From 7cc5352634a41ded5c61301c4b6b439f610073a8 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Wed, 26 Apr 2023 18:41:33 +0200
Subject: [PATCH] init
---
 defaults/main.yml | 2 ++
 meta/main.yml | 18 ++++++++++++
 tasks/deploy_certificate.yml | 55 ++++++++++++++++++++++++++++++++++++
 tasks/main.yml | 3 ++
 4 files changed, 78 insertions(+)
 create mode 100644 defaults/main.yml
 create mode 100644 meta/main.yml
 create mode 100644 tasks/deploy_certificate.yml
 create mode 100644 tasks/main.yml
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..ef6bb10
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,2 @@
+ssh_ca_host: root@atlas.hyp
+ssh_ca_script: /root/ssh_ca/ssh_ca.sh
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..f14b086
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,18 @@
+galaxy_info:
+ role_name: deploy_ssh_certificates
+ author: Pim Kunis
+ description: Fetch and install SSH certificates.
+
+ issue_tracker_url: https://git.pim.kunis.nl/pim/ansible-role-deploy-ssh-certificates/issues
+
+ license: GPLv3
+
+ min_ansible_version: 1.2
+
+ platforms:
+ - name: Debian
+ versions:
+ - bookworm
+
+ galaxy_tags:
+ - ssh
diff --git a/tasks/deploy_certificate.yml b/tasks/deploy_certificate.yml
new file mode 100644
index 0000000..3bb8821
--- /dev/null
+++ b/tasks/deploy_certificate.yml
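Review bot: The defaults `ssh_ca_host: root@atlas.hyp` and `ssh_ca_script: /root/ssh_ca/ssh_ca.sh` bake one site's root login into a role that ships Galaxy metadata, and `tasks/deploy_certificate.yml` uses that login from the controller (`delegate_to: localhost`) for every certificate. Values that are only correct for one deployment read better as documented required variables than as defaults; at minimum add `# SSH destination the controller uses to reach the CA; the signing script runs there as this user` above `ssh_ca_host` and a matching line above `ssh_ca_script`. The CA side is also easier to confine if that account is a dedicated signing user with access to the script only, rather than root.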
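Review bot: `min_ansible_version: 1.2` is an unquoted float and understates what the tasks use: `include_tasks`, the `cmd:` form of `command` and `openssh_keypair` all postdate 1.2 (openssh_keypair, as far as I recall, arrived in 2.8), so quote it and raise it to the version actually required, e.g. `min_ansible_version: "2.8"`. The `platforms`/`versions` nesting should be checked in the actual file, as the rendering here has flattened the indentation and a `versions` list at the wrong level is not reported by Galaxy.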
@@ -0,0 +1,55 @@
+- name: Generate key pair
+ openssh_keypair:
+ path: "/etc/ssh/{{ item.name }}"
+ type: "{{ item.key_type }}"
+ register: key_pair
+
+- name: Check whether certificate exists
+ stat:
+ path: "/etc/ssh/{{ item.name }}-cert.pub"
+ register: cert_stat
+
+- name: Generate SSH user certificate
+ command:
+ cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=2 {{ ssh_ca_host }} '{{ ssh_ca_script }} user {{ item.signing_key }} \"{{ key_pair.public_key }}\" {{ item.host }} \"{{ item.principals }}\"'"
+ register: certificate
+ delegate_to: localhost
+ when: item.type == "user" and not cert_stat.stat.exists
+
+- name: Generate SSH host certificate
+ command:
+ cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=2 {{ ssh_ca_host }} '{{ ssh_ca_script }} host {{ item.signing_key }} \"{{ key_pair.public_key }}\" {{ item.host }}'"
+ register: certificate
+ delegate_to: localhost
+ when: item.type == "host" and not cert_stat.stat.exists
+
+- name: Place certificate
+ copy:
+ dest: "/etc/ssh/{{ item.name }}-cert.pub"
+ content: "{{ certificate.stdout }}"
+ mode: 0644
+ when: not cert_stat.exists
+
+- name: Enable user certificate
+ lineinfile:
+ path: /etc/ssh/ssh_config.d/certificates.conf
+ line: "CertificateFile /etc/ssh/{{ item.name }}-cert.pub"
+ when: item.type == "user"
+
+- name: Enable user identity
+ lineinfile:
+ path: /etc/ssh/ssh_config.d/certificates.conf
+ line: "IdentityFile /etc/ssh/{{ item.name }}"
+ when: item.type == "user"
+
+- name: Enable host certificate
+ lineinfile:
+ path: /etc/ssh/sshd_config.d/certificates.conf
+ line: "HostCertificate /etc/ssh/{{ item.name }}-cert.pub"
+ when: item.type == "host"
+
+- name: Enable host key
+ lineinfile:
+ path: /etc/ssh/sshd_config.d/certificates.conf
+ line: "HostKey /etc/ssh/{{ item.name }}"
+ when: item.type == "host"
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..915d355
--- /dev/null
+++ b/tasks/main.yml
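Review bot: `when: not cert_stat.exists` on the Place certificate task reads a key the `stat` result does not have; the two generate tasks test `cert_stat.stat.exists`, and with the shorter form the task errors on an undefined attribute instead of skipping when the certificate is already present, so change it to `when: not cert_stat.stat.exists`. While there, quote the mode, `mode: "0644"`, so YAML does not read it as an integer. The four `lineinfile` tasks write `ssh_config.d/certificates.conf` and `sshd_config.d/certificates.conf` without `create: true`, so they fail on a host where the drop-in does not exist yet, and nothing notifies sshd to reload after `HostCertificate`/`HostKey` are added; a `validate: sshd -t -f %s` on the sshd tasks would reject a broken drop-in before it lands. Note also that sshd stops using its default host-key set once any `HostKey` directive is present, so the Enable host key line changes which keys sshd offers unless `item.name` is one of the defaults — worth a comment above that task. The CA invocation splices `item.principals`, `item.host` and `key_pair.public_key` into one shell string executed on the CA host, so a value containing a quote or shell metacharacter breaks the command; passing each through `| quote` keeps the arguments intact.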
@@ -0,0 +1,3 @@
+- name: Create each certificate
+ include_tasks: "deploy_certificate.yml"
+ loop: "{{ deploy_certificates }}"
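Review bot: `loop: "{{ deploy_certificates }}"` has no matching entry in `defaults/main.yml`, so the role fails with an undefined variable when a caller includes it without setting the list; add `deploy_certificates: []` to the defaults so an empty list is a no-op, and document the expected item keys (`name`, `type`, `key_type`, `signing_key`, `host`, `principals`, as used in `deploy_certificate.yml`) in a comment above it. Each iteration also echoes the whole item in the task output; `loop_control` with `label: "{{ item.name }}"` limits the log to the certificate name.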