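---
# Installs the OpenSSH server and applies a fixed set of sshd_config
# hardening directives, then optionally restricts logins to an AllowUsers
# list. Each sshd_config edit is checked with `sshd -t` before it is
# written, so a malformed line cannot leave the "restart ssh" handler
# unable to bring the daemon back up.

- name: install ssh-server
  apt:
    name: openssh-server
    state: present

- name: hardening ssh-server config
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    # Quoted so the octal mode is never reinterpreted as a decimal int.
    mode: "0644"
    # Refuse to write a config sshd cannot parse.
    validate: /usr/sbin/sshd -t -f %s
  with_items:
    # Each regexp also matches a commented-out default ("#Directive ...")
    # so the shipped template line is replaced rather than duplicated.
    - regexp: "^#?\\s*IgnoreRhosts"
      line: "IgnoreRhosts yes"
    # "without-password" is the pre-OpenSSH-7.0 spelling of
    # "prohibit-password"; both allow root only with key-based auth.
    - regexp: "^#?\\s*PermitRootLogin"
      line: "PermitRootLogin without-password"
    - regexp: "^#?\\s*PubkeyAuthentication"
      line: "PubkeyAuthentication yes"
    - regexp: "^#?\\s*HostbasedAuthentication"
      line: "HostbasedAuthentication no"
    - regexp: "^#?\\s*PermitEmptyPasswords"
      line: "PermitEmptyPasswords no"
    - regexp: "^#?\\s*UseDNS"
      line: "UseDNS no"
  notify: restart ssh

# AllowUsers is always root and rhadmin plus the optional per-group and
# per-host lists; inventory can opt out entirely with
# sshserver_allowusers_set: false (the next task then removes the line).
- name: limit allowed users
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^AllowUsers"
    line: "AllowUsers {{ ' '.join([ 'root', 'rhadmin' ] | union(sshserver_allowusers_group | default([])) | union(sshserver_allowusers_host | default([]))) }}"
    validate: /usr/sbin/sshd -t -f %s
  when: sshserver_allowusers_set | default(true)
  notify: restart ssh

- name: allow any user to login via ssh
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^AllowUsers"
    state: absent
    validate: /usr/sbin/sshd -t -f %s
  when: not (sshserver_allowusers_set | default(true))
  notify: restart ssh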