From 2a7a5d58ca03d58d3d2919737493391165ff14ac Mon Sep 17 00:00:00 2001 From: Mira Kuntz Date: Tue, 13 Jan 2026 15:28:46 +0100 Subject: [PATCH 01/14] add sshd config to ssh resign --- group_vars/all/ssh-keys.yml | 2 ++ roles/ssh-host-resign/tasks/main.yml | 12 +++++++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/group_vars/all/ssh-keys.yml b/group_vars/all/ssh-keys.yml index b90b3d9a8..59b929baf 100644 --- a/group_vars/all/ssh-keys.yml +++ b/group_vars/all/ssh-keys.yml @@ -1 +1,3 @@ ssh_manager_authorized_persons: "{{ ssh_manager_authorized_persons_vault }}" + +ssh_cert_domains_ips: "*.galaxyproject.eu,*.usegalaxy.eu,*.bi.privat,192.52.33.*,192.52.32.*,10.4.68.*,10.5.68.*,10.5.67.*" diff --git a/roles/ssh-host-resign/tasks/main.yml b/roles/ssh-host-resign/tasks/main.yml index a37721bf1..2e49060a8 100644 --- a/roles/ssh-host-resign/tasks/main.yml +++ b/roles/ssh-host-resign/tasks/main.yml @@ -22,6 +22,16 @@ - /etc/ssh/ssh_host_ed25519_key-cert.pub notify: "restart sshd" +- name: Add keys to SSHD Config + ansible.builtin.lineinfile: + line: "{{ item }}" + path: /etc/ssh/sshd_config + with_items: + - HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub + - HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub + - HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub + notify: "restart sshd" + - name: Ensure server key is gone file: path: /tmp/server_ca @@ -29,4 +39,4 @@ - name: "Helper" debug: - msg: "Please add the following to your known_hosts file: @cert-authority {{ lookup('file', 'server_ca.pub') }}" + msg: "Please add the following to your known_hosts file: @cert-authority {{ ssh_cert_domains_ips }} {{ lookup('file', 'server_ca.pub') }}" From db48e8660aa015fc72ad16d9f756fe8746658c87 Mon Sep 17 00:00:00 2001 
From: Mira Kuntz Date: Tue, 13 Jan 2026 16:58:01 +0100 Subject: [PATCH 02/14] add ssh resign handler, rename var --- group_vars/all/ssh-keys.yml | 2 +- roles/ssh-host-resign/handlers/main.yml | 5 +++++ roles/ssh-host-resign/tasks/main.yml | 20 +++++++------------- 3 files changed, 13 insertions(+), 14 deletions(-) create mode 100644 roles/ssh-host-resign/handlers/main.yml diff --git a/group_vars/all/ssh-keys.yml b/group_vars/all/ssh-keys.yml index 59b929baf..e77989bd1 100644 --- a/group_vars/all/ssh-keys.yml +++ b/group_vars/all/ssh-keys.yml @@ -1,3 +1,3 @@ ssh_manager_authorized_persons: "{{ ssh_manager_authorized_persons_vault }}" -ssh_cert_domains_ips: "*.galaxyproject.eu,*.usegalaxy.eu,*.bi.privat,192.52.33.*,192.52.32.*,10.4.68.*,10.5.68.*,10.5.67.*" +ssh_host_resign_cert_domains_ips: "*.galaxyproject.eu,*.usegalaxy.eu,*.bi.privat,192.52.33.*,192.52.32.*,10.4.68.*,10.5.68.*,10.5.67.*" diff --git a/roles/ssh-host-resign/handlers/main.yml b/roles/ssh-host-resign/handlers/main.yml new file mode 100644 index 000000000..90a59e0a4 --- /dev/null +++ b/roles/ssh-host-resign/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart sshd + ansible.builtin.systemd: + service: sshd + state: reloaded diff --git a/roles/ssh-host-resign/tasks/main.yml b/roles/ssh-host-resign/tasks/main.yml index 2e49060a8..e1f78ba25 100644 --- a/roles/ssh-host-resign/tasks/main.yml +++ b/roles/ssh-host-resign/tasks/main.yml @@ -13,14 +13,13 @@ - rsa - ecdsa - ed25519 + # This ensures the server_ca will be removed in any case + ignore_errors: true -# Requires dev-sec.ssh-hardening + patches -- set_fact: - ssh_host_key_cert_files: - - /etc/ssh/ssh_host_rsa_key-cert.pub - - /etc/ssh/ssh_host_ecdsa_key-cert.pub - - /etc/ssh/ssh_host_ed25519_key-cert.pub - notify: "restart sshd" +- name: Ensure server key is gone + file: + path: /tmp/server_ca + state: absent - name: Add keys to SSHD Config ansible.builtin.lineinfile: 
@@ -32,11 +31,6 @@ - HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub notify: "restart sshd" -- name: Ensure server key is gone - file: - path: /tmp/server_ca - state: absent - - name: "Helper" debug: - msg: "Please add the following to your known_hosts file: @cert-authority {{ ssh_cert_domains_ips }} {{ lookup('file', 'server_ca.pub') }}" + msg: "Please add the following to your known_hosts file: @cert-authority {{ ssh_host_resign_cert_domains_ips }} {{ lookup('file', 'server_ca.pub') }}" From 7ce07db17971ff1932c31d9995293e6575d6d8eb Mon Sep 17 00:00:00 2001 From: Mira Kuntz Date: Wed, 14 Jan 2026 13:18:17 +0100 Subject: [PATCH 03/14] add idempotence to role merge sign and resign --- roles/ssh-host-resign/files/server_ca | 89 ----------------------- roles/ssh-host-resign/files/server_ca.pub | 1 - roles/ssh-host-resign/handlers/main.yml | 5 -- roles/ssh-host-resign/tasks/main.yml | 36 --------- roles/ssh-host-sign/tasks/main.yml | 42 ++++------- roles/ssh-host-sign/tasks/sign.yml | 47 ++++++++++++ 6 files changed, 61 insertions(+), 159 deletions(-) delete mode 100644 roles/ssh-host-resign/files/server_ca delete mode 100644 roles/ssh-host-resign/files/server_ca.pub delete mode 100644 roles/ssh-host-resign/handlers/main.yml delete mode 100644 roles/ssh-host-resign/tasks/main.yml create mode 100644 roles/ssh-host-sign/tasks/sign.yml diff --git a/roles/ssh-host-resign/files/server_ca b/roles/ssh-host-resign/files/server_ca deleted file mode 100644 index b765389d7..000000000 --- a/roles/ssh-host-resign/files/server_ca +++ /dev/null 
@@ -1,89 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -35623839633831636162636331376561353430653030373638656231386430653237383632616132 -3130353037313362666566653963653133653430613635350a633665393632613365663264353635 -63643337666264366164396238643164326461626331316134626130323630376132646335363266 -3234363236393633330a633164643363666435346330306466366230636133636438616634343639 -32373535653265633966373930323732323162313565386332383338303132666339343630376663 -38383339653238373632313838613332643331303031356263636534316636393335643766323266 -30623535633666633439646563356562633764643464313964316536613065343235643832393437 -66646532333939356130663136663231343337326434316232323865343136373266373665623633 -65646166323232623733353734333665396533303839326461623761313333613837656261353464 -39663732326461333162643763323161366133663130616236363766633234313861353933613736 -30323962666166363161363462653939313861643231316534326163333738326561646436396263 -38626239363764623766353434373733313862646131363230653337326234346466363830343836 -30306332336337346562386262393263353064393161393464373263373736393863376339366263 -32616131656661623836643034373931303465373961356431386464646638646362353065323934 -63313635396564356437353838383265333737346234383261663533626233626230333564656336 -36313031636533623663653135383334653136646133396536663337636332336532326538646563 -64336136646436376334393865303935663433393237323939323639343861643033323934643835 -63653530393134323933356166653065393939666533383463663235643535353262626434316439 -38376133393338343437383136393038643937323639613531663631613262343032363732346263 -61383837666331626266326335646564353262393933323731643933366232643836646431663364 -35323166383564666634336535326531353137663633323561623333373234373934656333383733 -35313236363363396639386639316338356334343137333731376233356230636461353838363238 -39363961663233633836363834313663663732383435663434376634636437656431613430343430 
-36653239633662356534313166323835633531613364653432306338613933313038646236323038 -34366535366530343163373638623666356163393864366662666439666134333738636132653235 -35313430343537343764643061353861633465636430643361323563303733633130393763303461 -37343761653864333835313635356237656431646230393439393566623631386166363437326339 -38383061346634643839346339663864663531336263623039613365343439383163636230366266 -61316232393164366563363138333338393463653234363535373836363235306230636331663537 -32326634383863316538303561346665626437393336323537383630373434356239336161363430 -65376561656532663534626631383162313031376537626237666665336561626564643335346165 -39613861383966356162643562643039323334313632653061316566333637646461633834623037 -34663330366536343538363862616161303835343365643935653037386230313663393261363237 -36353631303232303863343839613933373264313933326462333037613735646239373731333431 -36633464333730396635333635666337656635666538356263653036383637303266316563363434 -30306437643032303064323961393164616635313862306264666362336666306636313236373365 -64623364613630373938653535326136653831656138656165373461353734396661316239643838 -39363364366662396364353531316366396333343465653237306664306362383465326366316630 -38366333616263366632633663353466656562353030633064373933636633633138613333323761 -36373261666465643538366632326463626339663433386433343261646462616433656565643431 -32373165313434633365376661376561626339663863383332333332343566613466333766303366 -65613939323933646335623636356534636666346261313532616663366162356164373630373564 -37386133646439643463366339633066626165376436393164646431663231393062396631313966 -64643063613138326361333037323133323563356361326439666361646630643931643964646466 -36303338383033623638383330363164356161646566643834633566316261323330383562333762 -65333833393638353436626365663637663938643465323038336237633563306631666264396635 -37333937613133346130363064383330356638623034356532393733393361653961366662313134 
-63653035386633386432313033363732303730326634366366333938656339613361656333303934 -34306530346463306361303436643435633636313263626139393361376362303939613134646263 -65626139626637383664663065333564336136363766623036323233336166666631373962316638 -34613363316238613336356639393031353537353863303438376530633539653162623165326235 -31363933336537626563306133383566666533383262363163343035636634366237663035373062 -63323934396132343031656431343039393036366662623164343033383663323236306133623437 -34373063386236343434306230396561373838313139303933633332636565646365393461313839 -32333261626637306362303665373638333663643037313535326239373665663166373636323139 -37356530303039363265353533306237396664343532653765636562616634656461623237336638 -66323036663962376334623533366463396338353532633337356666626634333732316639333438 -65356532396462353734326439373335646235333666333365346661353834626563626436663436 -65643634383837643930643961363032356336626535666465613934326230333832393564356565 -34636530346432613165616464336337643637343330626335636265616265646238623332343330 -37353063313537613866373565386564353162393463396166613636393537393461653838323039 -61653966656434623037306666626666363938333133373337313939373765303531346566356535 -34666331323038646562306439613266646231353836353832333536396165303563643931346237 -63616435316566343736633864353038376531366164663762616137663264383031373039616534 -64656233366563393561663438383736636330333465653163343564643565336436653964306665 -32303465316461303063316463383335376532373062313931343539353064613139366336616663 -61343064643336646237393839646164386364366564323237323338356234636363643362663266 -62353533323562633332316437373030663966356562323466666563303731636666626537386263 -34356363663136656636623565373336336339616535343532626166656238333666303439343537 -34643838316562666437643366623539633462653939333938363538386264653934326363643661 -65333363626331316266356266663237306536376564383134376265613135346238646361366331 
-66356465316138303834386432386363333961653765303665386533343164633663306664363634 -63633264376563393566653766383966313065636134383037356134316365313261373930303366 -34353461616433336530646165353065376330306235333037633230653136653663653032323531 -35343866383635306539643834333563633866633633613666653533626166653932333934323961 -30376333323866376131323934336162306133373035326562643361616161316663353966363365 -38653531316165653137663734316662313062306637303761653961353938323863366639386565 -64666661383462323435336231366639313236636237353033353134616336313865633932643961 -38316666653832636663343233386662376431383438303566366434653964323138656336396664 -62643065346538326138396631393935613238646136626436666530363838666633343839613737 -62643537303963303134393961373932336265373866333961303532363665353366373162323633 -66643430386263363630653064346339623539343565353937666330326231326564653135656461 -35366266353531643739646261306135343264663564333062366138653737316436633236326535 -34333362666337373831353538313363366462326366623864323738623731366338383733626433 -62636637353835643438363562613033313264323463656262616163366133613136616434363139 -38646132366366313064623564626265386265316365636539653532383866643537393561323431 -62616163663338306265326465356262323431323964616661386233363937386132633538343832 -30326637313637336365 diff --git a/roles/ssh-host-resign/files/server_ca.pub b/roles/ssh-host-resign/files/server_ca.pub deleted file mode 100644 index fb30aa98f..000000000 --- a/roles/ssh-host-resign/files/server_ca.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLQD6fG38uwFj91GSe6YnRnBuTjXWZN6Pck1JRCTWtufwKV0SZNczD+qUdnFfZrCx/wBVK8R6zL2VWS9hcFK1LuE8HK86f8qG/gcB6yFt/0I/PWoSjcbUMPQTzFIy8yxvdIoPTlj/P6+uNgweTvMFI4+UOuCI71IhB/liTHn1/2dXQM94SFd4VQeg+3Tc6gDxEqRSS6dLIq0uvR8//luIpoW38yh2ozwHmjMKTvHnbduGqHlES4qz9cU9iZkWoPzSp+qoxCOijHvwzL5vD0/k4hZ/iJyTzDHQLDra3Kaa8ykWdERCxjpMp1y9dVQ23lVxp+UUAt3RHOCU1/KuNM9Pr hxr@mk 
diff --git a/roles/ssh-host-resign/handlers/main.yml b/roles/ssh-host-resign/handlers/main.yml deleted file mode 100644 index 90a59e0a4..000000000 --- a/roles/ssh-host-resign/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: restart sshd - ansible.builtin.systemd: - service: sshd - state: reloaded diff --git a/roles/ssh-host-resign/tasks/main.yml b/roles/ssh-host-resign/tasks/main.yml deleted file mode 100644 index e1f78ba25..000000000 --- a/roles/ssh-host-resign/tasks/main.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- -- name: Copy server key into VM temporarily - copy: - src: server_ca - dest: /tmp/server_ca - owner: root - group: root - mode: 0600 - -- name: Sign Keys - command: ssh-keygen -s /tmp/server_ca -I key_for_test1 -h -V +520w /etc/ssh/ssh_host_{{ item }}_key.pub - with_items: - - rsa - - ecdsa - - ed25519 - # This ensures the server_ca will be removed in any case - ignore_errors: true - -- name: Ensure server key is gone - file: - path: /tmp/server_ca - state: absent - -- name: Add keys to SSHD Config - ansible.builtin.lineinfile: - line: "{{ item }}" - path: /etc/ssh/sshd_config - with_items: - - HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub - - HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub - - HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub - notify: "restart sshd" - -- name: "Helper" - debug: - msg: "Please add the following to your known_hosts file: @cert-authority {{ ssh_host_resign_cert_domains_ips }} {{ lookup('file', 'server_ca.pub') }}" diff --git a/roles/ssh-host-sign/tasks/main.yml b/roles/ssh-host-sign/tasks/main.yml index df60c7c9f..49365678a 100644 --- a/roles/ssh-host-sign/tasks/main.yml +++ b/roles/ssh-host-sign/tasks/main.yml 
@@ -1,23 +1,16 @@ --- -- stat: path=/etc/ssh/ssh_host_rsa_key-cert.pub - register: st - -- name: Copy server key into VM temporarily - copy: - src: server_ca - dest: /tmp/server_ca - owner: root - group: root - mode: 0600 - when: not st.stat.exists - -- name: Sign Keys - command: ssh-keygen -s /tmp/server_ca -I key_for_test1 -h -V +520w /etc/ssh/ssh_host_{{ item }}_key.pub +- name: Sign host keys if missing or expired + ansible.builtin.include_tasks: + file: sign.yml with_items: - rsa - ecdsa - ed25519 - when: not st.stat.exists + +- name: Ensure server key is gone + file: + path: /tmp/server_ca + state: absent # Requires dev-sec.ssh-hardening - set_fact: @@ -27,19 +20,12 @@ - "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub" notify: "restart sshd" -- name: Ensure server key is gone - file: - path: /tmp/server_ca - state: absent - when: not st.stat.exists - - name: Another way to call known_hosts - known_hosts: - name: "CA" - key: "@cert-authority * {{ lookup('file', 'server_ca.pub') }}" + ansible.builtin.lineinfile: + line: "@cert-authority {{ ssh_host_resign_cert_domains_ips }} {{ lookup('file', 'server_ca.pub') }}" path: /etc/ssh/ssh_known_hosts - state: present + create: true -# - name: "Helper" -# debug: -# msg: "Please add the following to your known_hosts file: @cert-authority {{ lookup('file', 'server_ca.pub') }}" +- name: "Helper" + debug: + msg: "Please add the following to your known_hosts file: @cert-authority {{ ssh_host_resign_cert_domains_ips }} {{ lookup('file', 'server_ca.pub') }}" diff --git a/roles/ssh-host-sign/tasks/sign.yml b/roles/ssh-host-sign/tasks/sign.yml new file mode 100644 index 000000000..8c9358215 --- /dev/null +++ b/roles/ssh-host-sign/tasks/sign.yml 
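Review bot: The `@cert-authority` task in the second hunk adds its line to `/etc/ssh/ssh_known_hosts` keyed only on the exact text, so when the CA key or `ssh_host_resign_cert_domains_ips` changes a second `@cert-authority` line is appended and the previous CA keeps being trusted by every host. Anchoring the edit with `regexp: '^@cert-authority '` replaces the existing entry instead, which is what makes a CA rotation actually take effect. Since the task now has `create: true`, a `mode: "0644"` line would also pin the new file's permissions rather than leaving them to the remote umask.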
@@ -0,0 +1,47 @@ +- name: Check if cert files exist + ansible.builtin.stat: + path: "/etc/ssh/ssh_host_{{item}}_key-cert.pub" + register: "st" + +- set_fact: + outdated_certs: 0 +- name: Sign keys if outdated + when: st.stat.exists + block: + - ansible.builtin.command: + cmd: "ssh-keygen -L -f /etc/ssh/ssh_host_{{ item }}_key-cert.pub" + register: cert_info + - name: Parse expiration date + set_fact: + # Extracts "2036-01-02T12:22:54" + expiry_string: "{{ cert_info | regex_search('to\\s(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2})', '\\1') | first | regex_replace('T', '\ ') }}" + - debug: + var: "{{ expiry_string }}" + + - name: Convert dates for comparison + set_fact: + expiry_date: "{{ (expiry_string | to_datetime) }}" + + - name: Determine if certificate will expire in less than a month + ansible.builtin.set_fact: + is_outdated: "{{ ((expiry_string | to_datetime) - now()).days < 30 }}" + +- name: Sign keys if outdated + when: (not st.stat.exists) or is_outdated + block: + - name: Copy server key into VM temporarily + copy: + src: server_ca + dest: /tmp/server_ca + owner: root + group: root + mode: 0600 + + - name: Sign Keys + command: ssh-keygen -s /tmp/server_ca -I key_for_test1 -h -V +520w /etc/ssh/ssh_host_{{ item }}_key.pub + ignore_errors: true + rescue: + - name: Ensure server key is gone + file: + path: /tmp/server_ca + state: absent From 47da3e3424920d7737cf96e0841880e0eebe3b87 Mon Sep 17 00:00:00 2001 From: Mira Kuntz Date: Wed, 14 Jan 2026 13:19:10 +0100 Subject: [PATCH 04/14] add ssh-host-sign to all playbook --- all.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/all.yml b/all.yml index c4b246d57..88436608d 100644 --- a/all.yml +++ b/all.yml @@ -4,3 +4,5 @@ gather_facts: false roles: - role: usegalaxy_eu.ssh_manager + - ssh-host-sign + - dev-sec.ssh-hardening From 93393b04a9475cea4feef0bb07f31cec0c45900c Mon Sep 17 00:00:00 2001 
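Review bot: The `Sign Keys` command `ssh-keygen -s /tmp/server_ca -I key_for_test1 -h -V +520w ...` passes no `-n` principals, so each host certificate is accepted by clients for any hostname covered by their `@cert-authority` pattern, not only for the host it was issued to. Signing with `-n {{ inventory_hostname }}` (plus the aliases and addresses clients actually connect with) and `-I {{ inventory_hostname }}` in place of the fixed `key_for_test1` scopes each certificate to its host and makes `ssh-keygen -L` output attributable. Copying the vaulted CA private key to `/tmp/server_ca` on every managed host also puts it on disk outside the controller; signing on the controller via `delegate_to: localhost` and copying only the resulting `*-cert.pub` to the host would keep the key where it already lives. Two smaller defects in the same file: `debug: var: "{{ expiry_string }}"` treats the expiry text as a variable name and should be `var: expiry_string`, and `regex_search` is applied to the whole `cert_info` result rather than `cert_info.stdout`, which presumably only matches because the registered dict is stringified first.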
From: =?UTF-8?q?Jos=C3=A9=20Manuel=20Dom=C3=ADnguez?= Date: Thu, 15 Jan 2026 17:35:07 +0100 Subject: [PATCH 05/14] Gather facts and become root before running `dev-sec.ssh-hardening` in all.yml --- all.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/all.yml b/all.yml index 88436608d..a303a5a9c 100644 --- a/all.yml +++ b/all.yml @@ -1,8 +1,9 @@ --- - name: Manage authorized SSH keys hosts: all - gather_facts: false + gather_facts: true roles: - role: usegalaxy_eu.ssh_manager - ssh-host-sign - - dev-sec.ssh-hardening + - role: dev-sec.ssh-hardening + become: true From 84b5ba4f1af9f503afa93015ef3e4ce43d438cd7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Manuel=20Dom=C3=ADnguez?= Date: Thu, 15 Jan 2026 17:36:05 +0100 Subject: [PATCH 06/14] Set `ssh_server_ports: ["8080"]` for apps.galaxyproject.eu This is the server's actual configuration. --- host_vars/apps.galaxyproject.eu.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 host_vars/apps.galaxyproject.eu.yml diff --git a/host_vars/apps.galaxyproject.eu.yml b/host_vars/apps.galaxyproject.eu.yml new file mode 100644 index 000000000..1d273bb5a --- /dev/null +++ b/host_vars/apps.galaxyproject.eu.yml @@ -0,0 +1 @@ +ssh_server_ports: ["8080"] From 0a5103b5a20fdd3991346f6605b395403941af2a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Manuel=20Dom=C3=ADnguez?= <43052541+kysrpex@users.noreply.github.com> Date: Mon, 19 Jan 2026 14:01:57 +0100 Subject: [PATCH 07/14] Apply suggestions from code review --- all.yml | 2 +- group_vars/all/ssh-keys.yml | 2 +- roles/ssh-host-sign/tasks/main.yml | 10 +++------- roles/ssh-host-sign/tasks/sign.yml | 6 +++--- 4 files changed, 8 insertions(+), 12 deletions(-) diff --git a/all.yml b/all.yml index a303a5a9c..131728c86 100644 --- a/all.yml +++ b/all.yml @@ -1,5 +1,5 @@ --- -- name: Manage authorized SSH keys +- name: Configure SSH service and manage authorized keys hosts: all gather_facts: true roles: 
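Review bot: `become: true` is attached only to the `dev-sec.ssh-hardening` entry, while `ssh-host-sign` listed just above it writes `/tmp/server_ca` as root with mode 0600, runs `ssh-keygen -s` against `/etc/ssh/ssh_host_*_key.pub` and edits `/etc/ssh/ssh_known_hosts`; unless the inventory connects as root those tasks need the same escalation. Setting `become: true` at the play level, or on `ssh-host-sign` as `- role: ssh-host-sign` / `become: true`, keeps the two roles consistent.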
diff --git a/group_vars/all/ssh-keys.yml b/group_vars/all/ssh-keys.yml index e77989bd1..020a7c7b7 100644 --- a/group_vars/all/ssh-keys.yml +++ b/group_vars/all/ssh-keys.yml @@ -1,3 +1,3 @@ ssh_manager_authorized_persons: "{{ ssh_manager_authorized_persons_vault }}" -ssh_host_resign_cert_domains_ips: "*.galaxyproject.eu,*.usegalaxy.eu,*.bi.privat,192.52.33.*,192.52.32.*,10.4.68.*,10.5.68.*,10.5.67.*" +ssh_host_sign_cert_domains_ips: "*.galaxyproject.eu,*.usegalaxy.eu,*.bi.privat,192.52.33.*,192.52.32.*,10.4.68.*,10.5.68.*,10.5.67.*" diff --git a/roles/ssh-host-sign/tasks/main.yml b/roles/ssh-host-sign/tasks/main.yml index 49365678a..c47512d6c 100644 --- a/roles/ssh-host-sign/tasks/main.yml +++ b/roles/ssh-host-sign/tasks/main.yml @@ -6,11 +6,6 @@ - rsa - ecdsa - ed25519 - -- name: Ensure server key is gone - file: - path: /tmp/server_ca - state: absent # Requires dev-sec.ssh-hardening - set_fact: @@ -22,10 +17,11 @@ - name: Another way to call known_hosts ansible.builtin.lineinfile: - line: "@cert-authority {{ ssh_host_resign_cert_domains_ips }} {{ lookup('file', 'server_ca.pub') }}" + line: "@cert-authority {{ ssh_host_sign_cert_domains_ips }} {{ lookup('file', 'server_ca.pub') }}" path: /etc/ssh/ssh_known_hosts + state: present create: true - name: "Helper" debug: - msg: "Please add the following to your known_hosts file: @cert-authority {{ ssh_host_resign_cert_domains_ips }} {{ lookup('file', 'server_ca.pub') }}" + msg: "Please add the following to your known_hosts file: @cert-authority {{ ssh_host_sign_cert_domains_ips }} {{ lookup('file', 'server_ca.pub') }}" diff --git a/roles/ssh-host-sign/tasks/sign.yml b/roles/ssh-host-sign/tasks/sign.yml index 8c9358215..2b7f4cd0e 100644 --- a/roles/ssh-host-sign/tasks/sign.yml +++ b/roles/ssh-host-sign/tasks/sign.yml @@ -4,8 +4,8 @@ register: "st" - set_fact: - outdated_certs: 0 -- name: Sign keys if outdated + is_outdated: 0 +- name: Determine if keys are outdated when: st.stat.exists block: - ansible.builtin.command: 
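Review bot: `is_outdated: 0` initialises a flag that the later `set_fact` assigns a boolean and that `when: (not st.stat.exists) or is_outdated` tests for truthiness; `is_outdated: false` states the intent and avoids holding an int and a bool in the same variable. The `- ansible.builtin.command:` task that opens the block at the end of this hunk is still unnamed; a `name: Read certificate validity` line would make the play output readable. The rest of the block lies outside the hunk.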
@@ -40,7 +40,7 @@ - name: Sign Keys command: ssh-keygen -s /tmp/server_ca -I key_for_test1 -h -V +520w /etc/ssh/ssh_host_{{ item }}_key.pub ignore_errors: true - rescue: + always: - name: Ensure server key is gone file: path: /tmp/server_ca From 25bc52c5ec38e1080e67d38f0d099aeed022ac9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Manuel=20Dom=C3=ADnguez?= Date: Mon, 19 Jan 2026 14:35:15 +0100 Subject: [PATCH 08/14] Read keys to sign and certificates to output from mapping `ssh_host_sign_keys` --- group_vars/all/ssh-host-sign.yml | 11 +++++++++++ group_vars/all/ssh-keys.yml | 2 -- roles/ssh-host-sign/tasks/main.yml | 19 ++++++------------- roles/ssh-host-sign/tasks/sign.yml | 11 +++++++---- 4 files changed, 24 insertions(+), 19 deletions(-) create mode 100644 group_vars/all/ssh-host-sign.yml diff --git a/group_vars/all/ssh-host-sign.yml b/group_vars/all/ssh-host-sign.yml new file mode 100644 index 000000000..73c134eda --- /dev/null +++ b/group_vars/all/ssh-host-sign.yml @@ -0,0 +1,11 @@ +ssh_host_sign_keys: + - key: /etc/ssh/ssh_host_rsa_key.pub + certificate: /etc/ssh/ssh_host_rsa_key-cert.pub + + - key: /etc/ssh/ssh_host_ecdsa_key.pub + certificate: /etc/ssh/ssh_host_ecdsa_key-cert.pub + + - key: /etc/ssh/ssh_host_ed25519_key.pub + certificate: /etc/ssh/ssh_host_ed25519_key-cert.pub + +ssh_host_sign_cert_domains_ips: "*.galaxyproject.eu,*.usegalaxy.eu,*.bi.privat,192.52.33.*,192.52.32.*,10.4.68.*,10.5.68.*,10.5.67.*" diff --git a/group_vars/all/ssh-keys.yml b/group_vars/all/ssh-keys.yml index 020a7c7b7..b90b3d9a8 100644 --- a/group_vars/all/ssh-keys.yml +++ b/group_vars/all/ssh-keys.yml @@ -1,3 +1 @@ ssh_manager_authorized_persons: "{{ ssh_manager_authorized_persons_vault }}" - -ssh_host_sign_cert_domains_ips: "*.galaxyproject.eu,*.usegalaxy.eu,*.bi.privat,192.52.33.*,192.52.32.*,10.4.68.*,10.5.68.*,10.5.67.*" diff --git a/roles/ssh-host-sign/tasks/main.yml b/roles/ssh-host-sign/tasks/main.yml index c47512d6c..27197df54 100644 
--- a/roles/ssh-host-sign/tasks/main.yml +++ b/roles/ssh-host-sign/tasks/main.yml @@ -2,26 +2,19 @@ - name: Sign host keys if missing or expired ansible.builtin.include_tasks: file: sign.yml - with_items: - - rsa - - ecdsa - - ed25519 + with_items: "{{ ssh_host_sign_keys }}" # Requires dev-sec.ssh-hardening - set_fact: - sshd_custom_options: - - "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub" - - "HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub" - - "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub" + sshd_custom_options: >- + {{ + ssh_host_sign | map(attribute="certificate") | map('regex_replace', '^(.*)$', 'HostCertificate \\1') | list + }} notify: "restart sshd" -- name: Another way to call known_hosts +- name: Add CA certificate to known_hosts file ansible.builtin.lineinfile: line: "@cert-authority {{ ssh_host_sign_cert_domains_ips }} {{ lookup('file', 'server_ca.pub') }}" path: /etc/ssh/ssh_known_hosts state: present create: true - -- name: "Helper" - debug: - msg: "Please add the following to your known_hosts file: @cert-authority {{ ssh_host_sign_cert_domains_ips }} {{ lookup('file', 'server_ca.pub') }}" diff --git a/roles/ssh-host-sign/tasks/sign.yml b/roles/ssh-host-sign/tasks/sign.yml index 2b7f4cd0e..c20b64cd0 100644 --- a/roles/ssh-host-sign/tasks/sign.yml +++ b/roles/ssh-host-sign/tasks/sign.yml @@ -1,6 +1,6 @@ - name: Check if cert files exist ansible.builtin.stat: - path: "/etc/ssh/ssh_host_{{item}}_key-cert.pub" + path: "{{ item.certificate }}" register: "st" - set_fact: @@ -9,7 +9,7 @@ when: st.stat.exists block: - ansible.builtin.command: - cmd: "ssh-keygen -L -f /etc/ssh/ssh_host_{{ item }}_key-cert.pub" + cmd: "ssh-keygen -L -f {{ item.certificate }}" register: cert_info - name: Parse expiration date set_fact: 
@@ -38,10 +38,13 @@ mode: 0600 - name: Sign Keys - command: ssh-keygen -s /tmp/server_ca -I key_for_test1 -h -V +520w /etc/ssh/ssh_host_{{ item }}_key.pub - ignore_errors: true + command: "ssh-keygen -s /tmp/server_ca -I key_for_test1 -h -V +520w {{ item.key }}" always: - name: Ensure server key is gone file: path: /tmp/server_ca state: absent + +- name: "Helper" + ansible.builtin.debug: + msg: "Please add the following to your known_hosts file: @cert-authority {{ ssh_host_sign_cert_domains_ips }} {{ lookup('file', 'server_ca.pub') }}" From d78c759bd9ed1fa1a7a5e0d21e62b03b22602009 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Manuel=20Dom=C3=ADnguez?= Date: Mon, 19 Jan 2026 14:41:38 +0100 Subject: [PATCH 09/14] Do not set `sshd_custom_options` in `ssh-host-sign` role Let's leave that task to `dev-sec.ssh-hardening`. --- roles/ssh-host-sign/tasks/main.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/roles/ssh-host-sign/tasks/main.yml b/roles/ssh-host-sign/tasks/main.yml index 27197df54..68eb8a33a 100644 --- a/roles/ssh-host-sign/tasks/main.yml +++ b/roles/ssh-host-sign/tasks/main.yml @@ -4,14 +4,6 @@ file: sign.yml with_items: "{{ ssh_host_sign_keys }}" -# Requires dev-sec.ssh-hardening -- set_fact: - sshd_custom_options: >- - {{ - ssh_host_sign | map(attribute="certificate") | map('regex_replace', '^(.*)$', 'HostCertificate \\1') | list - }} - notify: "restart sshd" - - name: Add CA certificate to known_hosts file ansible.builtin.lineinfile: line: "@cert-authority {{ ssh_host_sign_cert_domains_ips }} {{ lookup('file', 'server_ca.pub') }}" From d684572430b75df11a2911d8a003ca6888ea5117 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Manuel=20Dom=C3=ADnguez?= Date: Mon, 19 Jan 2026 15:03:10 +0100 Subject: [PATCH 10/14] Gather SSH certificate info in check mode --- roles/ssh-host-sign/tasks/sign.yml | 2 ++ 1 file changed, 2 insertions(+) 
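Review bot: The rewritten `command: "ssh-keygen -s /tmp/server_ca -I key_for_test1 -h -V +520w {{ item.key }}"` still issues host certificates valid for ten years, so a certificate for a retired or compromised host stays trusted by every client with the `@cert-authority` entry until the CA itself is replaced. Because the role now re-signs automatically when fewer than 30 days remain (that check is earlier in this file, outside the hunk), a validity of a few months such as `-V +26w` bounds that window at no operational cost. The `Helper` debug task added at the bottom runs once per `ssh_host_sign_keys` item because this file is included in a loop from `main.yml`, printing the same CA line three times; it belongs in `main.yml` after the include.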
diff --git a/roles/ssh-host-sign/tasks/sign.yml b/roles/ssh-host-sign/tasks/sign.yml index c20b64cd0..19835b526 100644 --- a/roles/ssh-host-sign/tasks/sign.yml +++ b/roles/ssh-host-sign/tasks/sign.yml @@ -10,6 +10,8 @@ block: - ansible.builtin.command: cmd: "ssh-keygen -L -f {{ item.certificate }}" + check_mode: false + changed_when: false register: cert_info - name: Parse expiration date set_fact: From b66dfa16532e8e858d3d7c7bddcf622e6df2494f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Manuel=20Dom=C3=ADnguez?= Date: Mon, 19 Jan 2026 15:09:04 +0100 Subject: [PATCH 11/14] Hide the CA key on the playbook run logs --- roles/ssh-host-sign/tasks/sign.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/ssh-host-sign/tasks/sign.yml b/roles/ssh-host-sign/tasks/sign.yml index 19835b526..104afd6f3 100644 --- a/roles/ssh-host-sign/tasks/sign.yml +++ b/roles/ssh-host-sign/tasks/sign.yml @@ -38,6 +38,7 @@ owner: root group: root mode: 0600 + diff: false - name: Sign Keys command: "ssh-keygen -s /tmp/server_ca -I key_for_test1 -h -V +520w {{ item.key }}" From af05d164fbccf3f33c2c3b4ae914b34f03a3da9e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jos=C3=A9=20Manuel=20Dom=C3=ADnguez?= Date: Mon, 19 Jan 2026 15:50:18 +0100 Subject: [PATCH 12/14] Switch to `devsec.hardening.ssh_hardening` Switch from deprecated role `dev-sec.hardening` to `ssh_hardening` from the `devsec.hardening` collection. --- .gitignore | 1 - all.yml | 2 +- apollo.yml | 1 - beacon.yml | 2 -- build.yml | 2 -- cvmfs.yml | 4 ---- galaxy-test.yml | 1 - grafana.yml | 1 - group_vars/all/ssh_hardening.yml | 5 +++++ group_vars/all/vars.yml | 25 ------------------------- incoming.yml | 2 -- influxdb.yml | 2 -- maintenance.yml | 2 -- mq.yml | 2 -- one-off/cvmfs-stratum0.yml | 1 - one-off/denbi-stratum0.yml | 1 - one-off/hicbrowser.yml | 1 - one-off/job-working-dir.yml | 1 - one-off/org-jenkins-nodes.yml | 1 - one-off/ssds1.yml | 1 - plausible.yml | 2 -- proxy.yml | 2 -- requirements.yaml | 2 -- sn07.yml | 2 -- sn09.yml | 2 -- sn11.yml | 2 -- telescope.yml | 1 - tpv-broker.yml | 2 -- traefik-proxy.yml | 1 - 29 files changed, 6 insertions(+), 68 deletions(-) create mode 100644 group_vars/all/ssh_hardening.yml diff --git a/.gitignore b/.gitignore index 47389e54c..4096bc0b6 100644 --- a/.gitignore +++ b/.gitignore @@ -5,7 +5,6 @@ collections/ roles/cloudalchemy.grafana/ roles/dev-sec.os-hardening/ -roles/dev-sec.ssh-hardening/ roles/galaxyproject.galaxy/ roles/galaxyproject.nginx/ roles/galaxyproject.cvmfs/ diff --git a/all.yml b/all.yml index 131728c86..fa86044ac 100644 --- a/all.yml +++ b/all.yml @@ -5,5 +5,5 @@ roles: - role: usegalaxy_eu.ssh_manager - ssh-host-sign - - role: dev-sec.ssh-hardening + - role: devsec.hardening.ssh_hardening become: true diff --git a/apollo.yml b/apollo.yml index 11b20de9a..5574933cd 100644 --- a/apollo.yml +++ b/apollo.yml @@ -45,4 +45,3 @@ # END custom - dj-wasabi.telegraf # - dev-sec.os-hardening - # - dev-sec.ssh-hardening diff --git a/beacon.yml b/beacon.yml index ec1264b0f..bd9e3601e 100644 --- a/beacon.yml +++ b/beacon.yml 
@@ -8,8 +8,6 @@ - group_vars/beacon/vars.yml - group_vars/beacon/vault.yml vars: - collections: - - devsec.hardening roles: - role: usegalaxy_eu.handy.os_setup vars: diff --git a/build.yml b/build.yml index 87e18bbe4..f7ef95719 100644 --- a/build.yml +++ b/build.yml @@ -21,8 +21,6 @@ loop: - http - https - collections: - - devsec.hardening roles: - hostname - usegalaxy-eu.dynmotd diff --git a/cvmfs.yml b/cvmfs.yml index fa4d8ef56..56d87f009 100644 --- a/cvmfs.yml +++ b/cvmfs.yml @@ -7,8 +7,6 @@ - "secret_group_vars/all.yml" - mounts/mountpoints.yml - mounts/dest/all.yml - collections: - - devsec.hardening pre_tasks: - name: Set default version of Python alternatives: @@ -51,7 +49,6 @@ - dj-wasabi.telegraf # hardening - os_hardening - - ssh_hardening # # - hostname @@ -69,4 +66,3 @@ # # END custom # - dj-wasabi.telegraf # - dev-sec.os-hardening -# - dev-sec.ssh-hardening diff --git a/galaxy-test.yml b/galaxy-test.yml index b5f806555..265fb72e2 100644 --- a/galaxy-test.yml +++ b/galaxy-test.yml @@ -149,4 +149,3 @@ # Some of our 'cleanups' also generate telegraf format so this goes at end. - dj-wasabi.telegraf #- dev-sec.os-hardening - - dev-sec.ssh-hardening diff --git a/grafana.yml b/grafana.yml index 02e417143..1f96ca046 100644 --- a/grafana.yml +++ b/grafana.yml @@ -25,7 +25,6 @@ name: - git collections: - - devsec.hardening - grafana.grafana roles: ## Starting configuration of the operating system diff --git a/group_vars/all/ssh_hardening.yml b/group_vars/all/ssh_hardening.yml new file mode 100644 index 000000000..1e16e46bb --- /dev/null +++ b/group_vars/all/ssh_hardening.yml @@ -0,0 +1,5 @@ +ssh_host_certificates: "{{ ssh_host_sign_keys | map(attribute='certificate') }}" +ssh_permit_root_login: "without-password" +ssh_use_pam: true +sftp_enabled: true +ssh_client_alive_interval: 600 diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index e5a1c61b8..65c13a07b 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml 
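Review bot: In `group_vars/all/ssh_hardening.yml`, `ssh_host_certificates: "{{ ssh_host_sign_keys | map(attribute='certificate') }}"` ends in `map` with no trailing `| list`; on some Ansible versions the value may render as the string form of a generator rather than a list, which the hardening role's `HostCertificate` handling would not treat as intended. `"{{ ssh_host_sign_keys | map(attribute='certificate') | list }}"` is safe everywhere. The other four settings are moved here from `group_vars/all/vars.yml` (the next file in this patch) but their why-comments are not: `ssh_use_pam` carried `# Anything else prevents more login` and `sftp_enabled` carried `# Required if you want to run ansible more than once.`, and keeping those next to the values preserves the reason for two settings that otherwise look arbitrary.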
@@ -64,9 +64,6 @@ nginx_selinux_allow_local_connections: true #nginx_servers: # - redirect-ssl -# Allow root login on all machines - TBD -ssh_allow_root_with_key: true - redis_connection_string: "redis://:{{ redis_requirepass }}@mq02.galaxyproject.eu:6379/0" # Chrony chrony_server: 'time.ruf.uni-freiburg.de iburst' @@ -168,28 +165,6 @@ au_random_sleep: 360 sysctl_config: net.ipv6.conf.all.disable_ipv6: 0 -# SSH - -# ALL hosts should have signed SSH keys. -# ssh-host-(re)sign role -ssh_host_key_cert_files: - - /etc/ssh/ssh_host_rsa_key-cert.pub - - /etc/ssh/ssh_host_ecdsa_key-cert.pub - - /etc/ssh/ssh_host_ed25519_key-cert.pub - -# dev-sec.ssh-hardening role -# Allow root login on all machines -ssh_permit_root_login: "without-password" -sshd_custom_options: - - "HostCertificate {{ ssh_host_key_cert_files[0] }}" - - "HostCertificate {{ ssh_host_key_cert_files[1] }}" - - "HostCertificate {{ ssh_host_key_cert_files[2] }}" -# Anything else prevents more login -ssh_use_pam: true -# Required if you want to run ansible more than once. -sftp_enabled: true -ssh_client_alive_interval: 600 - # Apollo env vars apollo_env: "GALAXY_WEBAPOLLO_URL={{ GALAXY_WEBAPOLLO_URL }} GALAXY_WEBAPOLLO_USER={{ GALAXY_WEBAPOLLO_USER }} GALAXY_WEBAPOLLO_PASSWORD={{ GALAXY_WEBAPOLLO_PASSWORD }} GALAXY_WEBAPOLLO_EXT_URL={{ GALAXY_WEBAPOLLO_EXT_URL }} GALAXY_SHARED_DIR={{ GALAXY_SHARED_DIR }} GALAXY_APOLLO_ORG_SUFFIX=id" diff --git a/incoming.yml b/incoming.yml index 187d41ca3..af5761c72 100644 --- a/incoming.yml +++ b/incoming.yml @@ -9,8 +9,6 @@ - secret_group_vars/all.yml - mounts/mountpoints.yml - mounts/dest/all.yml - collections: - - devsec.hardening pre_tasks: - name: Set timezone to Europe/Berlin community.general.timezone: diff --git a/influxdb.yml b/influxdb.yml index 4716f6e1b..ca0958101 100644 --- a/influxdb.yml +++ b/influxdb.yml 
@@ -39,8 +39,6 @@ ansible.builtin.service: name: firewalld state: reloaded - collections: - - devsec.hardening roles: ## Starting configuration of the operating system - geerlingguy.swap diff --git a/maintenance.yml b/maintenance.yml index 6c72c8bdd..d263fe0d7 100644 --- a/maintenance.yml +++ b/maintenance.yml @@ -8,8 +8,6 @@ - secret_group_vars/all.yml - mounts/dest/all.yml - mounts/mountpoints.yml - collections: - - devsec.hardening handlers: - name: restart rsyslog service: diff --git a/mq.yml b/mq.yml index ed9400bed..b40ce4aca 100644 --- a/mq.yml +++ b/mq.yml @@ -6,8 +6,6 @@ - secret_group_vars/all.yml - secret_group_vars/aws.yml # AWS creds - secret_group_vars/pulsar.yml # Pulsar + MQ Connections - collections: - - devsec.hardening pre_tasks: # - name: Set default version of Python # alternatives: diff --git a/one-off/cvmfs-stratum0.yml b/one-off/cvmfs-stratum0.yml index c49493819..4c38bd769 100644 --- a/one-off/cvmfs-stratum0.yml +++ b/one-off/cvmfs-stratum0.yml @@ -30,4 +30,3 @@ # END custom - dj-wasabi.telegraf # - dev-sec.os-hardening -# - dev-sec.ssh-hardening diff --git a/one-off/denbi-stratum0.yml b/one-off/denbi-stratum0.yml index a5877ebc1..322f952a6 100644 --- a/one-off/denbi-stratum0.yml +++ b/one-off/denbi-stratum0.yml @@ -29,4 +29,3 @@ # END custom - dj-wasabi.telegraf #- dev-sec.os-hardening - #- dev-sec.ssh-hardening diff --git a/one-off/hicbrowser.yml b/one-off/hicbrowser.yml index 94c74b455..1613d9bb7 100644 --- a/one-off/hicbrowser.yml +++ b/one-off/hicbrowser.yml @@ -16,4 +16,3 @@ # END custom - dj-wasabi.telegraf - dev-sec.os-hardening - - dev-sec.ssh-hardening diff --git a/one-off/job-working-dir.yml b/one-off/job-working-dir.yml index 3270a341f..6cb95616e 100644 --- a/one-off/job-working-dir.yml +++ b/one-off/job-working-dir.yml @@ -19,4 +19,3 @@ # END custom - dj-wasabi.telegraf - dev-sec.os-hardening - - dev-sec.ssh-hardening diff --git a/one-off/org-jenkins-nodes.yml b/one-off/org-jenkins-nodes.yml index 2f986d490..7e41b19e2 100644 
--- a/one-off/org-jenkins-nodes.yml +++ b/one-off/org-jenkins-nodes.yml @@ -45,4 +45,3 @@ - hxr.monitor-email - influxdata.chrony - dev-sec.os-hardening - - dev-sec.ssh-hardening diff --git a/one-off/ssds1.yml b/one-off/ssds1.yml index 7d8f1c2bb..ea1ad1f0b 100644 --- a/one-off/ssds1.yml +++ b/one-off/ssds1.yml @@ -15,4 +15,3 @@ - geerlingguy.nfs - linuxhq.yum_cron - dev-sec.os-hardening - - dev-sec.ssh-hardening diff --git a/plausible.yml b/plausible.yml index 8ea11fac9..5a616b405 100644 --- a/plausible.yml +++ b/plausible.yml @@ -7,8 +7,6 @@ vars_files: - secret_group_vars/all.yml - secret_group_vars/plausible.yml - collections: - - devsec.hardening roles: - hostname - usegalaxy-eu.dynmotd diff --git a/proxy.yml b/proxy.yml index fd3d4b587..1af900114 100644 --- a/proxy.yml +++ b/proxy.yml @@ -6,8 +6,6 @@ hostname: proxy.galaxyproject.eu vars_files: - secret_group_vars/all.yml - collections: - - devsec.hardening pre_tasks: - name: Set default version of Python alternatives: diff --git a/requirements.yaml b/requirements.yaml index 69abca846..c47789a79 100644 --- a/requirements.yaml +++ b/requirements.yaml @@ -55,8 +55,6 @@ collections: roles: - name: dev-sec.os-hardening version: 4.2.0 - - name: dev-sec.ssh-hardening - version: 9.7.0 - name: devops.tomcat7 version: 1.0.0 - name: dj-wasabi.telegraf diff --git a/sn07.yml b/sn07.yml index fb4f921a8..06c73cf74 100644 --- a/sn07.yml +++ b/sn07.yml @@ -55,8 +55,6 @@ - templates/galaxy/config/job_conf.yml - mounts/mountpoints.yml - mounts/dest/all.yml - collections: - - devsec.hardening handlers: - name: Restart Galaxy shell: | diff --git a/sn09.yml b/sn09.yml index 44757b1f7..518ac9528 100644 --- a/sn09.yml +++ b/sn09.yml @@ -67,8 +67,6 @@ - templates/galaxy/config/job_conf.yml - mounts/dest/all.yml - mounts/mountpoints.yml - collections: - - devsec.hardening handlers: - name: Restart Galaxy ansible.builtin.shell: | diff --git a/sn11.yml b/sn11.yml index d8c01d728..69eaa2932 100644 --- a/sn11.yml +++ b/sn11.yml 
@@ -9,8 +9,6 @@ - group_vars/sn11.yml - mounts/dest/all.yml - mounts/mountpoints.yml - collections: - - devsec.hardening pre_tasks: - name: Add mosh service config for FirewallD ansible.builtin.copy: diff --git a/telescope.yml b/telescope.yml index 9518d934c..ecdfab940 100644 --- a/telescope.yml +++ b/telescope.yml @@ -24,4 +24,3 @@ # END custom - dj-wasabi.telegraf - dev-sec.os-hardening - - dev-sec.ssh-hardening diff --git a/tpv-broker.yml b/tpv-broker.yml index 1627a9e82..370108771 100644 --- a/tpv-broker.yml +++ b/tpv-broker.yml @@ -12,8 +12,6 @@ - group_vars/tpv-broker.yml - secret_group_vars/all.yml - secret_group_vars/aws.yml - collections: - - devsec.hardening pre_tasks: - name: Install Dependencies package: diff --git a/traefik-proxy.yml b/traefik-proxy.yml index f37c69ff0..608f72593 100644 --- a/traefik-proxy.yml +++ b/traefik-proxy.yml @@ -63,5 +63,4 @@ - usegalaxy-eu.dynmotd - artis3n.tailscale - usegalaxy_eu.traefik - - devsec.hardening.ssh_hardening - devsec.hardening.os_hardening From 2f744075214a715be6b83168d546a4343191bad3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Manuel=20Dom=C3=ADnguez?= Date: Mon, 19 Jan 2026 16:03:19 +0100 Subject: [PATCH 13/14] Remove resign-keys.yml playbook --- resign-keys.yml | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 resign-keys.yml diff --git a/resign-keys.yml b/resign-keys.yml deleted file mode 100644 index 3e8b876e9..000000000 --- a/resign-keys.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: resign all ssh keys - hosts: all - become: true - roles: - - ssh-host-resign - - dev-sec.ssh-hardening From 727de4d3ff388522cd516ec2cde6921704e7283d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Manuel=20Dom=C3=ADnguez?= Date: Mon, 19 Jan 2026 16:13:04 +0100 Subject: [PATCH 14/14] Move "Helper" task from `ssh-host-sign` role from sign.yml to main.yml again --- roles/ssh-host-sign/tasks/main.yml | 4 ++++ roles/ssh-host-sign/tasks/sign.yml | 4 ---- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/roles/ssh-host-sign/tasks/main.yml b/roles/ssh-host-sign/tasks/main.yml
index 68eb8a33a..64399b81d 100644
--- a/roles/ssh-host-sign/tasks/main.yml
+++ b/roles/ssh-host-sign/tasks/main.yml
@@ -10,3 +10,7 @@
 path: /etc/ssh/ssh_known_hosts
 state: present
 create: true
+
+- name: "Helper"
+ ansible.builtin.debug:
+ msg: "Please add the following to your known_hosts file: @cert-authority {{ ssh_host_sign_cert_domains_ips }} {{ lookup('file', 'server_ca.pub') }}"
diff --git a/roles/ssh-host-sign/tasks/sign.yml b/roles/ssh-host-sign/tasks/sign.yml
index 104afd6f3..f3681d390 100644
--- a/roles/ssh-host-sign/tasks/sign.yml
+++ b/roles/ssh-host-sign/tasks/sign.yml
@@ -47,7 +47,3 @@
 file:
 path: /tmp/server_ca
 state: absent
-
-- name: "Helper"
- ansible.builtin.debug:
- msg: "Please add the following to your known_hosts file: @cert-authority {{ ssh_host_sign_cert_domains_ips }} {{ lookup('file', 'server_ca.pub') }}"
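Review bot: Moving the `Helper` debug task into main.yml means it now runs for every host on every play that includes the ssh-host-sign role, and each run re-reads `server_ca.pub` from the controller. Since the message depends only on `ssh_host_sign_cert_domains_ips` and a controller-side file, add `run_once: true` to the task so the known_hosts hint is printed once per run instead of once per host (assuming that variable is not host-specific). If the intent is to show it only when keys were actually (re)signed, it belongs in sign.yml behind the same condition that gates signing, rather than unconditionally in main.yml.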