The _sshca-cli-systemd_ package was intended for machines to
automatically get signed SSH host certificates on first boot. Having
the systemd unit files in an RPM package allowed them to be installed by
Anaconda, without needing custom post-install scripts or Ansible.
Unfortunately, various issues prevented this from actually working as
intended most of the time, and with the new webhook-based automatic
provisioning process, it's not really necessary. I'm thus removing the
sub-package that contained the unit files and moving them to the Ansible
configuration policy.

The *ssh-host-cert-sign@.service* unit does what it says on the tin:
requests a signed host certificate from an SSHCA server. It is a
template unit, whose instances correspond to SSH key types (RSA, ECDSA,
and Ed25519). The *ssh-host-certs.target* unit depends on the three
instances of the template unit, so they can all be activated together.
This target is only activated on the first boot of the system, to
initially request the certificates.

The *ssh-host-certs-renew.timer* unit periodically renews the SSH host
certificates. Its corresponding target unit depends on the three
instances of *ssh-host-cert-sign@.service*, so each certificate will be
renewed independently.

The *sshca-cli* RPM package can be used to install the SSHCA CLI client
on Fedora (and other RPM-based distributions). The `.spec` file was
originally generated using [rust2rpm], but several manual modifications
were required. Notably, the script does not generate `BuildRequires`
tags when run in "vendored" mode (i.e. third-party crate sources are
included in the source RPM package instead of packaged as separate
RPMs).