---
# file: roles/openssh-server/defaults/main.yml

sshd_default_AllowGroups_list_container: [ 'root', 'op', 'sysop' ]
sshd_default_AllowGroups_list_virtual_machine: "{{ sshd_default_AllowGroups_list_container + [ 'localadm' ] }}"
sshd_default_AllowGroups_list_physical: "{{ sshd_default_AllowGroups_list_virtual_machine + [ 'backupop' ] }}"

sshd_HostKey_file_list:
  - '/etc/ssh/ssh_host_ed25519_key'
  - '/etc/ssh/ssh_host_rsa_key'
  - '/etc/ssh/ssh_host_ecdsa_key'

sshd_MACs:
  - hmac-sha2-512-etm@openssh.com
  - hmac-sha2-256-etm@openssh.com
  - umac-128-etm@openssh.com
  - hmac-sha2-512
  - hmac-sha2-256

sshd_kex_version_minimum_67:
  - curve25519-sha256@libssh.org
  - diffie-hellman-group-exchange-sha256

sshd_kex_version_80_to_84:
  - sntrup4591761x25519-sha512@tinyssh.org
  - curve25519-sha256@libssh.org
  - diffie-hellman-group-exchange-sha256

sshd_kex_version_85_to_99:
  - sntrup761x25519-sha512@openssh.com
  - curve25519-sha256@libssh.org
  - diffie-hellman-group-exchange-sha256

sshd_kex_version_100:
  - mlkem768x25519-sha256
  - sntrup761x25519-sha512@openssh.com
  - curve25519-sha256@libssh.org
  - diffie-hellman-group-exchange-sha256


sshd_Ciphers:
  - chacha20-poly1305@openssh.com
  - aes256-gcm@openssh.com
  - aes128-gcm@openssh.com
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr

sshd_sftp_enabled: False
sshd_sssd_ldap: True