3 Commits

Author SHA1 Message Date
6cabd45e1c Fix string warning, script execution
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m51s
2025-10-25 22:21:59 +02:00
8d5702d93a Add command testing 2025-10-25 22:21:59 +02:00
b12c28e553 Add printer scraping 2025-10-25 22:21:59 +02:00
14 changed files with 75 additions and 149 deletions

60
flake.lock generated

@@ -67,11 +67,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1763992789, "lastModified": 1748226808,
"narHash": "sha256-WHkdBlw6oyxXIra/vQPYLtqY+3G8dUVZM8bEXk0t8x4=", "narHash": "sha256-GaBRgxjWO1bAQa8P2+FDxG4ANBVhjnSjBms096qQdxo=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "44831a7eaba4360fb81f2acc5ea6de5fde90aaa3", "rev": "83665c39fa688bd6a1f7c43cf7997a70f6a109f9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -109,11 +109,11 @@
"spectrum": "spectrum" "spectrum": "spectrum"
}, },
"locked": { "locked": {
"lastModified": 1764549796, "lastModified": 1748260747,
"narHash": "sha256-Mswg665P92EoHkBwCwPr/7bdnj04g2Qfb+t02ZEYTHA=", "narHash": "sha256-V3ONd70wm55JxcUa1rE0JU3zD+Cz7KK/iSVhRD7lq68=",
"owner": "astro", "owner": "astro",
"repo": "microvm.nix", "repo": "microvm.nix",
"rev": "030d055e877cc13d7525b39f434150226d5e4482", "rev": "b6c5dfc2a1c7614c94fd2c5d2e8578fd52396f3b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -145,11 +145,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1764234087, "lastModified": 1747663185,
"narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=", "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixos-generators", "repo": "nixos-generators",
"rev": "032a1878682fafe829edfcf5fdfad635a2efe748", "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -160,11 +160,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1764440730, "lastModified": 1747900541,
"narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=", "narHash": "sha256-dn64Pg9xLETjblwZs9Euu/SsjW80pd6lr5qSiyLY1pg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3", "rev": "11f2d9ea49c3e964315215d6baa73a8d42672f06",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -192,11 +192,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1764517877, "lastModified": 1748190013,
"narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=", "narHash": "sha256-R5HJFflOfsP5FBtk+zE8FpL8uqE7n62jqOsADvVshhE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2d293cbfa5a793b4c50d17c05ef9e385b90edf6c", "rev": "62b852f6c6742134ade1abdd2a21685fd617a291",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -208,16 +208,16 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1764522689, "lastModified": 1748162331,
"narHash": "sha256-SqUuBFjhl/kpDiVaKLQBoD8TLD+/cTUzzgVFoaHrkqY=", "narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f", "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-25.11", "ref": "nixos-25.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@@ -246,11 +246,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1764483358, "lastModified": 1747603214,
"narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=", "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "5aca6ff67264321d47856a2ed183729271107c9c", "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -262,11 +262,11 @@
"spectrum": { "spectrum": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1759482047, "lastModified": 1746869549,
"narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=", "narHash": "sha256-BKZ/yZO/qeLKh9YqVkKB6wJiDQJAZNN5rk5NsMImsWs=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9", "rev": "d927e78530892ec8ed389e8fae5f38abee00ad87",
"revCount": 996, "revCount": 862,
"type": "git", "type": "git",
"url": "https://spectrum-os.org/git/spectrum" "url": "https://spectrum-os.org/git/spectrum"
}, },
@@ -450,11 +450,11 @@
"utils": "utils_4" "utils": "utils_4"
}, },
"locked": { "locked": {
"lastModified": 1764942243, "lastModified": 1751462005,
"narHash": "sha256-P02Zm0VAON9SqRxqe6h5vfxgpCBYeiz5JPWGIn6KFFg=", "narHash": "sha256-vhr2GORiXij3mL+QIfnL0sKSbbBIglw1wnHWNmFejiA=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "f56b7eb6887b7e0fecae4a1f4c1311392eebad8d", "rev": "f505fb17bf1882cc3683e1e252ce44583cbe58ce",
"revCount": 156, "revCount": 155,
"type": "git", "type": "git",
"url": "https://git.dynamicdiscord.de/kalipso/zineshop" "url": "https://git.dynamicdiscord.de/kalipso/zineshop"
}, },


@@ -3,7 +3,7 @@
inputs = { inputs = {
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
sops-nix.url = "github:Mic92/sops-nix"; sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs"; sops-nix.inputs.nixpkgs.follows = "nixpkgs";


@@ -48,7 +48,7 @@ in
firefox firefox
thunderbird thunderbird
telegram-desktop telegram-desktop
tor-browser tor-browser-bundle-bin
keepassxc keepassxc
libreoffice libreoffice
gimp gimp


@@ -49,10 +49,6 @@ in
locations."/" = { locations."/" = {
proxyPass = "http://10.0.0.10"; proxyPass = "http://10.0.0.10";
extraConfig = '' extraConfig = ''
client_max_body_size 10G;
client_body_timeout 3600s;
send_timeout 3600s;
fastcgi_buffers 64 4K;
''; '';
}; };
}; };


@@ -1,7 +1,6 @@
{ inputs, config, ... }: { inputs, config, ... }:
let let
sshKeys = import ../ssh_keys.nix; sshKeys = import ../ssh_keys.nix;
peers = import ../modules/malobeo/peers.nix;
in in
{ {
sops.defaultSopsFile = ./secrets.yaml; sops.defaultSopsFile = ./secrets.yaml;
@@ -86,42 +85,8 @@ in
enable = true; enable = true;
authorizedKeys = sshKeys.admins; authorizedKeys = sshKeys.admins;
ethernetDrivers = ["r8169"]; ethernetDrivers = ["r8169"];
zfsExtraPools = [ "storage" ];
}; };
boot.initrd = {
availableKernelModules = [ "wireguard" ];
# postMountCommands = ''
# ip address flush dev wg-initrd
# ip link set dev wg-initrd down
# '';
systemd = {
enable = true;
network = {
enable = true;
netdevs."30-wg-initrd" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-initrd";
};
wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };
wireguardPeers = [{
AllowedIPs = peers.vpn.allowedIPs;
PublicKey = peers.vpn.publicKey;
Endpoint = "${peers.vpn.publicIp}:${builtins.toString(peers.vpn.listenPort)}";
PersistentKeepalive = 25;
}];
};
networks."30-wg-initrd" = {
name = "wg-initrd";
addresses = [{ Address = "${peers.fanny-initrd.address}/24"; }];
};
};
};
};
boot.initrd.secrets."/etc/secrets/30-wg-initrd.key" = "/etc/wireguard/wg.private";
services.malobeo.vpn = { services.malobeo.vpn = {
enable = true; enable = true;
name = "fanny"; name = "fanny";
@@ -165,10 +130,7 @@ in
proxyPass = "http://10.0.0.13"; proxyPass = "http://10.0.0.13";
extraConfig = '' extraConfig = ''
proxy_set_header Host $host; proxy_set_header Host $host;
client_max_body_size ${inputs.self.nixosConfigurations.nextcloud.config.services.nextcloud.maxUploadSize}; client_max_body_size 10G;
client_body_timeout 3600s;
send_timeout 3600s;
fastcgi_buffers 64 4K;
''; '';
}; };
}; };
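Review bot: In the last hunk `client_max_body_size` is an interpolation of `services.nextcloud.maxUploadSize` in one column and the literal `10G` in the other; if the literal is the new side (the page has lost its +/- markers), the proxy limit and Nextcloud's own upload limit become two separately maintained values. They agree today only because `maxUploadSize` is also `"10G"`, and a later change to one will make large uploads fail at the proxy without any evaluation error. I would keep the reference, `client_max_body_size ${inputs.self.nixosConfigurations.nextcloud.config.services.nextcloud.maxUploadSize};`, or at least add a comment next to the literal naming the option it has to match.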


@@ -31,7 +31,7 @@
firefox firefox
thunderbird thunderbird
telegram-desktop telegram-desktop
tor-browser tor-browser-bundle-bin
keepassxc keepassxc
libreoffice libreoffice
gimp gimp


@@ -22,11 +22,6 @@ in
description = "Ethernet drivers to load: run `lspci -k | grep -iA4 ethernet`"; description = "Ethernet drivers to load: run `lspci -k | grep -iA4 ethernet`";
example = "r8169"; example = "r8169";
}; };
zfsExtraPools = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = "Name or GUID of extra ZFS pools that you wish to import during boot.";
};
}; };
config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) { config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
@@ -37,41 +32,33 @@ in
zfs = { zfs = {
forceImportAll = true; forceImportAll = true;
requestEncryptionCredentials = true; requestEncryptionCredentials = true;
extraPools = cfg.zfsExtraPools;
}; };
initrd = { initrd = {
availableKernelModules = cfg.ethernetDrivers; availableKernelModules = cfg.ethernetDrivers;
systemd = { systemd = {
initrdBin = [ pkgs.busybox pkgs.wireguard-tools pkgs.iproute2 ];
enable = true; enable = true;
network.enable = true; network.enable = true;
services."stopInitVpn" = {
description = "stop init vpn";
wantedBy = [
"initrd.target"
];
after = [
"zfs.target"
];
serviceConfig.StandardOutput = "journal+console";
script = ''
networkctl down wg-initrd
'';
serviceConfig.Type = "oneshot";
}; };
}; network.ssh = {
network = {
flushBeforeStage2 = true;
ssh = {
enable = true; enable = true;
port = 222; port = 222;
authorizedKeys = cfg.authorizedKeys; authorizedKeys = cfg.authorizedKeys;
hostKeys = [ "/etc/ssh/initrd" ]; hostKeys = [ "/etc/ssh/initrd" ];
}; };
};
secrets = { secrets = {
"/etc/ssh/initrd" = "/etc/ssh/initrd"; "/etc/ssh/initrd" = "/etc/ssh/initrd";
}; };
systemd.services.zfs-remote-unlock = {
description = "Prepare for ZFS remote unlock";
wantedBy = ["initrd.target"];
after = ["systemd-networkd.service"];
path = with pkgs; [ zfs ];
serviceConfig.Type = "oneshot";
script = ''
echo "systemctl default" >> /var/empty/.profile
'';
};
}; };
kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ]; kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
}; };
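Review bot: `flushBeforeStage2 = true;` appears in only one column of the second hunk, and if the `network.ssh = {` form is the new side, whether the initrd's network configuration is torn down before stage 2 is left to the module default; the page has lost its +/- markers, so this should be checked against the real diff. If the flush is still intended, state it explicitly with `network.flushBeforeStage2 = true;` beside `network.ssh`. The `zfs-remote-unlock` unit also lists `path = with pkgs; [ zfs ]` although its script only appends `systemctl default` to `/var/empty/.profile`, so a one-line comment saying why that profile line is needed, and dropping the unused `path`, would make the unlock flow auditable.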


@@ -44,14 +44,6 @@
publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU="; publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
}; };
"fanny-initrd" = {
role = "client";
address = "10.100.0.102";
allowedIPs = [ "10.100.0.102/32" ];
#TODO: UPDATE
publicKey = "h1A2yt7OQ5EJIilC8tQg203u27o6J6/c+Kd/pZ4UWAY=";
};
"backup0" = { "backup0" = {
role = "client"; role = "client";
address = "10.100.0.20"; address = "10.100.0.20";


@@ -31,13 +31,9 @@ with lib;
lokiHost = "10.0.0.14"; lokiHost = "10.0.0.14";
}; };
services.postgresqlBackup = {
enable = true;
};
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
package = pkgs.nextcloud32; package = pkgs.nextcloud31;
hostName = "cloud.malobeo.org"; hostName = "cloud.malobeo.org";
config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path; config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path;
maxUploadSize = "10G"; maxUploadSize = "10G";
@@ -52,9 +48,14 @@ with lib;
extraAppsEnable = true; extraAppsEnable = true;
extraApps = { extraApps = {
inherit (config.services.nextcloud.package.packages.apps) contacts calendar polls registration collectives forms; inherit (config.services.nextcloud.package.packages.apps) contacts calendar polls registration collectives forms;
appointments = pkgs.fetchNextcloudApp {
sha256 = "sha256-ls1rLnsX7U9wo2WkEtzhrvliTcWUl6LWXolE/9etJ78=";
url = "https://github.com/SergeyMosin/Appointments/raw/refs/tags/v2.4.3/build/artifacts/appstore/appointments.tar.gz";
license = "agpl3Plus";
};
deck = pkgs.fetchNextcloudApp { deck = pkgs.fetchNextcloudApp {
sha256 = "sha256-epjwIANb6vTNx9KqaG6jZc14YPoFMBTCj+/c9JHcWkA="; sha256 = "sha256-1sqDmJpM9SffMY2aaxwzqntdjdcUaRySyaUDv9VHuiE=";
url = "https://link.storjshare.io/raw/jvrl62dakd6htpyxohjkiiqiw5ma/mal/deck32.tar.gz"; url = "https://link.storjshare.io/raw/jw7pf6gct34j3pcqvlq6ddasvdwq/mal/deck.tar.gz";
license = "agpl3Plus"; license = "agpl3Plus";
}; };
}; };
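Review bot: The `deck` app in the second hunk is fetched from a `link.storjshare.io` share link, whereas the `appointments` entry in the same hunk points at a tagged upstream URL (`refs/tags/v2.4.3`). The `sha256` pins the bytes, so a swapped tarball would fail the build, but nothing visible records which Deck release the archive corresponds to or where it was built, which leaves the next hash bump with no origin to verify against. I would add a comment above the attribute such as `# deck <VERSION_PLACEHOLDER>, repackaged from <UPSTREAM_URL_PLACEHOLDER>`, or switch the URL to the upstream release artifact if one exists for this Nextcloud version.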


@@ -1,5 +1,5 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -eo pipefail set -o pipefail
for command in "jq" "xq" "grep" "curl" "sed" for command in "jq" "xq" "grep" "curl" "sed"
do do
if ! command -v $command >/dev/null 2>&1 if ! command -v $command >/dev/null 2>&1
@@ -13,7 +13,7 @@ get_cookie () {
if [[ $1 == "-d" ]]; then if [[ $1 == "-d" ]]; then
cookie=$(cat request_example_1.txt) cookie=$(cat request_example_1.txt)
else else
cookie=$(curl -s -D - -X GET http://192.168.1.42/wcd/index.html) cookie=$(curl -D - -X GET http://192.168.1.42/wcd/index.html)
fi fi
exitCode="$?" exitCode="$?"
@@ -93,14 +93,15 @@ system_counter_ScanFaxCounter_keys=("DocumentReadTotal" "DocumentReadLarge" "Fax
system_consumables_base_keys=("Toner (Yellow)" "Toner (Magenta)" "Toner (Cyan)" "Toner (Black)" "Drum Cartridge (Cyan)" "Developer Cartridge (Cyan)" "Drum Cartridge (Magenta)" "Developer Cartridge (Magenta)" "Drum Cartridge (Yellow)" "Developer Cartridge (Yellow)" "Drum Cartridge (Black)" "Developer Cartridge (Black)" "Fusing Unit" "Image Transfer Belt Unit" "Transfer Roller Unit") system_consumables_base_keys=("Toner (Yellow)" "Toner (Magenta)" "Toner (Cyan)" "Toner (Black)" "Drum Cartridge (Cyan)" "Developer Cartridge (Cyan)" "Drum Cartridge (Magenta)" "Developer Cartridge (Magenta)" "Drum Cartridge (Yellow)" "Developer Cartridge (Yellow)" "Drum Cartridge (Black)" "Developer Cartridge (Black)" "Fusing Unit" "Image Transfer Belt Unit" "Transfer Roller Unit")
#End Variables------------- #End Variables-------------
echo "Getting cookie" echo "Start getting cookie"
get_cookie "$@" get_cookie "$@"
echo "Cookie got"
echo "Start extracting info from system_counter" echo "Start extract from system_counter"
if [[ $1 == "-d" ]]; then if [[ $1 == "-d" ]]; then
system_counter_data=$(cat system_counter.xml |xq) system_counter_data=$(cat system_counter.xml |xq)
else else
system_counter_data=$(curl -s -X GET http://192.168.1.42/wcd/system_counter.xml -H "Cookie: ID=$cookie" |xq) system_counter_data=$(curl -X GET http://192.168.1.42/wcd/system_counter.xml -H "Cookie: ID=\"$cookie\"" |xq)
fi fi
get_values ".MFP.Count.UserCounterInfo.TotalCounterList.TotalCounter" system_counter_TotalCounter_keys TotalCounter get_values ".MFP.Count.UserCounterInfo.TotalCounterList.TotalCounter" system_counter_TotalCounter_keys TotalCounter
@@ -117,17 +118,19 @@ get_values ".MFP.Count.UserCounterInfo.ScanFaxCounterList.ScanFaxCounter" system
get_values_DeviceStatus system_counter_DeviceStatus_keys DeviceStatus get_values_DeviceStatus system_counter_DeviceStatus_keys DeviceStatus
echo "Start extracting info from system_consumables" echo "Stop extract from system_counter"
echo
echo "Start extract from system_consumables"
if [[ $1 == "-d" ]]; then if [[ $1 == "-d" ]]; then
system_consumables_data=$(cat system_consumables.xml |xq) system_consumables_data=$(cat system_consumables.xml |xq)
else else
system_consumables_data=$(curl -s -X GET http://192.168.1.42/wcd/system_consumable.xml -H "Cookie: ID=$cookie" |xq) system_consumables_data=$(curl -X GET http://192.168.1.42/wcd/system_counter.xml -H "Cookie: ID=\"$cookie\"")
fi fi
get_values_consumables system_consumables_base_keys Consumables get_values_consumables system_consumables_base_keys Consumables
echo "Sending data to prometheus-pushgateway..." echo "Stop extract from system_consumables"
echo "$valueStore" | curl -s --data-binary @- http://localhost:9091/metrics/job/printer echo "$valueStore" | curl --data-binary @- http://localhost:9091/metrics/job/printer
echo "Success!" echo "Success!"
exit 0 exit 0
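Review bot: In the right-hand column of the last hunk, `system_consumables_data` is fetched from `/wcd/system_counter.xml` and is not piped through `xq`, so `get_values_consumables` would presumably receive raw counter XML instead of parsed consumables data, assuming the right column is the new side (the page has lost its +/- markers). I would use `system_consumables_data=$(curl -s -X GET http://192.168.1.42/wcd/system_consumable.xml -H "Cookie: ID=$cookie" |xq)`. The first hunk also turns `set -eo pipefail` into `set -o pipefail`, so a failed `curl` or `xq` no longer stops the script before `$valueStore` is posted to the pushgateway; keeping `-e`, or checking each exit status, avoids publishing empty or partial metrics as if the scrape had succeeded. The session cookie is sent over plain `http://` on every request, which deserves a comment stating which network the printer is expected to be reachable on.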


@@ -45,10 +45,6 @@ with lib;
proxyPass = "http://10.100.0.101"; proxyPass = "http://10.100.0.101";
extraConfig = '' extraConfig = ''
proxy_set_header Host $host; proxy_set_header Host $host;
client_max_body_size ${inputs.self.nixosConfigurations.nextcloud.config.services.nextcloud.maxUploadSize};
client_body_timeout 3600s;
send_timeout 3600s;
fastcgi_buffers 64 4K;
''; '';
}; };
}; };


@@ -31,13 +31,10 @@ cd "$pwpath"
# Generate SSH keys # Generate SSH keys
ssh-keygen -f $hostkey -t ed25519 -N "" -C "root@$host" ssh-keygen -f $hostkey -t ed25519 -N "" -C "root@$host"
ssh-keygen -f $initrdkey -t ed25519 -N "" -C "root@$host-initrd" ssh-keygen -f $initrdkey -t ed25519 -N "" -C "root@$host-initrd"
wg genkey > wg.private
publickey=$(cat wg.private | wg pubkey)
#encrypt the private keys #encrypt the private keys
sops -e -i ./$hostkey sops -e -i ./$hostkey
sops -e -i ./$initrdkey sops -e -i ./$initrdkey
sops -e -i ./wg.private
#generate encryption key #generate encryption key
tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
@@ -48,9 +45,6 @@ echo
echo "Hier ist der age public key für sops etc:" echo "Hier ist der age public key für sops etc:"
echo "$(ssh-to-age -i ./"$hostkey".pub)" echo "$(ssh-to-age -i ./"$hostkey".pub)"
echo echo
echo "Hier ist der wireguard pubkey für das gerät"
echo "$publickey"
echo
echo "Hier ist eine reproduzierbare mac-addresse:" echo "Hier ist eine reproduzierbare mac-addresse:"
echo "$hostname"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' echo "$hostname"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'


@@ -40,9 +40,7 @@ trap cleanup EXIT
# Create the directory where sshd expects to find the host keys # Create the directory where sshd expects to find the host keys
install -d -m755 "$temp/etc/ssh/" install -d -m755 "$temp/etc/ssh/"
install -d -m755 "$temp/etc/wireguard/"
##TODO:: wg genkey + pubkey --> /etc/wireguard/wg.private
diskKey=$(sops -d $pwpath/disk.key) diskKey=$(sops -d $pwpath/disk.key)
echo "$diskKey" > /tmp/secret.key echo "$diskKey" > /tmp/secret.key
@@ -50,7 +48,6 @@ sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname"
sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd" sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
sops -d "$pwpath/wg.private" > "$temp/etc/wireguard/wg.private"
# # Set the correct permissions so sshd will accept the key # # Set the correct permissions so sshd will accept the key
chmod 600 "$temp/etc/ssh/$hostname" chmod 600 "$temp/etc/ssh/$hostname"
chmod 600 "$temp/etc/ssh/initrd" chmod 600 "$temp/etc/ssh/initrd"


@@ -24,16 +24,14 @@ diskkey=$(sops -d machines/$hostname/secrets/disk.key)
echo echo
if [ $# = 1 ] if [ $# = 1 ]
then then
ssh $sshoptions root@$hostname-initrd "zpool import -a" echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #root
echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "zfs load-key storage/encrypted" #root
echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #data echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #data
elif [ $# = 2 ] elif [ $# = 2 ]
then then
ip=$2 ip=$2
ssh $sshoptions root@$ip "zpool import -a" echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #root
echo "$diskkey" | ssh $sshoptions root@$ip "zfs load-key storage/encrypted" echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #data
echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent"
else else
echo echo