DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 1 [skip ci]

X-CI-Metadata: master@4f7131c at 2025-06-24T22:34:39Z on 56dbb041e6a3 Generated at : 2025-06-24T22:34:39Z Runner Host : 56dbb041e6a3 Workflow ID : 🔐 Generating a Private Live ISO FLV 1. Git Commit : 4f7131c HEAD -> master
DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
2025-06-24 22:34:39 +00:00 · 2025-06-24 21:45:55 +00:00 · 2025-06-24 23:44:04 +02:00 · 2025-06-24 20:29:03 +00:00 · 2025-06-24 22:27:16 +02:00 · 2025-06-24 20:24:22 +00:00
175 changed files with 4521 additions and 871 deletions
--- a/.archive/icon.lib
+++ b/.archive/icon.lib
@@ -2,41 +2,54 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ✅
-🔧
+❌
 ⚠️
 🚫
 🔐
 🔒
 🔑
 ✍️
 🖥️
 🔄
 🔁
 🌌
 🔵
 💙
 🔍
 💡
 🔧
 🛠️
 🏗
 ⚙️
 📐
 🧪
 📩
 📥
 📦
 📑
 📂
-🔒
+📀
 🔐
 ⚙️
 ❌
 🌌
 🎉
 🖥️
 🔑
 📂
 📩
 🔵
 😺
-🧪
+📉
 📊
 🧾
-📀
+📋
-📉
+🕑
 ⏱
 🧠
 📅
-💙
+🎯
-🚫
+🌐
 🔗
 💬
 ☢️
 ☣️
 •
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.editorconfig
+++ b/.editorconfig
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -12,9 +12,7 @@
 name: "Bug Report"
 about: "Create a report to help us improve"
 title: "[BUG | possible BUG]: "
-labels: "bug:to be reproduced,bug:needs triage/confirmation"
+assignees: "MSW"
 assignees: ""
 ---
 body:
  # Instructions for the reporter
  - type: markdown
@@ -27,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.02.080.2025.05.19"
+      placeholder: "e.g., Master V8.03.832.2025.06.24"
    validations:
      required: true
--- a/.gitea/ISSUE_TEMPLATE/PULL_REQUEST_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/PULL_REQUEST_TEMPLATE.yaml
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -12,7 +12,7 @@
 name: "Standard-PR"
 about: "Please answer the following questions before submitting the PR."
 title: "[PR]: "
-ref: "master"
+assignees: "MSW"
 body:
  - type: markdown
    attributes:
@@ -48,8 +48,8 @@ body:
      options:
        - label: "My edits contain no tabs, use two-space indentation, and no trailing whitespace"
        - label: "I have read ~/docs/CONTRIBUTING.md and ~/docs/CODING_CONVENTION.md"
-        - label: "I have tested this fix or improvement on ≥2 VMs without issues"
+        - label: "I have tested this fix or improvement on >=2 VMs without issues"
-        - label: "I have tested this new feature on ≥2 VMs with and without it to avoid side effects"
+        - label: "I have tested this new feature on >=2 VMs with and without it to avoid side effects"
        - label: "Documentation and/or 'usage()' and/or 'arg_parser' have been updated for the new feature"
        - label: "I added myself to ~/docs/CREDITS.md (alphabetical) and updated ~/docs/CHANGELOG.md"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -0,0 +1,69 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Version Master V8.03.832.2025.06.24
 FROM debian:bookworm
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update -y \
    && apt-get upgrade -y \
    && apt-get install -y \
      apt-transport-https \
      apt-utils \
      bash \
      ca-certificates \
      gnupg \
      openssl \
      sudo \
    && apt-get update -y \
    && apt-get upgrade -y \
    && apt-get clean \
    && apt-get autoremove --purge -y \
    && rm -rf /var/lib/apt/lists/*
 RUN mkdir -p /etc/apt/sources.list.d && touch /etc/apt/sources.list.d/bookworm-backports.list \
    && echo 'deb https://deb.debian.org/debian bookworm-backports main' >| /etc/apt/sources.list.d/bookworm-backports.list \
    && apt-get update -y \
    && apt-get upgrade -y \
    && apt-get install -y --no-install-recommends \
      autoconf \
      automake \
      build-essential \
      cryptsetup \
      curl \
      debootstrap \
      dosfstools \
      efibootmgr \
      gettext \
      git \
      haveged \
      libtool \
      live-build \
      parted \
      pkg-config \
      ssh \
      ssl-cert \
      texinfo \
      wget \
      whois \
    && apt-get clean \
    && apt-get autoremove --purge -y \
    && rm -rf /var/lib/apt/lists/*
 RUN useradd --create-home --shell /bin/bash runner
 WORKDIR /home/runner
 USER runner
 ENTRYPOINT ["bash"]
--- a/.gitea/TODO/generate-iso.yaml
+++ b/.gitea/TODO/generate-iso.yaml
@@ -1,169 +0,0 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 name: Generating private Live ISO.
 permissions:
  contents: write
 on:
  push:
    branches:
      - master
    paths:
      - '.gitea/autobuild.yaml'
 jobs:
  generating-ciss-debian-live-iso:
    runs-on: ubuntu-latest
    ### Run all steps inside Debian Bookworm
    container:
      image: debian:bookworm
      options: --user root
    steps:
      - name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        run: |
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
          chmod 600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        run: |
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
      - name: Cleaning workspace.
        run: |
          git reset --hard
          git clean -fd
      - name: Installing Debian Live-Build and Tools.
        run: |
          apt-get update
          apt-get install -y live-build gnupg curl whois
      - name: Importing "CI PGP DEPLOY ONLY" Key.
        run: |
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
          export GNUPGHOME="$(pwd)/.gnupg"
          mkdir -m700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: Configuring Git for signed CI DEPLOY commits.
        run: |
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
      - name: Preparing Build Environment.
        run: |
          rm -rf /opt/{config,livebuild}
          mkdir -p /opt/{config,livebuild}
          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
          chmod 0600 /opt/config/authorized_keys
      - name: Starting CISS.debian.live.builder.
        run: |
          timestamp=$(date -u +"%Y_%m_%d_%H_%M_Z")
          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
          ./ciss_live_builder.sh \
          --autobuild=6.12.22+bpo-amd64 \
          --architecture amd64 \
          --build-directory /opt/livebuild \
          --control "${timestamp}" \
          --debug \
          --dhcp-centurion \
          --jump-host "${{ secrets.CISS_DLB_JUMP_HOSTS }}" \
          --provider-netcup-ipv6 "${{ secrets.CISS_DLB_NETCUP_IPV6 }}" \
          --renice-priority "-19" \
          --reionice-priority 1 2 \
          --root-password-file /opt/config/password.txt \
          --ssh-port 4242 \
          --ssh-pubkey /opt/config
      - name: Uploading ISO to CenturionCloud "cloud.e2ee.li" via WebDAV
        env:
          WEBDAV_URL: "https://cloud.e2ee.li/remote.php/dav/files/runner/PUBLIC/CISS-live/NAME.iso"
          WEBDAV_USER: ${{ secrets.NC_USER }}
          WEBDAV_PASS: ${{ secrets.NC_PASS }}
        run: |
          ### Remove old ISO if exists
          curl -u "${WEBDAV_USER}:${WEBDAV_PASS}" -X DELETE "${WEBDAV_URL}" || true
          ### Upload new ISO
          curl -u "${WEBDAV_USER}:${WEBDAV_PASS}" -T NAME.iso "${WEBDAV_URL}"
          ### Verify upload
          HTTP_CODE=$(curl -o /dev/null -s -w "%{http_code}" -u "${WEBDAV_USER}:${WEBDAV_PASS}" "${WEBDAV_URL}")
          if [ "$HTTP_CODE" -ne 200 ]; then
            echo "Upload failed with HTTP status ${HTTP_CODE}"
            exit 1
          fi
          echo "ISO successfully uploaded and verified."
      - name: Generating Hash and Signing with Private Key
        run: |
          :
          ### TODO: Implement this function
      - name: Generating Success Message to Push back into Repo
        run: |
          :
          ### TODO: Implement this function
      - name: Stage generated files.
        run: |
          git add !!!!!!!!!!!!!
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
      - name: Commit and Sign changes.
        run: |
          export GNUPGHOME="$(pwd)/.gnupg"
          git commit -S -m "DEPLOY BOT: Auto-Generate LIVE ISO [skip ci]" || echo "No Changes, nothing to Sign or to Commit."
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
      - name: Push back to Repository.
        run: |
          git push origin HEAD:${GITHUB_REF_NAME}
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -0,0 +1,241 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Version Master V8.03.832.2025.06.24
 name: 🔁 Render README.md to README.html.
 permissions:
  contents: write
 on:
  push:
    branches:
      - master
    paths:
      - "README.md"
      - '.gitea/properties/lua/linkfix.lua'
 jobs:
  render-md-to-html:
    name: 🔁 Render README.md to README.html.
    runs-on: ubuntu-latest
    steps:
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set -euo pipefail
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
          chmod 600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: 🛠️ Cleaning the workspace.
        shell: bash
        run: |
          set -euo pipefail
          git reset --hard
          git clean -fd
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
          export GNUPGHOME="$(pwd)/.gnupg"
          mkdir -m 700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
      - name: ⚙️ Convert APT sources to HTTPS.
        shell: bash
        run: |
          set -euo pipefail
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
      - name: 🛠️ Install Pandoc & Dependencies.
        shell: bash
        run: |
          set -euo pipefail
          sudo apt-get update
          sudo apt-get install -y pandoc
      - name: ⚙️ Ensure .html/ directory exists.
        shell: bash
        run:
          mkdir -p .html
      - name: 🛠️ Render *.md to full standalone HTML.
        shell: bash
        run: |
          set -euo pipefail
          find . \( -path "*/.*" -prune \) -o -type f -name "*.md" -print  | while read file; do
            out=$(basename "${file%.md}.html")
            pandoc -s "${file}" \
              --metadata title="${file}" \
              --metadata lang=en \
              -f gfm+footnotes \
              -t html5 \
              --no-highlight \
              --strip-comments \
              --wrap=none \
              --lua-filter=.gitea/properties/lua/linkfix.lua \
              -o .html/"${out}"
          done
      - name: 🛠️ Extract HTML fragment for Gitea for *.md.
        shell: bash
        run: |
          set -euo pipefail
          find . \( -path "*/.*" -prune \) -o -type f -name "README.md" -print | while read file; do
            out="${file%.md}.html"
            pandoc "${file}" \
              -f gfm+footnotes \
              -t html5 \
              --no-highlight \
              --strip-comments \
              --wrap=none \
              --lua-filter=.gitea/properties/lua/linkfix.lua \
              -o "${out}"
          done
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Temporarily store any local modifications or untracked files.
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
          echo "🔁 Merging origin/master into current branch ..."
          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
          echo "📋 Post-merge status :"
          git status
          git log --oneline -n 5
      - name: 🛠️ Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Apply previously stashed changes.
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          git add *.html  || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🔁 Auto-Generate *.html from *.md [skip ci]
          ${CI_HEADER}
          Generated at : ${TIMESTAMP_UTC}
          Runner Host  : ${HOSTNAME}
          Workflow ID  : ${WORKFLOW_ID}
          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
          "
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
          git push origin HEAD:${GITHUB_REF_NAME}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -11,5 +11,5 @@
 build:
  counter: 1024
-  version: V8.02.644.2025.05.31
+  version: V8.03.832.2025.06.24
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
@@ -0,0 +1,15 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 build:
  counter: 1023
  version: V8.03.832.2025.06.24
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -0,0 +1,15 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 build:
  counter: 1023
  version: V8.03.832.2025.06.24
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 build:
-  counter: 1024
+  counter: 1023
-  version: V8.02.644.2025.05.31
+  version: V8.03.832.2025.06.24
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
@@ -0,0 +1,485 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Version Master V8.03.832.2025.06.24
 name: 🔐 Generating a Private Live ISO FLV 0.
 permissions:
  contents: write
 on:
  push:
    branches:
      - master
    paths:
      - '.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml'
 jobs:
  generate-private-ciss-debian-live-iso:
    name: 🔐 Generating a Private Live ISO FLV 0.
    runs-on: ciss.debian.live.builder.iso.generator
    ### Run all steps inside Debian Bookworm
    container:
      image: debian:bookworm
    steps:
      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
        run: |
          apt-get update -y
          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
            >| /etc/apt/sources.list.d/bookworm-backports.list
          apt-get update -y
          apt-get upgrade -y
      - name: 🛠️ Installing Build Tools.
        shell: bash
        run: |
          apt-get update -y
          apt-get install -y \
            autoconf \
            automake \
            build-essential \
            cryptsetup \
            curl \
            debootstrap \
            dosfstools \
            efibootmgr \
            gettext \
            git \
            gnupg \
            haveged \
            libbz2-dev \
            zlib1g-dev \
            liblzma-dev \
            libtool \
            live-build \
            parted \
            pkg-config \
            ssh \
            ssl-cert \
            sudo \
            texinfo \
            wget \
            whois \
      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
        shell: bash
        run: |
          urls=(
            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
          )
          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
          gpg --batch --import signature_key.asc
          for url in "${urls[@]}"; do
            archive_name="${url##*/}"
            pkg_name="${archive_name%.tar.bz2}"
            echo "🔄 Processing ${pkg_name}"
            if [[ ! -f "${archive_name}" ]]; then
              echo "📥 Downloading: '${archive_name}'."
              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
                echo "✅ Download successful: '${archive_name}'."
              else
                echo "❌ Download NOT successful: '${archive_name}'."
                exit 1
              fi
            else
              echo "💡 Skipping download, package already exists: '${archive_name}'."
            fi
            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
            if [[ ! -d "${pkg_name}" ]]; then
              echo "📂 Extracting: '${archive_name}'."
              if tar -xjf "${archive_name}"; then
                echo "✅ Extraction successful: '${archive_name}'."
              else
                echo "❌ Extraction not successful: '${archive_name}'."
                exit 1
              fi
            else
              echo "💡 Skipping directory, already exists: '${pkg_name}'."
            fi
            echo "🏗️ Build and install the package: '${pkg_name}'."
            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
            mkdir -p build
            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
            echo "✅ Successful build and installation of '${pkg_name}'."
            echo "-------------------------------------------------------------------------------------"
          done
          rm -f signature_key.asc
          echo "✅ All packages were built and installed successfully."
          mv_bin=(
            "/usr/bin/gpg"
            "/usr/bin/gpg-agent"
            "/usr/bin/gpgconf"
            "/usr/bin/gpg-connect-agent"
            "/usr/bin/gpg-wks-client"
            "/usr/bin/gpg-preset-passphrase"
          )
          for bin in "${mv_bin[@]}"; do
            name="${bin##*/}"
            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
              if mv "${bin}" "${bin}.debian-backup"; then
                echo "✅ Moved successfully: '${bin}'."
              else
                echo "❌ Moved NOT successfully: '${bin}'."
              fi
            else
              echo "💡 Does not exist as build binary: '${bin}'."
            fi
          done
          for bin in "${mv_bin[@]}"; do
            name="${bin##*/}"
            if [[ -f "/usr/local/bin/${name}" ]]; then
              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
                echo "✅ 'update-alternatives' successfully: '${bin}'."
              else
                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
              fi
            else
              echo "💡 Does not exist: '/usr/local/bin/${name}'."
            fi
          done
          sudo ldconfig
          gpgconf --kill all
          /usr/local/bin/gpg-agent --daemon
      - name: ⚙️ Check GnuPG Version.
        shell: bash
        run: |
          gpg --version
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
          chmod 600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: 🛠️ Cleaning the workspace.
        shell: bash
        run: |
          git reset --hard
          git clean -fd
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
          export GNUPGHOME="$(pwd)/.gnupg"
          mkdir -m 700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
          gpg --batch --import centurion-root.PUB.asc
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
      - name: ⚙️ Preparing the build environment.
        shell: bash
        run: |
          set -euo pipefail
          mkdir -p /opt/config
          mkdir -p /opt/livebuild
          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
        shell: bash
        run: |
          set -euo pipefail
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
          ./ciss_live_builder.sh \
            --autobuild=6.12.30+bpo-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --control "${timestamp}" \
            --debug \
            --dhcp-centurion \
            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
            --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
            --root-password-file /opt/config/password.txt \
            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
            --ssh-pubkey /opt/config
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
        run: |
          set -euo pipefail
          SHARE_SUBDIR=""
          echo "📥 Get directory listing via PROPFIND ..."
          curl -s \
          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
          -X PROPFIND \
          -H "Depth: 1" \
          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -o propfind_public.xml
          echo "📥 Filter .iso files from the PROPFIND response ..."
          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
            echo "💡 Old ISO files found and deleted :"
            while IFS= read -r href; do
              FILE_URL="${NC_BASE}${href}"
              echo "  Delete: ${FILE_URL}"
              if curl -s \
                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
                  -X DELETE "${FILE_URL}"; then
                echo "    ✅ Successfully deleted: $(basename "${href}")"
              else
                echo "    ❌ Error: $(basename "${href}") could not be deleted"
              fi
            done < public_iso_list.txt
          else
            echo "💡 No old ISO files found to delete."
          fi
      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
        run: |
          set -euo pipefail
          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
            echo "✅ New ISO successfully uploaded."
          else
            echo "❌ Uploading the new ISO failed."
            exit 1
          fi
      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
        shell: bash
        run: |
          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
          touch "${VAR_ISO_FILE_SHA512}"
          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
          touch "${SIGNATURE_FILE}"
          export GNUPGHOME="$(pwd)/.gnupg"
          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          PRIVATE_FILE="LIVE_ISO_FLV_0.private"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
          CISS.debian.live.builder ISO :
            "${VAR_ISO_FILE_NAME}"
          CISS.debian.live.builder ISO sha512 :
            $(< "${VAR_ISO_FILE_SHA512}")
          CISS.debian.live.builder ISO sha512 sign :
            $(< "${SIGNATURE_FILE}")
          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
          EOF
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Temporarily store any local modifications or untracked files.
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
          echo "🔁 Merging origin/master into current branch ..."
          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
          echo "📋 Post-merge status :"
          git status
          git log --oneline -n 5
      - name: 🛠️ Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Apply previously stashed changes.
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          PRIVATE_FILE="LIVE_ISO_FLV_0.private"
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 0 [skip ci]
          ${CI_HEADER}
          Generated at : ${TIMESTAMP_UTC}
          Runner Host  : ${HOSTNAME}
          Workflow ID  : ${WORKFLOW_ID}
          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
          "
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
          git push origin HEAD:${GITHUB_REF_NAME}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
@@ -0,0 +1,482 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Version Master V8.03.832.2025.06.24
 name: 🔐 Generating a Private Live ISO FLV 1.
 permissions:
  contents: write
 on:
  push:
    branches:
      - master
    paths:
      - '.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml'
 jobs:
  generate-private-ciss-debian-live-iso:
    name: 🔐 Generating a Private Live ISO FLV 1.
    runs-on: ciss.debian.live.builder.iso.generator
    ### Run all steps inside Debian Bookworm
    container:
      image: debian:bookworm
    steps:
      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
        run: |
          apt-get update -y
          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
            >| /etc/apt/sources.list.d/bookworm-backports.list
          apt-get update -y
          apt-get upgrade -y
      - name: 🛠️ Installing Build Tools.
        shell: bash
        run: |
          apt-get update -y
          apt-get install -y \
            autoconf \
            automake \
            build-essential \
            cryptsetup \
            curl \
            debootstrap \
            dosfstools \
            efibootmgr \
            gettext \
            git \
            gnupg \
            haveged \
            libbz2-dev \
            zlib1g-dev \
            liblzma-dev \
            libtool \
            live-build \
            parted \
            pkg-config \
            ssh \
            ssl-cert \
            sudo \
            texinfo \
            wget \
            whois \
      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
        shell: bash
        run: |
          urls=(
            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
          )
          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
          gpg --batch --import signature_key.asc
          for url in "${urls[@]}"; do
            archive_name="${url##*/}"
            pkg_name="${archive_name%.tar.bz2}"
            echo "🔄 Processing ${pkg_name}"
            if [[ ! -f "${archive_name}" ]]; then
              echo "📥 Downloading: '${archive_name}'."
              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
                echo "✅ Download successful: '${archive_name}'."
              else
                echo "❌ Download NOT successful: '${archive_name}'."
                exit 1
              fi
            else
              echo "💡 Skipping download, package already exists: '${archive_name}'."
            fi
            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
            if [[ ! -d "${pkg_name}" ]]; then
              echo "📂 Extracting: '${archive_name}'."
              if tar -xjf "${archive_name}"; then
                echo "✅ Extraction successful: '${archive_name}'."
              else
                echo "❌ Extraction not successful: '${archive_name}'."
                exit 1
              fi
            else
              echo "💡 Skipping directory, already exists: '${pkg_name}'."
            fi
            echo "🏗️ Build and install the package: '${pkg_name}'."
            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
            mkdir -p build
            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
            echo "✅ Successful build and installation of '${pkg_name}'."
            echo "-------------------------------------------------------------------------------------"
          done
          rm -f signature_key.asc
          echo "✅ All packages were built and installed successfully."
          mv_bin=(
            "/usr/bin/gpg"
            "/usr/bin/gpg-agent"
            "/usr/bin/gpgconf"
            "/usr/bin/gpg-connect-agent"
            "/usr/bin/gpg-wks-client"
            "/usr/bin/gpg-preset-passphrase"
          )
          for bin in "${mv_bin[@]}"; do
            name="${bin##*/}"
            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
              if mv "${bin}" "${bin}.debian-backup"; then
                echo "✅ Moved successfully: '${bin}'."
              else
                echo "❌ Moved NOT successfully: '${bin}'."
              fi
            else
              echo "💡 Does not exist as build binary: '${bin}'."
            fi
          done
          for bin in "${mv_bin[@]}"; do
            name="${bin##*/}"
            if [[ -f "/usr/local/bin/${name}" ]]; then
              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
                echo "✅ 'update-alternatives' successfully: '${bin}'."
              else
                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
              fi
            else
              echo "💡 Does not exist: '/usr/local/bin/${name}'."
            fi
          done
          sudo ldconfig
          gpgconf --kill all
          /usr/local/bin/gpg-agent --daemon
      - name: ⚙️ Check GnuPG Version.
        shell: bash
        run: |
          gpg --version
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
          chmod 600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: 🛠️ Cleaning the workspace.
        shell: bash
        run: |
          git reset --hard
          git clean -fd
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
          export GNUPGHOME="$(pwd)/.gnupg"
          mkdir -m 700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
          gpg --batch --import centurion-root.PUB.asc
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
      - name: ⚙️ Preparing the build environment.
        shell: bash
        run: |
          set -euo pipefail
          mkdir -p /opt/config
          mkdir -p /opt/livebuild
          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys
      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
        shell: bash
        run: |
          set -euo pipefail
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
          ./ciss_live_builder.sh \
            --autobuild=6.12.30+bpo-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --control "${timestamp}" \
            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
            --root-password-file /opt/config/password.txt \
            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
            --ssh-pubkey /opt/config
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
        run: |
          set -euo pipefail
          SHARE_SUBDIR=""
          echo "📥 Get directory listing via PROPFIND ..."
          curl -s \
          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
          -X PROPFIND \
          -H "Depth: 1" \
          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -o propfind_public.xml
          echo "📥 Filter .iso files from the PROPFIND response ..."
          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
            echo "💡 Old ISO files found and deleted :"
            while IFS= read -r href; do
              FILE_URL="${NC_BASE}${href}"
              echo "  Delete: ${FILE_URL}"
              if curl -s \
                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
                  -X DELETE "${FILE_URL}"; then
                echo "    ✅ Successfully deleted: $(basename "${href}")"
              else
                echo "    ❌ Error: $(basename "${href}") could not be deleted"
              fi
            done < public_iso_list.txt
          else
            echo "💡 No old ISO files found to delete."
          fi
      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
        run: |
          set -euo pipefail
          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
            echo "✅ New ISO successfully uploaded."
          else
            echo "❌ Uploading the new ISO failed."
            exit 1
          fi
      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
        shell: bash
        run: |
          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
          touch "${VAR_ISO_FILE_SHA512}"
          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
          touch "${SIGNATURE_FILE}"
          export GNUPGHOME="$(pwd)/.gnupg"
          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          PRIVATE_FILE="LIVE_ISO_FLV_1.private"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
          CISS.debian.live.builder ISO :
            "${VAR_ISO_FILE_NAME}"
          CISS.debian.live.builder ISO sha512 :
            $(< "${VAR_ISO_FILE_SHA512}")
          CISS.debian.live.builder ISO sha512 sign :
            $(< "${SIGNATURE_FILE}")
          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
          EOF
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Temporarily store any local modifications or untracked files.
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
          echo "🔁 Merging origin/master into current branch ..."
          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
          echo "📋 Post-merge status :"
          git status
          git log --oneline -n 5
      - name: 🛠️ Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Apply previously stashed changes.
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          PRIVATE_FILE="LIVE_ISO_FLV_1.private"
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 1 [skip ci]
          ${CI_HEADER}
          Generated at : ${TIMESTAMP_UTC}
          Runner Host  : ${HOSTNAME}
          Workflow ID  : ${WORKFLOW_ID}
          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
          "
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
          git push origin HEAD:${GITHUB_REF_NAME}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -0,0 +1,482 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Version Master V8.03.832.2025.06.24
 name: 💙 Generating a PUBLIC Live ISO.
 permissions:
  contents: write
 on:
  push:
    branches:
      - master
    paths:
      - '.gitea/trigger/t_generate_PUBLIC.yaml'
 jobs:
  generate-private-ciss-debian-live-iso:
    name: 💙 Generating a PUBLIC Live ISO.
    runs-on: ciss.debian.live.builder.iso.generator
    ### Run all steps inside Debian Bookworm
    container:
      image: debian:bookworm
    steps:
      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
        run: |
          apt-get update -y
          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
            >| /etc/apt/sources.list.d/bookworm-backports.list
          apt-get update -y
          apt-get upgrade -y
      - name: 🛠️ Installing Build Tools.
        shell: bash
        run: |
          apt-get update -y
          apt-get install -y \
            autoconf \
            automake \
            build-essential \
            cryptsetup \
            curl \
            debootstrap \
            dosfstools \
            efibootmgr \
            gettext \
            git \
            gnupg \
            haveged \
            libbz2-dev \
            zlib1g-dev \
            liblzma-dev \
            libtool \
            live-build \
            parted \
            pkg-config \
            ssh \
            ssl-cert \
            sudo \
            texinfo \
            wget \
            whois \
      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
        shell: bash
        run: |
          urls=(
            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
          )
          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
          gpg --batch --import signature_key.asc
          for url in "${urls[@]}"; do
            archive_name="${url##*/}"
            pkg_name="${archive_name%.tar.bz2}"
            echo "🔄 Processing ${pkg_name}"
            if [[ ! -f "${archive_name}" ]]; then
              echo "📥 Downloading: '${archive_name}'."
              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
                echo "✅ Download successful: '${archive_name}'."
              else
                echo "❌ Download NOT successful: '${archive_name}'."
                exit 1
              fi
            else
              echo "💡 Skipping download, package already exists: '${archive_name}'."
            fi
            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
            if [[ ! -d "${pkg_name}" ]]; then
              echo "📂 Extracting: '${archive_name}'."
              if tar -xjf "${archive_name}"; then
                echo "✅ Extraction successful: '${archive_name}'."
              else
                echo "❌ Extraction not successful: '${archive_name}'."
                exit 1
              fi
            else
              echo "💡 Skipping directory, already exists: '${pkg_name}'."
            fi
            echo "🏗️ Build and install the package: '${pkg_name}'."
            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
            mkdir -p build
            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
            echo "✅ Successful build and installation of '${pkg_name}'."
            echo "-------------------------------------------------------------------------------------"
          done
          rm -f signature_key.asc
          echo "✅ All packages were built and installed successfully."
          mv_bin=(
            "/usr/bin/gpg"
            "/usr/bin/gpg-agent"
            "/usr/bin/gpgconf"
            "/usr/bin/gpg-connect-agent"
            "/usr/bin/gpg-wks-client"
            "/usr/bin/gpg-preset-passphrase"
          )
          for bin in "${mv_bin[@]}"; do
            name="${bin##*/}"
            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
              if mv "${bin}" "${bin}.debian-backup"; then
                echo "✅ Moved successfully: '${bin}'."
              else
                echo "❌ Moved NOT successfully: '${bin}'."
              fi
            else
              echo "💡 Does not exist as build binary: '${bin}'."
            fi
          done
          for bin in "${mv_bin[@]}"; do
            name="${bin##*/}"
            if [[ -f "/usr/local/bin/${name}" ]]; then
              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
                echo "✅ 'update-alternatives' successfully: '${bin}'."
              else
                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
              fi
            else
              echo "💡 Does not exist: '/usr/local/bin/${name}'."
            fi
          done
          sudo ldconfig
          gpgconf --kill all
          /usr/local/bin/gpg-agent --daemon
      - name: ⚙️ Check GnuPG Version.
        shell: bash
        run: |
          gpg --version
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
          chmod 600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: 🛠️ Cleaning the workspace.
        shell: bash
        run: |
          git reset --hard
          git clean -fd
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
          export GNUPGHOME="$(pwd)/.gnupg"
          mkdir -m 700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
          gpg --batch --import centurion-root.PUB.asc
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
      - name: ⚙️ Preparing the build environment.
        shell: bash
        run: |
          set -euo pipefail
          mkdir -p /opt/config
          mkdir -p /opt/livebuild
          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
          echo 'Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH' >| /opt/config/password.txt
          echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY' >| /opt/config/authorized_keys
      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
        shell: bash
        run: |
          set -euo pipefail
          sed -i '/^hardening_ssh.*/d' ciss_live_builder.sh
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
          ./ciss_live_builder.sh \
            --autobuild=6.12.30+bpo-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --control "${timestamp}" \
            --root-password-file /opt/config/password.txt \
            --ssh-port 42137 \
            --ssh-pubkey /opt/config
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
        run: |
          set -euo pipefail
          SHARE_SUBDIR=""
          echo "📥 Get directory listing via PROPFIND ..."
          curl -s \
          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
          -X PROPFIND \
          -H "Depth: 1" \
          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -o propfind_public.xml
          echo "📥 Filter .iso files from the PROPFIND response ..."
          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
            echo "💡 Old ISO files found and deleted :"
            while IFS= read -r href; do
              FILE_URL="${NC_BASE}${href}"
              echo "  Delete: ${FILE_URL}"
              if curl -s \
                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
                  -X DELETE "${FILE_URL}"; then
                echo "    ✅ Successfully deleted: $(basename "${href}")"
              else
                echo "    ❌ Error: $(basename "${href}") could not be deleted"
              fi
            done < public_iso_list.txt
          else
            echo "💡 No old ISO files found to delete."
          fi
      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
        run: |
          set -euo pipefail
          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
            echo "✅ New ISO successfully uploaded."
          else
            echo "❌ Uploading the new ISO failed."
            exit 1
          fi
      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
        shell: bash
        run: |
          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
          touch "${VAR_ISO_FILE_SHA512}"
          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
          touch "${SIGNATURE_FILE}"
          export GNUPGHOME="$(pwd)/.gnupg"
          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          PRIVATE_FILE="LIVE_ISO.public"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
          CISS.debian.live.builder ISO :
            "${VAR_ISO_FILE_NAME}"
          CISS.debian.live.builder ISO sha512 :
            $(< "${VAR_ISO_FILE_SHA512}")
          CISS.debian.live.builder ISO sha512 sign :
            $(< "${SIGNATURE_FILE}")
          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
          EOF
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Temporarily store any local modifications or untracked files.
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
          echo "🔁 Merging origin/master into current branch ..."
          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
          echo "📋 Post-merge status :"
          git status
          git log --oneline -n 5
      - name: 🛠️ Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Apply previously stashed changes.
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          PRIVATE_FILE="LIVE_ISO.public"
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
          ${CI_HEADER}
          Generated at : ${TIMESTAMP_UTC}
          Runner Host  : ${HOSTNAME}
          Workflow ID  : ${WORKFLOW_ID}
          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
          "
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
          git push origin HEAD:${GITHUB_REF_NAME}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -0,0 +1,339 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Version Master V8.03.832.2025.06.24
 # Gitea Workflow: Shell-Script Linting
 #
 # This workflow scans all '*.sh', '*.zsh', '*.chroot' and all files with Shebang (#!) for:
 # 1. Windows CRLF line endings
 # 2. unauthorized control characters (C0 control characters except \t, \n)
 # 3. non-ASCII (ambiguous UTF) characters
 #
 # Findings are collected and at the end of the run with file, line number,
 # and the respective character in the Runner output.
 name: 🛡️ Shell Script Linting
 on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
 jobs:
  shell-script-linter:
    name: 🛡️ Shell Script Linting
    runs-on: ubuntu-latest
    steps:
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set -euo pipefail
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
          chmod 600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: 🛠️ Cleaning the workspace.
        shell: bash
        run: |
          set -euo pipefail
          git reset --hard
          git clean -fd
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
          export GNUPGHOME="$(pwd)/.gnupg"
          mkdir -m 700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
      - name: ⚙️ Convert APT sources to HTTPS.
        shell: bash
        run: |
          set -euo pipefail
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
      - name: 🛠️ Install dependencies.
        shell: bash
        run: |
          ### Install grep with Perl-regex support, falls noch nicht vorhanden
          apt-get update
          apt-get upgrade -y
          apt-get install -y grep
      - name: 🔍 Lint shell scripts
        shell: bash
        run: |
          # -------------------------------
          # STEP 1: Find target files.
          #
          # We capture:
          # - All files '*.sh', '*.zsh', '*.chroot'
          # - All files whose first line begins with "#!" (shebang)
          # -------------------------------
          mapfile -t files_to_check < <(
            find . \
              -path './.git' -prune -o \
              -type f \( \
                -iname '*.sh' -o \
                -iname '*.zsh' -o \
                -iname '*.chroot' -o \
                -exec grep -Iq '^#!' {} \; \
              \) -print
          )
          # -------------------------------
          # STEP 2: Regex definitions
          #
          # - CRLF_REGEX           Carriage Return (\r) for Windows CRLF
          # - CTRL_REGEX           C0 control characters except Tab (\x09) and Newline (\x0A)
          #   - Range:             [\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]
          # - NON_ASCII_REGEX      All bytes -> 0x7F, except emoji characters in defined ranges
          #
          # Emoji ranges that we exclude:
          # - \x{1F300}-\x{1F5FF}  Misc Symbols & Pictographs
          # - \x{1F600}-\x{1F64F}  Emoticons
          # - \x{1F680}-\x{1F6FF}  Transport & Map Symbols
          # - \x{1F900}-\x{1F9FF}  Supplemental Symbols & Pictographs
          # - \x{2600}-\x{26FF}    Miscellaneous Symbols
          # - \x{2700}-\x{27BF}    Dingbats
          # -------------------------------
          CRLF_REGEX=$'\r'
          CTRL_REGEX='[\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]'
          NON_ASCII_REGEX='(?![\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}])[^\x00-\x7F]'
          # -------------------------------
          # STEP 3: Accumulator for findings
          # -------------------------------
          findings=""
          # -------------------------------
          # STEP 4: Perform all checks for each file
          # -------------------------------
          for file in "${files_to_check[@]}"; do
            #
            # 4.1: CRLF detection
            #      grep -nP returns "lineno:<line with CR>"
            # -------------------------------
            while IFS=: read -r lineno _rest; do
              findings+="${file}: CRLF-found at line ${lineno}: <CR>"$'\n'
            done < <(grep -nP "${CRLF_REGEX}" "${file}" || true)
            #
            # 4.2: Unallowed control characters
            #      grep -nP -o returns "lineno:<matched-char>"
            # -------------------------------
            while IFS=: read -r lineno char; do
              findings+="${file}: control-char at line ${lineno}: ${char}"$'\n'
            done < <(grep -nP -o "${CTRL_REGEX}" "${file}" || true)
            #
            # 4.3: Non-ASCII characters with emoji exception
            #      grep -nP -o returns "lineno:<matched-char>"
            # -------------------------------
            while IFS=: read -r lineno char; do
              findings+="${file}: non-ascii at line ${lineno}: ${char}"$'\n'
            done < <(grep -nP -o "${NON_ASCII_REGEX}" "${file}" || true)
          done
          # -------------------------------
          # STEP 5: Output results
          # -------------------------------
          if [[ -n "${findings}" ]]; then
            echo -e "⚠️ Linting issues detected:\n"
            echo -e "${findings}"
            timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
            PRIVATE_FILE="LINTER_RESULTS.txt"
            touch "${PRIVATE_FILE}"
            cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
          # SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
          ⚠️ The last linter check was NOT successful. ⚠️
          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
          EOF
          else
            echo "✅ No issues found in shell scripts."
            timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
            PRIVATE_FILE="LINTER_RESULTS.txt"
            touch "${PRIVATE_FILE}"
            cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
          # SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
          ✅ The last linter check was successful. ✅
          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
          EOF
          fi
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Temporarily store any local modifications or untracked files.
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
          echo "🔁 Merging origin/master into current branch ..."
          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
          echo "📋 Post-merge status :"
          git status
          git log --oneline -n 5
      - name: 🛠️ Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Apply previously stashed changes.
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          PRIVATE_FILE="LINTER_RESULTS.txt"
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🛡️ Shell Script Linting [skip ci]
          ${CI_HEADER}
          Generated at : ${TIMESTAMP_UTC}
          Runner Host  : ${HOSTNAME}
          Workflow ID  : ${WORKFLOW_ID}
          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
          "
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
          git push origin HEAD:${GITHUB_REF_NAME}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -2,14 +2,16 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-name: Retrieve the DNSSEC status at the time of updating the repository.
+### Version Master V8.03.832.2025.06.24
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 permissions:
  contents: write
@@ -23,13 +25,15 @@ on:
 jobs:
  build-dnssec-diagram:
-    name: Retrieve the DNSSEC status at the time of updating the repository.
+    name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
    runs-on: ubuntu-latest
    steps:
-      - name: Prepare SSH Setup, SSH Deploy Key, Known Hosts, config.
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
-          rm -rf ~/.ssh
+          set -euo pipefail
-          mkdir -p ~/.ssh
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
@@ -51,31 +55,27 @@ jobs:
          chmod 600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
-      - name: Use manual clone via SSH to circumvent Gitea SHA-256 object issues.
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
-        run: |
+        shell: bash
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
      - name: Clean workspace.
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: 🛠️ Cleaning the workspace.
        shell: bash
        run: |
          set -euo pipefail
          git reset --hard
          git clean -fd
-      - name: Convert APT sources to HTTPS.
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        run: |
+        shell: bash
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
      - name: Install DNSViz.
        run: |
          sudo apt-get update
          sudo apt-get install -y dnsviz
      - name: Import CI PGP DEPLOY ONLY Key.
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
          export GNUPGHOME="$(pwd)/.gnupg"
          mkdir -m 700 "${GNUPGHOME}"
@@ -84,10 +84,11 @@ jobs:
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
        shell: bash
-      - name: Configure Git for signed CI DEPLOY commits.
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
@@ -95,37 +96,123 @@ jobs:
          git config gpg.program gpg
          git config gpg.format openpgp
-      - name: Ensure docs/SECURITY/ directory exists.
+      - name: ⚙️ Convert APT sources to HTTPS.
        shell: bash
        run: |
          set -euo pipefail
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
      - name: 🛠️ Install DNSViz.
        shell: bash
        run: |
          sudo apt-get update
          sudo apt-get install -y dnsviz
      - name: ⚙️ Ensure docs/SECURITY/ directory exists.
        shell: bash
        run: |
          mkdir -p docs/SECURITY/
          rm -f docs/SECURITY/coresecret.dev.png
-      - name: Prepare DNS Cache.
+      - name: 🛠️ Prepare DNS Cache.
        shell: bash
        run: |
          sudo apt-get install -y dnsutils
          dig +dnssec +multi coresecret.dev @8.8.8.8
-      - name: Retrieve Zone Dump and generate .png Visualization.
+      - name: 🛠️ Retrieve Zone Dump and generate .png Visualization.
        shell: bash
        run: |
          dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json
          dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png
-      - name: Stage generated files.
+      - name: 🚧 Stash local changes (including untracked).
-        run: |
+        shell: bash
          git add docs/SECURITY/*.png
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
      - name: Commit and Sign changes.
        run: |
          set -euo pipefail
          ### Temporarily store any local modifications or untracked files.
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git commit -S -m "DEPLOY BOT: Auto-Generate DNSSEC Status [skip ci]" || echo "No Changes, nothing to Sign or to Commit."
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
-      - name: Push back to Repository.
+          echo "🔄 Fetching origin/master ..."
-        run: |
+          git fetch origin master
-          git push origin HEAD:${GITHUB_REF_NAME}
+
          echo "🔁 Merging origin/master into current branch ..."
          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
          echo "📋 Post-merge status :"
          git status
          git log --oneline -n 5
      - name: 🛠️ Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
+        run: |
          set -euo pipefail
          ### Apply previously stashed changes.
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          git add docs/SECURITY/*.png || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🛡️ Auto-Generate DNSSEC Status [skip ci]
          ${CI_HEADER}
          Generated at : ${TIMESTAMP_UTC}
          Runner Host  : ${HOSTNAME}
          Workflow ID  : ${WORKFLOW_ID}
          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
          "
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
          git push origin HEAD:${GITHUB_REF_NAME}
      # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -0,0 +1,211 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Version Master V8.03.832.2025.06.24
 name: 🔁 Render Graphviz Diagrams.
 permissions:
  contents: write
 on:
  push:
    branches:
      - master
    paths:
      - "**/*.gv"
      - "**/*.dot"
 jobs:
  build-graphiz-diagrams:
    name: 🔁 Render Graphviz Diagrams.
    runs-on: ubuntu-latest
    steps:
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set -euo pipefail
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
          chmod 600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: 🛠️ Cleaning the workspace.
        shell: bash
        run: |
          set -euo pipefail
          git reset --hard
          git clean -fd
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
          export GNUPGHOME="$(pwd)/.gnupg"
          mkdir -m 700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
      - name: ⚙️ Convert APT sources to HTTPS.
        shell: bash
        run: |
          set -euo pipefail
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
      - name: 🛠️ Install Graphviz.
        shell: bash
        run: |
          set -euo pipefail
          sudo apt-get update
          sudo apt-get install -y graphviz
      - name: 🛠️ Render all .dot / .gv to PNG.
        shell: bash
        run: |
          set -euo pipefail
          find . -type f \( -name "*.dot" -o -name "*.gv" \) | while read file; do
            out="${file%.*}.png"
            dot -Tpng "${file}" -o "${out}"
          done
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Temporarily store any local modifications or untracked files.
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
          echo "🔁 Merging origin/master into current branch ..."
          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
          echo "📋 Post-merge status :"
          git status
          git log --oneline -n 5
      - name: 🛠️ Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Apply previously stashed changes.
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          git add *.png || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🔁 Auto-Generate PNG from *.dot. [skip ci]
          ${CI_HEADER}
          Generated at : ${TIMESTAMP_UTC}
          Runner Host  : ${HOSTNAME}
          Workflow ID  : ${WORKFLOW_ID}
          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
          "
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
          git push origin HEAD:${GITHUB_REF_NAME}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitignore
+++ b/.gitignore
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/.version.properties
+++ b/.version.properties
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -10,10 +10,10 @@
 # SPDX-Security-Contact: security@coresecret.eu
 properties_SPDX-Version="3.0"
 properties_SPDX-ExternalRef="GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git"
-properties_SPDX-FileCopyrightText="2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>"
+properties_SPDX-FileCopyrightText="2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>"
 properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
-properties_SPDX-LicenseComment="This file is part of the CISS.hardened.installer framework."
+properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.02.644.2025.05.31"
+properties_version="V8.03.832.2025.06.24"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.02.644.2025.05.31
+PackageVersion: Master V8.03.832.2025.06.24
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/LINTER_RESULTS.txt
+++ b/LINTER_RESULTS.txt
@@ -0,0 +1,16 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 This file was automatically generated by the DEPLOY BOT on: "2025-06-24T21:45:52Z".
 ✅ The last linter check was successful. ✅
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO.public
+++ b/LIVE_ISO.public
@@ -0,0 +1,27 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 This file was automatically generated by the DEPLOY BOT on: "2025-06-23T09:04:49Z".
 CISS.debian.live.builder ISO :
  "ciss-debian-live-2025_06_23T08_20_37Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
  86a8be09e16299892ae99d195b56a04356bcf5d2202016da8f8fa7441077c43fab68ebefcb8c39b3423f085a74b607907fb691ac71fdef92af33782bd2ac0ce5
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
 iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFkYsQAKCRA85KY4hzOw
 IbrbAQDeOIS3QYKIPkMhYlNPIcsJjv/dh3TdYiuQbkvfwVI+/gD/TiB+ska62vJk
 LGfwjuaxMC0KHG1/UTICytOeAnTrXAc=
 =qk8B
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_FLV_0.private
+++ b/LIVE_ISO_FLV_0.private
@@ -0,0 +1,27 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 This file was automatically generated by the DEPLOY BOT on: "2025-06-24T19:21:36Z".
 CISS.debian.live.builder ISO :
  "ciss-debian-live-2025_06_24T18_36_59Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
  3ca5a9635ef74a48f6d8f31696ec56e56ee95eff5317df95976e22d31e331bc503422602e24a9eaddfc30212acf6ebe96af51e94298c4c7c49c839c62abb6c2f
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
 iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFr6wAAKCRA85KY4hzOw
 IbgHAP4p9jlF9jZkYIw/0H8j07QUWNHxeUz2r2UXp8aN2gUEBwEAxqbznJhH8li8
 40g5sWwGLmBjlidIOe0NxeMUBkuMlQg=
 =gq5w
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_FLV_1.private
+++ b/LIVE_ISO_FLV_1.private
@@ -0,0 +1,27 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 This file was automatically generated by the DEPLOY BOT on: "2025-06-24T22:34:36Z".
 CISS.debian.live.builder ISO :
  "ciss-debian-live-2025_06_24T21_53_22Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
  581d951c8ab4d8e7afd2d727f8e64bd6fff51d005b84b9800e941da8dae654985bae500e056f02729d6b274ba330dfdbec59fd5ec2c8b18c3bbf37433b73c154
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
 iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFsn/AAKCRA85KY4hzOw
 IUvMAP9P1U6lblhdZ9tSROvYXRXcv0IEg2rVo3fMx9T5fozLewEAgxxo0+J1Nlvu
 KVZOdiuc6xdxkBHWYaA2kSXZKI+qAwA=
 =2H0C
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.02.644.2025.05.31-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.832.2025.06.24-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -11,8 +11,8 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
 &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.23.8-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.2-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.1.1-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
@@ -25,35 +25,50 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.02<br>
+**Master Version**: 8.03<br>
-**Build**: V8.02.644.2025.05.31<br>
+**Build**: V8.03.832.2025.06.24<br>
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
-cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`.
+cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`. Additionally, automated CI workflows 
 based on Gitea Actions are provided, enabling reproducible ISO generation. A generic ISO is automatically built upon significant
 changes and made publicly available for download. The latest generic ISO is available at:
 **[PUBLIC CISS.debian.live.ISO](/docs/DL_PUB_ISO.md)**
 Check out more:
 * [CenturionNet Services](https://coresecret.eu/cnet/) 
-* [CenturionDNS Resolver](https://dns.eddns.eu/)
+* [CenturionDNS Resolver](https://eddns.eu/)
 * [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt) 
 * [CenturionNet Status](https://uptime.coresecret.eu/) 
 * [CenturionMeet](https://talk.e2ee.li/) 
 * [Contact the author](https://coresecret.eu/contact/)
-## 1.1. Notes
+## 1.1. Preliminary Remarks
 ### 1.1.1. HSM
 Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. The next step is to 
 move to a room-gapped environment. ^^
-### 1.1.2. HSTS and DNSSEC
+### 1.1.2. DNSSEC, HSTS, TLS
 Please note that `coresecret.dev` is included in the [(HSTS Preload List)](https://hstspreload.org/) and always serves the headers:
 ````nginx configuration pro
 add_header Expect-CT                 "max-age=86400, enforce"                       always;
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 ````
-Additionally, the entire zone is dual-signed with DNSSEC. See the current DNSSEC status at [DNSSEC Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_DNSSEC.md)
+
 * Additionally, the entire zone is dual-signed with **DNSSEC**. See the current **DNSSEC** status at: **[DNSSEC Audit Report](/docs/AUDIT_DNSSEC.md)**
 * A comprehensive TLS audit of the **`git.coresecret.dev`** Gitea server is also available. See: **[TLS Audit Report](/docs/AUDIT_TLS.md)**
 * The infrastructure of the **`CISS.debian.live.builder`** building system is visualized here. See: **[Centurion Net](/docs/CNET.md)**
 ### 1.1.3. Gitea Action Runner Hardening
 The CI runners operate on a dedicated host system located in a completely separate Autonomous System (AS). This host is solely 
 dedicated to providing CI runners and does not perform any other tasks. Each runner is hermetically isolated from others using 
 non-privileged, shell-less user accounts with no direct login capability. Additionally, each runner executes within its own 
 separate directory tree, employs `DynamicUser` features, and adheres to strict systemd hardening policies (achieving a ``systemd-analyze security`` 
 rating of **``2.6``**). Docker containers used by runners do not run in privileged mode. Security is further enhanced through the use 
 of both UFW software firewalls and dedicated hardware firewall appliances.
 ## 1.2. Immutable Source-of-Truth System
@@ -81,18 +96,18 @@ source-defined infrastructure logic.<br>
 After build and configuration, the following audit reports can be generated:
-* **Haveged Audit Report**: Validates entropy daemon health and confirms '/dev/random' seeding performance.
+* **Haveged Audit Report**: Validates entropy daemon health and confirms `/dev/random` seeding performance.
-  Type `chkhvg` at the prompt. See example report: [Haveged Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_HAVEGED.md)
+  Type `chkhvg` at the prompt. See example report: **[Haveged Audit Report](/docs/AUDIT_HAVEGED.md)**
 * **Lynis Audit Report**: Outputs a detailed security score and recommendations, confirming a 91%+ hardening baseline.
-  Type `lsadt` at the prompt. See example report: [Lynis Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_LYNIS.md)
+  Type `lsadt` at the prompt. See example report: **[Lynis Audit Report](/docs/AUDIT_LYNIS.md)**
 * **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations.
-  Type `ssh-audit <IP>:<PORT>`. See example report: [SSH Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_SSH.md)
+  Type `ssh-audit <IP>:<PORT>`. See example report: **[SSH Audit Report](/docs/AUDIT_SSH.md)**
-## 1.2. Preview
+## 1.3. Preview
 ![CISS.debian.live.builder](/docs/screenshots/CISS.debian.live.builder_preview.jpeg)
-## 1.3. Caution. Significant information for those considering using D-I.
+## 1.4. Caution. Significant information for those considering using D-I.
 **The Debian Installer (d-i) will ALWAYS boot a new system.**<br>
@@ -106,7 +121,7 @@ The following happens in all cases:
 * The installer kernel (/install/vmlinuz) + initrd.gz are started.
 * The existing live system is exited.
 * The memory is overwritten.
-* All running processes – e.g., firewall, hardened SSH access, etc. pp. – cease to exist.
+* All running processes - e.g., firewall, hardened SSH access, etc. pp. - cease to exist.
 The Debian Installer loads:
 * its own kernel,
@@ -123,6 +138,24 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 * Logging (rsyslog, journald) ✘ not active,
 * preseed control over the network is possible (but without any protection).
 ## 1.5. Versioning Schema
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
 Example: `V8.03.832.2025.06.24`
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 Date (YYYY.MM.DD) denotes the build or release date, facilitating clear tracking of incremental changes and ensuring 
 reproducibility and traceability.
 ## 1.6. Keywords
 The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
 "MAY", and "OPTIONAL" in this Repo are to be interpreted as described in [[BCP 14](https://www.rfc-editor.org/info/bcp14)], 
 [[RFC2119](https://datatracker.ietf.org/doc/html/rfc2119)], [[RFC8174](https://datatracker.ietf.org/doc/html/rfc8174)] when,
 and only when, they appear in all capitals, as shown here.
 # 2. Features & Rationale
 Below is a breakdown of each hardening component, with a summary of why each is critical to your security posture.
@@ -131,7 +164,7 @@ Below is a breakdown of each hardening component, with a summary of why each is
 ### 2.1.1. Boot Parameters
-* **Description**: Customizes kernel command‑line flags to disable unused features and enable mitigations.
+* **Description**: Customizes kernel command-line flags to disable unused features and enable mitigations.
 * **Key Parameters**:
  * `audit_backlog_limit=8192`: Ensures the audit subsystem can queue up to 8192 events to avoid dropped logs under heavy loads.
  * `audit=1`: Enables kernel auditing from boot to record system calls and security events.
@@ -171,12 +204,12 @@ Below is a breakdown of each hardening component, with a summary of why each is
 ### 2.1.2. CPU Vulnerability Mitigations
 * **Description**: Enables all known kernel-level mitigations (Spectre, Meltdown, MDS, L1TF, etc.).
-* **Rationale**: Prevents side‑channel attacks that exploit speculative execution, which remain a high‑risk vector in
+* **Rationale**: Prevents side-channel attacks that exploit speculative execution, which remain a high-risk vector in
-  multi‑tenant cloud environments.
+  multi-tenant cloud environments.
 ### 2.1.3. Kernel Self-Protection
-* **Description**: Activates `CONFIG_DEBUG_RODATA`, `CONFIG_STRICT_MODULE_RWX`, and other self‑protections.
+* **Description**: Activates `CONFIG_DEBUG_RODATA`, `CONFIG_STRICT_MODULE_RWX`, and other self-protections.
 * **Rationale**: Hardens kernel memory regions against unauthorized writings and enforces stricter module loading policies.
 ### 2.1.4. Local Kernel Hardening
@@ -210,14 +243,14 @@ apply or revert these controls.
 ## 2.2. Module Blacklisting
-* **Description**: Disables and blacklists non‑essential or insecure kernel modules.
+* **Description**: Disables and blacklists non-essential or insecure kernel modules.
 * **Rationale**: Minimizes attack surface by preventing loads of drivers or modules not required by the live environment.
 ## 2.3. Network Hardening
 * **Description**: Applies `sysctl` settings (e.g., `net.ipv4.conf.all.rp_filter=1`, `arp_ignore`, `arp_announce`) to restrict
  inbound/outbound traffic behaviors.
-* **Rationale**: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man‑in‑the‑middle on internal networks.
+* **Rationale**: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man-in-the-middle on internal networks.
 ## 2.4. Core Dump & Kernel Hardening
@@ -234,7 +267,7 @@ apply or revert these controls.
 ## 2.6. Permissions & Authentication
 * **Description**: Sets strict directory and file permissions, integrates with PAM modules (e.g., `pam_faillock`).
-* **Rationale**: Enforces the principle of least privilege at file‑system level and strengthens authentication policies.
+* **Rationale**: Enforces the principle of least privilege at file-system level and strengthens authentication policies.
 ## 2.7. High-Security Baseline (Lynis Audit)
@@ -248,11 +281,11 @@ apply or revert these controls.
 * **Description**: The SSH tunnel and access are secured through multiple layers of defense:
  * **Firewall Restriction**: ufw allows connections only from defined jump host or VPN exit node IPs.
  * **TCP Wrappers**: `/etc/hosts.allow` and `/etc/hosts.deny` enforce an `ALL: ALL` deny policy, permitting only specified hosts.
-  * **One‑Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/centurion-default.conf` immediately bans any host 
+  * **One-Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/centurion-default.conf` immediately bans any host 
    that touches closed ports. 
    * Additionally, the `fail2ban` service is hardened as well according to:
    [Arch Linux Wiki Fail2ban Hardening](https://wiki.archlinux.org/title/fail2ban#Service_hardening) 
-  * **SSH Ultra‑Hardening**: The `/etc/sshd_config` enforces strict cryptographic and connection controls with respect to 
+  * **SSH Ultra-Hardening**: The `/etc/sshd_config` enforces strict cryptographic and connection controls with respect to 
    [SSH Audit Guide Debian 12](https://www.ssh-audit.com/hardening_guides.html#debian_12):
    * `RekeyLimit 1G 1h`
    * `HostKey /etc/ssh/ssh_host_ed25519_key`
@@ -277,7 +310,7 @@ apply or revert these controls.
 ## 2.9. UFW Hardening
 * **Description**: Defaults to `deny incoming` and (optionally) `deny outgoing`; automatically opens only whitelisted ports.
-* **Rationale**: Implements a default‑deny firewall, reducing lateral movement and data exfiltration risks immediately after
+* **Rationale**: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after
  deployment.
 ## 2.10. Fail2Ban Enhancements
@@ -286,13 +319,13 @@ apply or revert these controls.
  * Bans any connection to a closed port for 24 hours
  * Automatically ignores designated bastion/jump host subnets
  * Hardened via `systemd` policy override to limit privileges of the Fail2Ban service itself
-* **Rationale**: Provides proactive defense against port scans and brute‑force attacks, while isolating the ban daemon in a
+* **Rationale**: Provides proactive defense against port scans and brute-force attacks, while isolating the ban daemon in a
-  minimal‑privilege context.
+  minimal-privilege context.
 ## 2.11. NTPsec & Chrony
 * **Description**: Installs `chrony`, selects PTB NTPsec servers by default.
-* **Rationale**: Ensures tamper‑resistant time synchronization, which is essential for log integrity, certificate validation,
+* **Rationale**: Ensures tamper-resistant time synchronization, which is essential for log integrity, certificate validation,
  and forensic accuracy.
 # 3. Script Features & Rationale
@@ -379,9 +412,16 @@ predictable script behavior.
   git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
   cd CISS.debian.live.builder
   ```
-2. Edit the '.gitea/workflows/generate-iso.yaml' file according to your requirements.
+2. Preparation:
   1. Ensure you are root.
   2. Create the build directory `mkdir /opt/livebuild`.
   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
   4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
   5. Make any other changes you need to.
 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
   ```yaml
   chmod 0700 ./ciss_live_builder.sh
   ./ciss_live_builder.sh --architecture amd64 \
                          --build-directory /opt/livebuild \
                          --change-splash hexagon \
@@ -396,16 +436,78 @@ predictable script behavior.
                          --ssh-port 4242 \
                          --ssh-pubkey /opt/gitea/CISS.debian.live.builder
   ```
-3. Locate your ISO in the `--build-directory`.
+4. Locate your ISO in the `--build-directory`.
-4. Boot from the ISO and login to the live image via the console, or the multi-layer secured coresecret SSH tunnel.
+5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
-5. Type `sysp` for the final kernel hardening features.
+6. Type `sysp` for the final kernel hardening features.
-6. Check the boot log with `jboot` and via `ssf` that all services are up.
+7. Check the boot log with `jboot` and via `ssf` that all services are up.
-7. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit.
+8. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit.
-8. Type `celp` for some shortcuts.
+9. Type `celp` for some shortcuts.
 # 5.2. CI/CD Gitea Runner Workflow Example
-1. tba
+1. Clone the repository:
   ```bash
   git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
   cd CISS.debian.live.builder
   ```
 2. Edit the `.gitea/workflows/generate-iso.yaml` file according to your requirements. Ensure that the trigger file
   `.gitea/trigger/t_generate.iso.yaml` and the counter are updated. Change all the necessary `{{ secrets.VAR }}`.
   Push your commits to trigger the workflow. Then download your final ISO from the specified Location.
  ```yaml
  #...
      steps:
        - name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
          run: |
            rm -rf ~/.ssh && mkdir -m700 ~/.ssh
            ### Private Key
            echo "${{ secrets.CHANGE_ME }}" >| ~/.ssh/id_ed25519
            chmod 600 ~/.ssh/id_ed25519
  #...
        ### https://github.com/actions/checkout/issues/1843
        - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
          run: |
            git clone --branch "${GITHUB_REF_NAME}" ssh://git@CHANGE_ME .
  #...
        - name: Importing the 'CI PGP DEPLOY ONLY' key.
          run: |
            ### GPG-Home relative to the Runner Workspace to avoid changing global files.
            export GNUPGHOME="$(pwd)/.gnupg"
            mkdir -m700 "${GNUPGHOME}"
            echo "${{ secrets.CHANGE_ME }}" >| ci-bot.sec.asc
  #...
        - name: Configuring Git for signed CI/DEPLOY commits.
          run: |
            export GNUPGHOME="$(pwd)/.gnupg"
            git config user.name "CHANGE_ME"
            git config user.email "CHANGE_ME"
  #...
        - name: Preparing the build environment.
          run: |
            mkdir -p /opt/config
            mkdir -p /opt/livebuild
            echo "${{ secrets.CHANGE_ME }}" >| /opt/config/password.txt
            echo "${{ secrets.CHANGE_ME }}" >| /opt/config/authorized_keys
  #...
        - name: Starting CISS.debian.live.builder. This may take a while ...
          run: |
            chmod 0700 ciss_live_builder.sh && chown root:root ciss_live_builder.sh
            timestamp=$(date -u +"%Y_%m_%d_%H_%M_Z")
            ### Change "--autobuild=" to the specific kernel version you need: '6.12.22+bpo-amd64'.
            ./ciss_live_builder.sh \
              --autobuild=CHANGE_ME \
              --architecture CHANGE_ME \
              --build-directory /opt/livebuild \
              --control "${timestamp}" \
              --jump-host "${{ secrets.CHANGE_ME }}" \
              --root-password-file /opt/config/password.txt \
              --ssh-port CHANGE_ME \
              --ssh-pubkey /opt/config
  #...
        ### SKIP OR CHANGE ALL REMAINING STEPS
  ```
 # 6. Licensing & Compliance
@@ -415,7 +517,7 @@ standard for license expressions and metadata.
 # 7. Disclaimer
-This README is provided "as‑is" without any warranty. Review your organization's policies before deploying to production.
+This README is provided "as-is" without any warranty. Review your organization's policies before deploying to production.
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -37,111 +37,108 @@
  . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
 [[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && {
  . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
 [[ ${#} -eq 0 ]] && {
  . ./lib/lib_usage.sh; usage; exit 1; }
-declare -g VAR_HANDLER_AUTOBUILD="false"
+### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT()
-declare -gr VAR_CONTACT="security@coresecret.eu"
+. ./var/early.var.sh
-declare -gr VAR_VERSION="Master V8.02.644.2025.05.31"
+. ./lib/lib_guard_sourcing.sh
 . ./lib/lib_git_var.sh
-### VERY EARLY CHECK FOR AUTO-BUILD, CONTACT, USAGE, AND VERSION STRING
+### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG
-declare arg
+for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done
-if [[ ${#} -eq 0 ]]; then . ./lib/lib_usage.sh; usage; exit 1; fi
+for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh; usage; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -g VAR_HANDLER_AUTOBUILD=true; declare -g VAR_KERNEL="${arg#*=}";; esac; done
 for arg in "$@"; do case "${arg,,}" in -c|--contact) printf "\e[95mCISS.debian.live.builder Contact: %s\e[0m\n" "${VAR_CONTACT}"; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh; usage; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -v|--version) printf "\e[95mCISS.debian.live.builder Version: %s\e[0m\n" "${VAR_VERSION}"; exit 0;; esac; done
 unset arg
-### VERY EARLY CHECK FOR XTRACE DEBUGGING
+### ALL CHECKS DONE. READY TO START THE SCRIPT
-if [[ $* == *" --debug "* ]]; then
+check_git
-  . ./lib/lib_debug.sh
+for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done
-  debugger "${@}"
+declare -gx VAR_SETUP="true"
 else
  declare -grx VAR_EARLY_DEBUG=false
 fi
-### Advisory Lock
+### SOURCING VARIABLES
-exec 127>/var/lock/ciss_live_builder.lock || {
+[[ "${VAR_SETUP}" == true ]] && {
  . ./var/bash.var.sh
  . ./var/color.var.sh
  . ./var/global.var.sh
 }
 ### SOURCING LIBRARIES
 [[ "${VAR_SETUP}" == true ]] && {
  . ./lib/lib_arg_parser.sh
  . ./lib/lib_arg_priority_check.sh
  . ./lib/lib_boot_screen.sh
  . ./lib/lib_cdi.sh
  . ./lib/lib_change_splash.sh
  . ./lib/lib_check_dhcp.sh
  . ./lib/lib_check_hooks.sh
  . ./lib/lib_check_kernel.sh
  . ./lib/lib_check_pkgs.sh
  . ./lib/lib_check_provider.sh
  . ./lib/lib_check_stats.sh
  . ./lib/lib_check_var.sh
  . ./lib/lib_clean_screen.sh
  . ./lib/lib_clean_up.sh
  . ./lib/lib_copy_integrity.sh
  . ./lib/lib_hardening_root_pw.sh
  . ./lib/lib_hardening_ssh.sh
  . ./lib/lib_hardening_ultra.sh
  . ./lib/lib_helper_ip.sh
  . ./lib/lib_lb_build_start.sh
  . ./lib/lib_lb_config_start.sh
  . ./lib/lib_lb_config_write.sh
  . ./lib/lib_provider_netcup.sh
  . ./lib/lib_run_analysis.sh
  . ./lib/lib_sanitizer.sh
  . ./lib/lib_trap_on_err.sh
  . ./lib/lib_trap_on_exit.sh
  . ./lib/lib_usage.sh
 }
 ### ADVISORY LOCK
 exec 127>/var/lock/ciss_live_builder.lock || {
  printf "\e[91m❌ Cannot open lockfile for writing! Bye... \e[0m\n" >&2
  exit "${ERR_FLOCK_WRTG}"
 }
 if ! flock -x -n 127; then
  . ./var/global.var.sh
  printf "\e[91m❌ Another instance is running! Bye...\e[0m\n" >&2
  exit "${ERR_FLOCK_COLL}"
 fi
-### Checking required packages
+### CHECK FOR AUTOBUILD MODE
-. ./lib/lib_check_pkgs.sh
+for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -gx VAR_HANDLER_AUTOBUILD="true"; declare -gx VAR_KERNEL="${arg#*=}";; esac; done; unset arg
 for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *) PATH="${PATH}:${dir}" ;; esac; done; export PATH; unset dir
 ### CHECKING REQUIRED PACKAGES
 check_pkgs
-### Dialog Output for Initialization
+### DIALOG OUTPUT FOR INITIALIZATION
-if ! $VAR_HANDLER_AUTOBUILD; then . ./lib/lib_boot_screen.sh && boot_screen; fi
+if ! $VAR_HANDLER_AUTOBUILD; then boot_screen; fi
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nUpdating variables ... \nXXX\n05\n" >&3; fi
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
 . ./var/global.var.sh
 . ./var/colors.var.sh
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nEnabling Bash Error Handling ... \nXXX\n15\n" >&3; fi
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
 ### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
 set -o errexit   # Exit script when a command exits with non-zero status, the same as "set -e".
 set -o errtrace  # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
 set -o functrace # Any traps on DEBUG and RETURN are inherited in a subshell environment, the same as "set -T".
 set -o nounset   # Exit script on use of an undefined variable, the same as "set -u".
 set -o pipefail  # Makes pipelines return the exit status of the last command in the pipe that failed.
 set -o noclobber # Prevent overwriting, the same as "set -C".
 ### Updating Status of Dialog Gauge Bar
 if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nAdditional initialization ... \nXXX\n25\n" >&3; fi
 ### Initialization
 declare -gr ARGUMENTS_COUNT="$#"
 declare -gr ARG_STR_ORG_INPUT="$*"
 #declare -ar ARG_ARY_ORG_INPUT=("$@")
 # shellcheck disable=SC2155
-declare -gr SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
+declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
 # shellcheck disable=SC2155
 declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
 # shellcheck disable=SC2155
 declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSourcing Libraries ... \nXXX\n50\n" >&3; fi
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
-. ./lib/lib_arg_parser.sh
+### Following the CISS Bash naming and ordering scheme:
 . ./lib/lib_arg_priority_check.sh
 . ./lib/lib_cdi.sh
 . ./lib/lib_change_splash.sh
 . ./lib/lib_check_dhcp.sh
 . ./lib/lib_check_hooks.sh
 . ./lib/lib_check_kernel.sh
 . ./lib/lib_check_provider.sh
 . ./lib/lib_check_stats.sh
 . ./lib/lib_check_var.sh
 . ./lib/lib_clean_screen.sh
 . ./lib/lib_clean_up.sh
 . ./lib/lib_copy_integrity.sh
 . ./lib/lib_hardening_root_pw.sh
 . ./lib/lib_hardening_ssh.sh
 . ./lib/lib_hardening_ultra.sh
 . ./lib/lib_helper_ip.sh
 . ./lib/lib_lb_build_start.sh
 . ./lib/lib_lb_config_start.sh
 . ./lib/lib_lb_config_write.sh
 . ./lib/lib_provider_netcup.sh
 . ./lib/lib_run_analysis.sh
 . ./lib/lib_sanitizer.sh
 . ./lib/lib_trap_on_err.sh
 . ./lib/lib_trap_on_exit.sh
 . ./lib/lib_usage.sh
 ### Updating Status of Dialog Gauge Bar
 if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nActivate traps ... \nXXX\n55\n" >&3; fi
 ### Following the CISS Bash naming and ordering scheme
 trap 'trap_on_exit "$?"' EXIT
 trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSanitizing Arguments ... \nXXX\n70\n" >&3; fi
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
 arg_check "$@"
 declare -ar ARY_ARG_SANITIZED=("$@")
 declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
@@ -157,6 +154,7 @@ clean_ip
 ### Updating Status of Dialog Gauge Bar
 if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
 ### Turn off Dialog Wrapper
 if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
 ### MAIN Program
--- a/config/bootloaders/grub-efi/grub.cfg
+++ b/config/bootloaders/grub-efi/grub.cfg
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/bootloaders/grub-pc/grub.cfg
+++ b/config/bootloaders/grub-pc/grub.cfg
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/0000_generate_backup_dir.chroot
+++ b/config/hooks/live/0000_generate_backup_dir.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -48,7 +48,7 @@ cat << EOF >| /etc/initramfs-tools/modules
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -113,7 +113,7 @@ cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -148,7 +148,7 @@ cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -207,9 +207,9 @@ COMPRESS=zstd
 # Defaults vary by compressor.
 #
 # Valid values are:
-# 1–9 for gzip|bzip2|lzma|lzop
+# 1-9 for gzip|bzip2|lzma|lzop
-# 0–9 for  lz4|xz
+# 0-9 for  lz4|xz
-# 0–19 for zstd
+# 0-19 for zstd
 # COMPRESSLEVEL=3
 #
@@ -253,7 +253,7 @@ cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
--- a/config/hooks/live/0002_verify_checksums.chroot
+++ b/config/hooks/live/0002_verify_checksums.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -27,7 +27,7 @@ cat << 'EOF' >| "${src}"
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
--- a/config/hooks/live/0003_install_backports.chroot
+++ b/config/hooks/live/0003_install_backports.chroot
@@ -0,0 +1,39 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 DEBIAN_FRONTEND=noninteractive \
  apt-get update && \
    DEBIAN_FRONTEND=noninteractive \
      apt-get install -y --no-install-recommends \
        -o Dpkg::Options::="--force-confdef" \
        -o Dpkg::Options::="--force-confold" \
        -t bookworm-backports \
        btrfs-progs \
        curl \
        debootstrap \
        iproute2 \
        ncat \
        nmap \
        ssh \
        systemd \
        systemd-sysv \
        whois
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0050_activate_root.chroot
+++ b/config/hooks/live/0050_activate_root.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
--- a/config/hooks/live/0080_keyboard_layout.chroot
+++ b/config/hooks/live/0080_keyboard_layout.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/0090_haveged.chroot
+++ b/config/hooks/live/0090_haveged.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/0120_set_hostname.chroot
+++ b/config/hooks/live/0120_set_hostname.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/0130_machineid.chroot
+++ b/config/hooks/live/0130_machineid.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/0400_eza_install.chroot
+++ b/config/hooks/live/0400_eza_install.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -133,14 +133,6 @@ symlink_path: {foreground: Cyan}
 control_char: {foreground: Red}
 broken_symlink: {foreground: Red}
 broken_path_overlay: {foreground: Default, is_underlined: true}
 filenames:
  # Custom filename-based overrides
  # Cargo.toml: {icon: {glyph: ðŸ¦€}}
 extensions:
  # Custom extension-based overrides
  # rs: {filename: {foreground: Red}, icon: {glyph: ðŸ¦€}}
 EOF
 chmod 0644 "/root/eza-themes/themes/centurion.yml"
--- a/config/hooks/live/0800_lynis_setup.chroot
+++ b/config/hooks/live/0800_lynis_setup.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/0810_chrony_setup.chroot
+++ b/config/hooks/live/0810_chrony_setup.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/0820_kernel_hardening_checker.chroot
+++ b/config/hooks/live/0820_kernel_hardening_checker.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/0822_ssh_restart_hook.chroot
+++ b/config/hooks/live/0822_ssh_restart_hook.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -29,7 +29,7 @@ cat << 'EOF' >| /usr/local/bin/restart-ssh.sh
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/0825_my_sqltuner_perl.chroot
+++ b/config/hooks/live/0825_my_sqltuner_perl.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/0830_download_yq.chroot
+++ b/config/hooks/live/0830_download_yq.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/0835_testssl.sh.chroot
+++ b/config/hooks/live/0835_testssl.sh.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
+++ b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/0845_harbian_audit.chroot
+++ b/config/hooks/live/0845_harbian_audit.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/0850_ssh_audit.chroot
+++ b/config/hooks/live/0850_ssh_audit.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
--- a/config/hooks/live/0855_dnsviz.chroot
+++ b/config/hooks/live/0855_dnsviz.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
--- a/config/hooks/live/0900_ufw_setup.chroot
+++ b/config/hooks/live/0900_ufw_setup.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot
+++ b/config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/9900_process_accounting.chroot
+++ b/config/hooks/live/9900_process_accounting.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
--- a/config/hooks/live/9910_motd.chroot
+++ b/config/hooks/live/9910_motd.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
--- a/config/hooks/live/9920_deleting_invalid_x509.chroot
+++ b/config/hooks/live/9920_deleting_invalid_x509.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/9930_hardening_ssh.chroot
+++ b/config/hooks/live/9930_hardening_ssh.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/9940_hardening_memory.dump.chroot
+++ b/config/hooks/live/9940_hardening_memory.dump.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/9950_fail2ban_hardening.chroot
+++ b/config/hooks/live/9950_fail2ban_hardening.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -30,7 +30,7 @@ cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
@@ -46,7 +46,7 @@ findtime  = 24h
 bantime   = 24h
 ### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
-###               Jump host mistyped 1–3 times: no ban, only after four attempts          [sshd]
+###               Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]
 [sshd]
 enabled   = true
--- a/config/hooks/live/9960_disable_services.chroot
+++ b/config/hooks/live/9960_disable_services.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/9970_remove_exim.chroot
+++ b/config/hooks/live/9970_remove_exim.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/9980_usb_guard.chroot
+++ b/config/hooks/live/9980_usb_guard.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/hooks/live/9985_clamav.chroot
+++ b/config/hooks/live/9985_clamav.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -32,8 +32,8 @@ ReadOnlyPaths=/
 ReadWritePaths=/var/lib/clamav /var/log/clamav /var/run/clamav /run/clamav
 MemoryDenyWriteExecute=yes
-MemoryLimit=512M
+#MemoryLimit=4096M
-CPUShares=512
+#CPUShares=512
 RestrictAddressFamilies=AF_INET AF_INET6
 RestrictNamespaces=yes
@@ -58,8 +58,8 @@ ReadOnlyPaths=/
 ReadWritePaths=/var/lib/clamav /var/log/clamav /var/run/clamav
 MemoryDenyWriteExecute=yes
-MemoryLimit=512M
+#MemoryLimit=4096M
-CPUShares=512
+#CPUShares=512
 RestrictAddressFamilies=AF_INET AF_INET6
 RestrictNamespaces=yes
--- a/config/hooks/live/9990_final_purge.chroot
+++ b/config/hooks/live/9990_final_purge.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -16,13 +16,13 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 apt-get update -y
-apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config \
+apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
-qemu-guest-agent rmail sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
+#sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
-apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config \
+apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
-qemu-guest-agent rmail sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
+#sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
-dpkg --get-selections | grep deinstall >> /tmp/deinstall.log || true
+dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true
 if [[ -s /tmp/deinstall.log ]]; then
  printf "\n"
--- a/config/hooks/live/9991_file_permissions.chroot
+++ b/config/hooks/live/9991_file_permissions.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -39,6 +39,7 @@ EOF
 cp -a /etc/login.defs /root/.ciss/dlb/backup/login.defs.bak
 sed -ri 's/^(#?LOGIN_TIMEOUT)[[:space:]]+[0-9]+/\1 180/' /etc/login.defs
 sed -i 's/UMASK		022/UMASK		077/' /etc/login.defs
 sed -i 's/PASS_MAX_DAYS	99999/PASS_MAX_DAYS	16384/' /etc/login.defs
 sed -i 's/PASS_MIN_DAYS	0/PASS_MIN_DAYS	1/' /etc/login.defs
--- a/config/hooks/live/9992_password_expiration.chroot
+++ b/config/hooks/live/9992_password_expiration.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
--- a/config/hooks/live/9993_aide.chroot
+++ b/config/hooks/live/9993_aide.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -14,12 +14,12 @@ set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
-apt-get install -y aide
+apt-get install -y aide > /dev/null 2>&1
 cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
 sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf
-if aideinit; then
+if aideinit > /dev/null 2>&1; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'aideinit' successful. \e[0m\n"
 else
  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'aideinit' NOT successful. \e[0m\n" >&2
--- a/config/hooks/live/9994_password_policy.chroot
+++ b/config/hooks/live/9994_password_policy.chroot
@@ -3,15 +3,15 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### NIST recommends at least eight characters but advises longer passphrases (e.g., 12–64) for increased security.
+### NIST recommends at least eight characters but advises longer passphrases (e.g., 12-64) for increased security.
-### NIST SP 800–63B, https://pages.nist.gov/800-63-3/sp800-63b.html
+### NIST SP 800-63B, https://pages.nist.gov/800-63-3/sp800-63b.html
 set -C -e -u -o pipefail
@@ -26,7 +26,7 @@ cat << 'EOF' >| /etc/security/pwquality.conf
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -34,7 +34,7 @@ cat << 'EOF' >| /etc/security/pwquality.conf
 # SPDX-Security-Contact: security@coresecret.eu
 ### Current recommendations for '/etc/security/pwquality.conf' based on common best practices,
-### including NIST SP 800–63B, https://pages.nist.gov/800-63-3/sp800-63b.html
+### including NIST SP 800-63B, https://pages.nist.gov/800-63-3/sp800-63b.html
 ### and weighing usability against security.
 ### Configuration for systemwide password quality limits
@@ -46,16 +46,16 @@ difok = 4
 ### Length over complexity: Studies show that longer passphrases are significantly more
 ### resistant to brute-force and dictionary attacks. NIST recommends at least eight characters
-### but advises longer passphrases (e.g., 12–64) for increased security. Twenty characters strike a
+### but advises longer passphrases (e.g., 12-64) for increased security. Twenty characters strike a
 ### good balance between security and user convenience.
 ### Minimum acceptable size for the new password (plus one if
 ### credits are not disabled, which is the default). (See pam_cracklib manual.)
 ### Cannot be set to a lower value than 6.
-minlen = 20
+minlen = 40
 ### dcredit = 0, ucredit = 0, lcredit = 0, ocredit = 0, minclass = 0
-### NIST SP 800–63B advises against rigid complexity rules (numbers, symbols, uppercase)
+### NIST SP 800-63B advises against rigid complexity rules (numbers, symbols, uppercase)
-### because they can lead users to adopt predictable patterns (e.g., “Pa$$word!”).
+### because they can lead users to adopt predictable patterns (e.g., "Pa$$word!").
 ### Length and dictionary checks are more effective.
  ### The maximum credit for having digits in the new password. If less than 0
@@ -83,12 +83,12 @@ minlen = 20
 ### The maximum number of allowed consecutive same characters in the new password.
 ### The check is disabled if the value is 0.
-maxrepeat = 2
+maxrepeat = 3
 ### The maximum number of allowed consecutive characters of the same class in the
 ### new password.
 ### The check is disabled if the value is 0.
-maxclassrepeat = 4
+maxclassrepeat = 0
 ### Whether to check for the words from the passwd entry GECOS string of the user.
 ### The check is enabled if the value is not 0.
--- a/config/hooks/live/9995_sysstat.chroot
+++ b/config/hooks/live/9995_sysstat.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
--- a/config/hooks/live/9996_auditd.chroot
+++ b/config/hooks/live/9996_auditd.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
--- a/config/hooks/live/9997_debsums.chroot
+++ b/config/hooks/live/9997_debsums.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -22,7 +22,7 @@ cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak
 chmod 0644 /root/.ciss/dlb/backup/debsums.bak
 sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
-if debsums -g; then
+if debsums -g > /dev/null 2>&1; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'debsums -g' successful. \e[0m\n"
 else
  # Omit false negative error output to stdout and stderr, as no problematic errors occur on startup.
--- a/config/hooks/live/9998_sources_list.chroot
+++ b/config/hooks/live/9998_sources_list.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -25,7 +25,7 @@ cat << 'EOF' >| /etc/apt/sources.list
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
--- a/config/hooks/live/9999_interfaces_update.chroot
+++ b/config/hooks/live/9999_interfaces_update.chroot
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -22,7 +22,7 @@ cat << 'EOF' >| /etc/network/interfaces
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.binary/boot/grub/config.cfg
+++ b/config/includes.binary/boot/grub/config.cfg
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
--- a/config/includes.chroot/etc/live/config.conf
+++ b/config/includes.chroot/etc/live/config.conf
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/etc/modprobe.d/30-cendev-hardening.conf
+++ b/config/includes.chroot/etc/modprobe.d/30-cendev-hardening.conf
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/etc/network/interfaces
+++ b/config/includes.chroot/etc/network/interfaces
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -2,14 +2,14 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.02.644.2025.05.31
+### Version Master V8.03.832.2025.06.24
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -51,7 +51,7 @@ MaxSessions                  2
 MaxStartups                  08:64:16
 ### Restrict each individual source IP to only 4 unauthenticated connection slot
 ### in the concurrent MaxStartups pool, preventing one IP from monopolizing slots.
-PerSourceMaxStartups         4
+PerSourceMaxStartups         8
 ClientAliveInterval          300
 ClientAliveCountMax          2
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -2,14 +2,14 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.02.644.2025.05.31
+### Version Master V8.03.832.2025.06.24
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
--- a/config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf
+++ b/config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/preseed/.ash/0_di_preseed_include_command.sh
+++ b/config/includes.chroot/preseed/.ash/0_di_preseed_include_command.sh
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/preseed/.ash/1_di_preseed_early_command.sh
+++ b/config/includes.chroot/preseed/.ash/1_di_preseed_early_command.sh
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/preseed/.ash/2_di_partman_early_command.sh
+++ b/config/includes.chroot/preseed/.ash/2_di_partman_early_command.sh
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/preseed/.ash/3_di_preseed_late_command.sh
+++ b/config/includes.chroot/preseed/.ash/3_di_preseed_late_command.sh
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/preseed/.ash/di_scripting_flexibility.sh
+++ b/config/includes.chroot/preseed/.ash/di_scripting_flexibility.sh
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/preseed/.ash/di_scripting_password.sh
+++ b/config/includes.chroot/preseed/.ash/di_scripting_password.sh
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -26,13 +26,13 @@ grep -o '[!-~]' /dev/urandom | tr -d '\n' | head -c64 >> "${TMP_PASSPHRASE_FILE}
 DEB_INSTALLER_CRYPT_INC_FILE=$(mktemp)
 readonly DEB_INSTALLER_CRYPT_INC_FILE
-# Read the first line (the passphrase) – POSIX-compliant
+# Read the first line (the passphrase) - POSIX-compliant
 # IFS= prevents leading/trailing spaces from being truncated,
 # -r ensures that backslashes are not interpreted.
 IFS= read -r passphrase < "${TMP_PASSPHRASE_FILE}"
 # A single printf call with exactly one redirect
-# – ShellCheck-compliant and valid in POSIX-sh
+# - ShellCheck-compliant and valid in POSIX-sh
 printf 'd-i partman-crypto/passphrase string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"
 printf 'd-i partman-crypto/passphrase-again string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"
--- a/config/includes.chroot/preseed/.ash/di_scripting_ssh.sh
+++ b/config/includes.chroot/preseed/.ash/di_scripting_ssh.sh
@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/preseed/.cfg/.directories.cfg
+++ b/config/includes.chroot/preseed/.cfg/.directories.cfg
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/preseed/.cfg/apt.cfg
+++ b/config/includes.chroot/preseed/.cfg/apt.cfg
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/preseed/.cfg/base.cfg
+++ b/config/includes.chroot/preseed/.cfg/base.cfg
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/preseed/.cfg/finished.cfg
+++ b/config/includes.chroot/preseed/.cfg/finished.cfg
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/preseed/.cfg/firmware.cfg
+++ b/config/includes.chroot/preseed/.cfg/firmware.cfg
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/preseed/.cfg/grub.cfg
+++ b/config/includes.chroot/preseed/.cfg/grub.cfg
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/preseed/.cfg/locale.cfg
+++ b/config/includes.chroot/preseed/.cfg/locale.cfg
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/preseed/.cfg/modules.cfg
+++ b/config/includes.chroot/preseed/.cfg/modules.cfg
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/preseed/.cfg/network.cfg
+++ b/config/includes.chroot/preseed/.cfg/network.cfg
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/preseed/.cfg/packages.cfg
+++ b/config/includes.chroot/preseed/.cfg/packages.cfg
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/preseed/.cfg/partitioning.cfg
+++ b/config/includes.chroot/preseed/.cfg/partitioning.cfg
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/preseed/.cfg/security.cfg
+++ b/config/includes.chroot/preseed/.cfg/security.cfg
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/preseed/.cfg/software.cfg
+++ b/config/includes.chroot/preseed/.cfg/software.cfg
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/preseed/.cfg/ssh.cfg
+++ b/config/includes.chroot/preseed/.cfg/ssh.cfg
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/config/includes.chroot/preseed/.cfg/time.cfg
+++ b/config/includes.chroot/preseed/.cfg/time.cfg
@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
--- a/Show More
+++ b/Show More