- name: SSH | configure root login restrictions
  template:
    src: sshd_root_conf.j2
    dest: /etc/ssh/sshd_config.d/root.conf
    mode: '0644'
    validate: /usr/sbin/sshd -t -f %s
  when: ssh_root_authorized_ips is defined
  register: sshd_conf_changes

- name: SSH | configure root authorized keys
  template:
    src: root_authorized_keys.j2
    dest: "{{ ssh_root_authorized_keys_file | default('/root/.ssh/authorized_keys') }}"
    owner: root
    group: root
    mode: '0600'
  when: ssh_root_authorized_keys is defined

- name: SSH | test SSH configuration
  command: /usr/sbin/sshd -t
  register: sshd_config_check
  changed_when: false
  when: sshd_conf_changes.changed

- name: SSH | reload SSH service
  service:
    name: ssh
    state: reloaded
  when: 
    - sshd_conf_changes.changed
    - sshd_config_check.rc == 0