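---
# Trust an OpenBao-issued SSH user CA on the managed host and map each local
# user to the certificate principals that may log in as that user.
#
# Inputs:
#   ssh_ca_pubkey_path            - controller-side path to the CA public key
#                                   (from railiance-platform openbao-configure-ssh).
#   ssh_principals                - optional mapping keyed by inventory_hostname:
#                                   { <host>: { users: { <user>: [<principal>, ...] } } }
#   ssh_ca_prune_stale_principals - remove principal files for users that are no
#                                   longer listed for this host (default: true).
# Notifies: Restart sshd (handler expected to be defined elsewhere in the role).

- name: Require SSH CA public key path
  ansible.builtin.assert:
    that:
      - ssh_ca_pubkey_path is defined
      - ssh_ca_pubkey_path | length > 0
    fail_msg: >-
      Set ssh_ca_pubkey_path to the OpenBao SSH CA public key file
      (from railiance-platform openbao-configure-ssh).

# The CA key lives on the controller, not the target: stat it locally and
# without privilege escalation.
- name: Stat SSH CA public key source
  ansible.builtin.stat:
    path: "{{ ssh_ca_pubkey_path }}"
  delegate_to: localhost
  become: false
  register: ssh_ca_pubkey_stat

- name: Fail when SSH CA public key is missing
  ansible.builtin.fail:
    msg: "SSH CA public key not found on controller: {{ ssh_ca_pubkey_path }}"
  when: not ssh_ca_pubkey_stat.stat.exists

- name: Ensure SSH CA directory exists
  ansible.builtin.file:
    path: /etc/ssh/ca
    state: directory
    owner: root
    group: root
    mode: "0755"

# Public key only, so world-readable is fine; it must stay root-owned so no
# unprivileged user can substitute a CA of their own.
- name: Install SSH user CA public key
  ansible.builtin.copy:
    src: "{{ ssh_ca_pubkey_path }}"
    dest: /etc/ssh/ca/ca_user.pub
    owner: root
    group: root
    mode: "0644"
  notify: Restart sshd

# Validate the drop-in before it is written so a bad directive cannot lock
# everyone out when the handler restarts sshd.
- name: Configure SSH certificate trust
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config.d/20-ssh-ca.conf
    owner: root
    group: root
    mode: "0644"
    validate: "/usr/sbin/sshd -t -f %s"
    content: |
      TrustedUserCAKeys /etc/ssh/ca/ca_user.pub
      AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
  notify: Restart sshd

- name: Ensure auth_principals directory exists
  ansible.builtin.file:
    path: /etc/ssh/auth_principals
    state: directory
    owner: root
    group: root
    mode: "0755"

# Resolve this host's user -> principals map. Fall back to an empty mapping
# when the host entry or its users key is absent so later tasks stay simple.
- name: Resolve principals for this host
  ansible.builtin.set_fact:
    ssh_ca_host_principals: >-
      {{ (ssh_principals[inventory_hostname].users | default({}))
      if ssh_principals is defined and inventory_hostname in ssh_principals
      else {} }}

# item.key becomes a path component under /etc/ssh/auth_principals and
# item.value is joined into the file body, so both shapes are checked first.
- name: Validate principal entries for this host
  ansible.builtin.assert:
    that:
      - "item.key is match('^[^/]+$')"
      - "item.key not in ['.', '..']"
      - item.value is sequence
      - item.value is not string
      - item.value | length > 0
    fail_msg: >-
      ssh_principals entry for {{ inventory_hostname }}/{{ item.key }} must use
      a plain user name as key and a non-empty list of principals as value
  loop: "{{ ssh_ca_host_principals | dict2items }}"
  loop_control:
    label: "{{ item.key }}"

- name: Deploy auth_principals files per user
  ansible.builtin.copy:
    dest: "/etc/ssh/auth_principals/{{ item.key }}"
    owner: root
    group: root
    mode: "0644"
    content: "{{ item.value | join('\n') }}\n"
  loop: "{{ ssh_ca_host_principals | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  when: ssh_ca_host_principals | length > 0
  notify: Restart sshd

# A principal file left behind for a user removed from ssh_principals keeps
# accepting certificates for that user; prune anything not in the current map.
- name: Find existing auth_principals files
  ansible.builtin.find:
    paths: /etc/ssh/auth_principals
    file_type: file
  register: ssh_ca_principal_files
  when: ssh_ca_prune_stale_principals | default(true) | bool

- name: Remove auth_principals files for users no longer configured
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ ssh_ca_principal_files.files | default([]) }}"
  loop_control:
    label: "{{ item.path }}"
  when:
    - ssh_ca_prune_stale_principals | default(true) | bool
    - (item.path | basename) not in ssh_ca_host_principals

- name: Warn when no principals configured for host
  ansible.builtin.debug:
    msg: >-
      No principals in ssh_principals.yaml for {{ inventory_hostname }} —
      CA trust installed; add users under hosts.<hostname>.users to enable
      cert login.
  when: ssh_ca_host_principals | length == 0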