init
This commit is contained in:
commit
7cc5352634
4 changed files with 78 additions and 0 deletions
2
defaults/main.yml
Normal file
2
defaults/main.yml
Normal file
|
|
@ -0,0 +1,2 @@
|
|||
ssh_ca_host: root@atlas.hyp
|
||||
ssh_ca_script: /root/ssh_ca/ssh_ca.sh
|
||||
18
meta/main.yml
Normal file
18
meta/main.yml
Normal file
|
|
@ -0,0 +1,18 @@
|
|||
galaxy_info:
|
||||
role_name: deploy_ssh_certificates
|
||||
author: Pim Kunis
|
||||
description: Fetch and install SSH certificates.
|
||||
|
||||
issue_tracker_url: https://git.pim.kunis.nl/pim/ansible-role-deploy-ssh-certificates/issues
|
||||
|
||||
license: GPLv3
|
||||
|
||||
min_ansible_version: 1.2
|
||||
|
||||
platforms:
|
||||
- name: Debian
|
||||
versions:
|
||||
- bookworm
|
||||
|
||||
galaxy_tags:
|
||||
- ssh
|
||||
55
tasks/deploy_certificate.yml
Normal file
55
tasks/deploy_certificate.yml
Normal file
|
|
@ -0,0 +1,55 @@
|
|||
- name: Generate key pair
|
||||
openssh_keypair:
|
||||
path: "/etc/ssh/{{ item.name }}"
|
||||
type: "{{ item.key_type }}"
|
||||
register: key_pair
|
||||
|
||||
- name: Check whether certificate exists
|
||||
stat:
|
||||
path: "/etc/ssh/{{ item.name }}-cert.pub"
|
||||
register: cert_stat
|
||||
|
||||
- name: Generate SSH user certificate
|
||||
command:
|
||||
cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=2 {{ ssh_ca_host }} '{{ ssh_ca_script }} user {{ item.signing_key }} \"{{ key_pair.public_key }}\" {{ item.host }} \"{{ item.principals }}\"'"
|
||||
register: certificate
|
||||
delegate_to: localhost
|
||||
when: item.type == "user" and not cert_stat.stat.exists
|
||||
|
||||
- name: Generate SSH host certificate
|
||||
command:
|
||||
cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=2 {{ ssh_ca_host }} '{{ ssh_ca_script }} host {{ item.signing_key }} \"{{ key_pair.public_key }}\" {{ item.host }}'"
|
||||
register: certificate
|
||||
delegate_to: localhost
|
||||
when: item.type == "host" and not cert_stat.stat.exists
|
||||
|
||||
- name: Place certificate
|
||||
copy:
|
||||
dest: "/etc/ssh/{{ item.name }}-cert.pub"
|
||||
content: "{{ certificate.stdout }}"
|
||||
mode: 0644
|
||||
when: not cert_stat.exists
|
||||
|
||||
- name: Enable user certificate
|
||||
lineinfile:
|
||||
path: /etc/ssh/ssh_config.d/certificates.conf
|
||||
line: "CertificateFile /etc/ssh/{{ item.name }}-cert.pub"
|
||||
when: item.type == "user"
|
||||
|
||||
- name: Enable user identity
|
||||
lineinfile:
|
||||
path: /etc/ssh/ssh_config.d/certificates.conf
|
||||
line: "IdentityFile /etc/ssh/{{ item.name }}"
|
||||
when: item.type == "user"
|
||||
|
||||
- name: Enable host certificate
|
||||
lineinfile:
|
||||
path: /etc/ssh/sshd_config.d/certificates.conf
|
||||
line: "HostCertificate /etc/ssh/{{ item.name }}-cert.pub"
|
||||
when: item.type == "host"
|
||||
|
||||
- name: Enable host key
|
||||
lineinfile:
|
||||
path: /etc/ssh/sshd_config.d/certificates.conf
|
||||
line: "HostKey /etc/ssh/{{ item.name }}"
|
||||
when: item.type == "host"
|
||||
3
tasks/main.yml
Normal file
3
tasks/main.yml
Normal file
|
|
@ -0,0 +1,3 @@
|
|||
- name: Create each certificate
|
||||
include_tasks: "deploy_certificate.yml"
|
||||
loop: "{{ deploy_certificates }}"
|
||||
Reference in a new issue