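---
# This is an example of how to use Ansible with the ca-server shell.
# In this playbook we assume that you are requesting a ssh-host certificate
# to be used by the host `machine.example.com` and that the server hosting
# the ca-server shell is in your inventory under the name `ca_server`.
#
# We are using ed25519 as our preferred algorithm but any other one may be
# just right, be sure to change both the key and certificate destination.
#
# Flow: read the host's public key -> send a `sign_request` to `ca_server`
# -> tell the operator to confirm it out of band -> ask for the signed
# certificate with `get_certificate` -> install it next to the host key.
# Every reply from ca-server is expected to be a JSON object carrying a
# `failed` flag; `failed_when` keys off that flag, and a non-JSON reply makes
# `from_json` raise, which fails the task as well.
#
- name: Read host public key
  slurp:
    src: "/etc/ssh/ssh_host_ed25519_key.pub"
  register: vm_public_key

- name: Show the slurped public key (verbose runs only)
  debug:
    var: vm_public_key['content']
    verbosity: 2

- name: generate host request
  set_fact:
    ca_request:
      type: 'sign_request'
      request:
        keyType: 'ssh_host'
        hostName: 'machine.example.com'
        # slurp returns base64; the .pub file ends with a newline which must
        # not end up inside the JSON payload sent to the CA
        keyData: "{{ vm_public_key['content'] | b64decode | replace('\n', '') }}"

- name: Show the sign request (verbose runs only)
  debug:
    var: ca_request | to_json
    verbosity: 2

- name: Submit sign request to the CA
  # The JSON document is passed verbatim as the remote command line; the
  # ca-server shell presumably reads it as its request and answers on stdout.
  raw: "{{ ca_request | to_json }}"
  delegate_to: ca_server
  delegate_facts: true
  register: request_result
  failed_when: "( request_result.stdout | string | from_json ).failed"

- name: Parse sign request reply
  set_fact:
    request_output: "{{ request_result.stdout | string | from_json }}"

- name: Show the parsed reply (verbose runs only)
  debug:
    var: request_output
    verbosity: 2

- name: Ask operator to confirm the request
  debug:
    msg: "Please manually confirm sign request with id {{ request_output.requestID }}"

- name: generate get request
  set_fact:
    ca_request:
      type: 'get_certificate'
      requestID: '{{ request_output.requestID }}'

# NOTE(review): nothing in this file waits for the confirmation announced
# above. If `get_certificate` does not block on the CA side until the request
# has been confirmed, a `pause` or a retry loop is needed before this task.
- name: Fetch the signed certificate from the CA
  raw: "{{ ca_request | to_json }}"
  delegate_to: ca_server
  delegate_facts: true
  register: request_result
  failed_when: "( request_result.stdout | string | from_json ).failed"

- name: Parse get request reply
  set_fact:
    cert_key: "{{ request_result.stdout | string | from_json }}"

- name: write certificate to host
  copy:
    content: "{{ cert_key.result }}"
    dest: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
    # sshd only needs read access; keep the certificate world-readable like
    # the public key it pairs with instead of inheriting the umask
    mode: "0644"
    # refuse to install anything ssh-keygen cannot parse as a certificate,
    # so a malformed or unexpected CA reply never lands in /etc/ssh
    validate: "ssh-keygen -L -f %s"
  register: set_pub_key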