---
- name: Disable Password Authentication
  ansible.builtin.lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: ^PasswordAuthentication
    line: PasswordAuthentication no
    state: present
    backup: true
  notify:
    - Restart SSH

- name: Disable Root Login
  ansible.builtin.lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: ^PermitRootLogin
    line: PermitRootLogin no
    state: present
    backup: true
  notify:
    - Restart SSH

- name: Restrict host key
  ansible.builtin.lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "#HostKey /etc/ssh/ssh_host_ed25519_key"
    line: HostKey /etc/ssh/ssh_host_ed25519_key
    state: present
    backup: true
  notify:
    - Restart SSH

- name: Configure sshd
  ansible.builtin.copy:
    src: crypto.conf
    dest: /etc/ssh/sshd_config.d/
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart SSH