---
# Play: run the harden_ssh_root_key_only role against every inventory host,
# with privilege escalation and fact gathering enabled.
# The role itself is not in this file, so what it writes to sshd_config, the
# drop-in directory and root's authorized_keys must be reviewed there.
# NOTE(review): confirm the role validates the new sshd configuration before
# reloading sshd, so that a bad template cannot lock out every host at once.
- name: Harden SSH on all inventory hosts
  hosts: all
  become: true
  gather_facts: true

  vars:
    # File locations handed to the role (presumably paths on the managed host).
    sshd_config_path: '/etc/ssh/sshd_config'
    sshd_dropin_dir: '/etc/ssh/sshd_config.d'
    root_authorized_keys_path: '/root/.ssh/authorized_keys'

    # Lookups run on the control node, so HOME is the operator's home there.
    # The key file name is fixed to id_rsa.pub; an operator who only has
    # another key type will not have this file.
    local_public_key_path: "{{ lookup('env', 'HOME') }}/.ssh/id_rsa.pub"

    # Bootstrap connection settings are read from the control node's
    # environment, so no credential is stored in this file.
    # default(..., true) also replaces an empty string, which is what
    # lookup('env', ...) returns for an unset variable.
    # Play vars take precedence over inventory variables, so a per-host
    # ansible_user set in the inventory is overridden here.
    ansible_user: "{{ lookup('env', 'BOOTSTRAP_ROOT_USER') | default('root', true) }}"

    # NOTE(review): `omit` is documented for module arguments. Confirm that,
    # with the environment variable unset, these two variables end up unset
    # rather than holding Ansible's omit placeholder string as a password.
    # Password-based SSH uses sshpass on the control node; leave host key
    # checking enabled so the bootstrap password only goes to known hosts.
    ansible_password: "{{ lookup('env', 'BOOTSTRAP_ROOT_PASSWORD') | default(omit, true) }}"
    ansible_become_password: "{{ lookup('env', 'BOOTSTRAP_BECOME_PASSWORD') | default(omit, true) }}"

  roles:
    - role: harden_ssh_root_key_only