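# vim: ft=yaml.ansible
---
# Harden sshd authentication: public-key login on, password login off,
# direct root login off. Each task edits /etc/ssh/sshd_config in place and
# notifies the "Restart sshd" handler, which is not defined in this file.
#
# Review notes:
# - `validate` runs sshd's test mode against the candidate file before it
#   replaces the real one, so a syntactically broken config is never written
#   and the restart handler cannot take sshd down on a parse error.
#   The binary path is the common default; adjust it if the target differs.
# - sshd uses the first value it obtains for each keyword. If sshd_config has
#   an `Include` directive above these settings, an included file can take
#   precedence; confirm the effective values with `sshd -T` after the play.
# - When the regexp matches nothing, lineinfile appends the line at the end of
#   the file. If the file ends with a `Match` block, the appended setting is
#   scoped to that block only rather than applied globally.
# - Password login is removed here; a working authorized key for a non-root
#   account has to be in place before this runs, or access is lost.

- name: Allow SSH login with public keys
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    # Matches the directive whether it is active or commented out.
    regexp: '^#?PubkeyAuthentication '
    line: PubkeyAuthentication yes
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  notify: Restart sshd

- name: Disallow SSH login with password
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?PasswordAuthentication '
    line: PasswordAuthentication no
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  notify: Restart sshd

- name: Disallow root login over SSH
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?PermitRootLogin '
    line: PermitRootLogin no
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  notify: Restart sshd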