deac/ansible-role-ssh-cert
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Anpassungen für https://git.denkn.at/deac/ssh-ca, falls ssh-ca-role nicht verwendet wird.

Browse source
This commit is contained in:
Denis Knauf 2022-02-28 17:56:59 +01:00
parent 255a4ab9f5
commit 333e24b61f
2 changed files with 8 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
defaults/main.yml
View file

@ -1,6 +1,9 @@
ssh_ca_user: sshca ssh_ca_user: sshca
ssh_ca_base_dir: ~/.ssh-ca ssh_ca_base_dir: ~/.ssh-ca
ssh_ca_pub: '{{ssh_ca_base_dir}}/ca.pub'
ssh_ca_command: ~/ssh-ca
ssh_cert_sign_host: '{{ssh_ca_host}}' ssh_cert_sign_host: '{{ssh_ca_host}}'
ssh_cert_sign_user: '{{ssh_ca_user}}'
ssh_cert_host_pub_path: /etc/ssh/ssh_host_ed25519_key.pub ssh_cert_host_pub_path: /etc/ssh/ssh_host_ed25519_key.pub
ssh_cert_host_cert_path: /etc/ssh/ssh_host_ed25519_key-cert.pub ssh_cert_host_cert_path: /etc/ssh/ssh_host_ed25519_key-cert.pub
ssh_cert_host_capub_path: /etc/ssh/ca.pub ssh_cert_host_capub_path: /etc/ssh/ca.pub

10
tasks/main.yml
View file

@ -13,7 +13,7 @@
become: yes become: yes
become_user: '{{ssh_ca_user}}' become_user: '{{ssh_ca_user}}'
slurp: slurp:
src: '{{ssh_ca_base_dir}}/ca.pub' src: '{{ssh_ca_pub}}'
- set_fact: - set_fact:
ca_pub: '{{_ca_pub.content | b64decode}}' ca_pub: '{{_ca_pub.content | b64decode}}'
@ -32,7 +32,7 @@
user: '{{ssh_ca_user}}' user: '{{ssh_ca_user}}'
state: present state: present
key: '{{host_pub_type}} {{host_pub_hash}} {{inventory_hostname}}' key: '{{host_pub_type}} {{host_pub_hash}} {{inventory_hostname}}'
key_options: 'restrict,command="~/ssh-ca host {{inventory_hostname|quote}} {{principals|quote}}"' key_options: 'restrict,command="{{ssh_ca_command}} host {{inventory_hostname|quote}} {{principals|quote}}"'
- when: ssh_cert_users is defined - when: ssh_cert_users is defined
block: block:
@ -53,7 +53,7 @@
user: '{{ssh_ca_user}}' user: '{{ssh_ca_user}}'
state: present state: present
key: '{{(item.content | b64decode).split(" ")[0]}} {{(item.content | b64decode).split(" ")[1]}} {{item.item.user}}@{{inventory_hostname}}' key: '{{(item.content | b64decode).split(" ")[0]}} {{(item.content | b64decode).split(" ")[1]}} {{item.item.user}}@{{inventory_hostname}}'
key_options: 'restrict,command="~/ssh-ca user {{item.item.user|quote}}@{{inventory_hostname|quote}} {{item.item.principals|default([item.item.user])|join(",")|quote}}"' key_options: 'restrict,command="{{ssh_ca_command}} user {{item.item.user|quote}}@{{inventory_hostname|quote}} {{item.item.principals|default([item.item.user])|join(",")|quote}}"'
with_items: '{{users_pub.results}}' with_items: '{{users_pub.results}}'
- name: Push ca pub - name: Push ca pub
@ -74,7 +74,7 @@
hash_host: false hash_host: false
path: /etc/ssh/ssh_known_hosts path: /etc/ssh/ssh_known_hosts
name: '{{ssh_cert_known_domain}}' name: '{{ssh_cert_known_domain}}'
key: "@cert-authority * {{lookup('file', ssh_cert_host_capub_path)}}" key: "@cert-authority *.{{ssh_cert_known_domain}} {{lookup('file', ssh_cert_host_capub_path)}}"
- name: install ssh-cert-renew - name: install ssh-cert-renew
copy: copy:
@ -107,7 +107,7 @@
with_dict: with_dict:
ssh_cert_mail_to: '{{ssh_cert_mail_to |mandatory}}' ssh_cert_mail_to: '{{ssh_cert_mail_to |mandatory}}'
ssh_cert_mail_from: '{{ssh_cert_mail_from|mandatory}}' ssh_cert_mail_from: '{{ssh_cert_mail_from|mandatory}}'
ssh_cert_sign_host: '{{ssh_cert_sign_host|mandatory}}' ssh_cert_sign_host: '{{ssh_cert_sign_user|mandatory}}|{{ssh_cert_sign_host|mandatory}}'
- name: renew host ssh-cert - name: renew host ssh-cert
systemd: systemd: