diff --git a/inventory/host_vars/lewis.yml b/inventory/host_vars/lewis.yml
index f79bf26..f890f9e 100644
--- a/inventory/host_vars/lewis.yml
+++ b/inventory/host_vars/lewis.yml
@@ -12,3 +12,10 @@ backup_hosts:
 apt_install_packages:
   - borgbackup
+
+deploy_ssh_certificates:
+  - name: ssh_host_ed25519_key
+    type: host
+    key_type: ed25519
+    signing_key: hyp_host
+    host: lewis.hyp
diff --git a/lewis.yml b/lewis.yml
index 706755c..ecf9bd1 100644
--- a/lewis.yml
+++ b/lewis.yml
@@ -48,36 +48,6 @@
         passno: 1
         state: present
-    - name: Generate host key pair
-      openssh_keypair:
-        path: /etc/ssh/ssh_host_ed25519_key
-        type: ed25519
-        comment: "{{ ansible_host }}"
-      register: host_key
-    - name: Check whether host certificate exists
-      stat:
-        path: /etc/ssh/ssh_host_ed25519_key-cert.pub
-      register: cert_stat
-    - name: Generate SSH host certificate
-      command:
-        cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@atlas.hyp '/root/ssh_ca/ssh_ca.sh host hyp_host \"{{ host_key.public_key }}\" {{ ansible_host }}'"
-      register: host_certificate
-      delegate_to: localhost
-      when: not cert_stat.stat.exists
-    - name: Place host certificate
-      copy:
-        dest: /etc/ssh/ssh_host_ed25519_key-cert.pub
-        content: "{{ host_certificate.stdout }}"
-        mode: 0644
-      when: not cert_stat.stat.exists
-    - name: Enable host certificate
-      copy:
-        dest: /etc/ssh/sshd_config.d/sshd_host_certificate.conf
-        content: "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"
-
   roles:
-    - apt
+    - {role: apt, tags: apt}
+    - {role: deploy_ssh_certificates, tags: deploy_ssh_certificates}
diff --git a/requirements.yml b/requirements.yml
index 43e6eca..7dec18d 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -1,3 +1,6 @@
 - name: apt
   src: https://github.com/sunscrapers/ansible-role-apt.git
   scm: git
+- name: deploy_ssh_certificates
+  src: https://git.pim.kunis.nl/home/ansible-role-deploy-ssh-certificates
+  scm: git
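Review bot: The new `deploy_ssh_certificates` stanza has no comment saying what its keys mean, and `host: lewis.hyp` is a hardcoded name where the tasks this commit removes from lewis.yml passed `{{ ansible_host }}` to the signing script; if the role uses `host` as the certificate principal (presumably, given the old call), a name that differs from what clients connect with leaves the host certificate unmatched. I would add above the list: `# Host SSH certificates installed by the deploy_ssh_certificates role; signing_key names the CA on the signing host and host is the name the certificate is issued for (keep it equal to the name clients connect with)`. The stanza is complete within the hunk.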
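Review bot: Moving the certificate work into `roles:` changes when it runs: Ansible executes `roles:` before the play's `tasks:`, whereas the removed tasks ran after the mount tasks (`passno`/`state: present`) that precede `roles:` in this hunk; if the role depends on anything those tasks set up, invoke it from `tasks:` with `import_role` or move the mounts to `pre_tasks:`. Separately, the two new entries use flow mappings; the usual Ansible form is block style, e.g. `- role: deploy_ssh_certificates` followed by `  tags: deploy_ssh_certificates`. The play header and the start of `tasks:` lie above the hunk.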
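Review bot: The new `deploy_ssh_certificates` entry has no `version:`, so `ansible-galaxy install` fetches whatever the remote's default branch points to at install time; a role that generates and installs SSH host certificates should be pinned to a tag or commit, e.g. `version: <tag-or-commit>` (placeholder). The existing `apt` entry has the same gap, but it is not part of this change. Whether the `src` URL without a `.git` suffix is accepted depends on that server exposing it as a git remote.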