## Context

Ubuntu 22.04+ ships an `/etc/ssh/sshd_config` that begins with `Include /etc/ssh/sshd_config.d/*.conf`. For most keywords sshd keeps the first value it reads, so directives in the included drop-ins, which are parsed before the rest of the main file, take precedence over the main file. The same rule applies among drop-ins: the glob is expanded in lexical order, so the lowest-sorting file wins for any keyword set in more than one of them.

The base role currently replaces the entire main config with a minimal template.

## Goals / Non-Goals

**Goals:**

- Only override the 6 specific settings that need hardening
- Preserve Ubuntu's default sshd_config, including the Include directive
- Apply changes without dropping active SSH connections

**Non-Goals:**

- No changes to which hardening settings are enforced
- No changes to UFW or fail2ban

## Decisions

Use a drop-in config file at `/etc/ssh/sshd_config.d/00-hardening.conf` containing only the settings we want to override:

```
Port {{ ssh_port }}
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
X11Forwarding no
```

The `00-` prefix is deliberate. Because sshd keeps the first value it reads, the drop-in must sort before every other file in `sshd_config.d/`. Ubuntu cloud images ship `50-cloud-init.conf` containing `PasswordAuthentication yes`; a file named `99-hardening.conf` would be parsed after it and its `PasswordAuthentication no` would be silently ignored. Check the merged result with `sshd -T`, which prints the values sshd will actually use.

Ubuntu's default config already has `Include /etc/ssh/sshd_config.d/*.conf`, so the drop-in takes effect without touching the main config.

Also fix the handler: `restart sshd` → `reload ssh`. `ssh` is the unit name on Ubuntu/Debian, and a reload sends sshd SIGHUP, which makes it re-execute with the new configuration while established sessions keep running. An unparsable config makes the re-executed sshd exit and leaves no listener, so validate the file with `sshd -t` before the handler fires (Ansible's `validate:` on the task that writes it).

## Risks / Trade-offs

- [Older Ubuntu versions may not support sshd_config.d] → This project targets Ubuntu/Debian servers; all supported versions (22.04+) include the drop-in mechanism.
- [A later drop-in shadows the hardening values] → Any file that sorts before `00-hardening.conf` would win; keep the `00-` prefix and assert on `sshd -T` output after deployment.
- [`Port` does not change on socket-activated releases] → Ubuntu releases from 22.10 onward (including 24.04 LTS) start sshd through `ssh.socket`, which owns the listening port; a changed `Port` takes effect only after `systemctl daemon-reload` and a restart of `ssh.socket`, not after a reload of `ssh.service`. The authentication settings still apply on reload.
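The decision above as Ansible tasks and a handler, written here as an added example rather than taken from the role. It assumes the role already defines `ssh_port` and runs with `become: true` (`sshd -t`/`sshd -T` need to read the host keys); the task names and the registered variable `sshd_effective` are choices made for this example.

```yaml
# tasks/main.yml (added example, not the role's own code; assumes become: true and ssh_port)
- name: Install sshd hardening drop-in (must sort first; sshd keeps the first value it reads)
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config.d/00-hardening.conf
    owner: root
    group: root
    mode: "0600"
    content: |
      Port {{ ssh_port }}
      PermitRootLogin prohibit-password
      PubkeyAuthentication yes
      PasswordAuthentication no
      KbdInteractiveAuthentication no
      X11Forwarding no
    # Reject the file before it lands if sshd cannot parse it; %s is the temp copy.
    validate: /usr/sbin/sshd -t -f %s
  notify: reload ssh

- name: Render the effective sshd configuration (main file merged with all drop-ins)
  ansible.builtin.command: /usr/sbin/sshd -T
  register: sshd_effective
  changed_when: false

- name: Fail if another drop-in (e.g. 50-cloud-init.conf) still wins for a hardened keyword
  ansible.builtin.assert:
    that:
      - "('port ' ~ ssh_port) in sshd_effective.stdout_lines"
      - "'permitrootlogin prohibit-password' in sshd_effective.stdout_lines"
      - "'pubkeyauthentication yes' in sshd_effective.stdout_lines"
      - "'passwordauthentication no' in sshd_effective.stdout_lines"
      - "'kbdinteractiveauthentication no' in sshd_effective.stdout_lines"
      - "'x11forwarding no' in sshd_effective.stdout_lines"
    fail_msg: "sshd -T does not show the hardened values; check file ordering in /etc/ssh/sshd_config.d/"

# handlers/main.yml
- name: reload ssh
  ansible.builtin.service:
    name: ssh
    state: reloaded
```

`sshd -T` prints keywords in lowercase with the value sshd will actually use, so the assert catches the ordering mistake directly rather than trusting the file name. On releases that run sshd from `ssh.socket`, a changed `Port` additionally needs `systemctl daemon-reload` and a restart of `ssh.socket`; the reload handler alone covers the five authentication and forwarding settings.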