user-certs renewal support added. vers -> defaults

tasks/main.yml

@@ -5,8 +5,6 @@
   register: host_pub
   slurp:
     src:  '{{ssh_cert_host_pub_path}}'
-    #dest: '{{ssh_cert_base_dir}}/host-{{inventory_hostname}}.pub'
-    #flat: true
 - set_fact:
     host_pub_type: '{{(host_pub.content | b64decode).split(" ")[0]}}'
     host_pub_hash: '{{(host_pub.content | b64decode).split(" ")[1]}}'
@@ -23,10 +21,32 @@
     user:        '{{ssh_ca_user}}'
     state:       present
     key:         '{{host_pub_type}} {{host_pub_hash}} {{inventory_hostname}}'
-    key_options: 'restrict,command="/var/lib/sshca/ssh-ca host {{inventory_hostname|quote}} {{principals|quote}}"'
+    key_options: 'restrict,command="~/ssh-ca host {{inventory_hostname|quote}} {{principals|quote}}"'
+
+- when: ssh_cert_users is defined
+  block:
+  - debug: var=ssh_cert_users
+  - name: Pull users pub
+    register: users_pub
+    become: yes
+    become_user: '{{item.user}}'
+    #shell: >-
+    #  cat {{ssh_cert_user_pub_path|quote}}
+    slurp:
+      src: '{{ssh_cert_user_pub_path}}'
+    with_items: '{{ssh_cert_users}}'
+  - name: Register host pub for sshca
+    remote_user: root
+    delegate_to: '{{ssh_ca_host}}'
+    authorized_key:
+      user:        '{{ssh_ca_user}}'
+      state:       present
+      key:         '{{(item.content | b64decode).split(" ")[0]}} {{(item.content | b64decode).split(" ")[1]}} {{item.item.user}}@{{inventory_hostname}}'
+      key_options: 'restrict,command="~/ssh-ca user {{item.item.user|quote}}@{{inventory_hostname|quote}} {{item.item.principals|default([item.item.user])|join(",")|quote}}"'
+    with_items: '{{users_pub.results}}'
 
 - name: Push ca pub
-  copy: 
+  copy:
     src:  '{{ssh_cert_host_capub_path}}'
     dest: '{{ssh_cert_host_capub_path}}'
     mode: 0644
@@ -42,7 +62,7 @@
   known_hosts:
     hash_host: false
     path: /etc/ssh/ssh_known_hosts
-    name: denkn.at
+    name: '{{ssh_cert_known_domain}}'
     key: "@cert-authority * {{lookup('file', ssh_cert_host_capub_path)}}"
 
 - name: install ssh-cert-renew
@@ -53,8 +73,10 @@
     owner: root
     group: root
   with_dict:
-    ssh-cert-renew@.timer:   /etc/systemd/system/ssh-cert-renew@.timer
-    ssh-cert-renew@.service: /etc/systemd/system/ssh-cert-renew@.service
+    ssh-host-cert-renew@.timer:   /etc/systemd/system/ssh-cert-renew@.timer
+    ssh-host-cert-renew@.service: /etc/systemd/system/ssh-cert-renew@.service
+    ssh-user-cert-renew@.timer:   /etc/systemd/user/ssh-cert-renew@.timer
+    ssh-user-cert-renew@.service: /etc/systemd/user/ssh-cert-renew@.service
 - name: install ssh-cert-renew
   copy:
     dest: '{{item.value}}'
@@ -65,7 +87,7 @@
   with_dict:
     ssh-cert-renew:          /etc/systemd/ssh-cert-renew
 
-- name: config ssh-cert-renew
+- name: config host ssh-cert-renew
   lineinfile:
     create: true
     path:   '/etc/default/ssh-cert-renew'
@@ -76,7 +98,7 @@
     ssh_cert_mail_from: '{{ssh_cert_mail_from|mandatory}}'
     ssh_cert_sign_host: '{{ssh_cert_sign_host|mandatory}}'
 
-- name: renew ssh-cert
+- name: renew host ssh-cert
   systemd:
     daemon_reload: true
     name:  "ssh-cert-renew@ssh_host_ed25519_key.service"
@@ -90,6 +112,26 @@
   - "ssh-cert-renew@ssh_host_ed25519_key.timer"
   - ssh.service
 
+- when: ssh_cert_users is defined
+  block:
+  - name: renew users ssh-cert
+    become_user: '{{item.user}}'
+    become: true
+    systemd:
+      scope: user
+      name:  "ssh-cert-renew@id_ed25519.service"
+      state: started
+    with_items: '{{ssh_cert_users}}'
+  - name: enable users renewal services
+    become_user: '{{item.user}}'
+    become: true
+    systemd:
+      scope: user
+      name: "ssh-cert-renew@id_ed25519.timer"
+      enabled: true
+      state:   started
+    with_items: '{{ssh_cert_users}}'
+
 - name: reload ssh
   service:
     name:  ssh