summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGregor Kleen <gkleen@yggdrasil.li>2022-02-12 14:06:09 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-02-12 14:06:09 +0100
commitebb52640b558054ce57ad7bcb37ed1f7aff5bdcf (patch)
treeb18bd1ce1434609ab4476a508e3da413623bdaea
parent7dfdf54de426b995173cec67b40451f0b83d264a (diff)
downloadnixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.tar
nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.tar.gz
nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.tar.bz2
nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.tar.xz
nixos-ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf.zip
ymir: openssh ca
-rw-r--r--knownHosts.nix50
-rw-r--r--krl.binbin0 -> 174 bytes
-rw-r--r--ymir.nix11
-rw-r--r--ymir/ed25519-cert.pub1
-rw-r--r--ymir/rsa-cert.pub1
5 files changed, 16 insertions, 47 deletions
diff --git a/knownHosts.nix b/knownHosts.nix
index 720a4932..96a104ba 100644
--- a/knownHosts.nix
+++ b/knownHosts.nix
@@ -1,50 +1,6 @@
1{ 1{
2 ymir-rsa = { 2 "*.yggdrasil" = {
3 hostNames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"]; 3 extraHostNames = ["*.yggdrasil.li"];
4 publicKey = '' 4 publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC1t7HamptQ49VXtSZyRsaOuja5In1N0U9Ybdiu6ztzi ca.yggdrasil";
5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNr7oFNneR3sVuAhdbnU83PuG6gTU6rDmiz+qykkRUr5Qdtm0NIr9lI7nhoO/MaALWmkMXsBGjvJ2UxvY959g0wQRHJZnuJDwOMo3YJjfuDGMTtp8ikzd646uMHQB+y/xb4dou6f0INr94eRsZcji7AQgZQnyWVV3DZuSADBfNK0Tx6sT6IdbJXaCwYoexnfSfzDdu3i5zMuReF4zdkFUEfAdcbOM8Cr0Abnn4+iLVrof/QaOEuZDC+Pf5QUhkAArETdavSCUIbV6+1md0jz/T8yalgrTCsYOoEUbSPwM/8vmiYDWSo/tvAf3KnVIPjjK2UFz7Qu0HyK0y1dBEXoYLGZ1ep4x67aE4zy7GlR2GZdAYilHknugZB+/kvYGDEixHFfcUh/uvF5PY8sm63C6HUBT1s/aQHXGHgE4uUru6YvbU3UW3fRdslABY/atZ9gc3MuKu9Zk27b1SYfAAoK1R8rKsOKWqUWvvMVCfKBNKqqb7+30q75iGeneB8Tb1C9lToyDG2Yl5p+Gpfnj8YmaU/xFm0HFEC42crRbaQyz01LmupHWf8VwH/O2LsjztAF9b4Oe2q/NwqQAF+h5hIm2tfM2fzxHGCmw1sFYf6dEdkyV5pge/IJrnuQn27iO06tRC6tvrt/ocbpwEEOk/3WWpAWW4oT8L5ceh7iAXrCRWpw==
6 '';
7 };
8 ymir-ed25519 = {
9 hostNames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
10 publicKey = ''
11 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDeBBux2bIXnS/RUv+Y/NCpzI/SCW0KOJSzf48KDiEZD
12 '';
13 };
14 odin-rsa = {
15 hostNames = ["odin.asgard.yggdrasil"];
16 publicKey = ''
17 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5tCkUoo1V97e7bdAnOvxYXgJ8i+PrECUzbXW8Xwy/ir6a/cl3Lm+RMV/h29sVVT56bb0TtZ/JrYyYyWpy/g8FDGgm06mHnxGjjCE7FQpMRk/QoE7JKvqB4mTyMH6lE9lfuLiPI0S7JXrx0xiSJS0Z989Xmu8CN0pA4qyNmMVvAm+zSgxA1KLVcOWUw9mbmVInm1JB+l/psmYcdne4fjWGOn8awY0KGSB5W8xiThjoJe2a8BrW5g8xYS7mLQeKvCkVmukvMu9rUPdCqXp5QPBD8l7tl2jnrefSTRozysfZGX2aRy+a1xXZ/LLBimM/DQ2vDeXYGmE0saCTAgOm4u6Cx6j+SHq64koLaWfHygVeyvCnD0ttKhVzBkbsqzyootg/C1uNaMnavkfUVgSZigyHvfvgGLq39awQ3Zxgxui7vhPy0Mjf2/3EWJyWRvZTX7gBDO0pi8bfyTqhEKTBNn2MvN4gAimc14tO0XClVzh1iUWJMqewoX22u4RUOr3b4MJoUMgiFvyup3gL0+n7EJhMtYrUJ1FwlzGGLCZUtgdQ8tIYz+DWfXIPWXA7rBuUu/fNxrpNqEHtagsnQ4LEquxhq5iqgRZ4/BpwRi1Lp6tcNDCFeG80CFEcKpQv4nPXSHuwPfb3hGZAxy0pnB/BKJ0Uo6azvGb0xTL7P65y25Yjaw==
18 '';
19 };
20 odin-ed25519 = {
21 hostNames = ["odin.asgard.yggdrasil"];
22 publicKey = ''
23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0bDMyJFg6VNgiTebP9z9LJ90scGGdILK0qpNFQhMfc
24 '';
25 };
26 hel-rsa = {
27 hostNames = ["hel.asgard.yggdrasil" "hel.faraday.asgard.yggdrasil" "hel.midgard.yggdrasil"];
28 publicKey = ''
29 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDPpiWp5AN75fV/P+oLLExOkJ933dr4r0tE8deUjSB8QlNWoNSxg0WP8noUri52TkbYV1JZh+r6o4XGZrsXHdk2+ggLYDvIbNyUumsTGI2stexuw9oow9OMys1+f1Ld+szyYnO6dA+zXAjHXS129r3PtSMc9ELra+W5tARFdmcBQt0v/pgSkz1acJQvv8286ioyxUfQ08JUBD2Nb6dVCtdCFXZkivFpKV5mNDOsDsNwBJQda6o5SUuglIEzvP1Q2HPlBAV3pozvmlzUgZrY3hiEkge4fmqm71ZCbCNv61FYKo1LgtMDGLHyxT72lmESR7yS5s1O/nPHCAOeWns40h2ykOD1bfWYFdgH9oEOYbCxGTryfSAJn5qS1FP7serBcjW/lCTfYBNXXtuOHSBLDKfmNb5WgQKPgjSWrVOtk8qWHP2DOgF0C1vL4qr2CjE2LvwxwfC6PaMGb7TJHFeQTPobVgH6m9BGTsVciRIo4PmfYQ9xLD9rcvYd7SDk5KFantphmPgZrQ4PkMik/9Hx3+Mg2L4SuLtXNxmMmTZgXGv5N+NbSkOXNxmjjM0fVSX/d2FOmY51XvLIIx0C+kwiv4FfqI3jbmqvf6mJ7Ev6peoTYgZ3yqeLkC8MOelC77CKfeO+pgGiPR/dEPPCoFHq1kgaOa0dl8Iuzgo/Z0ZGUtux1Q==
30 '';
31 };
32 hel-ed25519 = {
33 hostNames = ["hel.asgard.yggdrasil" "hel.faraday.asgard.yggdrasil" "hel.midgard.yggdrasil"];
34 publicKey = ''
35 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAVmpfhUPgjsWyvomTbRJh5qkIC5WzdgdatqfRTd1EcK
36 '';
37 };
38 sif-rsa = {
39 hostNames = ["sif.asgard.yggdrasil" "sif.faraday.asgard.yggdrasil" "sif.midgard.yggdrasil"];
40 publicKey = ''
41 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCeFqJep1CuWakcoiAkz4bSaHbAIwM89Er46o3KUpjCWGTmDmhJyBiG38pupcctH0awwElkX09GsNx230mTtjT6qcxN+vGsGMJIqFD+/7ZobSLJDHYCo6Jx23jZUjg1SqxYjwB5ooWGI61Vh6SaOy8WRrUn0q8rJyd9SEC+3tJlKO5QqRi/Vnwzj47m+YjGz2UlqJ9a4GeRh1O5SiGx5jd4a/VoeK1XJcW94XeWpPQdUGnVYUXZn9cwYVrogmXdr18ImnPxghsQg4xwS2A6KMjUw9m56XkqIq7vTslmL9JaYcjlSCHbsSVq9+Wu1oKxoyndN7Sim7SkAZwHFUEMBNlontBitgYl6z10VdKX739os6h07uXjGEs+mPk4/CkGZhvhnErV2T9FO+65jnU3mZkeX5tfJHqJ8PnDch2JD6O7+Mjpce4zs/x3mwH36peER6iiIBYGlSF0AlUDShdqj+fPWFu6gZ9piOAZ2L3YXDA0ulM6pL69SbulrUNOwtTy6LkBfKDwpaQK1KO1VOYBaKa7s+krOJXW18k+tpfo4aKSeTuwvykMPndKMKvxcsxNymkGo2AzLw017Qgshzv9rRbLNMBFd85S3krakGyBVL0HAVrAdkjvsWqj5FnHAjgBc1AZnZPbJu3g9/wm7k8rPMV0jxKMpW+zxjVFYDhFUWYp9w==
42 '';
43 };
44 sif-ed25519 = {
45 hostNames = ["sif.asgard.yggdrasil" "sif.faraday.asgard.yggdrasil" "sif.midgard.yggdrasil"];
46 publicKey = ''
47 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfiwlzGcNQjamtIwv7fmXnddjajraeovaM6gRNui1+v
48 '';
49 }; 5 };
50} 6}
diff --git a/krl.bin b/krl.bin
new file mode 100644
index 00000000..3f04c994
--- /dev/null
+++ b/krl.bin
Binary files differ
diff --git a/ymir.nix b/ymir.nix
index df306121..8f01ad6b 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -212,9 +212,20 @@ in rec {
212 challengeResponseAuthentication = false; 212 challengeResponseAuthentication = false;
213 extraConfig = '' 213 extraConfig = ''
214 AllowGroups ssh 214 AllowGroups ssh
215
216 HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
217 HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
218 RevokedKeys /etc/ssh/krl.bin
215 ''; 219 '';
216 knownHosts = import ./knownHosts.nix; 220 knownHosts = import ./knownHosts.nix;
221 hostKeys = [
222 { bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; type = "rsa"; }
223 { path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
224 ];
217 }; 225 };
226 environment.etc."ssh/ssh_host_rsa_key-cert.pub".source = ./ymir/rsa-cert.pub;
227 environment.etc."ssh/ssh_host_ed25519_key-cert.pub".source = ./ymir/ed25519-cert.pub;
228 environment.etc."ssh/krl.bin".source = ./krl.bin;
218 users.groups."ssh" = { 229 users.groups."ssh" = {
219 members = ["gitolite" "uucp" "root"]; 230 members = ["gitolite" "uucp" "root"];
220 }; 231 };
diff --git a/ymir/ed25519-cert.pub b/ymir/ed25519-cert.pub
new file mode 100644
index 00000000..83ec913e
--- /dev/null
+++ b/ymir/ed25519-cert.pub
@@ -0,0 +1 @@
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAICUd5T+t6Giaq52opNtwkdA/h6DDVMV5mSAwmUY2U9cTAAAAIDeBBux2bIXnS/RUv+Y/NCpzI/SCW0KOJSzf48KDiEZDQAAAAGIHpkUAAAACAAAAJGQ5NmYwYWY1LTBjYjUtNDM1Zi1hYTFlLTc5ZjFhMjVlOTcyMAAAABUAAAAReW1pci55Z2dkcmFzaWwubGkAAAAAYgZUuwAAAABjsL7wAAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACAtbex2pqbUOPVV7UmckbGjro2uSJ9TdFPWG3Yrus7c4gAAAFMAAAALc3NoLWVkMjU1MTkAAABAorc2x49gJECkdwOjFrpSVKGpG/eapaFTFjNE0KIt+BUidQn821ort2lV+ycdZKO8XvWsFjzfCvdIMakpnDB9BA== ymir/ed25519.pub
diff --git a/ymir/rsa-cert.pub b/ymir/rsa-cert.pub
new file mode 100644
index 00000000..f2d60979
--- /dev/null
+++ b/ymir/rsa-cert.pub
@@ -0,0 +1 @@
ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg9cWaz1e9vLZV008c3egsA3xB56YLxvExYAzLBKN/nSoAAAADAQABAAACAQDNr7oFNneR3sVuAhdbnU83PuG6gTU6rDmiz+qykkRUr5Qdtm0NIr9lI7nhoO/MaALWmkMXsBGjvJ2UxvY959g0wQRHJZnuJDwOMo3YJjfuDGMTtp8ikzd646uMHQB+y/xb4dou6f0INr94eRsZcji7AQgZQnyWVV3DZuSADBfNK0Tx6sT6IdbJXaCwYoexnfSfzDdu3i5zMuReF4zdkFUEfAdcbOM8Cr0Abnn4+iLVrof/QaOEuZDC+Pf5QUhkAArETdavSCUIbV6+1md0jz/T8yalgrTCsYOoEUbSPwM/8vmiYDWSo/tvAf3KnVIPjjK2UFz7Qu0HyK0y1dBEXoYLGZ1ep4x67aE4zy7GlR2GZdAYilHknugZB+/kvYGDEixHFfcUh/uvF5PY8sm63C6HUBT1s/aQHXGHgE4uUru6YvbU3UW3fRdslABY/atZ9gc3MuKu9Zk27b1SYfAAoK1R8rKsOKWqUWvvMVCfKBNKqqb7+30q75iGeneB8Tb1C9lToyDG2Yl5p+Gpfnj8YmaU/xFm0HFEC42crRbaQyz01LmupHWf8VwH/O2LsjztAF9b4Oe2q/NwqQAF+h5hIm2tfM2fzxHGCmw1sFYf6dEdkyV5pge/IJrnuQn27iO06tRC6tvrt/ocbpwEEOk/3WWpAWW4oT8L5ceh7iAXrCRWp0AAAABiB6ZGAAAAAgAAACRiZTBlYjg0MS0xNmEyLTQwY2MtYjQwNy02Nzc3MzVmZTg1ODkAAAAVAAAAEXltaXIueWdnZHJhc2lsLmxpAAAAAGIGVLwAAAAAY7C+8AAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgLW3sdqam1Dj1Ve1JnJGxo66NrkifU3RT1ht2K7rO3OIAAABTAAAAC3NzaC1lZDI1NTE5AAAAQMHTfT5Y+8BLsPFfhsQwGbyrd6ufCph8WGTTH8e8D/FhFApIjPCnCuZJVOXrmdRAzc7BXFnJBBOX34Z7o8Y30wA= ymir/rsa.pub