- name: Determine SSH keys generated by this machine
  # Collect the host private keys in /etc/ssh. Every task below keys off
  # this list: one certificate is expected next to each host key.
  find:
    paths: /etc/ssh
    file_type: file
    patterns: "ssh_host_*_key"
  register: ssh_key_files
  tags:
    - sshd_config
    - config
    - sshd
    - base
- name: Determine SSH keys never signed
  # A host key counts as unsigned when no <key>-cert.pub exists beside it.
  # The per-key results (item.stat.exists, item.item.path) drive the
  # list-building task that follows.
  stat:
    path: "{{ item.path }}-cert.pub"
  with_items: "{{ ssh_key_files.files }}"
  register: ssh_cert_files
  tags:
    - sshd_config
    - config
    - sshd
    - base
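- name: Set lists of certs to sign to empty
  # Start from a real (empty) list, not the string "[]": the append below
  # then uses plain Jinja list concatenation instead of building a string
  # that Ansible has to re-evaluate into a list (behaviour that differs
  # between jinja2_native on and off).
  set_fact:
    certs_to_sign: []
  tags:
    - sshd_config
    - config
    - sshd
    - base

- name: Set list of certs to sign
  # Append the private-key path of every host key that has no -cert.pub
  # next to it. Only missing certificates are detected here; expired ones
  # are not (see the TODO that follows these tasks).
  set_fact:
    certs_to_sign: "{{ certs_to_sign + [item.item.path] }}"
  with_items: "{{ ssh_cert_files.results }}"
  when: not item.stat.exists
  tags:
    - sshd_config
    - config
    - sshd
    - base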
# TODO: Get expired certificates, and add them to certs_to_sign

- name: Set the directory that fetched public keys are collected in
  # NOTE(review): /tmp is world-writable on a typical host, so an entry
  # already present at this path could be owned by another local user when
  # the directory task below runs; a root-owned parent directory would be
  # the safer home for signing material. Confirm how the delegate's /tmp is
  # set up before changing it.
  set_fact:
    pubkeydir: "/tmp/sshkeysign"
  tags:
    - sshd_config
    - config
    - sshd
    - base
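- name: Create directory for storing pubkeys
  # Created on the signing host (batcave01) once per play, not once per
  # target host.
  file:
    path: "{{ pubkeydir }}"
    owner: root
    group: root
    # 0700 rather than 0600: a directory needs the search (execute) bit to
    # be traversable; 0600 only appeared to work because root bypasses
    # discretionary permission checks. Quoted so YAML keeps the octal text.
    mode: "0700"
    state: directory
  delegate_to: "batcave01.phx2.fedoraproject.org"
  run_once: true
  tags:
    - sshd_config
    - config
    - sshd
    - base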
- name: Get public keys for certs to sign
  # Pull each <key>.pub to pubkeydir on the controller. With fetch's default
  # (flat: false) the file lands at <pubkeydir>/<inventory_hostname>/<src
  # path>, which is exactly the layout the signing and copy tasks below
  # reference. Only public keys leave the target host.
  # NOTE(review): fetch writes to the Ansible controller, while the
  # directory creation and signing are delegated to batcave01 — this only
  # lines up when the play is run from batcave01; presumably that is the
  # case here.
  fetch:
    src: "{{ item }}.pub"
    dest: "{{ pubkeydir }}"
    fail_on_missing: true
  with_items: "{{ certs_to_sign }}"
  tags:
    - sshd_config
    - config
    - sshd
    - base
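- name: Set some extra signing facts
  # sign_hostnames: the principals written into the host certificate —
  # ssh_hostnames (defined outside this file; assumed to be a list, as the
  # join filter in the signing task requires) plus the inventory name. Built
  # with Jinja list concatenation so the result is a list on every Ansible
  # version rather than a string Ansible has to re-evaluate.
  # sign_validity: ssh-keygen -V interval; the slightly negative start
  # tolerates clock skew between signer and host, and the certificate expires
  # 52 weeks after signing (nothing here renews it yet, see the TODO above).
  set_fact:
    sign_hostnames: "{{ ssh_hostnames + [inventory_hostname] }}"
    sign_validity: "-1h:+52w"
  tags:
    - sshd_config
    - config
    - sshd
    - base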
# Currently, we use the epoch as serial. That's unique enough for now
- name: Sign the certificates
  # Runs on the signing host, so the CA private key under {{private}} never
  # leaves it; only public keys and the resulting certificates travel.
  # -h marks a host certificate, -n sets the principals, -V the validity
  # window, -z the serial.
  # NOTE(review): ansible_date_time.epoch is gathered once per play, so every
  # key type of one host signed in this loop gets the same serial. That does
  # not affect validation, but it makes revoking a single certificate by
  # serial (KRL) impossible — a per-certificate serial would be better.
  command: "ssh-keygen -s {{private}}/files/ssh/{{env}}_ca_host_key -I {{inventory_hostname}} -h -n {{ sign_hostnames|join(',') }} -V {{sign_validity}} -z {{ansible_date_time.epoch}} {{pubkeydir}}/{{inventory_hostname}}{{item}}.pub"
  delegate_to: "batcave01.phx2.fedoraproject.org"
  with_items: "{{ certs_to_sign }}"
  tags:
    - sshd_config
    - config
    - sshd
    - base
- name: Copy the certificates
  # Push each freshly signed <key>-cert.pub from the controller back next
  # to its private key on the target host (the same path the stat task
  # checked), then notify the "restart sshd" handler so the new certificate
  # is picked up.
  copy:
    src: "{{ pubkeydir }}/{{ inventory_hostname }}{{ item }}-cert.pub"
    dest: "{{ item }}-cert.pub"
  with_items: "{{ certs_to_sign }}"
  notify:
    - restart sshd
  tags:
    - sshd_config
    - config
    - sshd
    - base