103 lines
3 KiB
YAML
103 lines
3 KiB
YAML
|
---
|
||
|
# vim: set expandtab tabstop=2 shiftwidth=2:
|
||
|
|
||
|
- name: Pull host pub
|
||
|
register: host_pub
|
||
|
slurp:
|
||
|
src: '{{ssh_cert_host_pub_path}}'
|
||
|
#dest: '{{ssh_cert_base_dir}}/host-{{inventory_hostname}}.pub'
|
||
|
#flat: true
|
||
|
- set_fact:
|
||
|
host_pub_type: '{{(host_pub.content | b64decode).split(" ")[0]}}'
|
||
|
host_pub_hash: '{{(host_pub.content | b64decode).split(" ")[1]}}'
|
||
|
principals: "{{lookup( 'flattened',
|
||
|
[inventory_hostname, inventory_hostname+'.'+domain, inventory_hostname+'.local'] +
|
||
|
lookup ('dig', inventory_hostname, 'qtype=A', wantlist=True)|difference('NXDOMAIN') +
|
||
|
lookup ('dig', inventory_hostname, 'qtype=AAAA', wantlist=True)|difference('NXDOMAIN') +
|
||
|
(ssh_cert_host_addition_ids | default ([]))
|
||
|
)}}"
|
||
|
- name: Register host pub for sshca
|
||
|
remote_user: root
|
||
|
delegate_to: '{{ssh_ca_host}}'
|
||
|
authorized_key:
|
||
|
user: '{{ssh_ca_user}}'
|
||
|
state: present
|
||
|
key: '{{host_pub_type}} {{host_pub_hash}} {{inventory_hostname}}'
|
||
|
key_options: 'restrict,command="/var/lib/sshca/ssh-ca host {{inventory_hostname|quote}} {{principals|quote}}"'
|
||
|
|
||
|
- name: Push ca pub
|
||
|
copy:
|
||
|
src: '{{ssh_cert_host_capub_path}}'
|
||
|
dest: '{{ssh_cert_host_capub_path}}'
|
||
|
mode: 0644
|
||
|
owner: root
|
||
|
group: root
|
||
|
- name: sshd_config - HostCertificate
|
||
|
lineinfile:
|
||
|
path: /etc/ssh/sshd_config
|
||
|
insertbefore: '^# HostKeys for protocol'
|
||
|
regexp: '^\s*HostCertificate\s+'
|
||
|
line: 'HostCertificate {{ssh_cert_host_cert_path}}'
|
||
|
- name: known_hosts ca-cert
|
||
|
known_hosts:
|
||
|
hash_host: false
|
||
|
path: /etc/ssh/ssh_known_hosts
|
||
|
name: denkn.at
|
||
|
key: "@cert-authority * {{lookup('file', ssh_cert_host_capub_path)}}"
|
||
|
|
||
|
- name: install ssh-cert-renew
|
||
|
copy:
|
||
|
dest: '{{item.value}}'
|
||
|
src: '{{item.key}}'
|
||
|
mode: 0644
|
||
|
owner: root
|
||
|
group: root
|
||
|
with_dict:
|
||
|
ssh-cert-renew@.timer: /etc/systemd/system/ssh-cert-renew@.timer
|
||
|
ssh-cert-renew@.service: /etc/systemd/system/ssh-cert-renew@.service
|
||
|
- name: install ssh-cert-renew
|
||
|
copy:
|
||
|
dest: '{{item.value}}'
|
||
|
src: '{{item.key}}'
|
||
|
mode: 0755
|
||
|
owner: root
|
||
|
group: root
|
||
|
with_dict:
|
||
|
ssh-cert-renew: /etc/systemd/ssh-cert-renew
|
||
|
|
||
|
- name: config ssh-cert-renew
|
||
|
lineinfile:
|
||
|
create: true
|
||
|
path: '/etc/default/ssh-cert-renew'
|
||
|
regexp: '^\s*{{item.key}}='
|
||
|
line: '{{item.key}}={{item.value}}'
|
||
|
with_dict:
|
||
|
ssh_cert_mail_to: '{{ssh_cert_mail_to |mandatory}}'
|
||
|
ssh_cert_mail_from: '{{ssh_cert_mail_from|mandatory}}'
|
||
|
ssh_cert_sign_host: '{{ssh_cert_sign_host|mandatory}}'
|
||
|
|
||
|
- name: renew ssh-cert
|
||
|
systemd:
|
||
|
daemon_reload: true
|
||
|
name: "ssh-cert-renew@ssh_host_ed25519_key.service"
|
||
|
state: started
|
||
|
- name: enable services
|
||
|
systemd:
|
||
|
name: '{{item}}'
|
||
|
enabled: true
|
||
|
state: started
|
||
|
with_items:
|
||
|
- "ssh-cert-renew@ssh_host_ed25519_key.timer"
|
||
|
- ssh.service
|
||
|
|
||
|
- name: reload ssh
|
||
|
service:
|
||
|
name: ssh
|
||
|
state: reloaded
|
||
|
|
||
|
- name: remove from local known_hosts
|
||
|
known_hosts:
|
||
|
state: absent
|
||
|
host: '{{item}}'
|
||
|
with_items: '{{principals.split(",")}}'
|