---

- name: Ensure sshd config options set correctly
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#?{{ item.key }} .*$"
    line: "{{ item.key }} {{ item.value }}"
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  notify: Restart ssh
  with_dict:
    PermitRootLogin: 'prohibit-password'
    PasswordAuthentication: "{{ 'yes' if sshd_password_auth else 'no' }}"
    X11Forwarding: "{{ 'yes' if sshd_x11_forwarding else 'no' }}"