---
# SSH hardening tasks
#
# One loop item per sshd directive. Each regexp matches both the commented-out
# default (e.g. "#Port 22") and an active directive, so lineinfile rewrites the
# last matching line in place and appends the directive when nothing matches.
#
# NOTE(review): sshd keeps the first value it reads for a directive. On hosts
# whose sshd_config begins with an `Include` of drop-in files, a drop-in can
# take precedence over what is written here — confirm the effective settings
# with `sshd -T` on a converged host.
# NOTE(review): the common_ssh_* variables are rendered verbatim. If one of
# them is declared as a YAML boolean, Jinja renders "True"/"False", which sshd
# does not accept; the validate step below then fails the task instead of
# deploying a broken config.
- name: Configure SSH daemon
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    state: present
    regexp: '{{ item.regexp }}'
    line: '{{ item.line }}'
    # sshd -t checks the temporary copy before it replaces the live file, so a
    # malformed directive never reaches the running daemon.
    validate: "sshd -t -f %s"
  # The "Restart sshd" handler is defined elsewhere; it is notified when any
  # loop iteration reports a change.
  notify: Restart sshd
  loop:
    # Site-specific values come from role variables.
    - regexp: '^#?Port'
      line: 'Port {{ common_ssh_port }}'
    - regexp: '^#?PermitRootLogin'
      line: 'PermitRootLogin {{ common_ssh_permit_root_login }}'
    - regexp: '^#?PasswordAuthentication'
      line: 'PasswordAuthentication {{ common_ssh_password_authentication }}'
    - regexp: '^#?PubkeyAuthentication'
      line: 'PubkeyAuthentication {{ common_ssh_pubkey_authentication }}'
    # Fixed hardening values.
    - regexp: '^#?X11Forwarding'
      line: 'X11Forwarding no'
    - regexp: '^#?MaxAuthTries'
      line: 'MaxAuthTries 3'
    # Idle-session handling: the daemon probes every 300 s and drops the
    # connection after 2 unanswered probes.
    - regexp: '^#?ClientAliveInterval'
      line: 'ClientAliveInterval 300'
    - regexp: '^#?ClientAliveCountMax'
      line: 'ClientAliveCountMax 2'