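---
# Apply the SSH hardening settings rendered from sshd_config_hardening.j2.
# If the sshd configuration has an active Include directive, the settings are
# written as a drop-in file next to the included files; otherwise they are
# inserted into the main configuration as a managed block.

- name: Check for Include directory
  # Match only active directives: the first field must be the keyword itself,
  # so commented-out lines such as "#Include ..." are ignored. Matching a
  # commented line would send the hardening file to a directory sshd never
  # reads, leaving the host unhardened without any error.
  # sshd keywords are case-insensitive, hence tolower().
  command:
    argv:
      - awk
      - 'tolower($1) == "include" { print $2 }'
      - "{{ ssh_hardening_sshd_config | default('/etc/ssh/sshd_config') }}"
  changed_when: false
  # Read-only probe; run it in check mode too so the registered result
  # always has stdout_lines for the conditions below.
  check_mode: false
  register: ssh_hardening_includedir

- name: Write restrictions to include file
  # NOTE(review): sshd keeps the first value it obtains for each keyword and
  # expands Include globs in lexical order, so a drop-in that sorts before
  # "ssh-hardening.conf" (for example a numerically prefixed file) can
  # override these settings. Confirm the effective configuration with
  # "sshd -T" after deployment.
  # NOTE(review): only the first Include path is used, and it is assumed to be
  # absolute; a relative Include path would yield a relative dest. Confirm
  # against the target hosts.
  template:
    src: 'sshd_config_hardening.j2'
    dest: "{{ ssh_hardening_includedir.stdout_lines[0] | dirname }}/ssh-hardening.conf"
    owner: root
    group: root
    # Quoted so the mode is always read as an octal string, never as an integer.
    mode: '0600'
    backup: true
  when: ssh_hardening_includedir.stdout_lines | length > 0
  notify: Restart SSH

- name: Write restrictions block to sshd_config
  blockinfile:
    path: '{{ ssh_hardening_sshd_config }}'
    block: '{{ lookup("template", "sshd_config_hardening.j2") }}'
    insertbefore: '^# Logging'
    marker: '# {mark} ANSIBLE ROLE ssh-hardening'
    # Reject the edit if sshd cannot parse the resulting file, so a template
    # error cannot leave a configuration that fails on the next restart.
    validate: '/usr/sbin/sshd -t -f %s'
  when: ssh_hardening_includedir.stdout_lines | length == 0
  notify: Restart SSH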