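---
# Provision OpenSSH under a tree rooted at "{{ rootpath }}": every path below is
# prefixed with it. The last task only fires the restart handler when rootpath
# is empty — presumably the case where the target is the live host rather than
# an image/chroot being built (TODO confirm against the calling play).

- name: copy sshd config
  template:
    src: ssh_sshd_config.j2
    dest: "{{ rootpath }}/etc/ssh/sshd_config"
    owner: root
    group: root
    # Quoted: an unquoted leading-zero literal is parsed as an octal int by
    # YAML 1.1 loaders, which is fragile if the value is ever edited (e.g. 644).
    mode: "0644"
  register: ssh_config

- name: copy ssh config
  template:
    src: ssh_config.j2
    dest: "{{ rootpath }}/etc/ssh/ssh_config"
    owner: root
    group: root
    mode: "0644"

- name: create ssh folder for user root
  file:
    path: "{{ rootpath }}/root/.ssh"
    state: directory
    owner: root
    group: root
    mode: "0700"

- name: write authorized_keys file for user root
  template:
    src: ssh_root_authorized_keys.j2
    dest: "{{ rootpath }}/root/.ssh/authorized_keys"
    owner: root
    group: root
    mode: "0600"

- name: create ssh host keys
  # Host keys are deliberately unencrypted (-N "") so sshd can load them
  # unattended. `set -e` makes the task fail on the first ssh-keygen error
  # instead of reporting success with a partial key set. The ed25519 key is
  # generated last because it is the `creates` marker: its presence then
  # implies the rsa and ecdsa keys were generated too.
  shell: |-
    set -e
    prefix="{{ rootpath }}"
    ssh-keygen -N "" -b 4096 -t rsa -f "${prefix}/etc/ssh/ssh_host_rsa_key"
    ssh-keygen -N "" -b 521 -t ecdsa -f "${prefix}/etc/ssh/ssh_host_ecdsa_key"
    ssh-keygen -N "" -t ed25519 -f "${prefix}/etc/ssh/ssh_host_ed25519_key"
  args:
    creates: "{{ rootpath }}/etc/ssh/ssh_host_ed25519_key"
  register: ssh_hostkeys

- name: maybe restart sshd
  # Placeholder task whose only job is to notify the handler when either the
  # host keys or sshd_config changed on a live host.
  # NOTE(review): `meta` actions may not honour changed_when/notify on every
  # Ansible version — confirm the handler actually fires, or switch to a
  # regular no-op module if it does not.
  meta: noop
  # `var|changed` as a Jinja filter was removed in Ansible 2.9; the test form
  # `var is changed` is the supported spelling.
  changed_when: (ssh_hostkeys is changed or ssh_config is changed) and rootpath != ''
  notify:
    - restart sshd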