ci: Pin to dedicated nodes

Now that there are several production workloads on the Raspberry Pi
cluster, we don't want intense jobs like this running on them.  To
ensure this job runs on a dedicated node, we need to use a label
expression that matches the appropriate nodes.

ci/podTemplate.yaml

@@ -13,6 +13,8 @@ spec:
       name: ssh-known-hosts
       subPath: ssh_known_hosts
   hostUsers: false
+  nodeSelector:
+    du5t1n.me/jenkins:
   volumes:
   - name: ssh-known-hosts
     configMap:

reload-ssh-cert.path

@@ -0,0 +1,11 @@
+[Unit]
+Description=Watch SSH Host certificates for renewal
+After=sshd.service
+
+[Path]
+PathChanged=/etc/ssh/ssh_host_rsa_key-cert.pub
+PathChanged=/etc/ssh/ssh_host_ecdsa_key-cert.pub
+PathChanged=/etc/ssh/ssh_host_ed25519-cert.pub
+
+[Install]
+WantedBy=paths.target

reload-ssh-cert.service

@@ -0,0 +1,24 @@
+[Unit]
+Description=Reload SSH daemon when certificate is renewed
+After=sshd.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl reload sshd
+CapabilityBoundingSet=
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true

sshca-cli.spec

@@ -8,7 +8,7 @@
 
 Name:           sshca-cli
 Version:        0.1.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        CLI client for SSHCA
 
 SourceLicense:  MIT OR Apache-2.0
@@ -22,6 +22,8 @@ Source:         ssh-host-cert-sign@.service
 Source:         ssh-host-certs.target
 Source:         ssh-host-certs-renew.target
 Source:         ssh-host-certs-renew.timer
+Source:         reload-ssh-cert.path
+Source:         reload-ssh-cert.service
 
 ExclusiveArch:  %{rust_arches}
 
@@ -62,6 +64,8 @@ install -m u=rw,go=r \
 	%{SOURCE3} \
 	%{SOURCE4} \
 	%{SOURCE5} \
+	%{SOURCE6} \
+	%{SOURCE7} \
 	$RPM_BUILD_ROOT%{_unitdir}
 
 %if %{with check}
@@ -70,13 +74,13 @@ install -m u=rw,go=r \
 %endif
 
 %post systemd
-%systemd_post ssh-host-certs.target ssh-host-certs-renew.timer
+%systemd_post ssh-host-certs.target ssh-host-certs-renew.timer reload-ssh-cert.path
 
 %preun systemd
-%systemd_preun ssh-host-certs.target ssh-host-certs-renew.timer
+%systemd_preun ssh-host-certs.target ssh-host-certs-renew.timer reload-ssh-cert.path
 
 %postun systemd
-%systemd_postun ssh-host-certs.target ssh-host-certs-renew.timer
+%systemd_postun ssh-host-certs.target ssh-host-certs-renew.timer reload-ssh-cert.path
 
 %files
 %license LICENSE-Apache-2.0.txt