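---
# Ansible tasks: sshd hardening (post-quantum KEX drop-in, password/root login
# disabled) and fail2ban filter/jail deployment.
#
# File modes are quoted throughout: an unquoted 0600 is read as a YAML 1.1
# octal integer (384) and Ansible warns about it; "0600" is passed verbatim.

- name: enable post-quantum key exchange for sshd
  become: true
  ansible.builtin.template:
    src: sshd-pq-kex.conf.j2
    dest: /etc/ssh/sshd_config.d/30-pq-kex.conf
    mode: "0600"
    # Reject a drop-in that sshd cannot parse (e.g. a KexAlgorithms entry the
    # installed OpenSSH does not know) before it lands on disk; otherwise the
    # restart handler would leave sshd down and the host unreachable.
    validate: /usr/sbin/sshd -t -f %s
  notify: restart_sshd
  tags:
    - security
    - sshd

- name: ensure sshd disallows passwords
  become: true
  # NOTE(review): sshd keeps the first value it reads for an option, and the
  # Include of sshd_config.d/*.conf normally precedes these lines, so a drop-in
  # that sets PasswordAuthentication yes would take precedence over this edit —
  # confirm no such drop-in exists, or move these settings into the drop-in
  # template installed above.
  # NOTE(review): "[# ]*" also matches indented lines, and lineinfile edits the
  # last match by default, so a Match block containing one of these options
  # would be edited instead of the global setting — verify against the target.
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.re }}"
    line: "{{ item.li }}"
    # Syntax-check the edited file before it replaces sshd_config.
    validate: /usr/sbin/sshd -t -f %s
  loop:
    - re: "^[# ]*PasswordAuthentication "
      li: "PasswordAuthentication no"
    - re: "^[# ]*PermitEmptyPasswords "
      li: "PermitEmptyPasswords no"
    - re: "^[# ]*PermitRootLogin "
      li: "PermitRootLogin no"
  notify: restart_sshd
  tags:
    - security

- name: setup fail2ban filters
  become: true
  ansible.builtin.copy:
    src: "files/fail2ban/filters/{{ item }}"
    dest: "/etc/fail2ban/filter.d/{{ item }}"
    mode: "0644"
  loop: "{{ fail2ban_filters }}"
  notify: restart_fail2ban
  tags:
    - security

- name: setup fail2ban jails
  become: true
  ansible.builtin.copy:
    src: "files/fail2ban/jails/{{ item }}"
    dest: "/etc/fail2ban/jail.d/{{ item }}"
    mode: "0644"
  loop: "{{ fail2ban_jails }}"
  notify: restart_fail2ban
  tags:
    - security

- name: adjust fail2ban sshd filter
  become: true
  # NOTE(review): "filter = sshd[mode=extra]" is a jail-level key (jail.d/*),
  # not a filter.d key; in filter.d/sshd.conf the equivalent knob is
  # "mode = extra" under [Definition]. If "^[#]*filter =" matches nothing,
  # lineinfile appends the line at end of file where it has no effect —
  # confirm the intended target file.
  ansible.builtin.lineinfile:
    path: /etc/fail2ban/filter.d/sshd.conf
    regexp: "^[#]*filter ="
    line: "filter = sshd[mode=extra]"
  notify: restart_fail2ban
  tags:
    - security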