extract role

inventory/host_vars/lewis.yml

@@ -12,3 +12,10 @@ backup_hosts:
 
 apt_install_packages:
   - borgbackup
+
+deploy_ssh_certificates:
+  - name: ssh_host_ed25519_key
+    type: host
+    key_type: ed25519
+    signing_key: hyp_host
+    host: lewis.hyp

lewis.yml

@@ -48,36 +48,6 @@
         passno: 1
         state: present
 
-    - name: Generate host key pair
-      openssh_keypair:
-        path: /etc/ssh/ssh_host_ed25519_key
-        type: ed25519
-        comment: "{{ ansible_host }}"
-      register: host_key
-
-    - name: Check whether host certificate exists
-      stat:
-        path: /etc/ssh/ssh_host_ed25519_key-cert.pub
-      register: cert_stat
-
-    - name: Generate SSH host certificate
-      command:
-        cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@atlas.hyp '/root/ssh_ca/ssh_ca.sh host hyp_host \"{{ host_key.public_key }}\" {{ ansible_host }}'"
-      register: host_certificate
-      delegate_to: localhost
-      when: not cert_stat.stat.exists
-
-    - name: Place host certificate
-      copy:
-        dest: /etc/ssh/ssh_host_ed25519_key-cert.pub
-        content: "{{ host_certificate.stdout }}"
-        mode: 0644
-      when: not cert_stat.stat.exists
-
-    - name: Enable host certificate
-      copy:
-        dest: /etc/ssh/sshd_config.d/sshd_host_certificate.conf
-        content: "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"
-
   roles:
-    - apt
+    - {role: apt, tags: apt}
+    - {role: deploy_ssh_certificates, tags: deploy_ssh_certificates}

requirements.yml

@@ -1,3 +1,6 @@
 - name: apt
   src: https://github.com/sunscrapers/ansible-role-apt.git
   scm: git
+- name: deploy_ssh_certificates
+  src: https://git.pim.kunis.nl/home/ansible-role-deploy-ssh-certificates
+  scm: git