certificates/examples/ansible/smallstep-ssh/tasks/main.yml

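---
# These steps automate the installation guide here:
# https://smallstep.com/docs/sso-ssh/hosts/
# TODO: Figure out how to make this idempotent instead of reinstalling on each run
#
# Every `command` task below reports "changed" on each run; the commented-out
# `when:` guards show the intended gating once an install-state fact exists.

- name: Bootstrap node to connect to CA
  # The --fingerprint pins the CA root certificate, so a bad --ca-url cannot
  # substitute a different CA. --force overwrites any existing "ssh" context.
  command: "step ca bootstrap --context ssh --ca-url {{ smallstep_ssh_ca_url }} --fingerprint {{ smallstep_ssh_ca_fingerprint }} --force"
  # when: smallstep_ssh_installed.changed or smallstep_ssh_force_reinit

- name: Get a host SSH certificate
  # The enrollment token is a secret passed as a command-line argument.
  # no_log keeps the rendered command (and the module result) out of Ansible's
  # output and logs; on failure, rerun without no_log to see the error.
  command: "step ssh certificate --context ssh {{ inventory_hostname }} /etc/ssh/ssh_host_ecdsa_key.pub --host --sign --provisioner=\"Service Account\" --token=\"{{ smallstep_ssh_enrollment_token }}\" --force"
  no_log: true
  # when: smallstep_ssh_installed.changed or smallstep_ssh_force_reinit

- name: Configure SSHD (will be overwriten by the sshd template in Ansible later)
  # Points sshd at the host key and the certificate issued by the task above.
  command: "step ssh config --context ssh --host --set Certificate=ssh_host_ecdsa_key-cert.pub --set Key=ssh_host_ecdsa_key"
  # when: smallstep_ssh_installed.changed or smallstep_ssh_force_reinit

- name: Activate SmallStep PAM/NSS modules and nohup sshd
  command: "step-ssh activate {{ inventory_hostname }}"
  # when: smallstep_ssh_installed.changed or smallstep_ssh_force_reinit

- name: Generate host tags list
  # Turns the smallstep_ssh_host_tags mapping into repeated `--tag "k=v"`
  # arguments: serialise to JSON, rewrite ': ' as '=', turn each key start into
  # ' --tag "', then strip the remaining JSON brackets/braces.
  set_fact:
    smallstep_ssh_host_tags_string: "{{ smallstep_ssh_host_tags | to_json | regex_replace('\\:\\ ','=') | regex_replace('\\{\\\"|,\\ \\\"', ' --tag \"') | regex_replace('[\\[\\]{}]') }}"

- name: Generate command to register
  # Folded scalar (>-): YAML joins these lines with single spaces, so the fact
  # is a single command line rather than a multi-line string.
  # NOTE(review): for a non-bastion host without
  # smallstep_ssh_host_behind_bastion_name this renders `--bastion ''`;
  # confirm step-ssh-ctl accepts an empty bastion name.
  set_fact:
    smallstep_ssh_register_string: >-
      step-ssh-ctl register
      --hostname {{ inventory_hostname }}
      {% if not smallstep_ssh_host_is_bastion %}--bastion '{{ smallstep_ssh_host_behind_bastion_name|default("") }}'{% endif %}
      {% if smallstep_ssh_host_is_bastion %}--is-bastion{% endif %}
      {{ smallstep_ssh_host_tags_string }}

- name: Show the generated register command
  # The register string holds no secret (hostname, bastion, tags only), so it
  # is safe to print.
  debug:
    var: smallstep_ssh_register_string

- name: Register host with smallstep
  command: "{{ smallstep_ssh_register_string }}"
  # when: smallstep_ssh_installed.changed or smallstep_ssh_force_reinit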