Johannes Kastl
8c4790e963
OBS-URL: https://build.opensuse.org/package/show/security/step-cli?expand=0&rev=4
60 lines
2.0 KiB
Diff
60 lines
2.0 KiB
Diff
Index: cli-0.22.0/systemd/ssh-cert-renewer@.service
|
|
===================================================================
|
|
--- /dev/null
|
|
+++ cli-0.22.0/systemd/ssh-cert-renewer@.service
|
|
@@ -0,0 +1,30 @@
|
|
+[Unit]
|
|
+Description=Smallstep SSH Certificate Renewal for the %I host certificate
|
|
+After=network-online.target
|
|
+Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
|
|
+StartLimitIntervalSec=0
|
|
+PartOf=cert-renewer.target
|
|
+
|
|
+[Service]
|
|
+Type=oneshot
|
|
+User=root
|
|
+
|
|
+Environment=STEPPATH=/etc/step \
|
|
+ CERT_LOCATION=/etc/ssh/ssh_host_%i_key-cert.pub \
|
|
+ KEY_LOCATION=/etc/ssh/ssh_host_%i_key
|
|
+
|
|
+; ExecCondition checks if the certificate is ready for renewal,
|
|
+; based on the exit status of the command.
|
|
+; (In systemd <242, you can use ExecStartPre= here.)
|
|
+ExecCondition=/usr/bin/step ssh needs-renewal ${CERT_LOCATION}
|
|
+
|
|
+; ExecStart renews the certificate, if ExecStartPre was successful.
|
|
+ExecStart=/usr/bin/step ssh renew --force ${CERT_LOCATION} ${KEY_LOCATION}
|
|
+
|
|
+; Try to reload or restart the systemd service that relies on this cert-renewer
|
|
+; If the relying service doesn't exist, forge ahead.
|
|
+; (In systemd <229, use `reload-or-try-restart` instead of `try-reload-or-restart`)
|
|
+ExecStartPost=/usr/bin/env sh -c "! systemctl --quiet is-enabled sshd.service || systemctl try-reload-or-restart sshd"
|
|
+
|
|
+[Install]
|
|
+WantedBy=multi-user.target
|
|
Index: cli-0.22.0/systemd/ssh-cert-renewer@.timer
|
|
===================================================================
|
|
--- /dev/null
|
|
+++ cli-0.22.0/systemd/ssh-cert-renewer@.timer
|
|
@@ -0,0 +1,19 @@
|
|
+[Unit]
|
|
+Description=Timer for Smallstep SSH Certificate Renewal for the %I host certificate
|
|
+Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
|
|
+PartOf=cert-renewer.target
|
|
+
|
|
+[Timer]
|
|
+Persistent=true
|
|
+
|
|
+; Run the timer unit every 5 minutes.
|
|
+OnCalendar=*:1/5
|
|
+
|
|
+; Always run the timer on time.
|
|
+AccuracySec=1us
|
|
+
|
|
+; Add jitter to prevent a "thundering hurd" of simultaneous certificate renewals.
|
|
+RandomizedDelaySec=5m
|
|
+
|
|
+[Install]
|
|
+WantedBy=timers.target
|