From a1235a25b44cf58577d065132909d68ef5c6ea00 Mon Sep 17 00:00:00 2001
From: Matej Focko
Date: Wed, 6 Sep 2023 11:42:26 +0200
Subject: [PATCH] fix(user/secrets/hcv): include vssh script

Signed-off-by: Matej Focko
---
 roles/user/secrets/hcv/files/vssh.sh | 31 +++++++++++++++++++++++++++
 roles/user/secrets/hcv/tasks/main.yml | 7 ++++++
 roles/user/shell/zsh/files/zshrc | 10 ++++++---
 3 files changed, 45 insertions(+), 3 deletions(-)
 create mode 100644 roles/user/secrets/hcv/files/vssh.sh

diff --git a/roles/user/secrets/hcv/files/vssh.sh b/roles/user/secrets/hcv/files/vssh.sh
new file mode 100644
index 0000000..20d102c
--- /dev/null
+++ b/roles/user/secrets/hcv/files/vssh.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# create a temporary directory for an SSH key
+SSH_KEY_DIR=$(mktemp -d)
+
+# if no path to the key exists, create a temporary one
+if [[ $SSH_KEY_PATH == "" ]]; then
+ SSH_KEY_PATH=$SSH_KEY_DIR/id_ed25519
+ ssh-keygen -q -t ed25519 -N "" -f $SSH_KEY_PATH
+fi
+
+vault ssh \
+ -no-exec \
+ -field=signed_key \
+ -mode=ca \
+ -role="$VSSH_ROLE" \
+ -valid-principals="$VSSH_PRINCIPALS" \
+ -public-key-path=$SSH_KEY_PATH.pub \
+ -private-key-path=$SSH_KEY_PATH \
+ localhost > $SSH_KEY_PATH.pub.signed
+chmod 400 $SSH_KEY_PATH.pub.signed
+
+# DEBUG
+ssh-keygen -L -f $SSH_KEY_PATH.pub.signed
+
+# execute the SSH
+ssh -i $SSH_KEY_PATH -i $SSH_KEY_PATH.pub.signed $@
+
+# delete the signed key and temporary key if exists
+rm -f $SSH_KEY_PATH.pub.signed
+rm -rf $SSH_KEY_DIR
diff --git a/roles/user/secrets/hcv/tasks/main.yml b/roles/user/secrets/hcv/tasks/main.yml
index 57ec067..0ea6c5c 100644
--- a/roles/user/secrets/hcv/tasks/main.yml
+++ b/roles/user/secrets/hcv/tasks/main.yml
@@ -14,3 +14,10 @@
 - name: Install HC Vault to userspace
 ansible.builtin.include_tasks: install_user.yml
 when: ansible_distribution not in [ "AlmaLinux", "CentOS", "Fedora", "Ubuntu"]
+
+- name: Install ‹vssh› script
+ ansible.builtin.copy:
+ src: files/vssh.sh
+ dest: ~/.local/bin/vssh
+ mode: 0700
+ creates: ~/.local/bin/vssh
diff --git a/roles/user/shell/zsh/files/zshrc b/roles/user/shell/zsh/files/zshrc
index 06d232a..22a0e3c 100644
--- a/roles/user/shell/zsh/files/zshrc
+++ b/roles/user/shell/zsh/files/zshrc
@@ -78,7 +78,7 @@ alias bwvps='ln -sf $HOME/.config/Bitwarden\ CLI/{vault.mfocko.xyz,data}.json' function gen_pass() { LENGTH=12 if [[ -n $1 ]]; then - LENGTH=$1 + LENGTH=$1 fi bw generate -uln --length $LENGTH
@@ -87,19 +87,23 @@ function gen_passphrase() { LENGTH=2 if [[ -n $1 ]]; then - LENGTH=$1 + LENGTH=$1 fi bw generate -p --words $LENGTH } -# HashiCorp Vault +### HashiCorp Vault ### export VAULT_ADDR="https://hvault.mfocko.xyz" function hcvu() { local PASS=$(yad --text "Password for HashiCorp Vault @ mfocko.xyz:" --center --button "yad-ok" --entry --hide-text) vault login -method=userpass -no-print username=$(whoami) password=$PASS } +# SSH variables for HashiCorp Vault +export VSSH_ROLE=$(whoami) +export VSSH_PRINCIPALS="$(whoami),me@mfocko.xyz" + ### public_html ### function from_phrase() { bw list items --search $2 | jq --raw-output ".[] | select(.folderId == \"$1\") | .fields[] | select(.value == \"$3\") | .name"
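Review bot: `creates:` is not a parameter of `ansible.builtin.copy` (it belongs to `command`/`shell`), so the new "Install ‹vssh› script" task is rejected at argument validation before anything is copied; drop that line — `copy` is already idempotent by checksum and needs no guard. The mode should be a quoted string, `mode: "0700"`, because YAML otherwise hands Ansible an integer and the Ansible docs describe unquoted leading-zero modes as working only sometimes (notably not in loops). It also does not look like anything here ensures `~/.local/bin` exists; if no earlier role creates it, an `ansible.builtin.file` task with `state: directory` should precede this one — not verifiable from this hunk.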