ignition/step-ssh-renew@.container
Dustin C. Hatch 88f165363d step-ssh: Automatically issue/renew SSH host certs
The `ssh-bootstrap` script, which is run by the *ssh-bootstrap.service*
systemd unit, requests SSH host certificates for each of the existing
SSH host keys.  The certificates are issued by the *POST /sshkeys/sign*
operation of the *dch-webhooks* web service.

The *step-ssh-renew* timer/service runs `step ssh renew`, in a
container, on a weekly basis to renew the SSH host certificate.  A host
certificate must already exist, and its private key is used to
authenticate to the CA server.

Since `step ssh renew` can only operate on one certificate/key file at a
time, the `step-ssh-renew@.container` defines a template unit.  The
template instance specifies the key type (i.e. `rsa`, `ecdsa`, or
`ed25519`), which in turn defines which certificate and private key file
to use.  The timer unit activates a target unit, which depends on the
concrete service units.  Note that the target unit must have
`StopWhenUnneeded=yes` so that it can be restarted again the next time
the timer fires.
2023-10-03 20:06:37 -05:00

21 lines
547 B

[Unit]
Description=Renew SSH host %I certificate
After=network-online.target
Wants=network-online.target
# Only run for key types that already have a certificate: the existing
# certificate and its private key are what authenticate the renewal to the CA.
ConditionPathExists=/etc/ssh/ssh_host_%I_key-cert.pub

[Container]
ContainerName=step-ssh-renew-%I
Image=docker.io/smallstep/step-cli:0.25.0
# CA connection settings for step (the file's contents are not part of this commit)
EnvironmentFile=/etc/sysconfig/step-ssh-renew
# -f (--force) overwrites the existing certificate file in place
Exec=step ssh renew -f /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key
Volume=/etc/ssh:/etc/ssh:rw
# Read-only: only the CA roots used to verify the CA server are needed
Volume=/etc/pki:/etc/pki:ro
# Required in order to be able to write to /etc/ssh.  Relabelling the volume
# (:Z) is not an option here, because it would change the SELinux labels of
# the host's own sshd key and certificate files.
SecurityLabelDisable=true
# Root inside the container, so the renewed certificate keeps root ownership
User=0
Group=0

[Service]
Type=oneshot
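The timer and target units that drive this template are described in the commit message but are not part of this file. What follows is an added example of how they can be wired together; it is not the project's own configuration. The unit names `step-ssh-renew.timer` and `step-ssh-renew.target`, the `OnCalendar=weekly` schedule and the three instance names (`rsa`, `ecdsa`, `ed25519`) are assumptions; Quadlet generates `step-ssh-renew@<type>.service` from the `.container` template above.

```ini
# /etc/systemd/system/step-ssh-renew.target  (example, not the project's unit)
[Unit]
Description=Renew all SSH host certificates
# Pull in one instance of the template per key type.  Wants= rather than
# Requires= so that one failed renewal (e.g. CA unreachable for a single
# instance) does not mark the whole target failed; each instance's own
# unit status still records the failure.  Instances whose
# ConditionPathExists= fails are simply skipped.
Wants=step-ssh-renew@rsa.service step-ssh-renew@ecdsa.service step-ssh-renew@ed25519.service
After=step-ssh-renew@rsa.service step-ssh-renew@ecdsa.service step-ssh-renew@ed25519.service
# The oneshot instances go back to inactive as soon as they finish, but a
# target stays active once reached.  Without this, the timer's next start
# job would be a no-op because the target is already active.
StopWhenUnneeded=yes

# /etc/systemd/system/step-ssh-renew.timer  (example, not the project's unit)
[Unit]
Description=Weekly renewal of SSH host certificates

[Timer]
# Weekly, as the commit message describes; the randomised delay spreads
# renewals from many hosts so they do not hit the CA at the same instant.
OnCalendar=weekly
RandomizedDelaySec=1h
# Catch up after the timer's last scheduled run if the host was powered off
Persistent=true
# Activate the target, which in turn starts the template instances
Unit=step-ssh-renew.target

[Install]
WantedBy=timers.target
```

Enable it with `systemctl enable --now step-ssh-renew.timer` and confirm the schedule with `systemctl list-timers step-ssh-renew.timer`. After a run, `ssh-keygen -L -f /etc/ssh/ssh_host_ed25519_key-cert.pub` shows the certificate's new `Valid:` window, and `systemctl status 'step-ssh-renew@*'` shows the per-instance result; if a renewal keeps failing, the existing certificate must still be within its validity period for `step ssh renew` to authenticate, so an expired certificate has to be re-issued by `ssh-bootstrap` instead.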