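---
# We cannot use include_role here: it does not share the connection of the
# current role, and every task below has to run inside the container.
# NOTE(review): `include` is deprecated and removed in ansible-core 2.16;
# `include_tasks` is the drop-in replacement once the controller is upgraded.
- include: roles/service/tasks/main.yaml
  vars:
    service_name: ssh
    service_packages:
      - openssh-server
      - openssh-sftp-server

# The user CA public key is read on the controller and installed into the
# container as the CA sshd trusts for user certificates (TrustedUserCAKeys).
# NOTE(review): the key type is hard-coded as ssh-rsa, so test_ssh_ca.pub must
# hold only the base64 blob (no type prefix, no comment) or the resulting line
# is malformed and sshd rejects every user certificate — verify the file format.
# The "test_" name also suggests a non-production CA: whoever holds its private
# key can mint a root certificate for every host this role configures.
- name: lookup user ca key
  set_fact:
    user_ca_key: "{{ lookup('file', 'test_ssh_ca.pub') }}"

- name: Update container user CA key
  copy:
    content: "ssh-rsa {{ user_ca_key }}"
    dest: /etc/ssh/user_ca.pub
    # public material, but it must not be writable by anyone else: whoever can
    # edit this file can make sshd trust a CA of their own
    mode: '0644'
  notify: restart ssh

# Decide whether the host certificate needs renewal. rc == 0 means "still valid
# for at least one more month"; any other outcome (no certificate file, output
# that does not parse, expiry within a month) triggers a new sign request below.
# NOTE(review): the check assumes the host certificate is signed by the same CA
# as user_ca.pub (one CA for host and user certs); if a separate host CA is
# used the grep never matches and a certificate is re-requested on every run.
- name: Check if host certificate is valid for at least one more month
  shell: |
    ca_fp="$(ssh-keygen -f /etc/ssh/user_ca.pub -l | cut -d " " -f 2)"
    # In `ssh-keygen -L` output "Valid:" follows "Signing CA:" within three
    # lines; its last field is the not-after timestamp (or "forever"). Using
    # the last field instead of a fixed column makes this independent of the
    # exact indentation ssh-keygen prints.
    not_after="$(ssh-keygen -f /etc/ssh/ssh_host_ed25519_key-cert.pub -L \
      | grep -A 3 "$ca_fp" | grep Valid | awk '{print $NF}')"
    # ISO-8601 timestamps compare correctly as strings; "forever" sorts after
    # any digit and therefore also counts as valid.
    [[ "$not_after" > "$(date +%Y-%m-%dT%H:%M:%S --date '+1 month')" ]]
  args:
    executable: /bin/bash
  register: vm_has_valid_ssh_certificate
  changed_when: false
  failed_when: false

- debug:
    var: vm_has_valid_ssh_certificate
    verbosity: 2

# Request a fresh host certificate from the CA service. The sign request must
# be confirmed manually on the CA side, so the second dialog blocks on an
# operator before the certificate can be fetched.
- block:
    - name: Read host public key
      slurp:
        src: /etc/ssh/ssh_host_ed25519_key.pub
      register: vm_public_key

    - debug:
        var: vm_public_key['content']
        verbosity: 2

    - name: generate host request
      set_fact:
        ca_request:
          type: sign_request
          request:
            keyType: ssh_host
            hostName: "{{ ansible_docker_extra_args | default(inventory_hostname) }}.lilik.it"
            # slurp returns base64; the decoded .pub file ends with a newline
            # that must not end up inside the JSON request
            keyData: "{{ vm_public_key['content'] | b64decode | replace('\n', '')}}"

    - debug:
        var: ca_request | to_json
        verbosity: 2

    # ca-dialog.yaml talks to the CA host over ssh, hence the connection override
    - name: start sign request
      include: ca-dialog.yaml
      vars:
        ansible_connection: ssh

    - debug:
        var: request_result
        verbosity: 2

    - set_fact:
        request_output: "{{ request_result.stdout | from_json }}"

    - debug:
        var: request_output
        verbosity: 2

    - name: generate get request
      set_fact:
        ca_request:
          type: get_certificate
          requestID: "{{ request_output.requestID }}"

    - debug:
        var: ca_request
        verbosity: 2

    - debug:
        msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"

    - name: wait for cert
      include: ca-dialog.yaml
      vars:
        ansible_connection: ssh

    - debug:
        var: request_result
        verbosity: 2

    - set_fact:
        cert_key: "{{ request_result.stdout | string | from_json }}"

    # NOTE(review): cert_key.result is written as-is; nothing checks that it is
    # a certificate for our key (e.g. `ssh-keygen -L`) before sshd loads it.
    - name: Write certificate to container
      copy:
        content: "{{ cert_key.result }}"
        dest: /etc/ssh/ssh_host_ed25519_key-cert.pub
        mode: '0644'
      register: set_pub_key
      notify: restart ssh
  when: vm_has_valid_ssh_certificate.rc != 0

# sshd_config directives. `validate` runs `sshd -t` against the candidate file,
# so a bad line fails the task instead of leaving sshd unable to restart (the
# restart handler would otherwise lock us out of the container).
# NOTE(review): lineinfile appends at EOF when the directive is absent; if the
# shipped sshd_config ends with a `Match` block the directive lands inside it
# and validation fails — an `insertbefore: '^Match '` would be needed then.
- name: add certificate to sshd config
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^HostCertificate *'
    line: HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
    validate: /usr/sbin/sshd -t -f %s
  notify: restart ssh

# No AuthorizedPrincipalsFile is configured, so any certificate from this CA
# whose principals include the target user name is accepted by sshd.
- name: trust user ca key
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^TrustedUserCAKeys *'
    line: TrustedUserCAKeys /etc/ssh/user_ca.pub
    validate: /usr/sbin/sshd -t -f %s
  notify: restart ssh

# `without-password` is the pre-OpenSSH-7.0 spelling of `prohibit-password`:
# root may still authenticate with any public key in authorized_keys, not only
# with a certificate. Kept as-is for compatibility with older sshd in the image.
# NOTE(review): PasswordAuthentication is left untouched for non-root users.
- name: permit root login only with key or certificate
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin *'
    line: PermitRootLogin without-password
    validate: /usr/sbin/sshd -t -f %s
  notify: restart ssh

# Restart sshd now so the wait below observes the reconfigured daemon.
- meta: flush_handlers

- name: "waiting for ssh on {{ ansible_docker_extra_args | default(inventory_hostname) }} to start"
  wait_for:
    host: "{{ hostvars | ip_from_inventory(inventory_hostname) }}"
    port: 22
    timeout: 30
  delegate_to: "{{ inventory_hostname }}"
  delegate_facts: true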