V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.editorconfig

@@ -19,6 +19,12 @@ indent_size = 2
 tab_width = 2
 max_line_length = 128
 
+[*.{bash,sh,zsh}]
+end_of_line = lf
+charset = utf-8
+insert_final_newline = true
+trim_trailing_whitespace = true
+
 [*.h]
 charset = utf-8
 insert_final_newline = true
@@ -32,15 +38,26 @@ insert_final_newline = true
 # Do not trim trailing whitespace: two spaces at end-of-line signal a hard line break in Markdown
 trim_trailing_whitespace = false
 
+# Python files – PEP 8 compliant
+[*.py]
+indent_size = 4
+tab_width = 4
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+max_line_length = 79
+
+[*.toml]
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
 [*.{yaml,yml}]
 end_of_line = lf
 insert_final_newline = true
 # Trim trailing whitespace (safe, since YAML does not rely on trailing spaces)
 trim_trailing_whitespace = true
 
-[*.{sh,bash,zsh}]
-end_of_line = lf
-charset = utf-8
-insert_final_newline = true
-trim_trailing_whitespace = true
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

.preseed/mfa_master.txt

@@ -0,0 +1 @@
+7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda

.preseed/partitioning.yaml

@@ -34,6 +34,7 @@ recipe:
         time: 256              # The number of milliseconds to spend with PBKDF passphrase processing.
       name: "ciss.2025.gpt.btrfs.ephemeral.non-raid.256GiB.rescue"
       nuke: true               # Activates Nuke-Mechanism in '/etc/crypttab' keyscript and via dropbear SSH forced command.
+      nuke_rounds: 8192        # SHA512 KDF Rounds for Nuke Passphrase. If omitted, the default value is '8,388,608'.
       raid:                    # mdadm RAID settings only (not yet supported).
         enable: false
         disks:

.preseed/preseed.yaml

@@ -26,6 +26,7 @@ apt:
   contrib: true                # Optionally, install contrib software.
   deb_sources: true            # Optionally includes deb-src entries for source repositories.
   default_list: true           # By default, source repositories are listed in '/etc/apt/sources.list'. This MUST be "true".
+  default_deb822: false        # Since Trixie, source repositories are listed in '/etc/apt/sources.list.d/' in deb.822 format.
   full_upgrade: true           # Whether to upgrade packages after debootstrap.
   install_recommends: true     # Configure APT to not install recommended packages by default.
   non_free: true               # Optionally, install non-free software.
@@ -748,6 +749,9 @@ ssh:
 # User settings
 ################################################################################################################################
 user:
+  mfa:
+    info: "totp:v1"
+    salt: "CISS:CDI:OTP"          # + (Server_FQDN/Username)
   ##############################################################################################################################
   # root – Superuser account (normally disabled for direct login)
   ##############################################################################################################################

ciss_debian_installer.sh

@@ -28,7 +28,7 @@
 # TODO: update-grub Post Hook Clang, Recovery, Signing PK
 # TODO: Copying Log Files to final System
 # TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain?
-# TODO: Reboot function for Autoinstall
+# TODO: Reboot function for Autoinstall, Clean Exit, Flush Logs, luksClose, umount
 # TODO: 0105_arg_nuke_converter.sh - implement HashRounds as argument
 # TODO: Implement loop_pass() for other passwords 0105_arg_nuke_converter.sh
 # TODO: Implement / Integrate IP, Port validation CDI_1200
@@ -245,8 +245,13 @@ info_echo "4050_setup_locales.sh"
 setup_locales
 
 ### CDI_4100
-info_echo "4100_generate_sources.sh"
-generate_sources
+if [[ "${apt_default_deb822}" == "true" ]]; then
+  info_echo "4105_generate_sources822.sh"
+  generate_sources822
+else
+  info_echo "4100_generate_sources.sh"
+  generate_sources
+fi
 info_echo "4110_update_sources.sh"
 update_sources
 info_echo "4120_installation_kernel.sh"

func/cdi_1000_helper/1082_helper_modules.sh

@@ -120,17 +120,15 @@ insert_comments() {
 #######################################
 # Wrapper to insert the SPDX Header into the specified file.
 # Globals:
-#   None
+#   VAR_DATE
 # Arguments:
 #   1: /path/to/file
 # Returns:
 #   0: on success
 #######################################
 insert_header() {
-  # shellcheck disable=SC2155
-  declare var_date="$(date +%F)"
   cat << EOF >| "${1}"
-# SPDX-CreationInfo: ${var_date}; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

func/cdi_1250_yaml/1251_yaml_reader.sh

@@ -45,7 +45,7 @@ yaml_reader() {
   ### Declare and substitute input files.
   declare -r  var_if="${VAR_PRESEED}"
   declare     var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \
-              recipe_firmware_var="" recipe_nuke_var="" recipe_table_var="" recipe_recovery_var=""
+              recipe_firmware_var="" recipe_nuke_var="" recipe_nuke_rounds_var="" recipe_table_var="" recipe_recovery_var=""
 
   ### Read "${var_if}" line by line.
   while IFS= read -r var_line; do
@@ -116,7 +116,7 @@ END { print max }
       var_device="${var_fields[3]}"    ### The fourth position includes the device (e.g., sda, vda, xvda)
       var_partition="${var_fields[4]}" ### The fifth position includes the partition (e.g., 13)
 
-      ### Check, if the partition is a number and higher than the current value
+      ### Check if the partition is a number and higher than the current value
       if [[ "${var_partition}" =~ ^[0-9]+$ ]]; then
         declare -i cur="${HMP_RECIPE_DEV_PARTITIONS[${var_device}]:-0}"
         if (( var_partition > cur )); then
@@ -160,6 +160,11 @@ END { print max }
   # shellcheck disable=SC2034
   VAR_NUKE="${!recipe_nuke_var,,}"
 
+  ### Extract the chosen Nuke SHA512 KDF rounds.
+  recipe_nuke_rounds_var="recipe_${VAR_RECIPE_STRING}_control_nuke_rounds"
+  # shellcheck disable=SC2034
+  VAR_NUKE_ROUNDS="${!recipe_nuke_rounds_var}"
+
   ### Extract chosen partition table.
   recipe_table_var="recipe_${VAR_RECIPE_STRING}_control_table"
   VAR_RECIPE_TABLE="${!recipe_table_var,,}"

func/cdi_4000_debootstrap/4035_setup_resolv.sh

@@ -47,7 +47,7 @@ setup_resolv() {
   ### Create '/etc/resolv.conf' IPv4 entries for static configuration.
     cat << EOF >> "${TARGET}/etc/resolv.conf"
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

func/cdi_4000_debootstrap/4050_setup_locales.sh

@@ -53,7 +53,7 @@ setup_locales() {
   cat << EOF >| "${TARGET}${var_locale_hook}"
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -118,7 +118,7 @@ EOF
   ### Set the keyboard layout for the system (for consoles).
   cat << EOF >| "${TARGET}/etc/default/keyboard"
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

func/cdi_4100_base/4100_generate_sources.sh

@@ -84,7 +84,7 @@ generate_sources() {
   # shellcheck disable=SC2153
   cat << EOF >> "${TARGET}/etc/apt/sources.list"
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

func/cdi_4100_base/4105_generate_sources_822.sh

@@ -0,0 +1,148 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Generate target '/etc/apt/sources.list.d/' deb.822 entries.
+# Globals:
+#   TARGET
+#   apt_contrib
+#   apt_deb_sources
+#   apt_mirror_directory
+#   apt_mirror_hostname
+#   apt_mirror_protocol
+#   apt_non_free
+#   apt_non_free_firmware
+#   apt_sec
+#   apt_updates_backports
+#   apt_updates_release
+#   apt_updates_security
+#   architecture
+#   distribution
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+generate_sources822() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -a ary_components=() ary_types=()
+  declare    var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
+
+  # shellcheck disable=SC2154 # "${architecture}"
+  var_arch="${architecture,,}"
+  # shellcheck disable=SC2154 # "${distribution}"
+  var_codename="${distribution,,}"
+  # shellcheck disable=SC2154 # "${apt_deb_sources}"
+  var_deb_src="${apt_deb_sources,,}"
+  # shellcheck disable=SC2154 # "${apt_mirror_directory}"
+  var_dir="${apt_mirror_directory,,}"
+  # shellcheck disable=SC2154 # "${apt_mirror_hostname}"
+  var_hostname="${apt_mirror_hostname,,}"
+  # shellcheck disable=SC2154 # "${apt_sec}"
+  var_hostsecure="${apt_sec,,}"
+
+  ary_components=( "main" )
+  [[ "${apt_contrib,,}" == "true" ]] && ary_components+=( "contrib" )
+  [[ "${apt_non_free,,}" == "true" ]] && ary_components+=( "non-free" )
+  [[ "${apt_non_free_firmware,,}" == "true" ]] && ary_components+=( "non-free-firmware" )
+
+  ary_types=( "deb" )
+  [[ "${apt_deb_sources,,}" == "true" ]] && ary_types+=( "deb-src" )
+
+  if [[ "${apt_mirror_protocol,,}" == "https" ]]; then
+
+    var_url="https://${var_hostname}${var_dir}"
+    var_surl="https://${var_hostsecure}/debian-security"
+
+  elif [[ "${apt_mirror_protocol,,}" == "http" ]]; then
+
+    var_url="http://${var_hostname}${var_dir}"
+    var_surl="http://${var_hostsecure}/debian-security"
+
+  else
+
+    var_url="https://${var_hostname}${var_dir}"
+    var_surl="https://${var_hostsecure}/debian-security"
+
+  fi
+
+
+  ### Main Repository
+  insert_header  "${TARGET}/etc/apt/sources.list.d/trixie.sources"
+  inser_comments "${TARGET}/etc/apt/sources.list.d/trixie.sources"
+  cat << EOF >>  "${TARGET}/etc/apt/sources.list.d/trixie.sources"
+Types: ${ary_types[*]}
+URIs: ${var_url}
+Suites: ${var_codename}
+Components: ${ary_components[*]}
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+
+  ### Security Repository
+  if [[ "${apt_updates_security,,}" == "true" ]]; then
+    insert_header  "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
+    inser_comments "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
+    cat << EOF >>  "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
+Types: ${ary_types[*]}
+URIs: ${var_surl}
+Suites: ${var_codename}-security
+Components: ${ary_components[*]}
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+  fi
+
+  ### Updates Repository
+  if [[ "${apt_updates_release,,}" == "true" ]]; then
+    insert_header  "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
+    inser_comments "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
+    cat << EOF >>  "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
+Types: ${ary_types[*]}
+URIs: ${var_url}
+Suites: ${var_codename}-updates
+Components: ${ary_components[*]}
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+  fi
+
+
+  ### Backports Repository
+  if [[ "${apt_updates_backports,,}" == "true" ]]; then
+    insert_header  "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
+    inser_comments "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
+    cat << EOF >>  "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
+Types: ${ary_types[*]}
+URIs: ${var_url}
+Suites: ${var_codename}-backports
+Components: ${ary_components[*]}
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  fi
+
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4460_hardening_memory.sh

@@ -12,6 +12,29 @@
 
 guard_sourcing
 
+#######################################
+# NOTE:
+#   According to the manual pages of limits.conf(5) and pam_limits(8),
+#   entries in '/etc/security/limits.conf' or drop-ins under
+#   '/etc/security/limits.d/' are NOT applied automatically by the system.
+#   The actual enforcement of these ulimit(2) constraints — including
+#   '* soft core 0' and '* hard core 0' to disable kernel core dumps —
+#   requires that the PAM module 'pam_limits.so' is invoked in the
+#   'session' stack of the respective service (e.g., via
+#   '/etc/pam.d/common-session' and
+#   '/etc/pam.d/common-session-noninteractive').
+#
+#   Without 'pam_limits.so' present in these PAM configuration files,
+#   the configured limits remain ineffective for PAM-based logins
+#   (SSH, local TTY, sudo, su, cron, etc.).
+#   Services launched by systemd bypass PAM and must have 'LimitCORE=0'
+#   or 'DefaultLimitCORE=0' set in their unit or in system.conf.d(5).
+#
+# References:
+#   - man 5 limits.conf
+#   - man 8 pam_limits
+#######################################
+
 #######################################
 # Hardening memory dump via:
 #   '/etc/systemd/coredump.conf.d/disable.conf'
@@ -161,6 +184,6 @@ guard_pam_limits() {
 
   (( var_changed )) && do_log "info" "file_only" "4460() Activated pam_limits.so: (common-session[*])"
 
-  return 0
+  guard_dir && return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4500_user/4500_installation_accounts.sh

@@ -28,10 +28,6 @@ guard_sourcing
 #   0: on success
 #######################################
 installation_accounts() {
-
-  #######################################
-  # Declare Variables
-  #######################################
   declare -i i
   declare tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" tmp_sudo="" \
     tmp_restricted=""
@@ -159,6 +155,132 @@ installation_accounts() {
 
   done
 
+
+  unset VAR_TEMP_PLAIN_MFA_SEED
+
   guard_dir && return 0
 }
+
+#######################################
+# Writes '.google_authenticator'-file for the respective user.
+# Globals:
+#   RANDOM
+#   TARGET
+# Arguments:
+#   1: Username
+# Returns:
+#   0: on success
+#######################################
+write_google_authenticator_file() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_user="${1}" var_secret=""
+  case "${1}" in
+    root) declare var_base="${TARGET}/root"             ;;
+    *)    declare var_base="${TARGET}/home/${var_user}" ;;
+  esac
+  declare -i  i=0
+
+  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
+  ### No tracing for security reasons
+  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+
+  var_secret="$(generate_totp_secret "${var_user}")"
+
+  umask 0077
+
+  {
+    printf '%s\n' "${var_secret}"
+    printf '"RATE_LIMIT 3 30"\n'
+    printf '"WINDOW 10"\n'
+    printf '"DISALLOW_REUSE"\n'
+    printf '"TOTP_AUTH"\n'
+    ### Emergency Codes:
+    for i in {0..7}; do printf '%08d\n' "$(( RANDOM % 100000000 ))"; done
+  } >| "${var_base}/.google_authenticator"
+
+  ### Turn on tracing again
+  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
+  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
+
+  chown "${var_user}:${var_user}" "${var_base}/.google_authenticator"
+
+  chmod 0600 "${var_base}/.google_authenticator"
+
+  umask 0022
+
+  return 0
+}
+
+#######################################
+# Generates a deterministic TOTP secret based on:
+# Username, FQDN, MFA salt, MFA master seed
+# Globals:
+#   VAR_FINAL_FQDN
+#   VAR_TEMP_PLAIN_MFA_SEED
+#   user_mfa_info
+#   user_mfa_salt
+# Arguments:
+#   1: Username
+# Returns:
+#   0: on success
+#######################################
+generate_totp_secret() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare  var_user="${1}"
+  declare  var_host_id="${VAR_FINAL_FQDN}"
+  declare  var_salt="${user_mfa_salt}:${var_host_id}:${var_user}"
+  declare  var_info="${user_mfa_info}"
+  declare  var_secret=""
+
+  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
+  ### No tracing for security reasons
+  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+
+  ### Derive 20 bytes via HKDF-SHA256 using OpenSSL 3 kdf, output as raw, then base32 (uppercase, no padding).
+  # shellcheck disable=SC2312
+  var_secret="$(
+    printf '%s' "${VAR_TEMP_PLAIN_MFA_SEED}" | xxd -r -p | openssl kdf -keylen 20 -kdfopt digest:SHA256 \
+      -kdfopt salt:"${var_salt}" -kdfopt info:"${var_info}" -binary HKDF | base32 | tr -d '=' | tr '[:lower:]' '[:upper:]'
+  )"
+
+  ### Turn on tracing again
+  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
+  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
+
+  printf '%s\n' "${var_secret}"
+  return 0
+}
+
+#######################################
+# Reads a 256-bit seed from '${DIR_CNF}/mfa_master.txt' (64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED.
+# Globals:
+#   DIR_CNF
+#   VAR_TEMP_PLAIN_MFA_SEED
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   ERR_READ_SEED_FILE
+#######################################
+read_totp_seed(){
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r var_mfa_seed_file="${DIR_CNF}/mfa_master.txt"
+  declare -g VAR_TEMP_PLAIN_MFA_SEED=""
+
+  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
+  ### No tracing for security reasons
+  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+  if ! read_password_file "${var_mfa_seed_file}" VAR_TEMP_PLAIN_MFA_SEED; then
+    return "${ERR_READ_SEED_FILE}"
+  fi
+
+  ### Validate: exactly 64 hex.
+  [[ "${VAR_TEMP_PLAIN_MFA_SEED}" =~ ^[0-9a-fA-F]{64}$ ]] || return "${ERR_READ_SEED_FILE}"
+
+  ### Turn on tracing again
+  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
+  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
+
+  return 0
+}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/cdi_0060_traps/0070_trap_exit.sh

@@ -34,6 +34,9 @@ trap_exit() {
 
   trap - DEBUG ERR EXIT INT TERM
 
+  ### Defensive shell behavior inside trap.
+  set +e +o pipefail
+
   if [[ -n "${__preexec_invoke:-}" ]]; then
     debug_trap_logger "${var_exit_code}" "${VAR_LAST_CMD}"
     unset __preexec_invoke

lib/cdi_0100_arg/0102_arg_parser.sh

@@ -113,5 +113,7 @@ arg_parser() {
           ;;
     esac
   done
+
+  guard_dir && return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/cdi_0100_arg/0103_arg_priority_check.sh

@@ -39,5 +39,7 @@ arg_priority_check() {
     var=$(ionice -p $$) > /dev/null 2>&1
     do_log "info" "file_only" "0103() New ionice value: '${var}'."
   fi
+
+  guard_dir && return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/cdi_0100_arg/0104_arg_passphrase_modules.sh

@@ -25,12 +25,17 @@ guard_sourcing
 #######################################
 generate_salt() {
   declare var_salt=""
+
   while :; do
+
     # shellcheck disable=SC2312
     var_salt=$(head -c 12 /dev/random | base64 | tr -dc 'A-Za-z0-9' | head -c 16) || return "${ERR_GENERATE_SALT}"
     [[ ${#var_salt} -eq 16 ]] && break
+
   done
+
   printf '%s%b' "${var_salt}" "${NL}"
+
   return 0
 }
 
@@ -51,19 +56,24 @@ read_password_file() {
   declare -n var_output_file="${2}"
   declare -a lines=()
 
-  ### TODO: PASSWORD REMINDER
+  ### TODO: PASSWORD REMINDER START
   ### No tracing for security reasons
   [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+
   if [[ ! -f "${var_input_file}" ]]; then
+
     do_log "fatal" "file_only" "0104() Password file '${var_input_file}' not found."
     return "${ERR_READ_PASS_FILE}"
+
   fi
 
   mapfile -t lines < "${var_input_file}"
 
   if (( ${#lines[@]} != 1 )); then
+
     do_log "fatal" "file_only" "0104() Password file '${var_input_file}' MUST contain exactly one line."
     return "${ERR_READ_PASS_FILE}"
+
   fi
 
   var_output_file="${lines[0]}"
@@ -72,15 +82,32 @@ read_password_file() {
   var_output_file="${var_output_file%"${var_output_file##*[![:space:]]}"}" ### trailing
 
   if [[ -z "${var_output_file}" ]]; then
+
     do_log "fatal" "file_only" "0104() Password file '${var_input_file}' contains only whitespace."
     return "${ERR_READ_PASS_FILE}"
+
   fi
 
   ### Turn on tracing again
   [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
-  ### TODO: PASSWORD REMINDER
+  ### TODO: PASSWORD REMINDER STOP
+
+  sync
+
+  if shred -vfzu -n 5 "${var_input_file}" > /dev/null 2>&1; then
+
+    do_log "info" "file_only" "0104() Password file '${var_input_file}': shred -vfzu -n 5 >> done."
+
+  else
+
+    do_log "warn" "file_only" "0104() Password file '${var_input_file}': shred -vfzu -n 5 >> NOT successful."
+
+  fi
+
+  sync
 
   unset lines
+
   return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/cdi_0100_arg/0105_arg_nuke_converter.sh

@@ -29,44 +29,43 @@ nuke_passphrase() {
   declare -r var_nuke_pwd_file="${DIR_CNF}/password_luks_nuke.txt"
   declare    var_temp_nuke_hash="" var_temp_plain_nuke_pwd="" var_salt=""
 
-  ### TODO: PASSWORD REMINDER
+  ### TODO: PASSWORD REMINDER START
   ### No tracing for security reasons
+
   [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+
   if ! read_password_file "${var_nuke_pwd_file}" var_temp_plain_nuke_pwd; then
+
     return "${ERR_READ_NUKE_FILE}"
   fi
+
+
   ### Turn on tracing again
   [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
-  ### TODO: PASSWORD REMINDER
+  ### TODO: PASSWORD REMINDER STOP
 
   if ! var_salt="$(generate_salt)"; then
+
     return "${ERR_GENERATE_SALT}"
   fi
 
-  ### TODO: PASSWORD REMINDER
-  ### No tracing for security reasons ### --rounds=8388608
+
+  ### TODO: PASSWORD REMINDER START
+  ### No tracing for security reasons
   [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
-  var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds=16384 "${var_temp_plain_nuke_pwd}")
+
+  var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${VAR_NUKE_ROUNDS:-8388608}" "${var_temp_plain_nuke_pwd}")
+
   ### Turn on tracing again
   [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
-  ### TODO: PASSWORD REMINDER
+  ### TODO: PASSWORD REMINDER STOP
 
   declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}"
   unset var_temp_nuke_hash var_temp_plain_nuke_pwd
 
   do_log "debug" "file_only" "0105() NUKE hash starts with: ${VAR_NUKE_HASH:0:32}..."
 
-  sync
-  if shred -vfzu -n 5 "${var_nuke_pwd_file}" > /dev/null 2>&1; then
-    do_log "info" "file_only" "0105() Password file '${var_nuke_pwd_file}': shred -vfzu -n 5 >> done."
-  else
-    do_log "warn" "file_only" "0105() Password file '${var_nuke_pwd_file}': shred -vfzu -n 5 >> NOT successful."
-  fi
-  sync
-
-  do_log "info" "file_only" "0105() Nuke Hash generated."
-
-  return 0
+  guard_dir && return 0
 }
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

meta_loader_func.sh

@@ -49,6 +49,7 @@ source_guard "./func/cdi_4000_debootstrap/4050_setup_locales.sh"
 
 ### cdi_4100_base
 source_guard "./func/cdi_4100_base/4100_generate_sources.sh"
+source_guard "./func/cdi_4100_base/4105_generate_sources_822.sh"
 source_guard "./func/cdi_4100_base/4110_update_sources.sh"
 source_guard "./func/cdi_4100_base/4120_installation_kernel.sh"
 source_guard "./func/cdi_4100_base/4121_installation_initramfs.sh"

py/cdc/__init__.py

@@ -0,0 +1,19 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+"""cdc: CISS Debian Configurator package."""
+
+__author__ = "WEIDNER, Marc S."
+__email__ = "msw@coresecret.dev"
+__version__ = "0.1.0"
+__all__: tuple[str, ...] = ()
+
+# vim: number et ts=4 sw=4 sts=4 ai tw=79 ft=python

py/cdc/cdc.py

@@ -0,0 +1 @@
+#!/usr/bin/env python3

py/pyproject.toml

@@ -0,0 +1,140 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+[build-system]
+requires = ["setuptools>=69"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "ciss-debian-configurator"
+version = "8.0.0.post20250617"  # PEP 440
+description = "CDC: ncurses-like configurator for CISS.debian.installer (menuconfig style)"
+readme = "README.md"
+requires-python = ">=3.13"
+license = { text = "EUPL-1.2 OR LicenseRef-CCLA-1.0" }
+authors = [
+  { name = "WEIDNER, Marc S.", email = "msw@coresecret.dev" }
+]
+keywords = ["debian", "installer", "curses", "ncurses", "yaml", "validator", "menuconfig", "tui"]
+classifiers = [
+  "Programming Language :: Python :: 3",
+  "Programming Language :: Python :: 3.13",
+  "Environment :: Console",
+  "Intended Audience :: System Administrators",
+  "License :: OSI Approved :: European Union Public Licence 1.2 (EUPL 1.2)",
+  "Topic :: System :: Installation/Setup",
+  "Topic :: Text Processing :: Markup :: YAML",
+]
+
+# Core dependencies:
+# - ruamel.yaml: YAML round trip (preserve comments, preserve order)
+# - pydantic: validation (IPv*Address, Port, AnyUrl, etc.)
+# - jsonschema: formal schemas for your YAMLs (machine checking)
+# - urwid: robust TUI widgets (ncurses-like, mature, terminal-compatible)
+# - prompt_toolkit & rich & typer: convenient input, rendering, CLI glue
+# - platformdirs: XDG/Windows-compliant config/cache paths
+dependencies = [
+  # YAML
+  "ruamel.yaml>=0.18.6",
+
+  # Validation
+  "pydantic>=2.7.0",
+  "jsonschema>=4.21.0",
+
+  # TUI / CLI
+  "urwid>=2.6.0",
+  "prompt_toolkit>=3.0.47",
+  "rich>=13.7.0",
+  "typer>=0.12.0",
+
+  # Other
+  "platformdirs>=4.0.0"
+]
+
+[project.scripts]
+cdc = "cdc.main:main"
+
+[tool.setuptools]
+package-dir = {"" = "py"}
+packages = ["cdc"]
+
+[tool.ruff]
+line-length = 79
+target-version = "py313"
+src = ["py"]
+
+[tool.ruff.format]
+quote-style = "double"
+indent-style = "space"
+indent-width = 4
+skip-magic-trailing-comma = false
+line-ending = "lf"
+
+[tool.ruff.lint]
+select = [
+  "E",   # pycodestyle errors
+  "W",   # pycodestyle warnings
+  "F",   # pyflakes
+  "N",   # naming
+  "C4",  # comprehensions
+  "SIM", # simplifications
+  "DTZ", # tz-aware datetime
+  "S",   # security
+  "A",   # shadowed builtins
+  "ARG", # unused arguments
+  "BLE", # broad exceptions
+  "FBT", # boolean trap
+  "PTH", # pathlib preferred
+  "RUF", # ruff-specific improvements
+]
+# Compatibility with formatters
+ignore = ["E203"]
+unsafe-fixes = false
+
+[tool.ruff.lint.isort]
+known-first-party = ["cdc"]
+force-sort-within-sections = true
+combine-as-imports = true
+
+[tool.ruff.lint.mccabe]
+max-complexity = 10
+
+[tool.ruff.lint.per-file-ignores]
+# Reexports are common in __init__.py
+"py/**/__init__.py" = ["F401"]
+# CLI entry is allowed to print (TUI/CLI)
+"py/cdc/main.py" = ["T201"]
+# Test files: less strict with import residues, etc.
+"tests/**" = ["S101","ARG001","ARG002","FBT001","FBT002"]
+
+[project.optional-dependencies]
+dev = ["ruff>=0.4.0","mypy>=1.9.0","pytest>=8.0.0","pytest-cov>=5.0.0"]
+
+[tool.mypy]
+python_version = "3.13"
+mypy_path = ["py"]
+warn_unused_ignores = true
+warn_redundant_casts = true
+warn_unreachable = true
+warn_return_any = true
+warn_unused_configs = true
+strict_optional = true
+no_implicit_optional = true
+no_implicit_reexport = true
+disallow_untyped_defs = true
+disallow_incomplete_defs = true
+disallow_untyped_calls = true
+disallow_any_generics = true
+disallow_subclassing_any = true
+strict_equality = true
+plugins = ["pydantic.mypy"]
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=toml

py/requirements.txt

@@ -0,0 +1,22 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Core dependencies:
+ruamel.yaml>=0.18.6
+pydantic>=2.7.0
+jsonschema>=4.21.0
+urwid>=2.6.0
+prompt_toolkit>=3.0.47
+rich>=13.7.0
+typer>=0.12.0
+platformdirs>=4.0.0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

var/errors.var.sh

@@ -54,6 +54,7 @@ declare -girx ERR_GENERATE_SALT=219     # Error generating salt.
 declare -girx ERR_VAR_REGEX_CHK=218     # Error checking VAR against REGEX.
 declare -girx ERR_CONF_VALIDATION=217   # Error checking the respective configuration files.
 declare -girx ERR_CHROOT_LOGGER=216     # An error occurred while preparing the inside chroot log file.
+declare -girx ERR_READ_SEED_FILE=215    # Error reading the mfa TOTP seed file.
 
 ### Definition of error trap vars.
 declare -gx ERRCODE=""                  # = $?                   = $1 = ERRCODE

var/global.var.sh

@@ -13,7 +13,6 @@
 guard_sourcing
 
 ### Definition of MUST set global variables.
-
 # shellcheck disable=SC2155
 declare -grx VAR_KERNEL_INF=$(mktemp var_kernel_inf.XXXXXXXX)
 # shellcheck disable=SC2155
@@ -24,6 +23,8 @@ declare -grx VAR_KERNEL_SRT=$(mktemp var_kernel_srt.XXXXXXXX)
 declare -grx VAR_NOTES=$(mktemp var_notes.XXXXXXXX)
 # shellcheck disable=SC2155
 declare -grx VAR_RESOURCES=$(ulimit)
+# shellcheck disable=SC2155
+declare -grx VAR_DATE="$(date +%F)"
 
 ### Initialize variables of different directories.
 declare -grx DIR_BAK="/tmp/.ciss/backup"