DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 1 [skip ci]

X-CI-Metadata: master@4f7131c at 2025-06-24T22:34:39Z on 56dbb041e6a3

Generated at : 2025-06-24T22:34:39Z
Runner Host  : 56dbb041e6a3
Workflow ID  : 🔐 Generating a Private Live ISO FLV 1.
Git Commit   : 4f7131c HEAD -> master

.archive/icon.lib

@@ -2,41 +2,54 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ✅
-🔧
+❌
+⚠️
+🚫
+🔐
+🔒
 🔑
+✍️
 🖥️
+🔄
+🔁
+🌌
+🔵
+💙
+🔍
+💡
+🔧
 🛠️
+🏗
+⚙️
+📐
+🧪
+📩
 📥
 📦
 📑
 📂
-🔒
-🔐
-⚙️
-❌
-🌌
+📀
 🎉
-🖥️
-🔑
-📂
-📩
-🔵
 😺
-🧪
+📉
 📊
 🧾
-📀
-📉
-⏱
+📋
+🕑
 🧠
 📅
-💙
-🚫
+🎯
+🌐
+🔗
+💬
+☢️
+☣️
+•
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.editorconfig

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -12,9 +12,7 @@
 name: "Bug Report"
 about: "Create a report to help us improve"
 title: "[BUG | possible BUG]: "
-labels: "bug:to be reproduced,bug:needs triage/confirmation"
-assignees: ""
----
+assignees: "MSW"
 body:
   # Instructions for the reporter
   - type: markdown
@@ -27,7 +25,7 @@ body:
     attributes:
       label: "Version"
       description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.02.080.2025.05.19"
+      placeholder: "e.g., Master V8.03.832.2025.06.24"
     validations:
       required: true
 

.gitea/ISSUE_TEMPLATE/PULL_REQUEST_TEMPLATE.yaml

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -12,7 +12,7 @@
 name: "Standard-PR"
 about: "Please answer the following questions before submitting the PR."
 title: "[PR]: "
-ref: "master"
+assignees: "MSW"
 body:
   - type: markdown
     attributes:
@@ -48,8 +48,8 @@ body:
       options:
         - label: "My edits contain no tabs, use two-space indentation, and no trailing whitespace"
         - label: "I have read ~/docs/CONTRIBUTING.md and ~/docs/CODING_CONVENTION.md"
-        - label: "I have tested this fix or improvement on ≥2 VMs without issues"
-        - label: "I have tested this new feature on ≥2 VMs with and without it to avoid side effects"
+        - label: "I have tested this fix or improvement on >=2 VMs without issues"
+        - label: "I have tested this new feature on >=2 VMs with and without it to avoid side effects"
         - label: "Documentation and/or 'usage()' and/or 'arg_parser' have been updated for the new feature"
         - label: "I added myself to ~/docs/CREDITS.md (alphabetical) and updated ~/docs/CHANGELOG.md"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/TODO/dockerfile

@@ -0,0 +1,69 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.03.832.2025.06.24
+
+FROM debian:bookworm
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update -y \
+    && apt-get upgrade -y \
+    && apt-get install -y \
+      apt-transport-https \
+      apt-utils \
+      bash \
+      ca-certificates \
+      gnupg \
+      openssl \
+      sudo \
+    && apt-get update -y \
+    && apt-get upgrade -y \
+    && apt-get clean \
+    && apt-get autoremove --purge -y \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir -p /etc/apt/sources.list.d && touch /etc/apt/sources.list.d/bookworm-backports.list \
+    && echo 'deb https://deb.debian.org/debian bookworm-backports main' >| /etc/apt/sources.list.d/bookworm-backports.list \
+    && apt-get update -y \
+    && apt-get upgrade -y \
+    && apt-get install -y --no-install-recommends \
+      autoconf \
+      automake \
+      build-essential \
+      cryptsetup \
+      curl \
+      debootstrap \
+      dosfstools \
+      efibootmgr \
+      gettext \
+      git \
+      haveged \
+      libtool \
+      live-build \
+      parted \
+      pkg-config \
+      ssh \
+      ssl-cert \
+      texinfo \
+      wget \
+      whois \
+    && apt-get clean \
+    && apt-get autoremove --purge -y \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN useradd --create-home --shell /bin/bash runner
+
+WORKDIR /home/runner
+
+USER runner
+
+ENTRYPOINT ["bash"]

.gitea/TODO/render-md-to-html.yaml

@@ -2,16 +2,16 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.127.2025.06.02
+### Version Master V8.03.832.2025.06.24
 
-name: Render README.md to README.html
+name: 🔁 Render README.md to README.html.
 
 permissions:
   contents: write
@@ -21,18 +21,19 @@ on:
     branches:
       - master
     paths:
-      - "**/*.md"
+      - "README.md"
       - '.gitea/properties/lua/linkfix.lua'
 
 jobs:
   render-md-to-html:
-    name: Render README.md to README.html
+    name: 🔁 Render README.md to README.html.
     runs-on: ubuntu-latest
 
     steps:
-      - name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
         shell: bash
         run: |
+          set -euo pipefail
           rm -rf ~/.ssh && mkdir -m700 ~/.ssh
 
           ### Private Key
@@ -55,24 +56,27 @@ jobs:
           chmod 600 ~/.ssh/config
 
       ### https://github.com/actions/checkout/issues/1843
-      - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
         shell: bash
         env:
           ### GITHUB_REF_NAME contains the branch name from the push event.
           GITHUB_REF_NAME: ${{ github.ref_name }}
         run: |
+          set -euo pipefail
           git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
           git fetch --unshallow || echo "Nothing to fetch - already full clone."
 
-      - name: Cleaning the workspace.
+      - name: 🛠️ Cleaning the workspace.
         shell: bash
         run: |
+          set -euo pipefail
           git reset --hard
           git clean -fd
 
-      - name: Importing the 'CI PGP DEPLOY ONLY' key.
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
         shell: bash
         run: |
+          set -euo pipefail
           ### GPG-Home relative to the Runner Workspace to avoid changing global files.
           export GNUPGHOME="$(pwd)/.gnupg"
           mkdir -m 700 "${GNUPGHOME}"
@@ -82,9 +86,10 @@ jobs:
           KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
           echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
 
-      - name: Configuring Git for signed CI/DEPLOY commits.
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
         shell: bash
         run: |
+          set -euo pipefail
           export GNUPGHOME="$(pwd)/.gnupg"
           git config user.name "Marc S. Weidner BOT"
           git config user.email "msw+bot@coresecret.dev"
@@ -92,43 +97,47 @@ jobs:
           git config gpg.program gpg
           git config gpg.format openpgp
 
-      - name: Convert APT sources to HTTPS.
+      - name: ⚙️ Convert APT sources to HTTPS.
         shell: bash
         run: |
+          set -euo pipefail
           sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
           sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
 
-      - name: Install Pandoc & dependencies.
+      - name: 🛠️ Install Pandoc & Dependencies.
         shell: bash
         run: |
+          set -euo pipefail
           sudo apt-get update
           sudo apt-get install -y pandoc
 
-      #- name: Ensure .html/ directory exists.
-      #  shell: bash
-      #  run:
-      #    mkdir -p .html
+      - name: ⚙️ Ensure .html/ directory exists.
+        shell: bash
+        run:
+          mkdir -p .html
 
-      #- name: Render *.md to full standalone HTML.
-      #  shell: bash
-      #  run: |
-      #    find . \( -path "*/.*" -prune \) -o -type f -name "*.md" -print  | while read file; do
-      #      out=$(basename "${file%.md}.html")
-      #      pandoc -s "${file}" \
-      #        --metadata title="${file}" \
-      #        --metadata lang=en \
-      #        -f gfm+footnotes \
-      #        -t html5 \
-      #        --no-highlight \
-      #        --strip-comments \
-      #        --wrap=none \
-      #        --lua-filter=.gitea/properties/lua/linkfix.lua \
-      #        -o .html/"${out}"
-      #    done
-
-      - name: Extract HTML fragment for Gitea for *.md.
+      - name: 🛠️ Render *.md to full standalone HTML.
         shell: bash
         run: |
+          set -euo pipefail
+          find . \( -path "*/.*" -prune \) -o -type f -name "*.md" -print  | while read file; do
+            out=$(basename "${file%.md}.html")
+            pandoc -s "${file}" \
+              --metadata title="${file}" \
+              --metadata lang=en \
+              -f gfm+footnotes \
+              -t html5 \
+              --no-highlight \
+              --strip-comments \
+              --wrap=none \
+              --lua-filter=.gitea/properties/lua/linkfix.lua \
+              -o .html/"${out}"
+          done
+
+      - name: 🛠️ Extract HTML fragment for Gitea for *.md.
+        shell: bash
+        run: |
+          set -euo pipefail
           find . \( -path "*/.*" -prune \) -o -type f -name "README.md" -print | while read file; do
             out="${file%.md}.html"
             pandoc "${file}" \
@@ -141,7 +150,16 @@ jobs:
               -o "${out}"
           done
 
-      - name: Sync with remote before commit to avoid Job Race Conditions.
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
         shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
@@ -149,39 +167,75 @@ jobs:
           set -euo pipefail
           export GNUPGHOME="$(pwd)/.gnupg"
 
-          echo "🔒 Stashing local changes (if any) ..."
-          git stash push --include-untracked --message "pre-rebase stash" || true
-
-          echo "🔄 Fetching and rebasing from origin/master ..."
+          echo "🔄 Fetching origin/master ..."
           git fetch origin master
-          git rebase origin/master
 
-          echo "🎯 Restoring local changes from stash (if any) ..."
-          git stash pop || echo "ℹ️ Nothing to pop or merge conflict during stash pop."
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
 
-          echo "📋 Current status after rebase : "
+          echo "📋 Post-merge status :"
           git status
           git log --oneline -n 5
 
-      - name: Stage generated files.
+      - name: 🛠️ Restore stashed changes.
         shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
-          git add '*.html'
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
 
-      - name: Commit and Sign changes.
+      - name: 📦 Stage generated files.
         shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
+          set -euo pipefail
+          git add *.html  || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
           export GNUPGHOME="$(pwd)/.gnupg"
-          git commit -S -m "DEPLOY BOT: Auto-Generate *.html from *.md [skip ci]" || echo "No Changes, nothing to Sign or to Commit."
 
-      - name: Push back to Repository.
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🔁 Auto-Generate *.html from *.md [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
         shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
           git push origin HEAD:${GITHUB_REF_NAME}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -11,5 +11,5 @@
 
 build:
   counter: 1024
-  version: V8.03.132.2025.06.02
+  version: V8.03.832.2025.06.24
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml

@@ -0,0 +1,15 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+build:
+  counter: 1023
+  version: V8.03.832.2025.06.24
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PUBLIC.yaml

@@ -0,0 +1,15 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+build:
+  counter: 1023
+  version: V8.03.832.2025.06.24
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_dns.yaml

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 build:
-  counter: 1024
-  version: V8.03.127.2025.06.02
+  counter: 1023
+  version: V8.03.832.2025.06.24
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate-iso.yaml

@@ -1,304 +0,0 @@
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-### Version Master V8.03.127.2025.06.02
-
-name: Generating a private Live ISO.
-
-permissions:
-  contents: write
-
-on:
-  push:
-    branches:
-      - master
-    paths:
-      - '.gitea/trigger/t_generate_iso.yaml'
-
-jobs:
-  generate-private-ciss-debian-live-iso:
-    name: Generating a private Live ISO.
-    runs-on: ciss.debian.live.builder
-
-    ### Run all steps inside Debian Bookworm
-    container:
-      image: debian:trixie
-
-    steps:
-      - name: Basic Image Setup and enable Bookworm Backports.
-        run: |
-          apt-get update
-          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
-          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
-            >| /etc/apt/sources.list.d/bookworm-backports.list
-          apt-get update
-
-      - name: Installing Build Tools.
-        shell: bash
-        run: |
-          apt-get update
-          apt-get install -y \
-            cryptsetup \
-            curl \
-            debootstrap \
-            dosfstools \
-            efibootmgr \
-            gnupg \
-            git \
-            gpgv \
-            haveged \
-            live-build \
-            parted \
-            ssh \
-            ssl-cert \
-            wget \
-            whois
-
-      - name: Check GnuPG Version.
-        shell: bash
-        run: |
-          gpg --version
-
-      - name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
-        shell: bash
-        run: |
-          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
-
-          ### Private Key
-          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
-
-          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
-          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
-
-          ### Generate SSH Config for git.coresecret.dev Custom-Port
-          cat <<EOF >| ~/.ssh/config
-          Host git.coresecret.dev
-            HostName git.coresecret.dev
-            Port 42842
-            IdentityFile ~/.ssh/id_ed25519
-            StrictHostKeyChecking yes
-            UserKnownHostsFile ~/.ssh/known_hosts
-          EOF
-          chmod 600 ~/.ssh/config
-
-      ### https://github.com/actions/checkout/issues/1843
-      - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
-        shell: bash
-        env:
-          ### GITHUB_REF_NAME contains the branch name from the push event.
-          GITHUB_REF_NAME: ${{ github.ref_name }}
-        run: |
-          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
-          git fetch --unshallow || echo "Nothing to fetch - already full clone."
-
-      - name: Cleaning the workspace.
-        shell: bash
-        run: |
-          git reset --hard
-          git clean -fd
-
-      - name: Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
-        run: |
-          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
-          mkdir -m 700 "${GNUPGHOME}"
-          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
-          gpg --batch --import ci-bot.sec.asc
-          ### Trust the key automatically
-          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
-          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
-
-      - name: Configuring Git for signed CI/DEPLOY commits.
-        shell: bash
-        run: |
-          export GNUPGHOME="$(pwd)/.gnupg"
-          git config user.name "Marc S. Weidner BOT"
-          git config user.email "msw+bot@coresecret.dev"
-          git config commit.gpgsign true
-          git config gpg.program gpg
-          git config gpg.format openpgp
-
-      - name: Preparing the build environment.
-        shell: bash
-        run: |
-          mkdir -p /opt/config
-          mkdir -p /opt/livebuild
-          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
-          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
-          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
-          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
-
-      - name: Starting CISS.debian.live.builder. This may take a while ...
-        shell: bash
-        run: |
-          chmod 0755 ciss_live_builder.sh
-          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
-          ./ciss_live_builder.sh \
-            --autobuild=6.12.22+bpo-amd64 \
-            --architecture amd64 \
-            --build-directory /opt/livebuild \
-            --control "${timestamp}" \
-            --debug \
-            --dhcp-centurion \
-            --jump-host "${{ secrets.CISS_DLB_JUMP_HOSTS }}" \
-            --provider-netcup-ipv6 "${{ secrets.CISS_DLB_NETCUP_IPV6 }}" \
-            --root-password-file /opt/config/password.txt \
-            --ssh-port 42842 \
-            --ssh-pubkey /opt/config
-
-      - name: Checking Centurion Cloud for existing LIVE ISOs.
-        shell: bash
-        env:
-          NC_BASE: "https://cloud.e2ee.li"
-          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
-          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
-        run: |
-          set -euo pipefail
-          SHARE_SUBDIR=""
-
-          echo "Get directory listing via PROPFIND ..."
-          curl -s \
-          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
-          -X PROPFIND \
-          -H "Depth: 1" \
-          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
-          -o propfind_public.xml
-
-          echo "Filter .iso files from the PROPFIND response ..."
-          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
-
-          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
-            echo "Old ISO files found and deleted :"
-            while IFS= read -r href; do
-              FILE_URL="${NC_BASE}${href}"
-              echo "  Delete: ${FILE_URL}"
-              if curl -s \
-                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
-                  -X DELETE "${FILE_URL}"; then
-                echo "    ✅ Successfully deleted: $(basename "${href}")"
-              else
-                echo "    ❌ Error: $(basename "${href}") could not be deleted"
-              fi
-            done < public_iso_list.txt
-          else
-            echo "No old ISO files found to delete."
-          fi
-
-      - name: Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
-        shell: bash
-        env:
-          NC_BASE: "https://cloud.e2ee.li"
-          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
-          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
-        run: |
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
-            echo "❌ There must be exactly one .iso file in the directory!"
-            exit 1
-          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
-            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
-            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
-          fi
-
-          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
-          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
-          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}"; then
-            echo "✅ New ISO successfully uploaded."
-          else
-            echo "❌ Uploading the new ISO failed."
-            exit 1
-          fi
-
-      - name: Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
-        shell: bash
-        run: |
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
-            echo "❌ There must be exactly one .iso file in the directory!"
-            exit 1
-          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
-            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
-            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
-          fi
-
-          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
-          touch "${VAR_ISO_FILE_SHA512}"
-          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
-          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
-          touch "${SIGNATURE_FILE}"
-          export GNUPGHOME="$(pwd)/.gnupg"
-          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
-
-          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-          PRIVATE_FILE="LIVE_ISO.private"
-          touch "${PRIVATE_FILE}"
-          cat << EOF >| "${PRIVATE_FILE}"
-          # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
-          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-          # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-          # SPDX-FileType: SOURCE
-          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-          # SPDX-PackageName: CISS.debian.live.builder
-          # SPDX-Security-Contact: security@coresecret.eu
-
-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
-
-          CISS.debian.live.builder ISO :
-            "${VAR_ISO_FILE_NAME}"
-          CISS.debian.live.builder ISO sha512 :
-            "${VAR_ISO_FILE_SHA512}"
-          CISS.debian.live.builder ISO sha512 sign :
-            $(< "${SIGNATURE_FILE}")
-
-          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
-          EOF
-
-      - name: Sync with remote before commit to avoid Job Race Conditions.
-        shell: bash
-        env:
-          GIT_SSH_COMMAND: "ssh -p 42842"
-        run: |
-          export GNUPGHOME="$(pwd)/.gnupg"
-          git fetch origin master
-          git rebase origin/master
-          git status
-          git log --oneline -n 5
-
-      - name: Stage generated files.
-        shell: bash
-        env:
-          GIT_SSH_COMMAND: "ssh -p 42842"
-        run: |
-          PRIVATE_FILE="LIVE_ISO.private"
-          git add "${PRIVATE_FILE}"
-
-      - name: Commit and Sign changes.
-        shell: bash
-        env:
-          GIT_SSH_COMMAND: "ssh -p 42842"
-        run: |
-          export GNUPGHOME="$(pwd)/.gnupg"
-          git commit -S -m "DEPLOY BOT: Auto-Generate LIVE ISO [skip ci]" || echo "No Changes, nothing to Sign or to Commit."
-
-      - name: Push back to Repository.
-        shell: bash
-        env:
-          GIT_SSH_COMMAND: "ssh -p 42842"
-        run: |
-          git push origin HEAD:${GITHUB_REF_NAME}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml

@@ -0,0 +1,485 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.03.832.2025.06.24
+
+name: 🔐 Generating a Private Live ISO FLV 0.
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - '.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml'
+
+jobs:
+  generate-private-ciss-debian-live-iso:
+    name: 🔐 Generating a Private Live ISO FLV 0.
+    runs-on: ciss.debian.live.builder.iso.generator
+
+    ### Run all steps inside Debian Bookworm
+    container:
+      image: debian:bookworm
+
+    steps:
+      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
+        run: |
+          apt-get update -y
+          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
+          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
+            >| /etc/apt/sources.list.d/bookworm-backports.list
+          apt-get update -y
+          apt-get upgrade -y
+
+      - name: 🛠️ Installing Build Tools.
+        shell: bash
+        run: |
+          apt-get update -y
+          apt-get install -y \
+            autoconf \
+            automake \
+            build-essential \
+            cryptsetup \
+            curl \
+            debootstrap \
+            dosfstools \
+            efibootmgr \
+            gettext \
+            git \
+            gnupg \
+            haveged \
+            libbz2-dev \
+            zlib1g-dev \
+            liblzma-dev \
+            libtool \
+            live-build \
+            parted \
+            pkg-config \
+            ssh \
+            ssl-cert \
+            sudo \
+            texinfo \
+            wget \
+            whois \
+
+      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
+        shell: bash
+        run: |
+          urls=(
+            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
+          )
+
+          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
+          gpg --batch --import signature_key.asc
+
+          for url in "${urls[@]}"; do
+            archive_name="${url##*/}"
+            pkg_name="${archive_name%.tar.bz2}"
+            echo "🔄 Processing ${pkg_name}"
+            if [[ ! -f "${archive_name}" ]]; then
+              echo "📥 Downloading: '${archive_name}'."
+              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
+                echo "✅ Download successful: '${archive_name}'."
+              else
+                echo "❌ Download NOT successful: '${archive_name}'."
+                exit 1
+              fi
+            else
+              echo "💡 Skipping download, package already exists: '${archive_name}'."
+            fi
+
+            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
+
+            if [[ ! -d "${pkg_name}" ]]; then
+              echo "📂 Extracting: '${archive_name}'."
+              if tar -xjf "${archive_name}"; then
+                echo "✅ Extraction successful: '${archive_name}'."
+              else
+                echo "❌ Extraction not successful: '${archive_name}'."
+                exit 1
+              fi
+            else
+              echo "💡 Skipping directory, already exists: '${pkg_name}'."
+            fi
+
+            echo "🏗️ Build and install the package: '${pkg_name}'."
+            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
+            mkdir -p build
+            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
+
+            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
+            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
+            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
+
+            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
+
+            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
+            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
+            echo "✅ Successful build and installation of '${pkg_name}'."
+            echo "-------------------------------------------------------------------------------------"
+
+          done
+
+          rm -f signature_key.asc
+
+          echo "✅ All packages were built and installed successfully."
+
+          mv_bin=(
+            "/usr/bin/gpg"
+            "/usr/bin/gpg-agent"
+            "/usr/bin/gpgconf"
+            "/usr/bin/gpg-connect-agent"
+            "/usr/bin/gpg-wks-client"
+            "/usr/bin/gpg-preset-passphrase"
+          )
+
+          for bin in "${mv_bin[@]}"; do
+            name="${bin##*/}"
+            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
+              if mv "${bin}" "${bin}.debian-backup"; then
+                echo "✅ Moved successfully: '${bin}'."
+              else
+                echo "❌ Moved NOT successfully: '${bin}'."
+              fi
+            else
+              echo "💡 Does not exist as build binary: '${bin}'."
+            fi
+          done
+
+          for bin in "${mv_bin[@]}"; do
+            name="${bin##*/}"
+            if [[ -f "/usr/local/bin/${name}" ]]; then
+              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
+                echo "✅ 'update-alternatives' successfully: '${bin}'."
+              else
+                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
+              fi
+            else
+              echo "💡 Does not exist: '/usr/local/bin/${name}'."
+            fi
+          done
+
+          sudo ldconfig
+
+          gpgconf --kill all
+          /usr/local/bin/gpg-agent --daemon
+
+      - name: ⚙️ Check GnuPG Version.
+        shell: bash
+        run: |
+          gpg --version
+
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        shell: bash
+        run: |
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            HostName git.coresecret.dev
+            Port 42842
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        shell: bash
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+      - name: 🛠️ Cleaning the workspace.
+        shell: bash
+        run: |
+          git reset --hard
+          git clean -fd
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        shell: bash
+        run: |
+          set -euo pipefail
+          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          export GNUPGHOME="$(pwd)/.gnupg"
+          mkdir -m 700 "${GNUPGHOME}"
+          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
+          gpg --batch --import centurion-root.PUB.asc
+          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+          gpg --batch --import ci-bot.sec.asc
+          ### Trust the key automatically
+          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        shell: bash
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Preparing the build environment.
+        shell: bash
+        run: |
+          set -euo pipefail
+          mkdir -p /opt/config
+          mkdir -p /opt/livebuild
+          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
+          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
+          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
+          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
+
+      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
+        shell: bash
+        run: |
+          set -euo pipefail
+          chmod 0755 ciss_live_builder.sh
+          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
+          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+          ./ciss_live_builder.sh \
+            --autobuild=6.12.30+bpo-amd64 \
+            --architecture amd64 \
+            --build-directory /opt/livebuild \
+            --control "${timestamp}" \
+            --debug \
+            --dhcp-centurion \
+            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
+            --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
+            --root-password-file /opt/config/password.txt \
+            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
+            --ssh-pubkey /opt/config
+
+      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
+        run: |
+          set -euo pipefail
+          SHARE_SUBDIR=""
+
+          echo "📥 Get directory listing via PROPFIND ..."
+          curl -s \
+          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          -X PROPFIND \
+          -H "Depth: 1" \
+          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+          -o propfind_public.xml
+
+          echo "📥 Filter .iso files from the PROPFIND response ..."
+          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
+
+          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+            echo "💡 Old ISO files found and deleted :"
+            while IFS= read -r href; do
+              FILE_URL="${NC_BASE}${href}"
+              echo "  Delete: ${FILE_URL}"
+              if curl -s \
+                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+                  -X DELETE "${FILE_URL}"; then
+                echo "    ✅ Successfully deleted: $(basename "${href}")"
+              else
+                echo "    ❌ Error: $(basename "${href}") could not be deleted"
+              fi
+            done < public_iso_list.txt
+          else
+            echo "💡 No old ISO files found to delete."
+          fi
+
+      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
+        run: |
+          set -euo pipefail
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+            echo "✅ New ISO successfully uploaded."
+          else
+            echo "❌ Uploading the new ISO failed."
+            exit 1
+          fi
+
+      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
+        shell: bash
+        run: |
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
+          touch "${VAR_ISO_FILE_SHA512}"
+          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
+          touch "${SIGNATURE_FILE}"
+          export GNUPGHOME="$(pwd)/.gnupg"
+          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          PRIVATE_FILE="LIVE_ISO_FLV_0.private"
+          touch "${PRIVATE_FILE}"
+          cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+
+          CISS.debian.live.builder ISO :
+            "${VAR_ISO_FILE_NAME}"
+          CISS.debian.live.builder ISO sha512 :
+            $(< "${VAR_ISO_FILE_SHA512}")
+          CISS.debian.live.builder ISO sha512 sign :
+            $(< "${SIGNATURE_FILE}")
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LIVE_ISO_FLV_0.private"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 0 [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml

@@ -0,0 +1,482 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.03.832.2025.06.24
+
+name: 🔐 Generating a Private Live ISO FLV 1.
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - '.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml'
+
+jobs:
+  generate-private-ciss-debian-live-iso:
+    name: 🔐 Generating a Private Live ISO FLV 1.
+    runs-on: ciss.debian.live.builder.iso.generator
+
+    ### Run all steps inside Debian Bookworm
+    container:
+      image: debian:bookworm
+
+    steps:
+      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
+        run: |
+          apt-get update -y
+          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
+          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
+            >| /etc/apt/sources.list.d/bookworm-backports.list
+          apt-get update -y
+          apt-get upgrade -y
+
+      - name: 🛠️ Installing Build Tools.
+        shell: bash
+        run: |
+          apt-get update -y
+          apt-get install -y \
+            autoconf \
+            automake \
+            build-essential \
+            cryptsetup \
+            curl \
+            debootstrap \
+            dosfstools \
+            efibootmgr \
+            gettext \
+            git \
+            gnupg \
+            haveged \
+            libbz2-dev \
+            zlib1g-dev \
+            liblzma-dev \
+            libtool \
+            live-build \
+            parted \
+            pkg-config \
+            ssh \
+            ssl-cert \
+            sudo \
+            texinfo \
+            wget \
+            whois \
+
+      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
+        shell: bash
+        run: |
+          urls=(
+            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
+          )
+
+          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
+          gpg --batch --import signature_key.asc
+
+          for url in "${urls[@]}"; do
+            archive_name="${url##*/}"
+            pkg_name="${archive_name%.tar.bz2}"
+            echo "🔄 Processing ${pkg_name}"
+            if [[ ! -f "${archive_name}" ]]; then
+              echo "📥 Downloading: '${archive_name}'."
+              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
+                echo "✅ Download successful: '${archive_name}'."
+              else
+                echo "❌ Download NOT successful: '${archive_name}'."
+                exit 1
+              fi
+            else
+              echo "💡 Skipping download, package already exists: '${archive_name}'."
+            fi
+
+            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
+
+            if [[ ! -d "${pkg_name}" ]]; then
+              echo "📂 Extracting: '${archive_name}'."
+              if tar -xjf "${archive_name}"; then
+                echo "✅ Extraction successful: '${archive_name}'."
+              else
+                echo "❌ Extraction not successful: '${archive_name}'."
+                exit 1
+              fi
+            else
+              echo "💡 Skipping directory, already exists: '${pkg_name}'."
+            fi
+
+            echo "🏗️ Build and install the package: '${pkg_name}'."
+            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
+            mkdir -p build
+            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
+
+            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
+            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
+            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
+
+            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
+
+            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
+            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
+            echo "✅ Successful build and installation of '${pkg_name}'."
+            echo "-------------------------------------------------------------------------------------"
+
+          done
+
+          rm -f signature_key.asc
+
+          echo "✅ All packages were built and installed successfully."
+
+          mv_bin=(
+            "/usr/bin/gpg"
+            "/usr/bin/gpg-agent"
+            "/usr/bin/gpgconf"
+            "/usr/bin/gpg-connect-agent"
+            "/usr/bin/gpg-wks-client"
+            "/usr/bin/gpg-preset-passphrase"
+          )
+
+          for bin in "${mv_bin[@]}"; do
+            name="${bin##*/}"
+            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
+              if mv "${bin}" "${bin}.debian-backup"; then
+                echo "✅ Moved successfully: '${bin}'."
+              else
+                echo "❌ Moved NOT successfully: '${bin}'."
+              fi
+            else
+              echo "💡 Does not exist as build binary: '${bin}'."
+            fi
+          done
+
+          for bin in "${mv_bin[@]}"; do
+            name="${bin##*/}"
+            if [[ -f "/usr/local/bin/${name}" ]]; then
+              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
+                echo "✅ 'update-alternatives' successfully: '${bin}'."
+              else
+                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
+              fi
+            else
+              echo "💡 Does not exist: '/usr/local/bin/${name}'."
+            fi
+          done
+
+          sudo ldconfig
+
+          gpgconf --kill all
+          /usr/local/bin/gpg-agent --daemon
+
+      - name: ⚙️ Check GnuPG Version.
+        shell: bash
+        run: |
+          gpg --version
+
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        shell: bash
+        run: |
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            HostName git.coresecret.dev
+            Port 42842
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        shell: bash
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+      - name: 🛠️ Cleaning the workspace.
+        shell: bash
+        run: |
+          git reset --hard
+          git clean -fd
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        shell: bash
+        run: |
+          set -euo pipefail
+          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          export GNUPGHOME="$(pwd)/.gnupg"
+          mkdir -m 700 "${GNUPGHOME}"
+          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
+          gpg --batch --import centurion-root.PUB.asc
+          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+          gpg --batch --import ci-bot.sec.asc
+          ### Trust the key automatically
+          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        shell: bash
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Preparing the build environment.
+        shell: bash
+        run: |
+          set -euo pipefail
+          mkdir -p /opt/config
+          mkdir -p /opt/livebuild
+          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
+          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
+          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt
+          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys
+
+      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
+        shell: bash
+        run: |
+          set -euo pipefail
+          chmod 0755 ciss_live_builder.sh
+          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
+          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+          ./ciss_live_builder.sh \
+            --autobuild=6.12.30+bpo-amd64 \
+            --architecture amd64 \
+            --build-directory /opt/livebuild \
+            --control "${timestamp}" \
+            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
+            --root-password-file /opt/config/password.txt \
+            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
+            --ssh-pubkey /opt/config
+
+      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
+        run: |
+          set -euo pipefail
+          SHARE_SUBDIR=""
+
+          echo "📥 Get directory listing via PROPFIND ..."
+          curl -s \
+          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          -X PROPFIND \
+          -H "Depth: 1" \
+          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+          -o propfind_public.xml
+
+          echo "📥 Filter .iso files from the PROPFIND response ..."
+          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
+
+          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+            echo "💡 Old ISO files found and deleted :"
+            while IFS= read -r href; do
+              FILE_URL="${NC_BASE}${href}"
+              echo "  Delete: ${FILE_URL}"
+              if curl -s \
+                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+                  -X DELETE "${FILE_URL}"; then
+                echo "    ✅ Successfully deleted: $(basename "${href}")"
+              else
+                echo "    ❌ Error: $(basename "${href}") could not be deleted"
+              fi
+            done < public_iso_list.txt
+          else
+            echo "💡 No old ISO files found to delete."
+          fi
+
+      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
+        run: |
+          set -euo pipefail
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+            echo "✅ New ISO successfully uploaded."
+          else
+            echo "❌ Uploading the new ISO failed."
+            exit 1
+          fi
+
+      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
+        shell: bash
+        run: |
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
+          touch "${VAR_ISO_FILE_SHA512}"
+          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
+          touch "${SIGNATURE_FILE}"
+          export GNUPGHOME="$(pwd)/.gnupg"
+          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          PRIVATE_FILE="LIVE_ISO_FLV_1.private"
+          touch "${PRIVATE_FILE}"
+          cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+
+          CISS.debian.live.builder ISO :
+            "${VAR_ISO_FILE_NAME}"
+          CISS.debian.live.builder ISO sha512 :
+            $(< "${VAR_ISO_FILE_SHA512}")
+          CISS.debian.live.builder ISO sha512 sign :
+            $(< "${SIGNATURE_FILE}")
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LIVE_ISO_FLV_1.private"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 1 [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PUBLIC_iso.yaml

@@ -0,0 +1,482 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.03.832.2025.06.24
+
+name: 💙 Generating a PUBLIC Live ISO.
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - '.gitea/trigger/t_generate_PUBLIC.yaml'
+
+jobs:
+  generate-private-ciss-debian-live-iso:
+    name: 💙 Generating a PUBLIC Live ISO.
+    runs-on: ciss.debian.live.builder.iso.generator
+
+    ### Run all steps inside Debian Bookworm
+    container:
+      image: debian:bookworm
+
+    steps:
+      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
+        run: |
+          apt-get update -y
+          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
+          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
+            >| /etc/apt/sources.list.d/bookworm-backports.list
+          apt-get update -y
+          apt-get upgrade -y
+
+      - name: 🛠️ Installing Build Tools.
+        shell: bash
+        run: |
+          apt-get update -y
+          apt-get install -y \
+            autoconf \
+            automake \
+            build-essential \
+            cryptsetup \
+            curl \
+            debootstrap \
+            dosfstools \
+            efibootmgr \
+            gettext \
+            git \
+            gnupg \
+            haveged \
+            libbz2-dev \
+            zlib1g-dev \
+            liblzma-dev \
+            libtool \
+            live-build \
+            parted \
+            pkg-config \
+            ssh \
+            ssl-cert \
+            sudo \
+            texinfo \
+            wget \
+            whois \
+
+      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
+        shell: bash
+        run: |
+          urls=(
+            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
+            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
+          )
+
+          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
+          gpg --batch --import signature_key.asc
+
+          for url in "${urls[@]}"; do
+            archive_name="${url##*/}"
+            pkg_name="${archive_name%.tar.bz2}"
+            echo "🔄 Processing ${pkg_name}"
+            if [[ ! -f "${archive_name}" ]]; then
+              echo "📥 Downloading: '${archive_name}'."
+              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
+                echo "✅ Download successful: '${archive_name}'."
+              else
+                echo "❌ Download NOT successful: '${archive_name}'."
+                exit 1
+              fi
+            else
+              echo "💡 Skipping download, package already exists: '${archive_name}'."
+            fi
+
+            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
+
+            if [[ ! -d "${pkg_name}" ]]; then
+              echo "📂 Extracting: '${archive_name}'."
+              if tar -xjf "${archive_name}"; then
+                echo "✅ Extraction successful: '${archive_name}'."
+              else
+                echo "❌ Extraction not successful: '${archive_name}'."
+                exit 1
+              fi
+            else
+              echo "💡 Skipping directory, already exists: '${pkg_name}'."
+            fi
+
+            echo "🏗️ Build and install the package: '${pkg_name}'."
+            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
+            mkdir -p build
+            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
+
+            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
+            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
+            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
+
+            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
+
+            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
+            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
+            echo "✅ Successful build and installation of '${pkg_name}'."
+            echo "-------------------------------------------------------------------------------------"
+
+          done
+
+          rm -f signature_key.asc
+
+          echo "✅ All packages were built and installed successfully."
+
+          mv_bin=(
+            "/usr/bin/gpg"
+            "/usr/bin/gpg-agent"
+            "/usr/bin/gpgconf"
+            "/usr/bin/gpg-connect-agent"
+            "/usr/bin/gpg-wks-client"
+            "/usr/bin/gpg-preset-passphrase"
+          )
+
+          for bin in "${mv_bin[@]}"; do
+            name="${bin##*/}"
+            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
+              if mv "${bin}" "${bin}.debian-backup"; then
+                echo "✅ Moved successfully: '${bin}'."
+              else
+                echo "❌ Moved NOT successfully: '${bin}'."
+              fi
+            else
+              echo "💡 Does not exist as build binary: '${bin}'."
+            fi
+          done
+
+          for bin in "${mv_bin[@]}"; do
+            name="${bin##*/}"
+            if [[ -f "/usr/local/bin/${name}" ]]; then
+              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
+                echo "✅ 'update-alternatives' successfully: '${bin}'."
+              else
+                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
+              fi
+            else
+              echo "💡 Does not exist: '/usr/local/bin/${name}'."
+            fi
+          done
+
+          sudo ldconfig
+
+          gpgconf --kill all
+          /usr/local/bin/gpg-agent --daemon
+
+      - name: ⚙️ Check GnuPG Version.
+        shell: bash
+        run: |
+          gpg --version
+
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        shell: bash
+        run: |
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            HostName git.coresecret.dev
+            Port 42842
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        shell: bash
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+      - name: 🛠️ Cleaning the workspace.
+        shell: bash
+        run: |
+          git reset --hard
+          git clean -fd
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        shell: bash
+        run: |
+          set -euo pipefail
+          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          export GNUPGHOME="$(pwd)/.gnupg"
+          mkdir -m 700 "${GNUPGHOME}"
+          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
+          gpg --batch --import centurion-root.PUB.asc
+          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+          gpg --batch --import ci-bot.sec.asc
+          ### Trust the key automatically
+          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        shell: bash
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Preparing the build environment.
+        shell: bash
+        run: |
+          set -euo pipefail
+          mkdir -p /opt/config
+          mkdir -p /opt/livebuild
+          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
+          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
+          echo 'Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH' >| /opt/config/password.txt
+          echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY' >| /opt/config/authorized_keys
+
+      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
+        shell: bash
+        run: |
+          set -euo pipefail
+          sed -i '/^hardening_ssh.*/d' ciss_live_builder.sh
+          chmod 0755 ciss_live_builder.sh
+          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
+          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+          ./ciss_live_builder.sh \
+            --autobuild=6.12.30+bpo-amd64 \
+            --architecture amd64 \
+            --build-directory /opt/livebuild \
+            --control "${timestamp}" \
+            --root-password-file /opt/config/password.txt \
+            --ssh-port 42137 \
+            --ssh-pubkey /opt/config
+
+      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
+        run: |
+          set -euo pipefail
+          SHARE_SUBDIR=""
+
+          echo "📥 Get directory listing via PROPFIND ..."
+          curl -s \
+          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          -X PROPFIND \
+          -H "Depth: 1" \
+          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+          -o propfind_public.xml
+
+          echo "📥 Filter .iso files from the PROPFIND response ..."
+          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
+
+          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+            echo "💡 Old ISO files found and deleted :"
+            while IFS= read -r href; do
+              FILE_URL="${NC_BASE}${href}"
+              echo "  Delete: ${FILE_URL}"
+              if curl -s \
+                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+                  -X DELETE "${FILE_URL}"; then
+                echo "    ✅ Successfully deleted: $(basename "${href}")"
+              else
+                echo "    ❌ Error: $(basename "${href}") could not be deleted"
+              fi
+            done < public_iso_list.txt
+          else
+            echo "💡 No old ISO files found to delete."
+          fi
+
+      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
+        run: |
+          set -euo pipefail
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+            echo "✅ New ISO successfully uploaded."
+          else
+            echo "❌ Uploading the new ISO failed."
+            exit 1
+          fi
+
+      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
+        shell: bash
+        run: |
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
+          touch "${VAR_ISO_FILE_SHA512}"
+          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
+          touch "${SIGNATURE_FILE}"
+          export GNUPGHOME="$(pwd)/.gnupg"
+          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          PRIVATE_FILE="LIVE_ISO.public"
+          touch "${PRIVATE_FILE}"
+          cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+
+          CISS.debian.live.builder ISO :
+            "${VAR_ISO_FILE_NAME}"
+          CISS.debian.live.builder ISO sha512 :
+            $(< "${VAR_ISO_FILE_SHA512}")
+          CISS.debian.live.builder ISO sha512 sign :
+            $(< "${SIGNATURE_FILE}")
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LIVE_ISO.public"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/linter_char_scripts.yaml

@@ -0,0 +1,339 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.03.832.2025.06.24
+
+# Gitea Workflow: Shell-Script Linting
+#
+# This workflow scans all '*.sh', '*.zsh', '*.chroot' and all files with Shebang (#!) for:
+# 1. Windows CRLF line endings
+# 2. unauthorized control characters (C0 control characters except \t, \n)
+# 3. non-ASCII (ambiguous UTF) characters
+#
+# Findings are collected and at the end of the run with file, line number,
+# and the respective character in the Runner output.
+
+name: 🛡️ Shell Script Linting
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  shell-script-linter:
+    name: 🛡️ Shell Script Linting
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        shell: bash
+        run: |
+          set -euo pipefail
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            HostName git.coresecret.dev
+            Port 42842
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        shell: bash
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+      - name: 🛠️ Cleaning the workspace.
+        shell: bash
+        run: |
+          set -euo pipefail
+          git reset --hard
+          git clean -fd
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        shell: bash
+        run: |
+          set -euo pipefail
+          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          export GNUPGHOME="$(pwd)/.gnupg"
+          mkdir -m 700 "${GNUPGHOME}"
+          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+          gpg --batch --import ci-bot.sec.asc
+          ### Trust the key automatically
+          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        shell: bash
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Convert APT sources to HTTPS.
+        shell: bash
+        run: |
+          set -euo pipefail
+          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
+          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
+
+      - name: 🛠️ Install dependencies.
+        shell: bash
+        run: |
+          ### Install grep with Perl-regex support, falls noch nicht vorhanden
+          apt-get update
+          apt-get upgrade -y
+          apt-get install -y grep
+
+      - name: 🔍 Lint shell scripts
+        shell: bash
+        run: |
+          # -------------------------------
+          # STEP 1: Find target files.
+          #
+          # We capture:
+          # - All files '*.sh', '*.zsh', '*.chroot'
+          # - All files whose first line begins with "#!" (shebang)
+          # -------------------------------
+          mapfile -t files_to_check < <(
+            find . \
+              -path './.git' -prune -o \
+              -type f \( \
+                -iname '*.sh' -o \
+                -iname '*.zsh' -o \
+                -iname '*.chroot' -o \
+                -exec grep -Iq '^#!' {} \; \
+              \) -print
+          )
+
+          # -------------------------------
+          # STEP 2: Regex definitions
+          #
+          # - CRLF_REGEX           Carriage Return (\r) for Windows CRLF
+          # - CTRL_REGEX           C0 control characters except Tab (\x09) and Newline (\x0A)
+          #   - Range:             [\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]
+          # - NON_ASCII_REGEX      All bytes -> 0x7F, except emoji characters in defined ranges
+          #
+          # Emoji ranges that we exclude:
+          # - \x{1F300}-\x{1F5FF}  Misc Symbols & Pictographs
+          # - \x{1F600}-\x{1F64F}  Emoticons
+          # - \x{1F680}-\x{1F6FF}  Transport & Map Symbols
+          # - \x{1F900}-\x{1F9FF}  Supplemental Symbols & Pictographs
+          # - \x{2600}-\x{26FF}    Miscellaneous Symbols
+          # - \x{2700}-\x{27BF}    Dingbats
+          # -------------------------------
+
+          CRLF_REGEX=$'\r'
+          CTRL_REGEX='[\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]'
+          NON_ASCII_REGEX='(?![\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}])[^\x00-\x7F]'
+
+          # -------------------------------
+          # STEP 3: Accumulator for findings
+          # -------------------------------
+          findings=""
+
+          # -------------------------------
+          # STEP 4: Perform all checks for each file
+          # -------------------------------
+          for file in "${files_to_check[@]}"; do
+            #
+            # 4.1: CRLF detection
+            #      grep -nP returns "lineno:<line with CR>"
+            # -------------------------------
+            while IFS=: read -r lineno _rest; do
+              findings+="${file}: CRLF-found at line ${lineno}: <CR>"$'\n'
+            done < <(grep -nP "${CRLF_REGEX}" "${file}" || true)
+
+            #
+            # 4.2: Unallowed control characters
+            #      grep -nP -o returns "lineno:<matched-char>"
+            # -------------------------------
+            while IFS=: read -r lineno char; do
+              findings+="${file}: control-char at line ${lineno}: ${char}"$'\n'
+            done < <(grep -nP -o "${CTRL_REGEX}" "${file}" || true)
+
+            #
+            # 4.3: Non-ASCII characters with emoji exception
+            #      grep -nP -o returns "lineno:<matched-char>"
+            # -------------------------------
+            while IFS=: read -r lineno char; do
+              findings+="${file}: non-ascii at line ${lineno}: ${char}"$'\n'
+            done < <(grep -nP -o "${NON_ASCII_REGEX}" "${file}" || true)
+          done
+
+          # -------------------------------
+          # STEP 5: Output results
+          # -------------------------------
+          if [[ -n "${findings}" ]]; then
+            echo -e "⚠️ Linting issues detected:\n"
+            echo -e "${findings}"
+            timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+            PRIVATE_FILE="LINTER_RESULTS.txt"
+            touch "${PRIVATE_FILE}"
+            cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+
+          ⚠️ The last linter check was NOT successful. ⚠️
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+          else
+            echo "✅ No issues found in shell scripts."
+            timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+            PRIVATE_FILE="LINTER_RESULTS.txt"
+            touch "${PRIVATE_FILE}"
+            cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+
+          ✅ The last linter check was successful. ✅
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+          fi
+
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LINTER_RESULTS.txt"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🛡️ Shell Script Linting [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/render-dnssec-status.yaml

@@ -2,16 +2,16 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.127.2025.06.02
+### Version Master V8.03.832.2025.06.24
 
-name: Retrieve the DNSSEC status at the time of updating the repository.
+name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 
 permissions:
   contents: write
@@ -25,14 +25,15 @@ on:
 
 jobs:
   build-dnssec-diagram:
-    name: Retrieve the DNSSEC status at the time of updating the repository.
+    name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
     runs-on: ubuntu-latest
+
     steps:
-      - name: Prepare SSH Setup, SSH Deploy Key, Known Hosts, config.
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
         shell: bash
         run: |
-          rm -rf ~/.ssh
-          mkdir -p ~/.ssh
+          set -euo pipefail
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
 
           ### Private Key
           echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
@@ -54,36 +55,27 @@ jobs:
           chmod 600 ~/.ssh/config
 
       ### https://github.com/actions/checkout/issues/1843
-      - name: Use manual clone via SSH to circumvent Gitea SHA-256 object issues.
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
         shell: bash
-        run: |
-          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
-          git fetch --unshallow || echo "Nothing to fetch - already full clone."
         env:
           ### GITHUB_REF_NAME contains the branch name from the push event.
           GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
 
-      - name: Clean workspace.
+      - name: 🛠️ Cleaning the workspace.
         shell: bash
         run: |
+          set -euo pipefail
           git reset --hard
           git clean -fd
 
-      - name: Convert APT sources to HTTPS.
-        shell: bash
-        run: |
-          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
-          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
-
-      - name: Install DNSViz.
-        shell: bash
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y dnsviz
-
-      - name: Import CI PGP DEPLOY ONLY Key.
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
         shell: bash
         run: |
+          set -euo pipefail
           ### GPG-Home relative to the Runner Workspace to avoid changing global files.
           export GNUPGHOME="$(pwd)/.gnupg"
           mkdir -m 700 "${GNUPGHOME}"
@@ -93,9 +85,10 @@ jobs:
           KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
           echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
 
-      - name: Configure Git for signed CI DEPLOY commits.
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
         shell: bash
         run: |
+          set -euo pipefail
           export GNUPGHOME="$(pwd)/.gnupg"
           git config user.name "Marc S. Weidner BOT"
           git config user.email "msw+bot@coresecret.dev"
@@ -103,43 +96,123 @@ jobs:
           git config gpg.program gpg
           git config gpg.format openpgp
 
-      - name: Ensure docs/SECURITY/ directory exists.
+      - name: ⚙️ Convert APT sources to HTTPS.
+        shell: bash
+        run: |
+          set -euo pipefail
+          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
+          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
+
+      - name: 🛠️ Install DNSViz.
+        shell: bash
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y dnsviz
+
+      - name: ⚙️ Ensure docs/SECURITY/ directory exists.
         shell: bash
         run: |
           mkdir -p docs/SECURITY/
           rm -f docs/SECURITY/coresecret.dev.png
 
-      - name: Prepare DNS Cache.
+      - name: 🛠️ Prepare DNS Cache.
         shell: bash
         run: |
           sudo apt-get install -y dnsutils
           dig +dnssec +multi coresecret.dev @8.8.8.8
 
-      - name: Retrieve Zone Dump and generate .png Visualization.
+      - name: 🛠️ Retrieve Zone Dump and generate .png Visualization.
         shell: bash
         run: |
           dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json
           dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png
 
-      - name: Stage generated files.
+      - name: 🚧 Stash local changes (including untracked).
         shell: bash
-        run: |
-          git add docs/SECURITY/*.png
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
-
-      - name: Commit and Sign changes.
-        shell: bash
         run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
           export GNUPGHOME="$(pwd)/.gnupg"
-          git commit -S -m "DEPLOY BOT: Auto-Generate DNSSEC Status [skip ci]" || echo "No Changes, nothing to Sign or to Commit."
-        env:
-          GIT_SSH_COMMAND: "ssh -p 42842"
 
-      - name: Push back to Repository.
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
         shell: bash
-        run: |
-          git push origin HEAD:${GITHUB_REF_NAME}
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          git add docs/SECURITY/*.png || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🛡️ Auto-Generate DNSSEC Status [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+      # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/render-dot-to-png.yaml

@@ -0,0 +1,211 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.03.832.2025.06.24
+
+name: 🔁 Render Graphviz Diagrams.
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - "**/*.gv"
+      - "**/*.dot"
+
+jobs:
+  build-graphiz-diagrams:
+    name: 🔁 Render Graphviz Diagrams.
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        shell: bash
+        run: |
+          set -euo pipefail
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            HostName git.coresecret.dev
+            Port 42842
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        shell: bash
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+      - name: 🛠️ Cleaning the workspace.
+        shell: bash
+        run: |
+          set -euo pipefail
+          git reset --hard
+          git clean -fd
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        shell: bash
+        run: |
+          set -euo pipefail
+          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          export GNUPGHOME="$(pwd)/.gnupg"
+          mkdir -m 700 "${GNUPGHOME}"
+          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+          gpg --batch --import ci-bot.sec.asc
+          ### Trust the key automatically
+          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        shell: bash
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Convert APT sources to HTTPS.
+        shell: bash
+        run: |
+          set -euo pipefail
+          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
+          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
+
+      - name: 🛠️ Install Graphviz.
+        shell: bash
+        run: |
+          set -euo pipefail
+          sudo apt-get update
+          sudo apt-get install -y graphviz
+
+      - name: 🛠️ Render all .dot / .gv to PNG.
+        shell: bash
+        run: |
+          set -euo pipefail
+          find . -type f \( -name "*.dot" -o -name "*.gv" \) | while read file; do
+            out="${file%.*}.png"
+            dot -Tpng "${file}" -o "${out}"
+          done
+
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          git add *.png || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🔁 Auto-Generate PNG from *.dot. [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitignore

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

.version.properties

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -10,10 +10,10 @@
 # SPDX-Security-Contact: security@coresecret.eu
 properties_SPDX-Version="3.0"
 properties_SPDX-ExternalRef="GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git"
-properties_SPDX-FileCopyrightText="2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>"
+properties_SPDX-FileCopyrightText="2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>"
 properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
-properties_SPDX-LicenseComment="This file is part of the CISS.hardened.installer framework."
+properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.03.127.2025.06.02"
+properties_version="V8.03.832.2025.06.24"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

CISS.debian.live.builder.spdx

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.03.127.2025.06.02
+PackageVersion: Master V8.03.832.2025.06.24
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

LINTER_RESULTS.txt

@@ -0,0 +1,16 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+This file was automatically generated by the DEPLOY BOT on: "2025-06-24T21:45:52Z".
+
+✅ The last linter check was successful. ✅
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO.public

@@ -2,24 +2,26 @@
 # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-02T07:05:05Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-06-23T09:04:49Z".
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_02T06_28_22Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_06_23T08_20_37Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  "ciss-debian-live-2025_06_02T06_28_22Z-amd64.hybrid.iso.sha512"
+  86a8be09e16299892ae99d195b56a04356bcf5d2202016da8f8fa7441077c43fab68ebefcb8c39b3423f085a74b607907fb691ac71fdef92af33782bd2ac0ce5
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaD1NIQAKCRA85KY4hzOw
-IUI1AQCy+C8u2sxrulp9oEsYNPEQLnVuyqGxlsaGF9soF+ay4AD/cjMt0sNK/SUd
-Rt0J3YmtZbbXgIAaUyAMKMc3Bf3nHgc=
-=Z0iZ
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFkYsQAKCRA85KY4hzOw
+IbrbAQDeOIS3QYKIPkMhYlNPIcsJjv/dh3TdYiuQbkvfwVI+/gD/TiB+ska62vJk
+LGfwjuaxMC0KHG1/UTICytOeAnTrXAc=
+=qk8B
 -----END PGP SIGNATURE-----
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_FLV_0.private

@@ -0,0 +1,27 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+This file was automatically generated by the DEPLOY BOT on: "2025-06-24T19:21:36Z".
+
+CISS.debian.live.builder ISO :
+  "ciss-debian-live-2025_06_24T18_36_59Z-amd64.hybrid.iso"
+CISS.debian.live.builder ISO sha512 :
+  3ca5a9635ef74a48f6d8f31696ec56e56ee95eff5317df95976e22d31e331bc503422602e24a9eaddfc30212acf6ebe96af51e94298c4c7c49c839c62abb6c2f
+CISS.debian.live.builder ISO sha512 sign :
+  -----BEGIN PGP SIGNATURE-----
+
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFr6wAAKCRA85KY4hzOw
+IbgHAP4p9jlF9jZkYIw/0H8j07QUWNHxeUz2r2UXp8aN2gUEBwEAxqbznJhH8li8
+40g5sWwGLmBjlidIOe0NxeMUBkuMlQg=
+=gq5w
+-----END PGP SIGNATURE-----
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_FLV_1.private

@@ -0,0 +1,27 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+This file was automatically generated by the DEPLOY BOT on: "2025-06-24T22:34:36Z".
+
+CISS.debian.live.builder ISO :
+  "ciss-debian-live-2025_06_24T21_53_22Z-amd64.hybrid.iso"
+CISS.debian.live.builder ISO sha512 :
+  581d951c8ab4d8e7afd2d727f8e64bd6fff51d005b84b9800e941da8dae654985bae500e056f02729d6b274ba330dfdbec59fd5ec2c8b18c3bbf37433b73c154
+CISS.debian.live.builder ISO sha512 sign :
+  -----BEGIN PGP SIGNATURE-----
+
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFsn/AAKCRA85KY4hzOw
+IUvMAP9P1U6lblhdZ9tSROvYXRXcv0IEg2rVo3fMx9T5fozLewEAgxxo0+J1Nlvu
+KVZOdiuc6xdxkBHWYaA2kSXZKI+qAwA=
+=2H0C
+-----END PGP SIGNATURE-----
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

README.html

@@ -1,405 +0,0 @@
-<p><a href="https://git.coresecret.dev/msw/CISS.debian.live.builder"><img src="https://badges.coresecret.dev/badge/Release-V8.03.127.2025.06.02-white?style=plastic&amp;logo=linux&amp;logoColor=white&amp;logoSize=auto&amp;label=Release&amp;color=%23FCC624" alt="Static Badge" /></a>   <a href="https://eupl.eu/1.2/en/"><img src="https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&amp;logo=europeanunion&amp;logoColor=white&amp;logoSize=auto&amp;label=Licence&amp;color=%23003399" alt="Static Badge" /></a>   <a href="https://opensource.org/license/eupl-1-2"><img src="https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&amp;logo=opensourceinitiative&amp;logoColor=white&amp;logoSize=auto&amp;label=OSI&amp;color=%233DA639" alt="Static Badge" /></a>   <a href="https://www.gnu.org/software/bash/"><img src="https://badges.coresecret.dev/badge/Bash-V5.2.15-white?style=plastic&amp;logo=gnubash&amp;logoColor=white&amp;logoSize=auto&amp;label=Bash&amp;color=%234EAA25" alt="Static Badge" /></a>   <a href="https://shellcheck.net/"><img src="https://badges.coresecret.dev/badge/shellcheck-passed-white?style=plastic&amp;logo=gnubash&amp;logoColor=white&amp;logoSize=auto&amp;label=shellcheck&amp;color=%234EAA25" alt="Static Badge" /></a>   <a href="https://github.com/mvdan/sh"><img src="https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&amp;logo=google&amp;logoColor=white&amp;logoSize=auto&amp;label=shellformat&amp;color=%234285F4" alt="Static Badge" /></a>   <a href="https://google.github.io/styleguide/shellguide.html"><img src="https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&amp;logo=google&amp;logoColor=white&amp;logoSize=auto&amp;label=Shellstyle&amp;color=%234285F4" alt="Static Badge" /></a>   <a href="https://docs.gitea.com/"><img src="https://badges.coresecret.dev/badge/Gitea-1.23.8-white?style=plastic&amp;logo=gitea&amp;logoColor=white&amp;logoSize=auto&amp;label=gitea&amp;color=%23609926" alt="Static Badge" /></a>   <a href="https://www.jetbrains.com/store/?section=personal&amp;billing=yearly"><img src="https://badges.coresecret.dev/badge/IntelliJ-2025.1.1.1-white?style=plastic&amp;logo=intellijidea&amp;logoColor=white&amp;logoSize=auto&amp;label=IntelliJ&amp;color=%23000000" alt="Static Badge" /></a>   <a href="https://keepassxc.org/"><img src="https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&amp;logo=keepassxc&amp;logoColor=white&amp;logoSize=auto&amp;label=KeePassXC&amp;color=%236CAC4D" alt="Static Badge" /></a>   <a href="https://www.netcup.com/de"><img src="https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&amp;logo=netcup&amp;logoColor=white&amp;logoSize=auto&amp;label=powered&amp;color=%23056473" alt="Static Badge" /></a>   <a href="https://coresecret.eu/"><img src="https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&amp;logo=europeanunion&amp;logoColor=white&amp;logoSize=auto&amp;label=powered&amp;color=%230F243E" alt="Static Badge" /></a>   <a href="https://x.com/coresecret_eu"><img src="https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&amp;logo=x&amp;logoColor=white&amp;logoSize=auto&amp;label=SocialMedia&amp;color=%23000000" alt="Static Badge" /></a>   <a href="https://coresecret.eu/spenden/#sepa"><img src="https://badges.coresecret.dev/badge/Donation-Donation-white?style=plastic&amp;logo=sepa&amp;logoColor=white&amp;logoSize=auto&amp;label=&amp;color=%230F243E" alt="Static Badge" /></a>   <a href="https://coresecret.eu/spenden/#bitcoin"><img src="https://badges.coresecret.dev/badge/bitcoin-Bitcoin-white?style=plastic&amp;logo=bitcoin&amp;logoColor=white&amp;logoSize=auto&amp;label=Donation&amp;color=%23F7931A" alt="Static Badge" /></a>   <a href="https://coresecret.eu/contact/#simplex"><img src="https://badges.coresecret.dev/badge/simplex-Simplex-white?style=plastic&amp;logo=simplex&amp;logoColor=white&amp;logoSize=auto&amp;label=Contact&amp;color=%23000000" alt="Static Badge" /></a>  </p>
-<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
-<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.145.2025.06.02<br></p>
-<p>This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for cloud deployment or unattended installations via the forthcoming <code>CISS.debian.installer</code>.</p>
-<p>Check out more:</p>
-<ul>
-<li><a href="https://coresecret.eu/cnet/">CenturionNet Services</a></li>
-<li><a href="https://dns.eddns.eu/">CenturionDNS Resolver</a></li>
-<li><a href="https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt">CenturionDNS Blocklist</a></li>
-<li><a href="https://uptime.coresecret.eu/">CenturionNet Status</a></li>
-<li><a href="https://talk.e2ee.li/">CenturionMeet</a></li>
-<li><a href="https://coresecret.eu/contact/">Contact the author</a></li>
-</ul>
-<h2 id="11-preliminary-remarks">1.1. Preliminary Remarks</h2>
-<h3 id="111-hsm">1.1.1. HSM</h3>
-<p>Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. The next step is to move to a room-gapped environment. ^^</p>
-<h3 id="112-hsts-and-dnssec">1.1.2. HSTS and DNSSEC</h3>
-<p>Please note that <code>coresecret.dev</code> is included in the <a href="https://hstspreload.org/">(HSTS Preload List)</a> and always serves the headers:</p>
-<pre class="nginx"><code>add_header Expect-CT                 &quot;max-age=86400, enforce&quot;                       always;
-add_header Strict-Transport-Security &quot;max-age=63072000; includeSubDomains; preload&quot; always;</code></pre>
-<p>Additionally, the entire zone is dual-signed with DNSSEC. See the current DNSSEC status at <a href="https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_DNSSEC.html">DNSSEC Audit Report</a></p>
-<h2 id="12-immutable-source-of-truth-system">1.2. Immutable Source-of-Truth System</h2>
-<p>This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static source-code definitions. All configurations, system components, and installation routines are embedded during build time and locked for runtime immutability. This ensures that the live environment functions as a trusted <strong>Source of Truth</strong> — not only for boot-time operations, but for deploying entire systems in a secure and reproducible way.<br></p>
-<p>Once booted, the environment optionally launches a fully scripted installer, via the forthcoming <code>CISS.debian.installer</code>, yet to deploy, that provisions the target system (the hardware the DVD is running on). The installer pulls no external dependencies besides of the necessary Debian debootstrap and Debian Packages and never exposes the target system in a not secure manner to the internet during installation. It operates strictly from within the verified image content, providing fully secured provisioning. Combined with checksum verification, <strong>activated by default</strong>, at boot and strict firewall defaults, this architecture guarantees that what is executed has not been tampered with and corresponds exactly to the intended source definition.<br></p>
-<p>An even more secure deployment variant — an unattended and headless version — can be built without any active network interface or shell-access, also via the forthcoming <code>CISS.debian.installer</code>. Such a version performs all verification steps autonomously, provisions the target device from embedded source artifacts, and reboots into a fully encrypted system image. The system then awaits the decryption passphrase input via an embedded Dropbear SSH server (SSH PubKey only) in the initramfs, exposing no ports without cryptographic hardened access, while also the <code>/boot</code> partition could be encrypted via the built-in support of <code>grub2 (2.12-1~bpo12+1)</code>.<br></p>
-<p>This approach provides a fully reproducible, audit-friendly, and tamper-resistant provisioning workflow rooted entirely in source-defined infrastructure logic.<br></p>
-<p>After build and configuration, the following audit reports can be generated:</p>
-<ul>
-<li><strong>Haveged Audit Report</strong>: Validates entropy daemon health and confirms '/dev/random' seeding performance. Type <code>chkhvg</code> at the prompt. See example report: <a href="https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_HAVEGED.html">Haveged Audit Report</a></li>
-<li><strong>Lynis Audit Report</strong>: Outputs a detailed security score and recommendations, confirming a 91%+ hardening baseline. Type <code>lsadt</code> at the prompt. See example report: <a href="https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_LYNIS.html">Lynis Audit Report</a></li>
-<li><strong>SSH Audit Report</strong>: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations. Type <code>ssh-audit &lt;IP&gt;:&lt;PORT&gt;</code>. See example report: <a href="https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_SSH.html">SSH Audit Report</a></li>
-</ul>
-<h2 id="12-preview">1.2. Preview</h2>
-<p><img src="/docs/screenshots/CISS.debian.live.builder_preview.jpeg" alt="CISS.debian.live.builder" /></p>
-<h2 id="13-caution-significant-information-for-those-considering-using-d-i">1.3. Caution. Significant information for those considering using D-I.</h2>
-<p><strong>The Debian Installer (d-i) will ALWAYS boot a new system.</strong><br></p>
-<p>Regardless of whether you start it:</p>
-<ul>
-<li>via the boot menu of your Live ISO (grub, isolinux) like <strong>CISS.debian.live.builder</strong>,</li>
-<li>via kexec in the running system,</li>
-<li>via the debian-installer-launcher package,</li>
-<li>or even via a graphical installer shortcut.</li>
-</ul>
-<p>The following happens in all cases:</p>
-<ul>
-<li>The installer kernel (/install/vmlinuz) + initrd.gz are started.</li>
-<li>The existing live system is exited.</li>
-<li>The memory is overwritten.</li>
-<li>All running processes – e.g., firewall, hardened SSH access, etc. pp. – cease to exist.</li>
-</ul>
-<p>The Debian Installer loads:</p>
-<ul>
-<li>its own kernel,</li>
-<li>its own initramfs,</li>
-<li>its own minimal root filesystem (BusyBox + udeb packages),</li>
-<li>no SSH access (unless explicitly enabled via preseed)</li>
-<li>no firewall, AppArmor, logging, etc. pp.,</li>
-<li>it disables all running network services, even if you were previously in the live system.</li>
-</ul>
-<p>This means function status of the <strong>CISS.2025.debian.live.builder</strong> ISO after d-i start:</p>
-<ul>
-<li>ufw, iptables, nftables ✘ disabled, not loaded,</li>
-<li>sshd with hardening ✘ stopped (processes gone),</li>
-<li>the running kernel ✘ replaced,</li>
-<li>Logging (rsyslog, journald) ✘ not active,</li>
-<li>preseed control over the network is possible (but without any protection).</li>
-</ul>
-<h1 id="2-features--rationale">2. Features &amp; Rationale</h1>
-<p>Below is a breakdown of each hardening component, with a summary of why each is critical to your security posture.</p>
-<h2 id="21-kernel-hardening">2.1. Kernel Hardening</h2>
-<h3 id="211-boot-parameters">2.1.1. Boot Parameters</h3>
-<ul>
-<li><strong>Description</strong>: Customizes kernel command-line flags to disable unused features and enable mitigations.</li>
-<li><strong>Key Parameters</strong>:
-<ul>
-<li><code>audit_backlog_limit=8192</code>: Ensures the audit subsystem can queue up to 8192 events to avoid dropped logs under heavy loads.</li>
-<li><code>audit=1</code>: Enables kernel auditing from boot to record system calls and security events.</li>
-<li><code>cfi=kcfi</code>: Activates kernel control-flow integrity using kCFI to protect against control-flow hijacking.</li>
-<li><code>debugfs=off</code>: Disables debugfs to prevent non-privileged access to kernel internals.</li>
-<li><code>efi=disable_early_pci_dma</code>: Stops early PCI DMA under EFI to mitigate DMA-based attacks during boot.</li>
-<li><code>efi_no_storage_paranoia</code>: Disables extra EFI storage checks to streamline boot without compromising expected storage integrity.</li>
-<li><code>hardened_usercopy=1</code>: Enables stringent checks on copy operations between user and kernel space to prevent buffer overflows.</li>
-<li><code>ia32_emulation=0</code>: Turns off 32-bit compatibility modes to reduce attack surface on 64-bit hosts.</li>
-<li><code>init_on_alloc=1</code>: Zeroes memory on allocation to prevent leakage of previous data.</li>
-<li><code>init_on_free=1</code>: Initializes memory on free to catch use-after-free bugs.</li>
-<li><code>iommu=force</code>: Enforces IOMMU for all devices to isolate DMA-capable hardware.</li>
-<li><code>kfence.sample_interval=100</code>: Configures the kernel fence memory safety tool to sample every 100 allocations.</li>
-<li><code>kvm.nx_huge_pages=force</code>: Enforces non-executable huge pages in KVM to mitigate code injection.</li>
-<li><code>l1d_flush=on</code>: Flushes L1 data cache on context switch to mitigate L1D vulnerabilities.</li>
-<li><code>lockdown=confidentiality</code>: Puts the kernel in confidentiality lockdown to restrict direct hardware access.</li>
-<li><code>loglevel=0</code>: Suppresses non-critical kernel messages to reduce information leakage.</li>
-<li><code>mce=0</code>: Disables machine check exceptions to prevent side-channel data leaks from hardware error reporting.</li>
-<li><code>mitigations=auto,nosmt</code>: Enables all automatic CPU mitigations and disables SMT to reduce side-channel risks.</li>
-<li><code>mmio_stale_data=full,nosmt</code>: Ensures stale MMIO data is fully flushed and disables SMT for added protection.</li>
-<li><code>oops=panic</code>: Forces a kernel oops to trigger a panic, preventing the system from running in an inconsistent state.</li>
-<li><code>page_alloc.shuffle=1</code>: Randomizes physical page allocation to hinder memory layout prediction attacks.</li>
-<li><code>page_poison=1</code>: Fills freed pages with a poison pattern to detect use-after-free.</li>
-<li><code>panic=-1</code>: Disables automatic reboot on panic to preserve the system state for forensic analysis.</li>
-<li><code>pti=on</code>: Enables page table isolation to mitigate Meltdown attacks.</li>
-<li><code>random.trust_bootloader=off</code>: Prevents trusting entropy provided by the bootloader.</li>
-<li><code>random.trust_cpu=off</code>: Disables trusting CPU-provided randomness, enforcing external entropy sources.</li>
-<li><code>randomize_kstack_offset=on</code>: Randomizes the kernel stack offset on each syscall entry to harden against stack probing.</li>
-<li><code>randomize_va_space=2</code>: Enables full address space layout randomization (ASLR) for user space.</li>
-<li><code>retbleed=auto,nosmt</code>: Enables automatic RETBLEED mitigations and disables SMT for better side-channel resistance.</li>
-<li><code>rodata=on</code>: Marks kernel read-only data sections to prevent runtime modification.</li>
-<li><code>tsx=off</code>: Disables Intel TSX extensions to eliminate related speculative execution vulnerabilities.</li>
-<li><code>vdso32=0</code>: Disables 32-bit vDSO to prevent unintended cross-mode calls.</li>
-<li><code>vsyscall=none</code>: Disables legacy vsyscall support to close a potential attack vector.</li>
-</ul></li>
-<li><strong>Rationale</strong>: Ensures early activation of protections, reducing exposure to CPU vulnerabilities before the system fully boots.</li>
-</ul>
-<h3 id="212-cpu-vulnerability-mitigations">2.1.2. CPU Vulnerability Mitigations</h3>
-<ul>
-<li><strong>Description</strong>: Enables all known kernel-level mitigations (Spectre, Meltdown, MDS, L1TF, etc.).</li>
-<li><strong>Rationale</strong>: Prevents side-channel attacks that exploit speculative execution, which remain a high-risk vector in multi-tenant cloud environments.</li>
-</ul>
-<h3 id="213-kernel-self-protection">2.1.3. Kernel Self-Protection</h3>
-<ul>
-<li><strong>Description</strong>: Activates <code>CONFIG_DEBUG_RODATA</code>, <code>CONFIG_STRICT_MODULE_RWX</code>, and other self-protections.</li>
-<li><strong>Rationale</strong>: Hardens kernel memory regions against unauthorized writings and enforces stricter module loading policies.</li>
-</ul>
-<h3 id="214-local-kernel-hardening">2.1.4. Local Kernel Hardening</h3>
-<ul>
-<li><strong>Description</strong>: The wrapper <code>sysp()</code>provides a function to apply and audit local kernel hardening rules from <code>/etc/sysctl.d/99_local.hardened</code>:</li>
-</ul>
-<pre class="bash"><code>###########################################################################################
-# Globals: Wrapper for loading CISS.2025 hardened Kernel Parameters
-# Arguments:
-#  none
-###########################################################################################
-# shellcheck disable=SC2317
-sysp() {
-  sysctl -p /etc/sysctl.d/99_local.hardened
-  # sleep 1
-  sysctl -a | grep -E &#39;kernel|vm|net&#39; &gt; /var/log/sysctl_check&quot;$(date +&quot;%Y-%m-%d_%H:%M:%S&quot;)&quot;.log
-}</code></pre>
-<ul>
-<li><strong>Key measures loaded by this file include:</strong>
-<ul>
-<li>Disabling module loading <code>kernel.modules_disabled=1</code></li>
-<li>Restricting kernel pointers &amp; logs <code>kernel.kptr_restrict=2</code>, <code>kernel.dmesg_restrict=1</code>, <code>kernel.printk=3 3 3 3</code></li>
-<li>Disabling unprivileged BPF and userfaultfd</li>
-<li>Disabling kexec and unprivileged user namespaces</li>
-<li>Locking down ptrace scope <code>kernel.yama.ptrace_scope=2</code></li>
-<li>Protecting filesystem links and FIFOs <code>fs.protected_*</code></li>
-</ul></li>
-</ul>
-<p><strong>Warning</strong> Once applied, some hardening settings cannot be undone via <code>sysctl</code> without a reboot, and dynamic module loading remains disabled until the next boot. Automatic enforcement at startup is therefore omitted by design—run <code>sysp()</code> manually and plan a reboot to apply or revert these controls.</p>
-<h2 id="22-module-blacklisting">2.2. Module Blacklisting</h2>
-<ul>
-<li><strong>Description</strong>: Disables and blacklists non-essential or insecure kernel modules.</li>
-<li><strong>Rationale</strong>: Minimizes attack surface by preventing loads of drivers or modules not required by the live environment.</li>
-</ul>
-<h2 id="23-network-hardening">2.3. Network Hardening</h2>
-<ul>
-<li><strong>Description</strong>: Applies <code>sysctl</code> settings (e.g., <code>net.ipv4.conf.all.rp_filter=1</code>, <code>arp_ignore</code>, <code>arp_announce</code>) to restrict inbound/outbound traffic behaviors.</li>
-<li><strong>Rationale</strong>: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man-in-the-middle on internal networks.</li>
-</ul>
-<h2 id="24-core-dump--kernel-hardening">2.4. Core Dump &amp; Kernel Hardening</h2>
-<ul>
-<li><strong>Description</strong>: Limits core dump generation paths, enforces <code>Yama</code> restrictions, and configures <code>kernel.kptr_restrict</code>.</li>
-<li><strong>Rationale</strong>: Prevents leakage of sensitive memory contents and reduces information disclosure from unintentional crash dumps.</li>
-</ul>
-<h2 id="25-entropy-collection-improvements">2.5. Entropy Collection Improvements</h2>
-<ul>
-<li><strong>Description</strong>: Installs and configures <code>haveged</code>, seeds <code>/dev/random</code> early.</li>
-<li><strong>Rationale</strong>: Cloud instances frequently suffer low entropy at the start; improving randomness ensures strong cryptographic key generation for SSH and other services.</li>
-</ul>
-<h2 id="26-permissions--authentication">2.6. Permissions &amp; Authentication</h2>
-<ul>
-<li><strong>Description</strong>: Sets strict directory and file permissions, integrates with PAM modules (e.g., <code>pam_faillock</code>).</li>
-<li><strong>Rationale</strong>: Enforces the principle of least privilege at file-system level and strengthens authentication policies.</li>
-</ul>
-<h2 id="27-high-security-baseline-lynis-audit">2.7. High-Security Baseline (Lynis Audit)</h2>
-<ul>
-<li><strong>Description</strong>: Run a baseline audit via <a href="https://cisofy.com/lynis/">Lynis</a> after build completion. The generated live environment consistently achieves a 91%+ score in Lynis security audits.</li>
-<li><strong>Rationale</strong>: Provides independent verification of security posture and flags any configuration drifts or missing hardening steps.</li>
-</ul>
-<h2 id="28-ssh-tunnel--access-security">2.8. SSH Tunnel &amp; Access Security</h2>
-<ul>
-<li><strong>Description</strong>: The SSH tunnel and access are secured through multiple layers of defense:
-<ul>
-<li><strong>Firewall Restriction</strong>: ufw allows connections only from defined jump host or VPN exit node IPs.</li>
-<li><strong>TCP Wrappers</strong>: <code>/etc/hosts.allow</code> and <code>/etc/hosts.deny</code> enforce an <code>ALL: ALL</code> deny policy, permitting only specified hosts.</li>
-<li><strong>One-Hit Ban</strong>: A custom Fail2Ban rule <code>/etc/fail2ban/jail.d/centurion-default.conf</code> immediately bans any host that touches closed ports.
-<ul>
-<li>Additionally, the <code>fail2ban</code> service is hardened as well according to: <a href="https://wiki.archlinux.org/title/fail2ban#Service_hardening">Arch Linux Wiki Fail2ban Hardening</a></li>
-</ul></li>
-<li><strong>SSH Ultra-Hardening</strong>: The <code>/etc/sshd_config</code> enforces strict cryptographic and connection controls with respect to <a href="https://www.ssh-audit.com/hardening_guides.html#debian_12">SSH Audit Guide Debian 12</a>:
-<ul>
-<li><code>RekeyLimit 1G 1h</code></li>
-<li><code>HostKey /etc/ssh/ssh_host_ed25519_key</code></li>
-<li><code>HostKey /etc/ssh/ssh_host_rsa_key (8192-bit RSA)</code></li>
-<li><code>PubkeyAuthentication yes</code></li>
-<li><code>PermitRootLogin prohibit-password</code></li>
-<li><code>PasswordAuthentication no</code></li>
-<li><code>PermitEmptyPasswords no</code></li>
-<li><code>LoginGraceTime 2m</code></li>
-<li><code>MaxAuthTries 3</code></li>
-<li><code>MaxSessions 2</code></li>
-<li><code>MaxStartups 08:64:16</code></li>
-<li><code>PerSourceMaxStartups 4</code></li>
-<li><code>RequiredRSASize 4096</code></li>
-<li><code>Ciphers aes256-gcm@openssh.com</code></li>
-<li><code>KexAlgorithms sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512,gss-curve25519-sha256-</code></li>
-<li><code>MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com</code></li>
-</ul></li>
-</ul></li>
-<li><strong>Rationale</strong>: These measures ensure that only authorized hosts can establish SSH tunnels, with strict cryptographic and usage policies enforced. Minimizes brute force, passive sniffing, and reduces credentials' exposure by limiting protocol features to vetted algorithms.</li>
-</ul>
-<h2 id="29-ufw-hardening">2.9. UFW Hardening</h2>
-<ul>
-<li><strong>Description</strong>: Defaults to <code>deny incoming</code> and (optionally) <code>deny outgoing</code>; automatically opens only whitelisted ports.</li>
-<li><strong>Rationale</strong>: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after deployment.</li>
-</ul>
-<h2 id="210-fail2ban-enhancements">2.10. Fail2Ban Enhancements</h2>
-<ul>
-<li><strong>Description</strong>:
-<ul>
-<li>Bans any connection to a closed port for 24 hours</li>
-<li>Automatically ignores designated bastion/jump host subnets</li>
-<li>Hardened via <code>systemd</code> policy override to limit privileges of the Fail2Ban service itself</li>
-</ul></li>
-<li><strong>Rationale</strong>: Provides proactive defense against port scans and brute-force attacks, while isolating the ban daemon in a minimal-privilege context.</li>
-</ul>
-<h2 id="211-ntpsec--chrony">2.11. NTPsec &amp; Chrony</h2>
-<ul>
-<li><strong>Description</strong>: Installs <code>chrony</code>, selects PTB NTPsec servers by default.</li>
-<li><strong>Rationale</strong>: Ensures tamper-resistant time synchronization, which is essential for log integrity, certificate validation, and forensic accuracy.</li>
-</ul>
-<h1 id="3-script-features--rationale">3. Script Features &amp; Rationale</h1>
-<h2 id="31-input-validation--security">3.1. Input Validation &amp; Security</h2>
-<ul>
-<li><strong>Description</strong>: All script arguments are validated using a robust input sanitizer.</li>
-<li><strong>Rationale</strong>: Prevents injection attacks and ensures only expected data types and values are processed.</li>
-</ul>
-<h2 id="32-debug-mode-with-detailed-logging">3.2. Debug Mode with Detailed Logging</h2>
-<ul>
-<li><p><strong>Description</strong>: A built-in debug mode outputs clear, timestamped logs including:</p>
-<ul>
-<li>Script Name and Path of called Function,</li>
-<li>Line Number,</li>
-<li>Function Name,</li>
-<li>Exit Code of the previous Command,</li>
-<li>Executed Command.</li>
-</ul></li>
-<li><p><strong>Rationale</strong>: Simplifies troubleshooting and provides precise error tracing.</p></li>
-</ul>
-<h2 id="33-secure-debug-logging">3.3. Secure Debug Logging</h2>
-<ul>
-<li><strong>Description</strong>: No hardcoded plaintext password fragments or sensitive artifacts appear in debug logs.</li>
-<li><strong>Rationale</strong>: Prevents accidental exposure of credentials during troubleshooting.</li>
-</ul>
-<h2 id="34-secure-password-handling">3.4. Secure Password Handling</h2>
-<ul>
-<li><strong>Description</strong>: Password files, if provided, are shredded immediately after being hashed.</li>
-<li><strong>Rationale</strong>: Prevents password recovery from temporary files.</li>
-</ul>
-<h2 id="35-variable-declaration--validation">3.5. Variable Declaration &amp; Validation</h2>
-<ul>
-<li><strong>Description</strong>: All variables are declared and validated before use.</li>
-<li><strong>Rationale</strong>: Avoids unintended behavior from unset or improperly set variables.</li>
-</ul>
-<h2 id="36-pure-bash-implementation">3.6. Pure Bash Implementation</h2>
-<ul>
-<li><strong>Description</strong>: The entire wrapper and all its functions are written in pure Bash, without external dependencies.</li>
-<li><strong>Rationale</strong>: Ensures maximum portability and compatibility with standard Debian environments.</li>
-</ul>
-<h2 id="37-bash-error-handling">3.7. Bash Error Handling</h2>
-<ul>
-<li><p><strong>Description</strong>: The implemented xtrace wrapper <code>set -x</code> enforces comprehensive Bash error handling to ensure</p>
-<ul>
-<li>robust,</li>
-<li>predictable execution,</li>
-<li>and early detection of failures.</li>
-</ul>
-<p>and delivers full information, which command failed to execute:</p>
-<ul>
-<li>Script Name and Path of called Function,</li>
-<li>Line Number,</li>
-<li>Function Name,</li>
-<li>Exit Code of the previous Command,</li>
-<li>Executed Command,</li>
-<li>Environment Settings,</li>
-<li>Argument Counter passed to Script,</li>
-<li>Argument String passed to Script.</li>
-</ul></li>
-<li><p>The following <code>set</code> options are applied at the beginning of the script (see <a href="https://www.gnu.org/software/bash/manual/bash.html#The-Set-BuiltinGNU">Bash Manual, The Set Builtin</a>):</p></li>
-</ul>
-<pre class="bash"><code>set -o errexit   # Exit script when a command exits with non-zero status (same as &quot;set -e&quot;).
-set -o errtrace  # Inherit ERR traps in subshells (same as &quot;set -E&quot;).
-set -o functrace # Inherit DEBUG and RETURN traps in subshells (same as &quot;set -T&quot;).
-set -o nounset   # Exit script on use of an undefined variable (same as &quot;set -u&quot;).
-set -o pipefail  # Return the exit status of the last failed command in a pipeline.
-set -o noclobber # Prevent overwriting files via redirection (same as &quot;set -C&quot;).</code></pre>
-<ul>
-<li><strong>Rationale</strong>: These options enforce strict error checking and handling, reducing silent failures and ensuring predictable script behavior.</li>
-</ul>
-<h1 id="4-prerequisites">4. Prerequisites</h1>
-<ul>
-<li><strong>Host</strong>: Debian Bookworm or newer with <code>live-build</code> package installed.</li>
-<li><strong>Privileges</strong>: Root or sudo access to execute <code>ciss_live_builder.sh</code> and related scripts.</li>
-<li><strong>Network</strong>: Outbound access to Debian repositories and PTB NTPsec pool.</li>
-</ul>
-<h1 id="5-installation--usage">5. Installation &amp; Usage</h1>
-<h1 id="51-interactive-cli--dialog-wrapper">5.1. Interactive CLI / Dialog Wrapper</h1>
-<ol type="1">
-<li><p>Clone the repository:</p>
-<pre class="bash"><code>git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-cd CISS.debian.live.builder</code></pre></li>
-<li><p>Preparation:</p>
-<ol type="1">
-<li>Ensure you are root.</li>
-<li>Create the build directory <code>mkdir /opt/livebuild</code>.</li>
-<li>Place your desired SSH public key in the <code>authorized_keys</code> file, for example, in the <code>/opt/gitea/CISS.debian.live.builder</code> directory.</li>
-<li>Place your desired Password in the <code>password.txt</code> file, for example, in the <code>/opt/gitea/CISS.debian.live.builder</code> directory.</li>
-<li>Make any other changes you need to.</li>
-</ol></li>
-<li><p>Run the config builder script <code>./ciss_live_builder.sh</code> and the integrated <code>lb build</code> command (example):</p>
-<pre class="yaml"><code>chmod 0700 ./ciss_live_builder.sh
-./ciss_live_builder.sh --architecture amd64 \
-                       --build-directory /opt/livebuild \
-                       --change-splash hexagon \
-                       --control 384 \
-                       --debug \
-                       --dhcp-centurion \
-                       --jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \
-                       --provider-netcup-ipv6 [c0de:4711:0815:4242::ffff] \
-                       --renice-priority &quot;-19&quot; \
-                       --reionice-priority 1 2 \
-                       --root-password-file /opt/gitea/CISS.debian.live.builder/password.txt \
-                       --ssh-port 4242 \
-                       --ssh-pubkey /opt/gitea/CISS.debian.live.builder</code></pre></li>
-<li><p>Locate your ISO in the <code>--build-directory</code>.</p></li>
-<li><p>Boot from the ISO and login to the live image via the console, or the multi-layer secured <strong>coresecret</strong> SSH tunnel.</p></li>
-<li><p>Type <code>sysp</code> for the final kernel hardening features.</p></li>
-<li><p>Check the boot log with <code>jboot</code> and via <code>ssf</code> that all services are up.</p></li>
-<li><p>Finally, audit your environment with <code>lsadt</code> for a comprehensive Lynis audit.</p></li>
-<li><p>Type <code>celp</code> for some shortcuts.</p></li>
-</ol>
-<h1 id="52-cicd-gitea-runner-workflow-example">5.2. CI/CD Gitea Runner Workflow Example</h1>
-<ol type="1">
-<li><p>Clone the repository:</p>
-<pre class="bash"><code>git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-cd CISS.debian.live.builder</code></pre></li>
-<li><p>Edit the <code>.gitea/workflows/generate-iso.yaml</code> file according to your requirements. Ensure that the trigger file <code>.gitea/trigger/t_generate.iso.yaml</code> and the counter are updated. Change all the necessary <code>{{ secrets.VAR }}</code>. Push your commits to trigger the workflow. Then download your final ISO from the specified Location.</p></li>
-</ol>
-<pre class="yaml"><code>#...
-    steps:
-      - name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
-        run: |
-          rm -rf ~/.ssh &amp;&amp; mkdir -m700 ~/.ssh
-
-          ### Private Key
-          echo &quot;${{ secrets.CHANGE_ME }}&quot; &gt;| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
-#...
-      ### https://github.com/actions/checkout/issues/1843
-      - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
-        run: |
-          git clone --branch &quot;${GITHUB_REF_NAME}&quot; ssh://git@CHANGE_ME .
-#...
-      - name: Importing the &#39;CI PGP DEPLOY ONLY&#39; key.
-        run: |
-          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME=&quot;$(pwd)/.gnupg&quot;
-          mkdir -m700 &quot;${GNUPGHOME}&quot;
-          echo &quot;${{ secrets.CHANGE_ME }}&quot; &gt;| ci-bot.sec.asc
-#...
-      - name: Configuring Git for signed CI/DEPLOY commits.
-        run: |
-          export GNUPGHOME=&quot;$(pwd)/.gnupg&quot;
-          git config user.name &quot;CHANGE_ME&quot;
-          git config user.email &quot;CHANGE_ME&quot;
-#...
-      - name: Preparing the build environment.
-        run: |
-          mkdir -p /opt/config
-          mkdir -p /opt/livebuild
-          echo &quot;${{ secrets.CHANGE_ME }}&quot; &gt;| /opt/config/password.txt
-          echo &quot;${{ secrets.CHANGE_ME }}&quot; &gt;| /opt/config/authorized_keys
-#...
-      - name: Starting CISS.debian.live.builder. This may take a while ...
-        run: |
-          chmod 0700 ciss_live_builder.sh &amp;&amp; chown root:root ciss_live_builder.sh
-          timestamp=$(date -u +&quot;%Y_%m_%d_%H_%M_Z&quot;)
-          ### Change &quot;--autobuild=&quot; to the specific kernel version you need: &#39;6.12.22+bpo-amd64&#39;.
-          ./ciss_live_builder.sh \
-            --autobuild=CHANGE_ME \
-            --architecture CHANGE_ME \
-            --build-directory /opt/livebuild \
-            --control &quot;${timestamp}&quot; \
-            --jump-host &quot;${{ secrets.CHANGE_ME }}&quot; \
-            --root-password-file /opt/config/password.txt \
-            --ssh-port CHANGE_ME \
-            --ssh-pubkey /opt/config
-#...
-      ### SKIP OR CHANGE ALL REMAINING STEPS</code></pre>
-<h1 id="6-licensing--compliance">6. Licensing &amp; Compliance</h1>
-<p>This repository is fully SPDX-compliant. All source files include appropriate SPDX license identifiers and headers to ensure clear and unambiguous licensing. You can verify compliance by reviewing the top of each file, which follows the SPDX standard for license expressions and metadata.</p>
-<h1 id="7-disclaimer">7. Disclaimer</h1>
-<p>This README is provided "as-is" without any warranty. Review your organization's policies before deploying to production.</p>
-<hr />
-<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>
-

README.md

@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.127.2025.06.02-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.832.2025.06.24-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
@@ -11,8 +11,8 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh)  
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
  
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.23.8-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.1.1-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.2-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/)  
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de)  
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/)  
@@ -25,16 +25,19 @@ include_toc: true
 
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.02<br>
-**Build**: V8.03.145.2025.06.02<br>
+**Master Version**: 8.03<br>
+**Build**: V8.03.832.2025.06.24<br>
 
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
-cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`.
+cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`. Additionally, automated CI workflows 
+based on Gitea Actions are provided, enabling reproducible ISO generation. A generic ISO is automatically built upon significant
+changes and made publicly available for download. The latest generic ISO is available at:
+**[PUBLIC CISS.debian.live.ISO](/docs/DL_PUB_ISO.md)**
 
 Check out more:
 * [CenturionNet Services](https://coresecret.eu/cnet/) 
-* [CenturionDNS Resolver](https://dns.eddns.eu/)
+* [CenturionDNS Resolver](https://eddns.eu/)
 * [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt) 
 * [CenturionNet Status](https://uptime.coresecret.eu/) 
 * [CenturionMeet](https://talk.e2ee.li/) 
@@ -46,14 +49,26 @@ Check out more:
 Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. The next step is to 
 move to a room-gapped environment. ^^
 
-### 1.1.2. HSTS and DNSSEC
+### 1.1.2. DNSSEC, HSTS, TLS
 
 Please note that `coresecret.dev` is included in the [(HSTS Preload List)](https://hstspreload.org/) and always serves the headers:
 ````nginx configuration pro
 add_header Expect-CT                 "max-age=86400, enforce"                       always;
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 ````
-Additionally, the entire zone is dual-signed with DNSSEC. See the current DNSSEC status at [DNSSEC Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_DNSSEC.md)
+
+* Additionally, the entire zone is dual-signed with **DNSSEC**. See the current **DNSSEC** status at: **[DNSSEC Audit Report](/docs/AUDIT_DNSSEC.md)**
+* A comprehensive TLS audit of the **`git.coresecret.dev`** Gitea server is also available. See: **[TLS Audit Report](/docs/AUDIT_TLS.md)**
+* The infrastructure of the **`CISS.debian.live.builder`** building system is visualized here. See: **[Centurion Net](/docs/CNET.md)**
+
+### 1.1.3. Gitea Action Runner Hardening
+
+The CI runners operate on a dedicated host system located in a completely separate Autonomous System (AS). This host is solely 
+dedicated to providing CI runners and does not perform any other tasks. Each runner is hermetically isolated from others using 
+non-privileged, shell-less user accounts with no direct login capability. Additionally, each runner executes within its own 
+separate directory tree, employs `DynamicUser` features, and adheres to strict systemd hardening policies (achieving a ``systemd-analyze security`` 
+rating of **``2.6``**). Docker containers used by runners do not run in privileged mode. Security is further enhanced through the use 
+of both UFW software firewalls and dedicated hardware firewall appliances.
 
 ## 1.2. Immutable Source-of-Truth System
 
@@ -81,18 +96,18 @@ source-defined infrastructure logic.<br>
 
 After build and configuration, the following audit reports can be generated:
 
-* **Haveged Audit Report**: Validates entropy daemon health and confirms '/dev/random' seeding performance.
-  Type `chkhvg` at the prompt. See example report: [Haveged Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_HAVEGED.md)
+* **Haveged Audit Report**: Validates entropy daemon health and confirms `/dev/random` seeding performance.
+  Type `chkhvg` at the prompt. See example report: **[Haveged Audit Report](/docs/AUDIT_HAVEGED.md)**
 * **Lynis Audit Report**: Outputs a detailed security score and recommendations, confirming a 91%+ hardening baseline.
-  Type `lsadt` at the prompt. See example report: [Lynis Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_LYNIS.md)
+  Type `lsadt` at the prompt. See example report: **[Lynis Audit Report](/docs/AUDIT_LYNIS.md)**
 * **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations.
-  Type `ssh-audit <IP>:<PORT>`. See example report: [SSH Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_SSH.md)
+  Type `ssh-audit <IP>:<PORT>`. See example report: **[SSH Audit Report](/docs/AUDIT_SSH.md)**
 
-## 1.2. Preview
+## 1.3. Preview
 
 ![CISS.debian.live.builder](/docs/screenshots/CISS.debian.live.builder_preview.jpeg)
 
-## 1.3. Caution. Significant information for those considering using D-I.
+## 1.4. Caution. Significant information for those considering using D-I.
 
 **The Debian Installer (d-i) will ALWAYS boot a new system.**<br>
 
@@ -106,7 +121,7 @@ The following happens in all cases:
 * The installer kernel (/install/vmlinuz) + initrd.gz are started.
 * The existing live system is exited.
 * The memory is overwritten.
-* All running processes – e.g., firewall, hardened SSH access, etc. pp. – cease to exist.
+* All running processes - e.g., firewall, hardened SSH access, etc. pp. - cease to exist.
 
 The Debian Installer loads:
 * its own kernel,
@@ -123,6 +138,24 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 * Logging (rsyslog, journald) ✘ not active,
 * preseed control over the network is possible (but without any protection).
 
+## 1.5. Versioning Schema
+
+This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
+
+Example: `V8.03.832.2025.06.24`
+
+`x.y.z` represents major (x), minor (y), and patch (z) version increments.
+
+Date (YYYY.MM.DD) denotes the build or release date, facilitating clear tracking of incremental changes and ensuring 
+reproducibility and traceability.
+
+## 1.6. Keywords
+
+The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
+"MAY", and "OPTIONAL" in this Repo are to be interpreted as described in [[BCP 14](https://www.rfc-editor.org/info/bcp14)], 
+[[RFC2119](https://datatracker.ietf.org/doc/html/rfc2119)], [[RFC8174](https://datatracker.ietf.org/doc/html/rfc8174)] when,
+and only when, they appear in all capitals, as shown here.
+
 # 2. Features & Rationale
 
 Below is a breakdown of each hardening component, with a summary of why each is critical to your security posture.

ciss_live_builder.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -37,65 +37,89 @@
   . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
 [[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && {
   . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
+[[ ${#} -eq 0 ]] && {
+  . ./lib/lib_usage.sh; usage; exit 1; }
 
-declare -g VAR_HANDLER_AUTOBUILD="false"
-declare -gr VAR_CONTACT="security@coresecret.eu"
-declare -gr VAR_VERSION="Master V8.03.127.2025.06.02"
+### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT()
+. ./var/early.var.sh
+. ./lib/lib_guard_sourcing.sh
+. ./lib/lib_git_var.sh
 
-### VERY EARLY CHECK FOR AUTO-BUILD, CONTACT, USAGE, AND VERSION STRING
-declare arg
-if [[ ${#} -eq 0 ]]; then . ./lib/lib_usage.sh; usage; exit 1; fi
-for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -g VAR_HANDLER_AUTOBUILD=true; declare -g VAR_KERNEL="${arg#*=}";; esac; done
-for arg in "$@"; do case "${arg,,}" in -c|--contact) printf "\e[95mCISS.debian.live.builder Contact: %s\e[0m\n" "${VAR_CONTACT}"; exit 0;; esac; done
-for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh; usage; exit 0;; esac; done
+### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG
+for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh; usage; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -v|--version) printf "\e[95mCISS.debian.live.builder Version: %s\e[0m\n" "${VAR_VERSION}"; exit 0;; esac; done
-unset arg
 
-### VERY EARLY CHECK FOR XTRACE DEBUGGING
-if [[ $* == *" --debug "* ]]; then
-  . ./lib/lib_debug.sh
-  debugger "${@}"
-else
-  declare -grx VAR_EARLY_DEBUG=false
-fi
+### ALL CHECKS DONE. READY TO START THE SCRIPT
+check_git
+for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done
+declare -gx VAR_SETUP="true"
 
-### Advisory Lock
-exec 127>/var/lock/ciss_live_builder.lock || {
+### SOURCING VARIABLES
+[[ "${VAR_SETUP}" == true ]] && {
+  . ./var/bash.var.sh
+  . ./var/color.var.sh
   . ./var/global.var.sh
+}
+
+### SOURCING LIBRARIES
+[[ "${VAR_SETUP}" == true ]] && {
+  . ./lib/lib_arg_parser.sh
+  . ./lib/lib_arg_priority_check.sh
+  . ./lib/lib_boot_screen.sh
+  . ./lib/lib_cdi.sh
+  . ./lib/lib_change_splash.sh
+  . ./lib/lib_check_dhcp.sh
+  . ./lib/lib_check_hooks.sh
+  . ./lib/lib_check_kernel.sh
+  . ./lib/lib_check_pkgs.sh
+  . ./lib/lib_check_provider.sh
+  . ./lib/lib_check_stats.sh
+  . ./lib/lib_check_var.sh
+  . ./lib/lib_clean_screen.sh
+  . ./lib/lib_clean_up.sh
+  . ./lib/lib_copy_integrity.sh
+  . ./lib/lib_hardening_root_pw.sh
+  . ./lib/lib_hardening_ssh.sh
+  . ./lib/lib_hardening_ultra.sh
+  . ./lib/lib_helper_ip.sh
+  . ./lib/lib_lb_build_start.sh
+  . ./lib/lib_lb_config_start.sh
+  . ./lib/lib_lb_config_write.sh
+  . ./lib/lib_provider_netcup.sh
+  . ./lib/lib_run_analysis.sh
+  . ./lib/lib_sanitizer.sh
+  . ./lib/lib_trap_on_err.sh
+  . ./lib/lib_trap_on_exit.sh
+  . ./lib/lib_usage.sh
+}
+
+### ADVISORY LOCK
+exec 127>/var/lock/ciss_live_builder.lock || {
   printf "\e[91m❌ Cannot open lockfile for writing! Bye... \e[0m\n" >&2
   exit "${ERR_FLOCK_WRTG}"
 }
 
 if ! flock -x -n 127; then
-  . ./var/global.var.sh
   printf "\e[91m❌ Another instance is running! Bye...\e[0m\n" >&2
   exit "${ERR_FLOCK_COLL}"
 fi
 
-### Checking required packages
-. ./lib/lib_check_pkgs.sh
+### CHECK FOR AUTOBUILD MODE
+for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -gx VAR_HANDLER_AUTOBUILD="true"; declare -gx VAR_KERNEL="${arg#*=}";; esac; done; unset arg
+for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *) PATH="${PATH}:${dir}" ;; esac; done; export PATH; unset dir
+
+### CHECKING REQUIRED PACKAGES
 check_pkgs
 
-### Dialog Output for Initialization
-if ! $VAR_HANDLER_AUTOBUILD; then . ./lib/lib_boot_screen.sh && boot_screen; fi
+### DIALOG OUTPUT FOR INITIALIZATION
+if ! $VAR_HANDLER_AUTOBUILD; then boot_screen; fi
 
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nUpdating variables ... \nXXX\n05\n" >&3; fi
-. ./var/global.var.sh
-. ./var/colors.var.sh
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
 
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nEnabling Bash Error Handling ... \nXXX\n15\n" >&3; fi
-### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
-set -o errexit   # Exit script when a command exits with non-zero status, the same as "set -e".
-set -o errtrace  # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
-set -o functrace # Any traps on DEBUG and RETURN are inherited in a subshell environment, the same as "set -T".
-set -o nounset   # Exit script on use of an undefined variable, the same as "set -u".
-set -o pipefail  # Makes pipelines return the exit status of the last command in the pipe that failed.
-set -o noclobber # Prevent overwriting, the same as "set -C".
-
-### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nAdditional initialization ... \nXXX\n25\n" >&3; fi
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
 ### Initialization
 declare -gr ARGUMENTS_COUNT="$#"
 declare -gr ARG_STR_ORG_INPUT="$*"
@@ -108,42 +132,13 @@ declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
 declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSourcing Libraries ... \nXXX\n50\n" >&3; fi
-. ./lib/lib_arg_parser.sh
-. ./lib/lib_arg_priority_check.sh
-. ./lib/lib_cdi.sh
-. ./lib/lib_change_splash.sh
-. ./lib/lib_check_dhcp.sh
-. ./lib/lib_check_hooks.sh
-. ./lib/lib_check_kernel.sh
-. ./lib/lib_check_provider.sh
-. ./lib/lib_check_stats.sh
-. ./lib/lib_check_var.sh
-. ./lib/lib_clean_screen.sh
-. ./lib/lib_clean_up.sh
-. ./lib/lib_copy_integrity.sh
-. ./lib/lib_hardening_root_pw.sh
-. ./lib/lib_hardening_ssh.sh
-. ./lib/lib_hardening_ultra.sh
-. ./lib/lib_helper_ip.sh
-. ./lib/lib_lb_build_start.sh
-. ./lib/lib_lb_config_start.sh
-. ./lib/lib_lb_config_write.sh
-. ./lib/lib_provider_netcup.sh
-. ./lib/lib_run_analysis.sh
-. ./lib/lib_sanitizer.sh
-. ./lib/lib_trap_on_err.sh
-. ./lib/lib_trap_on_exit.sh
-. ./lib/lib_usage.sh
-
-### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nActivate traps ... \nXXX\n55\n" >&3; fi
-### Following the CISS Bash naming and ordering scheme
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
+### Following the CISS Bash naming and ordering scheme:
 trap 'trap_on_exit "$?"' EXIT
 trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
 
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSanitizing Arguments ... \nXXX\n70\n" >&3; fi
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
 arg_check "$@"
 declare -ar ARY_ARG_SANITIZED=("$@")
 declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
@@ -159,6 +154,7 @@ clean_ip
 ### Updating Status of Dialog Gauge Bar
 if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
 
+### Turn off Dialog Wrapper
 if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
 
 ### MAIN Program

config/bootloaders/grub-efi/grub.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/bootloaders/grub-pc/grub.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0000_generate_backup_dir.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0001_initramfs_modules.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -48,7 +48,7 @@ cat << EOF >| /etc/initramfs-tools/modules
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -113,7 +113,7 @@ cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -148,7 +148,7 @@ cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -207,9 +207,9 @@ COMPRESS=zstd
 # Defaults vary by compressor.
 #
 # Valid values are:
-# 1–9 for gzip|bzip2|lzma|lzop
-# 0–9 for  lz4|xz
-# 0–19 for zstd
+# 1-9 for gzip|bzip2|lzma|lzop
+# 0-9 for  lz4|xz
+# 0-19 for zstd
 # COMPRESSLEVEL=3
 
 #
@@ -253,7 +253,7 @@ cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/0002_verify_checksums.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -27,7 +27,7 @@ cat << 'EOF' >| "${src}"
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/0003_install_backports.chroot

@@ -0,0 +1,39 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -C -e -u -o pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+# sleep 1
+
+DEBIAN_FRONTEND=noninteractive \
+  apt-get update && \
+    DEBIAN_FRONTEND=noninteractive \
+      apt-get install -y --no-install-recommends \
+        -o Dpkg::Options::="--force-confdef" \
+        -o Dpkg::Options::="--force-confold" \
+        -t bookworm-backports \
+        btrfs-progs \
+        curl \
+        debootstrap \
+        iproute2 \
+        ncat \
+        nmap \
+        ssh \
+        systemd \
+        systemd-sysv \
+        whois
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+# sleep 1
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0050_activate_root.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/0080_keyboard_layout.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0090_haveged.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0120_set_hostname.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0130_machineid.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0400_eza_install.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -133,14 +133,6 @@ symlink_path: {foreground: Cyan}
 control_char: {foreground: Red}
 broken_symlink: {foreground: Red}
 broken_path_overlay: {foreground: Default, is_underlined: true}
-
-filenames:
-  # Custom filename-based overrides
-  # Cargo.toml: {icon: {glyph: 🦀}}
-
-extensions:
-  # Custom extension-based overrides
-  # rs: {filename: {foreground: Red}, icon: {glyph: 🦀}}
 EOF
 
 chmod 0644 "/root/eza-themes/themes/centurion.yml"

config/hooks/live/0800_lynis_setup.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0810_chrony_setup.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0820_kernel_hardening_checker.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0822_ssh_restart_hook.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -29,7 +29,7 @@ cat << 'EOF' >| /usr/local/bin/restart-ssh.sh
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0825_my_sqltuner_perl.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0830_download_yq.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0835_testssl.sh.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0845_harbian_audit.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0850_ssh_audit.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/0855_dnsviz.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/0900_ufw_setup.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/9900_process_accounting.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/9910_motd.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/9920_deleting_invalid_x509.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/9930_hardening_ssh.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/9940_hardening_memory.dump.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/9950_fail2ban_hardening.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -30,7 +30,7 @@ cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
@@ -46,7 +46,7 @@ findtime  = 24h
 bantime   = 24h
 
 ### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
-###               Jump host mistyped 1–3 times: no ban, only after four attempts          [sshd]
+###               Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]
 
 [sshd]
 enabled   = true

config/hooks/live/9960_disable_services.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/9970_remove_exim.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/9980_usb_guard.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/9985_clamav.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -32,8 +32,8 @@ ReadOnlyPaths=/
 ReadWritePaths=/var/lib/clamav /var/log/clamav /var/run/clamav /run/clamav
 
 MemoryDenyWriteExecute=yes
-MemoryLimit=512M
-CPUShares=512
+#MemoryLimit=4096M
+#CPUShares=512
 
 RestrictAddressFamilies=AF_INET AF_INET6
 RestrictNamespaces=yes
@@ -58,8 +58,8 @@ ReadOnlyPaths=/
 ReadWritePaths=/var/lib/clamav /var/log/clamav /var/run/clamav
 
 MemoryDenyWriteExecute=yes
-MemoryLimit=512M
-CPUShares=512
+#MemoryLimit=4096M
+#CPUShares=512
 
 RestrictAddressFamilies=AF_INET AF_INET6
 RestrictNamespaces=yes

config/hooks/live/9990_final_purge.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -16,13 +16,13 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 
 apt-get update -y
 
-apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config \
-qemu-guest-agent rmail sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
+apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
+#sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
 
-apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config \
-qemu-guest-agent rmail sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
+apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
+#sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
 
-dpkg --get-selections | grep deinstall >> /tmp/deinstall.log || true
+dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true
 
 if [[ -s /tmp/deinstall.log ]]; then
   printf "\n"

config/hooks/live/9991_file_permissions.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -39,6 +39,7 @@ EOF
 
 cp -a /etc/login.defs /root/.ciss/dlb/backup/login.defs.bak
 
+sed -ri 's/^(#?LOGIN_TIMEOUT)[[:space:]]+[0-9]+/\1 180/' /etc/login.defs
 sed -i 's/UMASK		022/UMASK		077/' /etc/login.defs
 sed -i 's/PASS_MAX_DAYS	99999/PASS_MAX_DAYS	16384/' /etc/login.defs
 sed -i 's/PASS_MIN_DAYS	0/PASS_MIN_DAYS	1/' /etc/login.defs

config/hooks/live/9992_password_expiration.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/9993_aide.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -14,12 +14,12 @@ set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 
-apt-get install -y aide
+apt-get install -y aide > /dev/null 2>&1
 
 cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
 sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf
 
-if aideinit; then
+if aideinit > /dev/null 2>&1; then
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'aideinit' successful. \e[0m\n"
 else
   printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'aideinit' NOT successful. \e[0m\n" >&2

config/hooks/live/9994_password_policy.chroot

@@ -3,15 +3,15 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### NIST recommends at least eight characters but advises longer passphrases (e.g., 12–64) for increased security.
-### NIST SP 800–63B, https://pages.nist.gov/800-63-3/sp800-63b.html
+### NIST recommends at least eight characters but advises longer passphrases (e.g., 12-64) for increased security.
+### NIST SP 800-63B, https://pages.nist.gov/800-63-3/sp800-63b.html
 
 set -C -e -u -o pipefail
 
@@ -26,7 +26,7 @@ cat << 'EOF' >| /etc/security/pwquality.conf
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -34,7 +34,7 @@ cat << 'EOF' >| /etc/security/pwquality.conf
 # SPDX-Security-Contact: security@coresecret.eu
 
 ### Current recommendations for '/etc/security/pwquality.conf' based on common best practices,
-### including NIST SP 800–63B, https://pages.nist.gov/800-63-3/sp800-63b.html
+### including NIST SP 800-63B, https://pages.nist.gov/800-63-3/sp800-63b.html
 ### and weighing usability against security.
 
 ### Configuration for systemwide password quality limits
@@ -46,16 +46,16 @@ difok = 4
 
 ### Length over complexity: Studies show that longer passphrases are significantly more
 ### resistant to brute-force and dictionary attacks. NIST recommends at least eight characters
-### but advises longer passphrases (e.g., 12–64) for increased security. Twenty characters strike a
+### but advises longer passphrases (e.g., 12-64) for increased security. Twenty characters strike a
 ### good balance between security and user convenience.
 ### Minimum acceptable size for the new password (plus one if
 ### credits are not disabled, which is the default). (See pam_cracklib manual.)
 ### Cannot be set to a lower value than 6.
-minlen = 20
+minlen = 40
 
 ### dcredit = 0, ucredit = 0, lcredit = 0, ocredit = 0, minclass = 0
-### NIST SP 800–63B advises against rigid complexity rules (numbers, symbols, uppercase)
-### because they can lead users to adopt predictable patterns (e.g., “Pa$$word!”).
+### NIST SP 800-63B advises against rigid complexity rules (numbers, symbols, uppercase)
+### because they can lead users to adopt predictable patterns (e.g., "Pa$$word!").
 ### Length and dictionary checks are more effective.
 
   ### The maximum credit for having digits in the new password. If less than 0
@@ -83,12 +83,12 @@ minlen = 20
 
 ### The maximum number of allowed consecutive same characters in the new password.
 ### The check is disabled if the value is 0.
-maxrepeat = 2
+maxrepeat = 3
 
 ### The maximum number of allowed consecutive characters of the same class in the
 ### new password.
 ### The check is disabled if the value is 0.
-maxclassrepeat = 4
+maxclassrepeat = 0
 
 ### Whether to check for the words from the passwd entry GECOS string of the user.
 ### The check is enabled if the value is not 0.

config/hooks/live/9995_sysstat.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/9996_auditd.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/9997_debsums.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -22,7 +22,7 @@ cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak
 chmod 0644 /root/.ciss/dlb/backup/debsums.bak
 sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
 
-if debsums -g; then
+if debsums -g > /dev/null 2>&1; then
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'debsums -g' successful. \e[0m\n"
 else
   # Omit false negative error output to stdout and stderr, as no problematic errors occur on startup.

config/hooks/live/9998_sources_list.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -25,7 +25,7 @@ cat << 'EOF' >| /etc/apt/sources.list
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.

config/hooks/live/9999_interfaces_update.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -22,7 +22,7 @@ cat << 'EOF' >| /etc/network/interfaces
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.binary/boot/grub/config.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/includes.chroot/etc/live/config.conf

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/etc/modprobe.d/30-cendev-hardening.conf

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/etc/network/interfaces

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/etc/ssh/sshd_config

@@ -2,14 +2,14 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.127.2025.06.02
+### Version Master V8.03.832.2025.06.24
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -51,7 +51,7 @@ MaxSessions                  2
 MaxStartups                  08:64:16
 ### Restrict each individual source IP to only 4 unauthenticated connection slot
 ### in the concurrent MaxStartups pool, preventing one IP from monopolizing slots.
-PerSourceMaxStartups         4
+PerSourceMaxStartups         8
 ClientAliveInterval          300
 ClientAliveCountMax          2
 

config/includes.chroot/etc/sysctl.d/99_local.hardened

@@ -2,14 +2,14 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.127.2025.06.02
+### Version Master V8.03.832.2025.06.24
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/

config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/0_di_preseed_include_command.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/1_di_preseed_early_command.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/2_di_partman_early_command.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/3_di_preseed_late_command.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/di_scripting_flexibility.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/di_scripting_password.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -26,13 +26,13 @@ grep -o '[!-~]' /dev/urandom | tr -d '\n' | head -c64 >> "${TMP_PASSPHRASE_FILE}
 DEB_INSTALLER_CRYPT_INC_FILE=$(mktemp)
 readonly DEB_INSTALLER_CRYPT_INC_FILE
 
-# Read the first line (the passphrase) – POSIX-compliant
+# Read the first line (the passphrase) - POSIX-compliant
 # IFS= prevents leading/trailing spaces from being truncated,
 # -r ensures that backslashes are not interpreted.
 IFS= read -r passphrase < "${TMP_PASSPHRASE_FILE}"
 
 # A single printf call with exactly one redirect
-# – ShellCheck-compliant and valid in POSIX-sh
+# - ShellCheck-compliant and valid in POSIX-sh
 printf 'd-i partman-crypto/passphrase string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"
 
 printf 'd-i partman-crypto/passphrase-again string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"

config/includes.chroot/preseed/.ash/di_scripting_ssh.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/.directories.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/apt.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/base.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/finished.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/firmware.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/grub.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/locale.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/modules.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/network.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/packages.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/partitioning.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/security.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/software.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/ssh.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.