🔒 use exclusive ssh key for chungus

This commit is contained in:
Ingolf Wagner 2024-10-19 15:32:03 +09:00
parent 9efa7f7ca6
commit 0e3e67554a
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
4 changed files with 75 additions and 23 deletions


@ -8,7 +8,6 @@
with lib; with lib;
with types; with types;
let let
defaultRootKeyFiles = [ "${assets}/mrvandalo_rsa.pub" ];
cfg = config.components.network.sshd; cfg = config.components.network.sshd;
# maybe ascii-image-converter is also nice here # maybe ascii-image-converter is also nice here
@ -30,11 +29,6 @@ in
type = bool; type = bool;
default = true; default = true;
}; };
rootKeyFiles = mkOption {
type = with types; listOf path;
default = [ ];
description = "keys to root login";
};
onlyTincAccess = mkOption { onlyTincAccess = mkOption {
type = bool; type = bool;
default = false; default = false;
@ -64,14 +58,13 @@ in
# settings.LoginGraceTime = 0; # settings.LoginGraceTime = 0;
}; };
users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles;
# todo enable again when I can it's possible to set the `-q` ssh option in clan # todo enable again when I can it's possible to set the `-q` ssh option in clan
#services.openssh.banner = builtins.readFile sshBanner; #services.openssh.banner = builtins.readFile sshBanner;
}) })
(mkIf (cfg.onlyTincAccess && cfg.enable) { (mkIf (cfg.onlyTincAccess && cfg.enable) {
# fixme: this is not working
networking.firewall.extraCommands = '' networking.firewall.extraCommands = ''
iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0 iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
''; '';
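Review bot: Dropping the `# fixme: this is not working` line above the `iptables --table nat ... REDIRECT --to-ports 0` rule leaves the rule itself byte-identical, so the hunk removes the only record that `onlyTincAccess` was known to be broken without showing that it was fixed. If the rule is still unverified, keep a note such as `# NOTE: unverified — relies on REDIRECT to port 0 to drop non-tinc SSH`; if it has been verified, the commit message is the place to say so. A NAT redirect to port 0 is an indirect way to say "accept 22 only on tinc interfaces"; `services.openssh.openFirewall = false;` together with `networking.firewall.interfaces."tinc.+".allowedTCPPorts = [ 22 ];` expresses that in the filter table without depending on the NAT table (confirm the interface pattern is honoured by the firewall backend in use). The `mkIf (cfg.onlyTincAccess && cfg.enable)` attribute set this rule belongs to closes outside the hunk.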


@ -224,18 +224,11 @@
]; ];
}; };
defaultModules = [ defaultAuthorizedKeys =
# make flake inputs accessiable in NixOS
{
_module.args.self = self;
_module.args.inputs = self.inputs;
}
# ssh keys
(
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
users.users.root.openssh.authorizedKeys.keyFiles = [ users.users.root.openssh.authorizedKeys.keyFiles = [
# master key # yubikey key
./assets/mrvandalo_rsa.pub ./assets/mrvandalo_rsa.pub
# backup key # backup key
"${config.clan.core.clanDir}/machines/chungus/facts/ssh.syncoid.id_ed25519.pub" "${config.clan.core.clanDir}/machines/chungus/facts/ssh.syncoid.id_ed25519.pub"
@ -243,8 +236,14 @@
"${config.clan.core.clanDir}/machines/chungus/facts/ssh.paperless-ngx.id_ed25519.pub" "${config.clan.core.clanDir}/machines/chungus/facts/ssh.paperless-ngx.id_ed25519.pub"
]; ];
environment.systemPackages = [ pkgs.borgbackup ]; environment.systemPackages = [ pkgs.borgbackup ];
};
defaultModules = [
# make flake inputs accessiable in NixOS
{
_module.args.self = self;
_module.args.inputs = self.inputs;
} }
)
{ {
# disable emergency mode everywhere, although it might be needed on laptops # disable emergency mode everywhere, although it might be needed on laptops
boot.initrd.systemd.emergencyAccess = false; boot.initrd.systemd.emergencyAccess = false;
@ -409,6 +408,7 @@
name = "cream"; name = "cream";
host = "cream.bear"; host = "cream.bear";
modules = [ modules = [
defaultAuthorizedKeys
zerotierModules zerotierModules
nixos-hardware.nixosModules.framework-12th-gen-intel nixos-hardware.nixosModules.framework-12th-gen-intel
retiolum.nixosModules.retiolum retiolum.nixosModules.retiolum
@ -445,6 +445,12 @@
{ {
clan.core.machineDescription = "Laptop"; clan.core.machineDescription = "Laptop";
} }
{
users.users.root.openssh.authorizedKeys.keyFiles = [
# yubikey key
./assets/mrvandalo_rsa.pub
];
}
]; ];
}; };
@ -466,6 +472,15 @@
{ {
clan.core.machineDescription = "Home Server"; clan.core.machineDescription = "Home Server";
} }
(
{ config, ... }:
{
# keys only to access chungus
users.users.root.openssh.authorizedKeys.keyFiles = [
"${config.clan.core.clanDir}/machines/cherry/facts/ssh.root.chungus.id_ed25519.pub"
];
}
)
]; ];
}; };
@ -474,6 +489,7 @@
host = "orbi.bear"; host = "orbi.bear";
#host = "95.216.66.212"; #host = "95.216.66.212";
modules = [ modules = [
defaultAuthorizedKeys
healthchecks.nixosModules.default healthchecks.nixosModules.default
homeManagerModules homeManagerModules
stylixModules stylixModules
@ -496,6 +512,7 @@
#host = "167.235.205.150"; #host = "167.235.205.150";
host = "95.217.18.54"; host = "95.217.18.54";
modules = [ modules = [
defaultAuthorizedKeys
homeManagerModules homeManagerModules
stylixModules stylixModules
srvos.nixosModules.hardware-hetzner-cloud srvos.nixosModules.hardware-hetzner-cloud
@ -517,6 +534,7 @@
#host = "usbstick.bear"; #host = "usbstick.bear";
host = "10.100.0.100"; host = "10.100.0.100";
modules = [ modules = [
defaultAuthorizedKeys
homeManagerModules homeManagerModules
stylixModules stylixModules
zerotierModules zerotierModules
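Review bot: In the "Home Server" hunk, root on chungus now accepts only `machines/cherry/facts/ssh.root.chungus.id_ed25519.pub`, and since `defaultAuthorizedKeys` is not added to that machine the yubikey key no longer opens it, so root access to the backup server depends entirely on cherry holding the matching private key in `/run/facts`. That is the intended isolation, but it is also a single point of lockout; the comment should say so explicitly, e.g. `# root on chungus is reachable only with the dedicated key generated on cherry (machines/cherry/ssh.nix); no yubikey/master key here`, and a break-glass path (console, or a sealed offline key) is worth deciding on deliberately. Because the key is meant to be used only from cherry, pinning it with a `from="<cherry address>"` option would limit the blast radius if the private key ever leaks from cherry; `authorizedKeys.keyFiles` cannot carry options, so that would need `authorizedKeys.keys` with the public fact read at eval time — confirm the fact is readable there before relying on it. The `modules = [ ... ]` list this entry sits in is shown in full, but the enclosing machine definition continues past the hunk.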


@ -20,6 +20,8 @@
./37c3.nix ./37c3.nix
./topology.nix ./topology.nix
./ssh.nix
]; ];
#time.timeZone = lib.mkForce "Asia/Bangkok"; #time.timeZone = lib.mkForce "Asia/Bangkok";

machines/cherry/ssh.nix Normal file

@ -0,0 +1,39 @@
{ config, factsGenerator, ... }:
{
# Defines the root SSH key to be used exclusively for accessing the backup server.
# The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
# make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
# If the target machine becomes compromised by an attacker,
# they could potentially leverage the forwarded SSH agent to access the backup server.
# This file prevents that scenario by restricting access strictly to the defined SSH key,
# which is only used to access the backup server, so no other ssh-agent will contain this ssh key
clan.core.facts.services."mainUser.ssh.chungus" = factsGenerator.ssh { name = "root.chungus"; };
systemd.tmpfiles.settings.mainUser = {
"/run/facts/ssh.mainUser.chungus.id_ed25519"."C+" = {
user = config.users.users.mainUser.name;
group = config.users.users.mainUser.group;
mode = "400";
argument =
config.clan.core.facts.services."mainUser.ssh.chungus".secret."ssh.root.chungus.id_ed25519".path;
};
};
home-manager.users.mainUser.programs.ssh.matchBlocks = {
"chungus.bear" = {
identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
identitiesOnly = true;
};
"chungus.private" = {
identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
identitiesOnly = true;
};
"chungus.wg0" = {
identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
identitiesOnly = true;
};
};
}
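Review bot: The three `matchBlocks` entries are identical, and because home-manager writes the attribute name verbatim as the `Host` pattern they can be one entry, which keeps `identitiesOnly = true` from drifting between aliases later: `"chungus.bear chungus.private chungus.wg0" = { identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519"; identitiesOnly = true; };`. The header comment's guarantee that "no other ssh-agent will contain this ssh key" holds only as long as nothing adds the key to an agent; if `AddKeysToAgent` is enabled anywhere in the user's ssh config, setting `extraOptions.AddKeysToAgent = "no";` on this block makes the guarantee explicit (confirm the option spelling against the home-manager version in use). Note that a `forwardAgent = false` here would not help, since the comment itself says `clan machines update` passes `-A` on the command line, which overrides the config file. The last sentence of the header comment is hard to parse; suggest `# ... so the key is never loaded into an ssh-agent that could be forwarded to another machine`.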