---
|
|
- include: 'roles/service/tasks/main.yaml'
|
|
vars:
|
|
service_name: 'ssh'
|
|
service_packages:
|
|
- 'openssh-server'
|
|
- 'openssh-sftp-server'
|
|
|
|
- name: 'update user ca certs'
|
|
template:
|
|
src: 'user_ca.pub.j2'
|
|
dest: '/etc/ssh/user_ca.pub'
|
|
notify: 'restart ssh'
|
|
|
|
- name: 'validate ssh cert if present'
|
|
ssh_cert:
|
|
register: ssh_verification
|
|
ignore_errors: yes
|
|
|
|
- debug:
|
|
var: ssh_verification
|
|
verbosity: 2
|
|
|
|
- block:
|
|
- name: 'generate host cert request'
|
|
cert_request:
|
|
host: '{{ server_fqdn }}'
|
|
path: '/etc/ssh/ssh_host_ed25519_key.pub'
|
|
proto: 'ssh'
|
|
register: ca_request
|
|
|
|
- name: 'start sign request'
|
|
include: 'ca-dialog.yaml'
|
|
vars:
|
|
ansible_connection: 'ssh'
|
|
|
|
- debug:
|
|
var: request_result
|
|
verbosity: 2
|
|
|
|
- set_fact:
|
|
request_output: '{{ request_result.stdout | from_json }}'
|
|
|
|
- debug:
|
|
var: request_output
|
|
verbosity: 2
|
|
|
|
- name: 'generate get request'
|
|
set_fact:
|
|
ca_request:
|
|
type: 'get_certificate'
|
|
requestID: '{{ request_output.requestID }}'
|
|
|
|
- debug:
|
|
var: ca_request
|
|
verbosity: 2
|
|
|
|
- debug:
|
|
msg: 'Please manualy confirm sign request with id {{ request_output.requestID }}'
|
|
|
|
- name: 'wait for cert'
|
|
include: 'ca-dialog.yaml'
|
|
vars:
|
|
ansible_connection: 'ssh'
|
|
|
|
- debug:
|
|
var: request_result
|
|
verbosity: 2
|
|
|
|
- set_fact:
|
|
cert_key: '{{ request_result.stdout | string | from_json }}'
|
|
|
|
- name: 'write certificate to container'
|
|
copy:
|
|
content: '{{ cert_key.result }}'
|
|
dest: '/etc/ssh/ssh_host_ed25519_key-cert.pub'
|
|
register: set_pub_key
|
|
notify: 'restart ssh'
|
|
when: ssh_verification.failed
|
|
|
|
- name: 'add certificate to sshd config'
|
|
lineinfile:
|
|
line: 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub'
|
|
dest: '/etc/ssh/sshd_config'
|
|
regexp: '^HostCertificate *'
|
|
notify: 'restart ssh'
|
|
|
|
- name: 'trust user ca key'
|
|
lineinfile:
|
|
line: 'TrustedUserCAKeys /etc/ssh/user_ca.pub'
|
|
dest: '/etc/ssh/sshd_config'
|
|
regexp: '^TrustedUserCAKeys *'
|
|
notify: 'restart ssh'
|
|
|
|
- name: 'permit root login only with certificate'
|
|
lineinfile:
|
|
line: 'PermitRootLogin without-password'
|
|
dest: '/etc/ssh/sshd_config'
|
|
regexp: '^PermitRootLogin *'
|
|
notify: 'restart ssh'
|
|
|
|
- meta: 'flush_handlers'
|
|
|
|
- name: 'waiting for ssh on {{ inventory_hostname }} to start'
|
|
wait_for:
|
|
host: '{{ hostvars | ip_from_inventory(inventory_hostname) }}'
|
|
port: 22
|
|
timeout: 30
|
|
delegate_to: '{{ inventory_hostname }}'
|
|
delegate_facts: true
|