# Setec Labs Security Update — Debian 13 Trixie
# Release: 2026-03
# Target: Debian 13 (Trixie)
# Author: seteclabs.io
# Note: Trixie is the current testing/stable release

[packages]
apt-get update -qq
apt-get install -y --only-upgrade openssl libssl3t64
apt-get install -y --only-upgrade libgnutls30t64
apt-get install -y --only-upgrade openssh-server openssh-client
apt-get install -y --only-upgrade curl libcurl4t64
apt-get install -y --only-upgrade sudo
apt-get install -y --only-upgrade systemd libsystemd0
apt-get install -y --only-upgrade linux-image-amd64
apt-get install -y --only-upgrade nginx
apt-get install -y --only-upgrade python3 python3-minimal
apt-get install -y --only-upgrade git
apt-get install -y --only-upgrade vim-common xxd
apt-get install -y --only-upgrade libc6

[sysctl]
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
kernel.randomize_va_space = 2
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 1
# Trixie supports unprivileged userns restrictions
kernel.unprivileged_userns_clone = 0

[services]
systemctl restart ssh
systemctl restart nginx
systemctl daemon-reexec

[files]
chmod 600 /etc/ssh/sshd_config
chmod 700 /root/.ssh
chmod 644 /etc/sysctl.d/99-setec-update.conf
chown root:root /etc/sysctl.d/99-setec-update.conf

[custom]
bash:-:apt-get autoremove -y --purge 2>&1
bash:-:apt-get -s upgrade 2>&1 | grep -c 'upgraded' || echo '0 remaining upgrades'