r/ssh-host-certs: Import systemd unit files

The _sshca-cli_ package no longer provides a _-systemd_ sub-package
containing the systemd unit files for automatically requesting and
renewing SSH host certificates.  Its original intent was to support
automatically signing certificates on first boot by having the unit
files installed by Anaconda, but this never really worked for various
reasons.  Since I'd rather not have to rebuild the RPMs every time I
need to make a change to the systemd units, and Ansible is required to
actually get the certificates issued anyway, it makes more sense to have
the unit files in the configuration policy instead.

roles/ssh-host-certs/files/ssh-host-cert-sign@.service

@@ -0,0 +1,34 @@
+[Unit]
+Description=Request %I SSH Host Certificate
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+EnvironmentFile=-/etc/sysconfig/ssh-host-cert-sign
+ExecStart=/usr/bin/sshca-cli host sign --output /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key.pub
+
+CapabilityBoundingSet=CAP_CHOWN
+DeviceAllow=
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/etc/ssh
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes

roles/ssh-host-certs/files/ssh-host-certs-renew.target

@@ -0,0 +1,7 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Request SSH Host Certificates
+StopWhenUnneeded=yes
+Wants=ssh-host-cert-sign@ed25519.service
+Wants=ssh-host-cert-sign@rsa.service
+Wants=ssh-host-cert-sign@ecdsa.service

roles/ssh-host-certs/files/ssh-host-certs-renew.timer

@@ -0,0 +1,12 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Periodically renew SSH host certificates
+
+[Timer]
+Unit=%N.target
+OnCalendar=Tue *-*-* 00:00:00
+RandomizedDelaySec=48h
+Persistent=yes
+
+[Install]
+WantedBy=timers.target

roles/ssh-host-certs/meta/main.yml

@@ -1,3 +1,4 @@
 dependencies:
+- role: systemd-base
 - role: dch-yum
   tags: dch-yum

roles/ssh-host-certs/tasks/main.yml

@@ -1,12 +1,33 @@
-- name: ensure sshca-cli-systemd is installed
+- name: ensure sshca-cli is installed
   package:
-    name: sshca-cli-systemd
+    name: sshca-cli
     state: present
-  notify:
-  - restart ssh-host-certs.target
   tags:
   - install
 
+- name: ensure sshca-cli-systemd is not installed
+  package:
+    name: sshca-cli-systemd
+    state: absent
+  tags:
+  - uninstall
+
+- name: ensure ssh host cert signing systemd units are installed
+  copy:
+    src: '{{ item }}'
+    dest: /etc/systemd/system/{{ item }}
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  loop:
+  - ssh-host-cert-sign@.service
+  - ssh-host-certs-renew.target
+  - ssh-host-certs-renew.timer
+  notify:
+  - reload systemd
+  tags:
+  - systemd
+
 - name: ensure ssh-host-cert-sign is configured
   template:
     src: ssh-host-cert-sign.env.j2
@@ -15,7 +36,7 @@
     group: root
     mode: u=rw,go=r
   notify:
-  - restart ssh-host-certs.target
+  - restart ssh-host-certs-renew.target
   tags:
   - config