lilik_playbook/roles/ssh_server/tasks/main.yaml

---
- include: 'roles/service/tasks/main.yaml'
  vars:
    service_name: 'ssh'
    service_packages:
      - 'openssh-server'
      - 'openssh-sftp-server'

- name: 'update user ca certs'
  template:
    src: 'user_ca.pub.j2'
    dest: '/etc/ssh/user_ca.pub'
  notify: 'restart ssh'

- name: 'validate ssh cert if present'
  ssh_cert:
  register: ssh_verification
  ignore_errors: yes

- debug:
    var: ssh_verification
    verbosity: 2

- block:
    - name: 'generate host cert request'
      cert_request:
        host: '{{ server_fqdn }}'
        path: '/etc/ssh/ssh_host_ed25519_key.pub'
        proto: 'ssh'
      register: ca_request

    - name: 'start sign request'
      include: 'ca-dialog.yaml'
      vars:
        ansible_connection: 'ssh'

    - debug:
        var: request_result
        verbosity: 2

    - set_fact:
        request_output: '{{ request_result.stdout | from_json }}'

    - debug:
        var: request_output
        verbosity: 2

    - name: 'generate get request'
      set_fact:
        ca_request:
          type: 'get_certificate'
          requestID: '{{ request_output.requestID }}'

    - debug:
        var: ca_request
        verbosity: 2

    - debug:
        msg: 'Please manualy confirm sign request with id {{ request_output.requestID }}'

    - name: 'wait for cert'
      include: 'ca-dialog.yaml'
      vars:
        ansible_connection: 'ssh'

    - debug:
        var: request_result
        verbosity: 2

    - set_fact:
          cert_key: '{{ request_result.stdout | string | from_json }}'

    - name: 'write certificate to container'
      copy:
        content: '{{ cert_key.result }}'
        dest: '/etc/ssh/ssh_host_ed25519_key-cert.pub'
      register: set_pub_key
      notify: 'restart ssh'
  when: ssh_verification.failed

- name: 'add certificate to sshd config'
  lineinfile:
    line: 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub'
    dest: '/etc/ssh/sshd_config'
    regexp: '^HostCertificate *'
  notify: 'restart ssh'

- name: 'trust user ca key'
  lineinfile:
    line: 'TrustedUserCAKeys /etc/ssh/user_ca.pub'
    dest: '/etc/ssh/sshd_config'
    regexp: '^TrustedUserCAKeys *'
  notify: 'restart ssh'

- name: 'permit root login only with certificate'
  lineinfile:
    line: 'PermitRootLogin without-password'
    dest: '/etc/ssh/sshd_config'
    regexp: '^PermitRootLogin *'
  notify: 'restart ssh'

- meta: 'flush_handlers'

- name: 'waiting for ssh on {{ inventory_hostname }} to start'
  wait_for:
    host: '{{ hostvars | ip_from_inventory(inventory_hostname) }}'
    port: 22
    timeout: 30
  delegate_to: '{{ inventory_hostname }}'
  delegate_facts: true