diff --git a/common.yaml b/common.yaml
index 0057690..8e7ba60 100644
--- a/common.yaml
+++ b/common.yaml
@@ -8,4 +8,4 @@ ignition:
 - local: collectd.ign
 - local: local_exporter.ign
 - local: notify-shutdown.ign
- - local: step-ssh.ign
+ - local: ssh-host-certs.ign
diff --git a/dch-repo.yaml b/dch-repo.yaml
new file mode 100644
index 0000000..3869822
--- /dev/null
+++ b/dch-repo.yaml
@@ -0,0 +1,9 @@
+variant: fcos
+version: 1.4.0
+
+storage:
+ files:
+ - path: /etc/yum.repos.d/dch.repo
+ mode: 0644
+ contents:
+ local: dch.repo
diff --git a/dch.repo b/dch.repo
new file mode 100644
index 0000000..2f1227c
--- /dev/null
+++ b/dch.repo
@@ -0,0 +1,6 @@
+[dch]
+name=DCH - Fedora $releasever
+baseurl=https://files.pyrocufflink.blue/yum/dch/fedora/$releasever
+gpgkey=https://files.pyrocufflink.blue/yum/dch/gnupg.pub
+gpgcheck=1
+skip_if_unavailable=true
diff --git a/ssh-bootstrap.service b/ssh-bootstrap.service
deleted file mode 100644
index 9833057..0000000
--- a/ssh-bootstrap.service
+++ /dev/null
@@ -1,13 +0,0 @@
-# vim: set ft=systemd :
-[Service]
-Description=Bootstrap SSH host certificates
-ConditionPathExistsGlob=!/etc/ssh/ssh_host_*_key-cert.pub
-After=network-online.target
-Wants=network-online.target
-
-[Service]
-Type=oneshot
-ExecStart=/bin/sh /etc/ssh/bootstrap.sh
-
-[Install]
-WantedBy=multi-user.target
diff --git a/ssh-bootstrap.sh b/ssh-bootstrap.sh
deleted file mode 100644
index 1a8d891..0000000
--- a/ssh-bootstrap.sh
+++ /dev/null
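Review bot: `gpgcheck=1` in dch.repo verifies package signatures, but the repository metadata (repomd.xml and the package lists it references) is protected only by the HTTPS transport; if the repository signs its metadata, add `repo_gpgcheck=1` so a tampered or stale mirror listing is rejected as well. The signing key is fetched over HTTPS from the same host that serves the packages, so package trust ultimately rests on that host's TLS identity; shipping the public key in the image and pointing `gpgkey` at a `file://` path would remove that dependency. `skip_if_unavailable=true` lets dnf proceed when the repo cannot be reached, which is fine for routine updates, but if a package install depends on this repo the failure will surface later as a missing package rather than as a repo error, which is worth a comment in the file.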
@@ -1,35 +0,0 @@
-#!/bin/sh
-# vim: set sw=4 ts=4 sts=4 et :
-
-gen_sshd_config() {
- {
- for x in ssh_host_*_key-cert.pub; do
- printf 'HostCertificate /etc/ssh/%s\n' "${x}"
- done
- } > sshd_config.d/10-hostcertificate.conf
-}
-
-parse_response() {
- jq -r '.certificates | to_entries | .[] | .key + " " + .value' \
- | while read filename contents; do
- [ -n "$(unknown)" ] || continue
- echo "${contents}" > "$(unknown)" || return
- done
-}
-
-request_sign() {
- set -- \
- https://bootstrap.pyrocufflink.blue/sshkeys/sign \
- -H 'Accept: application/json' \
- -F hostname=$(hostname -f)
- for f in /etc/ssh/ssh_host_*_key.pub; do
- set -- "$@" -F keys=@"${f}"
- done
- curl -fsSL "$@"
-}
-
-cd /etc/ssh || exit
-request_sign | parse_response
-gen_sshd_config
-
-systemctl reload sshd
diff --git a/ssh-host-certs.yaml b/ssh-host-certs.yaml
new file mode 100644
index 0000000..0c43c85
--- /dev/null
+++ b/ssh-host-certs.yaml
@@ -0,0 +1,40 @@
+variant: fcos
+version: 1.4.0
+
+ignition:
+ config:
+ merge:
+ - local: dch-repo.ign
+
+storage:
+ files:
+ - path: /etc/ignition/packages.d/sshca
+ mode: 0644
+ contents:
+ inline: |
+ sshca-cli-systemd
+
+ - path: /etc/ssh/sshd_config.d/10-hostcertificate.conf
+ mode: 0644
+ contents:
+ inline: |
+ HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
+ HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+ HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
+
+ - path: /etc/sysconfig/ssh-host-cert-sign
+ mode: 0644
+ contents:
+ inline: |
+ SSHCA_SERVER=https://sshca.pyrocufflink.blue
+
+ links:
+ - path: /etc/systemd/system/after-install.target.wants/ssh-host-certs.target
+ target: /usr/lib/systemd/system/ssh-host-certs.target
+ - path: /etc/systemd/system/after-install.target.wants/ssh-host-certs-renew.timer
+ target: /usr/lib/systemd/system/ssh-host-certs-renew.timer
+
+systemd:
+ units:
+ - name: ssh-host-certs-renew.timer
+ enabled: true
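Review bot: The `10-hostcertificate.conf` drop-in in ssh-host-certs.yaml lists three `HostCertificate` files unconditionally, whereas the deleted bootstrap script generated it from whichever `ssh_host_*_key-cert.pub` files actually existed; on first boot none of the certificates are present yet, and a host that never gets an RSA certificate will carry a permanently dangling entry. In my reading of sshd's startup it logs an error for each missing certificate but still starts, so this is log noise rather than an outage, but it deserves a comment in the inline block such as `# Certificates are issued post-install by ssh-host-certs.target; sshd tolerates missing HostCertificate files until then`. The renew timer is also wired twice — symlinked into `after-install.target.wants` under `links` and `enabled: true` under `systemd.units` — and since the unit appears to come from the `sshca-cli-systemd` package rather than the image, I am not certain the preset written for `enabled: true` ever applies; keeping one mechanism and commenting which target pulls the timer in would make the intent unambiguous.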
diff --git a/step-ssh-renew.env b/step-ssh-renew.env
deleted file mode 100644
index fe30f16..0000000
--- a/step-ssh-renew.env
+++ /dev/null
@@ -1,3 +0,0 @@
-STEP_CA_URL=https://ca.pyrocufflink.blue:32599
-STEP_ROOT=/etc/pki/ca-trust/source/anchors/dch-root-ca.crt
-STEP_PROVISIONER=sshpop
diff --git a/step-ssh-renew.target b/step-ssh-renew.target
deleted file mode 100644
index 7e7b2a1..0000000
--- a/step-ssh-renew.target
+++ /dev/null
@@ -1,6 +0,0 @@
-[Unit]
-Description=Renew SSH host certificates
-StopWhenUnneeded=yes
-Wants=step-ssh-renew@ed25519.service
-Wants=step-ssh-renew@ecdsa.service
-Wants=step-ssh-renew@rsa.service
diff --git a/step-ssh-renew.timer b/step-ssh-renew.timer
deleted file mode 100644
index f7344a6..0000000
--- a/step-ssh-renew.timer
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Periodically renew SSH host certificates
-
-[Timer]
-Unit=%N.target
-OnCalendar=Tue *-*-* 00:00:00
-RandomizedDelaySec=48h
-Persistent=yes
-
-[Install]
-WantedBy=timers.target
diff --git a/step-ssh-renew@.container b/step-ssh-renew@.container
deleted file mode 100644
index 117576b..0000000
--- a/step-ssh-renew@.container
+++ /dev/null
@@ -1,20 +0,0 @@
-[Unit]
-Description=Renew SSH host %I certificate
-After=network-online.target
-Wants=network-online.target
-ConditionPathExists=/etc/ssh/ssh_host_%I_key-cert.pub
-
-[Container]
-ContainerName=step-ssh-renew-%I
-Image=docker.io/smallstep/step-cli:0.25.0
-EnvironmentFile=/etc/sysconfig/step-ssh-renew
-Exec=step ssh renew -f /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key
-Volume=/etc/ssh:/etc/ssh:rw
-Volume=/etc/pki:/etc/pki:ro
-# Required in order to be able to write to /etc/ssh
-SecurityLabelDisable=true
-User=0
-Group=0
-
-[Service]
-Type=oneshot
diff --git a/step-ssh.yaml b/step-ssh.yaml
deleted file mode 100644
index 6856ba2..0000000
--- a/step-ssh.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-variant: fcos
-version: 1.4.0
-
-storage:
- files:
- - path: /etc/ssh/bootstrap.sh
- mode: 0755
- contents:
- local: ssh-bootstrap.sh
- - path: /etc/containers/systemd/step-ssh-renew@.container
- mode: 0644
- contents:
- local: step-ssh-renew@.container
- - path: /etc/sysconfig/step-ssh-renew
- mode: 0600
- contents:
- local: step-ssh-renew.env
- - path: /etc/systemd/system/ssh-bootstrap.service
- mode: 0644
- contents:
- local: ssh-bootstrap.service
- - path: /etc/systemd/system/step-ssh-renew.target
- mode: 0644
- contents:
- local: step-ssh-renew.target
- - path: /etc/systemd/system/step-ssh-renew.timer
- mode: 0644
- contents:
- local: step-ssh-renew.timer