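---
# Harden sshd: refuse direct root logins over SSH.
#
# The replace module only rewrites lines that already match, so this task
# changes an explicit, uncommented PermitRootLogin directive set to one of the
# values listed in the regexp. It does not add the directive when it is
# missing or commented out, and it leaves `forced-commands-only` untouched.
# NOTE(review): in those cases sshd keeps its built-in default; confirm the
# effective value on the host (`sshd -T` prints it), including any setting
# coming from files pulled in by an Include directive.
- name: disable root login
  replace:
    dest: /etc/ssh/sshd_config
    # [ \t] rather than \s so the match cannot run across line breaks.
    # Leading indentation is captured and restored, and any run of spaces or
    # tabs between keyword and value is accepted; \b stops the match at the
    # end of the value.
    regexp: '^([ \t]*)PermitRootLogin[ \t]+(yes|without-password|prohibit-password)\b'
    replace: '\1PermitRootLogin no'
    # Have sshd parse the edited copy before it replaces the live file, so a
    # broken config never reaches the reload handler.
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd

### Disabled : it seems useless and too dangerous for now
# - name: remove root from AllowUsers directive
#   replace:
#     dest: /etc/ssh/sshd_config
#     regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
#     replace: '\1\4'
#     validate: '/usr/sbin/sshd -T -f %s'
#   notify: reload sshd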