user-certs renewal support added. vers -> defaults
This commit is contained in:
parent
202f8b40da
commit
9cbe617309
15
README.adoc
15
README.adoc
|
@ -32,6 +32,10 @@ Path to CA base on ssh-ca-host.
|
||||||
This is not host-specific, so you should change it for all hosts or neither.
|
This is not host-specific, so you should change it for all hosts or neither.
|
||||||
Must match with `ssh_ca`-role.
|
Must match with `ssh_ca`-role.
|
||||||
Default: `~/.ssh-ca`
|
Default: `~/.ssh-ca`
|
||||||
|
**Do not change!**
|
||||||
|
|
||||||
|
ssh_cert_known_domain::
|
||||||
|
Adds domain to trust by this CA.
|
||||||
|
|
||||||
ssh_cert_mail_to::
|
ssh_cert_mail_to::
|
||||||
If you want to be informed on renewal or errors, provide a mailto-address.
|
If you want to be informed on renewal or errors, provide a mailto-address.
|
||||||
|
@ -79,16 +83,7 @@ Dependencies
|
||||||
Example Playbook
|
Example Playbook
|
||||||
----------------
|
----------------
|
||||||
|
|
||||||
Optional, use ssh-ca-role before:
|
Optional, use ssh-ca-role before.
|
||||||
|
|
||||||
----
|
|
||||||
- name: SSH-CA
|
|
||||||
hosts: ssh_ca_server
|
|
||||||
roles:
|
|
||||||
- role: ssh-ca
|
|
||||||
----
|
|
||||||
|
|
||||||
This you need only on one machine.
|
|
||||||
|
|
||||||
Then use the regular role:
|
Then use the regular role:
|
||||||
|
|
||||||
|
|
|
@ -1,2 +1,9 @@
|
||||||
---
|
ssh_ca_user: sshca
|
||||||
# defaults file for ssh-ca
|
ssh_ca_base_dir: ~/.ssh-ca
|
||||||
|
ssh_cert_sign_host: '{{ssh_ca_host}}'
|
||||||
|
ssh_cert_host_pub_path: /etc/ssh/ssh_host_ed25519_key.pub
|
||||||
|
ssh_cert_host_cert_path: /etc/ssh/ssh_host_ed25519_key-cert.pub
|
||||||
|
ssh_cert_host_capub_path: /etc/ssh/ca.pub
|
||||||
|
ssh_cert_user_pub_path: ~/.ssh/id_ed25519.pub
|
||||||
|
ssh_cert_user_cert_path: ~/.ssh/id_ed25519-cert.pub
|
||||||
|
#ssh_cert_host_addition_ids: []
|
||||||
|
|
|
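Review bot: The new defaults file drops the `---` document start and the `# defaults file for ssh-ca` header comment that the old side had; keep `---` as the first line so the file stays consistent with the `---` kept in the vars file. The variables the tasks and README now require from the inventory — `ssh_cert_mail_to`, `ssh_cert_mail_from` and `ssh_cert_known_domain` — have no entry here, so this file no longer shows the role's full interface; listing them as commented placeholders, e.g. `# ssh_cert_known_domain: example.org  # required, see README`, would document that. Moving these from vars to defaults also makes `ssh_ca_base_dir` overridable from the inventory, which the README marks `**Do not change!**`; a comment above it such as `# must match the ssh_ca role; see README` would carry that warning into the file people actually edit.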
@ -1,8 +0,0 @@
|
||||||
[Unit]
|
|
||||||
Description=Renewal ssh host certificate %i
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
EnvironmentFile=/etc/default/ssh-cert-renew
|
|
||||||
Type=oneshot
|
|
||||||
ExecStart=/usr/local/bin/timer-mail -t ${ssh_ca_mail_to} -f ${ssh_ca_mail_from} -s "ssh certificate renewal %i" -ve \
|
|
||||||
/etc/systemd/ssh-cert-renew ${ssh_ca_sign_host} /etc/ssh/%i
|
|
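--- a/files/ssh-host-cert-renew@.service
+++ b/files/ssh-host-cert-renew@.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Renewal ssh host certificate %i
+
+[Service]
+EnvironmentFile=/etc/default/ssh-cert-renew
+Type=oneshot
+ExecStart=/usr/local/bin/timer-mail -t ${ssh_cert_mail_to} -f ${ssh_cert_mail_from} -s "ssh certificate renewal %i" -ve \
+/etc/systemd/ssh-cert-renew ${ssh_cert_sign_host} /etc/ssh/%i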
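--- a/files/ssh-user-cert-renew@.service
+++ b/files/ssh-user-cert-renew@.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Renewal ssh user certificate %i
+
+[Service]
+EnvironmentFile=/etc/default/ssh-cert-renew
+EnvironmentFile=-%h/.config/ssh/cert-renew
+Type=oneshot
+ExecStart=+mkdir -p %h/.config/ssh
+ExecStart=/usr/local/bin/timer-mail -t ${ssh_cert_mail_to} -f ${ssh_cert_mail_from} -s "ssh certificate renewal %i" -ve \
+/etc/systemd/ssh-cert-renew ${ssh_cert_sign_host} %h/.ssh/%i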
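Review bot: `ExecStart=+mkdir -p %h/.config/ssh` uses the `+` prefix, which asks systemd to run the command with the manager's full privileges; in a unit installed under `/etc/systemd/user/` the manager has no privileges beyond the user's own, so the prefix does nothing and only suggests an escalation that is not there — `ExecStart=mkdir -p %h/.config/ssh` (or `/bin/mkdir`, since older systemd releases require an absolute executable path rather than a search-path lookup) is what is meant. The directory exists only to hold `%h/.config/ssh/cert-renew`, which the `EnvironmentFile=-` line above is read before any ExecStart runs, so the mkdir never affects the current run; a comment such as `# prepares the dir for the optional per-user override file read by EnvironmentFile= above` would make that intent explicit. Because the per-user file is read last, a user can override `ssh_cert_sign_host` and the mail addresses for their own renewals, which is acceptable inside the user's own manager but worth stating in the README.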
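--- a/files/ssh-user-cert-renew@.timer
+++ b/files/ssh-user-cert-renew@.timer
@@ -0,0 +1,8 @@
+[Unit]
+Description=Renewal ssh user certificate %i
+
+[Install]
+WantedBy=timers.target
+
+[Timer]
+OnCalendar=4:00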
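Review bot: The `[Timer]` section has only `OnCalendar=4:00` and no `Persistent=true`; as a unit under `/etc/systemd/user/` it runs inside the user's manager, which exists only while that user has a session or lingering is enabled, so the 04:00 slot is silently skipped whenever the user is logged out and the certificate keeps ageing. Adding `Persistent=true` makes the manager trigger the missed renewal as soon as it next starts. The section order `[Unit]`, `[Install]`, `[Timer]` is legal, but the conventional layout puts `[Install]` last, matching how systemd's own documentation lists it.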
@ -1,6 +1,6 @@
|
||||||
galaxy_info:
|
galaxy_info:
|
||||||
author: Denis Knauf
|
author: Denis Knauf
|
||||||
description: your role description
|
description: Provides ssh-certificates for servers as renewal service
|
||||||
|
|
||||||
# issue_tracker_url: http://example.com/issue/tracker
|
# issue_tracker_url: http://example.com/issue/tracker
|
||||||
license: AGPL-3.0-or-later
|
license: AGPL-3.0-or-later
|
||||||
|
|
|
@ -5,8 +5,6 @@
|
||||||
register: host_pub
|
register: host_pub
|
||||||
slurp:
|
slurp:
|
||||||
src: '{{ssh_cert_host_pub_path}}'
|
src: '{{ssh_cert_host_pub_path}}'
|
||||||
#dest: '{{ssh_cert_base_dir}}/host-{{inventory_hostname}}.pub'
|
|
||||||
#flat: true
|
|
||||||
- set_fact:
|
- set_fact:
|
||||||
host_pub_type: '{{(host_pub.content | b64decode).split(" ")[0]}}'
|
host_pub_type: '{{(host_pub.content | b64decode).split(" ")[0]}}'
|
||||||
host_pub_hash: '{{(host_pub.content | b64decode).split(" ")[1]}}'
|
host_pub_hash: '{{(host_pub.content | b64decode).split(" ")[1]}}'
|
||||||
|
@ -23,10 +21,32 @@
|
||||||
user: '{{ssh_ca_user}}'
|
user: '{{ssh_ca_user}}'
|
||||||
state: present
|
state: present
|
||||||
key: '{{host_pub_type}} {{host_pub_hash}} {{inventory_hostname}}'
|
key: '{{host_pub_type}} {{host_pub_hash}} {{inventory_hostname}}'
|
||||||
key_options: 'restrict,command="/var/lib/sshca/ssh-ca host {{inventory_hostname|quote}} {{principals|quote}}"'
|
key_options: 'restrict,command="~/ssh-ca host {{inventory_hostname|quote}} {{principals|quote}}"'
|
||||||
|
|
||||||
|
- when: ssh_cert_users is defined
|
||||||
|
block:
|
||||||
|
- debug: var=ssh_cert_users
|
||||||
|
- name: Pull users pub
|
||||||
|
register: users_pub
|
||||||
|
become: yes
|
||||||
|
become_user: '{{item.user}}'
|
||||||
|
#shell: >-
|
||||||
|
# cat {{ssh_cert_user_pub_path|quote}}
|
||||||
|
slurp:
|
||||||
|
src: '{{ssh_cert_user_pub_path}}'
|
||||||
|
with_items: '{{ssh_cert_users}}'
|
||||||
|
- name: Register host pub for sshca
|
||||||
|
remote_user: root
|
||||||
|
delegate_to: '{{ssh_ca_host}}'
|
||||||
|
authorized_key:
|
||||||
|
user: '{{ssh_ca_user}}'
|
||||||
|
state: present
|
||||||
|
key: '{{(item.content | b64decode).split(" ")[0]}} {{(item.content | b64decode).split(" ")[1]}} {{item.item.user}}@{{inventory_hostname}}'
|
||||||
|
key_options: 'restrict,command="~/ssh-ca user {{item.item.user|quote}}@{{inventory_hostname|quote}} {{item.item.principals|default([item.item.user])|join(",")|quote}}"'
|
||||||
|
with_items: '{{users_pub.results}}'
|
||||||
|
|
||||||
- name: Push ca pub
|
- name: Push ca pub
|
||||||
copy:
|
copy:
|
||||||
src: '{{ssh_cert_host_capub_path}}'
|
src: '{{ssh_cert_host_capub_path}}'
|
||||||
dest: '{{ssh_cert_host_capub_path}}'
|
dest: '{{ssh_cert_host_capub_path}}'
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
@ -42,7 +62,7 @@
|
||||||
known_hosts:
|
known_hosts:
|
||||||
hash_host: false
|
hash_host: false
|
||||||
path: /etc/ssh/ssh_known_hosts
|
path: /etc/ssh/ssh_known_hosts
|
||||||
name: denkn.at
|
name: '{{ssh_cert_known_domain}}'
|
||||||
key: "@cert-authority * {{lookup('file', ssh_cert_host_capub_path)}}"
|
key: "@cert-authority * {{lookup('file', ssh_cert_host_capub_path)}}"
|
||||||
|
|
||||||
- name: install ssh-cert-renew
|
- name: install ssh-cert-renew
|
||||||
|
@ -53,8 +73,10 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
with_dict:
|
with_dict:
|
||||||
ssh-cert-renew@.timer: /etc/systemd/system/ssh-cert-renew@.timer
|
ssh-host-cert-renew@.timer: /etc/systemd/system/ssh-cert-renew@.timer
|
||||||
ssh-cert-renew@.service: /etc/systemd/system/ssh-cert-renew@.service
|
ssh-host-cert-renew@.service: /etc/systemd/system/ssh-cert-renew@.service
|
||||||
|
ssh-user-cert-renew@.timer: /etc/systemd/user/ssh-cert-renew@.timer
|
||||||
|
ssh-user-cert-renew@.service: /etc/systemd/user/ssh-cert-renew@.service
|
||||||
- name: install ssh-cert-renew
|
- name: install ssh-cert-renew
|
||||||
copy:
|
copy:
|
||||||
dest: '{{item.value}}'
|
dest: '{{item.value}}'
|
||||||
|
@ -65,7 +87,7 @@
|
||||||
with_dict:
|
with_dict:
|
||||||
ssh-cert-renew: /etc/systemd/ssh-cert-renew
|
ssh-cert-renew: /etc/systemd/ssh-cert-renew
|
||||||
|
|
||||||
- name: config ssh-cert-renew
|
- name: config host ssh-cert-renew
|
||||||
lineinfile:
|
lineinfile:
|
||||||
create: true
|
create: true
|
||||||
path: '/etc/default/ssh-cert-renew'
|
path: '/etc/default/ssh-cert-renew'
|
||||||
|
@ -76,7 +98,7 @@
|
||||||
ssh_cert_mail_from: '{{ssh_cert_mail_from|mandatory}}'
|
ssh_cert_mail_from: '{{ssh_cert_mail_from|mandatory}}'
|
||||||
ssh_cert_sign_host: '{{ssh_cert_sign_host|mandatory}}'
|
ssh_cert_sign_host: '{{ssh_cert_sign_host|mandatory}}'
|
||||||
|
|
||||||
- name: renew ssh-cert
|
- name: renew host ssh-cert
|
||||||
systemd:
|
systemd:
|
||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
name: "ssh-cert-renew@ssh_host_ed25519_key.service"
|
name: "ssh-cert-renew@ssh_host_ed25519_key.service"
|
||||||
|
@ -90,6 +112,26 @@
|
||||||
- "ssh-cert-renew@ssh_host_ed25519_key.timer"
|
- "ssh-cert-renew@ssh_host_ed25519_key.timer"
|
||||||
- ssh.service
|
- ssh.service
|
||||||
|
|
||||||
|
- when: ssh_cert_users is defined
|
||||||
|
block:
|
||||||
|
- name: renew users ssh-cert
|
||||||
|
become_user: '{{item.user}}'
|
||||||
|
become: true
|
||||||
|
systemd:
|
||||||
|
scope: user
|
||||||
|
name: "ssh-cert-renew@id_ed25519.service"
|
||||||
|
state: started
|
||||||
|
with_items: '{{ssh_cert_users}}'
|
||||||
|
- name: enable users renewal services
|
||||||
|
become_user: '{{item.user}}'
|
||||||
|
become: true
|
||||||
|
systemd:
|
||||||
|
scope: user
|
||||||
|
name: "ssh-cert-renew@id_ed25519.timer"
|
||||||
|
enabled: true
|
||||||
|
state: started
|
||||||
|
with_items: '{{ssh_cert_users}}'
|
||||||
|
|
||||||
- name: reload ssh
|
- name: reload ssh
|
||||||
service:
|
service:
|
||||||
name: ssh
|
name: ssh
|
||||||
|
|
|
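Review bot: The two user-scope `systemd` tasks omit `daemon_reload: true`, which the `renew host ssh-cert` task passes, so a user manager that is already running does not know about the units just copied into `/etc/systemd/user/` and `state: started` fails with an unknown-unit error on first deployment; add `daemon_reload: true` to `renew users ssh-cert`. `scope: user` additionally needs a running manager for `item.user`, which exists only while that user has a session or lingering is enabled (`loginctl enable-linger`), and without lingering the 04:00 timer never fires for logged-out users, so the role should enable lingering per `ssh_cert_users` entry or document it as a prerequisite. `name: "ssh-cert-renew@id_ed25519.service"` hard-codes the key name that `ssh_cert_user_pub_path` merely defaults to; deriving the instance from that variable (e.g. with the `basename` filter) keeps the two in step when it is overridden. Separately, the `known_hosts` hunk above now takes `name` from `ssh_cert_known_domain` while the key line keeps the `*` host pattern, so the CA stays trusted for every host rather than for the named domain as the README's new text implies; `key: "@cert-authority *.{{ssh_cert_known_domain}},{{ssh_cert_known_domain}} {{lookup('file', ssh_cert_host_capub_path)}}"` scopes the trust to that domain. The `reload ssh` task at the end of this hunk continues outside it.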
@ -1,9 +1,2 @@
|
||||||
ssh_ca_user: sshca
|
---
|
||||||
ssh_ca_base_dir: ~/.ssh-ca
|
# vim: set et sw=2 ts=2 sts=2:
|
||||||
ssh_cert_sign_host: '{{ssh_ca_host}}'
|
|
||||||
ssh_cert_host_pub_path: /etc/ssh/ssh_host_ed25519_key.pub
|
|
||||||
ssh_cert_host_cert_path: /etc/ssh/ssh_host_ed25519_key-cert.pub
|
|
||||||
ssh_cert_host_capub_path: /etc/ssh/ca.pub
|
|
||||||
ssh_cert_user_pub_path: ~/.ssh/id_ed25519.pub
|
|
||||||
ssh_cert_user_cert_path: ~/.ssh/id_ed25519-cert.pub
|
|
||||||
#ssh_cert_host_addition_ids: []
|
|
||||||
|
|