## Why

The base role completely replaces `/etc/ssh/sshd_config` with a custom template, which overwrites Ubuntu's default configuration including `Include` directives and other distro-specific settings. This can cause sshd to enter a broken state after the handler fires — password auth, root login, and other defaults are silently removed, and sshd may not recover properly from the restart.

## What Changes

- Replace the full `sshd_config.j2` template with a drop-in config file at `/etc/ssh/sshd_config.d/99-hardening.conf` that only overrides the specific settings we need to change
- Remove the old `sshd_config.j2` template file
- Change the sshd handler from `restart sshd` to `reload ssh` to avoid dropping active connections

## Capabilities

### New Capabilities

### Modified Capabilities

## Impact

- `roles/base/tasks/main.yml`: change from template to copy/drop-in task
- `roles/base/templates/sshd_config.j2`: deleted
- `roles/base/templates/sshd-hardening.conf.j2`: new file
- `roles/base/handlers/main.yml`: handler service name and state corrected
- No changes to which settings are enforced — same hardening, delivered incrementally
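
A check that the drop-in's values are the ones sshd will actually use, added here as an example and not part of the role: sshd keeps the first value it reads for each keyword and expands the `Include` glob in lexical order, so an earlier file in `/etc/ssh/sshd_config.d/` can shadow `99-hardening.conf`. The setting values and the `50-cloud-init.conf` sample are constructed assumptions, and the helper names are hypothetical.

```python
import glob
import os
import tempfile

def parse_global(path):
    """Yield (keyword, value) pairs from the global section of one file."""
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            if parts[0].lower() == "match":
                break  # simplification: conditional blocks are not evaluated
            if len(parts) == 2:
                yield parts[0].lower(), parts[1].strip()  # keywords are case-insensitive

def effective_settings(dropin_dir):
    """Map keyword -> (value, filename) under sshd's first-value-wins rule."""
    seen = {}
    # The glob is read in lexical order, so 50-*.conf comes before 99-*.conf.
    for path in sorted(glob.glob(os.path.join(dropin_dir, "*.conf"))):
        for key, value in parse_global(path):
            seen.setdefault(key, (value, os.path.basename(path)))
    return seen

def shadowed(dropin_dir, hardening="99-hardening.conf"):
    """Keywords the hardening drop-in sets but whose effective value comes from another file."""
    eff = effective_settings(dropin_dir)
    ours = dict(parse_global(os.path.join(dropin_dir, hardening)))
    return {k: eff[k] for k in ours if eff[k][1] != hardening}

def build_sample(files):
    """Write constructed drop-in files into a temp directory and return its path."""
    d = tempfile.mkdtemp()
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d

# Constructed sample: values and the earlier file are assumptions, not taken from the role.
SAMPLE = {
    "50-cloud-init.conf": "PasswordAuthentication yes\n",
    "99-hardening.conf": "# managed by Ansible\nPasswordAuthentication no\nPermitRootLogin no\n",
}

if __name__ == "__main__":
    for key, (value, src) in shadowed(build_sample(SAMPLE)).items():
        print(f"{key}: effective value {value!r} comes from {src}")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this sketch reads only single-valued global keywords from the drop-in directory.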