---
# Install the SSH CA *public* key on the node. Only the public half is
# written here; the private key is handled on "console" further below.
# NOTE(review): presumably referenced by sshd_config.d/ssh_ca.conf
# (TrustedUserCAKeys) deployed at the end of this file -- verify.
- name: Deploy /etc/ssh/local_ssh_ca.pub
  become: true
  ansible.builtin.copy:
    content: "{{ hostvars['console']['ssh']['ca']['pub'] }}\n"
    dest: '/etc/ssh/local_ssh_ca.pub'
    owner: 'root'
    group: 'root'
    mode: '0644'
  # Hides the (public) key material from play output.
  no_log: true
# Does the node already carry a CA-signed host certificate?
# `is_signed_ca_key.stat.exists` drives the re-sign decision below.
- name: Check ssh_host_key-cert.pub
  register: is_signed_ca_key
  ansible.builtin.stat:
    path: '/etc/ssh/ssh_host_ed25519_key-cert.pub'
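# Read the Key ID embedded in the deployed host certificate so it can be
# compared with the desired node name below. Only runs when the
# certificate file exists.
- name: Get current ssh_host_key-cert.pub Key ID
  ansible.builtin.shell: |
    set -o pipefail
    ssh-keygen -L -f /etc/ssh/ssh_host_ed25519_key-cert.pub | \
      grep "Key ID" | \
      sed -E 's/.*Key ID: "(.*)"/\1/'
  args:
    # `set -o pipefail` is a bash feature; the default /bin/sh on many
    # distributions does not accept it and the task would fail before
    # ssh-keygen even runs.
    executable: /bin/bash
  when: is_signed_ca_key.stat.exists
  changed_when: false
  register: current_key_id
  # NOTE(review): the certificate is world-readable (0644), so no_log
  # mainly hides the error output of a failing pipeline here.
  no_log: true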
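# Read the principals (host names) embedded in the deployed host
# certificate: the lines between "Principals:" and "Critical Options:" in
# `ssh-keygen -L` output, with the two marker lines and leading
# whitespace removed. Only runs when the certificate file exists.
- name: Get current ssh_host_key-cert.pub san
  ansible.builtin.shell: |
    set -o pipefail
    ssh-keygen -L -f /etc/ssh/ssh_host_ed25519_key-cert.pub | \
      sed -n '/Principals:/,/Critical Options:/p' | \
      sed '1d;$d' | \
      sed 's/^[[:space:]]*//'
  args:
    # `set -o pipefail` is a bash feature; the default /bin/sh on many
    # distributions does not accept it and the task would fail before
    # ssh-keygen even runs.
    executable: /bin/bash
  when: is_signed_ca_key.stat.exists
  changed_when: false
  register: current_san_id
  no_log: true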
# Normalise what was read from the certificate into two facts:
#   current_id_key  - the Key ID string
#   current_san_list - the principals, one list entry per line
- name: Set current key informations
  when: is_signed_ca_key.stat.exists
  no_log: true
  ansible.builtin.set_fact:
    current_id_key: '{{ current_key_id.stdout }}'
    current_san_list: '{{ current_san_id.stdout_lines }}'
# Decide whether the existing certificate must be re-issued: the Key ID
# must equal node['name'] and the principals must equal the comma
# separated node['ssh_san'] (each entry trimmed, order preserved).
# Unset facts (no certificate yet) are treated as empty.
# NOTE(review): only Key ID and principals are compared. The signing CA
# and the validity period are not checked, so a certificate issued by a
# previous CA key (or an expired one) would not be re-signed -- confirm
# whether CA rotation is handled elsewhere.
- name: Compare key values between current information and defined information
  ansible.builtin.set_fact:
    is_certificate_info_different: true
  when: >-
    (current_id_key | default("")) != node['name']
    or (current_san_list | default([])) != (node['ssh_san'].split(',') | map('trim') | list)
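# (Re)issue the host certificate: fetch the node's host public key, sign
# it on "console" with the CA private key, push the certificate back.
# Runs only when no certificate exists or the one on disk differs from
# the desired Key ID / principals.
#
# NOTE(review): `fetch` writes to the Ansible controller, while the
# signing and cleanup tasks are delegated to "console". The paths only
# line up if the controller *is* "console" (local connection) -- confirm.
# NOTE(review): ssh-keygen is called without -V (validity interval) and
# without -z (serial), so the certificate never expires and cannot be
# revoked by serial; the comparison task above would also not renew an
# expiring certificate. Consider adding both together with an expiry check.
- name: Get SSH CA and signing
  when: not is_signed_ca_key.stat.exists or (is_certificate_info_different | default(false))
  vars:
    # Per-user tmpfs on console; nothing here should survive the play,
    # the `always` section removes every file created below.
    console_tmp: "/run/user/{{ hostvars['console']['node']['uid'] }}"
    ca_private_key_file: "{{ console_tmp }}/local_ssh_ca_private_key"
    host_pub_file: "{{ console_tmp }}/{{ node['name'] }}_ssh_host_ed25519_key.pub"
    # ssh-keygen -s writes <pubfile without .pub>-cert.pub next to the input.
    host_cert_file: "{{ console_tmp }}/{{ node['name'] }}_ssh_host_ed25519_key-cert.pub"
  block:
    - name: Get ssh_host_key.pub from remote server
      ansible.builtin.fetch:
        src: "/etc/ssh/ssh_host_ed25519_key.pub"
        dest: "{{ host_pub_file }}"
        flat: true
      become: true

    # The CA private key is only ever materialised on console, owner-read
    # only, and deleted in `always` even if signing fails.
    - name: Get SSH CA
      delegate_to: "console"
      ansible.builtin.copy:
        content: |
          {{ hostvars['console']['ssh']['ca']['key'] }}
        dest: "{{ ca_private_key_file }}"
        owner: "console"
        group: "svadmins"
        mode: "0400"
      no_log: true

    # -h: host certificate; -I: Key ID; -n: principals (comma separated).
    # argv form passes node name / principals as single arguments without
    # any shell-style re-parsing of quotes or whitespace.
    - name: Sign on ssh host keys (pub file)
      delegate_to: "console"
      ansible.builtin.command:
        argv:
          - "ssh-keygen"
          - "-s"
          - "{{ ca_private_key_file }}"
          - "-h"
          - "-I"
          - "{{ node['name'] }}"
          - "-n"
          - "{{ node['ssh_san'] }}"
          - "{{ host_pub_file }}"
      # The block only runs when a (re)sign is needed, so this always changes.
      changed_when: true
      no_log: true

    - name: Deploy signed pub file
      ansible.builtin.copy:
        src: "{{ host_cert_file }}"
        dest: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
        owner: "root"
        group: "root"
        mode: "0644"
      become: true
      notify: "notification_restart_sshd"

  always:
    # Remove the CA private key and the intermediate files regardless of
    # whether signing succeeded.
    - name: Clean temporary files
      delegate_to: "console"
      ansible.builtin.file:
        path: "{{ item }}"
        state: "absent"
      loop:
        - "{{ host_pub_file }}"
        - "{{ host_cert_file }}"
        - "{{ ca_private_key_file }}"
      no_log: true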
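# Deploy the sshd drop-in configuration (root login policy, CA trust,
# host certificate) from the console's config tree and schedule an sshd
# restart.
- name: Set sshd_config.d files
  ansible.builtin.copy:
    src: "{{ hostvars['console']['node']['config_path'] }}/node/common/ssh/{{ item }}"
    dest: "/etc/ssh/sshd_config.d/{{ item }}"
    owner: "root"
    group: "root"
    mode: "0644"
    # Refuse to install a drop-in sshd cannot parse: the restart handler
    # would otherwise leave the node without a working sshd (and this
    # play without remote access). The file is validated in isolation, so
    # interactions between drop-ins are not caught; adjust the sshd path
    # if the distribution installs it elsewhere.
    validate: "/usr/sbin/sshd -t -f %s"
  loop:
    - "prohibit_root.conf"
    - "ssh_ca.conf"
    - "host_certificate.conf"
  become: true
  notify: "notification_restart_sshd"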