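---
# Hardening edits to /etc/ssh/sshd_config. Each task passes the candidate
# file through `sshd -t` (validate:) before it replaces the live file, so a
# syntactically broken edit is rejected instead of locking out remote access.
# All tasks notify the `restart sshd` handler, which is defined elsewhere.

# Uncomments the stock `#HostKey <path>` lines for the RSA and Ed25519 host
# keys. Once any HostKey is set explicitly, sshd loads only the listed keys
# rather than its built-in default set; presumably that is the "legacy"
# reduction the task name refers to. It does not touch KexAlgorithms,
# Ciphers or MACs.
# NOTE(review): with backrefs enabled, a file that lacks the commented line
# is left unchanged, so the restriction is silently skipped on such hosts.
- name: Disable legacy ssh algorithms
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#(HostKey {{ item }})$"
    line: '\1'
    backrefs: true
    validate: '/usr/sbin/sshd -f %s -t'
  loop:
    - /etc/ssh/ssh_host_rsa_key
    - /etc/ssh/ssh_host_ed25519_key
  notify:
    - restart sshd
  tags:
    - pkg

# Ensures an active `Port <n>` line for each listed port, reusing a commented
# or existing line when one matches and otherwise inserting after the last
# existing Port line. Port 22 stays open alongside 622; every listed port is
# an additional listener that has to be covered by firewall policy.
- name: Activate specifics SSH ports
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#?(Port {{ item }})$"
    insertafter: "^Port [0-9]+$"
    line: "Port {{ item }}"
    validate: '/usr/sbin/sshd -f %s -t'
  loop:
    - 22
    - 622
  notify:
    - restart sshd
  tags:
    - pkg

# Turns off password and challenge-response logins, leaving key-based auth.
#
# The regexp requires whitespace after the keyword. lineinfile rewrites only
# the LAST matching line, and the stock sshd_config carries a prose comment
# beginning "# PasswordAuthentication." further down the file. An open-ended
# pattern matches that comment, replaces it, and leaves an earlier active
# `PasswordAuthentication yes` in place; sshd keeps the first value it reads,
# so password logins would stay enabled.
#
# NOTE(review): `sshd -t` checks syntax only. An `Include` drop-in read
# earlier, or a line appended at EOF after a `Match` block, can still leave
# the effective value at `yes`; confirm with `sshd -T` after the restart.
# NOTE(review): newer OpenSSH treats ChallengeResponseAuthentication as a
# deprecated alias of KbdInteractiveAuthentication; a line written under the
# new keyword is not matched by this pattern.
- name: Disable ssh password authentification
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#? *{{ item.regexp }}[ \t]'
    line: "{{ item.line }}"
    validate: '/usr/sbin/sshd -f %s -t'
  loop:
    - regexp: ChallengeResponseAuthentication
      line: ChallengeResponseAuthentication no
    - regexp: PasswordAuthentication
      line: PasswordAuthentication no
  notify:
    - restart sshd
  tags:
    - pkg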