Compare commits


2 Commits

Dustin 6817c62295 ci: Pin to dedicated nodes
Now that there are several production workloads on the Raspberry Pi
cluster, we don't want intense jobs like this running on them.  To
ensure this job runs on a dedicated node, we need to use a label
expression that matches the appropriate nodes.
2025-09-13 07:17:03 -05:00
Dustin 9dc20b4fd4 systemd: Add unit to auto reload sshd after renew
`sshd` no longer appears to automatically pick up the new certificate
after it has been renewed by `ssh-host-cert-sign@.service`; we need to
explicitly reload it.  To handle this, I've added a systemd _path_ unit
that monitors the certificate files for changes and triggers a
corresponding _service_ unit that reloads the SSH daemon.
2025-09-12 07:16:02 -05:00
4 changed files with 45 additions and 4 deletions


@ -13,6 +13,8 @@ spec:
name: ssh-known-hosts
subPath: ssh_known_hosts
hostUsers: false
nodeSelector:
du5t1n.me/jenkins:
volumes:
- name: ssh-known-hosts
configMap:
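Review bot: The added `du5t1n.me/jenkins:` key under `nodeSelector` has no value, which YAML parses as null rather than a string, so the selector is unlikely to be accepted by the API server or to match any node. `nodeSelector` is an equality match on label values, so the value should be the literal label value carried by the dedicated nodes, for example `du5t1n.me/jenkins: "true"` (assuming the nodes are labelled that way; the node labels are not visible here). If the intent is presence-only matching, as the commit message's "label expression" wording suggests, `nodeSelector` cannot express that and `affinity.nodeAffinity` with an `Exists` operator would be needed. The enclosing pod spec starts before this hunk.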

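--- a/reload-ssh-cert.path
+++ b/reload-ssh-cert.path
@@ -0,0 +1,11 @@
+[Unit]
+Description=Watch SSH Host certificates for renewal
+After=sshd.service
+[Path]
+PathChanged=/etc/ssh/ssh_host_rsa_key-cert.pub
+PathChanged=/etc/ssh/ssh_host_ecdsa_key-cert.pub
+PathChanged=/etc/ssh/ssh_host_ed25519-cert.pub
+[Install]
+WantedBy=paths.target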
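Review bot: The third watch path, `/etc/ssh/ssh_host_ed25519-cert.pub`, does not follow the `ssh_host_<type>_key-cert.pub` naming of the two entries above it; the OpenSSH default ed25519 host key is `ssh_host_ed25519_key`, whose certificate is written as `ssh_host_ed25519_key-cert.pub`, so unless the signing service deliberately writes the shorter name a renewed ed25519 certificate will never trigger the reload. Suggested change: `PathChanged=/etc/ssh/ssh_host_ed25519_key-cert.pub`. Since the `[Path]` section has no `Unit=`, the trigger falls back to the service with the same name; a one-line comment such as `# Triggers reload-ssh-cert.service (same name, no Unit= needed)` would make that dependency explicit to the next maintainer.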

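--- a/reload-ssh-cert.service
+++ b/reload-ssh-cert.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Reload SSH daemon when certificate is renewed
+After=sshd.service
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl reload sshd
+CapabilityBoundingSet=
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true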
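Review bot: `ExecStart=/usr/bin/systemctl reload sshd` fails when sshd is not active (there is nothing to signal), which leaves this oneshot in a failed state each time a certificate is renewed on a host where sshd is stopped or mid-restart; `ExecStart=/usr/bin/systemctl try-reload-or-restart sshd.service` reloads only a running daemon and is a no-op otherwise. Minor style point: `ProtectControlGroups=yes` is the only boolean spelled `yes` while every neighbouring directive uses `true`. The sandboxing set is a good fit for a unit that only needs the manager's control socket; a comment such as `# Hardening: this unit only talks to systemd over its local socket, hence AF_UNIX only` above `RestrictAddressFamilies=AF_UNIX` would record that intent.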


@ -8,7 +8,7 @@
Name: sshca-cli
Version: 0.1.1
Release: 1%{?dist}
Release: 2%{?dist}
Summary: CLI client for SSHCA
SourceLicense: MIT OR Apache-2.0
@ -22,6 +22,8 @@ Source: ssh-host-cert-sign@.service
Source: ssh-host-certs.target
Source: ssh-host-certs-renew.target
Source: ssh-host-certs-renew.timer
Source: reload-ssh-cert.path
Source: reload-ssh-cert.service
ExclusiveArch: %{rust_arches}
@ -62,6 +64,8 @@ install -m u=rw,go=r \
%{SOURCE3} \
%{SOURCE4} \
%{SOURCE5} \
%{SOURCE6} \
%{SOURCE7} \
$RPM_BUILD_ROOT%{_unitdir}
%if %{with check}
@ -70,13 +74,13 @@ install -m u=rw,go=r \
%endif
%post systemd
%systemd_post ssh-host-certs.target ssh-host-certs-renew.timer
%systemd_post ssh-host-certs.target ssh-host-certs-renew.timer reload-ssh-cert.path
%preun systemd
%systemd_preun ssh-host-certs.target ssh-host-certs-renew.timer
%systemd_preun ssh-host-certs.target ssh-host-certs-renew.timer reload-ssh-cert.path
%postun systemd
%systemd_postun ssh-host-certs.target ssh-host-certs-renew.timer
%systemd_postun ssh-host-certs.target ssh-host-certs-renew.timer reload-ssh-cert.path
%files
%license LICENSE-Apache-2.0.txt