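---
# Hardens the OpenSSH server configuration of a target system mounted under
# /mnt (an image or chroot build, judging by the `{{ chroot_command }}` prefix
# used below — assumption, confirm with the calling play).
#
# Ordering note: sshd applies the FIRST occurrence of a directive, and every
# line after a `Match` line belongs to that Match block. Both tasks that edit
# sshd_config therefore insert new lines at the beginning of the file instead
# of appending at EOF, so a trailing Match block cannot capture them (several
# directives below — KexAlgorithms, Ciphers, MACs, MaxStartups, LoginGraceTime
# — are not permitted inside a Match block and would stop sshd from starting).
# On distributions whose sshd_config starts with
# `Include /etc/ssh/sshd_config.d/*.conf`, lines inserted at BOF also take
# precedence over the included drop-ins, whereas a directive that merely
# replaces an existing (commented) line below the Include does not — verify
# the rendered file on the target distribution.
#
# No `validate:` is used: the host-side temp path that lineinfile/blockinfile
# substitute for `%s` is not visible inside the chroot. Run `sshd -t` in the
# target after these tasks to confirm the result parses.

- name: Adjust SSHD config
  ansible.builtin.lineinfile:
    path: /mnt/etc/ssh/sshd_config
    # Matches an active or commented-out ("#Option value") line for the
    # directive. lineinfile replaces only the LAST matching line, and the
    # match is case-sensitive although sshd keywords are not; a second,
    # differently-cased or earlier active occurrence would still win in sshd.
    regexp: '^\s*#?{{ item.option }}\s+.*$'
    line: "{{ item.option }} {{ item.value }}"
    # When the directive is absent, insert at the top of the file (see the
    # ordering note above) rather than the default EOF append.
    insertbefore: BOF
  loop:
    # Values that YAML would retype (yes/no → bool, "60" → int, "10:30:60" →
    # sexagesimal int on YAML 1.1 parsers) are quoted so sshd receives the
    # literal text.
    - { option: LogLevel, value: VERBOSE }
    - { option: LoginGraceTime, value: "60" }
    - { option: PermitRootLogin, value: "no" }
    - { option: StrictModes, value: "yes" }
    - { option: MaxAuthTries, value: "4" }
    - { option: MaxSessions, value: "10" }
    - { option: MaxStartups, value: "10:30:60" }
    - { option: PubkeyAuthentication, value: "yes" }
    - { option: HostbasedAuthentication, value: "no" }
    - { option: IgnoreRhosts, value: "yes" }
    - { option: PasswordAuthentication, value: "no" }
    - { option: PermitEmptyPasswords, value: "no" }
    - { option: KerberosAuthentication, value: "no" }
    - { option: GSSAPIAuthentication, value: "no" }
    - { option: AllowAgentForwarding, value: "no" }
    - { option: AllowTcpForwarding, value: "no" }
    - { option: KbdInteractiveAuthentication, value: "no" }
    - { option: GatewayPorts, value: "no" }
    - { option: X11Forwarding, value: "no" }
    - { option: PermitUserEnvironment, value: "no" }
    - { option: ClientAliveInterval, value: "300" }
    - { option: ClientAliveCountMax, value: "1" }
    - { option: PermitTunnel, value: "no" }
    # Path as seen by sshd inside the target, not under /mnt.
    - { option: Banner, value: /etc/issue.net }

- name: Detect target OpenSSH version
  # Reads the version from the target's own ssh binary (through the chroot
  # wrapper) so the KEX selection below matches the sshd that will actually
  # run; assumes client and server packages share a version. `grep -P`
  # requires GNU grep on the managed host.
  ansible.builtin.shell: >-
    set -o pipefail &&
    {{ chroot_command }} ssh -V 2>&1 | grep -oP 'OpenSSH_\K[0-9]+\.[0-9]+'
  args:
    executable: /bin/bash
  register: cis_sshd_openssh_version
  changed_when: false
  # Best effort: a missing binary or an unexpected banner leaves stdout empty,
  # which the next task treats as "no ML-KEM support".
  failed_when: false

- name: Append CIS specific configurations to sshd_config
  # `AllowUsers *` / `AllowGroups *` satisfy a "directive is configured" check
  # but restrict nothing; replace the wildcard with the accounts/groups that
  # actually need SSH access on this system.
  vars:
    # The hybrid ML-KEM KEX (mlkem768x25519-sha256) exists in OpenSSH >= 9.9.
    # default(..., true) also covers an EMPTY stdout from the soft-failed
    # detection task; plain default() only replaces an undefined value, and
    # the version test errors on an empty string.
    cis_sshd_has_mlkem: "{{ (cis_sshd_openssh_version.stdout | default('0.0', true) is version('9.9', '>=')) }}"
    cis_sshd_kex: >-
      {{ (['mlkem768x25519-sha256'] if cis_sshd_has_mlkem | bool else [])
      + ['curve25519-sha256@libssh.org', 'ecdh-sha2-nistp521',
      'ecdh-sha2-nistp384', 'ecdh-sha2-nistp256'] }}
  ansible.builtin.blockinfile:
    path: /mnt/etc/ssh/sshd_config
    marker: "# {mark} CIS SSH HARDENING"
    # Insert at the top of the file rather than appending (see the ordering
    # note above). On re-runs the existing marker block is updated in place.
    insertbefore: BOF
    block: |-
      ## CIS Specific
      ### Ciphers and keying ###
      RekeyLimit 512M 6h
      KexAlgorithms {{ cis_sshd_kex | join(',') }}
      Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
      ###########################
      AllowStreamLocalForwarding no
      PermitUserRC no
      AllowUsers *
      AllowGroups *
      DenyUsers nobody
      DenyGroups nobody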