# code: language=ansible-jinja
{#
  sshd_config template rendered by Ansible.

  Variables read: `hostname` and `groups['infrastructure']`.
  NOTE(review): `hostname` is presumably set by the play or inventory;
  Ansible's built-in name is `inventory_hostname` -- confirm it is defined
  for every host that receives this file.

  Hosts in the `infrastructure` group get root login enabled and, through the
  Match block at the end, password authentication for root only. Every other
  host gets root login disabled and key-only authentication.
#}
{% set is_infra_host = hostname in groups['infrastructure'] %}
{#
  sshd keeps the first value it obtains for each keyword, so anything set in
  a drop-in under sshd_config.d takes precedence over the settings below.
  Check the effective configuration on the host with `sshd -T`.
#}
Include /etc/ssh/sshd_config.d/*.conf

Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

MaxAuthTries 3
PubkeyAuthentication yes
PermitRootLogin {{ 'yes' if is_infra_host else 'no' }}
PermitEmptyPasswords no
PasswordAuthentication no
IgnoreRhosts yes
UsePAM yes

AllowAgentForwarding no
X11Forwarding no
PrintMotd no
UseDNS no
AcceptEnv LANG LC_*

{#
  NOTE(review): on infrastructure hosts this re-enables password logins for
  root on every listen address. MaxAuthTries limits attempts per connection
  only. If password access for root is not strictly required, consider
  `PermitRootLogin prohibit-password`, or narrowing this block with an
  `Address` criterion. The Match block must remain the last section of the
  file, because it applies to every line that follows it.
#}
{% if is_infra_host %}
Match User root
    PasswordAuthentication yes
{% endif %}