---
- name: Create private host keys
  copy:
    dest: '/etc/ssh/{{ item.key }}'
    content: '{{ item.value.private }}'
    owner: root
    group: ssh_keys
    mode: 0640
  with_dict: '{{ ssh_host_keys }}'
  loop_control:
    label: '/etc/ssh/{{ item.key }}'
  when: ssh_host_keys is defined

- name: Create public host keys
  copy:
    dest: '/etc/ssh/{{ item.key }}.pub'
    content: '{{ item.value.public }}'
    owner: root
    group: root
    mode: 0644
  with_dict: '{{ ssh_host_keys }}'
  loop_control:
    label: '/etc/ssh/{{ item.key }}.pub'
  when: ssh_host_keys is defined

- name: Configure sshd
  lineinfile:
    path: '/etc/ssh/sshd_config'
    regexp: '{{ item.regexp }}'
    line: '{{ item.line }}'
  with_items:
  - regexp: '^[# ]*PermitRootLogin'
    line: 'PermitRootLogin no'
  - regexp: '^PasswordAuthentication'
    line: 'PasswordAuthentication no'
  - regexp: '^[# ]*GSSAPIAuthentication'
    line: 'GSSAPIAuthentication no'
  notify:
  - restart sshd

- name: Enable sshd service
  systemd:
    name: sshd.service
    enabled: yes
    masked: no
    state: started
  when: not chroot
- name: '- when in chroot'
  command: systemctl enable sshd.service
  args:
    creates: '/etc/systemd/system/multi-user.target.wants/sshd.service'
  when: chroot|bool

# vim: set ts=2 sw=2 et: