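---
# Deploys the sshd base configuration and two drop-in files, checks the
# merged result with `sshd -t`, and reloads the service only if a file changed.
- name: Deploy complete SSH server configuration
  hosts: all
  become: true
  gather_facts: false

  tasks:
    # `validate` runs against the rendered temporary file before it replaces
    # the destination, so a template that fails to parse is never installed.
    # Without it a broken file stays on disk after the play fails and is
    # picked up by the next restart or reboot.
    # NOTE(review): mode 0644 is kept as authored; some hardening baselines
    # ask for 0600 on sshd_config. Confirm which applies here.
    - name: Deploy base /etc/ssh/sshd_config file
      template:
        src: templates/sshd/sshd_config.j2
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: "0644"
        validate: 'sshd -t -f %s'
      notify: Reload SSH

    # Drop-ins are validated as standalone files: this catches syntax errors
    # only. Interactions between files are covered by the final check below.
    - name: Deploy hardened global ssh config include
      template:
        src: templates/sshd/00-global.conf.j2
        dest: /etc/ssh/sshd_config.d/00-global.conf
        owner: root
        group: root
        mode: "0644"
        validate: 'sshd -t -f %s'
      notify: Reload SSH

    # NOTE(review): the template is not visible from this playbook. By its
    # name this file relaxes password authentication for LAN clients; confirm
    # the relaxation lives inside a Match block limited to the intended
    # address range. sshd keeps the first value it reads for a global keyword,
    # so a global directive here is either ignored (already set by
    # 00-global.conf) or applies to every client.
    - name: Deploy LAN password bypass config include
      template:
        src: templates/sshd/99-lan-bypass.conf.j2
        dest: /etc/ssh/sshd_config.d/99-lan-bypass.conf
        owner: root
        group: root
        mode: "0644"
        validate: 'sshd -t -f %s'
      notify: Reload SSH

    # Checks the merged configuration (base file plus every include). A
    # failure here fails the host before handlers run (Ansible's default), so
    # the running daemon keeps its previous configuration.
    - name: Validate sshd configuration syntax
      command: sshd -t
      changed_when: false

  handlers:
    # Reload rather than restart, as authored.
    - name: Reload SSH
      service:
        name: ssh
        state: reloaded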