rootfs: Fetch SSH known hosts file

Jenkins agents need to have a pre-built cache of SSH public keys for any
host jobs need to access.  This file is typically bind-mounted into
jobs' containers.

For the older Fedora-based agent nodes, the `ssh_known_hosts` file is
populated by Ansible.  That mechanism will not work for agent nodes
using the immutable root filesystem created by this project, so we need
an alternative.  To that end, the `fetch-ssh-knownhosts` service
downloads the keys from another machine using HTTPS when the system
boots up and then periodically while it is running.

rootfs/overlay/usr/lib/systemd/system/fetch-ssh-knownhosts.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Fetch SSH known host keys
+Wants=network-online.target
+After=network-online.target
+After=time-sync.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/fetch-ssh-knownhosts.sh
+
+[Install]
+WantedBy=multi-user.target

rootfs/overlay/usr/lib/systemd/system/fetch-ssh-knownhosts.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Update SSH known hosts daily
+
+[Timer]
+OnCalendar=daily
+AccuracySec=1h
+RandomizedDelaySec=6000
+
+[Install]
+WantedBy=timers.target

rootfs/overlay/usr/libexec/fetch-ssh-knownhosts.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+: "${KNOWN_HOSTS_URL=https://files.pyrocufflink.blue/ssh_known_hosts}"
+
+curl -fsSL -o /run/ssh_known_hosts "${KNOWN_HOSTS_URL}" || exit $?
+if ! mountpoint -q /etc/ssh/ssh_known_hosts; then
+    mount -o bind /run/ssh_known_hosts /etc/ssh/ssh_known_hosts
+fi