DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]

X-CI-Metadata: master@99d669d at 2025-12-06T04:39:52Z on 941bb339cd9a Generated at : 2025-12-06T04:39:52Z Runner Host : 941bb339cd9a Workflow ID : 🛡️ Shell Script Linting Git Commit : 99d669d HEAD -> master
V8.13.768.2025.12.06
2025-12-06 04:39:52 +00:00 · 2025-12-06 05:38:13 +01:00 · 2025-12-06 04:35:39 +00:00 · 2025-12-06 03:44:33 +00:00 · 2025-12-06 02:57:35 +00:00 · 2025-12-06 02:53:47 +00:00
292 changed files with 15585 additions and 3790 deletions
--- a/.archive/.0000_lib_usage.sh
+++ b/.archive/.0000_lib_usage.sh
@@ -1,142 +0,0 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 #######################################
 # Usage Wrapper CISS.debian.live.builder
 # Globals:
 #   none
 # Arguments:
 #   $0: Script name
 #######################################
 usage() {
  clear
  cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
 $(echo -e "\e[92mMaster V8.13.008.2025.08.22\e[0m")
 $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
 $(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
 "${0} <option>", where <option> is one or more of:
 $(echo -e "\e[97m  --help, -h\e[0m")
    What you're looking at.
 $(echo -e "\e[97m  --autobuild=*, -a=*\e[0m")
    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
    selector dialog. Change '*' to your desired Linux kernel and trim the
    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
 $(echo -e "\e[97m  --architecture <STRING> one of <amd64 | arm64>\e[0m")
    A string reflecting the architecture of the Live System.
    MUST be provided.
 $(echo -e "\e[97m  --build-directory </path/to/build_directory>\e[0m")
    Where the Debian Live Build Image should be generated.
    MUST be provided.
 $(echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m")
    A string reflecting the GRub Boot Screen Splash you want to use.
    If omitted defaults to "./.archive/background/club.png".
 $(echo -e "\e[97m  --cdi (Experimental Feature)\e[0m")
    This option generates a boot menu entry to start the forthcoming
    'CISS.debian.installer', which will be executed after
    the system has successfully booted up.
 $(echo -e "\e[97m  --contact, -c\e[0m")
    Displays contact information of the author.
 $(echo -e "\e[97m  --control <INTEGER>\e[0m")
    An integer that reflects the version of your Live ISO Image.
    MUST be provided.
 $(echo -e "\e[97m  --debug\e[0m")
    Enables debug logging for the main program routine. Detailed logging
    information are written to "/tmp/ciss_live_builder_$$.log"
 $(echo -e "\e[97m  --dhcp-centurion\e[0m")
    If a DHCP lease is provided, the provider's nameserver will be overridden,
    and only the hardened, privacy-focused Centurion DNS servers will be used:
      - https://dns01.eddns.eu/
      - https://dns02.eddns.de/
      - https://dns03.eddns.eu/
 $(echo -e "\e[97m  --jump-host <IP | IP | ... >\e[0m")
    Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
    Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
    If provided, than it MUST be a <SPACE> separated list.
    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
 $(echo -e "\e[97m  --log-statistics-only\e[0m")
    Provides statistic only after successful building a
    CISS.debian.live-ISO. While enabling "--log-statistics-only"
    the argument "--build-directory" MUST be provided while
    all further options MUST be omitted.
 $(echo -e "\e[97m  --provider-netcup-ipv6\e[0m")
    Activates IPv6 support for Netcup Root Server. One unique
    IPv6 address MUST be provided in this case and MUST be encapsulated
    with [], e.g., [1234::abcd].
 $(echo -e "\e[97m  --renice-priority <PRIORITY>\e[0m")
    Reset the nice priority value of the script and all its children
    to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
    Negative (higher) values MUST be enclosed in double quotes '"'.
 $(echo -e "\e[97m  --reionice-priority <CLASS> <PRIORITY>\e[0m")
    Reset the ionice priority value of the script and all its children
    to the desired <CLASS>. MUST be an integer:
      1: realtime
      2: best-effort
      3: idle
    Defaults to '2'.
    Whereas <PRIORITY> MUST be an integer as well between:
      0: highest priority and
      7: lowest priority.
    Defaults to '4'.
    A real-time I/O process can significantly slow down other processes
    or even cause them to starve if it continuously requests I/O.
 $(echo -e "\e[97m  --root-password-file </path/to/password.txt>\e[0m")
    Password file for 'root', if given, MUST be a string of 20 to 64 characters,
    and MUST NOT contain the special character '"'.
    If the argument is omitted, no further login authentication is required for
    the local console. The root password is hashed with an 16 Byte '/dev/random'
    generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
    after Hash generation all Variables containing plain password fragments are
    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
    further prompt after password hash has been successfully generated via:
    'shred -vfzu 5 -f'.
    No tracing of any plain text password fragment in any debug log.
 $(echo -e "\e[97m  --ssh-port <INTEGER>\e[0m")
    The desired Port SSH should listen to.
    If not provided defaults to Port 22.
 $(echo -e "\e[97m  --ssh-pubkey </path/to/.ssh/>\e[0m")
    Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
    specified PATH into the Live ISO. MUST be provided.
 $(echo -e "\e[97m  --version, -v\e[0m")
    Displays version of ${0}.
 $(echo -e "\e[93m💡 Notes:\e[0m")
 🔵 You MUST be 'root' to run this script.
 $(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
 $(echo -e "\e[95m🌐 https://coresecret.eu/spenden/         \e[0m")
 EOF
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.archive/0003_install_backports.chroot
+++ b/.archive/0003_install_backports.chroot
@@ -1,39 +0,0 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 DEBIAN_FRONTEND=noninteractive \
  apt-get update && \
    DEBIAN_FRONTEND=noninteractive \
      apt-get install -y --no-install-recommends \
        -o Dpkg::Options::="--force-confdef" \
        -o Dpkg::Options::="--force-confold" \
        -t bookworm-backports \
        btrfs-progs \
        curl \
        debootstrap \
        iproute2 \
        ncat \
        nmap \
        ssh \
        systemd \
        systemd-sysv \
        whois
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.archive/0010_dhcp_supersede.sh
+++ b/.archive/0010_dhcp_supersede.sh
@@ -0,0 +1,113 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 if [[ ! -d "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp ]]; then
  mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp
 fi
 cat << 'EOF' >> "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp/dhclient.conf
 # Custom dhclient config to override DHCP DNS
 # dns01.eddns.eu, dns02.eddns.de, dns03.eddns.eu;
 supersede domain-name-servers 135.181.207.105, 89.58.62.53, 138.199.237.109;
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 cat << 'EOF' >> "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcpcd.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### No Global APIPA-Fallback.
 noipv4ll
 ### A ServerID is required by RFC2131.
 require dhcp_server_identifier
 ### Respect the network MTU. This is applied to DHCP routes.
 option interface_mtu
 ### A list of options to request from the DHCP server.
 option host_name
 option domain_name
 option domain_search
 option rapid_commit
 ### Most distributions have NTP support.
 option ntp_servers
 ### Ask server to update both A and PTR via FQDN (RFC 4702 semantics).
 fqdn both
 ###-----------------------------------------------------------------------------------------------------------------------------
 ### Global defaults for all interfaces.
 #option host_name
 #option domain_name
 #option domain_search
 ### Ask server to update both A and PTR via FQDN (RFC 4702 semantics).
 #fqdn both
 ###-----------------------------------------------------------------------------------------------------------------------------
 ### Enforce static DNS and prevent dhcpcd from writing 'resolv.conf'.
 nooption domain_name_servers
 nohook resolv.conf rdnssd
 ### Static resolvers (IPv4).
 ### (This does NOT write '/etc/resolv.conf' because of nohook above.)
 static domain_name_servers=135.181.207.105 89.58.62.53 138.199.237.109
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/resolv.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # static /etc/resolv.conf (CISS)
 nameserver 135.181.207.105
 nameserver 89.58.62.53
 nameserver 138.199.237.109
 options edns0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.archive/0100_ciss_mem_wipe.chroot
+++ b/.archive/0100_ciss_mem_wipe.chroot
@@ -0,0 +1,302 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get install -y --no-install-recommends kexec-tools
 install -d -m 0755 /boot/ciss-memwipe
 install -d -m 0755 /usr/local/sbin
 install -d -m 0755 /etc/systemd/system
 install -d -m 0755 /etc/default
 ### Pick a kernel to kexec into: use the latest installed vmlinuz. -------------------------------------------------------------
 # shellcheck disable=SC2012,SC2155
 declare _KERNEL="$(cd /boot && ls -1 vmlinuz-* | sed 's|vmlinuz-||' | sort -V | tail -n1)"
 cp -f "/boot/vmlinuz-${_KERNEL}" /boot/ciss-memwipe/vmlinuz
 ### Build minimal initramfs with a busybox and a tiny '/init'. -----------------------------------------------------------------
 declare _TMP_DIR; _TMP_DIR="$(mktemp -d)"
 trap 'rm -rf "${_TMP_DIR}"' EXIT
 mkdir -p "${_TMP_DIR}"/{bin,dev,proc,sys,wipe}
 ### Locate the current busybox binary. -----------------------------------------------------------------------------------------
 declare _BUSYBOX_BIN; _BUSYBOX_BIN="$(command -v busybox || true)"
 if [[ -z "${_BUSYBOX_BIN}" ]]; then
  echo "ERROR: busybox not found after installation attempt." >&2
  exit 42
 fi
 cp -f "${_BUSYBOX_BIN}" "${_TMP_DIR}/bin/busybox"
 #######################################
 # Copy required shared libs into the initramfs (if the busybox is dynamic).
 # Globals:
 #   _TMP_DIR
 # Arguments:
 #   1: _BUSYBOX_BIN
 # Returns:
 #   0: on success
 #######################################
 copy_libs() {
  declare bin="$1"
  if ldd "${bin}" 2>&1 | grep -q 'not a dynamic executable'; then
    return 0
  fi
  ldd "${bin}" | awk '
    /=> \// {print $3}
    # some libs are printed as absolute path without "=>"
    /^\//    {print $1}
  ' | while read -r lib; do
    [[ -n "${lib}" ]] || continue
    dest="${_TMP_DIR}$(dirname "${lib}")"
    install -d -m 0755 "${dest}"
    cp -f "${lib}" "${dest}"
  done
 }
 copy_libs "${_BUSYBOX_BIN}"
 ### Generate '/init' script ----------------------------------------------------------------------------------------------------
 cat << 'EOF' >| "${_TMP_DIR}/init"
 #!/bin/busybox sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # Minimal init to wipe RAM, then power off.
 # Parses cmdline: ciss_wipe_passes=2 ciss_wipe_mode=zero+random ciss_dd_bs=64M ciss_tmpfs_pct=95
 set -eu
 #######################################
 # Helper
 # Globals:
 #   None
 # Arguments:
 #   1: key
 # Returns:
 #   0: on success
 #######################################
 get_arg() { # $1=key ; echoes value or empty
  for tok in $(cat /proc/cmdline); do
    case "$tok" in
      $1=*) echo "${tok#*=}"; return 0;;
    esac
  done
  echo ""
 }
 mount -t devtmpfs devtmpfs /dev 2>/dev/null || true
 [ -e /dev/console ] || mknod -m 600 /dev/console c 5 1
 [ -e /dev/null ]    || mknod -m 666 /dev/null c 1 3
 [ -e /dev/urandom ] || mknod -m 444 /dev/urandom c 1 9
 mount -t proc proc /proc
 mount -t sysfs sysfs /sys
 PASSES="$(get_arg ciss_wipe_passes)"; [ -n "${PASSES}" ] || PASSES=2
 MODE="$(get_arg ciss_wipe_mode)"; [ -n "${MODE}" ] || MODE="zero+random"
 BS="$(get_arg ciss_dd_bs)"; [ -n "${BS}" ] || BS=64M
 PCT="$(get_arg ciss_tmpfs_pct)"; [ -n "${PCT}" ] || PCT=95
 echo 1 >| /proc/sys/kernel/printk 2>/dev/null || true
 MEM_KB="$(awk '/MemTotal:/ {print $2}' /proc/meminfo)"
 SIZE_KB=$(( MEM_KB * PCT / 100 ))
 mount -t tmpfs -o "size=${SIZE_KB}k,nodev,nosuid,noexec,mode=0700" tmpfs /wipe
 #######################################
 # Wipe helper
 # Globals:
 #   None
 # Arguments:
 #   1: pattern
 # Returns:
 #   0: on success
 #######################################
 wipe_pass() {
  pattern="$1" # zero or random
  if [ "$pattern" = "zero" ]; then
    src="/dev/zero"
  else
    src="/dev/urandom"
  fi
  i=0
  while :; do
    # Use busybox dd explicitly to avoid surprises
    busybox dd if="$src" of="/wipe/block_$i" bs="$BS" status=none || break
    i=$((i+1))
  done
  sync
  echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
  rm -f /wipe/block_* 2>/dev/null || true
  sync
  return 0
 }
 DO_ZERO=0; DO_RANDOM=0
 case "$MODE" in
  zero) DO_ZERO=1 ;;
  random) DO_RANDOM=1 ;;
  zero+random|random+zero) DO_ZERO=1; DO_RANDOM=1 ;;
  *) DO_ZERO=1 ;;
 esac
 p=1
 while [ $p -le "$PASSES" ]; do
  [ $DO_ZERO -eq 1 ] && wipe_pass zero
  [ $DO_RANDOM -eq 1 ] && wipe_pass random
  p=$((p+1))
 done
 sync
 busybox poweroff -f || echo o >| /proc/sysrq-trigger
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 chmod +x "${_TMP_DIR}/init"
 ### Create the initramfs archive -----------------------------------------------------------------------------------------------
 ( cd "${_TMP_DIR}" && find . -print0 | cpio --null -ov --format=newc ) | gzip -9 > /boot/ciss-memwipe/initrd.img
 ### Default configuration.
 cat << 'EOF' >| /etc/default/ciss-memwipe
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # CISS Memory Wipe defaults:
 CISS_WIPE_PASSES=2             # number of passes
 CISS_WIPE_MODE="zero+random"   # zero | random | zero+random
 CISS_WIPE_DD_BS="64M"          # dd block size
 CISS_WIPE_TMPFS_PCT=95         # percentage of MemTotal to allocate
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 ### Helper script --------------------------------------------------------------------------------------------------------------
 cat << 'EOF' >| /usr/local/sbin/ciss-memwipe
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -euo pipefail
 . /etc/default/ciss-memwipe || true
 KERNEL="/boot/ciss-memwipe/vmlinuz"
 INITRD="/boot/ciss-memwipe/initrd.img"
 append_common="quiet loglevel=1 ciss_wipe_passes=${CISS_WIPE_PASSES:-2} ciss_wipe_mode=${CISS_WIPE_MODE:-zero+random} ciss_dd_bs=${CISS_WIPE_DD_BS:-64M} ciss_tmpfs_pct=${CISS_WIPE_TMPFS_PCT:-95}"
 prepare() {
  if [ -w /proc/sys/kernel/kexec_load_disabled ] && [ "$(cat /proc/sys/kernel/kexec_load_disabled)" = "1" ]; then
    echo 0 > /proc/sys/kernel/kexec_load_disabled || true
  fi
  if command -v kexec >/dev/null 2>&1 && [ -s "$KERNEL" ] && [ -s "$INITRD" ]; then
    kexec -l "$KERNEL" --initrd="$INITRD" --append="$append_common" || true
  fi
 }
 fallback_inplace() {
  mount -t tmpfs -o "size=95%,nodev,nosuid,noexec,mode=0700" tmpfs /run/wipe 2>/dev/null || mkdir -p /run/wipe
  i=0
  while :; do
    dd if=/dev/zero of="/run/wipe/blk_$i" bs="${CISS_WIPE_DD_BS:-64M}" status=none || break
    i=$((i+1))
  done
  sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
  rm -f /run/wipe/blk_* 2>/dev/null || true
  sync
  systemctl poweroff -f || poweroff -f || echo o > /proc/sysrq-trigger
 }
 execute() {
  sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
  if command -v systemctl >/dev/null 2>&1 && systemctl --quiet is-system-running; then
    systemctl kexec || kexec -e || fallback_inplace
  else
    kexec -e || fallback_inplace
  fi
 }
 case "${1:-}" in
  prepare) prepare ;;
  execute) execute ;;
  *) echo "Usage: $0 {prepare|execute}" >&2; exit 2 ;;
 esac
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 chmod 0755 /usr/local/sbin/ciss-memwipe
 ### Systemd service: load at boot, execute on shutdown. ------------------------------------------------------------------------
 cat << 'EOF' >| /etc/systemd/system/ciss-memwipe.service
 [Unit]
 Description=CISS: preload and execute kexec-based RAM wipe on shutdown
 DefaultDependencies=no
 Before=shutdown.target
 After=local-fs.target network.target multi-user.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/local/sbin/ciss-memwipe prepare
 ExecStop=/usr/local/sbin/ciss-memwipe execute
 TimeoutStartSec=20s
 TimeoutStopSec=infinity
 [Install]
 WantedBy=multi-user.target
 EOF
 install -d -m 0755 /etc/systemd/system/multi-user.target.wants
 ln -sf /etc/systemd/system/ciss-memwipe.service /etc/systemd/system/multi-user.target.wants/ciss-memwipe.service
 systemctl enable ciss-memwipe.service
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.archive/90-ciss-networkd.preset
+++ b/.archive/90-ciss-networkd.preset
@@ -0,0 +1,19 @@
 # bashsupport disable=BP5007
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-11-26; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 enable systemd-networkd.service
 enable systemd-resolved.service
 disable networking.service
 disable NetworkManager.service
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/hooks/live/9985_clamav.chroot
+++ b/config/hooks/live/9985_clamav.chroot
@@ -1,18 +1,17 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 mkdir -p /etc/systemd/system/clamav-daemon.service.d
 cat << 'EOF' >| /etc/systemd/system/clamav-daemon.service.d/override.conf
@@ -71,7 +70,6 @@ EOF
 chmod 0644 /etc/systemd/system/clamav-freshclam.service.d/override.conf
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9999_interfaces_update.chroot
+++ b/config/hooks/live/9999_interfaces_update.chroot
@@ -1,30 +1,32 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
-mv /etc/network/interfaces /root/.ciss/dlb/backup/interfaces.chroot
+# shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
 mv /etc/network/interfaces /root/.ciss/cdlb/backup/interfaces.chroot
 rm -f /etc/network/interfaces
-cat << 'EOF' >| /etc/network/interfaces
+cat << EOF >| /etc/network/interfaces
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -32,6 +34,9 @@ cat << 'EOF' >| /etc/network/interfaces
 # This file describes the network interfaces available on your system
 # and how to activate them. For more information, see interfaces(5).
 EOF
 cat << 'EOF' >> /etc/network/interfaces
 ### The loopback network interface
 auto lo
 iface lo inet loopback
@@ -59,7 +64,6 @@ EOF
 chmod 0644 /etc/network/interfaces
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.archive/generate_PRIVATE_trixie_0.yaml
+++ b/.archive/generate_PRIVATE_trixie_0.yaml
@@ -0,0 +1,448 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # Version Master V8.13.768.2025.12.06
 name: 🔐 Generating a Private Live ISO TRIXIE.
 defaults:
  run:
    shell: bash
 permissions:
  contents: write
 on:
  push:
    branches:
      - master
    paths:
      - '.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml'
 jobs:
  generate-private-cdlb-trixie:
    name: 🔐 Generating a Private Live ISO TRIXIE.
    runs-on: cdlb.trixie
    container:
      image: debian:trixie
    steps:
      - name: 🛠️ Basic Image Setup.
        shell: bash
        run: |
          export DEBIAN_FRONTEND=noninteractive
          apt-get update -qq
          apt-get upgrade -y
          apt-get install -y --no-install-recommends \
            apt-utils \
            bash \
            ca-certificates \
            curl \
            git \
            gnupg \
            openssh-client \
            openssl \
            perl \
            sudo \
            util-linux
      - name: ⚙️ Check GnuPG Version.
        shell: bash
        run: |
          gpg --version
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: 🛠️ Cleaning the workspace.
        shell: bash
        run: |
          git reset --hard
          git clean -fd
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
          export GNUPGHOME="$(pwd)/.gnupg"
          mkdir -m 700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
          gpg --batch --import centurion-root.PUB.asc
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
      - name: ⚙️ Preparing the build environment.
        shell: bash
        run: |
          set -euo pipefail
          mkdir -p /opt/config
          mkdir -p /opt/livebuild
          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
      - name: 🔧 Render live hook with secrets.
        shell: bash
        working-directory: ${{ github.workspace }}
        env:
          ED25519_PRIV:        ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
          ED25519_PUB:         ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
          RSA_PRIV:            ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
          RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
        run: |
          set -Ceuo pipefail
          umask 077
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
          if [[ ! -f "${TPL}" ]]; then
            echo "Template not found: ${TPL}"
            echo "::group::Tree of config/hooks/live"
            ls -la "${REPO_ROOT}/config/hooks/live" || true
            echo "::endgroup::"
            exit 2
          fi
          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
          export RSA_PUB="${RSA_PUB//$'\r'/}"
          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
          (
          cat << EOF >| "${ID_OUT}"
          ${CISS_PRIMORDIAL}
          EOF
          ) && chmod 0600 "${ID_OUT}"
          if [[ -f "${ID_OUT}" ]]; then
            echo "Written: ${ID_OUT}"
          else
            echo "Error: ${ID_OUT} not written."
          fi
          (
          cat << EOF >| "${ID_OUT_PUB}"
          ${CISS_PRIMORDIAL_PUB}
          EOF
          ) && chmod 0600 "${ID_OUT_PUB}"
          if [[ -f "${ID_OUT_PUB}" ]]; then
            echo "Written: ${ID_OUT_PUB}"
          else
            echo "Error: ${ID_OUT_PUB} not written."
          fi
          perl -0777 -pe '
            BEGIN{
              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
            }
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
          ' "${TPL}" > "${OUT}"
          chmod 0755 "${OUT}"
          echo "Hook rendered: ${OUT}"
      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
        shell: bash
        working-directory: ${{ github.workspace }}
        run: |
          set -euo pipefail
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
          ./ciss_live_builder.sh \
            --autobuild=6.16.3+deb13-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --cdi \
            --control "${timestamp}" \
            --debug \
            --dhcp-centurion \
            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
            --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
            --root-password-file /opt/config/password.txt \
            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
            --ssh-pubkey /opt/config \
            --sshfp \
            --trixie
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
          rm -f "$OUT"
          echo "Hook removed: $OUT"
          shred -fzu -n 5 /opt/config/authorized_keys
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
        run: |
          set -euo pipefail
          SHARE_SUBDIR=""
          echo "📥 Get directory listing via PROPFIND ..."
          curl -s \
          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
          -X PROPFIND \
          -H "Depth: 1" \
          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -o propfind_public.xml
          echo "📥 Filter .iso files from the PROPFIND response ..."
          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
            echo "💡 Old ISO files found and deleted :"
            while IFS= read -r href; do
              FILE_URL="${NC_BASE}${href}"
              echo "  Delete: ${FILE_URL}"
              if curl -s \
                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
                  -X DELETE "${FILE_URL}"; then
                echo "    ✅ Successfully deleted: $(basename "${href}")"
              else
                echo "    ❌ Error: $(basename "${href}") could not be deleted"
              fi
            done < public_iso_list.txt
          else
            echo "💡 No old ISO files found to delete."
          fi
      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
        run: |
          set -euo pipefail
          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
            echo "✅ New ISO successfully uploaded."
          else
            echo "❌ Uploading the new ISO failed."
            exit 1
          fi
      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
        shell: bash
        run: |
          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
          touch "${VAR_ISO_FILE_SHA512}"
          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
          touch "${SIGNATURE_FILE}"
          export GNUPGHOME="$(pwd)/.gnupg"
          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          VAR_DATE="$(date +%F)"
          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
          CISS.debian.live.builder ISO :
            "${VAR_ISO_FILE_NAME}"
          CISS.debian.live.builder ISO sha512 :
            $(< "${VAR_ISO_FILE_SHA512}")
          CISS.debian.live.builder ISO sha512 sign :
            $(< "${SIGNATURE_FILE}")
          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
          EOF
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Temporarily store any local modifications or untracked files.
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
          echo "🔁 Merging origin/master into current branch ..."
          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
          echo "📋 Post-merge status :"
          git status
          git log --oneline -n 5
      - name: 🛠️ Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Apply previously stashed changes.
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_0.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
          ${CI_HEADER}
          Generated at : ${TIMESTAMP_UTC}
          Runner Host  : ${HOSTNAME}
          Workflow ID  : ${WORKFLOW_ID}
          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
          "
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
          git push origin HEAD:${GITHUB_REF_NAME}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.archive/generate_PRIVATE_trixie_1.yaml
+++ b/.archive/generate_PRIVATE_trixie_1.yaml
@@ -0,0 +1,491 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # Version Master V8.13.768.2025.12.06
 name: 🔐 Generating a Private Live ISO TRIXIE.
 defaults:
  run:
    shell: bash
 permissions:
  contents: write
 on:
  push:
    branches:
      - master
    paths:
      - '.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml'
 jobs:
  generate-private-cdlb-trixie:
    name: 🔐 Generating a Private Live ISO TRIXIE.
    runs-on: cdlb.trixie
    container:
      image: debian:trixie
    defaults:
      run:
        shell: bash
        working-directory: ${{ github.workspace }}
    steps:
      - name: ⏳ Waiting random time to desynchronize parallel workflows.
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
      - name: 🛠️ Basic Image Setup.
        run: |
          set -euo pipefail
          umask 0077
          export DEBIAN_FRONTEND=noninteractive
          apt-get update -qq
          apt-get upgrade -y
          apt-get install -y --no-install-recommends \
            apt-utils \
            bash \
            ca-certificates \
            curl \
            git \
            gnupg \
            openssh-client \
            openssl \
            perl \
            sudo \
            util-linux
      - name: ⚙️ Check GnuPG Version.
        run: |
          gpg --version
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        run: |
          set -euo pipefail
          umask 0077
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: ⚙️ Init GNUPGHOME.
        run: |
          set -euo pipefail
          umask 0077
          GNUPGHOME="/dev/shm/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}.${GITHUB_RUN_ATTEMPT}"
          mkdir -p -m 700 "${GNUPGHOME}"
          echo "GNUPGHOME=${GNUPGHOME}" >> "${GITHUB_ENV}"
          echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf"
          gpgconf --reload gpg-agent || true
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        env:
          PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
        run: |
          set -euo pipefail
          umask 0077
          printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
          unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        run: |
          set -euo pipefail
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
      - name: ⚙️ Preparing the build environment.
        run: |
          set -euo pipefail
          umask 0077
          mkdir -p /opt/cdlb/secrets
          mkdir -p /opt/cdlb/livebuild
          install -m 0600 /dev/null /opt/cdlb/secrets/password.txt
          install -m 0600 /dev/null /opt/cdlb/secrets/authorized_keys
          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_ed25519_key
          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_ed25519_key.pub
          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_rsa_key
          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_rsa_key.pub
          install -m 0600 /dev/null /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial
          install -m 0600 /dev/null /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial.pub
          install -m 0600 /dev/null /opt/cdlb/secrets/keys.txt
          install -m 0600 /dev/null /opt/cdlb/secrets/luks.txt
          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}"               >| /opt/cdlb/secrets/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}"        >| /opt/cdlb/secrets/authorized_keys
          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}"     >| /opt/cdlb/secrets/ssh_host_ed25519_key
          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /opt/cdlb/secrets/ssh_host_ed25519_key.pub
          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}"         >| /opt/cdlb/secrets/ssh_host_rsa_key
          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}"     >| /opt/cdlb/secrets/ssh_host_rsa_key.pub
          echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}"           >| /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial
          echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial.pub
          echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /opt/cdlb/secrets/keys.txt
          echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /opt/cdlb/secrets/luks.txt
      - name: 🔧 Render live hook with secrets.
        shell: bash
        working-directory: ${{ github.workspace }}
        env:
          ED25519_PRIV:        ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
          ED25519_PUB:         ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
          RSA_PRIV:            ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
          RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
          CISS_PHYS_AGE:       ${{ secrets.CISS_PHYS_AGE }}
          MSW_GPG_DEPLOY_BOT:  ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
        run: |
          set -Ceuo pipefail
          umask 077
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
          SOPS="${REPO_ROOT}/config/hooks/live/0860_sops.chroot"
          BINARY_CHECKSUMS="${REPO_ROOT}/scripts/usr/lib/live/build/binary_checksums.sh"
          if [[ ! -f "${TPL}" ]]; then
            echo "Template not found: ${TPL}"
            echo "::group::Tree of config/hooks/live"
            ls -la "${REPO_ROOT}/config/hooks/live" || true
            echo "::endgroup::"
            exit 2
          fi
          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
          export RSA_PUB="${RSA_PUB//$'\r'/}"
          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
          export CISS_PHYS_AGE="${CISS_PHYS_AGE//$'\r'/}"
          export MSW_GPG_DEPLOY_BOT="${MSW_GPG_DEPLOY_BOT//$'\r'/}"
          (
          cat << EOF >| "${ID_OUT}"
          ${CISS_PRIMORDIAL}
          EOF
          ) && chmod 0600 "${ID_OUT}"
          if [[ -f "${ID_OUT}" ]]; then
            echo "Written: ${ID_OUT}"
          else
            echo "Error: ${ID_OUT} not written."
          fi
          (
          cat << EOF >| "${ID_OUT_PUB}"
          ${CISS_PRIMORDIAL_PUB}
          EOF
          ) && chmod 0600 "${ID_OUT_PUB}"
          if [[ -f "${ID_OUT_PUB}" ]]; then
            echo "Written: ${ID_OUT_PUB}"
          else
            echo "Error: ${ID_OUT_PUB} not written."
          fi
          perl -0777 -pe '
            BEGIN{
              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
            }
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
          ' "${TPL}" > "${OUT}"
          chmod 0755 "${OUT}"
          perl -0777 -i -pe '
            BEGIN {
              our $age = $ENV{CISS_PHYS_AGE} // q{};
            }
            s/\{\{\s*secrets\.CISS_PHYS_AGE\s*\}\}/$age/g;
          ' -- "${SOPS}"
          chmod 0755 "${SOPS}"
          perl -0777 -i -pe '
            BEGIN {
              our $deploy = $ENV{MSW_GPG_DEPLOY_BOT} // q{};
            }
            s/\{\{\s*secrets\.MSW_GPG_DEPLOY_BOT\s*\}\}/$deploy/g;
          ' -- "${BINARY_CHECKSUMS}"
          chmod 0755 "${BINARY_CHECKSUMS}"
          echo "Hook rendered: ${OUT}"
      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
        shell: bash
        working-directory: ${{ github.workspace }}
        run: |
          set -euo pipefail
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
          ./ciss_live_builder.sh \
            --autobuild=6.16.3+deb13-amd64 \
            --architecture amd64 \
            --build-directory /opt/cdlb/livebuild \
            --cdi \
            --control "${timestamp}" \
            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
            --root-password-file /opt/cdlb/secrets/password.txt \
            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
            --ssh-pubkey /opt/cdlb/secrets \
            --sshfp \
            --trixie
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
          rm -f "$OUT"
          echo "Hook removed: $OUT"
          shred -fzu -n 5 /opt/cdlb/secrets/authorized_keys
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
        run: |
          set -euo pipefail
          SHARE_SUBDIR=""
          echo "📥 Get directory listing via PROPFIND ..."
          curl -s \
          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
          -X PROPFIND \
          -H "Depth: 1" \
          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -o propfind_public.xml
          echo "📥 Filter .iso files from the PROPFIND response ..."
          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
            echo "💡 Old ISO files found and deleted :"
            while IFS= read -r href; do
              FILE_URL="${NC_BASE}${href}"
              echo "  Delete: ${FILE_URL}"
              if curl -s \
                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
                  -X DELETE "${FILE_URL}"; then
                echo "    ✅ Successfully deleted: $(basename "${href}")"
              else
                echo "    ❌ Error: $(basename "${href}") could not be deleted"
              fi
            done < public_iso_list.txt
          else
            echo "💡 No old ISO files found to delete."
          fi
      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
        run: |
          set -euo pipefail
          if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
            echo "✅ New ISO successfully uploaded."
          else
            echo "❌ Uploading the new ISO failed."
            exit 1
          fi
      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
        shell: bash
        run: |
          if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
          touch "${VAR_ISO_FILE_SHA512}"
          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
          touch "${SIGNATURE_FILE}"
          export GNUPGHOME="$(pwd)/.gnupg"
          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          VAR_DATE="$(date +%F)"
          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
          CISS.debian.live.builder ISO :
            "${VAR_ISO_FILE_NAME}"
          CISS.debian.live.builder ISO sha512 :
            $(< "${VAR_ISO_FILE_SHA512}")
          CISS.debian.live.builder ISO sha512 sign :
            $(< "${SIGNATURE_FILE}")
          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
          EOF
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Temporarily store any local modifications or untracked files.
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
          echo "🔁 Merging origin/master into current branch ..."
          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
          echo "📋 Post-merge status :"
          git status
          git log --oneline -n 5
      - name: 🛠️ Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Apply previously stashed changes.
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
          ${CI_HEADER}
          Generated at : ${TIMESTAMP_UTC}
          Runner Host  : ${HOSTNAME}
          Workflow ID  : ${WORKFLOW_ID}
          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
          "
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
          git push origin HEAD:${GITHUB_REF_NAME}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.archive/generate_PUBLIC_iso.yaml
+++ b/.archive/generate_PUBLIC_iso.yaml
@@ -0,0 +1,366 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # Version Master V8.13.768.2025.12.06
 name: 💙 Generating a PUBLIC Live ISO.
 defaults:
  run:
    shell: bash
 permissions:
  contents: write
 on:
  push:
    branches:
      - master
    paths:
      - '.gitea/trigger/t_generate_PUBLIC.yaml'
 jobs:
  generate-public-cdlb-trixie:
    name: 💙 Generating a PUBLIC Live ISO.
    runs-on: cdlb.trixie
    container:
      image: debian:trixie
    steps:
      - name: 🛠️ Basic Image Setup.
        shell: bash
        run: |
          export DEBIAN_FRONTEND=noninteractive
          apt-get update -qq
          apt-get upgrade -y
          apt-get install -y --no-install-recommends \
            apt-utils \
            bash \
            ca-certificates \
            curl \
            git \
            gnupg \
            openssh-client \
            openssl \
            perl \
            sudo \
            util-linux
      - name: ⚙️ Check GnuPG Version.
        shell: bash
        run: |
          gpg --version
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: 🛠️ Cleaning the workspace.
        shell: bash
        run: |
          git reset --hard
          git clean -fd
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
          export GNUPGHOME="$(pwd)/.gnupg"
          mkdir -m 700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
          gpg --batch --import centurion-root.PUB.asc
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
      - name: ⚙️ Preparing the build environment.
        shell: bash
        run: |
          set -euo pipefail
          mkdir -p /opt/config
          mkdir -p /opt/livebuild
          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
          echo 'Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH' >| /opt/config/password.txt
          echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY' >| /opt/config/authorized_keys
      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
        shell: bash
        run: |
          set -euo pipefail
          sed -i '/^hardening_ssh_tcp.*/d' ciss_live_builder.sh
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
          ./ciss_live_builder.sh \
            --autobuild=6.16.3+deb13-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --cdi \
            --control "${timestamp}" \
            --debug \
            --root-password-file /opt/config/password.txt \
            --ssh-port 42137 \
            --ssh-pubkey /opt/config \
            --trixie
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
        run: |
          set -euo pipefail
          SHARE_SUBDIR=""
          echo "📥 Get directory listing via PROPFIND ..."
          curl -s \
          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
          -X PROPFIND \
          -H "Depth: 1" \
          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -o propfind_public.xml
          echo "📥 Filter .iso files from the PROPFIND response ..."
          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
            echo "💡 Old ISO files found and deleted :"
            while IFS= read -r href; do
              FILE_URL="${NC_BASE}${href}"
              echo "  Delete: ${FILE_URL}"
              if curl -s \
                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
                  -X DELETE "${FILE_URL}"; then
                echo "    ✅ Successfully deleted: $(basename "${href}")"
              else
                echo "    ❌ Error: $(basename "${href}") could not be deleted"
              fi
            done < public_iso_list.txt
          else
            echo "💡 No old ISO files found to delete."
          fi
      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
        run: |
          set -euo pipefail
          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
            echo "✅ New ISO successfully uploaded."
          else
            echo "❌ Uploading the new ISO failed."
            exit 1
          fi
      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
        shell: bash
        run: |
          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
          touch "${VAR_ISO_FILE_SHA512}"
          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
          touch "${SIGNATURE_FILE}"
          export GNUPGHOME="$(pwd)/.gnupg"
          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          VAR_DATE="$(date +%F)"
          PRIVATE_FILE="LIVE_ISO.public"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
          CISS.debian.live.builder ISO :
            "${VAR_ISO_FILE_NAME}"
          CISS.debian.live.builder ISO sha512 :
            $(< "${VAR_ISO_FILE_SHA512}")
          CISS.debian.live.builder ISO sha512 sign :
            $(< "${SIGNATURE_FILE}")
          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
          EOF
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Temporarily store any local modifications or untracked files.
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
          echo "🔁 Merging origin/master into current branch ..."
          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
          echo "📋 Post-merge status :"
          git status
          git log --oneline -n 5
      - name: 🛠️ Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Apply previously stashed changes.
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          PRIVATE_FILE="LIVE_ISO.public"
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PUBLIC_iso.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
          ${CI_HEADER}
          Generated at : ${TIMESTAMP_UTC}
          Runner Host  : ${HOSTNAME}
          Workflow ID  : ${WORKFLOW_ID}
          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
          "
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
          git push origin HEAD:${GITHUB_REF_NAME}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.archive/icon.lib
+++ b/.archive/icon.lib
@@ -4,52 +4,67 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ⏫
 ⬆️
 ☁️
 ☢️
 ☣️
 ✍️
 ✅
 ❌
 ⚠️
-🚫
+•
 🔐
 🔒
 🔑
 ✍️
 🖥️
 🔄
 🔁
 🌌
 🔵
 💙
 🔍
 💡
 🔧
 🛠️
 🏗
 ⚙️
-📐
+🆙
-🧪
+🌌
-📩
+🌐
 📥
 📦
 📑
 📂
 📀
 🎉
-😺
+🎯
 🏗
 💙
 💡
 💬
 💽
 💾
 💿
 📀
 📁
 📂
 📅
 📉
 📊
 🧾
 📋
-🕑
+📐
-🧠
+📑
-📅
+📡
-🎯
+📤
-🌐
+📥
 📦
 📩
 🔁
 🔄
 🔍
 🔐
 🔑
 🔒
 🔗
-💬
+🔧
-☢️
+🔵
-☣️
+🔼
-•
+🕑
 🖥️
 🗂️
 🗄️
 🗜️
 😺
 🚫
 🛠️
 🛡️
 🧠
 🧪
 🧾
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/etc/network/interfaces
+++ b/config/includes.chroot/etc/network/interfaces
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/.editorconfig
+++ b/.editorconfig
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.008.2025.08.22"
+      placeholder: "e.g., Master V8.13.768.2025.12.06"
    validations:
      required: true
--- a/.gitea/ISSUE_TEMPLATE/PULL_REQUEST_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/PULL_REQUEST_TEMPLATE.yaml
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.008.2025.08.22
+# Version Master V8.13.768.2025.12.06
 FROM debian:bookworm
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.008.2025.08.22
+# Version Master V8.13.768.2025.12.06
 name: 🔁 Render README.md to README.html.
@@ -38,11 +38,11 @@ jobs:
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
@@ -53,7 +53,7 @@ jobs:
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 build:
  counter: 1023
-  version: V8.13.008.2025.08.22
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 build:
  counter: 1023
-  version: V8.13.008.2025.08.22
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 build:
  counter: 1023
-  version: V8.13.008.2025.08.22
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 build:
  counter: 1023
-  version: V8.13.008.2025.08.22
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -4,19 +4,15 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.008.2025.08.22
+# Version Master V8.13.768.2025.12.06
 name: 🔐 Generating a Private Live ISO TRIXIE.
 defaults:
  run:
    shell: bash
 permissions:
  contents: write
@@ -35,130 +31,207 @@ jobs:
    container:
      image: debian:trixie
-    steps:
+    defaults:
-      - name: 🛠️ Basic Image Setup.
+      run:
        shell: bash
        working-directory: ${{ github.workspace }}
    steps:
      - name: 🕑 Waiting random time to desynchronize parallel workflows.
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
      - name: 🔧 Basic Image Setup.
        run: |
          set -euo pipefail
          umask 0022
          echo "APT_LISTCHANGES_FRONTEND=none"  >> "${GITHUB_ENV}"
          echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}"
          echo "LC_ALL=C.UTF-8"                 >> "${GITHUB_ENV}"
          echo "TZ=UTC"                         >> "${GITHUB_ENV}"
          echo "VAR_CDLB_INSIDE_RUNNER=true"    >> "${GITHUB_ENV}"
          export APT_LISTCHANGES_FRONTEND=none
          export DEBIAN_FRONTEND=noninteractive
-          apt-get update
+
          apt-get update -qq
          apt-get upgrade -y
          apt-get install -y --no-install-recommends \
            apt-utils \
            bash \
            bat \
            ca-certificates \
            cryptsetup \
            curl \
            debootstrap \
            git \
            gnupg-utils \
            gnupg \
            gpg-agent \
            gpgv \
            live-build \
            lsb-release \
            openssh-client \
            openssl \
            perl \
            pinentry-curses \
            pinentry-tty \
            sudo \
-            util-linux
+            util-linux \
            whois
      - name: ⚙️ Check GnuPG Version.
        shell: bash
        run: |
          gpg --version
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set +x
          set -euo pipefail
          umask 0077
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            BatchMode yes
            ConnectTimeout 5
            ControlMaster auto
            ControlPath ~/.ssh/cm-%r@%h:%p
            ControlPersist 5m
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            Port 42842
            ServerAliveCountMax 3
            ServerAliveInterval 10
            StrictHostKeyChecking yes
            User git
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
-      - name: 🛠️ Cleaning the workspace.
+      - name: ⚙️ Init GNUPGHOME.
        shell: bash
        run: |
-          git reset --hard
+          set +x
-          git clean -fd
+          set -euo pipefail
          umask 0077
          GNUPGHOME="${PWD}/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}"
          # shellcheck disable=SC2174
          mkdir -p -m 0700 "${GNUPGHOME}"
          echo "GNUPGHOME=${GNUPGHOME}"                 >> "${GITHUB_ENV}"
          echo 'allow-loopback-pinentry'                >| "${GNUPGHOME}/gpg-agent.conf"
          echo 'pinentry-program /usr/bin/pinentry-tty' >> "${GNUPGHOME}/gpg-agent.conf"
          gpgconf --reload gpg-agent || true
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
+        env:
          PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
        run: |
          set +x
          set -euo pipefail
-          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          umask 0077
-          export GNUPGHOME="$(pwd)/.gnupg"
+          printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
-          mkdir -m 700 "${GNUPGHOME}"
+          unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
          gpg --batch --import centurion-root.PUB.asc
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set +x
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }}
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
          git config --get user.signingkey
      - name: ⚙️ Preparing the build environment.
        shell: bash
        run: |
          set +x
          set -euo pipefail
-          mkdir -p /opt/config
+          umask 0077
-          mkdir -p /opt/livebuild
+          mkdir -p /dev/shm/cdlb_secrets
          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
-      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt
-        shell: bash
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_ca.asc
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
          echo "${{ secrets.CISS_DLB_ROOT_PWD }}"                 >| /dev/shm/cdlb_secrets/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}"          >| /dev/shm/cdlb_secrets/authorized_keys
          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}"     >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key
          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}"         >| /dev/shm/cdlb_secrets/ssh_host_rsa_key
          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}"     >| /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
          echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}"           >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
          echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
          echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /dev/shm/cdlb_secrets/keys.txt
          echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /dev/shm/cdlb_secrets/luks.txt
          echo "${{ secrets.PGP_CISS_CA_PUBLIC_KEY }}"            >| /dev/shm/cdlb_secrets/signing_ca.asc
          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}"       >| /dev/shm/cdlb_secrets/signing_key.asc
          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}"  >| /dev/shm/cdlb_secrets/signing_key_pass.txt
      - name: 🔧 Starting CISS.debian.live.builder. This may take about an hour ...
        run: |
          set -euo pipefail
-          chmod 0755 ciss_live_builder.sh
+          chmod 0700 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
          chmod 0400 /dev/shm/cdlb_secrets/*
          ./ciss_live_builder.sh \
            --autobuild=6.12.41+deb13-amd64 \
            --architecture amd64 \
-            --build-directory /opt/livebuild \
+            --autobuild=6.17.8+deb13-amd64 \
            --build-directory /opt/cdlb \
            --cdi \
            --change-splash hexagon \
            --control "${timestamp}" \
            --debug \
            --dhcp-centurion \
            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
            --key_age=keys.txt \
            --key_luks=luks.txt \
            --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
-            --root-password-file /opt/config/password.txt \
+            --root-password-file /dev/shm/cdlb_secrets/password.txt \
            --signing_ca=signing_ca.asc \
            --signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
            --signing_key_pass=signing_key_pass.txt \
            --signing_key=signing_key.asc \
            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
-            --ssh-pubkey /opt/config \
+            --ssh-pubkey /dev/shm/cdlb_secrets \
            --sshfp \
            --trixie
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
@@ -168,83 +241,106 @@ jobs:
          SHARE_SUBDIR=""
          echo "📥 Get directory listing via PROPFIND ..."
-          curl -s \
+
-          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -X PROPFIND \
          -H "Depth: 1" \
          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -o propfind_public.xml
          echo "📥 Filter .iso files from the PROPFIND response ..."
          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
            echo "💡 Old ISO files found and deleted :"
            while IFS= read -r href; do
              FILE_URL="${NC_BASE}${href}"
              echo "  Delete: ${FILE_URL}"
-              if curl -s \
+
-                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+              if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
-                  -X DELETE "${FILE_URL}"; then
+
                echo "    ✅ Successfully deleted: $(basename "${href}")"
              else
                echo "    ❌ Error: $(basename "${href}") could not be deleted"
              fi
            done < public_iso_list.txt
          else
            echo "💡 No old ISO files found to delete."
          fi
-      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+      - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
        run: |
          set -euo pipefail
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
            echo "✅ New ISO successfully uploaded."
          else
            echo "❌ Uploading the new ISO failed."
            exit 1
          fi
      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
        shell: bash
        run: |
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
          touch "${VAR_ISO_FILE_SHA512}"
          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
          touch "${SIGNATURE_FILE}"
-          export GNUPGHOME="$(pwd)/.gnupg"
+
-          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+          gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          VAR_DATE="$(date +%F)"
          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -252,7 +348,7 @@ jobs:
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
-          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
@@ -270,7 +366,6 @@ jobs:
          EOF
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -279,12 +374,10 @@ jobs:
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
@@ -296,8 +389,7 @@ jobs:
          git status
          git log --oneline -n 5
-      - name: 🛠️ Restore stashed changes.
+      - name: 🔧 Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -306,7 +398,6 @@ jobs:
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -315,16 +406,17 @@ jobs:
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
@@ -332,7 +424,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_0.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
@@ -348,10 +440,10 @@ jobs:
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -4,19 +4,15 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.008.2025.08.22
+# Version Master V8.13.768.2025.12.06
 name: 🔐 Generating a Private Live ISO TRIXIE.
 defaults:
  run:
    shell: bash
 permissions:
  contents: write
@@ -35,127 +31,205 @@ jobs:
    container:
      image: debian:trixie
-    steps:
+    defaults:
-      - name: 🛠️ Basic Image Setup.
+      run:
        shell: bash
        working-directory: ${{ github.workspace }}
    steps:
      - name: 🕑 Waiting random time to desynchronize parallel workflows.
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
      - name: 🔧 Basic Image Setup.
        run: |
          set -euo pipefail
          umask 0022
          echo "APT_LISTCHANGES_FRONTEND=none"  >> "${GITHUB_ENV}"
          echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}"
          echo "LC_ALL=C.UTF-8"                 >> "${GITHUB_ENV}"
          echo "TZ=UTC"                         >> "${GITHUB_ENV}"
          echo "VAR_CDLB_INSIDE_RUNNER=true"    >> "${GITHUB_ENV}"
          export APT_LISTCHANGES_FRONTEND=none
          export DEBIAN_FRONTEND=noninteractive
-          apt-get update
+
          apt-get update -qq
          apt-get upgrade -y
          apt-get install -y --no-install-recommends \
            apt-utils \
            bash \
            bat \
            ca-certificates \
            cryptsetup \
            curl \
            debootstrap \
            git \
            gnupg-utils \
            gnupg \
            gpg-agent \
            gpgv \
            live-build \
            lsb-release \
            openssh-client \
            openssl \
            perl \
            pinentry-curses \
            pinentry-tty \
            sudo \
-            util-linux
+            util-linux \
            whois
      - name: ⚙️ Check GnuPG Version.
        shell: bash
        run: |
          gpg --version
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set +x
          set -euo pipefail
          umask 0077
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            BatchMode yes
            ConnectTimeout 5
            ControlMaster auto
            ControlPath ~/.ssh/cm-%r@%h:%p
            ControlPersist 5m
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            Port 42842
            ServerAliveCountMax 3
            ServerAliveInterval 10
            StrictHostKeyChecking yes
            User git
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
-      - name: 🛠️ Cleaning the workspace.
+      - name: ⚙️ Init GNUPGHOME.
        shell: bash
        run: |
-          git reset --hard
+          set +x
-          git clean -fd
+          set -euo pipefail
          umask 0077
          GNUPGHOME="${PWD}/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}"
          # shellcheck disable=SC2174
          mkdir -p -m 0700 "${GNUPGHOME}"
          echo "GNUPGHOME=${GNUPGHOME}"                 >> "${GITHUB_ENV}"
          echo 'allow-loopback-pinentry'                >| "${GNUPGHOME}/gpg-agent.conf"
          echo 'pinentry-program /usr/bin/pinentry-tty' >> "${GNUPGHOME}/gpg-agent.conf"
          gpgconf --reload gpg-agent || true
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
+        env:
          PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
        run: |
          set +x
          set -euo pipefail
-          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          umask 0077
-          export GNUPGHOME="$(pwd)/.gnupg"
+          printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
-          mkdir -m 700 "${GNUPGHOME}"
+          unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
          gpg --batch --import centurion-root.PUB.asc
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set +x
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }}
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
          git config --get user.signingkey
      - name: ⚙️ Preparing the build environment.
        shell: bash
        run: |
          set +x
          set -euo pipefail
-          mkdir -p /opt/config
+          umask 0077
-          mkdir -p /opt/livebuild
+          mkdir -p /dev/shm/cdlb_secrets
          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys
-      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt
-        shell: bash
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_ca.asc
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}"               >| /dev/shm/cdlb_secrets/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}"        >| /dev/shm/cdlb_secrets/authorized_keys
          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}"     >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key
          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}"         >| /dev/shm/cdlb_secrets/ssh_host_rsa_key
          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}"     >| /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
          echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}"           >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
          echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
          echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /dev/shm/cdlb_secrets/keys.txt
          echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /dev/shm/cdlb_secrets/luks.txt
          echo "${{ secrets.PGP_CISS_CA_PUBLIC_KEY }}"            >| /dev/shm/cdlb_secrets/signing_ca.asc
          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}"       >| /dev/shm/cdlb_secrets/signing_key.asc
          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}"  >| /dev/shm/cdlb_secrets/signing_key_pass.txt
      - name: 🔧 Starting CISS.debian.live.builder. This may take about an hour ...
        run: |
          set -euo pipefail
-          chmod 0755 ciss_live_builder.sh
+          chmod 0700 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
          chmod 0400 /dev/shm/cdlb_secrets/*
          ./ciss_live_builder.sh \
            --autobuild=6.12.41+deb13-amd64 \
            --architecture amd64 \
-            --build-directory /opt/livebuild \
+            --autobuild=6.17.8+deb13-amd64 \
            --build-directory /opt/cdlb \
            --cdi \
            --change-splash hexagon \
            --control "${timestamp}" \
            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
-            --root-password-file /opt/config/password.txt \
+            --key_age=keys.txt \
            --key_luks=luks.txt \
            --root-password-file /dev/shm/cdlb_secrets/password.txt \
            --signing_ca=signing_ca.asc \
            --signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
            --signing_key_pass=signing_key_pass.txt \
            --signing_key=signing_key.asc \
            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
-            --ssh-pubkey /opt/config \
+            --ssh-pubkey /dev/shm/cdlb_secrets \
            --sshfp \
            --trixie
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
@@ -165,83 +239,106 @@ jobs:
          SHARE_SUBDIR=""
          echo "📥 Get directory listing via PROPFIND ..."
-          curl -s \
+
-          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -X PROPFIND \
          -H "Depth: 1" \
          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -o propfind_public.xml
          echo "📥 Filter .iso files from the PROPFIND response ..."
          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
            echo "💡 Old ISO files found and deleted :"
            while IFS= read -r href; do
              FILE_URL="${NC_BASE}${href}"
              echo "  Delete: ${FILE_URL}"
-              if curl -s \
+
-                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+              if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
-                  -X DELETE "${FILE_URL}"; then
+
                echo "    ✅ Successfully deleted: $(basename "${href}")"
              else
                echo "    ❌ Error: $(basename "${href}") could not be deleted"
              fi
            done < public_iso_list.txt
          else
            echo "💡 No old ISO files found to delete."
          fi
-      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+      - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
        run: |
          set -euo pipefail
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
            echo "✅ New ISO successfully uploaded."
          else
            echo "❌ Uploading the new ISO failed."
            exit 1
          fi
      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
        shell: bash
        run: |
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
          touch "${VAR_ISO_FILE_SHA512}"
          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
          touch "${SIGNATURE_FILE}"
-          export GNUPGHOME="$(pwd)/.gnupg"
+
-          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+          gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          VAR_DATE="$(date +%F)"
          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -249,7 +346,7 @@ jobs:
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
-          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
@@ -267,7 +364,6 @@ jobs:
          EOF
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -276,12 +372,10 @@ jobs:
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
@@ -293,8 +387,7 @@ jobs:
          git status
          git log --oneline -n 5
-      - name: 🛠️ Restore stashed changes.
+      - name: 🔧 Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -303,7 +396,6 @@ jobs:
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -312,16 +404,17 @@ jobs:
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
@@ -329,7 +422,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_1.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
@@ -345,10 +438,10 @@ jobs:
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -1,15 +1,15 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.008.2025.08.22
+# Version Master V8.13.768.2025.12.06
 name: 💙 Generating a PUBLIC Live ISO.
@@ -24,263 +24,180 @@ on:
      - '.gitea/trigger/t_generate_PUBLIC.yaml'
 jobs:
-  generate-private-ciss-debian-live-iso:
+  generate-public-cdlb-trixie:
    name: 💙 Generating a PUBLIC Live ISO.
-    runs-on: ciss.debian.live.builder.iso.generator
+    runs-on: cdlb.trixie
    ### Run all steps inside Debian Bookworm
    container:
-      image: debian:bookworm
+      image: debian:trixie
    defaults:
      run:
        shell: bash
        working-directory: ${{ github.workspace }}
    steps:
-      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
+      - name: 🕑 Waiting random time to desynchronize parallel workflows.
        run: |
-          apt-get update -y
+          set -euo pipefail
-          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
+          var_wait=$(( RANDOM % 33 ))
-          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
-            >| /etc/apt/sources.list.d/bookworm-backports.list
+          sleep "${var_wait}"
          apt-get update -y
          apt-get upgrade -y
-      - name: 🛠️ Installing Build Tools.
+      - name: 🔧 Basic Image Setup.
        shell: bash
        run: |
-          apt-get update -y
+          set -euo pipefail
-          apt-get install -y \
+          umask 0022
-            autoconf \
+
-            automake \
+          echo "APT_LISTCHANGES_FRONTEND=none"  >> "${GITHUB_ENV}"
-            build-essential \
+          echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}"
          echo "LC_ALL=C.UTF-8"                 >> "${GITHUB_ENV}"
          echo "TZ=UTC"                         >> "${GITHUB_ENV}"
          echo "VAR_CDLB_INSIDE_RUNNER=true"    >> "${GITHUB_ENV}"
          export APT_LISTCHANGES_FRONTEND=none
          export DEBIAN_FRONTEND=noninteractive
          apt-get update -qq
          apt-get upgrade -y
          apt-get install -y --no-install-recommends \
            apt-utils \
            bash \
            bat \
            ca-certificates \
            cryptsetup \
            curl \
            debootstrap \
            dosfstools \
            efibootmgr \
            gettext \
            git \
            gnupg-utils \
            gnupg \
-            haveged \
+            gpg-agent \
-            libbz2-dev \
+            gpgv \
            zlib1g-dev \
            liblzma-dev \
            libtool \
            live-build \
-            parted \
+            lsb-release \
-            pkg-config \
+            openssh-client \
-            ssh \
+            openssl \
-            ssl-cert \
+            perl \
            pinentry-curses \
            pinentry-tty \
            sudo \
-            texinfo \
+            util-linux \
-            wget \
+            whois
            whois \
      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
        shell: bash
        run: |
          urls=(
            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
          )
          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
          gpg --batch --import signature_key.asc
          for url in "${urls[@]}"; do
            archive_name="${url##*/}"
            pkg_name="${archive_name%.tar.bz2}"
            echo "🔄 Processing ${pkg_name}"
            if [[ ! -f "${archive_name}" ]]; then
              echo "📥 Downloading: '${archive_name}'."
              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
                echo "✅ Download successful: '${archive_name}'."
              else
                echo "❌ Download NOT successful: '${archive_name}'."
                exit 1
              fi
            else
              echo "💡 Skipping download, package already exists: '${archive_name}'."
            fi
            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
            if [[ ! -d "${pkg_name}" ]]; then
              echo "📂 Extracting: '${archive_name}'."
              if tar -xjf "${archive_name}"; then
                echo "✅ Extraction successful: '${archive_name}'."
              else
                echo "❌ Extraction not successful: '${archive_name}'."
                exit 1
              fi
            else
              echo "💡 Skipping directory, already exists: '${pkg_name}'."
            fi
            echo "🏗️ Build and install the package: '${pkg_name}'."
            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
            mkdir -p build
            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
            echo "✅ Successful build and installation of '${pkg_name}'."
            echo "-------------------------------------------------------------------------------------"
          done
          rm -f signature_key.asc
          echo "✅ All packages were built and installed successfully."
          mv_bin=(
            "/usr/bin/gpg"
            "/usr/bin/gpg-agent"
            "/usr/bin/gpgconf"
            "/usr/bin/gpg-connect-agent"
            "/usr/bin/gpg-wks-client"
            "/usr/bin/gpg-preset-passphrase"
          )
          for bin in "${mv_bin[@]}"; do
            name="${bin##*/}"
            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
              if mv "${bin}" "${bin}.debian-backup"; then
                echo "✅ Moved successfully: '${bin}'."
              else
                echo "❌ Moved NOT successfully: '${bin}'."
              fi
            else
              echo "💡 Does not exist as build binary: '${bin}'."
            fi
          done
          for bin in "${mv_bin[@]}"; do
            name="${bin##*/}"
            if [[ -f "/usr/local/bin/${name}" ]]; then
              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
                echo "✅ 'update-alternatives' successfully: '${bin}'."
              else
                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
              fi
            else
              echo "💡 Does not exist: '/usr/local/bin/${name}'."
            fi
          done
          sudo ldconfig
          gpgconf --kill all
          /usr/local/bin/gpg-agent --daemon
      - name: ⚙️ Check GnuPG Version.
        shell: bash
        run: |
          gpg --version
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set +x
          set -euo pipefail
          umask 0077
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            BatchMode yes
            ConnectTimeout 5
            ControlMaster auto
            ControlPath ~/.ssh/cm-%r@%h:%p
            ControlPersist 5m
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            Port 42842
            ServerAliveCountMax 3
            ServerAliveInterval 10
            StrictHostKeyChecking yes
            User git
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
-      - name: 🛠️ Cleaning the workspace.
+      - name: ⚙️ Init GNUPGHOME.
        shell: bash
        run: |
-          git reset --hard
+          set +x
-          git clean -fd
+          set -euo pipefail
          umask 0077
          GNUPGHOME="${PWD}/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}"
          # shellcheck disable=SC2174
          mkdir -p -m 0700 "${GNUPGHOME}"
          echo "GNUPGHOME=${GNUPGHOME}"                 >> "${GITHUB_ENV}"
          echo 'allow-loopback-pinentry'                >| "${GNUPGHOME}/gpg-agent.conf"
          echo 'pinentry-program /usr/bin/pinentry-tty' >> "${GNUPGHOME}/gpg-agent.conf"
          gpgconf --reload gpg-agent || true
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
+        env:
          PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
        run: |
          set +x
          set -euo pipefail
-          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          umask 0077
-          export GNUPGHOME="$(pwd)/.gnupg"
+          printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
-          mkdir -m 700 "${GNUPGHOME}"
+          unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
          gpg --batch --import centurion-root.PUB.asc
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set +x
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }}
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
          git config --get user.signingkey
      - name: ⚙️ Preparing the build environment.
        shell: bash
        run: |
          set +x
          set -euo pipefail
-          mkdir -p /opt/config
+          umask 0077
-          mkdir -p /opt/livebuild
+          mkdir -p /dev/shm/cdlb_secrets
-          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt
-          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys
-          echo 'Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH' >| /opt/config/password.txt
+          echo 'Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH' >| /dev/shm/cdlb_secrets/password.txt
-          echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY' >| /opt/config/authorized_keys
+          echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY' >| /dev/shm/cdlb_secrets/authorized_keys
-      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
+
-        shell: bash
+      - name: 🔧 Starting CISS.debian.live.builder. This may take about an hour ...
        run: |
          set -euo pipefail
-          sed -i '/^hardening_ssh.*/d' ciss_live_builder.sh
+          chmod 0700 ciss_live_builder.sh
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
          chmod 0400 /dev/shm/cdlb_secrets/*
          ./ciss_live_builder.sh \
            --autobuild=6.1.0-37-amd64 \
            --architecture amd64 \
-            --build-directory /opt/livebuild \
+            --autobuild=6.17.8+deb13-amd64 \
            --build-directory /opt/cdlb \
            --change-splash hexagon \
            --control "${timestamp}" \
-            --root-password-file /opt/config/password.txt \
+            --root-password-file /dev/shm/cdlb_secrets/password.txt \
            --ssh-port 42137 \
-            --ssh-pubkey /opt/config
+            --ssh-pubkey /dev/shm/cdlb_secrets \
            --trixie
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
@@ -290,90 +207,114 @@ jobs:
          SHARE_SUBDIR=""
          echo "📥 Get directory listing via PROPFIND ..."
-          curl -s \
+
-          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -X PROPFIND \
          -H "Depth: 1" \
          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -o propfind_public.xml
          echo "📥 Filter .iso files from the PROPFIND response ..."
          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
            echo "💡 Old ISO files found and deleted :"
            while IFS= read -r href; do
              FILE_URL="${NC_BASE}${href}"
              echo "  Delete: ${FILE_URL}"
-              if curl -s \
+
-                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+              if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
-                  -X DELETE "${FILE_URL}"; then
+
                echo "    ✅ Successfully deleted: $(basename "${href}")"
              else
                echo "    ❌ Error: $(basename "${href}") could not be deleted"
              fi
            done < public_iso_list.txt
          else
            echo "💡 No old ISO files found to delete."
          fi
-      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+      - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
        run: |
          set -euo pipefail
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
            echo "✅ New ISO successfully uploaded."
          else
            echo "❌ Uploading the new ISO failed."
            exit 1
          fi
      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
        shell: bash
        run: |
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
          touch "${VAR_ISO_FILE_SHA512}"
          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
          touch "${SIGNATURE_FILE}"
-          export GNUPGHOME="$(pwd)/.gnupg"
+
-          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+          gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          VAR_DATE="$(date +%F)"
          PRIVATE_FILE="LIVE_ISO.public"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
-          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
@@ -391,7 +332,6 @@ jobs:
          EOF
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -400,12 +340,10 @@ jobs:
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
@@ -417,8 +355,7 @@ jobs:
          git status
          git log --oneline -n 5
-      - name: 🛠️ Restore stashed changes.
+      - name: 🔧 Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -427,7 +364,6 @@ jobs:
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -436,16 +372,17 @@ jobs:
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
@@ -453,7 +390,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PUBLIC_iso.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
@@ -469,10 +406,10 @@ jobs:
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.008.2025.08.22
+# Version Master V8.13.768.2025.12.06
 # Gitea Workflow: Shell-Script Linting
 #
@@ -36,57 +36,67 @@ jobs:
    name: 🛡️ Shell Script Linting
    runs-on: ubuntu-latest
-    steps:
+    defaults:
-      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+      run:
        shell: bash
        working-directory: ${{ github.workspace }}
    steps:
      - name: 🕑 Waiting random time to desynchronize parallel workflows.
        run: |
          set -euo pipefail
-          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+          var_wait=$(( RANDOM % 33 ))
          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        run: |
          set +x
          set -euo pipefail
          rm -rf ~/.ssh && mkdir -m0700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            BatchMode yes
            ConnectTimeout 5
            ControlMaster auto
            ControlPath ~/.ssh/cm-%r@%h:%p
            ControlPersist 5m
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            Port 42842
            ServerAliveCountMax 3
            ServerAliveInterval 10
            StrictHostKeyChecking yes
            User git
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: 🛠️ Cleaning the workspace.
        shell: bash
        run: |
          set -euo pipefail
          git reset --hard
          git clean -fd
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
-          mkdir -m 700 "${GNUPGHOME}"
+          mkdir -m 0700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
@@ -94,10 +104,9 @@ jobs:
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
@@ -105,22 +114,19 @@ jobs:
          git config gpg.format openpgp
      - name: ⚙️ Convert APT sources to HTTPS.
        shell: bash
        run: |
          set -euo pipefail
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
-      - name: 🛠️ Install dependencies.
+      - name: 🔧 Install dependencies.
        shell: bash
        run: |
          ### Install grep with Perl-regex support, falls noch nicht vorhanden
-          apt-get update
+          apt-get update  -qq
          apt-get upgrade -y
          apt-get install -y grep
      - name: 🔍 Lint shell scripts
        shell: bash
        run: |
          # -------------------------------
          # STEP 1: Find target files.
@@ -212,7 +218,7 @@ jobs:
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
-          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
@@ -236,7 +242,7 @@ jobs:
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
-          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
@@ -250,7 +256,6 @@ jobs:
          fi
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -259,12 +264,11 @@ jobs:
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
@@ -276,8 +280,7 @@ jobs:
          git status
          git log --oneline -n 5
-      - name: 🛠️ Restore stashed changes.
+      - name: 🔧 Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -286,7 +289,6 @@ jobs:
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -295,12 +297,11 @@ jobs:
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
@@ -312,7 +313,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-linter_char_scripts.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🛡️ Shell Script Linting [skip ci]
@@ -331,7 +332,6 @@ jobs:
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.008.2025.08.22
+# Version Master V8.13.768.2025.12.06
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
@@ -28,57 +28,67 @@ jobs:
    name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
    runs-on: ubuntu-latest
-    steps:
+    defaults:
-      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+      run:
        shell: bash
        working-directory: ${{ github.workspace }}
    steps:
      - name: 🕑 Waiting random time to desynchronize parallel workflows.
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        run: |
          set +x
          set -euo pipefail
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            BatchMode yes
            ConnectTimeout 5
            ControlMaster auto
            ControlPath ~/.ssh/cm-%r@%h:%p
            ControlPersist 5m
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            Port 42842
            ServerAliveCountMax 3
            ServerAliveInterval 10
            StrictHostKeyChecking yes
            User git
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: 🛠️ Cleaning the workspace.
        shell: bash
        run: |
          set -euo pipefail
          git reset --hard
          git clean -fd
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
-          mkdir -m 700 "${GNUPGHOME}"
+          mkdir -m 0700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
@@ -86,10 +96,9 @@ jobs:
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
@@ -97,38 +106,32 @@ jobs:
          git config gpg.format openpgp
      - name: ⚙️ Convert APT sources to HTTPS.
        shell: bash
        run: |
          set -euo pipefail
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
-      - name: 🛠️ Install DNSViz.
+      - name: 🔧 Install DNSViz.
        shell: bash
        run: |
          sudo apt-get update
          sudo apt-get install -y dnsviz
      - name: ⚙️ Ensure docs/SECURITY/ directory exists.
        shell: bash
        run: |
          mkdir -p docs/SECURITY/
          rm -f docs/SECURITY/coresecret.dev.png
-      - name: 🛠️ Prepare DNS Cache.
+      - name: 🔧 Prepare DNS Cache.
        shell: bash
        run: |
          sudo apt-get install -y dnsutils
          dig +dnssec +multi coresecret.dev @8.8.8.8
-      - name: 🛠️ Retrieve Zone Dump and generate .png Visualization.
+      - name: 🔧 Retrieve Zone Dump and generate .png Visualization.
        shell: bash
        run: |
          dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json
          dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -137,12 +140,11 @@ jobs:
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
@@ -154,8 +156,7 @@ jobs:
          git status
          git log --oneline -n 5
-      - name: 🛠️ Restore stashed changes.
+      - name: 🔧 Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -164,7 +165,6 @@ jobs:
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -172,12 +172,11 @@ jobs:
          git add docs/SECURITY/*.png || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
@@ -189,7 +188,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dnssec-status.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🛡️ Auto-Generate DNSSEC Status [skip ci]
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.008.2025.08.22
+# Version Master V8.13.768.2025.12.06
 name: 🔁 Render Graphviz Diagrams.
@@ -29,57 +29,67 @@ jobs:
    name: 🔁 Render Graphviz Diagrams.
    runs-on: ubuntu-latest
-    steps:
+    defaults:
-      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+      run:
        shell: bash
        working-directory: ${{ github.workspace }}
    steps:
      - name: 🕑 Waiting random time to desynchronize parallel workflows.
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        run: |
          set +x
          set -euo pipefail
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            BatchMode yes
            ConnectTimeout 5
            ControlMaster auto
            ControlPath ~/.ssh/cm-%r@%h:%p
            ControlPersist 5m
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            Port 42842
            ServerAliveCountMax 3
            ServerAliveInterval 10
            StrictHostKeyChecking yes
            User git
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: 🛠️ Cleaning the workspace.
        shell: bash
        run: |
          set -euo pipefail
          git reset --hard
          git clean -fd
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
-          mkdir -m 700 "${GNUPGHOME}"
+          mkdir -m 0700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
@@ -87,10 +97,9 @@ jobs:
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
@@ -98,21 +107,18 @@ jobs:
          git config gpg.format openpgp
      - name: ⚙️ Convert APT sources to HTTPS.
        shell: bash
        run: |
          set -euo pipefail
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
-      - name: 🛠️ Install Graphviz.
+      - name: 🔧 Install Graphviz.
        shell: bash
        run: |
          set -euo pipefail
          sudo apt-get update
          sudo apt-get install -y graphviz
-      - name: 🛠️ Render all .dot / .gv to PNG.
+      - name: 🔧 Render all .dot / .gv to PNG.
        shell: bash
        run: |
          set -euo pipefail
          find . -type f \( -name "*.dot" -o -name "*.gv" \) | while read file; do
@@ -121,7 +127,6 @@ jobs:
          done
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -130,12 +135,11 @@ jobs:
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
@@ -147,8 +151,7 @@ jobs:
          git status
          git log --oneline -n 5
-      - name: 🛠️ Restore stashed changes.
+      - name: 🔧 Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -157,7 +160,6 @@ jobs:
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -165,12 +167,11 @@ jobs:
          git add *.png || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
@@ -182,7 +183,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dot-to-png.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🔁 Auto-Generate PNG from *.dot. [skip ci]
@@ -201,7 +202,6 @@ jobs:
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
--- a/.gitignore
+++ b/.gitignore
@@ -4,13 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 .checklist/
 .idea/
 build/
 out/
 target/
 *.DS_Store
--- a/.pubkey/dropbear-key-2015.asc
+++ b/.pubkey/dropbear-key-2015.asc
@@ -0,0 +1,41 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQINBFWRP60BEACmOtUkYtbGNcmXdSKJ7caplzIbjuRWgSDR860hEosRDQqwORCL
 50xAEnPxgEiryONJUgOF0NRkBGJS9BsvfO3hH0LL4YSRTi0Wv7hJHTtqyzwa9qAH
 clyzNoq25dgy3D8OS6Bx1SgKFm8UTxTiCRTD0l1pRJx9efVEcAGkLgiconmyFZpJ
 oJ5XX8786bKucx791aA/26atNIzzsSo/295YAMi3QjIL5Mh5qtprSJkFRKcMx/Ay
 KaVzFlM8A/Kqea1cFiqwCJ9UNUdfvBa6K9HvTr6mPhznvH/ORt4m0sDigEoJAqLp
 KWNmjw7yITAK72nBDi/qQEhudUk22m9cVNV/mdNFoRkl9gDkgFvlcM6JksqOxkGp
 SAOJGdOU4V82e8FDSEK9C/pY+leeWeG5h/CLtw1v+Sdhk0PPRr17VKKOLCw2FGx1
 fcRYNdsuoMN4K8fgLoCzzKbyMC+y6sENEgEHSSPQDQ75XzM2Bo1UpfcHWpjqEllu
 8slhPWagckf07n0eOAARPIARlae+Wo8cYBScoZ30P5iOmYRWsxQ0HGwcLieyhuiS
 rb/NBex/tnR5ykvJNLW59P1Q5y7dpp/fLO6DpufAf+uoIfLOChnw3S5fvSL8ftxd
 GyWS79cMUkhcnFID2qfnaykxNsunuD9pEgfo9XhDk0iKZoCEKehRTau1rQARAQAB
 tC5Ecm9wYmVhciBTU0ggUmVsZWFzZSBTaWduaW5nIDxtYXR0QHVjYy5hc24uYXU+
 iQI3BBMBCgAhBQJVkT+tAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEEST
 FJTynGdzHgQP/1bVxV0KqXxEJpRSiu3aOEDu2WHIJahizZ94AClgPB0r14pEgT4T
 eCOdxinubENH+u1/ShlBVykTGyukmonhd10v8NGWAUldhkPi3jaHcxHSfENWXmu/
 +KBpcHQ0j2/PlO+RxpNkGUWTjTu9WKFiFeIX60QLCMDJpOvPe49yb650xMpjTROM
 5yOGdTkmAw4SZCkHmd7zgmzSHxXnNzXLvT9bYsJXVZwXB7Jqw4bwOHGpqB3kXsQ2
 LR2pMitM8YV3Gmjtvy+mpBqvdQ5fsxISFTC5wAUT9f6jsHfFLUv6OuNLrhZghioT
 fjPj58nfD1/4j7ka9mSyZV0PEhW5f5GYvt3WEeJJyZyhkjAkzjtZTi5sTs+QtRm0
 APCspF/y1afErS5adjTjuzSkyVx9VMBowqiYo6AGu7byajNf0rFPtTgDBC3j4Mae
 +vL5k1KvXuX1Hr1zZiM1OVMt4EOmY7mERmHXwVv1bOK/uUwQkCXKCFpP/v7a5VHL
 qpwCF65mBTW/G1ZKglUQT0JeyVJqqQHVKbNzgMSpDM7ra80/KFOg6zb9iNbjxRrH
 NfXeAGbmSWwbpFBNT3kbJWUqjqLkoD2R7rNN5SnzdPEGk/aCGuYZlLFE8k5/mJ3V
 K3X1t11fgu9lqYFpv7CenwXrbVCgxDkoic84+HezqXyQnoAp9n8xJI6diQIcBBAB
 CgAGBQJVkT+/AAoJEPSYMBLCC7qsbiQP/1qKpOo73GPvISknRpPYVWX0z7yMRUAB
 7gA9SYF7n0jOHwDAFKjYQdpIxff3xPbLaB9bRQFq6m67o1Ly5bwxXGPclsJQP/r3
 GQ8it7Dzs4JSi1Yk4Fg+Po4tHWSpW53uRKtryiaYEoQ9LYQd8fS3JDWFtkXYUVAM
 xKmKINr4UKExlYBpQS2AWve4Ou3xM9dxiDX4pH3azD8Qb24rC5vbkG8Sq+2+/QIV
 i/JxbSQHaJ+kaukHRufHWqgg4xOBE8gfS82RHqNxES1CeWcejNxhsXQP9cfUxsvZ
 2Lchm3leOZ/2ztVQ4O8aJOKN+ng8pqOjKuJDamQmN0L/1N3lfN+gg5Ccluyoj89f
 gxDuINJDeY7aulFcGfIIsa0AuDWyAly1Lcwz/Sle2WOA7xcg8FcdhqV9158a+BzB
 cSMvHRs0W0Xwsso3GyUfDomqWuOfERvQXRgwKR0SFYDeHAlB3dhKHt/KjDn0nqEo
 CFtg4ZjA0hh1KMgu5ceticwuEQOkPX5H3ZpqH99LBekHjgdp5m87FG2bWVVkYGIm
 BBoFNnCBVMXonmyZlFstZNDcvb4cYYY+gN6yDFqX1HkqV1RDSHMO7KEmVwPOg/LK
 lKpH//tEulZUqN0h8ldoNKEMRa1OOGl8nNygJFldoPzoY/3ZAbIJy8KwZeWUjkzv
 WieMGaws051uiEYEEBEKAAYFAlWRRVgACgkQjPn4sExkf7wC9wCgh2nBBbfhkvE4
 Xj3d7uSYCr1oLEEAnjJ+RpVfu3Gpye5Q+0X8EFiMLlXZ
 =kT6a
 -----END PGP PUBLIC KEY BLOCK-----
--- a/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.gpg
+++ b/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.gpg
--- a/.pubkey/marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc
+++ b/.pubkey/marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc
@@ -0,0 +1,21 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mEkFaQzeVBYAAAA/AytlcQHGPz+Tku/rFh5KSbHE465pYWjWOWSl26vKCk5HNMX6
 y2MGyUUbm5tVYHymp3EYbRBS8dJ+qKCKrzyAtDJNYXJjIFMuIFdlaWRuZXIgREVQ
 TE9ZIDxtc3crZGVwbG95QGNvcmVzZWNyZXQuZGV2PojNBRMWCABNIiEFmAiaRyzP
 RgHNUdfHCV02U1KW6hS43pIZhyPE3GBuj3YFAmkM3lQCGwMFCQfPlNwFCwkIBwIC
 IgIGFQoJCAsCBBYCAwECHgcCF4AAAA+GAcduwdOub1yMWc0o5e1qdkI/8Pv9jqYF
 P46Ko2UU24Q3AaYC5oBFyD4sKf4ojosYovs4fzrZCXqbH4ABxi0kmYEUZT11L+Ex
 AfiwNvJBCzlcvLzdK7A+ZBDgdaV5pybSN4/ZnUKkUSzZV/6odcVM2LtqkbAHAIjU
 BRAWCABUIiEFb9PDFk6t5GIBJKfozM13iXXLB7VAp8veRtbuNEidacIFAmkM3vEF
 gwfP84AkFIAAAAAADQAOcmVtQGdudXBnLm9yZ0NlbnR1cmlvbixDSUNBAACKBAHI
 5t3aZSnSERrnAZ3rwxItsTB9KeTVdtRnpxyZ7leBf4987ECcfwDDozkDGFo2cJwg
 eKPRloMif1eAAcjOdUXeunlNBTlPlyOBk0ukWT5SgVeZUl5bsNRgJWu7MoNiT9vQ
 M7gJjlyYcVoMZ47G7TA9Z+goJwC4TAVpDN5UEgAAAEIDK2VvAcCPfkOJzBvvplco
 PXb8jg4AsJXU10wHSucHMdR2R26+IJTCAYU6d3O47wTBr6QFc5HRgDZcf6FngQMB
 CgmIsgUYFggAMiIhBZgImkcsz0YBzVHXxwldNlNSluoUuN6SGYcjxNxgbo92BQJp
 DN5UAhsMBQkHz5TcAABuDQHI5Zp2rsRwc0WR0WaaQOIFh7KdL7x3dHljJ5u2m6Zc
 pzmlnZGuCTe0BmVzECJhq7Yqi+ajENbWOc+AAcUbToifr1VvbgZgUDtA+f2IlHRM
 ovaAOH5ED+DHy6OjEmBG43ZIPQbsbD4td5VIZoi+f6npZrhXNQA=
 =Q67G
 -----END PGP PUBLIC KEY BLOCK-----
--- a/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.gpg
+++ b/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.gpg
--- a/.shellcheckrc
+++ b/.shellcheckrc
@@ -1,14 +1,17 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
+# SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # https://github.com/koalaman/shellcheck/wiki/directive
 # https://github.com/koalaman/shellcheck/wiki/Optional
 encoding=utf-8
 external-sources=true
 shell=bash
@@ -16,6 +19,8 @@ source-path=~/lib
 source-path=~/scripts
 source-path=~/var
 enable=add-default-case
 enable=avoid-negated-conditions
 enable=avoid-nullary-conditions
 enable=check-extra-masked-returns
 enable=check-set-e-suppressed
@@ -24,5 +29,6 @@ enable=deprecate-which
 enable=quote-safe-variables
 enable=require-double-brackets
 enable=require-variable-braces
 enable=useless-use-of-cat
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/.version.properties
+++ b/.version.properties
@@ -4,16 +4,16 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 properties_SPDX-Version="3.0"
 properties_SPDX-ExternalRef="GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git"
 properties_SPDX-FileCopyrightText="2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>"
-properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
+properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.008.2025.08.22"
+properties_version="V8.13.768.2025.12.06"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.008.2025.08.22
+PackageVersion: Master V8.13.768.2025.12.06
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/280
+++ b/280
@@ -1,256 +1,100 @@
-# SPDX-License-Identifier: EUPL-1.2
+SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
-EUPL-1.2
+Centurion Licensing Overview
 ============================
-EUROPEAN UNION PUBLIC LICENCE v. 1.2
+This repository uses a dual-licensing model combining a non-commercial "source-available" license with a separate commercial
-EUPL © the European Union 2007, 2016
+subscription license.
-This European Union Public Licence (the 'EUPL') applies to the Work (as defined below) which is provided under the
+1. Default License: Centurion Non-Commercial License 1.1 (CNCL-1.1)
-terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such
+---------------------------------------------------------------
 a use is covered by a right of the copyright holder of the Work).
-The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following
+Unless explicitly stated otherwise in an individual file or directory, all original content in this repository is licensed under the
 notice immediately following the copyright notice for the Work:
-                          Licensed under the EUPL
+    Centurion Non-Commercial License 1.1 (CNCL-1.1)
    SPDX-Identifier: LicenseRef-CNCL-1.1
-or has expressed by any other means his willingness to license under the EUPL.
+Under CNCL-1.1 you may:
-1.Definitions
+  - use, study and modify the Software for non-commercial purposes;
  - share the Software and your modifications for non-commercial purposes;
  - NOT use the Software for any Commercial Use (as defined in CNCL-1.1).
-In this Licence, the following terms have the following meaning:
+Any Commercial Use of the Software (in whole or in part) is NOT permitted under CNCL-1.1 and requires a separate commercial
 license agreement with the Licensor (see section 2 below).
-— 'The Licence':this Licence.
+The full text of CNCL-1.1 is provided in:
-— 'The Original Work':the work or software distributed or communicated by the Licensor under this Licence, available
+    ./docs/LICENSES/CNCL-1.1.txt
 as Source Code and also as Executable Code as the case may be.
 — 'Derivative Works':the works or software that could be created by the Licensee, based upon the Original Work or
 modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work
 required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in
 the country mentioned in Article 15.
-— 'The Work':the Original Work or its Derivative Works.
+2. Commercial Use: Centurion Commercial License Agreement 1.1 (CCLA-1.1)
 ---------------------------------------------------------------------
-— 'The Source Code':the human-readable form of the Work, which is the most convenient for people to study and
+For any Commercial Use (including but not limited to use in paid services, SaaS offerings, commercial products, or internal use
-modify.
+that contributes to revenue generation or cost reduction), a valid commercial subscription license is required.
-— 'The Executable Code':any code, which has generally been compiled and, which is meant to be interpreted by
+Commercial rights are governed exclusively by the:
 a computer as a program.
-— 'The Licensor':the natural or legal person that distributes or communicates the Work under the Licence.
+    Centurion Commercial License Agreement 1.1 (CCLA-1.1)
    SPDX-Identifier: LicenseRef-CCLA-1.1
-— 'Contributor(s)':any natural or legal person who modifies the Work under the Licence, or otherwise contributes to
+The CCLA-1.1 grants time-limited, non-transferable rights to use the Software for commercial purposes, subject to subscription
-the creation of a Derivative Work.
+fees, support terms and the liability limitations described therein.
-— 'The Licensee' or 'You':any natural or legal person who makes any usage of the Work under the terms of the
+The full text of CCLA-1.1 is provided in:
 Licence.
-— 'Distribution' or 'Communication':any act of selling, giving, lending, renting, distributing, communicating,
+    ./docs/LICENSES/CCLA-1.1.txt
 transmitting, or otherwise making available, online, or offline, copies of the Work or providing access to its essential
 functionalities at the disposal of any other natural or legal person.
-2.Scope of the rights granted by the Licence
+If you are unsure whether your intended use case qualifies as Commercial Use, you must assume that it does and contact the
 Licensor at:
-The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for
+    legal@coresecret.eu
 the duration of copyright vested in the Original Work:
 — use the Work in any circumstances and for all usage,
-— reproduce the Work,
+3. Open-Source Components and Third-Party Code
 -------------------------------------------
-— modify the Work and make Derivative Works based upon the Work,
+This repository may contain or depend on third-party components that are licensed under separate open-source licenses, including
 but not limited to:
-— communicate to the public, including the right to make available or display the Work or copies thereof to the public
+  - EUPL-1.2 (European Union Public Licence)
-and perform publicly, as the case may be, the Work,
+  - other FOSS licenses as stated in the respective files or directories.
-— distribute the Work or copies thereof,
+Such components are clearly marked, typically via SPDX-License-Identifier headers and / or dedicated license files. For those
 components, the respective third-party license terms apply and take precedence over CNCL-1.1 and CCLA-1.1 with respect to that
 code.
-— lend and rent the Work or copies thereof,
+Where code from other projects is incorporated, the original copyright notices and license texts are preserved, and their terms
 remain in force for those portions.
 — sublicense rights in the Work or copies thereof.
-Those rights can be exercised on any media, supports, and formats, whether now known or later invented, as far as the
+4. SPDX Usage and Per-File Licensing
-applicable law permits so.
+------------------------------------
-In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed
+Each source file SHOULD contain an SPDX-License-Identifier line indicating the applicable license for that file, for example:
 by law in order to make effective the licence of the economic rights here above listed.
-The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the
+  - For non-commercial Centurion code:
-extent necessary to make use of the rights granted on the Work under this Licence.
+        SPDX-License-Identifier: LicenseRef-CNCL-1.1
-3.Communication of the Source Code
+  - For commercial-only Centurion deliverables (if applicable in private branches):
        SPDX-License-Identifier: LicenseRef-CCLA-1.1
-The Licensor may provide the Work either in its Source Code form or as Executable Code. If the Work is provided as
+  - For EUPL-licensed parts:
-Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with
+        SPDX-License-Identifier: EUPL-1.2
 each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to
 the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to
 distribute or communicate the Work.
-4.Limitations on copyright
+In case of any apparent conflict between this overview file and the SPDX-License-Identifier in a specific file, the
 SPDX-License-Identifier in that file SHALL prevail for that file.
 Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the
 exclusive rights of the rights owners in the Work, to the exhaustion of those rights or of other applicable limitations
 thereto.
-5.Obligations of the Licensee
+5. No Legal Advice; Governing Documents
 ---------------------------------------
-The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those
+This LICENSE file is an informational overview only. The legally binding terms governing your use of the Software are
-obligations are the following:
+exclusively those set out in:
-Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to
+  - Centurion Non-Commercial License 1.1 (CNCL-1.1)
-the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices, and a copy of the
+  - Centurion Commercial License Agreement 1.1 (CCLA-1.1)
-Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work
+  - and any applicable third-party licenses as referenced above.
 to carry prominent notices stating that the Work has been modified and the date of modification.
-Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this
+In the event of any conflict between this overview and the full license texts, the full license texts shall prevail.
 Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless
 the Original Work is expressly distributed only under this version of the Licence — for example, by communicating
 'EUPL v. 1.2 only'. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the
 Work or Derivative Work that alter or restrict the terms of the Licence.
 Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both
 the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done
 under the terms of this Compatible Licence. For the sake of this clause, 'Compatible Licence' refers to the licences listed
 in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with
 his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail.
 The provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide
 a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available
 for as long as the Licensee continues to distribute or communicate the Work.
 Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names
 of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and
 reproducing the content of the copyright notice.
 6.Chain of Authorship
 The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or
 licensed to him/her and that he/she has the power and authority to grant the Licence.
 Each Contributor warrants that the copyright in the modifications he/she brings to the Work is owned by him/her or
 licensed to him/her and that he/she has the power and authority to grant the Licence.
 Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions
 to the Work, under the terms of this Licence.
 7.Disclaimer of Warranty
 The Work is a work in progress, which is continuously improved by numerous Contributors. It is not finished work
 and may therefore contain defects or 'bugs' inherent to this type of development.
 For the above reason, the Work is provided under the Licence on an 'as is' basis and without warranties of any kind
 concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or
 errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this
 Licence.
 This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work.
 8.Disclaimer of Liability
 Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be
 liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the
 Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss
 of data, or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However,
 the Licensor will be liable under statutory product liability laws as far as such laws apply to the Work.
 9.Additional agreements
 While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services
 consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole
 responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify,
 defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such a Contributor by
 the fact You have accepted any warranty or additional liability.
 10.Acceptance of the Licence
 The provisions of this Licence can be accepted by clicking on an icon 'I agree' placed under the bottom of a window
 displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of
 applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms
 and conditions.
 Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You
 by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution
 or Communication by You of the Work or copies thereof.
 11.Information to the public
 In case of any Distribution or Communication of the Work by means of electronic communication by You (for example,
 by offering to download the Work from a remote location) the distribution channel or media (for example, a website)
 must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence,
 and the way it may be accessible, concluded, stored, and reproduced by the Licensee.
 12.Termination of the Licence
 The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms
 of the Licence.
 Such a termination will not terminate the licences of any person who has received the Work from the Licensee under
 the Licence, provided such persons remain in full compliance with the Licence.
 13.Miscellaneous
 Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the
 Work.
 If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or
 enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid
 and enforceable.
 The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of
 the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence.
 New versions of the Licence will be published with a unique version number.
 All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take
 advantage of the linguistic version of their choice.
 14.Jurisdiction
 Without prejudice to specific agreement between parties,
 — any litigation resulting from the interpretation of this License, arising between the European Union institutions,
 bodies, offices, or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice
 of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union,
 — any litigation arising between other parties and resulting from the interpretation of this License will be subject to
 the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business.
 15.Applicable Law
 Without prejudice to specific agreement between parties,
 — this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat,
 resides, or has his registered office
 — this licence shall be governed by Belgian law if the Licensor has no seat, residence, or registered office inside
 a European Union Member State.
                                                         Appendix
 'Compatible Licences' according to Article 5 EUPL are:
 — GNU General Public License (GPL) v. 2, v. 3
 — GNU Affero General Public License (AGPL) v. 3
 — Open Software License (OSL) v. 2.1, v. 3.0
 — Eclipse Public License (EPL) v. 1.0
 — CeCILL v. 2.0, v. 2.1
 — Mozilla Public Licence (MPL) v. 2
 — GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3
 — Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software
 — European Union Public Licence (EUPL) v. 1.1, v. 1.2
 — Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+).
 The European Commission may update this Appendix to later versions of the above licences without producing
 a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the
 covered Source Code from exclusive appropriation.
 All other changes or additions to this Appendix require the production of a new EUPL version.
--- a/LINTER_RESULTS.txt
+++ b/LINTER_RESULTS.txt
@@ -1,15 +1,15 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-08-22T17:25:58Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T04:39:51Z"
 ✅ The last linter check was successful. ✅
--- a/LIVE_ISO.public
+++ b/LIVE_ISO.public
@@ -1,27 +1,27 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-29; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-08-11T22:40:21Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-10-29T11:15:54Z"
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_08_11T21_49_56Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_10_29T10_21_17Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  4aa02673b9a8d5b974014eca4371d1ed69b05eaea9e92203cf7c092880833e18812bf31ab053399eda98b7a3da0b76b8dcdaaba892e9f52f836ea9d2b0e09e38
+  c4694bb55c7571df893dace7469ca4f90693eb61922508e6e5795cb442c01f2e487d055f23c27f3d1226bdd30aa4f5522af07addfc16b6f7d3224394590bd591
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaJpxVQAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaQH3agAKCRA85KY4hzOw
-IZWOAQDJriUoDvDNSQiHbFfW4KVV1E1wqe12eS7GyfVFr9bISwEAoDKhQ85+RiGr
+IbCaAP9Dqt8oESXBWNUgzCBDmBc/uZgDKJ/Ve/oIXsUGIfIqnwD/fovruI1dvGen
-pCdWqvU8wcfzEIlKIpAgAZVrhX/xRw8=
+4p02K+Dc5sf9sdU0IjMDrWVZAj8uBA0=
-=wNVV
+=ieyd
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_TRIXIE_0.private
+++ b/LIVE_ISO_TRIXIE_0.private
@@ -1,27 +1,27 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-08-22T16:55:09Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T03:44:29Z"
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_08_22T16_11_02Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_12_06T02_53_28Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  35c288d96239804e244cbe99c8ce3895aec39104a7200c2ef7326d38e1ec4eea3bf60b895eaa4d981cb718ae4d27d2d4166f16252b88606a870d14c3db096a37
+  2bf967b902455fe1f4d3ba1cb0b3c5983c6812181ae95b10ce837c0aaae084207bf15c22add2709c21c45f4262db2a2f787b2c93f3a1c507289c020e70314707
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaKig7QAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaTOmnQAKCRA85KY4hzOw
-IWKWAP0Wlqbi3ArURSGW5m+E+OstdsU7qHjf+e1SVRJ3BGUzaAEAr3ceyHiiA2/7
+IcItAQDvE6vEkbslGR5BLMVV+DKi2GDnIzIMVs7zROiPsKb3BgEA1Koqx7ccc+H2
-RlXsvZxNgVDaEVSdjmt99dMrZK7DRws=
+MmNv12w674dS2xmTZHOViYePe2KWLw0=
-=4Oh3
+=I8w2
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_TRIXIE_1.private
+++ b/LIVE_ISO_TRIXIE_1.private
@@ -1,27 +1,27 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-08-22T17:41:13Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T04:35:36Z"
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_08_22T16_56_12Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_12_06T03_45_41Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  4925332b61dbd91f0c444624bbe7de586dbd911fbb27b080a99e44ae312c5139afc502d0415d0bef7dfbd1e5461c07e0a0700f7206e746a91cbcb5403ef003e3
+  fe9481d92cf61554da92ff883a58d9aaa2ae5fe86d9c3dd634a1c3a79e1b6ca5e08693d4f9b0870077fc0bf2f840a3e678d9c9dc44f9b8dae5d474a6d39e16b2
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaKiruQAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaTOymAAKCRA85KY4hzOw
-IdoTAQDqyOBkGA0xDoLsDvjFSaf3tmzz8mD/5qvsDtF6y/rEWwD/dAXzMOdQjxg8
+Ic1iAQDVxT891Nv+LHzQs3vL31/1wqeOjiGmZbEJR8XvBoRe4wEAjdmvUpEXyb1Y
-IcK+GK6u4k5/HT5bYlCvTy/WxRb5ggQ=
+qhaFcxWDrRgiVKaitGkbNo2w6yICdgY=
-=boDM
+=TQPs
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/README.md
+++ b/README.md
@@ -2,17 +2,18 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.008.2025.08.22-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.768.2025.12.06-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.15-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.37-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/shellcheck-passed-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=shellcheck&color=%234EAA25)](https://shellcheck.net/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
 &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.5-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.25.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Runner-0.2.13-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.4-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
@@ -26,26 +27,67 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.768.2025.12.06<br>
-This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
+**CISS.debian.live.builder — First of its own.**<br>
-and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
+**World-class CIA: Designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
-cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`. Additionally, automated CI workflows 
+
-based on Gitea Actions are provided, enabling reproducible ISO generation. A generic ISO is automatically built upon significant
+Developed and maintained as a one-man, security-driven engineering effort since 2024, **CISS.debian.live.builder** is designed 
 to serve as a reference implementation for hardened, image-based Debian deployments.
 This shell wrapper automates the creation of a Debian Trixie live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for cloud
 deployment or unattended installations via the forthcoming `CISS.debian.installer`. Additionally, automated CI workflows based
 on Gitea Actions are provided, enabling reproducible ISO generation. A generic ISO is automatically built upon significant
 changes and made publicly available for download. The latest generic ISO is available at:
 **[PUBLIC CISS.debian.live.ISO](/docs/DL_PUB_ISO.md)**
-Check out more:
+Beyond a conventional live system, **CISS.debian.live.builder** assembles a **fully encrypted, integrity-protected live medium**
-* [CenturionNet Services](https://coresecret.eu/cnet/) 
+in a single, deterministic build step: a LUKS2 container backed by `dm-integrity` hosting the SquashFS root filesystem, combined
 with a hardened initramfs chain including a dedicated Dropbear build pipeline for remote LUKS unlock. The resulting ISO ships 
 with a hardened kernel configuration, strict sysctl and network tuning, pre-configured SSH hardening and fail2ban, and a 
 customised `verify-checksums` path providing both ISO-edge verification and runtime attestation of the live root. All components
 are aligned with the `CISS.debian.installer` baseline, ensuring a unified cryptographic and security posture from first boot to 
 an installed system. For an overview of the entire build process, see:
 **[MAN_CISS_ISO_BOOT_CHAIN.md](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**
 When built with the ``--dhcp-centurion`` profile, the live system ships with a strict network and resolver policy: 
 ``systemd-networkd`` and ``systemd-resolved`` are pre-configured to use ``DNS-over-TLS (DoT)`` exclusively against the 
 **CenturionDNS** resolver infrastructure; plain DNS is not used and connectivity failures are treated as hard errors. DNSSEC 
 validation is enforced in a fail-closed manner: zones with invalid or broken signatures result in ``SERVFAIL`` and are not 
 silently downgraded. Multicast name resolution via ``mDNS`` and ``LLMNR`` is disabled globally to avoid unintended name leakage
 and spoofing surfaces.
 Internally, the builder employs a dedicated secret-handling pipeline backed by a tmpfs-only secrets directory
 (`/dev/shm/cdlb_secrets`). Sensitive material such as root passwords, SSH keys, and signing keys never appears on the command
 line, is guarded by strict `0400 root:root` permissions, and any symlink inside the secret path is treated as a hard failure
 that aborts the run. Critical code paths temporarily disable Bash xtrace so that credentials never leak into debug logs, and
 transient secret files are shredded (`shred -fzu`) as soon as they are no longer needed. GNUPG homes used for signing are
 wiped, unencrypted chroot artifacts and includes are removed after `lb build`, and the final artifact is reduced to the
 encrypted SquashFS inside the LUKS2 container. At runtime, LUKS passphrases in the live ISO and installer are transported via
 named pipes inside the initramfs instead of process arguments, further minimizing exposure in process listings.
 Check out more leading world-class services powered by Centurion Intelligence Consulting Agency:
 * [CenturionDNS Resolver](https://eddns.eu/)
 * [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt) 
 * [CenturionMeet](https://talk.e2ee.li/)
 * [CenturionNet Services](https://coresecret.eu/cnet/)
 * [CenturionNet Status](https://uptime.coresecret.eu/) 
-* [CenturionMeet](https://talk.e2ee.li/) 
+
 **Contact the author:**
 * [Contact the author](https://coresecret.eu/contact/)
 **Legal Disclaimer:**
 * This project is not affiliated with, authorized, maintained, sponsored, or endorsed by the [Debian Project](https://www.debian.org/) 
 * [Licensing & Compliance](#6-licensing--compliance)
 * [Disclaimer](#7-disclaimer)
 * [Centurion Imprint & Legal Notice](https://coresecret.eu/imprint/)
 * [Centurion Privacy Policy](https://coresecret.eu/privacy/)
 ## 1.1. Preliminary Remarks
 ### 1.1.1. HSM
 Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. The next step is to 
 move to a room-gapped environment. ^^
@@ -57,57 +99,48 @@ add_header Expect-CT                 "max-age=86400, enforce"
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 ````
-* Additionally, the entire zone is dual-signed with **DNSSEC**. See the current **DNSSEC** status at: **[DNSSEC Audit Report](/docs/AUDIT_DNSSEC.md)**
+* The zones behind this project are dual-signed with **DNSSEC**. The current validation state is documented in the **[DNSSEC Audit Report](/docs/AUDIT_DNSSEC.md)**
-* A comprehensive TLS audit of the **`git.coresecret.dev`** Gitea server is also available. See: **[TLS Audit Report](/docs/AUDIT_TLS.md)**
+* The TLS surface of **``git.coresecret.dev``** is independently audited, and the findings are held in the **[TLS Audit Report](/docs/AUDIT_TLS.md)**
-* The infrastructure of the **`CISS.debian.live.builder`** building system is visualized here. See: **[Centurion Net](/docs/CNET.md)**
+* The topology of the underlying **`CISS.debian.live.builder`** building infrastructure is described in **[Centurion Net](/docs/CNET.md)**
 ### 1.1.3. Gitea Action Runner Hardening
-The CI runners operate on a dedicated host system located in a completely separate Autonomous System (AS). This host is solely 
+The CI runners live on a host in a separate autonomous system, and that host has exactly one purpose: run Gitea Actions runners. 
-dedicated to providing CI runners and does not perform any other tasks. Each runner is hermetically isolated from others using 
+Each runner receives its own service account without a login shell, is bound to a separate directory tree, and inherits a 
-non-privileged, shell-less user accounts with no direct login capability. Additionally, each runner executes within its own 
+hardened systemd unit with ``DynamicUser``, reduced capabilities, and restrictive sandboxing. A ``systemd-analyze security`` score 
-separate directory tree, employs `DynamicUser` features, and adheres to strict systemd hardening policies (achieving a ``systemd-analyze security`` 
+of around **``2.6``** is the baseline, not an aspiration. Traffic from those runners traverses both a software firewall (UFW) 
-rating of **``2.6``**). Docker containers used by runners do not run in privileged mode. Security is further enhanced through the use 
+and dedicated hardware firewall appliances. Docker, where used, runs unprivileged.
 of both UFW software firewalls and dedicated hardware firewall appliances.
 ## 1.2. Match Host and Target Versions
-Build, for example, a Debian Trixie live image only on a Debian Trixie host. The build toolchain and boot artifacts are 
+I always build a Debian Trixie live image on a Debian Trixie host. The toolchain and all boot components that matter to 
-release-specific: ``live-build``, ``live-boot``, ``live-config``, ``debootstrap``, ``kernel/initramfs`` tools, ``mksquashfs``, 
+reproducibility are release-specific: ``live-build``, ``live-boot``, ``live-config``, ``debootstrap``, ``mksquashfs``, ``grub``, 
-``GRUB/ISOLINUX``, and even ``dpkg/apt`` often change defaults and formats between releases (e.g., compression modes, SquashFS 
+the ``kernel``, ``initramfs`` tooling, and even ``dpkg`` and ``apt`` defaults evolve from one release to the next. Mixing 
-options, hook ordering, systemd/udev behavior). Building on a different host release commonly yields non-reproducible or even 
+generations produces fragile or outright broken ISOs, sometimes subtly, sometimes catastrophically. Keeping host and target in 
-unbootable ISOs (missing modules/firmware, ABI mismatches, divergent paths). Keeping host and target on the same version ensures
+lockstep avoids those mismatches and gives me predictable artifacts across builds.
 reproducible builds, matching dependencies, and compatible boot artifacts.
-## 1.3. Immutable Source-of-Truth System
+## 1.3. Immutable Source-of-Truth System and Encrypted Live Root
-This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static
+The live ISO acts as a sealed, immutable execution environment. All relevant configuration, all installation logic, and all 
-source-code definitions. All configurations, system components, and installation routines are embedded during build time and 
+security decisions are rendered into the image at build time and treated as read-only at runtime. On top of that logical 
-locked for runtime immutability. This ensures that the live environment functions as a trusted **Source of Truth** — not only 
+ immutability, I now layer cryptographic protection of the live root file system itself. The live image contains a LUKS2 container
-for boot-time operations, but for deploying entire systems in a secure and reproducible way.<br>
+file with dm-integrity that wraps the SquashFS payload. The initramfs knows how to locate this container, unlock it, verify its 
 integrity, and then present the decrypted SquashFS as the root component of an OverlayFS stack. The detailed boot and 
 verification chain is documented separately in **[CISS ISO Boot Chain](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**<br>
-Once booted, the environment optionally launches a fully scripted installer, via the forthcoming `CISS.debian.installer`,
+In compact form, my expectations for the system are:<br>
 yet to deploy, that provisions the target system (the hardware the DVD is running on). The installer pulls no external 
 dependencies besides of the necessary Debian debootstrap and Debian Packages and never exposes the target system in a not 
 secure manner to the internet during installation. It operates strictly from within the verified image content, providing fully 
 secured provisioning. Combined with checksum verification, **activated by default**, at boot and strict firewall defaults, this 
 architecture guarantees that what is executed has not been tampered with and corresponds exactly to the intended source definition.<br>
-An even more secure deployment variant — an unattended and headless version — can be built without any active network interface
+* Every bit that matters for boot and provisioning is covered by checksums that I control and that are signed with keys under my solely authoritative HSM.
-or shell-access, also via the forthcoming `CISS.debian.installer`. Such a version performs all verification steps autonomously, 
+* The live root runs out of a LUKS2 dm-integrity container so that a tampered or bit-rotted SquashFS never becomes a trusted root.
-provisions the target device from embedded source artifacts, and reboots into a fully encrypted system image. The system then 
+* Verification steps are not advisory. Any anomaly causes a hard abort during boot.
-awaits the decryption passphrase input via an embedded Dropbear SSH server (SSH PubKey only) in the initramfs, exposing no ports
+* After the live environment has reached a stable, verified state, it can hand off to ``CISS.debian.installer``. The installer operates from the same image, does not pull random payloads from the internet, and keeps the target system behind a hardened firewall until the entire provisioning process has completed.
-without cryptographic hardened access, while also the `/boot` partition could be encrypted via the built-in support of 
+* For unattended, headless scenarios I also support builds where the target system is installed without ever exposing a shell over the console. After installation and reboot, the machine waits for a decryption passphrase via an embedded Dropbear SSH instance in the initramfs, limited to public key authentication and guarded by strict cryptographic policies. In such variants even ``/boot`` can be encrypted, with GRUB taking care of unlocking the boot partition.
 `grub2 (2.12-9)`.<br>
-This approach provides a fully reproducible, audit-friendly, and tamper-resistant provisioning workflow rooted entirely in 
+These combinations give me a provisioning chain that is auditable, reproducible, and robust against both casual and targeted tampering.<br>
 source-defined infrastructure logic.<br>
-After build and configuration, the following audit reports can be generated:
+Once the system is up, I can trigger a set of audits from within the live environment:
-* **Haveged Audit Report**: Validates entropy daemon health and confirms `/dev/random` seeding performance.
+* **Lynis Audit Report**: Outputs a detailed security score and recommendations, confirming a 93%+ hardening baseline.
  Type `chkhvg` at the prompt. See example report: **[Haveged Audit Report](/docs/AUDIT_HAVEGED.md)**
 * **Lynis Audit Report**: Outputs a detailed security score and recommendations, confirming a 91%+ hardening baseline.
  Type `lsadt` at the prompt. See example report: **[Lynis Audit Report](/docs/AUDIT_LYNIS.md)**
 * **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations.
  Type `ssh-audit <IP>:<PORT>`. See example report: **[SSH Audit Report](/docs/AUDIT_SSH.md)**
@@ -116,42 +149,33 @@ After build and configuration, the following audit reports can be generated:
 ![CISS.debian.live.builder](/docs/screenshots/CISS.debian.live.builder_preview.jpeg)
-## 1.5. Caution. Significant information for those considering using D-I.
+## 1.5. Caution. Debian Installer and Security Context
 **The Debian Installer (d-i) will ALWAYS boot a new system.**<br>
-Regardless of whether you start it:
+The classical Debian Installer (d-i) always boots its own kernel and its own initramfs. That effect is independent of the way it
-* via the boot menu of your Live ISO (grub, isolinux) like **CISS.debian.live.builder**,
+is launched: 
 * via kexec in the running system,
 * via the debian-installer-launcher package,
 * or even via a graphical installer shortcut.
-The following happens in all cases:
+* from a GRUB entry on the live medium, 
-* The installer kernel (/install/vmlinuz) + initrd.gz are started.
+* from within a running live session via a graphical shortcut, 
-* The existing live system is exited.
+* through kexec, 
-* The memory is overwritten.
+* or via helper packages such as debian-installer-launcher.
 * All running processes - e.g., firewall, hardened SSH access, etc. pp. - cease to exist.
-The Debian Installer loads:
+In all of these cases the running live system is discarded. The memory contents of the hardened live environment vanish, the 
-* its own kernel,
+firewall disappears, the hardened SSH daemon is terminated, and the hardened kernel is replaced by the installer kernel. The 
-* its own initramfs,
+installer brings its own minimal root file system, usually BusyBox plus a limited set of udeb packages, and it does not 
-* its own minimal root filesystem (BusyBox + udeb packages),
+implement my firewall, my AppArmor profiles, my logging configuration, or my remote access policies, unless I explicitly 
-* no SSH access (unless explicitly enabled via preseed)
+reintroduce those elements via preseed.
 * no firewall, AppArmor, logging, etc. pp.,
 * it disables all running network services, even if you were previously in the live system.
-This means function status of the **CISS.2025.debian.live.builder** ISO after d-i start:
+In that phase the security properties are therefore those of d-i, not those of CISS.debian.live.builder. This is not a defect in
-* ufw, iptables, nftables ✘ disabled, not loaded,
+Debian, it is a property of how any installer that boots its own kernel behaves. It is important to keep this distinction in 
-* sshd with hardening ✘ stopped (processes gone),
+mind when deciding whether a workflow must stay inside the hardened live context or may trade that environment for the standard 
-* the running kernel ✘ replaced,
+installer toolchain.
 * Logging (rsyslog, journald) ✘ not active,
 * preseed control over the network is possible (but without any protection).
 ## 1.6. Versioning Schema
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V8.13.008.2025.08.22`
+Example: `V8.13.768.2025.12.06`
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
@@ -167,74 +191,76 @@ and only when, they appear in all capitals, as shown here.
 # 2. Features & Rationale
-Below is a breakdown of each hardening component, with a summary of why each is critical to your security posture.
+Below I walk through the major hardening components, with a focus on why I implemented them the way I did and how they interact.
 I treat this builder as a reference implementation for my own infrastructure; **it is not a toy**.
 ## 2.1. Kernel Hardening
-### 2.1.1. Boot Parameters
+### 2.1.1. Unified Hardened Boot Parameters
-* **Description**: Customizes kernel command-line flags to disable unused features and enable mitigations.
+Both the ``CISS.debian.live.builder`` LIVE ISO and the ``CISS.debian.installer`` rely on the same kernel command line. I consider
-* **Key Parameters**:
+a diverging kernel baseline between installer and live system operationally dangerous, because it leads to two distinct sets of 
-  * `audit_backlog_limit=8192`: Ensures the audit subsystem can queue up to 8192 events to avoid dropped logs under heavy loads.
+expectations about mitigations and attack surface. The boot parameters I apply are:
-  * `audit=1`: Enables kernel auditing from boot to record system calls and security events.
+
-  * `cfi=kcfi`: Activates kernel control-flow integrity using kCFI to protect against control-flow hijacking.
+````bash
-  * `debugfs=off`: Disables debugfs to prevent non-privileged access to kernel internals.
+apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off \
-  * `efi=disable_early_pci_dma`: Stops early PCI DMA under EFI to mitigate DMA-based attacks during boot.
+efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 \
-  * `efi_no_storage_paranoia`: Disables extra EFI storage checks to streamline boot without compromising expected storage integrity.
+init_on_alloc=1 init_on_free=1 \
-  * `hardened_usercopy=1`: Enables stringent checks on copy operations between user and kernel space to prevent buffer overflows.
+iommu.passthrough=0 iommu.strict=1 iommu=force \
-  * `ia32_emulation=0`: Turns off 32-bit compatibility modes to reduce attack surface on 64-bit hosts.
+kfence.sample_interval=100 kvm.nx_huge_pages=force \
-  * `init_on_alloc=1`: Zeroes memory on allocation to prevent leakage of previous data.
+l1d_flush=on lockdown=integrity loglevel=0 \
-  * `init_on_free=1`: Initializes memory on free to catch use-after-free bugs.
+mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force \
-  * `iommu=force`: Enforces IOMMU for all devices to isolate DMA-capable hardware.
+oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on \
-  * `kfence.sample_interval=100`: Configures the kernel fence memory safety tool to sample every 100 allocations.
+random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on \
-  * `kvm.nx_huge_pages=force`: Enforces non-executable huge pages in KVM to mitigate code injection.
+retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none
-  * `l1d_flush=on`: Flushes L1 data cache on context switch to mitigate L1D vulnerabilities.
+````
-  * `lockdown=confidentiality`: Puts the kernel in confidentiality lockdown to restrict direct hardware access.
+
-  * `loglevel=0`: Suppresses non-critical kernel messages to reduce information leakage.
+The parameters fall into several categories.
-  * `mce=0`: Disables machine check exceptions to prevent side-channel data leaks from hardware error reporting.
+
-  * `mitigations=auto,nosmt`: Enables all automatic CPU mitigations and disables SMT to reduce side-channel risks.
+* The AppArmor-related flags ``apparmor=1``, ``security=apparmor`` guarantee that AppArmor is not an afterthought but an integral part of the security architecture from the first instruction. I do not accept a boot sequence that comes up without LSM enforcement and then attempts to enable it later.
-  * `mmio_stale_data=full,nosmt`: Ensures stale MMIO data is fully flushed and disables SMT for added protection.
+* The audit subsystem is configured to be always on ``audit=1`` and to tolerate heavy bursts without dropping events ``audit_backlog_limit=262144``. I treat the audit trail as an evidentiary artifact; truncation because of backlog limits is not acceptable in that model.
-  * `oops=panic`: Forces a kernel oops to trigger a panic, preventing the system from running in an inconsistent state.
+* The debug surface of the kernel is reduced aggressively. ``debugfs=off`` avoids a traditional footgun that exposes kernel internals in a way that is friendly to attackers and rarely necessary in production.
-  * `page_alloc.shuffle=1`: Randomizes physical page allocation to hinder memory layout prediction attacks.
+* Memory is hardened on several levels at allocation time and at free time. ``init_on_alloc=1`` and ``init_on_free=1`` provide deterministic zeroing, ``page_poison=1`` fills freed pages with a poison pattern, and ``page_alloc.shuffle=1`` shuffles the allocator so that a process can no longer rely on stable physical patterns. Together these measures raise the cost of use-after-free exploitation and other memory corruption attacks.
-  * `page_poison=1`: Fills freed pages with a poison pattern to detect use-after-free.
+* The IOMMU is not optional. I force it on ``iommu=force``, disable passthrough ``iommu.passthrough=0`` and require strict behavior ``iommu.strict=``1. Any environment that contains devices capable of DMA must have a correctly configured IOMMU, otherwise the trust model for the CPU and for the memory hierarchy collapses as soon as a hostile device is introduced.
-  * `panic=-1`: Disables automatic reboot on panic to preserve the system state for forensic analysis.
+* ``kfence.sample_interval=100`` activates KFENCE with a sampling interval that is still usable in production but sensitive enough to catch a meaningful subset of memory safety bugs under real workloads.
-  * `pti=on`: Enables page table isolation to mitigate Meltdown attacks.
+* Virtualization-specific knobs include ``kvm.nx_huge_pages=force``, to keep huge pages non-executable, and ``l1d_flush=on`` so that context switches flush the L1 data cache where needed.
-  * `random.trust_bootloader=off`: Prevents trusting entropy provided by the bootloader.
+* ``lockdown=integrity`` places the kernel into lockdown mode with an emphasis on integrity. In this project I consider the integrity of the system more critical than the ability to introspect a running kernel from userspace.
-  * `random.trust_cpu=off`: Disables trusting CPU-provided randomness, enforcing external entropy sources.
+* Speculative execution and microarchitectural issues are covered by ``mitigations=auto,nosmt``,`` mmio_stale_data=full,force``, and ``retbleed=auto,nosmt``. I combine the automatic mitigation set provided by the kernel with a forced Single Thread mode where it is required because simultaneous multithreading is simply not worth the residual risk profile in many server contexts.
-  * `randomize_kstack_offset=on`: Randomizes the kernel stack offset on each syscall entry to harden against stack probing.
+* ``nosmt=force`` acts as a guardrail here. It prevents a misconfiguration from quietly re-enabling SMT while the system operator assumes it is disabled.
-  * `randomize_va_space=2`: Enables full address space layout randomization (ASLR) for user space.
+* Fault handling is configured through ``oops=panic`` and ``panic=0``. An oops triggers a panic so that I do not continue to run a kernel in an undefined state. At the same time I instruct the system not to reboot automatically on panic, to preserve the state for post-mortem analysis rather than cutting the ground away under a debugging session.
-  * `retbleed=auto,nosmt`: Enables automatic RETBLEED mitigations and disables SMT for better side-channel resistance.
+* ``pti=on``, ``rodata=on``, and ``slab_nomerge`` are classical hardening parameters that I still consider essential. Page-table isolation, read-only data segments, and prohibiting slab merging collectively prevent a wide range of exploits, especially under pressure from speculative execution attacks.
-  * `rodata=on`: Marks kernel read-only data sections to prevent runtime modification.
+* To avoid brittle side assumptions, I remove legacy or obsolete interfaces: ``vdso32=0`` and ``vsyscall=none`` shut down the remaining vestiges of 32-bit vDSO and vsyscall support on 64-bit systems. ``ia32_emulation=0`` it again narrows the attack surface by disabling full 32-bit compatibility on 64-bit kernels.
-  * `tsx=off`: Disables Intel TSX extensions to eliminate related speculative execution vulnerabilities.
+* Finally, I do not trust entropy claims either from the bootloader or the CPU itself. I opt out of both with ``random.trust_bootloader=off`` and ``random.trust_cpu=off`` and rely on my own entropy strategy described later.
-  * `vdso32=0`: Disables 32-bit vDSO to prevent unintended cross-mode calls.
+
-  * `vsyscall=none`: Disables legacy vsyscall support to close a potential attack vector.
+All of these parameters are applied in exactly the same way for the live ISO and for the installer environment. That is a 
-* **Rationale**: Ensures early activation of protections, reducing exposure to CPU vulnerabilities before the system fully boots.
+deliberate design decision.
 ### 2.1.2. CPU Vulnerability Mitigations
-* **Description**: Enables all known kernel-level mitigations (Spectre, Meltdown, MDS, L1TF, etc.).
+I build the kernels with the relevant mitigations for Spectre, Meltdown, L1TF, MDS, TAA, Retbleed, and related families activated. 
-* **Rationale**: Prevents side-channel attacks that exploit speculative execution, which remain a high-risk vector in
+The ``mitigations=auto,nosmt`` flag ensures that new mitigations integrated into the mainline kernel become effective as they 
-  multi-tenant cloud environments.
+are added, instead of requiring that I micromanage every single toggle. The residual performance cost is acceptable in the 
 context I am targeting; stale mitigations can be revisited, but missing mitigations will not be.
 ### 2.1.3. Kernel Self-Protection
-* **Description**: Activates `CONFIG_DEBUG_RODATA`, `CONFIG_STRICT_MODULE_RWX`, and other self-protections.
+I enable the standard set of self-protection options, such as strict module page permissions, read-only data enforcement, and 
-* **Rationale**: Hardens kernel memory regions against unauthorized writings and enforces stricter module loading policies.
+restrictions around kprobes and BPF. The builder is not a kernel configuration tool, but it carries the expectation that the 
 kernels it runs with are compiled according to this hardening profile. I treat deviations from that profile as unsupported.
 ### 2.1.4. Local Kernel Hardening
-* **Description**: The wrapper `sysp()`provides a function to apply and audit local kernel hardening rules from `/etc/sysctl.d/99_local.hardened`:
+The wrapper `sysp()`provides a function to apply and audit local kernel hardening rules from `/etc/sysctl.d/90-ciss-local.hardened`:
 ````bash
-###########################################################################################
+#######################################
-# Globals: Wrapper for loading CISS.2025 hardened Kernel Parameters
+# Wrapper for loading CISS hardened Kernel Parameters.
 # Arguments:
-#  none
+#   None
-###########################################################################################
+#######################################
 # shellcheck disable=SC2317
 sysp() {
-  sysctl -p /etc/sysctl.d/99_local.hardened
+  sysctl -p /etc/sysctl.d/90-ciss-local.hardened
-  # sleep 1
+  # shellcheck disable=SC2312
-  sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
+  sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
 }
 ````
 * **Key measures loaded by this file include:**
@@ -250,16 +276,36 @@ Once applied, some hardening settings cannot be undone via `sysctl` without a re
 until the next boot. Automatic enforcement at startup is therefore omitted by design—run `sysp()` manually and plan a reboot to 
 apply or revert these controls.
 In case you provide the ``--cdi`` option to the installer, the ``sysp()`` function is automatically applied at the boot process via:
 [9999_cdi_starter.sh](scripts/usr/local/sbin/9999_cdi_starter.sh).
 For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-ciss-local.hardened.md)**
 ## 2.2. Module Blacklisting
 * **Description**: Disables and blacklists non-essential or insecure kernel modules.
 * **Rationale**: Minimizes attack surface by preventing loads of drivers or modules not required by the live environment.
 For further details see: **[30-ciss-hardening.conf.md](docs/documentation/30-ciss-hardening.conf.md)**
 ## 2.3. Network Hardening
-* **Description**: Applies `sysctl` settings (e.g., `net.ipv4.conf.all.rp_filter=1`, `arp_ignore`, `arp_announce`) to restrict
+At the kernel level classical ``sysctl`` settings are applied that defend against spoofing and sloppy network behavior. Reverse path 
-  inbound/outbound traffic behaviors.
+filtering is enabled, ARP handling is pinned down, and loose binding of addresses is discouraged. Where appropriate, IPv6 
-* **Rationale**: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man-in-the-middle on internal networks.
+receives the same level of attention as IPv4. The network stack is switched firmly to ``systemd-networkd`` and ``systemd-resolved``. 
 The hook [0000_basic_chroot_setup.chroot](config/hooks/live/0000_basic_chroot_setup.chroot) removes ``ifupdown``, wires up 
 ``systemd-networkd`` and ``systemd-resolved`` via explicit WantedBy symlinks, and ensures that the stub resolver at ``127.0.0.53``
 is the canonical ``resolv.conf`` target. The same hook writes dedicated configuration snippets:
 ``/etc/systemd/resolved.conf.d/10-ciss-dnssec.conf`` enforces opportunistic ``DNS-over-TLS`` and full ``DNSSEC`` validation 
 while disabling ``LLMNR`` and ``MulticastDNS``.
 This converges the system on a single, hardened DNS resolution path and avoids the common situation where multiple name 
 resolution mechanisms step on each other. Where desired, this resolution chain can be plugged into **CenturionDNS**, a resolver
 infrastructure that I control and that enforces DNSSEC validation, QNAME minimisation, and a curated blocklist. For sensitive 
 deployments, this stack is used as the default.
 For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-ciss-local.hardened.md)**
 ## 2.4. Core Dump & Kernel Hardening
@@ -290,7 +336,7 @@ apply or revert these controls.
 * **Description**: The SSH tunnel and access are secured through multiple layers of defense:
  * **Firewall Restriction**: ufw allows connections only from defined jump host or VPN exit node IPs.
  * **TCP Wrappers**: `/etc/hosts.allow` and `/etc/hosts.deny` enforce an `ALL: ALL` deny policy, permitting only specified hosts.
-  * **One-Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/centurion-default.conf` immediately bans any host 
+  * **One-Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/ciss-default.conf` immediately bans any host 
    that touches closed ports. 
    * Additionally, the `fail2ban` service is hardened as well according to:
    [Arch Linux Wiki Fail2ban Hardening](https://wiki.archlinux.org/title/fail2ban#Service_hardening) 
@@ -423,9 +469,12 @@ predictable script behavior.
 # 4. Prerequisites
-* **Host**: Debian Trixie with `live-build` and ``debootstrap`` packages installed.
+To use **``CISS.debian.live.builder``** as intended, the following baseline is expected:<br>
-* **Privileges**: Root or sudo access to execute `ciss_live_builder.sh` and related scripts.
+
-* **Network**: Outbound access to Debian repositories and PTB NTPsec pool.
+* The build host runs Debian 13 Trixie, fully updated. Building a Trixie image on an older or newer release is technically possible but explicitly not supported.
 * The host has the standard live-build stack installed ``live-build``, ``live-boot``, ``live-config``, ``debootstrap`` and the cryptographic tooling required for ``LUKS2``, ``dm-integrity``, ``cryptsetup``, ``gpg``.
 * Disk space must be sufficient to hold the chroot, the temporary build artifacts, and the final ISO with encrypted root. For comfortable work I assume around 30–40 gigabytes of free space.
 * The user running the builder has root privileges and understands that the script is capable of creating, mounting, and manipulating block devices.
 # 5. Installation & Usage
@@ -439,9 +488,9 @@ predictable script behavior.
 2. Preparation:
   1. Ensure you are root.
-   2. Create the build directory `mkdir /opt/livebuild`.
+   2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`.
-   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
+   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
-   4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
+   4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
   5. Make any other changes you need to.
 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
@@ -449,20 +498,29 @@ predictable script behavior.
   ````bash
   chmod 0700 ./ciss_live_builder.sh
   timestamp=$(date -u +%Y-%m-%dT%H:%M:%S%z)
-   ./ciss_live_builder.sh --architecture amd64 \
+   ./ciss_live_builder.sh \
-                          --build-directory /opt/livebuild \
+     --architecture amd64 \
-                          --change-splash hexagon \
+     --autobuild=6.16.3+deb13-amd64 \
-                          --control "${timestamp}" \
+     --build-directory /opt/cdlb \
-                          --debug \
+     --cdi \
-                          --dhcp-centurion \
+     --change-splash hexagon \
-                          --jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \
+     --control "${timestamp}" \
-                          --provider-netcup-ipv6 [c0de:4711:0815:4242::ffff] \
+     --debug \
-                          --renice-priority "-19" \
+     --dhcp-centurion \
-                          --reionice-priority 1 2 \
+     --jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \
-                          --root-password-file /opt/gitea/CISS.debian.live.builder/password.txt \
+     --key_age=keys.txt \
-                          --ssh-port 4242 \
+     --key_luks=luks.txt \
-                          --ssh-pubkey /opt/gitea/CISS.debian.live.builder \
+     --provider-netcup-ipv6 [c0de:4711:0815:4242::ffff] \
-                          --trixie
+     --reionice-priority 1 2 \
     --renice-priority "-19" \
     --root-password-file /dev/shm/cdlb_secrets/password.txt \
     --signing_key_fpr=98089A472CCF4601CD51D7C7095D36535296EA14B8DE92198723C4DC606E8F76 \
     --signing_key_pass=signing_key_pass.txt \
     --signing_key=signing_key.asc \
     --ssh-port 4242 \
     --ssh-pubkey /dev/shm/cdlb_secrets \
     --sshfp \
     --trixie
   ````
 4. Locate your ISO in the `--build-directory`.
@@ -486,9 +544,9 @@ preview it or run it.
 2. Preparation:
   1. Ensure you are root.
-   2. Create the build directory `mkdir /opt/livebuild`.
+   2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`.
-   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
+   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
-   4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
+   4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
   5. Copy and edit the sample and set your options (no spaces around commas in lists): 
    ````bash
@@ -496,10 +554,10 @@ preview it or run it.
    ````
    ````bash
-    BUILD_DIR=/opt/livebuild
+    BUILD_DIR=/opt/cdlb
-    ROOT_PASSWORD_FILE=/opt/gitea/CISS.debian.live.builder/password.txt
+    ROOT_PASSWORD_FILE=/dev/shm/cdlb_secrets/password.txt
    SSH_PORT=4242
-    SSH_PUBKEY=/root/.ssh
+    SSH_PUBKEY=/dev/shm/cdlb_secrets
    # Optional
    PROVIDER_NETCUP_IPV6=2001:cdb::1
@@ -532,7 +590,7 @@ preview it or run it.
            ### Private Key
            echo "${{ secrets.CHANGE_ME }}" >| ~/.ssh/id_ed25519
-            chmod 600 ~/.ssh/id_ed25519
+            chmod 0600 ~/.ssh/id_ed25519
  #...
        ### https://github.com/actions/checkout/issues/1843
        - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
@@ -579,13 +637,22 @@ preview it or run it.
 # 6. Licensing & Compliance
-This repository is fully SPDX-compliant. All source files include appropriate SPDX license identifiers and headers to ensure
+Unless stated otherwise in individual files via SPDX headers, this project is licensed under the European Union Public License (EUPL 1.2).
-clear and unambiguous licensing. You can verify compliance by reviewing the top of each file, which follows the SPDX
+That license is OSI-approved and compatible with internal use in both public sector and private environments. Several files carry
-standard for license expressions and metadata.
+dual or multi-license statements, for example **``LicenseRef-CNCL-1.1``** and / or **``LicenseRef-CCLA-1.1``**, where I offer a 
 non-commercial license for community use and a commercial license for professional integration. The SPDX headers in each file 
 are authoritative. If you plan to integrate **``CISS.debian.live.builder``** into a commercial product or a managed service 
 offering, you should treat these license markers as binding and reach out for a proper agreement where required.
 # 7. Disclaimer
-This README is provided "as-is" without any warranty. Review your organization's policies before deploying to production.
+This repository is designed for well-experienced administrators and security professionals who are comfortable with low-level 
 Linux tooling, cryptography, and automation. It can and will create, format, and encrypt devices. It is entirely possible to 
 destroy data if you use it carelessly. I publish this work in good faith and with a strong focus on correctness and robustness. 
 Nevertheless, there is no warranty of any kind. You are responsible for understanding what you are doing, for validating your 
 own threat model, and for ensuring that this tool fits your regulatory and operational environment. If you treat the builder, and 
 the resulting images with the same discipline with which they were created, you will obtain a hardened, reproducible, and 
 auditable base for serious systems. If you treat them casually, they will not save you from yourself.
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
--- a/REPOSITORY.md
+++ b/REPOSITORY.md
@@ -0,0 +1,119 @@
 ---
 gitea: none
 include_toc: true
 ---
 # 1. CISS.debian.live.builder
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
 **Build**: V8.13.768.2025.12.06<br>
 # 2. Repository Structure
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
 **Repository State:** Master Version **8.13**, Build **V8.13.768.2025.12.06** (as of 2025-10-11)
 ## 3.1. Top-Level Layout
 ````text
 CISS.debian.live.builder/
 ├─ .archive/                                                                           # Archived artefacts or historical assets
 ├─ .gitea/ # Gitea CI/CD metadata (workflows, triggers, templates)
 │ ├─ ISSUE_TEMPLATE/
 │ ├─ properties/{json, lua}
 │ ├─ TO DO/{dockerfile, render-md-to-html.yaml}
 │ ├─ trigger/{t_generate_.yaml}
 │ └─ workflows/{generate_.yaml, linter_char_scripts.yaml, render-.yaml}
 ├─ .pubkey/                                                                         # Public keys (e.g., for CI or verification)
 ├─ config/ # Live-build configuration (boot, hooks, includes, package lists)
 │ ├─ bootloaders/{grub-efi, grub-pc, splash.png}
 │ ├─ hooks/live/.chroot                                                                  # Ordered chroot hooks (0000_* … 99xx_)
 │ ├─ includes.binary/boot/grub/config.cfg
 │ ├─ includes.chroot/{etc, preseed, root}
 │ └─ package-lists/{live.list.amd64.chroot, live.list.arm64.chroot, live.list.common.chroot}
 ├─ docs/                                                                  # Project documentation (audits, change log, policies)
 │ ├─ AUDIT_.md, BOOTPARAMS.md, CHANGELOG.md, CODING_CONVENTION.md, ...
 │ ├─ SECURITY/, LICENSES/, graphviz/, screenshots/
 ├─ lib/                                                                              # Shell library modules used by the builder
 ├─ scripts/ # Helper/orchestration scripts (e.g., network, live-boot)
 ├─ var/                                                                     # Variable sets and early/global defaults (*.var.sh)
 ├─ .editorconfig
 ├─ .gitignore
 ├─ .shellcheckrc
 ├─ .version.properties
 ├─ CISS.debian.live.builder.spdx                                                     # SPDX bill of materials / license manifest
 ├─ LICENSE
 ├─ SECURITY.md
 ├─ README.md
 ├─ config.mk.sample
 ├─ ciss_live_builder.sh                                                                              # Main entrypoint / wrapper
 ├─ makefile
 ├─ meta_sources_debug.sh
 ├─ LIVE_ISO_TRIXIE_0.private                                                                               # CI artefact markers
 ├─ LIVE_ISO_TRIXIE_1.private                                                                               # CI artefact markers
 └─ LIVE_ISO.public                                                                                         # CI artefact markers
 ````
 > **Note:** The ISO marker files (`LIVE_ISO.*`) are produced by CI workflows for convenient retrieval of generated images.
 ## 3.2. Directory Semantics
 ### 3.2.1. `.gitea/` — CI/CD Orchestration
 - **`workflows/`**: Declarative Gitea Actions to lint shell scripts, render Graphviz/DNSSEC status, and generate **PUBLIC**/**PRIVATE (TRIXIE)** ISOs reproducibly.
 - **`trigger/`**: Manual/auxiliary trigger manifests (`t_generate_PUBLIC.yaml`, `t_generate_PRIVATE_trixie_{0,1}.yaml`, `t_generate_dns.yaml`) to drive pipeline variants.
 - **`ISSUE_TEMPLATE/`**: Issue and pull request templates to standardize change management.
 - **`properties/`** and **`TODO/`**: Auxiliary config fragments (JSON/Lua) and maintenance utilities (e.g., `render-md-to-html.yaml`).
 ### 3.2.2. `config/` — Live-Build Configuration
 - **`bootloaders/`**: Boot assets for GRUB in EFI and PC modes, incl. a branded splash image.
 - **`hooks/live/`**: **Ordered** `*.chroot` hooks implementing system configuration and hardening during image creation; the numeric prefixes dictate execution (e.g., `0000_basic_chroot_setup.chroot`, `0810_chrony_setup.chroot`, `0900_ufw_setup.chroot`, `9930_hardening_ssh.chroot`, `9950_hardening_fail2ban.chroot`).
 - **`includes.binary/boot/grub/`**: Static GRUB configuration embedded in the binary image (`config.cfg`).
 - **`includes.chroot/`**: Files copied into the live system’s root:
  - `etc/` (APT configuration, `live/`, `modprobe.d/`, network, SSH, `sysctl.d/`, systemd drop-ins, banners),
  - `preseed/` (installer preseeding and supporting artifacts),
  - `root/` (administrator dotfiles and keys).
 - **`package-lists/`**: Architecture-specific and common package manifests (`amd64`, `arm64`, `common`) used by `live-build`.
 ### 3.2.3. `docs/` — Documentation Corpus
 Audit reports (DNSSEC, Lynis, SSH, TLS, Haveged), **BOOTPARAMS**, **CHANGELOG**, **CODING_CONVENTION**, **CONTRIBUTING**, **REFERENCES**; plus `SECURITY/`, `LICENSES/`, architecture diagrams under `graphviz/`, and illustrative `screenshots/`.
 ### 3.2.4. `lib/` — Shell Library Modules
 Composable, single-purpose modules used by the wrapper and CI steps (argument parsing and validation, kernel/CPU mitigation checks, provider support, `lb config/build` scaffolding, usage/version banners, sanitization and traps, SSH/root-password hardening, ultra-hardening profile, etc.).
 ### 3.2.5. `scripts/` — Operational Helpers
 Ancillary scripts for DHCP supersedes, resolver bootstrapping, and live-boot verification; targeted paths such as `scripts/etc/network/` and `scripts/live-boot/` encapsulate deploy-time adjustments and integrity checks.
 ### 3.2.6. `var/` — Variables & Defaults
 Layered variable sets (`early.var.sh`, `global.var.sh`, `bash.var.sh`, `color.var.sh`) providing early-boot defaults, global tuning, and TTY/UI niceties.
 ## 3.3. Key Files
 - **`ciss_live_builder.sh`** — Primary entrypoint; orchestrates argument parsing, environment preparation, `lb config`/`lb build` execution and post-processing.
 - **`makefile`** & **`config.mk.sample`** — Make-based convenience wrapper and a sample configuration surface.
 - **`README.md`, `SECURITY.md`, `LICENSE`, `CISS.debian.live.builder.spdx`** — Project overview, security policy, licensing, and SPDX manifest for compliance.
 - **ISO markers**: `LIVE_ISO.public`, `LIVE_ISO_TRIXIE_{0,1}.private` reflect CI pipeline outputs.
 ## 3.4. Conventions & Build Logic
 - **Hook Ordering**: Numeric prefixes (`0000_…` → `99xx_…`) strictly determine execution sequencing within `config/hooks/live/`. Early hooks establish base state (initramfs modules, checksums), mid-range hooks integrate security services (AppArmor, Chrony/NTPsec, Lynis, UFW, Fail2Ban, SSH auditing), late hooks enforce hardening and cleanup (SSH tightening, memory-dump policies, service disablement).
 - **Binary vs. Chroot Includes**: Assets under `includes.binary/` affect the ISO’s bootloader stage; `includes.chroot/` become part of the runtime filesystem.
 - **Architecture Scoping**: Package lists are split into `*amd64*`, `*arm64*`, and `*common*` to keep images minimal and deterministic.
 - **CI/CD**: Reproducible ISO builds are executed via Gitea workflows; dedicated `trigger/` manifests parameterize public vs. private images and auxiliary rendering jobs (e.g., DNSSEC status, Graphviz diagrams).
 ## 3.5. Cross-References (Documentation)
 - **Boot Parameters**: see `docs/BOOTPARAMS.md`.
 - **Audits**: `docs/AUDIT_*.md` (DNSSEC, Lynis, SSH, TLS, Haveged).
 - **Coding & Contribution**: `docs/CODING_CONVENTION.md`, `docs/CONTRIBUTING.md`.
 - **Change Log & References**: `docs/CHANGELOG.md`, `docs/REFERENCES.md`.
 ## 3.6. Licensing & Compliance
 The repository is **SPDX-compliant**; source files carry SPDX identifiers. See `CISS.debian.live.builder.spdx` and `LICENSE` for details.
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
 <!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -20,25 +20,30 @@
 # default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
 # or Cygwin on Windows systems.
 ### RESOURCES
 # https://github.com/koalaman/shellcheck
 # https://github.com/mvdan/sh
 # https://google.github.io/styleguide/shellguide.html
 # https://mywiki.wooledge.org/BashGuide
 # https://styles.goatbytes.io/lang/shell/
 # https://www.bashsupport.com/de/
 # https://www.gnu.org/software/bash/manual/
 ### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES.
-# shellcheck disable=SC2155
+# shellcheck disable=SC2155,SC2249
 declare -agx  ARY_PARAM_ARRAY=("$@")                                     # Arguments passed to script as an array.
 declare -girx VAR_START_TIME="${SECONDS}"                                # Start time of script execution.
 declare -grx  VAR_PARAM_COUNT="$#"                                       # Arguments passed to script.
 declare -grx  VAR_PARAM_STRNG="$*"                                       # Arguments passed to script as string.
 declare -ag   ARY_PARAM_ARRAY=("$@")                                     # Arguments passed to script as an array.
 declare -grx  VAR_SETUP_FILE="${0##*/}"                                  # 'ciss_debian_live_builder.sh'
-declare -grx  VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)"          # '/opt/git/CISS.debian.live.builder'
+declare -grx  VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/root/git/CISS.debian.live.builder/ciss_debian_live_builder.sh'
-declare -grx  VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/opt/git/CISS.debian.live.builder/ciss_debian_live_builder.sh'
+declare -grx  VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)"          # '/root/git/CISS.debian.live.builder'
-# shellcheck disable=SC2155
+declare -grx  VAR_TMP_SECRET="/dev/shm/cdlb_secrets"                     # Fixed tmpfs path to store securely build artifacts.
-declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
+declare -grx  VAR_WORKDIR="$(dirname "${VAR_SETUP_FULL}")"               # '/root/git/CISS.debian.live.builder'
 # shellcheck disable=SC2155
 declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
 # shellcheck disable=SC2155
 declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 ### PRELIMINARY CHECKS.
 ### No ash, dash, ksh, sh.
-# shellcheck disable=2292
+# shellcheck disable=SC2292
 [ -z "${BASH_VERSINFO[0]}" ] && {
  . ./var/global.var.sh
  printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2
@@ -60,7 +65,7 @@ declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 }
 ### Check to be not called by sh.
-# shellcheck disable=2312
+# shellcheck disable=SC2312
 [[ $(kill -l | grep -c SIG) -eq 0 ]] && {
  . ./var/global.var.sh
  printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2
@@ -95,30 +100,40 @@ declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
  exit 1
 }
-### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT()
+### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING().
 . ./var/early.var.sh
 . ./lib/lib_guard_sourcing.sh
 . ./lib/lib_source_guard.sh
 source_guard "./lib/lib_git_var.sh"
-### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG
+### SECURING ENVIRONMENT.
 for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh  ; usage  ; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh; version; exit 0;; esac; done
 ### ALL CHECKS DONE. READY TO START THE SCRIPT
 source_guard "./var/bash.var.sh"
 check_git
 for arg in "$@"; do case "${arg,,}" in -d|--debug) . ./meta_sources_debug.sh; debugger "${@}";; esac; done
 declare -gx VAR_SETUP="true"
-### SOURCING VARIABLES
+### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG.
 for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh   ; contact; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh     ; usage  ; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh   ; version; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done
 ### ALL CHECKS DONE. READY TO START THE SCRIPT.
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
 declare -grx VAR_SETUP="true"
 ### SECURING SECRETS ARTIFACTS.
 test ! -L "${VAR_TMP_SECRET}" || {
  . ./var/global.var.sh
  printf "\e[91m❌ Refusing symlink: '%s'! Bye... \e[0m\n" "${VAR_TMP_SECRET}" >&2
  exit "${ERR_SECRETSSYM}"
 }
 find "${VAR_TMP_SECRET}" -type f -exec chmod 0400 {} +
 find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
 ### SOURCING VARIABLES.
 [[ "${VAR_SETUP}" == true ]] && {
  source_guard "./var/color.var.sh"
  source_guard "./var/global.var.sh"
 }
-### SOURCING LIBRARIES
+### SOURCING LIBRARIES.
 [[ "${VAR_SETUP}" == true ]] && {
  source_guard "./lib/lib_arg_parser.sh"
  source_guard "./lib/lib_arg_priority_check.sh"
@@ -130,28 +145,38 @@ declare -gx VAR_SETUP="true"
  source_guard "./lib/lib_check_kernel.sh"
  source_guard "./lib/lib_check_pkgs.sh"
  source_guard "./lib/lib_check_provider.sh"
  source_guard "./lib/lib_check_secrets.sh"
  source_guard "./lib/lib_check_stats.sh"
  source_guard "./lib/lib_check_var.sh"
  source_guard "./lib/lib_ciss_signatures.sh"
  source_guard "./lib/lib_ciss_upgrades_boot.sh"
  source_guard "./lib/lib_ciss_upgrades_build.sh"
  source_guard "./lib/lib_clean_screen.sh"
  source_guard "./lib/lib_clean_up.sh"
  source_guard "./lib/lib_copy_integrity.sh"
  source_guard "./lib/lib_gnupg.sh"
  source_guard "./lib/lib_hardening_root_pw.sh"
-  source_guard "./lib/lib_hardening_ssh.sh"
+  source_guard "./lib/lib_hardening_ssh_tcp.sh"
  source_guard "./lib/lib_hardening_ultra.sh"
  source_guard "./lib/lib_helper_ip.sh"
  source_guard "./lib/lib_lb_build_start.sh"
  source_guard "./lib/lib_lb_config_start.sh"
  source_guard "./lib/lib_lb_config_write.sh"
  source_guard "./lib/lib_lb_config_write_trixie.sh"
  source_guard "./lib/lib_note_target.sh"
  source_guard "./lib/lib_primordial.sh"
  source_guard "./lib/lib_provider_netcup.sh"
  source_guard "./lib/lib_run_analysis.sh"
  source_guard "./lib/lib_sanitizer.sh"
  source_guard "./lib/lib_trap_on_err.sh"
  source_guard "./lib/lib_trap_on_exit.sh"
  source_guard "./lib/lib_update_microcode.sh"
  source_guard "./lib/lib_usage.sh"
 }
-### ADVISORY LOCK
+### CHECKING REQUIRED PACKAGES.
 check_pkgs
 ### ADVISORY LOCK.
 exec 127>/var/lock/ciss_live_builder.lock || {
  printf "\e[91m❌ Cannot open lockfile for writing! Bye... \e[0m\n" >&2
  exit "${ERR_FLOCK_WRTG}"
@@ -162,88 +187,90 @@ if ! flock -x -n 127; then
  exit "${ERR_FLOCK_COLL}"
 fi
-### CHECK FOR AUTOBUILD MODE
+### CHECK FOR AUTOBUILD MODE.
 for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -gx VAR_HANDLER_AUTOBUILD="true"; declare -gx VAR_KERNEL="${arg#*=}";; esac; done; unset arg
 for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *) PATH="${PATH}:${dir}" ;; esac; done; export PATH; unset dir
-### CHECKING REQUIRED PACKAGES
+### DIALOG OUTPUT FOR INITIALIZATION.
 check_pkgs
 ### DIALOG OUTPUT FOR INITIALIZATION
 if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen; fi
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
 ### Updating Status of Dialog Gauge Bar
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
 ### Following the CISS Bash naming and ordering scheme:
-trap 'trap_on_exit "$?"' EXIT
+trap 'trap_on_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT
-trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
+trap 'trap_on_err  "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
 arg_check "$@"
-declare -ar ARY_ARG_SANITIZED=("$@")
+declare -ar  ARY_ARG_SANITIZED=("$@")
-declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
+declare -grx VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
 arg_parser "$@"
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
 clean_ip
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
-### Turn off Dialog Wrapper
+### Turn off the dialog wrapper.
 if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
-### MAIN Program
+### MAIN Program ---------------------------------------------------------------------------------------------------------------
 arg_priority_check
 check_stats
 if ! ${VAR_HANDLER_AUTOBUILD}; then check_provider; fi
 if ! ${VAR_HANDLER_AUTOBUILD}; then check_kernel; fi
-check_hooks
+
-hardening_ssh
+ciss_upgrades_build
 hardening_ssh_tcp
 ### Preparing the build environment.
 lb_config_start
-if [[ "${VAR_SUITE}" == "bookworm" ]]; then
+### Writing the build configuration.
 lb_config_write_trixie
-  lb_config_write
+### Init GNUPGHOME.
-  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_trixie.chroot"
+init_gnupg
  rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/etc/login.defs"
-else
+### Integrate primordial SSH identity files.
-
+init_primordial
  lb_config_write_trixie
  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/0003_install_backports.chroot"
  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_bookworm.chroot"
 fi
 # shellcheck disable=SC2164
 cd "${VAR_WORKDIR}"
 ### Integrate the CISS.debian.live.builder repository into the build directory.
 ### Modifications from this point onwards must be placed under 'VAR_HANDLER_BUILD_DIR'.
 hardening_ultra
-hardening_root_pw
+
 ### CISS.debian.installer 'GRUB' and 'autostart' generator.
 cdi
 ### Final CISS.debian.live.builder integrations.
 change_splash
 check_dhcp
-cdi
+ciss_signatures
 ciss_upgrades_boot
 hardening_root_pw
 note_target
 provider_netcup
 update_microcode
 x_hooks
 x_remove
-### Start the build process
+### Start the build process ----------------------------------------------------------------------------------------------------
 set +o errtrace
 lb_build_start
 set -o errtrace
 run_analysis
 copy_db
-declare -g VAR_SCRIPT_SUCCESS=true
+declare -grx VAR_SCRIPT_SUCCESS="true"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config.mk.sample
+++ b/config.mk.sample
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/bootloaders/grub-efi/grub.cfg
+++ b/config/bootloaders/grub-efi/grub.cfg
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -43,4 +43,4 @@ submenu 'Utilities ...' --hotkey=u {
    }
  fi
  }
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/bootloaders/grub-pc/grub.cfg
+++ b/config/bootloaders/grub-pc/grub.cfg
@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -43,4 +43,4 @@ submenu 'Utilities ...' --hotkey=u {
    }
  fi
  }
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/.keep
+++ b/config/hooks/.keep
@@ -0,0 +1,10 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/0000_basic_chroot_setup.chroot
+++ b/config/hooks/live/0000_basic_chroot_setup.chroot
@@ -0,0 +1,290 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # shellcheck disable=SC2155
 declare -gx VAR_DATE="$(date +%F)"
 #######################################
 # Generates '/etc/default/ciss-xdg-profile'
 # Globals:
 #   None
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 generate_ciss_xdg_profile() {
  cat << EOF >> /etc/default/ciss-xdg-profile
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # Default toggles for ciss-xdg-profile
 # 1 = enable, 0 = disable
 ENABLE_XDG_BASH_HISTORY=1
 ENABLE_XDG_LESS_HISTORY=1
 ENABLE_XDG_ZSH_HISTORY=1
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
  chmod 0644 /etc/default/ciss-xdg-profile
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f generate_ciss_xdg_profile
 #######################################
 # Generates '/etc/profile.d/ciss-xdg.sh'
 # Globals:
 #   None
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 generate_ciss_xdg_sh() {
  cat << EOF >| /etc/profile.d/ciss-xdg.sh
 #!/bin/sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 EOF
  cat << 'EOF' >> /etc/profile.d/ciss-xdg.sh
 # shellcheck shell=sh
 # This file is sourced by login shells via '/etc/profile'. Keep POSIX sh compatible.
 ### XDG variables (do not override if already set).
 export XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
 export XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
 export XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
 export XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
 export XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
 export XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
 ### XDG_RUNTIME_DIR is provided by systemd-logind; do not set a persistent path.
 # shellcheck disable=SC2312
 if [ -z "${XDG_RUNTIME_DIR:-}" ] && [ -d "/run/user/$(id -u)" ]; then
  # shellcheck disable=SC2155
  export XDG_RUNTIME_DIR="/run/user/$(id -u)"
 fi
 ### Create canonical directories idempotently with 0700.
 _xdg_umask="$(umask)"
 umask 077
 [ -d "${XDG_CONFIG_HOME}"     ] || install -d -m 0700 -- "${XDG_CONFIG_HOME}"
 [ -d "${XDG_DATA_HOME}"       ] || install -d -m 0700 -- "${XDG_DATA_HOME}"
 [ -d "${XDG_CACHE_HOME}"      ] || install -d -m 0700 -- "${XDG_CACHE_HOME}"
 [ -d "${XDG_STATE_HOME}"      ] || install -d -m 0700 -- "${XDG_STATE_HOME}"
 umask "${_xdg_umask}"
 unset _xdg_umask
 ### Optional migrations (controlled via /'etc/default/ciss-xdg-profile').
 [ -f /etc/default/ciss-xdg-profile ] && . /etc/default/ciss-xdg-profile
 ### Bash history -> XDG_STATE_HOME (only if running bash).
 if [ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ] && [ -n "${BASH_VERSION:-}" ]; then
  [ -d "${XDG_STATE_HOME}/bash" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/bash"
  export HISTFILE="${XDG_STATE_HOME}/bash/history"
 fi
 ### Less history -> XDG_STATE_HOME
 if [ "${ENABLE_XDG_LESS_HISTORY:-1}" = "1" ]; then
  [ -d "${XDG_STATE_HOME}/less" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/less"
  export LESSHISTFILE="${XDG_STATE_HOME}/less/history"
 fi
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
  chmod 0755 /etc/profile.d/ciss-xdg.sh
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f generate_ciss_xdg_sh
 #######################################
 # Generates '/root/ciss_xdg_tmp.sh'
 # Globals:
 #   None
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 generate_ciss_xdg_tmp_sh() {
  cat << EOF >| /root/ciss_xdg_tmp.sh
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### XDG variables (do not override if already set).
 EOF
  cat << 'EOF' >> /root/ciss_xdg_tmp.sh
 set -a
 # shellcheck disable=SC2034
 XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
 # shellcheck disable=SC2034
 XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
 # shellcheck disable=SC2034
 XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
 # shellcheck disable=SC2034
 XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
 # shellcheck disable=SC2034
 XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
 # shellcheck disable=SC2034
 XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
 ### Optional migrations (controlled via /etc/default/ciss-xdg-profile).
 [[ -f /etc/default/ciss-xdg-profile ]] && . /etc/default/ciss-xdg-profile
 ### Bash history -> XDG_STATE_HOME (only if running bash).
 if [[ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ]] && [[ -n "${BASH_VERSION:-}" ]]; then
  HISTFILE="${XDG_STATE_HOME}/bash/history"
 fi
 set +a
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
  chmod 0700 /root/ciss_xdg_tmp.sh
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f generate_ciss_xdg_tmp_sh
 ### Ensuring XDG compliance: https://specifications.freedesktop.org/basedir/latest/ --------------------------------------------
 generate_ciss_xdg_profile
 generate_ciss_xdg_sh
 generate_ciss_xdg_tmp_sh
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get update -qq
 apt-get install -y --no-install-suggests libpam-systemd
 ### Installing microcode updates -----------------------------------------------------------------------------------------------
 if [[ -f /root/.architecture ]]; then
  apt-get install -y --no-install-suggests amd64-microcode intel-microcode
  rm -f /root/.architecture
 fi
 ### Prepare environment --------------------------------------------------------------------------------------------------------
 mkdir -p /root/.ciss/cdlb/{backup,log,private_keys}
 chmod 0700 /root/.ciss/cdlb/{backup,log,private_keys}
 mkdir -p /root/git
 chmod 0700 /root/git
 mkdir -p /etc/ciss/keys
 chmod 0755 /etc/ciss/keys
 ### Mask apt show version unit and timer ---------------------------------------------------------------------------------------
 ln -sf /dev/null /etc/systemd/system/apt-show-versions.timer
 ln -sf /dev/null /etc/systemd/system/apt-show-versions.service
 rm -f /etc/cron.daily/apt-show-versions || true
 ### Remove the original '/usr/lib/live/boot/0030-verify-checksums' -------------------------------------------------------------
 [[ -e /usr/lib/live/boot/0030-verify-checksums ]] && rm -f /usr/lib/live/boot/0030-verify-checksums
 ### Ensure proper 0755 rights for CISS initramfs scripts  ----------------------------------------------------------------------
 find /usr/lib/live/boot -type f -exec chmod 0755 {} +
 [[ -e /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh ]] \
  && chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
 [[ -e /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh ]] \
  && chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
 ### Ensure proper systemd directories exist ------------------------------------------------------------------------------------
 mkdir -p /etc/systemd/resolved.conf.d
 mkdir -p /etc/systemd/system
 mkdir -p /etc/systemd/system/multi-user.target.wants
 mkdir -p /etc/systemd/system/sockets.target.wants
 ### Enable clean systemd-networkd stack ----------------------------------------------------------------------------------------
 apt-get -y purge ifupdown || true
 ln -sf /lib/systemd/system/systemd-networkd.service /etc/systemd/system/multi-user.target.wants/systemd-networkd.service
 ln -sf /lib/systemd/system/systemd-resolved.service /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
 ln -sf /lib/systemd/system/systemd-resolved.socket  /etc/systemd/system/sockets.target.wants/systemd-resolved.socket
 cat << EOF >| /etc/systemd/system/ciss-fix-resolvconf.service
 [Unit]
 Description=Force systemd-resolved stub resolv.conf
 After=network-online.target
 Before=apt-daily.service
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/rm -f /etc/resolv.conf
 ExecStart=/usr/bin/ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
 [Install]
 WantedBy=multi-user.target
 EOF
 ln -sf /etc/systemd/system/ciss-fix-resolvconf.service /etc/systemd/system/multi-user.target.wants/ciss-fix-resolvconf.service
 cat << EOF >| /etc/systemd/resolved.conf.d/10-ciss-dnssec.conf
 [Resolve]
 DNSOverTLS=opportunistic
 DNSSEC=yes
 LLMNR=no
 MulticastDNS=no
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -1,23 +1,26 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 #######################################
-# Get all NIC Driver of the current Host-machine
+# Get all NIC drivers of the current Host machine.
 # Globals:
 #   None
 # Arguments:
-#  None
+#   None
 # Returns:
 #   0: on success
 #######################################
 grep_nic_driver_modules() {
  declare _mods
@@ -34,25 +37,36 @@ grep_nic_driver_modules() {
  declare nic_module
  declare nic_modules
  if [[ "${#_mods[@]}" -eq 1 ]]; then
    nic_module="${_mods[0]}"
    echo "${nic_module}"
  else
    nic_modules="${_mods[*]}"
    echo "${nic_modules}"
  fi
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f grep_nic_driver_modules
 # shellcheck disable=SC2155
-declare nic_driver="$(grep_nic_driver_modules)"
+declare nic_driver="$(grep_nic_driver_modules)" VAR_DATE="$(date +%F)"
 cat << EOF >| /etc/initramfs-tools/modules
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -69,7 +83,10 @@ cat << EOF >| /etc/initramfs-tools/modules
 # raid1
 # sd_mod
-### Main btrfs-Stack
+### AppArmor -------------------------------------------------------------------------------------------------------------------
 apparmor
 ### btrfs ----------------------------------------------------------------------------------------------------------------------
 btrfs
 lzo
 xor
@@ -77,12 +94,27 @@ xxhash
 zstd
 zstd_compress
-### Main ext4-Stack
+### cryptography ---------------------------------------------------------------------------------------------------------------
-ext4
+aes_generic
-jbd2
+blake2b_generic
 crc32c_generic
 cryptd
 libcrc32c
 sha256_generic
 sha512_generic
 xts
-### Main VFAT/ESP/FAT/UEFI-Stack
+### cryptsetup -----------------------------------------------------------------------------------------------------------------
 dm_crypt
 dm_integrity
 dm_mod
 dm_verity
 ### Entropy --------------------------------------------------------------------------------------------------------------------
 jitterentropy_rng
 rng_core
 ### ESP/FAT/UEFI ---------------------------------------------------------------------------------------------------------------
 exfat
 fat
 nls_ascii
@@ -92,73 +124,91 @@ nls_iso8859-15
 nls_utf8
 vfat
-### Device mapper, encryption & integrity
+### ext4 -----------------------------------------------------------------------------------------------------------------------
-dm_mod
+ext4
-dm_crypt
+jbd2
 dm_integrity
 dm_verity
 ### Main cryptography-Stack
 aes_generic
 blake2b_generic
 crc32c_generic
 libcrc32c
 sha256_generic
 sha512_generic
-### QEMU Bochs-compatible virtual machine support
+### Live-ISO -------------------------------------------------------------------------------------------------------------------
-bochs
+loop
 squashfs
 overlay
-### RAID6 parity generation module
+#### nftables ------------------------------------------------------------------------------------------------------------------
-raid6_pq
+#nf_log_common  # built-in
 #nft_counter    # built-in
 #nft_icmp       # built-in
 #nft_icmpv6     # built-in
 #nft_meta       # built-in
 #nft_set_hash   # built-in
 #nft_set_rbtree # built-in
 #nft_tcp        # built-in
 #nft_udp        # built-in
 nf_conntrack
 nf_nat
 nf_reject_ipv4
 nf_reject_ipv6
 nf_tables
 nfnetlink
 nfnetlink_log
 nft_ct
 nft_limit
 nft_log
 nft_masq
 nft_nat
 nft_reject_inet
-### Combined RAID4/5/6 support module
+### NVMe -----------------------------------------------------------------------------------------------------------------------
 raid456
 ### SCSI/SATA-Stack
 sd_mod
 sr_mod
 sg
 ahci
 libahci
 ata_generic
 libata
 scsi_mod
 scsi_dh_alua
 ### NVMe-Stack
 nvme
 nvme_core
-### USB-Stack
+### QEMU -----------------------------------------------------------------------------------------------------------------------
-xhci_pci
+bochs
-xhci_hcd
+
 ### RAID -----------------------------------------------------------------------------------------------------------------------
 raid456
 raid6_pq
 ### SCSI/SATA ------------------------------------------------------------------------------------------------------------------
 ahci
 ata_generic
 libahci
 libata
 scsi_dh_alua
 scsi_mod
 sd_mod
 sg
 sr_mod
 ### USB ------------------------------------------------------------------------------------------------------------------------
 ehci_pci
 ohci_pci
 uas
 uhci_hcd
 usb_storage
-uas
+xhci_hcd
 xhci_pci
-### Virtual-Machines-Stack
+### Virtual --------------------------------------------------------------------------------------------------------------------
 virtio_pci
 virtio_blk
 virtio_scsi
 virtio_rng
 virtio_console
 virtio_pci
 virtio_rng
 virtio_scsi
-### Network Driver Host-machine
+### Network Driver Host-machine ------------------------------------------------------------------------------------------------
 "${nic_driver}"
 EOF
-cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
+cat << EOF >| /etc/initramfs-tools/update-initramfs.conf
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -174,7 +224,7 @@ cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
 # If set to all update-initramfs will update all initramfs
 # If set to no disables any update to initramfs besides kernel upgrade
-update_initramfs=yes
+update_initramfs=all
 #
 # backup_initramfs [ yes | no ]
@@ -186,14 +236,14 @@ backup_initramfs=no
 EOF
-cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
+cat << EOF >| /etc/initramfs-tools/initramfs.conf
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -250,10 +300,10 @@ COMPRESS=zstd
 # Defaults vary by compressor.
 #
 # Valid values are:
-# 1-9 for gzip|bzip2|lzma|lzop
+# 1...9 for gzip|bzip2|lzma|lzop
-# 0-9 for  lz4|xz
+# 0...9 for  lz4|xz
-# 0-19 for zstd
+# 0...19 for zstd
-# COMPRESSLEVEL=3
+COMPRESSLEVEL=16
 #
 # DEVICE: ...
@@ -290,48 +340,12 @@ FSTYPE=auto
 EOF
-cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
+chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh
-#!/bin/sh
+chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
-# SPDX-Version: 3.0
+chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -e
 PREREQ=""
 prereqs() { echo "$PREREQ"; }
 case $1 in
  prereqs) prereqs; exit 0 ;;
 esac
 . /usr/share/initramfs-tools/hook-functions
 mkdir -p "${DESTDIR}/bin" "${DESTDIR}/usr/bin" "${DESTDIR}/usr/local/bin"
 # Include Bash
 copy_exec /usr/bin/bash /usr/bin
 # Include lsblk (block device information tool)
 copy_exec /usr/bin/lsblk /usr/bin
 # Include udevadm (udev management tool)
 copy_exec /usr/bin/udevadm /usr/bin
 EOF
 chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder
 ### Regenerate the initramfs for the live system kernel
 update-initramfs -u -k all
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0002_hardening_overlay_tmpfs.chroot
+++ b/config/hooks/live/0002_hardening_overlay_tmpfs.chroot
@@ -0,0 +1,63 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 VAR_DATE="$(date +%F)"
 cat << EOF >| /etc/systemd/system/ciss-remount-root.service
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 [Unit]
 Description=Remount overlay root with nosuid,nodev
 DefaultDependencies=no
 After=local-fs.target
 Before=basic.target
 [Service]
 Type=oneshot
 ExecStart=/bin/mount -o remount,nosuid,nodev /
 [Install]
 WantedBy=sysinit.target
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 mkdir -p /etc/systemd/system/tmp.mount.d
 cat << EOF >| /etc/systemd/system/tmp.mount.d/override.conf
 [Mount]
 Options=mode=1777,strictatime,nosuid,nodev,noexec,size=1%
 EOF
 mkdir -p /etc/systemd/system/dev-shm.mount.d
 cat << EOF >| /etc/systemd/system/dev-shm.mount.d/override.conf
 [Mount]
 Options=mode=1777,nosuid,nodev,noexec,size=25%
 EOF
 systemctl enable ciss-remount-root.service
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0002_verify_checksums.chroot
+++ b/config/hooks/live/0002_verify_checksums.chroot
@@ -1,144 +0,0 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 target="/usr/lib/live/boot/0030-verify-checksums"
 src="$(mktemp)"
 if [[ ! -d /usr/lib/live/boot ]]; then
  mkdir -p /usr/lib/live/boot
 fi
 cat << 'EOF' >| "${src}"
 #!/bin/sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Changed version of https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
 ### In case of successful verification of the offered checksums, proceed with booting, else panic.
 ### Inside 0002_verify_checksums.chroot ###
 #######################################
 # Live build ISO with the modified checksum verification script for continuing the boot process.
 # Globals:
 #   LIVE_BOOT_CMDLINE
 #   LIVE_VERIFY_CHECKSUMS
 #   LIVE_VERIFY_CHECKSUMS_DIGESTS
 #   _CHECKSUM
 #   _CHECKSUMS
 #   _DIGEST
 #   _MOUNTPOINT
 #   _PARAMETER
 #   _RETURN
 #   _TTY
 # Arguments:
 #   $1: ${_PARAMETER}
 # Returns:
 #   0 : Successful Verification
 #######################################
 Verify_checksums() {
  for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
    case "${_PARAMETER}" in
      live-boot.verify-checksums=* | verify-checksums=*)
        LIVE_VERIFY_CHECKSUMS="true"
        LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
        ;;
      live-boot.verify-checksums | verify-checksums)
        LIVE_VERIFY_CHECKSUMS="true"
        ;;
    esac
  done
  case "${LIVE_VERIFY_CHECKSUMS}" in
    true) ;;
    *)
      return 0
      ;;
  esac
  _MOUNTPOINT="${1}"
  LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
  _TTY="/dev/tty8"
  log_begin_msg "Verifying checksums"
  # shellcheck disable=SC2164
  cd "${_MOUNTPOINT}"
  for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
    # shellcheck disable=SC2060
    _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
    for _CHECKSUM in ${_CHECKSUMS}; do
      if [ -e "${_CHECKSUM}" ]; then
        echo "Found ${_CHECKSUM}..." > "${_TTY}"
        if [ -e "/bin/${_DIGEST}sum" ]; then
          echo "Checking ${_CHECKSUM}..." > "${_TTY}"
          # Verify checksums
          grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
          _RETURN="${?}"
          # Stop after the first verification
          # break 2
        else
          echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}"
        fi
      fi
    done
  done
  log_end_msg
  case "${_RETURN}" in
    0)
      log_success_msg "Verification sha512 sha384 sha256 successful, continuing booting in 10 seconds."
      sleep 10
      return 0
      ;;
    *)
      panic "Verification failed, $(basename ${_TTY}) for more information."
      ;;
  esac
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 # Copy and make executable
 install -Dm755 "${src}" "${target}"
 rm -f "${src}"
 unset target src
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0003_cdi_autostart.chroot
+++ b/config/hooks/live/0003_cdi_autostart.chroot
@@ -0,0 +1,54 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 if [[ -f /root/.cdi ]]; then
  cat << EOF >| /etc/systemd/system/cdi-starter.service
 [Unit]
 Description=CISS CDI post-boot starter
 Documentation=https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 ConditionFileIsExecutable=/usr/local/sbin/9999_cdi_starter.sh
 After=live-config.service systemd-user-sessions.service getty.target
 After=network-online.target NetworkManager-wait-online.service
 Wants=network-online.target
 [Service]
 Type=simple
 RemainAfterExit=yes
 ExecStart=/usr/local/sbin/9999_cdi_starter.sh
 TimeoutStartSec=0
 Nice=5
 IOSchedulingClass=best-effort
 IOSchedulingPriority=7
 Environment=LANG=C.UTF-8
 StandardOutput=journal
 StandardError=journal
 [Install]
 WantedBy=multi-user.target
 EOF
  chmod 0644 /etc/systemd/system/cdi-starter.service
  systemctl enable cdi-starter.service
  rm -f /root/.cdi
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0007_update_logrotate.chroot
+++ b/config/hooks/live/0007_update_logrotate.chroot
@@ -0,0 +1,78 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 rm -f         "/etc/logrotate.conf"
 cat << EOF >| "/etc/logrotate.conf"
 # See "man logrotate" for details. Global options do not affect preceding include directives.
 # Rotate log files daily
 daily
 # Keep 90 daily worth of backlogs.
 rotate 90
 # Hard cap: delete rotated logs older than 90 days.
 maxage 90
 # Do not rotate the log if it is empty (this overrides the ifempty option).
 notifempty
 # Create new (empty) log files after rotating old ones.
 create
 # Use date as a suffix of the rotated file.
 dateext
 # Use yesterday's instead of today's date to create the dateext extension, so that the rotated log file has a date in its name
 # that is the same as the timestamps within it.
 dateyesterday
 # Enable compression
 compress
 # Use zstd instead of gzip.
 compresscmd /usr/bin/zstd
 # File extension for compressed logs.
 compressext .zst
 # Set zstd level 3 (default).
 compressoptions -20
 # How to decompress for 'logrotate -d' or similar.
 uncompresscmd /usr/bin/unzstd
 # Keep the most recent rotation uncompressed for one cycle.
 delaycompress
 # Delete log files using shred -u instead of unlink().
 shred
 # packages drop log rotation information into this directory
 include /etc/logrotate.d
 # system-specific logs may also be configured here.
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0010_install_apparmor.chroot
+++ b/config/hooks/live/0010_install_apparmor.chroot
@@ -0,0 +1,36 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get install -y --no-install-recommends apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra
 install -d /etc/systemd/system/apparmor.service.d
 cat << EOF >| /etc/systemd/system/apparmor.service.d/10-live-force.conf
 [Unit]
 ### Drop any negative live conditions that would skip AppArmor on overlay.
 ConditionPathExists=
 ### Ensure we only rely on the security=apparmor condition.
 ConditionSecurity=apparmor
 EOF
 install -d -m 0755 /var/cache/apparmor
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0020_dropbear_build.chroot
+++ b/config/hooks/live/0020_dropbear_build.chroot
@@ -0,0 +1,81 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 ### Declare Arrays, HashMaps, and Variables.
 declare var_dropbear_version="2025.88"
 declare var_tar="/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
 declare var_build_dir="/root/build/dropbear-${var_dropbear_version}"
 declare var_logfile="/root/.ciss/cdlb/log/0020_dropbear_build.log"
 mkdir -p "/root/build"
 cp "${var_tar}" "/root/build"
 tar xjf "/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2" -C "/root/build"
 cp "/root/dropbear/localoptions.h" "${var_build_dir}"
 cd "${var_build_dir}"
 ### Flag Purpose:
 #  -fPIE              : Generate position-independent executable code
 #  -pie               : Link the executable as PIE (so that ASLR works)
 #  -static            : Fully statically linked against musl
 #  -s                 : Strip unnecessary symbols directly during linking
 #  -Wl,-z,relro,-z,now: Enables full RELRO (symbol resolution at program startup)
 # shellcheck disable=SC2016,SC2312
 if ! setsid bash -c '
    ### Sterile environment for the build-process.
    export -n SHELLOPTS || true
    set +u
    unset PATH_SEPARATOR
    PATH_SEPARATOR=":"
    PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    if ! command -v musl-gcc >/dev/null 2>&1; then
      echo "ERROR: musl-gcc not found. Install musl-tools in chroot." >&2
      exit 1
    fi
    CC=musl-gcc \
      CFLAGS="-Os -fPIE -Wno-undef -fstack-protector-strong -D_FORTIFY_SOURCE=2" \
      LDFLAGS="-static -pie -s -Wl,-z,relro,-z,now" \
      ./configure \
      --enable-static \
      --enable-openpty \
      --disable-pam \
      --disable-zlib
    # shellcheck disable=2312
    make -j"$(nproc)"
  ' >| "${var_logfile}" 2>&1
 then
  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Dropbear build failed. See [%s] \e[0m\n" "${var_logfile}" >&2
  tail -n 42 "${var_logfile}" >&2 || true
  exit 42
 fi
  rm -rf /root/dropbear
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0021_dropbear_initramfs.chroot
+++ b/config/hooks/live/0021_dropbear_initramfs.chroot
@@ -0,0 +1,132 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 ### Declare Arrays, HashMaps, and Variables.
 declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get install -y --no-install-recommends --no-install-suggests cryptsetup-initramfs dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"
 apt-get purge -y dropbear 2>&1 | tee -a "${var_logfile}" || true
 apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a "${var_logfile}"
 apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a "${var_logfile}"
 mkdir -p /root/.ciss/cdlb/backup/usr/share/initramfs-tools/scripts/init-premount
 mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /root/.ciss/cdlb/backup/usr/share/initramfs-tools/scripts/init-premount/dropbear.trixie
 install -m 0755 -o root -g root /root/dropbear.file /usr/share/initramfs-tools/scripts/init-premount/dropbear
 rm -f /root/dropbear.file
 mkdir -p /root/.ciss/cdlb/backup/usr/sbin
 mv /usr/sbin/dropbear /root/.ciss/cdlb/backup/usr/sbin/dropbear.trixie
 install -m 0755 -o root -g root /root/build/dropbear-2025.88/dropbear /usr/sbin/
 mkdir -p /root/.ciss/cdlb/backup/usr/bin
 for var_file in dbclient dropbearconvert dropbearkey; do
  mv "/usr/bin/${var_file}" "/root/.ciss/cdlb/backup/usr/bin/${var_file}.trixie"
  install -m 0755 -o root -g root "/root/build/dropbear-2025.88/${var_file}" /usr/bin/
 done
 mkdir -p /etc/initramfs-tools/scripts/init-bottom
 cat << 'EOF' >| /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill
 #!/bin/sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 PREREQ=""
 prereqs() { echo "${PREREQ}"; }
 # shellcheck disable=SC2249
 case "${1}" in
  prereqs) prereqs; exit 0 ;;
 esac
 ### Stop dropbear shipped in the initramfs after root pivot.
 [ -x /bin/pidof ] || exit 0
 P=$(/bin/pidof dropbear 2>/dev/null) || true
 [ -n "${P}" ] || exit 0
 /bin/kill -TERM "${P}" 2>/dev/null || true
 /bin/sleep 1
 /bin/kill -KILL "${P}" 2>/dev/null || true
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 chmod 0755 /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill
 cat << EOF >| /etc/apt/preferences.d/99-mask-dropbear
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # Never install the dropbear daemon package at all.
 Package: dropbear
 Pin: release *
 Pin-Priority: -1
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 cat << EOF >| /etc/apt/preferences.d/99-mask-dropbear-initramfs
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # Keep the currently installed initramfs integration; never upgrade it.
 Package: dropbear-initramfs
 Pin: release *
 Pin-Priority: -1
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 systemctl mask dropbear.service dropbear.socket
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0022_dropbear_setup.chroot
+++ b/config/hooks/live/0022_dropbear_setup.chroot
@@ -0,0 +1,160 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 #######################################
 # Set up the 'dropbear-initramfs' environment.
 # Globals:
 #   None
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 dropbear_setup() {
  ### Declare Arrays, HashMaps, and Variables.
  # shellcheck disable=SC2155
  declare user_root_sshpubkey="$(< /root/.ssh/authorized_keys)"
  declare var_force_command_string='command="/usr/local/bin/unlock_wrapper.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding '
  ### Prepare strong dropbear host keys.
  rm -f /etc/dropbear/initramfs/dropbear*key*
  if [[ -d /root/ssh ]]; then
    dropbearconvert openssh dropbear /root/ssh/ssh_host_ed25519_key        /etc/dropbear/initramfs/dropbear_ed25519_host_key
    dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key >| /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub
    if [[ -f /root/ssh/ssh_host_rsa_key ]]; then
      dropbearconvert openssh dropbear /root/ssh/ssh_host_rsa_key          /etc/dropbear/initramfs/dropbear_rsa_host_key
      dropbearkey -y -f /etc/dropbear/initramfs/dropbear_rsa_host_key   >| /etc/dropbear/initramfs/dropbear_rsa_host_key.pub
    fi
  else
    # shellcheck disable=SC2312
    /usr/bin/dropbearkey -t ed25519     -f /etc/dropbear/initramfs/dropbear_ed25519_host_key -C "root@live-$(date -I)"
    # shellcheck disable=SC2312
    /usr/bin/dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key     -C "root@live-$(date -I)"
  fi
  chmod 0600 /etc/dropbear/initramfs/dropbear_ed25519_host_key
  chmod 0644 /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub
  ### Prepare dropbear authorized_keys.
  printf "%s\n" "${var_force_command_string}${user_root_sshpubkey}" >| /etc/dropbear/initramfs/authorized_keys
  chmod 0600 /etc/dropbear/initramfs/authorized_keys
  install -m 0644 -o root -g root /etc/banner /etc/dropbear/initramfs/banner
  ### "IP=<HOST IP>::<GATEWAY IP>:<SUBNET MASK>:<FQDN>:<NIC>:none:<DNS 0 IP>:<DNS 1 IP>:<NTP IP>"
  ### "IP=:::::<NIC>:dhcp"
  printf "IP=::::::dhcp\n" >| /etc/initramfs-tools/conf.d/ip
  ### Generate dropbear configuration file.
  write_dropbear_conf
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f dropbear_setup
 #######################################
 # Write '/etc/dropbear/initramfs/dropbear.conf'.
 # Globals:
 #   None
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 write_dropbear_conf() {
  # shellcheck disable=SC2155
  declare sshport="$(< /root/sshport)"
  rm -f /root/sshport
  [[ -z "${sshport:-}" ]] && sshport="2222"
  ### CISS internal
  [[ "${sshport}" == "42137" ]] && sshport="44137"
  cat << EOF >| /etc/dropbear/initramfs/dropbear.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # Configuration options for the dropbear-initramfs boot scripts.
 # Variable assignment follow shell semantics and escaping/quoting rules.
 # You must run update-initramfs(8) to effect changes to this file (like
 # for other files in the '/etc/dropbear/initramfs' directory).
 # Command line options to pass to dropbear(8).
 # Dropbear options for 2025+:
 # -b: Display the contents of bannerfile before user login
 # -E: Log to stderr
 # -I: Idle timeout in seconds
 # -K: Keepalive interval in seconds
 # -p: Specify port (and optionally address)
 # -w: Disable root login (SHOULD NOT be implemented for initramfs)
 DROPBEAR_OPTIONS="-b /etc/dropbear/banner -E -I 300 -K 60 -p ${sshport}"
 # On local (non-NFS) mounts, interfaces matching this pattern are
 # brought down before exiting the ramdisk to avoid dirty network
 # configuration in the normal kernel.
 # The special value 'none' keeps all interfaces up and preserves routing
 # tables and addresses.
 #IFDOWN="*"
 # On local (non-NFS) mounts, the network stack and dropbear are started
 # asynchronously at init-premount stage.  This value specifies the
 # maximum number of seconds to wait (while the network/dropbear are
 # being configured) at init-bottom stage before terminating dropbear and
 # bringing the network down.
 # If the timeout is too short, and if the boot process is not blocking
 # on user input supplied via SSHd (ie no remote unlocking), then the
 # initrd might pivot to init(1) too early, thereby causing a race
 # condition between network configuration from initramfs vs from the
 # normal system.
 #DROPBEAR_SHUTDOWN_TIMEOUT=60
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f write_dropbear_conf
 dropbear_setup
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0040_ssh_config_setup.chroot
+++ b/config/hooks/live/0040_ssh_config_setup.chroot
@@ -0,0 +1,44 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 cat << EOF >> /etc/ssh/ssh_config.d/10-sshfp.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 Host git.coresecret.dev
    Port                    42842
    VerifyHostKeyDNS        yes
    StrictHostKeyChecking   yes
    GlobalKnownHostsFile    /etc/ssh/ssh_known_hosts
    UserKnownHostsFile      /dev/null
    HostKeyAlgorithms       ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
    CanonicalizeHostname    no
    UpdateHostKeys          no
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0050_activate_root.chroot
+++ b/config/hooks/live/0050_activate_root.chroot
@@ -1,32 +1,32 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 if [[ ! -f /root/.pwd ]]; then
  printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ /root/.pwd NOT found. \e[0m\n"
  # sleep 1
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Exiting Hook ... \e[0m\n"
  # sleep 1
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' done. Nothing changed. \e[0m\n" "${0}"
  exit 0
 fi
 cd /root
-cp /etc/shadow /root/.ciss/dlb/backup/shadow.bak."$(date +%F_%T)"
+# shellcheck disable=SC2312
-chmod 600 /root/.ciss/dlb/backup/shadow.bak.*
+cp /etc/shadow /root/.ciss/cdlb/backup/shadow.bak."$(date +%F_%T)"
 chmod 0600 /root/.ciss/cdlb/backup/shadow.bak.*
 declare hashed_pwd
 declare safe_hashed_pwd
@@ -37,17 +37,17 @@ sed -i "s|^root:[^:]*:\(.*\)|root:${safe_hashed_pwd}:\1|" /etc/shadow
 sed -i "s|^user:[^:]*:\(.*\)|user:${safe_hashed_pwd}:\1|" /etc/shadow
 unset hashed_pwd safe_hashed_pwd
-cat /etc/shadow
+if shred -fzu -n 5 /root/.pwd; then
-# sleep 1
+
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n"
 if shred -vfzu -n 5 /root/.pwd; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: -vfzu -n 5 >> done. \e[0m\n"
 else
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: -vfzu -n 5 >> NOT successful. \e[0m\n" >&2
+
  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: shred -fzu -n 5 >> NOT successful. \e[0m\n" >&2
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0080_keyboard_layout.chroot
+++ b/config/hooks/live/0080_keyboard_layout.chroot
@@ -1,18 +1,17 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cat << 'EOF' >| /etc/default/keyboard
 XKBMODEL="pc105"
@@ -22,10 +21,12 @@ XKBOPTIONS=""
 BACKSPACE="guess"
 EOF
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 dpkg-reconfigure -f noninteractive keyboard-configuration
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0090_jitterentropy.chroot
+++ b/config/hooks/live/0090_jitterentropy.chroot
@@ -1,42 +1,34 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
-apt-get update -y
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-apt-get install --no-install-recommends haveged -y
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get install -y --no-install-recommends jitterentropy-rngd
 cd /root
 cat << 'EOF' >| /etc/default/haveged
 # Configuration file for haveged
-# Options to pass to haveged:
+mkdir -p /etc/systemd/system/jitterentropy-rngd.service.d
-DAEMON_ARGS="-w 2048 -v 1"
+
 cat << 'EOF' >> /etc/systemd/system/jitterentropy-rngd.service.d/override.conf
 [Service]
 ExecStart=
 ExecStart=/usr/sbin/jitterentropy-rngd --osr=2
 EOF
 #mkdir -p /etc/systemd/system/haveged.service.d
 #cat << 'EOF' >| /etc/systemd/system/haveged.service.d/override.conf
 #[Service]
 #NoNewPrivileges=yes
 #ReadWritePaths=/dev/random /dev/urandom
 #AmbientCapabilities=
 #User=haveged
 #Group=nogroup
 #EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0120_set_hostname.chroot
+++ b/config/hooks/live/0120_set_hostname.chroot
@@ -1,21 +1,20 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
-mv /etc/hostname /root/.ciss/dlb/backup/hostname.bak
+mv /etc/hostname /root/.ciss/cdlb/backup/hostname.bak
-mv /etc/mailname /root/.ciss/dlb/backup/mailname.bak
+mv /etc/mailname /root/.ciss/cdlb/backup/mailname.bak
 cat << 'EOF' >| /etc/hostname
 live.local
@@ -28,7 +27,6 @@ localhost.local
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0130_machineid.chroot
+++ b/config/hooks/live/0130_machineid.chroot
@@ -1,18 +1,17 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
 if [[ -f /var/lib/dbus/machine-id ]]; then
@@ -22,7 +21,7 @@ fi
 cat << 'EOF' >| /var/lib/dbus/machine-id
 b08dfa6083e7567a1921a715000001fb
 EOF
-chmod 644 /var/lib/dbus/machine-id
+chmod 0644 /var/lib/dbus/machine-id
 if [[ -f /etc/machine-id ]]; then
  rm /etc/machine-id
@@ -34,7 +33,6 @@ EOF
 chmod 644 /etc/machine-id
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0400_eza_install.chroot
+++ b/config/hooks/live/0400_eza_install.chroot
@@ -1,18 +1,17 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
@@ -24,7 +23,10 @@ wget -qO- https://raw.githubusercontent.com/eza-community/eza/main/deb.asc | gpg
 echo "deb [signed-by=/etc/apt/keyrings/gierens.gpg] http://deb.gierens.de stable main" | tee /etc/apt/sources.list.d/gierens.list
 chmod 644 /etc/apt/keyrings/gierens.gpg /etc/apt/sources.list.d/gierens.list
-apt-get update -y
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get update -qq
 apt-get install -y eza
 git clone https://github.com/eza-community/eza-themes.git
@@ -145,10 +147,7 @@ unzip /tmp/nerd/Hack.zip -d /root/.local/share/fonts
 fc-cache -fv
 rm -rf /tmp/nerd
 unset repo latest_release download_url
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0800_lynis_setup.chroot
+++ b/config/hooks/live/0800_lynis_setup.chroot
@@ -1,28 +1,469 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
 echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list
-apt-get update -y
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get update -qq
 apt-get install -y lynis
 lynis show version
 cat << EOF_LYNIS >| /etc/lynis/default.prf
 #################################################################################
 #
 #
 # Lynis - Default scan profile
 #
 #
 #################################################################################
 #
 #
 # This profile provides Lynis with most of its initial values to perform a
 # system audit.
 #
 #
 # WARNINGS
 # ----------
 #
 # Do NOT make changes to this file. Instead, copy only your changes into
 # the file custom.prf and put it in the same directory as default.prf
 #
 # To discover where your profiles are located: lynis show profiles
 #
 #
 # Lynis performs a strict check on profiles to avoid the inclusion of
 # possibly harmful injections. See include/profiles for details.
 #
 #
 #################################################################################
 #
 # All empty lines or with the # prefix will be skipped
 #
 #################################################################################
 # Use colored output
 colors=yes
 # Compressed uploads (set to zero when errors with uploading occur)
 compressed-uploads=yes
 # Amount of connections in WAIT state before reporting it as a suggestion
 #connections-max-wait-state=5000
 # Debug mode (for debugging purposes, extra data logged to screen)
 #debug=yes
 # Show non-zero exit code when warnings are found
 error-on-warnings=no
 # Use Lynis in your own language (by default auto-detected)
 language=
 # Log tests from another guest operating system (default: yes)
 #log-tests-incorrect-os=yes
 # Define if available NTP daemon is configured as a server or client on the network
 # values: server or client (default: client)
 #ntpd-role=client
 # Defines the role of the system (personal, workstation or server)
 machine-role=server
 # Ignore some stratum 16 hosts (for example when running as time source itself)
 #ntp-ignore-stratum-16-peer=127.0.0.1
 # Profile name, will be used as title/description
 profile-name=Default Audit Template
 # Number of seconds to pause between every test (0 is no pause)
 pause-between-tests=0
 # Quick mode (do not wait for keypresses)
 quick=yes
 # Refresh software repositories to help detecting vulnerable packages
 refresh-repositories=yes
 # Show solution for findings
 show-report-solution=yes
 # Show inline tips about the tool
 show-tool-tips=yes
 # Skip plugins
 skip-plugins=no
 # Skip a test (one per line)
 #skip-test=SSH-7408
 skip-test=KRNL-5788
 skip-test=KRNL-5830
 skip-test=AUTH-9229
 # Skip a particular option within a test (when applicable)
 #skip-test=SSH-7408:loglevel
 #skip-test=SSH-7408:permitrootlogin
 # Skip Lynis upgrade availability test (default: no)
 #skip-upgrade-test=yes
 # Locations where to search for SSL certificates (separate paths with a colon)
 ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/refind.d/keys:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www
 ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive:
 ssl-certificate-include-packages=no
 # Scan type - how deep the audit should be (light, normal or full)
 test-scan-mode=full
 # Verbose output
 verbose=no
 #################################################################################
 #
 # Plugins
 # ---------------
 # Define which plugins are enabled
 #
 # Notes:
 # - Nothing happens if plugin isn't available
 # - There is no order in execution of plugins
 # - See documentation about how to use plugins and phases
 # - Some are for Lynis Enterprise users only
 #
 #################################################################################
 # Lynis plugins to enable
 plugin=authentication
 plugin=compliance
 plugin=configuration
 plugin=control-panels
 plugin=crypto
 plugin=dns
 plugin=docker
 plugin=file-integrity
 plugin=file-systems
 plugin=firewalls
 plugin=forensics
 plugin=hardware
 plugin=intrusion-detection
 plugin=intrusion-prevention
 plugin=kernel
 plugin=malware
 plugin=memory
 plugin=nginx
 plugin=pam
 plugin=processes
 plugin=security-modules
 plugin=software
 plugin=system-integrity
 plugin=systemd
 plugin=users
 plugin=krb5
 # Disable a particular plugin (will overrule an enabled plugin)
 #disable-plugin=authentication
 #################################################################################
 #
 # Kernel options
 # ---------------
 # config-data=, followed by:
 #
 # - Type                     = Set to 'sysctl'
 # - Setting                  = value of sysctl key (e.g. kernel.sysrq)
 # - Expected value           = Preferred value for key (e.g. 0)
 # - Hardening Points         = Number of hardening points (typically 1 point per key) (1)
 # - Description              = Textual description about the sysctl key(Disable magic SysRQ)
 # - Related file or command  = For example, sysctl -a to retrieve more details
 # - Solution field           = Specifies more details or where to find them (url:URL, text:TEXT, or -)
 #
 #################################################################################
 # Config
 # - Type (sysctl)
 # - Setting (kernel.sysrq)
 # - Expected value (0)
 # - Hardening Points (1)
 # - Description (Disable magic SysRQ)
 # - Related file or command (sysctl -a)
 # - Solution field (url:URL, text:TEXT, or -)
 # Processes
 config-data=sysctl;security.bsd.see_other_gids;0;1;Groups only see their own processes;sysctl -a;-;category:security;
 config-data=sysctl;security.bsd.see_other_uids;0;1;Users only see their own processes;sysctl -a;-;category:security;
 config-data=sysctl;security.bsd.stack_guard_page;1;1;Enable stack smashing protection (SSP)/ProPolice to defend against possible buffer overflows;-;category:security;
 config-data=sysctl;security.bsd.unprivileged_proc_debug;0;1;Unprivileged processes can not use process debugging;sysctl -a;-;category:security;
 config-data=sysctl;security.bsd.unprivileged_read_msgbuf;0;1;Unprivileged processes can not read the kernel message buffer;sysctl -a;-;category:security;
 # Kernel
 config-data=sysctl;fs.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
 config-data=sysctl;fs.protected_fifos;2;1;Restrict FIFO special device creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
 config-data=sysctl;fs.protected_hardlinks;1;1;Restrict hardlink creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
 config-data=sysctl;fs.protected_regular;2;1;Restrict regular files creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
 config-data=sysctl;fs.protected_symlinks;1;1;Restrict symlink following behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
 #config-data=sysctl;kern.randompid=2345;Randomize PID numbers with a specific modulus;sysctl -a;-;category:security;
 config-data=sysctl;kern.sugid_coredump;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.core_setuid_ok;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.core_uses_pid;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.ctrl-alt-del;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.dmesg_restrict;1;1;Restrict use of dmesg;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.exec-shield-randomize;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.exec-shield;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.maps_protect;1;1;Restrict access to /proc/[pid]/maps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.modules_disabled;1;1;Restrict module loading once this sysctl value is loaded;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.perf_event_paranoid;2|3|4;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.randomize_va_space;2;1;Randomize of memory address locations (ASLR);sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.unprivileged_bpf_disabled;1;1;Restrict BPF for unprivileged users;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.use-nx;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.yama.ptrace_scope;1|2|3;1;Disable process tracing for everyone;-;category:security;
 # Network
 config-data=sysctl;net.core.bpf_jit_harden;2;1;Hardened BPF JIT compilation;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;net.inet.ip.linklocal.in.allowbadttl;0;
 config-data=sysctl;net.inet.tcp.always_keepalive;0;1;Disable TCP keep alive detection for dead peers as the keepalive can be spoofed;-;category:security;
 #config-data=sysctl;net.inet.tcp.fast_finwait2_recycle;1;1;Recycle FIN/WAIT states more quickly (DoS mitigation step, with risk of false RST);-;category:security;
 config-data=sysctl;net.inet.tcp.nolocaltimewait;1;1;Remove the TIME_WAIT state for loopback interface;-;category:security;
 config-data=sysctl;net.inet.tcp.path_mtu_discovery;0;1;Disable MTU discovery as many hosts drop the ICMP type 3 packets;-;category:security;
 config-data=sysctl;net.inet.icmp.bmcastecho;0;1;Ignore ICMP packets directed to broadcast address;-;category:security;
 config-data=sysctl;net.inet.tcp.icmp_may_rst;0;1;ICMP may not send RST to avoid spoofed ICMP/UDP floods;-;category:security;
 config-data=sysctl;net.inet.icmp.drop_redirect;1;1;Do not allow redirected ICMP packets;-;category:security;
 config-data=sysctl;net.inet.icmp.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security;
 config-data=sysctl;net.inet.icmp.timestamp;0;1;Disable timestamps;-;category:security;
 config-data=sysctl;net.inet.ip.accept_sourceroute;0;1;Disable IP source routing;-;category:security;
 config-data=sysctl;net.inet.ip.check_interface;1;1;Verify that a packet arrived on the right interface;-;category:security;
 config-data=sysctl;net.inet.ip.forwarding;0;1;Do not allow forwarding of traffic;-;category:security;
 config-data=sysctl;net.inet.ip.process_options;0;1;Ignore any IP options in the incoming packets;-;category:security;
 config-data=sysctl;net.inet.ip.random_id;1;1;Use a random IP id to each packet leaving the system;-;category:security;
 config-data=sysctl;net.inet.ip.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
 config-data=sysctl;net.inet.ip.sourceroute;0;1;Disable IP source routing;-;category:security;
 config-data=sysctl;net.inet.ip6.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
 config-data=sysctl;net.inet.tcp.blackhole;2;1;Do not sent RST but drop traffic when delivered to closed TCP port;-;category:security;
 config-data=sysctl;net.inet.tcp.drop_synfin;1;1;SYN/FIN packets will be dropped on initial connection;-;category:security;
 config-data=sysctl;net.inet.udp.blackhole;1;1;Do not sent RST but drop traffic when delivered to closed UDP port;-;category:security;
 config-data=sysctl;net.inet6.icmp6.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security;
 config-data=sysctl;net.inet6.ip6.forwarding;0;1;Do not allow forwarding of traffic;-;category:security;
 config-data=sysctl;net.inet6.ip6.fw.enable;1;1;Enable filtering;-;category:security;
 config-data=sysctl;net.inet6.ip6.redirect;0;1;Disable sending ICMP redirect routing redirects;-;category:security;
 config-data=sysctl;net.ipv4.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
 config-data=sysctl;net.ipv4.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
 config-data=sysctl;net.ipv4.conf.all.bootp_relay;0;1;Do not relay BOOTP packets;-;category:security;
 config-data=sysctl;net.ipv4.conf.all.forwarding;0;1;Disable IP source routing;-;category:security;
 config-data=sysctl;net.ipv4.conf.all.log_martians;1;1;Log all packages for which the host does not have a path back to the source;-;category:security;
 config-data=sysctl;net.ipv4.conf.all.mc_forwarding;0;1;Disable IP source routing;-;category:security;
 config-data=sysctl;net.ipv4.conf.all.proxy_arp;0;1;Do not relay ARP packets;-;category:security;
 config-data=sysctl;net.ipv4.conf.all.rp_filter;1;1;Enforce ingress/egress filtering for packets;-;category:security;
 config-data=sysctl;net.ipv4.conf.all.send_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
 config-data=sysctl;net.ipv4.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
 config-data=sysctl;net.ipv4.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security;
 config-data=sysctl;net.ipv4.conf.default.log_martians;1;1;Log all packages for which the host does not have a path back to the source;-;category:security;
 config-data=sysctl;net.ipv4.icmp_echo_ignore_broadcasts;1;1;Ignore ICMP packets directed to broadcast address;-;category:security;
 config-data=sysctl;net.ipv4.icmp_ignore_bogus_error_responses;1;1;Ignore-;category:security;
 #config-data=sysctl;net.ipv4.ip_forward;0;1;Do not forward traffic;-;category:security;
 config-data=sysctl;net.ipv4.tcp_syncookies;1;1;Use SYN cookies to prevent SYN attack;-;category:security;
 config-data=sysctl;net.ipv4.tcp_timestamps;0|1;1;Disable TCP time stamps or enable them with different offsets;-;category:security;
 config-data=sysctl;net.ipv6.conf.all.send_redirects;0;1;Disable/ignore ICMP routing redirects;-;category:security;
 config-data=sysctl;net.ipv6.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
 config-data=sysctl;net.ipv6.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
 config-data=sysctl;net.ipv6.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
 config-data=sysctl;net.ipv6.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security;
 # Other
 config-data=sysctl;dev.tty.ldisc_autoload;0;1;Disable loading of TTY line disciplines;-;category:security;
 config-data=sysctl;hw.kbd.keymap_restrict_change;4;1;Disable changing the keymap by non-privileged users;-;category:security;
 #sysctl;kern.securelevel;1^2^3;1;FreeBSD security level;
 #security.jail.jailed; 0
 #security.jail.jail_max_af_ips; 255
 #security.jail.mount_allowed; 0
 #security.jail.chflags_allowed; 0
 #security.jail.allow_raw_sockets; 0
 #security.jail.enforce_statfs; 2
 #security.jail.sysvipc_allowed; 0
 #security.jail.socket_unixiproute_only; 1
 #security.jail.set_hostname_allowed; 1
 #security.bsd.suser_enabled; 1
 #security.bsd.unprivileged_proc_debug; 1
 #security.bsd.conservative_signals; 1
 #security.bsd.unprivileged_read_msgbuf; 1
 #security.bsd.unprivileged_get_quota; 0
 config-data=sysctl;security.bsd.hardlink_check_gid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other groups;-;category:security;
 config-data=sysctl;security.bsd.hardlink_check_uid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other users;-;category:security;
 #################################################################################
 #
 # permfile
 # ---------------
 # permfile=file name:file permissions:owner:group:action:
 # Action = NOTICE or WARN
 # Examples:
 # permfile=/etc/test1.dat:600:root:wheel:NOTICE:
 # permfile=/etc/test1.dat:640:root:-:WARN:
 #
 #################################################################################
 #permfile=/etc/inetd.conf:rw-------:root:-:WARN:
 #permfile=/etc/fstab:rw-r--r--:root:-:WARN:
 permfile=/boot/grub/grub.cfg:rw-------:root:root:WARN:
 permfile=/boot/grub2/grub.cfg:rw-------:root:root:WARN:
 permfile=/boot/grub2/user.cfg:rw-------:root:root:WARN:
 permfile=/etc/at.allow:rw-------:root:-:WARN:
 permfile=/etc/at.deny:rw-------:root:-:WARN:
 permfile=/etc/cron.allow:rw-------:root:-:WARN:
 permfile=/etc/cron.deny:rw-------:root:-:WARN:
 permfile=/etc/crontab:rw-------:root:-:WARN:
 permfile=/etc/group:rw-r--r--:root:-:WARN:
 permfile=/etc/group-:rw-r--r--:root:-:WARN:
 permfile=/etc/hosts.allow:rw-r--r--:root:root:WARN:
 permfile=/etc/hosts.deny:rw-r--r--:root:root:WARN:
 permfile=/etc/issue:rw-r--r--:root:root:WARN:
 permfile=/etc/issue.net:rw-r--r--:root:root:WARN:
 permfile=/etc/lilo.conf:rw-------:root:-:WARN:
 permfile=/etc/motd:rw-r--r--:root:root:WARN:
 permfile=/etc/passwd:rw-r--r--:root:-:WARN:
 permfile=/etc/passwd-:rw-r--r--:root:-:WARN:
 permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN:
 permfile=/etc/hosts.equiv:rw-r--r--:root:root:WARN:
 permfile=/etc/shosts.equiv:rw-r--r--:root:root:WARN:
 permfile=/root/.rhosts:rw-------:root:root:WARN:
 permfile=/root/.rlogin:rw-------:root:root:WARN:
 permfile=/root/.shosts:rw-------:root:root:WARN:
 # These permissions differ by OS
 #permfile=/etc/gshadow:---------:root:-:WARN:
 #permfile=/etc/gshadow-:---------:root:-:WARN:
 #permfile=/etc/shadow:---------:root:-:WARN:
 #permfile=/etc/shadow-:---------:root:-:WARN:
 #################################################################################
 #
 # permdir
 # ---------------
 # permdir=directory name:file permissions:owner:group:action when permissions are different:
 #
 #################################################################################
 permdir=/root/.ssh:rwx------:root:-:WARN:
 permdir=/etc/cron.d:rwx------:root:root:WARN:
 permdir=/etc/cron.daily:rwx------:root:root:WARN:
 permdir=/etc/cron.hourly:rwx------:root:root:WARN:
 permdir=/etc/cron.weekly:rwx------:root:root:WARN:
 permdir=/etc/cron.monthly:rwx------:root:root:WARN:
 # Ignore some specific home directories
 # One directory per line; directories will be skipped for home directory specific
 # checks, like file permissions, SSH and other configuration files
 #ignore-home-dir=/home/user
 # Allow promiscuous interfaces
 #   <option>:<promiscuous interface name>:<description>:
 #if_promisc:pflog0:pf log daemon interface:
 # The URL prefix and append to the URL for controls or your custom tests
 # Link will be formed as {control-url-protocol}://{control-url-prepend}CONTROL-ID{control-url-append}
 #control-url-protocol=https
 #control-url-prepend=cisofy.com/control/
 #control-url-append=/
 # The URL prefix and append to URL's for your custom tests
 #custom-url-protocol=https
 #custom-url-prepend=your-domain.example.org/control-info/
 #custom-url-append=/
 #################################################################################
 #
 # Operating system specific
 # -------------------------
 #
 #################################################################################
 # Skip the FreeBSD portaudit test
 #freebsd-skip-portaudit=yes
 # Skip security repository check for Debian based systems
 #debian-skip-security-repository=yes
 #################################################################################
 #
 # Lynis Enterprise options
 # ------------------------
 #
 #################################################################################
 # Allow this system to be purged when it is outdated (default: not defined).
 # This is useful for ephemeral systems which are short-lived.
 #allow-auto-purge=yes
 # Sometimes it might be useful to override the host identifiers.
 # Use only hexadecimal values (0-9, a-f), with 40 and 64 characters in length.
 #
 #hostid=40-char-hash
 #hostid2=64-char-hash
 # Lynis Enterprise license key
 license-key=
 # Proxy settings
 # Protocol (http, https, socks5)
 #proxy-protocol=https
 # Proxy server
 #proxy-server=10.0.1.250
 # Define proxy port to use
 #proxy-port=3128
 # Define the group names to link to this system (preferably single words). Default setting: append
 # To clear groups before assignment, add 'action:clear' as last groupname
 #system-groups=groupname1,groupname2,groupname3
 # Define which compliance standards are audited and reported on. Disable this if not required.
 compliance-standards=cis,hipaa,iso27001,pci-dss
 # Provide the name of the customer/client
 #system-customer-name=mycustomer
 # Upload data to central server
 upload=no
 # The hostname/IP address to receive the data
 upload-server=
 # Provide options to cURL (or other upload tool) when uploading data.
 # upload-options=--insecure (use HTTPS, but skip certificate check for self-signed certificates)
 upload-options=
 # Link one or more tags to a system
 #tags=db,production,ssn-1304
 #EOF
 EOF_LYNIS
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0810_chrony_setup.chroot
+++ b/config/hooks/live/0810_chrony_setup.chroot
@@ -1,28 +1,44 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 mkdir -p /var/log/chrony
-# See https://coresecret.eu/tutorials/debian-package-glossary/ for a brief description of the installed packages.
+
-apt-get install chrony -y
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 export TZ="Etc/UTC"
 apt-get install -y adjtimex chrony tzdata
 systemctl enable chrony.service
-mv /etc/chrony/chrony.conf /root/.ciss/dlb/backup/chrony.conf.bak
+mv /etc/chrony/chrony.conf /root/.ciss/cdlb/backup/chrony.conf.bak
-chmod 644 /root/.ciss/dlb/backup/chrony.conf.bak
+chmod 0644 /root/.ciss/cdlb/backup/chrony.conf.bak
 cat << EOF >| /etc/chrony/chrony.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 cat << 'EOF' >| /etc/chrony/chrony.conf
 # Include configuration files found in /etc/chrony/conf.d.
 confdir /etc/chrony/conf.d
 driftfile /var/lib/chrony/chrony.drift
@@ -36,16 +52,14 @@ log tracking measurements statistics
 authselectmode require
-server ptbtime1.ptb.de iburst nts minpoll 5 maxpoll 9
+# server ntp.ripe.net      iburst nts minpoll 5 maxpoll 9
-server ptbtime2.ptb.de iburst nts minpoll 5 maxpoll 9
+server ptbtime3.ptb.de   iburst nts minpoll 5 maxpoll 9
-server ptbtime3.ptb.de iburst nts minpoll 5 maxpoll 9
+server ptbtime2.ptb.de   iburst nts minpoll 5 maxpoll 9
-server ptbtime4.ptb.de iburst nts minpoll 5 maxpoll 9
+server ptbtime1.ptb.de   iburst nts minpoll 5 maxpoll 9
-server sth1.ntp.se iburst nts minpoll 5 maxpoll 9
+# server ntp13.metas.ch    iburst nts minpoll 5 maxpoll 9
 server ntp0.fau.de iburst nts minpoll 5 maxpoll 9
 server ntp13.metas.ch iburst nts minpoll 5 maxpoll 9
 # server ntp.ripe.net iburst nts minpoll 5 maxpoll 9
 # server ntp2.tecnico.ulisboa.pt iburst nts minpoll 5 maxpoll 9
 # server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9
 # server sth1.ntp.se       iburst nts minpoll 5 maxpoll 9
 server ntp0.fau.de       iburst nts minpoll 5 maxpoll 9
 leapsectz right/UTC
@@ -55,13 +69,52 @@ maxupdateskew 100.0
 rtcsync
-makestep 1 3
+makestep 0.25 3
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
-chmod 644 /etc/chrony/chrony.conf
+chmod 0644 /etc/chrony/chrony.conf
 [[ -f /root/.ciss/check_chrony.sh ]] && chmod 0700 /root/.ciss/check_chrony.sh
 ### Build right/UTC from tzdata leap table if missing.
 if [[ ! -e /usr/share/zoneinfo/right/UTC ]]; then
  install -d -m 0755 /usr/share/zoneinfo/right
  ### Minimal zic source for a fixed UTC zone.
  declare -r tmp_src="/tmp/UTC.src"
  printf 'Zone UTC  0  -  UTC\n' > "${tmp_src}"
  ### Prefer the zic-format leapseconds file.
  declare leap_zic="/usr/share/zoneinfo/leapseconds"
  if [[ -s "${leap_zic}" ]]; then
    zic -d /usr/share/zoneinfo/right -L "${leap_zic}" "${tmp_src}"
  else
    echo "WARNING: ${leap_zic} not found; building right/UTC without leap info." >&2
    zic -d /usr/share/zoneinfo/right -L /dev/null "${tmp_src}"
  fi
  rm -f "${tmp_src}"
 fi
 if [[ -e /usr/share/zoneinfo/right/UTC ]]; then
  ### Expect to see 'Sat Dec 31 23:59:60 UTC 2016' rendered in right/UTC
  TZ=right/UTC date -ud '2017-01-01 00:00:00 -1 second' || true
 fi
 chronyd -Q -f /etc/chrony/chrony.conf 2>&1
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0820_kernel_hardening_checker.chroot
+++ b/config/hooks/live/0820_kernel_hardening_checker.chroot
@@ -1,24 +1,22 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root/git
 git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0822_ssh_restart_hook.chroot
+++ b/config/hooks/live/0822_ssh_restart_hook.chroot
@@ -1,52 +1,30 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
-cd /root
+mkdir -p /etc/systemd/system/ssh.service.d
 declare target_script="/etc/cron.d/restart-ssh"
-cat << 'EOF' >| "${target_script}"
+cat << EOF >| /etc/systemd/system/ssh.service.d/10-ciss-network.conf
-@reboot root /usr/local/bin/restart-ssh.sh
+[Unit]
 After=network-online.target ufw.service fail2ban.service
 Wants=network-online.target
 [Service]
 ExecStartPre=/bin/sleep 5
 EOF
 chmod 644 "${target_script}"
 cat << 'EOF' >| /usr/local/bin/restart-ssh.sh
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # Script to restart SSH at boot
 systemctl stop ssh
 sleep 5
 systemctl start ssh
 EOF
 chmod +x /usr/local/bin/restart-ssh.sh
 unset target_script
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0825_my_sqltuner_perl.chroot
+++ b/config/hooks/live/0825_my_sqltuner_perl.chroot
@@ -1,24 +1,22 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root/git
 git clone --depth 1 -b master https://github.com/major/MySQLTuner-perl.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0830_download_yq.chroot
+++ b/config/hooks/live/0830_download_yq.chroot
@@ -1,24 +1,22 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
 chmod +x /usr/bin/yq
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0835_testssl.sh.chroot
+++ b/config/hooks/live/0835_testssl.sh.chroot
@@ -1,24 +1,22 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root/git
 git clone https://github.com/testssl/testssl.sh.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
+++ b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
@@ -1,20 +1,21 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
-apt-get install -y curl
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && \
 apt-get install -y nodejs
@@ -22,7 +23,6 @@ cd /root/git
 git clone https://github.com/sefinek/UFW-AbuseIPDB-Reporter.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0845_harbian_audit.chroot
+++ b/config/hooks/live/0845_harbian_audit.chroot
@@ -1,24 +1,22 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root/git
 git clone https://github.com/hardenedlinux/harbian-audit.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0850_ssh_audit.chroot
+++ b/config/hooks/live/0850_ssh_audit.chroot
@@ -1,24 +1,22 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root/git
 git clone https://github.com/jtesta/ssh-audit.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0855_dnsviz.chroot
+++ b/config/hooks/live/0855_dnsviz.chroot
@@ -1,24 +1,22 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root/git
 git clone https://github.com/dnsviz/dnsviz.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0860_sops.chroot
+++ b/config/hooks/live/0860_sops.chroot
@@ -0,0 +1,57 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 SOPS_VER="v3.11.0"
 ARCH="$(dpkg --print-architecture)"
 case "${ARCH}" in
  amd64)  SOPS_FILE="sops-${SOPS_VER}.linux.amd64" ;;
  arm64)  SOPS_FILE="sops-${SOPS_VER}.linux.arm64" ;;
  *)  echo "Unsupported arch: ${ARCH}" >&2; exit 1 ;;
 esac
 cd /tmp
 curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/${SOPS_FILE}"
 curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.txt"
 curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.pem"
 curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.sig"
 cosign verify-blob "sops-${SOPS_VER}.checksums.txt" \
  --certificate    "sops-${SOPS_VER}.checksums.pem" \
  --signature      "sops-${SOPS_VER}.checksums.sig" \
  --certificate-identity-regexp="https://github.com/getsops" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
 sha256sum -c "sops-${SOPS_VER}.checksums.txt" --ignore-missing
 install -m 0755 "${SOPS_FILE}" /usr/local/bin/sops
 sops --version --check-for-updates >| /root/.ciss/cdlb/log/sops.log
 age --version                      >| /root/.ciss/cdlb/log/age.log
 rm -f "/tmp/${SOPS_FILE}"
 rm -f "/tmp/sops-${SOPS_VER}.checksums.txt"
 rm -f "/tmp/sops-${SOPS_VER}.checksums.pem"
 rm -f "/tmp/sops-${SOPS_VER}.checksums.sig"
 chmod 0400 /root/.config/sops/age/keys.txt
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0000_generate_backup_dir.chroot
+++ b/config/hooks/live/0000_generate_backup_dir.chroot
@@ -1,27 +1,27 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
-mkdir -p /root/.ciss/dlb/backup
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-chmod 0700 /root/.ciss/dlb/backup
+export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
-mkdir -p /root/git
+wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/local/bin/yq && chmod +x /usr/local/bin/yq
-chmod 0700 /root/git
+
 yq --version
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot
+++ b/config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot
@@ -1,25 +1,37 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
-# TODO: MUST be uncommented
+umask 0077
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get install -y texinfo
 cd /root/git
-# git clone https://git.coresecret.dev/msw/CISS.debian.installer.git
+git clone https://github.com/Trepan-Debuggers/bashdb.git
 cd /root/git/bashdb
 ./autogen.sh
 make
 apt-get purge -y texinfo
 apt-get autoremove --purge -y
 apt-get autoclean -y
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0900_ufw_setup.chroot
+++ b/config/hooks/live/0900_ufw_setup.chroot
@@ -1,21 +1,20 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 declare -r UFW_OUT_POLICY="deny"
-declare -r SSHPORT="MUST_BE_SET"
+declare -r SSHPORT="SSHPORT_MUST_BE_SET"
 ufw --force reset
@@ -42,6 +41,7 @@ if [[ ${UFW_OUT_POLICY,,} == "deny"  ]]; then
  ufw allow out  443/tcp comment 'Outgoing HTTPS'
  ufw allow out  465/tcp comment 'Outgoing SMTPS'
  ufw allow out  587/tcp comment 'Outgoing SMTPS'
  ufw allow out  853/tcp comment 'Outgoing DoT'
  ufw allow out  993/tcp comment 'Outgoing IMAPS'
  ufw allow out 4460/tcp comment 'Outgoing NTS'
  ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH (Custom-Port)'
@@ -51,6 +51,7 @@ if [[ ${UFW_OUT_POLICY,,} == "deny"  ]]; then
  ufw allow out  853/udp comment 'Outgoing DoQ'
 fi
 ### Allowing ICMP IPv4 outgoing per default.
 sed -i "/# ok icmp code for FORWARD/i \# ok icmp codes for OUTPUT" /etc/ufw/before.rules
 sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" /etc/ufw/before.rules
 sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" /etc/ufw/before.rules
@@ -61,7 +62,6 @@ sed -i 's/^ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf
 ln -sf /lib/systemd/system/ufw.service /etc/systemd/system/multi-user.target.wants/ufw.service
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9900_process_accounting.chroot
+++ b/config/hooks/live/9900_process_accounting.chroot
@@ -1,33 +1,40 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get install -y acct
 if [[ ! -d /etc/systemd/system/multi-user.target.wants ]]; then
  mkdir -p /etc/systemd/system/multi-user.target.wants
 fi
 if ln -s /lib/systemd/system/acct.service /etc/systemd/system/multi-user.target.wants/acct.service; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'Process Accounting' enabled successful. \e[0m\n"
 else
  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'Process Accounting' already enabled. \e[0m\n" >&2
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9910_motd.chroot
+++ b/config/hooks/live/9910_motd.chroot
@@ -1,21 +1,20 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
-mkdir -p /root/.ciss/dlb/backup/update-motd.d
+mkdir -p /root/.ciss/cdlb/backup/update-motd.d
-cp -af /etc/update-motd.d/* /root/.ciss/dlb/backup/update-motd.d
+cp -af /etc/update-motd.d/* /root/.ciss/cdlb/backup/update-motd.d
 cat << 'EOF' >| /etc/update-motd.d/10-uname
 #!/bin/sh
@@ -24,8 +23,7 @@ EOF
 chmod 0755 /etc/update-motd.d/10-uname
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9920_deleting_invalid_x509.chroot
+++ b/config/hooks/live/9920_deleting_invalid_x509.chroot
@@ -1,21 +1,20 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt")
-declare backup_dir="/root/.ciss/dlb/backup/certificates"
+declare backup_dir="/root/.ciss/cdlb/backup/certificates"
 declare current_date
 current_date=$(date +%s)
 declare -ax expired_certificates=()
@@ -27,17 +26,24 @@ declare -ax expired_certificates=()
 #   search_dirs
 #   dir
 # Arguments:
-#  None
+#   None
 #######################################
 create_backup() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}"
  mkdir -p "${backup_dir}"
  declare dir=""
  for dir in "${search_dirs[@]}"; do
-    if [ -d "${dir}" ] && compgen -G "${dir}"/* > /dev/null; then
+
    if [[ -d "${dir}" ]] && compgen -G "${dir}"/* > /dev/null; then
      cp -r "${dir}"/* "${backup_dir}"
    fi
  done
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}"
 }
@@ -52,25 +58,32 @@ create_backup() {
 #   EXPIRED_CERTIFICATES
 #   SEARCH_DIRS
 # Arguments:
-#  None
+#   None
 #######################################
 check_certificates() {
  declare dir=""
  declare cert=""
  declare cert_date=""
  declare cert_date_seconds=""
  for dir in "${search_dirs[@]}"; do
    # shellcheck disable=SC2312
    while IFS= read -r -d '' cert; do
      cert_date=$(openssl x509 -in "${cert}" -noout -enddate | sed 's/notAfter=//')
      cert_date_seconds=$(date -d "${cert_date}" +%s)
      if [[ ${cert_date_seconds} -lt ${current_date} ]]; then
        declare -g expired_certificates+=("${cert}")
      fi
    done < <(find "${dir}" -type f \( -name "*.crt" -o -name "*.pem" \) -print0)
  done
 }
 #   done < <(find "${dir}" -type f -name "*.crt" -o -name "*.pem" -print0)
 #   done < <(find "${DIR}" -type f \( -name "*.crt" -o -name "*.pem" \) -print0)
 #######################################
 # Find and clean all ca-certificates.crt files in SEARCH_DIRS.
@@ -80,13 +93,17 @@ check_certificates() {
 #   cert
 #   line
 # Arguments:
-#  None
+#   None
 #######################################
 delete_expired_from_all_bundles() {
  declare dir bundle
  for dir in "${search_dirs[@]}"; do
    bundle="${dir}/ca-certificates.crt"
    if [[ -f ${bundle} ]]; then
      printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}"
      declare tmp_bundle="${bundle}.tmp"
      declare -a block=()
@@ -97,33 +114,57 @@ delete_expired_from_all_bundles() {
      declare line=""
      while IFS= read -r line; do
        block+=("${line}")
        if [[ ${line} == "-----END CERTIFICATE-----"   ]]; then
          cert=$(printf "%s\n" "${block[@]}")
          enddate=$(echo "${cert}" | openssl x509 -noout -enddate 2> /dev/null | sed 's/notAfter=//')
          if [[ -n ${enddate}   ]]; then
            declare cert_date_seconds=""
            cert_date_seconds=$(date -d "${enddate}" +%s)
            if [[ ${cert_date_seconds} -lt ${current_date} ]]; then
              expired=1
            else
              expired=0
            fi
          else
            expired=0
          fi
          if [[ ${expired} -eq 0 ]]; then
            printf "%s\n" "${block[@]}" >> "${tmp_bundle}"
          else
            printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅  Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}"
          fi
          block=()
        fi
      done < "${bundle}"
      mv -f "${tmp_bundle}" "${bundle}"
      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}"
    fi
  done
 }
@@ -141,30 +182,38 @@ else
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Expired certificates found:\e[0m\n"
  for exp_cert in "${expired_certificates[@]}"; do
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ '%s'. \e[0m\n" "${exp_cert}"
  done
  for exp_cert in "${expired_certificates[@]}"; do
    rm -f "${exp_cert}"
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}"
    basename=$(basename "${exp_cert}")
    mozilla_entry="mozilla/${basename%.pem}.crt"
    mozilla_entry="${mozilla_entry%.crt}.crt"
    declare ca_conf="/etc/ca-certificates.conf"
    if grep -Fxq "${mozilla_entry}" "${ca_conf}"; then
      sed -i "s|^${mozilla_entry}$|#${mozilla_entry}|" "${ca_conf}"
      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}"
    fi
  done
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache ... \e[0m\n"
  update-ca-certificates --fresh
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache done.\e[0m\n"
-  # sleep 1
+
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
+
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9930_hardening_ssh.chroot
+++ b/config/hooks/live/9930_hardening_ssh.chroot
@@ -1,39 +1,61 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
+declare _key=""
 cd /etc/ssh
 cd /etc/ssh || {
  printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
 }
 rm -rf ssh_host_*key*
-ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
+if [[ -d /root/ssh ]]; then
 ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
-awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
+  if compgen -G "/root/ssh/ssh_host_*" > /dev/null; then
-rm -rf /etc/ssh/moduli
+    mv -t /etc/ssh -- /root/ssh/ssh_host_*
-mv /etc/ssh/moduli.safe /etc/ssh/moduli
+  fi
  if compgen -G "/root/ssh/*sha256sum.txt" > /dev/null; then
    mv -t /etc/ssh -- /root/ssh/*sha256sum.txt
  fi
  rm -rf /root/ssh
 else
  # shellcheck disable=SC2312
  ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
  # shellcheck disable=SC2312
  ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
 fi
 chmod 0600 /etc/ssh/ssh_host_*_key
 chown root:root /etc/ssh/ssh_host_*_key
 chmod 0644 /etc/ssh/ssh_host_*_key.pub
 chown root:root /etc/ssh/ssh_host_*_key.pub
-chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config
+if compgen -G "/etc/ssh/*sha256sum.txt" > /dev/null; then
  chmod 0440 /etc/ssh/*sha256sum.txt
  chown root:root /etc/ssh/*sha256sum.txt
 fi
 awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
 rm -rf /etc/ssh/moduli
 mv /etc/ssh/moduli.safe /etc/ssh/moduli
 chmod 0600 /etc/ssh/sshd_config /etc/ssh/ssh_config
 touch /root/sshfp
 ssh-keygen -r @ >| /root/sshfp
 ###########################################################################################
@@ -44,7 +66,26 @@ ssh-keygen -r @ >| /root/sshfp
 # The chmod +x command ensures that the file is executed in every shell session.          #
 ###########################################################################################
 cat << 'EOF' >| /etc/profile.d/idle-users.sh
-declare -girx TMOUT=14400
+# SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 case $- in
  *i*)
    TMOUT=14400
    export TMOUT
    readonly TMOUT
  ;;
 esac
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 chmod +x /etc/profile.d/idle-users.sh
@@ -57,8 +98,24 @@ Requires=ufw.service
 EOF
 chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
 ### Final checks. Verify host keys after installation.
 if command -v ssh-keygen >/dev/null 2>&1; then
  for _key in /etc/ssh/ssh_host_*key; do
    ### Only consider regular files
    [[ -f "${_key}" ]] || continue
    ssh-keygen -lf "${_key}" >/dev/null || exit 42
    ssh-keygen -yf "${_key}" >/dev/null || exit 42
  done
 fi
 /usr/sbin/sshd -t || exit 42
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9935_hardening_ssl.chroot
+++ b/config/hooks/live/9935_hardening_ssl.chroot
@@ -0,0 +1,454 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-12-03; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 mkdir -p /root/.ciss/cdlb/backup/etc/ssl
 mv /etc/ssl/openssl.cnf /root/.ciss/cdlb/backup/etc/ssl/openssl.cnf.bak
 cat << 'EOF' >| /etc/ssl/openssl.cnf
 #
 # OpenSSL example configuration file.
 # See doc/man5/config.pod for more information.
 #
 # This is mostly being used for generation of certificate requests,
 # but may be used for autoloading of providers
 # Note that you can include other files from the main configuration
 # file using the .include directive.
 #.include filename
 openssl_conf = default_conf
 # This definition stops the following lines choking if HOME isn't
 # defined.
 HOME			= .
 # Use this to automatically load providers.
 openssl_conf = openssl_init
 # Comment out the next line to ignore configuration errors
 config_diagnostics = 1
 # Extra OBJECT IDENTIFIER information:
 # oid_file       = $ENV::HOME/.oid
 oid_section = new_oids
 # To use this configuration file with the "-extfile" option of the
 # "openssl x509" utility, name here the section containing the
 # X.509v3 extensions to use:
 # extensions		=
 # (Alternatively, use a configuration file that has only
 # X.509v3 extensions in its main [= default] section.)
 [ new_oids ]
 # We can add new OIDs in here for use by 'ca,' 'req,' and 'ts.'
 # Add a simple OID like this:
 # testoid1=1.2.3.4
 # Or use config file substitution like this:
 # testoid2=${testoid1}.5.6
 # Policies used by the TSA examples.
 tsa_policy1 = 1.2.3.4.1
 tsa_policy2 = 1.2.3.4.5.6
 tsa_policy3 = 1.2.3.4.5.7
 # For FIPS
 # Optionally include a file that is generated by the OpenSSL fipsinstall
 # application. This file contains configuration data required by the OpenSSL
 # fips provider. It contains a named section e.g., [fips_sect] which is
 # referenced from the [provider_sect] below.
 # Refer to the OpenSSL security policy for more information.
 # .include fipsmodule.cnf
 [openssl_init]
 providers = provider_sect
 # List of providers to load
 [provider_sect]
 default = default_sect
 # The fips section name should match the section name inside the
 # included fipsmodule.cnf.
 # fips = fips_sect
 # If no providers are activated explicitly, the default one is activated implicitly.
 # See man 7 OSSL_PROVIDER-default for more details.
 #
 # If you add a section explicitly activating any other provider(s), you most
 # probably need to explicitly activate the default provider, otherwise it
 # becomes unavailable in openssl.  As a consequence, applications depending on
 # OpenSSL may not work correctly, which could lead to significant system
 # problems including inability to remotely access the system.
 [default_sect]
 # activate = 1
 ####################################################################
 [ ca ]
 default_ca	= CA_default		# The default ca section
 ####################################################################
 [ CA_default ]
 dir		= ./demoCA		# Where everything is kept
 certs		= $dir/certs		# Where the issued certs are kept
 crl_dir		= $dir/crl		# Where the issued crl are kept
 database	= $dir/index.txt	# database index file.
 #unique_subject	= no			# Set to 'no' to allow creation of several certs with the same subject.
 new_certs_dir	= $dir/newcerts		# default place for new certs.
 certificate	= $dir/cacert.pem 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 crlnumber	= $dir/crlnumber	# the current crl number
 					# must be commented out to leave a V1 CRL
 crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem # The private key
 x509_extensions	= usr_cert		# The extensions to add to the cert
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
 name_opt 	= ca_default		# Subject Name options
 cert_opt 	= ca_default		# Certificate field options
 # Extension copying option: use with caution.
 # copy_extensions = copy
 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
 # so this is commented out by default to leave a V1 CRL.
 # crlnumber must also be commented out to leave a V1 CRL.
 # crl_extensions	= crl_ext
 default_days	= 365			# how long to certify for
 default_crl_days= 30			# how long before next CRL
 default_md	= default		# use public key default MD
 preserve	= no			# keep passed DN ordering
 # A few different ways of specifying how similar the request should look
 # For type CA, the listed attributes must be the same, and the optional
 # and supplied fields are just that.
 policy		= policy_match
 # For the CA policy
 [ policy_match ]
 countryName		= match
 stateOrProvinceName	= match
 organizationName	= match
 organizationalUnitName	= optional
 commonName		= supplied
 emailAddress		= optional
 # For the 'anything' policy
 # At this point in time, you must list all acceptable 'object'
 # types.
 [ policy_anything ]
 countryName		= optional
 stateOrProvinceName	= optional
 localityName		= optional
 organizationName	= optional
 organizationalUnitName	= optional
 commonName		= supplied
 emailAddress		= optional
 ####################################################################
 [ req ]
 default_bits		= 4096
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
 x509_extensions	= v3_ca	# The extensions to add to the self-signed cert
 # Passwords for private keys if not present, they will be prompted for
 # input_password = secret
 # output_password = secret
 # This sets a mask for permitted string types. There are several options.
 # default: PrintableString, T61String, BMPString.
 # pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
 # utf8only: only UTF8Strings (PKIX recommendation after 2004).
 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
 # MASK:XXXX a literal mask value.
 # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
 string_mask = utf8only
 # req_extensions = v3_req # The extensions to add to a certificate request
 [ req_distinguished_name ]
 countryName			= Country Name (2-letter code)
 countryName_default		= AU
 countryName_min			= 2
 countryName_max			= 2
 stateOrProvinceName		= State or Province Name (full name)
 stateOrProvinceName_default	= Some-State
 localityName			= Locality Name (e.g., city)
 0.organizationName		= Organization Name (e.g., company)
 0.organizationName_default	= Internet Widgits Pty Ltd
 # we can do this, but it is unnecessary normally
 #1.organizationName		= Second Organization Name (e.g., company)
 #1.organizationName_default	= World Wide Web Pty Ltd
 organizationalUnitName		= Organizational Unit Name (e.g., section)
 #organizationalUnitName_default	=
 commonName			= Common Name (e.g., server FQDN or YOUR name)
 commonName_max			= 64
 emailAddress			= Email Address
 emailAddress_max		= 64
 # SET-ex3			= SET extension number 3
 [ req_attributes ]
 challengePassword		= A challenge password
 challengePassword_min		= 4
 challengePassword_max		= 20
 unstructuredName		= An optional company name
 [ usr_cert ]
 # These extensions are added when 'ca' signs a request.
 # This goes against PKIX guidelines, but some CAs do it, and some software
 # requires this to avoid interpreting an end user certificate as a CA.
 basicConstraints=CA:FALSE
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
 # subjectAltName=email:copy
 # An alternative to produce certificates that aren't
 # deprecated, according to PKIX.
 # subjectAltName=email:move
 # Copy subject details
 # issuerAltName=issuer:copy
 # This is required for TSA certificates.
 # extendedKeyUsage = critical,timeStamping
 [ v3_req ]
 # Extensions to add to a certificate request
 basicConstraints = CA:FALSE
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 [ v3_ca ]
 # Extensions for a typical CA
 # PKIX recommendation.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
 basicConstraints = critical,CA:true
 # Key usage: this is typical for a CA certificate. However, since it will
 # prevent it being used as a test self-signed certificate, it is best
 # left out by default.
 # keyUsage = cRLSign, keyCertSign
 # Include email address in subject alt name: another PKIX recommendation
 # subjectAltName=email:copy
 # Copy issuer details
 # issuerAltName=issuer:copy
 # DER hex encoding of an extension: beware experts only!
 # obj=DER:02:03
 # Where 'obj' is a standard or added object
 # You can even override a supported extension:
 # basicConstraints= critical, DER:30:03:01:01:FF
 [ crl_ext ]
 # CRL extensions.
 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 # issuerAltName=issuer:copy
 authorityKeyIdentifier=keyid:always
 [ proxy_cert_ext ]
 # These extensions should be added when creating a proxy certificate
 # This goes against PKIX guidelines, but some CAs do it, and some software
 # requires this to avoid interpreting an end user certificate as a CA.
 basicConstraints=CA:FALSE
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
 # subjectAltName=email:copy
 # An alternative to produce certificates that aren't
 # deprecated, according to PKIX.
 # subjectAltName=email:move
 # Copy subject details
 # issuerAltName=issuer:copy
 # This really needs to be in place for it to be a proxy certificate.
 proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
 ####################################################################
 [ tsa ]
 default_tsa = tsa_config1	# the default TSA section
 [ tsa_config1 ]
 # These are used by the TSA reply generation only.
 dir		= ./demoCA		# TSA root directory
 serial		= $dir/tsaserial	# The current serial number (mandatory)
 crypto_device	= builtin		# OpenSSL engine to use for signing
 signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
 					# (optional)
 certs		= $dir/cacert.pem	# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
 signer_digest  = sha256			# Signing digest to use. (Optional)
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
 digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
 accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
 clock_precision_digits  = 0	# number of digits after dot. (optional)
 ordering		= yes	# Is ordering defined for timestamps?
 				# (optional, default: no)
 tsa_name		= yes	# Must the TSA name be included in the reply?
 				# (optional, default: no)
 ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
 				# (optional, default: no)
 ess_cert_id_alg		= sha256	# algorithm to compute certificate
 				# identifier (optional, default: sha256)
 [insta] # CMP using Insta Demo CA
 # Message transfer
 server = pki.certificate.fi:8700
 # proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
 # tls_use = 0
 path = pkix/
 # Server authentication
 recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
 ignore_keyusage = 1 # quirk needed to accept Insta CA cert not including digitalsignature
 unprotected_errors = 1 # quirk needed to accept negative responses possibly not protected
 extracertsout = insta.extracerts.pem
 # Client authentication
 ref = 3078 # user identification
 secret = pass:insta # can be used for both client and server side
 # Generic message options
 cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
 # Certificate enrollment
 subject = "/CN=openssl-cmp-test"
 newkey = insta.priv.pem
 out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature
 certout = insta.cert.pem
 [pbm] # Password-based protection for Insta CA
 # Server and client authentication
 ref = $insta::ref # 3078
 secret = $insta::secret # pass:insta
 [signature] # Signature-based protection for Insta CA
 # Server authentication
 trusted = $insta::out_trusted # apps/insta.ca.crt
 # Client authentication
 secret = # disable the PBM
 key = $insta::newkey # insta.priv.pem
 cert = $insta::certout # insta.cert.pem
 [ir]
 cmd = ir
 [cr]
 cmd = cr
 [kur]
 # Certificate update
 cmd = kur
 oldcert = $insta::certout # insta.cert.pem
 [rr]
 # Certificate revocation
 cmd = rr
 oldcert = $insta::certout # insta.cert.pem
 ##### Added by CISS.debian.live.builder #####
 [default_conf]
 ssl_conf = ssl_sect
 [ssl_sect]
 system_default = system_default_sect
 [system_default_sect]
 # Protocol floor / ceiling:
 # - only TLS 1.2 and 1.3.
 # - TLS 1.3 is FS by design;
 # - TLS 1.2 FS enforced via the cipher list.
 MinProtocol = TLSv1.2
 MaxProtocol = TLSv1.3
 # TLS 1.2 cipher policy:
 # - Forward secrecy only: ECDHE or DHE (no static RSA kx);
 # - AES-256 *GCM* only (no DHE (dheatattack), no AES-128, no CBC);
 # - Keep distro default SECLEVEL=2 explicitly.
 CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:ECDHE+ARIA256-GCM:ECDHE+CAMELLIA256-GCM:!kRSA:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2
 # TLS 1.3 cipher policy: AES-256 and ChaCha20-Poly1305 only:
 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
 # Prefer strong, widely supported ECDHE groups (first = most preferred):
 Groups = X448:P-521:P-384
 SignatureAlgorithms = rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
 # Operational flags:
 # -SessionTicket  : disable TLS session tickets (TLS 1.2 + 1.3)
 # ServerPreference: honor server cipher order (TLS 1.2)
 # NoRenegotiation : disallow TLS 1.2 renegotiation
 Options = -SessionTicket,ServerPreference,NoRenegotiation
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9940_hardening_memory.dump.chroot
+++ b/config/hooks/live/9940_hardening_memory.dump.chroot
@@ -1,37 +1,88 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
-cp -u /etc/security/limits.conf /root/.ciss/dlb/backup/limits.conf.bak
+cp -u /etc/security/limits.conf /root/.ciss/cdlb/backup/limits.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/limits.conf.bak
+chmod 0644 /root/.ciss/cdlb/backup/limits.conf.bak
 sed -i "/#*               soft    core            0/ i\*               soft    core            0" /etc/security/limits.conf
 sed -i "/#root            hard    core            100000/ i\*               hard    core            0" /etc/security/limits.conf
-if [[ ! -d /etc/systemd/coredump.conf.d ]]; then
+### Comment any existing active core settings to avoid conflicts, both soft/hard, any domain including "*".
-  mkdir -p /etc/systemd/coredump.conf.d
+sed -i -E '
-fi
+/^[[:space:]]*\*[[:space:]]+soft[[:space:]]+core[[:space:]]+0[[:space:]]*$/d
 /^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0[[:space:]]*$/d
 /^[[:space:]]*#\*               soft    core            0$/d
 /^[[:space:]]*#root            hard    core            100000$/d
 /^[[:space:]]*#\*               hard    rss             10000$/d
 /^[[:space:]]*#@student        hard    nproc           20$/d
 /^[[:space:]]*#@faculty        soft    nproc           20$/d
 /^[[:space:]]*#@faculty        hard    nproc           50$/d
 /^[[:space:]]*#ftp             hard    nproc           0$/d
 /^[[:space:]]*#ftp             -       chroot          \/ftp$/d
 /^[[:space:]]*#@student        -       maxlogins       4$/d
 /^[[:space:]]*# End of file/i\
 *               soft    core            0\
 *               hard    core            0
 ' /etc/security/limits.conf
 mkdir -p /etc/systemd/coredump.conf.d
 mkdir -p /etc/security/limits.d
 cat << EOF >| /etc/security/limits.d/9999-ciss-coredump-disable.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 *               soft    core            0
 *               hard    core            0
 root            soft    core            0
 root            hard    core            0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 chmod 0644 /etc/security/limits.d/9999-ciss-coredump-disable.conf
 cat << EOF >| /etc/systemd/coredump.conf.d/9999-ciss-coredump-disable.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 touch /etc/systemd/coredump.conf.d/disable.conf
 chmod 0644 /etc/systemd/coredump.conf.d/disable.conf
 cat << EOF >| /etc/systemd/coredump.conf.d/disable.conf
 [Coredump]
 Storage=none
 ProcessSizeMax=0
 ExternalSizeMax=0
 JournalSizeMax=0
 MaxUse=0
 KeepFree=0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 chmod 0644 /etc/systemd/coredump.conf.d/9999-ciss-coredump-disable.conf
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9950_fail2ban_hardening.chroot
+++ b/config/hooks/live/9950_fail2ban_hardening.chroot
@@ -1,148 +0,0 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
 cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/dlb/backup/fail2ban.conf.bak
 chmod 0644 /root/.ciss/dlb/backup/fail2ban.conf.bak
 ### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
 sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
 mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
 chmod 0644 /root/.ciss/dlb/backup/defaults-debian.conf.bak
 cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 [DEFAULT]
 usedns    = yes
 # local | vpn
 ignoreip  = 127.0.0.0/8 ::1 MUST_BE_SET
 maxretry  = 8
 findtime  = 24h
 bantime   = 24h
 ### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
 ###               Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]
 [sshd]
 enabled   = true
 backend   = systemd
 filter    = sshd
 mode      = normal
 port      = MUST_BE_SET
 protocol  = tcp
 logpath   = /var/log/auth.log
 maxretry  = 4
 findtime  = 24h
 bantime   = 24h
 [sshd-refused]
 enabled   = true
 filter    = sshd-refused
 port      = MUST_BE_SET
 protocol  = tcp
 logpath   = /var/log/auth.log
 maxretry  = 1
 findtime  = 24h
 bantime   = 24h
 # ufw aggressive approach:
 # Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
 # Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after one attempt.
 [ufw]
 enabled   = true
 filter    = ufw.aggressive
 action    = iptables-allports
 logpath   = /var/log/ufw.log
 maxretry  = 1
 findtime  = 24h
 bantime   = 24h
 protocol  = tcp,udp
 EOF
 cat << EOF >| /etc/fail2ban/filter.d/ufw.aggressive.conf
 [Definition]
 failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*
 EOF
 cat << EOF >| /etc/fail2ban/filter.d/sshd-refused.conf
 [Definition]
 failregex = ^refused connect from \S+ \(<HOST>\)
 EOF
 ###########################################################################################
 # Remarks: hardening of fail2ban systemd                                                  #
 ###########################################################################################
 # https://wiki.archlinux.org/title/fail2ban#Service_hardening                             #
 # The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read  #
 # access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to     #
 # operate # on any firewall that has a command-line shell interface. By using             #
 # ProtectSystem=strict the filesystem hierarchy will only be read-only; ReadWritePaths    #
 # allows Fail2ban to have write access on required paths.                                 #
 ###########################################################################################
 mkdir -p /etc/systemd/system/fail2ban.service.d
 mkdir /var/log/fail2ban
 cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
 [Service]
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectHome=read-only
 ProtectSystem=strict
 ReadWritePaths=-/var/run/fail2ban
 ReadWritePaths=-/var/lib/fail2ban
 ReadWritePaths=-/var/log/fail2ban
 ReadWritePaths=-/var/spool/postfix/maildrop
 ReadWritePaths=-/run/xtables.lock
 CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
 ### Added by CISS.debian.live.builder
 ProtectClock=true
 ProtectHostname=true
 EOF
 cat << 'EOF' >> /etc/fail2ban/fail2ban.local
 [Definition]
 logtarget = /var/log/fail2ban/fail2ban.log
 EOF
 ###########################################################################################
 # Remarks: Logrotate must be updated either                                               #
 ###########################################################################################
 cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
 sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
 touch /var/log/fail2ban/fail2ban.log
 chmod 640 /var/log/fail2ban/fail2ban.log
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9950_hardening_fail2ban.chroot
+++ b/config/hooks/live/9950_hardening_fail2ban.chroot
@@ -0,0 +1,241 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 cd /root
 cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/cdlb/backup/fail2ban.conf.bak
 chmod 0400 /root/.ciss/cdlb/backup/fail2ban.conf.bak
 ### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
 sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
 mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/cdlb/backup/defaults-debian.conf.bak
 chmod 0400 /root/.ciss/cdlb/backup/defaults-debian.conf.bak
 cat << EOF >| /etc/fail2ban/jail.d/ciss-default.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 [DEFAULT]
 banaction             = nftables-multiport
 banaction_allports    = nftables-allports
 dbpurgeage            = 384d
 #                       127.0.0.1/8 - IPv4 loopback range (local host)
 #                       ::1/128     - IPv6 loopback
 #                       fe80::/10   - IPv6 link-local (on-link only; NDP/RA/DAD)
 #                       ff00::/8    - IPv6 multicast (not an unicast host)
 #                       ::/128      - IPv6 unspecified (all zeros; never a real peer)
 ignoreip              = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 IGNORE_IP_MUST_BE_SET
 usedns                = yes
 [recidive]
 enabled               = true
 banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
 bantime               = 8d
 bantime.increment     = true
 bantime.factor        = 1
 bantime.maxtime       = 128d
 bantime.multipliers   = 1 2 4 8 16
 bantime.overalljails  = true
 bantime.rndtime       = 877s
 filter                = recidive
 findtime              = 16d
 logpath               = /var/log/fail2ban/fail2ban.log*
 maxretry              = 2
 ### SSH Handling:     Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
 ###                   Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]
 [sshd]
 enabled               = true
 backend               = systemd
 bantime               = 1h
 bantime.increment     = true
 bantime.factor        = 1
 bantime.maxtime       = 16d
 bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
 bantime.overalljails  = true
 bantime.rndtime       = 877s
 filter                = sshd
 findtime              = 16m
 maxretry              = 4
 mode                  = aggressive
 port                  = PORT_MUST_BE_SET
 protocol              = tcp
 [sshd-refused]
 enabled               = true
 bantime               = 1h
 bantime.increment     = true
 bantime.factor        = 1
 bantime.maxtime       = 16d
 bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
 bantime.overalljails  = true
 bantime.rndtime       = 877s
 filter                = ciss-sshd-refused
 findtime              = 16m
 logpath               = /var/log/auth.log
 maxretry              = 1
 port                  = PORT_MUST_BE_SET
 protocol              = tcp
 #
 # CISS aggressive approach:
 # Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
 # Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
 #
 [ufw]
 enabled               = true
 banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
 bantime               = 1h
 bantime.increment     = true
 bantime.factor        = 1
 bantime.maxtime       = 16d
 bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
 bantime.overalljails  = true
 bantime.rndtime       = 877s
 filter                = ciss-ufw
 findtime              = 16m
 logpath               = /var/log/ufw.log
 maxretry              = 1
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 cat << EOF >| /etc/fail2ban/filter.d/ciss-ufw.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 [Definition]
 # Match UFW BLOCK/REJECT with a source IP and *any* port field (SPT or DPT), protocol may be missing.
 failregex             = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?(?:\bDPT=\d+\b|\bSPT=\d+\b).*$
 ignoreregex           =
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-sshd-refused.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 [Definition]
 failregex = ^refused connect from \S+ \(<HOST>\)
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 ###########################################################################################
 # Remarks: hardening of fail2ban systemd                                                  #
 ###########################################################################################
 # https://wiki.archlinux.org/title/fail2ban#Service_hardening                             #
 # The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read  #
 # access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to     #
 # operate # on any firewall that has a command-line shell interface. By using             #
 # ProtectSystem=strict the filesystem hierarchy will only be read-only; ReadWritePaths    #
 # allows Fail2ban to have write access on required paths.                                 #
 ###########################################################################################
 mkdir -p /etc/systemd/system/fail2ban.service.d
 mkdir -p /var/log/fail2ban
 cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
 [Service]
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectHome=read-only
 ProtectSystem=strict
 ReadWritePaths=-/var/run/fail2ban
 ReadWritePaths=-/var/lib/fail2ban
 ReadWritePaths=-/var/log/fail2ban
 ReadWritePaths=-/var/spool/postfix/maildrop
 ReadWritePaths=-/run/xtables.lock
 CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
 ### Added by CISS.debian.live.builder
 ProtectClock=true
 ProtectHostname=true
 EOF
 cat << 'EOF' >> /etc/fail2ban/fail2ban.local
 [Definition]
 logtarget             = /var/log/fail2ban/fail2ban.log
 [Database]
 # Keep entries for at least 384 days to cover recidive findtime.
 dbpurgeage            = 384d
 EOF
 ###########################################################################################
 # Remarks: Logrotate must be updated either                                               #
 ###########################################################################################
 cp -a /etc/logrotate.d/fail2ban /root/.ciss/cdlb/backup/fail2ban_logrotate.bak
 cat << EOF >| /etc/logrotate.d/fail2ban
 /var/log/fail2ban/fail2ban.log {
    daily
    rotate 384
    maxage 384
    notifempty
    dateext
    dateyesterday
    compress
    compresscmd /usr/bin/zstd
    compressext .zst
    compressoptions -20
    uncompresscmd /usr/bin/unzstd
    delaycompress
    shred
    missingok
    postrotate
        fail2ban-client flushlogs 1>/dev/null
    endscript
    # If fail2ban runs as non-root it still needs to have write access
    # to logfiles.
    # create 640 fail2ban adm
    create 640 root adm
 }
 EOF
 touch /var/log/fail2ban/fail2ban.log
 chmod 0640 /var/log/fail2ban/fail2ban.log
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9960_disable_services.chroot
+++ b/config/hooks/live/9960_disable_services.chroot
@@ -1,18 +1,17 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 ###########################################################################################
 # Remarks: Turn off Energy saving mode and ctrl-alt-del                                   #
@@ -25,7 +24,6 @@ done
 unset target
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9970_remove_exim.chroot
+++ b/config/hooks/live/9970_remove_exim.chroot
@@ -1,32 +1,32 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
+
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 cd /etc
-apt-get purge exim4 -y
+apt-get purge exim4 exim4-base exim4-config -y
 apt-get purge exim4-base -y
 apt-get purge exim4-config -y
 apt-get autoremove -y
 apt-get autoclean -y
 apt-get autopurge -y
 apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config
-apt-get update -y
+apt-get update -qq
 apt-get upgrade -y
 if [[ -d /etc/exim4 ]]; then
@@ -34,7 +34,6 @@ if [[ -d /etc/exim4 ]]; then
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9980_usb_guard.chroot
+++ b/config/hooks/live/9980_usb_guard.chroot
@@ -1,45 +1,47 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get install -y usbguard
-# sleep 1
+### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
 # Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
 touch /tmp/rules.conf
 usbguard generate-policy >> /tmp/rules.conf
 if [[ -f /etc/usbguard/rules.conf && -s /etc/usbguard/rules.conf ]]; then
-  mv /etc/usbguard/rules.conf /root/.ciss/dlb/backup/usbguard_rules.conf.bak
+
  mv /etc/usbguard/rules.conf /root/.ciss/cdlb/backup/usbguard_rules.conf.bak
  cp -a /tmp/rules.conf /etc/usbguard/rules.conf
  chmod 0600 /etc/usbguard/rules.conf
 else
  rm -f /etc/usbguard/rules.conf
  cp -a /tmp/rules.conf /etc/usbguard/rules.conf
  chmod 0600 /etc/usbguard/rules.conf
 fi
-cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/dlb/backup/usbguard-daemon.conf.bak
+cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/cdlb/backup/usbguard-daemon.conf.bak
-sed -i "s/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/" /etc/usbguard/usbguard-daemon.conf
+#sed -i "s/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/" /etc/usbguard/usbguard-daemon.conf
 # sleep 1
 rm -f /tmp/rules.conf
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9990_final_purge.chroot
+++ b/config/hooks/live/9990_final_purge.chroot
@@ -1,47 +1,55 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
-apt-get update -y
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
+export DEBIAN_FRONTEND="noninteractive"
-#sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
+export INITRD="No"
-apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
+apt-get update -qq
-#sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
+
 apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config postfix-mta-sts-resolver postfix qemu-guest-agent rmail
 apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config postfix-mta-sts-resolver postfix qemu-guest-agent rmail
 dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true
 if [[ -s /tmp/deinstall.log ]]; then
  printf "\n"
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Packages to purge ... \e[0m\n"
  sed -i 's!deinstall!!' /tmp/deinstall.log
  while IFS= read -r line; do
    declare trimmed_string
-    trimmed_string=$(echo "$line" | awk '{$1=$1};1')
+    trimmed_string=$(echo "${line}" | awk '{$1=$1};1')
    echo "y" | apt-get purge "${trimmed_string}"
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Package '%s' purged. \e[0m\n" "${trimmed_string}"
-    # sleep 1
+
  done < /tmp/deinstall.log
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Packages to purge done. \e[0m\n"
 else
  printf "\n"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Packages to purge, proceeding with clean up. \e[0m\n"
 fi
 apt-get update -y
 apt-get upgrade -y
 rm -f /tmp/deinstall.log
@@ -52,8 +60,7 @@ apt-get autopurge -y
 updatedb
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9991_file_permissions.chroot
+++ b/config/hooks/live/9991_file_permissions.chroot
@@ -1,26 +1,25 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 chmod 0644 /etc/banner
 chmod 0644 /etc/issue
 chmod 0644 /etc/issue.net
 if [[ -f /etc/motd ]]; then
-  cp -a /etc/motd /root/.ciss/dlb/backup/motd.bak
+  cp -a /etc/motd /root/.ciss/cdlb/backup/motd.bak
-  chmod 0644 /root/.ciss/dlb/backup/motd.bak
+  chmod 0644 /root/.ciss/cdlb/backup/motd.bak
  rm /etc/motd
 fi
@@ -37,7 +36,7 @@ cat << EOF >| /etc/motd
 EOF
-cp -a /etc/login.defs /root/.ciss/dlb/backup/login.defs.bak
+cp -a /etc/login.defs /root/.ciss/cdlb/backup/login.defs.bak
 sed -ri 's/^(#?LOGIN_TIMEOUT)[[:space:]]+[0-9]+/\1 180/' /etc/login.defs
 sed -i 's/UMASK		022/UMASK		077/' /etc/login.defs
@@ -55,8 +54,8 @@ fi
 if [[ -f /etc/cron.allow ]]; then
  cp -u /etc/cron.allow /root/.backup/cron.allow.bak
-  chmod 644 /root/.backup/cron.allow.bak
+  chmod 0644 /root/.backup/cron.allow.bak
-  chmod 600 /etc/cron.allow
+  chmod 0600 /etc/cron.allow
  cat << EOF >| /etc/cron.allow
 root
 EOF
@@ -99,8 +98,18 @@ for bin in as gcc g++ cc clang; do
 done
 unset bin target
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
+###    Directories: 0700
-# sleep 1
+find /root -type d -exec chmod 0700 {} +
 ###    Executable files: 0700 (any x-bit set)
 find /root -type f -perm /111 -exec chmod 0700 {} +
 ###    Non-executable files: 0600
 find /root -type f ! -perm /111 -exec chmod 0600 {} +
 ###    Ownership: UID:GID (do not dereference symlinks; stay on this filesystem)
 find /root -xdev -exec chown -h root:root {} +
 rm -f /etc/tmpfiles.d/legacy.conf
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9992_password_expiration.chroot
+++ b/config/hooks/live/9992_password_expiration.chroot
@@ -1,42 +1,127 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 #######################################
 # Iterates all '/etc/shadow' entries and sets:
 #   4=min age=0, 5=max age=16384, 6=warn=128, 7=inactive=42, 8=expire=17.09.2102
 #   Safe: creates a timestamped backup and (if available) locks '/etc/.pwd.lock'.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 update_shadow() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_shadow="/etc/shadow"
  declare -r  var_backup="/root/.ciss/cdlb/backup/etc/shadow.$(date +%s).bak"
  declare -r  var_temp="${var_shadow}.new.$$"
  declare -r  var_exp_dt="17.09.2102"
  declare     var_exp_ds=""
  mkdir -p "/root/.ciss/cdlb/backup/etc"
  var_exp_ds="$(
    awk -v d="${var_exp_dt}" 'BEGIN{
      # Force UTC to avoid DST/timezone off-by-one errors
      ENVIRON["TZ"]="UTC";
      if (match(d, /^([0-9]{2})\.([0-9]{2})\.([0-9]{4})$/, a)) {
        dd=a[1]+0; mm=a[2]+0; yyyy=a[3]+0;
        sec = mktime(sprintf("%04d %02d %02d 00 00 00 0", yyyy, mm, dd));
        if (sec < 0) { print "ERR"; exit 1 }
        print int(sec/86400);
        exit 0
      } else { print "ERR"; exit 1 }
    }'
  )" || return 42
  # shellcheck disable=SC2249
  case "${var_exp_ds}" in
    ''|*ERR*)
      return 127
      ;;
  esac
  umask 0077
  cp --preserve=mode,ownership "${var_shadow}" "${var_backup}"
  ### Rewrite fields 4..8 for every line
  ### Preserve fields 1..3 and 9, keep password hashes untouched.
  ### Pad to 9 fields if shorter; keep empty lines intact (rare but safe).
  awk -v FS=":" -v OFS=":" -v v_exp="${var_exp_ds}" '
    NF==0 { print; next }                      # preserve blank lines verbatim
    {
      # pad missing trailing fields to 9
      for (i=NF+1; i<=9; i++) $i="";
      $4=0; $5=16384; $6=128; $7=42; $8=v_exp; # set required fields
      print
    }
  ' "${var_backup}" >| "${var_temp}"
  ### Defensive: ensure non-empty output.
  if [[ ! -s "${var_temp}" ]]; then
    rm -f "${var_temp}"
    return 42
  fi
  ### Preserve owner/mode (fallback to 0640 root:shadow if reference fails).
  chown --reference="${var_shadow}" "${var_temp}" 2>/dev/null || chown root:shadow "${var_temp}" 2>/dev/null || true
  chmod --reference="${var_shadow}" "${var_temp}" 2>/dev/null || chmod 0640 "${var_temp}" 2>/dev/null || true
  ### Atomic replace.
  mv -f "${var_temp}" "${var_shadow}"
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f update_shadow
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 if ! command -v chage &>/dev/null; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-  # sleep 1
+
  exit 0
 fi
 declare -i max_days=16384
 # shellcheck disable=SC2312
 mapfile -t users_to_update < <(
  awk -F: '$2 !~ /^[!*]/ { print $1 }' /etc/shadow
 )
 if [[ ${#users_to_update[@]} -eq 0 ]]; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-  # sleep 1
+
  exit 0
 fi
 declare user
 for user in "${users_to_update[@]}"; do
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}"
-  chage --maxdays "$max_days" "$user"
+  chage --maxdays "${max_days}" "${user}"
 done
 unset max_days user users_to_update
@@ -45,8 +130,9 @@ awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ All applicable accounts have been updated. \e[0m\n"
 update_shadow
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9993_aide.chroot
+++ b/config/hooks/live/9993_aide.chroot
@@ -1,32 +1,37 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get install -y aide > /dev/null 2>&1
-cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
+cp -u /etc/aide/aide.conf /root/.ciss/cdlb/backup/aide.conf.bak
 sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf
 if aideinit > /dev/null 2>&1; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'aideinit' successful. \e[0m\n"
 else
  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'aideinit' NOT successful. \e[0m\n" >&2
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9994_password_policy.chroot
+++ b/config/hooks/live/9994_password_policy.chroot
@@ -1,11 +1,11 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -13,22 +13,24 @@
 ### NIST recommends at least eight characters but advises longer passphrases (e.g., 12-64) for increased security.
 ### NIST SP 800-63B, https://pages.nist.gov/800-63-3/sp800-63b.html
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
-cp -a /etc/security/pwquality.conf /root/.ciss/dlb/backup/pwquality.conf.bak
+# shellcheck disable=SC2155
-chmod 0644 /root/.ciss/dlb/backup/pwquality.conf.bak
+declare -r VAR_DATE="$(date +%F)"
-cat << 'EOF' >| /etc/security/pwquality.conf
+cp -a /etc/security/pwquality.conf /root/.ciss/cdlb/backup/pwquality.conf.bak
 chmod 0644 /root/.ciss/cdlb/backup/pwquality.conf.bak
 cat << EOF >| /etc/security/pwquality.conf
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -129,7 +131,6 @@ local_users_only
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9995_sysstat.chroot
+++ b/config/hooks/live/9995_sysstat.chroot
@@ -1,23 +1,21 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9996_auditd.chroot
+++ b/config/hooks/live/9996_auditd.chroot
@@ -1,47 +1,73 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### https://github.com/linux-audit/audit-userspace/tree/master/rules
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 #######################################
 # Simple error terminal logger.
 # Arguments:
 #   None
 #######################################
 log() { printf '[auditd-build] %s\n' "${*}" >&2; }
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
-apt-get install auditd -y
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get install -y auditd
-cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak
+cp -u /etc/audit/audit.rules /root/.ciss/cdlb/backup/audit.rules.bak
-cp -u /etc/audit/auditd.conf /root/.ciss/dlb/backup/auditd.conf.bak
+cp -u /etc/audit/auditd.conf /root/.ciss/cdlb/backup/auditd.conf.bak
-cp -u /etc/audit/rules.d/audit.rules /root/.ciss/dlb/backup/rules_d_audit.rules.bak
+cp -u /etc/audit/rules.d/audit.rules /root/.ciss/cdlb/backup/rules_d_audit.rules.bak
 rm -rf /etc/audit/rules.d/audit.rules
-############################################################### /etc/audit/rules.d/10-base-config.rules
+############################################################### /etc/audit/rules.d/00-base-config.rules
-cat << EOF >| /etc/audit/rules.d/10-base-config.rules
+cat << EOF >| /etc/audit/rules.d/00-base-config.rules
 ## First rule - delete all
 -D
 ## Increase the buffers to survive stress events.
-## Make this bigger for busy systems
+## Make this bigger for busy systems.
-b 8192
+-b 16384
-## This determine how long to wait in burst of events
+## Rate Limit. Cap kernel->userspace message rate (0 = unlimited).
--backlog_wait_time 60000
+-r 200
-## Set failure mode to syslog
+## This determine how long to wait in burst of events. How long to wait in bursts (us).
 --backlog_wait_time 1024
 ## Set failure mode to syslog.
 -f 1
 EOF
 ############################################################### /etc/audit/rules.d/10-ciss-noise-floor.rules
 cat << EOF >| /etc/audit/rules.d/10-ciss-noise-floor.rules
 ## Ignore kernel/daemon noise without a loginuid (unset = 4294967295).
 -a never,exit -F auid=4294967295
 ## Make privileged exec tracing user-initiated only (no boot-time daemons).
 -a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k exec_root
 -a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k exec_root
 ## (Optional, same principle for suid/sgid transitions).
 -a always,exit -F arch=b64 -S execve -C uid!=euid -F auid>=1000 -F auid!=-1 -k exec_suid_sgid
 -a always,exit -F arch=b32 -S execve -C uid!=euid -F auid>=1000 -F auid!=-1 -k exec_suid_sgid
 EOF
 ############################################################### /etc/audit/rules.d/11-loginuid.rules
 cat << EOF >| /etc/audit/rules.d/11-loginuid.rules
 --loginuid-immutable
@@ -84,6 +110,17 @@ cat << EOF >| /etc/audit/rules.d/22-ignore-chrony.rules
 -a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony
 EOF
 ############################################################### /etc/audit/rules.d/25-ciss-exec.rules
 cat << EOF >| /etc/audit/rules.d/25-ciss-exec.rules
 ## Focus on privileged exec, not every user command
 -a always,exit -F arch=b64 -S execve -F euid=0 -k exec_root
 -a always,exit -F arch=b32 -S execve -F euid=0 -k exec_root
 -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -k exec_sudo
 -a always,exit -F arch=b32 -S execve -F exe=/usr/bin/sudo -k exec_sudo
 -a always,exit -F arch=b64 -S execve -C uid!=euid -k exec_suid_sgid
 -a always,exit -F arch=b32 -S execve -C uid!=euid -k exec_suid_sgid
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
 ## Unsuccessful file creation (open with O_CREAT)
@@ -101,17 +138,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
 -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
 ## Successful file creation (open with O_CREAT)
 -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
 ## Unsuccessful file modifications (open for write or truncate)
@@ -129,17 +155,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
 -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
 ## Successful file modifications (open for write or truncate)
 -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
 ## Unsuccessful file access (any other opens) This has to go last.
@@ -149,14 +164,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
 -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
 ## Successful file access (any other opens) This has to go last.
 ## These next two are likely to result in a whole lot of events
 -a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
 -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
 ## Unsuccessful file delete
@@ -166,13 +173,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
 -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
 ## Successful file delete
 -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
 -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
 ## Unsuccessful permission change
@@ -182,13 +182,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
 -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
 ## Successful permission change
 -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
 -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
 ## Unsuccessful ownership change
@@ -198,13 +191,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
 -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
 ## Successful ownership change
 -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
 -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42.rules
 ## The purpose of these rules is to meet the requirements for Operating
@@ -330,8 +316,65 @@ cat << EOF >| /etc/audit/rules.d/99-finalize.rules
 -e 2
 EOF
 shopt -s nullglob
 rules=(/etc/audit/rules.d/*.rules)
 if (( ${#rules[@]} == 0 )); then
  log "ERROR: /etc/audit/rules.d is empty. Seed rules before this hook."
  exit 127
 fi
 if ! /sbin/augenrules --check >/dev/null 2>&1; then
  log "ERROR: augenrules --check failed. Fix the /etc/audit/rules.d/*.rules first."
  exit 128
 fi
 # shellcheck disable=2155
 declare tmp="$(mktemp)"
 printf '%s\0' "${rules[@]}" \
  | xargs -0 -I{} basename "{}" \
  | sort -V \
  | while read -r fname; do
    f="/etc/audit/rules.d/${fname}"
    ### Normalize CRLF and strip UTF-8 BOM.
    sed -e 's/\r$//' -e '1s/^\xEF\xBB\xBF//' "${f}" >> "${tmp}"
    printf '\n' >> "${tmp}"
  done
 # shellcheck disable=2155
 declare tmp_stripped="$(mktemp)"
 sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "${tmp}" >| "${tmp_stripped}"
 sed -E 's/[[:space:]]+#.*$//' -i "${tmp_stripped}"
 install -m 0600 -o root -g root "${tmp_stripped}" /etc/audit/audit.rules
 rm -f "${tmp}" "${tmp_stripped}"
 if ! grep -Eq '(^-a|^-w|^-e[[:space:]]+1|^-e[[:space:]]+2)' /etc/audit/audit.rules; then
  log "WARN: /etc/audit/audit.rules contains no -a/-w rules or '-e 1/2'; is this intended?"
 fi
 log "Done. /etc/audit/audit.rules generated at build-time (no kernel load)."
 mkdir -p /etc/systemd/system/audit-rules.service.d
 cat << EOF >| /etc/systemd/system/audit-rules.service.d/10-ciss.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 [Service]
 ExecStart=
 ExecStart=/usr/sbin/augenrules --load
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9997_debsums.chroot
+++ b/config/hooks/live/9997_debsums.chroot
@@ -1,36 +1,41 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
-apt-get install --no-install-recommends debsums -y
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 apt-get install -y --no-install-recommends debsums
-cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak
+cp -a /etc/default/debsums /root/.ciss/cdlb/backup/debsums.bak
-chmod 0644 /root/.ciss/dlb/backup/debsums.bak
+chmod 0644 /root/.ciss/cdlb/backup/debsums.bak
 sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
 if debsums -g > /dev/null 2>&1; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'debsums -g' successful. \e[0m\n"
 else
  # Omit false negative error output to stdout and stderr, as no problematic errors occur on startup.
  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'debsums -g' NOT successful. \e[0m\n"  > /dev/null 2>&1
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9998_sources_list_bookworm.chroot
+++ b/config/hooks/live/9998_sources_list_bookworm.chroot
@@ -1,59 +0,0 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
 if [[ -f /etc/apt/sources.list ]]; then
  mv /etc/apt/sources.list /root/.ciss/dlb/backup/sources.list.bak
 fi
 cat << 'EOF' >| /etc/apt/sources.list
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 #-----------------------------------------------------------------------------------------#
 #                                  OFFICIAL DEBIAN REPOS
 #-----------------------------------------------------------------------------------------#
 ### Debian Main Repos Bookworm
 deb https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
 deb-src https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
 deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
 deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
 deb https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
 deb-src https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
 deb https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
 deb-src https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9998_sources_list_trixie.chroot
+++ b/config/hooks/live/9998_sources_list_trixie.chroot
@@ -5,14 +5,20 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
+
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
 cd /root
@@ -29,12 +35,12 @@ EOF
 if [[ ! -f /etc/apt/sources.list.d/trixie.sources ]]; then
  cat << EOF >| /etc/apt/sources.list.d/trixie.sources
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -52,12 +58,12 @@ fi
 if [[ ! -f /etc/apt/sources.list.d/trixie-security.sources ]]; then
  cat << EOF >| /etc/apt/sources.list.d/trixie-security.sources
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -75,12 +81,12 @@ fi
 if [[ ! -f /etc/apt/sources.list.d/trixie-updates.sources ]]; then
 cat << EOF >| /etc/apt/sources.list.d/trixie-updates.sources
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -99,12 +105,12 @@ fi
 if [[ ! -f /etc/apt/sources.list.d/trixie-backports.sources ]]; then
  cat << EOF >| /etc/apt/sources.list.d/trixie-backports.sources
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -119,8 +125,12 @@ Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 EOF
 fi
 apt-get update -qq
 apt-get dist-upgrade -y        # (= apt full-upgrade) allow installs/replacements/removals.
 apt-get autoremove --purge -y  # 'autopurge' == 'autoremove --purge'.
 apt-get clean -y               # Stronger than autoclean: removes the entire '.deb'-cache.
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/Show More
+++ b/Show More