| Zack Williams | ba5549c | 2017-03-25 15:04:45 -0700 | [diff] [blame] | 1 | --- |
| 2 | # ssh-pki/tasks/main.yml |
| 3 | |
| Zack Williams | 7928696 | 2017-07-10 12:24:37 -0700 | [diff] [blame] | 4 | # if this step fails, may need to include `create-configdir-become` role to |
| 5 | # create directories using become. |
| Zack Williams | ba5549c | 2017-03-25 15:04:45 -0700 | [diff] [blame] | 6 | - name: Create SSH CA Directory |
| Zack Williams | ba5549c | 2017-03-25 15:04:45 -0700 | [diff] [blame] | 7 | file: |
| 8 | dest: "{{ item }}" |
| 9 | state: directory |
| 10 | owner: "{{ ansible_user_id }}" |
| 11 | mode: 0700 |
| 12 | with_items: |
| 13 | - "{{ ssh_pki_dir }}" |
| 14 | - "{{ ssh_pki_dir }}/ca" |
| 15 | - "{{ ssh_pki_dir }}/client_certs" |
| 16 | - "{{ ssh_pki_dir }}/host_certs" |
| 17 | |
| 18 | - name: Generate SSH CA Cert |
| 19 | command: > |
| 20 | ssh-keygen |
| 21 | -q -N "{{ ssh_ca_phrase }}" |
| 22 | -t {{ ssh_keytype }} |
| 23 | -b {{ ssh_keysize }} |
| 24 | -C "CORD SSH CA" |
| 25 | -f {{ ssh_pki_dir }}/ca/cord_ssh_ca_cert |
| 26 | args: |
| 27 | creates: "{{ ssh_pki_dir }}/ca/cord_ssh_ca_cert.pub" |
| 28 | |
| 29 | - name: Generate SSH Client Certs |
| 30 | command: > |
| 31 | ssh-keygen |
| 32 | -q -N "" |
| 33 | -t {{ item.keytype | default(ssh_keytype) }} |
| 34 | -b {{ item.keysize | default(ssh_keysize) }} |
| 35 | -C "CORD SSH client key for {{ item.name }}" |
| 36 | -f {{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey |
| 37 | args: |
| 38 | creates: "{{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey.pub" |
| 39 | with_items: "{{ ssh_client_genkeys }}" |
| 40 | register: client_ssh_key_generated |
| 41 | |
| 42 | - name: Sign SSH Client Certs with SSH CA |
| 43 | command: > |
| 44 | ssh-keygen |
| 45 | -q -P "{{ ssh_ca_phrase }}" |
| 46 | -I "{{ item.name }}" |
| 47 | -n "{{ item.name }}" |
| 48 | -s {{ ssh_pki_dir }}/ca/cord_ssh_ca_cert |
| 49 | {{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey.pub |
| 50 | args: |
| 51 | creates: "{{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey-cert.pub" |
| 52 | with_items: "{{ ssh_client_genkeys }}" |
| 53 | |
| 54 | - name: Generate SSH Host Certs |
| 55 | command: > |
| 56 | ssh-keygen |
| 57 | -q -N "" |
| 58 | -t {{ item.keytype | default(ssh_keytype) }} |
| 59 | -b {{ item.keysize | default(ssh_keysize) }} |
| 60 | -C "CORD SSH host key for {{ item.name }}" |
| 61 | -f {{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey |
| 62 | args: |
| 63 | creates: "{{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey.pub" |
| 64 | with_items: "{{ ssh_host_genkeys }}" |
| 65 | register: host_ssh_keys_generated |
| 66 | |
| 67 | - name: Generate SSH Host Certs |
| 68 | command: > |
| 69 | ssh-keygen |
| 70 | -q -P "{{ ssh_ca_phrase }}" -h |
| 71 | -I "{{ item.name }}" |
| 72 | -n "{{ item.name }},{{ item.name }}.{{ site_suffix }}" |
| 73 | -s {{ ssh_pki_dir }}/ca/cord_ssh_ca_cert |
| 74 | {{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey.pub |
| 75 | args: |
| 76 | creates: "{{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey-cert.pub" |
| 77 | with_items: "{{ ssh_host_genkeys }}" |
| 78 | |