forked from epesooj/webring
Configure host to use SSH certs on the host and client side.
This commit is contained in:
DS
parent
a872e6f395
commit
55eb37bb47
10 changed files with 129 additions and 3 deletions
43
README.md
43
README.md
|
|
@ -38,6 +38,41 @@ There's already a `.vscode` directory which should direct VSCode to enable the D
|
|||
|
||||
# Infrastructure
|
||||
|
||||
## Setting up SSH access
|
||||
|
||||
You'll need to trust the SSH certificate authority that generates SSH keys for Epesooj's hosts.
|
||||
The CA's public key is in `./host_config/ssh_certs/host_ca.pub`.
|
||||
|
||||
This is the template for the SSH `known_hosts` entry:
|
||||
|
||||
```
|
||||
@cert-authority <dns name or ip address> <CONTENTS OF host_ca.pub>
|
||||
```
|
||||
|
||||
For example:
|
||||
|
||||
```
|
||||
@cert-authority code.akols.com ssh-ed25519 AAAA...
|
||||
```
|
||||
|
||||
## Signing a user's public SSH key to give them host access
|
||||
|
||||
Run `just sign_user_key <username> <user_pub_key_path>`.
|
||||
This will by default give them `root` access.
|
||||
Check the definition of this `just` command to see how to give them access to different user(s).
|
||||
|
||||
Once this is done, give them the signed public key (it'll be a file in the same directory as `<user_pub_key_path>` with the `-cert.pub` suffix) and tell them to add the `CertificateFile` option to their SSH config to make sure it'll also present the signed public key.
|
||||
For example:
|
||||
|
||||
```
|
||||
Host epesooj
|
||||
User root
|
||||
HostName code.akols.com
|
||||
IdentityFile ~/.ssh/epesooj_personal.pub
|
||||
CertificateFile ~/.ssh/epesooj_personal-cert.pub
|
||||
IdentitiesOnly yes
|
||||
```
|
||||
|
||||
## Nixifying a new host
|
||||
|
||||
If you have a bunch of SSH keys in your SSH agent and get errors when trying to SSH into a fresh host, you may need to temporarily add the following config to your SSH config (obviously change the details for your case).
|
||||
|
|
@ -50,7 +85,15 @@ Host 188.245.194.78
|
|||
IdentitiesOnly yes
|
||||
```
|
||||
|
||||
Once you can SSH into the host normally, run `just nixify_host <hostname> "code" "<dns name>,<ip address>"`.
|
||||
For example: `just nixify_host epesooj-code-0001 code "code.akols.com,188.245.194.78"`.
|
||||
|
||||
This command requires you to have the key for the Epesooj Host SSH certificate authority.
|
||||
If you don't have it, contact someone who does.
|
||||
|
||||
## Deploying the webring
|
||||
|
||||
You should have a `.env` file with the id and deploy key for each script in the webring, as well as a key to deploy the index page to bunny.
|
||||
When you have this, run `deno task deploy`.
|
||||
You'll need the API keys required to deploy these.
|
||||
If you don't have them, contact someone who does.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue