You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
121 lines
2.9 KiB
121 lines
2.9 KiB
# We can not use include_role here since it not
|
|
# share the connection with the current role
|
|
---
|
|
- include: roles/service/tasks/main.yaml
|
|
vars:
|
|
service_name: ssh
|
|
service_packages:
|
|
- openssh-server
|
|
- openssh-sftp-server
|
|
|
|
- name: Add last logins to MOTD
|
|
file:
|
|
dest: /etc/update-motd.d/11-last-ssh-login
|
|
src: last_ssh_login
|
|
|
|
- name: lookup user ca key
|
|
set_fact:
|
|
user_ca_key: "{{ lookup('file', 'lilik_ca_s1.pub') }}"
|
|
|
|
- name: Update container user CA key
|
|
copy:
|
|
content: "{{ user_ca_key }}"
|
|
dest: "/etc/ssh/user_ca.pub"
|
|
notify: restart ssh
|
|
|
|
- name: Validate SSH host certificate if any
|
|
ssh_cert:
|
|
register: ssh_verification
|
|
ignore_errors: yes
|
|
|
|
- debug:
|
|
var: ssh_verification
|
|
verbosity: 2
|
|
|
|
- block:
|
|
- name: Generate host request
|
|
host_request:
|
|
host: "{{ server_fqdn }}"
|
|
path: "/etc/ssh/ssh_host_ed25519_key.pub"
|
|
proto: "ssh"
|
|
register: ca_request
|
|
|
|
- name: start sign request
|
|
include: ca-dialog.yaml
|
|
vars:
|
|
ansible_connection: ssh
|
|
|
|
- debug:
|
|
var: request_result
|
|
verbosity: 2
|
|
|
|
- set_fact:
|
|
request_output: "{{ request_result.stdout | from_json }}"
|
|
|
|
- debug:
|
|
var: request_output
|
|
verbosity: 2
|
|
|
|
- name: generate get request
|
|
set_fact:
|
|
ca_request:
|
|
type: 'get_certificate'
|
|
requestID: '{{ request_output.requestID }}'
|
|
|
|
- debug:
|
|
var: ca_request
|
|
verbosity: 2
|
|
|
|
- debug:
|
|
msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"
|
|
|
|
- name: wait for cert
|
|
include: ca-dialog.yaml
|
|
vars:
|
|
ansible_connection: ssh
|
|
|
|
- debug:
|
|
var: request_result
|
|
verbosity: 2
|
|
|
|
- set_fact:
|
|
cert_key: "{{ request_result.stdout | string | from_json }}"
|
|
|
|
- name: Write certificate to container
|
|
copy:
|
|
content: "{{ cert_key.result }}"
|
|
dest: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
|
|
register: set_pub_key
|
|
notify: restart ssh
|
|
when: ssh_verification.failed
|
|
|
|
- name: add certificate to sshd config
|
|
lineinfile:
|
|
line: 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub'
|
|
dest: '/etc/ssh/sshd_config'
|
|
regexp: '^HostCertificate *'
|
|
notify: restart ssh
|
|
|
|
- name: trust user ca key
|
|
lineinfile:
|
|
line: 'TrustedUserCAKeys /etc/ssh/user_ca.pub'
|
|
dest: '/etc/ssh/sshd_config'
|
|
regexp: '^TrustedUserCAKeys *'
|
|
notify: restart ssh
|
|
|
|
- name: permit root login only with certificate
|
|
lineinfile:
|
|
line: 'PermitRootLogin without-password'
|
|
dest: '/etc/ssh/sshd_config'
|
|
regexp: '^PermitRootLogin *'
|
|
notify: restart ssh
|
|
|
|
- meta: flush_handlers
|
|
|
|
- name: "waiting for ssh on {{ ansible_docker_extra_args | default(inventory_hostname) }} to start"
|
|
wait_for:
|
|
host: "{{ hostvars | ip_from_inventory(inventory_hostname) }}"
|
|
port: 22
|
|
timeout: 30
|
|
delegate_to: "{{ inventory_hostname }}"
|
|
delegate_facts: True
|