onboard-spoke.sh: add key selection prompt for tunnel auth, use explicit -i flag for all SSH calls, clarify hub key installation header

README.md

@@ -37,12 +37,18 @@ cd tinyboard
 
 ### Adding the Spoke's Public Key to the Hub
 
-During `setup-spoke.sh`, a key pair is generated on the spoke for the autossh tunnel. The script will display the public key and pause. Before pressing ENTER, the hub owner must add the public key to the hub user's `authorized_keys`:
+During `setup-spoke.sh`, a key pair is generated on the spoke for the autossh tunnel. The script will display the public key and pause. Before pressing ENTER, the hub owner must add the public key to the hub user's `authorized_keys`. Run this on the hub as the hub user (e.g. `armbian`):
 
 ```bash
 echo "<paste public key here>" >> ~/.ssh/authorized_keys
 ```
 
+Or as root:
+
+```bash
+echo "<paste public key here>" >> /home/armbian/.ssh/authorized_keys
+```
+
 Once the key is added, press ENTER on the spoke to continue. The script will test the SSH connection and if successful, bring up the tunnel.
 
 The private key never leaves the spoke — only the public key is shared.

hub/onboard-spoke.sh

@@ -73,6 +73,27 @@ KEY_PATH="$SSH_DIR/$KEY_NAME"
 
 mkdir -p "$(dirname "$RCLONE_CONF")"
 
+header "Select Tunnel Key"
+AVAILABLE_KEYS=()
+while IFS= read -r keyfile; do
+    AVAILABLE_KEYS+=("$keyfile")
+done < <(find "$SSH_DIR" -maxdepth 1 -type f ! -name "*.pub" ! -name "known_hosts" ! -name "authorized_keys" ! -name "config" | sort)
+
+if [ ${#AVAILABLE_KEYS[@]} -eq 0 ]; then
+    die "No private keys found in $SSH_DIR."
+fi
+
+echo "Available keys:"
+for i in "${!AVAILABLE_KEYS[@]}"; do
+    echo "  $i) ${AVAILABLE_KEYS[$i]}"
+done
+echo ""
+read -rp "Choose key to use for tunnel access [0]: " KEY_CHOICE
+KEY_CHOICE="${KEY_CHOICE:-0}"
+[[ "$KEY_CHOICE" =~ ^[0-9]+$ ]] && [ "$KEY_CHOICE" -lt "${#AVAILABLE_KEYS[@]}" ] || die "Invalid choice."
+TUNNEL_KEY="${AVAILABLE_KEYS[$KEY_CHOICE]}"
+info "Using key: $TUNNEL_KEY"
+
 header "Checking Tunnel"
 info "Scanning spoke host key..."
 KEYSCAN=$(ssh-keyscan -p "$TUNNEL_PORT" -H localhost 2>/dev/null)
@@ -86,7 +107,7 @@ done <<< "$KEYSCAN"
 
 info "Verifying spoke is reachable on port $TUNNEL_PORT..."
 retry_or_abort \
-    "ssh -o BatchMode=yes -o ConnectTimeout=10 -p \"$TUNNEL_PORT\" \"$SPOKE_USER\"@localhost exit" \
+    "ssh -i \"$TUNNEL_KEY\" -o BatchMode=yes -o ConnectTimeout=10 -p \"$TUNNEL_PORT\" \"$SPOKE_USER\"@localhost exit" \
     "Spoke not reachable on port $TUNNEL_PORT. Make sure the tunnel is up."
 
 header "Generating Hub SSH Key"
@@ -99,10 +120,10 @@ fi
 chmod 600 "$KEY_PATH"
 info "Permissions set: $KEY_PATH is 600"
 
-header "Copying Hub Key to Spoke"
+header "Installing Hub Access Key on Spoke"
-info "Running ssh-copy-id to $SPOKE_USER@localhost:$TUNNEL_PORT..."
+info "Copying hub public key to spoke's authorized_keys so the hub can SSH in for rclone..."
 info "(You will be prompted for the $SPOKE_USER password on the spoke)"
-if ssh-copy-id -i "$KEY_PATH.pub" -p "$TUNNEL_PORT" "$SPOKE_USER"@localhost; then
+if ssh-copy-id -i "$KEY_PATH.pub" -o "IdentityFile=$TUNNEL_KEY" -p "$TUNNEL_PORT" "$SPOKE_USER"@localhost; then
     info "Key copied."
 else
     warn "ssh-copy-id failed — password auth may be disabled on the spoke."