Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 

110 lines
2.6 KiB

---
- include: 'roles/service/tasks/main.yaml'
vars:
service_name: 'ssh'
service_packages:
- 'openssh-server'
- 'openssh-sftp-server'
- name: 'update user ca certs'
template:
src: 'user_ca.pub.j2'
dest: '/etc/ssh/user_ca.pub'
notify: 'restart ssh'
- name: 'validate ssh cert if present'
ssh_cert:
register: ssh_verification
ignore_errors: yes
- debug:
var: ssh_verification
verbosity: 2
- block:
- name: 'generate host cert request'
cert_request:
host: '{{ server_fqdn }}'
path: '/etc/ssh/ssh_host_ed25519_key.pub'
proto: 'ssh'
register: ca_request
- name: 'start sign request'
include: 'ca-dialog.yaml'
vars:
ansible_connection: 'ssh'
- debug:
var: request_result
verbosity: 2
- set_fact:
request_output: '{{ request_result.stdout | from_json }}'
- debug:
var: request_output
verbosity: 2
- name: 'generate get request'
set_fact:
ca_request:
type: 'get_certificate'
requestID: '{{ request_output.requestID }}'
- debug:
var: ca_request
verbosity: 2
- debug:
msg: 'Please manualy confirm sign request with id {{ request_output.requestID }}'
- name: 'wait for cert'
include: 'ca-dialog.yaml'
vars:
ansible_connection: 'ssh'
- debug:
var: request_result
verbosity: 2
- set_fact:
cert_key: '{{ request_result.stdout | string | from_json }}'
- name: 'write certificate to container'
copy:
content: '{{ cert_key.result }}'
dest: '/etc/ssh/ssh_host_ed25519_key-cert.pub'
register: set_pub_key
notify: 'restart ssh'
when: ssh_verification.failed
- name: 'add certificate to sshd config'
lineinfile:
line: 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub'
dest: '/etc/ssh/sshd_config'
regexp: '^HostCertificate *'
notify: 'restart ssh'
- name: 'trust user ca key'
lineinfile:
line: 'TrustedUserCAKeys /etc/ssh/user_ca.pub'
dest: '/etc/ssh/sshd_config'
regexp: '^TrustedUserCAKeys *'
notify: 'restart ssh'
- name: 'permit root login only with certificate'
lineinfile:
line: 'PermitRootLogin without-password'
dest: '/etc/ssh/sshd_config'
regexp: '^PermitRootLogin *'
notify: 'restart ssh'
- meta: 'flush_handlers'
- name: 'waiting for ssh on {{ inventory_hostname }} to start'
wait_for:
host: '{{ hostvars | ip_from_inventory(inventory_hostname) }}'
port: 22
timeout: 30
delegate_to: '{{ inventory_hostname }}'
delegate_facts: true