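---
# SSH: configure sshd to accept user certificates signed by the Vault SSH CA
# and to refuse password / keyboard-interactive logins.

# The file fetched here is the trust anchor for every certificate-based login
# on this host. Its integrity depends on TLS verification of the Vault
# endpoint (kept explicit below) and on nobody but root being able to write it.
# NOTE(review): with the default `force: false`, get_url does not re-download
# once dest exists, so a rotated CA key is not picked up automatically and a
# locally modified file is not corrected. Decide whether that pinning is
# intended.
- name: Curl SSH trusted CA
  ansible.builtin.get_url:
    url: https://vault.ducoterra.net/v1/ssh-client-signer/public_key
    dest: /etc/ssh/trusted-user-ca-keys.pem
    validate_certs: true
    owner: root
    group: root
    # A public key needs no secrecy, but it must not be group-writable.
    mode: '0644'
  become: true

# With only TrustedUserCAKeys set, sshd accepts a certificate for an account
# when the account name appears in the certificate's principals. Which
# principals can be signed is decided by the Vault signer role, so review that
# role (or add AuthorizedPrincipalsFile) to limit who can log in as whom.
- name: Create sshd_config file
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: '0600'
    # Have sshd check the candidate file before it replaces the live config,
    # so a syntax error cannot take remote access down at the next restart.
    validate: /usr/sbin/sshd -t -f %s
    content: |
      AuthorizedKeysFile .ssh/authorized_keys
      PasswordAuthentication no
      KbdInteractiveAuthentication no
      UsePAM yes
      Subsystem sftp internal-sftp
      PrintMotd no # pam does that
      TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
  become: true

# The restart is unconditional, so the running daemon always reflects the
# config on disk even if an earlier run wrote the file and then failed. The
# cost is that this task reports "changed" on every run.
- name: Ensure ssh service started
  ansible.builtin.systemd:
    name: sshd
    state: restarted
    daemon_reload: true
    enabled: true
  become: true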