V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/preseed.yaml

@@ -439,9 +439,32 @@ locale:
   country: "US"
   keyboard:
     layout: "de"
-    xkb-keymap: "de"
+    xkb_keymap: "de"
   language: "en"
   locale: "en_US.UTF-8"
+  override:
+    # Address format:
+    address: "de_DE.UTF-8"
+    # Sort order:
+    collate: "en_US.UTF-8"
+    # Character set, upper/lower case, character groups:
+    ctype: "de_DE.UTF-8"
+    # Metric or imperial system:
+    measurement: "de_DE.UTF-8"
+    # System language for error messages:
+    messages: "en_US.UTF-8"
+    # Currency format and symbol:
+    monetary: "en_US.UTF-8"
+    # Format of personal names:
+    name: "en_US.UTF-8"
+    # Number formatting, decimal/thousand separators:
+    numeric: "en_US.UTF-8"
+    # Standard paper format:
+    paper: "de_DE.UTF-8"
+    # Format for telephone numbers:
+    telephone: "en_US.UTF-8"
+    # Date and time format, start of week:
+    time: "de_DE.UTF-8"
   timezone: "Europe/Lisbon"
 
 ################################################################################################################################

func/cdi_4000_debootstrap/4000_debootstrap.sh

@@ -15,12 +15,13 @@ guard_sourcing
 #######################################
 # Install a minimal Debian environment using the 'debootstrap' command.
 # Globals:
+#   ERR_DEBOOTSTRAP
 #   LOG_DBS
 #   TARGET
-#   architecture
+#   VAR_ARCHITECTURE
+#   VAR_CODENAME
 #   debootstrap_includes
 #   debootstrap_mirror
-#   distribution
 # Arguments:
 #   None
 # Returns:
@@ -29,8 +30,8 @@ guard_sourcing
 #######################################
 func_debootstrap() {
   ### Declare Arrays, HashMaps, and Variables.
-  declare -r var_arch="${architecture}"
-  declare -r var_dist="${distribution}"
+  declare -r var_arch="${VAR_ARCHITECTURE}"
+  declare -r var_dist="${VAR_CODENAME}"
   declare -r var_target="${TARGET}"
   declare -r var_mirror="${debootstrap_mirror}"
   declare -r var_includes="${debootstrap_includes}"

func/cdi_4000_debootstrap/4010_prepare_mounts.sh

@@ -59,6 +59,7 @@ configure_system() {
 
   done
 
+
   for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
 
     IFS=" " read -r var_fs var_src var_opts <<< "${HMP_SPECIAL_MOUNTS[${var_path}]}"
@@ -81,6 +82,7 @@ configure_system() {
 
   done
 
+
   if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
 
     mkdir -p "${TARGET}/run"
@@ -96,6 +98,7 @@ configure_system() {
 
   fi
 
+
   if ! do_in_target "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
 
     do_log "emergency" "file_only" "4010() Command: [do_in_target ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."

func/cdi_4000_debootstrap/4020_remove_x509.sh

@@ -22,19 +22,19 @@ guard_sourcing
 # Returns:
 #   0: on success
 #######################################
-expired_certs() {
+delete_expired_certs() {
 
-  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/1000_deleting_invalid_x509.sh" \
-    "${TARGET}/root/.ciss/cdi/hooks/1000_deleting_invalid_x509.sh"
+  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/4020_remove_x509.hooks.sh" \
+    "${TARGET}/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh"
 
 
-  if ! do_in_target_script "${TARGET}" "/root/.ciss/cdi/hooks/1000_deleting_invalid_x509.sh" "emergency"; then
+  if ! do_in_target_script "${TARGET}" "/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh" "emergency"; then
 
-    do_log "warn" "file_only" "4020() Command: [do_in_target_script ${TARGET} /root/.ciss/cdi/hooks/1000_deleting_invalid_x509.sh emergency] failed."
+    do_log "warn" "file_only" "4020() Command: [do_in_target_script ${TARGET} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] failed."
 
   else
 
-    do_log "debug" "file_only" "4020() Command: [do_in_target_script ${TARGET} /root/.ciss/cdi/hooks/1000_deleting_invalid_x509.sh emergency] successful."
+    do_log "debug" "file_only" "4020() Command: [do_in_target_script ${TARGET} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] successful."
 
   fi
 

func/cdi_4000_debootstrap/4050_setup_locales.sh

@@ -13,20 +13,35 @@
 guard_sourcing
 
 #######################################
-# Set locale and configure keyboard layout.
+# Set locale, locale overrides and configure keyboard layout.
 # Globals:
 #   TARGET
+#   VAR_ARCHITECTURE
+#   VAR_CODENAME
+#   VAR_VERSION
 #   locale_country
-#   locale_keyboard_layout
 #   locale_keyboard_xkb_keymap
 #   locale_language
 #   locale_locale
+#   locale_override_address
+#   locale_override_collate
+#   locale_override_ctype
+#   locale_override_measurement
+#   locale_override_messages
+#   locale_override_monetary
+#   locale_override_name
+#   locale_override_numeric
+#   locale_override_paper
+#   locale_override_telephone
+#   locale_override_time
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 setup_locales() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_locale_hook="${TARGET}/root/.ciss/cdi/hooks/4050_setup_locales.hooks.sh"
 
   ### Give priority to '${locale_locale}' over separately configured variables '${locale_country}' and '${locale_language}'.
   ### If 'locale_locale' is not set, build it from 'locale_language' and 'locale_country'.
@@ -34,20 +49,80 @@ setup_locales() {
     declare locale_locale="${locale_language}_${locale_country}.UTF-8"
   fi
 
-  [[ -n "${locale_locale:-}" ]] || do_log "error" "file_only" "4050() Variable '${locale_locale}' is not set."
+  ### Creat Hook in target.
+  cat << EOF >| "${var_locale_hook}"
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
 
-  ### Generate the specified locale
-  do_in_target "${TARGET}" locale-gen "${locale_locale}"
+set -Ceuo pipefail
 
-  ### Set the standard locale.
-  #do_in_target "${TARGET}" update-locale LANG="${locale_locale}" LC_ALL="${locale_locale}"
-  echo -e "LANG=${locale_locale}\nLC_ALL=${locale_locale}" >| "${TARGET}/etc/default/locale"
-  do_in_target "${TARGET}" locale-gen "${locale_locale}"
+sed -i '/^[[:space:]]*[^#[:space:]]/s/^/#/' /etc/locale.gen
+
+echo '${locale_locale} UTF-8' >> /etc/locale.gen
+
+dpkg-reconfigure -f noninteractive locales
+
+locale-gen
+
+update-locale \
+  LANG=${locale_locale} \
+  LC_ADDRESS=${locale_override_address:-${locale_locale}} \
+  LC_COLLATE=${locale_override_collate:-${locale_locale}} \
+  LC_CTYPE=${locale_override_ctype:-${locale_locale}} \
+  LC_MEASUREMENT=${locale_override_measurement:-${locale_locale}} \
+  LC_MESSAGES=${locale_override_messages:-${locale_locale}} \
+  LC_MONETARY=${locale_override_monetary:-${locale_locale}} \
+  LC_NAME=${locale_override_name:-${locale_locale}} \
+  LC_NUMERIC=${locale_override_numeric:-${locale_locale}} \
+  LC_PAPER=${locale_override_paper:-${locale_locale}} \
+  LC_TELEPHONE=${locale_override_telephone:-${locale_locale}} \
+  LC_TIME=${locale_override_time:-${locale_locale}} \
+  LC_IDENTIFICATION=${locale_locale} \
+  LC_ALL=
+EOF
+
+  chmod 0700 "${var_locale_hook}"
+  do_in_target "${TARGET}" "${var_locale_hook}"
 
   ### Set the keyboard layout for the system (for consoles).
-  [[ -e "${TARGET}/etc/default/keyboard" ]] || touch "${TARGET}/etc/default/keyboard"
-  sed -i "s/^KEYMAP=.*/KEYMAP=${locale_keyboard_layout}/" "${TARGET}/etc/default/keyboard"
-  do_log "info" "file_only" "4110() Keyboard layout updated: 'KEYMAP=${locale_keyboard_layout}' -> '${TARGET}/etc/default/keyboard'."
+  cat << EOF >| "${TARGET}/etc/default/keyboard"
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# /etc/default/keyboard : Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture          : ${VAR_ARCHITECTURE}
+# Distribution          : ${VAR_CODENAME}
+
+# KEYBOARD CONFIGURATION FILE
+# Consult the keyboard(5) manual page.
+
+XKBMODEL="pc105"
+XKBLAYOUT="${locale_keyboard_xkb_keymap}"
+XKBVARIANT=""
+XKBOPTIONS=""
+BACKSPACE="guess"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+  chmod 0644 "${TARGET}/etc/default/keyboard"
+  do_log "info" "file_only" "4050() Keyboard layout updated: 'XKBLAYOUT=${locale_keyboard_xkb_keymap}' -> '${TARGET}/etc/default/keyboard'."
 
   ### Set the X11 keyboard layout (for graphical environments).
   do_in_target "${TARGET}" localectl set-x11-keymap "${locale_keyboard_xkb_keymap}"

func/cdi_4100_base_installation/4100_generate_sources.sh

@@ -101,12 +101,12 @@ generate_sources() {
 #------------------------------------------------------------------------------------------------------------------------------#
 deb ${var_url} ${var_codename} ${ary_components[*]}
 EOF
-  do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename} ${ary_components[*]}'."
+  do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename} ${ary_components[*]}'."
 
   if [[ "${var_deb_src}" == "true" ]]; then
 
     echo "deb-src ${var_url} ${var_codename} ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
-    do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename} ${ary_components[*]}'."
+    do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename} ${ary_components[*]}'."
 
   fi
 
@@ -118,12 +118,12 @@ EOF
 
 deb ${var_surl} ${var_codename}-security ${ary_components[*]}
 EOF
-    do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_surl} ${var_codename}-security ${ary_components[*]}'."
+    do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_surl} ${var_codename}-security ${ary_components[*]}'."
 
     if [[ "${var_deb_src}" == "true" ]]; then
 
       echo "deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
-      do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}'."
+      do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}'."
 
     fi
 
@@ -137,12 +137,12 @@ EOF
 
 deb ${var_url} ${var_codename}-updates ${ary_components[*]}
 EOF
-    do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-updates ${ary_components[*]}'."
+    do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-updates ${ary_components[*]}'."
 
     if [[ "${var_deb_src}" == "true" ]]; then
 
       echo "deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
-      do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}'."
+      do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}'."
 
     fi
 
@@ -156,12 +156,12 @@ EOF
 
 deb ${var_url} ${var_codename}-backports ${ary_components[*]}
 EOF
-    do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-backports ${ary_components[*]}'."
+    do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-backports ${ary_components[*]}'."
 
     if [[ "${var_deb_src,,}" == "true" ]]; then
 
       echo "deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
-      do_log "info" "file_only" "4080() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}'."
+      do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}'."
 
     fi
 
@@ -181,7 +181,7 @@ EOF
   if [[ "${apt_updates_policy,,}" == "unattended" ]]; then
 
     do_in_target "${TARGET}" apt-get install -y unattended-upgrades
-    do_log "info" "file_only" "4080() The update policy was set at installation time to '${apt_updates_policy}'."
+    do_log "info" "file_only" "4100() The update policy was set at installation time to '${apt_updates_policy}'."
 
   elif [[ "${apt_updates_policy,,}" == "security" ]]; then
 
@@ -189,15 +189,15 @@ EOF
 
     # shellcheck disable=SC2016
     sed -i 's/^[[:space:]]*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${TARGET}/etc/apt/apt.conf.d/50unattended-upgrades"
-    do_log "info" "file_only" "4080() The update policy was set at installation time to '${apt_updates_policy}'."
+    do_log "info" "file_only" "4100() The update policy was set at installation time to '${apt_updates_policy}'."
 
   elif [[ "${apt_updates_policy,,}" == "none" ]]; then
 
-    do_log "info" "file_only" "4080() The update policy was set at installation time to: '${apt_updates_policy}'."
+    do_log "info" "file_only" "4100() The update policy was set at installation time to: '${apt_updates_policy}'."
 
   else
 
-    do_log "warning" "file_only" "4080() Update policy '${apt_updates_policy}': is not supported. Using 'none' as default."
+    do_log "warning" "file_only" "4100() Update policy '${apt_updates_policy}': is not supported. Using 'none' as default."
 
   fi
 

func/cdi_4100_base_installation/4110_update_sources.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Update generated sources.
+# Globals:
+#   DIR_LOG
+#   TARGET
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+update_sources() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_logfile="${DIR_LOG}/4110_update_sources.sh"
+
+  ### Update generated sources.
+  # shellcheck disable=SC2312
+  do_in_target "${TARGET}" script -q -c apt-get update -y /dev/null 2>&1 | tee -a "${var_logfile}"
+
+  do_log "info" "file_only" "4110() Sources updated successfully."
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base_installation/4120_installation_kernel.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Installation of the specified kernel.
+# Globals:
+#   TARGET
+#   image
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+installation_kernel() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_logfile="${DIR_LOG}/4120_installation_kernel.sh"
+
+  # shellcheck disable=SC2312
+  do_in_target "${TARGET}" apt-get install -y "${image}" /dev/null 2>&1 | tee -a "${var_logfile}"
+
+  do_log "info" "file_only" "4120() Kernel image: '${image}' installed successfully."
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base_installation/4130_installation_toolset.sh

@@ -21,54 +21,64 @@ guard_sourcing
 # Returns:
 #   0: on success
 #######################################
-minimal_toolset() {
+installation_toolset() {
   ### Declare Arrays, HashMaps, and Variables.
   # shellcheck disable=SC2154
   declare -A  hmp_tool_pkg=(
-    [awk]="gawk"
+    [dig]="bind9-dnsutils"
+    [host]="bind9-dnsutils"
+    [hexdump]="bsdmainutils"
+    [btrfs]="btrfs-progs"
     [busybox]="busybox"
+    [base64]="coreutils"
     [cat]="coreutils"
     [chmod]="coreutils"
     [chown]="coreutils"
-    [chpasswd]="passwd"
-    [chsh]="passwd"
     [cp]="coreutils"
-    [cryptsetup]="cryptsetup-initramfs"
     [echo]="coreutils"
-    [grep]="grep"
-    [ip]="iproute2"
     [ln]="coreutils"
     [mkdir]="coreutils"
-    [ping]="iputils-ping"
-    [sed]="sed"
-    [sudo]="sudo"
-    [update-initramfs]="initramfs-tools"
-    [zsh]="zsh"
-    [lsblk]="util-linux"
-    [blkid]="util-linux"
-    [mount]="util-linux"
-    [umount]="util-linux"
-    [findmnt]="util-linux"
-    [parted]="parted"
-    [fdisk]="fdisk"
-    [tar]="tar"
-    [gzip]="gzip"
+    [cryptsetup]="cryptsetup-initramfs"
     [curl]="curl"
-    [wget]="wget"
-    [tree]="tree"
-    [lsb_release]="lsb-release"
-    [btrfs]="btrfs-progs"
     [e2label]="e2fsprogs"
     [tune2fs]="e2fsprogs"
     [fsck]="e2fsprogs"
-    [base64]="coreutils"
-    [xxd]="vim-common"
+    [fdisk]="fdisk"
+    [file]="file"
+    [awk]="gawk"
+    [grep]="grep"
+    [gzip]="gzip"
+    [update-initramfs]="initramfs-tools"
+    [ip]="iproute2"
+    [ping]="iputils-ping"
     [jq]="jq"
+    [modprobe]="kmod"
+    [lsb_release]="lsb-release"
+    [parted]="parted"
+    [chpasswd]="passwd"
+    [chsh]="passwd"
+    [lspci]="pciutils"
+    [sysctl]="procps"
+    [sed]="sed"
+    [sudo]="sudo"
+    [tar]="tar"
+    [tree]="tree"
+    [lsusb]="usbutils"
+    [blkid]="util-linux"
+    [dmesg]="util-linux"
+    [lsblk]="util-linux"
+    [findmnt]="util-linux"
+    [mount]="util-linux"
+    [umount]="util-linux"
+    [xxd]="vim-common"
+    [wget]="wget"
+    [whois]="whois"
+    [zsh]="zsh"
     [zstd]="zstd"
   )
 
   declare -a  ary_missing_pkgs=() ary_unique_pkgs=()
-  declare -r  var_logfile="${DIR_LOG}/4090_minimal_toolset_install.log"
+  declare -r  var_logfile="${DIR_LOG}/4130_installation_toolset.sh"
   declare     var_bin="" var_bin=""
 
   ### Installation most basic packages.
@@ -82,44 +92,20 @@ minimal_toolset() {
     fi
 
   done
-  do_log "debug" "file_only" "4090() [ary_missing_pkgs]='${ary_missing_pkgs[*]}'."
+  do_log "debug" "file_only" "4130() [ary_missing_pkgs]='${ary_missing_pkgs[*]}'."
 
-  ### Installing unique list of packages
+  ### Installing unique list of packages.
   if ((${#ary_missing_pkgs[@]})); then
 
     # shellcheck disable=SC2312
     mapfile -t ary_unique_pkgs < <(printf '%s\n' "${ary_missing_pkgs[@]}" | sort -u)
-    do_log "debug" "file_only" "4090() [ary_unique_pkgs]='${ary_unique_pkgs[*]}'."
+    do_log "debug" "file_only" "4130() [ary_unique_pkgs]='${ary_unique_pkgs[*]}'."
+
     # shellcheck disable=SC2312
-    # do_in_target "${TARGET}" apt-get install -y --no-install-recommends "${ary_unique_pkgs[@]}" 2>&1 | tee -a "${var_logfile}"
     do_in_target "${TARGET}" script -q -c "apt-get install -y --no-install-recommends ${ary_unique_pkgs[*]}" /dev/null 2>&1 | tee -a "${var_logfile}"
 
   fi
 
-  ### Ensure systemd and machine-id are in place
-  if ! do_in_target_script "${TARGET}" "command -v systemctl >/dev/null"; then
-
-    do_log "info" "file_only" "4090() 'systemctl' NOT found, installing 'systemd' and dependencies."
-    do_in_target "${TARGET}" apt-get install -y --no-install-recommends systemd systemd-sysv dbus
-
-  else
-
-    do_log "info" "file_only" "4090() 'systemctl' found, skipping installation of systemd."
-
-  fi
-
-  ### Generate machine-id if missing
-  if ! do_in_target_script "${TARGET}" "[[ -s /etc/machine-id ]]"; then
-
-    do_log "info" "file_only" "4090() Generating /etc/machine-id via systemd-machine-id-setup."
-    do_in_target "${TARGET}" systemd-machine-id-setup
-
-  else
-
-    do_log "info" "file_only" "4090() Existing 'machine-id' found, no action needed."
-
-  fi
-
   return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base_installation/4131_installation_systemd.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Ensure systemd is in place.
+# Globals:
+#   TARGET
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+installation_toolset() {
+  if ! do_in_target_script "${TARGET}" "command -v systemctl >/dev/null"; then
+
+    do_log "info" "file_only" "4131() 'systemctl' NOT found, installing 'systemd' and dependencies."
+    do_in_target "${TARGET}" apt-get install -y --no-install-recommends systemd systemd-sysv dbus
+
+  else
+
+    do_log "info" "file_only" "4131() 'systemctl' found, skipping installation of systemd."
+
+  fi
+
+  do_in_target_script "${TARGET}" "systemctl --version | grep -qi 'systemd'"
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base_installation/4132_installation_machineid.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Generate machine-id if missing.
+# Globals:
+#   TARGET
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+installation_machineid() {
+  if ! do_in_target_script "${TARGET}" "[[ -s /etc/machine-id ]]"; then
+
+    do_log "info" "file_only" "4132() Generating /etc/machine-id via systemd-machine-id-setup."
+    do_in_target "${TARGET}" systemd-machine-id-setup
+
+  else
+
+    do_log "info" "file_only" "4132() Existing 'machine-id' found, no action needed."
+
+  fi
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base_installation/4140_installation_grub.sh

@@ -46,8 +46,10 @@ guard_sourcing
 #   ERR_GRUB_EFI_FORCE
 #   0: on success
 #######################################
-setup_grub() {
+installation_grub() {
   declare -gx var_update_grub_required="false"
+
+
   get_all_boot_devs
 
   if [[ "${grub_skip,,}" != "true" ]]; then
@@ -62,7 +64,7 @@ setup_grub() {
           amd64)  do_in_target "${TARGET}" apt-get install -y -t bookworm-backports grub2 grub2-common grub-efi-amd64 ;;
           arm64)  do_in_target "${TARGET}" apt-get install -y -t bookworm-backports grub2 grub2-common grub-efi-arm64 ;;
           i386)   do_in_target "${TARGET}" apt-get install -y -t bookworm-backports grub2 grub2-common grub-efi-ia32  ;;
-          *)      do_log "emergency" "file_only" "Unsupported UEFI architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}" ;;
+          *)      do_log "emergency" "file_only" "4140() Unsupported UEFI architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}" ;;
         esac
 
       else
@@ -80,7 +82,7 @@ setup_grub() {
           amd64)  do_in_target "${TARGET}" apt-get install -y grub2 grub2-common grub-efi-amd64 ;;
           arm64)  do_in_target "${TARGET}" apt-get install -y grub2 grub2-common grub-efi-arm64 ;;
           i386)   do_in_target "${TARGET}" apt-get install -y grub2 grub2-common grub-efi-ia32  ;;
-          *)      do_log "emergency" "file_only" "Unsupported UEFI architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}" ;;
+          *)      do_log "emergency" "file_only" "4140() Unsupported UEFI architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}" ;;
         esac
 
       else
@@ -113,7 +115,7 @@ setup_grub() {
 
       else
 
-        do_log "emergency" "file_only" "Unsupported combination of partition table: '${VAR_RECIPE_TABLE,,}' and setting:  grub_force_efi '${grub_force_efi,,}'."
+        do_log "emergency" "file_only" "4140() Unsupported combination of partition table: '${VAR_RECIPE_TABLE,,}' and setting:  grub_force_efi '${grub_force_efi,,}'."
         return "${ERR_GRUB_EFI_FORCE}"
 
       fi
@@ -186,7 +188,7 @@ EOF
 
   else
 
-    do_log "info" "file_only" "GRUB2 setup skipped."
+    do_log "info" "file_only" "414() GRUB2 setup skipped."
 
   fi
 
@@ -194,7 +196,7 @@ EOF
 
   ### Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them.
   chown root:root "${TARGET}/boot/grub/grub.cfg"
-  chmod 0600 "${TARGET}/boot/grub/grub.cfg"
+  chmod 0640 "${TARGET}/boot/grub/grub.cfg"
   chmod -R 0700 "${TARGET}/etc/grub.d"
 
   return 0
@@ -215,12 +217,13 @@ EOF
 get_all_boot_devs() {
   declare -ag ary_bootdev_all=()
   declare dev="" dev_prefix="" dev_path="" letter=""
-  declare -i ascii ascii_end ascii_start
+  declare -i ascii=0 ascii_end=0 ascii_start=0
 
   ### Determine prefix from grub_bootdev (e.g., "sd", "vd", "nvme", "mmcblk")
   dev_prefix=$(basename "${grub_bootdev}" | sed -E 's/^([a-z]+)[a-z0-9]*$/\1/')
 
   case "${dev_prefix}" in
+
     sd|vd|hd)
       ascii_start=$(printf '%d' "'a")
       ascii_end=$(printf '%d' "'${VAR_RECIPE_HIGHEST_DEVICE}")
@@ -230,21 +233,25 @@ get_all_boot_devs() {
         [[ -b "${dev_path}" ]] && ary_bootdev_all+=("${dev_path}")
       done
       ;;
+
     nvme)
       # shellcheck disable=SC2312
       while read -r dev; do
         ary_bootdev_all+=("/dev/${dev}")
       done < <(lsblk -dn -o NAME | grep -E '^nvme[0-9]+n1$')
       ;;
+
     mmcblk)
       # shellcheck disable=SC2312
       while read -r dev; do
         ary_bootdev_all+=("/dev/${dev}")
       done < <(lsblk -dn -o NAME | grep -E '^mmcblk[0-9]+$')
       ;;
+
     *)
       do_log "warning" "file_only" "Unrecognized boot device prefix: ${dev_prefix}"
       ;;
+
   esac
 
   return 0
@@ -269,7 +276,7 @@ install_grub_bios_all() {
   case "${VAR_RECIPE_TABLE,,}" in
     gpt)       partmod="part_gpt"   ;;
     msdos|mbr) partmod="part_msdos" ;;
-    *)         do_log "emergency" "file_only" "Unknown partition table type: '${VAR_RECIPE_TABLE}'."; return "${ERR_PARTITIONTBL}" ;;
+    *)         do_log "emergency" "file_only" "4140() Unknown partition table type: '${VAR_RECIPE_TABLE}'."; return "${ERR_PARTITIONTBL}" ;;
   esac
 
   declare var_modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 ${partmod}"
@@ -304,7 +311,7 @@ install_grub_uefi_all() {
   case "${VAR_RECIPE_TABLE,,}" in
     gpt)       partmod="part_gpt"   ;;
     msdos|mbr) partmod="part_msdos" ;;
-    *)         do_log "emergency" "file_only" "4150() Unknown partition table type: '${VAR_RECIPE_TABLE}'."; return "${ERR_PARTITIONTBL}" ;;
+    *)         do_log "emergency" "file_only" "4140() Unknown partition table type: '${VAR_RECIPE_TABLE}'."; return "${ERR_PARTITIONTBL}" ;;
   esac
 
   declare var_modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 ${partmod}"
@@ -312,7 +319,7 @@ install_grub_uefi_all() {
 
   for dev in "${ary_bootdev_all[@]}"; do
     do_in_target "${TARGET}" grub-install "${args[@]}"
-    do_log "info" "file_only" "Installed: GRUB on Device: '${dev}' (UEFI)."
+    do_log "info" "file_only" "4140() Installed: GRUB on Device: '${dev}' (UEFI)."
     var_update_grub_required="true"
   done
 

func/system/4100_finalzie_system.sh

@@ -13,19 +13,19 @@
 guard_sourcing
 
 #######################################
-# Installation of the specified kernel.
+# Set locale, locale overrides and configure keyboard layout.
 # Globals:
 #   TARGET
-#   image
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
-installation_kernel() {
-  # Installing the chosen Kernel Image according to preseed.yaml
-  # shellcheck disable=SC2154 # "${image}"
-  do_in_target "${TARGET}" apt-get install -y "${image}"
+setup_locales() {
+
+  ### Set the X11 keyboard layout (for graphical environments).
+  do_in_target "${TARGET}" localectl set-x11-keymap "${locale_keyboard_xkb_keymap}"
+
   return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

meta_loader_func.sh

@@ -10,6 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
+### cdi_1000_helper
 source_guard "./func/cdi_1000_helper/1030_check_nic.sh"
 source_guard "./func/cdi_1000_helper/1080_helper_chroot.sh"
 source_guard "./func/cdi_1000_helper/1081_helper_grub.sh"
@@ -18,14 +19,17 @@ source_guard "./func/cdi_1000_helper/1084_helper_sanitizer.sh"
 source_guard "./func/cdi_1000_helper/1085_helper_secure_dl.sh"
 source_guard "./func/cdi_1000_helper/1086_helper_yaml.sh"
 
+### cdi_1200_validation
 source_guard "./func/cdi_1200_validation/1220_validation_element.sh"
 source_guard "./func/cdi_1200_validation/1221_validation_ip.sh"
 source_guard "./func/cdi_1200_validation/1222_validation_preseed.sh"
 
+### cdi_1250_yaml
 source_guard "./func/cdi_1250_yaml/1250_yaml_parser.sh"
 source_guard "./func/cdi_1250_yaml/1251_yaml_reader.sh"
 source_guard "./func/cdi_1250_yaml/1252_yaml_validator.sh"
 
+### cdi_3200_partitioning
 source_guard "./func/cdi_3200_partitioning/3200_partitioning.sh"
 source_guard "./func/cdi_3200_partitioning/3210_benchmarking_encryption.sh"
 source_guard "./func/cdi_3200_partitioning/3220_partition_encryption.sh"
@@ -34,23 +38,28 @@ source_guard "./func/cdi_3200_partitioning/3280_mount_partition.sh"
 source_guard "./func/cdi_3200_partitioning/3290_uuid_logger.sh"
 source_guard "./func/cdi_3200_partitioning/3295_get_label.sh"
 
+### cdi_4000_debootstrap
 source_guard "./func/cdi_4000_debootstrap/4000_debootstrap.sh"
 source_guard "./func/cdi_4000_debootstrap/4010_prepare_mounts.sh"
-source_guard "./func/cdi_4000_debootstrap/4020_remove_expired_certificates.sh"
+source_guard "./func/cdi_4000_debootstrap/4020_remove_x509.sh"
 source_guard "./func/cdi_4000_debootstrap/4030_setup_hostname.sh"
 source_guard "./func/cdi_4000_debootstrap/4035_setup_resolv.sh"
 source_guard "./func/cdi_4000_debootstrap/4040_setup_timezone.sh"
 source_guard "./func/cdi_4000_debootstrap/4050_setup_locales.sh"
 
+### cdi_4100_base_installation
+source_guard "./func/cdi_4100_base_installation/4100_generate_sources.sh"
+source_guard "./func/cdi_4100_base_installation/4110_update_sources.sh"
+source_guard "./func/cdi_4100_base_installation/4120_installation_kernel.sh"
+source_guard "./func/cdi_4100_base_installation/4130_installation_toolset.sh"
+source_guard "./func/cdi_4100_base_installation/4131_installation_systemd.sh"
+source_guard "./func/cdi_4100_base_installation/4132_installation_machineid.sh"
+source_guard "./func/cdi_4100_base_installation/4140_installation_grub.sh"
+
 source_guard "./func/system/4040_generate_fstab.sh"
 source_guard "./func/system/4060_generate_crypttab.sh"
-source_guard "./func/system/4080_generate_sources.sh"
-source_guard "./func/system/4090_minimal_toolset.sh"
 source_guard "./func/system/4095_setup_skel.sh"
-
-source_guard "./func/system/4120_installation_kernel.sh"
 source_guard "./func/system/4130_setup_network.sh"
-source_guard "./func/system/4150_setup_grub.sh"
 source_guard "./func/system/4155_setup_grub_password.sh"
 source_guard "./func/system/4160_grub_bootparameter.sh"
 source_guard "./func/system/4165_kernel_modules.sh"