r/ssh-host-certs: Reload sshd after renewing certs

In Fedora 41, it seems the SSH daemon no longer automatically uses the
new certificate after its host certificates have been renewed.  To get
it to pick up the new ones, we have to explicitly tell it to reload.  To
handle that automatically, I've added a new systemd path unit that
monitors the certificate files.  When it detects that one of them has
changed, it will send the signal to the SSH daemon to tell it to reload.

roles/ssh-host-certs/files/reload-ssh-cert.path

@@ -0,0 +1,11 @@
+[Unit]
+Description=Watch SSH Host certificates for renewal
+After=sshd.service
+
+[Path]
+PathChanged=/etc/ssh/ssh_host_rsa_key-cert.pub
+PathChanged=/etc/ssh/ssh_host_ecdsa_key-cert.pub
+PathChanged=/etc/ssh/ssh_host_ed25519-cert.pub
+
+[Install]
+WantedBy=paths.target

roles/ssh-host-certs/files/reload-ssh-cert.service

@@ -0,0 +1,24 @@
+[Unit]
+Description=Reload SSH daemon when certificate is renewed
+After=sshd.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl reload sshd
+CapabilityBoundingSet=
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true

roles/ssh-host-certs/tasks/main.yml

@@ -23,6 +23,8 @@
   - ssh-host-cert-sign@.service
   - ssh-host-certs-renew.target
   - ssh-host-certs-renew.timer
+  - reload-ssh-cert.path
+  - reload-ssh-cert.service
   notify:
   - reload systemd
   tags:
@@ -48,6 +50,14 @@
   tags:
   - service
 
+- name: ensure reload-ssh-cert.path is enabled
+  systemd:
+    name: reload-ssh-cert.path
+    enabled: true
+    state: started
+  tags:
+  - service
+
 - name: ensure sshd is configured to use host certificates
   template:
     src: hostcertificate.conf.j2