feat(sshd): dedicated sshd.d config file

Author: Laudenlaruto

tasks/ssh_cluster_config.yml

@@ -38,19 +38,35 @@
           Port {{ pve_ssh_port }}
       {% endfor %}
 
+- name: Ensure SSH config directory exists
+  ansible.builtin.file:
+    path: /etc/ssh/sshd_config.d
+    state: directory
+    mode: "0755"
+
 - name: Allow root logins from PVE cluster hosts
   ansible.builtin.blockinfile:
-    dest: /etc/ssh/sshd_config
+    dest: /etc/ssh/sshd_config.d/00-pve.conf
+    create: yes
+    mode: "0640"
     marker: "# {mark}: Allow root logins from PVE hosts (managed by ansible)."
     content: |
       {% for host in groups[pve_group] %}
       Match Address {{ hostvars[host].pve_cluster_ssh_addrs | join(",") }}
-      PermitRootLogin prohibit-password
+        PermitRootLogin prohibit-password
       {% endfor %}
     validate: "/usr/sbin/sshd -t -f %s"
   notify:
     - reload ssh server configuration
 
+- name: Remove SSH configuration from main sshd_config if present in favor of config in sshd_config.d
+  ansible.builtin.blockinfile:
+    path: /etc/ssh/sshd_config
+    marker: "# {mark}: Allow root logins from PVE hosts (managed by ansible)."
+    state: absent
+  notify:
+    - reload ssh server configuration
+    
 - name: Enable and start SSH server
   ansible.builtin.systemd:
     name: ssh.service