V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

var/bash.var.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 ### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
 set -o errexit           # Exit script when a command exits with non-zero status, the same as "set -e".

var/color.var.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 ### Definition of color variables.
 

var/early.var.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 ### Definition of MUST set early variables.
 # shellcheck disable=SC2155

var/errors.var.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 ### Definition of error codes.
 
@@ -60,6 +60,8 @@ declare -girx ERR_VERIFY_LOGROTATE=213  # Error verification by 'logrotate'.
 declare -girx ERR_READ_AUTH_FILE=212    # Error reading the Luks Backup auth token file.
 declare -girx ERR_ACCOUNT_CREATE=211    # Error creating user accounts.
 declare -girx ERR_LUKS_HEADER_ENC=210   # Error encrypting LUKS Header backup.
+declare -girx ERR_MISSING_AGE_KEY=129   # AGE key for decryption SECRETS.yaml values missing.
+declare -girx ERR_GUARD_SOURCE=128      # Module tried to load twice.
 
 ### Definition of error trap vars.
 declare -gx ERRCODE=""                  # = $?                   = $1 = ERRCODE

var/global.var.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 [[ -f /root/ciss-debian-live-builder.env ]] && . /root/ciss-debian-live-builder.env
 
@@ -50,6 +50,16 @@ declare -grx VAR_PRESEED="${DIR_TMP}/combined.var"
 declare -grx VAR_SETUP_CONF="${DIR_CNF}/preseed.yaml"
 declare -grx VAR_SETUP_PART="${DIR_CNF}/partitioning.yaml"
 
+### Initialize SECRETS.yaml variables.
+# shellcheck disable=SC2034
+declare -gA   CISS_SECRETS_MAP=()                           # YAML path (w/o '.value' and without 'secrets.') -> varname.
+# shellcheck disable=SC2034
+declare -g    CISS_SECRETS_AGE=""                           # AGE PRIVATE Keyfile to decrypt SOPS encrypted values.
+# shellcheck disable=SC2034
+declare -gr   CISS_SECRETS_SOURCE="${DIR_CNF}/SECRETS.yaml" # Effective YAML source used (plain or decrypted stream)
+# shellcheck disable=SC2034
+declare -g    CISS_SECRETS_XFILES=""                        # Derived from SOPS presence heuristic.
+
 ### Base mount paths and variables for debootstrap.
 declare -grx TARGET="/target"
 declare -grx RECOVERY="/recovery"

var/terminal.var.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 ### Definition of terminal variables.