replace predefined ssh keys with generated ones

2023-03-31 21:41:12 +02:00 · 2023-03-31 21:41:12 +02:00 · 28298d3ce6
commit 28298d3ce6
parent 8d3e913a8c
3 changed files with 105 additions and 6 deletions
--- a/bundles/backup-client/items.py
+++ b/bundles/backup-client/items.py
@ -33,14 +33,17 @@ else:
    backup_target = repo.get_node(node.metadata.get('backup-client/target'))

    files['/etc/backup.priv'] = {
-        'content': repo.vault.decrypt_file(join('backup', 'keys', f'{node.name}.key.vault')),
+        'content': repo.libs.ssh.generate_ed25519_private_key(
+            node.metadata.get('backup-client/user-name'),
+            backup_target,
+        ),
        'mode': '0400',
    }

    files['/usr/local/bin/generate-backup'] = {
        'content_type': 'mako',
        'context': {
-            'username': node.metadata['backup-client']['user-name'],
+            'username': node.metadata.get('backup-client/user-name'),
            'server': backup_target.metadata.get('backup-server/my_hostname'),
            'port': backup_target.metadata.get('backup-server/my_ssh_port'),
            'paths': backup_paths,
--- a/bundles/backup-server/items.py
+++ b/bundles/backup-server/items.py
@ -27,9 +27,6 @@ directories['/etc/backup-server/clients'] = {
 sudoers = {}

 for nodename, config in node.metadata.get('backup-server/clients', {}).items():
-    with open(join(repo.path, 'data', 'backup', 'keys', f'{nodename}.pub'), 'r') as f:
-        pubkey = f.read().strip()
-
    sudoers[config['user']] = nodename

    users[config['user']] = {
@ -41,7 +38,10 @@ for nodename, config in node.metadata.get('backup-server/clients', {}).items():
    }

    files[f'/srv/backups/{nodename}/.ssh/authorized_keys'] = {
-        'content': pubkey,
+        'content': repo.libs.ssh.generate_ed25519_public_key(
+            config['user'],
+            node,
+        ),
        'owner': config['user'],
        'mode': '0400',
        'needs': {