ansible-proxy-chain/openspec/changes/archive/2026-04-22-ssh-hardening-incremental/tasks.md

1. Replace full sshd_config with drop-in

• 1.1 Create new sshd-hardening.conf.j2 template with only the 6 hardened settings
• 1.2 Replace the template task in roles/base/tasks/main.yml to deploy drop-in at /etc/ssh/sshd_config.d/99-hardening.conf
• 1.3 Delete old roles/base/templates/sshd_config.j2

2. Fix sshd handler

• 2.1 Change handler from restart sshd to reload ssh in roles/base/handlers/main.yml