From: Matt Birkholz
Date: Tue, 30 Apr 2024 18:46:28 +0000 (-0600)
Subject: Don't fiddle extra host keys added later by monkey@core's ssh.
X-Git-Url: https://birchwood-abbey.net/git?a=commitdiff_plain;h=9652b3cc9474e000f53123eaa95d577b804a568f;p=Institute

Don't fiddle extra host keys added later by monkey@core's ssh.

And remove group read access to =~monkey/.ssh/known_hosts= on Core, else the client will remove it later (producing a spurious diff, and a re-config loop).
---

diff --git a/README.org b/README.org
index bd14c3e..9280c88 100644
--- a/README.org
+++ b/README.org
@@ -2889,13 +2889,13 @@ described in [[apache2-core][*Configure Apache2]]).
 pubkeyfile: "{{ pubkeypath }}/ssh_host_ecdsa_key.pub"
 pubkey: "{{ lookup('file', pubkeyfile) }}"
 lineinfile:
- regexp: "^{{ domain_name }}"
+ regexp: "^{{ domain_name }},{{ front_addr }} ecdsa-sha2-nistp256 "
 line: "{{ domain_name }},{{ front_addr }} {{ pubkey }}"
 path: /home/monkey/.ssh/known_hosts
 create: yes
 owner: monkey
 group: monkey
- mode: "u=rw,g=r,o="
+ mode: "u=rw,g=,o="
 #+END_SRC
 
 ** Install Unattended Upgrades
diff --git a/roles_t/core/tasks/main.yml b/roles_t/core/tasks/main.yml
index a4ece0a..4811a2a 100644
--- a/roles_t/core/tasks/main.yml
+++ b/roles_t/core/tasks/main.yml
@@ -216,13 +216,13 @@
 pubkeyfile: "{{ pubkeypath }}/ssh_host_ecdsa_key.pub"
 pubkey: "{{ lookup('file', pubkeyfile) }}"
 lineinfile:
- regexp: "^{{ domain_name }}"
+ regexp: "^{{ domain_name }},{{ front_addr }} ecdsa-sha2-nistp256 "
 line: "{{ domain_name }},{{ front_addr }} {{ pubkey }}"
 path: /home/monkey/.ssh/known_hosts
 create: yes
 owner: monkey
 group: monkey
- mode: "u=rw,g=r,o="
+ mode: "u=rw,g=,o="
 
 - name: Install basic software.
 become: yes
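Review bot: The new `regexp` line in the roles_t/core/tasks/main.yml hunk hard-codes the key type `ecdsa-sha2-nistp256`, while the managed `line` takes its type from whatever `ssh_host_ecdsa_key.pub` contains; if that key is ever on a different curve the anchor would stop matching the line this task wrote, and lineinfile would presumably add a second entry instead of replacing the stale one. The same regexp is also built from `domain_name` and `front_addr` unescaped, so their dots match any character rather than a literal dot. Deriving the type from the key and escaping the literal part keeps the anchor and the managed line in step: `regexp: "^{{ (domain_name ~ ',' ~ front_addr) | regex_escape }} {{ pubkey.split()[0] }} "`. The `mode: "u=rw,g=,o="` change matches what the commit message describes and looks right. The task's `name`, `become` and `vars` lines start above the hunk, so whether `front_addr` and `domain_name` are always defined cannot be judged from here.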