---
- name: Set sshd_config file security
  ansible.builtin.file:
    path: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0600"
- name: Set SSHD configuration values
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^{{ item.key }}"
    line: "{{ item.key }} {{ item.value }}"
  notify: restart sshd
  loop:
    - { key: "X11Forwarding", value: "no" }
    - { key: "MaxAuthTries", value: "4" }
    - { key: "PermitRootLogin", value: "no" }
    - { key: "PasswordAuthentication", value: "no" }
    - { key: "PermitEmptyPasswords", value: "no" }
    - { key: "PermitUserEnvironment", value: "no" }
    - { key: "AllowTcpForwarding", value: "yes" }
    - { key: "StreamLocalBindUnlink", value: "yes" }