DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]

X-CI-Metadata: master@99d669d at 2025-12-06T04:39:52Z on 941bb339cd9a Generated at : 2025-12-06T04:39:52Z Runner Host : 941bb339cd9a Workflow ID : 🛡️ Shell Script Linting Git Commit : 99d669d HEAD -> master
V8.13.768.2025.12.06
2025-12-06 04:39:52 +00:00 · 2025-12-06 05:38:13 +01:00 · 2025-12-06 04:35:39 +00:00 · 2025-12-06 03:44:33 +00:00 · 2025-12-06 02:57:35 +00:00 · 2025-12-06 02:53:47 +00:00
271 changed files with 5173 additions and 2322 deletions
--- a/.archive/0010_dhcp_supersede.sh
+++ b/.archive/0010_dhcp_supersede.sh
@@ -0,0 +1,113 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 if [[ ! -d "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp ]]; then
  mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp
 fi
 cat << 'EOF' >> "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp/dhclient.conf
 # Custom dhclient config to override DHCP DNS
 # dns01.eddns.eu, dns02.eddns.de, dns03.eddns.eu;
 supersede domain-name-servers 135.181.207.105, 89.58.62.53, 138.199.237.109;
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 cat << 'EOF' >> "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcpcd.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### No Global APIPA-Fallback.
 noipv4ll
 ### A ServerID is required by RFC2131.
 require dhcp_server_identifier
 ### Respect the network MTU. This is applied to DHCP routes.
 option interface_mtu
 ### A list of options to request from the DHCP server.
 option host_name
 option domain_name
 option domain_search
 option rapid_commit
 ### Most distributions have NTP support.
 option ntp_servers
 ### Ask server to update both A and PTR via FQDN (RFC 4702 semantics).
 fqdn both
 ###-----------------------------------------------------------------------------------------------------------------------------
 ### Global defaults for all interfaces.
 #option host_name
 #option domain_name
 #option domain_search
 ### Ask server to update both A and PTR via FQDN (RFC 4702 semantics).
 #fqdn both
 ###-----------------------------------------------------------------------------------------------------------------------------
 ### Enforce static DNS and prevent dhcpcd from writing 'resolv.conf'.
 nooption domain_name_servers
 nohook resolv.conf rdnssd
 ### Static resolvers (IPv4).
 ### (This does NOT write '/etc/resolv.conf' because of nohook above.)
 static domain_name_servers=135.181.207.105 89.58.62.53 138.199.237.109
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/resolv.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # static /etc/resolv.conf (CISS)
 nameserver 135.181.207.105
 nameserver 89.58.62.53
 nameserver 138.199.237.109
 options edns0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.archive/0100_ciss_mem_wipe.chroot
+++ b/.archive/0100_ciss_mem_wipe.chroot
@@ -0,0 +1,302 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get install -y --no-install-recommends kexec-tools
 install -d -m 0755 /boot/ciss-memwipe
 install -d -m 0755 /usr/local/sbin
 install -d -m 0755 /etc/systemd/system
 install -d -m 0755 /etc/default
 ### Pick a kernel to kexec into: use the latest installed vmlinuz. -------------------------------------------------------------
 # shellcheck disable=SC2012,SC2155
 declare _KERNEL="$(cd /boot && ls -1 vmlinuz-* | sed 's|vmlinuz-||' | sort -V | tail -n1)"
 cp -f "/boot/vmlinuz-${_KERNEL}" /boot/ciss-memwipe/vmlinuz
 ### Build minimal initramfs with a busybox and a tiny '/init'. -----------------------------------------------------------------
 declare _TMP_DIR; _TMP_DIR="$(mktemp -d)"
 trap 'rm -rf "${_TMP_DIR}"' EXIT
 mkdir -p "${_TMP_DIR}"/{bin,dev,proc,sys,wipe}
 ### Locate the current busybox binary. -----------------------------------------------------------------------------------------
 declare _BUSYBOX_BIN; _BUSYBOX_BIN="$(command -v busybox || true)"
 if [[ -z "${_BUSYBOX_BIN}" ]]; then
  echo "ERROR: busybox not found after installation attempt." >&2
  exit 42
 fi
 cp -f "${_BUSYBOX_BIN}" "${_TMP_DIR}/bin/busybox"
 #######################################
 # Copy required shared libs into the initramfs (if the busybox is dynamic).
 # Globals:
 #   _TMP_DIR
 # Arguments:
 #   1: _BUSYBOX_BIN
 # Returns:
 #   0: on success
 #######################################
 copy_libs() {
  declare bin="$1"
  if ldd "${bin}" 2>&1 | grep -q 'not a dynamic executable'; then
    return 0
  fi
  ldd "${bin}" | awk '
    /=> \// {print $3}
    # some libs are printed as absolute path without "=>"
    /^\//    {print $1}
  ' | while read -r lib; do
    [[ -n "${lib}" ]] || continue
    dest="${_TMP_DIR}$(dirname "${lib}")"
    install -d -m 0755 "${dest}"
    cp -f "${lib}" "${dest}"
  done
 }
 copy_libs "${_BUSYBOX_BIN}"
 ### Generate '/init' script ----------------------------------------------------------------------------------------------------
 cat << 'EOF' >| "${_TMP_DIR}/init"
 #!/bin/busybox sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # Minimal init to wipe RAM, then power off.
 # Parses cmdline: ciss_wipe_passes=2 ciss_wipe_mode=zero+random ciss_dd_bs=64M ciss_tmpfs_pct=95
 set -eu
 #######################################
 # Helper
 # Globals:
 #   None
 # Arguments:
 #   1: key
 # Returns:
 #   0: on success
 #######################################
 get_arg() { # $1=key ; echoes value or empty
  for tok in $(cat /proc/cmdline); do
    case "$tok" in
      $1=*) echo "${tok#*=}"; return 0;;
    esac
  done
  echo ""
 }
 mount -t devtmpfs devtmpfs /dev 2>/dev/null || true
 [ -e /dev/console ] || mknod -m 600 /dev/console c 5 1
 [ -e /dev/null ]    || mknod -m 666 /dev/null c 1 3
 [ -e /dev/urandom ] || mknod -m 444 /dev/urandom c 1 9
 mount -t proc proc /proc
 mount -t sysfs sysfs /sys
 PASSES="$(get_arg ciss_wipe_passes)"; [ -n "${PASSES}" ] || PASSES=2
 MODE="$(get_arg ciss_wipe_mode)"; [ -n "${MODE}" ] || MODE="zero+random"
 BS="$(get_arg ciss_dd_bs)"; [ -n "${BS}" ] || BS=64M
 PCT="$(get_arg ciss_tmpfs_pct)"; [ -n "${PCT}" ] || PCT=95
 echo 1 >| /proc/sys/kernel/printk 2>/dev/null || true
 MEM_KB="$(awk '/MemTotal:/ {print $2}' /proc/meminfo)"
 SIZE_KB=$(( MEM_KB * PCT / 100 ))
 mount -t tmpfs -o "size=${SIZE_KB}k,nodev,nosuid,noexec,mode=0700" tmpfs /wipe
 #######################################
 # Wipe helper
 # Globals:
 #   None
 # Arguments:
 #   1: pattern
 # Returns:
 #   0: on success
 #######################################
 wipe_pass() {
  pattern="$1" # zero or random
  if [ "$pattern" = "zero" ]; then
    src="/dev/zero"
  else
    src="/dev/urandom"
  fi
  i=0
  while :; do
    # Use busybox dd explicitly to avoid surprises
    busybox dd if="$src" of="/wipe/block_$i" bs="$BS" status=none || break
    i=$((i+1))
  done
  sync
  echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
  rm -f /wipe/block_* 2>/dev/null || true
  sync
  return 0
 }
 DO_ZERO=0; DO_RANDOM=0
 case "$MODE" in
  zero) DO_ZERO=1 ;;
  random) DO_RANDOM=1 ;;
  zero+random|random+zero) DO_ZERO=1; DO_RANDOM=1 ;;
  *) DO_ZERO=1 ;;
 esac
 p=1
 while [ $p -le "$PASSES" ]; do
  [ $DO_ZERO -eq 1 ] && wipe_pass zero
  [ $DO_RANDOM -eq 1 ] && wipe_pass random
  p=$((p+1))
 done
 sync
 busybox poweroff -f || echo o >| /proc/sysrq-trigger
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 chmod +x "${_TMP_DIR}/init"
 ### Create the initramfs archive -----------------------------------------------------------------------------------------------
 ( cd "${_TMP_DIR}" && find . -print0 | cpio --null -ov --format=newc ) | gzip -9 > /boot/ciss-memwipe/initrd.img
 ### Default configuration.
 cat << 'EOF' >| /etc/default/ciss-memwipe
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # CISS Memory Wipe defaults:
 CISS_WIPE_PASSES=2             # number of passes
 CISS_WIPE_MODE="zero+random"   # zero | random | zero+random
 CISS_WIPE_DD_BS="64M"          # dd block size
 CISS_WIPE_TMPFS_PCT=95         # percentage of MemTotal to allocate
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 ### Helper script --------------------------------------------------------------------------------------------------------------
 cat << 'EOF' >| /usr/local/sbin/ciss-memwipe
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -euo pipefail
 . /etc/default/ciss-memwipe || true
 KERNEL="/boot/ciss-memwipe/vmlinuz"
 INITRD="/boot/ciss-memwipe/initrd.img"
 append_common="quiet loglevel=1 ciss_wipe_passes=${CISS_WIPE_PASSES:-2} ciss_wipe_mode=${CISS_WIPE_MODE:-zero+random} ciss_dd_bs=${CISS_WIPE_DD_BS:-64M} ciss_tmpfs_pct=${CISS_WIPE_TMPFS_PCT:-95}"
 prepare() {
  if [ -w /proc/sys/kernel/kexec_load_disabled ] && [ "$(cat /proc/sys/kernel/kexec_load_disabled)" = "1" ]; then
    echo 0 > /proc/sys/kernel/kexec_load_disabled || true
  fi
  if command -v kexec >/dev/null 2>&1 && [ -s "$KERNEL" ] && [ -s "$INITRD" ]; then
    kexec -l "$KERNEL" --initrd="$INITRD" --append="$append_common" || true
  fi
 }
 fallback_inplace() {
  mount -t tmpfs -o "size=95%,nodev,nosuid,noexec,mode=0700" tmpfs /run/wipe 2>/dev/null || mkdir -p /run/wipe
  i=0
  while :; do
    dd if=/dev/zero of="/run/wipe/blk_$i" bs="${CISS_WIPE_DD_BS:-64M}" status=none || break
    i=$((i+1))
  done
  sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
  rm -f /run/wipe/blk_* 2>/dev/null || true
  sync
  systemctl poweroff -f || poweroff -f || echo o > /proc/sysrq-trigger
 }
 execute() {
  sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
  if command -v systemctl >/dev/null 2>&1 && systemctl --quiet is-system-running; then
    systemctl kexec || kexec -e || fallback_inplace
  else
    kexec -e || fallback_inplace
  fi
 }
 case "${1:-}" in
  prepare) prepare ;;
  execute) execute ;;
  *) echo "Usage: $0 {prepare|execute}" >&2; exit 2 ;;
 esac
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 chmod 0755 /usr/local/sbin/ciss-memwipe
 ### Systemd service: load at boot, execute on shutdown. ------------------------------------------------------------------------
 cat << 'EOF' >| /etc/systemd/system/ciss-memwipe.service
 [Unit]
 Description=CISS: preload and execute kexec-based RAM wipe on shutdown
 DefaultDependencies=no
 Before=shutdown.target
 After=local-fs.target network.target multi-user.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/local/sbin/ciss-memwipe prepare
 ExecStop=/usr/local/sbin/ciss-memwipe execute
 TimeoutStartSec=20s
 TimeoutStopSec=infinity
 [Install]
 WantedBy=multi-user.target
 EOF
 install -d -m 0755 /etc/systemd/system/multi-user.target.wants
 ln -sf /etc/systemd/system/ciss-memwipe.service /etc/systemd/system/multi-user.target.wants/ciss-memwipe.service
 systemctl enable ciss-memwipe.service
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.archive/90-ciss-networkd.preset
+++ b/.archive/90-ciss-networkd.preset
@@ -0,0 +1,19 @@
 # bashsupport disable=BP5007
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-11-26; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 enable systemd-networkd.service
 enable systemd-resolved.service
 disable networking.service
 disable NetworkManager.service
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/.archive/9985_clamav.chroot
+++ b/.archive/9985_clamav.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/9999_interfaces_update.chroot
+++ b/config/hooks/live/9999_interfaces_update.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -26,7 +26,7 @@ cat << EOF >| /etc/network/interfaces
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/.archive/generate_PRIVATE_trixie_0.yaml
+++ b/.archive/generate_PRIVATE_trixie_0.yaml
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.768.2025.12.06
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -339,7 +339,7 @@ jobs:
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
-          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
--- a/.archive/generate_PRIVATE_trixie_1.yaml
+++ b/.archive/generate_PRIVATE_trixie_1.yaml
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.768.2025.12.06
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -382,7 +382,7 @@ jobs:
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
-          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
--- a/.archive/generate_PUBLIC_iso.yaml
+++ b/.archive/generate_PUBLIC_iso.yaml
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.768.2025.12.06
 name: 💙 Generating a PUBLIC Live ISO.
@@ -257,7 +257,7 @@ jobs:
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
-          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
--- a/.archive/icon.lib
+++ b/.archive/icon.lib
@@ -4,60 +4,67 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ⏫
 ⬆️
 ☁️
 ☢️
 ☣️
 ✍️
 ✅
 ❌
 ⚠️
-🚫
+•
 🔐
 🔒
 🔑
 ✍️
 🖥️
 ⬆️
 ⏫
 🔼
 🆙
 🔄
 🔁
 🌌
 🔵
 💙
 🔍
 💡
 🔧
 🛠️
 🏗
 ⚙️
-📐
+🆙
-🧪
+🌌
-📩
+🌐
 📥
 📤
 📦
 📑
 📂
 📀
 🎉
-😺
+🎯
 🏗
 💙
 💡
 💬
 💽
 💾
 💿
 📀
 📁
 📂
 📅
 📉
 📊
 🧾
 📋
-🕑
+📐
-🧠
+📑
 📅
 🎯
 🌐
 🔗
 💬
 ☢️
 ☣️
 •
 ☁️
 📡
 📤
 📥
 📦
 📩
 🔁
 🔄
 🔍
 🔐
 🔑
 🔒
 🔗
 🔧
 🔵
 🔼
 🕑
 🖥️
 🗂️
 🗄️
 🗜️
 😺
 🚫
 🛠️
 🛡️
 🧠
 🧪
 🧾
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/etc/network/interfaces
+++ b/config/includes.chroot/etc/network/interfaces
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/.editorconfig
+++ b/.editorconfig
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.408.2025.11.13"
+      placeholder: "e.g., Master V8.13.768.2025.12.06"
    validations:
      required: true
--- a/.gitea/ISSUE_TEMPLATE/PULL_REQUEST_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/PULL_REQUEST_TEMPLATE.yaml
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.768.2025.12.06
 FROM debian:bookworm
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.768.2025.12.06
 name: 🔁 Render README.md to README.html.
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 build:
  counter: 1023
-  version: V8.13.400.2025.11.08
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 build:
  counter: 1023
-  version: V8.13.400.2025.11.08
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 build:
  counter: 1023
-  version: V8.13.400.2025.11.08
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 build:
  counter: 1023
-  version: V8.13.408.2025.11.13
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.768.2025.12.06
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -65,6 +65,7 @@ jobs:
            bash \
            bat \
            ca-certificates \
            cryptsetup \
            curl \
            debootstrap \
            git \
@@ -183,6 +184,7 @@ jobs:
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_ca.asc
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
@@ -196,6 +198,7 @@ jobs:
          echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
          echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /dev/shm/cdlb_secrets/keys.txt
          echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /dev/shm/cdlb_secrets/luks.txt
          echo "${{ secrets.PGP_CISS_CA_PUBLIC_KEY }}"            >| /dev/shm/cdlb_secrets/signing_ca.asc
          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}"       >| /dev/shm/cdlb_secrets/signing_key.asc
          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}"  >| /dev/shm/cdlb_secrets/signing_key_pass.txt
@@ -204,20 +207,22 @@ jobs:
          set -euo pipefail
          chmod 0700 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
          chmod 0400 /dev/shm/cdlb_secrets/*
          ./ciss_live_builder.sh \
            --architecture amd64 \
-            --autobuild=6.16.3+deb13-amd64 \
+            --autobuild=6.17.8+deb13-amd64 \
            --build-directory /opt/cdlb \
            --cdi \
            --change-splash hexagon \
            --control "${timestamp}" \
            --debug \
            --dhcp-centurion \
            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
            --key_age=keys.txt \
            --key_luks=luks.txt \
            --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
            --root-password-file /dev/shm/cdlb_secrets/password.txt \
            --signing_ca=signing_ca.asc \
            --signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
            --signing_key_pass=signing_key_pass.txt \
            --signing_key=signing_key.asc \
@@ -227,7 +232,6 @@ jobs:
            --trixie
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
@@ -237,11 +241,8 @@ jobs:
          SHARE_SUBDIR=""
          echo "📥 Get directory listing via PROPFIND ..."
-          curl -s \
+
-          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -X PROPFIND \
          -H "Depth: 1" \
          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -o propfind_public.xml
          echo "📥 Filter .iso files from the PROPFIND response ..."
@@ -249,46 +250,65 @@ jobs:
          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
            echo "💡 Old ISO files found and deleted :"
            while IFS= read -r href; do
              FILE_URL="${NC_BASE}${href}"
              echo "  Delete: ${FILE_URL}"
-              if curl -s \
+
-                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+              if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
-                  -X DELETE "${FILE_URL}"; then
+
                echo "    ✅ Successfully deleted: $(basename "${href}")"
              else
                echo "    ❌ Error: $(basename "${href}") could not be deleted"
              fi
            done < public_iso_list.txt
          else
            echo "💡 No old ISO files found to delete."
          fi
      - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
        run: |
          set -euo pipefail
          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
            echo "✅ New ISO successfully uploaded."
          else
            echo "❌ Uploading the new ISO failed."
            exit 1
          fi
      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
@@ -328,7 +348,7 @@ jobs:
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
-          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.768.2025.12.06
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -65,6 +65,7 @@ jobs:
            bash \
            bat \
            ca-certificates \
            cryptsetup \
            curl \
            debootstrap \
            git \
@@ -183,6 +184,7 @@ jobs:
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_ca.asc
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
@@ -196,6 +198,7 @@ jobs:
          echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
          echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /dev/shm/cdlb_secrets/keys.txt
          echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /dev/shm/cdlb_secrets/luks.txt
          echo "${{ secrets.PGP_CISS_CA_PUBLIC_KEY }}"            >| /dev/shm/cdlb_secrets/signing_ca.asc
          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}"       >| /dev/shm/cdlb_secrets/signing_key.asc
          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}"  >| /dev/shm/cdlb_secrets/signing_key_pass.txt
@@ -204,17 +207,20 @@ jobs:
          set -euo pipefail
          chmod 0700 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
          chmod 0400 /dev/shm/cdlb_secrets/*
          ./ciss_live_builder.sh \
            --architecture amd64 \
-            --autobuild=6.16.3+deb13-amd64 \
+            --autobuild=6.17.8+deb13-amd64 \
            --build-directory /opt/cdlb \
            --cdi \
            --change-splash hexagon \
            --control "${timestamp}" \
            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
            --key_age=keys.txt \
            --key_luks=luks.txt \
            --root-password-file /dev/shm/cdlb_secrets/password.txt \
            --signing_ca=signing_ca.asc \
            --signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
            --signing_key_pass=signing_key_pass.txt \
            --signing_key=signing_key.asc \
@@ -291,7 +297,7 @@ jobs:
          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
-          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
            echo "✅ New ISO successfully uploaded."
@@ -340,7 +346,7 @@ jobs:
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
-          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.768.2025.12.06
 name: 💙 Generating a PUBLIC Live ISO.
@@ -65,6 +65,7 @@ jobs:
            bash \
            bat \
            ca-certificates \
            cryptsetup \
            curl \
            debootstrap \
            git \
@@ -183,14 +184,14 @@ jobs:
          set -euo pipefail
          chmod 0700 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
          chmod 0400 /dev/shm/cdlb_secrets/*
          ./ciss_live_builder.sh \
            --architecture amd64 \
-            --autobuild=6.16.3+deb13-amd64 \
+            --autobuild=6.17.8+deb13-amd64 \
            --build-directory /opt/cdlb \
-            --cdi \
+            --change-splash hexagon \
            --control "${timestamp}" \
            --debug \
            --root-password-file /dev/shm/cdlb_secrets/password.txt \
            --ssh-port 42137 \
            --ssh-pubkey /dev/shm/cdlb_secrets \
@@ -264,7 +265,7 @@ jobs:
          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
-          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
            echo "✅ New ISO successfully uploaded."
@@ -313,7 +314,7 @@ jobs:
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
-          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.768.2025.12.06
 # Gitea Workflow: Shell-Script Linting
 #
@@ -218,7 +218,7 @@ jobs:
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
-          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
@@ -242,7 +242,7 @@ jobs:
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
-          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.768.2025.12.06
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.768.2025.12.06
 name: 🔁 Render Graphviz Diagrams.
--- a/.gitignore
+++ b/.gitignore
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/.shellcheckrc
+++ b/.shellcheckrc
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/.version.properties
+++ b/.version.properties
@@ -4,16 +4,16 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 properties_SPDX-Version="3.0"
 properties_SPDX-ExternalRef="GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git"
 properties_SPDX-FileCopyrightText="2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>"
-properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
+properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.408.2025.11.13"
+properties_version="V8.13.768.2025.12.06"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.408.2025.11.13
+PackageVersion: Master V8.13.768.2025.12.06
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/280
+++ b/280
@@ -1,256 +1,100 @@
-# SPDX-License-Identifier: EUPL-1.2
+SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
-EUPL-1.2
+Centurion Licensing Overview
 ============================
-EUROPEAN UNION PUBLIC LICENCE v. 1.2
+This repository uses a dual-licensing model combining a non-commercial "source-available" license with a separate commercial
-EUPL © the European Union 2007, 2016
+subscription license.
-This European Union Public Licence (the 'EUPL') applies to the Work (as defined below) which is provided under the
+1. Default License: Centurion Non-Commercial License 1.1 (CNCL-1.1)
-terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such
+---------------------------------------------------------------
 a use is covered by a right of the copyright holder of the Work).
-The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following
+Unless explicitly stated otherwise in an individual file or directory, all original content in this repository is licensed under the
 notice immediately following the copyright notice for the Work:
-                          Licensed under the EUPL
+    Centurion Non-Commercial License 1.1 (CNCL-1.1)
    SPDX-Identifier: LicenseRef-CNCL-1.1
-or has expressed by any other means his willingness to license under the EUPL.
+Under CNCL-1.1 you may:
-1.Definitions
+  - use, study and modify the Software for non-commercial purposes;
  - share the Software and your modifications for non-commercial purposes;
  - NOT use the Software for any Commercial Use (as defined in CNCL-1.1).
-In this Licence, the following terms have the following meaning:
+Any Commercial Use of the Software (in whole or in part) is NOT permitted under CNCL-1.1 and requires a separate commercial
 license agreement with the Licensor (see section 2 below).
-— 'The Licence':this Licence.
+The full text of CNCL-1.1 is provided in:
-— 'The Original Work':the work or software distributed or communicated by the Licensor under this Licence, available
+    ./docs/LICENSES/CNCL-1.1.txt
 as Source Code and also as Executable Code as the case may be.
 — 'Derivative Works':the works or software that could be created by the Licensee, based upon the Original Work or
 modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work
 required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in
 the country mentioned in Article 15.
-— 'The Work':the Original Work or its Derivative Works.
+2. Commercial Use: Centurion Commercial License Agreement 1.1 (CCLA-1.1)
 ---------------------------------------------------------------------
-— 'The Source Code':the human-readable form of the Work, which is the most convenient for people to study and
+For any Commercial Use (including but not limited to use in paid services, SaaS offerings, commercial products, or internal use
-modify.
+that contributes to revenue generation or cost reduction), a valid commercial subscription license is required.
-— 'The Executable Code':any code, which has generally been compiled and, which is meant to be interpreted by
+Commercial rights are governed exclusively by the:
 a computer as a program.
-— 'The Licensor':the natural or legal person that distributes or communicates the Work under the Licence.
+    Centurion Commercial License Agreement 1.1 (CCLA-1.1)
    SPDX-Identifier: LicenseRef-CCLA-1.1
-— 'Contributor(s)':any natural or legal person who modifies the Work under the Licence, or otherwise contributes to
+The CCLA-1.1 grants time-limited, non-transferable rights to use the Software for commercial purposes, subject to subscription
-the creation of a Derivative Work.
+fees, support terms and the liability limitations described therein.
-— 'The Licensee' or 'You':any natural or legal person who makes any usage of the Work under the terms of the
+The full text of CCLA-1.1 is provided in:
 Licence.
-— 'Distribution' or 'Communication':any act of selling, giving, lending, renting, distributing, communicating,
+    ./docs/LICENSES/CCLA-1.1.txt
 transmitting, or otherwise making available, online, or offline, copies of the Work or providing access to its essential
 functionalities at the disposal of any other natural or legal person.
-2.Scope of the rights granted by the Licence
+If you are unsure whether your intended use case qualifies as Commercial Use, you must assume that it does and contact the
 Licensor at:
-The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for
+    legal@coresecret.eu
 the duration of copyright vested in the Original Work:
 — use the Work in any circumstances and for all usage,
-— reproduce the Work,
+3. Open-Source Components and Third-Party Code
 -------------------------------------------
-— modify the Work and make Derivative Works based upon the Work,
+This repository may contain or depend on third-party components that are licensed under separate open-source licenses, including
 but not limited to:
-— communicate to the public, including the right to make available or display the Work or copies thereof to the public
+  - EUPL-1.2 (European Union Public Licence)
-and perform publicly, as the case may be, the Work,
+  - other FOSS licenses as stated in the respective files or directories.
-— distribute the Work or copies thereof,
+Such components are clearly marked, typically via SPDX-License-Identifier headers and / or dedicated license files. For those
 components, the respective third-party license terms apply and take precedence over CNCL-1.1 and CCLA-1.1 with respect to that
 code.
-— lend and rent the Work or copies thereof,
+Where code from other projects is incorporated, the original copyright notices and license texts are preserved, and their terms
 remain in force for those portions.
 — sublicense rights in the Work or copies thereof.
-Those rights can be exercised on any media, supports, and formats, whether now known or later invented, as far as the
+4. SPDX Usage and Per-File Licensing
-applicable law permits so.
+------------------------------------
-In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed
+Each source file SHOULD contain an SPDX-License-Identifier line indicating the applicable license for that file, for example:
 by law in order to make effective the licence of the economic rights here above listed.
-The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the
+  - For non-commercial Centurion code:
-extent necessary to make use of the rights granted on the Work under this Licence.
+        SPDX-License-Identifier: LicenseRef-CNCL-1.1
-3.Communication of the Source Code
+  - For commercial-only Centurion deliverables (if applicable in private branches):
        SPDX-License-Identifier: LicenseRef-CCLA-1.1
-The Licensor may provide the Work either in its Source Code form or as Executable Code. If the Work is provided as
+  - For EUPL-licensed parts:
-Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with
+        SPDX-License-Identifier: EUPL-1.2
 each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to
 the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to
 distribute or communicate the Work.
-4.Limitations on copyright
+In case of any apparent conflict between this overview file and the SPDX-License-Identifier in a specific file, the
 SPDX-License-Identifier in that file SHALL prevail for that file.
 Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the
 exclusive rights of the rights owners in the Work, to the exhaustion of those rights or of other applicable limitations
 thereto.
-5.Obligations of the Licensee
+5. No Legal Advice; Governing Documents
 ---------------------------------------
-The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those
+This LICENSE file is an informational overview only. The legally binding terms governing your use of the Software are
-obligations are the following:
+exclusively those set out in:
-Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to
+  - Centurion Non-Commercial License 1.1 (CNCL-1.1)
-the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices, and a copy of the
+  - Centurion Commercial License Agreement 1.1 (CCLA-1.1)
-Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work
+  - and any applicable third-party licenses as referenced above.
 to carry prominent notices stating that the Work has been modified and the date of modification.
-Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this
+In the event of any conflict between this overview and the full license texts, the full license texts shall prevail.
 Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless
 the Original Work is expressly distributed only under this version of the Licence — for example, by communicating
 'EUPL v. 1.2 only'. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the
 Work or Derivative Work that alter or restrict the terms of the Licence.
 Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both
 the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done
 under the terms of this Compatible Licence. For the sake of this clause, 'Compatible Licence' refers to the licences listed
 in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with
 his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail.
 The provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide
 a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available
 for as long as the Licensee continues to distribute or communicate the Work.
 Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names
 of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and
 reproducing the content of the copyright notice.
 6.Chain of Authorship
 The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or
 licensed to him/her and that he/she has the power and authority to grant the Licence.
 Each Contributor warrants that the copyright in the modifications he/she brings to the Work is owned by him/her or
 licensed to him/her and that he/she has the power and authority to grant the Licence.
 Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions
 to the Work, under the terms of this Licence.
 7.Disclaimer of Warranty
 The Work is a work in progress, which is continuously improved by numerous Contributors. It is not finished work
 and may therefore contain defects or 'bugs' inherent to this type of development.
 For the above reason, the Work is provided under the Licence on an 'as is' basis and without warranties of any kind
 concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or
 errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this
 Licence.
 This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work.
 8.Disclaimer of Liability
 Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be
 liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the
 Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss
 of data, or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However,
 the Licensor will be liable under statutory product liability laws as far as such laws apply to the Work.
 9.Additional agreements
 While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services
 consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole
 responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify,
 defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such a Contributor by
 the fact You have accepted any warranty or additional liability.
 10.Acceptance of the Licence
 The provisions of this Licence can be accepted by clicking on an icon 'I agree' placed under the bottom of a window
 displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of
 applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms
 and conditions.
 Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You
 by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution
 or Communication by You of the Work or copies thereof.
 11.Information to the public
 In case of any Distribution or Communication of the Work by means of electronic communication by You (for example,
 by offering to download the Work from a remote location) the distribution channel or media (for example, a website)
 must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence,
 and the way it may be accessible, concluded, stored, and reproduced by the Licensee.
 12.Termination of the Licence
 The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms
 of the Licence.
 Such a termination will not terminate the licences of any person who has received the Work from the Licensee under
 the Licence, provided such persons remain in full compliance with the Licence.
 13.Miscellaneous
 Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the
 Work.
 If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or
 enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid
 and enforceable.
 The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of
 the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence.
 New versions of the Licence will be published with a unique version number.
 All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take
 advantage of the linguistic version of their choice.
 14.Jurisdiction
 Without prejudice to specific agreement between parties,
 — any litigation resulting from the interpretation of this License, arising between the European Union institutions,
 bodies, offices, or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice
 of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union,
 — any litigation arising between other parties and resulting from the interpretation of this License will be subject to
 the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business.
 15.Applicable Law
 Without prejudice to specific agreement between parties,
 — this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat,
 resides, or has his registered office
 — this licence shall be governed by Belgian law if the Licensor has no seat, residence, or registered office inside
 a European Union Member State.
                                                         Appendix
 'Compatible Licences' according to Article 5 EUPL are:
 — GNU General Public License (GPL) v. 2, v. 3
 — GNU Affero General Public License (AGPL) v. 3
 — Open Software License (OSL) v. 2.1, v. 3.0
 — Eclipse Public License (EPL) v. 1.0
 — CeCILL v. 2.0, v. 2.1
 — Mozilla Public Licence (MPL) v. 2
 — GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3
 — Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software
 — European Union Public Licence (EUPL) v. 1.1, v. 1.2
 — Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+).
 The European Commission may update this Appendix to later versions of the above licences without producing
 a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the
 covered Source Code from exclusive appropriation.
 All other changes or additions to this Appendix require the production of a new EUPL version.
--- a/LINTER_RESULTS.txt
+++ b/LINTER_RESULTS.txt
@@ -1,15 +1,15 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-11-13; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-11-13T09:05:08Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T04:39:51Z"
 ✅ The last linter check was successful. ✅
--- a/LIVE_ISO.public
+++ b/LIVE_ISO.public
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/LIVE_ISO_TRIXIE_0.private
+++ b/LIVE_ISO_TRIXIE_0.private
@@ -1,27 +1,27 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-11-08; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-11-08T19:46:24Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T03:44:29Z"
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_11_08T18_57_19Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_12_06T02_53_28Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  11065e6ed8f99b533352ad86bd5b4cc9b407652e79a34718da6aad46a5f603738553fde6fbcceaa3128bfbbfa4c1674c05552232d4620ea250bc029545600718
+  2bf967b902455fe1f4d3ba1cb0b3c5983c6812181ae95b10ce837c0aaae084207bf15c22add2709c21c45f4262db2a2f787b2c93f3a1c507289c020e70314707
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaQ+eEAAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaTOmnQAKCRA85KY4hzOw
-IcJaAP9FYAzawGRXQqt5mEL3SQy4cSDkc5/r/KDhy+ABdVNMvAEA1ReKZ7qXrESP
+IcItAQDvE6vEkbslGR5BLMVV+DKi2GDnIzIMVs7zROiPsKb3BgEA1Koqx7ccc+H2
-rgP2MsHaXHVBWGJUvFyMf6dUpbjEnA8=
+MmNv12w674dS2xmTZHOViYePe2KWLw0=
-=SkUY
+=I8w2
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_TRIXIE_1.private
+++ b/LIVE_ISO_TRIXIE_1.private
@@ -1,27 +1,27 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-29; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-10-29T21:52:45Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T04:35:36Z"
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_10_29T20_59_34Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_12_06T03_45_41Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  c2b295aa3bd7ccfbe6c83aa27aeeace796251ad93ebfbf999bc6b1ae7c3c881efeeeda5e9235c5f5b7ad022ee465bc61e04c46906c6a7ca79214866ae62e160d
+  fe9481d92cf61554da92ff883a58d9aaa2ae5fe86d9c3dd634a1c3a79e1b6ca5e08693d4f9b0870077fc0bf2f840a3e678d9c9dc44f9b8dae5d474a6d39e16b2
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaQKMrQAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaTOymAAKCRA85KY4hzOw
-ISgMAQDy82Yr4/F3cI/ZzLQJyoFSY2qgPl8d84eJZFhhTFpD3AEAmMBws55fQAzz
+Ic1iAQDVxT891Nv+LHzQs3vL31/1wqeOjiGmZbEJR8XvBoRe4wEAjdmvUpEXyb1Y
-Q9DBRAvRYgMDLmqsog+m3FEH7cXtDAg=
+qhaFcxWDrRgiVKaitGkbNo2w6yICdgY=
-=o+0d
+=TQPs
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.408.2025.11.13-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.768.2025.12.06-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -27,26 +27,67 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.408.2025.11.13<br>
+**Build**: V8.13.768.2025.12.06<br>
-This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
+**CISS.debian.live.builder — First of its own.**<br>
-and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
+**World-class CIA: Designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
-cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`. Additionally, automated CI workflows 
+
-based on Gitea Actions are provided, enabling reproducible ISO generation. A generic ISO is automatically built upon significant
+Developed and maintained as a one-man, security-driven engineering effort since 2024, **CISS.debian.live.builder** is designed 
 to serve as a reference implementation for hardened, image-based Debian deployments.
 This shell wrapper automates the creation of a Debian Trixie live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for cloud
 deployment or unattended installations via the forthcoming `CISS.debian.installer`. Additionally, automated CI workflows based
 on Gitea Actions are provided, enabling reproducible ISO generation. A generic ISO is automatically built upon significant
 changes and made publicly available for download. The latest generic ISO is available at:
 **[PUBLIC CISS.debian.live.ISO](/docs/DL_PUB_ISO.md)**
-Check out more:
+Beyond a conventional live system, **CISS.debian.live.builder** assembles a **fully encrypted, integrity-protected live medium**
-* [CenturionNet Services](https://coresecret.eu/cnet/) 
+in a single, deterministic build step: a LUKS2 container backed by `dm-integrity` hosting the SquashFS root filesystem, combined
 with a hardened initramfs chain including a dedicated Dropbear build pipeline for remote LUKS unlock. The resulting ISO ships 
 with a hardened kernel configuration, strict sysctl and network tuning, pre-configured SSH hardening and fail2ban, and a 
 customised `verify-checksums` path providing both ISO-edge verification and runtime attestation of the live root. All components
 are aligned with the `CISS.debian.installer` baseline, ensuring a unified cryptographic and security posture from first boot to 
 an installed system. For an overview of the entire build process, see:
 **[MAN_CISS_ISO_BOOT_CHAIN.md](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**
 When built with the ``--dhcp-centurion`` profile, the live system ships with a strict network and resolver policy: 
 ``systemd-networkd`` and ``systemd-resolved`` are pre-configured to use ``DNS-over-TLS (DoT)`` exclusively against the 
 **CenturionDNS** resolver infrastructure; plain DNS is not used and connectivity failures are treated as hard errors. DNSSEC 
 validation is enforced in a fail-closed manner: zones with invalid or broken signatures result in ``SERVFAIL`` and are not 
 silently downgraded. Multicast name resolution via ``mDNS`` and ``LLMNR`` is disabled globally to avoid unintended name leakage
 and spoofing surfaces.
 Internally, the builder employs a dedicated secret-handling pipeline backed by a tmpfs-only secrets directory
 (`/dev/shm/cdlb_secrets`). Sensitive material such as root passwords, SSH keys, and signing keys never appears on the command
 line, is guarded by strict `0400 root:root` permissions, and any symlink inside the secret path is treated as a hard failure
 that aborts the run. Critical code paths temporarily disable Bash xtrace so that credentials never leak into debug logs, and
 transient secret files are shredded (`shred -fzu`) as soon as they are no longer needed. GNUPG homes used for signing are
 wiped, unencrypted chroot artifacts and includes are removed after `lb build`, and the final artifact is reduced to the
 encrypted SquashFS inside the LUKS2 container. At runtime, LUKS passphrases in the live ISO and installer are transported via
 named pipes inside the initramfs instead of process arguments, further minimizing exposure in process listings.
 Check out more leading world-class services powered by Centurion Intelligence Consulting Agency:
 * [CenturionDNS Resolver](https://eddns.eu/)
 * [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt) 
 * [CenturionNet Status](https://uptime.coresecret.eu/) 
 * [CenturionMeet](https://talk.e2ee.li/)
 * [CenturionNet Services](https://coresecret.eu/cnet/)
 * [CenturionNet Status](https://uptime.coresecret.eu/) 
 **Contact the author:**
 * [Contact the author](https://coresecret.eu/contact/)
 **Legal Disclaimer:**
 * This project is not affiliated with, authorized, maintained, sponsored, or endorsed by the [Debian Project](https://www.debian.org/) 
 * [Licensing & Compliance](#6-licensing--compliance)
 * [Disclaimer](#7-disclaimer)
 * [Centurion Imprint & Legal Notice](https://coresecret.eu/imprint/)
 * [Centurion Privacy Policy](https://coresecret.eu/privacy/)
 ## 1.1. Preliminary Remarks
 ### 1.1.1. HSM
 Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. The next step is to 
 move to a room-gapped environment. ^^
@@ -58,57 +99,48 @@ add_header Expect-CT                 "max-age=86400, enforce"
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 ````
-* Additionally, the entire zone is dual-signed with **DNSSEC**. See the current **DNSSEC** status at: **[DNSSEC Audit Report](/docs/AUDIT_DNSSEC.md)**
+* The zones behind this project are dual-signed with **DNSSEC**. The current validation state is documented in the **[DNSSEC Audit Report](/docs/AUDIT_DNSSEC.md)**
-* A comprehensive TLS audit of the **`git.coresecret.dev`** Gitea server is also available. See: **[TLS Audit Report](/docs/AUDIT_TLS.md)**
+* The TLS surface of **``git.coresecret.dev``** is independently audited, and the findings are held in the **[TLS Audit Report](/docs/AUDIT_TLS.md)**
-* The infrastructure of the **`CISS.debian.live.builder`** building system is visualized here. See: **[Centurion Net](/docs/CNET.md)**
+* The topology of the underlying **`CISS.debian.live.builder`** building infrastructure is described in **[Centurion Net](/docs/CNET.md)**
 ### 1.1.3. Gitea Action Runner Hardening
-The CI runners operate on a dedicated host system located in a completely separate Autonomous System (AS). This host is solely 
+The CI runners live on a host in a separate autonomous system, and that host has exactly one purpose: run Gitea Actions runners. 
-dedicated to providing CI runners and does not perform any other tasks. Each runner is hermetically isolated from others using 
+Each runner receives its own service account without a login shell, is bound to a separate directory tree, and inherits a 
-non-privileged, shell-less user accounts with no direct login capability. Additionally, each runner executes within its own 
+hardened systemd unit with ``DynamicUser``, reduced capabilities, and restrictive sandboxing. A ``systemd-analyze security`` score 
-separate directory tree, employs `DynamicUser` features, and adheres to strict systemd hardening policies (achieving a ``systemd-analyze security`` 
+of around **``2.6``** is the baseline, not an aspiration. Traffic from those runners traverses both a software firewall (UFW) 
-rating of **``2.6``**). Docker containers used by runners do not run in privileged mode. Security is further enhanced through the use 
+and dedicated hardware firewall appliances. Docker, where used, runs unprivileged.
 of both UFW software firewalls and dedicated hardware firewall appliances.
 ## 1.2. Match Host and Target Versions
-Build, for example, a Debian Trixie live image only on a Debian Trixie host. The build toolchain and boot artifacts are 
+I always build a Debian Trixie live image on a Debian Trixie host. The toolchain and all boot components that matter to 
-release-specific: ``live-build``, ``live-boot``, ``live-config``, ``debootstrap``, ``kernel/initramfs`` tools, ``mksquashfs``, 
+reproducibility are release-specific: ``live-build``, ``live-boot``, ``live-config``, ``debootstrap``, ``mksquashfs``, ``grub``, 
-``GRUB/ISOLINUX``, and even ``dpkg/apt`` often change defaults and formats between releases (e.g., compression modes, SquashFS 
+the ``kernel``, ``initramfs`` tooling, and even ``dpkg`` and ``apt`` defaults evolve from one release to the next. Mixing 
-options, hook ordering, systemd/udev behavior). Building on a different host release commonly yields non-reproducible or even 
+generations produces fragile or outright broken ISOs, sometimes subtly, sometimes catastrophically. Keeping host and target in 
-unbootable ISOs (missing modules/firmware, ABI mismatches, divergent paths). Keeping host and target on the same version ensures
+lockstep avoids those mismatches and gives me predictable artifacts across builds.
 reproducible builds, matching dependencies, and compatible boot artifacts.
-## 1.3. Immutable Source-of-Truth System
+## 1.3. Immutable Source-of-Truth System and Encrypted Live Root
-This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static
+The live ISO acts as a sealed, immutable execution environment. All relevant configuration, all installation logic, and all 
-source-code definitions. All configurations, system components, and installation routines are embedded during build time and 
+security decisions are rendered into the image at build time and treated as read-only at runtime. On top of that logical 
-locked for runtime immutability. This ensures that the live environment functions as a trusted **Source of Truth** — not only 
+ immutability, I now layer cryptographic protection of the live root file system itself. The live image contains a LUKS2 container
-for boot-time operations, but for deploying entire systems in a secure and reproducible way.<br>
+file with dm-integrity that wraps the SquashFS payload. The initramfs knows how to locate this container, unlock it, verify its 
 integrity, and then present the decrypted SquashFS as the root component of an OverlayFS stack. The detailed boot and 
 verification chain is documented separately in **[CISS ISO Boot Chain](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**<br>
-Once booted, the environment optionally launches a fully scripted installer, via the forthcoming `CISS.debian.installer`,
+In compact form, my expectations for the system are:<br>
 yet to deploy, that provisions the target system (the hardware the DVD is running on). The installer pulls no external 
 dependencies besides of the necessary Debian debootstrap and Debian Packages and never exposes the target system in a not 
 secure manner to the internet during installation. It operates strictly from within the verified image content, providing fully 
 secured provisioning. Combined with checksum verification, **activated by default**, at boot and strict firewall defaults, this 
 architecture guarantees that what is executed has not been tampered with and corresponds exactly to the intended source definition.<br>
-An even more secure deployment variant — an unattended and headless version — can be built without any active network interface
+* Every bit that matters for boot and provisioning is covered by checksums that I control and that are signed with keys under my solely authoritative HSM.
-or shell-access, also via the forthcoming `CISS.debian.installer`. Such a version performs all verification steps autonomously, 
+* The live root runs out of a LUKS2 dm-integrity container so that a tampered or bit-rotted SquashFS never becomes a trusted root.
-provisions the target device from embedded source artifacts, and reboots into a fully encrypted system image. The system then 
+* Verification steps are not advisory. Any anomaly causes a hard abort during boot.
-awaits the decryption passphrase input via an embedded Dropbear SSH server (SSH PubKey only) in the initramfs, exposing no ports
+* After the live environment has reached a stable, verified state, it can hand off to ``CISS.debian.installer``. The installer operates from the same image, does not pull random payloads from the internet, and keeps the target system behind a hardened firewall until the entire provisioning process has completed.
-without cryptographic hardened access, while also the `/boot` partition could be encrypted via the built-in support of 
+* For unattended, headless scenarios I also support builds where the target system is installed without ever exposing a shell over the console. After installation and reboot, the machine waits for a decryption passphrase via an embedded Dropbear SSH instance in the initramfs, limited to public key authentication and guarded by strict cryptographic policies. In such variants even ``/boot`` can be encrypted, with GRUB taking care of unlocking the boot partition.
 `grub2 (2.12-9)`.<br>
-This approach provides a fully reproducible, audit-friendly, and tamper-resistant provisioning workflow rooted entirely in 
+These combinations give me a provisioning chain that is auditable, reproducible, and robust against both casual and targeted tampering.<br>
 source-defined infrastructure logic.<br>
-After build and configuration, the following audit reports can be generated:
+Once the system is up, I can trigger a set of audits from within the live environment:
-* **Haveged Audit Report**: Validates entropy daemon health and confirms `/dev/random` seeding performance.
+* **Lynis Audit Report**: Outputs a detailed security score and recommendations, confirming a 93%+ hardening baseline.
  Type `chkhvg` at the prompt. See example report: **[Haveged Audit Report](/docs/AUDIT_HAVEGED.md)**
 * **Lynis Audit Report**: Outputs a detailed security score and recommendations, confirming a 91%+ hardening baseline.
  Type `lsadt` at the prompt. See example report: **[Lynis Audit Report](/docs/AUDIT_LYNIS.md)**
 * **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations.
  Type `ssh-audit <IP>:<PORT>`. See example report: **[SSH Audit Report](/docs/AUDIT_SSH.md)**
@@ -117,42 +149,33 @@ After build and configuration, the following audit reports can be generated:
 ![CISS.debian.live.builder](/docs/screenshots/CISS.debian.live.builder_preview.jpeg)
-## 1.5. Caution. Significant information for those considering using D-I.
+## 1.5. Caution. Debian Installer and Security Context
 **The Debian Installer (d-i) will ALWAYS boot a new system.**<br>
-Regardless of whether you start it:
+The classical Debian Installer (d-i) always boots its own kernel and its own initramfs. That effect is independent of the way it
-* via the boot menu of your Live ISO (grub, isolinux) like **CISS.debian.live.builder**,
+is launched: 
 * via kexec in the running system,
 * via the debian-installer-launcher package,
 * or even via a graphical installer shortcut.
-The following happens in all cases:
+* from a GRUB entry on the live medium, 
-* The installer kernel (/install/vmlinuz) + initrd.gz are started.
+* from within a running live session via a graphical shortcut, 
-* The existing live system is exited.
+* through kexec, 
-* The memory is overwritten.
+* or via helper packages such as debian-installer-launcher.
 * All running processes - e.g., firewall, hardened SSH access, etc. pp. - cease to exist.
-The Debian Installer loads:
+In all of these cases the running live system is discarded. The memory contents of the hardened live environment vanish, the 
-* its own kernel,
+firewall disappears, the hardened SSH daemon is terminated, and the hardened kernel is replaced by the installer kernel. The 
-* its own initramfs,
+installer brings its own minimal root file system, usually BusyBox plus a limited set of udeb packages, and it does not 
-* its own minimal root filesystem (BusyBox + udeb packages),
+implement my firewall, my AppArmor profiles, my logging configuration, or my remote access policies, unless I explicitly 
-* no SSH access (unless explicitly enabled via preseed)
+reintroduce those elements via preseed.
 * no firewall, AppArmor, logging, etc. pp.,
 * it disables all running network services, even if you were previously in the live system.
-This means function status of the **CISS.2025.debian.live.builder** ISO after d-i start:
+In that phase the security properties are therefore those of d-i, not those of CISS.debian.live.builder. This is not a defect in
-* ufw, iptables, nftables ✘ disabled, not loaded,
+Debian, it is a property of how any installer that boots its own kernel behaves. It is important to keep this distinction in 
-* sshd with hardening ✘ stopped (processes gone),
+mind when deciding whether a workflow must stay inside the hardened live context or may trade that environment for the standard 
-* the running kernel ✘ replaced,
+installer toolchain.
 * Logging (rsyslog, journald) ✘ not active,
 * preseed control over the network is possible (but without any protection).
 ## 1.6. Versioning Schema
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V8.13.408.2025.11.13`
+Example: `V8.13.768.2025.12.06`
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
@@ -168,74 +191,76 @@ and only when, they appear in all capitals, as shown here.
 # 2. Features & Rationale
-Below is a breakdown of each hardening component, with a summary of why each is critical to your security posture.
+Below I walk through the major hardening components, with a focus on why I implemented them the way I did and how they interact.
 I treat this builder as a reference implementation for my own infrastructure; **it is not a toy**.
 ## 2.1. Kernel Hardening
-### 2.1.1. Boot Parameters
+### 2.1.1. Unified Hardened Boot Parameters
-* **Description**: Customizes kernel command-line flags to disable unused features and enable mitigations.
+Both the ``CISS.debian.live.builder`` LIVE ISO and the ``CISS.debian.installer`` rely on the same kernel command line. I consider
-* **Key Parameters**:
+a diverging kernel baseline between installer and live system operationally dangerous, because it leads to two distinct sets of 
-  * `audit_backlog_limit=8192`: Ensures the audit subsystem can queue up to 8192 events to avoid dropped logs under heavy loads.
+expectations about mitigations and attack surface. The boot parameters I apply are:
-  * `audit=1`: Enables kernel auditing from boot to record system calls and security events.
+
-  * `cfi=kcfi`: Activates kernel control-flow integrity using kCFI to protect against control-flow hijacking.
+````bash
-  * `debugfs=off`: Disables debugfs to prevent non-privileged access to kernel internals.
+apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off \
-  * `efi=disable_early_pci_dma`: Stops early PCI DMA under EFI to mitigate DMA-based attacks during boot.
+efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 \
-  * `efi_no_storage_paranoia`: Disables extra EFI storage checks to streamline boot without compromising expected storage integrity.
+init_on_alloc=1 init_on_free=1 \
-  * `hardened_usercopy=1`: Enables stringent checks on copy operations between user and kernel space to prevent buffer overflows.
+iommu.passthrough=0 iommu.strict=1 iommu=force \
-  * `ia32_emulation=0`: Turns off 32-bit compatibility modes to reduce attack surface on 64-bit hosts.
+kfence.sample_interval=100 kvm.nx_huge_pages=force \
-  * `init_on_alloc=1`: Zeroes memory on allocation to prevent leakage of previous data.
+l1d_flush=on lockdown=integrity loglevel=0 \
-  * `init_on_free=1`: Initializes memory on free to catch use-after-free bugs.
+mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force \
-  * `iommu=force`: Enforces IOMMU for all devices to isolate DMA-capable hardware.
+oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on \
-  * `kfence.sample_interval=100`: Configures the kernel fence memory safety tool to sample every 100 allocations.
+random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on \
-  * `kvm.nx_huge_pages=force`: Enforces non-executable huge pages in KVM to mitigate code injection.
+retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none
-  * `l1d_flush=on`: Flushes L1 data cache on context switch to mitigate L1D vulnerabilities.
+````
-  * `lockdown=confidentiality`: Puts the kernel in confidentiality lockdown to restrict direct hardware access.
+
-  * `loglevel=0`: Suppresses non-critical kernel messages to reduce information leakage.
+The parameters fall into several categories.
-  * `mce=0`: Disables machine check exceptions to prevent side-channel data leaks from hardware error reporting.
+
-  * `mitigations=auto,nosmt`: Enables all automatic CPU mitigations and disables SMT to reduce side-channel risks.
+* The AppArmor-related flags ``apparmor=1``, ``security=apparmor`` guarantee that AppArmor is not an afterthought but an integral part of the security architecture from the first instruction. I do not accept a boot sequence that comes up without LSM enforcement and then attempts to enable it later.
-  * `mmio_stale_data=full,nosmt`: Ensures stale MMIO data is fully flushed and disables SMT for added protection.
+* The audit subsystem is configured to be always on ``audit=1`` and to tolerate heavy bursts without dropping events ``audit_backlog_limit=262144``. I treat the audit trail as an evidentiary artifact; truncation because of backlog limits is not acceptable in that model.
-  * `oops=panic`: Forces a kernel oops to trigger a panic, preventing the system from running in an inconsistent state.
+* The debug surface of the kernel is reduced aggressively. ``debugfs=off`` avoids a traditional footgun that exposes kernel internals in a way that is friendly to attackers and rarely necessary in production.
-  * `page_alloc.shuffle=1`: Randomizes physical page allocation to hinder memory layout prediction attacks.
+* Memory is hardened on several levels at allocation time and at free time. ``init_on_alloc=1`` and ``init_on_free=1`` provide deterministic zeroing, ``page_poison=1`` fills freed pages with a poison pattern, and ``page_alloc.shuffle=1`` shuffles the allocator so that a process can no longer rely on stable physical patterns. Together these measures raise the cost of use-after-free exploitation and other memory corruption attacks.
-  * `page_poison=1`: Fills freed pages with a poison pattern to detect use-after-free.
+* The IOMMU is not optional. I force it on ``iommu=force``, disable passthrough ``iommu.passthrough=0`` and require strict behavior ``iommu.strict=``1. Any environment that contains devices capable of DMA must have a correctly configured IOMMU, otherwise the trust model for the CPU and for the memory hierarchy collapses as soon as a hostile device is introduced.
-  * `panic=-1`: Disables automatic reboot on panic to preserve the system state for forensic analysis.
+* ``kfence.sample_interval=100`` activates KFENCE with a sampling interval that is still usable in production but sensitive enough to catch a meaningful subset of memory safety bugs under real workloads.
-  * `pti=on`: Enables page table isolation to mitigate Meltdown attacks.
+* Virtualization-specific knobs include ``kvm.nx_huge_pages=force``, to keep huge pages non-executable, and ``l1d_flush=on`` so that context switches flush the L1 data cache where needed.
-  * `random.trust_bootloader=off`: Prevents trusting entropy provided by the bootloader.
+* ``lockdown=integrity`` places the kernel into lockdown mode with an emphasis on integrity. In this project I consider the integrity of the system more critical than the ability to introspect a running kernel from userspace.
-  * `random.trust_cpu=off`: Disables trusting CPU-provided randomness, enforcing external entropy sources.
+* Speculative execution and microarchitectural issues are covered by ``mitigations=auto,nosmt``,`` mmio_stale_data=full,force``, and ``retbleed=auto,nosmt``. I combine the automatic mitigation set provided by the kernel with a forced Single Thread mode where it is required because simultaneous multithreading is simply not worth the residual risk profile in many server contexts.
-  * `randomize_kstack_offset=on`: Randomizes the kernel stack offset on each syscall entry to harden against stack probing.
+* ``nosmt=force`` acts as a guardrail here. It prevents a misconfiguration from quietly re-enabling SMT while the system operator assumes it is disabled.
-  * `randomize_va_space=2`: Enables full address space layout randomization (ASLR) for user space.
+* Fault handling is configured through ``oops=panic`` and ``panic=0``. An oops triggers a panic so that I do not continue to run a kernel in an undefined state. At the same time I instruct the system not to reboot automatically on panic, to preserve the state for post-mortem analysis rather than cutting the ground away under a debugging session.
-  * `retbleed=auto,nosmt`: Enables automatic RETBLEED mitigations and disables SMT for better side-channel resistance.
+* ``pti=on``, ``rodata=on``, and ``slab_nomerge`` are classical hardening parameters that I still consider essential. Page-table isolation, read-only data segments, and prohibiting slab merging collectively prevent a wide range of exploits, especially under pressure from speculative execution attacks.
-  * `rodata=on`: Marks kernel read-only data sections to prevent runtime modification.
+* To avoid brittle side assumptions, I remove legacy or obsolete interfaces: ``vdso32=0`` and ``vsyscall=none`` shut down the remaining vestiges of 32-bit vDSO and vsyscall support on 64-bit systems. ``ia32_emulation=0`` it again narrows the attack surface by disabling full 32-bit compatibility on 64-bit kernels.
-  * `tsx=off`: Disables Intel TSX extensions to eliminate related speculative execution vulnerabilities.
+* Finally, I do not trust entropy claims either from the bootloader or the CPU itself. I opt out of both with ``random.trust_bootloader=off`` and ``random.trust_cpu=off`` and rely on my own entropy strategy described later.
-  * `vdso32=0`: Disables 32-bit vDSO to prevent unintended cross-mode calls.
+
-  * `vsyscall=none`: Disables legacy vsyscall support to close a potential attack vector.
+All of these parameters are applied in exactly the same way for the live ISO and for the installer environment. That is a 
-* **Rationale**: Ensures early activation of protections, reducing exposure to CPU vulnerabilities before the system fully boots.
+deliberate design decision.
 ### 2.1.2. CPU Vulnerability Mitigations
-* **Description**: Enables all known kernel-level mitigations (Spectre, Meltdown, MDS, L1TF, etc.).
+I build the kernels with the relevant mitigations for Spectre, Meltdown, L1TF, MDS, TAA, Retbleed, and related families activated. 
-* **Rationale**: Prevents side-channel attacks that exploit speculative execution, which remain a high-risk vector in
+The ``mitigations=auto,nosmt`` flag ensures that new mitigations integrated into the mainline kernel become effective as they 
-  multi-tenant cloud environments.
+are added, instead of requiring that I micromanage every single toggle. The residual performance cost is acceptable in the 
 context I am targeting; stale mitigations can be revisited, but missing mitigations will not be.
 ### 2.1.3. Kernel Self-Protection
-* **Description**: Activates `CONFIG_DEBUG_RODATA`, `CONFIG_STRICT_MODULE_RWX`, and other self-protections.
+I enable the standard set of self-protection options, such as strict module page permissions, read-only data enforcement, and 
-* **Rationale**: Hardens kernel memory regions against unauthorized writings and enforces stricter module loading policies.
+restrictions around kprobes and BPF. The builder is not a kernel configuration tool, but it carries the expectation that the 
 kernels it runs with are compiled according to this hardening profile. I treat deviations from that profile as unsupported.
 ### 2.1.4. Local Kernel Hardening
-* **Description**: The wrapper `sysp()`provides a function to apply and audit local kernel hardening rules from `/etc/sysctl.d/99_local.hardened`:
+The wrapper `sysp()`provides a function to apply and audit local kernel hardening rules from `/etc/sysctl.d/90-ciss-local.hardened`:
 ````bash
-###########################################################################################
+#######################################
-# Globals: Wrapper for loading CISS.2025 hardened Kernel Parameters
+# Wrapper for loading CISS hardened Kernel Parameters.
 # Arguments:
-#  none
+#   None
-###########################################################################################
+#######################################
 # shellcheck disable=SC2317
 sysp() {
-  sysctl -p /etc/sysctl.d/99_local.hardened
+  sysctl -p /etc/sysctl.d/90-ciss-local.hardened
-  # sleep 1
+  # shellcheck disable=SC2312
-  sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
+  sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
 }
 ````
 * **Key measures loaded by this file include:**
@@ -251,16 +276,36 @@ Once applied, some hardening settings cannot be undone via `sysctl` without a re
 until the next boot. Automatic enforcement at startup is therefore omitted by design—run `sysp()` manually and plan a reboot to 
 apply or revert these controls.
 In case you provide the ``--cdi`` option to the installer, the ``sysp()`` function is automatically applied at the boot process via:
 [9999_cdi_starter.sh](scripts/usr/local/sbin/9999_cdi_starter.sh).
 For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-ciss-local.hardened.md)**
 ## 2.2. Module Blacklisting
 * **Description**: Disables and blacklists non-essential or insecure kernel modules.
 * **Rationale**: Minimizes attack surface by preventing loads of drivers or modules not required by the live environment.
 For further details see: **[30-ciss-hardening.conf.md](docs/documentation/30-ciss-hardening.conf.md)**
 ## 2.3. Network Hardening
-* **Description**: Applies `sysctl` settings (e.g., `net.ipv4.conf.all.rp_filter=1`, `arp_ignore`, `arp_announce`) to restrict
+At the kernel level classical ``sysctl`` settings are applied that defend against spoofing and sloppy network behavior. Reverse path 
-  inbound/outbound traffic behaviors.
+filtering is enabled, ARP handling is pinned down, and loose binding of addresses is discouraged. Where appropriate, IPv6 
-* **Rationale**: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man-in-the-middle on internal networks.
+receives the same level of attention as IPv4. The network stack is switched firmly to ``systemd-networkd`` and ``systemd-resolved``. 
 The hook [0000_basic_chroot_setup.chroot](config/hooks/live/0000_basic_chroot_setup.chroot) removes ``ifupdown``, wires up 
 ``systemd-networkd`` and ``systemd-resolved`` via explicit WantedBy symlinks, and ensures that the stub resolver at ``127.0.0.53``
 is the canonical ``resolv.conf`` target. The same hook writes dedicated configuration snippets:
 ``/etc/systemd/resolved.conf.d/10-ciss-dnssec.conf`` enforces opportunistic ``DNS-over-TLS`` and full ``DNSSEC`` validation 
 while disabling ``LLMNR`` and ``MulticastDNS``.
 This converges the system on a single, hardened DNS resolution path and avoids the common situation where multiple name 
 resolution mechanisms step on each other. Where desired, this resolution chain can be plugged into **CenturionDNS**, a resolver
 infrastructure that I control and that enforces DNSSEC validation, QNAME minimisation, and a curated blocklist. For sensitive 
 deployments, this stack is used as the default.
 For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-ciss-local.hardened.md)**
 ## 2.4. Core Dump & Kernel Hardening
@@ -424,9 +469,12 @@ predictable script behavior.
 # 4. Prerequisites
-* **Host**: Debian Trixie with `live-build` and ``debootstrap`` packages installed.
+To use **``CISS.debian.live.builder``** as intended, the following baseline is expected:<br>
-* **Privileges**: Root or sudo access to execute `ciss_live_builder.sh` and related scripts.
+
-* **Network**: Outbound access to Debian repositories and PTB NTPsec pool.
+* The build host runs Debian 13 Trixie, fully updated. Building a Trixie image on an older or newer release is technically possible but explicitly not supported.
 * The host has the standard live-build stack installed ``live-build``, ``live-boot``, ``live-config``, ``debootstrap`` and the cryptographic tooling required for ``LUKS2``, ``dm-integrity``, ``cryptsetup``, ``gpg``.
 * Disk space must be sufficient to hold the chroot, the temporary build artifacts, and the final ISO with encrypted root. For comfortable work I assume around 30–40 gigabytes of free space.
 * The user running the builder has root privileges and understands that the script is capable of creating, mounting, and manipulating block devices.
 # 5. Installation & Usage
@@ -589,13 +637,22 @@ preview it or run it.
 # 6. Licensing & Compliance
-This repository is fully SPDX-compliant. All source files include appropriate SPDX license identifiers and headers to ensure
+Unless stated otherwise in individual files via SPDX headers, this project is licensed under the European Union Public License (EUPL 1.2).
-clear and unambiguous licensing. You can verify compliance by reviewing the top of each file, which follows the SPDX
+That license is OSI-approved and compatible with internal use in both public sector and private environments. Several files carry
-standard for license expressions and metadata.
+dual or multi-license statements, for example **``LicenseRef-CNCL-1.1``** and / or **``LicenseRef-CCLA-1.1``**, where I offer a 
 non-commercial license for community use and a commercial license for professional integration. The SPDX headers in each file 
 are authoritative. If you plan to integrate **``CISS.debian.live.builder``** into a commercial product or a managed service 
 offering, you should treat these license markers as binding and reach out for a proper agreement where required.
 # 7. Disclaimer
-This README is provided "as-is" without any warranty. Review your organization's policies before deploying to production.
+This repository is designed for well-experienced administrators and security professionals who are comfortable with low-level 
 Linux tooling, cryptography, and automation. It can and will create, format, and encrypt devices. It is entirely possible to 
 destroy data if you use it carelessly. I publish this work in good faith and with a strong focus on correctness and robustness. 
 Nevertheless, there is no warranty of any kind. You are responsible for understanding what you are doing, for validating your 
 own threat model, and for ensuring that this tool fits your regulatory and operational environment. If you treat the builder, and 
 the resulting images with the same discipline with which they were created, you will obtain a hardened, reproducible, and 
 auditable base for serious systems. If you treat them casually, they will not save you from yourself.
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
--- a/REPOSITORY.md
+++ b/REPOSITORY.md
@@ -8,15 +8,15 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.408.2025.11.13<br>
+**Build**: V8.13.768.2025.12.06<br>
-# 2.1. Repository Structure
+# 2. Repository Structure
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **8.13**, Build **V8.13.408.2025.11.13** (as of 2025-10-11)
+**Repository State:** Master Version **8.13**, Build **V8.13.768.2025.12.06** (as of 2025-10-11)
-## 2.2. Top-Level Layout
+## 3.1. Top-Level Layout
 ````text
 CISS.debian.live.builder/
@@ -59,15 +59,15 @@ CISS.debian.live.builder/
 > **Note:** The ISO marker files (`LIVE_ISO.*`) are produced by CI workflows for convenient retrieval of generated images.
-## 2.3. Directory Semantics
+## 3.2. Directory Semantics
-### 2.3.1. `.gitea/` — CI/CD Orchestration
+### 3.2.1. `.gitea/` — CI/CD Orchestration
 - **`workflows/`**: Declarative Gitea Actions to lint shell scripts, render Graphviz/DNSSEC status, and generate **PUBLIC**/**PRIVATE (TRIXIE)** ISOs reproducibly.
 - **`trigger/`**: Manual/auxiliary trigger manifests (`t_generate_PUBLIC.yaml`, `t_generate_PRIVATE_trixie_{0,1}.yaml`, `t_generate_dns.yaml`) to drive pipeline variants.
 - **`ISSUE_TEMPLATE/`**: Issue and pull request templates to standardize change management.
 - **`properties/`** and **`TODO/`**: Auxiliary config fragments (JSON/Lua) and maintenance utilities (e.g., `render-md-to-html.yaml`).
-### 2.3.2. `config/` — Live-Build Configuration
+### 3.2.2. `config/` — Live-Build Configuration
 - **`bootloaders/`**: Boot assets for GRUB in EFI and PC modes, incl. a branded splash image.
 - **`hooks/live/`**: **Ordered** `*.chroot` hooks implementing system configuration and hardening during image creation; the numeric prefixes dictate execution (e.g., `0000_basic_chroot_setup.chroot`, `0810_chrony_setup.chroot`, `0900_ufw_setup.chroot`, `9930_hardening_ssh.chroot`, `9950_hardening_fail2ban.chroot`).
 - **`includes.binary/boot/grub/`**: Static GRUB configuration embedded in the binary image (`config.cfg`).
@@ -77,40 +77,40 @@ CISS.debian.live.builder/
  - `root/` (administrator dotfiles and keys).
 - **`package-lists/`**: Architecture-specific and common package manifests (`amd64`, `arm64`, `common`) used by `live-build`.
-### 2.3.3. `docs/` — Documentation Corpus
+### 3.2.3. `docs/` — Documentation Corpus
 Audit reports (DNSSEC, Lynis, SSH, TLS, Haveged), **BOOTPARAMS**, **CHANGELOG**, **CODING_CONVENTION**, **CONTRIBUTING**, **REFERENCES**; plus `SECURITY/`, `LICENSES/`, architecture diagrams under `graphviz/`, and illustrative `screenshots/`.
-### 2.3.4. `lib/` — Shell Library Modules
+### 3.2.4. `lib/` — Shell Library Modules
 Composable, single-purpose modules used by the wrapper and CI steps (argument parsing and validation, kernel/CPU mitigation checks, provider support, `lb config/build` scaffolding, usage/version banners, sanitization and traps, SSH/root-password hardening, ultra-hardening profile, etc.).
-### 2.3.5. `scripts/` — Operational Helpers
+### 3.2.5. `scripts/` — Operational Helpers
 Ancillary scripts for DHCP supersedes, resolver bootstrapping, and live-boot verification; targeted paths such as `scripts/etc/network/` and `scripts/live-boot/` encapsulate deploy-time adjustments and integrity checks.
-### 2.3.6. `var/` — Variables & Defaults
+### 3.2.6. `var/` — Variables & Defaults
 Layered variable sets (`early.var.sh`, `global.var.sh`, `bash.var.sh`, `color.var.sh`) providing early-boot defaults, global tuning, and TTY/UI niceties.
-## 2.4. Key Files
+## 3.3. Key Files
 - **`ciss_live_builder.sh`** — Primary entrypoint; orchestrates argument parsing, environment preparation, `lb config`/`lb build` execution and post-processing.
 - **`makefile`** & **`config.mk.sample`** — Make-based convenience wrapper and a sample configuration surface.
 - **`README.md`, `SECURITY.md`, `LICENSE`, `CISS.debian.live.builder.spdx`** — Project overview, security policy, licensing, and SPDX manifest for compliance.
 - **ISO markers**: `LIVE_ISO.public`, `LIVE_ISO_TRIXIE_{0,1}.private` reflect CI pipeline outputs.
-## 2.5. Conventions & Build Logic
+## 3.4. Conventions & Build Logic
 - **Hook Ordering**: Numeric prefixes (`0000_…` → `99xx_…`) strictly determine execution sequencing within `config/hooks/live/`. Early hooks establish base state (initramfs modules, checksums), mid-range hooks integrate security services (AppArmor, Chrony/NTPsec, Lynis, UFW, Fail2Ban, SSH auditing), late hooks enforce hardening and cleanup (SSH tightening, memory-dump policies, service disablement).
 - **Binary vs. Chroot Includes**: Assets under `includes.binary/` affect the ISO’s bootloader stage; `includes.chroot/` become part of the runtime filesystem.
 - **Architecture Scoping**: Package lists are split into `*amd64*`, `*arm64*`, and `*common*` to keep images minimal and deterministic.
 - **CI/CD**: Reproducible ISO builds are executed via Gitea workflows; dedicated `trigger/` manifests parameterize public vs. private images and auxiliary rendering jobs (e.g., DNSSEC status, Graphviz diagrams).
-## 2.6. Cross-References (Documentation)
+## 3.5. Cross-References (Documentation)
 - **Boot Parameters**: see `docs/BOOTPARAMS.md`.
 - **Audits**: `docs/AUDIT_*.md` (DNSSEC, Lynis, SSH, TLS, Haveged).
 - **Coding & Contribution**: `docs/CODING_CONVENTION.md`, `docs/CONTRIBUTING.md`.
 - **Change Log & References**: `docs/CHANGELOG.md`, `docs/REFERENCES.md`.
-## 2.7. Licensing & Compliance
+## 3.6. Licensing & Compliance
 The repository is **SPDX-compliant**; source files carry SPDX identifiers. See `CISS.debian.live.builder.spdx` and `LICENSE` for details.
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -20,6 +20,15 @@
 # default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
 # or Cygwin on Windows systems.
 ### RESOURCES
 # https://github.com/koalaman/shellcheck
 # https://github.com/mvdan/sh
 # https://google.github.io/styleguide/shellguide.html
 # https://mywiki.wooledge.org/BashGuide
 # https://styles.goatbytes.io/lang/shell/
 # https://www.bashsupport.com/de/
 # https://www.gnu.org/software/bash/manual/
 ### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES.
 # shellcheck disable=SC2155,SC2249
 declare -agx  ARY_PARAM_ARRAY=("$@")                                     # Arguments passed to script as an array.
--- a/config.mk.sample
+++ b/config.mk.sample
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/bootloaders/grub-efi/grub.cfg
+++ b/config/bootloaders/grub-efi/grub.cfg
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/bootloaders/grub-pc/grub.cfg
+++ b/config/bootloaders/grub-pc/grub.cfg
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/.keep
+++ b/config/hooks/.keep
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/0000_basic_chroot_setup.chroot
+++ b/config/hooks/live/0000_basic_chroot_setup.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -33,7 +33,7 @@ generate_ciss_xdg_profile() {
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -74,7 +74,7 @@ generate_ciss_xdg_sh() {
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -154,7 +154,7 @@ generate_ciss_xdg_tmp_sh() {
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -204,11 +204,11 @@ generate_ciss_xdg_sh
 generate_ciss_xdg_tmp_sh
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get update -qq
 apt-get install -y --no-install-suggests libpam-systemd
 ### Installing microcode updates -----------------------------------------------------------------------------------------------
 if [[ -f /root/.architecture ]]; then
@@ -232,6 +232,58 @@ ln -sf /dev/null /etc/systemd/system/apt-show-versions.timer
 ln -sf /dev/null /etc/systemd/system/apt-show-versions.service
 rm -f /etc/cron.daily/apt-show-versions || true
 ### Remove the original '/usr/lib/live/boot/0030-verify-checksums' -------------------------------------------------------------
 [[ -e /usr/lib/live/boot/0030-verify-checksums ]] && rm -f /usr/lib/live/boot/0030-verify-checksums
 ### Ensure proper 0755 rights for CISS initramfs scripts  ----------------------------------------------------------------------
 find /usr/lib/live/boot -type f -exec chmod 0755 {} +
 [[ -e /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh ]] \
  && chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
 [[ -e /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh ]] \
  && chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
 ### Ensure proper systemd directories exist ------------------------------------------------------------------------------------
 mkdir -p /etc/systemd/resolved.conf.d
 mkdir -p /etc/systemd/system
 mkdir -p /etc/systemd/system/multi-user.target.wants
 mkdir -p /etc/systemd/system/sockets.target.wants
 ### Enable clean systemd-networkd stack ----------------------------------------------------------------------------------------
 apt-get -y purge ifupdown || true
 ln -sf /lib/systemd/system/systemd-networkd.service /etc/systemd/system/multi-user.target.wants/systemd-networkd.service
 ln -sf /lib/systemd/system/systemd-resolved.service /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
 ln -sf /lib/systemd/system/systemd-resolved.socket  /etc/systemd/system/sockets.target.wants/systemd-resolved.socket
 cat << EOF >| /etc/systemd/system/ciss-fix-resolvconf.service
 [Unit]
 Description=Force systemd-resolved stub resolv.conf
 After=network-online.target
 Before=apt-daily.service
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/rm -f /etc/resolv.conf
 ExecStart=/usr/bin/ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
 [Install]
 WantedBy=multi-user.target
 EOF
 ln -sf /etc/systemd/system/ciss-fix-resolvconf.service /etc/systemd/system/multi-user.target.wants/ciss-fix-resolvconf.service
 cat << EOF >| /etc/systemd/resolved.conf.d/10-ciss-dnssec.conf
 [Resolve]
 DNSOverTLS=opportunistic
 DNSSEC=yes
 LLMNR=no
 MulticastDNS=no
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -66,7 +66,7 @@ cat << EOF >| /etc/initramfs-tools/modules
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -208,7 +208,7 @@ cat << EOF >| /etc/initramfs-tools/update-initramfs.conf
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -243,7 +243,7 @@ cat << EOF >| /etc/initramfs-tools/initramfs.conf
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/0002_hardening_overlay_tmpfs.chroot
+++ b/config/hooks/live/0002_hardening_overlay_tmpfs.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -22,7 +22,7 @@ cat << EOF >| /etc/systemd/system/ciss-remount-root.service
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/0003_cdi_autostart.chroot
+++ b/config/hooks/live/0003_cdi_autostart.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -19,17 +19,19 @@ if [[ -f /root/.cdi ]]; then
 [Unit]
 Description=CISS CDI post-boot starter
 Documentation=https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-ConditionPathIsExecutable=/usr/local/sbin/9999_cdi_starter.sh
+ConditionFileIsExecutable=/usr/local/sbin/9999_cdi_starter.sh
 After=live-config.service systemd-user-sessions.service getty.target
-After=network-online.target NetworkManager-wait-online.service systemd-networkd-wait-online.service
+After=network-online.target NetworkManager-wait-online.service
 Wants=network-online.target
 [Service]
-Type=idle
+Type=simple
 RemainAfterExit=yes
 ExecStart=/usr/local/sbin/9999_cdi_starter.sh
-TimeoutStartSec=1min
+TimeoutStartSec=0
 Nice=5
 IOSchedulingClass=best-effort
 IOSchedulingPriority=7
 Environment=LANG=C.UTF-8
 StandardOutput=journal
 StandardError=journal
--- a/config/hooks/live/0007_update_logrotate.chroot
+++ b/config/hooks/live/0007_update_logrotate.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 rm -f         "/etc/logrotate.conf"
 cat << EOF >| "/etc/logrotate.conf"
--- a/config/hooks/live/0010_install_apparmor.chroot
+++ b/config/hooks/live/0010_install_apparmor.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get install -y --no-install-recommends apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra
 install -d /etc/systemd/system/apparmor.service.d
--- a/config/hooks/live/0020_dropbear_build.chroot
+++ b/config/hooks/live/0020_dropbear_build.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 ### Declare Arrays, HashMaps, and Variables.
 declare var_dropbear_version="2025.88"
--- a/config/hooks/live/0021_dropbear_initramfs.chroot
+++ b/config/hooks/live/0021_dropbear_initramfs.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -17,7 +17,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get install -y --no-install-recommends --no-install-suggests cryptsetup-initramfs dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"
 apt-get purge -y dropbear 2>&1 | tee -a "${var_logfile}" || true
@@ -29,9 +30,11 @@ mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /root/.ciss/cdlb/ba
 install -m 0755 -o root -g root /root/dropbear.file /usr/share/initramfs-tools/scripts/init-premount/dropbear
 rm -f /root/dropbear.file
 mkdir -p /root/.ciss/cdlb/backup/usr/sbin
 mv /usr/sbin/dropbear /root/.ciss/cdlb/backup/usr/sbin/dropbear.trixie
 install -m 0755 -o root -g root /root/build/dropbear-2025.88/dropbear /usr/sbin/
 mkdir -p /root/.ciss/cdlb/backup/usr/bin
 for var_file in dbclient dropbearconvert dropbearkey; do
  mv "/usr/bin/${var_file}" "/root/.ciss/cdlb/backup/usr/bin/${var_file}.trixie"
@@ -49,7 +52,7 @@ cat << 'EOF' >| /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -86,7 +89,7 @@ cat << EOF >| /etc/apt/preferences.d/99-mask-dropbear
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -107,7 +110,7 @@ cat << EOF >| /etc/apt/preferences.d/99-mask-dropbear-initramfs
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/0022_dropbear_setup.chroot
+++ b/config/hooks/live/0022_dropbear_setup.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 #######################################
 # Set up the 'dropbear-initramfs' environment.
@@ -39,6 +40,13 @@ dropbear_setup() {
    dropbearconvert openssh dropbear /root/ssh/ssh_host_ed25519_key        /etc/dropbear/initramfs/dropbear_ed25519_host_key
    dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key >| /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub
    if [[ -f /root/ssh/ssh_host_rsa_key ]]; then
      dropbearconvert openssh dropbear /root/ssh/ssh_host_rsa_key          /etc/dropbear/initramfs/dropbear_rsa_host_key
      dropbearkey -y -f /etc/dropbear/initramfs/dropbear_rsa_host_key   >| /etc/dropbear/initramfs/dropbear_rsa_host_key.pub
    fi
  else
    # shellcheck disable=SC2312
@@ -96,7 +104,7 @@ write_dropbear_conf() {
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/0040_ssh_config_setup.chroot
+++ b/config/hooks/live/0040_ssh_config_setup.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -20,7 +20,7 @@ cat << EOF >> /etc/ssh/ssh_config.d/10-sshfp.conf
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/0050_activate_root.chroot
+++ b/config/hooks/live/0050_activate_root.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/0080_keyboard_layout.chroot
+++ b/config/hooks/live/0080_keyboard_layout.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -22,7 +22,8 @@ BACKSPACE="guess"
 EOF
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 dpkg-reconfigure -f noninteractive keyboard-configuration
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
--- a/config/hooks/live/0090_jitterentropy.chroot
+++ b/config/hooks/live/0090_jitterentropy.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get install -y --no-install-recommends jitterentropy-rngd
 cd /root
--- a/config/hooks/live/0100_ciss_mem_wipe.chroot
+++ b/config/hooks/live/0100_ciss_mem_wipe.chroot
@@ -1,209 +0,0 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y --no-install-recommends kexec-tools busybox-static
 install -d -m 0755 /boot/ciss-memwipe
 install -d -m 0755 /usr/local/sbin
 install -d -m 0755 /etc/systemd/system
 install -d -m 0755 /etc/default
 ### Pick a kernel to kexec into: use the latest installed vmlinuz. -------------------------------------------------------------
 # shellcheck disable=SC2012,SC2155
 declare _kernel="$(cd /boot && ls -1 vmlinuz-* | sed 's|vmlinuz-||' | sort -V | tail -n1)"
 cp -f "/boot/vmlinuz-${_kernel}" /boot/ciss-memwipe/vmlinuz
 ### Build minimal initramfs with a busybox and a tiny '/init'. -----------------------------------------------------------------
 declare TMPDIR; TMPDIR="$(mktemp -d)"
 trap 'rm -rf "${TMPDIR}"' EXIT
 mkdir -p "${TMPDIR}"/{bin,dev,proc,sys,wipe}
 cp -f /bin/busybox.static "${TMPDIR}/bin/busybox"
 cat << 'EOF' >| "${TMPDIR}/init"
 #!/bin/busybox sh
 ### Minimal init to wipe RAM, then power off.
 ### Parses cmdline: ciss_wipe_passes=2 ciss_wipe_mode=zero+random ciss_dd_bs=64M ciss_tmpfs_pct=95
 set -eu
 get_arg() { # $1=key ; echoes value or empty
  for tok in $(cat /proc/cmdline); do
    case "${tok}" in
      $1=*) echo "${tok#*=}"; return 0;;
    esac
  done
  echo ""
 }
 mount -t devtmpfs devtmpfs /dev 2>/dev/null || true
 [ -e /dev/console ] || mknod -m 600 /dev/console c 5 1
 [ -e /dev/null ]    || mknod -m 666 /dev/null c 1 3
 [ -e /dev/urandom ] || mknod -m 444 /dev/urandom c 1 9
 mount -t proc proc /proc
 mount -t sysfs sysfs /sys
 PASSES="$(get_arg ciss_wipe_passes)"; [ -n "${PASSES}" ] || PASSES=2
 MODE="$(get_arg ciss_wipe_mode)"; [ -n "${MODE}" ] || MODE="zero+random"
 BS="$(get_arg ciss_dd_bs)"; [ -n "${BS}" ] || BS=64M
 PCT="$(get_arg ciss_tmpfs_pct)"; [ -n "${PCT}" ] || PCT=95
 echo 1 > /proc/sys/kernel/printk 2>/dev/null || true
 MEM_KB="$(awk '/MemTotal:/ {print $2}' /proc/meminfo)"
 SIZE_KB=$(( MEM_KB * PCT / 100 ))
 mount -t tmpfs -o "size=${SIZE_KB}k,nodev,nosuid,noexec,mode=0700" tmpfs /wipe
 wipe_pass() {
  pattern="$1"
  if [ "${pattern}" = "zero" ]; then
    src="/dev/zero"
  else
    src="/dev/urandom"
  fi
  i=0
  while :; do
    busybox dd if="${src}" of="/wipe/block_${i}" bs="${BS}" status=none || break
    i=$((i+1))
  done
  sync
  echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
  rm -f /wipe/block_* 2>/dev/null || true
  sync
 }
 DO_ZERO=0; DO_RANDOM=0
 case "${MODE}" in
  zero) DO_ZERO=1 ;;
  random) DO_RANDOM=1 ;;
  zero+random|random+zero) DO_ZERO=1; DO_RANDOM=1 ;;
  *) DO_ZERO=1 ;;
 esac
 p=1
 while [ ${p} -le "${PASSES}" ]; do
  [ ${DO_ZERO} -eq 1 ] && wipe_pass zero
  [ ${DO_RANDOM} -eq 1 ] && wipe_pass random
  p=$((p+1))
 done
 sync
 busybox poweroff -f || echo o >| /proc/sysrq-trigger
 EOF
 chmod +x "${TMPDIR}/init"
 ( cd "${TMPDIR}" && find . -print0 | cpio --null -ov --format=newc ) | gzip -9 > /boot/ciss-memwipe/initrd.img
 cat << 'EOF' >| /etc/default/ciss-memwipe
 ### CISS Memory Wipe defaults
 CISS_WIPE_PASSES=2           # number of passes
 CISS_WIPE_MODE="zero+random" # zero | random | zero+random
 CISS_WIPE_DD_BS="64M"        # dd block size
 CISS_WIPE_TMPFS_PCT=95       # percentage of MemTotal to allocate
 EOF
 cat << 'EOF' >| /usr/local/sbin/ciss-memwipe
 #!/bin/bash
 # Prepare and execute kexec-based memory wipe.
 set -euo pipefail
 . /etc/default/ciss-memwipe || true
 KERNEL="/boot/ciss-memwipe/vmlinuz"
 INITRD="/boot/ciss-memwipe/initrd.img"
 append_common="quiet loglevel=1 ciss_wipe_passes=${CISS_WIPE_PASSES:-2} ciss_wipe_mode=${CISS_WIPE_MODE:-zero+random} ciss_dd_bs=${CISS_WIPE_DD_BS:-64M} ciss_tmpfs_pct=${CISS_WIPE_TMPFS_PCT:-95}"
 prepare() {
  # Try to allow kexec if not locked down
  if [ -w /proc/sys/kernel/kexec_load_disabled ] && [ "$(cat /proc/sys/kernel/kexec_load_disabled)" = "1" ]; then
    echo 0 > /proc/sys/kernel/kexec_load_disabled || true
  fi
  # Load wipe kernel
  if command -v kexec >/dev/null 2>&1 && [ -s "${KERNEL}" ] && [ -s "${INITRD}" ]; then
    kexec -l "${KERNEL}" --initrd="${INITRD}" --append="${append_common}" || true
  fi
 }
 fallback_inplace() {
  # Last-resort: wipe in-place via tmpfs and then power off
  mount -t tmpfs -o "size=95%,nodev,nosuid,noexec,mode=0700" tmpfs /run/wipe 2>/dev/null || mkdir -p /run/wipe
  i=0
  while :; do
    dd if=/dev/zero of="/run/wipe/blk_${i}" bs="${CISS_WIPE_DD_BS:-64M}" status=none || break
    i=$((i+1))
  done
  sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
  rm -f /run/wipe/blk_* 2>/dev/null || true
  sync
  systemctl poweroff -f || poweroff -f || echo o > /proc/sysrq-trigger
 }
 execute() {
  sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
  # Prefer systemd's path if possible
  if command -v systemctl >/dev/null 2>&1 && systemctl --quiet is-system-running; then
    # If kexec image was loaded, systemctl kexec will use it
    systemctl kexec || kexec -e || fallback_inplace
  else
    kexec -e || fallback_inplace
  fi
 }
 case "${1:-}" in
  prepare) prepare ;;
  execute) execute ;;
  *) echo "Usage: $0 {prepare|execute}" >&2; exit 2 ;;
 esac
 EOF
 chmod 0755 /usr/local/sbin/ciss-memwipe
 ### Systemd service: load at boot, execute on shutdown
 cat << 'EOF' >| /etc/systemd/system/ciss-memwipe.service
 [Unit]
 Description=CISS: preload and execute kexec-based RAM wipe on shutdown
 DefaultDependencies=no
 # Ensure we run late enough on shutdown, but early enough to take over
 Before=shutdown.target
 After=local-fs.target network.target multi-user.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/local/sbin/ciss-memwipe prepare
 # ExecStop runs during shutdown: jump into wipe kernel
 ExecStop=/usr/local/sbin/ciss-memwipe execute
 TimeoutStartSec=20s
 TimeoutStopSec=infinity
 [Install]
 WantedBy=multi-user.target
 EOF
 systemctl enable ciss-memwipe.service
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0120_set_hostname.chroot
+++ b/config/hooks/live/0120_set_hostname.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/0130_machineid.chroot
+++ b/config/hooks/live/0130_machineid.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/0400_eza_install.chroot
+++ b/config/hooks/live/0400_eza_install.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -24,7 +24,8 @@ echo "deb [signed-by=/etc/apt/keyrings/gierens.gpg] http://deb.gierens.de stable
 chmod 644 /etc/apt/keyrings/gierens.gpg /etc/apt/sources.list.d/gierens.list
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get update -qq
 apt-get install -y eza
--- a/config/hooks/live/0800_lynis_setup.chroot
+++ b/config/hooks/live/0800_lynis_setup.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -17,7 +17,8 @@ curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --d
 echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get update -qq
 apt-get install -y lynis
 lynis show version
--- a/config/hooks/live/0810_chrony_setup.chroot
+++ b/config/hooks/live/0810_chrony_setup.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -16,7 +16,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 mkdir -p /var/log/chrony
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 export TZ="Etc/UTC"
 apt-get install -y adjtimex chrony tzdata
@@ -33,7 +34,7 @@ cat << EOF >| /etc/chrony/chrony.conf
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/0820_kernel_hardening_checker.chroot
+++ b/config/hooks/live/0820_kernel_hardening_checker.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/0822_ssh_restart_hook.chroot
+++ b/config/hooks/live/0822_ssh_restart_hook.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -13,36 +13,17 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-cd /root
+mkdir -p /etc/systemd/system/ssh.service.d
 declare target_script="/etc/cron.d/restart-ssh"
-cat << 'EOF' >| "${target_script}"
+cat << EOF >| /etc/systemd/system/ssh.service.d/10-ciss-network.conf
-@reboot root /usr/local/bin/restart-ssh.sh
+[Unit]
 After=network-online.target ufw.service fail2ban.service
 Wants=network-online.target
 [Service]
 ExecStartPre=/bin/sleep 5
 EOF
 chmod 0444 "${target_script}"
 cat << 'EOF' >| /usr/local/bin/restart-ssh.sh
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # Script to restart SSH at boot
 systemctl stop ssh
 sleep 5
 systemctl start ssh
 EOF
 chmod +x /usr/local/bin/restart-ssh.sh
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
--- a/config/hooks/live/0825_my_sqltuner_perl.chroot
+++ b/config/hooks/live/0825_my_sqltuner_perl.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/0830_download_yq.chroot
+++ b/config/hooks/live/0830_download_yq.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/0835_testssl.sh.chroot
+++ b/config/hooks/live/0835_testssl.sh.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
+++ b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && \
 apt-get install -y nodejs
--- a/config/hooks/live/0845_harbian_audit.chroot
+++ b/config/hooks/live/0845_harbian_audit.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/0850_ssh_audit.chroot
+++ b/config/hooks/live/0850_ssh_audit.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/0855_dnsviz.chroot
+++ b/config/hooks/live/0855_dnsviz.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/0860_sops.chroot
+++ b/config/hooks/live/0860_sops.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 SOPS_VER="v3.11.0"
 ARCH="$(dpkg --print-architecture)"
--- a/config/hooks/live/0865_yq.chroot
+++ b/config/hooks/live/0865_yq.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/local/bin/yq && chmod +x /usr/local/bin/yq
--- a/config/hooks/live/0870_bashdb.chroot
+++ b/config/hooks/live/0870_bashdb.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -16,7 +16,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 umask 0077
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get install -y texinfo
--- a/config/hooks/live/0900_ufw_setup.chroot
+++ b/config/hooks/live/0900_ufw_setup.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -41,6 +41,7 @@ if [[ ${UFW_OUT_POLICY,,} == "deny"  ]]; then
  ufw allow out  443/tcp comment 'Outgoing HTTPS'
  ufw allow out  465/tcp comment 'Outgoing SMTPS'
  ufw allow out  587/tcp comment 'Outgoing SMTPS'
  ufw allow out  853/tcp comment 'Outgoing DoT'
  ufw allow out  993/tcp comment 'Outgoing IMAPS'
  ufw allow out 4460/tcp comment 'Outgoing NTS'
  ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH (Custom-Port)'
--- a/config/hooks/live/9900_process_accounting.chroot
+++ b/config/hooks/live/9900_process_accounting.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get install -y acct
 if [[ ! -d /etc/systemd/system/multi-user.target.wants ]]; then
--- a/config/hooks/live/9910_motd.chroot
+++ b/config/hooks/live/9910_motd.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/9920_deleting_invalid_x509.chroot
+++ b/config/hooks/live/9920_deleting_invalid_x509.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/9930_hardening_ssh.chroot
+++ b/config/hooks/live/9930_hardening_ssh.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -36,7 +36,7 @@ else
  ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
  # shellcheck disable=SC2312
-  ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
+  ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
 fi
@@ -44,8 +44,11 @@ chmod 0600 /etc/ssh/ssh_host_*_key
 chown root:root /etc/ssh/ssh_host_*_key
 chmod 0644 /etc/ssh/ssh_host_*_key.pub
 chown root:root /etc/ssh/ssh_host_*_key.pub
 if compgen -G "/etc/ssh/*sha256sum.txt" > /dev/null; then
  chmod 0440 /etc/ssh/*sha256sum.txt
  chown root:root /etc/ssh/*sha256sum.txt
 fi
 awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
 rm -rf /etc/ssh/moduli
@@ -69,7 +72,7 @@ cat << 'EOF' >| /etc/profile.d/idle-users.sh
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/9935_hardening_ssl.chroot
+++ b/config/hooks/live/9935_hardening_ssl.chroot
@@ -0,0 +1,454 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-12-03; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 mkdir -p /root/.ciss/cdlb/backup/etc/ssl
 mv /etc/ssl/openssl.cnf /root/.ciss/cdlb/backup/etc/ssl/openssl.cnf.bak
 cat << 'EOF' >| /etc/ssl/openssl.cnf
 #
 # OpenSSL example configuration file.
 # See doc/man5/config.pod for more information.
 #
 # This is mostly being used for generation of certificate requests,
 # but may be used for autoloading of providers
 # Note that you can include other files from the main configuration
 # file using the .include directive.
 #.include filename
 openssl_conf = default_conf
 # This definition stops the following lines choking if HOME isn't
 # defined.
 HOME			= .
 # Use this to automatically load providers.
 openssl_conf = openssl_init
 # Comment out the next line to ignore configuration errors
 config_diagnostics = 1
 # Extra OBJECT IDENTIFIER information:
 # oid_file       = $ENV::HOME/.oid
 oid_section = new_oids
 # To use this configuration file with the "-extfile" option of the
 # "openssl x509" utility, name here the section containing the
 # X.509v3 extensions to use:
 # extensions		=
 # (Alternatively, use a configuration file that has only
 # X.509v3 extensions in its main [= default] section.)
 [ new_oids ]
 # We can add new OIDs in here for use by 'ca,' 'req,' and 'ts.'
 # Add a simple OID like this:
 # testoid1=1.2.3.4
 # Or use config file substitution like this:
 # testoid2=${testoid1}.5.6
 # Policies used by the TSA examples.
 tsa_policy1 = 1.2.3.4.1
 tsa_policy2 = 1.2.3.4.5.6
 tsa_policy3 = 1.2.3.4.5.7
 # For FIPS
 # Optionally include a file that is generated by the OpenSSL fipsinstall
 # application. This file contains configuration data required by the OpenSSL
 # fips provider. It contains a named section e.g., [fips_sect] which is
 # referenced from the [provider_sect] below.
 # Refer to the OpenSSL security policy for more information.
 # .include fipsmodule.cnf
 [openssl_init]
 providers = provider_sect
 # List of providers to load
 [provider_sect]
 default = default_sect
 # The fips section name should match the section name inside the
 # included fipsmodule.cnf.
 # fips = fips_sect
 # If no providers are activated explicitly, the default one is activated implicitly.
 # See man 7 OSSL_PROVIDER-default for more details.
 #
 # If you add a section explicitly activating any other provider(s), you most
 # probably need to explicitly activate the default provider, otherwise it
 # becomes unavailable in openssl.  As a consequence, applications depending on
 # OpenSSL may not work correctly, which could lead to significant system
 # problems including inability to remotely access the system.
 [default_sect]
 # activate = 1
 ####################################################################
 [ ca ]
 default_ca	= CA_default		# The default ca section
 ####################################################################
 [ CA_default ]
 dir		= ./demoCA		# Where everything is kept
 certs		= $dir/certs		# Where the issued certs are kept
 crl_dir		= $dir/crl		# Where the issued crl are kept
 database	= $dir/index.txt	# database index file.
 #unique_subject	= no			# Set to 'no' to allow creation of several certs with the same subject.
 new_certs_dir	= $dir/newcerts		# default place for new certs.
 certificate	= $dir/cacert.pem 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 crlnumber	= $dir/crlnumber	# the current crl number
 					# must be commented out to leave a V1 CRL
 crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem # The private key
 x509_extensions	= usr_cert		# The extensions to add to the cert
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
 name_opt 	= ca_default		# Subject Name options
 cert_opt 	= ca_default		# Certificate field options
 # Extension copying option: use with caution.
 # copy_extensions = copy
 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
 # so this is commented out by default to leave a V1 CRL.
 # crlnumber must also be commented out to leave a V1 CRL.
 # crl_extensions	= crl_ext
 default_days	= 365			# how long to certify for
 default_crl_days= 30			# how long before next CRL
 default_md	= default		# use public key default MD
 preserve	= no			# keep passed DN ordering
 # A few different ways of specifying how similar the request should look
 # For type CA, the listed attributes must be the same, and the optional
 # and supplied fields are just that.
 policy		= policy_match
 # For the CA policy
 [ policy_match ]
 countryName		= match
 stateOrProvinceName	= match
 organizationName	= match
 organizationalUnitName	= optional
 commonName		= supplied
 emailAddress		= optional
 # For the 'anything' policy
 # At this point in time, you must list all acceptable 'object'
 # types.
 [ policy_anything ]
 countryName		= optional
 stateOrProvinceName	= optional
 localityName		= optional
 organizationName	= optional
 organizationalUnitName	= optional
 commonName		= supplied
 emailAddress		= optional
 ####################################################################
 [ req ]
 default_bits		= 4096
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
 x509_extensions	= v3_ca	# The extensions to add to the self-signed cert
 # Passwords for private keys if not present, they will be prompted for
 # input_password = secret
 # output_password = secret
 # This sets a mask for permitted string types. There are several options.
 # default: PrintableString, T61String, BMPString.
 # pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
 # utf8only: only UTF8Strings (PKIX recommendation after 2004).
 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
 # MASK:XXXX a literal mask value.
 # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
 string_mask = utf8only
 # req_extensions = v3_req # The extensions to add to a certificate request
 [ req_distinguished_name ]
 countryName			= Country Name (2-letter code)
 countryName_default		= AU
 countryName_min			= 2
 countryName_max			= 2
 stateOrProvinceName		= State or Province Name (full name)
 stateOrProvinceName_default	= Some-State
 localityName			= Locality Name (e.g., city)
 0.organizationName		= Organization Name (e.g., company)
 0.organizationName_default	= Internet Widgits Pty Ltd
 # we can do this, but it is unnecessary normally
 #1.organizationName		= Second Organization Name (e.g., company)
 #1.organizationName_default	= World Wide Web Pty Ltd
 organizationalUnitName		= Organizational Unit Name (e.g., section)
 #organizationalUnitName_default	=
 commonName			= Common Name (e.g., server FQDN or YOUR name)
 commonName_max			= 64
 emailAddress			= Email Address
 emailAddress_max		= 64
 # SET-ex3			= SET extension number 3
 [ req_attributes ]
 challengePassword		= A challenge password
 challengePassword_min		= 4
 challengePassword_max		= 20
 unstructuredName		= An optional company name
 [ usr_cert ]
 # These extensions are added when 'ca' signs a request.
 # This goes against PKIX guidelines, but some CAs do it, and some software
 # requires this to avoid interpreting an end user certificate as a CA.
 basicConstraints=CA:FALSE
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
 # subjectAltName=email:copy
 # An alternative to produce certificates that aren't
 # deprecated, according to PKIX.
 # subjectAltName=email:move
 # Copy subject details
 # issuerAltName=issuer:copy
 # This is required for TSA certificates.
 # extendedKeyUsage = critical,timeStamping
 [ v3_req ]
 # Extensions to add to a certificate request
 basicConstraints = CA:FALSE
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 [ v3_ca ]
 # Extensions for a typical CA
 # PKIX recommendation.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
 basicConstraints = critical,CA:true
 # Key usage: this is typical for a CA certificate. However, since it will
 # prevent it being used as a test self-signed certificate, it is best
 # left out by default.
 # keyUsage = cRLSign, keyCertSign
 # Include email address in subject alt name: another PKIX recommendation
 # subjectAltName=email:copy
 # Copy issuer details
 # issuerAltName=issuer:copy
 # DER hex encoding of an extension: beware experts only!
 # obj=DER:02:03
 # Where 'obj' is a standard or added object
 # You can even override a supported extension:
 # basicConstraints= critical, DER:30:03:01:01:FF
 [ crl_ext ]
 # CRL extensions.
 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 # issuerAltName=issuer:copy
 authorityKeyIdentifier=keyid:always
 [ proxy_cert_ext ]
 # These extensions should be added when creating a proxy certificate
 # This goes against PKIX guidelines, but some CAs do it, and some software
 # requires this to avoid interpreting an end user certificate as a CA.
 basicConstraints=CA:FALSE
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
 # subjectAltName=email:copy
 # An alternative to produce certificates that aren't
 # deprecated, according to PKIX.
 # subjectAltName=email:move
 # Copy subject details
 # issuerAltName=issuer:copy
 # This really needs to be in place for it to be a proxy certificate.
 proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
 ####################################################################
 [ tsa ]
 default_tsa = tsa_config1	# the default TSA section
 [ tsa_config1 ]
 # These are used by the TSA reply generation only.
 dir		= ./demoCA		# TSA root directory
 serial		= $dir/tsaserial	# The current serial number (mandatory)
 crypto_device	= builtin		# OpenSSL engine to use for signing
 signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
 					# (optional)
 certs		= $dir/cacert.pem	# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
 signer_digest  = sha256			# Signing digest to use. (Optional)
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
 digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
 accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
 clock_precision_digits  = 0	# number of digits after dot. (optional)
 ordering		= yes	# Is ordering defined for timestamps?
 				# (optional, default: no)
 tsa_name		= yes	# Must the TSA name be included in the reply?
 				# (optional, default: no)
 ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
 				# (optional, default: no)
 ess_cert_id_alg		= sha256	# algorithm to compute certificate
 				# identifier (optional, default: sha256)
 [insta] # CMP using Insta Demo CA
 # Message transfer
 server = pki.certificate.fi:8700
 # proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
 # tls_use = 0
 path = pkix/
 # Server authentication
 recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
 ignore_keyusage = 1 # quirk needed to accept Insta CA cert not including digitalsignature
 unprotected_errors = 1 # quirk needed to accept negative responses possibly not protected
 extracertsout = insta.extracerts.pem
 # Client authentication
 ref = 3078 # user identification
 secret = pass:insta # can be used for both client and server side
 # Generic message options
 cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
 # Certificate enrollment
 subject = "/CN=openssl-cmp-test"
 newkey = insta.priv.pem
 out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature
 certout = insta.cert.pem
 [pbm] # Password-based protection for Insta CA
 # Server and client authentication
 ref = $insta::ref # 3078
 secret = $insta::secret # pass:insta
 [signature] # Signature-based protection for Insta CA
 # Server authentication
 trusted = $insta::out_trusted # apps/insta.ca.crt
 # Client authentication
 secret = # disable the PBM
 key = $insta::newkey # insta.priv.pem
 cert = $insta::certout # insta.cert.pem
 [ir]
 cmd = ir
 [cr]
 cmd = cr
 [kur]
 # Certificate update
 cmd = kur
 oldcert = $insta::certout # insta.cert.pem
 [rr]
 # Certificate revocation
 cmd = rr
 oldcert = $insta::certout # insta.cert.pem
 ##### Added by CISS.debian.live.builder #####
 [default_conf]
 ssl_conf = ssl_sect
 [ssl_sect]
 system_default = system_default_sect
 [system_default_sect]
 # Protocol floor / ceiling:
 # - only TLS 1.2 and 1.3.
 # - TLS 1.3 is FS by design;
 # - TLS 1.2 FS enforced via the cipher list.
 MinProtocol = TLSv1.2
 MaxProtocol = TLSv1.3
 # TLS 1.2 cipher policy:
 # - Forward secrecy only: ECDHE or DHE (no static RSA kx);
 # - AES-256 *GCM* only (no DHE (dheatattack), no AES-128, no CBC);
 # - Keep distro default SECLEVEL=2 explicitly.
 CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:ECDHE+ARIA256-GCM:ECDHE+CAMELLIA256-GCM:!kRSA:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2
 # TLS 1.3 cipher policy: AES-256 and ChaCha20-Poly1305 only:
 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
 # Prefer strong, widely supported ECDHE groups (first = most preferred):
 Groups = X448:P-521:P-384
 SignatureAlgorithms = rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
 # Operational flags:
 # -SessionTicket  : disable TLS session tickets (TLS 1.2 + 1.3)
 # ServerPreference: honor server cipher order (TLS 1.2)
 # NoRenegotiation : disallow TLS 1.2 renegotiation
 Options = -SessionTicket,ServerPreference,NoRenegotiation
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9940_hardening_memory.dump.chroot
+++ b/config/hooks/live/9940_hardening_memory.dump.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -44,7 +44,7 @@ cat << EOF >| /etc/security/limits.d/9999-ciss-coredump-disable.conf
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -65,7 +65,7 @@ cat << EOF >| /etc/systemd/coredump.conf.d/9999-ciss-coredump-disable.conf
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/9950_hardening_fail2ban.chroot
+++ b/config/hooks/live/9950_hardening_fail2ban.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -31,7 +31,7 @@ cat << EOF >| /etc/fail2ban/jail.d/ciss-default.conf
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -130,7 +130,7 @@ cat << EOF >| /etc/fail2ban/filter.d/ciss-ufw.conf
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -150,7 +150,7 @@ cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-sshd-refused.conf
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/9960_disable_services.chroot
+++ b/config/hooks/live/9960_disable_services.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/9970_remove_exim.chroot
+++ b/config/hooks/live/9970_remove_exim.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 cd /etc
--- a/config/hooks/live/9980_usb_guard.chroot
+++ b/config/hooks/live/9980_usb_guard.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get install -y usbguard
 ### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
--- a/config/hooks/live/9990_final_purge.chroot
+++ b/config/hooks/live/9990_final_purge.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -15,7 +15,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get update -qq
--- a/config/hooks/live/9991_file_permissions.chroot
+++ b/config/hooks/live/9991_file_permissions.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/9992_password_expiration.chroot
+++ b/config/hooks/live/9992_password_expiration.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/9993_aide.chroot
+++ b/config/hooks/live/9993_aide.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get install -y aide > /dev/null 2>&1
 cp -u /etc/aide/aide.conf /root/.ciss/cdlb/backup/aide.conf.bak
--- a/config/hooks/live/9994_password_policy.chroot
+++ b/config/hooks/live/9994_password_policy.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -30,7 +30,7 @@ cat << EOF >| /etc/security/pwquality.conf
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/9995_sysstat.chroot
+++ b/config/hooks/live/9995_sysstat.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/9996_auditd.chroot
+++ b/config/hooks/live/9996_auditd.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -26,7 +26,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 cd /root
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get install -y auditd
 cp -u /etc/audit/audit.rules /root/.ciss/cdlb/backup/audit.rules.bak
@@ -362,7 +363,7 @@ cat << EOF >| /etc/systemd/system/audit-rules.service.d/10-ciss.conf
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/9997_debsums.chroot
+++ b/config/hooks/live/9997_debsums.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -16,7 +16,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 cd /root
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get install -y --no-install-recommends debsums
 cp -a /etc/default/debsums /root/.ciss/cdlb/backup/debsums.bak
--- a/config/hooks/live/9998_sources_list_trixie.chroot
+++ b/config/hooks/live/9998_sources_list_trixie.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
@@ -39,7 +40,7 @@ if [[ ! -f /etc/apt/sources.list.d/trixie.sources ]]; then
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -62,7 +63,7 @@ if [[ ! -f /etc/apt/sources.list.d/trixie-security.sources ]]; then
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -85,7 +86,7 @@ if [[ ! -f /etc/apt/sources.list.d/trixie-updates.sources ]]; then
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -109,7 +110,7 @@ if [[ ! -f /etc/apt/sources.list.d/trixie-backports.sources ]]; then
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/9999_yyyy_logrotate.chroot
+++ b/config/hooks/live/9999_yyyy_logrotate.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -34,7 +34,8 @@ declare -ar ary_logrotate=(
 declare     var_file="" var_log=""
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 for var_log in "${ary_logrotate[@]}"; do
--- a/config/hooks/live/9999_zzzz.chroot
+++ b/config/hooks/live/9999_zzzz.chroot
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -18,11 +18,11 @@ declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target"
 ### Remove CDLB artifacts ------------------------------------------------------------------------------------------------------
 rm -f  /root/ciss_xdg_tmp.sh
 rm -fr /root/build
-find / -xdev \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune -o -type f -name '.keep' -exec rm -f -- {} +
+find /etc /home /root /usr /var -type f -name '.keep' -print -delete
-### Securing '/.ciss' ----------------------------------------------------------------------------------------------------------
+### Securing '/root/.ciss' -----------------------------------------------------------------------------------------------------
-find /.ciss -type d -exec chmod 0700 {} +
+find /root/.ciss -type d -exec chmod 0700 {} +
-find /.ciss -type f -exec chmod 0440 {} +
+find /root/.ciss -type f -exec chmod 0440 {} +
 ### Securing '/etc/ciss/keys' --------------------------------------------------------------------------------------------------
 find /etc/ciss/keys -type f -exec chmod 0440 {} +
@@ -30,6 +30,10 @@ find /etc/ciss/keys -type f -exec chmod 0440 {} +
 ### Regenerate the initramfs for the live system kernel ------------------------------------------------------------------------
 update-initramfs -u -k all -v
 ### Prepare '/etc/resolv.conf' for systemd-networkd ----------------------------------------------------------------------------
 rm -f /etc/resolv.conf
 ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
 ### Determine the canonical systemd unit dir inside chroot ---------------------------------------------------------------------
 if [[ -d /lib/systemd/system ]]; then
--- a/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
+++ b/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
@@ -5,12 +5,14 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 __umask=$(umask)
 umask 0077
@@ -57,29 +59,29 @@ preallocate() {
 # shellcheck disable=SC2034
 readonly -f preallocate
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 declare ROOTFS="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs"
 declare LUKSFS="${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt"
 declare KEYFD=""
 # shellcheck disable=SC2155
-declare -i SIZE=$(stat -c%s -- "${ROOTFS}")
+declare -i VAR_ROOTFS_SIZE=$(stat -c%s -- "${ROOTFS}")
 ### Safety margin:
 #   - LUKS2-Header and Metadata
 #   - dm-integrity Overhead (Tags and Journal)
 #   - Filesystem-Slack
 declare -i OVERHEAD_FIXED=$((64 * 1024 * 1024))
-declare -i OVERHEAD_PCT=3
+declare -i OVERHEAD_PCT=2
-declare -i ALIGN_BYTES=$(( 2048 * 1024 ))
+declare -i ALIGN_BYTES=$(( 4096 * 1024 ))
-declare -i BASE_SIZE=$(( SIZE + OVERHEAD_FIXED + (SIZE * OVERHEAD_PCT / 100) ))
+declare -i BASE_SIZE=$(( VAR_ROOTFS_SIZE + OVERHEAD_FIXED + (VAR_ROOTFS_SIZE * OVERHEAD_PCT / 100) ))
-declare -i LUKSFS_SIZE=$(( ( (BASE_SIZE + ALIGN_BYTES - 1) / ALIGN_BYTES ) * ALIGN_BYTES ))
+declare -i VAR_LUKSFS_SIZE=$(( ( (BASE_SIZE + ALIGN_BYTES - 1) / ALIGN_BYTES ) * ALIGN_BYTES ))
-preallocate "${LUKSFS}" "${LUKSFS_SIZE}"
+preallocate "${LUKSFS}" "${VAR_LUKSFS_SIZE}"
 exec {KEYFD}<"${VAR_TMP_SECRET}/luks.txt"
 if [[ "${VAR_CDLB_INSIDE_RUNNER}" == "false" ]]; then
  cryptsetup luksFormat \
    --batch-mode \
    --cipher aes-xts-plain64 \
@@ -97,19 +99,39 @@ cryptsetup luksFormat \
    --verbose \
    "${LUKSFS}"
 elif [[ "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
  cryptsetup luksFormat \
    --batch-mode \
    --cipher aes-xts-plain64 \
    --iter-time 1000 \
    --key-file "/proc/$$/fd/${KEYFD}" \
    --key-size 512 \
    --label crypt_liveiso \
    --luks2-keyslots-size 16777216 \
    --luks2-metadata-size 4194304 \
    --pbkdf argon2id \
    --sector-size 4096 \
    --type luks2 \
    --use-random \
    --verbose \
    "${LUKSFS}"
 fi
 cryptsetup open --key-file "/proc/$$/fd/${KEYFD}" "${LUKSFS}" crypt_liveiso
 # shellcheck disable=SC2155
 declare -i LUKS_FREE=$(blockdev --getsize64 /dev/mapper/crypt_liveiso)
-declare -i SQUASH_FS="${SIZE}"
+declare -i SQUASH_FS="${VAR_ROOTFS_SIZE}"
 if (( LUKS_FREE >= SQUASH_FS )); then
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ LUKS_FREE '%s' >= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}"
+  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ LUKS_FREE '%s' >= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}"
 else
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ LUKS_FREE '%s' <= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" >&2
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ LUKS_FREE '%s' <= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" >&2
  exit 42
 fi
@@ -122,7 +144,7 @@ exec {KEYFD}<&-
 shred -fzu -n 5 -- "${VAR_TMP_SECRET}/luks.txt"
-#rm -f -- "${ROOTFS}"
+rm -f -- "${ROOTFS}"
 umask "${__umask}"
 __umask=""
--- a/config/hooks/normal/.keep
+++ b/config/hooks/normal/.keep
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/includes.binary/boot/grub/config.cfg
+++ b/config/includes.binary/boot/grub/config.cfg
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/includes.chroot/etc/apt/sources.list
+++ b/config/includes.chroot/etc/apt/sources.list
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/includes.chroot/etc/apt/sources.list.d/trixie-backports.sources
+++ b/config/includes.chroot/etc/apt/sources.list.d/trixie-backports.sources
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/includes.chroot/etc/apt/sources.list.d/trixie-security.sources
+++ b/config/includes.chroot/etc/apt/sources.list.d/trixie-security.sources
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/Show More
+++ b/Show More