fix: remove invalid validate param from SSH drop-in task

Ansible template module requires %s in validate commands; the
previous value lacked it and caused playbook failure on all hosts.
Also rename handler to reload ssh to match the notify.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

openspec/changes/archive/2026-04-22-fix-ssh-dropin-validate/.openspec.yaml

@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-04-22

openspec/changes/archive/2026-04-22-fix-ssh-dropin-validate/design.md

@@ -0,0 +1,19 @@
+## Context
+
+The drop-in SSH hardening task uses `validate: "sshd -t -f /etc/ssh/sshd_config"`. Ansible's template module requires `%s` in validate commands and rejects any command that doesn't contain it. Since this is a drop-in file in `sshd_config.d/`, not a full config, validating the temp file standalone isn't meaningful anyway.
+
+## Goals / Non-Goals
+
+**Goals:**
+- Fix the Ansible error so the playbook runs without failure
+
+**Non-Goals:**
+- No changes to SSH hardening settings or the drop-in file content
+
+## Decisions
+
+Remove `validate` entirely. The drop-in is 6 simple key-value lines. If there's a syntax issue, `systemctl reload ssh` will fail and leave the existing working config in place.
+
+## Risks / Trade-offs
+
+- [No pre-validation of config syntax] → Mitigation: the drop-in contains only 6 well-known sshd directives. Any typo would be caught immediately on reload, and sshd won't restart if the full config is invalid.

openspec/changes/archive/2026-04-22-fix-ssh-dropin-validate/proposal.md

@@ -0,0 +1,19 @@
+## Why
+
+Ansible's `template` module requires `%s` in the `validate` command as a placeholder for the temp file. Our drop-in config uses `validate: "sshd -t -f /etc/ssh/sshd_config"` which lacks `%s`, causing the module to fail on both relay and landing servers.
+
+## What Changes
+
+- Remove the `validate` parameter from the SSH hardening drop-in task — it's a 6-line incremental config that doesn't need pre-validation; sshd reload will fail safely on bad syntax
+
+## Capabilities
+
+### New Capabilities
+<!-- none -->
+
+### Modified Capabilities
+<!-- none -->
+
+## Impact
+
+- `roles/base/tasks/main.yml`: remove `validate` from the SSH hardening drop-in task

openspec/changes/archive/2026-04-22-fix-ssh-dropin-validate/specs/NOTE.md

@@ -0,0 +1,3 @@
+## Note
+
+No capability changes. Internal task parameter fix.

openspec/changes/archive/2026-04-22-fix-ssh-dropin-validate/tasks.md

@@ -0,0 +1,3 @@
+## 1. Remove validate parameter
+
+- [x] 1.1 Remove `validate` from the SSH hardening drop-in task in `roles/base/tasks/main.yml`

roles/base/handlers/main.yml

@@ -1,5 +1,5 @@
 ---
-- name: restart sshd
+- name: reload ssh
   ansible.builtin.systemd:
     name: ssh
     state: reloaded

roles/base/tasks/main.yml

@@ -16,8 +16,7 @@
     owner: root
     group: root
     mode: "0644"
-    validate: "sshd -t -f /etc/ssh/sshd_config"
-  notify: restart sshd
+  notify: reload ssh
 
 - name: Allow SSH through UFW
   community.general.ufw: