Various QOL updates

2026-05-28 05:58:56 +00:00
parent 2366847151
commit c6fbec6442
7 changed files with 711 additions and 185 deletions
+141
@@ -362,6 +362,147 @@ $ systemctl restart sshd`}
</div>
</section>
{/* Deployment Guide */}
<section className="py-16 lg:py-24 bg-muted/30">
<div className="mx-auto max-w-7xl px-4 sm:px-6 lg:px-8">
<div className="text-center mb-12">
<div className="inline-flex items-center gap-2 px-3 py-1 rounded-full bg-accent/10 text-accent text-sm font-medium mb-4">
<Terminal className="h-4 w-4" />
Deployment Guide
</div>
<h2 className="text-3xl font-bold text-foreground mb-4">
Deploy to Your Servers
</h2>
<p className="text-lg text-muted-foreground max-w-2xl mx-auto">
One-time setup per server. The script below installs the CA key, configures
principal-based access, and reloads SSH all in a single idempotent run.
</p>
</div>
<div className="max-w-4xl mx-auto space-y-6">
<Card>
<CardContent className="pt-6">
<div className="flex items-start gap-4">
<div className="flex-shrink-0 w-8 h-8 rounded-full bg-accent text-accent-foreground flex items-center justify-center text-sm font-bold">1</div>
<div className="flex-1 min-w-0">
<h3 className="text-base font-semibold mb-1">Get your CA public key</h3>
<p className="text-sm text-muted-foreground">
In the Secuird dashboard, go to <strong>Certificate Authorities</strong> and
copy the <strong>User CA</strong> public key from the detail card.
</p>
</div>
</div>
</CardContent>
</Card>
<Card>
<CardContent className="pt-6">
<div className="flex items-start gap-4">
<div className="flex-shrink-0 w-8 h-8 rounded-full bg-accent text-accent-foreground flex items-center justify-center text-sm font-bold">2</div>
<div className="flex-1 min-w-0">
<h3 className="text-base font-semibold mb-1">Decide the Unix user and principal</h3>
<p className="text-sm text-muted-foreground">
Each server has a local Unix user (e.g. <code className="font-mono text-xs">ubuntu</code>, <code className="font-mono text-xs">deploy</code>, <code className="font-mono text-xs">root</code>)
that SSH sessions connect to. Choose which <strong>principal</strong> (from your Secuird configuration) should be
allowed to log in as that user.
</p>
</div>
</div>
</CardContent>
</Card>
<Card>
<CardContent className="pt-6">
<div className="flex items-start gap-4">
<div className="flex-shrink-0 w-8 h-8 rounded-full bg-accent text-accent-foreground flex items-center justify-center text-sm font-bold">3</div>
<div className="flex-1 min-w-0">
<h3 className="text-base font-semibold mb-1">Run the setup script</h3>
<p className="text-sm text-muted-foreground mb-3">
SSH into the server and run the script below as <strong>root</strong>. Paste your
CA public key, set the Unix user and principal, then execute.
</p>
<Card>
<div className="bg-muted/50 px-4 py-2 border-b flex items-center gap-2">
<div className="h-3 w-3 rounded-full bg-destructive/60" />
<div className="h-3 w-3 rounded-full bg-warning/60" />
<div className="h-3 w-3 rounded-full bg-success/60" />
<span className="text-xs text-muted-foreground ml-2 font-mono">deploy.sh</span>
</div>
<CardContent className="p-0">
<pre className="p-4 text-sm font-mono text-foreground overflow-x-auto">
<code>
{`#!/usr/bin/env bash
set -euo pipefail
CA_KEY='<Your CA public key>'
UNIX_USER="ubuntu" # ← change to the server's unix user
PRINCIPAL="<Your principal>" # ← change to the principal for this user
CA_FILE="/etc/ssh/trusted_user_ca"
PRINCIPALS_DIR="/etc/ssh/auth_principals"
SSHD_DROP_IN="/etc/ssh/sshd_config.d/99-ca-auth.conf"
if [[ "$(id -u)" -ne 0 ]]; then
echo "error: must be run as root" >&2
exit 1
fi
install -m 0644 -o root -g root /dev/null "\${CA_FILE}"
echo "\${CA_KEY}" > "\${CA_FILE}"
install -d -m 0755 -o root -g root "\${PRINCIPALS_DIR}"
install -m 0644 -o root -g root /dev/null "\${PRINCIPALS_DIR}/\${UNIX_USER}"
echo "\${PRINCIPAL}" > "\${PRINCIPALS_DIR}/\${UNIX_USER}"
install -d -m 0755 -o root -g root "/etc/ssh/sshd_config.d"
install -m 0600 -o root -g root /dev/null "\${SSHD_DROP_IN}"
cat > "\${SSHD_DROP_IN}" <<EOF
TrustedUserCAKeys \${CA_FILE}
AuthorizedPrincipalsFile \${PRINCIPALS_DIR}/%u
EOF
if sshd -t; then
systemctl reload ssh 2>/dev/null || systemctl reload sshd
echo "done — CA trust and principal '\${PRINCIPAL}' configured for '\${UNIX_USER}'"
else
echo "error: sshd configuration test failed — SSH was NOT reloaded" >&2
exit 1
fi`}
</code>
</pre>
</CardContent>
</Card>
</div>
</div>
</CardContent>
</Card>
<Card>
<CardContent className="pt-6">
<div className="flex items-start gap-4">
<div className="flex-shrink-0 w-8 h-8 rounded-full bg-accent text-accent-foreground flex items-center justify-center text-sm font-bold">4</div>
<div className="flex-1 min-w-0">
<h3 className="text-base font-semibold mb-1">Verify the configuration</h3>
<p className="text-sm text-muted-foreground">
The script validates <code className="font-mono text-xs">sshd -t</code> before reloading if you see
<strong>"done"</strong> at the end, everything is working. To double-check, run:
</p>
<pre className="mt-2 p-3 bg-muted rounded text-xs font-mono text-foreground overflow-x-auto">
<code>{`ssh -T user@your-server # should succeed without a password prompt`}</code>
</pre>
<p className="text-sm text-muted-foreground mt-2">
Repeat on every server. Once the CA key is trusted, <strong>any</strong> user with a valid
Secuird-signed certificate for the matching principal can connect no more distributing
individual SSH keys to each server.
</p>
</div>
</div>
</CardContent>
</Card>
</div>
</div>
</section>
{/* Features Deep Dive */}
<section className="py-16 lg:py-24 bg-muted/30">
<div className="mx-auto max-w-7xl px-4 sm:px-6 lg:px-8">
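Review bot: In deploy.sh, the success branch under `if sshd -t; then` prints "done" even when the CA trust is not in effect, and the step 4 copy then tells the reader that seeing "done" means everything is working. `sshd -t` only confirms that the configuration parses. It does not show that the main sshd_config has an Include for /etc/ssh/sshd_config.d/, and it does not read the file named by TrustedUserCAKeys, so the script also reports success with the placeholder `CA_KEY='<Your CA public key>'` left unchanged. Suggest rejecting the placeholder values for CA_KEY and PRINCIPAL up front, validating the written key with `ssh-keygen -l -f "${CA_FILE}"`, and checking the effective settings with `sshd -T | grep -i -e trustedusercakeys -e authorizedprincipalsfile` before printing "done". Two related points in the same script: sshd keeps the first value it obtains for each keyword, so with the `99-` prefix any earlier drop-in that already sets TrustedUserCAKeys or AuthorizedPrincipalsFile wins silently; and the files are written before the test, so when `sshd -t` fails the broken drop-in stays on disk and a later restart or reboot can leave sshd down. Writing the drop-in to a temporary path, testing it, and moving it into place (or removing it on failure) avoids that. In step 4, `ssh -T user@your-server` also succeeds if the user still has an authorized_keys entry, so it does not demonstrate certificate login; the copy should say to test with a certificate-only identity, and the closing paragraph should note that existing authorized_keys entries keep working until they are removed.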