From 61e8ebdd203fd9de5eb1b86d3056d0bc2470a828 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 23 Mar 2024 21:33:13 +0000
Subject: [PATCH] sshd_cert: Sign if pubkey is newer than cert
---
 roles/sshd_cert/tasks/main.yml | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/roles/sshd_cert/tasks/main.yml b/roles/sshd_cert/tasks/main.yml
index fea0499..28aa96d 100644
--- a/roles/sshd_cert/tasks/main.yml
+++ b/roles/sshd_cert/tasks/main.yml
@@ -5,6 +5,22 @@
 dest: "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub"
 flat: true
+- name: Check status of public key
+ ansible.builtin.stat:
+ path: "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: sshd_cert_pubkey
+
+- name: Check status of certificate
+ ansible.builtin.stat:
+ path: "/srv/sshca/pubkeys/{{ inventory_hostname }}-cert.pub"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: sshd_cert_status
+
 - name: Sign key
 ansible.builtin.command:
 argv:
@@ -21,7 +37,7 @@
 - -z
 - "{{ ansible_date_time.epoch }}"
 - "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub"
- creates: "/srv/sshca/pubkeys/{{ inventory_hostname }}-cert.pub"
+ when: not sshd_cert_status.stat.exists or sshd_cert_status.stat.mtime | int < sshd_cert_pubkey.stat.mtime | int
 delegate_to: localhost
 - name: Install certificate
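Review bot: The two new `ansible.builtin.stat` tasks carry no `delegate_to: localhost`, yet the paths they inspect live on the CA side: the `dest:` of the fetch task in the context above is written on the controller and the `Sign key` task below is delegated to localhost. Unless the play itself targets localhost, both stats run on the managed node, where `/srv/sshca/pubkeys/` presumably does not exist, so `sshd_cert_status.stat.exists` is always false and the CA re-signs on every run — and whatever the managed node happens to place at those paths, rather than the CA's own files, steers whether a certificate is issued. Add `delegate_to: localhost` to both tasks (e.g. directly after `register:`). `failed_when: false` is also unnecessary for stat on a missing path and would turn a permission error on the CA directory into a missing `stat` key that only surfaces as an undefined-attribute error in the later `when`; dropping it lets the real failure stop the play.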
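Review bot: The new `when` re-signs only when the fetched public key is newer than the certificate, so a certificate that has expired is never renewed while the host key stays the same — if the ssh-keygen argv above (its first lines are outside this hunk) passes a `-V` validity interval, the CA will keep shipping a dead certificate until the key is rotated; the replaced `creates:` had the same gap, but this is the place to close it. An mtime comparison is also fragile when `/srv/sshca/pubkeys` is restored from backup with timestamps preserved; comparing content (a registered `ssh-keygen -L -f` on the certificate checked against the fetched key, and its `Valid:` end against a renewal window) would be more robust than timestamps. At minimum the long condition reads better as a list: `when:` / `- not sshd_cert_status.stat.exists or sshd_cert_status.stat.mtime | int < sshd_cert_pubkey.stat.mtime | int`.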