rescue_hetzner_configure() {
	local hostname="${1}"
	local package
	local packages=(
		'mosh'
		'screen' 'tmux' 'byobu'
		'apt-file'
	)
	# apt / conf
	echo -n "\
Acquire::AllowInsecureRepositories False;
Acquire::AllowWeakRepositories False;
Acquire::AllowDowngradeToInsecureRepositories False;
Acquire::Check-Valid-Until True;
APT::Install-Recommends False;
APT::Install-Suggests False;
APT::Get::Show-Versions True;
Dir::Etc::SourceParts '';
Dpkg::Progress True;
" >'/etc/apt/apt.conf'
	# apt / sources
	echo -n "\
deb https://deb.debian.org/debian bookworm main non-free-firmware contrib non-free
deb https://deb.debian.org/debian bookworm-backports main non-free-firmware contrib non-free
deb https://deb.debian.org/debian bookworm-updates main non-free-firmware contrib non-free
deb https://deb.debian.org/debian-security bookworm-security main non-free-firmware contrib non-free
" >'/etc/apt/sources.list'
	# bash / rc
	main_link_bashrc
	mv .bashrc .bashrc.old
	# host name
	hostname "${hostname}"
	# locales
	echo -n "\
en_US.UTF-8 UTF-8
fr_FR.UTF-8 UTF-8
" >'/etc/locale.gen'
	# generate locales
	locale-gen
	# update catalog
	apt-get update
	#
	debian_disable_frontend
	# install packages
	for package in "${packages[@]}"; do
		echo
		echo "${package}"
		apt-get install \
			--assume-yes \
			"${package}"
		apt_clean_cache
	done
	# update catalog
	apt-get update
}

rescue_hetzner_install() {
	local package
	local release='bookworm'
	local packages=(
		# installed
		'dmidecode' 'efibootmgr' 'pciutils' 'usbutils'
		'parted' 'mdadm' 'cryptsetup-bin' 'lvm2'
		'btrfs-progs' 'dosfstools'
		'git' 'nano' 'python3' 'rsync' 'vim'
		'file' 'htop' 'lsof' 'man-db' 'tree' 'uuid-runtime'
		# install
		'lshw'
		'duperemove' 'squashfs-tools'
		'grub-efi-amd64-bin' 'grub-pc-bin'
		'libdigest-sha3-perl' 'micro'
		'iotop'
		'exa' 'ipcalc' 'lf' 'ncdu' 'nnn' 'ranger'
	)
	local backports=(
	)
	# update catalog
	apt-get update
	#
	debian_disable_frontend
	# upgrade packages
	apt-get upgrade --assume-yes
	#
	apt_clean_cache
	# install packages
	for package in "${packages[@]}"; do
		echo
		echo "${package}"
		apt-get install \
			--assume-yes \
			"${package}"
		apt_clean_cache
	done
	# install backports
	for package in "${backports[@]}"; do
		echo
		echo "${package}"
		apt-get install \
			--assume-yes \
			--target-release "${release}-backports" \
			"${package}"
		apt_clean_cache
	done
}

rescue_hetzner_upload() {
	local host="${1}"
	local hostname="${2}"
	if [ "${hostname}" ]; then
		local user='root'
		#
		local user_host="${user}@${host}"
		# remove fingerprints
		ssh-keygen -R "${host}"
		# copy ssh id
		ssh-copy-id \
			-o 'StrictHostKeyChecking=accept-new' \
			"${user_host}"
		# upload root
		rsync --delete --recursive "${MAIN_BASH_ROOT}/" "${user_host}:/etc/bash/"
		# call setup
		# TODO variable
		ssh "${user_host}" -- "source '/etc/bash/main.sh' ; rescue_hetzner_configure '${hostname}'"
		# create session
		ssh "${user_host}" -- byobu new-session -d
		# send keys
		ssh "${user_host}" -- byobu send-keys 'rescue_hetzner_install' 'C-m'
		# attach session
		mosh "${user_host}" -- byobu attach-session
	else
		echo 'Host?'
		return 1
	fi
}

rescue_hetzner_wipe_8_8_0_init() {
	local device
	local devices=(
		'/dev/sda'
		'/dev/sdb'
	)
	local members
	local number
	local passphrase
	local unit='mib'
	# read passphrase
	echo -n 'PassPhrase: '
	read -r -s passphrase
	#
	lsblk
	echo -n 'WIPE' "${devices[@]}" '/?\ OR CANCEL /!\'
	read
	#
	number=0
	for device in "${devices[@]}"; do
		((number++))
		echo
		echo "#${number}: ${device}"
		#
		parted "${device}" \
			--script \
			mktable gpt
		#
		parted "${device}" \
			unit "${unit}" \
			mkpart "crypt-${number}" 33282 7630885
		#
		parted "${device}" \
			unit "${unit}" \
			mkpart "boot-${number}" 514 33282
		#
		parted "${device}" \
			unit "${unit}" \
			mkpart "esp-${number}" 2 514
		parted "${device}" \
			set 3 esp on
		#
		parted "${device}" \
			unit "${unit}" \
			mkpart "bios-${number}" 1 2
		parted "${device}" \
			set 4 bios_grub on
	done
	#
	number=0
	for device in "${devices[@]}"; do
		((number++))
		echo
		echo "#${number}: ${device}4"
		# wipe bios
		dd \
			if='/dev/zero' of="${device}4"
	done
	#
	number=0
	for device in "${devices[@]}"; do
		((number++))
		echo
		echo "#${number}: ${device}3"
		# format esp
		dd \
			if='/dev/zero' of="${device}3" bs='1M'
		mkfs.vfat \
			-F 32 \
			-S 4096 \
			-i "0000000${number}" \
			-n "esp-${number}" \
			"${device}3"
		# mount esp
		mkdir --parents "/media/esp/${number}"
		mount "${device}3" "/media/esp/${number}"
	done
	#
	number=0
	for device in "${devices[@]}"; do
		((number++))
		echo
		echo "#${number}: ${device}2"
		# wipe boot
		dd status='progress' \
			if='/dev/zero' of="${device}2" bs='1G' count=1
	done
	#
	members=()
	for device in "${devices[@]}"; do
		members+=("${device}2")
	done
	mdadm \
		--create '/dev/md/boot' \
		--level 0 \
		--metadata 1 \
		--name 'md:boot' \
		--raid-devices ${#devices[@]} \
		--uuid '00000000:00000000:00000000:00000002' \
		"${members[@]}"
	#
	mkfs.btrfs --force \
		--checksum 'sha256' \
		--label 'boot' \
		--uuid '00000000-0000-0000-0000-00000000000b' \
		'/dev/md/boot'
	# mount boot
	mkdir --parents '/media/boot'
	mount \
		--options 'autodefrag,compress-force=zstd' \
		'/dev/md/boot' '/media/boot'
	#
	number=0
	for device in "${devices[@]}"; do
		((number++))
		echo
		echo "#${number}: ${device}1"
		# wipe crypt head
		dd status='progress' \
			if='/dev/zero' of="${device}1" bs='1G' count=1
	done
	#
	members=()
	for device in "${devices[@]}"; do
		members+=("${device}1")
	done
	mdadm \
		--create '/dev/md/crypt' \
		--level 0 \
		--metadata 1 \
		--name 'md:crypt' \
		--raid-devices ${#devices[@]} \
		--uuid '00000000:00000000:00000000:00000001' \
		"${members[@]}"
	# encrypt
	echo "${passphrase}" |
		cryptsetup \
			--verbose \
			--batch-mode \
			--type 'luks2' \
			--pbkdf 'argon2id' \
			--cipher 'aes-xts-plain64' \
			--iter-time 8192 \
			--key-size 512 \
			--hash 'sha512' \
			--use-random \
			luksFormat \
			'/dev/md/crypt'
	# open
	echo "${passphrase}" |
		cryptsetup luksOpen '/dev/md/crypt' 'crypt'
}

rescue_hetzner_wipe_8_8_1_zero() {
	# wipe crypt
	dd status='progress' \
		if='/dev/zero' of='/dev/mapper/crypt' bs='8G'
}

rescue_hetzner_wipe_8_8_2_make() {
	local passphrase
	# close
	cryptsetup luksClose 'crypt'
	# read passphrase
	echo -n 'PassPhrase: '
	read -r -s passphrase
	# encrypt
	echo "${passphrase}" |
		cryptsetup \
			--verbose \
			--batch-mode \
			--type 'luks2' \
			--pbkdf 'argon2id' \
			--cipher 'aes-xts-plain64' \
			--iter-time 8192 \
			--key-size 512 \
			--hash 'sha512' \
			--use-random \
			luksFormat \
			'/dev/md/crypt'
	# open
	echo "${passphrase}" |
		cryptsetup luksOpen '/dev/md/crypt' 'crypt'
	# format crypt
	mkfs.btrfs --force \
		--checksum 'sha256' \
		--label 'crypt' \
		--uuid '00000000-0000-0000-0000-00000000000c' \
		'/dev/mapper/crypt'
	# mount crypt
	mkdir --parents '/media/crypt'
	mount \
		--options 'autodefrag,compress-force=zstd' \
		'/dev/mapper/crypt' '/media/crypt'
	# make swap file
	btrfs filesystem mkswapfile \
		--size '64g' \
		--uuid '00000000-0000-0000-0000-000000000005' \
		'/media/crypt/swap'
}

rescue_hetzner_wipe_8_8_3_close() {
	umount '/media/boot'
	#
	umount '/media/crypt' &&
		cryptsetup luksClose 'crypt'
}