---
- name: SSH | Ensure privilege separation directory exists
  ansible.builtin.file:
    path: /run/sshd
    state: directory
    mode: '0755'

- name: SSH | Root-Login nur mit Schlüssel erlauben
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?PermitRootLogin'
    line: 'PermitRootLogin prohibit-password'
    validate: 'sshd -t -f %s'
  notify: restart sshd

- name: SSH | Passwort-Authentifizierung deaktivieren
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?PasswordAuthentication'
    line: 'PasswordAuthentication no'
    validate: 'sshd -t -f %s'
  notify: restart sshd

- name: SSH | Leere Passwörter verbieten
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?PermitEmptyPasswords'
    line: 'PermitEmptyPasswords no'
    validate: 'sshd -t -f %s'
  notify: restart sshd