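# Harden /etc/ssh/sshd_config: forbid password-based root login, pin the
# cipher list, allow point-to-point tunnels, and notify the "Reload sshd"
# handler when the file changes.
#
# sshd keeps the first value it reads for each keyword. A stale directive
# earlier in the file (or in an included drop-in, if the file uses Include)
# therefore overrides a line appended at the end. The tasks below match on
# the keyword instead of on the complete desired line for that reason.

# Read-only probe. stdout is the number of lines that already carry the
# desired PermitRootLogin value; "0" means the file is not configured yet.
- name: Check sshd
  become: true
  command: "grep -c '^PermitRootLogin prohibit-password' /etc/ssh/sshd_config"
  register: sshd
  # A probe never changes the host.
  changed_when: false
  # grep exits 1 for "no match" and 2 for a real error such as a missing or
  # unreadable file. Fail on the latter: swallowing it leaves stdout empty,
  # which the guards below would read as "already configured".
  failed_when: sshd.rc > 1
  # Run in --check mode too, so sshd.stdout is defined for the guards.
  check_mode: false

- name: Report that sshd is already configured
  debug:
    msg: "sshd has already been configured"
  when: sshd.stdout != "0"

# Deliberately unguarded: an active "PermitRootLogin yes" placed above the
# desired line would still win, so remove it on every run. The pattern is
# case-insensitive and whitespace-tolerant because sshd parses it that way.
- name: "Setup sshd: disable root login"
  become: true
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '(?i)^\s*PermitRootLogin\s+yes\b'
    state: absent
    # Refuse to install a file sshd cannot parse (avoids a lock-out).
    # Adjust the path if sshd is installed elsewhere on the target.
    validate: '/usr/sbin/sshd -t -f %s'
  notify: Reload sshd

# NOTE(review): the guard keys on the PermitRootLogin line only. A host that
# already has that line but different Ciphers/PermitTunnel values is skipped.
# lineinfile is idempotent, so dropping the guard is safe if full enforcement
# is wanted.
- name: Configure sshd
  become: true
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    # When the keyword is absent, insert ahead of the first Match block
    # rather than at EOF, where the line would become part of that block.
    # With no Match block present the line is appended as before.
    insertbefore: '(?i)^\s*Match\s'
    firstmatch: true
    validate: '/usr/sbin/sshd -t -f %s'
  loop:
    # lineinfile rewrites only the LAST line matching regexp. If a file holds
    # several active lines for one keyword, review it by hand.
    - regexp: '(?i)^\s*PermitRootLogin\s'
      line: 'PermitRootLogin prohibit-password'
    - regexp: '^# See http://www\.openssh\.com/txt/cbc\.adv$'
      line: '# See http://www.openssh.com/txt/cbc.adv'
    # NOTE(review): the advisory referenced above concerns plaintext recovery
    # against CBC modes and recommends CTR, yet both CBC ciphers stay enabled.
    # Pinning this list also excludes any AEAD cipher the installed OpenSSH
    # offers by default. Confirm a legacy client still needs CBC; otherwise
    # drop aes128-cbc and aes256-cbc.
    - regexp: '(?i)^\s*Ciphers\s'
      line: 'Ciphers aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc'
    # NOTE(review): PermitTunnel lets clients request layer-3 tunnel devices;
    # confirm this is required on every host the play targets.
    - regexp: '(?i)^\s*PermitTunnel\s'
      line: 'PermitTunnel point-to-point'
  loop_control:
    label: "{{ item.line }}"
  notify: Reload sshd
  when: sshd.stdout == "0"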