From 6a61043163d9ded1acd52e31ec4103b73256eb5769b6a8d6d82087de38f24344 Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Wed, 29 Oct 2025 17:46:47 +0100
Subject: [PATCH] V8.13.296.2025.10.29
Signed-off-by: Marc S. Weidner
---
 .../hooks/live/0000_basic_chroot_setup.chroot | 7 +++++--
 config/hooks/live/0001_initramfs_modules.chroot | 14 +++++++-------
 config/hooks/live/0860_sops.chroot | 4 ++++
 .../hooks/live/9950_hardening_fail2ban.chroot | 4 ++--
 lib/lib_lb_config_write_trixie.sh | 17 ++++++++++++++---
 scripts/usr/lib/live/build/binary_checksums.sh | 4 ++++
 6 files changed, 36 insertions(+), 14 deletions(-)
diff --git a/config/hooks/live/0000_basic_chroot_setup.chroot b/config/hooks/live/0000_basic_chroot_setup.chroot
index 5e6d457..9da1bb0 100644
--- a/config/hooks/live/0000_basic_chroot_setup.chroot
+++ b/config/hooks/live/0000_basic_chroot_setup.chroot
@@ -207,12 +207,15 @@ if [[ -f /root/.architecture ]]; then
 fi
-mkdir -p /root/.ciss/dlb/{backup,log}
-chmod 0700 /root/.ciss/dlb/{backup,log}
+mkdir -p /root/.ciss/dlb/{backup,log,private_keys}
+chmod 0700 /root/.ciss/dlb/{backup,log,private_keys}
 mkdir -p /root/git
 chmod 0700 /root/git
+mkdir -p /etc/ciss/keys
+chmod 0755 /etc/ciss/keys
+
 ### Mask apt show version unit and timer.
 ln -sf /dev/null /etc/systemd/system/apt-show-versions.timer
 ln -sf /dev/null /etc/systemd/system/apt-show-versions.service
diff --git a/config/hooks/live/0001_initramfs_modules.chroot b/config/hooks/live/0001_initramfs_modules.chroot
index 7e19a52..153dd94 100644
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -368,11 +368,11 @@ esac
 ### Ensure directory structure in initramfs
-mkdir -p "${DESTDIR}/usr/bin"
-mkdir -p "${DESTDIR}/etc/keys"
-mkdir -p "${DESTDIR}/usr/local/bin"
+mkdir -p "${DESTDIR}/etc/ciss/keys"
 mkdir -p "${DESTDIR}/etc/initramfs-tools/conf.d"
 mkdir -p "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
+mkdir -p "${DESTDIR}/usr/bin"
+mkdir -p "${DESTDIR}/usr/local/bin"
 mkdir -p "${DESTDIR}/usr/sbin"
@@ -443,10 +443,10 @@ done
 ### Install PGP Signing Keys
-install -m 0444 /root/.ciss/cdlb/keys/0x8733B021_public.gpg "${DESTDIR}/etc/keys/0x8733B021_public.gpg"
-printf "\e[92mSuccessfully executed: [install -m 0444 /root/.ciss/cdlb/keys/0x8733B021_public.gpg %s/etc/keys/0x8733B021_public.gpg] \n\e[0m" "${DESTDIR}"
-install -m 0444 /root/.ciss/cdlb/keys/0xE62E84F8_public.gpg "${DESTDIR}/etc/keys/0xE62E84F8_public.gpg"
-printf "\e[92mSuccessfully executed: [install -m 0444 /root/.ciss/cdlb/keys/0xE62E84F8_public.gpg %s/etc/keys/0xE62E84F8_public.gpg] \n\e[0m" "${DESTDIR}"
+install -m 0444 /etc/ciss/keys/0x8733B021_public.gpg "${DESTDIR}/etc/ciss/keys/0x8733B021_public.gpg"
+printf "\e[92mSuccessfully executed: [install -m 0444 /etc/ciss/keys/0x8733B021_public.gpg %s/etc/ciss/keys/0x8733B021_public.gpg] \n\e[0m" "${DESTDIR}"
+install -m 0444 /etc/ciss/keys/0xE62E84F8_public.gpg "${DESTDIR}/etc/keys/0xE62E84F8_public.gpg"
+printf "\e[92mSuccessfully executed: [install -m 0444 /etc/ciss/keys/0xE62E84F8_public.gpg %s/etc/ciss/keys/0xE62E84F8_public.gpg] \n\e[0m" "${DESTDIR}"
 printf "\e[92mSuccessfully executed: [0001_initramfs_modules.chroot] \n\e[0m"
diff --git a/config/hooks/live/0860_sops.chroot b/config/hooks/live/0860_sops.chroot
index 6ee0099..ea7c502 100644
--- a/config/hooks/live/0860_sops.chroot
+++ b/config/hooks/live/0860_sops.chroot
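Review bot: In the second hunk of this file the third added line still installs to `"${DESTDIR}/etc/keys/0xE62E84F8_public.gpg"`, while the first hunk removes `mkdir -p "${DESTDIR}/etc/keys"` and the printf right after it claims `/etc/ciss/keys/`; `install` does not create missing parent directories, so the second verification key either fails to land in the initramfs or, if the hook stops on error, breaks the build. The destination should read `"${DESTDIR}/etc/ciss/keys/0xE62E84F8_public.gpg"` to match the first key and the message. Because these keys are what the initramfs trusts for signature verification, a missing key is the worse failure mode; an explicit `[[ -f "${DESTDIR}/etc/ciss/keys/0xE62E84F8_public.gpg" ]] || exit 1` after the install (or `install -D`) would make the hook fail loudly instead.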
@@ -56,6 +56,10 @@ cat << 'EOF' >| /root/.config/sops/age/keys.txt
 {{ secrets.CISS_PHYS_AGE }}
 EOF
+if grep -q '{{ secrets.' /root/.config/sops/age/keys.txt; then
+ : >| /root/.config/sops/age/keys.txt
+fi
+
 chmod 0400 /root/.config/sops/age/keys.txt
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
diff --git a/config/hooks/live/9950_hardening_fail2ban.chroot b/config/hooks/live/9950_hardening_fail2ban.chroot
index 6c666ca..037c5d7 100644
--- a/config/hooks/live/9950_hardening_fail2ban.chroot
+++ b/config/hooks/live/9950_hardening_fail2ban.chroot
@@ -46,7 +46,7 @@ dbpurgeage = 384d
 # ff00::/8 - IPv6 multicast (not an unicast host)
 # ::/128 - IPv6 unspecified (all zeros; never a real peer)
 ignoreip = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 IGNORE_IP_MUST_BE_SET
-usedns = yes
+usedns = yes
 [recidive]
 enabled = true
@@ -61,7 +61,7 @@ bantime.rndtime = 877s
 filter = recidive
 findtime = 16d
 logpath = /var/log/fail2ban/fail2ban.log*
-maxretry = 3
+maxretry = 2
 ### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
 ### Jump host mistyped 1-3 times: no ban, only after four attempts [sshd]
diff --git a/lib/lib_lb_config_write_trixie.sh b/lib/lib_lb_config_write_trixie.sh
index 0bcead2..c3e04cd 100644
--- a/lib/lib_lb_config_write_trixie.sh
+++ b/lib/lib_lb_config_write_trixie.sh
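Review bot: Silently emptying `keys.txt` when the `{{ secrets.` placeholder survived templating hides a configuration failure; the result is an empty 0400 key file whose effect only shows up later when sops cannot decrypt. Add a diagnostic inside the branch, e.g. `printf '%s\n' 'warning: CISS_PHYS_AGE was not substituted; emptying age keys.txt' >&2` before the `: >|`, or exit non-zero if the key is required for the build. Separately, the heredoc that writes the key (the `cat << 'EOF' >|` line just before this hunk) runs before the `chmod 0400`, so the file presumably exists at the default umask until then; a `umask 077` ahead of the `cat` removes that window.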
@@ -116,10 +116,21 @@ lb_config_write_trixie() {
 ### Installing PGP Public Keys for signature verification.
- mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/cdlb/keys"
- install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/cdlb/keys/0x8733B021_public.gpg"
- install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/cdlb/keys/0xE62E84F8_public.gpg"
+ mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys"
+ install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/0x8733B021_public.gpg"
+ install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.gpg"
+ #### Installing PGP Private Deploy Key for signature creation
+ #mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/cdlb/private_keys"
+ #cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/cdlb/private_keys/"
+#{{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
+#EOF
+
+ #if grep -q '{{ secrets.' /root/.config/sops/age/keys.txt; then
+ # : >| /root/.config/sops/age/keys.txt
+ #fi
+
+ #chmod 0400 /root/.config/sops/age/keys.txt
 ### https://wiki.debian.org/ReproducibleInstalls/LiveImages
 ### https://reproducible-builds.org/docs/system-images/
diff --git a/scripts/usr/lib/live/build/binary_checksums.sh b/scripts/usr/lib/live/build/binary_checksums.sh
index 8bcef48..fc6dbdc 100644
--- a/scripts/usr/lib/live/build/binary_checksums.sh
+++ b/scripts/usr/lib/live/build/binary_checksums.sh
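Review bot: The commented-out private-key block after the three `install` calls is not safe to uncomment as written: the `cat << 'EOF' >|` target ends in `/` (a directory, not a file), and the `grep`/`: >|`/`chmod 0400` lines below it were copied from the sops hook and still reference `/root/.config/sops/age/keys.txt` rather than the deploy-key file. It also targets `root/.ciss/cdlb/private_keys`, while `0000_basic_chroot_setup.chroot` in this same commit creates `/root/.ciss/dlb/private_keys` (`dlb` vs `cdlb`), so the two would never meet. If shipping a signing private key inside `includes.chroot` is really intended, name the target file, create it restricted first (`umask 077` or `install -m 0400 /dev/null "<target file>"`) so the secret never exists at the default mode in the build tree, and point the placeholder check and chmod at that same file; otherwise drop the dead block rather than leaving it as a template. `lb_config_write_trixie()` starts before and continues past this hunk.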
@@ -87,8 +87,12 @@ for CHECKSUM in ${LB_CHECKSUMS}; do
 \! -path './*SUMS' \
 \! -path './*sum.txt' \
 \! -path './*sum.README' \
+ \! -path './*asc' \
+ \! -path './*gpg' \
+ \! -path './*sig' \
 -print0 | LC_ALL=C sort -z | xargs -0 "${CHECKSUM}sum" >| "${CHECKSUMS}"
+ ### sha256sum.txt
 Echo_message "Begin creating GPG armor signature ${CHECKSUMS} ..."
 gpg --batch --yes --local-user "${LB_GPG_SIGN_KEY}" --armor --detach-sign --output "${CHECKSUMS}.asc" "${CHECKSUMS}"
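Review bot: The three new `-path` exclusions omit the dot, so `'./*asc'`, `'./*gpg'` and `'./*sig'` match any path that merely ends in those letters, not only `.asc`/`.gpg`/`.sig` files; they should read `'./*.asc'`, `'./*.gpg'`, `'./*.sig'`. More importantly, every file they match is left out of `${CHECKSUMS}` and therefore out of the detached signature created two lines later, so any `*.gpg` or `*.sig` that does ship in the binary tree (such as the public keys this commit moves to `/etc/ciss/keys`, if they end up there) would no longer be integrity-covered; if the goal is only to skip this script's own output, exclude that file by name, e.g. `\! -path "./${CHECKSUMS##*/}.asc" \`. The added `### sha256sum.txt` comment does not say why the exclusions exist; something like `### Exclude detached signatures: they are produced after the checksum list and would invalidate it` would. The `for CHECKSUM in ${LB_CHECKSUMS}` loop starts before this hunk.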