change script to first import storage before unlocking root

Add wireguard generation to scripts (THIS IS NOT TESTED)
[fanny] set wg initrd key
2025-11-15 15:43:34 +01:00 · 2025-11-15 14:02:04 +01:00 · 2025-11-15 13:39:55 +01:00
5 changed files with 17 additions and 4 deletions
--- a/machines/fanny/configuration.nix
+++ b/machines/fanny/configuration.nix
@@ -115,6 +115,8 @@ in
    };
  };

+  boot.initrd.secrets."/etc/secrets/30-wg-initrd.key" = "/etc/wireguard/wg.private";
+
  services.malobeo.vpn = {
    enable = true;
    name = "fanny";
--- a/machines/modules/malobeo/peers.nix
+++ b/machines/modules/malobeo/peers.nix
@@ -49,7 +49,7 @@
    address = "10.100.0.102";
    allowedIPs = [ "10.100.0.102/32" ];
    #TODO: UPDATE
-    publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
+    publicKey = "h1A2yt7OQ5EJIilC8tQg203u27o6J6/c+Kd/pZ4UWAY=";
  };

  "backup0" = {
--- a/scripts/add_new_host_keys.sh
+++ b/scripts/add_new_host_keys.sh
@@ -31,10 +31,13 @@ cd "$pwpath"
 # Generate SSH keys
 ssh-keygen -f $hostkey -t ed25519 -N "" -C "root@$host"
 ssh-keygen -f $initrdkey -t ed25519 -N "" -C "root@$host-initrd"
+wg genkey > wg.private
+publickey=$(cat wg.private | wg pubkey)

 #encrypt the private keys
 sops -e -i ./$hostkey
 sops -e -i ./$initrdkey
+sops -e -i ./wg.private

 #generate encryption key
 tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
@@ -45,6 +48,9 @@ echo
 echo "Hier ist der age public key für sops etc:"
 echo "$(ssh-to-age -i ./"$hostkey".pub)"
 echo
+echo "Hier ist der wireguard pubkey für das gerät"
+echo "$publickey"
+echo 
 echo "Hier ist eine reproduzierbare mac-addresse:"
 echo "$hostname"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'

--- a/scripts/remote-install-encrypt.sh
+++ b/scripts/remote-install-encrypt.sh
@@ -40,7 +40,9 @@ trap cleanup EXIT

 # Create the directory where sshd expects to find the host keys
 install -d -m755 "$temp/etc/ssh/"
+install -d -m755 "$temp/etc/wireguard/"

+##TODO:: wg genkey + pubkey --> /etc/wireguard/wg.private
 diskKey=$(sops -d $pwpath/disk.key)
 echo "$diskKey" > /tmp/secret.key

@@ -48,6 +50,7 @@ sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname"

 sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"

+sops -d "$pwpath/wg.private" > "$temp/etc/wireguard/wg.private"
 # # Set the correct permissions so sshd will accept the key
 chmod 600 "$temp/etc/ssh/$hostname"
 chmod 600 "$temp/etc/ssh/initrd"
--- a/scripts/unlock-boot.sh
+++ b/scripts/unlock-boot.sh
@@ -24,14 +24,16 @@ diskkey=$(sops -d machines/$hostname/secrets/disk.key)
 echo
 if [ $# = 1 ]
    then
-    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #root
+    ssh $sshoptions root@$hostname-initrd "zpool import -a"
+    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "zfs load-key storage/encrypted" #root
    echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #data

 elif [ $# = 2 ]
    then
    ip=$2
-    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #root
-    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #data
+    ssh $sshoptions root@$ip "zpool import -a"
+    echo "$diskkey" | ssh $sshoptions root@$ip "zfs load-key storage/encrypted" 
+    echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent"
    
 else
    echo
Author	SHA1	Message	Date
ahtlon	ee24f8a4a9	change script to first import storage before unlocking root All checks were successful Check flake syntax / flake-check (push) Successful in 4m36s Details	2025-11-15 15:43:34 +01:00
ahtlon	c18724e9a6	Add wireguard generation to scripts (THIS IS NOT TESTED) All checks were successful Check flake syntax / flake-check (push) Successful in 5m20s Details	2025-11-15 14:02:04 +01:00
kalipso	b59f4084c0	[fanny] set wg initrd key All checks were successful Check flake syntax / flake-check (push) Successful in 4m59s Details	2025-11-15 13:39:55 +01:00