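---
# OpenSSH provisioning tasks: install the packages, pin the host keys,
# create the access-control groups, authorise the deploy key, install the
# client and server configuration, and restart the daemon when the server
# configuration changed.

- name: SSH (ArchLinux)
  become: true
  when: ansible_os_family == "Archlinux"
  package:
    state: present
    name:
      - openssh

- name: SSH (Raspbian)
  become: true
  when: ansible_os_family == "Debian"
  package:
    state: present
    name:
      - openssh-server
      - openssh-client

# The immutable attribute stops even root from replacing or deleting the
# host keys until it is cleared again, so a deliberate host-key rotation
# has to remove the attribute first.
# NOTE(review): only the ed25519 and rsa keys are listed; confirm that no
# other host key type is enabled in the shipped sshd_config.
- name: Mark SSH keys as immutable
  become: true
  file:
    path: "{{ item }}"
    attributes: 'i'
  loop:
    - /etc/ssh/ssh_host_ed25519_key
    - /etc/ssh/ssh_host_ed25519_key.pub
    - /etc/ssh/ssh_host_rsa_key
    - /etc/ssh/ssh_host_rsa_key.pub

# NOTE(review): these groups are presumably referenced by the sshd_config
# copied below (login, forwarding and SFTP-jail policy); that file is not
# visible here, so verify the names match.
- name: Add SSH control groups
  become: true
  group:
    name: "{{ item }}"
    state: present
  loop:
    - ssh-allow
    - ssh-forward
    - sftp-home-jail

# append: true keeps the user's existing supplementary groups.
- name: Add SSH user to ssh-allow
  become: true
  user:
    name: "{{ ansible_user_id }}"
    groups: ssh-allow
    append: true

# The lookups run on the control node: the public key is read from the
# operator's $HOME/.ssh/deploy.pub and added for the connecting user.
- name: Copy the SSH key
  authorized_key:
    user: "{{ ansible_user_id }}"
    state: present
    key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/deploy.pub') }}"

# Client configuration must stay world-readable but only root-writable.
- name: SSH Config
  become: true
  copy:
    src: ssh_config
    dest: /etc/ssh/ssh_config
    owner: root
    group: root
    mode: "0644"

# Created before the server configuration is installed so that any Include
# of this directory resolves when the new file is validated.
# The file module takes `owner`, not `user`; the mode is quoted so it is
# never subject to YAML integer typing.
- name: Allow SSHD Includes
  become: true
  file:
    path: /etc/ssh/includes
    state: directory
    owner: root
    group: root
    mode: "0755"

# validate runs `sshd -t` against the staged copy; a file that does not
# parse is never moved into place, so a bad template cannot lock the host
# out on the next restart.
- name: SSHD Config
  become: true
  register: sshd_config
  copy:
    src: sshd_config
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0600"
    validate: /usr/sbin/sshd -t -f %s

# NOTE(review): `enabled` is only enforced on runs where sshd_config
# changed; a host whose config already matches is not re-enabled here.
- name: Restart SSHD (ArchLinux)
  become: true
  when: ansible_os_family == "Archlinux" and sshd_config is changed
  service:
    name: sshd
    state: restarted
    enabled: true

- name: Restart SSHD (Raspbian)
  become: true
  when: ansible_os_family == "Debian" and sshd_config is changed
  service:
    name: ssh
    state: restarted
    enabled: true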