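---
# file: tasks/ssh.yml
#
# Pins SSH host keys for the hosts listed in hosts_ssh_public_hosts, then sets
# a login banner and PermitRootLogin in whichever of the dropbear / sshd
# configuration files exist on the target.

# NOTE(review): ssh-keyscan records whatever key the network returns when the
# play runs (trust on first use); nothing here compares it with a fingerprint
# obtained out of band. Only the RSA host key is collected (-t rsa).
- name: ssh - add hosts_ssh_public_hosts keys to known_hosts
  known_hosts:
    path: /etc/ssh/ssh_known_hosts
    name: "{{ item }}"
    # The pipe lookup runs on the controller through a shell, so the host name
    # is shell-quoted to reach ssh-keyscan as a single argument. Quoting does
    # not validate that the value is a host name; keep the list under the
    # playbook author's control.
    key: "{{ lookup('pipe', 'ssh-keyscan -t rsa -H ' + (item | quote)) }}"
  with_items: "{{ hosts_ssh_public_hosts|default([]) }}"
  become: true
  # Best effort: a host that cannot be scanned is skipped, which leaves it
  # without a pinned key in /etc/ssh/ssh_known_hosts.
  ignore_errors: true

# Each entry is one lineinfile edit: target file, replacement line and the
# regular expression selecting the line to replace.
- name: ssh - define sshd configuration
  set_fact:
    sshd_config:
      # Append "-b /etc/issue.net" to DROPBEAR_OPTS unless it is already there
      # (the negative lookahead keeps the edit idempotent).
      - dest: /etc/conf.d/dropbear
        line: 'DROPBEAR_OPTS="\1 -b /etc/issue.net"'
        regex: '^DROPBEAR_OPTS="((?!.*-b /etc/issue.net).*)"$'
      - dest: /etc/ssh/sshd_config
        line: Banner /etc/issue.net
        regex: '^#?Banner'
      # prohibit-password still allows root to log in with public-key
      # authentication; only password and keyboard-interactive are refused.
      - dest: /etc/ssh/sshd_config
        line: PermitRootLogin prohibit-password
        regex: '^#?PermitRootLogin'

# Read-only probe, so it never reports a change; the results are consumed by
# the next task to skip files that are absent on this host.
- name: ssh - stat sshd configuration file
  stat:
    path: "{{ item.dest }}"
  with_items: "{{ sshd_config|default([]) }}"
  register: sshd_config_stat
  changed_when: false

# item.0 is the sshd_config entry, item.1 the matching stat result.
# With backrefs enabled, lineinfile leaves the file unchanged when the regex
# matches no line, so a file with no Banner / PermitRootLogin line (commented
# or not) is not modified. When several lines match, only the last one is
# replaced, while sshd uses the first value it reads for a keyword.
# NOTE(review): no validation step or handler appears in this file; sshd
# presumably has to be reloaded elsewhere for the change to apply - confirm.
- name: ssh - configure sshd
  lineinfile:
    backrefs: true
    dest: "{{ item.0.dest }}"
    line: "{{ item.0.line }}"
    regex: "{{ item.0.regex }}"
  with_together:
    - "{{ sshd_config|default([]) }}"
    - "{{ sshd_config_stat.results }}"
  when: item.1.stat.exists
  become: true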