From 817f1ad8090ce37b14a39d221155968380f43d4a Mon Sep 17 00:00:00 2001 From: hogweed1 Date: Fri, 22 May 2026 01:46:08 +1000 Subject: [PATCH] ssh-certs hosts. --- environments/proxmoxes/group_vars/proj-a.yml | 1 + playbooks/ssh-certs/deploy-host-certs.yml | 31 ++++++++++++-------- 2 files changed, 19 insertions(+), 13 deletions(-) diff --git a/environments/proxmoxes/group_vars/proj-a.yml b/environments/proxmoxes/group_vars/proj-a.yml index 9373cc6..f1f7705 100644 --- a/environments/proxmoxes/group_vars/proj-a.yml +++ b/environments/proxmoxes/group_vars/proj-a.yml @@ -1,6 +1,7 @@ #### EXPL 2026-05-21 :: логика не самая лучшая но сойдёт. #### перед *_users/*projects нужно обязательно дублировать в нижних подчёркиваниях имя группы + proj_a_users: #[] - name: test-nigger2 sudo: true diff --git a/playbooks/ssh-certs/deploy-host-certs.yml b/playbooks/ssh-certs/deploy-host-certs.yml index d4c1115..8bc9f4a 100644 --- a/playbooks/ssh-certs/deploy-host-certs.yml +++ b/playbooks/ssh-certs/deploy-host-certs.yml @@ -53,6 +53,24 @@ group: root mode: '0640' # Сертификат может быть 0640 + - name: Configure SSH HostKeys for Proxmox compatibility + blockinfile: + path: /etc/ssh/sshd_config # Или укажите путь к дроп-ину в sshd_config.d/, если используете их + block: | + # Coexistence with Proxmox internal clustering (Plain Keys fallback) + HostKey /etc/ssh/ssh_host_rsa_key + + # Исключение для локального кластерного трафика Proxmox + Match User root + PermitRootLogin yes + PubkeyAuthentication yes + marker: "# {mark} ANSIBLE MANAGED HOST RSA KEY BLOCK #" + create: true + mode: '0600' + validate: /usr/sbin/sshd -t -f %s + when: "'proxmoxes' in group_names" + notify: Restart SSH + - name: Настройка sshd_config для отдачи Хост-сертификата клиентам blockinfile: path: /etc/ssh/sshd_config 
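Review bot: The new `Match User root` stanza (added side of @@ -53,6 +53,24 @@) goes into /etc/ssh/sshd_config at blockinfile's default position, the end of the file, and sshd treats everything after a Match line up to the next Match or EOF as part of that scope, so the block the following task appends on a first run (a HostCertificate directive, going by that task's name) would land inside the Match scope where sshd does not allow it and `validate: /usr/sbin/sshd -t -f %s` would reject the file. Keep `HostKey /etc/ssh/ssh_host_rsa_key` in this block but put the Match stanza into its own blockinfile task ordered after the certificate task so it stays last in the file. Separately, `Match User root` with `PermitRootLogin yes` and no Address criterion enables password root login from every source, not only the cluster traffic the comment describes, which widens the exposure of a privileged account on a hypervisor. Restrict it to the cluster network and to keys, e.g. `Match User root Address <CLUSTER-CIDR-PLACEHOLDER>` and `PermitRootLogin prohibit-password`, which still permits the key-based root sessions that `PubkeyAuthentication yes` in the same block is there for. The tasks list this hunk belongs to starts and ends outside the hunk.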
@@ -62,19 +80,6 @@ marker: "# {mark} ANSIBLE MANAGED HOST CERTIFICATE BLOCK #" notify: Restart SSH - - name: Configure SSH HostKeys for Proxmox compatibility - blockinfile: - path: /etc/ssh/sshd_config # Или укажите путь к дроп-ину в sshd_config.d/, если используете их - block: | - # Coexistence with Proxmox internal clustering (Plain Keys fallback) - HostKey /etc/ssh/ssh_host_rsa_key - marker: "# {mark} ANSIBLE MANAGED HOST RSA KEY BLOCK #" - create: true - mode: '0600' - validate: /usr/sbin/sshd -t -f %s - when: "'proxmoxes' in group_names" - notify: Restart SSH - - name: Очистка временных файлов на Ansible-машине delegate_to: localhost