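---
# Switch sshd from an AuthorizedKeysCommand-based key lookup to a trusted
# user CA: install a drop-in enabling the CA, write the CA public key file,
# then comment out the old AuthorizedKeysCommand* directives and remove the
# helper script they pointed at.

- name: ensure sshd is configured to trust user ca keys
  # Drop-in fragment for /etc/ssh/sshd_config.d. The "70-" prefix fixes its
  # position among the other fragments; sshd takes the first value it sees
  # for most keywords, so an earlier fragment or the main sshd_config could
  # still win — confirm against the host's Include layout.
  copy:
    src: trustedusercakeys.conf
    dest: /etc/ssh/sshd_config.d/70-trustedusercakeys.conf
    owner: root
    group: root
    mode: "u=rw,go=r"
  notify:
    - reload sshd
  tags:
    - ssh-user-ca
    - sshd-config
    - config

- name: ensure ssh trusted user ca list is set
  # CA public key(s) come from the ssh_trusted_user_ca_keys variable; ">+"
  # keeps the trailing newline so the file ends with one. Several keys are
  # assumed to arrive as newline-separated text, not as a list — confirm with
  # the inventory, a list would render as its Python repr.
  # No sshd reload here: sshd reads the TrustedUserCAKeys file during
  # authentication rather than only at startup — verify for the target
  # OpenSSH version.
  # NOTE(review): this task lacks the "config" tag its siblings carry.
  copy:
    dest: /etc/ssh/ca.pub
    content: >+
      {{ ssh_trusted_user_ca_keys }}
    owner: root
    group: root
    mode: "u=rw,go=r"
  tags:
    - ssh-user-ca

- name: ensure sshd AuthorizedKeysCommand is not set
  # Replaces the last line matching the regexp with the commented-out
  # default, which disables the keyword. The regexp is anchored to the start
  # of the line so the keyword mentioned in the text of some other comment is
  # not matched, and "\b" keeps it from matching AuthorizedKeysCommandUser
  # (handled by the next task). If nothing matches, lineinfile appends the
  # commented line at the end of the file, which is harmless.
  # Limitations: lineinfile changes only the last match and only this file —
  # an AuthorizedKeysCommand inside a Match block (the keyword is allowed
  # there) or in a sshd_config.d fragment is not covered.
  # NOTE(review): consider "validate: <sshd binary> -t -f %s" so a broken
  # edit cannot be written — the sshd path is distribution dependent.
  lineinfile:
    path: /etc/ssh/sshd_config
    line: '#AuthorizedKeysCommand none'
    regexp: '(?i)^\s*#?\s*AuthorizedKeysCommand\b'
    state: present
  notify:
    - reload sshd
  tags:
    - ssh-authorized-keys-command
    - sshd-config
    - config
    - cleanup

- name: ensure sshd AuthorizedKeysCommandUser is not set
  # Same approach and the same limitations as the task above, for the
  # companion AuthorizedKeysCommandUser keyword.
  lineinfile:
    path: /etc/ssh/sshd_config
    line: '#AuthorizedKeysCommandUser nobody'
    regexp: '(?i)^\s*#?\s*AuthorizedKeysCommandUser\b'
    state: present
  notify:
    - reload sshd
  tags:
    - ssh-authorized-keys-command
    - sshd-config
    - config
    - cleanup

- name: ensure ssh-authorized-keys script is removed
  # The helper the old AuthorizedKeysCommand directive presumably invoked;
  # removed so nothing keeps serving keys from it.
  file:
    path: /usr/local/libexec/ssh-authorized-keys
    state: absent
  tags:
    - ssh-authorized-keys-command
    - cleanup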