diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml index 4338d20..ce18224 100644 --- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml +++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml @@ -10,6 +10,6 @@ # SPDX-Security-Contact: security@coresecret.eu build: - counter: 1024 + counter: 1023 version: V8.13.032.2025.10.03 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml index 7015744..a37376a 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml 
@@ -94,49 +94,6 @@ jobs: git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git . git fetch --unshallow || echo "Nothing to fetch - already full clone." - - name: 🔧 Render live hook with secrets. - shell: bash - working-directory: ${{ github.workspace }} - env: - ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }} - ED25519_PUB: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }} - RSA_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }} - RSA_PUB: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }} - run: | - set -Ceuo pipefail - umask 077 - - REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)" - - TPL="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot.tmpl" - OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot" - - if [[ ! -f "$TPL" ]]; then - echo "Template not found: $TPL" - echo "::group::Tree of config/hooks/live" - ls -la "$REPO_ROOT/config/hooks/live" || true - echo "::endgroup::" - exit 2 - fi - - export ED25519_PRIV="${ED25519_PRIV//$'\r'/}" - export ED25519_PUB="${ED25519_PUB//$'\r'/}" - export RSA_PRIV="${RSA_PRIV//$'\r'/}" - export RSA_PUB="${RSA_PUB//$'\r'/}" - - perl -0777 -pe ' - BEGIN{ - $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB}; - $rsa=$ENV{RSA_PRIV}; $rsapub=$ENV{RSA_PUB}; - } - s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g; - s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g; - s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g; - s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g; - ' "$TPL" > "$OUT" - - chmod 0755 "${OUT}" - echo "Hook rendered: ${OUT}" - name: 🛠️ Cleaning the workspace. shell: bash 
@@ -181,6 +138,50 @@ jobs: echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys + - name: 🔧 Render live hook with secrets. + shell: bash + working-directory: ${{ github.workspace }} + env: + ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }} + ED25519_PUB: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }} + RSA_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }} + RSA_PUB: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }} + run: | + set -Ceuo pipefail + umask 077 + + REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)" + + TPL="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot.tmpl" + OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot" + + if [[ ! -f "$TPL" ]]; then + echo "Template not found: $TPL" + echo "::group::Tree of config/hooks/live" + ls -la "$REPO_ROOT/config/hooks/live" || true + echo "::endgroup::" + exit 2 + fi + + export ED25519_PRIV="${ED25519_PRIV//$'\r'/}" + export ED25519_PUB="${ED25519_PUB//$'\r'/}" + export RSA_PRIV="${RSA_PRIV//$'\r'/}" + export RSA_PUB="${RSA_PUB//$'\r'/}" + + perl -0777 -pe ' + BEGIN{ + $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB}; + $rsa=$ENV{RSA_PRIV}; $rsapub=$ENV{RSA_PUB}; + } + s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g; + s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g; + s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g; + s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g; + ' "$TPL" > "$OUT" + + chmod 0755 "$OUT" + echo "Hook rendered: $OUT" + - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ... shell: bash working-directory: ${{ github.workspace }} 
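Review bot: `' "$TPL" > "$OUT"` at the end of the perl call runs under `set -Ceuo pipefail`, and `-C` (noclobber) makes that redirect fail whenever `$OUT` already exists, while the step just above this one writes its files with `>|` for exactly that reason; use `>| "$OUT"` here too, or `rm -f "$OUT"` before rendering, so a leftover hook from an earlier run does not abort the job. The rendered hook holds four SSH host keys, two of them private, yet `chmod 0755 "$OUT"` makes it world-readable on the runner right after `umask 077` created it as 0600; `chmod 0700 "$OUT"` should suffice if live-build copies hooks into the chroot as root, which is worth confirming before changing it. The steps list this step belongs to starts and ends outside the hunk.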
@@ -202,8 +203,9 @@ jobs: --trixie REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)" - OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot" - rm -f "${OUT}" + OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot" + rm -f "$OUT" + echo "Hook removed: $OUT" - name: 📥 Checking Centurion Cloud for existing LIVE ISOs. shell: bash diff --git a/lib/lib_hardening_ultra.sh b/lib/lib_hardening_ultra.sh index fdafe6f..e27a451 100644 --- a/lib/lib_hardening_ultra.sh +++ b/lib/lib_hardening_ultra.sh @@ -175,9 +175,11 @@ hardening_ultra() { if [[ "${VAR_SSHFP}" == "true" ]]; then rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9930_hardening_ssh.chroot" + rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot.tmpl" else + rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot" rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot.tmpl" fi
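Review bot: `rm -f "$OUT"` and the new `echo "Hook removed: $OUT"` sit at the tail of the builder step, so they only run when the live-build invocation ending in `--trixie` succeeds; if that command fails or the job is cancelled, the rendered `9935_hardening_ssh.chroot` with the embedded private host keys stays in the workspace. Removal of a file containing secrets should live in its own step guarded by `if: always()`, which Gitea/GitHub Actions run on failure and cancellation as well; the in-step `rm -f` can stay as an early cleanup. The body of the builder step starts outside the hunk, so whether `set -e` is active there is inferred, not visible.
```yaml
      - name: Remove rendered live hook.
        if: always()
        shell: bash
        working-directory: ${{ github.workspace }}
        run: |
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          rm -f "$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
```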
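Review bot: In the `VAR_SSHFP == "true"` branch the added `rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"` deletes the template without checking that the rendered `9935_hardening_ssh.chroot` is actually present, so a build where the CI render step did not run (a local invocation, or the step skipped or failed) continues with neither the 9930 nor the 9935 SSH hardening hook and produces an unhardened image without any error. A guard ahead of the removals, `[[ -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot" ]] || { echo "9935_hardening_ssh.chroot has not been rendered" >&2; return 1; }`, turns that into a visible failure; adjust `return 1` to whatever error path `hardening_ultra()` already uses. `hardening_ultra()` starts and ends outside the hunk.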