---
- name: Configure sshd
  become: true
  ansible.builtin.lineinfile:
    dest: "/etc/ssh/sshd_config"
    regexp: "{{ item.regex }}"
    line: "{{ item.line }}"
  notify: Restart sshd
  loop:
    - { regex: '^(#\s*)?PermitEmptyPasswords'  , line: 'PermitEmptyPasswords no' }
    - { regex: '^(#\s*)?PermitRootLogin'       , line: 'PermitRootLogin no' }
    - { regex: '^(#\s*)?PasswordAuthentication', line: 'PasswordAuthentication no' }
    - { regex: '^(#\s*)?UsePAM'                , line: 'UsePAM yes' }