From 766f4a8b4b2944a13eb8ff8309a734e03f1bac73 Mon Sep 17 00:00:00 2001 From: Ingolf Wagner Date: Tue, 18 Jan 2022 20:21:03 +0100 Subject: [PATCH] fixing init ssh --- nixos/system/all/sshd-known-hosts-bootup.nix | 35 +++++++++++-------- nixos/system/all/sshd-known-hosts-private.nix | 25 +++++++------ nixos/system/server/initssh.nix | 2 +- 3 files changed, 36 insertions(+), 26 deletions(-) diff --git a/nixos/system/all/sshd-known-hosts-bootup.nix b/nixos/system/all/sshd-known-hosts-bootup.nix index 8a71e8a..60bdc13 100644 --- a/nixos/system/all/sshd-known-hosts-bootup.nix +++ b/nixos/system/all/sshd-known-hosts-bootup.nix @@ -3,31 +3,36 @@ with lib; let computers = { - #workhorse = { - # onionId = fileContents ../../private_assets/onion_id_workhorse; - # publicKey = - # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/I4JBA1HHTH2xsrEM7xtxkhRDE42lZcBrdBvN46WTx"; - #}; - #porani = { - # onionId = fileContents ../../private_assets/onion_id_porani; - # publicKey = - # "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGFaTRGqMd/rKpyMUP6wVbgiWFOUvUV2qS/B5Xe02UUch/wxR4fTCY+vnzku5K0V/qqJpjYLgHotwZFqO/8lFu4="; - #}; + pepe = { + onionId = fileContents ../../private_assets/onion_id_pepe; + # SHA256:aOZbqpgc5CcTNtRAzjuG/0BQZ9MF5c9u/N+UC88y8kI + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5K4UHD8cIcXB33UiOj5vyXJj+4CyyiLFDMwcyad92a"; + }; + }; in { - services.openssh.knownHosts = mapAttrs' + services.openssh.knownHosts = { + "robi-init-ssh" = { + hostNames = [ + "[robi]:2222" + "[144.76.13.147]:2222" + ]; + # SHA256:rhvbJ84cPXXezaoJiY7tFsG8CJxI2F/lLKz8q+xUW+g + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKQ7XB6Cs9FJmHkuZ9ihbj76WsK0uJBh882ceyKaaKJ"; + }; + } // (mapAttrs' (name: { onionId, publicKey, ... }: { name = "${name}-init-ssh"; value = { - hostNames = [ onionId ]; + hostNames = [ "[${onionId}]:2222" ]; inherit publicKey; }; }) - computers; + computers); environment.systemPackages = let 
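Review bot: The port literal `2222` is now written out four times in this file — in the `robi-init-ssh` hostNames, in the `"[${onionId}]:2222"` template of the mapAttrs' branch, and in the two `ssh … -p 2222` scripts of the hunks at -36 and -44 — so a later port change must hit all four and a missed one turns into a silent host-key mismatch instead of a build error. A single `initSshPort = 2222;` binding in the `let` block, interpolated as `"[${onionId}]:${toString initSshPort}"` and `-p ${toString initSshPort}`, keeps the known_hosts entries and the client scripts in step. The hand-written `robi-init-ssh` entry sitting outside `computers` also deserves a one-line comment explaining why it is special, e.g. `# robi has no onion id and is reached directly by hostname/IP, so it is listed outside the computers map`; that reading is inferred from its hostNames, so confirm it. The bracketed `[host]:port` form is the one known_hosts needs for a non-default port, so the entries themselves are right as written.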
@@ -36,7 +41,7 @@ in (name: { onionId, ... }: pkgs.writers.writeDashBin "ssh-boot-to-${name}" '' - ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 23 + ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222 '') computers; @@ -44,7 +49,7 @@ in (name: { onionId, ... }: pkgs.writers.writeDashBin "unlock-boot-${name}" '' - ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 23 ' + ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222 ' echo -n "enter password : " read password echo "$password" > /crypt-ramfs/passphrase diff --git a/nixos/system/all/sshd-known-hosts-private.nix b/nixos/system/all/sshd-known-hosts-private.nix index 523d130..2984e52 100644 --- a/nixos/system/all/sshd-known-hosts-private.nix +++ b/nixos/system/all/sshd-known-hosts-private.nix @@ -2,6 +2,16 @@ { config, lib, ... }: { services.openssh.knownHosts = { + #"robi_init" = { + # hostNames = [ + # "robi:2222" + # "144.76.13.147:2222" + # ]; + # fingerprints + # 256 SHA256:rhvbJ84cPXXezaoJiY7tFsG8CJxI2F/lLKz8q+xUW+g root@rescue (ED25519) + # 3072 SHA256:KBVMQLNWaDpzlCZERN9OeEDFAhUoADOZRfenXWHxswU root@rescue (RSA) + # publicKey = ""; + #}; "robi" = { hostNames = [ "robi.private" @@ -34,8 +44,7 @@ config.module.cluster.services.tinc.private.hosts.sputnik.tincIp config.module.cluster.services.tinc.secret.hosts.sputnik.tincIp ]; - publicKey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTLXDTqUtl0BQgzH1O7CRulGCRN1P4KU8imL/wjYFh8"; + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTLXDTqUtl0BQgzH1O7CRulGCRN1P4KU8imL/wjYFh8"; }; "workhorse.private" = { hostNames = [ 
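Review bot: The remote command opened by the rewritten `ssh … -p 2222 '` line in the hunk at -44 still reads the unlock passphrase with a bare `read password` and writes it with `echo "$password"`, so a passphrase containing backslashes is mangled by `read`, and one beginning with `-n` or `-e` may be swallowed as an echo option depending on the initrd shell. `read -r password` and `printf '%s\n' "$password" > /crypt-ramfs/passphrase` avoid both and emit exactly the bytes the current echo does, trailing newline included, so the initrd-side consumer of the file is unaffected. Those two lines are unchanged context here, but they are part of the quoted command this hunk rewrites; the writeDashBin body continues outside the hunk.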
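Review bot: The added `robi_init` block at the top of the knownHosts set is commented out and incomplete (`publicKey = ""`), and it duplicates the live `robi-init-ssh` entry this commit places in sshd-known-hosts-bootup.nix — with the hostNames in the wrong form (`"robi:2222"` rather than `"[robi]:2222"`, which is what known_hosts requires for a non-default port). Leaving it in invites someone to uncomment it later and end up with a second entry that never matches the initrd host. Either drop the block or reduce it to a pointer, e.g. `# robi's initrd host key (SHA256:rhvbJ84cPXXezaoJiY7tFsG8CJxI2F/lLKz8q+xUW+g) is pinned as robi-init-ssh in sshd-known-hosts-bootup.nix`. The RSA fingerprint in the comment belongs to a key no entry on this page pins, so it should not be carried along as if it were trusted.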
@@ -44,16 +53,14 @@ config.module.cluster.services.tinc.private.hosts.workhorse.tincIp config.module.cluster.services.tinc.secret.hosts.workhorse.tincIp ]; - publicKey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDaK0Vv33TuGQa/B5p54sGilgpYvfKkBaBGlEBpIk1QB"; + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDaK0Vv33TuGQa/B5p54sGilgpYvfKkBaBGlEBpIk1QB"; }; "porani.secret" = { hostNames = [ "porani.secret" config.module.cluster.services.tinc.secret.hosts.porani.tincIp ]; - publicKey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOKNtRWVrqADgAMtTSWgnpp8gRKUtn4QUMFzQ78fC+aK"; + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOKNtRWVrqADgAMtTSWgnpp8gRKUtn4QUMFzQ78fC+aK"; }; "pepe.private" = { hostNames = [ @@ -61,16 +68,14 @@ "pepe.lan" config.module.cluster.services.tinc.private.hosts.pepe.tincIp ]; - publicKey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz"; + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz"; }; "mobi.private" = { hostNames = [ "mobi.private" config.module.cluster.services.tinc.private.hosts.mobi.tincIp ]; - publicKey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhBtcipW9rV6hHS2hv5tl5hd8vW8dnuFfFwnAs2u0kS"; + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhBtcipW9rV6hHS2hv5tl5hd8vW8dnuFfFwnAs2u0kS"; }; }; } diff --git a/nixos/system/server/initssh.nix b/nixos/system/server/initssh.nix index fecd15c..ee3a562 100644 --- a/nixos/system/server/initssh.nix +++ b/nixos/system/server/initssh.nix @@ -34,7 +34,7 @@ in config.users.users.root.openssh.authorizedKeys.keyFiles); }; hostKey = mkOption { - default = "/etc/ssh/ssh_host_ed25519_key"; + default = "/etc/secrets/initrd/ssh_host_ed25519_key"; type = with types; path; description = '' To generate keys, use ssh-keygen(1):
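Review bot: The new default `/etc/secrets/initrd/ssh_host_ed25519_key` for `hostKey` separates the initrd host key from the system's `/etc/ssh/ssh_host_ed25519_key`, but the option's `description` (which continues past the end of the hunk) still only says how to generate a key and not why the two must differ. Add to the description that this key is copied into the initrd, which typically lives on an unencrypted boot partition, so it must never be the system host key, and that its fingerprint is the one clients pin in the `*-init-ssh` knownHosts entries (for robi, `robi-init-ssh` in sshd-known-hosts-bootup.nix, SHA256:rhvbJ84cPXXezaoJiY7tFsG8CJxI2F/lLKz8q+xUW+g per this commit). Whether anything provisions a file at the new path on a fresh host is not visible here; if nothing does, the initrd build presumably fails on first deploy, so the description should also state that the key must exist before switching. The enclosing `hostKey = mkOption { … }` block ends outside the hunk.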