evolix-users: disable root ssh login by default

evolinux-users/defaults/main.yml

@@ -1,3 +1,4 @@
 ---
 evolinux_users: {}
 evolinux_sudo_group: "evolinux-sudo"
+evolinux_root_disable_ssh: True

evolinux-users/tasks/main.yml

@@ -15,3 +15,6 @@
     user: "{{ item.value }}"
   with_dict: "{{ evolinux_users }}"
   when: evolinux_users != {}
+
+- include: root_disable_ssh.yml
+  when: evolinux_root_disable_ssh

evolinux-users/tasks/root_disable_ssh.yml

@@ -0,0 +1,16 @@
+---
+
+- name: disable root login
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^PermitRootLogin (yes|without-password)'
+    replace: "PermitRootLogin no"
+  notify: reload sshd
+
+- name: remove root from AllowUsers directive
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
+    replace: '\1\4'
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd