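# vim: ft=yaml.ansible
---
# Hardens SSH access: installs one public key for the connecting user,
# then sets sshd to key-only authentication with no direct root login.
#
# Lock-out risk: after these tasks the only way in over SSH is the key in
# `ssh_key`. Keep an existing session open until a fresh login has been
# verified.

# `exclusive: true` below deletes every other key from the user's
# authorized_keys, so an empty value must never reach that task.
- name: Check that a public SSH key was supplied
  assert:
    that:
      - ssh_key is defined
      - ssh_key | trim | length > 0
    msg: ssh_key must contain a public key before password login is disabled

# NOTE(review): if ansible_user is root, the PermitRootLogin task further
# down makes this key unusable for login; confirm the play targets a
# non-root account.
- name: Add public SSH key to default user
  authorized_key:
    user: "{{ ansible_user }}"
    key: "{{ ssh_key }}"
    exclusive: true

# The three sshd_config edits share the same shape:
#   * the regexp accepts a space or a tab after the keyword, so an existing
#     tab-separated directive is replaced instead of a second copy being
#     appended at end of file (where it could land inside a Match block or
#     after an earlier directive; sshd keeps the first value it reads);
#   * `validate` has sshd parse the candidate file before it replaces the
#     live one, so a broken config never reaches the restart.
# NOTE(review): an `Include` of drop-in files placed before these directives
# can override them; confirm the effective settings with `sshd -T`.
# NOTE(review): validate assumes the binary is at /usr/sbin/sshd; confirm
# the path on the target hosts.
- name: Allow SSH login with public keys
  lineinfile:
    regexp: '^#?PubkeyAuthentication\s'
    line: PubkeyAuthentication yes
    dest: /etc/ssh/sshd_config
    validate: /usr/sbin/sshd -t -f %s
  register: ssh_pubkey

- name: Disallow SSH login with password
  lineinfile:
    regexp: '^#?PasswordAuthentication\s'
    line: PasswordAuthentication no
    dest: /etc/ssh/sshd_config
    validate: /usr/sbin/sshd -t -f %s
  register: ssh_pw

- name: Disallow root login over SSH
  lineinfile:
    regexp: '^#?PermitRootLogin\s'
    line: PermitRootLogin no
    dest: /etc/ssh/sshd_config
    validate: /usr/sbin/sshd -t -f %s
  register: ssh_root

# Restart only when one of the edits above changed the file. The
# `is defined` guards cover runs in which an edit task was not executed
# and therefore registered nothing.
# NOTE(review): the service is named `ssh` on some distributions; confirm
# for the target hosts.
- name: Restart sshd
  service:
    name: sshd
    state: restarted
  when: >-
    (ssh_pubkey is defined and ssh_pubkey.changed) or
    (ssh_pw is defined and ssh_pw.changed) or
    (ssh_root is defined and ssh_root.changed)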