---
# Authorise one public key for the service account, then tighten sshd.

# The `file` lookup runs on the control node, so key.pub is read there and
# its contents are written to the managed host's authorized_keys.
# NOTE(review): `exclusive` is not set, so keys already present in that
# authorized_keys file stay authorised; audit them separately.
- name: Add Authorized Keys
  ansible.posix.authorized_key:
    key: "{{ lookup('file', 'key.pub') }}"
    user: '{{ system_user_name }}'
    state: present

# One lineinfile pass per directive. `validate` runs `sshd -T` against the
# candidate file before it replaces sshd_config, so a syntactically broken
# result is not installed.
# NOTE(review): the patterns are anchored at column 0, so a commented-out
# default (`#Port 22`) does not match. With no match the line is appended at
# end of file, and with several matches only the last one is rewritten.
# sshd keeps the first value it obtains for a keyword, and a line appended
# after a `Match` block is scoped to that block. Confirm the effective
# settings with `sshd -T` on the host, including any Include'd drop-ins.
# NOTE(review): `PasswordAuthentication no` does not cover
# keyboard-interactive (PAM) logins; that is a separate directive which
# this task does not set.
# NOTE(review): `without-password` is the deprecated spelling of
# `prohibit-password` (OpenSSH 7.0 and later accept both).
- name: Harden SSH Config
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '{{ item.regexp }}'
    line: '{{ item.line }}'
    state: present
    mode: '0644'
    validate: 'sshd -T -f %s'
  loop:
    - line: 'PasswordAuthentication no'
      regexp: '^PasswordAuthentication'
    - line: 'Port {{ ssh_port }}'
      regexp: '^Port'
    - line: 'PermitRootLogin without-password'
      regexp: '^PermitRootLogin'
  # The "Restart ssh" handler is defined outside this file.
  notify: Restart ssh