diff options
| author | EuAndreh <eu@euandre.org> | 2019-06-08 11:43:38 -0300 |
|---|---|---|
| committer | EuAndreh <eu@euandre.org> | 2019-06-08 11:43:38 -0300 |
| commit | f054e9dea98bf56c8ea068dc279e99e76a334848 (patch) | |
| tree | 116518290093461bcd9655398583e3fb1bd91176 | |
| parent | Use nextcloud.${TLD} instead of cloud.${TLD} as CNAME for Nextcloud installation (diff) | |
| download | toph-f054e9dea98bf56c8ea068dc279e99e76a334848.tar.gz toph-f054e9dea98bf56c8ea068dc279e99e76a334848.tar.xz | |
Generate UserKnownHostsFile dynamically instead of when rotating keys
The previous solution would hardcode the server IP. This way we can change the
server IP address that is hosting everything and keep the SSH keypair.
Previously changing the IP address would require either calling the
=./rotate-ssh-keys.sh= script or manually changing the IP address on the
known-hosts.txt file.
The IP address being duplicated itself was a code smell.
Both SSH keypair and IP address can now be changed independently.
| -rw-r--r-- | .gitignore | 3 | ||||
| -rwxr-xr-x | rotate-ssh-keys.sh | 2 | ||||
| -rwxr-xr-x | scripts/ci/setup.sh | 2 | ||||
| -rw-r--r-- | secrets/ssh/known-hosts.txt | bin | 774 -> 0 bytes | |||
| -rw-r--r-- | ssh.env.conf | 2 |
5 files changed, 5 insertions, 4 deletions
@@ -10,4 +10,5 @@ /hosts /user-data.sh /scripts/box/create-backup.sh -/scripts/box/restore-backup.sh
\ No newline at end of file +/scripts/box/restore-backup.sh +/generated-known-hosts.txt
\ No newline at end of file diff --git a/rotate-ssh-keys.sh b/rotate-ssh-keys.sh index 4369002..7189657 100755 --- a/rotate-ssh-keys.sh +++ b/rotate-ssh-keys.sh @@ -5,8 +5,6 @@ cd "$(dirname "${BASH_SOURCE[0]}")" rm -f ./secrets/ssh/* ssh-keygen -t rsa -b 4096 -q -N '' -f ./secrets/ssh/vps-box-client ssh-keygen -t rsa -b 4096 -q -N '' -f ./secrets/ssh/vps-box-server -PUBLIC_KEY="$(awk '{print $2}' < ./secrets/ssh/vps-box-server.pub)" -echo "${TLD},${PINNED_IP} ssh-rsa ${PUBLIC_KEY}" > ./secrets/ssh/known-hosts.txt git add ./secrets/ssh/ git commit -m "Script: rotate SSH keys" diff --git a/scripts/ci/setup.sh b/scripts/ci/setup.sh index d9ac70c..b23b48f 100755 --- a/scripts/ci/setup.sh +++ b/scripts/ci/setup.sh @@ -33,6 +33,8 @@ export SSH_SERVER_PUBLIC_KEY # https://stackoverflow.com/questions/24963705/is-there-an-escape-character-for-envsubst export DOLLAR='$' +PUBLIC_KEY_ONLY="$(awk '{print $2}' < ./secrets/ssh/vps-box-server.pub)" +echo "${TLD},${PINNED_IP} ssh-rsa $(echo $SSH_SERVER_PUBLIC_KEY | awk '{print $2}')" > ./generated-known-hosts.txt envsubst < ./ssh.env.conf >> ~/.ssh/config envsubst < ./hosts.env > ./hosts envsubst < ./docker-compose.env.yaml > ./docker-compose.yaml diff --git a/secrets/ssh/known-hosts.txt b/secrets/ssh/known-hosts.txt Binary files differdeleted file mode 100644 index 8bbf729..0000000 --- a/secrets/ssh/known-hosts.txt +++ /dev/null diff --git a/ssh.env.conf b/ssh.env.conf index b3dc21d..6a7ba03 100644 --- a/ssh.env.conf +++ b/ssh.env.conf @@ -1,7 +1,7 @@ Host $TLD User root IdentityFile $PWD/secrets/ssh/vps-box-client - UserKnownHostsFile $PWD/secrets/ssh/known-hosts.txt + UserKnownHostsFile $PWD/generated-known-hosts.txt Port $SSH_PORT Host git.sr.ht StrictHostKeyChecking no |