From 19f5e9a6fe86fce2f1918024ef797de0e7b569ed Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Sun, 28 Aug 2022 09:46:48 +0300
Subject: fix: use new SSH CA for hosts
This one doesn't require pressing a U2F token button five times per host, because Ansible evaluates variable values at the time of use.
Sponsored-by: author
---
 ansible/exolobe1.yml | 2 +-
 ansible/exolobe2.yml | 2 +-
 ansible/holywood2.yml | 2 +-
 ansible/qotom.yml | 2 +-
 ansible/solace.yml | 2 +-
 ansible/stamina.yml | 2 +-
 v-i/x220-spec.yaml | 14 ++++++++++++--
 7 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/ansible/exolobe1.yml b/ansible/exolobe1.yml
index 66cc3d9..427ad5d 100644
--- a/ansible/exolobe1.yml
+++ b/ansible/exolobe1.yml
@@ -34,7 +34,7 @@ sshd_version: 1
 sshd_host_key: "{{ lookup('pipe', 'sshca host private-key exolobe1') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v3 exolobe1') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 exolobe1') }}"
 sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"
 rustup_cargo_install: |
diff --git a/ansible/exolobe2.yml b/ansible/exolobe2.yml
index 4d0f291..7d69877 100644
--- a/ansible/exolobe2.yml
+++ b/ansible/exolobe2.yml
@@ -51,5 +51,5 @@ sshd_version: 1
 sshd_host_key: "{{ lookup('pipe', 'sshca host private-key exolobe2') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v3 exolobe2') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 exolobe2') }}"
 sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"
diff --git a/ansible/holywood2.yml b/ansible/holywood2.yml
index b37a1b7..ac4d72f 100644
--- a/ansible/holywood2.yml
+++ b/ansible/holywood2.yml
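Review bot: Switching `sshd_host_cert` to `liw.fi/ca/host/v4` on the `+` line only changes which CA signs the host certificate; any client that pins the v3 host CA (for example through a `@cert-authority` entry in known_hosts) will reject the new certificate until the v4 CA public key has been distributed to it, and nothing in this commit does that. If that rollout happened elsewhere, a comment above the key such as `# must be signed by the host CA that clients trust in known_hosts (liw.fi/ca/host/v4)` would make the coupling visible to the next person who rotates it. `sshd_user_ca_pub` stays at `liw.fi/ca/user/v3` in all six playbooks, which looks intentional given the subject line ("for hosts") but is worth confirming in the commit message. The same point applies to the exolobe2, holywood2, qotom, solace and stamina hunks.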
@@ -53,5 +53,5 @@ sshd_version: 1
 sshd_host_key: "{{ lookup('pipe', 'sshca host private-key holywood2') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v3 holywood2') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 holywood2') }}"
 sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"
diff --git a/ansible/qotom.yml b/ansible/qotom.yml
index 160f449..8a1cb9f 100644
--- a/ansible/qotom.yml
+++ b/ansible/qotom.yml
@@ -21,6 +21,6 @@ sshd_version: 1
 sshd_host_key: "{{ lookup('pipe', 'sshca host private-key qotom') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v3 qotom') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 qotom') }}"
 sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"
diff --git a/ansible/solace.yml b/ansible/solace.yml
index db09be9..4f01178 100644
--- a/ansible/solace.yml
+++ b/ansible/solace.yml
@@ -330,5 +330,5 @@ sshd_version: 1
 sshd_host_key: "{{ lookup('pipe', 'pass ssh/host/solace') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v3 solace') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 solace') }}"
 sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"
diff --git a/ansible/stamina.yml b/ansible/stamina.yml
index 44ebde9..10b3db7 100644
--- a/ansible/stamina.yml
+++ b/ansible/stamina.yml
@@ -177,5 +177,5 @@ sshd_version: 1
 sshd_host_key: "{{ lookup('pipe', 'pass ssh/host/stamina') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v3 stamina') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 stamina') }}"
 sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"
diff --git a/v-i/x220-spec.yaml b/v-i/x220-spec.yaml
index 961e29a..ca5138d 100644
--- a/v-i/x220-spec.yaml
+++ b/v-i/x220-spec.yaml
@@ -2,5 +2,15 @@ hostname: x220
 luks: asdf
 drive: /dev/sda
 ansible_vars:
- user_pub: |
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems
+ user_ca_pubkey: |
+ sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAnrswi6ZNElxSgt6ak5hjSNIkVte11ht7BG3qpBJU4hAAAABHNzaDo=
+ host_key: |
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+ QyNTUxOQAAACDFnkucADoZml5WXcXrP51B7x4mP0Ud7glusushEKIuqgAAAIiz+pWks/qV
+ pAAAAAtzc2gtZWQyNTUxOQAAACDFnkucADoZml5WXcXrP51B7x4mP0Ud7glusushEKIuqg
+ AAAEAGaSsLWAFVnDH5ZHdAHun7LwgX3FqSv5ScBWVCvUln/MWeS5wAOhmaXlZdxes/nUHv
+ HiY/RR3uCW6y6yEQoi6qAAAAAAECAwQF
+ -----END OPENSSH PRIVATE KEY-----
+ host_cert: |
+ ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIAzCEd+NFyuyLcUIRKWUHj+uLfk1xGWnNRFf4otMIwDSAAAAIMWeS5wAOhmaXlZdxes/nUHvHiY/RR3uCW6y6yEQoi6qAAAAAAAAAAAAAAACAAAAGWNlcnRpZmljYXRlIGZvciBob3N0IHgyMjAAAAAIAAAABHgyMjAAAAAAYwsBzAAAAABjgakYAAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACD7tWzrRUC8C8aZNM0tWvEBW/VJQ2zjjh9THBOYQ07ZxAAAAFMAAAALc3NoLWVkMjU1MTkAAABA7569E5JnKAvXBTGMzyBNa8oVcVYf3hbPjHzdXfYghKV4iJLbDj/1yBBYaFid4hIUOfRvC9ECdMGkLskd41OfCg== /tmp/.tmpDuMmUW/sub.pub
-- cgit v1.2.1
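Review bot: The new `host_key` block commits the x220 host's OpenSSH private key in plain text to the repository, while the six playbooks changed in this same commit fetch host keys at run time with `lookup('pipe', 'sshca host private-key …')` or `pass`. A key that has been in git history should be treated as exposed: generate a fresh host key, certify that one instead, and have the spec fetch it the same way the playbooks do, e.g. `host_key: "{{ lookup('pipe', 'sshca host private-key x220') }}"`, assuming v-i passes `ansible_vars` through to Ansible unchanged (the commit message's remark about values being evaluated at time of use suggests it does). The pasted `host_cert` is a fixed blob and presumably carries a bounded validity window, so it will silently expire, whereas the playbooks' `sshca host certify` re-issues a certificate on each run. The trailing `/tmp/.tmpDuMmUW/sub.pub` on the certificate line is the key comment left from a temporary file and can be dropped.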