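# SSH daemon configuration - Managed by Ansible
# See sshd_config(5) for more information
#
# Local edits are overwritten on the next Ansible run; change the role
# variables instead.
# NOTE(review): deploy this template with a validation step such as
# "sshd -t -f %s" on the template task, so a rendering mistake cannot replace a
# working config and lock out remote access.
# NOTE(review): yes/no style variables must reach this template as strings. An
# unquoted YAML yes/no is a boolean and renders as True/False, which sshd
# rejects. Confirm the role defaults quote them.

# Basic settings
Port {{ ssh_port }}
# Protocol is a legacy keyword: current OpenSSH servers speak only protocol 2
# and report the keyword as deprecated. Keep ssh_protocol at 2.
Protocol {{ ssh_protocol }}
# One ListenAddress line per entry. An empty list emits none, and sshd then
# listens on all local addresses.
{% for address in ssh_listen_addresses %}
ListenAddress {{ address }}
{% endfor %}

# Host keys
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
# Each directive is emitted only when its list is non-empty; otherwise sshd
# uses the defaults of the installed OpenSSH version. Names are not checked
# here; "ssh -Q kex", "ssh -Q cipher" and "ssh -Q mac" list what the installed
# version supports.
{% if ssh_kex_algorithms %}
KexAlgorithms {{ ssh_kex_algorithms | join(',') }}
{% endif %}
{% if ssh_ciphers %}
Ciphers {{ ssh_ciphers | join(',') }}
{% endif %}
{% if ssh_macs %}
MACs {{ ssh_macs | join(',') }}
{% endif %}

# Logging
SyslogFacility AUTH
LogLevel {{ ssh_log_level }}

# Authentication
LoginGraceTime {{ ssh_login_grace_time }}
# "no" or "prohibit-password" keeps root from logging in with a password.
PermitRootLogin {{ ssh_permit_root_login }}
# StrictModes makes sshd refuse keys when the user's home directory or key
# files have unsafe ownership or permissions.
StrictModes yes
MaxAuthTries {{ ssh_max_auth_tries }}
MaxSessions {{ ssh_max_sessions }}
# MaxStartups limits concurrent unauthenticated connections; it accepts a
# single number or the start:rate:full form.
MaxStartups {{ ssh_max_startups }}

# Public key authentication
PubkeyAuthentication {{ ssh_pubkey_authentication }}

# Password authentication
PasswordAuthentication {{ ssh_password_authentication }}
PermitEmptyPasswords {{ ssh_permit_empty_passwords }}

# Challenge-response authentication
# Newer OpenSSH releases name this option KbdInteractiveAuthentication and
# keep the old keyword as a deprecated alias. Where PAM is enabled, leaving
# this on can still allow password logins even with PasswordAuthentication no.
ChallengeResponseAuthentication {{ ssh_challenge_response_auth }}

# Kerberos/GSSAPI authentication
KerberosAuthentication no
GSSAPIAuthentication {{ ssh_gss_api_authentication }}
GSSAPICleanupCredentials yes

# User/Group restrictions
# Emitted only when the lists are non-empty. When both directives are present
# a user must pass both: match AllowUsers and belong to an allowed group.
{% if ssh_allowed_users %}
AllowUsers {{ ssh_allowed_users | join(' ') }}
{% endif %}
{% if ssh_allowed_groups %}
AllowGroups {{ ssh_allowed_groups | join(' ') }}
{% endif %}

# Networking
UseDNS {{ ssh_use_dns }}
TCPKeepAlive {{ ssh_tcp_keep_alive }}
# With ClientAliveCountMax 3, an unresponsive client is disconnected after
# about three intervals; an interval of 0 turns these checks off.
ClientAliveInterval {{ ssh_client_alive_interval }}
ClientAliveCountMax 3

# Features
X11Forwarding {{ ssh_x11_forwarding }}
PrintMotd {{ ssh_print_motd }}
PrintLastLog yes
Compression {{ ssh_compression }}

# Subsystems
# NOTE(review): this sftp-server path is distribution-specific; confirm it
# exists on every target host, or sftp sessions will fail.
Subsystem sftp /usr/lib/openssh/sftp-server

# Banner (optional)
# Banner /etc/issue.net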