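---
# Enroll this host with the smallstep SSH CA and configure sshd to
# (a) present a CA-signed host certificate and (b) trust CA-signed user
# certificates. Drop-ins under /etc/ssh/sshd_config.d/ are picked up via the
# distro's `Include` directive; every change to them notifies the
# `reload sshd` handler, which is defined elsewhere in this role.

- name: ensure ssh host certificates are signed
  # Custom module (not part of this file) that obtains the signed host
  # certificates. It runs first so the HostCertificate paths referenced by
  # the drop-in below already exist when sshd reloads.
  ssh_host_certs:
  register: host_certs  # not consumed in this file; available to callers
  tags:
    - cert

- name: ensure sshd is configured to use host certificates
  template:
    src: hostcertificate.conf.j2
    dest: /etc/ssh/sshd_config.d/10-hostcertificate.conf
    mode: 'u=rw,go=r'
    owner: root
    group: root
  notify:
    - reload sshd
  tags:
    - config
    - sshd-config
    - sshd_config  # legacy spelling kept so existing --tags runs still match

- name: ensure dch-smallstep repo is configured
  copy:
    src: dch-smallstep.repo
    dest: /etc/yum.repos.d/dch-smallstep.repo
    mode: 'u=rw,go=r'
    owner: root
    group: root
  tags:
    - yumrepo

- name: ensure step-cli is installed
  package:
    name: step-cli
    state: present
  tags:
    - install

- name: ensure step certificate directory exists
  file:
    path: '{{ step_root_ca_path | dirname }}'
    mode: 'u=rwx,go=rx'
    owner: root
    group: root
    state: directory
  tags:
    - cert

- name: ensure step root ca is installed
  # This is the trust anchor step-cli uses to verify the CA; it is public
  # material, so world-readable is fine, but it must only be writable by root.
  copy:
    src: '{{ step_root_ca }}'
    dest: '{{ step_root_ca_path }}'
    mode: 'u=rw,go=r'
    owner: root
    group: root
  tags:
    - cert

- name: ensure step-ssh-renew systemd units are installed
  copy:
    src: '{{ item }}'
    dest: /etc/systemd/system/{{ item }}
    mode: 'u=rw,go=r'
    owner: root
    group: root
  loop:
    - step-ssh-renew@.service
    - step-ssh-renew.target
    - step-ssh-renew.timer
  tags:
    - systemd

- name: ensure step-ssh-renew environment variables are set
  # NOTE(review): systemd reads EnvironmentFile= as root, so if
  # step-ssh-renew.env.j2 renders any credential (e.g. a provisioner
  # password or token) this can be tightened to `mode: 'u=rw,go='`.
  # Confirm against the template before changing.
  template:
    src: step-ssh-renew.env.j2
    dest: /etc/sysconfig/step-ssh-renew
    mode: 'u=rw,go=r'
    owner: root
    group: root
  tags:
    - config
    - step-cli-config

- name: ensure step-ssh-renew.timer is enabled
  systemd:
    name: step-ssh-renew.timer
    enabled: true
    # The unit files were just copied into /etc/systemd/system; without a
    # daemon-reload systemd would act on stale (or not yet known) definitions.
    daemon_reload: true
  tags:
    - service

- name: ensure step-ssh-renew.timer is running
  systemd:
    name: step-ssh-renew.timer
    state: started
  tags:
    - service

# The CA public key is installed before the drop-in that references it, so
# sshd never sees a TrustedUserCAKeys path that does not exist yet.
- name: ensure user ssh ca certificates are trusted
  template:
    src: ca.pub.j2
    dest: /etc/ssh/ca.pub
    mode: 'u=rw,go=r'
    owner: root
    group: root
  tags:
    - config
    - sshd-config
  notify:
    - reload sshd

- name: ensure sshd is configured to trust user certificate ca
  copy:
    src: trustedusercakeys.conf
    dest: /etc/ssh/sshd_config.d/70-trustedusercakeys.conf
    mode: 'u=rw,go=r'
    owner: root
    group: root
  tags:
    - config
    - sshd-config
  notify:
    - reload sshd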