From 1accea28c67a65ac244aef715f0e6ca546cf1440 Mon Sep 17 00:00:00 2001 From: root Date: Sun, 28 Jun 2026 11:47:56 +0200 Subject: [PATCH] Horus-VPS SSH-Keys in shared/ssh aufnehmen. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit WireGuard-Zugang VM 101 → 10.1.1.1 dokumentiert, horus-root Set und Deploy via Sprung-Host jean@192.168.10.10 ergänzt. Co-authored-by: Cursor --- pve1/guests/vm101-ubuntu/README.md | 1 + shared/ssh/README.md | 23 +++++++++++++++-- shared/ssh/assembled/authorized_keys.all.pub | 4 +++ shared/ssh/assembled/horus-root.pub | 10 ++++++++ shared/ssh/fragments/horus-vps-root.pub | 14 +++++++++++ shared/ssh/fragments/vm101-to-horus.pub | 3 +++ shared/ssh/install-authorized-keys.sh | 26 +++++++++++++++++++- shared/ssh/rebuild-assembled.sh | 3 +++ 8 files changed, 81 insertions(+), 3 deletions(-) create mode 100644 shared/ssh/assembled/horus-root.pub create mode 100644 shared/ssh/fragments/horus-vps-root.pub create mode 100644 shared/ssh/fragments/vm101-to-horus.pub diff --git a/pve1/guests/vm101-ubuntu/README.md b/pve1/guests/vm101-ubuntu/README.md index 7a101fe..5e9ace3 100644 --- a/pve1/guests/vm101-ubuntu/README.md +++ b/pve1/guests/vm101-ubuntu/README.md @@ -7,6 +7,7 @@ | **Stacks** | `/opt/stacks/` | | **Stack-UI** | Dockge → `:5001` | | **Docker** | `iptables: false` → [docker-daemon.json](docker-daemon.json), NAT: [../../scripts/vm101-docker-nat-rules.sh](../../scripts/vm101-docker-nat-rules.sh) | +| **Horus VPS** | WireGuard `wg0` 10.1.1.5 → Horus 10.1.1.1 · SSH-Keys: [shared/ssh](../../shared/ssh/README.md#horus-vps-wireguard) | ## Netzwerk `docbr0` diff --git a/shared/ssh/README.md b/shared/ssh/README.md index c650754..9482c16 100644 --- a/shared/ssh/README.md +++ b/shared/ssh/README.md 
@@ -20,6 +20,20 @@ shared/ssh/ | [fragments/host-pve1.pub](fragments/host-pve1.pub) | root@pve1 ed25519 | | [fragments/host-pve2.pub](fragments/host-pve2.pub) | root@pve2 (Ansible / Host-SSH) | | [fragments/legacy-pve1-rsa.pub](fragments/legacy-pve1-rsa.pub) | Altes RSA auf pve1 (Kommentar „root@pve2“) | +| [fragments/horus-vps-root.pub](fragments/horus-vps-root.pub) | **Horus VPS** root@10.1.1.1 (via WireGuard) | +| [fragments/vm101-to-horus.pub](fragments/vm101-to-horus.pub) | VM 101 → Horus (Automation-Key, Referenz) | + +## Horus VPS (WireGuard) + +| | | +|---|---| +| **Hostname** | horus.jeanavril.com | +| **Öffentlich** | 207.180.222.207 (nur WG, kein SSH von außen) | +| **VPN** | VM 101 `wg0` **10.1.1.5** ↔ Horus **10.1.1.1** | +| **SSH** | `root@10.1.1.1` — nur von VM 101 (oder anderem WG-Peer) | +| **VM-Key** | `jean@DESKTOP-J08NPU2` → `jean@192.168.10.10:~/.ssh/id_ed25519` | + +Die VM nutzt die Verbindung u.a. für SSL-Zertifikate (NPM `custom_ssl/`). User **`jean`** existiert auf Horus nicht — nur **`root`**. ## Assembled Sets → Ziel @@ -28,6 +42,7 @@ shared/ssh/ | [assembled/proxmox-root.pub](assembled/proxmox-root.pub) | pve1 `192.168.10.5`, pve2 `192.168.10.4` | root | | [assembled/vm101-jean.pub](assembled/vm101-jean.pub) | VM 101 Ubuntu `192.168.10.10` | jean | | [assembled/pve2-lxc-root.pub](assembled/pve2-lxc-root.pub) | CT 101 docker, 109 media, 110 AIDEV (pve2) | root | +| [assembled/horus-root.pub](assembled/horus-root.pub) | Horus VPS `10.1.1.1` (via WG) | root | | [assembled/authorized_keys.all.pub](assembled/authorized_keys.all.pub) | Referenz — alle Keys vereint | — | ### Matrix (Ist-Zustand) 
@@ -39,7 +54,8 @@ shared/ssh/ | jean@192.168.10.10 | vm101-jean | Ansible fish-setup nutzt jean + SSH | | CT 101 (docker) | pve2-lxc-root | Ansible disk-maintenance | | CT 109 (media) | subset: admin + OJIEMRE | aktuell nur OJIEMRE — bei Bedarf volles Set | -| CT 110 (aidev) | pve2-lxc-root | **aktuell leer** — Keys fehlen für Ansible | +| CT 110 (aidev) | pve2-lxc-root | Keys vermutlich vorhanden — CT war beim Export **gestoppt**, daher nicht auslesbar | +| root@10.1.1.1 (Horus) | horus-root | Nur via WireGuard; VM-Automation-Key: J08NPU2 | ## Neuen Key hinzufügen @@ -65,6 +81,9 @@ cd /root/docu/shared/ssh ./install-authorized-keys.sh pve2-lxc-root ./install-authorized-keys.sh pve2-lxc-root --ct 101 +# Horus (von pve1/pve2 aus — springt über VM 101) +./install-authorized-keys.sh horus-root + # Vorschau ./install-authorized-keys.sh --dry-run proxmox-root ``` @@ -82,4 +101,4 @@ Symlink auf dem Host: `ln -sfn /root/docu/pve{1,2}/ansible /root/ansible` - **Nur Public Keys** ins Repo — niemals `id_*` ohne `.pub` oder `.git-credentials-*` - Zwei verschiedene `ssh-rsa … root@pve2`: aktueller Key auf pve2 vs. Legacy auf pve1 (`legacy-pve1-rsa.pub`) -- CT 110: vor Ansible-Wartung Keys deployen (`pve2-lxc-root`) +- CT muss **laufen**, damit `pct exec` Keys lesen/schreiben kann (110 war beim Export gestoppt) diff --git a/shared/ssh/assembled/authorized_keys.all.pub b/shared/ssh/assembled/authorized_keys.all.pub index 4aac2af..6cf452b 100644 --- a/shared/ssh/assembled/authorized_keys.all.pub +++ b/shared/ssh/assembled/authorized_keys.all.pub 
@@ -8,7 +8,11 @@ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCTs4xGQ9bW9eB3gfPx10Ddi7rxqnYFM+BFT7+DuUeo
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSVmBVrCmUuCgKS4L3w6jRq2Efi/28ghElDSs22Hu2G abc@bdad197f6631
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfSnbZKfHpVI9w8ogdfsA7XnYA28goelOfq+w3X02Bx jean@DESKTOP-H9797I1
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0ToemBZ+/ibr9k0LHsn2J0JuLalXw//TLmC0ydE7vr jean@DESKTOP-J08NPU2
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIBsG9CHE5dT2an9W7mjuMhVXQncgXVcvlJzScq/SKe2BAAAABHNzaDo= jean@DESKTOP-K6JF0AB
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJJvDmBpuduGeVdN92I/tr5YkfmQo5fQ4lI5ZgakRQef root@pve1
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIADkU1x7tNWVg30edAF9lU6ik5UFK1I5NScyiQNgcqvc root@docker-pve1
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHFYVCd+5vmG2L5kKsu8eBmgi4DN9Bj0N/6HBuG7WuMw root@server5
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHMi3cDD/bZfrDZad0UeYGs1vJl1e3UuDTo2zp92APhm root@server6
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICXDMnLAJlxd56f6BCJAjVFbaTDcI2lLMOQf1OWCGzaA root@pve2
 ssh-rsa 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 root@pve2
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCvZFYXzxAFFa6aDpAOE/SlhU6yDYTxcP3h1NUyZvW2z/pXg05bQ1ZclYwk3RWjBRj4LQeYqClGyiXDo3bTJFusFq+UWVoYr0OIzyEu+5o+rNavErJxXRyiCFb61sSpxwanlec4MqTTNv8SvRHmmZPUjnfHRKjbHbj4LxMZT4cu3PSYAH98ANdgYw5ufZWuCQHxKN9LvQ8K/1JQAbxOGisnovIMtYo96NBk49FWHHQ29O0A5qDMW8HU9jXfWq5GTYplRdr7pnWDJBjuAUudmtG9vcMGZep5ExA2v9nfsbji4jemntBViDwk3mKcYn5NwIWrot89CON5Qe62QRSJnja5c7fSEPs+I2ltJ3ExLWwIMrQQua+yNJlGSkjLw8y1McuSUIk1FNRxLh4S1TDJOZ4zgHwHQFn1CV3+ZCCD0IM0VNKFpOgNmdQoziHIz96dCeZaQRFXl1Cf0YfhRwhuUqI8ifhgy32GfC5HlR82KRWYFNofZymRCMWaN8jMjfZZ3K2RkiAQUfjc9iojzY0NSO9kbM8RorHXNMgNkQVozgE//baULBCAYqT0q9jHd8mdqf4cfZ+Oj/EDqlnX6YNk+AC6VGmp4LlqWZGRdM9ovXoDe9g82RPypJI8fF0Ie0ws9rOQoVEzCmG9d3EXIQXn5M6JF660QgfcUrKTwUW/mKs0eQ== root@pve2
diff --git a/shared/ssh/assembled/horus-root.pub b/shared/ssh/assembled/horus-root.pub
new file mode 100644
index 0000000..00fccf1
--- /dev/null
+++ b/shared/ssh/assembled/horus-root.pub
@@ -0,0 +1,10 @@
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEohWH3Rqh0+h5sYmi921rf3l2mZ0RXebCS8hR9pmHIiAAAABHNzaDo= jean@DESKTOP-DA5D3IG
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEGR43JnbBQNZ3U9onHM1XoFiJStBUmGTf2yr9p/haYuAAAABHNzaDo= jean@DESKTOP-2N4HRBF
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIBsG9CHE5dT2an9W7mjuMhVXQncgXVcvlJzScq/SKe2BAAAABHNzaDo= jean@DESKTOP-K6JF0AB
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0ToemBZ+/ibr9k0LHsn2J0JuLalXw//TLmC0ydE7vr jean@DESKTOP-J08NPU2
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAj1SFdqGjsIrF644ywWANqDMrsrlSBAQiM1HWEfwOIF jean@DESKTOP-L7L1S5V
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/3NRXevRiFpmLGkrZTA1Fp2FigYtDvvpG8Ta60U28p jean@x380
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJJvDmBpuduGeVdN92I/tr5YkfmQo5fQ4lI5ZgakRQef root@pve1
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIADkU1x7tNWVg30edAF9lU6ik5UFK1I5NScyiQNgcqvc root@docker-pve1
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHFYVCd+5vmG2L5kKsu8eBmgi4DN9Bj0N/6HBuG7WuMw root@server5
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHMi3cDD/bZfrDZad0UeYGs1vJl1e3UuDTo2zp92APhm root@server6
diff --git a/shared/ssh/fragments/horus-vps-root.pub b/shared/ssh/fragments/horus-vps-root.pub
new file mode 100644
index 0000000..296af41
--- /dev/null
+++ b/shared/ssh/fragments/horus-vps-root.pub
@@ -0,0 +1,14 @@
+# Horus VPS — root@10.1.1.1 (horus.jeanavril.com)
+# Erreichbar nur via WireGuard (VM 101: wg0 10.1.1.5 ↔ Horus 10.1.1.1, Endpoint 207.180.222.207)
+# VM 101 Automation: ssh root@10.1.1.1 (Key jean@DESKTOP-J08NPU2 = jean@192.168.10.10 ~/.ssh/id_ed25519)
+
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEohWH3Rqh0+h5sYmi921rf3l2mZ0RXebCS8hR9pmHIiAAAABHNzaDo= jean@DESKTOP-DA5D3IG
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEGR43JnbBQNZ3U9onHM1XoFiJStBUmGTf2yr9p/haYuAAAABHNzaDo= jean@DESKTOP-2N4HRBF
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIBsG9CHE5dT2an9W7mjuMhVXQncgXVcvlJzScq/SKe2BAAAABHNzaDo= jean@DESKTOP-K6JF0AB
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0ToemBZ+/ibr9k0LHsn2J0JuLalXw//TLmC0ydE7vr jean@DESKTOP-J08NPU2
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAj1SFdqGjsIrF644ywWANqDMrsrlSBAQiM1HWEfwOIF jean@DESKTOP-L7L1S5V
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/3NRXevRiFpmLGkrZTA1Fp2FigYtDvvpG8Ta60U28p jean@x380
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJJvDmBpuduGeVdN92I/tr5YkfmQo5fQ4lI5ZgakRQef root@pve1
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIADkU1x7tNWVg30edAF9lU6ik5UFK1I5NScyiQNgcqvc root@docker-pve1
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHFYVCd+5vmG2L5kKsu8eBmgi4DN9Bj0N/6HBuG7WuMw root@server5
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHMi3cDD/bZfrDZad0UeYGs1vJl1e3UuDTo2zp92APhm root@server6
diff --git a/shared/ssh/fragments/vm101-to-horus.pub b/shared/ssh/fragments/vm101-to-horus.pub
new file mode 100644
index 0000000..6761182
--- /dev/null
+++ b/shared/ssh/fragments/vm101-to-horus.pub
@@ -0,0 +1,3 @@
+# Key auf VM 101 (jean@192.168.10.10), mit dem root@10.1.1.1 (Horus) erreicht wird
+# Private Key: ~/.ssh/id_ed25519 (nicht ins Repo)
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0ToemBZ+/ibr9k0LHsn2J0JuLalXw//TLmC0ydE7vr jean@DESKTOP-J08NPU2
diff --git a/shared/ssh/install-authorized-keys.sh b/shared/ssh/install-authorized-keys.sh
index 1ac8fed..9cd9876 100755
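Review bot: The new fragment `horus-vps-root.pub` grants `root@10.1.1.1` not only to the admin keys but also to the host keys `root@pve1`, `root@docker-pve1`, `root@server5` and `root@server6`, while its own header comment and the README describe the access path as VM 101 over WireGuard; nothing in the fragment says why root on each of those four hosts needs root on the VPS. If they do not, the least-privilege version of this set is the admin keys plus the VM 101 automation key, and since the README states SSH on Horus is reachable only from WireGuard peers, that key can be pinned to its source, e.g. `from="10.1.1.5" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0ToemBZ+/ibr9k0LHsn2J0JuLalXw//TLmC0ydE7vr jean@DESKTOP-J08NPU2`. Either way a one-line comment per host key naming the job that uses it would make this fragment reviewable the next time it is rebuilt.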
--- a/shared/ssh/install-authorized-keys.sh
+++ b/shared/ssh/install-authorized-keys.sh
@@ -18,10 +18,12 @@ Targets:
 proxmox-root → /root/.ssh/authorized_keys auf Proxmox-Hosts
 vm101-jean → jean@192.168.10.10 ~/.ssh/authorized_keys
 pve2-lxc-root → root in CTs auf pve2 (101 docker, 109 media, 110 aidev)
+ horus-root → root@10.1.1.1 (Horus VPS, nur via WireGuard — Springt über VM 101)
 
 Options:
 --dest PATH Lokale Zieldatei (nur proxmox-root, default: /root/.ssh/authorized_keys)
- --remote USER@HOST Auf Remote-Host installieren (proxmox-root / vm101-jean)
+ --remote USER@HOST Auf Remote-Host installieren (proxmox-root / vm101-jean / horus-root)
+ --jump USER@HOST Sprung-Host für horus-root (default: jean@192.168.10.10)
 --ct VMID Nur einen CT (pve2-lxc-root, mehrfach möglich)
 --dry-run Nur anzeigen, nicht schreiben
 -h Hilfe
@@ -31,9 +33,12 @@ Beispiele:
 ./install-authorized-keys.sh --remote root@192.168.10.5 proxmox-root
 ./install-authorized-keys.sh vm101-jean
 ./install-authorized-keys.sh pve2-lxc-root --ct 101
+ ./install-authorized-keys.sh horus-root
 EOF
 }
 
+JUMP=""
+
 log() { printf '%s\n' "$*"; }
 
 run() {
@@ -70,6 +75,17 @@ install_remote() {
 log "Installiert auf $remote:$dest"
 }
 
+install_remote_via_jump() {
+ local src="$1" jump="$2" remote="$3" dest="$4"
+ if (( DRY_RUN )); then
+ log "[dry-run] $jump → $remote → $dest ← $src"
+ return
+ fi
+ scp -q "$src" "$jump:/tmp/authorized_keys.new"
+ ssh "$jump" "scp -q /tmp/authorized_keys.new ${remote}:/tmp/authorized_keys.new && ssh -o BatchMode=yes ${remote} 'mkdir -p /root/.ssh && chmod 700 /root/.ssh && install -m 600 /tmp/authorized_keys.new ${dest} && rm -f /tmp/authorized_keys.new' && rm -f /tmp/authorized_keys.new"
+ log "Installiert auf $remote:$dest (via $jump)"
+}
+
 install_pve2_ct() {
 local src="$1" vmid="$2"
 if (( DRY_RUN )); then
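Review bot: `install_remote_via_jump` stages the key file at the fixed path `/tmp/authorized_keys.new` on the jump host (written there as `jean`, in a directory every local account can reach) and again on Horus, and whatever that path holds when the forwarded `scp` runs becomes root's `authorized_keys` on the VPS; a predictable name in a shared `/tmp` is what `mktemp` exists to avoid, and if the chained command fails midway the staged copy is left behind because the `rm -f` only runs on success. The staging can be dropped entirely by streaming `$src` over one ProxyJump connection and writing it atomically on the target, as below; `${dest}` comes from `--dest` and should also be quoted inside the remote command string rather than interpolated bare. The whole function lies inside the hunk.
```shell
install_remote_via_jump() {
  local src="$1" jump="$2" remote="$3" dest="$4"
  # … unchanged: dry-run branch …
  # One hop through the jump host; the key material never sits in a shared /tmp.
  # umask 077 makes a fresh .ssh/ 700 and the temp file 600; mv swaps it in atomically.
  ssh -o BatchMode=yes -J "$jump" "$remote" \
    "umask 077 && mkdir -p /root/.ssh && chmod 700 /root/.ssh && cat > '${dest}.tmp' && mv -f '${dest}.tmp' '${dest}'" \
    < "$src"
  log "Installiert auf $remote:$dest (via $jump)"
}
```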
@@ -87,6 +103,7 @@ while [[ $# -gt 0 ]]; do
 case "$1" in
 --dest) DEST="$2"; shift 2 ;;
 --remote) REMOTE="$2"; shift 2 ;;
+ --jump) JUMP="$2"; shift 2 ;;
 --ct) CT_IDS+=("$2"); shift 2 ;;
 --dry-run) DRY_RUN=1; shift ;;
 -h|--help) usage; exit 0 ;;
@@ -123,6 +140,13 @@ case "$TARGET" in
 install_pve2_ct "$SRC" "$vmid"
 done
 ;;
+ horus-root)
+ SRC="$SSH_DIR/assembled/horus-root.pub"
+ DEST="${DEST:-/root/.ssh/authorized_keys}"
+ JUMP="${JUMP:-jean@192.168.10.10}"
+ REMOTE="${REMOTE:-root@10.1.1.1}"
+ install_remote_via_jump "$SRC" "$JUMP" "$REMOTE" "$DEST"
+ ;;
 *)
 echo "Unbekanntes Target: $TARGET" >&2
 usage >&2
diff --git a/shared/ssh/rebuild-assembled.sh b/shared/ssh/rebuild-assembled.sh
index f3b47ae..b87bd9d 100755
--- a/shared/ssh/rebuild-assembled.sh
+++ b/shared/ssh/rebuild-assembled.sh
@@ -32,6 +32,9 @@ build pve2-lxc-root.pub \
 "$FRAG/admin-laptops-extra.pub" \
 "$FRAG/admin-mobile.pub"
 
+build horus-root.pub \
+ "$FRAG/horus-vps-root.pub"
+
 build authorized_keys.all.pub \
 "$FRAG"/*.pub
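Review bot: `--jump` is now accepted by the option parser for every target, but in the `case "$TARGET"` block only the new `horus-root` arm reads `JUMP`, so `--jump` passed together with any other target is silently dropped; the earlier arms are outside the hunk, so this is inferred from the visible one. A one-line guard ahead of the `case` would make the mismatch visible to the operator instead of silent: `[[ -n $JUMP && $TARGET != horus-root ]] && echo "--jump gilt nur für horus-root" >&2`.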