Group controls, hostkey protection, and typo correction in SSH

roles/SSH/tasks/main.yml

@@ -10,7 +10,7 @@
  - name: SSH Config
    become: yes
    copy: 
-       src: sshd_config
+       src: ssh_config
        dest: /etc/ssh/ssh_config
 
  - name: SSHD Config
@@ -19,3 +19,30 @@
        src: sshd_config
        dest: /etc/ssh/sshd_config
 
+ - name: Mark SSH keys as immutable
+   become: yes
+   file:
+       path: "{{ item }}" 
+       attributes: i
+   loop: 
+       - /etc/ssh/ssh_host_ed25519_key
+       - /etc/ssh/ssh_host_ed25519_key.pub
+       - /etc/ssh/ssh_host_rsa_key
+       - /etc/ssh/ssh_host_rsa_key.pub
+
+ - name: Add SSH control groups
+   become: yes
+   group: 
+       name: "{{ item }}"
+       state: present
+   loop: 
+       - ssh-allow
+       - ssh-forward
+       - sftp-home-jail
+
+ - name: Add SSH user to ssh-allow
+   become: yes
+   user: 
+       name: "{{ ansible_user_id }}"
+       groups: ssh-allow
+       append: yes