ansible-role-deploy-ssh-cer.../tasks/deploy_certificate.yml

- name: Generate key pair
  openssh_keypair:
    path: "/etc/ssh/{{ item.name }}"
    type: "{{ item.key_type }}"
  register: key_pair

- name: Check whether certificate exists
  stat:
    path: "/etc/ssh/{{ item.name }}-cert.pub"
  register: cert_stat

- name: Generate SSH user certificate
  command:
    cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=2 {{ ssh_ca_host }} '{{ ssh_ca_script }} user {{ item.signing_key }} \"{{ key_pair.public_key }}\" {{ item.host }} \"{{ item.principals }}\"'"
  register: user_cert
  delegate_to: localhost
  when: item.type == "user" and not cert_stat.stat.exists

- name: Generate SSH host certificate
  command:
    cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=2 {{ ssh_ca_host }} '{{ ssh_ca_script }} host {{ item.signing_key }} \"{{ key_pair.public_key }}\" {{ item.host }}'"
  register: host_cert
  delegate_to: localhost
  when: item.type == "host" and not cert_stat.stat.exists

- name: Place certificate
  copy:
    dest: "/etc/ssh/{{ item.name }}-cert.pub"
    content: "{{ (item.type == 'user') | ternary(user_cert.stdout, host_cert.stdout) }}"
    mode: 0644
  when: not cert_stat.stat.exists

- name: Enable user certificate
  lineinfile:
    path: /etc/ssh/ssh_config.d/certificates.conf
    line: "CertificateFile /etc/ssh/{{ item.name }}-cert.pub"
    create: true
  when: item.type == "user"
  notify: restart sshd

- name: Enable user identity
  lineinfile:
    path: /etc/ssh/ssh_config.d/certificates.conf
    line: "IdentityFile /etc/ssh/{{ item.name }}"
    create: true
  when: item.type == "user"
  notify: restart sshd

- name: Enable host certificate
  lineinfile:
    path: /etc/ssh/sshd_config.d/certificates.conf
    line: "HostCertificate /etc/ssh/{{ item.name }}-cert.pub"
    create: true
  when: item.type == "host"
  notify: restart sshd

- name: Enable host key
  lineinfile:
    path: /etc/ssh/sshd_config.d/certificates.conf
    line: "HostKey /etc/ssh/{{ item.name }}"
    create: true
  when: item.type == "host"
  notify: restart sshd
init 2023-04-26 16:41:33 +00:00			`- name: Generate key pair`
			`openssh_keypair:`
			`path: "/etc/ssh/{{ item.name }}"`
			`type: "{{ item.key_type }}"`
			`register: key_pair`

			`- name: Check whether certificate exists`
			`stat:`
			`path: "/etc/ssh/{{ item.name }}-cert.pub"`
			`register: cert_stat`

			`- name: Generate SSH user certificate`
			`command:`
			`cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=2 {{ ssh_ca_host }} '{{ ssh_ca_script }} user {{ item.signing_key }} \"{{ key_pair.public_key }}\" {{ item.host }} \"{{ item.principals }}\"'"`
fix no attribute stdout 2023-04-26 17:17:40 +00:00			`register: user_cert`
init 2023-04-26 16:41:33 +00:00			`delegate_to: localhost`
			`when: item.type == "user" and not cert_stat.stat.exists`

			`- name: Generate SSH host certificate`
			`command:`
			`cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=2 {{ ssh_ca_host }} '{{ ssh_ca_script }} host {{ item.signing_key }} \"{{ key_pair.public_key }}\" {{ item.host }}'"`
fix no attribute stdout 2023-04-26 17:17:40 +00:00			`register: host_cert`
init 2023-04-26 16:41:33 +00:00			`delegate_to: localhost`
			`when: item.type == "host" and not cert_stat.stat.exists`

			`- name: Place certificate`
			`copy:`
			`dest: "/etc/ssh/{{ item.name }}-cert.pub"`
fix no attribute stdout 2023-04-26 17:17:40 +00:00			`content: "{{ (item.type == 'user') \| ternary(user_cert.stdout, host_cert.stdout) }}"`
init 2023-04-26 16:41:33 +00:00			`mode: 0644`
fix typo 2023-04-26 16:51:27 +00:00			`when: not cert_stat.stat.exists`
init 2023-04-26 16:41:33 +00:00
			`- name: Enable user certificate`
			`lineinfile:`
			`path: /etc/ssh/ssh_config.d/certificates.conf`
			`line: "CertificateFile /etc/ssh/{{ item.name }}-cert.pub"`
create files in lineinfile 2023-04-26 16:53:15 +00:00			`create: true`
init 2023-04-26 16:41:33 +00:00			`when: item.type == "user"`
restart sshd if needed 2023-04-26 17:12:10 +00:00			`notify: restart sshd`
init 2023-04-26 16:41:33 +00:00
			`- name: Enable user identity`
			`lineinfile:`
			`path: /etc/ssh/ssh_config.d/certificates.conf`
			`line: "IdentityFile /etc/ssh/{{ item.name }}"`
create files in lineinfile 2023-04-26 16:53:15 +00:00			`create: true`
init 2023-04-26 16:41:33 +00:00			`when: item.type == "user"`
restart sshd if needed 2023-04-26 17:12:10 +00:00			`notify: restart sshd`
init 2023-04-26 16:41:33 +00:00
			`- name: Enable host certificate`
			`lineinfile:`
			`path: /etc/ssh/sshd_config.d/certificates.conf`
			`line: "HostCertificate /etc/ssh/{{ item.name }}-cert.pub"`
create files in lineinfile 2023-04-26 16:53:15 +00:00			`create: true`
init 2023-04-26 16:41:33 +00:00			`when: item.type == "host"`
restart sshd if needed 2023-04-26 17:12:10 +00:00			`notify: restart sshd`
init 2023-04-26 16:41:33 +00:00
			`- name: Enable host key`
			`lineinfile:`
			`path: /etc/ssh/sshd_config.d/certificates.conf`
			`line: "HostKey /etc/ssh/{{ item.name }}"`
create files in lineinfile 2023-04-26 16:53:15 +00:00			`create: true`
init 2023-04-26 16:41:33 +00:00			`when: item.type == "host"`
restart sshd if needed 2023-04-26 17:12:10 +00:00			`notify: restart sshd`