ci: Pin to dedicated nodes

Now that there are several production workloads on the Raspberry Pi cluster, we don't want intense jobs like this running on them. To ensure this job runs on a dedicated node, we need to use a label expression that matches the appropriate nodes.
systemd: Add unit to auto reload sshd after renew
2025-09-13 07:17:03 -05:00 · 2025-09-12 07:16:02 -05:00
8 changed files with 200 additions and 0 deletions
--- a/ci/Jenkinsfile
+++ b/ci/Jenkinsfile
@ -82,5 +82,70 @@ pipeline {
            }
        }

+        stage('Build Container') {
+            matrix {
+                axes {
+                    axis {
+                        name 'ARCH'
+                        values 'amd64', 'arm64'
+                    }
+                }
+                stages {
+                    stage('Container') {
+                        agent {
+                            kubernetes {
+                                yamlFile 'ci/podTemplate-container.yaml'
+                                yamlMergeStrategy merge()
+                                defaultContainer 'buildah'
+                                nodeSelector "kubernetes.io/arch=${ARCH}"
+                            }
+                        }
+
+                        stages {
+                            stage('Build') {
+                                steps {
+                                    sh '. ci/build-container.sh'
+                                    stash name: env.ARCH, includes: "*.oci.tar"
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+        stage('Publish Container') {
+            agent {
+                kubernetes {
+                    yamlFile 'ci/podTemplate-container.yaml'
+                    yamlMergeStrategy merge()
+                    defaultContainer 'buildah'
+                }
+            }
+
+            environment {
+                REGISTRY_AUTH_FILE = "${env.WORKSPACE_TMP}/auth.json"
+            }
+
+            steps {
+                unstash 'amd64'
+                unstash 'arm64'
+                withCredentials([usernamePassword(
+                    credentialsId: 'jenkins-packages',
+                    usernameVariable: 'BUILDAH_USERNAME',
+                    passwordVariable: 'BUILDAH_PASSWORD',
+                )]) {
+                    sh """
+                        buildah login \
+                        --username \${BUILDAH_USERNAME} \
+                        --password \${BUILDAH_PASSWORD} \
+                        git.pyrocufflink.net
+                    """
+                }
+                sh '. ci/publish-container.sh'
+            }
+        }
+
+
    }
 }
--- a/reload-ssh-cert.path
+++ b/reload-ssh-cert.path
@ -0,0 +1,11 @@
+[Unit]
+Description=Watch SSH Host certificates for renewal
+After=sshd.service
+
+[Path]
+PathChanged=/etc/ssh/ssh_host_rsa_key-cert.pub
+PathChanged=/etc/ssh/ssh_host_ecdsa_key-cert.pub
+PathChanged=/etc/ssh/ssh_host_ed25519-cert.pub
+
+[Install]
+WantedBy=paths.target
--- a/reload-ssh-cert.service
+++ b/reload-ssh-cert.service
@ -0,0 +1,24 @@
+[Unit]
+Description=Reload SSH daemon when certificate is renewed
+After=sshd.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl reload sshd
+CapabilityBoundingSet=
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
--- a/ssh-host-cert-sign@.service
+++ b/ssh-host-cert-sign@.service
@ -0,0 +1,34 @@
+[Unit]
+Description=Request %I SSH Host Certificate
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+EnvironmentFile=-/etc/sysconfig/ssh-host-cert-sign
+ExecStart=/usr/bin/sshca-cli host sign --output /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key.pub
+
+CapabilityBoundingSet=CAP_CHOWN
+DeviceAllow=
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/etc/ssh
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
--- a/ssh-host-certs-renew.target
+++ b/ssh-host-certs-renew.target
@ -0,0 +1,7 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Request SSH Host Certificates
+StopWhenUnneeded=yes
+Wants=ssh-host-cert-sign@ed25519.service
+Wants=ssh-host-cert-sign@rsa.service
+Wants=ssh-host-cert-sign@ecdsa.service
--- a/ssh-host-certs-renew.timer
+++ b/ssh-host-certs-renew.timer
@ -0,0 +1,12 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Periodically renew SSH host certificates
+
+[Timer]
+Unit=%N.target
+OnCalendar=Tue *-*-* 00:00:00
+RandomizedDelaySec=48h
+Persistent=yes
+
+[Install]
+WantedBy=timers.target
--- a/ssh-host-certs.target
+++ b/ssh-host-certs.target
@ -0,0 +1,10 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Request SSH Host Certificates
+ConditionFirstBoot=yes
+Wants=ssh-host-cert-sign@ed25519.service
+Wants=ssh-host-cert-sign@rsa.service
+Wants=ssh-host-cert-sign@ecdsa.service
+
+[Install]
+WantedBy=multi-user.target
--- a/sshca-cli.spec
+++ b/sshca-cli.spec
@ -18,17 +18,32 @@ License:        MIT OR Apache-2.0
 URL:            https://git.pyrocufflink.net/dustin/sshca
 Source:         sshca-cli-%{version}.tar.xz
 Source:         sshca-cli-%{version}-vendor.tar.xz
+Source:         ssh-host-cert-sign@.service
+Source:         ssh-host-certs.target
+Source:         ssh-host-certs-renew.target
+Source:         ssh-host-certs-renew.timer
+Source:         reload-ssh-cert.path
+Source:         reload-ssh-cert.service

 ExclusiveArch:  %{rust_arches}

 BuildRequires:  cargo-rpm-macros >= 25
 BuildRequires:  openssl-devel
+BuildRequires:  systemd-rpm-macros

 %global _description %{expand:
 CLI client for SSHCA.}

 %description %{_description}

+%package systemd
+Summary:        systemd units for managing SSH host certificates with SSHCA
+Requires:       %{name} = %{version}
+
+%description systemd
+A collection of systemd service, timer, and target units that automatically
+request and renew SSH host certificates from an SSHCA server.
+
 %prep
 %autosetup -n %{crate}-%{version} -p1 -a1
 %cargo_prep -v vendor
@ -43,11 +58,30 @@ CLI client for SSHCA.}
 %install
 %cargo_install

+mkdir -p $RPM_BUILD_ROOT%{_unitdir}
+install -m u=rw,go=r \
+	%{SOURCE2} \
+	%{SOURCE3} \
+	%{SOURCE4} \
+	%{SOURCE5} \
+	%{SOURCE6} \
+	%{SOURCE7} \
+	$RPM_BUILD_ROOT%{_unitdir}
+
 %if %{with check}
 %check
 %cargo_test
 %endif

+%post systemd
+%systemd_post ssh-host-certs.target ssh-host-certs-renew.timer reload-ssh-cert.path
+
+%preun systemd
+%systemd_preun ssh-host-certs.target ssh-host-certs-renew.timer reload-ssh-cert.path
+
+%postun systemd
+%systemd_postun ssh-host-certs.target ssh-host-certs-renew.timer reload-ssh-cert.path
+
 %files
 %license LICENSE-Apache-2.0.txt
 %license LICENSE-MIT.txt
@ -55,6 +89,9 @@ CLI client for SSHCA.}
 %license cargo-vendor.txt
 %{_bindir}/sshca-cli

+%files systemd
+%{_unitdir}/*
+
 %changelog
 * Sun Nov 05 2023 Dustin C. Hatch <dustin@hatch.name> - 0.1.0-1
 - Initial package