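---
# Hardens sshd through a dedicated drop-in file instead of rewriting the main
# sshd_config in place. Variables the tasks read:
#   cis_ssh_main_config_path       - main sshd_config; only receives the Include line
#   cis_ssh_dropin_path            - drop-in file that receives every directive below
#   cis_disable_root_login         - bool: PermitRootLogin 'no' vs 'prohibit-password'
#   cis_disable_password_auth      - bool: PasswordAuthentication 'no' vs 'yes'
#   cis_ssh_max_auth_tries, cis_ssh_login_grace_time,
#   cis_ssh_client_alive_interval, cis_ssh_client_alive_count_max
#                                  - rendered verbatim into the matching directive
# Every edit notifies the 'validate ssh' and 'restart ssh' handlers.
# NOTE(review): only the Include task validates inline with `sshd -t`; the
# drop-in edits rely on the 'validate ssh' handler, so confirm that handler is
# defined before 'restart ssh' in the handlers file (handlers run in definition
# order, not notify order) so a malformed directive is caught before a restart.
# The regexps below match only uncommented, column-0 directives; the drop-in is
# assumed to be owned by this role so no foreign Match blocks precede them.

- name: Ensure sshd drop-in directory exists
  ansible.builtin.file:
    path: "{{ cis_ssh_dropin_path | dirname }}"
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: Ensure sshd hardening drop-in exists
  ansible.builtin.file:
    path: "{{ cis_ssh_dropin_path }}"
    state: touch
    owner: root
    group: root
    mode: "0644"
    # Preserve timestamps so a no-op run does not report the touch as changed.
    modification_time: preserve
    access_time: preserve

- name: Ensure sshd drop-in directory is included
  ansible.builtin.lineinfile:
    path: "{{ cis_ssh_main_config_path }}"
    # Derive the Include glob from cis_ssh_dropin_path rather than hard-coding
    # /etc/ssh/sshd_config.d, so the drop-in written below is always the one
    # sshd actually reads, whichever directory the role is configured to use.
    regexp: '^Include\s+{{ cis_ssh_dropin_path | dirname | regex_escape }}/\*\.conf'
    line: "Include {{ cis_ssh_dropin_path | dirname }}/*.conf"
    # sshd keeps the first value it sees for each keyword, and everything after a
    # Match block is scoped to that block, so the Include has to be the very
    # first line for the drop-in to take precedence over the stock settings.
    insertbefore: BOF
    # Rejects the edit and leaves the original file untouched if sshd cannot
    # parse the result.
    validate: sshd -t -f %s
  notify:
    - validate ssh
    - restart ssh

- name: Configure SSH root login
  ansible.builtin.lineinfile:
    path: "{{ cis_ssh_dropin_path }}"
    regexp: '^PermitRootLogin\s+'
    # 'prohibit-password' still permits key-based root login; 'no' blocks root
    # logins entirely.
    line: "PermitRootLogin {{ 'no' if cis_disable_root_login | bool else 'prohibit-password' }}"
  notify:
    - validate ssh
    - restart ssh

- name: Configure SSH empty password restriction
  ansible.builtin.lineinfile:
    path: "{{ cis_ssh_dropin_path }}"
    regexp: '^PermitEmptyPasswords\s+'
    # Unconditional: there is no variable to relax this one.
    line: "PermitEmptyPasswords no"
  notify:
    - validate ssh
    - restart ssh

- name: Configure SSH password authentication
  ansible.builtin.lineinfile:
    path: "{{ cis_ssh_dropin_path }}"
    regexp: '^PasswordAuthentication\s+'
    line: "PasswordAuthentication {{ 'no' if cis_disable_password_auth | bool else 'yes' }}"
  notify:
    - validate ssh
    - restart ssh

- name: Configure SSH MaxAuthTries
  ansible.builtin.lineinfile:
    path: "{{ cis_ssh_dropin_path }}"
    regexp: '^MaxAuthTries\s+'
    # Caps authentication attempts per connection before sshd disconnects.
    line: "MaxAuthTries {{ cis_ssh_max_auth_tries }}"
  notify:
    - validate ssh
    - restart ssh

- name: Configure SSH LoginGraceTime
  ansible.builtin.lineinfile:
    path: "{{ cis_ssh_dropin_path }}"
    regexp: '^LoginGraceTime\s+'
    # Time allowed to complete authentication before the connection is dropped.
    line: "LoginGraceTime {{ cis_ssh_login_grace_time }}"
  notify:
    - validate ssh
    - restart ssh

- name: Configure SSH ClientAliveInterval
  ansible.builtin.lineinfile:
    path: "{{ cis_ssh_dropin_path }}"
    regexp: '^ClientAliveInterval\s+'
    # A value of 0 disables the keepalive probe, so keep this positive for the
    # idle timeout (interval * count max) to take effect.
    line: "ClientAliveInterval {{ cis_ssh_client_alive_interval }}"
  notify:
    - validate ssh
    - restart ssh

- name: Configure SSH ClientAliveCountMax
  ansible.builtin.lineinfile:
    path: "{{ cis_ssh_dropin_path }}"
    regexp: '^ClientAliveCountMax\s+'
    # Number of unanswered keepalive probes before sshd terminates the session.
    line: "ClientAliveCountMax {{ cis_ssh_client_alive_count_max }}"
  notify:
    - validate ssh
    - restart ssh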