basessh: enable ed25519 ssh host keys everywhere

For newer ssh (in fedora) we need to have certs that are not using
sha-1. So, we need to regenerate the certs signed by our CA with sha256.
While we are at it, enable the ed25519 host keys as rsa keys are
increasingly in disfavor.

So, old ssh will use the old rsa host certs that are sha1 for now, but
new ssh will use the sha256 signed ed25519 certs. If everything works
fine for a while, we can resign the rsa host keys also and totally get
rid of the sha1 certs.

Since both host keys are signed by our CA, they should still be just as
trusted as before. If you are asked to approve a new host key for
something, make sure you have our CA in your known_hosts file:
https://admin.fedoraproject.org/ssh_known_hosts

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

roles/basessh/templates/sshd_config

@@ -13,14 +13,10 @@ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@op
 {% endif %}
 
 HostKey /etc/ssh/ssh_host_rsa_key
-{% if ansible_hostname == 'bastion02' %}
 HostKey /etc/ssh/ssh_host_ed25519_key
-{% endif %}
 
 HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
-{% if ansible_hostname == "bastion02" %}
 HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
-{% endif %}
 
 SyslogFacility AUTHPRIV
 LogLevel VERBOSE