V8.13.296.2025.10.29

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/hooks/live/0000_basic_chroot_setup.chroot

@@ -207,12 +207,15 @@ if [[ -f /root/.architecture ]]; then
 
 fi
 
-mkdir -p /root/.ciss/dlb/{backup,log}
-chmod 0700 /root/.ciss/dlb/{backup,log}
+mkdir -p /root/.ciss/dlb/{backup,log,private_keys}
+chmod 0700 /root/.ciss/dlb/{backup,log,private_keys}
 
 mkdir -p /root/git
 chmod 0700 /root/git
 
+mkdir -p /etc/ciss/keys
+chmod 0755 /etc/ciss/keys
+
 ### Mask apt show version unit and timer.
 ln -sf /dev/null /etc/systemd/system/apt-show-versions.timer
 ln -sf /dev/null /etc/systemd/system/apt-show-versions.service

config/hooks/live/0001_initramfs_modules.chroot

@@ -368,11 +368,11 @@ esac
 
 
 ### Ensure directory structure in initramfs
-mkdir -p "${DESTDIR}/usr/bin"
-mkdir -p "${DESTDIR}/etc/keys"
-mkdir -p "${DESTDIR}/usr/local/bin"
+mkdir -p "${DESTDIR}/etc/ciss/keys"
 mkdir -p "${DESTDIR}/etc/initramfs-tools/conf.d"
 mkdir -p "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
+mkdir -p "${DESTDIR}/usr/bin"
+mkdir -p "${DESTDIR}/usr/local/bin"
 mkdir -p "${DESTDIR}/usr/sbin"
 
 
@@ -443,10 +443,10 @@ done
 
 
 ### Install PGP Signing Keys
-install -m 0444 /root/.ciss/cdlb/keys/0x8733B021_public.gpg "${DESTDIR}/etc/keys/0x8733B021_public.gpg"
-printf "\e[92mSuccessfully executed: [install -m 0444 /root/.ciss/cdlb/keys/0x8733B021_public.gpg %s/etc/keys/0x8733B021_public.gpg] \n\e[0m" "${DESTDIR}"
-install -m 0444 /root/.ciss/cdlb/keys/0xE62E84F8_public.gpg "${DESTDIR}/etc/keys/0xE62E84F8_public.gpg"
-printf "\e[92mSuccessfully executed: [install -m 0444 /root/.ciss/cdlb/keys/0xE62E84F8_public.gpg %s/etc/keys/0xE62E84F8_public.gpg] \n\e[0m" "${DESTDIR}"
+install -m 0444 /etc/ciss/keys/0x8733B021_public.gpg "${DESTDIR}/etc/ciss/keys/0x8733B021_public.gpg"
+printf "\e[92mSuccessfully executed: [install -m 0444 /etc/ciss/keys/0x8733B021_public.gpg %s/etc/ciss/keys/0x8733B021_public.gpg] \n\e[0m" "${DESTDIR}"
+install -m 0444 /etc/ciss/keys/0xE62E84F8_public.gpg "${DESTDIR}/etc/keys/0xE62E84F8_public.gpg"
+printf "\e[92mSuccessfully executed: [install -m 0444 /etc/ciss/keys/0xE62E84F8_public.gpg %s/etc/ciss/keys/0xE62E84F8_public.gpg] \n\e[0m" "${DESTDIR}"
 
 
 printf "\e[92mSuccessfully executed: [0001_initramfs_modules.chroot] \n\e[0m"

config/hooks/live/0860_sops.chroot

@@ -56,6 +56,10 @@ cat << 'EOF' >| /root/.config/sops/age/keys.txt
 {{ secrets.CISS_PHYS_AGE }}
 EOF
 
+if grep -q '{{ secrets.' /root/.config/sops/age/keys.txt; then
+  : >| /root/.config/sops/age/keys.txt
+fi
+
 chmod 0400 /root/.config/sops/age/keys.txt
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

config/hooks/live/9950_hardening_fail2ban.chroot

@@ -46,7 +46,7 @@ dbpurgeage            = 384d
 #                       ff00::/8    - IPv6 multicast (not an unicast host)
 #                       ::/128      - IPv6 unspecified (all zeros; never a real peer)
 ignoreip              = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 IGNORE_IP_MUST_BE_SET
-usedns		            = yes
+usedns                = yes
 
 [recidive]
 enabled               = true
@@ -61,7 +61,7 @@ bantime.rndtime       = 877s
 filter                = recidive
 findtime              = 16d
 logpath               = /var/log/fail2ban/fail2ban.log*
-maxretry              = 3
+maxretry              = 2
 
 ### SSH Handling:     Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
 ###                   Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]

lib/lib_lb_config_write_trixie.sh

@@ -116,10 +116,21 @@ lb_config_write_trixie() {
 
 
   ### Installing PGP Public Keys for signature verification.
-  mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/cdlb/keys"
-  install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/cdlb/keys/0x8733B021_public.gpg"
-  install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/cdlb/keys/0xE62E84F8_public.gpg"
+  mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys"
+  install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/0x8733B021_public.gpg"
+  install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.gpg"
 
+  #### Installing PGP Private Deploy Key for signature creation
+  #mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/cdlb/private_keys"
+  #cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/cdlb/private_keys/"
+#{{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
+#EOF
+
+  #if grep -q '{{ secrets.' /root/.config/sops/age/keys.txt; then
+  #  : >| /root/.config/sops/age/keys.txt
+  #fi
+
+  #chmod 0400 /root/.config/sops/age/keys.txt
 
   ### https://wiki.debian.org/ReproducibleInstalls/LiveImages
   ### https://reproducible-builds.org/docs/system-images/

scripts/usr/lib/live/build/binary_checksums.sh

@@ -87,8 +87,12 @@ for CHECKSUM in ${LB_CHECKSUMS}; do
 		\! -path './*SUMS' \
 		\! -path './*sum.txt' \
 		\! -path './*sum.README' \
+    \! -path './*asc' \
+    \! -path './*gpg' \
+    \! -path './*sig' \
 		-print0 | LC_ALL=C sort -z | xargs -0 "${CHECKSUM}sum" >| "${CHECKSUMS}"
 
+  ### sha256sum.txt
   Echo_message "Begin creating GPG armor signature ${CHECKSUMS} ..."
   gpg --batch --yes --local-user "${LB_GPG_SIGN_KEY}" --armor --detach-sign --output "${CHECKSUMS}.asc" "${CHECKSUMS}"