sshd_cert: Sign if pubkey is newer than cert

roles/sshd_cert/tasks/main.yml

@@ -5,6 +5,22 @@
     dest: "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub"
     flat: true
 
+- name: Check status of public key
+  ansible.builtin.stat:
+    path: "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub"
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  register: sshd_cert_pubkey
+
+- name: Check status of certificate
+  ansible.builtin.stat:
+    path: "/srv/sshca/pubkeys/{{ inventory_hostname }}-cert.pub"
+  changed_when: false
+  failed_when: false
+  check_mode: false
+  register: sshd_cert_status
+
 - name: Sign key
   ansible.builtin.command:
     argv:
@@ -21,7 +37,7 @@
       - -z
       - "{{ ansible_date_time.epoch }}"
       - "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub"
-    creates: "/srv/sshca/pubkeys/{{ inventory_hostname }}-cert.pub"
+  when: not sshd_cert_status.stat.exists or sshd_cert_status.stat.mtime | int < sshd_cert_pubkey.stat.mtime | int
   delegate_to: localhost
 
 - name: Install certificate