---
- name: Ensure SSH server is installed
  ansible.builtin.package:
    name: openssh-server
    state: present

- name: Ensure SSH daemon is enabled
  ansible.builtin.service:
    name: sshd
    enabled: true

# TODO: Prepare for /etc/ssh/sshd_config.d/* style of configuration
- name: SSH daemon configuration - global
  block:
    - name: SSH daemon configuration - base
      ansible.builtin.template:
        src: "etc/ssh/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-sshd_config.j2"
        dest: "/etc/ssh/sshd_config"
        owner: root
        group: root
        mode: '0600'
        validate: /usr/sbin/sshd -t -f %s
        backup: true
      notify: restart_sshd
      when:
        - ansible_distribution_major_version == '8'

    - name: Ensure sshd_config.d dir exists
      ansible.builtin.file:
        state: directory
        path: "/etc/ssh/sshd_config.d"
        owner: root
        group: root
        mode: '0700'
      notify: restart_sshd

    - name: Ensure an empty file exists
      ansible.builtin.file:
        state: touch
        path: "/etc/ssh/sshd_config.d/99-end.conf"
        owner: root
        group: root
        mode: '0600'
      notify: restart_sshd
      when:
        - ansible_distribution_major_version == '8'

    - name: Default Modular Configuration
      when:
        - (ansible_facts['distribution'] == 'Fedora') or
          (ansible_facts['distribution'] in el_distro_name and ansible_facts['distribution_major_version']|int >= 9)
      block:
        #- name: Modular configuration (redhat)
        #  template:
        #    src: "etc/ssh/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-50-redhat.conf.j2"
        #    dest: "{{ ssh_modular_config }}"
        #    owner: root
        #    group: root
        #    mode: '0600'
        #    validate: /usr/sbin/sshd -t -f %s
        #    backup: yes
        #  notify: restart_sshd

        - name: Custom Modular Configuration
          ansible.builtin.template:
            src: "etc/ssh/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-02-infra.conf.j2"
            dest: "/etc/ssh/sshd_config.d/02-infra.conf"
            owner: root
            group: root
            mode: '0600'
            validate: /usr/sbin/sshd -t -f %s
            backup: true
          notify: restart_sshd

  rescue:
    - name: Print errors for configuration and validation
      ansible.builtin.debug:
        msg: "Error in SSH daemon configuration or template"

- name: SSH banner
  ansible.builtin.copy:
    src: "etc/rockybanner"
    dest: "/etc/banner"
    owner: root
    group: root
    mode: '0644'
  notify: restart_sshd

- name: Remove DSA keys
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  with_items:
    - /etc/ssh/ssh_host_dsa_key.pub
    - /etc/ssh/ssh_host_dsa_key
...