| Zack Williams | ba5549c | 2017-03-25 15:04:45 -0700 | [diff] [blame] | 1 | --- |
| 2 | # ssh-pki/tasks/main.yml |
| 3 | |
| 4 | - name: Create SSH CA Directory |
| 5 | file: |
| 6 | dest: "{{ item }}" |
| 7 | state: directory |
| 8 | owner: "{{ ansible_user_id }}" |
| 9 | mode: 0700 |
| 10 | with_items: |
| 11 | - "{{ ssh_pki_dir }}" |
| 12 | - "{{ ssh_pki_dir }}/ca" |
| 13 | - "{{ ssh_pki_dir }}/client_certs" |
| 14 | - "{{ ssh_pki_dir }}/host_certs" |
| 15 | |
| 16 | - name: Generate SSH CA Cert |
| 17 | command: > |
| 18 | ssh-keygen |
| 19 | -q -N "{{ ssh_ca_phrase }}" |
| 20 | -t {{ ssh_keytype }} |
| 21 | -b {{ ssh_keysize }} |
| 22 | -C "CORD SSH CA" |
| 23 | -f {{ ssh_pki_dir }}/ca/cord_ssh_ca_cert |
| 24 | args: |
| 25 | creates: "{{ ssh_pki_dir }}/ca/cord_ssh_ca_cert.pub" |
| 26 | |
| 27 | - name: Generate SSH Client Certs |
| 28 | command: > |
| 29 | ssh-keygen |
| 30 | -q -N "" |
| 31 | -t {{ item.keytype | default(ssh_keytype) }} |
| 32 | -b {{ item.keysize | default(ssh_keysize) }} |
| 33 | -C "CORD SSH client key for {{ item.name }}" |
| 34 | -f {{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey |
| 35 | args: |
| 36 | creates: "{{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey.pub" |
| 37 | with_items: "{{ ssh_client_genkeys }}" |
| 38 | register: client_ssh_key_generated |
| 39 | |
| 40 | - name: Sign SSH Client Certs with SSH CA |
| 41 | command: > |
| 42 | ssh-keygen |
| 43 | -q -P "{{ ssh_ca_phrase }}" |
| 44 | -I "{{ item.name }}" |
| 45 | -n "{{ item.name }}" |
| 46 | -s {{ ssh_pki_dir }}/ca/cord_ssh_ca_cert |
| 47 | {{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey.pub |
| 48 | args: |
| 49 | creates: "{{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey-cert.pub" |
| 50 | with_items: "{{ ssh_client_genkeys }}" |
| 51 | |
| 52 | - name: Generate SSH Host Certs |
| 53 | command: > |
| 54 | ssh-keygen |
| 55 | -q -N "" |
| 56 | -t {{ item.keytype | default(ssh_keytype) }} |
| 57 | -b {{ item.keysize | default(ssh_keysize) }} |
| 58 | -C "CORD SSH host key for {{ item.name }}" |
| 59 | -f {{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey |
| 60 | args: |
| 61 | creates: "{{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey.pub" |
| 62 | with_items: "{{ ssh_host_genkeys }}" |
| 63 | register: host_ssh_keys_generated |
| 64 | |
| 65 | - name: Generate SSH Host Certs |
| 66 | command: > |
| 67 | ssh-keygen |
| 68 | -q -P "{{ ssh_ca_phrase }}" -h |
| 69 | -I "{{ item.name }}" |
| 70 | -n "{{ item.name }},{{ item.name }}.{{ site_suffix }}" |
| 71 | -s {{ ssh_pki_dir }}/ca/cord_ssh_ca_cert |
| 72 | {{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey.pub |
| 73 | args: |
| 74 | creates: "{{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey-cert.pub" |
| 75 | with_items: "{{ ssh_host_genkeys }}" |
| 76 | |