From 1c3b3460998d3a3a8ee6c76d3c9cbda1c9dc8459 Mon Sep 17 00:00:00 2001
From: Pim Kunis <pim@kunis.nl>
Date: Sun, 23 Apr 2023 23:50:30 +0200
Subject: [PATCH] move ssh ca to separate repo

---
 ansible/hermes.yml                          |  4 +-
 ansible/inventory/host_vars/hermes.yml      | 59 +++++++++++++++++++++
 ansible/requirements.yml                    |  3 ++
 ansible/roles/ca/files/ca.sh                | 29 ----------
 ansible/roles/ca/files/keys/host_ca_key     | 27 ----------
 ansible/roles/ca/files/keys/host_ca_key.pub |  1 -
 ansible/roles/ca/files/keys/user_ca_key     | 27 ----------
 ansible/roles/ca/files/keys/user_ca_key.pub |  1 -
 ansible/roles/ca/tasks/main.yml             | 10 ----
 9 files changed, 64 insertions(+), 97 deletions(-)
 create mode 100644 ansible/inventory/host_vars/hermes.yml
 delete mode 100755 ansible/roles/ca/files/ca.sh
 delete mode 100644 ansible/roles/ca/files/keys/host_ca_key
 delete mode 100644 ansible/roles/ca/files/keys/host_ca_key.pub
 delete mode 100644 ansible/roles/ca/files/keys/user_ca_key
 delete mode 100644 ansible/roles/ca/files/keys/user_ca_key.pub
 delete mode 100644 ansible/roles/ca/tasks/main.yml

diff --git a/ansible/hermes.yml b/ansible/hermes.yml
index 7fcd98d..0440e0d 100644
--- a/ansible/hermes.yml
+++ b/ansible/hermes.yml
@@ -2,7 +2,7 @@
   hosts: all
   gather_facts: no
   roles:
-    - 'cloudinit-wait'
+    - cloudinit-wait
 
 - name: Install services
   hosts: all
@@ -22,4 +22,4 @@
   roles:
     - {role: 'dnsmasq', tags: 'dnsmasq'}
     - {role: 'nsd', tags: 'nsd'}
-    - {role: 'ca', tags: 'ca'}
+    - {role: 'ssh-ca', tags: 'ssh-ca'}
diff --git a/ansible/inventory/host_vars/hermes.yml b/ansible/inventory/host_vars/hermes.yml
new file mode 100644
index 0000000..1092d00
--- /dev/null
+++ b/ansible/inventory/host_vars/hermes.yml
@@ -0,0 +1,59 @@
+ssh_ca_dir: /root/ssh_ca
+ssh_ca_user_ca_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKOClnK6/Hj8INjEgULY/lD2FM/nbiJHqaSXtEw4+Fj User Certificate Authority for DMZ"
+ssh_ca_host_ca_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x Host Certficate Authority for DMZ"
+ssh_ca_user_ca_private_key: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          64343164666336316635323733353839373835316465653038333062386438363131353566626130
+          6531653835313838396638366330386331383533303435300a306333363238633864623864393665
+          31393036346532353134646466666465386633303061346662393430666532366137323866646561
+          3131653064323565370a656361326462336238333464353635303066323565633865663032313661
+          38366238613361626161633862353938326365306634303166346461366531663063343264353533
+          61656630633734643639333738616566326531653264306134363837616365643039626262613433
+          61656361326234313130386533363761366665383064643735316133313133643865616536306466
+          33303733663834646435303935633436383632306330616264343263303861313635383866636163
+          39653064373966643437636530326235653131616366396563386139333837616535616135323337
+          66626161336539356637373138613464376133373234353863383330313362623236633462386234
+          31386635613936306262346264343732623761303331623831353061343035626361623639326530
+          62643139663733666662623039396461623334666565663439613430353364626162653731303535
+          32396638393534363533303039343938346339656266303766613931316337333635373664643461
+          37303332386233663937636631373935613231356262346530323337393733373764613864616563
+          66383137393738316638393530616234653264613363383663366261303433636236326632323734
+          35616133386438613636663631653139386466303534636263393633633663303664326137373139
+          35626336653966396335623330663161333432306538316664376231616161353235353032633438
+          62363663613135616462323363333863376532623764663066616431636632653938666263383731
+          65666564656130383262373964386631643332323066386635643032663833306565643164376239
+          32383732393236336235363936303063663963343061306161643331623330326139663836323561
+          31353532313639613563393938643333326462653833623531613935363265333534663762333831
+          36376264636432656537313834373036623339306430333837323836303134323062306265356430
+          39663238363338666362663364643063613337646237356431383237616465643634313166643435
+          32623864313537336634373631396465643362333237646462336362656430653036656263613162
+          64306662313934643661333462306336333561626335303866306131326538653264343465633139
+          3466663135663239616135353764373532323935613233316132
+ssh_ca_host_ca_private_key: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          34613835376232653534353636303364613437666563653530363564346164656136643732626234
+          6430316165623933666461646639303435386433333335660a393538303835616366333066353665
+          64663236353233383236656365356264653963366464303433313133386430646230363634353465
+          6365313836666534330a633832303963616162623631663732623236383665383333323032383364
+          36313663366461643733373836326335386562663362326438353033376431356537326133646338
+          31623064303662616464343639346663323437333038346664393166333930336539373031313161
+          39343365373238383661343234666430336131323666313032333666306333366566336361383536
+          64626261363138323766306239303133376632386235666633363461303135613865343161356266
+          33333634613761616336653162396662633131333336613264663764333761633032313436376534
+          65376631383239666235313939363265643364376638623630373839303236633635356431356263
+          66366535656335326335616666316534366232353262336164663562613439623135303262356130
+          36316134366366623331393230396132366535356435613563663937376639653339343761306431
+          33353331306334336133316234326133663939636430376139376231383966346363303362386265
+          32356166363231613962383434333536356138623039663561313137653037663231666666646230
+          66323932333031626637616434383737623634353933613861326666313737636133333438656634
+          31363461373639366464343836333031313632346465346535303139623038633330356334633866
+          61303765353439303966623030303966656465353538323932343536393764616566386261306466
+          36343237393333376366303933373139353161376262333739353138666162663339393136303634
+          39383433323563666661313631613761343532373736386537626433323631323465623736653165
+          35356163356361346438366430636563656531363164306534353865393039643136366634323638
+          62656261396635353332376661353661353931663932386465643238343031376235363239303832
+          63393437613362623963306364356363396134623739656265326433356134303835356266326465
+          64623631353163653438376534316162666330663963363064326161656335383639356164393237
+          39346231666362313632363737623139373632376461373362656563616566633265653438393361
+          39393734393061653639313365633931373963666635316138663538356265386562373837393530
+          6537646639613534666533626339356335396634613765616664
diff --git a/ansible/requirements.yml b/ansible/requirements.yml
index 5530c9f..e945591 100644
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@@ -1,3 +1,6 @@
 - name: cloudinit-wait
   src: https://git.pim.kunis.nl/pim/ansible-role-cloudinit-wait
   scm: git
+- name: ssh-ca
+  src: https://git.pim.kunis.nl/pim/ansible-role-ssh-ca
+  scm: git
diff --git a/ansible/roles/ca/files/ca.sh b/ansible/roles/ca/files/ca.sh
deleted file mode 100755
index 0a4db50..0000000
--- a/ansible/roles/ca/files/ca.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-IFS=$'\n\t'
-
-HOSTCAKEY=/root/.ssh/host_ca_key
-USERCAKEY=/root/.ssh/user_ca_key
-
-host() {
-	PUBKEY="$2"
-	HOST="$3"
-
-	echo "$PUBKEY" > /tmp/"$HOST".pub
-	ssh-keygen -h -s "$HOSTCAKEY" -I "$HOST" -n "$HOST" /tmp/"$HOST".pub
-	cat /tmp/"$HOST"-cert.pub
-	rm /tmp/"$HOST"*.pub
-}
-
-user() {
-	PUBKEY="$2"
-	HOST="$3"
-	PRINCIPALS="$4"
-
-	echo "$PUBKEY" > /tmp/"$HOST".pub
-	ssh-keygen -s "$USERCAKEY" -I "$HOST" -n "$HOST","$PRINCIPALS" /tmp/"$HOST".pub
-	cat /tmp/"$HOST"-cert.pub
-	rm /tmp/"$HOST"*.pub
-}
-
-"$1" "$@"
diff --git a/ansible/roles/ca/files/keys/host_ca_key b/ansible/roles/ca/files/keys/host_ca_key
deleted file mode 100644
index 9942088..0000000
--- a/ansible/roles/ca/files/keys/host_ca_key
+++ /dev/null
@@ -1,27 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-65393830356161326338323139306466316362303835393833383633363431303639393835666538
-6639653036666261363236393832343236656531633261360a333664363033356432386439336630
-65336333666662633635316565363366353530653831383937616566386165346663393938386530
-3233613134343331350a363163383831396265646333336334366664353164386538313031393230
-61356239333863366665396131633039663161306536386636336631646238303164303565653331
-64353465633235396261333739643635306530333665313330633936643966363539646636376630
-32303233303437393662393161313330333331396666613133633964393335393035363536373464
-36323334393235626561333262373639353332663337393562356562656662373833633833636466
-65373739663764623962323630623866363563626536313436346532643332646238393237396439
-35623961336266333037636532663833653466346264326330616135346234643363636662396630
-30613132633237333633636361323937643338323738386231383561613237646436333336383562
-61316232393864316236616561333139626463373962303134366131653439656638636365633930
-33353565373066623763346139663238346237376461613834323839336533653936646532316437
-66303565346665303335656233663735333630643963656637363934626336323361356639616430
-32323133396165356237613062313864313534323364663232636566373332633461316461346435
-32663862353439653764616461646463336639646636333862663832656131356536666233396638
-63613439636432306164393737353033383661623733646231313238303863376362376334656262
-33336132373139333030333533633032353564336666663237333135376532396165653831663537
-32653836373034383965653431646137633638633465626164386638323466636238393665303964
-35366432643962613063326338373031393036643437663438356339386662303362333062343730
-65646535373833343831633164666563616561633833353739643963633265396561386462336234
-66323330363662653235333464623965653635323437613734366231386331363461643262366565
-37626536623832323162363862363632666164353138616362386562393530623265303936656364
-65633463363935393838333338303239333538393865653338396635393262623636616364323133
-66333165616364356235303431316232666330313933386331383435663939386331626635316537
-3964323534326563303636616135663137373365663365663931
diff --git a/ansible/roles/ca/files/keys/host_ca_key.pub b/ansible/roles/ca/files/keys/host_ca_key.pub
deleted file mode 100644
index 4a19643..0000000
--- a/ansible/roles/ca/files/keys/host_ca_key.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x Host Certficate Authority for DMZ
diff --git a/ansible/roles/ca/files/keys/user_ca_key b/ansible/roles/ca/files/keys/user_ca_key
deleted file mode 100644
index cf8ef0c..0000000
--- a/ansible/roles/ca/files/keys/user_ca_key
+++ /dev/null
@@ -1,27 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-36306261333262396466633565653163323239396630653031343331653337376433356461613064
-3333316136343033396131356638666661623464333333310a636264616339363366386633663965
-64336437316366333363396162376337653537376365306638316166663437643731613935353137
-6138306232396134310a373962653330613331653830343766613435363339343438636665306633
-39633061303937313962323839336437653763336164616433353831646663393764373933306565
-38633335373863363437313531393530333562336430636261656564306563343537313264366436
-32653932356263333938386231333134303633333666343531616332376632343462316335643732
-30386465626533363333626162386331626436373935386537393335666437633166303838663264
-61353532306161343630303233336463376266366463313039343262656333663936333338373633
-31353361356232356637333466316634623739323335613433356362333565646138373838663034
-39363734623537633133393836323261353461623562386235646566303162373235623534383238
-33363264386438393563613639333336323963363733346665663430626335346334386233396236
-34636164653264386266393561303037646464646136313861343438636437626166333361613262
-66333333303139653639383963373731613639643837363639353264376230616264313930396434
-39303863653939613333323739363263383531333539333334306632323865646131653030356365
-38363530656131646431616661616137386161613033643664336661343531333933326339656636
-61356337393936623462323039343534656565353466353565653838666336306266313131316435
-39333739313262646462663531663234633066333033666461306434313166366533353865313530
-31326334383138383332366665383965633838636436646230323931646136336234636631313138
-33363062393632393830383231333166373032386163316633613061643166663266396131333838
-30316439373834356230633566323966376336363362346338323237343637393765323237373832
-61626432653935663230663261343037363037646539623330383235376231303738323132306131
-33646237633164356332366664353763623839623738633230613837356330393535346236383165
-35376631313332356164636336336439386432326337663436373661613264306135313961623434
-37386335663332613435626233333037316466363730623065633336666436343433326564333264
-6231373332643633346235663930616439653238396331626564
diff --git a/ansible/roles/ca/files/keys/user_ca_key.pub b/ansible/roles/ca/files/keys/user_ca_key.pub
deleted file mode 100644
index 71ab782..0000000
--- a/ansible/roles/ca/files/keys/user_ca_key.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKOClnK6/Hj8INjEgULY/lD2FM/nbiJHqaSXtEw4+Fj User Certificate Authority for DMZ
diff --git a/ansible/roles/ca/tasks/main.yml b/ansible/roles/ca/tasks/main.yml
deleted file mode 100644
index 20a992e..0000000
--- a/ansible/roles/ca/tasks/main.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-- name: Copy ca.sh
-  copy:
-    src: "{{ role_path }}/files/ca.sh"
-    dest: /root/ca.sh
-    mode: 755
-- name: Copy keys
-  copy:
-    src: "{{ role_path }}/files/keys/"
-    dest: /root/.ssh/
-    mode: preserve