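---
# Provision the home server:
#   * trust SSH user certificates issued by the hypervisor CA,
#   * mount the backup disk and create one borg repository per backed-up host,
#   * issue this host an SSH host certificate signed by the CA on atlas.hyp.
#
# Ansible runs `roles:` before `tasks:` regardless of where the key appears
# in the play, so the apt role is listed first to make that order visible.
- name: Setup homeserver
  hosts: dataserver

  roles:
    - apt

  handlers:
    - name: restart sshd
      systemd:
        name: sshd
        state: restarted

  tasks:
    # ---- User certificate authentication --------------------------------
    - name: Copy backup user principals file
      copy:
        dest: /etc/ssh/backup_principals
        content: hypervisor
        mode: "0644"

    - name: Copy hyp user SSH CA public key
      copy:
        dest: /etc/ssh/hyp_user.pub
        content: "{{ hyp_user_ca_public_key }}"
        mode: "0644"

    - name: Copy user certificate sshd config
      copy:
        src: "sshd_user_certificates.conf"
        dest: /etc/ssh/sshd_config.d/user_certificates.conf
        mode: "0644"
      notify: restart sshd

    # ---- Backup disk ------------------------------------------------------
    # The disk must be mounted before anything is created under the mount
    # point. Creating the hosts directory and the borg repositories first
    # would place them on the root filesystem, where the mount then hides
    # them and backups silently land on the wrong disk.
    - name: Create extra disk mount point
      file:
        path: "{{ kingston1tb_mount_point }}"
        state: directory

    - name: Mount extra disk
      ansible.posix.mount:
        path: "{{ kingston1tb_mount_point }}"
        src: "UUID={{ kingston1tb_uuid }}"
        fstype: ext4
        passno: "2"  # non-root filesystems are fsck'd in pass 2, see fstab(5)
        state: mounted  # `present` only writes fstab; `mounted` also mounts now

    - name: Ensure backup directory exists
      file:
        path: "{{ kingston1tb_mount_point }}/hosts"
        state: directory

    # NOTE(review): `-e none` creates unencrypted, unauthenticated
    # repositories — anyone with read access to the disk can read the
    # backups and anyone with write access can tamper with them. Consider
    # `-e repokey-blake2` with a managed passphrase.
    # `creates:` only checks that the directory exists, not that it holds
    # a valid borg repository.
    - name: Create backup repositories
      command:
        cmd: "borg init -e none {{ kingston1tb_mount_point }}/hosts/{{ item }}"
        creates: "{{ kingston1tb_mount_point }}/hosts/{{ item }}"
      loop: "{{ backup_hosts | flatten(levels=1) }}"

    # ---- Host certificate ---------------------------------------------------
    - name: Generate host key pair
      openssh_keypair:
        path: /etc/ssh/ssh_host_ed25519_key
        type: ed25519
        comment: "{{ ansible_host }}"
      register: host_key

    - name: Check whether host certificate exists
      stat:
        path: /etc/ssh/ssh_host_ed25519_key-cert.pub
      register: cert_stat

    # Runs on the controller and asks the CA host to sign the new public
    # key. BatchMode makes ssh fail instead of hanging on a host-key or
    # passphrase prompt, so atlas.hyp must already be in the controller's
    # known_hosts. The public key and host name are expanded into a remote
    # shell command; both originate from this play / the inventory rather
    # than from the managed host, but `ansible_host` must stay free of
    # shell metacharacters.
    # A certificate is (re)issued when none exists or when the host key was
    # just (re)generated, so a rotated key never keeps a stale certificate.
    # NOTE(review): a certificate with a validity period is still not
    # renewed automatically before it expires.
    - name: Generate SSH host certificate
      command:
        cmd: >-
          ssh -o BatchMode=yes -o ConnectTimeout=3 -o ConnectionAttempts=1
          root@atlas.hyp
          '/root/ssh_ca/ssh_ca.sh host hyp_host
          "{{ host_key.public_key }}" "{{ ansible_host }}"'
      register: host_certificate
      delegate_to: localhost
      when: not cert_stat.stat.exists or host_key.changed
      # never accept an empty signing result as a certificate
      failed_when: host_certificate.rc != 0 or host_certificate.stdout | trim == ''

    - name: Place host certificate
      copy:
        dest: /etc/ssh/ssh_host_ed25519_key-cert.pub
        content: "{{ host_certificate.stdout }}"
        mode: "0644"
      when: not cert_stat.stat.exists or host_key.changed
      notify: restart sshd

    # sshd only reads HostCertificate at startup, so both the config drop-in
    # and a new certificate must trigger a restart to take effect.
    - name: Enable host certificate
      copy:
        dest: /etc/ssh/sshd_config.d/sshd_host_certificate.conf
        content: "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"
        mode: "0644"
      notify: restart sshd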