base: Factor out SSH host, user cert roles

Moving the SSH host and user certificate configuration roles out of `base.yml` into their own playbooks. This will make it easier to deploy them separately, and target different sets of hosts. The main driver for this change is the OVH VPS; being external, it cannot communicate with SSHCA and thus cannot have a signed host certificate. As such, we do not want to try to configure the SSHCA client on it at all.
2025-02-01 12:36:39 -06:00 · 2025-02-01 12:36:39 -06:00 · 34c1256f27
parent a3a2dde6ab
commit 34c1256f27
4 changed files with 9 additions and 3 deletions
--- a/base.yml
+++ b/base.yml
@ -2,9 +2,6 @@
 - hosts: all
  roles:
  - base
-  - role: ssh-host-certs
-    tags: ssh-host-certs
-  - ssh-user-ca
 - hosts: kvm-guest
  roles:
  - serial-console
--- a/bootstrap.yml
+++ b/bootstrap.yml
@ -2,3 +2,5 @@
 - import_playbook: hostname.yml
 - import_playbook: base.yml
 - import_playbook: firewalld.yml
+- import_playbook: ssh-host-certs.yml
+- import_playbook: ssh-user-ca.yml
--- a/ssh-host-certs.yml
+++ b/ssh-host-certs.yml
@ -0,0 +1,4 @@
+- hosts: '!vps'
+  roles:
+  - role: ssh-host-certs
+    tags: ssh-host-certs
--- a/ssh-user-ca.yml
+++ b/ssh-user-ca.yml
@ -0,0 +1,3 @@
+- hosts: all
+  roles:
+  - ssh-user-ca