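---
# vim: set expandtab tabstop=2 shiftwidth=2:
#
# Enrol a host (and optionally its users) with an SSH certificate authority
# running on ssh_ca_host:
#   1. read the host public key locally and the CA public key from the CA host,
#   2. register the host/user public keys in the CA user's authorized_keys,
#      each pinned by "restrict" plus a forced signing command,
#   3. install the CA public key, sshd HostCertificate, a known_hosts
#      @cert-authority entry and the ssh-cert-renew systemd units.
# The 'dig' lookup used below runs on the control node and needs dnspython.

- name: Pull host pub
  register: host_pub
  slurp:
    src: '{{ssh_cert_host_pub_path}}'

- name: Fetch CA pub
  remote_user: root
  delegate_to: '{{ssh_ca_host}}'
  register: _ca_pub
  become: true
  become_user: '{{ssh_ca_user}}'
  slurp:
    src: '{{ssh_ca_pub}}'

- name: Derive CA pub, host key parts and certificate principals
  set_fact:
    ca_pub: '{{_ca_pub.content | b64decode}}'
    # An OpenSSH public key line is "<type> <base64 blob> [comment]";
    # host_pub_hash is field 1, i.e. the key blob, despite its name.
    host_pub_type: '{{(host_pub.content | b64decode).split(" ")[0]}}'
    host_pub_hash: '{{(host_pub.content | b64decode).split(" ")[1]}}'
    # 'flattened' returns one comma-joined string: it is passed verbatim to
    # the CA signing command and split on "," again in the last task.
    # 'dig' yields the literal string NXDOMAIN for a missing record; it is
    # passed to difference() as a list so whole elements are compared rather
    # than substrings. 'domain' is expected from the inventory.
    principals: >-
      {{lookup('flattened',
      [inventory_hostname, inventory_hostname+'.'+domain, inventory_hostname+'.local']
      + lookup('dig', inventory_hostname, 'qtype=A', wantlist=True)|difference(['NXDOMAIN'])
      + lookup('dig', inventory_hostname, 'qtype=AAAA', wantlist=True)|difference(['NXDOMAIN'])
      + (ssh_cert_host_addition_ids | default([])))}}

- name: Register host pub for sshca
  remote_user: root
  delegate_to: '{{ssh_ca_host}}'
  authorized_key:
    user: '{{ssh_ca_user}}'
    state: present
    key: '{{host_pub_type}} {{host_pub_hash}} {{inventory_hostname}}'
    # "restrict" disables pty, port/agent/X11 forwarding; the forced command
    # means the only thing this key can invoke on the CA host is the signing
    # command with this fixed hostname and principal list.
    key_options: 'restrict,command="{{ssh_ca_command}} host {{inventory_hostname|quote}} {{principals|quote}}"'

- when: ssh_cert_users is defined
  block:
    - debug:
        var: ssh_cert_users

    # Read as item.user, so a home-relative ssh_cert_user_pub_path resolves
    # in that user's home — confirm against how the variable is defined.
    - name: Pull users pub
      register: users_pub
      become: true
      become_user: '{{item.user}}'
      slurp:
        src: '{{ssh_cert_user_pub_path}}'
      with_items: '{{ssh_cert_users}}'

    - name: Register users pub for sshca
      remote_user: root
      delegate_to: '{{ssh_ca_host}}'
      authorized_key:
        user: '{{ssh_ca_user}}'
        state: present
        key: '{{(item.content | b64decode).split(" ")[0]}} {{(item.content | b64decode).split(" ")[1]}} {{item.item.user}}@{{inventory_hostname}}'
        # Same restriction as for the host key: user certificates can only be
        # requested for user@host and the principals listed for that user
        # (defaulting to the user name).
        key_options: 'restrict,command="{{ssh_ca_command}} user {{item.item.user|quote}}@{{inventory_hostname|quote}} {{item.item.principals|default([item.item.user])|join(",")|quote}}"'
      with_items: '{{users_pub.results}}'

- name: Push ca pub
  copy:
    dest: '{{ssh_cert_host_capub_path}}'
    content: '{{ca_pub}}'
    mode: "0644"
    owner: root
    group: root

# If the '# HostKeys for protocol' comment is absent (newer sshd_config
# files) lineinfile falls back to appending at end of file.
- name: sshd_config - HostCertificate
  lineinfile:
    path: /etc/ssh/sshd_config
    insertbefore: '^# HostKeys for protocol'
    regexp: '^\s*HostCertificate\s+'
    line: 'HostCertificate {{ssh_cert_host_cert_path}}'

- name: known_hosts ca-cert
  known_hosts:
    hash_host: false
    path: /etc/ssh/ssh_known_hosts
    name: '{{ssh_cert_known_domain}}'
    # ca_pub is exactly what "Push ca pub" wrote to the target; using the fact
    # avoids lookup('file', ...), which reads on the control node where
    # ssh_cert_host_capub_path need not exist.
    key: '@cert-authority {{ssh_cert_known_domain}} {{ca_pub | trim}}'

# Unit files: the key is the role-local source file, the value the target path.
- name: install ssh-cert-renew units
  copy:
    dest: '{{item.value}}'
    src: '{{item.key}}'
    mode: "0644"
    owner: root
    group: root
  with_dict:
    ssh-host-cert-renew@.timer: /etc/systemd/system/ssh-cert-renew@.timer
    ssh-host-cert-renew@.service: /etc/systemd/system/ssh-cert-renew@.service
    ssh-user-cert-renew@.timer: /etc/systemd/user/ssh-cert-renew@.timer
    ssh-user-cert-renew@.service: /etc/systemd/user/ssh-cert-renew@.service

- name: install ssh-cert-renew script
  copy:
    dest: '{{item.value}}'
    src: '{{item.key}}'
    mode: "0755"
    owner: root
    group: root
  with_dict:
    ssh-cert-renew: /etc/systemd/ssh-cert-renew

# Environment for the renew units; every value is mandatory.
- name: config host ssh-cert-renew
  lineinfile:
    create: true
    path: '/etc/default/ssh-cert-renew'
    regexp: '^\s*{{item.key}}='
    line: '{{item.key}}={{item.value}}'
  with_dict:
    ssh_cert_mail_to: '{{ssh_cert_mail_to |mandatory}}'
    ssh_cert_mail_from: '{{ssh_cert_mail_from|mandatory}}'
    ssh_cert_sign_host: '{{ssh_cert_sign_user|mandatory}}@{{ssh_cert_sign_host|mandatory}}'

- name: renew host ssh-cert
  systemd:
    daemon_reload: true
    name: "ssh-cert-renew@ssh_host_ed25519_key.service"
    state: started

- name: enable services
  systemd:
    name: '{{item}}'
    enabled: true
    state: started
  with_items:
    - "ssh-cert-renew@ssh_host_ed25519_key.timer"
    - ssh.service

- when: ssh_cert_users is defined
  block:
    - name: renew users ssh-cert
      become_user: '{{item.user}}'
      become: true
      systemd:
        scope: user
        name: "ssh-cert-renew@id_ed25519.service"
        state: started
      with_items: '{{ssh_cert_users}}'

    - name: enable users renewal services
      become_user: '{{item.user}}'
      become: true
      systemd:
        scope: user
        name: "ssh-cert-renew@id_ed25519.timer"
        enabled: true
        state: started
      with_items: '{{ssh_cert_users}}'

- name: "Register certificate-role in user's authorized_keys"
  when: ssh_cert_user_authorized_roles is defined
  with_items: '{{ssh_cert_user_authorized_roles}}'
  authorized_key:
    user: '{{item.user}}'
    state: present
    key: '{{ca_pub}}'
    # cert-authority: a certificate signed by ca_pub may log in as item.user,
    # but only if one of its principals is in this list (defaults to the
    # user name itself).
    key_options: 'cert-authority,principals="{{item.roles|default([item.user])|join(",")}}"'

- name: reload ssh
  service:
    name: ssh
    state: reloaded

# Drops plain entries for this host's own principals from the target's
# known_hosts — presumably so the @cert-authority entry is used instead of
# stale per-host keys; confirm.
- name: remove from local known_hosts
  known_hosts:
    state: absent
    host: '{{item}}'
  with_items: '{{principals.split(",")}}'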