dotfiles/roles/user/secrets/hcv/files/vssh.sh

#!/bin/bash

# create a temporary directory for an SSH key
SSH_KEY_DIR=$(mktemp -d)

# if no path to the key exists, create a temporary one
if [[ $SSH_KEY_PATH == "" ]]; then
  SSH_KEY_PATH=$SSH_KEY_DIR/id_ed25519
  ssh-keygen -q -t ed25519 -N "" -f $SSH_KEY_PATH
fi

vault ssh \
  -no-exec \
  -field=signed_key \
  -mode=ca \
  -role="$VSSH_ROLE" \
  -valid-principals="$VSSH_PRINCIPALS" \
  -public-key-path=$SSH_KEY_PATH.pub \
  -private-key-path=$SSH_KEY_PATH \
  localhost > $SSH_KEY_PATH.pub.signed
chmod 400 $SSH_KEY_PATH.pub.signed

# DEBUG
ssh-keygen -L -f $SSH_KEY_PATH.pub.signed

# execute the SSH
ssh -i $SSH_KEY_PATH -i $SSH_KEY_PATH.pub.signed $@

# delete the signed key and temporary key if exists
rm -f $SSH_KEY_PATH.pub.signed
rm -rf $SSH_KEY_DIR
fix(user/secrets/hcv): include vssh script Signed-off-by: Matej Focko <me@mfocko.xyz> 2023-09-06 11:42:26 +02:00			`#!/bin/bash`

			`# create a temporary directory for an SSH key`
			`SSH_KEY_DIR=$(mktemp -d)`

			`# if no path to the key exists, create a temporary one`
			`if [[ $SSH_KEY_PATH == "" ]]; then`
			`SSH_KEY_PATH=$SSH_KEY_DIR/id_ed25519`
			`ssh-keygen -q -t ed25519 -N "" -f $SSH_KEY_PATH`
			`fi`

			`vault ssh \`
			`-no-exec \`
			`-field=signed_key \`
			`-mode=ca \`
			`-role="$VSSH_ROLE" \`
			`-valid-principals="$VSSH_PRINCIPALS" \`
			`-public-key-path=$SSH_KEY_PATH.pub \`
			`-private-key-path=$SSH_KEY_PATH \`
			`localhost > $SSH_KEY_PATH.pub.signed`
			`chmod 400 $SSH_KEY_PATH.pub.signed`

			`# DEBUG`
			`ssh-keygen -L -f $SSH_KEY_PATH.pub.signed`

			`# execute the SSH`
			`ssh -i $SSH_KEY_PATH -i $SSH_KEY_PATH.pub.signed $@`

			`# delete the signed key and temporary key if exists`
			`rm -f $SSH_KEY_PATH.pub.signed`
			`rm -rf $SSH_KEY_DIR`