DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]

X-CI-Metadata: master@99d669d at 2025-12-06T04:39:52Z on 941bb339cd9a

Generated at : 2025-12-06T04:39:52Z
Runner Host  : 941bb339cd9a
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 99d669d HEAD -> master

.archive/0010_dhcp_supersede.sh

@@ -0,0 +1,113 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+if [[ ! -d "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp ]]; then
+
+  mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp
+
+fi
+
+cat << 'EOF' >> "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp/dhclient.conf
+
+# Custom dhclient config to override DHCP DNS
+# dns01.eddns.eu, dns02.eddns.de, dns03.eddns.eu;
+
+supersede domain-name-servers 135.181.207.105, 89.58.62.53, 138.199.237.109;
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+
+cat << 'EOF' >> "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcpcd.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### No Global APIPA-Fallback.
+noipv4ll
+
+### A ServerID is required by RFC2131.
+require dhcp_server_identifier
+
+### Respect the network MTU. This is applied to DHCP routes.
+option interface_mtu
+
+### A list of options to request from the DHCP server.
+option host_name
+option domain_name
+option domain_search
+option rapid_commit
+
+### Most distributions have NTP support.
+option ntp_servers
+
+### Ask server to update both A and PTR via FQDN (RFC 4702 semantics).
+fqdn both
+
+###-----------------------------------------------------------------------------------------------------------------------------
+### Global defaults for all interfaces.
+#option host_name
+#option domain_name
+#option domain_search
+
+### Ask server to update both A and PTR via FQDN (RFC 4702 semantics).
+#fqdn both
+###-----------------------------------------------------------------------------------------------------------------------------
+
+### Enforce static DNS and prevent dhcpcd from writing 'resolv.conf'.
+nooption domain_name_servers
+nohook resolv.conf rdnssd
+
+### Static resolvers (IPv4).
+### (This does NOT write '/etc/resolv.conf' because of nohook above.)
+static domain_name_servers=135.181.207.105 89.58.62.53 138.199.237.109
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+
+cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/resolv.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# static /etc/resolv.conf (CISS)
+
+nameserver 135.181.207.105
+nameserver 89.58.62.53
+nameserver 138.199.237.109
+options edns0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.archive/0100_ciss_mem_wipe.chroot

@@ -0,0 +1,302 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+
+apt-get install -y --no-install-recommends kexec-tools
+
+install -d -m 0755 /boot/ciss-memwipe
+install -d -m 0755 /usr/local/sbin
+install -d -m 0755 /etc/systemd/system
+install -d -m 0755 /etc/default
+
+### Pick a kernel to kexec into: use the latest installed vmlinuz. -------------------------------------------------------------
+# shellcheck disable=SC2012,SC2155
+declare _KERNEL="$(cd /boot && ls -1 vmlinuz-* | sed 's|vmlinuz-||' | sort -V | tail -n1)"
+cp -f "/boot/vmlinuz-${_KERNEL}" /boot/ciss-memwipe/vmlinuz
+
+### Build minimal initramfs with a busybox and a tiny '/init'. -----------------------------------------------------------------
+declare _TMP_DIR; _TMP_DIR="$(mktemp -d)"
+trap 'rm -rf "${_TMP_DIR}"' EXIT
+
+mkdir -p "${_TMP_DIR}"/{bin,dev,proc,sys,wipe}
+
+### Locate the current busybox binary. -----------------------------------------------------------------------------------------
+declare _BUSYBOX_BIN; _BUSYBOX_BIN="$(command -v busybox || true)"
+if [[ -z "${_BUSYBOX_BIN}" ]]; then
+  echo "ERROR: busybox not found after installation attempt." >&2
+  exit 42
+fi
+
+cp -f "${_BUSYBOX_BIN}" "${_TMP_DIR}/bin/busybox"
+
+#######################################
+# Copy required shared libs into the initramfs (if the busybox is dynamic).
+# Globals:
+#   _TMP_DIR
+# Arguments:
+#   1: _BUSYBOX_BIN
+# Returns:
+#   0: on success
+#######################################
+copy_libs() {
+  declare bin="$1"
+
+  if ldd "${bin}" 2>&1 | grep -q 'not a dynamic executable'; then
+    return 0
+  fi
+
+  ldd "${bin}" | awk '
+    /=> \// {print $3}
+    # some libs are printed as absolute path without "=>"
+    /^\//    {print $1}
+  ' | while read -r lib; do
+    [[ -n "${lib}" ]] || continue
+    dest="${_TMP_DIR}$(dirname "${lib}")"
+    install -d -m 0755 "${dest}"
+    cp -f "${lib}" "${dest}"
+  done
+}
+
+copy_libs "${_BUSYBOX_BIN}"
+
+### Generate '/init' script ----------------------------------------------------------------------------------------------------
+cat << 'EOF' >| "${_TMP_DIR}/init"
+#!/bin/busybox sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Minimal init to wipe RAM, then power off.
+# Parses cmdline: ciss_wipe_passes=2 ciss_wipe_mode=zero+random ciss_dd_bs=64M ciss_tmpfs_pct=95
+set -eu
+
+#######################################
+# Helper
+# Globals:
+#   None
+# Arguments:
+#   1: key
+# Returns:
+#   0: on success
+#######################################
+get_arg() { # $1=key ; echoes value or empty
+  for tok in $(cat /proc/cmdline); do
+    case "$tok" in
+      $1=*) echo "${tok#*=}"; return 0;;
+    esac
+  done
+  echo ""
+}
+
+mount -t devtmpfs devtmpfs /dev 2>/dev/null || true
+[ -e /dev/console ] || mknod -m 600 /dev/console c 5 1
+[ -e /dev/null ]    || mknod -m 666 /dev/null c 1 3
+[ -e /dev/urandom ] || mknod -m 444 /dev/urandom c 1 9
+
+mount -t proc proc /proc
+mount -t sysfs sysfs /sys
+
+PASSES="$(get_arg ciss_wipe_passes)"; [ -n "${PASSES}" ] || PASSES=2
+MODE="$(get_arg ciss_wipe_mode)"; [ -n "${MODE}" ] || MODE="zero+random"
+BS="$(get_arg ciss_dd_bs)"; [ -n "${BS}" ] || BS=64M
+PCT="$(get_arg ciss_tmpfs_pct)"; [ -n "${PCT}" ] || PCT=95
+
+echo 1 >| /proc/sys/kernel/printk 2>/dev/null || true
+
+MEM_KB="$(awk '/MemTotal:/ {print $2}' /proc/meminfo)"
+SIZE_KB=$(( MEM_KB * PCT / 100 ))
+mount -t tmpfs -o "size=${SIZE_KB}k,nodev,nosuid,noexec,mode=0700" tmpfs /wipe
+
+#######################################
+# Wipe helper
+# Globals:
+#   None
+# Arguments:
+#   1: pattern
+# Returns:
+#   0: on success
+#######################################
+wipe_pass() {
+  pattern="$1" # zero or random
+  if [ "$pattern" = "zero" ]; then
+    src="/dev/zero"
+  else
+    src="/dev/urandom"
+  fi
+
+  i=0
+  while :; do
+    # Use busybox dd explicitly to avoid surprises
+    busybox dd if="$src" of="/wipe/block_$i" bs="$BS" status=none || break
+    i=$((i+1))
+  done
+  sync
+  echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
+  rm -f /wipe/block_* 2>/dev/null || true
+  sync
+  return 0
+}
+
+DO_ZERO=0; DO_RANDOM=0
+case "$MODE" in
+  zero) DO_ZERO=1 ;;
+  random) DO_RANDOM=1 ;;
+  zero+random|random+zero) DO_ZERO=1; DO_RANDOM=1 ;;
+  *) DO_ZERO=1 ;;
+esac
+
+p=1
+while [ $p -le "$PASSES" ]; do
+  [ $DO_ZERO -eq 1 ] && wipe_pass zero
+  [ $DO_RANDOM -eq 1 ] && wipe_pass random
+  p=$((p+1))
+done
+
+sync
+busybox poweroff -f || echo o >| /proc/sysrq-trigger
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+chmod +x "${_TMP_DIR}/init"
+
+### Create the initramfs archive -----------------------------------------------------------------------------------------------
+( cd "${_TMP_DIR}" && find . -print0 | cpio --null -ov --format=newc ) | gzip -9 > /boot/ciss-memwipe/initrd.img
+
+### Default configuration.
+cat << 'EOF' >| /etc/default/ciss-memwipe
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# CISS Memory Wipe defaults:
+
+CISS_WIPE_PASSES=2             # number of passes
+CISS_WIPE_MODE="zero+random"   # zero | random | zero+random
+CISS_WIPE_DD_BS="64M"          # dd block size
+CISS_WIPE_TMPFS_PCT=95         # percentage of MemTotal to allocate
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+### Helper script --------------------------------------------------------------------------------------------------------------
+cat << 'EOF' >| /usr/local/sbin/ciss-memwipe
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -euo pipefail
+
+. /etc/default/ciss-memwipe || true
+
+KERNEL="/boot/ciss-memwipe/vmlinuz"
+INITRD="/boot/ciss-memwipe/initrd.img"
+
+append_common="quiet loglevel=1 ciss_wipe_passes=${CISS_WIPE_PASSES:-2} ciss_wipe_mode=${CISS_WIPE_MODE:-zero+random} ciss_dd_bs=${CISS_WIPE_DD_BS:-64M} ciss_tmpfs_pct=${CISS_WIPE_TMPFS_PCT:-95}"
+
+prepare() {
+  if [ -w /proc/sys/kernel/kexec_load_disabled ] && [ "$(cat /proc/sys/kernel/kexec_load_disabled)" = "1" ]; then
+    echo 0 > /proc/sys/kernel/kexec_load_disabled || true
+  fi
+  if command -v kexec >/dev/null 2>&1 && [ -s "$KERNEL" ] && [ -s "$INITRD" ]; then
+    kexec -l "$KERNEL" --initrd="$INITRD" --append="$append_common" || true
+  fi
+}
+
+fallback_inplace() {
+  mount -t tmpfs -o "size=95%,nodev,nosuid,noexec,mode=0700" tmpfs /run/wipe 2>/dev/null || mkdir -p /run/wipe
+  i=0
+  while :; do
+    dd if=/dev/zero of="/run/wipe/blk_$i" bs="${CISS_WIPE_DD_BS:-64M}" status=none || break
+    i=$((i+1))
+  done
+  sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
+  rm -f /run/wipe/blk_* 2>/dev/null || true
+  sync
+  systemctl poweroff -f || poweroff -f || echo o > /proc/sysrq-trigger
+}
+
+execute() {
+  sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
+  if command -v systemctl >/dev/null 2>&1 && systemctl --quiet is-system-running; then
+    systemctl kexec || kexec -e || fallback_inplace
+  else
+    kexec -e || fallback_inplace
+  fi
+}
+
+case "${1:-}" in
+  prepare) prepare ;;
+  execute) execute ;;
+  *) echo "Usage: $0 {prepare|execute}" >&2; exit 2 ;;
+esac
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+chmod 0755 /usr/local/sbin/ciss-memwipe
+
+### Systemd service: load at boot, execute on shutdown. ------------------------------------------------------------------------
+cat << 'EOF' >| /etc/systemd/system/ciss-memwipe.service
+[Unit]
+Description=CISS: preload and execute kexec-based RAM wipe on shutdown
+DefaultDependencies=no
+Before=shutdown.target
+After=local-fs.target network.target multi-user.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ciss-memwipe prepare
+ExecStop=/usr/local/sbin/ciss-memwipe execute
+TimeoutStartSec=20s
+TimeoutStopSec=infinity
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+install -d -m 0755 /etc/systemd/system/multi-user.target.wants
+ln -sf /etc/systemd/system/ciss-memwipe.service /etc/systemd/system/multi-user.target.wants/ciss-memwipe.service
+
+systemctl enable ciss-memwipe.service
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.archive/90-ciss-networkd.preset

@@ -0,0 +1,19 @@
+# bashsupport disable=BP5007
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-26; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+enable systemd-networkd.service
+enable systemd-resolved.service
+disable networking.service
+disable NetworkManager.service
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

.archive/9985_clamav.chroot

@@ -1,18 +1,17 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 mkdir -p /etc/systemd/system/clamav-daemon.service.d
 cat << 'EOF' >| /etc/systemd/system/clamav-daemon.service.d/override.conf
@@ -32,8 +31,8 @@ ReadOnlyPaths=/
 ReadWritePaths=/var/lib/clamav /var/log/clamav /var/run/clamav /run/clamav
 
 MemoryDenyWriteExecute=yes
-MemoryLimit=512M
-CPUShares=512
+#MemoryLimit=4096M
+#CPUShares=512
 
 RestrictAddressFamilies=AF_INET AF_INET6
 RestrictNamespaces=yes
@@ -58,8 +57,8 @@ ReadOnlyPaths=/
 ReadWritePaths=/var/lib/clamav /var/log/clamav /var/run/clamav
 
 MemoryDenyWriteExecute=yes
-MemoryLimit=512M
-CPUShares=512
+#MemoryLimit=4096M
+#CPUShares=512
 
 RestrictAddressFamilies=AF_INET AF_INET6
 RestrictNamespaces=yes
@@ -71,7 +70,6 @@ EOF
 chmod 0644 /etc/systemd/system/clamav-freshclam.service.d/override.conf
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.archive/9999_interfaces_update.chroot

@@ -1,30 +1,32 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
-mv /etc/network/interfaces /root/.ciss/dlb/backup/interfaces.chroot
+# shellcheck disable=SC2155
+declare -r VAR_DATE="$(date +%F)"
+
+mv /etc/network/interfaces /root/.ciss/cdlb/backup/interfaces.chroot
 rm -f /etc/network/interfaces
 
-cat << 'EOF' >| /etc/network/interfaces
+cat << EOF >| /etc/network/interfaces
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -32,6 +34,9 @@ cat << 'EOF' >| /etc/network/interfaces
 # This file describes the network interfaces available on your system
 # and how to activate them. For more information, see interfaces(5).
 
+EOF
+
+cat << 'EOF' >> /etc/network/interfaces
 ### The loopback network interface
 auto lo
 iface lo inet loopback
@@ -59,7 +64,6 @@ EOF
 chmod 0644 /etc/network/interfaces
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.archive/generate_PRIVATE_trixie_0.yaml

@@ -0,0 +1,448 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Version Master V8.13.768.2025.12.06
+
+name: 🔐 Generating a Private Live ISO TRIXIE.
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - '.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml'
+
+jobs:
+  generate-private-cdlb-trixie:
+    name: 🔐 Generating a Private Live ISO TRIXIE.
+    runs-on: cdlb.trixie
+
+    container:
+      image: debian:trixie
+
+    steps:
+      - name: 🛠️ Basic Image Setup.
+        shell: bash
+        run: |
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update -qq
+          apt-get upgrade -y
+          apt-get install -y --no-install-recommends \
+            apt-utils \
+            bash \
+            ca-certificates \
+            curl \
+            git \
+            gnupg \
+            openssh-client \
+            openssl \
+            perl \
+            sudo \
+            util-linux
+
+      - name: ⚙️ Check GnuPG Version.
+        shell: bash
+        run: |
+          gpg --version
+
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        shell: bash
+        run: |
+          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            HostName git.coresecret.dev
+            Port 42842
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 0600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        shell: bash
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+      - name: 🛠️ Cleaning the workspace.
+        shell: bash
+        run: |
+          git reset --hard
+          git clean -fd
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        shell: bash
+        run: |
+          set -euo pipefail
+          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          export GNUPGHOME="$(pwd)/.gnupg"
+          mkdir -m 700 "${GNUPGHOME}"
+          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
+          gpg --batch --import centurion-root.PUB.asc
+          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+          gpg --batch --import ci-bot.sec.asc
+          ### Trust the key automatically
+          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        shell: bash
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Preparing the build environment.
+        shell: bash
+        run: |
+          set -euo pipefail
+          mkdir -p /opt/config
+          mkdir -p /opt/livebuild
+          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
+          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
+          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
+          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
+
+      - name: 🔧 Render live hook with secrets.
+        shell: bash
+        working-directory: ${{ github.workspace }}
+        env:
+          ED25519_PRIV:        ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
+          ED25519_PUB:         ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
+          RSA_PRIV:            ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
+          RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
+          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
+          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
+        run: |
+          set -Ceuo pipefail
+          umask 077
+
+          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
+
+          TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
+          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
+          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
+          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
+
+          if [[ ! -f "${TPL}" ]]; then
+            echo "Template not found: ${TPL}"
+            echo "::group::Tree of config/hooks/live"
+            ls -la "${REPO_ROOT}/config/hooks/live" || true
+            echo "::endgroup::"
+            exit 2
+          fi
+
+          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
+          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
+          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
+          export RSA_PUB="${RSA_PUB//$'\r'/}"
+          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
+          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
+
+          (
+          cat << EOF >| "${ID_OUT}"
+          ${CISS_PRIMORDIAL}
+          EOF
+          ) && chmod 0600 "${ID_OUT}"
+          if [[ -f "${ID_OUT}" ]]; then
+            echo "Written: ${ID_OUT}"
+          else
+            echo "Error: ${ID_OUT} not written."
+          fi
+
+          (
+          cat << EOF >| "${ID_OUT_PUB}"
+          ${CISS_PRIMORDIAL_PUB}
+          EOF
+          ) && chmod 0600 "${ID_OUT_PUB}"
+          if [[ -f "${ID_OUT_PUB}" ]]; then
+            echo "Written: ${ID_OUT_PUB}"
+          else
+            echo "Error: ${ID_OUT_PUB} not written."
+          fi
+
+          perl -0777 -pe '
+            BEGIN{
+              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
+              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
+            }
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
+          ' "${TPL}" > "${OUT}"
+
+          chmod 0755 "${OUT}"
+          echo "Hook rendered: ${OUT}"
+
+      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
+        shell: bash
+        working-directory: ${{ github.workspace }}
+        run: |
+          set -euo pipefail
+          chmod 0755 ciss_live_builder.sh
+          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
+          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ./ciss_live_builder.sh \
+            --autobuild=6.16.3+deb13-amd64 \
+            --architecture amd64 \
+            --build-directory /opt/livebuild \
+            --cdi \
+            --control "${timestamp}" \
+            --debug \
+            --dhcp-centurion \
+            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
+            --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
+            --root-password-file /opt/config/password.txt \
+            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
+            --ssh-pubkey /opt/config \
+            --sshfp \
+            --trixie
+
+          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
+          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
+          rm -f "$OUT"
+          echo "Hook removed: $OUT"
+          shred -fzu -n 5 /opt/config/authorized_keys
+
+      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
+        run: |
+          set -euo pipefail
+          SHARE_SUBDIR=""
+
+          echo "📥 Get directory listing via PROPFIND ..."
+          curl -s \
+          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          -X PROPFIND \
+          -H "Depth: 1" \
+          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+          -o propfind_public.xml
+
+          echo "📥 Filter .iso files from the PROPFIND response ..."
+          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
+
+          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+            echo "💡 Old ISO files found and deleted :"
+            while IFS= read -r href; do
+              FILE_URL="${NC_BASE}${href}"
+              echo "  Delete: ${FILE_URL}"
+              if curl -s \
+                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+                  -X DELETE "${FILE_URL}"; then
+                echo "    ✅ Successfully deleted: $(basename "${href}")"
+              else
+                echo "    ❌ Error: $(basename "${href}") could not be deleted"
+              fi
+            done < public_iso_list.txt
+          else
+            echo "💡 No old ISO files found to delete."
+          fi
+
+      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
+        run: |
+          set -euo pipefail
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+            echo "✅ New ISO successfully uploaded."
+          else
+            echo "❌ Uploading the new ISO failed."
+            exit 1
+          fi
+
+      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
+        shell: bash
+        run: |
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
+          touch "${VAR_ISO_FILE_SHA512}"
+          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
+          touch "${SIGNATURE_FILE}"
+          export GNUPGHOME="$(pwd)/.gnupg"
+          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          VAR_DATE="$(date +%F)"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
+          touch "${PRIVATE_FILE}"
+          cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
+
+          CISS.debian.live.builder ISO :
+            "${VAR_ISO_FILE_NAME}"
+          CISS.debian.live.builder ISO sha512 :
+            $(< "${VAR_ISO_FILE_SHA512}")
+          CISS.debian.live.builder ISO sha512 sign :
+            $(< "${SIGNATURE_FILE}")
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_0.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.archive/generate_PRIVATE_trixie_1.yaml

@@ -0,0 +1,491 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Version Master V8.13.768.2025.12.06
+
+name: 🔐 Generating a Private Live ISO TRIXIE.
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - '.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml'
+
+jobs:
+  generate-private-cdlb-trixie:
+    name: 🔐 Generating a Private Live ISO TRIXIE.
+    runs-on: cdlb.trixie
+
+    container:
+      image: debian:trixie
+
+    defaults:
+      run:
+        shell: bash
+        working-directory: ${{ github.workspace }}
+
+    steps:
+      - name: ⏳ Waiting random time to desynchronize parallel workflows.
+        run: |
+          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
+      - name: 🛠️ Basic Image Setup.
+        run: |
+          set -euo pipefail
+          umask 0077
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update -qq
+          apt-get upgrade -y
+          apt-get install -y --no-install-recommends \
+            apt-utils \
+            bash \
+            ca-certificates \
+            curl \
+            git \
+            gnupg \
+            openssh-client \
+            openssl \
+            perl \
+            sudo \
+            util-linux
+
+      - name: ⚙️ Check GnuPG Version.
+        run: |
+          gpg --version
+
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        run: |
+          set -euo pipefail
+          umask 0077
+
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            HostName git.coresecret.dev
+            Port 42842
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 0600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+      - name: ⚙️ Init GNUPGHOME.
+        run: |
+          set -euo pipefail
+          umask 0077
+          GNUPGHOME="/dev/shm/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}.${GITHUB_RUN_ATTEMPT}"
+          mkdir -p -m 700 "${GNUPGHOME}"
+          echo "GNUPGHOME=${GNUPGHOME}" >> "${GITHUB_ENV}"
+          echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf"
+          gpgconf --reload gpg-agent || true
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        env:
+          PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
+        run: |
+          set -euo pipefail
+          umask 0077
+          printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
+          unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        run: |
+          set -euo pipefail
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Preparing the build environment.
+        run: |
+          set -euo pipefail
+          umask 0077
+          mkdir -p /opt/cdlb/secrets
+          mkdir -p /opt/cdlb/livebuild
+          install -m 0600 /dev/null /opt/cdlb/secrets/password.txt
+          install -m 0600 /dev/null /opt/cdlb/secrets/authorized_keys
+          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_ed25519_key
+          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_ed25519_key.pub
+          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_rsa_key
+          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_rsa_key.pub
+          install -m 0600 /dev/null /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial
+          install -m 0600 /dev/null /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial.pub
+          install -m 0600 /dev/null /opt/cdlb/secrets/keys.txt
+          install -m 0600 /dev/null /opt/cdlb/secrets/luks.txt
+
+          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}"               >| /opt/cdlb/secrets/password.txt
+          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}"        >| /opt/cdlb/secrets/authorized_keys
+          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}"     >| /opt/cdlb/secrets/ssh_host_ed25519_key
+          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /opt/cdlb/secrets/ssh_host_ed25519_key.pub
+          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}"         >| /opt/cdlb/secrets/ssh_host_rsa_key
+          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}"     >| /opt/cdlb/secrets/ssh_host_rsa_key.pub
+          echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}"           >| /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial
+          echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial.pub
+          echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /opt/cdlb/secrets/keys.txt
+          echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /opt/cdlb/secrets/luks.txt
+
+
+      - name: 🔧 Render live hook with secrets.
+        shell: bash
+        working-directory: ${{ github.workspace }}
+        env:
+          ED25519_PRIV:        ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
+          ED25519_PUB:         ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
+          RSA_PRIV:            ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
+          RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
+          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
+          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
+          CISS_PHYS_AGE:       ${{ secrets.CISS_PHYS_AGE }}
+          MSW_GPG_DEPLOY_BOT:  ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
+        run: |
+          set -Ceuo pipefail
+          umask 077
+
+          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
+
+          TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
+          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
+          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
+          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
+          SOPS="${REPO_ROOT}/config/hooks/live/0860_sops.chroot"
+          BINARY_CHECKSUMS="${REPO_ROOT}/scripts/usr/lib/live/build/binary_checksums.sh"
+
+          if [[ ! -f "${TPL}" ]]; then
+            echo "Template not found: ${TPL}"
+            echo "::group::Tree of config/hooks/live"
+            ls -la "${REPO_ROOT}/config/hooks/live" || true
+            echo "::endgroup::"
+            exit 2
+          fi
+
+          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
+          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
+          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
+          export RSA_PUB="${RSA_PUB//$'\r'/}"
+          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
+          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
+          export CISS_PHYS_AGE="${CISS_PHYS_AGE//$'\r'/}"
+          export MSW_GPG_DEPLOY_BOT="${MSW_GPG_DEPLOY_BOT//$'\r'/}"
+
+          (
+          cat << EOF >| "${ID_OUT}"
+          ${CISS_PRIMORDIAL}
+          EOF
+          ) && chmod 0600 "${ID_OUT}"
+          if [[ -f "${ID_OUT}" ]]; then
+            echo "Written: ${ID_OUT}"
+          else
+            echo "Error: ${ID_OUT} not written."
+          fi
+
+          (
+          cat << EOF >| "${ID_OUT_PUB}"
+          ${CISS_PRIMORDIAL_PUB}
+          EOF
+          ) && chmod 0600 "${ID_OUT_PUB}"
+          if [[ -f "${ID_OUT_PUB}" ]]; then
+            echo "Written: ${ID_OUT_PUB}"
+          else
+            echo "Error: ${ID_OUT_PUB} not written."
+          fi
+
+          perl -0777 -pe '
+            BEGIN{
+              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
+              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
+            }
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
+          ' "${TPL}" > "${OUT}"
+
+          chmod 0755 "${OUT}"
+
+          perl -0777 -i -pe '
+            BEGIN {
+              our $age = $ENV{CISS_PHYS_AGE} // q{};
+            }
+            s/\{\{\s*secrets\.CISS_PHYS_AGE\s*\}\}/$age/g;
+          ' -- "${SOPS}"
+          chmod 0755 "${SOPS}"
+
+          perl -0777 -i -pe '
+            BEGIN {
+              our $deploy = $ENV{MSW_GPG_DEPLOY_BOT} // q{};
+            }
+            s/\{\{\s*secrets\.MSW_GPG_DEPLOY_BOT\s*\}\}/$deploy/g;
+          ' -- "${BINARY_CHECKSUMS}"
+          chmod 0755 "${BINARY_CHECKSUMS}"
+
+          echo "Hook rendered: ${OUT}"
+
+      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
+        shell: bash
+        working-directory: ${{ github.workspace }}
+        run: |
+          set -euo pipefail
+          chmod 0755 ciss_live_builder.sh
+          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
+          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ./ciss_live_builder.sh \
+            --autobuild=6.16.3+deb13-amd64 \
+            --architecture amd64 \
+            --build-directory /opt/cdlb/livebuild \
+            --cdi \
+            --control "${timestamp}" \
+            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
+            --root-password-file /opt/cdlb/secrets/password.txt \
+            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
+            --ssh-pubkey /opt/cdlb/secrets \
+            --sshfp \
+            --trixie
+
+          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
+          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
+          rm -f "$OUT"
+          echo "Hook removed: $OUT"
+          shred -fzu -n 5 /opt/cdlb/secrets/authorized_keys
+
+      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
+        run: |
+          set -euo pipefail
+          SHARE_SUBDIR=""
+
+          echo "📥 Get directory listing via PROPFIND ..."
+          curl -s \
+          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          -X PROPFIND \
+          -H "Depth: 1" \
+          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+          -o propfind_public.xml
+
+          echo "📥 Filter .iso files from the PROPFIND response ..."
+          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
+
+          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+            echo "💡 Old ISO files found and deleted :"
+            while IFS= read -r href; do
+              FILE_URL="${NC_BASE}${href}"
+              echo "  Delete: ${FILE_URL}"
+              if curl -s \
+                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+                  -X DELETE "${FILE_URL}"; then
+                echo "    ✅ Successfully deleted: $(basename "${href}")"
+              else
+                echo "    ❌ Error: $(basename "${href}") could not be deleted"
+              fi
+            done < public_iso_list.txt
+          else
+            echo "💡 No old ISO files found to delete."
+          fi
+
+      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
+        run: |
+          set -euo pipefail
+          if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+            echo "✅ New ISO successfully uploaded."
+          else
+            echo "❌ Uploading the new ISO failed."
+            exit 1
+          fi
+
+      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
+        shell: bash
+        run: |
+          if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
+          touch "${VAR_ISO_FILE_SHA512}"
+          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
+          touch "${SIGNATURE_FILE}"
+          export GNUPGHOME="$(pwd)/.gnupg"
+          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          VAR_DATE="$(date +%F)"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
+          touch "${PRIVATE_FILE}"
+          cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
+
+          CISS.debian.live.builder ISO :
+            "${VAR_ISO_FILE_NAME}"
+          CISS.debian.live.builder ISO sha512 :
+            $(< "${VAR_ISO_FILE_SHA512}")
+          CISS.debian.live.builder ISO sha512 sign :
+            $(< "${SIGNATURE_FILE}")
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.archive/generate_PUBLIC_iso.yaml

@@ -2,16 +2,20 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.127.2025.06.02
+# Version Master V8.13.768.2025.12.06
 
-name: Generating a private Live ISO.
+name: 💙 Generating a PUBLIC Live ISO.
+
+defaults:
+  run:
+    shell: bash
 
 permissions:
   contents: write
@@ -21,46 +25,35 @@ on:
     branches:
       - master
     paths:
-      - '.gitea/trigger/t_generate_iso.yaml'
+      - '.gitea/trigger/t_generate_PUBLIC.yaml'
 
 jobs:
-  generate-private-ciss-debian-live-iso:
-    name: Generating a private Live ISO.
-    runs-on: ciss.debian.live.builder
+  generate-public-cdlb-trixie:
+    name: 💙 Generating a PUBLIC Live ISO.
+    runs-on: cdlb.trixie
 
-    ### Run all steps inside Debian Bookworm
     container:
       image: debian:trixie
 
     steps:
-      - name: Basic Image Setup and enable Bookworm Backports.
-        run: |
-          apt-get update
-          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
-          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
-            >| /etc/apt/sources.list.d/bookworm-backports.list
-          apt-get update
-
-      - name: Installing Build Tools.
+      - name: 🛠️ Basic Image Setup.
         shell: bash
         run: |
-          apt-get update
-          apt-get install -y \
-            cryptsetup \
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update -qq
+          apt-get upgrade -y
+          apt-get install -y --no-install-recommends \
+            apt-utils \
+            bash \
+            ca-certificates \
             curl \
-            debootstrap \
-            dosfstools \
-            efibootmgr \
-            gnupg \
             git \
-            gpgv \
-            haveged \
-            live-build \
-            parted \
-            ssh \
-            ssl-cert \
-            wget \
-            whois
+            gnupg \
+            openssh-client \
+            openssl \
+            perl \
+            sudo \
+            util-linux
 
       - name: ⚙️ Check GnuPG Version.
         shell: bash
@@ -70,15 +63,20 @@ jobs:
       - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
         shell: bash
         run: |
+          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
           rm -rf ~/.ssh && mkdir -m700 ~/.ssh
 
           ### Private Key
           echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
 
           ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
           ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
 
           ### Generate SSH Config for git.coresecret.dev Custom-Port
           cat <<EOF >| ~/.ssh/config
@@ -89,7 +87,7 @@ jobs:
             StrictHostKeyChecking yes
             UserKnownHostsFile ~/.ssh/known_hosts
           EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
 
       ### https://github.com/actions/checkout/issues/1843
       - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
@@ -114,6 +112,8 @@ jobs:
           ### GPG-Home relative to the Runner Workspace to avoid changing global files.
           export GNUPGHOME="$(pwd)/.gnupg"
           mkdir -m 700 "${GNUPGHOME}"
+          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
+          gpg --batch --import centurion-root.PUB.asc
           echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
           gpg --batch --import ci-bot.sec.asc
           ### Trust the key automatically
@@ -139,35 +139,35 @@ jobs:
           mkdir -p /opt/livebuild
           touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
           touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
-          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
-          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
+          echo 'Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH' >| /opt/config/password.txt
+          echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY' >| /opt/config/authorized_keys
 
       - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
         shell: bash
         run: |
           set -euo pipefail
+          sed -i '/^hardening_ssh_tcp.*/d' ciss_live_builder.sh
           chmod 0755 ciss_live_builder.sh
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
           ./ciss_live_builder.sh \
-            --autobuild=6.12.22+bpo-amd64 \
+            --autobuild=6.16.3+deb13-amd64 \
             --architecture amd64 \
             --build-directory /opt/livebuild \
+            --cdi \
             --control "${timestamp}" \
             --debug \
-            --dhcp-centurion \
-            --jump-host "${{ secrets.CISS_DLB_JUMP_HOSTS }}" \
-            --provider-netcup-ipv6 "${{ secrets.CISS_DLB_NETCUP_IPV6 }}" \
             --root-password-file /opt/config/password.txt \
-            --ssh-port 42842 \
-            --ssh-pubkey /opt/config
+            --ssh-port 42137 \
+            --ssh-pubkey /opt/config \
+            --trixie
 
       - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
         shell: bash
         env:
           NC_BASE: "https://cloud.e2ee.li"
-          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
-          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
         run: |
           set -euo pipefail
           SHARE_SUBDIR=""
@@ -184,7 +184,7 @@ jobs:
           grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
 
           if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
-            echo "ℹ️ Old ISO files found and deleted :"
+            echo "💡 Old ISO files found and deleted :"
             while IFS= read -r href; do
               FILE_URL="${NC_BASE}${href}"
               echo "  Delete: ${FILE_URL}"
@@ -197,15 +197,15 @@ jobs:
               fi
             done < public_iso_list.txt
           else
-            echo "ℹ️ No old ISO files found to delete."
+            echo "💡 No old ISO files found to delete."
           fi
 
       - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
         shell: bash
         env:
           NC_BASE: "https://cloud.e2ee.li"
-          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
-          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
         run: |
           set -euo pipefail
           if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
@@ -219,7 +219,7 @@ jobs:
 
           AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
           if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
-          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}"; then
+          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
             echo "✅ New ISO successfully uploaded."
           else
             echo "❌ Uploading the new ISO failed."
@@ -247,32 +247,42 @@ jobs:
           gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
 
           timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-          PRIVATE_FILE="LIVE_ISO.private"
+          VAR_DATE="$(date +%F)"
+          PRIVATE_FILE="LIVE_ISO.public"
           touch "${PRIVATE_FILE}"
           cat << EOF >| "${PRIVATE_FILE}"
           # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
           # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
           # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-          # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
           # SPDX-FileType: SOURCE
-          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
           # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
           # SPDX-PackageName: CISS.debian.live.builder
           # SPDX-Security-Contact: security@coresecret.eu
 
-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
 
           CISS.debian.live.builder ISO :
             "${VAR_ISO_FILE_NAME}"
           CISS.debian.live.builder ISO sha512 :
-            "${VAR_ISO_FILE_SHA512}"
+            $(< "${VAR_ISO_FILE_SHA512}")
           CISS.debian.live.builder ISO sha512 sign :
             $(< "${SIGNATURE_FILE}")
 
           # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
           EOF
 
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
       - name: 🔄 Sync with remote before commit using merge strategy.
         shell: bash
         env:
@@ -291,14 +301,23 @@ jobs:
           git status
           git log --oneline -n 5
 
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
       - name: 📦 Stage generated files.
         shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
           set -euo pipefail
-          PRIVATE_FILE="LIVE_ISO.private"
-          git add "${PRIVATE_FILE}" || echo "ℹ️ Nothing to add."
+          PRIVATE_FILE="LIVE_ISO.public"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
 
       - name: 🔑 Commit and sign changes with CI metadata.
         shell: bash
@@ -309,7 +328,7 @@ jobs:
           export GNUPGHOME="$(pwd)/.gnupg"
 
           if git diff --cached --quiet; then
-            echo "ℹ️ No staged changes to commit."
+            echo "✔️ No staged changes to commit."
           else
             echo "📝 Committing changes with GPG signature ..."
 
@@ -318,17 +337,17 @@ jobs:
             HOSTNAME="$(hostname -f || hostname)"
             GIT_SHA="$(git rev-parse --short HEAD)"
             GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PUBLIC_iso.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
-            COMMIT_MSG="DEPLOY BOT: Auto-Generate PRIVATE LIVE ISO [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
 
           ${CI_HEADER}
 
           Generated at : ${TIMESTAMP_UTC}
           Runner Host  : ${HOSTNAME}
           Workflow ID  : ${WORKFLOW_ID}
-            Git Commit  : ${GIT_SHA} HEAD → ${GIT_REF}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
           "
 
             echo "🔏 Commit message :"

.archive/icon.lib

@@ -2,45 +2,69 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
+⏫
+⬆️
+☁️
+☢️
+☣️
+✍️
 ✅
-🔧
-🔑
-🖥️
-🛠️
+❌
+⚠️
+•
+⚙️
+🆙
+🌌
+🌐
+🎉
+🎯
+🏗
+💙
+💡
+💬
+💽
+💾
+💿
+📀
+📁
+📂
+📅
+📉
+📊
+📋
+📐
+📑
+📡
+📤
 📥
 📦
-📑
-📂
-🔒
-🔐
-⚙️
-❌
-🌌
-🎉
-🖥️
-📂
 📩
-🔵
-😺
-🧪
-📊
-🧾
-📀
-📉
-⏱
-🧠
-📅
-💙
-🚫
-🔄
 🔁
-📋
-🎯
-ℹ️
+🔄
+🔍
+🔐
+🔑
+🔒
+🔗
+🔧
+🔵
+🔼
+🕑
+🖥️
+🗂️
+🗄️
+🗜️
+😺
+🚫
+🛠️
+🛡️
+🧠
+🧪
+🧾
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.archive/network/interfaces

@@ -2,9 +2,9 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

.editorconfig

@@ -2,9 +2,9 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -25,6 +25,10 @@ charset = utf-8
 insert_final_newline = true
 trim_trailing_whitespace = true
 
+[{makefile,*.mk}]
+indent_style = tab
+tab_width    = 8
+
 [*.md]
 end_of_line = lf
 # Markdown benefits from a final newline for POSIX tools

.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml

@@ -2,9 +2,9 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -12,9 +12,7 @@
 name: "Bug Report"
 about: "Create a report to help us improve"
 title: "[BUG | possible BUG]: "
-labels: "bug:to be reproduced,bug:needs triage/confirmation"
-assignees: ""
----
+assignees: "MSW"
 body:
   # Instructions for the reporter
   - type: markdown
@@ -27,7 +25,7 @@ body:
     attributes:
       label: "Version"
       description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.02.080.2025.05.19"
+      placeholder: "e.g., Master V8.13.768.2025.12.06"
     validations:
       required: true
 

.gitea/ISSUE_TEMPLATE/PULL_REQUEST_TEMPLATE.yaml

@@ -2,9 +2,9 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -12,7 +12,7 @@
 name: "Standard-PR"
 about: "Please answer the following questions before submitting the PR."
 title: "[PR]: "
-ref: "master"
+assignees: "MSW"
 body:
   - type: markdown
     attributes:
@@ -48,8 +48,8 @@ body:
       options:
         - label: "My edits contain no tabs, use two-space indentation, and no trailing whitespace"
         - label: "I have read ~/docs/CONTRIBUTING.md and ~/docs/CODING_CONVENTION.md"
-        - label: "I have tested this fix or improvement on ≥2 VMs without issues"
-        - label: "I have tested this new feature on ≥2 VMs with and without it to avoid side effects"
+        - label: "I have tested this fix or improvement on >=2 VMs without issues"
+        - label: "I have tested this new feature on >=2 VMs with and without it to avoid side effects"
         - label: "Documentation and/or 'usage()' and/or 'arg_parser' have been updated for the new feature"
         - label: "I added myself to ~/docs/CREDITS.md (alphabetical) and updated ~/docs/CHANGELOG.md"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/TODO/dockerfile

@@ -0,0 +1,69 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Version Master V8.13.768.2025.12.06
+
+FROM debian:bookworm
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update -y \
+    && apt-get upgrade -y \
+    && apt-get install -y \
+      apt-transport-https \
+      apt-utils \
+      bash \
+      ca-certificates \
+      gnupg \
+      openssl \
+      sudo \
+    && apt-get update -y \
+    && apt-get upgrade -y \
+    && apt-get clean \
+    && apt-get autoremove --purge -y \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir -p /etc/apt/sources.list.d && touch /etc/apt/sources.list.d/bookworm-backports.list \
+    && echo 'deb https://deb.debian.org/debian bookworm-backports main' >| /etc/apt/sources.list.d/bookworm-backports.list \
+    && apt-get update -y \
+    && apt-get upgrade -y \
+    && apt-get install -y --no-install-recommends \
+      autoconf \
+      automake \
+      build-essential \
+      cryptsetup \
+      curl \
+      debootstrap \
+      dosfstools \
+      efibootmgr \
+      gettext \
+      git \
+      haveged \
+      libtool \
+      live-build \
+      parted \
+      pkg-config \
+      ssh \
+      ssl-cert \
+      texinfo \
+      wget \
+      whois \
+    && apt-get clean \
+    && apt-get autoremove --purge -y \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN useradd --create-home --shell /bin/bash runner
+
+WORKDIR /home/runner
+
+USER runner
+
+ENTRYPOINT ["bash"]

.gitea/TODO/render-md-to-html.yaml

@@ -2,16 +2,16 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.127.2025.06.02
+# Version Master V8.13.768.2025.12.06
 
-name: Render README.md to README.html
+name: 🔁 Render README.md to README.html.
 
 permissions:
   contents: write
@@ -21,12 +21,12 @@ on:
     branches:
       - master
     paths:
-      - "**/*.md"
+      - "README.md"
       - '.gitea/properties/lua/linkfix.lua'
 
 jobs:
   render-md-to-html:
-    name: Render README.md to README.html
+    name: 🔁 Render README.md to README.html.
     runs-on: ubuntu-latest
 
     steps:
@@ -38,11 +38,11 @@ jobs:
 
           ### Private Key
           echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
 
           ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
           ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
 
           ### Generate SSH Config for git.coresecret.dev Custom-Port
           cat <<EOF >| ~/.ssh/config
@@ -53,7 +53,7 @@ jobs:
             StrictHostKeyChecking yes
             UserKnownHostsFile ~/.ssh/known_hosts
           EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
 
       ### https://github.com/actions/checkout/issues/1843
       - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
@@ -111,30 +111,30 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y pandoc
 
-      #- name: Ensure .html/ directory exists.
-      #  shell: bash
-      #  run:
-      #    mkdir -p .html
+      - name: ⚙️ Ensure .html/ directory exists.
+        shell: bash
+        run:
+          mkdir -p .html
 
-      #- name: Render *.md to full standalone HTML.
-      #  shell: bash
-      #  run: |
-      #    set -euo pipefail
-      #    find . \( -path "*/.*" -prune \) -o -type f -name "*.md" -print  | while read file; do
-      #      out=$(basename "${file%.md}.html")
-      #      pandoc -s "${file}" \
-      #        --metadata title="${file}" \
-      #        --metadata lang=en \
-      #        -f gfm+footnotes \
-      #        -t html5 \
-      #        --no-highlight \
-      #        --strip-comments \
-      #        --wrap=none \
-      #        --lua-filter=.gitea/properties/lua/linkfix.lua \
-      #        -o .html/"${out}"
-      #    done
+      - name: 🛠️ Render *.md to full standalone HTML.
+        shell: bash
+        run: |
+          set -euo pipefail
+          find . \( -path "*/.*" -prune \) -o -type f -name "*.md" -print  | while read file; do
+            out=$(basename "${file%.md}.html")
+            pandoc -s "${file}" \
+              --metadata title="${file}" \
+              --metadata lang=en \
+              -f gfm+footnotes \
+              -t html5 \
+              --no-highlight \
+              --strip-comments \
+              --wrap=none \
+              --lua-filter=.gitea/properties/lua/linkfix.lua \
+              -o .html/"${out}"
+          done
 
-      - name: 📥 Extract HTML fragment for Gitea for *.md.
+      - name: 🛠️ Extract HTML fragment for Gitea for *.md.
         shell: bash
         run: |
           set -euo pipefail
@@ -150,6 +150,15 @@ jobs:
               -o "${out}"
           done
 
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
       - name: 🔄 Sync with remote before commit using merge strategy.
         shell: bash
         env:
@@ -168,13 +177,22 @@ jobs:
           git status
           git log --oneline -n 5
 
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
       - name: 📦 Stage generated files.
         shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
           set -euo pipefail
-          git add *.html  || echo "ℹ️ Nothing to add."
+          git add *.html  || echo "✔️ Nothing to add."
 
       - name: 🔑 Commit and sign changes with CI metadata.
         shell: bash
@@ -185,7 +203,7 @@ jobs:
           export GNUPGHOME="$(pwd)/.gnupg"
 
           if git diff --cached --quiet; then
-            echo "ℹ️ No staged changes to commit."
+            echo "✔️ No staged changes to commit."
           else
             echo "📝 Committing changes with GPG signature ..."
 
@@ -197,14 +215,14 @@ jobs:
             WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
-            COMMIT_MSG="DEPLOY BOT: Auto-Generate *.html from *.md [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 🔁 Auto-Generate *.html from *.md [skip ci]
 
           ${CI_HEADER}
 
           Generated at : ${TIMESTAMP_UTC}
           Runner Host  : ${HOSTNAME}
           Workflow ID  : ${WORKFLOW_ID}
-            Git Commit  : ${GIT_SHA} HEAD → ${GIT_REF}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
           "
 
             echo "🔏 Commit message :"

.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml

@@ -0,0 +1,15 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+build:
+  counter: 1023
+  version: V8.13.768.2025.12.06
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml

@@ -0,0 +1,15 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+build:
+  counter: 1023
+  version: V8.13.768.2025.12.06
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PUBLIC.yaml

@@ -2,14 +2,14 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
 build:
-  counter: 1024
-  version: V8.03.132.2025.06.02
+  counter: 1023
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_dns.yaml

@@ -2,14 +2,14 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
 build:
-  counter: 1024
-  version: V8.03.127.2025.06.02
+  counter: 1023
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_trixie_0.yaml

@@ -0,0 +1,453 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Version Master V8.13.768.2025.12.06
+
+name: 🔐 Generating a Private Live ISO TRIXIE.
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - '.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml'
+
+jobs:
+  generate-private-cdlb-trixie:
+    name: 🔐 Generating a Private Live ISO TRIXIE.
+    runs-on: cdlb.trixie
+
+    container:
+      image: debian:trixie
+
+    defaults:
+      run:
+        shell: bash
+        working-directory: ${{ github.workspace }}
+
+    steps:
+      - name: 🕑 Waiting random time to desynchronize parallel workflows.
+        run: |
+          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
+      - name: 🔧 Basic Image Setup.
+        run: |
+          set -euo pipefail
+          umask 0022
+
+          echo "APT_LISTCHANGES_FRONTEND=none"  >> "${GITHUB_ENV}"
+          echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}"
+          echo "LC_ALL=C.UTF-8"                 >> "${GITHUB_ENV}"
+          echo "TZ=UTC"                         >> "${GITHUB_ENV}"
+          echo "VAR_CDLB_INSIDE_RUNNER=true"    >> "${GITHUB_ENV}"
+
+          export APT_LISTCHANGES_FRONTEND=none
+          export DEBIAN_FRONTEND=noninteractive
+
+          apt-get update -qq
+          apt-get upgrade -y
+          apt-get install -y --no-install-recommends \
+            apt-utils \
+            bash \
+            bat \
+            ca-certificates \
+            cryptsetup \
+            curl \
+            debootstrap \
+            git \
+            gnupg-utils \
+            gnupg \
+            gpg-agent \
+            gpgv \
+            live-build \
+            lsb-release \
+            openssh-client \
+            openssl \
+            perl \
+            pinentry-curses \
+            pinentry-tty \
+            sudo \
+            util-linux \
+            whois
+
+      - name: ⚙️ Check GnuPG Version.
+        run: |
+          gpg --version
+
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        run: |
+          set +x
+          set -euo pipefail
+          umask 0077
+
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            BatchMode yes
+            ConnectTimeout 5
+            ControlMaster auto
+            ControlPath ~/.ssh/cm-%r@%h:%p
+            ControlPersist 5m
+            HostName git.coresecret.dev
+            IdentityFile ~/.ssh/id_ed25519
+            Port 42842
+            ServerAliveCountMax 3
+            ServerAliveInterval 10
+            StrictHostKeyChecking yes
+            User git
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 0600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+
+      - name: ⚙️ Init GNUPGHOME.
+        run: |
+          set +x
+          set -euo pipefail
+          umask 0077
+          GNUPGHOME="${PWD}/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}"
+          # shellcheck disable=SC2174
+          mkdir -p -m 0700 "${GNUPGHOME}"
+          echo "GNUPGHOME=${GNUPGHOME}"                 >> "${GITHUB_ENV}"
+          echo 'allow-loopback-pinentry'                >| "${GNUPGHOME}/gpg-agent.conf"
+          echo 'pinentry-program /usr/bin/pinentry-tty' >> "${GNUPGHOME}/gpg-agent.conf"
+          gpgconf --reload gpg-agent || true
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        env:
+          PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
+        run: |
+          set +x
+          set -euo pipefail
+          umask 0077
+          printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
+          unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        run: |
+          set +x
+          set -euo pipefail
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }}
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+          git config --get user.signingkey
+
+      - name: ⚙️ Preparing the build environment.
+        run: |
+          set +x
+          set -euo pipefail
+          umask 0077
+          mkdir -p /dev/shm/cdlb_secrets
+
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_ca.asc
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
+
+          echo "${{ secrets.CISS_DLB_ROOT_PWD }}"                 >| /dev/shm/cdlb_secrets/password.txt
+          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}"          >| /dev/shm/cdlb_secrets/authorized_keys
+          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}"     >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key
+          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
+          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}"         >| /dev/shm/cdlb_secrets/ssh_host_rsa_key
+          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}"     >| /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
+          echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}"           >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
+          echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
+          echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /dev/shm/cdlb_secrets/keys.txt
+          echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /dev/shm/cdlb_secrets/luks.txt
+          echo "${{ secrets.PGP_CISS_CA_PUBLIC_KEY }}"            >| /dev/shm/cdlb_secrets/signing_ca.asc
+          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}"       >| /dev/shm/cdlb_secrets/signing_key.asc
+          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}"  >| /dev/shm/cdlb_secrets/signing_key_pass.txt
+
+      - name: 🔧 Starting CISS.debian.live.builder. This may take about an hour ...
+        run: |
+          set -euo pipefail
+          chmod 0700 ciss_live_builder.sh
+          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
+          ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
+          chmod 0400 /dev/shm/cdlb_secrets/*
+          ./ciss_live_builder.sh \
+            --architecture amd64 \
+            --autobuild=6.17.8+deb13-amd64 \
+            --build-directory /opt/cdlb \
+            --cdi \
+            --change-splash hexagon \
+            --control "${timestamp}" \
+            --dhcp-centurion \
+            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
+            --key_age=keys.txt \
+            --key_luks=luks.txt \
+            --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
+            --root-password-file /dev/shm/cdlb_secrets/password.txt \
+            --signing_ca=signing_ca.asc \
+            --signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
+            --signing_key_pass=signing_key_pass.txt \
+            --signing_key=signing_key.asc \
+            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
+            --ssh-pubkey /dev/shm/cdlb_secrets \
+            --sshfp \
+            --trixie
+
+      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
+        run: |
+          set -euo pipefail
+          SHARE_SUBDIR=""
+
+          echo "📥 Get directory listing via PROPFIND ..."
+
+          curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+          -o propfind_public.xml
+
+          echo "📥 Filter .iso files from the PROPFIND response ..."
+
+          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
+
+          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+
+            echo "💡 Old ISO files found and deleted :"
+
+            while IFS= read -r href; do
+
+              FILE_URL="${NC_BASE}${href}"
+              echo "  Delete: ${FILE_URL}"
+
+              if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
+
+                echo "    ✅ Successfully deleted: $(basename "${href}")"
+
+              else
+
+                echo "    ❌ Error: $(basename "${href}") could not be deleted"
+
+              fi
+
+            done < public_iso_list.txt
+
+          else
+
+            echo "💡 No old ISO files found to delete."
+
+          fi
+
+      - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
+        run: |
+          set -euo pipefail
+
+          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+
+          else
+
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+
+          fi
+
+          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+
+            echo "✅ New ISO successfully uploaded."
+
+          else
+
+            echo "❌ Uploading the new ISO failed."
+            exit 1
+
+          fi
+
+      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
+        run: |
+          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+
+          else
+
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+
+          fi
+
+          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
+          touch "${VAR_ISO_FILE_SHA512}"
+
+          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+
+          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
+          touch "${SIGNATURE_FILE}"
+
+          gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          VAR_DATE="$(date +%F)"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
+          touch "${PRIVATE_FILE}"
+
+          cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
+
+          CISS.debian.live.builder ISO :
+            "${VAR_ISO_FILE_NAME}"
+          CISS.debian.live.builder ISO sha512 :
+            $(< "${VAR_ISO_FILE_SHA512}")
+          CISS.debian.live.builder ISO sha512 sign :
+            $(< "${SIGNATURE_FILE}")
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+
+      - name: 🚧 Stash local changes (including untracked).
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🔧 Restore stashed changes.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+
+          if git diff --cached --quiet; then
+
+            echo "✔️ No staged changes to commit."
+
+          else
+
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_0.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+
+          fi
+
+      - name: 🔁 Push back to repository.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_trixie_1.yaml

@@ -0,0 +1,451 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Version Master V8.13.768.2025.12.06
+
+name: 🔐 Generating a Private Live ISO TRIXIE.
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - '.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml'
+
+jobs:
+  generate-private-cdlb-trixie:
+    name: 🔐 Generating a Private Live ISO TRIXIE.
+    runs-on: cdlb.trixie
+
+    container:
+      image: debian:trixie
+
+    defaults:
+      run:
+        shell: bash
+        working-directory: ${{ github.workspace }}
+
+    steps:
+      - name: 🕑 Waiting random time to desynchronize parallel workflows.
+        run: |
+          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
+      - name: 🔧 Basic Image Setup.
+        run: |
+          set -euo pipefail
+          umask 0022
+
+          echo "APT_LISTCHANGES_FRONTEND=none"  >> "${GITHUB_ENV}"
+          echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}"
+          echo "LC_ALL=C.UTF-8"                 >> "${GITHUB_ENV}"
+          echo "TZ=UTC"                         >> "${GITHUB_ENV}"
+          echo "VAR_CDLB_INSIDE_RUNNER=true"    >> "${GITHUB_ENV}"
+
+          export APT_LISTCHANGES_FRONTEND=none
+          export DEBIAN_FRONTEND=noninteractive
+
+          apt-get update -qq
+          apt-get upgrade -y
+          apt-get install -y --no-install-recommends \
+            apt-utils \
+            bash \
+            bat \
+            ca-certificates \
+            cryptsetup \
+            curl \
+            debootstrap \
+            git \
+            gnupg-utils \
+            gnupg \
+            gpg-agent \
+            gpgv \
+            live-build \
+            lsb-release \
+            openssh-client \
+            openssl \
+            perl \
+            pinentry-curses \
+            pinentry-tty \
+            sudo \
+            util-linux \
+            whois
+
+      - name: ⚙️ Check GnuPG Version.
+        run: |
+          gpg --version
+
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        run: |
+          set +x
+          set -euo pipefail
+          umask 0077
+
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            BatchMode yes
+            ConnectTimeout 5
+            ControlMaster auto
+            ControlPath ~/.ssh/cm-%r@%h:%p
+            ControlPersist 5m
+            HostName git.coresecret.dev
+            IdentityFile ~/.ssh/id_ed25519
+            Port 42842
+            ServerAliveCountMax 3
+            ServerAliveInterval 10
+            StrictHostKeyChecking yes
+            User git
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 0600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+
+      - name: ⚙️ Init GNUPGHOME.
+        run: |
+          set +x
+          set -euo pipefail
+          umask 0077
+          GNUPGHOME="${PWD}/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}"
+          # shellcheck disable=SC2174
+          mkdir -p -m 0700 "${GNUPGHOME}"
+          echo "GNUPGHOME=${GNUPGHOME}"                 >> "${GITHUB_ENV}"
+          echo 'allow-loopback-pinentry'                >| "${GNUPGHOME}/gpg-agent.conf"
+          echo 'pinentry-program /usr/bin/pinentry-tty' >> "${GNUPGHOME}/gpg-agent.conf"
+          gpgconf --reload gpg-agent || true
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        env:
+          PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
+        run: |
+          set +x
+          set -euo pipefail
+          umask 0077
+          printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
+          unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        run: |
+          set +x
+          set -euo pipefail
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }}
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+          git config --get user.signingkey
+
+      - name: ⚙️ Preparing the build environment.
+        run: |
+          set +x
+          set -euo pipefail
+          umask 0077
+          mkdir -p /dev/shm/cdlb_secrets
+
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_ca.asc
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
+
+          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}"               >| /dev/shm/cdlb_secrets/password.txt
+          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}"        >| /dev/shm/cdlb_secrets/authorized_keys
+          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}"     >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key
+          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
+          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}"         >| /dev/shm/cdlb_secrets/ssh_host_rsa_key
+          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}"     >| /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
+          echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}"           >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
+          echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
+          echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /dev/shm/cdlb_secrets/keys.txt
+          echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /dev/shm/cdlb_secrets/luks.txt
+          echo "${{ secrets.PGP_CISS_CA_PUBLIC_KEY }}"            >| /dev/shm/cdlb_secrets/signing_ca.asc
+          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}"       >| /dev/shm/cdlb_secrets/signing_key.asc
+          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}"  >| /dev/shm/cdlb_secrets/signing_key_pass.txt
+
+      - name: 🔧 Starting CISS.debian.live.builder. This may take about an hour ...
+        run: |
+          set -euo pipefail
+          chmod 0700 ciss_live_builder.sh
+          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
+          ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
+          chmod 0400 /dev/shm/cdlb_secrets/*
+          ./ciss_live_builder.sh \
+            --architecture amd64 \
+            --autobuild=6.17.8+deb13-amd64 \
+            --build-directory /opt/cdlb \
+            --cdi \
+            --change-splash hexagon \
+            --control "${timestamp}" \
+            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
+            --key_age=keys.txt \
+            --key_luks=luks.txt \
+            --root-password-file /dev/shm/cdlb_secrets/password.txt \
+            --signing_ca=signing_ca.asc \
+            --signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
+            --signing_key_pass=signing_key_pass.txt \
+            --signing_key=signing_key.asc \
+            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
+            --ssh-pubkey /dev/shm/cdlb_secrets \
+            --sshfp \
+            --trixie
+
+      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
+        run: |
+          set -euo pipefail
+          SHARE_SUBDIR=""
+
+          echo "📥 Get directory listing via PROPFIND ..."
+
+          curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+          -o propfind_public.xml
+
+          echo "📥 Filter .iso files from the PROPFIND response ..."
+
+          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
+
+          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+
+            echo "💡 Old ISO files found and deleted :"
+
+            while IFS= read -r href; do
+
+              FILE_URL="${NC_BASE}${href}"
+              echo "  Delete: ${FILE_URL}"
+
+              if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
+
+                echo "    ✅ Successfully deleted: $(basename "${href}")"
+
+              else
+
+                echo "    ❌ Error: $(basename "${href}") could not be deleted"
+
+              fi
+
+            done < public_iso_list.txt
+
+          else
+
+            echo "💡 No old ISO files found to delete."
+
+          fi
+
+      - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
+        run: |
+          set -euo pipefail
+
+          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+
+          else
+
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+
+          fi
+
+          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+
+            echo "✅ New ISO successfully uploaded."
+
+          else
+
+            echo "❌ Uploading the new ISO failed."
+            exit 1
+
+          fi
+
+      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
+        run: |
+          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+
+          else
+
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+
+          fi
+
+          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
+          touch "${VAR_ISO_FILE_SHA512}"
+
+          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+
+          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
+          touch "${SIGNATURE_FILE}"
+
+          gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          VAR_DATE="$(date +%F)"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
+          touch "${PRIVATE_FILE}"
+
+          cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
+
+          CISS.debian.live.builder ISO :
+            "${VAR_ISO_FILE_NAME}"
+          CISS.debian.live.builder ISO sha512 :
+            $(< "${VAR_ISO_FILE_SHA512}")
+          CISS.debian.live.builder ISO sha512 sign :
+            $(< "${SIGNATURE_FILE}")
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+
+      - name: 🚧 Stash local changes (including untracked).
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🔧 Restore stashed changes.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+
+          if git diff --cached --quiet; then
+
+            echo "✔️ No staged changes to commit."
+
+          else
+
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_1.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+
+          fi
+
+      - name: 🔁 Push back to repository.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PUBLIC_iso.yaml

@@ -0,0 +1,419 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Version Master V8.13.768.2025.12.06
+
+name: 💙 Generating a PUBLIC Live ISO.
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - '.gitea/trigger/t_generate_PUBLIC.yaml'
+
+jobs:
+  generate-public-cdlb-trixie:
+    name: 💙 Generating a PUBLIC Live ISO.
+    runs-on: cdlb.trixie
+
+    container:
+      image: debian:trixie
+
+    defaults:
+      run:
+        shell: bash
+        working-directory: ${{ github.workspace }}
+
+    steps:
+      - name: 🕑 Waiting random time to desynchronize parallel workflows.
+        run: |
+          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
+      - name: 🔧 Basic Image Setup.
+        run: |
+          set -euo pipefail
+          umask 0022
+
+          echo "APT_LISTCHANGES_FRONTEND=none"  >> "${GITHUB_ENV}"
+          echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}"
+          echo "LC_ALL=C.UTF-8"                 >> "${GITHUB_ENV}"
+          echo "TZ=UTC"                         >> "${GITHUB_ENV}"
+          echo "VAR_CDLB_INSIDE_RUNNER=true"    >> "${GITHUB_ENV}"
+
+          export APT_LISTCHANGES_FRONTEND=none
+          export DEBIAN_FRONTEND=noninteractive
+
+          apt-get update -qq
+          apt-get upgrade -y
+          apt-get install -y --no-install-recommends \
+            apt-utils \
+            bash \
+            bat \
+            ca-certificates \
+            cryptsetup \
+            curl \
+            debootstrap \
+            git \
+            gnupg-utils \
+            gnupg \
+            gpg-agent \
+            gpgv \
+            live-build \
+            lsb-release \
+            openssh-client \
+            openssl \
+            perl \
+            pinentry-curses \
+            pinentry-tty \
+            sudo \
+            util-linux \
+            whois
+
+      - name: ⚙️ Check GnuPG Version.
+        run: |
+          gpg --version
+
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        run: |
+          set +x
+          set -euo pipefail
+          umask 0077
+
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            BatchMode yes
+            ConnectTimeout 5
+            ControlMaster auto
+            ControlPath ~/.ssh/cm-%r@%h:%p
+            ControlPersist 5m
+            HostName git.coresecret.dev
+            IdentityFile ~/.ssh/id_ed25519
+            Port 42842
+            ServerAliveCountMax 3
+            ServerAliveInterval 10
+            StrictHostKeyChecking yes
+            User git
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 0600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+
+      - name: ⚙️ Init GNUPGHOME.
+        run: |
+          set +x
+          set -euo pipefail
+          umask 0077
+          GNUPGHOME="${PWD}/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}"
+          # shellcheck disable=SC2174
+          mkdir -p -m 0700 "${GNUPGHOME}"
+          echo "GNUPGHOME=${GNUPGHOME}"                 >> "${GITHUB_ENV}"
+          echo 'allow-loopback-pinentry'                >| "${GNUPGHOME}/gpg-agent.conf"
+          echo 'pinentry-program /usr/bin/pinentry-tty' >> "${GNUPGHOME}/gpg-agent.conf"
+          gpgconf --reload gpg-agent || true
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        env:
+          PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
+        run: |
+          set +x
+          set -euo pipefail
+          umask 0077
+          printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
+          unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        run: |
+          set +x
+          set -euo pipefail
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }}
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+          git config --get user.signingkey
+
+      - name: ⚙️ Preparing the build environment.
+        run: |
+          set +x
+          set -euo pipefail
+          umask 0077
+          mkdir -p /dev/shm/cdlb_secrets
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys
+          echo 'Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH' >| /dev/shm/cdlb_secrets/password.txt
+          echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY' >| /dev/shm/cdlb_secrets/authorized_keys
+
+
+      - name: 🔧 Starting CISS.debian.live.builder. This may take about an hour ...
+        run: |
+          set -euo pipefail
+          chmod 0700 ciss_live_builder.sh
+          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
+          ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
+          chmod 0400 /dev/shm/cdlb_secrets/*
+          ./ciss_live_builder.sh \
+            --architecture amd64 \
+            --autobuild=6.17.8+deb13-amd64 \
+            --build-directory /opt/cdlb \
+            --change-splash hexagon \
+            --control "${timestamp}" \
+            --root-password-file /dev/shm/cdlb_secrets/password.txt \
+            --ssh-port 42137 \
+            --ssh-pubkey /dev/shm/cdlb_secrets \
+            --trixie
+
+      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
+        run: |
+          set -euo pipefail
+          SHARE_SUBDIR=""
+
+          echo "📥 Get directory listing via PROPFIND ..."
+
+          curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+          -o propfind_public.xml
+
+          echo "📥 Filter .iso files from the PROPFIND response ..."
+
+          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
+
+          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+
+            echo "💡 Old ISO files found and deleted :"
+
+            while IFS= read -r href; do
+
+              FILE_URL="${NC_BASE}${href}"
+              echo "  Delete: ${FILE_URL}"
+
+              if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
+
+                echo "    ✅ Successfully deleted: $(basename "${href}")"
+
+              else
+
+                echo "    ❌ Error: $(basename "${href}") could not be deleted"
+
+              fi
+
+            done < public_iso_list.txt
+
+          else
+
+            echo "💡 No old ISO files found to delete."
+
+          fi
+
+      - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
+        run: |
+          set -euo pipefail
+
+          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+
+          else
+
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+
+          fi
+
+          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+
+            echo "✅ New ISO successfully uploaded."
+
+          else
+
+            echo "❌ Uploading the new ISO failed."
+            exit 1
+
+          fi
+
+      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
+        run: |
+          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+
+          else
+
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+
+          fi
+
+          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
+          touch "${VAR_ISO_FILE_SHA512}"
+
+          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+
+          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
+          touch "${SIGNATURE_FILE}"
+
+          gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          VAR_DATE="$(date +%F)"
+          PRIVATE_FILE="LIVE_ISO.public"
+          touch "${PRIVATE_FILE}"
+
+          cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
+
+          CISS.debian.live.builder ISO :
+            "${VAR_ISO_FILE_NAME}"
+          CISS.debian.live.builder ISO sha512 :
+            $(< "${VAR_ISO_FILE_SHA512}")
+          CISS.debian.live.builder ISO sha512 sign :
+            $(< "${SIGNATURE_FILE}")
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+
+      - name: 🚧 Stash local changes (including untracked).
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🔧 Restore stashed changes.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LIVE_ISO.public"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+
+          if git diff --cached --quiet; then
+
+            echo "✔️ No staged changes to commit."
+
+          else
+
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PUBLIC_iso.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+
+          fi
+
+      - name: 🔁 Push back to repository.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/linter_char_scripts.yaml

@@ -0,0 +1,341 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Version Master V8.13.768.2025.12.06
+
+# Gitea Workflow: Shell-Script Linting
+#
+# This workflow scans all '*.sh', '*.zsh', '*.chroot' and all files with Shebang (#!) for:
+# 1. Windows CRLF line endings
+# 2. unauthorized control characters (C0 control characters except \t, \n)
+# 3. non-ASCII (ambiguous UTF) characters
+#
+# Findings are collected and at the end of the run with file, line number,
+# and the respective character in the Runner output.
+
+name: 🛡️ Shell Script Linting
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  shell-script-linter:
+    name: 🛡️ Shell Script Linting
+    runs-on: ubuntu-latest
+
+    defaults:
+      run:
+        shell: bash
+        working-directory: ${{ github.workspace }}
+
+    steps:
+      - name: 🕑 Waiting random time to desynchronize parallel workflows.
+        run: |
+          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        run: |
+          set +x
+          set -euo pipefail
+          rm -rf ~/.ssh && mkdir -m0700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            BatchMode yes
+            ConnectTimeout 5
+            ControlMaster auto
+            ControlPath ~/.ssh/cm-%r@%h:%p
+            ControlPersist 5m
+            HostName git.coresecret.dev
+            IdentityFile ~/.ssh/id_ed25519
+            Port 42842
+            ServerAliveCountMax 3
+            ServerAliveInterval 10
+            StrictHostKeyChecking yes
+            User git
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 0600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        run: |
+          set -euo pipefail
+          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          export GNUPGHOME="$(PWD)/.gnupg"
+          mkdir -m 0700 "${GNUPGHOME}"
+          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+          gpg --batch --import ci-bot.sec.asc
+          ### Trust the key automatically
+          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(PWD)/.gnupg"
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Convert APT sources to HTTPS.
+        run: |
+          set -euo pipefail
+          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
+          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
+
+      - name: 🔧 Install dependencies.
+        run: |
+          ### Install grep with Perl-regex support, falls noch nicht vorhanden
+          apt-get update  -qq
+          apt-get upgrade -y
+          apt-get install -y grep
+
+      - name: 🔍 Lint shell scripts
+        run: |
+          # -------------------------------
+          # STEP 1: Find target files.
+          #
+          # We capture:
+          # - All files '*.sh', '*.zsh', '*.chroot'
+          # - All files whose first line begins with "#!" (shebang)
+          # -------------------------------
+          mapfile -t files_to_check < <(
+            find . \
+              -path './.git' -prune -o \
+              -type f \( \
+                -iname '*.sh' -o \
+                -iname '*.zsh' -o \
+                -iname '*.chroot' -o \
+                -exec grep -Iq '^#!' {} \; \
+              \) -print
+          )
+
+          # -------------------------------
+          # STEP 2: Regex definitions
+          #
+          # - CRLF_REGEX           Carriage Return (\r) for Windows CRLF
+          # - CTRL_REGEX           C0 control characters except Tab (\x09) and Newline (\x0A)
+          #   - Range:             [\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]
+          # - NON_ASCII_REGEX      All bytes -> 0x7F, except emoji characters in defined ranges
+          #
+          # Emoji ranges that we exclude:
+          # - \x{1F300}-\x{1F5FF}  Misc Symbols & Pictographs
+          # - \x{1F600}-\x{1F64F}  Emoticons
+          # - \x{1F680}-\x{1F6FF}  Transport & Map Symbols
+          # - \x{1F900}-\x{1F9FF}  Supplemental Symbols & Pictographs
+          # - \x{2600}-\x{26FF}    Miscellaneous Symbols
+          # - \x{2700}-\x{27BF}    Dingbats
+          # -------------------------------
+
+          CRLF_REGEX=$'\r'
+          CTRL_REGEX='[\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]'
+          NON_ASCII_REGEX='(?![\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}])[^\x00-\x7F]'
+
+          # -------------------------------
+          # STEP 3: Accumulator for findings
+          # -------------------------------
+          findings=""
+
+          # -------------------------------
+          # STEP 4: Perform all checks for each file
+          # -------------------------------
+          for file in "${files_to_check[@]}"; do
+            #
+            # 4.1: CRLF detection
+            #      grep -nP returns "lineno:<line with CR>"
+            # -------------------------------
+            while IFS=: read -r lineno _rest; do
+              findings+="${file}: CRLF-found at line ${lineno}: <CR>"$'\n'
+            done < <(grep -nP "${CRLF_REGEX}" "${file}" || true)
+
+            #
+            # 4.2: Unallowed control characters
+            #      grep -nP -o returns "lineno:<matched-char>"
+            # -------------------------------
+            while IFS=: read -r lineno char; do
+              findings+="${file}: control-char at line ${lineno}: ${char}"$'\n'
+            done < <(grep -nP -o "${CTRL_REGEX}" "${file}" || true)
+
+            #
+            # 4.3: Non-ASCII characters with emoji exception
+            #      grep -nP -o returns "lineno:<matched-char>"
+            # -------------------------------
+            while IFS=: read -r lineno char; do
+              findings+="${file}: non-ascii at line ${lineno}: ${char}"$'\n'
+            done < <(grep -nP -o "${NON_ASCII_REGEX}" "${file}" || true)
+          done
+
+          # -------------------------------
+          # STEP 5: Output results
+          # -------------------------------
+          if [[ -n "${findings}" ]]; then
+            echo -e "⚠️ Linting issues detected:\n"
+            echo -e "${findings}"
+            timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+            VAR_DATE="$(date +%F)"
+            PRIVATE_FILE="LINTER_RESULTS.txt"
+            touch "${PRIVATE_FILE}"
+            cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
+
+          ⚠️ The last linter check was NOT successful. ⚠️
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+          else
+            echo "✅ No issues found in shell scripts."
+            timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+            VAR_DATE="$(date +%F)"
+            PRIVATE_FILE="LINTER_RESULTS.txt"
+            touch "${PRIVATE_FILE}"
+            cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
+
+          ✅ The last linter check was successful. ✅
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+          fi
+
+      - name: 🚧 Stash local changes (including untracked).
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(PWD)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🔧 Restore stashed changes.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LINTER_RESULTS.txt"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(PWD)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-linter_char_scripts.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🛡️ Shell Script Linting [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/render-dnssec-status.yaml

@@ -2,16 +2,16 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.127.2025.06.02
+# Version Master V8.13.768.2025.12.06
 
-name: Retrieve the DNSSEC status at the time of updating the repository.
+name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 
 permissions:
   contents: write
@@ -25,121 +25,193 @@ on:
 
 jobs:
   build-dnssec-diagram:
-    name: Retrieve the DNSSEC status at the time of updating the repository.
+    name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
     runs-on: ubuntu-latest
-    steps:
-      - name: Prepare SSH Setup, SSH Deploy Key, Known Hosts, config.
+
+    defaults:
+      run:
         shell: bash
+        working-directory: ${{ github.workspace }}
+
+    steps:
+      - name: 🕑 Waiting random time to desynchronize parallel workflows.
         run: |
-          rm -rf ~/.ssh
-          mkdir -p ~/.ssh
+          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        run: |
+          set +x
+          set -euo pipefail
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
 
           ### Private Key
           echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
 
           ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
           ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
 
           ### Generate SSH Config for git.coresecret.dev Custom-Port
           cat <<EOF >| ~/.ssh/config
           Host git.coresecret.dev
+            BatchMode yes
+            ConnectTimeout 5
+            ControlMaster auto
+            ControlPath ~/.ssh/cm-%r@%h:%p
+            ControlPersist 5m
             HostName git.coresecret.dev
-            Port 42842
             IdentityFile ~/.ssh/id_ed25519
+            Port 42842
+            ServerAliveCountMax 3
+            ServerAliveInterval 10
             StrictHostKeyChecking yes
+            User git
             UserKnownHostsFile ~/.ssh/known_hosts
           EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
 
       ### https://github.com/actions/checkout/issues/1843
-      - name: Use manual clone via SSH to circumvent Gitea SHA-256 object issues.
-        shell: bash
-        run: |
-          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
-          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
         env:
           ### GITHUB_REF_NAME contains the branch name from the push event.
           GITHUB_REF_NAME: ${{ github.ref_name }}
-
-      - name: Clean workspace.
-        shell: bash
         run: |
-          git reset --hard
-          git clean -fd
+          set -euo pipefail
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
 
-      - name: Convert APT sources to HTTPS.
-        shell: bash
-        run: |
-          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
-          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
-
-      - name: Install DNSViz.
-        shell: bash
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y dnsviz
-
-      - name: Import CI PGP DEPLOY ONLY Key.
-        shell: bash
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
         run: |
+          set -euo pipefail
           ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
-          mkdir -m 700 "${GNUPGHOME}"
+          export GNUPGHOME="$(PWD)/.gnupg"
+          mkdir -m 0700 "${GNUPGHOME}"
           echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
           gpg --batch --import ci-bot.sec.asc
           ### Trust the key automatically
           KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
           echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
 
-      - name: Configure Git for signed CI DEPLOY commits.
-        shell: bash
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
         run: |
-          export GNUPGHOME="$(pwd)/.gnupg"
+          set -euo pipefail
+          export GNUPGHOME="$(PWD)/.gnupg"
           git config user.name "Marc S. Weidner BOT"
           git config user.email "msw+bot@coresecret.dev"
           git config commit.gpgsign true
           git config gpg.program gpg
           git config gpg.format openpgp
 
-      - name: Ensure docs/SECURITY/ directory exists.
-        shell: bash
+      - name: ⚙️ Convert APT sources to HTTPS.
+        run: |
+          set -euo pipefail
+          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
+          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
+
+      - name: 🔧 Install DNSViz.
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y dnsviz
+
+      - name: ⚙️ Ensure docs/SECURITY/ directory exists.
         run: |
           mkdir -p docs/SECURITY/
           rm -f docs/SECURITY/coresecret.dev.png
 
-      - name: Prepare DNS Cache.
-        shell: bash
+      - name: 🔧 Prepare DNS Cache.
         run: |
           sudo apt-get install -y dnsutils
           dig +dnssec +multi coresecret.dev @8.8.8.8
 
-      - name: Retrieve Zone Dump and generate .png Visualization.
-        shell: bash
+      - name: 🔧 Retrieve Zone Dump and generate .png Visualization.
         run: |
           dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json
           dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png
 
-      - name: Stage generated files.
-        shell: bash
-        run: |
-          git add docs/SECURITY/*.png
+      - name: 🚧 Stash local changes (including untracked).
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
-
-      - name: Commit and Sign changes.
-        shell: bash
         run: |
-          export GNUPGHOME="$(pwd)/.gnupg"
-          git commit -S -m "DEPLOY BOT: Auto-Generate DNSSEC Status [skip ci]" || echo "No Changes, nothing to Sign or to Commit."
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
-
-      - name: Push back to Repository.
-        shell: bash
         run: |
+          set -euo pipefail
+          export GNUPGHOME="$(PWD)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🔧 Restore stashed changes.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          git add docs/SECURITY/*.png || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(PWD)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dnssec-status.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🛡️ Auto-Generate DNSSEC Status [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
           git push origin HEAD:${GITHUB_REF_NAME}
-        env:
-          GIT_SSH_COMMAND: "ssh -p 42842"
       # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/render-dot-to-png.yaml

@@ -0,0 +1,211 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Version Master V8.13.768.2025.12.06
+
+name: 🔁 Render Graphviz Diagrams.
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - "**/*.gv"
+      - "**/*.dot"
+
+jobs:
+  build-graphiz-diagrams:
+    name: 🔁 Render Graphviz Diagrams.
+    runs-on: ubuntu-latest
+
+    defaults:
+      run:
+        shell: bash
+        working-directory: ${{ github.workspace }}
+
+    steps:
+      - name: 🕑 Waiting random time to desynchronize parallel workflows.
+        run: |
+          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        run: |
+          set +x
+          set -euo pipefail
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            BatchMode yes
+            ConnectTimeout 5
+            ControlMaster auto
+            ControlPath ~/.ssh/cm-%r@%h:%p
+            ControlPersist 5m
+            HostName git.coresecret.dev
+            IdentityFile ~/.ssh/id_ed25519
+            Port 42842
+            ServerAliveCountMax 3
+            ServerAliveInterval 10
+            StrictHostKeyChecking yes
+            User git
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 0600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        run: |
+          set -euo pipefail
+          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          export GNUPGHOME="$(PWD)/.gnupg"
+          mkdir -m 0700 "${GNUPGHOME}"
+          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+          gpg --batch --import ci-bot.sec.asc
+          ### Trust the key automatically
+          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(PWD)/.gnupg"
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Convert APT sources to HTTPS.
+        run: |
+          set -euo pipefail
+          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
+          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
+
+      - name: 🔧 Install Graphviz.
+        run: |
+          set -euo pipefail
+          sudo apt-get update
+          sudo apt-get install -y graphviz
+
+      - name: 🔧 Render all .dot / .gv to PNG.
+        run: |
+          set -euo pipefail
+          find . -type f \( -name "*.dot" -o -name "*.gv" \) | while read file; do
+            out="${file%.*}.png"
+            dot -Tpng "${file}" -o "${out}"
+          done
+
+      - name: 🚧 Stash local changes (including untracked).
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(PWD)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🔧 Restore stashed changes.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          git add *.png || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(PWD)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dot-to-png.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🔁 Auto-Generate PNG from *.dot. [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitignore

@@ -2,19 +2,19 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 .checklist/
 .idea/
-build/
 out/
 target/
 *.DS_Store
 *.log
 *.ps1
+config.mk
 Thumbs.db
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

.pubkey/dropbear-key-2015.asc

@@ -0,0 +1,41 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFWRP60BEACmOtUkYtbGNcmXdSKJ7caplzIbjuRWgSDR860hEosRDQqwORCL
+50xAEnPxgEiryONJUgOF0NRkBGJS9BsvfO3hH0LL4YSRTi0Wv7hJHTtqyzwa9qAH
+clyzNoq25dgy3D8OS6Bx1SgKFm8UTxTiCRTD0l1pRJx9efVEcAGkLgiconmyFZpJ
+oJ5XX8786bKucx791aA/26atNIzzsSo/295YAMi3QjIL5Mh5qtprSJkFRKcMx/Ay
+KaVzFlM8A/Kqea1cFiqwCJ9UNUdfvBa6K9HvTr6mPhznvH/ORt4m0sDigEoJAqLp
+KWNmjw7yITAK72nBDi/qQEhudUk22m9cVNV/mdNFoRkl9gDkgFvlcM6JksqOxkGp
+SAOJGdOU4V82e8FDSEK9C/pY+leeWeG5h/CLtw1v+Sdhk0PPRr17VKKOLCw2FGx1
+fcRYNdsuoMN4K8fgLoCzzKbyMC+y6sENEgEHSSPQDQ75XzM2Bo1UpfcHWpjqEllu
+8slhPWagckf07n0eOAARPIARlae+Wo8cYBScoZ30P5iOmYRWsxQ0HGwcLieyhuiS
+rb/NBex/tnR5ykvJNLW59P1Q5y7dpp/fLO6DpufAf+uoIfLOChnw3S5fvSL8ftxd
+GyWS79cMUkhcnFID2qfnaykxNsunuD9pEgfo9XhDk0iKZoCEKehRTau1rQARAQAB
+tC5Ecm9wYmVhciBTU0ggUmVsZWFzZSBTaWduaW5nIDxtYXR0QHVjYy5hc24uYXU+
+iQI3BBMBCgAhBQJVkT+tAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEEST
+FJTynGdzHgQP/1bVxV0KqXxEJpRSiu3aOEDu2WHIJahizZ94AClgPB0r14pEgT4T
+eCOdxinubENH+u1/ShlBVykTGyukmonhd10v8NGWAUldhkPi3jaHcxHSfENWXmu/
++KBpcHQ0j2/PlO+RxpNkGUWTjTu9WKFiFeIX60QLCMDJpOvPe49yb650xMpjTROM
+5yOGdTkmAw4SZCkHmd7zgmzSHxXnNzXLvT9bYsJXVZwXB7Jqw4bwOHGpqB3kXsQ2
+LR2pMitM8YV3Gmjtvy+mpBqvdQ5fsxISFTC5wAUT9f6jsHfFLUv6OuNLrhZghioT
+fjPj58nfD1/4j7ka9mSyZV0PEhW5f5GYvt3WEeJJyZyhkjAkzjtZTi5sTs+QtRm0
+APCspF/y1afErS5adjTjuzSkyVx9VMBowqiYo6AGu7byajNf0rFPtTgDBC3j4Mae
++vL5k1KvXuX1Hr1zZiM1OVMt4EOmY7mERmHXwVv1bOK/uUwQkCXKCFpP/v7a5VHL
+qpwCF65mBTW/G1ZKglUQT0JeyVJqqQHVKbNzgMSpDM7ra80/KFOg6zb9iNbjxRrH
+NfXeAGbmSWwbpFBNT3kbJWUqjqLkoD2R7rNN5SnzdPEGk/aCGuYZlLFE8k5/mJ3V
+K3X1t11fgu9lqYFpv7CenwXrbVCgxDkoic84+HezqXyQnoAp9n8xJI6diQIcBBAB
+CgAGBQJVkT+/AAoJEPSYMBLCC7qsbiQP/1qKpOo73GPvISknRpPYVWX0z7yMRUAB
+7gA9SYF7n0jOHwDAFKjYQdpIxff3xPbLaB9bRQFq6m67o1Ly5bwxXGPclsJQP/r3
+GQ8it7Dzs4JSi1Yk4Fg+Po4tHWSpW53uRKtryiaYEoQ9LYQd8fS3JDWFtkXYUVAM
+xKmKINr4UKExlYBpQS2AWve4Ou3xM9dxiDX4pH3azD8Qb24rC5vbkG8Sq+2+/QIV
+i/JxbSQHaJ+kaukHRufHWqgg4xOBE8gfS82RHqNxES1CeWcejNxhsXQP9cfUxsvZ
+2Lchm3leOZ/2ztVQ4O8aJOKN+ng8pqOjKuJDamQmN0L/1N3lfN+gg5Ccluyoj89f
+gxDuINJDeY7aulFcGfIIsa0AuDWyAly1Lcwz/Sle2WOA7xcg8FcdhqV9158a+BzB
+cSMvHRs0W0Xwsso3GyUfDomqWuOfERvQXRgwKR0SFYDeHAlB3dhKHt/KjDn0nqEo
+CFtg4ZjA0hh1KMgu5ceticwuEQOkPX5H3ZpqH99LBekHjgdp5m87FG2bWVVkYGIm
+BBoFNnCBVMXonmyZlFstZNDcvb4cYYY+gN6yDFqX1HkqV1RDSHMO7KEmVwPOg/LK
+lKpH//tEulZUqN0h8ldoNKEMRa1OOGl8nNygJFldoPzoY/3ZAbIJy8KwZeWUjkzv
+WieMGaws051uiEYEEBEKAAYFAlWRRVgACgkQjPn4sExkf7wC9wCgh2nBBbfhkvE4
+Xj3d7uSYCr1oLEEAnjJ+RpVfu3Gpye5Q+0X8EFiMLlXZ
+=kT6a
+-----END PGP PUBLIC KEY BLOCK-----

.pubkey/marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc

@@ -0,0 +1,21 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mEkFaQzeVBYAAAA/AytlcQHGPz+Tku/rFh5KSbHE465pYWjWOWSl26vKCk5HNMX6
+y2MGyUUbm5tVYHymp3EYbRBS8dJ+qKCKrzyAtDJNYXJjIFMuIFdlaWRuZXIgREVQ
+TE9ZIDxtc3crZGVwbG95QGNvcmVzZWNyZXQuZGV2PojNBRMWCABNIiEFmAiaRyzP
+RgHNUdfHCV02U1KW6hS43pIZhyPE3GBuj3YFAmkM3lQCGwMFCQfPlNwFCwkIBwIC
+IgIGFQoJCAsCBBYCAwECHgcCF4AAAA+GAcduwdOub1yMWc0o5e1qdkI/8Pv9jqYF
+P46Ko2UU24Q3AaYC5oBFyD4sKf4ojosYovs4fzrZCXqbH4ABxi0kmYEUZT11L+Ex
+AfiwNvJBCzlcvLzdK7A+ZBDgdaV5pybSN4/ZnUKkUSzZV/6odcVM2LtqkbAHAIjU
+BRAWCABUIiEFb9PDFk6t5GIBJKfozM13iXXLB7VAp8veRtbuNEidacIFAmkM3vEF
+gwfP84AkFIAAAAAADQAOcmVtQGdudXBnLm9yZ0NlbnR1cmlvbixDSUNBAACKBAHI
+5t3aZSnSERrnAZ3rwxItsTB9KeTVdtRnpxyZ7leBf4987ECcfwDDozkDGFo2cJwg
+eKPRloMif1eAAcjOdUXeunlNBTlPlyOBk0ukWT5SgVeZUl5bsNRgJWu7MoNiT9vQ
+M7gJjlyYcVoMZ47G7TA9Z+goJwC4TAVpDN5UEgAAAEIDK2VvAcCPfkOJzBvvplco
+PXb8jg4AsJXU10wHSucHMdR2R26+IJTCAYU6d3O47wTBr6QFc5HRgDZcf6FngQMB
+CgmIsgUYFggAMiIhBZgImkcsz0YBzVHXxwldNlNSluoUuN6SGYcjxNxgbo92BQJp
+DN5UAhsMBQkHz5TcAABuDQHI5Zp2rsRwc0WR0WaaQOIFh7KdL7x3dHljJ5u2m6Zc
+pzmlnZGuCTe0BmVzECJhq7Yqi+ajENbWOc+AAcUbToifr1VvbgZgUDtA+f2IlHRM
+ovaAOH5ED+DHy6OjEmBG43ZIPQbsbD4td5VIZoi+f6npZrhXNQA=
+=Q67G
+-----END PGP PUBLIC KEY BLOCK-----

.shellcheckrc

@@ -0,0 +1,34 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# https://github.com/koalaman/shellcheck/wiki/directive
+# https://github.com/koalaman/shellcheck/wiki/Optional
+
+encoding=utf-8
+external-sources=true
+shell=bash
+source-path=~/lib
+source-path=~/scripts
+source-path=~/var
+
+enable=add-default-case
+enable=avoid-negated-conditions
+enable=avoid-nullary-conditions
+enable=check-extra-masked-returns
+enable=check-set-e-suppressed
+enable=check-unassigned-uppercase
+enable=deprecate-which
+enable=quote-safe-variables
+enable=require-double-brackets
+enable=require-variable-braces
+enable=useless-use-of-cat
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

.version.properties

@@ -2,18 +2,18 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 properties_SPDX-Version="3.0"
 properties_SPDX-ExternalRef="GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git"
-properties_SPDX-FileCopyrightText="2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>"
-properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
-properties_SPDX-LicenseComment="This file is part of the CISS.hardened.installer framework."
+properties_SPDX-FileCopyrightText="2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>"
+properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
+properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.03.127.2025.06.02"
+properties_version="V8.13.768.2025.12.06"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

CISS.debian.live.builder.spdx

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.03.127.2025.06.02
+PackageVersion: Master V8.13.768.2025.12.06
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

LICENSE

@@ -1,256 +1,100 @@
-# SPDX-License-Identifier: EUPL-1.2
+SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 
-EUPL-1.2
+Centurion Licensing Overview
+============================
 
-EUROPEAN UNION PUBLIC LICENCE v. 1.2
-EUPL © the European Union 2007, 2016
+This repository uses a dual-licensing model combining a non-commercial "source-available" license with a separate commercial
+subscription license.
 
-This European Union Public Licence (the 'EUPL') applies to the Work (as defined below) which is provided under the
-terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such
-a use is covered by a right of the copyright holder of the Work).
+1. Default License: Centurion Non-Commercial License 1.1 (CNCL-1.1)
+---------------------------------------------------------------
 
-The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following
-notice immediately following the copyright notice for the Work:
+Unless explicitly stated otherwise in an individual file or directory, all original content in this repository is licensed under the
 
-                          Licensed under the EUPL
+    Centurion Non-Commercial License 1.1 (CNCL-1.1)
+    SPDX-Identifier: LicenseRef-CNCL-1.1
 
-or has expressed by any other means his willingness to license under the EUPL.
+Under CNCL-1.1 you may:
 
-1.Definitions
+  - use, study and modify the Software for non-commercial purposes;
+  - share the Software and your modifications for non-commercial purposes;
+  - NOT use the Software for any Commercial Use (as defined in CNCL-1.1).
 
-In this Licence, the following terms have the following meaning:
+Any Commercial Use of the Software (in whole or in part) is NOT permitted under CNCL-1.1 and requires a separate commercial
+license agreement with the Licensor (see section 2 below).
 
-— 'The Licence':this Licence.
+The full text of CNCL-1.1 is provided in:
 
-— 'The Original Work':the work or software distributed or communicated by the Licensor under this Licence, available
-as Source Code and also as Executable Code as the case may be.
+    ./docs/LICENSES/CNCL-1.1.txt
 
-— 'Derivative Works':the works or software that could be created by the Licensee, based upon the Original Work or
-modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work
-required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in
-the country mentioned in Article 15.
 
-— 'The Work':the Original Work or its Derivative Works.
+2. Commercial Use: Centurion Commercial License Agreement 1.1 (CCLA-1.1)
+---------------------------------------------------------------------
 
-— 'The Source Code':the human-readable form of the Work, which is the most convenient for people to study and
-modify.
+For any Commercial Use (including but not limited to use in paid services, SaaS offerings, commercial products, or internal use
+that contributes to revenue generation or cost reduction), a valid commercial subscription license is required.
 
-— 'The Executable Code':any code, which has generally been compiled and, which is meant to be interpreted by
-a computer as a program.
+Commercial rights are governed exclusively by the:
 
-— 'The Licensor':the natural or legal person that distributes or communicates the Work under the Licence.
+    Centurion Commercial License Agreement 1.1 (CCLA-1.1)
+    SPDX-Identifier: LicenseRef-CCLA-1.1
 
-— 'Contributor(s)':any natural or legal person who modifies the Work under the Licence, or otherwise contributes to
-the creation of a Derivative Work.
+The CCLA-1.1 grants time-limited, non-transferable rights to use the Software for commercial purposes, subject to subscription
+fees, support terms and the liability limitations described therein.
 
-— 'The Licensee' or 'You':any natural or legal person who makes any usage of the Work under the terms of the
-Licence.
+The full text of CCLA-1.1 is provided in:
 
-— 'Distribution' or 'Communication':any act of selling, giving, lending, renting, distributing, communicating,
-transmitting, or otherwise making available, online, or offline, copies of the Work or providing access to its essential
-functionalities at the disposal of any other natural or legal person.
+    ./docs/LICENSES/CCLA-1.1.txt
 
-2.Scope of the rights granted by the Licence
+If you are unsure whether your intended use case qualifies as Commercial Use, you must assume that it does and contact the
+Licensor at:
 
-The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for
-the duration of copyright vested in the Original Work:
+    legal@coresecret.eu
 
-— use the Work in any circumstances and for all usage,
 
-— reproduce the Work,
+3. Open-Source Components and Third-Party Code
+-------------------------------------------
 
-— modify the Work and make Derivative Works based upon the Work,
+This repository may contain or depend on third-party components that are licensed under separate open-source licenses, including
+but not limited to:
 
-— communicate to the public, including the right to make available or display the Work or copies thereof to the public
-and perform publicly, as the case may be, the Work,
+  - EUPL-1.2 (European Union Public Licence)
+  - other FOSS licenses as stated in the respective files or directories.
 
-— distribute the Work or copies thereof,
+Such components are clearly marked, typically via SPDX-License-Identifier headers and / or dedicated license files. For those
+components, the respective third-party license terms apply and take precedence over CNCL-1.1 and CCLA-1.1 with respect to that
+code.
 
-— lend and rent the Work or copies thereof,
+Where code from other projects is incorporated, the original copyright notices and license texts are preserved, and their terms
+remain in force for those portions.
 
-— sublicense rights in the Work or copies thereof.
 
-Those rights can be exercised on any media, supports, and formats, whether now known or later invented, as far as the
-applicable law permits so.
+4. SPDX Usage and Per-File Licensing
+------------------------------------
 
-In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed
-by law in order to make effective the licence of the economic rights here above listed.
+Each source file SHOULD contain an SPDX-License-Identifier line indicating the applicable license for that file, for example:
 
-The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the
-extent necessary to make use of the rights granted on the Work under this Licence.
+  - For non-commercial Centurion code:
+        SPDX-License-Identifier: LicenseRef-CNCL-1.1
 
-3.Communication of the Source Code
+  - For commercial-only Centurion deliverables (if applicable in private branches):
+        SPDX-License-Identifier: LicenseRef-CCLA-1.1
 
-The Licensor may provide the Work either in its Source Code form or as Executable Code. If the Work is provided as
-Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with
-each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to
-the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to
-distribute or communicate the Work.
+  - For EUPL-licensed parts:
+        SPDX-License-Identifier: EUPL-1.2
 
-4.Limitations on copyright
+In case of any apparent conflict between this overview file and the SPDX-License-Identifier in a specific file, the
+SPDX-License-Identifier in that file SHALL prevail for that file.
 
-Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the
-exclusive rights of the rights owners in the Work, to the exhaustion of those rights or of other applicable limitations
-thereto.
 
-5.Obligations of the Licensee
+5. No Legal Advice; Governing Documents
+---------------------------------------
 
-The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those
-obligations are the following:
+This LICENSE file is an informational overview only. The legally binding terms governing your use of the Software are
+exclusively those set out in:
 
-Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to
-the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices, and a copy of the
-Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work
-to carry prominent notices stating that the Work has been modified and the date of modification.
+  - Centurion Non-Commercial License 1.1 (CNCL-1.1)
+  - Centurion Commercial License Agreement 1.1 (CCLA-1.1)
+  - and any applicable third-party licenses as referenced above.
 
-Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this
-Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless
-the Original Work is expressly distributed only under this version of the Licence — for example, by communicating
-'EUPL v. 1.2 only'. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the
-Work or Derivative Work that alter or restrict the terms of the Licence.
-
-Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both
-the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done
-under the terms of this Compatible Licence. For the sake of this clause, 'Compatible Licence' refers to the licences listed
-in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with
-his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail.
-
-The provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide
-a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available
-for as long as the Licensee continues to distribute or communicate the Work.
-Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names
-of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and
-reproducing the content of the copyright notice.
-
-6.Chain of Authorship
-
-The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or
-licensed to him/her and that he/she has the power and authority to grant the Licence.
-
-Each Contributor warrants that the copyright in the modifications he/she brings to the Work is owned by him/her or
-licensed to him/her and that he/she has the power and authority to grant the Licence.
-
-Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions
-to the Work, under the terms of this Licence.
-
-7.Disclaimer of Warranty
-
-The Work is a work in progress, which is continuously improved by numerous Contributors. It is not finished work
-and may therefore contain defects or 'bugs' inherent to this type of development.
-
-For the above reason, the Work is provided under the Licence on an 'as is' basis and without warranties of any kind
-concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or
-errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this
-Licence.
-
-This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work.
-
-8.Disclaimer of Liability
-
-Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be
-liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the
-Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss
-of data, or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However,
-the Licensor will be liable under statutory product liability laws as far as such laws apply to the Work.
-
-9.Additional agreements
-
-While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services
-consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole
-responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify,
-defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such a Contributor by
-the fact You have accepted any warranty or additional liability.
-
-10.Acceptance of the Licence
-
-The provisions of this Licence can be accepted by clicking on an icon 'I agree' placed under the bottom of a window
-displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of
-applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms
-and conditions.
-
-Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You
-by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution
-or Communication by You of the Work or copies thereof.
-
-11.Information to the public
-
-In case of any Distribution or Communication of the Work by means of electronic communication by You (for example,
-by offering to download the Work from a remote location) the distribution channel or media (for example, a website)
-must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence,
-and the way it may be accessible, concluded, stored, and reproduced by the Licensee.
-
-12.Termination of the Licence
-
-The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms
-of the Licence.
-
-Such a termination will not terminate the licences of any person who has received the Work from the Licensee under
-the Licence, provided such persons remain in full compliance with the Licence.
-
-13.Miscellaneous
-
-Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the
-Work.
-
-If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or
-enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid
-and enforceable.
-
-The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of
-the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence.
-New versions of the Licence will be published with a unique version number.
-
-All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take
-advantage of the linguistic version of their choice.
-
-14.Jurisdiction
-
-Without prejudice to specific agreement between parties,
-
-— any litigation resulting from the interpretation of this License, arising between the European Union institutions,
-bodies, offices, or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice
-of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union,
-
-— any litigation arising between other parties and resulting from the interpretation of this License will be subject to
-the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business.
-
-15.Applicable Law
-
-Without prejudice to specific agreement between parties,
-
-— this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat,
-resides, or has his registered office
-
-— this licence shall be governed by Belgian law if the Licensor has no seat, residence, or registered office inside
-a European Union Member State.
-
-
-                                                         Appendix
-
-'Compatible Licences' according to Article 5 EUPL are:
-
-— GNU General Public License (GPL) v. 2, v. 3
-
-— GNU Affero General Public License (AGPL) v. 3
-
-— Open Software License (OSL) v. 2.1, v. 3.0
-
-— Eclipse Public License (EPL) v. 1.0
-
-— CeCILL v. 2.0, v. 2.1
-
-— Mozilla Public Licence (MPL) v. 2
-
-— GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3
-
-— Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software
-
-— European Union Public Licence (EUPL) v. 1.1, v. 1.2
-
-— Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+).
-
-The European Commission may update this Appendix to later versions of the above licences without producing
-a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the
-covered Source Code from exclusive appropriation.
-
-All other changes or additions to this Appendix require the production of a new EUPL version.
+In the event of any conflict between this overview and the full license texts, the full license texts shall prevail.

LINTER_RESULTS.txt

@@ -0,0 +1,16 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T04:39:51Z"
+
+✅ The last linter check was successful. ✅
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO.public

@@ -1,25 +1,27 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-29; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-02T07:05:05Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-10-29T11:15:54Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_02T06_28_22Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_10_29T10_21_17Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  "ciss-debian-live-2025_06_02T06_28_22Z-amd64.hybrid.iso.sha512"
+  c4694bb55c7571df893dace7469ca4f90693eb61922508e6e5795cb442c01f2e487d055f23c27f3d1226bdd30aa4f5522af07addfc16b6f7d3224394590bd591
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaD1NIQAKCRA85KY4hzOw
-IUI1AQCy+C8u2sxrulp9oEsYNPEQLnVuyqGxlsaGF9soF+ay4AD/cjMt0sNK/SUd
-Rt0J3YmtZbbXgIAaUyAMKMc3Bf3nHgc=
-=Z0iZ
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaQH3agAKCRA85KY4hzOw
+IbCaAP9Dqt8oESXBWNUgzCBDmBc/uZgDKJ/Ve/oIXsUGIfIqnwD/fovruI1dvGen
+4p02K+Dc5sf9sdU0IjMDrWVZAj8uBA0=
+=ieyd
 -----END PGP SIGNATURE-----
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_TRIXIE_0.private

@@ -0,0 +1,27 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T03:44:29Z"
+
+CISS.debian.live.builder ISO :
+  "ciss-debian-live-2025_12_06T02_53_28Z-amd64.hybrid.iso"
+CISS.debian.live.builder ISO sha512 :
+  2bf967b902455fe1f4d3ba1cb0b3c5983c6812181ae95b10ce837c0aaae084207bf15c22add2709c21c45f4262db2a2f787b2c93f3a1c507289c020e70314707
+CISS.debian.live.builder ISO sha512 sign :
+  -----BEGIN PGP SIGNATURE-----
+
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaTOmnQAKCRA85KY4hzOw
+IcItAQDvE6vEkbslGR5BLMVV+DKi2GDnIzIMVs7zROiPsKb3BgEA1Koqx7ccc+H2
+MmNv12w674dS2xmTZHOViYePe2KWLw0=
+=I8w2
+-----END PGP SIGNATURE-----
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_TRIXIE_1.private

@@ -0,0 +1,27 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T04:35:36Z"
+
+CISS.debian.live.builder ISO :
+  "ciss-debian-live-2025_12_06T03_45_41Z-amd64.hybrid.iso"
+CISS.debian.live.builder ISO sha512 :
+  fe9481d92cf61554da92ff883a58d9aaa2ae5fe86d9c3dd634a1c3a79e1b6ca5e08693d4f9b0870077fc0bf2f840a3e678d9c9dc44f9b8dae5d474a6d39e16b2
+CISS.debian.live.builder ISO sha512 sign :
+  -----BEGIN PGP SIGNATURE-----
+
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaTOymAAKCRA85KY4hzOw
+Ic1iAQDVxT891Nv+LHzQs3vL31/1wqeOjiGmZbEJR8XvBoRe4wEAjdmvUpEXyb1Y
+qhaFcxWDrRgiVKaitGkbNo2w6yICdgY=
+=TQPs
+-----END PGP SIGNATURE-----
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

README.html

@@ -1,405 +0,0 @@
-<p><a href="https://git.coresecret.dev/msw/CISS.debian.live.builder"><img src="https://badges.coresecret.dev/badge/Release-V8.03.127.2025.06.02-white?style=plastic&amp;logo=linux&amp;logoColor=white&amp;logoSize=auto&amp;label=Release&amp;color=%23FCC624" alt="Static Badge" /></a>   <a href="https://eupl.eu/1.2/en/"><img src="https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&amp;logo=europeanunion&amp;logoColor=white&amp;logoSize=auto&amp;label=Licence&amp;color=%23003399" alt="Static Badge" /></a>   <a href="https://opensource.org/license/eupl-1-2"><img src="https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&amp;logo=opensourceinitiative&amp;logoColor=white&amp;logoSize=auto&amp;label=OSI&amp;color=%233DA639" alt="Static Badge" /></a>   <a href="https://www.gnu.org/software/bash/"><img src="https://badges.coresecret.dev/badge/Bash-V5.2.15-white?style=plastic&amp;logo=gnubash&amp;logoColor=white&amp;logoSize=auto&amp;label=Bash&amp;color=%234EAA25" alt="Static Badge" /></a>   <a href="https://shellcheck.net/"><img src="https://badges.coresecret.dev/badge/shellcheck-passed-white?style=plastic&amp;logo=gnubash&amp;logoColor=white&amp;logoSize=auto&amp;label=shellcheck&amp;color=%234EAA25" alt="Static Badge" /></a>   <a href="https://github.com/mvdan/sh"><img src="https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&amp;logo=google&amp;logoColor=white&amp;logoSize=auto&amp;label=shellformat&amp;color=%234285F4" alt="Static Badge" /></a>   <a href="https://google.github.io/styleguide/shellguide.html"><img src="https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&amp;logo=google&amp;logoColor=white&amp;logoSize=auto&amp;label=Shellstyle&amp;color=%234285F4" alt="Static Badge" /></a>   <a href="https://docs.gitea.com/"><img src="https://badges.coresecret.dev/badge/Gitea-1.23.8-white?style=plastic&amp;logo=gitea&amp;logoColor=white&amp;logoSize=auto&amp;label=gitea&amp;color=%23609926" alt="Static Badge" /></a>   <a href="https://www.jetbrains.com/store/?section=personal&amp;billing=yearly"><img src="https://badges.coresecret.dev/badge/IntelliJ-2025.1.1.1-white?style=plastic&amp;logo=intellijidea&amp;logoColor=white&amp;logoSize=auto&amp;label=IntelliJ&amp;color=%23000000" alt="Static Badge" /></a>   <a href="https://keepassxc.org/"><img src="https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&amp;logo=keepassxc&amp;logoColor=white&amp;logoSize=auto&amp;label=KeePassXC&amp;color=%236CAC4D" alt="Static Badge" /></a>   <a href="https://www.netcup.com/de"><img src="https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&amp;logo=netcup&amp;logoColor=white&amp;logoSize=auto&amp;label=powered&amp;color=%23056473" alt="Static Badge" /></a>   <a href="https://coresecret.eu/"><img src="https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&amp;logo=europeanunion&amp;logoColor=white&amp;logoSize=auto&amp;label=powered&amp;color=%230F243E" alt="Static Badge" /></a>   <a href="https://x.com/coresecret_eu"><img src="https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&amp;logo=x&amp;logoColor=white&amp;logoSize=auto&amp;label=SocialMedia&amp;color=%23000000" alt="Static Badge" /></a>   <a href="https://coresecret.eu/spenden/#sepa"><img src="https://badges.coresecret.dev/badge/Donation-Donation-white?style=plastic&amp;logo=sepa&amp;logoColor=white&amp;logoSize=auto&amp;label=&amp;color=%230F243E" alt="Static Badge" /></a>   <a href="https://coresecret.eu/spenden/#bitcoin"><img src="https://badges.coresecret.dev/badge/bitcoin-Bitcoin-white?style=plastic&amp;logo=bitcoin&amp;logoColor=white&amp;logoSize=auto&amp;label=Donation&amp;color=%23F7931A" alt="Static Badge" /></a>   <a href="https://coresecret.eu/contact/#simplex"><img src="https://badges.coresecret.dev/badge/simplex-Simplex-white?style=plastic&amp;logo=simplex&amp;logoColor=white&amp;logoSize=auto&amp;label=Contact&amp;color=%23000000" alt="Static Badge" /></a>  </p>
-<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
-<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.145.2025.06.02<br></p>
-<p>This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for cloud deployment or unattended installations via the forthcoming <code>CISS.debian.installer</code>.</p>
-<p>Check out more:</p>
-<ul>
-<li><a href="https://coresecret.eu/cnet/">CenturionNet Services</a></li>
-<li><a href="https://dns.eddns.eu/">CenturionDNS Resolver</a></li>
-<li><a href="https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt">CenturionDNS Blocklist</a></li>
-<li><a href="https://uptime.coresecret.eu/">CenturionNet Status</a></li>
-<li><a href="https://talk.e2ee.li/">CenturionMeet</a></li>
-<li><a href="https://coresecret.eu/contact/">Contact the author</a></li>
-</ul>
-<h2 id="11-preliminary-remarks">1.1. Preliminary Remarks</h2>
-<h3 id="111-hsm">1.1.1. HSM</h3>
-<p>Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. The next step is to move to a room-gapped environment. ^^</p>
-<h3 id="112-hsts-and-dnssec">1.1.2. HSTS and DNSSEC</h3>
-<p>Please note that <code>coresecret.dev</code> is included in the <a href="https://hstspreload.org/">(HSTS Preload List)</a> and always serves the headers:</p>
-<pre class="nginx"><code>add_header Expect-CT                 &quot;max-age=86400, enforce&quot;                       always;
-add_header Strict-Transport-Security &quot;max-age=63072000; includeSubDomains; preload&quot; always;</code></pre>
-<p>Additionally, the entire zone is dual-signed with DNSSEC. See the current DNSSEC status at <a href="https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_DNSSEC.html">DNSSEC Audit Report</a></p>
-<h2 id="12-immutable-source-of-truth-system">1.2. Immutable Source-of-Truth System</h2>
-<p>This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static source-code definitions. All configurations, system components, and installation routines are embedded during build time and locked for runtime immutability. This ensures that the live environment functions as a trusted <strong>Source of Truth</strong> — not only for boot-time operations, but for deploying entire systems in a secure and reproducible way.<br></p>
-<p>Once booted, the environment optionally launches a fully scripted installer, via the forthcoming <code>CISS.debian.installer</code>, yet to deploy, that provisions the target system (the hardware the DVD is running on). The installer pulls no external dependencies besides of the necessary Debian debootstrap and Debian Packages and never exposes the target system in a not secure manner to the internet during installation. It operates strictly from within the verified image content, providing fully secured provisioning. Combined with checksum verification, <strong>activated by default</strong>, at boot and strict firewall defaults, this architecture guarantees that what is executed has not been tampered with and corresponds exactly to the intended source definition.<br></p>
-<p>An even more secure deployment variant — an unattended and headless version — can be built without any active network interface or shell-access, also via the forthcoming <code>CISS.debian.installer</code>. Such a version performs all verification steps autonomously, provisions the target device from embedded source artifacts, and reboots into a fully encrypted system image. The system then awaits the decryption passphrase input via an embedded Dropbear SSH server (SSH PubKey only) in the initramfs, exposing no ports without cryptographic hardened access, while also the <code>/boot</code> partition could be encrypted via the built-in support of <code>grub2 (2.12-1~bpo12+1)</code>.<br></p>
-<p>This approach provides a fully reproducible, audit-friendly, and tamper-resistant provisioning workflow rooted entirely in source-defined infrastructure logic.<br></p>
-<p>After build and configuration, the following audit reports can be generated:</p>
-<ul>
-<li><strong>Haveged Audit Report</strong>: Validates entropy daemon health and confirms '/dev/random' seeding performance. Type <code>chkhvg</code> at the prompt. See example report: <a href="https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_HAVEGED.html">Haveged Audit Report</a></li>
-<li><strong>Lynis Audit Report</strong>: Outputs a detailed security score and recommendations, confirming a 91%+ hardening baseline. Type <code>lsadt</code> at the prompt. See example report: <a href="https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_LYNIS.html">Lynis Audit Report</a></li>
-<li><strong>SSH Audit Report</strong>: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations. Type <code>ssh-audit &lt;IP&gt;:&lt;PORT&gt;</code>. See example report: <a href="https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_SSH.html">SSH Audit Report</a></li>
-</ul>
-<h2 id="12-preview">1.2. Preview</h2>
-<p><img src="/docs/screenshots/CISS.debian.live.builder_preview.jpeg" alt="CISS.debian.live.builder" /></p>
-<h2 id="13-caution-significant-information-for-those-considering-using-d-i">1.3. Caution. Significant information for those considering using D-I.</h2>
-<p><strong>The Debian Installer (d-i) will ALWAYS boot a new system.</strong><br></p>
-<p>Regardless of whether you start it:</p>
-<ul>
-<li>via the boot menu of your Live ISO (grub, isolinux) like <strong>CISS.debian.live.builder</strong>,</li>
-<li>via kexec in the running system,</li>
-<li>via the debian-installer-launcher package,</li>
-<li>or even via a graphical installer shortcut.</li>
-</ul>
-<p>The following happens in all cases:</p>
-<ul>
-<li>The installer kernel (/install/vmlinuz) + initrd.gz are started.</li>
-<li>The existing live system is exited.</li>
-<li>The memory is overwritten.</li>
-<li>All running processes – e.g., firewall, hardened SSH access, etc. pp. – cease to exist.</li>
-</ul>
-<p>The Debian Installer loads:</p>
-<ul>
-<li>its own kernel,</li>
-<li>its own initramfs,</li>
-<li>its own minimal root filesystem (BusyBox + udeb packages),</li>
-<li>no SSH access (unless explicitly enabled via preseed)</li>
-<li>no firewall, AppArmor, logging, etc. pp.,</li>
-<li>it disables all running network services, even if you were previously in the live system.</li>
-</ul>
-<p>This means function status of the <strong>CISS.2025.debian.live.builder</strong> ISO after d-i start:</p>
-<ul>
-<li>ufw, iptables, nftables ✘ disabled, not loaded,</li>
-<li>sshd with hardening ✘ stopped (processes gone),</li>
-<li>the running kernel ✘ replaced,</li>
-<li>Logging (rsyslog, journald) ✘ not active,</li>
-<li>preseed control over the network is possible (but without any protection).</li>
-</ul>
-<h1 id="2-features--rationale">2. Features &amp; Rationale</h1>
-<p>Below is a breakdown of each hardening component, with a summary of why each is critical to your security posture.</p>
-<h2 id="21-kernel-hardening">2.1. Kernel Hardening</h2>
-<h3 id="211-boot-parameters">2.1.1. Boot Parameters</h3>
-<ul>
-<li><strong>Description</strong>: Customizes kernel command-line flags to disable unused features and enable mitigations.</li>
-<li><strong>Key Parameters</strong>:
-<ul>
-<li><code>audit_backlog_limit=8192</code>: Ensures the audit subsystem can queue up to 8192 events to avoid dropped logs under heavy loads.</li>
-<li><code>audit=1</code>: Enables kernel auditing from boot to record system calls and security events.</li>
-<li><code>cfi=kcfi</code>: Activates kernel control-flow integrity using kCFI to protect against control-flow hijacking.</li>
-<li><code>debugfs=off</code>: Disables debugfs to prevent non-privileged access to kernel internals.</li>
-<li><code>efi=disable_early_pci_dma</code>: Stops early PCI DMA under EFI to mitigate DMA-based attacks during boot.</li>
-<li><code>efi_no_storage_paranoia</code>: Disables extra EFI storage checks to streamline boot without compromising expected storage integrity.</li>
-<li><code>hardened_usercopy=1</code>: Enables stringent checks on copy operations between user and kernel space to prevent buffer overflows.</li>
-<li><code>ia32_emulation=0</code>: Turns off 32-bit compatibility modes to reduce attack surface on 64-bit hosts.</li>
-<li><code>init_on_alloc=1</code>: Zeroes memory on allocation to prevent leakage of previous data.</li>
-<li><code>init_on_free=1</code>: Initializes memory on free to catch use-after-free bugs.</li>
-<li><code>iommu=force</code>: Enforces IOMMU for all devices to isolate DMA-capable hardware.</li>
-<li><code>kfence.sample_interval=100</code>: Configures the kernel fence memory safety tool to sample every 100 allocations.</li>
-<li><code>kvm.nx_huge_pages=force</code>: Enforces non-executable huge pages in KVM to mitigate code injection.</li>
-<li><code>l1d_flush=on</code>: Flushes L1 data cache on context switch to mitigate L1D vulnerabilities.</li>
-<li><code>lockdown=confidentiality</code>: Puts the kernel in confidentiality lockdown to restrict direct hardware access.</li>
-<li><code>loglevel=0</code>: Suppresses non-critical kernel messages to reduce information leakage.</li>
-<li><code>mce=0</code>: Disables machine check exceptions to prevent side-channel data leaks from hardware error reporting.</li>
-<li><code>mitigations=auto,nosmt</code>: Enables all automatic CPU mitigations and disables SMT to reduce side-channel risks.</li>
-<li><code>mmio_stale_data=full,nosmt</code>: Ensures stale MMIO data is fully flushed and disables SMT for added protection.</li>
-<li><code>oops=panic</code>: Forces a kernel oops to trigger a panic, preventing the system from running in an inconsistent state.</li>
-<li><code>page_alloc.shuffle=1</code>: Randomizes physical page allocation to hinder memory layout prediction attacks.</li>
-<li><code>page_poison=1</code>: Fills freed pages with a poison pattern to detect use-after-free.</li>
-<li><code>panic=-1</code>: Disables automatic reboot on panic to preserve the system state for forensic analysis.</li>
-<li><code>pti=on</code>: Enables page table isolation to mitigate Meltdown attacks.</li>
-<li><code>random.trust_bootloader=off</code>: Prevents trusting entropy provided by the bootloader.</li>
-<li><code>random.trust_cpu=off</code>: Disables trusting CPU-provided randomness, enforcing external entropy sources.</li>
-<li><code>randomize_kstack_offset=on</code>: Randomizes the kernel stack offset on each syscall entry to harden against stack probing.</li>
-<li><code>randomize_va_space=2</code>: Enables full address space layout randomization (ASLR) for user space.</li>
-<li><code>retbleed=auto,nosmt</code>: Enables automatic RETBLEED mitigations and disables SMT for better side-channel resistance.</li>
-<li><code>rodata=on</code>: Marks kernel read-only data sections to prevent runtime modification.</li>
-<li><code>tsx=off</code>: Disables Intel TSX extensions to eliminate related speculative execution vulnerabilities.</li>
-<li><code>vdso32=0</code>: Disables 32-bit vDSO to prevent unintended cross-mode calls.</li>
-<li><code>vsyscall=none</code>: Disables legacy vsyscall support to close a potential attack vector.</li>
-</ul></li>
-<li><strong>Rationale</strong>: Ensures early activation of protections, reducing exposure to CPU vulnerabilities before the system fully boots.</li>
-</ul>
-<h3 id="212-cpu-vulnerability-mitigations">2.1.2. CPU Vulnerability Mitigations</h3>
-<ul>
-<li><strong>Description</strong>: Enables all known kernel-level mitigations (Spectre, Meltdown, MDS, L1TF, etc.).</li>
-<li><strong>Rationale</strong>: Prevents side-channel attacks that exploit speculative execution, which remain a high-risk vector in multi-tenant cloud environments.</li>
-</ul>
-<h3 id="213-kernel-self-protection">2.1.3. Kernel Self-Protection</h3>
-<ul>
-<li><strong>Description</strong>: Activates <code>CONFIG_DEBUG_RODATA</code>, <code>CONFIG_STRICT_MODULE_RWX</code>, and other self-protections.</li>
-<li><strong>Rationale</strong>: Hardens kernel memory regions against unauthorized writings and enforces stricter module loading policies.</li>
-</ul>
-<h3 id="214-local-kernel-hardening">2.1.4. Local Kernel Hardening</h3>
-<ul>
-<li><strong>Description</strong>: The wrapper <code>sysp()</code>provides a function to apply and audit local kernel hardening rules from <code>/etc/sysctl.d/99_local.hardened</code>:</li>
-</ul>
-<pre class="bash"><code>###########################################################################################
-# Globals: Wrapper for loading CISS.2025 hardened Kernel Parameters
-# Arguments:
-#  none
-###########################################################################################
-# shellcheck disable=SC2317
-sysp() {
-  sysctl -p /etc/sysctl.d/99_local.hardened
-  # sleep 1
-  sysctl -a | grep -E &#39;kernel|vm|net&#39; &gt; /var/log/sysctl_check&quot;$(date +&quot;%Y-%m-%d_%H:%M:%S&quot;)&quot;.log
-}</code></pre>
-<ul>
-<li><strong>Key measures loaded by this file include:</strong>
-<ul>
-<li>Disabling module loading <code>kernel.modules_disabled=1</code></li>
-<li>Restricting kernel pointers &amp; logs <code>kernel.kptr_restrict=2</code>, <code>kernel.dmesg_restrict=1</code>, <code>kernel.printk=3 3 3 3</code></li>
-<li>Disabling unprivileged BPF and userfaultfd</li>
-<li>Disabling kexec and unprivileged user namespaces</li>
-<li>Locking down ptrace scope <code>kernel.yama.ptrace_scope=2</code></li>
-<li>Protecting filesystem links and FIFOs <code>fs.protected_*</code></li>
-</ul></li>
-</ul>
-<p><strong>Warning</strong> Once applied, some hardening settings cannot be undone via <code>sysctl</code> without a reboot, and dynamic module loading remains disabled until the next boot. Automatic enforcement at startup is therefore omitted by design—run <code>sysp()</code> manually and plan a reboot to apply or revert these controls.</p>
-<h2 id="22-module-blacklisting">2.2. Module Blacklisting</h2>
-<ul>
-<li><strong>Description</strong>: Disables and blacklists non-essential or insecure kernel modules.</li>
-<li><strong>Rationale</strong>: Minimizes attack surface by preventing loads of drivers or modules not required by the live environment.</li>
-</ul>
-<h2 id="23-network-hardening">2.3. Network Hardening</h2>
-<ul>
-<li><strong>Description</strong>: Applies <code>sysctl</code> settings (e.g., <code>net.ipv4.conf.all.rp_filter=1</code>, <code>arp_ignore</code>, <code>arp_announce</code>) to restrict inbound/outbound traffic behaviors.</li>
-<li><strong>Rationale</strong>: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man-in-the-middle on internal networks.</li>
-</ul>
-<h2 id="24-core-dump--kernel-hardening">2.4. Core Dump &amp; Kernel Hardening</h2>
-<ul>
-<li><strong>Description</strong>: Limits core dump generation paths, enforces <code>Yama</code> restrictions, and configures <code>kernel.kptr_restrict</code>.</li>
-<li><strong>Rationale</strong>: Prevents leakage of sensitive memory contents and reduces information disclosure from unintentional crash dumps.</li>
-</ul>
-<h2 id="25-entropy-collection-improvements">2.5. Entropy Collection Improvements</h2>
-<ul>
-<li><strong>Description</strong>: Installs and configures <code>haveged</code>, seeds <code>/dev/random</code> early.</li>
-<li><strong>Rationale</strong>: Cloud instances frequently suffer low entropy at the start; improving randomness ensures strong cryptographic key generation for SSH and other services.</li>
-</ul>
-<h2 id="26-permissions--authentication">2.6. Permissions &amp; Authentication</h2>
-<ul>
-<li><strong>Description</strong>: Sets strict directory and file permissions, integrates with PAM modules (e.g., <code>pam_faillock</code>).</li>
-<li><strong>Rationale</strong>: Enforces the principle of least privilege at file-system level and strengthens authentication policies.</li>
-</ul>
-<h2 id="27-high-security-baseline-lynis-audit">2.7. High-Security Baseline (Lynis Audit)</h2>
-<ul>
-<li><strong>Description</strong>: Run a baseline audit via <a href="https://cisofy.com/lynis/">Lynis</a> after build completion. The generated live environment consistently achieves a 91%+ score in Lynis security audits.</li>
-<li><strong>Rationale</strong>: Provides independent verification of security posture and flags any configuration drifts or missing hardening steps.</li>
-</ul>
-<h2 id="28-ssh-tunnel--access-security">2.8. SSH Tunnel &amp; Access Security</h2>
-<ul>
-<li><strong>Description</strong>: The SSH tunnel and access are secured through multiple layers of defense:
-<ul>
-<li><strong>Firewall Restriction</strong>: ufw allows connections only from defined jump host or VPN exit node IPs.</li>
-<li><strong>TCP Wrappers</strong>: <code>/etc/hosts.allow</code> and <code>/etc/hosts.deny</code> enforce an <code>ALL: ALL</code> deny policy, permitting only specified hosts.</li>
-<li><strong>One-Hit Ban</strong>: A custom Fail2Ban rule <code>/etc/fail2ban/jail.d/centurion-default.conf</code> immediately bans any host that touches closed ports.
-<ul>
-<li>Additionally, the <code>fail2ban</code> service is hardened as well according to: <a href="https://wiki.archlinux.org/title/fail2ban#Service_hardening">Arch Linux Wiki Fail2ban Hardening</a></li>
-</ul></li>
-<li><strong>SSH Ultra-Hardening</strong>: The <code>/etc/sshd_config</code> enforces strict cryptographic and connection controls with respect to <a href="https://www.ssh-audit.com/hardening_guides.html#debian_12">SSH Audit Guide Debian 12</a>:
-<ul>
-<li><code>RekeyLimit 1G 1h</code></li>
-<li><code>HostKey /etc/ssh/ssh_host_ed25519_key</code></li>
-<li><code>HostKey /etc/ssh/ssh_host_rsa_key (8192-bit RSA)</code></li>
-<li><code>PubkeyAuthentication yes</code></li>
-<li><code>PermitRootLogin prohibit-password</code></li>
-<li><code>PasswordAuthentication no</code></li>
-<li><code>PermitEmptyPasswords no</code></li>
-<li><code>LoginGraceTime 2m</code></li>
-<li><code>MaxAuthTries 3</code></li>
-<li><code>MaxSessions 2</code></li>
-<li><code>MaxStartups 08:64:16</code></li>
-<li><code>PerSourceMaxStartups 4</code></li>
-<li><code>RequiredRSASize 4096</code></li>
-<li><code>Ciphers aes256-gcm@openssh.com</code></li>
-<li><code>KexAlgorithms sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512,gss-curve25519-sha256-</code></li>
-<li><code>MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com</code></li>
-</ul></li>
-</ul></li>
-<li><strong>Rationale</strong>: These measures ensure that only authorized hosts can establish SSH tunnels, with strict cryptographic and usage policies enforced. Minimizes brute force, passive sniffing, and reduces credentials' exposure by limiting protocol features to vetted algorithms.</li>
-</ul>
-<h2 id="29-ufw-hardening">2.9. UFW Hardening</h2>
-<ul>
-<li><strong>Description</strong>: Defaults to <code>deny incoming</code> and (optionally) <code>deny outgoing</code>; automatically opens only whitelisted ports.</li>
-<li><strong>Rationale</strong>: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after deployment.</li>
-</ul>
-<h2 id="210-fail2ban-enhancements">2.10. Fail2Ban Enhancements</h2>
-<ul>
-<li><strong>Description</strong>:
-<ul>
-<li>Bans any connection to a closed port for 24 hours</li>
-<li>Automatically ignores designated bastion/jump host subnets</li>
-<li>Hardened via <code>systemd</code> policy override to limit privileges of the Fail2Ban service itself</li>
-</ul></li>
-<li><strong>Rationale</strong>: Provides proactive defense against port scans and brute-force attacks, while isolating the ban daemon in a minimal-privilege context.</li>
-</ul>
-<h2 id="211-ntpsec--chrony">2.11. NTPsec &amp; Chrony</h2>
-<ul>
-<li><strong>Description</strong>: Installs <code>chrony</code>, selects PTB NTPsec servers by default.</li>
-<li><strong>Rationale</strong>: Ensures tamper-resistant time synchronization, which is essential for log integrity, certificate validation, and forensic accuracy.</li>
-</ul>
-<h1 id="3-script-features--rationale">3. Script Features &amp; Rationale</h1>
-<h2 id="31-input-validation--security">3.1. Input Validation &amp; Security</h2>
-<ul>
-<li><strong>Description</strong>: All script arguments are validated using a robust input sanitizer.</li>
-<li><strong>Rationale</strong>: Prevents injection attacks and ensures only expected data types and values are processed.</li>
-</ul>
-<h2 id="32-debug-mode-with-detailed-logging">3.2. Debug Mode with Detailed Logging</h2>
-<ul>
-<li><p><strong>Description</strong>: A built-in debug mode outputs clear, timestamped logs including:</p>
-<ul>
-<li>Script Name and Path of called Function,</li>
-<li>Line Number,</li>
-<li>Function Name,</li>
-<li>Exit Code of the previous Command,</li>
-<li>Executed Command.</li>
-</ul></li>
-<li><p><strong>Rationale</strong>: Simplifies troubleshooting and provides precise error tracing.</p></li>
-</ul>
-<h2 id="33-secure-debug-logging">3.3. Secure Debug Logging</h2>
-<ul>
-<li><strong>Description</strong>: No hardcoded plaintext password fragments or sensitive artifacts appear in debug logs.</li>
-<li><strong>Rationale</strong>: Prevents accidental exposure of credentials during troubleshooting.</li>
-</ul>
-<h2 id="34-secure-password-handling">3.4. Secure Password Handling</h2>
-<ul>
-<li><strong>Description</strong>: Password files, if provided, are shredded immediately after being hashed.</li>
-<li><strong>Rationale</strong>: Prevents password recovery from temporary files.</li>
-</ul>
-<h2 id="35-variable-declaration--validation">3.5. Variable Declaration &amp; Validation</h2>
-<ul>
-<li><strong>Description</strong>: All variables are declared and validated before use.</li>
-<li><strong>Rationale</strong>: Avoids unintended behavior from unset or improperly set variables.</li>
-</ul>
-<h2 id="36-pure-bash-implementation">3.6. Pure Bash Implementation</h2>
-<ul>
-<li><strong>Description</strong>: The entire wrapper and all its functions are written in pure Bash, without external dependencies.</li>
-<li><strong>Rationale</strong>: Ensures maximum portability and compatibility with standard Debian environments.</li>
-</ul>
-<h2 id="37-bash-error-handling">3.7. Bash Error Handling</h2>
-<ul>
-<li><p><strong>Description</strong>: The implemented xtrace wrapper <code>set -x</code> enforces comprehensive Bash error handling to ensure</p>
-<ul>
-<li>robust,</li>
-<li>predictable execution,</li>
-<li>and early detection of failures.</li>
-</ul>
-<p>and delivers full information, which command failed to execute:</p>
-<ul>
-<li>Script Name and Path of called Function,</li>
-<li>Line Number,</li>
-<li>Function Name,</li>
-<li>Exit Code of the previous Command,</li>
-<li>Executed Command,</li>
-<li>Environment Settings,</li>
-<li>Argument Counter passed to Script,</li>
-<li>Argument String passed to Script.</li>
-</ul></li>
-<li><p>The following <code>set</code> options are applied at the beginning of the script (see <a href="https://www.gnu.org/software/bash/manual/bash.html#The-Set-BuiltinGNU">Bash Manual, The Set Builtin</a>):</p></li>
-</ul>
-<pre class="bash"><code>set -o errexit   # Exit script when a command exits with non-zero status (same as &quot;set -e&quot;).
-set -o errtrace  # Inherit ERR traps in subshells (same as &quot;set -E&quot;).
-set -o functrace # Inherit DEBUG and RETURN traps in subshells (same as &quot;set -T&quot;).
-set -o nounset   # Exit script on use of an undefined variable (same as &quot;set -u&quot;).
-set -o pipefail  # Return the exit status of the last failed command in a pipeline.
-set -o noclobber # Prevent overwriting files via redirection (same as &quot;set -C&quot;).</code></pre>
-<ul>
-<li><strong>Rationale</strong>: These options enforce strict error checking and handling, reducing silent failures and ensuring predictable script behavior.</li>
-</ul>
-<h1 id="4-prerequisites">4. Prerequisites</h1>
-<ul>
-<li><strong>Host</strong>: Debian Bookworm or newer with <code>live-build</code> package installed.</li>
-<li><strong>Privileges</strong>: Root or sudo access to execute <code>ciss_live_builder.sh</code> and related scripts.</li>
-<li><strong>Network</strong>: Outbound access to Debian repositories and PTB NTPsec pool.</li>
-</ul>
-<h1 id="5-installation--usage">5. Installation &amp; Usage</h1>
-<h1 id="51-interactive-cli--dialog-wrapper">5.1. Interactive CLI / Dialog Wrapper</h1>
-<ol type="1">
-<li><p>Clone the repository:</p>
-<pre class="bash"><code>git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-cd CISS.debian.live.builder</code></pre></li>
-<li><p>Preparation:</p>
-<ol type="1">
-<li>Ensure you are root.</li>
-<li>Create the build directory <code>mkdir /opt/livebuild</code>.</li>
-<li>Place your desired SSH public key in the <code>authorized_keys</code> file, for example, in the <code>/opt/gitea/CISS.debian.live.builder</code> directory.</li>
-<li>Place your desired Password in the <code>password.txt</code> file, for example, in the <code>/opt/gitea/CISS.debian.live.builder</code> directory.</li>
-<li>Make any other changes you need to.</li>
-</ol></li>
-<li><p>Run the config builder script <code>./ciss_live_builder.sh</code> and the integrated <code>lb build</code> command (example):</p>
-<pre class="yaml"><code>chmod 0700 ./ciss_live_builder.sh
-./ciss_live_builder.sh --architecture amd64 \
-                       --build-directory /opt/livebuild \
-                       --change-splash hexagon \
-                       --control 384 \
-                       --debug \
-                       --dhcp-centurion \
-                       --jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \
-                       --provider-netcup-ipv6 [c0de:4711:0815:4242::ffff] \
-                       --renice-priority &quot;-19&quot; \
-                       --reionice-priority 1 2 \
-                       --root-password-file /opt/gitea/CISS.debian.live.builder/password.txt \
-                       --ssh-port 4242 \
-                       --ssh-pubkey /opt/gitea/CISS.debian.live.builder</code></pre></li>
-<li><p>Locate your ISO in the <code>--build-directory</code>.</p></li>
-<li><p>Boot from the ISO and login to the live image via the console, or the multi-layer secured <strong>coresecret</strong> SSH tunnel.</p></li>
-<li><p>Type <code>sysp</code> for the final kernel hardening features.</p></li>
-<li><p>Check the boot log with <code>jboot</code> and via <code>ssf</code> that all services are up.</p></li>
-<li><p>Finally, audit your environment with <code>lsadt</code> for a comprehensive Lynis audit.</p></li>
-<li><p>Type <code>celp</code> for some shortcuts.</p></li>
-</ol>
-<h1 id="52-cicd-gitea-runner-workflow-example">5.2. CI/CD Gitea Runner Workflow Example</h1>
-<ol type="1">
-<li><p>Clone the repository:</p>
-<pre class="bash"><code>git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-cd CISS.debian.live.builder</code></pre></li>
-<li><p>Edit the <code>.gitea/workflows/generate-iso.yaml</code> file according to your requirements. Ensure that the trigger file <code>.gitea/trigger/t_generate.iso.yaml</code> and the counter are updated. Change all the necessary <code>{{ secrets.VAR }}</code>. Push your commits to trigger the workflow. Then download your final ISO from the specified Location.</p></li>
-</ol>
-<pre class="yaml"><code>#...
-    steps:
-      - name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
-        run: |
-          rm -rf ~/.ssh &amp;&amp; mkdir -m700 ~/.ssh
-
-          ### Private Key
-          echo &quot;${{ secrets.CHANGE_ME }}&quot; &gt;| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
-#...
-      ### https://github.com/actions/checkout/issues/1843
-      - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
-        run: |
-          git clone --branch &quot;${GITHUB_REF_NAME}&quot; ssh://git@CHANGE_ME .
-#...
-      - name: Importing the &#39;CI PGP DEPLOY ONLY&#39; key.
-        run: |
-          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME=&quot;$(pwd)/.gnupg&quot;
-          mkdir -m700 &quot;${GNUPGHOME}&quot;
-          echo &quot;${{ secrets.CHANGE_ME }}&quot; &gt;| ci-bot.sec.asc
-#...
-      - name: Configuring Git for signed CI/DEPLOY commits.
-        run: |
-          export GNUPGHOME=&quot;$(pwd)/.gnupg&quot;
-          git config user.name &quot;CHANGE_ME&quot;
-          git config user.email &quot;CHANGE_ME&quot;
-#...
-      - name: Preparing the build environment.
-        run: |
-          mkdir -p /opt/config
-          mkdir -p /opt/livebuild
-          echo &quot;${{ secrets.CHANGE_ME }}&quot; &gt;| /opt/config/password.txt
-          echo &quot;${{ secrets.CHANGE_ME }}&quot; &gt;| /opt/config/authorized_keys
-#...
-      - name: Starting CISS.debian.live.builder. This may take a while ...
-        run: |
-          chmod 0700 ciss_live_builder.sh &amp;&amp; chown root:root ciss_live_builder.sh
-          timestamp=$(date -u +&quot;%Y_%m_%d_%H_%M_Z&quot;)
-          ### Change &quot;--autobuild=&quot; to the specific kernel version you need: &#39;6.12.22+bpo-amd64&#39;.
-          ./ciss_live_builder.sh \
-            --autobuild=CHANGE_ME \
-            --architecture CHANGE_ME \
-            --build-directory /opt/livebuild \
-            --control &quot;${timestamp}&quot; \
-            --jump-host &quot;${{ secrets.CHANGE_ME }}&quot; \
-            --root-password-file /opt/config/password.txt \
-            --ssh-port CHANGE_ME \
-            --ssh-pubkey /opt/config
-#...
-      ### SKIP OR CHANGE ALL REMAINING STEPS</code></pre>
-<h1 id="6-licensing--compliance">6. Licensing &amp; Compliance</h1>
-<p>This repository is fully SPDX-compliant. All source files include appropriate SPDX license identifiers and headers to ensure clear and unambiguous licensing. You can verify compliance by reviewing the top of each file, which follows the SPDX standard for license expressions and metadata.</p>
-<h1 id="7-disclaimer">7. Disclaimer</h1>
-<p>This README is provided "as-is" without any warranty. Review your organization's policies before deploying to production.</p>
-<hr />
-<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>
-

README.md

@@ -2,17 +2,18 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.127.2025.06.02-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.768.2025.12.06-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
-[![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.15-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/)  
+[![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.37-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/)  
 [![Static Badge](https://badges.coresecret.dev/badge/shellcheck-passed-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=shellcheck&color=%234EAA25)](https://shellcheck.net/)  
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh)  
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
  
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.23.8-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.1.1-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.25.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
+[![Static Badge](https://badges.coresecret.dev/badge/Runner-0.2.13-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/)  
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.4-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/)  
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de)  
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/)  
@@ -25,174 +26,241 @@ include_toc: true
 
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.02<br>
-**Build**: V8.03.145.2025.06.02<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.768.2025.12.06<br>
 
-This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
-and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
-cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`.
+**CISS.debian.live.builder — First of its own.**<br>
+**World-class CIA: Designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
 
-Check out more:
-* [CenturionNet Services](https://coresecret.eu/cnet/) 
-* [CenturionDNS Resolver](https://dns.eddns.eu/)
+Developed and maintained as a one-man, security-driven engineering effort since 2024, **CISS.debian.live.builder** is designed 
+to serve as a reference implementation for hardened, image-based Debian deployments.
+
+This shell wrapper automates the creation of a Debian Trixie live ISO hardened according to the latest best practices in server
+and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for cloud
+deployment or unattended installations via the forthcoming `CISS.debian.installer`. Additionally, automated CI workflows based
+on Gitea Actions are provided, enabling reproducible ISO generation. A generic ISO is automatically built upon significant
+changes and made publicly available for download. The latest generic ISO is available at:
+**[PUBLIC CISS.debian.live.ISO](/docs/DL_PUB_ISO.md)**
+
+Beyond a conventional live system, **CISS.debian.live.builder** assembles a **fully encrypted, integrity-protected live medium**
+in a single, deterministic build step: a LUKS2 container backed by `dm-integrity` hosting the SquashFS root filesystem, combined
+with a hardened initramfs chain including a dedicated Dropbear build pipeline for remote LUKS unlock. The resulting ISO ships 
+with a hardened kernel configuration, strict sysctl and network tuning, pre-configured SSH hardening and fail2ban, and a 
+customised `verify-checksums` path providing both ISO-edge verification and runtime attestation of the live root. All components
+are aligned with the `CISS.debian.installer` baseline, ensuring a unified cryptographic and security posture from first boot to 
+an installed system. For an overview of the entire build process, see:
+**[MAN_CISS_ISO_BOOT_CHAIN.md](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**
+
+When built with the ``--dhcp-centurion`` profile, the live system ships with a strict network and resolver policy: 
+``systemd-networkd`` and ``systemd-resolved`` are pre-configured to use ``DNS-over-TLS (DoT)`` exclusively against the 
+**CenturionDNS** resolver infrastructure; plain DNS is not used and connectivity failures are treated as hard errors. DNSSEC 
+validation is enforced in a fail-closed manner: zones with invalid or broken signatures result in ``SERVFAIL`` and are not 
+silently downgraded. Multicast name resolution via ``mDNS`` and ``LLMNR`` is disabled globally to avoid unintended name leakage
+and spoofing surfaces.
+
+Internally, the builder employs a dedicated secret-handling pipeline backed by a tmpfs-only secrets directory
+(`/dev/shm/cdlb_secrets`). Sensitive material such as root passwords, SSH keys, and signing keys never appears on the command
+line, is guarded by strict `0400 root:root` permissions, and any symlink inside the secret path is treated as a hard failure
+that aborts the run. Critical code paths temporarily disable Bash xtrace so that credentials never leak into debug logs, and
+transient secret files are shredded (`shred -fzu`) as soon as they are no longer needed. GNUPG homes used for signing are
+wiped, unencrypted chroot artifacts and includes are removed after `lb build`, and the final artifact is reduced to the
+encrypted SquashFS inside the LUKS2 container. At runtime, LUKS passphrases in the live ISO and installer are transported via
+named pipes inside the initramfs instead of process arguments, further minimizing exposure in process listings.
+
+Check out more leading world-class services powered by Centurion Intelligence Consulting Agency:
+* [CenturionDNS Resolver](https://eddns.eu/)
 * [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt) 
-* [CenturionNet Status](https://uptime.coresecret.eu/) 
 * [CenturionMeet](https://talk.e2ee.li/)
+* [CenturionNet Services](https://coresecret.eu/cnet/)
+* [CenturionNet Status](https://uptime.coresecret.eu/) 
+
+**Contact the author:**
 * [Contact the author](https://coresecret.eu/contact/)
 
+**Legal Disclaimer:**
+* This project is not affiliated with, authorized, maintained, sponsored, or endorsed by the [Debian Project](https://www.debian.org/) 
+* [Licensing & Compliance](#6-licensing--compliance)
+* [Disclaimer](#7-disclaimer)
+* [Centurion Imprint & Legal Notice](https://coresecret.eu/imprint/)
+* [Centurion Privacy Policy](https://coresecret.eu/privacy/)
+
 ## 1.1. Preliminary Remarks
 
 ### 1.1.1. HSM
+
 Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. The next step is to 
 move to a room-gapped environment. ^^
 
-### 1.1.2. HSTS and DNSSEC
+### 1.1.2. DNSSEC, HSTS, TLS
 
 Please note that `coresecret.dev` is included in the [(HSTS Preload List)](https://hstspreload.org/) and always serves the headers:
 ````nginx configuration pro
 add_header Expect-CT                 "max-age=86400, enforce"                       always;
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 ````
-Additionally, the entire zone is dual-signed with DNSSEC. See the current DNSSEC status at [DNSSEC Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_DNSSEC.md)
 
-## 1.2. Immutable Source-of-Truth System
+* The zones behind this project are dual-signed with **DNSSEC**. The current validation state is documented in the **[DNSSEC Audit Report](/docs/AUDIT_DNSSEC.md)**
+* The TLS surface of **``git.coresecret.dev``** is independently audited, and the findings are held in the **[TLS Audit Report](/docs/AUDIT_TLS.md)**
+* The topology of the underlying **`CISS.debian.live.builder`** building infrastructure is described in **[Centurion Net](/docs/CNET.md)**
 
-This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static
-source-code definitions. All configurations, system components, and installation routines are embedded during build time and 
-locked for runtime immutability. This ensures that the live environment functions as a trusted **Source of Truth** — not only 
-for boot-time operations, but for deploying entire systems in a secure and reproducible way.<br>
+### 1.1.3. Gitea Action Runner Hardening
 
-Once booted, the environment optionally launches a fully scripted installer, via the forthcoming `CISS.debian.installer`,
-yet to deploy, that provisions the target system (the hardware the DVD is running on). The installer pulls no external 
-dependencies besides of the necessary Debian debootstrap and Debian Packages and never exposes the target system in a not 
-secure manner to the internet during installation. It operates strictly from within the verified image content, providing fully 
-secured provisioning. Combined with checksum verification, **activated by default**, at boot and strict firewall defaults, this 
-architecture guarantees that what is executed has not been tampered with and corresponds exactly to the intended source definition.<br>
+The CI runners live on a host in a separate autonomous system, and that host has exactly one purpose: run Gitea Actions runners. 
+Each runner receives its own service account without a login shell, is bound to a separate directory tree, and inherits a 
+hardened systemd unit with ``DynamicUser``, reduced capabilities, and restrictive sandboxing. A ``systemd-analyze security`` score 
+of around **``2.6``** is the baseline, not an aspiration. Traffic from those runners traverses both a software firewall (UFW) 
+and dedicated hardware firewall appliances. Docker, where used, runs unprivileged.
 
-An even more secure deployment variant — an unattended and headless version — can be built without any active network interface
-or shell-access, also via the forthcoming `CISS.debian.installer`. Such a version performs all verification steps autonomously, 
-provisions the target device from embedded source artifacts, and reboots into a fully encrypted system image. The system then 
-awaits the decryption passphrase input via an embedded Dropbear SSH server (SSH PubKey only) in the initramfs, exposing no ports
-without cryptographic hardened access, while also the `/boot` partition could be encrypted via the built-in support of 
-`grub2 (2.12-1~bpo12+1)`.<br>
+## 1.2. Match Host and Target Versions
 
-This approach provides a fully reproducible, audit-friendly, and tamper-resistant provisioning workflow rooted entirely in 
-source-defined infrastructure logic.<br>
+I always build a Debian Trixie live image on a Debian Trixie host. The toolchain and all boot components that matter to 
+reproducibility are release-specific: ``live-build``, ``live-boot``, ``live-config``, ``debootstrap``, ``mksquashfs``, ``grub``, 
+the ``kernel``, ``initramfs`` tooling, and even ``dpkg`` and ``apt`` defaults evolve from one release to the next. Mixing 
+generations produces fragile or outright broken ISOs, sometimes subtly, sometimes catastrophically. Keeping host and target in 
+lockstep avoids those mismatches and gives me predictable artifacts across builds.
 
-After build and configuration, the following audit reports can be generated:
+## 1.3. Immutable Source-of-Truth System and Encrypted Live Root
 
-* **Haveged Audit Report**: Validates entropy daemon health and confirms '/dev/random' seeding performance.
-  Type `chkhvg` at the prompt. See example report: [Haveged Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_HAVEGED.md)
-* **Lynis Audit Report**: Outputs a detailed security score and recommendations, confirming a 91%+ hardening baseline.
-  Type `lsadt` at the prompt. See example report: [Lynis Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_LYNIS.md)
+The live ISO acts as a sealed, immutable execution environment. All relevant configuration, all installation logic, and all 
+security decisions are rendered into the image at build time and treated as read-only at runtime. On top of that logical 
+ immutability, I now layer cryptographic protection of the live root file system itself. The live image contains a LUKS2 container
+file with dm-integrity that wraps the SquashFS payload. The initramfs knows how to locate this container, unlock it, verify its 
+integrity, and then present the decrypted SquashFS as the root component of an OverlayFS stack. The detailed boot and 
+verification chain is documented separately in **[CISS ISO Boot Chain](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**<br>
+
+In compact form, my expectations for the system are:<br>
+
+* Every bit that matters for boot and provisioning is covered by checksums that I control and that are signed with keys under my solely authoritative HSM.
+* The live root runs out of a LUKS2 dm-integrity container so that a tampered or bit-rotted SquashFS never becomes a trusted root.
+* Verification steps are not advisory. Any anomaly causes a hard abort during boot.
+* After the live environment has reached a stable, verified state, it can hand off to ``CISS.debian.installer``. The installer operates from the same image, does not pull random payloads from the internet, and keeps the target system behind a hardened firewall until the entire provisioning process has completed.
+* For unattended, headless scenarios I also support builds where the target system is installed without ever exposing a shell over the console. After installation and reboot, the machine waits for a decryption passphrase via an embedded Dropbear SSH instance in the initramfs, limited to public key authentication and guarded by strict cryptographic policies. In such variants even ``/boot`` can be encrypted, with GRUB taking care of unlocking the boot partition.
+
+These combinations give me a provisioning chain that is auditable, reproducible, and robust against both casual and targeted tampering.<br>
+
+Once the system is up, I can trigger a set of audits from within the live environment:
+
+* **Lynis Audit Report**: Outputs a detailed security score and recommendations, confirming a 93%+ hardening baseline.
+  Type `lsadt` at the prompt. See example report: **[Lynis Audit Report](/docs/AUDIT_LYNIS.md)**
 * **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations.
-  Type `ssh-audit <IP>:<PORT>`. See example report: [SSH Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_SSH.md)
+  Type `ssh-audit <IP>:<PORT>`. See example report: **[SSH Audit Report](/docs/AUDIT_SSH.md)**
 
-## 1.2. Preview
+## 1.4. Preview
 
 ![CISS.debian.live.builder](/docs/screenshots/CISS.debian.live.builder_preview.jpeg)
 
-## 1.3. Caution. Significant information for those considering using D-I.
-
+## 1.5. Caution. Debian Installer and Security Context
 **The Debian Installer (d-i) will ALWAYS boot a new system.**<br>
 
-Regardless of whether you start it:
-* via the boot menu of your Live ISO (grub, isolinux) like **CISS.debian.live.builder**,
-* via kexec in the running system,
-* via the debian-installer-launcher package,
-* or even via a graphical installer shortcut.
+The classical Debian Installer (d-i) always boots its own kernel and its own initramfs. That effect is independent of the way it
+is launched: 
 
-The following happens in all cases:
-* The installer kernel (/install/vmlinuz) + initrd.gz are started.
-* The existing live system is exited.
-* The memory is overwritten.
-* All running processes – e.g., firewall, hardened SSH access, etc. pp. – cease to exist.
+* from a GRUB entry on the live medium, 
+* from within a running live session via a graphical shortcut, 
+* through kexec, 
+* or via helper packages such as debian-installer-launcher.
 
-The Debian Installer loads:
-* its own kernel,
-* its own initramfs,
-* its own minimal root filesystem (BusyBox + udeb packages),
-* no SSH access (unless explicitly enabled via preseed)
-* no firewall, AppArmor, logging, etc. pp.,
-* it disables all running network services, even if you were previously in the live system.
+In all of these cases the running live system is discarded. The memory contents of the hardened live environment vanish, the 
+firewall disappears, the hardened SSH daemon is terminated, and the hardened kernel is replaced by the installer kernel. The 
+installer brings its own minimal root file system, usually BusyBox plus a limited set of udeb packages, and it does not 
+implement my firewall, my AppArmor profiles, my logging configuration, or my remote access policies, unless I explicitly 
+reintroduce those elements via preseed.
 
-This means function status of the **CISS.2025.debian.live.builder** ISO after d-i start:
-* ufw, iptables, nftables ✘ disabled, not loaded,
-* sshd with hardening ✘ stopped (processes gone),
-* the running kernel ✘ replaced,
-* Logging (rsyslog, journald) ✘ not active,
-* preseed control over the network is possible (but without any protection).
+In that phase the security properties are therefore those of d-i, not those of CISS.debian.live.builder. This is not a defect in
+Debian, it is a property of how any installer that boots its own kernel behaves. It is important to keep this distinction in 
+mind when deciding whether a workflow must stay inside the hardened live context or may trade that environment for the standard 
+installer toolchain.
+
+## 1.6. Versioning Schema
+
+This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
+
+Example: `V8.13.768.2025.12.06`
+
+`x.y.z` represents major (x), minor (y), and patch (z) version increments.
+
+Date (YYYY.MM.DD) denotes the build or release date, facilitating clear tracking of incremental changes and ensuring 
+reproducibility and traceability.
+
+## 1.7. Keywords
+
+The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
+"MAY", and "OPTIONAL" in this Repo are to be interpreted as described in [[BCP 14](https://www.rfc-editor.org/info/bcp14)], 
+[[RFC2119](https://datatracker.ietf.org/doc/html/rfc2119)], [[RFC8174](https://datatracker.ietf.org/doc/html/rfc8174)] when,
+and only when, they appear in all capitals, as shown here.
 
 # 2. Features & Rationale
 
-Below is a breakdown of each hardening component, with a summary of why each is critical to your security posture.
+Below I walk through the major hardening components, with a focus on why I implemented them the way I did and how they interact.
+I treat this builder as a reference implementation for my own infrastructure; **it is not a toy**.
 
 ## 2.1. Kernel Hardening
 
-### 2.1.1. Boot Parameters
+### 2.1.1. Unified Hardened Boot Parameters
 
-* **Description**: Customizes kernel command-line flags to disable unused features and enable mitigations.
-* **Key Parameters**:
-  * `audit_backlog_limit=8192`: Ensures the audit subsystem can queue up to 8192 events to avoid dropped logs under heavy loads.
-  * `audit=1`: Enables kernel auditing from boot to record system calls and security events.
-  * `cfi=kcfi`: Activates kernel control-flow integrity using kCFI to protect against control-flow hijacking.
-  * `debugfs=off`: Disables debugfs to prevent non-privileged access to kernel internals.
-  * `efi=disable_early_pci_dma`: Stops early PCI DMA under EFI to mitigate DMA-based attacks during boot.
-  * `efi_no_storage_paranoia`: Disables extra EFI storage checks to streamline boot without compromising expected storage integrity.
-  * `hardened_usercopy=1`: Enables stringent checks on copy operations between user and kernel space to prevent buffer overflows.
-  * `ia32_emulation=0`: Turns off 32-bit compatibility modes to reduce attack surface on 64-bit hosts.
-  * `init_on_alloc=1`: Zeroes memory on allocation to prevent leakage of previous data.
-  * `init_on_free=1`: Initializes memory on free to catch use-after-free bugs.
-  * `iommu=force`: Enforces IOMMU for all devices to isolate DMA-capable hardware.
-  * `kfence.sample_interval=100`: Configures the kernel fence memory safety tool to sample every 100 allocations.
-  * `kvm.nx_huge_pages=force`: Enforces non-executable huge pages in KVM to mitigate code injection.
-  * `l1d_flush=on`: Flushes L1 data cache on context switch to mitigate L1D vulnerabilities.
-  * `lockdown=confidentiality`: Puts the kernel in confidentiality lockdown to restrict direct hardware access.
-  * `loglevel=0`: Suppresses non-critical kernel messages to reduce information leakage.
-  * `mce=0`: Disables machine check exceptions to prevent side-channel data leaks from hardware error reporting.
-  * `mitigations=auto,nosmt`: Enables all automatic CPU mitigations and disables SMT to reduce side-channel risks.
-  * `mmio_stale_data=full,nosmt`: Ensures stale MMIO data is fully flushed and disables SMT for added protection.
-  * `oops=panic`: Forces a kernel oops to trigger a panic, preventing the system from running in an inconsistent state.
-  * `page_alloc.shuffle=1`: Randomizes physical page allocation to hinder memory layout prediction attacks.
-  * `page_poison=1`: Fills freed pages with a poison pattern to detect use-after-free.
-  * `panic=-1`: Disables automatic reboot on panic to preserve the system state for forensic analysis.
-  * `pti=on`: Enables page table isolation to mitigate Meltdown attacks.
-  * `random.trust_bootloader=off`: Prevents trusting entropy provided by the bootloader.
-  * `random.trust_cpu=off`: Disables trusting CPU-provided randomness, enforcing external entropy sources.
-  * `randomize_kstack_offset=on`: Randomizes the kernel stack offset on each syscall entry to harden against stack probing.
-  * `randomize_va_space=2`: Enables full address space layout randomization (ASLR) for user space.
-  * `retbleed=auto,nosmt`: Enables automatic RETBLEED mitigations and disables SMT for better side-channel resistance.
-  * `rodata=on`: Marks kernel read-only data sections to prevent runtime modification.
-  * `tsx=off`: Disables Intel TSX extensions to eliminate related speculative execution vulnerabilities.
-  * `vdso32=0`: Disables 32-bit vDSO to prevent unintended cross-mode calls.
-  * `vsyscall=none`: Disables legacy vsyscall support to close a potential attack vector.
-* **Rationale**: Ensures early activation of protections, reducing exposure to CPU vulnerabilities before the system fully boots.
+Both the ``CISS.debian.live.builder`` LIVE ISO and the ``CISS.debian.installer`` rely on the same kernel command line. I consider
+a diverging kernel baseline between installer and live system operationally dangerous, because it leads to two distinct sets of 
+expectations about mitigations and attack surface. The boot parameters I apply are:
+
+````bash
+apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off \
+efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 \
+init_on_alloc=1 init_on_free=1 \
+iommu.passthrough=0 iommu.strict=1 iommu=force \
+kfence.sample_interval=100 kvm.nx_huge_pages=force \
+l1d_flush=on lockdown=integrity loglevel=0 \
+mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force \
+oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on \
+random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on \
+retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none
+````
+
+The parameters fall into several categories.
+
+* The AppArmor-related flags ``apparmor=1``, ``security=apparmor`` guarantee that AppArmor is not an afterthought but an integral part of the security architecture from the first instruction. I do not accept a boot sequence that comes up without LSM enforcement and then attempts to enable it later.
+* The audit subsystem is configured to be always on ``audit=1`` and to tolerate heavy bursts without dropping events ``audit_backlog_limit=262144``. I treat the audit trail as an evidentiary artifact; truncation because of backlog limits is not acceptable in that model.
+* The debug surface of the kernel is reduced aggressively. ``debugfs=off`` avoids a traditional footgun that exposes kernel internals in a way that is friendly to attackers and rarely necessary in production.
+* Memory is hardened on several levels at allocation time and at free time. ``init_on_alloc=1`` and ``init_on_free=1`` provide deterministic zeroing, ``page_poison=1`` fills freed pages with a poison pattern, and ``page_alloc.shuffle=1`` shuffles the allocator so that a process can no longer rely on stable physical patterns. Together these measures raise the cost of use-after-free exploitation and other memory corruption attacks.
+* The IOMMU is not optional. I force it on ``iommu=force``, disable passthrough ``iommu.passthrough=0`` and require strict behavior ``iommu.strict=``1. Any environment that contains devices capable of DMA must have a correctly configured IOMMU, otherwise the trust model for the CPU and for the memory hierarchy collapses as soon as a hostile device is introduced.
+* ``kfence.sample_interval=100`` activates KFENCE with a sampling interval that is still usable in production but sensitive enough to catch a meaningful subset of memory safety bugs under real workloads.
+* Virtualization-specific knobs include ``kvm.nx_huge_pages=force``, to keep huge pages non-executable, and ``l1d_flush=on`` so that context switches flush the L1 data cache where needed.
+* ``lockdown=integrity`` places the kernel into lockdown mode with an emphasis on integrity. In this project I consider the integrity of the system more critical than the ability to introspect a running kernel from userspace.
+* Speculative execution and microarchitectural issues are covered by ``mitigations=auto,nosmt``,`` mmio_stale_data=full,force``, and ``retbleed=auto,nosmt``. I combine the automatic mitigation set provided by the kernel with a forced Single Thread mode where it is required because simultaneous multithreading is simply not worth the residual risk profile in many server contexts.
+* ``nosmt=force`` acts as a guardrail here. It prevents a misconfiguration from quietly re-enabling SMT while the system operator assumes it is disabled.
+* Fault handling is configured through ``oops=panic`` and ``panic=0``. An oops triggers a panic so that I do not continue to run a kernel in an undefined state. At the same time I instruct the system not to reboot automatically on panic, to preserve the state for post-mortem analysis rather than cutting the ground away under a debugging session.
+* ``pti=on``, ``rodata=on``, and ``slab_nomerge`` are classical hardening parameters that I still consider essential. Page-table isolation, read-only data segments, and prohibiting slab merging collectively prevent a wide range of exploits, especially under pressure from speculative execution attacks.
+* To avoid brittle side assumptions, I remove legacy or obsolete interfaces: ``vdso32=0`` and ``vsyscall=none`` shut down the remaining vestiges of 32-bit vDSO and vsyscall support on 64-bit systems. ``ia32_emulation=0`` it again narrows the attack surface by disabling full 32-bit compatibility on 64-bit kernels.
+* Finally, I do not trust entropy claims either from the bootloader or the CPU itself. I opt out of both with ``random.trust_bootloader=off`` and ``random.trust_cpu=off`` and rely on my own entropy strategy described later.
+
+All of these parameters are applied in exactly the same way for the live ISO and for the installer environment. That is a 
+deliberate design decision.
 
 ### 2.1.2. CPU Vulnerability Mitigations
 
-* **Description**: Enables all known kernel-level mitigations (Spectre, Meltdown, MDS, L1TF, etc.).
-* **Rationale**: Prevents side-channel attacks that exploit speculative execution, which remain a high-risk vector in
-  multi-tenant cloud environments.
+I build the kernels with the relevant mitigations for Spectre, Meltdown, L1TF, MDS, TAA, Retbleed, and related families activated. 
+The ``mitigations=auto,nosmt`` flag ensures that new mitigations integrated into the mainline kernel become effective as they 
+are added, instead of requiring that I micromanage every single toggle. The residual performance cost is acceptable in the 
+context I am targeting; stale mitigations can be revisited, but missing mitigations will not be.
 
 ### 2.1.3. Kernel Self-Protection
 
-* **Description**: Activates `CONFIG_DEBUG_RODATA`, `CONFIG_STRICT_MODULE_RWX`, and other self-protections.
-* **Rationale**: Hardens kernel memory regions against unauthorized writings and enforces stricter module loading policies.
+I enable the standard set of self-protection options, such as strict module page permissions, read-only data enforcement, and 
+restrictions around kprobes and BPF. The builder is not a kernel configuration tool, but it carries the expectation that the 
+kernels it runs with are compiled according to this hardening profile. I treat deviations from that profile as unsupported.
 
 ### 2.1.4. Local Kernel Hardening
 
-* **Description**: The wrapper `sysp()`provides a function to apply and audit local kernel hardening rules from `/etc/sysctl.d/99_local.hardened`:
+The wrapper `sysp()`provides a function to apply and audit local kernel hardening rules from `/etc/sysctl.d/90-ciss-local.hardened`:
 ````bash
-###########################################################################################
-# Globals: Wrapper for loading CISS.2025 hardened Kernel Parameters
+#######################################
+# Wrapper for loading CISS hardened Kernel Parameters.
 # Arguments:
-#  none
-###########################################################################################
-# shellcheck disable=SC2317
+#   None
+#######################################
 sysp() {
-  sysctl -p /etc/sysctl.d/99_local.hardened
-  # sleep 1
-  sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
+  sysctl -p /etc/sysctl.d/90-ciss-local.hardened
+  # shellcheck disable=SC2312
+  sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
 }
 ````
 * **Key measures loaded by this file include:**
@@ -208,16 +276,36 @@ Once applied, some hardening settings cannot be undone via `sysctl` without a re
 until the next boot. Automatic enforcement at startup is therefore omitted by design—run `sysp()` manually and plan a reboot to 
 apply or revert these controls.
 
+In case you provide the ``--cdi`` option to the installer, the ``sysp()`` function is automatically applied at the boot process via:
+[9999_cdi_starter.sh](scripts/usr/local/sbin/9999_cdi_starter.sh).
+
+For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-ciss-local.hardened.md)**
+
 ## 2.2. Module Blacklisting
 
 * **Description**: Disables and blacklists non-essential or insecure kernel modules.
 * **Rationale**: Minimizes attack surface by preventing loads of drivers or modules not required by the live environment.
 
+For further details see: **[30-ciss-hardening.conf.md](docs/documentation/30-ciss-hardening.conf.md)**
+
 ## 2.3. Network Hardening
 
-* **Description**: Applies `sysctl` settings (e.g., `net.ipv4.conf.all.rp_filter=1`, `arp_ignore`, `arp_announce`) to restrict
-  inbound/outbound traffic behaviors.
-* **Rationale**: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man-in-the-middle on internal networks.
+At the kernel level classical ``sysctl`` settings are applied that defend against spoofing and sloppy network behavior. Reverse path 
+filtering is enabled, ARP handling is pinned down, and loose binding of addresses is discouraged. Where appropriate, IPv6 
+receives the same level of attention as IPv4. The network stack is switched firmly to ``systemd-networkd`` and ``systemd-resolved``. 
+The hook [0000_basic_chroot_setup.chroot](config/hooks/live/0000_basic_chroot_setup.chroot) removes ``ifupdown``, wires up 
+``systemd-networkd`` and ``systemd-resolved`` via explicit WantedBy symlinks, and ensures that the stub resolver at ``127.0.0.53``
+is the canonical ``resolv.conf`` target. The same hook writes dedicated configuration snippets:
+
+``/etc/systemd/resolved.conf.d/10-ciss-dnssec.conf`` enforces opportunistic ``DNS-over-TLS`` and full ``DNSSEC`` validation 
+while disabling ``LLMNR`` and ``MulticastDNS``.
+
+This converges the system on a single, hardened DNS resolution path and avoids the common situation where multiple name 
+resolution mechanisms step on each other. Where desired, this resolution chain can be plugged into **CenturionDNS**, a resolver
+infrastructure that I control and that enforces DNSSEC validation, QNAME minimisation, and a curated blocklist. For sensitive 
+deployments, this stack is used as the default.
+
+For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-ciss-local.hardened.md)**
 
 ## 2.4. Core Dump & Kernel Hardening
 
@@ -248,7 +336,7 @@ apply or revert these controls.
 * **Description**: The SSH tunnel and access are secured through multiple layers of defense:
   * **Firewall Restriction**: ufw allows connections only from defined jump host or VPN exit node IPs.
   * **TCP Wrappers**: `/etc/hosts.allow` and `/etc/hosts.deny` enforce an `ALL: ALL` deny policy, permitting only specified hosts.
-  * **One-Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/centurion-default.conf` immediately bans any host 
+  * **One-Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/ciss-default.conf` immediately bans any host 
     that touches closed ports. 
     * Additionally, the `fail2ban` service is hardened as well according to:
     [Arch Linux Wiki Fail2ban Hardening](https://wiki.archlinux.org/title/fail2ban#Service_hardening) 
@@ -356,53 +444,85 @@ apply or revert these controls.
 set -o errexit   # Exit script when a command exits with non-zero status (same as "set -e").
 set -o errtrace  # Inherit ERR traps in subshells (same as "set -E").
 set -o functrace # Inherit DEBUG and RETURN traps in subshells (same as "set -T").
+set -o ignoreeof # An interactive shell will not exit upon reading EOF.
 set -o nounset   # Exit script on use of an undefined variable (same as "set -u").
 set -o pipefail  # Return the exit status of the last failed command in a pipeline.
 set -o noclobber # Prevent overwriting files via redirection (same as "set -C").
 ```
+
+* The following `shopt` options are applied at the beginning of the script (see
+  [Bash Manual, The Shopt Builtin](https://www.gnu.org/software/bash/manual/bash.html#The-Shopt-Builtin)):
+````bash
+shopt -s failglob        # If set, patterns that fail to match filenames during filename expansion result in an expansion error.
+shopt -s inherit_errexit # If set, command substitution inherits the value of the errexit option instead of unsetting it in the
+                         # subshell environment.
+shopt -s lastpipe        # If set, and job control is not active, the shell runs the last command of a pipeline not executed in
+                         # the background in the current shell environment.
+shopt -u expand_aliases  # If set, aliases are expanded as described. This option is enabled by default for interactive shells.
+shopt -u dotglob         # If set, Bash includes filenames beginning with a '.' in the results of filename expansion.
+shopt -u extglob         # If set, enable the extended pattern matching features.
+shopt -u nullglob        # If set, filename expansion patterns that match no files expand to nothing and are removed.
+````
+
 * **Rationale**: These options enforce strict error checking and handling, reducing silent failures and ensuring 
 predictable script behavior.
 
 # 4. Prerequisites
 
-* **Host**: Debian Bookworm or newer with `live-build` package installed.
-* **Privileges**: Root or sudo access to execute `ciss_live_builder.sh` and related scripts.
-* **Network**: Outbound access to Debian repositories and PTB NTPsec pool.
+To use **``CISS.debian.live.builder``** as intended, the following baseline is expected:<br>
+
+* The build host runs Debian 13 Trixie, fully updated. Building a Trixie image on an older or newer release is technically possible but explicitly not supported.
+* The host has the standard live-build stack installed ``live-build``, ``live-boot``, ``live-config``, ``debootstrap`` and the cryptographic tooling required for ``LUKS2``, ``dm-integrity``, ``cryptsetup``, ``gpg``.
+* Disk space must be sufficient to hold the chroot, the temporary build artifacts, and the final ISO with encrypted root. For comfortable work I assume around 30–40 gigabytes of free space.
+* The user running the builder has root privileges and understands that the script is capable of creating, mounting, and manipulating block devices.
 
 # 5. Installation & Usage
 
-# 5.1. Interactive CLI / Dialog Wrapper
+## 5.1. Interactive CLI / Dialog Wrapper
 
 1. Clone the repository:
-
    ```bash
    git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
    cd CISS.debian.live.builder
    ```
+   
 2. Preparation:
    1. Ensure you are root.
-   2. Create the build directory `mkdir /opt/livebuild`.
-   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
-   4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
+   2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`.
+   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
+   4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
    5. Make any other changes you need to.
+
 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
 
-   ```yaml
+   ````bash
    chmod 0700 ./ciss_live_builder.sh
-   ./ciss_live_builder.sh --architecture amd64 \
-                          --build-directory /opt/livebuild \
+   timestamp=$(date -u +%Y-%m-%dT%H:%M:%S%z)
+   ./ciss_live_builder.sh \
+     --architecture amd64 \
+     --autobuild=6.16.3+deb13-amd64 \
+     --build-directory /opt/cdlb \
+     --cdi \
      --change-splash hexagon \
-                          --control 384 \
+     --control "${timestamp}" \
      --debug \
      --dhcp-centurion \
      --jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \
+     --key_age=keys.txt \
+     --key_luks=luks.txt \
      --provider-netcup-ipv6 [c0de:4711:0815:4242::ffff] \
-                          --renice-priority "-19" \
      --reionice-priority 1 2 \
-                          --root-password-file /opt/gitea/CISS.debian.live.builder/password.txt \
+     --renice-priority "-19" \
+     --root-password-file /dev/shm/cdlb_secrets/password.txt \
+     --signing_key_fpr=98089A472CCF4601CD51D7C7095D36535296EA14B8DE92198723C4DC606E8F76 \
+     --signing_key_pass=signing_key_pass.txt \
+     --signing_key=signing_key.asc \
      --ssh-port 4242 \
-                          --ssh-pubkey /opt/gitea/CISS.debian.live.builder
-   ```
+     --ssh-pubkey /dev/shm/cdlb_secrets \
+     --sshfp \
+     --trixie
+   ````
+
 4. Locate your ISO in the `--build-directory`.
 5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
 6. Type `sysp` for the final kernel hardening features.
@@ -410,7 +530,46 @@ predictable script behavior.
 8. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit.
 9. Type `celp` for some shortcuts.
 
-# 5.2. CI/CD Gitea Runner Workflow Example
+## 5.2. Make Wrapper, Quick Usage
+
+This repo ships a thin make wrapper around ``./ciss_live_builder.sh``, so you can compose a correctly quoted command and either 
+preview it or run it.
+
+1. Clone the repository:
+
+   ```bash
+   git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+   cd CISS.debian.live.builder
+   ```
+
+2. Preparation:
+   1. Ensure you are root.
+   2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`.
+   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
+   4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
+   5. Copy and edit the sample and set your options (no spaces around commas in lists): 
+
+    ````bash
+    cp config.mk.sample config.mk
+    ````
+
+    ````bash
+    BUILD_DIR=/opt/cdlb
+    ROOT_PASSWORD_FILE=/dev/shm/cdlb_secrets/password.txt
+    SSH_PORT=4242
+    SSH_PUBKEY=/dev/shm/cdlb_secrets
+
+    # Optional
+    PROVIDER_NETCUP_IPV6=2001:cdb::1
+    # comma-separated; IPv6 in [] is fine
+    JUMP_HOSTS=[2001:db8::1],[2001:db8::2]     
+    ````
+
+3. Dry-run first (prints the exact command): ````make dry-run````
+
+4. Execute the build: ````make live````
+
+## 5.3. CI/CD Gitea Runner Workflow Example
 
 1. Clone the repository:
 
@@ -431,7 +590,7 @@ predictable script behavior.
 
             ### Private Key
             echo "${{ secrets.CHANGE_ME }}" >| ~/.ssh/id_ed25519
-            chmod 600 ~/.ssh/id_ed25519
+            chmod 0600 ~/.ssh/id_ed25519
   #...
         ### https://github.com/actions/checkout/issues/1843
         - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
@@ -478,13 +637,22 @@ predictable script behavior.
 
 # 6. Licensing & Compliance
 
-This repository is fully SPDX-compliant. All source files include appropriate SPDX license identifiers and headers to ensure
-clear and unambiguous licensing. You can verify compliance by reviewing the top of each file, which follows the SPDX
-standard for license expressions and metadata.
+Unless stated otherwise in individual files via SPDX headers, this project is licensed under the European Union Public License (EUPL 1.2).
+That license is OSI-approved and compatible with internal use in both public sector and private environments. Several files carry
+dual or multi-license statements, for example **``LicenseRef-CNCL-1.1``** and / or **``LicenseRef-CCLA-1.1``**, where I offer a 
+non-commercial license for community use and a commercial license for professional integration. The SPDX headers in each file 
+are authoritative. If you plan to integrate **``CISS.debian.live.builder``** into a commercial product or a managed service 
+offering, you should treat these license markers as binding and reach out for a proper agreement where required.
 
 # 7. Disclaimer
 
-This README is provided "as-is" without any warranty. Review your organization's policies before deploying to production.
+This repository is designed for well-experienced administrators and security professionals who are comfortable with low-level 
+Linux tooling, cryptography, and automation. It can and will create, format, and encrypt devices. It is entirely possible to 
+destroy data if you use it carelessly. I publish this work in good faith and with a strong focus on correctness and robustness. 
+Nevertheless, there is no warranty of any kind. You are responsible for understanding what you are doing, for validating your 
+own threat model, and for ensuring that this tool fits your regulatory and operational environment. If you treat the builder, and 
+the resulting images with the same discipline with which they were created, you will obtain a hardened, reproducible, and 
+auditable base for serious systems. If you treat them casually, they will not save you from yourself.
 
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**

REPOSITORY.md

@@ -0,0 +1,119 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.768.2025.12.06<br>
+
+# 2. Repository Structure
+
+**Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
+**Branch:** `master`  
+**Repository State:** Master Version **8.13**, Build **V8.13.768.2025.12.06** (as of 2025-10-11)
+
+## 3.1. Top-Level Layout
+
+````text
+CISS.debian.live.builder/
+├─ .archive/                                                                           # Archived artefacts or historical assets
+├─ .gitea/ # Gitea CI/CD metadata (workflows, triggers, templates)
+│ ├─ ISSUE_TEMPLATE/
+│ ├─ properties/{json, lua}
+│ ├─ TO DO/{dockerfile, render-md-to-html.yaml}
+│ ├─ trigger/{t_generate_.yaml}
+│ └─ workflows/{generate_.yaml, linter_char_scripts.yaml, render-.yaml}
+├─ .pubkey/                                                                         # Public keys (e.g., for CI or verification)
+├─ config/ # Live-build configuration (boot, hooks, includes, package lists)
+│ ├─ bootloaders/{grub-efi, grub-pc, splash.png}
+│ ├─ hooks/live/.chroot                                                                  # Ordered chroot hooks (0000_* … 99xx_)
+│ ├─ includes.binary/boot/grub/config.cfg
+│ ├─ includes.chroot/{etc, preseed, root}
+│ └─ package-lists/{live.list.amd64.chroot, live.list.arm64.chroot, live.list.common.chroot}
+├─ docs/                                                                  # Project documentation (audits, change log, policies)
+│ ├─ AUDIT_.md, BOOTPARAMS.md, CHANGELOG.md, CODING_CONVENTION.md, ...
+│ ├─ SECURITY/, LICENSES/, graphviz/, screenshots/
+├─ lib/                                                                              # Shell library modules used by the builder
+├─ scripts/ # Helper/orchestration scripts (e.g., network, live-boot)
+├─ var/                                                                     # Variable sets and early/global defaults (*.var.sh)
+├─ .editorconfig
+├─ .gitignore
+├─ .shellcheckrc
+├─ .version.properties
+├─ CISS.debian.live.builder.spdx                                                     # SPDX bill of materials / license manifest
+├─ LICENSE
+├─ SECURITY.md
+├─ README.md
+├─ config.mk.sample
+├─ ciss_live_builder.sh                                                                              # Main entrypoint / wrapper
+├─ makefile
+├─ meta_sources_debug.sh
+├─ LIVE_ISO_TRIXIE_0.private                                                                               # CI artefact markers
+├─ LIVE_ISO_TRIXIE_1.private                                                                               # CI artefact markers
+└─ LIVE_ISO.public                                                                                         # CI artefact markers
+````
+
+> **Note:** The ISO marker files (`LIVE_ISO.*`) are produced by CI workflows for convenient retrieval of generated images.
+
+## 3.2. Directory Semantics
+
+### 3.2.1. `.gitea/` — CI/CD Orchestration
+- **`workflows/`**: Declarative Gitea Actions to lint shell scripts, render Graphviz/DNSSEC status, and generate **PUBLIC**/**PRIVATE (TRIXIE)** ISOs reproducibly.
+- **`trigger/`**: Manual/auxiliary trigger manifests (`t_generate_PUBLIC.yaml`, `t_generate_PRIVATE_trixie_{0,1}.yaml`, `t_generate_dns.yaml`) to drive pipeline variants.
+- **`ISSUE_TEMPLATE/`**: Issue and pull request templates to standardize change management.
+- **`properties/`** and **`TODO/`**: Auxiliary config fragments (JSON/Lua) and maintenance utilities (e.g., `render-md-to-html.yaml`).
+
+### 3.2.2. `config/` — Live-Build Configuration
+- **`bootloaders/`**: Boot assets for GRUB in EFI and PC modes, incl. a branded splash image.
+- **`hooks/live/`**: **Ordered** `*.chroot` hooks implementing system configuration and hardening during image creation; the numeric prefixes dictate execution (e.g., `0000_basic_chroot_setup.chroot`, `0810_chrony_setup.chroot`, `0900_ufw_setup.chroot`, `9930_hardening_ssh.chroot`, `9950_hardening_fail2ban.chroot`).
+- **`includes.binary/boot/grub/`**: Static GRUB configuration embedded in the binary image (`config.cfg`).
+- **`includes.chroot/`**: Files copied into the live system’s root:
+  - `etc/` (APT configuration, `live/`, `modprobe.d/`, network, SSH, `sysctl.d/`, systemd drop-ins, banners),
+  - `preseed/` (installer preseeding and supporting artifacts),
+  - `root/` (administrator dotfiles and keys).
+- **`package-lists/`**: Architecture-specific and common package manifests (`amd64`, `arm64`, `common`) used by `live-build`.
+
+### 3.2.3. `docs/` — Documentation Corpus
+Audit reports (DNSSEC, Lynis, SSH, TLS, Haveged), **BOOTPARAMS**, **CHANGELOG**, **CODING_CONVENTION**, **CONTRIBUTING**, **REFERENCES**; plus `SECURITY/`, `LICENSES/`, architecture diagrams under `graphviz/`, and illustrative `screenshots/`.
+
+### 3.2.4. `lib/` — Shell Library Modules
+Composable, single-purpose modules used by the wrapper and CI steps (argument parsing and validation, kernel/CPU mitigation checks, provider support, `lb config/build` scaffolding, usage/version banners, sanitization and traps, SSH/root-password hardening, ultra-hardening profile, etc.).
+
+### 3.2.5. `scripts/` — Operational Helpers
+Ancillary scripts for DHCP supersedes, resolver bootstrapping, and live-boot verification; targeted paths such as `scripts/etc/network/` and `scripts/live-boot/` encapsulate deploy-time adjustments and integrity checks.
+
+### 3.2.6. `var/` — Variables & Defaults
+Layered variable sets (`early.var.sh`, `global.var.sh`, `bash.var.sh`, `color.var.sh`) providing early-boot defaults, global tuning, and TTY/UI niceties.
+
+## 3.3. Key Files
+
+- **`ciss_live_builder.sh`** — Primary entrypoint; orchestrates argument parsing, environment preparation, `lb config`/`lb build` execution and post-processing.
+- **`makefile`** & **`config.mk.sample`** — Make-based convenience wrapper and a sample configuration surface.
+- **`README.md`, `SECURITY.md`, `LICENSE`, `CISS.debian.live.builder.spdx`** — Project overview, security policy, licensing, and SPDX manifest for compliance.
+- **ISO markers**: `LIVE_ISO.public`, `LIVE_ISO_TRIXIE_{0,1}.private` reflect CI pipeline outputs.
+
+## 3.4. Conventions & Build Logic
+
+- **Hook Ordering**: Numeric prefixes (`0000_…` → `99xx_…`) strictly determine execution sequencing within `config/hooks/live/`. Early hooks establish base state (initramfs modules, checksums), mid-range hooks integrate security services (AppArmor, Chrony/NTPsec, Lynis, UFW, Fail2Ban, SSH auditing), late hooks enforce hardening and cleanup (SSH tightening, memory-dump policies, service disablement).
+- **Binary vs. Chroot Includes**: Assets under `includes.binary/` affect the ISO’s bootloader stage; `includes.chroot/` become part of the runtime filesystem.
+- **Architecture Scoping**: Package lists are split into `*amd64*`, `*arm64*`, and `*common*` to keep images minimal and deterministic.
+- **CI/CD**: Reproducible ISO builds are executed via Gitea workflows; dedicated `trigger/` manifests parameterize public vs. private images and auxiliary rendering jobs (e.g., DNSSEC status, Graphviz diagrams).
+
+## 3.5. Cross-References (Documentation)
+
+- **Boot Parameters**: see `docs/BOOTPARAMS.md`.
+- **Audits**: `docs/AUDIT_*.md` (DNSSEC, Lynis, SSH, TLS, Haveged).
+- **Coding & Contribution**: `docs/CODING_CONVENTION.md`, `docs/CONTRIBUTING.md`.
+- **Change Log & References**: `docs/CHANGELOG.md`, `docs/REFERENCES.md`.
+
+## 3.6. Licensing & Compliance
+
+The repository is **SPDX-compliant**; source files carry SPDX identifiers. See `CISS.debian.live.builder.spdx` and `LICENSE` for details.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

ciss_live_builder.sh

@@ -3,9 +3,9 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -13,179 +13,264 @@
 ### Contributions so far see ./docs/CREDITS.md
 
 ### WHY BASH?
-# Ease of installation.
-# No compiling or installing gems, CPAN modules, pip packages, etc.
-# Simple to use and read. Clear syntax and straightforward output interpretation.
-# Built-in power.
-# Pattern matching, line processing, and regular expression support are available natively,
-# no external binaries required.
-# Cross-platform consistency.
-# '/bin/bash' is the default shell on most Linux distributions, ensuring scripts run unmodified across systems.
-# macOS compatibility.
-# Since macOS Catalina (10.15), the default login shell has been zsh, but bash remains available at '/bin/bash'.
-# Windows support.
-# You can use bash via WSL, MSYS2, or Cygwin on Windows systems.
+# Ease of installation. No compiling or installing gems, CPAN modules, pip packages, etc. Simple to use and read. Clear syntax
+# and straightforward output interpretation. Built-in power. Pattern matching, line processing, and regular expression support
+# are available natively, no external binaries required. Cross-platform consistency. '/bin/bash' is the default shell on most
+# Linux distributions, ensuring scripts run unmodified across systems. macOS compatibility. Since macOS Catalina (10.15), the
+# default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
+# or Cygwin on Windows systems.
 
-### Preliminary checks
+### RESOURCES
+# https://github.com/koalaman/shellcheck
+# https://github.com/mvdan/sh
+# https://google.github.io/styleguide/shellguide.html
+# https://mywiki.wooledge.org/BashGuide
+# https://styles.goatbytes.io/lang/shell/
+# https://www.bashsupport.com/de/
+# https://www.gnu.org/software/bash/manual/
+
+### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES.
+# shellcheck disable=SC2155,SC2249
+declare -agx  ARY_PARAM_ARRAY=("$@")                                     # Arguments passed to script as an array.
+declare -girx VAR_START_TIME="${SECONDS}"                                # Start time of script execution.
+declare -grx  VAR_PARAM_COUNT="$#"                                       # Arguments passed to script.
+declare -grx  VAR_PARAM_STRNG="$*"                                       # Arguments passed to script as string.
+declare -grx  VAR_SETUP_FILE="${0##*/}"                                  # 'ciss_debian_live_builder.sh'
+declare -grx  VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/root/git/CISS.debian.live.builder/ciss_debian_live_builder.sh'
+declare -grx  VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)"          # '/root/git/CISS.debian.live.builder'
+declare -grx  VAR_TMP_SECRET="/dev/shm/cdlb_secrets"                     # Fixed tmpfs path to store securely build artifacts.
+declare -grx  VAR_WORKDIR="$(dirname "${VAR_SETUP_FULL}")"               # '/root/git/CISS.debian.live.builder'
+
+### PRELIMINARY CHECKS.
+### No ash, dash, ksh, sh.
+# shellcheck disable=SC2292
 [ -z "${BASH_VERSINFO[0]}" ] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2; exit "${ERR_UNSPPTBASH}"; }
-[[ ${EUID} -ne 0 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are 'root'! Bye... \e[0m\n" >&2; exit "${ERR_NOT_USER_0}"; }
-[[ $(kill -l | grep -c SIG) -eq 0 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2; exit "${ERR_UNSPPTBASH}"; }
-[[ ${BASH_VERSINFO[0]} -lt 5 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
-[[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
-
-declare -g VAR_HANDLER_AUTOBUILD="false"
-declare -gr VAR_CONTACT="security@coresecret.eu"
-declare -gr VAR_VERSION="Master V8.03.127.2025.06.02"
-
-### VERY EARLY CHECK FOR AUTO-BUILD, CONTACT, USAGE, AND VERSION STRING
-declare arg
-if [[ ${#} -eq 0 ]]; then . ./lib/lib_usage.sh; usage; exit 1; fi
-for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -g VAR_HANDLER_AUTOBUILD=true; declare -g VAR_KERNEL="${arg#*=}";; esac; done
-for arg in "$@"; do case "${arg,,}" in -c|--contact) printf "\e[95mCISS.debian.live.builder Contact: %s\e[0m\n" "${VAR_CONTACT}"; exit 0;; esac; done
-for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh; usage; exit 0;; esac; done
-for arg in "$@"; do case "${arg,,}" in -v|--version) printf "\e[95mCISS.debian.live.builder Version: %s\e[0m\n" "${VAR_VERSION}"; exit 0;; esac; done
-unset arg
-
-### VERY EARLY CHECK FOR XTRACE DEBUGGING
-if [[ $* == *" --debug "* ]]; then
-  . ./lib/lib_debug.sh
-  debugger "${@}"
-else
-  declare -grx VAR_EARLY_DEBUG=false
-fi
-
-### Advisory Lock
-exec 127>/var/lock/ciss_live_builder.lock || {
   . ./var/global.var.sh
+  printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2
+  exit "${ERR_UNSPPTBASH}"
+}
+
+### No zsh.
+[[ -n "${ZSH_VERSION:-}" ]] && {
+  . ./var/global.var.sh
+  printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2
+  exit "${ERR_UNSPPTBASH}"
+}
+
+### Not root.
+[[ ${EUID} -ne 0 ]] && {
+  . ./var/global.var.sh
+  printf "\e[91m❌ Please make sure you are 'root'! Bye... \e[0m\n" >&2
+  exit "${ERR_NOT_USER_0}"
+}
+
+### Check to be not called by sh.
+# shellcheck disable=SC2312
+[[ $(kill -l | grep -c SIG) -eq 0 ]] && {
+  . ./var/global.var.sh
+  printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2
+  exit "${ERR_UNSPPTBASH}"
+}
+
+### Check to be not sourced.
+[[ "${BASH_SOURCE[0]}" != "$0" ]] && {
+  . ./var/global.var.sh
+  printf "\e[91m❌ This script must be executed, not sourced. Please run '%s' directly! Bye... \e[0m\n" "$0" >&2
+  exit "${ERR_UNSPPTBASH}"
+}
+
+### Minimum Bash version 5.
+[[ ${BASH_VERSINFO[0]} -lt 5 ]] && {
+  . ./var/global.var.sh
+  printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2
+  exit "${ERR_UNSPPTBASH}"
+}
+
+### Minimum Bash version 5.1.
+[[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && {
+  . ./var/global.var.sh
+  printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2
+  exit "${ERR_UNSPPTBASH}"
+}
+
+### No arguments.
+[[ ${#} -eq 0 ]] && {
+  . ./lib/lib_usage.sh
+  usage
+  exit 1
+}
+
+### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING().
+. ./var/early.var.sh
+. ./lib/lib_guard_sourcing.sh
+. ./lib/lib_source_guard.sh
+
+### SECURING ENVIRONMENT.
+source_guard "./var/bash.var.sh"
+
+### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG.
+for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh   ; contact; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh     ; usage  ; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh   ; version; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done
+
+### ALL CHECKS DONE. READY TO START THE SCRIPT.
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+declare -grx VAR_SETUP="true"
+
+### SECURING SECRETS ARTIFACTS.
+test ! -L "${VAR_TMP_SECRET}" || {
+  . ./var/global.var.sh
+  printf "\e[91m❌ Refusing symlink: '%s'! Bye... \e[0m\n" "${VAR_TMP_SECRET}" >&2
+  exit "${ERR_SECRETSSYM}"
+}
+find "${VAR_TMP_SECRET}" -type f -exec chmod 0400 {} +
+find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
+
+### SOURCING VARIABLES.
+[[ "${VAR_SETUP}" == true ]] && {
+  source_guard "./var/color.var.sh"
+  source_guard "./var/global.var.sh"
+}
+
+### SOURCING LIBRARIES.
+[[ "${VAR_SETUP}" == true ]] && {
+  source_guard "./lib/lib_arg_parser.sh"
+  source_guard "./lib/lib_arg_priority_check.sh"
+  source_guard "./lib/lib_boot_screen.sh"
+  source_guard "./lib/lib_cdi.sh"
+  source_guard "./lib/lib_change_splash.sh"
+  source_guard "./lib/lib_check_dhcp.sh"
+  source_guard "./lib/lib_check_hooks.sh"
+  source_guard "./lib/lib_check_kernel.sh"
+  source_guard "./lib/lib_check_pkgs.sh"
+  source_guard "./lib/lib_check_provider.sh"
+  source_guard "./lib/lib_check_secrets.sh"
+  source_guard "./lib/lib_check_stats.sh"
+  source_guard "./lib/lib_check_var.sh"
+  source_guard "./lib/lib_ciss_signatures.sh"
+  source_guard "./lib/lib_ciss_upgrades_boot.sh"
+  source_guard "./lib/lib_ciss_upgrades_build.sh"
+  source_guard "./lib/lib_clean_screen.sh"
+  source_guard "./lib/lib_clean_up.sh"
+  source_guard "./lib/lib_copy_integrity.sh"
+  source_guard "./lib/lib_gnupg.sh"
+  source_guard "./lib/lib_hardening_root_pw.sh"
+  source_guard "./lib/lib_hardening_ssh_tcp.sh"
+  source_guard "./lib/lib_hardening_ultra.sh"
+  source_guard "./lib/lib_helper_ip.sh"
+  source_guard "./lib/lib_lb_build_start.sh"
+  source_guard "./lib/lib_lb_config_start.sh"
+  source_guard "./lib/lib_lb_config_write_trixie.sh"
+  source_guard "./lib/lib_note_target.sh"
+  source_guard "./lib/lib_primordial.sh"
+  source_guard "./lib/lib_provider_netcup.sh"
+  source_guard "./lib/lib_run_analysis.sh"
+  source_guard "./lib/lib_sanitizer.sh"
+  source_guard "./lib/lib_trap_on_err.sh"
+  source_guard "./lib/lib_trap_on_exit.sh"
+  source_guard "./lib/lib_update_microcode.sh"
+  source_guard "./lib/lib_usage.sh"
+}
+
+### CHECKING REQUIRED PACKAGES.
+check_pkgs
+
+### ADVISORY LOCK.
+exec 127>/var/lock/ciss_live_builder.lock || {
   printf "\e[91m❌ Cannot open lockfile for writing! Bye... \e[0m\n" >&2
   exit "${ERR_FLOCK_WRTG}"
 }
 
 if ! flock -x -n 127; then
-  . ./var/global.var.sh
   printf "\e[91m❌ Another instance is running! Bye...\e[0m\n" >&2
   exit "${ERR_FLOCK_COLL}"
 fi
 
-### Checking required packages
-. ./lib/lib_check_pkgs.sh
-check_pkgs
+### CHECK FOR AUTOBUILD MODE.
+for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -gx VAR_HANDLER_AUTOBUILD="true"; declare -gx VAR_KERNEL="${arg#*=}";; esac; done; unset arg
+for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *) PATH="${PATH}:${dir}" ;; esac; done; export PATH; unset dir
 
-### Dialog Output for Initialization
-if ! $VAR_HANDLER_AUTOBUILD; then . ./lib/lib_boot_screen.sh && boot_screen; fi
+### DIALOG OUTPUT FOR INITIALIZATION.
+if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen; fi
 
-### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nUpdating variables ... \nXXX\n05\n" >&3; fi
-. ./var/global.var.sh
-. ./var/colors.var.sh
+### Updating Status of Dialog Gauge Bar.
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
 
-### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nEnabling Bash Error Handling ... \nXXX\n15\n" >&3; fi
-### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
-set -o errexit   # Exit script when a command exits with non-zero status, the same as "set -e".
-set -o errtrace  # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
-set -o functrace # Any traps on DEBUG and RETURN are inherited in a subshell environment, the same as "set -T".
-set -o nounset   # Exit script on use of an undefined variable, the same as "set -u".
-set -o pipefail  # Makes pipelines return the exit status of the last command in the pipe that failed.
-set -o noclobber # Prevent overwriting, the same as "set -C".
-
-### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nAdditional initialization ... \nXXX\n25\n" >&3; fi
-### Initialization
-declare -gr ARGUMENTS_COUNT="$#"
-declare -gr ARG_STR_ORG_INPUT="$*"
-#declare -ar ARG_ARY_ORG_INPUT=("$@")
-# shellcheck disable=SC2155
-declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
-# shellcheck disable=SC2155
-declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
-# shellcheck disable=SC2155
-declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
-
-### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSourcing Libraries ... \nXXX\n50\n" >&3; fi
-. ./lib/lib_arg_parser.sh
-. ./lib/lib_arg_priority_check.sh
-. ./lib/lib_cdi.sh
-. ./lib/lib_change_splash.sh
-. ./lib/lib_check_dhcp.sh
-. ./lib/lib_check_hooks.sh
-. ./lib/lib_check_kernel.sh
-. ./lib/lib_check_provider.sh
-. ./lib/lib_check_stats.sh
-. ./lib/lib_check_var.sh
-. ./lib/lib_clean_screen.sh
-. ./lib/lib_clean_up.sh
-. ./lib/lib_copy_integrity.sh
-. ./lib/lib_hardening_root_pw.sh
-. ./lib/lib_hardening_ssh.sh
-. ./lib/lib_hardening_ultra.sh
-. ./lib/lib_helper_ip.sh
-. ./lib/lib_lb_build_start.sh
-. ./lib/lib_lb_config_start.sh
-. ./lib/lib_lb_config_write.sh
-. ./lib/lib_provider_netcup.sh
-. ./lib/lib_run_analysis.sh
-. ./lib/lib_sanitizer.sh
-. ./lib/lib_trap_on_err.sh
-. ./lib/lib_trap_on_exit.sh
-. ./lib/lib_usage.sh
-
-### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nActivate traps ... \nXXX\n55\n" >&3; fi
-### Following the CISS Bash naming and ordering scheme
-trap 'trap_on_exit "$?"' EXIT
+### Updating Status of Dialog Gauge Bar.
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
+### Following the CISS Bash naming and ordering scheme:
+trap 'trap_on_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT
 trap 'trap_on_err  "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
 
-### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSanitizing Arguments ... \nXXX\n70\n" >&3; fi
+### Updating Status of Dialog Gauge Bar.
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
 arg_check "$@"
 declare -ar  ARY_ARG_SANITIZED=("$@")
-declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
+declare -grx VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
 
-### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
+### Updating Status of Dialog Gauge Bar.
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
 arg_parser "$@"
 
-### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
+### Updating Status of Dialog Gauge Bar.
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
 clean_ip
 
-### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
+### Updating Status of Dialog Gauge Bar.
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
 
-if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+### Turn off the dialog wrapper.
+if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
 
-### MAIN Program
+### MAIN Program ---------------------------------------------------------------------------------------------------------------
 arg_priority_check
 check_stats
-if ! $VAR_HANDLER_AUTOBUILD; then check_provider; fi
-if ! $VAR_HANDLER_AUTOBUILD; then check_kernel; fi
-check_hooks
-hardening_ssh
-lb_config_start
-lb_config_write
 
-cd "${VAR_WORKDIR}"
+if ! ${VAR_HANDLER_AUTOBUILD}; then check_provider; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then check_kernel; fi
+
+ciss_upgrades_build
+hardening_ssh_tcp
+
+### Preparing the build environment.
+lb_config_start
+
+### Writing the build configuration.
+lb_config_write_trixie
+
+### Init GNUPGHOME.
+init_gnupg
+
+### Integrate primordial SSH identity files.
+init_primordial
+
+### Integrate the CISS.debian.live.builder repository into the build directory.
+### Modifications from this point onwards must be placed under 'VAR_HANDLER_BUILD_DIR'.
 hardening_ultra
-hardening_root_pw
+
+### CISS.debian.installer 'GRUB' and 'autostart' generator.
+cdi
+
+### Final CISS.debian.live.builder integrations.
 change_splash
 check_dhcp
-cdi
+ciss_signatures
+ciss_upgrades_boot
+hardening_root_pw
+note_target
 provider_netcup
+update_microcode
+x_hooks
+x_remove
 
-### Start the build process
+### Start the build process ----------------------------------------------------------------------------------------------------
 set +o errtrace
 lb_build_start
-
 set -o errtrace
+
 run_analysis
 copy_db
-declare -g VAR_SCRIPT_SUCCESS=true
+declare -grx VAR_SCRIPT_SUCCESS="true"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config.mk.sample

@@ -0,0 +1,21 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-21; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+BUILD_DIR            ?=
+PROVIDER_NETCUP_IPV6 ?=
+ROOT_PASSWORD_FILE   ?=
+SSH_PORT             ?=
+SSH_PUBKEY           ?=
+
+### Comma-separated jump hosts (can be empty):
+JUMP_HOSTS           ?=
+
+# vim: set ft=make noet ts=8 sw=8

config/bootloaders/grub-efi/grub.cfg

@@ -2,9 +2,9 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

config/bootloaders/grub-pc/grub.cfg

@@ -2,9 +2,9 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

config/hooks/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu

config/hooks/live/0000_basic_chroot_setup.chroot

@@ -0,0 +1,290 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+# shellcheck disable=SC2155
+declare -gx VAR_DATE="$(date +%F)"
+
+#######################################
+# Generates '/etc/default/ciss-xdg-profile'
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+generate_ciss_xdg_profile() {
+  cat << EOF >> /etc/default/ciss-xdg-profile
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Default toggles for ciss-xdg-profile
+# 1 = enable, 0 = disable
+
+ENABLE_XDG_BASH_HISTORY=1
+ENABLE_XDG_LESS_HISTORY=1
+ENABLE_XDG_ZSH_HISTORY=1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+  chmod 0644 /etc/default/ciss-xdg-profile
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_ciss_xdg_profile
+
+#######################################
+# Generates '/etc/profile.d/ciss-xdg.sh'
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+generate_ciss_xdg_sh() {
+  cat << EOF >| /etc/profile.d/ciss-xdg.sh
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+EOF
+  cat << 'EOF' >> /etc/profile.d/ciss-xdg.sh
+# shellcheck shell=sh
+
+# This file is sourced by login shells via '/etc/profile'. Keep POSIX sh compatible.
+
+### XDG variables (do not override if already set).
+export XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
+export XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
+export XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
+export XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
+export XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
+export XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
+
+### XDG_RUNTIME_DIR is provided by systemd-logind; do not set a persistent path.
+# shellcheck disable=SC2312
+if [ -z "${XDG_RUNTIME_DIR:-}" ] && [ -d "/run/user/$(id -u)" ]; then
+  # shellcheck disable=SC2155
+  export XDG_RUNTIME_DIR="/run/user/$(id -u)"
+fi
+
+### Create canonical directories idempotently with 0700.
+_xdg_umask="$(umask)"
+umask 077
+[ -d "${XDG_CONFIG_HOME}"     ] || install -d -m 0700 -- "${XDG_CONFIG_HOME}"
+[ -d "${XDG_DATA_HOME}"       ] || install -d -m 0700 -- "${XDG_DATA_HOME}"
+[ -d "${XDG_CACHE_HOME}"      ] || install -d -m 0700 -- "${XDG_CACHE_HOME}"
+[ -d "${XDG_STATE_HOME}"      ] || install -d -m 0700 -- "${XDG_STATE_HOME}"
+umask "${_xdg_umask}"
+unset _xdg_umask
+
+### Optional migrations (controlled via /'etc/default/ciss-xdg-profile').
+[ -f /etc/default/ciss-xdg-profile ] && . /etc/default/ciss-xdg-profile
+
+### Bash history -> XDG_STATE_HOME (only if running bash).
+if [ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ] && [ -n "${BASH_VERSION:-}" ]; then
+  [ -d "${XDG_STATE_HOME}/bash" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/bash"
+  export HISTFILE="${XDG_STATE_HOME}/bash/history"
+fi
+
+### Less history -> XDG_STATE_HOME
+if [ "${ENABLE_XDG_LESS_HISTORY:-1}" = "1" ]; then
+  [ -d "${XDG_STATE_HOME}/less" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/less"
+  export LESSHISTFILE="${XDG_STATE_HOME}/less/history"
+fi
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  chmod 0755 /etc/profile.d/ciss-xdg.sh
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_ciss_xdg_sh
+
+#######################################
+# Generates '/root/ciss_xdg_tmp.sh'
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+generate_ciss_xdg_tmp_sh() {
+  cat << EOF >| /root/ciss_xdg_tmp.sh
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### XDG variables (do not override if already set).
+
+EOF
+  cat << 'EOF' >> /root/ciss_xdg_tmp.sh
+set -a
+
+# shellcheck disable=SC2034
+XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
+# shellcheck disable=SC2034
+XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
+# shellcheck disable=SC2034
+XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
+# shellcheck disable=SC2034
+XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
+# shellcheck disable=SC2034
+XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
+# shellcheck disable=SC2034
+XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
+
+### Optional migrations (controlled via /etc/default/ciss-xdg-profile).
+[[ -f /etc/default/ciss-xdg-profile ]] && . /etc/default/ciss-xdg-profile
+
+### Bash history -> XDG_STATE_HOME (only if running bash).
+if [[ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ]] && [[ -n "${BASH_VERSION:-}" ]]; then
+  HISTFILE="${XDG_STATE_HOME}/bash/history"
+fi
+
+set +a
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+  chmod 0700 /root/ciss_xdg_tmp.sh
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_ciss_xdg_tmp_sh
+
+### Ensuring XDG compliance: https://specifications.freedesktop.org/basedir/latest/ --------------------------------------------
+generate_ciss_xdg_profile
+generate_ciss_xdg_sh
+generate_ciss_xdg_tmp_sh
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+apt-get update -qq
+apt-get install -y --no-install-suggests libpam-systemd
+
+### Installing microcode updates -----------------------------------------------------------------------------------------------
+if [[ -f /root/.architecture ]]; then
+
+  apt-get install -y --no-install-suggests amd64-microcode intel-microcode
+  rm -f /root/.architecture
+
+fi
+
+### Prepare environment --------------------------------------------------------------------------------------------------------
+mkdir -p /root/.ciss/cdlb/{backup,log,private_keys}
+chmod 0700 /root/.ciss/cdlb/{backup,log,private_keys}
+
+mkdir -p /root/git
+chmod 0700 /root/git
+
+mkdir -p /etc/ciss/keys
+chmod 0755 /etc/ciss/keys
+
+### Mask apt show version unit and timer ---------------------------------------------------------------------------------------
+ln -sf /dev/null /etc/systemd/system/apt-show-versions.timer
+ln -sf /dev/null /etc/systemd/system/apt-show-versions.service
+rm -f /etc/cron.daily/apt-show-versions || true
+
+### Remove the original '/usr/lib/live/boot/0030-verify-checksums' -------------------------------------------------------------
+[[ -e /usr/lib/live/boot/0030-verify-checksums ]] && rm -f /usr/lib/live/boot/0030-verify-checksums
+
+### Ensure proper 0755 rights for CISS initramfs scripts  ----------------------------------------------------------------------
+find /usr/lib/live/boot -type f -exec chmod 0755 {} +
+
+[[ -e /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh ]] \
+  && chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
+
+[[ -e /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh ]] \
+  && chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
+
+### Ensure proper systemd directories exist ------------------------------------------------------------------------------------
+mkdir -p /etc/systemd/resolved.conf.d
+mkdir -p /etc/systemd/system
+mkdir -p /etc/systemd/system/multi-user.target.wants
+mkdir -p /etc/systemd/system/sockets.target.wants
+
+### Enable clean systemd-networkd stack ----------------------------------------------------------------------------------------
+apt-get -y purge ifupdown || true
+
+ln -sf /lib/systemd/system/systemd-networkd.service /etc/systemd/system/multi-user.target.wants/systemd-networkd.service
+
+ln -sf /lib/systemd/system/systemd-resolved.service /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
+
+ln -sf /lib/systemd/system/systemd-resolved.socket  /etc/systemd/system/sockets.target.wants/systemd-resolved.socket
+
+cat << EOF >| /etc/systemd/system/ciss-fix-resolvconf.service
+[Unit]
+Description=Force systemd-resolved stub resolv.conf
+After=network-online.target
+Before=apt-daily.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/rm -f /etc/resolv.conf
+ExecStart=/usr/bin/ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+ln -sf /etc/systemd/system/ciss-fix-resolvconf.service /etc/systemd/system/multi-user.target.wants/ciss-fix-resolvconf.service
+
+cat << EOF >| /etc/systemd/resolved.conf.d/10-ciss-dnssec.conf
+[Resolve]
+DNSOverTLS=opportunistic
+DNSSEC=yes
+LLMNR=no
+MulticastDNS=no
+EOF
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0001_initramfs_modules.chroot

@@ -1,27 +1,32 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 #######################################
-# Get all NIC Driver of the current Host-machine
+# Get all NIC drivers of the current Host machine.
+# Globals:
+#   None
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 grep_nic_driver_modules() {
   declare _mods
-  # Gather all Driver and sort unique
+
+  ### Gather all Driver and sort unique.
+  # shellcheck disable=SC2312
   readarray -t _mods < <(
     lspci -k \
       | grep -A2 -i ethernet \
@@ -32,26 +37,37 @@ grep_nic_driver_modules() {
 
   declare nic_module
   declare nic_modules
+
   if [[ "${#_mods[@]}" -eq 1 ]]; then
+
     nic_module="${_mods[0]}"
     echo "${nic_module}"
+
   else
+
     nic_modules="${_mods[*]}"
     echo "${nic_modules}"
+
   fi
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f grep_nic_driver_modules
 
 # shellcheck disable=SC2155
-declare nic_driver="$(grep_nic_driver_modules)"
+declare nic_driver="$(grep_nic_driver_modules)" VAR_DATE="$(date +%F)"
+
 cat << EOF >| /etc/initramfs-tools/modules
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
@@ -67,56 +83,133 @@ cat << EOF >| /etc/initramfs-tools/modules
 # raid1
 # sd_mod
 
-### QEMU Bochs-compatible virtual machine support
-bochs
+### AppArmor -------------------------------------------------------------------------------------------------------------------
+apparmor
 
-### Device-mapper core module (required for all dm_* features)
-dm_mod
-
-### Device-mapper integrity target (provides integrity checking)
-dm-integrity
-
-### Device-mapper crypt target (provides disk encryption)
-dm-crypt
-
-### Generic AES block cipher implementation (used by dm-crypt)
-aes_generic
-
-### Generic SHA-256 hashing algorithm (used by various crypto and integrity targets)
-sha256_generic
-
-### Generic CRC32C checksum implementation (used by btrfs and other filesystems)
-crc32c_generic
-
-### Main btrfs filesystem module
+### btrfs ----------------------------------------------------------------------------------------------------------------------
 btrfs
-
-### Zstandard compression support for btrfs
+lzo
+xor
+xxhash
+zstd
 zstd_compress
 
-### XOR parity implementation for RAID functionality
-xor
+### cryptography ---------------------------------------------------------------------------------------------------------------
+aes_generic
+blake2b_generic
+crc32c_generic
+cryptd
+libcrc32c
+sha256_generic
+sha512_generic
+xts
 
-### RAID6 parity generation module
+### cryptsetup -----------------------------------------------------------------------------------------------------------------
+dm_crypt
+dm_integrity
+dm_mod
+dm_verity
+
+### Entropy --------------------------------------------------------------------------------------------------------------------
+jitterentropy_rng
+rng_core
+
+### ESP/FAT/UEFI ---------------------------------------------------------------------------------------------------------------
+exfat
+fat
+nls_ascii
+nls_cp437
+nls_iso8859-1
+nls_iso8859-15
+nls_utf8
+vfat
+
+### ext4 -----------------------------------------------------------------------------------------------------------------------
+ext4
+jbd2
+libcrc32c
+
+### Live-ISO -------------------------------------------------------------------------------------------------------------------
+loop
+squashfs
+overlay
+
+#### nftables ------------------------------------------------------------------------------------------------------------------
+#nf_log_common  # built-in
+#nft_counter    # built-in
+#nft_icmp       # built-in
+#nft_icmpv6     # built-in
+#nft_meta       # built-in
+#nft_set_hash   # built-in
+#nft_set_rbtree # built-in
+#nft_tcp        # built-in
+#nft_udp        # built-in
+nf_conntrack
+nf_nat
+nf_reject_ipv4
+nf_reject_ipv6
+nf_tables
+nfnetlink
+nfnetlink_log
+nft_ct
+nft_limit
+nft_log
+nft_masq
+nft_nat
+nft_reject_inet
+
+### NVMe -----------------------------------------------------------------------------------------------------------------------
+nvme
+nvme_core
+
+### QEMU -----------------------------------------------------------------------------------------------------------------------
+bochs
+
+### RAID -----------------------------------------------------------------------------------------------------------------------
+raid456
 raid6_pq
 
-### Combined RAID4/5/6 support module
-raid456
+### SCSI/SATA ------------------------------------------------------------------------------------------------------------------
+ahci
+ata_generic
+libahci
+libata
+scsi_dh_alua
+scsi_mod
+sd_mod
+sg
+sr_mod
 
-### Network Driver Host-machine
+### USB ------------------------------------------------------------------------------------------------------------------------
+ehci_pci
+ohci_pci
+uas
+uhci_hcd
+usb_storage
+xhci_hcd
+xhci_pci
+
+### Virtual --------------------------------------------------------------------------------------------------------------------
+virtio_blk
+virtio_console
+virtio_pci
+virtio_rng
+virtio_scsi
+
+### Network Driver Host-machine ------------------------------------------------------------------------------------------------
 "${nic_driver}"
 
 EOF
 
-cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
+cat << EOF >| /etc/initramfs-tools/update-initramfs.conf
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
@@ -131,7 +224,7 @@ cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
 # If set to all update-initramfs will update all initramfs
 # If set to no disables any update to initramfs besides kernel upgrade
 
-update_initramfs=yes
+update_initramfs=all
 
 #
 # backup_initramfs [ yes | no ]
@@ -143,15 +236,15 @@ backup_initramfs=no
 
 EOF
 
-cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
+cat << EOF >| /etc/initramfs-tools/initramfs.conf
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
@@ -207,10 +300,10 @@ COMPRESS=zstd
 # Defaults vary by compressor.
 #
 # Valid values are:
-# 1–9 for gzip|bzip2|lzma|lzop
-# 0–9 for  lz4|xz
-# 0–19 for zstd
-# COMPRESSLEVEL=3
+# 1...9 for gzip|bzip2|lzma|lzop
+# 0...9 for  lz4|xz
+# 0...19 for zstd
+COMPRESSLEVEL=16
 
 #
 # DEVICE: ...
@@ -247,48 +340,12 @@ FSTYPE=auto
 
 EOF
 
-cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
-#!/bin/sh
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-set -e
-
-PREREQ=""
-prereqs() { echo "$PREREQ"; }
-case $1 in
-  prereqs) prereqs; exit 0 ;;
-esac
-
-. /usr/share/initramfs-tools/hook-functions
-
-mkdir -p "${DESTDIR}/bin" "${DESTDIR}/usr/bin" "${DESTDIR}/usr/local/bin"
-
-# Include Bash
-copy_exec /usr/bin/bash /usr/bin
-
-# Include lsblk (block device information tool)
-copy_exec /usr/bin/lsblk /usr/bin
-
-# Include udevadm (udev management tool)
-copy_exec /usr/bin/udevadm /usr/bin
-EOF
-
-chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder
-
-### Regenerate the initramfs for the live system kernel
-update-initramfs -u -k all
+chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh
+chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
+chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
+chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0002_hardening_overlay_tmpfs.chroot

@@ -0,0 +1,63 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+VAR_DATE="$(date +%F)"
+
+cat << EOF >| /etc/systemd/system/ciss-remount-root.service
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[Unit]
+Description=Remount overlay root with nosuid,nodev
+DefaultDependencies=no
+After=local-fs.target
+Before=basic.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/mount -o remount,nosuid,nodev /
+
+[Install]
+WantedBy=sysinit.target
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+mkdir -p /etc/systemd/system/tmp.mount.d
+cat << EOF >| /etc/systemd/system/tmp.mount.d/override.conf
+[Mount]
+Options=mode=1777,strictatime,nosuid,nodev,noexec,size=1%
+EOF
+
+mkdir -p /etc/systemd/system/dev-shm.mount.d
+cat << EOF >| /etc/systemd/system/dev-shm.mount.d/override.conf
+[Mount]
+Options=mode=1777,nosuid,nodev,noexec,size=25%
+EOF
+
+systemctl enable ciss-remount-root.service
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0002_verify_checksums.chroot

@@ -1,144 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
-
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
-
-target="/usr/lib/live/boot/0030-verify-checksums"
-src="$(mktemp)"
-
-if [[ ! -d /usr/lib/live/boot ]]; then
-  mkdir -p /usr/lib/live/boot
-fi
-
-cat << 'EOF' >| "${src}"
-#!/bin/sh
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-### Changed version of https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
-### In case of successful verification of the offered checksums, proceed with booting, else panic.
-
-### Inside 0002_verify_checksums.chroot ###
-
-#######################################
-# Live build ISO with the modified checksum verification script for continuing the boot process.
-# Globals:
-#   LIVE_BOOT_CMDLINE
-#   LIVE_VERIFY_CHECKSUMS
-#   LIVE_VERIFY_CHECKSUMS_DIGESTS
-#   _CHECKSUM
-#   _CHECKSUMS
-#   _DIGEST
-#   _MOUNTPOINT
-#   _PARAMETER
-#   _RETURN
-#   _TTY
-# Arguments:
-#   $1: ${_PARAMETER}
-# Returns:
-#   0 : Successful Verification
-#######################################
-Verify_checksums() {
-  for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
-    case "${_PARAMETER}" in
-      live-boot.verify-checksums=* | verify-checksums=*)
-        LIVE_VERIFY_CHECKSUMS="true"
-        LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
-        ;;
-
-      live-boot.verify-checksums | verify-checksums)
-        LIVE_VERIFY_CHECKSUMS="true"
-        ;;
-    esac
-  done
-
-  case "${LIVE_VERIFY_CHECKSUMS}" in
-    true) ;;
-
-    *)
-      return 0
-      ;;
-  esac
-
-  _MOUNTPOINT="${1}"
-
-  LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
-  _TTY="/dev/tty8"
-
-  log_begin_msg "Verifying checksums"
-
-  # shellcheck disable=SC2164
-  cd "${_MOUNTPOINT}"
-
-  for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
-    # shellcheck disable=SC2060
-    _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
-
-    for _CHECKSUM in ${_CHECKSUMS}; do
-      if [ -e "${_CHECKSUM}" ]; then
-        echo "Found ${_CHECKSUM}..." > "${_TTY}"
-
-        if [ -e "/bin/${_DIGEST}sum" ]; then
-          echo "Checking ${_CHECKSUM}..." > "${_TTY}"
-
-          # Verify checksums
-          grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
-          _RETURN="${?}"
-
-          # Stop after the first verification
-          # break 2
-        else
-          echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}"
-        fi
-      fi
-    done
-  done
-
-  log_end_msg
-
-  case "${_RETURN}" in
-    0)
-      log_success_msg "Verification sha512 sha384 sha256 successful, continuing booting in 10 seconds."
-      sleep 10
-      return 0
-      ;;
-
-    *)
-      panic "Verification failed, $(basename ${_TTY}) for more information."
-      ;;
-  esac
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
-EOF
-
-# Copy and make executable
-install -Dm755 "${src}" "${target}"
-
-rm -f "${src}"
-
-unset target src
-
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
-
-exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0003_cdi_autostart.chroot

@@ -0,0 +1,54 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+if [[ -f /root/.cdi ]]; then
+
+  cat << EOF >| /etc/systemd/system/cdi-starter.service
+[Unit]
+Description=CISS CDI post-boot starter
+Documentation=https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+ConditionFileIsExecutable=/usr/local/sbin/9999_cdi_starter.sh
+After=live-config.service systemd-user-sessions.service getty.target
+After=network-online.target NetworkManager-wait-online.service
+Wants=network-online.target
+
+[Service]
+Type=simple
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/9999_cdi_starter.sh
+TimeoutStartSec=0
+Nice=5
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
+Environment=LANG=C.UTF-8
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+  chmod 0644 /etc/systemd/system/cdi-starter.service
+
+  systemctl enable cdi-starter.service
+
+  rm -f /root/.cdi
+
+fi
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0007_update_logrotate.chroot

@@ -0,0 +1,78 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+
+rm -f         "/etc/logrotate.conf"
+cat << EOF >| "/etc/logrotate.conf"
+# See "man logrotate" for details. Global options do not affect preceding include directives.
+
+# Rotate log files daily
+daily
+
+# Keep 90 daily worth of backlogs.
+rotate 90
+
+# Hard cap: delete rotated logs older than 90 days.
+maxage 90
+
+# Do not rotate the log if it is empty (this overrides the ifempty option).
+notifempty
+
+# Create new (empty) log files after rotating old ones.
+create
+
+# Use date as a suffix of the rotated file.
+dateext
+
+# Use yesterday's instead of today's date to create the dateext extension, so that the rotated log file has a date in its name
+# that is the same as the timestamps within it.
+dateyesterday
+
+# Enable compression
+compress
+
+# Use zstd instead of gzip.
+compresscmd /usr/bin/zstd
+
+# File extension for compressed logs.
+compressext .zst
+
+# Set zstd level 3 (default).
+compressoptions -20
+
+# How to decompress for 'logrotate -d' or similar.
+uncompresscmd /usr/bin/unzstd
+
+# Keep the most recent rotation uncompressed for one cycle.
+delaycompress
+
+# Delete log files using shred -u instead of unlink().
+shred
+
+# packages drop log rotation information into this directory
+include /etc/logrotate.d
+
+# system-specific logs may also be configured here.
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0010_install_apparmor.chroot

@@ -0,0 +1,36 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+apt-get install -y --no-install-recommends apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra
+
+install -d /etc/systemd/system/apparmor.service.d
+cat << EOF >| /etc/systemd/system/apparmor.service.d/10-live-force.conf
+[Unit]
+### Drop any negative live conditions that would skip AppArmor on overlay.
+ConditionPathExists=
+
+### Ensure we only rely on the security=apparmor condition.
+ConditionSecurity=apparmor
+EOF
+
+install -d -m 0755 /var/cache/apparmor
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0020_dropbear_build.chroot

@@ -0,0 +1,81 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+
+### Declare Arrays, HashMaps, and Variables.
+declare var_dropbear_version="2025.88"
+declare var_tar="/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
+declare var_build_dir="/root/build/dropbear-${var_dropbear_version}"
+declare var_logfile="/root/.ciss/cdlb/log/0020_dropbear_build.log"
+
+mkdir -p "/root/build"
+cp "${var_tar}" "/root/build"
+tar xjf "/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2" -C "/root/build"
+cp "/root/dropbear/localoptions.h" "${var_build_dir}"
+cd "${var_build_dir}"
+
+### Flag Purpose:
+#  -fPIE              : Generate position-independent executable code
+#  -pie               : Link the executable as PIE (so that ASLR works)
+#  -static            : Fully statically linked against musl
+#  -s                 : Strip unnecessary symbols directly during linking
+#  -Wl,-z,relro,-z,now: Enables full RELRO (symbol resolution at program startup)
+
+# shellcheck disable=SC2016,SC2312
+if ! setsid bash -c '
+    ### Sterile environment for the build-process.
+
+    export -n SHELLOPTS || true
+
+    set +u
+
+    unset PATH_SEPARATOR
+    PATH_SEPARATOR=":"
+    PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+    if ! command -v musl-gcc >/dev/null 2>&1; then
+      echo "ERROR: musl-gcc not found. Install musl-tools in chroot." >&2
+      exit 1
+    fi
+
+    CC=musl-gcc \
+      CFLAGS="-Os -fPIE -Wno-undef -fstack-protector-strong -D_FORTIFY_SOURCE=2" \
+      LDFLAGS="-static -pie -s -Wl,-z,relro,-z,now" \
+      ./configure \
+      --enable-static \
+      --enable-openpty \
+      --disable-pam \
+      --disable-zlib
+
+    # shellcheck disable=2312
+    make -j"$(nproc)"
+  ' >| "${var_logfile}" 2>&1
+then
+
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Dropbear build failed. See [%s] \e[0m\n" "${var_logfile}" >&2
+  tail -n 42 "${var_logfile}" >&2 || true
+  exit 42
+
+fi
+
+  rm -rf /root/dropbear
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0021_dropbear_initramfs.chroot

@@ -0,0 +1,132 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+### Declare Arrays, HashMaps, and Variables.
+declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+
+apt-get install -y --no-install-recommends --no-install-suggests cryptsetup-initramfs dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"
+apt-get purge -y dropbear 2>&1 | tee -a "${var_logfile}" || true
+apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a "${var_logfile}"
+apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a "${var_logfile}"
+
+mkdir -p /root/.ciss/cdlb/backup/usr/share/initramfs-tools/scripts/init-premount
+mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /root/.ciss/cdlb/backup/usr/share/initramfs-tools/scripts/init-premount/dropbear.trixie
+install -m 0755 -o root -g root /root/dropbear.file /usr/share/initramfs-tools/scripts/init-premount/dropbear
+rm -f /root/dropbear.file
+
+mkdir -p /root/.ciss/cdlb/backup/usr/sbin
+mv /usr/sbin/dropbear /root/.ciss/cdlb/backup/usr/sbin/dropbear.trixie
+install -m 0755 -o root -g root /root/build/dropbear-2025.88/dropbear /usr/sbin/
+
+mkdir -p /root/.ciss/cdlb/backup/usr/bin
+for var_file in dbclient dropbearconvert dropbearkey; do
+
+  mv "/usr/bin/${var_file}" "/root/.ciss/cdlb/backup/usr/bin/${var_file}.trixie"
+  install -m 0755 -o root -g root "/root/build/dropbear-2025.88/${var_file}" /usr/bin/
+
+done
+
+mkdir -p /etc/initramfs-tools/scripts/init-bottom
+
+cat << 'EOF' >| /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+PREREQ=""
+prereqs() { echo "${PREREQ}"; }
+# shellcheck disable=SC2249
+case "${1}" in
+  prereqs) prereqs; exit 0 ;;
+esac
+
+### Stop dropbear shipped in the initramfs after root pivot.
+[ -x /bin/pidof ] || exit 0
+
+P=$(/bin/pidof dropbear 2>/dev/null) || true
+
+[ -n "${P}" ] || exit 0
+
+/bin/kill -TERM "${P}" 2>/dev/null || true
+/bin/sleep 1
+
+/bin/kill -KILL "${P}" 2>/dev/null || true
+exit 0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+chmod 0755 /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill
+
+cat << EOF >| /etc/apt/preferences.d/99-mask-dropbear
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Never install the dropbear daemon package at all.
+
+Package: dropbear
+Pin: release *
+Pin-Priority: -1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+cat << EOF >| /etc/apt/preferences.d/99-mask-dropbear-initramfs
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Keep the currently installed initramfs integration; never upgrade it.
+
+Package: dropbear-initramfs
+Pin: release *
+Pin-Priority: -1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+systemctl mask dropbear.service dropbear.socket
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0022_dropbear_setup.chroot

@@ -0,0 +1,160 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+
+#######################################
+# Set up the 'dropbear-initramfs' environment.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+dropbear_setup() {
+  ### Declare Arrays, HashMaps, and Variables.
+  # shellcheck disable=SC2155
+  declare user_root_sshpubkey="$(< /root/.ssh/authorized_keys)"
+  declare var_force_command_string='command="/usr/local/bin/unlock_wrapper.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding '
+
+  ### Prepare strong dropbear host keys.
+  rm -f /etc/dropbear/initramfs/dropbear*key*
+
+  if [[ -d /root/ssh ]]; then
+
+    dropbearconvert openssh dropbear /root/ssh/ssh_host_ed25519_key        /etc/dropbear/initramfs/dropbear_ed25519_host_key
+    dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key >| /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub
+
+    if [[ -f /root/ssh/ssh_host_rsa_key ]]; then
+
+      dropbearconvert openssh dropbear /root/ssh/ssh_host_rsa_key          /etc/dropbear/initramfs/dropbear_rsa_host_key
+      dropbearkey -y -f /etc/dropbear/initramfs/dropbear_rsa_host_key   >| /etc/dropbear/initramfs/dropbear_rsa_host_key.pub
+
+    fi
+
+  else
+
+    # shellcheck disable=SC2312
+    /usr/bin/dropbearkey -t ed25519     -f /etc/dropbear/initramfs/dropbear_ed25519_host_key -C "root@live-$(date -I)"
+
+    # shellcheck disable=SC2312
+    /usr/bin/dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key     -C "root@live-$(date -I)"
+
+  fi
+
+  chmod 0600 /etc/dropbear/initramfs/dropbear_ed25519_host_key
+  chmod 0644 /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub
+
+  ### Prepare dropbear authorized_keys.
+  printf "%s\n" "${var_force_command_string}${user_root_sshpubkey}" >| /etc/dropbear/initramfs/authorized_keys
+  chmod 0600 /etc/dropbear/initramfs/authorized_keys
+  install -m 0644 -o root -g root /etc/banner /etc/dropbear/initramfs/banner
+
+  ### "IP=<HOST IP>::<GATEWAY IP>:<SUBNET MASK>:<FQDN>:<NIC>:none:<DNS 0 IP>:<DNS 1 IP>:<NTP IP>"
+  ### "IP=:::::<NIC>:dhcp"
+  printf "IP=::::::dhcp\n" >| /etc/initramfs-tools/conf.d/ip
+
+  ### Generate dropbear configuration file.
+  write_dropbear_conf
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f dropbear_setup
+
+#######################################
+# Write '/etc/dropbear/initramfs/dropbear.conf'.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+write_dropbear_conf() {
+  # shellcheck disable=SC2155
+  declare sshport="$(< /root/sshport)"
+  rm -f /root/sshport
+
+  [[ -z "${sshport:-}" ]] && sshport="2222"
+
+  ### CISS internal
+  [[ "${sshport}" == "42137" ]] && sshport="44137"
+
+  cat << EOF >| /etc/dropbear/initramfs/dropbear.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Configuration options for the dropbear-initramfs boot scripts.
+# Variable assignment follow shell semantics and escaping/quoting rules.
+# You must run update-initramfs(8) to effect changes to this file (like
+# for other files in the '/etc/dropbear/initramfs' directory).
+
+# Command line options to pass to dropbear(8).
+# Dropbear options for 2025+:
+# -b: Display the contents of bannerfile before user login
+# -E: Log to stderr
+# -I: Idle timeout in seconds
+# -K: Keepalive interval in seconds
+# -p: Specify port (and optionally address)
+# -w: Disable root login (SHOULD NOT be implemented for initramfs)
+DROPBEAR_OPTIONS="-b /etc/dropbear/banner -E -I 300 -K 60 -p ${sshport}"
+
+# On local (non-NFS) mounts, interfaces matching this pattern are
+# brought down before exiting the ramdisk to avoid dirty network
+# configuration in the normal kernel.
+# The special value 'none' keeps all interfaces up and preserves routing
+# tables and addresses.
+#IFDOWN="*"
+
+# On local (non-NFS) mounts, the network stack and dropbear are started
+# asynchronously at init-premount stage.  This value specifies the
+# maximum number of seconds to wait (while the network/dropbear are
+# being configured) at init-bottom stage before terminating dropbear and
+# bringing the network down.
+# If the timeout is too short, and if the boot process is not blocking
+# on user input supplied via SSHd (ie no remote unlocking), then the
+# initrd might pivot to init(1) too early, thereby causing a race
+# condition between network configuration from initramfs vs from the
+# normal system.
+#DROPBEAR_SHUTDOWN_TIMEOUT=60
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f write_dropbear_conf
+
+dropbear_setup
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0040_ssh_config_setup.chroot

@@ -0,0 +1,44 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+cat << EOF >> /etc/ssh/ssh_config.d/10-sshfp.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+Host git.coresecret.dev
+    Port                    42842
+    VerifyHostKeyDNS        yes
+    StrictHostKeyChecking   yes
+    GlobalKnownHostsFile    /etc/ssh/ssh_known_hosts
+    UserKnownHostsFile      /dev/null
+    HostKeyAlgorithms       ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+    CanonicalizeHostname    no
+    UpdateHostKeys          no
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0050_activate_root.chroot

@@ -1,32 +1,32 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 if [[ ! -f /root/.pwd ]]; then
+
   printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ /root/.pwd NOT found. \e[0m\n"
-  # sleep 1
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Exiting Hook ... \e[0m\n"
-  # sleep 1
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' done. Nothing changed. \e[0m\n" "${0}"
   exit 0
+
 fi
 
 cd /root
 
-cp /etc/shadow /root/.ciss/dlb/backup/shadow.bak."$(date +%F_%T)"
-chmod 600 /root/.ciss/dlb/backup/shadow.bak.*
+# shellcheck disable=SC2312
+cp /etc/shadow /root/.ciss/cdlb/backup/shadow.bak."$(date +%F_%T)"
+chmod 0600 /root/.ciss/cdlb/backup/shadow.bak.*
 
 declare hashed_pwd
 declare safe_hashed_pwd
@@ -37,17 +37,17 @@ sed -i "s|^root:[^:]*:\(.*\)|root:${safe_hashed_pwd}:\1|" /etc/shadow
 sed -i "s|^user:[^:]*:\(.*\)|user:${safe_hashed_pwd}:\1|" /etc/shadow
 unset hashed_pwd safe_hashed_pwd
 
-cat /etc/shadow
-# sleep 1
+if shred -fzu -n 5 /root/.pwd; then
+
+  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n"
 
-if shred -vfzu -n 5 /root/.pwd; then
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: -vfzu -n 5 >> done. \e[0m\n"
 else
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: -vfzu -n 5 >> NOT successful. \e[0m\n" >&2
+
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: shred -fzu -n 5 >> NOT successful. \e[0m\n" >&2
+
 fi
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0080_keyboard_layout.chroot

@@ -1,18 +1,17 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 cat << 'EOF' >| /etc/default/keyboard
 XKBMODEL="pc105"
@@ -22,10 +21,12 @@ XKBOPTIONS=""
 BACKSPACE="guess"
 EOF
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 dpkg-reconfigure -f noninteractive keyboard-configuration
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0090_haveged.chroot

@@ -1,42 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
-
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
-
-apt-get update -y
-apt-get install --no-install-recommends haveged -y
-
-cd /root
-cat << 'EOF' >| /etc/default/haveged
-# Configuration file for haveged
-
-# Options to pass to haveged:
-DAEMON_ARGS="-w 2048 -v 1"
-EOF
-
-#mkdir -p /etc/systemd/system/haveged.service.d
-#cat << 'EOF' >| /etc/systemd/system/haveged.service.d/override.conf
-#[Service]
-#NoNewPrivileges=yes
-#ReadWritePaths=/dev/random /dev/urandom
-#AmbientCapabilities=
-#User=haveged
-#Group=nogroup
-#EOF
-
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
-
-exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0090_jitterentropy.chroot

@@ -0,0 +1,34 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+apt-get install -y --no-install-recommends jitterentropy-rngd
+
+cd /root
+
+mkdir -p /etc/systemd/system/jitterentropy-rngd.service.d
+
+cat << 'EOF' >> /etc/systemd/system/jitterentropy-rngd.service.d/override.conf
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/jitterentropy-rngd --osr=2
+EOF
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0120_set_hostname.chroot

@@ -1,21 +1,20 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
-mv /etc/hostname /root/.ciss/dlb/backup/hostname.bak
-mv /etc/mailname /root/.ciss/dlb/backup/mailname.bak
+mv /etc/hostname /root/.ciss/cdlb/backup/hostname.bak
+mv /etc/mailname /root/.ciss/cdlb/backup/mailname.bak
 
 cat << 'EOF' >| /etc/hostname
 live.local
@@ -28,7 +27,6 @@ localhost.local
 EOF
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0130_machineid.chroot

@@ -1,18 +1,17 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 cd /root
 if [[ -f /var/lib/dbus/machine-id ]]; then
@@ -22,7 +21,7 @@ fi
 cat << 'EOF' >| /var/lib/dbus/machine-id
 b08dfa6083e7567a1921a715000001fb
 EOF
-chmod 644 /var/lib/dbus/machine-id
+chmod 0644 /var/lib/dbus/machine-id
 
 if [[ -f /etc/machine-id ]]; then
   rm /etc/machine-id
@@ -34,7 +33,6 @@ EOF
 chmod 644 /etc/machine-id
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0400_eza_install.chroot

@@ -1,18 +1,17 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 cd /root
 
@@ -24,7 +23,10 @@ wget -qO- https://raw.githubusercontent.com/eza-community/eza/main/deb.asc | gpg
 echo "deb [signed-by=/etc/apt/keyrings/gierens.gpg] http://deb.gierens.de stable main" | tee /etc/apt/sources.list.d/gierens.list
 chmod 644 /etc/apt/keyrings/gierens.gpg /etc/apt/sources.list.d/gierens.list
 
-apt-get update -y
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+apt-get update -qq
 apt-get install -y eza
 
 git clone https://github.com/eza-community/eza-themes.git
@@ -133,14 +135,6 @@ symlink_path: {foreground: Cyan}
 control_char: {foreground: Red}
 broken_symlink: {foreground: Red}
 broken_path_overlay: {foreground: Default, is_underlined: true}
-
-filenames:
-  # Custom filename-based overrides
-  # Cargo.toml: {icon: {glyph: 🦀}}
-
-extensions:
-  # Custom extension-based overrides
-  # rs: {filename: {foreground: Red}, icon: {glyph: 🦀}}
 EOF
 
 chmod 0644 "/root/eza-themes/themes/centurion.yml"
@@ -153,10 +147,7 @@ unzip /tmp/nerd/Hack.zip -d /root/.local/share/fonts
 fc-cache -fv
 rm -rf /tmp/nerd
 
-unset repo latest_release download_url
-
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0800_lynis_setup.chroot

@@ -1,28 +1,469 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
 echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list
 
-apt-get update -y
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+apt-get update -qq
 apt-get install -y lynis
 lynis show version
 
+cat << EOF_LYNIS >| /etc/lynis/default.prf
+#################################################################################
+#
+#
+# Lynis - Default scan profile
+#
+#
+#################################################################################
+#
+#
+# This profile provides Lynis with most of its initial values to perform a
+# system audit.
+#
+#
+# WARNINGS
+# ----------
+#
+# Do NOT make changes to this file. Instead, copy only your changes into
+# the file custom.prf and put it in the same directory as default.prf
+#
+# To discover where your profiles are located: lynis show profiles
+#
+#
+# Lynis performs a strict check on profiles to avoid the inclusion of
+# possibly harmful injections. See include/profiles for details.
+#
+#
+#################################################################################
+#
+# All empty lines or with the # prefix will be skipped
+#
+#################################################################################
+
+# Use colored output
+colors=yes
+
+# Compressed uploads (set to zero when errors with uploading occur)
+compressed-uploads=yes
+
+# Amount of connections in WAIT state before reporting it as a suggestion
+#connections-max-wait-state=5000
+
+# Debug mode (for debugging purposes, extra data logged to screen)
+#debug=yes
+
+# Show non-zero exit code when warnings are found
+error-on-warnings=no
+
+# Use Lynis in your own language (by default auto-detected)
+language=
+
+# Log tests from another guest operating system (default: yes)
+#log-tests-incorrect-os=yes
+
+# Define if available NTP daemon is configured as a server or client on the network
+# values: server or client (default: client)
+#ntpd-role=client
+
+# Defines the role of the system (personal, workstation or server)
+machine-role=server
+
+# Ignore some stratum 16 hosts (for example when running as time source itself)
+#ntp-ignore-stratum-16-peer=127.0.0.1
+
+# Profile name, will be used as title/description
+profile-name=Default Audit Template
+
+# Number of seconds to pause between every test (0 is no pause)
+pause-between-tests=0
+
+# Quick mode (do not wait for keypresses)
+quick=yes
+
+# Refresh software repositories to help detecting vulnerable packages
+refresh-repositories=yes
+
+# Show solution for findings
+show-report-solution=yes
+
+# Show inline tips about the tool
+show-tool-tips=yes
+
+# Skip plugins
+skip-plugins=no
+
+# Skip a test (one per line)
+#skip-test=SSH-7408
+skip-test=KRNL-5788
+skip-test=KRNL-5830
+skip-test=AUTH-9229
+
+# Skip a particular option within a test (when applicable)
+#skip-test=SSH-7408:loglevel
+#skip-test=SSH-7408:permitrootlogin
+
+# Skip Lynis upgrade availability test (default: no)
+#skip-upgrade-test=yes
+
+# Locations where to search for SSL certificates (separate paths with a colon)
+ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/refind.d/keys:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www
+ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive:
+ssl-certificate-include-packages=no
+
+# Scan type - how deep the audit should be (light, normal or full)
+test-scan-mode=full
+
+# Verbose output
+verbose=no
+
+
+#################################################################################
+#
+# Plugins
+# ---------------
+# Define which plugins are enabled
+#
+# Notes:
+# - Nothing happens if plugin isn't available
+# - There is no order in execution of plugins
+# - See documentation about how to use plugins and phases
+# - Some are for Lynis Enterprise users only
+#
+#################################################################################
+
+# Lynis plugins to enable
+plugin=authentication
+plugin=compliance
+plugin=configuration
+plugin=control-panels
+plugin=crypto
+plugin=dns
+plugin=docker
+plugin=file-integrity
+plugin=file-systems
+plugin=firewalls
+plugin=forensics
+plugin=hardware
+plugin=intrusion-detection
+plugin=intrusion-prevention
+plugin=kernel
+plugin=malware
+plugin=memory
+plugin=nginx
+plugin=pam
+plugin=processes
+plugin=security-modules
+plugin=software
+plugin=system-integrity
+plugin=systemd
+plugin=users
+plugin=krb5
+
+# Disable a particular plugin (will overrule an enabled plugin)
+#disable-plugin=authentication
+
+#################################################################################
+#
+# Kernel options
+# ---------------
+# config-data=, followed by:
+#
+# - Type                     = Set to 'sysctl'
+# - Setting                  = value of sysctl key (e.g. kernel.sysrq)
+# - Expected value           = Preferred value for key (e.g. 0)
+# - Hardening Points         = Number of hardening points (typically 1 point per key) (1)
+# - Description              = Textual description about the sysctl key(Disable magic SysRQ)
+# - Related file or command  = For example, sysctl -a to retrieve more details
+# - Solution field           = Specifies more details or where to find them (url:URL, text:TEXT, or -)
+#
+#################################################################################
+
+# Config
+# - Type (sysctl)
+# - Setting (kernel.sysrq)
+# - Expected value (0)
+# - Hardening Points (1)
+# - Description (Disable magic SysRQ)
+# - Related file or command (sysctl -a)
+# - Solution field (url:URL, text:TEXT, or -)
+
+# Processes
+config-data=sysctl;security.bsd.see_other_gids;0;1;Groups only see their own processes;sysctl -a;-;category:security;
+config-data=sysctl;security.bsd.see_other_uids;0;1;Users only see their own processes;sysctl -a;-;category:security;
+config-data=sysctl;security.bsd.stack_guard_page;1;1;Enable stack smashing protection (SSP)/ProPolice to defend against possible buffer overflows;-;category:security;
+config-data=sysctl;security.bsd.unprivileged_proc_debug;0;1;Unprivileged processes can not use process debugging;sysctl -a;-;category:security;
+config-data=sysctl;security.bsd.unprivileged_read_msgbuf;0;1;Unprivileged processes can not read the kernel message buffer;sysctl -a;-;category:security;
+
+# Kernel
+config-data=sysctl;fs.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
+config-data=sysctl;fs.protected_fifos;2;1;Restrict FIFO special device creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
+config-data=sysctl;fs.protected_hardlinks;1;1;Restrict hardlink creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
+config-data=sysctl;fs.protected_regular;2;1;Restrict regular files creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
+config-data=sysctl;fs.protected_symlinks;1;1;Restrict symlink following behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
+#config-data=sysctl;kern.randompid=2345;Randomize PID numbers with a specific modulus;sysctl -a;-;category:security;
+config-data=sysctl;kern.sugid_coredump;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.core_setuid_ok;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.core_uses_pid;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.ctrl-alt-del;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.dmesg_restrict;1;1;Restrict use of dmesg;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.exec-shield-randomize;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.exec-shield;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.maps_protect;1;1;Restrict access to /proc/[pid]/maps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.modules_disabled;1;1;Restrict module loading once this sysctl value is loaded;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.perf_event_paranoid;2|3|4;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.randomize_va_space;2;1;Randomize of memory address locations (ASLR);sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.unprivileged_bpf_disabled;1;1;Restrict BPF for unprivileged users;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.use-nx;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.yama.ptrace_scope;1|2|3;1;Disable process tracing for everyone;-;category:security;
+
+# Network
+config-data=sysctl;net.core.bpf_jit_harden;2;1;Hardened BPF JIT compilation;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;net.inet.ip.linklocal.in.allowbadttl;0;
+config-data=sysctl;net.inet.tcp.always_keepalive;0;1;Disable TCP keep alive detection for dead peers as the keepalive can be spoofed;-;category:security;
+#config-data=sysctl;net.inet.tcp.fast_finwait2_recycle;1;1;Recycle FIN/WAIT states more quickly (DoS mitigation step, with risk of false RST);-;category:security;
+config-data=sysctl;net.inet.tcp.nolocaltimewait;1;1;Remove the TIME_WAIT state for loopback interface;-;category:security;
+config-data=sysctl;net.inet.tcp.path_mtu_discovery;0;1;Disable MTU discovery as many hosts drop the ICMP type 3 packets;-;category:security;
+config-data=sysctl;net.inet.icmp.bmcastecho;0;1;Ignore ICMP packets directed to broadcast address;-;category:security;
+config-data=sysctl;net.inet.tcp.icmp_may_rst;0;1;ICMP may not send RST to avoid spoofed ICMP/UDP floods;-;category:security;
+config-data=sysctl;net.inet.icmp.drop_redirect;1;1;Do not allow redirected ICMP packets;-;category:security;
+config-data=sysctl;net.inet.icmp.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security;
+config-data=sysctl;net.inet.icmp.timestamp;0;1;Disable timestamps;-;category:security;
+config-data=sysctl;net.inet.ip.accept_sourceroute;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.inet.ip.check_interface;1;1;Verify that a packet arrived on the right interface;-;category:security;
+config-data=sysctl;net.inet.ip.forwarding;0;1;Do not allow forwarding of traffic;-;category:security;
+config-data=sysctl;net.inet.ip.process_options;0;1;Ignore any IP options in the incoming packets;-;category:security;
+config-data=sysctl;net.inet.ip.random_id;1;1;Use a random IP id to each packet leaving the system;-;category:security;
+config-data=sysctl;net.inet.ip.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.inet.ip.sourceroute;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.inet.ip6.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.inet.tcp.blackhole;2;1;Do not sent RST but drop traffic when delivered to closed TCP port;-;category:security;
+config-data=sysctl;net.inet.tcp.drop_synfin;1;1;SYN/FIN packets will be dropped on initial connection;-;category:security;
+config-data=sysctl;net.inet.udp.blackhole;1;1;Do not sent RST but drop traffic when delivered to closed UDP port;-;category:security;
+config-data=sysctl;net.inet6.icmp6.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security;
+config-data=sysctl;net.inet6.ip6.forwarding;0;1;Do not allow forwarding of traffic;-;category:security;
+config-data=sysctl;net.inet6.ip6.fw.enable;1;1;Enable filtering;-;category:security;
+config-data=sysctl;net.inet6.ip6.redirect;0;1;Disable sending ICMP redirect routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.bootp_relay;0;1;Do not relay BOOTP packets;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.forwarding;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.log_martians;1;1;Log all packages for which the host does not have a path back to the source;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.mc_forwarding;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.proxy_arp;0;1;Do not relay ARP packets;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.rp_filter;1;1;Enforce ingress/egress filtering for packets;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.send_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.default.log_martians;1;1;Log all packages for which the host does not have a path back to the source;-;category:security;
+config-data=sysctl;net.ipv4.icmp_echo_ignore_broadcasts;1;1;Ignore ICMP packets directed to broadcast address;-;category:security;
+config-data=sysctl;net.ipv4.icmp_ignore_bogus_error_responses;1;1;Ignore-;category:security;
+#config-data=sysctl;net.ipv4.ip_forward;0;1;Do not forward traffic;-;category:security;
+config-data=sysctl;net.ipv4.tcp_syncookies;1;1;Use SYN cookies to prevent SYN attack;-;category:security;
+config-data=sysctl;net.ipv4.tcp_timestamps;0|1;1;Disable TCP time stamps or enable them with different offsets;-;category:security;
+config-data=sysctl;net.ipv6.conf.all.send_redirects;0;1;Disable/ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv6.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv6.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv6.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv6.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security;
+
+# Other
+config-data=sysctl;dev.tty.ldisc_autoload;0;1;Disable loading of TTY line disciplines;-;category:security;
+config-data=sysctl;hw.kbd.keymap_restrict_change;4;1;Disable changing the keymap by non-privileged users;-;category:security;
+#sysctl;kern.securelevel;1^2^3;1;FreeBSD security level;
+#security.jail.jailed; 0
+#security.jail.jail_max_af_ips; 255
+#security.jail.mount_allowed; 0
+#security.jail.chflags_allowed; 0
+#security.jail.allow_raw_sockets; 0
+#security.jail.enforce_statfs; 2
+#security.jail.sysvipc_allowed; 0
+#security.jail.socket_unixiproute_only; 1
+#security.jail.set_hostname_allowed; 1
+#security.bsd.suser_enabled; 1
+#security.bsd.unprivileged_proc_debug; 1
+#security.bsd.conservative_signals; 1
+#security.bsd.unprivileged_read_msgbuf; 1
+#security.bsd.unprivileged_get_quota; 0
+config-data=sysctl;security.bsd.hardlink_check_gid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other groups;-;category:security;
+config-data=sysctl;security.bsd.hardlink_check_uid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other users;-;category:security;
+
+
+#################################################################################
+#
+# permfile
+# ---------------
+# permfile=file name:file permissions:owner:group:action:
+# Action = NOTICE or WARN
+# Examples:
+# permfile=/etc/test1.dat:600:root:wheel:NOTICE:
+# permfile=/etc/test1.dat:640:root:-:WARN:
+#
+#################################################################################
+
+#permfile=/etc/inetd.conf:rw-------:root:-:WARN:
+#permfile=/etc/fstab:rw-r--r--:root:-:WARN:
+permfile=/boot/grub/grub.cfg:rw-------:root:root:WARN:
+permfile=/boot/grub2/grub.cfg:rw-------:root:root:WARN:
+permfile=/boot/grub2/user.cfg:rw-------:root:root:WARN:
+permfile=/etc/at.allow:rw-------:root:-:WARN:
+permfile=/etc/at.deny:rw-------:root:-:WARN:
+permfile=/etc/cron.allow:rw-------:root:-:WARN:
+permfile=/etc/cron.deny:rw-------:root:-:WARN:
+permfile=/etc/crontab:rw-------:root:-:WARN:
+permfile=/etc/group:rw-r--r--:root:-:WARN:
+permfile=/etc/group-:rw-r--r--:root:-:WARN:
+permfile=/etc/hosts.allow:rw-r--r--:root:root:WARN:
+permfile=/etc/hosts.deny:rw-r--r--:root:root:WARN:
+permfile=/etc/issue:rw-r--r--:root:root:WARN:
+permfile=/etc/issue.net:rw-r--r--:root:root:WARN:
+permfile=/etc/lilo.conf:rw-------:root:-:WARN:
+permfile=/etc/motd:rw-r--r--:root:root:WARN:
+permfile=/etc/passwd:rw-r--r--:root:-:WARN:
+permfile=/etc/passwd-:rw-r--r--:root:-:WARN:
+permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN:
+permfile=/etc/hosts.equiv:rw-r--r--:root:root:WARN:
+permfile=/etc/shosts.equiv:rw-r--r--:root:root:WARN:
+permfile=/root/.rhosts:rw-------:root:root:WARN:
+permfile=/root/.rlogin:rw-------:root:root:WARN:
+permfile=/root/.shosts:rw-------:root:root:WARN:
+
+# These permissions differ by OS
+#permfile=/etc/gshadow:---------:root:-:WARN:
+#permfile=/etc/gshadow-:---------:root:-:WARN:
+#permfile=/etc/shadow:---------:root:-:WARN:
+#permfile=/etc/shadow-:---------:root:-:WARN:
+
+
+#################################################################################
+#
+# permdir
+# ---------------
+# permdir=directory name:file permissions:owner:group:action when permissions are different:
+#
+#################################################################################
+
+permdir=/root/.ssh:rwx------:root:-:WARN:
+permdir=/etc/cron.d:rwx------:root:root:WARN:
+permdir=/etc/cron.daily:rwx------:root:root:WARN:
+permdir=/etc/cron.hourly:rwx------:root:root:WARN:
+permdir=/etc/cron.weekly:rwx------:root:root:WARN:
+permdir=/etc/cron.monthly:rwx------:root:root:WARN:
+
+
+# Ignore some specific home directories
+# One directory per line; directories will be skipped for home directory specific
+# checks, like file permissions, SSH and other configuration files
+#ignore-home-dir=/home/user
+
+
+# Allow promiscuous interfaces
+#   <option>:<promiscuous interface name>:<description>:
+#if_promisc:pflog0:pf log daemon interface:
+
+
+# The URL prefix and append to the URL for controls or your custom tests
+# Link will be formed as {control-url-protocol}://{control-url-prepend}CONTROL-ID{control-url-append}
+#control-url-protocol=https
+#control-url-prepend=cisofy.com/control/
+#control-url-append=/
+
+# The URL prefix and append to URL's for your custom tests
+#custom-url-protocol=https
+#custom-url-prepend=your-domain.example.org/control-info/
+#custom-url-append=/
+
+
+#################################################################################
+#
+# Operating system specific
+# -------------------------
+#
+#################################################################################
+
+# Skip the FreeBSD portaudit test
+#freebsd-skip-portaudit=yes
+
+# Skip security repository check for Debian based systems
+#debian-skip-security-repository=yes
+
+
+
+#################################################################################
+#
+# Lynis Enterprise options
+# ------------------------
+#
+#################################################################################
+
+# Allow this system to be purged when it is outdated (default: not defined).
+# This is useful for ephemeral systems which are short-lived.
+#allow-auto-purge=yes
+
+# Sometimes it might be useful to override the host identifiers.
+# Use only hexadecimal values (0-9, a-f), with 40 and 64 characters in length.
+#
+#hostid=40-char-hash
+#hostid2=64-char-hash
+
+# Lynis Enterprise license key
+license-key=
+
+# Proxy settings
+# Protocol (http, https, socks5)
+#proxy-protocol=https
+
+# Proxy server
+#proxy-server=10.0.1.250
+
+# Define proxy port to use
+#proxy-port=3128
+
+# Define the group names to link to this system (preferably single words). Default setting: append
+# To clear groups before assignment, add 'action:clear' as last groupname
+#system-groups=groupname1,groupname2,groupname3
+
+# Define which compliance standards are audited and reported on. Disable this if not required.
+compliance-standards=cis,hipaa,iso27001,pci-dss
+
+# Provide the name of the customer/client
+#system-customer-name=mycustomer
+
+# Upload data to central server
+upload=no
+
+# The hostname/IP address to receive the data
+upload-server=
+
+# Provide options to cURL (or other upload tool) when uploading data.
+# upload-options=--insecure (use HTTPS, but skip certificate check for self-signed certificates)
+upload-options=
+
+# Link one or more tags to a system
+#tags=db,production,ssn-1304
+
+#EOF
+EOF_LYNIS
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0810_chrony_setup.chroot

@@ -1,28 +1,44 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 mkdir -p /var/log/chrony
-# See https://coresecret.eu/tutorials/debian-package-glossary/ for a brief description of the installed packages.
-apt-get install chrony -y
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+export TZ="Etc/UTC"
+
+apt-get install -y adjtimex chrony tzdata
+
 systemctl enable chrony.service
 
-mv /etc/chrony/chrony.conf /root/.ciss/dlb/backup/chrony.conf.bak
-chmod 644 /root/.ciss/dlb/backup/chrony.conf.bak
+mv /etc/chrony/chrony.conf /root/.ciss/cdlb/backup/chrony.conf.bak
+chmod 0644 /root/.ciss/cdlb/backup/chrony.conf.bak
+
+cat << EOF >| /etc/chrony/chrony.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
 
-cat << 'EOF' >| /etc/chrony/chrony.conf
 # Include configuration files found in /etc/chrony/conf.d.
 confdir /etc/chrony/conf.d
 driftfile /var/lib/chrony/chrony.drift
@@ -36,16 +52,13 @@ log tracking measurements statistics
 
 authselectmode require
 
-server ptbtime1.ptb.de iburst nts minpoll 5 maxpoll 9
-server ptbtime2.ptb.de iburst nts minpoll 5 maxpoll 9
-server ptbtime3.ptb.de iburst nts minpoll 5 maxpoll 9
-server ptbtime4.ptb.de iburst nts noselect minpoll 5 maxpoll 9
-# server nts.netnod.se iburst nts minpoll 5 maxpoll 9
-
 # server ntp.ripe.net      iburst nts minpoll 5 maxpoll 9
-# server ntp12.metas.ch iburst nts minpoll 5 maxpoll 9
-# server ntp2.tecnico.ulisboa.pt iburst nts minpoll 5 maxpoll 9
+server ptbtime3.ptb.de   iburst nts minpoll 5 maxpoll 9
+server ptbtime2.ptb.de   iburst nts minpoll 5 maxpoll 9
+server ptbtime1.ptb.de   iburst nts minpoll 5 maxpoll 9
+# server ntp13.metas.ch    iburst nts minpoll 5 maxpoll 9
 # server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9
+# server sth1.ntp.se       iburst nts minpoll 5 maxpoll 9
 server ntp0.fau.de       iburst nts minpoll 5 maxpoll 9
 
 leapsectz right/UTC
@@ -56,13 +69,52 @@ maxupdateskew 100.0
 
 rtcsync
 
-makestep 1 3
+makestep 0.25 3
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 
-chmod 644 /etc/chrony/chrony.conf
+chmod 0644 /etc/chrony/chrony.conf
+
+[[ -f /root/.ciss/check_chrony.sh ]] && chmod 0700 /root/.ciss/check_chrony.sh
+
+### Build right/UTC from tzdata leap table if missing.
+if [[ ! -e /usr/share/zoneinfo/right/UTC ]]; then
+
+  install -d -m 0755 /usr/share/zoneinfo/right
+
+  ### Minimal zic source for a fixed UTC zone.
+  declare -r tmp_src="/tmp/UTC.src"
+  printf 'Zone UTC  0  -  UTC\n' > "${tmp_src}"
+
+  ### Prefer the zic-format leapseconds file.
+  declare leap_zic="/usr/share/zoneinfo/leapseconds"
+
+  if [[ -s "${leap_zic}" ]]; then
+
+    zic -d /usr/share/zoneinfo/right -L "${leap_zic}" "${tmp_src}"
+
+  else
+
+    echo "WARNING: ${leap_zic} not found; building right/UTC without leap info." >&2
+    zic -d /usr/share/zoneinfo/right -L /dev/null "${tmp_src}"
+
+  fi
+
+  rm -f "${tmp_src}"
+
+fi
+
+if [[ -e /usr/share/zoneinfo/right/UTC ]]; then
+
+  ### Expect to see 'Sat Dec 31 23:59:60 UTC 2016' rendered in right/UTC
+  TZ=right/UTC date -ud '2017-01-01 00:00:00 -1 second' || true
+
+fi
+
+chronyd -Q -f /etc/chrony/chrony.conf 2>&1
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0820_kernel_hardening_checker.chroot

@@ -1,24 +1,22 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 cd /root/git
 git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0822_ssh_restart_hook.chroot

@@ -1,52 +1,30 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
-cd /root
-declare target_script="/etc/cron.d/restart-ssh"
+mkdir -p /etc/systemd/system/ssh.service.d
 
-cat << 'EOF' >| "${target_script}"
-@reboot root /usr/local/bin/restart-ssh.sh
+cat << EOF >| /etc/systemd/system/ssh.service.d/10-ciss-network.conf
+[Unit]
+After=network-online.target ufw.service fail2ban.service
+Wants=network-online.target
+
+[Service]
+ExecStartPre=/bin/sleep 5
 EOF
 
-chmod 644 "${target_script}"
-
-cat << 'EOF' >| /usr/local/bin/restart-ssh.sh
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-# Script to restart SSH at boot
-systemctl stop ssh
-sleep 5
-systemctl start ssh
-EOF
-
-chmod +x /usr/local/bin/restart-ssh.sh
-unset target_script
-
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0825_my_sqltuner_perl.chroot

@@ -1,24 +1,22 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 cd /root/git
 git clone --depth 1 -b master https://github.com/major/MySQLTuner-perl.git
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0830_download_yq.chroot

@@ -1,24 +1,22 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
 chmod +x /usr/bin/yq
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0835_testssl.sh.chroot

@@ -1,24 +1,22 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 cd /root/git
 git clone https://github.com/testssl/testssl.sh.git
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot

@@ -1,20 +1,21 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
-apt-get install -y curl
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && \
 apt-get install -y nodejs
 
@@ -22,7 +23,6 @@ cd /root/git
 git clone https://github.com/sefinek/UFW-AbuseIPDB-Reporter.git
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0845_harbian_audit.chroot

@@ -1,24 +1,22 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 cd /root/git
 git clone https://github.com/hardenedlinux/harbian-audit.git
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0850_ssh_audit.chroot

@@ -1,24 +1,22 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 cd /root/git
 git clone https://github.com/jtesta/ssh-audit.git
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0855_dnsviz.chroot

@@ -1,24 +1,22 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 cd /root/git
 git clone https://github.com/dnsviz/dnsviz.git
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0860_sops.chroot

@@ -0,0 +1,57 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+
+SOPS_VER="v3.11.0"
+ARCH="$(dpkg --print-architecture)"
+case "${ARCH}" in
+  amd64)  SOPS_FILE="sops-${SOPS_VER}.linux.amd64" ;;
+  arm64)  SOPS_FILE="sops-${SOPS_VER}.linux.arm64" ;;
+  *)  echo "Unsupported arch: ${ARCH}" >&2; exit 1 ;;
+esac
+
+cd /tmp
+
+curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/${SOPS_FILE}"
+curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.txt"
+curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.pem"
+curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.sig"
+
+cosign verify-blob "sops-${SOPS_VER}.checksums.txt" \
+  --certificate    "sops-${SOPS_VER}.checksums.pem" \
+  --signature      "sops-${SOPS_VER}.checksums.sig" \
+  --certificate-identity-regexp="https://github.com/getsops" \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
+
+sha256sum -c "sops-${SOPS_VER}.checksums.txt" --ignore-missing
+
+install -m 0755 "${SOPS_FILE}" /usr/local/bin/sops
+sops --version --check-for-updates >| /root/.ciss/cdlb/log/sops.log
+age --version                      >| /root/.ciss/cdlb/log/age.log
+
+rm -f "/tmp/${SOPS_FILE}"
+rm -f "/tmp/sops-${SOPS_VER}.checksums.txt"
+rm -f "/tmp/sops-${SOPS_VER}.checksums.pem"
+rm -f "/tmp/sops-${SOPS_VER}.checksums.sig"
+
+chmod 0400 /root/.config/sops/age/keys.txt
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0865_yq.chroot

@@ -1,27 +1,27 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
-mkdir -p /root/.ciss/dlb/backup
-chmod 0700 /root/.ciss/dlb/backup
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 
-mkdir -p /root/git
-chmod 0700 /root/git
+wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/local/bin/yq && chmod +x /usr/local/bin/yq
+
+yq --version
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0870_bashdb.chroot

@@ -1,25 +1,37 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
-# TODO: MUST be uncommented
+umask 0077
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+
+apt-get install -y texinfo
+
 cd /root/git
-# git clone https://git.coresecret.dev/msw/CISS.debian.installer.git
+git clone https://github.com/Trepan-Debuggers/bashdb.git
+cd /root/git/bashdb
+./autogen.sh
+make
+
+apt-get purge -y texinfo
+apt-get autoremove --purge -y
+apt-get autoclean -y
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0900_ufw_setup.chroot

@@ -1,21 +1,20 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 declare -r UFW_OUT_POLICY="deny"
-declare -r SSHPORT="MUST_BE_SET"
+declare -r SSHPORT="SSHPORT_MUST_BE_SET"
 
 ufw --force reset
 
@@ -42,6 +41,7 @@ if [[ ${UFW_OUT_POLICY,,} == "deny"  ]]; then
   ufw allow out  443/tcp comment 'Outgoing HTTPS'
   ufw allow out  465/tcp comment 'Outgoing SMTPS'
   ufw allow out  587/tcp comment 'Outgoing SMTPS'
+  ufw allow out  853/tcp comment 'Outgoing DoT'
   ufw allow out  993/tcp comment 'Outgoing IMAPS'
   ufw allow out 4460/tcp comment 'Outgoing NTS'
   ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH (Custom-Port)'
@@ -51,6 +51,7 @@ if [[ ${UFW_OUT_POLICY,,} == "deny"  ]]; then
   ufw allow out  853/udp comment 'Outgoing DoQ'
 fi
 
+### Allowing ICMP IPv4 outgoing per default.
 sed -i "/# ok icmp code for FORWARD/i \# ok icmp codes for OUTPUT" /etc/ufw/before.rules
 sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" /etc/ufw/before.rules
 sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" /etc/ufw/before.rules
@@ -61,7 +62,6 @@ sed -i 's/^ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf
 ln -sf /lib/systemd/system/ufw.service /etc/systemd/system/multi-user.target.wants/ufw.service
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9900_process_accounting.chroot

@@ -1,33 +1,40 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 apt-get install -y acct
 
 if [[ ! -d /etc/systemd/system/multi-user.target.wants ]]; then
+
   mkdir -p /etc/systemd/system/multi-user.target.wants
+
 fi
 
 if ln -s /lib/systemd/system/acct.service /etc/systemd/system/multi-user.target.wants/acct.service; then
+
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'Process Accounting' enabled successful. \e[0m\n"
+
 else
+
   printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'Process Accounting' already enabled. \e[0m\n" >&2
+
 fi
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9910_motd.chroot

@@ -1,21 +1,20 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
-mkdir -p /root/.ciss/dlb/backup/update-motd.d
-cp -af /etc/update-motd.d/* /root/.ciss/dlb/backup/update-motd.d
+mkdir -p /root/.ciss/cdlb/backup/update-motd.d
+cp -af /etc/update-motd.d/* /root/.ciss/cdlb/backup/update-motd.d
 
 cat << 'EOF' >| /etc/update-motd.d/10-uname
 #!/bin/sh
@@ -24,8 +23,7 @@ EOF
 
 chmod 0755 /etc/update-motd.d/10-uname
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
-# sleep 1
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9920_deleting_invalid_x509.chroot

@@ -1,21 +1,20 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt")
-declare backup_dir="/root/.ciss/dlb/backup/certificates"
+declare backup_dir="/root/.ciss/cdlb/backup/certificates"
 declare current_date
 current_date=$(date +%s)
 declare -ax expired_certificates=()
@@ -31,13 +30,20 @@ declare -ax expired_certificates=()
 #######################################
 create_backup() {
   printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}"
+
   mkdir -p "${backup_dir}"
   declare dir=""
+
   for dir in "${search_dirs[@]}"; do
-    if [ -d "${dir}" ] && compgen -G "${dir}"/* > /dev/null; then
+
+    if [[ -d "${dir}" ]] && compgen -G "${dir}"/* > /dev/null; then
+
       cp -r "${dir}"/* "${backup_dir}"
+
     fi
+
   done
+
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}"
 }
 
@@ -59,18 +65,25 @@ check_certificates() {
   declare cert=""
   declare cert_date=""
   declare cert_date_seconds=""
+
   for dir in "${search_dirs[@]}"; do
+
+    # shellcheck disable=SC2312
     while IFS= read -r -d '' cert; do
+
       cert_date=$(openssl x509 -in "${cert}" -noout -enddate | sed 's/notAfter=//')
       cert_date_seconds=$(date -d "${cert_date}" +%s)
+
       if [[ ${cert_date_seconds} -lt ${current_date} ]]; then
+
         declare -g expired_certificates+=("${cert}")
+
       fi
+
     done < <(find "${dir}" -type f \( -name "*.crt" -o -name "*.pem" \) -print0)
+
   done
 }
-#   done < <(find "${dir}" -type f -name "*.crt" -o -name "*.pem" -print0)
-#   done < <(find "${DIR}" -type f \( -name "*.crt" -o -name "*.pem" \) -print0)
 
 #######################################
 # Find and clean all ca-certificates.crt files in SEARCH_DIRS.
@@ -84,9 +97,13 @@ check_certificates() {
 #######################################
 delete_expired_from_all_bundles() {
   declare dir bundle
+
   for dir in "${search_dirs[@]}"; do
+
     bundle="${dir}/ca-certificates.crt"
+
     if [[ -f ${bundle} ]]; then
+
       printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}"
       declare tmp_bundle="${bundle}.tmp"
       declare -a block=()
@@ -97,33 +114,57 @@ delete_expired_from_all_bundles() {
 
       declare line=""
       while IFS= read -r line; do
+
         block+=("${line}")
+
         if [[ ${line} == "-----END CERTIFICATE-----"   ]]; then
+
           cert=$(printf "%s\n" "${block[@]}")
           enddate=$(echo "${cert}" | openssl x509 -noout -enddate 2> /dev/null | sed 's/notAfter=//')
+
           if [[ -n ${enddate}   ]]; then
+
             declare cert_date_seconds=""
             cert_date_seconds=$(date -d "${enddate}" +%s)
+
             if [[ ${cert_date_seconds} -lt ${current_date} ]]; then
+
               expired=1
+
             else
+
               expired=0
+
             fi
+
           else
+
             expired=0
+
           fi
+
           if [[ ${expired} -eq 0 ]]; then
+
             printf "%s\n" "${block[@]}" >> "${tmp_bundle}"
+
           else
+
             printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅  Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}"
+
           fi
+
           block=()
+
         fi
+
       done < "${bundle}"
 
       mv -f "${tmp_bundle}" "${bundle}"
+
       printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}"
+
     fi
+
   done
 }
 
@@ -141,30 +182,38 @@ else
   printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Expired certificates found:\e[0m\n"
 
   for exp_cert in "${expired_certificates[@]}"; do
+
     printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ '%s'. \e[0m\n" "${exp_cert}"
+
   done
 
   for exp_cert in "${expired_certificates[@]}"; do
+
     rm -f "${exp_cert}"
+
     printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}"
     basename=$(basename "${exp_cert}")
     mozilla_entry="mozilla/${basename%.pem}.crt"
     mozilla_entry="${mozilla_entry%.crt}.crt"
     declare ca_conf="/etc/ca-certificates.conf"
+
     if grep -Fxq "${mozilla_entry}" "${ca_conf}"; then
+
       sed -i "s|^${mozilla_entry}$|#${mozilla_entry}|" "${ca_conf}"
       printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}"
+
     fi
+
   done
 
   printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache ... \e[0m\n"
   update-ca-certificates --fresh
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache done.\e[0m\n"
-  # sleep 1
+
 fi
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
+
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9930_hardening_ssh.chroot

@@ -1,39 +1,61 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
+declare _key=""
+
+cd /etc/ssh
 
-cd /etc/ssh || {
-  printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
-}
 rm -rf ssh_host_*key*
 
-ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
-ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
+if [[ -d /root/ssh ]]; then
 
-awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
-rm -rf /etc/ssh/moduli
-mv /etc/ssh/moduli.safe /etc/ssh/moduli
+  if compgen -G "/root/ssh/ssh_host_*" > /dev/null; then
+    mv -t /etc/ssh -- /root/ssh/ssh_host_*
+  fi
+
+  if compgen -G "/root/ssh/*sha256sum.txt" > /dev/null; then
+    mv -t /etc/ssh -- /root/ssh/*sha256sum.txt
+  fi
+
+  rm -rf /root/ssh
+
+else
+
+  # shellcheck disable=SC2312
+  ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
+
+  # shellcheck disable=SC2312
+  ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
+
+fi
 
 chmod 0600 /etc/ssh/ssh_host_*_key
 chown root:root /etc/ssh/ssh_host_*_key
 chmod 0644 /etc/ssh/ssh_host_*_key.pub
 chown root:root /etc/ssh/ssh_host_*_key.pub
 
-chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config
+if compgen -G "/etc/ssh/*sha256sum.txt" > /dev/null; then
+  chmod 0440 /etc/ssh/*sha256sum.txt
+  chown root:root /etc/ssh/*sha256sum.txt
+fi
+
+awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
+rm -rf /etc/ssh/moduli
+mv /etc/ssh/moduli.safe /etc/ssh/moduli
+
+chmod 0600 /etc/ssh/sshd_config /etc/ssh/ssh_config
 
-touch /root/sshfp
 ssh-keygen -r @ >| /root/sshfp
 
 ###########################################################################################
@@ -44,7 +66,26 @@ ssh-keygen -r @ >| /root/sshfp
 # The chmod +x command ensures that the file is executed in every shell session.          #
 ###########################################################################################
 cat << 'EOF' >| /etc/profile.d/idle-users.sh
-declare -girx TMOUT=14400
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+case $- in
+  *i*)
+    TMOUT=14400
+    export TMOUT
+    readonly TMOUT
+  ;;
+esac
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 
 chmod +x /etc/profile.d/idle-users.sh
@@ -57,8 +98,24 @@ Requires=ufw.service
 EOF
 chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
 
+### Final checks. Verify host keys after installation.
+if command -v ssh-keygen >/dev/null 2>&1; then
+
+  for _key in /etc/ssh/ssh_host_*key; do
+
+    ### Only consider regular files
+    [[ -f "${_key}" ]] || continue
+
+    ssh-keygen -lf "${_key}" >/dev/null || exit 42
+    ssh-keygen -yf "${_key}" >/dev/null || exit 42
+
+  done
+
+fi
+
+/usr/sbin/sshd -t || exit 42
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9935_hardening_ssl.chroot

@@ -0,0 +1,454 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-12-03; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+mkdir -p /root/.ciss/cdlb/backup/etc/ssl
+
+mv /etc/ssl/openssl.cnf /root/.ciss/cdlb/backup/etc/ssl/openssl.cnf.bak
+
+cat << 'EOF' >| /etc/ssl/openssl.cnf
+#
+# OpenSSL example configuration file.
+# See doc/man5/config.pod for more information.
+#
+# This is mostly being used for generation of certificate requests,
+# but may be used for autoloading of providers
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+openssl_conf = default_conf
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+
+# Use this to automatically load providers.
+openssl_conf = openssl_init
+
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
+# Extra OBJECT IDENTIFIER information:
+# oid_file       = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+# We can add new OIDs in here for use by 'ca,' 'req,' and 'ts.'
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+# For FIPS
+# Optionally include a file that is generated by the OpenSSL fipsinstall
+# application. This file contains configuration data required by the OpenSSL
+# fips provider. It contains a named section e.g., [fips_sect] which is
+# referenced from the [provider_sect] below.
+# Refer to the OpenSSL security policy for more information.
+# .include fipsmodule.cnf
+
+[openssl_init]
+providers = provider_sect
+
+# List of providers to load
+[provider_sect]
+default = default_sect
+# The fips section name should match the section name inside the
+# included fipsmodule.cnf.
+# fips = fips_sect
+
+# If no providers are activated explicitly, the default one is activated implicitly.
+# See man 7 OSSL_PROVIDER-default for more details.
+#
+# If you add a section explicitly activating any other provider(s), you most
+# probably need to explicitly activate the default provider, otherwise it
+# becomes unavailable in openssl.  As a consequence, applications depending on
+# OpenSSL may not work correctly, which could lead to significant system
+# problems including inability to remotely access the system.
+[default_sect]
+# activate = 1
+
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of several certs with the same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem # The private key
+
+x509_extensions	= usr_cert		# The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= default		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few different ways of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that.
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 4096
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extensions to add to the self-signed cert
+
+# Passwords for private keys if not present, they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2-letter code)
+countryName_default		= AU
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Some-State
+
+localityName			= Locality Name (e.g., city)
+
+0.organizationName		= Organization Name (e.g., company)
+0.organizationName_default	= Internet Widgits Pty Ltd
+
+# we can do this, but it is unnecessary normally
+#1.organizationName		= Second Organization Name (e.g., company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (e.g., section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (e.g., server FQDN or YOUR name)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines, but some CAs do it, and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated, according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However, since it will
+# prevent it being used as a test self-signed certificate, it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines, but some CAs do it, and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated, according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1	# the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir		= ./demoCA		# TSA root directory
+serial		= $dir/tsaserial	# The current serial number (mandatory)
+crypto_device	= builtin		# OpenSSL engine to use for signing
+signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
+					# (optional)
+certs		= $dir/cacert.pem	# Certificate chain to include in reply
+					# (optional)
+signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest  = sha256			# Signing digest to use. (Optional)
+default_policy	= tsa_policy1		# Policy if request did not specify it
+					# (optional)
+other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
+accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
+clock_precision_digits  = 0	# number of digits after dot. (optional)
+ordering		= yes	# Is ordering defined for timestamps?
+				# (optional, default: no)
+tsa_name		= yes	# Must the TSA name be included in the reply?
+				# (optional, default: no)
+ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+				# (optional, default: no)
+ess_cert_id_alg		= sha256	# algorithm to compute certificate
+				# identifier (optional, default: sha256)
+
+[insta] # CMP using Insta Demo CA
+# Message transfer
+server = pki.certificate.fi:8700
+# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
+# tls_use = 0
+path = pkix/
+
+# Server authentication
+recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
+ignore_keyusage = 1 # quirk needed to accept Insta CA cert not including digitalsignature
+unprotected_errors = 1 # quirk needed to accept negative responses possibly not protected
+extracertsout = insta.extracerts.pem
+
+# Client authentication
+ref = 3078 # user identification
+secret = pass:insta # can be used for both client and server side
+
+# Generic message options
+cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
+
+# Certificate enrollment
+subject = "/CN=openssl-cmp-test"
+newkey = insta.priv.pem
+out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature
+certout = insta.cert.pem
+
+[pbm] # Password-based protection for Insta CA
+# Server and client authentication
+ref = $insta::ref # 3078
+secret = $insta::secret # pass:insta
+
+[signature] # Signature-based protection for Insta CA
+# Server authentication
+trusted = $insta::out_trusted # apps/insta.ca.crt
+
+# Client authentication
+secret = # disable the PBM
+key = $insta::newkey # insta.priv.pem
+cert = $insta::certout # insta.cert.pem
+
+[ir]
+cmd = ir
+
+[cr]
+cmd = cr
+
+[kur]
+# Certificate update
+cmd = kur
+oldcert = $insta::certout # insta.cert.pem
+
+[rr]
+# Certificate revocation
+cmd = rr
+oldcert = $insta::certout # insta.cert.pem
+
+##### Added by CISS.debian.live.builder #####
+[default_conf]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+# Protocol floor / ceiling:
+# - only TLS 1.2 and 1.3.
+# - TLS 1.3 is FS by design;
+# - TLS 1.2 FS enforced via the cipher list.
+MinProtocol = TLSv1.2
+MaxProtocol = TLSv1.3
+
+# TLS 1.2 cipher policy:
+# - Forward secrecy only: ECDHE or DHE (no static RSA kx);
+# - AES-256 *GCM* only (no DHE (dheatattack), no AES-128, no CBC);
+# - Keep distro default SECLEVEL=2 explicitly.
+CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:ECDHE+ARIA256-GCM:ECDHE+CAMELLIA256-GCM:!kRSA:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2
+
+# TLS 1.3 cipher policy: AES-256 and ChaCha20-Poly1305 only:
+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+
+# Prefer strong, widely supported ECDHE groups (first = most preferred):
+Groups = X448:P-521:P-384
+
+SignatureAlgorithms = rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
+
+# Operational flags:
+# -SessionTicket  : disable TLS session tickets (TLS 1.2 + 1.3)
+# ServerPreference: honor server cipher order (TLS 1.2)
+# NoRenegotiation : disallow TLS 1.2 renegotiation
+Options = -SessionTicket,ServerPreference,NoRenegotiation
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9940_hardening_memory.dump.chroot

@@ -1,37 +1,88 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
-cp -u /etc/security/limits.conf /root/.ciss/dlb/backup/limits.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/limits.conf.bak
-sed -i "/#*               soft    core            0/ i\*               soft    core            0" /etc/security/limits.conf
-sed -i "/#root            hard    core            100000/ i\*               hard    core            0" /etc/security/limits.conf
+cp -u /etc/security/limits.conf /root/.ciss/cdlb/backup/limits.conf.bak
+chmod 0644 /root/.ciss/cdlb/backup/limits.conf.bak
+
+### Comment any existing active core settings to avoid conflicts, both soft/hard, any domain including "*".
+sed -i -E '
+/^[[:space:]]*\*[[:space:]]+soft[[:space:]]+core[[:space:]]+0[[:space:]]*$/d
+/^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0[[:space:]]*$/d
+/^[[:space:]]*#\*               soft    core            0$/d
+/^[[:space:]]*#root            hard    core            100000$/d
+/^[[:space:]]*#\*               hard    rss             10000$/d
+/^[[:space:]]*#@student        hard    nproc           20$/d
+/^[[:space:]]*#@faculty        soft    nproc           20$/d
+/^[[:space:]]*#@faculty        hard    nproc           50$/d
+/^[[:space:]]*#ftp             hard    nproc           0$/d
+/^[[:space:]]*#ftp             -       chroot          \/ftp$/d
+/^[[:space:]]*#@student        -       maxlogins       4$/d
+/^[[:space:]]*# End of file/i\
+*               soft    core            0\
+*               hard    core            0
+' /etc/security/limits.conf
 
-if [[ ! -d /etc/systemd/coredump.conf.d ]]; then
 mkdir -p /etc/systemd/coredump.conf.d
-fi
+mkdir -p /etc/security/limits.d
+
+cat << EOF >| /etc/security/limits.d/9999-ciss-coredump-disable.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+*               soft    core            0
+*               hard    core            0
+root            soft    core            0
+root            hard    core            0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+chmod 0644 /etc/security/limits.d/9999-ciss-coredump-disable.conf
+
+cat << EOF >| /etc/systemd/coredump.conf.d/9999-ciss-coredump-disable.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
 
-touch /etc/systemd/coredump.conf.d/disable.conf
-chmod 0644 /etc/systemd/coredump.conf.d/disable.conf
-cat << EOF >| /etc/systemd/coredump.conf.d/disable.conf
 [Coredump]
 Storage=none
+ProcessSizeMax=0
+ExternalSizeMax=0
+JournalSizeMax=0
+MaxUse=0
+KeepFree=0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
+chmod 0644 /etc/systemd/coredump.conf.d/9999-ciss-coredump-disable.conf
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9950_fail2ban_hardening.chroot

@@ -1,148 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
-
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
-
-cd /root
-
-cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/dlb/backup/fail2ban.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/fail2ban.conf.bak
-
-### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
-sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
-
-mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/defaults-debian.conf.bak
-
-cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
-# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
-# SPDX-PackageName: CISS.2025.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-[DEFAULT]
-usedns    = yes
-# local | vpn
-ignoreip  = 127.0.0.0/8 ::1 MUST_BE_SET
-maxretry  = 8
-findtime  = 24h
-bantime   = 24h
-
-### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
-###               Jump host mistyped 1–3 times: no ban, only after four attempts          [sshd]
-
-[sshd]
-enabled   = true
-backend   = systemd
-filter    = sshd
-mode      = normal
-port      = MUST_BE_SET
-protocol  = tcp
-logpath   = /var/log/auth.log
-maxretry  = 4
-findtime  = 24h
-bantime   = 24h
-
-[sshd-refused]
-enabled   = true
-filter    = sshd-refused
-port      = MUST_BE_SET
-protocol  = tcp
-logpath   = /var/log/auth.log
-maxretry  = 1
-findtime  = 24h
-bantime   = 24h
-
-# ufw aggressive approach:
-# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
-# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after one attempt.
-
-[ufw]
-enabled   = true
-filter    = ufw.aggressive
-action    = iptables-allports
-logpath   = /var/log/ufw.log
-maxretry  = 1
-findtime  = 24h
-bantime   = 24h
-protocol  = tcp,udp
-
-EOF
-
-cat << EOF >| /etc/fail2ban/filter.d/ufw.aggressive.conf
-[Definition]
-failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*
-EOF
-
-cat << EOF >| /etc/fail2ban/filter.d/sshd-refused.conf
-[Definition]
-failregex = ^refused connect from \S+ \(<HOST>\)
-EOF
-
-###########################################################################################
-# Remarks: hardening of fail2ban systemd                                                  #
-###########################################################################################
-# https://wiki.archlinux.org/title/fail2ban#Service_hardening                             #
-# The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read  #
-# access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to     #
-# operate # on any firewall that has a command-line shell interface. By using             #
-# ProtectSystem=strict the filesystem hierarchy will only be read-only; ReadWritePaths    #
-# allows Fail2ban to have write access on required paths.                                 #
-###########################################################################################
-mkdir -p /etc/systemd/system/fail2ban.service.d
-mkdir /var/log/fail2ban
-
-cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
-[Service]
-PrivateDevices=yes
-PrivateTmp=yes
-ProtectHome=read-only
-ProtectSystem=strict
-ReadWritePaths=-/var/run/fail2ban
-ReadWritePaths=-/var/lib/fail2ban
-ReadWritePaths=-/var/log/fail2ban
-ReadWritePaths=-/var/spool/postfix/maildrop
-ReadWritePaths=-/run/xtables.lock
-CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
-
-### Added by CISS.debian.live.builder
-ProtectClock=true
-ProtectHostname=true
-
-EOF
-
-cat << 'EOF' >> /etc/fail2ban/fail2ban.local
-[Definition]
-logtarget = /var/log/fail2ban/fail2ban.log
-EOF
-
-###########################################################################################
-# Remarks: Logrotate must be updated either                                               #
-###########################################################################################
-cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
-sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
-touch /var/log/fail2ban/fail2ban.log
-chmod 640 /var/log/fail2ban/fail2ban.log
-
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
-
-exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9950_hardening_fail2ban.chroot

@@ -0,0 +1,241 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+cd /root
+
+cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/cdlb/backup/fail2ban.conf.bak
+chmod 0400 /root/.ciss/cdlb/backup/fail2ban.conf.bak
+
+### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
+sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
+
+mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/cdlb/backup/defaults-debian.conf.bak
+chmod 0400 /root/.ciss/cdlb/backup/defaults-debian.conf.bak
+
+cat << EOF >| /etc/fail2ban/jail.d/ciss-default.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[DEFAULT]
+banaction             = nftables-multiport
+banaction_allports    = nftables-allports
+dbpurgeage            = 384d
+#                       127.0.0.1/8 - IPv4 loopback range (local host)
+#                       ::1/128     - IPv6 loopback
+#                       fe80::/10   - IPv6 link-local (on-link only; NDP/RA/DAD)
+#                       ff00::/8    - IPv6 multicast (not an unicast host)
+#                       ::/128      - IPv6 unspecified (all zeros; never a real peer)
+ignoreip              = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 IGNORE_IP_MUST_BE_SET
+usedns                = yes
+
+[recidive]
+enabled               = true
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
+bantime               = 8d
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 128d
+bantime.multipliers   = 1 2 4 8 16
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = recidive
+findtime              = 16d
+logpath               = /var/log/fail2ban/fail2ban.log*
+maxretry              = 2
+
+### SSH Handling:     Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
+###                   Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]
+
+[sshd]
+enabled               = true
+backend               = systemd
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = sshd
+findtime              = 16m
+maxretry              = 4
+mode                  = aggressive
+port                  = PORT_MUST_BE_SET
+protocol              = tcp
+
+[sshd-refused]
+enabled               = true
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = ciss-sshd-refused
+findtime              = 16m
+logpath               = /var/log/auth.log
+maxretry              = 1
+port                  = PORT_MUST_BE_SET
+protocol              = tcp
+
+#
+# CISS aggressive approach:
+# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
+# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
+#
+
+[ufw]
+enabled               = true
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = ciss-ufw
+findtime              = 16m
+logpath               = /var/log/ufw.log
+maxretry              = 1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+cat << EOF >| /etc/fail2ban/filter.d/ciss-ufw.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[Definition]
+# Match UFW BLOCK/REJECT with a source IP and *any* port field (SPT or DPT), protocol may be missing.
+failregex             = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?(?:\bDPT=\d+\b|\bSPT=\d+\b).*$
+ignoreregex           =
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-sshd-refused.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[Definition]
+failregex = ^refused connect from \S+ \(<HOST>\)
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+###########################################################################################
+# Remarks: hardening of fail2ban systemd                                                  #
+###########################################################################################
+# https://wiki.archlinux.org/title/fail2ban#Service_hardening                             #
+# The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read  #
+# access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to     #
+# operate # on any firewall that has a command-line shell interface. By using             #
+# ProtectSystem=strict the filesystem hierarchy will only be read-only; ReadWritePaths    #
+# allows Fail2ban to have write access on required paths.                                 #
+###########################################################################################
+mkdir -p /etc/systemd/system/fail2ban.service.d
+mkdir -p /var/log/fail2ban
+
+cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
+[Service]
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=read-only
+ProtectSystem=strict
+ReadWritePaths=-/var/run/fail2ban
+ReadWritePaths=-/var/lib/fail2ban
+ReadWritePaths=-/var/log/fail2ban
+ReadWritePaths=-/var/spool/postfix/maildrop
+ReadWritePaths=-/run/xtables.lock
+CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
+
+### Added by CISS.debian.live.builder
+ProtectClock=true
+ProtectHostname=true
+
+EOF
+
+cat << 'EOF' >> /etc/fail2ban/fail2ban.local
+[Definition]
+logtarget             = /var/log/fail2ban/fail2ban.log
+
+[Database]
+# Keep entries for at least 384 days to cover recidive findtime.
+dbpurgeage            = 384d
+EOF
+
+###########################################################################################
+# Remarks: Logrotate must be updated either                                               #
+###########################################################################################
+cp -a /etc/logrotate.d/fail2ban /root/.ciss/cdlb/backup/fail2ban_logrotate.bak
+cat << EOF >| /etc/logrotate.d/fail2ban
+/var/log/fail2ban/fail2ban.log {
+    daily
+    rotate 384
+    maxage 384
+    notifempty
+    dateext
+    dateyesterday
+    compress
+    compresscmd /usr/bin/zstd
+    compressext .zst
+    compressoptions -20
+    uncompresscmd /usr/bin/unzstd
+    delaycompress
+    shred
+    missingok
+    postrotate
+        fail2ban-client flushlogs 1>/dev/null
+    endscript
+    # If fail2ban runs as non-root it still needs to have write access
+    # to logfiles.
+    # create 640 fail2ban adm
+    create 640 root adm
+}
+EOF
+
+touch /var/log/fail2ban/fail2ban.log
+chmod 0640 /var/log/fail2ban/fail2ban.log
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9960_disable_services.chroot

@@ -1,18 +1,17 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 ###########################################################################################
 # Remarks: Turn off Energy saving mode and ctrl-alt-del                                   #
@@ -25,7 +24,6 @@ done
 unset target
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9970_remove_exim.chroot

@@ -1,32 +1,32 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 
 cd /etc
 
-apt-get purge exim4 -y
-apt-get purge exim4-base -y
-apt-get purge exim4-config -y
-
+apt-get purge exim4 exim4-base exim4-config -y
 apt-get autoremove -y
 apt-get autoclean -y
 apt-get autopurge -y
 
 apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config
 
-apt-get update -y
+apt-get update -qq
 apt-get upgrade -y
 
 if [[ -d /etc/exim4 ]]; then
@@ -34,7 +34,6 @@ if [[ -d /etc/exim4 ]]; then
 fi
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9980_usb_guard.chroot

@@ -1,45 +1,47 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 apt-get install -y usbguard
 
-# sleep 1
-
-# Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
+### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
 touch /tmp/rules.conf
 usbguard generate-policy >> /tmp/rules.conf
 
 if [[ -f /etc/usbguard/rules.conf && -s /etc/usbguard/rules.conf ]]; then
-  mv /etc/usbguard/rules.conf /root/.ciss/dlb/backup/usbguard_rules.conf.bak
+
+  mv /etc/usbguard/rules.conf /root/.ciss/cdlb/backup/usbguard_rules.conf.bak
   cp -a /tmp/rules.conf /etc/usbguard/rules.conf
   chmod 0600 /etc/usbguard/rules.conf
+
 else
+
   rm -f /etc/usbguard/rules.conf
   cp -a /tmp/rules.conf /etc/usbguard/rules.conf
   chmod 0600 /etc/usbguard/rules.conf
+
 fi
 
-cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/dlb/backup/usbguard-daemon.conf.bak
-sed -i "s/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/" /etc/usbguard/usbguard-daemon.conf
-# sleep 1
+cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/cdlb/backup/usbguard-daemon.conf.bak
+#sed -i "s/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/" /etc/usbguard/usbguard-daemon.conf
 
 rm -f /tmp/rules.conf
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9990_final_purge.chroot

@@ -1,47 +1,55 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
-apt-get update -y
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 
-apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config \
-qemu-guest-agent rmail sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 
-apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config \
-qemu-guest-agent rmail sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
+apt-get update -qq
 
-dpkg --get-selections | grep deinstall >> /tmp/deinstall.log || true
+apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config postfix-mta-sts-resolver postfix qemu-guest-agent rmail
+
+apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config postfix-mta-sts-resolver postfix qemu-guest-agent rmail
+
+dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true
 
 if [[ -s /tmp/deinstall.log ]]; then
+
   printf "\n"
   printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Packages to purge ... \e[0m\n"
   sed -i 's!deinstall!!' /tmp/deinstall.log
+
   while IFS= read -r line; do
+
     declare trimmed_string
-    trimmed_string=$(echo "$line" | awk '{$1=$1};1')
+    trimmed_string=$(echo "${line}" | awk '{$1=$1};1')
     echo "y" | apt-get purge "${trimmed_string}"
     printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Package '%s' purged. \e[0m\n" "${trimmed_string}"
-    # sleep 1
+
   done < /tmp/deinstall.log
+
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Packages to purge done. \e[0m\n"
+
 else
+
   printf "\n"
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Packages to purge, proceeding with clean up. \e[0m\n"
+
 fi
 
-apt-get update -y
 apt-get upgrade -y
 
 rm -f /tmp/deinstall.log
@@ -52,8 +60,7 @@ apt-get autopurge -y
 
 updatedb
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
-# sleep 1
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9991_file_permissions.chroot

@@ -1,26 +1,25 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 chmod 0644 /etc/banner
 chmod 0644 /etc/issue
 chmod 0644 /etc/issue.net
 
 if [[ -f /etc/motd ]]; then
-  cp -a /etc/motd /root/.ciss/dlb/backup/motd.bak
-  chmod 0644 /root/.ciss/dlb/backup/motd.bak
+  cp -a /etc/motd /root/.ciss/cdlb/backup/motd.bak
+  chmod 0644 /root/.ciss/cdlb/backup/motd.bak
   rm /etc/motd
 fi
 
@@ -37,8 +36,9 @@ cat << EOF >| /etc/motd
 
 EOF
 
-cp -a /etc/login.defs /root/.ciss/dlb/backup/login.defs.bak
+cp -a /etc/login.defs /root/.ciss/cdlb/backup/login.defs.bak
 
+sed -ri 's/^(#?LOGIN_TIMEOUT)[[:space:]]+[0-9]+/\1 180/' /etc/login.defs
 sed -i 's/UMASK		022/UMASK		077/' /etc/login.defs
 sed -i 's/PASS_MAX_DAYS	99999/PASS_MAX_DAYS	16384/' /etc/login.defs
 sed -i 's/PASS_MIN_DAYS	0/PASS_MIN_DAYS	1/' /etc/login.defs
@@ -54,8 +54,8 @@ fi
 
 if [[ -f /etc/cron.allow ]]; then
   cp -u /etc/cron.allow /root/.backup/cron.allow.bak
-  chmod 644 /root/.backup/cron.allow.bak
-  chmod 600 /etc/cron.allow
+  chmod 0644 /root/.backup/cron.allow.bak
+  chmod 0600 /etc/cron.allow
   cat << EOF >| /etc/cron.allow
 root
 EOF
@@ -98,8 +98,18 @@ for bin in as gcc g++ cc clang; do
 done
 unset bin target
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
-# sleep 1
+###    Directories: 0700
+find /root -type d -exec chmod 0700 {} +
+###    Executable files: 0700 (any x-bit set)
+find /root -type f -perm /111 -exec chmod 0700 {} +
+###    Non-executable files: 0600
+find /root -type f ! -perm /111 -exec chmod 0600 {} +
+###    Ownership: UID:GID (do not dereference symlinks; stay on this filesystem)
+find /root -xdev -exec chown -h root:root {} +
+
+rm -f /etc/tmpfiles.d/legacy.conf
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9992_password_expiration.chroot

@@ -1,42 +1,127 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
+#######################################
+# Iterates all '/etc/shadow' entries and sets:
+#   4=min age=0, 5=max age=16384, 6=warn=128, 7=inactive=42, 8=expire=17.09.2102
+#   Safe: creates a timestamped backup and (if available) locks '/etc/.pwd.lock'.
+# Globals:
+#   RECOVERY
+#   TARGET
+#   VAR_RUN_RECOVERY
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+update_shadow() {
+  ### Declare Arrays, HashMaps, and Variables.
+
+  declare -r  var_shadow="/etc/shadow"
+  declare -r  var_backup="/root/.ciss/cdlb/backup/etc/shadow.$(date +%s).bak"
+  declare -r  var_temp="${var_shadow}.new.$$"
+  declare -r  var_exp_dt="17.09.2102"
+  declare     var_exp_ds=""
+
+  mkdir -p "/root/.ciss/cdlb/backup/etc"
+
+  var_exp_ds="$(
+    awk -v d="${var_exp_dt}" 'BEGIN{
+      # Force UTC to avoid DST/timezone off-by-one errors
+      ENVIRON["TZ"]="UTC";
+      if (match(d, /^([0-9]{2})\.([0-9]{2})\.([0-9]{4})$/, a)) {
+        dd=a[1]+0; mm=a[2]+0; yyyy=a[3]+0;
+        sec = mktime(sprintf("%04d %02d %02d 00 00 00 0", yyyy, mm, dd));
+        if (sec < 0) { print "ERR"; exit 1 }
+        print int(sec/86400);
+        exit 0
+      } else { print "ERR"; exit 1 }
+    }'
+  )" || return 42
+
+  # shellcheck disable=SC2249
+  case "${var_exp_ds}" in
+
+    ''|*ERR*)
+      return 127
+      ;;
+
+  esac
+
+  umask 0077
+  cp --preserve=mode,ownership "${var_shadow}" "${var_backup}"
+
+  ### Rewrite fields 4..8 for every line
+  ### Preserve fields 1..3 and 9, keep password hashes untouched.
+  ### Pad to 9 fields if shorter; keep empty lines intact (rare but safe).
+  awk -v FS=":" -v OFS=":" -v v_exp="${var_exp_ds}" '
+    NF==0 { print; next }                      # preserve blank lines verbatim
+    {
+      # pad missing trailing fields to 9
+      for (i=NF+1; i<=9; i++) $i="";
+      $4=0; $5=16384; $6=128; $7=42; $8=v_exp; # set required fields
+      print
+    }
+  ' "${var_backup}" >| "${var_temp}"
+
+  ### Defensive: ensure non-empty output.
+  if [[ ! -s "${var_temp}" ]]; then
+    rm -f "${var_temp}"
+    return 42
+  fi
+
+  ### Preserve owner/mode (fallback to 0640 root:shadow if reference fails).
+  chown --reference="${var_shadow}" "${var_temp}" 2>/dev/null || chown root:shadow "${var_temp}" 2>/dev/null || true
+  chmod --reference="${var_shadow}" "${var_temp}" 2>/dev/null || chmod 0640 "${var_temp}" 2>/dev/null || true
+
+  ### Atomic replace.
+  mv -f "${var_temp}" "${var_shadow}"
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f update_shadow
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 if ! command -v chage &>/dev/null; then
+
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n"
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-  # sleep 1
+
   exit 0
+
 fi
 
 declare -i max_days=16384
+# shellcheck disable=SC2312
 mapfile -t users_to_update < <(
   awk -F: '$2 !~ /^[!*]/ { print $1 }' /etc/shadow
 )
 
 if [[ ${#users_to_update[@]} -eq 0 ]]; then
+
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n"
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-  # sleep 1
+
   exit 0
+
 fi
 
 declare user
 for user in "${users_to_update[@]}"; do
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}"
-  chage --maxdays "$max_days" "$user"
+  chage --maxdays "${max_days}" "${user}"
 done
 
 unset max_days user users_to_update
@@ -45,8 +130,9 @@ awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ All applicable accounts have been updated. \e[0m\n"
 
+update_shadow
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9993_aide.chroot

@@ -1,32 +1,37 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
-apt-get install -y aide
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+apt-get install -y aide > /dev/null 2>&1
 
-cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
+cp -u /etc/aide/aide.conf /root/.ciss/cdlb/backup/aide.conf.bak
 sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf
 
-if aideinit; then
+if aideinit > /dev/null 2>&1; then
+
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'aideinit' successful. \e[0m\n"
+
 else
+
   printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'aideinit' NOT successful. \e[0m\n" >&2
+
 fi
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9994_password_policy.chroot

@@ -1,40 +1,42 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### NIST recommends at least eight characters but advises longer passphrases (e.g., 12–64) for increased security.
-### NIST SP 800–63B, https://pages.nist.gov/800-63-3/sp800-63b.html
+### NIST recommends at least eight characters but advises longer passphrases (e.g., 12-64) for increased security.
+### NIST SP 800-63B, https://pages.nist.gov/800-63-3/sp800-63b.html
 
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
-cp -a /etc/security/pwquality.conf /root/.ciss/dlb/backup/pwquality.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/pwquality.conf.bak
+# shellcheck disable=SC2155
+declare -r VAR_DATE="$(date +%F)"
 
-cat << 'EOF' >| /etc/security/pwquality.conf
+cp -a /etc/security/pwquality.conf /root/.ciss/cdlb/backup/pwquality.conf.bak
+chmod 0644 /root/.ciss/cdlb/backup/pwquality.conf.bak
+
+cat << EOF >| /etc/security/pwquality.conf
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
 ### Current recommendations for '/etc/security/pwquality.conf' based on common best practices,
-### including NIST SP 800–63B, https://pages.nist.gov/800-63-3/sp800-63b.html
+### including NIST SP 800-63B, https://pages.nist.gov/800-63-3/sp800-63b.html
 ### and weighing usability against security.
 
 ### Configuration for systemwide password quality limits
@@ -46,16 +48,16 @@ difok = 4
 
 ### Length over complexity: Studies show that longer passphrases are significantly more
 ### resistant to brute-force and dictionary attacks. NIST recommends at least eight characters
-### but advises longer passphrases (e.g., 12–64) for increased security. Twenty characters strike a
+### but advises longer passphrases (e.g., 12-64) for increased security. Twenty characters strike a
 ### good balance between security and user convenience.
 ### Minimum acceptable size for the new password (plus one if
 ### credits are not disabled, which is the default). (See pam_cracklib manual.)
 ### Cannot be set to a lower value than 6.
-minlen = 20
+minlen = 40
 
 ### dcredit = 0, ucredit = 0, lcredit = 0, ocredit = 0, minclass = 0
-### NIST SP 800–63B advises against rigid complexity rules (numbers, symbols, uppercase)
-### because they can lead users to adopt predictable patterns (e.g., “Pa$$word!”).
+### NIST SP 800-63B advises against rigid complexity rules (numbers, symbols, uppercase)
+### because they can lead users to adopt predictable patterns (e.g., "Pa$$word!").
 ### Length and dictionary checks are more effective.
 
   ### The maximum credit for having digits in the new password. If less than 0
@@ -83,12 +85,12 @@ minlen = 20
 
 ### The maximum number of allowed consecutive same characters in the new password.
 ### The check is disabled if the value is 0.
-maxrepeat = 2
+maxrepeat = 3
 
 ### The maximum number of allowed consecutive characters of the same class in the
 ### new password.
 ### The check is disabled if the value is 0.
-maxclassrepeat = 4
+maxclassrepeat = 0
 
 ### Whether to check for the words from the passwd entry GECOS string of the user.
 ### The check is enabled if the value is not 0.
@@ -129,7 +131,6 @@ local_users_only
 EOF
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9995_sysstat.chroot

@@ -1,23 +1,21 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9996_auditd.chroot

@@ -1,47 +1,73 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
 ### https://github.com/linux-audit/audit-userspace/tree/master/rules
 
-set -C -e -u -o pipefail
+set -Ceuo pipefail
+
+#######################################
+# Simple error terminal logger.
+# Arguments:
+#   None
+#######################################
+log() { printf '[auditd-build] %s\n' "${*}" >&2; }
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 cd /root
 
-apt-get install auditd -y
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+apt-get install -y auditd
 
-cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak
-cp -u /etc/audit/auditd.conf /root/.ciss/dlb/backup/auditd.conf.bak
-cp -u /etc/audit/rules.d/audit.rules /root/.ciss/dlb/backup/rules_d_audit.rules.bak
+cp -u /etc/audit/audit.rules /root/.ciss/cdlb/backup/audit.rules.bak
+cp -u /etc/audit/auditd.conf /root/.ciss/cdlb/backup/auditd.conf.bak
+cp -u /etc/audit/rules.d/audit.rules /root/.ciss/cdlb/backup/rules_d_audit.rules.bak
 rm -rf /etc/audit/rules.d/audit.rules
 
-############################################################### /etc/audit/rules.d/10-base-config.rules
-cat << EOF >| /etc/audit/rules.d/10-base-config.rules
+############################################################### /etc/audit/rules.d/00-base-config.rules
+cat << EOF >| /etc/audit/rules.d/00-base-config.rules
 ## First rule - delete all
 -D
 
 ## Increase the buffers to survive stress events.
-## Make this bigger for busy systems
--b 8192
+## Make this bigger for busy systems.
+-b 16384
 
-## This determine how long to wait in burst of events
---backlog_wait_time 60000
+## Rate Limit. Cap kernel->userspace message rate (0 = unlimited).
+-r 200
 
-## Set failure mode to syslog
+## This determine how long to wait in burst of events. How long to wait in bursts (us).
+--backlog_wait_time 1024
+
+## Set failure mode to syslog.
 -f 1
 EOF
 
+############################################################### /etc/audit/rules.d/10-ciss-noise-floor.rules
+cat << EOF >| /etc/audit/rules.d/10-ciss-noise-floor.rules
+## Ignore kernel/daemon noise without a loginuid (unset = 4294967295).
+-a never,exit -F auid=4294967295
+
+## Make privileged exec tracing user-initiated only (no boot-time daemons).
+-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k exec_root
+-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k exec_root
+
+## (Optional, same principle for suid/sgid transitions).
+-a always,exit -F arch=b64 -S execve -C uid!=euid -F auid>=1000 -F auid!=-1 -k exec_suid_sgid
+-a always,exit -F arch=b32 -S execve -C uid!=euid -F auid>=1000 -F auid!=-1 -k exec_suid_sgid
+EOF
+
 ############################################################### /etc/audit/rules.d/11-loginuid.rules
 cat << EOF >| /etc/audit/rules.d/11-loginuid.rules
 --loginuid-immutable
@@ -50,13 +76,18 @@ EOF
 ############################################################### /etc/audit/rules.d/20-dont-audit.rules
 cat << EOF >| /etc/audit/rules.d/20-dont-audit.rules
 ## This is for don't audit rules. We put these early because audit
-### is a first match wins system. Uncomment the rules you want.
+## is a first match wins system. Uncomment the rules you want.
 
 ## Cron jobs fill the logs with stuff we normally don't want
--a never,user -F subj_type=crond_t
+-a never,user
 
 ## This prevents chrony from overwhelming the logs
--a never,exit -F arch=x86_64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
+-a never,exit -F arch=b64 -S adjtimex -F exe=/usr/sbin/chronyd
+-a never,exit -F arch=b32 -S adjtimex -F exe=/usr/sbin/chronyd
+
+## Human-attributable time changes
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change
+-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change
 
 ### This is not very interesting and wastes a lot of space if
 ### the server is public facing
@@ -75,8 +106,19 @@ EOF
 ############################################################### /etc/audit/rules.d/22-ignore-chrony.rules
 cat << EOF >| /etc/audit/rules.d/22-ignore-chrony.rules
 ## This rule suppresses the time-change event when chrony does time updates
--a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
--a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
+-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=_chrony
+-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony
+EOF
+
+############################################################### /etc/audit/rules.d/25-ciss-exec.rules
+cat << EOF >| /etc/audit/rules.d/25-ciss-exec.rules
+## Focus on privileged exec, not every user command
+-a always,exit -F arch=b64 -S execve -F euid=0 -k exec_root
+-a always,exit -F arch=b32 -S execve -F euid=0 -k exec_root
+-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -k exec_sudo
+-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/sudo -k exec_sudo
+-a always,exit -F arch=b64 -S execve -C uid!=euid -k exec_suid_sgid
+-a always,exit -F arch=b32 -S execve -C uid!=euid -k exec_suid_sgid
 EOF
 
 ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
@@ -96,17 +138,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
 -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 EOF
 
-############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
-## Successful file creation (open with O_CREAT)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
 ## Unsuccessful file modifications (open for write or truncate)
@@ -124,17 +155,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
 -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 EOF
 
-############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
-## Successful file modifications (open for write or truncate)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
 ## Unsuccessful file access (any other opens) This has to go last.
@@ -144,14 +164,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
 -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
 EOF
 
-############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
-## Successful file access (any other opens) This has to go last.
-## These next two are likely to result in a whole lot of events
--a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
--a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
 ## Unsuccessful file delete
@@ -161,13 +173,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
 -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
 EOF
 
-############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
-## Successful file delete
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
 ## Unsuccessful permission change
@@ -177,13 +182,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
 -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
 EOF
 
-############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
-## Successful permission change
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
 ## Unsuccessful ownership change
@@ -193,13 +191,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
 -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
 EOF
 
-############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
-## Successful ownership change
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
--a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42.rules
 ## The purpose of these rules is to meet the requirements for Operating
@@ -325,8 +316,65 @@ cat << EOF >| /etc/audit/rules.d/99-finalize.rules
 -e 2
 EOF
 
+shopt -s nullglob
+rules=(/etc/audit/rules.d/*.rules)
+if (( ${#rules[@]} == 0 )); then
+  log "ERROR: /etc/audit/rules.d is empty. Seed rules before this hook."
+  exit 127
+fi
+
+if ! /sbin/augenrules --check >/dev/null 2>&1; then
+  log "ERROR: augenrules --check failed. Fix the /etc/audit/rules.d/*.rules first."
+  exit 128
+fi
+
+# shellcheck disable=2155
+declare tmp="$(mktemp)"
+printf '%s\0' "${rules[@]}" \
+  | xargs -0 -I{} basename "{}" \
+  | sort -V \
+  | while read -r fname; do
+    f="/etc/audit/rules.d/${fname}"
+    ### Normalize CRLF and strip UTF-8 BOM.
+    sed -e 's/\r$//' -e '1s/^\xEF\xBB\xBF//' "${f}" >> "${tmp}"
+    printf '\n' >> "${tmp}"
+  done
+
+# shellcheck disable=2155
+declare tmp_stripped="$(mktemp)"
+sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "${tmp}" >| "${tmp_stripped}"
+sed -E 's/[[:space:]]+#.*$//' -i "${tmp_stripped}"
+
+install -m 0600 -o root -g root "${tmp_stripped}" /etc/audit/audit.rules
+rm -f "${tmp}" "${tmp_stripped}"
+
+if ! grep -Eq '(^-a|^-w|^-e[[:space:]]+1|^-e[[:space:]]+2)' /etc/audit/audit.rules; then
+  log "WARN: /etc/audit/audit.rules contains no -a/-w rules or '-e 1/2'; is this intended?"
+fi
+
+log "Done. /etc/audit/audit.rules generated at build-time (no kernel load)."
+
+mkdir -p /etc/systemd/system/audit-rules.service.d
+
+cat << EOF >| /etc/systemd/system/audit-rules.service.d/10-ciss.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/augenrules --load
+
+EOF
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9997_debsums.chroot

@@ -1,36 +1,41 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 cd /root
 
-apt-get install --no-install-recommends debsums -y
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+apt-get install -y --no-install-recommends debsums
 
-cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak
-chmod 0644 /root/.ciss/dlb/backup/debsums.bak
+cp -a /etc/default/debsums /root/.ciss/cdlb/backup/debsums.bak
+chmod 0644 /root/.ciss/cdlb/backup/debsums.bak
 sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
 
-if debsums -g; then
+if debsums -g > /dev/null 2>&1; then
+
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'debsums -g' successful. \e[0m\n"
+
 else
+
   # Omit false negative error output to stdout and stderr, as no problematic errors occur on startup.
   printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'debsums -g' NOT successful. \e[0m\n"  > /dev/null 2>&1
+
 fi
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9998_sources_list.chroot

@@ -1,59 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
-
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
-
-cd /root
-
-if [[ -f /etc/apt/sources.list ]]; then
-  mv /etc/apt/sources.list /root/.ciss/dlb/backup/sources.list.bak
-fi
-
-cat << 'EOF' >| /etc/apt/sources.list
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
-# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
-# SPDX-PackageName: CISS.2025.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-#-----------------------------------------------------------------------------------------#
-#                                  OFFICIAL DEBIAN REPOS
-#-----------------------------------------------------------------------------------------#
-
-### Debian Main Repos Bookworm
-
-deb https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
-deb-src https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
-
-deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
-deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
-
-deb https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
-deb-src https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
-
-deb https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
-deb-src https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
-EOF
-
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
-
-exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9998_sources_list_trixie.chroot

@@ -0,0 +1,136 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+
+# shellcheck disable=SC2155
+declare -r VAR_DATE="$(date +%F)"
+
+cd /root
+
+mkdir -p /etc/apt/apt.conf.d
+
+cat << EOF >| /etc/apt/apt.conf.d/00-deb822-prefer
+// Make APT ignore the classic /etc/apt/sources.list entirely.
+Dir::Etc {
+  sourcelist  "/dev/null";                // classic list is ignored
+  sourceparts "/etc/apt/sources.list.d";  // deb822 *.sources remain authoritative
+}
+EOF
+
+if [[ ! -f /etc/apt/sources.list.d/trixie.sources ]]; then
+  cat << EOF >| /etc/apt/sources.list.d/trixie.sources
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+Types: deb deb-src
+URIs: https://deb.debian.org/debian/
+Suites: trixie
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+fi
+
+if [[ ! -f /etc/apt/sources.list.d/trixie-security.sources ]]; then
+  cat << EOF >| /etc/apt/sources.list.d/trixie-security.sources
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+Types: deb deb-src
+URIs: https://security.debian.org/debian-security/
+Suites: trixie-security
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+fi
+
+if [[ ! -f /etc/apt/sources.list.d/trixie-updates.sources ]]; then
+ cat << EOF >| /etc/apt/sources.list.d/trixie-updates.sources
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+Types: deb deb-src
+URIs: https://deb.debian.org/debian/
+Suites: trixie-updates
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+fi
+
+
+if [[ ! -f /etc/apt/sources.list.d/trixie-backports.sources ]]; then
+  cat << EOF >| /etc/apt/sources.list.d/trixie-backports.sources
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+Types: deb deb-src
+URIs: https://deb.debian.org/debian/
+Suites: trixie-backports
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+fi
+
+apt-get update -qq
+apt-get dist-upgrade -y        # (= apt full-upgrade) allow installs/replacements/removals.
+apt-get autoremove --purge -y  # 'autopurge' == 'autoremove --purge'.
+apt-get clean -y               # Stronger than autoclean: removes the entire '.deb'-cache.
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh