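---
# sshd hardening tasks: render the sshd configuration, drop weak
# Diffie-Hellman group-exchange moduli, create the allowed login groups and
# (where crypto-policies is installed) configure sshd's crypto-policy usage.
# Every task that changes sshd's effective configuration notifies the
# __sshd_restart handler, which is defined outside this file.

# Needed by the final task's `when`, so it must run even in check mode.
- name: Gather package facts
  ansible.builtin.package_facts:
  check_mode: false

# 0600: sshd_config may reference key material and is root-only by default.
- name: Hardening sshd config
  ansible.builtin.template:
    src: etc/ssh/sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0600"
  notify: __sshd_restart

# Column 5 of /etc/ssh/moduli is the modulus size in bits. The `int` filter
# guarantees only an integer is interpolated into the awk program, and
# `command` (not `shell`) keeps the interpolated value out of a shell parser.
# Read-only probe: never reports changed and also runs in check mode.
- name: Check if /etc/ssh/moduli contains weak DH parameters
  ansible.builtin.command: awk '$5 < {{ sshd_moduli_minimum | int }}' /etc/ssh/moduli
  register: __sshd_register_moduli
  changed_when: false
  check_mode: false

# Rewrite moduli without the small groups. The readable/non-empty guard keeps
# an empty result (e.g. a minimum larger than every modulus) from replacing the
# file; `|| true` then makes that a no-op rather than a failed task, so a
# failed mv is also not reported — the probe above is the signal to check.
- name: Remove all small primes
  ansible.builtin.shell: |
    awk '$5 >= {{ sshd_moduli_minimum | int }}' /etc/ssh/moduli > /etc/ssh/moduli.new
    [ -r /etc/ssh/moduli.new ] && [ -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
  notify: __sshd_restart
  when: __sshd_register_moduli.stdout | length > 0

# Groups referenced by AllowGroups must exist before sshd enforces them.
- name: Create SSH usergroup
  ansible.builtin.group:
    name: "{{ item }}"
    state: present
  loop: "{{ sshd_allow_groups }}"

# /etc/sysconfig/sshd controls whether sshd follows the system-wide crypto
# policy; only meaningful when the crypto-policies package is installed.
- name: Configure SSH crypto policy usage
  ansible.builtin.template:
    src: etc/sysconfig/sshd.j2
    dest: /etc/sysconfig/sshd
    owner: root
    group: root
    mode: "0640"
  when: ('crypto-policies' in ansible_facts.packages)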