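---
# SSH Hardening Configuration
#
# Deploys a login banner, (re)generates host keys, templates the sshd and
# ssh client configuration, installs the deploy user's authorized key and
# validates the resulting sshd_config. The "restart ssh" handler is expected
# to be defined by the enclosing role or play.

- name: Create SSH banner
  # sshd reads the Banner file on each new connection; the notify is kept
  # so that the banner path change in sshd_config (if any) is picked up.
  copy:
    content: |
      **************************************************************************
      *                    WARNING: AUTHORIZED ACCESS ONLY                     *
      **************************************************************************
      * This system is for authorized users only. All activities are logged    *
      * and monitored. Unauthorized access is prohibited and may result in     *
      * civil and/or criminal penalties.                                       *
      *                                                                        *
      * Custom PHP Framework - {{ domain_name }}
      * Environment: {{ environment | upper }}
      **************************************************************************
    dest: "{{ ssh_banner }}"
    owner: root
    group: root
    mode: '0644'
  notify: restart ssh
  tags:
    - ssh
    - banner

- name: Generate strong SSH host keys
  # "creates" makes this idempotent: an existing key is never overwritten,
  # so rotating a host key requires removing the old file first.
  command: ssh-keygen -t {{ item }} -f /etc/ssh/ssh_host_{{ item }}_key -N ""
  args:
    creates: /etc/ssh/ssh_host_{{ item }}_key
  loop:
    - ed25519
    - ecdsa
    - rsa
  notify: restart ssh
  tags:
    - ssh
    - keys

- name: Set correct permissions on SSH host keys
  # Private host keys must only be readable by root; sshd refuses keys
  # with looser permissions.
  file:
    path: /etc/ssh/ssh_host_{{ item }}_key
    owner: root
    group: root
    mode: '0600'
  loop:
    - ed25519
    - ecdsa
    - rsa
  tags:
    - ssh
    - keys
    - permissions

- name: Configure SSH daemon
  # validate runs sshd -t against the rendered temp file *before* it replaces
  # /etc/ssh/sshd_config, so a broken template can never leave the host with
  # an unparseable config (and therefore no SSH after the next restart/reboot).
  template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: '0644'
    backup: true
    validate: /usr/sbin/sshd -t -f %s
  notify: restart ssh
  tags:
    - ssh
    - config

- name: Create SSH client configuration
  # Client-side defaults only; no daemon restart is required.
  template:
    src: ssh_config.j2
    dest: /etc/ssh/ssh_config
    owner: root
    group: root
    mode: '0644'
    backup: true
  tags:
    - ssh
    - config

- name: Ensure SSH service is enabled and running
  # The unit is called "ssh" on Debian-family hosts and "sshd" elsewhere;
  # override ssh_service_name for the latter. The default keeps the
  # original behaviour.
  service:
    name: "{{ ssh_service_name | default('ssh') }}"
    state: started
    enabled: true
  tags:
    - ssh
    - service

- name: Configure SSH authorized keys for deploy user
  # The public key is read from the *controller*; the path can be overridden
  # with ssh_deploy_public_key_file (default keeps the original location).
  # NOTE(review): with ssh_authorized_keys_exclusive set to true every other
  # key in the user's authorized_keys is removed, including the one this
  # play may be connecting with — confirm the deploy key is the one in use
  # before enabling it.
  authorized_key:
    user: "{{ ansible_user }}"
    state: present
    key: "{{ lookup('file', ssh_deploy_public_key_file | default('~/.ssh/id_rsa_deploy.pub')) }}"
    exclusive: "{{ ssh_authorized_keys_exclusive }}"
  when: ansible_user != 'root'
  tags:
    - ssh
    - keys
    - users

- name: Remove default SSH keys for security
  # DSA host keys are obsolete and rejected by modern clients; remove both
  # halves of the pair so sshd does not log errors about a missing public key.
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/ssh/ssh_host_dsa_key
    - /etc/ssh/ssh_host_dsa_key.pub
  tags:
    - ssh
    - keys
    - cleanup

- name: Verify SSH configuration syntax
  # Post-deployment check of the config actually on disk (the template task
  # already validated its own output). The command module fails on a
  # non-zero exit status by itself, so no failed_when is needed; the check
  # never changes the host.
  command: sshd -t
  register: ssh_config_test
  changed_when: false
  tags:
    - ssh
    - validation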