DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]

X-CI-Metadata: master@22d6c9a at 2025-08-22T17:41:17Z on 9441b3c6beee

Generated at : 2025-08-22T17:41:17Z
Runner Host  : 9441b3c6beee
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : 22d6c9a HEAD -> master

.gitea/trigger/t_generate_PRIVATE_trixie.yaml

@@ -1,15 +0,0 @@
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-build:
-  counter: 1023
-  version: V8.13.008.2025.08.22
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml

@@ -1,485 +0,0 @@
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-### Version Master V8.13.008.2025.08.22
-
-name: 🔐 Generating a Private Live ISO FLV 0.
-
-permissions:
-  contents: write
-
-on:
-  push:
-    branches:
-      - master
-    paths:
-      - '.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml'
-
-jobs:
-  generate-private-ciss-debian-live-iso:
-    name: 🔐 Generating a Private Live ISO FLV 0.
-    runs-on: ciss.debian.live.builder.iso.generator
-
-    ### Run all steps inside Debian Bookworm
-    container:
-      image: debian:bookworm
-
-    steps:
-      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
-        run: |
-          apt-get update -y
-          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
-          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
-            >| /etc/apt/sources.list.d/bookworm-backports.list
-          apt-get update -y
-          apt-get upgrade -y
-
-      - name: 🛠️ Installing Build Tools.
-        shell: bash
-        run: |
-          apt-get update -y
-          apt-get install -y \
-            autoconf \
-            automake \
-            build-essential \
-            cryptsetup \
-            curl \
-            debootstrap \
-            dosfstools \
-            efibootmgr \
-            gettext \
-            git \
-            gnupg \
-            haveged \
-            libbz2-dev \
-            zlib1g-dev \
-            liblzma-dev \
-            libtool \
-            live-build \
-            parted \
-            pkg-config \
-            ssh \
-            ssl-cert \
-            sudo \
-            texinfo \
-            wget \
-            whois \
-
-      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
-        shell: bash
-        run: |
-          urls=(
-            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
-          )
-
-          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
-          gpg --batch --import signature_key.asc
-
-          for url in "${urls[@]}"; do
-            archive_name="${url##*/}"
-            pkg_name="${archive_name%.tar.bz2}"
-            echo "🔄 Processing ${pkg_name}"
-            if [[ ! -f "${archive_name}" ]]; then
-              echo "📥 Downloading: '${archive_name}'."
-              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
-                echo "✅ Download successful: '${archive_name}'."
-              else
-                echo "❌ Download NOT successful: '${archive_name}'."
-                exit 1
-              fi
-            else
-              echo "💡 Skipping download, package already exists: '${archive_name}'."
-            fi
-
-            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
-
-            if [[ ! -d "${pkg_name}" ]]; then
-              echo "📂 Extracting: '${archive_name}'."
-              if tar -xjf "${archive_name}"; then
-                echo "✅ Extraction successful: '${archive_name}'."
-              else
-                echo "❌ Extraction not successful: '${archive_name}'."
-                exit 1
-              fi
-            else
-              echo "💡 Skipping directory, already exists: '${pkg_name}'."
-            fi
-
-            echo "🏗️ Build and install the package: '${pkg_name}'."
-            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
-            mkdir -p build
-            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
-
-            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
-            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
-            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
-
-            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
-
-            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
-            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
-            echo "✅ Successful build and installation of '${pkg_name}'."
-            echo "-------------------------------------------------------------------------------------"
-
-          done
-
-          rm -f signature_key.asc
-
-          echo "✅ All packages were built and installed successfully."
-
-          mv_bin=(
-            "/usr/bin/gpg"
-            "/usr/bin/gpg-agent"
-            "/usr/bin/gpgconf"
-            "/usr/bin/gpg-connect-agent"
-            "/usr/bin/gpg-wks-client"
-            "/usr/bin/gpg-preset-passphrase"
-          )
-
-          for bin in "${mv_bin[@]}"; do
-            name="${bin##*/}"
-            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
-              if mv "${bin}" "${bin}.debian-backup"; then
-                echo "✅ Moved successfully: '${bin}'."
-              else
-                echo "❌ Moved NOT successfully: '${bin}'."
-              fi
-            else
-              echo "💡 Does not exist as build binary: '${bin}'."
-            fi
-          done
-
-          for bin in "${mv_bin[@]}"; do
-            name="${bin##*/}"
-            if [[ -f "/usr/local/bin/${name}" ]]; then
-              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
-                echo "✅ 'update-alternatives' successfully: '${bin}'."
-              else
-                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
-              fi
-            else
-              echo "💡 Does not exist: '/usr/local/bin/${name}'."
-            fi
-          done
-
-          sudo ldconfig
-
-          gpgconf --kill all
-          /usr/local/bin/gpg-agent --daemon
-
-      - name: ⚙️ Check GnuPG Version.
-        shell: bash
-        run: |
-          gpg --version
-
-      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
-        shell: bash
-        run: |
-          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
-
-          ### Private Key
-          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
-
-          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
-          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
-
-          ### Generate SSH Config for git.coresecret.dev Custom-Port
-          cat <<EOF >| ~/.ssh/config
-          Host git.coresecret.dev
-            HostName git.coresecret.dev
-            Port 42842
-            IdentityFile ~/.ssh/id_ed25519
-            StrictHostKeyChecking yes
-            UserKnownHostsFile ~/.ssh/known_hosts
-          EOF
-          chmod 600 ~/.ssh/config
-
-      ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
-        shell: bash
-        env:
-          ### GITHUB_REF_NAME contains the branch name from the push event.
-          GITHUB_REF_NAME: ${{ github.ref_name }}
-        run: |
-          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
-          git fetch --unshallow || echo "Nothing to fetch - already full clone."
-
-      - name: 🛠️ Cleaning the workspace.
-        shell: bash
-        run: |
-          git reset --hard
-          git clean -fd
-
-      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
-        run: |
-          set -euo pipefail
-          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
-          mkdir -m 700 "${GNUPGHOME}"
-          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
-          gpg --batch --import centurion-root.PUB.asc
-          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
-          gpg --batch --import ci-bot.sec.asc
-          ### Trust the key automatically
-          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
-          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
-
-      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
-        shell: bash
-        run: |
-          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
-          git config user.name "Marc S. Weidner BOT"
-          git config user.email "msw+bot@coresecret.dev"
-          git config commit.gpgsign true
-          git config gpg.program gpg
-          git config gpg.format openpgp
-
-      - name: ⚙️ Preparing the build environment.
-        shell: bash
-        run: |
-          set -euo pipefail
-          mkdir -p /opt/config
-          mkdir -p /opt/livebuild
-          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
-          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
-          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
-          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
-
-      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
-        shell: bash
-        run: |
-          set -euo pipefail
-          chmod 0755 ciss_live_builder.sh
-          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
-          ./ciss_live_builder.sh \
-            --autobuild=6.1.0-37-amd64 \
-            --architecture amd64 \
-            --build-directory /opt/livebuild \
-            --control "${timestamp}" \
-            --debug \
-            --dhcp-centurion \
-            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
-            --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
-            --root-password-file /opt/config/password.txt \
-            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
-            --ssh-pubkey /opt/config
-
-      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
-        shell: bash
-        env:
-          NC_BASE: "https://cloud.e2ee.li"
-          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
-          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
-        run: |
-          set -euo pipefail
-          SHARE_SUBDIR=""
-
-          echo "📥 Get directory listing via PROPFIND ..."
-          curl -s \
-          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
-          -X PROPFIND \
-          -H "Depth: 1" \
-          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
-          -o propfind_public.xml
-
-          echo "📥 Filter .iso files from the PROPFIND response ..."
-          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
-
-          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
-            echo "💡 Old ISO files found and deleted :"
-            while IFS= read -r href; do
-              FILE_URL="${NC_BASE}${href}"
-              echo "  Delete: ${FILE_URL}"
-              if curl -s \
-                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
-                  -X DELETE "${FILE_URL}"; then
-                echo "    ✅ Successfully deleted: $(basename "${href}")"
-              else
-                echo "    ❌ Error: $(basename "${href}") could not be deleted"
-              fi
-            done < public_iso_list.txt
-          else
-            echo "💡 No old ISO files found to delete."
-          fi
-
-      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
-        shell: bash
-        env:
-          NC_BASE: "https://cloud.e2ee.li"
-          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
-          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
-        run: |
-          set -euo pipefail
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
-            echo "❌ There must be exactly one .iso file in the directory!"
-            exit 1
-          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
-            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
-            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
-          fi
-
-          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
-          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
-          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
-            echo "✅ New ISO successfully uploaded."
-          else
-            echo "❌ Uploading the new ISO failed."
-            exit 1
-          fi
-
-      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
-        shell: bash
-        run: |
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
-            echo "❌ There must be exactly one .iso file in the directory!"
-            exit 1
-          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
-            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
-            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
-          fi
-
-          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
-          touch "${VAR_ISO_FILE_SHA512}"
-          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
-          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
-          touch "${SIGNATURE_FILE}"
-          export GNUPGHOME="$(pwd)/.gnupg"
-          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
-
-          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-          PRIVATE_FILE="LIVE_ISO_FLV_0.private"
-          touch "${PRIVATE_FILE}"
-          cat << EOF >| "${PRIVATE_FILE}"
-          # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
-          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-          # SPDX-FileType: SOURCE
-          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-          # SPDX-PackageName: CISS.debian.live.builder
-          # SPDX-Security-Contact: security@coresecret.eu
-
-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
-
-          CISS.debian.live.builder ISO :
-            "${VAR_ISO_FILE_NAME}"
-          CISS.debian.live.builder ISO sha512 :
-            $(< "${VAR_ISO_FILE_SHA512}")
-          CISS.debian.live.builder ISO sha512 sign :
-            $(< "${SIGNATURE_FILE}")
-
-          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
-          EOF
-
-      - name: 🚧 Stash local changes (including untracked).
-        shell: bash
-        env:
-          GIT_SSH_COMMAND: "ssh -p 42842"
-        run: |
-          set -euo pipefail
-          ### Temporarily store any local modifications or untracked files.
-          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
-
-      - name: 🔄 Sync with remote before commit using merge strategy.
-        shell: bash
-        env:
-          GIT_SSH_COMMAND: "ssh -p 42842"
-        run: |
-          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
-
-          echo "🔄 Fetching origin/master ..."
-          git fetch origin master
-
-          echo "🔁 Merging origin/master into current branch ..."
-          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
-
-          echo "📋 Post-merge status :"
-          git status
-          git log --oneline -n 5
-
-      - name: 🛠️ Restore stashed changes.
-        shell: bash
-        env:
-          GIT_SSH_COMMAND: "ssh -p 42842"
-        run: |
-          set -euo pipefail
-          ### Apply previously stashed changes.
-          git stash pop || echo "✔️ Nothing to pop."
-
-      - name: 📦 Stage generated files.
-        shell: bash
-        env:
-          GIT_SSH_COMMAND: "ssh -p 42842"
-        run: |
-          set -euo pipefail
-          PRIVATE_FILE="LIVE_ISO_FLV_0.private"
-          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
-
-      - name: 🔑 Commit and sign changes with CI metadata.
-        shell: bash
-        env:
-          GIT_SSH_COMMAND: "ssh -p 42842"
-        run: |
-          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
-
-          if git diff --cached --quiet; then
-            echo "✔️ No staged changes to commit."
-          else
-            echo "📝 Committing changes with GPG signature ..."
-
-            ### CI Metadata
-            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
-            HOSTNAME="$(hostname -f || hostname)"
-            GIT_SHA="$(git rev-parse --short HEAD)"
-            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
-            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
-
-            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 0 [skip ci]
-
-          ${CI_HEADER}
-
-          Generated at : ${TIMESTAMP_UTC}
-          Runner Host  : ${HOSTNAME}
-          Workflow ID  : ${WORKFLOW_ID}
-          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
-          "
-
-            echo "🔏 Commit message :"
-            echo "${COMMIT_MSG}"
-            git commit -S -m "${COMMIT_MSG}"
-          fi
-
-      - name: 🔁 Push back to repository.
-        shell: bash
-        env:
-          GIT_SSH_COMMAND: "ssh -p 42842"
-        run: |
-          set -euo pipefail
-          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
-          git push origin HEAD:${GITHUB_REF_NAME}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_trixie_0.yaml

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -13,6 +13,10 @@
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 
+defaults:
+  run:
+    shell: bash
+
 permissions:
   contents: write
 
@@ -21,32 +25,34 @@ on:
     branches:
       - master
     paths:
-      - '.gitea/trigger/t_generate_PRIVATE_trixie.yaml'
+      - '.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml'
 
 jobs:
-  generate-private-ciss-debian-live-iso:
+  generate-private-cdlb-trixie:
     name: 🔐 Generating a Private Live ISO TRIXIE.
-    runs-on: ciss.debian.live.builder.iso.generator
+    runs-on: cdlb.trixie
 
-    ### Run all steps inside Debian Trixie
     container:
       image: debian:trixie
 
     steps:
       - name: 🛠️ Basic Image Setup.
+        shell: bash
         run: |
           export DEBIAN_FRONTEND=noninteractive
-          apt-get update -y
+          apt-get update
           apt-get upgrade -y
           apt-get install -y --no-install-recommends \
             apt-utils \
             bash \
             ca-certificates \
+            curl \
             git \
             gnupg \
             openssh-client \
             openssl \
-            sudo
+            sudo \
+            util-linux
 
       - name: ⚙️ Check GnuPG Version.
         shell: bash
@@ -237,7 +243,7 @@ jobs:
 
           timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
           VAR_DATE="$(date +%F)"
-          PRIVATE_FILE="LIVE_ISO_FLV_0.private"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
           touch "${PRIVATE_FILE}"
           cat << EOF >| "${PRIVATE_FILE}"
           # SPDX-Version: 3.0
@@ -305,7 +311,7 @@ jobs:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
           set -euo pipefail
-          PRIVATE_FILE="LIVE_ISO_FLV_0.private"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
           git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
 
       - name: 🔑 Commit and sign changes with CI metadata.
@@ -329,7 +335,7 @@ jobs:
             WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
-            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 0 [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
 
           ${CI_HEADER}
 

.gitea/workflows/generate_PRIVATE_trixie_1.yaml

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -11,7 +11,11 @@
 
 ### Version Master V8.13.008.2025.08.22
 
-name: 🔐 Generating a Private Live ISO FLV 1.
+name: 🔐 Generating a Private Live ISO TRIXIE.
+
+defaults:
+  run:
+    shell: bash
 
 permissions:
   contents: write
@@ -21,164 +25,34 @@ on:
     branches:
       - master
     paths:
-      - '.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml'
+      - '.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml'
 
 jobs:
-  generate-private-ciss-debian-live-iso:
+  generate-private-cdlb-trixie:
-    name: 🔐 Generating a Private Live ISO FLV 1.
+    name: 🔐 Generating a Private Live ISO TRIXIE.
-    runs-on: ciss.debian.live.builder.iso.generator
+    runs-on: cdlb.trixie
 
-    ### Run all steps inside Debian Bookworm
     container:
-      image: debian:bookworm
+      image: debian:trixie
 
     steps:
-      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
+      - name: 🛠️ Basic Image Setup.
-        run: |
-          apt-get update -y
-          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
-          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
-            >| /etc/apt/sources.list.d/bookworm-backports.list
-          apt-get update -y
-          apt-get upgrade -y
-
-      - name: 🛠️ Installing Build Tools.
         shell: bash
         run: |
-          apt-get update -y
+          export DEBIAN_FRONTEND=noninteractive
-          apt-get install -y \
+          apt-get update
-            autoconf \
+          apt-get upgrade -y
-            automake \
+          apt-get install -y --no-install-recommends \
-            build-essential \
+            apt-utils \
-            cryptsetup \
+            bash \
+            ca-certificates \
             curl \
-            debootstrap \
-            dosfstools \
-            efibootmgr \
-            gettext \
             git \
             gnupg \
-            haveged \
+            openssh-client \
-            libbz2-dev \
+            openssl \
-            zlib1g-dev \
-            liblzma-dev \
-            libtool \
-            live-build \
-            parted \
-            pkg-config \
-            ssh \
-            ssl-cert \
             sudo \
-            texinfo \
+            util-linux
-            wget \
-            whois \
-
-      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
-        shell: bash
-        run: |
-          urls=(
-            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
-          )
-
-          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
-          gpg --batch --import signature_key.asc
-
-          for url in "${urls[@]}"; do
-            archive_name="${url##*/}"
-            pkg_name="${archive_name%.tar.bz2}"
-            echo "🔄 Processing ${pkg_name}"
-            if [[ ! -f "${archive_name}" ]]; then
-              echo "📥 Downloading: '${archive_name}'."
-              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
-                echo "✅ Download successful: '${archive_name}'."
-              else
-                echo "❌ Download NOT successful: '${archive_name}'."
-                exit 1
-              fi
-            else
-              echo "💡 Skipping download, package already exists: '${archive_name}'."
-            fi
-
-            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
-
-            if [[ ! -d "${pkg_name}" ]]; then
-              echo "📂 Extracting: '${archive_name}'."
-              if tar -xjf "${archive_name}"; then
-                echo "✅ Extraction successful: '${archive_name}'."
-              else
-                echo "❌ Extraction not successful: '${archive_name}'."
-                exit 1
-              fi
-            else
-              echo "💡 Skipping directory, already exists: '${pkg_name}'."
-            fi
-
-            echo "🏗️ Build and install the package: '${pkg_name}'."
-            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
-            mkdir -p build
-            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
-
-            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
-            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
-            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
-
-            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
-
-            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
-            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
-            echo "✅ Successful build and installation of '${pkg_name}'."
-            echo "-------------------------------------------------------------------------------------"
-
-          done
-
-          rm -f signature_key.asc
-
-          echo "✅ All packages were built and installed successfully."
-
-          mv_bin=(
-            "/usr/bin/gpg"
-            "/usr/bin/gpg-agent"
-            "/usr/bin/gpgconf"
-            "/usr/bin/gpg-connect-agent"
-            "/usr/bin/gpg-wks-client"
-            "/usr/bin/gpg-preset-passphrase"
-          )
-
-          for bin in "${mv_bin[@]}"; do
-            name="${bin##*/}"
-            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
-              if mv "${bin}" "${bin}.debian-backup"; then
-                echo "✅ Moved successfully: '${bin}'."
-              else
-                echo "❌ Moved NOT successfully: '${bin}'."
-              fi
-            else
-              echo "💡 Does not exist as build binary: '${bin}'."
-            fi
-          done
-
-          for bin in "${mv_bin[@]}"; do
-            name="${bin##*/}"
-            if [[ -f "/usr/local/bin/${name}" ]]; then
-              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
-                echo "✅ 'update-alternatives' successfully: '${bin}'."
-              else
-                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
-              fi
-            else
-              echo "💡 Does not exist: '/usr/local/bin/${name}'."
-            fi
-          done
-
-          sudo ldconfig
-
-          gpgconf --kill all
-          /usr/local/bin/gpg-agent --daemon
 
       - name: ⚙️ Check GnuPG Version.
         shell: bash
@@ -268,16 +142,17 @@ jobs:
           set -euo pipefail
           chmod 0755 ciss_live_builder.sh
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'.
           ./ciss_live_builder.sh \
-            --autobuild=6.1.0-37-amd64 \
+            --autobuild=6.12.41+deb13-amd64 \
             --architecture amd64 \
             --build-directory /opt/livebuild \
             --control "${timestamp}" \
             --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
             --root-password-file /opt/config/password.txt \
             --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
-            --ssh-pubkey /opt/config
+            --ssh-pubkey /opt/config \
+            --trixie
 
       - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
         shell: bash
@@ -364,11 +239,12 @@ jobs:
           gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
 
           timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-          PRIVATE_FILE="LIVE_ISO_FLV_1.private"
+          VAR_DATE="$(date +%F)"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
           touch "${PRIVATE_FILE}"
           cat << EOF >| "${PRIVATE_FILE}"
           # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
           # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
           # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
           # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -432,7 +308,7 @@ jobs:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
           set -euo pipefail
-          PRIVATE_FILE="LIVE_ISO_FLV_1.private"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
           git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
 
       - name: 🔑 Commit and sign changes with CI metadata.
@@ -456,7 +332,7 @@ jobs:
             WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
-            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 1 [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
 
           ${CI_HEADER}
 

.gitea/workflows/linter_char_scripts.yaml

@@ -202,11 +202,12 @@ jobs:
             echo -e "⚠️ Linting issues detected:\n"
             echo -e "${findings}"
             timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+            VAR_DATE="$(date +%F)"
             PRIVATE_FILE="LINTER_RESULTS.txt"
             touch "${PRIVATE_FILE}"
             cat << EOF >| "${PRIVATE_FILE}"
           # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
           # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
           # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
           # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -225,11 +226,12 @@ jobs:
           else
             echo "✅ No issues found in shell scripts."
             timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+            VAR_DATE="$(date +%F)"
             PRIVATE_FILE="LINTER_RESULTS.txt"
             touch "${PRIVATE_FILE}"
             cat << EOF >| "${PRIVATE_FILE}"
           # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
           # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
           # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
           # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

LINTER_RESULTS.txt

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,8 +9,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-08-22T07:12:11Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-08-22T17:25:58Z"
 
-⚠️ The last linter check was NOT successful. ⚠️
+✅ The last linter check was successful. ✅
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_TRIXIE_0.private

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-08-11T21:40:41Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-08-22T16:55:09Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_08_11T20_53_16Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_08_22T16_11_02Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  b8bcba496881e7f4e881b6816975410f6f07bd70f069f73db4ce84d61bb9758a37087753d28b212ed26b163d84176d5df97fdb1d3356a0667e15cf81d388feb6
+  35c288d96239804e244cbe99c8ce3895aec39104a7200c2ef7326d38e1ec4eea3bf60b895eaa4d981cb718ae4d27d2d4166f16252b88606a870d14c3db096a37
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaJpjWQAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaKig7QAKCRA85KY4hzOw
-IVM1AQD2lkvQOmkcR4LlCk0f6FUcqIMRRlBIwjhDiaWTKjZgeAD/cc4skxFCGmLU
+IWKWAP0Wlqbi3ArURSGW5m+E+OstdsU7qHjf+e1SVRJ3BGUzaAEAr3ceyHiiA2/7
-EhHNg/3ZoE6PGxe4Y5UFuQnJhDZe/w8=
+RlXsvZxNgVDaEVSdjmt99dMrZK7DRws=
-=rwBS
+=4Oh3
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_TRIXIE_1.private

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-08-11T20:44:02Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-08-22T17:41:13Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_08_11T19_54_44Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_08_22T16_56_12Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  6de2f5be12f73906f704488a38366a242d4c4755dd4bf325e6211b6a7a5f3be1b39315d95963d4565c5230c149024be796a136bd62e3243ee62a7805d6c20c14
+  4925332b61dbd91f0c444624bbe7de586dbd911fbb27b080a99e44ae312c5139afc502d0415d0bef7dfbd1e5461c07e0a0700f7206e746a91cbcb5403ef003e3
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaJpWEgAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaKiruQAKCRA85KY4hzOw
-IQ/xAP9rp/m86hkxhb6i7Beh7g7bxiuQYY5Q1LZX+GHmpqQ/EQEAoUzgn1Tm7+hy
+IdoTAQDqyOBkGA0xDoLsDvjFSaf3tmzz8mD/5qvsDtF6y/rEWwD/dAXzMOdQjxg8
-iaMUnRwNiJ0x77hZxcM6FnSkk2hTuAY=
+IcK+GK6u4k5/HT5bYlCvTy/WxRb5ggQ=
-=9Ot8
+=boDM
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

README.md

@@ -11,7 +11,7 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh)  
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
  
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.2-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.5-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
 [![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/)  
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de)  
@@ -70,7 +70,16 @@ separate directory tree, employs `DynamicUser` features, and adheres to strict s
 rating of **``2.6``**). Docker containers used by runners do not run in privileged mode. Security is further enhanced through the use 
 of both UFW software firewalls and dedicated hardware firewall appliances.
 
-## 1.2. Immutable Source-of-Truth System
+## 1.2. Match Host and Target Versions
+
+Build, for example, a Debian Trixie live image only on a Debian Trixie host. The build toolchain and boot artifacts are 
+release-specific: ``live-build``, ``live-boot``, ``live-config``, ``debootstrap``, ``kernel/initramfs`` tools, ``mksquashfs``, 
+``GRUB/ISOLINUX``, and even ``dpkg/apt`` often change defaults and formats between releases (e.g., compression modes, SquashFS 
+options, hook ordering, systemd/udev behavior). Building on a different host release commonly yields non-reproducible or even 
+unbootable ISOs (missing modules/firmware, ABI mismatches, divergent paths). Keeping host and target on the same version ensures
+reproducible builds, matching dependencies, and compatible boot artifacts.
+
+## 1.3. Immutable Source-of-Truth System
 
 This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static
 source-code definitions. All configurations, system components, and installation routines are embedded during build time and 
@@ -103,11 +112,11 @@ After build and configuration, the following audit reports can be generated:
 * **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations.
   Type `ssh-audit <IP>:<PORT>`. See example report: **[SSH Audit Report](/docs/AUDIT_SSH.md)**
 
-## 1.3. Preview
+## 1.4. Preview
 
 ![CISS.debian.live.builder](/docs/screenshots/CISS.debian.live.builder_preview.jpeg)
 
-## 1.4. Caution. Significant information for those considering using D-I.
+## 1.5. Caution. Significant information for those considering using D-I.
 
 **The Debian Installer (d-i) will ALWAYS boot a new system.**<br>
 
@@ -138,7 +147,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 * Logging (rsyslog, journald) ✘ not active,
 * preseed control over the network is possible (but without any protection).
 
-## 1.5. Versioning Schema
+## 1.6. Versioning Schema
 
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
 
@@ -149,7 +158,7 @@ Example: `V8.13.008.2025.08.22`
 Date (YYYY.MM.DD) denotes the build or release date, facilitating clear tracking of incremental changes and ensuring 
 reproducibility and traceability.
 
-## 1.6. Keywords
+## 1.7. Keywords
 
 The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
 "MAY", and "OPTIONAL" in this Repo are to be interpreted as described in [[BCP 14](https://www.rfc-editor.org/info/bcp14)], 
@@ -414,26 +423,27 @@ predictable script behavior.
 
 # 4. Prerequisites
 
-* **Host**: Debian Bookworm or newer with `live-build` package installed.
+* **Host**: Debian Trixie with `live-build` and ``debootstrap`` packages installed.
 * **Privileges**: Root or sudo access to execute `ciss_live_builder.sh` and related scripts.
 * **Network**: Outbound access to Debian repositories and PTB NTPsec pool.
 
 # 5. Installation & Usage
 
-# 5.1. Interactive CLI / Dialog Wrapper
+## 5.1. Interactive CLI / Dialog Wrapper
 
 1. Clone the repository:
-
    ```bash
    git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
    cd CISS.debian.live.builder
    ```
+   
 2. Preparation:
    1. Ensure you are root.
    2. Create the build directory `mkdir /opt/livebuild`.
    3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
    4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
    5. Make any other changes you need to.
+
 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
 
    ````bash
@@ -454,6 +464,7 @@ predictable script behavior.
                           --ssh-pubkey /opt/gitea/CISS.debian.live.builder \
                           --trixie
    ````
+
 4. Locate your ISO in the `--build-directory`.
 5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
 6. Type `sysp` for the final kernel hardening features.
@@ -461,7 +472,46 @@ predictable script behavior.
 8. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit.
 9. Type `celp` for some shortcuts.
 
-# 5.2. CI/CD Gitea Runner Workflow Example
+## 5.2. Make Wrapper, Quick Usage
+
+This repo ships a thin make wrapper around ``./ciss_live_builder.sh``, so you can compose a correctly quoted command and either 
+preview it or run it.
+
+1. Clone the repository:
+
+   ```bash
+   git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+   cd CISS.debian.live.builder
+   ```
+
+2. Preparation:
+   1. Ensure you are root.
+   2. Create the build directory `mkdir /opt/livebuild`.
+   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
+   4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
+   5. Copy and edit the sample and set your options (no spaces around commas in lists): 
+
+    ````bash
+    cp config.mk.sample config.mk
+    ````
+
+    ````bash
+    BUILD_DIR=/opt/livebuild
+    ROOT_PASSWORD_FILE=/opt/gitea/CISS.debian.live.builder/password.txt
+    SSH_PORT=4242
+    SSH_PUBKEY=/root/.ssh
+
+    # Optional
+    PROVIDER_NETCUP_IPV6=2001:cdb::1
+    # comma-separated; IPv6 in [] is fine
+    JUMP_HOSTS=[2001:db8::1],[2001:db8::2]     
+    ````
+
+3. Dry-run first (prints the exact command): ````make dry-run````
+
+4. Execute the build: ````make live````
+
+## 5.3. CI/CD Gitea Runner Workflow Example
 
 1. Clone the repository:
 

docs/DOCUMENTATION.md

@@ -121,7 +121,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
     specified PATH into the Live ISO. MUST be provided.
 
   --trixie
-    Create a Debian Trixie Live ISO. Experimental Feature.
+    Create a Debian Trixie Live ISO.
 
   --version, -v
     Displays version of ./ciss_live_builder.sh.

lib/lib_arg_priority_check.sh

@@ -24,7 +24,7 @@ guard_sourcing
 arg_priority_check() {
   declare var
   ### Check if nice PRIORITY is set and adjust nice priority.
-  if [[ -n ${VAR_HANDLER_PRIORITY:-} ]]; then
+  if [[  "${VAR_HANDLER_PRIORITY:-}" -ne 0 ]]; then
     if command -v renice >/dev/null; then
       renice "${VAR_HANDLER_PRIORITY}" -p "$$"
       var=$(ps -o ni= -p $$) > /dev/null 2>&1
@@ -32,12 +32,12 @@ arg_priority_check() {
       # sleep 1
       unset var
     else
-      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ⚠️ renice not installed (util-linux) \e[0m\n"
+      printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ renice not installed (util-linux) \e[0m\n"
     fi
   fi
 
   ### Check if ionice PRIORITY is set and adjust ionice priority.
-  if [[ -n ${VAR_REIONICE_CLASS:-} ]]; then
+  if [[ "${VAR_REIONICE_CLASS:-}" -ne 2 ]]; then
     if command -v ionice >/dev/null; then
       ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
       var=$(ionice -p $$) > /dev/null 2>&1
@@ -45,7 +45,7 @@ arg_priority_check() {
       # sleep 1
       unset var
     else
-      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ⚠️ ionice not installed (util-linux) \e[0m\n"
+      printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ionice not installed (util-linux) \e[0m\n"
     fi
   fi
 }

lib/lib_trap_on_err.sh

@@ -119,15 +119,18 @@ print_scr_err() {
 #   $5: ${BASH_COMMAND}
 #######################################
 trap_on_err() {
-  trap - ERR
+  trap - DEBUG ERR INT TERM
   declare -g ERRCODE="$1"
   declare -g ERRSCRT="$2"
   declare -g ERRLINE="$3"
   declare -g ERRFUNC="$4"
   declare -g ERRCMMD="$5"
+  # shellcheck disable=SC2034
+  declare -g ERRTRAP="true"
+
   if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
   clean_up "${ERRCODE}"
-  if ! $VAR_HANDLER_AUTOBUILD; then clean_screen; fi
+  if ! "${VAR_HANDLER_AUTOBUILD}"; then clean_screen; fi
   print_file_err
   print_scr_err
 }
@@ -148,6 +151,7 @@ dump_user_vars() {
   set +x
   {
     declare var
+    # shellcheck disable=SC2312
     while IFS= read -r var; do
       declare -p "${var}" 2>/dev/null
     done < <(compgen -v | grep -Ev '^(BASH|_).*')

lib/lib_trap_on_exit.sh

@@ -20,7 +20,7 @@ guard_sourcing
 #   $1: $?
 #######################################
 trap_on_exit() {
-  trap - EXIT
+  trap - DEBUG ERR EXIT INT TERM
   declare -r var_trap_on_exit_code="$1"
   if (( var_trap_on_exit_code == 0 )); then
     if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi

lib/lib_usage.sh

@@ -149,7 +149,7 @@ usage() {
     echo "    specified PATH into the Live ISO. MUST be provided."
     echo
     echo -e "\e[97m  --trixie \e[0m"
-    echo "    Create a Debian Trixie Live ISO. Experimental Feature"
+    echo "    Create a Debian Trixie Live ISO."
     echo
     echo -e "\e[97m  --version, -v \e[0m"
     echo "    Show version of ${0}."