fix(user/secrets/hcv): include vssh script

Signed-off-by: Matej Focko <me@mfocko.xyz>
This commit is contained in:
Matej Focko 2023-09-06 11:42:26 +02:00
parent 6f29e49597
commit a1235a25b4
Signed by: mfocko
GPG key ID: 7C47D46246790496
3 changed files with 45 additions and 3 deletions


@ -0,0 +1,31 @@
#!/bin/bash
# create a temporary directory for an SSH key
SSH_KEY_DIR=$(mktemp -d)
# if no path to the key exists, create a temporary one
if [[ $SSH_KEY_PATH == "" ]]; then
SSH_KEY_PATH=$SSH_KEY_DIR/id_ed25519
ssh-keygen -q -t ed25519 -N "" -f $SSH_KEY_PATH
fi
vault ssh \
-no-exec \
-field=signed_key \
-mode=ca \
-role="$VSSH_ROLE" \
-valid-principals="$VSSH_PRINCIPALS" \
-public-key-path=$SSH_KEY_PATH.pub \
-private-key-path=$SSH_KEY_PATH \
localhost > $SSH_KEY_PATH.pub.signed
chmod 400 $SSH_KEY_PATH.pub.signed
# DEBUG
ssh-keygen -L -f $SSH_KEY_PATH.pub.signed
# execute the SSH
ssh -i $SSH_KEY_PATH -i $SSH_KEY_PATH.pub.signed $@
# delete the signed key and temporary key if exists
rm -f $SSH_KEY_PATH.pub.signed
rm -rf $SSH_KEY_DIR


@ -14,3 +14,10 @@
- name: Install HC Vault to userspace - name: Install HC Vault to userspace
ansible.builtin.include_tasks: install_user.yml ansible.builtin.include_tasks: install_user.yml
when: ansible_distribution not in [ "AlmaLinux", "CentOS", "Fedora", "Ubuntu"] when: ansible_distribution not in [ "AlmaLinux", "CentOS", "Fedora", "Ubuntu"]
- name: Install vssh script
ansible.builtin.copy:
src: files/vssh.sh
dest: ~/.local/bin/vssh
mode: 0700
creates: ~/.local/bin/vssh
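Review bot: `creates:` is not a parameter of `ansible.builtin.copy` (it belongs to the command/shell modules), so this task fails with an unsupported-parameter error instead of installing the script; drop that line, since copy already skips the transfer when the destination checksum matches. `mode: 0700` is an unquoted leading-zero literal that YAML 1.1 parsers read as an octal integer; Ansible's documentation recommends `mode: "0700"` so the value is passed as written. The task also appears to assume `~/.local/bin` already exists on the target, which a preceding `ansible.builtin.file` task with `state: directory` would make explicit.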


@ -93,13 +93,17 @@ function gen_passphrase() {
bw generate -p --words $LENGTH bw generate -p --words $LENGTH
} }
# HashiCorp Vault ### HashiCorp Vault ###
export VAULT_ADDR="https://hvault.mfocko.xyz" export VAULT_ADDR="https://hvault.mfocko.xyz"
function hcvu() { function hcvu() {
local PASS=$(yad --text "Password for HashiCorp Vault @ mfocko.xyz:" --center --button "yad-ok" --entry --hide-text) local PASS=$(yad --text "Password for HashiCorp Vault @ mfocko.xyz:" --center --button "yad-ok" --entry --hide-text)
vault login -method=userpass -no-print username=$(whoami) password=$PASS vault login -method=userpass -no-print username=$(whoami) password=$PASS
} }
# SSH variables for HashiCorp Vault
export VSSH_ROLE=$(whoami)
export VSSH_PRINCIPALS="$(whoami),me@mfocko.xyz"
### public_html ### ### public_html ###
function from_phrase() { function from_phrase() {
bw list items --search $2 | jq --raw-output ".[] | select(.folderId == \"$1\") | .fields[] | select(.value == \"$3\") | .name" bw list items --search $2 | jq --raw-output ".[] | select(.folderId == \"$1\") | .fields[] | select(.value == \"$3\") | .name"
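Review bot: `export VSSH_ROLE=$(whoami)` and the `VSSH_PRINCIPALS` line below it combine the declaration with a command substitution, so a failing `whoami` exports an empty value while the status stays 0 (ShellCheck SC2155); the new vssh script passes these straight through as `-role=` and `-valid-principals=`, so an empty role would reach vault unnoticed. Splitting assignment from export, `VSSH_ROLE=$(whoami)` followed by `export VSSH_ROLE`, keeps the failure visible. A short comment stating that vssh.sh reads these two variables would also help, since nothing in this file otherwise references them.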