install CA in authorized_keys for user. renewal once a day, not fix at 4o'clock.

.gitignore

@@ -22,3 +22,4 @@ tags
 # ---> Ansible
 *.retry
 
+/meta/.galaxy_install_info

files/ssh-host-cert-renew@.timer

@@ -1,8 +1,10 @@
 [Unit]
 Description=Renewal ssh host certificate %i
+After=network.target
 
 [Install]
 WantedBy=timers.target
 
 [Timer]
-OnCalendar=4:00
+OnUnitActiveSec=24h
+OnActiveSec=1m

tasks/main.yml

@@ -5,7 +5,18 @@
   register: host_pub
   slurp:
     src:  '{{ssh_cert_host_pub_path}}'
+
+- name: Fetch CA pub
+  remote_user: root
+  delegate_to: '{{ssh_ca_host}}'
+  register: _ca_pub
+  become: yes
+  become_user: '{{ssh_ca_user}}'
+  slurp:
+    src: '{{ssh_ca_base_dir}}/ca.pub'
+
 - set_fact:
+    ca_pub: '{{_ca_pub.content | b64decode}}'
     host_pub_type: '{{(host_pub.content | b64decode).split(" ")[0]}}'
     host_pub_hash: '{{(host_pub.content | b64decode).split(" ")[1]}}'
     principals: "{{lookup( 'flattened',
@@ -47,11 +58,11 @@
 
 - name: Push ca pub
   copy:
-    src:  '{{ssh_cert_host_capub_path}}'
-    dest: '{{ssh_cert_host_capub_path}}'
-    mode: 0644
-    owner: root
-    group: root
+    dest:    '{{ssh_cert_host_capub_path}}'
+    content: '{{ca_pub}}'
+    mode:    0644
+    owner:   root
+    group:   root
 - name: sshd_config - HostCertificate
   lineinfile:
     path:         /etc/ssh/sshd_config
@@ -132,6 +143,15 @@
       state:   started
     with_items: '{{ssh_cert_users}}'
 
+- name: "Register certificate-role in user's authorized_keys"
+  when: ssh_cert_user_authorized_roles is defined
+  with_items: '{{ssh_cert_user_authorized_roles}}'
+  authorized_key:
+    user:        '{{item.user}}'
+    state:       present
+    key:         '{{ca_pub}}'
+    key_options: 'cert-authority,principals="{{item.roles|default([item.user])|join(",")}}"'
+
 - name: reload ssh
   service:
     name:  ssh