revoke ssh access from servo/moby into any other system (by default)
parent
54b74498b6
commit
24a3c22edc
@ -1,3 +1,4 @@
# TODO: this should be moved to users/colin.nix
{ config, lib, sane-lib, ... }:
{ config, lib, sane-lib, ... }:
with lib;
with lib;
@ -2,7 +2,6 @@
let
let
inherit (builtins) attrValues head map mapAttrs tail;
inherit (builtins) attrValues head map mapAttrs tail;
inherit (lib) concatStringsSep mkMerge reverseList;
in
in
{
{
sane.ssh.pubkeys =
sane.ssh.pubkeys =
@ -10,9 +9,9 @@ in
# path is a DNS-style path like [ "org" "uninsane" "root" ]
# path is a DNS-style path like [ "org" "uninsane" "root" ]
keyNameForPath = path:
keyNameForPath = path:
let
let
rev = reverseList path;
rev = lib.reverseList path;
name = head rev;
name = head rev;
host = concatStringsSep "." (tail rev);
host = lib.concatStringsSep "." (tail rev);
in
in
"${name}@${host}";
"${name}@${host}";
@ -23,9 +22,10 @@ in
(name: {
(name: {
inherit name;
inherit name;
value = {
value = {
colin = hostCfg.ssh.user_pubkey;
root = hostCfg.ssh.host_pubkey;
root = hostCfg.ssh.host_pubkey;
};
} // (lib.optionalAttrs hostCfg.ssh.authorized {
colin = hostCfg.ssh.user_pubkey;
});
})
})
hostCfg.names
hostCfg.names
;
;
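Review bot: The `root` entry is still emitted unconditionally while only `colin` is gated on `hostCfg.ssh.authorized`, and nothing in the hunk says why the asymmetry is intended, so a reader could expect `ssh.authorized = false` to withhold the host entirely. A one-line comment above the `//` would settle it, e.g. `# host key is always published; only the user key is withheld when ssh.authorized is false`, worded cautiously since what consumes `sane.ssh.pubkeys` is outside this diff. With `authorized = false` the `colin` attribute is now absent rather than `null`, so the `lib.mkIf (value != null)` guard later in this file never sees it; presumably harmless if the attrset is flattened per path, but worth confirming. The enclosing `keysForHost` expression starts before this hunk.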
@ -34,7 +34,7 @@ in
map keysForHost (builtins.attrValues config.sane.hosts.by-name)
map keysForHost (builtins.attrValues config.sane.hosts.by-name)
)
)
);
);
in mkMerge (map
in lib.mkMerge (map
({ path, value }: {
({ path, value }: {
"${keyNameForPath path}" = lib.mkIf (value != null) value;
"${keyNameForPath path}" = lib.mkIf (value != null) value;
})
})
@ -26,6 +26,11 @@ let
e.g. "ssh-ed25519 AAAA<base64>".
e.g. "ssh-ed25519 AAAA<base64>".
'';
'';
};
};
ssh.authorized = mkOption {
type = types.bool;
default = true;
description = "make this host's ssh key be an authorized_key for the system being deployed to";
};
wg-home.pubkey = mkOption {
wg-home.pubkey = mkOption {
type = types.nullOr types.str;
type = types.nullOr types.str;
default = null;
default = null;
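Review bot: `default = true` on the new `ssh.authorized` option makes authorization opt-out: every host declared in `sane.hosts.by-name` has its `ssh.user_pubkey` accepted by every other system unless it explicitly sets `ssh.authorized = false`, so a host added later is trusted before anyone decides it should be. The least-privilege shape is `default = false;` with the trusted hosts opting in, which would also make the `lib.mkDefault false` lines for moby and servo further down in this section unnecessary. The description could say what the flag actually gates, e.g. `description = "whether this host's ssh.user_pubkey is added to the authorized_keys of the system being deployed to";`. The servo entry's trailing comment later in this section also misspells "attack" as "atack".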
@ -92,6 +97,7 @@ in
};
};
sane.hosts.by-name."moby" = {
sane.hosts.by-name."moby" = {
ssh.authorized = lib.mkDefault false; # moby's too easy to hijack: don't let it ssh places
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
wg-home.pubkey = "I7XIR1hm8bIzAtcAvbhWOwIAabGkuEvbWH/3kyIB1yA=";
wg-home.pubkey = "I7XIR1hm8bIzAtcAvbhWOwIAabGkuEvbWH/3kyIB1yA=";
@ -100,6 +106,7 @@ in
};
};
sane.hosts.by-name."servo" = {
sane.hosts.by-name."servo" = {
ssh.authorized = lib.mkDefault false; # servo presents too many services to the internet: easy atack vector
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
wg-home.pubkey = "roAw+IUFVtdpCcqa4khB385Qcv9l5JAB//730tyK4Wk=";
wg-home.pubkey = "roAw+IUFVtdpCcqa4khB385Qcv9l5JAB//730tyK4Wk=";