59 lines
1.8 KiB
YAML
59 lines
1.8 KiB
YAML
- name: Generate key pair
|
|
openssh_keypair:
|
|
path: "/etc/ssh/{{ item.name }}"
|
|
type: "{{ item.key_type }}"
|
|
register: key_pair
|
|
|
|
- name: Check whether certificate exists
|
|
stat:
|
|
path: "/etc/ssh/{{ item.name }}-cert.pub"
|
|
register: cert_stat
|
|
|
|
- name: Generate SSH user certificate
|
|
command:
|
|
cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=2 {{ ssh_ca_host }} '{{ ssh_ca_script }} user {{ item.signing_key }} \"{{ key_pair.public_key }}\" {{ item.host }} \"{{ item.principals }}\"'"
|
|
register: certificate
|
|
delegate_to: localhost
|
|
when: item.type == "user" and not cert_stat.stat.exists
|
|
|
|
- name: Generate SSH host certificate
|
|
command:
|
|
cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=2 {{ ssh_ca_host }} '{{ ssh_ca_script }} host {{ item.signing_key }} \"{{ key_pair.public_key }}\" {{ item.host }}'"
|
|
register: certificate
|
|
delegate_to: localhost
|
|
when: item.type == "host" and not cert_stat.stat.exists
|
|
|
|
- name: Place certificate
|
|
copy:
|
|
dest: "/etc/ssh/{{ item.name }}-cert.pub"
|
|
content: "{{ certificate.stdout }}"
|
|
mode: 0644
|
|
when: not cert_stat.stat.exists
|
|
|
|
- name: Enable user certificate
|
|
lineinfile:
|
|
path: /etc/ssh/ssh_config.d/certificates.conf
|
|
line: "CertificateFile /etc/ssh/{{ item.name }}-cert.pub"
|
|
create: true
|
|
when: item.type == "user"
|
|
|
|
- name: Enable user identity
|
|
lineinfile:
|
|
path: /etc/ssh/ssh_config.d/certificates.conf
|
|
line: "IdentityFile /etc/ssh/{{ item.name }}"
|
|
create: true
|
|
when: item.type == "user"
|
|
|
|
- name: Enable host certificate
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config.d/certificates.conf
|
|
line: "HostCertificate /etc/ssh/{{ item.name }}-cert.pub"
|
|
create: true
|
|
when: item.type == "host"
|
|
|
|
- name: Enable host key
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config.d/certificates.conf
|
|
line: "HostKey /etc/ssh/{{ item.name }}"
|
|
create: true
|
|
when: item.type == "host"
|