railiance-infra/ansible/roles/ssh_ca_host/tasks/main.yml
tegwick c31d70b53f feat(ssh): add bootstrap-ssh-ca role for OpenBao SSH user CA trust
Deploy TrustedUserCAKeys, auth_principals from ssh_principals.yaml, and
Makefile targets bootstrap-ssh-ca / bootstrap-ssh-ca-host (NET-WP-0020 T5).
2026-06-18 01:06:43 +02:00


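---
# Role ssh_ca_host: make sshd on the managed host trust the OpenBao SSH user
# CA and restrict certificate logins to the principals listed per user in
# ssh_principals.yaml.
#
# Variables:
#   ssh_ca_pubkey_path  required; path on the controller to the CA public key
#   ssh_principals      optional; looked up by inventory_hostname, each entry
#                       carrying `users: {<login user>: [<principal>, ...]}`
#                       (presumably loaded from ssh_principals.yaml by the
#                       caller — confirm how it is wired in)
#
# Handler used: "Restart sshd" (defined outside this file).

- name: Require SSH CA public key path
  ansible.builtin.assert:
    that:
      - ssh_ca_pubkey_path is defined
      - ssh_ca_pubkey_path | length > 0
    fail_msg: >-
      Set ssh_ca_pubkey_path to the OpenBao SSH CA public key file
      (from railiance-platform openbao-configure-ssh).

# The CA key lives on the controller, so stat it there and without escalation.
- name: Stat SSH CA public key source
  ansible.builtin.stat:
    path: "{{ ssh_ca_pubkey_path }}"
  delegate_to: localhost
  become: false
  register: ssh_ca_pubkey_stat

- name: Fail when SSH CA public key is missing
  ansible.builtin.fail:
    msg: "SSH CA public key not found on controller: {{ ssh_ca_pubkey_path }}"
  when: not ssh_ca_pubkey_stat.stat.exists

- name: Ensure SSH CA directory exists
  ansible.builtin.file:
    path: /etc/ssh/ca
    state: directory
    owner: root
    group: root
    mode: "0755"

# Public key only, so world-readable is fine; root ownership keeps anyone but
# root from swapping the trusted CA.
- name: Install SSH user CA public key
  ansible.builtin.copy:
    src: "{{ ssh_ca_pubkey_path }}"
    dest: /etc/ssh/ca/ca_user.pub
    owner: root
    group: root
    mode: "0644"
  notify: Restart sshd

# With AuthorizedPrincipalsFile set, sshd accepts a certificate only when one
# of its principals is listed in /etc/ssh/auth_principals/<login user>.
# NOTE(review): a user with no principals file should therefore get no
# certificate login at all (fail closed) — confirm against the target
# sshd_config(5) version.
- name: Configure SSH certificate trust
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config.d/20-ssh-ca.conf
    owner: root
    group: root
    mode: "0644"
    content: |
      TrustedUserCAKeys /etc/ssh/ca/ca_user.pub
      AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
  notify: Restart sshd

- name: Ensure auth_principals directory exists
  ansible.builtin.file:
    path: /etc/ssh/auth_principals
    state: directory
    owner: root
    group: root
    mode: "0755"

# Always resolves to a mapping: empty when the host has no entry, when
# ssh_principals is not loaded, or when the host entry lacks a `users` key,
# so the tasks below can rely on dict semantics.
- name: Resolve principals for this host
  ansible.builtin.set_fact:
    ssh_ca_host_principals: >-
      {{
        (ssh_principals[inventory_hostname].users | default({})
         if ssh_principals is defined
         and inventory_hostname in ssh_principals
         else {})
      }}

- name: Deploy auth_principals files per user
  ansible.builtin.copy:
    dest: "/etc/ssh/auth_principals/{{ item.key }}"
    owner: root
    group: root
    mode: "0644"
    content: "{{ item.value | join('\n') }}\n"
  loop: "{{ ssh_ca_host_principals | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  when: ssh_ca_host_principals | length > 0
  notify: Restart sshd

# The principals files are the authorisation source for certificate logins, so
# a user dropped from ssh_principals.yaml must lose their file as well;
# otherwise the old entitlement keeps working on the host. Files are matched
# by basename against the keys of ssh_ca_host_principals, so a host with no
# configured users ends up with an empty directory.
- name: Find existing auth_principals files
  ansible.builtin.find:
    paths: /etc/ssh/auth_principals
    file_type: file
  register: ssh_ca_existing_principals

- name: Remove auth_principals files for users not in ssh_principals.yaml
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ ssh_ca_existing_principals.files }}"
  loop_control:
    label: "{{ item.path }}"
  when: (item.path | basename) not in ssh_ca_host_principals

- name: Warn when no principals configured for host
  ansible.builtin.debug:
    msg: >-
      No principals in ssh_principals.yaml for {{ inventory_hostname }} —
      CA trust installed; add users under hosts.<name>.users to enable cert login.
  when: ssh_ca_host_principals | length == 0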