From 333e24b61f65fbb78e12bc6db323ee1daa857424 Mon Sep 17 00:00:00 2001
From: Denis Knauf
Date: Mon, 28 Feb 2022 17:56:59 +0100
Subject: [PATCH] =?UTF-8?q?Anpassungen=20f=C3=BCr=20https://git.denkn.at/d?=
 =?UTF-8?q?eac/ssh-ca,=20falls=20ssh-ca-role=20nicht=20verwendet=20wird.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 defaults/main.yml | 3 +++
 tasks/main.yml | 10 +++++-----
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 67baa8e..339711a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,6 +1,9 @@
 ssh_ca_user: sshca
 ssh_ca_base_dir: ~/.ssh-ca
+ssh_ca_pub: '{{ssh_ca_base_dir}}/ca.pub'
+ssh_ca_command: ~/ssh-ca
 ssh_cert_sign_host: '{{ssh_ca_host}}'
+ssh_cert_sign_user: '{{ssh_ca_user}}'
 ssh_cert_host_pub_path: /etc/ssh/ssh_host_ed25519_key.pub
 ssh_cert_host_cert_path: /etc/ssh/ssh_host_ed25519_key-cert.pub
 ssh_cert_host_capub_path: /etc/ssh/ca.pub
diff --git a/tasks/main.yml b/tasks/main.yml
index 9fd745f..674d1fb 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -13,7 +13,7 @@
 become: yes
 become_user: '{{ssh_ca_user}}'
 slurp:
- src: '{{ssh_ca_base_dir}}/ca.pub'
+ src: '{{ssh_ca_pub}}'
 - set_fact:
 ca_pub: '{{_ca_pub.content | b64decode}}'
@@ -32,7 +32,7 @@
 user: '{{ssh_ca_user}}'
 state: present
 key: '{{host_pub_type}} {{host_pub_hash}} {{inventory_hostname}}'
- key_options: 'restrict,command="~/ssh-ca host {{inventory_hostname|quote}} {{principals|quote}}"'
+ key_options: 'restrict,command="{{ssh_ca_command}} host {{inventory_hostname|quote}} {{principals|quote}}"'
 - when: ssh_cert_users is defined
 block:
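Review bot: The three new defaults carry no comment, and `ssh_ca_command` is not an ordinary path: it is spliced verbatim into an authorized_keys `command="…"` forced-command option in tasks/main.yml, so a value containing a double quote would corrupt that option line. Add above it `# Forced command sshd runs for the CA user; spliced unescaped into authorized_keys command="…", so no '"' and no shell metacharacters.` and above `ssh_cert_sign_user` something like `# Login used to reach ssh_cert_sign_host for signing; defaults to the role's own CA user.` The default `~/ssh-ca` depends on tilde expansion by the CA user's login shell when sshd executes the forced command; the comment should say so, since an absolute path avoids that dependency.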
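Review bot: `{{ssh_ca_command}}` is inserted into the `command="…"` option with no escaping, unlike the two arguments after it which go through `|quote`; an authorized_keys option value ends at the next unescaped `"`, so a value with a double quote in it would cut the forced command short and break the option parsing of the whole line. The same applies to the `key_options` line in hunk @@ -53. Since escaping inside this single-quoted YAML scalar gets awkward, a single check before these tasks is simpler, e.g. `- assert: { that: "'\"' not in ssh_ca_command" }`. The task this `key_options:` belongs to (presumably `authorized_key`, given `user`/`key`/`state`) begins above the hunk.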
@@ -53,7 +53,7 @@
 user: '{{ssh_ca_user}}'
 state: present
 key: '{{(item.content | b64decode).split(" ")[0]}} {{(item.content | b64decode).split(" ")[1]}} {{item.item.user}}@{{inventory_hostname}}'
- key_options: 'restrict,command="~/ssh-ca user {{item.item.user|quote}}@{{inventory_hostname|quote}} {{item.item.principals|default([item.item.user])|join(",")|quote}}"'
+ key_options: 'restrict,command="{{ssh_ca_command}} user {{item.item.user|quote}}@{{inventory_hostname|quote}} {{item.item.principals|default([item.item.user])|join(",")|quote}}"'
 with_items: '{{users_pub.results}}'
 - name: Push ca pub
@@ -74,7 +74,7 @@
 hash_host: false
 path: /etc/ssh/ssh_known_hosts
 name: '{{ssh_cert_known_domain}}'
- key: "@cert-authority * {{lookup('file', ssh_cert_host_capub_path)}}"
+ key: "@cert-authority *.{{ssh_cert_known_domain}} {{lookup('file', ssh_cert_host_capub_path)}}"
 - name: install ssh-cert-renew
 copy:
@@ -107,7 +107,7 @@
 with_dict:
 ssh_cert_mail_to: '{{ssh_cert_mail_to |mandatory}}'
 ssh_cert_mail_from: '{{ssh_cert_mail_from|mandatory}}'
- ssh_cert_sign_host: '{{ssh_cert_sign_host|mandatory}}'
+ ssh_cert_sign_host: '{{ssh_cert_sign_user|mandatory}}|{{ssh_cert_sign_host|mandatory}}'
 - name: renew host ssh-cert
 systemd:
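Review bot: The `name:` of this known_hosts task is still `{{ssh_cert_known_domain}}` while the new key line carries the pattern `*.{{ssh_cert_known_domain}}`; the module checks that `name` matches the host field of `key` (it runs `ssh-keygen -F` on the supplied key), and in ssh pattern matching `*.example.com` does not match the bare `example.com`, so unless the module special-cases wildcard host fields this task would now fail with a host/key mismatch where the old `*` matched anything. Either list both forms in the key, `key: "@cert-authority {{ssh_cert_known_domain}},*.{{ssh_cert_known_domain}} {{lookup('file', ssh_cert_host_capub_path)}}"`, or make `name:` the same `*.` pattern. Narrowing the CA's scope from `*` to the domain is the right direction, but clients that reach hosts by IP or by short name will no longer trust the CA for them; a comment above the task stating that only FQDNs under ssh_cert_known_domain are covered would save the next reader a debugging session. The task header is above the hunk.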
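Review bot: The `ssh_cert_sign_host` entry now carries two values packed as `user|host` under a key that still names only the host; whatever reads the rendered config (the ssh-cert-renew script installed by the task above, not visible here) must split on `|`, and nothing in this role checks that `ssh_cert_sign_user` or `ssh_cert_sign_host` is free of that separator. A comment above the line would make the format explicit: `# value format: <login user>|<host>; parsed by ssh-cert-renew`. Renaming the key (e.g. `ssh_cert_sign_target`) would read better but changes the contract with that script, so keep the name unless the script is updated in step. The `with_dict` task begins above the hunk.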