DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]

X-CI-Metadata: master@c21a25f at 2025-06-17T17:03:36Z on 31b30f152ad6

Generated at : 2025-06-17T17:03:36Z
Runner Host  : 31b30f152ad6
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : c21a25f HEAD -> master

.archive/icon.lib

@@ -2,41 +2,48 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ✅
-🔧
+❌
+⚠️
+🚫
+🔐
+🔒
 🔑
+✍️
 🖥️
+🔄
+🔁
+🌌
+🔵
+💙
+🔍
+💡
+🔧
 🛠️
+🏗
+⚙️
+📐
+🧪
+📩
 📥
 📦
 📑
 📂
-🔒
+📀
-🔐
-⚙️
-❌
-🌌
 🎉
-🖥️
-🔑
-📂
-📩
-🔵
 😺
-🧪
+📉
 📊
 🧾
-📀
+📋
-📉
+🕑
-⏱
 🧠
 📅
-💙
+🎯
-🚫
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.editorconfig

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -12,9 +12,7 @@
 name: "Bug Report"
 about: "Create a report to help us improve"
 title: "[BUG | possible BUG]: "
-labels: "bug:to be reproduced,bug:needs triage/confirmation"
+assignees: "MSW"
-assignees: ""
----
 body:
   # Instructions for the reporter
   - type: markdown
@@ -27,7 +25,7 @@ body:
     attributes:
       label: "Version"
       description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.02.080.2025.05.19"
+      placeholder: "e.g., Master V8.03.768.2025.06.17"
     validations:
       required: true
 

.gitea/ISSUE_TEMPLATE/PULL_REQUEST_TEMPLATE.yaml

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -12,7 +12,7 @@
 name: "Standard-PR"
 about: "Please answer the following questions before submitting the PR."
 title: "[PR]: "
-ref: "master"
+assignees: "MSW"
 body:
   - type: markdown
     attributes:
@@ -48,8 +48,8 @@ body:
       options:
         - label: "My edits contain no tabs, use two-space indentation, and no trailing whitespace"
         - label: "I have read ~/docs/CONTRIBUTING.md and ~/docs/CODING_CONVENTION.md"
-        - label: "I have tested this fix or improvement on ≥2 VMs without issues"
+        - label: "I have tested this fix or improvement on >=2 VMs without issues"
-        - label: "I have tested this new feature on ≥2 VMs with and without it to avoid side effects"
+        - label: "I have tested this new feature on >=2 VMs with and without it to avoid side effects"
         - label: "Documentation and/or 'usage()' and/or 'arg_parser' have been updated for the new feature"
         - label: "I added myself to ~/docs/CREDITS.md (alphabetical) and updated ~/docs/CHANGELOG.md"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/TODO/dockerfile

@@ -0,0 +1,69 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.03.768.2025.06.17
+
+FROM debian:bookworm
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update -y \
+    && apt-get upgrade -y \
+    && apt-get install -y \
+      apt-transport-https \
+      apt-utils \
+      bash \
+      ca-certificates \
+      gnupg \
+      openssl \
+      sudo \
+    && apt-get update -y \
+    && apt-get upgrade -y \
+    && apt-get clean \
+    && apt-get autoremove --purge -y \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir -p /etc/apt/sources.list.d && touch /etc/apt/sources.list.d/bookworm-backports.list \
+    && echo 'deb https://deb.debian.org/debian bookworm-backports main' >| /etc/apt/sources.list.d/bookworm-backports.list \
+    && apt-get update -y \
+    && apt-get upgrade -y \
+    && apt-get install -y --no-install-recommends \
+      autoconf \
+      automake \
+      build-essential \
+      cryptsetup \
+      curl \
+      debootstrap \
+      dosfstools \
+      efibootmgr \
+      gettext \
+      git \
+      haveged \
+      libtool \
+      live-build \
+      parted \
+      pkg-config \
+      ssh \
+      ssl-cert \
+      texinfo \
+      wget \
+      whois \
+    && apt-get clean \
+    && apt-get autoremove --purge -y \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN useradd --create-home --shell /bin/bash runner
+
+WORKDIR /home/runner
+
+USER runner
+
+ENTRYPOINT ["bash"]

.gitea/TODO/generate-iso.yaml

@@ -1,169 +0,0 @@
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-name: Generating private Live ISO.
-
-permissions:
-  contents: write
-
-on:
-  push:
-    branches:
-      - master
-    paths:
-      - '.gitea/autobuild.yaml'
-
-jobs:
-  generating-ciss-debian-live-iso:
-    runs-on: ubuntu-latest
-
-    ### Run all steps inside Debian Bookworm
-    container:
-      image: debian:bookworm
-      options: --user root
-
-    steps:
-      - name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
-        run: |
-          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
-
-          ### Private Key
-          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
-
-          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
-          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
-
-          ### Generate SSH Config for git.coresecret.dev Custom-Port
-          cat <<EOF >| ~/.ssh/config
-          Host git.coresecret.dev
-            HostName git.coresecret.dev
-            Port 42842
-            IdentityFile ~/.ssh/id_ed25519
-            StrictHostKeyChecking yes
-            UserKnownHostsFile ~/.ssh/known_hosts
-          EOF
-          chmod 600 ~/.ssh/config
-
-      ### https://github.com/actions/checkout/issues/1843
-      - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
-        run: |
-          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
-          git fetch --unshallow || echo "Nothing to fetch - already full clone."
-        env:
-          ### GITHUB_REF_NAME contains the branch name from the push event.
-          GITHUB_REF_NAME: ${{ github.ref_name }}
-
-      - name: Cleaning workspace.
-        run: |
-          git reset --hard
-          git clean -fd
-
-      - name: Installing Debian Live-Build and Tools.
-        run: |
-          apt-get update
-          apt-get install -y live-build gnupg curl whois
-
-      - name: Importing "CI PGP DEPLOY ONLY" Key.
-        run: |
-          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
-          mkdir -m700 "${GNUPGHOME}"
-          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
-          gpg --batch --import ci-bot.sec.asc
-          ### Trust the key automatically
-          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
-          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
-
-      - name: Configuring Git for signed CI DEPLOY commits.
-        run: |
-          export GNUPGHOME="$(pwd)/.gnupg"
-          git config user.name "Marc S. Weidner BOT"
-          git config user.email "msw+bot@coresecret.dev"
-          git config commit.gpgsign true
-          git config gpg.program gpg
-          git config gpg.format openpgp
-
-      - name: Preparing Build Environment.
-        run: |
-          rm -rf /opt/{config,livebuild}
-          mkdir -p /opt/{config,livebuild}
-          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
-          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
-          chmod 0600 /opt/config/authorized_keys
-
-      - name: Starting CISS.debian.live.builder.
-        run: |
-          timestamp=$(date -u +"%Y_%m_%d_%H_%M_Z")
-          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
-          ./ciss_live_builder.sh \
-          --autobuild=6.12.22+bpo-amd64 \
-          --architecture amd64 \
-          --build-directory /opt/livebuild \
-          --control "${timestamp}" \
-          --debug \
-          --dhcp-centurion \
-          --jump-host "${{ secrets.CISS_DLB_JUMP_HOSTS }}" \
-          --provider-netcup-ipv6 "${{ secrets.CISS_DLB_NETCUP_IPV6 }}" \
-          --renice-priority "-19" \
-          --reionice-priority 1 2 \
-          --root-password-file /opt/config/password.txt \
-          --ssh-port 4242 \
-          --ssh-pubkey /opt/config
-
-      - name: Uploading ISO to CenturionCloud "cloud.e2ee.li" via WebDAV
-        env:
-          WEBDAV_URL: "https://cloud.e2ee.li/remote.php/dav/files/runner/PUBLIC/CISS-live/NAME.iso"
-          WEBDAV_USER: ${{ secrets.NC_USER }}
-          WEBDAV_PASS: ${{ secrets.NC_PASS }}
-        run: |
-          ### Remove old ISO if exists
-          curl -u "${WEBDAV_USER}:${WEBDAV_PASS}" -X DELETE "${WEBDAV_URL}" || true
-          ### Upload new ISO
-          curl -u "${WEBDAV_USER}:${WEBDAV_PASS}" -T NAME.iso "${WEBDAV_URL}"
-          ### Verify upload
-          HTTP_CODE=$(curl -o /dev/null -s -w "%{http_code}" -u "${WEBDAV_USER}:${WEBDAV_PASS}" "${WEBDAV_URL}")
-          if [ "$HTTP_CODE" -ne 200 ]; then
-            echo "Upload failed with HTTP status ${HTTP_CODE}"
-            exit 1
-          fi
-          echo "ISO successfully uploaded and verified."
-
-      - name: Generating Hash and Signing with Private Key
-        run: |
-          :
-          ### TODO: Implement this function
-
-      - name: Generating Success Message to Push back into Repo
-        run: |
-          :
-          ### TODO: Implement this function
-
-      - name: Stage generated files.
-        run: |
-          git add !!!!!!!!!!!!!
-        env:
-          GIT_SSH_COMMAND: "ssh -p 42842"
-
-      - name: Commit and Sign changes.
-        run: |
-          export GNUPGHOME="$(pwd)/.gnupg"
-          git commit -S -m "DEPLOY BOT: Auto-Generate LIVE ISO [skip ci]" || echo "No Changes, nothing to Sign or to Commit."
-        env:
-          GIT_SSH_COMMAND: "ssh -p 42842"
-
-      - name: Push back to Repository.
-        run: |
-          git push origin HEAD:${GITHUB_REF_NAME}
-        env:
-          GIT_SSH_COMMAND: "ssh -p 42842"
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/TODO/render-md-to-html.yaml

@@ -0,0 +1,241 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.03.768.2025.06.17
+
+name: 🔁 Render README.md to README.html.
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - "README.md"
+      - '.gitea/properties/lua/linkfix.lua'
+
+jobs:
+  render-md-to-html:
+    name: 🔁 Render README.md to README.html.
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        shell: bash
+        run: |
+          set -euo pipefail
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            HostName git.coresecret.dev
+            Port 42842
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        shell: bash
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+      - name: 🛠️ Cleaning the workspace.
+        shell: bash
+        run: |
+          set -euo pipefail
+          git reset --hard
+          git clean -fd
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        shell: bash
+        run: |
+          set -euo pipefail
+          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          export GNUPGHOME="$(pwd)/.gnupg"
+          mkdir -m 700 "${GNUPGHOME}"
+          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+          gpg --batch --import ci-bot.sec.asc
+          ### Trust the key automatically
+          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        shell: bash
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Convert APT sources to HTTPS.
+        shell: bash
+        run: |
+          set -euo pipefail
+          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
+          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
+
+      - name: 🛠️ Install Pandoc & Dependencies.
+        shell: bash
+        run: |
+          set -euo pipefail
+          sudo apt-get update
+          sudo apt-get install -y pandoc
+
+      - name: ⚙️ Ensure .html/ directory exists.
+        shell: bash
+        run:
+          mkdir -p .html
+
+      - name: 🛠️ Render *.md to full standalone HTML.
+        shell: bash
+        run: |
+          set -euo pipefail
+          find . \( -path "*/.*" -prune \) -o -type f -name "*.md" -print  | while read file; do
+            out=$(basename "${file%.md}.html")
+            pandoc -s "${file}" \
+              --metadata title="${file}" \
+              --metadata lang=en \
+              -f gfm+footnotes \
+              -t html5 \
+              --no-highlight \
+              --strip-comments \
+              --wrap=none \
+              --lua-filter=.gitea/properties/lua/linkfix.lua \
+              -o .html/"${out}"
+          done
+
+      - name: 🛠️ Extract HTML fragment for Gitea for *.md.
+        shell: bash
+        run: |
+          set -euo pipefail
+          find . \( -path "*/.*" -prune \) -o -type f -name "README.md" -print | while read file; do
+            out="${file%.md}.html"
+            pandoc "${file}" \
+              -f gfm+footnotes \
+              -t html5 \
+              --no-highlight \
+              --strip-comments \
+              --wrap=none \
+              --lua-filter=.gitea/properties/lua/linkfix.lua \
+              -o "${out}"
+          done
+
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          git add *.html  || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🔁 Auto-Generate *.html from *.md [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 build:
-  counter: 1024
+  counter: 1023
-  version: V8.02.644.2025.05.31
+  version: V8.03.768.2025.06.17
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml

@@ -0,0 +1,15 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+build:
+  counter: 1023
+  version: V8.03.768.2025.06.17
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PUBLIC.yaml

@@ -0,0 +1,15 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+build:
+  counter: 1023
+  version: V8.03.768.2025.06.17
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_dns.yaml

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 build:
-  counter: 1024
+  counter: 1023
-  version: V8.02.644.2025.05.31
+  version: V8.03.768.2025.06.17
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml

@@ -0,0 +1,485 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.03.768.2025.06.17
+
+name: 🔐 Generating a Private Live ISO FLV 0.
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - '.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml'
+
+jobs:
+  generate-private-ciss-debian-live-iso:
+    name: 🔐 Generating a Private Live ISO FLV 0.
+    runs-on: ciss.debian.live.builder.iso.generator
+
+    ### Run all steps inside Debian Bookworm
+    container:
+      image: debian:bookworm
+
+    steps:
+      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
+        run: |
+          apt-get update -y
+          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
+          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
+            >| /etc/apt/sources.list.d/bookworm-backports.list
+          apt-get update -y
+          apt-get upgrade -y
+
+      - name: 🛠️ Installing Build Tools.
+        shell: bash
+        run: |
+          apt-get update -y
+          apt-get install -y \
+            autoconf \
+            automake \
+            build-essential \
+            cryptsetup \
+            curl \
+            debootstrap \
+            dosfstools \
+            efibootmgr \
+            gettext \
+            git \
+            gnupg \
+            haveged \
+            libbz2-dev \
+            zlib1g-dev \
+            liblzma-dev \
+            libtool \
+            live-build \
+            parted \
+            pkg-config \
+            ssh \
+            ssl-cert \
+            sudo \
+            texinfo \
+            wget \
+            whois \
+
+      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
+        shell: bash
+        run: |
+          urls=(
+            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
+          )
+
+          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
+          gpg --batch --import signature_key.asc
+
+          for url in "${urls[@]}"; do
+            archive_name="${url##*/}"
+            pkg_name="${archive_name%.tar.bz2}"
+            echo "🔄 Processing ${pkg_name}"
+            if [[ ! -f "${archive_name}" ]]; then
+              echo "📥 Downloading: '${archive_name}'."
+              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
+                echo "✅ Download successful: '${archive_name}'."
+              else
+                echo "❌ Download NOT successful: '${archive_name}'."
+                exit 1
+              fi
+            else
+              echo "💡 Skipping download, package already exists: '${archive_name}'."
+            fi
+
+            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
+
+            if [[ ! -d "${pkg_name}" ]]; then
+              echo "📂 Extracting: '${archive_name}'."
+              if tar -xjf "${archive_name}"; then
+                echo "✅ Extraction successful: '${archive_name}'."
+              else
+                echo "❌ Extraction not successful: '${archive_name}'."
+                exit 1
+              fi
+            else
+              echo "💡 Skipping directory, already exists: '${pkg_name}'."
+            fi
+
+            echo "🏗️ Build and install the package: '${pkg_name}'."
+            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
+            mkdir -p build
+            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
+
+            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
+            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
+            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
+
+            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
+
+            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
+            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
+            echo "✅ Successful build and installation of '${pkg_name}'."
+            echo "-------------------------------------------------------------------------------------"
+
+          done
+
+          rm -f signature_key.asc
+
+          echo "✅ All packages were built and installed successfully."
+
+          mv_bin=(
+            "/usr/bin/gpg"
+            "/usr/bin/gpg-agent"
+            "/usr/bin/gpgconf"
+            "/usr/bin/gpg-connect-agent"
+            "/usr/bin/gpg-wks-client"
+            "/usr/bin/gpg-preset-passphrase"
+          )
+
+          for bin in "${mv_bin[@]}"; do
+            name="${bin##*/}"
+            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
+              if mv "${bin}" "${bin}.debian-backup"; then
+                echo "✅ Moved successfully: '${bin}'."
+              else
+                echo "❌ Moved NOT successfully: '${bin}'."
+              fi
+            else
+              echo "💡 Does not exist as build binary: '${bin}'."
+            fi
+          done
+
+          for bin in "${mv_bin[@]}"; do
+            name="${bin##*/}"
+            if [[ -f "/usr/local/bin/${name}" ]]; then
+              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
+                echo "✅ 'update-alternatives' successfully: '${bin}'."
+              else
+                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
+              fi
+            else
+              echo "💡 Does not exist: '/usr/local/bin/${name}'."
+            fi
+          done
+
+          sudo ldconfig
+
+          gpgconf --kill all
+          /usr/local/bin/gpg-agent --daemon
+
+      - name: ⚙️ Check GnuPG Version.
+        shell: bash
+        run: |
+          gpg --version
+
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        shell: bash
+        run: |
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            HostName git.coresecret.dev
+            Port 42842
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        shell: bash
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+      - name: 🛠️ Cleaning the workspace.
+        shell: bash
+        run: |
+          git reset --hard
+          git clean -fd
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        shell: bash
+        run: |
+          set -euo pipefail
+          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          export GNUPGHOME="$(pwd)/.gnupg"
+          mkdir -m 700 "${GNUPGHOME}"
+          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
+          gpg --batch --import centurion-root.PUB.asc
+          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+          gpg --batch --import ci-bot.sec.asc
+          ### Trust the key automatically
+          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        shell: bash
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Preparing the build environment.
+        shell: bash
+        run: |
+          set -euo pipefail
+          mkdir -p /opt/config
+          mkdir -p /opt/livebuild
+          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
+          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
+          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
+          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
+
+      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
+        shell: bash
+        run: |
+          set -euo pipefail
+          chmod 0755 ciss_live_builder.sh
+          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
+          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+          ./ciss_live_builder.sh \
+            --autobuild=6.12.30+bpo-amd64 \
+            --architecture amd64 \
+            --build-directory /opt/livebuild \
+            --control "${timestamp}" \
+            --debug \
+            --dhcp-centurion \
+            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
+            --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
+            --root-password-file /opt/config/password.txt \
+            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
+            --ssh-pubkey /opt/config
+
+      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
+        run: |
+          set -euo pipefail
+          SHARE_SUBDIR=""
+
+          echo "📥 Get directory listing via PROPFIND ..."
+          curl -s \
+          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          -X PROPFIND \
+          -H "Depth: 1" \
+          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+          -o propfind_public.xml
+
+          echo "📥 Filter .iso files from the PROPFIND response ..."
+          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
+
+          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+            echo "💡 Old ISO files found and deleted :"
+            while IFS= read -r href; do
+              FILE_URL="${NC_BASE}${href}"
+              echo "  Delete: ${FILE_URL}"
+              if curl -s \
+                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+                  -X DELETE "${FILE_URL}"; then
+                echo "    ✅ Successfully deleted: $(basename "${href}")"
+              else
+                echo "    ❌ Error: $(basename "${href}") could not be deleted"
+              fi
+            done < public_iso_list.txt
+          else
+            echo "💡 No old ISO files found to delete."
+          fi
+
+      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
+        run: |
+          set -euo pipefail
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+            echo "✅ New ISO successfully uploaded."
+          else
+            echo "❌ Uploading the new ISO failed."
+            exit 1
+          fi
+
+      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
+        shell: bash
+        run: |
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
+          touch "${VAR_ISO_FILE_SHA512}"
+          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
+          touch "${SIGNATURE_FILE}"
+          export GNUPGHOME="$(pwd)/.gnupg"
+          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          PRIVATE_FILE="LIVE_ISO_FLV_0.private"
+          touch "${PRIVATE_FILE}"
+          cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+
+          CISS.debian.live.builder ISO :
+            "${VAR_ISO_FILE_NAME}"
+          CISS.debian.live.builder ISO sha512 :
+            "${VAR_ISO_FILE_SHA512}"
+          CISS.debian.live.builder ISO sha512 sign :
+            $(< "${SIGNATURE_FILE}")
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LIVE_ISO_FLV_0.private"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 0 [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml

@@ -0,0 +1,482 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.03.768.2025.06.17
+
+name: 🔐 Generating a Private Live ISO FLV 1.
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - '.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml'
+
+jobs:
+  generate-private-ciss-debian-live-iso:
+    name: 🔐 Generating a Private Live ISO FLV 1.
+    runs-on: ciss.debian.live.builder.iso.generator
+
+    ### Run all steps inside Debian Bookworm
+    container:
+      image: debian:bookworm
+
+    steps:
+      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
+        run: |
+          apt-get update -y
+          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
+          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
+            >| /etc/apt/sources.list.d/bookworm-backports.list
+          apt-get update -y
+          apt-get upgrade -y
+
+      - name: 🛠️ Installing Build Tools.
+        shell: bash
+        run: |
+          apt-get update -y
+          apt-get install -y \
+            autoconf \
+            automake \
+            build-essential \
+            cryptsetup \
+            curl \
+            debootstrap \
+            dosfstools \
+            efibootmgr \
+            gettext \
+            git \
+            gnupg \
+            haveged \
+            libbz2-dev \
+            zlib1g-dev \
+            liblzma-dev \
+            libtool \
+            live-build \
+            parted \
+            pkg-config \
+            ssh \
+            ssl-cert \
+            sudo \
+            texinfo \
+            wget \
+            whois \
+
+      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
+        shell: bash
+        run: |
+          urls=(
+            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
+          )
+
+          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
+          gpg --batch --import signature_key.asc
+
+          for url in "${urls[@]}"; do
+            archive_name="${url##*/}"
+            pkg_name="${archive_name%.tar.bz2}"
+            echo "🔄 Processing ${pkg_name}"
+            if [[ ! -f "${archive_name}" ]]; then
+              echo "📥 Downloading: '${archive_name}'."
+              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
+                echo "✅ Download successful: '${archive_name}'."
+              else
+                echo "❌ Download NOT successful: '${archive_name}'."
+                exit 1
+              fi
+            else
+              echo "💡 Skipping download, package already exists: '${archive_name}'."
+            fi
+
+            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
+
+            if [[ ! -d "${pkg_name}" ]]; then
+              echo "📂 Extracting: '${archive_name}'."
+              if tar -xjf "${archive_name}"; then
+                echo "✅ Extraction successful: '${archive_name}'."
+              else
+                echo "❌ Extraction not successful: '${archive_name}'."
+                exit 1
+              fi
+            else
+              echo "💡 Skipping directory, already exists: '${pkg_name}'."
+            fi
+
+            echo "🏗️ Build and install the package: '${pkg_name}'."
+            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
+            mkdir -p build
+            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
+
+            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
+            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
+            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
+
+            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
+
+            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
+            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
+            echo "✅ Successful build and installation of '${pkg_name}'."
+            echo "-------------------------------------------------------------------------------------"
+
+          done
+
+          rm -f signature_key.asc
+
+          echo "✅ All packages were built and installed successfully."
+
+          mv_bin=(
+            "/usr/bin/gpg"
+            "/usr/bin/gpg-agent"
+            "/usr/bin/gpgconf"
+            "/usr/bin/gpg-connect-agent"
+            "/usr/bin/gpg-wks-client"
+            "/usr/bin/gpg-preset-passphrase"
+          )
+
+          for bin in "${mv_bin[@]}"; do
+            name="${bin##*/}"
+            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
+              if mv "${bin}" "${bin}.debian-backup"; then
+                echo "✅ Moved successfully: '${bin}'."
+              else
+                echo "❌ Moved NOT successfully: '${bin}'."
+              fi
+            else
+              echo "💡 Does not exist as build binary: '${bin}'."
+            fi
+          done
+
+          for bin in "${mv_bin[@]}"; do
+            name="${bin##*/}"
+            if [[ -f "/usr/local/bin/${name}" ]]; then
+              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
+                echo "✅ 'update-alternatives' successfully: '${bin}'."
+              else
+                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
+              fi
+            else
+              echo "💡 Does not exist: '/usr/local/bin/${name}'."
+            fi
+          done
+
+          sudo ldconfig
+
+          gpgconf --kill all
+          /usr/local/bin/gpg-agent --daemon
+
+      - name: ⚙️ Check GnuPG Version.
+        shell: bash
+        run: |
+          gpg --version
+
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        shell: bash
+        run: |
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            HostName git.coresecret.dev
+            Port 42842
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        shell: bash
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+      - name: 🛠️ Cleaning the workspace.
+        shell: bash
+        run: |
+          git reset --hard
+          git clean -fd
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        shell: bash
+        run: |
+          set -euo pipefail
+          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          export GNUPGHOME="$(pwd)/.gnupg"
+          mkdir -m 700 "${GNUPGHOME}"
+          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
+          gpg --batch --import centurion-root.PUB.asc
+          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+          gpg --batch --import ci-bot.sec.asc
+          ### Trust the key automatically
+          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        shell: bash
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Preparing the build environment.
+        shell: bash
+        run: |
+          set -euo pipefail
+          mkdir -p /opt/config
+          mkdir -p /opt/livebuild
+          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
+          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
+          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt
+          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys
+
+      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
+        shell: bash
+        run: |
+          set -euo pipefail
+          chmod 0755 ciss_live_builder.sh
+          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
+          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+          ./ciss_live_builder.sh \
+            --autobuild=6.12.30+bpo-amd64 \
+            --architecture amd64 \
+            --build-directory /opt/livebuild \
+            --control "${timestamp}" \
+            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
+            --root-password-file /opt/config/password.txt \
+            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
+            --ssh-pubkey /opt/config
+
+      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
+        run: |
+          set -euo pipefail
+          SHARE_SUBDIR=""
+
+          echo "📥 Get directory listing via PROPFIND ..."
+          curl -s \
+          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          -X PROPFIND \
+          -H "Depth: 1" \
+          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+          -o propfind_public.xml
+
+          echo "📥 Filter .iso files from the PROPFIND response ..."
+          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
+
+          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+            echo "💡 Old ISO files found and deleted :"
+            while IFS= read -r href; do
+              FILE_URL="${NC_BASE}${href}"
+              echo "  Delete: ${FILE_URL}"
+              if curl -s \
+                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+                  -X DELETE "${FILE_URL}"; then
+                echo "    ✅ Successfully deleted: $(basename "${href}")"
+              else
+                echo "    ❌ Error: $(basename "${href}") could not be deleted"
+              fi
+            done < public_iso_list.txt
+          else
+            echo "💡 No old ISO files found to delete."
+          fi
+
+      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
+        run: |
+          set -euo pipefail
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+            echo "✅ New ISO successfully uploaded."
+          else
+            echo "❌ Uploading the new ISO failed."
+            exit 1
+          fi
+
+      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
+        shell: bash
+        run: |
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
+          touch "${VAR_ISO_FILE_SHA512}"
+          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
+          touch "${SIGNATURE_FILE}"
+          export GNUPGHOME="$(pwd)/.gnupg"
+          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          PRIVATE_FILE="LIVE_ISO_FLV_1.private"
+          touch "${PRIVATE_FILE}"
+          cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+
+          CISS.debian.live.builder ISO :
+            "${VAR_ISO_FILE_NAME}"
+          CISS.debian.live.builder ISO sha512 :
+            "${VAR_ISO_FILE_SHA512}"
+          CISS.debian.live.builder ISO sha512 sign :
+            $(< "${SIGNATURE_FILE}")
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LIVE_ISO_FLV_1.private"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 1 [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PUBLIC_iso.yaml

@@ -0,0 +1,482 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.03.768.2025.06.17
+
+name: 💙 Generating a PUBLIC Live ISO.
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - '.gitea/trigger/t_generate_PUBLIC.yaml'
+
+jobs:
+  generate-private-ciss-debian-live-iso:
+    name: 💙 Generating a PUBLIC Live ISO.
+    runs-on: ciss.debian.live.builder.iso.generator
+
+    ### Run all steps inside Debian Bookworm
+    container:
+      image: debian:bookworm
+
+    steps:
+      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
+        run: |
+          apt-get update -y
+          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
+          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
+            >| /etc/apt/sources.list.d/bookworm-backports.list
+          apt-get update -y
+          apt-get upgrade -y
+
+      - name: 🛠️ Installing Build Tools.
+        shell: bash
+        run: |
+          apt-get update -y
+          apt-get install -y \
+            autoconf \
+            automake \
+            build-essential \
+            cryptsetup \
+            curl \
+            debootstrap \
+            dosfstools \
+            efibootmgr \
+            gettext \
+            git \
+            gnupg \
+            haveged \
+            libbz2-dev \
+            zlib1g-dev \
+            liblzma-dev \
+            libtool \
+            live-build \
+            parted \
+            pkg-config \
+            ssh \
+            ssl-cert \
+            sudo \
+            texinfo \
+            wget \
+            whois \
+
+      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
+        shell: bash
+        run: |
+          urls=(
+            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
+          )
+
+          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
+          gpg --batch --import signature_key.asc
+
+          for url in "${urls[@]}"; do
+            archive_name="${url##*/}"
+            pkg_name="${archive_name%.tar.bz2}"
+            echo "🔄 Processing ${pkg_name}"
+            if [[ ! -f "${archive_name}" ]]; then
+              echo "📥 Downloading: '${archive_name}'."
+              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
+                echo "✅ Download successful: '${archive_name}'."
+              else
+                echo "❌ Download NOT successful: '${archive_name}'."
+                exit 1
+              fi
+            else
+              echo "💡 Skipping download, package already exists: '${archive_name}'."
+            fi
+
+            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
+
+            if [[ ! -d "${pkg_name}" ]]; then
+              echo "📂 Extracting: '${archive_name}'."
+              if tar -xjf "${archive_name}"; then
+                echo "✅ Extraction successful: '${archive_name}'."
+              else
+                echo "❌ Extraction not successful: '${archive_name}'."
+                exit 1
+              fi
+            else
+              echo "💡 Skipping directory, already exists: '${pkg_name}'."
+            fi
+
+            echo "🏗️ Build and install the package: '${pkg_name}'."
+            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
+            mkdir -p build
+            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
+
+            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
+            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
+            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
+
+            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
+
+            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
+            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
+            echo "✅ Successful build and installation of '${pkg_name}'."
+            echo "-------------------------------------------------------------------------------------"
+
+          done
+
+          rm -f signature_key.asc
+
+          echo "✅ All packages were built and installed successfully."
+
+          mv_bin=(
+            "/usr/bin/gpg"
+            "/usr/bin/gpg-agent"
+            "/usr/bin/gpgconf"
+            "/usr/bin/gpg-connect-agent"
+            "/usr/bin/gpg-wks-client"
+            "/usr/bin/gpg-preset-passphrase"
+          )
+
+          for bin in "${mv_bin[@]}"; do
+            name="${bin##*/}"
+            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
+              if mv "${bin}" "${bin}.debian-backup"; then
+                echo "✅ Moved successfully: '${bin}'."
+              else
+                echo "❌ Moved NOT successfully: '${bin}'."
+              fi
+            else
+              echo "💡 Does not exist as build binary: '${bin}'."
+            fi
+          done
+
+          for bin in "${mv_bin[@]}"; do
+            name="${bin##*/}"
+            if [[ -f "/usr/local/bin/${name}" ]]; then
+              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
+                echo "✅ 'update-alternatives' successfully: '${bin}'."
+              else
+                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
+              fi
+            else
+              echo "💡 Does not exist: '/usr/local/bin/${name}'."
+            fi
+          done
+
+          sudo ldconfig
+
+          gpgconf --kill all
+          /usr/local/bin/gpg-agent --daemon
+
+      - name: ⚙️ Check GnuPG Version.
+        shell: bash
+        run: |
+          gpg --version
+
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        shell: bash
+        run: |
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            HostName git.coresecret.dev
+            Port 42842
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        shell: bash
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+      - name: 🛠️ Cleaning the workspace.
+        shell: bash
+        run: |
+          git reset --hard
+          git clean -fd
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        shell: bash
+        run: |
+          set -euo pipefail
+          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          export GNUPGHOME="$(pwd)/.gnupg"
+          mkdir -m 700 "${GNUPGHOME}"
+          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
+          gpg --batch --import centurion-root.PUB.asc
+          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+          gpg --batch --import ci-bot.sec.asc
+          ### Trust the key automatically
+          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        shell: bash
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Preparing the build environment.
+        shell: bash
+        run: |
+          set -euo pipefail
+          mkdir -p /opt/config
+          mkdir -p /opt/livebuild
+          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
+          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
+          echo 'Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH' >| /opt/config/password.txt
+          echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY' >| /opt/config/authorized_keys
+
+      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
+        shell: bash
+        run: |
+          set -euo pipefail
+          sed -i '/^hardening_ssh.*/d' ciss_live_builder.sh
+          chmod 0755 ciss_live_builder.sh
+          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
+          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+          ./ciss_live_builder.sh \
+            --autobuild=6.12.30+bpo-amd64 \
+            --architecture amd64 \
+            --build-directory /opt/livebuild \
+            --control "${timestamp}" \
+            --root-password-file /opt/config/password.txt \
+            --ssh-port 42137 \
+            --ssh-pubkey /opt/config
+
+      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
+        run: |
+          set -euo pipefail
+          SHARE_SUBDIR=""
+
+          echo "📥 Get directory listing via PROPFIND ..."
+          curl -s \
+          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          -X PROPFIND \
+          -H "Depth: 1" \
+          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+          -o propfind_public.xml
+
+          echo "📥 Filter .iso files from the PROPFIND response ..."
+          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
+
+          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+            echo "💡 Old ISO files found and deleted :"
+            while IFS= read -r href; do
+              FILE_URL="${NC_BASE}${href}"
+              echo "  Delete: ${FILE_URL}"
+              if curl -s \
+                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+                  -X DELETE "${FILE_URL}"; then
+                echo "    ✅ Successfully deleted: $(basename "${href}")"
+              else
+                echo "    ❌ Error: $(basename "${href}") could not be deleted"
+              fi
+            done < public_iso_list.txt
+          else
+            echo "💡 No old ISO files found to delete."
+          fi
+
+      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
+        run: |
+          set -euo pipefail
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+            echo "✅ New ISO successfully uploaded."
+          else
+            echo "❌ Uploading the new ISO failed."
+            exit 1
+          fi
+
+      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
+        shell: bash
+        run: |
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
+          touch "${VAR_ISO_FILE_SHA512}"
+          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
+          touch "${SIGNATURE_FILE}"
+          export GNUPGHOME="$(pwd)/.gnupg"
+          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          PRIVATE_FILE="LIVE_ISO.public"
+          touch "${PRIVATE_FILE}"
+          cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+
+          CISS.debian.live.builder ISO :
+            "${VAR_ISO_FILE_NAME}"
+          CISS.debian.live.builder ISO sha512 :
+            "${VAR_ISO_FILE_SHA512}"
+          CISS.debian.live.builder ISO sha512 sign :
+            $(< "${SIGNATURE_FILE}")
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LIVE_ISO.public"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/linter_char_scripts.yaml

@@ -0,0 +1,339 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.03.768.2025.06.17
+
+# Gitea Workflow: Shell-Script Linting
+#
+# This workflow scans all '*.sh', '*.zsh', '*.chroot' and all files with Shebang (#!) for:
+# 1. Windows CRLF line endings
+# 2. unauthorized control characters (C0 control characters except \t, \n)
+# 3. non-ASCII (ambiguous UTF) characters
+#
+# Findings are collected and at the end of the run with file, line number,
+# and the respective character in the Runner output.
+
+name: 🛡️ Shell Script Linting
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  shell-script-linter:
+    name: 🛡️ Shell Script Linting
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        shell: bash
+        run: |
+          set -euo pipefail
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            HostName git.coresecret.dev
+            Port 42842
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        shell: bash
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+      - name: 🛠️ Cleaning the workspace.
+        shell: bash
+        run: |
+          set -euo pipefail
+          git reset --hard
+          git clean -fd
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        shell: bash
+        run: |
+          set -euo pipefail
+          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          export GNUPGHOME="$(pwd)/.gnupg"
+          mkdir -m 700 "${GNUPGHOME}"
+          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+          gpg --batch --import ci-bot.sec.asc
+          ### Trust the key automatically
+          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        shell: bash
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Convert APT sources to HTTPS.
+        shell: bash
+        run: |
+          set -euo pipefail
+          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
+          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
+
+      - name: 🛠️ Install dependencies.
+        shell: bash
+        run: |
+          ### Install grep with Perl-regex support, falls noch nicht vorhanden
+          apt-get update
+          apt-get upgrade -y
+          apt-get install -y grep
+
+      - name: 🔍 Lint shell scripts
+        shell: bash
+        run: |
+          # -------------------------------
+          # STEP 1: Find target files.
+          #
+          # We capture:
+          # - All files '*.sh', '*.zsh', '*.chroot'
+          # - All files whose first line begins with "#!" (shebang)
+          # -------------------------------
+          mapfile -t files_to_check < <(
+            find . \
+              -path './.git' -prune -o \
+              -type f \( \
+                -iname '*.sh' -o \
+                -iname '*.zsh' -o \
+                -iname '*.chroot' -o \
+                -exec grep -Iq '^#!' {} \; \
+              \) -print
+          )
+
+          # -------------------------------
+          # STEP 2: Regex definitions
+          #
+          # - CRLF_REGEX           Carriage Return (\r) for Windows CRLF
+          # - CTRL_REGEX           C0 control characters except Tab (\x09) and Newline (\x0A)
+          #   - Range:             [\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]
+          # - NON_ASCII_REGEX      All bytes -> 0x7F, except emoji characters in defined ranges
+          #
+          # Emoji ranges that we exclude:
+          # - \x{1F300}-\x{1F5FF}  Misc Symbols & Pictographs
+          # - \x{1F600}-\x{1F64F}  Emoticons
+          # - \x{1F680}-\x{1F6FF}  Transport & Map Symbols
+          # - \x{1F900}-\x{1F9FF}  Supplemental Symbols & Pictographs
+          # - \x{2600}-\x{26FF}    Miscellaneous Symbols
+          # - \x{2700}-\x{27BF}    Dingbats
+          # -------------------------------
+
+          CRLF_REGEX=$'\r'
+          CTRL_REGEX='[\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]'
+          NON_ASCII_REGEX='(?![\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}])[^\x00-\x7F]'
+
+          # -------------------------------
+          # STEP 3: Accumulator for findings
+          # -------------------------------
+          findings=""
+
+          # -------------------------------
+          # STEP 4: Perform all checks for each file
+          # -------------------------------
+          for file in "${files_to_check[@]}"; do
+            #
+            # 4.1: CRLF detection
+            #      grep -nP returns "lineno:<line with CR>"
+            # -------------------------------
+            while IFS=: read -r lineno _rest; do
+              findings+="${file}: CRLF-found at line ${lineno}: <CR>"$'\n'
+            done < <(grep -nP "${CRLF_REGEX}" "${file}" || true)
+
+            #
+            # 4.2: Unallowed control characters
+            #      grep -nP -o returns "lineno:<matched-char>"
+            # -------------------------------
+            while IFS=: read -r lineno char; do
+              findings+="${file}: control-char at line ${lineno}: ${char}"$'\n'
+            done < <(grep -nP -o "${CTRL_REGEX}" "${file}" || true)
+
+            #
+            # 4.3: Non-ASCII characters with emoji exception
+            #      grep -nP -o returns "lineno:<matched-char>"
+            # -------------------------------
+            while IFS=: read -r lineno char; do
+              findings+="${file}: non-ascii at line ${lineno}: ${char}"$'\n'
+            done < <(grep -nP -o "${NON_ASCII_REGEX}" "${file}" || true)
+          done
+
+          # -------------------------------
+          # STEP 5: Output results
+          # -------------------------------
+          if [[ -n "${findings}" ]]; then
+            echo -e "⚠️ Linting issues detected:\n"
+            echo -e "${findings}"
+            timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+            PRIVATE_FILE="LINTER_RESULTS.txt"
+            touch "${PRIVATE_FILE}"
+            cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+
+          ⚠️ The last linter check was NOT successful. ⚠️
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+          else
+            echo "✅ No issues found in shell scripts."
+            timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+            PRIVATE_FILE="LINTER_RESULTS.txt"
+            touch "${PRIVATE_FILE}"
+            cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+
+          ✅ The last linter check was successful. ✅
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+          fi
+
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LINTER_RESULTS.txt"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🛡️ Shell Script Linting [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/render-dnssec-status.yaml

@@ -2,14 +2,16 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-name: Retrieve the DNSSEC status at the time of updating the repository.
+### Version Master V8.03.768.2025.06.17
+
+name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 
 permissions:
   contents: write
@@ -23,13 +25,15 @@ on:
 
 jobs:
   build-dnssec-diagram:
-    name: Retrieve the DNSSEC status at the time of updating the repository.
+    name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
     runs-on: ubuntu-latest
+
     steps:
-      - name: Prepare SSH Setup, SSH Deploy Key, Known Hosts, config.
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        shell: bash
         run: |
-          rm -rf ~/.ssh
+          set -euo pipefail
-          mkdir -p ~/.ssh
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
 
           ### Private Key
           echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
@@ -51,31 +55,27 @@ jobs:
           chmod 600 ~/.ssh/config
 
       ### https://github.com/actions/checkout/issues/1843
-      - name: Use manual clone via SSH to circumvent Gitea SHA-256 object issues.
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
-        run: |
+        shell: bash
-          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
-          git fetch --unshallow || echo "Nothing to fetch - already full clone."
         env:
           ### GITHUB_REF_NAME contains the branch name from the push event.
           GITHUB_REF_NAME: ${{ github.ref_name }}
-
-      - name: Clean workspace.
         run: |
+          set -euo pipefail
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+      - name: 🛠️ Cleaning the workspace.
+        shell: bash
+        run: |
+          set -euo pipefail
           git reset --hard
           git clean -fd
 
-      - name: Convert APT sources to HTTPS.
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        run: |
+        shell: bash
-          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
-          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
-
-      - name: Install DNSViz.
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y dnsviz
-
-      - name: Import CI PGP DEPLOY ONLY Key.
         run: |
+          set -euo pipefail
           ### GPG-Home relative to the Runner Workspace to avoid changing global files.
           export GNUPGHOME="$(pwd)/.gnupg"
           mkdir -m 700 "${GNUPGHOME}"
@@ -84,10 +84,11 @@ jobs:
           ### Trust the key automatically
           KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
           echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
-        shell: bash
 
-      - name: Configure Git for signed CI DEPLOY commits.
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        shell: bash
         run: |
+          set -euo pipefail
           export GNUPGHOME="$(pwd)/.gnupg"
           git config user.name "Marc S. Weidner BOT"
           git config user.email "msw+bot@coresecret.dev"
@@ -95,37 +96,123 @@ jobs:
           git config gpg.program gpg
           git config gpg.format openpgp
 
-      - name: Ensure docs/SECURITY/ directory exists.
+      - name: ⚙️ Convert APT sources to HTTPS.
+        shell: bash
+        run: |
+          set -euo pipefail
+          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
+          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
+
+      - name: 🛠️ Install DNSViz.
+        shell: bash
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y dnsviz
+
+      - name: ⚙️ Ensure docs/SECURITY/ directory exists.
+        shell: bash
         run: |
           mkdir -p docs/SECURITY/
           rm -f docs/SECURITY/coresecret.dev.png
 
-      - name: Prepare DNS Cache.
+      - name: 🛠️ Prepare DNS Cache.
+        shell: bash
         run: |
           sudo apt-get install -y dnsutils
           dig +dnssec +multi coresecret.dev @8.8.8.8
 
-      - name: Retrieve Zone Dump and generate .png Visualization.
+      - name: 🛠️ Retrieve Zone Dump and generate .png Visualization.
+        shell: bash
         run: |
           dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json
           dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png
 
-      - name: Stage generated files.
+      - name: 🚧 Stash local changes (including untracked).
-        run: |
+        shell: bash
-          git add docs/SECURITY/*.png
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
-
-      - name: Commit and Sign changes.
         run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
           export GNUPGHOME="$(pwd)/.gnupg"
-          git commit -S -m "DEPLOY BOT: Auto-Generate DNSSEC Status [skip ci]" || echo "No Changes, nothing to Sign or to Commit."
-        env:
-          GIT_SSH_COMMAND: "ssh -p 42842"
 
-      - name: Push back to Repository.
+          echo "🔄 Fetching origin/master ..."
-        run: |
+          git fetch origin master
-          git push origin HEAD:${GITHUB_REF_NAME}
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          git add docs/SECURITY/*.png || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🛡️ Auto-Generate DNSSEC Status [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+      # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/render-dot-to-png.yaml

@@ -0,0 +1,211 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.03.768.2025.06.17
+
+name: 🔁 Render Graphviz Diagrams.
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - "**/*.gv"
+      - "**/*.dot"
+
+jobs:
+  build-graphiz-diagrams:
+    name: 🔁 Render Graphviz Diagrams.
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        shell: bash
+        run: |
+          set -euo pipefail
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            HostName git.coresecret.dev
+            Port 42842
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        shell: bash
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+      - name: 🛠️ Cleaning the workspace.
+        shell: bash
+        run: |
+          set -euo pipefail
+          git reset --hard
+          git clean -fd
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        shell: bash
+        run: |
+          set -euo pipefail
+          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          export GNUPGHOME="$(pwd)/.gnupg"
+          mkdir -m 700 "${GNUPGHOME}"
+          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+          gpg --batch --import ci-bot.sec.asc
+          ### Trust the key automatically
+          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        shell: bash
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Convert APT sources to HTTPS.
+        shell: bash
+        run: |
+          set -euo pipefail
+          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
+          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
+
+      - name: 🛠️ Install Graphviz.
+        shell: bash
+        run: |
+          set -euo pipefail
+          sudo apt-get update
+          sudo apt-get install -y graphviz
+
+      - name: 🛠️ Render all .dot / .gv to PNG.
+        shell: bash
+        run: |
+          set -euo pipefail
+          find . -type f \( -name "*.dot" -o -name "*.gv" \) | while read file; do
+            out="${file%.*}.png"
+            dot -Tpng "${file}" -o "${out}"
+          done
+
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          git add *.png || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🔁 Auto-Generate PNG from *.dot. [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitignore

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

.version.properties

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -10,10 +10,10 @@
 # SPDX-Security-Contact: security@coresecret.eu
 properties_SPDX-Version="3.0"
 properties_SPDX-ExternalRef="GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git"
-properties_SPDX-FileCopyrightText="2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>"
+properties_SPDX-FileCopyrightText="2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>"
 properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
-properties_SPDX-LicenseComment="This file is part of the CISS.hardened.installer framework."
+properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.02.644.2025.05.31"
+properties_version="V8.03.768.2025.06.17"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

CISS.debian.live.builder.spdx

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.02.644.2025.05.31
+PackageVersion: Master V8.03.768.2025.06.17
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

LINTER_RESULTS.txt

@@ -0,0 +1,16 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+This file was automatically generated by the DEPLOY BOT on: "2025-06-17T17:03:33Z".
+
+✅ The last linter check was successful. ✅
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO.public

@@ -0,0 +1,27 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+This file was automatically generated by the DEPLOY BOT on: "2025-06-17T14:54:34Z".
+
+CISS.debian.live.builder ISO :
+  "ciss-debian-live-2025_06_17T14_12_22Z-amd64.hybrid.iso"
+CISS.debian.live.builder ISO sha512 :
+  "ciss-debian-live-2025_06_17T14_12_22Z-amd64.hybrid.iso.sha512"
+CISS.debian.live.builder ISO sha512 sign :
+  -----BEGIN PGP SIGNATURE-----
+
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFGBqgAKCRA85KY4hzOw
+IYthAQDYHWvmctdnn39QGj0cdLgPkqMd3JTtC+goiM2BO6UAoQD/SM4ObHSBQ9ZO
+tQ5Wj5SzmMyMqFB9UIFizaEH0RcBEgk=
+=zTxU
+-----END PGP SIGNATURE-----
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_FLV_0.private

@@ -0,0 +1,27 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+This file was automatically generated by the DEPLOY BOT on: "2025-06-17T13:12:03Z".
+
+CISS.debian.live.builder ISO :
+  "ciss-debian-live-2025_06_17T12_29_48Z-amd64.hybrid.iso"
+CISS.debian.live.builder ISO sha512 :
+  "ciss-debian-live-2025_06_17T12_29_48Z-amd64.hybrid.iso.sha512"
+CISS.debian.live.builder ISO sha512 sign :
+  -----BEGIN PGP SIGNATURE-----
+
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFFpowAKCRA85KY4hzOw
+IQmsAQC7nsyQvaiBPjFjze0arnTSyJ0X45OElMH6vwWeOPCYwgEAgoPURpD9KBWX
+TDSR3bhZqdaFTJYAQfguXxDI0wff8Aw=
+=BqaA
+-----END PGP SIGNATURE-----
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_FLV_1.private

@@ -0,0 +1,27 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+This file was automatically generated by the DEPLOY BOT on: "2025-06-17T14:03:33Z".
+
+CISS.debian.live.builder ISO :
+  "ciss-debian-live-2025_06_17T13_20_50Z-amd64.hybrid.iso"
+CISS.debian.live.builder ISO sha512 :
+  "ciss-debian-live-2025_06_17T13_20_50Z-amd64.hybrid.iso.sha512"
+CISS.debian.live.builder ISO sha512 sign :
+  -----BEGIN PGP SIGNATURE-----
+
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFF1tQAKCRA85KY4hzOw
+IbsWAP9Zk6J3kFfRVASMGnT4h2Joak31pmX5p3Ron4mRDserMgEArhu1axOkGlyI
+MPD3Zw/YEZeRSRtGLPFPfEEq8zAmIQo=
+=b16D
+-----END PGP SIGNATURE-----
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

README.md

@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.02.644.2025.05.31-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.768.2025.06.17-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
@@ -25,35 +25,50 @@ include_toc: true
 
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.02<br>
+**Master Version**: 8.03<br>
-**Build**: V8.02.644.2025.05.31<br>
+**Build**: V8.03.768.2025.06.17<br>
 
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
-cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`.
+cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`. Additionally, automated CI workflows 
+based on Gitea Actions are provided, enabling reproducible ISO generation. A generic ISO is automatically built upon significant
+changes and made publicly available for download. The latest generic ISO is available at:
+**[PUBLIC CISS.debian.live.ISO](/docs/DL_PUB_ISO.md)**
 
 Check out more:
 * [CenturionNet Services](https://coresecret.eu/cnet/) 
-* [CenturionDNS Resolver](https://dns.eddns.eu/)
+* [CenturionDNS Resolver](https://eddns.eu/)
 * [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt) 
 * [CenturionNet Status](https://uptime.coresecret.eu/) 
 * [CenturionMeet](https://talk.e2ee.li/) 
 * [Contact the author](https://coresecret.eu/contact/)
 
-## 1.1. Notes
+## 1.1. Preliminary Remarks
 
 ### 1.1.1. HSM
 Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. The next step is to 
 move to a room-gapped environment. ^^
 
-### 1.1.2. HSTS and DNSSEC
+### 1.1.2. DNSSEC, HSTS, TLS
 
 Please note that `coresecret.dev` is included in the [(HSTS Preload List)](https://hstspreload.org/) and always serves the headers:
 ````nginx configuration pro
 add_header Expect-CT                 "max-age=86400, enforce"                       always;
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 ````
-Additionally, the entire zone is dual-signed with DNSSEC. See the current DNSSEC status at [DNSSEC Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_DNSSEC.md)
+
+* Additionally, the entire zone is dual-signed with **DNSSEC**. See the current **DNSSEC** status at: **[DNSSEC Audit Report](/docs/AUDIT_DNSSEC.md)**
+* A comprehensive TLS audit of the **`git.coresecret.dev`** Gitea server is also available. See: **[TLS Audit Report](/docs/AUDIT_TLS.md)**
+* The infrastructure of the **`CISS.debian.live.builder`** building system is visualized here. See: **[Centurion Net](/docs/CNET.md)**
+
+### 1.1.3. Gitea Action Runner Hardening
+
+The CI runners operate on a dedicated host system located in a completely separate Autonomous System (AS). This host is solely 
+dedicated to providing CI runners and does not perform any other tasks. Each runner is hermetically isolated from others using 
+non-privileged, shell-less user accounts with no direct login capability. Additionally, each runner executes within its own 
+separate directory tree, employs `DynamicUser` features, and adheres to strict systemd hardening policies (achieving a ``systemd-analyze security`` 
+rating of **``2.6``**). Docker containers used by runners do not run in privileged mode. Security is further enhanced through the use 
+of both UFW software firewalls and dedicated hardware firewall appliances.
 
 ## 1.2. Immutable Source-of-Truth System
 
@@ -81,18 +96,18 @@ source-defined infrastructure logic.<br>
 
 After build and configuration, the following audit reports can be generated:
 
-* **Haveged Audit Report**: Validates entropy daemon health and confirms '/dev/random' seeding performance.
+* **Haveged Audit Report**: Validates entropy daemon health and confirms `/dev/random` seeding performance.
-  Type `chkhvg` at the prompt. See example report: [Haveged Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_HAVEGED.md)
+  Type `chkhvg` at the prompt. See example report: **[Haveged Audit Report](/docs/AUDIT_HAVEGED.md)**
 * **Lynis Audit Report**: Outputs a detailed security score and recommendations, confirming a 91%+ hardening baseline.
-  Type `lsadt` at the prompt. See example report: [Lynis Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_LYNIS.md)
+  Type `lsadt` at the prompt. See example report: **[Lynis Audit Report](/docs/AUDIT_LYNIS.md)**
 * **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations.
-  Type `ssh-audit <IP>:<PORT>`. See example report: [SSH Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_SSH.md)
+  Type `ssh-audit <IP>:<PORT>`. See example report: **[SSH Audit Report](/docs/AUDIT_SSH.md)**
 
-## 1.2. Preview
+## 1.3. Preview
 
 ![CISS.debian.live.builder](/docs/screenshots/CISS.debian.live.builder_preview.jpeg)
 
-## 1.3. Caution. Significant information for those considering using D-I.
+## 1.4. Caution. Significant information for those considering using D-I.
 
 **The Debian Installer (d-i) will ALWAYS boot a new system.**<br>
 
@@ -106,7 +121,7 @@ The following happens in all cases:
 * The installer kernel (/install/vmlinuz) + initrd.gz are started.
 * The existing live system is exited.
 * The memory is overwritten.
-* All running processes – e.g., firewall, hardened SSH access, etc. pp. – cease to exist.
+* All running processes - e.g., firewall, hardened SSH access, etc. pp. - cease to exist.
 
 The Debian Installer loads:
 * its own kernel,
@@ -123,6 +138,17 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 * Logging (rsyslog, journald) ✘ not active,
 * preseed control over the network is possible (but without any protection).
 
+## 1.5. Versioning Schema
+
+This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
+
+Example: `8.03.384.2025.06.03`
+
+`x.y.z` represents major (x), minor (y), and patch (z) version increments.
+
+Date (YYYY.MM.DD) denotes the build or release date, facilitating clear tracking of incremental changes and ensuring 
+reproducibility and traceability.
+
 # 2. Features & Rationale
 
 Below is a breakdown of each hardening component, with a summary of why each is critical to your security posture.
@@ -131,7 +157,7 @@ Below is a breakdown of each hardening component, with a summary of why each is
 
 ### 2.1.1. Boot Parameters
 
-* **Description**: Customizes kernel command‑line flags to disable unused features and enable mitigations.
+* **Description**: Customizes kernel command-line flags to disable unused features and enable mitigations.
 * **Key Parameters**:
   * `audit_backlog_limit=8192`: Ensures the audit subsystem can queue up to 8192 events to avoid dropped logs under heavy loads.
   * `audit=1`: Enables kernel auditing from boot to record system calls and security events.
@@ -171,12 +197,12 @@ Below is a breakdown of each hardening component, with a summary of why each is
 ### 2.1.2. CPU Vulnerability Mitigations
 
 * **Description**: Enables all known kernel-level mitigations (Spectre, Meltdown, MDS, L1TF, etc.).
-* **Rationale**: Prevents side‑channel attacks that exploit speculative execution, which remain a high‑risk vector in
+* **Rationale**: Prevents side-channel attacks that exploit speculative execution, which remain a high-risk vector in
-  multi‑tenant cloud environments.
+  multi-tenant cloud environments.
 
 ### 2.1.3. Kernel Self-Protection
 
-* **Description**: Activates `CONFIG_DEBUG_RODATA`, `CONFIG_STRICT_MODULE_RWX`, and other self‑protections.
+* **Description**: Activates `CONFIG_DEBUG_RODATA`, `CONFIG_STRICT_MODULE_RWX`, and other self-protections.
 * **Rationale**: Hardens kernel memory regions against unauthorized writings and enforces stricter module loading policies.
 
 ### 2.1.4. Local Kernel Hardening
@@ -210,14 +236,14 @@ apply or revert these controls.
 
 ## 2.2. Module Blacklisting
 
-* **Description**: Disables and blacklists non‑essential or insecure kernel modules.
+* **Description**: Disables and blacklists non-essential or insecure kernel modules.
 * **Rationale**: Minimizes attack surface by preventing loads of drivers or modules not required by the live environment.
 
 ## 2.3. Network Hardening
 
 * **Description**: Applies `sysctl` settings (e.g., `net.ipv4.conf.all.rp_filter=1`, `arp_ignore`, `arp_announce`) to restrict
   inbound/outbound traffic behaviors.
-* **Rationale**: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man‑in‑the‑middle on internal networks.
+* **Rationale**: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man-in-the-middle on internal networks.
 
 ## 2.4. Core Dump & Kernel Hardening
 
@@ -234,7 +260,7 @@ apply or revert these controls.
 ## 2.6. Permissions & Authentication
 
 * **Description**: Sets strict directory and file permissions, integrates with PAM modules (e.g., `pam_faillock`).
-* **Rationale**: Enforces the principle of least privilege at file‑system level and strengthens authentication policies.
+* **Rationale**: Enforces the principle of least privilege at file-system level and strengthens authentication policies.
 
 ## 2.7. High-Security Baseline (Lynis Audit)
 
@@ -248,11 +274,11 @@ apply or revert these controls.
 * **Description**: The SSH tunnel and access are secured through multiple layers of defense:
   * **Firewall Restriction**: ufw allows connections only from defined jump host or VPN exit node IPs.
   * **TCP Wrappers**: `/etc/hosts.allow` and `/etc/hosts.deny` enforce an `ALL: ALL` deny policy, permitting only specified hosts.
-  * **One‑Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/centurion-default.conf` immediately bans any host 
+  * **One-Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/centurion-default.conf` immediately bans any host 
     that touches closed ports. 
     * Additionally, the `fail2ban` service is hardened as well according to:
     [Arch Linux Wiki Fail2ban Hardening](https://wiki.archlinux.org/title/fail2ban#Service_hardening) 
-  * **SSH Ultra‑Hardening**: The `/etc/sshd_config` enforces strict cryptographic and connection controls with respect to 
+  * **SSH Ultra-Hardening**: The `/etc/sshd_config` enforces strict cryptographic and connection controls with respect to 
     [SSH Audit Guide Debian 12](https://www.ssh-audit.com/hardening_guides.html#debian_12):
     * `RekeyLimit 1G 1h`
     * `HostKey /etc/ssh/ssh_host_ed25519_key`
@@ -277,7 +303,7 @@ apply or revert these controls.
 ## 2.9. UFW Hardening
 
 * **Description**: Defaults to `deny incoming` and (optionally) `deny outgoing`; automatically opens only whitelisted ports.
-* **Rationale**: Implements a default‑deny firewall, reducing lateral movement and data exfiltration risks immediately after
+* **Rationale**: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after
   deployment.
 
 ## 2.10. Fail2Ban Enhancements
@@ -286,13 +312,13 @@ apply or revert these controls.
   * Bans any connection to a closed port for 24 hours
   * Automatically ignores designated bastion/jump host subnets
   * Hardened via `systemd` policy override to limit privileges of the Fail2Ban service itself
-* **Rationale**: Provides proactive defense against port scans and brute‑force attacks, while isolating the ban daemon in a
+* **Rationale**: Provides proactive defense against port scans and brute-force attacks, while isolating the ban daemon in a
-  minimal‑privilege context.
+  minimal-privilege context.
 
 ## 2.11. NTPsec & Chrony
 
 * **Description**: Installs `chrony`, selects PTB NTPsec servers by default.
-* **Rationale**: Ensures tamper‑resistant time synchronization, which is essential for log integrity, certificate validation,
+* **Rationale**: Ensures tamper-resistant time synchronization, which is essential for log integrity, certificate validation,
   and forensic accuracy.
 
 # 3. Script Features & Rationale
@@ -379,9 +405,16 @@ predictable script behavior.
    git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
    cd CISS.debian.live.builder
    ```
-2. Edit the '.gitea/workflows/generate-iso.yaml' file according to your requirements.
+2. Preparation:
+   1. Ensure you are root.
+   2. Create the build directory `mkdir /opt/livebuild`.
+   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
+   4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
+   5. Make any other changes you need to.
+3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
 
    ```yaml
+   chmod 0700 ./ciss_live_builder.sh
    ./ciss_live_builder.sh --architecture amd64 \
                           --build-directory /opt/livebuild \
                           --change-splash hexagon \
@@ -396,16 +429,78 @@ predictable script behavior.
                           --ssh-port 4242 \
                           --ssh-pubkey /opt/gitea/CISS.debian.live.builder
    ```
-3. Locate your ISO in the `--build-directory`.
+4. Locate your ISO in the `--build-directory`.
-4. Boot from the ISO and login to the live image via the console, or the multi-layer secured coresecret SSH tunnel.
+5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
-5. Type `sysp` for the final kernel hardening features.
+6. Type `sysp` for the final kernel hardening features.
-6. Check the boot log with `jboot` and via `ssf` that all services are up.
+7. Check the boot log with `jboot` and via `ssf` that all services are up.
-7. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit.
+8. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit.
-8. Type `celp` for some shortcuts.
+9. Type `celp` for some shortcuts.
 
 # 5.2. CI/CD Gitea Runner Workflow Example
 
-1. tba
+1. Clone the repository:
+
+   ```bash
+   git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+   cd CISS.debian.live.builder
+   ```
+2. Edit the `.gitea/workflows/generate-iso.yaml` file according to your requirements. Ensure that the trigger file
+   `.gitea/trigger/t_generate.iso.yaml` and the counter are updated. Change all the necessary `{{ secrets.VAR }}`.
+   Push your commits to trigger the workflow. Then download your final ISO from the specified Location.
+
+  ```yaml
+  #...
+      steps:
+        - name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+          run: |
+            rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+            ### Private Key
+            echo "${{ secrets.CHANGE_ME }}" >| ~/.ssh/id_ed25519
+            chmod 600 ~/.ssh/id_ed25519
+  #...
+        ### https://github.com/actions/checkout/issues/1843
+        - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+          run: |
+            git clone --branch "${GITHUB_REF_NAME}" ssh://git@CHANGE_ME .
+  #...
+        - name: Importing the 'CI PGP DEPLOY ONLY' key.
+          run: |
+            ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+            export GNUPGHOME="$(pwd)/.gnupg"
+            mkdir -m700 "${GNUPGHOME}"
+            echo "${{ secrets.CHANGE_ME }}" >| ci-bot.sec.asc
+  #...
+        - name: Configuring Git for signed CI/DEPLOY commits.
+          run: |
+            export GNUPGHOME="$(pwd)/.gnupg"
+            git config user.name "CHANGE_ME"
+            git config user.email "CHANGE_ME"
+  #...
+        - name: Preparing the build environment.
+          run: |
+            mkdir -p /opt/config
+            mkdir -p /opt/livebuild
+            echo "${{ secrets.CHANGE_ME }}" >| /opt/config/password.txt
+            echo "${{ secrets.CHANGE_ME }}" >| /opt/config/authorized_keys
+  #...
+        - name: Starting CISS.debian.live.builder. This may take a while ...
+          run: |
+            chmod 0700 ciss_live_builder.sh && chown root:root ciss_live_builder.sh
+            timestamp=$(date -u +"%Y_%m_%d_%H_%M_Z")
+            ### Change "--autobuild=" to the specific kernel version you need: '6.12.22+bpo-amd64'.
+            ./ciss_live_builder.sh \
+              --autobuild=CHANGE_ME \
+              --architecture CHANGE_ME \
+              --build-directory /opt/livebuild \
+              --control "${timestamp}" \
+              --jump-host "${{ secrets.CHANGE_ME }}" \
+              --root-password-file /opt/config/password.txt \
+              --ssh-port CHANGE_ME \
+              --ssh-pubkey /opt/config
+  #...
+        ### SKIP OR CHANGE ALL REMAINING STEPS
+  ```
 
 # 6. Licensing & Compliance
 
@@ -415,7 +510,7 @@ standard for license expressions and metadata.
 
 # 7. Disclaimer
 
-This README is provided "as‑is" without any warranty. Review your organization's policies before deploying to production.
+This README is provided "as-is" without any warranty. Review your organization's policies before deploying to production.
 
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**

ciss_live_builder.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -40,7 +40,8 @@
 
 declare -g VAR_HANDLER_AUTOBUILD="false"
 declare -gr VAR_CONTACT="security@coresecret.eu"
-declare -gr VAR_VERSION="Master V8.02.644.2025.05.31"
+declare -gr VAR_VERSION="Master V8.03.768.2025.06.17"
+for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *) PATH="${PATH}:${dir}" ;; esac; done; export PATH; unset dir
 
 ### VERY EARLY CHECK FOR AUTO-BUILD, CONTACT, USAGE, AND VERSION STRING
 declare arg
@@ -101,7 +102,9 @@ declare -gr ARGUMENTS_COUNT="$#"
 declare -gr ARG_STR_ORG_INPUT="$*"
 #declare -ar ARG_ARY_ORG_INPUT=("$@")
 # shellcheck disable=SC2155
-declare -gr SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
+declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
+# shellcheck disable=SC2155
+declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
 # shellcheck disable=SC2155
 declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 

config/bootloaders/grub-efi/grub.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/bootloaders/grub-pc/grub.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0000_generate_backup_dir.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0001_initramfs_modules.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -48,7 +48,7 @@ cat << EOF >| /etc/initramfs-tools/modules
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -113,7 +113,7 @@ cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -148,7 +148,7 @@ cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -207,9 +207,9 @@ COMPRESS=zstd
 # Defaults vary by compressor.
 #
 # Valid values are:
-# 1–9 for gzip|bzip2|lzma|lzop
+# 1-9 for gzip|bzip2|lzma|lzop
-# 0–9 for  lz4|xz
+# 0-9 for  lz4|xz
-# 0–19 for zstd
+# 0-19 for zstd
 # COMPRESSLEVEL=3
 
 #
@@ -253,7 +253,7 @@ cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/0002_verify_checksums.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -27,7 +27,7 @@ cat << 'EOF' >| "${src}"
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/0003_install_backports.chroot

@@ -0,0 +1,39 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -C -e -u -o pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+# sleep 1
+
+DEBIAN_FRONTEND=noninteractive \
+  apt-get update && \
+    DEBIAN_FRONTEND=noninteractive \
+      apt-get install -y --no-install-recommends \
+        -o Dpkg::Options::="--force-confdef" \
+        -o Dpkg::Options::="--force-confold" \
+        -t bookworm-backports \
+        btrfs-progs \
+        curl \
+        debootstrap \
+        iproute2 \
+        ncat \
+        nmap \
+        ssh \
+        systemd \
+        systemd-sysv \
+        whois
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+# sleep 1
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0050_activate_root.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/0080_keyboard_layout.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0090_haveged.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0120_set_hostname.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0130_machineid.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0400_eza_install.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -133,14 +133,6 @@ symlink_path: {foreground: Cyan}
 control_char: {foreground: Red}
 broken_symlink: {foreground: Red}
 broken_path_overlay: {foreground: Default, is_underlined: true}
-
-filenames:
-  # Custom filename-based overrides
-  # Cargo.toml: {icon: {glyph: 🦀}}
-
-extensions:
-  # Custom extension-based overrides
-  # rs: {filename: {foreground: Red}, icon: {glyph: 🦀}}
 EOF
 
 chmod 0644 "/root/eza-themes/themes/centurion.yml"

config/hooks/live/0800_lynis_setup.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0810_chrony_setup.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0820_kernel_hardening_checker.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0822_ssh_restart_hook.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -29,7 +29,7 @@ cat << 'EOF' >| /usr/local/bin/restart-ssh.sh
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0825_my_sqltuner_perl.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0830_download_yq.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0835_testssl.sh.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0845_harbian_audit.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0850_ssh_audit.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/0855_dnsviz.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/0900_ufw_setup.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/9900_process_accounting.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/9910_motd.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/9920_deleting_invalid_x509.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/9930_hardening_ssh.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/9940_hardening_memory.dump.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/9950_fail2ban_hardening.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -30,7 +30,7 @@ cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
@@ -46,7 +46,7 @@ findtime  = 24h
 bantime   = 24h
 
 ### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
-###               Jump host mistyped 1–3 times: no ban, only after four attempts          [sshd]
+###               Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]
 
 [sshd]
 enabled   = true

config/hooks/live/9960_disable_services.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/9970_remove_exim.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/9980_usb_guard.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/9985_clamav.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -32,8 +32,8 @@ ReadOnlyPaths=/
 ReadWritePaths=/var/lib/clamav /var/log/clamav /var/run/clamav /run/clamav
 
 MemoryDenyWriteExecute=yes
-MemoryLimit=512M
+#MemoryLimit=4096M
-CPUShares=512
+#CPUShares=512
 
 RestrictAddressFamilies=AF_INET AF_INET6
 RestrictNamespaces=yes
@@ -58,8 +58,8 @@ ReadOnlyPaths=/
 ReadWritePaths=/var/lib/clamav /var/log/clamav /var/run/clamav
 
 MemoryDenyWriteExecute=yes
-MemoryLimit=512M
+#MemoryLimit=4096M
-CPUShares=512
+#CPUShares=512
 
 RestrictAddressFamilies=AF_INET AF_INET6
 RestrictNamespaces=yes

config/hooks/live/9990_final_purge.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -16,13 +16,13 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 
 apt-get update -y
 
-apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config \
+apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
-qemu-guest-agent rmail sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
+#sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
 
-apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config \
+apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
-qemu-guest-agent rmail sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
+#sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
 
-dpkg --get-selections | grep deinstall >> /tmp/deinstall.log || true
+dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true
 
 if [[ -s /tmp/deinstall.log ]]; then
   printf "\n"

config/hooks/live/9991_file_permissions.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -39,6 +39,7 @@ EOF
 
 cp -a /etc/login.defs /root/.ciss/dlb/backup/login.defs.bak
 
+sed -ri 's/^(#?LOGIN_TIMEOUT)[[:space:]]+[0-9]+/\1 180/' /etc/login.defs
 sed -i 's/UMASK		022/UMASK		077/' /etc/login.defs
 sed -i 's/PASS_MAX_DAYS	99999/PASS_MAX_DAYS	16384/' /etc/login.defs
 sed -i 's/PASS_MIN_DAYS	0/PASS_MIN_DAYS	1/' /etc/login.defs

config/hooks/live/9992_password_expiration.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/9993_aide.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -14,12 +14,12 @@ set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 
-apt-get install -y aide
+apt-get install -y aide > /dev/null 2>&1
 
 cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
 sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf
 
-if aideinit; then
+if aideinit > /dev/null 2>&1; then
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'aideinit' successful. \e[0m\n"
 else
   printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'aideinit' NOT successful. \e[0m\n" >&2

config/hooks/live/9994_password_policy.chroot

@@ -3,15 +3,15 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### NIST recommends at least eight characters but advises longer passphrases (e.g., 12–64) for increased security.
+### NIST recommends at least eight characters but advises longer passphrases (e.g., 12-64) for increased security.
-### NIST SP 800–63B, https://pages.nist.gov/800-63-3/sp800-63b.html
+### NIST SP 800-63B, https://pages.nist.gov/800-63-3/sp800-63b.html
 
 set -C -e -u -o pipefail
 
@@ -26,7 +26,7 @@ cat << 'EOF' >| /etc/security/pwquality.conf
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -34,7 +34,7 @@ cat << 'EOF' >| /etc/security/pwquality.conf
 # SPDX-Security-Contact: security@coresecret.eu
 
 ### Current recommendations for '/etc/security/pwquality.conf' based on common best practices,
-### including NIST SP 800–63B, https://pages.nist.gov/800-63-3/sp800-63b.html
+### including NIST SP 800-63B, https://pages.nist.gov/800-63-3/sp800-63b.html
 ### and weighing usability against security.
 
 ### Configuration for systemwide password quality limits
@@ -46,16 +46,16 @@ difok = 4
 
 ### Length over complexity: Studies show that longer passphrases are significantly more
 ### resistant to brute-force and dictionary attacks. NIST recommends at least eight characters
-### but advises longer passphrases (e.g., 12–64) for increased security. Twenty characters strike a
+### but advises longer passphrases (e.g., 12-64) for increased security. Twenty characters strike a
 ### good balance between security and user convenience.
 ### Minimum acceptable size for the new password (plus one if
 ### credits are not disabled, which is the default). (See pam_cracklib manual.)
 ### Cannot be set to a lower value than 6.
-minlen = 20
+minlen = 40
 
 ### dcredit = 0, ucredit = 0, lcredit = 0, ocredit = 0, minclass = 0
-### NIST SP 800–63B advises against rigid complexity rules (numbers, symbols, uppercase)
+### NIST SP 800-63B advises against rigid complexity rules (numbers, symbols, uppercase)
-### because they can lead users to adopt predictable patterns (e.g., “Pa$$word!”).
+### because they can lead users to adopt predictable patterns (e.g., "Pa$$word!").
 ### Length and dictionary checks are more effective.
 
   ### The maximum credit for having digits in the new password. If less than 0
@@ -83,12 +83,12 @@ minlen = 20
 
 ### The maximum number of allowed consecutive same characters in the new password.
 ### The check is disabled if the value is 0.
-maxrepeat = 2
+maxrepeat = 3
 
 ### The maximum number of allowed consecutive characters of the same class in the
 ### new password.
 ### The check is disabled if the value is 0.
-maxclassrepeat = 4
+maxclassrepeat = 0
 
 ### Whether to check for the words from the passwd entry GECOS string of the user.
 ### The check is enabled if the value is not 0.

config/hooks/live/9995_sysstat.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/9996_auditd.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/9997_debsums.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -22,7 +22,7 @@ cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak
 chmod 0644 /root/.ciss/dlb/backup/debsums.bak
 sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
 
-if debsums -g; then
+if debsums -g > /dev/null 2>&1; then
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'debsums -g' successful. \e[0m\n"
 else
   # Omit false negative error output to stdout and stderr, as no problematic errors occur on startup.

config/hooks/live/9998_sources_list.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -25,7 +25,7 @@ cat << 'EOF' >| /etc/apt/sources.list
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.

config/hooks/live/9999_interfaces_update.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -22,7 +22,7 @@ cat << 'EOF' >| /etc/network/interfaces
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.binary/boot/grub/config.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/includes.chroot/etc/live/config.conf

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/etc/modprobe.d/30-cendev-hardening.conf

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/etc/network/interfaces

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/etc/ssh/sshd_config

@@ -2,14 +2,14 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.02.644.2025.05.31
+### Version Master V8.03.768.2025.06.17
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -51,7 +51,7 @@ MaxSessions                  2
 MaxStartups                  08:64:16
 ### Restrict each individual source IP to only 4 unauthenticated connection slot
 ### in the concurrent MaxStartups pool, preventing one IP from monopolizing slots.
-PerSourceMaxStartups         4
+PerSourceMaxStartups         8
 ClientAliveInterval          300
 ClientAliveCountMax          2
 

config/includes.chroot/etc/sysctl.d/99_local.hardened

@@ -2,14 +2,14 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.02.644.2025.05.31
+### Version Master V8.03.768.2025.06.17
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/

config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/0_di_preseed_include_command.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/1_di_preseed_early_command.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/2_di_partman_early_command.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/3_di_preseed_late_command.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/di_scripting_flexibility.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/di_scripting_password.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -26,13 +26,13 @@ grep -o '[!-~]' /dev/urandom | tr -d '\n' | head -c64 >> "${TMP_PASSPHRASE_FILE}
 DEB_INSTALLER_CRYPT_INC_FILE=$(mktemp)
 readonly DEB_INSTALLER_CRYPT_INC_FILE
 
-# Read the first line (the passphrase) – POSIX-compliant
+# Read the first line (the passphrase) - POSIX-compliant
 # IFS= prevents leading/trailing spaces from being truncated,
 # -r ensures that backslashes are not interpreted.
 IFS= read -r passphrase < "${TMP_PASSPHRASE_FILE}"
 
 # A single printf call with exactly one redirect
-# – ShellCheck-compliant and valid in POSIX-sh
+# - ShellCheck-compliant and valid in POSIX-sh
 printf 'd-i partman-crypto/passphrase string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"
 
 printf 'd-i partman-crypto/passphrase-again string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"

config/includes.chroot/preseed/.ash/di_scripting_ssh.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/.directories.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/apt.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/base.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/finished.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/firmware.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/grub.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/locale.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/modules.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/network.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/packages.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/partitioning.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/security.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/software.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/ssh.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/time.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.