The `ssh-bootstrap` script, which is run by the *ssh-bootstrap.service* systemd unit, requests an SSH host certificate for each of the existing SSH host keys. The certificates are issued by the *POST /sshkeys/sign* operation of the *dch-webhooks* web service.

The *step-ssh-renew* timer/service runs `step ssh renew`, in a container, weekly to renew the SSH host certificates. A host certificate must already exist, and its private key is used to authenticate to the CA server. Since `step ssh renew` can only operate on one certificate/key file at a time, `step-ssh-renew@.container` defines a template unit. The template instance specifies the key type (i.e. `rsa`, `ecdsa`, or `ed25519`), which in turn determines which certificate and private key file to use. The timer unit activates a target unit, which depends on the concrete service units. Note that the target unit must have `StopWhenUnneeded=yes` so that it can be started again the next time the timer fires.
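Because the renewed certificates are what `sshd` presents to clients, the check a practitioner wants on such a host is whether the weekly renewal is actually keeping the `*-cert.pub` files fresh. The following is an added example, not code from the ssh-bootstrap or step-ssh-renew project: it parses the OpenSSH certificate wire format (per OpenSSH's PROTOCOL.certkeys) for the `rsa`, `ecdsa` and `ed25519` key types named above and classifies each certificate's validity window. The 14-day `min_remaining` threshold is an assumption chosen to match a weekly timer (one missed run should still leave a valid certificate); the certificate blobs built by `build_test_cert` are constructed, unsigned test data and are never trusted for anything but exercising the parser.

```python
"""Check OpenSSH host certificates for an upcoming or missed renewal.

Added example, not part of ssh-bootstrap / step-ssh-renew. Signatures are not
verified here; this only reads the validity window and principals.
"""
import base64
import glob
import struct
import time

HOST_CERT = 2  # OpenSSH certificate type: 1 = user, 2 = host


def _string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _uint32(buf, off):
    return struct.unpack(">I", buf[off:off + 4])[0], off + 4


def _uint64(buf, off):
    return struct.unpack(">Q", buf[off:off + 8])[0], off + 8


def _skip_pubkey(cert_type, buf, off):
    """Skip the public-key fields, which differ per key type (PROTOCOL.certkeys)."""
    if cert_type.startswith(b"ssh-rsa"):
        n_fields = 2   # mpint e, mpint n
    elif cert_type.startswith(b"ecdsa-sha2-"):
        n_fields = 2   # string curve, string public_key
    elif cert_type.startswith(b"ssh-ed25519"):
        n_fields = 1   # string pk
    else:
        raise ValueError("unsupported certificate type %r" % cert_type)
    for _ in range(n_fields):
        _, off = _string(buf, off)
    return off


def parse_cert(line):
    """Parse one `*-cert.pub` line and return the fields relevant to renewal."""
    parts = line.split()
    if len(parts) < 2 or not parts[0].endswith("-cert-v01@openssh.com"):
        raise ValueError("not an OpenSSH certificate line")
    buf = base64.b64decode(parts[1])
    cert_type, off = _string(buf, 0)
    if cert_type != parts[0].encode():
        raise ValueError("certificate type does not match blob")
    _, off = _string(buf, off)                # nonce
    off = _skip_pubkey(cert_type, buf, off)
    serial, off = _uint64(buf, off)
    ctype, off = _uint32(buf, off)
    key_id, off = _string(buf, off)
    principals_blob, off = _string(buf, off)  # packed list of strings
    principals, p = [], 0
    while p < len(principals_blob):
        name, p = _string(principals_blob, p)
        principals.append(name.decode())
    valid_after, off = _uint64(buf, off)
    valid_before, off = _uint64(buf, off)
    return {"type": cert_type.decode(), "serial": serial,
            "is_host_cert": ctype == HOST_CERT, "key_id": key_id.decode(),
            "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}


def renewal_status(cert, now=None, min_remaining=14 * 86400):
    """Classify a parsed certificate. min_remaining is an assumed threshold:
    with a weekly renew timer, under two weeks left means one missed run
    would let the certificate expire."""
    now = int(time.time()) if now is None else now
    if not cert["is_host_cert"]:
        return "not-a-host-cert"
    if now < cert["valid_after"]:
        return "not-yet-valid"
    if now >= cert["valid_before"]:
        return "expired"
    if cert["valid_before"] - now < min_remaining:
        return "renew-soon"
    return "ok"


def _pack_string(b):
    return struct.pack(">I", len(b)) + b


def build_test_cert(key_type, key_id, principals, valid_after, valid_before):
    """Construct a well-formed but UNSIGNED certificate line (test data only)."""
    cert_type = key_type + "-cert-v01@openssh.com"
    pub = {"ssh-ed25519": [b"\x00" * 32],
           "ssh-rsa": [b"\x01\x00\x01", b"\x00" + b"\x01" * 64],
           "ecdsa-sha2-nistp256": [b"nistp256", b"\x04" + b"\x00" * 64]}[key_type]
    blob = _pack_string(cert_type.encode()) + _pack_string(b"\x00" * 32)  # nonce
    blob += b"".join(_pack_string(f) for f in pub)
    blob += struct.pack(">Q", 42) + struct.pack(">I", HOST_CERT)
    blob += _pack_string(key_id.encode())
    blob += _pack_string(b"".join(_pack_string(p.encode()) for p in principals))
    blob += struct.pack(">QQ", valid_after, valid_before)
    blob += _pack_string(b"") * 3   # critical options, extensions, reserved
    blob += _pack_string(b"") * 2   # signature key, signature (placeholders)
    return "%s %s" % (cert_type, base64.b64encode(blob).decode())


if __name__ == "__main__":
    # On a real host: report every certificate sshd would present.
    for path in sorted(glob.glob("/etc/ssh/ssh_host_*-cert.pub")):
        with open(path) as f:
            cert = parse_cert(f.read())
        print(path, cert["key_id"], cert["principals"], renewal_status(cert))
```

Run it on the host after the timer has fired; any `renew-soon` or `expired` line means the corresponding `step-ssh-renew@<type>` instance did not succeed and its journal is the place to look.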
30 lines
714 B
YAML
```yaml
variant: fcos
version: 1.4.0
storage:
  files:
    - path: /etc/ssh/bootstrap.sh
      mode: 0755
      contents:
        local: ssh-bootstrap.sh
    - path: /etc/containers/systemd/step-ssh-renew@.container
      mode: 0644
      contents:
        local: step-ssh-renew@.container
    - path: /etc/sysconfig/step-ssh-renew
      mode: 0600
      contents:
        local: step-ssh-renew.env
    - path: /etc/systemd/system/ssh-bootstrap.service
      mode: 0644
      contents:
        local: ssh-bootstrap.service
    - path: /etc/systemd/system/step-ssh-renew.target
      mode: 0644
      contents:
        local: step-ssh-renew.target
    - path: /etc/systemd/system/step-ssh-renew.timer
      mode: 0644
      contents:
        local: step-ssh-renew.timer
```