From 6819e6b4cbb515f263dfb81b4c2513ec545bb47a Mon Sep 17 00:00:00 2001
From: Ethan Paul
Date: Fri, 5 Nov 2021 21:40:20 -0400
Subject: [PATCH] Consolidate ssh config tasks
---
playbooks/provision.yaml | 45 ++++++++++++++++------------------------
1 file changed, 18 insertions(+), 27 deletions(-)
diff --git a/playbooks/provision.yaml b/playbooks/provision.yaml
index 34011ae..923617b 100644
--- a/playbooks/provision.yaml
+++ b/playbooks/provision.yaml
@@ -120,37 +120,28 @@ name: sshd state: restarted tasks: - - name: Disable root auth + - name: Configure SSH authentication settings become: true ansible.builtin.replace: path: /etc/ssh/sshd_config - regexp: "^.*PermitRootLogin (yes|no).*$" - replace: "PermitRootLogin no" - notify: [restart-sshd] - - - name: Disable password auth - become: true - ansible.builtin.replace: - path: /etc/ssh/sshd_config - regexp: "^.*PasswordAuthentication (yes|no).*$" - replace: "PasswordAuthentication no" - notify: [restart-sshd] - - - name: Disable challenge response auth - become: true - ansible.builtin.replace: - path: /etc/ssh/sshd_config - regexp: "^.*ChallengeResponseAuthentication (yes|no).*$" - replace: "ChallengeResponseAuthentication no" - notify: [restart-sshd] - - - name: Disable GSSAPI auth - become: true - ansible.builtin.replace: - path: /etc/ssh/sshd_config - regexp: "^.*GSSAPIAuthentication (yes|no).*$" - replace: "GSSAPIAuthentication no" + regexp: "{{ item.regex }}" + replace: "{{ item.value }}" notify: [restart-sshd] + loop: + - name: disable root login + regex: "^.*PermitRootLogin (yes|no).*$" + value: PermitRootLogin no + - name: disable password auth + regex: "^.*PasswordAuthentication (yes|no).*$" + value: PasswordAuthentication no + - name: disable challenge response auth + regex: "^.*ChallengeResponseAuthentication (yes|no).*$" + value: ChallengeResponseAuthentication no + - name: disable GSSAPI auth + regex: "^.*GSSAPIAuthentication (yes|no).*$" + value: GSSAPIAuthentication no + loop_control: + label: "{{ item.name }}" - name: Disable dynamic MOTD on debian systems when: ansible_os_family == "Debian"
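Review bot: Every item in the new `loop:` still goes through `ansible.builtin.replace` with a pattern ending in `(yes|no)`, so a directive is only enforced when sshd_config already has a line carrying one of those two values. If the directive is absent, or `PermitRootLogin` holds a value such as `prohibit-password`, the task reports ok and the hardening is silently skipped. The leading `^.*` also rewrites any line that merely mentions the directive, which may include prose comments or a line inside a `Match` block. I would key `ansible.builtin.lineinfile` on the directive name so a missing line is added, and set `validate` so a file that fails `sshd -t` never reaches the restart-sshd handler. Whether the target's sshd_config pulls in drop-in files that set these keywords earlier is not visible here and is worth checking.

```yaml
    - name: Configure SSH authentication settings
      become: true
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        # Match the directive whether active or commented out, whatever its value.
        regexp: '^\s*#?\s*{{ item }}\s'
        line: "{{ item }} no"
        # sshd keeps the first value it reads, so add a missing directive at the top.
        insertbefore: BOF
        validate: /usr/sbin/sshd -t -f %s
      notify: [restart-sshd]
      loop:
        - PermitRootLogin
        - PasswordAuthentication
        - ChallengeResponseAuthentication
        - GSSAPIAuthentication
```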