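---
# Tasks that install the SSH client/server and fail2ban configuration,
# remove the DSA and ECDSA host keys, and fix permissions on the remaining
# RSA and Ed25519 host keys. Handlers are flushed at the end so that the
# notified service restarts happen before any later tasks run.
#
# The "restart ssh" and "restart fail2ban" handlers are not defined in this
# file; they are expected to come from the role's handlers.

# Each loop item is both the template path (with a .j2 suffix) and the
# absolute destination path once "/" is prepended.
# NOTE(review): owner/group are not set, so the rendered files take the
# ownership of the user the task runs as - confirm the play uses become.
# NOTE(review): sshd_config is installed without a `validate` step, so a
# broken template is only discovered when the handler restarts sshd, which
# can lock out remote access. Consider splitting sshd_config into its own
# task with a validate command such as `sshd -t -f %s` (confirm the sshd
# path on the target hosts).
# NOTE(review): shosts.equiv and ssh_known_hosts are the files sshd consults
# for host-based authentication; if the sshd_config template enables it,
# review which client hosts these templates end up trusting.
- name: install ssh configuration files
  template:
    src: "{{ item }}.j2"
    dest: "/{{ item }}"
    # Quoted so the mode reaches Ansible as a string, matching the style
    # used by the host key task in this file.
    mode: "0644"
  notify:
    - restart ssh
  loop:
    - etc/ssh/ssh_config
    - etc/ssh/sshd_config
    - etc/ssh/shosts.equiv
    - etc/ssh/ssh_known_hosts
    - etc/pam.d/sshd

# Deletes the DSA and ECDSA key pairs so the server stops offering them.
# NOTE(review): presumably the sshd_config template lists only the RSA and
# Ed25519 keys as HostKey entries - verify, since a HostKey line pointing at
# a removed file makes sshd log a load error on start.
- name: clean up unwanted ssh host keys (DSA and ECDSA)
  file:
    path: "{{ item }}"
    state: absent
  notify:
    - restart ssh
  loop:
    - /etc/ssh/ssh_host_dsa_key
    - /etc/ssh/ssh_host_dsa_key.pub
    - /etc/ssh/ssh_host_ecdsa_key
    - /etc/ssh/ssh_host_ecdsa_key.pub

# Private keys are restricted to their owner (0600); public keys stay
# world-readable (0644). No state is given, so the file module only adjusts
# existing files and does not create missing ones.
# NOTE(review): ownership is not enforced here; sshd refuses private host
# keys that are accessible to other users, so confirm they are owned by root.
- name: correct permissions on host keys
  file:
    path: "{{ item.name }}"
    mode: "{{ item.mode }}"
  loop:
    - name: /etc/ssh/ssh_host_rsa_key
      mode: "0600"
    - name: /etc/ssh/ssh_host_rsa_key.pub
      mode: "0644"
    - name: /etc/ssh/ssh_host_ed25519_key
      mode: "0600"
    - name: /etc/ssh/ssh_host_ed25519_key.pub
      mode: "0644"

# Same item-to-path convention as the ssh configuration task above.
- name: install fail2ban configuration files
  template:
    src: "{{ item }}.j2"
    dest: "/{{ item }}"
    mode: "0644"
  notify:
    - restart fail2ban
  loop:
    - etc/fail2ban/action.d/route.conf
    - etc/fail2ban/filter.d/sshd.conf
    - etc/fail2ban/jail.d/global.local
    - etc/fail2ban/jail.d/sshd.conf
    - etc/fail2ban/jail.d/sshd.local

# Run any notified restart handlers now instead of at the end of the play.
- meta: flush_handlers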