File: main.yml


# These steps automate the installation guide here:
#  https://smallstep.com/docs/sso-ssh/hosts/

# TODO: Figure out how to make this idempotent instead of reinstalling on each run

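# Point this host's `ssh` step context at the CA. The fingerprint is what pins
# the CA root that later certificate requests trust, so it must reach `step`
# intact: both templated values go through the `quote` filter so that a value
# containing whitespace or other metacharacters stays one argument after the
# command module splits the string, and an empty value becomes an explicit
# empty argument (which `step` rejects) instead of silently disappearing.
# `--force` overwrites any previous bootstrap, so this task is not idempotent.
- name: Bootstrap node to connect to CA
  command: "step ca bootstrap --context ssh --ca-url {{ smallstep_ssh_ca_url | quote }} --fingerprint {{ smallstep_ssh_ca_fingerprint | quote }} --force"
#  when: smallstep_ssh_installed.changed or smallstep_ssh_force_reinit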

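# Request a host SSH certificate for this node's ECDSA host public key, signed
# by the "Service Account" provisioner and authorised by the enrollment token.
# The token is a credential: `no_log` keeps it out of Ansible's task output and
# log files. This also hides the module's stdout/stderr when the task fails, so
# lift it temporarily when debugging an enrollment problem. The hostname and
# token are quoted so they survive argument splitting unchanged.
# `--force` re-issues the certificate on every run (not idempotent).
- name: Get a host SSH certificate
  command: "step ssh certificate --context ssh {{ inventory_hostname | quote }} /etc/ssh/ssh_host_ecdsa_key.pub --host --sign --provisioner=\"Service Account\" --token={{ smallstep_ssh_enrollment_token | quote }} --force"
  no_log: true
#  when: smallstep_ssh_installed.changed or smallstep_ssh_force_reinit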

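# Let `step ssh config` write the sshd settings that point at the host key and
# the certificate issued above. The task name records that this file is only
# an interim configuration: a later sshd template in Ansible replaces it.
- name: Configure SSHD (will be overwritten by the sshd template in Ansible later)
  command: "step ssh config --context ssh --host --set Certificate=ssh_host_ecdsa_key-cert.pub --set Key=ssh_host_ecdsa_key"
#  when: smallstep_ssh_installed.changed or smallstep_ssh_force_reinit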

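# Activate the step-ssh PAM/NSS modules for this host; the task name suggests
# it also restarts sshd — confirm against `step-ssh activate` before relying on
# that. The hostname is quoted so it reaches the command as a single argument.
- name: Activate SmallStep PAM/NSS modules and nohup sshd
  command: "step-ssh activate {{ inventory_hostname | quote }}"
#  when: smallstep_ssh_installed.changed or smallstep_ssh_force_reinit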

# Turn the smallstep_ssh_host_tags mapping into a run of `--tag "key"="value"`
# arguments for step-ssh-ctl by rewriting its JSON form:
#   1. to_json          -> {"k1": "v1", "k2": "v2"}
#   2. ': '  -> '='     -> {"k1"="v1", "k2"="v2"}
#   3. '{"' or ', "' -> ' --tag "'  ->  --tag "k1"="v1" --tag "k2"="v2"}
#   4. strip any [ ] { } characters that remain
# NOTE(review): this is text surgery on JSON, so a key or value that itself
# contains a double quote, a comma followed by a space, or a bracket/brace
# would most likely corrupt the resulting argument list — confirm the tag
# inventory is constrained to plain identifiers.
- name: Generate host tags list
  set_fact:
    smallstep_ssh_host_tags_string: "{{ smallstep_ssh_host_tags | to_json | regex_replace('\\:\\ ','=') | regex_replace('\\{\\\"|,\\ \\\"', ' --tag \"') | regex_replace('[\\[\\]{}]') }}"

# Assemble the `step-ssh-ctl register` command line as a literal block scalar
# (newlines are kept in the value; the command module later splits it on
# whitespace). Exactly one of the two {% if %} lines renders: a non-bastion
# host passes `--bastion '<name>'`, which is `--bastion ''` when
# smallstep_ssh_host_behind_bastion_name is unset; a bastion host passes
# `--is-bastion`. The tag arguments come from the previous set_fact task.
# NOTE(review): the bastion name is wrapped in single quotes, so a name that
# contains a single quote would break the argument splitting — verify the
# inventory value.
- name: Generate command to register
  set_fact:
    # Keep the block scalar header and its indentation as-is: any change to the
    # body (including a comment line) becomes part of the command string.
    smallstep_ssh_register_string: |
          step-ssh-ctl register
                --hostname {{ inventory_hostname }}
                {% if not smallstep_ssh_host_is_bastion %}--bastion '{{ smallstep_ssh_host_behind_bastion_name|default("") }}'{% endif %}
                {% if smallstep_ssh_host_is_bastion %}--is-bastion{% endif %}
                {{ smallstep_ssh_host_tags_string }}

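# Print the assembled registration command so a failed registration can be
# reproduced by hand. The string holds the hostname, bastion name and tags
# only — the enrollment token is never part of it, so it is safe to log.
# Block-style module arguments instead of the key=value shorthand.
- debug:
    var: smallstep_ssh_register_string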

# Run the command line built by the "Generate command to register" task. The
# value is passed as one string; the command module splits it into arguments
# itself (no shell is involved), which is what makes the single-quoted
# `--bastion '…'` fragment and the `--tag "…"` fragments work.
# Registration is repeated on every run (see the idempotency TODO at the top).
- name: Register host with smallstep
  command: "{{ smallstep_ssh_register_string }}"
#  when: smallstep_ssh_installed.changed or smallstep_ssh_force_reinit