diff --git a/ssh-host-cert-sign@.service b/ssh-host-cert-sign@.service
new file mode 100644
index 0000000..0efde1e
--- /dev/null
+++ b/ssh-host-cert-sign@.service
@@ -0,0 +1,34 @@
+[Unit]
+Description=Request %I SSH Host Certificate
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+EnvironmentFile=-/etc/sysconfig/ssh-host-cert-sign
+ExecStart=/usr/bin/sshca-cli host sign --output /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key.pub
+
+CapabilityBoundingSet=CAP_CHOWN
+DeviceAllow=
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/etc/ssh
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
diff --git a/ssh-host-certs-renew.target b/ssh-host-certs-renew.target
new file mode 100644
index 0000000..9e54f1b
--- /dev/null
+++ b/ssh-host-certs-renew.target
@@ -0,0 +1,7 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Request SSH Host Certificates
+StopWhenUnneeded=yes
+Wants=ssh-host-cert-sign@ed25519.service
+Wants=ssh-host-cert-sign@rsa.service
+Wants=ssh-host-cert-sign@ecdsa.service
diff --git a/ssh-host-certs-renew.timer b/ssh-host-certs-renew.timer
new file mode 100644
index 0000000..3f6f728
--- /dev/null
+++ b/ssh-host-certs-renew.timer
@@ -0,0 +1,12 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Periodically renew SSH host certificates
+
+[Timer]
+Unit=%N.target
+OnCalendar=Tue *-*-* 00:00:00
+RandomizedDelaySec=48h
+Persistent=yes
+
+[Install]
+WantedBy=timers.target
diff --git a/ssh-host-certs.target b/ssh-host-certs.target
new file mode 100644
index 0000000..6277e22
--- /dev/null
+++ b/ssh-host-certs.target
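Review bot: The template has no `ConditionPathExists=/etc/ssh/ssh_host_%I_key.pub`, so on a host that lacks one of the three key types the ExecStart line fails and the instance shows up as a failed unit on first boot and on every weekly run; adding that condition under [Unit] skips the instance cleanly instead. The [Service] hardening block is thorough but stops short of a syscall filter; for a oneshot that only talks to the CA and writes one file, `SystemCallArchitectures=native` and `SystemCallFilter=@system-service` are the usual complement to the settings already here. I cannot tell from this hunk whether sshca-cli writes `--output` atomically (temp file plus rename); if it does not, a run that fails mid-write can leave a truncated `ssh_host_%I_key-cert.pub` in place for sshd to load, so that is worth confirming against the client. Note also that with `PrivateUsers=yes` the `CapabilityBoundingSet=CAP_CHOWN` line governs capabilities inside the unit's own user namespace only, which is presumably the intent but deserves a short comment so the next reader does not tighten or loosen it by mistake.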
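Review bot: The renewal cadence fixed by `OnCalendar=Tue *-*-* 00:00:00` and `RandomizedDelaySec=48h` silently assumes the CA issues certificates valid for comfortably more than nine days, and nothing in the unit records that; a comment above [Timer] such as `# Weekly request with up to 48h jitter: the CA's validity period must exceed 9 days (plus Persistent= catch-up after downtime) or hosts will present expired certificates` makes the dependency explicit. As far as I can see from these units nothing signals sshd after a renewed certificate is written; if sshd only loads HostCertificate files at startup (I believe it does, but confirm), a `systemctl reload sshd.service` step after the signing services or a path unit watching the certificate files is needed before the new certificate is actually served.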
@@ -0,0 +1,10 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Request SSH Host Certificates
+ConditionFirstBoot=yes
+Wants=ssh-host-cert-sign@ed25519.service
+Wants=ssh-host-cert-sign@rsa.service
+Wants=ssh-host-cert-sign@ecdsa.service
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sshca-cli.spec b/sshca-cli.spec
index 07b3ab9..55197cb 100644
--- a/sshca-cli.spec
+++ b/sshca-cli.spec
@@ -18,17 +18,30 @@ License: MIT OR Apache-2.0 URL: https://git.pyrocufflink.net/dustin/sshca Source: sshca-cli-%{version}.tar.xz Source: sshca-cli-%{version}-vendor.tar.xz +Source: ssh-host-cert-sign@.service +Source: ssh-host-certs.target +Source: ssh-host-certs-renew.target +Source: ssh-host-certs-renew.timer ExclusiveArch: %{rust_arches} BuildRequires: cargo-rpm-macros >= 25 BuildRequires: openssl-devel +BuildRequires: systemd-rpm-macros %global _description %{expand: CLI client for SSHCA.} %description %{_description} +%package systemd +Summary: systemd units for managing SSH host certificates with SSHCA +Requires: %{name} = %{version} + +%description systemd +A collection of systemd service, timer, and target units that automatically +request and renew SSH host certificates from an SSHCA server. + %prep %autosetup -n %{crate}-%{version} -p1 -a1 %cargo_prep -v vendor
@@ -43,11 +56,28 @@ CLI client for SSHCA.} %install %cargo_install +mkdir -p $RPM_BUILD_ROOT%{_unitdir} +install -m u=rw,go=r \ + %{SOURCE2} \ + %{SOURCE3} \ + %{SOURCE4} \ + %{SOURCE5} \ + $RPM_BUILD_ROOT%{_unitdir} + %if %{with check} %check %cargo_test %endif +%post systemd +%systemd_post ssh-host-certs.target ssh-host-certs-renew.timer + +%preun systemd +%systemd_preun ssh-host-certs.target ssh-host-certs-renew.timer + +%postun systemd +%systemd_postun ssh-host-certs.target ssh-host-certs-renew.timer + %files %license LICENSE-Apache-2.0.txt %license LICENSE-MIT.txt
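Review bot: ssh-host-certs.target has no ordering relationship with sshd, so `WantedBy=multi-user.target` alone does not guarantee that the signing services have finished before sshd.service starts on first boot, and sshd may come up without a certificate; since a target is implicitly ordered After= the units it Wants=, a single `Before=sshd.service` line under [Unit] closes that window, assuming sshd reads its certificates at startup. Because `ConditionFirstBoot=yes` only passes on a freshly installed image, a host that gets the systemd subpackage later never runs this target and waits for the weekly timer (up to nine days) for its first certificate; that may be deliberate, but it deserves a sentence in the subpackage description or a documented one-time `systemctl start ssh-host-certs-renew.target`. The three `Wants=` lines are repeated verbatim in ssh-host-certs-renew.target, so a new key type has to be added in two places; a comment in each file pointing at the other would at least make that visible.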
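Review bot: `Requires: %{name} = %{version}` in the new `%package systemd` stanza omits the release, so a subpackage from an older build still satisfies the dependency after a rebuild of the base package; the usual form is `Requires: %{name}%{?_isa} = %{version}-%{release}`. The four unit files are added as unnumbered `Source:` tags, so their numbers are assigned by position, while the %install hunk that follows refers to them as `%{SOURCE2}` through `%{SOURCE5}`; inserting any other Source line ahead of them would silently change which file is installed under which name, so explicit `Source2:` … `Source5:` tags make the coupling visible. The same observation applies to the `%{SOURCE2}`–`%{SOURCE5}` references in the next hunk, where `install -p` would additionally preserve the unit files' timestamps.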
@@ -55,6 +85,9 @@ CLI client for SSHCA.} %license cargo-vendor.txt %{_bindir}/sshca-cli +%files systemd +%{_unitdir}/* + %changelog * Sun Nov 05 2023 Dustin C. Hatch - 0.1.0-1 - Initial package
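Review bot: `%{_unitdir}/*` in the new `%files systemd` section hides packaging mistakes: if one of the four units stops being installed, or an unrelated file lands in the directory, the build still succeeds and the subpackage content changes without anyone noticing. Listing the units explicitly keeps the file set under review and makes the build fail when one goes missing. The %changelog is not extended for the new subpackage; if that is intentional for this commit it is fine, but the entry normally accompanies the change.
```rpmspec
%files systemd
%{_unitdir}/ssh-host-cert-sign@.service
%{_unitdir}/ssh-host-certs.target
%{_unitdir}/ssh-host-certs-renew.target
%{_unitdir}/ssh-host-certs-renew.timer
```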