Apply non-core changes in CORD-912 to master
remove vestigial templates
create admin-openrc.sh in cord_profile_dir and home dir
Change-Id: I52a7cef1ea9e0dc7a37d9888fcfdc093434777ef
diff --git a/roles/ssh-pki/defaults/main.yml b/roles/ssh-pki/defaults/main.yml
new file mode 100644
index 0000000..1e8574e
--- /dev/null
+++ b/roles/ssh-pki/defaults/main.yml
@@ -0,0 +1,20 @@
+---
+# ssh-pki/tasks/main.yml
+
+pki_dir: "/opt/pki"
+ssh_pki_dir: "/opt/ssh_pki"
+credentials_dir: "/opt/credentials"
+
+# password on SSH CA
+ssh_ca_phrase: "{{ lookup('password', credentials_dir ~ '/ssh_ca_phrase length=64') }}"
+
+# ssh-keygen parameters
+ssh_keytype: rsa
+ssh_keysize: 4096
+
+# lists of keys to generate
+ssh_client_genkeys:
+ - name: headnode
+
+ssh_host_genkeys: []
+
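Review bot: The header comment on the second line reads `# ssh-pki/tasks/main.yml`, but this file is `roles/ssh-pki/defaults/main.yml`; it should read `# ssh-pki/defaults/main.yml`. The comment `# password on SSH CA` above `ssh_ca_phrase` also undersells what the line does. The `password` lookup generates the value on first use and persists it in plaintext in the `ssh_ca_phrase` file under `credentials_dir` on the Ansible control machine. That file therefore needs the same access and backup controls as the CA private key itself. A comment such as `# SSH CA passphrase; generated once by the password lookup and stored in plaintext under credentials_dir on the control host` would make this visible to operators.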
diff --git a/roles/ssh-pki/tasks/main.yml b/roles/ssh-pki/tasks/main.yml
new file mode 100644
index 0000000..44dbe64
--- /dev/null
+++ b/roles/ssh-pki/tasks/main.yml
@@ -0,0 +1,76 @@
+---
+# ssh-pki/tasks/main.yml
+
+- name: Create SSH CA Directory
+ file:
+ dest: "{{ item }}"
+ state: directory
+ owner: "{{ ansible_user_id }}"
+ mode: 0700
+ with_items:
+ - "{{ ssh_pki_dir }}"
+ - "{{ ssh_pki_dir }}/ca"
+ - "{{ ssh_pki_dir }}/client_certs"
+ - "{{ ssh_pki_dir }}/host_certs"
+
+- name: Generate SSH CA Cert
+ command: >
+ ssh-keygen
+ -q -N "{{ ssh_ca_phrase }}"
+ -t {{ ssh_keytype }}
+ -b {{ ssh_keysize }}
+ -C "CORD SSH CA"
+ -f {{ ssh_pki_dir }}/ca/cord_ssh_ca_cert
+ args:
+ creates: "{{ ssh_pki_dir }}/ca/cord_ssh_ca_cert.pub"
+
+- name: Generate SSH Client Certs
+ command: >
+ ssh-keygen
+ -q -N ""
+ -t {{ item.keytype | default(ssh_keytype) }}
+ -b {{ item.keysize | default(ssh_keysize) }}
+ -C "CORD SSH client key for {{ item.name }}"
+ -f {{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey
+ args:
+ creates: "{{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey.pub"
+ with_items: "{{ ssh_client_genkeys }}"
+ register: client_ssh_key_generated
+
+- name: Sign SSH Client Certs with SSH CA
+ command: >
+ ssh-keygen
+ -q -P "{{ ssh_ca_phrase }}"
+ -I "{{ item.name }}"
+ -n "{{ item.name }}"
+ -s {{ ssh_pki_dir }}/ca/cord_ssh_ca_cert
+ {{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey.pub
+ args:
+ creates: "{{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey-cert.pub"
+ with_items: "{{ ssh_client_genkeys }}"
+
+- name: Generate SSH Host Certs
+ command: >
+ ssh-keygen
+ -q -N ""
+ -t {{ item.keytype | default(ssh_keytype) }}
+ -b {{ item.keysize | default(ssh_keysize) }}
+ -C "CORD SSH host key for {{ item.name }}"
+ -f {{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey
+ args:
+ creates: "{{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey.pub"
+ with_items: "{{ ssh_host_genkeys }}"
+ register: host_ssh_keys_generated
+
+- name: Generate SSH Host Certs
+ command: >
+ ssh-keygen
+ -q -P "{{ ssh_ca_phrase }}" -h
+ -I "{{ item.name }}"
+ -n "{{ item.name }},{{ item.name }}.{{ site_suffix }}"
+ -s {{ ssh_pki_dir }}/ca/cord_ssh_ca_cert
+ {{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey.pub
+ args:
+ creates: "{{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey-cert.pub"
+ with_items: "{{ ssh_host_genkeys }}"
+
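Review bot: The CA passphrase is passed as a command-line argument (`-N "{{ ssh_ca_phrase }}"` in "Generate SSH CA Cert", `-P "{{ ssh_ca_phrase }}"` in both signing tasks), so it appears in Ansible's task output and logs and, while ssh-keygen runs, in the host's process list. Adding `no_log: true` to those three tasks keeps it out of Ansible's output; the argv exposure remains and deserves a comment in the role. Neither signing command passes a validity interval, so the issued client and host certificates never expire; a `-V` option fed from a role variable would bound their lifetime. Separately, the last task reuses the name "Generate SSH Host Certs" although it signs the host keys; `- name: Sign SSH Host Certs with SSH CA` would match the client-side task and keep the play output unambiguous.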