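---
# SSH: install the Vault-issued user CA, write a key/certificate-only
# sshd_config, and restart sshd only when that config actually changed.

# Fetch the public half of Vault's SSH client signer so sshd can trust the
# certificates it issues (referenced by TrustedUserCAKeys below).
- name: Curl SSH trusted CA
  ansible.builtin.get_url:
    url: https://vault.ducoterra.net/v1/ssh-client-signer/public_key
    dest: /etc/ssh/trusted-user-ca-keys.pem
    owner: root
    group: root
    mode: '0660'
  become: true

# sshd keeps the first value it obtains for each keyword, so a drop-in under
# /etc/ssh/sshd_config.d/ (e.g. a distro or cloud-init file that sets
# PasswordAuthentication yes) takes precedence over the hardening below.
# Audit that directory, or move the Include after these directives, if the
# intent is that this file always wins.
- name: Create sshd_config file
  ansible.builtin.copy:
    dest: "/etc/ssh/sshd_config"
    content: |
      Include /etc/ssh/sshd_config.d/*.conf
      PasswordAuthentication no
      ChallengeResponseAuthentication no
      UsePAM yes
      KbdInteractiveAuthentication no
      X11Forwarding yes
      PrintMotd no
      AcceptEnv LANG LC_*
      Subsystem sftp /usr/lib/openssh/sftp-server
      TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
    owner: root
    group: root
    mode: '0644'
    # Syntax-check the rendered file before it replaces the live config; a
    # broken sshd_config would otherwise lock out remote access on restart.
    validate: /usr/sbin/sshd -t -f %s
  become: true
  # Recorded so the service task can restart only when the file changed.
  register: sshd_config

# Restart only on a config change so repeated runs stay idempotent and do not
# drop active sessions; always ensure the unit is enabled and running.
# NOTE(review): the unit is named `ssh` on Debian-family hosts (the sftp-server
# path above suggests one); confirm `sshd` resolves as an alias on the target.
- name: Ensure ssh service started
  ansible.builtin.systemd:
    name: sshd
    state: "{{ 'restarted' if sshd_config is changed else 'started' }}"
    daemon_reload: true
    enabled: true
  become: true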