Compare commits
7 Commits
d52e47f88b
...
script
| Author | SHA1 | Date | |
|---|---|---|---|
| ee24f8a4a9 | |||
| c18724e9a6 | |||
| b59f4084c0 | |||
| f6bd56d583 | |||
| f8f68df868 | |||
| 38e4199e94 | |||
ae2ec0d7b2
|
@@ -1,6 +1,7 @@
|
||||
{ inputs, config, ... }:
|
||||
let
|
||||
sshKeys = import ../ssh_keys.nix;
|
||||
peers = import ../modules/malobeo/peers.nix;
|
||||
in
|
||||
{
|
||||
sops.defaultSopsFile = ./secrets.yaml;
|
||||
@@ -87,6 +88,35 @@ in
|
||||
ethernetDrivers = ["r8169"];
|
||||
};
|
||||
|
||||
boot.initrd = {
|
||||
availableKernelModules = [ "wireguard" ];
|
||||
systemd = {
|
||||
enable = true;
|
||||
network = {
|
||||
enable = true;
|
||||
netdevs."30-wg-initrd" = {
|
||||
netdevConfig = {
|
||||
Kind = "wireguard";
|
||||
Name = "wg-initrd";
|
||||
};
|
||||
wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };
|
||||
wireguardPeers = [{
|
||||
AllowedIPs = peers.fanny-initrd.allowedIPs;
|
||||
PublicKey = peers.fanny-initrd.publicKey;
|
||||
Endpoint = "${peers.vpn.publicIp}:${builtins.toString(peers.vpn.listenPort)}";
|
||||
PersistentKeepalive = 25;
|
||||
}];
|
||||
};
|
||||
networks."30-wg-initrd" = {
|
||||
name = "wg-initrd";
|
||||
addresses = [{ Address = peers.fanny-initrd.address; }];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
boot.initrd.secrets."/etc/secrets/30-wg-initrd.key" = "/etc/wireguard/wg.private";
|
||||
|
||||
services.malobeo.vpn = {
|
||||
enable = true;
|
||||
name = "fanny";
|
||||
|
||||
@@ -56,11 +56,11 @@ in
|
||||
path = with pkgs; [ zfs ];
|
||||
serviceConfig.Type = "oneshot";
|
||||
script = ''
|
||||
echo "systemctl default" >> /var/empty/.profile
|
||||
echo "zfs load-key -a; killall zfs; systemctl default" >> /var/empty/.profile
|
||||
'';
|
||||
};
|
||||
};
|
||||
kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
|
||||
};
|
||||
};
|
||||
}
|
||||
}
|
||||
|
||||
@@ -44,6 +44,14 @@
|
||||
publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
|
||||
};
|
||||
|
||||
"fanny-initrd" = {
|
||||
role = "client";
|
||||
address = "10.100.0.102";
|
||||
allowedIPs = [ "10.100.0.102/32" ];
|
||||
#TODO: UPDATE
|
||||
publicKey = "h1A2yt7OQ5EJIilC8tQg203u27o6J6/c+Kd/pZ4UWAY=";
|
||||
};
|
||||
|
||||
"backup0" = {
|
||||
role = "client";
|
||||
address = "10.100.0.20";
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
#!/usr/bin/env bash
|
||||
set -o pipefail
|
||||
set -eo pipefail
|
||||
for command in "jq" "xq" "grep" "curl" "sed"
|
||||
do
|
||||
if ! command -v $command >/dev/null 2>&1
|
||||
@@ -13,7 +13,7 @@ get_cookie () {
|
||||
if [[ $1 == "-d" ]]; then
|
||||
cookie=$(cat request_example_1.txt)
|
||||
else
|
||||
cookie=$(curl -D - -X GET http://192.168.1.42/wcd/index.html)
|
||||
cookie=$(curl -s -D - -X GET http://192.168.1.42/wcd/index.html)
|
||||
fi
|
||||
|
||||
exitCode="$?"
|
||||
@@ -93,15 +93,14 @@ system_counter_ScanFaxCounter_keys=("DocumentReadTotal" "DocumentReadLarge" "Fax
|
||||
system_consumables_base_keys=("Toner (Yellow)" "Toner (Magenta)" "Toner (Cyan)" "Toner (Black)" "Drum Cartridge (Cyan)" "Developer Cartridge (Cyan)" "Drum Cartridge (Magenta)" "Developer Cartridge (Magenta)" "Drum Cartridge (Yellow)" "Developer Cartridge (Yellow)" "Drum Cartridge (Black)" "Developer Cartridge (Black)" "Fusing Unit" "Image Transfer Belt Unit" "Transfer Roller Unit")
|
||||
#End Variables-------------
|
||||
|
||||
echo "Start getting cookie"
|
||||
echo "Getting cookie"
|
||||
get_cookie "$@"
|
||||
echo "Cookie got"
|
||||
|
||||
echo "Start extract from system_counter"
|
||||
echo "Start extracting info from system_counter"
|
||||
if [[ $1 == "-d" ]]; then
|
||||
system_counter_data=$(cat system_counter.xml |xq)
|
||||
else
|
||||
system_counter_data=$(curl -X GET http://192.168.1.42/wcd/system_counter.xml -H "Cookie: ID=\"$cookie\"" |xq)
|
||||
system_counter_data=$(curl -s -X GET http://192.168.1.42/wcd/system_counter.xml -H "Cookie: ID=$cookie" |xq)
|
||||
fi
|
||||
|
||||
get_values ".MFP.Count.UserCounterInfo.TotalCounterList.TotalCounter" system_counter_TotalCounter_keys TotalCounter
|
||||
@@ -118,19 +117,17 @@ get_values ".MFP.Count.UserCounterInfo.ScanFaxCounterList.ScanFaxCounter" system
|
||||
|
||||
get_values_DeviceStatus system_counter_DeviceStatus_keys DeviceStatus
|
||||
|
||||
echo "Stop extract from system_counter"
|
||||
echo
|
||||
echo "Start extract from system_consumables"
|
||||
echo "Start extracting info from system_consumables"
|
||||
if [[ $1 == "-d" ]]; then
|
||||
system_consumables_data=$(cat system_consumables.xml |xq)
|
||||
else
|
||||
system_consumables_data=$(curl -X GET http://192.168.1.42/wcd/system_counter.xml -H "Cookie: ID=\"$cookie\"")
|
||||
system_consumables_data=$(curl -s -X GET http://192.168.1.42/wcd/system_consumable.xml -H "Cookie: ID=$cookie" |xq)
|
||||
fi
|
||||
|
||||
get_values_consumables system_consumables_base_keys Consumables
|
||||
|
||||
echo "Stop extract from system_consumables"
|
||||
echo "Sending data to prometheus-pushgateway..."
|
||||
|
||||
echo "$valueStore" | curl --data-binary @- http://localhost:9091/metrics/job/printer
|
||||
echo "$valueStore" | curl -s --data-binary @- http://localhost:9091/metrics/job/printer
|
||||
echo "Success!"
|
||||
exit 0
|
||||
exit 0
|
||||
|
||||
@@ -31,10 +31,13 @@ cd "$pwpath"
|
||||
# Generate SSH keys
|
||||
ssh-keygen -f $hostkey -t ed25519 -N "" -C "root@$host"
|
||||
ssh-keygen -f $initrdkey -t ed25519 -N "" -C "root@$host-initrd"
|
||||
wg genkey > wg.private
|
||||
publickey=$(cat wg.private | wg pubkey)
|
||||
|
||||
#encrypt the private keys
|
||||
sops -e -i ./$hostkey
|
||||
sops -e -i ./$initrdkey
|
||||
sops -e -i ./wg.private
|
||||
|
||||
#generate encryption key
|
||||
tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
|
||||
@@ -45,6 +48,9 @@ echo
|
||||
echo "Hier ist der age public key für sops etc:"
|
||||
echo "$(ssh-to-age -i ./"$hostkey".pub)"
|
||||
echo
|
||||
echo "Hier ist der wireguard pubkey für das gerät"
|
||||
echo "$publickey"
|
||||
echo
|
||||
echo "Hier ist eine reproduzierbare mac-addresse:"
|
||||
echo "$hostname"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
|
||||
|
||||
|
||||
@@ -40,7 +40,9 @@ trap cleanup EXIT
|
||||
|
||||
# Create the directory where sshd expects to find the host keys
|
||||
install -d -m755 "$temp/etc/ssh/"
|
||||
install -d -m755 "$temp/etc/wireguard/"
|
||||
|
||||
##TODO:: wg genkey + pubkey --> /etc/wireguard/wg.private
|
||||
diskKey=$(sops -d $pwpath/disk.key)
|
||||
echo "$diskKey" > /tmp/secret.key
|
||||
|
||||
@@ -48,6 +50,7 @@ sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname"
|
||||
|
||||
sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
|
||||
|
||||
sops -d "$pwpath/wg.private" > "$temp/etc/wireguard/wg.private"
|
||||
# # Set the correct permissions so sshd will accept the key
|
||||
chmod 600 "$temp/etc/ssh/$hostname"
|
||||
chmod 600 "$temp/etc/ssh/initrd"
|
||||
|
||||
@@ -24,14 +24,16 @@ diskkey=$(sops -d machines/$hostname/secrets/disk.key)
|
||||
echo
|
||||
if [ $# = 1 ]
|
||||
then
|
||||
echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #root
|
||||
ssh $sshoptions root@$hostname-initrd "zpool import -a"
|
||||
echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "zfs load-key storage/encrypted" #root
|
||||
echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #data
|
||||
|
||||
elif [ $# = 2 ]
|
||||
then
|
||||
ip=$2
|
||||
echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #root
|
||||
echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #data
|
||||
ssh $sshoptions root@$ip "zpool import -a"
|
||||
echo "$diskkey" | ssh $sshoptions root@$ip "zfs load-key storage/encrypted"
|
||||
echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent"
|
||||
|
||||
else
|
||||
echo
|
||||
|
||||
Reference in New Issue
Block a user