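# Probe whether this role has already been applied. The marker is the exact
# line "PermitRootLogin prohibit-password"; the other directives written by
# the "Configure sshd" task are not checked here.
- name: Check sshd
  become: true
  # grep -c prints the number of matching lines and exits 1 when that number
  # is 0. Any other non-zero exit (for example an unreadable or missing file)
  # is a real error: fail the task instead of letting an empty stdout be read
  # as "already configured", which would silently skip the hardening.
  command: "grep -c '^PermitRootLogin prohibit-password' /etc/ssh/sshd_config"
  register: sshd
  failed_when: sshd.rc not in [0, 1]
  # Read-only probe: run it in --check mode as well, so that sshd.stdout is
  # defined for the `when:` conditions of the tasks that follow.
  check_mode: false
  # Reported as "changed" when the marker is absent, i.e. configuration is
  # still pending on this host.
  changed_when: sshd.stdout == "0"
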
# Informational only: shown whenever the check task printed anything other
# than a match count of 0, in which case the configuration tasks are skipped.
- debug:
    msg: 'sshd has already been configured'
  when: sshd.stdout != "0"

# Delete every line that starts with "PermitRootLogin yes".
# Despite the task name, this role does not disable root login outright: the
# "Configure sshd" task sets "PermitRootLogin prohibit-password", which still
# permits key-based root login.
# NOTE(review): the pattern is exact about case and spacing, so variants such
# as extra whitespace or a differently-cased keyword are left in place.
- name: 'Setup sshd: disable root login'
  when: sshd.stdout == "0"
  become: true
  lineinfile:
    state: absent
    path: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin yes'

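# Write the sshd directives managed by this role and reload sshd through the
# "Reload sshd" handler. Runs only when the check task found no marker line.
- name: Configure sshd
  become: true
  lineinfile:
    path: /etc/ssh/sshd_config
    # Match on the keyword rather than on the full desired line. sshd keeps
    # the first value it reads for a keyword, so an existing directive with a
    # different value has to be replaced in place; appending a second line
    # below it would leave the old value in effect.
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    # Syntax-check the candidate file before it replaces the live one, so a
    # bad edit (for example a global keyword appended after a Match block)
    # fails this task instead of breaking sshd on reload.
    validate: /usr/sbin/sshd -t -f %s
  loop:
    # Root may log in with keys but not with a password.
    - regexp: '^PermitRootLogin\s'
      line: 'PermitRootLogin prohibit-password'
    - regexp: '^# See http://www\.openssh\.com/txt/cbc\.adv'
      line: '# See http://www.openssh.com/txt/cbc.adv'
    # NOTE(review): the advisory referenced above concerns CBC-mode ciphers,
    # yet aes128-cbc and aes256-cbc are still offered here as fallbacks. An
    # explicit list also switches off the AEAD ciphers that current OpenSSH
    # enables by default (chacha20-poly1305@openssh.com, aes128-gcm@openssh.com,
    # aes256-gcm@openssh.com). Consider dropping the -cbc entries once no
    # client depends on them.
    - regexp: '^Ciphers\s'
      line: 'Ciphers aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc'
    # NOTE(review): enables tun device forwarding for authenticated sessions;
    # confirm that every host this role targets actually needs it.
    - regexp: '^PermitTunnel\s'
      line: 'PermitTunnel point-to-point'
  notify: Reload sshd
  # NOTE(review): if sshd_config pulls in drop-in files via Include, values
  # set there can take precedence over the lines written here; verify the
  # effective settings with `sshd -T` after the reload.
  when: sshd.stdout == "0"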