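# Per-item task list (meant to be looped over as `item`): generates an SSH key
# pair, has it signed by a remote CA, installs the certificate and enables it in
# ssh_config.d (user certs) or sshd_config.d (host certs).
#
# Expected item fields: name, key_type, type ("user" | "host"), signing_key,
# host, and principals (user certs only). Required play vars: ssh_ca_host and
# ssh_ca_script. Signing is requested from the controller (delegate_to:
# localhost) over ssh; ssh_ca_script is then executed by the CA host's shell.
#
# NOTE(review): a certificate that already exists is never re-issued, so
# expiry/rotation must be handled outside this task list.

# Defense in depth: host and signing_key end up unquoted on the CA host's
# command line, principals inside double quotes, and name inside a path under
# /etc/ssh. Reject anything that could break out of those contexts before a
# key is generated or a request is sent. Loosen the allowlists if your naming
# scheme legitimately needs more characters.
- name: Validate item fields before they reach a shell or a filesystem path
  assert:
    that:
      - item.type in ["user", "host"]
      - item.name is match('^[A-Za-z0-9_.-]+$')
      - item.host is match('^[A-Za-z0-9_.@:-]+$')
      - item.signing_key is match('^[A-Za-z0-9_./@-]+$')
      # Inside double quotes only backtick, $, " and \ are still special.
      - item.type == "host" or (item.principals | string) is not search('[`$"\\]')
    fail_msg: "Refusing to sign: item {{ item.name | default('<unnamed>') }} contains unsafe characters"

# openssh_keypair is idempotent and writes the private key with its own
# restrictive default mode; the public key is returned in key_pair.public_key.
- name: Generate key pair
  openssh_keypair:
    path: "/etc/ssh/{{ item.name }}"
    type: "{{ item.key_type }}"
  register: key_pair

- name: Check whether certificate exists
  stat:
    path: "/etc/ssh/{{ item.name }}-cert.pub"
  register: cert_stat

# The two signing tasks register under DIFFERENT names on purpose: a skipped
# task still registers its (skipped) result, so a shared `certificate`
# variable would be overwritten by whichever task ran last and `.stdout` would
# be undefined for the other type.
#
# The ssh call relies on the controller's known_hosts for ssh_ca_host; with no
# tty an unknown host key fails the task, which is the intended outcome — do
# not "fix" that by disabling StrictHostKeyChecking. The extra failed_when
# catches a CA script that exits 0 without printing a certificate, so an empty
# file is never installed.
- name: Generate SSH user certificate
  command:
    cmd: >-
      ssh -o ConnectTimeout=3 -o ConnectionAttempts=2 {{ ssh_ca_host }}
      '{{ ssh_ca_script }} user {{ item.signing_key }} "{{ key_pair.public_key }}" {{ item.host }} "{{ item.principals }}"'
  register: user_certificate
  delegate_to: localhost
  failed_when: user_certificate.rc != 0 or (user_certificate.stdout | trim) == ""
  when: item.type == "user" and not cert_stat.stat.exists

- name: Generate SSH host certificate
  command:
    cmd: >-
      ssh -o ConnectTimeout=3 -o ConnectionAttempts=2 {{ ssh_ca_host }}
      '{{ ssh_ca_script }} host {{ item.signing_key }} "{{ key_pair.public_key }}" {{ item.host }}'
  register: host_certificate
  delegate_to: localhost
  failed_when: host_certificate.rc != 0 or (host_certificate.stdout | trim) == ""
  when: item.type == "host" and not cert_stat.stat.exists

# Pick the result that matches this item's type; the other variable holds a
# skipped result and has no stdout. Certificates are public, hence 0644
# (quoted so Ansible parses the octal mode itself).
- name: Place certificate
  copy:
    dest: "/etc/ssh/{{ item.name }}-cert.pub"
    content: "{{ (user_certificate if item.type == 'user' else host_certificate).stdout }}"
    mode: "0644"
  when: not cert_stat.stat.exists

# Client-side wiring for user certificates. sshd does not read ssh_config, so
# the restart notification is harmless but not strictly required here.
- name: Enable user certificate
  lineinfile:
    path: /etc/ssh/ssh_config.d/certificates.conf
    line: "CertificateFile /etc/ssh/{{ item.name }}-cert.pub"
    create: true
  when: item.type == "user"
  notify: restart sshd

- name: Enable user identity
  lineinfile:
    path: /etc/ssh/ssh_config.d/certificates.conf
    line: "IdentityFile /etc/ssh/{{ item.name }}"
    create: true
  when: item.type == "user"
  notify: restart sshd

# Server-side wiring for host certificates; sshd must be restarted to pick up
# the new HostKey/HostCertificate pair.
- name: Enable host certificate
  lineinfile:
    path: /etc/ssh/sshd_config.d/certificates.conf
    line: "HostCertificate /etc/ssh/{{ item.name }}-cert.pub"
    create: true
  when: item.type == "host"
  notify: restart sshd

- name: Enable host key
  lineinfile:
    path: /etc/ssh/sshd_config.d/certificates.conf
    line: "HostKey /etc/ssh/{{ item.name }}"
    create: true
  when: item.type == "host"
  notify: restart sshd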