

commit 13374a88b74ac17b8a84d639c553e71716eb768b
parent 6a359e94065a501f9ae3c89b748c1f591d6b8a22
Author: pyratebeard <root@pyratebeard.net>
Date:   Fri, 22 Dec 2023 16:04:10 +0000

try to self-sign hostca

Diffstat:
Mforge | 22+++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/forge b/forge @@ -22,6 +22,7 @@ U_HOME="/usr/${USR}" DWARF="sudo -u dwarf" EMAIL="root@pyratebeard.net" USERCA_KEY="userca-key-01.pub" +HOSTCA_KEY="hostca-key-01" # ▓▓▒░ functions function _echo() { printf "\n╓───── %s \n╙────────────────────────────────────── ─ ─ \n" "$1"; } @@ -42,10 +43,6 @@ systemctl daemon-reload _echo "installing runtime deps" apt update && apt install -y git gpg bash curl locales gnupg software-properties-common unzip -# bitwarden -curl -sL -o bw.zip "https://vault.bitwarden.com/download/?app=cli&platform=linux" && \ - unzip -d /usr/local/bin bw.zip - _echo "install pkgs" apt-get update && \ apt-get install -y \ @@ -61,19 +58,23 @@ apt-get update && \ vim \ zsh +# bitwarden +curl -sL -o bw.zip "https://vault.bitwarden.com/download/?app=cli&platform=linux" && \ + unzip -d /usr/local/bin bw.zip + _echo "remove pkgs" apt-get remove -y \ nano \ telnet apt-get autoremove -y +_echo "bitwarden login" +export BW_SESSION=$(bw login "${EMAIL}" --raw --method 0) + _echo "adding dwarf user" id "${USR}" >/dev/null 2>&1 || \ useradd -omd ${U_HOME} -u ${U_UID} -g ${U_UID} -s $(which zsh) ${USR} -_echo "bitwarden login" -export BW_SESSION=$(bw login "${EMAIL}" --raw --method 0) - _echo "creating home skel" ## skeleton directories mkdir -p \ 
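Review bot: `export BW_SESSION=$(bw login "${EMAIL}" --raw --method 0)` in the third hunk masks the exit status of `bw login`, so a failed or cancelled login leaves BW_SESSION empty and every later `bw get notes` call writes an empty secret file into /etc/ssh without complaint; split it into `BW_SESSION=$(bw login "${EMAIL}" --raw --method 0) || exit 1` followed by `export BW_SESSION`. Whether the script runs under `set -e`/`pipefail` is not visible in these hunks, so the explicit check is needed either way. The moved bitwarden install still fetches the CLI from a fixed URL and unzips it straight into /usr/local/bin with no version pin or checksum, which is worth verifying before the archive is installed as root.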
@@ -106,12 +107,19 @@ id src >/dev/null 2>&1 || \ # ▓▓▒░ ssh _echo "ssh config" +# userca trusted keys bw get notes "${USERCA_KEY}" | tee /etc/ssh/${USERCA_KEY} ## add trustedusercakeys line before ciphers section sed -i "/^#\ Ciphers\ and\ keying/i TrustedUserCAKeys\ \/etc\/ssh\/${USERCA_KEY}\n" \ /etc/ssh/sshd_config +# hostca self sign +bw get notes "${HOSTCA_KEY}" | tee /etc/ssh/${HOSTCA_KEY} + +ssh-keygen -s /etc/ssh/${HOSTCA_KEY} -h -I $(hostname -s)@$(hostname -d) -n $(hostname -f),$(hostname -s) -V +52w /etc/ssh/ssh_host_ed25519_key.pub +sed -i '/HostKey\ \/etc\/ssh\/ssh_host_ed25519_key/a HostCertificate\ \/etc\/ssh\/ssh_host_ed25519_key-cert.pub' + ## ensure root login is allowed with keys only sed -i 's/.*\(PermitRootLogin\).*/\1 prohibit-password/' /etc/ssh/sshd_config ## disable password authentication
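Review bot: The new `sed -i '/HostKey\ \/etc\/ssh\/ssh_host_ed25519_key/a HostCertificate\ ...'` line has no file operand, so GNU sed exits with "no input files" and the HostCertificate directive never reaches sshd_config; append ` /etc/ssh/sshd_config` as the userca sed above it does. The hostca note pulled from Bitwarden is the CA signing key (it is passed to `ssh-keygen -s`), yet `tee` echoes it to stdout and creates `/etc/ssh/${HOSTCA_KEY}` under the default umask, and the key stays on the host after signing, so a compromise of any provisioned machine yields the host CA for every machine it vouches for. Write it with `umask 077` and a plain redirect, quote the `$(hostname …)` substitutions (an empty `hostname -d` currently yields an identity of `host@`), and remove the key once the certificate is issued. The `bw get notes` pipeline is also unchecked, so an expired session would produce an empty key file and a failing ssh-keygen; whether `set -e -o pipefail` is in effect is not visible in this hunk.
```shell
# hostca self sign
( umask 077; bw get notes "${HOSTCA_KEY}" > "/etc/ssh/${HOSTCA_KEY}" ) || exit 1
ssh-keygen -s "/etc/ssh/${HOSTCA_KEY}" -h \
  -I "$(hostname -s)@$(hostname -d)" -n "$(hostname -f),$(hostname -s)" \
  -V +52w /etc/ssh/ssh_host_ed25519_key.pub || exit 1
rm -f -- "/etc/ssh/${HOSTCA_KEY}"   # signing key is not needed on the host once the cert exists
sed -i '/HostKey\ \/etc\/ssh\/ssh_host_ed25519_key/a HostCertificate\ \/etc\/ssh\/ssh_host_ed25519_key-cert.pub' /etc/ssh/sshd_config
# … unchanged: PermitRootLogin / PasswordAuthentication sed lines …
```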