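# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#
#
# This file contains all required Secrets, Tokens and Public and Private Keys for the CISS.debian.installer
# Master V8.00.000.2025.06.17
# YAML specification: 1.2
#
# Each secret below is a mapping with the keys [note], [scope], [type] and [value]; the [type] values used in this file are
# "plain", "hash" and "sshpubkey".
# Every [value] shipped in this template is a published sample and has to be replaced before the file drives an installation.
# Entries of type "plain" hold the secret in clear text: keep a filled-in copy readable by its owner only and out of version
# control.
# NOTE(review): the key nesting was reconstructed from a copy with collapsed whitespace; verify it against the installer's
# parser before relying on it.
secrets:
  description: "Secrets for automated installation of encrypted systems on this host via primordial-workflow™."
  created_at: "2025-10-23"
  created_for: "host_domain_tld"
  name: "CISS.debian.installer"
  version: "V8.00.000.2025.06.17"
  x_files: "false"

################################################################################################################################
# Grub bootloader passphrase
################################################################################################################################
  grub:
    note: "Password used to unlock the GRUB bootloader before system initialization."
    scope: "grub"
    type: "plain"
    # Stored in clear text (type "plain"); replace the sample before use.
    value: "PleASE_CHan3e_M!"

################################################################################################################################
# LUKS and LUKS Nuke passphrase
################################################################################################################################
  luks:
    backup:
      # NOTE(review): the bracketed format in this note appears to have lost its placeholder text; the sample value has the
      # shape <folder-name-or-share-id>:<password> - confirm against the upstream file.
      note: "The value is [:] (colon-separated). Use the same dedicated destination and credentials across servers."
      scope: "offsite-backup"
      type: "plain"
      # Shared by every server per the note: keep these credentials limited to the dedicated backup destination, so a copy
      # leaked from one host exposes nothing beyond that destination.
      value: "NextcloudFolderNameOrShareID:SuperSecurePassword123!"
    boot:
      note: "Dedicated passphrase for the [/boot] partition; chosen for easy manual input via the VPS web console."
      scope: "luks"
      type: "plain"
      # The sample is identical to luks.common.value; a dedicated [/boot] passphrase only separates the two volumes when
      # the values differ.
      value: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
    common:
      note: "Main LUKS passphrase baked into the installer for automated setup. For dropbear SSH input method only."
      scope: "luks"
      type: "plain"
      # NOTE(review): the note says this passphrase is embedded in the installer, so the built installer image presumably
      # has to be handled as secret material as well - confirm how the image is stored and distributed.
      value: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
    nuke:
      note: "Special LUKS passphrase that triggers secure wipe of all volumes when entered."
      scope: "luks"
      type: "plain"
      # NOTE(review): presumably has to differ from luks.boot and luks.common, otherwise a regular unlock would match the
      # wipe passphrase - confirm with the unlock logic.
      value: "THIS_IS_THE_NUKE_PASSWORD!"

################################################################################################################################
# TOTP MFA seed and salt and other seed variables
################################################################################################################################
  seeds:
    mfa:
      info:
        note: "MFA version identifier, e.g., [totp:v1] for seamless mfa secrets rollover."
        scope: "mfa"
        type: "plain"
        value: "totp:v1"
      salt:
        note: "Used to add a salt to the MFA seed to derive per-host MFA secrets for remote unlock authentication."
        scope: "mfa"
        type: "plain"
        value: "CISS:CDI:OTP"
      secret:
        note: "Master seed (hex) used to derive per-machine MFA secrets for remote unlock authentication."
        scope: "mfa"
        type: "plain"
        # Per the note, all per-machine MFA secrets derive from this seed, so its disclosure affects every host enrolled
        # under it. The sample is 64 hex characters (32 bytes); replace it with a freshly generated random value of that
        # size from a cryptographically secure source.
        value: "7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda"

################################################################################################################################
# User passwords and SSH keys
################################################################################################################################
  user:
    root:
      password:
        note: "Password-hash, YESCRYPT only, for the root user. Leave value empty if disabled password authentication."
        scope: "auth"
        type: "hash"
        # yescrypt hash ($y$ prefix). The sample hash is public; replace it with a hash of your own password.
        value: "$y$jFT$7pQlcZrgTEGrzkEm7UQW/.$QoCamalYEAV5mN4QWIE.xpHo8kvXa9sym2Uz.9oELwA"
      sshpubkey:
        note: "SSH public key for the root user. This key is also used for dropbear SSH authentication."
        scope: "auth"
        type: "sshpubkey"
        # The same sample key is set for root, user0 and user1. Access to an account follows the matching private key,
        # and for root the note extends that to the dropbear login, so install your own public key here.
        value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
    user0:
      name: "user"
      password:
        note: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
        scope: "auth"
        type: "hash"
        # yescrypt hash ($y$ prefix). The sample hash is public; replace it with a hash of your own password.
        value: "$y$jFT$OGeZONH5ho2JSXvAbyIBQ1$5OhyHqOaMZ9BZcfMOYEwF.nMLFKd9ceiW2oNksPCHVB"
      sshpubkey:
        note: "SSH public key for the specified user."
        scope: "auth"
        type: "sshpubkey"
        # Same sample key as user.root.sshpubkey; replace it with this user's own public key.
        value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
    user1:
      name: "ansible"
      password:
        note: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
        scope: "auth"
        type: "hash"
        # Empty: per the note, password authentication is disabled for this account.
        # NOTE(review): confirm that the installer maps an empty value to a locked password rather than to an empty one.
        value: ""
      sshpubkey:
        note: "SSH public key for the specified user."
        scope: "auth"
        type: "sshpubkey"
        # Same sample key as user.root.sshpubkey; replace it with this user's own public key.
        value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml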