Configure the SSH hardening role

This one is also disabled since it's not super useful to run more than
once. This role however doesn't report changes on reruns (as we've seen
for the os_hardening role).

playbook.yml

@@ -6,12 +6,17 @@
     # These roles are disabled after they have being applied once for performance reasons, it should be safe to enable them again.
     # Notice that this role changes some settings on reruns (on the "Change various sysctl-settings" task), doesn't seem problematic though.
     # - devsec.hardening.os_hardening
+    # - devsec.hardening.ssh_hardening
   vars:
     # devsec.hardening.os_hardening vars:
     os_auth_pw_max_age: 99999 # Effectively disables the setting as mentioned in the docs.
     os_cron_enabled: false # Cron isn't needed for the installation.
     sysctl_overwrite:
       vm.mmap_rnd_bits: 16 # See the "sysctl - vm.mmap_rnd_bits" section of the docs.
+    # devsec.hardening.ssh_hardening vars:
+    ssh_allow_users: 'thomas'
+    ssh_client_port: 22 # Default, but duplicated here for documentation purpose. Not changed because its only accessible via LAN.
+    ssh_client_password_login: false # Default, but duplicated here for documentation purpose.
   tasks:
     # Disable warning on updating latest packages, it should be safe enough for this system.
     - name: Update all packages to their latest version # noqa: package-latest