Add tang

2024-12-30 20:27:51 +01:00 · 2024-12-30 20:27:51 +01:00 · 96998d9df7
commit 96998d9df7
parent 6bd1666a08
11 changed files with 36 additions and 15 deletions
--- a/common/etc/ssh/sshd_config
+++ b/common/etc/ssh/sshd_config
@ -7,6 +7,5 @@ KexAlgorithms sntrup761x25519-sha512@openssh.com
 MACs hmac-sha2-512-etm@openssh.com
 PubkeyAcceptedKeyTypes sk-ssh-ed25519@openssh.com,ssh-ed25519
 Ciphers chacha20-poly1305@openssh.com
-AllowUsers root
 Subsystem sftp internal-sftp
 Include /usr/etc/ssh/sshd_config.d/40-ssh-key-dir.conf
--- a/container-config/borgmatic/sandbox.yaml
+++ b/container-config/borgmatic/sandbox.yaml
@ -1 +1,2 @@
-remote_path: borg
+exclude_patterns:
+  - /run/host/var/home
--- a/ignition/home-gw.bu
+++ b/ignition/home-gw.bu
@ -1,5 +1,5 @@
 variant: fcos
-version: 1.5.0
+version: 1.6.0
 storage:
  files:
    - path: /etc/sysctl.d/ignition.conf
@ -29,5 +29,5 @@ passwd:
  users:
    - name: root
      ssh_authorized_keys:
-        - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHSZEZAdsx64pSt+2uSHU25K6m3peo2nt2oQJW3jm6i6AAAABHNzaDo= mathieu@yubikey
-        - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIH33pRp93TOK5OyidgYVYtWBNKawKFzUilOA7Nb2NWzAAAABHNzaDo= mathieu@yubikey-c
+        - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHSZEZAdsx64pSt+2uSHU25K6m3peo2nt2oQJW3jm6i6AAAABHNzaDo= mathieu@yubikey"
+        - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIH33pRp93TOK5OyidgYVYtWBNKawKFzUilOA7Nb2NWzAAAABHNzaDo= mathieu@yubikey-c"
--- a/ignition/home.bu
+++ b/ignition/home.bu
@ -1,12 +1,14 @@
 variant: fcos
-version: 1.5.0
+version: 1.6.0
 boot_device:
  luks:
-    tpm2: true
+    tang:
+      - url: "http://infra.server.home.arpa:8080"
+        thumbprint: "MKYiehPjYLcEz6o1yKCYLaugJDBtDMSzSgtNAWutSZs"
    discard: true
 passwd:
  users:
    - name: root
      ssh_authorized_keys:
-        - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHSZEZAdsx64pSt+2uSHU25K6m3peo2nt2oQJW3jm6i6AAAABHNzaDo= mathieu@yubikey
-        - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIH33pRp93TOK5OyidgYVYtWBNKawKFzUilOA7Nb2NWzAAAABHNzaDo= mathieu@yubikey-c
+        - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHSZEZAdsx64pSt+2uSHU25K6m3peo2nt2oQJW3jm6i6AAAABHNzaDo= mathieu@yubikey"
+        - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIH33pRp93TOK5OyidgYVYtWBNKawKFzUilOA7Nb2NWzAAAABHNzaDo= mathieu@yubikey-c"
--- a/ignition/infra.bu
+++ b/ignition/infra.bu
@ -0,0 +1,12 @@
+variant: fcos
+version: 1.6.0
+boot_device:
+  luks:
+    tpm2: true
+    discard: true
+passwd:
+  users:
+    - name: root
+      ssh_authorized_keys:
+        - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHSZEZAdsx64pSt+2uSHU25K6m3peo2nt2oQJW3jm6i6AAAABHNzaDo= mathieu@yubikey"
+        - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIH33pRp93TOK5OyidgYVYtWBNKawKFzUilOA7Nb2NWzAAAABHNzaDo= mathieu@yubikey-c"
--- a/ignition/vps.bu
+++ b/ignition/vps.bu
@ -1,8 +1,8 @@
 variant: fcos
-version: 1.5.0
+version: 1.6.0
 passwd:
  users:
    - name: root
      ssh_authorized_keys:
-        - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHSZEZAdsx64pSt+2uSHU25K6m3peo2nt2oQJW3jm6i6AAAABHNzaDo= mathieu@yubikey
-        - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIH33pRp93TOK5OyidgYVYtWBNKawKFzUilOA7Nb2NWzAAAABHNzaDo= mathieu@yubikey-c
+        - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHSZEZAdsx64pSt+2uSHU25K6m3peo2nt2oQJW3jm6i6AAAABHNzaDo= mathieu@yubikey"
+        - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIH33pRp93TOK5OyidgYVYtWBNKawKFzUilOA7Nb2NWzAAAABHNzaDo= mathieu@yubikey-c"
--- a/infra/etc/config.d/90-infra.toml
+++ b/infra/etc/config.d/90-infra.toml
@ -0,0 +1,2 @@
+[updates]
+enabled = false
--- a/infra/etc/containers/systemd/tang.container
+++ b/infra/etc/containers/systemd/tang.container
@ -0,0 +1,7 @@
+[Container]
+Image=docker.io/padhihomelab/tang
+Volume=systemd-tang:/db:U,Z
+PublishPort=8080:8080
+AutoUpdate=registry
+[Install]
+WantedBy=multi-user.target
--- a/qubes/etc/qubes/policy.d/30-user.policy
+++ b/qubes/etc/qubes/policy.d/30-user.policy
@ -10,7 +10,6 @@ qubes.ClipboardPaste * @anyvm sys-whonix deny
 qubes.ClipboardPaste * @anyvm system-config deny
 qubes.ClipboardPaste * @anyvm dev deny
 qubes.ClipboardPaste * @anyvm vault deny
-qubes.ClipboardPaste * @anyvm ssh deny
 qubes.ClipboardPaste * @anyvm @anyvm ask
 qubes.OpenInVM * @anyvm @dispvm allow
 qubes.OpenInVM * @anyvm @anyvm deny
@ -29,4 +28,3 @@ qubes.Filecopy * @anyvm sys-whonix deny
 qubes.Filecopy * @anyvm system-config deny
 qubes.Filecopy * @anyvm dev deny
 qubes.Filecopy * @anyvm vault deny
-qubes.Filecopy * @anyvm ssh deny
--- a/setup-qubes-fedora.sh
+++ b/setup-qubes-fedora.sh
@ -9,4 +9,4 @@ dnf install --allowerasing bash-color-prompt bash-completion borgbackup bind-uti
 dnf remove cheese evolution-data-server firefox gnome-software gnome-weather PackageKit-command-not-found rpmfusion-nonfree-release thunderbird totem
 sh setup-desktop.sh
 all_proxy=127.0.0.1:8082 flatpak remote-add --if-not-exists flathub /usr/lib/fedora-third-party/conf.d/fedora-flathub.flatpakrepo
-all_proxy=127.0.0.1:8082 flatpak install com.github.tchx84.Flatseal im.riot.Riot io.mpv.Mpv org.chromium.Chromium org.freedesktop.Platform.ffmpeg-full/x86_64/23.08 org.libreoffice.LibreOffice org.mozilla.firefox
+all_proxy=127.0.0.1:8082 flatpak install com.github.tchx84.Flatseal com.github.xournalpp.xournalpp com.moonlight_stream.Moonlight com.yubico.yubioath im.riot.Riot io.mpv.Mpv org.chromium.Chromium org.freedesktop.Platform.ffmpeg-full/x86_64/23.08 org.gimp.GIMP org.gnome.Evolution org.libreoffice.LibreOffice org.mozilla.firefox
--- a/sync-changes.sh
+++ b/sync-changes.sh