debian: disable SSH password authentication

Oops. Also do it for proxmox-backup role even though SSH in default
VRF is disabled there, so it will be easier to deduplicate these roles
when someone gets around to it.

roles/debian/handlers/main.yml

@@ -5,3 +5,9 @@
 - name: reload interfaces
   command: ifreload -a
   when: "'handler' not in ansible_skip_tags"
+
+- name: reload sshd
+  service:
+    name: sshd
+    state: reloaded
+  when: "'handler' not in ansible_skip_tags"

roles/debian/tasks/main.yml

@@ -54,6 +54,18 @@
     mode: 0644
   notify: reload interfaces
 
+- name: Disable SSH password authentication
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?{{ item.key }}'
+    line: '{{ item.key }} {{ item.value }}'
+  loop:
+    - key: PasswordAuthentication
+      value: 'no'
+    - key: PermitRootLogin
+      value: 'prohibit-password'
+  notify: reload sshd
+
 - name: Run SSH instance in management VRF
   when: interfaces | selectattr('vrf') | selectattr('vrf.name', '==', 'mgmt')
   block:

roles/proxmox-backup/handlers/main.yml

@@ -22,3 +22,9 @@
     name: postfix
     state: reloaded
   when: "'handler' not in ansible_skip_tags"
+
+- name: reload sshd
+  service:
+    name: sshd
+    state: reloaded
+  when: "'handler' not in ansible_skip_tags"

roles/proxmox-backup/tasks/main.yml

@@ -58,6 +58,18 @@
     mode: 0644
   notify: reload interfaces
 
+- name: Disable SSH password authentication
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?{{ item.key }}'
+    line: '{{ item.key }} {{ item.value }}'
+  loop:
+    - key: PasswordAuthentication
+      value: 'no'
+    - key: PermitRootLogin
+      value: 'prohibit-password'
+  notify: reload sshd
+
 - name: Run SSH instance in management VRF
   when: interfaces | selectattr('vrf') | selectattr('vrf.name', '==', 'mgmt')
   block: