From 255a4ab9f5d089dee1d81a285cad1a544444d723 Mon Sep 17 00:00:00 2001
From: Denis Knauf
Date: Wed, 30 Sep 2020 20:45:28 +0200
Subject: [PATCH] install CA in authorized_keys for user. renewal once a day, not fix at 4o'clock.
---
 .gitignore | 1 +
 files/ssh-host-cert-renew@.timer | 4 +++-
 tasks/main.yml | 30 +++++++++++++++++++++++++-----
 3 files changed, 29 insertions(+), 6 deletions(-)
diff --git a/.gitignore b/.gitignore
index fdcf9b4..3d2d662 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,4 @@ tags
 # ---> Ansible
 *.retry
+/meta/.galaxy_install_info
diff --git a/files/ssh-host-cert-renew@.timer b/files/ssh-host-cert-renew@.timer
index d3c54e3..c4ebedf 100644
--- a/files/ssh-host-cert-renew@.timer
+++ b/files/ssh-host-cert-renew@.timer
@@ -1,8 +1,10 @@
 [Unit]
 Description=Renewal ssh host certificate %i
+After=network.target
 [Install]
 WantedBy=timers.target
 [Timer]
-OnCalendar=4:00
+OnUnitActiveSec=24h
+OnActiveSec=1m
diff --git a/tasks/main.yml b/tasks/main.yml
index f8ab8c2..9fd745f 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -5,7 +5,18 @@
 register: host_pub
 slurp:
 src: '{{ssh_cert_host_pub_path}}'
+
+- name: Fetch CA pub
+ remote_user: root
+ delegate_to: '{{ssh_ca_host}}'
+ register: _ca_pub
+ become: yes
+ become_user: '{{ssh_ca_user}}'
+ slurp:
+ src: '{{ssh_ca_base_dir}}/ca.pub'
+
 - set_fact:
+ ca_pub: '{{_ca_pub.content | b64decode}}'
 host_pub_type: '{{(host_pub.content | b64decode).split(" ")[0]}}'
 host_pub_hash: '{{(host_pub.content | b64decode).split(" ")[1]}}'
 principals: "{{lookup( 'flattened',
@@ -47,11 +58,11 @@
 
 - name: Push ca pub
 copy:
- src: '{{ssh_cert_host_capub_path}}'
- dest: '{{ssh_cert_host_capub_path}}'
- mode: 0644
- owner: root
- group: root
+ dest: '{{ssh_cert_host_capub_path}}'
+ content: '{{ca_pub}}'
+ mode: 0644
+ owner: root
+ group: root
 - name: sshd_config - HostCertificate
 lineinfile:
 path: /etc/ssh/sshd_config
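Review bot: `After=network.target` is placed in the timer unit, where it only orders the timer's own activation and says nothing about the renewal service the timer starts; if that service has to reach the CA host, the ordering belongs in the service unit, and `network.target` does not imply connectivity — `Wants=network-online.target` together with `After=network-online.target` does. With `OnActiveSec=1m` every host renews one minute after boot and then every 24h from the last run, so a fleet that reboots together will hit the CA host in a burst; a `RandomizedDelaySec=1h` line in `[Timer]` would spread that out. Whether the service actually contacts the CA over the network is not visible in this patch.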
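Review bot: `Fetch CA pub` opens a root session on `ssh_ca_host` (`remote_user: root`, then `become_user: '{{ssh_ca_user}}'`) just to read a public key, and without `run_once: true` it does so once per host in the play; reading `ca.pub` needs neither root nor a per-host login, so connecting as the CA user directly and adding `run_once: true` would reduce this to a single unprivileged read. Because `ca_pub` becomes a trust anchor on every managed host (it is written to `ssh_cert_host_capub_path` and into users' authorized_keys later in this patch), a sanity check before it is used — an `assert` that the decoded value is non-empty and begins with an SSH key type, or matches a pinned fingerprint if the role keeps one — would stop a bad read from fanning out to the whole fleet. `become: yes` should be `become: true`. The `set_fact` task continues past the end of the hunk.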
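Review bot: `mode: 0644` is a plain scalar that YAML 1.1 loaders read as the integer 420; Ansible's file modules still treat it as octal because of the leading zero, but quoting it as `mode: '0644'` removes the reliance on that special case and is the form Ansible documents. The switch from `src:` to `content: '{{ca_pub}}'` means the file on each host is now whatever was slurped from the CA host during this run rather than a key vetted into the role's files; if that is the intent, a one-line comment on the task saying the CA key is sourced live from `ssh_ca_host` would make the trust path explicit for the next reader.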
@@ -132,6 +143,15 @@
 state: started
 with_items: '{{ssh_cert_users}}'
+- name: "Register certificate-role in user's authorized_keys"
+ when: ssh_cert_user_authorized_roles is defined
+ with_items: '{{ssh_cert_user_authorized_roles}}'
+ authorized_key:
+ user: '{{item.user}}'
+ state: present
+ key: '{{ca_pub}}'
+ key_options: 'cert-authority,principals="{{item.roles|default([item.user])|join(",")}}"'
+
 - name: reload ssh
 service:
 name: ssh
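Review bot: The loop only ever adds `cert-authority` lines (`state: present` is fixed), so dropping a user or a role from `ssh_cert_user_authorized_roles` leaves the old CA trust line in that user's authorized_keys with its old principals; a `state: '{{item.state | default("present")}}'` line would give the role a way to revoke, and the hard-coded value should at least be noted as a known limitation. The `principals="…"` option is assembled with `join(",")` from role names that are not validated anywhere in the hunk; a role name containing `"` or `,` would break the option or widen it, so a comment stating that roles must be plain identifiers — or an `assert` on each `item.roles` entry — is worth adding. `loop:` is the current idiom in place of `with_items:` if the role's minimum Ansible version allows it.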