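---
# Hardens sshd by writing settings through the `ucr` module, then restricts
# SSH access to the groups listed in `sshd_allow_groups`.
# NOTE(review): `ucr` is not an ansible.builtin module; it is presumably
# provided by a project or collection module - confirm it is on the module
# path.

- name: Hardening sshd config
  ucr:
    path: "{{ item.path }}"
    value: "{{ item.value }}"
  # Every scalar setting falls back to '' when its variable is undefined, so
  # an unset variable does not fail the play.
  # NOTE(review): how `ucr` treats an empty value (unset the key or write an
  # empty string) is not visible here - confirm that a missing variable
  # cannot silently leave a setting unhardened.
  loop:
    - path: sshd/permitroot
      value: "{{ sshd_permit_root_login | default('') }}"
    - path: sshd/PermitEmptyPasswords
      value: "{{ sshd_permit_empty_passwords | default('') }}"
    - path: sshd/passwordauthentication
      value: "{{ sshd_password_authentication | default('') }}"
    # Challenge-response is driven by the same variable as password
    # authentication, so both are switched together.
    # NOTE(review): confirm this coupling is intended.
    - path: sshd/challengeresponse
      value: "{{ sshd_password_authentication | default('') }}"
    - path: sshd/IgnoreRhosts
      value: "{{ sshd_ignore_rhosts | default('') }}"
    - path: sshd/HostbasedAuthentication
      value: "{{ sshd_hostbased_authentication | default('') }}"
    - path: sshd/ClientAliveInterval
      value: "{{ sshd_client_alive_interval | default('') }}"
    - path: sshd/ClientAliveCountMax
      value: "{{ sshd_client_alive_count_max | default('') }}"
    # The algorithm lists are joined into comma-separated strings. The
    # fallback must be a real empty list: default('[]') is the two-character
    # string "[]", which join(',') turns into the bogus value "[,]".
    # NOTE(review): these variables are expected to be lists; a plain string
    # would be joined character by character.
    - path: sshd/Ciphers
      value: "{{ sshd_ciphers | default([]) | join(',') }}"
    - path: sshd/KexAlgorithms
      value: "{{ sshd_kex | default([]) | join(',') }}"
    - path: sshd/MACs
      value: "{{ sshd_macs | default([]) | join(',') }}"
  loop_control:
    # Show the key/value pair in the task output instead of the whole item.
    label: "variable: {{ item.path }}={{ item.value }}"
  notify: __sshd_restart

# `sshd_allow_groups` has no default, so the play fails when it is undefined.
# NOTE(review): this task does not notify __sshd_restart - confirm that the
# auth/sshd/group/* values take effect without a restart.
- name: Set allowed ssh groups
  ucr:
    path: "auth/sshd/group/{{ item }}"
    # "yes" is the literal string handed to ucr, so it stays quoted.
    value: "yes"
  loop: "{{ sshd_allow_groups }}"

# Create each allowed group as a local system group if it does not exist.
- name: Create SSH Usergroup
  ansible.builtin.group:
    name: "{{ item }}"
    system: true
    state: present
  loop: "{{ sshd_allow_groups }}"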