From 2fb8d4cdb4e958d5a3da97759483827f7a5b26a8 Mon Sep 17 00:00:00 2001
From: Eamonn Travers
Date: Tue, 16 Jun 2020 16:41:32 +0200
Subject: [PATCH] Add role ssh-keyonly
---
roles/ssh-keyonly/defaults/main.yml | 2 ++
roles/ssh-keyonly/tasks/main.yml | 18 ++++++++++++++++++
2 files changed, 20 insertions(+)
create mode 100644 roles/ssh-keyonly/defaults/main.yml
create mode 100644 roles/ssh-keyonly/tasks/main.yml
diff --git a/roles/ssh-keyonly/defaults/main.yml b/roles/ssh-keyonly/defaults/main.yml
new file mode 100644
index 0000000..9c6e624
--- /dev/null
+++ b/roles/ssh-keyonly/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+ssh_service_name: sshd
diff --git a/roles/ssh-keyonly/tasks/main.yml b/roles/ssh-keyonly/tasks/main.yml
new file mode 100644
index 0000000..de3f210
--- /dev/null
+++ b/roles/ssh-keyonly/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+- name: "Set «PermitRootLogin» to «without-password»"
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: '^#? *PermitRootLogin'
+ line: "PermitRootLogin without-password"
+ backup: yes
+ register: sshconfigchanged
+
+
+- name: Restart sshd
+ service:
+ name: "{{ ssh_service_name }}"
+ state: restarted
+ sleep: 5
+ when: sshconfigchanged is changed
+
+
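Review bot: The default `ssh_service_name: sshd` in roles/ssh-keyonly/defaults/main.yml has no comment saying it is meant to be overridden per platform. Debian-family hosts usually name the service `ssh`, so the restart task in tasks/main.yml may not find `sshd` there unless the variable is set in inventory. A comment above the variable such as `# Name of the SSH service to restart; override where the service is called "ssh"` would make that explicit.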
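Review bot: The role is named ssh-keyonly, but the only setting the lineinfile task writes is `PermitRootLogin without-password`, which blocks password logins for root and leaves `PasswordAuthentication` for every other account at whatever the host already has. If key-only access for all users is the intent, a second lineinfile task setting `PasswordAuthentication no` is needed; otherwise the task name or a comment should state that the scope is root only. The edit is followed by a restart with no syntax check, so adding `validate: '/usr/sbin/sshd -t -f %s'` (binary path to be confirmed per platform) to the lineinfile arguments would keep a broken file from being installed. Because lineinfile rewrites the last line matching `^#? *PermitRootLogin` and appends at end of file when nothing matches, the new line can land after an earlier active directive or inside a trailing `Match` block, where sshd would not apply it globally.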