From 360011c903bcfa89c35bee1d8d0ec4b98b029ed8 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Fri, 8 Apr 2022 17:39:59 +0300
Subject: feat: if desired, configure host's sshd to accept a CA for users

Sponsored-by: author
---
 std.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/std.yml b/std.yml
index 0814f95..a35e87d 100644
--- a/std.yml
+++ b/std.yml
@@ -16,6 +16,7 @@
 passwd -l root

 - name: "create ~root/.ssh"
+ when: user_pub is defined
 file:
 state: directory
 path: /root/.ssh
@@ -24,6 +25,7 @@
 mode: 0700

 - name: "set ~root/.ssh/authorized keys"
+ when: user_pub is defined
 copy:
 content: |
 {{ user_pub }}
@@ -32,6 +34,19 @@
 group: root
 mode: 0600

+ - name: "install user CA public key"
+ when: user_ca_pubkey is defined
+ copy:
+ content: |
+ {{ user_ca_pubkey }}
+ dest: /etc/ssh/user_ca_keys
+
+ - name: "configure sshd to accept CA for users"
+ when: user_ca_pubkey is defined
+ copy:
+ content: TrustedUserCAKeys /etc/ssh/user_ca_keys
+ dest: /etc/ssh/sshd_config.d/userca.conf
+
 - name: "configure keyboard layout"
 copy:
 content: |
--
cgit v1.2.1
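Review bot: A run that sets neither `user_pub` nor `user_ca_pubkey` now skips both root-key tasks (the `when: user_pub is defined` lines in the hunks at -16,6 and -24,6) while the root password is still locked by `passwd -l root` in the context above, so the host may be left with no way to log in as root. Whether another login path exists is not visible from these hunks. Consider a guard task ahead of them, for example a `fail:` with `when: user_pub is not defined and user_ca_pubkey is not defined`, or a comment above the tasks stating that at least one of the two variables must be set. The enclosing task list starts and ends outside the hunks.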
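Review bot: Neither new `copy` task in the hunk at -32,6 sets `owner`, `group` or `mode`, unlike the authorized_keys task just above it, so the permissions of `/etc/ssh/user_ca_keys` and `/etc/ssh/sshd_config.d/userca.conf` depend on the umask of the run. The CA file is a trust anchor for every account sshd serves, so write access to it should be pinned explicitly with `owner: root`, `group: root`, `mode: "0644"` on both tasks. The drop-in only takes effect if the main sshd_config includes `/etc/ssh/sshd_config.d/*.conf` and sshd is reloaded afterwards; neither is visible here, so both are worth confirming. A short comment on the second task noting that no `AuthorizedPrincipalsFile` is configured, so a certificate is accepted for an account when it lists that account name as a principal, would make the trust scope clear to readers.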