r/ssh-host-certs: Manage SSH host certificates

The *ssh-host-certs* role, which is now applied as part of the
`base.yml` playbook and therefore applies to all managed nodes, is
responsible for installing the *sshca-cli* package and using it to
request signed SSH host certificates.  The *sshca-cli-systemd*
sub-package includes systemd units that automate the process of
requesting and renewing host certificates.  These units need to be
enabled and provided the URL of the SSHCA service.  Additionally, the
SSH daemon needs to be configured to load the host certificates.

base.yml

@@ -2,6 +2,8 @@
 - hosts: all
   roles:
   - base
+  - role: ssh-host-certs
+    tags: ssh-host-certs
 - hosts: kvm-guest
   roles:
   - serial-console

group_vars/all.yml

@@ -1,3 +1,5 @@
+sshca_url: https://sshca.pyrocufflink.blue
+
 certbot_account_email: dustin@hatch.name
 smtp:
   mode: relay

roles/ssh-host-certs/defaults/main.yml

@@ -0,0 +1,4 @@
+ssh_host_certs:
+- /etc/ssh/ssh_host_ed25519_key-cert.pub
+- /etc/ssh/ssh_host_rsa_key-cert.pub
+- /etc/ssh/ssh_host_ecdsa_key-cert.pub

roles/ssh-host-certs/handlers/main.yml

@@ -0,0 +1,9 @@
+- name: restart ssh-host-certs.target
+  systemd:
+    name: ssh-host-certs.target
+    state: started
+
+- name: reload sshd
+  service:
+    name: sshd
+    state: reloaded

roles/ssh-host-certs/meta/main.yml

@@ -0,0 +1,3 @@
+dependencies:
+- role: dch-yum
+  tags: dch-yum

roles/ssh-host-certs/tasks/main.yml

@@ -0,0 +1,41 @@
+- name: ensure sshca-cli-systemd is installed
+  package:
+    name: sshca-cli-systemd
+    state: present
+  notify:
+  - restart ssh-host-certs.target
+  tags:
+  - install
+
+- name: ensure ssh-host-cert-sign is configured
+  template:
+    src: ssh-host-cert-sign.env.j2
+    dest: /etc/sysconfig/ssh-host-cert-sign
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - restart ssh-host-certs.target
+  tags:
+  - config
+
+- name: ensure ssh-host-certs-renew.timer is enabled
+  systemd:
+    name: ssh-host-certs-renew.timer
+    enabled: true
+    state: started
+  tags:
+  - service
+
+- name: ensure sshd is configured to use host certificates
+  template:
+    src: hostcertificate.conf.j2
+    dest: /etc/ssh/sshd_config.d/10-hostcertificate.conf
+    mode: u=rw,go=r
+    owner: root
+    group: root
+  notify:
+  - reload sshd
+  tags:
+  - config
+  - sshd_config

roles/ssh-host-certs/templates/hostcertificate.conf.j2

@@ -0,0 +1,5 @@
+{% if ssh_host_certs|d(none) %}
+{% for cert in ssh_host_certs | sort %}
+HostCertificate {{ cert }}
+{% endfor %}
+{% endif %}

roles/ssh-host-certs/templates/ssh-host-cert-sign.env.j2

@@ -0,0 +1 @@
+SSHCA_SERVER={{ sshca_url }}