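---
# Applies sshd hardening values through the `ucr` module, then registers and
# creates the groups listed in `sshd_allow_groups`.
#
# NOTE(review): every scalar setting falls back to an empty string when its
# variable is undefined. How the `ucr` module treats an empty value (unset,
# keep, or write an empty setting) is not visible here - confirm that an
# undefined variable cannot leave a hardening option weaker than intended.
- block:
    - name: Hardening sshd config
      ucr:
        path: "{{ item.path }}"
        value: "{{ item.value }}"
      loop:
        # The original list set sshd/permitroot twice with the same
        # expression; the redundant entry is dropped.
        - path: sshd/permitroot
          value: "{{ sshd_permit_root_login | default('') }}"
        - path: sshd/PermitEmptyPasswords
          value: "{{ sshd_permit_empty_passwords | default('') }}"
        - path: sshd/passwordauthentication
          value: "{{ sshd_password_authentication | default('') }}"
        # NOTE(review): challengeresponse reuses sshd_password_authentication.
        # Presumably deliberate, so both password-style methods are switched
        # together - confirm.
        - path: sshd/challengeresponse
          value: "{{ sshd_password_authentication | default('') }}"
        - path: sshd/IgnoreRhosts
          value: "{{ sshd_ignore_rhosts | default('') }}"
        - path: sshd/HostbasedAuthentication
          value: "{{ sshd_hostbased_authentication | default('') }}"
        - path: sshd/ClientAliveInterval
          value: "{{ sshd_client_alive_interval | default('') }}"
        - path: sshd/ClientAliveCountMax
          value: "{{ sshd_client_alive_count_max | default('') }}"
        # The fallback must be a real empty list. The former default('[]') was
        # the two-character string "[]", which join(',') turned into the
        # literal "[,]". That bogus algorithm list would then be handed to the
        # sshd settings just before the restart handler fires.
        # join(',') expects a list; a plain string would be split per character.
        - path: sshd/Ciphers
          value: "{{ sshd_ciphers | default([]) | join(',') }}"
        - path: sshd/KexAlgorithms
          value: "{{ sshd_kex | default([]) | join(',') }}"
        - path: sshd/MACs
          value: "{{ sshd_macs | default([]) | join(',') }}"
      loop_control:
        label: "variable: {{ item.path }}={{ item.value }}"
      notify: __sshd_restart

    # sshd_allow_groups has no default: the loop fails if it is undefined,
    # which surfaces a missing allow-list instead of silently skipping it.
    - name: Set allowed ssh groups
      ucr:
        path: "auth/sshd/group/{{ item }}"
        value: "yes"
      loop: "{{ sshd_allow_groups }}"

    - name: Create SSH Usergroup
      group:
        name: "{{ item }}"
        system: true
        state: present
      loop: "{{ sshd_allow_groups }}"

  # NOTE(review): the source layout was collapsed onto one line; privilege
  # escalation is assumed to apply to the whole block - confirm.
  become: true
  become_user: root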