You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
127 lines
3.2 KiB
127 lines
3.2 KiB
- include: service.yaml
|
|
# static: yes # see static include issue: https://github.com/ansible/ansible/issues/13485
|
|
vars:
|
|
service_name: ssh
|
|
service_packages:
|
|
- openssh-server
|
|
|
|
- name: Check if host certificate exists
|
|
stat:
|
|
path: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
|
|
register: vm_ssh_certificate_exists
|
|
|
|
- debug:
|
|
var: vm_ssh_certificate_exists
|
|
verbosity: 2
|
|
|
|
- block:
|
|
- name: Read host public key
|
|
slurp:
|
|
src: "/etc/ssh/ssh_host_ed25519_key.pub"
|
|
register: vm_public_key
|
|
|
|
- debug:
|
|
var: vm_public_key['content']
|
|
verbosity: 2
|
|
|
|
- name: generate host request
|
|
set_fact:
|
|
cert_request:
|
|
type: 'sign_request'
|
|
request:
|
|
keyType: 'ssh_host'
|
|
hostName: '{{ ansible_docker_extra_args | default(inventory_hostname) }}.lilik.it'
|
|
keyData: "{{ vm_public_key['content'] | b64decode | replace('\n', '')}}"
|
|
|
|
- debug:
|
|
var: cert_request | to_json
|
|
verbosity: 2
|
|
|
|
- name: start sign request
|
|
raw: "{{ cert_request | to_json }}"
|
|
delegate_to: ca_request
|
|
delegate_facts: True
|
|
connection: ssh
|
|
register: request_result
|
|
failed_when: "( request_result.stdout | from_json ).failed"
|
|
|
|
- debug:
|
|
var: request_result
|
|
verbosity: 2
|
|
|
|
- set_fact:
|
|
request_output: "{{ request_result.stdout | from_json }}"
|
|
|
|
- debug:
|
|
var: request_output
|
|
verbosity: 2
|
|
|
|
- name: generate get request
|
|
set_fact:
|
|
get_request:
|
|
type: 'get_certificate'
|
|
requestID: '{{ request_output.requestID }}'
|
|
|
|
- debug:
|
|
var: get_request
|
|
verbosity: 2
|
|
|
|
- debug:
|
|
msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"
|
|
|
|
- name: wait for cert
|
|
raw: "{{ get_request | to_json }}"
|
|
delegate_to: ca_request
|
|
delegate_facts: True
|
|
connection: ssh
|
|
register: cert_result
|
|
failed_when: "(cert_result.stdout | from_json).failed"
|
|
|
|
- debug:
|
|
var: cert_result
|
|
verbosity: 2
|
|
|
|
- set_fact:
|
|
cert_key: "{{ cert_result.stdout | string | from_json }}"
|
|
|
|
- name: Write certificate to container
|
|
copy:
|
|
content: "{{ cert_key.result }}"
|
|
dest: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
|
|
register: set_pub_key
|
|
notify: restart ssh
|
|
when: "not vm_ssh_certificate_exists.stat.exists"
|
|
|
|
|
|
- name: lookup user ca key
|
|
set_fact:
|
|
user_ca_key: "{{ lookup('file', 'test_ssh_ca.pub') }}"
|
|
|
|
- name: Update container user CA key
|
|
copy:
|
|
content: "ssh-rsa {{ user_ca_key }}"
|
|
dest: "/etc/ssh/user_ca.pub"
|
|
|
|
- name: add certificate to sshd config
|
|
lineinfile:
|
|
line: 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub'
|
|
dest: '/etc/ssh/sshd_config'
|
|
regexp: '^HostCertificate *'
|
|
notify: restart ssh
|
|
|
|
- name: trust user ca key
|
|
lineinfile:
|
|
line: 'TrustedUserCAKeys /etc/ssh/user_ca.pub'
|
|
dest: '/etc/ssh/sshd_config'
|
|
regexp: '^TrustedUserCAKeys *'
|
|
notify: restart ssh
|
|
|
|
- meta: flush_handlers
|
|
|
|
- name: "waiting for ssh on {{ inventory_hostname }} vm to start"
|
|
wait_for:
|
|
host: "{{ hostvars[inventory_hostname]['ansible_host'] }}"
|
|
port: 22
|
|
timeout: 30
|
|
delegate_to: "{{ inventory_hostname }}"
|
|
delegate_facts: True
|