Install CA in authorized_keys for user. Renewal once a day, not fixed at 4 o'clock.
This commit is contained in:
parent
9cbe617309
commit
255a4ab9f5
1
.gitignore
vendored
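--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,4 @@ tags
 # ---> Ansible
 *.retry
 
+/meta/.galaxy_install_info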
|
@ -1,8 +1,10 @@
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=Renewal ssh host certificate %i
|
Description=Renewal ssh host certificate %i
|
||||||
|
After=network.target
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=timers.target
|
WantedBy=timers.target
|
||||||
|
|
||||||
[Timer]
|
[Timer]
|
||||||
OnCalendar=4:00
|
OnUnitActiveSec=24h
|
||||||
|
OnActiveSec=1m
|
||||||
|
|
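Review bot: `After=network.target` on the timer unit orders only the timer's own activation, and network.target does not mean the network is usable, so the first renewal run (`OnActiveSec=1m`) can still fire before the CA host is reachable on a slow boot; the usual pattern is `Wants=network-online.target` plus `After=network-online.target`, preferably on the service unit the timer starts, which is not part of this diff. A comment above the `[Timer]` keys would also help, e.g. `# relative schedule: first run 1m after the timer starts, then 24h after each service activation`, since `OnUnitActiveSec` behaves differently from the `OnCalendar` schedule it replaces: a missed window is not caught up by `Persistent=`, which applies only to calendar timers.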
|
@ -5,7 +5,18 @@
|
||||||
register: host_pub
|
register: host_pub
|
||||||
slurp:
|
slurp:
|
||||||
src: '{{ssh_cert_host_pub_path}}'
|
src: '{{ssh_cert_host_pub_path}}'
|
||||||
|
|
||||||
|
- name: Fetch CA pub
|
||||||
|
remote_user: root
|
||||||
|
delegate_to: '{{ssh_ca_host}}'
|
||||||
|
register: _ca_pub
|
||||||
|
become: yes
|
||||||
|
become_user: '{{ssh_ca_user}}'
|
||||||
|
slurp:
|
||||||
|
src: '{{ssh_ca_base_dir}}/ca.pub'
|
||||||
|
|
||||||
- set_fact:
|
- set_fact:
|
||||||
|
ca_pub: '{{_ca_pub.content | b64decode}}'
|
||||||
host_pub_type: '{{(host_pub.content | b64decode).split(" ")[0]}}'
|
host_pub_type: '{{(host_pub.content | b64decode).split(" ")[0]}}'
|
||||||
host_pub_hash: '{{(host_pub.content | b64decode).split(" ")[1]}}'
|
host_pub_hash: '{{(host_pub.content | b64decode).split(" ")[1]}}'
|
||||||
principals: "{{lookup( 'flattened',
|
principals: "{{lookup( 'flattened',
|
||||||
|
@ -47,11 +58,11 @@
|
||||||
|
|
||||||
- name: Push ca pub
|
- name: Push ca pub
|
||||||
copy:
|
copy:
|
||||||
src: '{{ssh_cert_host_capub_path}}'
|
dest: '{{ssh_cert_host_capub_path}}'
|
||||||
dest: '{{ssh_cert_host_capub_path}}'
|
content: '{{ca_pub}}'
|
||||||
mode: 0644
|
mode: 0644
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
- name: sshd_config - HostCertificate
|
- name: sshd_config - HostCertificate
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: /etc/ssh/sshd_config
|
||||||
|
@ -132,6 +143,15 @@
|
||||||
state: started
|
state: started
|
||||||
with_items: '{{ssh_cert_users}}'
|
with_items: '{{ssh_cert_users}}'
|
||||||
|
|
||||||
|
- name: "Register certificate-role in user's authorized_keys"
|
||||||
|
when: ssh_cert_user_authorized_roles is defined
|
||||||
|
with_items: '{{ssh_cert_user_authorized_roles}}'
|
||||||
|
authorized_key:
|
||||||
|
user: '{{item.user}}'
|
||||||
|
state: present
|
||||||
|
key: '{{ca_pub}}'
|
||||||
|
key_options: 'cert-authority,principals="{{item.roles|default([item.user])|join(",")}}"'
|
||||||
|
|
||||||
- name: reload ssh
|
- name: reload ssh
|
||||||
service:
|
service:
|
||||||
name: ssh
|
name: ssh
|
||||||
|
|
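Review bot: In the "Register certificate-role in user's authorized_keys" task the loop is templated before the `when` guard is evaluated, so when `ssh_cert_user_authorized_roles` is undefined the task errors on the undefined variable instead of being skipped; `with_items: '{{ssh_cert_user_authorized_roles | default([])}}'` makes the guard effective (the `when` then becomes redundant). Note also that `state: present` only adds the line carrying the current `ca_pub`: if the CA key changes, the previously installed `cert-authority` entry stays trusted until it is removed explicitly, which is worth a comment above the task such as `# a rotated ca.pub leaves the old cert-authority line in place; remove it with state: absent`. As a point of style, `become: yes` in the "Fetch CA pub" hunk should be `become: true`.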