Merge pull request #316 from naturallaw777/copilot/fix-legacy-ssh-key-handling

Repair legacy factory SSH keys when Hub passphrase changes
Sovran Systems
2026-06-24 17:25:57 -05:00
committed by GitHub
+37 -4
@@ -31,7 +31,7 @@ lib.mkIf userExists {
}; };
systemd.services.factory-ssh-keygen = { systemd.services.factory-ssh-keygen = {
description = "Generate factory SSH key for ${userName} if missing"; description = "Generate or repair factory SSH key for ${userName}";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "ssh-passphrase-setup.service" ]; after = [ "ssh-passphrase-setup.service" ];
requires = [ "ssh-passphrase-setup.service" ]; requires = [ "ssh-passphrase-setup.service" ];
@@ -39,14 +39,47 @@ lib.mkIf userExists {
Type = "oneshot"; Type = "oneshot";
RemainAfterExit = true; RemainAfterExit = true;
}; };
path = [ pkgs.openssh pkgs.coreutils ]; path = [ pkgs.openssh pkgs.coreutils pkgs.util-linux ];
script = '' script = ''
if [ ! -f "${keyPath}" ]; then set -eu
PASSPHRASE=$(cat /var/lib/secrets/ssh-passphrase)
PASSPHRASE=$(cat /var/lib/secrets/ssh-passphrase)
lock_file="${keyPath}.lock"
exec 9>"$lock_file"
if ! flock -n 9; then
echo "Factory SSH key setup is already running." >&2
exit 1
fi
generate_factory_key() {
ssh-keygen -q -N "$PASSPHRASE" -t ed25519 -f "${keyPath}" ssh-keygen -q -N "$PASSPHRASE" -t ed25519 -f "${keyPath}"
chown ${userName}:users "${keyPath}" "${keyPath}.pub" chown ${userName}:users "${keyPath}" "${keyPath}.pub"
chmod 600 "${keyPath}" chmod 600 "${keyPath}"
chmod 644 "${keyPath}.pub" chmod 644 "${keyPath}.pub"
}
if [ ! -f "${keyPath}" ]; then
generate_factory_key
elif ! ssh-keygen -y -P "$PASSPHRASE" -f "${keyPath}" >/dev/null 2>&1; then
backup_suffix="$(date -u +%Y%m%d_%H%M%S)-$$"
backup_path="${keyPath}.bak-$backup_suffix"
backup_index=0
while [ -e "$backup_path" ] || [ -e "$backup_path.pub" ]; do
backup_index=$((backup_index + 1))
backup_path="${keyPath}.bak-$backup_suffix-$backup_index"
done
echo "Existing factory SSH key does not match current passphrase; backing it up to $backup_path and generating a replacement."
mv "${keyPath}" "$backup_path"
if [ -f "${keyPath}.pub" ]; then
mv "${keyPath}.pub" "$backup_path.pub"
fi
generate_factory_key
fi fi
''; '';
}; };
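Review bot: `lock_file="${keyPath}.lock"` followed by `exec 9>"$lock_file"` creates the lock next to the key, and since the script chowns the key to `${userName}` it presumably runs as root inside a directory that user can write to, which makes a root process opening a user-controlled path for writing a link-following hazard (CWE-59). Keep the lock under a root-only directory, e.g. `lock_file="/run/lock/factory-ssh-keygen-${userName}.lock"`, which also avoids leaving a stray `.lock` file beside the key. The new `ssh-keygen -y -P "$PASSPHRASE"` check, like the pre-existing `-N "$PASSPHRASE"`, puts the passphrase in the process argument list where it is briefly visible to other local users; the commit extends that pattern rather than introducing it, so a short comment acknowledging the exposure would help the next maintainer. Whether the key directory is user-writable is not visible in the hunk, and the enclosing Nix attribute set (`lib.mkIf userExists {`) starts outside it.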