init

2026-02-25 11:18:24 +01:00
commit f8aa6f8b9f
5 changed files with 339 additions and 0 deletions
--- a/user-data.tmpl
+++ b/user-data.tmpl
@@ -0,0 +1,102 @@
+# vim: set filetype=yaml :
+
+#cloud-config
+# user-data.tmpl — plaintext template, safe to commit to git
+# Secrets are injected at build time via envsubst from secrets.sops.yaml
+autoinstall:
+  version: 1
+
+  # ─── LOCALE & KEYBOARD ─────────────────────────────────────────────────────
+  locale: en_US.UTF-8
+  keyboard:
+    layout: us
+
+  # ─── NETWORK ───────────────────────────────────────────────────────────────
+  network:
+    version: 2
+    ethernets:
+      any-eth:
+        match:
+          name: "en*"
+        dhcp4: true
+    wifis:
+      wlp0s20f3:
+        dhcp4: true
+        access-points:
+          "house":
+            password: "${WIFI_HOUSE_PASSWORD}"
+          "house5":
+            password: "${WIFI_HOUSE_PASSWORD}"
+          "NOKIA":
+            auth:
+              key-management: eap
+              eap-method: tls
+              identity: "host/alfoldi.ipa.nsn-net.net"
+              ca-certificate: /nokia/vpn/NOKIA_Root_CA.crt
+              client-certificate: /nokia/vpn/alfoldi.ipa.nsn-net.net.crt
+              client-key: /nokia/vpn/alfoldi.ipa.nsn-net.net.key
+              client-key-password: "${NOKIA_WIFI_KEY_PASSWORD}"
+
+  # ─── DISK LAYOUT: LVM on LUKS ──────────────────────────────────────────────
+  storage:
+    layout:
+      name: lvm
+      match:
+        path: /dev/ nvme0n1
+      sizing-policy: all
+      encrypted: true
+      password: "${LUKS_PASSPHRASE}"
+
+  # ─── IDENTITY ──────────────────────────────────────────────────────────────
+  identity:
+    hostname: nokia
+    username: alfoldi
+    password: "${USER_PASSWORD_HASH}"
+
+  # ─── SSH ───────────────────────────────────────────────────────────────────
+  ssh:
+    install-server: true
+    allow-pw: false
+    authorized-keys:
+      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgcJfi0dZotMWa8zQvxXduM76GmQfoPvMU5FjIFZCAa alfonzso@gmail.com"
+
+  # ─── CERT FILES ────────────────────────────────────────────────────────────
+  write_files:
+    - path: /nokia/vpn/NOKIA_Root_CA.crt
+      permissions: '0600'
+      owner: root:root
+      encoding: b64
+      content: "${NOKIA_CA_CERT_B64}"
+
+    - path: /nokia/vpn/alfoldi.ipa.nsn-net.net.crt
+      permissions: '0600'
+      owner: root:root
+      encoding: b64
+      content: "${NOKIA_CLIENT_CERT_B64}"
+
+    - path: /nokia/vpn/alfoldi.ipa.nsn-net.net.key
+      permissions: '0600'
+      owner: root:root
+      encoding: b64
+      content: "${NOKIA_CLIENT_KEY_B64}"
+
+  # ─── PACKAGES ──────────────────────────────────────────────────────────────
+  packages:
+    - git
+    - curl
+    - wget
+    - vim
+    - build-essential
+    - python3
+    - python3-pip
+    - python3-venv
+    - apt-transport-https
+    - ca-certificates
+    - gnupg
+    - lsb-release
+
+  late-commands:
+    - curtin in-target -- bash /post-install.sh
+
+  updates: security
+  shutdown: reboot