---
- name: Filter SSH on groups
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: ^AllowGroups
    line: "AllowGroups {{ ssh_allow_groups }}"
    state: present
  notify: Restart sshd service

- name: Delete authorized SSH keys for root account
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - /root/.ssh/authorized_keys
    - /root/.ssh/authorized_keys2