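---
# SSH hardening and host-key collection tasks.
#
# Opens the firewall for SSH, disables password logins in sshd_config,
# then copies each host's public host keys to the controller and runs a
# local makefile target ("dns") over them.

# NOTE(review): `rule: allow` accepts SSH from any source at any rate.
# If exposure to the internet is intended, consider `rule: limit` or a
# source restriction (`from_ip`) -- left unchanged here.
- name: Allow ssh on firewall
  ufw:
    rule: allow
    port: "22"
    proto: tcp

# sshd uses the first value it reads for each keyword, so an earlier
# `PasswordAuthentication yes` (including one pulled in by an `Include`
# near the top of the file) would still win over the line managed here.
# NOTE(review): confirm no drop-in under /etc/ssh/sshd_config.d/ sets it.
# NOTE(review): keyboard-interactive authentication can still prompt for
# a password through PAM; check whether it needs disabling as well.
- name: Disable password authentication on ssh
  lineinfile:
    path: /etc/ssh/sshd_config
    # \s instead of a literal space so a tab-separated directive is
    # replaced rather than left in place above an appended duplicate.
    regexp: '^PasswordAuthentication\s'
    line: "PasswordAuthentication no"
    # Refuse to install a config that sshd cannot parse; a broken file
    # plus the restart handler would lock out remote access.
    validate: "/usr/sbin/sshd -t -f %s"
  notify: restart ssh

# Read-only, so it never reports a change and also runs in check mode;
# the following tasks need the registered output either way.
- name: Collect ssh host keys
  command: "cat /etc/ssh/ssh_host_{{ item | quote }}_key.pub"
  loop: "{{ ssh_host_key_types }}"
  register: ssh_host_keys
  changed_when: false
  check_mode: false

# NOTE(review): ansible_fqdn is a fact reported by the managed host, and
# below it becomes part of a path created on the controller. A value the
# controller defines (inventory_hostname) would be safer; not changed
# here because it would move the existing key directories.
- name: Create directory for host keys locally
  local_action:
    module: file
    path: "{{ global_ssh_host_key_directory }}/{{ ansible_fqdn }}"
    state: directory
    owner: "{{ global_local_user }}"
    group: "{{ global_local_user }}"
    mode: "u=rwx,g=rx,o=rx"

# The keys stored here are whatever the connected host returned over the
# current SSH session, so they are only as trustworthy as the host-key
# check that protected that session.
- name: Store ssh host keys locally
  local_action:
    module: copy
    content: "{{ item.stdout }}\n"
    dest: "{{ global_ssh_host_key_directory }}/{{ ansible_fqdn }}/{{ item.item }}"
    owner: "{{ global_local_user }}"
    group: "{{ global_local_user }}"
    mode: "u=rw,g=r,o=r"
  loop: "{{ ssh_host_keys.results }}"
  loop_control:
    # Show only the key type instead of the full registered result.
    label: "{{ item.item }}"

# Runs the helper makefile's `dns` target inside the per-host key
# directory. NOTE(review): presumably this emits SSHFP records; clients
# should only trust those when the zone is DNSSEC-signed -- confirm.
- name: Generate ssh host key dns fingerprints locally
  local_action:
    module: make
    chdir: "{{ global_ssh_host_key_directory }}/{{ ansible_fqdn }}"
    file: "{{ playbook_dir }}/helpers/ssh_dns_fingerprints.makefile"
    target: dns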