From 53642d61158520d7dfef9f9aa4244d103fe56f4c748e9969c25c2040807ea046 Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Sat, 4 Oct 2025 05:33:30 +0100 Subject: [PATCH] V8.13.032.2025.10.03 Signed-off-by: Marc S. Weidner --- .../workflows/generate_PRIVATE_trixie_0.yaml | 84 +++++++++++-------- .../workflows/generate_PRIVATE_trixie_1.yaml | 1 - scripts/9000-cdi-starter | 10 ++- 3 files changed, 56 insertions(+), 39 deletions(-) diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml index a5c9f2d..8b3f2f9 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml 
@@ -94,40 +94,6 @@ jobs: git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git . git fetch --unshallow || echo "Nothing to fetch - already full clone." - - name: ๐Ÿ”ง Render live hook with secrets. - shell: bash - env: - ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }} - ED25519_PUB: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }} - RSA_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }} - RSA_PUB: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }} - run: | - set -Ceuo pipefail - umask 077 - - tmpl="CISS.debian.live.builder/config/hooks/live/9935_hardening_ssh.chroot.tmpl" - out="CISS.debian.live.builder/config/hooks/live/9935_hardening_ssh.chroot" - - test -f "${tmpl}" - - perl -0777 -pe ' - BEGIN { - $ed = $ENV{ED25519_PRIV}; - $edpub = $ENV{ED25519_PUB}; - $rsa = $ENV{RSA_PRIV}; - $rsapub = $ENV{RSA_PUB}; - } - s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g; - s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g; - s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g; - s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g; - ' "$tmpl" >| "$out" - - grep -q "ssh_host_ed25519_key" "${out}" - grep -q "ssh_host_rsa_key" "${out}" - - chmod 0755 "${out}" - - name: ๐Ÿ› ๏ธ Cleaning the workspace. shell: bash run: | 
@@ -171,8 +137,53 @@ jobs: echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys + - name: ๐Ÿ”ง Render live hook with secrets. + shell: bash + working-directory: ${{ github.workspace }} + env: + ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }} + ED25519_PUB: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }} + RSA_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }} + RSA_PUB: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }} + run: | + set -Ceuo pipefail + umask 077 + + REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)" + + TPL="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot.tmpl" + OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot" + + if [[ ! -f "$TPL" ]]; then + echo "Template not found: $TPL" + echo "::group::Tree of config/hooks/live" + ls -la "$REPO_ROOT/config/hooks/live" || true + echo "::endgroup::" + exit 2 + fi + + export ED25519_PRIV="${ED25519_PRIV//$'\r'/}" + export ED25519_PUB="${ED25519_PUB//$'\r'/}" + export RSA_PRIV="${RSA_PRIV//$'\r'/}" + export RSA_PUB="${RSA_PUB//$'\r'/}" + + perl -0777 -pe ' + BEGIN{ + $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB}; + $rsa=$ENV{RSA_PRIV}; $rsapub=$ENV{RSA_PUB}; + } + s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g; + s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g; + s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g; + s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g; + ' "$TPL" > "$OUT" + + chmod 0755 "$OUT" + echo "Hook rendered: $OUT" + - name: ๐Ÿ› ๏ธ Starting CISS.debian.live.builder. This may take a while ... shell: bash + working-directory: ${{ github.workspace }} run: | set -euo pipefail chmod 0755 ciss_live_builder.sh 
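Review bot: The moved render step lost the two `grep -q` post-render sanity checks the old step had, and nothing now verifies the four secrets were actually set, so an unset secret renders a hook that installs empty host keys without failing the job. Before the `perl` call I would add `for v in ED25519_PRIV ED25519_PUB RSA_PRIV RSA_PUB; do : "${!v:?secret $v is empty}"; done`, and after it `! grep -q '{{[[:space:]]*secrets\.' "$OUT"` to catch an unreplaced placeholder. The `umask 077` is undone by the final `chmod 0755 "$OUT"`, which makes a file holding private host keys world-readable on the runner; if live-build executes hooks as root, `chmod 0700` should suffice — worth confirming against the builder. Note also that `>` replaced the old `>|`, so under `set -C` the step fails if `$OUT` survived an earlier run. The enclosing job starts outside this hunk.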
@@ -193,6 +204,11 @@ jobs: --sshfp \ --trixie + REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)" + OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot" + rm -f "$OUT" + echo "Hook removed: $OUT" + - name: ๐Ÿ“ฅ Checking Centurion Cloud for existing LIVE ISOs. shell: bash env: diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml index a37376a..dce2d43 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml @@ -94,7 +94,6 @@ jobs: git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git . git fetch --unshallow || echo "Nothing to fetch - already full clone." - - name: ๐Ÿ› ๏ธ Cleaning the workspace. shell: bash run: | diff --git a/scripts/9000-cdi-starter b/scripts/9000-cdi-starter index 2c1f630..41e6aa3 100644 --- a/scripts/9000-cdi-starter +++ b/scripts/9000-cdi-starter @@ -12,17 +12,19 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" -# sleep 1 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log -printf "CISS.debian.installer Master V8.13.032.2025.10.03 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log +printf "CISS.debian.installer Master V8.13.032.2025.10.03 is up! \n" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then + chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh - 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh + fi +printf "CISS.debian.installer Master V8.13.032.2025.10.03 successfully executed! \n" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… '%s' successful applied. \e[0m\n" "${0}" -# sleep 1 + exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
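Review bot: The `rm -f "$OUT"` runs only if the builder invocation above it succeeds, since the step uses `set -euo pipefail`; a failed build leaves the rendered hook with the private SSH host keys sitting in the workspace, which matters on a persistent self-hosted runner. Move the removal into a `trap 'rm -f "$OUT"' EXIT` set before the builder is started (with `OUT` computed at the top of the step), or put it in a separate step guarded by `if: always()`. The step's body begins outside this hunk.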
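Review bot: The new log line `"... successfully executed!"` is written right after a bare `chmod 0700` of ciss_debian_installer.sh, and nothing in this hunk invokes the script, so the message is not backed by what the code does. Either add the invocation after the `chmod` inside the `if` block, or reword the message to what happened, e.g. `printf "CISS.debian.installer Master V8.13.032.2025.10.03 installer permissions set. \n"`. The fix from `0700 /root/...` to `chmod 0700 /root/...` itself looks correct, since the old line would have failed with command-not-found under `set -e`.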