DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]

X-CI-Metadata: master@aef00ec at 2025-10-26T18:19:48Z on 6f8f9a786bfa

Generated at : 2025-10-26T18:19:48Z
Runner Host  : 6f8f9a786bfa
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : aef00ec HEAD -> master

.archive/4620_installation_verification.sh

@@ -0,0 +1,410 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
+
+### https://github.com/linux-audit/audit-userspace/tree/master/rules
+
+#######################################
+# Installs 'aide', 'audit', and 'debsums' audit and logging packages.
+# Finalizes 'rkhunter' baseline.
+# Globals:
+#   TARGET
+#   VAR_SEC_FW
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+install_verification() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_logfile="/root/.ciss/cdi/log/4620_installation_verification.log"
+
+  chroot_logger "${TARGET}${var_logfile}"
+
+  chroot_script "${TARGET}" "
+    export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+    apt-get install -y --no-install-recommends --no-install-suggests acct 2>&1 | tee -a ${var_logfile}
+
+    mkdir -p /etc/systemd/system/multi-user.target.wants
+
+    if ln -s /lib/systemd/system/acct.service /etc/systemd/system/multi-user.target.wants/acct.service; then
+      printf 'Process Accounting enabled successfully.'
+    else
+      printf 'Process Accounting already enabled.'
+    fi
+  "
+
+  chroot_script "${TARGET}" "
+    export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+    apt-get install -y --no-install-recommends --no-install-suggests auditd 2>&1 | tee -a ${var_logfile}
+  "
+
+  rm -f "${TARGET}/etc/audit/rules.d/audit.rules"
+
+  ############################################################### /etc/audit/rules.d/10-base-config.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/10-base-config.rules"
+## First rule - delete all
+-D
+
+## Increase the buffers to survive stress events.
+## Make this bigger for busy systems
+-b 16384
+
+## This determine how long to wait in burst of events
+--backlog_wait_time 1024
+
+## Set failure mode to syslog
+-f 1
+EOF
+
+  ############################################################### /etc/audit/rules.d/11-loginuid.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/11-loginuid.rules"
+--loginuid-immutable
+EOF
+
+  ############################################################### /etc/audit/rules.d/20-dont-audit.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/20-dont-audit.rules"
+## This is for don't audit rules. We put these early because audit
+## is a first match wins system. Uncomment the rules you want.
+
+## Cron jobs fill the logs with stuff we normally don't want
+-a never,user
+
+## This prevents chrony from overwhelming the logs
+-a never,exit -F arch=b64 -S adjtimex -F exe=/usr/sbin/chronyd
+-a never,exit -F arch=b32 -S adjtimex -F exe=/usr/sbin/chronyd
+
+## Human-attributable time changes
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change
+-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change
+
+### This is not very interesting and wastes a lot of space if
+### the server is public facing
+-a always,exclude -F msgtype=CRYPTO_KEY_USER
+EOF
+
+  ############################################################### /etc/audit/rules.d/21-no32bit.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/21-no32bit.rules"
+## If you are on a 64 bit platform, everything _should_ be running
+## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
+## because this might be a sign of someone exploiting a hole in the 32
+## bit ABI.
+-a always,exit -F arch=b32 -S all -F key=32bit-abi
+EOF
+
+  ############################################################### /etc/audit/rules.d/22-ignore-chrony.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/22-ignore-chrony.rules"
+## This rule suppresses the time-change event when chrony does time updates
+-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=_chrony
+-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-1-create-failed.rules"
+## Unsuccessful file creation (open with O_CREAT)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-1-create-success.rules"
+## Successful file creation (open with O_CREAT)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules"
+## Unsuccessful file modifications (open for write or truncate)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-2-modify-success.rules"
+## Successful file modifications (open for write or truncate)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-3-access-failed.rules"
+## Unsuccessful file access (any other opens) This has to go last.
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-3-access-success.rules"
+## Successful file access (any other opens) This has to go last.
+## These next two are likely to result in a whole lot of events
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules"
+## Unsuccessful file delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-4-delete-success.rules"
+## Successful file delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules"
+## Unsuccessful permission change
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules"
+## Successful permission change
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules"
+## Unsuccessful ownership change
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules"
+## Successful ownership change
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42.rules"
+## The purpose of these rules is to meet the requirements for Operating
+## System Protection Profile (OSPP)v4.2. These rules depends on having
+## the following rule files copied to /etc/audit/rules.d:
+##
+## 10-base-config.rules, 11-loginuid.rules,
+## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
+## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
+## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
+## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
+## 30-ospp-v42-5-perm-change-failed.rules,
+## 30-ospp-v42-5-perm-change-success.rules,
+## 30-ospp-v42-6-owner-change-failed.rules,
+## 30-ospp-v42-6-owner-change-success.rules
+##
+## original copies may be found in /usr/share/audit-rules
+
+## User add delete modify. This is covered by pam. However, someone could
+## open a file and directly create or modify a user, so we'll watch passwd and
+## shadow for writes
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+
+## User enable and disable. This is entirely handled by pam.
+
+## Group add delete modify. This is covered by pam. However, someone could
+## open a file and directly create or modify a user, so we'll watch group and
+## gshadow for writes
+-a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+
+
+## Use of special rights for config changes. This would be use of setuid
+## programs that relate to user accts. This is not all setuid apps because
+## requirements are only for ones that affect system configuration.
+-a always,exit -F arch=b32 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+
+## Privilege escalation via su or sudo. This is entirely handled by pam.
+## Special case for systemd-run. It is not audit aware, specifically watch it
+-a always,exit -F arch=b32 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
+-a always,exit -F arch=b64 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
+
+## Special case for pkexec. It is not audit aware, specifically watch it
+-a always,exit -F arch=b32 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
+-a always,exit -F arch=b64 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
+
+## Watch for configuration changes to privilege escalation.
+-a always,exit -F arch=b32 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
+-a always,exit -F arch=b32 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
+-a always,exit -F arch=b64 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
+
+## Audit log access
+-a always,exit -F arch=b32 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
+-a always,exit -F arch=b64 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
+
+## Attempts to Alter Process and Session Initiation Information
+-a always,exit -F arch=b32 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-a always,exit -F arch=b64 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-a always,exit -F arch=b32 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-a always,exit -F arch=b64 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-a always,exit -F arch=b32 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-a always,exit -F arch=b64 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+
+## Attempts to modify MAC controls
+-a always,exit -F arch=b32 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
+-a always,exit -F arch=b64 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
+
+## Application invocation. The requirements list an optional requirement
+## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
+## state results from that policy. This would be handled entirely by
+## that daemon.
+EOF
+
+  ############################################################### /etc/audit/rules.d/99-finalize.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/99-finalize.rules"
+-e 2
+EOF
+
+  chroot_script "${TARGET}" "
+    systemctl enable auditd.service 2>&1 | tee -a ${var_logfile}
+  "
+
+  ### Validate and build audit rules now; fail early if syntax is wrong.
+  chroot_script "${TARGET}" "
+    if command -v augenrules >/dev/null 2>&1; then
+
+      augenrules --load 2>&1 | tee -a ${var_logfile}
+
+    else
+
+      ### Fallback: build consolidated rules file without loading into the kernel.
+      if command -v bash >/dev/null 2>&1; then
+
+        bash -lc 'cat /etc/audit/rules.d/*.rules > /etc/audit/audit.rules'
+
+      fi
+
+    fi
+  "
+
+  chroot_script "${TARGET}" "
+    export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+    apt-get install -y --no-install-recommends --no-install-suggests aide aide-common 2>&1 | tee -a ${var_logfile}
+
+    sed -i 's/Checksums = H/Checksums = sha512/' /etc/aide/aide.conf
+    aideinit > /dev/null 2>> ${var_logfile}
+  "
+
+  chroot_script "${TARGET}" "
+    export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+    apt-get install -y --no-install-recommends --no-install-suggests debsums 2>&1 | tee -a ${var_logfile}
+
+    if ! debsums -g >> ${var_logfile} 2>> ${var_logfile}; then
+      printf 'Running debsums -g - encountered errors.' >> ${var_logfile}
+    fi
+
+    mkdir -p /root/.ciss/cdi/backup/etc/default
+    cp -a /etc/default/debsums /root/.ciss/cdi/backup/etc/default/debsums.bak
+    sed -i 's/CRON_CHECK=never/CRON_CHECK=monthly/' /etc/default/debsums
+  "
+
+  chroot_script "${TARGET}" "
+    rkhunter --propupd 2>&1 | tee -a ${var_logfile}
+  "
+
+  chroot_exec "${TARGET}" sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat
+
+  guard_dir; return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f install_verification
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.archive/9999-custom-usrmerge.sh

@@ -0,0 +1,72 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+# SPDX-Comment: Enforce merged-/usr symlinks inside the initramfs image.
+
+set -e
+
+PREREQ=""
+prereqs() { echo "${PREREQ}"; }
+case "${1}" in
+  prereqs) prereqs; exit 0 ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+### Ensure target directories exist in the future initramfs root.
+mkdir -p "${DESTDIR}/usr/bin" "${DESTDIR}/usr/sbin" "${DESTDIR}/usr/lib"
+
+### /lib64 may or may not exist depending on arch; create if present on the host system.
+# shellcheck disable=2292
+[ -d "${DESTDIR}/usr/lib64" ] || mkdir -p "${DESTDIR}/usr/lib64" 2>/dev/null || true
+
+# shellcheck disable=2292
+move_dir_into_usr() {
+  ### $1: top-level name (bin|sbin|lib|lib64)
+  ### Moves all contents of /$1 into /usr/$1 and removes /$1 if it was a directory.
+  ### Then creates a symlink /$1 -> usr/$1
+  d="$1"
+  top="${DESTDIR}/${d}"
+  usr="${DESTDIR}/usr/${d}"
+
+  if [ -L "${top}" ]; then
+    ### Already a symlink, so nothing to do.
+    return 0
+  fi
+
+  if [ -d "${top}" ]; then
+    ### Copy including dotfiles; -a preserves perms/links if available (coreutils on build host).
+    ### If 'cp -a' is unavailable, fallback to 'cp -rp'.
+    if cp -a "${top}/." "${usr}/" 2>/dev/null; then
+      :
+    else
+      cp -rp "${top}/." "${usr}/"
+    fi
+    ### Remove the original directory tree, then replace with symlink
+    rm -rf "${top}"
+  fi
+
+  ### Create (or refresh) the canonical symlink
+  ln -sfn "usr/${d}" "${top}"
+
+  return 0
+}
+
+move_dir_into_usr bin
+move_dir_into_usr sbin
+move_dir_into_usr lib
+### /lib64 exists only on some arch images; harmless if empty
+# shellcheck disable=2292
+[ -d "${DESTDIR}/usr/lib64" ] && move_dir_into_usr lib64
+
+printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999-custom-usrmerge.sh] \n\e[0m"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.gitea/workflows/linter_char_scripts.yaml

@@ -41,6 +41,10 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
           rm -rf ~/.ssh && mkdir -m700 ~/.ssh
 
           ### Private Key
@@ -202,11 +206,12 @@ jobs:
             echo -e "⚠️ Linting issues detected:\n"
             echo -e "${findings}"
             timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+            VAR_DATE="$(date +%F)"
             PRIVATE_FILE="LINTER_RESULTS.txt"
             touch "${PRIVATE_FILE}"
             cat << EOF >| "${PRIVATE_FILE}"
           # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
           # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
           # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
           # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -225,11 +230,12 @@ jobs:
           else
             echo "✅ No issues found in shell scripts."
             timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+            VAR_DATE="$(date +%F)"
             PRIVATE_FILE="LINTER_RESULTS.txt"
             touch "${PRIVATE_FILE}"
             cat << EOF >| "${PRIVATE_FILE}"
           # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
           # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
           # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
           # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

.gitea/workflows/render-dnssec-status.yaml

@@ -33,6 +33,10 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
           rm -rf ~/.ssh && mkdir -m700 ~/.ssh
 
           ### Private Key

.gitea/workflows/render-dot-to-png.yaml

@@ -34,6 +34,10 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
           rm -rf ~/.ssh && mkdir -m700 ~/.ssh
 
           ### Private Key

.gitignore

@@ -10,6 +10,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 .checklist/
 .idea/
+.todo/
 out/
 *.DS_Store
 *.log

.preseed/SECRETS.yaml

@@ -0,0 +1,115 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+#
+#
+# This file contains all required Secrets, Tokens and Public and Private Keys for the CISS.debian.installer
+# Master V8.00.000.2025.06.17
+# YAML specification: 1.2
+#
+secrets:
+  description: "Secrets for automated installation of encrypted systems on this host via primordial-workflow™."
+  created_at: "2025-10-23"
+  created_for: "host_domain_tld"
+  name: "CISS.debian.installer"
+  version: "V8.00.000.2025.06.17"
+  x_files: "false"
+  ################################################################################################################################
+  # Grub bootloader passphrase
+  ################################################################################################################################
+  grub:
+    note: "Password used to unlock the GRUB bootloader before system initialization."
+    scope: "grub"
+    type: "plain"
+    value: "PleASE_CHan3e_M!"
+  ################################################################################################################################
+  # LUKS and LUKS Nuke passphrase
+  ################################################################################################################################
+  luks:
+    backup:
+      note: "The value is [<share-identifier>:<password>] (colon-separated). Use the same dedicated destination and credentials across servers."
+      scope: "offsite-backup"
+      type: "plain"
+      value: "NextcloudFolderNameOrShareID:SuperSecurePassword123!"
+    boot:
+      note: "Dedicated passphrase for the [/boot] partition; chosen for easy manual input via the VPS web console."
+      scope: "luks"
+      type: "plain"
+      value: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
+    common:
+      note: "Main LUKS passphrase baked into the installer for automated setup. For dropbear SSH input method only."
+      scope: "luks"
+      type: "plain"
+      value: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
+    nuke:
+      note: "Special LUKS passphrase that triggers secure wipe of all volumes when entered."
+      scope: "luks"
+      type: "plain"
+      value: "THIS_IS_THE_NUKE_PASSWORD!"
+  ################################################################################################################################
+  # TOTP MFA seed and salt and other seed variables
+  ################################################################################################################################
+  seeds:
+    mfa:
+      info:
+        note: "MFA version identifier, e.g., [totp:v1] for seamless mfa secrets rollover."
+        scope: "mfa"
+        type: "plain"
+        value: "totp:v1"
+      salt:
+        note: "Used to add a salt to the MFA seed to derive per-host MFA secrets for remote unlock authentication."
+        scope: "mfa"
+        type: "plain"
+        value: "CISS:CDI:OTP"
+      secret:
+        note: "Master seed (hex) used to derive per-machine MFA secrets for remote unlock authentication."
+        scope: "mfa"
+        type: "plain"
+        value: "7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda"
+  ################################################################################################################################
+  # User passwords and SSH keys
+  ################################################################################################################################
+  user:
+    root:
+      password:
+        note: "Password-hash, YESCRYPT only, for the root user. Leave value empty if disabled password authentication."
+        scope: "auth"
+        type: "hash"
+        value: "$y$jFT$7pQlcZrgTEGrzkEm7UQW/.$QoCamalYEAV5mN4QWIE.xpHo8kvXa9sym2Uz.9oELwA"
+      sshpubkey:
+        note: "SSH public key for the root user. This key is also used for dropbear SSH authentication."
+        scope: "auth"
+        type: "sshpubkey"
+        value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
+    user0:
+      name: "user"
+      password:
+        note: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
+        scope: "auth"
+        type: "hash"
+        value: "$y$jFT$OGeZONH5ho2JSXvAbyIBQ1$5OhyHqOaMZ9BZcfMOYEwF.nMLFKd9ceiW2oNksPCHVB"
+      sshpubkey:
+        note: "SSH public key for the specified user."
+        scope: "auth"
+        type: "sshpubkey"
+        value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
+    user1:
+      name: "ansible"
+      password:
+        note: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
+        scope: "auth"
+        type: "hash"
+        value: ""
+      sshpubkey:
+        note: "SSH public key for the specified user."
+        scope: "auth"
+        type: "sshpubkey"
+        value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.preseed/mfa_master.txt

@@ -1 +0,0 @@
-7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda

.preseed/partitioning.yaml

@@ -32,9 +32,17 @@ recipe:
       kdf:
         threads: 1             # Set the parallel cost for PBKDF (number of threads, up to 4).
         time: 256              # The number of milliseconds to spend with PBKDF passphrase processing.
+      luks_backup: true        # Specify if LUKS Header backups should be created. If so, provide an external backup URL:
+                               # luks_backup_url: "https://cloud.e2ee.li/" or leave empty for local backup.
+                               # Also provide the cloud access token and access passwords via
+                               # ./.preseed/SECRETS.yaml. Yet Nextcloud only is supported.
+      luks_backup_url: "https://cloud.e2ee.li/"
+      luks_backup_pgp: "ciss"  # Specify the trigger for use of the LUKS Header backup encryption key.
+                               # Allowed values are: 'ciss', and 'physnet'. MUST be provided.
+                               # Otherwise, the backup is NOT created.
       name: "ciss.2025.gpt.btrfs.ephemeral.non-raid.256GiB.rescue"
       nuke: true               # Activates Nuke-Mechanism in '/etc/crypttab' keyscript and via dropbear SSH forced command.
-      nuke_rounds: 8192        # SHA512 KDF Rounds for Nuke Passphrase. If omitted, the default value is '8,388,608'.
+      nuke_rounds: 16384       # SHA512 KDF Rounds for Nuke Passphrase. If omitted, the default value is '8,388,608'.
       raid:                    # mdadm RAID settings only (not yet supported).
         enable: false
         disks:
@@ -46,7 +54,7 @@ recipe:
       table: "gpt"             # MUST be "gpt" for "UEFI" || "msdos":
       syntax: true             # This is set to "false" by default, otherwise if the recipe is tested by the authors to "true".
       ### Version of the specific recipe.
-      version: "1.2.0"
+      version: "1.3.2"
     dev:
       sda:
         1:                     # MUST be always 'ESP' for [UEFI|GPT] or 'BIOS' for [BIOS|GPT].
@@ -76,7 +84,7 @@ recipe:
             version: "fat32"
           mount:
             enable: true       # MUST be "true" for "/boot/efi"
-            options: "defaults,noatime,nodev,nosuid,noexec,umask=0077"
+            options: "umask=0077,uid=0,gid=0"
             optsnap: ""
             path: "/boot/efi"
           primary: primary
@@ -106,8 +114,8 @@ recipe:
             version: "btrfs"
             options: ""
           mount:
-            enable: true       # MUST be "true" for "/boot"
+            enable: true
-            options: "defaults,nodev,nosuid,noexec,noatime,compress=no,discard=async"
+            options: "nodev,nosuid,noexec,noatime,compress=no,discard=async"
             optsnap: ""
             path: "/boot"
           primary: primary
@@ -166,12 +174,12 @@ recipe:
               mdup: ""
               snapshot: false
             format: true
-            label: "host_swap" # MUST be "host_swap" for ephemeral "SWAP"
+            label: "host_swap"
             options: ""
-            version: "ext4"    # MUST be "ext4" for ephemeral "SWAP"
+            version: "ext4"
           mount:
             enable: true
-            options: "defaults,discard"
+            options: "defaults"
             optsnap: ""
             path: "SWAP"
           primary: primary
@@ -199,10 +207,10 @@ recipe:
               snapshot: false
             format: true
             options: ""
-            version: "ext4"    # MUST be "ext4" for ephemeral "/tmp"
+            version: "ext4"
           mount:
             enable: true
-            options: "defaults,rw,nodev,noexec,nosuid,noatime,discard,mode=1777"
+            options: "defaults,rw,nodev,noexec,nosuid,noatime,discard"
             optsnap: ""
             path: "/tmp"
           primary: primary

.preseed/password_grub.txt

@@ -1 +0,0 @@
-PleASE_CHan3e_M!

.preseed/password_luks_boot.txt

@@ -1 +0,0 @@
-Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!

.preseed/password_luks_common.txt

@@ -1 +0,0 @@
-Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!

.preseed/password_luks_nuke.txt

@@ -1 +0,0 @@
-THIS_IS_THE_NUKE_PASSWORD!

.preseed/ssh_root_ca.pub

@@ -1 +1 @@
-ssh-rsa-cert-v01@openssh.com AAAAB3NzaC1yc2EtY2VydC12MDEAAABCBFtF...== root-ca@example.com
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9klkdk7LwUWsLtm5p6+4aJyJ8KGX3vbKMNJlFJ2c/k Centurion 2025 SSH Root CA [offline]

.preseed/unlock_wrapper.sh.sha512

@@ -0,0 +1 @@
+2d90783e0ffba3c6972b3a0d5335cca4a37c03b417f43b62b082a83734d4e4148390ac22509e68d63aaca11baf4fb081747f83347eab08176fb647e5445372f6

.pubkey/marc_s_weidner_msw+bot@coresecret.dev_AGE_pubkey

@@ -0,0 +1,2 @@
+# created: 2025-10-11T17:22:22Z
+# public key: age1l3pm5sjg0lj5l5jlh2azllccmzflpend9hpgcg7zvsk2mr4hvpqscdwm8f

.pubkey/marc_s_weidner_msw@coresecret.dev_AGE_pubkey

@@ -0,0 +1,2 @@
+# created: 2025-10-11T17:20:35Z
+# public key: age1chzjfu3f5nxnh5yz2l6n43l6gs07qyqcfzekdfhr5gezqvemcq7qjn23kv

.shellcheckrc

@@ -9,6 +9,9 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
+# https://github.com/koalaman/shellcheck/wiki/directive
+# https://github.com/koalaman/shellcheck/wiki/Optional
+
 encoding=utf-8
 external-sources=true
 shell=bash
@@ -16,6 +19,8 @@ source-path=~/func
 source-path=~/lib
 source-path=~/var
 
+enable=add-default-case
+enable=avoid-negated-conditions
 enable=avoid-nullary-conditions
 enable=check-extra-masked-returns
 enable=check-set-e-suppressed
@@ -24,5 +29,6 @@ enable=deprecate-which
 enable=quote-safe-variables
 enable=require-double-brackets
 enable=require-variable-braces
+enable=useless-use-of-cat
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

.sops.yaml

@@ -1,4 +1,3 @@
-#!/bin/sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
@@ -9,10 +8,10 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-
+creation_rules:
-set -e
+  - path_regex: '(^|.*/)\.preseed/SECRETS\.yaml$'
-
+    encrypted_regex: '^value$'
-### Make sure /usr/local/bin is in front of 'PATH'.
+stores:
-export PATH="/usr/local/bin:${PATH:-/sbin:/usr/sbin:/bin:/usr/bin}"
+  yaml:
-
+    indent: 2
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

LINTER_RESULTS.txt

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-08-14T20:03:04Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-10-26T18:19:45Z".
 
 ⚠️ The last linter check was NOT successful. ⚠️
 

README.md

@@ -6,13 +6,13 @@ include_toc: true
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
-[![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.15-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/)  
+[![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.37-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/)  
 [![Static Badge](https://badges.coresecret.dev/badge/shellcheck-passed-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=shellcheck&color=%234EAA25)](https://shellcheck.net/)  
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh)  
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
  
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.2-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.7-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.4-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/)  
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de)  
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/)  

ciss_debian_installer.sh

@@ -12,27 +12,19 @@
 
 ### Contributions so far see ./docs/CREDITS.md
 
-# TODO: Implement this function 4215_check_crypttab.sh
+# TODO: Final warnings if interactive.
-# TODO: Change 4230_installation_grub.sh for Trixie Workflow
 # TODO: Update .dot files.
 # TODO: Update README.md for each lib and func dir.
-# TODO: Update MANPAGES.md for each func.
+# TODO: Update MANPAGE.md for each func.
-# TODO: Update preseed.yaml for pgp signing key AND / OR implementation of presigned unlock_wrapper.sh
 # TODO: Implement Clang Build Chain and Secure Boot PK CISS.ROOT.CA Signing Workflow
-# TODO: Update preseed.yaml for pgp signing key OR implementation of presigned unlock_wrapper.sh
-# TODO: Implement Console Login Deactivation and 2fa as advertised in preseed.yaml Refactor 4500_installation_accounts.sh
-# TODO: Check Packages for installation. Refactor preseed.yaml, 4130_installation_toolset.sh, 4700_setup_packages.sh
-# TODO: What do we need for CISS environment?
 # TODO: Hardening Scripts Integration
-# TODO: SSH 2fa integration
 # TODO: Recovery Partition Integration
 # TODO: Grub Boot Menu Update for Recovery Integration
 # TODO: update-grub Post Hook Clang, Recovery, Signing PK
 # TODO: Copying Log Files to final System
 # TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain?
 # TODO: Reboot function for Autoinstall, Clean Exit, Flush Logs, luksClose, umount
-# TODO: 0105_arg_nuke_converter.sh - implement HashRounds as argument
+# TODO: Implement loop_pass() for other passwords 1257_yaml_xnuke.sh
-# TODO: Implement loop_pass() for other passwords 0105_arg_nuke_converter.sh
 # TODO: Implement / Integrate IP, Port validation CDI_1200
 
 ### WHY BASH?
@@ -55,7 +47,7 @@ declare -grx  VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/opt
 
 ### PRELIMINARY CHECKS.
 ### No ash, dash, ksh, sh.
-# shellcheck disable=2292
+# shellcheck disable=SC2292
 [ -z "${BASH_VERSINFO[0]}" ] && {
   . ./meta_loader_early.sh
   printf "%b❌ Please make sure you are using 'bash'! Bye... %b%b" "${RED}" "${RES}" "${NL}" >&2
@@ -113,12 +105,15 @@ declare -grx  VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/opt
 }
 
 ### CHECK FOR CONTACT, HELP, AND VERSION STRING.
+# shellcheck disable=SC2249
 for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./meta_loader_cuv.sh; contact; exit 0;; esac; done
+# shellcheck disable=SC2249
 for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./meta_loader_cuv.sh; usage  ; exit 0;; esac; done
+# shellcheck disable=SC2249
 for arg in "$@"; do case "${arg,,}" in -v|--version) . ./meta_loader_cuv.sh; version; exit 0;; esac; done
 
-### SOURCING MUST SET EARLY VARIABLES. SOURCING COLOR_ECHO(), GUARD_SOURCING(), AND SOURCE_GUARD().
+### SOURCING MUST SET EARLY VARIABLES. SOURCING COLOR_ECHO(), guard_sourcing || return "${ERR_GUARD_SOURCE}"(), AND SOURCE_GUARD().
-. ./lib/cdi_0005_guard/0005_guard_sourcing.sh # The function guard_sourcing MUST be present in each file to source.
+. ./lib/cdi_0005_guard/0005_guard_sourcing.sh # The function guard_sourcing || return "${ERR_GUARD_SOURCE}" MUST be present in each file to source.
 . ./lib/cdi_0005_guard/0006_source_guard.sh   # Wrapper for sourcing modules, libraries, variables.
 source_guard "./var/color.var.sh"
 source_guard "./var/early.var.sh"
@@ -149,8 +144,8 @@ color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: PREPARING DIRECTORIES AN
 gen_dir_files
 
 ### CHECKING REQUIRED PACKAGES.
-#color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECKING REQUIRED PACKAGES"
+color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECKING REQUIRED PACKAGES"
-#check_pkgs
+check_pkgs
 color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECKING GIT VARIABLES"
 check_git
 
@@ -172,6 +167,7 @@ pre_scan_debug "$@"
 
 ### CHECK FOR AUTO INSTALL MODE.
 color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECK FOR AUTO INSTALL MODE"
+# shellcheck disable=SC2249
 for arg in "$@"; do case "${arg,,}" in -a|--autoinstall) declare -gx VAR_AUTO_INSTALL="true";; esac; done; unset arg
 
 ### ACTIVATING TRAPS.
@@ -202,149 +198,316 @@ arg_parser "$@"
 info_echo "0103_arg_priority_check.sh"
 arg_priority_check
 
-### HASHING PASSWORDS.
-info_echo "0105_arg_nuke_converter.sh"
-nuke_passphrase
-
-### CDI_1200
 
 ### CDI_1250
 info_echo "1250_yaml_parser.sh"
 yaml_parser
+
 info_echo "1251_yaml_reader.sh"
 yaml_reader
+
 info_echo "1252_yaml_validator.sh"
 yaml_validator
 
+info_echo "1256_yaml_xfiles.sh"
+yaml_secret
+
+info_echo "1257_yaml_xnuke.sh"
+nuke_passphrase
+
+
 ### CDI_3200
 info_echo "3200_partitioning.sh"
 partitioning
+
 info_echo "3210_benchmarking_encryption.sh"
 benchmarking_encryption
+
 info_echo "3220_partition_encryption.sh"
 partition_encryption
+
 info_echo "3240_partition_formatting.sh"
 partition_formatting
+
 info_echo "3280_mount_partition.sh"
 mount_partition
+
 info_echo "3290_uuid_logger.sh"
 uuid_logger
 
+
 ### CDI_4000
-info_echo "4000_debootstrap.sh"
+info_echo "4000_debootstrap.sh [${TARGET}]"
 func_debootstrap
-info_echo "4010_prepare_mounts.sh"
+
+info_echo "4005_debootstrap_checks.sh [${TARGET}]"
+check_debootstrap
+
+info_echo "4010_prepare_mounts.sh [${TARGET}]"
 prepare_mounts
-info_echo "4020_remove_x509.sh"
+
+info_echo "4011_prepare_xdg_root.sh [${TARGET}]"
+prepare_xdg_root
+
+info_echo "4015_check_usr_merge.sh [${TARGET}]"
+check_usr_merge
+
+info_echo "4020_remove_x509.sh [${TARGET}]"
 remove_x509
-info_echo "4030_setup_hostname.sh"
+
+info_echo "4030_setup_hostname.sh [${TARGET}]"
 setup_hostname
-info_echo "4035_setup_resolv.sh"
+
+info_echo "4035_setup_resolv.sh [${TARGET}]"
 setup_resolv
-info_echo "4040_setup_timezone.sh"
+
+info_echo "4040_setup_timezone.sh [${TARGET}]"
 setup_timezone
-info_echo "4050_setup_locales.sh"
+
+info_echo "4050_setup_locales.sh [${TARGET}]"
 setup_locales
 
+
 ### CDI_4100
-if [[ "${apt_default_deb822}" == "true" ]]; then
+if [[ "${VAR_DEB822}" == "true" ]]; then
-  info_echo "4105_generate_sources822.sh"
+
+  info_echo "4105_generate_sources822.sh [${TARGET}]"
   generate_sources822
+
 else
-  info_echo "4100_generate_sources.sh"
+
+  info_echo "4100_generate_sources.sh [${TARGET}]"
   generate_sources
+
 fi
-info_echo "4110_update_sources.sh"
+
+info_echo "4110_update_sources.sh [${TARGET}]"
 update_sources
-info_echo "4120_installation_kernel.sh"
+
+info_echo "4120_installation_kernel.sh [${TARGET}]"
 installation_kernel
-info_echo "4121_installation_initramfs.sh"
+
+info_echo "4121_installation_initramfs.sh [${TARGET}]"
 installation_initramfs
-info_echo "4130_installation_toolset.sh"
+
+info_echo "4130_installation_toolset.sh [${TARGET}]"
 installation_toolset
-info_echo "4131_installation_systemd.sh"
+
+info_echo "4131_installation_systemd.sh [${TARGET}]"
 installation_systemd
-info_echo "4132_installation_machineid.sh"
+
+info_echo "4132_installation_machineid.sh [${TARGET}]"
 installation_machineid
-info_echo "4133_installation_masking.sh"
+
+info_echo "4133_installation_masking.sh [${TARGET}]"
 installation_masking
-info_echo "4140_installation_microcode.sh"
+
+info_echo "4140_installation_microcode.sh [${TARGET}]"
 installation_microcode
-info_echo "4150_installation_chrony.sh"
+
+info_echo "4145_installation_firmware.sh [${TARGET}]"
+installation_firmware
+
+info_echo "4150_installation_chrony.sh [${TARGET}]"
 installation_chrony
 
+info_echo "4160_installation_eza.sh [${TARGET}]"
+installation_eza
+
+info_echo "4170_installation_lynis.sh [${TARGET}]"
+installation_lynis
+
+
 ### CDI_4200
-info_echo "4200_generate_fstab.sh"
+info_echo "4200_generate_fstab.sh [${TARGET}]"
 generate_fstab
-info_echo "4205_check_fstab.sh"
+
+info_echo "4205_check_fstab.sh [${TARGET}]"
 check_fstab
-info_echo "4210_generate_crypttab.sh"
+
+info_echo "4210_generate_crypttab.sh [${TARGET}]"
 generate_crypttab
-info_echo "4215_check_crypttab.sh"
+
-check_crypttab
+info_echo "4220_installation_cryptsetup.sh [${TARGET}]"
-info_echo "4220_installation_cryptsetup.sh"
 installation_cryptsetup
-info_echo "4230_installation_grub.sh"
+
+info_echo "4230_installation_grub.sh [${TARGET}]"
 installation_grub
-info_echo "4240_update_grub_password.sh"
+
+if [[ "${VAR_GRUB_PASSWORD}" == "true" ]]; then
+
+  info_echo "4240_update_grub_password.sh [${TARGET}]"
   update_grub_password
-info_echo "4250_update_grub_bootparameter.sh"
+
+fi
+
+info_echo "4250_update_grub_bootparameter.sh [${TARGET}]"
 update_grub_bootparameter
 
+
 ### CDI_4300
-info_echo "4300_installation_network.sh"
+info_echo "4300_installation_network.sh [${TARGET}]"
 installation_network
-info_echo "4310_dropbear_build.sh"
+
+info_echo "4305_installation_netsec.sh [${TARGET}]"
+installation_netsec
+
+if [[ "${VAR_DROPBEAR}" == "true" ]]; then
+
+  info_echo "4310_dropbear_build.sh [${TARGET}]"
   dropbear_build
-info_echo "4311_dropbear_initramfs.sh"
+
+  info_echo "4311_dropbear_initramfs.sh [${TARGET}]"
   dropbear_initramfs
-info_echo "4312_dropbear_setup.sh"
+
+  info_echo "4312_dropbear_setup.sh [${TARGET}]"
   dropbear_setup
-info_echo "4320_update_initramfs.sh"
+
+fi
+
+info_echo "4320_update_initramfs.sh [${TARGET}]"
 update_initramfs
 
-### CDI_4400
+info_echo "4330_installation_ssh.sh [${TARGET}]"
-info_echo "4400_kernel_modules.sh"
-kernel_modules && kernel_modprobe
-info_echo "4410_kernel_sysctl.sh"
-kernel_sysctl
-info_echo "4420_installation_ssh.sh"
 installation_ssh
-info_echo "4430_installation_skel.sh"
+
-installation_skel
+
-info_echo "4440_hardening_files.sh"
+### CDI_4400
+info_echo "4400_kernel_modules.sh [${TARGET}]"
+kernel_modules && kernel_modprobe
+
+info_echo "4410_kernel_sysctl.sh [${TARGET}]"
+kernel_sysctl
+
+info_echo "4420_hardening_fail2ban.sh [${TARGET}]"
+hardening_fail2ban
+
+info_echo "4430_hardening_files.sh [${TARGET}]"
 hardening_files
-info_echo "4450_hardening_haveged.sh"
+
-hardening_haveged
+info_echo "4442_hardening_jitterentropy.sh [${TARGET}]"
-info_echo "4460_hardening_memory.sh"
+hardening_jitterentropy
+
+info_echo "4450_hardening_memory.sh [${TARGET}]"
 hardening_memory
 
+info_echo "4460_hardening_openssl.sh [${TARGET}]"
+hardening_openssl
+
+info_echo "4470_hardening_ufw.sh [${TARGET}]"
+hardening_ufw
+
+info_echo "4480_hardening_usb.sh [${TARGET}]"
+hardening_usb
+
+info_echo "4490_hardening_virus.sh [${TARGET}]"
+hardening_virus
+
+info_echo "4445_hardening_logrotate.sh [${TARGET}]"
+hardening_logrotate
+
+
 ### CDI_4500
-info_echo "4500_installation_accounts.sh"
+info_echo "4500_accounts_preparation.sh [${TARGET}]"
-installation_accounts # TODO: Checks ongoing
+accounts_preparation
+
+info_echo "4510_accounts_hardening.sh [${TARGET}]"
+accounts_hardening
+
+info_echo "4520_accounts_setup.sh [${TARGET}]"
+accounts_setup
+
+info_echo "4530_accounts_timings.sh [${TARGET}]"
+update_shadow
+
 
 ### CDI_4600
-#info_echo "4205_check_fstab.sh"
+info_echo "4600_installation_packages.sh [${TARGET}]"
+installation_packages
 
-#info_echo "4610_finalize_system.sh"
+info_echo "4610_installation_security.sh [${TARGET}]"
+installation_security
 
-#info_echo "4670_verify_system.sh"
+info_echo "4620_installation_verification.sh [${TARGET}]"
+install_verification
 
-#info_echo "4680_check_sshd_config_integrity.sh"
+info_echo "4630_auditing_packages.sh [${TARGET}]"
+auditing_packages
 
-#info_echo "4690_check_grub_cmdline.sh"
+### CDI_4900
+info_echo "4900_final_command.sh [${TARGET}]"
+final_commands
 
-### CDI_4700
+info_echo "4950_final_logrotate.sh [${TARGET}]"
-info_echo "4799_exiting_chroot_system.sh"
+final_logrotate
+
+info_echo "4999_exiting_chroot_system.sh [${TARGET}]"
 exiting_chroot_system
 
 ### CDI_5000
 if [[ "${VAR_RECOVERY}" == "true" ]]; then
-  wrapper_recovery
+
+  declare -gx VAR_RUN_RECOVERY="true"
+
+  info_echo "4000_debootstrap.sh [${RECOVERY}]"
+  func_debootstrap
+
+  info_echo "4005_debootstrap_checks.sh [${RECOVERY}]"
+  check_debootstrap
+
+  info_echo "4010_prepare_mounts.sh [${RECOVERY}]"
+  prepare_mounts
+
+  info_echo "4015_check_usr_merge.sh [${RECOVERY}]"
+  check_usr_merge
+
+  info_echo "4020_remove_x509.sh [${RECOVERY}]"
+  remove_x509
+
+  info_echo "4030_setup_hostname.sh [${RECOVERY}]"
+  setup_hostname
+
+  info_echo "4035_setup_resolv.sh [${RECOVERY}]"
+  setup_resolv
+
+  info_echo "4040_setup_timezone.sh [${RECOVERY}]"
+  setup_timezone
+
+  info_echo "4050_setup_locales.sh [${RECOVERY}]"
+  setup_locales
+
+  info_echo "4105_generate_sources_822.sh [${RECOVERY}]"
+  generate_sources822
+
+  info_echo "4110_update_sources.sh [${RECOVERY}]"
+  update_sources
+
+  info_echo "5120_installation_kernel.sh [${RECOVERY}]"
+  installation_kernel_reco
+
+  info_echo "5121_installation_initramfs.sh"
+  installation_initramfs_reco
+
+  info_echo "5130_installation_toolset.sh"
+  installation_toolset_reco
+
+  info_echo "5131_installation_systemd.sh"
+  installation_systemd_reco
+
+  info_echo "5132_installation_machineid.sh"
+  installation_machineid_reco
+
+  info_echo "5133_installation_masking.sh"
+  installation_masking_reco
+
+  info_echo "5999_exiting_chroot_recovery.sh"
+  exiting_chroot_recovery
+
+  declare -gx VAR_RUN_RECOVERY="false"
 fi
 
 ### Dialog Output for Initialization END
-if ! "${VAR_AUTO_INSTALL}"; then . ./lib/cdi_0200_dialog/0200_dialog_helper.sh && dialog_box_cleaner; fi
+if ! "${VAR_AUTO_INSTALL}"; then dialog_box_cleaner; fi
 
 declare -gx VAR_SCRIPT_SUCCESS="true"
 

func/cdi_1000_helper/1030_check_nic.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Specify the network interface card (NIC) interactively for setup.
@@ -39,6 +39,9 @@ check_nic() {
   clear
 
   do_log "info" "file_only" "1030() You have selected: '${var_nic}' - proceeding with setup."
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f check_nic
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1000_helper/1080_helper_chroot.sh

@@ -10,13 +10,17 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Use chroot_exec() for:
-#   - simple commands (e.g., dpkg, ln, mkdir, apt, etc.).
+#   - Simple commands (e.g., dpkg, ln, mkdir, apt, etc.).
 # Use chroot_script() for:
-#   - all shell scripts, redirects, pipes, conditions, loops, or subshells.
+#   - All shell scripts, redirects, pipes, conditions, loops, or subshells.
+# Use chroot_stdin() for:
+#   - Long, multi-line payloads without argv/ARG_MAX pain. Use it to stream robust, quoting-safe scripts via stdin (bash -s).
+#     Ideal for multi-line awk/sed edits, or any content that would otherwise suffer from nested quoting or size limits if
+#     passed via -c.
 #######################################
 
 #######################################
@@ -32,11 +36,13 @@ guard_sourcing
 #   ERR_CHRT_COMMAND: on failure
 #######################################
 chroot_exec() {
+  ### Declare Arrays, HashMaps, and Variables.
   declare    var_chroot_target="$1"; shift
   declare -a ary_chroot_command=("$@")
   declare -r var_default_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
   declare    var_mod="${BASH_SOURCE[1]##*/}"; var_mod="${var_mod%%_*}()"
 
+  ### Basic sanitation.
   if (( ${#ary_chroot_command[@]} == 0 )); then
 
     do_log "emergency" "file_only" "1080() Empty command passed to 'chroot_exec()'."
@@ -52,6 +58,7 @@ chroot_exec() {
 
   fi
 
+  ### Main wrapper.
   if ! chroot "${var_chroot_target}" /usr/bin/env -i \
     HOME="/root" \
     PATH="${var_default_path}" \
@@ -74,13 +81,19 @@ chroot_exec() {
 
   fi
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f chroot_exec
 
 #######################################
-# Execute a full shell script line inside the chroot via bash -c.
+# Run a complete shell script line inside the chroot using the command 'bash -c'.
-# TODO: Supports interactive debug shell on error.
 # Globals:
 #   BASH_SOURCE
 #   TERM
+#   VAR_CHROOT_DEBUG
+#   VAR_DEBUG_TRACE
+#   VAR_DEBUG_TRAP
+#   VAR_IN_DIALOG_WR
 # Arguments:
 #   1: Target of the chroot environment
 #   2: Command string to execute inside a shell (quoted)
@@ -90,12 +103,14 @@ chroot_exec() {
 #   ERR_CHRT_COMMAND: on failure
 #######################################
 chroot_script() {
+  ### Declare Arrays, HashMaps, and Variables.
   declare    var_chroot_target="$1"
   declare    var_chroot_script="$2"
   declare    var_log_level_on_error="${3:-emergency}"
   declare -r var_default_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
   declare    var_mod="${BASH_SOURCE[1]##*/}"; var_mod="${var_mod%%_*}()"
 
+  ### Basic sanitation.
   if [[ -z "${var_chroot_script}" ]]; then
 
     do_log "emergency" "file_only" "1080() Empty command passed to 'chroot_script()'."
@@ -103,6 +118,7 @@ chroot_script() {
 
   fi
 
+  ### Main wrapper.
   if ! chroot "${var_chroot_target}" /usr/bin/env -i \
     HOME="/root" \
     PATH="${var_default_path}" \
@@ -117,14 +133,31 @@ chroot_script() {
   then
 
     do_log "${var_log_level_on_error}" "file_only" "1080() Command of ${var_mod} [chroot ${var_chroot_target} /usr/bin/env -i HOME=/root PATH=${var_default_path} TERM=${TERM} LANG=C.UTF-8 LC_ALL=C.UTF-8 DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=none /bin/bash -c ${var_chroot_script}] failed."
+
+    if [[ "${VAR_CHROOT_DEBUG}" == "true" ]]; then
+
+      if [[ "${VAR_DEBUG_TRACE}" == "true" || "${VAR_DEBUG_TRAP}" == "true" ]]; then\
+
+        dump_vars_exiting
+
+      fi
+
+      case "${VAR_IN_DIALOG_WR}" in
+        box   ) dialog_box_cleaner   ;;
+        gauge ) dialog_gauge_cleaner ;;
+        text  ) dialog_text_cleaner  ;;
+        *     ) : ;;
+      esac
+
+      do_log "emergency" "tty" "1080() Launching interactive debug shell in chroot: '${var_chroot_target}'."
+
+      chroot "${var_chroot_target}" /bin/bash -l
+
+    else
+
       return "${ERR_CHRT_COMMAND}"
 
-    # TODO: Test with Dialog Wrapper in interactive mode.
+    fi
-    # TODO: Call clean screen first to terminate dialog wrapper !
-    #if [[ "${DEBUG_INTERACTIVE}" == "true" ]]; then
-    #  do_log "warning" "true" "Launching interactive debug shell in chroot: '${var_chroot_target}'."
-    #  chroot "${var_chroot_target}" /bin/bash -l
-    #fi
 
   else
 
@@ -133,4 +166,105 @@ chroot_script() {
 
   fi
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f chroot_script
+
+#######################################
+# Run the installer-desired code incl. positional arguments via stdin (HEREDOC) inside the chroot with bash -s.
+# Globals:
+#   BASH_SOURCE
+#   TERM
+#   VAR_CHROOT_DEBUG
+#   VAR_DEBUG_TRACE
+#   VAR_DEBUG_TRAP
+#   VAR_IN_DIALOG_WR
+# Arguments:
+#   1: Target of chroot environment
+#   2: Command string to execute inside a shell (HEREDOC):
+#      chroot_stdin "${TARGET}" "__payload__" -- "${ARG1}" "${ARG2}" ... <<'EOF' ... EOF
+# Returns:
+#   0: on success
+#   ERR_CHRT_COMMAND: on failure
+#######################################
+chroot_stdin() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_chroot_target="$1"; shift      ### Consume 'TARGET'.
+  declare     payload_marker="$1"; shift         ### Consume marker (e.g. "__payload__").
+  declare     var_log_level_on_error="emergency" ### Default.
+  declare     var_default_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+  declare     var_mod="${BASH_SOURCE[1]##*/}"; var_mod="${var_mod%%_*}()"
+
+  ### Optional third parameter as log level, else we expect a '--' sentinel next.
+  if [[ "${1-}" != "--" && -n "${1-}" ]]; then
+    var_log_level_on_error="$1"
+    shift
+  fi
+
+  ### If a '--' sentinel is present, drop it; the rest are payload args.
+  if [[ "${1-}" == "--" ]]; then
+    shift
+  fi
+
+  ### Now: "$@" are exactly the arguments for the chroot payload ($1,$2,... inside bash -s)
+
+  ### Basic sanitation
+  if [[ -z "${payload_marker}" ]]; then
+
+    do_log "emergency" "file_only" "1080() Empty command passed to 'chroot_script()'."
+    return "${ERR_CHRT_COMMAND}"
+
+  fi
+
+  ### Main wrapper.
+  if ! chroot "${var_chroot_target}" /usr/bin/env -i \
+    HOME="/root" \
+    PATH="${var_default_path}" \
+    TERM="${TERM}" \
+    LANG="C.UTF-8" \
+    LC_ALL="C.UTF-8" \
+    DEBIAN_FRONTEND="noninteractive" \
+    APT_LISTCHANGES_FRONTEND="none" \
+    /bin/bash -o errexit -o errtrace -o functrace -o nounset -o pipefail \
+    -O inherit_errexit -O failglob -O lastpipe -s -- "$@"
+
+  then
+
+    do_log "${var_log_level_on_error}" "file_only" "1080() Command of ${var_mod} [chroot ${var_chroot_target} /usr/bin/env -i HOME=/root PATH=${var_default_path} TERM=${TERM} LANG=C.UTF-8 LC_ALL=C.UTF-8 DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=none /bin/bash -s] failed."
+
+    if [[ "${VAR_CHROOT_DEBUG}" == "true" ]]; then
+
+      if [[ "${VAR_DEBUG_TRACE}" == "true" || "${VAR_DEBUG_TRAP}" == "true" ]]; then
+
+        dump_vars_exiting
+
+      fi
+
+      case "${VAR_IN_DIALOG_WR}" in
+        box   ) dialog_box_cleaner   ;;
+        gauge ) dialog_gauge_cleaner ;;
+        text  ) dialog_text_cleaner  ;;
+        *     ) : ;;
+      esac
+
+      do_log "emergency" "tty" "1080() Launching interactive debug shell in chroot: '${var_chroot_target}'."
+
+      chroot "${var_chroot_target}" /bin/bash -l
+
+    else
+
+      return "${ERR_CHRT_COMMAND}"
+
+    fi
+
+  else
+
+    do_log "info" "file_only" "1080() Command of ${var_mod} [chroot ${var_chroot_target} /usr/bin/env -i HOME=/root PATH=${var_default_path} TERM=${TERM} LANG=C.UTF-8 LC_ALL=C.UTF-8 DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=none /bin/bash -s] successful."
+    return 0
+
+  fi
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f chroot_stdin
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1000_helper/1081_helper_grub.sh

@@ -13,7 +13,7 @@
 ### Options in "GRUB_CMDLINE_LINUX" are always effective.
 ### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Helper module to extract the current GRUB CMDLINE strings.
@@ -98,6 +98,9 @@ grub_extract_current_string() {
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f grub_extract_current_string
 
 #######################################
 # Helper module to finish the modified GRUB CMDLINE strings.
@@ -117,32 +120,21 @@ grub_extract_current_string() {
 grub_finalize_string() {
   ### Declare Arrays, HashMaps, and Variables.
   declare     var_file="${TARGET}/etc/default/grub.d/99-ciss-cmdline.cfg"
-  declare     var_linux="${VV_GRUB_CMDLINE_LINUX//\'/\'\"\'\"\'}"
+  declare     var_linux="${VV_GRUB_CMDLINE_LINUX}"
-  declare     var_linux_default="${VV_GRUB_CMDLINE_LINUX_DEFAULT//\'/\'\"\'\"\'}"
+  declare     var_linux_default="${VV_GRUB_CMDLINE_LINUX_DEFAULT}"
   declare -gx VAR_GRUB_CMDLINE_LINUX="${VK_GRUB_CMDLINE_LINUX}'${VV_GRUB_CMDLINE_LINUX}'"
   declare -gx VAR_GRUB_CMDLINE_LINUX_DEFAULT="${VK_GRUB_CMDLINE_LINUX_DEFAULT}'${VV_GRUB_CMDLINE_LINUX_DEFAULT}'"
 
   mkdir -p "${TARGET}/etc/default/grub.d"
 
-  cat << EOF >| "${var_file}"
+  insert_header   "${var_file}"
-# SPDX-Version: 3.0
+  insert_comments "${var_file}"
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+  cat << EOF >>   "${var_file}"
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
 ### Options in "GRUB_CMDLINE_LINUX" are always effective.
 ### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
 
 EOF
 
-  insert_comments "${TARGET}/etc/default/grub.d/99-ciss-cmdline.cfg"
-
   umask 0022
   {
     printf "GRUB_CMDLINE_LINUX='%s'\n"         "${var_linux}"
@@ -157,4 +149,7 @@ EOF
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f grub_finalize_string
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1000_helper/1082_helper_modules.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Wrapper for preparing logfile inside chroot.
@@ -28,6 +28,9 @@ chroot_logger() {
   chmod 0600 "${var_logfile}" || "${ERR_CHROOT_LOGGER}"
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f chroot_logger
 
 #######################################
 # Helper Module to generate a Subnet Mask out of an IP in CCDIR Notation.
@@ -50,6 +53,9 @@ generate_subnetmask() {
   printf '%s' "${var_has_ipv4_subnet}"
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_subnetmask
 
 #######################################
 # Collect NIC driver modules for initramfs installation (no lspci required).
@@ -92,7 +98,9 @@ grep_nic_driver_modules() {
 
   return 0
 }
-
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f grep_nic_driver_modules
 
 #######################################
 # Wrapper to insert the metadata field into the specified file.
@@ -128,6 +136,9 @@ insert_comments() {
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f insert_comments
 
 #######################################
 # Wrapper to insert the SPDX Header into the specified file.
@@ -160,11 +171,18 @@ EOF
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f insert_header
 
 #######################################
 # Helper module for update, full dist-upgrade, autoclean, autopurge and autoremove.
+# Globals:
+#   None
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 update_upgrade() {
   apt-get update
@@ -172,5 +190,9 @@ update_upgrade() {
   apt-get autoclean -y
   apt-get autopurge -y
   apt-get autoremove -y
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f update_upgrade
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1000_helper/1084_helper_sanitizer.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Remove any leading or trailing whitespace.
@@ -22,6 +22,9 @@ remove_whitespace() {
   declare var_out=$(printf "%s" "$1" | xargs)
   printf '%s' "${var_out}"
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f remove_whitespace
 
 #######################################
 # Function to escape all shell metacharacters
@@ -33,6 +36,9 @@ sanitize_input() {
   ### %q quotes the string so that the shell re-reads it as the original literal
   printf '%q' "${input}"
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f sanitize_input
 
 #######################################
 # Function to remove any character not in the allowed set
@@ -46,4 +52,7 @@ sanitize_string() {
   declare allowed='a-zA-Z0-9._/=\[\]:"\-+ '
   printf '%s' "${input}" | tr -cd "${allowed}"
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f sanitize_string
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1000_helper/1085_helper_secure_dl.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Wrapper for secure curl.
@@ -42,6 +42,9 @@ scurl() {
     return "${ERR_DOWNLOAD_FAILED}"
   fi
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f scurl
 
 #######################################
 # Wrapper for secure wget.
@@ -73,4 +76,7 @@ swget() {
     return "${ERR_DOWNLOAD_FAILED}"
   fi
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f swget
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1000_helper/1086_helper_yaml.sh

@@ -10,10 +10,12 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
-# yq_val <YQ expression> <file> - Returns value, converts null to ""
+# yq_val <YQ expression> <file> - Returns value, converts null to "".
+# Globals:
+#   None
 # Arguments:
 #   1: Key String to evaluate
 #   2: YAML File
@@ -23,4 +25,7 @@ yq_val() {
   [[ "${var_h}" == null ]] && var_h=""
   printf '%s' "${var_h}"
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f yq_val
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1000_helper/README/README_1080.md

@@ -0,0 +1,131 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.installer
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
+**Master Version**: 8.00<br>
+**Build**: V8.00.000.2025.06.17<br>
+
+# 2. [1080_helper_chroot.sh](../1080_helper_chroot.sh)
+**Scope:** This note explains *what to use when* among
+* `chroot_exec()`, 
+* `chroot_script()`, and 
+* `chroot_stdin()`.
+
+## 2.1. When to use what
+- **`chroot_exec (target, argv...)`** — *Simple, argv-style commands.*  
+  Use it whenever you type a short command with discrete arguments (no shell features).  
+  Examples from the updated user provisioning flow: `getent`, `groupadd`, `useradd`, `usermod`, `chsh`.
+
+- **`chroot_script (target, "shell pipeline | redir && control-flow")`** — *Anything that needs a shell.*  
+  Use it for pipelines, redirections, variable expansions, conditionals/loops, or tools that **expect** to run under a shell
+  (e.g., `visudo` with `EDITOR=...`, `logrotate -d ... >> logfile`).
+
+- **`chroot_stdin (target) <<'EOF' ... EOF`** — *Long, multi-line payloads without argv/ARG_MAX pain.*  
+  Use it to stream robust, quoting-safe scripts via **stdin** (`bash -s`). Ideal for multi-line `awk`/`sed` edits, or any 
+  content that would otherwise suffer from nested quoting or size limits if passed via `-c`. The helper sets up `bash -s` with 
+  strict shell options; ones provide the payload on stdin.
+
+All three helpers run with a *minimal, deterministic* environment via `env -i`, reintroducing only:
+* `HOME`,
+* `PATH`,
+* `TERM`,
+* `LANG/LC_ALL`, and 
+* noninteractive APT settings. 
+This ensures reproducibility and reduces the risk of ambient-environment leakage.
+
+## 2.2. Design rationale
+
+### 2.2.1. `chroot_exec()` — argv purity, preflight, the least overhead
+**Best for:** idempotent system administration commands that do not require shell parsing.
+
+**Key traits**
+- **Preflight binary presence** with `which` inside the chroot before running the command — early, clear failure if a package 
+  was not installed yet.
+- **Sanitized environment** (`env -i` with a strict default PATH and essential variables) for deterministic behavior.
+- **Straight argv execution** — no shell interpretation; no quoting games.
+
+**When _not_ to use**  
+If you need a pipe, a redirect, variable expansion, or inline control flow — switch to `chroot_script` 
+(or `chroot_stdin` for long fragments).
+
+### 2.2.2. `chroot_script()` — controlled shell, explicit `-c`
+**Best for:** single-line pipelines and short shell snippets.
+
+**Key traits**
+- Launches `/bin/bash` with strict options: `errexit`, `errtrace`, `functrace`, `nounset`, `pipefail`, plus Bash options
+  `inherit_errexit`, `failglob`, `lastpipe`. This makes subtle failures visible and prevents masked errors in pipelines.
+- Same **minimal environment** as `chroot_exec()`.
+- **Debug path**: on failure and if debugging flags are enabled, it drops into an interactive shell in the chroot for immediate
+  triage.
+
+**Trade-offs**
+- The entire snippet becomes **one long argument** to `bash -c`. Very long or quote-dense payloads hit **`argv+env` limits** 
+and are harder to lint. Prefer `chroot_stdin` for larger edits.
+
+### 2.2.3 `chroot_stdin()` — robust multi-line scripts via `bash -s`
+**Best for:** complex, multi-line payloads (Heredoc), quoting-heavy `awk`/`sed` programs, or anything beyond a small snippet.
+
+**Key traits**
+- Uses `bash -s` under the same strict shell options as `chroot_script`, but reads the script from **stdin**.
+- Avoids **`argv`** size and **'ARG_MAX'** constraints entirely; ideal for longer program fragments.
+- Greatly simplifies quoting: with a **single-quoted** heredoc (`<<'EOF'`) in the caller, you eliminate shell expansion 
+  surprises and keep editors/IDEs happy.
+
+## 2.3. Common foundation across all helpers
+- **Minimal, controlled environment via `env -i`**, whitelisting only the necessities (`HOME`, `PATH`, `TERM`, `LANG/LC_ALL`, 
+  noninteractive APT vars). This blocks noisy caller environments from leaking into the chroot and keeps behavior reproducible 
+  across systems. 
+- **Strict Bash modes** in the shell-based helpers — the effective default for the installer — to fail fast and surface latent 
+  errors. 
+- **Structured logging** for both success and failure paths, and an **interactive debug shell** when requested by the debug flags.
+
+## 2.4. Decision guide
+- **Is it a single command with clean argv?** → `chroot_exec`.
+- **Is it a short shell line with redirection/pipe/env assignment?** → `chroot_script`.
+- **Is it long, quote-heavy, or multi-line logic?** → `chroot_stdin` with a single-quoted heredoc.
+
+If in doubt, start with `chroot_exec`. The moment you need a shell feature, jump to `chroot_script`. If your `-c` string grows
+past comfort (readability, quoting, or length), upgrade to `chroot_stdin`.
+
+## 2.5. Subtleties and gotchas (and how the helpers address them)
+- **ARG_MAX and long `-c` strings:** `bash -c` places the entire script in `argv`. On typical Linux systems you effectively have
+  ≈2 MiB for argv+env; very long strings or large environments hit `E2BIG`. `bash -s` (stdin) avoids this entirely.
+
+- **Quoting pitfalls:** Nested single quotes within single-quoted strings become painful; Heredoc's with `<<'EOF'` (stdin) 
+  eliminate accidental expansions and simplify review.
+
+- **Locale-sensitive regex:** Always set `LC_ALL=C` for tools like `awk` to get predictable `[[:class:]]` semantics and bytewise
+  collation in system config edits.
+
+- **Partially writes / truncated files:** When editing files, write to a `*.new` and then `mv -f` only after `test -s` (non-empty)
+  to guard against empty outputs in case of earlier errors.
+
+- **Debug ergonomics:** The helpers integrate a conditional drop-in shell on failures when `VAR_CHROOT_DEBUG` (and related flags)
+  is enabled, enabling immediate forensics inside the target environment.
+
+## 2.6. Antipatterns (what to avoid)
+- **Using `chroot_exec` for anything involving the shell.** That defeats the argv-only contract and will either fail or behave unexpectedly.
+- **Packing large scripts into `-c` strings.** Hard to quote, hits argv limits, and clutters process lists. Prefer stdin.
+- **Relying on the caller’s ambient environment.** The helpers intentionally use `env -i` to avoid such a leakage; do not
+  reintroduce it unless you must.
+
+# 3. Appendix — Helper signatures & guarantees
+- **`chroot_exec(target, argv...)`**
+  - Preflights the binary using `which` inside the chroot; fails early if missing.
+  - Runs with a minimal, deterministic environment.
+
+- **`chroot_script(target, "code", [loglevel])`**
+  - Executes `bash -c "code"` under strict bash options; minimal environment; rich failure logging and optional interactive debug.
+
+- **`chroot_stdin(target, "marker", [loglevel]) <<'EOF' ... EOF`**
+  - Executes `bash -s` under strict bash options; minimal environment; same debug path; payload read from stdin, avoiding 
+    argv/ARG_MAX issues.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

func/cdi_1200_validation/1220_validation_element.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Checks if a search pattern / string / value is present in an array.
@@ -31,4 +31,7 @@ validation_array() {
   done
   return 1
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f validation_array
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1200_validation/1221_validation_ip.sh

@@ -10,12 +10,12 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # IPv4 validation.
 # Globals:
-#   ERR_INVALID_IPV4
+#   None
 # Arguments:
 #   1: IPv4 to validate.
 # Returns:
@@ -30,6 +30,9 @@ validation_ipv4() {
     return "${ERR_INVALID_IPV4}"
   fi
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f validation_ipv4
 
 #######################################
 # IPv6 validation, including
@@ -38,7 +41,7 @@ validation_ipv4() {
 #   - Addresses with embedded IPv4 addresses like ::ffff:192.0.2.128
 #   - Link-local addresses like fe80::1%eth0
 # Globals:
-#   ERR_INVALID_IPV6
+#   None
 # Arguments:
 #   1: IPv6 address
 # Returns:
@@ -88,11 +91,14 @@ validation_ipv6() {
   ### Success
   do_log "info" "file_only" "'${var_ip}' seems to be a valid IPv6."
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f validation_ipv6
 
 #######################################
 # Port validation.
 # Globals:
-#   ERR_INVALID_PORT
+#   None
 # Arguments:
 #   1: Port number
 # Returns:
@@ -107,4 +113,7 @@ validation_port() {
     return "${ERR_INVALID_PORT}"
   fi
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f validation_port
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1200_validation/1222_validation_preseed.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Validate all preseed network variables (IPv4 & IPv6)
@@ -60,4 +60,7 @@ validation_preseed() {
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f validation_preseed
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1250_yaml/1250_yaml_parser.sh

@@ -10,11 +10,13 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Parsing './.preseed/preseed.yaml' and './.preseed/partitioning.yaml'.
 # Globals:
+#   ARY_ALLOW_IPV4
+#   ARY_ALLOW_IPV6
 #   ARY_BOOTPARAM
 #   ARY_LOCALE
 #   ARY_NTPSRVR
@@ -32,9 +34,9 @@ guard_sourcing
 yaml_parser() {
   ### Declare Arrays, HashMaps, and Variables.
   # shellcheck disable=SC2034
-  declare -ag  ARY_BOOTPARAM=() ARY_LOCALE=() ARY_NTPSRVR=() ARY_PACKAGES=()
+  declare -ag  ARY_ALLOW_IPV4=() ARY_ALLOW_IPV6=() ARY_BOOTPARAM=() ARY_LOCALE=() ARY_NTPSRVR=() ARY_PACKAGES=()
-  declare -gix VAR_USER_MAX=0
+  declare -gix VAR_USER_MAX=-1
-  declare      var_index="" var_key="" var_value=""
+  declare      var_index="" var_key="" var_value="" _=""
 
   cat "${DIR_CNF}/preseed.yaml" "${DIR_CNF}/partitioning.yaml" >| "${DIR_TMP}/combined.yaml"
 
@@ -42,32 +44,50 @@ yaml_parser() {
 
   ### Generate Arrays for [Grub Parameter], [Locales], [NTPSec Server FQDN], [Software Packages].
   while IFS='=' read -r var_key var_value; do
+
     var_value=${var_value#\'}
     var_value=${var_value%\'}
-    # shellcheck disable=SC2034
+
+    # shellcheck disable=SC2034,SC2249
     case "${var_key}" in
+
       grub_parameter_[0-9]*) ARY_BOOTPARAM+=("${var_value}")  ;;
       locale_locale_[0-9]*)  ARY_LOCALE+=("${var_value}")     ;;
       ntp_server_[0-9]*)     ARY_NTPSRVR+=("${var_value}")    ;;
+      ssh_allow_ipv4_[0-9]*) ARY_ALLOW_IPV4+=("${var_value}") ;;
+      ssh_allow_ipv6_[0-9]*) ARY_ALLOW_IPV6+=("${var_value}") ;;
       software_[0-9]*)       ARY_PACKAGES+=("${var_value}")   ;;
+
     esac
+
   done < "${VAR_PRESEED}"
 
+  var_key=""
+
   ### Search all set variables for user_userN_name patterns.
   # shellcheck disable=SC2312
-  while IFS='=' read -r var_index; do
+  while IFS='=' read -r var_key _; do
-    if [[ "${var_index}" =~ ^user_user([0-9]+)_name$ ]]; then
-      var_index="${BASH_REMATCH[1]}"
-      (( var_index > VAR_USER_MAX )) && VAR_USER_MAX="${var_index}"
-    fi
-  done < <(compgen -v)
 
-  ### Remove obsolete variables, normalize empty assignments, wrap remaining values in single quotes
+    ### Accept any of these keys: name, fullname, uid, gid, shell, password, sshpubkey, authentication_* and privileges_*
+    if [[ "${var_key}" =~ ^user_user([0-9]+)_(name|fullname|uid|gid|shell|password|sshpubkey|authentication_[A-Za-z0-9_]+|privileges_[A-Za-z0-9_]+)$ ]]; then
+      var_index=${BASH_REMATCH[1]}
+      (( var_index > VAR_USER_MAX )) && VAR_USER_MAX=var_index
+    fi
+
+  done < "${VAR_PRESEED}"
+
+  ### If nothing matched, default to 0 (only user 0).
+  (( VAR_USER_MAX < 0 )) && VAR_USER_MAX=0
+  do_log "info" "file_only" "1250() Found highest User #: '${VAR_USER_MAX}'."
+
+  ### Remove obsolete variables, normalize empty assignments, wrap remaining values in single quotes.
   sed -i -E '
     # --- Deletions --------------------------------------------------------
     /^grub_parameter_[0-9]+=/d         # delete grub parameter variables
     /^locale_locale_[0-9]+=/d          # delete locale variables
     /^ntp_server_[0-9]+=/d             # delete NTP server variables
+    /^ssh_allow_ipv4_[0-9]+=/d         # delete ssh allow IPv4 variables
+    /^ssh_allow_ipv6_[0-9]+=/d         # delete ssh allow IPv6 variables
     /^software_[0-9]+=/d               # delete software list variables
 
     # --- Empty-value normalisation ---------------------------------------
@@ -80,6 +100,9 @@ yaml_parser() {
   # shellcheck disable=SC1090
   . "${VAR_PRESEED}"
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f yaml_parser
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1250_yaml/1251_yaml_reader.sh

@@ -10,42 +10,53 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Reading and extracting variables from "${PRESEED}".
 # Globals:
 #   BASH_REMATCH
 #   HMP_RECIPE_DEV_PARTITIONS
-#   VAR_ARCHITECTURE
+#   VAR_APT_FULL_UPGRADE       VAR_ARCHITECTURE
-#   VAR_CODENAME
+#   VAR_CHROOT_DEBUG           VAR_CODENAME
-#   VAR_NEED_RUN_IN_TARGET
+#   VAR_DEB822                 VAR_DROPBEAR
-#   VAR_NUKE
+#   VAR_GRUB_PASSWORD          VAR_LUKS_BACKUP
-#   VAR_PRESEED
+#   VAR_LUKS_PGP               VAR_LUKS_URL
-#   VAR_RECIPE_FIRMWARE
+#   VAR_NEED_RUN_IN_TARGET     VAR_NUKE
-#   VAR_RECIPE_HIGHEST_DEVICE
+#   VAR_NUKE_ROUNDS            VAR_PRESEED
-#   VAR_RECIPE_STRING
+#   VAR_PROVIDER               VAR_RECIPE_FIRMWARE
-#   VAR_RECIPE_TABLE
+#   VAR_RECIPE_HIGHEST_DEVICE  VAR_RECIPE_STRING
-#   VAR_RECOVERY
+#   VAR_RECIPE_TABLE           VAR_RECOVERY
-#   architecture
+#   VAR_SEC_FW                 VAR_SSH_CA
-#   distribution
+#   VAR_SSH_PORT               VAR_UFW_OUT
-#   needrun
+#   VAR_USER_ROOT_SPECIFIC
+#   apt_default_deb822         apt_full_upgrade
+#   architecture               chroot_debug
+#   distribution               dropbear_boot
+#   grub_password              needrun
+#   provider                   security_ext
+#   security_ufw_out           ssh_port
+#   ssh_root_ca                user_root_specific
 # Arguments:
 #   None
 # Returns:
 #   0: on success
-#   ERR_NO_VALID_RECIPE
+#   ERR_NO_VALID_RECIPE: on failure
 #######################################
 yaml_reader() {
   ### Declare Arrays, HashMaps, and Variables.
   # shellcheck disable=SC2034
   declare -Ag HMP_RECIPE_DEV_PARTITIONS=()
   declare -gx VAR_RECIPE_STRING="" VAR_RECIPE_HIGHEST_DEVICE="" VAR_ARCHITECTURE="" VAR_RECIPE_FIRMWARE="" VAR_NUKE="" \
-              VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false" VAR_CODENAME="" VAR_DROPBEAR="" VAR_RECOVERY=""
+              VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false" VAR_CODENAME="" VAR_DROPBEAR="" VAR_RECOVERY="" \
+              VAR_GRUB_PASSWORD="false" VAR_SSH_PORT="22" VAR_DEB822="true" VAR_PROVIDER="" VAR_SSH_CA="" VAR_UFW_OUT="deny" \
+              VAR_CHROOT_DEBUG="false" VAR_SEC_FW="selinux" VAR_APT_FULL_UPGRADE="true" VAR_LUKS_BACKUP="false" \
+              VAR_LUKS_URL="" VAR_LUKS_PGP="" VAR_USER_ROOT_SPECIFIC=""
   ### Declare and substitute input files.
   declare -r  var_if="${VAR_PRESEED}"
   declare     var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \
-              recipe_firmware_var="" recipe_nuke_var="" recipe_nuke_rounds_var="" recipe_table_var="" recipe_recovery_var=""
+              recipe_firmware_var="" recipe_nuke_var="" recipe_nuke_rounds_var="" recipe_table_var="" recipe_recovery_var="" \
+              recipe_luks_var="" recipe_luks_url="" recipe_luks_pgp=""
 
   ### Read "${var_if}" line by line.
   while IFS= read -r var_line; do
@@ -137,16 +148,42 @@ END { print max }
 
   done
 
+  ### Extract APT file format.
+  # shellcheck disable=SC2034
+  VAR_DEB822="${apt_default_deb822,,}"
+
+  ### Extract Upgrade Policy.
+  # shellcheck disable=SC2034
+  VAR_APT_FULL_UPGRADE="${apt_full_upgrade,,}"
+
   ### Extract architecture.
   # shellcheck disable=SC2034
   VAR_ARCHITECTURE="${architecture,,}"
 
+  ### Extract chroot debug policy.
+  # shellcheck disable=SC2034
+  VAR_CHROOT_DEBUG="${chroot_debug,,}"
+
+  ### Extract distribution.
   # shellcheck disable=SC2034
   VAR_CODENAME="${distribution,,}"
 
+  ### Extract dropbear installation.
   # shellcheck disable=SC2034
   VAR_DROPBEAR="${dropbear_boot,,}"
 
+  ### Extract grub password installation.
+  # shellcheck disable=SC2034
+  VAR_GRUB_PASSWORD="${grub_password,,}"
+
+  ### Extract SSH Port.
+  # shellcheck disable=SC2034
+  VAR_SSH_PORT="${ssh_port,,}"
+
+  ### Extract SSH Root CA.
+  # shellcheck disable=SC2034
+  VAR_SSH_CA="${ssh_root_ca,,}"
+
   ### Extract chroot secure '/run' mounting strategy.
   # shellcheck disable=SC2034
   VAR_NEED_RUN_IN_TARGET="${needrun,,}"
@@ -155,6 +192,19 @@ END { print max }
   recipe_firmware_var="recipe_${VAR_RECIPE_STRING}_control_firmware"
   VAR_RECIPE_FIRMWARE="${!recipe_firmware_var,,}"
 
+  ### Extract the chosen LUKS Backup strategy.
+    recipe_luks_var="recipe_${VAR_RECIPE_STRING}_control_luks_backup"
+    # shellcheck disable=SC2034
+    VAR_LUKS_BACKUP="${!recipe_luks_var,,}"
+
+    recipe_luks_pgp="recipe_${VAR_RECIPE_STRING}_control_luks_backup_pgp"
+    # shellcheck disable=SC2034
+    VAR_LUKS_PGP="${!recipe_luks_pgp,,}"
+
+    recipe_luks_url="recipe_${VAR_RECIPE_STRING}_control_luks_backup_url"
+    # shellcheck disable=SC2034
+    VAR_LUKS_URL="${!recipe_luks_url,,}"
+
   ### Extract the chosen Nuke mechanism.
   recipe_nuke_var="recipe_${VAR_RECIPE_STRING}_control_nuke"
   # shellcheck disable=SC2034
@@ -187,11 +237,30 @@ END { print max }
 
   fi
 
+  ### Extract provider.
+  # shellcheck disable=SC2034
+  VAR_PROVIDER="${provider,,}"
+
   ### Extract the chosen Recovery mechanism.
   recipe_recovery_var="recipe_${VAR_RECIPE_STRING}_control_recovery"
   # shellcheck disable=SC2034
   VAR_RECOVERY="${!recipe_recovery_var,,}"
 
-  guard_dir && return 0
+  ### Extract security extensions.
+  # shellcheck disable=SC2034
+  VAR_SEC_FW="${security_ext,,}"
+
+  ### Extract ufw outgoing policy.
+  # shellcheck disable=SC2034
+  VAR_UFW_OUT="${security_ufw_out,,}"
+
+  ### Extract User Root Specific Branch.
+  # shellcheck disable=SC2034
+  VAR_USER_ROOT_SPECIFIC="${user_root_specific,,}"
+
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f yaml_reader
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1250_yaml/1252_yaml_validator.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Extended dynamic network variable checks and declarations depending on preseed.yaml.
@@ -22,11 +22,14 @@ guard_sourcing
 #   VAR_FINAL_IPV4_GW
 #   VAR_FINAL_IPV4_SUBNET
 #   VAR_FINAL_IPV6
+#   VAR_FINAL_IPV6_CIDR
+#   VAR_FINAL_IPV6_GW
 #   VAR_FINAL_NIC
 #   VAR_LINK_IPV6
 #   network_autoconfig_enable
 #   network_choose_interface_static
 #   network_hostname
+#   network_ipv6
 #   network_static_ipv4address
 #   network_static_ipv4gateway
 #   network_static_ipv4nameserver_0
@@ -37,12 +40,14 @@ guard_sourcing
 #   network_static_ipv4nameserver_fallback_1
 #   network_static_ipv4netmask
 #   network_static_ipv6address
+#   network_static_ipv6gateway
 #   network_static_ipv6nameserver_0
 #   network_static_ipv6nameserver_1
 #   network_static_ipv6nameserver_2
 #   network_static_ipv6nameserver_3
 #   network_static_ipv6nameserver_fallback_0
 #   network_static_ipv6nameserver_fallback_1
+#   network_static_ipv6netmask
 # Arguments:
 #   None
 # Returns:
@@ -52,10 +57,10 @@ yaml_validator() {
   ### Declare Arrays, HashMaps, and Variables.
   # shellcheck disable=SC2034
   declare -ag ARY_IPV4_NS=() ARY_IPV6_NS=()
-  declare     var_auto_nic="" var_auto_ipv4="" var_auto_ipv4_ccidr="" var_auto_ipv4_subnet="" var_auto_ipv4_gw="" \
+  declare     var_auto_nic="" var_auto_ipv4="" var_auto_ipv4_cidr="" var_auto_ipv4_subnet="" var_auto_ipv4_gw="" \
-              var_auto_ipv6="" var_auto_ipv6_ccidr="" var_auto_ipv6_gw="" var_link_ipv4="" var_link_ipv6="" var_auto_fqdn=""
+              var_auto_ipv6="" var_auto_ipv6_cidr="" var_auto_ipv6_gw="" var_link_ipv4="" var_link_ipv6="" var_auto_fqdn=""
   declare -gx VAR_FINAL_NIC="" VAR_FINAL_FQDN="" VAR_FINAL_IPV4="" VAR_FINAL_IPV4_GW="" VAR_FINAL_IPV4_SUBNET="" \
-              VAR_FINAL_IPV6="" VAR_LINK_IPV6="" VAR_FINAL_IPV6_GW="" VAR_FINAL_IPV6_SUBNET=""
+              VAR_FINAL_IPV6="" VAR_LINK_IPV6="" VAR_FINAL_IPV6_GW="" VAR_FINAL_IPV6_CIDR=""
 
   ensure_lowercase "network_autoconfig_enable"
   ensure_lowercase "network_choose_interface_auto"
@@ -93,34 +98,36 @@ yaml_validator() {
   var_auto_nic=$(ip -o link show | awk -F': ' '/state UP/ && $2!="lo" {print $2; exit}')
 
   # shellcheck disable=SC2312
-  var_auto_ipv4_ccidr=$(ip -4 -o addr show "${var_auto_nic}" | awk '{print $4; exit}')
+  var_auto_ipv4_cidr=$(ip -4 -o addr show "${var_auto_nic}" | awk '{print $4; exit}')
 
   # shellcheck disable=SC2312
-  var_auto_ipv4_subnet=$(generate_subnetmask "${var_auto_ipv4_ccidr}")
+  var_auto_ipv4_subnet=$(generate_subnetmask "${var_auto_ipv4_cidr}")
 
   # shellcheck disable=SC2312
-  var_auto_ipv4=$(echo "${var_auto_ipv4_ccidr}" | awk -F'/' '{print $1}')
+  var_auto_ipv4=$(echo "${var_auto_ipv4_cidr}" | awk -F'/' '{print $1}')
 
   # shellcheck disable=SC2312
   var_auto_ipv4_gw=$(ip route show default dev "${var_auto_nic}" | awk '/^default/ {print $3; exit}')
 
   # shellcheck disable=SC2312
-  var_auto_ipv6_ccidr=$(ip -6 -o addr show "${var_auto_nic}" | awk '/scope global/ {print $4; exit}')
+  var_auto_ipv6_cidr=$(ip -6 -o addr show "${var_auto_nic}" | awk '/scope global/ {print $4; exit}')
 
-  if [[ -n "${var_auto_ipv6_ccidr}" ]]; then
+  if [[ -n "${var_auto_ipv6_cidr}" ]]; then
 
     # shellcheck disable=SC2312
-    var_auto_ipv6=$(echo "${var_auto_ipv6_ccidr}" | awk -F'/' '{print $1}')
+    var_auto_ipv6=$(echo "${var_auto_ipv6_cidr}" | awk -F'/' '{print $1}')
     # shellcheck disable=SC2312
     var_auto_ipv6_gw=$(ip -6 route show default dev "${var_auto_nic}" | awk '/^default/ {print $3; exit}')
 
   fi
 
   # shellcheck disable=SC2312
-  var_link_ipv4=$(ping -q -c 1 -W 1 -4 debian.org > /dev/null 2>&1 && echo "true" || echo "false")
+  var_link_ipv4="$(probe_link 4 heise.de)"
+  #var_link_ipv4=$(ping -q -c 1 -W 1 -4 heise.de > /dev/null 2>&1 && echo "true" || echo "false")
 
   # shellcheck disable=SC2312
-  var_link_ipv6=$(ping -q -c 1 -W 1 -6 debian.org > /dev/null 2>&1 && echo "true" || echo "false")
+  var_link_ipv6="$(probe_link 6 heise.de)"
+  #var_link_ipv6=$(ping -q -c 1 -W 1 -6 heise.de > /dev/null 2>&1 && echo "true" || echo "false")
 
   # shellcheck disable=SC2312
   var_auto_fqdn="$( getent hosts "${var_auto_ipv4}" | awk '{print $2}' | head -n1 )"
@@ -128,17 +135,17 @@ yaml_validator() {
   var_auto_fqdn="${var_auto_fqdn%.}"
   var_auto_fqdn="${var_auto_fqdn,,}"
 
-  do_log "info" "file_only" "1252() Live environment network check: Auto NIC          ='${var_auto_nic}'."
+  do_log "info" "file_only" "1252() Live environment network check: Auto NIC          = ${var_auto_nic}"
-  do_log "info" "file_only" "1252() Live environment network check: Auto IPv4         ='${var_auto_ipv4}'."
+  do_log "info" "file_only" "1252() Live environment network check: Auto IPv4         = ${var_auto_ipv4}"
-  do_log "info" "file_only" "1252() Live environment network check: Auto IPv4 CCIDR   ='${var_auto_ipv4_ccidr}'."
+  do_log "info" "file_only" "1252() Live environment network check: Auto IPv4 CCIDR   = ${var_auto_ipv4_cidr}"
-  do_log "info" "file_only" "1252() Live environment network check: Auto IPv4 Subnet  ='${var_auto_ipv4_subnet}'."
+  do_log "info" "file_only" "1252() Live environment network check: Auto IPv4 Subnet  = ${var_auto_ipv4_subnet}"
-  do_log "info" "file_only" "1252() Live environment network check: Auto IPv4 Gateway ='${var_auto_ipv4_gw}'."
+  do_log "info" "file_only" "1252() Live environment network check: Auto IPv4 Gateway = ${var_auto_ipv4_gw}"
-  do_log "info" "file_only" "1252() Live environment network check: Auto IPv6         ='${var_auto_ipv6}'."
+  do_log "info" "file_only" "1252() Live environment network check: Auto IPv6         = ${var_auto_ipv6}"
-  do_log "info" "file_only" "1252() Live environment network check: Auto IPv6 CCIDR   ='${var_auto_ipv6_ccidr}'."
+  do_log "info" "file_only" "1252() Live environment network check: Auto IPv6 CCIDR   = ${var_auto_ipv6_cidr}"
-  do_log "info" "file_only" "1252() Live environment network check: Auto IPv6 Gateway ='${var_auto_ipv6_gw}'."
+  do_log "info" "file_only" "1252() Live environment network check: Auto IPv6 Gateway = ${var_auto_ipv6_gw}"
-  do_log "info" "file_only" "1252() Live environment network check: Auto IPv4 Link    ='${var_link_ipv4}'."
+  do_log "info" "file_only" "1252() Live environment network check: Auto IPv4 Link    = ${var_link_ipv4}"
-  do_log "info" "file_only" "1252() Live environment network check: Auto IPv6 Link    ='${var_link_ipv6}'."
+  do_log "info" "file_only" "1252() Live environment network check: Auto IPv6 Link    = ${var_link_ipv6}"
-  do_log "info" "file_only" "1252() Live environment network check: Auto FQDN         ='${var_auto_fqdn}'."
+  do_log "info" "file_only" "1252() Live environment network check: Auto FQDN         = ${var_auto_fqdn}"
 
   ### Export hostname and IPv4 and IPv6 addresses for further processing according to dynamic results and preseed.yaml settings.
   if [[ "${network_autoconfig_enable}" == "true" ]]; then
@@ -154,9 +161,9 @@ yaml_validator() {
     # shellcheck disable=SC2034
     VAR_FINAL_IPV4_SUBNET="${var_auto_ipv4_subnet}"
 
-    do_log "info" "file_only" "1252() Network IPv4 autoconfiguration: [${network_autoconfig_enable}]."
+    do_log "info" "file_only" "1252() Network IPv4 auto configuration: [${network_autoconfig_enable}] and IPv4 Link: [${var_link_ipv4}]."
 
-  else
+  elif [[ "${network_autoconfig_enable}" == "false" ]]; then
 
     # shellcheck disable=SC2034
     VAR_FINAL_NIC="${network_choose_interface_static}"
@@ -169,11 +176,16 @@ yaml_validator() {
     # shellcheck disable=SC2034
     VAR_FINAL_IPV4_SUBNET="${network_static_ipv4netmask}"
 
-    do_log "info" "file_only" "1252() Network IPv4 autoconfiguration: [${network_autoconfig_enable}]."
+    do_log "info" "file_only" "1252() Network IPv4 static configuration: [${network_static_ipv4address}] and IPv4 Link: [${var_link_ipv4}]."
+
+  elif [[ "${network_autoconfig_enable}" == "false" && -z "${network_static_ipv4address}" ]]; then
+
+    do_log "info" "file_only" "1252() Network IPv4: no IPv4 configuration applied."
 
   fi
 
-  if [[ "${network_autoconfig_enable}" == "true" && "${var_link_ipv6}" == "true" ]]; then
+
+  if [[ "${network_autoconfig_enable}" == "true" && "${network_ipv6}" == "true" && -z "${network_static_ipv6address}" ]]; then
 
     # shellcheck disable=SC2034
     VAR_FINAL_IPV6="${var_auto_ipv6}"
@@ -182,31 +194,81 @@ yaml_validator() {
     # shellcheck disable=SC2034
     VAR_FINAL_IPV6_GW="${var_auto_ipv6_gw}"
     # shellcheck disable=SC2034
-    VAR_FINAL_IPV6_SUBNET="${var_auto_ipv6_ccidr}"
+    VAR_FINAL_IPV6_CIDR="${var_auto_ipv6_cidr}"
 
     do_log "info" "file_only" "1252() Network IPv6 auto configuration: [${network_autoconfig_enable}] and IPv6 Link: [${var_link_ipv6}]."
 
-  elif [[ "${network_autoconfig_enable}" == "false" && -n "${network_static_ipv6address}" ]]; then
+  elif [[ -n "${network_static_ipv6address}" ]]; then
 
-    # shellcheck disable=SC2034
-    VAR_LINK_IPV6="${var_link_ipv6}"
     # shellcheck disable=SC2034
     VAR_FINAL_IPV6="${network_static_ipv6address}"
     # shellcheck disable=SC2034
+    VAR_LINK_IPV6="${var_link_ipv6}"
+    # shellcheck disable=SC2034
     VAR_FINAL_IPV6_GW="${network_static_ipv6gateway}"
     # shellcheck disable=SC2034
-    VAR_FINAL_IPV6_SUBNET="${network_static_ipv6netmask}"
+    VAR_FINAL_IPV6_CIDR="${network_static_ipv6address}/${network_static_ipv6netmask}"
 
-    do_log "info" "file_only" "1252() Network IPv6 autoconfiguration: [${network_autoconfig_enable}] and IPv6 static: [${network_static_ipv6address}]."
+    do_log "info" "file_only" "1252() Network IPv6 static configuration: [${network_static_ipv6address}] and IPv6 Link: [${var_link_ipv6}]."
 
   else
 
     # shellcheck disable=SC2034
     VAR_FINAL_IPV6=""
-    do_log "info" "file_only" "1252() Network IPv6 autoconfiguration: no IPv6 configuration applied."
+    do_log "info" "file_only" "1252() Network IPv6: no IPv6 configuration applied."
 
   fi
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f yaml_validator
+
+#######################################
+# Network connectivity prober.
+# Globals:
+#   network_timeout_linkwait
+# Arguments:
+#   1: IP-Family
+#   2: TLD to probe
+# Returns:
+#   0: on success
+#######################################
+probe_link() {
+  declare -r  var_fam="${1:-4}"           # "4" or "6"
+  declare -r  var_target="${2:-heise.de}" # hostname or IP
+  declare     var_ok="false"
+
+  ### 1) Try ping (quiet, 1 probe, 3s deadline)
+  if ping -q -c 1 -W "${network_timeout_linkwait:-3}" "-${var_fam}" "${var_target}" >/dev/null 2>&1; then
+
+    var_ok="true"
+
+  else
+
+    ### 2) Fallback: mtr in report mode (non-interactive), no DNS to avoid TUI/delays.
+    if command -v mtr >/dev/null 2>&1; then
+
+      ### Treat as success if ANY hop resolves to something other than "???".
+      ### '-r = report', '-c 2 = two cycles', -n = no DNS, -4/-6 = address family
+
+      # shellcheck disable=SC2312
+      if mtr "-${var_fam}" -r -c 3 -n "${var_target}" 2>/dev/null \
+        | awk 'NR>2 && $2!="???"{ok=1} END{exit ok?0:1}'; then
+
+        var_ok="true"
+
+      fi
+
+    fi
+
+  fi
+
+  printf '%s' "${var_ok}"
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f probe_link
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1250_yaml/1256_yaml_xfiles.sh

@@ -0,0 +1,271 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
+
+#######################################
+# Debug helper: list variable names (no values).
+# Globals:
+#   CISS_SECRETS_MAP
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+ciss_secrets_list_names() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_k=""
+
+  for var_k in "${!CISS_SECRETS_MAP[@]}"; do
+
+    printf '%s.value -> %s\n' "${var_k}" "${CISS_SECRETS_MAP[${var_k}]}"
+
+  done
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f ciss_secrets_list_names
+
+#######################################
+# Unset all previously created secret variables.
+# Globals:
+#   CISS_SECRETS_MAP
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+ciss_secrets_unset() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_k="" var_v=""
+
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+  guard_trace on
+
+  for var_k in "${!CISS_SECRETS_MAP[@]}"; do
+
+    var_v="${CISS_SECRETS_MAP[${var_k}]}"
+
+    if [[ -v "${var_v}" ]]; then
+
+      unset -v "${var_v}" 2>/dev/null || true
+
+    fi
+
+  done
+
+  CISS_SECRETS_MAP=()
+
+  guard_trace off
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f ciss_secrets_unset
+
+#######################################
+# Build the canonical var name from a dotted path (without 'secrets.' and without '.value').
+# Globals:
+#   None
+# Arguments:
+#   1: Variable path
+# Returns:
+#   0: on success
+#######################################
+ciss_secret_varname_from_path() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_path="${1:-}"
+
+  var_path="${var_path//[^A-Za-z0-9_]/_}"
+  var_path="${var_path^^}"
+
+  printf 'CISS_SECRET_%s' "${var_path}"
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f ciss_secret_varname_from_path
+
+#######################################
+# Wipes the specified file securely.
+# Globals:
+#   None
+# Arguments:
+#   1: File to wipe
+# Returns:
+#   0: on success
+#######################################
+ciss_secrets_wiper() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_file="${1:-}"
+
+  if [[ -f "${var_file}" ]]; then
+    : >| "${var_file}"
+    shred -vfzu -n 5 "${var_file}" > /dev/null 2>&1 || rm -f -- "${var_file}"
+  fi
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f ciss_secrets_wiper
+
+#######################################
+# Purpose:
+#   Parsing of only "*.value" keys from 'SECRETS.yaml' into Bash globals.
+#   If the file contains SOPS markers, decrypt once (streaming) with sops/age, then yq parses in a single pass.
+#   No base64, plain values preserved (including newlines). No repeated per-key decrypts or yq calls.
+# Conventions:
+#   Variables: CISS_SECRET_<UPPER_SNAKE_CASE_PATH> (PATH excludes "secrets." and trailing ".value")
+#   All with "declare -g" (no export).
+#   Mapping: CISS_SECRETS_MAP["foo.bar"]=CISS_SECRET_FOO_BAR
+# Globals:
+#   CISS_SECRETS_AGE
+#   CISS_SECRETS_MAP
+#   CISS_SECRETS_SOURCE
+#   DIR_CNF
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   ERR_DECRYPTION_SOPS: on failure
+#   ERR_MISSING_AGE_BIN: on failure
+#   ERR_MISSING_AGE_KEY: on failure
+#######################################
+yaml_secret() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  SOPS_AGE_KEY_FILE="${CISS_SECRETS_AGE}"
+  declare -a  __names=()
+  declare     secrets_encrypted="" secrets_if="${CISS_SECRETS_SOURCE}" secrets_of="${DIR_CNF}/SECRETS_DECRYPTED.yaml" \
+              __SECRETS="${DIR_CNF}/SECRETS_BASH.var" \
+              __base="" __name="" __umask="" __path_wo_prefix="" __val="" __varname=""
+
+  __umask=$(umask)
+  umask 0077
+
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+  guard_trace on
+
+  secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_if}")" || secrets_encrypted="false"
+  do_log "debug" "file_only" "1256() 'secrets_encrypted' according to secrets.x_files: '${secrets_encrypted}'."
+
+  if grep -qE '(^|\s)sops:\s*$' -- "${secrets_if}" 2>/dev/null || grep -q 'ENC\[' -- "${secrets_if}" 2>/dev/null; then
+
+    secrets_encrypted="true"
+    do_log "debug" "file_only" "1256() 'secrets_encrypted' according to heuristic mode: '${secrets_encrypted}'."
+
+  fi
+
+
+  if [[ "${secrets_encrypted}" == "true" ]]; then
+
+    if ! command -v sops >/dev/null 2>&1; then
+
+      do_log "fatal" "file_only" "1260() SOPS not found but SECRETS.yaml appears to be SOPS-managed."
+      return "${ERR_MISSING_AGE_BIN}"
+
+    fi
+
+    [[ -r "${SOPS_AGE_KEY_FILE}" ]] || return "${ERR_MISSING_AGE_KEY}"
+
+    sops -d --input-type=yaml --output-type=yaml -- "${secrets_if}" >| "${secrets_of}"
+
+    [[ -r "${secrets_of}" ]] || return "${ERR_DECRYPTION_SOPS}"
+
+    ciss_secrets_wiper "${secrets_if}" && mv "${secrets_of}" "${secrets_if}"
+
+  fi
+
+  yq -o=shell "${secrets_if}" >| "${__SECRETS}" && ciss_secrets_wiper "${secrets_if}"
+
+  ### Keep only '*_value=' lines, normalize empty RHS, quote unquoted simple RHS.
+  LC_ALL=C sed -n -E '
+    /^[[:space:]]*(#|$)/b
+    s/^[[:space:]]*(export|declare[[:space:]]+-x)[[:space:]]+//;
+    /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value=/!b
+
+    s/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value)=[[:space:]]*$/\1='\'''\''/; t print
+    /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value=[[:space:]]*('"'"'|\"|\$'"'"')/b print
+    s/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value)=([^[[:space:]]'"'"'$][^[:space:]]*)[[:space:]]*$/\1='"'"'\2'"'"'/; t print
+    s/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value)=[[:space:]]*(.+)[[:space:]]*$/\1='"'"'\2'"'"'/; t print
+    :print
+    p
+  ' -- "${__SECRETS}" >| "${__SECRETS}.value_only"
+
+  mv -f -- "${__SECRETS}.value_only" "${__SECRETS}"
+
+  # shellcheck disable=SC1091 source=./${__SECRETS}
+  source "${__SECRETS}"
+
+  ciss_secrets_wiper "${__SECRETS}"
+
+  # shellcheck disable=SC2312
+  mapfile -t __names < <(printf '%s\n' "${!secrets_@}")
+
+  for __name in "${__names[@]}"; do
+
+    ### Keep only *_value variables
+    [[ "${__name}" == *_value ]] || continue
+
+    ### Validate strict Bash identifier (defensive: strip accidental CR).
+    __name="${__name%$'\r'}"
+    [[ "${__name}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || continue
+
+    ### Only read if actually set; indirect check without triggering nounset.
+    if [[ -n "${!__name+x}" ]]; then
+
+      __val="${!__name}"
+
+    else
+
+      __val=""
+
+    fi
+
+    ### Strip suffix/prefix for the map key.
+    __base="${__name%_value}"
+    __path_wo_prefix="${__base#secrets_}"
+
+    ### Canonical CISS name.
+    __varname="$(ciss_secret_varname_from_path "${__path_wo_prefix}")"
+
+    ### Assign verbatim (preserves newlines).
+    unset -v "${__varname}"
+    declare -g "${__varname}"
+    printf -v "${__varname}" '%s' "${__val}"
+
+    CISS_SECRETS_MAP["${__path_wo_prefix}"]="${__varname}"
+
+  done
+
+  ### Hygiene: remove the intermediate variables to reduce secret surface, e.g., unset 'secrets_*_value' after transfer.
+  for __name in "${__names[@]}"; do
+
+    unset -v "${__name}"
+
+  done
+
+  umask "${__umask}"
+
+  guard_trace off
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+
+  guard_dir; return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f yaml_secret
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1250_yaml/1257_yaml_xnuke.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
+
+#######################################
+# Generates 'nuke=HASH' Bootparameter.
+# Globals:
+#   CISS_SECRET_LUKS_NUKE
+#   DIR_CNF
+#   VAR_NUKE_HASH
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   ERR_GENERATE_SALT: on failure
+#######################################
+nuke_passphrase() {
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+  guard_trace on
+
+  ### Declare Arrays, HashMaps, and Variables.
+  declare    var_nuke_pwd="${CISS_SECRET_LUKS_NUKE}"
+  declare    var_temp_nuke_hash="" var_salt="" var_nuke_rounds=""
+
+  # shellcheck disable=SC2312
+  var_nuke_rounds="$(
+    yq -r '
+    .recipe
+    | to_entries[]            # iterate recipe items
+    | .value                  # the map under each item
+    | select(has("control") and (.control | has("nuke_rounds")))
+    | .control.nuke_rounds
+    | tostring
+  ' "${DIR_CNF}/partitioning.yaml" | head -n1
+  )"
+
+  [[ -z "${var_nuke_pwd}" ]] && return 0
+
+
+  if ! var_salt="$(generate_salt)"; then
+
+    return "${ERR_GENERATE_SALT}"
+
+  fi
+
+  var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${var_nuke_rounds:-8388608}" "${var_nuke_pwd}")
+
+  # shellcheck disable=SC2034
+  declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}"
+
+  unset var_temp_nuke_hash var_nuke_pwd CISS_SECRET_LUKS_NUKE
+
+  do_log "debug" "file_only" "0105() NUKE hash starts with: [${VAR_NUKE_HASH:0:32}...]"
+
+  guard_trace off
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+
+  guard_dir; return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f nuke_passphrase
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_3200_partitioning/3200_partitioning.sh

@@ -10,13 +10,31 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # EFI System Partition | EF00 | UEFI Bootloader (ESP, FAT32)
 # BIOS Boot Partition  | EF02 | BIOS Bootloader area (GRUB)
 # Linux SWAP           | 8200 | Linux Swap
 # Linux ext4/btrfs     | 8300 | Linux Filesystem (root, home)
+# Linux LUKS           | 8309 | Linux LUKS
+#######################################
+
+#######################################
+# https://uapi-group.org/specifications/specs/discoverable_partitions_specification/
+# https://en.wikipedia.org/wiki/GUID_Partition_Table#Partition_type_GUIDs
+# EFI System Partition, FAT32    | c12a7328-f81f-11d2-ba4b-00a0c93ec93b
+# BIOS Boot Partition GRUB       | 21686148-6449-6e6f-744e-656564454649
+# Extended Boot Loader Partition | bc13c2ff-59e6-4262-a352-b275fd6f7172
+# Linux Generic FS (ext4/btrfs)  | 0fc63daf-8483-4772-8e79-3d69d8477de4
+# Linux LUKS                     | ca7d7ccb-63ed-4c53-861c-1742536059cc
+# Swap                           | 0657fd6d-a4ab-43c4-84e5-0933c84b4f4f
+# /    Partition (amd64/x86_64)  | 4f68bce3-e8cd-4db1-96e7-fbcaf984b709
+# /home                          | 933ac7e1-2eb4-4f13-b844-0e14e2aef915
+# /srv                           | 3b8f8425-20e0-4f3b-907f-1a25a76f98e8
+# /usr Partition (amd64/x86_64)  | 8484680c-9521-48c6-9c11-b0720656f69e
+# /var                           | 4d21b016-b534-45c2-a9fb-5c16e091fd2d
+# /var/tmp                       | 7ec6f557-3bc5-4aca-b293-16ef5df639d1
 #######################################
 
 #######################################
@@ -25,23 +43,28 @@ guard_sourcing
 # - LUKS encryption enabled.
 # - Specific device partition data for each mount path.
 # Globals:
+#   ARY_CRYPT_MOUNT_PATHS
+#   ARY_FORMT_MOUNT_PATHS
 #   ARY_FSTAB_MOUNT_PATHS
+#   ARY_PATHS_SORTED
 #   DIR_LOG
 #   HMP_FSTAB_MOUNT_FTYPE
+#   HMP_PATH_DEV_PART
 #   HMP_PATH_PARTUUID
 #   VAR_RECIPE_FIRMWARE
 #   VAR_RECIPE_STRING
 #   VAR_RECIPE_TABLE
+#   VAR_ROOT_FS
 #   VAR_SETUP_PART
 # Arguments:
 #   None
 # Returns:
-#   ERR_PARTITIONTBL
-#   ERR_PART_CREATE
-#   ERR_PART_READ
-#   ERR_TABLE_CREATE
-#   ERR_TABLE_DELETE
 #   0: on success
+#   ERR_PARTITIONTBL: on failure
+#   ERR_PART_CREATE: on failure
+#   ERR_PART_READ: on failure
+#   ERR_TABLE_CREATE: on failure
+#   ERR_TABLE_DELETE: on failure
 #######################################
 partitioning() {
   ### Declare Arrays, HashMaps, and Variables.
@@ -65,11 +88,14 @@ partitioning() {
 
   declare     var_dev="" var_part="" \
               var_begin="" var_boot="" var_encryption="" var_end="" var_end_arg="" var_end_mib="" var_format="" var_fs="" \
-              var_label="" var_mount_path="" var_mount_true="" var_pri="" var_uuid=""
+              var_label="" var_mount_path="" var_mount_true="" var_pri="" var_uuid="" \
+              typecode="0fc63daf-8483-4772-8e79-3d69d8477de4"
 
   declare -a  ary_devs=() ary_parts=() ary_paths_unsorted=()
 
   declare -i  i=0 var_dev_size=0 var_dev_end=0 var_sec_size=512
+  # shellcheck disable=SC2034
+  declare -g  VAR_ROOT_FS=""
 
   ### Iterate over all devices in the recipe.
   # shellcheck disable=SC2312
@@ -159,6 +185,7 @@ partitioning() {
         var_end_arg="${var_end}"
       fi
 
+      # shellcheck disable=SC2249
       case "${VAR_RECIPE_TABLE,,}" in
 
         gpt)
@@ -190,21 +217,43 @@ partitioning() {
 
       ### Assign the correct GPT typecode via sgdisk if the table is GPT.
       if [[ "${VAR_RECIPE_TABLE,,}" == "gpt" ]]; then
-        declare typecode="8300" # Default: Linux FS
+
+        # shellcheck disable=SC2249
+        case "${var_mount_path,,}" in
+
+          "/")
+            typecode="4f68bce3-e8cd-4db1-96e7-fbcaf984b709" ;;  ### /        Partition (amd64/x86_64)
+
+          "/home")
+            typecode="933ac7e1-2eb4-4f13-b844-0e14e2aef915" ;;  ### /home    Partition
+
+          "/srv")
+            typecode="3b8f8425-20e0-4f3b-907f-1a25a76f98e8" ;;  ### /srv     Partition
+
+          "/usr")
+            typecode="8484680c-9521-48c6-9c11-b0720656f69e" ;;  ### /usr     Partition (amd64/x86_64)
+
+          "/var")
+            typecode="4d21b016-b534-45c2-a9fb-5c16e091fd2d" ;;  ### /var     Partition
+
+          "/var/tmp")
+            typecode="7ec6f557-3bc5-4aca-b293-16ef5df639d1" ;;  ### /var/tmp Partition
+
+        esac
 
         case "${var_fs,,}" in
 
           fat32)
-            typecode="EF00" ;;  ### EFI System Partition
+            typecode="c12a7328-f81f-11d2-ba4b-00a0c93ec93b" ;;  ### EFI System Partition
 
           swap)
-            typecode="8200" ;;  ### Linux SWAP
+            typecode="0657fd6d-a4ab-43c4-84e5-0933c84b4f4f" ;;  ### Linux SWAP [NOT Ephemeral Devices]
 
           bios)
-            typecode="EF02" ;;  ### BIOS Boot Partition
+            typecode="21686148-6449-6e6f-744e-656564454649" ;;  ### BIOS Boot Partition
 
           ext4|btrfs)
-            typecode="8300" ;;  ### Linux native FS
+            typecode="0fc63daf-8483-4772-8e79-3d69d8477de4" ;;  ### Linux native FS
 
           *)
             do_log "warn" "file_only" "3200() Partition: '/dev/${var_dev}${var_part}' unknown FS type: '${var_fs}', using default GPT FS '8300'."
@@ -212,6 +261,23 @@ partitioning() {
 
         esac
 
+        # shellcheck disable=SC2249
+        case "${var_encryption,,}" in
+
+          true)
+
+            case "${var_mount_path,,}" in
+
+              /tmp|swap)
+                typecode="ca7d7ccb-63ed-4c53-861c-1742536059cc" ;;  ### Linux LUKS Partition
+
+              *)
+                typecode="ca7d7ccb-63ed-4c53-861c-1742536059cc" ;;  ### Linux LUKS Partition
+
+            esac
+
+        esac
+
         if sgdisk --typecode="${var_part}:${typecode}" "/dev/${var_dev}" &>/dev/null; then
 
           do_log "info" "file_only" "3200() Partition: '/dev/${var_dev}${var_part}' GPT typecode '${typecode}' set for '${var_fs}'."
@@ -227,6 +293,7 @@ partitioning() {
       ### Set the bootable flag if necessary.
       if [[ "${var_boot,,}" == "true" ]]; then
 
+        # shellcheck disable=SC2249
         case "${VAR_RECIPE_TABLE,,}:${VAR_RECIPE_FIRMWARE,,}" in
 
           gpt:uefi|mbr:uefi)
@@ -248,16 +315,22 @@ partitioning() {
       udevadm settle
 
       for i in {1..10}; do
+
         var_uuid=$(blkid -s PARTUUID -o value "/dev/${var_dev}${var_part}") && [[ -n "${var_uuid}" ]] && break
         sleep 0.25
+
       done
 
       if [[ -z "${var_uuid}" ]]; then
+
         do_log "fatal" "file_only" "3200() Partition: '/dev/${var_dev}${var_part}' could not read PARTUUID."
         return "${ERR_PART_READ}"
+
       else
+
         HMP_PATH_PARTUUID["${var_mount_path}"]="${var_uuid}"
         do_log "debug" "file_only" "3200() [HMP_PATH_PARTUUID]: '${var_mount_path}' -> '${HMP_PATH_PARTUUID["${var_mount_path}"]}'."
+
       fi
 
       ### Gathering information for forthcoming modules 32n0().
@@ -281,27 +354,57 @@ partitioning() {
 
       ### Gathering information for '/etc/fstab'-generation in 4200().
       if [[ "${var_mount_true}" == "true" ]]; then
+
         # shellcheck disable=SC2034
         ARY_FSTAB_MOUNT_PATHS+=("${var_mount_path}")
         do_log "debug" "file_only" "3200() [ARY_FSTAB_MOUNT_PATHS]: '${var_mount_path}'."
         HMP_FSTAB_MOUNT_FTYPE["${var_mount_path}"]="${var_fs}"
         do_log "debug" "file_only" "3200() [HMP_FSTAB_MOUNT_FTYPE]: '${var_mount_path}' -> '${HMP_FSTAB_MOUNT_FTYPE["${var_mount_path}"]}'."
+
+      fi
+
+      ### Gathering information for '/etc/initramfs-tools/conf.d/fsroot'-generation in 4121().
+      if [[ "${var_mount_path}" == "/" ]]; then
+
+        # shellcheck disable=SC2034
+        VAR_ROOT_FS="${var_fs}"
+
       fi
 
     done
 
-  lsblk -o NAME,START,SIZE,PHY-SEC,LOG-SEC,ALIGNMENT "/dev/${var_dev}" >| "${DIR_LOG}/${var_dev}_alignment.log"
+  lsblk -o NAME,START,SIZE,PHY-SEC,LOG-SEC,ALIGNMENT "/dev/${var_dev}" >| "${DIR_LOG}/3200_${var_dev}_alignment.log"
-  sgdisk -p "/dev/${var_dev}" >| "${DIR_LOG}/${var_dev}_info.log"
+  sgdisk -p "/dev/${var_dev}" >| "${DIR_LOG}/3200_${var_dev}_info.log"
 
   done
 
-  ### Prepare mount ordering scheme.
+  ### Prepare the mount ordering scheme.
   # shellcheck disable=SC2312
-  IFS=$'\n' read -r -d '' -a ARY_PATHS_SORTED < <(printf "%s\n" "${ary_paths_unsorted[@]}" | sort -u | awk 'BEGIN{FS="/"}{print NF, $0}' | sort -n | cut -d' ' -f2- && printf '\0')
+  mapfile -d '' -t ARY_PATHS_SORTED < <(\
-
+    ### a) Emit unsorted items as NUL-separated records (preserve any whitespace):
-  printf "%s\n" "${ary_paths_unsorted[@]}" >| "${DIR_LOG}/mount_paths_unsorted.log"
+    printf '%s\0' "${ary_paths_unsorted[@]}" |
-  printf "%s\n" "${ARY_PATHS_SORTED[@]}" >| "${DIR_LOG}/mount_paths_sorted.log"
+      ### b) Dedupe NUL-safely, and add a sort group:
-
+      ###    - grp=0 for the special token "SWAP" (non-path), so it comes first.
-  guard_dir && return 0
+      ###    - grp=1 for everything else (absolute paths).
+      awk -v RS='\0' -v ORS='\0' '
+    !seen[$0]++ {
+      grp = ($0=="SWAP") ? 0 : 1;
+      # Use TAB as field separator for the sort key
+      printf "%d\t%s\0", grp, $0
     }
+  ' |
+    ### c) Sort NUL-separated by the group, then lexicographically by the *full path*:
+    ###    This ensures parent before child due to prefix property:
+    ###    "/boot" < "/boot/efi", "/var/log" < "/var/log/audit" < "/var/tmp"
+    sort -z -t $'\t' -k1,1 -k2,2 | cut -z -f2-
+  )
+
+  printf "%s\n" "${ary_paths_unsorted[@]}" >| "${DIR_LOG}/3200_mount_paths_unsorted.log"
+  printf "%s\n" "${ARY_PATHS_SORTED[@]}" >| "${DIR_LOG}/3200_mount_paths_sorted.log"
+
+  guard_dir; return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f partitioning
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_3200_partitioning/3210_benchmarking_encryption.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Benchmark cryptsetup KDF to determine pbkdf-memory and pbkdf-force-iterations for given pbkdf-threads.
@@ -27,6 +27,7 @@ guard_sourcing
 #   0: on success
 #######################################
 benchmarking_encryption() {
+  ### Declare Arrays, HashMaps, and Variables.
   declare       var_result=""
   # shellcheck disable=SC2155
   declare -girx VAR_KDF_THREADS=$(yq_val ".recipe.${VAR_RECIPE_STRING}.control.kdf.threads" "${VAR_SETUP_PART}")
@@ -37,7 +38,7 @@ benchmarking_encryption() {
   sync
 
   echo "BENCHMARK CRYPTSETUP ARGON2ID KDF PARAMETER - DROPPING PAGES ..."
-  echo 3 >| /proc/sys/vm/drop_caches
+  echo 3 >| /proc/sys/vm/drop_caches || true
 
   # shellcheck disable=SC2312
   var_result=$(cryptsetup benchmark --pbkdf argon2id --iter-time "${VAR_ITER_TIME:-3000}" --pbkdf-parallel "${VAR_KDF_THREADS:-1}" 2>/dev/null \
@@ -53,6 +54,9 @@ benchmarking_encryption() {
   # shellcheck disable=SC2155
   declare -girx VAR_KDF_MEMORY=$(awk -F'[ ,]+' '{print $4}' <<<"${var_result}")
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f benchmarking_encryption
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_3200_partitioning/3220_partition_encryption.sh

@@ -10,12 +10,15 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Function to encrypt the respective partition on each entry of 'ARY_CRYPT_MOUNT_PATHS'.
 # Globals:
 #   ARY_CRYPT_MOUNT_PATHS
+#   CISS_SECRET_LUKS_BACKUP
+#   CISS_SECRET_LUKS_BOOT
+#   CISS_SECRET_LUKS_COMMON
 #   DIR_BAK
 #   DIR_CNF
 #   DIR_LOG
@@ -23,29 +26,31 @@ guard_sourcing
 #   HMP_EPHEMERAL_FS_LABEL
 #   HMP_PATH_DEV_PART
 #   HMP_PATH_ENCLABEL
-#   HMP_PATH_FSUUID
 #   HMP_PATH_LUKSUUID
+#   VAR_CRYPT_BOOT
 #   VAR_CRYPT_RECOVERY
 #   VAR_CRYPT_ROOT
+#   VAR_FINAL_FQDN
 #   VAR_ITER_TIME
 #   VAR_KDF_ITERATIONS
 #   VAR_KDF_MEMORY
 #   VAR_KDF_THREADS
+#   VAR_LUKS_BACKUP
+#   VAR_LUKS_PGP
+#   VAR_LUKS_URL
 #   VAR_RECIPE_STRING
 #   VAR_SETUP_PART
+#   VAR_SETUP_PATH
 # Arguments:
 #   None
 # Returns:
 #   0: on success
+#   ERR_LUKS_HEADER_ENC: on failure
 #######################################
 partition_encryption() {
   ### Declare Arrays, HashMaps, and Variables.
   declare -Ag HMP_PATH_LUKSUUID      # Used in: 3290() - [Mount Path:LUKS UUID].
                                      # Used in: 4210() - [Mount Path:LUKS UUID].
-  declare -Ag HMP_PATH_FSUUID        # Used in: 3240() - [Mount Path:Filesystem UUID].
-                                     # Used in: 3290() - [Mount Path:Filesystem UUID].
-                                     # Used in: 4200() - [Mount Path:Filesystem UUID].
-                                     # Used in: 4210() - [Mount Path:Filesystem UUID].
   declare -Ag HMP_EPHEMERAL_ENCLABEL # Used in: 4200() - [Mount Path:LUKS Encryption Label].
   declare -Ag HMP_EPHEMERAL_FS_LABEL # Used in: 4210() - [Mount Path:Ephemeral Host FS Label]. Substituted by FS-UUID
 
@@ -58,10 +63,34 @@ partition_encryption() {
               var_encryption_ephemeral="" var_encryption_integrity="" var_encryption_cipher="" var_encryption_hash="" \
               var_encryption_key="" var_encryption_label="" var_encryption_meta="" var_encryption_slot="" \
               var_encryption_pbkdf="" var_encryption_rng="" var_filesystem_label="" var_mount_path="" var_uuid="" var_fs="" \
-              var_fs_uuid=""
+              var_luks_backup_file="" var_luks_backup_name="" var_pgp_publickey="" var_luks_backup_pgp="" \
+              var_temp_plain_nc_auth=""
 
   declare -a  ary_luks_opts=()
 
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+  guard_trace on
+  printf '%s' "${CISS_SECRET_LUKS_BOOT}" >| "${DIR_CNF}/password_luks_boot.txt" && chmod 0600 "${DIR_CNF}/password_luks_boot.txt"
+  printf '%s' "${CISS_SECRET_LUKS_COMMON}" >| "${DIR_CNF}/password_luks_common.txt" && chmod 0600 "${DIR_CNF}/password_luks_common.txt"
+  unset CISS_SECRET_LUKS_BOOT CISS_SECRET_LUKS_COMMON
+  guard_trace on
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+
+  if [[ -n "${VAR_LUKS_URL}" ]]; then
+
+    VAR_LUKS_URL=${VAR_LUKS_URL%/}
+
+    ### SECRETS handling -------------------------------------------------------------------------------------------------------
+    guard_trace on
+    var_temp_plain_nc_auth="${CISS_SECRET_LUKS_BACKUP}"
+    unset CISS_SECRET_LUKS_BACKUP
+    guard_trace on
+    ### SECRETS handling -------------------------------------------------------------------------------------------------------
+
+    do_log "debug" "file_only" "3220() Var: [var_temp_plain_nc_auth] set."
+
+  fi
+
   for var_encryption_path in "${ARY_CRYPT_MOUNT_PATHS[@]}"; do
 
     ### Initialize Arrays and Variables
@@ -89,15 +118,18 @@ partition_encryption() {
     if [[ "${var_encryption_path,,}" == "/boot" ]]; then
       ary_luks_opts=( --key-file "${DIR_CNF}/password_luks_boot.txt" )
       ary_luks_opts+=(
-        --iter-time "${VAR_ITER_TIME:-3000}"
+        --iter-time "${VAR_ITER_TIME:-3000}"\
       )
+
     else
+
       ary_luks_opts=( --key-file "${DIR_CNF}/password_luks_common.txt" )
       ary_luks_opts+=(
         --pbkdf-parallel "${VAR_KDF_THREADS:-1}"
         --pbkdf-memory "${VAR_KDF_MEMORY:-4}"
-        --pbkdf-force-iterations "${VAR_KDF_ITERATIONS:-4}"
+        --pbkdf-force-iterations "${VAR_KDF_ITERATIONS:-4}"\
       )
+
     fi
 
     ary_luks_opts+=(
@@ -125,15 +157,6 @@ partition_encryption() {
 
           var_filesystem_label=$(get_label "${var_encryption_path}" "${var_fs}" "file")
 
-          mkfs.ext4 -L "${var_filesystem_label}" "/dev/${var_dev}" 1M
-          do_log "info" "file_only" "3220() Ephemeral: '${var_encryption_path}' prepared on: '/dev/${var_dev}'."
-
-          var_fs_uuid=$(blkid -s UUID -o value "/dev/${var_dev}")
-          ### Gathering information for '/etc/fstab'-generation in 4040() and '/etc/crypttab'-generation in 4060().
-          # shellcheck disable=SC2034
-          HMP_PATH_FSUUID["${var_encryption_path}"]="${var_fs_uuid}"
-          do_log "debug" "file_only" "3220() [HMP_PATH_FSUUID]       : '${var_encryption_path}' -> '${HMP_PATH_FSUUID["${var_encryption_path}"]}'"
-
           HMP_EPHEMERAL_ENCLABEL["${var_encryption_path}"]="${var_encryption_label}"
           HMP_EPHEMERAL_FS_LABEL["${var_encryption_path}"]="${var_filesystem_label}"
 
@@ -169,23 +192,24 @@ partition_encryption() {
 
     fi
 
-    cryptsetup luksHeaderBackup --header-backup-file="${DIR_BAK}/luks_header_${var_dev}.bak" "/dev/${var_dev}"
+    ### Opening the encrypted container.
-    do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}.bak'."
-
-    ### Opening encrypted container.
     if [[ "${var_encryption_path,,}" == "/boot" ]]; then
+
       cryptsetup luksOpen "/dev/${var_dev}" \
         --key-file="${DIR_CNF}/password_luks_boot.txt" \
         "${var_encryption_label}"
+
     else
+
       cryptsetup luksOpen "/dev/${var_dev}" \
         --key-file="${DIR_CNF}/password_luks_common.txt" \
         "${var_encryption_label}"
+
     fi
     do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' opened as '/dev/mapper/${var_encryption_label}'."
 
     ### Create luksDump log entry.
-    cryptsetup luksDump "/dev/${var_dev}" >> "${DIR_LOG}/cryptsetup_luksdump_${var_dev}.log"
+    cryptsetup luksDump "/dev/${var_dev}" >> "${DIR_LOG}/3220_cryptsetup_luksdump_${var_dev}.log"
 
     ### Store UUID of the LUKS container.
     var_uuid=$(blkid -s UUID -o value "/dev/${var_dev}")
@@ -200,8 +224,95 @@ partition_encryption() {
     do_log "debug" "file_only" "3220() [HMP_PATH_LUKSUUID]: '${var_encryption_path}' -> '${HMP_PATH_LUKSUUID["${var_encryption_path}"]}'"
     do_log "debug" "file_only" "3220() [HMP_PATH_ENCLABEL]: '${var_encryption_path}' -> '${HMP_PATH_ENCLABEL["${var_encryption_path}"]}'"
 
+    ### Backup the LUKS Header.
+    if [[ "${VAR_LUKS_BACKUP}" == "true" ]]; then
+
+      var_luks_backup_file="${DIR_BAK}/luks_header_${var_dev}.bak"
+      var_luks_backup_name="${VAR_FINAL_FQDN}_luks_header_${var_dev}.bak.pgp"
+      var_luks_backup_pgp="${DIR_BAK}/luks_header_${var_dev}.bak.pgp"
+
+      case "${VAR_LUKS_PGP}" in
+
+        ciss)    var_pgp_publickey="${VAR_SETUP_PATH}/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.asc" ;;
+        physnet) var_pgp_publickey="${VAR_SETUP_PATH}/.pubkey/zimnol_andre_h_git.cs@physnet.eu_0x8A659CC7B4D63AE6_public.asc" ;;
+        none)    do_log "error" "file_only" "3220() No PGP public key for LUKS Header encryption provided."; continue ;;
+        *)       do_log "fatal" "file_only" "3220() No valid PGP public key for LUKS Header encryption provided."; return "${ERR_LUKS_HEADER_ENC}" ;;
+
+      esac
+
+      if cryptsetup luksHeaderBackup --header-backup-file="${var_luks_backup_file}" "/dev/${var_dev}"; then
+
+        do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header saved: '${var_luks_backup_file}'."
+
+      else
+
+        do_log "fatal" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header backup failed for: '${var_luks_backup_file}'."
+        return "${ERR_LUKS_HEADER_ENC}"
+
+      fi
+
+      if gpg --batch --yes --no-tty --compress-level 0 \
+        --recipient-file "${var_pgp_publickey}" \
+        --encrypt -o "${var_luks_backup_pgp}" -- "${var_luks_backup_file}"; then
+
+        do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header encrypted: '${var_luks_backup_pgp}'."
+
+        if command -v shred >/dev/null 2>&1; then
+
+          shred -vfzu -n 5 "${var_luks_backup_file}" || rm -f "${var_luks_backup_file}"
+
+        else
+
+          rm -f "${var_luks_backup_file}"
+
+        fi
+
+      else
+
+        do_log "fatal" "file_only" "3220() GPG encryption failed for '${var_luks_backup_file}'. Keeping plaintext for diagnostics."
+        return "${ERR_LUKS_HEADER_ENC}"
+
+      fi
+
+      if [[ -n "${VAR_LUKS_URL}" ]]; then
+
+        ### SECRETS handling ---------------------------------------------------------------------------------------------------
+        guard_trace on
+
+        if curl --silent --show-error --fail --retry 2 "${VAR_LUKS_URL}/public.php/webdav/${var_luks_backup_name}" \
+          --upload-file "${var_luks_backup_pgp}" --user "${var_temp_plain_nc_auth}" > /dev/null 2>&1; then
+
+          do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' successful."
+
+          rm -f "${var_luks_backup_pgp}"
+
+        else
+
+          do_log "warn" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' failed."
+
+        fi
+
+        guard_trace off
+        ### SECRETS handling ---------------------------------------------------------------------------------------------------
+
+      fi
+
+    fi
+
   done
 
-  guard_dir && return 0
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+  guard_trace on
+  [[ -n "${VAR_LUKS_URL}" ]] && unset var_temp_plain_nc_auth
+  guard_trace off
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+
+  ciss_secrets_wiper "${DIR_CNF}/password_luks_boot.txt"
+  ciss_secrets_wiper "${DIR_CNF}/password_luks_common.txt"
+
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f partition_encryption
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_3200_partitioning/3240_partition_formatting.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Function to format the respective partition on each entry of 'ARY_FORMT_MOUNT_PATHS'.
@@ -59,10 +59,11 @@ partition_formatting() {
 
     case "${var_format_path,,}" in
       swap|/tmp)
-        do_log "info" "file_only" "3240() Partition: '/dev/${var_dev}' ephemeral encryption already prepared in 3220(): '${var_format_path}'."
+        do_log "info" "file_only" "3240() Partition: '/dev/${var_dev}' ephemeral encryption devices do not need formatting: '${var_format_path}'."
         ### Nothing more to do here.
         continue
         ;;
+      *) : ;;
     esac
 
     if [[ "${var_encryption_enable,,}" == "true" ]]; then
@@ -85,8 +86,8 @@ partition_formatting() {
         do_log "debug" "file_only" "3240() [mkfs.btrfs ${ary_opts[*]} ${var_node}]."
         do_log "info" "file_only" "3240() Partition: '${var_node}' formatted: 'btrfs' options: '${ary_opts[*]}'."
 
-        echo "Partition: '${var_node}':" >> "${DIR_LOG}/btrfs.log"
+        echo "Partition: '${var_node}':" >> "${DIR_LOG}/3240_btrfs.log"
-        btrfs filesystem show "${var_node}" >> "${DIR_LOG}/btrfs.log"
+        btrfs filesystem show "${var_node}" >> "${DIR_LOG}/3240_btrfs.log"
 
         var_fs_uuid=$(blkid -s UUID -o value "${var_node}")
         ### Gathering information for '/etc/fstab'-generation in 4040() and '/etc/crypttab'-generation in 4060().
@@ -102,8 +103,8 @@ partition_formatting() {
         do_log "debug" "file_only" "3240() [mkfs.ext4 -L ${var_fs_label} ${ary_fmt_opts[*]} ${var_node}]."
         do_log "info" "file_only" "3240() Partition: '${var_node}' formatted: 'ext4' options: '${ary_fmt_opts[*]}'."
 
-        echo "Partition: '${var_node}':" >> "${DIR_LOG}/ext4.log"
+        echo "Partition: '${var_node}':" >> "${DIR_LOG}/3240_ext4.log"
-        tune2fs -l "${var_node}" >> "${DIR_LOG}/ext4.log"
+        tune2fs -l "${var_node}" >> "${DIR_LOG}/3240_ext4.log"
 
         var_fs_uuid=$(blkid -s UUID -o value "${var_node}")
         ### Gathering information for '/etc/fstab'-generation in 4040() and '/etc/crypttab'-generation in 4060().
@@ -131,12 +132,15 @@ partition_formatting() {
     esac
 
     var_dev="${var_dev_part%.*}"
-    lsblk -o NAME,MAJ:MIN,FSTYPE,FSVER,SIZE,UUID,MOUNTPOINT,PATH "/dev/${var_dev}" >| "${DIR_LOG}/${var_dev}_overview_3240.log"
+    lsblk -o NAME,MAJ:MIN,FSTYPE,FSVER,SIZE,UUID,MOUNTPOINT,PATH "/dev/${var_dev}" >| "${DIR_LOG}/3240_${var_dev}_overview.log"
-    printf "%b" "${NL}" >> "${DIR_LOG}/${var_dev}_overview_3240.log"
+    printf "%b" "${NL}" >> "${DIR_LOG}/3240_${var_dev}_overview.log"
-    lsblk "/dev/${var_dev}" >> "${DIR_LOG}/${var_dev}_overview_3240.log"
+    lsblk "/dev/${var_dev}" >> "${DIR_LOG}/3240_${var_dev}_overview.log"
 
   done
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f partition_formatting
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_3200_partitioning/3280_mount_partition.sh

@@ -10,12 +10,11 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Function to create the mount command, incl. mount path and options, and mount the respective device.
 # Globals:
-#   ERR_MOUNTING_DEV
 #   TARGET
 # Arguments:
 #   1: MOUNT_PATH
@@ -24,6 +23,7 @@ guard_sourcing
 #   4: MOUNT_FILESYSTEM
 # Returns:
 #   0: on success
+#   ERR_MOUNTING_DEV: on failure
 #######################################
 mount_with_dir() {
   declare var_mount_path="${1}" var_mount_device="${2}" var_mount_options="${3:-}" var_mount_fs="${4:-}"
@@ -60,7 +60,7 @@ mount_with_dir() {
   ### Already absolute path.
   elif [[ "${var_mount_device}" == /dev/* ]]; then
 
-    : ### Do nothing
+    : ### Do nothing.
 
   ### Alternative checks for LABEL and PARTUUID.
   else
@@ -104,16 +104,23 @@ mount_with_dir() {
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f mount_with_dir
 
 #######################################
 # Device Path Resolver.
 # Outputs '/dev/mapper/<encryption_label>'
 # Outputs '/dev/<dev><partition>'
+# Globals:
+#   None
 # Arguments:
 #   1: Device
 #   2: Partition
 #   3: Boolean Encryption
 #   4: Encryption Label
+# Returns:
+#   0: on success
 #######################################
 resolve_device() {
   declare local_var_dev="$1" local_var_partition="$2" local_var_enc_boolean="$3" local_var_enc_label="$4"
@@ -130,15 +137,20 @@ resolve_device() {
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f resolve_device
 
 #######################################
 # Validates btrfs compression algo and level.
+# Globals:
+#   None
 # Arguments:
 #   1: var_fs_btrfs_compress
 #   2: var_fs_btrfs_level
 # Returns:
 #   0: Valid combination.
-#   1: Invalid combination.
+#   ERR_BTRFS_OPTION: on failure
 #######################################
 validate_btrfs_compression() {
   declare var_algo="$1" var_level="$2"
@@ -151,19 +163,20 @@ validate_btrfs_compression() {
 
   esac
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f validate_btrfs_compression
 
 #######################################
 # Function for mounting all partitions for debootstrap, including the generation of btrfs subvolumes.
 # Globals:
+#   ARY_CRYPT_MOUNT_PATHS
 #   ARY_PATHS_SORTED
 #   DIR_LOG
-#   ERR_BTRFS_INITPH
-#   ERR_BTRFS_OPTION
-#   ERR_BTRFS_SUBVOL
-#   ERR_MOUNTING_DEV
 #   HMP_FSTAB_MOUNT_OPTS
 #   HMP_PATH_DEV_PART
 #   HMP_PATH_FSUUID
+#   HMP_PATH_PARTUUID
 #   NL
 #   TARGET
 #   VAR_RECIPE_STRING
@@ -173,11 +186,10 @@ validate_btrfs_compression() {
 #   None
 # Returns:
 #   0: on success
-#   ERR_BTRFS_INITPH
+#   ERR_BTRFS_INITPH: on failure
-#   ERR_BTRFS_OPTION
+#   ERR_BTRFS_OPTION: on failure
-#   ERR_BTRFS_SUBVOL
+#   ERR_BTRFS_SUBVOL: on failure
-#   ERR_MOUNTING_DEV
+#   ERR_MOUNTING_DEV: on failure
-#   ERR_MOUNTING_ROOT
 #######################################
 mount_partition() {
   ### Declare Arrays, HashMaps, and Variables.
@@ -187,7 +199,7 @@ mount_partition() {
   declare     var_mount_path="" var_dev_part="" var_dev="" var_btrfs_options="" \
               var_encryption_label="" var_fs_btrfs_compress="" var_fs_btrfs_level="" var_fs_btrfs_snapshot="" \
               var_fs_btrfs_subvolume="" var_fs_version="" var_mount_options="" var_mount_optsnap="" var_mount_path="" \
-              var_snapshot="" var_fs_uuid=""
+              var_snapshot="" var_fs_uuid="" var_partuuid=""
 
   declare -a  ary_cmd=() ary_cmd_mount=()
 
@@ -212,19 +224,18 @@ mount_partition() {
       var_encryption_label=$(get_label "${var_mount_path}" "${var_fs_version}" "luks")
     fi
 
-    var_fs_uuid="${HMP_PATH_FSUUID["${var_mount_path}"]}"
-
-    if [[ -z "${var_fs_uuid}" ]]; then
-      do_log "error" "file_only" "3280() FS-UUID for mount path: '${var_mount_path}' not found in: 'HMP_PATH_FSUUID'."
-      return "${ERR_MOUNTING_DEV}"
-    fi
-
     ### Mounting of Ephemeral 'SWAP' and '/tmp' as per https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption#UUID_and_LABEL
     if [[ "${var_mount_path,,}" == "swap" ]]; then
 
-      cryptsetup open --type plain --key-file /dev/random \
+      var_partuuid="${HMP_PATH_PARTUUID["${var_mount_path}"]}"
-        --offset 2048 --cipher aes-xts-plain64 --key-size 512 \
+
-        --sector-size 4096 "/dev/disk/by-uuid/${var_fs_uuid}" "${var_encryption_label}"
+      ### Gathering information for '/etc/fstab'-generation in 4040().
+      HMP_FSTAB_MOUNT_OPTS["SWAP"]="${var_mount_options}"
+
+      cryptsetup open --type plain \
+        --key-file /dev/urandom \
+        --cipher aes-xts-plain64 --key-size 512 \
+        "/dev/disk/by-partuuid/${var_partuuid}" "${var_encryption_label}"
 
       mkswap "/dev/mapper/${var_encryption_label}"
       do_log "debug" "file_only" "3280() [mkswap /dev/mapper/${var_encryption_label}]."
@@ -239,9 +250,12 @@ mount_partition() {
 
     elif [[ "${var_mount_path,,}" == "/tmp" ]]; then
 
-      cryptsetup open --type plain --key-file /dev/random \
+      var_partuuid="${HMP_PATH_PARTUUID["${var_mount_path}"]}"
-        --offset 2048 --cipher aes-xts-plain64 --key-size 512 \
+
-        --sector-size 4096 "/dev/disk/by-uuid/${var_fs_uuid}" "${var_encryption_label}"
+      cryptsetup open --type plain \
+        --key-file /dev/urandom \
+        --cipher aes-xts-plain64 --key-size 512 \
+        "/dev/disk/by-partuuid/${var_partuuid}" "${var_encryption_label}"
 
       mkdir -p "${TARGET}/tmp"
 
@@ -262,6 +276,8 @@ mount_partition() {
 
     fi
 
+    var_fs_uuid="${HMP_PATH_FSUUID["${var_mount_path}"]}"
+
     if [[ "${var_fs_version,,}" == "btrfs" ]]; then
 
       var_fs_btrfs_subvolume=$(get_label "${var_mount_path}" "${var_fs_version}" "sub")
@@ -350,19 +366,27 @@ mount_partition() {
         do_log "info" "file_only" "3280() Mounted: '${var_fs_uuid}' on: '${TARGET}${var_mount_path}' Options='${var_mount_options}'."
         ;;
 
+      *)
+        do_log "info" "file_only" "3280() No valid FS found for: '${var_mount_path}'."
+        ;;
+
       esac
 
     var_dev="${var_dev_part%.*}"
-    lsblk -o NAME,MAJ:MIN,FSTYPE,FSVER,SIZE,UUID,MOUNTPOINT,PATH "/dev/${var_dev}" >| "${DIR_LOG}/${var_dev}_overview_3280.log"
+    lsblk -o NAME,MAJ:MIN,FSTYPE,FSVER,SIZE,UUID,MOUNTPOINT,PATH "/dev/${var_dev}" >| "${DIR_LOG}/3280_${var_dev}_overview.log"
+    lsblk -o NAME,PARTTYPE,FSTYPE,FSVER,UUID,MOUNTPOINT,PATH "/dev/${var_dev}" >| "${DIR_LOG}/3280_${var_dev}_parttype.log"
     {
       printf "%b" "${NL}"
       lsblk "/dev/${var_dev}"
       printf "%b" "${NL}"
       lsblk -t "/dev/${var_dev}"
-    } >> "${DIR_LOG}/${var_dev}_overview_3280.log"
+    } >> "${DIR_LOG}/3280_${var_dev}_overview.log"
 
   done
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f mount_partition
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_3200_partitioning/3290_uuid_logger.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Logger for all generated partition, LUKS container and file system UUIDs.
@@ -29,30 +29,41 @@ uuid_logger() {
 
   printf 'PARTITION UUID Partition:\n' >> "${LOG_UID}"
   for var_key in "${!HMP_PATH_PARTUUID[@]}"; do
+
     var_mountpoint="${var_key}"
     var_uuid="${HMP_PATH_PARTUUID[${var_key}]}"
     ### Left-aligned field width 63; "UUID=" starts directly after column 64.
     printf '%-63sUUID=%s\n' "${var_mountpoint}" "${var_uuid}" >> "${LOG_UID}"
+
   done
 
+
   printf '\n' >> "${LOG_UID}"
   printf 'LUKS CONTAINER UUID:\n' >> "${LOG_UID}"
   for var_key in "${!HMP_PATH_LUKSUUID[@]}"; do
+
     var_mountpoint="${var_key}"
     var_uuid="${HMP_PATH_LUKSUUID[${var_key}]}"
     ### Left-aligned field width 63; "UUID=" starts directly after column 64.
     printf '%-63sUUID=%s\n' "${var_mountpoint}" "${var_uuid}" >> "${LOG_UID}"
+
   done
 
+
   printf '\n' >> "${LOG_UID}"
   printf 'FILESYSTEM UUID:\n' >> "${LOG_UID}"
   for var_key in "${!HMP_PATH_FSUUID[@]}"; do
+
     var_mountpoint="${var_key}"
     var_uuid="${HMP_PATH_FSUUID[${var_key}]}"
     ### Left-aligned field width 63; "UUID=" starts directly after column 64.
     printf '%-63sUUID=%s\n' "${var_mountpoint}" "${var_uuid}" >> "${LOG_UID}"
+
   done
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f uuid_logger
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_3200_partitioning/3295_get_label.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Returns standardized labels for the provided mount path depending on filesystem and art of label.
@@ -64,6 +64,7 @@ get_label() {
 
     file)
 
+      # shellcheck disable=SC2249
       case "${var_path}:${var_file}" in
 
         swap:*)               var_return_label="host_swap" ;;
@@ -117,4 +118,7 @@ get_label() {
 
   fi
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f get_label
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4000_debootstrap.sh

@@ -10,34 +10,42 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Install a minimal Debian environment using the 'debootstrap' command.
 # Globals:
-#   ERR_DEBOOTSTRAP
 #   LOG_DBS
+#   LOG_REC
+#   RECOVERY
 #   TARGET
 #   VAR_ARCHITECTURE
 #   VAR_CODENAME
+#   VAR_RUN_RECOVERY
 #   debootstrap_includes
 #   debootstrap_mirror
 # Arguments:
 #   None
 # Returns:
 #   0: on success
-#   ERR_DEBOOTSTRAP
+#   ERR_DEBOOTSTRAP: on failure
 #######################################
 func_debootstrap() {
   ### Declare Arrays, HashMaps, and Variables.
   declare -r var_arch="${VAR_ARCHITECTURE}"
   declare -r var_dist="${VAR_CODENAME}"
-  declare -r var_target="${TARGET}"
   declare -r var_mirror="${debootstrap_mirror}"
   declare -r var_includes="${debootstrap_includes}"
   declare -a ary_cmd=()
 
-  ary_cmd+=( "debootstrap" "--arch=${var_arch}" )
+  declare    var_log="${LOG_DBS}"
+  declare    var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_log="${LOG_REC}"
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+  ary_cmd+=( "debootstrap" "--arch=${var_arch}" "--keep-debootstrap-dir" "--log-extra-deps" "--merged-usr" )
 
   if [[ -n "${var_includes}" ]]; then ary_cmd+=( "--include=${var_includes}" ); fi
 
@@ -46,13 +54,24 @@ func_debootstrap() {
   do_log "debug" "file_only" "4000() Executing: [${ary_cmd[*]}]"
 
   # shellcheck disable=SC2312
-  if "${ary_cmd[@]}" | tee "${LOG_DBS}"; then
+  if "${ary_cmd[@]}" | tee "${var_log}"; then
 
     do_log "info" "file_only" "4000() [${ary_cmd[*]}] successful."
+
     install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/backup"
-    install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/log"
+    install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/debootstrap"
     install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/hooks"
-    guard_dir && return 0
+    install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/keys"
+    install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/log"
+    install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/log/pre-env"
+
+    mv -T "${var_target}/debootstrap" "${var_target}/root/.ciss/cdi/debootstrap"
+
+    chmod 0700 "${var_target}/root/.ciss"
+    chmod 0700 "${var_target}/root/.ciss/cdi"
+    chmod 0700 "${var_target}/root/.ciss/cdi/debootstrap"
+
+    guard_dir; return 0
 
   else
 
@@ -61,4 +80,7 @@ func_debootstrap() {
 
   fi
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f func_debootstrap
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4005_debootstrap_checks.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
+
+#######################################
+# Preliminary post debootstrap checks.
+# Globals:
+#   RECOVERY
+#   TARGET
+#   VAR_RUN_RECOVERY
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+check_debootstrap() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_logfile="/root/.ciss/cdi/log/4005_debootstrap_checks.log"
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+  chroot_logger "${var_target}${var_logfile}"
+
+  chroot_script "${var_target}" "
+    {
+      ### Header
+      echo '==[debootstrap checks]=='
+      date -Is 2>/dev/null || true
+
+      ### dpkg audit (non-fatal)
+      echo '### dpkg --audit'
+      dpkg --audit || true
+
+      ### essential subset (status & version)
+      echo '### dpkg-query essential subset'
+      dpkg-query -W -f='\${db:Status-Abbrev} \${binary:Package} \${Version}\n' dpkg libc6 coreutils bash apt systemd 2>/dev/null || true
+
+      ### init presence (log explicit)
+      echo '### init presence'
+      if [[ -x /sbin/init ]] || [[ -x /lib/systemd/systemd ]]; then
+        echo 'init_present=yes'
+      else
+        echo 'init_present=no'
+      fi
+
+      ### awk path and alternative link (if any)
+      echo '### awk'
+      awk_path=\$(command -v awk || true)
+      printf 'awk_path=%s\n' \"\$awk_path\"
+      if [[ -L /usr/bin/awk ]]; then
+        printf 'awk_link=/usr/bin/awk -> %s\n' \"\$(readlink -f /usr/bin/awk 2>/dev/null || true)\"
+      fi
+
+      ### usr-merge / tainted check
+      echo '### usr-merge / taint'
+      usr_merge_ok=yes
+      for p in /bin /sbin /lib /lib64; do
+        [[ -e \"\$p\" ]] || continue
+        if [[ -L \"\$p\" ]]; then
+          tgt=\$(readlink -f \"\$p\" 2>/dev/null || true)
+          printf '%s -> %s\n' \"\$p\" \"\$tgt\"
+        else
+          usr_merge_ok=no
+          printf '%s is not a symlink (tainted: unmerged-bin)\n' \"\$p\"
+        fi
+      done
+      printf 'usr_merge_ok=%s\n' \"\$usr_merge_ok\"
+
+      ### architecture
+      echo '### architecture'
+      dpkg --print-architecture 2>/dev/null || true
+    } >> ${var_logfile}
+  "
+
+  guard_dir; return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f check_debootstrap
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4010_prepare_mounts.sh

@@ -10,25 +10,26 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Configure the target system for chroot.
 # Globals:
-#   ERR_CHRT_MOUNTS
+#   RECOVERY
 #   TARGET
 #   VAR_CHROOT_ACTIVATED
 #   VAR_NEED_RUN_IN_TARGET
+#   VAR_RUN_RECOVERY
 # Arguments:
 #   None
 # Returns:
-#   ERR_CHRT_MOUNTS
 #   0: on success
+#   ERR_CHRT_MOUNTS: on failure
 #######################################
 prepare_mounts() {
 
   ### Notes
-  # This file mounts all necessary pseudo filesystems into the target root environment to enable chroot operations.
+  # This function mounts all necessary pseudo filesystems into the target root environment to enable chroot operations.
   # --rbind: recursive binding.
   # --make-rslave: In this case, the mount point is marked as 'slave'.
   # This means changes to the source mount (e.g., /proc) are propagated to the target mount (e.g., "${TARGET}/proc").
@@ -52,68 +53,80 @@ prepare_mounts() {
   )
 
   declare     var_path="" var_fs="" var_src="" var_opts=""
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
   for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
 
-    mkdir -p "${TARGET}${var_path}"
+    mkdir -p "${var_target}${var_path}"
 
   done
 
-
   for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
 
     IFS=" " read -r var_fs var_src var_opts <<< "${HMP_SPECIAL_MOUNTS[${var_path}]}"
 
-    if mountpoint -q "${TARGET}${var_path}"; then
+    if mountpoint -q "${var_target}${var_path}"; then
 
-      do_log "info" "file_only" "4010() Skipped: '${TARGET}${var_path}' is already a mountpoint."
+      do_log "info" "file_only" "4010() Skipped: '${var_target}${var_path}' is already a mountpoint."
       continue
 
     fi
 
-    if ! mount -t "${var_fs}" "${var_src}" "${TARGET}${var_path}" -o "${var_opts}"; then
+    if ! mount -t "${var_fs}" "${var_src}" "${var_target}${var_path}" -o "${var_opts}"; then
 
-      do_log "emergency" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] failed."
+      do_log "emergency" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${var_target}${var_path} -o ${var_opts}] failed."
       return "${ERR_CHRT_MOUNTS}"
 
     fi
 
-    do_log "info" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${TARGET}${var_path} -o ${var_opts}] successful."
+    do_log "info" "file_only" "4010() Command: [mount -t ${var_fs} ${var_src} ${var_target}${var_path} -o ${var_opts}] successful."
 
   done
 
-
   if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
 
-    mkdir -p "${TARGET}/run"
+    mkdir -p "${var_target}/run"
 
-    if ! mount --make-rslave --rbind /run "${TARGET}/run"; then
+    if ! mount --make-rslave --rbind /run "${var_target}/run"; then
 
-      do_log "emergency" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${TARGET}/run] failed."
+      do_log "emergency" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${var_target}/run] failed."
       return "${ERR_CHRT_MOUNTS}"
 
     fi
 
-    do_log "info" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${TARGET}/run] successful."
+    do_log "info" "file_only" "4010() Command: [mount --make-rslave --rbind /run ${var_target}/run] successful."
 
   fi
 
+  if ! chroot_exec "${var_target}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
 
-  if ! chroot_exec "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
+    do_log "emergency" "file_only" "4010() Command: [chroot_exec ${var_target} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
-
-    do_log "emergency" "file_only" "4010() Command: [chroot_exec ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
     return "${ERR_CHRT_MOUNTS}"
 
   fi
 
-  do_log "info" "file_only" "4010() Command: [chroot_exec ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
+  do_log "info" "file_only" "4010() Command: [chroot_exec ${var_target} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
 
-  mkdir -p "${TARGET}/media/cdrom0"
+  mkdir -p "${var_target}/media/cdrom0"
+
+  if   [[ "${VAR_RUN_RECOVERY}" == "false" ]]; then
 
-  # shellcheck disable=SC2034
     declare -gx VAR_CHROOT_ACTIVATED="system"
     do_log "info" "file_only" "4010() Command: [declare -gx VAR_CHROOT_ACTIVATED=system]"
 
-  guard_dir && return 0
+  elif [[ "${VAR_RUN_RECOVERY}" == "true" ]]; then
+
+    declare -gx VAR_CHROOT_ACTIVATED="recovery"
+    do_log "info" "file_only" "4010() Command: [declare -gx VAR_CHROOT_ACTIVATED=recovery]"
+
+  fi
+
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f prepare_mounts
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4011_prepare_xdg_root.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
+
+#######################################
+# Prepare '/root' for XDG framework.
+# Globals:
+#   RECOVERY
+#   TARGET
+#   VAR_RUN_RECOVERY
+#   VAR_SETUP_PATH
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+prepare_xdg_root() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+  install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/profile.d/ciss-xdg.sh" "${var_target}/etc/profile.d/"
+  install -m 0444 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/default/ciss-xdg-profile" "${var_target}/etc/default/"
+  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/ciss_xdg_tmp.sh" "${var_target}/root/"
+
+  # shellcheck disable=SC2016
+  chroot_script "${var_target}" '
+    install -d -m 0755 /etc/xdg
+
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+
+    ### Create canonical directories.
+    _xdg_umask="$(umask)"
+    umask 0077
+    [[ -d "${XDG_CONFIG_HOME}"     ]] || install -d -m 0700 -- "${XDG_CONFIG_HOME}"
+    [[ -d "${XDG_DATA_HOME}"       ]] || install -d -m 0700 -- "${XDG_DATA_HOME}"
+    [[ -d "${XDG_CACHE_HOME}"      ]] || install -d -m 0700 -- "${XDG_CACHE_HOME}"
+    [[ -d "${XDG_STATE_HOME}"      ]] || install -d -m 0700 -- "${XDG_STATE_HOME}"
+    [[ -d "${XDG_STATE_HOME}/bash" ]] || install -d -m 0700 -- "${XDG_STATE_HOME}/bash"
+    [[ -d "${XDG_STATE_HOME}/less" ]] || install -d -m 0700 -- "${XDG_STATE_HOME}/less"
+    umask "$_xdg_umask"
+    unset _xdg_umask
+    '
+
+  guard_dir; return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f prepare_xdg_root
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4015_check_usr_merge.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
+
+#######################################
+# Check if the target system is not 'tainted: unmerged-usr'.
+# Globals:
+#   RECOVERY
+#   TARGET
+#   VAR_RUN_RECOVERY
+#   architecture
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+check_usr_merge() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_logfile="/root/.ciss/cdi/log/4015_check_usr_merge.log"
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+  chroot_logger "${var_target}${var_logfile}"
+
+  # shellcheck disable=SC2312
+  chroot_script "${var_target}" "
+    test -L /bin  && test $(readlink -f /bin)  = '/usr/bin'  && echo 'MERGED:/bin'  >> ${var_logfile} || echo 'UNMERGED:/bin'  >> ${var_logfile}
+    test -L /sbin && test $(readlink -f /sbin) = '/usr/sbin' && echo 'MERGED:/sbin' >> ${var_logfile} || echo 'UNMERGED:/sbin' >> ${var_logfile}
+    test -L /lib  && test $(readlink -f /lib)  = '/usr/lib'  && echo 'MERGED:/lib'  >> ${var_logfile} || echo 'UNMERGED:/lib'  >> ${var_logfile}
+  "
+
+  if [[ "${architecture}" == "amd64" ]]; then
+    # shellcheck disable=SC2312
+    chroot_script "${var_target}" "
+      test -L /lib64 && test $(readlink -f /lib64) = '/usr/lib64' && echo 'MERGED:/lib64' >> ${var_logfile} || echo 'UNMERGED:/lib64' >> ${var_logfile}
+    "
+  fi
+
+  guard_dir; return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f check_usr_merge
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4020_remove_x509.sh

@@ -10,12 +10,14 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Chroot hook for deleting all expired X.509 certificates in the target system.
 # Globals:
+#   RECOVERY
 #   TARGET
+#   VAR_RUN_RECOVERY
 #   VAR_SETUP_PATH
 # Arguments:
 #   None
@@ -23,21 +25,28 @@ guard_sourcing
 #   0: on success
 #######################################
 remove_x509() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
   install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/4020_remove_x509.hooks.sh" \
-    "${TARGET}/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh"
+    "${var_target}/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh"
 
+  if ! chroot_script "${var_target}" "/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh" "emergency"; then
 
-  if ! chroot_script "${TARGET}" "/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh" "emergency"; then
+    do_log "warn" "file_only" "4020() Command: [chroot_script ${var_target} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] failed."
-
-    do_log "warn" "file_only" "4020() Command: [chroot_script ${TARGET} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] failed."
 
   else
 
-    do_log "debug" "file_only" "4020() Command: [chroot_script ${TARGET} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] successful."
+    do_log "debug" "file_only" "4020() Command: [chroot_script ${var_target} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] successful."
 
   fi
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f remove_x509
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4030_setup_hostname.sh

@@ -10,16 +10,18 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Configure the '/etc/hostname' | '/etc/hosts' | '/etc/mailname' files.
 # Globals:
+#   RECOVERY
 #   TARGET
 #   VAR_FINAL_FQDN
 #   VAR_FINAL_IPV4
 #   VAR_FINAL_IPV6
 #   VAR_LINK_IPV6
+#   VAR_RUN_RECOVERY
 #   network_ipv6
 # Arguments:
 #   None
@@ -27,36 +29,42 @@ guard_sourcing
 #   0: on success
 #######################################
 setup_hostname() {
-  ### Create '${TARGET}/etc/hostname' file.
+  ### Declare Arrays, HashMaps, and Variables.
-  cat << EOF >| "${TARGET}/etc/hostname"
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+  ### Create the '${var_target}/etc/hostname' file.
+  cat << EOF >| "${var_target}/etc/hostname"
 ${VAR_FINAL_FQDN}
 EOF
-  chmod 0644 "${TARGET}/etc/hostname"
+  chmod 0644 "${var_target}/etc/hostname"
-  do_log "info" "file_only" "4030() File generated: '${TARGET}/etc/hostname' | hostname '${VAR_FINAL_FQDN}'."
+  do_log "info" "file_only" "4030() File generated: '${var_target}/etc/hostname' | hostname '${VAR_FINAL_FQDN}'."
 
 
-  ### Create '${TARGET}/etc/mailname' file.
+  ### Create the '${var_target}/etc/mailname' file.
-  cat << EOF >| "${TARGET}/etc/mailname"
+  cat << EOF >| "${var_target}/etc/mailname"
 ${VAR_FINAL_FQDN}
 EOF
-  chmod 0644 "${TARGET}/etc/mailname"
+  chmod 0644 "${var_target}/etc/mailname"
-  do_log "info" "file_only" "4030() File generated: '${TARGET}/etc/mailname' | mailname '${VAR_FINAL_FQDN}'."
+  do_log "info" "file_only" "4030() File generated: '${var_target}/etc/mailname' | mailname '${VAR_FINAL_FQDN}'."
 
 
-  ### Generate '${TARGET}/etc/hosts' basic IPv4 entries
+  ### Generate '${var_target}/etc/hosts' basic IPv4 entries
-  cat << EOF >| "${TARGET}/etc/hosts"
+  cat << EOF >| "${var_target}/etc/hosts"
 127.0.0.1 localhost
 ${VAR_FINAL_IPV4} ${VAR_FINAL_FQDN}
 
 EOF
-  chmod 0644 "${TARGET}/etc/hosts"
+  chmod 0644 "${var_target}/etc/hosts"
-  do_log "info" "file_only" "4030() File generated: '${TARGET}/etc/hosts' with basic IPv4 entries."
+  do_log "info" "file_only" "4030() File generated: '${var_target}/etc/hosts' with basic IPv4 entries."
 
 
-  ### Generate '${TARGET}/etc/hosts' basic IPv6 entries
+  ### Generate '${var_target}/etc/hosts' basic IPv6 entries
   if [[ "${VAR_LINK_IPV6,,}" == "true" || "${network_ipv6,,}" == "true" ]]; then
 
-    cat << EOF >> "${TARGET}/etc/hosts"
+    cat << EOF >> "${var_target}/etc/hosts"
 # The following lines are desirable for IPv6 capable hosts
 ::1     localhost ip6-localhost ip6-loopback
 fe00::0 ip6-localnet
@@ -68,10 +76,13 @@ ${VAR_FINAL_IPV6} ${VAR_FINAL_FQDN}
 
 EOF
 
-    do_log "info" "file_only" "4030() File updated: '${TARGET}/etc/hosts' with basic IPv6 entries."
+    do_log "info" "file_only" "4030() File updated: '${var_target}/etc/hosts' with basic IPv6 entries."
 
   fi
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f setup_hostname
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4035_setup_resolv.sh

@@ -10,20 +10,18 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Configure the '/etc/resolv.conf' file.
 # Globals:
 #   ARY_IPV4_NS
 #   ARY_IPV6_NS
-#   DIR_BAK
+#   RECOVERY
 #   TARGET
-#   VAR_ARCHITECTURE
-#   VAR_CODENAME
 #   VAR_FINAL_IPV6
 #   VAR_LINK_IPV6
-#   VAR_VERSION
+#   VAR_RUN_RECOVERY
 # Arguments:
 #   None
 # Returns:
@@ -32,73 +30,66 @@ guard_sourcing
 setup_resolv() {
   ### Declare Arrays, HashMaps, and Variables.
   declare     ns=""
+  declare     var_target="${TARGET}"
 
-  if [[ -f "${TARGET}/etc/resolv.conf" ]]; then
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
-    mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc"
+  if [[ -f "${var_target}/etc/resolv.conf" ]]; then
-    mv "${TARGET}/etc/resolv.conf" "${TARGET}/root/.ciss/cdi/backup/etc/resolv.conf.bak"
+
-    do_log "info" "file_only" "4035() Existing '${TARGET}/etc/resolv.conf' moved."
+    mkdir -p "${var_target}/root/.ciss/cdi/backup/etc"
+    mv "${var_target}/etc/resolv.conf" "${var_target}/root/.ciss/cdi/backup/etc/resolv.conf.bak"
+    do_log "info" "file_only" "4035() Existing '${var_target}/etc/resolv.conf' moved."
 
   fi
 
-  touch "${TARGET}/etc/resolv.conf"
+  touch "${var_target}/etc/resolv.conf"
-  chmod 0644 "${TARGET}/etc/resolv.conf"
+  chmod 0644 "${var_target}/etc/resolv.conf"
 
   ### Create '/etc/resolv.conf' IPv4 entries for static configuration.
-    cat << EOF >> "${TARGET}/etc/resolv.conf"
+  insert_header "${var_target}/etc/resolv.conf"
-# SPDX-Version: 3.0
+  insert_comments "${var_target}/etc/resolv.conf"
-# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+  cat << EOF >> "${var_target}/etc/resolv.conf"
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-# Static file system information: /etc/resolv.conf
-# Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture: ${VAR_ARCHITECTURE}
-# Distribution: ${VAR_CODENAME}
-
 ### Custom DNS IPv4 configuration
 EOF
 
   for ns in "${ARY_IPV4_NS[@]}"; do
 
-    echo "nameserver ${ns}" >> "${TARGET}/etc/resolv.conf"
+    echo "nameserver ${ns}" >> "${var_target}/etc/resolv.conf"
     do_log "info" "file_only" "4035() IPv4 nameserver added: [${ns}]."
 
   done
 
-  echo "" >> "${TARGET}/etc/resolv.conf"
+  echo "" >> "${var_target}/etc/resolv.conf"
-  do_log "info" "file_only" "4035() IPv4 nameserver at: '${TARGET}/etc/resolv.conf' configured."
+  do_log "info" "file_only" "4035() IPv4 nameserver at: '${var_target}/etc/resolv.conf' configured."
 
 
   ### Create '/etc/resolv.conf' IPv6 entries for static configuration.
   if [[ "${VAR_LINK_IPV6,,}" == "true" || -n "${VAR_FINAL_IPV6}" ]]; then
 
-    cat << EOF >> "${TARGET}/etc/resolv.conf"
+    cat << EOF >> "${var_target}/etc/resolv.conf"
 ### Custom DNS IPv6 configuration
 EOF
 
     for ns in "${ARY_IPV6_NS[@]}"; do
 
-      echo "nameserver ${ns}" >> "${TARGET}/etc/resolv.conf"
+      echo "nameserver ${ns}" >> "${var_target}/etc/resolv.conf"
       do_log "info" "file_only" "4035() IPv6 nameserver added: [${ns}]."
 
     done
 
-    echo "" >> "${TARGET}/etc/resolv.conf"
+    echo "" >> "${var_target}/etc/resolv.conf"
-    do_log "info" "file_only" "4035() IPv6 nameserver at: '${TARGET}/etc/resolv.conf' configured."
+    do_log "info" "file_only" "4035() IPv6 nameserver at: '${var_target}/etc/resolv.conf' configured."
 
   fi
 
-  cat << EOF >> "${TARGET}/etc/resolv.conf"
+  cat << EOF >> "${var_target}/etc/resolv.conf"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f setup_resolv
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4040_setup_timezone.sh

@@ -10,12 +10,14 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Configure the '/etc/timezone' | '/etc/localtime' files.
 # Globals:
+#   RECOVERY
 #   TARGET
+#   VAR_RUN_RECOVERY
 #   ntp_timezone
 # Arguments:
 #   None
@@ -23,17 +25,26 @@ guard_sourcing
 #   0: on success
 #######################################
 setup_timezone() {
-  ### Create '${TARGET}/etc/timezone' file.
+  ### Declare Arrays, HashMaps, and Variables.
-  cat << EOF >| "${TARGET}/etc/timezone"
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+  ### Create the '$ {var_target}/etc / timezone' file.
+  cat << EOF >| "${var_target}/etc/timezone"
 ${ntp_timezone:-UTC}
 EOF
-  chmod 0644 "${TARGET}/etc/timezone"
+  chmod 0644 "${var_target}/etc/timezone"
-  do_log "info" "file_only" "4040() File generated: '${TARGET}/etc/timezone' | timezone '${ntp_timezone:-UTC}'."
+  do_log "info" "file_only" "4040() File generated: '${var_target}/etc/timezone' | timezone '${ntp_timezone:-UTC}'."
 
-  chroot_exec "${TARGET}" ln -sf "/usr/share/zoneinfo/${ntp_timezone}" /etc/localtime
+  chroot_exec "${var_target}" ln -sf "/usr/share/zoneinfo/${ntp_timezone}" /etc/localtime
 
-  chroot_exec "${TARGET}" dpkg-reconfigure -f noninteractive tzdata
+  chroot_exec "${var_target}" dpkg-reconfigure -f noninteractive tzdata
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f setup_timezone
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/4050_setup_locales.sh

@@ -10,16 +10,16 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Set locale, locale overrides and configure keyboard layout.
 # Globals:
 #   ARY_LOCALE
+#   RECOVERY
 #   TARGET
-#   VAR_ARCHITECTURE
+#   VAR_DATE
-#   VAR_CODENAME
+#   VAR_RUN_RECOVERY
-#   VAR_VERSION
 #   locale_country
 #   locale_keyboard_xkb_keymap
 #   locale_language
@@ -42,15 +42,22 @@ guard_sourcing
 setup_locales() {
   ### Declare Arrays, HashMaps, and Variables.
   declare     var_locale_hook="/root/.ciss/cdi/hooks/4050_setup_locales.hooks.sh"
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
   ### Give priority to '${locale_locale}' over separately configured variables '${locale_country}' and '${locale_language}'.
   ### If 'locale_locale' is not set, build it from 'locale_language' and 'locale_country'.
   if [[ -n "${locale_language:-}" && -n "${locale_country:-}" && -z "${ARY_LOCALE[0]:-}" ]]; then
+
+    # shellcheck disable=SC2034
     ARY_LOCALE+="${locale_language}_${locale_country}.UTF-8"
+
   fi
 
   ### Creat Hook in target.
-  cat << EOF >| "${TARGET}${var_locale_hook}"
+  cat << EOF >| "${var_target}${var_locale_hook}"
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -72,7 +79,7 @@ declare    loc=""
 
 EOF
 
-  cat << 'EOF' >> "${TARGET}${var_locale_hook}"
+  cat << 'EOF' >> "${var_target}${var_locale_hook}"
 ary_locale+=( "${locale_0}" )
 [[ -n "${locale_1}" ]] && ary_locale+=( "${locale_1}" )
 
@@ -94,7 +101,7 @@ done
 
 EOF
 
-  cat << EOF >> "${TARGET}${var_locale_hook}"
+  cat << EOF >> "${var_target}${var_locale_hook}"
 update-locale \
 LANG=${ARY_LOCALE[0]} \
 LC_ADDRESS=${locale_override_address:-${ARY_LOCALE[0]}} \
@@ -112,26 +119,13 @@ LC_IDENTIFICATION=${ARY_LOCALE[0]}
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
-  chmod 0700 "${TARGET}${var_locale_hook}"
+  chmod 0700 "${var_target}${var_locale_hook}"
-  chroot_script "${TARGET}" "${var_locale_hook}"
+  chroot_script "${var_target}" "${var_locale_hook}"
 
   ### Set the keyboard layout for the system (for consoles).
-  cat << EOF >| "${TARGET}/etc/default/keyboard"
+  insert_header   "${var_target}/etc/default/keyboard"
-# SPDX-Version: 3.0
+  insert_comments "${var_target}/etc/default/keyboard"
-# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+  cat << EOF >>   "${var_target}/etc/default/keyboard"
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-# /etc/default/keyboard : Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture          : ${VAR_ARCHITECTURE}
-# Distribution          : ${VAR_CODENAME}
-
 # KEYBOARD CONFIGURATION FILE
 # Consult the keyboard(5) manual page.
 
@@ -143,9 +137,12 @@ BACKSPACE="guess"
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
-  chmod 0644 "${TARGET}/etc/default/keyboard"
+  chmod 0644 "${var_target}/etc/default/keyboard"
-  do_log "info" "file_only" "4050() Keyboard layout updated: 'XKBLAYOUT=${locale_keyboard_xkb_keymap}' -> '${TARGET}/etc/default/keyboard'."
+  do_log "info" "file_only" "4050() Keyboard layout updated: 'XKBLAYOUT=${locale_keyboard_xkb_keymap}' -> '${var_target}/etc/default/keyboard'."
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f setup_locales
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4000_debootstrap/README/README_4000.md

@@ -0,0 +1,101 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.installer
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
+**Master Version**: 8.00<br>
+**Build**: V8.00.000.2025.06.17<br>
+
+# 2. [4000_debootstrap.sh](../4000_debootstrap.sh)
+This module provisions a minimal Debian userspace into the installers target root (`$TARGET`) using `debootstrap`.
+It encapsulates argument construction, execution, logging, and the controlled hand-off of the `/debootstrap` working tree into a
+private, permissions-hardened folder under `root/.ciss/cdi/`.
+
+## 2.1. Responsibilities
+- Resolve architecture, distribution codename, mirror, and optionally include-set from the global environment.
+- Execute `debootstrap` with deterministic flags (`--keep-debootstrap-dir`, `--log-extra-deps`, `--merged-usr`) and optional `--include=`.
+- Stream all `debootstrap` output to a dedicated log (`$LOG_DBS`) for reproducibility and forensics.
+- Post-provisioning: create a sealed directory hierarchy beneath `$TARGET/root/.ciss/cdi/` and relocate the working directory 
+  from `$TARGET/debootstrap` to `$TARGET/root/.ciss/cdi/debootstrap`.
+- Emit structured progress diagnostics via the common logging facility.
+- Return a specific non-zero error code on failure to enable consistent trap-level handling.
+
+## 2.2. Inputs & Globals
+- **`$VAR_ARCHITECTURE`** — target architecture (e.g., `amd64`, `arm64`).
+- **`$VAR_CODENAME`** — Debian release codename (e.g., `trixie`).
+- **`$debootstrap_mirror`** — HTTP/HTTPS mirror base URL.
+- **`$debootstrap_includes`** — comma-separated package list to seed into the base system (optional).
+- **`$TARGET`** — absolute mount path of the target root filesystem.
+- **`$LOG_DBS`** — file path to receive `debootstrap` combined output via `tee`.
+- **`ERR_DEBOOTSTRAP`** — module-specific error code for uniform failure signaling.
+
+> All variables are expected to be pre-validated and exported by the installer setup/bootstrap chain.
+
+## 2.3. Execution Flow
+* **Command assembly**
+  - Build `ary_cmd` as:
+    ```
+    debootstrap \
+      --arch="${VAR_ARCHITECTURE}" \
+      --keep-debootstrap-dir \
+      --log-extra-deps \
+      --merged-usr \
+      [--include="${debootstrap_includes}"] \
+      "${VAR_CODENAME}" "${TARGET}" "${debootstrap_mirror}"
+    ```
+  - Emit a debug log line with the fully materialized command.
+
+* **Run & log**
+  - Execute the array-form command; pipe stdout/stderr to `$LOG_DBS` using `tee`.
+  - On success, emit an informational log entry; on failure, emit an emergency log and `return ${ERR_DEBOOTSTRAP}`.
+
+* **Post-provisioning layout (on success)**
+  - Create (mode `0700`, owned by `root:root`) under `$TARGET/root/.ciss/cdi/`:
+    - `backup/`, `debootstrap/`, `hooks/`, `keys/`, `log/`
+  - Move the working directory:
+    - `mv -T "$TARGET/debootstrap" "$TARGET/root/.ciss/cdi/debootstrap"`
+  - Reassert restrictive permissions on `.ciss/`, `.ciss/cdi/`, and `.ciss/cdi/debootstrap/`.
+  - Invoke `guard_dir` (module guard) and return `0`.
+
+## 2.4. Design Paradigms
+- **Array-based invocation**: Prevents word-splitting and globbing pitfalls; arguments are passed verbatim to `execve`.
+- **Deterministic defaults**:
+  - `--merged-usr`: aligns the base system with usrmerge conventions (Debian ≥ 12).
+  - `--keep-debootstrap-dir`: preserves provenance and the exact state of the bootstrap transaction.
+  - `--log-extra-deps`: surfaces additional dependency resolution in logs for auditability.
+- **Fail-fast and traceable**: Execution is meant to run under global hardening (`set -Ceuo pipefail`, `inherit_errexit`) and 
+  integrates with the installer trap/debug framework; logs are persisted for triage.
+
+## 2.5. Security Considerations
+- **Least exposure of artifacts**: The bootstrap working directory is relocated into a sealed, root-only area (`0700`).
+  This avoids exposing transient metadata under world-readable paths.
+- **No shell expansion in command string**: Array execution and explicit variables reduce injection risk and ambiguity.
+- **Privilege hygiene**: Directory creation and moves are executed with explicit ownership/mode; no reliance on ambient umask.
+- **Provenance retention**: Keeping the original `debootstrap` directory (under a protected path) allows later verification of
+  package selection, scripts, and logs.
+
+## 2.6. Logging & Artifacts
+- **Primary log**: `${LOG_DBS}` receives the raw `debootstrap` stream (via `tee`).
+- **Provenance**: `${TARGET}/root/.ciss/cdi/debootstrap/` contains the retained working directory after a successful run.
+- **Installer meta-folders**: `${TARGET}/root/.ciss/cdi/{backup,debootstrap,hooks,keys,log}/` (all `0700`).
+
+These artifacts integrate with the global debug facilities when enabled.
+
+## 2.7. Failure Modes & Exit Codes
+- **Network or mirror failure** → non-zero `debootstrap` exit → module returns `ERR_DEBOOTSTRAP`.
+- **Invalid codename/arch** → early `debootstrap` abort → `ERR_DEBOOTSTRAP`.
+- **Insufficient permissions or target not writable** → directory creation/move fails → `ERR_DEBOOTSTRAP`.
+
+Errors are surfaced to the installers `ERR`/`EXIT` traps, which will record environment, stack, and runtime context.
+
+## 2.8. Best Practices
+- Use `--include` judiciously; keep the base system minimal and defer optional packages to dedicated post-bootstrap tasks.
+- Treat `${TARGET}/root/.ciss/cdi/` as sensitive metadata: back it up or snapshot it if you require later audits.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

func/cdi_4100_base/4100_generate_sources.sh

@@ -10,15 +10,14 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Generate target '/etc/apt/sources.list' entries.
 # Globals:
+#   RECOVERY
 #   TARGET
-#   VAR_ARCHITECTURE
+#   VAR_RUN_RECOVERY
-#   VAR_CODENAME
-#   VAR_VERSION
 #   apt_contrib
 #   apt_deb_sources
 #   apt_mirror_directory
@@ -41,6 +40,10 @@ generate_sources() {
   ### Declare Arrays, HashMaps, and Variables.
   declare -a  ary_components=()
   declare     var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
   # shellcheck disable=SC2154 # "${architecture}"
   var_arch="${architecture,,}"
@@ -77,25 +80,25 @@ generate_sources() {
 
   fi
 
-  : >| "${TARGET}/etc/apt/sources.list"
+  : >| "${var_target}/etc/apt/sources.list"
-  chmod 0644 "${TARGET}/etc/apt/sources.list"
+  chmod 0644 "${var_target}/etc/apt/sources.list"
 
   ### Main Repository
   # shellcheck disable=SC2153
-  insert_header "${TARGET}/etc/apt/sources.list"
+  insert_header   "${var_target}/etc/apt/sources.list"
-  insert_comments "${TARGET}/etc/apt/sources.list"
+  insert_comments "${var_target}/etc/apt/sources.list"
-  cat << EOF >> "${TARGET}/etc/apt/sources.list"
+  cat << EOF >>   "${var_target}/etc/apt/sources.list"
 #------------------------------------------------------------------------------------------------------------------------------#
 #                                                     OFFICIAL DEBIAN REPOS                                                    #
 #------------------------------------------------------------------------------------------------------------------------------#
 deb ${var_url} ${var_codename} ${ary_components[*]}
 EOF
-  do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename} ${ary_components[*]}'."
+  do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename} ${ary_components[*]}'."
 
   if [[ "${var_deb_src}" == "true" ]]; then
 
-    echo "deb-src ${var_url} ${var_codename} ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
+    echo "deb-src ${var_url} ${var_codename} ${ary_components[*]}" >> "${var_target}/etc/apt/sources.list"
-    do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename} ${ary_components[*]}'."
+    do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename} ${ary_components[*]}'."
 
   fi
 
@@ -103,16 +106,16 @@ EOF
   ### Security Repository
   if [[ "${apt_updates_security,,}" == "true" ]]; then
 
-    cat << EOF >> "${TARGET}/etc/apt/sources.list"
+    cat << EOF >> "${var_target}/etc/apt/sources.list"
 
 deb ${var_surl} ${var_codename}-security ${ary_components[*]}
 EOF
-    do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_surl} ${var_codename}-security ${ary_components[*]}'."
+    do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb ${var_surl} ${var_codename}-security ${ary_components[*]}'."
 
     if [[ "${var_deb_src}" == "true" ]]; then
 
-      echo "deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
+      echo "deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}" >> "${var_target}/etc/apt/sources.list"
-      do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}'."
+      do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb-src ${var_surl} ${var_codename}-security ${ary_components[*]}'."
 
     fi
 
@@ -122,16 +125,16 @@ EOF
   ### Updates Repository
   if [[ "${apt_updates_release,,}" == "true" ]]; then
 
-    cat << EOF >> "${TARGET}/etc/apt/sources.list"
+    cat << EOF >> "${var_target}/etc/apt/sources.list"
 
 deb ${var_url} ${var_codename}-updates ${ary_components[*]}
 EOF
-    do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-updates ${ary_components[*]}'."
+    do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-updates ${ary_components[*]}'."
 
     if [[ "${var_deb_src}" == "true" ]]; then
 
-      echo "deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
+      echo "deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}" >> "${var_target}/etc/apt/sources.list"
-      do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}'."
+      do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-updates ${ary_components[*]}'."
 
     fi
 
@@ -141,16 +144,16 @@ EOF
   ### Backports Repository
   if [[ "${apt_updates_backports,,}" == "true" ]]; then
 
-    cat << EOF >> "${TARGET}/etc/apt/sources.list"
+    cat << EOF >> "${var_target}/etc/apt/sources.list"
 
 deb ${var_url} ${var_codename}-backports ${ary_components[*]}
 EOF
-    do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-backports ${ary_components[*]}'."
+    do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb ${var_url} ${var_codename}-backports ${ary_components[*]}'."
 
     if [[ "${var_deb_src,,}" == "true" ]]; then
 
-      echo "deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}" >> "${TARGET}/etc/apt/sources.list"
+      echo "deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}" >> "${var_target}/etc/apt/sources.list"
-      do_log "info" "file_only" "4100() ${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}'."
+      do_log "info" "file_only" "4100() ${var_target}/etc/apt/sources.list entry generated: 'deb-src ${var_url} ${var_codename}-backports ${ary_components[*]}'."
 
     fi
 
@@ -158,13 +161,35 @@ EOF
 
 
   ### Clean up 'sources.list'
-  sed -i '/^#/!s/[[:space:]]\+/ /g' "${TARGET}/etc/apt/sources.list"
+  sed -i '/^#/!s/[[:space:]]\+/ /g' "${var_target}/etc/apt/sources.list"
 
-  cat << EOF >> "${TARGET}/etc/apt/sources.list"
+  cat << EOF >> "${var_target}/etc/apt/sources.list"
 
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 
-  guard_dir && return 0
+
+  insert_header   "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
+  insert_comments "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
+  cat << 'EOF' >> "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
+Acquire::PDiffs "false";
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+  sed -i -E 's|^([[:space:]]*)#+|\1//|' "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
+
+  insert_header   "${var_target}/etc/apt/apt.conf.d/91-acquire"
+  insert_comments "${var_target}/etc/apt/apt.conf.d/91-acquire"
+  cat << 'EOF' >> "${var_target}/etc/apt/apt.conf.d/91-acquire"
+Acquire::Retries "3";
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+  sed -i -E 's|^([[:space:]]*)#+|\1//|' "${var_target}/etc/apt/apt.conf.d/91-acquire"
+
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_sources
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base/4105_generate_sources_822.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Generate target '/etc/apt/sources.list.d/' deb.822 entries.
@@ -38,6 +38,10 @@ generate_sources822() {
   ### Declare Arrays, HashMaps, and Variables.
   declare -a  ary_components=() ary_types=()
   declare     var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
   # shellcheck disable=SC2154 # "${architecture}"
   var_arch="${architecture,,}"
@@ -79,9 +83,9 @@ generate_sources822() {
 
 
   ### Main Repository
-  insert_header  "${TARGET}/etc/apt/sources.list.d/trixie.sources"
+  insert_header   "${var_target}/etc/apt/sources.list.d/trixie.sources"
-  inser_comments "${TARGET}/etc/apt/sources.list.d/trixie.sources"
+  insert_comments "${var_target}/etc/apt/sources.list.d/trixie.sources"
-  cat << EOF >>  "${TARGET}/etc/apt/sources.list.d/trixie.sources"
+  cat << EOF >>   "${var_target}/etc/apt/sources.list.d/trixie.sources"
 #------------------------------------------------------------------------------------------------------------------------------#
 #                                                     OFFICIAL DEBIAN REPOS                                                    #
 #------------------------------------------------------------------------------------------------------------------------------#
@@ -98,9 +102,9 @@ EOF
 
   ### Security Repository
   if [[ "${apt_updates_security,,}" == "true" ]]; then
-    insert_header  "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
+    insert_header   "${var_target}/etc/apt/sources.list.d/trixie-security.sources"
-    inser_comments "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
+    insert_comments "${var_target}/etc/apt/sources.list.d/trixie-security.sources"
-    cat << EOF >>  "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
+    cat << EOF >>   "${var_target}/etc/apt/sources.list.d/trixie-security.sources"
 #------------------------------------------------------------------------------------------------------------------------------#
 #                                                     OFFICIAL DEBIAN REPOS                                                    #
 #------------------------------------------------------------------------------------------------------------------------------#
@@ -117,9 +121,9 @@ EOF
 
   ### Updates Repository
   if [[ "${apt_updates_release,,}" == "true" ]]; then
-    insert_header  "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
+    insert_header   "${var_target}/etc/apt/sources.list.d/trixie-updates.sources"
-    inser_comments "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
+    insert_comments "${var_target}/etc/apt/sources.list.d/trixie-updates.sources"
-    cat << EOF >>  "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
+    cat << EOF >>   "${var_target}/etc/apt/sources.list.d/trixie-updates.sources"
 #------------------------------------------------------------------------------------------------------------------------------#
 #                                                     OFFICIAL DEBIAN REPOS                                                    #
 #------------------------------------------------------------------------------------------------------------------------------#
@@ -137,9 +141,9 @@ EOF
 
   ### Backports Repository
   if [[ "${apt_updates_backports,,}" == "true" ]]; then
-    insert_header  "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
+    insert_header   "${var_target}/etc/apt/sources.list.d/trixie-backports.sources"
-    insert_comments "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
+    insert_comments "${var_target}/etc/apt/sources.list.d/trixie-backports.sources"
-    cat << EOF >>  "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
+    cat << EOF >>   "${var_target}/etc/apt/sources.list.d/trixie-backports.sources"
 #------------------------------------------------------------------------------------------------------------------------------#
 #                                                     OFFICIAL DEBIAN REPOS                                                    #
 #------------------------------------------------------------------------------------------------------------------------------#
@@ -155,6 +159,34 @@ EOF
 
   fi
 
-  guard_dir && return 0
+
+  if [[ -f "${var_target}/etc/apt/sources.list" ]]; then
+    rm -f "${var_target}/etc/apt/sources.list"
+  fi
+
+
+  insert_header   "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
+  insert_comments "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
+  cat << 'EOF' >> "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
+Acquire::PDiffs "false";
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+  sed -i -E 's|^([[:space:]]*)#+|\1//|' "${var_target}/etc/apt/apt.conf.d/90-no-pdiffs"
+
+
+  insert_header   "${var_target}/etc/apt/apt.conf.d/91-acquire"
+  insert_comments "${var_target}/etc/apt/apt.conf.d/91-acquire"
+  cat << 'EOF' >> "${var_target}/etc/apt/apt.conf.d/91-acquire"
+Acquire::Retries "3";
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+  sed -i -E 's|^([[:space:]]*)#+|\1//|' "${var_target}/etc/apt/apt.conf.d/91-acquire"
+
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_sources822
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base/4110_update_sources.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Update generated sources.
@@ -18,7 +18,9 @@ guard_sourcing
 # to suppress the 'update-initramfs'-Kernel-Hooks, according to the initramfs-tools manpage:
 # https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
 # Globals:
+#   RECOVERY
 #   TARGET
+#   VAR_RUN_RECOVERY
 #   apt_updates_policy
 # Arguments:
 #   None
@@ -28,35 +30,42 @@ guard_sourcing
 update_sources() {
   ### Declare Arrays, HashMaps, and Variables.
   declare -r  var_logfile="/root/.ciss/cdi/log/4110_update_sources.log"
+  declare     var_target="${TARGET}"
 
-  chroot_logger "${TARGET}${var_logfile}"
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+  chroot_logger "${var_target}${var_logfile}"
 
   ### Update generated sources.
   # shellcheck disable=SC2312
-  chroot_script "${TARGET}" "apt-get update 2>&1 | tee -a ${var_logfile}; echo ExitCode: \$? >> ${var_logfile}"
+  chroot_script "${var_target}" "
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+    apt-get update 2>&1 | tee -a ${var_logfile}
+  "
   do_log "info" "file_only" "4110() Sources lists: updated successfully."
 
 
   ### Update unattended, security, or no unattended updates at all.
   if [[ "${apt_updates_policy,,}" == "unattended" ]]; then
 
-    chroot_script "${TARGET}" "
+    chroot_script "${var_target}" "
       export INITRD=No
+      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
       apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
-      echo ExitCode: \$? >> ${var_logfile}
     "
     do_log "info" "file_only" "4110() The update policy was set at installation time to: '${apt_updates_policy}'."
 
   elif [[ "${apt_updates_policy,,}" == "security" ]]; then
 
-    chroot_script "${TARGET}" "
+    chroot_script "${var_target}" "
       export INITRD=No
+      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
       apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
-      echo ExitCode: \$? >> ${var_logfile}
     "
 
     # shellcheck disable=SC2016
-    sed -i 's/^[[:space:]]*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${TARGET}/etc/apt/apt.conf.d/50unattended-upgrades"
+    sed -i 's/^[[:space:]]*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${var_target}/etc/apt/apt.conf.d/50unattended-upgrades"
     do_log "info" "file_only" "4110() The update policy was set at installation time to: '${apt_updates_policy}'."
 
   elif [[ "${apt_updates_policy,,}" == "none" ]]; then
@@ -69,6 +78,9 @@ update_sources() {
 
   fi
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f update_sources
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base/4120_installation_kernel.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Installation of the specified kernel.
@@ -34,29 +34,31 @@ installation_kernel() {
 
   if [[ -n "${VAR_KERNEL}" ]]; then
 
-    chroot_script "${TARGET}" '
+    chroot_script "${TARGET}" "
       export INITRD=No
-      apt-get install -y --no-install-recommends --no-install-suggests '"${VAR_KERNEL}"' initramfs-tools 2>&1 | tee -a '"${var_logfile}"'
+      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-      echo ExitCode: $? >> '"${var_logfile}"'
+      apt-get install -y --no-install-recommends --no-install-suggests ${VAR_KERNEL} initramfs-tools 2>&1 | tee -a ${var_logfile}
-    '
+    "
 
     do_log "info" "file_only" "4120() Kernel image: '${VAR_KERNEL}' installed successfully."
 
-    guard_dir && return 0
+    guard_dir; return 0
 
   else
 
     chroot_script "${TARGET}" "
       export INITRD=No
+      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
       apt-get install -y --no-install-recommends --no-install-suggests ${image} initramfs-tools 2>&1 | tee -a ${var_logfile}
-      echo ExitCode: \$? >> ${var_logfile}
     "
 
     do_log "info" "file_only" "4120() Kernel image: '${image}' installed successfully."
 
-    guard_dir && return 0
+    guard_dir; return 0
 
   fi
-
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f installation_kernel
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base/4121_installation_initramfs.sh

@@ -10,17 +10,17 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
-# Installation of the specified kernel.
+# Installation of 'initramfs'-environment.
 # Every 'apt-get install' command is invoked by adding 'export INITRD=No'
 # to suppress the 'update-initramfs'-Kernel-Hooks, according to the initramfs-tools manpage:
 # https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
 # Globals:
 #   TARGET
-#   VAR_KERNEL
+#   VAR_ROOT_FS
-#   image
+#   VAR_SETUP_PATH
 # Arguments:
 #   None
 # Returns:
@@ -28,9 +28,18 @@ guard_sourcing
 #######################################
 installation_initramfs() {
   ### Declare Arrays, HashMaps, and Variables.
-  declare     var_modules=""
+  declare     var_modules="" var_whereiam=""
 
-  ### Install the script to be called by 'update-initramfs' for installing the necessary modules to load into initramfs environment.
+  # shellcheck disable=SC2312
+  if [[ -x "$(command -v virt-what)" ]]; then
+    var_whereiam=$(virt-what | head -n1)
+  else
+    var_whereiam=$(grep -iE 'kvm|vmware|qemu' /sys/class/dmi/id/product_name 2>/dev/null || echo "baremetal")
+  fi
+
+  mkdir -p "${TARGET}/etc/initramfs-tools/files"
+
+  ### Install the script that will be called by 'update-initramfs' to install the necessary modules for the initramfs environment.
   install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/modules" \
     "${TARGET}/etc/initramfs-tools/"
 
@@ -39,34 +48,36 @@ installation_initramfs() {
   var_modules=$(grep_nic_driver_modules)
 
   cat << EOF >> "${TARGET}/etc/initramfs-tools/modules"
-
+### Custom NIC driver:
-### Custom NIC driver
 ${var_modules}
 
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 
+  if [[ "${var_whereiam}" =~ ^(kvm|vmware|qemu)$ ]]; then
+
+    cat << EOF >> "${TARGET}/etc/initramfs-tools/modules"
+### QEMU Bochs-compatible virtual machine support:
+bochs
+
+### Virtio support:
+virtio_pci
+virtio_blk
+virtio_scsi
+virtio_console
+virtio_rng
+
+EOF
+  fi
+
+  printf "%s\n" '# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf' >> "${TARGET}/etc/initramfs-tools/modules"
+
   ### MODULES: [ most | netboot | dep | list ]
   ## 'most' - Add most filesystem and all hard-drive drivers.
   ## 'dep'  - Try and guess the modules to load.
 
-  cat << EOF >| "${TARGET}/etc/initramfs-tools/conf.d/driver-policy"
+  insert_header   "${TARGET}/etc/initramfs-tools/conf.d/driver-policy"
-# SPDX-Version: 3.0
+  insert_comments "${TARGET}/etc/initramfs-tools/conf.d/driver-policy"
-# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+  cat << EOF >>   "${TARGET}/etc/initramfs-tools/conf.d/driver-policy"
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-# Static file system information: /etc/initramfs-tools/conf.d/driver-policy
-# Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture: ${VAR_ARCHITECTURE}
-# Distribution: ${VAR_CODENAME}
-
 # Driver inclusion policy selected during installation.
 # Note: This setting overrides the value set in the file '/etc/initramfs-tools/initramfs.conf'.
 
@@ -75,6 +86,21 @@ MODULES=dep
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 
-  guard_dir && return 0
+  insert_header   "${TARGET}/etc/initramfs-tools/conf.d/fsroot"
-}
+  insert_comments "${TARGET}/etc/initramfs-tools/conf.d/fsroot"
+  cat << EOF >>   "${TARGET}/etc/initramfs-tools/conf.d/fsroot"
+FSTYPE=${VAR_ROOT_FS}
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  cat << EOF >>   "${TARGET}/etc/initramfs-tools/conf.d/resume"
+RESUME=none
+EOF
+
+  guard_dir; return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f installation_initramfs
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base/4130_installation_toolset.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Check and set up the minimum required tools for the next installation steps.
@@ -36,14 +36,6 @@ installation_toolset() {
     [btrfs]="btrfs-progs"
     [bunzip2]="bzip2"
     [setupcon]="console-setup"
-    [base64]="coreutils"
-    [cat]="coreutils"
-    [chmod]="coreutils"
-    [chown]="coreutils"
-    [cp]="coreutils"
-    [echo]="coreutils"
-    [ln]="coreutils"
-    [mkdir]="coreutils"
     [curl]="curl"
     [dirmngr]="dirmngr"
     [dmsetup]="dmsetup"
@@ -53,48 +45,31 @@ installation_toolset() {
     [tune2fs]="e2fsprogs"
     [fsck]="e2fsprogs"
     [efibootmgr]="efibootmgr"
-    [fdisk]="fdisk"
     [file]="file"
     [awk]="gawk"
     [gdisk]="gdisk"
     [gnupg]="gnupg"
-    [grep]="grep"
-    [gzip]="gzip"
-    [haveged]="haveged"
     [update-initramfs]="initramfs-tools"
-    [ip]="iproute2"
+    [jitterentropy-rngd]="jitterentropy-rngd"
-    [ping]="iputils-ping"
     [jq]="jq"
     [loadkeys]="kbd"
     [setfont]="kbd"
     [keyctl]="keyutils"
-    [modprobe]="kmod"
     [libpam-pwquality]="libpam-pwquality"
-    [logrotate]="logrotate"
     [lsb_release]="lsb-release"
     [parted]="parted"
-    [chpasswd]="passwd"
-    [chsh]="passwd"
     [lspci]="pciutils"
-    [sysctl]="procps"
     [pwgen]="pwgen"
-    [sed]="sed"
+    [rsyslogd]="rsyslog"
     [sudo]="sudo"
-    [tar]="tar"
+    [pam_systemd]="libpam-systemd"
     [tree]="tree"
     [unzip]="unzip"
     [lsusb]="usbutils"
-    [blkid]="util-linux"
-    [dmesg]="util-linux"
-    [lsblk]="util-linux"
-    [findmnt]="util-linux"
-    [mount]="util-linux"
-    [umount]="util-linux"
     [xxd]="vim-common"
     [wget]="wget"
     [whois]="whois"
     [zsh]="zsh"
-    [zstd]="zstd"
   )
 
   declare -a  ary_missing_pkgs=() ary_unique_pkgs=()
@@ -122,12 +97,15 @@ installation_toolset() {
 
     chroot_script "${TARGET}" "
       export INITRD=No
+      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
       apt-get install -y --no-install-recommends --no-install-suggests ${ary_unique_pkgs[*]} 2>&1 | tee -a ${var_logfile}
-      echo ExitCode: \$? >> ${var_logfile}
     "
 
   fi
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f installation_toolset
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base/4131_installation_systemd.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Ensure systemd is in place.
@@ -35,8 +35,8 @@ installation_systemd() {
 
     chroot_script "${TARGET}" "
       export INITRD=No
+      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
       apt-get install -y --no-install-recommends --no-install-suggests systemd systemd-sysv dbus 2>&1 | tee -a ${var_logfile}
-      echo ExitCode: \$? >> ${var_logfile}
     "
 
   else
@@ -49,6 +49,9 @@ installation_systemd() {
     systemctl --version 2>&1 | tee -a ${var_logfile} | grep -qi 'systemd' || echo '[WARN]: systemd not verifiable' >> ${var_logfile}
   "
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f installation_systemd
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base/4132_installation_machineid.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Generate machine-id if missing.
@@ -33,6 +33,9 @@ installation_machineid() {
 
   fi
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f installation_machineid
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base/4133_installation_masking.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Turn off Energy saving mode and ctrl-alt-del.
@@ -25,9 +25,16 @@ installation_masking() {
   chroot_script "${TARGET}" "
     systemctl mask ctrl-alt-del.target sleep.target suspend.target hibernate.target hybrid-sleep.target
   "
+  do_log "info" "file_only" "4133() Masked: [ctrl-alt-del.target sleep.target suspend.target hibernate.target hybrid-sleep.target]"
 
-  do_log "info" "file_only" "4133() Masked: [ctrl-alt-del.target sleep.target suspend.target hibernate.target hybrid-sleep.target]."
+  chroot_script "${TARGET}" "
+    systemctl mask plymouth-start.service plymouth-quit.service plymouth-quit-wait.service plymouth-read-write.service
+  "
+  do_log "info" "file_only" "4133() Masked: [plymouth-start.service plymouth-quit.service plymouth-quit-wait.service plymouth-read-write.service]"
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f installation_masking
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base/4140_installation_microcode.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Install microcode updates depending on architecture (amd64, arm64, intel64) and environment (Baremetal, VM).
@@ -56,16 +56,16 @@ installation_microcode() {
 
       chroot_script "${TARGET}" "
         export INITRD=No
+        [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
         apt-get install -y --no-install-recommends --no-install-suggests ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
-        echo ExitCode: \$? >> ${var_logfile}
       "
 
     else
 
       chroot_script "${TARGET}" "
         export INITRD=No
+        [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
         apt-get install -y --no-install-recommends --no-install-suggests --only-upgrade ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
-        echo ExitCode: \$? >> ${var_logfile}
       "
 
     fi
@@ -76,6 +76,9 @@ installation_microcode() {
 
   fi
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f installation_microcode
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base/4145_installation_firmware.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Install microcode updates depending on architecture (amd64, arm64, intel64) and environment (Baremetal, VM).
@@ -90,7 +90,7 @@ installation_firmware() {
 
         if [[ -n "${var_alias}" ]]; then
 
-          if [[ -z "${hmp_alias_unique[${var_alias}]}" ]]; then
+          if [[ -z "${hmp_alias_unique[${var_alias}]:-}" ]]; then
 
             hmp_alias_unique["${var_alias}"]=1
             printf '%s\n' "${var_alias}" >> "${dir_fw}/4145_s1_mod_aliases_all.txt"
@@ -294,12 +294,15 @@ installation_firmware() {
 
   chroot_script "${TARGET}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get install -y --no-install-recommends --no-install-suggests ${ary_pkgs_resolved[*]} 2>&1 | tee -a ${var_logfile}
-    echo ExitCode: \$? >> ${var_logfile}
   "
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f installation_firmware
 
 #######################################
 # Helper: Wildcardize a module alias (bus-aware, conservative)
@@ -352,4 +355,7 @@ wildcard_mod_alias() {
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f wildcard_mod_alias
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base/4150_installation_chrony.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Setup chrony NTPSec client.
@@ -49,8 +49,8 @@ installation_chrony() {
 
   chroot_script "${TARGET}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get install -y --no-install-recommends --no-install-suggests chrony 2>&1 | tee -a ${var_logfile}
-    echo ExitCode: \$? >> ${var_logfile}
   "
 
   if [[ ! -e "${TARGET}/etc/systemd/system/multi-user.target.wants/chrony.service" ]]; then
@@ -71,13 +71,15 @@ installation_chrony() {
   do_log "debug" "file_only" "4150() Executing: [chroot_script ${TARGET} chronyd -Q -f /etc/chrony/chrony.conf]."
   chroot_script "${TARGET}" "
     chronyd -Q -f /etc/chrony/chrony.conf 2>&1 | tee -a ${var_logfile}
-    echo ExitCode: \$? >> ${var_logfile}
   "
 
   do_log "info" "file_only" "4150() Chrony NTPsec client installed."
 
   rm -f "${var_of}"
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f installation_chrony
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base/4160_installation_eza.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
+
+#######################################
+# Install Cisofy Lynis.
+# Globals:
+#   TARGET
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+installation_eza() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_logfile="/root/.ciss/cdi/log/4160_installation_eza.log"
+
+  chroot_logger "${TARGET}${var_logfile}"
+
+  # shellcheck disable=SC2312
+  wget -qO- https://raw.githubusercontent.com/eza-community/eza/main/deb.asc | \
+    gpg --dearmor -o  "${TARGET}/etc/apt/trusted.gpg.d/gierens.gpg"
+
+  insert_header   "${TARGET}/etc/apt/sources.list.d/gierens.sources"
+  insert_comments "${TARGET}/etc/apt/sources.list.d/gierens.sources"
+  cat << 'EOF' >> "${TARGET}/etc/apt/sources.list.d/gierens.sources"
+#------------------------------------------------------------------------------------------------------------------------------#
+#                                                     OFFICIAL GIERENS REPOS                                                   #
+#------------------------------------------------------------------------------------------------------------------------------#
+Types: deb
+URIs: https://deb.gierens.de
+Suites: stable
+Components: main
+Enabled: yes
+Signed-By: /etc/apt/trusted.gpg.d/gierens.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+  chroot_script "${TARGET}" "
+    export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+    apt-get update
+    apt-get install -y --no-install-recommends --no-install-suggests eza 2>&1 | tee -a ${var_logfile}
+  "
+
+  guard_dir; return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f installation_eza
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base/4170_installation_lynis.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
+
+#######################################
+# Install Cisofy Lynis.
+# Globals:
+#   TARGET
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+installation_lynis() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_logfile="/root/.ciss/cdi/log/4170_installation_lynis.log"
+
+  chroot_logger "${TARGET}${var_logfile}"
+
+  # shellcheck disable=SC2312
+  curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | \
+    gpg --dearmor -o  "${TARGET}/etc/apt/trusted.gpg.d/cisofy-software-public.gpg"
+
+  insert_header   "${TARGET}/etc/apt/sources.list.d/cisofy-lynis.sources"
+  insert_comments "${TARGET}/etc/apt/sources.list.d/cisofy-lynis.sources"
+  cat << 'EOF' >> "${TARGET}/etc/apt/sources.list.d/cisofy-lynis.sources"
+#------------------------------------------------------------------------------------------------------------------------------#
+#                                                     OFFICIAL CISOFY REPOS                                                    #
+#------------------------------------------------------------------------------------------------------------------------------#
+Types: deb
+URIs: https://packages.cisofy.com/community/lynis/deb/
+Suites: stable
+Components: main
+Enabled: yes
+Signed-By: /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+  chroot_script "${TARGET}" "
+    export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+    apt-get update
+    apt-get install -y --no-install-recommends --no-install-suggests lynis 2>&1 | tee -a ${var_logfile}
+  "
+
+  guard_dir; return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f installation_lynis
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4200_boot/4200_generate_fstab.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Wrapper to write '/etc/fstab' entries.
@@ -28,23 +28,26 @@ guard_sourcing
 write_fstab() {
   declare write_maps="$1" write_path="$2" write_type="$3" write_opts="$4" write_pass="$5"
 
-  if [[ "${write_maps}" =~ ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}$ ]] || [[ "${write_maps}" =~ ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ ]]; then
+  if [[ "${write_maps}" == /dev/mapper/* ]]; then
-
-    printf "%-43s%-28s%-18s%-100s0 %s\n" "UUID=${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
-    do_log "info" "file_only" "4200() fstab entry generated: [UUID=${write_maps}    ${write_path}    ${write_type}    ${write_opts}    0 ${write_pass}]."
-
-  elif [[ "${write_maps}" == /dev/mapper/* ]]; then
 
     printf "%-43s%-28s%-18s%-100s0 %s\n" "${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
     do_log "info" "file_only" "4200() fstab entry generated: [${write_maps}    ${write_path}    ${write_type}    ${write_opts}    0 ${write_pass}]."
 
+  else
+
+    printf "%-43s%-28s%-18s%-100s0 %s\n" "UUID=${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
+    do_log "info" "file_only" "4200() fstab entry generated: [UUID=${write_maps}    ${write_path}    ${write_type}    ${write_opts}    0 ${write_pass}]."
+
   fi
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f write_fstab
 
 #######################################
-# Generate target '/etc/fstab' entries.
+# Generate the '/etc/fstab' target entries.
 # Globals:
 #   ARY_PATHS_SORTED
 #   HMP_EPHEMERAL_ENCLABEL
@@ -52,7 +55,6 @@ write_fstab() {
 #   HMP_FSTAB_MOUNT_OPTS
 #   HMP_PATH_FSUUID
 #   TARGET
-#   VAR_VERSION
 # Arguments:
 #   None
 # Returns:
@@ -63,26 +65,9 @@ generate_fstab() {
   declare    var_path="" var_dmapper="" var_fs_uuid="" var_fs_path="" var_fs_type="" var_fs_opts="" var_fs_pass=""
 
   ### Generate '${TARGET}/etc/fstab' header.
-  : >| "${TARGET}/etc/fstab"
+  insert_header "${TARGET}/etc/fstab"
-  chmod 0600 "${TARGET}/etc/fstab"
+  insert_comments "${TARGET}/etc/fstab"
-
   cat << EOF >> "${TARGET}/etc/fstab"
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-# Static file system information: /etc/fstab
-# Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture: ${VAR_ARCHITECTURE}
-# Distribution: ${VAR_CODENAME}
-
 # Use 'blkid' to print the universally unique identifier for a device; this may be used with [UUID=] as a more robust way to
 # name devices that work even if disks are added and removed. See fstab(5).
 #
@@ -96,11 +81,13 @@ EOF
   ### Generate dynamic '${TARGET}/etc/fstab' entries.
   for var_path in "${ARY_PATHS_SORTED[@]}"; do
 
+    [[ "${var_path}" == "/recovery" ]] && continue
+
     case "${var_path,,}" in
 
-      swap|SWAP) continue;;
+      swap) continue;;
 
-      /tmp)
+      "/tmp")
 
         var_dmapper="${HMP_EPHEMERAL_ENCLABEL["${var_path}"]}"
         var_fs_uuid="/dev/mapper/${var_dmapper}"
@@ -162,6 +149,9 @@ EOF
         continue
         ;;
 
+      *)
+        do_log "info" "file_only" "4200() No valid FS found for: '${var_fs_path}'."
+
     esac
 
   done
@@ -171,17 +161,18 @@ EOF
   var_fs_uuid="/dev/mapper/${var_dmapper}"
   var_fs_path="none"
   var_fs_type="swap"
-  var_fs_opts="defaults"
+  var_fs_opts="${HMP_FSTAB_MOUNT_OPTS["SWAP"]}"
   var_fs_pass="0"
   write_fstab "${var_fs_uuid}" "${var_fs_path}" "${var_fs_type}" "${var_fs_opts}" "${var_fs_pass}"
 
+  ### Generate CD-ROM entry.
+  mkdir -p "${TARGET}/media/cdrom0"
   cat << 'EOF' >> "${TARGET}/etc/fstab"
 
-/dev/sr0                                   /media/cdrom0               auto              noauto,nofail,ro,user,x-systemd.automount,x-systemd.device-timeout=0                                0 0
+# /dev/sr0                                 /media/cdrom0               auto              noauto,nofail,ro,user,x-systemd.automount,x-systemd.device-timeout=0                                0 0                                                                                        0 0
-#/dev/sr0                                  /media/cdrom0               udf,iso9660       user,noauto                                                                                         0 0
 
 EOF
-  do_log "info" "file_only" "4200() fstab entry generated: '/dev/sr0  /media/cdrom0  udf,iso9660  user,noauto  0 0'."
+  do_log "info" "file_only" "4200() fstab entry generated: '/dev/sr0  /media/cdrom0  auto  noauto,nofail,ro,user,x-systemd.automount,x-systemd.device-timeout=0  0 0'."
 
   cat << 'EOF' >> "${TARGET}/etc/fstab"
 ### Secure tmpfs mounts for a hardened system
@@ -199,6 +190,9 @@ tmpfs                                      /run                        tmpfs
 # vim: number et ts=2 sw=2 sts=2 ai tw=200 ft=sh
 EOF
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_fstab
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4200_boot/4205_check_fstab.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Basic '/etc/fstab' checks inside chroot.
@@ -48,6 +48,9 @@ check_fstab() {
     } 2>&1 | tee -a '"${var_logfile}"'
   '
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f check_fstab
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4200_boot/4210_generate_crypttab.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # '/etc/crypttab' entry writer and logger.
@@ -32,9 +32,12 @@ write_crypttab() {
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f write_crypttab
 
 #######################################
-# Generate target '/etc/crypttab' entries.
+# Generate the '/etc/crypttab' target entries.
 # Globals:
 #   HMP_EPHEMERAL_ENCLABEL
 #   HMP_PATH_ENCLABEL
@@ -42,8 +45,6 @@ write_crypttab() {
 #   HMP_PATH_LUKSUUID
 #   TARGET
 #   VAR_DROPBEAR
-#   VAR_NUKE
-#   VAR_VERSION
 # Arguments:
 #   None
 # Returns:
@@ -51,36 +52,23 @@ write_crypttab() {
 #######################################
 generate_crypttab() {
   ### Declare Arrays, HashMaps, and Variables.
-  declare     var_key="" var_encryption_label="" var_luks_uuid="" var_ephemeral_enclabel="" var_host_uuid=""
+  declare     var_key="" var_encryption_label="" var_luks_uuid="" var_ephemeral_enclabel="" var_host_fs_label="" \
+              var_host_partuuid=""
 
   ensure_lowercase "VAR_DROPBEAR"
 
   ### Generate '${TARGET}/etc/crypttab' header.
-  : >| "${TARGET}/etc/crypttab"
+  insert_header "${TARGET}/etc/crypttab"
-  chmod 0600 "${TARGET}/etc/crypttab"
+  insert_comments "${TARGET}/etc/crypttab"
-
   cat << EOF >> "${TARGET}/etc/crypttab"
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-# Static file system information: /etc/crypttab
-# Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture: ${VAR_ARCHITECTURE}
-# Distribution: ${VAR_CODENAME}
-
 # Basic rule: 'discard' / 'nodiscard' are normally only set in '/etc/crypttab' when LUKS/dm-crypt is in use. Options like
 # 'discard=async' or similar are typically only set in '/etc/fstab' (at the file system level). The crypttab determines whether
 # the underlying encrypted device (LUKS/dm-crypt) passes TRIM commands to the physical drive or not. The '/etc/fstab' determines
 # whether and how the file system itself generates the discard operations and sends them down through the LUKS layer.
 #
+# For non-ephemeral devices the respective UUID of the LUKS-device is used.
+# For the ephemeral devices the respective PART UUID of the host dummy partition is used.
+#
 # RECOMMENDED: 'discard' enables the TRIM commands to be forwarded by the dm-crypt layer to the SSD/physical device. If ones do
 # not specify discard in the '/etc/crypttab', dm-crypt blocks TRIM by default. This would render a discard in the '/etc/fstab'
 # ineffective.
@@ -92,33 +80,36 @@ EOF
   ### Generate '${TARGET}/etc/crypttab' entries.
   for var_key in "${!HMP_PATH_LUKSUUID[@]}"; do
 
+    [[ "${var_key}" == "/recovery" ]] && continue
+
     var_encryption_label="${HMP_PATH_ENCLABEL["${var_key}"]}"
     var_luks_uuid="${HMP_PATH_LUKSUUID["${var_key}"]}"
 
     if [[ "${VAR_DROPBEAR}" == "true" ]]; then
 
-      if [[ "${var_key}" == "/" ]]; then
+      case  "${var_key,,}" in
 
-        mkdir -p "${TARGET}/etc/initramfs-tools/files"
+        "/")
-        mkdir -p "${TARGET}/usr/lib/cryptsetup/scripts"
+          write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "pw_main" "check,discard,initramfs,keyscript=decrypt_keyctl,luks,noauto,same-cpu-crypt,tries=1"
+          ;;
 
-        ### Install the script to be called inside initramfs environment for unlocking LUKS and NUKE Devices.
+        "/usr")
-        install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock_wrapper.sh" \
+          write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "pw_main" "check,discard,initramfs,keyscript=decrypt_keyctl,luks,noauto,same-cpu-crypt,tries=1"
-          "${TARGET}/etc/initramfs-tools/files/"
+          ;;
-        install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock_wrapper.sh" \
-          "${TARGET}/lib/cryptsetup/scripts/"
 
-        write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=/lib/cryptsetup/scripts/unlock_wrapper.sh"
+        "/boot")
+          write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "pw_boot" "check,discard,initramfs,keyscript=decrypt_keyctl,luks,noauto,same-cpu-crypt,tries=1"
+          ;;
+
+        *)
+          write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "pw_main" "check,discard,initramfs,keyscript=decrypt_keyctl,luks,noauto,same-cpu-crypt,tries=1"
+          ;;
+
+      esac
 
     else
 
-        write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs"
+      write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "check,discard,luks,same-cpu-crypt"
-
-      fi
-
-    else
-
-      write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard"
 
     fi
 
@@ -128,16 +119,23 @@ EOF
   for var_key in "${!HMP_EPHEMERAL_ENCLABEL[@]}"; do
 
     var_ephemeral_enclabel="${HMP_EPHEMERAL_ENCLABEL["${var_key}"]}"
-    var_host_uuid="${HMP_PATH_FSUUID["${var_key}"]}"
+    var_host_fs_label="${HMP_EPHEMERAL_FS_LABEL["${var_key}"]}"
+    var_host_partuuid="${HMP_PATH_PARTUUID["${var_key}"]}"
 
-    case "${var_key}" in
+    case "${var_key,,}" in
 
-      SWAP)
+      swap)
-        write_crypttab "${var_ephemeral_enclabel}" "UUID=${var_host_uuid}" "/dev/random" "swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096"
+        write_crypttab "${var_ephemeral_enclabel}" "PARTUUID=${var_host_partuuid}" "/dev/random" "cipher=aes-xts-plain64,size=512,discard,swap"
         ;;
 
       /tmp)
-        write_crypttab "${var_ephemeral_enclabel}" "UUID=${var_host_uuid}" "/dev/random" "offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4"
+        write_crypttab "${var_ephemeral_enclabel}" "PARTUUID=${var_host_partuuid}" "/dev/random" "cipher=aes-xts-plain64,size=512,discard,tmp=ext4"
+        mkdir -p "${TARGET}/etc/tmpfiles.d"
+        insert_header   "${TARGET}/etc/tmpfiles.d/10-tmp.conf"
+        insert_comments "${TARGET}/etc/tmpfiles.d/10-tmp.conf"
+        cat << 'EOF' >> "${TARGET}/etc/tmpfiles.d/10-tmp.conf"
+d /tmp 1777 root root -
+EOF
         ;;
 
       *)
@@ -154,6 +152,9 @@ EOF
 # vim: number et ts=2 sw=2 sts=2 ai tw=200 ft=sh
 EOF
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_crypttab
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4200_boot/4220_installation_cryptsetup.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Installation of 'cryptsetup' and 'cryptsetup-initramfs' after '/etc/crypttab' generation.
@@ -30,12 +30,15 @@ installation_cryptsetup() {
 
   chroot_logger "${TARGET}${var_logfile}"
 
-  chroot_script "${TARGET}" '
+  chroot_script "${TARGET}" "
     export INITRD=No
-    apt-get install -y --no-install-recommends --no-install-suggests cryptsetup cryptsetup-initramfs 2>&1 | tee -a '"${var_logfile}"'
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-    echo ExitCode: $? >> '"${var_logfile}"'
+    apt-get install -y --no-install-recommends --no-install-suggests cryptsetup cryptsetup-initramfs 2>&1 | tee -a ${var_logfile}
-  '
+  "
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f installation_cryptsetup
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4200_boot/4230_installation_grub.sh

@@ -10,8 +10,9 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
+#######################################
 # --- UEFI GRUB Installation Strategy ---
 #
 # We explicitly install GRUB using '--no-nvram' to avoid modifying NVRAM entries inside the chroot environment, which is
@@ -22,6 +23,7 @@ guard_sourcing
 # - GRUB is available under 'EFI/debian/grubx64.efi' (for manual boot entries).
 # - GRUB is also available as 'EFI/BOOT/BOOTX64.EFI' (UEFI fallback path, no NVRAM needed).
 # This setup ensures compatibility with systems that do not retain NVRAM entries (e.g., removable drives, VM firmware).
+#######################################
 
 #######################################
 # Installation and setup of the GRUB2 (backported) version.
@@ -36,16 +38,17 @@ guard_sourcing
 #   VAR_SETUP_PATH
 #   grub_background_enable
 #   grub_background_path
-#   grub_latest
+#   grub_bootdev
+#   grub_force_efi
 #   grub_prober
 #   grub_skip
+#   grub_update_nvram
 #   var_update_grub_required
 # Arguments:
 #   None
 # Returns:
 #   0: on success
-#   ERR_GRUB_BACKGROUND
+#   ERR_GRUB_ARCHITECTURE: on failure
-#   ERR_GRUB_EFI_FORCE
 #######################################
 installation_grub() {
   ### Declare Arrays, HashMaps, and Variables.
@@ -75,16 +78,16 @@ installation_grub() {
         amd64)
           chroot_script "${TARGET}" "
             export INITRD=No
+            [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
             apt-get install -y --no-install-recommends grub2-common grub-efi-amd64 grub-efi-amd64-bin 2>&1 | tee -a ${var_logfile}
-            echo ExitCode: \$? >> ${var_logfile}
           "
           ;;
 
         arm64)
           chroot_script "${TARGET}" "
             export INITRD=No
+            [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
             apt-get install -y --no-install-recommends grub2-common grub-efi-arm64 grub-efi-arm64-bin 2>&1 | tee -a ${var_logfile}
-            echo ExitCode: \$? >> ${var_logfile}
           "
           ;;
 
@@ -98,8 +101,8 @@ installation_grub() {
 
       chroot_script "${TARGET}" "
         export INITRD=No
+        [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
         apt-get install -y --no-install-recommends grub2-common grub-pc grub-pc-bin 2>&1 | tee -a ${var_logfile}
-        echo ExitCode: \$? >> ${var_logfile}
       "
 
     fi
@@ -118,16 +121,18 @@ EOF
     if [[ "${grub_background_enable}" == "true" ]]; then
 
       var_background=$(basename "${grub_background_path}")
-      install -m 0640 -o root -g root "${VAR_SETUP_PATH}${grub_background_path}" "${TARGET}/etc/default/grub.d/${var_background}"
+      mkdir -p "${TARGET}/boot/grub"
+      install -m 0640 -o root -g root "${VAR_SETUP_PATH}${grub_background_path}" "${TARGET}/boot/grub/${var_background}"
 
       cat << EOF >> "${TARGET}/etc/default/grub"
 # Enable boot menu background.
-GRUB_BACKGROUND="/etc/default/grub.d/${var_background}"
+GRUB_BACKGROUND="/boot/grub/${var_background}"
 
 # The resolution used on graphical terminal
 # note that you can use only modes which your graphic card supports via VBE
 # you can see them in real GRUB with the command 'vbeinfo'
-GRUB_GFXMODE=1920x1080,1280x1024,1024x768,800x600
+# GRUB_GFXMODE=1920x1080,1280x1024,1280x720,1024x768,800x600,640x480
+GRUB_GFXMODE=1280x720
 GRUB_GFXPAYLOAD_LINUX=keep
 
 EOF
@@ -204,8 +209,11 @@ EOF
   fi
   chmod -R 0700 "${TARGET}/etc/grub.d"
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f installation_grub
 
 #######################################
 # Installs GRUB to BIOS in BIOS mode.
@@ -218,7 +226,7 @@ EOF
 #   None
 # Returns:
 #   0: on success
-#   ERR_GRUB_INSTALL
+#   ERR_GRUB_INSTALL: on failure
 #######################################
 install_grub_bios() {
   ### Declare Arrays, HashMaps, and Variables.
@@ -249,21 +257,22 @@ install_grub_bios() {
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f install_grub_bios
 
 #######################################
 # Installs GRUB to ESP in UEFI mode.
 # Globals:
 #   TARGET
 #   VAR_MODINFO_PATH
-#   grub_bootdev
-#   grub_force_efi
 #   grub_update_nvram
 #   var_update_grub_required
 # Arguments:
 #   None
 # Returns:
 #   0: on success
-#   ERR_GRUB_INSTALL
+#   ERR_GRUB_INSTALL: on failure
 #######################################
 install_grub_uefi() {
   ### Declare Arrays, HashMaps, and Variables.
@@ -290,12 +299,15 @@ install_grub_uefi() {
 
   [[ "${grub_update_nvram}" == "false" ]] && ary_uefi_arg+=( --no-nvram )
 
-  chroot_exec "${TARGET}" grub-install "${ary_uefi_arg[@]}" "${grub_bootdev}" || return "${ERR_GRUB_INSTALL}"
+  chroot_exec "${TARGET}" grub-install "${ary_uefi_arg[@]}" || return "${ERR_GRUB_INSTALL}"
-  do_log "info" "file_only" "4230() Installed: GRUB on Device: '${grub_bootdev}' [UEFI]."
+  do_log "info" "file_only" "4230() Installed: GRUB on [ESP]."
   var_update_grub_required="true"
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f install_grub_uefi
 
 #######################################
 # Get the path of the required Grub modules.
@@ -312,6 +324,7 @@ get_grub_modinfo_path() {
   ### Declare Arrays, HashMaps, and Variables.
   declare -gx VAR_MODINFO_PATH=""
 
+  # shellcheck disable=SC2249
   case "${VAR_RECIPE_FIRMWARE}" in
 
     uefi)
@@ -335,4 +348,7 @@ get_grub_modinfo_path() {
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f get_grub_modinfo_path
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4200_boot/4240_update_grub_password.sh

@@ -10,35 +10,36 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Append the GRUB superuser block to '/etc/grub.d/40_custom'.
 # Globals:
-#   DIR_CNF
+#   CISS_SECRET_GRUB
 #   TARGET
 # Arguments:
 #   None
 # Returns:
 #   0: on success
-#   ERR_READ_GRUB_FILE
+#   ERR_READ_GRUB_FILE: on failure
 #######################################
 update_grub_password() {
   ### Declare Arrays, HashMaps, and Variables.
-  declare var_username="superadmin" var_password="" var_password_file="${DIR_CNF}/password_grub.txt" \
+  declare var_username="superadmin" var_password="" \
           var_of="${TARGET}/etc/grub.d/40_custom" var_grub_entry=""
 
-  ### TODO: PASSWORD REMINDER START
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
   guard_trace on
 
-  var_password=$(<"${var_password_file}") || return "${ERR_READ_GRUB_FILE}"
+  var_password="${CISS_SECRET_GRUB}" || return "${ERR_READ_GRUB_FILE}"
+  unset CISS_SECRET_GRUB
 
   var_grub_entry=$(generate_grub_password_pbkdf2 "${var_username}" "${var_password}")
 
-  #### TODO: PASSWORD REMINDER STOP
   guard_trace off
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
 
-  ### Append if not already present
+  ### Append if not already present.
   if ! grep -q "set superusers=" "${var_of}"; then
     {
       echo ""
@@ -50,11 +51,16 @@ update_grub_password() {
 
   chroot_exec "${TARGET}" update-grub
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f update_grub_password
 
 #######################################
 # Generate PBKDF2 password hash for GRUB.
+# Globals:
+#   None
 # Arguments:
 #   1: Username (default to superadmin).
 #   2: User password.
@@ -81,4 +87,7 @@ EOF
 
  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_grub_password_pbkdf2
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4200_boot/4250_update_grub_bootparameter.sh

@@ -10,20 +10,24 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Options in "GRUB_CMDLINE_LINUX" are always effective.
+### Options in "GRUB_CMDLINE_LINUX" are always effective, (incl. recovery).
 ### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
-# Hardening Grub boot parameter.
+# Hardening: update the Grub boot parameter and the Dropbear and Nuke parameters if opted in.
 # Globals:
 #   ARY_BOOTPARAM
+#   HMP_PATH_ENCLABEL
 #   TARGET
-#   VAR_GRUB_CMDLINE_LINUX
+#   VAR_CRYPT_ROOT
-#   VAR_GRUB_CMDLINE_LINUX_DEFAULT
+#   VAR_DROPBEAR
 #   VAR_NUKE
 #   VAR_NUKE_HASH
+#   VAR_SEC_FW
+#   VV_GRUB_CMDLINE_LINUX
+#   VV_GRUB_CMDLINE_LINUX_DEFAULT
 # Arguments:
 #   None
 # Returns:
@@ -31,7 +35,7 @@ guard_sourcing
 #######################################
 update_grub_bootparameter() {
   ### Declare Arrays, HashMaps, and Variables.
-  declare     var_nuke_string="" var_param="" var_label=""
+  declare     var_nuke_string="" var_param="" var_label="" var_nuke_esc=""
 
   grub_extract_current_string
 
@@ -52,14 +56,25 @@ update_grub_bootparameter() {
 
   done
 
+  if [[ "${VAR_SEC_FW}" == "apparmor" ]]; then
+
+    VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX:+${VV_GRUB_CMDLINE_LINUX} }apparmor=1 security=apparmor lsm=lockdown,yama,integrity,apparmor,bpf"
+
+  elif [[ "${VAR_SEC_FW}" == "selinux" ]]; then
+
+    ### We start in permissive mode first, so we don't pass 'enforcing=1' through the command line.
+    VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX:+${VV_GRUB_CMDLINE_LINUX} }selinux=1 security=selinux"
+
+  fi
 
   if [[ "${VAR_DROPBEAR}" == "true" ]]; then
     var_label="${HMP_PATH_ENCLABEL["/"]}"
-    VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX:+${VV_GRUB_CMDLINE_LINUX} }cryptdevice=${VAR_CRYPT_ROOT}:cryptroot root=/dev/mapper/${var_label}"
+    VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX} cryptdevice=${VAR_CRYPT_ROOT}:cryptroot root=/dev/mapper/${var_label}"
   fi
 
   if [[ "${VAR_NUKE}" == "true" ]]; then
-    var_nuke_string="nuke=${VAR_NUKE_HASH}"
+    var_nuke_esc="${VAR_NUKE_HASH//$/\\$}"
+    var_nuke_string="nuke=${var_nuke_esc}"
     # shellcheck disable=SC2034
     VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX} ${var_nuke_string}"
   fi
@@ -68,6 +83,9 @@ update_grub_bootparameter() {
 
   chroot_exec "${TARGET}" update-grub
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f update_grub_bootparameter
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4300_network/4300_installation_network.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Setup network.
@@ -18,19 +18,15 @@ guard_sourcing
 #   ARY_IPV4_NS
 #   ARY_IPV6_NS
 #   TARGET
-#   VAR_ARCHITECTURE
-#   VAR_CODENAME
 #   VAR_FINAL_IPV4
 #   VAR_FINAL_IPV4_GW
 #   VAR_FINAL_IPV4_SUBNET
-#   VAR_FINAL_IPV6
+#   VAR_FINAL_IPV6_CIDR
 #   VAR_FINAL_IPV6_GW
-#   VAR_FINAL_IPV6_SUBNET
 #   VAR_FINAL_NIC
-#   VAR_LINK_IPV6
-#   VAR_VERSION
 #   network_autoconfig_enable
 #   network_choose_interface_auto
+#   network_static_dns_dhcp_override
 #   network_static_ipv4nameserver_0
 #   network_static_ipv6address
 #   network_static_ipv6nameserver_0
@@ -41,9 +37,30 @@ guard_sourcing
 #######################################
 installation_network() {
   ### Declare Arrays, HashMaps, and Variables.
-  declare     var_supersede="" var_supersede_ipv6=""
+  declare     var_supersede=""
+  declare -a  ary_dns_supersede=()
+  declare -r  var_logfile="/root/.ciss/cdi/log/4300_installation_network.log"
+
+  chroot_logger "${TARGET}${var_logfile}"
+
+  chroot_script "${TARGET}" "
+    export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+    apt-get purge -y dhcpcd isc-dhcp-client 2>&1 | tee -a ${var_logfile}
+  "
+
+  chroot_script "${TARGET}" "
+    export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+    apt-get install -y --no-install-suggests dhcpcd-base ifupdown 2>&1 | tee -a ${var_logfile}
+  "
+
+  chroot_script "${TARGET}" "
+    export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+    systemctl disable systemd-networkd NetworkManager 2>/dev/null | tee -a ${var_logfile} || true
+  "
 
-  chroot_exec "${TARGET}" apt-get install -y dhcpcd-base
   mkdir -p "${TARGET}/etc/network/interfaces.d"
 
   ### Create a network configuration file header.
@@ -55,261 +72,172 @@ installation_network() {
 
   fi
 
-  cat << EOF >| "${TARGET}/etc/network/interfaces"
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-# Static file system information: /etc/network/interfaces
-# Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture: ${VAR_ARCHITECTURE}
-# Distribution: ${VAR_CODENAME}
-
-# This file describes the network interfaces available on your system
-# and how to activate them. For more information, see interfaces(5).
-
-source /etc/network/interfaces.d/*
-
-# The loopback network interface
-auto lo
-iface lo inet loopback
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
-EOF
-  chmod 0644 "${TARGET}/etc/network/interfaces"
-  do_log "info" "file_only" "4300() Header '${TARGET}/etc/network/interfaces' created."
-
-  ### Configure network interfaces based on 'preseed.yaml' and create network configuration files for IPv4.
-  if [[ "${network_autoconfig_enable}" == "true" && "${network_choose_interface_auto}" == "true" ]]; then
-
   ### Reminder ###
   # auto:
   # For servers or systems with static interfaces that should always be available (e.g., eth0 on a server).
   # For configurations where the interface should be active regardless of the cable status.
   # allow-hotplug:
-    # For systems with dynamic or removable network devices (e.g., laptops or USB adapters).
+  # For systems with dynamic or removable network devices (e.g., laptops, USB adapters, VMs).
   # To avoid boot delays when interfaces are unavailable.
 
-    cat << EOF >| "${TARGET}/etc/network/interfaces.d/10-ipv4-dhcp"
+  insert_header   "${TARGET}/etc/network/interfaces"
-# SPDX-Version: 3.0
+  insert_comments "${TARGET}/etc/network/interfaces"
-# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+  cat << EOF >>   "${TARGET}/etc/network/interfaces"
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# This file describes the network interfaces available on your system
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# and how to activate them. For more information, see interfaces(5).
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
 
-# Static file system information: /etc/network/interfaces.d/10-ipv4-dhcp
+# The loopback network interface
-# Generated by CISS.debian.installer ${VAR_VERSION}
+auto lo
-# Architecture: ${VAR_ARCHITECTURE}
+iface lo inet loopback
-# Distribution: ${VAR_CODENAME}
 
-# The primary network interface IPv4
+EOF
+  chmod 0644 "${TARGET}/etc/network/interfaces"
+  do_log "info" "file_only" "4300() Header '${TARGET}/etc/network/interfaces' created."
+
+
+  ### Configure network interfaces based on 'preseed.yaml' and create network configuration files for IPv4.
+  if [[ "${network_autoconfig_enable}" == "true" && "${network_choose_interface_auto}" == "true" ]]; then
+
+    cat << EOF >>   "${TARGET}/etc/network/interfaces"
+# The primary network interface: IPv4 via DHCP
 auto ${VAR_FINAL_NIC}
 iface ${VAR_FINAL_NIC} inet dhcp
 
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
-    chmod 0644 "${TARGET}/etc/network/interfaces.d/10-ipv4-dhcp"
     do_log "info" "file_only" "4300() IPv4 on the primary NIC: '${VAR_FINAL_NIC}' configured with DHCP."
 
   elif [[ "${network_autoconfig_enable}" == "true" && "${network_choose_interface_auto}" == "false" ]]; then
 
-    cat << EOF >| "${TARGET}/etc/network/interfaces.d/10-ipv4-dhcp"
+    cat << EOF >>   "${TARGET}/etc/network/interfaces"
-# SPDX-Version: 3.0
+# The primary network interface: IPv4 via DHCP
-# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-# Static file system information: /etc/network/interfaces.d/10-ipv4-dhcp
-# Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture: ${VAR_ARCHITECTURE}
-# Distribution: ${VAR_CODENAME}
-
-# The primary network interface IPv4
 auto ${VAR_FINAL_NIC}
 iface ${VAR_FINAL_NIC} inet dhcp
 
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
-    chmod 0644 "${TARGET}/etc/network/interfaces.d/10-ipv4-dhcp"
     do_log "info" "file_only" "4300() IPv4 on the primary NIC: '${VAR_FINAL_NIC}' configured with DHCP."
 
   fi
 
   if [[ "${network_autoconfig_enable}" == "false" ]]; then
 
-    # shellcheck disable=SC2153
+    cat << EOF >>   "${TARGET}/etc/network/interfaces"
-    cat << EOF >| "${TARGET}/etc/network/interfaces.d/10-ipv4-static"
+# The primary network interface: IPv4 via static IP
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-# Static file system information: /etc/network/interfaces.d/10-ipv4-static
-# Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture: ${VAR_ARCHITECTURE}
-# Distribution: ${VAR_CODENAME}
-
-# The primary network interface IPv4
 auto ${VAR_FINAL_NIC}
 iface ${VAR_FINAL_NIC} inet static
   address ${VAR_FINAL_IPV4}
   netmask ${VAR_FINAL_IPV4_SUBNET}
   gateway ${VAR_FINAL_IPV4_GW}
-    dns-nameservers ${ARY_IPV4_NS[*]}
 
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
-    chmod 0644  "${TARGET}/etc/network/interfaces.d/10-ipv4-static"
     do_log "info" "file_only" "4300() IPv4 on the primary NIC: '${VAR_FINAL_NIC}' configured statically."
 
   fi
 
   ### Configure network interfaces based on 'preseed.yaml' and create network configuration files for IPv6.
-  if [[ "${network_autoconfig_enable}" == "true" && "${VAR_LINK_IPV6}" == "true" ]]; then
+  if [[ "${network_autoconfig_enable}" == "true" && -z "${network_static_ipv6address}" ]]; then
 
-    cat << EOF >| "${TARGET}/etc/network/interfaces.d/10-ipv6-dhcp"
+    cat << EOF >>   "${TARGET}/etc/network/interfaces"
-# SPDX-Version: 3.0
+# The primary network interface: IPv6 via SLAAC (+ stateless DHCPv6 for DNS)
-# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+iface ${VAR_FINAL_NIC} inet6 auto
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+  accept_ra 2
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
 
-# Static file system information: /etc/network/interfaces.d/10-ipv6-dhcp
-# Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture: ${VAR_ARCHITECTURE}
-# Distribution: ${VAR_CODENAME}
-
-# The primary network interface IPv6
-auto ${VAR_FINAL_NIC}
-iface ${VAR_FINAL_NIC} inet6 dhcp
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
-    chmod 0644 "${TARGET}/etc/network/interfaces.d/10-ipv6-dhcp"
+    do_log "info" "file_only" "4300() IPv6 on the primary NIC: '${VAR_FINAL_NIC}' configured with stateless DHCPv6."
-    do_log "info" "file_only" "4300() IPv6 on the primary NIC: '${VAR_FINAL_NIC}' configured with DHCP."
 
-  fi
+  elif [[ "${network_autoconfig_enable}" == "false" || -n "${network_static_ipv6address}" ]]; then
 
-  if [[ "${network_autoconfig_enable}" == "false" && -n "${network_static_ipv6address}" ]]; then
+    cat << EOF >>   "${TARGET}/etc/network/interfaces"
-
+# The primary network interface: IPv6 via static IP
-    # shellcheck disable=SC2153
-    cat << EOF >| "${TARGET}/etc/network/interfaces.d/10-ipv6-static"
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-# Static file system information: /etc/network/interfaces.d/10-ipv6-static
-# Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture: ${VAR_ARCHITECTURE}
-# Distribution: ${VAR_CODENAME}
-
-# The primary network interface IPv6
-auto ${VAR_FINAL_NIC}
 iface ${VAR_FINAL_NIC} inet6 static
-    address ${VAR_FINAL_IPV6}/${VAR_FINAL_IPV6_SUBNET}
+  address ${VAR_FINAL_IPV6_CIDR}
   gateway ${VAR_FINAL_IPV6_GW}
-    dns-nameservers ${ARY_IPV6_NS[*]}
+  ### Optional harden, no RA on static v6
+  pre-up sysctl -w net.ipv6.conf.ens3.accept_ra=0
 
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
-    chmod 0644 "${TARGET}/etc/network/interfaces.d/10-ipv6-static"
     do_log "info" "file_only" "4300() IPv6 on the primary NIC: '${VAR_FINAL_NIC}' configured statically."
 
   fi
 
+  printf '# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf\n' >> "${TARGET}/etc/network/interfaces"
 
-  ### Ensure 'dhcpcd-base' DHCP Client is not overwriting the static nameserver settings.
+  ### Prepare basic 'dhcpcd-base' DHCP Client options.
-  if [[ "${network_autoconfig_enable}" == "true" && -n "${network_static_ipv4nameserver_0}" ]]; then
-
   if [[ -f "${TARGET}/etc/dhcpcd.conf" ]]; then
 
     mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc"
     mv "${TARGET}/etc/dhcpcd.conf" "${TARGET}/root/.ciss/cdi/backup/etc/dhcpcd.conf.bak"
-      do_log "info" "file_only" "4300() Existing '${TARGET}/etc/dhcpcd.con' copied."
+    do_log "info" "file_only" "4300() Existing '${TARGET}/etc/dhcpcd.conf' moved."
 
   fi
 
   insert_header   "${TARGET}/etc/dhcpcd.conf"
   insert_comments "${TARGET}/etc/dhcpcd.conf"
-    cat << EOF >> "${TARGET}/etc/dhcpcd.conf"
+  cat << 'EOF' >> "${TARGET}/etc/dhcpcd.conf"
-### Global defaults for all interfaces.
+### No Global APIPA-Fallback.
+noipv4ll
+
+### A ServerID is required by RFC2131.
+require dhcp_server_identifier
+
+### Respect the network MTU. This is applied to DHCP routes.
+option interface_mtu
+
+### A list of options to request from the DHCP server.
 option host_name
 option domain_name
 option domain_search
+option domain_name_servers
+option rapid_commit
+
+### Most distributions have NTP support.
+option ntp_servers
 
 ### Ask server to update both A and PTR via FQDN (RFC 4702 semantics).
 fqdn both
 
-### Enforce static DNS and prevent dhcpcd from writing 'resolv.conf'.
-nooption domain_name_servers
-nohook resolv.conf rdnssd
-
-### Static resolvers (IPv4).
-### (This does NOT write '/etc/resolv.conf' because of nohook above.)
 EOF
 
-    var_supersede=$(printf "%s " "${ARY_IPV4_NS[@]}")
+  ### Ensure 'dhcpcd-base' DHCP Client is not overwriting the static nameserver settings.
-    echo "static domain_name_servers=${var_supersede}" >> "${TARGET}/etc/dhcpcd.conf"
+  ### Collect static DNS from YAML (IPv4 and IPv6).
+  [[ -n "${network_static_ipv4nameserver_0:-}" ]] && ary_dns_supersede+=( "${ARY_IPV4_NS[@]}" )
+  [[ -n "${network_static_ipv6nameserver_0:-}" ]] && ary_dns_supersede+=( "${ARY_IPV6_NS[@]}" )
 
-    do_log "info" "file_only" "4300() DHCP client configuration for IPv4: '${TARGET}/etc/dhcpcd.conf' configured."
+  if [[ "${#ary_dns_supersede[@]}" -gt 0 && "${network_static_dns_dhcp_override}" == "true" ]]; then
-
-  fi
-
-
-
-  if [[ "${network_autoconfig_enable}" == "false" && -n "${network_static_ipv6nameserver_0}" ]]; then
-
-    var_supersede_ipv6=$(printf "%s " "${ARY_IPV6_NS[@]}")
-    echo "static domain_name_servers=${var_supersede_ipv6}" >> "${TARGET}/etc/dhcpcd.conf"
-
-    do_log "info" "file_only" "4300() DHCP client configuration for IPv6: '${TARGET}/etc/dhcpcd.conf' configured."
-
-  fi
-
-  if [[ "${network_autoconfig_enable}" == "true" && -n "${network_static_ipv4nameserver_0}" ]]; then
 
     cat << EOF >>   "${TARGET}/etc/dhcpcd.conf"
+### Enforce static DNS
+nooption domain_name_servers
+nohook rdnssd
+nohook resolvconf
 
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+### Static DNS-resolvers
+interface ${VAR_FINAL_NIC}
 EOF
+
+    var_supersede=$(printf "%s " "${ary_dns_supersede[@]}")
+    echo "  static domain_name_servers=${var_supersede}" >> "${TARGET}/etc/dhcpcd.conf"
+
+    do_log "info" "file_only" "4300() DHCP client configuration: '${TARGET}/etc/dhcpcd.conf' configured."
+
   fi
 
-  guard_dir && return 0
+  if [[ "${VAR_LINK_IPV6}" == "true" && -n "${network_static_ipv6address}" ]]; then
+    echo "  noipv6rs" >> "${TARGET}/etc/dhcpcd.conf"
+  fi
+
+
+  ### Footer (always).
+  echo '' >> "${TARGET}/etc/dhcpcd.conf"
+  echo '# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf' >> "${TARGET}/etc/dhcpcd.conf"
+
+  ### Check dhcpcd connectivity.
+  chroot_script "${TARGET}" "
+    dhcpcd -T ${VAR_FINAL_NIC} | tee -a ${var_logfile}
+  "
+
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f installation_network
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4300_network/4305_installation_netsec.sh

@@ -10,10 +10,10 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
-# Basic '/etc/crypttab' checks inside chroot.
+# Installation of packages 'fail2ban' and 'ufw'.
 # Globals:
 #   TARGET
 # Arguments:
@@ -21,12 +21,21 @@ guard_sourcing
 # Returns:
 #   0: on success
 #######################################
-check_crypttab() {
+installation_netsec() {
   ### Declare Arrays, HashMaps, and Variables.
-  #declare -r  var_logfile="/root/.ciss/cdi/log/4215_check_crypttab.log"
+  declare -r  var_logfile="/root/.ciss/cdi/log/4305_installation_netsec.log"
 
-  #chroot_logger "${TARGET}${var_logfile}"
+  chroot_logger "${TARGET}${var_logfile}"
 
-  guard_dir && return 0
+  chroot_script "${TARGET}" "
+    export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+    apt-get install -y --no-install-suggests fail2ban ufw 2>&1 | tee -a ${var_logfile}
+  "
+
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f installation_netsec
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4300_network/4310_dropbear_build.sh

@@ -10,22 +10,19 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Build Ultra Hardened dropbear-2025.88 from sources.
 # Globals:
 #   DIR_TMP
-#   PATH
+#   TARGET
-#   PATH_SEPARATOR
-#   SHELLOPTS
-#   VAR_DEBUG_TRACE
 #   VAR_SETUP_PATH
 # Arguments:
 #   None
 # Returns:
 #   0: on success
-#   ERR_PATH_NOT_VALID
+#   ERR_PATH_NOT_VALID: on failure
 #######################################
 dropbear_build() {
   ### Declare Arrays, HashMaps, and Variables.
@@ -49,7 +46,8 @@ dropbear_build() {
   #  -s                 : Strip unnecessary symbols directly during linking
   #  -Wl,-z,relro,-z,now: Enables full RELRO (symbol resolution at program startup)
 
-  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+  guard_trace on
+
   # shellcheck disable=SC2016,SC2312
   setsid bash -c '
     ### Sterile environment for the build-process.
@@ -70,8 +68,12 @@ dropbear_build() {
     # shellcheck disable=2312
     make -j"$(nproc)"
   ' >> "${TARGET}${var_logfile}" 2>&1
-  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
 
-  guard_dir && return 0
+  guard_trace off
+
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f dropbear_build
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4300_network/4311_dropbear_initramfs.sh

@@ -10,13 +10,15 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
-# Install Dropbear Initramfs and replace the binaries with the previous Ultra Hardened build.
+# Install the 'dropbear-initramfs' and replace the binaries with those from the previous Ultra Hardened build.
 # Globals:
 #   DIR_TMP
+#   RECOVERY
 #   TARGET
+#   VAR_RUN_RECOVERY
 # Arguments:
 #   None
 # Returns:
@@ -26,31 +28,108 @@ dropbear_initramfs() {
   ### Declare Arrays, HashMaps, and Variables.
   declare     var_file=""
   declare -r  var_logfile="/root/.ciss/cdi/log/4311_dropbear_initramfs.log"
+  declare     var_target="${TARGET}"
 
-  chroot_logger "${TARGET}${var_logfile}"
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
-  chroot_script "${TARGET}" '
+  chroot_logger "${var_target}${var_logfile}"
+
+  chroot_script "${var_target}" "
     export INITRD=No
-    apt-get install -y --no-install-recommends --no-install-suggests dropbear-initramfs 2>&1 | tee -a '"${var_logfile}"'
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-    echo ExitCode: $? >> '"${var_logfile}"'
+    apt-get install -y --no-install-recommends --no-install-suggests dropbear-initramfs dropbear-bin 2>&1 | tee -a ${var_logfile}
-  '
+  "
 
-  chroot_script "${TARGET}" '
+  chroot_script "${var_target}" "
     export INITRD=No
-    apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a '"${var_logfile}"'
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-    echo ExitCode: $? >> '"${var_logfile}"'
+    apt-get purge -y dropbear dropbear-run || true
-  '
+  "
 
-  mv "${TARGET}/usr/sbin/dropbear" "${TARGET}/usr/sbin/dropbear.2022.83"
+  chroot_script "${var_target}" "
-  install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/dropbear" "${TARGET}/usr/sbin/"
+    export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+    apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a ${var_logfile}
+  "
+
+  chroot_script "${var_target}" "
+    export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+    apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a ${var_logfile}
+  "
+
+  mv "${var_target}/usr/sbin/dropbear" "${var_target}/usr/sbin/dropbear.trixie"
+  install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/dropbear" "${var_target}/usr/sbin/"
   do_log "debug" "file_only" "4311() Installation [dropbear] successful."
 
+
   for var_file in dbclient dropbearconvert dropbearkey; do
-    mv "${TARGET}/usr/bin/${var_file}" "${TARGET}/usr/bin/${var_file}.2022.83"
+
-    install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/${var_file}" "${TARGET}/usr/bin/"
+    mv "${var_target}/usr/bin/${var_file}" "${var_target}/usr/bin/${var_file}.trixie"
+    install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/${var_file}" "${var_target}/usr/bin/"
     do_log "debug" "file_only" "4311() Installation [${var_file}] successful."
+
   done
 
-  guard_dir && return 0
+  mkdir -p "${var_target}/etc/initramfs-tools/scripts/init-bottom"
-}
+
+  cat << 'EOF' >| "${var_target}/etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill"
+#!/bin/sh
+
+PREREQ=""
+prereqs() { echo "${PREREQ}"; }
+# shellcheck disable=SC2249
+case "${1}" in
+  prereqs) prereqs; exit 0 ;;
+esac
+
+### Stop dropbear shipped in the initramfs after root pivot.
+[ -x /bin/pidof ] || exit 0
+
+P=$(/bin/pidof dropbear 2>/dev/null) || true
+
+[ -n "${P}" ] || exit 0
+
+/bin/kill -TERM "${P}" 2>/dev/null || true
+/bin/sleep 1
+
+/bin/kill -KILL "${P}" 2>/dev/null || true
+exit 0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  chmod 0755 "${var_target}/etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill"
+
+  insert_header   "${var_target}/etc/apt/preferences.d/99-mask-dropbear"
+  insert_comments "${var_target}/etc/apt/preferences.d/99-mask-dropbear"
+  cat << 'EOF' >> "${var_target}/etc/apt/preferences.d/99-mask-dropbear"
+# Never install the dropbear daemon package at all.
+Package: dropbear
+Pin: release *
+Pin-Priority: -1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+  insert_header   "${var_target}/etc/apt/preferences.d/99-mask-dropbear-initramfs"
+  insert_comments "${var_target}/etc/apt/preferences.d/99-mask-dropbear-initramfs"
+  cat << 'EOF' >> "${var_target}/etc/apt/preferences.d/99-mask-dropbear-initramfs"
+# Keep the currently installed initramfs integration; never upgrade it.
+Package: dropbear-initramfs
+Pin: release *
+Pin-Priority: -1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+  chroot_script "${var_target}" "systemctl mask dropbear.service dropbear.socket"
+  do_log "info" "file_only" "4311() Masked: [dropbear.service dropbear.socket]"
+
+  guard_dir; return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f dropbear_initramfs
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4300_network/4312_dropbear_setup.sh

@@ -10,10 +10,10 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
-# Set up Dropbear Initramfs Environment.
+# Set up the 'dropbear-initramfs' environment.
 # Globals:
 #   TARGET
 #   VAR_FINAL_FQDN
@@ -25,6 +25,9 @@ guard_sourcing
 #   dropbear_dhcp
 #   dropbear_firewall
 #   dropbear_port
+#   dropbear_pub_key
+#   dropbear_sha_file
+#   dropbear_sig_file
 #   network_static_ipv4nameserver_0
 #   network_static_ipv4nameserver_1
 #   ssh_allow_ipv4_0
@@ -36,23 +39,26 @@ guard_sourcing
 #######################################
 dropbear_setup() {
   ### Declare Arrays, HashMaps, and Variables.
-  declare     network_static_ipv4ntpserver_0="192.53.103.108"
+  declare -r  network_static_ipv4ntpserver_0="192.53.103.108" \
+              var_force_command_string='command="/usr/local/bin/unlock_wrapper.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding '
 
-  ### Prepare strong dropbear host keys
+  ### Prepare strong dropbear host keys.
-  rm -f "${TARGET}"/etc/dropbear/initramfs/dropbear*key
+  rm -f "${TARGET}"/etc/dropbear/initramfs/dropbear*key*
 
-  chroot_exec "${TARGET}" /usr/bin/dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key
+  # shellcheck disable=SC2312
-  chroot_exec "${TARGET}" /usr/bin/dropbearkey -t ed25519 -f /etc/dropbear/initramfs/dropbear_ed25519_host_key
+  chroot_exec "${TARGET}" /usr/bin/dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
+  # shellcheck disable=SC2312
+  chroot_exec "${TARGET}" /usr/bin/dropbearkey -t ed25519 -f /etc/dropbear/initramfs/dropbear_ed25519_host_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
 
-  chmod 0600 "${TARGET}"/etc/dropbear/initramfs/dropbear*key
+  chmod 0600 "${TARGET}"/etc/dropbear/initramfs/dropbear*key*
-  chown root:root "${TARGET}"/etc/dropbear/initramfs/dropbear*key
+  chown root:root "${TARGET}"/etc/dropbear/initramfs/dropbear*key*
 
-  ### Prepare dropbear authorized_keys
+  ### Prepare dropbear authorized_keys.
   touch "${TARGET}/etc/dropbear/initramfs/authorized_keys" && chmod 0600 "${TARGET}/etc/dropbear/initramfs/authorized_keys"
-  printf "%s\n" "${user_root_sshpubkey}" >> "${TARGET}/etc/dropbear/initramfs/authorized_keys"
+  printf "%s\n" "${var_force_command_string}${user_root_sshpubkey}" >> "${TARGET}/etc/dropbear/initramfs/authorized_keys"
-  install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/banner" "${TARGET}/etc/dropbear/initramfs/"
+  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/banner" "${TARGET}/etc/dropbear/initramfs/"
 
-  ### Check for initramfs "IP"-variable: static or dynamic configuration vai dhcp.
+  ### Check for initramfs "IP"-variable: static or dynamic configuration via dhcp.
   if [[ "${dropbear_dhcp}" = "false" ]]; then
 
     ### "IP=<HOST IP>::<GATEWAY IP>:<SUBNET MASK>:<FQDN>:<NIC>:none:<DNS 0 IP>:<DNS 1 IP>:<NTP IP>"
@@ -74,31 +80,41 @@ dropbear_setup() {
 
   fi
 
-  ### Generate dropbear configuration file
+  ### Generate dropbear configuration file.
   write_dropbear_conf
 
   ### Install the script to be called by 'update-initramfs' for updating 'PATH'-variable inside initramfs.
-  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-top/fixpath.sh" \
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-premount/1000-fixpath.sh" \
-    "${TARGET}/etc/initramfs-tools/scripts/init-top/"
+    "${TARGET}/etc/initramfs-tools/scripts/init-premount/1000-fixpath"
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-top/0000-fixpath.sh" \
+    "${TARGET}/etc/initramfs-tools/scripts/init-top/0000-fixpath"
 
   ### Install the script to be called by 'update-initramfs' for customizing dropbear inside initramfs.
-  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/hooks/custom-initramfs.sh" \
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/hooks/9999-custom-initramfs.sh" \
     "${TARGET}/etc/initramfs-tools/hooks/"
 
   ### Install the script to be called by 'update-initramfs' for customizing prompt inside initramfs environment.
-  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/hooks/custom-prompt.sh" \
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/hooks/9999-custom-prompt.sh" \
     "${TARGET}/etc/initramfs-tools/hooks/"
 
   ### Install the script to be called inside initramfs environment for unlocking LUKS and NUKE Devices.
   install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock_wrapper.sh" \
     "${TARGET}/etc/initramfs-tools/files/"
+  install -D -m 0640 -o root -g root "${VAR_SETUP_PATH}${dropbear_sha_file}" \
+    "${TARGET}/etc/initramfs-tools/files/"
+  install -D -m 0640 -o root -g root "${VAR_SETUP_PATH}${dropbear_sig_file}" \
+    "${TARGET}/etc/initramfs-tools/files/"
+  install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}${dropbear_pub_key}" \
+    "${TARGET}/root/.ciss/cdi/keys/"
 
   ### Install the script to be called inside the Host environment for signing 'unlock_wrapper.sh'-script.
   install -D -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock_wrapper_signer.sh" \
     "${TARGET}/etc/initramfs-tools/files/"
 
   ### Install the script to be called inside the initramfs environment for preparing dropbear execution.
-  chroot_exec "${TARGET}" mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /usr/share/initramfs-tools/scripts/init-premount/dropbear.2022.83
+  mkdir -p "${TARGET}/root/.ciss/cdi/backup/usr/share/initramfs-tools/scripts/init-premount"
+  mv "${TARGET}/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
+    "${TARGET}/root/.ciss/cdi/backup/usr/share/initramfs-tools/scripts/init-premount/dropbear.trixie"
   install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
     "${TARGET}/usr/share/initramfs-tools/scripts/init-premount/"
 
@@ -124,8 +140,11 @@ EOF
 
   fi
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f dropbear_setup
 
 #######################################
 # Write '/etc/dropbear/initramfs/dropbear.conf'.
@@ -140,23 +159,9 @@ EOF
 write_dropbear_conf() {
   [[ -z "${dropbear_port:-}" ]] && dropbear_port="2222"
 
-  cat << EOF >| "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
+  insert_header   "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
-# SPDX-Version: 3.0
+  insert_comments "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
-# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+  cat << EOF >>   "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-# Static file system information: /etc/dropbear/dropbear.conf
-# Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture: ${VAR_ARCHITECTURE}
-# Distribution: ${VAR_CODENAME}
-
 # Configuration options for the dropbear-initramfs boot scripts.
 # Variable assignment follow shell semantics and escaping/quoting rules.
 # You must run update-initramfs(8) to effect changes to this file (like
@@ -170,7 +175,7 @@ write_dropbear_conf() {
 # -K: Keepalive interval in seconds
 # -p: Specify port (and optionally address)
 # -w: Disable root login (SHOULD NOT be implemented for initramfs)
-DROPBEAR_OPTIONS="-b /etc/dropbear/banner -c /usr/local/bin/unlock_wrapper.sh -E -I 300 -K 60 -p ${dropbear_port}"
+DROPBEAR_OPTIONS="-b /etc/dropbear/banner -E -I 300 -K 60 -p ${dropbear_port}"
 
 # On local (non-NFS) mounts, interfaces matching this pattern are
 # brought down before exiting the ramdisk to avoid dirty network
@@ -195,6 +200,10 @@ DROPBEAR_OPTIONS="-b /etc/dropbear/banner -c /usr/local/bin/unlock_wrapper.sh -E
 EOF
 
   do_log "info" "file_only" "4312() Written: '${TARGET}/etc/dropbear/initramfs/dropbear.conf'."
+  do_log "info" "file_only" "4312() Written: 'DROPBEAR_OPTIONS=\"-b /etc/dropbear/banner -E -I 300 -K 60 -p ${dropbear_port}\"'."
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f write_dropbear_conf
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4300_network/4320_update_initramfs.sh

@@ -10,12 +10,13 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
-# Finally, deploy all changes done via 'update-grub' and 'update-initramfs'.
+# Deploy all changes made using the 'update-grub' and 'update-initramfs' commands.
 # Globals:
 #   TARGET
+#   VAR_KERNEL
 # Arguments:
 #   None
 # Returns:
@@ -24,20 +25,29 @@ guard_sourcing
 update_initramfs() {
   ### Declare Arrays, HashMaps, and Variables.
   declare -r  var_logfile="/root/.ciss/cdi/log/4320_update_initramfs.log"
+  # shellcheck disable=SC2153
+  declare -r  var_kernel="${VAR_KERNEL#linux-image-}"
 
   chroot_logger "${TARGET}${var_logfile}"
 
   chroot_script "${TARGET}" "
     update-grub 2>&1 | tee -a ${var_logfile}
-      echo ExitCode: \$? >> ${var_logfile}
   "
 
-
   chroot_script "${TARGET}" "
+    depmod -a ${var_kernel} 2>&1 | tee -a ${var_logfile}
     update-initramfs -c -v -k all 2>&1 | tee -a ${var_logfile}
-    echo ExitCode: \$? >> ${var_logfile}
   "
 
-  guard_dir && return 0
+  chroot_script "${TARGET}" "
+    update-grub 2>&1 | tee -a ${var_logfile}
+  "
+
+  chmod 0400 "${TARGET}/boot/grub/grub.cfg"
+
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f update_initramfs
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4300_network/4330_installation_ssh.sh

@@ -0,0 +1,215 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
+
+#######################################
+# Setup ssh server.
+# Globals:
+#   RECOVERY
+#   TARGET
+#   VAR_DROPBEAR
+#   VAR_FINAL_FQDN
+#   VAR_FINAL_IPV4
+#   VAR_FINAL_IPV6
+#   VAR_FINAL_NIC
+#   VAR_LINK_IPV6
+#   VAR_RUN_RECOVERY
+#   VAR_SETUP_PATH
+#   VAR_SSH_CA
+#   VAR_SSH_PORT
+#   VAR_USER_MAX
+#   network_static_ipv6address
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+installation_ssh() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -a  ary_user=()
+  declare -i  i=0
+  declare -r  var_logfile="/root/.ciss/cdi/log/4330_installation_ssh.log"
+  declare     var_auth="" var_name="" var_ca="" var_pub=""
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+  chroot_logger "${var_target}${var_logfile}"
+
+  chroot_script "${var_target}" "
+    export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+    apt-get install -y --no-install-recommends --no-install-suggests ssh 2>&1 | tee -a ${var_logfile}
+  "
+
+  mkdir -p "${var_target}/etc/systemd/system/ssh.service.d"
+
+  if [[ "${VAR_LINK_IPV6}" == "true" && -n "${network_static_ipv6address}" ]]; then
+
+    # shellcheck disable=SC2312
+    cat << EOF >| "${var_target}/etc/systemd/system/ssh.service.d/override.conf"
+[Unit]
+After=ifup@${VAR_FINAL_NIC}.service network.target
+Wants=ifup@${VAR_FINAL_NIC}.service
+
+[Service]
+### Block until the exact v6 address is present and not tentative.
+### If any tentative IPv6 address exists on the device, wait and retry.
+### Check for the exact global address (fixed-string match, include trailing "/").
+ExecStartPre=/bin/sh -c '\
+  for i in \$(seq 1 60); do \
+    ip -6 addr show dev ${VAR_FINAL_NIC} tentative | grep -q "inet6" && { sleep 0.5; continue; }; \
+    ip -6 addr show dev ${VAR_FINAL_NIC} scope global | grep -Fq " ${VAR_FINAL_IPV6}/" && exit 0; \
+    sleep 0.5; \
+  done; \
+  echo "IPv6 address ${VAR_FINAL_IPV6} on ${VAR_FINAL_NIC} not ready"; exit 1'
+TimeoutStartSec=40s
+Restart=on-failure
+RestartSec=2s
+EOF
+  fi
+
+  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/banner" "${var_target}/etc/"
+  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/motd" "${var_target}/etc/"
+  do_log "info" "file_only" "4420() Installed SSH '/etc/banner' and '/etc/motd'."
+
+  ### Only process those for which both *_name and *_authentication_access_ssh are set.
+  for ((i = 0; i <= VAR_USER_MAX; i++)); do
+    var_auth="user_user${i}_authentication_access_ssh"
+    var_name="user_user${i}_name"
+
+    if [[ -v "${var_auth}" && -v "${var_name}" && "${!var_auth}" == "true" ]]; then
+      ary_user+=("${!var_name}")
+    fi
+  done
+
+  chroot_script "${var_target}" "
+    awk '\$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
+    rm -rf /etc/ssh/moduli
+    mv /etc/ssh/moduli.safe /etc/ssh/moduli
+  "
+
+  rm -rf "${var_target}"/etc/ssh/ssh_host_*key*
+
+  if [[ -f "${var_target}/etc/dropbear/initramfs/dropbear_ed25519_host_key" ]]; then
+
+    chroot_script "${var_target}" "
+      dropbearconvert dropbear openssh /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key
+    "
+
+    chroot_script "${var_target}" "
+      dropbearconvert dropbear openssh /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key
+    "
+
+    chroot_script "${var_target}" "
+      dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key.pub
+    "
+
+    chroot_script "${var_target}" "
+      dropbearkey -y -f /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key.pub
+    "
+
+  else
+
+    # shellcheck disable=SC2312
+    chroot_exec "${var_target}" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
+    # shellcheck disable=SC2312
+    chroot_exec "${var_target}" ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
+
+  fi
+
+  mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/ssh"
+  cp "${var_target}/etc/ssh/sshd_config" "${var_target}/root/.ciss/cdi/backup/etc/ssh/sshd_config.bak"
+  cp "${var_target}/etc/ssh/ssh_config" "${var_target}/root/.ciss/cdi/backup/etc/ssh/ssh_config.bak"
+  rm -f "${var_target}/etc/ssh/sshd_config"
+
+  install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/ssh/sshd_config" "${var_target}/etc/ssh/sshd_config"
+  chmod 0600 "${var_target}/etc/ssh/ssh_config"
+
+  insert_comments "${var_target}/etc/ssh/sshd_config"
+
+  # shellcheck disable=SC2153
+  sed -i -E "s|^[[:space:]]*ListenAddressIPV4[[:space:]]+.*$|$(printf '%-29s%s' 'ListenAddress' "${VAR_FINAL_IPV4}")|" "${var_target}/etc/ssh/sshd_config"
+
+  if [[ -n "${VAR_FINAL_IPV6}" ]]; then
+    sed -i -E "s|^[[:space:]]*ListenAddressIPV6[[:space:]]+.*$|$(printf '%-29s%s' 'ListenAddress' "${VAR_FINAL_IPV6}")|" "${var_target}/etc/ssh/sshd_config"
+  else
+    sed -i "/^[[:space:]]*ListenAddressIPV6[[:space:]]*/d" "${var_target}/etc/ssh/sshd_config"
+  fi
+
+  sed -i -E "s|^[[:space:]]*Port[[:space:]]+.*$|$(printf '%-29s%s' 'Port' "${VAR_SSH_PORT}")|" "${var_target}/etc/ssh/sshd_config"
+
+  if (( ${#ary_user[@]} > 0 )); then
+    sed -i -E "s|^\s*AllowUsers\s+.*$|$(printf '%-29s%s' 'AllowUsers' "root ${ary_user[*]}")|" "${var_target}/etc/ssh/sshd_config"
+  fi
+
+  if [[ -n "${VAR_SSH_CA}" ]]; then
+    var_ca="${VAR_SSH_CA##*/}"
+    install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}${VAR_SSH_CA}" "${var_target}/etc/ssh/"
+    sed -i -E "s|^\s*TrustedUserCAKeys\s+.*$|$(printf '%-29s%s' 'TrustedUserCAKeys' "/etc/ssh/${var_ca}")|" "${var_target}/etc/ssh/sshd_config"
+  fi
+
+  ### Preparing the test environment in chroot.
+  chroot_exec "${var_target}" install -d -o root -g root -m 0755 /run/sshd
+
+  ### Syntax test (hard).
+  if ! chroot_script "${var_target}" "sshd -t -f /etc/ssh/sshd_config"; then
+    do_log "emergency" "file_only" "4420() [sshd -t -f /etc/ssh/sshd_config] failed."
+    return "${ERR_CONF_VALIDATION}"
+  fi
+
+  ### Effective configuration (soft, purely informative).
+  if ! chroot_script "${var_target}" "sshd -T -f /etc/ssh/sshd_config >| /root/.ciss/cdi/log/sshd_config.log"; then
+    do_log "warn" "file_only" "4420() [sshd -T -f /etc/ssh/sshd_config] failed. Likely env. Continuing."
+  fi
+
+  chroot_script "${var_target}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| /root/.ciss/cdi/log/SSHFP.log"
+
+  if [[ "${VAR_DROPBEAR}" == "true" ]]; then
+
+    printf "### Dropbear SSHFP RR: \n" >> "${var_target}/root/.ciss/cdi/log/SSHFP.log"
+
+    for var_pub in "${var_target}"/etc/dropbear/initramfs/dropbear*.pub; do
+
+      chroot_script "${var_target}" "ssh-keygen -E sha256 -r ${VAR_FINAL_FQDN}. -f ${var_pub#/target} >> /root/.ciss/cdi/log/SSHFP.log"
+
+    done
+
+  fi
+
+  ###########################################################################################
+  # The file /etc/profile.d/idle-users.sh is created to set the read-only                   #
+  # environment variables: TMOUT                                                            #
+  # TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
+  ###########################################################################################
+  insert_header   "${var_target}/etc/profile.d/idle-users.sh"
+  insert_comments "${var_target}/etc/profile.d/idle-users.sh"
+  cat << EOF >>   "${var_target}/etc/profile.d/idle-users.sh"
+case $- in
+  *i*)
+    TMOUT=14400
+    export TMOUT
+    readonly TMOUT
+  ;;
+esac
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  guard_dir; return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f installation_ssh
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4400_kernel_modules.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Entropy collection improvements '/usr/lib/modules-load.d/30_security-misc.conf'.
@@ -24,23 +24,10 @@ guard_sourcing
 kernel_modules() {
   ### Entropy collection improvements
   mkdir -p "${TARGET}/usr/lib/modules-load.d"
-  cat << EOF >| "${TARGET}/usr/lib/modules-load.d/30_security-misc.conf"
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-# Static file system information: /usr/lib/modules-load.d/30_security-misc.conf
-# Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture: ${VAR_ARCHITECTURE}
-# Distribution: ${VAR_CODENAME}
 
+  insert_header   "${TARGET}/usr/lib/modules-load.d/30_security-misc.conf"
+  insert_comments "${TARGET}/usr/lib/modules-load.d/30_security-misc.conf"
+  cat << EOF >>   "${TARGET}/usr/lib/modules-load.d/30_security-misc.conf"
 # The jitterentropy_rng kernel module provides a reliable and hardware-independent source of cryptographic entropy by measuring
 # minute variations in CPU execution timing (jitter). These microsecond-level differences are unpredictable and rooted in
 # physical randomness, making them suitable for high-quality entropy generation. Unlike other RNG methods that rely on hardware
@@ -60,8 +47,11 @@ EOF
 
   do_log "info" "file_only" "4400() Installed: '/usr/lib/modules-load.d/30_security-misc.conf'."
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f kernel_modules
 
 #######################################
 # Blacklist some kind of potential hazardous modules via '/etc/modprobe.d/0000_ciss_debian_installer.conf'.
@@ -81,6 +71,9 @@ kernel_modprobe() {
 
   do_log "info" "file_only" "4400() Installed: '/etc/modprobe.d/0000_ciss_debian_installer.conf'."
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f kernel_modprobe
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4410_kernel_sysctl.sh

@@ -10,10 +10,10 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
-# Install Kernel Hardening-Presets '/etc/sysctl.d/99_local.hardened'.
+# Install Kernel Hardening-Presets '/etc/sysctl.d/9999_ciss_debian_installer.hardened'.
 # Globals:
 #   TARGET
 #   VAR_SETUP_PATH
@@ -23,13 +23,16 @@ guard_sourcing
 #   0: on success
 #######################################
 kernel_sysctl() {
-  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/sysctl.d/99_local.hardened" \
+  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/sysctl.d/9999_ciss_debian_installer.hardened" \
-    "${TARGET}/etc/sysctl.d/99_local.hardened"
+    "${TARGET}/etc/sysctl.d/9999_ciss_debian_installer.hardened"
 
-  insert_comments "${TARGET}/etc/sysctl.d/99_local.hardened"
+  insert_comments "${TARGET}/etc/sysctl.d/9999_ciss_debian_installer.hardened"
 
-  do_log "info" "file_only" "4410() Installed: '/etc/sysctl.d/99_local.hardened'."
+  do_log "info" "file_only" "4410() Installed: '/etc/sysctl.d/9999_ciss_debian_installer.hardened'."
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f kernel_sysctl
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4420_hardening_fail2ban.sh

@@ -0,0 +1,345 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
+
+#######################################
+# Hardening 'fail2ban'.
+# Globals:
+#   ARY_ALLOW_IPV4
+#   ARY_ALLOW_IPV6
+#   RECOVERY
+#   TARGET
+#   VAR_FINAL_FQDN
+#   VAR_FINAL_IPV4
+#   VAR_FINAL_IPV6
+#   VAR_LINK_IPV6
+#   VAR_PROVIDER
+#   VAR_RUN_RECOVERY
+#   VAR_SSH_PORT
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+hardening_fail2ban() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_logfile="/root/.ciss/cdi/log/4420_hardening_fail2ban.log"
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+  chroot_logger "${var_target}${var_logfile}"
+
+  mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/fail2ban/jail.d"
+  cp "${var_target}/etc/fail2ban/fail2ban.conf" "${var_target}/root/.ciss/cdi/backup/etc/fail2ban/fail2ban.conf.bak"
+  mv "${var_target}/etc/fail2ban/jail.d/defaults-debian.conf" "${var_target}/root/.ciss/cdi/backup/etc/fail2ban/jail.d/defaults-debian.conf.bak"
+
+  # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
+  insert_header   "${var_target}/etc/fail2ban/fail2ban.local"
+  insert_comments "${var_target}/etc/fail2ban/fail2ban.local"
+  cat << 'EOF' >> "${var_target}/etc/fail2ban/fail2ban.local"
+[DEFAULT]
+allowipv6             = auto
+
+EOF
+
+  insert_header   "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
+  insert_comments "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
+
+  if [[ "${#ARY_ALLOW_IPV4[@]}" -gt 0 ]]; then
+
+    ### fail2ban ufw aggressive mode, one attempt for jumphost configuration.
+    cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
+[DEFAULT]
+banaction             = nftables-multiport
+banaction_allports    = nftables-allports
+dbpurgeage            = 384d
+#                       127.0.0.1/8 - IPv4 loopback range (local host)
+#                       ::1/128     - IPv6 loopback
+#                       fe80::/10   - IPv6 link-local (on-link only; NDP/RA/DAD)
+#                       ff00::/8    - IPv6 multicast (not an unicast host)
+#                       ::/128      - IPv6 unspecified (all zeros; never a real peer)
+ignoreip              = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128
+# ${VAR_FINAL_FQDN}
+  ${VAR_FINAL_IPV4}
+EOF
+
+    if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
+
+      cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
+  ${VAR_FINAL_IPV6}/64
+EOF
+    fi
+
+    cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
+# Jumphost
+  ${ARY_ALLOW_IPV4[*]}
+EOF
+
+    if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
+
+      cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
+  ${ARY_ALLOW_IPV6[*]}
+EOF
+    fi
+
+    cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
+usedns                = yes
+
+[recidive]
+enabled               = true
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
+bantime               = 8d
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 128d
+bantime.multipliers   = 1 2 4 8 16
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = recidive
+findtime              = 16d
+logpath               = /var/log/fail2ban/fail2ban.log*
+maxretry              = 3
+
+[sshd]
+enabled               = true
+backend               = systemd
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = sshd
+findtime              = 16m
+mode                  = aggressive
+port                  = ${VAR_SSH_PORT}
+protocol              = tcp
+maxretry              = 4
+
+#
+# CISS aggressive approach:
+# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
+# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
+#
+
+[ufw]
+enabled               = true
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = ciss-ufw
+findtime              = 16m
+logpath               = /var/log/ufw.log
+maxretry              = 1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+  else
+
+    ### fail2ban ufw aggressive mode, 32 attempts for NO jumphost configuration.
+    cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
+[DEFAULT]
+banaction             = nftables-multiport
+banaction_allports    = nftables-allports
+dbpurgeage            = 384d
+#                       127.0.0.1/8 - IPv4 loopback range (local host)
+#                       ::1/128     - IPv6 loopback
+#                       fe80::/10   - IPv6 link-local (on-link only; NDP/RA/DAD)
+#                       ff00::/8    - IPv6 multicast (not an unicast host)
+#                       ::/128      - IPv6 unspecified (all zeros; never a real peer)
+ignoreip              = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128
+# ${VAR_FINAL_FQDN}
+  ${VAR_FINAL_IPV4}
+EOF
+
+    if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
+
+      cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
+  ${VAR_FINAL_IPV6}/64
+EOF
+    fi
+
+    cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
+usedns                = yes
+
+[recidive]
+enabled               = true
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
+bantime               = 8d
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 128d
+bantime.multipliers   = 1 2 4 8 16
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = recidive
+findtime              = 16d
+logpath               = /var/log/fail2ban/fail2ban.log*
+maxretry              = 3
+
+[sshd]
+enabled               = true
+backend               = systemd
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = sshd
+findtime              = 16m
+mode                  = normal
+port                  = ${VAR_SSH_PORT}
+protocol              = tcp
+maxretry              = 4
+
+#
+# CISS aggressive approach:
+# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
+# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 3 attempts.
+#
+
+[ufw]
+enabled               = true
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = ciss-ufw
+findtime              = 16m
+logpath               = /var/log/ufw.log
+maxretry              = 3
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+  fi
+
+  ### Provider Hetzner needs special ignoreip rules.
+  if [[ "${VAR_PROVIDER}" == "hetzner" ]]; then
+
+    sed -i '0,/^maxretry/{s/^maxretry/# Hetzner Intern\n  172.31.1.1\/16\n&/}' "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
+
+  fi
+
+  insert_header   "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
+  insert_comments "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
+  cat << EOF >>   "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
+[Definition]
+# Match UFW BLOCK/REJECT with a source IP and *any* port field (SPT or DPT), protocol may be missing.
+failregex             = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?(?:\bDPT=\d+\b|\bSPT=\d+\b).*$
+ignoreregex           =
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+  # Hardening of fail2ban systemd: https://wiki.archlinux.org/title/fail2ban#Service_hardening
+  # The 'CapabilityBoundingSet' parameters 'CAP_DAC_READ_SEARCH' will allow fail2ban full read access to every directory and
+  # file. "CAP_NET_ADMIN" and "CAP_NET_RAW" allow fail2ban to operate on any firewall that has a command-line shell interface.
+  # By using 'ProtectSystem=strict' the filesystem hierarchy will only be read-only; 'ReadWritePaths' allows Fail2ban to have
+  # write access on required paths.
+  mkdir -p "${var_target}/etc/systemd/system/fail2ban.service.d"
+  mkdir -p "${var_target}/var/log/fail2ban"
+
+  insert_header   "${var_target}/etc/systemd/system/fail2ban.service.d/override.conf"
+  insert_comments "${var_target}/etc/systemd/system/fail2ban.service.d/override.conf"
+  cat << EOF >>   "${var_target}/etc/systemd/system/fail2ban.service.d/override.conf"
+[Service]
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=read-only
+ProtectSystem=strict
+ReadWritePaths=-/var/run/fail2ban
+ReadWritePaths=-/var/lib/fail2ban
+ReadWritePaths=-/var/log/fail2ban
+ReadWritePaths=-/var/spool/postfix/maildrop
+ReadWritePaths=-/run/xtables.lock
+CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
+ProtectClock=true
+ProtectHostname=true
+EOF
+
+  cat << 'EOF' >> "${var_target}/etc/fail2ban/fail2ban.local"
+[Definition]
+logtarget             = /var/log/fail2ban/fail2ban.log
+
+[Database]
+# Keep entries for at least 384 days to cover recidive findtime.
+dbpurgeage            = 384d
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+  ### Logrotate must be updated too.
+  mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/logrotate.d"
+  cp "${var_target}/etc/logrotate.d/fail2ban" "${var_target}/root/.ciss/cdi/backup/etc/logrotate.d/fail2ban.bak"
+  cat << EOF >| "${var_target}/etc/logrotate.d/fail2ban"
+/var/log/fail2ban/fail2ban.log {
+    daily
+    rotate 384
+    maxage 384
+    notifempty
+    dateext
+    dateyesterday
+    compress
+    compresscmd /usr/bin/zstd
+    compressext .zst
+    compressoptions -20
+    uncompresscmd /usr/bin/unzstd
+    delaycompress
+    shred
+    missingok
+    postrotate
+        fail2ban-client flushlogs 1>/dev/null
+    endscript
+    # If fail2ban runs as non-root it still needs to have write access
+    # to logfiles.
+    # create 640 fail2ban adm
+    create 640 root adm
+}
+EOF
+  touch "${var_target}/var/log/fail2ban/fail2ban.log"
+  chmod 0640 "${var_target}/var/log/fail2ban/fail2ban.log"
+
+  if [[ ! -f "${var_target}/var/log/ufw.log" ]]; then
+    install -d -m 0755 "${var_target}/var/log"
+    : >| "${var_target}/var/log/ufw.log"
+    chmod 0640 "${var_target}/var/log/ufw.log"
+  fi
+
+  ### Merge / Dump-Parse via 'fail2ban-client -d'. All '*.conf', '*.local', and 'jail.*'-files are read, inherited, and merged.
+  ### Syntax, path, and key errors result in a non-zero exit.
+  chroot_script "${var_target}" "
+    fail2ban-client -d >> ${var_logfile} && echo "OK: config parsed" >> ${var_logfile} || echo "ERROR: config invalid" >> ${var_logfile}
+  "
+
+  guard_dir; return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_fail2ban
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4420_installation_ssh.sh

@@ -1,148 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-guard_sourcing
-
-#######################################
-# Setup ssh server.
-# Globals:
-#   BASH_REMATCH
-#   DIR_BAK
-#   DIR_LOG
-#   TARGET
-#   VAR_FINAL_FQDN
-#   VAR_FINAL_IPV4
-#   VAR_FINAL_IPV6
-#   VAR_SETUP_PATH
-#   ssh_port
-#   ssh_root_ca
-# Arguments:
-#   None
-# Returns:
-#   0: on success
-#######################################
-installation_ssh() {
-  ### Declare Arrays, HashMaps, and Variables.
-  declare -a ary_user=()
-  declare -i i=0
-  declare    var_auth="" var_name="" var_ca=""
-
-  chroot_exec "${TARGET}" apt-get install -y --no-install-recommends --no-install-suggests ssh
-
-  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/banner" "${TARGET}/etc/"
-  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/motd" "${TARGET}/etc/"
-  do_log "info" "file_only" "4420() Installed SSH '/etc/banner' and '/etc/motd'."
-
-  ### Only process those for which both *_name and *_authentication_access_ssh are set.
-  for ((i = 0; i <= VAR_USER_MAX; i++)); do
-    var_auth="user_user${i}_authentication_access_ssh"
-    var_name="user_user${i}_name"
-
-    if [[ -v "${var_auth}" && -v "${var_name}" && "${!var_auth}" == "true" ]]; then
-      ary_user+=("${!var_name}")
-    fi
-  done
-
-  rm -rf "${TARGET}"/etc/ssh/ssh_host_*key*
-
-  #shellcheck disable=SC2312
-  chroot_exec "${TARGET}" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
-  #shellcheck disable=SC2312
-  chroot_exec "${TARGET}" ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
-
-  mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/ssh"
-  cp "${TARGET}/etc/ssh/sshd_config" "${TARGET}/root/.ciss/cdi/backup/etc/ssh/sshd_config.bak"
-  cp "${TARGET}/etc/ssh/ssh_config" "${TARGET}/root/.ciss/cdi/backup/etc/ssh/ssh_config.bak"
-  rm -f "${TARGET}/etc/ssh/sshd_config"
-
-  install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/ssh/sshd_config" "${TARGET}/etc/ssh/sshd_config"
-  chmod 0600 "${TARGET}/etc/ssh/ssh_config"
-
-  insert_comments "${TARGET}/etc/ssh/sshd_config"
-
-  # shellcheck disable=SC2153
-  sed -i -E "s|^[[:space:]]*ListenAddressIPV4[[:space:]]+.*$|$(printf '%-29s%s' 'ListenAddress' "${VAR_FINAL_IPV4}")|" "${TARGET}/etc/ssh/sshd_config"
-
-  if [[ -n "${VAR_FINAL_IPV6}" ]]; then
-    sed -i -E "s|^[[:space:]]*ListenAddressIPV6[[:space:]]+.*$|$(printf '%-29s%s' 'ListenAddress' "${VAR_FINAL_IPV6}")|" "${TARGET}/etc/ssh/sshd_config"
-  else
-    sed -i "/^[[:space:]]*ListenAddressIPV6[[:space:]]*/d" "${TARGET}/etc/ssh/sshd_config"
-  fi
-
-  sed -i -E "s|^[[:space:]]*Port[[:space:]]+.*$|$(printf '%-29s%s' 'Port' "${ssh_port}")|" "${TARGET}/etc/ssh/sshd_config"
-
-  if (( ${#ary_user[@]} > 0 )); then
-    sed -i -E "s|^\s*AllowUsers\s+.*$|$(printf '%-29s%s' 'AllowUsers' "root ${ary_user[*]}")|" "${TARGET}/etc/ssh/sshd_config"
-  fi
-
-  if [[ -n "${ssh_root_ca}" ]]; then
-    var_ca="${ssh_root_ca##*/}"
-    install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}${ssh_root_ca}" "${TARGET}/etc/ssh/"
-    sed -i -E "s|^\s*TrustedUserCAKeys\s+.*$|$(printf '%-29s%s' 'TrustedUserCAKeys' "/etc/ssh/${var_ca}")|" "${TARGET}/etc/ssh/sshd_config"
-  fi
-
-  ### Preparing the test environment in chroot.
-  chroot_exec "${TARGET}" install -d -o root -g root -m 0755 /run/sshd
-
-  ### Syntax test (hard).
-  if ! chroot_script "${TARGET}" "sshd -t -f /etc/ssh/sshd_config"; then
-    do_log "emergency" "file_only" "4420() [sshd -t -f /etc/ssh/sshd_config] failed."
-    return "${ERR_CONF_VALIDATION}"
-  fi
-
-  ### Effective configuration (soft, purely informative).
-  if ! chroot_script "${TARGET}" "sshd -T -f /etc/ssh/sshd_config >| /root/.ciss/cdi/log/sshd_config.log"; then
-    do_log "warn" "file_only" "4420() [sshd -T -f /etc/ssh/sshd_config] failed. Likely env. Continuing."
-  fi
-
-  chroot_script "${TARGET}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| /root/.ciss/cdi/log/SSHFP.log"
-
-  ###########################################################################################
-  # The file /etc/profile.d/idle-users.sh is created to set the read-only                   #
-  # environment variables: TMOUT                                                            #
-  # TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
-  ###########################################################################################
-  cat << EOF >| "${TARGET}/etc/profile.d/idle-users.sh"
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-# Static file system information: /etc/profile.d/idle-users.sh
-# Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture: ${VAR_ARCHITECTURE}
-# Distribution: ${VAR_CODENAME}
-
-EOF
-  cat << 'EOF' >> "${TARGET}/etc/profile.d/idle-users.sh"
-case $- in
-  *i*)
-    TMOUT=14400
-    export TMOUT
-    readonly TMOUT
-  ;;
-esac
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
-EOF
-  chmod 0644 "${TARGET}/etc/profile.d/idle-users.sh"
-  insert_comments "${TARGET}/etc/profile.d/idle-users.sh"
-
-  guard_dir && return 0
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4430_hardening_files.sh

@@ -0,0 +1,75 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
+
+#######################################
+# Hardening files and directories.
+# Globals:
+#   RECOVERY
+#   TARGET
+#   VAR_RUN_RECOVERY
+#   VAR_SETUP_PATH
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+hardening_files() {
+  declare     var_bin="" var_binary=""
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+  chmod 0700 "${var_target}/etc/cron.d" "${var_target}/etc/cron.daily" "${var_target}/etc/cron.hourly" "${var_target}/etc/cron.monthly" \
+             "${var_target}/etc/cron.weekly"
+  chmod 0700 "${var_target}/etc/sudoers.d"
+  chmod 0700 "${var_target}/etc/crontab"
+
+  [[ -f "${var_target}/etc/cron.deny" ]] && rm "${var_target}/etc/cron.deny"
+
+  ### /etc/issue ---------------------------------------------------------------------------------------------------------------
+  rm -f "${var_target}/etc/issue" "${var_target}/etc/issue.net"
+  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue" "${var_target}/etc/issue"
+  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue.net" "${var_target}/etc/issue.net"
+
+  ### /root/.ansible -----------------------------------------------------------------------------------------------------------
+  install -d -m 0700 -o root -g root "${var_target}/root/.ansible"
+
+  ### /usr/bin/compiler --------------------------------------------------------------------------------------------------------
+  for var_bin in as gcc g++ cc clang; do
+    var_binary=$(readlink -f "${var_target}/usr/bin/${var_bin}") || {
+      do_log "info" "file_only" "4430() Binary: '${var_bin}' not found, skipping."
+      continue
+    }
+    chmod 0700 "${var_binary}" || {
+      do_log "info" "file_only" "4430() Binary chmod 0700: '${var_bin}' failed, skipping."
+    }
+  done
+
+  ### /etc/update-motd.d/10-uname ----------------------------------------------------------------------------------------------
+  mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/update-motd.d"
+  cp -af "${var_target}/etc/update-motd.d/10-uname" "${var_target}/root/.ciss/cdi/backup/etc/update-motd.d/10-uname"
+
+  cat << 'EOF' >| "${var_target}/etc/update-motd.d/10-uname"
+#!/bin/sh
+uname -snrm
+EOF
+  chmod 0755 /etc/update-motd.d/10-uname
+
+  guard_dir; return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_files
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4430_installation_skel.sh

@@ -1,50 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-guard_sourcing
-
-#######################################
-# Prepare '/etc/skel'-Directory.
-# Globals:
-#   TARGET
-#   VAR_SETUP_PATH
-# Arguments:
-#   None
-# Returns:
-#   0: on success
-#######################################
-installation_skel() {
-  mkdir -p "${TARGET}/etc/skel/.ciss"
-
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${TARGET}/etc/skel/.bashrc"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/etc/skel/.zshrc"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${TARGET}/etc/skel/.ciss/alias"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${TARGET}/etc/skel/.ciss/clean_logout.sh"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/f2bchk.sh" "${TARGET}/etc/skel/.ciss/f2bchk.sh"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/scan_libwrap" "${TARGET}/etc/skel/.ciss/scan_libwrap"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${TARGET}/etc/skel/.ciss/shortcuts"
-
-  insert_comments "${TARGET}/etc/skel/.bashrc"
-  insert_comments "${TARGET}/etc/skel/.zshrc"
-  insert_comments "${TARGET}/etc/skel/.ciss/alias"
-  insert_comments "${TARGET}/etc/skel/.ciss/clean_logout.sh"
-  insert_comments "${TARGET}/etc/skel/.ciss/f2bchk.sh"
-  insert_comments "${TARGET}/etc/skel/.ciss/scan_libwrap"
-  insert_comments "${TARGET}/etc/skel/.ciss/shortcuts"
-
-  ### In order to be able to copy/paste from vim, one needs to create a '.vimrc' in every home directory with the following content:
-  echo 'set clipboard=unnamed' >| "${TARGET}/etc/skel/.vimrc"
-  chmod 0644 "${TARGET}/etc/skel/.vimrc"
-
-  guard_dir && return 0
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4440_hardening_haveged.sh

@@ -10,38 +10,29 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # Hardening haveged.
 # Globals:
+#   RECOVERY
 #   TARGET
-#   VAR_ARCHITECTURE
+#   VAR_RUN_RECOVERY
-#   VAR_CODENAME
-#   VAR_VERSION
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 hardening_haveged() {
-  cat << EOF >| "${TARGET}/etc/default/haveged"
+  ### Declare Arrays, HashMaps, and Variables.
-# SPDX-Version: 3.0
+  declare    var_target="${TARGET}"
-# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
 
-# Static file system information: /etc/default/haveged
+  ### Check for TARGET / RECOVERY.
-# Generated by CISS.debian.installer ${VAR_VERSION}
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
-# Architecture: ${VAR_ARCHITECTURE}
-# Distribution: ${VAR_CODENAME}
 
+  insert_header   "${var_target}/etc/default/haveged"
+  insert_comments "${var_target}/etc/default/haveged"
+  cat << EOF >>   "${var_target}/etc/default/haveged"
 # Configuration file for haveged
 # Minimal, sane defaults for server/headless systems.
 # -w <bits> : target entropy level in bits; 1024 ensures fast pool fill on boot
@@ -53,6 +44,9 @@ DAEMON_ARGS="-w 2048 -v 1"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_haveged
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4442_hardening_jitterentropy.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
+
+#######################################
+# Hardening hardening_jitterentropy.
+# Globals:
+#   RECOVERY
+#   TARGET
+#   VAR_RUN_RECOVERY
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+hardening_jitterentropy() {
+  declare    var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+  mkdir -p "${var_target}/etc/systemd/system/jitterentropy-rngd.service.d"
+
+  cat << EOF >> "${var_target}/etc/systemd/system/jitterentropy-rngd.service.d/override.conf"
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/jitterentropy-rngd --osr=2
+EOF
+
+  guard_dir; return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_jitterentropy
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4445_hardening_logrotate.sh

@@ -0,0 +1,95 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
+
+#######################################
+# Hardening '/etc/logrotate'.
+# Globals:
+#   RECOVERY
+#   TARGET
+#   VAR_RUN_RECOVERY
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+hardening_logrotate() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+  rm -f           "${var_target}/etc/logrotate.conf"
+  insert_header   "${var_target}/etc/logrotate.conf"
+  insert_comments "${var_target}/etc/logrotate.conf"
+  cat << EOF >>   "${var_target}/etc/logrotate.conf"
+# See "man logrotate" for details. Global options do not affect preceding include directives.
+
+# Rotate log files daily
+daily
+
+# Keep 384 daily worth of backlogs.
+rotate 384
+
+# Hard cap: delete rotated logs older than 384 days.
+maxage 384
+
+# Do not rotate the log if it is empty (this overrides the ifempty option).
+notifempty
+
+# Create new (empty) log files after rotating old ones.
+create
+
+# Use date as a suffix of the rotated file.
+dateext
+
+# Use yesterday's instead of today's date to create the dateext extension, so that the rotated log file has a date in its name
+# that is the same as the timestamps within it.
+dateyesterday
+
+# Enable compression
+compress
+
+# Use zstd instead of gzip.
+compresscmd /usr/bin/zstd
+
+# File extension for compressed logs.
+compressext .zst
+
+# Set zstd level 3 (default).
+compressoptions -20
+
+# How to decompress for 'logrotate -d' or similar.
+uncompresscmd /usr/bin/unzstd
+
+# Keep the most recent rotation uncompressed for one cycle.
+delaycompress
+
+# Delete log files using shred -u instead of unlink().
+shred
+
+# packages drop log rotation information into this directory
+include /etc/logrotate.d
+
+# system-specific logs may also be configured here.
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+  guard_dir; return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_logrotate
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4450_hardening_memory.sh

@@ -10,15 +10,15 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
 # NOTE:
 #   According to the manual pages of limits.conf(5) and pam_limits(8),
 #   entries in '/etc/security/limits.conf' or drop-ins under
 #   '/etc/security/limits.d/' are NOT applied automatically by the system.
-#   The actual enforcement of these ulimit(2) constraints — including
+#   The actual enforcement of these ulimit(2) constraints, including
-#   '* soft core 0' and '* hard core 0' to disable kernel core dumps —
+#   '* soft core 0' and '* hard core 0' to disable kernel core dumps,
 #   requires that the PAM module 'pam_limits.so' is invoked in the
 #   'session' stack of the respective service (e.g., via
 #   '/etc/pam.d/common-session' and
@@ -43,24 +43,27 @@ guard_sourcing
 #   '/etc/pam.d/common-session'
 #   '/etc/pam.d/common-session-noninteractive'
 # Globals:
+#   RECOVERY
 #   TARGET
-#   VAR_ARCHITECTURE
+#   VAR_RUN_RECOVERY
-#   VAR_CODENAME
-#   VAR_VERSION
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 hardening_memory() {
-  mkdir -p "${TARGET}/etc/systemd/coredump.conf.d"
+  ### Declare Arrays, HashMaps, and Variables.
-  mkdir -p "${TARGET}/etc/systemd/system.conf.d"
+  declare     var_target="${TARGET}"
 
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
+  mkdir -p "${var_target}/etc/systemd/coredump.conf.d"
+  mkdir -p "${var_target}/etc/systemd/system.conf.d"
 
-  insert_header "${TARGET}/etc/security/limits.d/99-ciss-core.conf"
+  insert_header   "${var_target}/etc/security/limits.d/99-ciss-core.conf"
-  insert_comments "${TARGET}/etc/security/limits.d/99-ciss-core.conf"
+  insert_comments "${var_target}/etc/security/limits.d/99-ciss-core.conf"
-  cat << EOF >> "${TARGET}/etc/security/limits.d/99-ciss-core.conf"
+  cat << 'EOF' >> "${var_target}/etc/security/limits.d/99-ciss-core.conf"
 # Enforce: no core dumps for all logins by default.
 # Format: <domain> <type> <item> <value>
 *     hard core 0
@@ -72,9 +75,9 @@ root  soft core 0
 EOF
 
 
-  insert_header "${TARGET}/etc/systemd/coredump.conf.d/disable.conf"
+  insert_header   "${var_target}/etc/systemd/coredump.conf.d/disable.conf"
-  insert_comments "${TARGET}/etc/systemd/coredump.conf.d/disable.conf"
+  insert_comments "${var_target}/etc/systemd/coredump.conf.d/disable.conf"
-  cat << 'EOF' >> "${TARGET}/etc/systemd/coredump.conf.d/disable.conf"
+  cat << 'EOF' >> "${var_target}/etc/systemd/coredump.conf.d/disable.conf"
 ### Do not store core images anywhere, keep the at most minimal metadata.
 
 [Coredump]
@@ -87,30 +90,41 @@ JournalSizeMax=0
 EOF
 
 
-  [[ -f  "${TARGET}/etc/systemd/system.conf.d/10-coredump-debian.conf" ]] && \
+  [[ -f  "${var_target}/etc/systemd/system.conf.d/10-coredump-debian.conf" ]] && \
-    mv "${TARGET}/etc/systemd/system.conf.d/10-coredump-debian.conf" "${TARGET}/etc/systemd/system.conf.d/10-coredump-debian.conf.bak"
+    mv "${var_target}/etc/systemd/system.conf.d/10-coredump-debian.conf" "${var_target}/etc/systemd/system.conf.d/10-coredump-debian.conf.bak"
 
 
-  insert_header "${TARGET}/etc/systemd/system.conf.d/99-ciss-core.conf"
+  insert_header   "${var_target}/etc/systemd/system.conf.d/99-ciss-core.conf"
-  insert_comments "${TARGET}/etc/systemd/system.conf.d/99-ciss-core.conf"
+  insert_comments "${var_target}/etc/systemd/system.conf.d/99-ciss-core.conf"
-  cat << EOF >> "${TARGET}/etc/systemd/system.conf.d/99-ciss-core.conf"
+  cat << 'EOF' >> "${var_target}/etc/systemd/system.conf.d/99-ciss-core.conf"
 [Manager]
 DefaultLimitCORE=0
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 
-  guard_pam_limits
+  ### Unified in 4520()
+  #   - write_pam_login()
+  #   - write_pam_sshd()
+  #   - write_pam_su()
+  #   - write_pam_sudo()
+  #   - write_pam_sudo-i()
+  # guard_pam_limits
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_memory
 
 #######################################
 # Ensure 'pam_limits.so' is activated in:
 #   '/etc/pam.d/common-session'
 #   '/etc/pam.d/common-session-noninteractive'
 # Globals:
+#   RECOVERY
 #   TARGET
+#   VAR_RUN_RECOVERY
 # Arguments:
 #   None
 # Returns:
@@ -118,8 +132,13 @@ EOF
 #######################################
 guard_pam_limits() {
   ### Declare Arrays, HashMaps, and Variables.
-  declare     var_file_0="${TARGET}/etc/pam.d/common-session"
+  declare     var_target="${TARGET}"
-  declare     var_file_1="${TARGET}/etc/pam.d/common-session-noninteractive"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+  declare     var_file_0="${var_target}/etc/pam.d/common-session"
+  declare     var_file_1="${var_target}/etc/pam.d/common-session-noninteractive"
   declare     var_line='session required pam_limits.so' var_file=""
   declare -i  var_changed=0
 
@@ -158,6 +177,9 @@ guard_pam_limits() {
 
   (( var_changed )) && do_log "info" "file_only" "4460() Activated pam_limits.so: (common-session[*])"
 
-  guard_dir && return 0
+  guard_dir; return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f guard_pam_limits
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4460_hardening_openssl.sh

@@ -10,10 +10,10 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
-# Updating 'machine-id' to 'whonix id'.
+# Hardening OpenSSL library defaults (system-wide), TLSv1.2-, TLSv1.3-, AES-256-only.
 # Globals:
 #   TARGET
 #   VAR_SETUP_PATH
@@ -22,19 +22,17 @@ guard_sourcing
 # Returns:
 #   0: on success
 #######################################
-setup_machineid() {
+hardening_openssl() {
-  if [[ -f "${TARGET}/var/lib/dbus/machine-id" ]]; then
+  mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/ssl"
-    rm -f "${TARGET}/var/lib/dbus/machine-id"
+  mv "${TARGET}/etc/ssl/openssl.cnf" "${TARGET}/root/.ciss/cdi/backup/etc/ssl/openssl.cnf.bak"
-  fi
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/etc/machine-id" "${TARGET}/var/lib/dbus/machine-id"
 
-  if [[ -f "${TARGET}/etc/machine-id" ]]; then
+  insert_header   "${TARGET}/etc/ssl/openssl.cnf"
-    rm -f "${TARGET}/etc/machine-id"
+  insert_comments "${TARGET}/etc/ssl/openssl.cnf"
-  fi
+  cat "${VAR_SETUP_PATH}/includes/target/etc/ssl/openssl.cnf" >> "${TARGET}/etc/ssl/openssl.cnf"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/etc/machine-id" "${TARGET}/etc/machine-id"
 
-  do_log "info" "file_only" "Machine ID updated: 'machine-id' to 'whonix id'."
+  guard_dir; return 0
-
-  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_openssl
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4470_hardening_ufw.sh

@@ -0,0 +1,110 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
+
+#######################################
+# Hardening 'ufw'.
+# Globals:
+#   RECOVERY
+#   TARGET
+#   VAR_FINAL_NIC
+#   VAR_RUN_RECOVERY
+#   VAR_SSH_PORT
+#   VAR_UFW_OUT
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+hardening_ufw() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_logfile="/root/.ciss/cdi/log/4470_hardening_ufw.log"
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+  declare -r  var_rules="${var_target}/etc/ufw/before6.rules"
+
+
+  chroot_logger "${var_target}${var_logfile}"
+
+  if [[ ! -f "${var_target}/var/log/ufw.log" ]]; then
+    touch "${var_target}/var/log/ufw.log"
+    chmod 0640 "${var_target}/var/log/ufw.log"
+  fi
+
+  chroot_script "${var_target}" "
+    ufw --force reset
+    ufw logging medium
+    ufw default deny incoming
+    ufw default ${VAR_UFW_OUT} outgoing
+    ufw default deny forward
+    ufw allow in ${VAR_SSH_PORT}/tcp comment 'Incoming SSH'
+    ufw limit ${VAR_SSH_PORT}/tcp comment 'Incoming SSH'
+  "
+
+  ### Ensure that a standard set of the most commonly used ports are open if a default-'deny'-outbound policy is selected.
+  if [[ "${VAR_UFW_OUT}" = "deny" ]]; then
+
+    chroot_script "${var_target}" "
+      ufw allow out   21/tcp comment 'Outgoing FTP'
+      ufw allow out   22/tcp comment 'Outgoing SSH'
+      ufw allow out   25/tcp comment 'Outgoing SMTP'
+      ufw allow out   53/tcp comment 'Outgoing DNS'
+      ufw allow out   80/tcp comment 'Outgoing HTTP'
+      ufw allow out  123/tcp comment 'Outgoing NTP'
+      ufw allow out  143/tcp comment 'Outgoing IMAP'
+      ufw allow out  443/tcp comment 'Outgoing HTTPS'
+      ufw allow out  465/tcp comment 'Outgoing SMTPS'
+      ufw allow out  587/tcp comment 'Outgoing SMTPS'
+      ufw allow out  993/tcp comment 'Outgoing IMAPS'
+      ufw allow out 4460/tcp comment 'Outgoing NTS'
+      ufw allow out ${VAR_SSH_PORT}/tcp comment 'Outgoing SSH'
+      ufw allow out   53/udp comment 'Outgoing DNS'
+      ufw allow out  123/udp comment 'Outgoing NTP'
+      ufw allow out  443/udp comment 'Outgoing QUIC'
+      ufw allow out  853/udp comment 'Outgoing DoQ'
+    "
+
+  fi
+
+  ### Allowing ICMP IPv4 outgoing per default.
+  sed -i "/# ok icmp code for FORWARD/i \# ok icmp codes for OUTPUT" "${var_target}/etc/ufw/before.rules"
+  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" "${var_target}/etc/ufw/before.rules"
+  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" "${var_target}/etc/ufw/before.rules"
+  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type parameter-problem -j ACCEPT" "${var_target}/etc/ufw/before.rules"
+  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT" "${var_target}/etc/ufw/before.rules"
+
+  ### Remove previous custom blocks (idempotent).
+  sed -i "/^# BEGIN custom MLD rules/,/^# END custom MLD rules/d" "${var_rules}"
+  sed -i "/^# BEGIN custom MLD OUTPUT rules/,/^# END custom MLD OUTPUT rules/d" "${var_rules}"
+
+  ### Inbound MLD (INPUT chain), insert before the existing echo-request rule.
+  ### Allows MLDv1 (130/131/132) and MLDv2 (143) to link-local multicast (ff02::/16)
+  sed -i "/-A ufw6-before-input .*--icmpv6-type echo-request -j ACCEPT/i # BEGIN custom MLD rules\n-A ufw6-before-input -i ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 130 -d ff02::/16 -j ACCEPT\n-A ufw6-before-input -i ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 131 -d ff02::/16 -j ACCEPT\n-A ufw6-before-input -i ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 132 -d ff02::/16 -j ACCEPT\n-A ufw6-before-input -i ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 143 -d ff02::/16 -j ACCEPT\n# END custom MLD rules" "${var_rules}"
+
+  ### Outbound MLD (OUTPUT chain), insert before echo-request.
+  ### Useful if local daemons join multicast groups, and you want clean logs.
+  sed -i "/-A ufw6-before-output .*--icmpv6-type echo-request -j ACCEPT/i # BEGIN custom MLD OUTPUT rules\n-A ufw6-before-output -o ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 131 -d ff02::/16 -j ACCEPT\n-A ufw6-before-output -o ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 143 -d ff02::/16 -j ACCEPT\n# END custom MLD OUTPUT rules" "${var_rules}"
+
+  chroot_script "${var_target}" "echo 'y' | ufw enable 2>&1"
+
+  chroot_script "${var_target}" "ufw status verbose >> ${var_logfile}"
+
+  guard_dir; return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_ufw
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4480_hardening_usb.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
+
+#######################################
+# Hardening 'usb-guard'.
+# Globals:
+#   TARGET
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+hardening_usb() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_logfile="/root/.ciss/cdi/log/4480_hardening_usb.log"
+
+  chroot_logger "${TARGET}${var_logfile}"
+
+  ### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
+  chroot_script "${TARGET}" "
+    export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+    apt-get install -y --no-install-recommends --no-install-suggests usbguard 2>&1 | tee -a ${var_logfile}
+
+    touch /tmp/rules.conf
+    usbguard generate-policy >| /tmp/rules.conf
+
+    if [[ -f /etc/usbguard/rules.conf && -s /etc/usbguard/rules.conf ]]; then
+
+      mkdir -p /root/.ciss/cdi/backup/etc/usbguard
+      mv /etc/usbguard/rules.conf /root/.ciss/cdi/backup/etc/usbguard/usbguard_rules.conf
+      mv /tmp/rules.conf /etc/usbguard/rules.conf
+      chmod 0600 /etc/usbguard/rules.conf
+
+    else
+
+      rm -f /etc/usbguard/rules.conf
+      mv /tmp/rules.conf /etc/usbguard/rules.conf
+      chmod 0600 /etc/usbguard/rules.conf
+
+    fi
+
+    #cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/cdi/backup/etc/usbguard/usbguard-daemon.conf
+    #sed -i 's/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/' /etc/usbguard/usbguard-daemon.conf
+  "
+
+  guard_dir; return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_usb
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh