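---
# SSH daemon hardening: public-key-only authentication, with the root login
# policy chosen per host depending on whether the host looks like Proxmox VE.
#
# Review notes for operators:
# - The drop-in only takes effect if the main sshd_config pulls in
#   /etc/ssh/sshd_config.d/*.conf through an Include directive; nothing in
#   these tasks adds or checks that directive.
# - sshd keeps the first value it reads for each keyword, and a globbed
#   Include is processed in lexical order. A lower-numbered drop-in that sets
#   the same keywords is therefore read before this 99- file and takes
#   precedence. Compare against the effective configuration (`sshd -T`) after
#   rollout.
# - Password and keyboard-interactive logins are switched off here, so every
#   host needs a working authorized key before the "Restart SSH" handler
#   (not defined in this file) runs.

# The presence of the pveversion binary is the only Proxmox signal used.
- name: Detect if system is Proxmox
  ansible.builtin.stat:
    path: /usr/bin/pveversion
  register: proxmox_check

# Ownership is pinned to root and group/other write access is removed. The
# mode is symbolic on purpose: forcing an octal mode such as 0755 would loosen
# the directory on systems that ship it with tighter permissions.
- name: Ensure sshd_config.d exists
  ansible.builtin.file:
    path: /etc/ssh/sshd_config.d
    state: directory
    owner: root
    mode: 'go-w'

# `validate` runs against the rendered snippet on its own before it replaces
# the destination, so it catches syntax errors in this file but does not test
# the merged configuration. The `sshd` binary is resolved through the remote
# PATH.
#
# Root login: fully disabled on ordinary hosts; on hosts detected as Proxmox,
# root may still log in with a key but never with a password.
# NOTE(review): presumably kept because Proxmox tooling relies on root SSH;
# confirm.
- name: Deploy SSH hardening config
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config.d/99-ansible-hardening.conf
    owner: root
    mode: '0644'
    content: |
      PasswordAuthentication no
      ChallengeResponseAuthentication no
      PubkeyAuthentication yes
      AuthenticationMethods publickey
      UsePAM yes
      {% if not proxmox_check.stat.exists %}
      PermitRootLogin no
      {% else %}
      PermitRootLogin prohibit-password
      {% endif %}
    validate: 'sshd -t -f %s'
  notify: Restart SSH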