fixing init ssh

2022-01-18 20:21:03 +01:00 · 2022-01-18 20:21:03 +01:00 · 766f4a8b4b
commit 766f4a8b4b
parent dd75b61992
3 changed files with 36 additions and 26 deletions
--- a/nixos/system/all/sshd-known-hosts-bootup.nix
+++ b/nixos/system/all/sshd-known-hosts-bootup.nix
@ -3,31 +3,36 @@ with lib;
 let

  computers = {
-    #workhorse = {
-    #  onionId = fileContents ../../private_assets/onion_id_workhorse;
-    #  publicKey =
-    #    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/I4JBA1HHTH2xsrEM7xtxkhRDE42lZcBrdBvN46WTx";
-    #};
-    #porani = {
-    #  onionId = fileContents ../../private_assets/onion_id_porani;
-    #  publicKey =
-    #    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGFaTRGqMd/rKpyMUP6wVbgiWFOUvUV2qS/B5Xe02UUch/wxR4fTCY+vnzku5K0V/qqJpjYLgHotwZFqO/8lFu4=";
-    #};
+    pepe = {
+      onionId = fileContents ../../private_assets/onion_id_pepe;
+      # SHA256:aOZbqpgc5CcTNtRAzjuG/0BQZ9MF5c9u/N+UC88y8kI
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5K4UHD8cIcXB33UiOj5vyXJj+4CyyiLFDMwcyad92a";
+    };
+
  };

 in
 {

-  services.openssh.knownHosts = mapAttrs'
+  services.openssh.knownHosts = {
+    "robi-init-ssh" = {
+      hostNames = [
+        "[robi]:2222"
+        "[144.76.13.147]:2222"
+      ];
+      # SHA256:rhvbJ84cPXXezaoJiY7tFsG8CJxI2F/lLKz8q+xUW+g
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKQ7XB6Cs9FJmHkuZ9ihbj76WsK0uJBh882ceyKaaKJ";
+    };
+  } // (mapAttrs'
    (name:
      { onionId, publicKey, ... }: {
        name = "${name}-init-ssh";
        value = {
-          hostNames = [ onionId ];
+          hostNames = [ "[${onionId}]:2222" ];
          inherit publicKey;
        };
      })
-    computers;
+    computers);

  environment.systemPackages =
    let
@ -36,7 +41,7 @@ in
        (name:
          { onionId, ... }:
          pkgs.writers.writeDashBin "ssh-boot-to-${name}" ''
-            ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 23
+            ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222
          '')
        computers;

@ -44,7 +49,7 @@ in
        (name:
          { onionId, ... }:
          pkgs.writers.writeDashBin "unlock-boot-${name}" ''
-            ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 23 '
+            ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222 '
            echo -n "enter password : "
            read password
            echo "$password" > /crypt-ramfs/passphrase
--- a/nixos/system/all/sshd-known-hosts-private.nix
+++ b/nixos/system/all/sshd-known-hosts-private.nix
@ -2,6 +2,16 @@
 { config, lib, ... }: {

  services.openssh.knownHosts = {
+    #"robi_init" = {
+    #  hostNames = [
+    #    "robi:2222"
+    #    "144.76.13.147:2222"
+    #  ];
+    #  fingerprints
+    #  256 SHA256:rhvbJ84cPXXezaoJiY7tFsG8CJxI2F/lLKz8q+xUW+g root@rescue (ED25519)
+    # 3072 SHA256:KBVMQLNWaDpzlCZERN9OeEDFAhUoADOZRfenXWHxswU root@rescue (RSA)
+    #  publicKey = "";
+    #};
    "robi" = {
      hostNames = [
        "robi.private"
@ -34,8 +44,7 @@
        config.module.cluster.services.tinc.private.hosts.sputnik.tincIp
        config.module.cluster.services.tinc.secret.hosts.sputnik.tincIp
      ];
-      publicKey =
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTLXDTqUtl0BQgzH1O7CRulGCRN1P4KU8imL/wjYFh8";
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTLXDTqUtl0BQgzH1O7CRulGCRN1P4KU8imL/wjYFh8";
    };
    "workhorse.private" = {
      hostNames = [
@ -44,16 +53,14 @@
        config.module.cluster.services.tinc.private.hosts.workhorse.tincIp
        config.module.cluster.services.tinc.secret.hosts.workhorse.tincIp
      ];
-      publicKey =
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDaK0Vv33TuGQa/B5p54sGilgpYvfKkBaBGlEBpIk1QB";
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDaK0Vv33TuGQa/B5p54sGilgpYvfKkBaBGlEBpIk1QB";
    };
    "porani.secret" = {
      hostNames = [
        "porani.secret"
        config.module.cluster.services.tinc.secret.hosts.porani.tincIp
      ];
-      publicKey =
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOKNtRWVrqADgAMtTSWgnpp8gRKUtn4QUMFzQ78fC+aK";
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOKNtRWVrqADgAMtTSWgnpp8gRKUtn4QUMFzQ78fC+aK";
    };
    "pepe.private" = {
      hostNames = [
@ -61,16 +68,14 @@
        "pepe.lan"
        config.module.cluster.services.tinc.private.hosts.pepe.tincIp
      ];
-      publicKey =
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz";
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz";
    };
    "mobi.private" = {
      hostNames = [
        "mobi.private"
        config.module.cluster.services.tinc.private.hosts.mobi.tincIp
      ];
-      publicKey =
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhBtcipW9rV6hHS2hv5tl5hd8vW8dnuFfFwnAs2u0kS";
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhBtcipW9rV6hHS2hv5tl5hd8vW8dnuFfFwnAs2u0kS";
    };
  };
 }
--- a/nixos/system/server/initssh.nix
+++ b/nixos/system/server/initssh.nix
@ -34,7 +34,7 @@ in
        config.users.users.root.openssh.authorizedKeys.keyFiles);
    };
    hostKey = mkOption {
-      default = "/etc/ssh/ssh_host_ed25519_key";
+      default = "/etc/secrets/initrd/ssh_host_ed25519_key";
      type = with types; path;
      description = ''
        To generate keys, use ssh-keygen(1):