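---
# These steps automate the installation guide here:
# https://smallstep.com/docs/sso-ssh/hosts/
#
# Every task below is a bare `command` with its `when:` guard commented out, so
# the whole sequence re-runs (and reports "changed") on every play; the `--force`
# flags are what make that re-run safe, but not idempotent.
# TODO: Figure out how to make this idempotent instead of reinstalling on each run

- name: Bootstrap node to connect to CA
  # Pins this host to the CA by URL and root fingerprint. The fingerprint is the
  # only thing that authenticates the CA during bootstrap, so it should come from
  # a trusted source (inventory / vault), never be computed on the managed host.
  command: "step ca bootstrap --context ssh --ca-url {{ smallstep_ssh_ca_url }} --fingerprint {{ smallstep_ssh_ca_fingerprint }} --force"
  # when: smallstep_ssh_installed.changed or smallstep_ssh_force_reinit

- name: Get a host SSH certificate
  # Signs /etc/ssh/ssh_host_ecdsa_key.pub with the "Service Account" provisioner,
  # authenticated by the enrollment token.
  command: "step ssh certificate --context ssh {{ inventory_hostname }} /etc/ssh/ssh_host_ecdsa_key.pub --host --sign --provisioner=\"Service Account\" --token=\"{{ smallstep_ssh_enrollment_token }}\" --force"
  # The token travels on the command line, so without no_log it is echoed in
  # Ansible's task output and callback/log plugins (and is briefly visible in the
  # host's process list regardless). no_log also censors the error output when
  # the task fails; lift it only temporarily while debugging.
  no_log: true
  # when: smallstep_ssh_installed.changed or smallstep_ssh_force_reinit

- name: Configure SSHD (will be overwriten by the sshd template in Ansible later)
  # Points sshd at the key/certificate pair named after the key signed above. The
  # task name says a later sshd template overwrites this configuration, so it only
  # has to hold until that template runs.
  command: "step ssh config --context ssh --host --set Certificate=ssh_host_ecdsa_key-cert.pub --set Key=ssh_host_ecdsa_key"
  # when: smallstep_ssh_installed.changed or smallstep_ssh_force_reinit

- name: Activate SmallStep PAM/NSS modules and nohup sshd
  command: "step-ssh activate {{ inventory_hostname }}"
  # when: smallstep_ssh_installed.changed or smallstep_ssh_force_reinit

- name: Generate host tags list
  # Rewrites the JSON form of smallstep_ssh_host_tags (presumably a mapping —
  # the first substitution targets a leading `{"`) into a run of ` --tag "k=v"`
  # arguments: `: ` -> `=`, each key boundary (`{"` or `, "`) -> ` --tag "`, then
  # the surrounding brackets/braces are dropped (the last regex_replace has no
  # replacement, i.e. empty). Nothing is escaped, so keys or values that
  # themselves contain `"`, `: ` or `, "` would likely corrupt the result.
  set_fact:
    smallstep_ssh_host_tags_string: "{{ smallstep_ssh_host_tags | to_json | regex_replace('\\:\\ ','=') | regex_replace('\\{\\\"|,\\ \\\"', ' --tag \"') | regex_replace('[\\[\\]{}]') }}"

- name: Generate command to register
  # Builds the registration command as a multi-line string; `command` splits it
  # on whitespace (shell-style), so the embedded newlines are harmless. Exactly
  # one of --bastion / --is-bastion is emitted depending on
  # smallstep_ssh_host_is_bastion.
  set_fact:
    smallstep_ssh_register_string: |
      step-ssh-ctl register
      --hostname {{ inventory_hostname }}
      {% if not smallstep_ssh_host_is_bastion %}--bastion '{{ smallstep_ssh_host_behind_bastion_name|default("") }}'{% endif %}
      {% if smallstep_ssh_host_is_bastion %}--is-bastion{% endif %}
      {{ smallstep_ssh_host_tags_string }}

# Shows the assembled command (hostname, bastion flag, tags — no secrets).
- debug:
    var: smallstep_ssh_register_string

- name: Register host with smallstep
  command: "{{ smallstep_ssh_register_string }}"
  # when: smallstep_ssh_installed.changed or smallstep_ssh_force_reinit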