home-lab/scripts/setup-ssh-keys.sh
Geir Okkenhaug Jerstad 77e6b9a501 feat: Implement two-key SSH management strategy
- Add modules/security/ssh-keys.nix for centralized SSH key management
- Generate role-specific SSH keys with geir@geokkjer.eu email:
  - Admin key (geir@geokkjer.eu-admin) for sma user server access
  - Development key (geir@geokkjer.eu-dev) for geir user and git services
- Update SSH client config with role-based host patterns
- Configure users/geir.nix and users/sma.nix with appropriate key access
- Add SSH key setup to both machine configurations
- Create scripts/setup-ssh-keys.sh for key generation automation
- Update plan.md with completed SSH security implementation

Security benefits:
- Principle of least privilege (separate admin vs dev access)
- Limited blast radius if keys are compromised
- Clear usage patterns: ssh admin-sleeper vs ssh geir@sleeper-service.home
- Maintains compatibility with existing services during transition
2025-06-05 16:25:33 +02:00

89 lines
2.6 KiB
Bash
Executable file

#!/usr/bin/env bash
# SSH Key Generation Script - Two-Key Strategy
# Generates admin and development SSH keys
set -euo pipefail

SSH_DIR="$HOME/.ssh"
HOSTNAME="$(hostname)"
EMAIL_BASE="geir@geokkjer.eu"

echo "🔑 Setting up SSH keys for $HOSTNAME"
echo "📧 Using email base: $EMAIL_BASE"

# Create SSH directory if it doesn't exist (private to the user)
mkdir -p "$SSH_DIR"
chmod 700 "$SSH_DIR"

# Backup existing key if it exists; the public half may be missing, so copy it only when present
if [[ -f "$SSH_DIR/id_ed25519" ]]; then
    echo "💾 Backing up existing key to id_ed25519.backup"
    cp "$SSH_DIR/id_ed25519" "$SSH_DIR/id_ed25519.backup"
    if [[ -f "$SSH_DIR/id_ed25519.pub" ]]; then
        cp "$SSH_DIR/id_ed25519.pub" "$SSH_DIR/id_ed25519.pub.backup"
    fi
fi

echo ""
echo "🔐 Generating two SSH keys:"
echo " 1. Admin key (for sma user, server administration)"
echo " 2. Development key (for geir user, git, daily use)"
echo ""

# Generate admin key
# -N "" creates the key without a passphrase so the run is unattended; the private key
# is then protected only by the 600 file mode set below.
ADMIN_KEY="$SSH_DIR/id_ed25519_admin"
if [[ ! -f "$ADMIN_KEY" ]]; then
    echo "🔐 Generating admin key..."
    ssh-keygen -t ed25519 -f "$ADMIN_KEY" -C "$EMAIL_BASE-admin" -N ""
    chmod 600 "$ADMIN_KEY"
    chmod 644 "$ADMIN_KEY.pub"
    echo "✅ Generated: $ADMIN_KEY"
else
    echo "⏭️ Admin key already exists"
fi

# Generate development key (same passphrase and permission handling as the admin key)
DEV_KEY="$SSH_DIR/id_ed25519_dev"
if [[ ! -f "$DEV_KEY" ]]; then
    echo "🔐 Generating development key..."
    ssh-keygen -t ed25519 -f "$DEV_KEY" -C "$EMAIL_BASE-dev" -N ""
    chmod 600 "$DEV_KEY"
    chmod 644 "$DEV_KEY.pub"
    echo "✅ Generated: $DEV_KEY"
else
    echo "⏭️ Development key already exists"
fi

echo ""
echo "🎯 Next steps:"
echo "1. Add these public keys to your NixOS configuration:"
echo "2. Deploy updated configuration to target servers"
echo "3. Test SSH access with both keys"
echo "4. Update external Git services with new development key"
echo ""

# Print the public keys quoted, ready to paste into the Nix module
echo "📋 Public keys to add to NixOS configuration:"
echo ""
if [[ -f "$ADMIN_KEY.pub" ]]; then
    echo "# Admin key (add to security.ssh-keys.admin in modules/security/ssh-keys.nix)"
    echo "\"$(cat "$ADMIN_KEY.pub")\""
    echo ""
fi
if [[ -f "$DEV_KEY.pub" ]]; then
    echo "# Development key (add to security.ssh-keys.development in modules/security/ssh-keys.nix)"
    echo "\"$(cat "$DEV_KEY.pub")\""
    echo ""
fi

echo "💡 Usage examples:"
echo " ssh geir@sleeper-service.home # Uses dev key automatically"
echo " ssh admin-sleeper # Uses admin key for sma user"
echo " git clone git@github.com:user/repo # Uses dev key for git"
echo ""
echo "🔄 To update your Git remotes with the new key:"
echo " # Add new key to GitHub/GitLab first, then:"
echo " ssh -T git@github.com # Test the connection"
echo ""
echo "✅ SSH key setup complete!"
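The commit message says the SSH client config was updated with role-based host patterns, and the script's usage lines rely on that config (`ssh admin-sleeper` picking the admin key, `ssh geir@sleeper-service.home` picking the dev key), but the config itself is not on this page. The following is an added example, not code from the home-lab repository: a script that renders and installs such a client config and lets `ssh -G` confirm which key each alias resolves to. The alias `admin-sleeper`, the users `geir` and `sma`, the hostname `sleeper-service.home` and the key file names come from the page; the `github.com`/`gitlab.com` host entry and the `BEGIN`/`END` marker lines are assumptions. The line that actually enforces the two-key separation is `IdentitiesOnly yes`: without it, ssh also offers every key loaded in ssh-agent, so the admin key could be presented to a git host and the dev key to the server, which is the blast-radius limit the commit message aims for.

```shell
#!/usr/bin/env bash
# Added example (not part of the repository): role-based ~/.ssh/config for the two-key strategy.
# Assumed: alias admin-sleeper, users geir/sma, host sleeper-service.home, key paths from setup-ssh-keys.sh;
# the git host list and the marker comments are this example's own choices.
set -euo pipefail

# Print the client config block for the given key directory.
render_ssh_config() {
    local ssh_dir="${1:-$HOME/.ssh}"
    cat <<EOF
# Admin access: sma user on the server, admin key only
Host admin-sleeper
    HostName sleeper-service.home
    User sma
    IdentityFile ${ssh_dir}/id_ed25519_admin
    IdentitiesOnly yes

# Daily use: geir user on the server, dev key only
Host sleeper-service.home
    User geir
    IdentityFile ${ssh_dir}/id_ed25519_dev
    IdentitiesOnly yes

# Git services (assumed host list): dev key only, never the admin key
Host github.com gitlab.com
    User git
    IdentityFile ${ssh_dir}/id_ed25519_dev
    IdentitiesOnly yes
EOF
}

# Append the block to a config file once, between markers, so re-running is safe.
# Prints "already installed" and changes nothing on a second run.
install_ssh_config() {
    local config="$1" ssh_dir="$2"
    if [[ -f "$config" ]] && grep -q '^# BEGIN two-key strategy' "$config"; then
        echo "already installed"
        return 0
    fi
    {
        echo '# BEGIN two-key strategy'
        render_ssh_config "$ssh_dir"
        echo '# END two-key strategy'
    } >>"$config"
    chmod 600 "$config"
}

# Ask ssh which identity file it would use for a host alias, without connecting:
# -G prints the effective configuration, -F points at the config under test.
resolve_identity() {
    local config="$1" host="$2"
    ssh -G -F "$config" "$host" 2>/dev/null | awk '$1 == "identityfile" {print $2}' || true
}

main() {
    local tmp
    tmp="$(mktemp -d)"
    install_ssh_config "$tmp/config" "$tmp"
    install_ssh_config "$tmp/config" "$tmp" # second call is a no-op
    if command -v ssh >/dev/null 2>&1; then
        echo "admin-sleeper -> $(resolve_identity "$tmp/config" admin-sleeper)"
        echo "sleeper-service.home -> $(resolve_identity "$tmp/config" sleeper-service.home)"
        echo "github.com -> $(resolve_identity "$tmp/config" github.com)"
    fi
}

main "$@"
```

Run it as-is to see the resolution against a throwaway config in a temporary directory; to install for real, call `install_ssh_config "$HOME/.ssh/config" "$HOME/.ssh"` instead. `ssh -G` is the check worth keeping around: after any config change it shows, per alias, exactly one `identityfile` line when `IdentitiesOnly yes` is in effect, which is the property the two-key design depends on.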