From 662daa9037f9489d5384efde0de4061ed8350666 Mon Sep 17 00:00:00 2001
From: MaxBed4d
Date: Tue, 15 Oct 2024 15:00:37 +0000
Subject: [PATCH] Ansible playbook to configure sshd for Conch CA certs.

---
 ansible/ca-cert.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 ansible/ca-cert.yml

diff --git a/ansible/ca-cert.yml b/ansible/ca-cert.yml
new file mode 100644
index 000000000..f974e13b1
--- /dev/null
+++ b/ansible/ca-cert.yml
@@ -0,0 +1,27 @@
+# An ansible playbook to configure the SSHD configuration to enable CA cert auth for SSH.
+# Remember to export CI_CLOUD if it isn't part of your environment's variables.
+
+# NOTE: Change the src for the `ssh_signing_key.pub` to be your corresponding directory.
+
+- hosts: login
+  gather_facts: true
+  become: true
+  tasks:
+    - name: Copy ssh public key
+      ansible.builtin.copy:
+        src: /var/lib/rocky/conch/ssh_signing_key.pub
+        dest: /etc/ssh/ca_user_key.pub
+        owner: root
+        group: root
+        mode: '0644'
+        remote_src: true
+
+    - name: Ensure CA Certs are accepted
+      ansible.builtin.lineinfile:
+        line: 'TrustedUserCAKeys /etc/ssh/ca_user_key.pub'
+        dest: /etc/ssh/sshd_config
+
+    - name: Restart SSH service
+      ansible.builtin.systemd:
+        name: sshd
+        state: restarted
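Review bot: The "Ensure CA Certs are accepted" task in the hunk uses lineinfile with only `line:` and no `regexp:`, so on a host that already carries a `TrustedUserCAKeys` directive (or after the path in this playbook is edited and the play re-run) a second directive is appended; sshd honours the first occurrence of a keyword, so the new CA key would be silently ignored while the play reports success. Add `regexp: '^#?TrustedUserCAKeys '` so an existing directive is replaced rather than duplicated, and `validate: '/usr/sbin/sshd -t -f %s'` so a malformed sshd_config is rejected before the unconditional restart in the last task can lock everyone out of the login hosts. The `dest:` key on that task is a legacy alias; `path:` is the documented parameter and matches the copy task's intent. Consider also moving "Restart SSH service" into a handler triggered by `notify:` from the two preceding tasks, so sshd is only restarted when something actually changed.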