---
- name: SSH configuration
  hosts: all
  tasks:
    - name: SSH hardening - Deny password authentication
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/90-deny-password.conf
        owner: root
        mode: '0600'
        content: 'PasswordAuthentication no'

    - name: SSH hardening - Deny weak Message Authentication Code Algorithms
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/80-deny-insecure-mac.conf
        owner: root
        mode: '0600'
        content: 'MACs -umac-64-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,hmac-sha1'

    - name: Install authorized keys
      ansible.builtin.copy:
        src: authorized_keys
        dest: /root/.ssh/
        owner: root
        mode: '0600'
        directory_mode: '0700'

    - name: Restart sshd to apply changes
      ansible.builtin.systemd:
        name: ssh.service
        state: restarted
        enabled: true