From 1dbc2985d39fae7c73c741a95a486d9014aa036b Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Wed, 18 Jan 2023 20:26:52 +0100
Subject: [PATCH] Use cryptography backend for openssh_keypair

With default "auto" backend, opensshbin is first pick, which fails to read a key in case of insecure permissions. This makes task fail in case private key in topic has mode different from 0600, even if different mode specified for the module itself [1]. Along with switching backend we also adding mode key to be supported
[1] https://github.com/ansible-collections/community.crypto/issues/564
Change-Id: I9444ef832136783bde1eff5425e4cd369f905a5c
---
 roles/ssh_keypairs/tasks/standalone/create_keypair.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/roles/ssh_keypairs/tasks/standalone/create_keypair.yml b/roles/ssh_keypairs/tasks/standalone/create_keypair.yml
index f5944b9..299ce17 100644
--- a/roles/ssh_keypairs/tasks/standalone/create_keypair.yml
+++ b/roles/ssh_keypairs/tasks/standalone/create_keypair.yml
@@ -28,6 +28,8 @@
 size: "{{ kp.size | default(omit) }}"
 type: "{{ kp.type | default(omit) }}"
 path: "{{ kp_dir ~ '/' ~ kp['name'] }}"
+ mode: "{{ kp.mode | default(omit) }}"
+ backend: cryptography
 register: kp_keys
 - name: Generate an OpenSSH user certificate for {{ kp['name'] }}
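Review bot: The added `mode: "{{ kp.mode | default(omit) }}"` line lets each keypair entry choose the private key's file mode with no bound, and pinning `backend: cryptography` appears, going by the commit message, to drop the check that made opensshbin refuse keys not at 0600, so a loose `kp.mode` would now be accepted silently. Because the value is rendered through Jinja, an unquoted YAML octal such as `mode: 0640` in the vars may arrive as the decimal string `416` and be applied as a different mode than intended. I would add a comment above the line, `# kp.mode must be a quoted octal string (e.g. "0600"); a group- or world-readable mode exposes the private key`, and state the same wherever `kp` entries are documented. It is also worth confirming that the Python `cryptography` library is guaranteed on the host where this task runs, since the backend is no longer auto-selected. The task this hunk edits starts above the visible lines.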