---
version: '3'

tasks:
  generate:
    vars:
      SSH_CIPHER: '{{if .SSH_CIPHER}}{{.SSH_CIPHER}}{{else}}ed25519{{end}}'
      SSH_EMAIL_COMMENT:
        sh: echo "{{if .SSH_EMAIL}}{{.SSH_EMAIL}}{{else}}$(jq -r '.YUBI_EMAIL' .yubi.json){{end}}"
      SSH_KEY_CATEGORY: '{{if .SSH_KEY_CATEGORY}}{{.SSH_KEY_CATEGORY}}{{else}}ssh{{end}}'
    cmds:
      - mkdir -p "$HOME/.ssh"
      - ssh-keygen -t {{.SSH_CIPHER}} -C "{{.SSH_EMAIL_COMMENT}} ({{.SSH_CIPHER}} - {{.SSH_KEY_CATEGORY}})" -f "$HOME/.ssh/id_gpg_{{.SSH_CIPHER}}_{{.SSH_KEY_CATEGORY}}" -q -P ""{{if (eq .SSH_CIPHER "rsa")}} -b 4096{{end}}

  yubikey:
    summary: |
      Generates default SSH keys that are intended to be made part of the keys
      stored in the ~/.gnupg folder using the `gpg-agent`.
    cmds:
      - task: generate
        vars:
          SSH_CIPHER: ed25519
          SSH_KEY_CATEGORY: alt_auto
      - task: generate
        vars:
          SSH_CIPHER: rsa
          SSH_KEY_CATEGORY: alt_auto
      - task: generate
        vars:
          SSH_CIPHER: ed25519
          SSH_KEY_CATEGORY: auto
      - task: generate
        vars:
          SSH_CIPHER: rsa
          SSH_KEY_CATEGORY: auto
      - task: generate
        vars:
          SSH_CIPHER: ed25519
          SSH_KEY_CATEGORY: local
      - task: generate
        vars:
          SSH_CIPHER: rsa
          SSH_KEY_CATEGORY: local
      - task: generate
        vars:
          SSH_CIPHER: ed25519
          SSH_KEY_CATEGORY: private
      - task: generate
        vars:
          SSH_CIPHER: rsa
          SSH_KEY_CATEGORY: private
      - task: generate
        vars:
          SSH_CIPHER: ed25519
          SSH_KEY_CATEGORY: web
      - task: generate
        vars:
          SSH_CIPHER: rsa
          SSH_KEY_CATEGORY: web
    status:
      - '[ -n "$YUBIKEY_BACKUP" ]'

  yubikey:resident:
    notes:
      - https://catbaba.com/ssh-authentication-with-a-yubikey-fido2-hardware-token-easy-portable-touch-free/
      - -O no-touch-required for no touch required auth
    cmds:
      - ssh-keygen -t ed25519 -O resident -O verify-required -C "{{.FILL_ME_IN}}"