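# vim: ft=yaml.ansible
---
# Key-only SSH access: install the public key for the connecting user, then
# enable public-key auth, disable password auth and disable root login in
# /etc/ssh/sshd_config. The key is installed before passwords are turned off,
# so the order of these tasks matters.
#
# Each sshd_config edit is checked with `sshd -t` before it is written, so a
# syntactically broken file is never put in place.
#
# NOTE(review): only the main sshd_config is edited. sshd uses the first value
# it reads for a keyword, so an Include'd drop-in, an earlier duplicate line or
# a Match block can still override these settings. Check the effective
# configuration with `sshd -T` after the handler has run.

- name: Add public SSH key to default user
  ansible.posix.authorized_key:
    user: "{{ ansible_user }}"
    key: "{{ ssh_key }}"
    # exclusive removes every key that is not in ssh_key from this user's
    # authorized_keys. That drops stale keys, but ssh_key must then hold
    # every key that should keep access.
    exclusive: true

- name: Allow SSH login with public keys
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    # Matches the directive whether it is active or commented out.
    regexp: '^#?PubkeyAuthentication '
    line: 'PubkeyAuthentication yes'
    # Refuse to install a config that sshd itself rejects.
    validate: '/usr/sbin/sshd -t -f %s'
  notify: sshd

- name: Disallow SSH login with password
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?PasswordAuthentication '
    line: 'PasswordAuthentication no'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: sshd

- name: Disallow root login over SSH
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?PermitRootLogin '
    line: 'PermitRootLogin no'
    validate: '/usr/sbin/sshd -t -f %s'
  # NOTE(review): if ansible_user is root, this locks out the account the play
  # connects as once the sshd handler (defined elsewhere) applies the change.
  # Confirm a non-root login user exists first.
  notify: sshd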