ansible/roles/sshd_cert/tasks/main.yml

---
- name: Copy public key for signing
  ansible.builtin.fetch:
    src: /etc/ssh/ssh_host_ed25519_key.pub
    dest: "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub"
    flat: true

- name: Sign key
  ansible.builtin.command:
    argv:
      - ssh-keygen
      - -s
      - /srv/sshca/ca/ca
      - -I
      - "{{ inventory_hostname }}"
      - -h
      - -n
      - "{{ sshd_cert_hostnames | join(',') }}"
      - -V
      - -1h:+365d
      - -z
      - "{{ ansible_date_time.epoch }}"
      - "/srv/sshca/pubkeys/{{ inventory_hostname }}.pub"
    creates: "/srv/sshca/pubkeys/{{ inventory_hostname }}-cert.pub"
  delegate_to: localhost

- name: Install certificate
  ansible.builtin.copy:
    dest: /etc/ssh/ssh_host_ed25519_key-cert.pub
    src: "/srv/sshca/pubkeys/{{ inventory_hostname }}-cert.pub"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: Restart sshd

- name: Enable host certificate
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    line: HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
    regexp: "^(# )?HostCertificate .*"
    insertafter: "^HostKey .*"
    validate: "sshd -t -f %s"
  notify: Restart sshd