From 4f1ef8a23115418c40635569cc3ee99c16704ce2c34480e8c2f33c5990d9f089 Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Fri, 30 May 2025 19:09:53 +0200
Subject: [PATCH] V8.02.512.2025.05.30
Signed-off-by: Marc S. Weidner
---
 .gitea/workflows/render-dnssec-status.yaml | 129 +++++++++++++++++++++
 README.md | 20 +++-
 docs/AUDIT_DNSSEC.md | 19 +++
 3 files changed, 162 insertions(+), 6 deletions(-)
 create mode 100644 .gitea/workflows/render-dnssec-status.yaml
 create mode 100644 docs/AUDIT_DNSSEC.md
diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml
new file mode 100644
index 0000000..12aa9c6
--- /dev/null
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -0,0 +1,129 @@ +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +name: Retrieve the DNSSEC status at the time of updating the repository. +kind: pipeline +type: docker + +permissions: + contents: write + +on: + push: + branches: + - master + +jobs: + build-diagrams: + runs-on: ubuntu-latest + steps: + - name: Prepare SSH Setup, SSH Deploy Key, Known Hosts, config. + run: | + rm -rf ~/.ssh + mkdir -p ~/.ssh + + ### Private Key + echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519 + chmod 600 ~/.ssh/id_ed25519 + + ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts + ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts + chmod 600 ~/.ssh/known_hosts + + ### Generate SSH Config for git.coresecret.dev Custom-Port + cat <| ~/.ssh/config + Host git.coresecret.dev + HostName git.coresecret.dev + Port 42842 + IdentityFile ~/.ssh/id_ed25519 + StrictHostKeyChecking yes + UserKnownHostsFile ~/.ssh/known_hosts + EOF + chmod 600 ~/.ssh/config + + ### https://github.com/actions/checkout/issues/1843 + - name: Use manual clone via SSH to circumvent Gitea SHA-256 object issues. + run: | + git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/plan.git . + git fetch --unshallow || echo "Nothing to fetch - already full clone." + env: + ### GITHUB_REF_NAME contains the branch name from the push event. + GITHUB_REF_NAME: ${{ github.ref_name }} + + - name: Clean workspace. 
+ run: | + git reset --hard + git clean -fd + + - name: Convert APT sources to HTTPS. + run: | + sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list + sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true + + - name: Install DNSViz. + run: | + sudo apt-get update + sudo apt-get install -y dnsviz + + - name: Import CI PGP DEPLOY ONLY Key. + run: | + ### GPG-Home relative to the Runner Workspace to avoid changing global files. + export GNUPGHOME="$(pwd)/.gnupg" + mkdir -m 700 "${GNUPGHOME}" + echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc + gpg --batch --import ci-bot.sec.asc + ### Trust the key automatically + KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}') + echo "trust-model always" >| "${GNUPGHOME}/gpg.conf" + shell: bash + + - name: Configure Git for signed CI DEPLOY commits. + run: | + export GNUPGHOME="$(pwd)/.gnupg" + git config user.name "Marc S. Weidner BOT" + git config user.email "msw+bot@coresecret.dev" + git config commit.gpgsign true + git config gpg.program gpg + git config gpg.format openpgp + + - name: Ensure docs/SECURITY/ directory exists. + run: + mkdir -p docs/SECURITY/ + + - name: Prepare DNS Cache. + run: | + sudo apt-get install -y dnsutils + dig +dnssec +multi coresecret.dev @8.8.8.8 + + - name: Retrieve Zone Dump and generate .png Visualization. + run: | + dnsviz probe -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json + dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png + + - name: Stage generated files. + run: | + git add "*.png" + env: + GIT_SSH_COMMAND: "ssh -p 42842" + + - name: Commit and Sign changes. + run: | + export GNUPGHOME="$(pwd)/.gnupg" + git commit -S -m "DEPLOY BOT: Auto-Generate DNSSEC Status [skip ci]" || echo "No Changes, nothing to Sign or to Commit." 
+ env: + GIT_SSH_COMMAND: "ssh -p 42842" + + - name: Push back to Repository. + run: | + git push origin HEAD:${GITHUB_REF_NAME} + env: + GIT_SSH_COMMAND: "ssh -p 42842" +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/README.md b/README.md index f99af68..93321ce 100644 --- a/README.md +++ b/README.md @@ -40,8 +40,16 @@ Check out more: * [CenturionMeet](https://talk.e2ee.li/) * [Contact the author](https://coresecret.eu/contact/) -> Please note: All my signing keys are contained in an HSM and the signing environment is air gapped. Next step: move to -> a room-gapped environment ^^ +> Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. +> The next step is to move to a room-gapped environment. + +Please note that `coresecret.dev` is included in the HSTS Preload list and always serves the headers: +````nginx configuration pro +add_header Expect-CT "max-age=86400, enforce" always; +add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; +```` +Additionally, the entire zone is dual-signed with DNSSEC. See the current DNSSEC status at [DNSSEC Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_DNSSEC.md) + ## 1.1. Immutable Source-of-Truth System @@ -70,11 +78,11 @@ source-defined infrastructure logic.
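Review bot: In the SSH setup step, `~/.ssh/known_hosts` is filled by `ssh-keyscan -p 42842 git.coresecret.dev` immediately before the generated config sets `StrictHostKeyChecking yes`, so the strict check only confirms that the host still presents whatever key the scan returned and gives no protection for the later clone and push if the scan itself was intercepted. Pin the expected entry instead, e.g. `echo "${{ secrets.<PINNED_KNOWN_HOSTS_ENTRY> }}" >| ~/.ssh/known_hosts` (placeholder name; the value is the host's known_hosts line recorded out of band), and drop the `ssh-keyscan` line. The same step and the PGP import step expand secrets directly into the script text (`echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}"`, `echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}"`); passing each through the step's `env:` (e.g. as `SSH_DEPLOY_KEY`) and writing `printf '%s\n' "$SSH_DEPLOY_KEY" >| ~/.ssh/id_ed25519` keeps the key material out of the rendered shell script. After `gpg --batch --import`, `ci-bot.sec.asc` and the workspace `.gnupg` are never removed (only `*.png` is staged, so they are not committed, but they stay on the runner) and `KEY_ID` is assigned but never used; add `rm -f ci-bot.sec.asc` after the import and drop the unused variable. The clone and push also target `msw/plan.git` while the SPDX header and README name `CISS.debian.live.builder`, which looks like a copy-paste remnant worth confirming, since the generated PNG would otherwise be pushed to a different repository than the one `docs/AUDIT_DNSSEC.md` lives in.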
After build and configuration, the following audit reports can be generated: * **Haveged Audit Report**: Validates entropy daemon health and confirms '/dev/random' seeding performance. - Type `chkhvg` at the prompt. See example report: [Haveged Audit Report](https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder/src/branch/master/docs/AUDIT_HAVEGED.md) + Type `chkhvg` at the prompt. See example report: [Haveged Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_HAVEGED.md) * **Lynis Audit Report**: Outputs a detailed security score and recommendations, confirming a 91%+ hardening baseline. - Type `lsadt` at the prompt. See example report: [Lynis Audit Report](https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder/src/branch/master/docs/AUDIT_LYNIS.md) + Type `lsadt` at the prompt. See example report: [Lynis Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_LYNIS.md) * **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations. - Type `ssh-audit :`. See example report: [SSH Audit Report](https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder/src/branch/master/docs/AUDIT_SSH.md) + Type `ssh-audit :`. See example report: [SSH Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_SSH.md) ## 1.2. Preview @@ -85,7 +93,7 @@ After build and configuration, the following audit reports can be generated: **The Debian Installer (d-i) will ALWAYS boot a new system.**
Regardless of whether you start it:
-* via the boot menu of your Live ISO (grub, isolinux) like **CISS.2025.debian.live.builder**,
+* via the boot menu of your Live ISO (grub, isolinux) like **CISS.debian.live.builder**,
 * via kexec in the running system,
 * via the debian-installer-launcher package,
 * or even via a graphical installer shortcut.
diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md
new file mode 100644
index 0000000..84d2d65
--- /dev/null
+++ b/docs/AUDIT_DNSSEC.md
@@ -0,0 +1,19 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
+**Master Version**: 8.02
+**Build**: V8.02.512.2025.05.30
+
+# 2. DNSSEC Status
+
+![DNSSEC Status](docs/SECURITY/coresecret.dev.png)
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+