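---
# Installs OpenSSH server, applies a baseline sshd_config hardening, restricts
# logins to an explicit user list, and makes root reachable by SSH key only.
# The tasks notify a "restart ssh" handler that is defined outside this file.

- name: install ssh-server
  apt:
    name: openssh-server
    state: present

- name: hardening ssh-server config
  vars:
    # Values are quoted so they reach sshd_config as the literal words
    # "yes"/"no" instead of being parsed as YAML booleans.
    sshd_options:
      IgnoreRhosts: "yes"
      # 'without-password' is the legacy spelling of 'prohibit-password':
      # root may log in with a key, never with a password.
      PermitRootLogin: "without-password"
      PubkeyAuthentication: "yes"
      HostbasedAuthentication: "no"
      PermitEmptyPasswords: "no"
      UseDNS: "no"
  loop: "{{ sshd_options | dict2items }}"
  loop_control:
    label: "{{ item.key }} = {{ item.value }}"
  lineinfile:
    # The pattern also matches a commented-out default ("#Key value"), so the
    # stock line is replaced in place rather than a duplicate being appended.
    # NOTE(review): lineinfile rewrites the LAST matching line; if the file has
    # a Match block that repeats one of these keys, the global setting may be
    # left untouched - verify on hosts with customised configs.
    regexp: "^#?\\s*{{ item.key }}"
    line: "{{ item.key }} {{ item.value }}"
    dest: /etc/ssh/sshd_config
    # Quoted so the mode is passed as the octal string, not a parsed integer.
    mode: "0644"
    # Refuse to install a config sshd cannot parse; a broken sshd_config plus
    # the locked root password below would leave no way back in.
    # Path assumes the Debian/Ubuntu layout (this role installs via apt).
    validate: /usr/sbin/sshd -t -f %s
  notify: restart ssh

- name: limit allowed users
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^AllowUsers"
    # root is always allowed; ssh_allowusers_group and ssh_allowusers_host are
    # optional lists merged in (each defaults to empty when undefined).
    line: "AllowUsers {{ ' '.join([ 'root' ] | union(ssh_allowusers_group | default([])) | union(ssh_allowusers_host | default([]))) }}"
    # Same syntax gate as above: a malformed user list must not reach disk.
    validate: /usr/sbin/sshd -t -f %s
  notify: restart ssh

- name: install ssh keys for root
  authorized_key:
    user: root
    key: "{{ ssh_keys_root | join('\n') }}"
    # exclusive removes every key in root's authorized_keys that is not listed
    # in ssh_keys_root, so unmanaged or stale keys do not survive a run.
    # NOTE(review): with the root password locked below, ssh_keys_root is the
    # only root credential - confirm it is non-empty for every target host.
    exclusive: true

- name: delete root password
  user:
    name: root
    # "!" is not a valid password hash, so no password can ever match:
    # root password login is disabled on console and SSH alike.
    password: "!"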