Security Favorites
Vault Operations
Sign SSH Key
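# Sign SSH key with Vault CA.
# Two fixes over the one-liner form:
#  - bash does not tilde-expand `public_key=@~/...` (the ~ does not directly
#    follow the =), so the literal "~" path was handed to vault; use $HOME.
#  - `>| cert` truncates the existing certificate before vault runs, so a
#    failed signing leaves an empty cert file. Write to a temp file and
#    move it into place only on success.
key="$HOME/.ssh/id_ed25519_vault"
cert="${key}-cert.pub"
tmp=$(mktemp "${cert}.XXXXXX") || exit 1
if vault write -field=signed_key ssh/sign/domus-client \
    public_key=@"${key}.pub" \
    valid_principals="ansible,evanusmodestus,root,adminerosado,admin" \
    >"$tmp"; then
  mv -f -- "$tmp" "$cert"
else
  rm -f -- "$tmp"
  printf 'vault ssh signing failed\n' >&2
  exit 1
fi
# Re-add the key so the agent picks up the new certificate; the removal
# is best-effort (it fails harmlessly when the key was not loaded).
ssh-add -d "$key" 2>/dev/null
ssh-add "$key"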
Certificate Issuance
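# Issue a client certificate from the intermediate PKI.
# The JSON response includes the private key, so make sure the output
# file is owner-only (umask 077 for creation, chmod for an existing file)
# instead of inheriting the default umask in world-readable /tmp, and
# fail loudly if the issue call does not succeed.
out=/tmp/cert.json
(
  umask 077
  : >"$out" && chmod 600 -- "$out" &&
  vault write -format=json pki_int/issue/domus-client \
    common_name="hostname.inside.domusdigitalis.dev" \
    ttl="8760h" >"$out"
) || { printf 'certificate issuance failed\n' >&2; exit 1; }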
Check SSH Certificate
# Show the validity window, principals and extensions of the signed SSH cert.
cert="$HOME/.ssh/id_ed25519_vault-cert.pub"
ssh-keygen -L -f "$cert" | grep -E -e 'Valid:|Principals:|Extensions:'
Credential Management
gopass Workflow
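# gopass credential retrieval for scripts.
# Assign separately from `export`: `export X=$(cmd)` reports export's own
# status (always 0), so a failed lookup would silently leave an empty
# credential in the environment. -o prints only the secret value.
ISE_USER=$(gopass show -o v3/domains/d000/ise/admin-user) || exit 1
ISE_PASS=$(gopass show -o v3/domains/d000/ise/admin-pass) || exit 1
export ISE_USER ISE_PASS
netapi ise mnt sessions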
age Encryption
# age encryption for secrets: encrypt the plaintext env file to the
# given recipient. Note the plaintext stays at /tmp/network.env
# afterwards; remove it once the .age file has been verified.
recipient=age1wtdeuelfua4afrqqtw8claqf5wc335g7euhgh22pjzd57azpgq3q7jqcnn
plaintext=/tmp/network.env
encrypted="$HOME/.secrets/environments/domains/d000/dev/network.env.age"
age --recipient "$recipient" --output "$encrypted" "$plaintext"
bcrypt Generation
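# Generate a bcrypt hash for configs.
# Read the password from the terminal (getpass, no echo) instead of
# embedding it in the python argument, where it ends up in `ps` output
# and shell history. Cost factor stays at 12.
python3 -c 'import bcrypt, getpass; print(bcrypt.hashpw(getpass.getpass("Password: ").encode(), bcrypt.gensalt(12)).decode())'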
Firewall Operations
firewalld Audit
# firewalld active rules audit: full zone dump, then the ports-only and
# services-only views of the same zone.
zone=public
for query in all ports services; do
  firewall-cmd "--list-${query}" --zone="$zone"
done
pfSense Firewall Check
# pfSense firewall rule audit via netapi: load the d000 dev network
# environment, then tabulate the enabled rules (interface, protocol,
# source, destination, description).
dsource d000 dev/network
netapi pfsense api-call GET /api/v2/firewall/rule \
  | jq -r '.data[] | select(.enabled==true) | [.interface, .protocol, .source, .destination, .descr] | @tsv' \
  | column -t
firewalld Quick Reference
# List open ports, one per line, numerically by port number.
sudo firewall-cmd --list-ports | tr ' ' '\n' | sort -t/ -k1,1n

# Open a port (or range) in the permanent config and apply it.
# Arguments: $1 - port spec such as 8443/tcp or 30000-32767/tcp
open_port_permanent() {
  sudo firewall-cmd --permanent --add-port="$1" && sudo firewall-cmd --reload
}

open_port_permanent 8443/tcp
# Kubernetes NodePort range
open_port_permanent 30000-32767/tcp
File Permissions
Check Permissions (Octal)
# Print the octal mode and name of every entry in the private key directory.
stat --format='%a %n' /etc/ssl/private/*
Find World-Readable Private Keys
# List regular files under /etc/ssl/private whose "other" read bit is set.
find /etc/ssl/private -type f -perm /o=r -print