diff --git a/roles/ssh-host-certs/files/ssh-host-cert-sign@.service b/roles/ssh-host-certs/files/ssh-host-cert-sign@.service
new file mode 100644
index 0000000..0efde1e
--- /dev/null
+++ b/roles/ssh-host-certs/files/ssh-host-cert-sign@.service
@@ -0,0 +1,34 @@
+[Unit]
+Description=Request %I SSH Host Certificate
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+EnvironmentFile=-/etc/sysconfig/ssh-host-cert-sign
+ExecStart=/usr/bin/sshca-cli host sign --output /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key.pub
+
+CapabilityBoundingSet=CAP_CHOWN
+DeviceAllow=
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/etc/ssh
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
diff --git a/roles/ssh-host-certs/files/ssh-host-certs-renew.target b/roles/ssh-host-certs/files/ssh-host-certs-renew.target
new file mode 100644
index 0000000..9e54f1b
--- /dev/null
+++ b/roles/ssh-host-certs/files/ssh-host-certs-renew.target
@@ -0,0 +1,7 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Request SSH Host Certificates
+StopWhenUnneeded=yes
+Wants=ssh-host-cert-sign@ed25519.service
+Wants=ssh-host-cert-sign@rsa.service
+Wants=ssh-host-cert-sign@ecdsa.service
diff --git a/roles/ssh-host-certs/files/ssh-host-certs-renew.timer b/roles/ssh-host-certs/files/ssh-host-certs-renew.timer
new file mode 100644
index 0000000..3f6f728
--- /dev/null
+++ b/roles/ssh-host-certs/files/ssh-host-certs-renew.timer
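Review bot: An instance whose public key is absent (a host without, say, an ECDSA key) fails instead of skipping, because the template unit has no start condition while the target pulls in all three instances; adding `ConditionPathExists=/etc/ssh/ssh_host_%I_key.pub` to [Unit] turns the missing key into a clean no-op. The hardening list is thorough but stops short of a system-call filter; `SystemCallFilter=@system-service` and `SystemCallArchitectures=native` would fit the rest of this profile, provided sshca-cli is exercised under them first. `ReadWritePaths=/etc/ssh` also deserves a comment: it has to be the directory because the certificate file may not exist yet on the first run, but the same grant makes the private host keys in that directory writable by the service.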
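Review bot: Nothing in the new units reloads sshd after a certificate is rewritten, and as far as I recall sshd reads its HostCertificate files only at start-up or on reload, so a renewed certificate may not be presented to clients until the next sshd restart; unless that reload happens elsewhere in the role (not visible in this diff), consider an `ExecStartPost=` reload in the service or a reload unit pulled in by this target, after verifying that the reload still works from inside the service's sandbox. A one-line comment above `StopWhenUnneeded=yes` stating why it is set (presumably so the target becomes inactive after each timer-driven run and can be started again next week) would save the next reader the lookup.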
@@ -0,0 +1,12 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Periodically renew SSH host certificates
+
+[Timer]
+Unit=%N.target
+OnCalendar=Tue *-*-* 00:00:00
+RandomizedDelaySec=48h
+Persistent=yes
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/ssh-host-certs/meta/main.yml b/roles/ssh-host-certs/meta/main.yml
index 592bdcd..77fe691 100644
--- a/roles/ssh-host-certs/meta/main.yml
+++ b/roles/ssh-host-certs/meta/main.yml
@@ -1,3 +1,4 @@
 dependencies:
+- role: systemd-base
 - role: dch-yum
 tags: dch-yum
diff --git a/roles/ssh-host-certs/tasks/main.yml b/roles/ssh-host-certs/tasks/main.yml
index e91b39b..d57760e 100644
--- a/roles/ssh-host-certs/tasks/main.yml
+++ b/roles/ssh-host-certs/tasks/main.yml
@@ -1,12 +1,33 @@
-- name: ensure sshca-cli-systemd is installed
+- name: ensure sshca-cli is installed
 package:
- name: sshca-cli-systemd
+ name: sshca-cli
 state: present
- notify:
- - restart ssh-host-certs.target
 tags:
 - install
 
+- name: ensure sshca-cli-systemd is not installed
+ package:
+ name: sshca-cli-systemd
+ state: absent
+ tags:
+ - uninstall
+
+- name: ensure ssh host cert signing systemd units are installed
+ copy:
+ src: '{{ item }}'
+ dest: /etc/systemd/system/{{ item }}
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ loop:
+ - ssh-host-cert-sign@.service
+ - ssh-host-certs-renew.target
+ - ssh-host-certs-renew.timer
+ notify:
+ - reload systemd
+ tags:
+ - systemd
+
 - name: ensure ssh-host-cert-sign is configured
 template:
 src: ssh-host-cert-sign.env.j2
@@ -15,7 +36,7 @@
 group: root
 mode: u=rw,go=r
 notify:
- - restart ssh-host-certs.target
+ - restart ssh-host-certs-renew.target
 tags:
 - config
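Review bot: `Unit=%N.target` is correct but cryptic — %N is the timer's own name without its suffix, so this activates ssh-host-certs-renew.target — and deserves a comment such as `# %N expands to ssh-host-certs-renew, so this starts ssh-host-certs-renew.target`. The schedule (weekly on Tuesday, up to 48h of jitter, catch-up of missed runs via Persistent=yes) only works if the CA issues certificates valid for comfortably more than nine days, and that assumption lives solely in the CA configuration; a comment next to `OnCalendar=` stating the minimum validity the timer relies on would make the coupling visible to whoever changes either side.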
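Review bot: The copied timer is never enabled or started in this hunk — the copy task only notifies `reload systemd`, and ssh-host-certs-renew.timer has an [Install] section that nothing activates — so unless a later task outside this hunk does it, renewal stops once sshca-cli-systemd, which presumably shipped the old units and their enablement, is removed. A `systemd` task after the copy closes the gap; it needs `daemon_reload: yes` of its own because the notified handler only runs at the end of the play, after this task would have tried to enable a unit systemd has not yet loaded. Note also that the removal task is tagged only `uninstall`, so a run limited to `--tags install,systemd` leaves the old package and its units in place next to the new ones.
```yaml
# … unchanged: copy loop over ssh-host-cert-sign@.service, ssh-host-certs-renew.target, ssh-host-certs-renew.timer …

- name: ensure ssh-host-certs-renew.timer is enabled and started
  systemd:
    name: ssh-host-certs-renew.timer
    enabled: yes
    state: started
    daemon_reload: yes
  tags:
    - systemd
```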