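---
# Hardens /etc/ssh/sshd_config so that root cannot log in over SSH.
# Both tasks edit the file in place and notify the "reload sshd" handler,
# which must be defined elsewhere in the role or play.
#
# Scope: only active (uncommented) directives in this one file are rewritten.
# If PermitRootLogin is absent or commented out, sshd falls back to its
# built-in default, and sshd keeps the first value it reads for a keyword, so
# a setting in an Include'd drop-in or a Match block is not changed here.
# Confirm the effective value with `sshd -T` on the target.

- name: disable root login
  replace:
    dest: /etc/ssh/sshd_config
    # Covers every value that still lets root in: "yes", the key-only modes
    # "prohibit-password" (and its older alias "without-password"), and
    # "forced-commands-only". [ \t] is used rather than \s so the match can
    # never span a line break.
    regexp: '^[ \t]*PermitRootLogin[ \t]+(yes|without-password|prohibit-password|forced-commands-only)\b'
    replace: 'PermitRootLogin no'
    # Check the rewritten file with sshd before it replaces the live config,
    # so a broken edit cannot lock out remote access on the next reload.
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd

- name: remove root from AllowUsers directive
  replace:
    dest: /etc/ssh/sshd_config
    # Removes one whole "root" or "root@host" entry per AllowUsers line per
    # run; a line listing root more than once converges over repeated runs.
    #   - Entries are matched as whitespace-delimited tokens, so accounts
    #     whose names merely contain "root" (e.g. "rootless") are untouched.
    #   - The leading negative lookahead skips a line whose only entry is
    #     root, so the task never leaves an AllowUsers line with no users.
    #     Handle that case explicitly if it can occur on your hosts.
    #   - Wildcard or negated patterns that could still match root (such as
    #     "*" or "r*") are not detected; review those by hand.
    regexp: '^(?!AllowUsers[ \t]+root(?:@\S+)?[ \t]*$)(AllowUsers(?:[ \t]+(?!root(?:@\S+)?(?:[ \t]|$))\S+)*)[ \t]+root(?:@\S+)?(?=[ \t]|$)(.*)$'
    # \1 = "AllowUsers" plus the entries before root, \2 = everything after.
    replace: '\1\2'
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd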