From 73a93a35109cdd66d9e4fa16c58400d89afefa26 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Sun, 31 Jul 2022 17:03:13 +0300
Subject: ssh-dev: configure user CA
Sponsored-by: author
---
 ansible/ssh-dev.yml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/ansible/ssh-dev.yml b/ansible/ssh-dev.yml
index dd20b79..889c72b 100644
--- a/ansible/ssh-dev.yml
+++ b/ansible/ssh-dev.yml
@@ -12,11 +12,23 @@ Port {{ sshd_port }}
 dest: /etc/ssh/sshd_config.d/port.conf
 notify: sshd_restart
+ - name: "Configure user CA for SSH server"
+ when: sshd_user_ca_pub is defined
+ copy:
+ content: |
+ {{ sshd_user_ca_pub }}
+ dest: /etc/ssh/user_ca_pubs
+ - name: "Configure SSH server to accept user CA"
+ when: sshd_user_ca_pub is defined
+ copy:
+ content: |
+ TrustedUserCAKeys /etc/ssh/user_ca_pubs
+ dest: /etc/ssh/sshd_config.d/user_ca.conf
 handlers:
 - name: sshd_restart
 systemd:
 name: ssh
- state: restarted
+ state: reloaded
 vars:
 ansible_python_interpreter: /usr/bin/python3
@@ -30,3 +42,5 @@
 - username: liw
 sshd_port: 22
+ sshd_user_ca_pub: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdSnGI91exKItWsZi0XFVQWluS0FUdd12FLjuQk1FxG liw User CA v1
+
-- cgit v1.2.1
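Review bot: The two added `copy` tasks carry no `notify: sshd_restart`, unlike the port task directly above them, so writing `/etc/ssh/sshd_config.d/user_ca.conf` will not by itself make the running sshd pick up the `TrustedUserCAKeys` directive; add `notify: sshd_restart` at least to the second task. They also set no `owner`, `group` or `mode`, and `/etc/ssh/user_ca_pubs` is a trust anchor (whoever can write it can make sshd accept certificates they sign), so I would pin it with `owner: root`, `group: root`, `mode: "0644"` rather than depend on the umask or on whatever mode an existing file already has. Note also that `when: sshd_user_ca_pub is defined` only skips the tasks: dropping the variable later leaves both files in place and the CA still trusted, which deserves a comment such as `# removing sshd_user_ca_pub does not revoke the CA; delete user_ca.conf explicitly`. The play's task list starts above this hunk, so an earlier task may already cover some of this.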