[fanny] fix flushing init vpn

I'll remove this later

flake.lock

@@ -357,11 +357,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1743458889,
-        "narHash": "sha256-eVTtsCPio3Wj/g/gvKTsyjh90vrNsmgjzXK9jMfcboM=",
+        "lastModified": 1760981884,
+        "narHash": "sha256-ASFWbOhuB6i3AKze5sHCvTM+nqHIuUEZy9MGiTcdZxA=",
         "ref": "refs/heads/master",
-        "rev": "b61466549e2687628516aa1f9ba73f251935773a",
-        "revCount": 30,
+        "rev": "b67eb2d778a34c0dceb91a236b390fe493aa3465",
+        "revCount": 32,
         "type": "git",
         "url": "https://git.dynamicdiscord.de/kalipso/tasklist"
       },

machines/fanny/configuration.nix

@@ -1,6 +1,7 @@
 { inputs, config, ... }:
 let
   sshKeys = import ../ssh_keys.nix;
+  peers = import ../modules/malobeo/peers.nix;
 in
 {
   sops.defaultSopsFile = ./secrets.yaml;
@@ -85,8 +86,42 @@ in
     enable = true;
     authorizedKeys = sshKeys.admins;
     ethernetDrivers = ["r8169"];
+    zfsExtraPools = [ "storage" ];
   };
 
+  boot.initrd = {
+    availableKernelModules = [ "wireguard" ];
+    # postMountCommands = ''
+    #   ip address flush dev wg-initrd
+    #   ip link set dev wg-initrd down
+    # '';
+    systemd = {
+      enable = true;
+      network = {
+        enable = true;
+        netdevs."30-wg-initrd" = {
+          netdevConfig = {
+            Kind = "wireguard";
+            Name = "wg-initrd";
+          };
+          wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };
+          wireguardPeers = [{
+            AllowedIPs = peers.vpn.allowedIPs;
+            PublicKey = peers.vpn.publicKey;
+            Endpoint = "${peers.vpn.publicIp}:${builtins.toString(peers.vpn.listenPort)}";
+            PersistentKeepalive = 25;
+          }];
+        };
+        networks."30-wg-initrd" = {
+          name = "wg-initrd";
+          addresses = [{ Address = "${peers.fanny-initrd.address}/24"; }];
+        };
+      };
+    };
+  };
+
+  boot.initrd.secrets."/etc/secrets/30-wg-initrd.key" = "/etc/wireguard/wg.private";
+
   services.malobeo.vpn = {
     enable = true;
     name = "fanny";

machines/modules/malobeo/initssh.nix

@@ -22,6 +22,11 @@ in
       description = "Ethernet drivers to load: run `lspci -k | grep -iA4 ethernet`";
       example = "r8169";
     };
+    zfsExtraPools = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+      description = "Name or GUID of extra ZFS pools that you wish to import during boot.";
+    };
   };
   
   config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
@@ -32,35 +37,43 @@ in
       zfs = {
         forceImportAll = true;
         requestEncryptionCredentials = true;
-        
+        extraPools = cfg.zfsExtraPools;
       };
       initrd = {
         availableKernelModules = cfg.ethernetDrivers;
         systemd = {
+          initrdBin = [ pkgs.busybox pkgs.wireguard-tools pkgs.iproute2 ]; 
           enable = true;
           network.enable = true;
+          services."stopInitVpn" = {
+            description = "stop init vpn";
+            wantedBy = [
+              "initrd.target"
+            ];
+            after = [
+              "zfs.target"
+            ];
+            serviceConfig.StandardOutput = "journal+console";
+            script = ''
+              networkctl down wg-initrd
+            '';
+            serviceConfig.Type = "oneshot";
+      };
         };
-        network.ssh = {
-          enable = true;
-          port = 222;
-          authorizedKeys = cfg.authorizedKeys;
-          hostKeys = [ "/etc/ssh/initrd" ];
+        network = {
+          flushBeforeStage2 = true;
+          ssh = {
+            enable = true;
+            port = 222;
+            authorizedKeys = cfg.authorizedKeys;
+            hostKeys = [ "/etc/ssh/initrd" ];
+          };
         };
         secrets = {
           "/etc/ssh/initrd" = "/etc/ssh/initrd";
         };
-        systemd.services.zfs-remote-unlock = {
-          description = "Prepare for ZFS remote unlock";
-          wantedBy = ["initrd.target"];
-          after = ["systemd-networkd.service"];
-          path = with pkgs; [ zfs ];
-          serviceConfig.Type = "oneshot";
-          script = ''
-            echo "systemctl default" >> /var/empty/.profile
-          '';
-        };
       };
       kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
     };
   };
-}
+}

machines/modules/malobeo/peers.nix

@@ -44,6 +44,14 @@
     publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
   };
 
+  "fanny-initrd" = {
+    role = "client";
+    address = "10.100.0.102";
+    allowedIPs = [ "10.100.0.102/32" ];
+    #TODO: UPDATE
+    publicKey = "h1A2yt7OQ5EJIilC8tQg203u27o6J6/c+Kd/pZ4UWAY=";
+  };
+
   "backup0" = {
     role = "client";
     address = "10.100.0.20";

machines/overwatch/configuration.nix

@@ -12,6 +12,7 @@ with lib;
     self.nixosModules.malobeo.metrics
     ../modules/malobeo_user.nix
     ../modules/sshd.nix
+    ./printer_module.nix
   ];
 
   networking.firewall.allowedTCPPorts = [ 80 3100 ];
@@ -77,6 +78,8 @@ with lib;
     };
       };
   };
+  
+  printer_scraping.enable = true;
 
   services.prometheus = {
     enable = true;
@@ -89,6 +92,12 @@ with lib;
           targets = [ "127.0.0.1:9002" ];
         }];
       }
+      {
+        job_name = "printer";
+        static_configs = [{
+          targets = [ "127.0.0.1:9091" ];
+        }];
+      }
       {
         job_name = "durruti";
         static_configs = [{

machines/overwatch/printer_module.nix

@@ -0,0 +1,33 @@
+{config, lib, pkgs, ...}:
+{
+  options.printer_scraping = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Enable the script to pull data from the printer";
+    };
+    timer = lib.mkOption {
+      type = lib.types.str;
+      default = "1m";
+      description = "systemd timer for script execution";
+    };
+  };
+
+  config = lib.mkIf config.printer_scraping.enable {
+    systemd.services."printer-scraping" = {
+      description = "Pull printer stats and upload to influxdb";
+      serviceConfig.Type = "oneshot";
+      path = with pkgs; [yq jq curl bash];
+      script = "bash ${./pull_info.sh}";
+    };
+    systemd.timers."printer-scraping" = {
+      wantedBy = ["timers.target"];
+      timerConfig = {
+        OnBootSec = "5s";
+        OnUnitActiveSec = config.printer_scraping.timer;
+        Unit = "printer-scraping.service";
+      };
+    };
+    services.prometheus.pushgateway.enable = true; #Im not dealing with influx
+  };
+}

machines/overwatch/pull_info.sh

@@ -0,0 +1,133 @@
+#!/usr/bin/env bash
+set -eo pipefail
+for command in "jq" "xq" "grep" "curl" "sed"
+do
+    if ! command -v $command >/dev/null 2>&1
+    then
+        echo "$command could not be found"
+        exit 1
+    fi
+done
+#Functions---------------
+get_cookie () {
+    if [[ $1 == "-d" ]]; then
+        cookie=$(cat request_example_1.txt)
+    else
+        cookie=$(curl -s -D - -X GET http://192.168.1.42/wcd/index.html)
+    fi
+
+    exitCode="$?"
+    if [[ $exitCode == "7" ]];
+    then
+        echo "Server offline"
+        exit 0
+    elif [[ $exitCode != "0" ]];
+    then 
+        echo "Something went wrong"
+        exit 1
+    fi
+
+    cookie=$(echo "$cookie" | grep Set-Cookie | grep -oP "ID=\K[^.]+" )
+    if [[ $cookie == "" ]]
+    then
+        echo "No cookie got!"
+        exit 1
+    fi
+}
+get_values () {
+    local path="$1"
+    local -n keys=$2
+    local name="$3"
+
+    local_system_counter_data=$(echo "$system_counter_data" | jq "$path | .[]")
+    for key in "${keys[@]}";
+    do 
+        value=$(echo "$local_system_counter_data" | 
+        jq "select(.Type==\"$key\") | .Count" | 
+        sed 's/"//g'
+        )
+        valueStore=$(echo "$valueStore"; echo "$name"_"$key" "$value")
+    done
+}
+get_values_DeviceStatus () {
+    local -n keys=$1
+    local name="$2"
+
+    local_system_counter_data=$(echo "$system_counter_data" | jq ".MFP.Common.DeviceStatus")
+    for key in "${keys[@]}";
+    do 
+        value=$(echo "$local_system_counter_data" | 
+        jq ".$key" | 
+        sed 's/"//g'
+        )
+        valueStore=$(echo "$valueStore"; echo "$name"_"$key" "$value")
+    done
+
+}
+get_values_consumables () {
+    local -n keys=$1
+    local name="$2"
+
+    local_system_consumables_data=$(echo "$system_consumables_data" | jq ".[] |.DeviceInfo.ConsumableList.Consumable | .[]")
+    for key in "${keys[@]}";
+    do 
+        value=$(
+            echo "$local_system_consumables_data" | 
+            jq "select(.Name==\"$key\") | .CurrentLevel.LevelPer" | 
+            sed 's/"//g'
+            )
+        valueStore=$(echo "$valueStore"; echo "$name"_"${key//[^a-zA-Z_-]/_}" "$value")
+    done
+}
+#End Functions----------
+
+#Variables-----------------------
+system_counter_DeviceStatus_keys=("ScanStatus" "PrintStatus" "Processing" "NetworkErrorStatus" "KmSaasgw" "HddMirroringErrorStatus")
+system_counter_TotalCounter_keys=("Total" "DuplexTotal" "Document" "Paper" "TotalLarge" "PrintPageTotal" "PaperSizeA3" "PaperSizeA4" "PaperSizeB4" "PaperSizeB5" "PaperSizeOther" "Nin12in1" "PaperTypeNormal" "PaperTypeOther")
+system_counter_FullColorCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
+system_counter_BlackCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
+system_counter_DoubleColorCounter_keys=("PrintPageTotal" "A3" "A4" "B4" "B5" "Other")
+system_counter_CopyCounter_keys=("BwTotal" "FullColorTotal" "Total" "BwLarge" "FullColorLarge" "BiColorLarge")
+system_counter_PrintCounter_keys=("BwTotal" "FullColorTotal" "BiColorTotal" "Total" "BwLarge" "FullColorLarge" "BiColorLarge")
+system_counter_ScanFaxCounter_keys=("DocumentReadTotal" "DocumentReadLarge" "FaxReceive" "FaxSend")
+system_consumables_base_keys=("Toner (Yellow)" "Toner (Magenta)" "Toner (Cyan)" "Toner (Black)" "Drum Cartridge (Cyan)" "Developer Cartridge (Cyan)" "Drum Cartridge (Magenta)" "Developer Cartridge (Magenta)" "Drum Cartridge (Yellow)" "Developer Cartridge (Yellow)" "Drum Cartridge (Black)" "Developer Cartridge (Black)" "Fusing Unit" "Image Transfer Belt Unit" "Transfer Roller Unit")
+#End Variables-------------
+
+echo "Getting cookie"
+get_cookie "$@"
+
+echo "Start extracting info from system_counter"
+if [[ $1 == "-d" ]]; then
+    system_counter_data=$(cat system_counter.xml |xq)
+else
+    system_counter_data=$(curl -s -X GET http://192.168.1.42/wcd/system_counter.xml -H "Cookie: ID=$cookie" |xq)
+fi
+
+get_values ".MFP.Count.UserCounterInfo.TotalCounterList.TotalCounter" system_counter_TotalCounter_keys TotalCounter
+
+get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.FullColorCounterList.FullColorCounter" system_counter_FullColorCounter_keys FullColorCounter
+
+get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.BlackCounterList.BlackCounter" system_counter_BlackCounter_keys BlackCounter
+
+get_values ".MFP.Count.UserCounterInfo.PaperSheetCounter.DoubleColorCounterList.DoubleColorCounter" system_counter_DoubleColorCounter_keys DoubleColorCounter
+
+get_values ".MFP.Count.UserCounterInfo.CopyCounterList.CopyCounter" system_counter_CopyCounter_keys CopyCounter
+
+get_values ".MFP.Count.UserCounterInfo.ScanFaxCounterList.ScanFaxCounter" system_counter_ScanFaxCounter_keys ScanFaxCounter
+
+get_values_DeviceStatus system_counter_DeviceStatus_keys DeviceStatus
+
+echo "Start extracting info from system_consumables"
+if [[ $1 == "-d" ]]; then
+    system_consumables_data=$(cat system_consumables.xml |xq)
+else
+    system_consumables_data=$(curl -s -X GET http://192.168.1.42/wcd/system_consumable.xml -H "Cookie: ID=$cookie" |xq)
+fi
+
+get_values_consumables system_consumables_base_keys Consumables
+
+echo "Sending data to prometheus-pushgateway..."
+
+echo "$valueStore" | curl -s --data-binary @- http://localhost:9091/metrics/job/printer
+echo "Success!"
+exit 0

scripts/add_new_host_keys.sh

@@ -31,10 +31,13 @@ cd "$pwpath"
 # Generate SSH keys
 ssh-keygen -f $hostkey -t ed25519 -N "" -C "root@$host"
 ssh-keygen -f $initrdkey -t ed25519 -N "" -C "root@$host-initrd"
+wg genkey > wg.private
+publickey=$(cat wg.private | wg pubkey)
 
 #encrypt the private keys
 sops -e -i ./$hostkey
 sops -e -i ./$initrdkey
+sops -e -i ./wg.private
 
 #generate encryption key
 tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
@@ -45,6 +48,9 @@ echo
 echo "Hier ist der age public key für sops etc:"
 echo "$(ssh-to-age -i ./"$hostkey".pub)"
 echo
+echo "Hier ist der wireguard pubkey für das gerät"
+echo "$publickey"
+echo 
 echo "Hier ist eine reproduzierbare mac-addresse:"
 echo "$hostname"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
 

scripts/remote-install-encrypt.sh

@@ -40,7 +40,9 @@ trap cleanup EXIT
 
 # Create the directory where sshd expects to find the host keys
 install -d -m755 "$temp/etc/ssh/"
+install -d -m755 "$temp/etc/wireguard/"
 
+##TODO:: wg genkey + pubkey --> /etc/wireguard/wg.private
 diskKey=$(sops -d $pwpath/disk.key)
 echo "$diskKey" > /tmp/secret.key
 
@@ -48,6 +50,7 @@ sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname"
 
 sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
 
+sops -d "$pwpath/wg.private" > "$temp/etc/wireguard/wg.private"
 # # Set the correct permissions so sshd will accept the key
 chmod 600 "$temp/etc/ssh/$hostname"
 chmod 600 "$temp/etc/ssh/initrd"

scripts/unlock-boot.sh

@@ -24,14 +24,16 @@ diskkey=$(sops -d machines/$hostname/secrets/disk.key)
 echo
 if [ $# = 1 ]
     then
-    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #root
+    ssh $sshoptions root@$hostname-initrd "zpool import -a"
+    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "zfs load-key storage/encrypted" #root
     echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #data
 
 elif [ $# = 2 ]
     then
     ip=$2
-    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #root
-    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #data
+    ssh $sshoptions root@$ip "zpool import -a"
+    echo "$diskkey" | ssh $sshoptions root@$ip "zfs load-key storage/encrypted" 
+    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent"
     
 else
     echo