Sovran_Systems/Sovran_SystemsOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

retooled pdf creator

Browse Source
This commit is contained in:
naturallaw77
2026-03-30 19:45:05 -05:00
parent 25e511f8b4
commit a0a28be7ca
1 changed files with 67 additions and 143 deletions
Download Patch File Download Diff File Expand all files Collapse all files

210
modules/credentials-pdf.nix
View File

@@ -1,5 +1,9 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let
# All dependencies in one place
fonts = pkgs.liberation_ttf;
in
{ {
# ── 1. Auto-Generate Root Password (Runs once) ───────────── # ── 1. Auto-Generate Root Password (Runs once) ─────────────
systemd.services.root-password-setup = { systemd.services.root-password-setup = {
@@ -11,45 +15,24 @@
}; };
path = [ pkgs.pwgen pkgs.shadow pkgs.coreutils ]; path = [ pkgs.pwgen pkgs.shadow pkgs.coreutils ];
script = '' script = ''
set -euo pipefail
SECRET_FILE="/var/lib/secrets/root-password" SECRET_FILE="/var/lib/secrets/root-password"
if [ ! -f "$SECRET_FILE" ]; then if [ ! -f "$SECRET_FILE" ]; then
mkdir -p /var/lib/secrets mkdir -p /var/lib/secrets
ROOT_PASS=$(pwgen -s 20 1) ROOT_PASS=$(pwgen -s 20 1)
# Apply the password to the root user
echo "root:$ROOT_PASS" | chpasswd echo "root:$ROOT_PASS" | chpasswd
# Save it for the PDF generator to read
echo "$ROOT_PASS" > "$SECRET_FILE" echo "$ROOT_PASS" > "$SECRET_FILE"
chmod 600 "$SECRET_FILE" chmod 600 "$SECRET_FILE"
fi fi
''; '';
}; };
# ── 2. The Path Watcher (The Magic Trigger!) ─────────────── # ── 2. Timer: Rebuild PDF every 5 minutes ──────────────────
# This tells NixOS: "If any files inside these folders change, systemd.timers.generate-credentials-pdf = {
# instantly run the generate-credentials-pdf service." description = "Periodically regenerate Magic Keys PDF";
systemd.paths.generate-credentials-pdf-trigger = { wantedBy = [ "timers.target" ];
description = "Watch for new secret files to regenerate Magic Keys PDF"; timerConfig = {
wantedBy = [ "multi-user.target" ]; OnBootSec = "30s";
pathConfig = { OnUnitActiveSec = "5min";
# Watch these directories for new passwords
PathChanged = [
"/var/lib/secrets"
"/var/lib/gnome-remote-desktop"
"/var/lib/domains"
"/etc/nix-bitcoin-secrets"
"/home/free/Documents"
];
# Watch for these specific Tor links to be generated
PathExists = [
"/var/lib/tor/onion/rtl/hostname"
"/var/lib/tor/onion/electrs/hostname"
"/var/lib/tor/onion/bitcoind/hostname"
];
Unit = "generate-credentials-pdf.service"; Unit = "generate-credentials-pdf.service";
}; };
}; };
@@ -59,63 +42,38 @@
description = "Generate Magic Keys PDF for Sovran_SystemsOS"; description = "Generate Magic Keys PDF for Sovran_SystemsOS";
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
# Prevent rapid re-triggering
RateLimitIntervalSec = 30;
RateLimitBurstSec = 1;
}; };
path = [ pkgs.pandoc pkgs.typst pkgs.coreutils pkgs.liberation_ttf ]; path = [ pkgs.pandoc pkgs.typst pkgs.coreutils fonts ];
environment = { environment = {
TYPST_FONT_PATHS = "${pkgs.liberation_ttf}/share/fonts"; TYPST_FONT_PATHS = "${fonts}/share/fonts";
}; };
script = '' script = ''
set -euo pipefail
# Give it a tiny delay so multiple files being created at once don't trigger it 10 times in a row
sleep 3
# Deduplication: only rebuild if inputs actually changed
HASH_FILE="/var/lib/secrets/.credentials-pdf-hash"
OUTPUT_PDF="/home/free/Documents/Sovran_SystemsOS_Magic_Keys.pdf"
# Collect the content of all possible input files into one hash
CURRENT_HASH=$(cat \
/var/lib/secrets/root-password \
/etc/nix-bitcoin-secrets/rtl-password \
/var/lib/tor/onion/rtl/hostname \
/var/lib/tor/onion/electrs/hostname \
/var/lib/tor/onion/bitcoind/hostname \
/var/lib/secrets/matrix-users \
/var/lib/gnome-remote-desktop/rdp-credentials \
/var/lib/secrets/nextcloud-admin \
/var/lib/secrets/wordpress-admin \
/var/lib/domains/vaultwarden \
/var/lib/domains/btcpayserver \
2>/dev/null | sha256sum | cut -d' ' -f1)
# Skip rebuild only if the PDF exists AND inputs haven't changed
if [ -f "$OUTPUT_PDF" ] && [ -f "$HASH_FILE" ] && [ "$(cat "$HASH_FILE")" = "$CURRENT_HASH" ]; then
echo "No input changes detected and PDF exists, skipping regeneration."
exit 0
fi
DOC_DIR="/home/free/Documents" DOC_DIR="/home/free/Documents"
mkdir -p "$DOC_DIR" OUTPUT="$DOC_DIR/Sovran_SystemsOS_Magic_Keys.pdf"
FILE="/tmp/magic_keys.md" FILE="/tmp/magic_keys.md"
mkdir -p "$DOC_DIR"
ROOT_PASS="Generating..."
if [ -f "/var/lib/secrets/root-password" ]; then # Read secrets (default to placeholder if missing)
ROOT_PASS=$(cat /var/lib/secrets/root-password) read_secret() { if [ -f "$1" ]; then cat "$1"; else echo "$2"; fi; }
fi
ROOT_PASS=$(read_secret /var/lib/secrets/root-password "Generating...")
cat << 'EOF' > "$FILE" RTL_PASS=$(read_secret /etc/nix-bitcoin-secrets/rtl-password "Not found")
RTL_ONION=$(read_secret /var/lib/tor/onion/rtl/hostname "Not generated yet")
ELECTRS_ONION=$(read_secret /var/lib/tor/onion/electrs/hostname "Not generated yet")
BITCOIN_ONION=$(read_secret /var/lib/tor/onion/bitcoind/hostname "Not generated yet")
# Build the Markdown document
cat > "$FILE" << ENDOFFILE
--- ---
title: "Sovran SystemsOS Magic Keys"
--- ---
# Your Sovran SystemsOS Magic Keys! 🗝 # Your Sovran SystemsOS Magic Keys! 🗝
Welcome to your new computer! We have built a lot of cool secret forts (services) for you. To get into your forts, you need your magic keys (passwords). Welcome to your new computer! We have built a lot of cool secret forts (services) for you. To get into your forts, you need your magic keys (passwords).
Here are all of your keys in one place. **Keep this document safe and do not share it with strangers!** Here are all of your keys in one place. **Keep this document safe and do not share it with strangers!**
@@ -124,58 +82,32 @@ These are the master keys to the actual machine.
### 1. Main Screen Unlock (The 'free' account) ### 1. Main Screen Unlock (The 'free' account)
When you turn the computer on, it usually logs you in automatically. However, if the screen goes to sleep, or **if you enable Remote Desktop (RDP)**, you will need this to log in: When you turn the computer on, it usually logs you in automatically. However, if the screen goes to sleep, or **if you enable Remote Desktop (RDP)**, you will need this to log in:
- **Username:** `free` - **Username:** \`free\`
- **Password:** `free` - **Password:** \`free\`
🚨 **VERY IMPORTANT:** You MUST write this password down and keep it safe! If you lose it, you will be locked out of your computer! 🚨 **VERY IMPORTANT:** You MUST write this password down and keep it safe! If you lose it, you will be locked out of your computer!
EOF
cat << EOF >> "$FILE"
### 2. The Big Boss (Root) ### 2. The Big Boss (Root)
Sometimes a pop-up box might ask for an Administrator (Root) password to change a setting. We created a super-secret password just for this! Sometimes a pop-up box might ask for an Administrator (Root) password to change a setting. We created a super-secret password just for this!
- **Root Password:** \`$ROOT_PASS\` - **Root Password:** \`$ROOT_PASS\`
EOF
cat << 'EOF' >> "$FILE" ### 3. The Hacker Terminal (\`ssh root@localhost\`)
Because your main account is so safe, you cannot just type normal commands to become the boss. If you open a black terminal box and want to make big changes, you must use your special factory key!
### 3. The Hacker Terminal (`ssh root@localhost`)
Because your main account is so safe, you cannot just type normal commands to become the boss. If you open a black terminal box and want to make big changes, you must use your special factory key!
Type this exact command into the terminal: Type this exact command into the terminal:
`ssh root@localhost` \`ssh root@localhost\`
When it asks for a passphrase, type: When it asks for a passphrase, type:
- **Terminal Password:** `gosovransystems` - **Terminal Password:** \`gosovransystems\`
ENDOFFILE
***
EOF
# --- BITCOIN ECOSYSTEM --- # --- BITCOIN ECOSYSTEM ---
if [ -f "/etc/nix-bitcoin-secrets/rtl-password" ] || [ -f "/var/lib/tor/onion/rtl/hostname" ]; then if [ -f "/etc/nix-bitcoin-secrets/rtl-password" ] || [ -f "/var/lib/tor/onion/rtl/hostname" ]; then
echo "## Your Bitcoin & Lightning Node" >> "$FILE" cat >> "$FILE" << BITCOIN
echo "Your computer is a real Bitcoin node! It talks to the network secretly using Tor. Here is how to connect your wallet apps to it:" >> "$FILE"
RTL_ONION="Not generated yet"
if [ -f "/var/lib/tor/onion/rtl/hostname" ]; then
RTL_ONION=$(cat /var/lib/tor/onion/rtl/hostname)
fi
RTL_PASS="Not found"
if [ -f "/etc/nix-bitcoin-secrets/rtl-password" ]; then
RTL_PASS=$(cat /etc/nix-bitcoin-secrets/rtl-password)
fi
ELECTRS_ONION="Not generated yet" ## Your Bitcoin & Lightning Node
if [ -f "/var/lib/tor/onion/electrs/hostname" ]; then Your computer is a real Bitcoin node! It talks to the network secretly using Tor. Here is how to connect your wallet apps to it:
ELECTRS_ONION=$(cat /var/lib/tor/onion/electrs/hostname)
fi
BITCOIN_ONION="Not generated yet"
if [ -f "/var/lib/tor/onion/bitcoind/hostname" ]; then
BITCOIN_ONION=$(cat /var/lib/tor/onion/bitcoind/hostname)
fi
cat << BITCOIN >> "$FILE"
### 1. Ride The Lightning (RTL) ### 1. Ride The Lightning (RTL)
*This is the control panel for your Lightning Node.* *This is the control panel for your Lightning Node.*
Open the **Tor Browser** and go to this website. Use this password to log in: Open the **Tor Browser** and go to this website. Use this password to log in:
@@ -190,84 +122,76 @@ Open the **Tor Browser** and go to this website. Use this password to log in:
### 3. Bitcoin Core ### 3. Bitcoin Core
*This is the heartbeat of your node. It uses this address to talk to other Bitcoiners securely.* *This is the heartbeat of your node. It uses this address to talk to other Bitcoiners securely.*
- **Tor Address:** \`$BITCOIN_ONION\` - **Tor Address:** \`$BITCOIN_ONION\`
***
BITCOIN BITCOIN
fi fi
# --- MATRIX / ELEMENT --- # --- MATRIX / ELEMENT ---
if [ -f "/var/lib/secrets/matrix-users" ]; then if [ -f "/var/lib/secrets/matrix-users" ]; then
echo "" >> "$FILE"
echo "## 💬 Your Private Chat (Matrix / Element)" >> "$FILE" echo "## 💬 Your Private Chat (Matrix / Element)" >> "$FILE"
echo "This is your very own private messaging app! We created an Admin account for you, and a Test account you can give to a friend to try it out. Log in using an app like Element with these details:" >> "$FILE" echo "This is your very own private messaging app! Log in using an app like Element with these details:" >> "$FILE"
echo '```text' >> "$FILE" echo '```text' >> "$FILE"
cat /var/lib/secrets/matrix-users >> "$FILE" cat /var/lib/secrets/matrix-users >> "$FILE"
echo '```' >> "$FILE" echo '```' >> "$FILE"
echo "***" >> "$FILE"
fi fi
# --- GNOME RDP --- # --- GNOME RDP ---
if [ -f "/var/lib/gnome-remote-desktop/rdp-credentials" ]; then if [ -f "/var/lib/gnome-remote-desktop/rdp-credentials" ]; then
echo "" >> "$FILE"
echo "## 🌎 Connect from Far Away (Remote Desktop)" >> "$FILE" echo "## 🌎 Connect from Far Away (Remote Desktop)" >> "$FILE"
echo "This lets you control your computer screen from another device! Open your Remote Desktop app and type in these keys:" >> "$FILE" echo "This lets you control your computer screen from another device!" >> "$FILE"
echo '```text' >> "$FILE" echo '```text' >> "$FILE"
cat /var/lib/gnome-remote-desktop/rdp-credentials >> "$FILE" cat /var/lib/gnome-remote-desktop/rdp-credentials >> "$FILE"
echo '```' >> "$FILE" echo '```' >> "$FILE"
echo "***" >> "$FILE"
fi fi
# --- NEXTCLOUD --- # --- NEXTCLOUD ---
if [ -f "/var/lib/secrets/nextcloud-admin" ]; then if [ -f "/var/lib/secrets/nextcloud-admin" ]; then
echo "" >> "$FILE"
echo "## Your Personal Cloud (Nextcloud)" >> "$FILE" echo "## Your Personal Cloud (Nextcloud)" >> "$FILE"
echo "This is like your own private Google Drive! You can save photos and files here. Go to the URL below and use these keys:" >> "$FILE" echo "This is like your own private Google Drive!" >> "$FILE"
echo '```text' >> "$FILE" echo '```text' >> "$FILE"
cat /var/lib/secrets/nextcloud-admin >> "$FILE" cat /var/lib/secrets/nextcloud-admin >> "$FILE"
echo '```' >> "$FILE" echo '```' >> "$FILE"
echo "***" >> "$FILE"
fi fi
# --- WORDPRESS --- # --- WORDPRESS ---
if [ -f "/var/lib/secrets/wordpress-admin" ]; then if [ -f "/var/lib/secrets/wordpress-admin" ]; then
echo "" >> "$FILE"
echo "## 📝 Your Website (WordPress)" >> "$FILE" echo "## 📝 Your Website (WordPress)" >> "$FILE"
echo "This is your very own website where you can write blogs or make pages. Go to the URL below to log in:" >> "$FILE" echo "This is your very own website where you can write blogs or make pages." >> "$FILE"
echo '```text' >> "$FILE" echo '```text' >> "$FILE"
cat /var/lib/secrets/wordpress-admin >> "$FILE" cat /var/lib/secrets/wordpress-admin >> "$FILE"
echo '```' >> "$FILE" echo '```' >> "$FILE"
echo "***" >> "$FILE"
fi fi
# --- VAULTWARDEN --- # --- VAULTWARDEN ---
if [ -f "/var/lib/domains/vaultwarden" ]; then if [ -f "/var/lib/domains/vaultwarden" ]; then
DOMAIN=$(cat /var/lib/domains/vaultwarden) DOMAIN=$(cat /var/lib/domains/vaultwarden)
echo "" >> "$FILE"
echo "## 🔐 Your Password Manager (Vaultwarden)" >> "$FILE" echo "## 🔐 Your Password Manager (Vaultwarden)" >> "$FILE"
echo "This keeps all your other passwords safe! Go to this website to use it:" >> "$FILE" echo "This keeps all your other passwords safe!" >> "$FILE"
echo "- **Website:** https://$DOMAIN" >> "$FILE" echo "- **Website:** https://$DOMAIN" >> "$FILE"
echo "*(Note: You get to make up your own Master Password the very first time you visit this website!)*" >> "$FILE" echo "*(You make up your own Master Password the first time you visit!)*" >> "$FILE"
echo "***" >> "$FILE"
fi fi
# --- BTCPAY SERVER --- # --- BTCPAY SERVER ---
if [ -f "/var/lib/domains/btcpayserver" ]; then if [ -f "/var/lib/domains/btcpayserver" ]; then
DOMAIN=$(cat /var/lib/domains/btcpayserver) DOMAIN=$(cat /var/lib/domains/btcpayserver)
echo "" >> "$FILE"
echo "## Your Bitcoin Store (BTCPay Server)" >> "$FILE" echo "## Your Bitcoin Store (BTCPay Server)" >> "$FILE"
echo "This lets you accept Bitcoin like a real shop! Go to this website to set it up:" >> "$FILE" echo "This lets you accept Bitcoin like a real shop!" >> "$FILE"
echo "- **Website:** https://$DOMAIN" >> "$FILE" echo "- **Website:** https://$DOMAIN" >> "$FILE"
echo "*(Note: You get to make up your own Admin Password the very first time you visit this website!)*" >> "$FILE" echo "*(You make up your own Admin Password the first time you visit!)*" >> "$FILE"
echo "***" >> "$FILE"
fi fi
# Convert the Markdown text into a beautiful PDF! # Generate PDF
pandoc "$FILE" -o "$DOC_DIR/Sovran_SystemsOS_Magic_Keys.pdf" --pdf-engine=typst \ pandoc "$FILE" -o "$OUTPUT" --pdf-engine=typst \
-V mainfont="Liberation Sans" \ -V mainfont="Liberation Sans" \
-V monofont="Liberation Mono" -V monofont="Liberation Mono"
# Save the hash so we don't rebuild again for the same inputs chown free:users "$OUTPUT"
echo "$CURRENT_HASH" > "$HASH_FILE" rm -f "$FILE"
# Make sure the 'free' user owns the file so they can open it
chown -R free:users "$DOC_DIR"
# Secure the markdown file
chmod 600 "$FILE"
''; '';
}; };
} }