V8.03.384.2025.06.03

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-06-03 00:24:36 +02:00
parent 4c5bc32cae
commit 834ea8798e
32 changed files with 386 additions and 34 deletions
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -27,7 +27,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.03.256.2025.06.02"
+      placeholder: "e.g., Master V8.03.384.2025.06.03"
    validations:
      required: true
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.256.2025.06.02
+### Version Master V8.03.384.2025.06.03
 name: Render README.md to README.html.
--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.03.256.2025.06.02
+  version: V8.03.384.2025.06.03
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.03.256.2025.06.02
+  version: V8.03.384.2025.06.03
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.03.256.2025.06.02
+  version: V8.03.384.2025.06.03
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 build:
-  counter: 1024
+  counter: 1023
-  version: V8.03.256.2025.06.02
+  version: V8.03.384.2025.06.03
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.256.2025.06.02
+### Version Master V8.03.384.2025.06.03
 name: Retrieve DNSSEC status of coresecret.dev.
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -0,0 +1,193 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Version Master V8.03.384.2025.06.03
 name: Render Graphviz Diagrams.
 permissions:
  contents: write
 on:
  push:
    branches:
      - master
    paths:
      - "**/*.gv"
      - "**/*.dot"
 jobs:
  build-graphiz-diagrams:
    name: Render Graphviz Diagrams.
    runs-on: ubuntu-latest
    steps:
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set -euo pipefail
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
          chmod 600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: 🛠️ Cleaning the workspace.
        shell: bash
        run: |
          set -euo pipefail
          git reset --hard
          git clean -fd
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
          export GNUPGHOME="$(pwd)/.gnupg"
          mkdir -m 700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
      - name: ⚙️ Convert APT sources to HTTPS.
        shell: bash
        run: |
          set -euo pipefail
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
      - name: 🛠️ Install Graphviz.
        shell: bash
        run: |
          set -euo pipefail
          sudo apt-get update
          sudo apt-get install -y graphviz
      - name: 🛠️ Render all .dot / .gv to PNG.
        shell: bash
        run: |
          set -euo pipefail
          find . -type f \( -name "*.dot" -o -name "*.gv" \) | while read file; do
            out="${file%.*}.png"
            dot -Tpng "${file}" -o "${out}"
          done
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
          echo "🔁 Merging origin/master into current branch ..."
          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
          echo "📋 Post-merge status :"
          git status
          git log --oneline -n 5
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          git add *.png || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT: DEPLOY BOT: Auto-Generate PNG from *.dot. [skip ci]
            ${CI_HEADER}
            Generated at: ${TIMESTAMP_UTC}
            Runner Host : ${HOSTNAME}
            Workflow ID : ${WORKFLOW_ID}
            Git Commit  : ${GIT_SHA} HEAD → ${GIT_REF}
            "
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
          git push origin HEAD:${GITHUB_REF_NAME}
      # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.03.256.2025.06.02"
+properties_version="V8.03.384.2025.06.03"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.03.256.2025.06.02
+PackageVersion: Master V8.03.384.2025.06.03
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.256.2025.06.02-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.384.2025.06.03-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.256.2025.06.02<br>
+**Build**: V8.03.384.2025.06.03<br>
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -141,7 +141,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `8.03.256.2025.06.02`
+Example: `8.03.384.2025.06.03`
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -40,7 +40,7 @@
 declare -g VAR_HANDLER_AUTOBUILD="false"
 declare -gr VAR_CONTACT="security@coresecret.eu"
-declare -gr VAR_VERSION="Master V8.03.256.2025.06.02"
+declare -gr VAR_VERSION="Master V8.03.384.2025.06.03"
 ### VERY EARLY CHECK FOR AUTO-BUILD, CONTACT, USAGE, AND VERSION STRING
 declare arg
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.256.2025.06.02
+### Version Master V8.03.384.2025.06.03
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.256.2025.06.02
+### Version Master V8.03.384.2025.06.03
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V8.03.256.2025.06.02"
+declare -gr VERSION="Master V8.03.384.2025.06.03"
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.03.256.2025.06.02 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.03.384.2025.06.03 at: 10:18:37.9542
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.256.2025.06.02<br>
+**Build**: V8.03.384.2025.06.03<br>
 # 2. DNSSEC Status
--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.256.2025.06.02<br>
+**Build**: V8.03.384.2025.06.03<br>
 # 2. Haveged Audit on Netcup RS 2000 G11
--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.256.2025.06.02<br>
+**Build**: V8.03.384.2025.06.03<br>
 # 2. Lynis Audit:
--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.256.2025.06.02<br>
+**Build**: V8.03.384.2025.06.03<br>
 # 2. SSH Audit by ssh-audit.com
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.256.2025.06.02<br>
+**Build**: V8.03.384.2025.06.03<br>
 # 2. TLS Audit:
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.256.2025.06.02<br>
+**Build**: V8.03.384.2025.06.03<br>
 # 2. Changelog
--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.256.2025.06.02<br>
+**Build**: V8.03.384.2025.06.03<br>
 # 2. Coding Style
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.256.2025.06.02<br>
+**Build**: V8.03.384.2025.06.03<br>
 # 2. Contributors
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.256.2025.06.02<br>
+**Build**: V8.03.384.2025.06.03<br>
 # 2. Credits
--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.256.2025.06.02<br>
+**Build**: V8.03.384.2025.06.03<br>
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,12 +8,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.256.2025.06.02<br>
+**Build**: V8.03.384.2025.06.03<br>
 # 2. Usage
 ````text
 CISS.debian.live.builder
-Master V8.03.256.2025.06.02
+Master V8.03.384.2025.06.03
 (c) Marc S. Weidner, 2018 - 2025
 (p) Centurion Press, 2024 - 2025
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.256.2025.06.02<br>
+**Build**: V8.03.384.2025.06.03<br>
 # 2. Resources
--- a/docs/graphiz/ciss.debian.live.builder.dot
+++ b/docs/graphiz/ciss.debian.live.builder.dot
@@ -0,0 +1,159 @@
 digraph CISS_debian_live_builder {
    // -----------------------------
    // General settings
    // -----------------------------
    graph [
        fontsize=10,
        splines=ortho,
        rankdir=LR,
        nodesep=0.6,
        ranksep=0.8
    ];
    node [fontname="Helvetica"];
    // -----------------------------
    // KNOTS: All hosts and auxiliary anchors
    // -----------------------------
    // Internet (links)
    InternetLeft [shape=oval, style=filled, fillcolor=lightblue, label="Internet"];
    // Jump Host
    Jump_Host [shape=diamond, style=filled, fillcolor=green, label="Jump Host"];
    // Hidden-Master
    Hidden_Master [shape=cylinder, style=filled, fillcolor=lavender, label="Hidden-Master"];
    // Nameserver (Basis-Datenbankzylinder, hellgelb)
    ns00 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns00.eddns.eu"];
    ns01 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns01.eddns.eu"];
    ns02 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns02.eddns.de"];
    ns03 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns03.eddns.de"];
    // Hilfsanker für cluster_ns (unsichtbar, damit Kanten sauber aus dem Rechteck herausgeführt werden)
    ns_anchor [shape=point, style=invis, width=0];
    // B server (light red)
    git [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="git.coresecret.dev"];
    lab [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="lab.coresecret.dev"];
    run [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="run.coresecret.dev"];
    // Auxiliary anchor for cluster_B_small (invisible)
    b_small_anchor [shape=point, style=invis, width=0];
    // Auxiliary anchor for cluster_B_big (invisible)
    b_big_anchor [shape=point, style=invis, width=0];
    // Database “cloud.e2ee.li” (light red)
    cloud [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="cloud.e2ee.li"];
    // Auxiliary anchor for cluster_cloud (invisible)
    cloud_anchor [shape=point, style=invis, width=0];
    // Internet (right, for TLS/HTTPS)
    InternetTLS [shape=oval, style=filled, fillcolor=lightblue, label="TLS/HTTPS"];
    // Auxiliary anchor for cluster_tls_group (invisible)
    tls_anchor [shape=point, style=invis, width=0];
    // -----------------------------
    // CLUSTER: Entire system (everything except the two Internet clouds)
    // -----------------------------
    subgraph cluster_overall {
        label="SSH-Pub-Key, 2FA, No-Root-Login, aes256-gcm@openssh.com, (No ChaCha), only";
        style=solid;
        color=red;
        // ----- Cluster: Name server group -----
        subgraph cluster_ns {
            label="";
            style=dashed;
            color=red;
            ns00;
            ns01;
            ns02;
            ns03;
            ns_anchor;
        }
        // ----- Cluster: Hidden-Master -----
        subgraph cluster_hm {
            label="";
            style=dashed;
            color=red;
            Hidden_Master;
        }
        // ----- Cluster: TLS/HTTPS group (contains B-Server, cloud, and the TLS cloud) -----
        subgraph cluster_tls_group {
            // The red dotted rectangle around B-Cluster, cloud, and the TLS cloud
            label="ECDHE-RSA-AES256-GCM-SHA384 ECDH 448 AESGCM 256\n\
                   ECDHE-RSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256\n\
                   TLS_AES_256_GCM_SHA384 ECDH 448 AESGCM 256\n\
                   TLS_CHACHA20_POLY1305_SHA256 ECDH 448 ChaCha20 256";
            style=dashed;
            color=red;
            // ----- Cluster: Outer rectangle around all B nodes (lab + small rectangle) -----
            subgraph cluster_B_big {
                label="";
                style=dashed;
                color=red;
                // Direct node lab
                lab;
                // Invisible anchor pointed to by DNSSEC arrows
                b_big_anchor;
                // ---- Cluster: B a) and c) (small rectangle around git and run) ----
                subgraph cluster_B_small {
                    label="";
                    style=dashed;
                    color=red;
                    git;
                    run;
                    b_small_anchor;
                }
            }
            // ----- Cluster: "cloud.e2ee.li" -----
            subgraph cluster_cloud {
                label="HA: LVM on RAID6 on dm-crypt incl. dm-integrity";
                style=dashed;
                color=red;
                cloud;
                cloud_anchor;
            }
            // ----- Node: TLS-Internet-Cloud -----
            InternetTLS;
            tls_anchor;
        }
    }
    // -----------------------------
    // EDGES
    // -----------------------------
    // Internet (left) → Jump Host
    InternetLeft -> Jump_Host [color=green];
    // Jump Host → Hidden-Master
    Jump_Host -> Hidden_Master [color=green];
    // Hidden master → Name server (green with label “HMAC SHA512”)
    Hidden_Master -> ns00 [color=green, label="HMAC SHA512"];
    Hidden_Master -> ns01 [color=green, label="HMAC SHA512"];
    Hidden_Master -> ns02 [color=green, label="HMAC SHA512"];
    Hidden_Master -> ns03 [color=green, label="HMAC SHA512"];
    // Red arrow “DNSSEC”: from cluster nameserver (ns_anchor) → B cluster (b_big_anchor)
    ns_anchor -> b_big_anchor [color=red, label="DNSSEC"];
    // Red arrow “DNSSEC”: from cluster nameserver (ns_anchor) → cloud cluster (cloud_anchor)
    ns_anchor -> cloud_anchor [color=red, label="DNSSEC"];
    // Red arrows from TLS Internet → B-Cluster and cloud
    InternetTLS -> b_big_anchor [color=red];
    InternetTLS -> cloud_anchor [color=red];
 }
--- a/lib/lib_check_provider.sh
+++ b/lib/lib_check_provider.sh
@@ -18,7 +18,7 @@
 check_provider() {
  clear
  cat << 'EOF' >| "${VAR_NOTES}"
-Build: Master V8.03.256.2025.06.02
+Build: Master V8.03.384.2025.06.03
 Press 'EXIT' to continue with CISS.debian.live.builder.
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -22,7 +22,7 @@ usage() {
  cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.03.256.2025.06.02\e[0m")
+$(echo -e "\e[92mMaster V8.03.384.2025.06.03\e[0m")
 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
 $(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
--- a/scripts/9000-cdi-starter
+++ b/scripts/9000-cdi-starter
@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # sleep 1
 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
-printf "CISS.debian.installer Master V8.03.256.2025.06.02 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+printf "CISS.debian.installer Master V8.03.384.2025.06.03 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
 if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
  chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh