733985c773
All checks were successful
Build all NixOS Configurations / nix build (push) Successful in 7m2s
46 lines
1.5 KiB
Nix
46 lines
1.5 KiB
Nix
{
|
|
config,
|
|
factsGenerator,
|
|
lib,
|
|
...
|
|
}:
|
|
let
|
|
hostname = "chungus";
|
|
in
|
|
{
|
|
|
|
# Defines the root SSH key to be used exclusively for accessing a secure machine.
|
|
# The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
|
|
# make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
|
|
# If the target machine becomes compromised by an attacker,
|
|
# they could potentially leverage the forwarded SSH agent to access the secure machine.
|
|
# This file prevents that scenario by restricting access strictly to the defined SSH key,
|
|
# which is only used to access the secure machine, so no other ssh-agent will contain this ssh key
|
|
|
|
clan.core.facts.services."ssh.root.${hostname}" = factsGenerator.ssh {
|
|
name = "root.${hostname}";
|
|
};
|
|
|
|
systemd.tmpfiles.settings.mainUser = {
|
|
"/run/facts/ssh.root.${hostname}.id_ed25519"."C+" = {
|
|
user = config.users.users.mainUser.name;
|
|
group = config.users.users.mainUser.group;
|
|
mode = "400";
|
|
argument =
|
|
config.clan.core.facts.services."ssh.root.${hostname}".secret."ssh.root.${hostname}.id_ed25519".path;
|
|
};
|
|
};
|
|
|
|
home-manager.users.mainUser.programs.ssh.matchBlocks =
|
|
lib.genAttrs
|
|
[
|
|
"${hostname}.bear"
|
|
"${hostname}.private"
|
|
"${hostname}.wg0"
|
|
]
|
|
(name: {
|
|
identityFile = "/run/facts/ssh.root.${hostname}.id_ed25519";
|
|
identitiesOnly = true;
|
|
});
|
|
|
|
}
|