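---
# Tasks for the sshd role: merge role defaults with caller overrides, render
# sshd_config (validated before install), manage host key pairs and remove
# legacy key material.

- name: combine sshd variable
  set_fact:
    # Role defaults (_sshd) are overridden recursively by the caller's sshd mapping.
    sshd: "{{ _sshd | combine(sshd, recursive=True) }}"

- include_tasks: versioncheck.yml
  when: submodules_versioncheck | bool

- name: set sshd_service variable
  block:
    - name: read os specific variable
      include_vars: "vars/{{ ansible_distribution | lower }}.yml"
  rescue:
    # No distribution-specific vars file exists: fall back to the generic one.
    - name: read default variable
      include_vars: vars/default.yml

- name: Collect all users and groups allowed to login via ssh
  set_fact:
    # `users` is defined outside this role. Apply default({}) to the mapping
    # itself before calling .keys(): calling .keys() on an undefined variable
    # raises before a trailing default filter can catch it.
    sshd_allowed_users: "{{ sshd.allowed_users + ((users | default({})).keys() | sort) }}"
    sshd_allowed_groups: "{{ sshd.allowed_groups + ((users | default({})).keys() | sort) }}"

- name: Copy sshd configuration
  become: true
  template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: 'u=rw,g=r,o=r'
    # sshd parses the rendered file first; an invalid config never replaces
    # the live one, so a broken template cannot lock out the next restart.
    validate: /usr/sbin/sshd -t -f %s
    backup: true
  notify:
    - systemctrl restart ssh

- name: Generate new ssh host key pair if necessary
  become: true
  # The key type must follow the loop item. The previous version hard-coded
  # `-t ecdsa`, writing an ecdsa key under every ssh_host_<type>_key name.
  # -P '' is an empty passphrase, which sshd requires for host keys.
  command: ssh-keygen -t {{ item }} -f 'ssh_host_{{ item }}_key' -P '' -q
  args:
    chdir: /etc/ssh/
    creates: 'ssh_host_{{ item }}_key.pub'
  loop: "{{ sshd.key_types }}"
  when: sshd.manage_key_types | bool
  notify:
    - systemctrl restart ssh

# A bare `- pause:` task used to sit here. With no arguments it blocks until
# a human presses Enter, which hangs unattended runs; it has been removed.

# The previous version removed rsa/dsa private keys unconditionally but their
# .pub files only behind the guards below, leaving dangling public keys. Both
# halves of each pair are now removed together under the same conditions.
# It also read `do_not_delete_legacy_ssh_keys` un-negated (deleting when the
# flag was true); the flag is now honoured as its name states.
- name: Remove legacy host key pairs (rsa, dsa)
  become: true
  file:
    path: "/etc/ssh/ssh_host_{{ item.0 }}_key{{ item.1 }}"
    state: absent
  # Every combination of legacy type and (private, public) suffix.
  loop: "{{ ['rsa', 'dsa'] | product(['', '.pub']) | list }}"
  # NOTE(review): if sshd.key_types lists rsa, this removes a key the task
  # above just generated — confirm the intended overlap between the two lists.
  when:
    - ansible_distribution_release != 'wheezy'
    - not do_not_delete_legacy_ssh_keys | bool
  notify:
    - systemctrl restart ssh

- name: Remove ecdsa host key pair unless ecdsa is wanted
  become: true
  file:
    path: "/etc/ssh/ssh_host_ecdsa_key{{ item }}"
    state: absent
  loop:
    - ''
    - '.pub'
  when:
    - not generate_ecdsa_too | bool
    - ansible_distribution_release != 'wheezy'
    - not do_not_delete_legacy_ssh_keys | bool
  notify:
    - systemctrl restart ssh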