Vish/homelab-optimized
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8c1e3cc3b8d2ce31ed08d215ab4c54d58e57167d
homelab-optimized/docs/networking/SSH_MESH.md
Gitea Mirror Bot 8c1e3cc3b8
Some checks failed
Documentation / Build Docusaurus (push) Failing after 5m4s
Details
Documentation / Deploy to GitHub Pages (push) Has been skipped
Details
Sanitized mirror from private repository - 2026-03-23 11:46:37 UTC
2026-03-23 11:46:37 +00:00

2.6 KiB
Raw Blame History

SSH Mesh — Key-Based Authentication Across All Hosts

All Tailscale-connected hosts can SSH to each other using ed25519 key authentication. No passwords needed.

Participating Hosts

Host User Tailscale IP SSH Port Key
homelab-vm homelab 100.67.40.126 22 admin@thevish.io
atlantis vish 100.83.230.112 60000 vish@atlantis
calypso Vish 100.103.48.78 62000 calypso access
guava vish 100.75.252.64 22 vish@guava
setillo vish 100.125.0.20 22 setillo-key
pi-5 vish 100.77.151.40 22 vish@pi-5
nuc vish 100.72.55.21 22 vish@nuc
moon vish 100.64.0.6 22 vish@moon
seattle root 100.82.197.124 22 root@seattle
matrix-ubuntu test 100.85.21.51 22 test@matrix-ubuntu
jellyfish lulu 100.69.121.120 22 lulu@jellyfish
pve root 100.87.12.28 22 root@pve (RSA)
gl-mt3000 root 100.126.243.15 22 (admin key only)
gl-be3600 root 100.105.59.123 22 root@gl-be3600

The admin key (admin@thevish.io from homelab-vm) is present on every host.

Ansible Playbook

Manage the mesh with ansible/playbooks/ssh_mesh.yml:

# Distribute keys to all hosts (collect + push)
ansible-playbook -i inventory.yml playbooks/ssh_mesh.yml --tags distribute

# Verify connectivity from localhost
ansible-playbook -i inventory.yml playbooks/ssh_mesh.yml --tags verify

# Generate missing keys + distribute
ansible-playbook -i inventory.yml playbooks/ssh_mesh.yml -e "generate_missing=true"

The ssh_mesh group in inventory.yml defines which hosts participate.

Adding a New Host

  1. Add the host to ansible/inventory.yml under the appropriate group and to the ssh_mesh children
  2. Run the playbook with key generation: 
    ansible-playbook -i inventory.yml playbooks/ssh_mesh.yml -e "generate_missing=true"
  3. This will generate a key on the new host if needed, collect all keys, and distribute them everywhere

Notes

  • Synology NAS (Atlantis/Calypso/Setillo): Home directory must be chmod 755 or stricter — SSH refuses key auth if home is world-writable. DSM can reset permissions on reboot.
  • OpenWrt routers (MT3000/BE3600): Use dropbear SSH, not OpenSSH. Key auth works but ssh -o flags differ slightly.
  • TrueNAS (Guava): Home directory is at /mnt/data/vish-home/vish/, not /home/vish/.
  • pi-5-kevin: Frequently offline — will fail verification but has keys distributed.
  • homelab-vm: SSH config historically uses password auth to itself; key auth works to all other hosts.

Established 2026-03-23

Reference in New Issue View Git Blame Copy Permalink