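# SSH hardening role
# Purpose: change the SSH port, install a public key for key-based
# authentication and disable password login. The sshd directives themselves
# live in the sshd_config.j2 template, which is not part of this file.
#
# Inputs (expected to be supplied by the caller):
#   ssh_pubkey    - public key installed for root
#   ssh_new_port  - port sshd listens on after the config is deployed
---
- name: Ensure .ssh directory exists
  ansible.builtin.file:
    path: /root/.ssh
    state: directory
    mode: '0700'  # owner-only, as sshd expects for ~/.ssh; quoted so YAML does not read it as octal

- name: Add SSH public key
  ansible.builtin.authorized_key:
    user: root
    key: "{{ ssh_pubkey }}"
    state: present

# Keep a copy of the pristine config. force: false means an existing .bak is
# never overwritten, so the backup keeps reflecting the pre-role state on
# repeated runs.
- name: Backup original sshd_config
  ansible.builtin.copy:
    src: /etc/ssh/sshd_config
    dest: /etc/ssh/sshd_config.bak
    remote_src: true
    force: false

# validate runs sshd's syntax check on the rendered file before it replaces the
# live config, so a template error fails this task instead of leaving sshd
# unable to start. It is a syntax check only: it does not confirm that
# ssh_new_port is reachable through any host firewall, which must be ensured
# before this role runs (no firewall task is present in this file).
- name: Deploy secure sshd_config
  ansible.builtin.template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
    mode: '0600'
    validate: '/usr/sbin/sshd -t -f %s'
  register: sshd_config

# Only bounce sshd when the config actually changed; an unchanged run must not
# interrupt existing sessions.
- name: Restart sshd service
  ansible.builtin.systemd:
    name: sshd
    state: restarted
  when: sshd_config.changed

# Point subsequent tasks and plays at the new port.
- name: Update ansible_port to new SSH port
  ansible.builtin.set_fact:
    ansible_port: "{{ ssh_new_port }}"
  when: sshd_config.changed

# Probe from the controller, with privilege escalation turned off since none
# is needed locally. ansible_host is only defined when the inventory sets it,
# so fall back to inventory_hostname to avoid an undefined-variable failure.
- name: Wait for SSH on new port
  ansible.builtin.wait_for:
    port: "{{ ssh_new_port }}"
    host: "{{ ansible_host | default(inventory_hostname) }}"
    delay: 5
    timeout: 60
  delegate_to: localhost
  become: false
  when: sshd_config.changed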