🔧 dedicated ssh key for cherry as well
This commit is contained in:
parent
74f7208936
commit
733985c773
6 changed files with 104 additions and 47 deletions
|
@ -423,12 +423,15 @@
|
||||||
{
|
{
|
||||||
clan.core.machineDescription = "Laptop";
|
clan.core.machineDescription = "Laptop";
|
||||||
}
|
}
|
||||||
|
(
|
||||||
|
{ config, ... }:
|
||||||
{
|
{
|
||||||
|
# keys only to access cherry
|
||||||
users.users.root.openssh.authorizedKeys.keyFiles = [
|
users.users.root.openssh.authorizedKeys.keyFiles = [
|
||||||
# yubikey key
|
"${config.clan.core.clanDir}/machines/cherry/facts/ssh.root.cherry.id_ed25519.pub"
|
||||||
./assets/mrvandalo_rsa.pub
|
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
)
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
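Review bot: After this hunk the only key file authorizing root on cherry is `"${config.clan.core.clanDir}/machines/cherry/facts/ssh.root.cherry.id_ed25519.pub"`; the `# yubikey key` entry and `./assets/mrvandalo_rsa.pub` are dropped. The private half of that fact is, per the new `machines/cherry/ssh-cherry.nix` (which the imports hunk below appears to add to cherry's own configuration), copied to cherry's own mainUser, so it is not visible in this commit which other host still holds a key that `clan machines update` can use to reach root@cherry — worth confirming before the old keys are gone, since a wrong guess here is a lock-out. The enclosing attribute set starts before the hunk (around `clan.core.machineDescription = "Laptop";`), so the machine this applies to is inferred from the added comment `# keys only to access cherry`.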
@ -20,7 +20,8 @@
|
||||||
./37c3.nix
|
./37c3.nix
|
||||||
./topology.nix
|
./topology.nix
|
||||||
|
|
||||||
./ssh.nix
|
./ssh-chungus.nix
|
||||||
|
./ssh-cherry.nix
|
||||||
|
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjJvuEviWlnptuKqA8MQ3QVVdvEGaez1VmShaj56QTg nixbld@cherry
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjJvuEviWlnptuKqA8MQ3QVVdvEGaez1VmShaj56QTg root@cherry
|
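Review bot: Only the key comment changes here (`nixbld@cherry` to `root@cherry`); the ed25519 public key bytes are identical on both sides, so the "dedicated" root key is the pre-existing pair that was labelled as the nixbld identity. If that pair is still used anywhere under its old role (remote-builder access, for example), the isolation the commit is after does not hold, because every holder of it now has root on cherry. If this is the `ssh.root.cherry` fact referenced by the authorized-keys hunk above, regenerating the fact so a fresh pair is produced — rather than relabelling the old one — is the safer path; I cannot see the file name of this section, so that mapping is inferred.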
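--- a/machines/cherry/ssh-cherry.nix
+++ b/machines/cherry/ssh-cherry.nix
@@ -0,0 +1,46 @@
+{
+config,
+factsGenerator,
+lib,
+...
+}:
+let
+hostname = "cherry";
+in
+{
+
+# Defines the root SSH key to be used exclusively for accessing a secure machine.
+# The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
+# make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
+# If the target machine becomes compromised by an attacker,
+# they could potentially leverage the forwarded SSH agent to access the secure machine.
+# This file prevents that scenario by restricting access strictly to the defined SSH key,
+# which is only used to access the secure machine, so no other ssh-agent will contain this ssh key
+
+clan.core.facts.services."ssh.root.${hostname}" = factsGenerator.ssh {
+name = "root.${hostname}";
+};
+
+systemd.tmpfiles.settings.mainUser = {
+"/run/facts/ssh.root.${hostname}.id_ed25519"."C+" = {
+user = config.users.users.mainUser.name;
+group = config.users.users.mainUser.group;
+mode = "400";
+argument =
+config.clan.core.facts.services."ssh.root.${hostname}".secret."ssh.root.${hostname}.id_ed25519".path;
+};
+};
+
+home-manager.users.mainUser.programs.ssh.matchBlocks =
+lib.genAttrs
+[
+"${hostname}.bear"
+"${hostname}.private"
+"${hostname}.wg0"
+]
+(name: {
+identityFile = "/run/facts/ssh.root.${hostname}.id_ed25519";
+identitiesOnly = true;
+});
+
+}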
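Review bot: The header comment promises that no ssh-agent will ever hold this key, but the match blocks only set `identityFile` and `identitiesOnly`; if the user's global ssh config enables `AddKeysToAgent`, ssh loads the key from `/run/facts/ssh.root.${hostname}.id_ed25519` into the running agent on first use and the forwarded-agent scenario the comment describes is back. Pinning it per block keeps the promise independent of global settings: add `extraOptions.AddKeysToAgent = "no";` next to `identitiesOnly = true;`. The same applies to the identical block in `machines/cherry/ssh-chungus.nix`; the two files differ only in `hostname = "cherry";`, so one function taking the hostname (or a small module option) would keep them from drifting apart.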
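--- a/machines/cherry/ssh-chungus.nix
+++ b/machines/cherry/ssh-chungus.nix
@@ -0,0 +1,46 @@
+{
+config,
+factsGenerator,
+lib,
+...
+}:
+let
+hostname = "chungus";
+in
+{
+
+# Defines the root SSH key to be used exclusively for accessing a secure machine.
+# The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
+# make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
+# If the target machine becomes compromised by an attacker,
+# they could potentially leverage the forwarded SSH agent to access the secure machine.
+# This file prevents that scenario by restricting access strictly to the defined SSH key,
+# which is only used to access the secure machine, so no other ssh-agent will contain this ssh key
+
+clan.core.facts.services."ssh.root.${hostname}" = factsGenerator.ssh {
+name = "root.${hostname}";
+};
+
+systemd.tmpfiles.settings.mainUser = {
+"/run/facts/ssh.root.${hostname}.id_ed25519"."C+" = {
+user = config.users.users.mainUser.name;
+group = config.users.users.mainUser.group;
+mode = "400";
+argument =
+config.clan.core.facts.services."ssh.root.${hostname}".secret."ssh.root.${hostname}.id_ed25519".path;
+};
+};
+
+home-manager.users.mainUser.programs.ssh.matchBlocks =
+lib.genAttrs
+[
+"${hostname}.bear"
+"${hostname}.private"
+"${hostname}.wg0"
+]
+(name: {
+identityFile = "/run/facts/ssh.root.${hostname}.id_ed25519";
+identitiesOnly = true;
+});
+
+}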
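Review bot: The lambda passed to `lib.genAttrs` binds `name` but never uses it — every match block is the same attrset — so `(_: {` states that intent and saves a reader from looking for where `name` matters; the same lambda is in `machines/cherry/ssh-cherry.nix`. The header comment also lost the one fact the deleted `ssh.nix` carried, that chungus is the backup server; if that is still its role, a first line such as `# chungus is the backup server; the key below is used for nothing else.` tells the reader which "secure machine" this file is about.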
|
@ -1,39 +0,0 @@
|
||||||
{ config, factsGenerator, ... }:
|
|
||||||
{
|
|
||||||
|
|
||||||
# Defines the root SSH key to be used exclusively for accessing the backup server.
|
|
||||||
# The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
|
|
||||||
# make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
|
|
||||||
# If the target machine becomes compromised by an attacker,
|
|
||||||
# they could potentially leverage the forwarded SSH agent to access the backup server.
|
|
||||||
# This file prevents that scenario by restricting access strictly to the defined SSH key,
|
|
||||||
# which is only used to access the backup server, so no other ssh-agent will contain this ssh key
|
|
||||||
|
|
||||||
clan.core.facts.services."mainUser.ssh.chungus" = factsGenerator.ssh { name = "root.chungus"; };
|
|
||||||
|
|
||||||
systemd.tmpfiles.settings.mainUser = {
|
|
||||||
"/run/facts/ssh.mainUser.chungus.id_ed25519"."C+" = {
|
|
||||||
user = config.users.users.mainUser.name;
|
|
||||||
group = config.users.users.mainUser.group;
|
|
||||||
mode = "400";
|
|
||||||
argument =
|
|
||||||
config.clan.core.facts.services."mainUser.ssh.chungus".secret."ssh.root.chungus.id_ed25519".path;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
home-manager.users.mainUser.programs.ssh.matchBlocks = {
|
|
||||||
"chungus.bear" = {
|
|
||||||
identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
|
|
||||||
identitiesOnly = true;
|
|
||||||
};
|
|
||||||
"chungus.private" = {
|
|
||||||
identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
|
|
||||||
identitiesOnly = true;
|
|
||||||
};
|
|
||||||
"chungus.wg0" = {
|
|
||||||
identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
|
|
||||||
identitiesOnly = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
}
|
|