roles/ssh-host-certs/files/reload-ssh-cert.path

@@ -1,11 +0,0 @@
-[Unit]
-Description=Watch SSH Host certificates for renewal
-After=sshd.service
-
-[Path]
-PathChanged=/etc/ssh/ssh_host_rsa_key-cert.pub
-PathChanged=/etc/ssh/ssh_host_ecdsa_key-cert.pub
-PathChanged=/etc/ssh/ssh_host_ed25519-cert.pub
-
-[Install]
-WantedBy=paths.target

roles/ssh-host-certs/files/reload-ssh-cert.service

@@ -1,24 +0,0 @@
-[Unit]
-Description=Reload SSH daemon when certificate is renewed
-After=sshd.service
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/systemctl reload sshd
-CapabilityBoundingSet=
-NoNewPrivileges=true
-ProtectSystem=strict
-ProtectHome=true
-PrivateDevices=true
-PrivateTmp=true
-ProtectHostname=true
-ProtectClock=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectKernelLogs=true
-ProtectControlGroups=yes
-RestrictAddressFamilies=AF_UNIX
-LockPersonality=true
-MemoryDenyWriteExecute=true
-RestrictRealtime=true
-RestrictSUIDSGID=true

roles/ssh-host-certs/files/ssh-host-cert-sign@.service

@@ -1,34 +0,0 @@
-[Unit]
-Description=Request %I SSH Host Certificate
-After=network-online.target
-Wants=network-online.target
-
-[Service]
-Type=oneshot
-EnvironmentFile=-/etc/sysconfig/ssh-host-cert-sign
-ExecStart=/usr/bin/sshca-cli host sign --output /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key.pub
-
-CapabilityBoundingSet=CAP_CHOWN
-DeviceAllow=
-DevicePolicy=closed
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
-PrivateDevices=yes
-PrivateUsers=yes
-PrivateTmp=yes
-ProcSubset=pid
-ProtectClock=yes
-ProtectControlGroups=yes
-ProtectHome=yes
-ProtectHostname=yes
-ProtectKernelLogs=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-ProtectProc=invisible
-ProtectSystem=strict
-ReadWritePaths=/etc/ssh
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-RestrictNamespaces=yes
-RestrictRealtime=yes
-RestrictSUIDSGID=yes

roles/ssh-host-certs/files/ssh-host-certs-renew.target

@@ -1,7 +0,0 @@
-# vim: set ft=systemd :
-[Unit]
-Description=Request SSH Host Certificates
-StopWhenUnneeded=yes
-Wants=ssh-host-cert-sign@ed25519.service
-Wants=ssh-host-cert-sign@rsa.service
-Wants=ssh-host-cert-sign@ecdsa.service

roles/ssh-host-certs/files/ssh-host-certs-renew.timer

@@ -1,12 +0,0 @@
-# vim: set ft=systemd :
-[Unit]
-Description=Periodically renew SSH host certificates
-
-[Timer]
-Unit=%N.target
-OnCalendar=Tue *-*-* 00:00:00
-RandomizedDelaySec=48h
-Persistent=yes
-
-[Install]
-WantedBy=timers.target

roles/ssh-host-certs/tasks/main.yml

@@ -1,34 +1,11 @@
-- name: ensure sshca-cli is installed
+- name: ensure sshca-cli-systemd is installed
-  package:
-    name: sshca-cli
-    state: present
-  tags:
-  - install
-
-- name: ensure sshca-cli-systemd is not installed
   package:
     name: sshca-cli-systemd
-    state: absent
+    state: present
-  tags:
-  - uninstall
-
-- name: ensure ssh host cert signing systemd units are installed
-  copy:
-    src: '{{ item }}'
-    dest: /etc/systemd/system/{{ item }}
-    owner: root
-    group: root
-    mode: u=rw,go=r
-  loop:
-  - ssh-host-cert-sign@.service
-  - ssh-host-certs-renew.target
-  - ssh-host-certs-renew.timer
-  - reload-ssh-cert.path
-  - reload-ssh-cert.service
   notify:
-  - reload systemd
+  - restart ssh-host-certs.target
   tags:
-  - systemd
+  - install
 
 - name: ensure ssh-host-cert-sign is configured
   template:
@@ -38,7 +15,7 @@
     group: root
     mode: u=rw,go=r
   notify:
-  - restart ssh-host-certs-renew.target
+  - restart ssh-host-certs.target
   tags:
   - config
 
@@ -50,14 +27,6 @@
   tags:
   - service
 
-- name: ensure reload-ssh-cert.path is enabled
-  systemd:
-    name: reload-ssh-cert.path
-    enabled: true
-    state: started
-  tags:
-  - service
-
 - name: ensure sshd is configured to use host certificates
   template:
     src: hostcertificate.conf.j2