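# SSH security hardening role
# Purpose: change the SSH port, configure key-based authentication,
# and disable password login.
#
# Task order matters: the public key is installed before the hardened
# sshd_config is deployed, so key-based access is in place by the time
# password login is turned off.
---
# Fail early if no key was supplied. Without a usable key in place,
# disabling password login can lock operators out of the host.
# NOTE(review): an empty ssh_pubkey may be accepted by the key module
# without installing anything - confirm, but the guard is safe either way.
- name: Verify an SSH public key was supplied
  ansible.builtin.assert:
    that:
      - ssh_pubkey is defined
      - ssh_pubkey | trim | length > 0
    fail_msg: "ssh_pubkey must be set to a non-empty public key before hardening sshd"

# 0700 keeps the directory readable by its owner only.
- name: Ensure .ssh directory exists
  ansible.builtin.file:
    path: /root/.ssh
    state: directory
    mode: "0700"

# The authorized_key module is provided by the ansible.posix collection,
# so it is referenced by its canonical name here.
- name: Add SSH public key
  ansible.posix.authorized_key:
    user: root
    key: "{{ ssh_pubkey }}"
    state: present

# force: false means an existing backup is never overwritten, so a re-run
# does not replace the saved original with an already-hardened file.
- name: Backup original sshd_config
  ansible.builtin.copy:
    src: /etc/ssh/sshd_config
    dest: /etc/ssh/sshd_config.bak
    remote_src: true
    force: false
    mode: "0600"

# validate runs sshd's config test on the rendered file before it replaces
# the live one, so a template that fails the test is never installed.
# The contents of sshd_config.j2 are not visible here; review that template
# for the port, key-authentication and password-login settings.
# Handlers run in the order they are defined in the handlers file, not in
# the order listed under notify - confirm that file defines them in the
# sequence restart -> update port -> wait.
- name: Deploy secure sshd_config
  ansible.builtin.template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
    mode: "0600"
    validate: "/usr/sbin/sshd -t -f %s"
  notify:
    - Restart sshd
    - Update ansible port
    - Wait for new SSH port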