ansible-infra/roles/deploy_ssh_server_config/tasks/main.yaml

# Role and config created after: https://infosec.mozilla.org/guidelines/openssh
- name: deploy SSH server config
  become: true

  block:
    - name: deploy `sshd_config`
      ansible.builtin.template:
        force: true
        dest: /etc/ssh/sshd_config
        mode: "0644"
        owner: root
        group: root
        src: sshd_config.j2
      notify:
        - restart the ssh service

    - name: deactivate short moduli
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: |
          set -eo pipefail

          awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp
          if diff /etc/ssh/moduli /etc/ssh/moduli.tmp; then
            rm /etc/ssh/moduli.tmp
          else
            mv /etc/ssh/moduli.tmp /etc/ssh/moduli
            echo "ansible-changed: changed /etc/ssh/moduli"
          fi
      register: deploy_ssh_server_config__result
      changed_when:
        - '"ansible-changed" in deploy_ssh_server_config__result.stdout'
      notify:
        - restart the ssh service