users/tasks/sshd.yml
2024-12-17 17:48:17 +01:00


This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
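# Hardening task: set "PermitRootLogin no" in the main sshd_config.
#
# The pattern covers an active or commented-out directive, leading
# whitespace, tab or multi-space separators, and every value that still
# lets root authenticate (including forced-commands-only). A pattern that
# only matches an active, single-space "PermitRootLogin <value>" line is a
# silent no-op on a stock config where the directive is commented out.
#
# Limits a reviewer should keep in mind:
# - If the file has no PermitRootLogin line at all, nothing is replaced
#   and sshd's built-in default stays in force.
# - sshd keeps the first value it reads for a keyword, so a drop-in pulled
#   in by an earlier Include line can still override this setting.
# - Every matching line is rewritten, including one inside a Match block.
- name: user | disable SSH access for root
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '^[ \t]*#?[ \t]*PermitRootLogin[ \t]+(yes|without-password|prohibit-password|forced-commands-only)\b'
    replace: "PermitRootLogin no"
    # Parse the candidate file with sshd before it replaces the live
    # config, so a broken edit cannot lock out SSH access.
    validate: '/usr/sbin/sshd -T -f %s'
  # NOTE(review): "reload shd" looks like a typo; the disabled tasks in this
  # file notify "reload SSH". The handler definitions are not visible here.
  # Confirm the name matches an existing handler, otherwise sshd is never
  # reloaded and the running daemon keeps the old setting. The forge also
  # flagged invisible Unicode characters in this file; check this string
  # and the regexp for them.
  notify: reload shd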
#- name: user | verify AllowUsers directive
# command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
# changed_when: False
# failed_when: False
# register: grep_allowusers_ssh
#
#- name: "add AllowUsers sshd directive"
# lineinfile:
# dest: /etc/ssh/sshd_config
# line: "\nAllowUsers "
# insertafter: 'Subsystem'
# validate: '/usr/sbin/sshd -T -f %s'
# register: allowusers_added
# when: grep_allowusers_ssh.rc != 0
#- name: "append username to AllowUsers sshd directive"
# replace:
# dest: /etc/ssh/sshd_config
# regexp: '^(AllowUsers(?!.*\b{{ item.key }}\b).*)$'
# replace: '\1 {{ item.key }}'
# validate: '/usr/sbin/sshd -T -f %s'
# with_dict: "{{ user.name }}"
# when: allowusers_added
# notify: "reload SSH"