dotfiles/roles/system/sshd/tasks/trusted_ca.yml
Matej Focko 2d4cc595e8
roles(system/sshd): create SSH server config
Signed-off-by: Matej Focko <me@mfocko.xyz>
2023-08-30 15:42:27 +02:00

17 lines
460 B
YAML

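---
# Fetch the SSH CA public key served by Vault and store it next to the
# sshd drop-in configs.
# Note: get_url skips the download when dest already exists unless `force`
# is set, so a rotated CA key is not picked up by re-running this task.
- name: Fetch the public key from the HashiCorp Vault
  ansible.builtin.get_url:
    url: https://hvault.mfocko.xyz/v1/ssh/public_key
    dest: /etc/ssh/sshd_config.d/trusted-user-ca-keys.pem
    mode: "0600"
    owner: root
    group: root

# Install the sshd drop-in for the trusted user CA keys and restart sshd
# through the handler when the file changes.
- name: Add config for trusted user CA keys
  ansible.builtin.copy:
    src: files/10-ca.conf
    dest: /etc/ssh/sshd_config.d/10-ca.conf
    mode: "0600"
    owner: root
    group: root
  notify: "Restart SSH server"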