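# Install the SSH public keys published at ssh_pub_key_url for root, then
# deploy the sshd_config template.

# The request is made from the control node (delegate_to: localhost).
# Whatever this URL returns becomes root login material on the target, so it
# should be an https:// endpoint under your control. Certificate validation is
# stated explicitly so that it is visible in review.
# NOTE(review): nothing here rejects an http:// value of ssh_pub_key_url;
# confirm how the variable is set.
- name: Public‑Keys von URL holen
  ansible.builtin.uri:
    url: "{{ ssh_pub_key_url }}"
    return_content: true
    validate_certs: true
  delegate_to: localhost
  register: fetched_keys

# One list entry per line of the response body; blank lines are skipped in the
# loop further down.
- name: Liste der einzelnen Keys erstellen
  ansible.builtin.set_fact:
    key_list: "{{ fetched_keys.content.splitlines() }}"

# The touch below fails if the parent directory is missing, so create it first
# with permissions that keep it private to root.
- name: Ensure /root/.ssh exists
  ansible.builtin.file:
    path: "/root/.ssh"
    state: directory
    owner: "root"
    group: "root"
    mode: "0700"

# Preserving the timestamps stops `state: touch` from reporting "changed" on
# every run when the file already exists.
- name: authorized_keys anlegen (falls nicht vorhanden)
  ansible.builtin.file:
    path: "/root/.ssh/authorized_keys"
    state: touch
    owner: "root"
    group: "root"
    mode: "0600"
    modification_time: preserve
    access_time: preserve

# `state: present` only adds keys. A key that is later removed from the URL
# stays in authorized_keys on the host, so revocation needs separate handling.
# NOTE(review): in current Ansible releases this module ships in the
# ansible.posix collection; confirm the ansible.builtin name resolves on the
# version in use.
- name: Jeden Key einzeln mit authorized_key hinzufügen
  ansible.builtin.authorized_key:
    user: "root"
    key: "{{ item | trim }}"
    state: present
  loop: "{{ key_list }}"
  when: item | trim != ""

# `validate` runs sshd's own syntax check against the rendered file before it
# replaces the live config, so a broken template cannot lock out SSH access.
# Adjust the path if sshd is installed elsewhere on the target.
- name: Harden SSH configuration
  ansible.builtin.template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: '0644'
    validate: /usr/sbin/sshd -t -f %s
  notify:
    - Restart SSH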