palo/nixos-config
palo/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

🔧 dedicated ssh key for cherry as well
All checks were successful
Build all NixOS Configurations / nix build (push) Successful in 7m2s
Details

Browse source
This commit is contained in:
Ingolf Wagner 2024-10-19 16:25:14 +09:00
parent 74f7208936
commit 733985c773
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
6 changed files with 104 additions and 47 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
flake.nix
View file

@ -423,12 +423,15 @@
{ {
clan.core.machineDescription = "Laptop"; clan.core.machineDescription = "Laptop";
} }
{ (
users.users.root.openssh.authorizedKeys.keyFiles = [ { config, ... }:
# yubikey key {
./assets/mrvandalo_rsa.pub # keys only to access cherry
]; users.users.root.openssh.authorizedKeys.keyFiles = [
} "${config.clan.core.clanDir}/machines/cherry/facts/ssh.root.cherry.id_ed25519.pub"
];
}
)
]; ];
}; };

3
machines/cherry/configuration.nix
View file

@ -20,7 +20,8 @@
./37c3.nix ./37c3.nix
./topology.nix ./topology.nix
./ssh.nix ./ssh-chungus.nix
./ssh-cherry.nix
]; ];

2
machines/cherry/facts/ssh.root.cherry.id_ed25519.pub
View file

@ -1 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjJvuEviWlnptuKqA8MQ3QVVdvEGaez1VmShaj56QTg nixbld@cherry ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjJvuEviWlnptuKqA8MQ3QVVdvEGaez1VmShaj56QTg root@cherry

46
machines/cherry/ssh-cherry.nix Normal file
View file

@ -0,0 +1,46 @@
{
config,
factsGenerator,
lib,
...
}:
let
hostname = "cherry";
in
{
# Defines the root SSH key to be used exclusively for accessing a secure machine.
# The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
# make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
# If the target machine becomes compromised by an attacker,
# they could potentially leverage the forwarded SSH agent to access the secure machine.
# This file prevents that scenario by restricting access strictly to the defined SSH key,
# which is only used to access the secure machine, so no other ssh-agent will contain this ssh key
clan.core.facts.services."ssh.root.${hostname}" = factsGenerator.ssh {
name = "root.${hostname}";
};
systemd.tmpfiles.settings.mainUser = {
"/run/facts/ssh.root.${hostname}.id_ed25519"."C+" = {
user = config.users.users.mainUser.name;
group = config.users.users.mainUser.group;
mode = "400";
argument =
config.clan.core.facts.services."ssh.root.${hostname}".secret."ssh.root.${hostname}.id_ed25519".path;
};
};
home-manager.users.mainUser.programs.ssh.matchBlocks =
lib.genAttrs
[
"${hostname}.bear"
"${hostname}.private"
"${hostname}.wg0"
]
(name: {
identityFile = "/run/facts/ssh.root.${hostname}.id_ed25519";
identitiesOnly = true;
});
}

46
machines/cherry/ssh-chungus.nix Normal file
View file

@ -0,0 +1,46 @@
{
config,
factsGenerator,
lib,
...
}:
let
hostname = "chungus";
in
{
# Defines the root SSH key to be used exclusively for accessing a secure machine.
# The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
# make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
# If the target machine becomes compromised by an attacker,
# they could potentially leverage the forwarded SSH agent to access the secure machine.
# This file prevents that scenario by restricting access strictly to the defined SSH key,
# which is only used to access the secure machine, so no other ssh-agent will contain this ssh key
clan.core.facts.services."ssh.root.${hostname}" = factsGenerator.ssh {
name = "root.${hostname}";
};
systemd.tmpfiles.settings.mainUser = {
"/run/facts/ssh.root.${hostname}.id_ed25519"."C+" = {
user = config.users.users.mainUser.name;
group = config.users.users.mainUser.group;
mode = "400";
argument =
config.clan.core.facts.services."ssh.root.${hostname}".secret."ssh.root.${hostname}.id_ed25519".path;
};
};
home-manager.users.mainUser.programs.ssh.matchBlocks =
lib.genAttrs
[
"${hostname}.bear"
"${hostname}.private"
"${hostname}.wg0"
]
(name: {
identityFile = "/run/facts/ssh.root.${hostname}.id_ed25519";
identitiesOnly = true;
});
}

39
machines/cherry/ssh.nix
View file

@ -1,39 +0,0 @@
{ config, factsGenerator, ... }:
{
# Defines the root SSH key to be used exclusively for accessing the backup server.
# The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
# make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
# If the target machine becomes compromised by an attacker,
# they could potentially leverage the forwarded SSH agent to access the backup server.
# This file prevents that scenario by restricting access strictly to the defined SSH key,
# which is only used to access the backup server, so no other ssh-agent will contain this ssh key
clan.core.facts.services."mainUser.ssh.chungus" = factsGenerator.ssh { name = "root.chungus"; };
systemd.tmpfiles.settings.mainUser = {
"/run/facts/ssh.mainUser.chungus.id_ed25519"."C+" = {
user = config.users.users.mainUser.name;
group = config.users.users.mainUser.group;
mode = "400";
argument =
config.clan.core.facts.services."mainUser.ssh.chungus".secret."ssh.root.chungus.id_ed25519".path;
};
};
home-manager.users.mainUser.programs.ssh.matchBlocks = {
"chungus.bear" = {
identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
identitiesOnly = true;
};
"chungus.private" = {
identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
identitiesOnly = true;
};
"chungus.wg0" = {
identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
identitiesOnly = true;
};
};
}