From 733985c773eae25aae70bf98c2715eb6e21abdc0 Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Sat, 19 Oct 2024 16:25:14 +0900
Subject: [PATCH] :wrench: dedicated ssh key for cherry as well
---
 flake.nix | 15 +++---
 machines/cherry/configuration.nix | 3 +-
 .../facts/ssh.root.cherry.id_ed25519.pub | 2 +-
 machines/cherry/ssh-cherry.nix | 46 +++++++++++++++++++
 machines/cherry/ssh-chungus.nix | 46 +++++++++++++++++++
 machines/cherry/ssh.nix | 39 ----------------
 6 files changed, 104 insertions(+), 47 deletions(-)
 create mode 100644 machines/cherry/ssh-cherry.nix
 create mode 100644 machines/cherry/ssh-chungus.nix
 delete mode 100644 machines/cherry/ssh.nix
diff --git a/flake.nix b/flake.nix
index 82ae723..e08f2cb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -423,12 +423,15 @@
 {
 clan.core.machineDescription = "Laptop";
 }
- {
- users.users.root.openssh.authorizedKeys.keyFiles = [
- # yubikey key
- ./assets/mrvandalo_rsa.pub
- ];
- }
+ (
+ { config, ... }:
+ {
+ # keys only to access cherry
+ users.users.root.openssh.authorizedKeys.keyFiles = [
+ "${config.clan.core.clanDir}/machines/cherry/facts/ssh.root.cherry.id_ed25519.pub"
+ ];
+ }
+ )
 ];
 };
diff --git a/machines/cherry/configuration.nix b/machines/cherry/configuration.nix
index f89cf99..7bdb80b 100644
--- a/machines/cherry/configuration.nix
+++ b/machines/cherry/configuration.nix
@@ -20,7 +20,8 @@
 ./37c3.nix
 ./topology.nix
- ./ssh.nix
+ ./ssh-chungus.nix
+ ./ssh-cherry.nix
 ];
diff --git a/machines/cherry/facts/ssh.root.cherry.id_ed25519.pub b/machines/cherry/facts/ssh.root.cherry.id_ed25519.pub
index 62e4f89..97c0e4b 100644
--- a/machines/cherry/facts/ssh.root.cherry.id_ed25519.pub
+++ b/machines/cherry/facts/ssh.root.cherry.id_ed25519.pub
@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjJvuEviWlnptuKqA8MQ3QVVdvEGaez1VmShaj56QTg nixbld@cherry
\ No newline at end of file
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjJvuEviWlnptuKqA8MQ3QVVdvEGaez1VmShaj56QTg root@cherry
\ No newline at end of file
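Review bot: As far as this hunk shows, root on this machine now accepts only a plain ed25519 key read from the facts store, while the entry it replaces was hardware-backed (`# yubikey key`); that moves root login from a token that has to be present to a private-key file on disk, and the comment should say so — something like `# root accepts only the dedicated ssh.root.cherry key (see machines/cherry/ssh-cherry.nix); this replaces the yubikey key` instead of `# keys only to access cherry`. If the yubikey was meant to stay as a break-glass path, keep both entries in the list. Since the stated purpose of the dedicated key is to bound what a compromised host can reach, consider also pinning the entry to the addresses it is used from (the match blocks added elsewhere in this patch are `.bear`, `.private` and `.wg0`); OpenSSH expresses that as a `from=`/`restrict` prefix on the authorized_keys line, which would have to be written into the pub file itself or moved into `authorizedKeys.keys` rather than `keyFiles`. The module list this entry sits in starts before the hunk.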
diff --git a/machines/cherry/ssh-cherry.nix b/machines/cherry/ssh-cherry.nix
new file mode 100644
index 0000000..60ac73f
--- /dev/null
+++ b/machines/cherry/ssh-cherry.nix
@@ -0,0 +1,46 @@
+{
+ config,
+ factsGenerator,
+ lib,
+ ...
+}:
+let
+ hostname = "cherry";
+in
+{
+
+ # Defines the root SSH key to be used exclusively for accessing a secure machine.
+ # The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
+ # make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
+ # If the target machine becomes compromised by an attacker,
+ # they could potentially leverage the forwarded SSH agent to access the secure machine.
+ # This file prevents that scenario by restricting access strictly to the defined SSH key,
+ # which is only used to access the secure machine, so no other ssh-agent will contain this ssh key
+
+ clan.core.facts.services."ssh.root.${hostname}" = factsGenerator.ssh {
+ name = "root.${hostname}";
+ };
+
+ systemd.tmpfiles.settings.mainUser = {
+ "/run/facts/ssh.root.${hostname}.id_ed25519"."C+" = {
+ user = config.users.users.mainUser.name;
+ group = config.users.users.mainUser.group;
+ mode = "400";
+ argument =
+ config.clan.core.facts.services."ssh.root.${hostname}".secret."ssh.root.${hostname}.id_ed25519".path;
+ };
+ };
+
+ home-manager.users.mainUser.programs.ssh.matchBlocks =
+ lib.genAttrs
+ [
+ "${hostname}.bear"
+ "${hostname}.private"
+ "${hostname}.wg0"
+ ]
+ (name: {
+ identityFile = "/run/facts/ssh.root.${hostname}.id_ed25519";
+ identitiesOnly = true;
+ });
+
+}
diff --git a/machines/cherry/ssh-chungus.nix b/machines/cherry/ssh-chungus.nix
new file mode 100644
index 0000000..7cd6206
--- /dev/null
+++ b/machines/cherry/ssh-chungus.nix
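Review bot: This module is imported by machines/cherry/configuration.nix (earlier hunk), so if I read the layout right, the machine whose root account trusts ssh.root.cherry (flake.nix hunk) is also the one that gets the private half copied to `/run/facts/ssh.root.cherry.id_ed25519` for mainUser — a mode-400 file owned by mainUser that logs in as root on the same host, which is a local mainUser-to-root escalation path rather than the agent-forwarding scenario the header comment describes. If the key is meant to be used from another machine to reach cherry, the facts service and the tmpfiles copy belong in that machine's configuration; if cherry really is meant to SSH to itself, the comment should say so explicitly. Minor: the `lib.genAttrs` callback never uses its argument, so `(name: {` should be `(_: {`, and the header comment is copied verbatim from ssh-chungus.nix with the generic phrase `a secure machine` where the deleted ssh.nix named the host it protected — name `${hostname}` there so a reader knows which machine this key reaches.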
@@ -0,0 +1,46 @@
+{
+ config,
+ factsGenerator,
+ lib,
+ ...
+}:
+let
+ hostname = "chungus";
+in
+{
+
+ # Defines the root SSH key to be used exclusively for accessing a secure machine.
+ # The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
+ # make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
+ # If the target machine becomes compromised by an attacker,
+ # they could potentially leverage the forwarded SSH agent to access the secure machine.
+ # This file prevents that scenario by restricting access strictly to the defined SSH key,
+ # which is only used to access the secure machine, so no other ssh-agent will contain this ssh key
+
+ clan.core.facts.services."ssh.root.${hostname}" = factsGenerator.ssh {
+ name = "root.${hostname}";
+ };
+
+ systemd.tmpfiles.settings.mainUser = {
+ "/run/facts/ssh.root.${hostname}.id_ed25519"."C+" = {
+ user = config.users.users.mainUser.name;
+ group = config.users.users.mainUser.group;
+ mode = "400";
+ argument =
+ config.clan.core.facts.services."ssh.root.${hostname}".secret."ssh.root.${hostname}.id_ed25519".path;
+ };
+ };
+
+ home-manager.users.mainUser.programs.ssh.matchBlocks =
+ lib.genAttrs
+ [
+ "${hostname}.bear"
+ "${hostname}.private"
+ "${hostname}.wg0"
+ ]
+ (name: {
+ identityFile = "/run/facts/ssh.root.${hostname}.id_ed25519";
+ identitiesOnly = true;
+ });
+
+}
diff --git a/machines/cherry/ssh.nix b/machines/cherry/ssh.nix
deleted file mode 100644
index b5f73b7..0000000
--- a/machines/cherry/ssh.nix
+++ /dev/null
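Review bot: Everything here except `hostname = "chungus"` is duplicated from ssh-cherry.nix, so the next protected host will be a third copy; make it one module that takes the hostname — change the head to `hostname: { config, factsGenerator, lib, ... }:`, drop the `let ... in`, and import it from configuration.nix as `(import ./ssh-key.nix "chungus")`. Renaming the facts service from `mainUser.ssh.chungus` (deleted ssh.nix) to `ssh.root.chungus` may make the generator mint a fresh key pair if facts are keyed by service name; the patch touches neither chungus' authorized_keys nor a `ssh.root.chungus.id_ed25519.pub`, so check that the key chungus trusts still matches and that the old one is revoked if it changed. The `C+` entry also deserves a one-line why-comment, since it is the non-obvious part: `# home-manager's ssh runs as mainUser and cannot read the clan secret directly, so copy it under /run with mode 400` — whether `/run` is non-persistent on this system is not visible in the patch and should be confirmed in that comment.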
@@ -1,39 +0,0 @@
-{ config, factsGenerator, ... }:
-{
-
- # Defines the root SSH key to be used exclusively for accessing the backup server.
- # The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
- # make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
- # If the target machine becomes compromised by an attacker,
- # they could potentially leverage the forwarded SSH agent to access the backup server.
- # This file prevents that scenario by restricting access strictly to the defined SSH key,
- # which is only used to access the backup server, so no other ssh-agent will contain this ssh key
-
- clan.core.facts.services."mainUser.ssh.chungus" = factsGenerator.ssh { name = "root.chungus"; };
-
- systemd.tmpfiles.settings.mainUser = {
- "/run/facts/ssh.mainUser.chungus.id_ed25519"."C+" = {
- user = config.users.users.mainUser.name;
- group = config.users.users.mainUser.group;
- mode = "400";
- argument =
- config.clan.core.facts.services."mainUser.ssh.chungus".secret."ssh.root.chungus.id_ed25519".path;
- };
- };
-
- home-manager.users.mainUser.programs.ssh.matchBlocks = {
- "chungus.bear" = {
- identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
- identitiesOnly = true;
- };
- "chungus.private" = {
- identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
- identitiesOnly = true;
- };
- "chungus.wg0" = {
- identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
- identitiesOnly = true;
- };
- };
-
-}