|
|
- # We can not use include_role here since it not share thje connection with the current role
- - include: roles/service/tasks/main.yaml
- vars:
- service_name: ssh
- service_packages:
- - openssh-server
- - openssh-sftp-server
-
- - name: Check if host certificate exists
- stat:
- path: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
- register: vm_ssh_certificate_exists
-
- - debug:
- var: vm_ssh_certificate_exists
- verbosity: 2
-
- - block:
- - name: Read host public key
- slurp:
- src: "/etc/ssh/ssh_host_ed25519_key.pub"
- register: vm_public_key
-
- - debug:
- var: vm_public_key['content']
- verbosity: 2
-
- - name: generate host request
- set_fact:
- ca_request:
- type: 'sign_request'
- request:
- keyType: 'ssh_host'
- hostName: '{{ ansible_docker_extra_args | default(inventory_hostname) }}.lilik.it'
- keyData: "{{ vm_public_key['content'] | b64decode | replace('\n', '')}}"
-
- - debug:
- var: ca_request | to_json
- verbosity: 2
-
- - name: start sign request
- include: ca-dialog.yaml
- vars:
- ansible_connection: ssh
-
- - debug:
- var: request_result
- verbosity: 2
-
- - set_fact:
- request_output: "{{ request_result.stdout | from_json }}"
-
- - debug:
- var: request_output
- verbosity: 2
-
- - name: generate get request
- set_fact:
- ca_request:
- type: 'get_certificate'
- requestID: '{{ request_output.requestID }}'
-
- - debug:
- var: ca_request
- verbosity: 2
-
- - debug:
- msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"
-
- - name: wait for cert
- include: ca-dialog.yaml
- vars:
- ansible_connection: ssh
-
- - debug:
- var: request_result
- verbosity: 2
-
- - set_fact:
- cert_key: "{{ request_result.stdout | string | from_json }}"
-
- - name: Write certificate to container
- copy:
- content: "{{ cert_key.result }}"
- dest: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
- register: set_pub_key
- notify: restart ssh
- when: "not vm_ssh_certificate_exists.stat.exists"
-
-
- - name: lookup user ca key
- set_fact:
- user_ca_key: "{{ lookup('file', 'test_ssh_ca.pub') }}"
-
- - name: Update container user CA key
- copy:
- content: "ssh-rsa {{ user_ca_key }}"
- dest: "/etc/ssh/user_ca.pub"
- notify: restart ssh
-
- - name: add certificate to sshd config
- lineinfile:
- line: 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub'
- dest: '/etc/ssh/sshd_config'
- regexp: '^HostCertificate *'
- notify: restart ssh
-
- - name: trust user ca key
- lineinfile:
- line: 'TrustedUserCAKeys /etc/ssh/user_ca.pub'
- dest: '/etc/ssh/sshd_config'
- regexp: '^TrustedUserCAKeys *'
- notify: restart ssh
-
- - name: permit root login only with certificate
- lineinfile:
- line: 'PermitRootLogin without-password'
- dest: '/etc/ssh/sshd_config'
- regexp: '^PermitRootLogin *'
- notify: restart ssh
-
- - meta: flush_handlers
-
- - name: "waiting for ssh on {{ ansible_docker_extra_args | default(inventory_hostname) }} to start"
- wait_for:
- host: "{{ hostvars | ip_from_inventory(inventory_hostname) }}"
- port: 22
- timeout: 30
- delegate_to: "{{ inventory_hostname }}"
- delegate_facts: True
|
