feat(user/ssh): install vssh script

Signed-off-by: Matej Focko <me@mfocko.xyz>
2024-07-01 13:21:55 +02:00 · 2024-07-01 13:21:55 +02:00 · 73090a0db1
commit 73090a0db1
parent 0f7de0b35a
2 changed files with 37 additions and 0 deletions
--- a/roles/user/ssh/files/vssh
+++ b/roles/user/ssh/files/vssh
@ -0,0 +1,31 @@
+#!/bin/bash
+
+# create a temporary directory for an SSH key
+SSH_KEY_DIR=$(mktemp -d)
+
+# if no path to the key exists, create a temporary one
+if [[ $SSH_KEY_PATH == "" ]]; then
+  SSH_KEY_PATH=$SSH_KEY_DIR/id_ed25519
+  ssh-keygen -q -t ed25519 -N "" -f $SSH_KEY_PATH
+fi
+
+vault ssh \
+  -no-exec \
+  -field=signed_key \
+  -mode=ca \
+  -role="$VSSH_ROLE" \
+  -valid-principals="$VSSH_PRINCIPALS" \
+  -public-key-path=$SSH_KEY_PATH.pub \
+  -private-key-path=$SSH_KEY_PATH \
+  localhost > $SSH_KEY_PATH.pub.signed
+chmod 400 $SSH_KEY_PATH.pub.signed
+
+# [DEBUG]
+ssh-keygen -L -f $SSH_KEY_PATH.pub.signed
+
+# execute the SSH
+ssh -i $SSH_KEY_PATH -i $SSH_KEY_PATH.pub.signed $@
+
+# delete the signed key and temporary key if exists
+rm -f $SSH_KEY_PATH.pub.signed
+rm -rf $SSH_KEY_DIR
--- a/roles/user/ssh/tasks/main.yml
+++ b/roles/user/ssh/tasks/main.yml
@ -12,3 +12,9 @@
    dest: ~/.ssh/authorized_keys
    mode: 0600
  tags: ssh/authorized-keys
+
+- name: Install ‹vssh› script
+  ansible.builtin.copy:
+    src: files/vssh
+    dest: ~/.local/bin/vssh
+    mode: 0640