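# SSH Configuration for Custom PHP Framework - {{ environment | upper }}
# Generated by Ansible - Do not edit manually
#
# A syntax error in this file can stop sshd from restarting and lock out
# remote access. Check the rendered file before it is installed, e.g. with
# the template task's validate option set to: sshd -t -f %s

# Basic Configuration
Port {{ ssh_port }}
# Protocol is a deprecated keyword on newer OpenSSH releases (only protocol 2
# is supported there); kept for older daemons.
Protocol 2
AddressFamily inet

# Authentication
PermitRootLogin {{ ssh_permit_root_login | ternary('yes', 'no') }}
PasswordAuthentication {{ ssh_password_authentication | ternary('yes', 'no') }}
PubkeyAuthentication {{ ssh_pubkey_authentication | ternary('yes', 'no') }}
AuthorizedKeysFile .ssh/authorized_keys
# With UsePAM yes, challenge-response (keyboard-interactive) authentication can
# still prompt for a password through PAM even when PasswordAuthentication is
# no. For key-only access both settings must be disabled.
ChallengeResponseAuthentication {{ ssh_challenge_response_authentication | ternary('yes', 'no') }}
GSSAPIAuthentication {{ ssh_gss_api_authentication | ternary('yes', 'no') }}
UsePAM yes

# Security Settings
MaxAuthTries {{ ssh_max_auth_tries }}
# ClientAlive probes travel inside the encrypted channel; TCPKeepAlive probes
# do not and can be spoofed, so dead-session detection should rely on the
# ClientAlive pair.
ClientAliveInterval {{ ssh_client_alive_interval }}
ClientAliveCountMax {{ ssh_client_alive_count_max }}
MaxSessions {{ ssh_max_sessions }}
TCPKeepAlive {{ ssh_tcp_keep_alive | ternary('yes', 'no') }}
Compression {{ ssh_compression | ternary('yes', 'no') }}
UseDNS {{ ssh_use_dns | ternary('yes', 'no') }}

# Tunnel and Forwarding
X11Forwarding {{ ssh_x11_forwarding | ternary('yes', 'no') }}
PermitTunnel {{ ssh_permit_tunnel | ternary('yes', 'no') }}
PermitUserEnvironment {{ ssh_permit_user_environment | ternary('yes', 'no') }}
AllowTcpForwarding no
AllowStreamLocalForwarding no
GatewayPorts no

# Host Key Configuration
# One HostKey line per key type. The type is derived from the algorithm name:
# a leading "ssh-" is dropped and everything after the next "-" is cut, so
# ssh-ed25519 -> ed25519 and rsa-sha2-512 -> rsa. Algorithms that share a key
# type produce a single line.
{% for key_type in ssh_host_key_algorithms | map('regex_replace', '^ssh-', '') | map('regex_replace', '-.*$', '') | unique %}
HostKey /etc/ssh/ssh_host_{{ key_type }}_key
{% endfor %}

# Allowed Users and Groups
# When both lists are empty no allow-list is written and every account with
# valid credentials may log in. When both are set, a login must satisfy both.
{% if ssh_allowed_users %}
AllowUsers {{ ssh_allowed_users | join(' ') }}
{% endif %}
{% if ssh_allowed_groups %}
AllowGroups {{ ssh_allowed_groups | join(' ') }}
{% endif %}

# Banner
# Written only when a banner path is configured; a bare "Banner" keyword with
# no argument is a configuration error.
{% if ssh_banner %}
Banner {{ ssh_banner }}
{% endif %}

# Logging
# INFO records logins; VERBOSE additionally records the fingerprint of the key
# used, which helps when auditing which key opened a session.
SyslogFacility AUTH
LogLevel INFO

# The three algorithm lists below are fixed in this template. Review them
# against the OpenSSH version actually deployed (sshd -T prints the effective
# values) rather than relying on the "secure" labels.

# Kex Algorithms (secure)
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512

# Ciphers (secure)
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# MAC Algorithms (secure)
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512

# Accepted Client Public Key Algorithms
# NOTE(review): this keyword limits which key algorithms clients may
# authenticate with; it does not select the server's host key algorithms,
# although it is fed from the host key list. If restricting host key
# signatures was the intent, the keyword for that is HostKeyAlgorithms.
# The values must be full algorithm names (for example ssh-ed25519).
# OpenSSH 8.5 and later call this keyword PubkeyAcceptedAlgorithms and keep
# the old name as an alias.
PubkeyAcceptedKeyTypes {{ ssh_host_key_algorithms | join(',') }}

# Additional Security
PermitEmptyPasswords no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
PrintMotd no
PrintLastLog yes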