revoke ssh access from servo/moby into any other system (by default)

Colin 2023-07-07 21:14:41 +00:00
parent 54b74498b6
commit 24a3c22edc
3 changed files with 14 additions and 6 deletions


@ -1,3 +1,4 @@
# TODO: this should be moved to users/colin.nix
{ config, lib, sane-lib, ... }: { config, lib, sane-lib, ... }:
with lib; with lib;


@ -2,7 +2,6 @@
let let
inherit (builtins) attrValues head map mapAttrs tail; inherit (builtins) attrValues head map mapAttrs tail;
inherit (lib) concatStringsSep mkMerge reverseList;
in in
{ {
sane.ssh.pubkeys = sane.ssh.pubkeys =
@ -10,9 +9,9 @@ in
# path is a DNS-style path like [ "org" "uninsane" "root" ] # path is a DNS-style path like [ "org" "uninsane" "root" ]
keyNameForPath = path: keyNameForPath = path:
let let
rev = reverseList path; rev = lib.reverseList path;
name = head rev; name = head rev;
host = concatStringsSep "." (tail rev); host = lib.concatStringsSep "." (tail rev);
in in
"${name}@${host}"; "${name}@${host}";
@ -23,9 +22,10 @@ in
(name: { (name: {
inherit name; inherit name;
value = { value = {
colin = hostCfg.ssh.user_pubkey;
root = hostCfg.ssh.host_pubkey; root = hostCfg.ssh.host_pubkey;
}; } // (lib.optionalAttrs hostCfg.ssh.authorized {
colin = hostCfg.ssh.user_pubkey;
});
}) })
hostCfg.names hostCfg.names
; ;
@ -34,7 +34,7 @@ in
map keysForHost (builtins.attrValues config.sane.hosts.by-name) map keysForHost (builtins.attrValues config.sane.hosts.by-name)
) )
); );
in mkMerge (map in lib.mkMerge (map
({ path, value }: { ({ path, value }: {
"${keyNameForPath path}" = lib.mkIf (value != null) value; "${keyNameForPath path}" = lib.mkIf (value != null) value;
}) })
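Review bot: The `lib.optionalAttrs hostCfg.ssh.authorized` guard in the `value = {...}` hunk only withholds the `colin` entry; `root = hostCfg.ssh.host_pubkey` is still emitted unconditionally for every host, so if entries in `sane.ssh.pubkeys` are also consumed as authorized_keys for root (the consumer is not visible here), an "unauthorized" host's host key would still grant it access. If host keys are only meant for known_hosts pinning, say so on that line, e.g. `root = hostCfg.ssh.host_pubkey;  # host key: used to pin known_hosts, never as an authorized_key`; otherwise wrap both entries in the same `optionalAttrs`, noting that an unauthorized host then yields `{}` rather than `null`, which the `lib.mkIf (value != null)` at the bottom still passes through as an empty attrset. The enclosing definition (apparently `keysForHost`) begins before this hunk.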


@ -26,6 +26,11 @@ let
e.g. "ssh-ed25519 AAAA<base64>". e.g. "ssh-ed25519 AAAA<base64>".
''; '';
}; };
ssh.authorized = mkOption {
type = types.bool;
default = true;
description = "make this host's ssh key be an authorized_key for the system being deployed to";
};
wg-home.pubkey = mkOption { wg-home.pubkey = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = null;
@ -92,6 +97,7 @@ in
}; };
sane.hosts.by-name."moby" = { sane.hosts.by-name."moby" = {
ssh.authorized = lib.mkDefault false; # moby's too easy to hijack: don't let it ssh places
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU"; ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw"; ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
wg-home.pubkey = "I7XIR1hm8bIzAtcAvbhWOwIAabGkuEvbWH/3kyIB1yA="; wg-home.pubkey = "I7XIR1hm8bIzAtcAvbhWOwIAabGkuEvbWH/3kyIB1yA=";
@ -100,6 +106,7 @@ in
}; };
sane.hosts.by-name."servo" = { sane.hosts.by-name."servo" = {
ssh.authorized = lib.mkDefault false; # servo presents too many services to the internet: easy atack vector
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX"; ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8"; ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
wg-home.pubkey = "roAw+IUFVtdpCcqa4khB385Qcv9l5JAB//730tyK4Wk="; wg-home.pubkey = "roAw+IUFVtdpCcqa4khB385Qcv9l5JAB//730tyK4Wk=";
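Review bot: `ssh.authorized` defaults to `true`, so every host added to `sane.hosts.by-name` is authorized everywhere unless someone remembers to opt out by hand, as is done for moby and servo below; a deny-by-default (`default = false;`) with an explicit `ssh.authorized = true;` on the trusted hosts would fail closed instead. The option description should also name which key it gates, since both `user_pubkey` and `host_pubkey` exist: `description = "whether this host's ssh user key is installed as an authorized_key on the systems being deployed to";` (adjust to match what the consumer actually gates). Because the moby/servo opt-outs use `lib.mkDefault`, a plain `ssh.authorized = true;` anywhere else silently re-enables them; that matches the "(by default)" in the title but deserves a comment next to the `mkDefault`. Minor: `atack` → `attack` in the servo comment.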