DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]

X-CI-Metadata: master@aef00ec at 2025-10-26T18:19:48Z on 6f8f9a786bfa

Generated at : 2025-10-26T18:19:48Z
Runner Host  : 6f8f9a786bfa
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : aef00ec HEAD -> master

.preseed/mfa_master.txt

@@ -1 +0,0 @@
-7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda

.preseed/partitioning.yaml

@@ -35,7 +35,7 @@ recipe:
       luks_backup: true        # Specify if LUKS Header backups should be created. If so, provide an external backup URL:
                                # luks_backup_url: "https://cloud.e2ee.li/" or leave empty for local backup.
                                # Also provide the cloud access token and access passwords via
-                               # ./.preseed/password_luks_backup.txt. Yet Nextcloud only is supported.
+                               # ./.preseed/SECRETS.yaml. Yet Nextcloud only is supported.
       luks_backup_url: "https://cloud.e2ee.li/"
       luks_backup_pgp: "ciss"  # Specify the trigger for use of the LUKS Header backup encryption key.
                                # Allowed values are: 'ciss', and 'physnet'. MUST be provided.

.preseed/password_grub.txt

@@ -1 +0,0 @@
-PleASE_CHan3e_M!

.preseed/password_luks_backup.txt

@@ -1 +0,0 @@
-SJF3kOdvm0o9xwT:VdmXE^2w^VTFJeJPdHkd7qNwQVf^7SDmcyZKjcfadS

.preseed/password_luks_boot.txt

@@ -1 +0,0 @@
-Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!

.preseed/password_luks_common.txt

@@ -1 +0,0 @@
-Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!

.preseed/password_luks_nuke.txt

@@ -1 +0,0 @@
-THIS_IS_THE_NUKE_PASSWORD!

.preseed/preseed.yaml

@@ -454,7 +454,7 @@ grub:
   other-os: true               # This one makes grub-installer install to the UEFI partition '/boot' record if it also finds
                                # some other OS, which is less safe as it might not be able to boot that other OS.
   password: true               # If you want to set a password for GRUB. The password MUST be set at:
-                               # '/.preseed/password_grub.txt'.
+                               # '/.preseed/SECRETS.yaml'.
   prober: false                # OS-prober did not detect any other operating systems on your computer at this time, but you
                                # may still wish to enable it in case you install more in the future.
   skip: false                  # Skip installing grub.
@@ -839,9 +839,6 @@ ssh:
 # User settings
 ################################################################################################################################
 user:
-  mfa:
-    info: "totp:v1"
-    salt: "CISS:CDI:OTP"       # + (Server_FQDN/Username)
   ##############################################################################################################################
   # Root: The superuser account (normally disabled for direct login).
   #       Key 'user.root.password' MUST contain a valid yescrypt hashed password string.

LINTER_RESULTS.txt

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-10-26T16:06:55Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-10-26T18:19:45Z".
 
 ⚠️ The last linter check was NOT successful. ⚠️
 

ciss_debian_installer.sh

@@ -24,7 +24,7 @@
 # TODO: Copying Log Files to final System
 # TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain?
 # TODO: Reboot function for Autoinstall, Clean Exit, Flush Logs, luksClose, umount
-# TODO: Implement loop_pass() for other passwords 0105_arg_nuke_converter.sh
+# TODO: Implement loop_pass() for other passwords 1257_yaml_xnuke.sh
 # TODO: Implement / Integrate IP, Port validation CDI_1200
 
 ### WHY BASH?
@@ -198,10 +198,6 @@ arg_parser "$@"
 info_echo "0103_arg_priority_check.sh"
 arg_priority_check
 
-### HASHING PASSWORDS.
-info_echo "0105_arg_nuke_converter.sh"
-nuke_passphrase
-
 
 ### CDI_1250
 info_echo "1250_yaml_parser.sh"
@@ -213,9 +209,12 @@ yaml_reader
 info_echo "1252_yaml_validator.sh"
 yaml_validator
 
-info_echo "1256_secret_parser.sh"
+info_echo "1256_yaml_xfiles.sh"
 yaml_secret
 
+info_echo "1257_yaml_xnuke.sh"
+nuke_passphrase
+
 
 ### CDI_3200
 info_echo "3200_partitioning.sh"

func/cdi_1250_yaml/1256_yaml_xfiles.sh

@@ -50,6 +50,7 @@ ciss_secrets_unset() {
   ### Declare Arrays, HashMaps, and Variables.
   declare     var_k="" var_v=""
 
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
   guard_trace on
 
   for var_k in "${!CISS_SECRETS_MAP[@]}"; do
@@ -67,6 +68,7 @@ ciss_secrets_unset() {
   CISS_SECRETS_MAP=()
 
   guard_trace off
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
 
   return 0
 }
@@ -122,6 +124,7 @@ ciss_secrets_wiper() {
 readonly -f ciss_secrets_wiper
 
 #######################################
+# Purpose:
 #   Parsing of only "*.value" keys from 'SECRETS.yaml' into Bash globals.
 #   If the file contains SOPS markers, decrypt once (streaming) with sops/age, then yq parses in a single pass.
 #   No base64, plain values preserved (including newlines). No repeated per-key decrypts or yq calls.
@@ -143,8 +146,6 @@ readonly -f ciss_secrets_wiper
 #   ERR_MISSING_AGE_KEY: on failure
 #######################################
 yaml_secret() {
-  # TODO: Remove debug echos
-
   ### Declare Arrays, HashMaps, and Variables.
   declare -r  SOPS_AGE_KEY_FILE="${CISS_SECRETS_AGE}"
   declare -a  __names=()
@@ -155,8 +156,8 @@ yaml_secret() {
   __umask=$(umask)
   umask 0077
 
-  # TODO: guard_trace on
-  #guard_trace on
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+  guard_trace on
 
   secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_if}")" || secrets_encrypted="false"
   do_log "debug" "file_only" "1256() 'secrets_encrypted' according to secrets.x_files: '${secrets_encrypted}'."
@@ -199,6 +200,7 @@ yaml_secret() {
     s/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value)=[[:space:]]*$/\1='\'''\''/; t print
     /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value=[[:space:]]*('"'"'|\"|\$'"'"')/b print
     s/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value)=([^[[:space:]]'"'"'$][^[:space:]]*)[[:space:]]*$/\1='"'"'\2'"'"'/; t print
+    s/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value)=[[:space:]]*(.+)[[:space:]]*$/\1='"'"'\2'"'"'/; t print
     :print
     p
   ' -- "${__SECRETS}" >| "${__SECRETS}.value_only"
@@ -208,35 +210,42 @@ yaml_secret() {
   # shellcheck disable=SC1091 source=./${__SECRETS}
   source "${__SECRETS}"
 
-  ### Iterate only variables ending in '_value'.
+  ciss_secrets_wiper "${__SECRETS}"
+
   # shellcheck disable=SC2312
-  mapfile -t __names < <(compgen -A variable 'secrets_*_value')
+  mapfile -t __names < <(printf '%s\n' "${!secrets_@}")
 
   for __name in "${__names[@]}"; do
 
-    ### Value of the generated variable:
-    __val="${!__name}"
-    echo "${__val}"
+    ### Keep only *_value variables
+    [[ "${__name}" == *_value ]] || continue
 
-    ### Strip suffix and leading namespace:
-    # secrets_db_password_value -> base="secrets_db_password"
+    ### Validate strict Bash identifier (defensive: strip accidental CR).
+    __name="${__name%$'\r'}"
+    [[ "${__name}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || continue
+
+    ### Only read if actually set; indirect check without triggering nounset.
+    if [[ -n "${!__name+x}" ]]; then
+
+      __val="${!__name}"
+
+    else
+
+      __val=""
+
+    fi
+
+    ### Strip suffix/prefix for the map key.
     __base="${__name%_value}"
-    echo "${__base}"
-    # secrets_db_password -> path_wo_prefix="db_password"
     __path_wo_prefix="${__base#secrets_}"
-    echo "${__path_wo_prefix}"
 
-    ### Canonical CISS name:
+    ### Canonical CISS name.
     __varname="$(ciss_secret_varname_from_path "${__path_wo_prefix}")"
-    echo "${__varname}"
 
-    ### Assign as global (verbatim, preserves newlines).
+    ### Assign verbatim (preserves newlines).
     unset -v "${__varname}"
     declare -g "${__varname}"
-    echo "declare -g ${__varname}"
-
     printf -v "${__varname}" '%s' "${__val}"
-    echo "printf -v ${__varname} ${__val}"
 
     CISS_SECRETS_MAP["${__path_wo_prefix}"]="${__varname}"
 
@@ -244,16 +253,15 @@ yaml_secret() {
 
   ### Hygiene: remove the intermediate variables to reduce secret surface, e.g., unset 'secrets_*_value' after transfer.
   for __name in "${__names[@]}"; do
+
     unset -v "${__name}"
+
   done
 
   umask "${__umask}"
 
-  echo "Inside 1256()"
-  sleep 60
-
-  # TODO: guard_trace off
-  #guard_trace off
+  guard_trace off
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
 
   guard_dir; return 0
 }

func/cdi_1250_yaml/1257_yaml_xnuke.sh

@@ -15,18 +15,22 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Generates 'nuke=HASH' Bootparameter.
 # Globals:
+#   CISS_SECRET_LUKS_NUKE
 #   DIR_CNF
 #   VAR_NUKE_HASH
 # Arguments:
 #   None
 # Returns:
 #   0: on success
-#   ERR_GENERATE_SALT
-#   ERR_READ_NUKE_FILE
+#   ERR_GENERATE_SALT: on failure
 #######################################
 nuke_passphrase() {
-  declare -r var_nuke_pwd_file="${DIR_CNF}/password_luks_nuke.txt"
-  declare    var_temp_nuke_hash="" var_temp_plain_nuke_pwd="" var_salt="" var_nuke_rounds=""
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+  guard_trace on
+
+  ### Declare Arrays, HashMaps, and Variables.
+  declare    var_nuke_pwd="${CISS_SECRET_LUKS_NUKE}"
+  declare    var_temp_nuke_hash="" var_salt="" var_nuke_rounds=""
 
   # shellcheck disable=SC2312
   var_nuke_rounds="$(
@@ -40,30 +44,30 @@ nuke_passphrase() {
   ' "${DIR_CNF}/partitioning.yaml" | head -n1
   )"
 
-  [[ ! -f "${var_nuke_pwd_file}" ]] && return 0
-
-  guard_trace on
-  if ! read_password_file "${var_nuke_pwd_file}" var_temp_plain_nuke_pwd; then
-    return "${ERR_READ_NUKE_FILE}"
-  fi
-  guard_trace off
+  [[ -z "${var_nuke_pwd}" ]] && return 0
 
 
   if ! var_salt="$(generate_salt)"; then
+
     return "${ERR_GENERATE_SALT}"
+
   fi
 
+  var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${var_nuke_rounds:-8388608}" "${var_nuke_pwd}")
 
-  guard_trace on
-  var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${var_nuke_rounds:-8388608}" "${var_temp_plain_nuke_pwd}")
-  guard_trace off
-
+  # shellcheck disable=SC2034
   declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}"
-  unset var_temp_nuke_hash var_temp_plain_nuke_pwd
+
+  unset var_temp_nuke_hash var_nuke_pwd CISS_SECRET_LUKS_NUKE
 
   do_log "debug" "file_only" "0105() NUKE hash starts with: [${VAR_NUKE_HASH:0:32}...]"
 
+  guard_trace off
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+
   guard_dir; return 0
 }
-
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f nuke_passphrase
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_3200_partitioning/3210_benchmarking_encryption.sh

@@ -27,7 +27,8 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #   0: on success
 #######################################
 benchmarking_encryption() {
-  declare var_result=""
+  ### Declare Arrays, HashMaps, and Variables.
+  declare       var_result=""
   # shellcheck disable=SC2155
   declare -girx VAR_KDF_THREADS=$(yq_val ".recipe.${VAR_RECIPE_STRING}.control.kdf.threads" "${VAR_SETUP_PART}")
   # shellcheck disable=SC2155
@@ -37,7 +38,7 @@ benchmarking_encryption() {
   sync
 
   echo "BENCHMARK CRYPTSETUP ARGON2ID KDF PARAMETER - DROPPING PAGES ..."
-  echo 3 >| /proc/sys/vm/drop_caches
+  echo 3 >| /proc/sys/vm/drop_caches || true
 
   # shellcheck disable=SC2312
   var_result=$(cryptsetup benchmark --pbkdf argon2id --iter-time "${VAR_ITER_TIME:-3000}" --pbkdf-parallel "${VAR_KDF_THREADS:-1}" 2>/dev/null \

func/cdi_3200_partitioning/3220_partition_encryption.sh

@@ -16,6 +16,9 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 # Function to encrypt the respective partition on each entry of 'ARY_CRYPT_MOUNT_PATHS'.
 # Globals:
 #   ARY_CRYPT_MOUNT_PATHS
+#   CISS_SECRET_LUKS_BACKUP
+#   CISS_SECRET_LUKS_BOOT
+#   CISS_SECRET_LUKS_COMMON
 #   DIR_BAK
 #   DIR_CNF
 #   DIR_LOG
@@ -38,7 +41,6 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #   VAR_RECIPE_STRING
 #   VAR_SETUP_PART
 #   VAR_SETUP_PATH
-#   VAR_TEMP_PLAIN_NC_AUTH
 # Arguments:
 #   None
 # Returns:
@@ -61,15 +63,31 @@ partition_encryption() {
               var_encryption_ephemeral="" var_encryption_integrity="" var_encryption_cipher="" var_encryption_hash="" \
               var_encryption_key="" var_encryption_label="" var_encryption_meta="" var_encryption_slot="" \
               var_encryption_pbkdf="" var_encryption_rng="" var_filesystem_label="" var_mount_path="" var_uuid="" var_fs="" \
-              var_luks_backup_file="" var_luks_backup_name="" var_pgp_publickey="" var_luks_backup_pgp=""
+              var_luks_backup_file="" var_luks_backup_name="" var_pgp_publickey="" var_luks_backup_pgp="" \
+              var_temp_plain_nc_auth=""
 
   declare -a  ary_luks_opts=()
 
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+  guard_trace on
+  printf '%s' "${CISS_SECRET_LUKS_BOOT}" >| "${DIR_CNF}/password_luks_boot.txt" && chmod 0600 "${DIR_CNF}/password_luks_boot.txt"
+  printf '%s' "${CISS_SECRET_LUKS_COMMON}" >| "${DIR_CNF}/password_luks_common.txt" && chmod 0600 "${DIR_CNF}/password_luks_common.txt"
+  unset CISS_SECRET_LUKS_BOOT CISS_SECRET_LUKS_COMMON
+  guard_trace on
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+
   if [[ -n "${VAR_LUKS_URL}" ]]; then
 
     VAR_LUKS_URL=${VAR_LUKS_URL%/}
-    read_luks_backup_token
-    do_log "debug" "file_only" "3220() Command: [read_luks_backup_token]"
+
+    ### SECRETS handling -------------------------------------------------------------------------------------------------------
+    guard_trace on
+    var_temp_plain_nc_auth="${CISS_SECRET_LUKS_BACKUP}"
+    unset CISS_SECRET_LUKS_BACKUP
+    guard_trace on
+    ### SECRETS handling -------------------------------------------------------------------------------------------------------
+
+    do_log "debug" "file_only" "3220() Var: [var_temp_plain_nc_auth] set."
 
   fi
 
@@ -176,13 +194,17 @@ partition_encryption() {
 
     ### Opening the encrypted container.
     if [[ "${var_encryption_path,,}" == "/boot" ]]; then
+
       cryptsetup luksOpen "/dev/${var_dev}" \
         --key-file="${DIR_CNF}/password_luks_boot.txt" \
         "${var_encryption_label}"
+
     else
+
       cryptsetup luksOpen "/dev/${var_dev}" \
         --key-file="${DIR_CNF}/password_luks_common.txt" \
         "${var_encryption_label}"
+
     fi
     do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' opened as '/dev/mapper/${var_encryption_label}'."
 
@@ -254,10 +276,11 @@ partition_encryption() {
 
       if [[ -n "${VAR_LUKS_URL}" ]]; then
 
+        ### SECRETS handling ---------------------------------------------------------------------------------------------------
         guard_trace on
 
         if curl --silent --show-error --fail --retry 2 "${VAR_LUKS_URL}/public.php/webdav/${var_luks_backup_name}" \
-          --upload-file "${var_luks_backup_pgp}" --user "${VAR_TEMP_PLAIN_NC_AUTH}" > /dev/null 2>&1; then
+          --upload-file "${var_luks_backup_pgp}" --user "${var_temp_plain_nc_auth}" > /dev/null 2>&1; then
 
           do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' successful."
 
@@ -270,6 +293,7 @@ partition_encryption() {
         fi
 
         guard_trace off
+        ### SECRETS handling ---------------------------------------------------------------------------------------------------
 
       fi
 
@@ -277,43 +301,18 @@ partition_encryption() {
 
   done
 
-  [[ -n "${VAR_LUKS_URL}" ]] && unset VAR_TEMP_PLAIN_NC_AUTH
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+  guard_trace on
+  [[ -n "${VAR_LUKS_URL}" ]] && unset var_temp_plain_nc_auth
+  guard_trace off
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+
+  ciss_secrets_wiper "${DIR_CNF}/password_luks_boot.txt"
+  ciss_secrets_wiper "${DIR_CNF}/password_luks_common.txt"
 
   guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f partition_encryption
-
-#######################################
-# Reads the Nextcloud auth token from '${DIR_CNF}/password_luks_backup.txt' into VAR_TEMP_PLAIN_NC_AUTH
-# Globals:
-#   DIR_CNF
-#   VAR_TEMP_PLAIN_NC_AUTH
-# Arguments:
-#   None
-# Returns:
-#   0: on success
-#   ERR_READ_AUTH_FILE: on failure
-#######################################
-read_luks_backup_token(){
-  ### Declare Arrays, HashMaps, and Variables.
-  declare -r var_luks_backup_auth="${DIR_CNF}/password_luks_backup.txt"
-  declare -g VAR_TEMP_PLAIN_NC_AUTH=""
-
-  guard_trace on
-
-  if ! read_password_file "${var_luks_backup_auth}" VAR_TEMP_PLAIN_NC_AUTH; then
-
-    return "${ERR_READ_AUTH_FILE}"
-
-  fi
-
-  guard_trace off
-
-  return 0
-}
-### Prevents accidental 'unset -f'.
-# shellcheck disable=SC2034
-readonly -f read_luks_backup_token
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4200_boot/4240_update_grub_password.sh

@@ -15,26 +15,29 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Append the GRUB superuser block to '/etc/grub.d/40_custom'.
 # Globals:
-#   DIR_CNF
+#   CISS_SECRET_GRUB
 #   TARGET
 # Arguments:
 #   None
 # Returns:
 #   0: on success
-#   ERR_READ_GRUB_FILE
+#   ERR_READ_GRUB_FILE: on failure
 #######################################
 update_grub_password() {
   ### Declare Arrays, HashMaps, and Variables.
-  declare var_username="superadmin" var_password="" var_password_file="${DIR_CNF}/password_grub.txt" \
+  declare var_username="superadmin" var_password="" \
           var_of="${TARGET}/etc/grub.d/40_custom" var_grub_entry=""
 
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
   guard_trace on
 
-  var_password=$(<"${var_password_file}") || return "${ERR_READ_GRUB_FILE}"
+  var_password="${CISS_SECRET_GRUB}" || return "${ERR_READ_GRUB_FILE}"
+  unset CISS_SECRET_GRUB
 
   var_grub_entry=$(generate_grub_password_pbkdf2 "${var_username}" "${var_password}")
 
   guard_trace off
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
 
   ### Append if not already present.
   if ! grep -q "set superusers=" "${var_of}"; then
@@ -56,6 +59,8 @@ readonly -f update_grub_password
 
 #######################################
 # Generate PBKDF2 password hash for GRUB.
+# Globals:
+#   None
 # Arguments:
 #   1: Username (default to superadmin).
 #   2: User password.

func/cdi_4500_user/4520_accounts_setup.sh

@@ -15,6 +15,9 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Updating root account and generation user accounts.
 # Globals:
+#   CISS_SECRET_USER_ROOT_PASSWORD
+#   CISS_SECRET_USER_ROOT_SSHPUBKEY
+#   LOG_ERR
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
@@ -27,8 +30,6 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #   user_root_authentication_access_ssh
 #   user_root_authentication_access_tty
 #   user_root_authentication_password
-#   user_root_password
-#   user_root_sshpubkey
 # Arguments:
 #   None
 # Returns:
@@ -152,7 +153,9 @@ EOF
   esac
 
   ### 4) Check the password policy for the 'root' account.
-  chroot_script "${var_target}" "printf '%s:%s\n' 'root' '${user_root_password}' | /usr/sbin/chpasswd -e"
+  chroot_script "${var_target}" "printf '%s:%s\n' 'root' '${CISS_SECRET_USER_ROOT_PASSWORD}' | /usr/sbin/chpasswd -e"
+  do_log "info" "file_only" "4520() User: 'root' password: inserted."
+  unset CISS_SECRET_USER_ROOT_PASSWORD
 
   case "${user_root_authentication_password,,}" in
 
@@ -174,9 +177,10 @@ EOF
   esac
 
   ### 5) Update the 'root' SSH pubkey, if provided via 'preseed.yaml'.
-  if [[ -n "${user_root_sshpubkey:-}" ]]; then
+  if [[ -n "${CISS_SECRET_USER_ROOT_SSHPUBKEY:-}" ]]; then
 
-    printf "%s\n" "${user_root_sshpubkey}" >| "${var_target}/root/.ssh/authorized_keys"
+    printf "%s\n" "${CISS_SECRET_USER_ROOT_SSHPUBKEY}" >| "${var_target}/root/.ssh/authorized_keys"
+    unset CISS_SECRET_USER_ROOT_SSHPUBKEY
     do_log "info" "file_only" "4520() User: 'root' SSH public key: inserted."
 
   fi
@@ -231,8 +235,8 @@ EOF
     tmp_uid="user_user${i}_uid"
     tmp_gid="user_user${i}_gid"
     tmp_shell="user_user${i}_shell"
-    tmp_password="user_user${i}_password"
-    tmp_sshpubkey="user_user${i}_sshpubkey"
+    tmp_password="CISS_SECRET_USER_USER${i}_PASSWORD"
+    tmp_sshpubkey="CISS_SECRET_USER_USER${i}_SSHPUBKEY"
     tmp_access_tty="user_user${i}_authentication_access_tty"
     tmp_auth_pwd="user_user${i}_authentication_password"
     tmp_2fa_ssh="user_user${i}_authentication_2fa_ssh"
@@ -450,6 +454,7 @@ EOF
     find "${var_target}/home/${var_username}" -xdev -exec chown -h "${var_uid}:${var_gid}" {} +
 
     ### 9) Final status logging.
+    unset var_password var_sshpubkey
     do_log "info" "file_only" "4520() Created user: [${var_username}] UID: [${var_uid}] GID: [${var_gid}]"
 
   done
@@ -460,8 +465,6 @@ EOF
 
   fi
 
-  unset VAR_TEMP_PLAIN_MFA_SEED
-
   if ! grep -Fqx -- '-: ALL:ALL' "${var_target}/etc/security/access.conf"; then
 
     printf '%s\n' '-: ALL:ALL' >> "${var_target}/etc/security/access.conf"
@@ -471,6 +474,8 @@ EOF
   printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_target}/etc/security/access.conf"
   printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_target}/etc/ssh/sshd_config"
 
+  unset VAR_TEMP_PLAIN_MFA_SEED
+
   guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
@@ -511,12 +516,12 @@ readonly -f eza_installer
 
 #######################################
 # Generates a deterministic TOTP secret based on:
-# Username, FQDN, MFA salt, MFA master seed
+#   Username, FQDN, MFA salt, MFA master seed
 # Globals:
+#   CISS_SECRET_SEEDS_MFA_INFO
+#   CISS_SECRET_SEEDS_MFA_SALT
 #   VAR_FINAL_FQDN
 #   VAR_TEMP_PLAIN_MFA_SEED
-#   user_mfa_info
-#   user_mfa_salt
 # Arguments:
 #   1: Username
 # Returns:
@@ -526,10 +531,11 @@ generate_totp_secret() {
   ### Declare Arrays, HashMaps, and Variables.
   declare  var_user="${1}"
   declare  var_host_id="${VAR_FINAL_FQDN}"
-  declare  var_salt="${user_mfa_salt}:${var_host_id}:${var_user}"
-  declare  var_info="${user_mfa_info}"
+  declare  var_salt="${CISS_SECRET_SEEDS_MFA_SALT}:${var_host_id}:${var_user}"
+  declare  var_info="${CISS_SECRET_SEEDS_MFA_INFO}"
   declare  var_secret=""
 
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
   guard_trace on
 
   ### Derive 20 bytes via HKDF-SHA256 using OpenSSL 3 kdf, output as raw, then base32 (uppercase, no padding).
@@ -550,6 +556,7 @@ generate_totp_secret() {
   printf '%s\n' "${var_secret}"
 
   guard_trace off
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
 
   return 0
 }
@@ -717,33 +724,31 @@ EOF
 readonly -f hardening_sudo
 
 #######################################
-# Reads a 256-bit seed from '${DIR_CNF}/mfa_master.txt' (64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED.
+# Reads a 256-bit seed from '${CISS_SECRET_SEEDS_MFA_SECRET}' '(64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED.
 # Globals:
-#   DIR_CNF
+#   CISS_SECRET_SEEDS_MFA_SECRET
 #   VAR_TEMP_PLAIN_MFA_SEED
 # Arguments:
 #   None
 # Returns:
 #   0: on success
-#   ERR_READ_SEED_FILE
+#   ERR_READ_SEED_FILE: on failure
 #######################################
 read_totp_seed(){
   ### Declare Arrays, HashMaps, and Variables.
-  declare -r var_mfa_seed_file="${DIR_CNF}/mfa_master.txt"
   declare -g VAR_TEMP_PLAIN_MFA_SEED=""
 
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
   guard_trace on
 
-  if ! read_password_file "${var_mfa_seed_file}" VAR_TEMP_PLAIN_MFA_SEED; then
-
-    return "${ERR_READ_SEED_FILE}"
-
-  fi
+  VAR_TEMP_PLAIN_MFA_SEED="${CISS_SECRET_SEEDS_MFA_SECRET}"
+  unset CISS_SECRET_SEEDS_MFA_SECRET
 
   ### Validate: exactly 64 hex.
   [[ "${VAR_TEMP_PLAIN_MFA_SEED}" =~ ^[0-9a-fA-F]{64}$ ]] || return "${ERR_READ_SEED_FILE}"
 
   guard_trace off
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
 
   return 0
 }
@@ -889,14 +894,17 @@ readonly -f write_ciss_2fa_user
 write_google_authenticator_file() {
   ### Declare Arrays, HashMaps, and Variables.
   declare -r  var_user="${1}" var_user_id="${2}" var_group_id="${3}" var_target="${4}"
-  declare     var_secret=""
+  declare -i  i=0
+  declare     var_secret="" __umask=""
+
+  __umask=$(umask)
 
   case "${1}" in
     root) declare var_base="${var_target}/root"             ;;
     *)    declare var_base="${var_target}/home/${var_user}" ;;
   esac
-  declare -i  i=0
 
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
   guard_trace on
 
   var_secret="$(generate_totp_secret "${var_user}")"
@@ -941,9 +949,10 @@ write_google_authenticator_file() {
   } >| "${DIR_TMP}/TOTP_${var_user}.secret"
   chmod 0400 "${DIR_TMP}/TOTP_${var_user}.secret"
 
-  umask 0022
-
   guard_trace off
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
+
+  umask "${__umask}"
 
   return 0
 }

lib/cdi_0050_debug/0051_debug_var_dump.sh

@@ -13,11 +13,13 @@
 guard_sourcing || return "${ERR_GUARD_SOURCE}"
 
 #######################################
-# Capture an initial snapshot of all variables (excluding '^(BASH|_).*').
+# Capture an initial snapshot of all variables (excluding '^(BASH|_|CISS_SECRET_)').
 # Globals:
 #   VAR_DUMP_VARS_INITIAL
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 dump_vars_initial() {
   # shellcheck disable=SC2312
@@ -25,12 +27,16 @@ dump_vars_initial() {
     declare var
     while IFS= read -r var; do
       declare -p "${var}" 2> /dev/null
-    done < <(compgen -v | grep -Ev '^(BASH|_).*')
+    done < <(compgen -v | grep -Ev '^(BASH|_|CISS_SECRET_)')
   } | sort >| "${VAR_DUMP_VARS_INITIAL}"
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f dump_vars_initial
 
 #######################################
-# Capture the final snapshot of all variables (excluding '^(BASH|_).*').
+# Capture the final snapshot of all variables (excluding '^(BASH|_|CISS_SECRET_)').
 # Globals:
 #   LOG_VAR
 #   VAR_DUMP_VARS_FINAL
@@ -38,6 +44,8 @@ dump_vars_initial() {
 #   VAR_VERSION
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 dump_vars_exiting() {
   set +x
@@ -46,7 +54,7 @@ dump_vars_exiting() {
     declare var
     while IFS= read -r var; do
       declare -p "${var}" 2>/dev/null
-    done < <(compgen -v | grep -Ev '^(BASH|_).*')
+    done < <(compgen -v | grep -Ev '^(BASH|_|CISS_SECRET_)')
   } | sort >| "${VAR_DUMP_VARS_FINAL}"
   set -x
 
@@ -71,5 +79,10 @@ dump_vars_exiting() {
   set -x
 
   rm -f "${VAR_DUMP_VARS_INITIAL}" "${VAR_DUMP_VARS_FINAL}"
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f dump_vars_exiting
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

meta_loader_func.sh

@@ -29,6 +29,7 @@ source_guard "./func/cdi_1250_yaml/1250_yaml_parser.sh"
 source_guard "./func/cdi_1250_yaml/1251_yaml_reader.sh"
 source_guard "./func/cdi_1250_yaml/1252_yaml_validator.sh"
 source_guard "./func/cdi_1250_yaml/1256_yaml_xfiles.sh"
+source_guard "./func/cdi_1250_yaml/1257_yaml_xnuke.sh"
 
 ### cdi_3200_partitioning
 source_guard "./func/cdi_3200_partitioning/3200_partitioning.sh"

meta_loader_lib.sh

@@ -42,7 +42,6 @@ source_guard "./lib/cdi_0100_arg/0101_arg_sanitizer.sh"
 source_guard "./lib/cdi_0100_arg/0102_arg_parser.sh"
 source_guard "./lib/cdi_0100_arg/0103_arg_priority_check.sh"
 source_guard "./lib/cdi_0100_arg/0104_arg_passphrase_modules.sh"
-source_guard "./lib/cdi_0100_arg/0105_arg_nuke_converter.sh"
 
 source_guard "./lib/cdi_0110_interactive/0110_dialog_kernel.sh"
 source_guard "./lib/cdi_0110_interactive/0115_dialog_notes.sh"