configpolicy/roles/step-ssh/tasks/main.yml


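---
# ssh_host_certs is not an ansible.builtin module; presumably a role- or
# collection-local module that signs the host keys against the step CA —
# verify in the project's library/ or plugins/modules/.  The registered
# result is not consumed by any task in this file.
- name: ensure ssh host certificates are signed
  ssh_host_certs: {}
  register: host_certs
  tags:
    - cert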
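# sshd drop-in (presumably HostCertificate directives — see the template).
# The "reload sshd" handler is defined outside this file.
- name: ensure sshd is configured to use host certificates
  template:
    src: hostcertificate.conf.j2
    dest: /etc/ssh/sshd_config.d/10-hostcertificate.conf
    mode: 'u=rw,go=r'
    owner: root
    group: root
  notify:
    - reload sshd
  tags:
    - config
    # was sshd_config; the other two sshd drop-in tasks tag sshd-config
    - sshd-config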
# Yum repo definition for the smallstep packages.  NOTE(review): the repo
# file itself is not visible here — confirm it sets gpgcheck=1 and a
# gpgkey, since step-cli is installed from it below.
- name: ensure dch-smallstep repo is configured
  copy:
    src: dch-smallstep.repo
    dest: /etc/yum.repos.d/dch-smallstep.repo
    owner: root
    group: root
    mode: 'u=rw,go=r'
  tags:
    - yumrepo
# step-cli comes from the dch-smallstep repo configured above.
- name: ensure step-cli is installed
  package:
    state: present
    name: step-cli
  tags:
    - install
# Parent directory of step_root_ca_path (derived with the dirname filter,
# so only step_root_ca_path needs to be defined).
- name: ensure step certificate directory exists
  file:
    state: directory
    path: '{{ step_root_ca_path | dirname }}'
    owner: root
    group: root
    mode: 'u=rwx,go=rx'
  tags:
    - cert
# Root CA certificate (public material, so go=r is appropriate).
# step_root_ca and step_root_ca_path are role variables defined elsewhere.
- name: ensure step root ca is installed
  copy:
    src: '{{ step_root_ca }}'
    dest: '{{ step_root_ca_path }}'
    owner: root
    group: root
    mode: 'u=rw,go=r'
  tags:
    - cert
# Unit files for the periodic certificate renewal.  Note that copying
# them does not by itself make systemd re-read them.
- name: ensure step-ssh-renew systemd units are installed
  copy:
    src: '{{ item }}'
    dest: '/etc/systemd/system/{{ item }}'
    owner: root
    group: root
    mode: 'u=rw,go=r'
  loop:
    - step-ssh-renew@.service
    - step-ssh-renew.target
    - step-ssh-renew.timer
  tags:
    - systemd
# Environment file read by the step-ssh-renew units.  NOTE(review): the
# template's contents are not visible here — if it renders any token or
# provisioner credential, go=r makes it world-readable; confirm and tighten
# the mode in that case.
- name: ensure step-ssh-renew environment variables are set
  template:
    src: step-ssh-renew.env.j2
    dest: /etc/sysconfig/step-ssh-renew
    owner: root
    group: root
    mode: 'u=rw,go=r'
  tags:
    - config
    - step-cli-config
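# Enable the renewal timer.  daemon_reload makes systemd re-read unit files
# first, so changes to the step-ssh-renew units copied earlier in this role
# take effect instead of the previously loaded definitions being reused.
- name: ensure step-ssh-renew.timer is enabled
  systemd:
    name: step-ssh-renew.timer
    enabled: true
    daemon_reload: true
  tags:
    - service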
# Start the timer for the current boot (enabling alone only affects the
# next boot).
- name: ensure step-ssh-renew.timer is running
  systemd:
    state: started
    name: step-ssh-renew.timer
  tags:
    - service
# sshd drop-in (presumably a TrustedUserCAKeys directive pointing at
# /etc/ssh/ca.pub, installed by the next task).  The "reload sshd"
# handler is defined outside this file.
- name: ensure sshd is configured to trust user certificate ca
  copy:
    src: trustedusercakeys.conf
    dest: /etc/ssh/sshd_config.d/70-trustedusercakeys.conf
    owner: root
    group: root
    mode: 'u=rw,go=r'
  notify:
    - reload sshd
  tags:
    - config
    - sshd-config
# Public keys of the user-certificate CA(s); any key listed here can mint
# certificates sshd will accept, so the template's inputs deserve the same
# review as a sudoers change.  The "reload sshd" handler is defined
# outside this file.
- name: ensure user ssh ca certificates are trusted
  template:
    src: ca.pub.j2
    dest: /etc/ssh/ca.pub
    owner: root
    group: root
    mode: 'u=rw,go=r'
  notify:
    - reload sshd
  tags:
    - config
    - sshd-config