V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-06-29 14:48:43 +02:00
parent 4b014e2e65
commit d9cb2402a0
8 changed files with 436 additions and 353 deletions
--- a/func/2015_helper_modules.sh
+++ b/func/2015_helper_modules.sh
@@ -31,42 +31,6 @@ do_in_target() {
    "${ary_chroot_command[@]}"
 }

-#######################################
-# Wrapper around 'printf' for clean code.
-# Globals:
-#   C_RES
-# Arguments:
-#   $1: One of "${C_BLA}" | "${C_RED}" | "${C_GRE}" | "${C_YEL}" | "${C_BLU}" | "${C_MAG}" | "${C_CYA}" | "${C_WHI}"
-#   $2: Text string to print on terminal.
-#######################################
-do_print_color() {
-  printf "%s\n" "${1}${2}${C_RES}"
-}
-
-#######################################
-# Wrapper around 'printf' for clean, uniform terminal output and line fold for long text strings for better readability.
-# Globals:
-#   C_RES
-# Arguments:
-#   $1: One of "${C_BLA}" | "${C_RED}" | "${C_GRE}" | "${C_YEL}" | "${C_BLU}" | "${C_MAG}" | "${C_CYA}" | "${C_WHI}"
-#   $2: Text string to print on terminal.
-#######################################
-do_print_fold() {
-  declare var_color="$1"; shift
-  declare var_msg_string="$*"
-  declare var_formatted_string="${var_color}${var_msg_string}${C_RES}"
-  printf "%b\n" "${var_formatted_string}" | fold -s -w 76 | sed '1! s/^/    /'
-}
-
-#######################################
-# Wrapper around 'printf' for logfile redirect.
-# Arguments:
-#   $1: Text string to redirect to a log file.
-#######################################
-do_print_log() {
-  printf "%s\n" "${1}"
-}
-
 #######################################
 # Helper Module to generate a Subnet Mask out of an IP in CCDIR Notation.
 # Arguments:
@@ -89,53 +53,6 @@ generate_subnetmask() {
  return 0
 }

-#######################################
-# Converts characters such as spaces, inverted commas, backslashes, and other special
-# characters so that they can be safely used as arguments in a shell command.
-# Arguments:
-#   $1: String to sanitize.
-#######################################
-sanitize_input() {
-  # shellcheck disable=SC2155
-  declare var_safe_out=$(printf "%q" "$1")
-  echo "${var_safe_out}"
-}
-
-#######################################
-# Remove any leading or trailing whitespace.
-# Arguments:
-#   $1: String to clean.
-#######################################
-remove_whitespace() {
-  # shellcheck disable=SC2155
-  declare var_out=$(printf "%s" "$1" | xargs)
-  echo "${var_out}"
-}
-
-#######################################
-# Function to escape all shell metacharacters
-# Arguments:
-#   $1: String to Sanitize
-#######################################
-sanitize_shell_literal() {
-  declare input="$1"
-  ### %q quotes the string so that the shell re-reads it as the original literal
-  printf '%q' "${input}"
-}
-
-#######################################
-# Function to remove any character not in the allowed set
-# Arguments:
-#   $1: String to Sanitize
-#######################################
-sanitize_string() {
-  declare input="$1"
-  ### Define allowed characters:
-  ### letters, digits, dot, underscore, slash, equals, [, ], colon, double-quote, hyphen, space.
-  declare allowed='a-zA-Z0-9._/=\[\]:"\-+ '
-  printf '%s' "${input}" | tr -cd "${allowed}"
-}
-
 #######################################
 # Helper module for full upgrade, autoremove and autoclean.
 # Arguments:
@@ -148,66 +65,4 @@ update_upgrade() {
  apt-get autopurge -y
  apt-get autoremove -y
 }
-
-#######################################
-# Wrapper for secure curl.
-# Globals:
-#   ERR_DOWNLOAD_FAILED
-#   ERR_NO_DOWNLOAD_ARG
-# Arguments:
-#   $1: URL from which to download a specific file.
-#   $2: /path/to/file to be saved to.
-# Returns:
-#   ${ERR_DOWNLOAD_FAILED}: Download failed.
-#   ${ERR_NO_DOWNLOAD_ARG}: No arguments specified.
-#######################################
-scurl() {
-  if [[ $# -ne 2 ]]; then
-    do_log "error" "false" "Usage: scurl <URL> <path/to/file>"
-    return "${ERR_NO_DOWNLOAD_ARG}"
-  fi
-  declare url="$1"
-  declare output_path="$2"
-  if ! curl --doh-url "https://dns01.eddns.eu/dns-query" \
-            --doh-cert-status \
-            --tlsv1.3 \
-            -sSf \
-            -o "${output_path}" \
-            "${url}"
-  then
-    do_log "error" "false" "Download failed for URL: '${1}'."
-    return "${ERR_DOWNLOAD_FAILED}"
-  fi
-}
-
-#######################################
-# Wrapper for secure wget.
-# Globals:
-#   ERR_DOWNLOAD_FAILED
-#   ERR_NO_DOWNLOAD_ARG
-# Arguments:
-#   $1: URL from which to download a specific file.
-#   $2: /path/to/file to be saved to.
-# Returns:
-#   ${ERR_DOWNLOAD_FAILED}: Download failed.
-#   ${ERR_NO_DOWNLOAD_ARG}: No arguments specified.
-#######################################
-swget() {
-  if [[ $# -ne 2 ]]; then
-    do_log "error" "false" "Usage: swget <URL> <path/to/file>"
-    return "${ERR_NO_DOWNLOAD_ARG}"
-  fi
-  declare url="$1"
-  declare output_path="$2"
-  if ! wget --show-progress \
-            --no-clobber \
-            --https-only \
-            --secure-protocol=TLSv1_3 \
-            -qO "${output_path}" \
-            "${url}"
-  then
-    do_log "error" "false" "Download failed for URL: '${1}'."
-    return "${ERR_DOWNLOAD_FAILED}"
-  fi
-}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/2016_helper_print.sh
+++ b/func/2016_helper_print.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Wrapper around 'printf' for clean code.
+# Globals:
+#   C_RES
+# Arguments:
+#   $1: One of "${C_BLA}" | "${C_RED}" | "${C_GRE}" | "${C_YEL}" | "${C_BLU}" | "${C_MAG}" | "${C_CYA}" | "${C_WHI}"
+#   $2: Text string to print on terminal.
+#######################################
+do_print_color() {
+  printf "%s\n" "${1}${2}${C_RES}"
+}
+
+#######################################
+# Wrapper around 'printf' for clean, uniform terminal output and line fold for long text strings for better readability.
+# Globals:
+#   C_RES
+# Arguments:
+#   $1: One of "${C_BLA}" | "${C_RED}" | "${C_GRE}" | "${C_YEL}" | "${C_BLU}" | "${C_MAG}" | "${C_CYA}" | "${C_WHI}"
+#   $2: Text string to print on terminal.
+#######################################
+do_print_fold() {
+  declare var_color="$1"; shift
+  declare var_msg_string="$*"
+  declare var_formatted_string="${var_color}${var_msg_string}${C_RES}"
+  printf "%b\n" "${var_formatted_string}" | fold -s -w 76 | sed '1! s/^/    /'
+}
+
+#######################################
+# Wrapper around 'printf' for logfile redirect.
+# Arguments:
+#   $1: Text string to redirect to a log file.
+#######################################
+do_print_log() {
+  printf "%s\n" "${1}"
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/2017_helper_sanitizer.sh
+++ b/func/2017_helper_sanitizer.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Remove any leading or trailing whitespace.
+# Arguments:
+#   $1: String to clean.
+#######################################
+remove_whitespace() {
+  # shellcheck disable=SC2155
+  declare var_out=$(printf "%s" "$1" | xargs)
+  echo "${var_out}"
+}
+
+#######################################
+# Function to escape all shell metacharacters
+# Arguments:
+#   $1: String to Sanitize
+#######################################
+sanitize_input() {
+  declare input="$1"
+  ### %q quotes the string so that the shell re-reads it as the original literal
+  printf '%q' "${input}"
+}
+
+#######################################
+# Function to remove any character not in the allowed set
+# Arguments:
+#   $1: String to Sanitize
+#######################################
+sanitize_string() {
+  declare input="$1"
+  ### Define allowed characters:
+  ### letters, digits, dot, underscore, slash, equals, [, ], colon, double-quote, hyphen, space.
+  declare allowed='a-zA-Z0-9._/=\[\]:"\-+ '
+  printf '%s' "${input}" | tr -cd "${allowed}"
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/2018_helper_secure_dl.sh
+++ b/func/2018_helper_secure_dl.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Wrapper for secure curl.
+# Globals:
+#   ERR_DOWNLOAD_FAILED
+#   ERR_NO_DOWNLOAD_ARG
+# Arguments:
+#   $1: URL from which to download a specific file.
+#   $2: /path/to/file to be saved to.
+# Returns:
+#   ${ERR_DOWNLOAD_FAILED}: Download failed.
+#   ${ERR_NO_DOWNLOAD_ARG}: No arguments specified.
+#######################################
+scurl() {
+  if [[ $# -ne 2 ]]; then
+    do_log "error" "true" "Usage: scurl <URL> <path/to/file>"
+    return "${ERR_NO_DOWNLOAD_ARG}"
+  fi
+  declare url="$1"
+  declare output_path="$2"
+  if ! curl --doh-url "https://dns01.eddns.eu/dns-query" \
+            --doh-cert-status \
+            --tlsv1.3 \
+            -sSf \
+            -o "${output_path}" \
+            "${url}"
+  then
+    do_log "error" "true" "Download failed for URL: '${1}'."
+    return "${ERR_DOWNLOAD_FAILED}"
+  fi
+}
+
+#######################################
+# Wrapper for secure wget.
+# Globals:
+#   ERR_DOWNLOAD_FAILED
+#   ERR_NO_DOWNLOAD_ARG
+# Arguments:
+#   $1: URL from which to download a specific file.
+#   $2: /path/to/file to be saved to.
+# Returns:
+#   ${ERR_DOWNLOAD_FAILED}: Download failed.
+#   ${ERR_NO_DOWNLOAD_ARG}: No arguments specified.
+#######################################
+swget() {
+  if [[ $# -ne 2 ]]; then
+    do_log "error" "true" "Usage: swget <URL> <path/to/file>"
+    return "${ERR_NO_DOWNLOAD_ARG}"
+  fi
+  declare url="$1"
+  declare output_path="$2"
+  if ! wget --show-progress \
+            --no-clobber \
+            --https-only \
+            --secure-protocol=TLSv1_3 \
+            -qO "${output_path}" \
+            "${url}"
+  then
+    do_log "error" "true" "Download failed for URL: '${1}'."
+    return "${ERR_DOWNLOAD_FAILED}"
+  fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/3280_mount_partition.sh
+++ b/func/3280_mount_partition.sh
@@ -12,6 +12,21 @@

 guard_sourcing

+#######################################
+# Validates var_mount_path to be processed.
+# Arguments:
+#   $1 var_mount_path
+# Returns:
+#   0: Skip mounting,
+#   1: Process mount
+#######################################
+skip_path() {
+  declare -a ary_skip=( "/" "/boot" "/boot/efi" "/recovery" )
+  declare p
+  for p in "${ary_skip[@]}"; do [[ "$1" == "$p" ]] && return 0; done
+  return 1
+}
+
 #######################################
 # Function to generate btrfs-subvolumes.
 # Globals:
@@ -25,10 +40,11 @@ create_btrfs_subvolume() {
  declare var_mount_path="$1"
  declare var_subvolume="$2"

-  btrfs subvolume create "${TARGET}${var_mount_path}/${var_subvolume}" || {
+  if ! btrfs subvolume create "${TARGET}${var_mount_path}/${var_subvolume}"; then
    do_log "error" "false" "Error occurred at creation of subvolume: '${var_subvolume}' in: '${TARGET}${var_mount_path}'."
-    exit "${ERR_BTRFS_SUBVOL}"
-  }
+    return "${ERR_BTRFS_SUBVOL}"
+  fi
+
  do_log "info" "false" "Created: '${var_subvolume}' at: '${TARGET}${var_mount_path}'."
 }

@@ -45,22 +61,14 @@ create_btrfs_subvolume() {
 mount_with_dir() {
  declare var_mount_path="$1" var_mount_device="$2" var_mount_options="$3"

-  if [[ "${var_mount_path}" == "/" ]]; then
-    :
-  else
-    mkdir -p "${TARGET}${var_mount_path}"
-  fi
+  [[ "${var_mount_path}" != "/" ]] && mkdir -p "${TARGET}${var_mount_path}"

  ### Build the command in an array to keep word boundaries intact
  declare -a ary_cmd=(mount)
-  ary_cmd+=("${var_mount_device}" "${TARGET}${var_mount_path}")
  [[ -n "${var_mount_options}" ]] && ary_cmd+=("-o" "${var_mount_options}")
+  ary_cmd+=("${var_mount_device}" "${TARGET}${var_mount_path}")

-  "${ary_cmd[@]}" || {
-    do_log "error" "false" "Mounting '${var_mount_device}' on '${TARGET}${var_mount_path}' failed."
-    exit "${ERR_MOUNTING_DEV}"
-    }
-
+  safe_exec "${ary_cmd[@]}" "${ERR_MOUNTING_DEV}" || return
  do_log "info" "false" "Mounted: '${var_mount_device}' on: '${TARGET}${var_mount_path}' (Options='${var_mount_options}')."
 }

@@ -73,9 +81,12 @@ mount_with_dir() {
 #   $4: Encryption Label
 #######################################
 resolve_device() {
-  declare local_var_dev="$1" local_var_partition="$2" encryption_boolean="$3" local_var_enc_label="$4"
-  [[ "${encryption_boolean}" == true ]] && printf '/dev/mapper/%s' "${local_var_enc_label}" \
-                                        || printf '/dev/%s%s' "${local_var_dev}" "${local_var_partition}"
+  declare local_var_dev="$1" local_var_partition="$2" local_var_enc_boolean="$3" local_var_enc_label="$4"
+  if [[ "${local_var_enc_boolean,,}" == true ]]; then
+    printf '/dev/mapper/%s' "${local_var_enc_label}"
+  else
+    printf '/dev/%s%s' "${local_var_dev}" "${local_var_partition}"
+  fi
 }

 #######################################
@@ -87,10 +98,26 @@ resolve_device() {
 yq_val() {
  # shellcheck disable=SC2155
  declare var_helper=$(yq e "$1" "$2")
-  [[ "${var_helper}" == "null" ]] && var_helper=""
+  [[ "${var_helper}" == null ]] && var_helper=""
  printf '%s' "${var_helper}"
 }

+#######################################
+# Validates btrfs compression algo and level.
+# Arguments:
+#   $1 var_fs_btrfs_compress
+#   $2 var_fs_btrfs_level
+# Returns:
+#   0: Valid combination.
+#   1: Invalid combination.
+#######################################
+validate_btrfs_compression() {
+  declare var_algo="$1" var_level="$2"
+  case "${var_algo}:${var_level}" in
+    zstd:|zstd:[0-9]|zstd:1[0-9]|zstd:2[0-2]|lzo:) return 0 ;;
+    *) do_log "error" "false" "Invalid btrfs compression '${var_algo}:${var_level}'"; return "${ERR_BTRFS_OPTION}" ;;
+  esac
+}

 #######################################
 # Function for mounting all partitions for debootstrap, including the generation of btrfs subvolumes.
@@ -110,12 +137,12 @@ mount_partition() {

  if [[ -n ${HMP_MOUNTPATH_DEV[$var_mount_path_root]} ]]; then

-    mount_with_dir "${var_mount_path_root}" "${HMP_MOUNTPATH_DEV[$var_mount_path_root]}"
+    mount_with_dir "${var_mount_path_root}" "${HMP_MOUNTPATH_DEV[$var_mount_path_root]}" || return "${ERR_MOUNTING_DEV}"

  else

    do_log "error" "false" "Root-filesystem '${var_mount_path_root}' not found in Hashmap."
-    exit "${ERR_MOUNTING_ROOT}"
+    return "${ERR_MOUNTING_ROOT}"

  fi

@@ -126,7 +153,7 @@ mount_partition() {

    if [[ -n ${HMP_MOUNTPATH_DEV[${var_path}]} ]]; then

-      mount_with_dir "${var_path}" "${HMP_MOUNTPATH_DEV[${var_path}]}"
+      mount_with_dir "${var_path}" "${HMP_MOUNTPATH_DEV[${var_path}]}" || return "${ERR_MOUNTING_DEV}"

    else

@@ -148,76 +175,76 @@ mount_partition() {
    readarray -t ary_parts < <(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}")
    for var_part in "${ary_parts[@]}"; do

-    ### Extract parameters from YAML.
-    var_fs_btrfs_compress=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.btrfs.compress" "${VAR_SETUP_PART}")
-    var_fs_btrfs_level=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.btrfs.level"       "${VAR_SETUP_PART}")
-    var_encryption_enable=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.enable"         "${VAR_SETUP_PART}")
-    var_encryption_label=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.label"           "${VAR_SETUP_PART}")
-    var_fs_label=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.label"                   "${VAR_SETUP_PART}")
-    var_fs_options=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.options"               "${VAR_SETUP_PART}")
-    var_fs_version=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.version"               "${VAR_SETUP_PART}")
-    var_mount_path=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.path"                       "${VAR_SETUP_PART}")
-    var_mount_options=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.options"                 "${VAR_SETUP_PART}")
-    var_mount_subvolume=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.subvolume"             "${VAR_SETUP_PART}")
+      ### Extract parameters from YAML.
+      var_fs_btrfs_compress=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.btrfs.compress" "${VAR_SETUP_PART}")
+      var_fs_btrfs_level=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.btrfs.level"       "${VAR_SETUP_PART}")
+      var_encryption_enable=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.enable"         "${VAR_SETUP_PART}")
+      var_encryption_label=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.label"           "${VAR_SETUP_PART}")
+      var_fs_label=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.label"                   "${VAR_SETUP_PART}")
+      var_fs_options=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.options"               "${VAR_SETUP_PART}")
+      var_fs_version=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.version"               "${VAR_SETUP_PART}")
+      var_mount_path=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.path"                       "${VAR_SETUP_PART}")
+      var_mount_options=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.options"                 "${VAR_SETUP_PART}")
+      var_mount_subvolume=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.subvolume"             "${VAR_SETUP_PART}")

-    ### Skip already mounted paths ("/", "/boot", "/boot/efi") and skip ("/recovery")
-    if [[ "${var_mount_path}" == "/" || "${var_mount_path}" == "/boot" || "${var_mount_path}" == "/boot/efi" || "${var_mount_path}" == "/recovery" ]]; then
-      continue
-    fi
+      ### Skip already mounted paths ("/", "/boot", "/boot/efi") and skip ("/recovery")
+      skip_path "${var_mount_path}" && continue

-    if [[ "${var_mount_path}" == "SWAP" ]]; then
+      if [[ "${var_mount_path}" == "SWAP" ]]; then

-      cryptsetup open --type plain --key-file /dev/random \
-        --offset 2048 --cipher aes-xts-plain64 --key-size 512 \
-        --sector-size 4096 "/dev/disk/by-label/${var_fs_label}" "${var_encryption_label}"
-      mkswap "/dev/mapper/${var_encryption_label}"
-      swapon "/dev/mapper/${var_encryption_label}"
-      do_log "info" "false" "Mounted: '${var_mount_path}' on: '/dev/mapper/${var_encryption_label}'."
+        cryptsetup open --type plain --key-file /dev/random \
+          --offset 2048 --cipher aes-xts-plain64 --key-size 512 \
+          --sector-size 4096 "/dev/disk/by-label/${var_fs_label}" "${var_encryption_label}"
+        mkswap "/dev/mapper/${var_encryption_label}"
+        swapon "/dev/mapper/${var_encryption_label}"
+        do_log "info" "false" "Mounted: '${var_mount_path}' on: '/dev/mapper/${var_encryption_label}'."
+        continue

-    elif [[ "${var_mount_path}" == "/tmp" ]]; then
+      elif [[ "${var_mount_path}" == "/tmp" ]]; then

-      cryptsetup open --type plain --key-file /dev/random \
-        --offset 2048 --cipher aes-xts-plain64 --key-size 512 \
-        --sector-size 4096 "/dev/disk/by-label/${var_fs_label}" "${var_encryption_label}"
-      mkdir -p "${TARGET}/tmp"
-      mkfs.ext4 "/dev/mapper/${var_encryption_label}" "${var_fs_options:+ $var_fs_options}"
-      mount "${var_mount_options:+-o $var_mount_options}" "/dev/mapper/${var_encryption_label}" "${TARGET}/tmp"
-      do_log "info" "false" "Mounted: '${var_mount_path}' on: '/dev/mapper/${var_encryption_label}'."
+        cryptsetup open --type plain --key-file /dev/random \
+          --offset 2048 --cipher aes-xts-plain64 --key-size 512 \
+          --sector-size 4096 "/dev/disk/by-label/${var_fs_label}" "${var_encryption_label}"
+        mkdir -p "${TARGET}/tmp"

-    fi
+        if [[ -n "${var_fs_options}" ]]; then

-    case "${var_fs_version,,}:${var_encryption_enable}" in
-      btrfs:true)
-        declare var_btrfs_compression_options="compress=${var_fs_btrfs_compress}:${var_fs_btrfs_level}"
-        # shellcheck disable=SC2155
-        declare device=$(resolve_device "${var_dev}" "${var_part}" "${var_encryption_enable}" "${var_encryption_label}")
-        mount_with_dir "${var_mount_path}" "${device}" "${var_btrfs_compression_options}"
-        [[ -n ${var_mount_subvolume} ]] && create_btrfs_subvolume "${var_mount_path}" "${var_mount_subvolume}"
-        do_log "info" "false" "Mounted: '${var_mount_path}' on: '${device}'."
-        ;;
-      btrfs:false)
-        declare var_btrfs_compression_options="compress=${var_fs_btrfs_compress}:${var_fs_btrfs_level}"
-        # shellcheck disable=SC2155
-        declare device=$(resolve_device "${var_dev}" "${var_part}" "${var_encryption_enable}" "${var_encryption_label}")
-        mount_with_dir "${var_mount_path}" "${device}" "${var_btrfs_compression_options}"
-        [[ -n ${var_mount_subvolume} ]] && create_btrfs_subvolume "${var_mount_path}" "${var_mount_subvolume}"
-        do_log "info" "false" "Mounted: '${var_mount_path}' on: '${device}'."
-        ;;
-      ext4:true)
-        # shellcheck disable=SC2155
-        declare device=$(resolve_device "${var_dev}" "${var_part}" "${var_encryption_enable}" "${var_encryption_label}")
-        mount_with_dir "${var_mount_path}" "${device}"
-        do_log "info" "false" "Mounted: '${var_mount_path}' on: '${device}'."
-        ;;
-      ext4:false)
-        # shellcheck disable=SC2155
-        declare device=$(resolve_device "${var_dev}" "${var_part}" "${var_encryption_enable}" "${var_encryption_label}")
-        mount_with_dir "${var_mount_path}" "${device}"
-        do_log "info" "false" "Mounted: '${var_mount_path}' on: '${device}'."
-        ;;
-      *) do_log "error" "false" "Unsupported fs/encryption combination."
-         exit "${ERR_MOUNTING_DEV}" ;;
-    esac
+          mkfs.ext4 -O "${var_fs_options}" "/dev/mapper/${var_encryption_label}"
+
+        else
+
+          mkfs.ext4 "/dev/mapper/${var_encryption_label}"
+
+        fi
+
+        ### Build the command in an array to keep word boundaries intact
+        declare -a ary_cmd2=(mount)
+        [[ -n "${var_mount_options}" ]] && ary_cmd2+=("-o" "${var_mount_options}")
+        ary_cmd2+=("/dev/mapper/${var_encryption_label}" "${TARGET}${var_mount_path}")
+
+        safe_exec "${ary_cmd2[@]}" "${ERR_MOUNTING_DEV}" || return "${ERR_MOUNTING_DEV}"
+        do_log "info" "false" "Mounted: '${var_mount_path}' on: '/dev/mapper/${var_encryption_label}'."
+        continue
+
+      fi
+
+      declare device
+      device=$(resolve_device "${var_dev}" "${var_part}" "${var_encryption_enable}" "${var_encryption_label}")
+
+      case "${var_fs_version,,}:${var_encryption_enable,,}" in
+        btrfs:*)
+          validate_btrfs_compression "${var_fs_btrfs_compress}" "${var_fs_btrfs_level}" || return "${ERR_BTRFS_OPTION}"
+          declare var_btrfs_compression_options="compress=${var_fs_btrfs_compress}:${var_fs_btrfs_level}"
+          [[ -n "${var_mount_options}" ]] && var_btrfs_compression_options+=",${var_mount_options}"
+          mount_with_dir "${var_mount_path}" "${device}" "${var_btrfs_compression_options}" || return "${ERR_MOUNTING_DEV}"
+          [[ -n ${var_mount_subvolume} ]] && create_btrfs_subvolume "${var_mount_path}" "${var_mount_subvolume}"
+          ;;
+        ext4:*)
+          mount_with_dir "${var_mount_path}" "${device}" "${var_mount_options}" || return "${ERR_MOUNTING_DEV}"
+          ;;
+        *) do_log "error" "false" "Unsupported fs/encryption combination."
+           return "${ERR_MOUNTING_DEV}" ;;
+      esac

    done