kalipso/infrastructure
1
1
Fork 1
Code Issues 42 Pull Requests 2 Actions Projects 2 Releases Wiki Activity

Compare commits

base: kalipso:6cabd45e1c4e8a06af27e13edf242bccd936cc94
Branches Tags
kalipso:master kalipso:vaultwarden kalipso:staging kalipso:script kalipso:zineshop kalipso:nextcloud_upgrade_31 kalipso:printer-module kalipso:microvm-dirs kalipso:sanoid kalipso:issue77 kalipso:reproducible-deployments kalipso:reproducible-deployments-filestructure kalipso:issue31 kalipso:microvm-module kalipso:issue47 kalipso:hostbuilder kalipso:better-workflows kalipso:issue51 kalipso:local-testing-v2 kalipso:gitea kalipso:fileserver
..
compare: kalipso:script
Branches Tags
kalipso:vaultwarden kalipso:master kalipso:staging kalipso:script kalipso:zineshop kalipso:nextcloud_upgrade_31 kalipso:printer-module kalipso:microvm-dirs kalipso:sanoid kalipso:issue77 kalipso:reproducible-deployments kalipso:reproducible-deployments-filestructure kalipso:issue31 kalipso:microvm-module kalipso:issue47 kalipso:hostbuilder kalipso:better-workflows kalipso:issue51 kalipso:local-testing-v2 kalipso:gitea kalipso:fileserver

11 Commits
6cabd45e1c ... script

Author SHA1 Message Date
ahtlon
ee24f8a4a9 change script to first import storage before unlocking root
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m36s
Details
2025-11-15 15:43:34 +01:00
ahtlon
c18724e9a6 Add wireguard generation to scripts (THIS IS NOT TESTED)
All checks were successful
Check flake syntax / flake-check (push) Successful in 5m20s
Details
2025-11-15 14:02:04 +01:00
kalipso
b59f4084c0 [fanny] set wg initrd key
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m59s
Details
2025-11-15 13:39:55 +01:00
kalipso
f6bd56d583 [fanny] setup initrd wireguard
All checks were successful
Check flake syntax / flake-check (push) Successful in 9m48s
Details
2025-11-15 13:12:29 +01:00
kalipso
f8f68df868 [initssh] load all zfs keys 2025-11-15 13:12:29 +01:00
ahtlon
38e4199e94 [printer-scraping] This should work now
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m42s
Details
2025-10-29 12:16:48 +01:00
ahtlon
ae2ec0d7b2 [printer-scraping] Save server responses for debugging purposes.
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m42s
Details 
I'll remove this later
 2025-10-27 12:04:27 +01:00
ahtlon
d52e47f88b Merge branch 'add_printer_monitor'
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m51s
Details
2025-10-25 22:39:21 +02:00
ahtlon
523005ed94 Fix string warning, script execution
Some checks failed
Check flake syntax / flake-check (push) Has been cancelled
Details
2025-10-25 22:16:38 +02:00
ahtlon
360d9b3df7 Add command testing 2025-10-25 22:16:03 +02:00
ahtlon
9eb61b166a Add printer scraping 2025-10-25 21:51:14 +02:00
7 changed files with 64 additions and 18 deletions
Expand all files Collapse all files

30
machines/fanny/configuration.nix
View File

@@ -1,6 +1,7 @@
{ inputs, config, ... }: { inputs, config, ... }:
let let
sshKeys = import ../ssh_keys.nix; sshKeys = import ../ssh_keys.nix;
peers = import ../modules/malobeo/peers.nix;
in in
{ {
sops.defaultSopsFile = ./secrets.yaml; sops.defaultSopsFile = ./secrets.yaml;
@@ -87,6 +88,35 @@ in
ethernetDrivers = ["r8169"]; ethernetDrivers = ["r8169"];
}; };
boot.initrd = {
availableKernelModules = [ "wireguard" ];
systemd = {
enable = true;
network = {
enable = true;
netdevs."30-wg-initrd" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-initrd";
};
wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };
wireguardPeers = [{
AllowedIPs = peers.fanny-initrd.allowedIPs;
PublicKey = peers.fanny-initrd.publicKey;
Endpoint = "${peers.vpn.publicIp}:${builtins.toString(peers.vpn.listenPort)}";
PersistentKeepalive = 25;
}];
};
networks."30-wg-initrd" = {
name = "wg-initrd";
addresses = [{ Address = peers.fanny-initrd.address; }];
};
};
};
};
boot.initrd.secrets."/etc/secrets/30-wg-initrd.key" = "/etc/wireguard/wg.private";
services.malobeo.vpn = { services.malobeo.vpn = {
enable = true; enable = true;
name = "fanny"; name = "fanny";

4
machines/modules/malobeo/initssh.nix
View File

@@ -56,11 +56,11 @@ in
path = with pkgs; [ zfs ]; path = with pkgs; [ zfs ];
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
script = '' script = ''
echo "systemctl default" >> /var/empty/.profile echo "zfs load-key -a; killall zfs; systemctl default" >> /var/empty/.profile
''; '';
}; };
}; };
kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ]; kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
}; };
}; };
} }

8
machines/modules/malobeo/peers.nix
View File

@@ -44,6 +44,14 @@
publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU="; publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
}; };
"fanny-initrd" = {
role = "client";
address = "10.100.0.102";
allowedIPs = [ "10.100.0.102/32" ];
#TODO: UPDATE
publicKey = "h1A2yt7OQ5EJIilC8tQg203u27o6J6/c+Kd/pZ4UWAY=";
};
"backup0" = { "backup0" = {
role = "client"; role = "client";
address = "10.100.0.20"; address = "10.100.0.20";

23
machines/overwatch/pull_info.sh
View File

@@ -1,5 +1,5 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -o pipefail set -eo pipefail
for command in "jq" "xq" "grep" "curl" "sed" for command in "jq" "xq" "grep" "curl" "sed"
do do
if ! command -v $command >/dev/null 2>&1 if ! command -v $command >/dev/null 2>&1
@@ -13,7 +13,7 @@ get_cookie () {
if [[ $1 == "-d" ]]; then if [[ $1 == "-d" ]]; then
cookie=$(cat request_example_1.txt) cookie=$(cat request_example_1.txt)
else else
cookie=$(curl -D - -X GET http://192.168.1.42/wcd/index.html) cookie=$(curl -s -D - -X GET http://192.168.1.42/wcd/index.html)
fi fi
exitCode="$?" exitCode="$?"
@@ -93,15 +93,14 @@ system_counter_ScanFaxCounter_keys=("DocumentReadTotal" "DocumentReadLarge" "Fax
system_consumables_base_keys=("Toner (Yellow)" "Toner (Magenta)" "Toner (Cyan)" "Toner (Black)" "Drum Cartridge (Cyan)" "Developer Cartridge (Cyan)" "Drum Cartridge (Magenta)" "Developer Cartridge (Magenta)" "Drum Cartridge (Yellow)" "Developer Cartridge (Yellow)" "Drum Cartridge (Black)" "Developer Cartridge (Black)" "Fusing Unit" "Image Transfer Belt Unit" "Transfer Roller Unit") system_consumables_base_keys=("Toner (Yellow)" "Toner (Magenta)" "Toner (Cyan)" "Toner (Black)" "Drum Cartridge (Cyan)" "Developer Cartridge (Cyan)" "Drum Cartridge (Magenta)" "Developer Cartridge (Magenta)" "Drum Cartridge (Yellow)" "Developer Cartridge (Yellow)" "Drum Cartridge (Black)" "Developer Cartridge (Black)" "Fusing Unit" "Image Transfer Belt Unit" "Transfer Roller Unit")
#End Variables------------- #End Variables-------------
echo "Start getting cookie" echo "Getting cookie"
get_cookie "$@" get_cookie "$@"
echo "Cookie got"
echo "Start extract from system_counter" echo "Start extracting info from system_counter"
if [[ $1 == "-d" ]]; then if [[ $1 == "-d" ]]; then
system_counter_data=$(cat system_counter.xml |xq) system_counter_data=$(cat system_counter.xml |xq)
else else
system_counter_data=$(curl -X GET http://192.168.1.42/wcd/system_counter.xml -H "Cookie: ID=\"$cookie\"" |xq) system_counter_data=$(curl -s -X GET http://192.168.1.42/wcd/system_counter.xml -H "Cookie: ID=$cookie" |xq)
fi fi
get_values ".MFP.Count.UserCounterInfo.TotalCounterList.TotalCounter" system_counter_TotalCounter_keys TotalCounter get_values ".MFP.Count.UserCounterInfo.TotalCounterList.TotalCounter" system_counter_TotalCounter_keys TotalCounter
@@ -118,19 +117,17 @@ get_values ".MFP.Count.UserCounterInfo.ScanFaxCounterList.ScanFaxCounter" system
get_values_DeviceStatus system_counter_DeviceStatus_keys DeviceStatus get_values_DeviceStatus system_counter_DeviceStatus_keys DeviceStatus
echo "Stop extract from system_counter" echo "Start extracting info from system_consumables"
echo
echo "Start extract from system_consumables"
if [[ $1 == "-d" ]]; then if [[ $1 == "-d" ]]; then
system_consumables_data=$(cat system_consumables.xml |xq) system_consumables_data=$(cat system_consumables.xml |xq)
else else
system_consumables_data=$(curl -X GET http://192.168.1.42/wcd/system_counter.xml -H "Cookie: ID=\"$cookie\"") system_consumables_data=$(curl -s -X GET http://192.168.1.42/wcd/system_consumable.xml -H "Cookie: ID=$cookie" |xq)
fi fi
get_values_consumables system_consumables_base_keys Consumables get_values_consumables system_consumables_base_keys Consumables
echo "Stop extract from system_consumables" echo "Sending data to prometheus-pushgateway..."
echo "$valueStore" | curl --data-binary @- http://localhost:9091/metrics/job/printer echo "$valueStore" | curl -s --data-binary @- http://localhost:9091/metrics/job/printer
echo "Success!" echo "Success!"
exit 0 exit 0

6
scripts/add_new_host_keys.sh
View File

@@ -31,10 +31,13 @@ cd "$pwpath"
# Generate SSH keys # Generate SSH keys
ssh-keygen -f $hostkey -t ed25519 -N "" -C "root@$host" ssh-keygen -f $hostkey -t ed25519 -N "" -C "root@$host"
ssh-keygen -f $initrdkey -t ed25519 -N "" -C "root@$host-initrd" ssh-keygen -f $initrdkey -t ed25519 -N "" -C "root@$host-initrd"
wg genkey > wg.private
publickey=$(cat wg.private | wg pubkey)
#encrypt the private keys #encrypt the private keys
sops -e -i ./$hostkey sops -e -i ./$hostkey
sops -e -i ./$initrdkey sops -e -i ./$initrdkey
sops -e -i ./wg.private
#generate encryption key #generate encryption key
tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
@@ -45,6 +48,9 @@ echo
echo "Hier ist der age public key für sops etc:" echo "Hier ist der age public key für sops etc:"
echo "$(ssh-to-age -i ./"$hostkey".pub)" echo "$(ssh-to-age -i ./"$hostkey".pub)"
echo echo
echo "Hier ist der wireguard pubkey für das gerät"
echo "$publickey"
echo
echo "Hier ist eine reproduzierbare mac-addresse:" echo "Hier ist eine reproduzierbare mac-addresse:"
echo "$hostname"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' echo "$hostname"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'

3
scripts/remote-install-encrypt.sh
View File

@@ -40,7 +40,9 @@ trap cleanup EXIT
# Create the directory where sshd expects to find the host keys # Create the directory where sshd expects to find the host keys
install -d -m755 "$temp/etc/ssh/" install -d -m755 "$temp/etc/ssh/"
install -d -m755 "$temp/etc/wireguard/"
##TODO:: wg genkey + pubkey --> /etc/wireguard/wg.private
diskKey=$(sops -d $pwpath/disk.key) diskKey=$(sops -d $pwpath/disk.key)
echo "$diskKey" > /tmp/secret.key echo "$diskKey" > /tmp/secret.key
@@ -48,6 +50,7 @@ sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname"
sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd" sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
sops -d "$pwpath/wg.private" > "$temp/etc/wireguard/wg.private"
# # Set the correct permissions so sshd will accept the key # # Set the correct permissions so sshd will accept the key
chmod 600 "$temp/etc/ssh/$hostname" chmod 600 "$temp/etc/ssh/$hostname"
chmod 600 "$temp/etc/ssh/initrd" chmod 600 "$temp/etc/ssh/initrd"

8
scripts/unlock-boot.sh
View File

@@ -24,14 +24,16 @@ diskkey=$(sops -d machines/$hostname/secrets/disk.key)
echo echo
if [ $# = 1 ] if [ $# = 1 ]
then then
echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #root ssh $sshoptions root@$hostname-initrd "zpool import -a"
echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "zfs load-key storage/encrypted" #root
echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #data echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #data
elif [ $# = 2 ] elif [ $# = 2 ]
then then
ip=$2 ip=$2
echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #root ssh $sshoptions root@$ip "zpool import -a"
echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #data echo "$diskkey" | ssh $sshoptions root@$ip "zfs load-key storage/encrypted"
echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent"
else else
echo echo