fix(user/secrets/hcv): include vssh script

Signed-off-by: Matej Focko <me@mfocko.xyz>
2023-09-06 11:42:26 +02:00 · 2023-09-06 11:42:26 +02:00 · a1235a25b4
commit a1235a25b4
parent 6f29e49597
3 changed files with 45 additions and 3 deletions
--- a/roles/user/secrets/hcv/files/vssh.sh
+++ b/roles/user/secrets/hcv/files/vssh.sh
@ -0,0 +1,31 @@
+#!/bin/bash
+
+# create a temporary directory for an SSH key
+SSH_KEY_DIR=$(mktemp -d)
+
+# if no path to the key exists, create a temporary one
+if [[ $SSH_KEY_PATH == "" ]]; then
+  SSH_KEY_PATH=$SSH_KEY_DIR/id_ed25519
+  ssh-keygen -q -t ed25519 -N "" -f $SSH_KEY_PATH
+fi
+
+vault ssh \
+  -no-exec \
+  -field=signed_key \
+  -mode=ca \
+  -role="$VSSH_ROLE" \
+  -valid-principals="$VSSH_PRINCIPALS" \
+  -public-key-path=$SSH_KEY_PATH.pub \
+  -private-key-path=$SSH_KEY_PATH \
+  localhost > $SSH_KEY_PATH.pub.signed
+chmod 400 $SSH_KEY_PATH.pub.signed
+
+# DEBUG
+ssh-keygen -L -f $SSH_KEY_PATH.pub.signed
+
+# execute the SSH
+ssh -i $SSH_KEY_PATH -i $SSH_KEY_PATH.pub.signed $@
+
+# delete the signed key and temporary key if exists
+rm -f $SSH_KEY_PATH.pub.signed
+rm -rf $SSH_KEY_DIR
--- a/roles/user/secrets/hcv/tasks/main.yml
+++ b/roles/user/secrets/hcv/tasks/main.yml
@ -14,3 +14,10 @@
 - name: Install HC Vault to userspace
  ansible.builtin.include_tasks: install_user.yml
  when: ansible_distribution not in [ "AlmaLinux", "CentOS", "Fedora", "Ubuntu"]
+
+- name: Install ‹vssh› script
+  ansible.builtin.copy:
+    src: files/vssh.sh
+    dest: ~/.local/bin/vssh
+    mode: 0700
+    creates: ~/.local/bin/vssh
--- a/roles/user/shell/zsh/files/zshrc
+++ b/roles/user/shell/zsh/files/zshrc
@ -78,7 +78,7 @@ alias bwvps='ln -sf $HOME/.config/Bitwarden\ CLI/{vault.mfocko.xyz,data}.json'
 function gen_pass() {
    LENGTH=12
    if [[ -n $1 ]]; then
-	LENGTH=$1
+    LENGTH=$1
    fi

    bw generate -uln --length $LENGTH
@ -87,19 +87,23 @@ function gen_pass() {
 function gen_passphrase() {
    LENGTH=2
    if [[ -n $1 ]]; then
-	LENGTH=$1
+    LENGTH=$1
    fi

    bw generate -p --words $LENGTH
 }

-# HashiCorp Vault
+### HashiCorp Vault ###
 export VAULT_ADDR="https://hvault.mfocko.xyz"
 function hcvu() {
    local PASS=$(yad --text "Password for HashiCorp Vault @ mfocko.xyz:" --center --button "yad-ok" --entry --hide-text)
    vault login -method=userpass -no-print username=$(whoami) password=$PASS
 }

+# SSH variables for HashiCorp Vault
+export VSSH_ROLE=$(whoami)
+export VSSH_PRINCIPALS="$(whoami),me@mfocko.xyz"
+
 ### public_html ###
 function from_phrase() {
    bw list items --search $2 | jq --raw-output ".[] | select(.folderId == \"$1\") | .fields[] | select(.value == \"$3\") | .name"