70 lines
2.1 KiB
YAML
70 lines
2.1 KiB
YAML
|
---
|
||
|
version: '3'
|
||
|
|
||
|
tasks:
|
||
|
generate:
|
||
|
vars:
|
||
|
SSH_CIPHER: '{{if .SSH_CIPHER}}{{.SSH_CIPHER}}{{else}}ed25519{{end}}'
|
||
|
SSH_EMAIL_COMMENT:
|
||
|
sh: echo "{{if .SSH_EMAIL}}{{.SSH_EMAIL}}{{else}}$(jq -r '.YUBI_EMAIL' .yubi.json){{end}}"
|
||
|
SSH_KEY_CATEGORY: '{{if .SSH_KEY_CATEGORY}}{{.SSH_KEY_CATEGORY}}{{else}}ssh{{end}}'
|
||
|
cmds:
|
||
|
- mkdir -p "$HOME/.ssh"
|
||
|
- ssh-keygen -t {{.SSH_CIPHER}} -C "{{.SSH_EMAIL_COMMENT}} ({{.SSH_CIPHER}} - {{.SSH_KEY_CATEGORY}})"
|
||
|
-f "$HOME/.ssh/id_gpg_{{.SSH_CIPHER}}_{{.SSH_KEY_CATEGORY}}" -q -P ""{{if (eq .SSH_CIPHER "rsa")}} -b 4096{{end}}
|
||
|
|
||
|
yubikey:
|
||
|
summary: |
|
||
|
Generates default SSH keys that are intended to be made part of
|
||
|
the keys stored in the ~/.gnupg folder using the `gpg-agent`.
|
||
|
cmds:
|
||
|
- task: generate
|
||
|
vars:
|
||
|
SSH_CIPHER: ed25519
|
||
|
SSH_KEY_CATEGORY: alt_auto
|
||
|
- task: generate
|
||
|
vars:
|
||
|
SSH_CIPHER: rsa
|
||
|
SSH_KEY_CATEGORY: alt_auto
|
||
|
- task: generate
|
||
|
vars:
|
||
|
SSH_CIPHER: ed25519
|
||
|
SSH_KEY_CATEGORY: auto
|
||
|
- task: generate
|
||
|
vars:
|
||
|
SSH_CIPHER: rsa
|
||
|
SSH_KEY_CATEGORY: auto
|
||
|
- task: generate
|
||
|
vars:
|
||
|
SSH_CIPHER: ed25519
|
||
|
SSH_KEY_CATEGORY: local
|
||
|
- task: generate
|
||
|
vars:
|
||
|
SSH_CIPHER: rsa
|
||
|
SSH_KEY_CATEGORY: local
|
||
|
- task: generate
|
||
|
vars:
|
||
|
SSH_CIPHER: ed25519
|
||
|
SSH_KEY_CATEGORY: private
|
||
|
- task: generate
|
||
|
vars:
|
||
|
SSH_CIPHER: rsa
|
||
|
SSH_KEY_CATEGORY: private
|
||
|
- task: generate
|
||
|
vars:
|
||
|
SSH_CIPHER: ed25519
|
||
|
SSH_KEY_CATEGORY: web
|
||
|
- task: generate
|
||
|
vars:
|
||
|
SSH_CIPHER: rsa
|
||
|
SSH_KEY_CATEGORY: web
|
||
|
status:
|
||
|
- '[ -n "$YUBIKEY_BACKUP" ]'
|
||
|
|
||
|
yubikey:resident:
|
||
|
notes:
|
||
|
- https://catbaba.com/ssh-authentication-with-a-yubikey-fido2-hardware-token-easy-portable-touch-free/
|
||
|
- -O no-touch-required for no touch required auth
|
||
|
cmds:
|
||
|
- ssh-keygen -t ed25519 -O resident -O verify-required -C "{{.FILL_ME_IN}}"
|