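---
# Install and harden the OpenSSH server, then restrict which accounts may
# log in over SSH. Assumes a "restart ssh" handler is defined alongside
# these tasks (not shown here).
#
# Variables read by these tasks:
#   sshserver_allowusers_group  optional list of extra users to allow
#   sshserver_allowusers_host   optional list of extra users to allow
#   sshserver_root_keys         authorized_keys content installed for root
#                               (replaces the whole file, see `exclusive`)

- name: install ssh-server
  apt:
    name: openssh-server
    state: present

- name: hardening ssh-server config
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    # Quoted: an unquoted 0644 is read as decimal 420 by YAML 1.1 parsers,
    # which can produce the wrong mode when used in loops.
    mode: "0644"
    # Syntax-check the edited file before it replaces sshd_config; an
    # unparseable config would otherwise take sshd down on the restart
    # triggered by the handler and lock remote administrators out.
    validate: /usr/sbin/sshd -t -f %s
  with_items:
    # "^#?\s*" matches both an active directive and the commented-out
    # default line, so the default is replaced rather than duplicated.
    - { regexp: '^#?\s*IgnoreRhosts', line: 'IgnoreRhosts yes' }
    # "without-password" is the pre-OpenSSH-7.0 spelling of
    # "prohibit-password": root may log in with a key, never a password.
    - { regexp: '^#?\s*PermitRootLogin', line: 'PermitRootLogin without-password' }
    - { regexp: '^#?\s*PubkeyAuthentication', line: 'PubkeyAuthentication yes' }
    - { regexp: '^#?\s*HostbasedAuthentication', line: 'HostbasedAuthentication no' }
    - { regexp: '^#?\s*PermitEmptyPasswords', line: 'PermitEmptyPasswords no' }
    - { regexp: '^#?\s*UseDNS', line: 'UseDNS no' }
  notify: restart ssh

- name: limit allowed users
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^AllowUsers"
    # root is always allowed (key-only, per PermitRootLogin above); the two
    # optional lists are unioned in so duplicates do not repeat.
    line: "AllowUsers {{ ' '.join([ 'root' ] | union(sshserver_allowusers_group | default([])) | union(sshserver_allowusers_host | default([]))) }}"
    # Same guard as above: never install a config that sshd rejects.
    validate: /usr/sbin/sshd -t -f %s
  notify: restart ssh

- name: install ssh keys for root
  authorized_key:
    user: root
    key: "{{ sshserver_root_keys }}"
    # exclusive: any key not listed in sshserver_root_keys is removed, so
    # the variable is the single source of truth for root's keys.
    exclusive: true

- name: delete root password
  user:
    name: root
    # A hash of "!" matches no password, so root's password login is locked
    # while the account (and key-based login) stays usable.
    password: "!"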