From 34c1256f2796759f0e45c106e9f79058a531b1ba Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 1 Feb 2025 12:36:39 -0600
Subject: [PATCH] base: Factor out SSH host, user cert roles

Moving the SSH host and user certificate configuration roles out of `base.yml` into their own playbooks. This will make it easier to deploy them separately, and target different sets of hosts. The main driver for this change is the OVH VPS; being external, it cannot communicate with SSHCA and thus cannot have a signed host certificate. As such, we do not want to try to configure the SSHCA client on it at all.
---
 base.yml | 3 ---
 bootstrap.yml | 2 ++
 ssh-host-certs.yml | 4 ++++
 ssh-user-ca.yml | 3 +++
 4 files changed, 9 insertions(+), 3 deletions(-)
 create mode 100644 ssh-host-certs.yml
 create mode 100644 ssh-user-ca.yml

diff --git a/base.yml b/base.yml
index 9f9df55..2e44e1e 100644
--- a/base.yml
+++ b/base.yml
@@ -2,9 +2,6 @@
 - hosts: all
 roles:
 - base
- - role: ssh-host-certs
- tags: ssh-host-certs
- - ssh-user-ca
 - hosts: kvm-guest
 roles:
 - serial-console
diff --git a/bootstrap.yml b/bootstrap.yml
index d61e691..36d49a3 100644
--- a/bootstrap.yml
+++ b/bootstrap.yml
@@ -2,3 +2,5 @@
 - import_playbook: hostname.yml
 - import_playbook: base.yml
 - import_playbook: firewalld.yml
+- import_playbook: ssh-host-certs.yml
+- import_playbook: ssh-user-ca.yml
diff --git a/ssh-host-certs.yml b/ssh-host-certs.yml
new file mode 100644
index 0000000..cde7eb1
--- /dev/null
+++ b/ssh-host-certs.yml
@@ -0,0 +1,4 @@
+- hosts: '!vps'
+ roles:
+ - role: ssh-host-certs
+ tags: ssh-host-certs
diff --git a/ssh-user-ca.yml b/ssh-user-ca.yml
new file mode 100644
index 0000000..e37547a
--- /dev/null
+++ b/ssh-user-ca.yml
@@ -0,0 +1,3 @@
+- hosts: all
+ roles:
+ - ssh-user-ca
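Review bot: Only bootstrap.yml is taught about the two new playbooks, so any other entry point that applies base.yml on its own (a site playbook or a scheduled run; none is visible in this patch) stops applying the host-certificate and user-CA roles without any error. If such a caller exists it needs the same two `import_playbook` lines, and a comment above them such as `# SSH CA roles were split out of base.yml; import these wherever base.yml is applied` would make the dependency visible. The imports also run after firewalld.yml now, whereas the roles used to run inside the first play of base.yml; that is presumably harmless but worth confirming on a freshly bootstrapped host.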
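Review bot: `hosts: '!vps'` in ssh-host-certs.yml has no positive pattern and relies on Ansible treating an exclusion-only pattern as `all` minus the excluded group; `- hosts: 'all:!vps'` says the same thing explicitly. Because this is a deny-list, any future external host that is not added to the `vps` group will still have the SSHCA client configured on it, and hosts in `vps` end up without a signed host certificate, so clients have to verify their host keys some other way. A comment above the play, for example `# vps hosts cannot reach SSHCA and are skipped; their host keys are not CA-signed`, would keep the reason next to the pattern. This file also opens without a `---` document-start line, which the existing playbooks appear to have since their hunks begin at line 2; the same applies to ssh-user-ca.yml.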
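Review bot: The play in ssh-user-ca.yml keeps `hosts: all`, so the external VPS that is excluded from host certificates is still configured by the ssh-user-ca role; the commit message explains the exclusion but not this inclusion. If that is intended (the role itself is not visible here, but trusting a user CA would not normally need a connection to SSHCA), a comment such as `# includes vps on purpose: user CA trust does not require reaching SSHCA` would record it. The role also carries no tag, unlike `ssh-host-certs` in the sibling playbook; writing it as `- role: ssh-user-ca` with `tags: ssh-user-ca` would keep the two selectable in the same way when both are imported from bootstrap.yml.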