infrastructure/playbooks/tasks/sync-ssh-hostkeys.yml

- name: Fetch ssh hostkeys
  hosts: all
  gather_facts: false
  tasks:
    - name: Fetch hostkey checksums
      shell: |
        for type in sha256 md5; do
          for file in /etc/ssh/ssh_host_*.pub; do
            ssh-keygen -l -f $file -E $type
          done
          echo
        done        
      register: ssh_hostkeys
      changed_when: ssh_hostkeys | length > 0

    - name: Fetch known_hosts
      shell: |
        set -eo pipefail
        ssh-keyscan -q -p {{ ansible_port | default(22) }} 127.0.0.1 2>/dev/null \
        | sed -E 's/^(\[?)127\.0\.0\.1/\1{{ inventory_hostname }}/' \
        | sort        
      environment:
        LC_COLLATE: C.UTF-8  # to ensure reproducible ordering
      args:
        executable: /bin/bash
      register: known_hosts
      changed_when: known_hosts | length > 0

- name: Store hostkeys
  hosts: localhost
  tasks:
    - name: Store hostkeys
      copy:
        dest: "{{ playbook_dir }}/../../docs/ssh-hostkeys.txt"
        content: |
          {% for host in query('inventory_hostnames', 'all') | sort %}
          # {{ host }}
          {{ hostvars[host].ssh_hostkeys.stdout }}

          {% endfor %}          
        mode: preserve

    - name: Store known_hosts
      blockinfile:
        path: "{{ playbook_dir }}/../../docs/ssh-known_hosts.txt"
        block: |

          {% for host in query('inventory_hostnames', 'all') | sort %}
          # {{ host }}
          {{ hostvars[host].known_hosts.stdout }}

          {% endfor %}

- name: Upload known_hosts to all nodes
  hosts: all
  tasks:
    - name: Upload known_hosts
      copy: dest=/etc/ssh/ssh_known_hosts src="{{ playbook_dir }}/../../docs/ssh-known_hosts.txt" owner=root group=root mode=0644
      tags: ['upload-known-hosts']