ssh-server: Cleanup and Proxmox handling

This is to clean some old and now unneded tasks, and to respect Proxmox’ special handling.

ssh-server/tasks/main.yml

@@ -8,7 +8,7 @@
   tags:
     - ssh
 
-- name: ensure sshd configured
+- name: ensure sshd is configured
   template:
     src: sshd_config.j2
     dest: /etc/ssh/sshd_config
@@ -17,22 +17,6 @@
     mode: '0644'
     backup: true
     validate: '/usr/sbin/sshd -t -f %s'
-  when: debian_version == "jessie"
-  notify:
-    - restart sshd
-  tags:
-    - ssh
-
-- name: ensure sshd configured
-  template:
-    src: sshd_config_stretch.j2
-    dest: /etc/ssh/sshd_config
-    owner: root
-    group: root
-    mode: '0644'
-    backup: true
-    validate: '/usr/sbin/sshd -t -f %s'
-  when: debian_version != "jessie"
   notify:
     - restart sshd
   tags:
@@ -95,12 +79,30 @@
     - ssh
     - root
 
+- name: Check for Proxmox SSH keys
+  stat:
+    path: /etc/pve/priv/authorized_keys
+  register: pve_ssh_present
+  tags:
+    - ssh
+    - root
+
 # filename syntax: name.pub or name+dest_host_1,...,dest_host_n.pub
 - name: ensure our and only our keys are authorized for root
   assemble:
-    dest: /root/.ssh/authorized_keys
+    dest: >-
+      {% if pve_ssh_present.stat.exists -%}
+      /etc/pve/priv/authorized_keys
+      {%- else -%}
+      /root/.ssh/authorized_keys
+      {%- endif %}
     owner: root
-    group: root
+    group: >-
+      {% if pve_ssh_present.stat.exists -%}
+      www-data
+      {%- else -%}
+      root
+      {%- endif %}
     mode: '0600'
     remote_src: false
     src: "{{ ssh_authorized_keys }}"
@@ -111,6 +113,16 @@
     - ssh
     - root
 
+- name: Ensure Proxmox distributes the SSH keys
+  file:
+    path: /root/.ssh/authorized_keys
+    src: /etc/pve/priv/authorized_keys
+    state: link
+  when: pve_ssh_present.stat.exists
+  tags:
+    - ssh
+    - root
+
 - name: ensure we fail2ban bad people
   apt:
     name: fail2ban