authorEuAndreh <eu@euandre.org>2019-06-08 11:43:38 -0300
committerEuAndreh <eu@euandre.org>2019-06-08 11:43:38 -0300
commitf054e9dea98bf56c8ea068dc279e99e76a334848 (patch)
tree116518290093461bcd9655398583e3fb1bd91176
parentUse nextcloud.${TLD} instead of cloud.${TLD} as CNAME for Nextcloud installation (diff)
downloadtoph-f054e9dea98bf56c8ea068dc279e99e76a334848.tar.gz
toph-f054e9dea98bf56c8ea068dc279e99e76a334848.tar.xz
Generate UserKnownHostsFile dynamically instead of when rotating keys
The previous solution would hardcode the server IP. This way we can change the IP address of the server that is hosting everything and keep the SSH keypair. Previously, changing the IP address would require either running the =./rotate-ssh-keys.sh= script or manually editing the IP address in the known-hosts.txt file. The IP address being duplicated was itself a code smell. The SSH keypair and the IP address can now be changed independently.
-rw-r--r--.gitignore3
-rwxr-xr-xrotate-ssh-keys.sh2
-rwxr-xr-xscripts/ci/setup.sh2
-rw-r--r--secrets/ssh/known-hosts.txtbin774 -> 0 bytes
-rw-r--r--ssh.env.conf2
5 files changed, 5 insertions, 4 deletions
diff --git a/.gitignore b/.gitignore
index 7dfc366..88329b0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,4 +10,5 @@
/hosts
/user-data.sh
/scripts/box/create-backup.sh
-/scripts/box/restore-backup.sh \ No newline at end of file
+/scripts/box/restore-backup.sh
+/generated-known-hosts.txt \ No newline at end of file
diff --git a/rotate-ssh-keys.sh b/rotate-ssh-keys.sh
index 4369002..7189657 100755
--- a/rotate-ssh-keys.sh
+++ b/rotate-ssh-keys.sh
@@ -5,8 +5,6 @@ cd "$(dirname "${BASH_SOURCE[0]}")"
rm -f ./secrets/ssh/*
ssh-keygen -t rsa -b 4096 -q -N '' -f ./secrets/ssh/vps-box-client
ssh-keygen -t rsa -b 4096 -q -N '' -f ./secrets/ssh/vps-box-server
-PUBLIC_KEY="$(awk '{print $2}' < ./secrets/ssh/vps-box-server.pub)"
-echo "${TLD},${PINNED_IP} ssh-rsa ${PUBLIC_KEY}" > ./secrets/ssh/known-hosts.txt
git add ./secrets/ssh/
git commit -m "Script: rotate SSH keys"
diff --git a/scripts/ci/setup.sh b/scripts/ci/setup.sh
index d9ac70c..b23b48f 100755
--- a/scripts/ci/setup.sh
+++ b/scripts/ci/setup.sh
@@ -33,6 +33,8 @@ export SSH_SERVER_PUBLIC_KEY
# https://stackoverflow.com/questions/24963705/is-there-an-escape-character-for-envsubst
export DOLLAR='$'
+PUBLIC_KEY_ONLY="$(awk '{print $2}' < ./secrets/ssh/vps-box-server.pub)"
+echo "${TLD},${PINNED_IP} ssh-rsa $(echo $SSH_SERVER_PUBLIC_KEY | awk '{print $2}')" > ./generated-known-hosts.txt
envsubst < ./ssh.env.conf >> ~/.ssh/config
envsubst < ./hosts.env > ./hosts
envsubst < ./docker-compose.env.yaml > ./docker-compose.yaml
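Review bot: `PUBLIC_KEY_ONLY` on the first added line is assigned from `./secrets/ssh/vps-box-server.pub` and never used; the second added line re-derives the key from `$SSH_SERVER_PUBLIC_KEY` through an unquoted `echo`, so the known-hosts entry is built from two different sources and an unquoted expansion. I would drop the unused assignment and write the entry with a quoted, single-source pipeline: `printf '%s,%s ssh-rsa %s\n' "$TLD" "$PINNED_IP" "$(awk '{print $2}' <<<"$SSH_SERVER_PUBLIC_KEY")" > ./generated-known-hosts.txt`. The generated file is the only host-key pinning for `Host $TLD`, and ssh.env.conf also sets `Port $SSH_PORT`; if that port is not 22, OpenSSH looks up `[host]:port` rather than the bare host name, so the entry would need the `[${TLD}]:${SSH_PORT},[${PINNED_IP}]:${SSH_PORT}` form or host-key verification for the box will not match — I cannot tell the port's value from this page, so worth confirming. The enclosing script continues outside the hunk on both sides.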
diff --git a/secrets/ssh/known-hosts.txt b/secrets/ssh/known-hosts.txt
deleted file mode 100644
index 8bbf729..0000000
--- a/secrets/ssh/known-hosts.txt
+++ /dev/null
Binary files differ
diff --git a/ssh.env.conf b/ssh.env.conf
index b3dc21d..6a7ba03 100644
--- a/ssh.env.conf
+++ b/ssh.env.conf
@@ -1,7 +1,7 @@
Host $TLD
User root
IdentityFile $PWD/secrets/ssh/vps-box-client
- UserKnownHostsFile $PWD/secrets/ssh/known-hosts.txt
+ UserKnownHostsFile $PWD/generated-known-hosts.txt
Port $SSH_PORT
Host git.sr.ht
StrictHostKeyChecking no