authorLars Wirzenius <liw@liw.fi>2022-08-28 09:46:48 +0300
committerLars Wirzenius <liw@liw.fi>2022-08-28 09:46:48 +0300
commit19f5e9a6fe86fce2f1918024ef797de0e7b569ed (patch)
tree9bf489353104749580d165c781093142ea6dd5d3
parente49a4adf42b8f11877eb7033092d2a1a0a3a275d (diff)
downloadansibleness-19f5e9a6fe86fce2f1918024ef797de0e7b569ed.tar.gz
fix: use new SSH CA for hosts
This one doesn't require pressing a U2F token button five times per host, because Ansible evaluates variable values at the time of use.

Sponsored-by: author
-rw-r--r--ansible/exolobe1.yml2
-rw-r--r--ansible/exolobe2.yml2
-rw-r--r--ansible/holywood2.yml2
-rw-r--r--ansible/qotom.yml2
-rw-r--r--ansible/solace.yml2
-rw-r--r--ansible/stamina.yml2
-rw-r--r--v-i/x220-spec.yaml14
7 files changed, 18 insertions, 8 deletions
diff --git a/ansible/exolobe1.yml b/ansible/exolobe1.yml
index 66cc3d9..427ad5d 100644
--- a/ansible/exolobe1.yml
+++ b/ansible/exolobe1.yml
@@ -34,7 +34,7 @@
sshd_version: 1
sshd_host_key: "{{ lookup('pipe', 'sshca host private-key exolobe1') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v3 exolobe1') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 exolobe1') }}"
sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"
rustup_cargo_install: |
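Review bot: The sshd_host_cert line (and the same line in exolobe2.yml, holywood2.yml, qotom.yml, solace.yml and stamina.yml) now certifies with the liw.fi/ca/host/v4 CA, but nothing in the commit updates whatever distributes the host CA public key to clients' known_hosts `@cert-authority` entries; if that lives elsewhere, a short comment such as `# host certs are signed by the v4 host CA; clients must trust its public key (known_hosts @cert-authority)` above the line would tie the two together. The sshd_user_ca_pub line is left at liw.fi/ca/user/v3, which is presumably intentional since the user and host CAs are separate keys, but the commit message only mentions the host CA. The host variable mapping these lines belong to starts outside the hunk.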
diff --git a/ansible/exolobe2.yml b/ansible/exolobe2.yml
index 4d0f291..7d69877 100644
--- a/ansible/exolobe2.yml
+++ b/ansible/exolobe2.yml
@@ -51,5 +51,5 @@
sshd_version: 1
sshd_host_key: "{{ lookup('pipe', 'sshca host private-key exolobe2') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v3 exolobe2') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 exolobe2') }}"
sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"
diff --git a/ansible/holywood2.yml b/ansible/holywood2.yml
index b37a1b7..ac4d72f 100644
--- a/ansible/holywood2.yml
+++ b/ansible/holywood2.yml
@@ -53,5 +53,5 @@
sshd_version: 1
sshd_host_key: "{{ lookup('pipe', 'sshca host private-key holywood2') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v3 holywood2') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 holywood2') }}"
sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"
diff --git a/ansible/qotom.yml b/ansible/qotom.yml
index 160f449..8a1cb9f 100644
--- a/ansible/qotom.yml
+++ b/ansible/qotom.yml
@@ -21,6 +21,6 @@
sshd_version: 1
sshd_host_key: "{{ lookup('pipe', 'sshca host private-key qotom') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v3 qotom') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 qotom') }}"
sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"
diff --git a/ansible/solace.yml b/ansible/solace.yml
index db09be9..4f01178 100644
--- a/ansible/solace.yml
+++ b/ansible/solace.yml
@@ -330,5 +330,5 @@
sshd_version: 1
sshd_host_key: "{{ lookup('pipe', 'pass ssh/host/solace') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v3 solace') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 solace') }}"
sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"
diff --git a/ansible/stamina.yml b/ansible/stamina.yml
index 44ebde9..10b3db7 100644
--- a/ansible/stamina.yml
+++ b/ansible/stamina.yml
@@ -177,5 +177,5 @@
sshd_version: 1
sshd_host_key: "{{ lookup('pipe', 'pass ssh/host/stamina') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v3 stamina') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 stamina') }}"
sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"
diff --git a/v-i/x220-spec.yaml b/v-i/x220-spec.yaml
index 961e29a..ca5138d 100644
--- a/v-i/x220-spec.yaml
+++ b/v-i/x220-spec.yaml
@@ -2,5 +2,15 @@ hostname: x220
luks: asdf
drive: /dev/sda
ansible_vars:
- user_pub: |
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems
+ user_ca_pubkey: |
+ sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAnrswi6ZNElxSgt6ak5hjSNIkVte11ht7BG3qpBJU4hAAAABHNzaDo=
+ host_key: |
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+ QyNTUxOQAAACDFnkucADoZml5WXcXrP51B7x4mP0Ud7glusushEKIuqgAAAIiz+pWks/qV
+ pAAAAAtzc2gtZWQyNTUxOQAAACDFnkucADoZml5WXcXrP51B7x4mP0Ud7glusushEKIuqg
+ AAAEAGaSsLWAFVnDH5ZHdAHun7LwgX3FqSv5ScBWVCvUln/MWeS5wAOhmaXlZdxes/nUHv
+ HiY/RR3uCW6y6yEQoi6qAAAAAAECAwQF
+ -----END OPENSSH PRIVATE KEY-----
+ host_cert: |
+ ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIAzCEd+NFyuyLcUIRKWUHj+uLfk1xGWnNRFf4otMIwDSAAAAIMWeS5wAOhmaXlZdxes/nUHvHiY/RR3uCW6y6yEQoi6qAAAAAAAAAAAAAAACAAAAGWNlcnRpZmljYXRlIGZvciBob3N0IHgyMjAAAAAIAAAABHgyMjAAAAAAYwsBzAAAAABjgakYAAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACD7tWzrRUC8C8aZNM0tWvEBW/VJQ2zjjh9THBOYQ07ZxAAAAFMAAAALc3NoLWVkMjU1MTkAAABA7569E5JnKAvXBTGMzyBNa8oVcVYf3hbPjHzdXfYghKV4iJLbDj/1yBBYaFid4hIUOfRvC9ECdMGkLskd41OfCg== /tmp/.tmpDuMmUW/sub.pub
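Review bot: The added `host_key` block commits an OpenSSH private key in plaintext to the repository, next to what looks like a LUKS passphrase (`luks: asdf`) already in context; anyone who can read this history can present the x220 host identity. The other hosts in this commit fetch the key at run time with `sshd_host_key: "{{ lookup('pipe', 'sshca host private-key …') }}"`, so if v-i hands `ansible_vars` to Ansible as ordinary variables the same form, `host_key: "{{ lookup('pipe', 'sshca host private-key x220') }}"`, would keep the key out of the file; otherwise it should be injected at install time from the sshca store. Unless this is a throwaway key for a test install, the key should be regenerated and re-certified now that it is in history. The `host_cert` value also carries the signer's temporary path `/tmp/.tmpDuMmUW/sub.pub` as its trailing comment, which is harmless but worth trimming to the hostname.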