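---
# Entry tasks of the SSH hardening role: collect the facts the later includes
# depend on (backup suffix, distribution name, OpenSSH version), back up
# sshd_config, restrict host keys, then hand off to the moduli and
# cipher-restriction task files.
- name: Set some variables
  set_fact:
    # Date and time make every run's backup of sshd_config distinct.
    ssh_hardening_backup_suffix: "42.{{ ansible_date_time.date }}@{{ ansible_date_time.time }}~"
    # First word of the lower-cased distribution name; selects os_<distri>.yml below.
    ssh_hardening_distri: "{{ (ansible_distribution | lower).split(' ')[0] }}"

# The version-specific vars file is named after the major.minor version, so it
# has to be known before the include_vars task. If no OpenSSH version string is
# found, the trailing grep exits non-zero and the task fails instead of
# including a file named after an empty string.
- name: Get SSH version number
  shell: 'ssh -V 2>&1 | grep -o "OpenSSH_[0-9]\+\.[0-9]" | grep -o "[0-9]\+\.[0-9]"'
  changed_when: false
  # Read-only probe: run it in check mode too, otherwise ssh_hardening_version
  # is never registered and the include_vars task below cannot be templated.
  check_mode: false
  register: ssh_hardening_version

- name: Read SSH version config file
  include_vars: "ssh_{{ ssh_hardening_version.stdout_lines.0 }}.yml"

# Most specific distribution file first, generic default last.
# NOTE(review): ansible_distribution_family is not a standard Ansible fact
# name (ansible_os_family is) — confirm it is defined elsewhere in the role.
- name: Read distribution specific variables
  include_vars: "{{ item }}"
  with_first_found:
    - "os_{{ ssh_hardening_distri }}.yml"
    - "os_{{ ansible_distribution_family }}.yml"
    - "os_{{ ansible_os_family }}.yml"
    - "os_default.yml"

# The backup keeps root-only permissions so the pre-hardening config (which may
# still list weak settings) is not readable by other users.
- name: Backup sshd_config
  copy:
    src: "{{ ssh_hardening_sshd_config }}"
    dest: "{{ ssh_hardening_sshd_config }}.{{ ssh_hardening_backup_suffix }}"
    remote_src: true
    owner: root
    group: root
    # Quoted: an unquoted 0600 is read as the decimal integer 384 by YAML 1.1 parsers.
    mode: "0600"

####################

# Both host-key regexps are anchored at the start of the line so that only a
# HostKey directive (active or commented out) is matched, never a mention of
# the key file later in some other line. Note that ".*dsa_key" also matches
# "ecdsa_key" lines; for the removal task that is harmless because both are
# being dropped.
- name: "Hostkeys: Disable (EC)DSA"
  lineinfile:
    path: "{{ ssh_hardening_sshd_config }}"
    regexp: '(?i)^\s*#*\s*hostkey.*{{ item }}_key'
    state: absent
  loop:
    - dsa
    - ecdsa
  notify: Restart SSH

# Rewrites (or uncomments) one HostKey line per entry of ssh_hardening_hostkeys,
# which comes from the vars files included above.
- name: "Hostkeys: Enable (RSA &) ED25519"
  lineinfile:
    path: "{{ ssh_hardening_sshd_config }}"
    regexp: '(?i)^\s*#*\s*hostkey.*{{ item }}_key'
    line: 'HostKey /etc/ssh/ssh_host_{{ item }}_key'
  loop: '{{ ssh_hardening_hostkeys }}'
  notify: Restart SSH

####################

- name: "INCLUDE: Remove small Diffie-Hellman moduli"
  include_tasks: moduli.yml

####################

# Hosts that ship a system-wide crypto-policies back-end file for sshd get
# their cipher/MAC/KEX restrictions through that mechanism; all other hosts
# get them written into sshd_config directly. Exactly one of the two includes
# runs, keyed on the stat result.
- name: "Check for crypto-policies"
  stat:
    path: /etc/crypto-policies/back-ends/opensshserver.config
  register: ssh_hardening_use_policies

- name: "The (RedHat) crypto policy way..."
  include_tasks: restrictions_crypto_policy.yml
  when: ssh_hardening_use_policies.stat.exists

- name: "The standard config way..."
  include_tasks: restrictions_configfile.yml
  when: not ssh_hardening_use_policies.stat.exists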