# {{ ansible_managed }}
#
# OpenSSH Server Configuration
#
# How to read this file: sshd uses the FIRST obtained value for each keyword,
# so order matters. Directives above are not overridden by later duplicates,
# anything pulled in by the Include near the top takes precedence over the
# directives rendered below it, and everything after the first "Match" line
# belongs to a Match block - keep all global directives above that section.
#
# OpenSSH versions by distribution:
#   Ubuntu 20.04 (Focal): 8.2 | Ubuntu 22.04 (Jammy): 8.9 | Ubuntu 24.04 (Noble): 9.6
#   Debian 11 (Bullseye): 8.4 | Debian 12 (Bookworm): 9.2 | Debian 13 (Trixie): 9.9
#   EL 8: 8.0 | EL 9: 8.7 | EL 10: 9.8
#
# Version-specific features enabled by this template:
#   8.2+: Include directive
#   8.5+: PerSourceMaxStartups, PerSourceNetBlockSize
#   8.7+: KbdInteractiveAuthentication (replaces ChallengeResponseAuthentication)
#   9.1+: RequiredRSASize
#   9.2+: ChannelTimeout, UnusedConnectionTimeout
#   9.8+: PerSourcePenalties, PerSourcePenaltyExemptList, PAMServiceName
#
# Deprecated options handled:
#   ChallengeResponseAuthentication: deprecated in 8.7, uses KbdInteractiveAuthentication instead
#
# Value conventions assumed by this template: several directives are compared
# against the literal string "yes" (IgnoreUserKnownHosts, GSSAPI, X11 below),
# so the role variables are expected to hold quoted 'yes'/'no' strings rather
# than YAML booleans. NOTE(review): an unquoted `yes` in a vars file becomes a
# boolean and would render as "True", which sshd does not accept - confirm the
# role defaults quote these values.
#
# --- OpenSSH version detection ---
# The release -> version map below drives every version-gated directive.
# Versions are plain floats, which compares correctly only while no minor
# version reaches .10 (true for every OpenSSH release to date); revisit if that
# changes. An unknown release or distribution family falls back to 8.0, which
# is fail-safe: newer directives are simply omitted rather than emitted to an
# sshd that would reject them as unknown keywords.
{% set openssh_version_map = {
  'focal': 8.2,
  'jammy': 8.9,
  'noble': 9.6,
  'bullseye': 8.4,
  'bookworm': 9.2,
  'trixie': 9.9,
} %}
{% if ansible_distribution_file_variety == 'Debian' %}
{% set openssh_version = openssh_version_map.get(ansible_distribution_release, 8.0) %}
{% elif ansible_distribution_file_variety == 'RedHat' %}
{% if ansible_distribution_major_version | int >= 10 %}
{% set openssh_version = 9.8 %}
{% elif ansible_distribution_major_version | int >= 9 %}
{% set openssh_version = 8.7 %}
{% else %}
{% set openssh_version = 8.0 %}
{% endif %}
{% else %}
{% set openssh_version = 8.0 %}
{% endif %}

# --- Include directive (OpenSSH 8.2+) ---
# Placed first on purpose: because the first value wins, drop-in files in
# sshd_config.d override anything rendered below. Audit that directory as part
# of the effective configuration (`sshd -T` prints the merged result).
{% if openssh_version >= 8.2 and sshd_include_config_d %}
Include /etc/ssh/sshd_config.d/*.conf
{% endif %}

# --- Network ---
Port {{ sshd_port }}
AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# --- Host Keys ---
{% for key in sshd_host_keys %}
HostKey {{ key }}
{% endfor %}

# --- Ciphers, MACs, and Key Exchange ---
# Each algorithm list is emitted only when its variable is non-empty; an
# empty variable leaves sshd's compiled-in default for that list in force.
{% if sshd_ciphers %}
Ciphers {{ sshd_ciphers }}
{% endif %}
{% if sshd_macs %}
MACs {{ sshd_macs }}
{% endif %}
{% if sshd_kex_algorithms %}
KexAlgorithms {{ sshd_kex_algorithms }}
{% endif %}
{% if sshd_host_key_algorithms %}
HostKeyAlgorithms {{ sshd_host_key_algorithms }}
{% endif %}

# --- Minimum RSA key size (OpenSSH 9.1+) ---
{% if openssh_version >= 9.1 and sshd_required_rsa_size %}
RequiredRSASize {{ sshd_required_rsa_size }}
{% endif %}

# --- Logging ---
SyslogFacility {{ sshd_syslog_facility }}
LogLevel {{ sshd_log_level }}

# --- Authentication ---
LoginGraceTime {{ sshd_login_grace_time }}
PermitRootLogin {{ sshd_permit_root_login }}
StrictModes {{ sshd_strict_mode }}
MaxAuthTries {{ sshd_max_auth_tries }}
MaxSessions {{ sshd_max_sessions }}
PubkeyAuthentication {{ sshd_pubkey_authentication }}
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

# Host-based authentication
HostbasedAuthentication {{ sshd_hostbased_authentication }}
IgnoreRhosts {{ sshd_ignore_rhosts }}
{% if sshd_ignore_user_known_hosts == "yes" %}
IgnoreUserKnownHosts yes
{% endif %}

# Password and empty password settings
PermitEmptyPasswords {{ sshd_permit_empty_passwords }}
PasswordAuthentication {{ sshd_password_authentication }}

# Keyboard-interactive authentication
# Note: ChallengeResponseAuthentication was renamed to KbdInteractiveAuthentication in OpenSSH 8.7
# and deprecated in OpenSSH 9.x. We use the appropriate directive based on version.
# Both spellings are fed from the same variable, so the policy is identical on
# old and new releases; only the keyword name changes.
{% if openssh_version >= 8.7 %}
KbdInteractiveAuthentication {{ sshd_kbd_interactive_authentication }}
{% else %}
ChallengeResponseAuthentication {{ sshd_kbd_interactive_authentication }}
{% endif %}

# GSSAPI options
GSSAPIAuthentication {{ sshd_gssapi_authentication }}
{% if sshd_gssapi_authentication == "yes" %}
GSSAPICleanupCredentials {{ sshd_gssapi_cleanup_credentials }}
{% endif %}

# PAM
UsePAM {{ sshd_use_pam }}
{% if openssh_version >= 9.8 and sshd_pam_service_name %}
PAMServiceName {{ sshd_pam_service_name }}
{% endif %}

# --- Forwarding ---
AllowAgentForwarding {{ sshd_agent_forwarding }}
AllowTcpForwarding {{ sshd_tcp_forwarding }}
GatewayPorts {{ sshd_gateway_ports }}
X11Forwarding {{ sshd_x11_forwarding }}
{% if sshd_x11_forwarding == "yes" %}
X11DisplayOffset {{ sshd_x11_display_offset }}
X11UseLocalhost yes
{% endif %}
PermitTunnel {{ sshd_permit_tunnel }}
PermitUserEnvironment {{ sshd_permit_user_environment }}

# --- Connection Settings ---
TCPKeepAlive {{ sshd_tcp_keep_alive }}
# Idle-client detection is only emitted for a positive interval; at 0 sshd's
# default (no keepalive probes) applies and ClientAliveCountMax is not written.
{% if sshd_client_alive_interval | int > 0 %}
ClientAliveInterval {{ sshd_client_alive_interval }}
ClientAliveCountMax {{ sshd_client_alive_count_max }}
{% endif %}
MaxStartups {{ sshd_max_startups }}

# --- Per-source rate limiting (OpenSSH 8.5+) ---
{% if openssh_version >= 8.5 %}
{% if sshd_per_source_max_startups %}
PerSourceMaxStartups {{ sshd_per_source_max_startups }}
{% endif %}
{% if sshd_per_source_net_block_size %}
PerSourceNetBlockSize {{ sshd_per_source_net_block_size }}
{% endif %}
{% endif %}

# --- Penalty-based rate limiting (OpenSSH 9.8+) ---
# Supported on: EL 10+, Ubuntu 25.04+, Debian Trixie+
# NOTE(review): Ubuntu 25.04 is not in openssh_version_map above, so it falls
# back to 8.0 here and this block is skipped on that release until an entry
# is added.
{% if openssh_version >= 9.8 %}
{% if sshd_per_source_penalties %}
PerSourcePenalties {{ sshd_per_source_penalties }}
{% endif %}
{% if sshd_per_source_penalty_exempt_list %}
PerSourcePenaltyExemptList {{ sshd_per_source_penalty_exempt_list }}
{% endif %}
{% endif %}

# --- Timeouts (OpenSSH 9.2+) ---
{% if openssh_version >= 9.2 %}
{% if sshd_channel_timeout %}
ChannelTimeout {{ sshd_channel_timeout }}
{% endif %}
{% if sshd_unused_connection_timeout %}
UnusedConnectionTimeout {{ sshd_unused_connection_timeout }}
{% endif %}
{% endif %}

# --- Display ---
PrintMotd {{ sshd_print_motd }}
PrintLastLog {{ sshd_print_last_log }}
# Rendered unconditionally, unlike the guarded directives above. NOTE(review):
# an empty sshd_banner_path would leave "Banner" without an argument, which
# sshd rejects at startup - confirm the role default always supplies a path
# (or "none").
Banner {{ sshd_banner_path }}

# --- DNS ---
UseDNS {{ sshd_use_dns }}

# --- Environment ---
AcceptEnv {{ sshd_acceptenv }}

# --- Subsystems ---
# The sftp-server binary lives in a different path on EL than on Debian
# family systems; the distribution family selects it.
{% if sshd_enable_sftp_subsystem %}
{% if ansible_distribution_file_variety == 'RedHat' %}
Subsystem sftp /usr/libexec/openssh/sftp-server
{% else %}
Subsystem sftp /usr/lib/openssh/sftp-server
{% endif %}
{% endif %}

# --- Match Blocks ---
# Everything from the first "Match" line onward applies only to the block it
# follows; no global directive may appear below this point.
{% if sshd_enable_sftp_subsystem and sshd_enable_sftp_jail %}
# SFTP Chroot Jail
# ChrootDirectory requires the directory and every component of its path to be
# owned by root and writable only by root; sshd refuses the login otherwise.
# The forwarding/tunnel directives are forced off so jailed users get a
# file-transfer-only session regardless of the global settings above.
Match Group {{ sshd_sftp_chroot_match_group }}
ChrootDirectory {{ sshd_sftp_chroot_directory }}
ForceCommand {{ sshd_sftp_force_command }}
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
{% endif %}
# User-supplied Match blocks are rendered verbatim; keys are not validated, and
# only the keywords sshd_config(5) lists as permitted under Match are legal
# here. Validate the rendered file (`sshd -t`) before reloading sshd so a bad
# block cannot take the daemon down.
{% for match in sshd_match_blocks %}
Match {{ match.criteria }}
{% for option in match.options %}
{% for key, value in option.items() %}
{{ key }} {{ value }}
{% endfor %}
{% endfor %}
{% endfor %}