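# sshd_config template (Jinja2; uses Ansible inventory variables).
# Hosts in the 'proxmox' inventory group get three exceptions:
# an extra RSA host key, root login, and AcceptEnv for locale variables.

# networking
Protocol 2
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

# hostkey
# Ed25519 everywhere; the RSA key is offered only on proxmox hosts.
{% if inventory_hostname in groups['proxmox'] %}
HostKey /etc/ssh/ssh_host_rsa_key
{% endif %}
HostKey /etc/ssh/ssh_host_ed25519_key

# Authentication
# NOTE(review): 'yes' leaves root reachable through every enabled
# authentication method. With password and keyboard-interactive both
# disabled below, that means public key only. 'prohibit-password' would
# state that intent on this line itself; confirm the deployed OpenSSH
# version accepts it before switching.
{% if inventory_hostname in groups['proxmox'] %}
PermitRootLogin yes
{% else %}
PermitRootLogin no
{% endif %}

# Hardening
{% if inventory_hostname in groups['proxmox'] %}
AcceptEnv LANG LC_*
{% endif %}
StrictModes yes
# NOTE(review): each key offered by a client counts as an attempt, so a
# client whose agent holds more than two keys can be rejected before the
# right key is tried.
MaxAuthTries 2
MaxStartups 10:50:20
LoginGraceTime 15
MaxSessions 8
PasswordAuthentication no
# PasswordAuthentication does not cover the keyboard-interactive method.
# With UsePAM yes (set for Debian below), PAM can still prompt for a
# password through it unless it is disabled as well. Newer OpenSSH
# releases call this option KbdInteractiveAuthentication and keep this
# spelling as an alias.
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# Login is limited to the listed accounts; root is listed only where
# PermitRootLogin allows it.
{% if inventory_hostname in groups['proxmox'] %}
AllowUsers ansible drone hugo root simon
{% else %}
AllowUsers ansible drone hugo simon
{% endif %}
VersionAddendum ""
IgnoreRhosts yes
UseDNS no
X11Forwarding no
ClientAliveCountMax 8
Compression no
# NOTE(review): TCP and agent forwarding are enabled for every allowed
# user, including the automation accounts. A forwarded agent can be used
# by anyone with root on this host while the session lasts. If only some
# accounts need forwarding, scope it with Match blocks.
AllowTcpForwarding yes
AllowAgentForwarding yes
PrintMotd yes
{% if ansible_distribution == 'Debian' %}
UsePAM yes
PrintLastLog no
{% endif %}

# The cryptos
# Curve25519 key exchange, AEAD or CTR ciphers, encrypt-then-MAC only.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# sFTP
# NOTE(review): this path is identical on every host, while the Debian
# conditional above suggests the inventory spans more than one
# distribution. Debian packages normally install sftp-server under
# /usr/lib/openssh/. Verify the path per platform, or consider the
# in-process 'internal-sftp' subsystem.
Subsystem sftp /usr/libexec/sftp-server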