From 8a7faac35b7bb38c4d13dd61670de43dae9db971 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 13 Sep 2025 22:01:58 -0500
Subject: [PATCH] r/ssh-host-certs: Reload sshd after renewing certs

In Fedora 41, it seems the SSH daemon no longer automatically uses the new certificate after its host certificates have been renewed. To get it to pick up the new ones, we have to explicitly tell it to reload.

To handle that automatically, I've added a new systemd path unit that monitors the certificate files. When it detects that one of them has changed, it will send the signal to the SSH daemon to tell it to reload.
---
 .../ssh-host-certs/files/reload-ssh-cert.path | 11 +++++++++
 .../files/reload-ssh-cert.service | 24 +++++++++++++++++++
 roles/ssh-host-certs/tasks/main.yml | 10 ++++++++
 3 files changed, 45 insertions(+)
 create mode 100644 roles/ssh-host-certs/files/reload-ssh-cert.path
 create mode 100644 roles/ssh-host-certs/files/reload-ssh-cert.service

diff --git a/roles/ssh-host-certs/files/reload-ssh-cert.path b/roles/ssh-host-certs/files/reload-ssh-cert.path
new file mode 100644
index 0000000..f4fdb71
--- /dev/null
+++ b/roles/ssh-host-certs/files/reload-ssh-cert.path
@@ -0,0 +1,11 @@
+[Unit]
+Description=Watch SSH Host certificates for renewal
+After=sshd.service
+
+[Path]
+PathChanged=/etc/ssh/ssh_host_rsa_key-cert.pub
+PathChanged=/etc/ssh/ssh_host_ecdsa_key-cert.pub
+PathChanged=/etc/ssh/ssh_host_ed25519-cert.pub
+
+[Install]
+WantedBy=paths.target
diff --git a/roles/ssh-host-certs/files/reload-ssh-cert.service b/roles/ssh-host-certs/files/reload-ssh-cert.service
new file mode 100644
index 0000000..c4f2798
--- /dev/null
+++ b/roles/ssh-host-certs/files/reload-ssh-cert.service
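Review bot: The third watched path, `PathChanged=/etc/ssh/ssh_host_ed25519-cert.pub`, does not follow the `ssh_host_<alg>_key-cert.pub` naming of the RSA and ECDSA entries above it, and OpenSSH's conventional certificate name for the ed25519 host key is `/etc/ssh/ssh_host_ed25519_key-cert.pub` (the key file plus `-cert.pub`). Unless the signing unit in this role really writes to the `_key`-less path, a renewed ed25519 certificate will never fire this path unit, so sshd keeps presenting the old certificate for that key type until it expires and clients start refusing it. Suggest `PathChanged=/etc/ssh/ssh_host_ed25519_key-cert.pub`, and checking all three entries against the `HostCertificate` paths that `hostcertificate.conf.j2` emits so the watch list and sshd's config cannot drift apart.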
@@ -0,0 +1,24 @@
+[Unit]
+Description=Reload SSH daemon when certificate is renewed
+After=sshd.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl reload sshd
+CapabilityBoundingSet=
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
diff --git a/roles/ssh-host-certs/tasks/main.yml b/roles/ssh-host-certs/tasks/main.yml
index d57760e..32e47f2 100644
--- a/roles/ssh-host-certs/tasks/main.yml
+++ b/roles/ssh-host-certs/tasks/main.yml
@@ -23,6 +23,8 @@
     - ssh-host-cert-sign@.service
     - ssh-host-certs-renew.target
     - ssh-host-certs-renew.timer
+    - reload-ssh-cert.path
+    - reload-ssh-cert.service
   notify:
     - reload systemd
   tags:
@@ -48,6 +50,14 @@
   tags:
     - service
 
+- name: ensure reload-ssh-cert.path is enabled
+  systemd:
+    name: reload-ssh-cert.path
+    enabled: true
+    state: started
+  tags:
+    - service
+
 - name: ensure sshd is configured to use host certificates
   template:
     src: hostcertificate.conf.j2
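Review bot: `ExecStart=/usr/bin/systemctl reload sshd` is rejected by systemd when sshd.service is not active, so on a host where sshd is stopped (or has been moved to socket activation) every certificate renewal will leave this oneshot unit in a failed state; `systemctl try-reload-or-restart sshd.service` does the same reload when sshd is running and is a no-op otherwise. The `[Service]` section also mixes boolean spellings — `ProtectControlGroups=yes` while every other directive uses `true` — which is worth normalising. Since the unit has to run as root to be allowed to reload sshd, the sandbox is worth rounding out with a syscall filter and namespace/proc restrictions, all of which a plain `systemctl` client should tolerate; the rewritten and added lines are below.
```ini
[Service]
Type=oneshot
ExecStart=/usr/bin/systemctl try-reload-or-restart sshd.service
# … unchanged: CapabilityBoundingSet= through ProtectKernelLogs= …
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX
# … unchanged: LockPersonality= through RestrictSUIDSGID= …
RestrictNamespaces=true
ProtectProc=invisible
SystemCallArchitectures=native
SystemCallFilter=@system-service
```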
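Review bot: The new "ensure reload-ssh-cert.path is enabled" task starts the path unit with `state: started`, but the unit file is installed by the copy task earlier in this file, whose `reload systemd` handler does not run until the end of the play; on a first run systemd may therefore not know `reload-ssh-cert.path` yet and the start can fail with a unit-not-found error, unless handlers are flushed in between (the task list starts outside the hunk, so I cannot see that). Adding `daemon_reload: true` under `systemd:` makes the task self-sufficient. Separately, `state: started` is a no-op for a path unit that is already running, so a later edit to the `PathChanged=` entries will not take effect until the path unit is restarted; notifying a handler that restarts `reload-ssh-cert.path` when its unit file changes would close that gap.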