ssh: update ssh voodoo

ssh/files/sshd_config

@@ -5,7 +5,9 @@
 Port 22
 Protocol 2
 HostKey /etc/ssh/ssh_host_ed25519_key
+{%- if 'vmhost' in pillar.get('roles', []) %}
 HostKey /etc/ssh/ssh_host_rsa_key
+{%- endif %}
 
 PermitRootLogin {% if 'vmhost' in pillar.get('roles', []) %}prohibit-password{% else %}no{% endif %}
 PasswordAuthentication no

ssh/init.sls

@@ -9,7 +9,7 @@ openssh-server:
     - reload: True
 #    - require: openssh-server
 ssh-user:
-  group.present:  
+  group.present:
     - system: True
 
 
@@ -22,9 +22,6 @@ ssh-user:
     - group: root
     - mode: 644
     - template: jinja
-#    - watch_in:
-#      - service: openssh-server
-
 
 /etc/ssh/ssh_config:
   file.managed:
@@ -35,9 +32,6 @@ ssh-user:
     - group: root
     - mode: 644
     - template: jinja
-# following maybe not needed!
-#    - watch_in:
-#      - service: openssh-server
 
 /etc/issue.net:
   file.managed:
@@ -47,5 +41,15 @@ ssh-user:
     - group: root
     - mode: 644
     - template: jinja
-#    - watch_in:
-#      - service: openssh-server
+
+undesirable-hostkeys:
+  file.absent:
+    - names:
+      - /etc/ssh/ssh_host_dsa_key
+      - /etc/ssh/ssh_host_dsa_key.pub
+      - /etc/ssh/ssh_host_ecdsa_key
+      - /etc/ssh/ssh_host_ecdsa_key.pub
+{%- if grains.oscodename != 'jessie' and 'vmhost' not in pillar.roles %}
+      - /etc/ssh/ssh_host_rsa_key
+      - /etc/ssh/ssh_host_rsa_key.pub
+{%- endif %}