---
|
|
# This is an example of how to use Ansible with the ca-server shell.
|
|
# In this playbook we assume that you are requesting a ssh-host certificate
|
|
# to be used by the host `machine.example.com` and that the server hosting
|
|
# the ca-server shell is in your inventory under the name `ca_server`.
|
|
#
|
|
# We are using ed25519 as our preferred algorithm but any other one may be
|
|
# just right, be sure to change both the key and certificate destination.
|
|
#
|
|
- name: Read host public key
|
|
slurp:
|
|
src: "/etc/ssh/ssh_host_ed25519_key.pub"
|
|
register: vm_public_key
|
|
|
|
- debug:
|
|
var: vm_public_key['content']
|
|
verbosity: 2
|
|
|
|
- name: generate host request
|
|
set_fact:
|
|
ca_request:
|
|
type: 'sign_request'
|
|
request:
|
|
keyType: 'ssh_host'
|
|
hostName: 'machine.example.com'
|
|
keyData: "{{ vm_public_key['content'] | b64decode | replace('\n', '')}}"
|
|
|
|
- debug:
|
|
var: ca_request | to_json
|
|
verbosity: 2
|
|
|
|
- raw: "{{ ca_request | to_json }}"
|
|
delegate_to: ca_server
|
|
delegate_facts: True
|
|
register: request_result
|
|
failed_when: "( request_result.stdout | string | from_json ).failed"
|
|
|
|
- set_fact:
|
|
request_output: "{{ request_result.stdout | string | from_json }}"
|
|
|
|
- debug:
|
|
var: request_output
|
|
verbosity: 2
|
|
|
|
- debug:
|
|
msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"
|
|
|
|
- name: generate get request
|
|
set_fact:
|
|
ca_request:
|
|
type: 'get_certificate'
|
|
requestID: '{{ request_output.requestID }}'
|
|
|
|
- raw: "{{ ca_request | to_json }}"
|
|
delegate_to: ca_server
|
|
delegate_facts: True
|
|
register: request_result
|
|
failed_when: "( request_result.stdout | string | from_json ).failed"
|
|
|
|
- set_fact:
|
|
cert_key: "{{ request_result.stdout | string | from_json }}"
|
|
|
|
- name: write certificate to host
|
|
copy:
|
|
content: "{{ cert_key.result }}"
|
|
dest: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
|
|
register: set_pub_key
|