| Zack Williams | ba5549c | 2017-03-25 15:04:45 -0700 | [diff] [blame] | 1 | --- |
| 2 | # ssh-pki/tasks/main.yml |
| 3 | |
| 4 | - name: Create SSH CA Directory |
| Zack Williams | c989f26 | 2017-05-11 13:02:59 -0700 | [diff] [blame^] | 5 | become: yes |
| Zack Williams | ba5549c | 2017-03-25 15:04:45 -0700 | [diff] [blame] | 6 | file: |
| 7 | dest: "{{ item }}" |
| 8 | state: directory |
| 9 | owner: "{{ ansible_user_id }}" |
| 10 | mode: 0700 |
| 11 | with_items: |
| 12 | - "{{ ssh_pki_dir }}" |
| 13 | - "{{ ssh_pki_dir }}/ca" |
| 14 | - "{{ ssh_pki_dir }}/client_certs" |
| 15 | - "{{ ssh_pki_dir }}/host_certs" |
| 16 | |
| 17 | - name: Generate SSH CA Cert |
| 18 | command: > |
| 19 | ssh-keygen |
| 20 | -q -N "{{ ssh_ca_phrase }}" |
| 21 | -t {{ ssh_keytype }} |
| 22 | -b {{ ssh_keysize }} |
| 23 | -C "CORD SSH CA" |
| 24 | -f {{ ssh_pki_dir }}/ca/cord_ssh_ca_cert |
| 25 | args: |
| 26 | creates: "{{ ssh_pki_dir }}/ca/cord_ssh_ca_cert.pub" |
| 27 | |
| 28 | - name: Generate SSH Client Certs |
| 29 | command: > |
| 30 | ssh-keygen |
| 31 | -q -N "" |
| 32 | -t {{ item.keytype | default(ssh_keytype) }} |
| 33 | -b {{ item.keysize | default(ssh_keysize) }} |
| 34 | -C "CORD SSH client key for {{ item.name }}" |
| 35 | -f {{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey |
| 36 | args: |
| 37 | creates: "{{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey.pub" |
| 38 | with_items: "{{ ssh_client_genkeys }}" |
| 39 | register: client_ssh_key_generated |
| 40 | |
| 41 | - name: Sign SSH Client Certs with SSH CA |
| 42 | command: > |
| 43 | ssh-keygen |
| 44 | -q -P "{{ ssh_ca_phrase }}" |
| 45 | -I "{{ item.name }}" |
| 46 | -n "{{ item.name }}" |
| 47 | -s {{ ssh_pki_dir }}/ca/cord_ssh_ca_cert |
| 48 | {{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey.pub |
| 49 | args: |
| 50 | creates: "{{ ssh_pki_dir }}/client_certs/{{ item.name }}_sshkey-cert.pub" |
| 51 | with_items: "{{ ssh_client_genkeys }}" |
| 52 | |
| 53 | - name: Generate SSH Host Certs |
| 54 | command: > |
| 55 | ssh-keygen |
| 56 | -q -N "" |
| 57 | -t {{ item.keytype | default(ssh_keytype) }} |
| 58 | -b {{ item.keysize | default(ssh_keysize) }} |
| 59 | -C "CORD SSH host key for {{ item.name }}" |
| 60 | -f {{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey |
| 61 | args: |
| 62 | creates: "{{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey.pub" |
| 63 | with_items: "{{ ssh_host_genkeys }}" |
| 64 | register: host_ssh_keys_generated |
| 65 | |
| 66 | - name: Generate SSH Host Certs |
| 67 | command: > |
| 68 | ssh-keygen |
| 69 | -q -P "{{ ssh_ca_phrase }}" -h |
| 70 | -I "{{ item.name }}" |
| 71 | -n "{{ item.name }},{{ item.name }}.{{ site_suffix }}" |
| 72 | -s {{ ssh_pki_dir }}/ca/cord_ssh_ca_cert |
| 73 | {{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey.pub |
| 74 | args: |
| 75 | creates: "{{ ssh_pki_dir }}/host_certs/{{ item.name }}_sshkey-cert.pub" |
| 76 | with_items: "{{ ssh_host_genkeys }}" |
| 77 | |