V9.14.022.2026.06.10

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-10 18:57:46 +01:00 · 2026-06-10 17:57:31 +01:00
60 changed files with 838 additions and 85 deletions
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10

 name: 💙 Generating a PUBLIC Live ISO.

@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V9.14.020.2026.06.08"
+      placeholder: "e.g., Master V9.14.022.2026.06.10"
    validations:
      required: true

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10

 FROM debian:bookworm

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10

 name: 🔁 Render README.md to README.html.

@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V9.14.020.2026.06.08
+  version: V9.14.022.2026.06.10
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V9.14.020.2026.06.08
+  version: V9.14.022.2026.06.10
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V9.14.020.2026.06.08
+  version: V9.14.022.2026.06.10
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10

 name: 💙 Generating a PUBLIC Live ISO.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10

 # Gitea Workflow: Shell-Script Linting
 #
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10

 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10

 name: 🔁 Render Graphviz Diagrams.

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V9.14.020.2026.06.08"
+properties_version="V9.14.022.2026.06.10"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V9.14.020.2026.06.08
+PackageVersion: Master V9.14.022.2026.06.10
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.020.2026.06.08-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.022.2026.06.10-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -27,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 **CISS.debian.live.builder — First of its own.**<br>
 **World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
@@ -175,7 +175,7 @@ installer toolchain.

 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.

-Example: `V9.14.020.2026.06.08`
+Example: `V9.14.022.2026.06.10`

 `x.y.z` represents major (x), minor (y), and patch (z) version increments.

@@ -365,6 +365,11 @@ For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-cis
 ## 2.9. UFW Hardening

 * **Description**: Defaults to `deny incoming` and (optionally) `deny outgoing`; automatically opens only whitelisted ports.
+* **Primordial SSH exception**: `--primordial-url <https-git-url>`, `--primordial-key <ssh-identity-filename>` and
+  `--primordial-ssh <port>` configure the CDI Primordial overlay clone. `--primordial-ssh` also adds an outgoing-only UFW TCP
+  exception for a bootstrap/recovery SSH port when the live system's UFW outgoing policy is `deny`. It adds no incoming firewall
+  rule and does not replace `--ssh-port`. If the requested port already matches an existing outgoing SSH exception, the current
+  hook still emits the requested labelled rule because this repository has no separate UFW rule deduplication layer.
 * **Rationale**: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after
  deployment.

@@ -520,6 +525,9 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
     --signing_key_pass=signing_key_pass.txt \
     --signing_key=signing_key.asc \
     --ssh-port 4242 \
+     --primordial-url https://git.coresecret.dev/ahz/PhysNet.primordial.git \
+     --primordial-key id--git.coresecret.dev--PhysNet.primordial_deploy--ed25519--newton--2025-10 \
+     --primordial-ssh 42842 \
     --ssh-pubkey /dev/shm/cdlb_secrets \
     --sshfp \
     --trixie
@@ -569,6 +577,9 @@ preview it or run it.
    SSH_PUBKEY=/dev/shm/cdlb_secrets

    # Optional
+    PRIMORDIAL_URL=https://git.coresecret.dev/ahz/PhysNet.primordial.git
+    PRIMORDIAL_KEY=id--git.coresecret.dev--PhysNet.primordial_deploy--ed25519--newton--2025-10
+    PRIMORDIAL_SSH_PORT=42842
    PROVIDER_NETCUP_IPV6=2001:cdb::1
    # comma-separated; IPv6 in [] is fine
    JUMP_HOSTS=[2001:db8::1],[2001:db8::2]     
@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2. Repository Structure

 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **9.14**, Build **V9.14.020.2026.06.08** (as of 2025-10-11)
+**Repository State:** Master Version **9.14**, Build **V9.14.022.2026.06.10** (as of 2025-10-11)

 ## 3.1. Top-Level Layout

@@ -0,0 +1,37 @@
+                              .:-=++***#####***+==-:.
+                        .-=*#%%@@@@@@@@@@@@@@@@@@@@@%%#*=-.
+                    .=*#@@@@@@@%%%%%%%%%%%%%%%%%%%%%@@@@@@@%*=:
+                 :+#@@@@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@%*=.
+              .+#@@@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@#=:
+            :*%@@%%%%%%%%%%%%%%%%@@@@@@@@@@@@@%%%%%%%%%%%%%%%%@@@@%%%*=
+          :*@@%%%%%%%%%%%%%%@@@@@%%#*******#%%@@@@%%%%%%%%%@@%#+-:.
+        .+@@%%%%%%%%%%%%%%@@%#+-.             .-+#%@@%%%%@@#=.
+       -%@%%%%%%%%%%%%%@@%*-.    :-+**####**+-:   .-*%@@@*:
+      +@@%%%%%%%%%%%%%@%+.   :+#%@@@@@@@@@@@@@@%#+:  .+#:
+     *@%%%%%%%%%%%%%%@*.   =#@@@@%%%%%%%%%%%%%%@@@@#-
+    *@%%%%%%%%%%%%%%@-   -%@@%%%%%%%%%%%%%%%%%%%%%%@@#-
+   +@%%%%%%%%%%%%%%@-   +@@%%%%%%%%%%%%%%%%%%%%%%%%%%@@+-*#
+  -@%%%%%%%%%%%%%%@+   +@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@-
+  %%%%%%%%%%%%%%%%%   :@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ -@%%%%%%%%%%%%%%@*   +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@=
+ #%%%%%%%%%%%%%%%@=   *@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+.%%%%%%%%%%%%%%%%@+   +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@%%%%%%%=
+-@%%%%%%%%%%%%%%%@*   :@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@@@@@.
+=@%%%%%%%%%%%%%%%%%.   #@%%%%%%%%%%%%%%%%%%%%%%%%%%%*..:--==+*-
+=@%%%%%%%%%%%%%%%%@=   :@%%%%%%%%%%%%%%%%%%%%%%%%%%%@#:
+=@%%%%%%%%%%%%%%%%%%.   +@%%%%%%%%%%%%%%%%%%%%%%%%%%%@@+
+:@%%%%%%%%%%%%%%%%%@#    #%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@#::::.
+ %@%%%%%%%%%%%%%%%%%@=   :@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@@@%#:
+ *%%%%%%%%%%%%%%%%%%-     *@%%%%%%%%%%%%%%%@@@@%%%%%%%%%%%%%%%@@@.
+ :@%%%%%%%%%%%%%%%@-      -@%%%%%%%%%%%%@@@%%%%%@@%%%%%%%%%%%%%%%.
+  *@%%%%%%%%%%%%%@+       .%%%%%%%%%%%@@*=:.   .-*@%%%%%%%%%%%%@=
+  .%%%%%%%%%%%%%%%.       .%%%%%%%%%@@*:          :%%%%%%%%%%%@+
+   =@%%%%%%%%%%%@*        -@%%%%%%%@#:             =@%%%%%%%%@*
+    +@%%%%%%%%%%@.        *@%%%%%@@+               .@%%%%%%%%%.
+     *@%%%%%%%%@+        -@%%%%%@%-                .@%%%%%%%@=
+      +@%%%%%@@*        :%%%%%@@*.                 -@%%%%%%%%
+       =@@@@@#-        :%%%%@@%-                   #%%%%%%%@+
+        :#*+:         :%%%@@%+                    -@@@%%%%%@:
+                     =@@@@#=.                      :+#@@@@%%.
+                   .*%#*=.                            .=*%@%
+                   ::.                                   .-+
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2. CISS Secure Boot Private Material

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2. CISS Secure Boot Public Material

@@ -111,6 +111,7 @@ source_guard "./var/bash.var.sh"
 ### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG.
 for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh   ; contact; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh     ; usage  ; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -l|--logo)    . ./lib/lib_logo.sh      ; logo   ; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh   ; version; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done

@@ -15,6 +15,10 @@ BUILD_DIR            ?=
 DROPBEAR_VERSION     ?=
 ### Optional SOPS release override; empty uses VAR_SOPS_VERSION from var/global.var.sh:
 SOPS_VERSION         ?=
+### Optional Primordial CDI overlay settings; all three values are required for automatic overlay bootstrap:
+PRIMORDIAL_URL       ?=
+PRIMORDIAL_KEY       ?=
+PRIMORDIAL_SSH_PORT  ?=
 PROVIDER_NETCUP_IPV6 ?=
 ROOT_PASSWORD_FILE   ?=
 ### Secure Boot profile; debian-shim or ciss-uki:
@@ -15,6 +15,7 @@ printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 declare -r UFW_OUT_POLICY="deny"
 declare -r SSHPORT="SSHPORT_MUST_BE_SET"
+# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET

 ufw --force reset

@@ -44,7 +45,8 @@ if [[ ${UFW_OUT_POLICY,,} == "deny"  ]]; then
  ufw allow out  853/tcp comment 'Outgoing DoT'
  ufw allow out  993/tcp comment 'Outgoing IMAPS'
  ufw allow out 4460/tcp comment 'Outgoing NTS'
-  ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH (Custom-Port)'
+  ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH Custom-Port'
+  # PRIMORDIAL_SSH_RULE_MUST_BE_SET
  ufw allow out   53/udp comment 'Outgoing DNS'
  ufw allow out  123/udp comment 'Outgoing NTP'
  ufw allow out  443/udp comment 'Outgoing QUIC'
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10

 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10

 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.020.2026.06.08
+# Version Master V9.14.022.2026.06.10

 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-declare -gr VERSION="Master V9.14.020.2026.06.08"
+declare -gr VERSION="Master V9.14.022.2026.06.10"

 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh

 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V9.14.020.2026.06.08 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V9.14.022.2026.06.10 at: 10:18:37.9542
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2. DNSSEC Status

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2. Haveged Audit on Netcup RS 2000 G11

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2. Lynis Audit:

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2. SSH Audit by ssh-audit.com

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2. TLS Audit:
 ````text
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2. Hardened Kernel Boot Parameters

@@ -8,11 +8,17 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2. Changelog

+## V9.14.022.2026.06.10
+* **Added**: [lib_logo.sh](../lib/lib_logo.sh)
+* **Added**: [9999_cdi_starter.sh](../scripts/usr/local/sbin/9999_cdi_starter.sh) Retrieve rdns for Primordial-Workflow™
+* **Added**: [0900_ufw_setup.chroot](../config/hooks/live/0900_ufw_setup.chroot) SSH ufw out exception for Primordial-Workflow™
+
 ## V9.14.020.2026.06.08
+* **Added**: [bootscreen.txt](../bootscreen.txt)
 * **Changed**: ``sops 3.13.0`` to ``sops 3.13.1``

 ## V9.14.018.2026.06.07
@@ -132,7 +138,7 @@ include_toc: true
 * **Changed**: [lib_check_secrets.sh](../lib/lib_check_secrets.sh) + updated shopt handling.
 * **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) + integrates and generates sha512sum and GPG signatures on CISS specific LIVE boot artifacts.
 * **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) + integration of optional import of offline GPG CA public keys.
-* **Changed**: [lib_primordial.sh](../lib/lib_primordial.sh) + Updates for CISS and PhysNet primordial-workflow™.
+* **Changed**: [lib_primordial.sh](../lib/lib_primordial.sh) + Updates for CISS and PhysNet Primordial-Workflow™.
 * **Changed**: [lib_usage.sh](../lib/lib_usage.sh) + ``--signing_ca=*``.
 * **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) + ``! -path './live/filesystem.squashfs'``
 * **Changed**: [9999_cdi_starter.sh](../scripts/usr/local/sbin/9999_cdi_starter.sh) + increased verbosity.
@@ -186,10 +192,10 @@ include_toc: true
 * **Added**: [marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc](../.pubkey/marc_s_weidner_msw%2Bdeploy%40coresecet.dev_0x2CCF4601_public.asc)
 * **Added**: [0870_bashdb.chroot](../config/hooks/live/0870_bashdb.chroot) bashdb debugger https://github.com/Trepan-Debuggers/bashdb.git
 * **Added**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) Unified handling via includes.chroot.
-* **Added**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) Updates for CISS and PhysNet primordial-workflow™.
-* **Added**: [lib_ciss_upgrades_build.sh](../lib/lib_ciss_upgrades_build.sh) Updates for CISS and PhysNet primordial-workflow™.
-* **Added**: [lib_gnupg.sh](../lib/lib_gnupg.sh) Updates for CISS and PhysNet primordial-workflow™.
-* **Added**: [lib_primordial.sh](../lib/lib_primordial.sh) Updates for CISS and PhysNet primordial-workflow™.
+* **Added**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) Updates for CISS and PhysNet Primordial-Workflow™.
+* **Added**: [lib_ciss_upgrades_build.sh](../lib/lib_ciss_upgrades_build.sh) Updates for CISS and PhysNet Primordial-Workflow™.
+* **Added**: [lib_gnupg.sh](../lib/lib_gnupg.sh) Updates for CISS and PhysNet Primordial-Workflow™.
+* **Added**: [lib_primordial.sh](../lib/lib_primordial.sh) Updates for CISS and PhysNet Primordial-Workflow™.
 * **Added**: [0030-ciss-verify-checksums](../scripts/usr/lib/live/boot/0030-ciss-verify-checksums) Unified handling via includes.chroot.
 * **Bugfixes**: [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-linter_char_scripts.yaml}"
 * **Bugfixes**: [render-dnssec-status.yaml](../.gitea/workflows/render-dnssec-status.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dnssec-status.yaml}"
@@ -197,11 +203,11 @@ include_toc: true
 * **Changed**: [generate_PRIVATE_trixie_1.yaml](../.gitea/workflows/generate_PRIVATE_trixie_1.yaml) Rewritten for new secrets handling.
 * **Changed**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) + VAR_DATE improvements.
 * **Changed**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + VAR_DATE improvements.
-* **Changed**: [9930_hardening_ssh.chroot](../config/hooks/live/9930_hardening_ssh.chroot) Rewritten for CISS and PhysNet primordial-workflow™.
+* **Changed**: [9930_hardening_ssh.chroot](../config/hooks/live/9930_hardening_ssh.chroot) Rewritten for CISS and PhysNet Primordial-Workflow™.
 * **Changed**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot) + Final update-initramfs
 * **Changed**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) + Less strict MaxStartups settings.
 * **Changed**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) + tmux
-* **Changed**: [lib_arg_parser.sh](../lib/lib_arg_parser.sh) Rewritten for CISS and PhysNet primordial-workflow™.
+* **Changed**: [lib_arg_parser.sh](../lib/lib_arg_parser.sh) Rewritten for CISS and PhysNet Primordial-Workflow™.
 * **Changed**: [lib_arg_priority_check.sh](../lib/lib_arg_priority_check.sh) Unified UI.
 * **Changed**: [lib_cdi.sh](../lib/lib_cdi.sh) + Commandline parameters: verify-checksums=sha512,sha384 verify-checksums-signatures
 * **Changed**: [lib_change_splash.sh](../lib/lib_change_splash.sh) Unified UI.
@@ -210,11 +216,11 @@ include_toc: true
 * **Changed**: [lib_check_kernel.sh](../lib/lib_check_kernel.sh) Minor declare unification.
 * **Changed**: [lib_check_pkgs.sh](../lib/lib_check_pkgs.sh) Improved command checks. Unified UI.
 * **Changed**: [lib_check_provider.sh](../lib/lib_check_provider.sh) Unified variables.
-* **Changed**: [lib_clean_up.sh](../lib/lib_clean_up.sh) Secure deletion of CISS and PhysNet primordial-workflow™ artifacts.
+* **Changed**: [lib_clean_up.sh](../lib/lib_clean_up.sh) Secure deletion of CISS and PhysNet Primordial-Workflow™ artifacts.
 * **Changed**: [lib_debug.sh](../lib/lib_debug.sh) + Integrated EPOCH in PS4.
 * **Changed**: [lib_debug_header.sh](../lib/lib_debug_header.sh) + Integrated SOURCE_DATE_EPOCH.
 * **Changed**: [lib_hardening_root_pw.sh](../lib/lib_hardening_root_pw.sh) Unified UI.
-* **Changed**: [lib_hardening_ultra.sh](../lib/lib_hardening_ultra.sh) Rewritten for CISS and PhysNet primordial-workflow™.
+* **Changed**: [lib_hardening_ultra.sh](../lib/lib_hardening_ultra.sh) Rewritten for CISS and PhysNet Primordial-Workflow™.
 * **Changed**: [lib_hardening_ssh_tcp.sh](../lib/lib_hardening_ssh_tcp.sh) Unified UI.
 * **Changed**: [lib_lb_build_start.sh](../lib/lib_lb_build_start.sh) Deterministic return code examination.
 * **Changed**: [lib_lb_config_start.sh](../lib/lib_lb_config_start.sh) Removed potential disown race condition.
@@ -254,11 +260,11 @@ include_toc: true
 ## V8.13.290.2025.10.26
 * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + ESP/FAT/UEFI mods
 * **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot)
-* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh) Preparations for CISS and PhysNet primordial-workflow™.
+* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh) Preparations for CISS and PhysNet Primordial-Workflow™.

 ## V8.13.288.2025.10.24
-* **Added**: Preparations for CISS and PhysNet primordial-workflow™.
-* **Added**: [0865_yq.chroot](../config/hooks/live/0865_yq.chroot)Preparations for CISS and PhysNet primordial-workflow™.
+* **Added**: Preparations for CISS and PhysNet Primordial-Workflow™.
+* **Added**: [0865_yq.chroot](../config/hooks/live/0865_yq.chroot)Preparations for CISS and PhysNet Primordial-Workflow™.
 * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + nftables mods
 * **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) + banaction = nftables-*
 * **Updated**: [0900_ufw_setup.chroot](../config/hooks/live/0900_ufw_setup.chroot) changed var injection
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2. Centurion Net - Developer Branch Overview

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2. Purpose

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2. Contributing / participating

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2. Credits

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2. Download the latest PUBLIC CISS.debian.live.ISO

@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2.1. Usage
 ````text
                        CDLB(1)                        CISS.debian.live.builder                        CDLB(1)

 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V9.14.020.2026.06.08
+Master V9.14.022.2026.06.10
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.

 (c) Marc S. Weidner, 2018 - 2026
@@ -98,6 +98,24 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
    Provides statistic only after successful building a CISS.debian.live-ISO. While enabling '--log-statistics-only'
    the argument '--build-directory' MUST be provided.

+  --primordial-key <ssh-identity-filename>
+    SSH identity filename for the Primordial overlay clone. This MUST be a filename only; the runtime path is derived as
+    '/root/.ssh/<ssh-identity-filename>'.
+    Example fragment:
+      ./ciss_live_builder.sh --primordial-url https://git.coresecret.dev/ahz/PhysNet.primordial.git \
+        --primordial-key id--git.coresecret.dev--PhysNet.primordial_deploy--ed25519--newton--2025-10 \
+        --primordial-ssh 42842
+        
+  --primordial-ssh <INTEGER>
+    Adds one outgoing UFW TCP exception for a bootstrap/recovery SSH port.
+    Outgoing only: no incoming firewall rule is added, and this option does not replace '--ssh-port'.
+    Effective only when the Live System's UFW outgoing policy is 'deny'.
+    Port MUST be a decimal integer between '1' and '65535'.
+
+  --primordial-url <https-git-url>
+    HTTPS Git repository URL for the Primordial CDI overlay. MUST start with 'https://', include a host and path, and end in
+    '.git'. The CDI starter converts this URL to an SSH clone URL at runtime.
+
  --provider-netcup-ipv6
    Activates IPv6 support for Netcup Root Server. One unique IPv6 address MUST be provided in this case and MUST be
    encapsulated with [], e.g., [1234::abcd].
@@ -168,7 +186,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/

-                        V9.14.020.2026.06.08                        2026-05-17                         CDLB(1)
+                        V9.14.022.2026.06.10                        2026-05-17                         CDLB(1)
 ````

 # 3. Booting
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2. Resources

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2. ``30-ciss-hardening.conf``

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2. ``90-ciss-local.hardened``

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.020.2026.06.08<br>
+**Build**: V9.14.022.2026.06.10<br>

 # 2. ``ciss_live_builder.sh``

@@ -38,6 +38,9 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   VAR_ISO8601
 #   VAR_LUKS
 #   VAR_LUKS_KEY
+#   VAR_PRIMORDIAL_KEY
+#   VAR_PRIMORDIAL_SSH_PORT
+#   VAR_PRIMORDIAL_URL
 #   VAR_REIONICE_CLASS
 #   VAR_REIONICE_PRIORITY
 #   VAR_SIGNER
@@ -73,6 +76,9 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   ERR__SSH__PORT: on failure
 #######################################
 arg_parser() {
+  declare primordial_key_regex='^[A-Za-z0-9._@%+=:,~-]+$'
+  declare primordial_url_regex='^https://[A-Za-z0-9.-]+/[A-Za-z0-9._~/%+=:@,-]+\.git$'
+
  while [[ $# -gt 0 ]]; do

    declare argument="${1}"
@@ -287,6 +293,99 @@ arg_parser() {
          shift 1
          ;;

+        --primordial-key)
+          declare primordial_key="${2-}"
+
+          if [[ -n "${primordial_key}" && "${primordial_key}" != -* && "${primordial_key}" != "." && "${primordial_key}" != ".." && "${primordial_key}" != */* && "${primordial_key}" =~ ${primordial_key_regex} ]]; then
+
+            # shellcheck disable=SC2034
+            declare -gx VAR_PRIMORDIAL_KEY="${primordial_key}"
+            shift 2
+
+          else
+
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            printf "\e[91m❌ Error: --primordial-key MUST be a filename matching '^[A-Za-z0-9._@%%+=:,~-]+$' and MUST NOT be '.', '..', or contain '/'.\e[0m\n" >&2
+            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+            exit "${ERR_ARG_MSMTCH}"
+
+          fi
+          ;;
+
+        --primordial-key=*)
+          declare primordial_key="${1#*=}"
+
+          if [[ -n "${primordial_key}" && "${primordial_key}" != "." && "${primordial_key}" != ".." && "${primordial_key}" != */* && "${primordial_key}" =~ ${primordial_key_regex} ]]; then
+
+            # shellcheck disable=SC2034
+            declare -gx VAR_PRIMORDIAL_KEY="${primordial_key}"
+            shift 1
+
+          else
+
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            printf "\e[91m❌ Error: --primordial-key MUST be a filename matching '^[A-Za-z0-9._@%%+=:,~-]+$' and MUST NOT be '.', '..', or contain '/'.\e[0m\n" >&2
+            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+            exit "${ERR_ARG_MSMTCH}"
+
+          fi
+          ;;
+
+        --primordial-ssh)
+          if [[ -n "${2-}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then
+
+            # shellcheck disable=SC2034
+            declare -gix VAR_PRIMORDIAL_SSH_PORT="${2}"
+            shift 2
+
+          else
+
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            printf "\e[91m❌ Error: --primordial-ssh MUST be an integer between '1' and '65535'.\e[0m\n" >&2
+            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+            exit "${ERR__SSH__PORT}"
+
+          fi
+          ;;
+
+        --primordial-url)
+          declare primordial_url="${2-}"
+
+          if [[ -n "${primordial_url}" && "${primordial_url}" != -* && "${primordial_url}" =~ ${primordial_url_regex} ]]; then
+
+            # shellcheck disable=SC2034
+            declare -gx VAR_PRIMORDIAL_URL="${primordial_url}"
+            shift 2
+
+          else
+
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            printf "\e[91m❌ Error: --primordial-url MUST be an HTTPS Git URL with non-empty host, non-empty path, and '.git' suffix.\e[0m\n" >&2
+            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+            exit "${ERR_ARG_MSMTCH}"
+
+          fi
+          ;;
+
+        --primordial-url=*)
+          declare primordial_url="${1#*=}"
+
+          if [[ -n "${primordial_url}" && "${primordial_url}" =~ ${primordial_url_regex} ]]; then
+
+            # shellcheck disable=SC2034
+            declare -gx VAR_PRIMORDIAL_URL="${primordial_url}"
+            shift 1
+
+          else
+
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            printf "\e[91m❌ Error: --primordial-url MUST be an HTTPS Git URL with non-empty host, non-empty path, and '.git' suffix.\e[0m\n" >&2
+            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+            exit "${ERR_ARG_MSMTCH}"
+
+          fi
+          ;;
+
        --provider-netcup-ipv6)
          if [[ -n "${2-}" && "${2}" != -* ]]; then
            declare -i count=0
@@ -19,6 +19,9 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_HANDLER_CDI
 #   VAR_KERNEL
+#   VAR_PRIMORDIAL_KEY
+#   VAR_PRIMORDIAL_SSH_PORT
+#   VAR_PRIMORDIAL_URL
 #   VAR_WORKDIR
 # Arguments:
 #   None
@@ -38,7 +41,20 @@ cdi() {

    fi

-    install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/local/sbin/9999_cdi_starter.sh" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999_cdi_starter.sh"
+    declare var_cdi_starter="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999_cdi_starter.sh"
+    declare var_primordial_key_q="" var_primordial_ssh_port_q="" var_primordial_url_q=""
+
+    install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/local/sbin/9999_cdi_starter.sh" "${var_cdi_starter}"
+
+    printf -v var_primordial_key_q '%q' "${VAR_PRIMORDIAL_KEY:-}"
+    printf -v var_primordial_ssh_port_q '%q' "${VAR_PRIMORDIAL_SSH_PORT:-}"
+    printf -v var_primordial_url_q '%q' "${VAR_PRIMORDIAL_URL:-}"
+
+    sed -i \
+      -e "s|^declare -gx   VAR_PRIMORDIAL_KEY=.*$|declare -gx   VAR_PRIMORDIAL_KEY=${var_primordial_key_q}          # Primordial SSH identity filename.|" \
+      -e "s|^declare -gx   VAR_PRIMORDIAL_SSH_PORT=.*$|declare -gx   VAR_PRIMORDIAL_SSH_PORT=${var_primordial_ssh_port_q}     # Primordial SSH port.|" \
+      -e "s|^declare -gx   VAR_PRIMORDIAL_URL=.*$|declare -gx   VAR_PRIMORDIAL_URL=${var_primordial_url_q}          # Primordial HTTPS Git URL.|" \
+      "${var_cdi_starter}"

    declare tmp_entry
    tmp_entry="$(mktemp)"
@@ -13,13 +13,14 @@
 guard_sourcing || return "${ERR_GUARD_SRCE}"

 #######################################
-# Module for accompanying all 'CISS.debian.hardening' features into the Live ISO image.
+# Module for following all 'CISS.debian.hardening' features into the Live ISO image.
 # Globals:
 #   ARY_HANDLER_JUMPHOST
 #   ARY_HANDLER_JUMPHOST_UNIQUE
 #   BASH_SOURCE
 #   VAR_ARCHITECTURE
 #   VAR_HANDLER_BUILD_DIR
+#   VAR_PRIMORDIAL_SSH_PORT
 #   VAR_SSHFP
 #   VAR_SSHPORT
 #   VAR_SSHPUBKEY
@@ -196,12 +197,26 @@ hardening_ultra() {
  sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"

  ### /config/hooks/live/0900_ufw_setup.chroot
-  sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
+  declare ufw_file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
+  sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${ufw_file}"
+
+  declare primordial_ssh_port="${VAR_PRIMORDIAL_SSH_PORT:-}"
+  if [[ -n "${primordial_ssh_port}" ]]; then
+
+    sed -i "s|^# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET$|declare -r PRIMORDIAL_SSH_PORT=\"${primordial_ssh_port}\"|" "${ufw_file}"
+    sed -i "s|^[[:space:]]*# PRIMORDIAL_SSH_RULE_MUST_BE_SET$|  ufw allow out \"\${PRIMORDIAL_SSH_PORT}\"/tcp comment 'Outgoing Primordial SSH'|" "${ufw_file}"
+
+  else
+
+    sed -i '/^# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET$/d' "${ufw_file}"
+    sed -i '/^[[:space:]]*# PRIMORDIAL_SSH_RULE_MUST_BE_SET$/d' "${ufw_file}"
+
+  fi

  ### /config/hooks/live/0900_ufw_setup.chroot
  if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then

-    declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
+    declare file="${ufw_file}"

    sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"

@@ -251,7 +266,7 @@ hardening_ultra() {
  ### ./config/hooks/live/9950_hardening_fail2ban.chroot -----------------------------------------------------------------------
  if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then

-    printf "\e[95m🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"
+    printf "\e[95m🧪 Updating fail2ban Jump-hosts IPs ... \e[0m\n"

    # Join array entries with spaces, preserving any newlines
    declare ips="${ARY_HANDLER_JUMPHOST[*]}"
@@ -265,7 +280,7 @@ hardening_ultra() {
    # Perform an in-place replacement of IGNORE_IP_MUST_BE_SET with the cleaned list
    sed -i -E "/^[[:space:]]*ignoreip[[:space:]]*=/ s|IGNORE_IP_MUST_BE_SET|${flat_ips}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"

-    printf "\e[92m✅ Updating fail2ban Jumphosts IPs done. \e[0m\n"
+    printf "\e[92m✅ Updating fail2ban Jump-hosts IPs done. \e[0m\n"

  else

@@ -0,0 +1,33 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2026-06-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Logo Wrapper CISS.debian.live.builder
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+logo() {
+  clear
+  printf '\033[95m'
+  cat centurion.txt
+  printf '\033[0m\n'
+  sleep 4
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f logo
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -90,7 +90,7 @@ init_primordial() {

  fi

-  ### Check for SSH CISS and PhysNet primordial-workflow(tm) integration -------------------------------------------------------
+  ### Check for SSH CISS and PhysNet Primordial-Workflow™ integration -------------------------------------------------------
  if [[ "${VAR_SSHFP,,}" == "true" ]]; then

    install -d -m 0700                      "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
@@ -55,7 +55,7 @@ sanitize_arg() {
    {
      printf "❌ Control character   : '%s'. \n" "${disallowed_ctrl}"
      printf "❌         in argument : '%s'. \n" "${input}"
-      printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \n"
+      printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" @ %% , ~ - + space' \n"
      printf "\n"
    } >> "${LOG_ERROR}"

@@ -63,7 +63,7 @@ sanitize_arg() {

    printf "\e[91m❌ Control character   : '%s'. \e[0m\n" "${disallowed_ctrl}" >&2
    printf "\e[91m❌         in argument : '%s'. \e[0m\n" "${input}" >&2
-    printf "\e[91m❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \e[0m\n" >&2
+    printf "\e[91m❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" @ %% , ~ - + space' \e[0m\n" >&2

    # shellcheck disable=SC2162
    read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -73,8 +73,8 @@ sanitize_arg() {
  fi

  ### Step 2: Define allowed characters:
-  ### letters, digits, dot, underscore, slash, equals, [, ], colon, double-quote, hyphen, space.
-  declare allowed='a-zA-Z0-9._/=\[\]:"\-+ '
+  ### letters, digits, dot, underscore, slash, equals, [, ], colon, double-quote, @, %, comma, tilde, hyphen, plus, space.
+  declare allowed='a-zA-Z0-9._/=\[\]:"@%,~\-+ '
  declare disallowed
  disallowed=$(printf '%s' "${input}" | tr -d "${allowed}")

@@ -82,7 +82,7 @@ sanitize_arg() {
    {
      printf "❌ Invalid character   : '%s'. \n" "${disallowed//?/& }"
      printf "❌         in argument : '%s'. \n" "${input}"
-      printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \n"
+      printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" @ %% , ~ - + space' \n"
      printf "\n"
    } >> "${LOG_ERROR}"

@@ -90,7 +90,7 @@ sanitize_arg() {

    printf "\e[91m❌ Invalid character   : '%s'. \e[0m\n" "${disallowed//?/& }" >&2
    printf "\e[91m❌         in argument : '%s'. \e[0m\n" "${input}" >&2
-    printf "\e[91m❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \e[0m\n" >&2
+    printf "\e[91m❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" @ %% , ~ - + space' \e[0m\n" >&2

    # shellcheck disable=SC2162
    read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -119,8 +119,8 @@ readonly -f sanitize_arg
 sanitize_string() {
  declare input="$1"
  ### Define allowed characters:
-  ### letters, digits, dot, underscore, slash, equals, [, ], colon, double-quote, hyphen, space.
-  declare allowed='a-zA-Z0-9._/=\[\]:"\-+ '
+  ### letters, digits, dot, underscore, slash, equals, [, ], colon, double-quote, @, %, comma, tilde, hyphen, plus, space.
+  declare allowed='a-zA-Z0-9._/=\[\]:"@%,~\-+ '
  printf '%s' "${input}" | tr -cd "${allowed}"
 }
 ### Prevents accidental 'unset -f'.
@@ -39,13 +39,13 @@ usage() {
  # shellcheck disable=SC2155
  declare var_header=$(center "CDLB(1)                        CISS.debian.live.builder                        CDLB(1)" "${var_cols}")
  # shellcheck disable=SC2155
-  declare var_footer=$(center "V9.14.020.2026.06.08                        2026-06-08                         CDLB(1)" "${var_cols}")
+  declare var_footer=$(center "V9.14.022.2026.06.10                        2026-06-10                         CDLB(1)" "${var_cols}")

  {
    echo -e "\e[1;97m${var_header}\e[0m"
    echo
    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V9.14.020.2026.06.08\e[0m"
+    echo -e "\e[92mMaster V9.14.022.2026.06.10\e[0m"
    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
    echo
    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m"
@@ -120,6 +120,24 @@ usage() {
    echo "    Provides statistic only after successful building a CISS.debian.live-ISO. While enabling '--log-statistics-only'"
    echo "    the argument '--build-directory' MUST be provided."
    echo
+    echo -e "\e[97m  --primordial-key <ssh-identity-filename> \e[0m"
+    echo "    SSH identity filename for the Primordial overlay clone. This MUST be a filename only; the runtime path is"
+    echo "    derived as '/root/.ssh/<ssh-identity-filename>'."
+    echo "    Example fragment:"
+    echo "      ./ciss_live_builder.sh --primordial-url https://git.coresecret.dev/ahz/PhysNet.primordial.git \\"
+    echo "        --primordial-key id--git.coresecret.dev--PhysNet.primordial_deploy--ed25519--newton--2025-10 \\"
+    echo "        --primordial-ssh 42842"
+    echo
+    echo -e "\e[97m  --primordial-ssh <INTEGER> \e[0m"
+    echo "    Adds one outgoing UFW TCP exception for a bootstrap SSH port."
+    echo "    Outgoing only: no incoming firewall rule is added, and this option does not replace '--ssh-port'."
+    echo "    Effective only when the Live System's UFW outgoing policy is 'deny'."
+    echo "    Port MUST be a decimal integer between '1' and '65535'."
+    echo
+    echo -e "\e[97m  --primordial-url <https-git-url> \e[0m"
+    echo "    HTTPS Git repository URL for the Primordial CDI overlay. MUST start with 'https://', include a host and"
+    echo "    path, and end in '.git'. The CDI starter converts this URL to an SSH clone URL at runtime."
+    echo
    echo -e "\e[97m  --provider-netcup-ipv6 \e[0m"
    echo "    Activates IPv6 support for Netcup Root Server. One unique IPv6 address MUST be provided in this case and MUST be"
    echo "    encapsulated with [], e.g., [1234::abcd]."
@@ -25,7 +25,7 @@ TIMESTAMP            ?= $(shell date -u +%Y-%m-%dT%H-%M-%S)

 ### Core parameters (safe defaults; override in config.mk, rename config.mk.sample to config.mk and apply the remaining values):
 ARCH                 ?= amd64
-AUTOBUILD            ?= 6.16.3+deb13-amd64
+AUTOBUILD            ?= 7.0.10+deb13-amd64
 CONTROL              ?= $(TIMESTAMP)
 DROPBEAR_VERSION     ?= 2026.91
 SOPS_VERSION         ?= 3.13.1
@@ -63,6 +63,9 @@ define COMPOSE_AND
 	[[ -n '$(FLAG_DEBUG)'           ]] && cmd+=( --debug )
 	[[ -n '$(FLAG_DHCP_CENTURION)'  ]] && cmd+=( --dhcp-centurion )
 	[[ -n '$(FLAG_TRIXIE)'          ]] && cmd+=( --trixie )
+	[[ -n '$(PRIMORDIAL_URL)'       ]] && cmd+=( --primordial-url '$(PRIMORDIAL_URL)' )
+	[[ -n '$(PRIMORDIAL_KEY)'       ]] && cmd+=( --primordial-key '$(PRIMORDIAL_KEY)' )
+	[[ -n '$(PRIMORDIAL_SSH_PORT)'  ]] && cmd+=( --primordial-ssh '$(PRIMORDIAL_SSH_PORT)' )
 	[[ -n '$(PROVIDER_NETCUP_IPV6)' ]] && cmd+=( --provider-netcup-ipv6 '$(PROVIDER_NETCUP_IPV6)' )
 	[[ -n '$(RENICE)'               ]] && cmd+=( --renice-priority '$(RENICE)' )
 	if [[ -n '$(REIONICE_CLASS)' && -n '$(REIONICE_PRIO)' ]]; then
@@ -13,6 +13,12 @@
 set -Ceuo pipefail
 umask 0077

+declare -gx   VAR_RDNS_DOMAIN=""             # Forward-confirmed reverse DNS domain.
+declare -gx   VAR_RDNS_IPV4=""               # IPv4 address used for RDNS verification.
+declare -gx   VAR_RDNS_NORMALIZED=""         # RDNS domain normalized for Primordial branch names.
+declare -gx   VAR_PRIMORDIAL_KEY=""          # Primordial SSH identity filename.
+declare -gx   VAR_PRIMORDIAL_SSH_PORT=""     # Primordial SSH port.
+declare -gx   VAR_PRIMORDIAL_URL=""          # Primordial HTTPS Git URL.
 declare -grx  VAR_SEMAPHORE="/root/cdi.ciss" # Semaphore to appear.
 declare -girx VAR_TIMEOUT=3600               # Semaphore timer in seconds.

@@ -90,6 +96,472 @@ net_wait() {
 # shellcheck disable=SC2034
 readonly -f net_wait

+#######################################
+# Validate an IPv4 address.
+# Globals:
+#   None
+# Arguments:
+#   $1: IPv4 address
+# Returns:
+#   0: valid IPv4 address
+#   1: invalid IPv4 address
+#######################################
+is_ipv4() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r var_ip="${1:-}"
+  declare -a ary_octets=()
+  declare     var_octet=""
+
+  [[ "${var_ip}" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || return 1
+
+  IFS='.' read -r -a ary_octets <<< "${var_ip}"
+
+  for var_octet in "${ary_octets[@]}"; do
+
+    if ! ((10#${var_octet} <= 255)); then
+
+      return 1
+
+    fi
+
+  done
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f is_ipv4
+
+#######################################
+# Validate a DNS domain name returned by RDNS.
+# Globals:
+#   None
+# Arguments:
+#   $1: domain name
+# Returns:
+#   0: valid domain name
+#   1: invalid domain name
+#######################################
+is_dns_name() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r var_name="${1:-}"
+
+  [[ "${#var_name}" -le 253 ]] || return 1
+  [[ "${var_name}" =~ ^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+$ ]] \
+    || return 1
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f is_dns_name
+
+#######################################
+# Retrieve and forward-confirm reverse DNS for the active IPv4 route.
+# Globals:
+#   VAR_RDNS_DOMAIN
+#   VAR_RDNS_IPV4
+# Arguments:
+#   $1: module log file
+# Returns:
+#   0: on confirmed RDNS
+#   1: on missing or unconfirmed RDNS
+#######################################
+# retrieve_rdns() intentionally probes optional resolver tools and validation helpers inside conditionals.
+# shellcheck disable=SC2310,SC2312
+retrieve_rdns() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r var_log="${1:-}"
+  declare -a ary_a=()
+  declare -a ary_rdns=()
+  declare -a ary_targets=()
+  declare    var_a="" var_ipv4="" var_rdns="" var_target=""
+
+  VAR_RDNS_DOMAIN=""
+  VAR_RDNS_IPV4=""
+
+  mapfile -t ary_targets < <(
+    getent ahostsv4 git.coresecret.dev 2>/dev/null \
+      | awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}[[:space:]]/ && !seen[$1]++ { print $1 }'
+  )
+  ary_targets+=( "1.1.1.1" "9.9.9.9" "8.8.8.8" )
+
+  if command -v ip >/dev/null 2>&1; then
+
+    for var_target in "${ary_targets[@]}"; do
+
+      if var_ipv4="$(
+        ip -o -4 route get "${var_target}" 2>/dev/null \
+          | awk '{ for (i = 1; i <= NF; i++) { if ($i == "src") { print $(i + 1); exit } } }'
+      )" && is_ipv4 "${var_ipv4}"; then
+
+        break
+
+      fi
+
+      var_ipv4=""
+
+    done
+
+    if [[ -z "${var_ipv4}" ]]; then
+
+      mapfile -t ary_targets < <(
+        ip -o -4 addr show scope global up 2>/dev/null \
+          | awk '{ split($4, addr, "/"); if (!seen[addr[1]]++) { print addr[1] } }'
+      )
+
+      for var_target in "${ary_targets[@]}"; do
+
+        if is_ipv4 "${var_target}"; then
+
+          var_ipv4="${var_target}"
+          break
+
+        fi
+
+      done
+
+    fi
+
+  fi
+
+  if [[ -z "${var_ipv4}" ]]; then
+
+    logger -t cdi-watcher "retrieve_rdns(): no active IPv4 address found; continuing without RDNS."
+    printf "Command: [retrieve_rdns] no active IPv4 address found; continuing without RDNS.\n" >> "${var_log}"
+    return 1
+
+  fi
+
+  if command -v dig >/dev/null 2>&1; then
+
+    mapfile -t ary_rdns < <(
+      dig +time=3 +tries=1 +short -x "${var_ipv4}" 2>/dev/null \
+        | sed 's/[.]$//' \
+        | awk 'NF && !seen[$0]++ { print $0 }'
+    )
+
+  fi
+
+  if ((${#ary_rdns[@]} == 0)) && command -v host >/dev/null 2>&1; then
+
+    mapfile -t ary_rdns < <(
+      host "${var_ipv4}" 2>/dev/null \
+        | awk '/domain name pointer/ { sub(/[.]$/, "", $NF); if (!seen[$NF]++) { print $NF } }'
+    )
+
+  fi
+
+  if ((${#ary_rdns[@]} == 0)); then
+
+    mapfile -t ary_rdns < <(
+      getent hosts "${var_ipv4}" 2>/dev/null \
+        | awk '{ for (i = 2; i <= NF; i++) { sub(/[.]$/, "", $i); if (!seen[$i]++) { print $i } } }'
+    )
+
+  fi
+
+  for var_rdns in "${ary_rdns[@]}"; do
+
+    var_rdns="${var_rdns%.}"
+    var_rdns="${var_rdns,,}"
+
+    if ! is_dns_name "${var_rdns}"; then
+
+      continue
+
+    fi
+
+    ary_a=()
+
+    if command -v dig >/dev/null 2>&1; then
+
+      mapfile -t ary_a < <(
+        dig +time=3 +tries=1 +short A "${var_rdns}" 2>/dev/null \
+          | awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}$/ && !seen[$0]++ { print $0 }'
+      )
+
+    fi
+
+    if ((${#ary_a[@]} == 0)) && command -v host >/dev/null 2>&1; then
+
+      mapfile -t ary_a < <(
+        host -t A "${var_rdns}" 2>/dev/null \
+          | awk '/ has address / && !seen[$NF]++ { print $NF }'
+      )
+
+    fi
+
+    if ((${#ary_a[@]} == 0)); then
+
+      mapfile -t ary_a < <(
+        getent ahostsv4 "${var_rdns}" 2>/dev/null \
+          | awk '!seen[$1]++ { print $1 }'
+      )
+
+    fi
+
+    for var_a in "${ary_a[@]}"; do
+
+      if is_ipv4 "${var_a}" && [[ "${var_a}" == "${var_ipv4}" ]]; then
+
+        VAR_RDNS_IPV4="${var_ipv4}"
+        VAR_RDNS_DOMAIN="${var_rdns}"
+        logger -t cdi-watcher "retrieve_rdns(): confirmed IPv4 ${VAR_RDNS_IPV4} RDNS ${VAR_RDNS_DOMAIN}."
+        printf "Command: [retrieve_rdns] confirmed IPv4 [%s] RDNS [%s].\n" \
+          "${VAR_RDNS_IPV4}" "${VAR_RDNS_DOMAIN}" >> "${var_log}"
+        return 0
+
+      fi
+
+    done
+
+  done
+
+  logger -t cdi-watcher "retrieve_rdns(): no forward-confirmed RDNS for IPv4 ${var_ipv4}; continuing without RDNS."
+  printf "Command: [retrieve_rdns] no forward-confirmed RDNS for IPv4 [%s]; continuing without RDNS.\n" \
+    "${var_ipv4}" >> "${var_log}"
+
+  return 1
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f retrieve_rdns
+
+#######################################
+# Normalize a DNS domain into a Primordial branch name.
+# Globals:
+#   None
+# Arguments:
+#   $1: DNS domain name
+# Returns:
+#   0: on success
+#   1: on invalid DNS domain
+#######################################
+normalize_rdns_domain() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare var_domain="${1:-}"
+
+  var_domain="${var_domain%.}"
+  var_domain="${var_domain,,}"
+
+  # shellcheck disable=SC2310
+  is_dns_name "${var_domain}" || return 1
+
+  printf '%s\n' "${var_domain//./_}"
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f normalize_rdns_domain
+
+#######################################
+# Convert an HTTPS Git URL into the SSH URL used for Primordial clone.
+# Globals:
+#   None
+# Arguments:
+#   $1: HTTPS Git URL
+#   $2: SSH port
+# Returns:
+#   0: on success
+#   1: on invalid URL or port
+#######################################
+derive_ssh_git_url() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r var_https_url="${1:-}"
+  declare -r var_ssh_port="${2:-}"
+  declare    var_host="" var_path=""
+
+  if [[ ! "${var_https_url}" =~ ^https://([A-Za-z0-9.-]+)/([A-Za-z0-9._~/%+=:@,-]+\.git)$ ]]; then
+
+    return 1
+
+  fi
+
+  var_host="${BASH_REMATCH[1]}"
+  var_path="${BASH_REMATCH[2]}"
+
+  if [[ -z "${var_host}" || -z "${var_path}" || ! "${var_ssh_port}" =~ ^[0-9]+$ ]] \
+    || ((10#${var_ssh_port} < 1 || 10#${var_ssh_port} > 65535)); then
+
+    return 1
+
+  fi
+
+  printf 'ssh://git@%s:%s/%s\n' "${var_host}" "${var_ssh_port}" "${var_path}"
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f derive_ssh_git_url
+
+#######################################
+# Apply the Primordial overlay and create the CDI semaphore only on success.
+# Globals:
+#   VAR_PRIMORDIAL_KEY
+#   VAR_PRIMORDIAL_SSH_PORT
+#   VAR_PRIMORDIAL_URL
+#   VAR_RDNS_DOMAIN
+#   VAR_RDNS_NORMALIZED
+#   VAR_SEMAPHORE
+# Arguments:
+#   $1: module log file
+#   $2: CISS.debian.installer directory
+# Returns:
+#   0: on success or optional skip
+#   1: on failed configured Primordial overlay
+#######################################
+apply_primordial_overlay() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r var_log="${1:-}"
+  declare -r var_repo_dir="${2:-}"
+  declare -r var_overlay_dir="/root/git/overlay"
+  declare    var_identity="" var_ssh_url="" var_rdns_normalized=""
+
+  if [[ -z "${VAR_PRIMORDIAL_URL}" && -z "${VAR_PRIMORDIAL_KEY}" && -z "${VAR_PRIMORDIAL_SSH_PORT}" ]]; then
+
+    logger -t cdi-watcher "Primordial overlay not configured; continuing with existing semaphore polling."
+    printf "Command: [apply_primordial_overlay] skipped; Primordial overlay not configured.\n" >> "${var_log}"
+    return 0
+
+  fi
+
+  if ! rm -f -- "${VAR_SEMAPHORE}"; then
+
+    logger -t cdi-watcher "Failed to remove existing CDI semaphore; aborting CDI autostart."
+    printf "Command: [rm -f -- %s] failed; aborting CDI autostart.\n" "${VAR_SEMAPHORE}" >> "${var_log}"
+    return 1
+
+  fi
+
+  if [[ -z "${VAR_PRIMORDIAL_URL}" || -z "${VAR_PRIMORDIAL_KEY}" || -z "${VAR_PRIMORDIAL_SSH_PORT}" || -z "${VAR_RDNS_DOMAIN}" ]]; then
+
+    logger -t cdi-watcher "Primordial overlay configuration incomplete; aborting CDI autostart."
+    printf "Command: [apply_primordial_overlay] failed; Primordial URL, key, SSH port, and RDNS domain are required.\n" >> "${var_log}"
+    return 1
+
+  fi
+
+  # shellcheck disable=SC2310
+  if ! var_rdns_normalized="$(normalize_rdns_domain "${VAR_RDNS_DOMAIN}")"; then
+
+    logger -t cdi-watcher "Primordial overlay RDNS branch derivation failed; aborting CDI autostart."
+    printf "Command: [normalize_rdns_domain %s] failed; aborting CDI autostart.\n" "${VAR_RDNS_DOMAIN}" >> "${var_log}"
+    return 1
+
+  fi
+
+  declare -gx VAR_RDNS_NORMALIZED="${var_rdns_normalized}"
+
+  # shellcheck disable=SC2310
+  if ! var_ssh_url="$(derive_ssh_git_url "${VAR_PRIMORDIAL_URL}" "${VAR_PRIMORDIAL_SSH_PORT}")"; then
+
+    logger -t cdi-watcher "Primordial HTTPS Git URL conversion failed; aborting CDI autostart."
+    printf "Command: [derive_ssh_git_url] failed for configured Primordial URL; aborting CDI autostart.\n" >> "${var_log}"
+    return 1
+
+  fi
+
+  var_identity="/root/.ssh/${VAR_PRIMORDIAL_KEY}"
+
+  if [[ ! -e "${var_identity}" ]]; then
+
+    logger -t cdi-watcher "Primordial SSH identity file is missing; aborting CDI autostart."
+    printf "Command: [test -e /root/.ssh/<primordial-key>] failed; aborting CDI autostart.\n" >> "${var_log}"
+    return 1
+
+  fi
+
+  if [[ ! -f "${var_identity}" ]]; then
+
+    logger -t cdi-watcher "Primordial SSH identity path is not a regular file; aborting CDI autostart."
+    printf "Command: [test -f /root/.ssh/<primordial-key>] failed; aborting CDI autostart.\n" >> "${var_log}"
+    return 1
+
+  fi
+
+  if [[ ! -r "${var_identity}" ]]; then
+
+    logger -t cdi-watcher "Primordial SSH identity file is not readable by root; aborting CDI autostart."
+    printf "Command: [test -r /root/.ssh/<primordial-key>] failed; aborting CDI autostart.\n" >> "${var_log}"
+    return 1
+
+  fi
+
+  if ! rm -rf -- "${var_overlay_dir}"; then
+
+    logger -t cdi-watcher "Failed to remove existing Primordial overlay directory; aborting CDI autostart."
+    printf "Command: [rm -rf -- %s] failed; aborting CDI autostart.\n" "${var_overlay_dir}" >> "${var_log}"
+    return 1
+
+  fi
+
+  if ! GIT_SSH_COMMAND="ssh -i ${var_identity} -p ${VAR_PRIMORDIAL_SSH_PORT}" \
+    git clone --branch "${VAR_RDNS_NORMALIZED}" "${var_ssh_url}" "${var_overlay_dir}"; then
+
+    logger -t cdi-watcher "Primordial overlay clone failed; aborting CDI autostart."
+    printf "Command: [git clone --branch %s <primordial-ssh-url> %s] failed; aborting CDI autostart.\n" \
+      "${VAR_RDNS_NORMALIZED}" "${var_overlay_dir}" >> "${var_log}"
+    rm -rf -- "${var_overlay_dir}" || true
+    return 1
+
+  fi
+
+  if [[ ! -d "${var_overlay_dir}/.preseed" ]]; then
+
+    logger -t cdi-watcher "Primordial overlay .preseed directory is missing; aborting CDI autostart."
+    printf "Command: [test -d %s/.preseed] failed; aborting CDI autostart.\n" "${var_overlay_dir}" >> "${var_log}"
+    return 1
+
+  fi
+
+  if [[ ! -d "${var_overlay_dir}/includes" ]]; then
+
+    logger -t cdi-watcher "Primordial overlay includes directory is missing; aborting CDI autostart."
+    printf "Command: [test -d %s/includes] failed; aborting CDI autostart.\n" "${var_overlay_dir}" >> "${var_log}"
+    return 1
+
+  fi
+
+  install -d -m 0700 "${var_repo_dir}/.preseed" "${var_repo_dir}/includes"
+
+  if ! rsync -av "${var_overlay_dir}/.preseed/" "${var_repo_dir}/.preseed/"; then
+
+    logger -t cdi-watcher "Primordial overlay .preseed rsync failed; aborting CDI autostart."
+    printf "Command: [rsync -av %s/.preseed/ %s/.preseed/] failed; aborting CDI autostart.\n" \
+      "${var_overlay_dir}" "${var_repo_dir}" >> "${var_log}"
+    return 1
+
+  fi
+
+  if ! rsync -av "${var_overlay_dir}/includes/" "${var_repo_dir}/includes"; then
+
+    logger -t cdi-watcher "Primordial overlay includes rsync failed; aborting CDI autostart."
+    printf "Command: [rsync -av %s/includes/ %s/includes] failed; aborting CDI autostart.\n" \
+      "${var_overlay_dir}" "${var_repo_dir}" >> "${var_log}"
+    return 1
+
+  fi
+
+  if ! install -m 0600 /dev/null "${VAR_SEMAPHORE}"; then
+
+    logger -t cdi-watcher "Primordial overlay applied but semaphore creation failed; aborting CDI autostart."
+    printf "Command: [install -m 0600 /dev/null %s] failed; aborting CDI autostart.\n" "${VAR_SEMAPHORE}" >> "${var_log}"
+    return 1
+
+  fi
+
+  logger -t cdi-watcher "Primordial overlay applied for branch ${VAR_RDNS_NORMALIZED}; CDI semaphore created."
+  printf "Command: [apply_primordial_overlay] executed for branch [%s].\n" "${VAR_RDNS_NORMALIZED}" >> "${var_log}"
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f apply_primordial_overlay
+
 #######################################
 # Wrapper for loading CISS hardened Kernel Parameters.
 # Globals:
@@ -129,8 +601,7 @@ main() {
  var_log="/root/.ciss/cdi/log/9999-cdi-starter_$(date +"%Y-%m-%d_%H-%M-%S").log"
  touch "${var_log}"

-
-  printf "CISS.debian.installer Master V9.14.020.2026.06.08 is up! \n" >> "${var_log}"
+  printf "CISS.debian.live.builder V9.14.022.2026.06.10 calling CISS.debian.installer ... \n" >> "${var_log}"

  ### Sleep a moment to settle boot artifacts.
  sleep 8
@@ -153,6 +624,12 @@ main() {
  fi
  printf "Command: [net_wait] executed.\n" >> "${var_log}"

+  ### Retrieve forward-confirmed reverse DNS.
+  printf "Command: [retrieve_rdns] to be executed ... \n" >> "${var_log}"
+  # shellcheck disable=SC2310
+  retrieve_rdns "${var_log}" || true
+  printf "Command: [retrieve_rdns] executed.\n" >> "${var_log}"
+
  ### apt update.
  if ! apt-get update >> "${var_log}"; then

@@ -179,6 +656,16 @@ main() {
  cd "${var_repo_dir}"
  printf "Command: [git clone %s %s] executed.\n" "${var_repo_url}" "${var_repo_dir}" >> "${var_log}"

+  ### Apply Primordial overlay before allowing CDI autostart.
+  # shellcheck disable=SC2310
+  if ! apply_primordial_overlay "${var_log}" "${var_repo_dir}"; then
+
+    logger -t cdi-watcher "Primordial overlay failed; CDI autostart aborted before semaphore polling."
+    printf "Command: [apply_primordial_overlay] failed; CDI autostart aborted before semaphore polling.\n" >> "${var_log}"
+    exit 0
+
+  fi
+
  ### Poll up to VAR_TIMEOUT seconds for the semaphore to appear and be mode 0600.
  for ((i=0; i<VAR_TIMEOUT; i++)); do

@@ -209,7 +696,7 @@ main() {

  ### Timeout reached without acceptable semaphore.
  logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.installer Master V9.14.020.2026.06.08: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+  printf "CISS.debian.live.builder V9.14.022.2026.06.10: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"

  exit 0
 }
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V9.14.020.2026.06.08"
+declare -grx VAR_VERSION="Master V9.14.022.2026.06.10"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
  # Print $4 and $5; include $6 only if it exists
  out = $4
@@ -34,6 +34,9 @@ declare -g  VAR_HANDLER_CDI="false"
 declare -g  VAR_HANDLER_NETCUP_IPV6="false"
 declare -g  VAR_HANDLER_SPLASH=""
 declare -g  VAR_HASHED_PWD=""
+declare -g  VAR_PRIMORDIAL_KEY=""
+declare -g  VAR_PRIMORDIAL_SSH_PORT=""
+declare -g  VAR_PRIMORDIAL_URL=""
 declare -g  VAR_SCRIPT_SUCCESS="false"
 declare -g  VAR_SOPS_VERSION="3.13.1"
 declare -g  VAR_SSHFP="false"
Author	SHA256	Message	Date
msw	9ef535554a	V9.14.022.2026.06.10 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details 💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled Details 🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-10 18:57:46 +01:00
msw	800cd175fc	V9.14.022.2026.06.10 Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-10 17:57:31 +01:00