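---
# Bootstrap-only: permissive SSH for initial Ansible access.
# Post-bootstrap hardening (key-only, no root login) is handled by the linux role.
#
# Both tasks edit the sshd_config under /mnt, not the running system's
# /etc/ssh/sshd_config (presumably /mnt is the mounted root of the system
# being installed; confirm against the calling play).
#
# Layout: the task list must start on its own lines. Anything that follows
# "#" on the "---" line is a YAML comment, and the file would then define
# no tasks at all.
#
# Security: after these tasks the target accepts password logins, including
# for root. Keep the host off untrusted networks until the linux role has
# run, and check that the hardening was actually applied (for example by
# inspecting the effective configuration with `sshd -T`).
#
# NOTE(review): sshd uses the first value it obtains for each keyword, so an
# earlier uncommented line in this file, or a drop-in pulled in by an
# Include directive, can override what is written here. Confirm what the
# base image ships.

# lineinfile rewrites the last line matching the regexp (commented out or
# not) and appends the line when nothing matches.
- name: Ensure SSH password authentication is enabled
  ansible.builtin.lineinfile:
    path: /mnt/etc/ssh/sshd_config
    regexp: "^#?PasswordAuthentication\\s+"
    line: "PasswordAuthentication yes"

# replace rewrites every matching line but adds nothing when no line
# matches; in that case sshd's built-in default stays in effect.
# NOTE(review): if the setting must be guaranteed, lineinfile (as in the
# task above) would also cover a file that lacks the keyword.
- name: SSH permit root login
  ansible.builtin.replace:
    path: /mnt/etc/ssh/sshd_config
    regexp: "^#?PermitRootLogin.*"
    replace: "PermitRootLogin yes"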