Merge pull request #454 from stackhpc/waldur-sshd-auto-config

sd109 · web-flow · commit b39e8347f223 · 2024-10-17T16:43:19.000+01:00
Ansible playbook to configure sshd for Conch CA certs.
diff --git a/ansible/ca-cert.yml b/ansible/ca-cert.yml
@@ -0,0 +1,27 @@
+# An ansible playbook to configure the SSHD configuration to enable CA cert auth for SSH.
+# Remember to export CI_CLOUD if it isn't part of your environment's variables.
+
+# NOTE: Change the src for the `ssh_signing_key.pub` to be your corresponding directory.
+
+- hosts: login
+  gather_facts: true
+  become: true
+  tasks:
+    - name: Copy ssh public key
+      ansible.builtin.copy:
+        src: /var/lib/rocky/conch/ssh_signing_key.pub
+        dest: /etc/ssh/ca_user_key.pub
+        owner: root
+        group: root
+        mode: '0644'
+        remote_src: true
+
+    - name: Ensure CA Certs are accepted
+      ansible.builtin.lineinfile:
+        line: 'TrustedUserCAKeys /etc/ssh/ca_user_key.pub'
+        dest: /etc/ssh/sshd_config
+
+    - name: Restart SSH service
+      ansible.builtin.systemd:
+        name: sshd
+        state: restarted
