This is necessary if you are going to use Ansible on these machines. There are two parts that need to be addressed: SSH and GPG.
First, you need to be able to access the machine remotely. Create a new private key that is specific to the new machine. Do not reuse an existing SSH key: a per-machine key can be revoked on its own if that machine is lost or compromised, without touching access from anywhere else.
ssh-keygen -t ecdsa -b 521 -C "<Username>-<machine>"
This writes the private key to ~/.ssh/id_ecdsa and the public key to ~/.ssh/id_ecdsa.pub. Now the public key has to be signed by the user CA so that the servers will accept it. Copy only id_ecdsa.pub (never the private key) to a computer that has the systems repository checked out and can run Ansible. Once it is copied over, run the following command, adjusting the paths:
ssh-keygen -s <path to systems>/ca/cosci-llc_user.ca -I "<username> - <machine>" -n <username>,sysadmin,root id_ecdsa.pub
This will create a file called id_ecdsa-cert.pub next to id_ecdsa.pub. The -I value is the key identity that sshd writes to the auth log, so make it name the person and the machine; the -n list is the principals, that is, the accounts the certificate may log in as. Consider also adding a validity period (for example -V +52w) so that a forgotten certificate expires on its own. Copy id_ecdsa-cert.pub back to the machine you want to add to Ansible, place it in ~/.ssh/ beside id_ecdsa, and set the permissions:
chmod 600 ./id_ecdsa-cert.pub
Now add a CertificateFile directive to ~/.ssh/config for every machine that the Ansible scripts connect to. ssh pairs the certificate with the private key from IdentityFile (or the default ~/.ssh/id_ecdsa), so add an IdentityFile line as well if you gave the key a different name. For instance:
Host zonza
    HostName zonza.cosci-llc.com
    CertificateFile ~/.ssh/id_ecdsa-cert.pub
    Port 22
    ForwardAgent yes
ForwardAgent yes lets the remote host use your local ssh-agent; keep it only for hosts you trust with that, because anyone with root on the remote host can use the forwarded agent to authenticate as you while you are connected. Now you should be able to ssh to any CoSci-LLC machine. In addition, test that ssh sysadmin@zonza works: sysadmin is one of the principals in the certificate and Ansible connects as that user, so this must succeed before going any further.
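The SSH steps above as one runnable dry run. This is an added example, not CoSci-LLC's own tooling: it builds a throwaway user CA in a temp directory (standing in for <path to systems>/ca/cosci-llc_user.ca), signs a per-machine key with the same principal list as above, and then reads the certificate back with ssh-keygen -L to check the key ID, the principals and the signing CA before you try ssh sysadmin@host. The user name "alice", the machine name "laptop" and the CA name are constructed for the demo.

```shell
#!/bin/sh
# Added example (not CoSci-LLC's own tooling): dry run of the SSH certificate
# steps against a throwaway user CA. User, machine and CA names are constructed.
set -eu

command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

USER_KEY="$WORK/id_ecdsa"        # stands in for ~/.ssh/id_ecdsa on the new machine
CA_KEY="$WORK/demo_user.ca"      # stands in for <path to systems>/ca/cosci-llc_user.ca
CERT="$WORK/id_ecdsa-cert.pub"   # what ssh-keygen -s writes next to the .pub

# Step 1 (new machine): a per-machine ECDSA P-521 key, as in the page's command.
make_user_key() {
    ssh-keygen -q -t ecdsa -b 521 -N "" -C "alice-laptop" -f "$USER_KEY"
}

# Demo only: the real CA already exists in the systems repo and is trusted by the servers.
make_demo_ca() {
    ssh-keygen -q -t ed25519 -N "" -C "demo user CA" -f "$CA_KEY"
}

# Step 2 (CA machine): sign the PUBLIC key only. -I is the identity sshd logs,
# -n the principals the cert may log in as, -V a validity window so a
# forgotten certificate expires on its own.
sign_user_key() {
    ssh-keygen -q -s "$CA_KEY" -I "alice - laptop" -n alice,sysadmin,root \
        -V +52w "$USER_KEY.pub"
    chmod 600 "$CERT"
}

# Checks worth running before trying ssh sysadmin@host: what is really in the cert.
cert_key_id() {
    ssh-keygen -L -f "$CERT" | sed -n 's/^ *Key ID: "\(.*\)"$/\1/p'
}

cert_principals() {
    # ssh-keygen -L lists principals one per line between "Principals:" and
    # "Critical Options:"; strip the indentation so callers get bare names.
    ssh-keygen -L -f "$CERT" |
        awk '/Principals:/ {p=1; next} /Critical Options:/ {p=0} p {sub(/^[ \t]+/, ""); print}'
}

cert_has_principal() {
    cert_principals | grep -qx "$1"
}

# Was the cert signed by this CA? Compare the "Signing CA" fingerprint inside
# the certificate with the fingerprint of the CA's public key.
cert_signed_by_ca() {
    ca_fp="$(ssh-keygen -l -f "$CA_KEY.pub" | awk '{print $2}')"
    ssh-keygen -L -f "$CERT" | grep -F "Signing CA:" | grep -qF "$ca_fp"
}

make_user_key
make_demo_ca
sign_user_key
ssh-keygen -L -f "$CERT"   # print the signed certificate for inspection
```

If cert_has_principal sysadmin fails here, the -n list was wrong when the key was signed, and no amount of ~/.ssh/config editing will make ssh sysadmin@zonza work; re-sign the public key instead.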
With GPG keys, it is recommended to use the same key on all machines. A GPG key is an identity, and it is easier to have one identity everywhere than to maintain trust between several keys that all belong to the same person.
First, select which GPG key to export from the machine:
gpg --list-secret-keys
Copy the fingerprint of the key you want to export. For instance:
sec   rsa4096 2018-09-20 [SC]
      F92AFB458F917C9CDE6C1ED57A747426F7042EDC
uid           [ultimate] Owen Parkins <oparkins@gmail.com>
ssb   rsa4096 2018-09-20 [E]
ssb   rsa4096 2019-10-05 [A] [expires: 2020-10-04]
F92AFB458F917C9CDE6C1ED57A747426F7042EDC is the key's full fingerprint. gpg accepts it wherever a key ID is expected, and unlike the short 8-character ID it cannot be confused with another key.
Now, export the key:
gpg --export-secret-keys <key ID> > private.key
private.key now contains your secret keys. Copy it to the new machine only over an encrypted channel (for example scp over the SSH connection set up above), import it, and delete the file from both machines once the import has succeeded:
gpg --import private.key
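The GPG move above, end to end, as an added example that is not part of the original page or of CoSci-LLC's tooling. It creates a throwaway identity in one keyring (the "old machine"), exports it the way the steps above do, imports it into a second keyring (the "new machine") and checks that the same fingerprint arrives. It goes one step beyond the page by also carrying the ownertrust across, which --export-secret-keys does not include, and checks that the key is [ultimate] again afterwards. The demo user, both keyrings, and the use of an empty passphrase are constructed for the example; a real identity should have a passphrase.

```shell
#!/bin/sh
# Added example (not CoSci-LLC's own tooling): move a GPG identity between two
# throwaway keyrings and verify fingerprint and ownertrust on the receiving side.
# Demo user and keyrings are constructed; the empty passphrase is for the demo only.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; exit 1; }

OLD="$(mktemp -d)"   # stands in for ~/.gnupg on the old machine
NEW="$(mktemp -d)"   # stands in for ~/.gnupg on the new machine
cleanup() {
    GNUPGHOME="$OLD" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$NEW" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$OLD" "$NEW"
}
trap cleanup EXIT

# Old machine: the existing identity (constructed for the demo).
make_demo_identity() {
    GNUPGHOME="$OLD" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "Demo User <demo@example.invalid>" default default never
}

# "Copy the fingerprint of the key you want to export", scripted: in
# --with-colons output the first fpr record after sec is the primary key.
primary_fingerprint() {
    GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys 2>/dev/null |
        awk -F: '$1 == "sec" {want = 1} want && $1 == "fpr" {print $10; exit}'
}

# Validity of the primary secret key as gpg computes it: "u" is ultimate,
# "-" is unknown, which is what a freshly imported key gets.
primary_validity() {
    GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys 2>/dev/null |
        awk -F: '$1 == "sec" {print $2; exit}'
}

# Old machine: export the secret key (the page's step, plus --armor so the file
# survives copy-and-paste) and the ownertrust, which the key export does not carry.
export_identity() {
    fpr="$(primary_fingerprint "$OLD")"
    GNUPGHOME="$OLD" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --export-secret-keys "$fpr" > "$OLD/private.key"
    GNUPGHOME="$OLD" gpg --batch --export-ownertrust > "$OLD/ownertrust.txt" 2>/dev/null
}

# New machine: import the key. The identity is present but not yet trusted.
import_identity() {
    GNUPGHOME="$NEW" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --import "$OLD/private.key" 2>/dev/null
}

# New machine: restore ownertrust and recompute the trust database, so the key
# is [ultimate] again. gpg --edit-key <fpr> followed by "trust" does the same by hand.
restore_trust() {
    GNUPGHOME="$NEW" gpg --batch --import-ownertrust "$OLD/ownertrust.txt" 2>/dev/null
    GNUPGHOME="$NEW" gpg --batch --check-trustdb 2>/dev/null
}

make_demo_identity
export_identity
import_identity
echo "validity right after import: $(primary_validity "$NEW")"
restore_trust
echo "validity after ownertrust import: $(primary_validity "$NEW")"
# The export file is a live secret: remove it as soon as the import has succeeded.
shred -u "$OLD/private.key" 2>/dev/null || rm -f "$OLD/private.key"
```

For a real identity the same sequence applies, with GNUPGHOME left at its default on each machine and the two files moved over scp; the export prompts for the key's passphrase instead of taking an empty one.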
Note that the import brings the key but not its ownertrust: on the new machine the key shows as unknown rather than [ultimate] until you set the trust level (gpg --edit-key with the fingerprint, then the trust command, or export and import the ownertrust from the old machine). After completing both the SSH and GPG setup, you should be able to run the Ansible scripts from the new machine.