---
# Tasks for SSH host certificate signing: install the sshca-cli package,
# deploy the systemd units that sign/renew host certificates, write their
# environment file, enable the renewal timer, and point sshd at the
# resulting host certificate.
# The handlers named under `notify` are defined outside this file.

# Install the CLI through the distribution-agnostic `package` module.
- name: ensure sshca-cli is installed
  package:
    name: 'sshca-cli'
    state: 'present'
  tags:
    - 'install'

# Remove the packaged systemd integration.
# NOTE(review): presumably because the units are shipped by the copy task
# below instead - confirm.
- name: ensure sshca-cli-systemd is not installed
  package:
    name: 'sshca-cli-systemd'
    state: 'absent'
  tags:
    - 'uninstall'

# Copy each unit file from the role's files into /etc/systemd/system,
# owned by root and writable only by root (u=rw,go=r).
- name: ensure ssh host cert signing systemd units are installed
  copy:
    src: '{{ item }}'
    dest: '/etc/systemd/system/{{ item }}'
    owner: 'root'
    group: 'root'
    mode: 'u=rw,go=r'
  loop:
    - 'ssh-host-cert-sign@.service'
    - 'ssh-host-certs-renew.target'
    - 'ssh-host-certs-renew.timer'
  notify:
    - 'reload systemd'
  tags:
    - 'systemd'

# Render the environment file for the signing service.
# NOTE(review): the rendered file is world-readable (go=r). The template is
# not visible here - confirm it contains no tokens or other credentials
# before keeping this mode.
- name: ensure ssh-host-cert-sign is configured
  template:
    src: 'ssh-host-cert-sign.env.j2'
    dest: '/etc/sysconfig/ssh-host-cert-sign'
    owner: 'root'
    group: 'root'
    mode: 'u=rw,go=r'
  notify:
    - 'restart ssh-host-certs-renew.target'
  tags:
    - 'config'

# Enable the renewal timer at boot and start it now.
# NOTE(review): notified handlers normally run at the end of the play, so
# 'reload systemd' may not have run yet when this task starts the timer -
# confirm the timer picks up the unit files copied above.
- name: ensure ssh-host-certs-renew.timer is enabled
  systemd:
    name: 'ssh-host-certs-renew.timer'
    state: 'started'
    enabled: true
  tags:
    - 'service'

# Render the sshd drop-in that configures host certificates, then reload
# sshd through the handler.
# NOTE(review): assumes the main sshd_config includes
# /etc/ssh/sshd_config.d/*.conf - confirm. The rendered file is not
# validated before the reload is notified.
- name: ensure sshd is configured to use host certificates
  template:
    src: 'hostcertificate.conf.j2'
    dest: '/etc/ssh/sshd_config.d/10-hostcertificate.conf'
    owner: 'root'
    group: 'root'
    mode: 'u=rw,go=r'
  notify:
    - 'reload sshd'
  tags:
    - 'config'
    - 'sshd_config'