And remove group read access to =~monkey/.ssh/known_hosts= on Core,
else the client will remove it later (producing a spurious diff, and a
re-config loop).
pubkeyfile: "{{ pubkeypath }}/ssh_host_ecdsa_key.pub"
pubkey: "{{ lookup('file', pubkeyfile) }}"
lineinfile:
- regexp: "^{{ domain_name }}"
+ regexp: "^{{ domain_name }},{{ front_addr }} ecdsa-sha2-nistp256 "
line: "{{ domain_name }},{{ front_addr }} {{ pubkey }}"
path: /home/monkey/.ssh/known_hosts
create: yes
owner: monkey
group: monkey
- mode: "u=rw,g=r,o="
+ mode: "u=rw,g=,o="
#+END_SRC
** Install Unattended Upgrades
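Review bot: The new `regexp` in the `lineinfile` task interpolates `domain_name` and `front_addr` unescaped, so every `.` in the hostname and address matches any character and the pattern is looser than the literal `host,addr` prefix it is meant to pin. Consider `regexp: "^{{ (domain_name ~ ',' ~ front_addr) | regex_escape }} ecdsa-sha2-nistp256 "`. Because the pattern now also requires the current `front_addr`, a line carrying a previous address would presumably no longer match and would stay in `known_hosts` beside the new one, keeping its key trusted for that name. A comment such as `# Stale entries for this host are not pruned here; remove them after an address change.` would record that. The same two changed lines appear in the second hunk (the playbook copy), and the task's `name:` and its variable definitions start outside both hunks.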
pubkeyfile: "{{ pubkeypath }}/ssh_host_ecdsa_key.pub"
pubkey: "{{ lookup('file', pubkeyfile) }}"
lineinfile:
- regexp: "^{{ domain_name }}"
+ regexp: "^{{ domain_name }},{{ front_addr }} ecdsa-sha2-nistp256 "
line: "{{ domain_name }},{{ front_addr }} {{ pubkey }}"
path: /home/monkey/.ssh/known_hosts
create: yes
owner: monkey
group: monkey
- mode: "u=rw,g=r,o="
+ mode: "u=rw,g=,o="
- name: Install basic software.
become: yes