V8.13.512.2025.11.27

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-27 23:44:42 +00:00
parent 7fc9692ce2
commit 26e22f47a5
21 changed files with 501 additions and 332 deletions
--- a/.archive/0010_dhcp_supersede.sh
+++ b/.archive/0010_dhcp_supersede.sh
@@ -0,0 +1,113 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+if [[ ! -d "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp ]]; then
+
+  mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp
+
+fi
+
+cat << 'EOF' >> "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp/dhclient.conf
+
+# Custom dhclient config to override DHCP DNS
+# dns01.eddns.eu, dns02.eddns.de, dns03.eddns.eu;
+
+supersede domain-name-servers 135.181.207.105, 89.58.62.53, 138.199.237.109;
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+
+cat << 'EOF' >> "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcpcd.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### No Global APIPA-Fallback.
+noipv4ll
+
+### A ServerID is required by RFC2131.
+require dhcp_server_identifier
+
+### Respect the network MTU. This is applied to DHCP routes.
+option interface_mtu
+
+### A list of options to request from the DHCP server.
+option host_name
+option domain_name
+option domain_search
+option rapid_commit
+
+### Most distributions have NTP support.
+option ntp_servers
+
+### Ask server to update both A and PTR via FQDN (RFC 4702 semantics).
+fqdn both
+
+###-----------------------------------------------------------------------------------------------------------------------------
+### Global defaults for all interfaces.
+#option host_name
+#option domain_name
+#option domain_search
+
+### Ask server to update both A and PTR via FQDN (RFC 4702 semantics).
+#fqdn both
+###-----------------------------------------------------------------------------------------------------------------------------
+
+### Enforce static DNS and prevent dhcpcd from writing 'resolv.conf'.
+nooption domain_name_servers
+nohook resolv.conf rdnssd
+
+### Static resolvers (IPv4).
+### (This does NOT write '/etc/resolv.conf' because of nohook above.)
+static domain_name_servers=135.181.207.105 89.58.62.53 138.199.237.109
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+
+cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/resolv.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# static /etc/resolv.conf (CISS)
+
+nameserver 135.181.207.105
+nameserver 89.58.62.53
+nameserver 138.199.237.109
+options edns0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9999_interfaces_update.chroot
+++ b/config/hooks/live/9999_interfaces_update.chroot
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -10,10 +10,6 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# TODO: 0042
-# TODO: unlock-wrapper
-# TODO: /etc/network
-
 ### Contributions so far see ./docs/CREDITS.md

 ### WHY BASH?
--- a/config/hooks/live/0100_ciss_mem_wipe.chroot
+++ b/config/hooks/live/0100_ciss_mem_wipe.chroot
@@ -44,8 +44,6 @@ fi

 cp -f "${_BUSYBOX_BIN}" "${_TMP_DIR}/bin/busybox"

-###
-
 #######################################
 # Copy required shared libs into the initramfs (if the busybox is dynamic).
 # Globals:
@@ -76,7 +74,7 @@ copy_libs() {

 copy_libs "${_BUSYBOX_BIN}"

-### Generate /init script
+### Generate '/init' script ----------------------------------------------------------------------------------------------------
 cat << 'EOF' >| "${_TMP_DIR}/init"
 #!/bin/busybox sh
 # SPDX-Version: 3.0
@@ -184,7 +182,7 @@ EOF

 chmod +x "${_TMP_DIR}/init"

-### Create the initramfs archive.
+### Create the initramfs archive -----------------------------------------------------------------------------------------------
 ( cd "${_TMP_DIR}" && find . -print0 | cpio --null -ov --format=newc ) | gzip -9 > /boot/ciss-memwipe/initrd.img

 ### Default configuration.
@@ -210,7 +208,7 @@ CISS_WIPE_TMPFS_PCT=95         # percentage of MemTotal to allocate
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF

-### Helper script
+### Helper script --------------------------------------------------------------------------------------------------------------
 cat << 'EOF' >| /usr/local/sbin/ciss-memwipe
 #!/bin/bash
 # SPDX-Version: 3.0
@@ -273,7 +271,7 @@ esac
 EOF
 chmod 0755 /usr/local/sbin/ciss-memwipe

-### Systemd service: load at boot, execute on shutdown.
+### Systemd service: load at boot, execute on shutdown. ------------------------------------------------------------------------
 cat << 'EOF' >| /etc/systemd/system/ciss-memwipe.service
 [Unit]
 Description=CISS: preload and execute kexec-based RAM wipe on shutdown
--- a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
+++ b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
@@ -22,6 +22,8 @@ declare -g PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
 ### Will be replaced at build time:
 declare -gr CDLB_DB_EXP_FPR="@EXP_FPR@"
 declare -gr CDLB_DB_EXP_CA_FPR="@EXP_CA_FPR@"
+declare -gr CDLB_MAPPER_NAME="crypt_liveiso"
+declare -gr CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"

 #######################################
 # Variable declaration
@@ -36,8 +38,6 @@ declare -r MAG='\e[0;95m'
 declare -r RED='\e[0;91m'
 declare -r RES='\e[0m'
 declare -r NL='\n'
-declare -g NUKE_ENABLED='false'
-declare -g NUKE_HASH=''
 declare -g PASSPHRASE=''

 #######################################
@@ -56,6 +56,9 @@ ask_via_stdin() {
  printf "\n" >&2
  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f ask_via_stdin

 #######################################
 # Printed text in color.
@@ -64,6 +67,9 @@ ask_via_stdin() {
 #   *: Text to print.
 #######################################
 color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "${c}" "${msg}" "${RES}" "${NL}"; return 0; }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f color_echo

 #######################################
 # Die Helper: print and then exit hard.
@@ -74,6 +80,9 @@ color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "
 #   1: Message string to print.
 #######################################
 die() { printf "%b✘ %s %b%b" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3; }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f die

 #######################################
 # Drop into the bash environment.
@@ -81,111 +90,9 @@ die() { printf "%b✘ %s %b%b" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3;
 #   None
 #######################################
 drop_bash() { stty echo 2>/dev/null || true; prompt_string; exec /bin/bash -i; }
-
-#######################################
-# Extract the 'nuke=' parameter from '/proc/cmdline'.
-# Globals:
-#   GRE
-#   NUKE_ENABLED
-#   NUKE_HASH
-#   RED
-#   REGEX
-# Arguments:
-#   None
-# Returns:
-#   0: on success
-#######################################
-extract_nuke_hash() {
-  declare     ARG="" CMDLINE=""
-
-  ### Read '/proc/cmdline' into a single line safely.
-  read -r CMDLINE < /proc/cmdline
-
-  for ARG in ${CMDLINE}; do
-
-    # shellcheck disable=SC2249
-    case "${ARG,,}" in
-
-      nuke=*)
-        NUKE_HASH="${ARG#*=}"
-        if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then
-
-          declare -g NUKE_ENABLED="true"
-          color_echo "${GRE}" "✅ System self check: [ok]"
-          return 0
-
-        else
-
-          ### If there is a malformed Grub Bootparameter 'nuke=HASH', drop to bash.
-          color_echo "${RED}" "✘ Nuke Hash Malformat : [${REGEX}] [${NUKE_HASH}]."
-          color_echo "${RED}" "✘ Dropping to bash ...:"
-          drop_bash
-
-        fi
-      ;;
-
-    esac
-
-  done
-
-  color_echo "${GRE}" "✅ No Nuke Hash found."
-
-  return 0
-}
-
-#######################################
-# Gather information of all LUKS Devices available on the system.
-# Arguments:
-#   None
-#######################################
-gather_luks_devices() {
-  declare     prev=() curr=()
-  declare -i  tries=0
-
-  while ((tries < 10)); do
-
-    # shellcheck disable=SC2312
-    mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | /usr/bin/sort -V)
-
-    if [[ "${curr[*]}" == "${prev[*]}" ]]; then
-      break
-    fi
-
-    prev=("${curr[@]}")
-    tries=$((tries + 1))
-    sleep 1
-
-  done
-
-  printf '%s\n' "${curr[@]}"
-
-  return 0
-}
-
-#######################################
-# Erase the LUKS headers on all LUKS devices, then shut down the system.
-# Globals:
-#   DEVICES_LUKS
-#   RED
-# Arguments:
-#   None
-#######################################
-nuke() {
-  declare     dev=""
-
-  for dev in "${DEVICES_LUKS[@]}"; do
-
-    cryptsetup erase --batch-mode "${dev}" || true
-    color_echo "${RED}" "✘ Error: LUKS Device Header malfunction: [${dev}]."
-
-  done
-
-  secure_unset_pass
-
-  color_echo "${RED}" "✘ Error: LUKS Device malfunction. System Power Off in 16 seconds."
-
-  power_off 16
-}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f drop_bash

 #######################################
 # Unified power-off routine.
@@ -200,6 +107,9 @@ power_off() {
  echo o >| /proc/sysrq-trigger
  ### The System powers off immediately; no further code is executed.
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f power_off

 #######################################
 # Print Error Message for Trap on 'ERR' on Terminal.
@@ -233,6 +143,9 @@ print_scr_err() {

  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f print_scr_err

 #######################################
 # Print Error Message for '0'-Exit-Code on Terminal.
@@ -242,6 +155,9 @@ print_scr_err() {
 #   None
 #######################################
 print_scr_scc() { color_echo "${GRE}" "✅ Script exited successfully. Proceeding with booting."; sleep 3; }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f print_scr_scc

 #######################################
 # Generates an informative shell prompt.
@@ -264,12 +180,13 @@ else \
 fi)\
 |~\$ "
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f prompt_string

 #######################################
 # Read the passphrase interactively.
 # Globals:
-#   NUKE_ENABLED
-#   NUKE_HASH
 #   PASSPHRASE
 # Arguments:
 #   None
@@ -277,31 +194,13 @@ fi)\
 #   0: on success
 #######################################
 read_passphrase() {
-  declare -i  ROUNDS=0
-  declare     CAND="" SALT=""
-
  ### Read from SSH STDIN (or TTY fallback), never via '/lib/cryptsetup/askpass'.
  ask_via_stdin "Enter passphrase: " PASSPHRASE
-
-  ### NUKE pre-check.
-  if [[ "${NUKE_ENABLED,,}" == "true" ]]; then
-
-    ROUNDS="$(cut -d'$' -f3 <<< "${NUKE_HASH}")"
-    ROUNDS="${ROUNDS#rounds=}"
-    SALT="$(cut -d'$' -f4 <<< "${NUKE_HASH}")"
-    CAND=$(/usr/mkpasswd --method=sha-512 --salt="${SALT}" --rounds="${ROUNDS}" "${PASSPHRASE}")
-
-    ### NUKE final check.
-    if [[ "${CAND}" == "${NUKE_HASH}" ]]; then
-
-      nuke
-
-    fi
-
-  fi
-
  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f read_passphrase

 #######################################
 # Securely unset the 'PASSPHRASE'-variable.
@@ -311,6 +210,9 @@ read_passphrase() {
 #   None
 #######################################
 secure_unset_pass() { unset PASSPHRASE; PASSPHRASE=""; return 0; }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f secure_unset_pass

 #######################################
 # Trap function to be called on 'ERR'.
@@ -334,6 +236,9 @@ trap_on_err() {
  print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
  power_off 16
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f trap_on_err

 #######################################
 # Security Trap on 'EXIT'.
@@ -346,6 +251,9 @@ trap_on_exit() {
  trap - ERR EXIT INT TERM
  [[ "${ERRTRAP,,}" == "false" ]] && print_scr_scc
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f trap_on_exit

 #######################################
 # Security Trap on 'INT' and 'TERM' to provide a deterministic way to not circumvent the nuke routine.
@@ -362,6 +270,9 @@ trap_on_term() {
  color_echo "${RED}" "✘ Received termination signal. System Power Off in 3 seconds."
  power_off 3
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f trap_on_term

 #######################################
 # Check the integrity and authenticity of this script itself.
@@ -382,13 +293,13 @@ verify_script() {

  for item in "${algo[@]}"; do

-    hashfile="${dir}/${script}.${item}sum.txt"
+    hashfile="${dir}/${script}.sha${item}sum.txt"
    sigfile="${hashfile}.sig"
    cmd="${item}sum"

    color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]"

-    if ! gpgv --keyring /etc/ciss/keys/"${sigfile}".gpg "${sigfile}" "${hashfile}"; then
+    if ! gpgv --keyring "/etc/ciss/keys/${CDLB_DB_EXP_FPR}.gpg" "${sigfile}" "${hashfile}"; then

      color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
      color_echo "${RED}" "✘ System Power Off in 3 seconds."
@@ -423,6 +334,9 @@ verify_script() {
  color_echo "${GRE}" "🔏 All signatures and hashes verified successfully. Proceeding."
  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f verify_script

 #######################################
 # Main Program Sequence.
@@ -438,6 +352,8 @@ verify_script() {
 #   None
 #######################################
 main() {
+  declare PASS="" COUNTER=0 PASS_SENT=0 WAIT_LOOP=0
+
  exec 1>&2

  trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
@@ -454,44 +370,62 @@ main() {
  color_echo "${MAG}" "Integrity self-check ..."
  verify_script

-  ### Read newline-separated output into an array.
+  while :; do
+
+    if [[ -b "${CDLB_MAPPER_DEV}" ]]; then
+
+      secure_unset_pass
+      printf "%b" "${NL}"
+      color_echo "${GRE}" "CISS LUKS Container successfully opened. Closing dropbear connection in 3 seconds."
+      sleep 3
+      exit 0
+
+    fi
+
+    if [[ "${COUNTER}" -eq 3 ]]; then
+
+      secure_unset_pass
+      break
+
+    fi
+
+    if [[ "${PASS_SENT}" -eq 0 ]]; then
+
+      # shellcheck disable=SC2310
+      read_passphrase || continue
+
+      printf '%s\n' "${PASSPHRASE}" >| /lib/cryptsetup/passfifo 2>/dev/null || :
+
+      PASS_SENT=1
+      WAIT_LOOP=0
+
+    else
+
+      WAIT_LOOP=$((WAIT_LOOP + 1))
+      COUNTER=$((COUNTER + 1))
+
+      if [[ "${WAIT_LOOP}" -ge 160 ]]; then
+
+        color_echo "${GRE}" "Please try again"
+
+        PASS_SENT=0
+        WAIT_LOOP=0
+
+      fi
+
+    fi
+
+    sleep 0.1
+
+  done
+
  printf "%b" "${NL}"
-  color_echo "${MAG}" "Scanning for LUKS devices ..."
-  # shellcheck disable=SC2312
-  mapfile -t DEVICES_LUKS < <(gather_luks_devices)
-
-  ### If there are no LUKS devices at all, drop to bash.
-  if (( ${#DEVICES_LUKS[@]} == 0 )); then
-    printf "%b" "${NL}"
-    color_echo "${RED}" "✘ No LUKS Devices found. Dropping to bash ..."
-    drop_bash
-  fi
-
-  ### Extract the 'nuke='-parameter from '/proc/cmdline'.
-  printf "%b" "${NL}"
-  extract_nuke_hash
-
-  ### Read passphrase interactively.
-  read_passphrase
-
-  if printf "%s" "${PASSPHRASE}" | cryptroot-unlock; then
-
-    secure_unset_pass
-    exit 0
-
-  else
-
-    secure_unset_pass
-
-    printf "%b" "${NL}"
-    color_echo "${RED}" "✘ Unsuccessful command 'cryptroot-unlock'."
-    color_echo "${GRE}" "  No LUKS operations performed. Dropping to bash ..."
-    color_echo "${GRE}" "  To unlock 'root' partition, and maybe others like '/home', run 'cryptroot-unlock'."
-
-    drop_bash
-
-  fi
+  color_echo "${GRE}" "No LUKS operations successful. Dropping to bash ..."
+  drop_bash
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f main

 main "${@}"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/etc/modprobe.d/30-cendev-hardening.conf
+++ b/config/includes.chroot/etc/modprobe.d/30-cendev-hardening.conf
@@ -1,3 +1,5 @@
+# bashsupport disable=BP5007
+
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
--- a/config/includes.chroot/etc/resolv.conf
+++ b/config/includes.chroot/etc/resolv.conf
@@ -0,0 +1,16 @@
+# bashsupport disable=BP5007
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-26; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+ln -s /run/systemd/resolve/stub-resolv.conf /run/systemd/resolve/stub-resolv.conf
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/systemd/network/90-ciss-ethernet.network
+++ b/config/includes.chroot/etc/systemd/network/90-ciss-ethernet.network
@@ -9,9 +9,28 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+[Match]
+Type=ether
+
 [Network]
 DHCP=yes
+DNSOverTLS=opportunistic
+DNSSEC=yes
+IPv6AcceptRA=yes
 LinkLocalAddressing=ipv6

+[DHCPv4]
+RoutesToDNS=no
+UseDNS=yes
+UseDomains=no
+UseHostname=no
+UseNTP=no
+
+[DHCPv6]
+RoutesToDNS=no
+UseDNS=yes
+UseDomains=no
+UseHostname=no
+UseNTP=no

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/usr/.keep
+++ b/config/includes.chroot/usr/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
--- a/config/includes.chroot/usr/lib/.keep
+++ b/config/includes.chroot/usr/lib/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
--- a/config/includes.chroot/usr/lib/live/.keep
+++ b/config/includes.chroot/usr/lib/live/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
--- a/config/includes.chroot/usr/lib/systemd/.keep
+++ b/config/includes.chroot/usr/lib/systemd/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
--- a/config/includes.chroot/usr/lib/systemd/system-preset/90-ciss-networkd.preset
+++ b/config/includes.chroot/usr/lib/systemd/system-preset/90-ciss-networkd.preset
@@ -0,0 +1,19 @@
+# bashsupport disable=BP5007
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-26; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+enable systemd-networkd.service
+enable systemd-resolved.service
+disable networking.service
+disable NetworkManager.service
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/usr/share/.keep
+++ b/config/includes.chroot/usr/share/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
--- a/config/includes.chroot/usr/share/initramfs-tools/.keep
+++ b/config/includes.chroot/usr/share/initramfs-tools/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
--- a/config/includes.chroot/usr/share/initramfs-tools/scripts/.keep
+++ b/config/includes.chroot/usr/share/initramfs-tools/scripts/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -13,9 +13,16 @@ include_toc: true
 # 2. Changelog

 ## V8.13.512.2025.11.27
+* **Global**: Unified network management via ``systemd-networkd``
 * **Global**: Transition of license agreements to: 
  * [CCLA-1.1.txt](LICENSES/CCLA-1.1.txt)
  * [CNCL-1.1.txt](LICENSES/CNCL-1.1.txt)
+* **Added**: [resolv.conf](../config/includes.chroot/etc/resolv.conf)
+* **Added**: [90-ciss-ethernet.network](../config/includes.chroot/etc/systemd/network/90-ciss-ethernet.network)
+* **Added**: [90-ciss-networkd.preset](../config/includes.chroot/usr/lib/systemd/system-preset/90-ciss-networkd.preset)
+* **Changed**: [unlock_wrapper.sh](../config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh)
+* **Changed**: [lib_provider_netcup.sh](../lib/lib_provider_netcup.sh)
+* **Changed**: [0010_dhcp_supersede.sh](../scripts/0010_dhcp_supersede.sh)

 ## V8.13.512.2025.11.26
 * **Global**: Final adjustments for LUKS dm-integrity integration
@@ -268,7 +275,7 @@ include_toc: true
 * **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh)
 * **Updated**: [9980_usb_guard.chroot](../config/hooks/live/9980_usb_guard.chroot)
 * **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot)
-* **Updated**: [9999_interfaces_update.chroot](../config/hooks/live/9999_interfaces_update.chroot)
+* **Updated**: [9999_interfaces_update.chroot](../.archive/9999_interfaces_update.chroot)
 * **Updated**: [lib_cdi.sh](../lib/lib_cdi.sh) Unified Kernel bootparameter.
 * **Updated**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh) Unified Kernel bootparameter.
 * **Updated**: [lib_run_analysis.sh](../lib/lib_run_analysis.sh)
--- a/docs/LICENSES/EUPL-1.2.spdx
+++ b/docs/LICENSES/EUPL-1.2.spdx
@@ -0,0 +1,4 @@
+SPDX-License-Identifier: EUPL-1.2
+SPDX-FileCopyrightText: European Union 2007, 2016
+
+The full license text can be found at: https://eupl.eu/1.2/en/ or in the same directory: EUPL-1.2.txt
--- a/docs/LICENSES/EUPL-1.2.txt
+++ b/docs/LICENSES/EUPL-1.2.txt
@@ -2,14 +2,14 @@

 EUPL-1.2

-EUROPEAN UNION PUBLIC LICENCE v. 1.2
+EUROPEAN UNION PUBLIC LICENSE v. 1.2
 EUPL © the European Union 2007, 2016

-This European Union Public Licence (the 'EUPL') applies to the Work (as defined below) which is provided under the
-terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such
+This European Union Public License (the 'EUPL') applies to the Work (as defined below) which is provided under the
+terms of this License. Any use of the Work, other than as authorized under this License is prohibited (to the extent such
 a use is covered by a right of the copyright holder of the Work).

-The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following
+The Work is provided under the terms of this License when the Licensor (as defined below) has placed the following
 notice immediately following the copyright notice for the Work:

                          Licensed under the EUPL
@@ -18,16 +18,16 @@ or has expressed by any other means his willingness to license under the EUPL.

 1.Definitions

-In this Licence, the following terms have the following meaning:
+In this License, the following terms have the following meaning:

-— 'The Licence':this Licence.
+— 'The License':this License.

-— 'The Original Work':the work or software distributed or communicated by the Licensor under this Licence, available
+— 'The Original Work':the work or software distributed or communicated by the Licensor under this License, available
 as Source Code and also as Executable Code as the case may be.

 — 'Derivative Works':the works or software that could be created by the Licensee, based upon the Original Work or
-modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work
-required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in
+modifications thereof. This License does not define the extent of modification or dependence on the Original Work
+required to classify a work as a Derivative Work; this extent is determined by copyright law applicable in
 the country mentioned in Article 15.

 — 'The Work':the Original Work or its Derivative Works.
@@ -38,21 +38,21 @@ modify.
 — 'The Executable Code':any code, which has generally been compiled and, which is meant to be interpreted by
 a computer as a program.

-— 'The Licensor':the natural or legal person that distributes or communicates the Work under the Licence.
+— 'The Licensor':the natural or legal person that distributes or communicates the Work under the License.

-— 'Contributor(s)':any natural or legal person who modifies the Work under the Licence, or otherwise contributes to
+— 'Contributor(s)':any natural or legal person who modifies the Work under the License, or otherwise contributes to
 the creation of a Derivative Work.

 — 'The Licensee' or 'You':any natural or legal person who makes any usage of the Work under the terms of the
-Licence.
+License.

 — 'Distribution' or 'Communication':any act of selling, giving, lending, renting, distributing, communicating,
 transmitting, or otherwise making available, online, or offline, copies of the Work or providing access to its essential
 functionalities at the disposal of any other natural or legal person.

-2.Scope of the rights granted by the Licence
+2.Scope of the rights granted by the License

-The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for
+The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable license to do the following, for
 the duration of copyright vested in the Original Work:

 — use the Work in any circumstances and for all usage,
@@ -74,10 +74,10 @@ Those rights can be exercised on any media, supports, and formats, whether now k
 applicable law permits so.

 In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed
-by law in order to make effective the licence of the economic rights here above listed.
+by law to make effective the license of the economic rights here above listed.

 The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the
-extent necessary to make use of the rights granted on the Work under this Licence.
+extent necessary to make use of the rights granted on the Work under this License.

 3.Communication of the Source Code

@@ -89,7 +89,7 @@ distribute or communicate the Work.

 4.Limitations on copyright

-Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the
+Nothing in this License is intended to deprive the Licensee of the benefits from any exception or limitation to the
 exclusive rights of the rights owners in the Work, to the exhaustion of those rights or of other applicable limitations
 thereto.

@@ -98,57 +98,57 @@ thereto.
 The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those
 obligations are the following:

-Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to
-the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices, and a copy of the
-Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work
+Attribution right: The Licensee shall keep intact all copyright, patent, or trademarks notices and all notices that refer to
+the License and to the disclaimer of warranties. The Licensee must include a copy of such notices, and a copy of the
+License with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work
 to carry prominent notices stating that the Work has been modified and the date of modification.

 Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this
-Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless
-the Original Work is expressly distributed only under this version of the Licence — for example, by communicating
-'EUPL v. 1.2 only'. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the
-Work or Derivative Work that alter or restrict the terms of the Licence.
+Distribution or Communication will be done under the terms of this License or of a later version of this License unless
+the Original Work is expressly distributed only under this version of the License — for example, by communicating
+'EUPL v. 1.2 only.' The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the
+Work or Derivative Work that alter or restrict the terms of the License.

 Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both
-the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done
-under the terms of this Compatible Licence. For the sake of this clause, 'Compatible Licence' refers to the licences listed
-in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with
-his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail.
+the Work and another work licensed under a Compatible License, this Distribution or Communication can be done
+under the terms of this Compatible License. For the sake of this clause, 'Compatible License' refers to the licenses listed
+in the appendix attached to this License. Should the Licensee's obligations under the Compatible License conflict with
+his/her obligations under this License, the obligations of the Compatible License shall prevail.

 The provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide
 a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available
 for as long as the Licensee continues to distribute or communicate the Work.
-Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names
+Legal Protection: This License does not grant permission to use the trade names, trademarks, service marks, or names
 of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and
 reproducing the content of the copyright notice.

 6.Chain of Authorship

 The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or
-licensed to him/her and that he/she has the power and authority to grant the Licence.
+licensed to him/her and that he/she has the power and authority to grant the License.

 Each Contributor warrants that the copyright in the modifications he/she brings to the Work is owned by him/her or
-licensed to him/her and that he/she has the power and authority to grant the Licence.
+licensed to him/her and that he/she has the power and authority to grant the License.

-Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions
-to the Work, under the terms of this Licence.
+Each time You accept the License, the original Licensor and subsequent Contributors grant You a license to their contributions
+to the Work, under the terms of this License.

 7.Disclaimer of Warranty

 The Work is a work in progress, which is continuously improved by numerous Contributors. It is not finished work
 and may therefore contain defects or 'bugs' inherent to this type of development.

-For the above reason, the Work is provided under the Licence on an 'as is' basis and without warranties of any kind
+For the above reason, the Work is provided under the License on an 'as is' basis and without warranties of any kind
 concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or
 errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this
-Licence.
+License.

-This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work.
+This disclaimer of warranty is an essential part of the License and a condition for the grant of any rights to the Work.

 8.Disclaimer of Liability

 Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be
-liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the
+liable for any direct or indirect, material or moral, damages of any kind, arising out of the License or of the use of the
 Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss
 of data, or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However,
 the Licensor will be liable under statutory product liability laws as far as such laws apply to the Work.
@@ -156,51 +156,51 @@ the Licensor will be liable under statutory product liability laws as far as suc
 9.Additional agreements

 While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services
-consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole
+consistent with this License. However, if accepting obligations, You may act only on your own behalf and on your sole
 responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify,
 defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such a Contributor by
 the fact You have accepted any warranty or additional liability.

-10.Acceptance of the Licence
+10.Acceptance of the License

-The provisions of this Licence can be accepted by clicking on an icon 'I agree' placed under the bottom of a window
-displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of
-applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms
+The provisions of this License can be accepted by clicking on an icon 'I agree' placed under the bottom of a window
+displaying the text of this License or by affirming consent in any other similar way, in accordance with the rules of
+applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this License and all of its terms
 and conditions.

-Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You
-by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution
+Similarly, you irrevocably accept this License and all of its terms and conditions by exercising any rights granted to You
+by Article 2 of this License, such as the use of the Work, the creation by You of a Derivative Work or the Distribution
 or Communication by You of the Work or copies thereof.

 11.Information to the public

 In case of any Distribution or Communication of the Work by means of electronic communication by You (for example,
 by offering to download the Work from a remote location) the distribution channel or media (for example, a website)
-must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence,
+must at least provide to the public the information requested by the applicable law regarding the Licensor, the License,
 and the way it may be accessible, concluded, stored, and reproduced by the Licensee.

-12.Termination of the Licence
+12.Termination of the License

-The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms
-of the Licence.
+The License and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms
+of the License.

-Such a termination will not terminate the licences of any person who has received the Work from the Licensee under
-the Licence, provided such persons remain in full compliance with the Licence.
+Such a termination will not terminate the licenses of any person who has received the Work from the Licensee under
+the License, provided such persons remain in full compliance with the License.

 13.Miscellaneous

-Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the
+Without prejudice of Article 9 above, the License represents the complete agreement between the Parties as to the
 Work.

-If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or
-enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid
+If any provision of the License is invalid or unenforceable under applicable law, this will not affect the validity or
+enforceability of the License as a whole. Such provision will be construed or reformed so as necessary to make it valid
 and enforceable.

-The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of
-the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence.
-New versions of the Licence will be published with a unique version number.
+The European Commission may publish other linguistic versions or new versions of this License or updated versions of
+the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the License.
+New versions of the License will be published with a unique version number.

-All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take
+All linguistic versions of this License, approved by the European Commission, have identical value. Parties can take
 advantage of the linguistic version of their choice.

 14.Jurisdiction
@@ -218,16 +218,16 @@ the exclusive jurisdiction of the competent court where the Licensor resides or

 Without prejudice to specific agreement between parties,

-— this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat,
+— this License shall be governed by the law of the European Union Member State where the Licensor has his seat,
 resides, or has his registered office

-— this licence shall be governed by Belgian law if the Licensor has no seat, residence, or registered office inside
+— this license shall be governed by Belgian law if the Licensor has no seat, residence, or registered office inside
 a European Union Member State.


                                                         Appendix

-'Compatible Licences' according to Article 5 EUPL are:
+'Compatible Licenses' according to Article 5 EUPL are:

 — GNU General Public License (GPL) v. 2, v. 3

@@ -239,18 +239,18 @@ a European Union Member State.

 — CeCILL v. 2.0, v. 2.1

-— Mozilla Public Licence (MPL) v. 2
+— Mozilla Public License (MPL) v. 2

-— GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3
+— GNU Lesser General Public License (LGPL) v. 2.1, v. 3

 — Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software

-— European Union Public Licence (EUPL) v. 1.1, v. 1.2
+— European Union Public License (EUPL) v. 1.1, v. 1.2

-— Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+).
+— Québec Free and Open-Source License — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+).

-The European Commission may update this Appendix to later versions of the above licences without producing
-a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the
+The European Commission may update this Appendix to later versions of the above licenses without producing
+a new version of the EUPL, as long as they provide the rights granted in Article 2 of this License and protect the
 covered Source Code from exclusive appropriation.

-All other changes or additions to this Appendix require the production of a new EUPL version.
+All other changes or additions to this Appendix require the production of a new EUPL version.
--- a/lib/lib_provider_netcup.sh
+++ b/lib/lib_provider_netcup.sh
@@ -32,23 +32,57 @@ provider_netcup() {

    declare handler_netcup_ipv6_string="${ARY_HANDLER_NETCUP_IPV6[*]}"

-    mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d
+    mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/network

-    cat << EOF >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d/99-netcup-static
-### Static IPv6 Address for Netcup Root Server
-iface ens3 inet6 static
-    address ${handler_netcup_ipv6_string}/128
-    ### dns01.eddns.eu dns02.eddns.de dns03.eddns.eu
-    dns-nameservers 2a01:4f9:c012:a813:135:181:207:105 2a0a:4cc0:1:e6:89:58:62:53 2a01:4f8:c013:8011:138:199:237:109
-    gateway fe80::1
+    cat << EOF >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/network/10-netcup-ens3.network
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-27; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu

-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+[Match]
+Name=ens3
+
+[Network]
+DHCP=ipv4
+DNS=135.181.207.105
+DNS=89.58.62.53
+DNS=138.199.237.109
+DNS=2a01:4f9:c012:a813:135:181:207:105
+DNS=2a0a:4cc0:1:e6:89:58:62:53
+DNS=2a01:4f8:c013:8011:138:199:237:109
+DNSOverTLS=opportunistic
+DNSSEC=yes
+IPv6AcceptRA=no
+LinkLocalAddressing=ipv6
+
+[Address]
+Address=${handler_netcup_ipv6_string}/128
+
+[Route]
+Gateway=fe80::1
+GatewayOnLink=yes
+
+[DHCPv4]
+UseDNS=no
+UseDomains=no
+RoutesToDNS=no
+UseNTP=no
+UseHostname=no
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF

-    sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot"
-    rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
-    cp "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
-    chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
+    #sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot"
+    #rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
+    #cp "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
+    #chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"

    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

--- a/scripts/0010_dhcp_supersede.sh
+++ b/scripts/0010_dhcp_supersede.sh
@@ -13,26 +13,15 @@ set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

-if [[ ! -d "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp ]]; then
+if [[ ! -d "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/network ]]; then

-  mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp
+  mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/network

 fi

-cat << 'EOF' >> "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp/dhclient.conf
-
-# Custom dhclient config to override DHCP DNS
-# dns01.eddns.eu, dns02.eddns.de, dns03.eddns.eu;
-
-supersede domain-name-servers 135.181.207.105, 89.58.62.53, 138.199.237.109;
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
-EOF
-
-
-cat << 'EOF' >> "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcpcd.conf
+cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/network/90-ciss-ethernet.network
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-11-26; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -42,67 +31,35 @@ cat << 'EOF' >> "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcpcd.con
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### No Global APIPA-Fallback.
-noipv4ll
+[Match]
+Type=ether

-### A ServerID is required by RFC2131.
-require dhcp_server_identifier
+[Network]
+DHCP=yes
+DNS=135.181.207.105
+DNS=89.58.62.53
+DNS=138.199.237.109
+DNS=2a01:4f9:c012:a813:135:181:207:105
+DNS=2a0a:4cc0:1:e6:89:58:62:53
+DNS=2a01:4f8:c013:8011:138:199:237:109
+DNSOverTLS=opportunistic
+DNSSEC=yes
+IPv6AcceptRA=yes
+LinkLocalAddressing=ipv6

-### Respect the network MTU. This is applied to DHCP routes.
-option interface_mtu
+[DHCPv4]
+RoutesToDNS=no
+UseDNS=no
+UseDomains=no
+UseHostname=no
+UseNTP=no

-### A list of options to request from the DHCP server.
-option host_name
-option domain_name
-option domain_search
-option rapid_commit
-
-### Most distributions have NTP support.
-option ntp_servers
-
-### Ask server to update both A and PTR via FQDN (RFC 4702 semantics).
-fqdn both
-
-###-----------------------------------------------------------------------------------------------------------------------------
-### Global defaults for all interfaces.
-#option host_name
-#option domain_name
-#option domain_search
-
-### Ask server to update both A and PTR via FQDN (RFC 4702 semantics).
-#fqdn both
-###-----------------------------------------------------------------------------------------------------------------------------
-
-### Enforce static DNS and prevent dhcpcd from writing 'resolv.conf'.
-nooption domain_name_servers
-nohook resolv.conf rdnssd
-
-### Static resolvers (IPv4).
-### (This does NOT write '/etc/resolv.conf' because of nohook above.)
-static domain_name_servers=135.181.207.105 89.58.62.53 138.199.237.109
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
-EOF
-
-
-cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/resolv.conf
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-# static /etc/resolv.conf (CISS)
-
-nameserver 135.181.207.105
-nameserver 89.58.62.53
-nameserver 138.199.237.109
-options edns0
+[DHCPv6]
+RoutesToDNS=no
+UseDNS=no
+UseDomains=no
+UseHostname=no
+UseNTP=no

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF