---
- name: Block root and password authentication
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '{{ item.regexp }}'
    line: '{{ item.line }}'
    validate: 'sshd -T -f %s'
    state: present
  with_items:
    - regexp: '^PasswordAuthentication'
      line: 'PasswordAuthentication no'
    - regexp: '^#PermitRootLogin'
      line: 'PermitRootLogin no'
  notify: Restart ssh