# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#
#
# This file contains all required Secrets, Tokens and Public and Private Keys for the CISS.debian.installer
# Master V8.00.000.2025.06.17
# YAML specification: 1.2
#
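secrets:
  # Every entry below is a mapping with the same four keys:
  #   note  - human-readable purpose of the secret
  #   scope - the consumer the secret is meant for (grub, luks, mfa, auth, offsite-backup)
  #   type  - how `value` is encoded: plain | hash | sshpubkey
  #   value - the secret itself, always a quoted string
  # Everything typed "plain" is a live credential in clear text. Keep this file out of version
  # control (or encrypt it at rest), and rotate any value that has ever been committed or shared.
  # Values that read like placeholders (e.g. "PleASE_CHan3e_M!") must be replaced before first use.
  description: "Secrets for automated installation of encrypted systems on this host via primordial-workflow™."
  created_at: "2025-10-23"
  created_for: "host_domain_tld"
  name: "CISS.debian.installer"
  version: "V8.00.000.2025.06.17"
  # NOTE(review): kept as the quoted string "false", not a YAML boolean; the installer's schema
  # decides how this is interpreted — confirm before switching it to a bare boolean.
  x_files: "false"
  ##############################################################################################################################
  # Grub bootloader passphrase
  ##############################################################################################################################
  grub:
    note: "Password used to unlock the GRUB bootloader before system initialization."
    scope: "grub"
    type: "plain"
    value: "PleASE_CHan3e_M!"
  ##############################################################################################################################
  # LUKS and LUKS Nuke passphrase
  ##############################################################################################################################
  luks:
    backup:
      # value is "<share-identifier>:<password>"; the first ":" separates the two parts.
      note: "The value is [<share-identifier>:<password>] (colon-separated). Use the same dedicated destination and credentials across servers."
      scope: "offsite-backup"
      type: "plain"
      value: "NextcloudFolderNameOrShareID:SuperSecurePassword123!"
    boot:
      # Entered manually at the console, hence a passphrase that is easy to type.
      note: "Dedicated passphrase for the [/boot] partition; chosen for easy manual input via the VPS web console."
      scope: "luks"
      type: "plain"
      value: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
    common:
      # As shipped, `common` carries the same value as `boot`. Reusing one passphrase for both
      # volumes means a single disclosure unlocks everything; give each its own value in production.
      note: "Main LUKS passphrase baked into the installer for automated setup. For dropbear SSH input method only."
      scope: "luks"
      type: "plain"
      value: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
    nuke:
      # Destructive: entering this passphrase wipes all volumes. It must never collide with
      # any other passphrase in this file, and must be distinct on every host.
      note: "Special LUKS passphrase that triggers secure wipe of all volumes when entered."
      scope: "luks"
      type: "plain"
      value: "THIS_IS_THE_NUKE_PASSWORD!"
  ##############################################################################################################################
  # TOTP MFA seed and salt and other seed variables
  ##############################################################################################################################
  seeds:
    mfa:
      info:
        # Version tag for the MFA scheme; bump it to roll over derived secrets without
        # breaking hosts that still use the previous seed.
        note: "MFA version identifier, e.g., [totp:v1] for seamless mfa secrets rollover."
        scope: "mfa"
        type: "plain"
        value: "totp:v1"
      salt:
        note: "Used to add a salt to the MFA seed to derive per-host MFA secrets for remote unlock authentication."
        scope: "mfa"
        type: "plain"
        value: "CISS:CDI:OTP"
      secret:
        # 64 hex characters (32 bytes). This is the root of trust for every per-host MFA secret
        # derived from it: if it leaks, all derived secrets are compromised and the seed must be
        # regenerated (and `info` bumped).
        note: "Master seed (hex) used to derive per-machine MFA secrets for remote unlock authentication."
        scope: "mfa"
        type: "plain"
        value: "7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda"
  ##############################################################################################################################
  # User passwords and SSH keys
  ##############################################################################################################################
  user:
    root:
      password:
        # yescrypt hashes start with "$y$"; an empty value disables password authentication.
        note: "Password-hash, YESCRYPT only, for the root user. Leave value empty if disabled password authentication."
        scope: "auth"
        type: "hash"
        value: "$y$jFT$7pQlcZrgTEGrzkEm7UQW/.$QoCamalYEAV5mN4QWIE.xpHo8kvXa9sym2Uz.9oELwA"
      sshpubkey:
        # Public key only (no secret material). As shipped, the same key is reused for root, user0
        # and user1; in production each account should get its own key so access can be revoked
        # individually.
        note: "SSH public key for the root user. This key is also used for dropbear SSH authentication."
        scope: "auth"
        type: "sshpubkey"
        value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
    user0:
      name: "user"
      password:
        note: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
        scope: "auth"
        type: "hash"
        value: "$y$jFT$OGeZONH5ho2JSXvAbyIBQ1$5OhyHqOaMZ9BZcfMOYEwF.nMLFKd9ceiW2oNksPCHVB"
      sshpubkey:
        note: "SSH public key for the specified user."
        scope: "auth"
        type: "sshpubkey"
        value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
    user1:
      name: "ansible"
      password:
        # Empty on purpose: the automation account authenticates with its SSH key only.
        note: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
        scope: "auth"
        type: "hash"
        value: ""
      sshpubkey:
        note: "SSH public key for the specified user."
        scope: "auth"
        type: "sshpubkey"
        value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"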
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml