diff --git a/app/ssh/schema/schema.cue b/app/ssh/schema/schema.cue
new file mode 100644
index 0000000..0a0178b
--- /dev/null
+++ b/app/ssh/schema/schema.cue
@@ -0,0 +1,5 @@
+package schema
+
+#Ssh: {
+ trusted_user_ca_keys: string
+}
diff --git a/app/ssh/templates.cue b/app/ssh/templates.cue
new file mode 100644
index 0000000..993176f
--- /dev/null
+++ b/app/ssh/templates.cue
@@ -0,0 +1,19 @@
+package ssh
+
+import "du5t1n.me/cfg/base/schema/instructions"
+
+templates: [...instructions.#RenderInstruction] & [
+ {
+ template: "ssh/ca.pub"
+ dest: "/etc/ssh/ca.pub"
+ },
+ {
+ template: "ssh/trustedusercakeys.conf"
+ dest: "/etc/ssh/sshd_config.d/70-trustedusercakeys.conf"
+ hooks: {
+ changed: [
+ {run: "systemctl reload sshd"},
+ ]
+ }
+ },
+]
diff --git a/env/prod/ssh.cue b/env/prod/ssh.cue
new file mode 100644
index 0000000..d36cd61
--- /dev/null
+++ b/env/prod/ssh.cue
@@ -0,0 +1,11 @@
+package prod
+
+import (
+ "du5t1n.me/cfg/app/ssh/schema"
+)
+
+ssh: schema.#Ssh & {
+ trusted_user_ca_keys: """
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyi18IfxAf9wLnyffnMrThYpqxVwu0rsuiLoqW6rcwF sshca.pyrocufflink.blue
+ """
+}
diff --git a/host/k8s-amd64-n3.pyrocufflink.blue.cue b/host/k8s-amd64-n3.pyrocufflink.blue.cue
index 36f645c..307353d 100644
--- a/host/k8s-amd64-n3.pyrocufflink.blue.cue
+++ b/host/k8s-amd64-n3.pyrocufflink.blue.cue
@@ -3,3 +3,4 @@ import (
 )
 
 sudo: prod.sudo
+ssh: prod.ssh
diff --git a/host/nut0.pyrocufflink.blue.cue b/host/nut0.pyrocufflink.blue.cue
index 5757cac..6af1c05 100644
--- a/host/nut0.pyrocufflink.blue.cue
+++ b/host/nut0.pyrocufflink.blue.cue
@@ -13,4 +13,6 @@ nut: monitor: prod.#nut_monitor & {
 
 collectd: prod.collectd
 
+ssh: prod.ssh
+
 sudo: prod.sudo
diff --git a/host/nvr1.pyrocufflink.blue.cue b/host/nvr1.pyrocufflink.blue.cue
index acfe950..c3a68b8 100644
--- a/host/nvr1.pyrocufflink.blue.cue
+++ b/host/nvr1.pyrocufflink.blue.cue
@@ -11,4 +11,6 @@ nut: monitor: prod.#nut_monitor & {
 #username: "nvr1"
 }
 
+ssh: prod.ssh
+
 sudo: prod.sudo
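Review bot: `trusted_user_ca_keys: string` in `#Ssh` accepts any string, including an empty one, and nothing says what format the value must have, although the schema is the only place a maintainer will look. The value is written verbatim to `/etc/ssh/ca.pub` and that file is what `TrustedUserCAKeys` points at, so it has to be authorized_keys-format public key lines. I would put above the field: `// Public key(s) of the SSH user CA, one authorized_keys-format line each; written verbatim to /etc/ssh/ca.pub (TrustedUserCAKeys).` and, if the project's CUE style allows it, tighten the type to `trusted_user_ca_keys: string & !=""` so an unset value fails evaluation instead of rendering an empty ca.pub that quietly trusts no CA.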
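Review bot: The `changed` hook on the `70-trustedusercakeys.conf` entry reloads sshd without validating the configuration first; a malformed drop-in makes the re-exec on SIGHUP fail and leaves sshd down, which cuts off the very access this change is meant to provide. If `run` is executed through a shell, `{run: "sshd -t && systemctl reload sshd"}` would keep a bad render from being applied; if it is not, a separate validation step before the reload would serve the same purpose. The `ca.pub` entry has no hook, which looks intentional: as far as I know sshd opens the `TrustedUserCAKeys` file at authentication time, so a changed CA key takes effect without a reload, but that is worth a comment on the entry (`// no reload hook: sshd reads this file per authentication`) so nobody adds one, or removes the conf hook, later.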
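Review bot: This single key line is now the root of trust for SSH logins on every host that unifies `prod.ssh`; whoever can change it here, or holds the private key on `sshca.pyrocufflink.blue`, can mint a certificate for any principal on all of them, and the file says nothing about that or about how to rotate it. Because the value is written verbatim as a multi-line file, rotation can overlap by adding the new CA as a second line and dropping the old one once certificates are reissued, rather than replacing it in place. Suggested comment above `trusted_user_ca_keys`: `// Public half of the user CA on sshca.pyrocufflink.blue. Any key here can sign logins for every host using prod.ssh; rotate by appending the new key, then removing the old one once all certs are reissued.`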
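Review bot: `ssh: prod.ssh` is added to `host/k8s-amd64-n3.pyrocufflink.blue.cue`, but unlike nut0, nvr1 and serial1 this commit adds no `ssh.templates` entry to an `instructions/k8s-amd64-n3.pyrocufflink.blue.cue`, so as far as this diff shows the value is set on that host and never rendered. If that host's instructions live elsewhere or are generated, this is fine; otherwise `ssh.templates,` belongs in its `render:` list as well, or the node is silently left without the CA trust.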
diff --git a/host/serial1.pyrocufflink.blue.cue b/host/serial1.pyrocufflink.blue.cue
index e16597a..7c3864b 100644
--- a/host/serial1.pyrocufflink.blue.cue
+++ b/host/serial1.pyrocufflink.blue.cue
@@ -4,4 +4,5 @@ import (
 "du5t1n.me/cfg/env/prod"
 )
 
+ssh: prod.ssh
 sudo: prod.sudo
diff --git a/instructions/nut0.pyrocufflink.blue.cue b/instructions/nut0.pyrocufflink.blue.cue
index 5bf12d9..79ae999 100644
--- a/instructions/nut0.pyrocufflink.blue.cue
+++ b/instructions/nut0.pyrocufflink.blue.cue
@@ -5,6 +5,7 @@ import (
 
 "du5t1n.me/cfg/app/collectd"
 "du5t1n.me/cfg/app/nut"
+ "du5t1n.me/cfg/app/ssh"
 "du5t1n.me/cfg/app/sudo"
 )
 
@@ -13,5 +14,6 @@ render: list.Concat([
 nut.templates,
 nut.monitor.templates,
 nut.collectd.templates,
+ ssh.templates,
 sudo.templates,
 ])
diff --git a/instructions/nvr1.pyrocufflink.blue.cue b/instructions/nvr1.pyrocufflink.blue.cue
index 4d21428..a2f4df4 100644
--- a/instructions/nvr1.pyrocufflink.blue.cue
+++ b/instructions/nvr1.pyrocufflink.blue.cue
@@ -4,11 +4,13 @@ import (
 "list"
 
 "du5t1n.me/cfg/app/nut"
+ "du5t1n.me/cfg/app/ssh"
 "du5t1n.me/cfg/app/sudo"
 )
 
 render: list.Concat([
 nut.sysusers.templates,
 nut.monitor.templates,
+ ssh.templates,
 sudo.templates,
 ])
diff --git a/instructions/serial1.pyrocufflink.blue.cue b/instructions/serial1.pyrocufflink.blue.cue
index 8b3b7c5..cd758a1 100644
--- a/instructions/serial1.pyrocufflink.blue.cue
+++ b/instructions/serial1.pyrocufflink.blue.cue
@@ -4,10 +4,12 @@ import (
 "list"
 
 "du5t1n.me/cfg/app/collectd"
+ "du5t1n.me/cfg/app/ssh"
 "du5t1n.me/cfg/app/sudo"
 )
 
 render: list.Concat([
 collectd.templates,
+ ssh.templates,
 sudo.templates,
 ])
diff --git a/templates/ssh/ca.pub b/templates/ssh/ca.pub
new file mode 100644
index 0000000..c764516
--- /dev/null
+++ b/templates/ssh/ca.pub
@@ -0,0 +1 @@
+{{ ssh.trusted_user_ca_keys }}
diff --git a/templates/ssh/trustedusercakeys.conf b/templates/ssh/trustedusercakeys.conf
new file mode 100644
index 0000000..6b31833
--- /dev/null
+++ b/templates/ssh/trustedusercakeys.conf
@@ -0,0 +1 @@
+TrustedUserCAKeys /etc/ssh/ca.pub
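Review bot: `TrustedUserCAKeys /etc/ssh/ca.pub` trusts every certificate the CA ever signed until it expires, because there is no `RevokedKeys` directive, so a leaked or mis-issued certificate cannot be cut off on these hosts short of rotating the CA. I would pair it with `RevokedKeys /etc/ssh/revoked_keys` rendered from a (possibly empty) KRL through the same template mechanism, with the caveat that the file must exist and be readable, since sshd refuses all public key authentication when it cannot read it. Two more things belong in a comment in this drop-in: sshd keeps the first value it sees for a keyword, so if the main `sshd_config` or a lower-numbered drop-in already sets `TrustedUserCAKeys` this line is ignored (verify with `sshd -T | grep -i trustedusercakeys`); and with no `AuthorizedPrincipalsFile` a certificate must carry the login name as a principal, which is the default and appropriately strict but should be stated so it is not "fixed" later.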