---
- name: Disable empty password login
  ansible.builtin.lineinfile:
    dest: "{{ sshd_config }}"
    regexp: '^#?PermitEmptyPasswords'
    line: 'PermitEmptyPasswords no'
#  notify: Restart sshd

- name: Disable remote root login
  ansible.builtin.lineinfile:
    dest: "{{ sshd_config }}"
    regexp: '^#?PermitRootLogin'
    line: 'PermitRootLogin no'
#  notify: Restart sshd

- name: Disable password login
  ansible.builtin.lineinfile:
    dest: "{{ sshd_config }}"
    regexp: '^(#\s*)?PasswordAuthentication '
    line: 'PasswordAuthentication no'
#  notify: Restart sshd

- name: Disable challenge response auth
  ansible.builtin.lineinfile:
    dest: "{{ sshd_config }}"
    regexp: '^(#\s*)?ChallengeResponseAuthentication '
    line: 'ChallengeResponseAuthentication no'
#  notify: Restart sshd

- name: Change SSH port
  ansible.builtin.lineinfile:
    dest: "{{ sshd_config }}"
    regexp: '^#?Port 22'
    line: "Port {{ sshd_port }}"
#  notify: Restart sshd

- name: Restart sshd
  ansible.builtin.service:
    name: "{{ sshd }}"
    state: restarted

- name: Set SSH port to custom config
  set_fact:
    ansible_port: "{{ sshd_port }}"