---
- name: 'Moduli: Check if "moduli.not-hardened" already exists'
  stat:
    path: "{{ ssh_hardening_moduli_backup }}"
  register: ssh_hardening_moduli_backup_file


- name: 'Moduli: Backup "moduli.not-hardened"'
  shell: 'cp -a {{ ssh_hardening_moduli }} {{ ssh_hardening_moduli_backup }}'
  when: not ssh_hardening_moduli_backup_file.stat.exists


- name: 'Moduli: Check for small Diffie-Hellman moduli'
  shell: "grep -c ' 1535 \\| 2047 ' /etc/ssh/moduli || true"
  changed_when: False
  register: ssh_hardening_moduli_small


- name: 'Moduli: Remove small Diffie-Hellman moduli'
  shell: "TMPF=$(mktemp) && awk '$5 >= 3071' /etc/ssh/moduli >${TMPF} && mv ${TMPF} /etc/ssh/moduli"
  when: ssh_hardening_moduli_small.stdout|int > 0