fix(user/secrets/hcv): include vssh script
Signed-off-by: Matej Focko <me@mfocko.xyz>
This commit is contained in:
parent
6f29e49597
commit
a1235a25b4
3 changed files with 45 additions and 3 deletions
31
roles/user/secrets/hcv/files/vssh.sh
Normal file
31
roles/user/secrets/hcv/files/vssh.sh
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# create a temporary directory for an SSH key
|
||||||
|
SSH_KEY_DIR=$(mktemp -d)
|
||||||
|
|
||||||
|
# if no path to the key exists, create a temporary one
|
||||||
|
if [[ $SSH_KEY_PATH == "" ]]; then
|
||||||
|
SSH_KEY_PATH=$SSH_KEY_DIR/id_ed25519
|
||||||
|
ssh-keygen -q -t ed25519 -N "" -f $SSH_KEY_PATH
|
||||||
|
fi
|
||||||
|
|
||||||
|
vault ssh \
|
||||||
|
-no-exec \
|
||||||
|
-field=signed_key \
|
||||||
|
-mode=ca \
|
||||||
|
-role="$VSSH_ROLE" \
|
||||||
|
-valid-principals="$VSSH_PRINCIPALS" \
|
||||||
|
-public-key-path=$SSH_KEY_PATH.pub \
|
||||||
|
-private-key-path=$SSH_KEY_PATH \
|
||||||
|
localhost > $SSH_KEY_PATH.pub.signed
|
||||||
|
chmod 400 $SSH_KEY_PATH.pub.signed
|
||||||
|
|
||||||
|
# DEBUG
|
||||||
|
ssh-keygen -L -f $SSH_KEY_PATH.pub.signed
|
||||||
|
|
||||||
|
# execute the SSH
|
||||||
|
ssh -i $SSH_KEY_PATH -i $SSH_KEY_PATH.pub.signed $@
|
||||||
|
|
||||||
|
# delete the signed key and temporary key if exists
|
||||||
|
rm -f $SSH_KEY_PATH.pub.signed
|
||||||
|
rm -rf $SSH_KEY_DIR
|
|
@ -14,3 +14,10 @@
|
||||||
- name: Install HC Vault to userspace
|
- name: Install HC Vault to userspace
|
||||||
ansible.builtin.include_tasks: install_user.yml
|
ansible.builtin.include_tasks: install_user.yml
|
||||||
when: ansible_distribution not in [ "AlmaLinux", "CentOS", "Fedora", "Ubuntu"]
|
when: ansible_distribution not in [ "AlmaLinux", "CentOS", "Fedora", "Ubuntu"]
|
||||||
|
|
||||||
|
- name: Install ‹vssh› script
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: files/vssh.sh
|
||||||
|
dest: ~/.local/bin/vssh
|
||||||
|
mode: 0700
|
||||||
|
creates: ~/.local/bin/vssh
|
||||||
|
|
|
@ -78,7 +78,7 @@ alias bwvps='ln -sf $HOME/.config/Bitwarden\ CLI/{vault.mfocko.xyz,data}.json'
|
||||||
function gen_pass() {
|
function gen_pass() {
|
||||||
LENGTH=12
|
LENGTH=12
|
||||||
if [[ -n $1 ]]; then
|
if [[ -n $1 ]]; then
|
||||||
LENGTH=$1
|
LENGTH=$1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
bw generate -uln --length $LENGTH
|
bw generate -uln --length $LENGTH
|
||||||
|
@ -87,19 +87,23 @@ function gen_pass() {
|
||||||
function gen_passphrase() {
|
function gen_passphrase() {
|
||||||
LENGTH=2
|
LENGTH=2
|
||||||
if [[ -n $1 ]]; then
|
if [[ -n $1 ]]; then
|
||||||
LENGTH=$1
|
LENGTH=$1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
bw generate -p --words $LENGTH
|
bw generate -p --words $LENGTH
|
||||||
}
|
}
|
||||||
|
|
||||||
# HashiCorp Vault
|
### HashiCorp Vault ###
|
||||||
export VAULT_ADDR="https://hvault.mfocko.xyz"
|
export VAULT_ADDR="https://hvault.mfocko.xyz"
|
||||||
function hcvu() {
|
function hcvu() {
|
||||||
local PASS=$(yad --text "Password for HashiCorp Vault @ mfocko.xyz:" --center --button "yad-ok" --entry --hide-text)
|
local PASS=$(yad --text "Password for HashiCorp Vault @ mfocko.xyz:" --center --button "yad-ok" --entry --hide-text)
|
||||||
vault login -method=userpass -no-print username=$(whoami) password=$PASS
|
vault login -method=userpass -no-print username=$(whoami) password=$PASS
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# SSH variables for HashiCorp Vault
|
||||||
|
export VSSH_ROLE=$(whoami)
|
||||||
|
export VSSH_PRINCIPALS="$(whoami),me@mfocko.xyz"
|
||||||
|
|
||||||
### public_html ###
|
### public_html ###
|
||||||
function from_phrase() {
|
function from_phrase() {
|
||||||
bw list items --search $2 | jq --raw-output ".[] | select(.folderId == \"$1\") | .fields[] | select(.value == \"$3\") | .name"
|
bw list items --search $2 | jq --raw-output ".[] | select(.folderId == \"$1\") | .fields[] | select(.value == \"$3\") | .name"
|
||||||
|
|
Loading…
Reference in a new issue