"; then check_kernel; fi
 
@@ -178,110 +195,129 @@ arg_parser "$@"
 echo "PRIORITY UPDATES ..."
 arg_priority_check
 
+# TODO: Implement loop_pass() for other passwords.
 ### HASHING PASSWORDS.
 echo "HASHING PASSWORDS ..."
 nuke_passphrase
-# TODO: Implement loop_pass() for other passwords.
 
-### MAIN PROGRAM SEQUENCE
+# TODO: Implement / Integrate IP, Port validation
-echo "MAIN PROGRAM SEQUENCE: yaml_parser() ..."
+### CDI_1200
+
+### CDI_1250
+echo "MAIN PROGRAM SEQUENCE: 1250_yaml_parser.sh ..."
 yaml_parser
-echo "MAIN PROGRAM SEQUENCE: yaml_reader() ..."
+echo "MAIN PROGRAM SEQUENCE: 1251_yaml_reader.sh ..."
 yaml_reader
+echo "MAIN PROGRAM SEQUENCE: 1252_yaml_validator.sh ..."
+yaml_validator
 
-# TODO: Implement / Activate IP, Port validation
+### CDI_3200
-# 1222_validation_preseed.sh 1221_validation_ip.sh
+echo "MAIN PROGRAM SEQUENCE: 3200_partitioning.sh ..."
-# validation_preseed
-
-### PARTITIONING
-echo "MAIN PROGRAM SEQUENCE: partitioning() ..."
 partitioning
-echo "MAIN PROGRAM SEQUENCE: benchmarking_encryption() ..."
+echo "MAIN PROGRAM SEQUENCE: 3210_benchmarking_encryption.sh ..."
 benchmarking_encryption
-echo "MAIN PROGRAM SEQUENCE: partition_encryption() ..."
+echo "MAIN PROGRAM SEQUENCE: 3220_partition_encryption.sh ..."
 partition_encryption
-echo "MAIN PROGRAM SEQUENCE: partition_formatting() ..."
+echo "MAIN PROGRAM SEQUENCE: 3240_partition_formatting.sh ..."
 partition_formatting
-echo "MAIN PROGRAM SEQUENCE: mount_partition() ..."
+echo "MAIN PROGRAM SEQUENCE: 3280_mount_partition.sh ..."
 mount_partition
-echo "MAIN PROGRAM SEQUENCE: uuid_logger() ..."
+echo "MAIN PROGRAM SEQUENCE: 3290_uuid_logger.sh ..."
 uuid_logger
 
-### DEBOOTSTRAP # TODO: Order of Hostname, Locale, Time before first apt update and Locales individual, certificate
+### CDI_4000
-echo "MAIN PROGRAM SEQUENCE: func_debootstrap() ..."
+echo "MAIN PROGRAM SEQUENCE: 4000_debootstrap.sh ..."
 func_debootstrap
-echo "MAIN PROGRAM SEQUENCE: configure_system() ..."
+echo "MAIN PROGRAM SEQUENCE: 4010_prepare_mounts.sh ..."
-configure_system
+prepare_mounts
-echo "MAIN PROGRAM SEQUENCE: generate_fstab() ..."
+echo "MAIN PROGRAM SEQUENCE: 4020_remove_x509.sh ..."
-generate_fstab
+remove_x509
-echo "MAIN PROGRAM SEQUENCE: generate_crypttab() ..."
+echo "MAIN PROGRAM SEQUENCE: 4030_setup_hostname.sh ..."
-generate_crypttab
-echo "MAIN PROGRAM SEQUENCE: generate_sources() ..."
-generate_sources
-echo "MAIN PROGRAM SEQUENCE: minimal_toolset() ..."
-minimal_toolset
-echo "MAIN PROGRAM SEQUENCE: setup_skel() ..."
-setup_skel
-echo "MAIN PROGRAM SEQUENCE: setup_timezone() ..."
-setup_timezone # TODO: Checks ongoing.
-echo "MAIN PROGRAM SEQUENCE: setup_locales() ..."
-setup_locales
-# TODO: Implement Clang Build Chain and MOK Signing Workflow
-echo "MAIN PROGRAM SEQUENCE: installation_kernel() ..."
-installation_kernel
-echo "MAIN PROGRAM SEQUENCE: setup_network() ..."
-setup_network
-echo "MAIN PROGRAM SEQUENCE: setup_hostname() ..."
 setup_hostname
-echo "MAIN PROGRAM SEQUENCE: setup_machineid() ..."
+echo "MAIN PROGRAM SEQUENCE: 4035_setup_resolv.sh ..."
-setup_machineid
+setup_resolv
-# TODO: Implement Clang Build Chain and MOK Signing Workflow and integrate GRUB, if needed
+echo "MAIN PROGRAM SEQUENCE: 4040_setup_timezone.sh ..."
-# TODO: Copy Grub Boot Loader to default path
+setup_timezone
-echo "MAIN PROGRAM SEQUENCE: setup_grub() ..."
+echo "MAIN PROGRAM SEQUENCE: 4050_setup_locales.sh ..."
-setup_grub
+setup_locales
-echo "MAIN PROGRAM SEQUENCE: setup_grub_password() ..."
-setup_grub_password
-echo "MAIN PROGRAM SEQUENCE: setup_grub_bootparameter() ..."
-setup_grub_bootparameter
-echo "MAIN PROGRAM SEQUENCE: setup_kernel_modules() ..."
-setup_kernel_modules
-echo "MAIN PROGRAM SEQUENCE: setup_kernel_sysctl() ..."
-setup_kernel_sysctl
-echo "MAIN PROGRAM SEQUENCE: installation_microcode() ..."
-installation_microcode
-echo "MAIN PROGRAM SEQUENCE: setup_ssh() ..."
-setup_ssh
-echo "MAIN PROGRAM SEQUENCE: build_dropbear() ..."
-build_dropbear
-echo "MAIN PROGRAM SEQUENCE: install_dropbear_initramfs() ..."
-install_dropbear_initramfs
-# TODO: Update preseed.yaml for pgp signing key AND / OR implementation of presigned unlock-wrapper.sh
-echo "MAIN PROGRAM SEQUENCE: setup_dropbear() ..."
-setup_dropbear
-# TODO: Implement Console Login Deactivation and 2fa as advertised in preseed.yaml
-echo "MAIN PROGRAM SEQUENCE: setup_accounts() ..."
-setup_accounts
-# TODO: Check Packages for installation
-echo "MAIN PROGRAM SEQUENCE: setup_packages() ..."
-setup_packages
-# TODO: What do we need for CISS environment?
-echo "MAIN PROGRAM SEQUENCE: setup_sudo() ..."
-setup_sudo
-# TODO: Any changes to the NTPSec Servers?
-echo "MAIN PROGRAM SEQUENCE: setup_chrony() ..."
-setup_chrony
-echo "MAIN PROGRAM SEQUENCE: exiting_chroot() ..."
-exiting_chroot
 
-# TODO: Hibernate deactivation
+### CDI_4100
-# TODO: Hardening Scripts Integration
+echo "MAIN PROGRAM SEQUENCE: 4100_generate_sources.sh ..."
-# TODO: SSH 2fa integration
+generate_sources
-# TODO: Recovery Partition Integration
+echo "MAIN PROGRAM SEQUENCE: 4110_update_sources.sh ..."
-# TODO: Grub Boot Menu Update for Recovery Integration
+update_sources
-# TODO: update-grub Post Hook Clang, Recovery, Signing MOK
+echo "MAIN PROGRAM SEQUENCE: 4120_installation_kernel.sh ..."
-# TODO: Copying Log Files to final System
+installation_kernel
-# TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain?
+echo "MAIN PROGRAM SEQUENCE: 4130_installation_toolset.sh ..."
-# TODO: Reboot function for Autoinstall
+installation_toolset
+echo "MAIN PROGRAM SEQUENCE: 4131_installation_systemd.sh ..."
+installation_systemd
+echo "MAIN PROGRAM SEQUENCE: 4132_installation_machineid.sh ..."
+installation_machineid
+echo "MAIN PROGRAM SEQUENCE: 4140_installation_microcode.sh ..."
+installation_microcode
+echo "MAIN PROGRAM SEQUENCE: 4150_installation_chrony.sh ..."
+installation_chrony
+
+### CDI_4200
+echo "MAIN PROGRAM SEQUENCE: 4200_generate_fstab.sh ..."
+generate_fstab
+echo "MAIN PROGRAM SEQUENCE: 4210_generate_crypttab.sh ..."
+generate_crypttab
+echo "MAIN PROGRAM SEQUENCE: 4220_update_initramfs.sh ..."
+update_initramfs
+echo "MAIN PROGRAM SEQUENCE: 4230_update_grub.sh ..."
+update_grub
+echo "MAIN PROGRAM SEQUENCE: 4240_update_grub_password.sh ..."
+update_grub_password
+echo "MAIN PROGRAM SEQUENCE: 4250_update_grub_bootparameter.sh ..."
+update_grub_bootparameter
+
+### CDI_4300
+echo "MAIN PROGRAM SEQUENCE: 4300_installation_network.sh ..."
+installation_network
+echo "MAIN PROGRAM SEQUENCE: 4310_dropbear_build.sh ..."
+dropbear_build
+echo "MAIN PROGRAM SEQUENCE: 4311_dropbear_initramfs.sh ..."
+dropbear_initramfs
+echo "MAIN PROGRAM SEQUENCE: 4312_dropbear_setup.sh ..."
+dropbear_setup
+
+### CDI_4400
+echo "MAIN PROGRAM SEQUENCE: 4400_kernel_modules.sh ..."
+kernel_modules
+echo "MAIN PROGRAM SEQUENCE: 4410_kernel_sysctl.sh ..."
+kernel_sysctl
+echo "MAIN PROGRAM SEQUENCE: 4420_installation_ssh.sh ..."
+installation_ssh
+echo "MAIN PROGRAM SEQUENCE: 4430_installation_skel.sh ..."
+installation_skel
+echo "MAIN PROGRAM SEQUENCE: 4440_hardening_files.sh ..."
+hardening_files
+
+### CDI_4500
+echo "MAIN PROGRAM SEQUENCE: 4500_installation_accounts.sh ..."
+installation_accounts
+
+### CDI_4600
+#echo "MAIN PROGRAM SEQUENCE: 4600_minimal_checks.sh ..."
+
+#echo "MAIN PROGRAM SEQUENCE: 4610_finalize_system.sh ..."
+
+#echo "MAIN PROGRAM SEQUENCE: 4670_verify_system.sh ..."
+
+#echo "MAIN PROGRAM SEQUENCE: 4680_check_sshd_config_integrity.sh ..."
+
+#echo "MAIN PROGRAM SEQUENCE: 4690_check_grub_cmdline.sh ..."
+
+### CDI_4700
+echo "MAIN PROGRAM SEQUENCE: 4799_exiting_chroot_system.sh ..."
+exiting_chroot_system
+
+### CDI_5000
+if [[ "${VAR_RECOVERY}" == "true" ]]; then
+  wrapper_recovery
+fi
 
 ### Dialog Output for Initialization END
 if ! "${VAR_AUTO_INSTALL}"; then . ./lib/cdi_0200_dialog/0200_dialog_helper.sh && dialog_box_cleaner; fi

func/cdi_1250_yaml/1251_yaml_reader.sh

@@ -35,11 +35,11 @@ yaml_reader() {
   # shellcheck disable=SC2034
   declare -Ag HMP_RECIPE_DEV_PARTITIONS=()
   declare -gx VAR_RECIPE_STRING="" VAR_RECIPE_HIGHEST_DEVICE="" VAR_ARCHITECTURE="" VAR_RECIPE_FIRMWARE="" VAR_NUKE="" \
-              VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false" VAR_CODENAME=""
+              VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false" VAR_CODENAME="" VAR_RECOVERY=""
   ### Declare and substitute input files.
   declare -r  var_if="${VAR_PRESEED}"
   declare     var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \
-              recipe_firmware_var="" recipe_nuke_var="" recipe_table_var=""
+              recipe_firmware_var="" recipe_nuke_var="" recipe_table_var="" recipe_recovery_var=""
 
   ### Read "${var_if}" line by line.
   while IFS= read -r var_line; do
@@ -172,6 +172,11 @@ END { print max }
 
   fi
 
+  ### Extract the chosen Recovery mechanism.
+  recipe_recovery_var="recipe_${VAR_RECIPE_STRING}_control_recovery"
+  # shellcheck disable=SC2034
+  VAR_RECOVERY="${!recipe_recovery_var}"
+
   return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_3200_partitioning/3200_partitioning.sh

@@ -48,7 +48,7 @@ partitioning() {
   # shellcheck disable=SC2034
   declare -Ag HMP_PATH_PARTUUID        # Used in: 3290() - [Mount Path:Partition UUID].
   # shellcheck disable=SC2034
-  declare -Ag HMP_FSTAB_MOUNT_FTYPE    # Used in: 4040() - [Mount Path:Filesystem type].
+  declare -Ag HMP_FSTAB_MOUNT_FTYPE    # Used in: 4200() - [Mount Path:Filesystem type].
   # shellcheck disable=SC2034
   declare -Ag HMP_PATH_DEV_PART        # Used in: 3220() - [Mount Path:DEV.PARTITION].
                                        # Used in: 3240() - [Mount Path:DEV.PARTITION].
@@ -58,10 +58,10 @@ partitioning() {
   # shellcheck disable=SC2034
   declare -ag ARY_FORMT_MOUNT_PATHS=() # Used in: 3240() - Only entries [/paths] for filesystem generation.
   # shellcheck disable=SC2034
-  declare -ag ARY_FSTAB_MOUNT_PATHS=() # Used in: 4040() - Only entries [/paths] for '/etc/fstab' generation.
+  declare -ag ARY_FSTAB_MOUNT_PATHS=() # Used in: 4200() - Only entries [/paths] for '/etc/fstab' generation.
   # shellcheck disable=SC2034
   declare -ag ARY_PATHS_SORTED=()      # Used in: 3280() - All entries [/paths] in a mount ordering scheme.
-                                       # Used in: 4040() - All entries [/paths] in a mount ordering scheme.
+                                       # Used in: 4200() - All entries [/paths] in a mount ordering scheme.
 
   declare     var_dev="" var_part="" \
               var_begin="" var_boot="" var_encryption="" var_end="" var_end_arg="" var_end_mib="" var_format="" var_fs="" \
@@ -276,7 +276,7 @@ partitioning() {
       ### Gathering information for mounting module 3280().
       ary_paths_unsorted+=("${var_mount_path}")
 
-      ### Gathering information for '/etc/fstab'-generation in 4040().
+      ### Gathering information for '/etc/fstab'-generation in 4200().
       if [[ "${var_mount_true}" == "true" ]]; then
         # shellcheck disable=SC2034
         ARY_FSTAB_MOUNT_PATHS+=("${var_mount_path}")
@@ -285,7 +285,6 @@ partitioning() {
         do_log "debug" "file_only" "3200() [HMP_FSTAB_MOUNT_FTYPE]: '${var_mount_path}' -> '${HMP_FSTAB_MOUNT_FTYPE["${var_mount_path}"]}'."
       fi
 
-
     done
 
   lsblk -o NAME,START,SIZE,PHY-SEC,LOG-SEC,ALIGNMENT "/dev/${var_dev}" >| "${DIR_LOG}/${var_dev}_alignment.log"

func/cdi_3200_partitioning/3220_partition_encryption.sh

@@ -41,15 +41,15 @@ guard_sourcing
 partition_encryption() {
   ### Declare Arrays, HashMaps, and Variables.
   declare -Ag HMP_PATH_LUKSUUID      # Used in: 3290() - [Mount Path:LUKS UUID].
-                                     # Used in: 4060() - [Mount Path:LUKS UUID].
+                                     # Used in: 4210() - [Mount Path:LUKS UUID].
   declare -Ag HMP_PATH_FSUUID        # Used in: 3240() - [Mount Path:Filesystem UUID].
                                      # Used in: 3290() - [Mount Path:Filesystem UUID].
-                                     # Used in: 4040() - [Mount Path:Filesystem UUID].
+                                     # Used in: 4200() - [Mount Path:Filesystem UUID].
-                                     # Used in: 4060() - [Mount Path:Filesystem UUID].
+                                     # Used in: 4210() - [Mount Path:Filesystem UUID].
-  declare -Ag HMP_EPHEMERAL_ENCLABEL # Used in: 4040() - [Mount Path:LUKS Encryption Label].
+  declare -Ag HMP_EPHEMERAL_ENCLABEL # Used in: 4200() - [Mount Path:LUKS Encryption Label].
-  declare -Ag HMP_EPHEMERAL_FS_LABEL # Used in: 4060() - [Mount Path:Ephemeral Host FS Label]. Substituted by FS-UUID
+  declare -Ag HMP_EPHEMERAL_FS_LABEL # Used in: 4210() - [Mount Path:Ephemeral Host FS Label]. Substituted by FS-UUID
 
-  declare -Ag HMP_PATH_ENCLABEL      # Used in: 4060() - [Mount Path:LUKS Encryption Label].
+  declare -Ag HMP_PATH_ENCLABEL      # Used in: 4210() - [Mount Path:LUKS Encryption Label].
 
   declare -gx VAR_CRYPT_ROOT=""      # LUKS UUID of '/'.
   declare -gx VAR_CRYPT_RECOVERY=""  # LUKS UUID of '/recovery'.

func/cdi_3200_partitioning/3240_partition_formatting.sh

@@ -31,8 +31,8 @@ partition_formatting() {
   ### Declare Arrays, HashMaps, and Variables.
   # shellcheck disable=SC2034
   declare -Ag HMP_PATH_FSUUID        # Used in: 3290() - [Mount Path:Filesystem UUID].
-                                     # Used in: 4040() - [Mount Path:Filesystem UUID].
+                                     # Used in: 4200() - [Mount Path:Filesystem UUID].
-                                     # Used in: 4060() - [Mount Path:Filesystem UUID].
+                                     # Used in: 4210() - [Mount Path:Filesystem UUID].
   declare     var_dev="" var_dev_part="" var_dev="" \
               var_encryption_enable="" var_encryption_label="" var_format_path="" var_fs_btrfs_checksum="" \
               var_fs_btrfs_compress="" var_fs_btrfs_mdup="" var_fs_label="" var_fs_options="" var_fs_version="" \

func/cdi_4000_debootstrap/4010_prepare_mounts.sh

@@ -25,7 +25,7 @@ guard_sourcing
 #   ERR_CHRT_MOUNTS
 #   0: on success
 #######################################
-configure_system() {
+prepare_mounts() {
 
   ### Notes
   # This file mounts all necessary pseudo filesystems into the target root environment to enable chroot operations.

func/cdi_4000_debootstrap/4020_remove_x509.sh

@@ -22,7 +22,7 @@ guard_sourcing
 # Returns:
 #   0: on success
 #######################################
-delete_expired_certs() {
+remove_x509() {
 
   install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/4020_remove_x509.hooks.sh" \
     "${TARGET}/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh"

func/cdi_4100_base_installation/4131_installation_systemd.sh

@@ -21,7 +21,7 @@ guard_sourcing
 # Returns:
 #   0: on success
 #######################################
-installation_toolset() {
+installation_systemd() {
   if ! do_in_target_script "${TARGET}" "command -v systemctl >/dev/null"; then
 
     do_log "info" "file_only" "4131() 'systemctl' NOT found, installing 'systemd' and dependencies."

func/cdi_4100_base_installation/4140_installation_microcode.sh

@@ -22,21 +22,19 @@ guard_sourcing
 #   0: on success
 #######################################
 installation_microcode() {
-  declare var_microcode_pkgs=""
+  ### Declare Arrays, HashMaps, and Variables.
+  declare var_microcode_pkgs="" var_whereiam="" var_cpu_vendor=""
 
-  declare var_whereiam
   # shellcheck disable=SC2312
   var_whereiam=$(virt-what | head -n1)
   [[ -z "${var_whereiam}" ]] && var_whereiam="baremetal"
-
-  declare var_cpu_vendor
   # shellcheck disable=SC2312
   var_cpu_vendor=$(lscpu | awk -F: '/Vendor ID/ {print $2}' | xargs)
 
   case "${var_cpu_vendor}" in
     *AuthenticAMD*)   var_microcode_pkgs="amd64-microcode" ;;
     *GenuineIntel*)   var_microcode_pkgs="intel-microcode" ;;
-    ""|*ARM*|*arm*|*) var_microcode_pkgs=""; do_log "info" "file_only" "ARM or unknown CPU detected, skipping microcode installation." ;;
+    ""|*ARM*|*arm*|*) var_microcode_pkgs=""; do_log "info" "file_only" "4140() ARM or unknown CPU detected, skipping microcode installation." ;;
   esac
 
   ###########################################################################################
@@ -50,7 +48,7 @@ installation_microcode() {
 
   else
 
-    do_log "info" "file_only" "Skipping microcode install (${var_whereiam}, ${var_microcode_pkgs:-none})"
+    do_log "info" "file_only" "4140() Skipping microcode install (${var_whereiam}, ${var_microcode_pkgs:-none})"
 
   fi
 

func/cdi_4100_base_installation/4150_installation_chrony.sh

@@ -25,30 +25,35 @@ guard_sourcing
 # Returns:
 #   0: on success
 #######################################
-setup_chrony() {
+installation_chrony() {
+  ### Declare Arrays, HashMaps, and Variables.
   # shellcheck disable=SC2155
-  declare var_of=$(mktemp var_of.XXXXXXXX)
+  declare var_of=$(mktemp var_of.XXXXXXXX) var_ntp_server=""
-  declare var_ntp_server
 
   for var_ntp_server in "${ARY_NTPSRVR[@]}"; do
-    printf "server %s iburst nts minpoll 5 maxpoll 9 %s" "${var_ntp_server}" "${NL}" >> "${var_of}"
+
+    printf "server %s iburst nts minpoll 5 maxpoll 9 %b" "${var_ntp_server}" "${NL}" >> "${var_of}"
+
   done
-  printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh %s" "${NL}" >> "${var_of}"
+
+  printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh %b" "${NL}" >> "${var_of}"
 
   mkdir -p "${TARGET}/var/log/chrony"
   do_in_target "${TARGET}" apt-get install chrony -y
 
   if [[ ! -e "${TARGET}/etc/systemd/system/multi-user.target.wants/chrony.service" ]]; then
+
     ln -s "${TARGET}/lib/systemd/system/chrony.service" "${TARGET}/etc/systemd/system/multi-user.target.wants/chrony.service"
   fi
 
+
   mkdir -p "${DIR_BAK}/etc/chrony"
   mv "${TARGET}/etc/chrony/chrony.conf" "${DIR_BAK}/etc/chrony/chrony.conf.bak"
 
   install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/etc/chrony/chrony.cnf" "${TARGET}/etc/chrony/chrony.conf"
   cat "${var_of}" >> "${TARGET}/etc/chrony/chrony.conf"
 
-  do_log "info" "file_only" "Chrony NTPsec client installed."
+  do_log "info" "file_only" "4150() Chrony NTPsec client installed."
 
   rm -f "${var_of}"
   unset var_of

func/cdi_4200_boot_installation/4200_generate_fstab.sh

@@ -31,12 +31,12 @@ write_fstab() {
   if [[ "${write_maps}" =~ ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}$ ]] || [[ "${write_maps}" =~ ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ ]]; then
 
     printf "%-43s%-28s%-18s%-100s0 %s\n" "UUID=${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
-    do_log "info" "file_only" "4040() fstab entry generated: [UUID=${write_maps}    ${write_path}    ${write_type}    ${write_opts}    0 ${write_pass}]."
+    do_log "info" "file_only" "4200() fstab entry generated: [UUID=${write_maps}    ${write_path}    ${write_type}    ${write_opts}    0 ${write_pass}]."
 
   elif [[ "${write_maps}" == /dev/mapper/* ]]; then
 
     printf "%-43s%-28s%-18s%-100s0 %s\n" "${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
-    do_log "info" "file_only" "4040() fstab entry generated: [${write_maps}    ${write_path}    ${write_type}    ${write_opts}    0 ${write_pass}]."
+    do_log "info" "file_only" "4200() fstab entry generated: [${write_maps}    ${write_path}    ${write_type}    ${write_opts}    0 ${write_pass}]."
 
   fi
 
@@ -131,14 +131,23 @@ EOF
       btrfs)
 
         write_fstab "${var_fs_uuid}" "${var_fs_path}" "${var_fs_type}" "${var_fs_opts}" "${var_fs_pass}"
+
         if [[ -v HMP_FSTAB_MOUNT_OPTS["${var_path}/.snapshots"] ]]; then
+
           var_fs_opts="${HMP_FSTAB_MOUNT_OPTS["${var_path}/.snapshots"]}"
+
           if [[ "${var_fs_path}" == "/" ]]; then
+
             write_fstab "${var_fs_uuid}" "/.snapshots" "${var_fs_type}" "${var_fs_opts}" "${var_fs_pass}"
+
           else
+
             write_fstab "${var_fs_uuid}" "${var_fs_path}/.snapshots" "${var_fs_type}" "${var_fs_opts}" "${var_fs_pass}"
+
           fi
+
         fi
+
         continue
         ;;
 
@@ -172,7 +181,7 @@ EOF
 /dev/sr0                                   /media/cdrom0               udf,iso9660       user,noauto                                                                                         0 0
 
 EOF
-  do_log "info" "file_only" "4040() fstab entry generated: '/dev/sr0  /media/cdrom0  udf,iso9660  user,noauto  0 0'."
+  do_log "info" "file_only" "4200() fstab entry generated: '/dev/sr0  /media/cdrom0  udf,iso9660  user,noauto  0 0'."
 
   cat << 'EOF' >> "${TARGET}/etc/fstab"
 ### Secure tmpfs mounts for a hardened system

func/cdi_4200_boot_installation/4210_generate_crypttab.sh

@@ -28,7 +28,7 @@ write_crypttab() {
   declare write_label="$1" write_dev="$2" write_key_file="$3" write_opts="$4"
 
   printf "%-43s%-46s%-40s%s \n" "${write_label}" "${write_dev}" "${write_key_file}" "${write_opts}" >> "${TARGET}/etc/crypttab"
-  do_log "info" "file_only" "4060() crypttab entry generated: [${write_label} ${write_dev} ${write_key_file} ${write_opts}]."
+  do_log "info" "file_only" "4210() crypttab entry generated: [${write_label} ${write_dev} ${write_key_file} ${write_opts}]."
 
   return 0
 }
@@ -96,15 +96,6 @@ EOF
 
     if [[ "${dropbear_boot,,}" == "true" ]]; then
 
-      if [[ "${VAR_NUKE,,}" == "true" && "${var_key,,}" == "/" ]]; then
-
-        # TODO: Check for cryptsetup installation errors while unlock_wrapper.sh is not yet installed.
-        #write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=/lib/cryptsetup/scripts/unlock_wrapper.sh"
-        write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs"
-        continue
-
-      fi
-
       write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs"
 
     else

func/cdi_4200_boot_installation/4220_update_initramfs.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Calling 'update-initramfs -u -v -k all' inside Target.
+# Globals:
+#   TARGET
+#   VAR_ARCHITECTURE
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+update_initramfs() {
+  do_in_target "${TARGET}" update-initramfs -u -v -k all
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4200_boot_installation/4230_update_grub.sh

@@ -46,10 +46,9 @@ guard_sourcing
 #   ERR_GRUB_EFI_FORCE
 #   0: on success
 #######################################
-installation_grub() {
+update_grub() {
   declare -gx var_update_grub_required="false"
 
-
   get_all_boot_devs
 
   if [[ "${grub_skip,,}" != "true" ]]; then
@@ -279,7 +278,7 @@ install_grub_bios_all() {
     *)         do_log "emergency" "file_only" "4140() Unknown partition table type: '${VAR_RECIPE_TABLE}'."; return "${ERR_PARTITIONTBL}" ;;
   esac
 
-  declare var_modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 ${partmod}"
+  declare var_modules="biosdisk btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 ${partmod}"
   declare -a args=(--target=i386-pc --boot-directory=/boot "--modules=${var_modules}")
   args+=(--recheck)
 
@@ -306,21 +305,33 @@ install_grub_bios_all() {
 #   ERR_PARTITIONTBL on failure
 #######################################
 install_grub_uefi_all() {
-  declare dev="" partmod=""
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -a ary_uefi_arg=()
+  declare    var_uefi_dev="" var_uefi_mod=""
 
-  case "${VAR_RECIPE_TABLE,,}" in
+  ### Cryptographic modules.
-    gpt)       partmod="part_gpt"   ;;
+  var_uefi_mod+="cryptodisk gcry_rijndael gcry_sha256 gcry_sha512 gcry_whirlpool gcry_serpent gcry_twofish luks luks2"
-    msdos|mbr) partmod="part_msdos" ;;
+  ### Filesystem modules.
-    *)         do_log "emergency" "file_only" "4140() Unknown partition table type: '${VAR_RECIPE_TABLE}'."; return "${ERR_PARTITIONTBL}" ;;
+  var_uefi_mod+="btrfs ext2"
-  esac
+  ### Partitioning / Device / GPT
+  var_uefi_mod+="biosdisk mdraid1x part_gpt part_msdos"
+  ### Device / Terminal modules.
+  var_uefi_mod+="boot linux efi_gop efi_uga gfxterm gfxterm_background gfxterm_menu normal search search_fs_uuid search_label"
+  ### Debug modules.
+  var_uefi_mod+="cat echo hexdump ls test terminfo"
 
-  declare var_modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 ${partmod}"
+  [[ "${grub_force_efi,,}" == "true" ]] && ary_uefi_arg+=( --force-extra-removable )
-  declare -a args=(--target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Debian "--modules=${var_modules}")
+  [[ "${grub_update_nvram,,}" == "false" ]] && ary_uefi_arg+=( --no-nvram )
 
-  for dev in "${ary_bootdev_all[@]}"; do
+  ary_uefi_arg+=( --target=x86_64-efi --boot-directory=/boot --efi-directory=/boot/efi --bootloader-id=Debian "--modules=${var_uefi_mod}" )
-    do_in_target "${TARGET}" grub-install "${args[@]}"
+
-    do_log "info" "file_only" "4140() Installed: GRUB on Device: '${dev}' (UEFI)."
+  for var_uefi_dev in "${ary_bootdev_all[@]}"; do
+
+    ary_uefi_arg+=( "--recheck ${var_uefi_dev}" )
+    do_in_target "${TARGET}" grub-install "${ary_uefi_arg[@]}"
+    do_log "info" "file_only" "4140() Installed: GRUB on Device: '${var_uefi_dev}' (UEFI)."
     var_update_grub_required="true"
+
   done
 
   return 0

func/cdi_4200_boot_installation/4240_update_grub_password.sh

@@ -25,7 +25,7 @@ guard_sourcing
 #   0: on success
 #   ERR_READ_GRUB_FILE
 #######################################
-setup_grub_password() {
+update_grub_password() {
   declare var_username="superadmin"
   declare var_password=""
   declare var_password_file="${DIR_CNF}/password_grub.txt"

func/cdi_4200_boot_installation/4250_update_grub_bootparameter.sh

@@ -26,7 +26,7 @@ guard_sourcing
 # Returns:
 #   0: on success
 #######################################
-setup_grub_bootparameter() {
+update_grub_bootparameter() {
   declare var_nuke_string="" var_param=""
 
   grub_extract_current_string

func/cdi_4300_network/4300_installation_network.sh

@@ -49,7 +49,7 @@ guard_sourcing
 # Returns:
 #   0: on success
 #######################################
-setup_network() {
+installation_network() {
   do_in_target "${TARGET}" apt-get install -y isc-dhcp-client ifupdown
   mkdir -p "${TARGET}/etc/network/interfaces/interfaces.d"
 

func/cdi_4300_network/4310_dropbear_build.sh

@@ -24,7 +24,7 @@ guard_sourcing
 #   ERR_PATH_NOT_VALID
 #   0: on success
 #######################################
-build_dropbear() {
+dropbear_build() {
   declare var_dropbear_version="2025.88"
   declare var_tar="${VAR_SETUP_PATH}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
   declare var_build_dir="${DIR_TMP}/build/dropbear-${var_dropbear_version}"

func/cdi_4300_network/4311_dropbear_initramfs.sh

@@ -22,7 +22,7 @@ guard_sourcing
 # Returns:
 #   0: on success
 #######################################
-install_dropbear_initramfs() {
+dropbear_initramfs() {
   declare var_file
   do_in_target "${TARGET}" apt-get install -y dropbear-initramfs
   do_in_target "${TARGET}" apt-mark hold -y dropbear dropbear-initramfs

func/cdi_4300_network/4312_dropbear_setup.sh

@@ -12,6 +12,13 @@
 
 guard_sourcing
 
+# TODO: Implement this update:
+# if [[ "${VAR_NUKE,,}" == "true" && "${var_key,,}" == "/" ]]; then
+#  #write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=/lib/cryptsetup/scripts/unlock_wrapper.sh"
+#  write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs"
+#  continue
+#fi
+
 #######################################
 # Setup Dropbear Initramfs Environment.
 # Globals:
@@ -40,7 +47,7 @@ guard_sourcing
 # Returns:
 #   0: on success
 #######################################
-setup_dropbear() {
+dropbear_setup() {
   ### Prepare strong dropbear host keys
   rm -f "${TARGET}"/etc/dropbear/initramfs/dropbear*key
 

func/cdi_4400_hardening/4400_kernel_modules.sh

@@ -21,7 +21,7 @@ guard_sourcing
 # Returns:
 #   0: on success
 #######################################
-setup_kernel_modules() {
+kernel_modules() {
   ### Entropy collection improvements
   mkdir -p "${TARGET}/usr/lib/modules-load.d"
   cat << EOF >| "${TARGET}/usr/lib/modules-load.d/30_security-misc.conf"

func/cdi_4400_hardening/4410_kernel_sysctl.sh

@@ -22,7 +22,7 @@ guard_sourcing
 # Returns:
 #   0: on success
 #######################################
-setup_kernel_sysctl() {
+kernel_sysctl() {
   install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/etc/sysctl.d/99_local.hardened.ini" \
     "${TARGET}/etc/sysctl.d/99_local.hardened"
   do_log "info" "file_only" "Installed: '/etc/sysctl.d/99_local.hardened'."

func/cdi_4400_hardening/4420_installation_ssh.sh

@@ -30,7 +30,7 @@ guard_sourcing
 # Returns:
 #   0: on success
 #######################################
-setup_ssh() {
+installation_ssh() {
   do_in_target "${TARGET}" apt-get install -y ssh
 
   #######################################

func/cdi_4400_hardening/4430_installation_skel.sh

@@ -22,7 +22,7 @@ guard_sourcing
 # Returns:
 #   0: on success
 #######################################
-setup_skel() {
+installation_skel() {
   mkdir -p "${TARGET}/etc/skel/.ciss"
 
   install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${TARGET}/etc/skel/.bashrc"

func/cdi_4500_user/4500_installation_accounts.sh

@@ -27,7 +27,7 @@ guard_sourcing
 # Returns:
 #   0: on success
 #######################################
-setup_accounts() {
+installation_accounts() {
 
   #######################################
   # Declare Variables

meta_loader_func.sh

@@ -54,33 +54,47 @@ source_guard "./func/cdi_4100_base_installation/4120_installation_kernel.sh"
 source_guard "./func/cdi_4100_base_installation/4130_installation_toolset.sh"
 source_guard "./func/cdi_4100_base_installation/4131_installation_systemd.sh"
 source_guard "./func/cdi_4100_base_installation/4132_installation_machineid.sh"
-source_guard "./func/cdi_4100_base_installation/4140_installation_grub.sh"
+source_guard "./func/cdi_4100_base_installation/4140_installation_microcode.sh"
+source_guard "./func/cdi_4100_base_installation/4150_installation_chrony.sh"
 
-source_guard "./func/system/4040_generate_fstab.sh"
+### cdi_4200_boot_installation
-source_guard "./func/system/4060_generate_crypttab.sh"
+source_guard "./func/cdi_4200_boot_installation/4200_generate_fstab.sh"
-source_guard "./func/system/4095_setup_skel.sh"
+source_guard "./func/cdi_4200_boot_installation/4210_generate_crypttab.sh"
-source_guard "./func/system/4130_setup_network.sh"
+source_guard "./func/cdi_4200_boot_installation/4220_update_initramfs.sh"
-source_guard "./func/system/4155_setup_grub_password.sh"
+source_guard "./func/cdi_4200_boot_installation/4230_update_grub.sh"
-source_guard "./func/system/4160_grub_bootparameter.sh"
+source_guard "./func/cdi_4200_boot_installation/4240_update_grub_password.sh"
-source_guard "./func/system/4165_kernel_modules.sh"
+source_guard "./func/cdi_4200_boot_installation/4250_update_grub_bootparameter.sh"
-source_guard "./func/system/4166_kernel_sysctl.sh"
-source_guard "./func/system/4170_installation_microcode.sh"
-source_guard "./func/system/4180_setup_ssh.sh"
-source_guard "./func/system/4190_build_dropbear.sh"
-source_guard "./func/system/4191_install_dropbear_initramfs.sh"
-source_guard "./func/system/4195_setup_dropbear.sh"
-source_guard "./func/system/4200_setup_accounts.sh"
-source_guard "./func/system/4210_setup_packages.sh"
-source_guard "./func/system/4220_setup_sudo.sh"
-source_guard "./func/system/4230_setup_chrony.sh"
-source_guard "./func/system/4999_exiting_chroot_system.sh"
-source_guard "./func/system/5000_hardening_files.sh"
 
-#source_guard "./func/recovery/3.8.9.functions_installation_wrapper_recovery.sh"
+### cdi_4300_network
-#source_guard "./func/recovery/3.9.0.functions_installation_setup_recovery.sh"
+source_guard "./func/cdi_4300_network/4300_installation_network.sh"
-#source_guard "./func/recovery/3.9.1.functions_installation_generate_files_recovery.sh"
+source_guard "./func/cdi_4300_network/4310_dropbear_build.sh"
+source_guard "./func/cdi_4300_network/4311_dropbear_initramfs.sh"
+source_guard "./func/cdi_4300_network/4312_dropbear_setup.sh"
 
-#source_guard "./func/9998_check_sshd_config_integrity.sh"
+### cdi_4400_hardening
-#source_guard "./func/9999_check_grub_cmdline.sh"
+source_guard "./func/cdi_4400_hardening/4400_kernel_modules.sh"
+source_guard "./func/cdi_4400_hardening/4410_kernel_sysctl.sh"
+source_guard "./func/cdi_4400_hardening/4420_installation_ssh.sh"
+source_guard "./func/cdi_4400_hardening/4430_installation_skel.sh"
+source_guard "./func/cdi_4400_hardening/4440_hardening_files.sh"
+
+### cdi_4500_user
+source_guard "./func/cdi_4500_user/4500_installation_accounts.sh"
+
+### cdi_4600_verification
+#source_guard "./func/cdi_4600_verification/4600_minimal_checks.sh"
+#source_guard "./func/cdi_4600_verification/4610_finalize_system.sh"
+#source_guard "./func/cdi_4600_verification/4670_verify_system.sh"
+#source_guard "./func/cdi_4600_verification/4680_check_sshd_config_integrity.sh"
+#source_guard "./func/cdi_4600_verification/4690_check_grub_cmdline.sh"
+
+### cdi_4700_xtended
+source_guard "./func/cdi_4700_xtended/4700_setup_packages.sh"
+source_guard "./func/cdi_4700_xtended/4799_exiting_chroot_system.sh"
+
+### cdi_5000_recovery
+#source_guard "./func/cdi_5000_recovery/3.8.9.functions_installation_wrapper_recovery.sh"
+#source_guard "./func/cdi_5000_recovery/3.9.0.functions_installation_setup_recovery.sh"
+#source_guard "./func/cdi_5000_recovery/3.9.1.functions_installation_generate_files_recovery.sh"
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh