- name: Set root password
  ansible.builtin.user:
    name: root
    password: "{{ root_password }}"
  when: root_password is defined

- name: Ensure ssh directory for root
  ansible.builtin.file:
    state: directory
    path: /root/.ssh
    owner: root
    group: root
    mode: "0700"
  when: root_sshkeys is defined

- name: Set authorized keys for root
  ansible.builtin.copy:
    content: "{{ root_sshkeys | join('\n') }}"
    dest: /root/.ssh/authorized_keys
    owner: root
    group: root
    mode: "0600"
  when: root_sshkeys is defined

- name: Only allow root ssh
  ansible.builtin.lineinfile:
    dest: /etc/ssh/sshd_config
    line: "PermitRootLogin prohibit-password"
    regexp: "^PermitRootLogin "
  notify: Restart sshd
  when: root_sshkeys is defined