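---
# Installs the sshca-cli host-certificate client, replaces its packaged
# systemd units with the ones shipped by this role, wires the signing
# environment file and points sshd at the resulting host certificate.

- name: ensure sshca-cli is installed
  package:
    name: sshca-cli
    state: present
  tags:
    - install

# This role ships its own units below; the packaged ones are removed first
# so the two sets cannot collide on the same unit names.
- name: ensure sshca-cli-systemd is not installed
  package:
    name: sshca-cli-systemd
    state: absent
  tags:
    - uninstall

- name: ensure ssh host cert signing systemd units are installed
  copy:
    src: '{{ item }}'
    dest: /etc/systemd/system/{{ item }}
    owner: root
    group: root
    mode: 'u=rw,go=r'
  loop:
    - ssh-host-cert-sign@.service
    - ssh-host-certs-renew.target
    - ssh-host-certs-renew.timer
    - reload-ssh-cert.path
    - reload-ssh-cert.service
  notify:
    - reload systemd
  tags:
    - systemd

# Environment file consumed by the signing units. It is installed
# world-readable; if the template carries a CA token or any other
# credential, tighten this to 'u=rw,go=' (the unit file is not visible
# here, so confirm which user reads it before restricting it).
- name: ensure ssh-host-cert-sign is configured
  template:
    src: ssh-host-cert-sign.env.j2
    dest: /etc/sysconfig/ssh-host-cert-sign
    owner: root
    group: root
    mode: 'u=rw,go=r'
  notify:
    - restart ssh-host-certs-renew.target
  tags:
    - config

# daemon_reload is set on both enable tasks below: the 'reload systemd'
# handler notified above only runs when handlers are flushed (normally at
# the end of the play), so on a fresh host systemd would not yet know the
# freshly copied units and enabling them would fail. An explicit
# daemon-reload here is idempotent and cheap.
- name: ensure ssh-host-certs-renew.timer is enabled
  systemd:
    name: ssh-host-certs-renew.timer
    enabled: true
    state: started
    daemon_reload: true
  tags:
    - service

- name: ensure reload-ssh-cert.path is enabled
  systemd:
    name: reload-ssh-cert.path
    enabled: true
    state: started
    daemon_reload: true
  tags:
    - service

# The drop-in is only honoured if sshd_config contains
# 'Include /etc/ssh/sshd_config.d/*.conf' (the default on recent distros;
# verify on the target, otherwise this file is silently ignored).
# A broken HostCertificate line makes sshd fail to re-exec on reload,
# leaving no listener for new sessions; consider adding
# validate: '/usr/sbin/sshd -t -f %s' once it is confirmed that the
# target's OpenSSH accepts a bare fragment for -t.
- name: ensure sshd is configured to use host certificates
  template:
    src: hostcertificate.conf.j2
    dest: /etc/ssh/sshd_config.d/10-hostcertificate.conf
    owner: root
    group: root
    mode: 'u=rw,go=r'
  notify:
    - reload sshd
  tags:
    - config
    - sshd_config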