Improve SSHD config

defaults/main.yml

@@ -22,3 +22,5 @@ sshd_password_authentication: 'no' # 'yes' or 'no'
 # Allow optional cryptho methods (NOT RECOMENDED)
 generate_ecdsa_too: false
 use_diffie-hellman-group-exchange-sha256: false
+use_aes256-ctr: false
+use_hmac-sha2-512: false

tasks/main.yml

@@ -20,7 +20,7 @@
 - name: Copy sshd configuration
   become: yes
   template:
-    src: sshd_config
+    src: sshd_config.j2
     dest: '/etc/ssh/sshd_config'
     owner: root
     group: root

templates/sshd_config.j2

@@ -1,3 +1,4 @@
+# Attention, do not make changes
 # {{ ansible_managed }}
 
 
@@ -57,7 +58,8 @@ endif %}PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
 #        aes256-ctr,
 #        aes192-ctr,
 #        aes128-ctr
-Ciphers chacha20-poly1305@openssh.com
+Ciphers chacha20-poly1305@openssh.com{%
+if use_aes256-ctr %},aes256-ctr{% endif %}
 
 
 # Message authentication codes
@@ -69,7 +71,8 @@ Ciphers chacha20-poly1305@openssh.com
 #     hmac-sha2-256,
 #     hmac-ripemd160,
 #     umac-128@openssh.com
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com{%
+if use_hmac-sha2-512 %},hmac-sha2-512{% endif %}
 
 
 # Allow client to pass locale environment variables