From add0f72d7206b2f64973568081650f7bb3b14141 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Fri, 19 Aug 2022 11:08:00 +0300
Subject: exolobe1-spec: set host key and cert for installation

This quite a temporary key and cert.

Sponsored-by: author
---
ansible/exolobe1.yml | 24 +++++++-----------------
v-i/exolobe1-spec.yaml | 10 ++++++++++
2 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/ansible/exolobe1.yml b/ansible/exolobe1.yml
index b5425d4..ddbb61b 100644
--- a/ansible/exolobe1.yml
+++ b/ansible/exolobe1.yml
@@ -3,24 +3,9 @@
become: no
roles:
- sane_debian_system
+ - sshd
- unix_users
- tasks:
- - apt:
- name:
- - libpam-yubico
- - lineinfile:
- path: /etc/pam.d/common-auth
- regex: pam_yubico.so
- line: "auth required pam_yubico.so mode=challenge-response chalresp_path=/etc/yubikey_chalresp"
- - file:
- state: directory
- path: /etc/yubikey_chalresp
- mode: 0700
- - copy:
- content: |
- {{ lookup('pipe', 'pass libpam-yubico/liw/y5.chalresp') }}
- dest: "/etc/yubikey_chalresp/liw-{{ lookup('pipe', 'pass libpam-yubico/liw/y5.serial') }}"
- mode: 0600
+ - gnome-system
vars:
ansible_python_interpreter: /usr/bin/python3
@@ -45,5 +30,10 @@
authorized_keys: |
{{ liw_personal_ssh_pub }}
+ sshd_version: 1
+ sshd_host_key: "{{ lookup('pipe', 'sshca host private-key exolobe1') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v3 exolobe1') }}"
+ sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"
+
rustup_cargo_install: |
starship
diff --git a/v-i/exolobe1-spec.yaml b/v-i/exolobe1-spec.yaml
index dcc4019..b063753 100644
--- a/v-i/exolobe1-spec.yaml
+++ b/v-i/exolobe1-spec.yaml
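Review bot: The YubiKey PAM setup (`libpam-yubico`, the `auth required pam_yubico.so` line in `/etc/pam.d/common-auth`, the chalresp file under `/etc/yubikey_chalresp/`) is dropped from the play without the commit message saying why, and deleting tasks does not undo them on a host that has already been provisioned — the PAM line and the chalresp directory stay in place until something removes them. If the setup moved into `gnome-system` or another role, the message should say so; if it is meant to be gone, a one-off cleanup is needed (`lineinfile` with `state: absent` for the PAM line, `apt` with `state: absent` for the package), otherwise the old challenge-response requirement quietly outlives this commit. The play's `hosts:` header is above the hunk, so I cannot see which hosts this applies to.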
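Review bot: `sshd_host_key` pulls an unencrypted private key into play vars through `lookup('pipe', ...)`, which runs on the controller every time the play is parsed; any task in the `sshd` role that writes it without `no_log: true` will echo the key in `-v`/`--diff` output, and since the role is not in this diff I cannot confirm it is protected. Note also that the `pipe` lookup strips the trailing newline, so the role must append one when writing the key file or OpenSSH may reject it with "invalid format" — worth confirming against the role. `sshd_version: 1` is a bare magic number with nothing explaining what the role does with it; a one-line comment above it, e.g. `# sshd_version: selects the sshd role's config layout (see roles/sshd)`, adjusted to what the role actually keys off it, would help the next reader. `sshca host certify` is also re-run on every play, so if sshca mints a new certificate each call (I cannot tell from here) the host cert file will change on every run.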
@@ -5,5 +5,15 @@ extra_lvs:
size: 300G
mounted: /home
ansible_vars:
+ host_key: |
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+ QyNTUxOQAAACDrR+77pLmmtG2oAtcaot5ZIgU7FriMoDSCejG33dsfjgAAAIietrwbnra8
+ GwAAAAtzc2gtZWQyNTUxOQAAACDrR+77pLmmtG2oAtcaot5ZIgU7FriMoDSCejG33dsfjg
+ AAAEAugoV1wqYMsAYSW1su3W3WyWh4ZIWNbvDIkphOGOS0eetH7vukuaa0bagC1xqi3lki
+ BTsWuIygNIJ6Mbfd2x+OAAAAAAECAwQF
+ -----END OPENSSH PRIVATE KEY-----
+ host_cert: |
+ ssh-ed25519-cert-v01@openssh.com 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 /tmp/.tmpximUbQ/sub.pub
user_pub: |
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems
-- cgit v1.2.1
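Review bot: `host_key` commits an unencrypted ed25519 private host key, together with the CA-signed `host_cert` for it, into the repository in clear text; "temporary" does not help once it is in git history, so anyone who can read this repo can present a valid `liw.fi/ca/host/v3` certificate for exolobe1 — and stand in for the installer itself while it still runs on this key — until that cert expires or is revoked. Treat the key as leaked now: add the cert to the CA's KRL (`ssh-keygen -k`), issue a fresh key, and keep the key out of the spec by generating it at install time or fetching it through a `lookup('pipe', 'sshca host private-key exolobe1')` the way `ansible/exolobe1.yml` does in this same commit. The trailing `/tmp/.tmpximUbQ/sub.pub` on the cert line is only the key comment, but it suggests the cert was signed from a temp file, so it is worth checking with `ssh-keygen -L` that the principals and validity period are what you intended rather than defaults.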