ssh: allow to enable password auth

defaults/main.yml

@@ -4,3 +4,4 @@ users:
 - { name: 'nouser', state: 'absent', public_key: '' }
 
 system_locale: en_US.UTF-8
+ssh_allow_password: no

tasks/packages.yml

@@ -1,8 +1,8 @@
 ---
 - name: Update and upgrade apt packages
   apt:
-    upgrade: 'yes'
-    update_cache: 'yes'
+    upgrade: dist
+    update_cache: yes
     cache_valid_time: 86400 # One day
 
 - name: install a default set of packages
@@ -22,13 +22,13 @@
     - zip
     - unzip
     - zsh
-    - python-pip
-    - python3-pip
-    - python-setuptools
-    - python3-setuptools
     - rsync
     - gnupg
     - sudo
     - curl
+    - python-pip
+    - python3-pip
+    - python-setuptools
+    - python3-setuptools
     state: present
   tags: packages

tasks/sshd.yml

@@ -4,6 +4,7 @@
     path: /etc/ssh/sshd_config
     regexp: '^#?AuthenticationMethods '
     line: 'AuthenticationMethods publickey'
+  when: not ssh_allow_password
   notify: reload sshd service
 
 - name: Disable SSH password authentication
@@ -11,4 +12,21 @@
     path: /etc/ssh/sshd_config
     regexp: '^#?PasswordAuthentication '
     line: 'PasswordAuthentication no'
-  notify: reload sshd service
+  when: not ssh_allow_password
+  notify: reload sshd service
+
+- name: Restrict SSH to public key and password authentication
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?AuthenticationMethods '
+    line: 'AuthenticationMethods publickey password'
+  when: ssh_allow_password
+  notify: reload sshd service
+
+- name: Enable SSH password authentication
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?PasswordAuthentication '
+    line: 'PasswordAuthentication yes'
+  when: ssh_allow_password
+  notify: reload sshd service