Inbound SSH to Whrrr VMM guests: humans and agents
ubuncap (192.168.6.100) and recordurbate (192.168.6.98) are Ansible-managed
VMM guests on Synology whrrr. Both use the account someone, which has NOPASSWD sudo.
Related: saltierpoop-inbound-ssh-agents.md, ssh-keys-and-infra-services.md.
Three access paths
| Who | Command | Key | Notes |
|---|---|---|---|
| You (interactive) | `ssh someone@192.168.6.100` (or .98) | Personal / 1Password | May prompt for passphrase |
| Cursor / agents (direct) | `ssh ubuncap-cursor` / `ssh recordurbate-cursor` | `~/.ssh/cursor-infra` | Same key as infra-services-cursor |
| C&C from infra-services | `sudo ssh -i /etc/homelab/patch-controller/id_ed25519 someone@…` | patch-controller | Restricted to `from="192.168.6.17"` on server |
Patch-controller keys are installed by coordinated patching bootstrap / site.yml.
They only work from infra-services, not from your laptop.
Workstation SSH config
On your PC (not infra-services), edit %USERPROFILE%\.ssh\config, the same
file that already defines infra-services-cursor, and add these blocks there.
Use the WSL config only if you SSH from WSL; Cursor's default terminal on
Windows uses the Windows config.
```
Host ubuncap-cursor
    HostName 192.168.6.100
    User someone
    IdentityFile ~/.ssh/cursor-infra
    IdentitiesOnly yes
    IdentityAgent none

Host recordurbate-cursor
    HostName 192.168.6.98
    User someone
    IdentityFile ~/.ssh/cursor-infra
    IdentitiesOnly yes
    IdentityAgent none
```
Authorize the agent key (one-time)
The cursor-infra public key must be in /home/someone/.ssh/authorized_keys.
Option A — from infra-services (patch-controller already trusted):
```powershell
# Windows PowerShell on the workstation. A line ending in | continues on the next line.
# cat >> appends: running a command twice leaves a duplicate entry in authorized_keys.

# ubuncap
type "$env:USERPROFILE\.ssh\cursor-infra.pub" |
  ssh infra-services-cursor "sudo ssh -i /etc/homelab/patch-controller/id_ed25519 someone@192.168.6.100 'mkdir -p .ssh && chmod 700 .ssh && cat >> .ssh/authorized_keys && chmod 600 .ssh/authorized_keys'"

# recordurbate
type "$env:USERPROFILE\.ssh\cursor-infra.pub" |
  ssh infra-services-cursor "sudo ssh -i /etc/homelab/patch-controller/id_ed25519 someone@192.168.6.98 'mkdir -p .ssh && chmod 700 .ssh && cat >> .ssh/authorized_keys && chmod 600 .ssh/authorized_keys'"
```
Option B — while logged in as you on each VM:
Do not commit the pubkey to git.
Verification
| # | Where | Command | Expect |
|---|---|---|---|
| 1 | Cursor terminal (Windows PowerShell — same as infra-services-cursor) | `ssh -o BatchMode=yes ubuncap-cursor 'echo ok'` | ok |
| 2 | Cursor terminal | `ssh -o BatchMode=yes recordurbate-cursor 'echo ok'` | ok |
| 3 | infra-services | `sudo ssh -i /etc/homelab/patch-controller/id_ed25519 someone@192.168.6.100 hostname` | ubuncap |
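The checks above confirm that login works; they do not show whether the patch-controller key is still pinned to from="192.168.6.17" or whether re-running the `cat >>` step left duplicate entries. The following is an added example, not part of the original runbook, that audits an authorized_keys file for both; the function names, the sample file and the placeholder key blobs are constructed for illustration, and the restricted key is identified by the base64 field of its .pub file.

```python
import re
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # how a key-type field starts
# Constructed sample: the blobs are placeholders, not real keys.
PATCH_BLOB = "AAAAPLACEHOLDERPATCH"
SAMPLE = '''\
# constructed authorized_keys for /home/someone/.ssh
from="192.168.6.17" ssh-ed25519 AAAAPLACEHOLDERPATCH patch-controller
ssh-ed25519 AAAAPLACEHOLDERCURSOR cursor-infra
ssh-ed25519 AAAAPLACEHOLDERCURSOR cursor-infra
'''

def parse_line(line):
    """Return (options, blob) for a key line, or None for blanks, comments, junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts = ""
    if not line.startswith(KEY_PREFIXES):
        # Options come first and end at the first space outside double quotes.
        in_quote = False
        for i, ch in enumerate(line):
            if ch == '"' and (i == 0 or line[i - 1] != "\\"):
                in_quote = not in_quote
            elif ch == " " and not in_quote:
                opts, line = line[:i], line[i + 1:].lstrip()
                break
    fields = line.split()
    if len(fields) < 2 or not fields[0].startswith(KEY_PREFIXES):
        return None
    return opts, fields[1]

def audit(text, restricted_blob, allowed_from):
    """Return [(lineno, finding)] for duplicate keys and an unpinned restricted key."""
    findings, first_seen = [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        opts, blob = parsed
        first = first_seen.setdefault(blob, no)
        if first != no:
            findings.append((no, f"duplicate of line {first}"))
        m = re.search(r'(?:^|,)from="([^"]*)"', opts, re.I)
        if blob == restricted_blob and (m is None or m.group(1) != allowed_from):
            findings.append((no, f'not pinned to from="{allowed_from}"'))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, PATCH_BLOB, "192.168.6.17"))
```

The from= comparison is deliberately exact, so a widened pattern such as a wildcard subnet is reported as well as a missing option.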
Related
- Coordinated OS patching — Whrrr VMM wave
- ubuncap, recordurbate