nixos-config/machines/cherry/ssh-chungus.nix

{
  config,
  factsGenerator,
  lib,
  ...
}:
let
  hostname = "chungus";
in
{

  # Defines the root SSH key to be used exclusively for accessing a secure machine.
  # The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
  # make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
  # If the target machine becomes compromised by an attacker,
  # they could potentially leverage the forwarded SSH agent to access the secure machine.
  # This file prevents that scenario by restricting access strictly to the defined SSH key,
  # which is only used to access the secure machine, so no other ssh-agent will contain this ssh key

  clan.core.facts.services."ssh.root.${hostname}" = factsGenerator.ssh {
    name = "root.${hostname}";
  };

  systemd.tmpfiles.settings.mainUser = {
    "/run/facts/ssh.root.${hostname}.id_ed25519"."C+" = {
      user = config.users.users.mainUser.name;
      group = config.users.users.mainUser.group;
      mode = "400";
      argument =
        config.clan.core.facts.services."ssh.root.${hostname}".secret."ssh.root.${hostname}.id_ed25519".path;
    };
  };

  home-manager.users.mainUser.programs.ssh.matchBlocks =
    lib.genAttrs
      [
        "${hostname}.bear"
        "${hostname}.private"
        "${hostname}.wg0"
      ]
      (name: {
        identityFile = "/run/facts/ssh.root.${hostname}.id_ed25519";
        identitiesOnly = true;
      });

}
:wrench: dedicated ssh key for cherry as well 2024-10-19 09:25:14 +02:00			`{`
			`config,`
			`factsGenerator,`
			`lib,`
			`...`
			`}:`
			`let`
			`hostname = "chungus";`
			`in`
			`{`

			`# Defines the root SSH key to be used exclusively for accessing a secure machine.`
			`# The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')`
			`# make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.`
			`# If the target machine becomes compromised by an attacker,`
			`# they could potentially leverage the forwarded SSH agent to access the secure machine.`
			`# This file prevents that scenario by restricting access strictly to the defined SSH key,`
			`# which is only used to access the secure machine, so no other ssh-agent will contain this ssh key`

			`clan.core.facts.services."ssh.root.${hostname}" = factsGenerator.ssh {`
			`name = "root.${hostname}";`
			`};`

			`systemd.tmpfiles.settings.mainUser = {`
			`"/run/facts/ssh.root.${hostname}.id_ed25519"."C+" = {`
			`user = config.users.users.mainUser.name;`
			`group = config.users.users.mainUser.group;`
			`mode = "400";`
			`argument =`
			`config.clan.core.facts.services."ssh.root.${hostname}".secret."ssh.root.${hostname}.id_ed25519".path;`
			`};`
			`};`

			`home-manager.users.mainUser.programs.ssh.matchBlocks =`
			`lib.genAttrs`
			`[`
			`"${hostname}.bear"`
			`"${hostname}.private"`
			`"${hostname}.wg0"`
			`]`
			`(name: {`
			`identityFile = "/run/facts/ssh.root.${hostname}.id_ed25519";`
			`identitiesOnly = true;`
			`});`

			`}`