---
# vim: set expandtab tabstop=2 shiftwidth=2:
- name: Pull host pub
  # Read the host's public key file on the managed host. slurp returns it
  # base64-encoded in host_pub.content; the set_fact task below decodes it.
  slurp:
    src: "{{ ssh_cert_host_pub_path }}"
  register: host_pub
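- name: Fetch CA pub
  # Read the CA's public key on the CA host itself (delegated), connecting as
  # root and switching to the CA user. slurp returns the file base64-encoded
  # in _ca_pub.content.
  remote_user: root
  delegate_to: "{{ ssh_ca_host }}"
  become: true  # was "yes" -- a YAML 1.1 boolean spelling; true/false is unambiguous
  become_user: "{{ ssh_ca_user }}"
  slurp:
    src: "{{ ssh_ca_pub }}"
  register: _ca_pub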
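- set_fact:
    # CA public key, decoded from the slurp result of "Fetch CA pub".
    ca_pub: "{{ _ca_pub.content | b64decode }}"
    # Key type (first word, e.g. ssh-ed25519) and key body (second word) of
    # the host key; the comment field after them is intentionally dropped.
    host_pub_type: '{{ (host_pub.content | b64decode).split(" ")[0] }}'
    host_pub_hash: '{{ (host_pub.content | b64decode).split(" ")[1] }}'
    # Principals the CA may sign for this host: short name, FQDN, .local name,
    # its A/AAAA records and any extra ids from ssh_cert_host_addition_ids.
    # Without wantlist, lookup() joins the flattened list with ",", so
    # principals is a comma-separated string (the last task splits it again).
    # The dig lookup (needs dnspython on the controller) yields the literal
    # string NXDOMAIN when a record type is absent. difference() takes a list,
    # so the sentinel is passed as ['NXDOMAIN']; the previous bare-string form
    # only worked through substring matching and is not guaranteed to remove
    # the entry on every ansible-core version.
    principals: "{{ lookup('flattened',
      [inventory_hostname, inventory_hostname + '.' + domain, inventory_hostname + '.local'] +
      lookup('dig', inventory_hostname, 'qtype=A', wantlist=True) | difference(['NXDOMAIN']) +
      lookup('dig', inventory_hostname, 'qtype=AAAA', wantlist=True) | difference(['NXDOMAIN']) +
      (ssh_cert_host_addition_ids | default([]))
      ) }}"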
- name: Register host pub for sshca
  # Authorise the host's own key on the CA host (as the CA user), but only for
  # a forced command: "restrict" disables forwarding, pty and similar options,
  # and the command pins this key to signing a host certificate for this
  # inventory_hostname with the principals computed in set_fact. |quote applies
  # shell quoting to both arguments.
  remote_user: root
  delegate_to: "{{ ssh_ca_host }}"
  authorized_key:
    user: "{{ ssh_ca_user }}"
    state: present
    key: "{{ host_pub_type }} {{ host_pub_hash }} {{ inventory_hostname }}"
    key_options: 'restrict,command="{{ ssh_ca_command }} host {{ inventory_hostname | quote }} {{ principals | quote }}"'
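- when: ssh_cert_users is defined
  # Per-user keys: pull each user's public key and authorise it on the CA host
  # the same way as the host key, restricted to a forced "user" signing
  # command. The whole block is skipped when ssh_cert_users is not set.
  block:
    - debug:
        var: ssh_cert_users
    - name: Pull users pub
      # Read the public key as the user itself. Each loop result lands in
      # users_pub.results with the base64 file content in .content and the
      # original loop entry in .item.
      become: true  # was "yes": normalised to a YAML 1.2 boolean
      become_user: "{{ item.user }}"
      #shell: >-
      #  cat {{ssh_cert_user_pub_path|quote}}
      slurp:
        src: "{{ ssh_cert_user_pub_path }}"
      with_items: "{{ ssh_cert_users }}"
      register: users_pub
    - name: Register user pub for sshca
      # Name disambiguated from the host-key task of the same module above.
      # The key comment is rewritten to user@host; the forced command may only
      # sign for this user@host and the user's principals (default: the user
      # name itself).
      remote_user: root
      delegate_to: "{{ ssh_ca_host }}"
      authorized_key:
        user: "{{ ssh_ca_user }}"
        state: present
        key: '{{ (item.content | b64decode).split(" ")[0] }} {{ (item.content | b64decode).split(" ")[1] }} {{ item.item.user }}@{{ inventory_hostname }}'
        key_options: 'restrict,command="{{ ssh_ca_command }} user {{ item.item.user | quote }}@{{ inventory_hostname | quote }} {{ item.item.principals | default([item.item.user]) | join(",") | quote }}"'
      with_items: "{{ users_pub.results }}"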
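- name: Push ca pub
  # Install the CA public key on the managed host; the same path is referenced
  # by the known_hosts task below. mode is quoted so that YAML 1.1 and 1.2
  # parsers agree on it (an unquoted 0644 is octal in 1.1, decimal in 1.2).
  copy:
    dest: "{{ ssh_cert_host_capub_path }}"
    content: "{{ ca_pub }}"
    mode: "0644"
    owner: root
    group: root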
- name: sshd_config - HostCertificate
  # Point sshd at the host certificate. An existing HostCertificate line is
  # replaced; otherwise the line goes in before the "# HostKeys for protocol"
  # comment (lineinfile appends at the end of the file when that anchor is
  # missing). The certificate file is presumably produced by the renew service
  # started further down -- confirm that ordering before the later reload.
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^\s*HostCertificate\s+'
    line: "HostCertificate {{ ssh_cert_host_cert_path }}"
    insertbefore: '^# HostKeys for protocol'
- name: known_hosts ca-cert
  # Trust host certificates signed by the CA for ssh_cert_known_domain in the
  # system-wide known_hosts; hash_host false keeps the pattern readable.
  # NOTE(review): lookup('file', ...) reads on the controller, whereas
  # ssh_cert_host_capub_path is the remote dest written by "Push ca pub" --
  # confirm the controller holds the same file, or use ca_pub (| trim) here.
  known_hosts:
    path: /etc/ssh/ssh_known_hosts
    name: "{{ ssh_cert_known_domain }}"
    key: "@cert-authority {{ ssh_cert_known_domain }} {{ lookup('file', ssh_cert_host_capub_path) }}"
    hash_host: false
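- name: install ssh-cert-renew
  # Install the renewal timer/service units: host units under
  # /etc/systemd/system, user units under /etc/systemd/user. Dict key is the
  # source file (resolved by copy relative to files/), value the destination.
  # mode is quoted to avoid the YAML 1.1/1.2 octal-vs-decimal ambiguity.
  # Keys are quoted because they contain "@".
  copy:
    src: "{{ item.key }}"
    dest: "{{ item.value }}"
    mode: "0644"
    owner: root
    group: root
  with_dict:
    "ssh-host-cert-renew@.timer": /etc/systemd/system/ssh-cert-renew@.timer
    "ssh-host-cert-renew@.service": /etc/systemd/system/ssh-cert-renew@.service
    "ssh-user-cert-renew@.timer": /etc/systemd/user/ssh-cert-renew@.timer
    "ssh-user-cert-renew@.service": /etc/systemd/user/ssh-cert-renew@.service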
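- name: install ssh-cert-renew script
  # The renewal script itself, installed executable (presumably what the units
  # above run). Task name disambiguated from the unit-install task, which used
  # the identical name. mode is quoted to avoid YAML 1.1/1.2 octal ambiguity.
  copy:
    src: "{{ item.key }}"
    dest: "{{ item.value }}"
    mode: "0755"
    owner: root
    group: root
  with_dict:
    ssh-cert-renew: /etc/systemd/ssh-cert-renew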
- name: config host ssh-cert-renew
  # Write KEY=VALUE settings (presumably read by the renew script) into its
  # defaults file, replacing an existing line for the same key. All three
  # values are mandatory. No mode/owner is set, so a freshly created file gets
  # the default permissions; add them here if the values must not be readable
  # by other local users.
  lineinfile:
    path: /etc/default/ssh-cert-renew
    create: true
    regexp: '^\s*{{ item.key }}='
    line: "{{ item.key }}={{ item.value }}"
  with_dict:
    ssh_cert_mail_to: "{{ ssh_cert_mail_to | mandatory }}"
    ssh_cert_mail_from: "{{ ssh_cert_mail_from | mandatory }}"
    ssh_cert_sign_host: "{{ ssh_cert_sign_user | mandatory }}@{{ ssh_cert_sign_host | mandatory }}"
- name: renew host ssh-cert
  # Reload unit files (the units were just copied in) and start the renewal
  # service instance for the ssh_host_ed25519_key host key.
  systemd:
    name: ssh-cert-renew@ssh_host_ed25519_key.service
    state: started
    daemon_reload: true
- name: enable services
  # Enable at boot and start the host renewal timer and the ssh service.
  systemd:
    name: "{{ item }}"
    state: started
    enabled: true
  with_items:
    - ssh-cert-renew@ssh_host_ed25519_key.timer
    - ssh.service
- when: ssh_cert_users is defined
  # Per-user renewal through each user's own systemd instance (id_ed25519 key).
  # NOTE(review): scope: user needs a running user manager for each user (an
  # active session or lingering enabled); nothing in this file sets that up --
  # confirm it holds on the target hosts.
  block:
    - name: renew users ssh-cert
      become: true
      become_user: "{{ item.user }}"
      systemd:
        scope: user
        name: ssh-cert-renew@id_ed25519.service
        state: started
      with_items: "{{ ssh_cert_users }}"
    - name: enable users renewal services
      become: true
      become_user: "{{ item.user }}"
      systemd:
        scope: user
        name: ssh-cert-renew@id_ed25519.timer
        state: started
        enabled: true
      with_items: "{{ ssh_cert_users }}"
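- name: "Register certificate-role in user's authorized_keys"
  # Accept CA-signed user certificates for each listed user, limited to the
  # principals in item.roles (default: the user name). The loop expression is
  # templated before the per-item `when` runs, so an undefined
  # ssh_cert_user_authorized_roles must be defaulted to [] here -- otherwise
  # the task fails on the undefined variable instead of being skipped. The
  # `when` is kept so the skip shows up explicitly in the play output.
  authorized_key:
    user: "{{ item.user }}"
    state: present
    key: "{{ ca_pub }}"
    key_options: 'cert-authority,principals="{{ item.roles | default([item.user]) | join(",") }}"'
  with_items: "{{ ssh_cert_user_authorized_roles | default([]) }}"
  when: ssh_cert_user_authorized_roles is defined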
- name: reload ssh
  # Make sshd re-read its configuration (HostCertificate) without restarting.
  service:
    name: ssh
    state: reloaded
- name: remove from local known_hosts
  # Remove known_hosts entries for every name/address in principals (the
  # comma-separated string built by set_fact).
  # NOTE(review): there is no delegate_to, so this edits the default known_hosts
  # of the connecting user on the managed host, not on the controller --
  # confirm that is what "local" is meant to be.
  known_hosts:
    host: "{{ item }}"
    state: absent
  with_items: '{{ principals.split(",") }}'