rpm: Add systemd service/target/timer units
The *ssh-host-cert-sign@.service* unit does what it says on the tin: requests a signed host certificate from an SSHCA server. It is a template unit, whose instances correspond to SSH key types (RSA, ECDSA, and Ed25519). The *ssh-host-certs.target* unit depends on the three instances of the template unit, so they can all be activated together. This target is only activated on the first boot of the system, to initially request the certificates. The *ssh-host-certs-renew.timer* unit periodically renews the SSH host certificates. Its corresponding target unit depends on the three instances of *ssh-host-cert-sign@.service*, so each certificate will be renewed independently.
parent
f6abf699e8
commit
5ab5c3e98d
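--- /dev/null
+++ b/ssh-host-cert-sign@.service
@@ -0,0 +1,34 @@
+[Unit]
+Description=Request %I SSH Host Certificate
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+EnvironmentFile=-/etc/sysconfig/ssh-host-cert-sign
+ExecStart=/usr/bin/sshca-cli host sign --output /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key.pub
+
+CapabilityBoundingSet=CAP_CHOWN
+DeviceAllow=
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/etc/ssh
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes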
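Review bot: The ExecStart line assumes `/etc/ssh/ssh_host_%I_key.pub` exists for every instance, yet both targets in this commit pull in the rsa, ecdsa and ed25519 instances unconditionally, so a host that does not carry all three key types gets a failed unit on every first boot and every renewal. Adding `ConditionPathExists=/etc/ssh/ssh_host_%I_key.pub` under [Unit] lets such instances skip cleanly instead of failing. The sandbox is otherwise thorough but leaves system calls unfiltered; `SystemCallFilter=@system-service` and `SystemCallArchitectures=native` would match the rest of the hardening here, assuming sshca-cli needs nothing outside that set (worth confirming with a test run). Since the `-` on EnvironmentFile makes a missing /etc/sysconfig/ssh-host-cert-sign silent, a one-line comment above it naming what that file is expected to provide would spare the next operator a confusing failure.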
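--- /dev/null
+++ b/ssh-host-certs-renew.target
@@ -0,0 +1,7 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Request SSH Host Certificates
+StopWhenUnneeded=yes
+Wants=ssh-host-cert-sign@ed25519.service
+Wants=ssh-host-cert-sign@rsa.service
+Wants=ssh-host-cert-sign@ecdsa.service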
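Review bot: Because the three instances are pulled in with `Wants=`, a failed renewal is absorbed: the target still reaches active, the timer treats the run as done, and the host keeps serving a certificate that will eventually expire with no signal that anything went wrong. Keeping the instances independent is the right call, but something should surface the failure — an `OnFailure=` handler on ssh-host-cert-sign@.service, or an external check that watches for failed `ssh-host-cert-sign@*.service` instances. The same applies to the `Wants=` lines in ssh-host-certs.target later in this commit. As a smaller point, the Description is identical to that of ssh-host-certs.target; `Description=Renew SSH Host Certificates` would tell the two apart in journal and status output.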
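--- /dev/null
+++ b/ssh-host-certs-renew.timer
@@ -0,0 +1,12 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Periodically renew SSH host certificates
+
+[Timer]
+Unit=%N.target
+OnCalendar=Tue *-*-* 00:00:00
+RandomizedDelaySec=48h
+Persistent=yes
+
+[Install]
+WantedBy=timers.target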
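Review bot: The weekly `OnCalendar=` combined with `RandomizedDelaySec=48h` means consecutive renewals can be up to nine days apart, and with `Persistent=yes` a host that was powered off can run later still; that is only safe if the certificates the SSHCA server issues are valid for comfortably longer than that, and nothing in this commit records the assumption. A comment above OnCalendar such as `# Certificate validity on the CA must exceed 7d + RandomizedDelaySec with margin` makes the coupling visible to whoever later changes either the schedule or the CA's validity period. `Unit=%N.target` resolves to ssh-host-certs-renew.target, which is correct but silent; a comment noting that the timer and target file names must stay paired would prevent a rename from breaking renewals without any error at install time.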
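--- /dev/null
+++ b/ssh-host-certs.target
@@ -0,0 +1,10 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Request SSH Host Certificates
+ConditionFirstBoot=yes
+Wants=ssh-host-cert-sign@ed25519.service
+Wants=ssh-host-cert-sign@rsa.service
+Wants=ssh-host-cert-sign@ecdsa.service
+
+[Install]
+WantedBy=multi-user.target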
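Review bot: `ConditionFirstBoot=yes` holds only when systemd finds /etc/machine-id missing or uninitialized at boot, so hosts provisioned from an image or snapshot that already carries a machine-id will never run this target, and their first certificate only arrives with the first timer-driven renewal, potentially nine days later. If that is the intended behaviour, a comment above the condition saying so is enough; if not, the target needs a different trigger than first boot. Separately, nothing here orders the signing before sshd.service, so on a genuine first boot sshd will most likely start before the certificate file exists and will not present it until it is restarted or reloaded; if the certificate is expected on the first boot, the target needs `After=` on the three instances plus `Before=sshd.service`, and the instances need `Before=` ordering to match.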
@ -18,17 +18,30 @@ License: MIT OR Apache-2.0
URL: https://git.pyrocufflink.net/dustin/sshca
Source: sshca-cli-%{version}.tar.xz
Source: sshca-cli-%{version}-vendor.tar.xz
Source: ssh-host-cert-sign@.service
Source: ssh-host-certs.target
Source: ssh-host-certs-renew.target
Source: ssh-host-certs-renew.timer
ExclusiveArch: %{rust_arches}
BuildRequires: cargo-rpm-macros >= 25
BuildRequires: openssl-devel
BuildRequires: systemd-rpm-macros
%global _description %{expand:
CLI client for SSHCA.}
%description %{_description}
%package systemd
Summary: systemd units for managing SSH host certificates with SSHCA
Requires: %{name} = %{version}
%description systemd
A collection of systemd service, timer, and target units that automatically
request and renew SSH host certificates from an SSHCA server.
%prep
%autosetup -n %{crate}-%{version} -p1 -a1
%cargo_prep -v vendor
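Review bot: `Requires: %{name} = %{version}` on the new systemd subpackage omits the release, so a rebuilt base package (0.1.0-2, say) still satisfies a 0.1.0-1 systemd subpackage and the two can drift apart across updates. The usual form for a subpackage that must track its parent is `Requires: %{name}%{?_isa} = %{version}-%{release}`. Since the subpackage's scriptlets later in this diff call systemctl, it should also declare that dependency at install time (`%{?systemd_requires}` from systemd-rpm-macros, if the target distribution's guidelines still expect it); the BuildRequires on systemd-rpm-macros only covers build time.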
@ -43,11 +56,28 @@ CLI client for SSHCA.}
%install
%cargo_install
mkdir -p $RPM_BUILD_ROOT%{_unitdir}
install -m u=rw,go=r \
%{SOURCE2} \
%{SOURCE3} \
%{SOURCE4} \
%{SOURCE5} \
$RPM_BUILD_ROOT%{_unitdir}
%if %{with check}
%check
%cargo_test
%endif
%post systemd
%systemd_post ssh-host-certs.target ssh-host-certs-renew.timer
%preun systemd
%systemd_preun ssh-host-certs.target ssh-host-certs-renew.timer
%postun systemd
%systemd_postun ssh-host-certs.target ssh-host-certs-renew.timer
%files
%license LICENSE-Apache-2.0.txt
%license LICENSE-MIT.txt
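Review bot: `%systemd_post ssh-host-certs.target ssh-host-certs-renew.timer` only applies `systemctl preset`, so on a distribution whose default preset policy disables units that no preset file lists, the timer — the one piece that keeps certificates from expiring — is installed disabled, and the "periodically renews" behaviour described in the commit message holds only after an administrator enables it. Either ship a preset file covering these two units or state in `%description systemd` that `systemctl enable --now ssh-host-certs-renew.timer` is a required post-install step. The install block can also drop the separate mkdir: `install -D -m 0644 -t $RPM_BUILD_ROOT%{_unitdir} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5}` creates the directory and sets the same 0644 mode in one call.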
@ -55,6 +85,9 @@ CLI client for SSHCA.}
%license cargo-vendor.txt
%{_bindir}/sshca-cli
%files systemd
%{_unitdir}/*
%changelog
* Sun Nov 05 2023 Dustin C. Hatch <dustin@hatch.name> - 0.1.0-1
- Initial package
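Review bot: `%{_unitdir}/*` in `%files systemd` hides packaging mistakes: an extra or misnamed unit dropped into that directory by a later change is silently shipped instead of failing the build with an unpackaged-files error, and a unit that fails to install goes unnoticed. Listing the four files explicitly — `%{_unitdir}/ssh-host-cert-sign@.service`, `%{_unitdir}/ssh-host-certs.target`, `%{_unitdir}/ssh-host-certs-renew.target`, `%{_unitdir}/ssh-host-certs-renew.timer` — keeps the payload reviewable and matches the explicit Source: lines earlier in the spec. It also lets a reader check by inspection that the units named in the %post/%preun/%postun scriptlets are exactly the ones shipped.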