Move PermitRootLogin to another file

Debian >= 12.

evolinux-base/tasks/root.yml

@@ -97,7 +97,21 @@
     replace: "PermitRootLogin no"
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
-  when: evolinux_root_disable_ssh | bool
+  when:
+    - evolinux_root_disable_ssh | bool
+    - ansible_distribution_major_version is version('11', '<=')
+
+- name: disable SSH access for root (Debian <= 12)
+  replace:
+    path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
+    line: "PermitRootLogin no"
+    create: yes
+    validate: '/usr/sbin/sshd -t -f %s'
+  notify: reload sshd
+  when:
+    - evolinux_root_disable_ssh | bool
+    - ansible_distribution_major_version is version('12', '>=')
+
 
 ### Disabled : it seems useless and too dangerous for now
 # - name: remove root from AllowUsers directive

evolinux-users/tasks/ssh.yml

@@ -2,7 +2,7 @@
 
 - name: verify AllowGroups directive
   ansible.builtin.command:
-    cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
+    cmd: "grep -Er '^AllowGroups' /etc/ssh"
   changed_when: False
   failed_when: False
   check_mode: no
@@ -14,7 +14,7 @@
 
 - name: verify AllowUsers directive
   ansible.builtin.command:
-    cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
+    cmd: "grep -Er '^AllowUsers' /etc/ssh"
   changed_when: False
   failed_when: False
   check_mode: no
@@ -62,6 +62,19 @@
     regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
     replace: "PermitRootLogin no"
   notify: reload sshd
-  when: evolinux_root_disable_ssh | bool
+  when:
+    - evolinux_root_disable_ssh | bool
+    - ansible_distribution_major_version is version('11', '<=')
+
+- name: disable root login (Debian <= 12)
+  replace:
+    path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
+    line: "PermitRootLogin no"
+    create: yes
+    validate: '/usr/sbin/sshd -t -f %s'
+  notify: reload sshd
+  when:
+    - evolinux_root_disable_ssh | bool
+    - ansible_distribution_major_version is version('12', '>=')
 
 - ansible.builtin.meta: flush_handlers