{{ ansible_managed | comment }}

SyslogFacility AUTH
LogLevel VERBOSE

AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

Port 22

MaxStartups 10:30:100

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

KexAlgorithms {{ openssh__kex_algorithms | join(",") }}
Ciphers {{ openssh__ciphers | join(",") }}
MACs {{ openssh__macs | join(",") }}

AuthenticationMethods publickey

TrustedUserCAKeys /etc/ssh/users_ca.pub
AuthorizedPrincipalsFile /etc/ssh/authorized_principals

StrictModes yes
UsePAM no
PermitRootLogin yes
PermitUserRC no
PermitUserEnvironment no
AllowAgentForwarding no
AllowTcpForwarding yes
X11Forwarding no
PermitTTY yes
PermitTunnel no
VersionAddendum none
PrintLastLog yes
PrintMotd yes
TCPKeepAlive yes
UseDNS no
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO