fix: use new SSH CA for hosts

This one doesn't require pressing a U2F token button five times per
host, because Ansible evaluates variable values at the time of use.

Sponsored-by: author

1 files changed, 12 insertions, 2 deletions

diff --git a/v-i/x220-spec.yaml b/v-i/x220-spec.yaml
index 961e29a..ca5138d 100644
--- a/v-i/x220-spec.yaml
+++ b/v-i/x220-spec.yaml
@@ -2,5 +2,15 @@ hostname: x220
 luks: asdf
 drive: /dev/sda
 ansible_vars:
-  user_pub: |
-   ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems
+  user_ca_pubkey: |
+    sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAnrswi6ZNElxSgt6ak5hjSNIkVte11ht7BG3qpBJU4hAAAABHNzaDo= 
+  host_key: |
+    -----BEGIN OPENSSH PRIVATE KEY-----
+    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+    QyNTUxOQAAACDFnkucADoZml5WXcXrP51B7x4mP0Ud7glusushEKIuqgAAAIiz+pWks/qV
+    pAAAAAtzc2gtZWQyNTUxOQAAACDFnkucADoZml5WXcXrP51B7x4mP0Ud7glusushEKIuqg
+    AAAEAGaSsLWAFVnDH5ZHdAHun7LwgX3FqSv5ScBWVCvUln/MWeS5wAOhmaXlZdxes/nUHv
+    HiY/RR3uCW6y6yEQoi6qAAAAAAECAwQF
+    -----END OPENSSH PRIVATE KEY-----
+  host_cert: |
+    ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIAzCEd+NFyuyLcUIRKWUHj+uLfk1xGWnNRFf4otMIwDSAAAAIMWeS5wAOhmaXlZdxes/nUHvHiY/RR3uCW6y6yEQoi6qAAAAAAAAAAAAAAACAAAAGWNlcnRpZmljYXRlIGZvciBob3N0IHgyMjAAAAAIAAAABHgyMjAAAAAAYwsBzAAAAABjgakYAAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACD7tWzrRUC8C8aZNM0tWvEBW/VJQ2zjjh9THBOYQ07ZxAAAAFMAAAALc3NoLWVkMjU1MTkAAABA7569E5JnKAvXBTGMzyBNa8oVcVYf3hbPjHzdXfYghKV4iJLbDj/1yBBYaFid4hIUOfRvC9ECdMGkLskd41OfCg== /tmp/.tmpDuMmUW/sub.pub