From 41f491a0bd63ce979bf084988082a688d3632f89 Mon Sep 17 00:00:00 2001
From: D025 EOD
Date: Wed, 6 Mar 2024 15:29:36 +0200
Subject: [PATCH] feat: move ssh password auth to dedicated task (#3)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## What ❔ Move task for disabling SSH password auth to dedicated task ## Why ❔ For more transparency ## Checklist - [x] PR title corresponds to the body of PR (we generate changelog entries from PRs). - [x] Documentation comments have been added / updated.
---
 tasks/firewall.yml | 13 -------------
 tasks/main.yml | 4 ++++
 tasks/ssh-config.yml | 11 +++++++++++
 3 files changed, 15 insertions(+), 13 deletions(-)
 create mode 100644 tasks/ssh-config.yml
diff --git a/tasks/firewall.yml b/tasks/firewall.yml
index ba1fae6..ad5dbda 100644
--- a/tasks/firewall.yml
+++ b/tasks/firewall.yml
@@ -65,16 +65,3 @@
 ip_version: ipv6
 state: saved
 path: /etc/iptables/rules.v6
-
-- name: Disable SSH password authentication
- when: disable_ssh_password_auth
- ansible.builtin.lineinfile:
- path: /etc/ssh/sshd_config
- regexp: '^#PasswordAuthentication yes'
- line: 'PasswordAuthentication no'
-
-- name: Restart ssh
- when: disable_ssh_password_auth
- ansible.builtin.service:
- name: ssh
- state: restarted
diff --git a/tasks/main.yml b/tasks/main.yml
index a705f30..cf19627 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -3,5 +3,9 @@
 ansible.builtin.include_tasks: firewall.yml
 when: use_predefined_iptables
+- name: Disable SSH password auth
+ ansible.builtin.include_tasks: ssh-config.yml
+ when: disable_ssh_password_auth
+
 - name: Prepare configs
 ansible.builtin.include_tasks: provision.yml
diff --git a/tasks/ssh-config.yml b/tasks/ssh-config.yml
new file mode 100644
index 0000000..8d60aa3
--- /dev/null
+++ b/tasks/ssh-config.yml
@@ -0,0 +1,11 @@
+---
+- name: Disable SSH password authentication
+ ansible.builtin.lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^#PasswordAuthentication yes'
+ line: 'PasswordAuthentication no'
+
+- name: Restart ssh
+ ansible.builtin.service:
+ name: ssh
+ state: restarted
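Review bot: The `regexp: '^#PasswordAuthentication yes'` in the first task matches only the commented-out default, so on a host whose `sshd_config` already carries an active `PasswordAuthentication yes` (or a differently spaced comment) `lineinfile` finds no match and appends the new line at the end of the file. sshd uses the first value it reads for a keyword, so the earlier directive, or one from an included drop-in if the host has any, would still win and the play reports success while password logins stay enabled. Match the directive in either form, validate the edited file before it replaces the live one, and restart ssh only when the line actually changed instead of on every run. A final check of the effective configuration with `sshd -T` makes the role fail closed; the sketch below shows these changes.

```yaml
- name: Disable SSH password authentication
  ansible.builtin.lineinfile:
    # … unchanged: path …
    regexp: '^\s*#?\s*PasswordAuthentication\s'
    line: 'PasswordAuthentication no'
    validate: '/usr/sbin/sshd -t -f %s'
  register: sshd_password_auth

- name: Restart ssh
  # … unchanged: ansible.builtin.service block …
  when: sshd_password_auth is changed

- name: Verify password authentication is off in the effective config
  ansible.builtin.command: /usr/sbin/sshd -T
  register: sshd_effective
  changed_when: false
  failed_when: "'passwordauthentication no' not in sshd_effective.stdout"
```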