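# sshd_config hardening. Every regexp below matches a directive by its
# keyword only, never by its value, so an existing conflicting line (for
# example "PasswordAuthentication yes") is replaced in place. sshd honours
# the first occurrence of a keyword, so adding the desired value after an
# existing one would leave the old setting in effect. Commented-out
# defaults ("#PasswordAuthentication yes") are deliberately not matched.
- name: Secure SSH
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    # A directive that is not present yet goes to the top of the file so it
    # precedes any Match block (directives after Match apply only to that
    # block) and any Include line. NOTE(review): if the target file starts
    # with a directive that must stay first, confirm BOF is acceptable.
    insertbefore: BOF
    state: present
    line: "{{ item.line }}"
    # Never write a config sshd cannot parse; a syntax error followed by the
    # restart handler would lock out every SSH login. Adjust the binary
    # path if sshd is not installed under /usr/sbin on the target.
    validate: /usr/sbin/sshd -t -f %s
  notify: restart_sshd
  loop:
    # Protocol is deprecated on current OpenSSH (warning, not an error);
    # kept for hosts still running older releases.
    - { regexp: '^\s*Protocol\b', line: 'Protocol 2' }
    - { regexp: '^\s*UseDNS\b', line: 'UseDNS no' }
    - { regexp: '^\s*PermitEmptyPasswords\b', line: 'PermitEmptyPasswords no' }
    # "without-password" is the legacy spelling of "prohibit-password".
    - { regexp: '^\s*PermitRootLogin\b', line: 'PermitRootLogin without-password' }

# The two tasks below toggle the same three keywords; because they match by
# keyword, switching the flag later replaces the earlier value instead of
# leaving both "yes" and "no" lines in the file. If both flags are true the
# Enable task runs last and wins.
- name: Disable passwordauth
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    # Top of file, same reasoning as above: the new line must come before
    # any pre-existing Match block or Include drop-in.
    insertbefore: BOF
    state: present
    line: "{{ item.line }}"
    validate: /usr/sbin/sshd -t -f %s
  notify: restart_sshd
  loop:
    - { regexp: '^\s*ChallengeResponseAuthentication\b', line: 'ChallengeResponseAuthentication no' }
    - { regexp: '^\s*PasswordAuthentication\b', line: 'PasswordAuthentication no' }
    - { regexp: '^\s*AuthenticationMethods\b', line: 'AuthenticationMethods publickey' }
  # "| bool" so a string value such as "false" from the inventory is not
  # treated as truthy.
  when: disable_passwordauth | bool

- name: Enable passwordauth
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    insertbefore: BOF
    state: present
    line: "{{ item.line }}"
    validate: /usr/sbin/sshd -t -f %s
  notify: restart_sshd
  loop:
    - { regexp: '^\s*ChallengeResponseAuthentication\b', line: 'ChallengeResponseAuthentication yes' }
    - { regexp: '^\s*PasswordAuthentication\b', line: 'PasswordAuthentication yes' }
    # Public key is still required; the password is a second factor.
    - { regexp: '^\s*AuthenticationMethods\b', line: 'AuthenticationMethods publickey keyboard-interactive' }
  when: enable_passwordauth | bool

# Run the notified restart_sshd handler now rather than at the end of the
# play, so the rest of the play talks to a daemon running this config.
- meta: flush_handlers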