From 96998d9df7b0393d9a297f40dd397a49aeb52fc2 Mon Sep 17 00:00:00 2001
From: Mathieu Strypsteen
Date: Mon, 30 Dec 2024 20:27:51 +0100
Subject: [PATCH] Add tang
---
 common/etc/ssh/sshd_config | 1 -
 container-config/borgmatic/sandbox.yaml | 3 ++-
 ignition/home-gw.bu | 6 +++---
 ignition/home.bu | 10 ++++++----
 ignition/infra.bu | 12 ++++++++++++
 ignition/vps.bu | 6 +++---
 infra/etc/config.d/90-infra.toml | 2 ++
 infra/etc/containers/systemd/tang.container | 7 +++++++
 qubes/etc/qubes/policy.d/30-user.policy | 2 --
 setup-qubes-fedora.sh | 2 +-
 sync-changes.sh | 0
 11 files changed, 36 insertions(+), 15 deletions(-)
 create mode 100644 ignition/infra.bu
 create mode 100644 infra/etc/config.d/90-infra.toml
 create mode 100644 infra/etc/containers/systemd/tang.container
 mode change 100644 => 100755 sync-changes.sh
diff --git a/common/etc/ssh/sshd_config b/common/etc/ssh/sshd_config
index 578dca2..f8e277a 100644
--- a/common/etc/ssh/sshd_config
+++ b/common/etc/ssh/sshd_config
@@ -7,6 +7,5 @@ KexAlgorithms sntrup761x25519-sha512@openssh.com
 MACs hmac-sha2-512-etm@openssh.com
 PubkeyAcceptedKeyTypes sk-ssh-ed25519@openssh.com,ssh-ed25519
 Ciphers chacha20-poly1305@openssh.com
-AllowUsers root
 Subsystem sftp internal-sftp
 Include /usr/etc/ssh/sshd_config.d/40-ssh-key-dir.conf
diff --git a/container-config/borgmatic/sandbox.yaml b/container-config/borgmatic/sandbox.yaml
index 969ce58..8226b70 100644
--- a/container-config/borgmatic/sandbox.yaml
+++ b/container-config/borgmatic/sandbox.yaml
@@ -1 +1,2 @@
-remote_path: borg
+exclude_patterns:
+ - /run/host/var/home
diff --git a/ignition/home-gw.bu b/ignition/home-gw.bu
index 62ec30d..40ddbdf 100644
--- a/ignition/home-gw.bu
+++ b/ignition/home-gw.bu
@@ -1,5 +1,5 @@
 variant: fcos
-version: 1.5.0
+version: 1.6.0
 storage:
 files:
 - path: /etc/sysctl.d/ignition.conf
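Review bot: Dropping `AllowUsers root` removes the only account allowlist in this sshd_config, so sshd will now accept any local account that happens to have an authorized key, instead of only root. The Butane files in this same patch only provision keys for root, so this is likely harmless today, but the restriction costs nothing and protects against a future account gaining a key by accident. If the intent is to admit one more account, extend the list rather than delete it, e.g. `AllowUsers root <other-user>`, and mention the reason in the commit message since the subject (Add tang) does not cover it.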
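Review bot: Removing `remote_path: borg` is a behaviour change unrelated to the exclude pattern this hunk adds and to the commit subject; borgmatic will fall back to its default remote borg binary path, which may not match what the backup target expects. If the removal is intentional, state it in the commit message or land it separately; if not, keep the line above `exclude_patterns:`. The nesting of `- /run/host/var/home` under `exclude_patterns:` cannot be verified from the collapsed text here, so confirm the list item is indented under the key.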
@@ -29,5 +29,5 @@ passwd:
 users:
 - name: root
 ssh_authorized_keys:
- - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHSZEZAdsx64pSt+2uSHU25K6m3peo2nt2oQJW3jm6i6AAAABHNzaDo= mathieu@yubikey
- - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIH33pRp93TOK5OyidgYVYtWBNKawKFzUilOA7Nb2NWzAAAABHNzaDo= mathieu@yubikey-c
+ - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHSZEZAdsx64pSt+2uSHU25K6m3peo2nt2oQJW3jm6i6AAAABHNzaDo= mathieu@yubikey"
+ - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIH33pRp93TOK5OyidgYVYtWBNKawKFzUilOA7Nb2NWzAAAABHNzaDo= mathieu@yubikey-c"
diff --git a/ignition/home.bu b/ignition/home.bu
index 5fcaaff..28f9be8 100644
--- a/ignition/home.bu
+++ b/ignition/home.bu
@@ -1,12 +1,14 @@
 variant: fcos
-version: 1.5.0
+version: 1.6.0
 boot_device:
 luks:
- tpm2: true
+ tang:
+ - url: "http://infra.server.home.arpa:8080"
+ thumbprint: "MKYiehPjYLcEz6o1yKCYLaugJDBtDMSzSgtNAWutSZs"
 discard: true
 passwd:
 users:
 - name: root
 ssh_authorized_keys:
- - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHSZEZAdsx64pSt+2uSHU25K6m3peo2nt2oQJW3jm6i6AAAABHNzaDo= mathieu@yubikey
- - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIH33pRp93TOK5OyidgYVYtWBNKawKFzUilOA7Nb2NWzAAAABHNzaDo= mathieu@yubikey-c
+ - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHSZEZAdsx64pSt+2uSHU25K6m3peo2nt2oQJW3jm6i6AAAABHNzaDo= mathieu@yubikey"
+ - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIH33pRp93TOK5OyidgYVYtWBNKawKFzUilOA7Nb2NWzAAAABHNzaDo= mathieu@yubikey-c"
diff --git a/ignition/infra.bu b/ignition/infra.bu
new file mode 100644
index 0000000..df73290
--- /dev/null
+++ b/ignition/infra.bu
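Review bot: Replacing `tpm2: true` with a single tang pin in `ignition/home.bu` changes what protects the root volume: it now unlocks for anyone holding the disk who can reach `http://infra.server.home.arpa:8080`, and the binding to this particular machine's TPM is gone rather than supplemented. If the intent is to require both, keep `tpm2: true` under `luks:` next to `tang:` and add `threshold: 2`; with the default threshold of 1 either pin alone is sufficient. Pinning the `thumbprint` is correct and should stay. Note that `ignition/infra.bu` in this same patch unlocks the tang host with only a TPM2 pin and `90-infra.toml` disables its updates, so booting `home` now depends on that host being up and resolvable from the initramfs; a short comment above `tang:` recording that dependency would help the next reader.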
@@ -0,0 +1,12 @@
+variant: fcos
+version: 1.6.0
+boot_device:
+ luks:
+ tpm2: true
+ discard: true
+passwd:
+ users:
+ - name: root
+ ssh_authorized_keys:
+ - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHSZEZAdsx64pSt+2uSHU25K6m3peo2nt2oQJW3jm6i6AAAABHNzaDo= mathieu@yubikey"
+ - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIH33pRp93TOK5OyidgYVYtWBNKawKFzUilOA7Nb2NWzAAAABHNzaDo= mathieu@yubikey-c"
diff --git a/ignition/vps.bu b/ignition/vps.bu
index 173a22b..6ccb688 100644
--- a/ignition/vps.bu
+++ b/ignition/vps.bu
@@ -1,8 +1,8 @@
 variant: fcos
-version: 1.5.0
+version: 1.6.0
 passwd:
 users:
 - name: root
 ssh_authorized_keys:
- - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHSZEZAdsx64pSt+2uSHU25K6m3peo2nt2oQJW3jm6i6AAAABHNzaDo= mathieu@yubikey
- - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIH33pRp93TOK5OyidgYVYtWBNKawKFzUilOA7Nb2NWzAAAABHNzaDo= mathieu@yubikey-c
+ - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHSZEZAdsx64pSt+2uSHU25K6m3peo2nt2oQJW3jm6i6AAAABHNzaDo= mathieu@yubikey"
+ - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIH33pRp93TOK5OyidgYVYtWBNKawKFzUilOA7Nb2NWzAAAABHNzaDo= mathieu@yubikey-c"
diff --git a/infra/etc/config.d/90-infra.toml b/infra/etc/config.d/90-infra.toml
new file mode 100644
index 0000000..96c0d44
--- /dev/null
+++ b/infra/etc/config.d/90-infra.toml
@@ -0,0 +1,2 @@
+[updates]
+enabled = false
diff --git a/infra/etc/containers/systemd/tang.container b/infra/etc/containers/systemd/tang.container
new file mode 100644
index 0000000..9484165
--- /dev/null
+++ b/infra/etc/containers/systemd/tang.container
@@ -0,0 +1,7 @@
+[Container]
+Image=docker.io/padhihomelab/tang
+Volume=systemd-tang:/db:U,Z
+PublishPort=8080:8080
+AutoUpdate=registry
+[Install]
+WantedBy=multi-user.target
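Review bot: `enabled = false` switches off automatic OS updates entirely on the host that serves the disk-unlock keys for `home`, so security fixes for `infra` now only arrive when someone applies them by hand. If the motivation is to avoid unscheduled reboots of a host that other machines need at boot, Zincati's `strategy = "periodic"` with a maintenance window keeps updates flowing at a chosen time instead of never. If manual-only is really the intent, a comment above `[updates]` saying why, and how updates are expected to be applied, would spare the next reader the guess.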
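Review bot: `Image=docker.io/padhihomelab/tang` is an unpinned community tag and `AutoUpdate=registry` will pull and run whatever that tag points to in future, yet this container holds the key material that unlocks the root volume of `home`. Pin the image by digest, e.g. `Image=docker.io/padhihomelab/tang@sha256:<digest-placeholder>`, and drop `AutoUpdate=registry` in favour of deliberate digest bumps, or at minimum pin a versioned tag so a registry-side change cannot silently replace the key server. `PublishPort=8080:8080` binds on every host interface; if only the LAN needs it, `PublishPort=<lan-address>:8080:8080` narrows the exposure. The `systemd-tang` named volume is the only copy of the tang keys declared anywhere in this patch and `home.bu` declares no other unlock method, so a comment noting where that volume is backed up would help.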
diff --git a/qubes/etc/qubes/policy.d/30-user.policy b/qubes/etc/qubes/policy.d/30-user.policy
index f169018..e1c50f9 100644
--- a/qubes/etc/qubes/policy.d/30-user.policy
+++ b/qubes/etc/qubes/policy.d/30-user.policy
@@ -10,7 +10,6 @@ qubes.ClipboardPaste * @anyvm sys-whonix deny
 qubes.ClipboardPaste * @anyvm system-config deny
 qubes.ClipboardPaste * @anyvm dev deny
 qubes.ClipboardPaste * @anyvm vault deny
-qubes.ClipboardPaste * @anyvm ssh deny
 qubes.ClipboardPaste * @anyvm @anyvm ask
 qubes.OpenInVM * @anyvm @dispvm allow
 qubes.OpenInVM * @anyvm @anyvm deny
@@ -29,4 +28,3 @@ qubes.Filecopy * @anyvm sys-whonix deny
 qubes.Filecopy * @anyvm system-config deny
 qubes.Filecopy * @anyvm dev deny
 qubes.Filecopy * @anyvm vault deny
-qubes.Filecopy * @anyvm ssh deny
diff --git a/setup-qubes-fedora.sh b/setup-qubes-fedora.sh
index 022d718..b3aca19 100644
--- a/setup-qubes-fedora.sh
+++ b/setup-qubes-fedora.sh
@@ -9,4 +9,4 @@ dnf install --allowerasing bash-color-prompt bash-completion borgbackup bind-uti
 dnf remove cheese evolution-data-server firefox gnome-software gnome-weather PackageKit-command-not-found rpmfusion-nonfree-release thunderbird totem
 sh setup-desktop.sh
 all_proxy=127.0.0.1:8082 flatpak remote-add --if-not-exists flathub /usr/lib/fedora-third-party/conf.d/fedora-flathub.flatpakrepo
-all_proxy=127.0.0.1:8082 flatpak install com.github.tchx84.Flatseal im.riot.Riot io.mpv.Mpv org.chromium.Chromium org.freedesktop.Platform.ffmpeg-full/x86_64/23.08 org.libreoffice.LibreOffice org.mozilla.firefox
+all_proxy=127.0.0.1:8082 flatpak install com.github.tchx84.Flatseal com.github.xournalpp.xournalpp com.moonlight_stream.Moonlight com.yubico.yubioath im.riot.Riot io.mpv.Mpv org.chromium.Chromium org.freedesktop.Platform.ffmpeg-full/x86_64/23.08 org.gimp.GIMP org.gnome.Evolution org.libreoffice.LibreOffice org.mozilla.firefox
diff --git a/sync-changes.sh b/sync-changes.sh
old mode 100644
new mode 100755
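Review bot: Removing `qubes.ClipboardPaste * @anyvm ssh deny` (and, in the second hunk of this file, `qubes.Filecopy * @anyvm ssh deny`) means the `ssh` qube now falls through to the generic `qubes.ClipboardPaste * @anyvm @anyvm ask` rule, and for Filecopy to whatever default follows below this hunk, instead of being hard-denied. That is fine if the `ssh` qube no longer exists, but nothing in this patch removes it and the subject says only "Add tang"; if the qube is still in use, both deny lines should stay. Either way the reason for loosening the policy belongs in the commit message.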