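---
# Play for the "ssh-dev" hosts: apply the baseline roles, then configure the
# OpenSSH server through drop-in files under /etc/ssh/sshd_config.d/.
#
# Assumes the main /etc/ssh/sshd_config includes sshd_config.d/*.conf, as
# Debian's stock file does. Verify this on hosts with a customised
# sshd_config, otherwise the drop-ins below are silently ignored.
- hosts: ssh-dev
  remote_user: debian
  become: true
  roles:
    - role: sane_debian_system
    - role: unix_users
  tasks:
    # Port directives are cumulative in sshd: if the main sshd_config also
    # sets an uncommented Port, the server listens on both.
    - name: "Configure SSH server port"
      when: sshd_port is defined
      copy:
        content: |
          Port {{ sshd_port }}
        dest: /etc/ssh/sshd_config.d/port.conf
        owner: root
        group: root
        mode: "0644"
        # Reject a drop-in sshd cannot parse before it replaces the live
        # file, so a bad value does not break the next reload.
        validate: '/usr/sbin/sshd -t -f %s'
      notify: sshd_restart

    # This file is the trust anchor for certificate logins, so it must only
    # be writable by root. Ownership and mode are set explicitly rather
    # than left to the umask.
    - name: "Configure user CA for SSH server"
      when: sshd_user_ca_pub is defined
      copy:
        content: |
          {{ sshd_user_ca_pub }}
        dest: /etc/ssh/user_ca_pubs
        owner: root
        group: root
        mode: "0644"

    # No AuthorizedPrincipalsFile is configured here, so a certificate
    # signed by this CA is accepted for any local account named in the
    # certificate's principals list. The CA private key is therefore the
    # trust root for every user on these hosts.
    - name: "Configure SSH server to accept user CA"
      when: sshd_user_ca_pub is defined
      copy:
        content: |
          TrustedUserCAKeys /etc/ssh/user_ca_pubs
        dest: /etc/ssh/sshd_config.d/user_ca.conf
        owner: root
        group: root
        mode: "0644"
        validate: '/usr/sbin/sshd -t -f %s'
      # A new configuration directive only takes effect once sshd re-reads
      # its configuration, so this task has to trigger the handler as well.
      notify: sshd_restart

  handlers:
    # Despite its name this handler reloads rather than restarts the
    # service. The name is kept because tasks notify it by that name.
    - name: sshd_restart
      systemd:
        name: ssh
        state: reloaded

  vars:
    ansible_python_interpreter: /usr/bin/python3

    sane_debian_system_version: 2
    sane_debian_system_hostname: "{{ inventory_hostname }}"
    sane_debian_system_codename: bullseye
    sane_debian_system_mirror: deb.debian.org

    unix_users_version: 2
    unix_users:
      - username: liw

    sshd_port: 22
    # Public half of the user CA. This is not a secret, but changing it
    # changes who can log in, so review edits to it like a credential
    # change.
    sshd_user_ca_pub: 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdSnGI91exKItWsZi0XFVQWluS0FUdd12FLjuQk1FxG liw User CA v1'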