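---
# sshd hardening tasks: back up the config, restrict host keys, remove weak
# DH moduli, then apply algorithm restrictions either through crypto-policies
# (RedHat family) or directly in the sshd config file.

- name: Backup sshd_config
  # copy overwrites dest on every run, so after the first run this file holds
  # the previously hardened config, not the pristine original.
  copy:
    src: "{{ ssh_hardening_sshd_config }}"
    dest: "{{ ssh_hardening_sshd_config }}.{{ ssh_hardening_backup_suffix }}"
    remote_src: true
    owner: root
    group: root
    mode: "0600"  # quoted so the YAML loader does not turn the octal mode into an integer

- name: "Hostkeys: Disable (EC)DSA (and maybe RSA)"
  # Removes every HostKey line (commented or not) for key types that are not
  # listed in ssh_hardening_hostkeys.
  lineinfile:
    dest: "{{ ssh_hardening_sshd_config }}"
    regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key'
    state: absent
  loop: "{{ ssh_hardening_hostkeys_all | difference(ssh_hardening_hostkeys) }}"
  notify: Restart SSH

- name: "Hostkeys: Enable (RSA &) ED25519"
  # Replaces a matching (possibly commented) HostKey line, or appends one,
  # for each key type that stays enabled.
  lineinfile:
    dest: "{{ ssh_hardening_sshd_config }}"
    regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key'
    line: 'HostKey /etc/ssh/ssh_host_{{ item }}_key'
  loop: "{{ ssh_hardening_hostkeys }}"
  notify: Restart SSH

- name: "Renew RSA hostkeys if too short"
  # A regenerated host key changes the server's identity: clients that pinned
  # the old key in known_hosts will see a mismatch. sshd reads host keys at
  # startup, so the service must be restarted for the new key to be served.
  openssh_keypair:
    path: /etc/ssh/ssh_host_rsa_key
    type: rsa
    size: 4096
  when: '"rsa" in ssh_hardening_hostkeys'
  notify: Restart SSH

####################

- name: "INCLUDE: Remove small Diffie-Hellman moduli"
  include_tasks: moduli.yml

####################

- name: "Check for crypto-policies"
  stat:
    path: /etc/crypto-policies/back-ends/opensshserver.config
  register: ssh_hardening_use_policies

- name: "The (RedHat) crypto policy way..."
  include_tasks: restrictions_crypto_policy.yml
  when: ssh_hardening_use_policies.stat.exists

- name: "The standard config way..."
  include_tasks: restrictions_configfile.yml
  when: not ssh_hardening_use_policies.stat.exists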