---
# enable option if know that your ssh-server version is over 8.0
# sshd__version_is_above_eight: true

# define users for ssh whitelist
users: {}
# l3d:
#   - l3d
# ottojo:
#  - ottojo@uni
#  - ottojo@home

# set the ssh server port
sshd__port: 22

# ssh password authorisatuin (not recomended)
sshd__password_authentication: false

# should we disable not selected ssh key types?
sshd__manage_key_types: true

# choose ssh server allowed key types
sshd__key_types:
  - 'ed25519'
  # - 'rsa'
  # - 'ecdsa'
  # - 'dsa' # (do not use!)

sshd__manage_key_algorithmus: true
sshd__key_algorithmus:
  - 'ssh-ed25519-cert-v01@openssh.com'
  - 'ssh-ed25519'
  - 'ecdsa-sha2-nistp521-cert-v01@openssh.com'
  - 'ecdsa-sha2-nistp384-cert-v01@openssh.com'
  - 'ecdsa-sha2-nistp256-cert-v01@openssh.com'
  # - 'rsa-sha2-512-cert-v01@openssh.com'
  # - 'rsa-sha2-256-cert-v01@openssh.com'
  # - 'ssh-rsa-cert-v01@openssh.com'
  # - 'ecdsa-sha2-nistp521'
  # - 'ecdsa-sha2-nistp384'
  # - 'ecdsa-sha2-nistp256'
  # - 'rsa-sha2-512'
  # - 'rsa-sha2-256'
  # - 'ssh-rsa'

sshd__manage_kex_algorithmus: true
sshd__kex_algorithmus:
  - 'curve25519-sha256@libssh.org'
  - 'diffie-hellman-group-exchange-sha256'
  - 'diffie-hellman-group-exchange-sha1'
  # - 'diffie-hellman-group14-sha1'
  # - 'diffie-hellman-group1-sha1'

sshd__ciphers:
  - 'chacha20-poly1305@openssh.com'
  - 'aes256-gcm@openssh.com'
  - 'aes256-ctr'
  # - 'aes256-cbc'
  # - 'aes128-ctr'
  # - 'aes128-cbc'

sshd__macs:
  - 'hmac-sha2-512-etm@openssh.com'
  - 'hmac-sha2-256-etm@openssh.com'
  - 'hmac-sha2-512'
  # - 'hmac-sha2-256'
  # - 'hmac-ripemd160-etm@openssh.com'
  # - 'umac-128-etm@openssh.com'
  # - 'hmac-sha1'

# Enable AllowUsers and AllowGroups options
sshd__restrict_users: true
sshd__allowed_users:
  - "root"
  - "ansible"
sshd__restrict_groups: true
sshd__allowed_groups:
  - "root"
  - "admins"
sshd__xforwarding: true

sshd__state: present  # use latest for upgrading

# perform simple version check for this role? (true is recomended)
submodules_versioncheck: false