author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-02-12 14:06:09 +0100 |
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-02-12 14:06:09 +0100 |
commit | ebb52640b558054ce57ad7bcb37ed1f7aff5bdcf (patch) | |
tree | b18bd1ce1434609ab4476a508e3da413623bdaea | |
parent | 7dfdf54de426b995173cec67b40451f0b83d264a (diff) | |
ymir: openssh ca
-rw-r--r-- | knownHosts.nix | 50 | ||||
-rw-r--r-- | krl.bin | bin | 0 -> 174 bytes | |||
-rw-r--r-- | ymir.nix | 11 | ||||
-rw-r--r-- | ymir/ed25519-cert.pub | 1 | ||||
-rw-r--r-- | ymir/rsa-cert.pub | 1 |
5 files changed, 16 insertions, 47 deletions
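--- a/knownHosts.nix
+++ b/knownHosts.nix
@@ -1,50 +1,6 @@
 {
-ymir-rsa = {
-hostNames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
-publicKey = ''
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNr7oFNneR3sVuAhdbnU83PuG6gTU6rDmiz+qykkRUr5Qdtm0NIr9lI7nhoO/MaALWmkMXsBGjvJ2UxvY959g0wQRHJZnuJDwOMo3YJjfuDGMTtp8ikzd646uMHQB+y/xb4dou6f0INr94eRsZcji7AQgZQnyWVV3DZuSADBfNK0Tx6sT6IdbJXaCwYoexnfSfzDdu3i5zMuReF4zdkFUEfAdcbOM8Cr0Abnn4+iLVrof/QaOEuZDC+Pf5QUhkAArETdavSCUIbV6+1md0jz/T8yalgrTCsYOoEUbSPwM/8vmiYDWSo/tvAf3KnVIPjjK2UFz7Qu0HyK0y1dBEXoYLGZ1ep4x67aE4zy7GlR2GZdAYilHknugZB+/kvYGDEixHFfcUh/uvF5PY8sm63C6HUBT1s/aQHXGHgE4uUru6YvbU3UW3fRdslABY/atZ9gc3MuKu9Zk27b1SYfAAoK1R8rKsOKWqUWvvMVCfKBNKqqb7+30q75iGeneB8Tb1C9lToyDG2Yl5p+Gpfnj8YmaU/xFm0HFEC42crRbaQyz01LmupHWf8VwH/O2LsjztAF9b4Oe2q/NwqQAF+h5hIm2tfM2fzxHGCmw1sFYf6dEdkyV5pge/IJrnuQn27iO06tRC6tvrt/ocbpwEEOk/3WWpAWW4oT8L5ceh7iAXrCRWpw==
-'';
-};
-ymir-ed25519 = {
-hostNames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
-publicKey = ''
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDeBBux2bIXnS/RUv+Y/NCpzI/SCW0KOJSzf48KDiEZD
-'';
-};
-odin-rsa = {
-hostNames = ["odin.asgard.yggdrasil"];
-publicKey = ''
-ssh-rsa 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
-'';
-};
-odin-ed25519 = {
-hostNames = ["odin.asgard.yggdrasil"];
-publicKey = ''
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0bDMyJFg6VNgiTebP9z9LJ90scGGdILK0qpNFQhMfc
-'';
-};
-hel-rsa = {
-hostNames = ["hel.asgard.yggdrasil" "hel.faraday.asgard.yggdrasil" "hel.midgard.yggdrasil"];
-publicKey = ''
-ssh-rsa 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
-'';
-};
-hel-ed25519 = {
-hostNames = ["hel.asgard.yggdrasil" "hel.faraday.asgard.yggdrasil" "hel.midgard.yggdrasil"];
-publicKey = ''
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAVmpfhUPgjsWyvomTbRJh5qkIC5WzdgdatqfRTd1EcK
-'';
-};
-sif-rsa = {
-hostNames = ["sif.asgard.yggdrasil" "sif.faraday.asgard.yggdrasil" "sif.midgard.yggdrasil"];
-publicKey = ''
-ssh-rsa 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
-'';
-};
-sif-ed25519 = {
-hostNames = ["sif.asgard.yggdrasil" "sif.faraday.asgard.yggdrasil" "sif.midgard.yggdrasil"];
-publicKey = ''
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfiwlzGcNQjamtIwv7fmXnddjajraeovaM6gRNui1+v
-'';
+"*.yggdrasil" = {
+extraHostNames = ["*.yggdrasil.li"];
+publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC1t7HamptQ49VXtSZyRsaOuja5In1N0U9Ybdiu6ztzi ca.yggdrasil";
 };
 }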
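Review bot: The CA key on new line 4 is declared as a plain `publicKey`, so it lands in known_hosts as an ordinary host key, which only matches a host that presents that very key; OpenSSH accepts a host *certificate* against a known_hosts line only when that line carries the `@cert-authority` marker. If the NixOS revision in use offers `programs.ssh.knownHosts.<name>.certAuthority`, add `certAuthority = true;` next to `publicKey`; otherwise the `@cert-authority *.yggdrasil,*.yggdrasil.li ssh-ed25519 …` line has to be supplied through `programs.ssh.knownHostsFiles`. Note also that every pinned key for odin, hel and sif is dropped, so those hosts connect without a host-key prompt only if each of them presents a certificate from `ca.yggdrasil` whose principals cover the names clients actually use; this commit ships certificates for ymir only, so I cannot tell from here whether the others are covered.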
diff --git a/krl.bin b/krl.bin new file mode 100644 index 00000000..3f04c994 --- /dev/null +++ b/krl.bin | |||
Binary files differ | |||
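--- a/ymir.nix
+++ b/ymir.nix
@@ -212,9 +212,20 @@ in rec {
 challengeResponseAuthentication = false;
 extraConfig = ''
 AllowGroups ssh
+
+HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
+RevokedKeys /etc/ssh/krl.bin
 '';
 knownHosts = import ./knownHosts.nix;
+hostKeys = [
+{ bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; type = "rsa"; }
+{ path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
+];
 };
+environment.etc."ssh/ssh_host_rsa_key-cert.pub".source = ./ymir/rsa-cert.pub;
+environment.etc."ssh/ssh_host_ed25519_key-cert.pub".source = ./ymir/ed25519-cert.pub;
+environment.etc."ssh/krl.bin".source = ./krl.bin;
 users.groups."ssh" = {
 members = ["gitolite" "uucp" "root"];
 };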
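Review bot: The two `HostCertificate` lines added to `extraConfig` reference certificates that are bound to specific host public keys (the ed25519 certificate embeds the same key the removed `ymir-ed25519` knownHosts entry listed), while the new `hostKeys` list lets NixOS generate fresh keys at those paths whenever they are absent; on a reinstalled or cloned machine sshd would then be unable to use the committed certificates, and clients that now rely solely on the CA entry are left with an unknown-host prompt. A comment above `hostKeys` would prevent that surprise, e.g. `# ./ymir/*-cert.pub are issued for exactly these keys; keep the private keys and re-issue the certificates if they are ever regenerated.` Also worth documenting that `RevokedKeys` is checked by sshd against keys and certificates presented by connecting clients only, so it does not let clients revoke ymir's own host certificate; rotating a compromised host key still has to go through the CA side. The enclosing attribute set starts before the hunk.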
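--- /dev/null
+++ b/ymir/ed25519-cert.pub
@@ -0,0 +1 @@
+ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAICUd5T+t6Giaq52opNtwkdA/h6DDVMV5mSAwmUY2U9cTAAAAIDeBBux2bIXnS/RUv+Y/NCpzI/SCW0KOJSzf48KDiEZDQAAAAGIHpkUAAAACAAAAJGQ5NmYwYWY1LTBjYjUtNDM1Zi1hYTFlLTc5ZjFhMjVlOTcyMAAAABUAAAAReW1pci55Z2dkcmFzaWwubGkAAAAAYgZUuwAAAABjsL7wAAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACAtbex2pqbUOPVV7UmckbGjro2uSJ9TdFPWG3Yrus7c4gAAAFMAAAALc3NoLWVkMjU1MTkAAABAorc2x49gJECkdwOjFrpSVKGpG/eapaFTFjNE0KIt+BUidQn821ort2lV+ycdZKO8XvWsFjzfCvdIMakpnDB9BA== ymir/ed25519.pub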
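Review bot: Decoding the certificate blob, its principal list holds the single name `ymir.yggdrasil.li`, and the validity window appears to run from the commit date to roughly the end of 2022 (please confirm both with `ssh-keygen -L -f ymir/ed25519-cert.pub`). The knownHosts entry this commit removes also covered `ymir.niflheim.yggdrasil`; under the new wildcard CA entry that name matches the CA line but is not a principal of this certificate, so OpenSSH will reject the certificate when connecting under that name. Either include that name as a principal when re-issuing, or keep a pinned entry for it. A renewal reminder for the expiry date would also help, since once it passes clients have no trusted key for ymir at all now that the pinned entries are gone.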
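--- /dev/null
+++ b/ymir/rsa-cert.pub
@@ -0,0 +1 @@
+ssh-rsa-cert-v01@openssh.com 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 ymir/rsa.pub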