- name: Disable root login with password
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin'
    line: 'PermitRootLogin without-password'
    state: present
#TODO: use handler to reload ssh

- name: Create root .ssh
  file:
    path: /root/.ssh
    owner: root
    group: root
    mode: 0700
    state: directory
  when: sshd_enabled

- name: Install dummy root keys as placeholder
  copy:
    src: dummy_authorized_keys
    dest: /root/.ssh/authorized_keys
    owner: root
    group: root
    mode: 0600
    force: no
  when: sshd_enabled

- name: Enable & start sshd
  service:
    name: "{{ sshd_service }}"
    enabled: yes
    state: started
  when: sshd_enabled

- name: Disable sshd
  service:
    name: "{{ sshd_service }}"
    enabled: no
    state: stopped
  when: not sshd_enabled