ansible-infra/playbooks/roles/deploy_ssh_server_config/tasks/main.yaml

# Role and config created after: https://infosec.mozilla.org/guidelines/openssh
- name: deploy SSH server config
  become: true

  block:
  - name: deploy `sshd_config`
    ansible.builtin.copy:
      force: true
      dest: /etc/ssh/sshd_config
      mode: 0644
      owner: root
      group: root
      src: sshd_config
    register: deploy_ssh_server_config__ssh_config_copy_result

  - name: deactivate short moduli
    ansible.builtin.shell:
      cmd: awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli

  # Rebooting here instead of restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection.
  - name: reboot, if ssh server config got changed
    ansible.builtin.reboot:
    when: deploy_ssh_server_config__ssh_config_copy_result.changed