msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m51s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-23 14:32:55 +01:00
parent 551bd95d80
commit 081533db2a
1 changed files with 72 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files

160
.preseed/SECRETS.yaml
View File

@@ -21,101 +21,85 @@ secrets:
version: "V8.00.000.2025.06.17"
description: "Secrets for automated installation of encrypted systems on this host via primordial-workflow™."
user:
root:
password:
hashed: "$y$jFT$7pQlcZrgTEGrzkEm7UQW/.$QoCamalYEAV5mN4QWIE.xpHo8kvXa9sym2Uz.9oELwA"
description: "Password-hash, YESCRYPT only, for the root user. Leave value empty if disabled password authentication."
scope: "auth"
type: "user-password"
note: "Used to unlock the root user."
sshpubkey:
value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
description: "SSH public key for the root user."
scope: "auth"
type: "user-sshpubkey"
note: "Used to unlock the root user."
user0:
password:
hashed: "$y$jFT$OGeZONH5ho2JSXvAbyIBQ1$5OhyHqOaMZ9BZcfMOYEwF.nMLFKd9ceiW2oNksPCHVB"
description: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
scope: "auth"
type: "user-password"
note: "Used to unlock the specified user."
sshpubkey:
value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
description: "SSH public key for the specified user."
scope: "auth"
type: "user-sshpubkey"
note: "Used to unlock the specified user."
user1:
password:
hashed: ""
description: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
scope: "auth"
type: "user-password"
note: "Used to unlock the specified user."
sshpubkey:
value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
description: "SSH public key for the specified user."
scope: "auth"
type: "user-sshpubkey"
note: "Used to unlock the specified user."
passwords:
grub:
plain: "PleASE_CHan3e_M!"
description: "Password used to unlock the GRUB bootloader before system initialization."
scope: "boot"
type: "grub-password"
notes: "Used to unlock the GRUB bootloader during early system initialization on encrypted systems."
boot:
plain: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
description: "LUKS passphrase used to decrypt the /boot partition during system boot."
scope: "boot"
type: "luks-passphrase"
notes: "Dedicated passphrase for the /boot partition; chosen for easy manual input via the VPS web console."
note: "Password used to unlock the GRUB bootloader before system initialization."
scope: "grub"
type: "plain"
value: "PleASE_CHan3e_M!"
luks:
backup:
plain: "NextcloudFolderNameOrShareID:SuperSecurePassword123!"
description: "Credentials for the Nextcloud folder that stores encrypted LUKS header backups"
note: "The value is '<share-identifier>:<password>' (colon-separated). Use the same dedicated destination and credentials across servers."
scope: "offsite-backup"
type: "nextcloud-share-credentials"
notes: "The value is '<share-identifier>:<password>' (colon-separated). Use the same dedicated destination and credentials across servers."
type: "plain"
value: "NextcloudFolderNameOrShareID:SuperSecurePassword123!"
boot:
note: "Dedicated passphrase for the '/boot' partition; chosen for easy manual input via the VPS web console."
scope: "luks"
type: "plain"
value: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
common:
plain: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
description: "Primary shared LUKS passphrase used by encrypted partitions during installation."
scope: "installer"
type: "luks-passphrase"
notes: "Main LUKS passphrase baked into the installer for automated setup. For dropbear SSH input method only."
note: "Main LUKS passphrase baked into the installer for automated setup. For dropbear SSH input method only."
scope: "luks"
type: "plain"
value: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
nuke:
plain: "THIS_IS_THE_NUKE_PASSWORD!"
description: "Special LUKS passphrase that triggers secure wipe of all volumes when entered."
scope: "emergency"
type: "luks-passphrase-nuke"
notes: "Use only to irreversibly destroy all encrypted volumes."
note: "Special LUKS passphrase that triggers secure wipe of all volumes when entered."
scope: "luks"
type: "plain"
value: "THIS_IS_THE_NUKE_PASSWORD!"
seeds:
mfa:
info:
plain: "totp:v1"
description: "MFA version identifier (e.g., 'totp:v1') for seamless mfa secrets rollover."
scope: "auth"
type: "mfa"
notes: "Used to add version identifier to the MFA seed to derive per-host MFA secrets for remote unlock authentication."
salt:
plain: "CISS:CDI:OTP"
description: "Combination of <plain> and (Server_FQDN/Username)"
scope: "auth"
type: "mfa"
notes: "Used to add salt to the MFA seed to derive per-host MFA secrets for remote unlock authentication."
secret:
hex: "7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda"
description: "Master seed (hex) used to derive per-machine MFA secrets for remote unlock authentication."
scope: "auth"
type: "mfa"
notes: "Used solely for generating per-host one-time passwords (OTPs) utilized by MFA mechanisms for SSH, TTY, su, and sudo authentication"
seeds:
mfa:
info:
note: "MFA version identifier (e.g., 'totp:v1') for seamless mfa secrets rollover."
scope: "mfa"
type: "plain"
value: "totp:v1"
salt:
note: "Used to add a salt to the MFA seed to derive per-host MFA secrets for remote unlock authentication."
scope: "mfa"
type: "plain"
value: "CISS:CDI:OTP"
secret:
note: "Master seed (hex) used to derive per-machine MFA secrets for remote unlock authentication."
scope: "mfa"
type: "plain"
value: "7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda"
user:
root:
password:
note: "Password-hash, YESCRYPT only, for the root user. Leave value empty if disabled password authentication."
scope: "auth"
type: "hash"
value: "$y$jFT$7pQlcZrgTEGrzkEm7UQW/.$QoCamalYEAV5mN4QWIE.xpHo8kvXa9sym2Uz.9oELwA"
sshpubkey:
note: "SSH public key for the root user. This key is also used for dropbear SSH authentication."
scope: "auth"
type: "sshpubkey"
value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
user0:
password:
note: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
scope: "auth"
type: "hash"
value: "$y$jFT$OGeZONH5ho2JSXvAbyIBQ1$5OhyHqOaMZ9BZcfMOYEwF.nMLFKd9ceiW2oNksPCHVB"
sshpubkey:
note: "SSH public key for the specified user."
scope: "auth"
type: "sshpubkey"
value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
user1:
password:
note: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
scope: "auth"
type: "hash"
value: ""
sshpubkey:
note: "SSH public key for the specified user."
scope: "auth"
type: "sshpubkey"
value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml