From 836d926e432b34aa183faca30f73c8786e64ae83 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Tue, 25 Apr 2023 17:45:23 +0200
Subject: [PATCH] support for arbitrary number of CA key pair

---
 README.md              |  8 ++++----
 tasks/main.yml         | 26 ++++++++------------------
 templates/ssh_ca.sh.j2 | 16 +++++++++-------
 3 files changed, 21 insertions(+), 29 deletions(-)

diff --git a/README.md b/README.md
index 108cd63..429e971 100644
--- a/README.md
+++ b/README.md
@@ -19,7 +19,7 @@ Notable, it has the following limitations:
 The following variables must be set before calling the role:
 
 - `ssh_ca_dir`: Working directory for the certificate authority
-- `ssh_ca_user_ca_private_key`: Private key of the SSH user CA
-- `ssh_ca_user_ca_public_key`: Public key of the SSH user CA
-- `ssh_ca_host_ca_private_key`: Private key of the SSH host CA
-- `ssh_ca_host_ca_public_key`: Public key of the SSH host CA
+- `ssh_ca_key_pair`: List of CA key pairs
+  - `name`: File name of the CA key pair
+  - `public_key`: Public key contents on the key pair
+  - `private_key`: Private key contents on the key pair
diff --git a/tasks/main.yml b/tasks/main.yml
index 82198eb..2c29214 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -16,26 +16,16 @@
     path: "{{ ssh_ca_dir }}/keys"
     state: directory
 
-- name: Copy user CA private key
+- name: Copy private keys
   copy:
-    dest: "{{ ssh_ca_dir }}/keys/user_ca"
-    content: "{{ ssh_ca_user_ca_private_key }}"
+    dest: "{{ ssh_ca_dir }}/keys/{{ item.name }}"
+    content: "{{ item.private_key }}"
     mode: 0600
+  with_items: "{{ ssh_ca_key_pairs }}"
 
-- name: Copy host CA private key
+- name: Copy public keys
   copy:
-    dest: "{{ ssh_ca_dir }}/keys/host_ca"
-    content: "{{ ssh_ca_host_ca_private_key }}"
-    mode: 0600
-
-- name: Copy user CA public key
-  copy:
-    dest: "{{ ssh_ca_dir }}/keys/user_ca.pub"
-    content: "{{ ssh_ca_user_ca_public_key }}"
-    mode: 0644
-
-- name: Copy host CA public key
-  copy:
-    dest: "{{ ssh_ca_dir }}/keys/host_ca.pub"
-    content: "{{ ssh_ca_host_ca_public_key }}"
+    dest: "{{ ssh_ca_dir }}/keys/{{ item.name }}.pub"
+    content: "{{ item.public_key }}"
     mode: 0644
+  with_items: "{{ ssh_ca_key_pairs }}"
diff --git a/templates/ssh_ca.sh.j2 b/templates/ssh_ca.sh.j2
index 6809fa7..23479ee 100644
--- a/templates/ssh_ca.sh.j2
+++ b/templates/ssh_ca.sh.j2
@@ -3,22 +3,24 @@
 set -euo pipefail
 IFS=$'\n\t'
 host() {
-    PUBKEY="$2"
-    HOST="$3"
+    CAKEY="$2"
+    PUBKEY="$3"
+    HOST="$4"
 
     echo "$PUBKEY" > {{ ssh_ca_dir }}/"$HOST".pub
-    ssh-keygen -h -s {{ ssh_ca_dir }}/keys/host_ca -I "$HOST" -n "$HOST" {{ ssh_ca_dir }}/"$HOST".pub
+    ssh-keygen -h -s {{ ssh_ca_dir }}/keys/"$CAKEY" -I "$HOST" -n "$HOST" {{ ssh_ca_dir }}/"$HOST".pub
     cat {{ ssh_ca_dir }}/"$HOST"-cert.pub
     rm {{ ssh_ca_dir }}/"$HOST"*.pub
 }
 
 user() {
-    PUBKEY="$2"
-    HOST="$3"
-    PRINCIPALS="$4"
+    CAKEY="$2"
+    PUBKEY="$3"
+    HOST="$4"
+    PRINCIPALS="$5"
 
     echo "$PUBKEY" > {{ ssh_ca_dir }}/"$HOST".pub
-    ssh-keygen -s {{ ssh_ca_dir }}/keys/user_ca -I "$HOST" -n "$HOST","$PRINCIPALS" {{ ssh_ca_dir }}/"$HOST".pub
+    ssh-keygen -s {{ ssh_ca_dir }}/keys/"$CAKEY" -I "$HOST" -n "$HOST","$PRINCIPALS" {{ ssh_ca_dir }}/"$HOST".pub
     cat {{ ssh_ca_dir }}/"$HOST"-cert.pub
     rm {{ ssh_ca_dir }}/"$HOST"*.pub
 }
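Review bot: Both new `with_items:` lines loop over `ssh_ca_key_pairs`, but the README hunk in this same commit documents the variable as `ssh_ca_key_pair`; one of the two has to change or a playbook written from the README fails on an undefined variable. The "Copy private keys" task now iterates over items whose `private_key` field is the key material, and Ansible prints the loop `item` in task results (always on failure, and at higher verbosity on success), so the task should carry `no_log: true` to keep CA private keys out of logs. `item.name` is interpolated unchecked into `dest` in both tasks; if it is meant to be a bare file name, an `assert` that it contains no `/` (or `{{ item.name | basename }}`) guarantees the write stays under `keys/`. `loop:` is the current spelling of `with_items:`, though that is cosmetic.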
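Review bot: `$CAKEY` comes from a positional argument and is interpolated straight into the `ssh-keygen -s` path in both `host()` and `user()` with nothing restricting it to the names configured in `ssh_ca_key_pairs`, so a value containing `/` or `..` makes ssh-keygen read whatever file it points at, and the old per-function binding to `host_ca`/`user_ca` — which also kept host and user certificates on separate CAs — is gone. How the script is invoked and where `$1` is dispatched lies outside the hunk, so I can't tell how trusted the caller is; either way a whitelist rendered from the role variable at template time is cheap, and the helper below, called right after `CAKEY` is assigned in each function, rejects anything not configured. If key pairs are meant to stay bound to one certificate type, a per-pair attribute checked the same way would restore that separation.
```shell
# Reject any CA key name that is not one of the configured pairs.
check_cakey() {
    case "$1" in
{% for pair in ssh_ca_key_pairs %}
        "{{ pair.name }}") ;;
{% endfor %}
        *) echo "unknown CA key: $1" >&2; exit 1 ;;
    esac
}

host() {
    CAKEY="$2"
    check_cakey "$CAKEY"
    # … unchanged: PUBKEY/HOST assignment, ssh-keygen -h, cat, rm …
}
```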