---
- name: Configure SSH access
  tags: [ssh, server]
  become: true
  block:
    - name: Remove any PermitRootLogin instruction
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^PermitRootLogin"
        state: absent
      notify: restart ssh

    - name: Disable SSH root login
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^PermitRootLogin"
        line: "PermitRootLogin prohibit-password"
        state: present
      notify: restart ssh