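---
# Tasks that harden the OpenSSH server: deploy sshd_config, drop weak
# Diffie-Hellman moduli, create the allowed groups and, when requested,
# override the system crypto policy for sshd.

# Package facts are only needed for the 'crypto-policies' test in the last
# task, so they are gathered only when the override is requested.
# check_mode: false makes this read-only task run under --check as well.
- name: Gather package facts
  package_facts:
  check_mode: false
  when: sshd_disable_crypto_policy | bool

# Everything in this block runs as root (see become/become_user at the end).
- block:
    # NOTE(review): no 'validate:' is set, so a template that renders an
    # invalid sshd_config is installed as-is and the restart handler can
    # leave the host without a working sshd. Consider
    # 'validate: /usr/sbin/sshd -t -f %s' after confirming the sshd path and
    # that host keys already exist on the targets.
    - name: Hardening sshd config
      template:
        src: etc/ssh/sshd_config.j2
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        # Quoted so the mode is passed as a string, not a YAML integer.
        mode: "0600"
      notify: __sshd_restart

    # Read-only probe: prints every moduli line whose 5th column (the size
    # field in the moduli(5) format) is below the configured minimum.
    # NOTE(review): shipped moduli files usually record size as bits - 1
    # (e.g. 3071) - confirm sshd_moduli_minimum is chosen accordingly.
    # '| int' keeps anything but a number out of the awk/shell command line.
    - name: Check if /etc/ssh/moduli contains weak DH parameters
      shell: awk '$5 < {{ sshd_moduli_minimum | int }}' /etc/ssh/moduli
      register: __sshd_register_moduli
      changed_when: false
      check_mode: false

    # Rewrites moduli keeping only entries at or above the minimum. The file
    # is replaced only if the filtered copy is readable and non-empty, so
    # moduli is never swapped for an empty file. In that case the temporary
    # copy is removed instead of being left behind in /etc/ssh. A failing mv
    # now fails the task rather than being hidden behind '|| true'.
    - name: Remove all small primes
      shell: |
        awk '$5 >= {{ sshd_moduli_minimum | int }}' /etc/ssh/moduli > /etc/ssh/moduli.new
        if [ -r /etc/ssh/moduli.new ] && [ -s /etc/ssh/moduli.new ]; then
          mv /etc/ssh/moduli.new /etc/ssh/moduli
        else
          rm -f /etc/ssh/moduli.new
        fi
      notify: __sshd_restart
      # Explicit boolean test; a bare string conditional is rejected by
      # newer ansible-core releases.
      when: __sshd_register_moduli.stdout | length > 0

    # One group per entry of sshd_allow_groups.
    - name: Create SSH Usergroup
      group:
        name: "{{ item }}"
        state: present
      loop: "{{ sshd_allow_groups }}"

    # Installs the role's etc/sysconfig/sshd file, but only when the
    # override is requested and the crypto-policies package is installed.
    - name: Disable SSH server CRYPTO_POLICY
      copy:
        src: etc/sysconfig/sshd
        dest: /etc/sysconfig/sshd
        owner: root
        group: root
        mode: "0640"
      when:
        - sshd_disable_crypto_policy | bool
        - ('crypto-policies' in ansible_facts.packages)
  become: true
  become_user: root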