V8.13.392.2025.11.07

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-07 23:33:29 +01:00 · 2025-11-07 23:21:30 +01:00 · 2025-11-07 21:41:55 +00:00 · 2025-11-07 22:40:46 +01:00 · 2025-11-07 22:37:57 +01:00 · 2025-11-07 21:05:40 +00:00
176 changed files with 6532 additions and 2095 deletions
--- a/.archive/.0000_lib_usage.sh
+++ b/.archive/.0000_lib_usage.sh
@@ -21,7 +21,7 @@ usage() {
  clear
  cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.13.142.2025.10.14\e[0m")
+$(echo -e "\e[92mMaster V8.13.392.2025.11.07\e[0m")
 $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
--- a/.archive/0002_verify_checksums.chroot
+++ b/.archive/0002_verify_checksums.chroot
@@ -0,0 +1,248 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 target="/usr/lib/live/boot/0030-verify-checksums"
 src="$(mktemp)"
 if [[ ! -d /usr/lib/live/boot ]]; then
  mkdir -p /usr/lib/live/boot
 fi
 cat << 'EOF' >| "${src}"
 #!/bin/sh
 # bashsupport disable=BP5007
 # shellcheck shell=sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: GPL-3.0-or-later
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Modified Version of the original file:
 ### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
 ### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
 #######################################
 # Modified checksum-integrity and authenticity-verification-script for continuing the boot process.
 # Globals:
 #   LIVE_BOOT_CMDLINE
 #   _TTY
 # Arguments:
 #   1: _MOUNTPOINT
 # Returns:
 #   0 : Successful verification
 #######################################
 Verify_checksums() {
  _MOUNTPOINT="${1}"
  _TTY="/dev/tty8"
  LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
  LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"
  for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
    case "${_PARAMETER}" in
      live-boot.verify-checksums=* | verify-checksums=*)
        LIVE_VERIFY_CHECKSUMS="true"
        LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
        ;;
      live-boot.verify-checksums | verify-checksums)
        LIVE_VERIFY_CHECKSUMS="true"
        ;;
      live-boot.verify-checksums-signatures | verify-checksums-signatures)
        LIVE_VERIFY_CHECKSUMS_SIGNATURES="true"
        ;;
    esac
  done
  case "${LIVE_VERIFY_CHECKSUMS}" in
    true)
      :
      ;;
    *)
      return 0
      ;;
  esac
  # shellcheck disable=SC2164
  cd "${_MOUNTPOINT}"
  ### CDLB verification of script integrity itself -----------------------------------------------------------------------------
  if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
    log_begin_msg "Verifying integrity of '0030-verify-checksums' ..."
    printf "\n"
    CDLB_SCRIPT="$(basename "${0}")"
    CDLB_SHA="sha512"
    CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_ITEM="" CDLB_SIG_FILE=""
    for CDLB_ITEM in ${CDLB_SHA}; do
      CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_ITEM}"
      CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
      CDLB_CMD="${CDLB_ITEM}sum"
      printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}"
      if ! gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
        printf "Signature verification failed for: [%s]\n" "${CDLB_HASHFILE}"
        sleep 8
        # TODO: Remove debug mode
        # return 0
      else
        printf "Signature verification successful for: [%s]\n" "${CDLB_HASHFILE}"
      fi
      printf "Recomputing hash for: [%s]\n" "${CDLB_ITEM}"
      CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first rest || exit 1; printf '%s\n' "${first}"; })
      read -r CDLB_EXPECTED < "${CDLB_HASHFILE}"
      if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
        printf "Recomputed hash mismatch for: [%s]\n" "${CDLB_ITEM}"
        sleep 8
        # TODO: Remove debug mode
        # return 0
      fi
      printf "Hash verification successful for: [%s]\n" "${CDLB_ITEM}"
    done
    printf "Verifying integrity of '0030-verify-checksums' successfully completed. Proceeding."
    log_end_msg
    printf "\n"
  fi
  ### Checksum and checksum signature verification -----------------------------------------------------------------------------
  log_begin_msg "Verifying checksums"
  printf "\n"
  # shellcheck disable=SC2001
  for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
    # shellcheck disable=SC2060
    _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
    for _CHECKSUM in ${_CHECKSUMS}; do
      if [ -e "${_CHECKSUM}" ]; then
        printf "Found [%s] ...\n" "${_CHECKSUM}"
        if [ -e "/bin/${_DIGEST}sum" ]; then
          if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
            printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}"
            _CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
            gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
            _RETURN_PGP="${?}"
          else
            _RETURN_PGP="na"
          fi
          printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}"
          # shellcheck disable=SC2312
          grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
          _RETURN_SHA="${?}"
          # Stop after the first verification.
          break 2
        else
          printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum"
        fi
      fi
    done
  done
  log_end_msg
  case "${_RETURN_PGP},${_RETURN_SHA}" in
    0,0)
      log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds."
      sleep 8
      return 0
      ;;
    na,0)
      log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds."
      sleep 8
      return 0
      ;;
    *,0)
      panic "Verification of signature file failed while verification of checksum file successful."
      ;;
    na,*)
      panic "Verification of checksum file failed."
      ;;
  esac
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 # Copy and make executable
 install -m 0755 "${src}" "${target}"
 rm -f "${src}"
 unset target src
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9985_clamav.chroot
+++ b/config/hooks/live/9985_clamav.chroot
--- a/config/hooks/live/9998_sources_list_bookworm.chroot
+++ b/config/hooks/live/9998_sources_list_bookworm.chroot
@@ -19,7 +19,7 @@ declare -r VAR_DATE="$(date +%F)"
 cd /root
 if [[ -f /etc/apt/sources.list ]]; then
-  mv /etc/apt/sources.list /root/.ciss/dlb/backup/sources.list.bak
+  mv /etc/apt/sources.list /root/.ciss/cdlb/backup/sources.list.bak
 fi
 cat << 'EOF' >| /etc/apt/sources.list
@@ -55,7 +55,6 @@ deb-src https://deb.debian.org/debian/ bookworm-backports main contrib non-free
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.archive/generate_PRIVATE_trixie_0.yaml
+++ b/.archive/generate_PRIVATE_trixie_0.yaml
@@ -0,0 +1,448 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # Version Master V8.13.392.2025.11.07
 name: 🔐 Generating a Private Live ISO TRIXIE.
 defaults:
  run:
    shell: bash
 permissions:
  contents: write
 on:
  push:
    branches:
      - master
    paths:
      - '.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml'
 jobs:
  generate-private-cdlb-trixie:
    name: 🔐 Generating a Private Live ISO TRIXIE.
    runs-on: cdlb.trixie
    container:
      image: debian:trixie
    steps:
      - name: 🛠️ Basic Image Setup.
        shell: bash
        run: |
          export DEBIAN_FRONTEND=noninteractive
          apt-get update -qq
          apt-get upgrade -y
          apt-get install -y --no-install-recommends \
            apt-utils \
            bash \
            ca-certificates \
            curl \
            git \
            gnupg \
            openssh-client \
            openssl \
            perl \
            sudo \
            util-linux
      - name: ⚙️ Check GnuPG Version.
        shell: bash
        run: |
          gpg --version
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: 🛠️ Cleaning the workspace.
        shell: bash
        run: |
          git reset --hard
          git clean -fd
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
          export GNUPGHOME="$(pwd)/.gnupg"
          mkdir -m 700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
          gpg --batch --import centurion-root.PUB.asc
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
      - name: ⚙️ Preparing the build environment.
        shell: bash
        run: |
          set -euo pipefail
          mkdir -p /opt/config
          mkdir -p /opt/livebuild
          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
      - name: 🔧 Render live hook with secrets.
        shell: bash
        working-directory: ${{ github.workspace }}
        env:
          ED25519_PRIV:        ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
          ED25519_PUB:         ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
          RSA_PRIV:            ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
          RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
        run: |
          set -Ceuo pipefail
          umask 077
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
          if [[ ! -f "${TPL}" ]]; then
            echo "Template not found: ${TPL}"
            echo "::group::Tree of config/hooks/live"
            ls -la "${REPO_ROOT}/config/hooks/live" || true
            echo "::endgroup::"
            exit 2
          fi
          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
          export RSA_PUB="${RSA_PUB//$'\r'/}"
          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
          (
          cat << EOF >| "${ID_OUT}"
          ${CISS_PRIMORDIAL}
          EOF
          ) && chmod 0600 "${ID_OUT}"
          if [[ -f "${ID_OUT}" ]]; then
            echo "Written: ${ID_OUT}"
          else
            echo "Error: ${ID_OUT} not written."
          fi
          (
          cat << EOF >| "${ID_OUT_PUB}"
          ${CISS_PRIMORDIAL_PUB}
          EOF
          ) && chmod 0600 "${ID_OUT_PUB}"
          if [[ -f "${ID_OUT_PUB}" ]]; then
            echo "Written: ${ID_OUT_PUB}"
          else
            echo "Error: ${ID_OUT_PUB} not written."
          fi
          perl -0777 -pe '
            BEGIN{
              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
            }
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
          ' "${TPL}" > "${OUT}"
          chmod 0755 "${OUT}"
          echo "Hook rendered: ${OUT}"
      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
        shell: bash
        working-directory: ${{ github.workspace }}
        run: |
          set -euo pipefail
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
          ./ciss_live_builder.sh \
            --autobuild=6.16.3+deb13-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --cdi \
            --control "${timestamp}" \
            --debug \
            --dhcp-centurion \
            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
            --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
            --root-password-file /opt/config/password.txt \
            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
            --ssh-pubkey /opt/config \
            --sshfp \
            --trixie
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
          rm -f "$OUT"
          echo "Hook removed: $OUT"
          shred -fzu -n 5 /opt/config/authorized_keys
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
        run: |
          set -euo pipefail
          SHARE_SUBDIR=""
          echo "📥 Get directory listing via PROPFIND ..."
          curl -s \
          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
          -X PROPFIND \
          -H "Depth: 1" \
          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -o propfind_public.xml
          echo "📥 Filter .iso files from the PROPFIND response ..."
          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
            echo "💡 Old ISO files found and deleted :"
            while IFS= read -r href; do
              FILE_URL="${NC_BASE}${href}"
              echo "  Delete: ${FILE_URL}"
              if curl -s \
                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
                  -X DELETE "${FILE_URL}"; then
                echo "    ✅ Successfully deleted: $(basename "${href}")"
              else
                echo "    ❌ Error: $(basename "${href}") could not be deleted"
              fi
            done < public_iso_list.txt
          else
            echo "💡 No old ISO files found to delete."
          fi
      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
        run: |
          set -euo pipefail
          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
            echo "✅ New ISO successfully uploaded."
          else
            echo "❌ Uploading the new ISO failed."
            exit 1
          fi
      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
        shell: bash
        run: |
          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
          touch "${VAR_ISO_FILE_SHA512}"
          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
          touch "${SIGNATURE_FILE}"
          export GNUPGHOME="$(pwd)/.gnupg"
          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          VAR_DATE="$(date +%F)"
          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
          CISS.debian.live.builder ISO :
            "${VAR_ISO_FILE_NAME}"
          CISS.debian.live.builder ISO sha512 :
            $(< "${VAR_ISO_FILE_SHA512}")
          CISS.debian.live.builder ISO sha512 sign :
            $(< "${SIGNATURE_FILE}")
          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
          EOF
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Temporarily store any local modifications or untracked files.
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
          echo "🔁 Merging origin/master into current branch ..."
          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
          echo "📋 Post-merge status :"
          git status
          git log --oneline -n 5
      - name: 🛠️ Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Apply previously stashed changes.
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_0.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
          ${CI_HEADER}
          Generated at : ${TIMESTAMP_UTC}
          Runner Host  : ${HOSTNAME}
          Workflow ID  : ${WORKFLOW_ID}
          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
          "
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
          git push origin HEAD:${GITHUB_REF_NAME}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.archive/generate_PRIVATE_trixie_1.yaml
+++ b/.archive/generate_PRIVATE_trixie_1.yaml
@@ -0,0 +1,491 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # Version Master V8.13.392.2025.11.07
 name: 🔐 Generating a Private Live ISO TRIXIE.
 defaults:
  run:
    shell: bash
 permissions:
  contents: write
 on:
  push:
    branches:
      - master
    paths:
      - '.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml'
 jobs:
  generate-private-cdlb-trixie:
    name: 🔐 Generating a Private Live ISO TRIXIE.
    runs-on: cdlb.trixie
    container:
      image: debian:trixie
    defaults:
      run:
        shell: bash
        working-directory: ${{ github.workspace }}
    steps:
      - name: ⏳ Waiting random time to desynchronize parallel workflows.
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
      - name: 🛠️ Basic Image Setup.
        run: |
          set -euo pipefail
          umask 0077
          export DEBIAN_FRONTEND=noninteractive
          apt-get update -qq
          apt-get upgrade -y
          apt-get install -y --no-install-recommends \
            apt-utils \
            bash \
            ca-certificates \
            curl \
            git \
            gnupg \
            openssh-client \
            openssl \
            perl \
            sudo \
            util-linux
      - name: ⚙️ Check GnuPG Version.
        run: |
          gpg --version
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        run: |
          set -euo pipefail
          umask 0077
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: ⚙️ Init GNUPGHOME.
        run: |
          set -euo pipefail
          umask 0077
          GNUPGHOME="/dev/shm/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}.${GITHUB_RUN_ATTEMPT}"
          mkdir -p -m 700 "${GNUPGHOME}"
          echo "GNUPGHOME=${GNUPGHOME}" >> "${GITHUB_ENV}"
          echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf"
          gpgconf --reload gpg-agent || true
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        env:
          PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
        run: |
          set -euo pipefail
          umask 0077
          printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
          unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        run: |
          set -euo pipefail
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
      - name: ⚙️ Preparing the build environment.
        run: |
          set -euo pipefail
          umask 0077
          mkdir -p /opt/cdlb/secrets
          mkdir -p /opt/cdlb/livebuild
          install -m 0600 /dev/null /opt/cdlb/secrets/password.txt
          install -m 0600 /dev/null /opt/cdlb/secrets/authorized_keys
          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_ed25519_key
          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_ed25519_key.pub
          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_rsa_key
          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_rsa_key.pub
          install -m 0600 /dev/null /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial
          install -m 0600 /dev/null /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial.pub
          install -m 0600 /dev/null /opt/cdlb/secrets/keys.txt
          install -m 0600 /dev/null /opt/cdlb/secrets/luks.txt
          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}"               >| /opt/cdlb/secrets/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}"        >| /opt/cdlb/secrets/authorized_keys
          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}"     >| /opt/cdlb/secrets/ssh_host_ed25519_key
          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /opt/cdlb/secrets/ssh_host_ed25519_key.pub
          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}"         >| /opt/cdlb/secrets/ssh_host_rsa_key
          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}"     >| /opt/cdlb/secrets/ssh_host_rsa_key.pub
          echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}"           >| /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial
          echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial.pub
          echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /opt/cdlb/secrets/keys.txt
          echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /opt/cdlb/secrets/luks.txt
      - name: 🔧 Render live hook with secrets.
        shell: bash
        working-directory: ${{ github.workspace }}
        env:
          ED25519_PRIV:        ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
          ED25519_PUB:         ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
          RSA_PRIV:            ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
          RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
          CISS_PHYS_AGE:       ${{ secrets.CISS_PHYS_AGE }}
          MSW_GPG_DEPLOY_BOT:  ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
        run: |
          set -Ceuo pipefail
          umask 077
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
          SOPS="${REPO_ROOT}/config/hooks/live/0860_sops.chroot"
          BINARY_CHECKSUMS="${REPO_ROOT}/scripts/usr/lib/live/build/binary_checksums.sh"
          if [[ ! -f "${TPL}" ]]; then
            echo "Template not found: ${TPL}"
            echo "::group::Tree of config/hooks/live"
            ls -la "${REPO_ROOT}/config/hooks/live" || true
            echo "::endgroup::"
            exit 2
          fi
          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
          export RSA_PUB="${RSA_PUB//$'\r'/}"
          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
          export CISS_PHYS_AGE="${CISS_PHYS_AGE//$'\r'/}"
          export MSW_GPG_DEPLOY_BOT="${MSW_GPG_DEPLOY_BOT//$'\r'/}"
          (
          cat << EOF >| "${ID_OUT}"
          ${CISS_PRIMORDIAL}
          EOF
          ) && chmod 0600 "${ID_OUT}"
          if [[ -f "${ID_OUT}" ]]; then
            echo "Written: ${ID_OUT}"
          else
            echo "Error: ${ID_OUT} not written."
          fi
          (
          cat << EOF >| "${ID_OUT_PUB}"
          ${CISS_PRIMORDIAL_PUB}
          EOF
          ) && chmod 0600 "${ID_OUT_PUB}"
          if [[ -f "${ID_OUT_PUB}" ]]; then
            echo "Written: ${ID_OUT_PUB}"
          else
            echo "Error: ${ID_OUT_PUB} not written."
          fi
          perl -0777 -pe '
            BEGIN{
              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
            }
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
          ' "${TPL}" > "${OUT}"
          chmod 0755 "${OUT}"
          perl -0777 -i -pe '
            BEGIN {
              our $age = $ENV{CISS_PHYS_AGE} // q{};
            }
            s/\{\{\s*secrets\.CISS_PHYS_AGE\s*\}\}/$age/g;
          ' -- "${SOPS}"
          chmod 0755 "${SOPS}"
          perl -0777 -i -pe '
            BEGIN {
              our $deploy = $ENV{MSW_GPG_DEPLOY_BOT} // q{};
            }
            s/\{\{\s*secrets\.MSW_GPG_DEPLOY_BOT\s*\}\}/$deploy/g;
          ' -- "${BINARY_CHECKSUMS}"
          chmod 0755 "${BINARY_CHECKSUMS}"
          echo "Hook rendered: ${OUT}"
      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
        shell: bash
        working-directory: ${{ github.workspace }}
        run: |
          set -euo pipefail
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
          ./ciss_live_builder.sh \
            --autobuild=6.16.3+deb13-amd64 \
            --architecture amd64 \
            --build-directory /opt/cdlb/livebuild \
            --cdi \
            --control "${timestamp}" \
            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
            --root-password-file /opt/cdlb/secrets/password.txt \
            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
            --ssh-pubkey /opt/cdlb/secrets \
            --sshfp \
            --trixie
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
          rm -f "$OUT"
          echo "Hook removed: $OUT"
          shred -fzu -n 5 /opt/cdlb/secrets/authorized_keys
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
        run: |
          set -euo pipefail
          SHARE_SUBDIR=""
          echo "📥 Get directory listing via PROPFIND ..."
          curl -s \
          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
          -X PROPFIND \
          -H "Depth: 1" \
          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -o propfind_public.xml
          echo "📥 Filter .iso files from the PROPFIND response ..."
          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
            echo "💡 Old ISO files found and deleted :"
            while IFS= read -r href; do
              FILE_URL="${NC_BASE}${href}"
              echo "  Delete: ${FILE_URL}"
              if curl -s \
                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
                  -X DELETE "${FILE_URL}"; then
                echo "    ✅ Successfully deleted: $(basename "${href}")"
              else
                echo "    ❌ Error: $(basename "${href}") could not be deleted"
              fi
            done < public_iso_list.txt
          else
            echo "💡 No old ISO files found to delete."
          fi
      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
        run: |
          set -euo pipefail
          if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
            echo "✅ New ISO successfully uploaded."
          else
            echo "❌ Uploading the new ISO failed."
            exit 1
          fi
      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
        shell: bash
        run: |
          if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
          touch "${VAR_ISO_FILE_SHA512}"
          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
          touch "${SIGNATURE_FILE}"
          export GNUPGHOME="$(pwd)/.gnupg"
          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          VAR_DATE="$(date +%F)"
          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
          CISS.debian.live.builder ISO :
            "${VAR_ISO_FILE_NAME}"
          CISS.debian.live.builder ISO sha512 :
            $(< "${VAR_ISO_FILE_SHA512}")
          CISS.debian.live.builder ISO sha512 sign :
            $(< "${SIGNATURE_FILE}")
          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
          EOF
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Temporarily store any local modifications or untracked files.
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
          echo "🔁 Merging origin/master into current branch ..."
          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
          echo "📋 Post-merge status :"
          git status
          git log --oneline -n 5
      - name: 🛠️ Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Apply previously stashed changes.
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
          ${CI_HEADER}
          Generated at : ${TIMESTAMP_UTC}
          Runner Host  : ${HOSTNAME}
          Workflow ID  : ${WORKFLOW_ID}
          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
          "
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
          git push origin HEAD:${GITHUB_REF_NAME}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.archive/generate_PUBLIC_iso.yaml
+++ b/.archive/generate_PUBLIC_iso.yaml
@@ -0,0 +1,366 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # Version Master V8.13.392.2025.11.07
 name: 💙 Generating a PUBLIC Live ISO.
 defaults:
  run:
    shell: bash
 permissions:
  contents: write
 on:
  push:
    branches:
      - master
    paths:
      - '.gitea/trigger/t_generate_PUBLIC.yaml'
 jobs:
  generate-public-cdlb-trixie:
    name: 💙 Generating a PUBLIC Live ISO.
    runs-on: cdlb.trixie
    container:
      image: debian:trixie
    steps:
      - name: 🛠️ Basic Image Setup.
        shell: bash
        run: |
          export DEBIAN_FRONTEND=noninteractive
          apt-get update -qq
          apt-get upgrade -y
          apt-get install -y --no-install-recommends \
            apt-utils \
            bash \
            ca-certificates \
            curl \
            git \
            gnupg \
            openssh-client \
            openssl \
            perl \
            sudo \
            util-linux
      - name: ⚙️ Check GnuPG Version.
        shell: bash
        run: |
          gpg --version
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: 🛠️ Cleaning the workspace.
        shell: bash
        run: |
          git reset --hard
          git clean -fd
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
          export GNUPGHOME="$(pwd)/.gnupg"
          mkdir -m 700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
          gpg --batch --import centurion-root.PUB.asc
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
      - name: ⚙️ Preparing the build environment.
        shell: bash
        run: |
          set -euo pipefail
          mkdir -p /opt/config
          mkdir -p /opt/livebuild
          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
          echo 'Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH' >| /opt/config/password.txt
          echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY' >| /opt/config/authorized_keys
      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
        shell: bash
        run: |
          set -euo pipefail
          sed -i '/^hardening_ssh_tcp.*/d' ciss_live_builder.sh
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
          ./ciss_live_builder.sh \
            --autobuild=6.16.3+deb13-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --cdi \
            --control "${timestamp}" \
            --debug \
            --root-password-file /opt/config/password.txt \
            --ssh-port 42137 \
            --ssh-pubkey /opt/config \
            --trixie
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
        run: |
          set -euo pipefail
          SHARE_SUBDIR=""
          echo "📥 Get directory listing via PROPFIND ..."
          curl -s \
          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
          -X PROPFIND \
          -H "Depth: 1" \
          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -o propfind_public.xml
          echo "📥 Filter .iso files from the PROPFIND response ..."
          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
            echo "💡 Old ISO files found and deleted :"
            while IFS= read -r href; do
              FILE_URL="${NC_BASE}${href}"
              echo "  Delete: ${FILE_URL}"
              if curl -s \
                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
                  -X DELETE "${FILE_URL}"; then
                echo "    ✅ Successfully deleted: $(basename "${href}")"
              else
                echo "    ❌ Error: $(basename "${href}") could not be deleted"
              fi
            done < public_iso_list.txt
          else
            echo "💡 No old ISO files found to delete."
          fi
      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
        run: |
          set -euo pipefail
          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
            echo "✅ New ISO successfully uploaded."
          else
            echo "❌ Uploading the new ISO failed."
            exit 1
          fi
      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
        shell: bash
        run: |
          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
          touch "${VAR_ISO_FILE_SHA512}"
          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
          touch "${SIGNATURE_FILE}"
          export GNUPGHOME="$(pwd)/.gnupg"
          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          VAR_DATE="$(date +%F)"
          PRIVATE_FILE="LIVE_ISO.public"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-FileType: SOURCE
          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
          CISS.debian.live.builder ISO :
            "${VAR_ISO_FILE_NAME}"
          CISS.debian.live.builder ISO sha512 :
            $(< "${VAR_ISO_FILE_SHA512}")
          CISS.debian.live.builder ISO sha512 sign :
            $(< "${SIGNATURE_FILE}")
          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
          EOF
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Temporarily store any local modifications or untracked files.
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
          echo "🔁 Merging origin/master into current branch ..."
          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
          echo "📋 Post-merge status :"
          git status
          git log --oneline -n 5
      - name: 🛠️ Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          ### Apply previously stashed changes.
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          PRIVATE_FILE="LIVE_ISO.public"
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PUBLIC_iso.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
          ${CI_HEADER}
          Generated at : ${TIMESTAMP_UTC}
          Runner Host  : ${HOSTNAME}
          Workflow ID  : ${WORKFLOW_ID}
          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
          "
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
          git push origin HEAD:${GITHUB_REF_NAME}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.archive/icon.lib
+++ b/.archive/icon.lib
@@ -17,6 +17,10 @@
 🔑
 ✍️
 🖥️
 ⬆️
 ⏫
 🔼
 🆙
 🔄
 🔁
 🌌
@@ -32,6 +36,7 @@
 🧪
 📩
 📥
 📤
 📦
 📑
 📂
@@ -52,4 +57,7 @@
 ☢️
 ☣️
 •
 ☁️
 📡
 🛡️
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.archive/lib_lb_config_write.sh
+++ b/.archive/lib_lb_config_write.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Wrapper to write a new 'lb config' environment.
@@ -38,8 +38,8 @@ lb_config_write() {
    --backports true \
    --binary-filesystem fat32 \
    --binary-image iso-hybrid \
-    --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
+    --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
-    --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 nocomponents=cdi-starter noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force,nosmt nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
+    --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 nocomponents=cdi-starter noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force,nosmt nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
    --bootloaders grub-efi \
    --cache true \
    --checksums sha512 sha256 md5 \
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.142.2025.10.14"
+      placeholder: "e.g., Master V8.13.392.2025.11.07"
    validations:
      required: true
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.392.2025.11.07
 FROM debian:bookworm
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.392.2025.11.07
 name: 🔁 Render README.md to README.html.
@@ -38,11 +38,11 @@ jobs:
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
@@ -53,7 +53,7 @@ jobs:
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.13.142.2025.10.14
+  version: V8.13.296.2025.10.29
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.13.142.2025.10.14
+  version: V8.13.392.2025.11.07
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.13.142.2025.10.14
+  version: V8.13.296.2025.10.29
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.13.142.2025.10.14
+  version: V8.13.392.2025.11.07
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -9,14 +9,10 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.392.2025.11.07
 name: 🔐 Generating a Private Live ISO TRIXIE.
 defaults:
  run:
    shell: bash
 permissions:
  contents: write
@@ -35,48 +31,77 @@ jobs:
    container:
      image: debian:trixie
-    steps:
+    defaults:
-      - name: 🛠️ Basic Image Setup.
+      run:
        shell: bash
        working-directory: ${{ github.workspace }}
    steps:
      - name: 🕑 Waiting random time to desynchronize parallel workflows.
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
      - name: 🔧 Basic Image Setup.
        run: |
          set -euo pipefail
          umask 0022
          echo "APT_LISTCHANGES_FRONTEND=none"  >> "${GITHUB_ENV}"
          echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}"
          echo "LC_ALL=C.UTF-8"                 >> "${GITHUB_ENV}"
          echo "TZ=UTC"                         >> "${GITHUB_ENV}"
          echo "VAR_CDLB_INSIDE_RUNNER=true"    >> "${GITHUB_ENV}"
          export APT_LISTCHANGES_FRONTEND=none
          export DEBIAN_FRONTEND=noninteractive
-          apt-get update
+
          apt-get update -qq
          apt-get upgrade -y
          apt-get install -y --no-install-recommends \
            apt-utils \
            bash \
            bat \
            ca-certificates \
            curl \
            debootstrap \
            git \
            gnupg-utils \
            gnupg \
            gpg-agent \
            gpgv \
            live-build \
            lsb-release \
            openssh-client \
            openssl \
            perl \
            pinentry-curses \
            pinentry-tty \
            sudo \
-            util-linux
+            util-linux \
            whois
      - name: ⚙️ Check GnuPG Version.
        shell: bash
        run: |
          gpg --version
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set +x
          set -euo pipefail
-          var_wait=$(( RANDOM % 33 ))
+          umask 0077
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
@@ -87,164 +112,114 @@ jobs:
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
-      - name: 🛠️ Cleaning the workspace.
+      - name: ⚙️ Init GNUPGHOME.
        shell: bash
        run: |
-          git reset --hard
+          set +x
-          git clean -fd
+          set -euo pipefail
          umask 0077
          GNUPGHOME="${PWD}/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}"
          # shellcheck disable=SC2174
          mkdir -p -m 0700 "${GNUPGHOME}"
          echo "GNUPGHOME=${GNUPGHOME}"                 >> "${GITHUB_ENV}"
          echo 'allow-loopback-pinentry'                >| "${GNUPGHOME}/gpg-agent.conf"
          echo 'pinentry-program /usr/bin/pinentry-tty' >> "${GNUPGHOME}/gpg-agent.conf"
          echo "trust-model always"                     >> "${GNUPGHOME}/gpg.conf"
          gpgconf --reload gpg-agent || true
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
+        env:
          PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
        run: |
          set +x
          set -euo pipefail
-          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          umask 0077
-          export GNUPGHOME="$(pwd)/.gnupg"
+          printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
-          mkdir -m 700 "${GNUPGHOME}"
+          unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
          gpg --batch --import centurion-root.PUB.asc
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set +x
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }}
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
          git config --get user.signingkey
      - name: ⚙️ Preparing the build environment.
-        shell: bash
+        run: |
          set +x
          set -euo pipefail
          umask 0077
          mkdir -p /dev/shm/cdlb_secrets
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
          echo "${{ secrets.CISS_DLB_ROOT_PWD }}"                 >| /dev/shm/cdlb_secrets/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}"          >| /dev/shm/cdlb_secrets/authorized_keys
          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}"     >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key
          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}"         >| /dev/shm/cdlb_secrets/ssh_host_rsa_key
          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}"     >| /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
          echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}"           >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
          echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
          echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /dev/shm/cdlb_secrets/keys.txt
          echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /dev/shm/cdlb_secrets/luks.txt
          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}"       >| /dev/shm/cdlb_secrets/signing_key.asc
          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}"  >| /dev/shm/cdlb_secrets/signing_key_pass.txt
      - name: 🔧 Starting CISS.debian.live.builder. This may take about an hour ...
        run: |
          set -euo pipefail
-          mkdir -p /opt/config
+          chmod 0700 ciss_live_builder.sh
          mkdir -p /opt/livebuild
          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
      - name: 🔧 Render live hook with secrets.
        shell: bash
        working-directory: ${{ github.workspace }}
        env:
          ED25519_PRIV:        ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
          ED25519_PUB:         ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
          RSA_PRIV:            ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
          RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
        run: |
          set -Ceuo pipefail
          umask 077
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
          if [[ ! -f "${TPL}" ]]; then
            echo "Template not found: ${TPL}"
            echo "::group::Tree of config/hooks/live"
            ls -la "${REPO_ROOT}/config/hooks/live" || true
            echo "::endgroup::"
            exit 2
          fi
          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
          export RSA_PUB="${RSA_PUB//$'\r'/}"
          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
          (
          cat << EOF >| "${ID_OUT}"
          ${CISS_PRIMORDIAL}
          EOF
          ) && chmod 0600 "${ID_OUT}"
          if [[ -f "${ID_OUT}" ]]; then
            echo "Written: ${ID_OUT}"
          else
            echo "Error: ${ID_OUT} not written."
          fi
          (
          cat << EOF >| "${ID_OUT_PUB}"
          ${CISS_PRIMORDIAL_PUB}
          EOF
          ) && chmod 0600 "${ID_OUT_PUB}"
          if [[ -f "${ID_OUT_PUB}" ]]; then
            echo "Written: ${ID_OUT_PUB}"
          else
            echo "Error: ${ID_OUT_PUB} not written."
          fi
          perl -0777 -pe '
            BEGIN{
              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
            }
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
          ' "${TPL}" > "${OUT}"
          chmod 0755 "${OUT}"
          echo "Hook rendered: ${OUT}"
      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
        shell: bash
        working-directory: ${{ github.workspace }}
        run: |
          set -euo pipefail
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
          ./ciss_live_builder.sh \
            --autobuild=6.16.3+deb13-amd64 \
            --architecture amd64 \
-            --build-directory /opt/livebuild \
+            --autobuild=6.16.3+deb13-amd64 \
            --build-directory /opt/cdlb \
            --cdi \
            --control "${timestamp}" \
            --debug \
            --dhcp-centurion \
            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
            --key_age=keys.txt \
            --key_luks=luks.txt \
            --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
-            --root-password-file /opt/config/password.txt \
+            --root-password-file /dev/shm/cdlb_secrets/password.txt \
            --signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
            --signing_key_pass=signing_key_pass.txt \
            --signing_key=signing_key.asc \
            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
-            --ssh-pubkey /opt/config \
+            --ssh-pubkey /dev/shm/cdlb_secrets \
            --sshfp \
            --trixie
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
          rm -f "$OUT"
          echo "Hook removed: $OUT"
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
@@ -254,83 +229,106 @@ jobs:
          SHARE_SUBDIR=""
          echo "📥 Get directory listing via PROPFIND ..."
-          curl -s \
+
-          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -X PROPFIND \
          -H "Depth: 1" \
          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -o propfind_public.xml
          echo "📥 Filter .iso files from the PROPFIND response ..."
          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
            echo "💡 Old ISO files found and deleted :"
            while IFS= read -r href; do
              FILE_URL="${NC_BASE}${href}"
              echo "  Delete: ${FILE_URL}"
-              if curl -s \
+
-                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+              if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
-                  -X DELETE "${FILE_URL}"; then
+
                echo "    ✅ Successfully deleted: $(basename "${href}")"
              else
                echo "    ❌ Error: $(basename "${href}") could not be deleted"
-              fi
+
            done < public_iso_list.txt
          else
            echo "💡 No old ISO files found to delete."
              fi
-      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+            done < public_iso_list.txt
-        shell: bash
+
          else
            echo "💡 No old ISO files found to delete."
          fi
      - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
        run: |
          set -euo pipefail
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
          if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
-          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+
          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
            echo "✅ New ISO successfully uploaded."
          else
            echo "❌ Uploading the new ISO failed."
            exit 1
          fi
      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
        shell: bash
        run: |
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+          if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
          touch "${VAR_ISO_FILE_SHA512}"
          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
          touch "${SIGNATURE_FILE}"
-          export GNUPGHOME="$(pwd)/.gnupg"
+
-          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+          gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          VAR_DATE="$(date +%F)"
          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -356,7 +354,6 @@ jobs:
          EOF
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -365,12 +362,10 @@ jobs:
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
@@ -382,8 +377,7 @@ jobs:
          git status
          git log --oneline -n 5
-      - name: 🛠️ Restore stashed changes.
+      - name: 🔧 Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -392,7 +386,6 @@ jobs:
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -401,16 +394,17 @@ jobs:
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
@@ -418,7 +412,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_0.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
@@ -434,10 +428,10 @@ jobs:
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -9,14 +9,10 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.392.2025.11.07
 name: 🔐 Generating a Private Live ISO TRIXIE.
 defaults:
  run:
    shell: bash
 permissions:
  contents: write
@@ -35,48 +31,77 @@ jobs:
    container:
      image: debian:trixie
-    steps:
+    defaults:
-      - name: 🛠️ Basic Image Setup.
+      run:
        shell: bash
        working-directory: ${{ github.workspace }}
    steps:
      - name: 🕑 Waiting random time to desynchronize parallel workflows.
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
      - name: 🔧 Basic Image Setup.
        run: |
          set -euo pipefail
          umask 0022
          echo "APT_LISTCHANGES_FRONTEND=none"  >> "${GITHUB_ENV}"
          echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}"
          echo "LC_ALL=C.UTF-8"                 >> "${GITHUB_ENV}"
          echo "TZ=UTC"                         >> "${GITHUB_ENV}"
          echo "VAR_CDLB_INSIDE_RUNNER=true"    >> "${GITHUB_ENV}"
          export APT_LISTCHANGES_FRONTEND=none
          export DEBIAN_FRONTEND=noninteractive
-          apt-get update
+
          apt-get update -qq
          apt-get upgrade -y
          apt-get install -y --no-install-recommends \
            apt-utils \
            bash \
            bat \
            ca-certificates \
            curl \
            debootstrap \
            git \
            gnupg-utils \
            gnupg \
            gpg-agent \
            gpgv \
            live-build \
            lsb-release \
            openssh-client \
            openssl \
            perl \
            pinentry-curses \
            pinentry-tty \
            sudo \
-            util-linux
+            util-linux \
            whois
      - name: ⚙️ Check GnuPG Version.
        shell: bash
        run: |
          gpg --version
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set +x
          set -euo pipefail
-          var_wait=$(( RANDOM % 33 ))
+          umask 0077
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
@@ -87,161 +112,111 @@ jobs:
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
-      - name: 🛠️ Cleaning the workspace.
+      - name: ⚙️ Init GNUPGHOME.
        shell: bash
        run: |
-          git reset --hard
+          set +x
-          git clean -fd
+          set -euo pipefail
          umask 0077
          GNUPGHOME="${PWD}/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}"
          # shellcheck disable=SC2174
          mkdir -p -m 0700 "${GNUPGHOME}"
          echo "GNUPGHOME=${GNUPGHOME}"                 >> "${GITHUB_ENV}"
          echo 'allow-loopback-pinentry'                >| "${GNUPGHOME}/gpg-agent.conf"
          echo 'pinentry-program /usr/bin/pinentry-tty' >> "${GNUPGHOME}/gpg-agent.conf"
          echo "trust-model always"                     >> "${GNUPGHOME}/gpg.conf"
          gpgconf --reload gpg-agent || true
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
+        env:
          PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
        run: |
          set +x
          set -euo pipefail
-          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          umask 0077
-          export GNUPGHOME="$(pwd)/.gnupg"
+          printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
-          mkdir -m 700 "${GNUPGHOME}"
+          unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
          gpg --batch --import centurion-root.PUB.asc
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set +x
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }}
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
          git config --get user.signingkey
      - name: ⚙️ Preparing the build environment.
-        shell: bash
+        run: |
          set +x
          set -euo pipefail
          umask 0077
          mkdir -p /dev/shm/cdlb_secrets
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}"               >| /dev/shm/cdlb_secrets/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}"        >| /dev/shm/cdlb_secrets/authorized_keys
          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}"     >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key
          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}"         >| /dev/shm/cdlb_secrets/ssh_host_rsa_key
          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}"     >| /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
          echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}"           >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
          echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
          echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /dev/shm/cdlb_secrets/keys.txt
          echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /dev/shm/cdlb_secrets/luks.txt
          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}"       >| /dev/shm/cdlb_secrets/signing_key.asc
          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}"  >| /dev/shm/cdlb_secrets/signing_key_pass.txt
      - name: 🔧 Starting CISS.debian.live.builder. This may take about an hour ...
        run: |
          set -euo pipefail
-          mkdir -p /opt/config
+          chmod 0700 ciss_live_builder.sh
          mkdir -p /opt/livebuild
          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys
      - name: 🔧 Render live hook with secrets.
        shell: bash
        working-directory: ${{ github.workspace }}
        env:
          ED25519_PRIV:        ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
          ED25519_PUB:         ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
          RSA_PRIV:            ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
          RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
        run: |
          set -Ceuo pipefail
          umask 077
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
          if [[ ! -f "${TPL}" ]]; then
            echo "Template not found: ${TPL}"
            echo "::group::Tree of config/hooks/live"
            ls -la "${REPO_ROOT}/config/hooks/live" || true
            echo "::endgroup::"
            exit 2
          fi
          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
          export RSA_PUB="${RSA_PUB//$'\r'/}"
          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
          (
          cat << EOF >| "${ID_OUT}"
          ${CISS_PRIMORDIAL}
          EOF
          ) && chmod 0600 "${ID_OUT}"
          if [[ -f "${ID_OUT}" ]]; then
            echo "Written: ${ID_OUT}"
          else
            echo "Error: ${ID_OUT} not written."
          fi
          (
          cat << EOF >| "${ID_OUT_PUB}"
          ${CISS_PRIMORDIAL_PUB}
          EOF
          ) && chmod 0600 "${ID_OUT_PUB}"
          if [[ -f "${ID_OUT_PUB}" ]]; then
            echo "Written: ${ID_OUT_PUB}"
          else
            echo "Error: ${ID_OUT_PUB} not written."
          fi
          perl -0777 -pe '
            BEGIN{
              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
            }
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
          ' "${TPL}" > "${OUT}"
          chmod 0755 "${OUT}"
          echo "Hook rendered: ${OUT}"
      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
        shell: bash
        working-directory: ${{ github.workspace }}
        run: |
          set -euo pipefail
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
          ./ciss_live_builder.sh \
            --autobuild=6.16.3+deb13-amd64 \
            --architecture amd64 \
-            --build-directory /opt/livebuild \
+            --autobuild=6.16.3+deb13-amd64 \
            --build-directory /opt/cdlb \
            --cdi \
            --control "${timestamp}" \
            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
-            --root-password-file /opt/config/password.txt \
+            --key_age=keys.txt \
            --key_luks=luks.txt \
            --root-password-file /dev/shm/cdlb_secrets/password.txt \
            --signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
            --signing_key_pass=signing_key_pass.txt \
            --signing_key=signing_key.asc \
            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
-            --ssh-pubkey /opt/config \
+            --ssh-pubkey /dev/shm/cdlb_secrets \
            --sshfp \
            --trixie
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
          rm -f "$OUT"
          echo "Hook removed: $OUT"
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
@@ -251,83 +226,106 @@ jobs:
          SHARE_SUBDIR=""
          echo "📥 Get directory listing via PROPFIND ..."
-          curl -s \
+
-          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -X PROPFIND \
          -H "Depth: 1" \
          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -o propfind_public.xml
          echo "📥 Filter .iso files from the PROPFIND response ..."
          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
            echo "💡 Old ISO files found and deleted :"
            while IFS= read -r href; do
              FILE_URL="${NC_BASE}${href}"
              echo "  Delete: ${FILE_URL}"
-              if curl -s \
+
-                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+              if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
-                  -X DELETE "${FILE_URL}"; then
+
                echo "    ✅ Successfully deleted: $(basename "${href}")"
              else
                echo "    ❌ Error: $(basename "${href}") could not be deleted"
-              fi
+
            done < public_iso_list.txt
          else
            echo "💡 No old ISO files found to delete."
              fi
-      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+            done < public_iso_list.txt
-        shell: bash
+
          else
            echo "💡 No old ISO files found to delete."
          fi
      - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
        run: |
          set -euo pipefail
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
          if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
-          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+
          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
            echo "✅ New ISO successfully uploaded."
          else
            echo "❌ Uploading the new ISO failed."
            exit 1
          fi
      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
        shell: bash
        run: |
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+          if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
          touch "${VAR_ISO_FILE_SHA512}"
          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
          touch "${SIGNATURE_FILE}"
-          export GNUPGHOME="$(pwd)/.gnupg"
+
-          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+          gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          VAR_DATE="$(date +%F)"
          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -353,7 +351,6 @@ jobs:
          EOF
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -362,12 +359,10 @@ jobs:
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
@@ -379,8 +374,7 @@ jobs:
          git status
          git log --oneline -n 5
-      - name: 🛠️ Restore stashed changes.
+      - name: 🔧 Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -389,7 +383,6 @@ jobs:
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -398,16 +391,17 @@ jobs:
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
@@ -415,7 +409,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_1.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
@@ -431,10 +425,10 @@ jobs:
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,14 +9,10 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.392.2025.11.07
 name: 💙 Generating a PUBLIC Live ISO.
 defaults:
  run:
    shell: bash
 permissions:
  contents: write
@@ -35,48 +31,77 @@ jobs:
    container:
      image: debian:trixie
-    steps:
+    defaults:
-      - name: 🛠️ Basic Image Setup.
+      run:
        shell: bash
        working-directory: ${{ github.workspace }}
    steps:
      - name: 🕑 Waiting random time to desynchronize parallel workflows.
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
      - name: 🔧 Basic Image Setup.
        run: |
          set -euo pipefail
          umask 0022
          echo "APT_LISTCHANGES_FRONTEND=none"  >> "${GITHUB_ENV}"
          echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}"
          echo "LC_ALL=C.UTF-8"                 >> "${GITHUB_ENV}"
          echo "TZ=UTC"                         >> "${GITHUB_ENV}"
          echo "VAR_CDLB_INSIDE_RUNNER=true"    >> "${GITHUB_ENV}"
          export APT_LISTCHANGES_FRONTEND=none
          export DEBIAN_FRONTEND=noninteractive
-          apt-get update
+
          apt-get update -qq
          apt-get upgrade -y
          apt-get install -y --no-install-recommends \
            apt-utils \
            bash \
            bat \
            ca-certificates \
            curl \
            debootstrap \
            git \
            gnupg-utils \
            gnupg \
            gpg-agent \
            gpgv \
            live-build \
            lsb-release \
            openssh-client \
            openssl \
            perl \
            pinentry-curses \
            pinentry-tty \
            sudo \
-            util-linux
+            util-linux \
            whois
      - name: ⚙️ Check GnuPG Version.
        shell: bash
        run: |
          gpg --version
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set +x
          set -euo pipefail
-          var_wait=$(( RANDOM % 33 ))
+          umask 0077
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
@@ -87,83 +112,84 @@ jobs:
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
-      - name: 🛠️ Cleaning the workspace.
+      - name: ⚙️ Init GNUPGHOME.
        shell: bash
        run: |
-          git reset --hard
+          set +x
-          git clean -fd
+          set -euo pipefail
          umask 0077
          GNUPGHOME="${PWD}/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}"
          # shellcheck disable=SC2174
          mkdir -p -m 0700 "${GNUPGHOME}"
          echo "GNUPGHOME=${GNUPGHOME}"                 >> "${GITHUB_ENV}"
          echo 'allow-loopback-pinentry'                >| "${GNUPGHOME}/gpg-agent.conf"
          echo 'pinentry-program /usr/bin/pinentry-tty' >> "${GNUPGHOME}/gpg-agent.conf"
          echo "trust-model always"                     >> "${GNUPGHOME}/gpg.conf"
          gpgconf --reload gpg-agent || true
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
+        env:
          PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
        run: |
          set +x
          set -euo pipefail
-          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          umask 0077
-          export GNUPGHOME="$(pwd)/.gnupg"
+          printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
-          mkdir -m 700 "${GNUPGHOME}"
+          unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
          gpg --batch --import centurion-root.PUB.asc
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set +x
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }}
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
          git config --get user.signingkey
      - name: ⚙️ Preparing the build environment.
        shell: bash
        run: |
          set +x
          set -euo pipefail
-          mkdir -p /opt/config
+          umask 0077
-          mkdir -p /opt/livebuild
+          mkdir -p /dev/shm/cdlb_secrets
-          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt
-          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys
-          echo 'Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH' >| /opt/config/password.txt
+          echo 'Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH' >| /dev/shm/cdlb_secrets/password.txt
-          echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY' >| /opt/config/authorized_keys
+          echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY' >| /dev/shm/cdlb_secrets/authorized_keys
-      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
+
-        shell: bash
+      - name: 🔧 Starting CISS.debian.live.builder. This may take about an hour ...
        run: |
          set -euo pipefail
-          sed -i '/^hardening_ssh.*/d' ciss_live_builder.sh
+          chmod 0700 ciss_live_builder.sh
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
          ./ciss_live_builder.sh \
            --autobuild=6.16.3+deb13-amd64 \
            --architecture amd64 \
-            --build-directory /opt/livebuild \
+            --autobuild=6.16.3+deb13-amd64 \
            --build-directory /opt/cdlb \
            --cdi \
            --control "${timestamp}" \
            --debug \
-            --root-password-file /opt/config/password.txt \
+            --root-password-file /dev/shm/cdlb_secrets/password.txt \
            --ssh-port 42137 \
-            --ssh-pubkey /opt/config \
+            --ssh-pubkey /dev/shm/cdlb_secrets \
            --trixie
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
@@ -173,83 +199,106 @@ jobs:
          SHARE_SUBDIR=""
          echo "📥 Get directory listing via PROPFIND ..."
-          curl -s \
+
-          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -X PROPFIND \
          -H "Depth: 1" \
          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -o propfind_public.xml
          echo "📥 Filter .iso files from the PROPFIND response ..."
          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
            echo "💡 Old ISO files found and deleted :"
            while IFS= read -r href; do
              FILE_URL="${NC_BASE}${href}"
              echo "  Delete: ${FILE_URL}"
-              if curl -s \
+
-                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+              if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
-                  -X DELETE "${FILE_URL}"; then
+
                echo "    ✅ Successfully deleted: $(basename "${href}")"
              else
                echo "    ❌ Error: $(basename "${href}") could not be deleted"
-              fi
+
            done < public_iso_list.txt
          else
            echo "💡 No old ISO files found to delete."
              fi
-      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+            done < public_iso_list.txt
-        shell: bash
+
          else
            echo "💡 No old ISO files found to delete."
          fi
      - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
        run: |
          set -euo pipefail
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
          if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
-          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+
          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
            echo "✅ New ISO successfully uploaded."
          else
            echo "❌ Uploading the new ISO failed."
            exit 1
          fi
      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
        shell: bash
        run: |
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+          if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
          touch "${VAR_ISO_FILE_SHA512}"
          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
          touch "${SIGNATURE_FILE}"
-          export GNUPGHOME="$(pwd)/.gnupg"
+
-          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+          gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          VAR_DATE="$(date +%F)"
          PRIVATE_FILE="LIVE_ISO.public"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -275,7 +324,6 @@ jobs:
          EOF
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -284,12 +332,10 @@ jobs:
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
@@ -301,8 +347,7 @@ jobs:
          git status
          git log --oneline -n 5
-      - name: 🛠️ Restore stashed changes.
+      - name: 🔧 Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -311,7 +356,6 @@ jobs:
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -320,16 +364,17 @@ jobs:
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
          export GNUPGHOME="$(pwd)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
          else
            echo "📝 Committing changes with GPG signature ..."
            ### CI Metadata
@@ -337,7 +382,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PUBLIC_iso.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
@@ -353,10 +398,10 @@ jobs:
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.392.2025.11.07
 # Gitea Workflow: Shell-Script Linting
 #
@@ -36,24 +36,32 @@ jobs:
    name: 🛡️ Shell Script Linting
    runs-on: ubuntu-latest
-    steps:
+    defaults:
-      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+      run:
        shell: bash
        working-directory: ${{ github.workspace }}
    steps:
      - name: 🕑 Waiting random time to desynchronize parallel workflows.
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
-          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        run: |
          set +x
          set -euo pipefail
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
@@ -64,33 +72,23 @@ jobs:
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: 🛠️ Cleaning the workspace.
        shell: bash
        run: |
          set -euo pipefail
          git reset --hard
          git clean -fd
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
-          mkdir -m 700 "${GNUPGHOME}"
+          mkdir -m 0700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
@@ -98,10 +96,9 @@ jobs:
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
@@ -109,22 +106,19 @@ jobs:
          git config gpg.format openpgp
      - name: ⚙️ Convert APT sources to HTTPS.
        shell: bash
        run: |
          set -euo pipefail
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
-      - name: 🛠️ Install dependencies.
+      - name: 🔧 Install dependencies.
        shell: bash
        run: |
          ### Install grep with Perl-regex support, falls noch nicht vorhanden
-          apt-get update
+          apt-get update  -qq
          apt-get upgrade -y
          apt-get install -y grep
      - name: 🔍 Lint shell scripts
        shell: bash
        run: |
          # -------------------------------
          # STEP 1: Find target files.
@@ -254,7 +248,6 @@ jobs:
          fi
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -263,12 +256,11 @@ jobs:
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
@@ -280,8 +272,7 @@ jobs:
          git status
          git log --oneline -n 5
-      - name: 🛠️ Restore stashed changes.
+      - name: 🔧 Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -290,7 +281,6 @@ jobs:
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -299,12 +289,11 @@ jobs:
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
@@ -316,7 +305,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-linter_char_scripts.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🛡️ Shell Script Linting [skip ci]
@@ -335,7 +324,6 @@ jobs:
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.392.2025.11.07
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
@@ -28,24 +28,32 @@ jobs:
    name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
    runs-on: ubuntu-latest
-    steps:
+    defaults:
-      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+      run:
        shell: bash
        working-directory: ${{ github.workspace }}
    steps:
      - name: 🕑 Waiting random time to desynchronize parallel workflows.
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
-          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        run: |
          set +x
          set -euo pipefail
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
@@ -56,33 +64,23 @@ jobs:
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: 🛠️ Cleaning the workspace.
        shell: bash
        run: |
          set -euo pipefail
          git reset --hard
          git clean -fd
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
-          mkdir -m 700 "${GNUPGHOME}"
+          mkdir -m 0700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
@@ -90,10 +88,9 @@ jobs:
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
@@ -101,38 +98,32 @@ jobs:
          git config gpg.format openpgp
      - name: ⚙️ Convert APT sources to HTTPS.
        shell: bash
        run: |
          set -euo pipefail
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
-      - name: 🛠️ Install DNSViz.
+      - name: 🔧 Install DNSViz.
        shell: bash
        run: |
          sudo apt-get update
          sudo apt-get install -y dnsviz
      - name: ⚙️ Ensure docs/SECURITY/ directory exists.
        shell: bash
        run: |
          mkdir -p docs/SECURITY/
          rm -f docs/SECURITY/coresecret.dev.png
-      - name: 🛠️ Prepare DNS Cache.
+      - name: 🔧 Prepare DNS Cache.
        shell: bash
        run: |
          sudo apt-get install -y dnsutils
          dig +dnssec +multi coresecret.dev @8.8.8.8
-      - name: 🛠️ Retrieve Zone Dump and generate .png Visualization.
+      - name: 🔧 Retrieve Zone Dump and generate .png Visualization.
        shell: bash
        run: |
          dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json
          dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -141,12 +132,11 @@ jobs:
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
@@ -158,8 +148,7 @@ jobs:
          git status
          git log --oneline -n 5
-      - name: 🛠️ Restore stashed changes.
+      - name: 🔧 Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -168,7 +157,6 @@ jobs:
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -176,12 +164,11 @@ jobs:
          git add docs/SECURITY/*.png || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
@@ -193,7 +180,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dnssec-status.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🛡️ Auto-Generate DNSSEC Status [skip ci]
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.392.2025.11.07
 name: 🔁 Render Graphviz Diagrams.
@@ -29,24 +29,32 @@ jobs:
    name: 🔁 Render Graphviz Diagrams.
    runs-on: ubuntu-latest
-    steps:
+    defaults:
-      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+      run:
        shell: bash
        working-directory: ${{ github.workspace }}
    steps:
      - name: 🕑 Waiting random time to desynchronize parallel workflows.
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
-          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        run: |
          set +x
          set -euo pipefail
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
@@ -57,33 +65,23 @@ jobs:
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        shell: bash
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
      - name: 🛠️ Cleaning the workspace.
        shell: bash
        run: |
          set -euo pipefail
          git reset --hard
          git clean -fd
      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
-          mkdir -m 700 "${GNUPGHOME}"
+          mkdir -m 0700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
@@ -91,10 +89,9 @@ jobs:
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
        shell: bash
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
@@ -102,21 +99,18 @@ jobs:
          git config gpg.format openpgp
      - name: ⚙️ Convert APT sources to HTTPS.
        shell: bash
        run: |
          set -euo pipefail
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
-      - name: 🛠️ Install Graphviz.
+      - name: 🔧 Install Graphviz.
        shell: bash
        run: |
          set -euo pipefail
          sudo apt-get update
          sudo apt-get install -y graphviz
-      - name: 🛠️ Render all .dot / .gv to PNG.
+      - name: 🔧 Render all .dot / .gv to PNG.
        shell: bash
        run: |
          set -euo pipefail
          find . -type f \( -name "*.dot" -o -name "*.gv" \) | while read file; do
@@ -125,7 +119,6 @@ jobs:
          done
      - name: 🚧 Stash local changes (including untracked).
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -134,12 +127,11 @@ jobs:
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
      - name: 🔄 Sync with remote before commit using merge strategy.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
          echo "🔄 Fetching origin/master ..."
          git fetch origin master
@@ -151,8 +143,7 @@ jobs:
          git status
          git log --oneline -n 5
-      - name: 🛠️ Restore stashed changes.
+      - name: 🔧 Restore stashed changes.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -161,7 +152,6 @@ jobs:
          git stash pop || echo "✔️ Nothing to pop."
      - name: 📦 Stage generated files.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -169,12 +159,11 @@ jobs:
          git add *.png || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
@@ -186,7 +175,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dot-to-png.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
            COMMIT_MSG="DEPLOY BOT   : 🔁 Auto-Generate PNG from *.dot. [skip ci]
@@ -205,7 +194,6 @@ jobs:
          fi
      - name: 🔁 Push back to repository.
        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
--- a/.gitignore
+++ b/.gitignore
@@ -10,7 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 .checklist/
 .idea/
 build/
 out/
 target/
 *.DS_Store
--- a/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.gpg
+++ b/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.gpg
--- a/.pubkey/marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc
+++ b/.pubkey/marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc
@@ -0,0 +1,21 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mEkFaQzeVBYAAAA/AytlcQHGPz+Tku/rFh5KSbHE465pYWjWOWSl26vKCk5HNMX6
 y2MGyUUbm5tVYHymp3EYbRBS8dJ+qKCKrzyAtDJNYXJjIFMuIFdlaWRuZXIgREVQ
 TE9ZIDxtc3crZGVwbG95QGNvcmVzZWNyZXQuZGV2PojNBRMWCABNIiEFmAiaRyzP
 RgHNUdfHCV02U1KW6hS43pIZhyPE3GBuj3YFAmkM3lQCGwMFCQfPlNwFCwkIBwIC
 IgIGFQoJCAsCBBYCAwECHgcCF4AAAA+GAcduwdOub1yMWc0o5e1qdkI/8Pv9jqYF
 P46Ko2UU24Q3AaYC5oBFyD4sKf4ojosYovs4fzrZCXqbH4ABxi0kmYEUZT11L+Ex
 AfiwNvJBCzlcvLzdK7A+ZBDgdaV5pybSN4/ZnUKkUSzZV/6odcVM2LtqkbAHAIjU
 BRAWCABUIiEFb9PDFk6t5GIBJKfozM13iXXLB7VAp8veRtbuNEidacIFAmkM3vEF
 gwfP84AkFIAAAAAADQAOcmVtQGdudXBnLm9yZ0NlbnR1cmlvbixDSUNBAACKBAHI
 5t3aZSnSERrnAZ3rwxItsTB9KeTVdtRnpxyZ7leBf4987ECcfwDDozkDGFo2cJwg
 eKPRloMif1eAAcjOdUXeunlNBTlPlyOBk0ukWT5SgVeZUl5bsNRgJWu7MoNiT9vQ
 M7gJjlyYcVoMZ47G7TA9Z+goJwC4TAVpDN5UEgAAAEIDK2VvAcCPfkOJzBvvplco
 PXb8jg4AsJXU10wHSucHMdR2R26+IJTCAYU6d3O47wTBr6QFc5HRgDZcf6FngQMB
 CgmIsgUYFggAMiIhBZgImkcsz0YBzVHXxwldNlNSluoUuN6SGYcjxNxgbo92BQJp
 DN5UAhsMBQkHz5TcAABuDQHI5Zp2rsRwc0WR0WaaQOIFh7KdL7x3dHljJ5u2m6Zc
 pzmlnZGuCTe0BmVzECJhq7Yqi+ajENbWOc+AAcUbToifr1VvbgZgUDtA+f2IlHRM
 ovaAOH5ED+DHy6OjEmBG43ZIPQbsbD4td5VIZoi+f6npZrhXNQA=
 =Q67G
 -----END PGP PUBLIC KEY BLOCK-----
--- a/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.gpg
+++ b/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.gpg
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.142.2025.10.14"
+properties_version="V8.13.392.2025.11.07"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.142.2025.10.14
+PackageVersion: Master V8.13.392.2025.11.07
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/LINTER_RESULTS.txt
+++ b/LINTER_RESULTS.txt
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-11-07; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-10-14T19:37:03Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-11-07T21:41:53Z"
 ⚠️ The last linter check was NOT successful. ⚠️
--- a/LIVE_ISO.public
+++ b/LIVE_ISO.public
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-29; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-10-14T22:23:27Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-10-29T11:15:54Z"
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_10_14T21_30_07Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_10_29T10_21_17Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  442037d11eb48f4adbd1a3da17cf36062ec6be816627c38fe814458840020f212c551b96d5e785c4372fa09fc11fd9529f34166530b1e1f5ce9335abadb5f771
+  c4694bb55c7571df893dace7469ca4f90693eb61922508e6e5795cb442c01f2e487d055f23c27f3d1226bdd30aa4f5522af07addfc16b6f7d3224394590bd591
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaO7NXwAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaQH3agAKCRA85KY4hzOw
-IT3LAP4uP8glLMDEpUntKJQTiPqSYjGUyIFoKmsgALGPJcnnoQD/fcz4Mq12mF32
+IbCaAP9Dqt8oESXBWNUgzCBDmBc/uZgDKJ/Ve/oIXsUGIfIqnwD/fovruI1dvGen
-jf4ETKQBqlxuQyLTPvPFhLsrBbDD0AI=
+4p02K+Dc5sf9sdU0IjMDrWVZAj8uBA0=
-=/UNR
+=ieyd
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_TRIXIE_0.private
+++ b/LIVE_ISO_TRIXIE_0.private
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-29; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-10-14T20:32:28Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-10-29T09:24:32Z"
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_10_14T19_36_59Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_10_29T08_29_04Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  57559f9b9c5e50dad6a5b2023d992c26b8f4d25dd0d45ffa5cfd479ee623287e2c2eead70016267b848c5910db5ba5c4e2dfeeb12cca6f59fe455dad886c51d9
+  ad752b68cdab5061e2c2158712fb76e0504576e596c9806122e549fbd47e1f8de7d081b3a3558753921da2999037e4f257d414f56f8bdd2cc57b1fe995ab2e61
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaO6zXAAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaQHdUAAKCRA85KY4hzOw
-Idq2AQDRmgHRGnX1bn+cNV5JirecSke0IAwlAjEXOl4tFoQlewEA0s2R1A3OQjIq
+IRbbAQCwd0usM0VdfdTuTyM3ffQfG5wxFGbDpdAGukFX+Lyd6gEAj3O8WDP/uQXd
-fAhdl2wltVNT5+jUg6EUj3FE3kVPaQo=
+T6N/z0S5YKL1jud5aZ35Bio9IktP1gE=
-=fmxg
+=8DQk
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_TRIXIE_1.private
+++ b/LIVE_ISO_TRIXIE_1.private
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-29; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-10-14T21:28:34Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-10-29T21:52:45Z"
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_10_14T20_33_51Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_10_29T20_59_34Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  4a47a1ed0986b67774047b2bfc6fdd53753fa8f301f8376b23ccde1f5187aeffbca7fce3194a3d7b61278630291a1d2d954a289da712c064326eb6b7020c228c
+  c2b295aa3bd7ccfbe6c83aa27aeeace796251ad93ebfbf999bc6b1ae7c3c881efeeeda5e9235c5f5b7ad022ee465bc61e04c46906c6a7ca79214866ae62e160d
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaO7AggAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaQKMrQAKCRA85KY4hzOw
-IWpdAP4xCxUP4V0lOBE1u7+wEOoEmXiRC10Va4Hf2UXjH1BSVwEAsz/cMaGt+rJT
+ISgMAQDy82Yr4/F3cI/ZzLQJyoFSY2qgPl8d84eJZFhhTFpD3AEAmMBws55fQAzz
-q0i+5EftPavvIst48aXQsp7QKjyNewM=
+Q9DBRAvRYgMDLmqsog+m3FEH7cXtDAg=
-=x3/T
+=o+0d
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.142.2025.10.14-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.392.2025.11.07-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -11,8 +11,9 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
 &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.6-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.25.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Runner-0.2.13-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.4-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
@@ -26,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.392.2025.11.07<br>
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -151,7 +152,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V8.13.142.2025.10.14`
+Example: `V8.13.392.2025.11.07`
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
@@ -290,7 +291,7 @@ apply or revert these controls.
 * **Description**: The SSH tunnel and access are secured through multiple layers of defense:
  * **Firewall Restriction**: ufw allows connections only from defined jump host or VPN exit node IPs.
  * **TCP Wrappers**: `/etc/hosts.allow` and `/etc/hosts.deny` enforce an `ALL: ALL` deny policy, permitting only specified hosts.
-  * **One-Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/centurion-default.conf` immediately bans any host 
+  * **One-Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/ciss-default.conf` immediately bans any host 
    that touches closed ports. 
    * Additionally, the `fail2ban` service is hardened as well according to:
    [Arch Linux Wiki Fail2ban Hardening](https://wiki.archlinux.org/title/fail2ban#Service_hardening) 
@@ -439,9 +440,9 @@ predictable script behavior.
 2. Preparation:
   1. Ensure you are root.
-   2. Create the build directory `mkdir /opt/livebuild`.
+   2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`.
-   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
+   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
-   4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
+   4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
   5. Make any other changes you need to.
 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
@@ -449,20 +450,28 @@ predictable script behavior.
   ````bash
   chmod 0700 ./ciss_live_builder.sh
   timestamp=$(date -u +%Y-%m-%dT%H:%M:%S%z)
-   ./ciss_live_builder.sh --architecture amd64 \
+   ./ciss_live_builder.sh \
-                          --build-directory /opt/livebuild \
+     --architecture amd64 \
     --autobuild=6.16.3+deb13-amd64 \
     --build-directory /opt/cdlb \
     --cdi \
     --change-splash hexagon \
     --control "${timestamp}" \
                          --cdi \
     --debug \
     --dhcp-centurion \
     --jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \
     --key_age=keys.txt \
     --key_luks=luks.txt \
     --provider-netcup-ipv6 [c0de:4711:0815:4242::ffff] \
                          --renice-priority "-19" \
     --reionice-priority 1 2 \
-                          --root-password-file /opt/gitea/CISS.debian.live.builder/password.txt \
+     --renice-priority "-19" \
     --root-password-file /dev/shm/cdlb_secrets/password.txt \
     --signing_key_fpr=98089A472CCF4601CD51D7C7095D36535296EA14B8DE92198723C4DC606E8F76 \
     --signing_key_pass=signing_key_pass.txt \
     --signing_key=signing_key.asc \
     --ssh-port 4242 \
-                          --ssh-pubkey /opt/gitea/CISS.debian.live.builder \
+     --ssh-pubkey /dev/shm/cdlb_secrets \
     --sshfp \
     --trixie
   ````
@@ -487,9 +496,9 @@ preview it or run it.
 2. Preparation:
   1. Ensure you are root.
-   2. Create the build directory `mkdir /opt/livebuild`.
+   2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`.
-   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
+   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
-   4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
+   4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
   5. Copy and edit the sample and set your options (no spaces around commas in lists): 
    ````bash
@@ -497,10 +506,10 @@ preview it or run it.
    ````
    ````bash
-    BUILD_DIR=/opt/livebuild
+    BUILD_DIR=/opt/cdlb
-    ROOT_PASSWORD_FILE=/opt/gitea/CISS.debian.live.builder/password.txt
+    ROOT_PASSWORD_FILE=/dev/shm/cdlb_secrets/password.txt
    SSH_PORT=4242
-    SSH_PUBKEY=/root/.ssh
+    SSH_PUBKEY=/dev/shm/cdlb_secrets
    # Optional
    PROVIDER_NETCUP_IPV6=2001:cdb::1
@@ -533,7 +542,7 @@ preview it or run it.
            ### Private Key
            echo "${{ secrets.CHANGE_ME }}" >| ~/.ssh/id_ed25519
-            chmod 600 ~/.ssh/id_ed25519
+            chmod 0600 ~/.ssh/id_ed25519
  #...
        ### https://github.com/actions/checkout/issues/1843
        - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
--- a/REPOSITORY.md
+++ b/REPOSITORY.md
@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.392.2025.11.07<br>
 # 2.1. Repository Structure
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **8.13**, Build **V8.13.142.2025.10.14** (as of 2025-10-11)
+**Repository State:** Master Version **8.13**, Build **V8.13.392.2025.11.07** (as of 2025-10-11)
 ## 2.2. Top-Level Layout
@@ -69,7 +69,7 @@ CISS.debian.live.builder/
 ### 2.3.2. `config/` — Live-Build Configuration
 - **`bootloaders/`**: Boot assets for GRUB in EFI and PC modes, incl. a branded splash image.
- **`hooks/live/`**: **Ordered** `*.chroot` hooks implementing system configuration and hardening during image creation; the numeric prefixes dictate execution (e.g., `0000_basic_chroot_setup.chroot`, `0810_chrony_setup.chroot`, `0900_ufw_setup.chroot`, `9930_hardening_ssh.chroot`, `9950_fail2ban_hardening.chroot`).
+- **`hooks/live/`**: **Ordered** `*.chroot` hooks implementing system configuration and hardening during image creation; the numeric prefixes dictate execution (e.g., `0000_basic_chroot_setup.chroot`, `0810_chrony_setup.chroot`, `0900_ufw_setup.chroot`, `9930_hardening_ssh.chroot`, `9950_hardening_fail2ban.chroot`).
 - **`includes.binary/boot/grub/`**: Static GRUB configuration embedded in the binary image (`config.cfg`).
 - **`includes.chroot/`**: Files copied into the live system’s root:
  - `etc/` (APT configuration, `live/`, `modprobe.d/`, network, SSH, `sysctl.d/`, systemd drop-ins, banners),
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -22,23 +22,19 @@
 ### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES.
 # shellcheck disable=SC2155
 declare -agx  ARY_PARAM_ARRAY=("$@")                                     # Arguments passed to script as an array.
 declare -girx VAR_START_TIME="${SECONDS}"                                # Start time of script execution.
 declare -grx  VAR_PARAM_COUNT="$#"                                       # Arguments passed to script.
 declare -grx  VAR_PARAM_STRNG="$*"                                       # Arguments passed to script as string.
 declare -ag   ARY_PARAM_ARRAY=("$@")                                     # Arguments passed to script as an array.
 declare -grx  VAR_SETUP_FILE="${0##*/}"                                  # 'ciss_debian_live_builder.sh'
-declare -grx  VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)"          # '/opt/git/CISS.debian.live.builder'
+declare -grx  VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/root/git/CISS.debian.live.builder/ciss_debian_live_builder.sh'
-declare -grx  VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/opt/git/CISS.debian.live.builder/ciss_debian_live_builder.sh'
+declare -grx  VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)"          # '/root/git/CISS.debian.live.builder'
-# shellcheck disable=SC2155
+declare -grx  VAR_TMP_SECRET="/dev/shm/cdlb_secrets"                     # Fixed tmpfs path to store securely build artifacts.
-declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
+declare -grx  VAR_WORKDIR="$(dirname "${VAR_SETUP_FULL}")"               # '/root/git/CISS.debian.live.builder'
 # shellcheck disable=SC2155
 declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
 # shellcheck disable=SC2155
 declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 ### PRELIMINARY CHECKS.
 ### No ash, dash, ksh, sh.
-# shellcheck disable=2292
+# shellcheck disable=SC2292
 [ -z "${BASH_VERSINFO[0]}" ] && {
  . ./var/global.var.sh
  printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2
@@ -60,7 +56,7 @@ declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 }
 ### Check to be not called by sh.
-# shellcheck disable=2312
+# shellcheck disable=SC2312
 [[ $(kill -l | grep -c SIG) -eq 0 ]] && {
  . ./var/global.var.sh
  printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2
@@ -95,30 +91,40 @@ declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
  exit 1
 }
-### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT()
+### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING().
 . ./var/early.var.sh
 . ./lib/lib_guard_sourcing.sh
 . ./lib/lib_source_guard.sh
 source_guard "./lib/lib_git_var.sh"
-### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG
+### SECURING ENVIRONMENT.
 source_guard "./var/bash.var.sh"
 ### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG.
 for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh   ; contact; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh     ; usage  ; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh   ; version; exit 0;; esac; done
 ### ALL CHECKS DONE. READY TO START THE SCRIPT
 source_guard "./var/bash.var.sh"
 check_git
 for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done
 declare -gx VAR_SETUP="true"
-### SOURCING VARIABLES
+### ALL CHECKS DONE. READY TO START THE SCRIPT.
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
 declare -grx VAR_SETUP="true"
 ### SECURING SECRETS ARTIFACTS.
 test ! -L "${VAR_TMP_SECRET}" || {
  . ./var/global.var.sh
  printf "\e[91m❌ Refusing symlink: '%s'! Bye... \e[0m\n" "${VAR_TMP_SECRET}" >&2
  exit "${ERR_SECRETSSYM}"
 }
 find "${VAR_TMP_SECRET}" -type f -exec chmod 0400 {} +
 find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
 ### SOURCING VARIABLES.
 [[ "${VAR_SETUP}" == true ]] && {
  source_guard "./var/color.var.sh"
  source_guard "./var/global.var.sh"
 }
-### SOURCING LIBRARIES
+### SOURCING LIBRARIES.
 [[ "${VAR_SETUP}" == true ]] && {
  source_guard "./lib/lib_arg_parser.sh"
  source_guard "./lib/lib_arg_priority_check.sh"
@@ -130,29 +136,37 @@ declare -gx VAR_SETUP="true"
  source_guard "./lib/lib_check_kernel.sh"
  source_guard "./lib/lib_check_pkgs.sh"
  source_guard "./lib/lib_check_provider.sh"
  source_guard "./lib/lib_check_secrets.sh"
  source_guard "./lib/lib_check_stats.sh"
  source_guard "./lib/lib_check_var.sh"
  source_guard "./lib/lib_ciss_upgrades_boot.sh"
  source_guard "./lib/lib_ciss_upgrades_build.sh"
  source_guard "./lib/lib_clean_screen.sh"
  source_guard "./lib/lib_clean_up.sh"
  source_guard "./lib/lib_copy_integrity.sh"
  source_guard "./lib/lib_gnupg.sh"
  source_guard "./lib/lib_hardening_root_pw.sh"
-  source_guard "./lib/lib_hardening_ssh.sh"
+  source_guard "./lib/lib_hardening_ssh_tcp.sh"
  source_guard "./lib/lib_hardening_ultra.sh"
  source_guard "./lib/lib_helper_ip.sh"
  source_guard "./lib/lib_lb_build_start.sh"
  source_guard "./lib/lib_lb_config_start.sh"
  source_guard "./lib/lib_lb_config_write.sh"
  source_guard "./lib/lib_lb_config_write_trixie.sh"
  source_guard "./lib/lib_note_target.sh"
  source_guard "./lib/lib_primordial.sh"
  source_guard "./lib/lib_provider_netcup.sh"
  source_guard "./lib/lib_run_analysis.sh"
  source_guard "./lib/lib_sanitizer.sh"
  source_guard "./lib/lib_trap_on_err.sh"
  source_guard "./lib/lib_trap_on_exit.sh"
  source_guard "./lib/lib_update_microcode.sh"
  source_guard "./lib/lib_usage.sh"
 }
-### ADVISORY LOCK
+### CHECKING REQUIRED PACKAGES.
 check_pkgs
 ### ADVISORY LOCK.
 exec 127>/var/lock/ciss_live_builder.lock || {
  printf "\e[91m❌ Cannot open lockfile for writing! Bye... \e[0m\n" >&2
  exit "${ERR_FLOCK_WRTG}"
@@ -163,95 +177,88 @@ if ! flock -x -n 127; then
  exit "${ERR_FLOCK_COLL}"
 fi
-### CHECK FOR AUTOBUILD MODE
+### CHECK FOR AUTOBUILD MODE.
 for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -gx VAR_HANDLER_AUTOBUILD="true"; declare -gx VAR_KERNEL="${arg#*=}";; esac; done; unset arg
 for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *) PATH="${PATH}:${dir}" ;; esac; done; export PATH; unset dir
-### CHECKING REQUIRED PACKAGES
+### DIALOG OUTPUT FOR INITIALIZATION.
 check_pkgs
 ### DIALOG OUTPUT FOR INITIALIZATION
 if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen; fi
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
 ### Updating Status of Dialog Gauge Bar
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
 ### Following the CISS Bash naming and ordering scheme:
-trap 'trap_on_exit "$?"' EXIT
+trap 'trap_on_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT
 trap 'trap_on_err  "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
 arg_check "$@"
 declare -ar  ARY_ARG_SANITIZED=("$@")
-declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
+declare -grx VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
 arg_parser "$@"
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
 clean_ip
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
-### Turn off Dialog Wrapper
+### Turn off the dialog wrapper.
 if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
-### MAIN Program
+### MAIN Program ---------------------------------------------------------------------------------------------------------------
 arg_priority_check
 check_stats
 if ! ${VAR_HANDLER_AUTOBUILD}; then check_provider; fi
 if ! ${VAR_HANDLER_AUTOBUILD}; then check_kernel; fi
-if [[ ! "${VAR_SSHFP}" == "true" ]]; then
+ciss_upgrades_build
-  rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
+hardening_ssh_tcp
  rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
 fi
-check_hooks
+### Preparing the build environment.
 hardening_ssh
 lb_config_start
-if [[ "${VAR_SUITE}" == "bookworm" ]]; then
+### Writing the build configuration.
  lb_config_write
  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_trixie.chroot"
  rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/etc/login.defs"
 else
 lb_config_write_trixie
  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/0003_install_backports.chroot"
  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_bookworm.chroot"
-fi
+### Init GNUPGHOME.
 init_gnupg
-# shellcheck disable=SC2164
+### Integrate primordial SSH identity files.
-cd "${VAR_WORKDIR}"
+init_primordial
 ### Integrate CISS.debian.live.builder repository into build dir.
 hardening_ultra
-hardening_root_pw
+
 ### CISS.debian.installer 'GRUB' and 'autostart' generator.
 cdi
 ### Final CISS.debian.live.builder integrations.
 change_splash
 check_dhcp
-cdi
+ciss_upgrades_boot
-provider_netcup
+hardening_root_pw
 note_target
 provider_netcup
 update_microcode
 x_hooks
 x_remove
-### Start the build process
+### Start the build process ----------------------------------------------------------------------------------------------------
 set +o errtrace
 lb_build_start
 set -o errtrace
 run_analysis
 copy_db
-declare -g VAR_SCRIPT_SUCCESS=true
+declare -grx VAR_SCRIPT_SUCCESS="true"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/.keep
+++ b/config/hooks/.keep
@@ -0,0 +1,10 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/0000_basic_chroot_setup.chroot
+++ b/config/hooks/live/0000_basic_chroot_setup.chroot
@@ -13,15 +13,227 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-export DEBIAN_FRONTEND="noninteractive"
+# shellcheck disable=SC2155
-apt-get update -qq
+declare -gx VAR_DATE="$(date +%F)"
-mkdir -p /root/.ciss/dlb/{backup,log}
+#######################################
-chmod 0700 /root/.ciss/dlb/{backup,log}
+# Generates '/etc/default/ciss-xdg-profile'
 # Globals:
 #   None
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 generate_ciss_xdg_profile() {
  cat << EOF >> /etc/default/ciss-xdg-profile
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # Default toggles for ciss-xdg-profile
 # 1 = enable, 0 = disable
 ENABLE_XDG_BASH_HISTORY=1
 ENABLE_XDG_LESS_HISTORY=1
 ENABLE_XDG_ZSH_HISTORY=1
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
  chmod 0644 /etc/default/ciss-xdg-profile
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f generate_ciss_xdg_profile
 #######################################
 # Generates '/etc/profile.d/ciss-xdg.sh'
 # Globals:
 #   None
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 generate_ciss_xdg_sh() {
  cat << EOF >| /etc/profile.d/ciss-xdg.sh
 #!/bin/sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 EOF
  cat << 'EOF' >> /etc/profile.d/ciss-xdg.sh
 # shellcheck shell=sh
 # This file is sourced by login shells via '/etc/profile'. Keep POSIX sh compatible.
 ### XDG variables (do not override if already set).
 export XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
 export XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
 export XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
 export XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
 export XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
 export XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
 ### XDG_RUNTIME_DIR is provided by systemd-logind; do not set a persistent path.
 # shellcheck disable=SC2312
 if [ -z "${XDG_RUNTIME_DIR:-}" ] && [ -d "/run/user/$(id -u)" ]; then
  # shellcheck disable=SC2155
  export XDG_RUNTIME_DIR="/run/user/$(id -u)"
 fi
 ### Create canonical directories idempotently with 0700.
 _xdg_umask="$(umask)"
 umask 077
 [ -d "${XDG_CONFIG_HOME}"     ] || install -d -m 0700 -- "${XDG_CONFIG_HOME}"
 [ -d "${XDG_DATA_HOME}"       ] || install -d -m 0700 -- "${XDG_DATA_HOME}"
 [ -d "${XDG_CACHE_HOME}"      ] || install -d -m 0700 -- "${XDG_CACHE_HOME}"
 [ -d "${XDG_STATE_HOME}"      ] || install -d -m 0700 -- "${XDG_STATE_HOME}"
 umask "${_xdg_umask}"
 unset _xdg_umask
 ### Optional migrations (controlled via /'etc/default/ciss-xdg-profile').
 [ -f /etc/default/ciss-xdg-profile ] && . /etc/default/ciss-xdg-profile
 ### Bash history -> XDG_STATE_HOME (only if running bash).
 if [ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ] && [ -n "${BASH_VERSION:-}" ]; then
  [ -d "${XDG_STATE_HOME}/bash" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/bash"
  export HISTFILE="${XDG_STATE_HOME}/bash/history"
 fi
 ### Less history -> XDG_STATE_HOME
 if [ "${ENABLE_XDG_LESS_HISTORY:-1}" = "1" ]; then
  [ -d "${XDG_STATE_HOME}/less" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/less"
  export LESSHISTFILE="${XDG_STATE_HOME}/less/history"
 fi
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
  chmod 0755 /etc/profile.d/ciss-xdg.sh
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f generate_ciss_xdg_sh
 #######################################
 # Generates '/root/ciss_xdg_tmp.sh'
 # Globals:
 #   None
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 generate_ciss_xdg_tmp_sh() {
  cat << EOF >| /root/ciss_xdg_tmp.sh
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### XDG variables (do not override if already set).
 EOF
  cat << 'EOF' >> /root/ciss_xdg_tmp.sh
 set -a
 # shellcheck disable=SC2034
 XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
 # shellcheck disable=SC2034
 XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
 # shellcheck disable=SC2034
 XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
 # shellcheck disable=SC2034
 XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
 # shellcheck disable=SC2034
 XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
 # shellcheck disable=SC2034
 XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
 ### Optional migrations (controlled via /etc/default/ciss-xdg-profile).
 [[ -f /etc/default/ciss-xdg-profile ]] && . /etc/default/ciss-xdg-profile
 ### Bash history -> XDG_STATE_HOME (only if running bash).
 if [[ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ]] && [[ -n "${BASH_VERSION:-}" ]]; then
  HISTFILE="${XDG_STATE_HOME}/bash/history"
 fi
 set +a
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
  chmod 0700 /root/ciss_xdg_tmp.sh
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f generate_ciss_xdg_tmp_sh
 generate_ciss_xdg_profile
 generate_ciss_xdg_sh
 generate_ciss_xdg_tmp_sh
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get update -qq
 apt-get install -y --no-install-suggests libpam-systemd
 if [[ -f /root/.architecture ]]; then
  apt-get install -y --no-install-suggests amd64-microcode intel-microcode
  rm -f /root/.architecture
 fi
 if [[ -f /root/.architecture ]]; then
  :
 fi
 mkdir -p /root/.ciss/cdlb/{backup,log,private_keys}
 chmod 0700 /root/.ciss/cdlb/{backup,log,private_keys}
 mkdir -p /root/git
 chmod 0700 /root/git
 mkdir -p /etc/ciss/keys
 chmod 0755 /etc/ciss/keys
 ### Mask apt show version unit and timer.
 ln -sf /dev/null /etc/systemd/system/apt-show-versions.timer
 ln -sf /dev/null /etc/systemd/system/apt-show-versions.service
 rm -f /etc/cron.daily/apt-show-versions || true
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -53,14 +53,15 @@ grep_nic_driver_modules() {
  return 0
 }
-export DEBIAN_FRONTEND="noninteractive"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y intel-microcode amd64-microcode
 # shellcheck disable=SC2155
-declare nic_driver="$(grep_nic_driver_modules)"
+declare nic_driver="$(grep_nic_driver_modules)" VAR_DATE="$(date +%F)"
 cat << EOF >| /etc/initramfs-tools/modules
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -82,19 +83,10 @@ cat << EOF >| /etc/initramfs-tools/modules
 # raid1
 # sd_mod
-### Load AppArmor early:
+### AppArmor -------------------------------------------------------------------------------------------------------------------
 apparmor
-### Entropy source for '/dev/random':
+### btrfs ----------------------------------------------------------------------------------------------------------------------
 jitterentropy_rng
 rng_core
 ### Live-ISO-Stack:
 loop
 squashfs
 overlay
 ### Main btrfs-Stack:
 btrfs
 lzo
 xor
@@ -102,28 +94,7 @@ xxhash
 zstd
 zstd_compress
-### Main ext4-Stack:
+### cryptography ---------------------------------------------------------------------------------------------------------------
 ext4
 jbd2
 libcrc32c
 ### Main VFAT/ESP/FAT/UEFI-Stack:
 exfat
 fat
 nls_ascii
 nls_cp437
 nls_iso8859-1
 nls_iso8859-15
 nls_utf8
 vfat
 ### Device mapper, encryption & integrity:
 dm_mod
 dm_crypt
 dm_integrity
 dm_verity
 ### Main cryptography-Stack:
 aes_generic
 blake2b_generic
 crc32c_generic
@@ -133,54 +104,106 @@ sha256_generic
 sha512_generic
 xts
-### QEMU Bochs-compatible virtual machine support:
+### cryptsetup -----------------------------------------------------------------------------------------------------------------
-bochs
+dm_crypt
 dm_integrity
 dm_mod
 dm_verity
-### RAID6 parity generation module:
+### Entropy --------------------------------------------------------------------------------------------------------------------
-raid6_pq
+jitterentropy_rng
 rng_core
-### Combined RAID4/5/6 support module:
+### ESP/FAT/UEFI ---------------------------------------------------------------------------------------------------------------
-raid456
+exfat
 fat
 nls_ascii
 nls_cp437
 nls_iso8859-1
 nls_iso8859-15
 nls_utf8
 vfat
-### SCSI/SATA-Stack:
+### ext4 -----------------------------------------------------------------------------------------------------------------------
-sd_mod
+ext4
-sr_mod
+jbd2
-sg
+libcrc32c
 ahci
 libahci
 ata_generic
 libata
 scsi_mod
 scsi_dh_alua
-### NVMe-Stack:
+### Live-ISO -------------------------------------------------------------------------------------------------------------------
 loop
 squashfs
 overlay
 #### nftables ------------------------------------------------------------------------------------------------------------------
 #nf_log_common  # built-in
 #nft_counter    # built-in
 #nft_icmp       # built-in
 #nft_icmpv6     # built-in
 #nft_meta       # built-in
 #nft_set_hash   # built-in
 #nft_set_rbtree # built-in
 #nft_tcp        # built-in
 #nft_udp        # built-in
 nf_conntrack
 nf_nat
 nf_reject_ipv4
 nf_reject_ipv6
 nf_tables
 nfnetlink
 nfnetlink_log
 nft_ct
 nft_limit
 nft_log
 nft_masq
 nft_nat
 nft_reject_inet
 ### NVMe -----------------------------------------------------------------------------------------------------------------------
 nvme
 nvme_core
-### USB-Stack:
+### QEMU -----------------------------------------------------------------------------------------------------------------------
-xhci_pci
+bochs
-xhci_hcd
+
 ### RAID -----------------------------------------------------------------------------------------------------------------------
 raid456
 raid6_pq
 ### SCSI/SATA ------------------------------------------------------------------------------------------------------------------
 ahci
 ata_generic
 libahci
 libata
 scsi_dh_alua
 scsi_mod
 sd_mod
 sg
 sr_mod
 ### USB ------------------------------------------------------------------------------------------------------------------------
 ehci_pci
 ohci_pci
 uas
 uhci_hcd
 usb_storage
-uas
+xhci_hcd
 xhci_pci
-### Virtual-Machines-Stack:
+### Virtual --------------------------------------------------------------------------------------------------------------------
 virtio_pci
 virtio_blk
 virtio_scsi
 virtio_rng
 virtio_console
 virtio_pci
 virtio_rng
 virtio_scsi
-### Network Driver Host-machine:
+### Network Driver Host-machine ------------------------------------------------------------------------------------------------
 "${nic_driver}"
 EOF
-cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
+cat << EOF >| /etc/initramfs-tools/update-initramfs.conf
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -201,7 +224,7 @@ cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
 # If set to all update-initramfs will update all initramfs
 # If set to no disables any update to initramfs besides kernel upgrade
-update_initramfs=yes
+update_initramfs=all
 #
 # backup_initramfs [ yes | no ]
@@ -213,9 +236,9 @@ backup_initramfs=no
 EOF
-cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
+cat << EOF >| /etc/initramfs-tools/initramfs.conf
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -277,10 +300,10 @@ COMPRESS=zstd
 # Defaults vary by compressor.
 #
 # Valid values are:
-# 1-9 for gzip|bzip2|lzma|lzop
+# 1...9 for gzip|bzip2|lzma|lzop
-# 0-9 for  lz4|xz
+# 0...9 for  lz4|xz
-# 0-19 for zstd
+# 0...19 for zstd
-# COMPRESSLEVEL=3
+COMPRESSLEVEL=16
 #
 # DEVICE: ...
@@ -317,10 +340,10 @@ FSTYPE=auto
 EOF
-cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
+cat << EOF >| /etc/initramfs-tools/hooks/ciss_debian_live_builder
 #!/bin/sh
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -330,31 +353,114 @@ cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 EOF
 cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
 set -e
 printf "\e[95mStarting: [ciss_debian_live_builder] \n\e[0m"
 PREREQ=""
-prereqs() { echo "$PREREQ"; }
+prereqs() { echo "${PREREQ}"; }
-case $1 in
+# shellcheck disable=SC2249
 case "${1}" in
  prereqs) prereqs; exit 0 ;;
 esac
 . /usr/share/initramfs-tools/hook-functions
 mkdir -p "${DESTDIR}/bin" "${DESTDIR}/usr/bin" "${DESTDIR}/usr/local/bin"
-# Include Bash
+### Ensure directory structure in initramfs
-copy_exec /usr/bin/bash /usr/bin
+mkdir -p "${DESTDIR}/etc/ciss/keys"
 mkdir -p "${DESTDIR}/etc/initramfs-tools/conf.d"
 mkdir -p "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
 mkdir -p "${DESTDIR}/usr/bin"
 mkdir -p "${DESTDIR}/usr/local/bin"
 mkdir -p "${DESTDIR}/usr/sbin"
 # Include lsblk (block device information tool)
 copy_exec /usr/bin/lsblk /usr/bin
-# Include udevadm (udev management tool)
+### Include bash
-copy_exec /usr/bin/udevadm /usr/bin
+copy_exec /usr/bin/bash /usr/bin/bash
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/bash /usr/bin/bash] \n\e[0m"
 ### Include blkid
 copy_exec /usr/sbin/blkid /usr/sbin/blkid
 printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/blkid /usr/sbin/blkid] \n\e[0m"
 ### Include busybox
 copy_exec /usr/bin/busybox /usr/busybox
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/busybox] \n\e[0m"
 ### Include GNU coreutils 'sort' (has -V)
 copy_exec /usr/bin/sort /usr/bin/sort
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sort /usr/bin/sort] \n\e[0m"
 ### Include gpgv
 copy_exec /usr/bin/gpgv /usr/bin/gpgv
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpgv /usr/bin/gpgv] \n\e[0m"
 ### Include lsblk
 copy_exec /usr/bin/lsblk /usr/bin/lsblk
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/lsblk /usr/bin/lsblk] \n\e[0m"
 ### Include mkpasswd
 copy_exec /usr/bin/mkpasswd /usr/mkpasswd
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/mkpasswd] \n\e[0m"
 copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd] \n\e[0m"
 ### Include udevadm (udev management tool)
 copy_exec /usr/bin/udevadm /usr/bin/udevadm
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/udevadm /usr/bin/udevadm] \n\e[0m"
 ### Include sha384sum, sha512sum
 copy_exec /usr/bin/sha384sum /usr/bin/sha384sum
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha384sum /usr/bin/sha384sum ] \n\e[0m"
 copy_exec /usr/bin/sha512sum /usr/bin/sha512sum
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha512sum /usr/bin/sha512sum] \n\e[0m"
 ### Include tree
 copy_exec /usr/bin/tree /usr/bin/tree
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/tree /usr/bin/tree] \n\e[0m"
 ### Include whois
 copy_exec /usr/bin/whois /usr/bin/whois
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/whois /usr/bin/whois] \n\e[0m"
 ### Link busybox applets for compatibility
 for dir in bin usr/bin; do
  ln -sf busybox "${DESTDIR}/${dir}/cat"
  ln -sf busybox "${DESTDIR}/${dir}/sleep"
 done
 ### Install PGP Signing Keys
 install -m 0444 /etc/ciss/keys/0x8733B021_public.gpg "${DESTDIR}/etc/ciss/keys/0x8733B021_public.gpg"
 printf "\e[92mSuccessfully executed: [install -m 0444 /etc/ciss/keys/0x8733B021_public.gpg %s/etc/ciss/keys/0x8733B021_public.gpg] \n\e[0m" "${DESTDIR}"
 install -m 0444 /etc/ciss/keys/0xE62E84F8_public.gpg "${DESTDIR}/etc/ciss/keys/0xE62E84F8_public.gpg"
 printf "\e[92mSuccessfully executed: [install -m 0444 /etc/ciss/keys/0xE62E84F8_public.gpg %s/etc/ciss/keys/0xE62E84F8_public.gpg] \n\e[0m" "${DESTDIR}"
 printf "\e[92mSuccessfully executed: [ciss_debian_live_builder] \n\e[0m"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder
-### Regenerate the initramfs for the live system kernel
+# TODO: Move to 9999_zzzz.chroot
 ### Regenerate the initramfs for the live system kernel.
 update-initramfs -u -k all -v
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
--- a/config/hooks/live/0002_verify_checksums.chroot
+++ b/config/hooks/live/0002_verify_checksums.chroot
@@ -1,142 +0,0 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 target="/usr/lib/live/boot/0030-verify-checksums"
 src="$(mktemp)"
 if [[ ! -d /usr/lib/live/boot ]]; then
  mkdir -p /usr/lib/live/boot
 fi
 cat << 'EOF' >| "${src}"
 #!/bin/sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Changed version of https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
 ### In case of successful verification of the offered checksums, proceed with booting, else panic.
 ### Inside 0002_verify_checksums.chroot ###
 #######################################
 # Live build ISO with the modified checksum verification script for continuing the boot process.
 # Globals:
 #   LIVE_BOOT_CMDLINE
 #   LIVE_VERIFY_CHECKSUMS
 #   LIVE_VERIFY_CHECKSUMS_DIGESTS
 #   _CHECKSUM
 #   _CHECKSUMS
 #   _DIGEST
 #   _MOUNTPOINT
 #   _PARAMETER
 #   _RETURN
 #   _TTY
 # Arguments:
 #   $1: ${_PARAMETER}
 # Returns:
 #   0 : Successful Verification
 #######################################
 Verify_checksums() {
  for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
    case "${_PARAMETER}" in
      live-boot.verify-checksums=* | verify-checksums=*)
        LIVE_VERIFY_CHECKSUMS="true"
        LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
        ;;
      live-boot.verify-checksums | verify-checksums)
        LIVE_VERIFY_CHECKSUMS="true"
        ;;
    esac
  done
  case "${LIVE_VERIFY_CHECKSUMS}" in
    true) ;;
    *)
      return 0
      ;;
  esac
  _MOUNTPOINT="${1}"
  LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
  _TTY="/dev/tty8"
  log_begin_msg "Verifying checksums"
  # shellcheck disable=SC2164
  cd "${_MOUNTPOINT}"
  for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
    # shellcheck disable=SC2060
    _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
    for _CHECKSUM in ${_CHECKSUMS}; do
      if [ -e "${_CHECKSUM}" ]; then
        echo "Found ${_CHECKSUM}..." > "${_TTY}"
        if [ -e "/bin/${_DIGEST}sum" ]; then
          echo "Checking ${_CHECKSUM}..." > "${_TTY}"
          # Verify checksums
          grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
          _RETURN="${?}"
          # Stop after the first verification
          # break 2
        else
          echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}"
        fi
      fi
    done
  done
  log_end_msg
  case "${_RETURN}" in
    0)
      log_success_msg "Verification sha512 sha384 sha256 successful, continuing booting in 10 seconds."
      sleep 10
      return 0
      ;;
    *)
      panic "Verification failed, $(basename ${_TTY}) for more information."
      ;;
  esac
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 # Copy and make executable
 install -Dm755 "${src}" "${target}"
 rm -f "${src}"
 unset target src
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0003_cdi_autostart.chroot
+++ b/config/hooks/live/0003_cdi_autostart.chroot
@@ -0,0 +1,52 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 if [[ -f /root/.cdi ]]; then
  cat << EOF >| /etc/systemd/system/cdi-starter.service
 [Unit]
 Description=CISS CDI post-boot starter
 Documentation=https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 ConditionPathIsExecutable=/usr/local/sbin/9999-cdi-starter.sh
 After=live-config.service systemd-user-sessions.service getty.target
 After=network-online.target NetworkManager-wait-online.service systemd-networkd-wait-online.service
 Wants=network-online.target
 [Service]
 Type=idle
 ExecStart=/usr/local/sbin/9999-cdi-starter.sh
 TimeoutStartSec=1min
 Nice=5
 IOSchedulingClass=best-effort
 Environment=LANG=C.UTF-8
 StandardOutput=journal
 StandardError=journal
 [Install]
 WantedBy=multi-user.target
 EOF
  chmod 0644 /etc/systemd/system/cdi-starter.service
  systemctl enable cdi-starter.service
  rm -f /root/.cdi
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0007_update_logrotate.chroot
+++ b/config/hooks/live/0007_update_logrotate.chroot
@@ -0,0 +1,77 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 rm -f         "/etc/logrotate.conf"
 cat << EOF >| "/etc/logrotate.conf"
 # See "man logrotate" for details. Global options do not affect preceding include directives.
 # Rotate log files daily
 daily
 # Keep 90 daily worth of backlogs.
 rotate 90
 # Hard cap: delete rotated logs older than 90 days.
 maxage 90
 # Do not rotate the log if it is empty (this overrides the ifempty option).
 notifempty
 # Create new (empty) log files after rotating old ones.
 create
 # Use date as a suffix of the rotated file.
 dateext
 # Use yesterday's instead of today's date to create the dateext extension, so that the rotated log file has a date in its name
 # that is the same as the timestamps within it.
 dateyesterday
 # Enable compression
 compress
 # Use zstd instead of gzip.
 compresscmd /usr/bin/zstd
 # File extension for compressed logs.
 compressext .zst
 # Set zstd level 3 (default).
 compressoptions -20
 # How to decompress for 'logrotate -d' or similar.
 uncompresscmd /usr/bin/unzstd
 # Keep the most recent rotation uncompressed for one cycle.
 delaycompress
 # Delete log files using shred -u instead of unlink().
 shred
 # packages drop log rotation information into this directory
 include /etc/logrotate.d
 # system-specific logs may also be configured here.
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0010_install_apparmor.chroot
+++ b/config/hooks/live/0010_install_apparmor.chroot
@@ -13,7 +13,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-export DEBIAN_FRONTEND="noninteractive"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y --no-install-recommends apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra
 install -d /etc/systemd/system/apparmor.service.d
--- a/config/hooks/live/0050_activate_root.chroot
+++ b/config/hooks/live/0050_activate_root.chroot
@@ -25,8 +25,8 @@ fi
 cd /root
 # shellcheck disable=SC2312
-cp /etc/shadow /root/.ciss/dlb/backup/shadow.bak."$(date +%F_%T)"
+cp /etc/shadow /root/.ciss/cdlb/backup/shadow.bak."$(date +%F_%T)"
-chmod 0600 /root/.ciss/dlb/backup/shadow.bak.*
+chmod 0600 /root/.ciss/cdlb/backup/shadow.bak.*
 declare hashed_pwd
 declare safe_hashed_pwd
@@ -39,13 +39,13 @@ unset hashed_pwd safe_hashed_pwd
 cat /etc/shadow
-if shred -vfzu -n 5 /root/.pwd; then
+if shred -fzu -n 5 /root/.pwd; then
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: -vfzu -n 5 >> done. \e[0m\n"
+  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n"
 else
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: -vfzu -n 5 >> NOT successful. \e[0m\n" >&2
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: shred -fzu -n 5 >> NOT successful. \e[0m\n" >&2
 fi
--- a/config/hooks/live/0080_keyboard_layout.chroot
+++ b/config/hooks/live/0080_keyboard_layout.chroot
@@ -21,6 +21,8 @@ XKBOPTIONS=""
 BACKSPACE="guess"
 EOF
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 dpkg-reconfigure -f noninteractive keyboard-configuration
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
--- a/config/hooks/live/0090_jitterentropy.chroot
+++ b/config/hooks/live/0090_jitterentropy.chroot
@@ -0,0 +1,33 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y --no-install-recommends jitterentropy-rngd
 cd /root
 mkdir -p /etc/systemd/system/jitterentropy-rngd.service.d
 cat << 'EOF' >> /etc/systemd/system/jitterentropy-rngd.service.d/override.conf
 [Service]
 ExecStart=
 ExecStart=/usr/sbin/jitterentropy-rngd --osr=2
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0120_set_hostname.chroot
+++ b/config/hooks/live/0120_set_hostname.chroot
@@ -12,10 +12,9 @@
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
-mv /etc/hostname /root/.ciss/dlb/backup/hostname.bak
+mv /etc/hostname /root/.ciss/cdlb/backup/hostname.bak
-mv /etc/mailname /root/.ciss/dlb/backup/mailname.bak
+mv /etc/mailname /root/.ciss/cdlb/backup/mailname.bak
 cat << 'EOF' >| /etc/hostname
 live.local
@@ -28,7 +27,6 @@ localhost.local
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0130_machineid.chroot
+++ b/config/hooks/live/0130_machineid.chroot
@@ -12,7 +12,6 @@
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
 if [[ -f /var/lib/dbus/machine-id ]]; then
@@ -22,7 +21,7 @@ fi
 cat << 'EOF' >| /var/lib/dbus/machine-id
 b08dfa6083e7567a1921a715000001fb
 EOF
-chmod 644 /var/lib/dbus/machine-id
+chmod 0644 /var/lib/dbus/machine-id
 if [[ -f /etc/machine-id ]]; then
  rm /etc/machine-id
@@ -34,7 +33,6 @@ EOF
 chmod 644 /etc/machine-id
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0400_eza_install.chroot
+++ b/config/hooks/live/0400_eza_install.chroot
@@ -23,8 +23,9 @@ wget -qO- https://raw.githubusercontent.com/eza-community/eza/main/deb.asc | gpg
 echo "deb [signed-by=/etc/apt/keyrings/gierens.gpg] http://deb.gierens.de stable main" | tee /etc/apt/sources.list.d/gierens.list
 chmod 644 /etc/apt/keyrings/gierens.gpg /etc/apt/sources.list.d/gierens.list
-export DEBIAN_FRONTEND="noninteractive"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-apt-get update
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get update -qq
 apt-get install -y eza
 git clone https://github.com/eza-community/eza-themes.git
--- a/config/hooks/live/0800_lynis_setup.chroot
+++ b/config/hooks/live/0800_lynis_setup.chroot
@@ -16,8 +16,9 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
 echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list
-export DEBIAN_FRONTEND="noninteractive"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-apt-get update
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get update -qq
 apt-get install -y lynis
 lynis show version
--- a/config/hooks/live/0810_chrony_setup.chroot
+++ b/config/hooks/live/0810_chrony_setup.chroot
@@ -15,15 +15,16 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 mkdir -p /var/log/chrony
-export DEBIAN_FRONTEND="noninteractive"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 export TZ="Etc/UTC"
 apt-get install -y adjtimex chrony tzdata
 systemctl enable chrony.service
-mv /etc/chrony/chrony.conf /root/.ciss/dlb/backup/chrony.conf.bak
+mv /etc/chrony/chrony.conf /root/.ciss/cdlb/backup/chrony.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/chrony.conf.bak
+chmod 0644 /root/.ciss/cdlb/backup/chrony.conf.bak
 cat << EOF >| /etc/chrony/chrony.conf
 # SPDX-Version: 3.0
@@ -50,13 +51,13 @@ log tracking measurements statistics
 authselectmode require
-server ntp.ripe.net      iburst nts minpoll 5 maxpoll 9
+# server ntp.ripe.net      iburst nts minpoll 5 maxpoll 9
 server ptbtime3.ptb.de   iburst nts minpoll 5 maxpoll 9
 server ptbtime2.ptb.de   iburst nts minpoll 5 maxpoll 9
 server ptbtime1.ptb.de   iburst nts minpoll 5 maxpoll 9
-server ntp13.metas.ch    iburst nts minpoll 5 maxpoll 9
+# server ntp13.metas.ch    iburst nts minpoll 5 maxpoll 9
-server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9
+# server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9
-server sth1.ntp.se       iburst nts minpoll 5 maxpoll 9
+# server sth1.ntp.se       iburst nts minpoll 5 maxpoll 9
 server ntp0.fau.de       iburst nts minpoll 5 maxpoll 9
 leapsectz right/UTC
@@ -110,6 +111,8 @@ if [[ -e /usr/share/zoneinfo/right/UTC ]]; then
 fi
 chronyd -Q -f /etc/chrony/chrony.conf 2>&1
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
--- a/config/hooks/live/0822_ssh_restart_hook.chroot
+++ b/config/hooks/live/0822_ssh_restart_hook.chroot
@@ -20,7 +20,7 @@ cat << 'EOF' >| "${target_script}"
@reboot root /usr/local/bin/restart-ssh.sh
 EOF
-chmod 0644 "${target_script}"
+chmod 0444 "${target_script}"
 cat << 'EOF' >| /usr/local/bin/restart-ssh.sh
 #!/bin/bash
--- a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
+++ b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
@@ -13,7 +13,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-export DEBIAN_FRONTEND="noninteractive"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && \
 apt-get install -y nodejs
--- a/config/hooks/live/0845_harbian_audit.chroot
+++ b/config/hooks/live/0845_harbian_audit.chroot
@@ -12,13 +12,11 @@
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root/git
 git clone https://github.com/hardenedlinux/harbian-audit.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0850_ssh_audit.chroot
+++ b/config/hooks/live/0850_ssh_audit.chroot
@@ -12,13 +12,11 @@
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root/git
 git clone https://github.com/jtesta/ssh-audit.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0855_dnsviz.chroot
+++ b/config/hooks/live/0855_dnsviz.chroot
@@ -12,13 +12,11 @@
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root/git
 git clone https://github.com/dnsviz/dnsviz.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0860_sops.chroot
+++ b/config/hooks/live/0860_sops.chroot
@@ -13,7 +13,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-export DEBIAN_FRONTEND=noninteractive
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 SOPS_VER="v3.11.0"
 ARCH="$(dpkg --print-architecture)"
@@ -39,14 +40,16 @@ cosign verify-blob "sops-${SOPS_VER}.checksums.txt" \
 sha256sum -c "sops-${SOPS_VER}.checksums.txt" --ignore-missing
 install -m 0755 "${SOPS_FILE}" /usr/local/bin/sops
-sops --version --check-for-updates
+sops --version --check-for-updates >| /root/.ciss/cdlb/log/sops.log
-age --version
+age --version                      >| /root/.ciss/cdlb/log/age.log
 rm -f "/tmp/${SOPS_FILE}"
 rm -f "/tmp/sops-${SOPS_VER}.checksums.txt"
 rm -f "/tmp/sops-${SOPS_VER}.checksums.pem"
 rm -f "/tmp/sops-${SOPS_VER}.checksums.sig"
 chmod 0400 /root/.config/sops/age/keys.txt
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
--- a/config/hooks/live/0090_haveged.chroot
+++ b/config/hooks/live/0090_haveged.chroot
@@ -13,17 +13,12 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-export DEBIAN_FRONTEND="noninteractive"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-apt-get install -y --no-install-recommends haveged
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
-cd /root
+wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/local/bin/yq && chmod +x /usr/local/bin/yq
 cat << 'EOF' >| /etc/default/haveged
 # Configuration file for haveged
 # Options to pass to haveged:
 DAEMON_ARGS="-w 2048 -v 1"
 EOF
 yq --version
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
--- a/config/hooks/live/0870_bashdb.chroot
+++ b/config/hooks/live/0870_bashdb.chroot
@@ -0,0 +1,36 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 umask 0077
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y texinfo
 cd /root/git
 git clone https://github.com/Trepan-Debuggers/bashdb.git
 cd /root/git/bashdb
 ./autogen.sh
 make
 apt-get purge -y texinfo
 apt-get autoremove --purge -y
 apt-get autoclean -y
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0900_ufw_setup.chroot
+++ b/config/hooks/live/0900_ufw_setup.chroot
@@ -12,10 +12,9 @@
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 declare -r UFW_OUT_POLICY="deny"
-declare -r SSHPORT="MUST_BE_SET"
+declare -r SSHPORT="SSHPORT_MUST_BE_SET"
 ufw --force reset
@@ -51,6 +50,7 @@ if [[ ${UFW_OUT_POLICY,,} == "deny"  ]]; then
  ufw allow out  853/udp comment 'Outgoing DoQ'
 fi
 ### Allowing ICMP IPv4 outgoing per default.
 sed -i "/# ok icmp code for FORWARD/i \# ok icmp codes for OUTPUT" /etc/ufw/before.rules
 sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" /etc/ufw/before.rules
 sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" /etc/ufw/before.rules
@@ -61,7 +61,6 @@ sed -i 's/^ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf
 ln -sf /lib/systemd/system/ufw.service /etc/systemd/system/multi-user.target.wants/ufw.service
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9900_process_accounting.chroot
+++ b/config/hooks/live/9900_process_accounting.chroot
@@ -13,7 +13,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-export DEBIAN_FRONTEND="noninteractive"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y acct
 if [[ ! -d /etc/systemd/system/multi-user.target.wants ]]; then
--- a/config/hooks/live/9910_motd.chroot
+++ b/config/hooks/live/9910_motd.chroot
@@ -13,8 +13,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-mkdir -p /root/.ciss/dlb/backup/update-motd.d
+mkdir -p /root/.ciss/cdlb/backup/update-motd.d
-cp -af /etc/update-motd.d/* /root/.ciss/dlb/backup/update-motd.d
+cp -af /etc/update-motd.d/* /root/.ciss/cdlb/backup/update-motd.d
 cat << 'EOF' >| /etc/update-motd.d/10-uname
 #!/bin/sh
--- a/config/hooks/live/9920_deleting_invalid_x509.chroot
+++ b/config/hooks/live/9920_deleting_invalid_x509.chroot
@@ -14,7 +14,7 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt")
-declare backup_dir="/root/.ciss/dlb/backup/certificates"
+declare backup_dir="/root/.ciss/cdlb/backup/certificates"
 declare current_date
 current_date=$(date +%s)
 declare -ax expired_certificates=()
--- a/config/hooks/live/9930_hardening_ssh.chroot
+++ b/config/hooks/live/9930_hardening_ssh.chroot
@@ -13,26 +13,35 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-cd /etc/ssh || {
+cd /etc/ssh
-  printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
+
 }
 rm -rf ssh_host_*key*
 if [[ -d /root/ssh ]]; then
  mv /root/ssh/ssh_host_*key* /etc/ssh
  rm -rf /root/ssh
 else
  # shellcheck disable=SC2312
  ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
  # shellcheck disable=SC2312
  ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
-awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
+fi
 rm -rf /etc/ssh/moduli
 mv /etc/ssh/moduli.safe /etc/ssh/moduli
 chmod 0600 /etc/ssh/ssh_host_*_key
 chown root:root /etc/ssh/ssh_host_*_key
 chmod 0644 /etc/ssh/ssh_host_*_key.pub
 chown root:root /etc/ssh/ssh_host_*_key.pub
-chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config
+awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
 rm -rf /etc/ssh/moduli
 mv /etc/ssh/moduli.safe /etc/ssh/moduli
 chmod 0600 /etc/ssh/sshd_config /etc/ssh/ssh_config
 touch /root/sshfp
 ssh-keygen -r @ >| /root/sshfp
--- a/config/hooks/live/9935_hardening_ssh.chroot.tmpl
+++ b/config/hooks/live/9935_hardening_ssh.chroot.tmpl
@@ -1,93 +0,0 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 cd /etc/ssh || {
  printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
 }
 cat << 'EOF' >| ssh_host_ed25519_key
 {{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
 EOF
 cat << 'EOF' >| ssh_host_ed25519_key.pub
 {{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
 EOF
 cat << 'EOF' >| ssh_host_rsa_key
 {{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
 EOF
 cat << 'EOF' >| ssh_host_rsa_key.pub
 {{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
 EOF
 awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
 rm -rf /etc/ssh/moduli
 mv /etc/ssh/moduli.safe /etc/ssh/moduli
 chmod 0600 /etc/ssh/ssh_host_*_key
 chown root:root /etc/ssh/ssh_host_*_key
 chmod 0644 /etc/ssh/ssh_host_*_key.pub
 chown root:root /etc/ssh/ssh_host_*_key.pub
 chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config
 touch /root/sshfp
 ssh-keygen -r @ >| /root/sshfp
 ###########################################################################################
 # Remarks: The file /etc/profile.d/idle-users.sh is created to set two read-only          #
 # environment variables: TMOUT and HISTFILE.                                              #
 # TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
 # readonly HISTFILE ensures that the command history cannot be changed.                   #
 # The chmod +x command ensures that the file is executed in every shell session.          #
 ###########################################################################################
 cat << 'EOF' >| /etc/profile.d/idle-users.sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 case $- in
  *i*)
    TMOUT=14400
    export TMOUT
    readonly TMOUT
  ;;
 esac
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 chmod +x /etc/profile.d/idle-users.sh
 mkdir -p /etc/systemd/system/ssh.service.d
 cat << 'EOF' >| /etc/systemd/system/ssh.service.d/override.conf
 [Unit]
 After=ufw.service
 Requires=ufw.service
 EOF
 chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9940_hardening_memory.dump.chroot
+++ b/config/hooks/live/9940_hardening_memory.dump.chroot
@@ -13,8 +13,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-cp -u /etc/security/limits.conf /root/.ciss/dlb/backup/limits.conf.bak
+cp -u /etc/security/limits.conf /root/.ciss/cdlb/backup/limits.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/limits.conf.bak
+chmod 0644 /root/.ciss/cdlb/backup/limits.conf.bak
 grep -Eq '^[[:space:]]*\*[[:space:]]+soft[[:space:]]+core[[:space:]]+0[[:space:]]*$' /etc/security/limits.conf \
  || sed -i -E '/^[[:space:]]*#?[[:space:]]*soft[[:space:]]+core[[:space:]]+0[[:space:]]*$/ i\*               soft    core            0' /etc/security/limits.conf
--- a/config/hooks/live/9950_fail2ban_hardening.chroot
+++ b/config/hooks/live/9950_fail2ban_hardening.chroot
@@ -1,146 +0,0 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 cd /root
 cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/dlb/backup/fail2ban.conf.bak
 chmod 0644 /root/.ciss/dlb/backup/fail2ban.conf.bak
 ### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
 sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
 mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
 chmod 0644 /root/.ciss/dlb/backup/defaults-debian.conf.bak
 cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 [DEFAULT]
 usedns    = yes
 # local | vpn
 ignoreip  = 127.0.0.0/8 ::1 MUST_BE_SET
 maxretry  = 8
 findtime  = 24h
 bantime   = 24h
 ### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
 ###               Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]
 [sshd]
 enabled   = true
 backend   = systemd
 filter    = sshd
 mode      = normal
 port      = MUST_BE_SET
 protocol  = tcp
 logpath   = /var/log/auth.log
 maxretry  = 4
 findtime  = 24h
 bantime   = 24h
 [sshd-refused]
 enabled   = true
 filter    = sshd-refused
 port      = MUST_BE_SET
 protocol  = tcp
 logpath   = /var/log/auth.log
 maxretry  = 1
 findtime  = 24h
 bantime   = 24h
 # ufw aggressive approach:
 # Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
 # Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after one attempt.
 [ufw]
 enabled   = true
 filter    = ufw.aggressive
 action    = iptables-allports
 logpath   = /var/log/ufw.log
 maxretry  = 1
 findtime  = 24h
 bantime   = 24h
 protocol  = tcp,udp
 EOF
 cat << EOF >| /etc/fail2ban/filter.d/ufw.aggressive.conf
 [Definition]
 failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*
 EOF
 cat << EOF >| /etc/fail2ban/filter.d/sshd-refused.conf
 [Definition]
 failregex = ^refused connect from \S+ \(<HOST>\)
 EOF
 ###########################################################################################
 # Remarks: hardening of fail2ban systemd                                                  #
 ###########################################################################################
 # https://wiki.archlinux.org/title/fail2ban#Service_hardening                             #
 # The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read  #
 # access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to     #
 # operate # on any firewall that has a command-line shell interface. By using             #
 # ProtectSystem=strict the filesystem hierarchy will only be read-only; ReadWritePaths    #
 # allows Fail2ban to have write access on required paths.                                 #
 ###########################################################################################
 mkdir -p /etc/systemd/system/fail2ban.service.d
 mkdir /var/log/fail2ban
 cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
 [Service]
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectHome=read-only
 ProtectSystem=strict
 ReadWritePaths=-/var/run/fail2ban
 ReadWritePaths=-/var/lib/fail2ban
 ReadWritePaths=-/var/log/fail2ban
 ReadWritePaths=-/var/spool/postfix/maildrop
 ReadWritePaths=-/run/xtables.lock
 CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
 ### Added by CISS.debian.live.builder
 ProtectClock=true
 ProtectHostname=true
 EOF
 cat << 'EOF' >> /etc/fail2ban/fail2ban.local
 [Definition]
 logtarget = /var/log/fail2ban/fail2ban.log
 EOF
 ###########################################################################################
 # Remarks: Logrotate must be updated either                                               #
 ###########################################################################################
 cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
 sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
 touch /var/log/fail2ban/fail2ban.log
 chmod 640 /var/log/fail2ban/fail2ban.log
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9950_hardening_fail2ban.chroot
+++ b/config/hooks/live/9950_hardening_fail2ban.chroot
@@ -0,0 +1,241 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 cd /root
 cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/cdlb/backup/fail2ban.conf.bak
 chmod 0400 /root/.ciss/cdlb/backup/fail2ban.conf.bak
 ### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
 sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
 mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/cdlb/backup/defaults-debian.conf.bak
 chmod 0400 /root/.ciss/cdlb/backup/defaults-debian.conf.bak
 cat << EOF >| /etc/fail2ban/jail.d/ciss-default.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 [DEFAULT]
 banaction             = nftables-multiport
 banaction_allports    = nftables-allports
 dbpurgeage            = 384d
 #                       127.0.0.1/8 - IPv4 loopback range (local host)
 #                       ::1/128     - IPv6 loopback
 #                       fe80::/10   - IPv6 link-local (on-link only; NDP/RA/DAD)
 #                       ff00::/8    - IPv6 multicast (not an unicast host)
 #                       ::/128      - IPv6 unspecified (all zeros; never a real peer)
 ignoreip              = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 IGNORE_IP_MUST_BE_SET
 usedns                = yes
 [recidive]
 enabled               = true
 banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
 bantime               = 8d
 bantime.increment     = true
 bantime.factor        = 1
 bantime.maxtime       = 128d
 bantime.multipliers   = 1 2 4 8 16
 bantime.overalljails  = true
 bantime.rndtime       = 877s
 filter                = recidive
 findtime              = 16d
 logpath               = /var/log/fail2ban/fail2ban.log*
 maxretry              = 2
 ### SSH Handling:     Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
 ###                   Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]
 [sshd]
 enabled               = true
 backend               = systemd
 bantime               = 1h
 bantime.increment     = true
 bantime.factor        = 1
 bantime.maxtime       = 16d
 bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
 bantime.overalljails  = true
 bantime.rndtime       = 877s
 filter                = sshd
 findtime              = 16m
 maxretry              = 4
 mode                  = aggressive
 port                  = PORT_MUST_BE_SET
 protocol              = tcp
 [sshd-refused]
 enabled               = true
 bantime               = 1h
 bantime.increment     = true
 bantime.factor        = 1
 bantime.maxtime       = 16d
 bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
 bantime.overalljails  = true
 bantime.rndtime       = 877s
 filter                = ciss-sshd-refused
 findtime              = 16m
 logpath               = /var/log/auth.log
 maxretry              = 1
 port                  = PORT_MUST_BE_SET
 protocol              = tcp
 #
 # CISS aggressive approach:
 # Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
 # Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
 #
 [ufw]
 enabled               = true
 banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
 bantime               = 1h
 bantime.increment     = true
 bantime.factor        = 1
 bantime.maxtime       = 16d
 bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
 bantime.overalljails  = true
 bantime.rndtime       = 877s
 filter                = ciss-ufw
 findtime              = 16m
 logpath               = /var/log/ufw.log
 maxretry              = 1
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 cat << EOF >| /etc/fail2ban/filter.d/ciss-ufw.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 [Definition]
 # Match UFW BLOCK/REJECT with a source IP and *any* port field (SPT or DPT), protocol may be missing.
 failregex             = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?(?:\bDPT=\d+\b|\bSPT=\d+\b).*$
 ignoreregex           =
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-sshd-refused.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 [Definition]
 failregex = ^refused connect from \S+ \(<HOST>\)
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 ###########################################################################################
 # Remarks: hardening of fail2ban systemd                                                  #
 ###########################################################################################
 # https://wiki.archlinux.org/title/fail2ban#Service_hardening                             #
 # The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read  #
 # access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to     #
 # operate # on any firewall that has a command-line shell interface. By using             #
 # ProtectSystem=strict the filesystem hierarchy will only be read-only; ReadWritePaths    #
 # allows Fail2ban to have write access on required paths.                                 #
 ###########################################################################################
 mkdir -p /etc/systemd/system/fail2ban.service.d
 mkdir -p /var/log/fail2ban
 cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
 [Service]
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectHome=read-only
 ProtectSystem=strict
 ReadWritePaths=-/var/run/fail2ban
 ReadWritePaths=-/var/lib/fail2ban
 ReadWritePaths=-/var/log/fail2ban
 ReadWritePaths=-/var/spool/postfix/maildrop
 ReadWritePaths=-/run/xtables.lock
 CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
 ### Added by CISS.debian.live.builder
 ProtectClock=true
 ProtectHostname=true
 EOF
 cat << 'EOF' >> /etc/fail2ban/fail2ban.local
 [Definition]
 logtarget             = /var/log/fail2ban/fail2ban.log
 [Database]
 # Keep entries for at least 384 days to cover recidive findtime.
 dbpurgeage            = 384d
 EOF
 ###########################################################################################
 # Remarks: Logrotate must be updated either                                               #
 ###########################################################################################
 cp -a /etc/logrotate.d/fail2ban /root/.ciss/cdlb/backup/fail2ban_logrotate.bak
 cat << EOF >| /etc/logrotate.d/fail2ban
 /var/log/fail2ban/fail2ban.log {
    daily
    rotate 384
    maxage 384
    notifempty
    dateext
    dateyesterday
    compress
    compresscmd /usr/bin/zstd
    compressext .zst
    compressoptions -20
    uncompresscmd /usr/bin/unzstd
    delaycompress
    shred
    missingok
    postrotate
        fail2ban-client flushlogs 1>/dev/null
    endscript
    # If fail2ban runs as non-root it still needs to have write access
    # to logfiles.
    # create 640 fail2ban adm
    create 640 root adm
 }
 EOF
 touch /var/log/fail2ban/fail2ban.log
 chmod 0640 /var/log/fail2ban/fail2ban.log
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9970_remove_exim.chroot
+++ b/config/hooks/live/9970_remove_exim.chroot
@@ -13,6 +13,9 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 cd /etc
 apt-get purge exim4 exim4-base exim4-config -y
@@ -22,7 +25,7 @@ apt-get autopurge -y
 apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config
-apt-get update
+apt-get update -qq
 apt-get upgrade -y
 if [[ -d /etc/exim4 ]]; then
--- a/config/hooks/live/9980_usb_guard.chroot
+++ b/config/hooks/live/9980_usb_guard.chroot
@@ -13,7 +13,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-export DEBIAN_FRONTEND="noninteractive"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y usbguard
 ### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
@@ -22,7 +23,7 @@ usbguard generate-policy >> /tmp/rules.conf
 if [[ -f /etc/usbguard/rules.conf && -s /etc/usbguard/rules.conf ]]; then
-  mv /etc/usbguard/rules.conf /root/.ciss/dlb/backup/usbguard_rules.conf.bak
+  mv /etc/usbguard/rules.conf /root/.ciss/cdlb/backup/usbguard_rules.conf.bak
  cp -a /tmp/rules.conf /etc/usbguard/rules.conf
  chmod 0600 /etc/usbguard/rules.conf
@@ -34,7 +35,7 @@ else
 fi
-cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/dlb/backup/usbguard-daemon.conf.bak
+cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/cdlb/backup/usbguard-daemon.conf.bak
 #sed -i "s/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/" /etc/usbguard/usbguard-daemon.conf
 rm -f /tmp/rules.conf
--- a/config/hooks/live/9990_final_purge.chroot
+++ b/config/hooks/live/9990_final_purge.chroot
@@ -13,13 +13,15 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-export DEBIAN_FRONTEND="noninteractive"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get update -qq
-apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
+apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config postfix-mta-sts-resolver postfix qemu-guest-agent rmail
-apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
+apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config postfix-mta-sts-resolver postfix qemu-guest-agent rmail
 dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true
--- a/config/hooks/live/9991_file_permissions.chroot
+++ b/config/hooks/live/9991_file_permissions.chroot
@@ -18,8 +18,8 @@ chmod 0644 /etc/issue
 chmod 0644 /etc/issue.net
 if [[ -f /etc/motd ]]; then
-  cp -a /etc/motd /root/.ciss/dlb/backup/motd.bak
+  cp -a /etc/motd /root/.ciss/cdlb/backup/motd.bak
-  chmod 0644 /root/.ciss/dlb/backup/motd.bak
+  chmod 0644 /root/.ciss/cdlb/backup/motd.bak
  rm /etc/motd
 fi
@@ -36,7 +36,7 @@ cat << EOF >| /etc/motd
 EOF
-cp -a /etc/login.defs /root/.ciss/dlb/backup/login.defs.bak
+cp -a /etc/login.defs /root/.ciss/cdlb/backup/login.defs.bak
 sed -ri 's/^(#?LOGIN_TIMEOUT)[[:space:]]+[0-9]+/\1 180/' /etc/login.defs
 sed -i 's/UMASK		022/UMASK		077/' /etc/login.defs
--- a/config/hooks/live/9993_aide.chroot
+++ b/config/hooks/live/9993_aide.chroot
@@ -13,10 +13,11 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-export DEBIAN_FRONTEND="noninteractive"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y aide > /dev/null 2>&1
-cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
+cp -u /etc/aide/aide.conf /root/.ciss/cdlb/backup/aide.conf.bak
 sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf
 if aideinit > /dev/null 2>&1; then
--- a/config/hooks/live/9994_password_policy.chroot
+++ b/config/hooks/live/9994_password_policy.chroot
@@ -20,8 +20,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
-cp -a /etc/security/pwquality.conf /root/.ciss/dlb/backup/pwquality.conf.bak
+cp -a /etc/security/pwquality.conf /root/.ciss/cdlb/backup/pwquality.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/pwquality.conf.bak
+chmod 0644 /root/.ciss/cdlb/backup/pwquality.conf.bak
 cat << EOF >| /etc/security/pwquality.conf
 # SPDX-Version: 3.0
--- a/config/hooks/live/9996_auditd.chroot
+++ b/config/hooks/live/9996_auditd.chroot
@@ -25,30 +25,48 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 cd /root
-export DEBIAN_FRONTEND="noninteractive"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y auditd
-cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak
+cp -u /etc/audit/audit.rules /root/.ciss/cdlb/backup/audit.rules.bak
-cp -u /etc/audit/auditd.conf /root/.ciss/dlb/backup/auditd.conf.bak
+cp -u /etc/audit/auditd.conf /root/.ciss/cdlb/backup/auditd.conf.bak
-cp -u /etc/audit/rules.d/audit.rules /root/.ciss/dlb/backup/rules_d_audit.rules.bak
+cp -u /etc/audit/rules.d/audit.rules /root/.ciss/cdlb/backup/rules_d_audit.rules.bak
 rm -rf /etc/audit/rules.d/audit.rules
-############################################################### /etc/audit/rules.d/10-base-config.rules
+############################################################### /etc/audit/rules.d/00-base-config.rules
-cat << EOF >| /etc/audit/rules.d/10-base-config.rules
+cat << EOF >| /etc/audit/rules.d/00-base-config.rules
 ## First rule - delete all
 -D
 ## Increase the buffers to survive stress events.
-## Make this bigger for busy systems
+## Make this bigger for busy systems.
-b 8192
+-b 16384
-## This determine how long to wait in burst of events
+## Rate Limit. Cap kernel->userspace message rate (0 = unlimited).
--backlog_wait_time 60000
+-r 200
-## Set failure mode to syslog
+## This determine how long to wait in burst of events. How long to wait in bursts (us).
 --backlog_wait_time 1024
 ## Set failure mode to syslog.
 -f 1
 EOF
 ############################################################### /etc/audit/rules.d/10-ciss-noise-floor.rules
 cat << EOF >| /etc/audit/rules.d/10-ciss-noise-floor.rules
 ## Ignore kernel/daemon noise without a loginuid (unset = 4294967295).
 -a never,exit -F auid=4294967295
 ## Make privileged exec tracing user-initiated only (no boot-time daemons).
 -a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k exec_root
 -a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k exec_root
 ## (Optional, same principle for suid/sgid transitions).
 -a always,exit -F arch=b64 -S execve -C uid!=euid -F auid>=1000 -F auid!=-1 -k exec_suid_sgid
 -a always,exit -F arch=b32 -S execve -C uid!=euid -F auid>=1000 -F auid!=-1 -k exec_suid_sgid
 EOF
 ############################################################### /etc/audit/rules.d/11-loginuid.rules
 cat << EOF >| /etc/audit/rules.d/11-loginuid.rules
 --loginuid-immutable
@@ -91,6 +109,17 @@ cat << EOF >| /etc/audit/rules.d/22-ignore-chrony.rules
 -a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony
 EOF
 ############################################################### /etc/audit/rules.d/25-ciss-exec.rules
 cat << EOF >| /etc/audit/rules.d/25-ciss-exec.rules
 ## Focus on privileged exec, not every user command
 -a always,exit -F arch=b64 -S execve -F euid=0 -k exec_root
 -a always,exit -F arch=b32 -S execve -F euid=0 -k exec_root
 -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -k exec_sudo
 -a always,exit -F arch=b32 -S execve -F exe=/usr/bin/sudo -k exec_sudo
 -a always,exit -F arch=b64 -S execve -C uid!=euid -k exec_suid_sgid
 -a always,exit -F arch=b32 -S execve -C uid!=euid -k exec_suid_sgid
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
 ## Unsuccessful file creation (open with O_CREAT)
@@ -108,17 +137,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
 -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
 ## Successful file creation (open with O_CREAT)
 -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
 ## Unsuccessful file modifications (open for write or truncate)
@@ -136,17 +154,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
 -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
 ## Successful file modifications (open for write or truncate)
 -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
 ## Unsuccessful file access (any other opens) This has to go last.
@@ -156,14 +163,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
 -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
 ## Successful file access (any other opens) This has to go last.
 ## These next two are likely to result in a whole lot of events
 -a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
 -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
 ## Unsuccessful file delete
@@ -173,13 +172,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
 -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
 ## Successful file delete
 -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
 -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
 ## Unsuccessful permission change
@@ -189,13 +181,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
 -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
 ## Successful permission change
 -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
 -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
 ## Unsuccessful ownership change
@@ -205,13 +190,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
 -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
 ## Successful ownership change
 -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
 -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42.rules
 ## The purpose of these rules is to meet the requirements for Operating
--- a/config/hooks/live/9997_debsums.chroot
+++ b/config/hooks/live/9997_debsums.chroot
@@ -15,11 +15,12 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 cd /root
-export DEBIAN_FRONTEND="noninteractive"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y --no-install-recommends debsums
-cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak
+cp -a /etc/default/debsums /root/.ciss/cdlb/backup/debsums.bak
-chmod 0644 /root/.ciss/dlb/backup/debsums.bak
+chmod 0644 /root/.ciss/cdlb/backup/debsums.bak
 sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
 if debsums -g > /dev/null 2>&1; then
--- a/config/hooks/live/9998_sources_list_trixie.chroot
+++ b/config/hooks/live/9998_sources_list_trixie.chroot
@@ -13,6 +13,9 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
@@ -121,6 +124,11 @@ Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 EOF
 fi
 apt-get update -qq
 apt-get dist-upgrade -y        # (= apt full-upgrade) allow installs/replacements/removals.
 apt-get autoremove --purge -y  # 'autopurge' == 'autoremove --purge'.
 apt-get clean -y               # Stronger than autoclean: removes the entire '.deb'-cache.
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
--- a/config/hooks/live/9999_interfaces_update.chroot
+++ b/config/hooks/live/9999_interfaces_update.chroot
@@ -16,7 +16,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
-mv /etc/network/interfaces /root/.ciss/dlb/backup/interfaces.chroot
+mv /etc/network/interfaces /root/.ciss/cdlb/backup/interfaces.chroot
 rm -f /etc/network/interfaces
 cat << EOF >| /etc/network/interfaces
--- a/config/hooks/live/9999_yyyy_logrotate.chroot
+++ b/config/hooks/live/9999_yyyy_logrotate.chroot
@@ -0,0 +1,66 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 ### Declare Arrays, HashMaps, and Variables.
 declare -ar ary_logrotate=(
  "alternatives"
  "apt"
  "btmp"
  "chrony"
  "clamav-daemon"
  "clamav-freshclam"
  "dpkg"
  "fail2ban"
  "rkhunter"
  "rsnapshot"
  "rsyslog"
  "ufw"
  "unattended-upgrades"
  "usbguard"
  "wtmp"
 )
 declare     var_file="" var_log=""
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 for var_log in "${ary_logrotate[@]}"; do
  var_file="/etc/logrotate.d/${var_log}"
  [[ -e "${var_file}" ]] || continue
  ### Replace leading 'monthly'/'weekly' directives with 'daily', preserving indentation and trailing comments.
  sed -E -i \
    -e 's/^([[:space:]]*)(monthly|weekly)([[:space:]]*)(#.*)?$/\1daily\3\4/' \
    -e 's/^([[:space:]]*)rotate([[:space:]]+[0-9]+)?([[:space:]]*)(#.*)?$/\1rotate 90\3\4/' \
    "${var_file}"
 done
 if ! logrotate -d /etc/logrotate.conf; then
  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n"
 else
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' successful. \e[0m\n"
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9999_zzzz.chroot
+++ b/config/hooks/live/9999_zzzz.chroot
@@ -0,0 +1,84 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target"
 ### Regenerate the initramfs for the live system kernel.
 update-initramfs -u -k all -v
 ### Determine the canonical systemd unit dir inside chroot.
 if [[ -d /lib/systemd/system ]]; then
  var_unit_dir=/lib/systemd/system
 elif [[ -d /usr/lib/systemd/system ]]; then
  var_unit_dir=/usr/lib/systemd/system
 fi
 ### Enforce 'default.target' -> 'multi-user.target' as a symlink.
 if [[ -e "${var_link}" ]] && [[ ! -L "${var_link}" ]]; then
  ### A regular file here is wrong; we remove it to avoid vendor fallback to graphical.
  rm -f -- "${var_link}"
 fi
 if [[ ! -L "${var_link}" ]]; then
  ln -s "${var_unit_dir}/multi-user.target" "${var_link}"
 else
  ### Ensure it points to multi-user.
  # shellcheck disable=SC2312
  if [[ "$(readlink -f "${var_link}")" != "${var_unit_dir}/multi-user.target" ]]; then
    rm -f -- "${var_link}"
    ln -s "${var_unit_dir}/multi-user.target" "${var_link}"
  fi
 fi
 ### Hard-block any display manager (mask via /dev/null symlink). Include common DMs, and the generic alias:
 ary_dm_units=(
  "display-manager.service"
  "gdm.service"
  "gdm3.service"
  "sddm.service"
  "lightdm.service"
  "xdm.service"
  "lxdm.service"
  "slim.service"
 )
 for var_dm in "${ary_dm_units[@]}"; do
  if [[ ! -L "/etc/systemd/system/${var_dm}" ]]; then
    ln -s /dev/null "/etc/systemd/system/${var_dm}"
  fi
 done
 rm -f /root/ciss_xdg_tmp.sh
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/normal/.keep
+++ b/config/hooks/normal/.keep
@@ -0,0 +1,10 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/includes.chroot/etc/ciss/keys/0x8733B021_public.asc
+++ b/config/includes.chroot/etc/ciss/keys/0x8733B021_public.asc
@@ -0,0 +1,18 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mDMEaDcItBYJKwYBBAHaRw8BAQdAFyGLpFASTiK4vBgycV2wjb3ZaNqhjZ33E1ir
 MiU98Fu0LE1hcmMgUy4gV2VpZG5lciBCT1QgPG1zdytib3RAY29yZXNlY3JldC5k
 ZXY+iJkEExYIAEEWIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaDcItAIbAwUJCKVq
 fAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRA85KY4hzOwIVOoAQD9WXoh
 Isjs4q7RCAtCXXWO4y4p8Dmn1AjCRN07vBYskQEAu/LjJYpjC553SnLPEN2PjZBt
 pNkwp/fMg2oigxRkygyI1AUQFggAVCIhBW/TwxZOreRiASSn6MzNd4l1ywe1QKfL
 3kbW7jRInWnCBQJoNwjMBYMIpYaAJBSAAAAAAA0ADnJlbUBnbnVwZy5vcmdDZW50
 dXJpb24sQ0lDQQAA3TABxjNpYGUWhvt6x3h688F1KJfeWrrMetflFZBA3UzoIAAg
 SltgMYRnCzpZFGnQILKgj9jyakwckxFLAAHHY/I0Fxmc5ujfkGScUhUKPhruVT2x
 w4aHogEuE9Ebu94JuvBQX3+RlHjG+47qG7bmAT81E47Hih0AuDgEaDcItBIKKwYB
 BAGXVQEFAQEHQOKAnInWn3Wy1fUJJD7bycrXEx6SoLejW5/0jGIG2VdGAwEIB4h+
 BBgWCAAmFiEEqmJzzDShs+vWn8hwPOSmOIczsCEFAmg3CLQCGwwFCQilanwACgkQ
 POSmOIczsCHztAEA2AWCPQ8V8hNdEBvYHwRye8Q9FJO7IyciwwpjH1nOBLMBAJS2
 OSrjMYBFaumow950s7T2d7BEpnxJBtCwfuF+RwgI
 =QwhF
 -----END PGP PUBLIC KEY BLOCK-----
--- a/config/includes.chroot/etc/ciss/keys/0x8733B021_public.gpg
+++ b/config/includes.chroot/etc/ciss/keys/0x8733B021_public.gpg
--- a/config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.asc
+++ b/config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.asc
@@ -0,0 +1,13 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mDMEaCxYpRYJKwYBBAHaRw8BAQdAr9mRwJ44x3qirCRbE+qjgwBDzZLVkKXvC4UI
 AHxvyMK0JE1hcmMgUy4gV2VpZG5lciA8bXN3QGNvcmVzZWNyZXQuZGV2PoiZBBMW
 CABBFiEEh/wgoINpSv+4MwEbhAKZkeYuhPgFAmgsWKUCGwMFCQiwGosFCwkIBwIC
 IgIGFQoJCAsCBBYCAwECHgcCF4AACgkQhAKZkeYuhPhWnQEAulGegHfBva0ezN5/
 VVqLqDVTe+etr3crCcxKpj8gg7wA/3OfkCvgPht18OoIQbR1IA7jDBSOKvY8OfcR
 1632dZIIuDgEaCxYpRIKKwYBBAGXVQEFAQEHQP34OGSMdCMM8Ku/QY7NC81xbL0h
 kOFdDGlKlA865+kpAwEIB4h+BBgWCAAmFiEEh/wgoINpSv+4MwEbhAKZkeYuhPgF
 AmgsWKUCGwwFCQiwGosACgkQhAKZkeYuhPhnjgD+IHh9XhE+s3VB3ItDIgtT9gTA
 S8ET80dQcFmFGYfjs/oBALmXXxceE+aSd2VO6dumqhtzWCGE7S52/50hxRgLsi8G
 =C3ox
 -----END PGP PUBLIC KEY BLOCK-----
--- a/config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.gpg
+++ b/config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.gpg
--- a/config/includes.chroot/etc/login.defs
+++ b/config/includes.chroot/etc/login.defs
@@ -93,6 +93,7 @@ TTYPERM		0600
 #
 ERASECHAR	0177
 KILLCHAR	025
 UMASK 077
 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
 # home directories.
@@ -203,7 +204,9 @@ NONEXISTENT	/nonexistent
 USERGROUPS_ENAB yes
 #
-# Added by CISS.debian.live.builder for redundance
+# Added by CISS.debian.live.builder for redundancy
-UMASK 077
+UMASK 027
 SHA_CRYPT_MIN_ROUNDS 8388608
 SHA_CRYPT_MAX_ROUNDS 8388608
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/ssh/ssh_known_hosts
+++ b/config/includes.chroot/etc/ssh/ssh_known_hosts
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.392.2025.11.07
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.392.2025.11.07
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -28,7 +28,7 @@ LogLevel                     VERBOSE
 AddressFamily                any
 ListenAddress                0.0.0.0
 ListenAddress                ::
-Port MUST_BE_CHANGED
+PORT_MUST_BE_CHANGED
 AllowUsers                   root
 UseDNS                       no
 ### Force a key exchange after transferring 1 GiB of data or 1 hour of session time, whichever occurs first.
@@ -46,10 +46,10 @@ StrictModes                  yes
 LoginGraceTime               2m
 MaxAuthTries                 3
 MaxSessions                  2
-### Begin randomly dropping new unauthenticated connections after the 8th attempt,
+### Begin randomly dropping new unauthenticated connections after the 2nd attempt,
-### with a 64% chance to drop each additional connection, up to a hard limit of 16.
+### with a 64% chance to drop each additional connection, up to a hard limit of 08.
-MaxStartups                  08:64:16
+MaxStartups                  16:32:48
-### Restrict each individual source IP to only 4 unauthenticated connection slot
+### Restrict each individual source IP to only 8 unauthenticated connection slot
 ### in the concurrent MaxStartups pool, preventing one IP from monopolizing slots.
 PerSourceMaxStartups         8
 ClientAliveInterval          300
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -1,3 +1,5 @@
 # bashsupport disable=BP5007
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
@@ -9,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.392.2025.11.07
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
@@ -280,15 +282,6 @@ net.ipv4.conf.all.forwarding=0
 net.ipv6.conf.all.accept_ra=0
 net.ipv6.conf.default.accept_ra=0
 ###########################################################################################
 # These parameters relate to secure ICMP redirects. ICMP redirects are messages that a
 # router sends to a device to inform it that there is a better route for the data traffic.
 # This setting prevents the system from responding to redirects that have been spoofed by
 # potential attackers to redirect traffic (e.g., for man-in-the-middle attacks).
 ###########################################################################################
 net.ipv4.conf.all.secure_redirects=1
 net.ipv4.conf.default.secure_redirects=1
 ###########################################################################################
 # This setting prevents the disclosure of TCP timestamps that can be used for system
 # fingerprinting:
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V8.13.142.2025.10.14"
+declare -gr VERSION="Master V8.13.392.2025.11.07"
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.142.2025.10.14 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.392.2025.11.07 at: 10:18:37.9542
--- a/config/includes.chroot/root/.bashrc
+++ b/config/includes.chroot/root/.bashrc
@@ -14,21 +14,45 @@
 ### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
 set +o errexit +o nounset +o pipefail
 # shellcheck disable=SC2312
 if [[ "$(id -u)" -eq 0 ]]; then
  umask 0022
  PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 else
  umask 0077
  PATH="/usr/local/bin:/usr/bin:/bin"
 fi
 export PATH
 trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' EXIT
 source /root/.ciss/alias
 source /root/.ciss/f2bchk.sh
 source /root/.ciss/shortcuts
 source /root/.ciss/scan_libwrap
-### History
+### Preferred editor for local and remote sessions.
-touch /tmp/.bash_history
+export EDITOR="nano"
-chmod 0660 /tmp/.bash_history
+
-chown root:root /tmp/.bash_history
+### History-Settings
-export HISTFILE=/tmp/.bash_history
+# The name of the file in which command history is saved. The default value is ~/.bash_history. If unset, the command history
 # is not saved when a shell exits.
 export HISTFILE="${XDG_STATE_HOME}/bash/history"
 touch "${HISTFILE}"
 chmod 0660 "${HISTFILE}"
 chown root:root "${HISTFILE}"
 export HISTSIZE=2048
 export HISTFILESIZE=2048
 shopt -s histappend
 # Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it.
 export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*'
 # -'ignoreboth' Do not put duplicate lines or lines starting with space in the history.
 # -'erasedups' Causes all previous lines matching the current line to be removed from the history before that line is saved.
 export HISTCONTROL='ignoreboth:erasedups'
 ### Define colors for bash prompt
 export CRED='\033[1;91m'
 export CGRE='\033[1;92m'
--- a/config/includes.chroot/root/.ciss/alias
+++ b/config/includes.chroot/root/.ciss/alias
@@ -10,9 +10,6 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ########################################################################################### Alpha
 alias genkeyfile='haveged -n 1048576 >| /tmp/secure_keyfile_$(date +%s)'
 ########################################################################################### Bash
 alias clear="printf '\033c'"
 alias c='clear'
@@ -239,7 +236,31 @@ sysp() {
 #######################################
 trel() {
  declare depth=${1:-3}
-  tree -C -h --dirsfirst -L "${depth}"
+
  if ! [[ "${depth}" =~ ^[0-9]+$ ]]; then
    echo "Error: '${depth}' is not a valid depth. Please provide a positive integer." >&2
    return 2
  fi
  if ! command -v eza >/dev/null 2>&1; then
    echo "Error: 'eza' is not installed." >&2
    return 1
  fi
  (( $# > 0 )) && shift
  eza --tree \
    --level="${depth}" \
    --group-directories-first \
    --icons=auto \
    --color=always \
    --long \
    --no-permissions \
    --no-user \
    --no-time \
    "$@"
  return 0
 }
 #######################################
--- a/config/includes.chroot/root/.ciss/check_chrony.sh
+++ b/config/includes.chroot/root/.ciss/check_chrony.sh
@@ -14,7 +14,7 @@ set -Ceuo pipefail
 #######################################
 # Minimal leap-second probe for Debian/chrony systems.
-# - Prints kernel leap flags & TAI offset (ΔAT).
+# - Prints kernel leap flags & TAI offset (delta AT).
 # - Reads tzdata's leap-seconds list (authoritative TAI-UTC).
 # - Shows chrony tracking summary (incl. leap status).
 # - Demonstrates 23:59:60 rendering via TZ=right/UTC.
@@ -38,7 +38,7 @@ main() {
    tz_tai="$(awk '{print $2}' <<<"${tz_leap_line}")"
    ts_human="$(awk -F'#' '{gsub(/^[[:space:]]+/, "", $2); print $2}' <<<"${tz_leap_line}")"
-    printf "tzdata ΔAT (TAI-UTC): %s s [last change at: %s; NTP ts: %s]\n\n" "${tz_tai:-?}" "${ts_human:-?}" "${tz_ntp:-?}"
+    printf "tzdata delta AT (TAI-UTC): %s s [last change at: %s; NTP ts: %s]\n\n" "${tz_tai:-?}" "${ts_human:-?}" "${tz_ntp:-?}"
  else
@@ -56,7 +56,7 @@ main() {
    if [[ -n "${k_tai:-}" ]]; then
-      printf "Kernel-exported ΔAT [tai]: %s s\n" "${k_tai}"
+      printf "Kernel-exported delta AT [tai]: %s s\n" "${k_tai}"
    fi
@@ -96,8 +96,8 @@ main() {
  printf "\n"
  printf "Hint:\n"
-  printf "  • ΔAT (TAI-UTC) should match tzdata and kernel (chrony sets kernel TAI if leapsectz/leapseclist is used).\n"
+  printf "  - delta AT (TAI-UTC) should match tzdata and kernel (chrony sets kernel TAI if leapsectz/leapseclist is used).\n"
-  printf "  • For monotonic intervals, apps must use CLOCK_MONOTONIC, not CLOCK_REALTIME.\n"
+  printf "  - For monotonic intervals, apps must use CLOCK_MONOTONIC, not CLOCK_REALTIME.\n"
  return 0
 }
--- a/config/includes.chroot/root/.ciss/shortcuts
+++ b/config/includes.chroot/root/.ciss/shortcuts
@@ -41,7 +41,6 @@ declare -ga shortcuts=(
  "f2bubn: f2b unban --all"
  "f2bufw: f2b status ufw"
  "free: free -m"
  "genkeyfile: 1MiBi"
  "genpasswd: PWD"
  "genpasswdhash: PWD Hash"
  "genstring: Random String"
--- a/config/includes.chroot/root/.zshenv
+++ b/config/includes.chroot/root/.zshenv
@@ -0,0 +1,27 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-19; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 : "${XDG_CONFIG_HOME:=${HOME}/.config}"
 : "${XDG_CACHE_HOME:=${HOME}/.cache}"
 : "${XDG_DATA_HOME:=${HOME}/.local/share}"
 : "${XDG_STATE_HOME:=${HOME}/.local/state}"
 # Do NOT set XDG_RUNTIME_DIR here.
 export XDG_CONFIG_HOME XDG_CACHE_HOME XDG_DATA_HOME XDG_STATE_HOME
 ### Zsh history -> XDG_STATE_HOME (best-effort; zsh might not read /etc/profile)
 if [ "${ENABLE_XDG_ZSH_HISTORY:-1}" = "1" ] && [ -n "${ZSH_VERSION:-}" ]; then
  [ -d "${XDG_STATE_HOME}/zsh" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/zsh"
  export HISTFILE="${XDG_STATE_HOME}/zsh/history"
 fi
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums
+++ b/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums
@@ -0,0 +1,212 @@
 #!/bin/sh
 # bashsupport disable=BP5007
 # shellcheck shell=sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: GPL-3.0-or-later
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Modified Version of the original file:
 ### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
 ### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
 #######################################
 # Modified checksum-integrity and authenticity-verification-script for continuing the boot process.
 # Globals:
 #   LIVE_BOOT_CMDLINE
 #   _TTY
 # Arguments:
 #   1: _MOUNTPOINT
 # Returns:
 #   0 : Successful verification
 #######################################
 Verify_checksums() {
  _MOUNTPOINT="${1}"
  _TTY="/dev/tty8"
  LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
  LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"
  for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
    case "${_PARAMETER}" in
      live-boot.verify-checksums=* | verify-checksums=*)
        LIVE_VERIFY_CHECKSUMS="true"
        LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
        ;;
      live-boot.verify-checksums | verify-checksums)
        LIVE_VERIFY_CHECKSUMS="true"
        ;;
      live-boot.verify-checksums-signatures | verify-checksums-signatures)
        LIVE_VERIFY_CHECKSUMS_SIGNATURES="true"
        ;;
    esac
  done
  case "${LIVE_VERIFY_CHECKSUMS}" in
    true)
      :
      ;;
    *)
      return 0
      ;;
  esac
  # shellcheck disable=SC2164
  cd "${_MOUNTPOINT}"
  ### CDLB verification of script integrity itself -----------------------------------------------------------------------------
  if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
    log_begin_msg "Verifying integrity of '0030-verify-checksums' ..."
    printf "\n"
    CDLB_SCRIPT="$(basename "${0}")"
    CDLB_SHA="sha512"
    CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_ITEM="" CDLB_SIG_FILE=""
    for CDLB_ITEM in ${CDLB_SHA}; do
      CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_ITEM}"
      CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
      CDLB_CMD="${CDLB_ITEM}sum"
      printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}"
      if ! gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
        printf "Signature verification failed for: [%s]\n" "${CDLB_HASHFILE}"
        sleep 8
        # TODO: Remove debug mode
        # return 0
      else
        printf "Signature verification successful for: [%s]\n" "${CDLB_HASHFILE}"
      fi
      printf "Recomputing hash for: [%s]\n" "${CDLB_ITEM}"
      CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first rest || exit 1; printf '%s\n' "${first}"; })
      read -r CDLB_EXPECTED < "${CDLB_HASHFILE}"
      if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
        printf "Recomputed hash mismatch for: [%s]\n" "${CDLB_ITEM}"
        sleep 8
        # TODO: Remove debug mode
        # return 0
      fi
      printf "Hash verification successful for: [%s]\n" "${CDLB_ITEM}"
    done
    printf "Verifying integrity of '0030-verify-checksums' successfully completed. Proceeding."
    log_end_msg
    printf "\n"
  fi
  ### Checksum and checksum signature verification -----------------------------------------------------------------------------
  log_begin_msg "Verifying checksums"
  printf "\n"
  # shellcheck disable=SC2001
  for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
    # shellcheck disable=SC2060
    _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
    for _CHECKSUM in ${_CHECKSUMS}; do
      if [ -e "${_CHECKSUM}" ]; then
        printf "Found [%s] ...\n" "${_CHECKSUM}"
        if [ -e "/bin/${_DIGEST}sum" ]; then
          if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
            printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}"
            _CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
            gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
            _RETURN_PGP="${?}"
          else
            _RETURN_PGP="na"
          fi
          printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}"
          # shellcheck disable=SC2312
          grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
          _RETURN_SHA="${?}"
          # Stop after the first verification.
          break 2
        else
          printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum"
        fi
      fi
    done
  done
  log_end_msg
  case "${_RETURN_PGP},${_RETURN_SHA}" in
    0,0)
      log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds."
      sleep 8
      return 0
      ;;
    na,0)
      log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds."
      sleep 8
      return 0
      ;;
    *,0)
      panic "Verification of signature file failed while verification of checksum file successful."
      ;;
    na,*)
      panic "Verification of checksum file failed."
      ;;
  esac
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/package-lists/live.list.amd64.chroot
+++ b/config/package-lists/live.list.amd64.chroot
@@ -8,5 +8,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 grub-efi-amd64-signed
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/package-lists/live.list.arm64.chroot
+++ b/config/package-lists/live.list.arm64.chroot
@@ -8,5 +8,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 grub-efi-arm64-signed
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/package-lists/live.list.common.chroot
+++ b/config/package-lists/live.list.common.chroot
@@ -30,8 +30,6 @@ btrfs-progs
 build-essential
 bzip2
 ca-certificates
 clamav
 clamav-daemon
 clang-18
 console-setup
 cosign
@@ -67,11 +65,11 @@ gawk
 gdisk
 git
 gnupg
 haveged
 htop
 iftop
 iproute2
 iputils-ping
 jitterentropy-rngd
 jq
 keyboard-configuration
 keychain
@@ -83,7 +81,7 @@ libpwquality-tools
 libtomcrypt-dev
 libtommath-dev
 libtool
-linux-doc-6.12
+linux-doc-6.16
 linux-source
 live-boot
 live-config
@@ -131,6 +129,7 @@ sudo
 sysstat
 systemd-sysv
 tar
 tmux
 tree
 tshark
 ufw
@@ -146,7 +145,6 @@ whois
 wngerman
 xfsprogs
 xz-utils
 yq
 zip
 zsh
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.392.2025.11.07<br>
 # 2. DNSSEC Status
--- a/Show More
+++ b/Show More