ansible-role-ssh-cert/tasks/main.yml

---
# vim: set expandtab tabstop=2 shiftwidth=2:
# Read the managed host's public key. slurp hands it back base64-encoded in
# host_pub.content; the next task decodes and splits it.
- name: Pull host pub
  slurp:
    src: '{{ssh_cert_host_pub_path}}'
  register: host_pub
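# Derive the host-key fields and the list of certificate principals this host
# may request from the CA.
- name: Derive host key fields and certificate principals
  set_fact:
    # An OpenSSH public key line is "<type> <base64 blob> [comment]".
    # split() without a separator splits on any whitespace and drops the file's
    # trailing newline, so a key line that has no comment does not leak "\n"
    # (and with it a bogus second line) into the authorized_key entry below.
    host_pub_type: '{{(host_pub.content | b64decode).split()[0]}}'
    host_pub_hash: '{{(host_pub.content | b64decode).split()[1]}}'
    # Principals: the inventory name, its FQDN, its .local name, every A/AAAA
    # record the *controller* resolves for it, plus any caller-supplied extras.
    # lookup() without wantlist joins the flattened list with ",", which is the
    # form the CA forced command and the final .split(",") task rely on.
    # The dig lookup yields the literal string 'NXDOMAIN' for a missing record
    # type. difference() must be given a list: handed the bare string it either
    # iterates its characters or substring-matches, depending on the Ansible
    # version, and 'NXDOMAIN' could end up as a principal in the certificate.
    principals: "{{lookup('flattened',
      [inventory_hostname, inventory_hostname+'.'+domain, inventory_hostname+'.local'] +
      lookup('dig', inventory_hostname, 'qtype=A', wantlist=True) | difference(['NXDOMAIN']) +
      lookup('dig', inventory_hostname, 'qtype=AAAA', wantlist=True) | difference(['NXDOMAIN']) +
      (ssh_cert_host_addition_ids | default([]))
    )}}"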
# Authorise this host's key on the CA host, pinned to a forced command: the
# host can only ask the CA to sign a certificate for its own name and the
# principals computed above -- no shell, no forwarding, no other identities.
- name: Register host pub for sshca
  delegate_to: '{{ssh_ca_host}}'
  remote_user: root
  authorized_key:
    user: '{{ssh_ca_user}}'
    state: present
    key: '{{host_pub_type}} {{host_pub_hash}} {{inventory_hostname}}'
    # 'restrict' requires OpenSSH >= 7.2 on the CA host. Both arguments are
    # shell-quoted because they land on a command line; principals is the
    # comma-separated string built in the previous task.
    key_options: 'restrict,command="/var/lib/sshca/ssh-ca host {{inventory_hostname|quote}} {{principals|quote}}"'
  # NOTE(review): state=present never removes an earlier key of the same host,
  # so after a host-key rotation the old key stays authorised until pruned.
# Distribute the CA public key. copy without remote_src reads src on the
# controller, so the CA key must be present there under the same path it is
# given on the managed host.
- name: Push ca pub
  copy:
    src: '{{ssh_cert_host_capub_path}}'
    dest: '{{ssh_cert_host_capub_path}}'
    owner: root
    group: root
    mode: '0644'  # quoted so the YAML parser cannot mis-type the octal mode
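# Point sshd at the certificate the renew service keeps fresh.
- name: sshd_config - HostCertificate
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^\s*HostCertificate\s+'
    line: 'HostCertificate {{ssh_cert_host_cert_path}}'
    # Keep the directive next to the HostKey lines of the stock config. If the
    # marker is absent lineinfile appends at EOF, which is wrong when the file
    # ends in a Match block (HostCertificate is not permitted inside Match).
    insertbefore: '^# HostKeys for protocol'
    # Refuse to write a config sshd itself rejects: a broken sshd_config plus
    # the reload at the end of this role would lock us out of the host.
    # NOTE(review): on the first run the certificate file does not exist yet;
    # sshd reports an unloadable HostCertificate as an error message but keeps
    # going, so -t should still pass -- confirm on the target OpenSSH version.
    validate: '/usr/sbin/sshd -t -f %s'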
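# Trust host certificates signed by our CA system-wide. The '*' pattern makes
# the CA authoritative for *every* hostname, so the only thing preventing a
# host from obtaining a certificate for someone else's name is the forced
# command installed on the CA above -- keep the two in step when changing either.
- name: known_hosts ca-cert
  known_hosts:
    path: /etc/ssh/ssh_known_hosts
    # The module only uses name to look the entry up (ssh-keygen -F); the '*'
    # pattern matches any value. Use the role's domain variable rather than a
    # hard-coded site name so the role is reusable outside its author's setup.
    name: '{{domain}}'
    # A wildcard cert-authority line cannot be meaningfully host-hashed.
    hash_host: false
    key: "@cert-authority * {{lookup('file', ssh_cert_host_capub_path)}}"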
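# systemd timer/service template pair that re-requests the host certificate.
# Sources come from the role's files/ directory. (Named distinctly from the
# script task below so play output and --start-at-task are unambiguous.)
- name: install ssh-cert-renew units
  copy:
    src: '{{item.key}}'
    dest: '{{item.value}}'
    owner: root
    group: root
    mode: '0644'
  with_dict:
    ssh-cert-renew@.timer: /etc/systemd/system/ssh-cert-renew@.timer
    ssh-cert-renew@.service: /etc/systemd/system/ssh-cert-renew@.service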
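# The renew script itself, executable by root. NOTE(review): /etc/systemd is
# an unusual home for an executable; the unit installed above presumably
# references this exact path, so relocate both together if moving it.
- name: install ssh-cert-renew script
  copy:
    src: '{{item.key}}'
    dest: '{{item.value}}'
    owner: root
    group: root
    mode: '0755'
  with_dict:
    ssh-cert-renew: /etc/systemd/ssh-cert-renew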
# Settings for the renew service in /etc/default (how the script consumes them
# is not visible here). All three are required and fail the play if unset.
# Values are written unquoted, so keep them free of whitespace and '#'.
- name: config ssh-cert-renew
  lineinfile:
    path: /etc/default/ssh-cert-renew
    create: true
    regexp: '^\s*{{item.key}}='
    line: '{{item.key}}={{item.value}}'
  with_dict:
    ssh_cert_mail_to: '{{ssh_cert_mail_to|mandatory}}'
    ssh_cert_mail_from: '{{ssh_cert_mail_from|mandatory}}'
    ssh_cert_sign_host: '{{ssh_cert_sign_host|mandatory}}'
# Request the first certificate immediately (instance for the ed25519 host
# key) so sshd has one to serve when it is reloaded below.
# NOTE(review): the key name is hard-coded here and in the timer task; it must
# agree with ssh_cert_host_pub_path, which the role does not check.
- name: renew ssh-cert
  systemd:
    name: ssh-cert-renew@ssh_host_ed25519_key.service
    state: started
    daemon_reload: true  # pick up the unit files installed above
# Enable periodic renewal and make sure sshd itself is running.
- name: enable services
  systemd:
    name: '{{item}}'
    state: started
    enabled: true
  loop:
    - ssh-cert-renew@ssh_host_ed25519_key.timer
    - ssh.service
# Reload (not restart) sshd so it picks up HostCertificate without dropping
# established sessions, including the one running this play.
- name: reload ssh
  service:
    name: ssh
    state: reloaded
# Drop plain host-key entries for every principal now covered by the
# certificate. NOTE(review): with no delegate_to this edits ~/.ssh/known_hosts
# of the connecting user on the managed host, not the controller's file; add
# `delegate_to: localhost` if the controller's known_hosts is what is meant.
- name: remove from local known_hosts
  known_hosts:
    name: '{{item}}'
    state: absent
  loop: '{{principals.split(",")}}'