7faa9098de
Restructure around a single entry point (automations.sh) with a Gum wizard and a self-extracting bundle for repo-less installs. Add scripts/oslib.sh so the provisioning scripts (setup-host, harden-ssh, harden-jumphost, sshuser) run on Alpine/Debian/Alma; seed root keys from globals/.
- ntfy SSH-login alerts (user, source IP, key, region, jump target) via pam_exec
- daily auto-updates with AUTO_REBOOT=idle (reboots only when no SSH active) and opt-in Alpine stable-branch upgrades
- generic + per-deployment cloud-init; Gitea release workflow on tag
- README/LICENSE/.gitignore/.gitattributes (force LF); repo URLs -> Gitea
1.9 KiB
# globals/
Shared, cross-deployment assets. Everything here is referenced by the launcher
(`../automations.sh`), the helper library (`../scripts/lib.sh`), and the
per-deployment cloud-init templates, so a value lives in exactly one place.
| File | Purpose |
|---|---|
| `globals.env.example` | Template of shared defaults. Copy to `globals.env` (git-ignored) and edit. Sourced by the launcher and `lib.sh`. |
| `age-pubkey.txt` | Age public key recipient(s) for encrypted backups. Used by any stack that backs up (e.g. simplex). Public key, so it is safe to commit. |
| `authorized_keys` | Static admin SSH public keys. The fallback source when `SSH_KEYS_URL` is unset. |
| `motd.txt` | MOTD template (token-based) rendered to `/etc/motd` by `../scripts/setup-host.sh`. You edit the content; the renderer draws the borders and computes all spacing. |
| `Network Domain Name Schema.md` | Reference: the DNS naming convention (service/device acronyms, UN/LOCODE geo-coding) used for host and service names. `setup-host.sh` derives the FQDN and Node ID from it. |
## SSH key resolution (URL-preferred)

`resolve_ssh_keys()` in `../scripts/lib.sh` decides where admin SSH keys come from:

- If `SSH_KEYS_URL` is set in `globals.env`, it is fetched live with `curl -fsSL` (always current; best when you rotate keys often). This can be a GitHub keys endpoint (`https://github.com/<user>.keys`) or any raw `authorized_keys` URL.
- Otherwise, `globals/authorized_keys` is read directly (self-contained, versioned; edit the repo to rotate).
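The resolution rule above, written out as a stand-alone POSIX sh script. This is an added example, not the project's `lib.sh`: `filter_pubkeys`, `install_admin_keys`, `SSH_KEYS_FILE` and the sample key material are assumptions made here. It adds the two checks a provisioning script wants around a live fetch: only well-formed OpenSSH public-key lines are accepted, and an empty or failed result is an error rather than an empty `authorized_keys`, so a broken URL can never lock every admin out or truncate the keys already installed on the host.

```shell
#!/bin/sh
# Added example (not the project's lib.sh): URL-preferred admin key resolution
# with a fail-closed filter and an atomic install. All names are assumptions.
set -eu

# One recognised OpenSSH public-key line: key type, base64 blob, optional comment.
KEY_RE='^(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( [^[:space:]].*)?$'

# Reads candidate keys on stdin and prints only well-formed key lines.
# Returns 1 when nothing survives, so a failed or empty fetch cannot
# produce an empty authorized_keys that locks every admin out.
filter_pubkeys() {
    keys=$(grep -E "$KEY_RE" || true)
    [ -n "$keys" ] || return 1
    printf '%s\n' "$keys"
}

# Mirrors the README rule: SSH_KEYS_URL wins when set (fetched live),
# otherwise the static file is read. SSH_KEYS_FILE stands in for
# globals/authorized_keys in this example.
resolve_ssh_keys() {
    if [ -n "${SSH_KEYS_URL:-}" ]; then
        # curl -f turns HTTP errors into empty output, which filter_pubkeys rejects.
        curl -fsSL "$SSH_KEYS_URL" | filter_pubkeys
    else
        filter_pubkeys < "$SSH_KEYS_FILE"
    fi
}

# Writes the resolved keys to $1 (mode 0600) via a temp file and rename,
# so a failed resolution leaves the existing authorized_keys untouched.
install_admin_keys() {
    dest=$1
    tmp="$dest.tmp.$$"
    ( umask 077; resolve_ssh_keys > "$tmp" ) || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dest"
}

# Constructed sample inputs so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
SSH_KEYS_FILE="$SAMPLE_DIR/authorized_keys"
cat > "$SSH_KEYS_FILE" <<'EOF'
# constructed sample file: comments, blank lines and junk must be dropped
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyMaterial00000000 admin@example

this line is not a key and must be rejected
EOF
printf '# comments only, no usable key\n' > "$SAMPLE_DIR/comments_only"

# Stand-alone run: resolve from the file path (SSH_KEYS_URL is unset here).
if [ "${1:-}" = "--demo" ]; then
    install_admin_keys "$SAMPLE_DIR/dest"
    cat "$SAMPLE_DIR/dest"
fi
```

Run it with `--demo` to see the single valid sample key land in `dest`. Point `SSH_KEYS_URL` at a keys endpoint to exercise the fetch path; the `curl -f` plus the non-empty check means a 404 or a network failure returns non-zero instead of silently installing nothing.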
## Rules

- Only public material lives here. Never commit private keys (SSH private keys, age identities). `globals.env` and common private-key filename patterns are git-ignored (see `../.gitignore`).
- Store the age private key(s) and SSH private keys somewhere safe, outside this repository.