ansible-role-deploy-ssh-cer.../tasks/deploy_certificate.yml

- name: Generate key pair
  openssh_keypair:
    path: "/etc/ssh/{{ item.name }}"
    type: "{{ item.key_type }}"
  register: key_pair

- name: Check whether certificate exists
  stat:
    path: "/etc/ssh/{{ item.name }}-cert.pub"
  register: cert_stat

- name: Generate SSH user certificate
  command:
    cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=2 {{ ssh_ca_host }} '{{ ssh_ca_script }} user {{ item.signing_key }} \"{{ key_pair.public_key }}\" {{ item.host }} \"{{ item.principals }}\"'"
  register: certificate
  delegate_to: localhost
  when: item.type == "user" and not cert_stat.stat.exists

- name: Generate SSH host certificate
  command:
    cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=2 {{ ssh_ca_host }} '{{ ssh_ca_script }} host {{ item.signing_key }} \"{{ key_pair.public_key }}\" {{ item.host }}'"
  register: certificate
  delegate_to: localhost
  when: item.type == "host" and not cert_stat.stat.exists

- name: Place certificate
  copy:
    dest: "/etc/ssh/{{ item.name }}-cert.pub"
    content: "{{ certificate.stdout }}"
    mode: 0644
  when: not cert_stat.stat.exists

- name: Enable user certificate
  lineinfile:
    path: /etc/ssh/ssh_config.d/certificates.conf
    line: "CertificateFile /etc/ssh/{{ item.name }}-cert.pub"
  when: item.type == "user"

- name: Enable user identity
  lineinfile:
    path: /etc/ssh/ssh_config.d/certificates.conf
    line: "IdentityFile /etc/ssh/{{ item.name }}"
  when: item.type == "user"

- name: Enable host certificate
  lineinfile:
    path: /etc/ssh/sshd_config.d/certificates.conf
    line: "HostCertificate /etc/ssh/{{ item.name }}-cert.pub"
  when: item.type == "host"

- name: Enable host key
  lineinfile:
    path: /etc/ssh/sshd_config.d/certificates.conf
    line: "HostKey /etc/ssh/{{ item.name }}"
  when: item.type == "host"
init 2023-04-26 16:41:33 +00:00			`- name: Generate key pair`
			`openssh_keypair:`
			`path: "/etc/ssh/{{ item.name }}"`
			`type: "{{ item.key_type }}"`
			`register: key_pair`

			`- name: Check whether certificate exists`
			`stat:`
			`path: "/etc/ssh/{{ item.name }}-cert.pub"`
			`register: cert_stat`

			`- name: Generate SSH user certificate`
			`command:`
			`cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=2 {{ ssh_ca_host }} '{{ ssh_ca_script }} user {{ item.signing_key }} \"{{ key_pair.public_key }}\" {{ item.host }} \"{{ item.principals }}\"'"`
			`register: certificate`
			`delegate_to: localhost`
			`when: item.type == "user" and not cert_stat.stat.exists`

			`- name: Generate SSH host certificate`
			`command:`
			`cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=2 {{ ssh_ca_host }} '{{ ssh_ca_script }} host {{ item.signing_key }} \"{{ key_pair.public_key }}\" {{ item.host }}'"`
			`register: certificate`
			`delegate_to: localhost`
			`when: item.type == "host" and not cert_stat.stat.exists`

			`- name: Place certificate`
			`copy:`
			`dest: "/etc/ssh/{{ item.name }}-cert.pub"`
			`content: "{{ certificate.stdout }}"`
			`mode: 0644`
fix typo 2023-04-26 16:51:27 +00:00			`when: not cert_stat.stat.exists`
init 2023-04-26 16:41:33 +00:00
			`- name: Enable user certificate`
			`lineinfile:`
			`path: /etc/ssh/ssh_config.d/certificates.conf`
			`line: "CertificateFile /etc/ssh/{{ item.name }}-cert.pub"`
			`when: item.type == "user"`

			`- name: Enable user identity`
			`lineinfile:`
			`path: /etc/ssh/ssh_config.d/certificates.conf`
			`line: "IdentityFile /etc/ssh/{{ item.name }}"`
			`when: item.type == "user"`

			`- name: Enable host certificate`
			`lineinfile:`
			`path: /etc/ssh/sshd_config.d/certificates.conf`
			`line: "HostCertificate /etc/ssh/{{ item.name }}-cert.pub"`
			`when: item.type == "host"`

			`- name: Enable host key`
			`lineinfile:`
			`path: /etc/ssh/sshd_config.d/certificates.conf`
			`line: "HostKey /etc/ssh/{{ item.name }}"`
			`when: item.type == "host"`