# We can not use include_role here since it not # share the connection with the current role --- - include: roles/service/tasks/main.yaml vars: service_name: ssh service_packages: - openssh-server - openssh-sftp-server - name: lookup user ca key set_fact: user_ca_key: "{{ lookup('file', 'lilik_ca_s1.pub') }}" - name: Update container user CA key copy: content: "{{ user_ca_key }}" dest: "/etc/ssh/user_ca.pub" notify: restart ssh - name: Validate SSH host certificate if any ssh_cert: register: ssh_verification ignore_errors: yes - debug: var: ssh_verification verbosity: 2 - block: - name: Generate host request cert_request: host: "{{ server_fqdn }}" path: "/etc/ssh/ssh_host_ed25519_key.pub" proto: "ssh" register: ca_request - name: start sign request include: ca-dialog.yaml vars: ansible_connection: ssh - debug: var: request_result verbosity: 2 - set_fact: request_output: "{{ request_result.stdout | from_json }}" - debug: var: request_output verbosity: 2 - name: generate get request set_fact: ca_request: type: 'get_certificate' requestID: '{{ request_output.requestID }}' - debug: var: ca_request verbosity: 2 - debug: msg: "Please manualy confirm sign request with id {{ request_output.requestID }}" - name: wait for cert include: ca-dialog.yaml vars: ansible_connection: ssh - debug: var: request_result verbosity: 2 - set_fact: cert_key: "{{ request_result.stdout | string | from_json }}" - name: Write certificate to container copy: content: "{{ cert_key.result }}" dest: "/etc/ssh/ssh_host_ed25519_key-cert.pub" register: set_pub_key notify: restart ssh when: ssh_verification.failed - name: add certificate to sshd config lineinfile: line: 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub' dest: '/etc/ssh/sshd_config' regexp: '^HostCertificate *' notify: restart ssh - name: trust user ca key lineinfile: line: 'TrustedUserCAKeys /etc/ssh/user_ca.pub' dest: '/etc/ssh/sshd_config' regexp: '^TrustedUserCAKeys *' notify: restart ssh - name: permit root login only with certificate lineinfile: line: 'PermitRootLogin without-password' dest: '/etc/ssh/sshd_config' regexp: '^PermitRootLogin *' notify: restart ssh - meta: flush_handlers - name: "waiting for ssh on {{ ansible_docker_extra_args | default(inventory_hostname) }} to start" wait_for: host: "{{ hostvars | ip_from_inventory(inventory_hostname) }}" port: 22 timeout: 30 delegate_to: "{{ inventory_hostname }}" delegate_facts: True