Consolidate ssh config tasks

playbooks/provision.yaml

@@ -120,37 +120,28 @@
         name: sshd
         state: restarted
   tasks:
-    - name: Disable root auth
+    - name: Configure SSH authentication settings
       become: true
       ansible.builtin.replace:
         path: /etc/ssh/sshd_config
-        regexp: "^.*PermitRootLogin (yes|no).*$"
-        replace: "PermitRootLogin no"
-      notify: [restart-sshd]
-
-    - name: Disable password auth
-      become: true
-      ansible.builtin.replace:
-        path: /etc/ssh/sshd_config
-        regexp: "^.*PasswordAuthentication (yes|no).*$"
-        replace: "PasswordAuthentication no"
-      notify: [restart-sshd]
-
-    - name: Disable challenge response auth
-      become: true
-      ansible.builtin.replace:
-        path: /etc/ssh/sshd_config
-        regexp: "^.*ChallengeResponseAuthentication (yes|no).*$"
-        replace: "ChallengeResponseAuthentication no"
-      notify: [restart-sshd]
-
-    - name: Disable GSSAPI auth
-      become: true
-      ansible.builtin.replace:
-        path: /etc/ssh/sshd_config
-        regexp: "^.*GSSAPIAuthentication (yes|no).*$"
-        replace: "GSSAPIAuthentication no"
+        regexp: "{{ item.regex }}"
+        replace: "{{ item.value }}"
       notify: [restart-sshd]
+      loop:
+        - name: disable root login
+          regex: "^.*PermitRootLogin (yes|no).*$"
+          value: PermitRootLogin no
+        - name: disable password auth
+          regex: "^.*PasswordAuthentication (yes|no).*$"
+          value: PasswordAuthentication no
+        - name: disable challenge response auth
+          regex: "^.*ChallengeResponseAuthentication (yes|no).*$"
+          value: ChallengeResponseAuthentication no
+        - name: disable GSSAPI auth
+          regex: "^.*GSSAPIAuthentication (yes|no).*$"
+          value: GSSAPIAuthentication no
+      loop_control:
+        label: "{{ item.name }}"
 
     - name: Disable dynamic MOTD on debian systems
       when: ansible_os_family == "Debian"