diff --git a/secrets/ca/keys/intermediate_ca_key b/secrets/ca/keys/intermediate_ca_key index aea53e6..3e20331 100644 --- a/secrets/ca/keys/intermediate_ca_key +++ b/secrets/ca/keys/intermediate_ca_key @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:S/dDpfZyvnGJ3mbDWS5rQZN1EwIQCQuj2WxKnMFirP/tYTsZTROte3KBE/k+7gwzDr6vayawbJr87zWv2ZV7iXiFZ6UK2wPD5Kj1HTY6D+0QtYrJ4Er0MrrFoxEAj+HRVhdXWwTchoC8Hio+8QOKFWW7mgyxh67UDRQJjAYaPoQ2ol19Zg/k5PSZZN9Qn+Bn9Hd5Hq0b2UBPXIWRbQ7u0JeyQXHY6dAzDoruhhrBcZIbX/PRghdAvIPQUo5LbCn5VrmnunktJnTgt9Dtv67ihTa1iBPdUjpkEV/FhDlDPrWAztBurv3IoZZ4hjAYbc/WeFlOkai83th7ggIJ3Njjrvh2JKdg6GDAerOUVtxmt2SECYZcih0ouNecRl/4UYlCi1QsBFJecJDcHh1zWDNiBGIBywkhfY7NUPBoWlfhBRL58JGsnPFthRT7lqF1MIuM2/q1dgCRaVJUsJ0c0WLbpFNUaLIE/TuaI33yVNlmV0yokCa/Q2fKHmkWCN9GkxkIDVxaB2KGusM8op5fDPaTr4kbnGklu+dqha1dZDfVw+GuFzUf5et/oOHZtpCUUwUk6O6IiwDyd6VRjxSYpyrBaNXrStsaUy0uIybCf/whUFiZ/cDuI72i8RGa4Ix/2zDcmdK77bMU3/dTFMh70gWXtHshrCsb043gmZzmkWlXYhPmFnPDX9AATRoEb5/ajfnUskajHN718MW/e5eYwRxBYDwjPCx8aQYr0f5UkNoBbgujsf3n/RsGYMxB7OZlFImnB+SN9hyqN1WsAykL693EqlXtK8+xrcWBnAVuiN3yxGFL1Gz4XlcBJiLjKWVkshuoqr/XdFuDXDs9eEHSpKg4lEOU4vP7hLMl/DhM1ncd/wENnrE0jxgNkX6HqbOQEaiJU6cBs+2M48UzEWDc/+AQpGBpOrd2gzo3o2behW4BQWzhyOZym2DxP+y97mQ8FUxfHW6BFeKTmohQb0wukPw5/ReJNysU+SLmMd8vuGGBHZeY6AMz9zMXE/v1p0+Y1lvCdelAGI1EA72wl7DmtlCCRMnXYdxMfAsH55tuD9+W4dDut67se5Oig3lDYrL/+ubtK8F4iFz7EcJdmIsykeLfK+PbNjPPd24ul0aJPKWgXKNtAtD0QJOuv/b3C/ie3D1hgjajv+X19midWyJGVDvYL/et3ZyypTYH7Q1yqyX6+cH//jZAtmCm5gUNpsFgTZJVzZ94P4iRl6WCgt9D7u8omNA7ov1qbawMxmLlSGq4QcPQXS3giXQItX1CGzJUDoh1v2g+8CWVOfejWerF/qawkNHPaO1Tq5OpDIqha3AGNRGXgqiJfCqD6wo84QKnOjS8Dt1VYaf0gZZmr0XhLfF7bkMxC/M/SmCdJV9Z1XDMMA9aVKVC5GPVJIyx56TZKD4VoliMrVS3u71lMit9XG4v/bqN07hmGJq+An2oBGGqDPJgzysqHvZ1ugmmNwSTAi3Sp5MiOGAx9veagzTnx1W5djb0G+KaSO6UFpgL1NAGHDTztCEPbFcgjHAG0SB+vWfV2go8IM4MLlRsDj1yZMIlvV1b6qAJPfbI070HjIDOfK+J5O7RedsMQlEAHFVSbJ4cX9/OmHs+4pfmu8ToaRkGWQzclyjajqX9p8AT4fHq7upaL3F8Vxry7rCDDlcyIFBL2bv/LAA7N3SgUjljUjf+miIgTy/VyK10HqW2eNlsxWmYXWptpymkqE4kIpCI+g0kPbslbqLFIFeY/7uRBqaoO+brFfXO2CYdfTbbCi16obG0Lov9ucntrfp8opbmZOgefOy9iB+z7Pw48n0PkfDkpXBxdwtFpEz5se/d8EYnZOSUfGqO47KRXeA9SGluCg7e9Z1wiXLjo5JHYqlliscmlVedeRpNevpnWx/z5sV1z7/4WtV7PEjuw5bhE6m/O6LaHtYX7kY8XjvRrr1pfcpTd/knFLK2ClFdGZvnYFdQCKEEqTINO+1x3C8CDF0c0YIPXUiWNubZMNSOJ+uZu7bnhacJMOAowylUwA2nQZn5dkVjw1Zf25pPzvzBA5m+6bTd32+kAd2KeGQqbmXfQN+Iez7tC/DZJ0Yi1lvoUntG7dqA+soIx8I1GjPlCiEtxUao7RR0dwOobmq9gGvu70qmSgnSV9Z+SA5ZnCuBIWjLA0WMuOxwUpv6gKzvNqyPYhAmks7Z4lUAreAvMcuvBmAd4/RhXZkJ6fQWc/eHTkdXLAzfppvl2cNhkfOcOsZaBD70mcISeYK6j2Ug88Bs4eybFUNXs50NpwOab5FsZJfzQEVh5tVzuE2tSGIZphy0DSARWJEzX8DIfFaSqd8gSeoy+Q6MgtzZSKg9VauuEZ92bezMoEYeMSGn7lZbiGgtM3S0oGel9lzCP6L00u+CpEDKm+toGtDGDKKCdMVETyRIA9/gktvszwVDmPmO01tiemyCS67hzN3MmcwzcT2POxxmhFqprA0GPyCK4yzo+xNJxD1riShRbeaVIb80gjyzoaEC02OXTuTbp+LpBeZ+JuLQapF+V9VwTz2qedsyA1ZU9L/qybfNjPmodzSZnARS9UJw6EecdMVjumAKnONqv5IJ7TFdIyNd5oT1X1mD3AP2ujQpYiTdnbpTukQZr6BMnmLPEH3ySg40y/pl04VmdqSKGMUI69qdlkDsD+K/jUYyQ3BqyVev9ZJEsbZSHh0oBpYEcYWlo+ugxhlig1Ou+J5a/J7R1/6yQlnKtjI1WNxI4uSUib/78GXPCA==,iv:VHGFl9flRW4qYxEzqVmRKLDVTeZNEeW6E2OnqB3rB3g=,tag:8PnIUH9vOlbJINDPU+pulw==,type:str]", + "data": "ENC[AES256_GCM,data:TgGIuklFPUSCBosD86NFnkAtRvYijQNQP4vvTkKu3dRAOjdDa2li5djZDUS4NEEPEihpOcMXqHBb+ABk3LmoU5nLmsKCeylUp7+DhcGi9f3xw2h1zbHV37mt40OVLTF3cYufRdydIkCGQA3td3q1ue/wCna2ewe73xwGg5j6ZVJCZAtW4VCNZM+rcG+YxPUC0gmBH59+O0VSrZrkvSnifbr+K0dGwg4i17KwAukI4Ac7YMkQoeuAPXq38+ZftlRx4tq9xBUko6wpPY9zOaFzeagWYMF0n1UYqDt+/3XZI/mukPhJc9tzbWneqgkQBOx3OiDwrNglCHvEpnb+bZePIRLOnNHd1ShETgBqhsHGp9OAwwbAt4tO+HFpCQtVz7s2LWQFLbWiN0SCGzYUkFGCgoXae5H58lxFav8=,iv:UzaWlJ+M+VQx3CcPSGbFZh5/rGbKpS2Rq2XVZAIDFiQ=,tag:F3waoAMuEKTvN2xANReSww==,type:str]", "sops": { "kms": null, "gcp_kms": null, @@ -8,15 +8,15 @@ "age": [ { "recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUMUhCOUVVTVpTUk1Pdkly\nK0pINEdVaEo1NFF1YnFPT1l5RE5JcTZieTNjClNxL2laTUdMU1M3bjc5OFE3ZVh4\nN1cwUmlpbXhiM2tlak5ZN1ZxV1FjMjQKLS0tIDA4UmlrSStGKzVsVFlZL2g0cnQr\nWWh4Z1lRRWtJR0Rudmhobjh0bWxuaHcKbGpnkqhKtjCjhtjKi5wl+0tFCEt//FkP\nfLBTUimlLTTINh/29fhd/5P+lgwKXCYTG7GZVY5zLVlhy9eR9fkS8w==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpRGZSVHRSMGlyazAwQU5j\nd1o1L0Y1ckhQMkh4MVZiRmZlR2ozcmdsUW1vCk4xZ1ZibDBrUWZhYmxVVjBUczRn\nYlJtUWF3Y1lHWG56NkhmK2JOUHVGajQKLS0tIDN2S2doQURpTis2U3lWV0NxdWEz\ncjNZaEl1dEQwOXhsNE9xbHhYUzNTV3cKVmVIe05JwgXKSku7AJmrujYXrbBSbpBJ\nnqCuDIhok1w/fiff+XXn8udbgPVq5bC2SOhHbtVxImgBCFzrj5hQ0A==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIYityQThnWGF3REpUSjhR\nbGMzaTkxaTVwVFJoZlFyUitYMTZFVnc1ZUQ0Cmh3bzdhcitWMXF3Z2t6SjF2Rzlk\nK0xvMGsxa0RBdzV0TzBUM0FMMlozeW8KLS0tIDdOb0JYNEVuT3hEakpIYmRpQlBO\nbFM5b0RDbEhDYTlFNG4wMnZqM2hIcWMKrpZjbcjJ5PE52/5CoYBsDUngYEOVvrAB\nQ1BI/fgs4U6YHApUbLGJT2GGy+JXvBKc8bqc8YxLFhONqT3RKzCHJg==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4V3NaUEdvMmJvakQ0L1F0\nUnkvQ2F5dEVlZ2pMdlBZcjJac0tERnF5ZWljCmFrdU1NZ29jMkJ1a1ZLdURmVWI0\ncm1vNytFVzZjbVY2aVd2N3laMWNRNFEKLS0tIGgzOTFZY0lxc0JyVmd5cFBlNkRr\nVDBWc0t4c3pVV3RhSTB1UUVpNHd6NUkKNn6Sxb5oxP7iWqTF1+X9nOiYum3U+Rzk\nkryxVnf9EvQIVIFKDaTb+yAEO8otjqj+C4mHA9fannnNEJduOiPWOg==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2024-10-21T09:28:49Z", - "mac": "ENC[AES256_GCM,data:0YA9KHUFsh3zERG8kbr8TbklTib9aOdrzdlk5aPZ8UyFkbmP0HKk+lXPQ3RwRVbhMmK3VhGU0IxA0J/QUw7SQu22zSBkl1DF5PzqoKkNgt9T5hZJI2HqWRE3/38/5AU6L5mX7ul28Y47L3lcgr4PNLxlg5qyvxUKoM9riw474I0=,iv:G40/HLd1ftXclEcX8FMQjoce91o83dA2KWeO6VaIqLQ=,tag:7KU2Rz89AiggOuumKNfSjg==,type:str]", + "lastmodified": "2024-11-30T13:18:08Z", + "mac": "ENC[AES256_GCM,data:9R9RJzPMr9Bv8aeCDxhExTfbr+R2hjap6FGSk5QxBdbNpOcNS78ica0CLEmkAYVAfjmx/X2jC5ZnsAueSPUK7nAgNX2gJXbUTpY0F+oKt35GJziLrFLl3u/ahpF9lQ50EL9OqqgS+igDqtodJhKme5DXH5/GXQHhz++O3VZkR78=,iv:XgN3PiowiEosi2DmrjP82HhJMvnwaV530tsBE8GQfjs=,tag:U243BrtH7H/DU9LcjN/MMg==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.1" diff --git a/secrets/ca/keys/root_ca_key b/secrets/ca/keys/root_ca_key index 81a3fa6..2a95f17 100644 --- a/secrets/ca/keys/root_ca_key +++ b/secrets/ca/keys/root_ca_key @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:OTpEO78zXv66cH1oKwqmFzNPnnkTH3I66J3emqzYEFtii7EJ3d9POquapJhSRWGZs3kvQevFbMTsdtIvWrrwGNcbmBlSLeNOKrOWjXix1uemsBsA4tt79L7dms9tFMXm7nBqy71wo0MsYjzXEYBTy7n91IIKwkg4o+n9MCQivDXVN3rAy8o25HjuS8fSJRRTuQ92Nnc7WjIbPQbyqHPBlp7hxO9xC6/JdOWZ3Zo/X6AyZuzcoF6Nd5A08hImPtbNZ1/MiBurdLSqGkYx9m5KsGmFKinRqWwYWnsQidXl+2xQcqCZNvdCNMe1OwybAxAEiQDksCTpYOQISIzCsXoT3Wfr4ZpZAlLCzw+ga7nnvF2CPiUeRWXyB655vg0vXgqUHYIaN3l1A1P8OWHRDz/tPd7pWbwAj4BZvDY=,iv:oI+1jK2+4vCW67PbM9VxoViBqUOh9BYP8xZHCaAJloQ=,tag:QX/nFv4NB4ERCP5zB8Mqdw==,type:str]", + "data": "ENC[AES256_GCM,data:5AePh5uXcUseYBGWvlztgmg8mGBGy3ngKRa6+QxOaT0/fzSB1pKkaMtZJo76tV9wwjdL6/b6VVUI7GIaCBD5kgdZuA8RdBTXguHyjjdxAlI9xcrQaWWdATd8JJt+eQp/m2Y+0dioyXKaDV2ukI3GtHYjp/ixMoHHWEocnEEb40wG6c3CZcvsLWJvKTkFc2OvcjcU2RTfuNlYtEETidiD9iC/dtCakNQHmLP1UFYgcn0ebXBKmlqD6+x2o7BVT1SLwVCyGNvH3eKA2AWvddZChnhaNCUIXcRwBFCgS8lPs4iXhAhly+nwuj7ssFpuu3sjm5pq196tRS8WQl2iNUEJ2tzoOpceg1kZZ7KHX3wCbdBlCRqhy9Q4JMvWPDssO+zz2aU21+BDEySDTCnTYX9Hu2/iFvZejt++mKY=,iv:u/Ukye0BAj2ka++AA72W8WfXJAZZ/YJ3RC/aydxdoUc=,tag:ihTP5bCCigWEPcLFaYOhMA==,type:str]", "sops": { "kms": null, "gcp_kms": null, @@ -8,15 +8,15 @@ "age": [ { "recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZVHE5aUNjS3F5VFYzMW1j\nbGJkK0VPRmJ2Nk1HSnNXUk1rK0tzaHMzcFZBCjRzTkVZT3hsakRsTHJPSXpGNHdw\nODNTWGhNZWhhdHplYUpBVFp4eE0zLzAKLS0tIGJ4RDkyZ1hTYTBnUHlxRWR6bEpZ\najBvNjdsK3NieEhoVkZkL3ZJWWRxK2MKKKmoz+U/TIAeE1nJop0FtxoOfAR2iP/Y\n5cdTsbXUgDSVginxJbnDaEM9v+OYJXO6ugQNBnkAaHbWn4ADnA8UCA==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VElDNHArZXlXa2JRQjd0\nQmVIbGpPWk43NDdiTkFtcEd1bDhRdXJWOUY0CndITHdKTFNJQXFOVFdyUGNtQ09k\nN2hnQmFYR0ZORWtxcUN0ZFhsM0U3N2cKLS0tIFh1TTBpMjFIZ2NYM1QxeDRjYlJx\nYkdrUDZmMUpGbjk3REJCVVRpeFk5Z28KJcia0Bk+3ZoifZnRLwqAko526ODPnkSS\nzymtOj/QYTA0++NP3B1aScIyhWITMEZX1iSoWDmgHj8ZQoNMdkM7AQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEdW1ZQkxUaFdtekR5eGh5\nYWdTbWVtemtteFIwNlZVVSthZElnZUp4QjN3ClFsOW9rZVhZckZ5MWdiTjNQbFN4\nNHZaSVEvR085b093dlM3SHl6c01yVWcKLS0tIE10L3lZZDVkQ2I5TEduYkU3V21a\nZ0k5cTcvYmdJMU5QUDV3QWtuYkRUWHcKNgfl9S2V7kuobwgc0mMR+O/quq06y+5q\ncipmOM7DIkyFDq5Cl0e//MZywoOfBTsYlCncA6Hb4hW+Y2Tn+/C4tA==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNlNHRWNEcUZGNXNBMDFR\nTzE5RnNMQUMvU1k2OS9XMlpvUktMRzQ5RmxvCnlCS3lzRVpGUHJLRGZ6SWZ2ZktR\na3l0TVN2NUlRVEQwRHByYkNEMDQyWUkKLS0tIEh3RjBWT3c5K2RWeDRjWFpsU1lP\ncStqY2xta3RSNkR6Vkt5YXhYUTZmbDgKvVKmZc8S/RwurJGsGiJ5LhM4waLO9B9k\n2cawxHmcYM3KfXDFwp9UZWhIwF7SRkG56ZE4OjGI3sOL+74ixnePxA==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2024-10-21T09:28:49Z", - "mac": "ENC[AES256_GCM,data:UAJ61bLXP9j7/uyppVMvvRLhO12XQXhCLEtfqdeOi7STUqTaCu1NsbNxf+ErA5eVn2DjGMJuyNvxamD1rxzc+VjELOit1pY9Wg4f15nRyryTt9r+iUrYttcwvUXq2knw8bDtJOqz/nYvg4R1qyXwjdSHLrKn6LmKsO0KwTB1nAQ=,iv:jHSYSYfuow0cM8ECzbQ2jM4J3Q5MQTBQ80u/eglfU9g=,tag:tQxMsKppD8xOcGKcBFXm2Q==,type:str]", + "lastmodified": "2024-11-30T13:18:16Z", + "mac": "ENC[AES256_GCM,data:JwjbQ129cYCBNA5Fb8lN9rW7/y4wuVOqLeajIMcYyCzlBcjzCZAV1DKN5n75xMamb/hb1AUkmtp/K82PKM0Vg5X4/lpWTUZXZOzn/TrwHx+yqlJjL9mUdGuHnSY5DwME38Dde3UxdtUa0CVgQOxvMIycW27w8+8NNfO2zxGxkzc=,iv:ZMZASOsqXZOb0NkBqG3GGaqqKgQdjZLiku2yU5QonB8=,tag:/lb/HMxsYOV5XX/5kWnFHA==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.1" diff --git a/secrets/ca/keys/ssh_host_ca_key b/secrets/ca/keys/ssh_host_ca_key index abab10e..607cf59 100644 --- a/secrets/ca/keys/ssh_host_ca_key +++ b/secrets/ca/keys/ssh_host_ca_key @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:1ntjhGcHOtOcYBsEskgm/pBmQh2xVu0owTmPgfIzKimrSGS3XG0YUGztakb1jW3IgjRs1hssQpJKxkabSuPVNg4q1Nw7tX3aEfH2K6f2xnV3a7bp8yS30O9+7gDMB6wcTodMfou3Ypm3l2v6YXtVbh/4Gq/7FNUlHxa2wPux4pqoDyMjV1zjJT1exFl1JkUPzzT+02gGSEFacC47I7t85XfPxmn1hdpvpUlGA9CMHrQqTXf4moxePMyLK1oAgXtGLGXpQXl/RWiqNQMEmmBXfynjby6ojq/+psgGgbt89BI5Gi7tb131WXeg/xQSZeGkfbjWyl6/fy60GGPJ004VY0RKN8pB6/duggwWZPa/oEN1V8/DVNcTaq2YKrD4GBoPqeDegnRgMubeyb+talqegEr9AHAhdLtEKio=,iv:eb1VwHeESCREOv4lftxMIDjSFxCiagm0HRzzCURDgMw=,tag:6YhDt3kR+rs+fE14W5Sk5A==,type:str]", + "data": "ENC[AES256_GCM,data:vqQ3HwSmuDlI4UwraLWvwkBSj9zTFeNEWI1xzhVrO/gpx8+WBZOt2F0J7/LSTGAWsWW/9Gov+XXXAOtfnKfjYVzizyT/jE8EQwMuItWiFEVA6hohgwtsk7YKJjXdJIxmiv+WKs73gWb0uFVGh1ArMzsVkGPj1W1AKMFAneDPgsfSCy9aVOMuF8zQwypFC8eaxqOQhLpiN2ncRm8e7khwGurSgYfHDgFghaDr8torgUrZTOPNFk+LEdxB3WcC17+4a8ZyuBapmYdRTrP73czTAuxOF8lMwddJhO99SF7nWuOYVF1FOKLGtK04oKci5/xRIzvWo3I0pGajkxtuF5CyWbd1KblcPfBALIU/J5hU/puGJ7M2sE/qsg/4kaTFxnhq32rPZj291jFb4evDdOhVodfC1axOQUbzAC0=,iv:yOeQ384ikqgDqfthl7GIVSIMNA/n0BYTSIqFN3T9MAY=,tag:Y6nhOCrkWx7MnVpEeKN0Jg==,type:str]", "sops": { "kms": null, "gcp_kms": null, @@ -8,15 +8,15 @@ "age": [ { "recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoYzB4UGJwZmFmdXEzT0Vy\nV2ZkMzk5UXd4S1RKeUJmNTNGbHhvUnkzY3cwCkNMQS83dTFQaWJ5YzIwYXZNM0FB\ncTBLWVlWMXJNSlRjRUhDSEV1NFRLQ3MKLS0tIGlkRlZYZ0R6dXJORVBpMkpWWE1l\nWlprQ3kwcXkzMUdVWXpidmgxby9wRVEK3ItRAZMfAtOzjN5r7GHU8KT1upW+xvIA\nqXxIXZBdkkxKOJWQXn5i/xC8YoNek4fdqGeWUGOF9FguU5Zj2tO+ZA==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTjRMWlNtYVQ2WnJEaGFN\nVFU2TXRTK2FHREpqREhOWHBKemxNc2U4WW44CnV4OWlBdXlFUWhJYi9jTTRuUWJV\nOWFPV2I4UytDRFo3blN3bUtFQ1NGU0kKLS0tIGp2VHlDc1JMMUdDUjlNNDFwUUxj\nVnhHbCtrNVNpZXo0K2dDVU5YTVJJUEkKk9mVTbzQVGZo3RKDLPDwtENknh+in1Q5\njf4DA1cGDDNzcEIWOOYyS+1mzT9WY8gU0hWqihX/bAx7CVsNUallZw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZ2JPWmIxSXg4YnNwMnNw\nMUJSTWlHWDFoNU9ZcmdPb0VBUHQ3SU5qcENnCmhRWkhKWUwxeEh2VDZxUFdrMExa\nWTdLVVV5NHJMTE51ZEhPRHdaSTRTRkEKLS0tIHJ1Z0NibWQ5SitUekhKOXVGd3FH\nQ3dKNE16bnJNczhtRHBCcUxNajZRUWcKhnvYPFTkw73QPs7qDA7C3cX8RPF68sTk\n2MQORHyqN1jyBUVtvezeejL89Mdw1wghh0Q+VXW9b1ozXkFsH7IcXg==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVFNwUGpkOUhkUXFWWERq\nMVdueC9VSE9KbGZkenBVK3NRMjRNVXVmcVRRCjNLa0QzbWVCQks3ZmV3eFVjcEp0\nRmxDSlZIZU1IbEdnbE83WlkxV3VZV1EKLS0tICtsRXArajQ4Um9mNEV5OWZBdS85\nVGFSU2wwODZ3Zm44M3pWcTdDV1dxejQKM2BK5Axb1cF344ea89gkzCLzEX6j4amK\nzxf+boBK7JUX7F6QaPB0sRU8J4Cei9mALz96C8xNHjX00KcD3O2QOA==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2024-10-21T09:28:49Z", - "mac": "ENC[AES256_GCM,data:xB5qV2aFpvTJxCbOgTaaErBez+pkSz1KEWw0c+NoglcjPkGNx+0MuoSjeuPJ0KiHcS/gol2vo+mmVEEcDSVa/S/ksI/sIqcWoQeZ+XNBcffF+5UPfsyRFBNRJwWsg88ERVwgYjKauCV5MZBvJYf/uL3uUa8chHZNFF+f3QVq464=,iv:R0Gh5SITWXGphccBfI+DbNdnBeC98qDforE1Ffb805M=,tag:L2jqUwSlv1ngPiMQith9Mw==,type:str]", + "lastmodified": "2024-11-30T13:18:20Z", + "mac": "ENC[AES256_GCM,data:AllgcWxHnr3igPi/JbfJCbEa6hKtmILnAjiaMojRZNO4p6zYSoF0s8lo9XX05/vIrFUo+YaCtsuacv+kfz9f6vQafPn7Vulbh6PeH1VlAmzyVfJOTmHP3YX8ic3uM56A4+III1jOERCFOIcc/CKsnRLFhLCRQRMgtgT0hTl5aPw=,iv:60dOYhoUTu1HIHzY36eJeRZ66/v6JmRRpIW99W2D+CI=,tag:F7nLSFm933K5M+JE4IvNYw==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.1" diff --git a/secrets/ca/keys/ssh_user_ca_key b/secrets/ca/keys/ssh_user_ca_key index 964919a..e33bff2 100644 --- a/secrets/ca/keys/ssh_user_ca_key +++ b/secrets/ca/keys/ssh_user_ca_key @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:v+ugz+pjgkY2IqW+wNM09Z7OYJoxaPxPwf/THyt+Q3N1SswU6Q3AhzqGoIeMAa+8tIRMdQ++HBsnDtCPZYHV0vNQ7GWE1w1jQ7FHa7hXaWLnqfuKbr5x5bnPzDZYxCt41a8A0fxbrN1ysBE1cMgbHe1tnBWKl1D4tay5RtMoua+vYxS1gwzZSIHY3Tq7GJkyBuJqOZA2oyDgZ9ETTwXwNaDZx35uxi9XbEBHdwIscWGFW50s1NXKavgdmeEEWyOlnIlBm4yhjnLIBW3HjSPWBsCp36+m1VUq/TwK+AH0q3sqovVFXwjduRI59RnJoZ6gMJHYFpXHUfnKZbkC8GVzczUGyLSPD9xhxrSYxGjT1T0pbQsXCls6TugVNOVsRMIN5P05uEo5URBlMkIZisnzqdgBw3gR/roboi4=,iv:NV9jvDY5teQaACPn84G/izLd4CXkZNPGGNRQG3xvw2Q=,tag:qCV+lsrYAgDbi2nMx3HmGg==,type:str]", + "data": "ENC[AES256_GCM,data:YRdPrTLQH0xdWiIzOyjfEGpvfmuj6me6GzZZcauh9bUUywyA1ranDnWqbJYgawQQxIXsq9dhXD0uco+7mmXq2598kF1NI9jh6uLf3k0H494zZOalRBv/k8u9oJDLIiVAkg9eNNLbGX0PMZr/Yue/qdkuXx2Hg9E7bQJwpU/NXF+jKKs+3NmKT5NBlegwAzUs530D4DUoaq5AhvVvdC6a1UcE+KJzQ8pRiz1GjFIxAB7qX+GVwa3yNdLgo2tlAbOzjGtaDfJnhZIHSNEq+4TEhjlF9lCmFCGFDUVupvMOWs0kBywJEzIrDmxmvGHlPj3FfyytPb7qhlsOXDDDS67IoiwluKOnw+sALAG0Iv9LMrDZ3z8MXeEGvRWu0VDMuGXN905/9kGx/A40mPjcfnZvI+qSRIKjER5R8aU=,iv:qiP2Ml59AnK24MBbs7N/HqJIylf+fXGqJAo2N8iFNB0=,tag:0Dj5fVs6OB07kvV4qzuvfw==,type:str]", "sops": { "kms": null, "gcp_kms": null, @@ -8,15 +8,15 @@ "age": [ { "recipient": "age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQNExxOGViUUMwaGpjYld0\ncUdTVnA0QmlPT2kxNjRjbmw0SFhyS284ajJrCnFGK2ZqR2JpTEYwdHdPZ245SkV1\nSjVzMFMvbWNma0RnbTd3ZEpTd0F2THcKLS0tICtITFJGNmhjbStMc29XaDV0dElm\nRTN2QkJhamw4RHo5bXgzSHd5TDNLUFkKJtO9aMmFE43hxRsSa0lnqGo8FVzKxysJ\nOgJMTIftSU7bEvsEok+HlBgX1kyj8v9rgzXLwTrGk42+kVw4Fm2Xkw==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBUFlvNmRNYUlJSHZYUkpJ\nMEloQXFSdENIWGJVVDNIOVY5MS9SYWRoL0FrCnRJc05wZUZBSDRvMHNUUEhNRXQ4\nTWhYOUp6YUNGZFNWUFRrSmlJM1c4aWcKLS0tIFc1b3NlSEo2eFJhdDgwejRqcHlT\nZE5wN01uaE04cTlIbVJMVWQvQ1pXajgKQ1n6UmP7LEBsnIBXVc0BceOqvwCqQzBP\ncI8C5Io4ILgMjY4dr6sd0SeJG6mfDdiMA+k7c6jqoyZCW/Pkd3LANQ==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLenZoS0phekRTSW5aN3Jw\nZFJsNHJRSnR3dXBiMG5aQ2lyS0Y0Sm1nTEJVCjJ5cUJMSDk4NzBCdnNLd05rSnRi\nSEdnaGl1S1hKbFFwZjluUEkzUmR3MTAKLS0tIG9PMng3MFlUOE1wUXJ2S1cxRllx\nTi9nUm5nVWRXdk9hdWFCc1o2bHNObVEKrz7ROqTXaINk5LNpG4ibLqjCoPH0fzO3\nUgZp5PUC1+VPxYymqstK3kV5WorM2GVVfWcjLv2eofKdgpO90iKp/g==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtM2lyeXVzdE9nL1k5L3dC\nTkl2MjhMb1FKMFdCeXFPSmNST0pvOTRUaEVvCmdwMnhjSFFHVFhidmIySS9jMEJu\nNTJpRjdFOWpZZ3ZuZFJwZUUrRFU5NnMKLS0tIDJ1UjdVQkpMNm5Pd01JRnZNOEtr\nb1lpMlBkVHpiT2lYdWtZaUQrRW1HUDgKq/JVMf5gdu6lNEmqY6zU2SymbT+jklem\nnUQ9yieJGF+PanutNW6BCJH8jb/fH+Y6AeJ9S+kKCB4Yi75i4d+oHg==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2024-10-21T09:28:49Z", - "mac": "ENC[AES256_GCM,data:huZ3fDBV8bOtHW2eNxgTc9e5RmAIsvRhMFGwlVGbpDvftJKNy57CqMal/W0E0pqmvltaGMHGh/f8yzakpYphhbs1/Kro4u34QMu/jV6QvKEyDHtyAGYy6DzjCDRu216DV8uHpDaKoz+7zhjwlPSd60RlXUpfhis+DC8lmdktI2A=,iv:hCUwgkm6fCdWrAqszwzRBh5W7Z/0LXvl1dGiteJkkL0=,tag:0uDeZoG5TCc80Kzgl5U2TA==,type:str]", + "lastmodified": "2024-11-30T13:18:24Z", + "mac": "ENC[AES256_GCM,data:6FJTKEdIpCm+Dz7Ua8dZOMZQFaGU0oU/HRP6ly5mWbXCv81LRbZXRBd+5RDY3z9g9nb0PXZrOMNps63F6SKxK52VfzLIOap3UGeMNQn5P4/yyFj7JQHQ5Gjcf2l2z2VZ7NhUdNoSCV/6lwjValbKtids48Q5c3sFX997ZiqIUnY=,iv:nUeyJd/v8d9v7QsLLckziD9K5qjOZKK4vOQJw/ymi18=,tag:6n5EE3oklWdVcedvB2J/zA==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.1" diff --git a/services/ca/ca.json b/services/ca/ca.json deleted file mode 100644 index 677970c..0000000 --- a/services/ca/ca.json +++ /dev/null @@ -1,118 +0,0 @@ -{ - "root": "/var/lib/step-ca/certs/root_ca.crt", - "federatedRoots": null, - "crt": "/var/lib/step-ca/certs/intermediate_ca.crt", - "key": "/var/lib/step-ca/secrets/intermediate_ca_key", - "address": ":443", - "insecureAddress": "", - "dnsNames": [ - "10.69.13.12" - ], - "ssh": { - "hostKey": "/var/lib/step-ca/secrets/ssh_host_ca_key", - "userKey": "/var/lib/step-ca/secrets/ssh_user_ca_key" - }, - "logger": { - "format": "text" - }, - "db": { - "type": "badgerv2", - "dataSource": "/var/lib/step-ca/db", - "badgerFileLoadingMode": "" - }, - "authority": { - "provisioners": [ - { - "type": "JWK", - "name": "ca@home.2rjus.net", - "key": { - "use": "sig", - "kty": "EC", - "kid": "CIjtIe7FNhsNQe1qKGD9Rpj-lrf2ExyTYCXAOd3YDjE", - "crv": "P-256", - "alg": "ES256", - "x": "XRMX-BeobZ-R5-xb-E9YlaRjJUfd7JQxpscaF1NMgFo", - "y": "bF9xLp5-jywRD-MugMaOGbpbniPituWSLMlXRJnUUl0" - }, - "encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiY1lWOFJPb3lteXFLMWpzcS1WM1ZXQSJ9.WS8tPK-Q4gtnSsw7MhpTzYT_oi-SQx-CsRLh7KwdZnpACtd4YbcOYg.zeyDkmKRx8BIp-eB.OQ8c-KDW07gqJFtEMqHacRBkttrbJRRz0sYR47vQWDCoWhodaXsxM_Bj2pGvUrR26ij1t7irDeypnJoh6WXvUg3n_JaIUL4HgTwKSBrXZKTscXmY7YVmRMionhAb6oS9Jgus9K4QcFDHacC9_WgtGI7dnu3m0G7c-9Ur9dcDfROfyrnAByJp1rSZMzvriQr4t9bNYjDa8E8yu9zq6aAQqF0Xg_AxwiqYqesT-sdcfrxKS61appApRgPlAhW-uuzyY0wlWtsiyLaGlWM7WMfKdHsq-VqcVrI7Gi2i77vi7OqPEberqSt8D04tIri9S_sArKqWEDnBJsL07CC41IY.CqtYfbSa_wlmIsKgNj5u7g", - "claims": { - "enableSSHCA": true - } - }, - { - "type": "ACME", - "name": "acme" - }, - { - "type": "SSHPOP", - "name": "sshpop", - "claims": { - "enableSSHCA": true - } - } - ] - }, - "tls": { - "cipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" - ], - "minVersion": 1.2, - "maxVersion": 1.3, - "renegotiation": false - }, - "templates": { - "ssh": { - "user": [ - { - "name": "config.tpl", - "type": "snippet", - "template": "templates/ssh/config.tpl", - "path": "~/.ssh/config", - "comment": "#" - }, - { - "name": "step_includes.tpl", - "type": "prepend-line", - "template": "templates/ssh/step_includes.tpl", - "path": "${STEPPATH}/ssh/includes", - "comment": "#" - }, - { - "name": "step_config.tpl", - "type": "file", - "template": "templates/ssh/step_config.tpl", - "path": "ssh/config", - "comment": "#" - }, - { - "name": "known_hosts.tpl", - "type": "file", - "template": "templates/ssh/known_hosts.tpl", - "path": "ssh/known_hosts", - "comment": "#" - } - ], - "host": [ - { - "name": "sshd_config.tpl", - "type": "snippet", - "template": "templates/ssh/sshd_config.tpl", - "path": "/etc/ssh/sshd_config", - "comment": "#", - "requires": [ - "Certificate", - "Key" - ] - }, - { - "name": "ca.tpl", - "type": "snippet", - "template": "templates/ssh/ca.tpl", - "path": "/etc/ssh/ca.pub", - "comment": "#" - } - ] - } - } -} diff --git a/services/ca/default.nix b/services/ca/default.nix index f670bfe..7c61981 100644 --- a/services/ca/default.nix +++ b/services/ca/default.nix @@ -2,32 +2,157 @@ { sops.secrets."ca_root_pw" = { sopsFile = ../../secrets/ca/secrets.yaml; + owner = "step-ca"; path = "/var/lib/step-ca/secrets/ca_root_pw"; }; sops.secrets."intermediate_ca_key" = { sopsFile = ../../secrets/ca/keys/intermediate_ca_key; format = "binary"; + owner = "step-ca"; path = "/var/lib/step-ca/secrets/intermediate_ca_key"; }; sops.secrets."root_ca_key" = { sopsFile = ../../secrets/ca/keys/root_ca_key; format = "binary"; + owner = "step-ca"; path = "/var/lib/step-ca/secrets/root_ca_key"; }; sops.secrets."ssh_host_ca_key" = { sopsFile = ../../secrets/ca/keys/ssh_host_ca_key; format = "binary"; + owner = "step-ca"; path = "/var/lib/step-ca/secrets/ssh_host_ca_key"; }; sops.secrets."ssh_user_ca_key" = { sopsFile = ../../secrets/ca/keys/ssh_user_ca_key; format = "binary"; + owner = "step-ca"; path = "/var/lib/step-ca/secrets/ssh_user_ca_key"; }; - #services.step-ca = { - # enable = true; - # package = unstable.step-ca; - # settings = builtins.fromJSON ./ca.json; - #}; + services.step-ca = { + enable = true; + package = pkgs.step-ca; + intermediatePasswordFile = "/var/lib/step-ca/secrets/ca_root_pw"; + address = "0.0.0.0"; + port = 443; + settings = { + authority = { + provisioners = [ + { + claims = { + enableSSHCA = true; + }; + encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiY1lWOFJPb3lteXFLMWpzcS1WM1ZXQSJ9.WS8tPK-Q4gtnSsw7MhpTzYT_oi-SQx-CsRLh7KwdZnpACtd4YbcOYg.zeyDkmKRx8BIp-eB.OQ8c-KDW07gqJFtEMqHacRBkttrbJRRz0sYR47vQWDCoWhodaXsxM_Bj2pGvUrR26ij1t7irDeypnJoh6WXvUg3n_JaIUL4HgTwKSBrXZKTscXmY7YVmRMionhAb6oS9Jgus9K4QcFDHacC9_WgtGI7dnu3m0G7c-9Ur9dcDfROfyrnAByJp1rSZMzvriQr4t9bNYjDa8E8yu9zq6aAQqF0Xg_AxwiqYqesT-sdcfrxKS61appApRgPlAhW-uuzyY0wlWtsiyLaGlWM7WMfKdHsq-VqcVrI7Gi2i77vi7OqPEberqSt8D04tIri9S_sArKqWEDnBJsL07CC41IY.CqtYfbSa_wlmIsKgNj5u7g"; + key = { + alg = "ES256"; + crv = "P-256"; + kid = "CIjtIe7FNhsNQe1qKGD9Rpj-lrf2ExyTYCXAOd3YDjE"; + kty = "EC"; + use = "sig"; + x = "XRMX-BeobZ-R5-xb-E9YlaRjJUfd7JQxpscaF1NMgFo"; + y = "bF9xLp5-jywRD-MugMaOGbpbniPituWSLMlXRJnUUl0"; + }; + name = "ca@home.2rjus.net"; + type = "JWK"; + } + { + name = "acme"; + type = "ACME"; + } + { + claims = { + enableSSHCA = true; + }; + name = "sshpop"; + type = "SSHPOP"; + } + ]; + }; + crt = "/var/lib/step-ca/certs/intermediate_ca.crt"; + db = { + badgerFileLoadingMode = ""; + dataSource = "/var/lib/step-ca/db"; + type = "badgerv2"; + }; + dnsNames = [ + "ca.home.2rjus.net" + "10.69.13.12" + ]; + federatedRoots = null; + insecureAddress = ""; + key = "/var/lib/step-ca/secrets/intermediate_ca_key"; + logger = { + format = "text"; + }; + root = "/var/lib/step-ca/certs/root_ca.crt"; + ssh = { + hostKey = "/var/lib/step-ca/secrets/ssh_host_ca_key"; + userKey = "/var/lib/step-ca/secrets/ssh_user_ca_key"; + }; + templates = { + ssh = { + host = [ + { + comment = "#"; + name = "sshd_config.tpl"; + path = "/etc/ssh/sshd_config"; + requires = [ + "Certificate" + "Key" + ]; + template = ./templates/ssh/sshd_config.tpl; + type = "snippet"; + } + { + comment = "#"; + name = "ca.tpl"; + path = "/etc/ssh/ca.pub"; + template = ./templates/ssh/ca.tpl; + type = "snippet"; + } + ]; + user = [ + { + comment = "#"; + name = "config.tpl"; + path = "~/.ssh/config"; + template = ./templates/ssh/config.tpl; + type = "snippet"; + } + { + comment = "#"; + name = "step_includes.tpl"; + path = "\${STEPPATH}/ssh/includes"; + template = ./templates/ssh/step_includes.tpl; + type = "prepend-line"; + } + { + comment = "#"; + name = "step_config.tpl"; + path = "ssh/config"; + template = ./templates/ssh/step_config.tpl; + type = "file"; + } + { + comment = "#"; + name = "known_hosts.tpl"; + path = "ssh/known_hosts"; + template = ./templates/ssh/known_hosts.tpl; + type = "file"; + } + ]; + }; + }; + tls = { + cipherSuites = [ + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" + ]; + maxVersion = 1.3; + minVersion = 1.2; + renegotiation = false; + }; + }; + }; } diff --git a/services/ca/templates/ssh/ca.tpl b/services/ca/templates/ssh/ca.tpl new file mode 100644 index 0000000..5b459ee Binary files /dev/null and b/services/ca/templates/ssh/ca.tpl differ diff --git a/services/ca/templates/ssh/config.tpl b/services/ca/templates/ssh/config.tpl new file mode 100644 index 0000000..4b9ddf1 --- /dev/null +++ b/services/ca/templates/ssh/config.tpl @@ -0,0 +1,14 @@ +Host * +{{- if or .User.GOOS "none" | eq "windows" }} +{{- if .User.StepBasePath }} + Include "{{ .User.StepBasePath | replace "\\" "/" | trimPrefix "C:" }}/ssh/includes" +{{- else }} + Include "{{ .User.StepPath | replace "\\" "/" | trimPrefix "C:" }}/ssh/includes" +{{- end }} +{{- else }} +{{- if .User.StepBasePath }} + Include "{{.User.StepBasePath}}/ssh/includes" +{{- else }} + Include "{{.User.StepPath}}/ssh/includes" +{{- end }} +{{- end }} \ No newline at end of file diff --git a/services/ca/templates/ssh/known_hosts.tpl b/services/ca/templates/ssh/known_hosts.tpl new file mode 100644 index 0000000..5354b38 --- /dev/null +++ b/services/ca/templates/ssh/known_hosts.tpl @@ -0,0 +1,4 @@ +@cert-authority * {{.Step.SSH.HostKey.Type}} {{.Step.SSH.HostKey.Marshal | toString | b64enc}} +{{- range .Step.SSH.HostFederatedKeys}} +@cert-authority * {{.Type}} {{.Marshal | toString | b64enc}} +{{- end }} diff --git a/services/ca/templates/ssh/sshd_config.tpl b/services/ca/templates/ssh/sshd_config.tpl new file mode 100644 index 0000000..c8e4b88 --- /dev/null +++ b/services/ca/templates/ssh/sshd_config.tpl @@ -0,0 +1,4 @@ +Match all + TrustedUserCAKeys /etc/ssh/ca.pub + HostCertificate /etc/ssh/{{.User.Certificate}} + HostKey /etc/ssh/{{.User.Key}} \ No newline at end of file diff --git a/services/ca/templates/ssh/step_config.tpl b/services/ca/templates/ssh/step_config.tpl new file mode 100644 index 0000000..a0521f2 --- /dev/null +++ b/services/ca/templates/ssh/step_config.tpl @@ -0,0 +1,11 @@ +Match exec "step ssh check-host{{- if .User.Context }} --context {{ .User.Context }}{{- end }} %h" +{{- if .User.User }} + User {{.User.User}} +{{- end }} +{{- if or .User.GOOS "none" | eq "windows" }} + UserKnownHostsFile "{{.User.StepPath}}\ssh\known_hosts" + ProxyCommand C:\Windows\System32\cmd.exe /c step ssh proxycommand{{- if .User.Context }} --context {{ .User.Context }}{{- end }}{{- if .User.Provisioner }} --provisioner {{ .User.Provisioner }}{{- end }} %r %h %p +{{- else }} + UserKnownHostsFile "{{.User.StepPath}}/ssh/known_hosts" + ProxyCommand step ssh proxycommand{{- if .User.Context }} --context {{ .User.Context }}{{- end }}{{- if .User.Provisioner }} --provisioner {{ .User.Provisioner }}{{- end }} %r %h %p +{{- end }} diff --git a/services/ca/templates/ssh/step_includes.tpl b/services/ca/templates/ssh/step_includes.tpl new file mode 100644 index 0000000..5f79de6 --- /dev/null +++ b/services/ca/templates/ssh/step_includes.tpl @@ -0,0 +1 @@ +{{- if or .User.GOOS "none" | eq "windows" }}Include "{{ .User.StepPath | replace "\\" "/" | trimPrefix "C:" }}/ssh/config"{{- else }}Include "{{.User.StepPath}}/ssh/config"{{- end }} \ No newline at end of file