From d31019a4449570d4c4bdd14ef3d644a020b0c800 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Thu, 16 Aug 2018 17:38:08 +0000
Subject: [PATCH] Renew SSH cert if it was last modified more than 10 months ago
Signed-off-by: Patrick Uiterwijk
---
 roles/basessh/tasks/main.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/roles/basessh/tasks/main.yml b/roles/basessh/tasks/main.yml
index 0b60d87aec..0f2813bb3a 100644
--- a/roles/basessh/tasks/main.yml
+++ b/roles/basessh/tasks/main.yml
@@ -128,7 +128,18 @@
 - sshd
 - base
-# TODO: Get expired certificates, and add them to certs_to_sign
+# Renew if last mod was more than 10 months ago
+- name: Get soon-to-expire certificates to sign
+ set_fact:
+ certs_to_sign: "{{certs_to_sign}} + [ '{{item.item.path}}' ]"
+ when: "item.stat.exists and item.stat.mtime < (ansible_date_time.epoch - 25920000)"
+ tags:
+ - basessh
+ - sshd_cert
+ - sshd_config
+ - config
+ - sshd
+ - base
 - set_fact:
 pubkeydir: "/tmp/sshkeysign/{{inventory_hostname}}"
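Review bot: The new task reads `item.stat.exists`, `item.stat.mtime` and `item.item.path`, but the hunk adds no `with_items`/`loop` to it (the 12 inserted lines are the comment, name, set_fact, when and tags), so `item` is undefined when the `when` is evaluated unless a loop is attached elsewhere; it should iterate the registered stat results, e.g. `with_items: "{{ <STAT_REGISTER_VAR>.results }}"` with the register name from the earlier stat task. `ansible_date_time.epoch` is a string fact, so `ansible_date_time.epoch - 25920000` is likely to raise a templating type error instead of comparing; cast it first, `item.stat.mtime < (ansible_date_time.epoch | int - 25920000)`. Building the list by rendering it into a string expression, `"{{certs_to_sign}} + [ '{{item.item.path}}' ]"`, relies on Ansible re-evaluating the rendered text and breaks on any path containing a quote; the plain form is `certs_to_sign: "{{ certs_to_sign + [item.item.path] }}"`. Mtime is only a proxy for certificate validity (a cert whose file was touched later is skipped past its real expiry), so the comment should say so: `# Renew if last modified more than 10 months (300 days) ago; mtime is a proxy for the cert's validity window, not the Valid-until date in the cert itself`.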