---
# vim: set expandtab tabstop=2 shiftwidth=2:
- name: Pull host pub
  # Read the managed host's SSH host public key; slurp returns it
  # base64-encoded in host_pub.content for the set_fact task below.
  slurp:
    src: '{{ssh_cert_host_pub_path}}'
  register: host_pub
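- name: Fetch CA pub
  # Runs on the CA host as the CA user; the CA public key is returned
  # base64-encoded in _ca_pub.content. Canonical `true` instead of `yes`
  # (YAML 1.1/1.2 truthy ambiguity).
  delegate_to: '{{ssh_ca_host}}'
  remote_user: root
  become: true
  become_user: '{{ssh_ca_user}}'
  slurp:
    src: '{{ssh_ca_pub}}'
  register: _ca_pub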
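- set_fact:
    # Decoded CA public key (may include the file's trailing newline).
    ca_pub: '{{_ca_pub.content | b64decode}}'
    # First two fields of the host key line: key type and base64 key blob.
    # "hash" is a historical name kept for callers; it is the key material,
    # not a digest.
    host_pub_type: '{{(host_pub.content | b64decode).split(" ")[0]}}'
    host_pub_hash: '{{(host_pub.content | b64decode).split(" ")[1]}}'
    # Comma-separated principal list for the host certificate: hostname
    # forms, forward-resolved A/AAAA records, plus any extra ids from the
    # inventory. The dig lookup yields the string NXDOMAIN on failure;
    # difference() expects a list, so filter with a one-element list rather
    # than a bare string (a bare string is matched as a substring).
    principals: >-
      {{ lookup('flattened',
      [inventory_hostname, inventory_hostname + '.' + domain, inventory_hostname + '.local']
      + lookup('dig', inventory_hostname, 'qtype=A', wantlist=True) | difference(['NXDOMAIN'])
      + lookup('dig', inventory_hostname, 'qtype=AAAA', wantlist=True) | difference(['NXDOMAIN'])
      + (ssh_cert_host_addition_ids | default([]))) }}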
- name: Register host pub for sshca
  # Add the managed host's key to the CA user's authorized_keys with a forced
  # command: `restrict` disables forwarding/pty/etc., and the key can only
  # request a host certificate for its own hostname and principals.
  delegate_to: '{{ssh_ca_host}}'
  remote_user: root
  authorized_key:
    user: '{{ssh_ca_user}}'
    state: present
    key: '{{host_pub_type}} {{host_pub_hash}} {{inventory_hostname}}'
    key_options: 'restrict,command="{{ssh_ca_command}} host {{inventory_hostname|quote}} {{principals|quote}}"'
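- when: ssh_cert_users is defined
  block:
    # Block-style module args instead of the `var=...` shorthand.
    - name: Show users to register
      debug:
        var: ssh_cert_users

    - name: Pull users pub
      # Read each user's public key as that user; one result per user in
      # users_pub.results (content is base64, item is the ssh_cert_users entry).
      become: true
      become_user: '{{item.user}}'
      slurp:
        src: '{{ssh_cert_user_pub_path}}'
      register: users_pub
      with_items: '{{ssh_cert_users}}'

    # Distinct task name: the host-key task above has the same one, which
    # makes play output ambiguous.
    - name: Register users pub for sshca
      # Forced command restricted to the `user` sub-command for this user and
      # host; principals default to the user name.
      delegate_to: '{{ssh_ca_host}}'
      remote_user: root
      authorized_key:
        user: '{{ssh_ca_user}}'
        state: present
        key: '{{(item.content | b64decode).split(" ")[0]}} {{(item.content | b64decode).split(" ")[1]}} {{item.item.user}}@{{inventory_hostname}}'
        key_options: 'restrict,command="{{ssh_ca_command}} user {{item.item.user|quote}}@{{inventory_hostname|quote}} {{item.item.principals|default([item.item.user])|join(",")|quote}}"'
      with_items: '{{users_pub.results}}'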
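- name: Push ca pub
  # Publish the CA public key on the managed host; world-readable is fine
  # since it is public key material.
  copy:
    dest: '{{ssh_cert_host_capub_path}}'
    content: '{{ca_pub}}'
    owner: root
    group: root
    # Quoted so the mode does not depend on the YAML parser's octal handling.
    mode: '0644'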
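- name: sshd_config - HostCertificate
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^\s*HostCertificate\s+'
    line: 'HostCertificate {{ssh_cert_host_cert_path}}'
    # If this marker comment is absent, lineinfile appends at end of file;
    # a HostCertificate line placed after a Match block is rejected by sshd.
    insertbefore: '^# HostKeys for protocol'
    # Refuse the edit if the resulting config does not parse, so a bad line
    # cannot leave sshd unable to start after the reload at the end of the play.
    validate: 'sshd -t -f %s'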
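- name: known_hosts ca-cert
  # Trust the CA for every host under the known domain. Use the key already
  # fetched into ca_pub: lookup('file') is evaluated on the controller, not
  # on this host, so the file pushed above may not exist (or be stale) there.
  # trim drops the trailing newline the way lookup('file') would have.
  known_hosts:
    path: /etc/ssh/ssh_known_hosts
    hash_host: false
    name: '{{ssh_cert_known_domain}}'
    key: '@cert-authority *.{{ssh_cert_known_domain}},{{ssh_cert_known_domain}} {{ca_pub | trim}}'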
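- name: install ssh-cert-renew systemd units
  # System-wide units for the host key and per-user units for user keys;
  # src is the role file, dest the unit path.
  copy:
    src: '{{item.key}}'
    dest: '{{item.value}}'
    owner: root
    group: root
    # Quoted so the mode does not depend on the YAML parser's octal handling.
    mode: '0644'
  with_dict:
    ssh-host-cert-renew@.timer: /etc/systemd/system/ssh-cert-renew@.timer
    ssh-host-cert-renew@.service: /etc/systemd/system/ssh-cert-renew@.service
    ssh-user-cert-renew@.timer: /etc/systemd/user/ssh-cert-renew@.timer
    ssh-user-cert-renew@.service: /etc/systemd/user/ssh-cert-renew@.service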
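- name: install ssh-cert-renew script
  # Single file, so a plain copy replaces the one-entry with_dict loop.
  copy:
    src: ssh-cert-renew
    dest: /etc/systemd/ssh-cert-renew
    owner: root
    group: root
    # Quoted so the mode does not depend on the YAML parser's octal handling.
    mode: '0755'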
- name: config host ssh-cert-renew
  # Write KEY=VALUE settings (presumably read by the renew script), replacing
  # any existing assignment of the same key. All three source variables are
  # mandatory.
  lineinfile:
    path: '/etc/default/ssh-cert-renew'
    create: true
    regexp: '^\s*{{item.key}}='
    line: '{{item.key}}={{item.value}}'
  with_dict:
    ssh_cert_mail_to: '{{ssh_cert_mail_to |mandatory}}'
    ssh_cert_mail_from: '{{ssh_cert_mail_from|mandatory}}'
    ssh_cert_sign_host: '{{ssh_cert_sign_user|mandatory}}|{{ssh_cert_sign_host|mandatory}}'
- name: renew host ssh-cert
  # Start the renew service instance for the ed25519 host key;
  # daemon_reload so systemd sees the unit files installed above.
  systemd:
    name: 'ssh-cert-renew@ssh_host_ed25519_key.service'
    state: started
    daemon_reload: true
- name: enable services
  # Enable and start the periodic renewal timer and sshd itself.
  systemd:
    name: '{{item}}'
    state: started
    enabled: true
  with_items:
    - 'ssh-cert-renew@ssh_host_ed25519_key.timer'
    - 'ssh.service'
- when: ssh_cert_users is defined
  block:
    # Per-user renewal runs in each user's systemd user instance, so both
    # tasks become that user and address units with scope: user.
    - name: renew users ssh-cert
      become: true
      become_user: '{{item.user}}'
      systemd:
        scope: user
        name: 'ssh-cert-renew@id_ed25519.service'
        state: started
      with_items: '{{ssh_cert_users}}'

    - name: enable users renewal services
      become: true
      become_user: '{{item.user}}'
      systemd:
        scope: user
        name: 'ssh-cert-renew@id_ed25519.timer'
        state: started
        enabled: true
      with_items: '{{ssh_cert_users}}'
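- name: "Register certificate-role in user's authorized_keys"
  # Accept CA-signed user certificates for item.user when they carry one of
  # the listed principals (default: the user name itself). default([]) keeps
  # the loop from templating an undefined variable, since loops are templated
  # before `when` is evaluated.
  when: ssh_cert_user_authorized_roles is defined
  with_items: '{{ssh_cert_user_authorized_roles | default([])}}'
  authorized_key:
    user: '{{item.user}}'
    state: present
    key: '{{ca_pub}}'
    key_options: 'cert-authority,principals="{{item.roles|default([item.user])|join(",")}}"'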
- name: reload ssh
  # Apply the sshd_config change without dropping existing sessions.
  service:
    name: ssh
    state: reloaded
- name: remove from local known_hosts
  # Drop plain-key entries for each of this host's principals (presumably so
  # the @cert-authority entry is what gets used). principals is the
  # comma-separated string built in set_fact above.
  # NOTE(review): no delegate_to here, so this edits the default known_hosts
  # of the login user on the managed host, not the controller's — confirm
  # that is the intent behind "local".
  known_hosts:
    host: '{{item}}'
    state: absent
  with_items: '{{principals.split(",")}}'