vn-ansible/roles/debian-guest/tasks/ssh_keys.yml

- name: Set the SSH keys generated witness variable
  set_fact:
    ssh_keys_generated: "{{ vn_ini.witness.ssh_keys_generated | default(false) }}"
- when: vn_witness_checked and not ssh_keys_generated
  block:
  - name: Generate SSH key pairs
    openssh_keypair:
      path: "/etc/ssh/ssh_host_{{ item.type }}_key"
      type: "{{ item.type }}"
      force: yes
    loop:
      - { type: 'rsa' }
      - { type: 'ecdsa' }
      - { type: 'ed25519' }
    notify: restart sshd
  - name: Set SSH keys generated witness
    ini_file:
      path: /etc/vn.ini
      section: witness
      option: ssh_keys_generated
      value: true