# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
%YAML 1.2
---
### This file contains all required Secrets, Tokens and Public and Private Keys for the CISS.debian.installer
### Master V8.00.000.2025.06.17
### YAML specification: 1.2

secrets:
  created_at: "2025-10-23"
  created_for: "host_domain_tld"
  name: "CISS.debian.installer"
  version: "V8.00.000.2025.06.17"
  description: "Secrets for automated installation of encrypted systems on this host via primordial-workflow™."

user:
  root:
    password:
      hashed: "$y$jFT$7pQlcZrgTEGrzkEm7UQW/.$QoCamalYEAV5mN4QWIE.xpHo8kvXa9sym2Uz.9oELwA"
      description: "Password-hash, YESCRYPT only, for the root user. Leave value empty if disabled password authentication."
      scope: "auth"
      type: "user-password"
      note: "Used to unlock the root user."
    sshpubkey:
      value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
      description: "SSH public key for the root user."
      scope: "auth"
      type: "user-sshpubkey"
      note: "Used to unlock the root user."
  user0:
    password:
      hashed: "$y$jFT$OGeZONH5ho2JSXvAbyIBQ1$5OhyHqOaMZ9BZcfMOYEwF.nMLFKd9ceiW2oNksPCHVB"
      description: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
      scope: "auth"
      type: "user-password"
      note: "Used to unlock the specified user."
    sshpubkey:
      value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
      description: "SSH public key for the specified user."
      scope: "auth"
      type: "user-sshpubkey"
      note: "Used to unlock the specified user."
  user1:
    password:
      hashed: ""
      description: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
      scope: "auth"
      type: "user-password"
      note: "Used to unlock the specified user."
    sshpubkey:
      value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
      description: "SSH public key for the specified user."
      scope: "auth"
      type: "user-sshpubkey"
      note: "Used to unlock the specified user."

passwords:
  grub:
    plain: "PleASE_CHan3e_M!"
    description: "Password used to unlock the GRUB bootloader before system initialization."
    scope: "boot"
    type: "grub-password"
    notes: "Used to unlock the GRUB bootloader during early system initialization on encrypted systems."

  boot:
    plain: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
    description: "LUKS passphrase used to decrypt the /boot partition during system boot."
    scope: "boot"
    type: "luks-passphrase"
    notes: "Dedicated passphrase for the /boot partition; chosen for easy manual input via the VPS web console."

  luks:
    backup:
      plain: "NextcloudFolderNameOrShareID:SuperSecurePassword123!"
      description: "Credentials for the Nextcloud folder that stores encrypted LUKS header backups"
      scope: "offsite-backup"
      type: "nextcloud-share-credentials"
      notes: "The value is '<share-identifier>:<password>' (colon-separated). Use the same dedicated destination and credentials across servers."
    common:
      plain: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
      description: "Primary shared LUKS passphrase used by encrypted partitions during installation."
      scope: "installer"
      type: "luks-passphrase"
      notes: "Main LUKS passphrase baked into the installer for automated setup. For dropbear SSH input method only."
    nuke:
      plain: "THIS_IS_THE_NUKE_PASSWORD!"
      description: "Special LUKS passphrase that triggers secure wipe of all volumes when entered."
      scope: "emergency"
      type: "luks-passphrase-nuke"
      notes: "Use only to irreversibly destroy all encrypted volumes."

seeds:
  mfa:
    info:
      plain: "totp:v1"
      description: "MFA version identifier (e.g., 'totp:v1') for seamless mfa secrets rollover."
      scope: "auth"
      type: "mfa"
      notes: "Used to add version identifier to the MFA seed to derive per-host MFA secrets for remote unlock authentication."
    salt:
      plain: "CISS:CDI:OTP"
      description: "Combination of <plain> and (Server_FQDN/Username)"
      scope: "auth"
      type: "mfa"
      notes: "Used to add salt to the MFA seed to derive per-host MFA secrets for remote unlock authentication."
    secret:
      hex: "7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda"
      description: "Master seed (hex) used to derive per-machine MFA secrets for remote unlock authentication."
      scope: "auth"
      type: "mfa"
      notes: "Used solely for generating per-host one-time passwords (OTPs) utilized by MFA mechanisms for SSH, TTY, su, and sudo authentication"

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml