[Unit]
Description=Renew SSH host %I certificate
After=network-online.target
Wants=network-online.target
ConditionPathExists=/etc/ssh/ssh_host_%I_key-cert.pub

[Container]
ContainerName=step-ssh-renew-%I
Image=docker.io/smallstep/step-cli:0.25.0
EnvironmentFile=/etc/sysconfig/step-ssh-renew
Exec=step ssh renew -f /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key
Volume=/etc/ssh:/etc/ssh:rw
Volume=/etc/pki:/etc/pki:ro
# Required in order to be able to write to /etc/ssh
SecurityLabelDisable=true
User=0
Group=0

[Service]
Type=oneshot