Bootstrapping soft-serve for Flux
See also updating the SSH host keys for Flux, since if you're reading this it's likely you're rebuilding the git server entirely.
With my ansible automation, I generate the initial admin key and store it in /var/lib/soft-serve/admin.
It’ll be used locally (or you can copy it to your local machine if you really must…) by running an ssh client against localhost.
This document also assumes the server is running on port 22222, as per my ansible automation.
You can access the server using ssh over localhost by running the following command:
ssh -i /var/lib/soft-serve/admin localhost -p 22222 help...
But doing that over and over is tedious, so I made a shell script that wraps all of that called /usr/local/bin/soft-serve.sh.
It’s managed by ansible as well, so customizations to things like ports or changes to the admin key should be automatically picked up.
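As an added illustration (this is not the author's ansible-managed script), here is what a POSIX sh /usr/local/bin/soft-serve.sh wrapper of that kind could look like; the environment-variable overrides, the IdentitiesOnly/BatchMode options and the key-permission check are my assumptions, while the key path and port follow the page:

```shell
#!/bin/sh
# Illustrative soft-serve.sh wrapper (assumed, not the page's ansible-managed
# script). Defaults follow the page: admin key in /var/lib/soft-serve/admin,
# server on localhost port 22222. Override via environment if needed.
SOFT_SERVE_KEY="${SOFT_SERVE_KEY:-/var/lib/soft-serve/admin}"
SOFT_SERVE_HOST="${SOFT_SERVE_HOST:-localhost}"
SOFT_SERVE_PORT="${SOFT_SERVE_PORT:-22222}"

# Build the ssh argument list for a soft-serve command. IdentitiesOnly keeps
# ssh from offering every agent key before the admin key; BatchMode fails
# fast instead of prompting if the key is rejected. Printed one argument per
# line so it can be inspected without contacting a server.
soft_serve_cmdline() {
    printf '%s\n' ssh -i "$SOFT_SERVE_KEY" -o IdentitiesOnly=yes \
        -o BatchMode=yes -p "$SOFT_SERVE_PORT" "$SOFT_SERVE_HOST" "$@"
}

# The admin key grants full control of every repository, so refuse to use it
# if group or other have any access (i.e. anything but mode 0600 / 0400).
# Uses the ls -l mode string for portability across GNU and BSD userlands.
check_admin_key_perms() {
    key="$1"
    mode="$(ls -l "$key" 2>/dev/null | cut -c5-10)"
    [ "$mode" = "------" ]
}

# Run a soft-serve command over SSH against the local server, e.g.:
#   soft-serve.sh settings anon-access no-access
soft_serve() {
    if ! check_admin_key_perms "$SOFT_SERVE_KEY"; then
        echo "refusing: $SOFT_SERVE_KEY must exist and be mode 0600" >&2
        return 1
    fi
    ssh -i "$SOFT_SERVE_KEY" -o IdentitiesOnly=yes -o BatchMode=yes \
        -p "$SOFT_SERVE_PORT" "$SOFT_SERVE_HOST" "$@"
}

# Dispatch only when called with a command; sourcing the file is a no-op.
if [ $# -gt 0 ]; then
    soft_serve "$@"
fi
```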
Limit access to SSH key users
Make sure that soft-serve limits the available SSH authentication methods, and disables the HTTP and git protocols.
Users must also be added as collaborators to access a repository, rather than being granted read-only access by default.
soft-serve.sh settings allow-keyless false
soft-serve.sh settings anon-access no-access
Create users for flux and admins
Then assign the new user a public key (the matching private key is stored as a sops-encrypted file ‘.ssh.key.enc’ in k8s-tanka-world).
soft-serve.sh user create flux
soft-serve.sh user add-pubkey flux "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICr9TGFTYO8+Pc29PRNTogzM5wkHx+fJcKuQxREv5hV5"
soft-serve.sh user create nogweii
# this pubkey comes from my workstation, it may have changed since writing
soft-serve.sh user add-pubkey nogweii "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8BGyFBJGy1GnsbUaXNnpYFrHxdeoVRfGdyWTGQ0zt2"
Create the sys/flux-config repo
I put the repo under a path for organizational purposes; the path is not special. The name is also not special, but it’s useful to be descriptive.
# Create the repo
soft-serve.sh repo create sys/flux-config
# Mark the repo as private, limiting who can access it
soft-serve.sh repo private sys/flux-config true
Permissions for the repo
Since I’m making it a private repo so that not everyone with a pubkey in the server’s configuration can access it, I have to grant users specific access:
# Flux can read the repo, not update it
soft-serve.sh repo collab add sys/flux-config flux read-only
# Grant nogweii full read-write access
soft-serve.sh repo collab add sys/flux-config nogweii read-write
Example SSH config to access soft-serve
Since I’ll want to access the git server over SSH from my workstation, here’s a sample config file for OpenSSH:
Host soft
Hostname var.aether.earth
User nogweii
IdentityFile ~/.ssh/keys/externals
IdentitiesOnly yes
Port 22222
RemoteCommand none
RequestTTY auto