roles/git: ssh known_hosts is now idempotent

- roles/git now uses blockinfile to ensure the github ssh keypairs are trusted, and to allow subsequent ssh keypairs to be trusted and not overwritten by future runs.
- this commit marks idempotency for all roles. after a successful run of this playbook, subsequent runs will result in a change=0 !!!!!

roles/git/tasks/main.yml

@@ -9,21 +9,22 @@
 # make sure our vps trusts the github.com key signature. we pipe the output
 # of ssh-keyscan into .ssh/known_hosts
 
-# TODO: make idempotent
 - name: Scan for SSH host keys
   command: ssh-keyscan github.com 2>/dev/null
   register: ssh_scan
+  changed_when: false
 
-- name: Update known_hosts
-  copy:
-    content: "{{ ssh_scan.stdout_lines|join('\n')  }}"
-    dest: /root/.ssh/known_hosts
+- name: Update .ssh/known_hosts
+  blockinfile:
+    path: /root/.ssh/known_hosts
+    block: "{{ ssh_scan.stdout_lines|join('\n') }}"
+    insertbefore: BOF
+    create: yes
     owner: root
     mode: u=rw,g=,o=
-    force: no # if we already have a known_hosts file, ignore!
 
 # this keypair is trusted under my github account, so it allows my vps to make pushes
-# to the main branch of my openpunk repository. (for my deadswitch: see static/blog/imdead.sh)
+# to the main branch of my openpunk repository. (see roles/deadswitchfiles/imdead.sh)
 
 - name: Install ssh priv key
   copy:

roles/gitea/tasks/main.yml

@@ -2,7 +2,7 @@
 - name: Check if Gitea is installed
   shell: gitea --version
   register: validate_gitea
-  changed_when: false
+  changed_when: no
 
 - name: Add Gitea key && repository
   block: