r/ssh-host-certs: Import systemd unit files

The _sshca-cli_ package no longer provides a _-systemd_ sub-package containing the systemd unit files for automatically requesting and renewing SSH host certificates. Its original intent was to support automatically signing certificates on first boot by having the unit files installed by Anaconda, but this never really worked for various reasons. Since I'd rather not have to rebuild the RPMs every time I need to make a change to the systemd units, and Ansible is required to actually get the certificates issued anyway, it makes more sense to have the unit files in the configuration policy instead.
2025-09-13 21:37:08 -05:00 · 2025-09-13 21:37:08 -05:00 · 37e6622351
parent 8e8c109bf6
commit 37e6622351
5 changed files with 80 additions and 5 deletions
--- a/roles/ssh-host-certs/files/ssh-host-cert-sign@.service
+++ b/roles/ssh-host-certs/files/ssh-host-cert-sign@.service
@ -0,0 +1,34 @@
+[Unit]
+Description=Request %I SSH Host Certificate
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+EnvironmentFile=-/etc/sysconfig/ssh-host-cert-sign
+ExecStart=/usr/bin/sshca-cli host sign --output /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key.pub
+
+CapabilityBoundingSet=CAP_CHOWN
+DeviceAllow=
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/etc/ssh
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
--- a/roles/ssh-host-certs/files/ssh-host-certs-renew.target
+++ b/roles/ssh-host-certs/files/ssh-host-certs-renew.target
@ -0,0 +1,7 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Request SSH Host Certificates
+StopWhenUnneeded=yes
+Wants=ssh-host-cert-sign@ed25519.service
+Wants=ssh-host-cert-sign@rsa.service
+Wants=ssh-host-cert-sign@ecdsa.service
--- a/roles/ssh-host-certs/files/ssh-host-certs-renew.timer
+++ b/roles/ssh-host-certs/files/ssh-host-certs-renew.timer
@ -0,0 +1,12 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Periodically renew SSH host certificates
+
+[Timer]
+Unit=%N.target
+OnCalendar=Tue *-*-* 00:00:00
+RandomizedDelaySec=48h
+Persistent=yes
+
+[Install]
+WantedBy=timers.target
--- a/roles/ssh-host-certs/meta/main.yml
+++ b/roles/ssh-host-certs/meta/main.yml
@ -1,3 +1,4 @@
 dependencies:
+- role: systemd-base
 - role: dch-yum
  tags: dch-yum
--- a/roles/ssh-host-certs/tasks/main.yml
+++ b/roles/ssh-host-certs/tasks/main.yml
@ -1,12 +1,33 @@
- name: ensure sshca-cli-systemd is installed
+- name: ensure sshca-cli is installed
  package:
-    name: sshca-cli-systemd
+    name: sshca-cli
    state: present
-  notify:
-  - restart ssh-host-certs.target
  tags:
  - install

+- name: ensure sshca-cli-systemd is not installed
+  package:
+    name: sshca-cli-systemd
+    state: absent
+  tags:
+  - uninstall
+
+- name: ensure ssh host cert signing systemd units are installed
+  copy:
+    src: '{{ item }}'
+    dest: /etc/systemd/system/{{ item }}
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  loop:
+  - ssh-host-cert-sign@.service
+  - ssh-host-certs-renew.target
+  - ssh-host-certs-renew.timer
+  notify:
+  - reload systemd
+  tags:
+  - systemd
+
 - name: ensure ssh-host-cert-sign is configured
  template:
    src: ssh-host-cert-sign.env.j2
@ -15,7 +36,7 @@
    group: root
    mode: u=rw,go=r
  notify:
-  - restart ssh-host-certs.target
+  - restart ssh-host-certs-renew.target
  tags:
  - config