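---
# Hardens the OpenSSH server: installs the templated sshd_config, filters
# /etc/ssh/moduli down to primes of at least `sshd_moduli_minimum` bits, and
# creates the groups listed in `sshd_allow_groups`.
- block:
    - name: Hardening sshd config
      template:
        src: etc/ssh/sshd_config.j2
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        # Quoted so the mode is passed as a string, not a YAML 1.1 octal int.
        mode: '0600'
        # Test the rendered file before it replaces the live config, so a
        # template error cannot lock out remote access when sshd restarts.
        # NOTE(review): `sshd -t` also checks host keys; confirm they exist
        # on the target before this task runs.
        validate: /usr/sbin/sshd -t -f %s
      notify: __sshd_restart

    # Read-only probe: prints every moduli line whose size field ($5) is
    # below the minimum. It runs in check mode too, so the conditional on
    # the next task always has a registered result to test.
    - name: Check if /etc/ssh/moduli contains weak DH parameters
      # `| int` keeps anything but a number out of the shell command line.
      shell: awk '$5 < {{ sshd_moduli_minimum | int }}' /etc/ssh/moduli
      register: __sshd_register_moduli
      changed_when: false
      check_mode: false

    # Rewrites the moduli file with only the strong primes. The filtered copy
    # replaces the original only when it is non-empty, so sshd is never left
    # with an empty moduli file.
    - name: Remove all small primes
      shell: |
        new=/etc/ssh/moduli.new
        awk '$5 >= {{ sshd_moduli_minimum | int }}' /etc/ssh/moduli > "$new" \
          || { rm -f "$new"; exit 1; }
        if [ -s "$new" ]; then
          mv "$new" /etc/ssh/moduli
        else
          # No prime meets the minimum: the weak moduli are still in place.
          # Report it instead of exiting silently, and do not leave the
          # temporary file behind. Regenerate the moduli file with
          # ssh-keygen to fix this.
          rm -f "$new"
          echo "no moduli >= {{ sshd_moduli_minimum | int }} bits; /etc/ssh/moduli left unchanged" >&2
        fi
      notify: __sshd_restart
      # Explicit boolean test; a bare string as a condition is ambiguous.
      when: __sshd_register_moduli.stdout | length > 0

    - name: Create SSH Usergroup
      group:
        name: "{{ item }}"
        state: present
      loop: "{{ sshd_allow_groups }}"

  # Every task above writes under /etc/ssh or manages system groups.
  become: true
  become_user: root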