V8.13.288.2025.10.24

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml

@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 build:
-  counter: 1023
+  counter: 1024
   version: V8.13.288.2025.10.24
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

config/hooks/live/0860_sops.chroot

@@ -51,9 +51,11 @@ rm -f "/tmp/sops-${SOPS_VER}.checksums.sig"
 umask 0077
 
 mkdir -p /root/.config/sops/age
-cat << 'EOF' /root/.config/sops/age/keys.txt
+
+cat << 'EOF' >| /root/.config/sops/age/keys.txt
 {{ secrets.CISS_PHYS_AGE }}
 EOF
+
 chmod 0400 /root/.config/sops/age/keys.txt
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

config/hooks/live/9950_hardening_fail2ban.chroot

@@ -102,7 +102,6 @@ protocol              = tcp
 # CISS aggressive approach:
 # Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
 # Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
-# There is no necessity to ping our servers excessively. Any client pinging us more than 1 times will be blocked.
 #
 
 [ufw]

docs/CHANGELOG.md

@@ -13,6 +13,7 @@ include_toc: true
 # 2. Changelog
 
 ## V8.13.288.2025.10.24
+* **Added**: Preparations for CISS and PhysNet primordial-workflow™.
 * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + nftables mods
 * **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) + banaction = nftables-*
 * **Updated**: [0900_ufw_setup.chroot](../config/hooks/live/0900_ufw_setup.chroot) changed var injection