🔧 dedicated ssh key for cherry as well
All checks were successful
Build all NixOS Configurations / nix build (push) Successful in 7m2s
All checks were successful
Build all NixOS Configurations / nix build (push) Successful in 7m2s
This commit is contained in:
parent
74f7208936
commit
733985c773
6 changed files with 104 additions and 47 deletions
|
@ -423,12 +423,15 @@
|
|||
{
|
||||
clan.core.machineDescription = "Laptop";
|
||||
}
|
||||
(
|
||||
{ config, ... }:
|
||||
{
|
||||
# keys only to access cherry
|
||||
users.users.root.openssh.authorizedKeys.keyFiles = [
|
||||
# yubikey key
|
||||
./assets/mrvandalo_rsa.pub
|
||||
"${config.clan.core.clanDir}/machines/cherry/facts/ssh.root.cherry.id_ed25519.pub"
|
||||
];
|
||||
}
|
||||
)
|
||||
];
|
||||
};
|
||||
|
||||
|
|
|
@ -20,7 +20,8 @@
|
|||
./37c3.nix
|
||||
./topology.nix
|
||||
|
||||
./ssh.nix
|
||||
./ssh-chungus.nix
|
||||
./ssh-cherry.nix
|
||||
|
||||
];
|
||||
|
||||
|
|
|
@ -1 +1 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjJvuEviWlnptuKqA8MQ3QVVdvEGaez1VmShaj56QTg nixbld@cherry
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjJvuEviWlnptuKqA8MQ3QVVdvEGaez1VmShaj56QTg root@cherry
|
46
machines/cherry/ssh-cherry.nix
Normal file
46
machines/cherry/ssh-cherry.nix
Normal file
|
@ -0,0 +1,46 @@
|
|||
{
|
||||
config,
|
||||
factsGenerator,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
hostname = "cherry";
|
||||
in
|
||||
{
|
||||
|
||||
# Defines the root SSH key to be used exclusively for accessing a secure machine.
|
||||
# The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
|
||||
# make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
|
||||
# If the target machine becomes compromised by an attacker,
|
||||
# they could potentially leverage the forwarded SSH agent to access the secure machine.
|
||||
# This file prevents that scenario by restricting access strictly to the defined SSH key,
|
||||
# which is only used to access the secure machine, so no other ssh-agent will contain this ssh key
|
||||
|
||||
clan.core.facts.services."ssh.root.${hostname}" = factsGenerator.ssh {
|
||||
name = "root.${hostname}";
|
||||
};
|
||||
|
||||
systemd.tmpfiles.settings.mainUser = {
|
||||
"/run/facts/ssh.root.${hostname}.id_ed25519"."C+" = {
|
||||
user = config.users.users.mainUser.name;
|
||||
group = config.users.users.mainUser.group;
|
||||
mode = "400";
|
||||
argument =
|
||||
config.clan.core.facts.services."ssh.root.${hostname}".secret."ssh.root.${hostname}.id_ed25519".path;
|
||||
};
|
||||
};
|
||||
|
||||
home-manager.users.mainUser.programs.ssh.matchBlocks =
|
||||
lib.genAttrs
|
||||
[
|
||||
"${hostname}.bear"
|
||||
"${hostname}.private"
|
||||
"${hostname}.wg0"
|
||||
]
|
||||
(name: {
|
||||
identityFile = "/run/facts/ssh.root.${hostname}.id_ed25519";
|
||||
identitiesOnly = true;
|
||||
});
|
||||
|
||||
}
|
46
machines/cherry/ssh-chungus.nix
Normal file
46
machines/cherry/ssh-chungus.nix
Normal file
|
@ -0,0 +1,46 @@
|
|||
{
|
||||
config,
|
||||
factsGenerator,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
hostname = "chungus";
|
||||
in
|
||||
{
|
||||
|
||||
# Defines the root SSH key to be used exclusively for accessing a secure machine.
|
||||
# The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
|
||||
# make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
|
||||
# If the target machine becomes compromised by an attacker,
|
||||
# they could potentially leverage the forwarded SSH agent to access the secure machine.
|
||||
# This file prevents that scenario by restricting access strictly to the defined SSH key,
|
||||
# which is only used to access the secure machine, so no other ssh-agent will contain this ssh key
|
||||
|
||||
clan.core.facts.services."ssh.root.${hostname}" = factsGenerator.ssh {
|
||||
name = "root.${hostname}";
|
||||
};
|
||||
|
||||
systemd.tmpfiles.settings.mainUser = {
|
||||
"/run/facts/ssh.root.${hostname}.id_ed25519"."C+" = {
|
||||
user = config.users.users.mainUser.name;
|
||||
group = config.users.users.mainUser.group;
|
||||
mode = "400";
|
||||
argument =
|
||||
config.clan.core.facts.services."ssh.root.${hostname}".secret."ssh.root.${hostname}.id_ed25519".path;
|
||||
};
|
||||
};
|
||||
|
||||
home-manager.users.mainUser.programs.ssh.matchBlocks =
|
||||
lib.genAttrs
|
||||
[
|
||||
"${hostname}.bear"
|
||||
"${hostname}.private"
|
||||
"${hostname}.wg0"
|
||||
]
|
||||
(name: {
|
||||
identityFile = "/run/facts/ssh.root.${hostname}.id_ed25519";
|
||||
identitiesOnly = true;
|
||||
});
|
||||
|
||||
}
|
|
@ -1,39 +0,0 @@
|
|||
{ config, factsGenerator, ... }:
|
||||
{
|
||||
|
||||
# Defines the root SSH key to be used exclusively for accessing the backup server.
|
||||
# The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
|
||||
# make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
|
||||
# If the target machine becomes compromised by an attacker,
|
||||
# they could potentially leverage the forwarded SSH agent to access the backup server.
|
||||
# This file prevents that scenario by restricting access strictly to the defined SSH key,
|
||||
# which is only used to access the backup server, so no other ssh-agent will contain this ssh key
|
||||
|
||||
clan.core.facts.services."mainUser.ssh.chungus" = factsGenerator.ssh { name = "root.chungus"; };
|
||||
|
||||
systemd.tmpfiles.settings.mainUser = {
|
||||
"/run/facts/ssh.mainUser.chungus.id_ed25519"."C+" = {
|
||||
user = config.users.users.mainUser.name;
|
||||
group = config.users.users.mainUser.group;
|
||||
mode = "400";
|
||||
argument =
|
||||
config.clan.core.facts.services."mainUser.ssh.chungus".secret."ssh.root.chungus.id_ed25519".path;
|
||||
};
|
||||
};
|
||||
|
||||
home-manager.users.mainUser.programs.ssh.matchBlocks = {
|
||||
"chungus.bear" = {
|
||||
identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
|
||||
identitiesOnly = true;
|
||||
};
|
||||
"chungus.private" = {
|
||||
identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
|
||||
identitiesOnly = true;
|
||||
};
|
||||
"chungus.wg0" = {
|
||||
identityFile = "/run/facts/ssh.mainUser.chungus.id_ed25519";
|
||||
identitiesOnly = true;
|
||||
};
|
||||
};
|
||||
|
||||
}
|
Loading…
Reference in a new issue