ansible-zero-trust/roles/ssh_step/tasks/ca-cert-renew.yml
GregoryDosh 981f336d5a
fix: add some validation for vars, also move cron to every 4 hours for better consistency in lab
2025-12-05 15:43:43 -06:00


# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-FileCopyrightText: 2025 Dosh LLC
---
# Render the two renewal helpers from the role's templates into STEP_SCRIPTS_PATH.
# They are owned by the step user/group and are 0750, so only that user and group
# can read or execute them.
- name: Add Zero Trust helper scripts
  become: true
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: "{{ STEP_USER_NAME }}"
    group: "{{ STEP_GROUP_NAME }}"
    mode: "0750"
  with_items:
    - src: "{{ role_path }}/templates/etc/step-ca/scripts/zt-renew-acme.sh.j2"
      dest: "{{ STEP_SCRIPTS_PATH }}/zt-renew-acme.sh"
    - src: "{{ role_path }}/templates/etc/step-ca/scripts/zt-renew-ssh.sh.j2"
      dest: "{{ STEP_SCRIPTS_PATH }}/zt-renew-ssh.sh"
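# Install the periodic renewal job via the healthcheck_script role, then run it once
# now if the SSH host cert is due for renewal or its SANs no longer match.
- name: ACME/SSH Cert Renewal Cron Job
  become: true
  block:
    # The included role owns the cron entry and the wrapper around the script body
    # below. `$logger` is not defined here; it is presumably provided by that role's
    # script preamble — confirm against dosh_llc.ansible_cron.healthcheck_script.
    - ansible.builtin.include_role:
        name: dosh_llc.ansible_cron.healthcheck_script
      vars:
        HEALTHCHECK_NAME: "{{ STEP_HC_RENEWAL_NAME }}"
        HEALTHCHECK_TAGS: "{{ STEP_HC_RENEWAL_TAGS }}"
        HEALTHCHECK_CRON_USER: "{{ STEP_USER_NAME }}"
        HEALTHCHECK_CRON_HOUR: "{{ STEP_HC_RENEWAL_CRON }}"
        HEALTHCHECK_FILE_NAME: "{{ STEP_HC_FILE_NAME }}"
        HEALTHCHECK_FILE_USER: "{{ STEP_USER_NAME }}"
        HEALTHCHECK_FILE_GROUP: "{{ STEP_GROUP_NAME }}"
        # The body is a Jinja-templated POSIX shell fragment; `{% if %}` branches
        # are resolved at render time, not at run time.
        HEALTHCHECK_FILE_CONTENT: |
          # Group both renewal scripts so stderr from the ACME step is captured as well;
          # a trailing 2>&1 on the last command only redirects that command's stderr.
          CERT_RENEW=$({ {{ STEP_SCRIPTS_PATH }}/zt-renew-acme.sh && {{ STEP_SCRIPTS_PATH }}/zt-renew-ssh.sh; } 2>&1)
          EXIT_STATUS="$?"
          if [ "$EXIT_STATUS" -ne 0 ]; then
          $logger "ERROR: unable to renew certs: $CERT_RENEW"
          exit "$EXIT_STATUS"
          else
          $logger "INFO: Renewed SSH Host Keys: {{ STEP_CERTS_PATH }}{{ STEP_CERTS_SSH_HOST_CERT }} {{ STEP_CERTS_PATH }}{{ STEP_CERTS_SSH_PRIVATE_KEY }}"
          fi
          # Validate the sshd config before reloading so a bad cert/key never takes sshd
          # down; capture stderr so the `sshd -t` diagnostics reach the error log line.
          SSHD_RESTART=$({ {{ SSHD_BIN_ABSOLUTE_PATH }} -t && {% if SERVICE_BIN_ABSOLUTE_PATH %}{{ SERVICE_BIN_ABSOLUTE_PATH }} sshd restart{% else %}{{ SYSTEMCTL_BIN_ABSOLUTE_PATH }} {% if (_systemd_version | int) < 229 %}reload-or-try-restart{% else %}try-reload-or-restart{% endif %} sshd{% endif %}; } 2>&1)
          EXIT_STATUS="$?"
          if [ "$EXIT_STATUS" -ne 0 ]; then
          $logger "ERROR: unable to restart sshd: $SSHD_RESTART"
          exit "$EXIT_STATUS"
          else
          $logger "INFO: Restarted sshd to pick up changes"
          fi
    # `_cert_ssh_needs_renewal` and `_cert_ssh_existing_san_match` are registered
    # elsewhere in the role (not in this file); the generated healthcheck script is
    # run immediately so the first renewal does not wait for the next cron slot.
    - name: call healthcheck on SSH cert renew
      when: _cert_ssh_needs_renewal.changed or not _cert_ssh_existing_san_match
      become: true
      ansible.builtin.shell: "{{ STEP_HC_FILE_NAME }}"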