Having these in a format that can be copied to known_hosts would be nice. I am also unsure if the RSA1 key is necessary. I've seen DSA used rarely, but never RSA1 over RSA.

Good points. I will fix that.

On a related note: maybe we should only enable protocol 2?

As for ssh2 only -- I had assumed that was the default, but yes, good idea.

I'm not opposed to listing host keys in the docs, as that will give new admins a secure way to set up their known_hosts file. But after that, SSH itself will verify the key on connect, so I don't see why Ansible needs to be involved. If we had inter-host SSH connections going on, then using Ansible to get all host keys and share them to all other hosts in /etc/ssh/known_hosts would be useful. But that's not useful right now.

Agreed. Having the host keys in the docs is useful, both for new admins and for new hosts. Having a playbook to get new keys does not seem as useful due to not needing it very often. When new hosts are brought up, the keys can be either fetched by the person logging in the first time or even better getting them immediately after OS installation.

Removed the playbook.