lilik_playbook/roles/ssh_server/tasks/main.yaml

# We can not use include_role here since it not share the connection with the current role
- include: roles/service/tasks/main.yaml
  vars:
    service_name: ssh
    service_packages:
        - openssh-server
        - openssh-sftp-server

- name: lookup user ca key
  set_fact:
    user_ca_key: "{{ lookup('file', 'test_ssh_ca.pub') }}"

- name: Update container user CA key
  copy:
    content: "ssh-rsa {{ user_ca_key }}"
    dest: "/etc/ssh/user_ca.pub"
  notify: restart ssh

- name: Check if host certificate is valid
  shell: '[[ $(ssh-keygen -f /etc/ssh/ssh_host_ed25519_key-cert.pub -L |grep "$(ssh-keygen -f /etc/ssh/user_ca.pub -l|cut -d " " -f 2)" -A 3 |grep Valid |cut -d " " -f 13) > $(date +%Y-%m-%dT%H:%M:%S --date "+1 month") ]]'
  args:
    executable: /bin/bash
  register: vm_has_valid_ssh_certificate
  changed_when: false
  failed_when: false

- debug:
    var: vm_has_valid_ssh_certificate
    verbosity: 2

- block:
    - name: Read host public key
      slurp:
        src: "/etc/ssh/ssh_host_ed25519_key.pub"
      register: vm_public_key

    - debug:
        var: vm_public_key['content']
        verbosity: 2

    - name: generate host request
      set_fact:
        ca_request:
          type: 'sign_request'
          request:
            keyType: 'ssh_host'
            hostName: '{{ ansible_docker_extra_args | default(inventory_hostname) }}.lilik.it'
            keyData: "{{ vm_public_key['content'] | b64decode | replace('\n', '')}}"

    - debug:
        var: ca_request | to_json
        verbosity: 2

    - name: start sign request
      include: ca-dialog.yaml
      vars:
        ansible_connection: ssh

    - debug:
        var: request_result
        verbosity: 2

    - set_fact:
        request_output: "{{ request_result.stdout | from_json }}"

    - debug:
        var: request_output
        verbosity: 2

    - name: generate get request
      set_fact:
        ca_request:
          type: 'get_certificate'
          requestID: '{{ request_output.requestID }}'

    - debug:
        var: ca_request
        verbosity: 2

    - debug:
        msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"

    - name: wait for cert
      include: ca-dialog.yaml
      vars:
        ansible_connection: ssh

    - debug:
        var: request_result
        verbosity: 2

    - set_fact:
          cert_key: "{{ request_result.stdout | string | from_json }}"

    - name: Write certificate to container
      copy:
        content: "{{ cert_key.result }}"
        dest: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
      register: set_pub_key
      notify: restart ssh
  when: "vm_has_valid_ssh_certificate.rc != 0"

- name: add certificate to sshd config
  lineinfile:
    line: 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub'
    dest: '/etc/ssh/sshd_config'
    regexp: '^HostCertificate *'
  notify: restart ssh

- name: trust user ca key
  lineinfile:
    line: 'TrustedUserCAKeys /etc/ssh/user_ca.pub'
    dest: '/etc/ssh/sshd_config'
    regexp: '^TrustedUserCAKeys *'
  notify: restart ssh

- name: permit root login only with certificate
  lineinfile:
    line: 'PermitRootLogin without-password'
    dest: '/etc/ssh/sshd_config'
    regexp: '^PermitRootLogin *'
  notify: restart ssh

- meta: flush_handlers

- name: "waiting for ssh on {{ ansible_docker_extra_args | default(inventory_hostname) }} to start"
  wait_for:
    host: "{{ hostvars | ip_from_inventory(inventory_hostname) }}"
    port: 22
    timeout: 30
  delegate_to: "{{ inventory_hostname }}"
  delegate_facts: True