Dustin C. Hatch
88f165363d
The `ssh-bootstrap` script, which is run by the *ssh-bootstrap.service* systemd unit, requests SSH host certificates for each of the existing SSH host keys. The certificates are issued by the *POST /sshkeys/sign* operation of *dch-webhooks* web service. The *step-ssh-renew* timer/service runs `step ssh renew`, in a container, on a weekly basis to renew the SSH host certificate. A host certificate must already exist, and its private key is used to authenticate to the CA server. Since `step ssh renew` can only operate on one certificate/key file at a time, the `step-ssh-renew@.container` defines a template unit. The template instance specifies the key type (i.e. `rsa`, `ecdsa`, or `ed25519`), which in turn defines which certificate and private key file to use. The timer unit activates a target unit, which depends on the concrete service units. Note that the target unit must have `StopWhenUnneeded=yes` so that it can be restarted again the next time the timer fires.