From dfd828af086ee14ba8b0a99afed961aa12af6a33 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Tue, 7 Nov 2023 18:29:25 -0600
Subject: [PATCH] r/ssh-host-certs: Manage SSH host certificates

The *ssh-host-certs* role, which is now applied as part of the `base.yml` playbook and therefore applies to all managed nodes, is responsible for installing the *sshca-cli* package and using it to request signed SSH host certificates. The *sshca-cli-systemd* sub-package includes systemd units that automate the process of requesting and renewing host certificates. These units need to be enabled and provided the URL of the SSHCA service. Additionally, the SSH daemon needs to be configured to load the host certificates.
---
 base.yml | 2 +
 group_vars/all.yml | 2 +
 roles/ssh-host-certs/defaults/main.yml | 4 ++
 roles/ssh-host-certs/handlers/main.yml | 9 ++++
 roles/ssh-host-certs/meta/main.yml | 3 ++
 roles/ssh-host-certs/tasks/main.yml | 41 +++++++++++++++++++
 .../templates/hostcertificate.conf.j2 | 5 +++
 .../templates/ssh-host-cert-sign.env.j2 | 1 +
 8 files changed, 67 insertions(+)
 create mode 100644 roles/ssh-host-certs/defaults/main.yml
 create mode 100644 roles/ssh-host-certs/handlers/main.yml
 create mode 100644 roles/ssh-host-certs/meta/main.yml
 create mode 100644 roles/ssh-host-certs/tasks/main.yml
 create mode 100644 roles/ssh-host-certs/templates/hostcertificate.conf.j2
 create mode 100644 roles/ssh-host-certs/templates/ssh-host-cert-sign.env.j2
diff --git a/base.yml b/base.yml
index 2e44e1e..ebe5324 100644
--- a/base.yml
+++ b/base.yml
@@ -2,6 +2,8 @@
 - hosts: all
 roles:
 - base
+ - role: ssh-host-certs
+ tags: ssh-host-certs
 - hosts: kvm-guest
 roles:
 - serial-console
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 3c98b13..85ce756 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,3 +1,5 @@
+sshca_url: https://sshca.pyrocufflink.blue
+
 certbot_account_email: dustin@hatch.name
 smtp:
 mode: relay
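Review bot: `sshca_url` is the value every managed node will trust as the signer of its SSH host keys (the role's `ssh-host-cert-sign.env.j2` writes it verbatim as `SSHCA_SERVER`), yet it lands in `group_vars/all.yml` with no comment saying what depends on it; add `# SSHCA service that signs SSH host certificates for all nodes (used by the ssh-host-certs role); keep this an https URL` above the line. Quoting it as a string (`sshca_url: "https://sshca.pyrocufflink.blue"`) is not required today because `://` does not trigger a mapping parse, but it protects against a later edit that appends ` #` or a `: `-separated component.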
diff --git a/roles/ssh-host-certs/defaults/main.yml b/roles/ssh-host-certs/defaults/main.yml
new file mode 100644
index 0000000..646cb9d
--- /dev/null
+++ b/roles/ssh-host-certs/defaults/main.yml
@@ -0,0 +1,4 @@
+ssh_host_certs:
+- /etc/ssh/ssh_host_ed25519_key-cert.pub
+- /etc/ssh/ssh_host_rsa_key-cert.pub
+- /etc/ssh/ssh_host_ecdsa_key-cert.pub
diff --git a/roles/ssh-host-certs/handlers/main.yml b/roles/ssh-host-certs/handlers/main.yml
new file mode 100644
index 0000000..d481a8e
--- /dev/null
+++ b/roles/ssh-host-certs/handlers/main.yml
@@ -0,0 +1,9 @@
+- name: restart ssh-host-certs.target
+ systemd:
+ name: ssh-host-certs.target
+ state: started
+
+- name: reload sshd
+ service:
+ name: sshd
+ state: reloaded
diff --git a/roles/ssh-host-certs/meta/main.yml b/roles/ssh-host-certs/meta/main.yml
new file mode 100644
index 0000000..592bdcd
--- /dev/null
+++ b/roles/ssh-host-certs/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+- role: dch-yum
+ tags: dch-yum
diff --git a/roles/ssh-host-certs/tasks/main.yml b/roles/ssh-host-certs/tasks/main.yml
new file mode 100644
index 0000000..e91b39b
--- /dev/null
+++ b/roles/ssh-host-certs/tasks/main.yml
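Review bot: `ssh_host_certs` is consumed by the sshd drop-in template as `HostCertificate` paths, but the defaults file gives no hint of that or of how a host opts out; add `# Certificate files sshd is told to load via HostCertificate (see templates/hostcertificate.conf.j2); an empty list writes no HostCertificate lines` above the list. If a host lacks one of these key pairs (for example no ECDSA host key), sshd will presumably log a load error for that entry at every start; whether that is acceptable depends on which key types the signing service actually issues, which is outside this patch.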
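Review bot: The handler named `restart ssh-host-certs.target` uses `state: started`, which is a no-op when the target is already active, so a change to `/etc/sysconfig/ssh-host-cert-sign` (the other task that notifies it) would not re-run the signing with the new `SSHCA_SERVER` until the renew timer fires, assuming the target's units read the env file only at start. Either rename it `start ssh-host-certs.target` to match what it does, or use `state: restarted` if re-running the request is the intent; the target's unit definitions are not in this patch, so I cannot tell which is wanted. The second handler uses the `service` module while the first uses `systemd`; pick one for consistency.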
@@ -0,0 +1,41 @@
+- name: ensure sshca-cli-systemd is installed
+ package:
+ name: sshca-cli-systemd
+ state: present
+ notify:
+ - restart ssh-host-certs.target
+ tags:
+ - install
+
+- name: ensure ssh-host-cert-sign is configured
+ template:
+ src: ssh-host-cert-sign.env.j2
+ dest: /etc/sysconfig/ssh-host-cert-sign
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - restart ssh-host-certs.target
+ tags:
+ - config
+
+- name: ensure ssh-host-certs-renew.timer is enabled
+ systemd:
+ name: ssh-host-certs-renew.timer
+ enabled: true
+ state: started
+ tags:
+ - service
+
+- name: ensure sshd is configured to use host certificates
+ template:
+ src: hostcertificate.conf.j2
+ dest: /etc/ssh/sshd_config.d/10-hostcertificate.conf
+ mode: u=rw,go=r
+ owner: root
+ group: root
+ notify:
+ - reload sshd
+ tags:
+ - config
+ - sshd_config
diff --git a/roles/ssh-host-certs/templates/hostcertificate.conf.j2 b/roles/ssh-host-certs/templates/hostcertificate.conf.j2
new file mode 100644
index 0000000..1d8359c
--- /dev/null
+++ b/roles/ssh-host-certs/templates/hostcertificate.conf.j2
@@ -0,0 +1,5 @@
+{% if ssh_host_certs|d(none) %}
+{% for cert in ssh_host_certs | sort %}
+HostCertificate {{ cert }}
+{% endfor %}
+{% endif %}
diff --git a/roles/ssh-host-certs/templates/ssh-host-cert-sign.env.j2 b/roles/ssh-host-certs/templates/ssh-host-cert-sign.env.j2
new file mode 100644
index 0000000..defbba2
--- /dev/null
+++ b/roles/ssh-host-certs/templates/ssh-host-cert-sign.env.j2
@@ -0,0 +1 @@
+SSHCA_SERVER={{ sshca_url }}
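Review bot: The `ensure sshd is configured to use host certificates` task renders straight into `/etc/ssh/sshd_config.d/` and the notified handler reloads sshd, with no `validate:`, so a broken rendering reaches the running daemon unchecked; add `validate: /usr/sbin/sshd -t -f %s` to that template task (a `HostCertificate` pointing at a not-yet-issued file is logged by sshd rather than treated as fatal, so this should not block the first run, but confirm on the target distro). Handlers fire in their definition order, so `restart ssh-host-certs.target` runs immediately before `reload sshd`; if the signing units are asynchronous, the certificate files may not exist at that reload and sshd would only load them on a later reload — the unit definitions are not in this patch, so I cannot tell. The task also assumes `/etc/ssh/sshd_config.d/` exists and is `Include`d by the main `sshd_config`, which holds on recent Fedora/RHEL but is not universal; since the role now runs on `all` hosts, a comment or guard stating that assumption would help. Minor: the two template tasks list `owner`/`group`/`mode` in different orders; align them.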
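Review bot: The rendered drop-in gives no sign that Ansible owns `/etc/ssh/sshd_config.d/10-hostcertificate.conf`, so a hand edit is silently overwritten on the next run; make `{{ ansible_managed | comment }}` the first line of the template (sshd accepts `#` comments in drop-ins). The `|d(none)` guard on the first line only matters when `ssh_host_certs` is undefined, which the role default prevents, so the effective opt-out is setting the variable to an empty list — a one-line comment in the template saying so would save the next reader working it out.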