Manage public SSH files as "extra-etc-file" instead of like a secret

author: EuAndreh <eu@euandre.org> 2023-03-20 09:46:20 -0300
committer: EuAndreh <eu@euandre.org> 2023-03-20 10:03:17 -0300
commit: 7ffcd694068d484842be0b87a9aeeda0a7720568 (patch)
tree: c2744d6661967f5a2c128528d6ed51739556d906
parent: Makefile: Also upload managed SSH known_hosts file (diff)
download: server-7ffcd694068d484842be0b87a9aeeda0a7720568.tar.gz
server-7ffcd694068d484842be0b87a9aeeda0a7720568.tar.xz
5 files changed, 14 insertions, 18 deletions
diff --git a/.gitignore b/.gitignore
index 6eedc52..d0b0079 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,3 @@
 /src/secrets/
-/src/infrastructure/keys/SSH/*.stripped
 /result
 /result-next
diff --git a/Makefile b/Makefile
index 08931fb..c39eb5b 100644
--- a/Makefile
+++ b/Makefile
@@ -5,18 +5,21 @@
 all: result
 
 
-result: ALWAYS
+result: ALWAYS src/infrastructure/keys/SSH/root@euandre.org.id_rsa.pub.stripped
 	rm -f result-next
 	guix system -v3 -r result-next build src/infrastructure/guix/system.scm
 	rm -f result
 	mv result-next result
 
+src/infrastructure/keys/SSH/root@euandre.org.id_rsa.pub.stripped: \
+		src/infrastructure/keys/SSH/root@euandre.org.id_rsa.pub.txt
+	cut -d' ' -f6- < $(@D)/`basename $@ .stripped`.txt > $@
+
 
 check:
 
 clean:
 	rm -rf \
-		src/secrets/*.txt src/infrastructure/keys/SSH/*.stripped       \
 		result result-next                                             \
 
 
@@ -43,22 +46,13 @@ $(repo-secrets):
 	gpg -aer eu@euandre.org < $(@D)/`basename $@ .gpg` > $@
 
 
-public-ssh = src/infrastructure/keys/SSH/root@euandre.org.id_rsa.pub
-$(public-ssh).stripped: $(public-ssh).txt
-	cut -d' ' -f6- < $(public-ssh).txt > $@
-
-
-upload-secrets: $(prod-secrets.txt) $(public-ssh).stripped \
-		src/infrastructure/keys/known_hosts.txt
+upload-secrets: $(prod-secrets.txt)
 	ssh euandre.org sudo -u secrets-keeper 'rm -f /opt/secrets/*'
 	rsync \
 		--rsync-path='sudo -u secrets-keeper rsync' \
 		--chmod=000                                 \
 		-avzP                                       \
-		$(prod-secrets.txt)                         \
-		$(public-ssh).stripped                      \
-		src/infrastructure/keys/known_hosts.txt     \
-		euandre.org:/opt/secrets/
+		$(prod-secrets.txt) euandre.org:/opt/secrets/
 
 
 ## Generate the ".ssh/authorized_keys" file and upload
diff --git a/src/infrastructure/keys/known_hosts.txt b/src/infrastructure/config/known_hosts.txt
index 44fc283..44fc283 100644
--- a/src/infrastructure/keys/known_hosts.txt
+++ b/src/infrastructure/config/known_hosts.txt
diff --git a/src/infrastructure/guix/system.scm b/src/infrastructure/guix/system.scm
index 3d340e5..d591c2b 100644
--- a/src/infrastructure/guix/system.scm
+++ b/src/infrastructure/guix/system.scm
@@ -409,10 +409,12 @@
                      "#)))))))
       (service cgit-service-type queue:cgit-pre-configuration)
       (simple-service 'extra-etc-file etc-service-type
-        `(("rc"        ,(plain-file "rc.sh"     (file "src/infrastructure/config/rc.sh")))
-          ("ssh.conf"  ,(plain-file "ssh.conf"  (file "src/infrastructure/config/ssh.conf")))
-          ("init.scm"  ,(plain-file "init.scm"  (file "src/infrastructure/config/init.scm")))
-          ("gitconfig" ,(plain-file "gitconfig" (file "src/infrastructure/config/gitconfig")))))
+        `(("rc"          ,(plain-file "rc.sh"       (file "src/infrastructure/config/rc.sh")))
+          ("known_hosts" ,(plain-file "known_hosts" (file "src/infrastructure/config/known_hosts.txt")))
+          ("id_rsa.pub"  ,(plain-file "id_rsa.pub"  (file "src/infrastructure/keys/SSH/root@euandre.org.id_rsa.pub.stripped")))
+          ("ssh.conf"    ,(plain-file "ssh.conf"    (file "src/infrastructure/config/ssh.conf")))
+          ("init.scm"    ,(plain-file "init.scm"    (file "src/infrastructure/config/init.scm")))
+          ("gitconfig"   ,(plain-file "gitconfig"   (file "src/infrastructure/config/gitconfig")))))
       (service git-daemon-service-type
         (git-daemon-configuration
           (export-all? #t)))
diff --git a/src/infrastructure/keys/SSH/root@euandre.org.id_rsa.pub.stripped b/src/infrastructure/keys/SSH/root@euandre.org.id_rsa.pub.stripped
new file mode 100644
index 0000000..4a715ff
--- /dev/null
+++ b/src/infrastructure/keys/SSH/root@euandre.org.id_rsa.pub.stripped
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0o73ml7gMPhw/EwjIof6ph5PHPAL5EFDrP7PPZ9xCES79nSKZ0r40uW2RNp2Gzwb/QYtbr/aFkuX11Eo739upnj5cydyr4AHPLgoBoPVbn7/0/IIkin4r31GrWYdGzXRZSB5Tz0Za58OYW0RiUVHffx/E5+tOBQ2SMc6WK9/Q6FljGrD3yK/KYgZhcvmfsDTv2DGhFFORoUQSfGGwmRMJXGVPG2lDqoD3I3CWF34Y/b9GRHdSFgHy3iOas03WTsMaOSosmuF9MMm8Zn2515XGXU+uirsUJrFOa5leRBEvoEmx+WsB6CULn0PKk+ieghcq8z4j5oR1AOUFeSSJVIvlOyyt8x5rqLW8CvPFtU982LZrAq/DCcuaIkx/ww/cIbkUIN52Tv1Ia8jfV2aqRJ4hRshsuh9mj5fUlp+jmrMY6Ww5tl24OKrKRAT6pr5Fzgip927BkLPKJFClcp5fzZJLUiwNihYfuR5J+VselMPfxoTXfNVj/hsINclj2CLoCTM= root@toph
author	EuAndreh <eu@euandre.org>	2023-03-20 09:46:20 -0300
committer	EuAndreh <eu@euandre.org>	2023-03-20 10:03:17 -0300
commit	7ffcd694068d484842be0b87a9aeeda0a7720568 (patch)
tree	c2744d6661967f5a2c128528d6ed51739556d906
parent	Makefile: Also upload managed SSH known_hosts file (diff)
download	server-7ffcd694068d484842be0b87a9aeeda0a7720568.tar.gz server-7ffcd694068d484842be0b87a9aeeda0a7720568.tar.xz