---
# file: tasks/ssh.yml

- name: ssh - add ssh_authorized_keys to file ~/.ssh/authorized_keys
  authorized_key: user="{{ ansible_user|default('root') }}" key="{{ item }}"
  with_items: "{{ hosts_ssh_authorized_keys|default([]) }}"
  ignore_errors: true

- name: ssh - add ssh_public_hosts keys to known_hosts
  with_items: "{{ hosts_ssh_public_hosts|default([]) }}"
  known_hosts:
    name: "{{ item }}"
    key: "{{ lookup('pipe', 'ssh-keyscan -t rsa -H ' + item) }}"
  ignore_errors: true

- name: ssh - copy ssh_private_keys to ~/.ssh/
  with_items: "{{ hosts_ssh_private_keys|default([]) }}"
  copy: src="{{ item }}" dest=~/.ssh/ mode=0400
  ignore_errors: true

- name: ssh - update ~/.ssh/myos/config
  template:
    src: ssh_config.j2
    dest: ~/.ssh/myos/config
    mode: 0400

- name: ssh - define sshd configuration
  set_fact:
    sshd_config:
    - dest: /etc/conf.d/dropbear
      line: 'DROPBEAR_OPTS="\1 -b /etc/issue.net"'
      regex: '^DROPBEAR_OPTS="((?!.*-b /etc/issue.net).*)"$'
    - dest: /etc/ssh/sshd_config
      line: Banner /etc/issue.net
      regex: ^#?Banner
    - dest: /etc/ssh/sshd_config
      line: PermitRootLogin prohibit-password
      regex: ^#?PermitRootLogin

- name: ssh - stat sshd configuration file
  changed_when: false
  register: sshd_config_stat
  stat:
    path: "{{ item.dest }}"
  with_items: "{{ sshd_config|default([]) }}"

- name: ssh - configure sshd
  become: yes
  lineinfile:
    backrefs: true
    dest: "{{ item.0.dest }}"
    line: "{{ item.0.line }}"
    regex: "{{ item.0.regex }}"
  with_together:
  - "{{ sshd_config|default([]) }}"
  - "{{ sshd_config_stat.results }}"
  when: item.1.stat.exists