---
- name: Block root and password authentication
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '{{ item.regexp }}'
    line: '{{ item.line }}'
    validate: 'sshd -T -f %s'
    state: present
  with_items:
    - regexp: '^PasswordAuthentication'
      line: 'PasswordAuthentication no'
    - regexp: '^PermitRootLogin'
      line: 'PermitRootLogin no'
  notify: Restart ssh

- name: Install fail2ban
  apt:
    name: fail2ban
    state: present

- name: Configure fail2ban
  blockinfile:
    path: /etc/fail2ban/jail.local
    create: yes
    mode: 0644
    block: |
      [sshd]
      enabled = true
      filter = sshd
      #  notify: Restart fail2ban

- name: Turn fail2ban off for now
  service:
    name: fail2ban
    enabled: false
    state: stopped