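- name: "sshd role version"
  # Guard that callers pin the role version this task file implements.
  # Done with the assert module rather than a shell test so the value is
  # never rendered into a command line: a malformed or hostile
  # sshd_version cannot break out of the "[ ... ]" test into shell syntax.
  # Comparing through "| string" keeps 1 (int) and "1" (str) equivalent,
  # which matches what the previous shell comparison accepted.
  assert:
    that:
      - sshd_version | string == "1"
    fail_msg: "Unexpected version {{ sshd_version }}"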
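- name: "Set SSH host identity"
  when: sshd_host_key is defined and sshd_host_cert is defined
  # This task handles the private host key. no_log keeps the key material
  # out of task output, verbose (-v) module-argument dumps and --diff
  # output; it is still written to disk exactly as before.
  no_log: true
  copy:
    content: |
      {{ sshd_host_key }}
    dest: /etc/ssh/ssh_host_key
    owner: root
    group: root
    # Quoted so the YAML loader cannot reinterpret the leading zero; sshd
    # refuses host keys that are group- or world-readable.
    mode: "0600"
  notify: sshd_restart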
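- name: "Set SSH host certificate"
  when: sshd_host_key is defined and sshd_host_cert is defined
  copy:
    content: |
      {{ sshd_host_cert }}
    dest: /etc/ssh/ssh_host_key-cert.pub
    # The certificate is public data, but pin ownership and mode explicitly
    # instead of inheriting the controller's umask, so only root can alter
    # the identity sshd presents.
    owner: root
    group: root
    mode: "0644"
  notify: sshd_restart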
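- name: "Configure SSH server host key"
  when: sshd_host_key is defined and sshd_host_cert is defined
  copy:
    # HostKeyAlgorithms filters which host-key algorithm names sshd offers
    # during key exchange, and the certificate form of ed25519 is a separate
    # name (ssh-ed25519-cert-v01@openssh.com). Listing plain ssh-ed25519
    # alone means the HostCertificate below is never offered and clients
    # silently fall back to the bare key, so the CA-signed identity is
    # lost. Both names are listed, certificate first.
    content: |
      HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
      HostKey /etc/ssh/ssh_host_key
      HostCertificate /etc/ssh/ssh_host_key-cert.pub
    dest: /etc/ssh/sshd_config.d/host_id.conf
    owner: root
    group: root
    mode: "0644"
  notify: sshd_restart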
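# Replace the "find ... -delete" shell one-liner with native modules: no
# shell is spawned, the task reports "changed" only when a file was actually
# removed, and check mode works. The glob ssh_host_*_key* deliberately does
# not match the managed ssh_host_key / ssh_host_key-cert.pub files.
- name: "Find obsolete SSH host keys and certificates"
  when: sshd_host_key is defined and sshd_host_cert is defined
  find:
    paths: /etc/ssh
    # recurse: false mirrors the previous -maxdepth 1; file_type: file
    # mirrors -type f.
    recurse: false
    file_type: file
    patterns: "ssh_host_*_key*"
  register: sshd_obsolete_host_key_files
- name: "Remove obsolete SSH host keys and certificates"
  when: sshd_host_key is defined and sshd_host_cert is defined
  file:
    path: "{{ item.path }}"
    state: absent
  # default([]) keeps the loop valid if the find task was skipped.
  loop: "{{ sshd_obsolete_host_key_files.files | default([]) }}"
  loop_control:
    label: "{{ item.path }}"
  notify: sshd_restart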
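- name: "Configure SSH server port"
  when: sshd_port is defined
  copy:
    # The value is coerced with "| int" before being rendered into the
    # config fragment. A free-form string here could carry a newline and
    # append arbitrary sshd directives (e.g. PermitRootLogin yes); after
    # the filter only a number reaches the file, and a non-numeric value
    # degrades to "Port 0", which sshd rejects at restart instead of
    # silently applying injected settings.
    content: |
      Port {{ sshd_port | int }}
    dest: /etc/ssh/sshd_config.d/port.conf
    owner: root
    group: root
    mode: "0644"
  notify: sshd_restart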
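- name: "Configure user CA for SSH server"
  when: sshd_user_ca_pub is defined
  copy:
    content: |
      {{ sshd_user_ca_pub }}
    dest: /etc/ssh/user_ca_pubs
    # This file defines which CA may sign user certificates that sshd
    # accepts for login; anyone who can write it can mint valid logins, so
    # ownership and mode are pinned to root-writable only rather than
    # left to the umask.
    owner: root
    group: root
    mode: "0644"
  notify: sshd_restart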
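- name: "Configure SSH server to accept user CA"
  when: sshd_user_ca_pub is defined
  copy:
    # Points sshd at the CA public key file written by the task above.
    # TrustedUserCAKeys alone accepts any certificate the CA signed with a
    # principal matching the login name; principal restrictions, if wanted,
    # are a separate AuthorizedPrincipalsFile concern not covered here.
    content: |
      TrustedUserCAKeys /etc/ssh/user_ca_pubs
    dest: /etc/ssh/sshd_config.d/user_ca.conf
    owner: root
    group: root
    mode: "0644"
  notify: sshd_restart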