infra/roles/sshd/tasks/sshd.yml

---

- name: install fail2ban and ensure openssh-server is installed
  apt:
    name:
      - openssh-server
      - fail2ban
    state: latest
    update_cache: true
  tags:
    - packages

- name: template sshd_config
  template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: '0644'
  tags:
    - sshd_config
  notify:
    - reload ssh

- name: fail2ban config
  template:
    src: "{{ item }}.j2"
    dest: /etc/fail2ban/{{ item }}
    owner: root
    group: root
    mode: '0644'
  with_items:
    - fail2ban.conf
    - jail.conf
    - jail.d/sudois-defaults.conf
  tags:
    - fail2ban
    - fail2ban-config
  notify:
    - reload fail2ban