V8.03.256.2025.06.02

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-06-02 18:28:31 +02:00
parent d914111ebe
commit 8c5d45515d
7 changed files with 407 additions and 43 deletions
--- a/.gitea/trigger/t_generate_PUBLIC_iso_flavour_0.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC_iso_flavour_0.yaml
--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
@@ -159,7 +159,7 @@ jobs:
            --jump-host "${{ secrets.CISS_DLB_JUMP_HOSTS }}" \
            --provider-netcup-ipv6 "${{ secrets.CISS_DLB_NETCUP_IPV6 }}" \
            --root-password-file /opt/config/password.txt \
-            --ssh-port 42842 \
+            --ssh-port "${{ secrets.CISS_DLB_SSH_PORT }} \
            --ssh-pubkey /opt/config

      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
@@ -297,7 +297,7 @@ jobs:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          PRIVATE_FILE="LIVE_ISO.private"
+          PRIVATE_FILE="LIVE_ISO_FLV_0.private"
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."

      - name: 🔑 Commit and sign changes with CI metadata.
@@ -321,7 +321,7 @@ jobs:
            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"

-            COMMIT_MSG="DEPLOY BOT: Auto-Generate PRIVATE LIVE ISO [skip ci]
+            COMMIT_MSG="DEPLOY BOT: Auto-Generate PRIVATE LIVE ISO FLV 0 [skip ci]

            ${CI_HEADER}

--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
@@ -156,7 +156,7 @@ jobs:
            --control "${timestamp}" \
            --jump-host "${{ secrets.CISS_DLB_JUMP_HOSTS_1 }}" \
            --root-password-file /opt/config/password.txt \
-            --ssh-port 42842 \
+            --ssh-port "${{ secrets.CISS_DLB_SSH_PORT_1 }}" \
            --ssh-pubkey /opt/config

      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
@@ -244,7 +244,7 @@ jobs:
          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"

          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-          PRIVATE_FILE="LIVE_ISO_FLV_0.private"
+          PRIVATE_FILE="LIVE_ISO_FLV_1.private"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
@@ -294,7 +294,7 @@ jobs:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          PRIVATE_FILE="LIVE_ISO.private"
+          PRIVATE_FILE="LIVE_ISO_FLV_1.private"
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."

      - name: 🔑 Commit and sign changes with CI metadata.
@@ -318,7 +318,7 @@ jobs:
            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"

-            COMMIT_MSG="DEPLOY BOT: Auto-Generate PRIVATE LIVE ISO [skip ci]
+            COMMIT_MSG="DEPLOY BOT: Auto-Generate PRIVATE LIVE ISO FLV 1 [skip ci]

            ${CI_HEADER}

--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -0,0 +1,343 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.03.256.2025.06.02
+
+name: Generating a PUBLIC Live ISO.
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - '.gitea/trigger/t_generate_PUBLIC.yaml'
+
+jobs:
+  generate-private-ciss-debian-live-iso:
+    name: Generating a PUBLIC Live ISO.
+    runs-on: ciss.debian.live.builder
+
+    ### Run all steps inside Debian Bookworm
+    container:
+      image: debian:trixie
+
+    steps:
+      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
+        run: |
+          apt-get update
+          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
+          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
+            >| /etc/apt/sources.list.d/bookworm-backports.list
+          apt-get update
+
+      - name: 🛠️ Installing Build Tools.
+        shell: bash
+        run: |
+          apt-get update
+          apt-get install -y \
+            cryptsetup \
+            curl \
+            debootstrap \
+            dosfstools \
+            efibootmgr \
+            gnupg \
+            git \
+            gpgv \
+            haveged \
+            live-build \
+            parted \
+            ssh \
+            ssl-cert \
+            wget \
+            whois
+
+      - name: ⚙️ Check GnuPG Version.
+        shell: bash
+        run: |
+          gpg --version
+
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        shell: bash
+        run: |
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            HostName git.coresecret.dev
+            Port 42842
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        shell: bash
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+      - name: 🛠️ Cleaning the workspace.
+        shell: bash
+        run: |
+          git reset --hard
+          git clean -fd
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        shell: bash
+        run: |
+          set -euo pipefail
+          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          export GNUPGHOME="$(pwd)/.gnupg"
+          mkdir -m 700 "${GNUPGHOME}"
+          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+          gpg --batch --import ci-bot.sec.asc
+          ### Trust the key automatically
+          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        shell: bash
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Preparing the build environment.
+        shell: bash
+        run: |
+          set -euo pipefail
+          mkdir -p /opt/config
+          mkdir -p /opt/livebuild
+          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
+          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
+          echo 'Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH' >| /opt/config/password.txt
+          echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY' >| /opt/config/authorized_keys
+
+      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
+        shell: bash
+        run: |
+          set -euo pipefail
+          chmod 0755 ciss_live_builder.sh
+          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
+          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+          ./ciss_live_builder.sh \
+            --autobuild=6.12.22+bpo-amd64 \
+            --architecture amd64 \
+            --build-directory /opt/livebuild \
+            --control "${timestamp}" \
+            --root-password-file /opt/config/password.txt \
+            --ssh-port 42137 \
+            --ssh-pubkey /opt/config
+
+      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
+        run: |
+          set -euo pipefail
+          SHARE_SUBDIR=""
+
+          echo "📥 Get directory listing via PROPFIND ..."
+          curl -s \
+          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          -X PROPFIND \
+          -H "Depth: 1" \
+          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+          -o propfind_public.xml
+
+          echo "📥 Filter .iso files from the PROPFIND response ..."
+          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
+
+          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+            echo "ℹ️ Old ISO files found and deleted :"
+            while IFS= read -r href; do
+              FILE_URL="${NC_BASE}${href}"
+              echo "  Delete: ${FILE_URL}"
+              if curl -s \
+                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+                  -X DELETE "${FILE_URL}"; then
+                echo "    ✅ Successfully deleted: $(basename "${href}")"
+              else
+                echo "    ❌ Error: $(basename "${href}") could not be deleted"
+              fi
+            done < public_iso_list.txt
+          else
+            echo "ℹ️ No old ISO files found to delete."
+          fi
+
+      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
+        run: |
+          set -euo pipefail
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}"; then
+            echo "✅ New ISO successfully uploaded."
+          else
+            echo "❌ Uploading the new ISO failed."
+            exit 1
+          fi
+
+      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
+        shell: bash
+        run: |
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
+          touch "${VAR_ISO_FILE_SHA512}"
+          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
+          touch "${SIGNATURE_FILE}"
+          export GNUPGHOME="$(pwd)/.gnupg"
+          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          PRIVATE_FILE="LIVE_ISO.public"
+          touch "${PRIVATE_FILE}"
+          cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+
+          CISS.debian.live.builder ISO :
+            "${VAR_ISO_FILE_NAME}"
+          CISS.debian.live.builder ISO sha512 :
+            "${VAR_ISO_FILE_SHA512}"
+          CISS.debian.live.builder ISO sha512 sign :
+            $(< "${SIGNATURE_FILE}")
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LIVE_ISO.public"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT: Auto-Generate PUBLIC LIVE ISO [skip ci]
+
+            ${CI_HEADER}
+
+            Generated at: ${TIMESTAMP_UTC}
+            Runner Host : ${HOSTNAME}
+            Workflow ID : ${WORKFLOW_ID}
+            Git Commit  : ${GIT_SHA} HEAD → ${GIT_REF}
+            "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/LIVE_ISO.private
+++ b/LIVE_ISO.private
@@ -1,25 +0,0 @@
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-This file was automatically generated by the DEPLOY BOT on: "2025-06-02T07:05:05Z".
-
-CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_02T06_28_22Z-amd64.hybrid.iso"
-CISS.debian.live.builder ISO sha512 :
-  "ciss-debian-live-2025_06_02T06_28_22Z-amd64.hybrid.iso.sha512"
-CISS.debian.live.builder ISO sha512 sign :
-  -----BEGIN PGP SIGNATURE-----
-
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaD1NIQAKCRA85KY4hzOw
-IUI1AQCy+C8u2sxrulp9oEsYNPEQLnVuyqGxlsaGF9soF+ay4AD/cjMt0sNK/SUd
-Rt0J3YmtZbbXgIAaUyAMKMc3Bf3nHgc=
-=Z0iZ
-----END PGP SIGNATURE-----
--- a/README.md
+++ b/README.md
@@ -30,8 +30,10 @@ include_toc: true

 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
-cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`. The latest generic ISO is available at:
-[CISS.debian.live.ISO_PUBLIC](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/DL_PUB_ISO.md)
+cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`. Additionally, automated CI workflows 
+based on Gitea Actions are provided, enabling reproducible ISO generation. A generic ISO is automatically built upon significant
+changes and made publicly available for download. The latest generic ISO is available at:
+[CISS.debian.live.ISO PUBLIC](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/DL_PUB_ISO.md)

 Check out more:
 * [CenturionNet Services](https://coresecret.eu/cnet/) 
@@ -89,11 +91,11 @@ After build and configuration, the following audit reports can be generated:
 * **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations.
  Type `ssh-audit <IP>:<PORT>`. See example report: [SSH Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_SSH.md)

-## 1.2. Preview
+## 1.3. Preview

 ![CISS.debian.live.builder](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/screenshots/CISS.debian.live.builder_preview.jpeg)

-## 1.3. Caution. Significant information for those considering using D-I.
+## 1.4. Caution. Significant information for those considering using D-I.

 **The Debian Installer (d-i) will ALWAYS boot a new system.**<br>

@@ -124,6 +126,17 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 * Logging (rsyslog, journald) ✘ not active,
 * preseed control over the network is possible (but without any protection).

+## 1.5. Versioning Schema
+
+This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
+
+Example: `8.03.256.2025.06.02`
+
+x.y.z represents major (x), minor (y), and patch (z) version increments.
+
+Date (YYYY.MM.DD) denotes the build or release date, facilitating clear tracking of incremental changes and ensuring 
+reproducibility and traceability.
+
 # 2. Features & Rationale

 Below is a breakdown of each hardening component, with a summary of why each is critical to your security posture.
--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -12,22 +12,26 @@ include_toc: true

 # 2. Download the latest PUBLIC CISS.debian.live.ISO

-## 2.1. URL
+## 2.1. Autobuild Information
+
+The latest information about the public CISS.debian.live.ISO is available at `./LIVE_ISO.public`.
+
+## 2.2. URL

 Download the latest Auto-Generated [CISS.debian.live.ISO_PUBLIC](https://cloud.e2ee.li/s/E7FoctLroB4oF7P).

-## 2.2. Root Passwd
+## 2.3. Root Passwd

 Use the following Root Passwd:
 ````text
 Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH
 ````

-## 2.3. Root SSH Keys
+## 2.4. Root SSH Keys

 Use the following Root SSH Key Material:

-### 2.3.1. SSH Public Key
+### 2.4.1. SSH Public Key
 ````text
 ---- BEGIN SSH2 PUBLIC KEY ----
 Comment: "2025_ciss.debian.live.ISO_PUBLIC_ONLY"
@@ -36,7 +40,7 @@ AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS
 ---- END SSH2 PUBLIC KEY ----
 ````

-### 2.3.2. SSH Private Key OPENSSH
+### 2.4.2. SSH Private Key OPENSSH
 ````text
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABB0
@@ -49,7 +53,7 @@ Clw5PIdM7+BObTSD0g99dLFI
 -----END OPENSSH PRIVATE KEY-----
 ````

-### 2.3.3. SSH Private Key
+### 2.4.3. SSH Private Key
 ````text
 PuTTY-User-Key-File-3: ssh-ed25519
 Encryption: aes256-cbc
@@ -67,7 +71,36 @@ onOztqghDo2kzYMa7VosVQ+TMr1AHLknwGPMIpuDEb0GyfdVB6LqV3rAKEJRRXJg
 Private-MAC: 3c87f88ee5306c56e7b2240d7bddda3ce4369d6d296b9101d8a8c5834fdf5e25
 ````

-### 2.3.4. SSH Private Key Encryption Key (KEK)
+### 2.4.4. SSH Private Key Encryption Key (KEK)
+````text
+Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH
+````
+
+# 3. Login
+
+## 3.1. SSH
+
+Connect to `<IP>:42137`. Please note that if you select a different port by mistake, your client IP address will be blocked 
+instantly — literally in a few microseconds — for 86,400 seconds (i.e., one full day) due to the 
+
+* `ufw`
+* `fail2ban` 
+* `/etc/hosts.deny` 
+
+ultimate hardening rules:
+
+````text
+### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
+###               Jump host mistyped 1–3 times: no ban, only after four attempts          [sshd]
+(...)
+# ufw aggressive approach:
+# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
+# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after one attempt.
+````
+
+## 3.2. Console
+
+Login as root and present the following credentials:
 ````text
 Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH
 ````