Disables SSH access for root on demand

defaults/main.yml

@@ -18,6 +18,10 @@ ensure_ansible_version: 2.10.3
 enable_sudo: yes
 # Allow passwordless sudo (applied to group wheel)
 enable_passwordless_sudo: yes
+# Allow root to connect through SSH
+enable_ssh_for_root: yes
+# Allow root to connect only using public key authentication, no password
+enable_ssh_for_root_prohibit_password: no
 # Skip provisioning of the firewall
 skip_firewall: no
 authorized_keys_are_exclusive: false # Be careful, this will delete non-Ansible-managed authorized keys from the target!

handlers/main.yml

@@ -1,2 +1,7 @@
 ---
 # handlers file for common
+- name: Restart SSH
+  ansible.builtin.service:
+    name: ssh
+    state: restarted
+  become: true

tasks/users.yml

@@ -72,6 +72,38 @@
         files:
           - /etc/sudoers
           - /usr/local/etc/sudoers # e.g. FreeBSD
+
+    - name: 'Disable SSH for root'
+      lineinfile:
+        dest: "/etc/ssh/sshd_config"
+        state: present
+        regexp: '^#?\s*PermitRootLogin'
+        line: 'PermitRootLogin No'
+      notify: Restart SSH
+      when:
+        - enable_ssh_for_root | bool == false
+    
+    - name: 'Enable SSH for root through password or key'
+      lineinfile:
+        dest: "/etc/ssh/sshd_config"
+        state: present
+        regexp: '^#?\s*PermitRootLogin'
+        line: 'PermitRootLogin Yes'
+      notify: Restart SSH
+      when:
+        - enable_ssh_for_root | bool == true
+        - enable_ssh_for_root_prohibit_password | bool == false
+    
+    - name: 'Enable SSH for root through key only'
+      lineinfile:
+        dest: "/etc/ssh/sshd_config"
+        state: present
+        regexp: '^#?\s*PermitRootLogin'
+        line: 'PermitRootLogin prohibit-password'
+      notify: Restart SSH
+      when:
+        - enable_ssh_for_root | bool == true
+        - enable_ssh_for_root_prohibit_password | bool == true
   when:
     - enable_sudo
     - enable_passwordless_sudo