user-certs renewal support added. vers -> defaults

This commit is contained in:
Denis Knauf 2020-09-20 22:45:47 +02:00
parent 202f8b40da
commit 9cbe617309
10 changed files with 94 additions and 39 deletions


@ -32,6 +32,10 @@ Path to CA base on ssh-ca-host.
This is not host-specific, so you should change it for all hosts or neither. This is not host-specific, so you should change it for all hosts or neither.
Must match with `ssh_ca`-role. Must match with `ssh_ca`-role.
Default: `~/.ssh-ca` Default: `~/.ssh-ca`
**Do not change!**
ssh_cert_known_domain::
Adds domain to trust by this CA.
ssh_cert_mail_to:: ssh_cert_mail_to::
If you want to be informed on renewal or errors, provide a mailto-address. If you want to be informed on renewal or errors, provide a mailto-address.
@ -79,16 +83,7 @@ Dependencies
Example Playbook Example Playbook
---------------- ----------------
Optional, use ssh-ca-role before: Optional, use ssh-ca-role before.
----
- name: SSH-CA
hosts: ssh_ca_server
roles:
- role: ssh-ca
----
This you need only on one machine.
Then use the regular role: Then use the regular role:


@ -1,2 +1,9 @@
--- ssh_ca_user: sshca
# defaults file for ssh-ca ssh_ca_base_dir: ~/.ssh-ca
ssh_cert_sign_host: '{{ssh_ca_host}}'
ssh_cert_host_pub_path: /etc/ssh/ssh_host_ed25519_key.pub
ssh_cert_host_cert_path: /etc/ssh/ssh_host_ed25519_key-cert.pub
ssh_cert_host_capub_path: /etc/ssh/ca.pub
ssh_cert_user_pub_path: ~/.ssh/id_ed25519.pub
ssh_cert_user_cert_path: ~/.ssh/id_ed25519-cert.pub
#ssh_cert_host_addition_ids: []
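Review bot: The new defaults file begins directly with `ssh_ca_user: sshca` and drops the `---` document start that the old file had and that vars/main.yml still keeps; add `---` as the first line so both role files follow the same convention. Now that `ssh_ca_base_dir` is an overridable default while the README marks it "Do not change!" and requires it to match the `ssh_ca` role, a comment above it, `# must match ssh_ca_base_dir of the ssh_ca role; override on all hosts or on none`, keeps that constraint visible at the place where someone would actually override it. The commented-out entry would also read better as `# ssh_cert_host_addition_ids: []` with a space after the hash.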


@ -1,8 +0,0 @@
[Unit]
Description=Renewal ssh host certificate %i
[Service]
EnvironmentFile=/etc/default/ssh-cert-renew
Type=oneshot
ExecStart=/usr/local/bin/timer-mail -t ${ssh_ca_mail_to} -f ${ssh_ca_mail_from} -s "ssh certificate renewal %i" -ve \
/etc/systemd/ssh-cert-renew ${ssh_ca_sign_host} /etc/ssh/%i


@ -0,0 +1,8 @@
[Unit]
Description=Renewal ssh host certificate %i
[Service]
EnvironmentFile=/etc/default/ssh-cert-renew
Type=oneshot
ExecStart=/usr/local/bin/timer-mail -t ${ssh_cert_mail_to} -f ${ssh_cert_mail_from} -s "ssh certificate renewal %i" -ve \
/etc/systemd/ssh-cert-renew ${ssh_cert_sign_host} /etc/ssh/%i


@ -0,0 +1,10 @@
[Unit]
Description=Renewal ssh user certificate %i
[Service]
EnvironmentFile=/etc/default/ssh-cert-renew
EnvironmentFile=-%h/.config/ssh/cert-renew
Type=oneshot
ExecStart=+mkdir -p %h/.config/ssh
ExecStart=/usr/local/bin/timer-mail -t ${ssh_cert_mail_to} -f ${ssh_cert_mail_from} -s "ssh certificate renewal %i" -ve \
/etc/systemd/ssh-cert-renew ${ssh_cert_sign_host} %h/.ssh/%i
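Review bot: `ExecStart=+mkdir -p %h/.config/ssh` runs only after `EnvironmentFile=-%h/.config/ssh/cert-renew` has already been read, and nothing else in this unit writes to that directory, so the mkdir cannot affect the current run; the `+` privilege prefix also has no effect in a user manager, and a non-absolute `mkdir` relies on systemd resolving ExecStart commands via its search path (v239 and later, if I recall correctly). If the intent is only that the directory for the optional per-user env file exists, drop the line or move it to the playbook's user-setup tasks; otherwise use `/bin/mkdir` and state the intent above it with `# prepares the directory for the optional env file, which is only picked up on the next run`. Since the unit is installed under /etc/systemd/user and renews `%h/.ssh/%i`, a short header comment noting that it is a user-scope template started by the matching timer would help the next reader place it.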


@ -0,0 +1,8 @@
[Unit]
Description=Renewal ssh user certificate %i
[Install]
WantedBy=timers.target
[Timer]
OnCalendar=4:00
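Review bot: A user-scope timer only fires while that user's systemd instance is running, so with `OnCalendar=4:00` and no lingering the renewal is skipped whenever the user has no active session at 04:00, and without `Persistent=true` a missed run is not caught up at the next start. Add `Persistent=true` under `[Timer]`, and in tasks/main.yml enable lingering for each entry of `ssh_cert_users` (for example `loginctl enable-linger {{ item.user }}`) before the "renew users ssh-cert" and "enable users renewal services" tasks, which use `scope: user` and likewise need the user manager running to reach its bus. Record the dependency in the unit with `# requires loginctl enable-linger <user> so the user manager runs unattended`.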


@ -1,6 +1,6 @@
galaxy_info: galaxy_info:
author: Denis Knauf author: Denis Knauf
description: your role description description: Provides ssh-certificates for servers as renewal service
# issue_tracker_url: http://example.com/issue/tracker # issue_tracker_url: http://example.com/issue/tracker
license: AGPL-3.0-or-later license: AGPL-3.0-or-later


@ -5,8 +5,6 @@
register: host_pub register: host_pub
slurp: slurp:
src: '{{ssh_cert_host_pub_path}}' src: '{{ssh_cert_host_pub_path}}'
#dest: '{{ssh_cert_base_dir}}/host-{{inventory_hostname}}.pub'
#flat: true
- set_fact: - set_fact:
host_pub_type: '{{(host_pub.content | b64decode).split(" ")[0]}}' host_pub_type: '{{(host_pub.content | b64decode).split(" ")[0]}}'
host_pub_hash: '{{(host_pub.content | b64decode).split(" ")[1]}}' host_pub_hash: '{{(host_pub.content | b64decode).split(" ")[1]}}'
@ -23,7 +21,29 @@
user: '{{ssh_ca_user}}' user: '{{ssh_ca_user}}'
state: present state: present
key: '{{host_pub_type}} {{host_pub_hash}} {{inventory_hostname}}' key: '{{host_pub_type}} {{host_pub_hash}} {{inventory_hostname}}'
key_options: 'restrict,command="/var/lib/sshca/ssh-ca host {{inventory_hostname|quote}} {{principals|quote}}"' key_options: 'restrict,command="~/ssh-ca host {{inventory_hostname|quote}} {{principals|quote}}"'
- when: ssh_cert_users is defined
block:
- debug: var=ssh_cert_users
- name: Pull users pub
register: users_pub
become: yes
become_user: '{{item.user}}'
#shell: >-
# cat {{ssh_cert_user_pub_path|quote}}
slurp:
src: '{{ssh_cert_user_pub_path}}'
with_items: '{{ssh_cert_users}}'
- name: Register host pub for sshca
remote_user: root
delegate_to: '{{ssh_ca_host}}'
authorized_key:
user: '{{ssh_ca_user}}'
state: present
key: '{{(item.content | b64decode).split(" ")[0]}} {{(item.content | b64decode).split(" ")[1]}} {{item.item.user}}@{{inventory_hostname}}'
key_options: 'restrict,command="~/ssh-ca user {{item.item.user|quote}}@{{inventory_hostname|quote}} {{item.item.principals|default([item.item.user])|join(",")|quote}}"'
with_items: '{{users_pub.results}}'
- name: Push ca pub - name: Push ca pub
copy: copy:
@ -42,7 +62,7 @@
known_hosts: known_hosts:
hash_host: false hash_host: false
path: /etc/ssh/ssh_known_hosts path: /etc/ssh/ssh_known_hosts
name: denkn.at name: '{{ssh_cert_known_domain}}'
key: "@cert-authority * {{lookup('file', ssh_cert_host_capub_path)}}" key: "@cert-authority * {{lookup('file', ssh_cert_host_capub_path)}}"
- name: install ssh-cert-renew - name: install ssh-cert-renew
@ -53,8 +73,10 @@
owner: root owner: root
group: root group: root
with_dict: with_dict:
ssh-cert-renew@.timer: /etc/systemd/system/ssh-cert-renew@.timer ssh-host-cert-renew@.timer: /etc/systemd/system/ssh-cert-renew@.timer
ssh-cert-renew@.service: /etc/systemd/system/ssh-cert-renew@.service ssh-host-cert-renew@.service: /etc/systemd/system/ssh-cert-renew@.service
ssh-user-cert-renew@.timer: /etc/systemd/user/ssh-cert-renew@.timer
ssh-user-cert-renew@.service: /etc/systemd/user/ssh-cert-renew@.service
- name: install ssh-cert-renew - name: install ssh-cert-renew
copy: copy:
dest: '{{item.value}}' dest: '{{item.value}}'
@ -65,7 +87,7 @@
with_dict: with_dict:
ssh-cert-renew: /etc/systemd/ssh-cert-renew ssh-cert-renew: /etc/systemd/ssh-cert-renew
- name: config ssh-cert-renew - name: config host ssh-cert-renew
lineinfile: lineinfile:
create: true create: true
path: '/etc/default/ssh-cert-renew' path: '/etc/default/ssh-cert-renew'
@ -76,7 +98,7 @@
ssh_cert_mail_from: '{{ssh_cert_mail_from|mandatory}}' ssh_cert_mail_from: '{{ssh_cert_mail_from|mandatory}}'
ssh_cert_sign_host: '{{ssh_cert_sign_host|mandatory}}' ssh_cert_sign_host: '{{ssh_cert_sign_host|mandatory}}'
- name: renew ssh-cert - name: renew host ssh-cert
systemd: systemd:
daemon_reload: true daemon_reload: true
name: "ssh-cert-renew@ssh_host_ed25519_key.service" name: "ssh-cert-renew@ssh_host_ed25519_key.service"
@ -90,6 +112,26 @@
- "ssh-cert-renew@ssh_host_ed25519_key.timer" - "ssh-cert-renew@ssh_host_ed25519_key.timer"
- ssh.service - ssh.service
- when: ssh_cert_users is defined
block:
- name: renew users ssh-cert
become_user: '{{item.user}}'
become: true
systemd:
scope: user
name: "ssh-cert-renew@id_ed25519.service"
state: started
with_items: '{{ssh_cert_users}}'
- name: enable users renewal services
become_user: '{{item.user}}'
become: true
systemd:
scope: user
name: "ssh-cert-renew@id_ed25519.timer"
enabled: true
state: started
with_items: '{{ssh_cert_users}}'
- name: reload ssh - name: reload ssh
service: service:
name: ssh name: ssh
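Review bot: In the new `ssh_cert_users` block the second `authorized_key` task is named "Register host pub for sshca" although it registers each user's key on the CA host; rename it `- name: Register user pub for sshca`. The `- debug: var=ssh_cert_users` task reads like leftover debugging and prints the whole user list on every run, and `become: yes` in "Pull users pub" should be `become: true` to match the `become: true` used in the later "renew users ssh-cert" tasks. The values interpolated into `key_options` go through `quote`, which is shell quoting; if I read sshd's authorized_keys parser correctly, an embedded `"` inside `command="..."` must be escaped as `\"`, so a username, hostname or principal containing a double quote would cut the forced command short — presumably inventory values never do, but a comment stating that assumption, or a filter that rejects `"`, would make it explicit.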


@ -1,9 +1,2 @@
ssh_ca_user: sshca ---
ssh_ca_base_dir: ~/.ssh-ca # vim: set et sw=2 ts=2 sts=2:
ssh_cert_sign_host: '{{ssh_ca_host}}'
ssh_cert_host_pub_path: /etc/ssh/ssh_host_ed25519_key.pub
ssh_cert_host_cert_path: /etc/ssh/ssh_host_ed25519_key-cert.pub
ssh_cert_host_capub_path: /etc/ssh/ca.pub
ssh_cert_user_pub_path: ~/.ssh/id_ed25519.pub
ssh_cert_user_cert_path: ~/.ssh/id_ed25519-cert.pub
#ssh_cert_host_addition_ids: []