--- - include: 'roles/service/tasks/main.yaml' vars: service_name: 'ssh' service_packages: - 'openssh-server' - 'openssh-sftp-server' - name: 'update user ca certs' template: src: 'user_ca.pub.j2' dest: '/etc/ssh/user_ca.pub' notify: 'restart ssh' - name: 'validate ssh cert if present' ssh_cert: register: ssh_verification ignore_errors: yes - debug: var: ssh_verification verbosity: 2 - block: - name: 'generate host cert request' cert_request: host: '{{ server_fqdn }}' path: '/etc/ssh/ssh_host_ed25519_key.pub' proto: 'ssh' register: ca_request - name: 'start sign request' include: 'ca-dialog.yaml' vars: ansible_connection: 'ssh' - debug: var: request_result verbosity: 2 - set_fact: request_output: '{{ request_result.stdout | from_json }}' - debug: var: request_output verbosity: 2 - name: 'generate get request' set_fact: ca_request: type: 'get_certificate' requestID: '{{ request_output.requestID }}' - debug: var: ca_request verbosity: 2 - debug: msg: 'Please manualy confirm sign request with id {{ request_output.requestID }}' - name: 'wait for cert' include: 'ca-dialog.yaml' vars: ansible_connection: 'ssh' - debug: var: request_result verbosity: 2 - set_fact: cert_key: '{{ request_result.stdout | string | from_json }}' - name: 'write certificate to container' copy: content: '{{ cert_key.result }}' dest: '/etc/ssh/ssh_host_ed25519_key-cert.pub' register: set_pub_key notify: 'restart ssh' when: ssh_verification.failed - name: 'add certificate to sshd config' lineinfile: line: 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub' dest: '/etc/ssh/sshd_config' regexp: '^HostCertificate *' notify: 'restart ssh' - name: 'trust user ca key' lineinfile: line: 'TrustedUserCAKeys /etc/ssh/user_ca.pub' dest: '/etc/ssh/sshd_config' regexp: '^TrustedUserCAKeys *' notify: 'restart ssh' - name: 'permit root login only with certificate' lineinfile: line: 'PermitRootLogin without-password' dest: '/etc/ssh/sshd_config' regexp: '^PermitRootLogin *' notify: 'restart ssh' - meta: 'flush_handlers' - name: 'waiting for ssh on {{ inventory_hostname }} to start' wait_for: host: '{{ hostvars | ip_from_inventory(inventory_hostname) }}' port: 22 timeout: 30 delegate_to: '{{ inventory_hostname }}' delegate_facts: true