ssh_cert
========

Implements SSH certificate renewal on hosts. The renewal process connects to the ssh-ca host and fetches a new certificate if needed. This renewal can be used for host certificates and user certificates. Prepares `sshd_config` to use the CA and the host certificate.

Requirements
------------

systemd is required, so it would not work on Alpine or OpenWrt yet.

Role Variables
--------------

ssh_ca_host::
  Host machine for the CA. This is not host-specific, so you should change it for all hosts or for none. Must match the `ssh_ca` role.

ssh_ca_user::
  User on the CA host machine. This is not host-specific, so you should change it for all hosts or for none. Must match the `ssh_ca` role.
  Default: `sshca`

ssh_ca_base_dir::
  Path to the CA base directory on the ssh-ca host. This is not host-specific, so you should change it for all hosts or for none. Must match the `ssh_ca` role.
  Default: `~/.ssh-ca`

ssh_cert_mail_to::
  If you want to be informed about renewals or errors, provide a recipient address. Currently mandatory.

ssh_cert_mail_from::
  If you want to be informed about renewals or errors, provide a sender address. Currently mandatory.

ssh_cert_sign_host::
  Default: `{{ssh_ca_user}}@{{ssh_ca_host}}`

ssh_cert_host_pub_path::
  Path to the host public key on the host machine. Used like a CSR.
  Default: `/etc/ssh/ssh_host_ed25519_key.pub`

ssh_cert_host_cert_path::
  Where to place the host certificate on the host machine.
  Default: `/etc/ssh/ssh_host_ed25519_key-cert.pub`

ssh_cert_host_capub_path::
  Where to place the CA public key on the host machine.
  Default: `/etc/ssh/ca.pub`

ssh_cert_user_pub_path::
  Path to the user public key on the host machine. Used like a CSR.
  Default: `~/.ssh/id_ed25519.pub`

ssh_cert_user_cert_path::
  Where to place the user certificate on the host machine.
  Default: `~/.ssh/id_ed25519-cert.pub`

ssh_cert_host_addition_ids::
  Additional IDs (as a list) placed in the certificate. For host keys, additional hostnames like `git.example.net`.
  Default is empty.
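To illustrate the "fetch a new certificate if needed" decision and the principal list built from `ssh_cert_host_addition_ids`, here is an added shell example; it is not the role's own code. It assumes GNU `date` for the renewal window, a constructed `ssh-keygen -L` output with placeholder fingerprints, and an assumed form of the signing command on the CA.

```sh
#!/bin/sh
# Added example, not part of the role: decide on the host whether the
# certificate needs renewal, using the "Valid:" line that
# `ssh-keygen -L -f /etc/ssh/ssh_host_ed25519_key-cert.pub` prints.

# Print the "to" timestamp of the Valid: line; print nothing if absent.
cert_expiry() {
    printf '%s\n' "$1" | sed -n 's/^ *Valid: from [^ ]* to \([0-9T:-]*\).*/\1/p'
}

# Exit 0 (renew) when there is no certificate, or it expires on or before
# the threshold ($2); exit 1 (keep) when it is valid forever or beyond the
# threshold. ISO-8601 timestamps compare correctly as plain strings.
needs_renewal() {
    info=$1; threshold=$2
    case $info in *"Valid: forever"*) return 1 ;; esac
    expiry=$(cert_expiry "$info")
    [ -n "$expiry" ] || return 0
    if expr "$expiry" \> "$threshold" >/dev/null; then return 1; fi
    return 0
}

# Join the host's own name with ssh_cert_host_addition_ids into the
# comma-separated principal list that `ssh-keygen -n` expects.
principals() {
    out=$1; shift
    for id in "$@"; do out="$out,$id"; done
    printf '%s\n' "$out"
}

# Constructed sample of `ssh-keygen -L` output (fingerprints are placeholders).
SAMPLE_CERT_INFO='/etc/ssh/ssh_host_ed25519_key-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com host certificate
        Public key: ED25519-CERT SHA256:PLACEHOLDER
        Signing CA: ED25519 SHA256:PLACEHOLDER (using ssh-ed25519)
        Key ID: "host.example.net"
        Valid: from 2024-01-01T00:00:00 to 2024-03-01T00:00:00
        Principals:
                host.example.net
                git.example.net'

# Usage on a host with a 30-day renewal window (GNU date assumed):
if needs_renewal "$SAMPLE_CERT_INFO" "$(date -u -d '+30 days' +%Y-%m-%dT%H:%M:%S)"; then
    echo "renew: principals $(principals host.example.net git.example.net)"
    # Signing step on ssh_cert_sign_host (assumed form, run by the CA user):
    #   ssh-keygen -s ~/.ssh-ca/ca -h -I host.example.net -n <principals> -V +4w key.pub
fi
```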
Dependencies
------------

* ssh-ca

Example Playbook
----------------

Optional, use the ssh-ca role first:

----
- name: SSH-CA
  hosts: ssh_ca_server
  roles:
    - role: ssh-ca
----

You need this on one machine only. Then use the regular role:

----
- name: SSH-Cert
  hosts: hosts
  roles:
    - role: ssh-cert
----

License
-------

AGPLv3

Author Information
------------------

Denis Knauf - https://git.denkn.at/deac/ansible-role-ssh-cert