57_Wolve 7faa9098de feat: unified launcher, multi-OS hardening, login alerts & auto-updates
Restructure around a single entry point (automations.sh) with a Gum wizard and
a self-extracting bundle for repo-less installs. Add scripts/oslib.sh so the
provisioning scripts (setup-host, harden-ssh, harden-jumphost, sshuser) run on
Alpine/Debian/Alma; seed root keys from globals/.

- ntfy SSH-login alerts (user, source IP, key, region, jump target) via pam_exec
- daily auto-updates with AUTO_REBOOT=idle (reboots only when no SSH active) and
  opt-in Alpine stable-branch upgrades
- generic + per-deployment cloud-init; Gitea release workflow on tag
- README/LICENSE/.gitignore/.gitattributes (force LF); repo URLs -> Gitea
2026-06-12 14:56:02 -05:00


globals/

Shared, cross-deployment assets. Everything here is referenced by the launcher (../automations.sh), the helper library (../scripts/lib.sh), and the per-deployment cloud-init templates — so a value lives in exactly one place.

| File | Purpose |
|---|---|
| globals.env.example | Template of shared defaults. Copy to globals.env (git-ignored) and edit. Sourced by the launcher and lib.sh. |
| age-pubkey.txt | Age public key recipient(s) for encrypted backups. Used by any stack that backs up (e.g. simplex). Public key — safe to commit. |
| authorized_keys | Static admin SSH public keys. The fallback source when SSH_KEYS_URL is unset. |
| motd.txt | MOTD template (token-based) rendered to /etc/motd by ../scripts/setup-host.sh. You edit the content; the renderer draws the borders and computes all spacing. |
| Network Domain Name Schema.md | Reference: the DNS naming convention (service/device acronyms, UN/LOCODE geo-coding) used for host and service names. setup-host.sh derives the FQDN and Node ID from it. |

SSH key resolution (URL-preferred)

resolve_ssh_keys() in ../scripts/lib.sh decides where admin SSH keys come from:

  1. If SSH_KEYS_URL is set in globals.env, it is fetched live with curl -fsSL (always current — best when you rotate keys often). This can be a GitHub keys endpoint (https://github.com/<user>.keys) or any raw authorized_keys URL.
  2. Otherwise, globals/authorized_keys is read directly (self-contained, versioned — edit the repo to rotate).
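
A sketch of the URL-preferred resolution described above with validation added before anything is written to authorized_keys. This is an added example, not the project's resolve_ssh_keys() from ../scripts/lib.sh. The function names, the KEYS_FILE override, the HTTPS-only check, the return codes and the choice to fail closed when the fetch fails are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not the project's lib.sh. Only SSH_KEYS_URL and the
# globals/authorized_keys path come from the README; the rest is assumed.

# Keep only lines shaped like OpenSSH public keys: <type> <base64> [comment].
# Drops blanks, comments, HTML error pages and lines that begin with key options.
filter_pubkeys() {
    grep -E '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$' || true
}

# Prints validated keys on stdout. Returns non-zero and prints no keys when
# the source is unusable, so a caller never installs an empty or garbage file.
# KEYS_FILE is a hypothetical override for the static fallback path.
resolve_ssh_keys_checked() {
    keys_file="${KEYS_FILE:-globals/authorized_keys}"
    if [ -n "${SSH_KEYS_URL:-}" ]; then
        case "$SSH_KEYS_URL" in
            https://*) ;;
            *) echo "refusing non-HTTPS SSH_KEYS_URL" >&2; return 2 ;;
        esac
        # Fail closed: a failed fetch does not silently fall back to the
        # static file, which may still hold keys that were rotated out.
        raw="$(curl -fsSL --max-time 10 "$SSH_KEYS_URL")" || return 3
    else
        [ -r "$keys_file" ] || return 4
        raw="$(cat "$keys_file")"
    fi
    keys="$(printf '%s\n' "$raw" | filter_pubkeys)"
    [ -n "$keys" ] || { echo "no valid public keys found" >&2; return 5; }
    printf '%s\n' "$keys"
}
```

A caller would write the output to a temporary file and move it into place only when the function returns 0.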

Rules

  • Only public material lives here. Never commit private keys (SSH private keys, age identities). globals.env and common private-key filename patterns are git-ignored (see ../.gitignore).
  • Store the age private key(s) and SSH private keys somewhere safe, outside this repository.