From 3c41b72c9b6863b1b39e3602ac01791200f6eacd Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Mon, 10 Apr 2023 15:04:53 +0200
Subject: [PATCH] fetch user certificate for backup server
---
 inventory/group_vars/all.yml | 5 +--
 roles/borg/tasks/main.yml | 2 +-
 roles/system/files/ssh.conf | 1 +
 roles/system/files/ssh_user_ed25519_key | 25 ++++++++++++++
 roles/system/tasks/main.yml | 33 +++++++++++++++++--
 .../templates/ssh_host_ed25519_key.pub.j2 | 1 -
 6 files changed, 61 insertions(+), 6 deletions(-)
 create mode 100644 roles/system/files/ssh.conf
 create mode 100644 roles/system/files/ssh_user_ed25519_key
 delete mode 100644 roles/system/templates/ssh_host_ed25519_key.pub.j2
diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml
index 1ee4f48..00f2a00 100644
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
@@ -1,5 +1,6 @@
-borg_public_key: "AAAAC3NzaC1lZDI1NTE5AAAAIBTag7YToG5W+H2kEUz40kOH+7cs0Lp3owFFKkmHBiWM"
-dataserver_public_key: "AAAAC3NzaC1lZDI1NTE5AAAAIJsLVptkoOwmxs6DnenN8u7Q1Tm/Psh0QdI6vjrTgb6D"
+borg_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTag7YToG5W+H2kEUz40kOH+7cs0Lp3owFFKkmHBiWM root@max"
+dataserver_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsLVptkoOwmxs6DnenN8u7Q1Tm/Psh0QdI6vjrTgb6D root@lewis"
+user_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRBrKmIKP5BFhLSdntatIgSC0R/D9EEZlak5Yt0DfUe root@lewis"
 kingston1tb_mount_point: "/mnt/kingston1TB"
 kingston1tb_uuid: "622a8d81-aa2f-460b-a563-c3cdb6285609"
 backup_location: "{{ kingston1tb_mount_point }}/homeserver_backup"
diff --git a/roles/borg/tasks/main.yml b/roles/borg/tasks/main.yml
index ff4c687..55a3c8c 100644
--- a/roles/borg/tasks/main.yml
+++ b/roles/borg/tasks/main.yml
@@ -14,7 +14,7 @@
 name: borgbackup
 - name: Add Borg public key
 authorized_key:
- key: "ssh-ed25519 {{ borg_public_key }} root@max"
+ key: "{{ borg_public_key }}"
 user: "{{ ansible_user_id }}"
 - name: Create Borg repository
 command:
diff --git a/roles/system/files/ssh.conf b/roles/system/files/ssh.conf
new file mode 100644
index 0000000..9a26c53
--- /dev/null
+++ b/roles/system/files/ssh.conf
@@ -0,0 +1 @@
+CertificateFile /etc/ssh/ssh_user_ed25519_key-cert.pub
diff --git a/roles/system/files/ssh_user_ed25519_key b/roles/system/files/ssh_user_ed25519_key
new file mode 100644
index 0000000..97b033f
--- /dev/null
+++ b/roles/system/files/ssh_user_ed25519_key
@@ -0,0 +1,25 @@
+$ANSIBLE_VAULT;1.1;AES256
+35346438336463383831313235653538373964643631303961373865643332623636383161333934
+3531363564313239623935343032376535333962336336350a666439303639363735626562323530
+39613366343331643331663434303531613230373934376537646665633630356462333932613537
+3465383636323934300a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
diff --git a/roles/system/tasks/main.yml b/roles/system/tasks/main.yml
index c7c4d30..1fc7d1f 100644
--- a/roles/system/tasks/main.yml
+++ b/roles/system/tasks/main.yml
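Review bot: `CertificateFile /etc/ssh/ssh_user_ed25519_key-cert.pub` names the certificate but not the private key it certifies; per ssh_config(5) the key must be supplied separately (an IdentityFile directive, -i, or an agent), so this file should also carry `IdentityFile /etc/ssh/ssh_user_ed25519_key`, which is where roles/system/tasks/main.yml installs the key in this same commit. Because the snippet is dropped into /etc/ssh/ssh_config.d/custom.conf it applies to every local user and every destination host, while the key is installed 0600 root-only; wrapping both directives in a `Match localuser root` block (or a Host restriction for the backup target) would keep the certificate identity scoped to the one client that can actually read it. Also note that the ssh_user_ed25519_key hunk below is truncated in this view, so its contents were not reviewed.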
@@ -4,12 +4,41 @@
 user: "{{ ansible_user_id }}"
 loop: "{{ admin_public_keys }}"
 - name: Copy host public key
- template:
- src: "{{ role_path }}/templates/ssh_host_ed25519_key.pub.j2"
+ copy:
 dest: "/etc/ssh/ssh_host_ed25519_key.pub"
+ content: "{{ dataserver_public_key }}"
 mode: 0644
 - name: Copy host private key
 copy:
 src: "{{ role_path }}/files/ssh_host_ed25519_key"
 dest: "/etc/ssh/ssh_host_ed25519_key"
 mode: 0600
+- name: Copy user public key
+ copy:
+ dest: "/etc/ssh/ssh_user_ed25519_key.pub"
+ content: "{{ user_public_key }}"
+ mode: 0644
+- name: Copy user private key
+ copy:
+ src: "{{ role_path }}/files/ssh_user_ed25519_key"
+ dest: "/etc/ssh/ssh_user_ed25519_key"
+ mode: 0600
+- name: Copy ssh config
+ copy:
+ src: "{{ role_path }}/files/ssh.conf"
+ dest: "/etc/ssh/ssh_config.d/custom.conf"
+- name: Check certificate existance
+ stat:
+ path: "/etc/ssh/ssh_user_ed25519_key-cert.pub"
+ register: cert_stat
+- name: Generate user certificate
+ command:
+ cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@hermes.dmz '/root/ca.sh user \"{{ user_public_key }}\" lewis.dmz \"backup\"'"
+ register: cert
+ delegate_to: localhost
+ when: not cert_stat.stat.exists
+- name: Place user certificate
+ copy:
+ dest: "/etc/ssh/ssh_user_ed25519_key-cert.pub"
+ content: "{{ cert.stdout }}"
+ when: not cert_stat.stat.exists
diff --git a/roles/system/templates/ssh_host_ed25519_key.pub.j2 b/roles/system/templates/ssh_host_ed25519_key.pub.j2
deleted file mode 100644
index 08b6b21..0000000
--- a/roles/system/templates/ssh_host_ed25519_key.pub.j2
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 {{ dataserver_public_key }} root@lewis
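Review bot: In `Place user certificate`, `cert.stdout` is written to ssh_user_ed25519_key-cert.pub whenever the ssh command exits 0, so an empty or partial reply from ca.sh leaves an unusable certificate on disk, and because the next run gates on `cert_stat.stat.exists` that file is never regenerated; add `failed_when: cert.rc != 0 or cert.stdout | trim | length == 0` to `Generate user certificate` (the explicit `cert.rc` term is needed because `failed_when` replaces the module's default rc check). The existence-only gate also means a certificate that has expired is not renewed — presumably ca.sh issues time-limited certificates, so a validity check on the existing file or a force variable would be worth considering. `Copy ssh config` and `Place user certificate` set no `mode:` unlike the neighbouring tasks; `mode: 0644` would make the resulting permissions explicit rather than umask-dependent. The CA host `hermes.dmz`, the principal `lewis.dmz` and the identity `backup` are hard-coded inside the command string while the keys live in group_vars; role variables would keep the two together. Finally, "existance" in the stat task name should read "existence".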