split out new-machine-mandos

0d85b37d · Peter Palfrader · a51aaa98 · 0d85b37d · 0d85b37d · 0d85b37d
Commit 0d85b37d authored 5 years ago by Peter Palfrader
--- a/tsa/howto/new-machine-hetzner-cloud.mdwn
+++ b/tsa/howto/new-machine-hetzner-cloud.mdwn
@@ -41,17 +41,4 @@ Then

 To setup autoboot using mandos:

- 1. add a new key to the LUKS partition and prepare mandos snippet:
-
-        (DEVICE=/dev/sda2 &&
-         apt install -y haveged mandos-client &&
-         echo '--options-for=mandos-client:--connect=116.203.128.207:16283' >> /etc/mandos/plugin-runner.conf
-         umask 077 &&
-         t=`tempfile` &&
-         dd if=/dev/random bs=1 count=128 of="$t" &&
-         cryptsetup luksAddKey $DEVICE "$t" &&
-         mandos-keygen --passfile "$t"
-        )
-
- 1. add the output of `mandos-keygen` from above to `/etc/mandos/clients.conf` on the mandos-server and `service mandos restart` and `puppet agent -t` (to update the firewall after you added the host to ldap)
- 1. rebuild the initrd on the new host `update-initramfs -u` and reboot
+See [[new-machine-mandos]] for setting up the mandos client on this host.
--- a/tsa/howto/new-machine-hetzner-robot.mdwn
+++ b/tsa/howto/new-machine-hetzner-robot.mdwn
@@ -195,4 +195,5 @@ which we'll use below.
 Configuration
 -------------

-See [[new-machine]] for post-install configuration steps.
+See [[new-machine]] for post-install configuration steps, then
+follow [[new-machine-mandos]] for setting up the mandos client on this host.
--- a/tsa/howto/new-machine-mandos.mdwn
+++ b/tsa/howto/new-machine-mandos.mdwn
+
+Mandos is a means to give LUKS keys to machines that want to boot but have an encrypted rootfs.
+
+Here's how you add a new client to our setup:
+
+ 1. add a new key to the LUKS partition and prepare mandos snippet:
+
+         echo 'encrypted (root/lvm/..) device (e.g. /dev/sda2 or /dev/mb/pv_nvme): ' && read DEVICE &&
+         apt install -y haveged mandos-client &&
+         (grep 116.203.128.207 /etc/mandos/plugin-runner.conf || echo '--options-for=mandos-client:--connect=116.203.128.207:16283' | tee -a /etc/mandos/plugin-runner.conf) &&
+         umask 077 &&
+         t=`tempfile` &&
+         dd if=/dev/random bs=1 count=128 of="$t" &&
+         cryptsetup luksAddKey $DEVICE "$t" &&
+         mandos-keygen --passfile "$t"
+
+ 1. add the output of `mandos-keygen` from above to `/etc/mandos/clients.conf` on the mandos-server and `service mandos restart` and `puppet agent -t` (to update the firewall after you added the host to ldap)
+ 1. rebuild the initrd on the new host `update-initramfs -u` and reboot
--- a/tsa/howto/new-machine.mdwn
+++ b/tsa/howto/new-machine.mdwn
@@ -30,7 +30,8 @@ All commands to be run as root unless otherwise noted.

 * sanitize DNS configuration:

-        grep torproject.org /etc/resolv.conf || echo 'domain torproject.org' >>  /etc/resolv.conf
+        # grep torproject.org /etc/resolv.conf || echo 'domain torproject.org' >>  /etc/resolv.conf
+        grep torproject.org /etc/resolv.conf || ( echo 'domain torproject.org'; echo 'nameserver 8.8.8.8' ) > /etc/resolv.conf
        vi /etc/hosts # make sure the local host is there with both FQDN and just hostname

 * add to ldap on `alberti` using: