DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]

X-CI-Metadata: master@99d669d at 2025-12-06T04:39:52Z on 941bb339cd9a

Generated at : 2025-12-06T04:39:52Z
Runner Host  : 941bb339cd9a
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 99d669d HEAD -> master

.archive/.0000_lib_usage.sh

@@ -1,142 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-#######################################
-# Usage Wrapper CISS.debian.live.builder
-# Globals:
-#   none
-# Arguments:
-#   $0: Script name
-#######################################
-usage() {
-  clear
-  cat << EOF
-$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.13.142.2025.10.14\e[0m")
-$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
-
-$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
-$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
-
-"${0} <option>", where <option> is one or more of:
-
-$(echo -e "\e[97m  --help, -h\e[0m")
-    What you're looking at.
-
-$(echo -e "\e[97m  --autobuild=*, -a=*\e[0m")
-    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
-    selector dialog. Change '*' to your desired Linux kernel and trim the
-    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
-
-$(echo -e "\e[97m  --architecture <STRING> one of <amd64 | arm64>\e[0m")
-    A string reflecting the architecture of the Live System.
-    MUST be provided.
-
-$(echo -e "\e[97m  --build-directory </path/to/build_directory>\e[0m")
-    Where the Debian Live Build Image should be generated.
-    MUST be provided.
-
-$(echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m")
-    A string reflecting the GRub Boot Screen Splash you want to use.
-    If omitted defaults to "./.archive/background/club.png".
-
-$(echo -e "\e[97m  --cdi (Experimental Feature)\e[0m")
-    This option generates a boot menu entry to start the forthcoming
-    'CISS.debian.installer', which will be executed after
-    the system has successfully booted up.
-
-$(echo -e "\e[97m  --contact, -c\e[0m")
-    Displays contact information of the author.
-
-$(echo -e "\e[97m  --control <INTEGER>\e[0m")
-    An integer that reflects the version of your Live ISO Image.
-    MUST be provided.
-
-$(echo -e "\e[97m  --debug\e[0m")
-    Enables debug logging for the main program routine. Detailed logging
-    information are written to "/tmp/ciss_live_builder_$$.log"
-
-$(echo -e "\e[97m  --dhcp-centurion\e[0m")
-    If a DHCP lease is provided, the provider's nameserver will be overridden,
-    and only the hardened, privacy-focused Centurion DNS servers will be used:
-      - https://dns01.eddns.eu/
-      - https://dns02.eddns.de/
-      - https://dns03.eddns.eu/
-
-$(echo -e "\e[97m  --jump-host <IP | IP | ... >\e[0m")
-    Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
-    Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
-    If provided, than it MUST be a <SPACE> separated list.
-    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
-
-$(echo -e "\e[97m  --log-statistics-only\e[0m")
-    Provides statistic only after successful building a
-    CISS.debian.live-ISO. While enabling "--log-statistics-only"
-    the argument "--build-directory" MUST be provided while
-    all further options MUST be omitted.
-
-$(echo -e "\e[97m  --provider-netcup-ipv6\e[0m")
-    Activates IPv6 support for Netcup Root Server. One unique
-    IPv6 address MUST be provided in this case and MUST be encapsulated
-    with [], e.g., [1234::abcd].
-
-$(echo -e "\e[97m  --renice-priority <PRIORITY>\e[0m")
-    Reset the nice priority value of the script and all its children
-    to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
-    Negative (higher) values MUST be enclosed in double quotes '"'.
-
-$(echo -e "\e[97m  --reionice-priority <CLASS> <PRIORITY>\e[0m")
-    Reset the ionice priority value of the script and all its children
-    to the desired <CLASS>. MUST be an integer:
-      1: realtime
-      2: best-effort
-      3: idle
-    Defaults to '2'.
-    Whereas <PRIORITY> MUST be an integer as well between:
-      0: highest priority and
-      7: lowest priority.
-    Defaults to '4'.
-    A real-time I/O process can significantly slow down other processes
-    or even cause them to starve if it continuously requests I/O.
-
-$(echo -e "\e[97m  --root-password-file </path/to/password.txt>\e[0m")
-    Password file for 'root', if given, MUST be a string of 20 to 64 characters,
-    and MUST NOT contain the special character '"'.
-    If the argument is omitted, no further login authentication is required for
-    the local console. The root password is hashed with an 16 Byte '/dev/random'
-    generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
-    after Hash generation all Variables containing plain password fragments are
-    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
-    further prompt after password hash has been successfully generated via:
-    'shred -vfzu 5 -f'.
-    No tracing of any plain text password fragment in any debug log.
-
-$(echo -e "\e[97m  --ssh-port <INTEGER>\e[0m")
-    The desired Port SSH should listen to.
-    If not provided defaults to Port 22.
-
-$(echo -e "\e[97m  --ssh-pubkey </path/to/.ssh/>\e[0m")
-    Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
-    specified PATH into the Live ISO. MUST be provided.
-
-$(echo -e "\e[97m  --version, -v\e[0m")
-    Displays version of ${0}.
-
-$(echo -e "\e[93m💡 Notes:\e[0m")
-🔵 You MUST be 'root' to run this script.
-
-$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
-$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/         \e[0m")
-
-EOF
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.archive/0005_tmpfile_dublette.chroot

@@ -1,72 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-set -Ceuo pipefail
-
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-
-# Purpose: Copy vendor 'legacy.conf' to '/etc/tmpfiles.d' and drop duplicate '/run/lock' lines.
-
-#######################################
-# Simple error terminal logger.
-# Arguments:
-#   None
-#######################################
-log() { printf '[tmpfiles-fix] %s\n' "$*" >&2; }
-
-### Locate vendor 'legacy.conf' (The path can vary).
-declare vendor=""
-
-for p in /usr/lib/tmpfiles.d/legacy.conf /lib/tmpfiles.d/legacy.conf; do
-
-  if [[ -f "${p}" ]]; then vendor="${p}"; break; fi
-
-done
-
-if [[ -z "${vendor}" ]]; then
-  log "WARN: vendor legacy.conf not found; creating a minimal override"
-  install -D -m 0644 /dev/null /etc/tmpfiles.d/legacy.conf
-
-else
-
-  install -D -m 0644 "${vendor}" /etc/tmpfiles.d/legacy.conf
-
-fi
-
-### Deduplicate: keep only the FIRST 'd /run/lock ' definition, drop subsequent ones.
-# shellcheck disable=SC2155
-declare tmpdir="$(mktemp -d)"
-declare out="${tmpdir}/legacy.conf"
-
-awk '
-BEGIN{seen=0}
-{
-  # Preserve everything by default
-  keep=1
-  # Match tmpfiles "d /run/lock ..." (allowing variable spacing and case of directive)
-  if ($1 ~ /^[dD]$/ && $2 == "/run/lock") {
-    if (seen==1) { keep=0 } else { seen=1 }
-  }
-  if (keep) print
-}' /etc/tmpfiles.d/legacy.conf >| "${out}"
-
-### Install the sanitized file atomically.
-install -m 0644 -o root -g root "${out}" /etc/tmpfiles.d/legacy.conf
-rm -rf -- "${tmpdir}"
-
-log "Deduplicated /etc/tmpfiles.d/legacy.conf (kept only first /run/lock entry)."
-
-command -v systemd-tmpfiles >/dev/null 2>&1 && systemd-tmpfiles --create --prefix /run/lock || true
-
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-
-exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.archive/0010_dhcp_supersede.sh

@@ -0,0 +1,113 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+if [[ ! -d "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp ]]; then
+
+  mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp
+
+fi
+
+cat << 'EOF' >> "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp/dhclient.conf
+
+# Custom dhclient config to override DHCP DNS
+# dns01.eddns.eu, dns02.eddns.de, dns03.eddns.eu;
+
+supersede domain-name-servers 135.181.207.105, 89.58.62.53, 138.199.237.109;
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+
+cat << 'EOF' >> "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcpcd.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### No Global APIPA-Fallback.
+noipv4ll
+
+### A ServerID is required by RFC2131.
+require dhcp_server_identifier
+
+### Respect the network MTU. This is applied to DHCP routes.
+option interface_mtu
+
+### A list of options to request from the DHCP server.
+option host_name
+option domain_name
+option domain_search
+option rapid_commit
+
+### Most distributions have NTP support.
+option ntp_servers
+
+### Ask server to update both A and PTR via FQDN (RFC 4702 semantics).
+fqdn both
+
+###-----------------------------------------------------------------------------------------------------------------------------
+### Global defaults for all interfaces.
+#option host_name
+#option domain_name
+#option domain_search
+
+### Ask server to update both A and PTR via FQDN (RFC 4702 semantics).
+#fqdn both
+###-----------------------------------------------------------------------------------------------------------------------------
+
+### Enforce static DNS and prevent dhcpcd from writing 'resolv.conf'.
+nooption domain_name_servers
+nohook resolv.conf rdnssd
+
+### Static resolvers (IPv4).
+### (This does NOT write '/etc/resolv.conf' because of nohook above.)
+static domain_name_servers=135.181.207.105 89.58.62.53 138.199.237.109
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+
+cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/resolv.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# static /etc/resolv.conf (CISS)
+
+nameserver 135.181.207.105
+nameserver 89.58.62.53
+nameserver 138.199.237.109
+options edns0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.archive/0100_ciss_mem_wipe.chroot

@@ -0,0 +1,302 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+
+apt-get install -y --no-install-recommends kexec-tools
+
+install -d -m 0755 /boot/ciss-memwipe
+install -d -m 0755 /usr/local/sbin
+install -d -m 0755 /etc/systemd/system
+install -d -m 0755 /etc/default
+
+### Pick a kernel to kexec into: use the latest installed vmlinuz. -------------------------------------------------------------
+# shellcheck disable=SC2012,SC2155
+declare _KERNEL="$(cd /boot && ls -1 vmlinuz-* | sed 's|vmlinuz-||' | sort -V | tail -n1)"
+cp -f "/boot/vmlinuz-${_KERNEL}" /boot/ciss-memwipe/vmlinuz
+
+### Build minimal initramfs with a busybox and a tiny '/init'. -----------------------------------------------------------------
+declare _TMP_DIR; _TMP_DIR="$(mktemp -d)"
+trap 'rm -rf "${_TMP_DIR}"' EXIT
+
+mkdir -p "${_TMP_DIR}"/{bin,dev,proc,sys,wipe}
+
+### Locate the current busybox binary. -----------------------------------------------------------------------------------------
+declare _BUSYBOX_BIN; _BUSYBOX_BIN="$(command -v busybox || true)"
+if [[ -z "${_BUSYBOX_BIN}" ]]; then
+  echo "ERROR: busybox not found after installation attempt." >&2
+  exit 42
+fi
+
+cp -f "${_BUSYBOX_BIN}" "${_TMP_DIR}/bin/busybox"
+
+#######################################
+# Copy required shared libs into the initramfs (if the busybox is dynamic).
+# Globals:
+#   _TMP_DIR
+# Arguments:
+#   1: _BUSYBOX_BIN
+# Returns:
+#   0: on success
+#######################################
+copy_libs() {
+  declare bin="$1"
+
+  if ldd "${bin}" 2>&1 | grep -q 'not a dynamic executable'; then
+    return 0
+  fi
+
+  ldd "${bin}" | awk '
+    /=> \// {print $3}
+    # some libs are printed as absolute path without "=>"
+    /^\//    {print $1}
+  ' | while read -r lib; do
+    [[ -n "${lib}" ]] || continue
+    dest="${_TMP_DIR}$(dirname "${lib}")"
+    install -d -m 0755 "${dest}"
+    cp -f "${lib}" "${dest}"
+  done
+}
+
+copy_libs "${_BUSYBOX_BIN}"
+
+### Generate '/init' script ----------------------------------------------------------------------------------------------------
+cat << 'EOF' >| "${_TMP_DIR}/init"
+#!/bin/busybox sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Minimal init to wipe RAM, then power off.
+# Parses cmdline: ciss_wipe_passes=2 ciss_wipe_mode=zero+random ciss_dd_bs=64M ciss_tmpfs_pct=95
+set -eu
+
+#######################################
+# Helper
+# Globals:
+#   None
+# Arguments:
+#   1: key
+# Returns:
+#   0: on success
+#######################################
+get_arg() { # $1=key ; echoes value or empty
+  for tok in $(cat /proc/cmdline); do
+    case "$tok" in
+      $1=*) echo "${tok#*=}"; return 0;;
+    esac
+  done
+  echo ""
+}
+
+mount -t devtmpfs devtmpfs /dev 2>/dev/null || true
+[ -e /dev/console ] || mknod -m 600 /dev/console c 5 1
+[ -e /dev/null ]    || mknod -m 666 /dev/null c 1 3
+[ -e /dev/urandom ] || mknod -m 444 /dev/urandom c 1 9
+
+mount -t proc proc /proc
+mount -t sysfs sysfs /sys
+
+PASSES="$(get_arg ciss_wipe_passes)"; [ -n "${PASSES}" ] || PASSES=2
+MODE="$(get_arg ciss_wipe_mode)"; [ -n "${MODE}" ] || MODE="zero+random"
+BS="$(get_arg ciss_dd_bs)"; [ -n "${BS}" ] || BS=64M
+PCT="$(get_arg ciss_tmpfs_pct)"; [ -n "${PCT}" ] || PCT=95
+
+echo 1 >| /proc/sys/kernel/printk 2>/dev/null || true
+
+MEM_KB="$(awk '/MemTotal:/ {print $2}' /proc/meminfo)"
+SIZE_KB=$(( MEM_KB * PCT / 100 ))
+mount -t tmpfs -o "size=${SIZE_KB}k,nodev,nosuid,noexec,mode=0700" tmpfs /wipe
+
+#######################################
+# Wipe helper
+# Globals:
+#   None
+# Arguments:
+#   1: pattern
+# Returns:
+#   0: on success
+#######################################
+wipe_pass() {
+  pattern="$1" # zero or random
+  if [ "$pattern" = "zero" ]; then
+    src="/dev/zero"
+  else
+    src="/dev/urandom"
+  fi
+
+  i=0
+  while :; do
+    # Use busybox dd explicitly to avoid surprises
+    busybox dd if="$src" of="/wipe/block_$i" bs="$BS" status=none || break
+    i=$((i+1))
+  done
+  sync
+  echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
+  rm -f /wipe/block_* 2>/dev/null || true
+  sync
+  return 0
+}
+
+DO_ZERO=0; DO_RANDOM=0
+case "$MODE" in
+  zero) DO_ZERO=1 ;;
+  random) DO_RANDOM=1 ;;
+  zero+random|random+zero) DO_ZERO=1; DO_RANDOM=1 ;;
+  *) DO_ZERO=1 ;;
+esac
+
+p=1
+while [ $p -le "$PASSES" ]; do
+  [ $DO_ZERO -eq 1 ] && wipe_pass zero
+  [ $DO_RANDOM -eq 1 ] && wipe_pass random
+  p=$((p+1))
+done
+
+sync
+busybox poweroff -f || echo o >| /proc/sysrq-trigger
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+chmod +x "${_TMP_DIR}/init"
+
+### Create the initramfs archive -----------------------------------------------------------------------------------------------
+( cd "${_TMP_DIR}" && find . -print0 | cpio --null -ov --format=newc ) | gzip -9 > /boot/ciss-memwipe/initrd.img
+
+### Default configuration.
+cat << 'EOF' >| /etc/default/ciss-memwipe
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# CISS Memory Wipe defaults:
+
+CISS_WIPE_PASSES=2             # number of passes
+CISS_WIPE_MODE="zero+random"   # zero | random | zero+random
+CISS_WIPE_DD_BS="64M"          # dd block size
+CISS_WIPE_TMPFS_PCT=95         # percentage of MemTotal to allocate
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+### Helper script --------------------------------------------------------------------------------------------------------------
+cat << 'EOF' >| /usr/local/sbin/ciss-memwipe
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -euo pipefail
+
+. /etc/default/ciss-memwipe || true
+
+KERNEL="/boot/ciss-memwipe/vmlinuz"
+INITRD="/boot/ciss-memwipe/initrd.img"
+
+append_common="quiet loglevel=1 ciss_wipe_passes=${CISS_WIPE_PASSES:-2} ciss_wipe_mode=${CISS_WIPE_MODE:-zero+random} ciss_dd_bs=${CISS_WIPE_DD_BS:-64M} ciss_tmpfs_pct=${CISS_WIPE_TMPFS_PCT:-95}"
+
+prepare() {
+  if [ -w /proc/sys/kernel/kexec_load_disabled ] && [ "$(cat /proc/sys/kernel/kexec_load_disabled)" = "1" ]; then
+    echo 0 > /proc/sys/kernel/kexec_load_disabled || true
+  fi
+  if command -v kexec >/dev/null 2>&1 && [ -s "$KERNEL" ] && [ -s "$INITRD" ]; then
+    kexec -l "$KERNEL" --initrd="$INITRD" --append="$append_common" || true
+  fi
+}
+
+fallback_inplace() {
+  mount -t tmpfs -o "size=95%,nodev,nosuid,noexec,mode=0700" tmpfs /run/wipe 2>/dev/null || mkdir -p /run/wipe
+  i=0
+  while :; do
+    dd if=/dev/zero of="/run/wipe/blk_$i" bs="${CISS_WIPE_DD_BS:-64M}" status=none || break
+    i=$((i+1))
+  done
+  sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
+  rm -f /run/wipe/blk_* 2>/dev/null || true
+  sync
+  systemctl poweroff -f || poweroff -f || echo o > /proc/sysrq-trigger
+}
+
+execute() {
+  sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
+  if command -v systemctl >/dev/null 2>&1 && systemctl --quiet is-system-running; then
+    systemctl kexec || kexec -e || fallback_inplace
+  else
+    kexec -e || fallback_inplace
+  fi
+}
+
+case "${1:-}" in
+  prepare) prepare ;;
+  execute) execute ;;
+  *) echo "Usage: $0 {prepare|execute}" >&2; exit 2 ;;
+esac
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+chmod 0755 /usr/local/sbin/ciss-memwipe
+
+### Systemd service: load at boot, execute on shutdown. ------------------------------------------------------------------------
+cat << 'EOF' >| /etc/systemd/system/ciss-memwipe.service
+[Unit]
+Description=CISS: preload and execute kexec-based RAM wipe on shutdown
+DefaultDependencies=no
+Before=shutdown.target
+After=local-fs.target network.target multi-user.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ciss-memwipe prepare
+ExecStop=/usr/local/sbin/ciss-memwipe execute
+TimeoutStartSec=20s
+TimeoutStopSec=infinity
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+install -d -m 0755 /etc/systemd/system/multi-user.target.wants
+ln -sf /etc/systemd/system/ciss-memwipe.service /etc/systemd/system/multi-user.target.wants/ciss-memwipe.service
+
+systemctl enable ciss-memwipe.service
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.archive/90-ciss-networkd.preset

@@ -0,0 +1,19 @@
+# bashsupport disable=BP5007
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-26; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+enable systemd-networkd.service
+enable systemd-resolved.service
+disable networking.service
+disable NetworkManager.service
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

.archive/9985_clamav.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

.archive/9999_interfaces_update.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -16,7 +16,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
 
-mv /etc/network/interfaces /root/.ciss/dlb/backup/interfaces.chroot
+mv /etc/network/interfaces /root/.ciss/cdlb/backup/interfaces.chroot
 rm -f /etc/network/interfaces
 
 cat << EOF >| /etc/network/interfaces
@@ -26,7 +26,7 @@ cat << EOF >| /etc/network/interfaces
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

.archive/generate_PRIVATE_trixie_0.yaml

@@ -0,0 +1,448 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Version Master V8.13.768.2025.12.06
+
+name: 🔐 Generating a Private Live ISO TRIXIE.
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - '.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml'
+
+jobs:
+  generate-private-cdlb-trixie:
+    name: 🔐 Generating a Private Live ISO TRIXIE.
+    runs-on: cdlb.trixie
+
+    container:
+      image: debian:trixie
+
+    steps:
+      - name: 🛠️ Basic Image Setup.
+        shell: bash
+        run: |
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update -qq
+          apt-get upgrade -y
+          apt-get install -y --no-install-recommends \
+            apt-utils \
+            bash \
+            ca-certificates \
+            curl \
+            git \
+            gnupg \
+            openssh-client \
+            openssl \
+            perl \
+            sudo \
+            util-linux
+
+      - name: ⚙️ Check GnuPG Version.
+        shell: bash
+        run: |
+          gpg --version
+
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        shell: bash
+        run: |
+          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            HostName git.coresecret.dev
+            Port 42842
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 0600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        shell: bash
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+      - name: 🛠️ Cleaning the workspace.
+        shell: bash
+        run: |
+          git reset --hard
+          git clean -fd
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        shell: bash
+        run: |
+          set -euo pipefail
+          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          export GNUPGHOME="$(pwd)/.gnupg"
+          mkdir -m 700 "${GNUPGHOME}"
+          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
+          gpg --batch --import centurion-root.PUB.asc
+          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+          gpg --batch --import ci-bot.sec.asc
+          ### Trust the key automatically
+          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        shell: bash
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Preparing the build environment.
+        shell: bash
+        run: |
+          set -euo pipefail
+          mkdir -p /opt/config
+          mkdir -p /opt/livebuild
+          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
+          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
+          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
+          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
+
+      - name: 🔧 Render live hook with secrets.
+        shell: bash
+        working-directory: ${{ github.workspace }}
+        env:
+          ED25519_PRIV:        ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
+          ED25519_PUB:         ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
+          RSA_PRIV:            ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
+          RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
+          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
+          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
+        run: |
+          set -Ceuo pipefail
+          umask 077
+
+          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
+
+          TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
+          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
+          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
+          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
+
+          if [[ ! -f "${TPL}" ]]; then
+            echo "Template not found: ${TPL}"
+            echo "::group::Tree of config/hooks/live"
+            ls -la "${REPO_ROOT}/config/hooks/live" || true
+            echo "::endgroup::"
+            exit 2
+          fi
+
+          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
+          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
+          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
+          export RSA_PUB="${RSA_PUB//$'\r'/}"
+          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
+          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
+
+          (
+          cat << EOF >| "${ID_OUT}"
+          ${CISS_PRIMORDIAL}
+          EOF
+          ) && chmod 0600 "${ID_OUT}"
+          if [[ -f "${ID_OUT}" ]]; then
+            echo "Written: ${ID_OUT}"
+          else
+            echo "Error: ${ID_OUT} not written."
+          fi
+
+          (
+          cat << EOF >| "${ID_OUT_PUB}"
+          ${CISS_PRIMORDIAL_PUB}
+          EOF
+          ) && chmod 0600 "${ID_OUT_PUB}"
+          if [[ -f "${ID_OUT_PUB}" ]]; then
+            echo "Written: ${ID_OUT_PUB}"
+          else
+            echo "Error: ${ID_OUT_PUB} not written."
+          fi
+
+          perl -0777 -pe '
+            BEGIN{
+              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
+              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
+            }
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
+          ' "${TPL}" > "${OUT}"
+
+          chmod 0755 "${OUT}"
+          echo "Hook rendered: ${OUT}"
+
+      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
+        shell: bash
+        working-directory: ${{ github.workspace }}
+        run: |
+          set -euo pipefail
+          chmod 0755 ciss_live_builder.sh
+          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
+          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ./ciss_live_builder.sh \
+            --autobuild=6.16.3+deb13-amd64 \
+            --architecture amd64 \
+            --build-directory /opt/livebuild \
+            --cdi \
+            --control "${timestamp}" \
+            --debug \
+            --dhcp-centurion \
+            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
+            --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
+            --root-password-file /opt/config/password.txt \
+            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
+            --ssh-pubkey /opt/config \
+            --sshfp \
+            --trixie
+
+          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
+          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
+          rm -f "$OUT"
+          echo "Hook removed: $OUT"
+          shred -fzu -n 5 /opt/config/authorized_keys
+
+      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
+        run: |
+          set -euo pipefail
+          SHARE_SUBDIR=""
+
+          echo "📥 Get directory listing via PROPFIND ..."
+          curl -s \
+          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          -X PROPFIND \
+          -H "Depth: 1" \
+          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+          -o propfind_public.xml
+
+          echo "📥 Filter .iso files from the PROPFIND response ..."
+          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
+
+          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+            echo "💡 Old ISO files found and deleted :"
+            while IFS= read -r href; do
+              FILE_URL="${NC_BASE}${href}"
+              echo "  Delete: ${FILE_URL}"
+              if curl -s \
+                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+                  -X DELETE "${FILE_URL}"; then
+                echo "    ✅ Successfully deleted: $(basename "${href}")"
+              else
+                echo "    ❌ Error: $(basename "${href}") could not be deleted"
+              fi
+            done < public_iso_list.txt
+          else
+            echo "💡 No old ISO files found to delete."
+          fi
+
+      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
+        run: |
+          set -euo pipefail
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+            echo "✅ New ISO successfully uploaded."
+          else
+            echo "❌ Uploading the new ISO failed."
+            exit 1
+          fi
+
+      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
+        shell: bash
+        run: |
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
+          touch "${VAR_ISO_FILE_SHA512}"
+          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
+          touch "${SIGNATURE_FILE}"
+          export GNUPGHOME="$(pwd)/.gnupg"
+          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          VAR_DATE="$(date +%F)"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
+          touch "${PRIVATE_FILE}"
+          cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
+
+          CISS.debian.live.builder ISO :
+            "${VAR_ISO_FILE_NAME}"
+          CISS.debian.live.builder ISO sha512 :
+            $(< "${VAR_ISO_FILE_SHA512}")
+          CISS.debian.live.builder ISO sha512 sign :
+            $(< "${SIGNATURE_FILE}")
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_0.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.archive/generate_PRIVATE_trixie_1.yaml

@@ -0,0 +1,491 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Version Master V8.13.768.2025.12.06
+
+name: 🔐 Generating a Private Live ISO TRIXIE.
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - '.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml'
+
+jobs:
+  generate-private-cdlb-trixie:
+    name: 🔐 Generating a Private Live ISO TRIXIE.
+    runs-on: cdlb.trixie
+
+    container:
+      image: debian:trixie
+
+    defaults:
+      run:
+        shell: bash
+        working-directory: ${{ github.workspace }}
+
+    steps:
+      - name: ⏳ Waiting random time to desynchronize parallel workflows.
+        run: |
+          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
+      - name: 🛠️ Basic Image Setup.
+        run: |
+          set -euo pipefail
+          umask 0077
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update -qq
+          apt-get upgrade -y
+          apt-get install -y --no-install-recommends \
+            apt-utils \
+            bash \
+            ca-certificates \
+            curl \
+            git \
+            gnupg \
+            openssh-client \
+            openssl \
+            perl \
+            sudo \
+            util-linux
+
+      - name: ⚙️ Check GnuPG Version.
+        run: |
+          gpg --version
+
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        run: |
+          set -euo pipefail
+          umask 0077
+
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            HostName git.coresecret.dev
+            Port 42842
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 0600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+      - name: ⚙️ Init GNUPGHOME.
+        run: |
+          set -euo pipefail
+          umask 0077
+          GNUPGHOME="/dev/shm/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}.${GITHUB_RUN_ATTEMPT}"
+          mkdir -p -m 700 "${GNUPGHOME}"
+          echo "GNUPGHOME=${GNUPGHOME}" >> "${GITHUB_ENV}"
+          echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf"
+          gpgconf --reload gpg-agent || true
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        env:
+          PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
+        run: |
+          set -euo pipefail
+          umask 0077
+          printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
+          unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        run: |
+          set -euo pipefail
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Preparing the build environment.
+        run: |
+          set -euo pipefail
+          umask 0077
+          mkdir -p /opt/cdlb/secrets
+          mkdir -p /opt/cdlb/livebuild
+          install -m 0600 /dev/null /opt/cdlb/secrets/password.txt
+          install -m 0600 /dev/null /opt/cdlb/secrets/authorized_keys
+          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_ed25519_key
+          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_ed25519_key.pub
+          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_rsa_key
+          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_rsa_key.pub
+          install -m 0600 /dev/null /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial
+          install -m 0600 /dev/null /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial.pub
+          install -m 0600 /dev/null /opt/cdlb/secrets/keys.txt
+          install -m 0600 /dev/null /opt/cdlb/secrets/luks.txt
+
+          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}"               >| /opt/cdlb/secrets/password.txt
+          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}"        >| /opt/cdlb/secrets/authorized_keys
+          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}"     >| /opt/cdlb/secrets/ssh_host_ed25519_key
+          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /opt/cdlb/secrets/ssh_host_ed25519_key.pub
+          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}"         >| /opt/cdlb/secrets/ssh_host_rsa_key
+          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}"     >| /opt/cdlb/secrets/ssh_host_rsa_key.pub
+          echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}"           >| /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial
+          echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial.pub
+          echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /opt/cdlb/secrets/keys.txt
+          echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /opt/cdlb/secrets/luks.txt
+
+
+      - name: 🔧 Render live hook with secrets.
+        shell: bash
+        working-directory: ${{ github.workspace }}
+        env:
+          ED25519_PRIV:        ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
+          ED25519_PUB:         ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
+          RSA_PRIV:            ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
+          RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
+          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
+          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
+          CISS_PHYS_AGE:       ${{ secrets.CISS_PHYS_AGE }}
+          MSW_GPG_DEPLOY_BOT:  ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
+        run: |
+          set -Ceuo pipefail
+          umask 077
+
+          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
+
+          TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
+          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
+          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
+          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
+          SOPS="${REPO_ROOT}/config/hooks/live/0860_sops.chroot"
+          BINARY_CHECKSUMS="${REPO_ROOT}/scripts/usr/lib/live/build/binary_checksums.sh"
+
+          if [[ ! -f "${TPL}" ]]; then
+            echo "Template not found: ${TPL}"
+            echo "::group::Tree of config/hooks/live"
+            ls -la "${REPO_ROOT}/config/hooks/live" || true
+            echo "::endgroup::"
+            exit 2
+          fi
+
+          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
+          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
+          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
+          export RSA_PUB="${RSA_PUB//$'\r'/}"
+          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
+          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
+          export CISS_PHYS_AGE="${CISS_PHYS_AGE//$'\r'/}"
+          export MSW_GPG_DEPLOY_BOT="${MSW_GPG_DEPLOY_BOT//$'\r'/}"
+
+          (
+          cat << EOF >| "${ID_OUT}"
+          ${CISS_PRIMORDIAL}
+          EOF
+          ) && chmod 0600 "${ID_OUT}"
+          if [[ -f "${ID_OUT}" ]]; then
+            echo "Written: ${ID_OUT}"
+          else
+            echo "Error: ${ID_OUT} not written."
+          fi
+
+          (
+          cat << EOF >| "${ID_OUT_PUB}"
+          ${CISS_PRIMORDIAL_PUB}
+          EOF
+          ) && chmod 0600 "${ID_OUT_PUB}"
+          if [[ -f "${ID_OUT_PUB}" ]]; then
+            echo "Written: ${ID_OUT_PUB}"
+          else
+            echo "Error: ${ID_OUT_PUB} not written."
+          fi
+
+          perl -0777 -pe '
+            BEGIN{
+              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
+              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
+            }
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
+          ' "${TPL}" > "${OUT}"
+
+          chmod 0755 "${OUT}"
+
+          perl -0777 -i -pe '
+            BEGIN {
+              our $age = $ENV{CISS_PHYS_AGE} // q{};
+            }
+            s/\{\{\s*secrets\.CISS_PHYS_AGE\s*\}\}/$age/g;
+          ' -- "${SOPS}"
+          chmod 0755 "${SOPS}"
+
+          perl -0777 -i -pe '
+            BEGIN {
+              our $deploy = $ENV{MSW_GPG_DEPLOY_BOT} // q{};
+            }
+            s/\{\{\s*secrets\.MSW_GPG_DEPLOY_BOT\s*\}\}/$deploy/g;
+          ' -- "${BINARY_CHECKSUMS}"
+          chmod 0755 "${BINARY_CHECKSUMS}"
+
+          echo "Hook rendered: ${OUT}"
+
+      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
+        shell: bash
+        working-directory: ${{ github.workspace }}
+        run: |
+          set -euo pipefail
+          chmod 0755 ciss_live_builder.sh
+          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
+          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ./ciss_live_builder.sh \
+            --autobuild=6.16.3+deb13-amd64 \
+            --architecture amd64 \
+            --build-directory /opt/cdlb/livebuild \
+            --cdi \
+            --control "${timestamp}" \
+            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
+            --root-password-file /opt/cdlb/secrets/password.txt \
+            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
+            --ssh-pubkey /opt/cdlb/secrets \
+            --sshfp \
+            --trixie
+
+          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
+          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
+          rm -f "$OUT"
+          echo "Hook removed: $OUT"
+          shred -fzu -n 5 /opt/cdlb/secrets/authorized_keys
+
+      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
+        run: |
+          set -euo pipefail
+          SHARE_SUBDIR=""
+
+          echo "📥 Get directory listing via PROPFIND ..."
+          curl -s \
+          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          -X PROPFIND \
+          -H "Depth: 1" \
+          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+          -o propfind_public.xml
+
+          echo "📥 Filter .iso files from the PROPFIND response ..."
+          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
+
+          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+            echo "💡 Old ISO files found and deleted :"
+            while IFS= read -r href; do
+              FILE_URL="${NC_BASE}${href}"
+              echo "  Delete: ${FILE_URL}"
+              if curl -s \
+                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+                  -X DELETE "${FILE_URL}"; then
+                echo "    ✅ Successfully deleted: $(basename "${href}")"
+              else
+                echo "    ❌ Error: $(basename "${href}") could not be deleted"
+              fi
+            done < public_iso_list.txt
+          else
+            echo "💡 No old ISO files found to delete."
+          fi
+
+      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
+        run: |
+          set -euo pipefail
+          if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+            echo "✅ New ISO successfully uploaded."
+          else
+            echo "❌ Uploading the new ISO failed."
+            exit 1
+          fi
+
+      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
+        shell: bash
+        run: |
+          if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
+          touch "${VAR_ISO_FILE_SHA512}"
+          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
+          touch "${SIGNATURE_FILE}"
+          export GNUPGHOME="$(pwd)/.gnupg"
+          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          VAR_DATE="$(date +%F)"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
+          touch "${PRIVATE_FILE}"
+          cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
+
+          CISS.debian.live.builder ISO :
+            "${VAR_ISO_FILE_NAME}"
+          CISS.debian.live.builder ISO sha512 :
+            $(< "${VAR_ISO_FILE_SHA512}")
+          CISS.debian.live.builder ISO sha512 sign :
+            $(< "${SIGNATURE_FILE}")
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.archive/generate_PUBLIC_iso.yaml

@@ -0,0 +1,366 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Version Master V8.13.768.2025.12.06
+
+name: 💙 Generating a PUBLIC Live ISO.
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - '.gitea/trigger/t_generate_PUBLIC.yaml'
+
+jobs:
+  generate-public-cdlb-trixie:
+    name: 💙 Generating a PUBLIC Live ISO.
+    runs-on: cdlb.trixie
+
+    container:
+      image: debian:trixie
+
+    steps:
+      - name: 🛠️ Basic Image Setup.
+        shell: bash
+        run: |
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update -qq
+          apt-get upgrade -y
+          apt-get install -y --no-install-recommends \
+            apt-utils \
+            bash \
+            ca-certificates \
+            curl \
+            git \
+            gnupg \
+            openssh-client \
+            openssl \
+            perl \
+            sudo \
+            util-linux
+
+      - name: ⚙️ Check GnuPG Version.
+        shell: bash
+        run: |
+          gpg --version
+
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        shell: bash
+        run: |
+          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            HostName git.coresecret.dev
+            Port 42842
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 0600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        shell: bash
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+      - name: 🛠️ Cleaning the workspace.
+        shell: bash
+        run: |
+          git reset --hard
+          git clean -fd
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        shell: bash
+        run: |
+          set -euo pipefail
+          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          export GNUPGHOME="$(pwd)/.gnupg"
+          mkdir -m 700 "${GNUPGHOME}"
+          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
+          gpg --batch --import centurion-root.PUB.asc
+          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+          gpg --batch --import ci-bot.sec.asc
+          ### Trust the key automatically
+          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        shell: bash
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Preparing the build environment.
+        shell: bash
+        run: |
+          set -euo pipefail
+          mkdir -p /opt/config
+          mkdir -p /opt/livebuild
+          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
+          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
+          echo 'Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH' >| /opt/config/password.txt
+          echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY' >| /opt/config/authorized_keys
+
+      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
+        shell: bash
+        run: |
+          set -euo pipefail
+          sed -i '/^hardening_ssh_tcp.*/d' ciss_live_builder.sh
+          chmod 0755 ciss_live_builder.sh
+          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
+          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ./ciss_live_builder.sh \
+            --autobuild=6.16.3+deb13-amd64 \
+            --architecture amd64 \
+            --build-directory /opt/livebuild \
+            --cdi \
+            --control "${timestamp}" \
+            --debug \
+            --root-password-file /opt/config/password.txt \
+            --ssh-port 42137 \
+            --ssh-pubkey /opt/config \
+            --trixie
+
+      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
+        run: |
+          set -euo pipefail
+          SHARE_SUBDIR=""
+
+          echo "📥 Get directory listing via PROPFIND ..."
+          curl -s \
+          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          -X PROPFIND \
+          -H "Depth: 1" \
+          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+          -o propfind_public.xml
+
+          echo "📥 Filter .iso files from the PROPFIND response ..."
+          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
+
+          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+            echo "💡 Old ISO files found and deleted :"
+            while IFS= read -r href; do
+              FILE_URL="${NC_BASE}${href}"
+              echo "  Delete: ${FILE_URL}"
+              if curl -s \
+                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+                  -X DELETE "${FILE_URL}"; then
+                echo "    ✅ Successfully deleted: $(basename "${href}")"
+              else
+                echo "    ❌ Error: $(basename "${href}") could not be deleted"
+              fi
+            done < public_iso_list.txt
+          else
+            echo "💡 No old ISO files found to delete."
+          fi
+
+      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
+        run: |
+          set -euo pipefail
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+            echo "✅ New ISO successfully uploaded."
+          else
+            echo "❌ Uploading the new ISO failed."
+            exit 1
+          fi
+
+      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
+        shell: bash
+        run: |
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
+          touch "${VAR_ISO_FILE_SHA512}"
+          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
+          touch "${SIGNATURE_FILE}"
+          export GNUPGHOME="$(pwd)/.gnupg"
+          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          VAR_DATE="$(date +%F)"
+          PRIVATE_FILE="LIVE_ISO.public"
+          touch "${PRIVATE_FILE}"
+          cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
+
+          CISS.debian.live.builder ISO :
+            "${VAR_ISO_FILE_NAME}"
+          CISS.debian.live.builder ISO sha512 :
+            $(< "${VAR_ISO_FILE_SHA512}")
+          CISS.debian.live.builder ISO sha512 sign :
+            $(< "${SIGNATURE_FILE}")
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LIVE_ISO.public"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PUBLIC_iso.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.archive/icon.lib

@@ -4,52 +4,67 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
+⏫
+⬆️
+☁️
+☢️
+☣️
+✍️
 ✅
 ❌
 ⚠️
-🚫
-🔐
-🔒
-🔑
-✍️
-🖥️
-🔄
-🔁
-🌌
-🔵
-💙
-🔍
-💡
-🔧
-🛠️
-🏗
+•
 ⚙️
-📐
-🧪
-📩
-📥
-📦
-📑
-📂
-📀
+🆙
+🌌
+🌐
 🎉
-😺
+🎯
+🏗
+💙
+💡
+💬
+💽
+💾
+💿
+📀
+📁
+📂
+📅
 📉
 📊
-🧾
 📋
-🕑
-🧠
-📅
-🎯
-🌐
+📐
+📑
+📡
+📤
+📥
+📦
+📩
+🔁
+🔄
+🔍
+🔐
+🔑
+🔒
 🔗
-💬
-☢️
-☣️
-•
+🔧
+🔵
+🔼
+🕑
+🖥️
+🗂️
+🗄️
+🗜️
+😺
+🚫
+🛠️
+🛡️
+🧠
+🧪
+🧾
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.archive/network/interfaces

@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

.editorconfig

@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml

@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -25,7 +25,7 @@ body:
     attributes:
       label: "Version"
       description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.142.2025.10.14"
+      placeholder: "e.g., Master V8.13.768.2025.12.06"
     validations:
       required: true
 

.gitea/ISSUE_TEMPLATE/PULL_REQUEST_TEMPLATE.yaml

@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

.gitea/TODO/dockerfile

@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.768.2025.12.06
 
 FROM debian:bookworm
 

.gitea/TODO/render-md-to-html.yaml

@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.768.2025.12.06
 
 name: 🔁 Render README.md to README.html.
 
@@ -38,11 +38,11 @@ jobs:
 
           ### Private Key
           echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
 
           ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
           ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
 
           ### Generate SSH Config for git.coresecret.dev Custom-Port
           cat <<EOF >| ~/.ssh/config
@@ -53,7 +53,7 @@ jobs:
             StrictHostKeyChecking yes
             UserKnownHostsFile ~/.ssh/known_hosts
           EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
 
       ### https://github.com/actions/checkout/issues/1843
       - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.

.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml

@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
 build:
   counter: 1023
-  version: V8.13.142.2025.10.14
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml

@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
 build:
   counter: 1023
-  version: V8.13.142.2025.10.14
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PUBLIC.yaml

@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
 build:
   counter: 1023
-  version: V8.13.142.2025.10.14
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_dns.yaml

@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
 build:
   counter: 1023
-  version: V8.13.142.2025.10.14
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_trixie_0.yaml

@@ -4,19 +4,15 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.768.2025.12.06
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 
-defaults:
-  run:
-    shell: bash
-
 permissions:
   contents: write
 
@@ -35,216 +31,207 @@ jobs:
     container:
       image: debian:trixie
 
-    steps:
-      - name: 🛠️ Basic Image Setup.
+    defaults:
+      run:
         shell: bash
+        working-directory: ${{ github.workspace }}
+
+    steps:
+      - name: 🕑 Waiting random time to desynchronize parallel workflows.
         run: |
+          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
+      - name: 🔧 Basic Image Setup.
+        run: |
+          set -euo pipefail
+          umask 0022
+
+          echo "APT_LISTCHANGES_FRONTEND=none"  >> "${GITHUB_ENV}"
+          echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}"
+          echo "LC_ALL=C.UTF-8"                 >> "${GITHUB_ENV}"
+          echo "TZ=UTC"                         >> "${GITHUB_ENV}"
+          echo "VAR_CDLB_INSIDE_RUNNER=true"    >> "${GITHUB_ENV}"
+
+          export APT_LISTCHANGES_FRONTEND=none
           export DEBIAN_FRONTEND=noninteractive
-          apt-get update
+
+          apt-get update -qq
           apt-get upgrade -y
           apt-get install -y --no-install-recommends \
             apt-utils \
             bash \
+            bat \
             ca-certificates \
+            cryptsetup \
             curl \
+            debootstrap \
             git \
+            gnupg-utils \
             gnupg \
+            gpg-agent \
+            gpgv \
+            live-build \
+            lsb-release \
             openssh-client \
             openssl \
             perl \
+            pinentry-curses \
+            pinentry-tty \
             sudo \
-            util-linux
+            util-linux \
+            whois
 
       - name: ⚙️ Check GnuPG Version.
-        shell: bash
         run: |
           gpg --version
 
       - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
-        shell: bash
         run: |
+          set +x
           set -euo pipefail
-          var_wait=$(( RANDOM % 33 ))
-          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
-          sleep "${var_wait}"
+          umask 0077
 
           rm -rf ~/.ssh && mkdir -m700 ~/.ssh
 
           ### Private Key
           echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
 
           ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
           ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
 
           ### Generate SSH Config for git.coresecret.dev Custom-Port
           cat <<EOF >| ~/.ssh/config
           Host git.coresecret.dev
+            BatchMode yes
+            ConnectTimeout 5
+            ControlMaster auto
+            ControlPath ~/.ssh/cm-%r@%h:%p
+            ControlPersist 5m
             HostName git.coresecret.dev
-            Port 42842
             IdentityFile ~/.ssh/id_ed25519
+            Port 42842
+            ServerAliveCountMax 3
+            ServerAliveInterval 10
             StrictHostKeyChecking yes
+            User git
             UserKnownHostsFile ~/.ssh/known_hosts
           EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
 
       ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
-        shell: bash
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
         env:
           ### GITHUB_REF_NAME contains the branch name from the push event.
           GITHUB_REF_NAME: ${{ github.ref_name }}
         run: |
+          set -euo pipefail
           git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
-          git fetch --unshallow || echo "Nothing to fetch - already full clone."
 
-      - name: 🛠️ Cleaning the workspace.
-        shell: bash
+      - name: ⚙️ Init GNUPGHOME.
         run: |
-          git reset --hard
-          git clean -fd
+          set +x
+          set -euo pipefail
+          umask 0077
+          GNUPGHOME="${PWD}/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}"
+          # shellcheck disable=SC2174
+          mkdir -p -m 0700 "${GNUPGHOME}"
+          echo "GNUPGHOME=${GNUPGHOME}"                 >> "${GITHUB_ENV}"
+          echo 'allow-loopback-pinentry'                >| "${GNUPGHOME}/gpg-agent.conf"
+          echo 'pinentry-program /usr/bin/pinentry-tty' >> "${GNUPGHOME}/gpg-agent.conf"
+          gpgconf --reload gpg-agent || true
 
       - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
+        env:
+          PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
         run: |
+          set +x
           set -euo pipefail
-          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
-          mkdir -m 700 "${GNUPGHOME}"
-          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
-          gpg --batch --import centurion-root.PUB.asc
-          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
-          gpg --batch --import ci-bot.sec.asc
-          ### Trust the key automatically
-          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
-          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+          umask 0077
+          printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
+          unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
 
       - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
-        shell: bash
         run: |
+          set +x
           set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
           git config user.name "Marc S. Weidner BOT"
           git config user.email "msw+bot@coresecret.dev"
+          git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }}
           git config commit.gpgsign true
           git config gpg.program gpg
           git config gpg.format openpgp
+          git config --get user.signingkey
 
       - name: ⚙️ Preparing the build environment.
-        shell: bash
+        run: |
+          set +x
+          set -euo pipefail
+          umask 0077
+          mkdir -p /dev/shm/cdlb_secrets
+
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_ca.asc
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
+
+          echo "${{ secrets.CISS_DLB_ROOT_PWD }}"                 >| /dev/shm/cdlb_secrets/password.txt
+          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}"          >| /dev/shm/cdlb_secrets/authorized_keys
+          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}"     >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key
+          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
+          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}"         >| /dev/shm/cdlb_secrets/ssh_host_rsa_key
+          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}"     >| /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
+          echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}"           >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
+          echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
+          echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /dev/shm/cdlb_secrets/keys.txt
+          echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /dev/shm/cdlb_secrets/luks.txt
+          echo "${{ secrets.PGP_CISS_CA_PUBLIC_KEY }}"            >| /dev/shm/cdlb_secrets/signing_ca.asc
+          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}"       >| /dev/shm/cdlb_secrets/signing_key.asc
+          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}"  >| /dev/shm/cdlb_secrets/signing_key_pass.txt
+
+      - name: 🔧 Starting CISS.debian.live.builder. This may take about an hour ...
         run: |
           set -euo pipefail
-          mkdir -p /opt/config
-          mkdir -p /opt/livebuild
-          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
-          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
-          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
-          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
-
-      - name: 🔧 Render live hook with secrets.
-        shell: bash
-        working-directory: ${{ github.workspace }}
-        env:
-          ED25519_PRIV:        ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
-          ED25519_PUB:         ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
-          RSA_PRIV:            ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
-          RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
-          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
-          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
-        run: |
-          set -Ceuo pipefail
-          umask 077
-
-          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
-
-          TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
-          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
-          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
-          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
-
-          if [[ ! -f "${TPL}" ]]; then
-            echo "Template not found: ${TPL}"
-            echo "::group::Tree of config/hooks/live"
-            ls -la "${REPO_ROOT}/config/hooks/live" || true
-            echo "::endgroup::"
-            exit 2
-          fi
-
-          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
-          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
-          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
-          export RSA_PUB="${RSA_PUB//$'\r'/}"
-          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
-          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
-
-          (
-          cat << EOF >| "${ID_OUT}"
-          ${CISS_PRIMORDIAL}
-          EOF
-          ) && chmod 0600 "${ID_OUT}"
-          if [[ -f "${ID_OUT}" ]]; then
-            echo "Written: ${ID_OUT}"
-          else
-            echo "Error: ${ID_OUT} not written."
-          fi
-
-          (
-          cat << EOF >| "${ID_OUT_PUB}"
-          ${CISS_PRIMORDIAL_PUB}
-          EOF
-          ) && chmod 0600 "${ID_OUT_PUB}"
-          if [[ -f "${ID_OUT_PUB}" ]]; then
-            echo "Written: ${ID_OUT_PUB}"
-          else
-            echo "Error: ${ID_OUT_PUB} not written."
-          fi
-
-          perl -0777 -pe '
-            BEGIN{
-              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
-              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
-            }
-            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
-            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
-            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
-            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
-          ' "${TPL}" > "${OUT}"
-
-          chmod 0755 "${OUT}"
-          echo "Hook rendered: ${OUT}"
-
-      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
-        shell: bash
-        working-directory: ${{ github.workspace }}
-        run: |
-          set -euo pipefail
-          chmod 0755 ciss_live_builder.sh
+          chmod 0700 ciss_live_builder.sh
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
+          chmod 0400 /dev/shm/cdlb_secrets/*
           ./ciss_live_builder.sh \
-            --autobuild=6.16.3+deb13-amd64 \
             --architecture amd64 \
-            --build-directory /opt/livebuild \
+            --autobuild=6.17.8+deb13-amd64 \
+            --build-directory /opt/cdlb \
             --cdi \
+            --change-splash hexagon \
             --control "${timestamp}" \
-            --debug \
             --dhcp-centurion \
             --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
+            --key_age=keys.txt \
+            --key_luks=luks.txt \
             --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
-            --root-password-file /opt/config/password.txt \
+            --root-password-file /dev/shm/cdlb_secrets/password.txt \
+            --signing_ca=signing_ca.asc \
+            --signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
+            --signing_key_pass=signing_key_pass.txt \
+            --signing_key=signing_key.asc \
             --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
-            --ssh-pubkey /opt/config \
+            --ssh-pubkey /dev/shm/cdlb_secrets \
             --sshfp \
             --trixie
 
-          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
-          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
-          rm -f "$OUT"
-          echo "Hook removed: $OUT"
-
       - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
-        shell: bash
         env:
           NC_BASE: "https://cloud.e2ee.li"
           SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
@@ -254,83 +241,106 @@ jobs:
           SHARE_SUBDIR=""
 
           echo "📥 Get directory listing via PROPFIND ..."
-          curl -s \
-          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
-          -X PROPFIND \
-          -H "Depth: 1" \
-          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+
+          curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
           -o propfind_public.xml
 
           echo "📥 Filter .iso files from the PROPFIND response ..."
+
           grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
 
           if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+
             echo "💡 Old ISO files found and deleted :"
+
             while IFS= read -r href; do
+
               FILE_URL="${NC_BASE}${href}"
               echo "  Delete: ${FILE_URL}"
-              if curl -s \
-                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
-                  -X DELETE "${FILE_URL}"; then
+
+              if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
+
                 echo "    ✅ Successfully deleted: $(basename "${href}")"
+
               else
+
                 echo "    ❌ Error: $(basename "${href}") could not be deleted"
+
               fi
+
             done < public_iso_list.txt
+
           else
+
             echo "💡 No old ISO files found to delete."
+
           fi
 
-      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
-        shell: bash
+      - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
         env:
           NC_BASE: "https://cloud.e2ee.li"
           SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
           SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
         run: |
           set -euo pipefail
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
+          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
             echo "❌ There must be exactly one .iso file in the directory!"
             exit 1
+
           else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
             VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
             echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+
           fi
 
           AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+
           if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
           --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+
             echo "✅ New ISO successfully uploaded."
+
           else
+
             echo "❌ Uploading the new ISO failed."
             exit 1
+
           fi
 
       - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
-        shell: bash
         run: |
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
             echo "❌ There must be exactly one .iso file in the directory!"
             exit 1
+
           else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
             VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
             echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+
           fi
 
           VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
           touch "${VAR_ISO_FILE_SHA512}"
+
           sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+
           SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
           touch "${SIGNATURE_FILE}"
-          export GNUPGHOME="$(pwd)/.gnupg"
-          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
 
           timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
           VAR_DATE="$(date +%F)"
           PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
           touch "${PRIVATE_FILE}"
+
           cat << EOF >| "${PRIVATE_FILE}"
           # SPDX-Version: 3.0
           # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -338,7 +348,7 @@ jobs:
           # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
           # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
           # SPDX-FileType: SOURCE
-          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
           # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
           # SPDX-PackageName: CISS.debian.live.builder
           # SPDX-Security-Contact: security@coresecret.eu
@@ -356,7 +366,6 @@ jobs:
           EOF
 
       - name: 🚧 Stash local changes (including untracked).
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -365,12 +374,10 @@ jobs:
           git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
 
       - name: 🔄 Sync with remote before commit using merge strategy.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
           set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
 
           echo "🔄 Fetching origin/master ..."
           git fetch origin master
@@ -382,8 +389,7 @@ jobs:
           git status
           git log --oneline -n 5
 
-      - name: 🛠️ Restore stashed changes.
-        shell: bash
+      - name: 🔧 Restore stashed changes.
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -392,7 +398,6 @@ jobs:
           git stash pop || echo "✔️ Nothing to pop."
 
       - name: 📦 Stage generated files.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -401,16 +406,17 @@ jobs:
           git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
 
       - name: 🔑 Commit and sign changes with CI metadata.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
           set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
 
           if git diff --cached --quiet; then
+
             echo "✔️ No staged changes to commit."
+
           else
+
             echo "📝 Committing changes with GPG signature ..."
 
             ### CI Metadata
@@ -418,7 +424,7 @@ jobs:
             HOSTNAME="$(hostname -f || hostname)"
             GIT_SHA="$(git rev-parse --short HEAD)"
             GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_0.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
             COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
@@ -434,10 +440,10 @@ jobs:
             echo "🔏 Commit message :"
             echo "${COMMIT_MSG}"
             git commit -S -m "${COMMIT_MSG}"
+
           fi
 
       - name: 🔁 Push back to repository.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |

.gitea/workflows/generate_PRIVATE_trixie_1.yaml

@@ -4,19 +4,15 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.768.2025.12.06
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 
-defaults:
-  run:
-    shell: bash
-
 permissions:
   contents: write
 
@@ -35,213 +31,205 @@ jobs:
     container:
       image: debian:trixie
 
-    steps:
-      - name: 🛠️ Basic Image Setup.
+    defaults:
+      run:
         shell: bash
+        working-directory: ${{ github.workspace }}
+
+    steps:
+      - name: 🕑 Waiting random time to desynchronize parallel workflows.
         run: |
+          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
+      - name: 🔧 Basic Image Setup.
+        run: |
+          set -euo pipefail
+          umask 0022
+
+          echo "APT_LISTCHANGES_FRONTEND=none"  >> "${GITHUB_ENV}"
+          echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}"
+          echo "LC_ALL=C.UTF-8"                 >> "${GITHUB_ENV}"
+          echo "TZ=UTC"                         >> "${GITHUB_ENV}"
+          echo "VAR_CDLB_INSIDE_RUNNER=true"    >> "${GITHUB_ENV}"
+
+          export APT_LISTCHANGES_FRONTEND=none
           export DEBIAN_FRONTEND=noninteractive
-          apt-get update
+
+          apt-get update -qq
           apt-get upgrade -y
           apt-get install -y --no-install-recommends \
             apt-utils \
             bash \
+            bat \
             ca-certificates \
+            cryptsetup \
             curl \
+            debootstrap \
             git \
+            gnupg-utils \
             gnupg \
+            gpg-agent \
+            gpgv \
+            live-build \
+            lsb-release \
             openssh-client \
             openssl \
             perl \
+            pinentry-curses \
+            pinentry-tty \
             sudo \
-            util-linux
+            util-linux \
+            whois
 
       - name: ⚙️ Check GnuPG Version.
-        shell: bash
         run: |
           gpg --version
 
       - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
-        shell: bash
         run: |
+          set +x
           set -euo pipefail
-          var_wait=$(( RANDOM % 33 ))
-          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
-          sleep "${var_wait}"
+          umask 0077
 
           rm -rf ~/.ssh && mkdir -m700 ~/.ssh
 
           ### Private Key
           echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
 
           ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
           ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
 
           ### Generate SSH Config for git.coresecret.dev Custom-Port
           cat <<EOF >| ~/.ssh/config
           Host git.coresecret.dev
+            BatchMode yes
+            ConnectTimeout 5
+            ControlMaster auto
+            ControlPath ~/.ssh/cm-%r@%h:%p
+            ControlPersist 5m
             HostName git.coresecret.dev
-            Port 42842
             IdentityFile ~/.ssh/id_ed25519
+            Port 42842
+            ServerAliveCountMax 3
+            ServerAliveInterval 10
             StrictHostKeyChecking yes
+            User git
             UserKnownHostsFile ~/.ssh/known_hosts
           EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
 
       ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
-        shell: bash
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
         env:
           ### GITHUB_REF_NAME contains the branch name from the push event.
           GITHUB_REF_NAME: ${{ github.ref_name }}
         run: |
+          set -euo pipefail
           git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
-          git fetch --unshallow || echo "Nothing to fetch - already full clone."
 
-      - name: 🛠️ Cleaning the workspace.
-        shell: bash
+      - name: ⚙️ Init GNUPGHOME.
         run: |
-          git reset --hard
-          git clean -fd
+          set +x
+          set -euo pipefail
+          umask 0077
+          GNUPGHOME="${PWD}/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}"
+          # shellcheck disable=SC2174
+          mkdir -p -m 0700 "${GNUPGHOME}"
+          echo "GNUPGHOME=${GNUPGHOME}"                 >> "${GITHUB_ENV}"
+          echo 'allow-loopback-pinentry'                >| "${GNUPGHOME}/gpg-agent.conf"
+          echo 'pinentry-program /usr/bin/pinentry-tty' >> "${GNUPGHOME}/gpg-agent.conf"
+          gpgconf --reload gpg-agent || true
 
       - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
+        env:
+          PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
         run: |
+          set +x
           set -euo pipefail
-          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
-          mkdir -m 700 "${GNUPGHOME}"
-          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
-          gpg --batch --import centurion-root.PUB.asc
-          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
-          gpg --batch --import ci-bot.sec.asc
-          ### Trust the key automatically
-          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
-          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+          umask 0077
+          printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
+          unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
 
       - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
-        shell: bash
         run: |
+          set +x
           set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
           git config user.name "Marc S. Weidner BOT"
           git config user.email "msw+bot@coresecret.dev"
+          git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }}
           git config commit.gpgsign true
           git config gpg.program gpg
           git config gpg.format openpgp
+          git config --get user.signingkey
 
       - name: ⚙️ Preparing the build environment.
-        shell: bash
+        run: |
+          set +x
+          set -euo pipefail
+          umask 0077
+          mkdir -p /dev/shm/cdlb_secrets
+
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_ca.asc
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
+
+          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}"               >| /dev/shm/cdlb_secrets/password.txt
+          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}"        >| /dev/shm/cdlb_secrets/authorized_keys
+          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}"     >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key
+          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
+          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}"         >| /dev/shm/cdlb_secrets/ssh_host_rsa_key
+          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}"     >| /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
+          echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}"           >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
+          echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
+          echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /dev/shm/cdlb_secrets/keys.txt
+          echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /dev/shm/cdlb_secrets/luks.txt
+          echo "${{ secrets.PGP_CISS_CA_PUBLIC_KEY }}"            >| /dev/shm/cdlb_secrets/signing_ca.asc
+          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}"       >| /dev/shm/cdlb_secrets/signing_key.asc
+          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}"  >| /dev/shm/cdlb_secrets/signing_key_pass.txt
+
+      - name: 🔧 Starting CISS.debian.live.builder. This may take about an hour ...
         run: |
           set -euo pipefail
-          mkdir -p /opt/config
-          mkdir -p /opt/livebuild
-          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
-          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
-          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt
-          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys
-
-      - name: 🔧 Render live hook with secrets.
-        shell: bash
-        working-directory: ${{ github.workspace }}
-        env:
-          ED25519_PRIV:        ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
-          ED25519_PUB:         ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
-          RSA_PRIV:            ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
-          RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
-          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
-          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
-        run: |
-          set -Ceuo pipefail
-          umask 077
-
-          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
-
-          TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
-          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
-          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
-          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
-
-          if [[ ! -f "${TPL}" ]]; then
-            echo "Template not found: ${TPL}"
-            echo "::group::Tree of config/hooks/live"
-            ls -la "${REPO_ROOT}/config/hooks/live" || true
-            echo "::endgroup::"
-            exit 2
-          fi
-
-          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
-          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
-          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
-          export RSA_PUB="${RSA_PUB//$'\r'/}"
-          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
-          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
-
-          (
-          cat << EOF >| "${ID_OUT}"
-          ${CISS_PRIMORDIAL}
-          EOF
-          ) && chmod 0600 "${ID_OUT}"
-          if [[ -f "${ID_OUT}" ]]; then
-            echo "Written: ${ID_OUT}"
-          else
-            echo "Error: ${ID_OUT} not written."
-          fi
-
-          (
-          cat << EOF >| "${ID_OUT_PUB}"
-          ${CISS_PRIMORDIAL_PUB}
-          EOF
-          ) && chmod 0600 "${ID_OUT_PUB}"
-          if [[ -f "${ID_OUT_PUB}" ]]; then
-            echo "Written: ${ID_OUT_PUB}"
-          else
-            echo "Error: ${ID_OUT_PUB} not written."
-          fi
-
-          perl -0777 -pe '
-            BEGIN{
-              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
-              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
-            }
-            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
-            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
-            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
-            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
-          ' "${TPL}" > "${OUT}"
-
-          chmod 0755 "${OUT}"
-          echo "Hook rendered: ${OUT}"
-
-      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
-        shell: bash
-        working-directory: ${{ github.workspace }}
-        run: |
-          set -euo pipefail
-          chmod 0755 ciss_live_builder.sh
+          chmod 0700 ciss_live_builder.sh
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
+          chmod 0400 /dev/shm/cdlb_secrets/*
           ./ciss_live_builder.sh \
-            --autobuild=6.16.3+deb13-amd64 \
             --architecture amd64 \
-            --build-directory /opt/livebuild \
+            --autobuild=6.17.8+deb13-amd64 \
+            --build-directory /opt/cdlb \
             --cdi \
+            --change-splash hexagon \
             --control "${timestamp}" \
             --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
-            --root-password-file /opt/config/password.txt \
+            --key_age=keys.txt \
+            --key_luks=luks.txt \
+            --root-password-file /dev/shm/cdlb_secrets/password.txt \
+            --signing_ca=signing_ca.asc \
+            --signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
+            --signing_key_pass=signing_key_pass.txt \
+            --signing_key=signing_key.asc \
             --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
-            --ssh-pubkey /opt/config \
+            --ssh-pubkey /dev/shm/cdlb_secrets \
             --sshfp \
             --trixie
 
-          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
-          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
-          rm -f "$OUT"
-          echo "Hook removed: $OUT"
-
       - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
-        shell: bash
         env:
           NC_BASE: "https://cloud.e2ee.li"
           SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
@@ -251,83 +239,106 @@ jobs:
           SHARE_SUBDIR=""
 
           echo "📥 Get directory listing via PROPFIND ..."
-          curl -s \
-          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
-          -X PROPFIND \
-          -H "Depth: 1" \
-          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+
+          curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
           -o propfind_public.xml
 
           echo "📥 Filter .iso files from the PROPFIND response ..."
+
           grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
 
           if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+
             echo "💡 Old ISO files found and deleted :"
+
             while IFS= read -r href; do
+
               FILE_URL="${NC_BASE}${href}"
               echo "  Delete: ${FILE_URL}"
-              if curl -s \
-                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
-                  -X DELETE "${FILE_URL}"; then
+
+              if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
+
                 echo "    ✅ Successfully deleted: $(basename "${href}")"
+
               else
+
                 echo "    ❌ Error: $(basename "${href}") could not be deleted"
+
               fi
+
             done < public_iso_list.txt
+
           else
+
             echo "💡 No old ISO files found to delete."
+
           fi
 
-      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
-        shell: bash
+      - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
         env:
           NC_BASE: "https://cloud.e2ee.li"
           SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
           SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
         run: |
           set -euo pipefail
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
+          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
             echo "❌ There must be exactly one .iso file in the directory!"
             exit 1
+
           else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
             VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
             echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+
           fi
 
           AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+
           if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
           --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+
             echo "✅ New ISO successfully uploaded."
+
           else
+
             echo "❌ Uploading the new ISO failed."
             exit 1
+
           fi
 
       - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
-        shell: bash
         run: |
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
             echo "❌ There must be exactly one .iso file in the directory!"
             exit 1
+
           else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
             VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
             echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+
           fi
 
           VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
           touch "${VAR_ISO_FILE_SHA512}"
+
           sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+
           SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
           touch "${SIGNATURE_FILE}"
-          export GNUPGHOME="$(pwd)/.gnupg"
-          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
 
           timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
           VAR_DATE="$(date +%F)"
           PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
           touch "${PRIVATE_FILE}"
+
           cat << EOF >| "${PRIVATE_FILE}"
           # SPDX-Version: 3.0
           # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -335,7 +346,7 @@ jobs:
           # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
           # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
           # SPDX-FileType: SOURCE
-          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
           # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
           # SPDX-PackageName: CISS.debian.live.builder
           # SPDX-Security-Contact: security@coresecret.eu
@@ -353,7 +364,6 @@ jobs:
           EOF
 
       - name: 🚧 Stash local changes (including untracked).
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -362,12 +372,10 @@ jobs:
           git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
 
       - name: 🔄 Sync with remote before commit using merge strategy.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
           set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
 
           echo "🔄 Fetching origin/master ..."
           git fetch origin master
@@ -379,8 +387,7 @@ jobs:
           git status
           git log --oneline -n 5
 
-      - name: 🛠️ Restore stashed changes.
-        shell: bash
+      - name: 🔧 Restore stashed changes.
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -389,7 +396,6 @@ jobs:
           git stash pop || echo "✔️ Nothing to pop."
 
       - name: 📦 Stage generated files.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -398,16 +404,17 @@ jobs:
           git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
 
       - name: 🔑 Commit and sign changes with CI metadata.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
           set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
 
           if git diff --cached --quiet; then
+
             echo "✔️ No staged changes to commit."
+
           else
+
             echo "📝 Committing changes with GPG signature ..."
 
             ### CI Metadata
@@ -415,7 +422,7 @@ jobs:
             HOSTNAME="$(hostname -f || hostname)"
             GIT_SHA="$(git rev-parse --short HEAD)"
             GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_1.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
             COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
@@ -431,10 +438,10 @@ jobs:
             echo "🔏 Commit message :"
             echo "${COMMIT_MSG}"
             git commit -S -m "${COMMIT_MSG}"
+
           fi
 
       - name: 🔁 Push back to repository.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |

.gitea/workflows/generate_PUBLIC_iso.yaml

@@ -1,22 +1,18 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.768.2025.12.06
 
 name: 💙 Generating a PUBLIC Live ISO.
 
-defaults:
-  run:
-    shell: bash
-
 permissions:
   contents: write
 
@@ -35,135 +31,173 @@ jobs:
     container:
       image: debian:trixie
 
-    steps:
-      - name: 🛠️ Basic Image Setup.
+    defaults:
+      run:
         shell: bash
+        working-directory: ${{ github.workspace }}
+
+    steps:
+      - name: 🕑 Waiting random time to desynchronize parallel workflows.
         run: |
+          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
+      - name: 🔧 Basic Image Setup.
+        run: |
+          set -euo pipefail
+          umask 0022
+
+          echo "APT_LISTCHANGES_FRONTEND=none"  >> "${GITHUB_ENV}"
+          echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}"
+          echo "LC_ALL=C.UTF-8"                 >> "${GITHUB_ENV}"
+          echo "TZ=UTC"                         >> "${GITHUB_ENV}"
+          echo "VAR_CDLB_INSIDE_RUNNER=true"    >> "${GITHUB_ENV}"
+
+          export APT_LISTCHANGES_FRONTEND=none
           export DEBIAN_FRONTEND=noninteractive
-          apt-get update
+
+          apt-get update -qq
           apt-get upgrade -y
           apt-get install -y --no-install-recommends \
             apt-utils \
             bash \
+            bat \
             ca-certificates \
+            cryptsetup \
             curl \
+            debootstrap \
             git \
+            gnupg-utils \
             gnupg \
+            gpg-agent \
+            gpgv \
+            live-build \
+            lsb-release \
             openssh-client \
             openssl \
             perl \
+            pinentry-curses \
+            pinentry-tty \
             sudo \
-            util-linux
+            util-linux \
+            whois
 
       - name: ⚙️ Check GnuPG Version.
-        shell: bash
         run: |
           gpg --version
 
       - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
-        shell: bash
         run: |
+          set +x
           set -euo pipefail
-          var_wait=$(( RANDOM % 33 ))
-          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
-          sleep "${var_wait}"
+          umask 0077
 
           rm -rf ~/.ssh && mkdir -m700 ~/.ssh
 
           ### Private Key
           echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
 
           ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
           ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
 
           ### Generate SSH Config for git.coresecret.dev Custom-Port
           cat <<EOF >| ~/.ssh/config
           Host git.coresecret.dev
+            BatchMode yes
+            ConnectTimeout 5
+            ControlMaster auto
+            ControlPath ~/.ssh/cm-%r@%h:%p
+            ControlPersist 5m
             HostName git.coresecret.dev
-            Port 42842
             IdentityFile ~/.ssh/id_ed25519
+            Port 42842
+            ServerAliveCountMax 3
+            ServerAliveInterval 10
             StrictHostKeyChecking yes
+            User git
             UserKnownHostsFile ~/.ssh/known_hosts
           EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
 
       ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
-        shell: bash
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
         env:
           ### GITHUB_REF_NAME contains the branch name from the push event.
           GITHUB_REF_NAME: ${{ github.ref_name }}
         run: |
+          set -euo pipefail
           git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
-          git fetch --unshallow || echo "Nothing to fetch - already full clone."
 
-      - name: 🛠️ Cleaning the workspace.
-        shell: bash
+      - name: ⚙️ Init GNUPGHOME.
         run: |
-          git reset --hard
-          git clean -fd
+          set +x
+          set -euo pipefail
+          umask 0077
+          GNUPGHOME="${PWD}/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}"
+          # shellcheck disable=SC2174
+          mkdir -p -m 0700 "${GNUPGHOME}"
+          echo "GNUPGHOME=${GNUPGHOME}"                 >> "${GITHUB_ENV}"
+          echo 'allow-loopback-pinentry'                >| "${GNUPGHOME}/gpg-agent.conf"
+          echo 'pinentry-program /usr/bin/pinentry-tty' >> "${GNUPGHOME}/gpg-agent.conf"
+          gpgconf --reload gpg-agent || true
 
       - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
+        env:
+          PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
         run: |
+          set +x
           set -euo pipefail
-          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
-          mkdir -m 700 "${GNUPGHOME}"
-          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
-          gpg --batch --import centurion-root.PUB.asc
-          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
-          gpg --batch --import ci-bot.sec.asc
-          ### Trust the key automatically
-          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
-          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+          umask 0077
+          printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
+          unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
 
       - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
-        shell: bash
         run: |
+          set +x
           set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
           git config user.name "Marc S. Weidner BOT"
           git config user.email "msw+bot@coresecret.dev"
+          git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }}
           git config commit.gpgsign true
           git config gpg.program gpg
           git config gpg.format openpgp
+          git config --get user.signingkey
 
       - name: ⚙️ Preparing the build environment.
-        shell: bash
         run: |
+          set +x
           set -euo pipefail
-          mkdir -p /opt/config
-          mkdir -p /opt/livebuild
-          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
-          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
-          echo 'Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH' >| /opt/config/password.txt
-          echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY' >| /opt/config/authorized_keys
+          umask 0077
+          mkdir -p /dev/shm/cdlb_secrets
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys
+          echo 'Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH' >| /dev/shm/cdlb_secrets/password.txt
+          echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY' >| /dev/shm/cdlb_secrets/authorized_keys
 
-      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
-        shell: bash
+
+      - name: 🔧 Starting CISS.debian.live.builder. This may take about an hour ...
         run: |
           set -euo pipefail
-          sed -i '/^hardening_ssh.*/d' ciss_live_builder.sh
-          chmod 0755 ciss_live_builder.sh
+          chmod 0700 ciss_live_builder.sh
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
+          chmod 0400 /dev/shm/cdlb_secrets/*
           ./ciss_live_builder.sh \
-            --autobuild=6.16.3+deb13-amd64 \
             --architecture amd64 \
-            --build-directory /opt/livebuild \
-            --cdi \
+            --autobuild=6.17.8+deb13-amd64 \
+            --build-directory /opt/cdlb \
+            --change-splash hexagon \
             --control "${timestamp}" \
-            --debug \
-            --root-password-file /opt/config/password.txt \
+            --root-password-file /dev/shm/cdlb_secrets/password.txt \
             --ssh-port 42137 \
-            --ssh-pubkey /opt/config \
+            --ssh-pubkey /dev/shm/cdlb_secrets \
             --trixie
 
       - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
-        shell: bash
         env:
           NC_BASE: "https://cloud.e2ee.li"
           SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
@@ -173,83 +207,106 @@ jobs:
           SHARE_SUBDIR=""
 
           echo "📥 Get directory listing via PROPFIND ..."
-          curl -s \
-          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
-          -X PROPFIND \
-          -H "Depth: 1" \
-          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+
+          curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
           -o propfind_public.xml
 
           echo "📥 Filter .iso files from the PROPFIND response ..."
+
           grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
 
           if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+
             echo "💡 Old ISO files found and deleted :"
+
             while IFS= read -r href; do
+
               FILE_URL="${NC_BASE}${href}"
               echo "  Delete: ${FILE_URL}"
-              if curl -s \
-                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
-                  -X DELETE "${FILE_URL}"; then
+
+              if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
+
                 echo "    ✅ Successfully deleted: $(basename "${href}")"
+
               else
+
                 echo "    ❌ Error: $(basename "${href}") could not be deleted"
+
               fi
+
             done < public_iso_list.txt
+
           else
+
             echo "💡 No old ISO files found to delete."
+
           fi
 
-      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
-        shell: bash
+      - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
         env:
           NC_BASE: "https://cloud.e2ee.li"
           SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
           SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
         run: |
           set -euo pipefail
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
+          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
             echo "❌ There must be exactly one .iso file in the directory!"
             exit 1
+
           else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
             VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
             echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+
           fi
 
           AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+
           if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
           --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+
             echo "✅ New ISO successfully uploaded."
+
           else
+
             echo "❌ Uploading the new ISO failed."
             exit 1
+
           fi
 
       - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
-        shell: bash
         run: |
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
             echo "❌ There must be exactly one .iso file in the directory!"
             exit 1
+
           else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
             VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
             echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+
           fi
 
           VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
           touch "${VAR_ISO_FILE_SHA512}"
+
           sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+
           SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
           touch "${SIGNATURE_FILE}"
-          export GNUPGHOME="$(pwd)/.gnupg"
-          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
 
           timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
           VAR_DATE="$(date +%F)"
           PRIVATE_FILE="LIVE_ISO.public"
           touch "${PRIVATE_FILE}"
+
           cat << EOF >| "${PRIVATE_FILE}"
           # SPDX-Version: 3.0
           # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -257,7 +314,7 @@ jobs:
           # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
           # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
           # SPDX-FileType: SOURCE
-          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
           # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
           # SPDX-PackageName: CISS.debian.live.builder
           # SPDX-Security-Contact: security@coresecret.eu
@@ -275,7 +332,6 @@ jobs:
           EOF
 
       - name: 🚧 Stash local changes (including untracked).
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -284,12 +340,10 @@ jobs:
           git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
 
       - name: 🔄 Sync with remote before commit using merge strategy.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
           set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
 
           echo "🔄 Fetching origin/master ..."
           git fetch origin master
@@ -301,8 +355,7 @@ jobs:
           git status
           git log --oneline -n 5
 
-      - name: 🛠️ Restore stashed changes.
-        shell: bash
+      - name: 🔧 Restore stashed changes.
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -311,7 +364,6 @@ jobs:
           git stash pop || echo "✔️ Nothing to pop."
 
       - name: 📦 Stage generated files.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -320,16 +372,17 @@ jobs:
           git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
 
       - name: 🔑 Commit and sign changes with CI metadata.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
           set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
 
           if git diff --cached --quiet; then
+
             echo "✔️ No staged changes to commit."
+
           else
+
             echo "📝 Committing changes with GPG signature ..."
 
             ### CI Metadata
@@ -337,7 +390,7 @@ jobs:
             HOSTNAME="$(hostname -f || hostname)"
             GIT_SHA="$(git rev-parse --short HEAD)"
             GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PUBLIC_iso.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
             COMMIT_MSG="DEPLOY BOT   : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
@@ -353,10 +406,10 @@ jobs:
             echo "🔏 Commit message :"
             echo "${COMMIT_MSG}"
             git commit -S -m "${COMMIT_MSG}"
+
           fi
 
       - name: 🔁 Push back to repository.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |

.gitea/workflows/linter_char_scripts.yaml

@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.768.2025.12.06
 
 # Gitea Workflow: Shell-Script Linting
 #
@@ -36,61 +36,67 @@ jobs:
     name: 🛡️ Shell Script Linting
     runs-on: ubuntu-latest
 
-    steps:
-      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+    defaults:
+      run:
         shell: bash
+        working-directory: ${{ github.workspace }}
+
+    steps:
+      - name: 🕑 Waiting random time to desynchronize parallel workflows.
         run: |
           set -euo pipefail
           var_wait=$(( RANDOM % 33 ))
-          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
           sleep "${var_wait}"
 
-          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        run: |
+          set +x
+          set -euo pipefail
+          rm -rf ~/.ssh && mkdir -m0700 ~/.ssh
 
           ### Private Key
           echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
 
           ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
           ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
 
           ### Generate SSH Config for git.coresecret.dev Custom-Port
           cat <<EOF >| ~/.ssh/config
           Host git.coresecret.dev
+            BatchMode yes
+            ConnectTimeout 5
+            ControlMaster auto
+            ControlPath ~/.ssh/cm-%r@%h:%p
+            ControlPersist 5m
             HostName git.coresecret.dev
-            Port 42842
             IdentityFile ~/.ssh/id_ed25519
+            Port 42842
+            ServerAliveCountMax 3
+            ServerAliveInterval 10
             StrictHostKeyChecking yes
+            User git
             UserKnownHostsFile ~/.ssh/known_hosts
           EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
 
       ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
-        shell: bash
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
         env:
           ### GITHUB_REF_NAME contains the branch name from the push event.
           GITHUB_REF_NAME: ${{ github.ref_name }}
         run: |
           set -euo pipefail
           git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
-          git fetch --unshallow || echo "Nothing to fetch - already full clone."
-
-      - name: 🛠️ Cleaning the workspace.
-        shell: bash
-        run: |
-          set -euo pipefail
-          git reset --hard
-          git clean -fd
 
       - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
         run: |
           set -euo pipefail
           ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
-          mkdir -m 700 "${GNUPGHOME}"
+          export GNUPGHOME="$(PWD)/.gnupg"
+          mkdir -m 0700 "${GNUPGHOME}"
           echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
           gpg --batch --import ci-bot.sec.asc
           ### Trust the key automatically
@@ -98,10 +104,9 @@ jobs:
           echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
 
       - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
-        shell: bash
         run: |
           set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
           git config user.name "Marc S. Weidner BOT"
           git config user.email "msw+bot@coresecret.dev"
           git config commit.gpgsign true
@@ -109,22 +114,19 @@ jobs:
           git config gpg.format openpgp
 
       - name: ⚙️ Convert APT sources to HTTPS.
-        shell: bash
         run: |
           set -euo pipefail
           sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
           sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
 
-      - name: 🛠️ Install dependencies.
-        shell: bash
+      - name: 🔧 Install dependencies.
         run: |
           ### Install grep with Perl-regex support, falls noch nicht vorhanden
-          apt-get update
+          apt-get update  -qq
           apt-get upgrade -y
           apt-get install -y grep
 
       - name: 🔍 Lint shell scripts
-        shell: bash
         run: |
           # -------------------------------
           # STEP 1: Find target files.
@@ -216,7 +218,7 @@ jobs:
           # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
           # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
           # SPDX-FileType: SOURCE
-          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
           # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
           # SPDX-PackageName: CISS.debian.live.builder
           # SPDX-Security-Contact: security@coresecret.eu
@@ -240,7 +242,7 @@ jobs:
           # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
           # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
           # SPDX-FileType: SOURCE
-          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
           # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
           # SPDX-PackageName: CISS.debian.live.builder
           # SPDX-Security-Contact: security@coresecret.eu
@@ -254,7 +256,6 @@ jobs:
           fi
 
       - name: 🚧 Stash local changes (including untracked).
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -263,12 +264,11 @@ jobs:
           git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
 
       - name: 🔄 Sync with remote before commit using merge strategy.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
           set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
 
           echo "🔄 Fetching origin/master ..."
           git fetch origin master
@@ -280,8 +280,7 @@ jobs:
           git status
           git log --oneline -n 5
 
-      - name: 🛠️ Restore stashed changes.
-        shell: bash
+      - name: 🔧 Restore stashed changes.
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -290,7 +289,6 @@ jobs:
           git stash pop || echo "✔️ Nothing to pop."
 
       - name: 📦 Stage generated files.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -299,12 +297,11 @@ jobs:
           git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
 
       - name: 🔑 Commit and sign changes with CI metadata.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
           set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
 
           if git diff --cached --quiet; then
             echo "✔️ No staged changes to commit."
@@ -316,7 +313,7 @@ jobs:
             HOSTNAME="$(hostname -f || hostname)"
             GIT_SHA="$(git rev-parse --short HEAD)"
             GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-linter_char_scripts.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
             COMMIT_MSG="DEPLOY BOT   : 🛡️ Shell Script Linting [skip ci]
@@ -335,7 +332,6 @@ jobs:
           fi
 
       - name: 🔁 Push back to repository.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |

.gitea/workflows/render-dnssec-status.yaml

@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.768.2025.12.06
 
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 
@@ -28,61 +28,67 @@ jobs:
     name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
     runs-on: ubuntu-latest
 
-    steps:
-      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+    defaults:
+      run:
         shell: bash
+        working-directory: ${{ github.workspace }}
+
+    steps:
+      - name: 🕑 Waiting random time to desynchronize parallel workflows.
         run: |
           set -euo pipefail
           var_wait=$(( RANDOM % 33 ))
-          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
           sleep "${var_wait}"
 
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        run: |
+          set +x
+          set -euo pipefail
           rm -rf ~/.ssh && mkdir -m700 ~/.ssh
 
           ### Private Key
           echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
 
           ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
           ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
 
           ### Generate SSH Config for git.coresecret.dev Custom-Port
           cat <<EOF >| ~/.ssh/config
           Host git.coresecret.dev
+            BatchMode yes
+            ConnectTimeout 5
+            ControlMaster auto
+            ControlPath ~/.ssh/cm-%r@%h:%p
+            ControlPersist 5m
             HostName git.coresecret.dev
-            Port 42842
             IdentityFile ~/.ssh/id_ed25519
+            Port 42842
+            ServerAliveCountMax 3
+            ServerAliveInterval 10
             StrictHostKeyChecking yes
+            User git
             UserKnownHostsFile ~/.ssh/known_hosts
           EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
 
       ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
-        shell: bash
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
         env:
           ### GITHUB_REF_NAME contains the branch name from the push event.
           GITHUB_REF_NAME: ${{ github.ref_name }}
         run: |
           set -euo pipefail
           git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
-          git fetch --unshallow || echo "Nothing to fetch - already full clone."
-
-      - name: 🛠️ Cleaning the workspace.
-        shell: bash
-        run: |
-          set -euo pipefail
-          git reset --hard
-          git clean -fd
 
       - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
         run: |
           set -euo pipefail
           ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
-          mkdir -m 700 "${GNUPGHOME}"
+          export GNUPGHOME="$(PWD)/.gnupg"
+          mkdir -m 0700 "${GNUPGHOME}"
           echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
           gpg --batch --import ci-bot.sec.asc
           ### Trust the key automatically
@@ -90,10 +96,9 @@ jobs:
           echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
 
       - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
-        shell: bash
         run: |
           set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
           git config user.name "Marc S. Weidner BOT"
           git config user.email "msw+bot@coresecret.dev"
           git config commit.gpgsign true
@@ -101,38 +106,32 @@ jobs:
           git config gpg.format openpgp
 
       - name: ⚙️ Convert APT sources to HTTPS.
-        shell: bash
         run: |
           set -euo pipefail
           sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
           sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
 
-      - name: 🛠️ Install DNSViz.
-        shell: bash
+      - name: 🔧 Install DNSViz.
         run: |
           sudo apt-get update
           sudo apt-get install -y dnsviz
 
       - name: ⚙️ Ensure docs/SECURITY/ directory exists.
-        shell: bash
         run: |
           mkdir -p docs/SECURITY/
           rm -f docs/SECURITY/coresecret.dev.png
 
-      - name: 🛠️ Prepare DNS Cache.
-        shell: bash
+      - name: 🔧 Prepare DNS Cache.
         run: |
           sudo apt-get install -y dnsutils
           dig +dnssec +multi coresecret.dev @8.8.8.8
 
-      - name: 🛠️ Retrieve Zone Dump and generate .png Visualization.
-        shell: bash
+      - name: 🔧 Retrieve Zone Dump and generate .png Visualization.
         run: |
           dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json
           dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png
 
       - name: 🚧 Stash local changes (including untracked).
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -141,12 +140,11 @@ jobs:
           git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
 
       - name: 🔄 Sync with remote before commit using merge strategy.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
           set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
 
           echo "🔄 Fetching origin/master ..."
           git fetch origin master
@@ -158,8 +156,7 @@ jobs:
           git status
           git log --oneline -n 5
 
-      - name: 🛠️ Restore stashed changes.
-        shell: bash
+      - name: 🔧 Restore stashed changes.
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -168,7 +165,6 @@ jobs:
           git stash pop || echo "✔️ Nothing to pop."
 
       - name: 📦 Stage generated files.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -176,12 +172,11 @@ jobs:
           git add docs/SECURITY/*.png || echo "✔️ Nothing to add."
 
       - name: 🔑 Commit and sign changes with CI metadata.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
           set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
 
           if git diff --cached --quiet; then
             echo "✔️ No staged changes to commit."
@@ -193,7 +188,7 @@ jobs:
             HOSTNAME="$(hostname -f || hostname)"
             GIT_SHA="$(git rev-parse --short HEAD)"
             GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dnssec-status.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
             COMMIT_MSG="DEPLOY BOT   : 🛡️ Auto-Generate DNSSEC Status [skip ci]

.gitea/workflows/render-dot-to-png.yaml

@@ -4,12 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.768.2025.12.06
 
 name: 🔁 Render Graphviz Diagrams.
 
@@ -29,61 +29,67 @@ jobs:
     name: 🔁 Render Graphviz Diagrams.
     runs-on: ubuntu-latest
 
-    steps:
-      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+    defaults:
+      run:
         shell: bash
+        working-directory: ${{ github.workspace }}
+
+    steps:
+      - name: 🕑 Waiting random time to desynchronize parallel workflows.
         run: |
           set -euo pipefail
           var_wait=$(( RANDOM % 33 ))
-          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
           sleep "${var_wait}"
 
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        run: |
+          set +x
+          set -euo pipefail
           rm -rf ~/.ssh && mkdir -m700 ~/.ssh
 
           ### Private Key
           echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
 
           ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
           ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
 
           ### Generate SSH Config for git.coresecret.dev Custom-Port
           cat <<EOF >| ~/.ssh/config
           Host git.coresecret.dev
+            BatchMode yes
+            ConnectTimeout 5
+            ControlMaster auto
+            ControlPath ~/.ssh/cm-%r@%h:%p
+            ControlPersist 5m
             HostName git.coresecret.dev
-            Port 42842
             IdentityFile ~/.ssh/id_ed25519
+            Port 42842
+            ServerAliveCountMax 3
+            ServerAliveInterval 10
             StrictHostKeyChecking yes
+            User git
             UserKnownHostsFile ~/.ssh/known_hosts
           EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config
 
       ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
-        shell: bash
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
         env:
           ### GITHUB_REF_NAME contains the branch name from the push event.
           GITHUB_REF_NAME: ${{ github.ref_name }}
         run: |
           set -euo pipefail
           git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
-          git fetch --unshallow || echo "Nothing to fetch - already full clone."
-
-      - name: 🛠️ Cleaning the workspace.
-        shell: bash
-        run: |
-          set -euo pipefail
-          git reset --hard
-          git clean -fd
 
       - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
         run: |
           set -euo pipefail
           ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
-          mkdir -m 700 "${GNUPGHOME}"
+          export GNUPGHOME="$(PWD)/.gnupg"
+          mkdir -m 0700 "${GNUPGHOME}"
           echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
           gpg --batch --import ci-bot.sec.asc
           ### Trust the key automatically
@@ -91,10 +97,9 @@ jobs:
           echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
 
       - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
-        shell: bash
         run: |
           set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
           git config user.name "Marc S. Weidner BOT"
           git config user.email "msw+bot@coresecret.dev"
           git config commit.gpgsign true
@@ -102,21 +107,18 @@ jobs:
           git config gpg.format openpgp
 
       - name: ⚙️ Convert APT sources to HTTPS.
-        shell: bash
         run: |
           set -euo pipefail
           sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
           sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true
 
-      - name: 🛠️ Install Graphviz.
-        shell: bash
+      - name: 🔧 Install Graphviz.
         run: |
           set -euo pipefail
           sudo apt-get update
           sudo apt-get install -y graphviz
 
-      - name: 🛠️ Render all .dot / .gv to PNG.
-        shell: bash
+      - name: 🔧 Render all .dot / .gv to PNG.
         run: |
           set -euo pipefail
           find . -type f \( -name "*.dot" -o -name "*.gv" \) | while read file; do
@@ -125,7 +127,6 @@ jobs:
           done
 
       - name: 🚧 Stash local changes (including untracked).
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -134,12 +135,11 @@ jobs:
           git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
 
       - name: 🔄 Sync with remote before commit using merge strategy.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
           set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
 
           echo "🔄 Fetching origin/master ..."
           git fetch origin master
@@ -151,8 +151,7 @@ jobs:
           git status
           git log --oneline -n 5
 
-      - name: 🛠️ Restore stashed changes.
-        shell: bash
+      - name: 🔧 Restore stashed changes.
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -161,7 +160,6 @@ jobs:
           git stash pop || echo "✔️ Nothing to pop."
 
       - name: 📦 Stage generated files.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
@@ -169,12 +167,11 @@ jobs:
           git add *.png || echo "✔️ Nothing to add."
 
       - name: 🔑 Commit and sign changes with CI metadata.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
           set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
 
           if git diff --cached --quiet; then
             echo "✔️ No staged changes to commit."
@@ -186,7 +183,7 @@ jobs:
             HOSTNAME="$(hostname -f || hostname)"
             GIT_SHA="$(git rev-parse --short HEAD)"
             GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dot-to-png.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
             COMMIT_MSG="DEPLOY BOT   : 🔁 Auto-Generate PNG from *.dot. [skip ci]
@@ -205,7 +202,6 @@ jobs:
           fi
 
       - name: 🔁 Push back to repository.
-        shell: bash
         env:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |

.gitignore

@@ -4,13 +4,12 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 .checklist/
 .idea/
-build/
 out/
 target/
 *.DS_Store

.pubkey/dropbear-key-2015.asc

@@ -0,0 +1,41 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFWRP60BEACmOtUkYtbGNcmXdSKJ7caplzIbjuRWgSDR860hEosRDQqwORCL
+50xAEnPxgEiryONJUgOF0NRkBGJS9BsvfO3hH0LL4YSRTi0Wv7hJHTtqyzwa9qAH
+clyzNoq25dgy3D8OS6Bx1SgKFm8UTxTiCRTD0l1pRJx9efVEcAGkLgiconmyFZpJ
+oJ5XX8786bKucx791aA/26atNIzzsSo/295YAMi3QjIL5Mh5qtprSJkFRKcMx/Ay
+KaVzFlM8A/Kqea1cFiqwCJ9UNUdfvBa6K9HvTr6mPhznvH/ORt4m0sDigEoJAqLp
+KWNmjw7yITAK72nBDi/qQEhudUk22m9cVNV/mdNFoRkl9gDkgFvlcM6JksqOxkGp
+SAOJGdOU4V82e8FDSEK9C/pY+leeWeG5h/CLtw1v+Sdhk0PPRr17VKKOLCw2FGx1
+fcRYNdsuoMN4K8fgLoCzzKbyMC+y6sENEgEHSSPQDQ75XzM2Bo1UpfcHWpjqEllu
+8slhPWagckf07n0eOAARPIARlae+Wo8cYBScoZ30P5iOmYRWsxQ0HGwcLieyhuiS
+rb/NBex/tnR5ykvJNLW59P1Q5y7dpp/fLO6DpufAf+uoIfLOChnw3S5fvSL8ftxd
+GyWS79cMUkhcnFID2qfnaykxNsunuD9pEgfo9XhDk0iKZoCEKehRTau1rQARAQAB
+tC5Ecm9wYmVhciBTU0ggUmVsZWFzZSBTaWduaW5nIDxtYXR0QHVjYy5hc24uYXU+
+iQI3BBMBCgAhBQJVkT+tAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEEST
+FJTynGdzHgQP/1bVxV0KqXxEJpRSiu3aOEDu2WHIJahizZ94AClgPB0r14pEgT4T
+eCOdxinubENH+u1/ShlBVykTGyukmonhd10v8NGWAUldhkPi3jaHcxHSfENWXmu/
++KBpcHQ0j2/PlO+RxpNkGUWTjTu9WKFiFeIX60QLCMDJpOvPe49yb650xMpjTROM
+5yOGdTkmAw4SZCkHmd7zgmzSHxXnNzXLvT9bYsJXVZwXB7Jqw4bwOHGpqB3kXsQ2
+LR2pMitM8YV3Gmjtvy+mpBqvdQ5fsxISFTC5wAUT9f6jsHfFLUv6OuNLrhZghioT
+fjPj58nfD1/4j7ka9mSyZV0PEhW5f5GYvt3WEeJJyZyhkjAkzjtZTi5sTs+QtRm0
+APCspF/y1afErS5adjTjuzSkyVx9VMBowqiYo6AGu7byajNf0rFPtTgDBC3j4Mae
++vL5k1KvXuX1Hr1zZiM1OVMt4EOmY7mERmHXwVv1bOK/uUwQkCXKCFpP/v7a5VHL
+qpwCF65mBTW/G1ZKglUQT0JeyVJqqQHVKbNzgMSpDM7ra80/KFOg6zb9iNbjxRrH
+NfXeAGbmSWwbpFBNT3kbJWUqjqLkoD2R7rNN5SnzdPEGk/aCGuYZlLFE8k5/mJ3V
+K3X1t11fgu9lqYFpv7CenwXrbVCgxDkoic84+HezqXyQnoAp9n8xJI6diQIcBBAB
+CgAGBQJVkT+/AAoJEPSYMBLCC7qsbiQP/1qKpOo73GPvISknRpPYVWX0z7yMRUAB
+7gA9SYF7n0jOHwDAFKjYQdpIxff3xPbLaB9bRQFq6m67o1Ly5bwxXGPclsJQP/r3
+GQ8it7Dzs4JSi1Yk4Fg+Po4tHWSpW53uRKtryiaYEoQ9LYQd8fS3JDWFtkXYUVAM
+xKmKINr4UKExlYBpQS2AWve4Ou3xM9dxiDX4pH3azD8Qb24rC5vbkG8Sq+2+/QIV
+i/JxbSQHaJ+kaukHRufHWqgg4xOBE8gfS82RHqNxES1CeWcejNxhsXQP9cfUxsvZ
+2Lchm3leOZ/2ztVQ4O8aJOKN+ng8pqOjKuJDamQmN0L/1N3lfN+gg5Ccluyoj89f
+gxDuINJDeY7aulFcGfIIsa0AuDWyAly1Lcwz/Sle2WOA7xcg8FcdhqV9158a+BzB
+cSMvHRs0W0Xwsso3GyUfDomqWuOfERvQXRgwKR0SFYDeHAlB3dhKHt/KjDn0nqEo
+CFtg4ZjA0hh1KMgu5ceticwuEQOkPX5H3ZpqH99LBekHjgdp5m87FG2bWVVkYGIm
+BBoFNnCBVMXonmyZlFstZNDcvb4cYYY+gN6yDFqX1HkqV1RDSHMO7KEmVwPOg/LK
+lKpH//tEulZUqN0h8ldoNKEMRa1OOGl8nNygJFldoPzoY/3ZAbIJy8KwZeWUjkzv
+WieMGaws051uiEYEEBEKAAYFAlWRRVgACgkQjPn4sExkf7wC9wCgh2nBBbfhkvE4
+Xj3d7uSYCr1oLEEAnjJ+RpVfu3Gpye5Q+0X8EFiMLlXZ
+=kT6a
+-----END PGP PUBLIC KEY BLOCK-----

.pubkey/marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc

@@ -0,0 +1,21 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mEkFaQzeVBYAAAA/AytlcQHGPz+Tku/rFh5KSbHE465pYWjWOWSl26vKCk5HNMX6
+y2MGyUUbm5tVYHymp3EYbRBS8dJ+qKCKrzyAtDJNYXJjIFMuIFdlaWRuZXIgREVQ
+TE9ZIDxtc3crZGVwbG95QGNvcmVzZWNyZXQuZGV2PojNBRMWCABNIiEFmAiaRyzP
+RgHNUdfHCV02U1KW6hS43pIZhyPE3GBuj3YFAmkM3lQCGwMFCQfPlNwFCwkIBwIC
+IgIGFQoJCAsCBBYCAwECHgcCF4AAAA+GAcduwdOub1yMWc0o5e1qdkI/8Pv9jqYF
+P46Ko2UU24Q3AaYC5oBFyD4sKf4ojosYovs4fzrZCXqbH4ABxi0kmYEUZT11L+Ex
+AfiwNvJBCzlcvLzdK7A+ZBDgdaV5pybSN4/ZnUKkUSzZV/6odcVM2LtqkbAHAIjU
+BRAWCABUIiEFb9PDFk6t5GIBJKfozM13iXXLB7VAp8veRtbuNEidacIFAmkM3vEF
+gwfP84AkFIAAAAAADQAOcmVtQGdudXBnLm9yZ0NlbnR1cmlvbixDSUNBAACKBAHI
+5t3aZSnSERrnAZ3rwxItsTB9KeTVdtRnpxyZ7leBf4987ECcfwDDozkDGFo2cJwg
+eKPRloMif1eAAcjOdUXeunlNBTlPlyOBk0ukWT5SgVeZUl5bsNRgJWu7MoNiT9vQ
+M7gJjlyYcVoMZ47G7TA9Z+goJwC4TAVpDN5UEgAAAEIDK2VvAcCPfkOJzBvvplco
+PXb8jg4AsJXU10wHSucHMdR2R26+IJTCAYU6d3O47wTBr6QFc5HRgDZcf6FngQMB
+CgmIsgUYFggAMiIhBZgImkcsz0YBzVHXxwldNlNSluoUuN6SGYcjxNxgbo92BQJp
+DN5UAhsMBQkHz5TcAABuDQHI5Zp2rsRwc0WR0WaaQOIFh7KdL7x3dHljJ5u2m6Zc
+pzmlnZGuCTe0BmVzECJhq7Yqi+ajENbWOc+AAcUbToifr1VvbgZgUDtA+f2IlHRM
+ovaAOH5ED+DHy6OjEmBG43ZIPQbsbD4td5VIZoi+f6npZrhXNQA=
+=Q67G
+-----END PGP PUBLIC KEY BLOCK-----

.shellcheckrc

@@ -1,14 +1,17 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
+# SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+# https://github.com/koalaman/shellcheck/wiki/directive
+# https://github.com/koalaman/shellcheck/wiki/Optional
+
 encoding=utf-8
 external-sources=true
 shell=bash
@@ -16,6 +19,8 @@ source-path=~/lib
 source-path=~/scripts
 source-path=~/var
 
+enable=add-default-case
+enable=avoid-negated-conditions
 enable=avoid-nullary-conditions
 enable=check-extra-masked-returns
 enable=check-set-e-suppressed
@@ -24,5 +29,6 @@ enable=deprecate-which
 enable=quote-safe-variables
 enable=require-double-brackets
 enable=require-variable-braces
+enable=useless-use-of-cat
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

.version.properties

@@ -4,16 +4,16 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 properties_SPDX-Version="3.0"
 properties_SPDX-ExternalRef="GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git"
 properties_SPDX-FileCopyrightText="2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>"
-properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
+properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.142.2025.10.14"
+properties_version="V8.13.768.2025.12.06"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

CISS.debian.live.builder.spdx

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.142.2025.10.14
+PackageVersion: Master V8.13.768.2025.12.06
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

LICENSE

@@ -1,256 +1,100 @@
-# SPDX-License-Identifier: EUPL-1.2
+SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 
-EUPL-1.2
+Centurion Licensing Overview
+============================
 
-EUROPEAN UNION PUBLIC LICENCE v. 1.2
-EUPL © the European Union 2007, 2016
+This repository uses a dual-licensing model combining a non-commercial "source-available" license with a separate commercial
+subscription license.
 
-This European Union Public Licence (the 'EUPL') applies to the Work (as defined below) which is provided under the
-terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such
-a use is covered by a right of the copyright holder of the Work).
+1. Default License: Centurion Non-Commercial License 1.1 (CNCL-1.1)
+---------------------------------------------------------------
 
-The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following
-notice immediately following the copyright notice for the Work:
+Unless explicitly stated otherwise in an individual file or directory, all original content in this repository is licensed under the
 
-                          Licensed under the EUPL
+    Centurion Non-Commercial License 1.1 (CNCL-1.1)
+    SPDX-Identifier: LicenseRef-CNCL-1.1
 
-or has expressed by any other means his willingness to license under the EUPL.
+Under CNCL-1.1 you may:
 
-1.Definitions
+  - use, study and modify the Software for non-commercial purposes;
+  - share the Software and your modifications for non-commercial purposes;
+  - NOT use the Software for any Commercial Use (as defined in CNCL-1.1).
 
-In this Licence, the following terms have the following meaning:
+Any Commercial Use of the Software (in whole or in part) is NOT permitted under CNCL-1.1 and requires a separate commercial
+license agreement with the Licensor (see section 2 below).
 
-— 'The Licence':this Licence.
+The full text of CNCL-1.1 is provided in:
 
-— 'The Original Work':the work or software distributed or communicated by the Licensor under this Licence, available
-as Source Code and also as Executable Code as the case may be.
+    ./docs/LICENSES/CNCL-1.1.txt
 
-— 'Derivative Works':the works or software that could be created by the Licensee, based upon the Original Work or
-modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work
-required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in
-the country mentioned in Article 15.
 
-— 'The Work':the Original Work or its Derivative Works.
+2. Commercial Use: Centurion Commercial License Agreement 1.1 (CCLA-1.1)
+---------------------------------------------------------------------
 
-— 'The Source Code':the human-readable form of the Work, which is the most convenient for people to study and
-modify.
+For any Commercial Use (including but not limited to use in paid services, SaaS offerings, commercial products, or internal use
+that contributes to revenue generation or cost reduction), a valid commercial subscription license is required.
 
-— 'The Executable Code':any code, which has generally been compiled and, which is meant to be interpreted by
-a computer as a program.
+Commercial rights are governed exclusively by the:
 
-— 'The Licensor':the natural or legal person that distributes or communicates the Work under the Licence.
+    Centurion Commercial License Agreement 1.1 (CCLA-1.1)
+    SPDX-Identifier: LicenseRef-CCLA-1.1
 
-— 'Contributor(s)':any natural or legal person who modifies the Work under the Licence, or otherwise contributes to
-the creation of a Derivative Work.
+The CCLA-1.1 grants time-limited, non-transferable rights to use the Software for commercial purposes, subject to subscription
+fees, support terms and the liability limitations described therein.
 
-— 'The Licensee' or 'You':any natural or legal person who makes any usage of the Work under the terms of the
-Licence.
+The full text of CCLA-1.1 is provided in:
 
-— 'Distribution' or 'Communication':any act of selling, giving, lending, renting, distributing, communicating,
-transmitting, or otherwise making available, online, or offline, copies of the Work or providing access to its essential
-functionalities at the disposal of any other natural or legal person.
+    ./docs/LICENSES/CCLA-1.1.txt
 
-2.Scope of the rights granted by the Licence
+If you are unsure whether your intended use case qualifies as Commercial Use, you must assume that it does and contact the
+Licensor at:
 
-The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for
-the duration of copyright vested in the Original Work:
+    legal@coresecret.eu
 
-— use the Work in any circumstances and for all usage,
 
-— reproduce the Work,
+3. Open-Source Components and Third-Party Code
+-------------------------------------------
 
-— modify the Work and make Derivative Works based upon the Work,
+This repository may contain or depend on third-party components that are licensed under separate open-source licenses, including
+but not limited to:
 
-— communicate to the public, including the right to make available or display the Work or copies thereof to the public
-and perform publicly, as the case may be, the Work,
+  - EUPL-1.2 (European Union Public Licence)
+  - other FOSS licenses as stated in the respective files or directories.
 
-— distribute the Work or copies thereof,
+Such components are clearly marked, typically via SPDX-License-Identifier headers and / or dedicated license files. For those
+components, the respective third-party license terms apply and take precedence over CNCL-1.1 and CCLA-1.1 with respect to that
+code.
 
-— lend and rent the Work or copies thereof,
+Where code from other projects is incorporated, the original copyright notices and license texts are preserved, and their terms
+remain in force for those portions.
 
-— sublicense rights in the Work or copies thereof.
 
-Those rights can be exercised on any media, supports, and formats, whether now known or later invented, as far as the
-applicable law permits so.
+4. SPDX Usage and Per-File Licensing
+------------------------------------
 
-In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed
-by law in order to make effective the licence of the economic rights here above listed.
+Each source file SHOULD contain an SPDX-License-Identifier line indicating the applicable license for that file, for example:
 
-The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the
-extent necessary to make use of the rights granted on the Work under this Licence.
+  - For non-commercial Centurion code:
+        SPDX-License-Identifier: LicenseRef-CNCL-1.1
 
-3.Communication of the Source Code
+  - For commercial-only Centurion deliverables (if applicable in private branches):
+        SPDX-License-Identifier: LicenseRef-CCLA-1.1
 
-The Licensor may provide the Work either in its Source Code form or as Executable Code. If the Work is provided as
-Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with
-each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to
-the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to
-distribute or communicate the Work.
+  - For EUPL-licensed parts:
+        SPDX-License-Identifier: EUPL-1.2
 
-4.Limitations on copyright
+In case of any apparent conflict between this overview file and the SPDX-License-Identifier in a specific file, the
+SPDX-License-Identifier in that file SHALL prevail for that file.
 
-Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the
-exclusive rights of the rights owners in the Work, to the exhaustion of those rights or of other applicable limitations
-thereto.
 
-5.Obligations of the Licensee
+5. No Legal Advice; Governing Documents
+---------------------------------------
 
-The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those
-obligations are the following:
+This LICENSE file is an informational overview only. The legally binding terms governing your use of the Software are
+exclusively those set out in:
 
-Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to
-the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices, and a copy of the
-Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work
-to carry prominent notices stating that the Work has been modified and the date of modification.
+  - Centurion Non-Commercial License 1.1 (CNCL-1.1)
+  - Centurion Commercial License Agreement 1.1 (CCLA-1.1)
+  - and any applicable third-party licenses as referenced above.
 
-Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this
-Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless
-the Original Work is expressly distributed only under this version of the Licence — for example, by communicating
-'EUPL v. 1.2 only'. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the
-Work or Derivative Work that alter or restrict the terms of the Licence.
-
-Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both
-the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done
-under the terms of this Compatible Licence. For the sake of this clause, 'Compatible Licence' refers to the licences listed
-in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with
-his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail.
-
-The provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide
-a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available
-for as long as the Licensee continues to distribute or communicate the Work.
-Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names
-of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and
-reproducing the content of the copyright notice.
-
-6.Chain of Authorship
-
-The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or
-licensed to him/her and that he/she has the power and authority to grant the Licence.
-
-Each Contributor warrants that the copyright in the modifications he/she brings to the Work is owned by him/her or
-licensed to him/her and that he/she has the power and authority to grant the Licence.
-
-Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions
-to the Work, under the terms of this Licence.
-
-7.Disclaimer of Warranty
-
-The Work is a work in progress, which is continuously improved by numerous Contributors. It is not finished work
-and may therefore contain defects or 'bugs' inherent to this type of development.
-
-For the above reason, the Work is provided under the Licence on an 'as is' basis and without warranties of any kind
-concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or
-errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this
-Licence.
-
-This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work.
-
-8.Disclaimer of Liability
-
-Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be
-liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the
-Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss
-of data, or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However,
-the Licensor will be liable under statutory product liability laws as far as such laws apply to the Work.
-
-9.Additional agreements
-
-While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services
-consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole
-responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify,
-defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such a Contributor by
-the fact You have accepted any warranty or additional liability.
-
-10.Acceptance of the Licence
-
-The provisions of this Licence can be accepted by clicking on an icon 'I agree' placed under the bottom of a window
-displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of
-applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms
-and conditions.
-
-Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You
-by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution
-or Communication by You of the Work or copies thereof.
-
-11.Information to the public
-
-In case of any Distribution or Communication of the Work by means of electronic communication by You (for example,
-by offering to download the Work from a remote location) the distribution channel or media (for example, a website)
-must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence,
-and the way it may be accessible, concluded, stored, and reproduced by the Licensee.
-
-12.Termination of the Licence
-
-The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms
-of the Licence.
-
-Such a termination will not terminate the licences of any person who has received the Work from the Licensee under
-the Licence, provided such persons remain in full compliance with the Licence.
-
-13.Miscellaneous
-
-Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the
-Work.
-
-If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or
-enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid
-and enforceable.
-
-The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of
-the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence.
-New versions of the Licence will be published with a unique version number.
-
-All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take
-advantage of the linguistic version of their choice.
-
-14.Jurisdiction
-
-Without prejudice to specific agreement between parties,
-
-— any litigation resulting from the interpretation of this License, arising between the European Union institutions,
-bodies, offices, or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice
-of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union,
-
-— any litigation arising between other parties and resulting from the interpretation of this License will be subject to
-the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business.
-
-15.Applicable Law
-
-Without prejudice to specific agreement between parties,
-
-— this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat,
-resides, or has his registered office
-
-— this licence shall be governed by Belgian law if the Licensor has no seat, residence, or registered office inside
-a European Union Member State.
-
-
-                                                         Appendix
-
-'Compatible Licences' according to Article 5 EUPL are:
-
-— GNU General Public License (GPL) v. 2, v. 3
-
-— GNU Affero General Public License (AGPL) v. 3
-
-— Open Software License (OSL) v. 2.1, v. 3.0
-
-— Eclipse Public License (EPL) v. 1.0
-
-— CeCILL v. 2.0, v. 2.1
-
-— Mozilla Public Licence (MPL) v. 2
-
-— GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3
-
-— Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software
-
-— European Union Public Licence (EUPL) v. 1.1, v. 1.2
-
-— Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+).
-
-The European Commission may update this Appendix to later versions of the above licences without producing
-a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the
-covered Source Code from exclusive appropriation.
-
-All other changes or additions to this Appendix require the production of a new EUPL version.
+In the event of any conflict between this overview and the full license texts, the full license texts shall prevail.

LINTER_RESULTS.txt

@@ -1,16 +1,16 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-10-14T19:37:03Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T04:39:51Z"
 
-⚠️ The last linter check was NOT successful. ⚠️
+✅ The last linter check was successful. ✅
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO.public

@@ -1,27 +1,27 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-29; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-10-14T22:23:27Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-10-29T11:15:54Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_10_14T21_30_07Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_10_29T10_21_17Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  442037d11eb48f4adbd1a3da17cf36062ec6be816627c38fe814458840020f212c551b96d5e785c4372fa09fc11fd9529f34166530b1e1f5ce9335abadb5f771
+  c4694bb55c7571df893dace7469ca4f90693eb61922508e6e5795cb442c01f2e487d055f23c27f3d1226bdd30aa4f5522af07addfc16b6f7d3224394590bd591
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaO7NXwAKCRA85KY4hzOw
-IT3LAP4uP8glLMDEpUntKJQTiPqSYjGUyIFoKmsgALGPJcnnoQD/fcz4Mq12mF32
-jf4ETKQBqlxuQyLTPvPFhLsrBbDD0AI=
-=/UNR
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaQH3agAKCRA85KY4hzOw
+IbCaAP9Dqt8oESXBWNUgzCBDmBc/uZgDKJ/Ve/oIXsUGIfIqnwD/fovruI1dvGen
+4p02K+Dc5sf9sdU0IjMDrWVZAj8uBA0=
+=ieyd
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_TRIXIE_0.private

@@ -1,27 +1,27 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-10-14T20:32:28Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T03:44:29Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_10_14T19_36_59Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_12_06T02_53_28Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  57559f9b9c5e50dad6a5b2023d992c26b8f4d25dd0d45ffa5cfd479ee623287e2c2eead70016267b848c5910db5ba5c4e2dfeeb12cca6f59fe455dad886c51d9
+  2bf967b902455fe1f4d3ba1cb0b3c5983c6812181ae95b10ce837c0aaae084207bf15c22add2709c21c45f4262db2a2f787b2c93f3a1c507289c020e70314707
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaO6zXAAKCRA85KY4hzOw
-Idq2AQDRmgHRGnX1bn+cNV5JirecSke0IAwlAjEXOl4tFoQlewEA0s2R1A3OQjIq
-fAhdl2wltVNT5+jUg6EUj3FE3kVPaQo=
-=fmxg
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaTOmnQAKCRA85KY4hzOw
+IcItAQDvE6vEkbslGR5BLMVV+DKi2GDnIzIMVs7zROiPsKb3BgEA1Koqx7ccc+H2
+MmNv12w674dS2xmTZHOViYePe2KWLw0=
+=I8w2
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_TRIXIE_1.private

@@ -1,27 +1,27 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-10-14T21:28:34Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T04:35:36Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_10_14T20_33_51Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_12_06T03_45_41Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  4a47a1ed0986b67774047b2bfc6fdd53753fa8f301f8376b23ccde1f5187aeffbca7fce3194a3d7b61278630291a1d2d954a289da712c064326eb6b7020c228c
+  fe9481d92cf61554da92ff883a58d9aaa2ae5fe86d9c3dd634a1c3a79e1b6ca5e08693d4f9b0870077fc0bf2f840a3e678d9c9dc44f9b8dae5d474a6d39e16b2
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaO7AggAKCRA85KY4hzOw
-IWpdAP4xCxUP4V0lOBE1u7+wEOoEmXiRC10Va4Hf2UXjH1BSVwEAsz/cMaGt+rJT
-q0i+5EftPavvIst48aXQsp7QKjyNewM=
-=x3/T
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaTOymAAKCRA85KY4hzOw
+Ic1iAQDVxT891Nv+LHzQs3vL31/1wqeOjiGmZbEJR8XvBoRe4wEAjdmvUpEXyb1Y
+qhaFcxWDrRgiVKaitGkbNo2w6yICdgY=
+=TQPs
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

README.md

@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.142.2025.10.14-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.768.2025.12.06-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
@@ -11,8 +11,9 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh)  
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
  
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.6-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.25.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
+[![Static Badge](https://badges.coresecret.dev/badge/Runner-0.2.13-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/)  
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.4-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/)  
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de)  
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/)  
@@ -26,26 +27,67 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.768.2025.12.06<br>
 
-This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
-and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
-cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`. Additionally, automated CI workflows 
-based on Gitea Actions are provided, enabling reproducible ISO generation. A generic ISO is automatically built upon significant
+**CISS.debian.live.builder — First of its own.**<br>
+**World-class CIA: Designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
+
+Developed and maintained as a one-man, security-driven engineering effort since 2024, **CISS.debian.live.builder** is designed 
+to serve as a reference implementation for hardened, image-based Debian deployments.
+
+This shell wrapper automates the creation of a Debian Trixie live ISO hardened according to the latest best practices in server
+and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for cloud
+deployment or unattended installations via the forthcoming `CISS.debian.installer`. Additionally, automated CI workflows based
+on Gitea Actions are provided, enabling reproducible ISO generation. A generic ISO is automatically built upon significant
 changes and made publicly available for download. The latest generic ISO is available at:
 **[PUBLIC CISS.debian.live.ISO](/docs/DL_PUB_ISO.md)**
 
-Check out more:
-* [CenturionNet Services](https://coresecret.eu/cnet/) 
+Beyond a conventional live system, **CISS.debian.live.builder** assembles a **fully encrypted, integrity-protected live medium**
+in a single, deterministic build step: a LUKS2 container backed by `dm-integrity` hosting the SquashFS root filesystem, combined
+with a hardened initramfs chain including a dedicated Dropbear build pipeline for remote LUKS unlock. The resulting ISO ships 
+with a hardened kernel configuration, strict sysctl and network tuning, pre-configured SSH hardening and fail2ban, and a 
+customised `verify-checksums` path providing both ISO-edge verification and runtime attestation of the live root. All components
+are aligned with the `CISS.debian.installer` baseline, ensuring a unified cryptographic and security posture from first boot to 
+an installed system. For an overview of the entire build process, see:
+**[MAN_CISS_ISO_BOOT_CHAIN.md](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**
+
+When built with the ``--dhcp-centurion`` profile, the live system ships with a strict network and resolver policy: 
+``systemd-networkd`` and ``systemd-resolved`` are pre-configured to use ``DNS-over-TLS (DoT)`` exclusively against the 
+**CenturionDNS** resolver infrastructure; plain DNS is not used and connectivity failures are treated as hard errors. DNSSEC 
+validation is enforced in a fail-closed manner: zones with invalid or broken signatures result in ``SERVFAIL`` and are not 
+silently downgraded. Multicast name resolution via ``mDNS`` and ``LLMNR`` is disabled globally to avoid unintended name leakage
+and spoofing surfaces.
+
+Internally, the builder employs a dedicated secret-handling pipeline backed by a tmpfs-only secrets directory
+(`/dev/shm/cdlb_secrets`). Sensitive material such as root passwords, SSH keys, and signing keys never appears on the command
+line, is guarded by strict `0400 root:root` permissions, and any symlink inside the secret path is treated as a hard failure
+that aborts the run. Critical code paths temporarily disable Bash xtrace so that credentials never leak into debug logs, and
+transient secret files are shredded (`shred -fzu`) as soon as they are no longer needed. GNUPG homes used for signing are
+wiped, unencrypted chroot artifacts and includes are removed after `lb build`, and the final artifact is reduced to the
+encrypted SquashFS inside the LUKS2 container. At runtime, LUKS passphrases in the live ISO and installer are transported via
+named pipes inside the initramfs instead of process arguments, further minimizing exposure in process listings.
+
+Check out more leading world-class services powered by Centurion Intelligence Consulting Agency:
 * [CenturionDNS Resolver](https://eddns.eu/)
 * [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt) 
+* [CenturionMeet](https://talk.e2ee.li/)
+* [CenturionNet Services](https://coresecret.eu/cnet/)
 * [CenturionNet Status](https://uptime.coresecret.eu/) 
-* [CenturionMeet](https://talk.e2ee.li/) 
+
+**Contact the author:**
 * [Contact the author](https://coresecret.eu/contact/)
 
+**Legal Disclaimer:**
+* This project is not affiliated with, authorized, maintained, sponsored, or endorsed by the [Debian Project](https://www.debian.org/) 
+* [Licensing & Compliance](#6-licensing--compliance)
+* [Disclaimer](#7-disclaimer)
+* [Centurion Imprint & Legal Notice](https://coresecret.eu/imprint/)
+* [Centurion Privacy Policy](https://coresecret.eu/privacy/)
+
 ## 1.1. Preliminary Remarks
 
 ### 1.1.1. HSM
+
 Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. The next step is to 
 move to a room-gapped environment. ^^
 
@@ -57,57 +99,48 @@ add_header Expect-CT                 "max-age=86400, enforce"
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 ````
 
-* Additionally, the entire zone is dual-signed with **DNSSEC**. See the current **DNSSEC** status at: **[DNSSEC Audit Report](/docs/AUDIT_DNSSEC.md)**
-* A comprehensive TLS audit of the **`git.coresecret.dev`** Gitea server is also available. See: **[TLS Audit Report](/docs/AUDIT_TLS.md)**
-* The infrastructure of the **`CISS.debian.live.builder`** building system is visualized here. See: **[Centurion Net](/docs/CNET.md)**
+* The zones behind this project are dual-signed with **DNSSEC**. The current validation state is documented in the **[DNSSEC Audit Report](/docs/AUDIT_DNSSEC.md)**
+* The TLS surface of **``git.coresecret.dev``** is independently audited, and the findings are held in the **[TLS Audit Report](/docs/AUDIT_TLS.md)**
+* The topology of the underlying **`CISS.debian.live.builder`** building infrastructure is described in **[Centurion Net](/docs/CNET.md)**
 
 ### 1.1.3. Gitea Action Runner Hardening
 
-The CI runners operate on a dedicated host system located in a completely separate Autonomous System (AS). This host is solely 
-dedicated to providing CI runners and does not perform any other tasks. Each runner is hermetically isolated from others using 
-non-privileged, shell-less user accounts with no direct login capability. Additionally, each runner executes within its own 
-separate directory tree, employs `DynamicUser` features, and adheres to strict systemd hardening policies (achieving a ``systemd-analyze security`` 
-rating of **``2.6``**). Docker containers used by runners do not run in privileged mode. Security is further enhanced through the use 
-of both UFW software firewalls and dedicated hardware firewall appliances.
+The CI runners live on a host in a separate autonomous system, and that host has exactly one purpose: run Gitea Actions runners. 
+Each runner receives its own service account without a login shell, is bound to a separate directory tree, and inherits a 
+hardened systemd unit with ``DynamicUser``, reduced capabilities, and restrictive sandboxing. A ``systemd-analyze security`` score 
+of around **``2.6``** is the baseline, not an aspiration. Traffic from those runners traverses both a software firewall (UFW) 
+and dedicated hardware firewall appliances. Docker, where used, runs unprivileged.
 
 ## 1.2. Match Host and Target Versions
 
-Build, for example, a Debian Trixie live image only on a Debian Trixie host. The build toolchain and boot artifacts are 
-release-specific: ``live-build``, ``live-boot``, ``live-config``, ``debootstrap``, ``kernel/initramfs`` tools, ``mksquashfs``, 
-``GRUB/ISOLINUX``, and even ``dpkg/apt`` often change defaults and formats between releases (e.g., compression modes, SquashFS 
-options, hook ordering, systemd/udev behavior). Building on a different host release commonly yields non-reproducible or even 
-unbootable ISOs (missing modules/firmware, ABI mismatches, divergent paths). Keeping host and target on the same version ensures
-reproducible builds, matching dependencies, and compatible boot artifacts.
+I always build a Debian Trixie live image on a Debian Trixie host. The toolchain and all boot components that matter to 
+reproducibility are release-specific: ``live-build``, ``live-boot``, ``live-config``, ``debootstrap``, ``mksquashfs``, ``grub``, 
+the ``kernel``, ``initramfs`` tooling, and even ``dpkg`` and ``apt`` defaults evolve from one release to the next. Mixing 
+generations produces fragile or outright broken ISOs, sometimes subtly, sometimes catastrophically. Keeping host and target in 
+lockstep avoids those mismatches and gives me predictable artifacts across builds.
 
-## 1.3. Immutable Source-of-Truth System
+## 1.3. Immutable Source-of-Truth System and Encrypted Live Root
 
-This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static
-source-code definitions. All configurations, system components, and installation routines are embedded during build time and 
-locked for runtime immutability. This ensures that the live environment functions as a trusted **Source of Truth** — not only 
-for boot-time operations, but for deploying entire systems in a secure and reproducible way.<br>
+The live ISO acts as a sealed, immutable execution environment. All relevant configuration, all installation logic, and all 
+security decisions are rendered into the image at build time and treated as read-only at runtime. On top of that logical 
+ immutability, I now layer cryptographic protection of the live root file system itself. The live image contains a LUKS2 container
+file with dm-integrity that wraps the SquashFS payload. The initramfs knows how to locate this container, unlock it, verify its 
+integrity, and then present the decrypted SquashFS as the root component of an OverlayFS stack. The detailed boot and 
+verification chain is documented separately in **[CISS ISO Boot Chain](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**<br>
 
-Once booted, the environment optionally launches a fully scripted installer, via the forthcoming `CISS.debian.installer`,
-yet to deploy, that provisions the target system (the hardware the DVD is running on). The installer pulls no external 
-dependencies besides of the necessary Debian debootstrap and Debian Packages and never exposes the target system in a not 
-secure manner to the internet during installation. It operates strictly from within the verified image content, providing fully 
-secured provisioning. Combined with checksum verification, **activated by default**, at boot and strict firewall defaults, this 
-architecture guarantees that what is executed has not been tampered with and corresponds exactly to the intended source definition.<br>
+In compact form, my expectations for the system are:<br>
 
-An even more secure deployment variant — an unattended and headless version — can be built without any active network interface
-or shell-access, also via the forthcoming `CISS.debian.installer`. Such a version performs all verification steps autonomously, 
-provisions the target device from embedded source artifacts, and reboots into a fully encrypted system image. The system then 
-awaits the decryption passphrase input via an embedded Dropbear SSH server (SSH PubKey only) in the initramfs, exposing no ports
-without cryptographic hardened access, while also the `/boot` partition could be encrypted via the built-in support of 
-`grub2 (2.12-9)`.<br>
+* Every bit that matters for boot and provisioning is covered by checksums that I control and that are signed with keys under my solely authoritative HSM.
+* The live root runs out of a LUKS2 dm-integrity container so that a tampered or bit-rotted SquashFS never becomes a trusted root.
+* Verification steps are not advisory. Any anomaly causes a hard abort during boot.
+* After the live environment has reached a stable, verified state, it can hand off to ``CISS.debian.installer``. The installer operates from the same image, does not pull random payloads from the internet, and keeps the target system behind a hardened firewall until the entire provisioning process has completed.
+* For unattended, headless scenarios I also support builds where the target system is installed without ever exposing a shell over the console. After installation and reboot, the machine waits for a decryption passphrase via an embedded Dropbear SSH instance in the initramfs, limited to public key authentication and guarded by strict cryptographic policies. In such variants even ``/boot`` can be encrypted, with GRUB taking care of unlocking the boot partition.
 
-This approach provides a fully reproducible, audit-friendly, and tamper-resistant provisioning workflow rooted entirely in 
-source-defined infrastructure logic.<br>
+These combinations give me a provisioning chain that is auditable, reproducible, and robust against both casual and targeted tampering.<br>
 
-After build and configuration, the following audit reports can be generated:
+Once the system is up, I can trigger a set of audits from within the live environment:
 
-* **Haveged Audit Report**: Validates entropy daemon health and confirms `/dev/random` seeding performance.
-  Type `chkhvg` at the prompt. See example report: **[Haveged Audit Report](/docs/AUDIT_HAVEGED.md)**
-* **Lynis Audit Report**: Outputs a detailed security score and recommendations, confirming a 91%+ hardening baseline.
+* **Lynis Audit Report**: Outputs a detailed security score and recommendations, confirming a 93%+ hardening baseline.
   Type `lsadt` at the prompt. See example report: **[Lynis Audit Report](/docs/AUDIT_LYNIS.md)**
 * **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations.
   Type `ssh-audit <IP>:<PORT>`. See example report: **[SSH Audit Report](/docs/AUDIT_SSH.md)**
@@ -116,42 +149,33 @@ After build and configuration, the following audit reports can be generated:
 
 ![CISS.debian.live.builder](/docs/screenshots/CISS.debian.live.builder_preview.jpeg)
 
-## 1.5. Caution. Significant information for those considering using D-I.
-
+## 1.5. Caution. Debian Installer and Security Context
 **The Debian Installer (d-i) will ALWAYS boot a new system.**<br>
 
-Regardless of whether you start it:
-* via the boot menu of your Live ISO (grub, isolinux) like **CISS.debian.live.builder**,
-* via kexec in the running system,
-* via the debian-installer-launcher package,
-* or even via a graphical installer shortcut.
+The classical Debian Installer (d-i) always boots its own kernel and its own initramfs. That effect is independent of the way it
+is launched: 
 
-The following happens in all cases:
-* The installer kernel (/install/vmlinuz) + initrd.gz are started.
-* The existing live system is exited.
-* The memory is overwritten.
-* All running processes - e.g., firewall, hardened SSH access, etc. pp. - cease to exist.
+* from a GRUB entry on the live medium, 
+* from within a running live session via a graphical shortcut, 
+* through kexec, 
+* or via helper packages such as debian-installer-launcher.
 
-The Debian Installer loads:
-* its own kernel,
-* its own initramfs,
-* its own minimal root filesystem (BusyBox + udeb packages),
-* no SSH access (unless explicitly enabled via preseed)
-* no firewall, AppArmor, logging, etc. pp.,
-* it disables all running network services, even if you were previously in the live system.
+In all of these cases the running live system is discarded. The memory contents of the hardened live environment vanish, the 
+firewall disappears, the hardened SSH daemon is terminated, and the hardened kernel is replaced by the installer kernel. The 
+installer brings its own minimal root file system, usually BusyBox plus a limited set of udeb packages, and it does not 
+implement my firewall, my AppArmor profiles, my logging configuration, or my remote access policies, unless I explicitly 
+reintroduce those elements via preseed.
 
-This means function status of the **CISS.2025.debian.live.builder** ISO after d-i start:
-* ufw, iptables, nftables ✘ disabled, not loaded,
-* sshd with hardening ✘ stopped (processes gone),
-* the running kernel ✘ replaced,
-* Logging (rsyslog, journald) ✘ not active,
-* preseed control over the network is possible (but without any protection).
+In that phase the security properties are therefore those of d-i, not those of CISS.debian.live.builder. This is not a defect in
+Debian, it is a property of how any installer that boots its own kernel behaves. It is important to keep this distinction in 
+mind when deciding whether a workflow must stay inside the hardened live context or may trade that environment for the standard 
+installer toolchain.
 
 ## 1.6. Versioning Schema
 
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
 
-Example: `V8.13.142.2025.10.14`
+Example: `V8.13.768.2025.12.06`
 
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 
@@ -167,74 +191,76 @@ and only when, they appear in all capitals, as shown here.
 
 # 2. Features & Rationale
 
-Below is a breakdown of each hardening component, with a summary of why each is critical to your security posture.
+Below I walk through the major hardening components, with a focus on why I implemented them the way I did and how they interact.
+I treat this builder as a reference implementation for my own infrastructure; **it is not a toy**.
 
 ## 2.1. Kernel Hardening
 
-### 2.1.1. Boot Parameters
+### 2.1.1. Unified Hardened Boot Parameters
 
-* **Description**: Customizes kernel command-line flags to disable unused features and enable mitigations.
-* **Key Parameters**:
-  * `audit_backlog_limit=8192`: Ensures the audit subsystem can queue up to 8192 events to avoid dropped logs under heavy loads.
-  * `audit=1`: Enables kernel auditing from boot to record system calls and security events.
-  * `cfi=kcfi`: Activates kernel control-flow integrity using kCFI to protect against control-flow hijacking.
-  * `debugfs=off`: Disables debugfs to prevent non-privileged access to kernel internals.
-  * `efi=disable_early_pci_dma`: Stops early PCI DMA under EFI to mitigate DMA-based attacks during boot.
-  * `efi_no_storage_paranoia`: Disables extra EFI storage checks to streamline boot without compromising expected storage integrity.
-  * `hardened_usercopy=1`: Enables stringent checks on copy operations between user and kernel space to prevent buffer overflows.
-  * `ia32_emulation=0`: Turns off 32-bit compatibility modes to reduce attack surface on 64-bit hosts.
-  * `init_on_alloc=1`: Zeroes memory on allocation to prevent leakage of previous data.
-  * `init_on_free=1`: Initializes memory on free to catch use-after-free bugs.
-  * `iommu=force`: Enforces IOMMU for all devices to isolate DMA-capable hardware.
-  * `kfence.sample_interval=100`: Configures the kernel fence memory safety tool to sample every 100 allocations.
-  * `kvm.nx_huge_pages=force`: Enforces non-executable huge pages in KVM to mitigate code injection.
-  * `l1d_flush=on`: Flushes L1 data cache on context switch to mitigate L1D vulnerabilities.
-  * `lockdown=confidentiality`: Puts the kernel in confidentiality lockdown to restrict direct hardware access.
-  * `loglevel=0`: Suppresses non-critical kernel messages to reduce information leakage.
-  * `mce=0`: Disables machine check exceptions to prevent side-channel data leaks from hardware error reporting.
-  * `mitigations=auto,nosmt`: Enables all automatic CPU mitigations and disables SMT to reduce side-channel risks.
-  * `mmio_stale_data=full,nosmt`: Ensures stale MMIO data is fully flushed and disables SMT for added protection.
-  * `oops=panic`: Forces a kernel oops to trigger a panic, preventing the system from running in an inconsistent state.
-  * `page_alloc.shuffle=1`: Randomizes physical page allocation to hinder memory layout prediction attacks.
-  * `page_poison=1`: Fills freed pages with a poison pattern to detect use-after-free.
-  * `panic=-1`: Disables automatic reboot on panic to preserve the system state for forensic analysis.
-  * `pti=on`: Enables page table isolation to mitigate Meltdown attacks.
-  * `random.trust_bootloader=off`: Prevents trusting entropy provided by the bootloader.
-  * `random.trust_cpu=off`: Disables trusting CPU-provided randomness, enforcing external entropy sources.
-  * `randomize_kstack_offset=on`: Randomizes the kernel stack offset on each syscall entry to harden against stack probing.
-  * `randomize_va_space=2`: Enables full address space layout randomization (ASLR) for user space.
-  * `retbleed=auto,nosmt`: Enables automatic RETBLEED mitigations and disables SMT for better side-channel resistance.
-  * `rodata=on`: Marks kernel read-only data sections to prevent runtime modification.
-  * `tsx=off`: Disables Intel TSX extensions to eliminate related speculative execution vulnerabilities.
-  * `vdso32=0`: Disables 32-bit vDSO to prevent unintended cross-mode calls.
-  * `vsyscall=none`: Disables legacy vsyscall support to close a potential attack vector.
-* **Rationale**: Ensures early activation of protections, reducing exposure to CPU vulnerabilities before the system fully boots.
+Both the ``CISS.debian.live.builder`` LIVE ISO and the ``CISS.debian.installer`` rely on the same kernel command line. I consider
+a diverging kernel baseline between installer and live system operationally dangerous, because it leads to two distinct sets of 
+expectations about mitigations and attack surface. The boot parameters I apply are:
+
+````bash
+apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off \
+efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 \
+init_on_alloc=1 init_on_free=1 \
+iommu.passthrough=0 iommu.strict=1 iommu=force \
+kfence.sample_interval=100 kvm.nx_huge_pages=force \
+l1d_flush=on lockdown=integrity loglevel=0 \
+mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force \
+oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on \
+random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on \
+retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none
+````
+
+The parameters fall into several categories.
+
+* The AppArmor-related flags ``apparmor=1``, ``security=apparmor`` guarantee that AppArmor is not an afterthought but an integral part of the security architecture from the first instruction. I do not accept a boot sequence that comes up without LSM enforcement and then attempts to enable it later.
+* The audit subsystem is configured to be always on ``audit=1`` and to tolerate heavy bursts without dropping events ``audit_backlog_limit=262144``. I treat the audit trail as an evidentiary artifact; truncation because of backlog limits is not acceptable in that model.
+* The debug surface of the kernel is reduced aggressively. ``debugfs=off`` avoids a traditional footgun that exposes kernel internals in a way that is friendly to attackers and rarely necessary in production.
+* Memory is hardened on several levels at allocation time and at free time. ``init_on_alloc=1`` and ``init_on_free=1`` provide deterministic zeroing, ``page_poison=1`` fills freed pages with a poison pattern, and ``page_alloc.shuffle=1`` shuffles the allocator so that a process can no longer rely on stable physical patterns. Together these measures raise the cost of use-after-free exploitation and other memory corruption attacks.
+* The IOMMU is not optional. I force it on ``iommu=force``, disable passthrough ``iommu.passthrough=0`` and require strict behavior ``iommu.strict=``1. Any environment that contains devices capable of DMA must have a correctly configured IOMMU, otherwise the trust model for the CPU and for the memory hierarchy collapses as soon as a hostile device is introduced.
+* ``kfence.sample_interval=100`` activates KFENCE with a sampling interval that is still usable in production but sensitive enough to catch a meaningful subset of memory safety bugs under real workloads.
+* Virtualization-specific knobs include ``kvm.nx_huge_pages=force``, to keep huge pages non-executable, and ``l1d_flush=on`` so that context switches flush the L1 data cache where needed.
+* ``lockdown=integrity`` places the kernel into lockdown mode with an emphasis on integrity. In this project I consider the integrity of the system more critical than the ability to introspect a running kernel from userspace.
+* Speculative execution and microarchitectural issues are covered by ``mitigations=auto,nosmt``,`` mmio_stale_data=full,force``, and ``retbleed=auto,nosmt``. I combine the automatic mitigation set provided by the kernel with a forced Single Thread mode where it is required because simultaneous multithreading is simply not worth the residual risk profile in many server contexts.
+* ``nosmt=force`` acts as a guardrail here. It prevents a misconfiguration from quietly re-enabling SMT while the system operator assumes it is disabled.
+* Fault handling is configured through ``oops=panic`` and ``panic=0``. An oops triggers a panic so that I do not continue to run a kernel in an undefined state. At the same time I instruct the system not to reboot automatically on panic, to preserve the state for post-mortem analysis rather than cutting the ground away under a debugging session.
+* ``pti=on``, ``rodata=on``, and ``slab_nomerge`` are classical hardening parameters that I still consider essential. Page-table isolation, read-only data segments, and prohibiting slab merging collectively prevent a wide range of exploits, especially under pressure from speculative execution attacks.
+* To avoid brittle side assumptions, I remove legacy or obsolete interfaces: ``vdso32=0`` and ``vsyscall=none`` shut down the remaining vestiges of 32-bit vDSO and vsyscall support on 64-bit systems. ``ia32_emulation=0`` it again narrows the attack surface by disabling full 32-bit compatibility on 64-bit kernels.
+* Finally, I do not trust entropy claims either from the bootloader or the CPU itself. I opt out of both with ``random.trust_bootloader=off`` and ``random.trust_cpu=off`` and rely on my own entropy strategy described later.
+
+All of these parameters are applied in exactly the same way for the live ISO and for the installer environment. That is a 
+deliberate design decision.
 
 ### 2.1.2. CPU Vulnerability Mitigations
 
-* **Description**: Enables all known kernel-level mitigations (Spectre, Meltdown, MDS, L1TF, etc.).
-* **Rationale**: Prevents side-channel attacks that exploit speculative execution, which remain a high-risk vector in
-  multi-tenant cloud environments.
+I build the kernels with the relevant mitigations for Spectre, Meltdown, L1TF, MDS, TAA, Retbleed, and related families activated. 
+The ``mitigations=auto,nosmt`` flag ensures that new mitigations integrated into the mainline kernel become effective as they 
+are added, instead of requiring that I micromanage every single toggle. The residual performance cost is acceptable in the 
+context I am targeting; stale mitigations can be revisited, but missing mitigations will not be.
 
 ### 2.1.3. Kernel Self-Protection
 
-* **Description**: Activates `CONFIG_DEBUG_RODATA`, `CONFIG_STRICT_MODULE_RWX`, and other self-protections.
-* **Rationale**: Hardens kernel memory regions against unauthorized writings and enforces stricter module loading policies.
+I enable the standard set of self-protection options, such as strict module page permissions, read-only data enforcement, and 
+restrictions around kprobes and BPF. The builder is not a kernel configuration tool, but it carries the expectation that the 
+kernels it runs with are compiled according to this hardening profile. I treat deviations from that profile as unsupported.
 
 ### 2.1.4. Local Kernel Hardening
 
-* **Description**: The wrapper `sysp()`provides a function to apply and audit local kernel hardening rules from `/etc/sysctl.d/99_local.hardened`:
+The wrapper `sysp()`provides a function to apply and audit local kernel hardening rules from `/etc/sysctl.d/90-ciss-local.hardened`:
 ````bash
-###########################################################################################
-# Globals: Wrapper for loading CISS.2025 hardened Kernel Parameters
+#######################################
+# Wrapper for loading CISS hardened Kernel Parameters.
 # Arguments:
-#  none
-###########################################################################################
-# shellcheck disable=SC2317
+#   None
+#######################################
 sysp() {
-  sysctl -p /etc/sysctl.d/99_local.hardened
-  # sleep 1
-  sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
+  sysctl -p /etc/sysctl.d/90-ciss-local.hardened
+  # shellcheck disable=SC2312
+  sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
 }
 ````
 * **Key measures loaded by this file include:**
@@ -250,16 +276,36 @@ Once applied, some hardening settings cannot be undone via `sysctl` without a re
 until the next boot. Automatic enforcement at startup is therefore omitted by design—run `sysp()` manually and plan a reboot to 
 apply or revert these controls.
 
+In case you provide the ``--cdi`` option to the installer, the ``sysp()`` function is automatically applied at the boot process via:
+[9999_cdi_starter.sh](scripts/usr/local/sbin/9999_cdi_starter.sh).
+
+For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-ciss-local.hardened.md)**
+
 ## 2.2. Module Blacklisting
 
 * **Description**: Disables and blacklists non-essential or insecure kernel modules.
 * **Rationale**: Minimizes attack surface by preventing loads of drivers or modules not required by the live environment.
 
+For further details see: **[30-ciss-hardening.conf.md](docs/documentation/30-ciss-hardening.conf.md)**
+
 ## 2.3. Network Hardening
 
-* **Description**: Applies `sysctl` settings (e.g., `net.ipv4.conf.all.rp_filter=1`, `arp_ignore`, `arp_announce`) to restrict
-  inbound/outbound traffic behaviors.
-* **Rationale**: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man-in-the-middle on internal networks.
+At the kernel level classical ``sysctl`` settings are applied that defend against spoofing and sloppy network behavior. Reverse path 
+filtering is enabled, ARP handling is pinned down, and loose binding of addresses is discouraged. Where appropriate, IPv6 
+receives the same level of attention as IPv4. The network stack is switched firmly to ``systemd-networkd`` and ``systemd-resolved``. 
+The hook [0000_basic_chroot_setup.chroot](config/hooks/live/0000_basic_chroot_setup.chroot) removes ``ifupdown``, wires up 
+``systemd-networkd`` and ``systemd-resolved`` via explicit WantedBy symlinks, and ensures that the stub resolver at ``127.0.0.53``
+is the canonical ``resolv.conf`` target. The same hook writes dedicated configuration snippets:
+
+``/etc/systemd/resolved.conf.d/10-ciss-dnssec.conf`` enforces opportunistic ``DNS-over-TLS`` and full ``DNSSEC`` validation 
+while disabling ``LLMNR`` and ``MulticastDNS``.
+
+This converges the system on a single, hardened DNS resolution path and avoids the common situation where multiple name 
+resolution mechanisms step on each other. Where desired, this resolution chain can be plugged into **CenturionDNS**, a resolver
+infrastructure that I control and that enforces DNSSEC validation, QNAME minimisation, and a curated blocklist. For sensitive 
+deployments, this stack is used as the default.
+
+For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-ciss-local.hardened.md)**
 
 ## 2.4. Core Dump & Kernel Hardening
 
@@ -290,7 +336,7 @@ apply or revert these controls.
 * **Description**: The SSH tunnel and access are secured through multiple layers of defense:
   * **Firewall Restriction**: ufw allows connections only from defined jump host or VPN exit node IPs.
   * **TCP Wrappers**: `/etc/hosts.allow` and `/etc/hosts.deny` enforce an `ALL: ALL` deny policy, permitting only specified hosts.
-  * **One-Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/centurion-default.conf` immediately bans any host 
+  * **One-Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/ciss-default.conf` immediately bans any host 
     that touches closed ports. 
     * Additionally, the `fail2ban` service is hardened as well according to:
     [Arch Linux Wiki Fail2ban Hardening](https://wiki.archlinux.org/title/fail2ban#Service_hardening) 
@@ -423,9 +469,12 @@ predictable script behavior.
 
 # 4. Prerequisites
 
-* **Host**: Debian Trixie with `live-build` and ``debootstrap`` packages installed.
-* **Privileges**: Root or sudo access to execute `ciss_live_builder.sh` and related scripts.
-* **Network**: Outbound access to Debian repositories and PTB NTPsec pool.
+To use **``CISS.debian.live.builder``** as intended, the following baseline is expected:<br>
+
+* The build host runs Debian 13 Trixie, fully updated. Building a Trixie image on an older or newer release is technically possible but explicitly not supported.
+* The host has the standard live-build stack installed ``live-build``, ``live-boot``, ``live-config``, ``debootstrap`` and the cryptographic tooling required for ``LUKS2``, ``dm-integrity``, ``cryptsetup``, ``gpg``.
+* Disk space must be sufficient to hold the chroot, the temporary build artifacts, and the final ISO with encrypted root. For comfortable work I assume around 30–40 gigabytes of free space.
+* The user running the builder has root privileges and understands that the script is capable of creating, mounting, and manipulating block devices.
 
 # 5. Installation & Usage
 
@@ -439,9 +488,9 @@ predictable script behavior.
    
 2. Preparation:
    1. Ensure you are root.
-   2. Create the build directory `mkdir /opt/livebuild`.
-   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
-   4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
+   2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`.
+   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
+   4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
    5. Make any other changes you need to.
 
 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
@@ -449,21 +498,29 @@ predictable script behavior.
    ````bash
    chmod 0700 ./ciss_live_builder.sh
    timestamp=$(date -u +%Y-%m-%dT%H:%M:%S%z)
-   ./ciss_live_builder.sh --architecture amd64 \
-                          --build-directory /opt/livebuild \
-                          --change-splash hexagon \
-                          --control "${timestamp}" \
-                          --cdi \
-                          --debug \
-                          --dhcp-centurion \
-                          --jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \
-                          --provider-netcup-ipv6 [c0de:4711:0815:4242::ffff] \
-                          --renice-priority "-19" \
-                          --reionice-priority 1 2 \
-                          --root-password-file /opt/gitea/CISS.debian.live.builder/password.txt \
-                          --ssh-port 4242 \
-                          --ssh-pubkey /opt/gitea/CISS.debian.live.builder \
-                          --trixie
+   ./ciss_live_builder.sh \
+     --architecture amd64 \
+     --autobuild=6.16.3+deb13-amd64 \
+     --build-directory /opt/cdlb \
+     --cdi \
+     --change-splash hexagon \
+     --control "${timestamp}" \
+     --debug \
+     --dhcp-centurion \
+     --jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \
+     --key_age=keys.txt \
+     --key_luks=luks.txt \
+     --provider-netcup-ipv6 [c0de:4711:0815:4242::ffff] \
+     --reionice-priority 1 2 \
+     --renice-priority "-19" \
+     --root-password-file /dev/shm/cdlb_secrets/password.txt \
+     --signing_key_fpr=98089A472CCF4601CD51D7C7095D36535296EA14B8DE92198723C4DC606E8F76 \
+     --signing_key_pass=signing_key_pass.txt \
+     --signing_key=signing_key.asc \
+     --ssh-port 4242 \
+     --ssh-pubkey /dev/shm/cdlb_secrets \
+     --sshfp \
+     --trixie
    ````
 
 4. Locate your ISO in the `--build-directory`.
@@ -487,9 +544,9 @@ preview it or run it.
 
 2. Preparation:
    1. Ensure you are root.
-   2. Create the build directory `mkdir /opt/livebuild`.
-   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
-   4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
+   2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`.
+   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
+   4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
    5. Copy and edit the sample and set your options (no spaces around commas in lists): 
 
     ````bash
@@ -497,10 +554,10 @@ preview it or run it.
     ````
 
     ````bash
-    BUILD_DIR=/opt/livebuild
-    ROOT_PASSWORD_FILE=/opt/gitea/CISS.debian.live.builder/password.txt
+    BUILD_DIR=/opt/cdlb
+    ROOT_PASSWORD_FILE=/dev/shm/cdlb_secrets/password.txt
     SSH_PORT=4242
-    SSH_PUBKEY=/root/.ssh
+    SSH_PUBKEY=/dev/shm/cdlb_secrets
 
     # Optional
     PROVIDER_NETCUP_IPV6=2001:cdb::1
@@ -533,7 +590,7 @@ preview it or run it.
 
             ### Private Key
             echo "${{ secrets.CHANGE_ME }}" >| ~/.ssh/id_ed25519
-            chmod 600 ~/.ssh/id_ed25519
+            chmod 0600 ~/.ssh/id_ed25519
   #...
         ### https://github.com/actions/checkout/issues/1843
         - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
@@ -580,13 +637,22 @@ preview it or run it.
 
 # 6. Licensing & Compliance
 
-This repository is fully SPDX-compliant. All source files include appropriate SPDX license identifiers and headers to ensure
-clear and unambiguous licensing. You can verify compliance by reviewing the top of each file, which follows the SPDX
-standard for license expressions and metadata.
+Unless stated otherwise in individual files via SPDX headers, this project is licensed under the European Union Public License (EUPL 1.2).
+That license is OSI-approved and compatible with internal use in both public sector and private environments. Several files carry
+dual or multi-license statements, for example **``LicenseRef-CNCL-1.1``** and / or **``LicenseRef-CCLA-1.1``**, where I offer a 
+non-commercial license for community use and a commercial license for professional integration. The SPDX headers in each file 
+are authoritative. If you plan to integrate **``CISS.debian.live.builder``** into a commercial product or a managed service 
+offering, you should treat these license markers as binding and reach out for a proper agreement where required.
 
 # 7. Disclaimer
 
-This README is provided "as-is" without any warranty. Review your organization's policies before deploying to production.
+This repository is designed for well-experienced administrators and security professionals who are comfortable with low-level 
+Linux tooling, cryptography, and automation. It can and will create, format, and encrypt devices. It is entirely possible to 
+destroy data if you use it carelessly. I publish this work in good faith and with a strong focus on correctness and robustness. 
+Nevertheless, there is no warranty of any kind. You are responsible for understanding what you are doing, for validating your 
+own threat model, and for ensuring that this tool fits your regulatory and operational environment. If you treat the builder, and 
+the resulting images with the same discipline with which they were created, you will obtain a hardened, reproducible, and 
+auditable base for serious systems. If you treat them casually, they will not save you from yourself.
 
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**

REPOSITORY.md

@@ -8,15 +8,15 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.768.2025.12.06<br>
 
-# 2.1. Repository Structure
+# 2. Repository Structure
 
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **8.13**, Build **V8.13.142.2025.10.14** (as of 2025-10-11)
+**Repository State:** Master Version **8.13**, Build **V8.13.768.2025.12.06** (as of 2025-10-11)
 
-## 2.2. Top-Level Layout
+## 3.1. Top-Level Layout
 
 ````text
 CISS.debian.live.builder/
@@ -59,17 +59,17 @@ CISS.debian.live.builder/
 
 > **Note:** The ISO marker files (`LIVE_ISO.*`) are produced by CI workflows for convenient retrieval of generated images.
 
-## 2.3. Directory Semantics
+## 3.2. Directory Semantics
 
-### 2.3.1. `.gitea/` — CI/CD Orchestration
+### 3.2.1. `.gitea/` — CI/CD Orchestration
 - **`workflows/`**: Declarative Gitea Actions to lint shell scripts, render Graphviz/DNSSEC status, and generate **PUBLIC**/**PRIVATE (TRIXIE)** ISOs reproducibly.
 - **`trigger/`**: Manual/auxiliary trigger manifests (`t_generate_PUBLIC.yaml`, `t_generate_PRIVATE_trixie_{0,1}.yaml`, `t_generate_dns.yaml`) to drive pipeline variants.
 - **`ISSUE_TEMPLATE/`**: Issue and pull request templates to standardize change management.
 - **`properties/`** and **`TODO/`**: Auxiliary config fragments (JSON/Lua) and maintenance utilities (e.g., `render-md-to-html.yaml`).
 
-### 2.3.2. `config/` — Live-Build Configuration
+### 3.2.2. `config/` — Live-Build Configuration
 - **`bootloaders/`**: Boot assets for GRUB in EFI and PC modes, incl. a branded splash image.
-- **`hooks/live/`**: **Ordered** `*.chroot` hooks implementing system configuration and hardening during image creation; the numeric prefixes dictate execution (e.g., `0000_basic_chroot_setup.chroot`, `0810_chrony_setup.chroot`, `0900_ufw_setup.chroot`, `9930_hardening_ssh.chroot`, `9950_fail2ban_hardening.chroot`).
+- **`hooks/live/`**: **Ordered** `*.chroot` hooks implementing system configuration and hardening during image creation; the numeric prefixes dictate execution (e.g., `0000_basic_chroot_setup.chroot`, `0810_chrony_setup.chroot`, `0900_ufw_setup.chroot`, `9930_hardening_ssh.chroot`, `9950_hardening_fail2ban.chroot`).
 - **`includes.binary/boot/grub/`**: Static GRUB configuration embedded in the binary image (`config.cfg`).
 - **`includes.chroot/`**: Files copied into the live system’s root:
   - `etc/` (APT configuration, `live/`, `modprobe.d/`, network, SSH, `sysctl.d/`, systemd drop-ins, banners),
@@ -77,40 +77,40 @@ CISS.debian.live.builder/
   - `root/` (administrator dotfiles and keys).
 - **`package-lists/`**: Architecture-specific and common package manifests (`amd64`, `arm64`, `common`) used by `live-build`.
 
-### 2.3.3. `docs/` — Documentation Corpus
+### 3.2.3. `docs/` — Documentation Corpus
 Audit reports (DNSSEC, Lynis, SSH, TLS, Haveged), **BOOTPARAMS**, **CHANGELOG**, **CODING_CONVENTION**, **CONTRIBUTING**, **REFERENCES**; plus `SECURITY/`, `LICENSES/`, architecture diagrams under `graphviz/`, and illustrative `screenshots/`.
 
-### 2.3.4. `lib/` — Shell Library Modules
+### 3.2.4. `lib/` — Shell Library Modules
 Composable, single-purpose modules used by the wrapper and CI steps (argument parsing and validation, kernel/CPU mitigation checks, provider support, `lb config/build` scaffolding, usage/version banners, sanitization and traps, SSH/root-password hardening, ultra-hardening profile, etc.).
 
-### 2.3.5. `scripts/` — Operational Helpers
+### 3.2.5. `scripts/` — Operational Helpers
 Ancillary scripts for DHCP supersedes, resolver bootstrapping, and live-boot verification; targeted paths such as `scripts/etc/network/` and `scripts/live-boot/` encapsulate deploy-time adjustments and integrity checks.
 
-### 2.3.6. `var/` — Variables & Defaults
+### 3.2.6. `var/` — Variables & Defaults
 Layered variable sets (`early.var.sh`, `global.var.sh`, `bash.var.sh`, `color.var.sh`) providing early-boot defaults, global tuning, and TTY/UI niceties.
 
-## 2.4. Key Files
+## 3.3. Key Files
 
 - **`ciss_live_builder.sh`** — Primary entrypoint; orchestrates argument parsing, environment preparation, `lb config`/`lb build` execution and post-processing.
 - **`makefile`** & **`config.mk.sample`** — Make-based convenience wrapper and a sample configuration surface.
 - **`README.md`, `SECURITY.md`, `LICENSE`, `CISS.debian.live.builder.spdx`** — Project overview, security policy, licensing, and SPDX manifest for compliance.
 - **ISO markers**: `LIVE_ISO.public`, `LIVE_ISO_TRIXIE_{0,1}.private` reflect CI pipeline outputs.
 
-## 2.5. Conventions & Build Logic
+## 3.4. Conventions & Build Logic
 
 - **Hook Ordering**: Numeric prefixes (`0000_…` → `99xx_…`) strictly determine execution sequencing within `config/hooks/live/`. Early hooks establish base state (initramfs modules, checksums), mid-range hooks integrate security services (AppArmor, Chrony/NTPsec, Lynis, UFW, Fail2Ban, SSH auditing), late hooks enforce hardening and cleanup (SSH tightening, memory-dump policies, service disablement).
 - **Binary vs. Chroot Includes**: Assets under `includes.binary/` affect the ISO’s bootloader stage; `includes.chroot/` become part of the runtime filesystem.
 - **Architecture Scoping**: Package lists are split into `*amd64*`, `*arm64*`, and `*common*` to keep images minimal and deterministic.
 - **CI/CD**: Reproducible ISO builds are executed via Gitea workflows; dedicated `trigger/` manifests parameterize public vs. private images and auxiliary rendering jobs (e.g., DNSSEC status, Graphviz diagrams).
 
-## 2.6. Cross-References (Documentation)
+## 3.5. Cross-References (Documentation)
 
 - **Boot Parameters**: see `docs/BOOTPARAMS.md`.
 - **Audits**: `docs/AUDIT_*.md` (DNSSEC, Lynis, SSH, TLS, Haveged).
 - **Coding & Contribution**: `docs/CODING_CONVENTION.md`, `docs/CONTRIBUTING.md`.
 - **Change Log & References**: `docs/CHANGELOG.md`, `docs/REFERENCES.md`.
 
-## 2.7. Licensing & Compliance
+## 3.6. Licensing & Compliance
 
 The repository is **SPDX-compliant**; source files carry SPDX identifiers. See `CISS.debian.live.builder.spdx` and `LICENSE` for details.
 

ciss_live_builder.sh

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -20,25 +20,30 @@
 # default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
 # or Cygwin on Windows systems.
 
+### RESOURCES
+# https://github.com/koalaman/shellcheck
+# https://github.com/mvdan/sh
+# https://google.github.io/styleguide/shellguide.html
+# https://mywiki.wooledge.org/BashGuide
+# https://styles.goatbytes.io/lang/shell/
+# https://www.bashsupport.com/de/
+# https://www.gnu.org/software/bash/manual/
+
 ### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES.
-# shellcheck disable=SC2155
+# shellcheck disable=SC2155,SC2249
+declare -agx  ARY_PARAM_ARRAY=("$@")                                     # Arguments passed to script as an array.
 declare -girx VAR_START_TIME="${SECONDS}"                                # Start time of script execution.
 declare -grx  VAR_PARAM_COUNT="$#"                                       # Arguments passed to script.
 declare -grx  VAR_PARAM_STRNG="$*"                                       # Arguments passed to script as string.
-declare -ag   ARY_PARAM_ARRAY=("$@")                                     # Arguments passed to script as an array.
 declare -grx  VAR_SETUP_FILE="${0##*/}"                                  # 'ciss_debian_live_builder.sh'
-declare -grx  VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)"          # '/opt/git/CISS.debian.live.builder'
-declare -grx  VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/opt/git/CISS.debian.live.builder/ciss_debian_live_builder.sh'
-# shellcheck disable=SC2155
-declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
-# shellcheck disable=SC2155
-declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
-# shellcheck disable=SC2155
-declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
+declare -grx  VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/root/git/CISS.debian.live.builder/ciss_debian_live_builder.sh'
+declare -grx  VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)"          # '/root/git/CISS.debian.live.builder'
+declare -grx  VAR_TMP_SECRET="/dev/shm/cdlb_secrets"                     # Fixed tmpfs path to store securely build artifacts.
+declare -grx  VAR_WORKDIR="$(dirname "${VAR_SETUP_FULL}")"               # '/root/git/CISS.debian.live.builder'
 
 ### PRELIMINARY CHECKS.
 ### No ash, dash, ksh, sh.
-# shellcheck disable=2292
+# shellcheck disable=SC2292
 [ -z "${BASH_VERSINFO[0]}" ] && {
   . ./var/global.var.sh
   printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2
@@ -60,7 +65,7 @@ declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 }
 
 ### Check to be not called by sh.
-# shellcheck disable=2312
+# shellcheck disable=SC2312
 [[ $(kill -l | grep -c SIG) -eq 0 ]] && {
   . ./var/global.var.sh
   printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2
@@ -95,30 +100,40 @@ declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
   exit 1
 }
 
-### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT()
+### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING().
 . ./var/early.var.sh
 . ./lib/lib_guard_sourcing.sh
 . ./lib/lib_source_guard.sh
-source_guard "./lib/lib_git_var.sh"
 
-### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG
-for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done
-for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh  ; usage  ; exit 0;; esac; done
-for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh; version; exit 0;; esac; done
-
-### ALL CHECKS DONE. READY TO START THE SCRIPT
+### SECURING ENVIRONMENT.
 source_guard "./var/bash.var.sh"
-check_git
-for arg in "$@"; do case "${arg,,}" in -d|--debug) . ./meta_sources_debug.sh; debugger "${@}";; esac; done
-declare -gx VAR_SETUP="true"
 
-### SOURCING VARIABLES
+### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG.
+for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh   ; contact; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh     ; usage  ; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh   ; version; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done
+
+### ALL CHECKS DONE. READY TO START THE SCRIPT.
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+declare -grx VAR_SETUP="true"
+
+### SECURING SECRETS ARTIFACTS.
+test ! -L "${VAR_TMP_SECRET}" || {
+  . ./var/global.var.sh
+  printf "\e[91m❌ Refusing symlink: '%s'! Bye... \e[0m\n" "${VAR_TMP_SECRET}" >&2
+  exit "${ERR_SECRETSSYM}"
+}
+find "${VAR_TMP_SECRET}" -type f -exec chmod 0400 {} +
+find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
+
+### SOURCING VARIABLES.
 [[ "${VAR_SETUP}" == true ]] && {
   source_guard "./var/color.var.sh"
   source_guard "./var/global.var.sh"
 }
 
-### SOURCING LIBRARIES
+### SOURCING LIBRARIES.
 [[ "${VAR_SETUP}" == true ]] && {
   source_guard "./lib/lib_arg_parser.sh"
   source_guard "./lib/lib_arg_priority_check.sh"
@@ -130,29 +145,38 @@ declare -gx VAR_SETUP="true"
   source_guard "./lib/lib_check_kernel.sh"
   source_guard "./lib/lib_check_pkgs.sh"
   source_guard "./lib/lib_check_provider.sh"
+  source_guard "./lib/lib_check_secrets.sh"
   source_guard "./lib/lib_check_stats.sh"
   source_guard "./lib/lib_check_var.sh"
+  source_guard "./lib/lib_ciss_signatures.sh"
+  source_guard "./lib/lib_ciss_upgrades_boot.sh"
+  source_guard "./lib/lib_ciss_upgrades_build.sh"
   source_guard "./lib/lib_clean_screen.sh"
   source_guard "./lib/lib_clean_up.sh"
   source_guard "./lib/lib_copy_integrity.sh"
+  source_guard "./lib/lib_gnupg.sh"
   source_guard "./lib/lib_hardening_root_pw.sh"
-  source_guard "./lib/lib_hardening_ssh.sh"
+  source_guard "./lib/lib_hardening_ssh_tcp.sh"
   source_guard "./lib/lib_hardening_ultra.sh"
   source_guard "./lib/lib_helper_ip.sh"
   source_guard "./lib/lib_lb_build_start.sh"
   source_guard "./lib/lib_lb_config_start.sh"
-  source_guard "./lib/lib_lb_config_write.sh"
   source_guard "./lib/lib_lb_config_write_trixie.sh"
   source_guard "./lib/lib_note_target.sh"
+  source_guard "./lib/lib_primordial.sh"
   source_guard "./lib/lib_provider_netcup.sh"
   source_guard "./lib/lib_run_analysis.sh"
   source_guard "./lib/lib_sanitizer.sh"
   source_guard "./lib/lib_trap_on_err.sh"
   source_guard "./lib/lib_trap_on_exit.sh"
+  source_guard "./lib/lib_update_microcode.sh"
   source_guard "./lib/lib_usage.sh"
 }
 
-### ADVISORY LOCK
+### CHECKING REQUIRED PACKAGES.
+check_pkgs
+
+### ADVISORY LOCK.
 exec 127>/var/lock/ciss_live_builder.lock || {
   printf "\e[91m❌ Cannot open lockfile for writing! Bye... \e[0m\n" >&2
   exit "${ERR_FLOCK_WRTG}"
@@ -163,95 +187,90 @@ if ! flock -x -n 127; then
   exit "${ERR_FLOCK_COLL}"
 fi
 
-### CHECK FOR AUTOBUILD MODE
+### CHECK FOR AUTOBUILD MODE.
 for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -gx VAR_HANDLER_AUTOBUILD="true"; declare -gx VAR_KERNEL="${arg#*=}";; esac; done; unset arg
 for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *) PATH="${PATH}:${dir}" ;; esac; done; export PATH; unset dir
 
-### CHECKING REQUIRED PACKAGES
-check_pkgs
-
-### DIALOG OUTPUT FOR INITIALIZATION
+### DIALOG OUTPUT FOR INITIALIZATION.
 if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen; fi
 
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
 
-### Updating Status of Dialog Gauge Bar
-if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
-
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
 ### Following the CISS Bash naming and ordering scheme:
-trap 'trap_on_exit "$?"' EXIT
-trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
+trap 'trap_on_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT
+trap 'trap_on_err  "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
 
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
 arg_check "$@"
-declare -ar ARY_ARG_SANITIZED=("$@")
-declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
+declare -ar  ARY_ARG_SANITIZED=("$@")
+declare -grx VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
 
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
 arg_parser "$@"
 
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
 clean_ip
 
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
 
-### Turn off Dialog Wrapper
+### Turn off the dialog wrapper.
 if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
 
-### MAIN Program
+### MAIN Program ---------------------------------------------------------------------------------------------------------------
 arg_priority_check
 check_stats
+
 if ! ${VAR_HANDLER_AUTOBUILD}; then check_provider; fi
 if ! ${VAR_HANDLER_AUTOBUILD}; then check_kernel; fi
 
-if [[ ! "${VAR_SSHFP}" == "true" ]]; then
-  rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
-  rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
-fi
+ciss_upgrades_build
+hardening_ssh_tcp
 
-check_hooks
-hardening_ssh
+### Preparing the build environment.
 lb_config_start
 
-if [[ "${VAR_SUITE}" == "bookworm" ]]; then
+### Writing the build configuration.
+lb_config_write_trixie
 
-  lb_config_write
-  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_trixie.chroot"
-  rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/etc/login.defs"
+### Init GNUPGHOME.
+init_gnupg
 
-else
-
-  lb_config_write_trixie
-  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/0003_install_backports.chroot"
-  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_bookworm.chroot"
-
-fi
-
-# shellcheck disable=SC2164
-cd "${VAR_WORKDIR}"
+### Integrate primordial SSH identity files.
+init_primordial
 
+### Integrate the CISS.debian.live.builder repository into the build directory.
+### Modifications from this point onwards must be placed under 'VAR_HANDLER_BUILD_DIR'.
 hardening_ultra
-hardening_root_pw
+
+### CISS.debian.installer 'GRUB' and 'autostart' generator.
+cdi
+
+### Final CISS.debian.live.builder integrations.
 change_splash
 check_dhcp
-cdi
-provider_netcup
+ciss_signatures
+ciss_upgrades_boot
+hardening_root_pw
 note_target
+provider_netcup
+update_microcode
+x_hooks
+x_remove
 
-### Start the build process
+### Start the build process ----------------------------------------------------------------------------------------------------
 set +o errtrace
 lb_build_start
-
 set -o errtrace
+
 run_analysis
 copy_db
-declare -g VAR_SCRIPT_SUCCESS=true
+declare -grx VAR_SCRIPT_SUCCESS="true"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config.mk.sample

@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

config/bootloaders/grub-efi/grub.cfg

@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -43,4 +43,4 @@ submenu 'Utilities ...' --hotkey=u {
     }
   fi
   }
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/bootloaders/grub-pc/grub.cfg

@@ -4,7 +4,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -43,4 +43,4 @@ submenu 'Utilities ...' --hotkey=u {
     }
   fi
   }
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu

config/hooks/live/0000_basic_chroot_setup.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -13,15 +13,277 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
-export DEBIAN_FRONTEND="noninteractive"
-apt-get update -qq
+# shellcheck disable=SC2155
+declare -gx VAR_DATE="$(date +%F)"
 
-mkdir -p /root/.ciss/dlb/{backup,log}
-chmod 0700 /root/.ciss/dlb/{backup,log}
+#######################################
+# Generates '/etc/default/ciss-xdg-profile'
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+generate_ciss_xdg_profile() {
+  cat << EOF >> /etc/default/ciss-xdg-profile
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Default toggles for ciss-xdg-profile
+# 1 = enable, 0 = disable
+
+ENABLE_XDG_BASH_HISTORY=1
+ENABLE_XDG_LESS_HISTORY=1
+ENABLE_XDG_ZSH_HISTORY=1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+  chmod 0644 /etc/default/ciss-xdg-profile
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_ciss_xdg_profile
+
+#######################################
+# Generates '/etc/profile.d/ciss-xdg.sh'
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+generate_ciss_xdg_sh() {
+  cat << EOF >| /etc/profile.d/ciss-xdg.sh
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+EOF
+  cat << 'EOF' >> /etc/profile.d/ciss-xdg.sh
+# shellcheck shell=sh
+
+# This file is sourced by login shells via '/etc/profile'. Keep POSIX sh compatible.
+
+### XDG variables (do not override if already set).
+export XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
+export XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
+export XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
+export XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
+export XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
+export XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
+
+### XDG_RUNTIME_DIR is provided by systemd-logind; do not set a persistent path.
+# shellcheck disable=SC2312
+if [ -z "${XDG_RUNTIME_DIR:-}" ] && [ -d "/run/user/$(id -u)" ]; then
+  # shellcheck disable=SC2155
+  export XDG_RUNTIME_DIR="/run/user/$(id -u)"
+fi
+
+### Create canonical directories idempotently with 0700.
+_xdg_umask="$(umask)"
+umask 077
+[ -d "${XDG_CONFIG_HOME}"     ] || install -d -m 0700 -- "${XDG_CONFIG_HOME}"
+[ -d "${XDG_DATA_HOME}"       ] || install -d -m 0700 -- "${XDG_DATA_HOME}"
+[ -d "${XDG_CACHE_HOME}"      ] || install -d -m 0700 -- "${XDG_CACHE_HOME}"
+[ -d "${XDG_STATE_HOME}"      ] || install -d -m 0700 -- "${XDG_STATE_HOME}"
+umask "${_xdg_umask}"
+unset _xdg_umask
+
+### Optional migrations (controlled via /'etc/default/ciss-xdg-profile').
+[ -f /etc/default/ciss-xdg-profile ] && . /etc/default/ciss-xdg-profile
+
+### Bash history -> XDG_STATE_HOME (only if running bash).
+if [ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ] && [ -n "${BASH_VERSION:-}" ]; then
+  [ -d "${XDG_STATE_HOME}/bash" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/bash"
+  export HISTFILE="${XDG_STATE_HOME}/bash/history"
+fi
+
+### Less history -> XDG_STATE_HOME
+if [ "${ENABLE_XDG_LESS_HISTORY:-1}" = "1" ]; then
+  [ -d "${XDG_STATE_HOME}/less" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/less"
+  export LESSHISTFILE="${XDG_STATE_HOME}/less/history"
+fi
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  chmod 0755 /etc/profile.d/ciss-xdg.sh
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_ciss_xdg_sh
+
+#######################################
+# Generates '/root/ciss_xdg_tmp.sh'
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+generate_ciss_xdg_tmp_sh() {
+  cat << EOF >| /root/ciss_xdg_tmp.sh
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### XDG variables (do not override if already set).
+
+EOF
+  cat << 'EOF' >> /root/ciss_xdg_tmp.sh
+set -a
+
+# shellcheck disable=SC2034
+XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
+# shellcheck disable=SC2034
+XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
+# shellcheck disable=SC2034
+XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
+# shellcheck disable=SC2034
+XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
+# shellcheck disable=SC2034
+XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
+# shellcheck disable=SC2034
+XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
+
+### Optional migrations (controlled via /etc/default/ciss-xdg-profile).
+[[ -f /etc/default/ciss-xdg-profile ]] && . /etc/default/ciss-xdg-profile
+
+### Bash history -> XDG_STATE_HOME (only if running bash).
+if [[ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ]] && [[ -n "${BASH_VERSION:-}" ]]; then
+  HISTFILE="${XDG_STATE_HOME}/bash/history"
+fi
+
+set +a
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+  chmod 0700 /root/ciss_xdg_tmp.sh
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_ciss_xdg_tmp_sh
+
+### Ensuring XDG compliance: https://specifications.freedesktop.org/basedir/latest/ --------------------------------------------
+generate_ciss_xdg_profile
+generate_ciss_xdg_sh
+generate_ciss_xdg_tmp_sh
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+apt-get update -qq
+apt-get install -y --no-install-suggests libpam-systemd
+
+### Installing microcode updates -----------------------------------------------------------------------------------------------
+if [[ -f /root/.architecture ]]; then
+
+  apt-get install -y --no-install-suggests amd64-microcode intel-microcode
+  rm -f /root/.architecture
+
+fi
+
+### Prepare environment --------------------------------------------------------------------------------------------------------
+mkdir -p /root/.ciss/cdlb/{backup,log,private_keys}
+chmod 0700 /root/.ciss/cdlb/{backup,log,private_keys}
 
 mkdir -p /root/git
 chmod 0700 /root/git
 
+mkdir -p /etc/ciss/keys
+chmod 0755 /etc/ciss/keys
+
+### Mask apt show version unit and timer ---------------------------------------------------------------------------------------
+ln -sf /dev/null /etc/systemd/system/apt-show-versions.timer
+ln -sf /dev/null /etc/systemd/system/apt-show-versions.service
+rm -f /etc/cron.daily/apt-show-versions || true
+
+### Remove the original '/usr/lib/live/boot/0030-verify-checksums' -------------------------------------------------------------
+[[ -e /usr/lib/live/boot/0030-verify-checksums ]] && rm -f /usr/lib/live/boot/0030-verify-checksums
+
+### Ensure proper 0755 rights for CISS initramfs scripts  ----------------------------------------------------------------------
+find /usr/lib/live/boot -type f -exec chmod 0755 {} +
+
+[[ -e /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh ]] \
+  && chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
+
+[[ -e /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh ]] \
+  && chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
+
+### Ensure proper systemd directories exist ------------------------------------------------------------------------------------
+mkdir -p /etc/systemd/resolved.conf.d
+mkdir -p /etc/systemd/system
+mkdir -p /etc/systemd/system/multi-user.target.wants
+mkdir -p /etc/systemd/system/sockets.target.wants
+
+### Enable clean systemd-networkd stack ----------------------------------------------------------------------------------------
+apt-get -y purge ifupdown || true
+
+ln -sf /lib/systemd/system/systemd-networkd.service /etc/systemd/system/multi-user.target.wants/systemd-networkd.service
+
+ln -sf /lib/systemd/system/systemd-resolved.service /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
+
+ln -sf /lib/systemd/system/systemd-resolved.socket  /etc/systemd/system/sockets.target.wants/systemd-resolved.socket
+
+cat << EOF >| /etc/systemd/system/ciss-fix-resolvconf.service
+[Unit]
+Description=Force systemd-resolved stub resolv.conf
+After=network-online.target
+Before=apt-daily.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/rm -f /etc/resolv.conf
+ExecStart=/usr/bin/ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+ln -sf /etc/systemd/system/ciss-fix-resolvconf.service /etc/systemd/system/multi-user.target.wants/ciss-fix-resolvconf.service
+
+cat << EOF >| /etc/systemd/resolved.conf.d/10-ciss-dnssec.conf
+[Resolve]
+DNSOverTLS=opportunistic
+DNSSEC=yes
+LLMNR=no
+MulticastDNS=no
+EOF
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0

config/hooks/live/0001_initramfs_modules.chroot

@@ -1,11 +1,11 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -52,20 +52,21 @@ grep_nic_driver_modules() {
 
   return 0
 }
-
-export DEBIAN_FRONTEND="noninteractive"
-apt-get install -y intel-microcode amd64-microcode
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f grep_nic_driver_modules
 
 # shellcheck disable=SC2155
-declare nic_driver="$(grep_nic_driver_modules)"
+declare nic_driver="$(grep_nic_driver_modules)" VAR_DATE="$(date +%F)"
+
 cat << EOF >| /etc/initramfs-tools/modules
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -82,19 +83,10 @@ cat << EOF >| /etc/initramfs-tools/modules
 # raid1
 # sd_mod
 
-### Load AppArmor early:
+### AppArmor -------------------------------------------------------------------------------------------------------------------
 apparmor
 
-### Entropy source for '/dev/random':
-jitterentropy_rng
-rng_core
-
-### Live-ISO-Stack:
-loop
-squashfs
-overlay
-
-### Main btrfs-Stack:
+### btrfs ----------------------------------------------------------------------------------------------------------------------
 btrfs
 lzo
 xor
@@ -102,28 +94,7 @@ xxhash
 zstd
 zstd_compress
 
-### Main ext4-Stack:
-ext4
-jbd2
-libcrc32c
-
-### Main VFAT/ESP/FAT/UEFI-Stack:
-exfat
-fat
-nls_ascii
-nls_cp437
-nls_iso8859-1
-nls_iso8859-15
-nls_utf8
-vfat
-
-### Device mapper, encryption & integrity:
-dm_mod
-dm_crypt
-dm_integrity
-dm_verity
-
-### Main cryptography-Stack:
+### cryptography ---------------------------------------------------------------------------------------------------------------
 aes_generic
 blake2b_generic
 crc32c_generic
@@ -133,59 +104,111 @@ sha256_generic
 sha512_generic
 xts
 
-### QEMU Bochs-compatible virtual machine support:
-bochs
+### cryptsetup -----------------------------------------------------------------------------------------------------------------
+dm_crypt
+dm_integrity
+dm_mod
+dm_verity
 
-### RAID6 parity generation module:
-raid6_pq
+### Entropy --------------------------------------------------------------------------------------------------------------------
+jitterentropy_rng
+rng_core
 
-### Combined RAID4/5/6 support module:
-raid456
+### ESP/FAT/UEFI ---------------------------------------------------------------------------------------------------------------
+exfat
+fat
+nls_ascii
+nls_cp437
+nls_iso8859-1
+nls_iso8859-15
+nls_utf8
+vfat
 
-### SCSI/SATA-Stack:
-sd_mod
-sr_mod
-sg
-ahci
-libahci
-ata_generic
-libata
-scsi_mod
-scsi_dh_alua
+### ext4 -----------------------------------------------------------------------------------------------------------------------
+ext4
+jbd2
+libcrc32c
 
-### NVMe-Stack:
+### Live-ISO -------------------------------------------------------------------------------------------------------------------
+loop
+squashfs
+overlay
+
+#### nftables ------------------------------------------------------------------------------------------------------------------
+#nf_log_common  # built-in
+#nft_counter    # built-in
+#nft_icmp       # built-in
+#nft_icmpv6     # built-in
+#nft_meta       # built-in
+#nft_set_hash   # built-in
+#nft_set_rbtree # built-in
+#nft_tcp        # built-in
+#nft_udp        # built-in
+nf_conntrack
+nf_nat
+nf_reject_ipv4
+nf_reject_ipv6
+nf_tables
+nfnetlink
+nfnetlink_log
+nft_ct
+nft_limit
+nft_log
+nft_masq
+nft_nat
+nft_reject_inet
+
+### NVMe -----------------------------------------------------------------------------------------------------------------------
 nvme
 nvme_core
 
-### USB-Stack:
-xhci_pci
-xhci_hcd
+### QEMU -----------------------------------------------------------------------------------------------------------------------
+bochs
+
+### RAID -----------------------------------------------------------------------------------------------------------------------
+raid456
+raid6_pq
+
+### SCSI/SATA ------------------------------------------------------------------------------------------------------------------
+ahci
+ata_generic
+libahci
+libata
+scsi_dh_alua
+scsi_mod
+sd_mod
+sg
+sr_mod
+
+### USB ------------------------------------------------------------------------------------------------------------------------
 ehci_pci
 ohci_pci
+uas
 uhci_hcd
 usb_storage
-uas
+xhci_hcd
+xhci_pci
 
-### Virtual-Machines-Stack:
-virtio_pci
+### Virtual --------------------------------------------------------------------------------------------------------------------
 virtio_blk
-virtio_scsi
-virtio_rng
 virtio_console
+virtio_pci
+virtio_rng
+virtio_scsi
 
-### Network Driver Host-machine:
+### Network Driver Host-machine ------------------------------------------------------------------------------------------------
 "${nic_driver}"
 
 EOF
 
-cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
+cat << EOF >| /etc/initramfs-tools/update-initramfs.conf
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -201,7 +224,7 @@ cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
 # If set to all update-initramfs will update all initramfs
 # If set to no disables any update to initramfs besides kernel upgrade
 
-update_initramfs=yes
+update_initramfs=all
 
 #
 # backup_initramfs [ yes | no ]
@@ -213,14 +236,14 @@ backup_initramfs=no
 
 EOF
 
-cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
+cat << EOF >| /etc/initramfs-tools/initramfs.conf
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -277,10 +300,10 @@ COMPRESS=zstd
 # Defaults vary by compressor.
 #
 # Valid values are:
-# 1-9 for gzip|bzip2|lzma|lzop
-# 0-9 for  lz4|xz
-# 0-19 for zstd
-# COMPRESSLEVEL=3
+# 1...9 for gzip|bzip2|lzma|lzop
+# 0...9 for  lz4|xz
+# 0...19 for zstd
+COMPRESSLEVEL=16
 
 #
 # DEVICE: ...
@@ -317,45 +340,10 @@ FSTYPE=auto
 
 EOF
 
-cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
-#!/bin/sh
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-set -e
-
-PREREQ=""
-prereqs() { echo "$PREREQ"; }
-case $1 in
-  prereqs) prereqs; exit 0 ;;
-esac
-
-. /usr/share/initramfs-tools/hook-functions
-
-mkdir -p "${DESTDIR}/bin" "${DESTDIR}/usr/bin" "${DESTDIR}/usr/local/bin"
-
-# Include Bash
-copy_exec /usr/bin/bash /usr/bin
-
-# Include lsblk (block device information tool)
-copy_exec /usr/bin/lsblk /usr/bin
-
-# Include udevadm (udev management tool)
-copy_exec /usr/bin/udevadm /usr/bin
-EOF
-
-chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder
-
-### Regenerate the initramfs for the live system kernel
-update-initramfs -u -k all -v
+chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh
+chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
+chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
+chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 

config/hooks/live/0002_hardening_overlay_tmpfs.chroot

@@ -0,0 +1,63 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+VAR_DATE="$(date +%F)"
+
+cat << EOF >| /etc/systemd/system/ciss-remount-root.service
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[Unit]
+Description=Remount overlay root with nosuid,nodev
+DefaultDependencies=no
+After=local-fs.target
+Before=basic.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/mount -o remount,nosuid,nodev /
+
+[Install]
+WantedBy=sysinit.target
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+mkdir -p /etc/systemd/system/tmp.mount.d
+cat << EOF >| /etc/systemd/system/tmp.mount.d/override.conf
+[Mount]
+Options=mode=1777,strictatime,nosuid,nodev,noexec,size=1%
+EOF
+
+mkdir -p /etc/systemd/system/dev-shm.mount.d
+cat << EOF >| /etc/systemd/system/dev-shm.mount.d/override.conf
+[Mount]
+Options=mode=1777,nosuid,nodev,noexec,size=25%
+EOF
+
+systemctl enable ciss-remount-root.service
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0002_verify_checksums.chroot

@@ -1,142 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-set -Ceuo pipefail
-
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-
-target="/usr/lib/live/boot/0030-verify-checksums"
-src="$(mktemp)"
-
-if [[ ! -d /usr/lib/live/boot ]]; then
-  mkdir -p /usr/lib/live/boot
-fi
-
-cat << 'EOF' >| "${src}"
-#!/bin/sh
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-### Changed version of https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
-### In case of successful verification of the offered checksums, proceed with booting, else panic.
-
-### Inside 0002_verify_checksums.chroot ###
-
-#######################################
-# Live build ISO with the modified checksum verification script for continuing the boot process.
-# Globals:
-#   LIVE_BOOT_CMDLINE
-#   LIVE_VERIFY_CHECKSUMS
-#   LIVE_VERIFY_CHECKSUMS_DIGESTS
-#   _CHECKSUM
-#   _CHECKSUMS
-#   _DIGEST
-#   _MOUNTPOINT
-#   _PARAMETER
-#   _RETURN
-#   _TTY
-# Arguments:
-#   $1: ${_PARAMETER}
-# Returns:
-#   0 : Successful Verification
-#######################################
-Verify_checksums() {
-  for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
-    case "${_PARAMETER}" in
-      live-boot.verify-checksums=* | verify-checksums=*)
-        LIVE_VERIFY_CHECKSUMS="true"
-        LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
-        ;;
-
-      live-boot.verify-checksums | verify-checksums)
-        LIVE_VERIFY_CHECKSUMS="true"
-        ;;
-    esac
-  done
-
-  case "${LIVE_VERIFY_CHECKSUMS}" in
-    true) ;;
-
-    *)
-      return 0
-      ;;
-  esac
-
-  _MOUNTPOINT="${1}"
-
-  LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
-  _TTY="/dev/tty8"
-
-  log_begin_msg "Verifying checksums"
-
-  # shellcheck disable=SC2164
-  cd "${_MOUNTPOINT}"
-
-  for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
-    # shellcheck disable=SC2060
-    _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
-
-    for _CHECKSUM in ${_CHECKSUMS}; do
-      if [ -e "${_CHECKSUM}" ]; then
-        echo "Found ${_CHECKSUM}..." > "${_TTY}"
-
-        if [ -e "/bin/${_DIGEST}sum" ]; then
-          echo "Checking ${_CHECKSUM}..." > "${_TTY}"
-
-          # Verify checksums
-          grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
-          _RETURN="${?}"
-
-          # Stop after the first verification
-          # break 2
-        else
-          echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}"
-        fi
-      fi
-    done
-  done
-
-  log_end_msg
-
-  case "${_RETURN}" in
-    0)
-      log_success_msg "Verification sha512 sha384 sha256 successful, continuing booting in 10 seconds."
-      sleep 10
-      return 0
-      ;;
-
-    *)
-      panic "Verification failed, $(basename ${_TTY}) for more information."
-      ;;
-  esac
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
-EOF
-
-# Copy and make executable
-install -Dm755 "${src}" "${target}"
-
-rm -f "${src}"
-
-unset target src
-
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-
-exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0003_cdi_autostart.chroot

@@ -0,0 +1,54 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+if [[ -f /root/.cdi ]]; then
+
+  cat << EOF >| /etc/systemd/system/cdi-starter.service
+[Unit]
+Description=CISS CDI post-boot starter
+Documentation=https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+ConditionFileIsExecutable=/usr/local/sbin/9999_cdi_starter.sh
+After=live-config.service systemd-user-sessions.service getty.target
+After=network-online.target NetworkManager-wait-online.service
+Wants=network-online.target
+
+[Service]
+Type=simple
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/9999_cdi_starter.sh
+TimeoutStartSec=0
+Nice=5
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
+Environment=LANG=C.UTF-8
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+  chmod 0644 /etc/systemd/system/cdi-starter.service
+
+  systemctl enable cdi-starter.service
+
+  rm -f /root/.cdi
+
+fi
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0007_update_logrotate.chroot

@@ -0,0 +1,78 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+
+rm -f         "/etc/logrotate.conf"
+cat << EOF >| "/etc/logrotate.conf"
+# See "man logrotate" for details. Global options do not affect preceding include directives.
+
+# Rotate log files daily
+daily
+
+# Keep 90 daily worth of backlogs.
+rotate 90
+
+# Hard cap: delete rotated logs older than 90 days.
+maxage 90
+
+# Do not rotate the log if it is empty (this overrides the ifempty option).
+notifempty
+
+# Create new (empty) log files after rotating old ones.
+create
+
+# Use date as a suffix of the rotated file.
+dateext
+
+# Use yesterday's instead of today's date to create the dateext extension, so that the rotated log file has a date in its name
+# that is the same as the timestamps within it.
+dateyesterday
+
+# Enable compression
+compress
+
+# Use zstd instead of gzip.
+compresscmd /usr/bin/zstd
+
+# File extension for compressed logs.
+compressext .zst
+
+# Set zstd level 3 (default).
+compressoptions -20
+
+# How to decompress for 'logrotate -d' or similar.
+uncompresscmd /usr/bin/unzstd
+
+# Keep the most recent rotation uncompressed for one cycle.
+delaycompress
+
+# Delete log files using shred -u instead of unlink().
+shred
+
+# packages drop log rotation information into this directory
+include /etc/logrotate.d
+
+# system-specific logs may also be configured here.
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0010_install_apparmor.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -13,7 +13,9 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 apt-get install -y --no-install-recommends apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra
 
 install -d /etc/systemd/system/apparmor.service.d

config/hooks/live/0020_dropbear_build.chroot

@@ -0,0 +1,81 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+
+### Declare Arrays, HashMaps, and Variables.
+declare var_dropbear_version="2025.88"
+declare var_tar="/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
+declare var_build_dir="/root/build/dropbear-${var_dropbear_version}"
+declare var_logfile="/root/.ciss/cdlb/log/0020_dropbear_build.log"
+
+mkdir -p "/root/build"
+cp "${var_tar}" "/root/build"
+tar xjf "/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2" -C "/root/build"
+cp "/root/dropbear/localoptions.h" "${var_build_dir}"
+cd "${var_build_dir}"
+
+### Flag Purpose:
+#  -fPIE              : Generate position-independent executable code
+#  -pie               : Link the executable as PIE (so that ASLR works)
+#  -static            : Fully statically linked against musl
+#  -s                 : Strip unnecessary symbols directly during linking
+#  -Wl,-z,relro,-z,now: Enables full RELRO (symbol resolution at program startup)
+
+# shellcheck disable=SC2016,SC2312
+if ! setsid bash -c '
+    ### Sterile environment for the build-process.
+
+    export -n SHELLOPTS || true
+
+    set +u
+
+    unset PATH_SEPARATOR
+    PATH_SEPARATOR=":"
+    PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+    if ! command -v musl-gcc >/dev/null 2>&1; then
+      echo "ERROR: musl-gcc not found. Install musl-tools in chroot." >&2
+      exit 1
+    fi
+
+    CC=musl-gcc \
+      CFLAGS="-Os -fPIE -Wno-undef -fstack-protector-strong -D_FORTIFY_SOURCE=2" \
+      LDFLAGS="-static -pie -s -Wl,-z,relro,-z,now" \
+      ./configure \
+      --enable-static \
+      --enable-openpty \
+      --disable-pam \
+      --disable-zlib
+
+    # shellcheck disable=2312
+    make -j"$(nproc)"
+  ' >| "${var_logfile}" 2>&1
+then
+
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Dropbear build failed. See [%s] \e[0m\n" "${var_logfile}" >&2
+  tail -n 42 "${var_logfile}" >&2 || true
+  exit 42
+
+fi
+
+  rm -rf /root/dropbear
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0021_dropbear_initramfs.chroot

@@ -0,0 +1,132 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+### Declare Arrays, HashMaps, and Variables.
+declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+
+apt-get install -y --no-install-recommends --no-install-suggests cryptsetup-initramfs dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"
+apt-get purge -y dropbear 2>&1 | tee -a "${var_logfile}" || true
+apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a "${var_logfile}"
+apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a "${var_logfile}"
+
+mkdir -p /root/.ciss/cdlb/backup/usr/share/initramfs-tools/scripts/init-premount
+mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /root/.ciss/cdlb/backup/usr/share/initramfs-tools/scripts/init-premount/dropbear.trixie
+install -m 0755 -o root -g root /root/dropbear.file /usr/share/initramfs-tools/scripts/init-premount/dropbear
+rm -f /root/dropbear.file
+
+mkdir -p /root/.ciss/cdlb/backup/usr/sbin
+mv /usr/sbin/dropbear /root/.ciss/cdlb/backup/usr/sbin/dropbear.trixie
+install -m 0755 -o root -g root /root/build/dropbear-2025.88/dropbear /usr/sbin/
+
+mkdir -p /root/.ciss/cdlb/backup/usr/bin
+for var_file in dbclient dropbearconvert dropbearkey; do
+
+  mv "/usr/bin/${var_file}" "/root/.ciss/cdlb/backup/usr/bin/${var_file}.trixie"
+  install -m 0755 -o root -g root "/root/build/dropbear-2025.88/${var_file}" /usr/bin/
+
+done
+
+mkdir -p /etc/initramfs-tools/scripts/init-bottom
+
+cat << 'EOF' >| /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+PREREQ=""
+prereqs() { echo "${PREREQ}"; }
+# shellcheck disable=SC2249
+case "${1}" in
+  prereqs) prereqs; exit 0 ;;
+esac
+
+### Stop dropbear shipped in the initramfs after root pivot.
+[ -x /bin/pidof ] || exit 0
+
+P=$(/bin/pidof dropbear 2>/dev/null) || true
+
+[ -n "${P}" ] || exit 0
+
+/bin/kill -TERM "${P}" 2>/dev/null || true
+/bin/sleep 1
+
+/bin/kill -KILL "${P}" 2>/dev/null || true
+exit 0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+chmod 0755 /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill
+
+cat << EOF >| /etc/apt/preferences.d/99-mask-dropbear
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Never install the dropbear daemon package at all.
+
+Package: dropbear
+Pin: release *
+Pin-Priority: -1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+cat << EOF >| /etc/apt/preferences.d/99-mask-dropbear-initramfs
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Keep the currently installed initramfs integration; never upgrade it.
+
+Package: dropbear-initramfs
+Pin: release *
+Pin-Priority: -1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+systemctl mask dropbear.service dropbear.socket
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0022_dropbear_setup.chroot

@@ -0,0 +1,160 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+
+#######################################
+# Set up the 'dropbear-initramfs' environment.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+dropbear_setup() {
+  ### Declare Arrays, HashMaps, and Variables.
+  # shellcheck disable=SC2155
+  declare user_root_sshpubkey="$(< /root/.ssh/authorized_keys)"
+  declare var_force_command_string='command="/usr/local/bin/unlock_wrapper.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding '
+
+  ### Prepare strong dropbear host keys.
+  rm -f /etc/dropbear/initramfs/dropbear*key*
+
+  if [[ -d /root/ssh ]]; then
+
+    dropbearconvert openssh dropbear /root/ssh/ssh_host_ed25519_key        /etc/dropbear/initramfs/dropbear_ed25519_host_key
+    dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key >| /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub
+
+    if [[ -f /root/ssh/ssh_host_rsa_key ]]; then
+
+      dropbearconvert openssh dropbear /root/ssh/ssh_host_rsa_key          /etc/dropbear/initramfs/dropbear_rsa_host_key
+      dropbearkey -y -f /etc/dropbear/initramfs/dropbear_rsa_host_key   >| /etc/dropbear/initramfs/dropbear_rsa_host_key.pub
+
+    fi
+
+  else
+
+    # shellcheck disable=SC2312
+    /usr/bin/dropbearkey -t ed25519     -f /etc/dropbear/initramfs/dropbear_ed25519_host_key -C "root@live-$(date -I)"
+
+    # shellcheck disable=SC2312
+    /usr/bin/dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key     -C "root@live-$(date -I)"
+
+  fi
+
+  chmod 0600 /etc/dropbear/initramfs/dropbear_ed25519_host_key
+  chmod 0644 /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub
+
+  ### Prepare dropbear authorized_keys.
+  printf "%s\n" "${var_force_command_string}${user_root_sshpubkey}" >| /etc/dropbear/initramfs/authorized_keys
+  chmod 0600 /etc/dropbear/initramfs/authorized_keys
+  install -m 0644 -o root -g root /etc/banner /etc/dropbear/initramfs/banner
+
+  ### "IP=<HOST IP>::<GATEWAY IP>:<SUBNET MASK>:<FQDN>:<NIC>:none:<DNS 0 IP>:<DNS 1 IP>:<NTP IP>"
+  ### "IP=:::::<NIC>:dhcp"
+  printf "IP=::::::dhcp\n" >| /etc/initramfs-tools/conf.d/ip
+
+  ### Generate dropbear configuration file.
+  write_dropbear_conf
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f dropbear_setup
+
+#######################################
+# Write '/etc/dropbear/initramfs/dropbear.conf'.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+write_dropbear_conf() {
+  # shellcheck disable=SC2155
+  declare sshport="$(< /root/sshport)"
+  rm -f /root/sshport
+
+  [[ -z "${sshport:-}" ]] && sshport="2222"
+
+  ### CISS internal
+  [[ "${sshport}" == "42137" ]] && sshport="44137"
+
+  cat << EOF >| /etc/dropbear/initramfs/dropbear.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Configuration options for the dropbear-initramfs boot scripts.
+# Variable assignment follow shell semantics and escaping/quoting rules.
+# You must run update-initramfs(8) to effect changes to this file (like
+# for other files in the '/etc/dropbear/initramfs' directory).
+
+# Command line options to pass to dropbear(8).
+# Dropbear options for 2025+:
+# -b: Display the contents of bannerfile before user login
+# -E: Log to stderr
+# -I: Idle timeout in seconds
+# -K: Keepalive interval in seconds
+# -p: Specify port (and optionally address)
+# -w: Disable root login (SHOULD NOT be implemented for initramfs)
+DROPBEAR_OPTIONS="-b /etc/dropbear/banner -E -I 300 -K 60 -p ${sshport}"
+
+# On local (non-NFS) mounts, interfaces matching this pattern are
+# brought down before exiting the ramdisk to avoid dirty network
+# configuration in the normal kernel.
+# The special value 'none' keeps all interfaces up and preserves routing
+# tables and addresses.
+#IFDOWN="*"
+
+# On local (non-NFS) mounts, the network stack and dropbear are started
+# asynchronously at init-premount stage.  This value specifies the
+# maximum number of seconds to wait (while the network/dropbear are
+# being configured) at init-bottom stage before terminating dropbear and
+# bringing the network down.
+# If the timeout is too short, and if the boot process is not blocking
+# on user input supplied via SSHd (ie no remote unlocking), then the
+# initrd might pivot to init(1) too early, thereby causing a race
+# condition between network configuration from initramfs vs from the
+# normal system.
+#DROPBEAR_SHUTDOWN_TIMEOUT=60
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f write_dropbear_conf
+
+dropbear_setup
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0040_ssh_config_setup.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -20,7 +20,7 @@ cat << EOF >> /etc/ssh/ssh_config.d/10-sshfp.conf
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

config/hooks/live/0050_activate_root.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -25,8 +25,8 @@ fi
 cd /root
 
 # shellcheck disable=SC2312
-cp /etc/shadow /root/.ciss/dlb/backup/shadow.bak."$(date +%F_%T)"
-chmod 0600 /root/.ciss/dlb/backup/shadow.bak.*
+cp /etc/shadow /root/.ciss/cdlb/backup/shadow.bak."$(date +%F_%T)"
+chmod 0600 /root/.ciss/cdlb/backup/shadow.bak.*
 
 declare hashed_pwd
 declare safe_hashed_pwd
@@ -37,15 +37,13 @@ sed -i "s|^root:[^:]*:\(.*\)|root:${safe_hashed_pwd}:\1|" /etc/shadow
 sed -i "s|^user:[^:]*:\(.*\)|user:${safe_hashed_pwd}:\1|" /etc/shadow
 unset hashed_pwd safe_hashed_pwd
 
-cat /etc/shadow
+if shred -fzu -n 5 /root/.pwd; then
 
-if shred -vfzu -n 5 /root/.pwd; then
-
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: -vfzu -n 5 >> done. \e[0m\n"
+  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n"
 
 else
 
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: -vfzu -n 5 >> NOT successful. \e[0m\n" >&2
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: shred -fzu -n 5 >> NOT successful. \e[0m\n" >&2
 
 fi
 

config/hooks/live/0080_keyboard_layout.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -21,6 +21,9 @@ XKBOPTIONS=""
 BACKSPACE="guess"
 EOF
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 dpkg-reconfigure -f noninteractive keyboard-configuration
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

config/hooks/live/0090_jitterentropy.chroot

@@ -1,11 +1,11 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -13,23 +13,20 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
-DEBIAN_FRONTEND=noninteractive \
-  apt-get update && \
-    DEBIAN_FRONTEND=noninteractive \
-      apt-get install -y --no-install-recommends \
-        -o Dpkg::Options::="--force-confdef" \
-        -o Dpkg::Options::="--force-confold" \
-        -t bookworm-backports \
-        btrfs-progs \
-        curl \
-        debootstrap \
-        iproute2 \
-        ncat \
-        nmap \
-        ssh \
-        systemd \
-        systemd-sysv \
-        whois
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+apt-get install -y --no-install-recommends jitterentropy-rngd
+
+cd /root
+
+mkdir -p /etc/systemd/system/jitterentropy-rngd.service.d
+
+cat << 'EOF' >> /etc/systemd/system/jitterentropy-rngd.service.d/override.conf
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/jitterentropy-rngd --osr=2
+EOF
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 

config/hooks/live/0120_set_hostname.chroot

@@ -5,17 +5,16 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
-mv /etc/hostname /root/.ciss/dlb/backup/hostname.bak
-mv /etc/mailname /root/.ciss/dlb/backup/mailname.bak
+mv /etc/hostname /root/.ciss/cdlb/backup/hostname.bak
+mv /etc/mailname /root/.ciss/cdlb/backup/mailname.bak
 
 cat << 'EOF' >| /etc/hostname
 live.local
@@ -28,7 +27,6 @@ localhost.local
 EOF
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0130_machineid.chroot

@@ -5,14 +5,13 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 cd /root
 if [[ -f /var/lib/dbus/machine-id ]]; then
@@ -22,7 +21,7 @@ fi
 cat << 'EOF' >| /var/lib/dbus/machine-id
 b08dfa6083e7567a1921a715000001fb
 EOF
-chmod 644 /var/lib/dbus/machine-id
+chmod 0644 /var/lib/dbus/machine-id
 
 if [[ -f /etc/machine-id ]]; then
   rm /etc/machine-id
@@ -34,7 +33,6 @@ EOF
 chmod 644 /etc/machine-id
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0400_eza_install.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -23,8 +23,10 @@ wget -qO- https://raw.githubusercontent.com/eza-community/eza/main/deb.asc | gpg
 echo "deb [signed-by=/etc/apt/keyrings/gierens.gpg] http://deb.gierens.de stable main" | tee /etc/apt/sources.list.d/gierens.list
 chmod 644 /etc/apt/keyrings/gierens.gpg /etc/apt/sources.list.d/gierens.list
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
-apt-get update
+export INITRD="No"
+apt-get update -qq
 apt-get install -y eza
 
 git clone https://github.com/eza-community/eza-themes.git

config/hooks/live/0800_lynis_setup.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -16,11 +16,453 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
 echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
-apt-get update
+export INITRD="No"
+apt-get update -qq
 apt-get install -y lynis
 lynis show version
 
+cat << EOF_LYNIS >| /etc/lynis/default.prf
+#################################################################################
+#
+#
+# Lynis - Default scan profile
+#
+#
+#################################################################################
+#
+#
+# This profile provides Lynis with most of its initial values to perform a
+# system audit.
+#
+#
+# WARNINGS
+# ----------
+#
+# Do NOT make changes to this file. Instead, copy only your changes into
+# the file custom.prf and put it in the same directory as default.prf
+#
+# To discover where your profiles are located: lynis show profiles
+#
+#
+# Lynis performs a strict check on profiles to avoid the inclusion of
+# possibly harmful injections. See include/profiles for details.
+#
+#
+#################################################################################
+#
+# All empty lines or with the # prefix will be skipped
+#
+#################################################################################
+
+# Use colored output
+colors=yes
+
+# Compressed uploads (set to zero when errors with uploading occur)
+compressed-uploads=yes
+
+# Amount of connections in WAIT state before reporting it as a suggestion
+#connections-max-wait-state=5000
+
+# Debug mode (for debugging purposes, extra data logged to screen)
+#debug=yes
+
+# Show non-zero exit code when warnings are found
+error-on-warnings=no
+
+# Use Lynis in your own language (by default auto-detected)
+language=
+
+# Log tests from another guest operating system (default: yes)
+#log-tests-incorrect-os=yes
+
+# Define if available NTP daemon is configured as a server or client on the network
+# values: server or client (default: client)
+#ntpd-role=client
+
+# Defines the role of the system (personal, workstation or server)
+machine-role=server
+
+# Ignore some stratum 16 hosts (for example when running as time source itself)
+#ntp-ignore-stratum-16-peer=127.0.0.1
+
+# Profile name, will be used as title/description
+profile-name=Default Audit Template
+
+# Number of seconds to pause between every test (0 is no pause)
+pause-between-tests=0
+
+# Quick mode (do not wait for keypresses)
+quick=yes
+
+# Refresh software repositories to help detecting vulnerable packages
+refresh-repositories=yes
+
+# Show solution for findings
+show-report-solution=yes
+
+# Show inline tips about the tool
+show-tool-tips=yes
+
+# Skip plugins
+skip-plugins=no
+
+# Skip a test (one per line)
+#skip-test=SSH-7408
+skip-test=KRNL-5788
+skip-test=KRNL-5830
+skip-test=AUTH-9229
+
+# Skip a particular option within a test (when applicable)
+#skip-test=SSH-7408:loglevel
+#skip-test=SSH-7408:permitrootlogin
+
+# Skip Lynis upgrade availability test (default: no)
+#skip-upgrade-test=yes
+
+# Locations where to search for SSL certificates (separate paths with a colon)
+ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/refind.d/keys:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www
+ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive:
+ssl-certificate-include-packages=no
+
+# Scan type - how deep the audit should be (light, normal or full)
+test-scan-mode=full
+
+# Verbose output
+verbose=no
+
+
+#################################################################################
+#
+# Plugins
+# ---------------
+# Define which plugins are enabled
+#
+# Notes:
+# - Nothing happens if plugin isn't available
+# - There is no order in execution of plugins
+# - See documentation about how to use plugins and phases
+# - Some are for Lynis Enterprise users only
+#
+#################################################################################
+
+# Lynis plugins to enable
+plugin=authentication
+plugin=compliance
+plugin=configuration
+plugin=control-panels
+plugin=crypto
+plugin=dns
+plugin=docker
+plugin=file-integrity
+plugin=file-systems
+plugin=firewalls
+plugin=forensics
+plugin=hardware
+plugin=intrusion-detection
+plugin=intrusion-prevention
+plugin=kernel
+plugin=malware
+plugin=memory
+plugin=nginx
+plugin=pam
+plugin=processes
+plugin=security-modules
+plugin=software
+plugin=system-integrity
+plugin=systemd
+plugin=users
+plugin=krb5
+
+# Disable a particular plugin (will overrule an enabled plugin)
+#disable-plugin=authentication
+
+#################################################################################
+#
+# Kernel options
+# ---------------
+# config-data=, followed by:
+#
+# - Type                     = Set to 'sysctl'
+# - Setting                  = value of sysctl key (e.g. kernel.sysrq)
+# - Expected value           = Preferred value for key (e.g. 0)
+# - Hardening Points         = Number of hardening points (typically 1 point per key) (1)
+# - Description              = Textual description about the sysctl key(Disable magic SysRQ)
+# - Related file or command  = For example, sysctl -a to retrieve more details
+# - Solution field           = Specifies more details or where to find them (url:URL, text:TEXT, or -)
+#
+#################################################################################
+
+# Config
+# - Type (sysctl)
+# - Setting (kernel.sysrq)
+# - Expected value (0)
+# - Hardening Points (1)
+# - Description (Disable magic SysRQ)
+# - Related file or command (sysctl -a)
+# - Solution field (url:URL, text:TEXT, or -)
+
+# Processes
+config-data=sysctl;security.bsd.see_other_gids;0;1;Groups only see their own processes;sysctl -a;-;category:security;
+config-data=sysctl;security.bsd.see_other_uids;0;1;Users only see their own processes;sysctl -a;-;category:security;
+config-data=sysctl;security.bsd.stack_guard_page;1;1;Enable stack smashing protection (SSP)/ProPolice to defend against possible buffer overflows;-;category:security;
+config-data=sysctl;security.bsd.unprivileged_proc_debug;0;1;Unprivileged processes can not use process debugging;sysctl -a;-;category:security;
+config-data=sysctl;security.bsd.unprivileged_read_msgbuf;0;1;Unprivileged processes can not read the kernel message buffer;sysctl -a;-;category:security;
+
+# Kernel
+config-data=sysctl;fs.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
+config-data=sysctl;fs.protected_fifos;2;1;Restrict FIFO special device creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
+config-data=sysctl;fs.protected_hardlinks;1;1;Restrict hardlink creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
+config-data=sysctl;fs.protected_regular;2;1;Restrict regular files creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
+config-data=sysctl;fs.protected_symlinks;1;1;Restrict symlink following behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
+#config-data=sysctl;kern.randompid=2345;Randomize PID numbers with a specific modulus;sysctl -a;-;category:security;
+config-data=sysctl;kern.sugid_coredump;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.core_setuid_ok;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.core_uses_pid;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.ctrl-alt-del;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.dmesg_restrict;1;1;Restrict use of dmesg;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.exec-shield-randomize;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.exec-shield;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.maps_protect;1;1;Restrict access to /proc/[pid]/maps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.modules_disabled;1;1;Restrict module loading once this sysctl value is loaded;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.perf_event_paranoid;2|3|4;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.randomize_va_space;2;1;Randomize of memory address locations (ASLR);sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.unprivileged_bpf_disabled;1;1;Restrict BPF for unprivileged users;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.use-nx;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.yama.ptrace_scope;1|2|3;1;Disable process tracing for everyone;-;category:security;
+
+# Network
+config-data=sysctl;net.core.bpf_jit_harden;2;1;Hardened BPF JIT compilation;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;net.inet.ip.linklocal.in.allowbadttl;0;
+config-data=sysctl;net.inet.tcp.always_keepalive;0;1;Disable TCP keep alive detection for dead peers as the keepalive can be spoofed;-;category:security;
+#config-data=sysctl;net.inet.tcp.fast_finwait2_recycle;1;1;Recycle FIN/WAIT states more quickly (DoS mitigation step, with risk of false RST);-;category:security;
+config-data=sysctl;net.inet.tcp.nolocaltimewait;1;1;Remove the TIME_WAIT state for loopback interface;-;category:security;
+config-data=sysctl;net.inet.tcp.path_mtu_discovery;0;1;Disable MTU discovery as many hosts drop the ICMP type 3 packets;-;category:security;
+config-data=sysctl;net.inet.icmp.bmcastecho;0;1;Ignore ICMP packets directed to broadcast address;-;category:security;
+config-data=sysctl;net.inet.tcp.icmp_may_rst;0;1;ICMP may not send RST to avoid spoofed ICMP/UDP floods;-;category:security;
+config-data=sysctl;net.inet.icmp.drop_redirect;1;1;Do not allow redirected ICMP packets;-;category:security;
+config-data=sysctl;net.inet.icmp.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security;
+config-data=sysctl;net.inet.icmp.timestamp;0;1;Disable timestamps;-;category:security;
+config-data=sysctl;net.inet.ip.accept_sourceroute;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.inet.ip.check_interface;1;1;Verify that a packet arrived on the right interface;-;category:security;
+config-data=sysctl;net.inet.ip.forwarding;0;1;Do not allow forwarding of traffic;-;category:security;
+config-data=sysctl;net.inet.ip.process_options;0;1;Ignore any IP options in the incoming packets;-;category:security;
+config-data=sysctl;net.inet.ip.random_id;1;1;Use a random IP id to each packet leaving the system;-;category:security;
+config-data=sysctl;net.inet.ip.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.inet.ip.sourceroute;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.inet.ip6.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.inet.tcp.blackhole;2;1;Do not sent RST but drop traffic when delivered to closed TCP port;-;category:security;
+config-data=sysctl;net.inet.tcp.drop_synfin;1;1;SYN/FIN packets will be dropped on initial connection;-;category:security;
+config-data=sysctl;net.inet.udp.blackhole;1;1;Do not sent RST but drop traffic when delivered to closed UDP port;-;category:security;
+config-data=sysctl;net.inet6.icmp6.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security;
+config-data=sysctl;net.inet6.ip6.forwarding;0;1;Do not allow forwarding of traffic;-;category:security;
+config-data=sysctl;net.inet6.ip6.fw.enable;1;1;Enable filtering;-;category:security;
+config-data=sysctl;net.inet6.ip6.redirect;0;1;Disable sending ICMP redirect routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.bootp_relay;0;1;Do not relay BOOTP packets;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.forwarding;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.log_martians;1;1;Log all packages for which the host does not have a path back to the source;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.mc_forwarding;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.proxy_arp;0;1;Do not relay ARP packets;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.rp_filter;1;1;Enforce ingress/egress filtering for packets;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.send_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.default.log_martians;1;1;Log all packages for which the host does not have a path back to the source;-;category:security;
+config-data=sysctl;net.ipv4.icmp_echo_ignore_broadcasts;1;1;Ignore ICMP packets directed to broadcast address;-;category:security;
+config-data=sysctl;net.ipv4.icmp_ignore_bogus_error_responses;1;1;Ignore-;category:security;
+#config-data=sysctl;net.ipv4.ip_forward;0;1;Do not forward traffic;-;category:security;
+config-data=sysctl;net.ipv4.tcp_syncookies;1;1;Use SYN cookies to prevent SYN attack;-;category:security;
+config-data=sysctl;net.ipv4.tcp_timestamps;0|1;1;Disable TCP time stamps or enable them with different offsets;-;category:security;
+config-data=sysctl;net.ipv6.conf.all.send_redirects;0;1;Disable/ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv6.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv6.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv6.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv6.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security;
+
+# Other
+config-data=sysctl;dev.tty.ldisc_autoload;0;1;Disable loading of TTY line disciplines;-;category:security;
+config-data=sysctl;hw.kbd.keymap_restrict_change;4;1;Disable changing the keymap by non-privileged users;-;category:security;
+#sysctl;kern.securelevel;1^2^3;1;FreeBSD security level;
+#security.jail.jailed; 0
+#security.jail.jail_max_af_ips; 255
+#security.jail.mount_allowed; 0
+#security.jail.chflags_allowed; 0
+#security.jail.allow_raw_sockets; 0
+#security.jail.enforce_statfs; 2
+#security.jail.sysvipc_allowed; 0
+#security.jail.socket_unixiproute_only; 1
+#security.jail.set_hostname_allowed; 1
+#security.bsd.suser_enabled; 1
+#security.bsd.unprivileged_proc_debug; 1
+#security.bsd.conservative_signals; 1
+#security.bsd.unprivileged_read_msgbuf; 1
+#security.bsd.unprivileged_get_quota; 0
+config-data=sysctl;security.bsd.hardlink_check_gid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other groups;-;category:security;
+config-data=sysctl;security.bsd.hardlink_check_uid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other users;-;category:security;
+
+
+#################################################################################
+#
+# permfile
+# ---------------
+# permfile=file name:file permissions:owner:group:action:
+# Action = NOTICE or WARN
+# Examples:
+# permfile=/etc/test1.dat:600:root:wheel:NOTICE:
+# permfile=/etc/test1.dat:640:root:-:WARN:
+#
+#################################################################################
+
+#permfile=/etc/inetd.conf:rw-------:root:-:WARN:
+#permfile=/etc/fstab:rw-r--r--:root:-:WARN:
+permfile=/boot/grub/grub.cfg:rw-------:root:root:WARN:
+permfile=/boot/grub2/grub.cfg:rw-------:root:root:WARN:
+permfile=/boot/grub2/user.cfg:rw-------:root:root:WARN:
+permfile=/etc/at.allow:rw-------:root:-:WARN:
+permfile=/etc/at.deny:rw-------:root:-:WARN:
+permfile=/etc/cron.allow:rw-------:root:-:WARN:
+permfile=/etc/cron.deny:rw-------:root:-:WARN:
+permfile=/etc/crontab:rw-------:root:-:WARN:
+permfile=/etc/group:rw-r--r--:root:-:WARN:
+permfile=/etc/group-:rw-r--r--:root:-:WARN:
+permfile=/etc/hosts.allow:rw-r--r--:root:root:WARN:
+permfile=/etc/hosts.deny:rw-r--r--:root:root:WARN:
+permfile=/etc/issue:rw-r--r--:root:root:WARN:
+permfile=/etc/issue.net:rw-r--r--:root:root:WARN:
+permfile=/etc/lilo.conf:rw-------:root:-:WARN:
+permfile=/etc/motd:rw-r--r--:root:root:WARN:
+permfile=/etc/passwd:rw-r--r--:root:-:WARN:
+permfile=/etc/passwd-:rw-r--r--:root:-:WARN:
+permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN:
+permfile=/etc/hosts.equiv:rw-r--r--:root:root:WARN:
+permfile=/etc/shosts.equiv:rw-r--r--:root:root:WARN:
+permfile=/root/.rhosts:rw-------:root:root:WARN:
+permfile=/root/.rlogin:rw-------:root:root:WARN:
+permfile=/root/.shosts:rw-------:root:root:WARN:
+
+# These permissions differ by OS
+#permfile=/etc/gshadow:---------:root:-:WARN:
+#permfile=/etc/gshadow-:---------:root:-:WARN:
+#permfile=/etc/shadow:---------:root:-:WARN:
+#permfile=/etc/shadow-:---------:root:-:WARN:
+
+
+#################################################################################
+#
+# permdir
+# ---------------
+# permdir=directory name:file permissions:owner:group:action when permissions are different:
+#
+#################################################################################
+
+permdir=/root/.ssh:rwx------:root:-:WARN:
+permdir=/etc/cron.d:rwx------:root:root:WARN:
+permdir=/etc/cron.daily:rwx------:root:root:WARN:
+permdir=/etc/cron.hourly:rwx------:root:root:WARN:
+permdir=/etc/cron.weekly:rwx------:root:root:WARN:
+permdir=/etc/cron.monthly:rwx------:root:root:WARN:
+
+
+# Ignore some specific home directories
+# One directory per line; directories will be skipped for home directory specific
+# checks, like file permissions, SSH and other configuration files
+#ignore-home-dir=/home/user
+
+
+# Allow promiscuous interfaces
+#   <option>:<promiscuous interface name>:<description>:
+#if_promisc:pflog0:pf log daemon interface:
+
+
+# The URL prefix and append to the URL for controls or your custom tests
+# Link will be formed as {control-url-protocol}://{control-url-prepend}CONTROL-ID{control-url-append}
+#control-url-protocol=https
+#control-url-prepend=cisofy.com/control/
+#control-url-append=/
+
+# The URL prefix and append to URL's for your custom tests
+#custom-url-protocol=https
+#custom-url-prepend=your-domain.example.org/control-info/
+#custom-url-append=/
+
+
+#################################################################################
+#
+# Operating system specific
+# -------------------------
+#
+#################################################################################
+
+# Skip the FreeBSD portaudit test
+#freebsd-skip-portaudit=yes
+
+# Skip security repository check for Debian based systems
+#debian-skip-security-repository=yes
+
+
+
+#################################################################################
+#
+# Lynis Enterprise options
+# ------------------------
+#
+#################################################################################
+
+# Allow this system to be purged when it is outdated (default: not defined).
+# This is useful for ephemeral systems which are short-lived.
+#allow-auto-purge=yes
+
+# Sometimes it might be useful to override the host identifiers.
+# Use only hexadecimal values (0-9, a-f), with 40 and 64 characters in length.
+#
+#hostid=40-char-hash
+#hostid2=64-char-hash
+
+# Lynis Enterprise license key
+license-key=
+
+# Proxy settings
+# Protocol (http, https, socks5)
+#proxy-protocol=https
+
+# Proxy server
+#proxy-server=10.0.1.250
+
+# Define proxy port to use
+#proxy-port=3128
+
+# Define the group names to link to this system (preferably single words). Default setting: append
+# To clear groups before assignment, add 'action:clear' as last groupname
+#system-groups=groupname1,groupname2,groupname3
+
+# Define which compliance standards are audited and reported on. Disable this if not required.
+compliance-standards=cis,hipaa,iso27001,pci-dss
+
+# Provide the name of the customer/client
+#system-customer-name=mycustomer
+
+# Upload data to central server
+upload=no
+
+# The hostname/IP address to receive the data
+upload-server=
+
+# Provide options to cURL (or other upload tool) when uploading data.
+# upload-options=--insecure (use HTTPS, but skip certificate check for self-signed certificates)
+upload-options=
+
+# Link one or more tags to a system
+#tags=db,production,ssn-1304
+
+#EOF
+EOF_LYNIS
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0

config/hooks/live/0810_chrony_setup.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -15,15 +15,17 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 
 mkdir -p /var/log/chrony
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 export TZ="Etc/UTC"
 
 apt-get install -y adjtimex chrony tzdata
 
 systemctl enable chrony.service
 
-mv /etc/chrony/chrony.conf /root/.ciss/dlb/backup/chrony.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/chrony.conf.bak
+mv /etc/chrony/chrony.conf /root/.ciss/cdlb/backup/chrony.conf.bak
+chmod 0644 /root/.ciss/cdlb/backup/chrony.conf.bak
 
 cat << EOF >| /etc/chrony/chrony.conf
 # SPDX-Version: 3.0
@@ -32,7 +34,7 @@ cat << EOF >| /etc/chrony/chrony.conf
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -50,13 +52,13 @@ log tracking measurements statistics
 
 authselectmode require
 
-server ntp.ripe.net      iburst nts minpoll 5 maxpoll 9
+# server ntp.ripe.net      iburst nts minpoll 5 maxpoll 9
 server ptbtime3.ptb.de   iburst nts minpoll 5 maxpoll 9
 server ptbtime2.ptb.de   iburst nts minpoll 5 maxpoll 9
 server ptbtime1.ptb.de   iburst nts minpoll 5 maxpoll 9
-server ntp13.metas.ch    iburst nts minpoll 5 maxpoll 9
-server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9
-server sth1.ntp.se       iburst nts minpoll 5 maxpoll 9
+# server ntp13.metas.ch    iburst nts minpoll 5 maxpoll 9
+# server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9
+# server sth1.ntp.se       iburst nts minpoll 5 maxpoll 9
 server ntp0.fau.de       iburst nts minpoll 5 maxpoll 9
 
 leapsectz right/UTC
@@ -110,6 +112,8 @@ if [[ -e /usr/share/zoneinfo/right/UTC ]]; then
 
 fi
 
+chronyd -Q -f /etc/chrony/chrony.conf 2>&1
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0

config/hooks/live/0820_kernel_hardening_checker.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

config/hooks/live/0822_ssh_restart_hook.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -13,36 +13,17 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
-cd /root
-declare target_script="/etc/cron.d/restart-ssh"
+mkdir -p /etc/systemd/system/ssh.service.d
 
-cat << 'EOF' >| "${target_script}"
-@reboot root /usr/local/bin/restart-ssh.sh
+cat << EOF >| /etc/systemd/system/ssh.service.d/10-ciss-network.conf
+[Unit]
+After=network-online.target ufw.service fail2ban.service
+Wants=network-online.target
+
+[Service]
+ExecStartPre=/bin/sleep 5
 EOF
 
-chmod 0644 "${target_script}"
-
-cat << 'EOF' >| /usr/local/bin/restart-ssh.sh
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-# Script to restart SSH at boot
-systemctl stop ssh
-sleep 5
-systemctl start ssh
-EOF
-
-chmod +x /usr/local/bin/restart-ssh.sh
-
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0

config/hooks/live/0825_my_sqltuner_perl.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

config/hooks/live/0830_download_yq.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

config/hooks/live/0835_testssl.sh.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -13,7 +13,9 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && \
 apt-get install -y nodejs
 

config/hooks/live/0845_harbian_audit.chroot

@@ -5,20 +5,18 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 cd /root/git
 git clone https://github.com/hardenedlinux/harbian-audit.git
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0850_ssh_audit.chroot

@@ -5,20 +5,18 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 cd /root/git
 git clone https://github.com/jtesta/ssh-audit.git
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0855_dnsviz.chroot

@@ -5,20 +5,18 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 cd /root/git
 git clone https://github.com/dnsviz/dnsviz.git
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0860_sops.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -13,7 +13,9 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
-export DEBIAN_FRONTEND=noninteractive
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 
 SOPS_VER="v3.11.0"
 ARCH="$(dpkg --print-architecture)"
@@ -39,14 +41,16 @@ cosign verify-blob "sops-${SOPS_VER}.checksums.txt" \
 sha256sum -c "sops-${SOPS_VER}.checksums.txt" --ignore-missing
 
 install -m 0755 "${SOPS_FILE}" /usr/local/bin/sops
-sops --version --check-for-updates
-age --version
+sops --version --check-for-updates >| /root/.ciss/cdlb/log/sops.log
+age --version                      >| /root/.ciss/cdlb/log/age.log
 
 rm -f "/tmp/${SOPS_FILE}"
 rm -f "/tmp/sops-${SOPS_VER}.checksums.txt"
 rm -f "/tmp/sops-${SOPS_VER}.checksums.pem"
 rm -f "/tmp/sops-${SOPS_VER}.checksums.sig"
 
+chmod 0400 /root/.config/sops/age/keys.txt
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0

config/hooks/live/0865_yq.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -13,17 +13,13 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
-apt-get install -y --no-install-recommends haveged
+export INITRD="No"
 
-cd /root
-cat << 'EOF' >| /etc/default/haveged
-# Configuration file for haveged
-
-# Options to pass to haveged:
-DAEMON_ARGS="-w 2048 -v 1"
-EOF
+wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/local/bin/yq && chmod +x /usr/local/bin/yq
 
+yq --version
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 

config/hooks/live/0870_bashdb.chroot

@@ -0,0 +1,37 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+umask 0077
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+
+apt-get install -y texinfo
+
+cd /root/git
+git clone https://github.com/Trepan-Debuggers/bashdb.git
+cd /root/git/bashdb
+./autogen.sh
+make
+
+apt-get purge -y texinfo
+apt-get autoremove --purge -y
+apt-get autoclean -y
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0900_ufw_setup.chroot

@@ -5,17 +5,16 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 declare -r UFW_OUT_POLICY="deny"
-declare -r SSHPORT="MUST_BE_SET"
+declare -r SSHPORT="SSHPORT_MUST_BE_SET"
 
 ufw --force reset
 
@@ -42,6 +41,7 @@ if [[ ${UFW_OUT_POLICY,,} == "deny"  ]]; then
   ufw allow out  443/tcp comment 'Outgoing HTTPS'
   ufw allow out  465/tcp comment 'Outgoing SMTPS'
   ufw allow out  587/tcp comment 'Outgoing SMTPS'
+  ufw allow out  853/tcp comment 'Outgoing DoT'
   ufw allow out  993/tcp comment 'Outgoing IMAPS'
   ufw allow out 4460/tcp comment 'Outgoing NTS'
   ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH (Custom-Port)'
@@ -51,6 +51,7 @@ if [[ ${UFW_OUT_POLICY,,} == "deny"  ]]; then
   ufw allow out  853/udp comment 'Outgoing DoQ'
 fi
 
+### Allowing ICMP IPv4 outgoing per default.
 sed -i "/# ok icmp code for FORWARD/i \# ok icmp codes for OUTPUT" /etc/ufw/before.rules
 sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" /etc/ufw/before.rules
 sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" /etc/ufw/before.rules
@@ -61,7 +62,6 @@ sed -i 's/^ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf
 ln -sf /lib/systemd/system/ufw.service /etc/systemd/system/multi-user.target.wants/ufw.service
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9900_process_accounting.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -13,7 +13,9 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 apt-get install -y acct
 
 if [[ ! -d /etc/systemd/system/multi-user.target.wants ]]; then

config/hooks/live/9910_motd.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -13,8 +13,8 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
-mkdir -p /root/.ciss/dlb/backup/update-motd.d
-cp -af /etc/update-motd.d/* /root/.ciss/dlb/backup/update-motd.d
+mkdir -p /root/.ciss/cdlb/backup/update-motd.d
+cp -af /etc/update-motd.d/* /root/.ciss/cdlb/backup/update-motd.d
 
 cat << 'EOF' >| /etc/update-motd.d/10-uname
 #!/bin/sh

config/hooks/live/9920_deleting_invalid_x509.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -14,7 +14,7 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
 declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt")
-declare backup_dir="/root/.ciss/dlb/backup/certificates"
+declare backup_dir="/root/.ciss/cdlb/backup/certificates"
 declare current_date
 current_date=$(date +%s)
 declare -ax expired_certificates=()

config/hooks/live/9930_hardening_ssh.chroot

@@ -5,36 +5,57 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+declare _key=""
+
+cd /etc/ssh
 
-cd /etc/ssh || {
-  printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
-}
 rm -rf ssh_host_*key*
 
-# shellcheck disable=SC2312
-ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
-# shellcheck disable=SC2312
-ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
+if [[ -d /root/ssh ]]; then
 
-awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
-rm -rf /etc/ssh/moduli
-mv /etc/ssh/moduli.safe /etc/ssh/moduli
+  if compgen -G "/root/ssh/ssh_host_*" > /dev/null; then
+    mv -t /etc/ssh -- /root/ssh/ssh_host_*
+  fi
+
+  if compgen -G "/root/ssh/*sha256sum.txt" > /dev/null; then
+    mv -t /etc/ssh -- /root/ssh/*sha256sum.txt
+  fi
+
+  rm -rf /root/ssh
+
+else
+
+  # shellcheck disable=SC2312
+  ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
+
+  # shellcheck disable=SC2312
+  ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
+
+fi
 
 chmod 0600 /etc/ssh/ssh_host_*_key
 chown root:root /etc/ssh/ssh_host_*_key
 chmod 0644 /etc/ssh/ssh_host_*_key.pub
 chown root:root /etc/ssh/ssh_host_*_key.pub
 
-chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config
+if compgen -G "/etc/ssh/*sha256sum.txt" > /dev/null; then
+  chmod 0440 /etc/ssh/*sha256sum.txt
+  chown root:root /etc/ssh/*sha256sum.txt
+fi
+
+awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
+rm -rf /etc/ssh/moduli
+mv /etc/ssh/moduli.safe /etc/ssh/moduli
+
+chmod 0600 /etc/ssh/sshd_config /etc/ssh/ssh_config
 
-touch /root/sshfp
 ssh-keygen -r @ >| /root/sshfp
 
 ###########################################################################################
@@ -51,7 +72,7 @@ cat << 'EOF' >| /etc/profile.d/idle-users.sh
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -77,6 +98,23 @@ Requires=ufw.service
 EOF
 chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
 
+### Final checks. Verify host keys after installation.
+if command -v ssh-keygen >/dev/null 2>&1; then
+
+  for _key in /etc/ssh/ssh_host_*key; do
+
+    ### Only consider regular files
+    [[ -f "${_key}" ]] || continue
+
+    ssh-keygen -lf "${_key}" >/dev/null || exit 42
+    ssh-keygen -yf "${_key}" >/dev/null || exit 42
+
+  done
+
+fi
+
+/usr/sbin/sshd -t || exit 42
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0

config/hooks/live/9935_hardening_ssh.chroot.tmpl

@@ -1,93 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-set -Ceuo pipefail
-
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-
-cd /etc/ssh || {
-  printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
-}
-
-cat << 'EOF' >| ssh_host_ed25519_key
-{{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
-EOF
-
-cat << 'EOF' >| ssh_host_ed25519_key.pub
-{{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
-EOF
-
-cat << 'EOF' >| ssh_host_rsa_key
-{{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
-EOF
-
-cat << 'EOF' >| ssh_host_rsa_key.pub
-{{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
-EOF
-
-awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
-rm -rf /etc/ssh/moduli
-mv /etc/ssh/moduli.safe /etc/ssh/moduli
-
-chmod 0600 /etc/ssh/ssh_host_*_key
-chown root:root /etc/ssh/ssh_host_*_key
-chmod 0644 /etc/ssh/ssh_host_*_key.pub
-chown root:root /etc/ssh/ssh_host_*_key.pub
-
-chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config
-
-touch /root/sshfp
-ssh-keygen -r @ >| /root/sshfp
-
-###########################################################################################
-# Remarks: The file /etc/profile.d/idle-users.sh is created to set two read-only          #
-# environment variables: TMOUT and HISTFILE.                                              #
-# TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
-# readonly HISTFILE ensures that the command history cannot be changed.                   #
-# The chmod +x command ensures that the file is executed in every shell session.          #
-###########################################################################################
-cat << 'EOF' >| /etc/profile.d/idle-users.sh
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-case $- in
-  *i*)
-    TMOUT=14400
-    export TMOUT
-    readonly TMOUT
-  ;;
-esac
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
-EOF
-
-chmod +x /etc/profile.d/idle-users.sh
-
-mkdir -p /etc/systemd/system/ssh.service.d
-cat << 'EOF' >| /etc/systemd/system/ssh.service.d/override.conf
-[Unit]
-After=ufw.service
-Requires=ufw.service
-EOF
-chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
-
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-
-exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9935_hardening_ssl.chroot

@@ -0,0 +1,454 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-12-03; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+mkdir -p /root/.ciss/cdlb/backup/etc/ssl
+
+mv /etc/ssl/openssl.cnf /root/.ciss/cdlb/backup/etc/ssl/openssl.cnf.bak
+
+cat << 'EOF' >| /etc/ssl/openssl.cnf
+#
+# OpenSSL example configuration file.
+# See doc/man5/config.pod for more information.
+#
+# This is mostly being used for generation of certificate requests,
+# but may be used for autoloading of providers
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+openssl_conf = default_conf
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+
+# Use this to automatically load providers.
+openssl_conf = openssl_init
+
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
+# Extra OBJECT IDENTIFIER information:
+# oid_file       = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+# We can add new OIDs in here for use by 'ca,' 'req,' and 'ts.'
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+# For FIPS
+# Optionally include a file that is generated by the OpenSSL fipsinstall
+# application. This file contains configuration data required by the OpenSSL
+# fips provider. It contains a named section e.g., [fips_sect] which is
+# referenced from the [provider_sect] below.
+# Refer to the OpenSSL security policy for more information.
+# .include fipsmodule.cnf
+
+[openssl_init]
+providers = provider_sect
+
+# List of providers to load
+[provider_sect]
+default = default_sect
+# The fips section name should match the section name inside the
+# included fipsmodule.cnf.
+# fips = fips_sect
+
+# If no providers are activated explicitly, the default one is activated implicitly.
+# See man 7 OSSL_PROVIDER-default for more details.
+#
+# If you add a section explicitly activating any other provider(s), you most
+# probably need to explicitly activate the default provider, otherwise it
+# becomes unavailable in openssl.  As a consequence, applications depending on
+# OpenSSL may not work correctly, which could lead to significant system
+# problems including inability to remotely access the system.
+[default_sect]
+# activate = 1
+
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of several certs with the same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem # The private key
+
+x509_extensions	= usr_cert		# The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= default		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few different ways of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that.
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 4096
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extensions to add to the self-signed cert
+
+# Passwords for private keys if not present, they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2-letter code)
+countryName_default		= AU
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Some-State
+
+localityName			= Locality Name (e.g., city)
+
+0.organizationName		= Organization Name (e.g., company)
+0.organizationName_default	= Internet Widgits Pty Ltd
+
+# we can do this, but it is unnecessary normally
+#1.organizationName		= Second Organization Name (e.g., company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (e.g., section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (e.g., server FQDN or YOUR name)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines, but some CAs do it, and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated, according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However, since it will
+# prevent it being used as a test self-signed certificate, it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines, but some CAs do it, and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated, according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1	# the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir		= ./demoCA		# TSA root directory
+serial		= $dir/tsaserial	# The current serial number (mandatory)
+crypto_device	= builtin		# OpenSSL engine to use for signing
+signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
+					# (optional)
+certs		= $dir/cacert.pem	# Certificate chain to include in reply
+					# (optional)
+signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest  = sha256			# Signing digest to use. (Optional)
+default_policy	= tsa_policy1		# Policy if request did not specify it
+					# (optional)
+other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
+accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
+clock_precision_digits  = 0	# number of digits after dot. (optional)
+ordering		= yes	# Is ordering defined for timestamps?
+				# (optional, default: no)
+tsa_name		= yes	# Must the TSA name be included in the reply?
+				# (optional, default: no)
+ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+				# (optional, default: no)
+ess_cert_id_alg		= sha256	# algorithm to compute certificate
+				# identifier (optional, default: sha256)
+
+[insta] # CMP using Insta Demo CA
+# Message transfer
+server = pki.certificate.fi:8700
+# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
+# tls_use = 0
+path = pkix/
+
+# Server authentication
+recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
+ignore_keyusage = 1 # quirk needed to accept Insta CA cert not including digitalsignature
+unprotected_errors = 1 # quirk needed to accept negative responses possibly not protected
+extracertsout = insta.extracerts.pem
+
+# Client authentication
+ref = 3078 # user identification
+secret = pass:insta # can be used for both client and server side
+
+# Generic message options
+cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
+
+# Certificate enrollment
+subject = "/CN=openssl-cmp-test"
+newkey = insta.priv.pem
+out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature
+certout = insta.cert.pem
+
+[pbm] # Password-based protection for Insta CA
+# Server and client authentication
+ref = $insta::ref # 3078
+secret = $insta::secret # pass:insta
+
+[signature] # Signature-based protection for Insta CA
+# Server authentication
+trusted = $insta::out_trusted # apps/insta.ca.crt
+
+# Client authentication
+secret = # disable the PBM
+key = $insta::newkey # insta.priv.pem
+cert = $insta::certout # insta.cert.pem
+
+[ir]
+cmd = ir
+
+[cr]
+cmd = cr
+
+[kur]
+# Certificate update
+cmd = kur
+oldcert = $insta::certout # insta.cert.pem
+
+[rr]
+# Certificate revocation
+cmd = rr
+oldcert = $insta::certout # insta.cert.pem
+
+##### Added by CISS.debian.live.builder #####
+[default_conf]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+# Protocol floor / ceiling:
+# - only TLS 1.2 and 1.3.
+# - TLS 1.3 is FS by design;
+# - TLS 1.2 FS enforced via the cipher list.
+MinProtocol = TLSv1.2
+MaxProtocol = TLSv1.3
+
+# TLS 1.2 cipher policy:
+# - Forward secrecy only: ECDHE or DHE (no static RSA kx);
+# - AES-256 *GCM* only (no DHE (dheatattack), no AES-128, no CBC);
+# - Keep distro default SECLEVEL=2 explicitly.
+CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:ECDHE+ARIA256-GCM:ECDHE+CAMELLIA256-GCM:!kRSA:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2
+
+# TLS 1.3 cipher policy: AES-256 and ChaCha20-Poly1305 only:
+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+
+# Prefer strong, widely supported ECDHE groups (first = most preferred):
+Groups = X448:P-521:P-384
+
+SignatureAlgorithms = rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
+
+# Operational flags:
+# -SessionTicket  : disable TLS session tickets (TLS 1.2 + 1.3)
+# ServerPreference: honor server cipher order (TLS 1.2)
+# NoRenegotiation : disallow TLS 1.2 renegotiation
+Options = -SessionTicket,ServerPreference,NoRenegotiation
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9940_hardening_memory.dump.chroot

@@ -1,11 +1,11 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -13,27 +13,74 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
-cp -u /etc/security/limits.conf /root/.ciss/dlb/backup/limits.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/limits.conf.bak
+cp -u /etc/security/limits.conf /root/.ciss/cdlb/backup/limits.conf.bak
+chmod 0644 /root/.ciss/cdlb/backup/limits.conf.bak
 
-grep -Eq '^[[:space:]]*\*[[:space:]]+soft[[:space:]]+core[[:space:]]+0[[:space:]]*$' /etc/security/limits.conf \
-  || sed -i -E '/^[[:space:]]*#?[[:space:]]*soft[[:space:]]+core[[:space:]]+0[[:space:]]*$/ i\*               soft    core            0' /etc/security/limits.conf
+### Comment any existing active core settings to avoid conflicts, both soft/hard, any domain including "*".
+sed -i -E '
+/^[[:space:]]*\*[[:space:]]+soft[[:space:]]+core[[:space:]]+0[[:space:]]*$/d
+/^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0[[:space:]]*$/d
+/^[[:space:]]*#\*               soft    core            0$/d
+/^[[:space:]]*#root            hard    core            100000$/d
+/^[[:space:]]*#\*               hard    rss             10000$/d
+/^[[:space:]]*#@student        hard    nproc           20$/d
+/^[[:space:]]*#@faculty        soft    nproc           20$/d
+/^[[:space:]]*#@faculty        hard    nproc           50$/d
+/^[[:space:]]*#ftp             hard    nproc           0$/d
+/^[[:space:]]*#ftp             -       chroot          \/ftp$/d
+/^[[:space:]]*#@student        -       maxlogins       4$/d
+/^[[:space:]]*# End of file/i\
+*               soft    core            0\
+*               hard    core            0
+' /etc/security/limits.conf
 
-grep -Eq '^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0[[:space:]]*$' /etc/security/limits.conf \
-  || sed -i -E '/^[[:space:]]*#?[[:space:]]*root[[:space:]]+hard[[:space:]]+core[[:space:]]+100000[[:space:]]*$/ i\*               hard    core            0' /etc/security/limits.conf
+mkdir -p /etc/systemd/coredump.conf.d
+mkdir -p /etc/security/limits.d
 
-if [[ ! -d /etc/systemd/coredump.conf.d ]]; then
+cat << EOF >| /etc/security/limits.d/9999-ciss-coredump-disable.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
 
-  mkdir -p /etc/systemd/coredump.conf.d
+*               soft    core            0
+*               hard    core            0
+root            soft    core            0
+root            hard    core            0
 
-fi
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+chmod 0644 /etc/security/limits.d/9999-ciss-coredump-disable.conf
+
+cat << EOF >| /etc/systemd/coredump.conf.d/9999-ciss-coredump-disable.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
 
-touch /etc/systemd/coredump.conf.d/disable.conf
-chmod 0644 /etc/systemd/coredump.conf.d/disable.conf
-cat << EOF >| /etc/systemd/coredump.conf.d/disable.conf
 [Coredump]
 Storage=none
+ProcessSizeMax=0
+ExternalSizeMax=0
+JournalSizeMax=0
+MaxUse=0
+KeepFree=0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
+chmod 0644 /etc/systemd/coredump.conf.d/9999-ciss-coredump-disable.conf
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 

config/hooks/live/9950_fail2ban_hardening.chroot

@@ -1,146 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-set -Ceuo pipefail
-
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-
-cd /root
-
-cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/dlb/backup/fail2ban.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/fail2ban.conf.bak
-
-### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
-sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
-
-mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/defaults-debian.conf.bak
-
-cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
-# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-[DEFAULT]
-usedns    = yes
-# local | vpn
-ignoreip  = 127.0.0.0/8 ::1 MUST_BE_SET
-maxretry  = 8
-findtime  = 24h
-bantime   = 24h
-
-### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
-###               Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]
-
-[sshd]
-enabled   = true
-backend   = systemd
-filter    = sshd
-mode      = normal
-port      = MUST_BE_SET
-protocol  = tcp
-logpath   = /var/log/auth.log
-maxretry  = 4
-findtime  = 24h
-bantime   = 24h
-
-[sshd-refused]
-enabled   = true
-filter    = sshd-refused
-port      = MUST_BE_SET
-protocol  = tcp
-logpath   = /var/log/auth.log
-maxretry  = 1
-findtime  = 24h
-bantime   = 24h
-
-# ufw aggressive approach:
-# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
-# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after one attempt.
-
-[ufw]
-enabled   = true
-filter    = ufw.aggressive
-action    = iptables-allports
-logpath   = /var/log/ufw.log
-maxretry  = 1
-findtime  = 24h
-bantime   = 24h
-protocol  = tcp,udp
-
-EOF
-
-cat << EOF >| /etc/fail2ban/filter.d/ufw.aggressive.conf
-[Definition]
-failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*
-EOF
-
-cat << EOF >| /etc/fail2ban/filter.d/sshd-refused.conf
-[Definition]
-failregex = ^refused connect from \S+ \(<HOST>\)
-EOF
-
-###########################################################################################
-# Remarks: hardening of fail2ban systemd                                                  #
-###########################################################################################
-# https://wiki.archlinux.org/title/fail2ban#Service_hardening                             #
-# The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read  #
-# access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to     #
-# operate # on any firewall that has a command-line shell interface. By using             #
-# ProtectSystem=strict the filesystem hierarchy will only be read-only; ReadWritePaths    #
-# allows Fail2ban to have write access on required paths.                                 #
-###########################################################################################
-mkdir -p /etc/systemd/system/fail2ban.service.d
-mkdir /var/log/fail2ban
-
-cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
-[Service]
-PrivateDevices=yes
-PrivateTmp=yes
-ProtectHome=read-only
-ProtectSystem=strict
-ReadWritePaths=-/var/run/fail2ban
-ReadWritePaths=-/var/lib/fail2ban
-ReadWritePaths=-/var/log/fail2ban
-ReadWritePaths=-/var/spool/postfix/maildrop
-ReadWritePaths=-/run/xtables.lock
-CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
-
-### Added by CISS.debian.live.builder
-ProtectClock=true
-ProtectHostname=true
-
-EOF
-
-cat << 'EOF' >> /etc/fail2ban/fail2ban.local
-[Definition]
-logtarget = /var/log/fail2ban/fail2ban.log
-EOF
-
-###########################################################################################
-# Remarks: Logrotate must be updated either                                               #
-###########################################################################################
-cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
-sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
-touch /var/log/fail2ban/fail2ban.log
-chmod 640 /var/log/fail2ban/fail2ban.log
-
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-
-exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9950_hardening_fail2ban.chroot

@@ -0,0 +1,241 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+cd /root
+
+cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/cdlb/backup/fail2ban.conf.bak
+chmod 0400 /root/.ciss/cdlb/backup/fail2ban.conf.bak
+
+### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
+sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
+
+mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/cdlb/backup/defaults-debian.conf.bak
+chmod 0400 /root/.ciss/cdlb/backup/defaults-debian.conf.bak
+
+cat << EOF >| /etc/fail2ban/jail.d/ciss-default.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[DEFAULT]
+banaction             = nftables-multiport
+banaction_allports    = nftables-allports
+dbpurgeage            = 384d
+#                       127.0.0.1/8 - IPv4 loopback range (local host)
+#                       ::1/128     - IPv6 loopback
+#                       fe80::/10   - IPv6 link-local (on-link only; NDP/RA/DAD)
+#                       ff00::/8    - IPv6 multicast (not an unicast host)
+#                       ::/128      - IPv6 unspecified (all zeros; never a real peer)
+ignoreip              = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 IGNORE_IP_MUST_BE_SET
+usedns                = yes
+
+[recidive]
+enabled               = true
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
+bantime               = 8d
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 128d
+bantime.multipliers   = 1 2 4 8 16
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = recidive
+findtime              = 16d
+logpath               = /var/log/fail2ban/fail2ban.log*
+maxretry              = 2
+
+### SSH Handling:     Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
+###                   Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]
+
+[sshd]
+enabled               = true
+backend               = systemd
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = sshd
+findtime              = 16m
+maxretry              = 4
+mode                  = aggressive
+port                  = PORT_MUST_BE_SET
+protocol              = tcp
+
+[sshd-refused]
+enabled               = true
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = ciss-sshd-refused
+findtime              = 16m
+logpath               = /var/log/auth.log
+maxretry              = 1
+port                  = PORT_MUST_BE_SET
+protocol              = tcp
+
+#
+# CISS aggressive approach:
+# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
+# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
+#
+
+[ufw]
+enabled               = true
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = ciss-ufw
+findtime              = 16m
+logpath               = /var/log/ufw.log
+maxretry              = 1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+cat << EOF >| /etc/fail2ban/filter.d/ciss-ufw.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[Definition]
+# Match UFW BLOCK/REJECT with a source IP and *any* port field (SPT or DPT), protocol may be missing.
+failregex             = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?(?:\bDPT=\d+\b|\bSPT=\d+\b).*$
+ignoreregex           =
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-sshd-refused.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[Definition]
+failregex = ^refused connect from \S+ \(<HOST>\)
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+###########################################################################################
+# Remarks: hardening of fail2ban systemd                                                  #
+###########################################################################################
+# https://wiki.archlinux.org/title/fail2ban#Service_hardening                             #
+# The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read  #
+# access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to     #
+# operate # on any firewall that has a command-line shell interface. By using             #
+# ProtectSystem=strict the filesystem hierarchy will only be read-only; ReadWritePaths    #
+# allows Fail2ban to have write access on required paths.                                 #
+###########################################################################################
+mkdir -p /etc/systemd/system/fail2ban.service.d
+mkdir -p /var/log/fail2ban
+
+cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
+[Service]
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=read-only
+ProtectSystem=strict
+ReadWritePaths=-/var/run/fail2ban
+ReadWritePaths=-/var/lib/fail2ban
+ReadWritePaths=-/var/log/fail2ban
+ReadWritePaths=-/var/spool/postfix/maildrop
+ReadWritePaths=-/run/xtables.lock
+CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
+
+### Added by CISS.debian.live.builder
+ProtectClock=true
+ProtectHostname=true
+
+EOF
+
+cat << 'EOF' >> /etc/fail2ban/fail2ban.local
+[Definition]
+logtarget             = /var/log/fail2ban/fail2ban.log
+
+[Database]
+# Keep entries for at least 384 days to cover recidive findtime.
+dbpurgeage            = 384d
+EOF
+
+###########################################################################################
+# Remarks: Logrotate must be updated either                                               #
+###########################################################################################
+cp -a /etc/logrotate.d/fail2ban /root/.ciss/cdlb/backup/fail2ban_logrotate.bak
+cat << EOF >| /etc/logrotate.d/fail2ban
+/var/log/fail2ban/fail2ban.log {
+    daily
+    rotate 384
+    maxage 384
+    notifempty
+    dateext
+    dateyesterday
+    compress
+    compresscmd /usr/bin/zstd
+    compressext .zst
+    compressoptions -20
+    uncompresscmd /usr/bin/unzstd
+    delaycompress
+    shred
+    missingok
+    postrotate
+        fail2ban-client flushlogs 1>/dev/null
+    endscript
+    # If fail2ban runs as non-root it still needs to have write access
+    # to logfiles.
+    # create 640 fail2ban adm
+    create 640 root adm
+}
+EOF
+
+touch /var/log/fail2ban/fail2ban.log
+chmod 0640 /var/log/fail2ban/fail2ban.log
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9960_disable_services.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

config/hooks/live/9970_remove_exim.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -13,16 +13,20 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
+
 cd /etc
 
-apt-get purge exim4 exim4-base exim4-config  -y
+apt-get purge exim4 exim4-base exim4-config -y
 apt-get autoremove -y
 apt-get autoclean -y
 apt-get autopurge -y
 
 apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config
 
-apt-get update
+apt-get update -qq
 apt-get upgrade -y
 
 if [[ -d /etc/exim4 ]]; then

config/hooks/live/9980_usb_guard.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -13,7 +13,9 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 apt-get install -y usbguard
 
 ### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
@@ -22,7 +24,7 @@ usbguard generate-policy >> /tmp/rules.conf
 
 if [[ -f /etc/usbguard/rules.conf && -s /etc/usbguard/rules.conf ]]; then
 
-  mv /etc/usbguard/rules.conf /root/.ciss/dlb/backup/usbguard_rules.conf.bak
+  mv /etc/usbguard/rules.conf /root/.ciss/cdlb/backup/usbguard_rules.conf.bak
   cp -a /tmp/rules.conf /etc/usbguard/rules.conf
   chmod 0600 /etc/usbguard/rules.conf
 
@@ -34,7 +36,7 @@ else
 
 fi
 
-cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/dlb/backup/usbguard-daemon.conf.bak
+cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/cdlb/backup/usbguard-daemon.conf.bak
 #sed -i "s/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/" /etc/usbguard/usbguard-daemon.conf
 
 rm -f /tmp/rules.conf

config/hooks/live/9990_final_purge.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -13,13 +13,16 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+
 export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 
 apt-get update -qq
 
-apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
+apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config postfix-mta-sts-resolver postfix qemu-guest-agent rmail
 
-apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
+apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config postfix-mta-sts-resolver postfix qemu-guest-agent rmail
 
 dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true
 

config/hooks/live/9991_file_permissions.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -18,8 +18,8 @@ chmod 0644 /etc/issue
 chmod 0644 /etc/issue.net
 
 if [[ -f /etc/motd ]]; then
-  cp -a /etc/motd /root/.ciss/dlb/backup/motd.bak
-  chmod 0644 /root/.ciss/dlb/backup/motd.bak
+  cp -a /etc/motd /root/.ciss/cdlb/backup/motd.bak
+  chmod 0644 /root/.ciss/cdlb/backup/motd.bak
   rm /etc/motd
 fi
 
@@ -36,7 +36,7 @@ cat << EOF >| /etc/motd
 
 EOF
 
-cp -a /etc/login.defs /root/.ciss/dlb/backup/login.defs.bak
+cp -a /etc/login.defs /root/.ciss/cdlb/backup/login.defs.bak
 
 sed -ri 's/^(#?LOGIN_TIMEOUT)[[:space:]]+[0-9]+/\1 180/' /etc/login.defs
 sed -i 's/UMASK		022/UMASK		077/' /etc/login.defs

config/hooks/live/9992_password_expiration.chroot

@@ -5,11 +5,92 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
+#######################################
+# Iterates all '/etc/shadow' entries and sets:
+#   4=min age=0, 5=max age=16384, 6=warn=128, 7=inactive=42, 8=expire=17.09.2102
+#   Safe: creates a timestamped backup and (if available) locks '/etc/.pwd.lock'.
+# Globals:
+#   RECOVERY
+#   TARGET
+#   VAR_RUN_RECOVERY
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+update_shadow() {
+  ### Declare Arrays, HashMaps, and Variables.
+
+  declare -r  var_shadow="/etc/shadow"
+  declare -r  var_backup="/root/.ciss/cdlb/backup/etc/shadow.$(date +%s).bak"
+  declare -r  var_temp="${var_shadow}.new.$$"
+  declare -r  var_exp_dt="17.09.2102"
+  declare     var_exp_ds=""
+
+  mkdir -p "/root/.ciss/cdlb/backup/etc"
+
+  var_exp_ds="$(
+    awk -v d="${var_exp_dt}" 'BEGIN{
+      # Force UTC to avoid DST/timezone off-by-one errors
+      ENVIRON["TZ"]="UTC";
+      if (match(d, /^([0-9]{2})\.([0-9]{2})\.([0-9]{4})$/, a)) {
+        dd=a[1]+0; mm=a[2]+0; yyyy=a[3]+0;
+        sec = mktime(sprintf("%04d %02d %02d 00 00 00 0", yyyy, mm, dd));
+        if (sec < 0) { print "ERR"; exit 1 }
+        print int(sec/86400);
+        exit 0
+      } else { print "ERR"; exit 1 }
+    }'
+  )" || return 42
+
+  # shellcheck disable=SC2249
+  case "${var_exp_ds}" in
+
+    ''|*ERR*)
+      return 127
+      ;;
+
+  esac
+
+  umask 0077
+  cp --preserve=mode,ownership "${var_shadow}" "${var_backup}"
+
+  ### Rewrite fields 4..8 for every line
+  ### Preserve fields 1..3 and 9, keep password hashes untouched.
+  ### Pad to 9 fields if shorter; keep empty lines intact (rare but safe).
+  awk -v FS=":" -v OFS=":" -v v_exp="${var_exp_ds}" '
+    NF==0 { print; next }                      # preserve blank lines verbatim
+    {
+      # pad missing trailing fields to 9
+      for (i=NF+1; i<=9; i++) $i="";
+      $4=0; $5=16384; $6=128; $7=42; $8=v_exp; # set required fields
+      print
+    }
+  ' "${var_backup}" >| "${var_temp}"
+
+  ### Defensive: ensure non-empty output.
+  if [[ ! -s "${var_temp}" ]]; then
+    rm -f "${var_temp}"
+    return 42
+  fi
+
+  ### Preserve owner/mode (fallback to 0640 root:shadow if reference fails).
+  chown --reference="${var_shadow}" "${var_temp}" 2>/dev/null || chown root:shadow "${var_temp}" 2>/dev/null || true
+  chmod --reference="${var_shadow}" "${var_temp}" 2>/dev/null || chmod 0640 "${var_temp}" 2>/dev/null || true
+
+  ### Atomic replace.
+  mv -f "${var_temp}" "${var_shadow}"
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f update_shadow
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
@@ -49,6 +130,8 @@ awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ All applicable accounts have been updated. \e[0m\n"
 
+update_shadow
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0

config/hooks/live/9993_aide.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -13,10 +13,12 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 apt-get install -y aide > /dev/null 2>&1
 
-cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
+cp -u /etc/aide/aide.conf /root/.ciss/cdlb/backup/aide.conf.bak
 sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf
 
 if aideinit > /dev/null 2>&1; then

config/hooks/live/9994_password_policy.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -20,8 +20,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
 
-cp -a /etc/security/pwquality.conf /root/.ciss/dlb/backup/pwquality.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/pwquality.conf.bak
+cp -a /etc/security/pwquality.conf /root/.ciss/cdlb/backup/pwquality.conf.bak
+chmod 0644 /root/.ciss/cdlb/backup/pwquality.conf.bak
 
 cat << EOF >| /etc/security/pwquality.conf
 # SPDX-Version: 3.0
@@ -30,7 +30,7 @@ cat << EOF >| /etc/security/pwquality.conf
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

config/hooks/live/9995_sysstat.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

config/hooks/live/9996_auditd.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -25,30 +25,49 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 
 cd /root
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 apt-get install -y auditd
 
-cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak
-cp -u /etc/audit/auditd.conf /root/.ciss/dlb/backup/auditd.conf.bak
-cp -u /etc/audit/rules.d/audit.rules /root/.ciss/dlb/backup/rules_d_audit.rules.bak
+cp -u /etc/audit/audit.rules /root/.ciss/cdlb/backup/audit.rules.bak
+cp -u /etc/audit/auditd.conf /root/.ciss/cdlb/backup/auditd.conf.bak
+cp -u /etc/audit/rules.d/audit.rules /root/.ciss/cdlb/backup/rules_d_audit.rules.bak
 rm -rf /etc/audit/rules.d/audit.rules
 
-############################################################### /etc/audit/rules.d/10-base-config.rules
-cat << EOF >| /etc/audit/rules.d/10-base-config.rules
+############################################################### /etc/audit/rules.d/00-base-config.rules
+cat << EOF >| /etc/audit/rules.d/00-base-config.rules
 ## First rule - delete all
 -D
 
 ## Increase the buffers to survive stress events.
-## Make this bigger for busy systems
--b 8192
+## Make this bigger for busy systems.
+-b 16384
 
-## This determine how long to wait in burst of events
---backlog_wait_time 60000
+## Rate Limit. Cap kernel->userspace message rate (0 = unlimited).
+-r 200
 
-## Set failure mode to syslog
+## This determine how long to wait in burst of events. How long to wait in bursts (us).
+--backlog_wait_time 1024
+
+## Set failure mode to syslog.
 -f 1
 EOF
 
+############################################################### /etc/audit/rules.d/10-ciss-noise-floor.rules
+cat << EOF >| /etc/audit/rules.d/10-ciss-noise-floor.rules
+## Ignore kernel/daemon noise without a loginuid (unset = 4294967295).
+-a never,exit -F auid=4294967295
+
+## Make privileged exec tracing user-initiated only (no boot-time daemons).
+-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k exec_root
+-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k exec_root
+
+## (Optional, same principle for suid/sgid transitions).
+-a always,exit -F arch=b64 -S execve -C uid!=euid -F auid>=1000 -F auid!=-1 -k exec_suid_sgid
+-a always,exit -F arch=b32 -S execve -C uid!=euid -F auid>=1000 -F auid!=-1 -k exec_suid_sgid
+EOF
+
 ############################################################### /etc/audit/rules.d/11-loginuid.rules
 cat << EOF >| /etc/audit/rules.d/11-loginuid.rules
 --loginuid-immutable
@@ -91,6 +110,17 @@ cat << EOF >| /etc/audit/rules.d/22-ignore-chrony.rules
 -a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony
 EOF
 
+############################################################### /etc/audit/rules.d/25-ciss-exec.rules
+cat << EOF >| /etc/audit/rules.d/25-ciss-exec.rules
+## Focus on privileged exec, not every user command
+-a always,exit -F arch=b64 -S execve -F euid=0 -k exec_root
+-a always,exit -F arch=b32 -S execve -F euid=0 -k exec_root
+-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -k exec_sudo
+-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/sudo -k exec_sudo
+-a always,exit -F arch=b64 -S execve -C uid!=euid -k exec_suid_sgid
+-a always,exit -F arch=b32 -S execve -C uid!=euid -k exec_suid_sgid
+EOF
+
 ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
 ## Unsuccessful file creation (open with O_CREAT)
@@ -108,17 +138,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
 -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 EOF
 
-############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
-## Successful file creation (open with O_CREAT)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
 ## Unsuccessful file modifications (open for write or truncate)
@@ -136,17 +155,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
 -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 EOF
 
-############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
-## Successful file modifications (open for write or truncate)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
 ## Unsuccessful file access (any other opens) This has to go last.
@@ -156,14 +164,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
 -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
 EOF
 
-############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
-## Successful file access (any other opens) This has to go last.
-## These next two are likely to result in a whole lot of events
--a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
--a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
 ## Unsuccessful file delete
@@ -173,13 +173,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
 -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
 EOF
 
-############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
-## Successful file delete
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
 ## Unsuccessful permission change
@@ -189,13 +182,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
 -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
 EOF
 
-############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
-## Successful permission change
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
 ## Unsuccessful ownership change
@@ -205,13 +191,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
 -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
 EOF
 
-############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
-## Successful ownership change
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
--a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42.rules
 ## The purpose of these rules is to meet the requirements for Operating
@@ -384,7 +363,7 @@ cat << EOF >| /etc/systemd/system/audit-rules.service.d/10-ciss.conf
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

config/hooks/live/9997_debsums.chroot

@@ -5,7 +5,7 @@
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -15,11 +15,13 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 
 cd /root
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 apt-get install -y --no-install-recommends debsums
 
-cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak
-chmod 0644 /root/.ciss/dlb/backup/debsums.bak
+cp -a /etc/default/debsums /root/.ciss/cdlb/backup/debsums.bak
+chmod 0644 /root/.ciss/cdlb/backup/debsums.bak
 sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
 
 if debsums -g > /dev/null 2>&1; then

config/hooks/live/9998_sources_list_bookworm.chroot

@@ -1,61 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-set -Ceuo pipefail
-
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-
-# shellcheck disable=SC2155
-declare -r VAR_DATE="$(date +%F)"
-
-cd /root
-
-if [[ -f /etc/apt/sources.list ]]; then
-  mv /etc/apt/sources.list /root/.ciss/dlb/backup/sources.list.bak
-fi
-
-cat << 'EOF' >| /etc/apt/sources.list
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
-# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-#-----------------------------------------------------------------------------------------#
-#                                  OFFICIAL DEBIAN REPOS
-#-----------------------------------------------------------------------------------------#
-
-### Debian Main Repos Bookworm
-
-deb https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
-deb-src https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
-
-deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
-deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
-
-deb https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
-deb-src https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
-
-deb https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
-deb-src https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
-EOF
-
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
-
-exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh