fetch user certificate for backup server

2023-04-10 15:04:53 +02:00 · 2023-04-10 15:04:53 +02:00 · 3c41b72c9b
commit 3c41b72c9b
parent 180445348e
6 changed files with 61 additions and 6 deletions
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
@ -1,5 +1,6 @@
-borg_public_key: "AAAAC3NzaC1lZDI1NTE5AAAAIBTag7YToG5W+H2kEUz40kOH+7cs0Lp3owFFKkmHBiWM"
+borg_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTag7YToG5W+H2kEUz40kOH+7cs0Lp3owFFKkmHBiWM root@max"
-dataserver_public_key: "AAAAC3NzaC1lZDI1NTE5AAAAIJsLVptkoOwmxs6DnenN8u7Q1Tm/Psh0QdI6vjrTgb6D"
+dataserver_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsLVptkoOwmxs6DnenN8u7Q1Tm/Psh0QdI6vjrTgb6D root@lewis"
 user_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRBrKmIKP5BFhLSdntatIgSC0R/D9EEZlak5Yt0DfUe root@lewis"
 kingston1tb_mount_point: "/mnt/kingston1TB"
 kingston1tb_uuid: "622a8d81-aa2f-460b-a563-c3cdb6285609"
 backup_location: "{{ kingston1tb_mount_point }}/homeserver_backup"
--- a/roles/borg/tasks/main.yml
+++ b/roles/borg/tasks/main.yml
@ -14,7 +14,7 @@
    name: borgbackup
 - name: Add Borg public key
  authorized_key:
-    key: "ssh-ed25519 {{ borg_public_key }} root@max"
+    key: "{{ borg_public_key }}"
    user: "{{ ansible_user_id }}"
 - name: Create Borg repository
  command:
--- a/roles/system/files/ssh.conf
+++ b/roles/system/files/ssh.conf
@ -0,0 +1 @@
 CertificateFile /etc/ssh/ssh_user_ed25519_key-cert.pub
--- a/roles/system/files/ssh_user_ed25519_key
+++ b/roles/system/files/ssh_user_ed25519_key
@ -0,0 +1,25 @@
 $ANSIBLE_VAULT;1.1;AES256
 35346438336463383831313235653538373964643631303961373865643332623636383161333934
 3531363564313239623935343032376535333962336336350a666439303639363735626562323530
 39613366343331643331663434303531613230373934376537646665633630356462333932613537
 3465383636323934300a343264636565623166646266313764643262343532376336333763363662
 30623133303436373936323534366335663439626633313138366565303037323034613164646663
 31366366346561623039633035373638636464626237353566376666643039626334633863626565
 66356538326464363465623035396534663033646336393265326339346363376666396565346130
 66313634373931323738613863653066313034373361646530666561633463626536633963613236
 31616561316366633865383336363832663066343666356437616332376565326630316538663236
 65383234643439633737336639306232383862366230316262353639313833393138643464393734
 61313463323961623264386334666462623039663138326434643339633165393533386665393839
 34643762643864316331343562366139343432313332356232386139663564323338633139363930
 61346139346430643966346363393331616264396133613362393066363039303164623730356536
 35313138613536626665393239663532663061636433316232393839323732393635316634376464
 39313439656131643436393830356662383537353730373132346639366636613830616562613164
 65623333663763653364616638663833333732356238303130626161653139646563633433353865
 64346235616331363338303265396437623264353066646439643264646665343962373237376131
 30326564623264336365653666616331616138356235323961323134373265646434643065666661
 63616534333631323132663532623135393632333236613162623932316261316165616331396261
 66383862303763313032653565323934303366313765326330303032353937386434656134336433
 30616531323762343539666331336132313530316637393564643530303135366263633531393334
 30346632383139333263326265356133316435636663613130626566333730623739653936366138
 33663165616336363361323631643331346238333635623135623364663234366666393034663132
 64616234633735636164
--- a/roles/system/tasks/main.yml
+++ b/roles/system/tasks/main.yml
@ -4,12 +4,41 @@
    user: "{{ ansible_user_id }}"
  loop: "{{ admin_public_keys }}"
 - name: Copy host public key
-  template:
+  copy:
    src: "{{ role_path }}/templates/ssh_host_ed25519_key.pub.j2"
    dest: "/etc/ssh/ssh_host_ed25519_key.pub"
    content: "{{ dataserver_public_key }}"
    mode: 0644
 - name: Copy host private key
  copy:
    src: "{{ role_path }}/files/ssh_host_ed25519_key"
    dest: "/etc/ssh/ssh_host_ed25519_key"
    mode: 0600
 - name: Copy user public key
  copy:
    dest: "/etc/ssh/ssh_user_ed25519_key.pub"
    content: "{{ user_public_key }}"
    mode: 0644
 - name: Copy user private key
  copy:
    src: "{{ role_path }}/files/ssh_user_ed25519_key"
    dest: "/etc/ssh/ssh_user_ed25519_key"
    mode: 0600
 - name: Copy ssh config
  copy:
    src: "{{ role_path }}/files/ssh.conf"
    dest: "/etc/ssh/ssh_config.d/custom.conf"
 - name: Check certificate existance
  stat:
    path: "/etc/ssh/ssh_user_ed25519_key-cert.pub"
  register: cert_stat
 - name: Generate user certificate
  command:
    cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@hermes.dmz '/root/ca.sh user \"{{ user_public_key }}\" lewis.dmz \"backup\"'"
  register: cert
  delegate_to: localhost
  when: not cert_stat.stat.exists
 - name: Place user certificate
  copy:
    dest: "/etc/ssh/ssh_user_ed25519_key-cert.pub"
    content: "{{ cert.stdout }}"
  when: not cert_stat.stat.exists
--- a/roles/system/templates/ssh_host_ed25519_key.pub.j2
+++ b/roles/system/templates/ssh_host_ed25519_key.pub.j2
@ -1 +0,0 @@
 ssh-ed25519 {{ dataserver_public_key }} root@lewis
		`@ -0,0 +1 @@`
							`CertificateFile /etc/ssh/ssh_user_ed25519_key-cert.pub`
		`@ -1 +0,0 @@`
			`ssh-ed25519 {{ dataserver_public_key }} root@lewis`