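{ config, factsGenerator, ... }:
let
  # Path the private key is copied to at boot by the tmpfiles rule below; every
  # match block refers to this one location so it cannot drift.
  backupKeyPath = "/run/facts/ssh.mainUser.chungus.id_ed25519";

  # Client-side settings shared by all aliases of the backup server:
  #  - identityFile/identitiesOnly: offer only this key, never anything an agent holds;
  #  - forwardAgent = false: do not forward the local agent to the backup server either;
  #  - AddKeysToAgent no: never load this key into an agent on use, so a forwarded
  #    agent on some other (possibly compromised) target cannot expose it.
  backupServerMatchBlock = {
    identityFile = backupKeyPath;
    identitiesOnly = true;
    forwardAgent = false;
    extraOptions.AddKeysToAgent = "no";
  };
in
{
  # Defines the root SSH key to be used exclusively for accessing the backup server.
  # The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
  # make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
  # If the target machine becomes compromised by an attacker,
  # they could potentially leverage the forwarded SSH agent to access the backup server.
  # This file prevents that scenario by restricting access strictly to the defined SSH key,
  # which is only used to access the backup server, so no other ssh-agent will contain this ssh key.
  # NOTE(review): this only controls the client side; the backup server's authorized keys are
  # presumably restricted to this key elsewhere — confirm that, otherwise the guarantee is incomplete.
  clan.core.facts.services."mainUser.ssh.chungus" = factsGenerator.ssh { name = "root.chungus"; };

  # Copy the generated secret into /run at boot ("C+" = copy, also into an existing
  # directory), owned by mainUser and readable by nobody else (mode 400).
  systemd.tmpfiles.settings.mainUser = {
    ${backupKeyPath}."C+" = {
      user = config.users.users.mainUser.name;
      group = config.users.users.mainUser.group;
      mode = "400";
      argument =
        config.clan.core.facts.services."mainUser.ssh.chungus".secret."ssh.root.chungus.id_ed25519".path;
    };
  };

  # Three aliases for the same backup server (different network paths); all use the
  # identical hardened match block.
  home-manager.users.mainUser.programs.ssh.matchBlocks = {
    "chungus.bear" = backupServerMatchBlock;
    "chungus.private" = backupServerMatchBlock;
    "chungus.wg0" = backupServerMatchBlock;
  };
}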