clear-ssh.yml

---
- name: "Update ~/.ssh/known_host on localhost"
  hosts: all
  gather_facts: no
  tasks:

  - name: Compute path to known_host
    ansible.builtin.set_fact:
      known_host_path: "{{ lookup('env','HOME') }}/.ssh/known_hosts"

  - name: Check if known_host exists
    ansible.builtin.stat:
      path: "{{ known_host_path }}"
    register: known_host_stat
    run_once: true
    delegate_to: localhost

  - name: "Remove hostname from ~/.ssh/known_host"
    ansible.builtin.shell: "ssh-keygen -f '{{ known_host_path }}' -R '{{ inventory_hostname }}'"
    when: known_host_stat.stat.exists
    throttle: 1
    delegate_to: localhost

  - name: "Remove IP from ~/.ssh/known_host"
    ansible.builtin.shell: "ssh-keygen -f '{{ known_host_path }}' -R '{{ ansible_ssh_host }}'"
    when: known_host_stat.stat.exists
    throttle: 1
    delegate_to: localhost

  - name: "ssh-keyscan IP to ~/.ssh/known_host"
    ansible.builtin.shell: "ssh-keyscan -H '{{ ansible_ssh_host }}' >> '{{ known_host_path }}'"
    throttle: 1
    delegate_to: localhost