init

defaults/main.yml

@@ -0,0 +1,5 @@
+ssh_ca_known_hosts:
+  - domain: '*.dmz'
+    key: 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x Host Certficate Authority for DMZ'
+  - domain: '*.hyp'
+    key: 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb Host Certficate Authority for HYP'

meta/main.yml

@@ -0,0 +1,18 @@
+galaxy_info:
+  role_name: ssh_ca_known_hosts
+  author: Pim Kunis
+  description: Add SSH certificate authorities to system-wide known hosts file.
+
+  issue_tracker_url: https://git.pim.kunis.nl/pim/ansible-role-ssh-ca-known-hosts/issues
+
+  license: GPLv3
+
+  min_ansible_version: 1.2
+
+  platforms:
+  - name: Debian
+    versions:
+    - bookworm
+
+  galaxy_tags:
+    - ssh

tasks/main.yml

@@ -0,0 +1,6 @@
+- name: Add SSH CA to known hosts
+  known_hosts:
+    key: '@cert-authority {{ item.domain }} {{ item.key }}'
+    name: '@cert-authority {{ item.domain }}'
+    path: /etc/ssh/ssh_known_hosts
+  loop: '{{ ssh_ca_known_hosts }}'