ssh-certs hosts.
All checks were successful
Gitea Actions Demo / Explore-Gitea-Actions (push) Successful in 0s
All checks were successful
Gitea Actions Demo / Explore-Gitea-Actions (push) Successful in 0s
This commit is contained in:
hogweed1
@@ -24,4 +24,6 @@
|
|||||||
- import_playbook: resolvconf.yml
|
- import_playbook: resolvconf.yml
|
||||||
- import_playbook: users.yml
|
- import_playbook: users.yml
|
||||||
- import_playbook: exporters.yml
|
- import_playbook: exporters.yml
|
||||||
- import_playbook: pmc314-ca.yml
|
- import_playbook: pmc314-ca.yml
|
||||||
|
|
||||||
|
- import_playbook: ssh-certs/deploy-user-certs.yml
|
||||||
|
|||||||
59
playbooks/ssh-certs/deploy-host-certs.yml
Normal file
59
playbooks/ssh-certs/deploy-host-certs.yml
Normal file
@@ -0,0 +1,59 @@
|
|||||||
|
- hosts: all
|
||||||
|
become: yes
|
||||||
|
vars:
|
||||||
|
# Имя провижнера на сервере step-ca, который имеет право подписывать хосты
|
||||||
|
step_host_provisioner: "ssh-host-provisioner"
|
||||||
|
# Путь к файлу с паролем от этого провижнера на вашей Ansible-машине
|
||||||
|
step_provisioner_password_file: "/etc/step-ca/host_provisioner_password.txt"
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
- name: Создание временной папки на Ansible-машине для генерации ключей хоста
|
||||||
|
delegate_to: localhost
|
||||||
|
become: no
|
||||||
|
file:
|
||||||
|
path: "/tmp/ssh_host_certs/{{ inventory_hostname }}"
|
||||||
|
state: directory
|
||||||
|
mode: '0700'
|
||||||
|
|
||||||
|
- name: Удаленный выпуск Хост-сертификата силами step-ca
|
||||||
|
delegate_to: localhost
|
||||||
|
become: no
|
||||||
|
shell: >
|
||||||
|
step ssh certificate {{ inventory_hostname }} /tmp/ssh_host_certs/{{ inventory_hostname }}/ssh_host_ed25519_key.pub
|
||||||
|
--host --sign --provisioner "{{ step_host_provisioner }}"
|
||||||
|
--password-file "{{ step_provisioner_password_file }}"
|
||||||
|
--principal "{{ inventory_hostname }}" --principal "{{ ansible_host }}"
|
||||||
|
--force
|
||||||
|
|
||||||
|
# step создаст два файла: сам публичный ключ и файл сертификата с суффиксом -cert.pub
|
||||||
|
# Нам нужно забрать получившийся сертификат и положить его на целевую ноду
|
||||||
|
|
||||||
|
- name: Копирование сгенерированного Хост-сертификата на целевую виртуалку
|
||||||
|
copy:
|
||||||
|
src: "/tmp/ssh_host_certs/{{ inventory_hostname }}/ssh_host_ed25519_key-cert.pub"
|
||||||
|
dest: /etc/ssh/ssh_host_ed25519_key-cert.pub
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0600'
|
||||||
|
|
||||||
|
- name: Настройка sshd_config для отдачи Хост-сертификата клиентам
|
||||||
|
blockinfile:
|
||||||
|
path: /etc/ssh/sshd_config
|
||||||
|
block: |
|
||||||
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||||
|
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
|
||||||
|
marker: "# {mark} ANSIBLE MANAGED HOST CERTIFICATE BLOCK #"
|
||||||
|
notify: Restart SSH
|
||||||
|
|
||||||
|
- name: Очистка временных файлов на Ansible-машине
|
||||||
|
delegate_to: localhost
|
||||||
|
become: no
|
||||||
|
file:
|
||||||
|
path: "/tmp/ssh_host_certs/{{ inventory_hostname }}"
|
||||||
|
state: absent
|
||||||
|
|
||||||
|
handlers:
|
||||||
|
- name: Restart SSH
|
||||||
|
service:
|
||||||
|
name: sshd
|
||||||
|
state: restarted
|
||||||
Reference in New Issue
Block a user