Commit 0d85b37d authored by Peter Palfrader's avatar Peter Palfrader
split out new-machine-mandos

parent a51aaa98
......@@ -41,17 +41,4 @@ Then
To setup autoboot using mandos:
1. add a new key to the LUKS partition and prepare mandos snippet:
(DEVICE=/dev/sda2 &&
apt install -y haveged mandos-client &&
echo '--options-for=mandos-client:--connect=116.203.128.207:16283' >> /etc/mandos/plugin-runner.conf
umask 077 &&
t=`tempfile` &&
dd if=/dev/random bs=1 count=128 of="$t" &&
cryptsetup luksAddKey $DEVICE "$t" &&
mandos-keygen --passfile "$t"
)
1. add the output of `mandos-keygen` from above to `/etc/mandos/clients.conf` on the mandos-server and `service mandos restart` and `puppet agent -t` (to update the firewall after you added the host to ldap)
1. rebuild the initrd on the new host `update-initramfs -u` and reboot
See [[new-machine-mandos]] for setting up the mandos client on this host.
......@@ -195,4 +195,5 @@ which we'll use below.
Configuration
-------------
See [[new-machine]] for post-install configuration steps.
See [[new-machine]] for post-install configuration steps, then
follow [[new-machine-mandos]] for setting up the mandos client on this host.
Mandos is a means to give LUKS keys to machines that want to boot but have an encrypted rootfs.
Here's how you add a new client to our setup:
1. add a new key to the LUKS partition and prepare mandos snippet:
echo 'encrypted (root/lvm/..) device (e.g. /dev/sda2 or /dev/mb/pv_nvme): ' && read DEVICE &&
apt install -y haveged mandos-client &&
(grep 116.203.128.207 /etc/mandos/plugin-runner.conf || echo '--options-for=mandos-client:--connect=116.203.128.207:16283' | tee -a /etc/mandos/plugin-runner.conf) &&
umask 077 &&
t=`tempfile` &&
dd if=/dev/random bs=1 count=128 of="$t" &&
cryptsetup luksAddKey $DEVICE "$t" &&
mandos-keygen --passfile "$t"
1. add the output of `mandos-keygen` from above to `/etc/mandos/clients.conf` on the mandos-server and `service mandos restart` and `puppet agent -t` (to update the firewall after you added the host to ldap)
1. rebuild the initrd on the new host `update-initramfs -u` and reboot
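Review bot: in the "add a new key to the LUKS partition" step, the 128 random bytes that `dd` writes to `$t` become a valid LUKS passphrase via `cryptsetup luksAddKey`, but the file is never deleted after `mandos-keygen --passfile "$t"`, so a plaintext copy of the new key stays in the temp directory; append `&& rm -f "$t"` after the keygen line (or set `trap 'rm -f "$t"' EXIT` before creating it). Two smaller points in the same block: `cryptsetup luksAddKey $DEVICE "$t"` should quote `"$DEVICE"` now that the value comes from `read`, and `tempfile` is deprecated on Debian in favour of `mktemp`. The `grep 116.203.128.207 ... || echo ... | tee -a` guard is a good change, since the old unconditional `>>` appended a duplicate `--options-for` line on every re-run.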
......@@ -30,7 +30,8 @@ All commands to be run as root unless otherwise noted.
* sanitize DNS configuration:
grep torproject.org /etc/resolv.conf || echo 'domain torproject.org' >> /etc/resolv.conf
# grep torproject.org /etc/resolv.conf || echo 'domain torproject.org' >> /etc/resolv.conf
grep torproject.org /etc/resolv.conf || ( echo 'domain torproject.org'; echo 'nameserver 8.8.8.8' ) > /etc/resolv.conf
vi /etc/hosts # make sure the local host is there with both FQDN and just hostname
* add to ldap on `alberti` using:
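Review bot: the new `grep torproject.org /etc/resolv.conf || ( echo 'domain torproject.org'; echo 'nameserver 8.8.8.8' ) > /etc/resolv.conf` line redirects with `>` rather than `>>`, so on any host whose resolv.conf merely lacks the `domain` line it throws away the existing `nameserver` entries (typically the provider's resolvers) and silently routes all of the host's DNS to Google's public resolver; if the intent is only a fallback, append with `>>` or add the nameserver line only when `grep -q '^nameserver'` finds none. The commented-out copy of the old command on the line above (`# grep torproject.org ...`) is dead text and should be removed rather than kept as a comment.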