From 0e3e67554a03b7d0f10fa597b837b9cb9cd80cd3 Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Sat, 19 Oct 2024 15:32:03 +0900
Subject: [PATCH] :lock: use exclusive ssh key for chungus
---
 components/network/sshd/default.nix | 9 +-----
 flake.nix | 48 ++++++++++++++++++++---------
 machines/cherry/configuration.nix | 2 ++
 machines/cherry/ssh.nix | 39 +++++++++++++++++++++++
 4 files changed, 75 insertions(+), 23 deletions(-)
 create mode 100644 machines/cherry/ssh.nix
diff --git a/components/network/sshd/default.nix b/components/network/sshd/default.nix
index 3e09a5e..2b80a1d 100644
--- a/components/network/sshd/default.nix
+++ b/components/network/sshd/default.nix
@@ -8,7 +8,6 @@ with lib; with types; let - defaultRootKeyFiles = [ "${assets}/mrvandalo_rsa.pub" ]; cfg = config.components.network.sshd; # maybe ascii-image-converter is also nice here
@@ -30,11 +29,6 @@ in type = bool; default = true; }; - rootKeyFiles = mkOption { - type = with types; listOf path; - default = [ ]; - description = "keys to root login"; - }; onlyTincAccess = mkOption { type = bool; default = false;
@@ -64,14 +58,13 @@ in # settings.LoginGraceTime = 0; }; - users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles; - # todo enable again when I can it's possible to set the `-q` ssh option in clan #services.openssh.banner = builtins.readFile sshBanner; }) (mkIf (cfg.onlyTincAccess && cfg.enable) { + # fixme: this is not working networking.firewall.extraCommands = '' iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0 '';
diff --git a/flake.nix b/flake.nix
index e4d9563..ec7df9e 100644
--- a/flake.nix
+++ b/flake.nix
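Review bot: The `# fixme: this is not working` added inside `mkIf (cfg.onlyTincAccess && cfg.enable)` leaves `onlyTincAccess` as an option that promises to limit SSH to the tinc interfaces while the author records that the REDIRECT-to-port-0 rule does not do so, so anyone enabling it gets neither the restriction nor a warning. Until the rule is fixed, the option's `description` (outside the hunk) should say it is non-functional, or the rule could be replaced by the firewall's own interface scoping, `services.openssh.openFirewall = false;` plus `networking.firewall.interfaces."<tinc-interface>".allowedTCPPorts = [ 22 ];` with the interface name taken from the tinc configuration. The first two hunks drop the `rootKeyFiles` option, so any machine still setting `components.network.sshd.rootKeyFiles` would now fail evaluation; worth a grep before merging. The `mkIf` block continues past the end of the hunk.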
@@ -224,27 +224,26 @@ ]; }; + defaultAuthorizedKeys = + { config, pkgs, ... }: + { + users.users.root.openssh.authorizedKeys.keyFiles = [ + # yubikey key + ./assets/mrvandalo_rsa.pub + # backup key + "${config.clan.core.clanDir}/machines/chungus/facts/ssh.syncoid.id_ed25519.pub" + "${config.clan.core.clanDir}/machines/chungus/facts/ssh.rbackup.id_ed25519.pub" + "${config.clan.core.clanDir}/machines/chungus/facts/ssh.paperless-ngx.id_ed25519.pub" + ]; + environment.systemPackages = [ pkgs.borgbackup ]; + }; + defaultModules = [ # make flake inputs accessiable in NixOS { _module.args.self = self; _module.args.inputs = self.inputs; } - # ssh keys - ( - { config, pkgs, ... }: - { - users.users.root.openssh.authorizedKeys.keyFiles = [ - # master key - ./assets/mrvandalo_rsa.pub - # backup key - "${config.clan.core.clanDir}/machines/chungus/facts/ssh.syncoid.id_ed25519.pub" - "${config.clan.core.clanDir}/machines/chungus/facts/ssh.rbackup.id_ed25519.pub" - "${config.clan.core.clanDir}/machines/chungus/facts/ssh.paperless-ngx.id_ed25519.pub" - ]; - environment.systemPackages = [ pkgs.borgbackup ]; - } - ) { # disable emergency mode everywhere, although it might be needed on laptops boot.initrd.systemd.emergencyAccess = false;
@@ -409,6 +408,7 @@ name = "cream"; host = "cream.bear"; modules = [ + defaultAuthorizedKeys zerotierModules nixos-hardware.nixosModules.framework-12th-gen-intel retiolum.nixosModules.retiolum
@@ -445,6 +445,12 @@ { clan.core.machineDescription = "Laptop"; } + { + users.users.root.openssh.authorizedKeys.keyFiles = [ + # yubikey key + ./assets/mrvandalo_rsa.pub + ]; + } ]; };
@@ -466,6 +472,15 @@ { clan.core.machineDescription = "Home Server"; } + ( + { config, ... }: + { + # keys only to access chungus + users.users.root.openssh.authorizedKeys.keyFiles = [ + "${config.clan.core.clanDir}/machines/cherry/facts/ssh.root.chungus.id_ed25519.pub" + ]; + } + ) ]; };
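Review bot: `defaultAuthorizedKeys` authorizes the three chungus service keys (syncoid, rbackup, paperless-ngx) for unrestricted root login on every machine that lists it, so a compromise of chungus — the host this commit isolates cherry from — still yields root on cream, orbi and the two Hetzner machines. If those keys are only used by the backup jobs, listing them through `users.users.root.openssh.authorizedKeys.keys` with a `restrict,command="<backup command>"` (or at least a `from="<chungus address>"`) prefix would bound them to that use; `keyFiles` cannot carry authorized_keys options. The `# backup key` comment should also say which job each key belongs to and why it needs root rather than a dedicated user. The `let` binding the module sits in starts and ends outside the hunk.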
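Review bot: `# keys only to access chungus` in the Home Server hunk means the yubikey `./assets/mrvandalo_rsa.pub` is no longer authorized for root on chungus, so the host can be reached over SSH only with cherry's `ssh.root.chungus` key; if cherry is lost or that fact is regenerated, recovery is console-only. If that is the intended trade-off, the comment should say so and name the break-glass path; otherwise keep the yubikey alongside the new key. The `keyFiles` entry is a path into the clan directory, so building chungus will presumably fail until the cherry fact exists in the repository — worth stating in the comment as well. The machine's `modules` list continues outside the hunk.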
@@ -474,6 +489,7 @@ host = "orbi.bear"; #host = "95.216.66.212"; modules = [ + defaultAuthorizedKeys healthchecks.nixosModules.default homeManagerModules stylixModules
@@ -496,6 +512,7 @@ #host = "167.235.205.150"; host = "95.217.18.54"; modules = [ + defaultAuthorizedKeys homeManagerModules stylixModules srvos.nixosModules.hardware-hetzner-cloud
@@ -517,6 +534,7 @@ #host = "usbstick.bear"; host = "10.100.0.100"; modules = [ + defaultAuthorizedKeys homeManagerModules stylixModules zerotierModules
diff --git a/machines/cherry/configuration.nix b/machines/cherry/configuration.nix
index 77fb40e..f89cf99 100644
--- a/machines/cherry/configuration.nix
+++ b/machines/cherry/configuration.nix
@@ -20,6 +20,8 @@ ./37c3.nix ./topology.nix + ./ssh.nix + ]; #time.timeZone = lib.mkForce "Asia/Bangkok";
diff --git a/machines/cherry/ssh.nix b/machines/cherry/ssh.nix
new file mode 100644
index 0000000..b5f73b7
--- /dev/null
+++ b/machines/cherry/ssh.nix
@@ -0,0 +1,39 @@
+{ config, factsGenerator, ... }:
+{
+
+  # Defines the root SSH key to be used exclusively for accessing the backup server.
+  # The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
+  # make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
+  # If the target machine becomes compromised by an attacker,
+  # they could potentially leverage the forwarded SSH agent to access the backup server.
+  # This file prevents that scenario by restricting access strictly to the defined SSH key,
+  # which is only used to access the backup server, so no other ssh-agent will contain this ssh key
+
+  clan.core.facts.services."mainUser.ssh.chungus" = factsGenerator.ssh { name = "root.chungus"; };
+
+  systemd.tmpfiles.settings.mainUser = {
+    "/run/facts/ssh.mainUser.chungus.id_ed25519"."C+" = {
+      user = config.users.users.mainUser.name;
+      group = config.users.users.mainUser.group;
+      mode = "400";
+      argument =
+        config.clan.core.facts.services."mainUser.ssh.chungus".secret."ssh.root.chungus.id_ed25519".path;
+    };
+  };
+
+  home-manager.users.mainUser.programs.ssh.matchBlocks = {
+    "chungus.bear" = {
+      identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
+      identitiesOnly = true;
+    };
+    "chungus.private" = {
+      identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
+      identitiesOnly = true;
+    };
+    "chungus.wg0" = {
+      identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
+      identitiesOnly = true;
+    };
+  };
+
+}
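Review bot: The three chungus match blocks pin the identity but leave agent forwarding to whatever a broader `Host *` block or the command line sets, so a `ForwardAgent yes` elsewhere would still offer cherry's agent to chungus; adding `forwardAgent = false;` next to `identitiesOnly = true;` in each block makes the isolation explicit, and if `programs.ssh.addKeysToAgent` is enabled globally, `extraOptions.AddKeysToAgent = "no";` keeps this key out of the local agent as the header comment intends. The same key goes by three names (`mainUser.ssh.chungus` for the facts service, `root.chungus` for the generated key, `ssh.mainUser.chungus.id_ed25519` for the copy under /run), which makes it hard to connect to the `ssh.root.chungus.id_ed25519.pub` that flake.nix authorizes on chungus; one name throughout would help. The `C+` tmpfiles copy is applied by systemd-tmpfiles at boot and activation, so whether the secret at `.secret."ssh.root.chungus.id_ed25519".path` is already decrypted at that point is worth confirming — a failed copy leaves mainUser without the key and nothing in this module notices. The three identical blocks could be generated with `lib.genAttrs [ "chungus.bear" "chungus.private" "chungus.wg0" ] (_: { … })`, with `lib` added to the module arguments.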