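---
# SSH daemon hardening and login-banner (MOTD) tasks.

# Rewrite the authentication directives already present in sshd_config so that
# root login and every non-key authentication method are switched off.
#
# NOTE(review): ansible.builtin.replace only rewrites lines that already exist
# (active or commented out). If a directive is absent from the file, nothing is
# added and sshd falls back to its built-in default. sshd also keeps the first
# value it reads for a keyword, so a drop-in pulled in by an earlier `Include`
# line can still win. Confirm the effective settings on a target with
# `sshd -T` after the play has run.
#
# NOTE(review): newer OpenSSH releases treat ChallengeResponseAuthentication as
# a deprecated alias of KbdInteractiveAuthentication; a config that only uses
# the newer keyword is not touched by the third item below.
- name: Configure SSH authentication settings
  become: true
  ansible.builtin.replace:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regex }}"
    replace: "{{ item.value }}"
    # Syntax-check the edited copy before it replaces the live file, so a bad
    # edit cannot leave sshd unable to come back up when the handler restarts
    # it. Assumes the binary lives at /usr/sbin/sshd on the targets; confirm.
    validate: /usr/sbin/sshd -t -f %s
  notify: [restart-sshd]
  loop:
    # Each pattern is anchored to the start of the line (optionally commented
    # out) and accepts any current value. PermitRootLogin in particular also
    # takes prohibit-password, without-password and forced-commands-only, which
    # a yes|no-only pattern would leave in place. [ \t] is used instead of \s
    # so a match never swallows neighbouring blank lines.
    - name: disable root login
      regex: '^[ \t]*#?[ \t]*PermitRootLogin[ \t]+.*$'
      value: PermitRootLogin no
    - name: disable password auth
      regex: '^[ \t]*#?[ \t]*PasswordAuthentication[ \t]+.*$'
      value: PasswordAuthentication no
    - name: disable challenge response auth
      regex: '^[ \t]*#?[ \t]*ChallengeResponseAuthentication[ \t]+.*$'
      value: ChallengeResponseAuthentication no
    - name: disable GSSAPI auth
      regex: '^[ \t]*#?[ \t]*GSSAPIAuthentication[ \t]+.*$'
      value: GSSAPIAuthentication no
  loop_control:
    # Show the short item name in task output instead of the whole dict.
    label: "{{ item.name }}"

# Comment out the pam_motd line that prints /run/motd.dynamic at SSH login.
- name: Disable dynamic MOTD on debian systems
  when: ansible_os_family == "Debian"
  # /etc/pam.d/sshd is root-owned; escalate like the other tasks in this file.
  become: true
  ansible.builtin.replace:
    path: /etc/pam.d/sshd
    # PAM fields are whitespace-separated and are often padded with runs of
    # spaces or tabs, so accept any run of blanks between them. The matched
    # text is re-emitted behind '#' to keep the file's original spacing.
    regexp: '^(session[ \t]+optional[ \t]+pam_motd\.so[ \t]+motd=/run/motd\.dynamic)'
    replace: '#\1'

# Remove the MOTD snippet that advertises Cockpit activation.
- name: Disable Cockpit activation message on Rocky
  when: ansible_distribution == "Rocky"
  become: true
  ansible.builtin.file:
    path: /etc/motd.d/cockpit
    state: absent

# Install the static banner rendered from the motd.j2 template.
- name: Copy MOTD to remote
  become: true
  ansible.builtin.template:
    src: motd.j2
    dest: /etc/motd
    # Quoted so the mode is always read as the octal string "0644", never as
    # a decimal integer by a YAML parser with different number rules.
    mode: "0644"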