init
commit
7cc5352634
4 changed files with 78 additions and 0 deletions
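--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,2 @@
+ssh_ca_host: root@atlas.hyp
+ssh_ca_script: /root/ssh_ca/ssh_ca.sh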
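--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,18 @@
+galaxy_info:
+  role_name: deploy_ssh_certificates
+  author: Pim Kunis
+  description: Fetch and install SSH certificates.
+
+  issue_tracker_url: https://git.pim.kunis.nl/pim/ansible-role-deploy-ssh-certificates/issues
+
+  license: GPLv3
+
+  min_ansible_version: 1.2
+
+  platforms:
+    - name: Debian
+      versions:
+        - bookworm
+
+  galaxy_tags:
+    - ssh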
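--- /dev/null
+++ b/tasks/deploy_certificate.yml
@@ -0,0 +1,55 @@
+- name: Generate key pair
+  openssh_keypair:
+    path: "/etc/ssh/{{ item.name }}"
+    type: "{{ item.key_type }}"
+  register: key_pair
+
+- name: Check whether certificate exists
+  stat:
+    path: "/etc/ssh/{{ item.name }}-cert.pub"
+  register: cert_stat
+
+- name: Generate SSH user certificate
+  command:
+    cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=2 {{ ssh_ca_host }} '{{ ssh_ca_script }} user {{ item.signing_key }} \"{{ key_pair.public_key }}\" {{ item.host }} \"{{ item.principals }}\"'"
+  register: certificate
+  delegate_to: localhost
+  when: item.type == "user" and not cert_stat.stat.exists
+
+- name: Generate SSH host certificate
+  command:
+    cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=2 {{ ssh_ca_host }} '{{ ssh_ca_script }} host {{ item.signing_key }} \"{{ key_pair.public_key }}\" {{ item.host }}'"
+  register: certificate
+  delegate_to: localhost
+  when: item.type == "host" and not cert_stat.stat.exists
+
+- name: Place certificate
+  copy:
+    dest: "/etc/ssh/{{ item.name }}-cert.pub"
+    content: "{{ certificate.stdout }}"
+    mode: 0644
+  when: not cert_stat.exists
+
+- name: Enable user certificate
+  lineinfile:
+    path: /etc/ssh/ssh_config.d/certificates.conf
+    line: "CertificateFile /etc/ssh/{{ item.name }}-cert.pub"
+  when: item.type == "user"
+
+- name: Enable user identity
+  lineinfile:
+    path: /etc/ssh/ssh_config.d/certificates.conf
+    line: "IdentityFile /etc/ssh/{{ item.name }}"
+  when: item.type == "user"
+
+- name: Enable host certificate
+  lineinfile:
+    path: /etc/ssh/sshd_config.d/certificates.conf
+    line: "HostCertificate /etc/ssh/{{ item.name }}-cert.pub"
+  when: item.type == "host"
+
+- name: Enable host key
+  lineinfile:
+    path: /etc/ssh/sshd_config.d/certificates.conf
+    line: "HostKey /etc/ssh/{{ item.name }}"
+  when: item.type == "host"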
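--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,3 @@
+- name: Create each certificate
+  include_tasks: "deploy_certificate.yml"
+  loop: "{{ deploy_certificates }}"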